ipsec-tools: use aggressive mode when identifier is set.

From RFC 2409 section 5.4,
   When using pre-shared key authentication with Main Mode the key can
   only be identified by the IP address of the peers since HASH_I must
   be computed before the initiator has processed IDir. Aggressive Mode
   allows for a wider range of identifiers of the pre-shared secret to
   be used. In addition, Aggressive Mode allows two parties to maintain
   multiple, different pre-shared keys and identify the correct one for
   a particular exchange.

From draft-ietf-ipsec-isakmp-xauth-06 section 8,
   When using XAUTH with Pre-Shared keys, where the peer's IP address
   is dynamic, Main Mode SHOULD NOT be used, and is STRONGLY
   DISCOURAGED. In this particular scenario, the phase 1
   authentication becomes suspect as the administrator has little
   choice but to use one single Shared-Key for all users, and group-
   shared keys are susceptible to social engineering attacks.

Change-Id: I2b414098ebb7624e4dc1be1416f746c523952d06
diff --git a/setup.c b/setup.c
index d37d44d..ed0ea7e 100644
--- a/setup.c
+++ b/setup.c
@@ -296,6 +296,34 @@
     }
 }
 
+static vchar_t *strtovchar(char *string)
+{
+    vchar_t *vchar = string ? vmalloc(strlen(string) + 1) : NULL;
+    if (vchar) {
+        memcpy(vchar->v, string, vchar->l);
+    }
+    return vchar;
+}
+
+static void set_pre_shared_key(struct remoteconf *remoteconf,
+        char *identifier, char *key)
+{
+    pre_shared_key = key;
+    if (identifier[0]) {
+        remoteconf->idv = strtovchar(identifier);
+        remoteconf->idv->l -= 1;
+        remoteconf->etypes->type = ISAKMP_ETYPE_AGG;
+
+        remoteconf->idvtype = IDTYPE_KEYID;
+        if (strchr(identifier, '.')) {
+            remoteconf->idvtype = IDTYPE_FQDN;
+            if (strchr(identifier, '@')) {
+                remoteconf->idvtype = IDTYPE_USERFQDN;
+            }
+        }
+    }
+}
+
 static vchar_t *get_certificate(char *type, char *file)
 {
     char path[PATH_MAX + 1];
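Review bot: `remoteconf->idv->l -= 1` in the new `set_pre_shared_key()` dereferences the result of `strtovchar()` without checking it, and that helper visibly returns NULL when `vmalloc()` fails, so an allocation failure becomes a NULL dereference. Check the pointer before adjusting the length, e.g. `if (!remoteconf->idv) { /* allocation failure: abort the configuration */ }`, using whatever fatal-error path the rest of setup.c uses (not visible here). The switch to `ISAKMP_ETYPE_AGG` also deserves a why-comment: in IKEv1 aggressive mode the identity and the PSK-derived hash are exchanged before the ISAKMP SA is encrypted, which is the well-known reason aggressive-mode pre-shared keys can be attacked offline, so something like `/* Aggressive mode sends ID and HASH before encryption is up: the PSK must be high-entropy, not a passphrase. */` would warn future maintainers. The commit message quotes the RFC's flexibility argument but not this trade-off.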
@@ -316,6 +344,7 @@
     remoteconf->myprivfile = user_private_key;
     remoteconf->mycertfile = user_certificate;
     if (user_certificate) {
+        remoteconf->idvtype = IDTYPE_ASN1DN;
         remoteconf->mycert = get_certificate("user", user_certificate);
     }
     if (!ca_certificate[0]) {
@@ -324,16 +353,6 @@
         remoteconf->cacertfile = ca_certificate;
         remoteconf->cacert = get_certificate("CA", ca_certificate);
     }
-    remoteconf->idvtype = IDTYPE_ASN1DN;
-}
-
-static vchar_t *strtovchar(char *string)
-{
-    vchar_t *vchar = string ? vmalloc(strlen(string) + 1) : NULL;
-    if (vchar) {
-        memcpy(vchar->v, string, vchar->l);
-    }
-    return vchar;
 }
 
 #ifdef ENABLE_HYBRID
@@ -377,21 +396,23 @@
         remoteconf = newrmconf();
         remoteconf->etypes = racoon_calloc(1, sizeof(struct etypes));
         remoteconf->etypes->type = ISAKMP_ETYPE_IDENT;
+        remoteconf->idvtype = IDTYPE_ADDRESS;
         remoteconf->ike_frag = TRUE;
         remoteconf->pcheck_level = PROP_CHECK_CLAIM;
         remoteconf->gen_policy = TRUE;
         remoteconf->nat_traversal = TRUE;
+        remoteconf->dh_group = OAKLEY_ATTR_GRP_DESC_MODP1024;
+        oakley_setdhgroup(remoteconf->dh_group, &remoteconf->dhgrp);
         remoteconf->remote = dupsaddr(targets[0]);
         set_port(remoteconf->remote, localconf.port_isakmp);
     }
 
     /* Set authentication method and credentials. */
-    if (argc == 6 && !strcmp(argv[3], "udppsk")) {
-        pre_shared_key = argv[4];
-        remoteconf->idvtype = IDTYPE_ADDRESS;
+    if (argc == 7 && !strcmp(argv[3], "udppsk")) {
+        set_pre_shared_key(remoteconf, argv[4], argv[5]);
         auth = OAKLEY_ATTR_AUTH_METHOD_PSKEY;
 
-        set_port(targets[0], atoi(argv[5]));
+        set_port(targets[0], atoi(argv[6]));
         spdadd(sources[0].addr, targets[0], IPPROTO_UDP, NULL, NULL);
     } else if (argc == 8 && !strcmp(argv[3], "udprsa")) {
         set_certificates(remoteconf, argv[4], argv[5], argv[6]);
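Review bot: The new `remoteconf->dh_group = OAKLEY_ATTR_GRP_DESC_MODP1024` pins Phase 1 to 1024-bit MODP (group 2) for every remote with no comment on why; a fixed group is presumably required because aggressive mode carries KE in the first message so the group cannot be negotiated, but 1024-bit MODP is below current recommendations and the constant is now the only place that decides it. Add a comment stating the constraint and the trade-off, e.g. `/* Aggressive mode sends KE in message 1, so the DH group must be fixed up front; MODP1024 is kept for peer compatibility. */`, and consider a stronger group where the peers allow it. The result of `oakley_setdhgroup()` is discarded; if it can fail (its signature is not visible here) the failure should be checked rather than leaving `dhgrp` unset. The enclosing function starts and ends outside this hunk.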
@@ -401,13 +422,7 @@
         spdadd(sources[0].addr, targets[0], IPPROTO_UDP, NULL, NULL);
 #ifdef ENABLE_HYBRID
     } else if (argc == 10 && !strcmp(argv[3], "xauthpsk")) {
-        pre_shared_key = argv[5];
-        remoteconf->idvtype = IDTYPE_ADDRESS;
-        if (*argv[4]) {
-            remoteconf->idv = strtovchar(argv[4]);
-            /* We might want to add some heuristics to detect the type? */
-            remoteconf->idvtype = IDTYPE_KEYID;
-        }
+        set_pre_shared_key(remoteconf, argv[4], argv[5]);
         set_xauth_and_more(remoteconf, argv[6], argv[7], argv[8], argv[9]);
         auth = OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I;
     } else if (argc == 11 && !strcmp(argv[3], "xauthrsa")) {
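Review bot: The `set_pre_shared_key(remoteconf, argv[4], argv[5])` call on the new line replaces the old unconditional `IDTYPE_KEYID` with a heuristic (defined earlier in this patch) that tests for `'.'` before `'@'`, so `alice@vpn` with no dot is still sent as KEYID while `alice@vpn.example` becomes USERFQDN, and a dotted-quad such as `10.0.0.1` is sent as FQDN rather than ADDRESS. If that is not intended, test `'@'` first: `if (strchr(identifier, '@')) remoteconf->idvtype = IDTYPE_USERFQDN; else if (strchr(identifier, '.')) remoteconf->idvtype = IDTYPE_FQDN; else remoteconf->idvtype = IDTYPE_KEYID;`. The call also silently moves every existing xauthpsk user that supplies an identifier from main mode to aggressive mode; a one-line comment at the call site, `/* A non-empty identifier selects aggressive mode (see set_pre_shared_key). */`, would make that behaviour change visible to the next reader. The enclosing function starts and ends outside this hunk.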
@@ -421,7 +436,7 @@
 #endif
     } else {
         printf("Usage: %s <interface> <server> [...], where [...] can be:\n"
-                " udppsk    <pre-shared-key> <port>\n"
+                " udppsk    <identifier> <pre-shared-key> <port>\n"
                 " udprsa    <user-private-key> <user-cert> <ca-cert> <port>\n"
 #ifdef ENABLE_HYBRID
                 " xauthpsk  <identifier> <pre-shared-key>"
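Review bot: The updated usage line `udppsk    <identifier> <pre-shared-key> <port>` does not say what the identifier does or that it may be empty; from the new `set_pre_shared_key()` an empty identifier keeps main mode with the peer's IP address as identity, while a non-empty one switches to aggressive mode with the ID type guessed from its form. A short hint in the usage text, e.g. `" udppsk    <identifier> <pre-shared-key> <port>  (empty identifier: main mode, address identity)\n"`, spares users from reading the source to learn this. The printf statement continues past the end of this hunk.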