111 agg_i1send(iph1, msg)
112 	struct ph1handle *iph1;
142 	if (iph1->status != PHASE1ST_START) {
144 			"status mismatched %d.\n", iph1->status);
149 	memset(&iph1->index, 0, sizeof(iph1->index));
150 	isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local);
153 	if (ipsecdoi_setid1(iph1) < 0)
157 	iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf, iph1->rmconf->proposal);
158 	if (iph1->sa == NULL)
162 	if (iph1->rmconf->dhgrp == NULL) {
169 	if (oakley_dh_generate(iph1->rmconf->dhgrp,
170 				&iph1->dhpub, &iph1->dhpriv) < 0)
174 	iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
175 	if (iph1->nonce == NULL)
180 	switch (iph1->rmconf->proposal->authmethod) {
201 	if (iph1->rmconf->ike_frag) {
213 		s_oakley_attr_method(iph1->rmconf->proposal->authmethod));
215 	if (iph1->rmconf->proposal->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
216 		gssapi_get_itoken(iph1, &len);
220 	plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA);
223 	plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
226 	plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
229 	plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
232 	if (iph1->rmconf->proposal->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
233 		if (gssapi_get_token_to_send(iph1, &gsstoken) < 0) {
242 	if (oakley_needcr(iph1->rmconf->proposal->authmethod))
243 		plist = oakley_append_cr(plist, iph1);
254 	if (iph1->rmconf->nat_traversal)
266 	if(iph1->rmconf->dpd){
273 	iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
276 	isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
280 	if (isakmp_ph1send(iph1) == -1)
283 	iph1->status = PHASE1ST_MSG1SENT;
323 agg_i2recv(iph1, msg)
324 	struct ph1handle *iph1;
348 	if (iph1->status != PHASE1ST_MSG1SENT) {
350 			"status mismatched %d.\n", iph1->status);
360 	iph1->pl_hash = NULL;
364 		plog(LLV_ERROR, LOCATION, iph1->remote,
381 			if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0)
385 			if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0)
389 			if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0)
393 			iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
396 			if (oakley_savecr(iph1, pa->ptr) < 0)
400 			if (oakley_savecert(iph1, pa->ptr) < 0)
404 			if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0)
408 			handle_vendorid(iph1, pa->ptr);
411 			isakmp_log_notify(iph1,
419 			gssapi_save_received_token(iph1, gsstoken);
426 			if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
427 			    pa->type == iph1->natt_options->payload_nat_d) {
448 			plog(LLV_ERROR, LOCATION, iph1->remote,
457 	if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
458 		plog(LLV_ERROR, LOCATION, iph1->remote,
464 	if (ipsecdoi_checkid1(iph1) != 0) {
465 		plog(LLV_ERROR, LOCATION, iph1->remote,
471 	if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) {
472 		plog(LLV_ERROR, LOCATION, iph1->remote,
477 	VPTRINIT(iph1->sa_ret);
480 	memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck,
484 	if (NATT_AVAILABLE(iph1)) {
488 		plog(LLV_INFO, LOCATION, iph1->remote,
490 		     vid_string_by_id(iph1->natt_options->version));
494 		iph1->natt_flags |= NAT_DETECTED;
498 			   from iph1->natt_flags */
499 			natd_verified = natt_compare_addr_hash (iph1,
513 		      iph1->natt_flags & NAT_DETECTED ?
