📄 vendor.c
/** VendorID is a string **/ vid->vid = strdup(vid->data); vid->vid_len = strlen(vid->data); } else if (vid->flags & VID_MD5HASH) { /** VendorID is a string to hash with MD5 **/ char *vidm = malloc(MD5_DIGEST_SIZE); vid->vid = vidm; if (vidm) { unsigned const char *d = vid->data; osMD5Init(&ctx); osMD5Update(&ctx, d, strlen(vid->data)); osMD5Final(vidm, &ctx); vid->vid_len = MD5_DIGEST_SIZE; } } else if (vid->flags & VID_FSWAN_HASH) { /** FreeS/WAN 2.00+ specific hash **/#define FSWAN_VID_SIZE 12 unsigned char hash[MD5_DIGEST_SIZE]; char *vidm = malloc(FSWAN_VID_SIZE); vid->vid = vidm; if (vidm) { osMD5Init(&ctx); osMD5Update(&ctx, vid->data, strlen(vid->data)); osMD5Final(hash, &ctx); vidm[0] = 'O'; vidm[1] = 'E';#if FSWAN_VID_SIZE - 2 <= MD5_DIGEST_SIZE memcpy(vidm + 2, hash, FSWAN_VID_SIZE - 2);#else memcpy(vidm + 2, hash, MD5_DIGEST_SIZE); memset(vidm + 2 + MD5_DIGEST_SIZE, '\0', FSWAN_VID_SIZE - 2 - MD5_DIGEST_SIZE);#endif for (i = 2; i < FSWAN_VID_SIZE; i++) { vidm[i] &= 0x7f; vidm[i] |= 0x40; } vid->vid_len = FSWAN_VID_SIZE; } } if (vid->descr == NULL) { /** Find something to display **/ vid->descr = vid->data; }#if 0 DBG_log("vendorid_init: %d [%s]", vid->id, vid->descr ? vid->descr : "" ); if (vid->vid) DBG_dump("VID:", vid->vid, vid->vid_len);#endif } _vid_struct_init = 1;}/** * Handle Known VendorID's. This function parses what the remote peer * sends us, and enables/disables features based on it. As we go along, * we set vid_usefull =1 if we did something based on this VendorID. This * supresses the 'Ignored VendorID ...' log message. 
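*
 * @param md Message digest of the packet. Although the parameter carries the
 *           UNUSED marker, it is dereferenced below: md->quirks.* and
 *           md->dpd are updated according to the Vendor ID seen.
 * @param vidstr VendorID String (raw payload bytes supplied by the peer;
 *               not NUL-terminated as far as this function assumes)
 * @param len Length of vidstr
 * @param vid VendorID Struct (see vendor.h) - the table entry that matched
 * @param st State Structure (not referenced in this function)
 * @return void
 */
static void
handle_known_vendorid(struct msg_digest *md UNUSED
    , const char *vidstr
    , size_t len
    , struct vid_struct *vid
    , struct state *st UNUSED)
{
    char vid_dump[128];
    int vid_usefull = 0;
    size_t i, j;

    switch (vid->id) {
#ifdef NAT_TRAVERSAL
    /**
     * Use most recent supported NAT-Traversal method and ignore
     * the other ones (implementations will send all supported
     * methods but only one will be used)
     *
     * Note: most recent == higher id in vendor.h
     */
    /* PAUL TRY THIS IF BELOW FAILS WITH APPLE */
    /*case VID_NATT_DRAFT_IETF_IPSEC_NAT_T_IKE: */
    case VID_NATT_IETF_00:
        if (!nat_traversal_support_non_ike)
            break;
        vid_usefull = 1;
        if ((nat_traversal_enabled) && (!md->quirks.nat_traversal_vid)) {
            md->quirks.nat_traversal_vid = vid->id;
        }
        break;

    case VID_NATT_IETF_02:
    case VID_NATT_IETF_02_N:
    case VID_NATT_IETF_03:
    case VID_NATT_DRAFT_IETF_IPSEC_NAT_T_IKE:
    case VID_NATT_RFC:
        vid_usefull = 1;
        /*
         * Every path below logs its own message and returns, so the
         * generic "received/ignoring" line at the end of the function
         * is never emitted for these ids.
         */
        if (!nat_traversal_support_port_floating) {
            loglog(RC_LOG_SERIOUS
                , "received Vendor ID payload [%s] meth=%d, "
                  "but port floating is off"
                , vid->descr, vid->id);
            return;
        } else {
            if (md->quirks.nat_traversal_vid < vid->id) {
                loglog(RC_LOG_SERIOUS
                    , "received Vendor ID payload [%s] method set to=%d "
                    , vid->descr, vid->id);
                md->quirks.nat_traversal_vid = vid->id;
                return;
            } else {
                loglog(RC_LOG_SERIOUS
                    , "received Vendor ID payload [%s] meth=%d, "
                      "but already using method %d"
                    , vid->descr, vid->id
                    , md->quirks.nat_traversal_vid);
                return;
            }
        }
        break;
#endif

    case VID_MISC_DPD:
        /* Remote side would like to do DPD with us on this connection */
        md->dpd = 1;
        vid_usefull = 1;
        break;

/* We only need these when dealing with XAUTH */
#ifdef XAUTH
    case VID_SSH_SENTINEL_1_4_1:
        loglog(RC_LOG_SERIOUS
            , "SSH Sentinel 1.4.1 found, setting XAUTH_ACK quirk");
        md->quirks.xauth_ack_msgid = TRUE;
        vid_usefull = 1;
        break;

    case VID_CISCO_UNITY:
        md->quirks.modecfg_pull_mode = TRUE;
        vid_usefull = 1;
        break;

    case VID_MISC_XAUTH:
        vid_usefull = 1;
        break;
#endif

    case VID_OPENSWANSELF:
        vid_usefull = 1;
        break;

    default:
        break;
    }

    /*
     * Build the text that goes into the log line. vidstr is peer-supplied,
     * so it is only ever rendered as hex digits or as printable ASCII with
     * everything else replaced by '.'; raw bytes never reach the log.
     */
    if (vid->flags & VID_SUBSTRING_DUMPHEXA) {
        /* Dump description + Hexa */
        memset(vid_dump, 0, sizeof(vid_dump));
        snprintf(vid_dump, sizeof(vid_dump), "%s ",
            vid->descr ? vid->descr : "");
        /*
         * Two output characters per input byte; the "- 2" bound keeps the
         * last byte of the zeroed buffer as the terminating NUL.
         */
        for (i = strlen(vid_dump), j = vid->vid_len;
             (j < len) && (i < sizeof(vid_dump) - 2);
             i += 2, j++) {
            /* Go through unsigned char so bytes >= 0x80 are not shifted
             * as negative values where plain char is signed. */
            const unsigned char byte = (unsigned char)vidstr[j];

            vid_dump[i] = _hexdig[(byte >> 4) & 0xF];
            vid_dump[i + 1] = _hexdig[byte & 0xF];
        }
    }
    else if (vid->flags & VID_SUBSTRING_DUMPASCII) {
        /* Dump ASCII content */
        memset(vid_dump, 0, sizeof(vid_dump));
        for (i = 0; (i < len) && (i < sizeof(vid_dump) - 1); i++) {
            /*
             * isprint() is only defined for EOF and values representable
             * as unsigned char. A peer can send bytes >= 0x80, which are
             * negative where plain char is signed, so cast before the call.
             */
            const unsigned char byte = (unsigned char)vidstr[i];

            vid_dump[i] = isprint(byte) ? vidstr[i] : '.';
        }
    }
    else {
        /* Dump description (descr) */
        snprintf(vid_dump, sizeof(vid_dump), "%s",
            vid->descr ? vid->descr : "");
    }

    loglog(RC_LOG_SERIOUS, "%s Vendor ID payload [%s]",
        vid_usefull ? "received" : "ignoring", vid_dump);
}

/**
 * Handle VendorID's.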
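This function parses what the remote peer
 * sends us, calls handle_known_vendorid on each VID we received
 *
 * Known VendorID's are defined in vendor.h
 *
 * The payload is compared against every initialized entry of _vid_tab:
 * an entry matches on an exact length-and-content match, or, when it is
 * flagged VID_SUBSTRING, when it is a proper prefix of the payload. The
 * first match wins. Unmatched payloads are logged as a truncated hex dump.
 *
 * @param md Message Digest from remote peer
 * @param vid Raw Vendor ID payload bytes received from the peer
 * @param len Length of vid
 * @param st State Structure (Hopefully initialized)
 * @return void
 */
void
handle_vendorid(struct msg_digest *md, const char *vid, size_t len,
    struct state *st)
{
    struct vid_struct *pvid;

    if (!_vid_struct_init) {
        init_vendorid();
    }

    /*
     * Find known VendorID in _vid_tab
     */
    for (pvid = _vid_tab; pvid->id; pvid++) {
        if (pvid->vid && vid && pvid->vid_len && len) {
            if (pvid->vid_len == len) {
                if (memcmp(pvid->vid, vid, len) == 0) {
                    handle_known_vendorid(md, vid, len, pvid, st);
                    return;
                }
            }
            else if ((pvid->vid_len < len) &&
                     (pvid->flags & VID_SUBSTRING)) {
                /* Prefix match: only the table entry's bytes are compared,
                 * and vid_len < len keeps the read inside the payload. */
                if (memcmp(pvid->vid, vid, pvid->vid_len) == 0) {
                    handle_known_vendorid(md, vid, len, pvid, st);
                    return;
                }
            }
        }
    }

    /*
     * Unknown VendorID. Log the beginning.
     */
    {
        char log_vid[2 * MAX_LOG_VID_LEN + 1];
        size_t i;

        memset(log_vid, 0, sizeof(log_vid));
        /*
         * The lookup above tolerates vid == NULL, so this fallback must
         * not dereference it either; a NULL payload logs as empty.
         * At most MAX_LOG_VID_LEN bytes are rendered, two hex digits each,
         * which leaves the final zeroed byte as the terminator.
         */
        for (i = 0; (vid != NULL) && (i < len) && (i < MAX_LOG_VID_LEN); i++) {
            const unsigned char byte = (unsigned char)vid[i];

            log_vid[2 * i] = _hexdig[(byte >> 4) & 0xF];
            log_vid[2 * i + 1] = _hexdig[byte & 0xF];
        }
        loglog(RC_LOG_SERIOUS, "ignoring unknown Vendor ID payload [%s%s]",
            log_vid, (len > MAX_LOG_VID_LEN) ? "..." : "");
    }
}

/**
 * Add a vendor id payload to the msg
 *
 * @param np Next-payload value handed through to out_generic_raw()
 * @param outs PB stream
 * @param vid Int of VendorID to be sent (see vendor.h for the list)
 * @return bool True if successful; FALSE when vid is not in _vid_tab, when
 *         its table entry has no initialized payload, or when emitting fails
 */
bool
out_vendorid(u_int8_t np, pb_stream *outs, unsigned int vid)
{
    struct vid_struct *pvid;

    if (!_vid_struct_init) {
        init_vendorid();
    }

    /* Stop at the requested id or at the terminating entry (id == 0). */
    for (pvid = _vid_tab; (pvid->id) && (pvid->id != vid); pvid++)
        ;

    /*
     * These two paths used to return STF_INTERNAL_ERROR. This function
     * returns bool and STF_INTERNAL_ERROR is not a bool value (its
     * definition is not visible here); if it is non-zero, a caller testing
     * the result would take the failure for success and go on building the
     * message without the Vendor ID. Report failure as FALSE instead.
     */
    if (pvid->id != vid)
        return FALSE;   /* not found */
    if (!pvid->vid)
        return FALSE;   /* not initialized */

    DBG(DBG_EMITTING,
        DBG_log("out_vendorid(): sending [%s]", pvid->descr);
        );

    if (!out_modify_previous_np(ISAKMP_NEXT_VID, outs))
        return FALSE;

    return out_generic_raw(np, &isakmp_vendor_id_desc, outs,
        pvid->vid, pvid->vid_len, "V_ID");
}

/* OpenPGP Vendor ID needed for interoperability with PGPnet
 *
 * Note: it is a NUL-terminated ASCII string, but NUL won't go on the wire.
 *
 * NOTE(review): pgp_vendorid_len is sizeof(pgp_vendorid), which counts the
 * terminating NUL. Whether users of the length subtract one before emitting
 * is not visible here - confirm against the callers.
 */
char pgp_vendorid[] = "OpenPGP10171";
const int pgp_vendorid_len = sizeof(pgp_vendorid);

/* DPD Vendor ID bytes; not a string, so sizeof is the exact payload length. */
char dpd_vendorid[] = {0xAF, 0xCA, 0xD7, 0x13, 0x68, 0xA1, 0xF1, 0xC9, 0x6B, 0x86, 0x96, 0xFC, 0x77, 0x57, 0x01, 0x00};
const int dpd_vendorid_len = sizeof(dpd_vendorid);

/*
 * Local Variables:
 * c-basic-offset:4
 * c-style: pluto
 * End:
 */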