From 8714867440ab2363ef6d587b83cc730c350d0399 Mon Sep 17 00:00:00 2001 From: tobhe Date: Fri, 22 Jul 2022 15:53:33 +0000 Subject: [PATCH] Include an OpenIKED Vendor ID payload in the initial handshake. This will make it easier to handle interoperability problems with older versions in the future. The ID is constructed from the string "OpenIKED-" followed by the version number. Sending of the vendor ID payload can be disabled by specifying "set novendorid" in iked.conf(5). ok markus@ bluhm@ --- sbin/iked/iked.conf.5 | 9 +++++++-- sbin/iked/iked.h | 4 +++- sbin/iked/ikev2.c | 41 +++++++++++++++++++++++++++++++++++++++-- sbin/iked/parse.y | 11 +++++++++-- sbin/iked/types.h | 4 +++- 5 files changed, 61 insertions(+), 8 deletions(-) diff --git a/sbin/iked/iked.conf.5 b/sbin/iked/iked.conf.5 index eabd483a3eb..371b310cb45 100644 --- a/sbin/iked/iked.conf.5 +++ b/sbin/iked/iked.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: iked.conf.5,v 1.93 2022/04/13 11:06:15 tobhe Exp $ +.\" $OpenBSD: iked.conf.5,v 1.94 2022/07/22 15:53:33 tobhe Exp $ .\" .\" Copyright (c) 2010 - 2014 Reyk Floeter .\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved. @@ -15,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: April 13 2022 $ +.Dd $Mdocdate: July 22 2022 $ .Dt IKED.CONF 5 .Os .Sh NAME @@ -216,6 +216,11 @@ If .Ic tolerate is set to 0 then the times are not verified at all. This is the default setting. +.It Ic set vendorid +Send OpenIKED Vendor ID payload. +This is the default +.It Ic set novendorid +Don't send a Vendor ID payload. .It Ic user Ar name password .Xr iked 8 supports user-based authentication by tunneling the Extensible diff --git a/sbin/iked/iked.h b/sbin/iked/iked.h index 17d42dae73c..9873bc36f71 100644 --- a/sbin/iked/iked.h +++ b/sbin/iked/iked.h 
@@ -1,4 +1,4 @@ -/* $OpenBSD: iked.h,v 1.205 2022/07/08 19:51:11 tobhe Exp $ */ +/* $OpenBSD: iked.h,v 1.206 2022/07/22 15:53:33 tobhe Exp $ */ /* * Copyright (c) 2019 Tobias Heider @@ -735,6 +735,7 @@ struct iked_static { uint8_t st_mobike; /* MOBIKE */ in_port_t st_nattport; int st_stickyaddress; /* addr per DSTID */ + int st_vendorid; }; struct iked { @@ -753,6 +754,7 @@ struct iked { #define sc_mobike sc_static.st_mobike #define sc_nattport sc_static.st_nattport #define sc_stickyaddress sc_static.st_stickyaddress +#define sc_vendorid sc_static.st_vendorid struct iked_policies sc_policies; struct iked_policy *sc_defaultcon; diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c index 783d9cb5dfa..9ad1e5e2df0 100644 --- a/sbin/iked/ikev2.c +++ b/sbin/iked/ikev2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ikev2.c,v 1.349 2022/07/08 19:51:11 tobhe Exp $ */ +/* $OpenBSD: ikev2.c,v 1.350 2022/07/22 15:53:33 tobhe Exp $ */ /* * Copyright (c) 2019 Tobias Heider @@ -45,6 +45,7 @@ #include "eap.h" #include "dh.h" #include "chap_ms.h" +#include "version.h" void ikev2_info(struct iked *, int); void ikev2_info_sa(struct iked *, int, const char *, struct iked_sa *); @@ -171,6 +172,8 @@ ssize_t ikev2_add_sighashnotify(struct ibuf *, struct ikev2_payload **, ssize_t); ssize_t ikev2_add_nat_detection(struct iked *, struct ibuf *, struct ikev2_payload **, struct iked_message *, ssize_t); +ssize_t ikev2_add_vendor_id(struct ibuf *, struct ikev2_payload **, + ssize_t, struct ibuf *); ssize_t ikev2_add_notify(struct ibuf *, struct ikev2_payload **, ssize_t, uint16_t); ssize_t ikev2_add_mobike(struct ibuf *, struct ikev2_payload **, ssize_t); @@ -1326,7 +1329,7 @@ ikev2_init_ike_sa_peer(struct iked *env, struct iked_policy *pol, struct ikev2_keyexchange *ke; struct ikev2_notify *n; struct iked_sa *sa = NULL; - struct ibuf *buf, *cookie = NULL; + struct ibuf *buf, *cookie = NULL, *vendor_id = NULL; struct dh_group *group; ssize_t len; int ret = -1; 
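Review bot: The new `st_vendorid` member in the @@ -735 hunk of struct iked_static is the only field in that run without a trailing comment, while `st_mobike` (`/* MOBIKE */`) and `st_stickyaddress` (`/* addr per DSTID */`) right beside it have one. Suggest `int st_vendorid; /* send Vendor ID payload */` to match the neighbours and make the meaning of a non-zero value explicit. The `sc_vendorid` accessor macro added in the following hunk is consistent with the existing `sc_*` defines and needs no change.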
@@ -1440,6 +1443,14 @@ ikev2_init_ike_sa_peer(struct iked *env, struct iked_policy *pol, goto done; len = ibuf_size(sa->sa_inonce); + if (env->sc_vendorid != 0) { + vendor_id = ibuf_new(IKED_VENDOR_ID, strlen(IKED_VENDOR_ID)); + ibuf_add(vendor_id, IKED_VERSION, strlen(IKED_VERSION)); + if ((len = ikev2_add_vendor_id(buf, &pld, len, vendor_id)) + == -1) + goto done; + } + /* Fragmentation Notify */ if (env->sc_frag) { if ((len = ikev2_add_fragmentation(buf, &pld, len)) @@ -1490,6 +1501,7 @@ ikev2_init_ike_sa_peer(struct iked *env, struct iked_policy *pol, ikev2_ike_sa_setreason(sa, "failed to send SA_INIT"); sa_free(env, sa); } + ibuf_free(vendor_id); return (ret); } @@ -2151,6 +2163,21 @@ ikev2_add_notify(struct ibuf *e, struct ikev2_payload **pld, ssize_t len, return (len); } +ssize_t +ikev2_add_vendor_id(struct ibuf *e, struct ikev2_payload **pld, + ssize_t len, struct ibuf *id) +{ + if (*pld) + if (ikev2_next_payload(*pld, len, IKEV2_PAYLOAD_VENDOR) == -1) + return (-1); + if ((*pld = ikev2_add_payload(e)) == NULL) + return (-1); + if (ibuf_cat(e, id) == -1) + return (-1); + + return (ibuf_length(id)); +} + ssize_t ikev2_add_mobike(struct ibuf *e, struct ikev2_payload **pld, ssize_t len) { @@ -3272,6 +3299,7 @@ ikev2_resp_ike_sa_init(struct iked *env, struct iked_message *msg) struct ikev2_keyexchange *ke; struct iked_sa *sa = msg->msg_sa; struct ibuf *buf; + struct ibuf *vendor_id = NULL; struct dh_group *group; ssize_t len; int ret = -1; @@ -3336,6 +3364,14 @@ ikev2_resp_ike_sa_init(struct iked *env, struct iked_message *msg) goto done; len = ibuf_size(sa->sa_rnonce); + if (env->sc_vendorid != 0) { + vendor_id = ibuf_new(IKED_VENDOR_ID, strlen(IKED_VENDOR_ID)); + ibuf_add(vendor_id, IKED_VERSION, strlen(IKED_VERSION)); + if ((len = ikev2_add_vendor_id(buf, &pld, len, vendor_id)) + == -1) + goto done; + } + /* Fragmentation Notify*/ if (sa->sa_frag) { if ((len = ikev2_add_fragmentation(buf, &pld, len)) 
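Review bot: The result of `ibuf_new()` on the new `vendor_id` line is never checked before `ibuf_add()` writes into it, and the `ibuf_add()` return value is dropped as well, so an allocation failure here dereferences a NULL ibuf instead of taking the `goto done` error path the hunk already uses for `ikev2_add_vendor_id()`. Folding both into one check, `if ((vendor_id = ibuf_new(IKED_VENDOR_ID, strlen(IKED_VENDOR_ID))) == NULL || ibuf_add(vendor_id, IKED_VERSION, strlen(IKED_VERSION)) == -1) goto done;`, keeps the cleanup correct because `vendor_id` is initialised to NULL in the declaration hunk and the `ibuf_free(vendor_id)` added before `return (ret)` tolerates NULL. The same unchecked pair appears in the @@ -3336 hunk of ikev2_resp_ike_sa_init and should get the identical treatment. Since IKE_SA_INIT is exchanged before either side is authenticated, the payload also reveals the exact OpenIKED version to any peer, which the iked.conf.5 entry for `set novendorid` could state so operators know what the option trades off. ikev2_init_ike_sa_peer begins and ends outside this hunk.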
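Review bot: `ikev2_add_vendor_id()` in the @@ -2151 hunk is added without a header comment, and unlike the neighbouring add functions its return value is the length of a caller-supplied buffer rather than of a fixed struct, which is worth stating at the definition. A comment such as `/* Append a Vendor ID payload whose data is the contents of id. Returns the payload data length, or -1 on failure. The caller keeps ownership of id. */` would cover the contract. Whether `ibuf_cat()` tolerates a NULL `id` is not visible in this hunk, so the non-NULL expectation is an assumption to confirm against the ibuf implementation before documenting it as a hard requirement.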
@@ -3382,6 +3418,7 @@ ikev2_resp_ike_sa_init(struct iked *env, struct iked_message *msg) ret = ikev2_msg_send(env, &resp); done: + ibuf_free(vendor_id); ikev2_msg_cleanup(env, &resp); return (ret); diff --git a/sbin/iked/parse.y b/sbin/iked/parse.y index dc02311ef3a..9d2f124254e 100644 --- a/sbin/iked/parse.y +++ b/sbin/iked/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.140 2022/04/11 20:41:21 tobhe Exp $ */ +/* $OpenBSD: parse.y,v 1.141 2022/07/22 15:53:33 tobhe Exp $ */ /* * Copyright (c) 2019 Tobias Heider @@ -102,6 +102,7 @@ static int mobike = 1; static int enforcesingleikesa = 0; static int stickyaddress = 0; static int fragmentation = 0; +static int vendorid = 1; static int dpd_interval = IKED_IKE_SA_ALIVE_TIMEOUT; static char *ocsp_url = NULL; static long ocsp_tolerate = 0; @@ -442,6 +443,7 @@ typedef struct { %token FRAGMENTATION NOFRAGMENTATION DPD_CHECK_INTERVAL %token ENFORCESINGLEIKESA NOENFORCESINGLEIKESA %token STICKYADDRESS NOSTICKYADDRESS +%token VENDORID NOVENDORID %token TOLERATE MAXAGE DYNAMIC %token CERTPARTIALCHAIN %token REQUEST IFACE @@ -509,6 +511,8 @@ set : SET ACTIVE { passive = 0; } | SET NOFRAGMENTATION { fragmentation = 0; } | SET MOBIKE { mobike = 1; } | SET NOMOBIKE { mobike = 0; } + | SET VENDORID { vendorid = 1; } + | SET NOVENDORID { vendorid = 0; } | SET ENFORCESINGLEIKESA { enforcesingleikesa = 1; } | SET NOENFORCESINGLEIKESA { enforcesingleikesa = 0; } | SET STICKYADDRESS { stickyaddress = 1; } @@ -1376,6 +1380,7 @@ lookup(char *s) { "nofragmentation", NOFRAGMENTATION }, { "nomobike", NOMOBIKE }, { "nostickyaddress", NOSTICKYADDRESS }, + { "novendorid", NOVENDORID }, { "ocsp", OCSP }, { "passive", PASSIVE }, { "peer", PEER }, @@ -1398,7 +1403,8 @@ lookup(char *s) { "tolerate", TOLERATE }, { "transport", TRANSPORT }, { "tunnel", TUNNEL }, - { "user", USER } + { "user", USER }, + { "vendorid", VENDORID } }; const struct keywords *p; 
@@ -1806,6 +1812,7 @@ parse_config(const char *filename, struct iked *x_env) env->sc_ocsp_tolerate = ocsp_tolerate; env->sc_ocsp_maxage = ocsp_maxage; env->sc_cert_partial_chain = cert_partial_chain; + env->sc_vendorid = vendorid; if (!rules) log_warnx("%s: no valid configuration rules found", diff --git a/sbin/iked/types.h b/sbin/iked/types.h index 7800b179d75..14f5ca57b27 100644 --- a/sbin/iked/types.h +++ b/sbin/iked/types.h @@ -1,4 +1,4 @@ -/* $OpenBSD: types.h,v 1.49 2022/07/08 19:51:11 tobhe Exp $ */ +/* $OpenBSD: types.h,v 1.50 2022/07/22 15:53:33 tobhe Exp $ */ /* * Copyright (c) 2019 Tobias Heider @@ -41,6 +41,8 @@ #define IKED_PRIVKEY IKED_CA "private/local.key" #define IKED_PUBKEY "local.pub" +#define IKED_VENDOR_ID "OpenIKED-" + #define IKED_OCSP_RESPCERT "ocsp/responder.crt" #define IKED_OPT_VERBOSE 0x00000001 -- 2.20.1