515 		      iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
516 		      iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
518 		if (iph1->natt_flags & NAT_DETECTED)
519 			natt_float_ports (iph1);
524 	if (oakley_dh_compute(iph1->rmconf->dhgrp, iph1->dhpub,
525 				iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0)
529 	if (oakley_skeyid(iph1) < 0)
531 	if (oakley_skeyid_dae(iph1) < 0)
533 	if (oakley_compute_enckey(iph1) < 0)
535 	if (oakley_newiv(iph1) < 0)
539 	ptype = oakley_validate_auth(iph1);
545 		evt_phase1(iph1, EVT_PHASE1_AUTH_FAILED, NULL);
546 		isakmp_info_send_n1(iph1, ptype, NULL);
550 	if (oakley_checkcr(iph1) < 0) {
556 	iph1->status = PHASE1ST_MSG2RECEIVED;
570 		VPTRINIT(iph1->dhpub_p);
571 		VPTRINIT(iph1->nonce_p);
572 		VPTRINIT(iph1->id_p);
573 		VPTRINIT(iph1->cert_p);
574 		VPTRINIT(iph1->crl_p);
575 		VPTRINIT(iph1->sig_p);
576 		VPTRINIT(iph1->cr_p);
591 agg_i2send(iph1, msg)
592 	struct ph1handle *iph1;
601 	if (iph1->status != PHASE1ST_MSG2RECEIVED) {
603 			"status mismatched %d.\n", iph1->status);
609 	iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
610 	if (iph1->hash == NULL) {
612 		if (gssapi_more_tokens(iph1) &&
614 		    !iph1->rmconf->xauth &&
617 			isakmp_info_send_n1(iph1,
623 	switch (iph1->approval->authmethod) {
632 		    iph1->hash, ISAKMP_NPTYPE_HASH);
643 		if (oakley_getmycert(iph1) < 0)
646 		if (oakley_getsign(iph1) < 0)
649 		if (iph1->cert != NULL && iph1->rmconf->send_cert)
654 			plist = isakmp_plist_append(plist, iph1->cert,
659 		    iph1->sig, ISAKMP_NPTYPE_SIG);
671 		gsshash = gssapi_wraphash(iph1);
675 			isakmp_info_send_n1(iph1,
688 	if (NATT_AVAILABLE(iph1)) {
694 		if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
697 			    saddr2str(iph1->remote));
701 		if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
704 			    saddr2str(iph1->local));
709 		    natd[0], iph1->natt_options->payload_nat_d);
711 		    natd[1], iph1->natt_options->payload_nat_d);
715 	iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
718 	isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
722 	if (isakmp_send(iph1, iph1->sendbuf) < 0)
726 	if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
733 	iph1->flags |= ISAKMP_FLAG_E;
735 	iph1->status = PHASE1ST_ESTABLISHED;
755 agg_r1recv(iph1, msg)
756 	struct ph1handle *iph1;
768 	if (iph1->status != PHASE1ST_START) {
770 			"status mismatched %d.\n", iph1->status);
782 		plog(LLV_ERROR, LOCATION, iph1->remote,
788 	if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0)
802 			if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0)
806 			if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0)
810 			if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0)
814 			vid_numeric = handle_vendorid(iph1, pa->ptr);
818 				iph1->frag = 1;
823 			if (oakley_savecr(iph1, pa->ptr) < 0)
831 			gssapi_save_received_token(iph1, gsstoken);
836 			plog(LLV_ERROR, LOCATION, iph1->remote,
845 	if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
846 		plog(LLV_ERROR, LOCATION, iph1->remote,
852 	if (ipsecdoi_checkid1(iph1) != 0) {
853 		plog(LLV_ERROR, LOCATION, iph1->remote,
859 	if (NATT_AVAILABLE(iph1))
860 		plog(LLV_INFO, LOCATION, iph1->remote,
862 		     vid_string_by_id(iph1->natt_options->version));
866 	if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) {
867 		plog(LLV_ERROR, LOCATION, iph1->remote,
873 	if (oakley_checkcr(iph1) < 0) {
878 	iph1->status = PHASE1ST_MSG1RECEIVED;
890 		VPTRINIT(iph1->sa);
891 		VPTRINIT(iph1->dhpub_p);
892 		VPTRINIT(iph1->nonce_p);
893 		VPTRINIT(iph1->id_p);
894 		VPTRINIT(iph1->cr_p);
909 agg_r1send(iph1, msg)
910 	struct ph1handle *iph1;
939 	if (iph1->status != PHASE1ST_MSG1RECEIVED) {
941 			"status mismatched %d.\n", iph1->status);
946 	isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local);
949 	if (ipsecdoi_setid1(iph1) < 0)
953 	if (oakley_dh_generate(iph1->rmconf->dhgrp,
954 				&iph1->dhpub, &iph1->dhpriv) < 0)
958 	iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
959 	if (iph1->nonce == NULL)
963 	if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
964 				iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0)
968 	if (oakley_skeyid(iph1) < 0)
970 	if (oakley_skeyid_dae(iph1) < 0)
