
111 agg_i1send(iph1, msg)
112 struct ph1handle *iph1;
142 if (iph1->status != PHASE1ST_START) {
144 "status mismatched %d.\n", iph1->status);
149 memset(&iph1->index, 0, sizeof(iph1->index));
150 isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local);
153 if (ipsecdoi_setid1(iph1) < 0)
157 iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf, iph1->rmconf->proposal);
158 if (iph1->sa == NULL)
162 if (iph1->rmconf->dhgrp == NULL) {
169 if (oakley_dh_generate(iph1->rmconf->dhgrp,
170 &iph1->dhpub, &iph1->dhpriv) < 0)
174 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
175 if (iph1->nonce == NULL)
180 switch (iph1->rmconf->proposal->authmethod) {
201 if (iph1->rmconf->ike_frag) {
213 s_oakley_attr_method(iph1->rmconf->proposal->authmethod));
215 if (iph1->rmconf->proposal->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
216 gssapi_get_itoken(iph1, &len);
220 plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA);
223 plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
226 plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
229 plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
232 if (iph1->rmconf->proposal->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
233 if (gssapi_get_token_to_send(iph1, &gsstoken) < 0) {
242 if (oakley_needcr(iph1->rmconf->proposal->authmethod))
243 plist = oakley_append_cr(plist, iph1);
254 if (iph1->rmconf->nat_traversal)
266 if(iph1->rmconf->dpd){
273 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
276 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
280 if (isakmp_ph1send(iph1) == -1)
283 iph1->status = PHASE1ST_MSG1SENT;
323 agg_i2recv(iph1, msg)
324 struct ph1handle *iph1;
352 if (iph1->status != PHASE1ST_MSG1SENT) {
354 "status mismatched %d.\n", iph1->status);
364 iph1->pl_hash = NULL;
368 plog(LLV_ERROR, LOCATION, iph1->remote,
385 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0)
389 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0)
393 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0)
397 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
400 if (oakley_savecr(iph1, pa->ptr) < 0)
404 if (oakley_savecert(iph1, pa->ptr) < 0)
408 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0)
412 handle_vendorid(iph1, pa->ptr);
415 isakmp_log_notify(iph1,
423 gssapi_save_received_token(iph1, gsstoken);
430 if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
431 pa->type == iph1->natt_options->payload_nat_d) {
452 plog(LLV_ERROR, LOCATION, iph1->remote,
461 if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
462 plog(LLV_ERROR, LOCATION, iph1->remote,
468 if (ipsecdoi_checkid1(iph1) != 0) {
469 plog(LLV_ERROR, LOCATION, iph1->remote,
475 if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) {
476 plog(LLV_ERROR, LOCATION, iph1->remote,
481 VPTRINIT(iph1->sa_ret);
484 memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck,
488 if (NATT_AVAILABLE(iph1)) {
492 plog(LLV_INFO, LOCATION, iph1->remote,
494 vid_string_by_id(iph1->natt_options->version));
498 iph1->natt_flags |= NAT_DETECTED;
502 from iph1->natt_flags */
503 natd_verified = natt_compare_addr_hash (iph1,
517 iph1->natt_flags & NAT_DETECTED ?
