authorNiklas Hallqvist <niklas@cvs.openbsd.org>1999-04-27 21:11:55 +0000
committerNiklas Hallqvist <niklas@cvs.openbsd.org>1999-04-27 21:11:55 +0000
commit4a8794d3bf4912f2454ef7399979b436b5e7d719 (patch)
tree24d78d8ebfe286e4ee554dca168c3b76088d456c /sbin
parentea156eae0177106298172fc315bb8fe603be8a7f (diff)
ike_aggressive.c: Merge with EOM 1.2
ike_main_mode.c: Merge with EOM 1.77
ipsec.h: Merge with EOM 1.35
author: niklas
Send out INITIAL-CONTACT notifications
Diffstat (limited to 'sbin')
-rw-r--r--sbin/isakmpd/ike_aggressive.c18
-rw-r--r--sbin/isakmpd/ike_main_mode.c23
-rw-r--r--sbin/isakmpd/ipsec.h5
3 files changed, 38 insertions, 8 deletions
diff --git a/sbin/isakmpd/ike_aggressive.c b/sbin/isakmpd/ike_aggressive.c
index 4a3daf3bb3d..a4ff4436746 100644
--- a/sbin/isakmpd/ike_aggressive.c
+++ b/sbin/isakmpd/ike_aggressive.c
@@ -1,4 +1,5 @@
-/* $Id: ike_aggressive.c,v 1.1 1999/04/19 19:59:53 niklas Exp $ */
+/* $OpenBSD: ike_aggressive.c,v 1.2 1999/04/27 21:11:53 niklas Exp $ */
+/* $EOM: ike_aggressive.c,v 1.2 1999/04/25 22:12:33 niklas Exp $ */
/*
* Copyright (c) 1999 Niklas Hallqvist. All rights reserved.
@@ -111,7 +112,20 @@ initiator_send_AUTH (struct message *msg)
{
msg->exchange->flags |= EXCHANGE_FLAG_ENCRYPT;
- return ike_phase_1_send_AUTH (msg);
+ if (ike_phase_1_send_AUTH (msg))
+ return -1;
+
+ /*
+ * RFC 2407 4.6.3 says that, among others, INITIAL-CONTACT MUST NOT
+ * be sent in Aggressive Mode. This leaves us with the choice of
+ * doing it in an informational exchange of its own with no delivery
+ * guarantee or in the first Quick Mode, or not at all.
+ * draft-jenkins-ipsec-rekeying-01.txt has some text that requires
+ * INITIAL-CONTACT in phase 1, thus contradicting what we learned
+ * above. I will bring this up in the IPsec list. For now we don't
+ * do INITIAL-CONTACT at all when using aggressive mode.
+ */
+ return 0;
}
/*
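Review bot: The comment added at the end of initiator_send_AUTH records an unresolved question (RFC 2407 4.6.3 versus draft-jenkins-ipsec-rekeying-01 on INITIAL-CONTACT in phase 1) without marking it as an open item, so it is easy to lose; starting it as `* XXX RFC 2407 4.6.3 says that, among others, INITIAL-CONTACT MUST NOT` would make it greppable in the usual way. It would also help to state in the function's comment that, unlike the main-mode initiator, this path never sends INITIAL-CONTACT, so a peer that kept stale SAs across a restart of this host is presumably not told to discard them. The 0/-1 normalisation of ike_phase_1_send_AUTH's result is fine as written. initiator_send_AUTH's signature precedes the hunk.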
diff --git a/sbin/isakmpd/ike_main_mode.c b/sbin/isakmpd/ike_main_mode.c
index f9ef570b5bc..4d972ac2030 100644
--- a/sbin/isakmpd/ike_main_mode.c
+++ b/sbin/isakmpd/ike_main_mode.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: ike_main_mode.c,v 1.10 1999/04/19 21:01:16 niklas Exp $ */
-/* $EOM: ike_main_mode.c,v 1.76 1999/04/16 21:24:43 niklas Exp $ */
+/* $OpenBSD: ike_main_mode.c,v 1.11 1999/04/27 21:11:53 niklas Exp $ */
+/* $EOM: ike_main_mode.c,v 1.77 1999/04/25 22:12:34 niklas Exp $ */
/*
* Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
@@ -64,6 +64,7 @@
#include "util.h"
static int initiator_send_ID_AUTH (struct message *);
+static int responder_send_ID_AUTH (struct message *);
static int responder_send_KE_NONCE (struct message *);
int (*ike_main_mode_initiator[]) (struct message *) = {
@@ -81,7 +82,7 @@ int (*ike_main_mode_responder[]) (struct message *) = {
ike_phase_1_recv_KE_NONCE,
responder_send_KE_NONCE,
ike_phase_1_recv_ID_AUTH,
- ike_phase_1_responder_send_ID_AUTH
+ responder_send_ID_AUTH
};
static int
@@ -92,7 +93,10 @@ initiator_send_ID_AUTH (struct message *msg)
if (ike_phase_1_send_ID (msg))
return -1;
- return ike_phase_1_send_AUTH (msg);
+ if (ike_phase_1_send_AUTH (msg))
+ return -1;
+
+ return ipsec_initial_contact (msg);
}
/* Send our public DH value and a nonce to the initiator. */
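Review bot: initiator_send_ID_AUTH now calls ipsec_initial_contact directly, which appears to tie DOI-independent main-mode exchange code to the IPsec DOI; if the DOI layer already offers a hook for post-phase-1 notifications, routing the call through it would keep ike_main_mode.c DOI-neutral. The return value is propagated unchanged, so a failure to attach the INITIAL-CONTACT notification fails the whole send step after ike_phase_1_send_ID and ike_phase_1_send_AUTH have already appended their payloads; a comment such as `/* INITIAL-CONTACT failure aborts the step; ID and AUTH are already queued. */` would make clear that this is intended. The same pattern appears in responder_send_ID_AUTH in the last hunk of this file. initiator_send_ID_AUTH's signature and the start of its body precede the hunk.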
@@ -113,3 +117,14 @@ responder_send_KE_NONCE (struct message *msg)
return 0;
}
+
+static int
+responder_send_ID_AUTH (struct message *msg)
+{
+ msg->exchange->flags |= EXCHANGE_FLAG_ENCRYPT;
+
+ if (ike_phase_1_responder_send_ID_AUTH (msg))
+ return -1;
+
+ return ipsec_initial_contact (msg);
+}
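Review bot: responder_send_ID_AUTH is added without a leading comment, whereas responder_send_KE_NONCE just above has one; suggest `/* Send our ID and authentication payloads, encrypted, then INITIAL-CONTACT. */` before the `static int` line. It is not visible from the hunk whether ike_phase_1_responder_send_ID_AUTH already sets EXCHANGE_FLAG_ENCRYPT itself, so the flag assignment on the first body line may be redundant; if it does not, the old table entry that called ike_phase_1_responder_send_ID_AUTH directly presumably sent the responder's ID/AUTH without encryption, and that behavioural change deserves a mention in the commit message, which only speaks of INITIAL-CONTACT.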
diff --git a/sbin/isakmpd/ipsec.h b/sbin/isakmpd/ipsec.h
index 8ba72c94b16..4219cb7369d 100644
--- a/sbin/isakmpd/ipsec.h
+++ b/sbin/isakmpd/ipsec.h
@@ -1,5 +1,5 @@
-/* $OpenBSD: ipsec.h,v 1.7 1999/04/19 19:54:54 niklas Exp $ */
-/* $EOM: ipsec.h,v 1.34 1999/04/02 00:57:49 niklas Exp $ */
+/* $OpenBSD: ipsec.h,v 1.8 1999/04/27 21:11:54 niklas Exp $ */
+/* $EOM: ipsec.h,v 1.35 1999/04/25 22:12:37 niklas Exp $ */
/*
* Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
@@ -135,6 +135,7 @@ extern int ipsec_esp_enckeylength (struct proto *);
extern int ipsec_gen_g_x (struct message *);
extern int ipsec_get_id (char *, int *, struct in_addr *, struct in_addr *);
extern void ipsec_init (void);
+extern int ipsec_initial_contact (struct message *msg);
extern int ipsec_is_attribute_incompatible (u_int16_t, u_int8_t *, u_int16_t,
void *);
extern int ipsec_keymat_length (struct proto *);
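Review bot: The new prototype names its parameter (`struct message *msg`) while every neighbouring declaration in this header, and the matching static prototype added in ike_main_mode.c, omit parameter names; for consistency write `extern int ipsec_initial_contact (struct message *);`. A one-line comment stating what the function attaches to the message and what a non-zero return means would help the two callers that propagate its result as the phase-1 send status.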