-rw-r--r-- | sbin/isakmpd/Makefile | 5 | ||||
-rw-r--r-- | sbin/isakmpd/exchange.h | 3 | ||||
-rw-r--r-- | sbin/isakmpd/ike_phase_1.c | 15 | ||||
-rw-r--r-- | sbin/isakmpd/init.c | 4 | ||||
-rw-r--r-- | sbin/isakmpd/message.c | 4 | ||||
-rw-r--r-- | sbin/isakmpd/vendor.c | 140 | ||||
-rw-r--r-- | sbin/isakmpd/vendor.h | 26 |
7 files changed, 189 insertions, 8 deletions
diff --git a/sbin/isakmpd/Makefile b/sbin/isakmpd/Makefile
index f465658abfe..ef5cce93cd8 100644
--- a/sbin/isakmpd/Makefile
+++ b/sbin/isakmpd/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.77 2005/05/18 20:15:22 hshoexer Exp $
+# $OpenBSD: Makefile,v 1.78 2006/07/02 13:19:00 hshoexer Exp $
 # $EOM: Makefile,v 1.78 2000/10/15 21:33:42 niklas Exp $
 #
@@ -42,7 +42,8 @@ SRCS= app.c attribute.c cert.c connection.c constants.c conf.c \
 prf.c sa.c sysdep.c timer.c transport.c virtual.c udp.c \
 ui.c util.c x509.c \
 pf_key_v2.c policy.c math_ec2n.c ike_aggressive.c isakmp_cfg.c \
- dpd.c monitor.c monitor_fdpass.c nat_traversal.c udp_encap.c
+ dpd.c monitor.c monitor_fdpass.c nat_traversal.c udp_encap.c \
+ vendor.c
 GENERATED= exchange_num.h ipsec_fld.h ipsec_num.h isakmp_fld.h \
 isakmp_num.h
diff --git a/sbin/isakmpd/exchange.h b/sbin/isakmpd/exchange.h
index adb07976b38..56fb1efc8b1 100644
--- a/sbin/isakmpd/exchange.h
+++ b/sbin/isakmpd/exchange.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: exchange.h,v 1.31 2006/05/31 04:54:46 hshoexer Exp $ */
+/* $OpenBSD: exchange.h,v 1.32 2006/07/02 13:19:00 hshoexer Exp $ */
 /* $EOM: exchange.h,v 1.28 2000/09/28 12:54:28 niklas Exp $ */
 /*
@@ -221,6 +221,7 @@ struct exchange {
 #define EXCHANGE_FLAG_DPD_CAP_PEER 0x0040 /* Peer is DPD capable. */
 #define EXCHANGE_FLAG_NAT_T_RFC 0x0080 /* Peer does RFC NAT-T. */
 #define EXCHANGE_FLAG_NAT_T_DRAFT 0x0100 /* Peer does draft NAT-T.*/
+#define EXCHANGE_FLAG_OPENBSD 0x0200 /* Peer is OpenBSD */
 extern int exchange_add_certs(struct message *);
 extern void exchange_finalize(struct message *);
diff --git a/sbin/isakmpd/ike_phase_1.c b/sbin/isakmpd/ike_phase_1.c
index 3333aed6dc4..ccbba6130eb 100644
--- a/sbin/isakmpd/ike_phase_1.c
+++ b/sbin/isakmpd/ike_phase_1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_phase_1.c,v 1.65 2005/07/05 11:59:51 hshoexer Exp $ */
+/* $OpenBSD: ike_phase_1.c,v 1.66 2006/07/02 13:19:00 hshoexer Exp $ */
 /* $EOM: ike_phase_1.c,v 1.31 2000/12/11 23:47:56 niklas Exp $ */
 /*
@@ -59,11 +59,12 @@
 #include "sa.h"
 #include "transport.h"
 #include "util.h"
+#include "vendor.h"
 static int attribute_unacceptable(u_int16_t, u_int8_t *, u_int16_t,
- void *);
+ void *);
 static int ike_phase_1_validate_prop(struct exchange *, struct sa *,
- struct sa *);
+ struct sa *);
 /* Offer a set of transforms to the responder in the MSG message. */
 int
@@ -358,6 +359,10 @@ ike_phase_1_initiator_send_SA(struct message *msg)
 transforms_len += transform_len[i];
 }
+ /* Advertise OpenBSD isakmpd. */
+ if (add_vendor_openbsd(msg))
+ goto bail_out;
+
 /* Advertise NAT-T capability. */
 if (nat_t_add_vendor_payloads(msg))
 goto bail_out;
@@ -518,6 +523,10 @@ ike_phase_1_responder_send_SA(struct message *msg)
 if (message_add_sa_payload(msg))
 return -1;
+ /* Advertise OpenBSD isakmpd. */
+ if (add_vendor_openbsd(msg))
+ return -1;
+
 /* Advertise NAT-T capability. */
 if (nat_t_add_vendor_payloads(msg))
 return -1;
diff --git a/sbin/isakmpd/init.c b/sbin/isakmpd/init.c
index 37e494727fd..b47a8206029 100644
--- a/sbin/isakmpd/init.c
+++ b/sbin/isakmpd/init.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: init.c,v 1.38 2006/03/20 16:43:22 hshoexer Exp $ */
+/* $OpenBSD: init.c,v 1.39 2006/07/02 13:19:00 hshoexer Exp $ */
 /* $EOM: init.c,v 1.25 2000/03/30 14:27:24 ho Exp $ */
 /*
@@ -55,6 +55,7 @@
 #include "udp.h"
 #include "ui.h"
 #include "util.h"
+#include "vendor.h"
 #include "policy.h"
@@ -94,6 +95,7 @@ init(void)
 udp_init();
 nat_t_init();
 udp_encap_init();
+ vendor_init();
 }
 /* Reinitialize, either after a SIGHUP reception or by FIFO UI cmd. */
diff --git a/sbin/isakmpd/message.c b/sbin/isakmpd/message.c
index b63fdb14d57..51a6d076edf 100644
--- a/sbin/isakmpd/message.c
+++ b/sbin/isakmpd/message.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: message.c,v 1.119 2006/06/02 19:35:55 hshoexer Exp $ */
+/* $OpenBSD: message.c,v 1.120 2006/07/02 13:19:00 hshoexer Exp $ */
 /* $EOM: message.c,v 1.156 2000/10/10 12:36:39 provos Exp $ */
 /*
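Review bot: The responder hunk at @@ -518 sends the `OpenBSD-4.0` vendor ID to every initiator in the second main-mode message, before any peer authentication has happened, so the implementation and its version are disclosed to any unauthenticated sender; the initiator hunk at @@ -358 does the same toward every responder. By the time ike_phase_1_responder_send_SA runs, the initiator's vendor payloads have presumably already passed through message_validate_vendor, so the responder could echo the VID only to peers that announced it, e.g. `if ((msg->exchange->flags & EXCHANGE_FLAG_OPENBSD) && add_vendor_openbsd(msg))`, or the advertisement could be put behind a configuration knob. Whichever is chosen deserves a comment at the call site, because the NAT-T VIDs next to it are needed for interoperability whereas this one is purely informational. Both enclosing functions start and end outside the hunks.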
@@ -58,6 +58,7 @@
 #include "timer.h"
 #include "transport.h"
 #include "util.h"
+#include "vendor.h"
 #include "virtual.h"
 /* A local set datatype, coincidentally fd_set suits our purpose fine. */
@@ -1144,6 +1145,7 @@ message_validate_vendor(struct message *msg, struct payload *p)
 message_drop(msg, ISAKMP_NOTIFY_INVALID_PAYLOAD_TYPE, 0, 1, 1);
 return -1;
 }
+ check_vendor_openbsd(msg, p);
 dpd_check_vendor_payload(msg, p);
 nat_t_check_vendor_payload(msg, p);
 if (!(p->flags & PL_MARK))
diff --git a/sbin/isakmpd/vendor.c b/sbin/isakmpd/vendor.c
new file mode 100644
index 00000000000..e10ace8acee
--- /dev/null
+++ b/sbin/isakmpd/vendor.c
@@ -0,0 +1,140 @@
+/* $OpenBSD: */
+/*
+ * Copyright (c) 2006 Hans-Joerg Hoexer <hshoexer@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/types.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "exchange.h"
+#include "hash.h"
+#include "log.h"
+#include "message.h"
+#include "vendor.h"
+
+static struct vendor_cap openbsd_vendor_cap[] = {
+ { "OpenBSD-4.0", NULL, 0 },
+};
+
+#define NUMVIDS (sizeof openbsd_vendor_cap / sizeof openbsd_vendor_cap[0])
+
+static int
+setup_vendor_hashes(void)
+{
+ struct hash *hash;
+ int i, n = NUMVIDS;
+
+ hash = hash_get(HASH_MD5);
+ if (!hash) {
+ log_print("setup_vendor_hashes: could not find MD5 hash");
+ return (-1);
+ }
+
+ for (i = 0; i < n; i++) {
+ openbsd_vendor_cap[i].hashsize = hash->hashsize;
+ openbsd_vendor_cap[i].hash = calloc(hash->hashsize,
+ sizeof(u_int8_t));
+ if (openbsd_vendor_cap[i].hash == NULL) {
+ log_error("setup_vendor_hashes: calloc failed");
+ goto errout;
+ }
+
+ hash->Init(hash->ctx);
+ hash->Update(hash->ctx,
+ (unsigned char *)openbsd_vendor_cap[i].text,
+ strlen(openbsd_vendor_cap[i].text));
+ hash->Final(openbsd_vendor_cap[i].hash, hash->ctx);
+
+ LOG_DBG((LOG_EXCHANGE, 50, "setup_vendor_hashes: "
+ "MD5(\"%s\") (%lu bytes)", openbsd_vendor_cap[i].text,
+ (unsigned long)hash->hashsize));
+ LOG_DBG_BUF((LOG_EXCHANGE, 50, "setup_vendor_hashes",
+ openbsd_vendor_cap[i].hash, hash->hashsize));
+ }
+ return (0);
+
+errout:
+ for (i = 0; i < n; i++)
+ if (openbsd_vendor_cap[i].hash)
+ free(openbsd_vendor_cap[i].hash);
+ return (-1);
+}
+
+void
+vendor_init(void)
+{
+ setup_vendor_hashes();
+}
+
+int
+add_vendor_openbsd(struct message *msg)
+{
+ u_int8_t *buf;
+ size_t buflen;
+ int i, n = NUMVIDS;
+
+ for (i = 0; i < n; i++) {
+ buflen = openbsd_vendor_cap[i].hashsize + ISAKMP_GEN_SZ;
+ if ((buf = calloc(buflen, sizeof(char))) == NULL) {
+ log_error("add_vendor_payload: calloc(%lu) failed",
+ (unsigned long)buflen);
+ return (-1);
+ }
+
+ SET_ISAKMP_GEN_LENGTH(buf, buflen);
+ memcpy(buf + ISAKMP_VENDOR_ID_OFF, openbsd_vendor_cap[i].hash,
+ openbsd_vendor_cap[i].hashsize);
+ if (message_add_payload(msg, ISAKMP_PAYLOAD_VENDOR, buf,
+ buflen, 1)) {
+ free(buf);
+ return (-1);
+ }
+ }
+
+ return (0);
+}
+
+void
+check_vendor_openbsd(struct message *msg, struct payload *p)
+{
+ u_int8_t *pbuf = p->p;
+ ssize_t vlen;
+ int i, n = NUMVIDS;
+
+ if (msg->exchange->flags & EXCHANGE_FLAG_OPENBSD) {
+ p->flags |= PL_MARK;
+ return;
+ }
+
+ vlen = GET_ISAKMP_GEN_LENGTH(pbuf) - ISAKMP_GEN_SZ;
+
+ for (i = 0; i < n; i++) {
+ if (vlen != openbsd_vendor_cap[i].hashsize) {
+ LOG_DBG((LOG_EXCHANGE, 90,
+ "check_vendor_openbsd: bad size %lu != %lu",
+ (unsigned long)vlen,
+ (unsigned long)openbsd_vendor_cap[i].hashsize));
+ continue;
+ }
+ if (memcmp(openbsd_vendor_cap[i].hash, pbuf + ISAKMP_GEN_SZ,
+ vlen) == 0) {
+ msg->exchange->flags |= EXCHANGE_FLAG_OPENBSD;
+ LOG_DBG((LOG_EXCHANGE, 10, "check_vendor_openbsd: "
+ "OpenBSD (%s)", openbsd_vendor_cap[i].text));
+ }
+ p->flags |= PL_MARK;
+ }
+}
diff --git a/sbin/isakmpd/vendor.h b/sbin/isakmpd/vendor.h
new file mode 100644
index 00000000000..d67f28be340
--- /dev/null
+++ b/sbin/isakmpd/vendor.h
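Review bot: In check_vendor_openbsd the trailing `p->flags |= PL_MARK;` in the loop body runs whenever the payload length equals our digest size, whether or not the memcmp matched, so any foreign vendor ID of that length is claimed as handled and the `!(p->flags & PL_MARK)` test in message_validate_vendor never sees it; the marking belongs inside the `memcmp(...) == 0` block. Separately, setup_vendor_hashes assigns `hashsize` before the calloc and the errout loop frees without clearing, while vendor_init discards the return value, so after an allocation failure add_vendor_openbsd and check_vendor_openbsd would read a NULL or freed `hash` with a non-zero length; in errout write `free(openbsd_vendor_cap[i].hash); openbsd_vendor_cap[i].hash = NULL; openbsd_vendor_cap[i].hashsize = 0;` and have the two callers skip entries whose hash is NULL. The calloc failure message in add_vendor_openbsd names `add_vendor_payload`, a function that does not exist in this file, which will mislead whoever reads the log.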
@@ -0,0 +1,26 @@
+/* $OpenBSD: */
+/*
+ * Copyright (c) 2006 Hans-Joerg Hoexer <hshoexer@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+struct vendor_cap {
+ const char *text;
+ char *hash;
+ size_t hashsize;
+};
+
+void vendor_init(void);
+int add_vendor_openbsd(struct message *);
+void check_vendor_openbsd(struct message *, struct payload *);
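Review bot: `char *hash` in struct vendor_cap holds a raw MD5 digest that vendor.c fills through `hash->Final` and compares byte-wise against `u_int8_t` payload data, so the field would better be `u_int8_t *hash`; if Final takes a `u_int8_t *` digest buffer, the current declaration also produces an incompatible-pointer-type warning at that call. The header uses `size_t`, `struct message` and `struct payload` without including <sys/types.h> or declaring the structs, so it only compiles when included after the headers that provide them; adding `struct message; struct payload;` before the prototypes would make the include order irrelevant. Whether an include guard is expected here depends on the convention of the other isakmpd headers, which are not visible in this diff.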