972 	if (oakley_compute_enckey(iph1) < 0)
974 	if (oakley_newiv(iph1) < 0)
978 	if (iph1->rmconf->proposal->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
979 		gssapi_get_rtoken(iph1, &gsslen);
984 	iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
985 	if (iph1->hash == NULL) {
987 		if (gssapi_more_tokens(iph1))
988 			isakmp_info_send_n1(iph1,
996 	if (NATT_AVAILABLE(iph1)) {
998 		vid_natt = set_vendorid(iph1->natt_options->version);
1002 		if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
1004 				"NAT-D hashing failed for %s\n", saddr2str(iph1->remote));
1008 		if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
1010 				"NAT-D hashing failed for %s\n", saddr2str(iph1->local));
1017 	if (iph1->dpd_support && iph1->rmconf->dpd)
1021 	if (iph1->frag) {
1032 	switch (iph1->approval->authmethod) {
1039 		    iph1->sa_ret, ISAKMP_NPTYPE_SA);
1043 		    iph1->dhpub, ISAKMP_NPTYPE_KE);
1047 		    iph1->nonce, ISAKMP_NPTYPE_NONCE);
1051 		    iph1->id, ISAKMP_NPTYPE_ID);
1055 		    iph1->hash, ISAKMP_NPTYPE_HASH);
1058 		if (oakley_needcr(iph1->approval->authmethod))
1059 			plist = oakley_append_cr(plist, iph1);
1071 		if (oakley_getmycert(iph1) < 0)
1074 		if (oakley_getsign(iph1) < 0)
1077 		if (iph1->cert != NULL && iph1->rmconf->send_cert)
1082 		    iph1->sa_ret, ISAKMP_NPTYPE_SA);
1086 		    iph1->dhpub, ISAKMP_NPTYPE_KE);
1090 		    iph1->nonce, ISAKMP_NPTYPE_NONCE);
1094 		    iph1->id, ISAKMP_NPTYPE_ID);
1098 			plist = isakmp_plist_append(plist, iph1->cert,
1103 		    iph1->sig, ISAKMP_NPTYPE_SIG);
1106 		if (oakley_needcr(iph1->approval->authmethod))
1107 			plist = oakley_append_cr(plist, iph1);
1120 			gsshash = gssapi_wraphash(iph1);
1130 				isakmp_info_send_n1(iph1,
1134 			if (iph1->approval->gssid != NULL)
1135 				gss_sa = ipsecdoi_setph1proposal(iph1->rmconf,
1136 								 iph1->approval);
1138 				gss_sa = iph1->sa_ret;
1140 			if (gss_sa != iph1->sa_ret)
1149 			    iph1->dhpub, ISAKMP_NPTYPE_KE);
1153 			    iph1->nonce, ISAKMP_NPTYPE_NONCE);
1157 			    iph1->id, ISAKMP_NPTYPE_ID);
1160 			if (gssapi_get_token_to_send(iph1, &gsstoken) < 0) {
1178 	if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
1189 	if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) {
1206 		plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
1207 		plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
1221 	iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
1224 	isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 1);
1228 	if (isakmp_ph1send(iph1) == -1)
1232 	if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
1238 	iph1->status = PHASE1ST_MSG1SENT;
1278 agg_r2recv(iph1, msg0)
1279 	struct ph1handle *iph1;
1291 	if (iph1->status != PHASE1ST_MSG1SENT) {
1293 			"status mismatched %d.\n", iph1->status);
1300 		msg = oakley_do_decrypt(iph1, msg0,
1301 					iph1->ivm->iv, iph1->ivm->ive);
1312 	iph1->pl_hash = NULL;
1320 			iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
1323 			handle_vendorid(iph1, pa->ptr);
1326 			if (oakley_savecert(iph1, pa->ptr) < 0)
1330 			if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0)
1334 			isakmp_log_notify(iph1,
1342 			if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
1343 				pa->type == iph1->natt_options->payload_nat_d)
1352 					iph1->natt_flags |= NAT_DETECTED;
1354 				natd_verified = natt_compare_addr_hash (iph1,
1369 			plog(LLV_ERROR, LOCATION, iph1->remote,
1378 	if (NATT_AVAILABLE(iph1))
1380 		      iph1->natt_flags & NAT_DETECTED ?
1382 		      iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
1383 		      iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
1387 	ptype = oakley_validate_auth(iph1);
1393 		evt_phase1(iph1, EVT_PHASE1_AUTH_FAILED, NULL);
1394 		isakmp_info_send_n1(iph1, ptype, NULL);
1398 	iph1->status = PHASE1ST_MSG2RECEIVED;
1408 		VPTRINIT(iph1->cert_p);
1409 		VPTRINIT(iph1->crl_p);
1410 		VPTRINIT(iph1->sig_p);
1420 agg_r2send(iph1, msg)
1421 	struct ph1handle *iph1;
1427 	if (iph1->status != PHASE1ST_MSG2RECEIVED) {
1429 			"status mismatched %d.\n", iph1->status);
1436 		memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l);
1439 	iph1->flags |= ISAKMP_FLAG_E;
1441 	iph1->status = PHASE1ST_ESTABLISHED;

Indexes created Thu Jun 27 20:29:42 MDT 2024