diff options
author | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2001-01-10 18:16:27 +0000 |
---|---|---|
committer | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2001-01-10 18:16:27 +0000 |
commit | 50bdf8a0b3e18a1f8e4ae0362f41d8de488b60e9 (patch) | |
tree | 82f2f85fe61922e0c9438fdf4c90be63bf22d89a /sbin/isakmpd | |
parent | d6a7aee40204953ff03a351f51e525153edaa297 (diff) |
If only the Remote-ID is specified for a Phase 2 configuration, use
our address for Local-ID; useful for road-warrior scenarios
(adrian@lion.aba.net.au)
Diffstat (limited to 'sbin/isakmpd')
-rw-r--r-- | sbin/isakmpd/ike_quick_mode.c | 54 |
1 files changed, 52 insertions, 2 deletions
diff --git a/sbin/isakmpd/ike_quick_mode.c b/sbin/isakmpd/ike_quick_mode.c index 2340c775330..7cab347e027 100644 --- a/sbin/isakmpd/ike_quick_mode.c +++ b/sbin/isakmpd/ike_quick_mode.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ike_quick_mode.c,v 1.38 2000/10/16 23:29:07 niklas Exp $ */ +/* $OpenBSD: ike_quick_mode.c,v 1.39 2001/01/10 18:16:26 angelos Exp $ */ /* $EOM: ike_quick_mode.c,v 1.135 2000/10/16 18:16:59 provos Exp $ */ /* @@ -63,6 +63,7 @@ #include "prf.h" #include "sa.h" #include "transport.h" +#include "util.h" #ifdef USE_X509 #include "x509.h" #endif @@ -446,6 +447,9 @@ initiator_send_HASH_SA_NONCE (struct message *msg) struct ipsec_sa *isa = msg->isakmp_sa->data; struct hash *hash = hash_get (isa->hash); + struct sockaddr *src; + socklen_t srclen; + if (!ipsec_add_hash_payload (msg, hash->hashsize)) return -1; @@ -867,10 +871,56 @@ initiator_send_HASH_SA_NONCE (struct message *msg) "Local-ID given without Remote-ID for \"%s\"", exchange->name); else if (remote_id) - log_print ("initiator_send_HASH_SA_NONCE: " + /* This code supports the "road warrior" case, where the initiator doesn't + * have a fixed IP address, but wants to specify a particular remote + * network to talk to. + * -- Adrian Close <adrian@esec.com.au> + */ + { + log_print ("initiator_send_HASH_SA_NONCE: " "Remote-ID given without Local-ID for \"%s\"", exchange->name); + /* If we're here, then we are the initiator, so use initiator + address for local ID */ + msg->transport->vtbl->get_src (msg->transport, &src, &srclen); + + sz = ISAKMP_ID_SZ + + sizeof (((struct sockaddr_in *)src)->sin_addr.s_addr); + + id = calloc (sz, sizeof (char)); + if (!id) + { + log_error ("initiator_send_HASH_SA_NONCE: malloc(%d) failed", sz); + return -1; + } + SET_ISAKMP_ID_TYPE (id, IPSEC_ID_IPV4_ADDR); + + encode_32 (id + ISAKMP_ID_DATA_OFF, + ntohl (((struct sockaddr_in *)src)->sin_addr.s_addr)); + + LOG_DBG_BUF ((LOG_MISC, 90, "initiator_send_HASH_SA_NONCE: IDic", id, + sz)); + if (message_add_payload (msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) + { + free (id); + return -1; + } + + /* Send supplied remote_id */ + id = ipsec_build_id (remote_id, &sz); + if (!id) + return -1; + LOG_DBG_BUF ((LOG_MISC, 90, "initiator_send_HASH_SA_NONCE: IDrc", id, + sz)); + if (message_add_payload (msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) + { + free (id); + return -1; + } + } + + if (ipsec_fill_in_hash (msg)) goto bail_out; |