]> git.saurik.com Git - apple/ipsec.git/blobdiff - ipsec-tools/racoon/isakmp_ident.c
ipsec-146.3.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / isakmp_ident.c
index 6488207f5b613f48d844371af74c430626584a01..09aa68502fd5e3fe370c26ad4e5f1ee6a480c23b 100644 (file)
@@ -94,6 +94,9 @@
 #include "vpn_control_var.h"
 #include "ipsecSessionTracer.h"
 #include "ipsecMessageTracer.h"
+#ifndef HAVE_OPENSSL
+#include <Security/SecDH.h>
+#endif
 
 static vchar_t *ident_ir2mx __P((struct ph1handle *));
 static vchar_t *ident_ir3mx __P((struct ph1handle *));
@@ -351,6 +354,14 @@ ident_i2recv(iph1, msg)
 #ifdef ENABLE_DPD
                        if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
                                iph1->dpd_support=1;
+#endif
+#ifdef ENABLE_FRAG
+                       if ((vid_numeric == VENDORID_FRAG) &&
+                               (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_IDENT)) {
+                               plog(LLV_DEBUG, LOCATION, NULL,
+                                        "remote supports FRAGMENTATION\n");
+                               iph1->frag = 1;
+                       }
 #endif
                        break;
                default:
@@ -364,10 +375,12 @@ ident_i2recv(iph1, msg)
        }
 
 #ifdef ENABLE_NATT
-       if (NATT_AVAILABLE(iph1))
+       if (NATT_AVAILABLE(iph1)) {
                plog(LLV_INFO, LOCATION, iph1->remote,
                     "Selected NAT-T version: %s\n",
                     vid_string_by_id(iph1->natt_options->version));
+               ike_session_update_natt_version(iph1);
+       }
 #endif
 
        /* check SA payload and set approval SA for use */
@@ -434,8 +447,13 @@ ident_i2send(iph1, msg)
                sizeof(cookie_t));
 
        /* generate DH public value */
+#ifdef HAVE_OPENSSL
        if (oakley_dh_generate(iph1->approval->dhgrp,
                                                   &iph1->dhpub, &iph1->dhpriv) < 0) {
+#else
+       if (oakley_dh_generate(iph1->approval->dhgrp,
+                                                  &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) {
+#endif
                plog(LLV_ERROR, LOCATION, NULL,
                         "failed to generate DH");
                goto end;
@@ -480,7 +498,7 @@ ident_i2send(iph1, msg)
 
        /* the sending message is added to the received-list. */
        if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
-                     PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
+                     PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) {
                plog(LLV_ERROR , LOCATION, NULL,
                        "failed to add a response packet to the tree.\n");
                goto end;
@@ -609,9 +627,7 @@ ident_i3recv(iph1, msg)
 #ifdef ENABLE_NATT
                case ISAKMP_NPTYPE_NATD_DRAFT:
                case ISAKMP_NPTYPE_NATD_RFC:
-#ifdef __APPLE__
                case ISAKMP_NPTYPE_NATD_BADDRAFT:
-#endif
                        if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
                            pa->type == iph1->natt_options->payload_nat_d) {
                                natd_received = NULL;
@@ -737,8 +753,12 @@ ident_i3send(iph1, msg0)
        }
 
        /* compute sharing secret of DH */
+#ifdef HAVE_OPENSSL
        if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
                                                  iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
+#else
+       if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, iph1->dhC) < 0) {
+#endif
                plog(LLV_ERROR, LOCATION, NULL,
                         "failed to compute DH");
                goto end;
@@ -819,7 +839,7 @@ ident_i3send(iph1, msg0)
 
        /* the sending message is added to the received-list. */
        if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg0,
-                     PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
+                     PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) {
                plog(LLV_ERROR , LOCATION, NULL,
                        "failed to add a response packet to the tree.\n");
                goto end;
@@ -869,6 +889,7 @@ ident_i4recv(iph1, msg0)
 #ifdef HAVE_GSSAPI
        vchar_t *gsstoken = NULL;
 #endif
+       int received_cert = 0;
 
        /* validity check */
        if (iph1->status != PHASE1ST_MSG3SENT) {
@@ -922,6 +943,7 @@ ident_i4recv(iph1, msg0)
                                         "failed to process CERT payload");
                                goto end;
                        }
+                       received_cert = 1;
                        break;
                case ISAKMP_NPTYPE_SIG:
                        if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
@@ -960,6 +982,10 @@ ident_i4recv(iph1, msg0)
                }
        }
 
+       if (received_cert) {
+               oakley_verify_certid(iph1);
+       }
+       
        /* payload existency check */
 
        /* verify identifier */
@@ -1147,11 +1173,6 @@ ident_r1recv(iph1, msg)
                        if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric))
                                natt_handle_vendorid(iph1, vid_numeric);
 #endif
-#ifdef ENABLE_FRAG
-                       if ((vid_numeric == VENDORID_FRAG) &&
-                           (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_IDENT))
-                               iph1->frag = 1;
-#endif   
 #ifdef ENABLE_HYBRID
                        switch (vid_numeric) {
                        case VENDORID_XAUTH:
@@ -1171,6 +1192,14 @@ ident_r1recv(iph1, msg)
 #ifdef ENABLE_DPD
                        if (vid_numeric == VENDORID_DPD && iph1->rmconf->dpd)
                                iph1->dpd_support=1;
+#endif
+#ifdef ENABLE_FRAG
+                       if ((vid_numeric == VENDORID_FRAG) &&
+                               (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_IDENT)) {
+                               plog(LLV_DEBUG, LOCATION, NULL,
+                                        "remote supports FRAGMENTATION\n");
+                               iph1->frag = 1;
+                       }
 #endif
                        break;
                default:
@@ -1190,10 +1219,12 @@ ident_r1recv(iph1, msg)
        }
 
