#include "vpn_control_var.h"
#include "ipsecSessionTracer.h"
#include "ipsecMessageTracer.h"
+#ifndef HAVE_OPENSSL
+#include <Security/SecDH.h>
+#endif
/*
* begin Aggressive Mode as initiator.
}
/* generate DH public value */
+#ifdef HAVE_OPENSSL
+ if (oakley_dh_generate(iph1->rmconf->dhgrp,
+ &iph1->dhpub, &iph1->dhpriv) < 0) {
+#else
if (oakley_dh_generate(iph1->rmconf->dhgrp,
- &iph1->dhpub, &iph1->dhpriv) < 0) {
+ &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) {
+#endif
plog(LLV_ERROR, LOCATION, NULL,
"failed to generate DH");
goto end;
#ifdef HAVE_GSSAPI
vchar_t *gsstoken = NULL;
#endif
+ int received_cert = 0;
#ifdef ENABLE_NATT
int natd_seq = 0;
"failed to process CERT payload");
goto end;
}
+ received_cert = 1;
break;
case ISAKMP_NPTYPE_SIG:
if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
plog(LLV_DEBUG, LOCATION, NULL,
"remote supports DPD\n");
}
+#endif
+#ifdef ENABLE_FRAG
+ if ((vid_numeric == VENDORID_FRAG) &&
+ (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_AGG)) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "remote supports FRAGMENTATION\n");
+ iph1->frag = 1;
+ }
#endif
break;
case ISAKMP_NPTYPE_N:
#ifdef ENABLE_NATT
case ISAKMP_NPTYPE_NATD_DRAFT:
case ISAKMP_NPTYPE_NATD_RFC:
-#ifdef __APPLE__
case ISAKMP_NPTYPE_NATD_BADDRAFT:
-#endif
if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
pa->type == iph1->natt_options->payload_nat_d) {
struct natd_payload *natd;
}
}
+ if (received_cert) {
+ oakley_verify_certid(iph1);
+ }
+
/* payload existency check */
if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
plog(LLV_ERROR, LOCATION, iph1->remote,
if (iph1->natt_flags & NAT_DETECTED)
natt_float_ports (iph1);
+ ike_session_update_natt_version(iph1);
}
#endif
/* compute sharing secret of DH */
+#ifdef HAVE_OPENSSL
if (oakley_dh_compute(iph1->rmconf->dhgrp, iph1->dhpub,
iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
+#else
+ if (oakley_dh_compute(iph1->rmconf->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, iph1->dhC) < 0) {
+#endif
plog(LLV_ERROR, LOCATION, NULL,
"failed to compute DH");
goto end;
need_cert = 1;
/* add CERT payload if there */
+ // we don't support sending of certchains
if (need_cert)
plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);
"NAT-D hashing failed for %s\n", saddr2str(iph1->local));
goto end;
}
-
-#ifdef __APPLE__
/* old Apple version sends natd payloads in the wrong order */
if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
} else
-#endif
{
plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
/* the sending message is added to the received-list. */
if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
- PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
+ PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) {
plog(LLV_ERROR , LOCATION, NULL,
"failed to add a response packet to the tree.\n");
goto end;
#endif
#ifdef ENABLE_FRAG
if ((vid_numeric == VENDORID_FRAG) &&
- (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_AGG))
+ (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_AGG)) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "remote supports FRAGMENTATION\n");
iph1->frag = 1;
+ }
#endif
break;
}
#ifdef ENABLE_NATT
- if (NATT_AVAILABLE(iph1))
+ if (NATT_AVAILABLE(iph1)) {
plog(LLV_INFO, LOCATION, iph1->remote,
"Selected NAT-T version: %s\n",
vid_string_by_id(iph1->natt_options->version));
+ ike_session_update_natt_version(iph1);
+ }
#endif
/* check SA payload and set approval SA for use */
}
/* generate DH public value */
+#ifdef HAVE_OPENSSL
+ if (oakley_dh_generate(iph1->rmconf->dhgrp,
+ &iph1->dhpub, &iph1->dhpriv) < 0) {
+#else
if (oakley_dh_generate(iph1->rmconf->dhgrp,
- &iph1->dhpub, &iph1->dhpriv) < 0) {
+ &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) {
+#endif
plog(LLV_ERROR, LOCATION, NULL,
"failed to generate DH");
goto end;
}
/* compute sharing secret of DH */
- if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
- iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
+#ifdef HAVE_OPENSSL
+ if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
+ iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
+#else
+ if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, iph1->dhC) < 0) {
+#endif
plog(LLV_ERROR, LOCATION, NULL,
"failed to compute DH");
goto end;
/* chosen VID */
plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID);
/* NAT-D */
-#ifdef __APPLE__
/* old Apple version sends natd payloads in the wrong order */
if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
} else
-#endif
{
plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
/* the sending message is added to the received-list. */
if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
- PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
+ PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) {
plog(LLV_ERROR , LOCATION, NULL,
"failed to add a response packet to the tree.\n");
goto end;
#ifdef ENABLE_NATT
int natd_seq = 0;
#endif
+ int received_cert = 0;
/* validity check */
if (iph1->status != PHASE1ST_MSG1SENT) {
"failed to process CERT payload");
goto end;
}
+ received_cert = 1;
break;
case ISAKMP_NPTYPE_SIG:
if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
#endif
+ if (received_cert) {
+ oakley_verify_certid(iph1);
+ }
+
/* validate authentication value */
ptype = oakley_validate_auth(iph1);
if (ptype != 0) {
projects / apple / ipsec.git / blobdiff