added new VIDs
1 /* ISAKMP VendorID
2 * Copyright (C) 2002-2005 Mathieu Lafon - Arkoon Network Security
3 *
4 * This program is free software; you can redistribute it and/or modify it
5 * under the terms of the GNU General Public License as published by the
6 * Free Software Foundation; either version 2 of the License, or (at your
7 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
8 *
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * for more details.
13 *
14 * RCSID $Id: vendor.c,v 1.35 2006/04/12 16:44:28 as Exp $
15 */
16
17 #include <stdlib.h>
18 #include <string.h>
19 #include <ctype.h>
20 #include <sys/queue.h>
21 #include <freeswan.h>
22
23 #include "constants.h"
24 #include "defs.h"
25 #include "log.h"
26 #include "md5.h"
27 #include "connections.h"
28 #include "packet.h"
29 #include "demux.h"
30 #include "whack.h"
31 #include "vendor.h"
32 #include "kernel.h"
33 #include "nat_traversal.h"
34
35 /**
36 * Unknown/Special VID:
37 *
38 * SafeNet SoftRemote 8.0.0:
39 * 47bbe7c993f1fc13b4e6d0db565c68e5010201010201010310382e302e3020284275696c6420313029000000
40 * >> 382e302e3020284275696c6420313029 = '8.0.0 (Build 10)'
41 * da8e937880010000
42 *
43 * SafeNet SoftRemote 9.0.1
44 * 47bbe7c993f1fc13b4e6d0db565c68e5010201010201010310392e302e3120284275696c6420313229000000
45 * >> 392e302e3120284275696c6420313229 = '9.0.1 (Build 12)'
46 * da8e937880010000
47 *
48 * Netscreen:
49 * d6b45f82f24bacb288af59a978830ab7
50 * cf49908791073fb46439790fdeb6aeed981101ab0000000500000300
51 *
52 * Cisco:
53 * 1f07f70eaa6514d3b0fa96542a500300 (VPN 3000 version 3.0.0)
54 * 1f07f70eaa6514d3b0fa96542a500301 (VPN 3000 version 3.0.1)
55 * 1f07f70eaa6514d3b0fa96542a500305 (VPN 3000 version 3.0.5)
56 * 1f07f70eaa6514d3b0fa96542a500407 (VPN 3000 version 4.0.7)
57 * (Can you see the pattern?)
58 * afcad71368a1f1c96b8696fc77570100 (Non-RFC Dead Peer Detection ?)
59 * c32364b3b4f447eb17c488ab2a480a57
60 * 6d761ddc26aceca1b0ed11fabbb860c4
61 * 5946c258f99a1a57b03eb9d1759e0f24 (From a Cisco VPN 3k)
62 * ebbc5b00141d0c895e11bd395902d690 (From a Cisco VPN 3k)
63 *
64 * Microsoft L2TP (???):
65 * 47bbe7c993f1fc13b4e6d0db565c68e5010201010201010310382e312e3020284275696c6420313029000000
66 * >> 382e312e3020284275696c6420313029 = '8.1.0 (Build 10)'
67 * 3025dbd21062b9e53dc441c6aab5293600000000
68 * da8e937880010000
69 *
70 * 3COM-superstack
71 * da8e937880010000
72 * 404bf439522ca3f6
73 *
74 *
75 * If someone knows what they mean, mail me.
76 */
77
/* at most this many leading bytes of an unknown VID are hex-dumped to the log */
#define MAX_LOG_VID_LEN 32

/*
 * vid_struct.flags, low byte: how the wire bytes (.vid/.vid_len) of a table
 * entry are derived from its .data string by init_vendorid()
 */
#define VID_KEEP 0x0000        /* .vid/.vid_len are given literally in the table */
#define VID_MD5HASH 0x0001     /* .vid = MD5(.data), 16 bytes */
#define VID_STRING 0x0002      /* .vid = .data as-is, without terminating NUL */
#define VID_FSWAN_HASH 0x0004  /* .vid = "OE" + 10 bytes of MD5(.data), each forced into 0x40..0x7f */

/*
 * high byte: how a received payload that is LONGER than .vid is treated.
 * Any of the three lets .vid match as a prefix of the payload
 * (handle_vendorid); they differ only in what handle_known_vendorid logs.
 */
#define VID_SUBSTRING_DUMPHEXA 0x0100   /* .descr followed by the bytes beyond .vid in hex */
#define VID_SUBSTRING_DUMPASCII 0x0200  /* the whole payload as printable ASCII ('.' elsewhere) */
#define VID_SUBSTRING_MATCH 0x0400      /* prefix match only; log .descr */
#define VID_SUBSTRING (VID_SUBSTRING_DUMPHEXA | VID_SUBSTRING_DUMPASCII | VID_SUBSTRING_MATCH)
89
/* One entry of the vendor ID table (_vid_tab). */
struct vid_struct {
    enum known_vendorid id;   /* id == 0 terminates the table */
    unsigned short flags;     /* VID_* flags above */
    const char *data;         /* source string for VID_STRING/VID_MD5HASH/VID_FSWAN_HASH entries, else NULL */
    const char *descr;        /* name used in log lines; init_vendorid() falls back to .data when NULL */
    const char *vid;          /* wire bytes; filled in by init_vendorid() unless the entry is VID_KEEP */
    u_int vid_len;            /* number of bytes in .vid */
};
98
/*
 * Table-entry shorthands.  The wire bytes are derived from str by
 * init_vendorid(); the entries start with vid == NULL / vid_len == 0.
 */
#define DEC_MD5_VID_D(id,str,descr) \
    { VID_##id, VID_MD5HASH, str, descr, NULL, 0 },    /* MD5(str), logged as descr */
#define DEC_MD5_VID(id,str) \
    { VID_##id, VID_MD5HASH, str, NULL, NULL, 0 },     /* MD5(str), logged as str */
#define DEC_FSWAN_VID(id,str,descr) \
    { VID_##id, VID_FSWAN_HASH, str, descr, NULL, 0 }, /* FreeS/WAN "OE" hash of str */
105
/*
 * The vendor ID table.  handle_vendorid() and out_vendorid() scan it in
 * order and the first matching entry wins, so an entry placed before
 * another one with the same bytes takes precedence for payloads it matches
 * exactly.  .vid/.vid_len of the non-VID_KEEP entries are filled in by
 * init_vendorid().  The id == 0 entry at the end is the sentinel.
 */
static struct vid_struct _vid_tab[] = {

    /* Implementation names */

    { VID_OPENPGP, VID_STRING, "OpenPGP10171", "OpenPGP", NULL, 0 },

    DEC_MD5_VID(KAME_RACOON, "KAME/racoon")

    /* bytes following the 16-byte hash are logged as hex */
    { VID_MS_NT5, VID_MD5HASH | VID_SUBSTRING_DUMPHEXA,
      "MS NT5 ISAKMPOAKLEY", NULL, NULL, 0 },

    DEC_MD5_VID(SSH_SENTINEL, "SSH Sentinel")
    DEC_MD5_VID(SSH_SENTINEL_1_1, "SSH Sentinel 1.1")
    DEC_MD5_VID(SSH_SENTINEL_1_2, "SSH Sentinel 1.2")
    DEC_MD5_VID(SSH_SENTINEL_1_3, "SSH Sentinel 1.3")
    DEC_MD5_VID(SSH_SENTINEL_1_4, "SSH Sentinel 1.4")
    DEC_MD5_VID(SSH_SENTINEL_1_4_1, "SSH Sentinel 1.4.1")

    /* These ones come from SSH vendors.txt.  The capitalisation differs
     * between the 1.x ("Ssh") and the 2.x+ ("SSH") strings; it is part of
     * the hashed text and must not be "corrected". */
    DEC_MD5_VID(SSH_IPSEC_1_1_0,
        "Ssh Communications Security IPSEC Express version 1.1.0")
    DEC_MD5_VID(SSH_IPSEC_1_1_1,
        "Ssh Communications Security IPSEC Express version 1.1.1")
    DEC_MD5_VID(SSH_IPSEC_1_1_2,
        "Ssh Communications Security IPSEC Express version 1.1.2")
    DEC_MD5_VID(SSH_IPSEC_1_2_1,
        "Ssh Communications Security IPSEC Express version 1.2.1")
    DEC_MD5_VID(SSH_IPSEC_1_2_2,
        "Ssh Communications Security IPSEC Express version 1.2.2")
    DEC_MD5_VID(SSH_IPSEC_2_0_0,
        "SSH Communications Security IPSEC Express version 2.0.0")
    DEC_MD5_VID(SSH_IPSEC_2_1_0,
        "SSH Communications Security IPSEC Express version 2.1.0")
    DEC_MD5_VID(SSH_IPSEC_2_1_1,
        "SSH Communications Security IPSEC Express version 2.1.1")
    DEC_MD5_VID(SSH_IPSEC_2_1_2,
        "SSH Communications Security IPSEC Express version 2.1.2")
    DEC_MD5_VID(SSH_IPSEC_3_0_0,
        "SSH Communications Security IPSEC Express version 3.0.0")
    DEC_MD5_VID(SSH_IPSEC_3_0_1,
        "SSH Communications Security IPSEC Express version 3.0.1")
    DEC_MD5_VID(SSH_IPSEC_4_0_0,
        "SSH Communications Security IPSEC Express version 4.0.0")
    DEC_MD5_VID(SSH_IPSEC_4_0_1,
        "SSH Communications Security IPSEC Express version 4.0.1")
    DEC_MD5_VID(SSH_IPSEC_4_1_0,
        "SSH Communications Security IPSEC Express version 4.1.0")
    DEC_MD5_VID(SSH_IPSEC_4_2_0,
        "SSH Communications Security IPSEC Express version 4.2.0")

    /* note: md5('CISCO-UNITY') = 12f5f28c457168a9702d9fe274cc02d4
     * The table deliberately ends the 16 bytes with 01 00 instead of the
     * hash's 02 d4 (presumably a version field set by the sender -- verify).
     * The entry is VID_KEEP without a VID_SUBSTRING flag, so only this exact
     * 16-byte variant is recognised. */
    { VID_CISCO_UNITY, VID_KEEP, NULL, "Cisco-Unity",
      "\x12\xf5\xf2\x8c\x45\x71\x68\xa9\x70\x2d\x9f\xe2\x74\xcc\x01\x00",
      16 },

    /* 14-byte prefix of the 1f07f70e... VIDs listed in the file header;
     * the trailing (version) bytes vary, hence the prefix match */
    { VID_CISCO3K, VID_KEEP | VID_SUBSTRING_MATCH,
      NULL, "Cisco VPN 3000 Series" , "\x1f\x07\xf7\x0e\xaa\x65\x14\xd3\xb0\xfa\x96\x54\x2a\x50", 14},

    { VID_CISCO_IOS, VID_KEEP | VID_SUBSTRING_MATCH,
      NULL, "Cisco IOS Device", "\x3e\x98\x40\x48", 4},

    /*
     * Timestep VID seen:
     * - 54494d455354455020312053475720313532302033313520322e303145303133
     * = 'TIMESTEP 1 SGW 1520 315 2.01E013'
     * Matched on the "TIMESTEP" prefix; the whole payload is logged as ASCII.
     */
    { VID_TIMESTEP, VID_STRING | VID_SUBSTRING_DUMPASCII, "TIMESTEP",
      NULL, NULL, 0 },

    /*
     * Netscreen:
     * 4865617274426561745f4e6f74696679386b0100 (HeartBeat_Notify + 386b0100)
     * Matched on the "HeartBeat_Notify" prefix; the trailing bytes are logged as hex.
     */
    { VID_MISC_HEARTBEAT_NOTIFY, VID_STRING | VID_SUBSTRING_DUMPHEXA,
      "HeartBeat_Notify", "HeartBeat Notify", NULL, 0 },

    /*
     * MacOS X
     * NOTE(review): .data and .descr look swapped here.  With VID_STRING the
     * bytes matched/sent are the literal text "Mac OSX 10.x", while the 16
     * raw bytes in the .descr slot look like a VID value and would be written
     * to the log as binary -- confirm against upstream before relying on it.
     */
    { VID_MACOSX, VID_STRING|VID_SUBSTRING_DUMPHEXA, "Mac OSX 10.x",
      "\x4d\xf3\x79\x28\xe9\xfc\x4f\xd1\xb3\x26\x21\x70\xd5\x15\xc6\x62", NULL, 0},

    /*
     * Openswan
     */
    DEC_FSWAN_VID(OPENSWAN2, "Openswan 2.2.0", "Openswan 2.2.0")

    /* NCP: 12-byte prefixes, trailing bytes ignored */
    { VID_NCP_SERVER, VID_KEEP | VID_SUBSTRING_MATCH, NULL, "NCP Server",
      "\xc6\xf5\x7a\xc3\x98\xf4\x93\x20\x81\x45\xb7\x58", 12},
    { VID_NCP_CLIENT, VID_KEEP | VID_SUBSTRING_MATCH, NULL, "NCP Client",
      "\xeb\x4c\x1b\x78\x8a\xfd\x4a\x9c\xb7\x73\x0a\x68", 12},
    /*
     * strongSwan
     * VID_STRONGSWAN (no version suffix) is the current release's own VID.
     */
    DEC_MD5_VID(STRONGSWAN, "strongSwan 4.0.5")
    DEC_MD5_VID(STRONGSWAN_4_0_4, "strongSwan 4.0.4")
    DEC_MD5_VID(STRONGSWAN_4_0_3, "strongSwan 4.0.3")
    DEC_MD5_VID(STRONGSWAN_4_0_2, "strongSwan 4.0.2")
    DEC_MD5_VID(STRONGSWAN_4_0_1, "strongSwan 4.0.1")
    DEC_MD5_VID(STRONGSWAN_4_0_0, "strongSwan 4.0.0")

    DEC_MD5_VID(STRONGSWAN_2_8_0, "strongSwan 2.8.0")
    DEC_MD5_VID(STRONGSWAN_2_7_3, "strongSwan 2.7.3")
    DEC_MD5_VID(STRONGSWAN_2_7_2, "strongSwan 2.7.2")
    DEC_MD5_VID(STRONGSWAN_2_7_1, "strongSwan 2.7.1")
    DEC_MD5_VID(STRONGSWAN_2_7_0, "strongSwan 2.7.0")
    DEC_MD5_VID(STRONGSWAN_2_6_4, "strongSwan 2.6.4")
    DEC_MD5_VID(STRONGSWAN_2_6_3, "strongSwan 2.6.3")
    DEC_MD5_VID(STRONGSWAN_2_6_2, "strongSwan 2.6.2")
    DEC_MD5_VID(STRONGSWAN_2_6_1, "strongSwan 2.6.1")
    DEC_MD5_VID(STRONGSWAN_2_6_0, "strongSwan 2.6.0")
    DEC_MD5_VID(STRONGSWAN_2_5_7, "strongSwan 2.5.7")
    DEC_MD5_VID(STRONGSWAN_2_5_6, "strongSwan 2.5.6")
    DEC_MD5_VID(STRONGSWAN_2_5_5, "strongSwan 2.5.5")
    DEC_MD5_VID(STRONGSWAN_2_5_4, "strongSwan 2.5.4")
    DEC_MD5_VID(STRONGSWAN_2_5_3, "strongSwan 2.5.3")
    DEC_MD5_VID(STRONGSWAN_2_5_2, "strongSwan 2.5.2")
    DEC_MD5_VID(STRONGSWAN_2_5_1, "strongSwan 2.5.1")
    DEC_MD5_VID(STRONGSWAN_2_5_0, "strongSwan 2.5.0")
    DEC_MD5_VID(STRONGSWAN_2_4_4, "strongSwan 2.4.4")
    DEC_MD5_VID(STRONGSWAN_2_4_3, "strongSwan 2.4.3")
    DEC_MD5_VID(STRONGSWAN_2_4_2, "strongSwan 2.4.2")
    DEC_MD5_VID(STRONGSWAN_2_4_1, "strongSwan 2.4.1")
    DEC_MD5_VID(STRONGSWAN_2_4_0, "strongSwan 2.4.0")
    DEC_MD5_VID(STRONGSWAN_2_3_2, "strongSwan 2.3.2")
    DEC_MD5_VID(STRONGSWAN_2_3_1, "strongSwan 2.3.1")
    DEC_MD5_VID(STRONGSWAN_2_3_0, "strongSwan 2.3.0")
    DEC_MD5_VID(STRONGSWAN_2_2_2, "strongSwan 2.2.2")
    DEC_MD5_VID(STRONGSWAN_2_2_1, "strongSwan 2.2.1")
    DEC_MD5_VID(STRONGSWAN_2_2_0, "strongSwan 2.2.0")

    /* NAT-Traversal
     * handle_known_vendorid() picks the method with the highest id among
     * the ones the peer sends, so the enum order in vendor.h matters. */

    DEC_MD5_VID(NATT_STENBERG_01, "draft-stenberg-ipsec-nat-traversal-01")
    DEC_MD5_VID(NATT_STENBERG_02, "draft-stenberg-ipsec-nat-traversal-02")
    DEC_MD5_VID(NATT_HUTTUNEN, "ESPThruNAT")
    DEC_MD5_VID(NATT_HUTTUNEN_ESPINUDP, "draft-huttunen-ipsec-esp-in-udp-00.txt")
    DEC_MD5_VID(NATT_IETF_00, "draft-ietf-ipsec-nat-t-ike-00")
    DEC_MD5_VID(NATT_IETF_02, "draft-ietf-ipsec-nat-t-ike-02")
    /* hash in draft-ietf-ipsec-nat-t-ike-02 contains '\n'... Accept both */
    DEC_MD5_VID_D(NATT_IETF_02_N, "draft-ietf-ipsec-nat-t-ike-02\n", "draft-ietf-ipsec-nat-t-ike-02_n")
    DEC_MD5_VID(NATT_IETF_03, "draft-ietf-ipsec-nat-t-ike-03")
    DEC_MD5_VID(NATT_RFC, "RFC 3947")

    /* misc */

    { VID_MISC_XAUTH, VID_KEEP, NULL, "XAUTH",
      "\x09\x00\x26\x89\xdf\xd6\xb7\x12", 8 },

    /* the afcad713... value listed in the file header as "Non-RFC Dead Peer
     * Detection ?" */
    { VID_MISC_DPD, VID_KEEP, NULL, "Dead Peer Detection",
      "\xaf\xca\xd7\x13\x68\xa1\xf1\xc9\x6b\x86\x96\xfc\x77\x57\x01\x00", 16 },

    /* exact 16-byte hash; see the VID_SUBSTRING_DUMPHEXA variant below */
    DEC_MD5_VID(MISC_FRAGMENTATION, "FRAGMENTATION")

    DEC_MD5_VID(INITIAL_CONTACT, "Vid-Initial-Contact")

    /*
     * Cisco VPN 3000
     * Same id and hash as the MISC_FRAGMENTATION entry above, but with
     * VID_SUBSTRING_DUMPHEXA so that a payload longer than the 16 hash bytes
     * still matches (by prefix) and the extra bytes are logged as hex.
     * For a payload of exactly 16 bytes the plain entry above matches first.
     */
    { VID_MISC_FRAGMENTATION, VID_MD5HASH | VID_SUBSTRING_DUMPHEXA,
      "FRAGMENTATION", NULL, NULL, 0 },

    /* -- end of table: id == 0 stops the scans -- */
    { 0, 0, NULL, NULL, NULL, 0 }

};
273
/* lower-case hex digits, indexed by nibble, for the log dumps */
static const char _hexdig[] = "0123456789abcdef";

/* set to 1 once init_vendorid() has derived the wire bytes of every table entry */
static int _vid_struct_init = 0;
277
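/*
 * Derive the wire bytes (.vid/.vid_len) of every _vid_tab entry from its
 * .data string according to its flags, and fall back to .data as the log
 * description where none is given.  VID_KEEP entries already carry their
 * bytes and are left untouched.
 *
 * Runs once: a repeated call returns immediately, so the strdup()/malloc()
 * results are neither leaked nor re-allocated.  When an allocation fails
 * the entry keeps vid == NULL and vid_len == 0, which handle_vendorid()
 * and out_vendorid() treat as "not usable".
 */
void
init_vendorid(void)
{
    struct vid_struct *vid;
    MD5_CTX ctx;

    if (_vid_struct_init)
        return;

    for (vid = _vid_tab; vid->id; vid++)
    {
        if (vid->flags & VID_STRING)
        {
            /* VendorID is the string itself, without the terminating NUL;
             * only record a length when the copy actually exists */
            vid->vid = strdup(vid->data);
            if (vid->vid)
                vid->vid_len = strlen(vid->data);
        }
        else if (vid->flags & VID_MD5HASH)
        {
            /* VendorID is MD5(data) */
            unsigned char *vidm = malloc(MD5_DIGEST_SIZE);

            vid->vid = (const char *)vidm;
            if (vidm)
            {
                MD5Init(&ctx);
                MD5Update(&ctx, (const u_char *)vid->data, strlen(vid->data));
                MD5Final(vidm, &ctx);
                vid->vid_len = MD5_DIGEST_SIZE;
            }
        }
        else if (vid->flags & VID_FSWAN_HASH)
        {
            /* FreeS/WAN 2.00+ specific hash: "OE" followed by the first
             * FSWAN_VID_SIZE - 2 bytes of MD5(data), each byte forced into
             * the range 0x40..0x7f */
#define FSWAN_VID_SIZE 12
            unsigned char hash[MD5_DIGEST_SIZE];
            unsigned char *vidm = malloc(FSWAN_VID_SIZE);
            int i;

            vid->vid = (const char *)vidm;
            if (vidm)
            {
                MD5Init(&ctx);
                MD5Update(&ctx, (const u_char *)vid->data, strlen(vid->data));
                MD5Final(hash, &ctx);
                vidm[0] = 'O';
                vidm[1] = 'E';
#if FSWAN_VID_SIZE - 2 <= MD5_DIGEST_SIZE
                memcpy(vidm + 2, hash, FSWAN_VID_SIZE - 2);
#else
                memcpy(vidm + 2, hash, MD5_DIGEST_SIZE);
                memset(vidm + 2 + MD5_DIGEST_SIZE, '\0',
                       FSWAN_VID_SIZE - 2 - MD5_DIGEST_SIZE);
#endif
                for (i = 2; i < FSWAN_VID_SIZE; i++)
                {
                    vidm[i] &= 0x7f;
                    vidm[i] |= 0x40;
                }
                vid->vid_len = FSWAN_VID_SIZE;
            }
        }

        if (vid->descr == NULL)
        {
            /* nothing better to show in the logs than the source string */
            vid->descr = vid->data;
        }
    }
    _vid_struct_init = 1;
}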
346
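/*
 * Act on a received Vendor ID payload that matched table entry vid
 * (exactly, or as a prefix when the entry carries a VID_SUBSTRING flag):
 * record in md what the peer advertised and log the payload.
 *
 * md     - message digest of the packet; .openpgp, .dpd and
 *          .nat_traversal_vid are updated for the VIDs acted upon
 * vidstr - raw payload bytes as received from the peer (untrusted)
 * len    - number of bytes in vidstr
 * vid    - the matching _vid_tab entry
 *
 * Payload bytes only ever reach the log as hex digits or as printable
 * characters with a '.' placeholder; they are never used as a format
 * string, and every dump is bounded by sizeof(vid_dump).
 */
static void
handle_known_vendorid (struct msg_digest *md
    , const char *vidstr, size_t len, struct vid_struct *vid)
{
    char vid_dump[128];
    bool vid_useful = FALSE;
    size_t i, j;

    switch (vid->id) {
    /* Remote side supports OpenPGP certificates */
    case VID_OPENPGP:
        md->openpgp = TRUE;
        vid_useful = TRUE;
        break;

    /*
     * Use most recent supported NAT-Traversal method and ignore the
     * other ones (implementations will send all supported methods but
     * only one will be used)
     *
     * Note: most recent == higher id in vendor.h
     */
    case VID_NATT_IETF_00:
        if (!nat_traversal_support_non_ike)
            break;
        if (nat_traversal_enabled && !md->nat_traversal_vid)
        {
            md->nat_traversal_vid = vid->id;
            vid_useful = TRUE;
        }
        break;
    case VID_NATT_IETF_02:
    case VID_NATT_IETF_02_N:
    case VID_NATT_IETF_03:
    case VID_NATT_RFC:
        if (nat_traversal_support_port_floating
        && md->nat_traversal_vid < vid->id)
        {
            md->nat_traversal_vid = vid->id;
            vid_useful = TRUE;
        }
        break;

    /* Remote side would like to do DPD with us on this connection */
    case VID_MISC_DPD:
        md->dpd = TRUE;
        vid_useful = TRUE;
        break;
    default:
        break;
    }

    if (vid->flags & VID_SUBSTRING_DUMPHEXA)
    {
        /* description followed by the bytes beyond the matched prefix in
         * hex; the bound leaves room for two digits plus the NUL */
        memset(vid_dump, 0, sizeof(vid_dump));
        snprintf(vid_dump, sizeof(vid_dump), "%s ",
                 vid->descr ? vid->descr : "");
        for (i = strlen(vid_dump), j = vid->vid_len;
             j < len && i < sizeof(vid_dump) - 2;
             i += 2, j++)
        {
            /* plain char may be signed: index the digit table with the
             * unsigned byte value, not a sign-extended one */
            unsigned char c = (unsigned char)vidstr[j];

            vid_dump[i] = _hexdig[c >> 4];
            vid_dump[i+1] = _hexdig[c & 0xF];
        }
    }
    else if (vid->flags & VID_SUBSTRING_DUMPASCII)
    {
        /* printable ASCII of the whole payload, anything else shown as '.' */
        memset(vid_dump, 0, sizeof(vid_dump));
        for (i = 0; i < len && i < sizeof(vid_dump) - 1; i++)
        {
            /* isprint() is only defined for unsigned char values (and EOF);
             * a negative plain char from a byte >= 0x80 would be undefined
             * behaviour, so convert first */
            unsigned char c = (unsigned char)vidstr[i];

            vid_dump[i] = isprint(c) ? (char)c : '.';
        }
    }
    else
    {
        /* description only */
        snprintf(vid_dump, sizeof(vid_dump), "%s",
                 vid->descr ? vid->descr : "");
    }

    loglog(RC_LOG_SERIOUS, "%s Vendor ID payload [%s]",
           vid_useful ? "received" : "ignoring", vid_dump);
}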
432
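/*
 * Look a received Vendor ID payload up in _vid_tab and act on it.
 *
 * md  - message digest the payload belongs to (handed to
 *       handle_known_vendorid, which records what the peer advertised)
 * vid - raw payload bytes as received from the peer (untrusted); a NULL
 *       pointer is treated as an empty payload regardless of len
 * len - number of bytes in vid
 *
 * The table is scanned in order and the first match wins.  An entry matches
 * when its bytes equal the payload, or when it carries a VID_SUBSTRING flag
 * and its bytes are a prefix of a longer payload.  Entries whose bytes could
 * not be derived at init time (vid == NULL or vid_len == 0) never match.
 * Anything unmatched is logged as hex, truncated to MAX_LOG_VID_LEN bytes
 * with a "..." marker, and ignored.
 */
void
handle_vendorid (struct msg_digest *md, const char *vid, size_t len)
{
    struct vid_struct *pvid;
    char log_vid[2*MAX_LOG_VID_LEN+1];
    size_t i;

    if (!_vid_struct_init)
        init_vendorid();

    /* never read through a NULL payload pointer, whatever len claims */
    if (vid == NULL)
        len = 0;

    /*
     * Find known VendorID in _vid_tab
     */
    for (pvid = _vid_tab; len && pvid->id; pvid++)
    {
        if (pvid->vid == NULL || pvid->vid_len == 0)
            continue;

        if (pvid->vid_len == len)
        {
            if (memcmp(pvid->vid, vid, len) == 0)
            {
                handle_known_vendorid(md, vid, len, pvid);
                return;
            }
        }
        else if (pvid->vid_len < len && (pvid->flags & VID_SUBSTRING))
        {
            if (memcmp(pvid->vid, vid, pvid->vid_len) == 0)
            {
                handle_known_vendorid(md, vid, len, pvid);
                return;
            }
        }
    }

    /*
     * Unknown VendorID.  Log the beginning as hex; the buffer holds two
     * digits per byte plus the terminating NUL.
     */
    memset(log_vid, 0, sizeof(log_vid));
    for (i = 0; i < len && i < MAX_LOG_VID_LEN; i++)
    {
        /* plain char may be signed: index the digit table with the
         * unsigned byte value */
        unsigned char c = (unsigned char)vid[i];

        log_vid[2*i] = _hexdig[c >> 4];
        log_vid[2*i+1] = _hexdig[c & 0xF];
    }
    loglog(RC_LOG_SERIOUS, "ignoring Vendor ID payload [%s%s]",
           log_vid, (len > MAX_LOG_VID_LEN) ? "..." : "");
}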
485
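/**
 * Add a vendor id payload to the msg
 *
 * np   - next-payload type recorded in the generic payload header
 * outs - output stream the payload is appended to
 * vid  - which _vid_tab entry to send
 *
 * Returns the result of out_generic_raw(), or FALSE when vid is not in the
 * table or its bytes could not be derived at init time.  The function is
 * declared bool, so the enum stf_status value STF_INTERNAL_ERROR that used
 * to be returned on those paths was the wrong type: a caller testing
 * `!out_vendorid(...)` only sees the failure if the value is zero.
 */
bool
out_vendorid (u_int8_t np, pb_stream *outs, enum known_vendorid vid)
{
    struct vid_struct *pvid;

    if (!_vid_struct_init)
        init_vendorid();

    /* stops on the matching entry or on the id == 0 sentinel */
    for (pvid = _vid_tab; pvid->id; pvid++)
    {
        if (pvid->id == vid)
            break;
    }

    if (pvid->id != vid)
    {
        /* not found */
        return FALSE;
    }
    if (!pvid->vid)
    {
        /* not initialized: allocation failed in init_vendorid() */
        return FALSE;
    }

    DBG(DBG_EMITTING,
        DBG_log("out_vendorid(): sending [%s]", pvid->descr)
    )
    return out_generic_raw(np, &isakmp_vendor_id_desc, outs,
                           pvid->vid, pvid->vid_len, "V_ID");
}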
510