519 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
520 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
522 if (iph1->natt_flags & NAT_DETECTED)
523 natt_float_ports (iph1);
528 if (oakley_dh_compute(iph1->rmconf->dhgrp, iph1->dhpub,
529 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0)
533 if (oakley_skeyid(iph1) < 0)
535 if (oakley_skeyid_dae(iph1) < 0)
537 if (oakley_compute_enckey(iph1) < 0)
539 if (oakley_newiv(iph1) < 0)
543 ptype = oakley_validate_auth(iph1);
549 evt_phase1(iph1, EVT_PHASE1_AUTH_FAILED, NULL);
550 isakmp_info_send_n1(iph1, ptype, NULL);
554 if (oakley_checkcr(iph1) < 0) {
560 iph1->status = PHASE1ST_MSG2RECEIVED;
574 VPTRINIT(iph1->dhpub_p);
575 VPTRINIT(iph1->nonce_p);
576 VPTRINIT(iph1->id_p);
577 VPTRINIT(iph1->cert_p);
578 VPTRINIT(iph1->crl_p);
579 VPTRINIT(iph1->sig_p);
580 VPTRINIT(iph1->cr_p);
595 agg_i2send(iph1, msg)
596 struct ph1handle *iph1;
605 if (iph1->status != PHASE1ST_MSG2RECEIVED) {
607 "status mismatched %d.\n", iph1->status);
613 iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
614 if (iph1->hash == NULL) {
616 if (gssapi_more_tokens(iph1) &&
618 !iph1->rmconf->xauth &&
621 isakmp_info_send_n1(iph1,
627 switch (iph1->approval->authmethod) {
636 iph1->hash, ISAKMP_NPTYPE_HASH);
647 if (oakley_getmycert(iph1) < 0)
650 if (oakley_getsign(iph1) < 0)
653 if (iph1->cert != NULL && iph1->rmconf->send_cert)
658 plist = isakmp_plist_append(plist, iph1->cert,
663 iph1->sig, ISAKMP_NPTYPE_SIG);
675 gsshash = gssapi_wraphash(iph1);
679 isakmp_info_send_n1(iph1,
692 if (NATT_AVAILABLE(iph1)) {
698 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
701 saddr2str(iph1->remote));
705 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
708 saddr2str(iph1->local));
713 natd[0], iph1->natt_options->payload_nat_d);
715 natd[1], iph1->natt_options->payload_nat_d);
719 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
722 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
726 if (isakmp_send(iph1, iph1->sendbuf) < 0)
730 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
737 iph1->flags |= ISAKMP_FLAG_E;
739 iph1->status = PHASE1ST_ESTABLISHED;
759 agg_r1recv(iph1, msg)
760 struct ph1handle *iph1;
772 if (iph1->status != PHASE1ST_START) {
774 "status mismatched %d.\n", iph1->status);
786 plog(LLV_ERROR, LOCATION, iph1->remote,
792 if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0)
806 if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0)
810 if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0)
814 if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0)
818 vid_numeric = handle_vendorid(iph1, pa->ptr);
822 iph1->frag = 1;
827 if (oakley_savecr(iph1, pa->ptr) < 0)
835 gssapi_save_received_token(iph1, gsstoken);
840 plog(LLV_ERROR, LOCATION, iph1->remote,
849 if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
850 plog(LLV_ERROR, LOCATION, iph1->remote,
856 if (ipsecdoi_checkid1(iph1) != 0) {
857 plog(LLV_ERROR, LOCATION, iph1->remote,
863 if (NATT_AVAILABLE(iph1))
864 plog(LLV_INFO, LOCATION, iph1->remote,
866 vid_string_by_id(iph1->natt_options->version));
870 if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) {
871 plog(LLV_ERROR, LOCATION, iph1->remote,
877 if (oakley_checkcr(iph1) < 0) {
882 iph1->status = PHASE1ST_MSG1RECEIVED;
894 VPTRINIT(iph1->sa);
895 VPTRINIT(iph1->dhpub_p);
896 VPTRINIT(iph1->nonce_p);
897 VPTRINIT(iph1->id_p);
898 VPTRINIT(iph1->cr_p);
913 agg_r1send(iph1, msg)
914 struct ph1handle *iph1;
943 if (iph1->status != PHASE1ST_MSG1RECEIVED) {
945 "status mismatched %d.\n", iph1->status);
950 isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local);
953 if (ipsecdoi_setid1(iph1) < 0)
957 if (oakley_dh_generate(iph1->rmconf->dhgrp,
958 &iph1->dhpub, &iph1->dhpriv) < 0)
962 iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
963 if (iph1->nonce == NULL)
967 if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
968 iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0)
972 if (oakley_skeyid(iph1) < 0)
