X-Git-Url: https://git.saurik.com/apple/network_cmds.git/blobdiff_plain/3daef399aa12707bd9256a87337e559c62bd9759..f47db663cb3ae4d2fc391bb3acf9d0c2b38a41b7:/racoon.tproj/isakmp_agg.c
diff --git a/racoon.tproj/isakmp_agg.c b/racoon.tproj/isakmp_agg.c
index 7d31b9f..2f1ebc5 100644
--- a/racoon.tproj/isakmp_agg.c
+++ b/racoon.tproj/isakmp_agg.c
@@ -420,7 +420,11 @@ agg_i2recv(iph1, msg)
 natt_select_type(iph1);
 /* payload existency check */
- /* XXX to be checked each authentication method. */
+ if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+ "required payloads missing from isakmp message.\n");
+ goto end;
+ }
 /* verify identifier */
 if (ipsecdoi_checkid1(iph1) != 0) {
@@ -453,18 +457,7 @@ agg_i2recv(iph1, msg)
 pa->type != ISAKMP_NPTYPE_NONE;
 pa++) {
- if (pa->type == ISAKMP_NPTYPE_NATD_RFC ||
- pa->type == ISAKMP_NPTYPE_NATD_DRAFT ||
- pa->type == ISAKMP_NPTYPE_NATD_BADDRAFT)
- {
- if (pa->type != iph1->natd_payload_type) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "ignore the packet, "
- "received unexpected natd payload type %d.\n",
- pa->type);
- goto end;
- }
-
+ if (pa->type == iph1->natd_payload_type) {
 natd_match_t match = natd_matches(iph1, pa->ptr);
 iph1->natt_flags |= natt_natd_received;
 if ((match & natd_match_local) != 0)
@@ -705,10 +698,17 @@ agg_i2send(iph1, msg)
 #ifdef IKE_NAT_T
 if (natd_type) {
- if (iph1->local_natd)
- p = set_isakmp_payload(p, iph1->local_natd, natd_type);
- if (iph1->remote_natd)
- p = set_isakmp_payload(p, iph1->remote_natd, ISAKMP_NPTYPE_NONE);
+ if ((iph1->natt_flags & NATT_TYPE_MASK) == natt_type_apple) {
+ if (iph1->local_natd)
+ p = set_isakmp_payload(p, iph1->local_natd, natd_type);
+ if (iph1->remote_natd)
+ p = set_isakmp_payload(p, iph1->remote_natd, ISAKMP_NPTYPE_NONE);
+ } else {
+ if (iph1->remote_natd)
+ p = set_isakmp_payload(p, iph1->remote_natd, natd_type);
+ if (iph1->local_natd)
+ p = set_isakmp_payload(p, iph1->local_natd, ISAKMP_NPTYPE_NONE);
+ }
 }
 #endif
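Review bot: The new existence check at the top of the first hunk (agg_i2recv, `-420`) covers only the KE and nonce payloads, so the concern in the comment it replaces, `/* XXX to be checked each authentication method. */`, is only partly addressed: whether the HASH or SIG payload required by the configured authentication method is present is still not checked here, and presumably relies on the later authentication step (outside the hunk) rejecting its absence. The same check is duplicated in agg_r1recv at `-847`; in both places consider keeping the XXX comment, narrowed to the auth-method payloads, so the remaining gap is not hidden. The single message also cannot tell an operator what was missing; `"missing KE or NONCE payload in isakmp message.\n"` names the payloads actually tested. agg_i2recv's body continues outside the hunk.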
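Review bot: Replacing the mismatch check with `if (pa->type == iph1->natd_payload_type)` in the second hunk (agg_i2recv, `-453`) turns a NAT-D payload of the wrong variant from a logged rejection into a silent skip, so a peer that sends only mismatched NAT-D payloads now leaves natt_natd_received clear with no trace in the log; if code after the loop treats a missing NAT-D as "no NAT detected" (not visible here), that is a quiet change of the NAT-T decision rather than an error. An `else` branch keeps the diagnosis at debug level: `plog(LLV_DEBUG, LOCATION, iph1->remote, "ignoring natd payload of type %d, negotiated %d.\n", pa->type, iph1->natd_payload_type);`. The hunk also hands `pa->ptr` to natd_matches() without checking `pa->len`; if natd_matches assumes a fixed hash length, confirm it validates the size itself. The same change appears in agg_r2recv at `-1359`, and the enclosing payload loop begins before the hunk.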
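Review bot: The two branches of the new `if ((iph1->natt_flags & NATT_TYPE_MASK) == natt_type_apple)` block in the third hunk (agg_i2send, `-705`) differ only in which NAT-D hash is emitted first, and the same eleven lines are repeated in agg_r1send at `-1155` and `-1242`; a small helper keeps the three call sites identical and gives the ordering rule one place to be documented. The non-Apple branch now emits the remote hash first, which matches RFC 3947's rule that the first NAT-D payload carries the destination address, while the Apple variant keeps the previous local-first order; that rationale is stated nowhere in the hunk and deserves a comment. Note the pre-existing quirk that the first payload's next-payload field is set to `natd_type` even when only the second hash is present, which the helper below preserves rather than fixes. agg_i2send starts and ends outside the hunk, and the helper would need to live under the same `#ifdef IKE_NAT_T`.
```c
/*
 * Append the NAT-D payloads in the order the negotiated NAT-T variant
 * expects: the Apple variant sends the local hash first, the draft/RFC
 * variants send the remote (destination) hash first (RFC 3947, sec. 4).
 * Returns the advanced write pointer.
 */
static caddr_t
set_natd_payloads(struct ph1handle *iph1, caddr_t p, int natd_type)
{
	vchar_t *first, *second;

	if ((iph1->natt_flags & NATT_TYPE_MASK) == natt_type_apple) {
		first = iph1->local_natd;
		second = iph1->remote_natd;
	} else {
		first = iph1->remote_natd;
		second = iph1->local_natd;
	}
	if (first)
		p = set_isakmp_payload(p, first, natd_type);
	if (second)
		p = set_isakmp_payload(p, second, ISAKMP_NPTYPE_NONE);
	return p;
}

/* … unchanged: agg_i2send up to the IKE_NAT_T block … */
	if (natd_type)
		p = set_natd_payloads(iph1, p, natd_type);
```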
@@ -847,7 +847,11 @@ agg_r1recv(iph1, msg)
 }
 /* payload existency check */
- /* XXX to be checked each authentication method. */
+ if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+ "required payloads missing from isakmp message.\n");
+ goto end;
+ }
 /* verify identifier */
 if (ipsecdoi_checkid1(iph1) != 0) {
@@ -1155,10 +1159,17 @@ agg_r1send(iph1, msg)
 #ifdef IKE_NAT_T
 if (nattvid) {
 p = set_isakmp_payload(p, nattvid, iph1->natd_payload_type);
- if (iph1->local_natd)
- p = set_isakmp_payload(p, iph1->local_natd, iph1->natd_payload_type);
- if (iph1->remote_natd)
- p = set_isakmp_payload(p, iph1->remote_natd, ISAKMP_NPTYPE_NONE);
+ if ((iph1->natt_flags & NATT_TYPE_MASK) == natt_type_apple) {
+ if (iph1->local_natd)
+ p = set_isakmp_payload(p, iph1->local_natd, iph1->natd_payload_type);
+ if (iph1->remote_natd)
+ p = set_isakmp_payload(p, iph1->remote_natd, ISAKMP_NPTYPE_NONE);
+ } else {
+ if (iph1->remote_natd)
+ p = set_isakmp_payload(p, iph1->remote_natd, iph1->natd_payload_type);
+ if (iph1->local_natd)
+ p = set_isakmp_payload(p, iph1->local_natd, ISAKMP_NPTYPE_NONE);
+ }
 }
 #endif
 break;
@@ -1242,10 +1253,17 @@ agg_r1send(iph1, msg)
 #ifdef IKE_NAT_T
 if (nattvid) {
 p = set_isakmp_payload(p, nattvid, iph1->natd_payload_type);
- if (iph1->local_natd)
- p = set_isakmp_payload(p, iph1->local_natd, iph1->natd_payload_type);
- if (iph1->remote_natd)
- p = set_isakmp_payload(p, iph1->remote_natd, ISAKMP_NPTYPE_NONE);
+ if ((iph1->natt_flags & NATT_TYPE_MASK) == natt_type_apple) {
+ if (iph1->local_natd)
+ p = set_isakmp_payload(p, iph1->local_natd, iph1->natd_payload_type);
+ if (iph1->remote_natd)
+ p = set_isakmp_payload(p, iph1->remote_natd, ISAKMP_NPTYPE_NONE);
+ } else {
+ if (iph1->remote_natd)
+ p = set_isakmp_payload(p, iph1->remote_natd, iph1->natd_payload_type);
+ if (iph1->local_natd)
+ p = set_isakmp_payload(p, iph1->local_natd, ISAKMP_NPTYPE_NONE);
+ }
 }
 #endif
@@ -1359,15 +1377,7 @@ agg_r2recv(iph1, msg0)
 case ISAKMP_NPTYPE_NATD_DRAFT:
 case ISAKMP_NPTYPE_NATD_BADDRAFT:
 #ifdef IKE_NAT_T
- if (pa->type != iph1->natd_payload_type) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "ignore the packet, "
- "received unexpected natd payload type %d.\n",
- pa->type);
- goto end;
- }
-
- {
+ if (pa->type == iph1->natd_payload_type) {
 natd_match_t match = natd_matches(iph1, pa->ptr);
 iph1->natt_flags |= natt_natd_received;
 if ((match & natd_match_local) != 0)