 #ifdef ENABLE_NATT
-       if (NATT_AVAILABLE(iph1))
+       if (NATT_AVAILABLE(iph1)) {
                plog(LLV_INFO, LOCATION, iph1->remote,
                     "Selected NAT-T version: %s\n",
                     vid_string_by_id(iph1->natt_options->version));
+               ike_session_update_natt_version(iph1);
+       }
 #endif
 
        /* check SA payload and set approval SA for use */
@@ -1352,7 +1383,7 @@ ident_r1send(iph1, msg)
 
        /* the sending message is added to the received-list. */
        if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
-                     PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
+                     PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) {
                plog(LLV_ERROR , LOCATION, NULL,
                        "failed to add a response packet to the tree.\n");
                goto end;
@@ -1483,9 +1514,7 @@ ident_r2recv(iph1, msg)
 #ifdef ENABLE_NATT
                case ISAKMP_NPTYPE_NATD_DRAFT:
                case ISAKMP_NPTYPE_NATD_RFC:
-#ifdef __APPLE__
                case ISAKMP_NPTYPE_NATD_BADDRAFT:
-#endif
                        if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
                            pa->type == iph1->natt_options->payload_nat_d)
                        {
@@ -1597,8 +1626,13 @@ ident_r2send(iph1, msg)
        }
 
        /* generate DH public value */
+#ifdef HAVE_OPENSSL
        if (oakley_dh_generate(iph1->approval->dhgrp,
                                                   &iph1->dhpub, &iph1->dhpriv) < 0) {
+#else
+               if (oakley_dh_generate(iph1->approval->dhgrp,
+                                                          &iph1->dhpub, &iph1->publicKeySize, &iph1->dhC) < 0) {
+#endif         
                plog(LLV_ERROR, LOCATION, NULL,
                         "failed to generate DH");
                goto end;
@@ -1639,15 +1673,19 @@ ident_r2send(iph1, msg)
 
        /* the sending message is added to the received-list. */
        if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
-                     PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
+                     PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) {
                plog(LLV_ERROR , LOCATION, NULL,
                        "failed to add a response packet to the tree.\n");
                goto end;
        }
 
        /* compute sharing secret of DH */
-       if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
-                                                 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
+#ifdef HAVE_OPENSSL
+               if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
+                                                         iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) {
+#else
+       if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub_p, iph1->publicKeySize, &iph1->dhgxy, iph1->dhC) < 0) {
+#endif
                plog(LLV_ERROR, LOCATION, NULL,
                         "failed to compute DH");
                goto end;
@@ -1715,6 +1753,7 @@ ident_r3recv(iph1, msg0)
 #ifdef HAVE_GSSAPI
        vchar_t *gsstoken = NULL;
 #endif
+       int received_cert = 0;
 
        /* validity check */
        if (iph1->status != PHASE1ST_MSG2SENT) {
@@ -1775,6 +1814,7 @@ ident_r3recv(iph1, msg0)
                                         "failed to process CERT payload");
                                goto end;
                        }
+                       received_cert = 1;
                        break;
                case ISAKMP_NPTYPE_SIG:
                        if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) {
@@ -1809,6 +1849,10 @@ ident_r3recv(iph1, msg0)
                }
        }
 
+       if (received_cert) {
+               oakley_verify_certid(iph1);
+       }
+       
        /* payload existency check */
        /* XXX same as ident_i4recv(), should be merged. */
     {
@@ -2029,7 +2073,7 @@ ident_r3send(iph1, msg)
 
        /* the sending message is added to the received-list. */
        if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg,
-                     PH1_NON_ESP_EXTRA_LEN(iph1)) == -1) {
+                     PH1_NON_ESP_EXTRA_LEN(iph1), PH1_FRAG_FLAGS(iph1)) == -1) {
                plog(LLV_ERROR , LOCATION, NULL,
                        "failed to add a response packet to the tree.\n");
                goto end;
@@ -2149,13 +2193,11 @@ ident_ir2mx(iph1)
                }
 
                plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n");
-#ifdef __APPLE__
                /* old Apple version sends natd payloads in the wrong order */
                if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
                        plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
                        plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
                } else
-#endif
                {
                        plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
                        plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
@@ -2221,6 +2263,7 @@ ident_ir3mx(iph1)
        vchar_t *gsstoken = NULL;
        vchar_t *gsshash = NULL;
 #endif
+       vchar_t *notp_ini = NULL;
 
        switch (AUTHMETHOD(iph1)) {
        case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
@@ -2279,6 +2322,7 @@ ident_ir3mx(iph1)
                plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
 
                /* add CERT payload if there */
+               // we don't support sending of certchains
                if (need_cert)
                        plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);
                /* add SIG payload */
@@ -2333,6 +2377,10 @@ ident_ir3mx(iph1)
                goto end;
        }
 
+       if (iph1->side == INITIATOR) {
+               notp_ini = isakmp_plist_append_initial_contact(iph1, plist);
+       }
+       
        buf = isakmp_plist_set_all (&plist, iph1);
        
 #ifdef HAVE_PRINT_ISAKMP_C
@@ -2364,6 +2412,8 @@ end:
                vfree(buf);
                buf = NULL;
        }
+       if (notp_ini)
+               vfree(notp_ini);
 
        return buf;
 }