#endif
#include "vpn_control.h"
#include "vpn_control_var.h"
+#ifndef HAVE_OPENSSL
+#include <Security/SecDH.h>
+#endif
/* %%%
* begin Identity Protection Mode as initiator.
"remote supports DPD\n");
}
#endif
+#ifdef ENABLE_FRAG
+ if ((vid_numeric == VENDORID_FRAG) &&
+ (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_BASE)) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "remote supports FRAGMENTATION\n");
+ iph1->frag = 1;
+ }
+#endif
break;
default:
/* don't send information, see ident_r1recv() */
}
#ifdef ENABLE_NATT
- if (NATT_AVAILABLE(iph1))
+ if (NATT_AVAILABLE(iph1)) {
plog(LLV_INFO, LOCATION, iph1->remote,
"Selected NAT-T version: %s\n",
vid_string_by_id(iph1->natt_options->version));
+ ike_session_update_natt_version(iph1);
+ }
#endif
/* check SA payload and set approval SA for use */
sizeof(cookie_t));
/* generate DH public value */
+#ifdef HAVE_OPENSSL
if (oakley_dh_generate(iph1->approval->dhgrp,
- &iph1->dhpub, &iph1->dhpriv) < 0)
+ &iph1->dhpub, &iph1->dhpriv) < 0)
+#else
+ if (oakley_dh_generate(iph1->approval->dhgrp,
+ &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0)
+#endif
goto end;
/* generate SKEYID to compute hash if not signature mode */
goto end;
}
-#ifdef __APPLE__
/* old Apple version sends natd payloads in the wrong order */
if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
} else
-#endif
{
plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
/* the sending message is added to the received-list. */
if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
- PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
+ PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) {
plog(LLV_ERROR , LOCATION, NULL,
"failed to add a response packet to the tree.\n");
goto end;
vchar_t *natd_received;
int natd_seq = 0, natd_verified;
#endif
+ int received_cert = 0;
/* validity check */
if (iph1->status != PHASE1ST_MSG2SENT) {
case ISAKMP_NPTYPE_CERT:
if (oakley_savecert(iph1, pa->ptr) < 0)
goto end;
+ received_cert = 1;
break;
case ISAKMP_NPTYPE_SIG:
if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0)
#ifdef ENABLE_NATT
case ISAKMP_NPTYPE_NATD_DRAFT:
case ISAKMP_NPTYPE_NATD_RFC:
-#ifdef __APPLE__
case ISAKMP_NPTYPE_NATD_BADDRAFT:
-#endif
if (NATT_AVAILABLE(iph1) && iph1->natt_options &&
pa->type == iph1->natt_options->payload_nat_d) {
natd_received = NULL;
}
#endif
+ if (received_cert) {
+ oakley_verify_certid(iph1);
+ }
+
/* payload existency check */
/* validate authentication value */
ptype = oakley_validate_auth(iph1);
}
/* compute sharing secret of DH */
+#ifdef HAVE_OPENSSL
if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
- iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0)
+ iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0)
+#else
+ if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, iph1->dhC) < 0)
+#endif
goto end;
/* generate SKEYID to compute hash if signature mode */
if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric))
natt_handle_vendorid(iph1, vid_numeric);
#endif
-#ifdef ENABLE_FRAG
- if ((vid_numeric == VENDORID_FRAG) &&
- (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_BASE))
- iph1->frag = 1;
-#endif
#ifdef ENABLE_HYBRID
switch (vid_numeric) {
case VENDORID_XAUTH:
"remote supports DPD\n");
}
#endif
+#ifdef ENABLE_FRAG
+ if ((vid_numeric == VENDORID_FRAG) &&
+ (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_BASE)) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "remote supports FRAGMENTATION\n");
+ iph1->frag = 1;
+ }
+#endif
break;
default:
/* don't send information, see ident_r1recv() */
}
#ifdef ENABLE_NATT
- if (NATT_AVAILABLE(iph1))
+ if (NATT_AVAILABLE(iph1)) {
plog(LLV_INFO, LOCATION, iph1->remote,
"Selected NAT-T version: %s\n",
vid_string_by_id(iph1->natt_options->version));
+ ike_session_update_natt_version(iph1);
+ }
#endif
/* check SA payload and set approval SA for use */
/* the sending message is added to the received-list. */
if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
- PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
+ PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) {
plog(LLV_ERROR , LOCATION, NULL,
"failed to add a response packet to the tree.\n");
goto end;
#ifdef ENABLE_NATT
int natd_seq = 0;
#endif
+ int received_cert = 0;
/* validity check */
if (iph1->status != PHASE1ST_MSG1SENT) {
case ISAKMP_NPTYPE_CERT:
if (oakley_savecert(iph1, pa->ptr) < 0)
goto end;
+ received_cert = 1;
break;
case ISAKMP_NPTYPE_SIG:
if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0)
#ifdef ENABLE_NATT
case ISAKMP_NPTYPE_NATD_DRAFT:
case ISAKMP_NPTYPE_NATD_RFC:
-#ifdef __APPLE__
case ISAKMP_NPTYPE_NATD_BADDRAFT:
-#endif
if (pa->type == iph1->natt_options->payload_nat_d)
{
vchar_t *natd_received = NULL;
}
}
+ if (received_cert) {
+ oakley_verify_certid(iph1);
+ }
+
/* generate DH public value */
+#ifdef HAVE_OPENSSL
+ if (oakley_dh_generate(iph1->approval->dhgrp,
+ &iph1->dhpub, &iph1->dhpriv) < 0)
+#else
if (oakley_dh_generate(iph1->approval->dhgrp,
- &iph1->dhpub, &iph1->dhpriv) < 0)
+ &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0)
+#endif
goto end;
/* compute sharing secret of DH */
+#ifdef HAVE_OPENSSL
if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
- iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0)
+ iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0)
+#else
+ if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, iph1->dhC) < 0)
+#endif
goto end;
/* generate SKEYID */
goto end;
}
-#ifdef __APPLE__
/* old Apple version sends natd payloads in the wrong order */
if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
} else
-#endif
{
plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
/* the sending message is added to the received-list. */
if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
- PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
+ PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) {
plog(LLV_ERROR , LOCATION, NULL,
"failed to add a response packet to the tree.\n");
goto end;
projects / apple / ipsec.git / blobdiff