974 if (oakley_skeyid_dae(iph1) < 0)
976 if (oakley_compute_enckey(iph1) < 0)
978 if (oakley_newiv(iph1) < 0)
982 if (iph1->rmconf->proposal->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
983 gssapi_get_rtoken(iph1, &gsslen);
988 iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
989 if (iph1->hash == NULL) {
991 if (gssapi_more_tokens(iph1))
992 isakmp_info_send_n1(iph1,
1000 if (NATT_AVAILABLE(iph1)) {
1002 vid_natt = set_vendorid(iph1->natt_options->version);
1006 if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
1008 "NAT-D hashing failed for %s\n", saddr2str(iph1->remote));
1012 if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
1014 "NAT-D hashing failed for %s\n", saddr2str(iph1->local));
1021 if (iph1->dpd_support && iph1->rmconf->dpd)
1025 if (iph1->frag) {
1036 switch (iph1->approval->authmethod) {
1043 iph1->sa_ret, ISAKMP_NPTYPE_SA);
1047 iph1->dhpub, ISAKMP_NPTYPE_KE);
1051 iph1->nonce, ISAKMP_NPTYPE_NONCE);
1055 iph1->id, ISAKMP_NPTYPE_ID);
1059 iph1->hash, ISAKMP_NPTYPE_HASH);
1062 if (oakley_needcr(iph1->approval->authmethod))
1063 plist = oakley_append_cr(plist, iph1);
1075 if (oakley_getmycert(iph1) < 0)
1078 if (oakley_getsign(iph1) < 0)
1081 if (iph1->cert != NULL && iph1->rmconf->send_cert)
1086 iph1->sa_ret, ISAKMP_NPTYPE_SA);
1090 iph1->dhpub, ISAKMP_NPTYPE_KE);
1094 iph1->nonce, ISAKMP_NPTYPE_NONCE);
1098 iph1->id, ISAKMP_NPTYPE_ID);
1102 plist = isakmp_plist_append(plist, iph1->cert,
1107 iph1->sig, ISAKMP_NPTYPE_SIG);
1110 if (oakley_needcr(iph1->approval->authmethod))
1111 plist = oakley_append_cr(plist, iph1);
1124 gsshash = gssapi_wraphash(iph1);
1134 isakmp_info_send_n1(iph1,
1138 if (iph1->approval->gssid != NULL)
1139 gss_sa = ipsecdoi_setph1proposal(iph1->rmconf,
1140 iph1->approval);
1142 gss_sa = iph1->sa_ret;
1144 if (gss_sa != iph1->sa_ret)
1153 iph1->dhpub, ISAKMP_NPTYPE_KE);
1157 iph1->nonce, ISAKMP_NPTYPE_NONCE);
1161 iph1->id, ISAKMP_NPTYPE_ID);
1164 if (gssapi_get_token_to_send(iph1, &gsstoken) < 0) {
1182 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
1193 if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) {
1210 plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
1211 plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
1225 iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
1228 isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 1);
1232 if (isakmp_ph1send(iph1) == -1)
1236 if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
1242 iph1->status = PHASE1ST_MSG1SENT;
1282 agg_r2recv(iph1, msg0)
1283 struct ph1handle *iph1;
1295 if (iph1->status != PHASE1ST_MSG1SENT) {
1297 "status mismatched %d.\n", iph1->status);
1304 msg = oakley_do_decrypt(iph1, msg0,
1305 iph1->ivm->iv, iph1->ivm->ive);
1316 iph1->pl_hash = NULL;
1324 iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
1327 handle_vendorid(iph1, pa->ptr);
1330 if (oakley_savecert(iph1, pa->ptr) < 0)
1334 if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0)
1338 isakmp_log_notify(iph1,
1346 if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
1347 pa->type == iph1->natt_options->payload_nat_d)
1356 iph1->natt_flags |= NAT_DETECTED;
1358 natd_verified = natt_compare_addr_hash (iph1,
1373 plog(LLV_ERROR, LOCATION, iph1->remote,
1382 if (NATT_AVAILABLE(iph1))
1384 iph1->natt_flags & NAT_DETECTED ?
1386 iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
1387 iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
1391 ptype = oakley_validate_auth(iph1);
1397 evt_phase1(iph1, EVT_PHASE1_AUTH_FAILED, NULL);
1398 isakmp_info_send_n1(iph1, ptype, NULL);
1402 iph1->status = PHASE1ST_MSG2RECEIVED;
1412 VPTRINIT(iph1->cert_p);
1413 VPTRINIT(iph1->crl_p);
1414 VPTRINIT(iph1->sig_p);
1424 agg_r2send(iph1, msg)
1425 struct ph1handle *iph1;
1431 if (iph1->status != PHASE1ST_MSG2RECEIVED) {
1433 "status mismatched %d.\n", iph1->status);
1440 memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l);
1443 iph1->flags |= ISAKMP_FLAG_E;
1445 iph1->status = PHASE1ST_ESTABLISHED;