authorHakan Olsson <ho@cvs.openbsd.org>2004-07-29 08:54:09 +0000
committerHakan Olsson <ho@cvs.openbsd.org>2004-07-29 08:54:09 +0000
commitf02fd7fcfcfe4af77f8133bb3218e02b748b2704 (patch)
tree5d69a47cefcb71ceb5cdbddc77d415aa778a40d5 /sbin
parent3d5db7fb8218bfddd4dba9c31df44108c1e76bd1 (diff)
Repair NAT-T using Aggressive mode, NAT-D checks were in the wrong place.
Noted by Yvan VANHULLEBUS.
Diffstat (limited to 'sbin')
-rw-r--r--sbin/isakmpd/ike_aggressive.c37
-rw-r--r--sbin/isakmpd/ike_phase_1.c7
-rw-r--r--sbin/isakmpd/nat_traversal.c14
3 files changed, 44 insertions, 14 deletions
diff --git a/sbin/isakmpd/ike_aggressive.c b/sbin/isakmpd/ike_aggressive.c
index 6ff93cd72f7..48ec10f6f25 100644
--- a/sbin/isakmpd/ike_aggressive.c
+++ b/sbin/isakmpd/ike_aggressive.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_aggressive.c,v 1.7 2004/05/23 18:17:55 hshoexer Exp $ */
+/* $OpenBSD: ike_aggressive.c,v 1.8 2004/07/29 08:54:08 ho Exp $ */
/* $EOM: ike_aggressive.c,v 1.4 2000/01/31 22:33:45 niklas Exp $ */
/*
@@ -54,16 +54,20 @@
#include "log.h"
#include "math_group.h"
#include "message.h"
+#if defined (USE_NAT_TRAVERSAL)
+#include "nat_traversal.h"
+#endif
#include "prf.h"
#include "sa.h"
#include "transport.h"
#include "util.h"
-static int initiator_recv_SA_KE_NONCE_ID_AUTH(struct message *);
-static int initiator_send_SA_KE_NONCE_ID(struct message *);
-static int initiator_send_AUTH(struct message *);
-static int responder_recv_SA_KE_NONCE_ID(struct message *);
-static int responder_send_SA_KE_NONCE_ID_AUTH(struct message *);
+static int initiator_recv_SA_KE_NONCE_ID_AUTH(struct message *);
+static int initiator_send_SA_KE_NONCE_ID(struct message *);
+static int initiator_send_AUTH(struct message *);
+static int responder_recv_SA_KE_NONCE_ID(struct message *);
+static int responder_send_SA_KE_NONCE_ID_AUTH(struct message *);
+static int responder_recv_AUTH(struct message *);
int (*ike_aggressive_initiator[])(struct message *) = {
initiator_send_SA_KE_NONCE_ID,
@@ -74,7 +78,7 @@ int (*ike_aggressive_initiator[])(struct message *) = {
int (*ike_aggressive_responder[])(struct message *) = {
responder_recv_SA_KE_NONCE_ID,
responder_send_SA_KE_NONCE_ID_AUTH,
- ike_phase_1_recv_AUTH
+ responder_recv_AUTH
};
/* Offer a set of transforms to the responder in the MSG message. */
@@ -159,5 +163,22 @@ responder_send_SA_KE_NONCE_ID_AUTH(struct message *msg)
return -1;
return ike_phase_1_responder_send_ID_AUTH(msg);
- return -1;
+}
+
+/*
+ * Reply with the transform we chose. Send our public DH value and a nonce
+ * to the initiator.
+ */
+static int
+responder_recv_AUTH(struct message *msg)
+{
+ if (ike_phase_1_recv_AUTH(msg))
+ return -1;
+
+#if defined (USE_NAT_TRAVERSAL)
+ /* Aggressive: Check for NAT-D payloads and contents. */
+ if (msg->exchange->flags & EXCHANGE_FLAG_NAT_T_CAP_PEER)
+ (void)nat_t_exchange_check_nat_d(msg);
+#endif
+ return 0;
}
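Review bot: The block comment introducing responder_recv_AUTH is copied from a send step ("Reply with the transform we chose. Send our public DH value and a nonce to the initiator.") and does not describe this function, which receives the initiator's AUTH and then runs the NAT-D check. Replace it with `/* Handle the initiator's AUTH payload, then (Aggressive mode only) check any NAT-D payloads. */`. The result of nat_t_exchange_check_nat_d() is discarded with `(void)` exactly as in the Main-mode caller in ike_phase_1_recv_KE_NONCE; if that function only updates the exchange's NAT-T state rather than reporting a failure, a short comment saying so at the call would spare the next reader the same question.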
diff --git a/sbin/isakmpd/ike_phase_1.c b/sbin/isakmpd/ike_phase_1.c
index 3f84e7151a3..2caac756285 100644
--- a/sbin/isakmpd/ike_phase_1.c
+++ b/sbin/isakmpd/ike_phase_1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_phase_1.c,v 1.54 2004/07/05 17:33:35 pvalchev Exp $ */
+/* $OpenBSD: ike_phase_1.c,v 1.55 2004/07/29 08:54:08 ho Exp $ */
/* $EOM: ike_phase_1.c,v 1.31 2000/12/11 23:47:56 niklas Exp $ */
/*
@@ -592,8 +592,9 @@ ike_phase_1_recv_KE_NONCE(struct message *msg)
return -1;
}
#if defined (USE_NAT_TRAVERSAL)
- /* Check NAT-D payloads and contents. */
- if (msg->exchange->flags & EXCHANGE_FLAG_NAT_T_CAP_PEER)
+ /* MainMode: Check for NAT-D payloads and contents. */
+ if (msg->exchange->type == ISAKMP_EXCH_ID_PROT &&
+ msg->exchange->flags & EXCHANGE_FLAG_NAT_T_CAP_PEER)
(void)nat_t_exchange_check_nat_d(msg);
#endif
return 0;
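Review bot: Restricting the check in ike_phase_1_recv_KE_NONCE to ISAKMP_EXCH_ID_PROT removes it from the Aggressive-mode path through this function, while the commit adds a replacement only on the responder side (responder_recv_AUTH in ike_aggressive.c). Unless initiator_recv_SA_KE_NONCE_ID_AUTH, which this commit does not touch, performs its own check, the Aggressive-mode initiator no longer validates the NAT-D payloads the responder may include in its reply; please confirm where that check now happens or add it there. The `&` term in the new condition reads more clearly with its own parentheses: `(msg->exchange->flags & EXCHANGE_FLAG_NAT_T_CAP_PEER)`. The enclosing function starts before the hunk.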
diff --git a/sbin/isakmpd/nat_traversal.c b/sbin/isakmpd/nat_traversal.c
index 13553379a5e..a358178b0ee 100644
--- a/sbin/isakmpd/nat_traversal.c
+++ b/sbin/isakmpd/nat_traversal.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: nat_traversal.c,v 1.4 2004/06/30 10:07:13 hshoexer Exp $ */
+/* $OpenBSD: nat_traversal.c,v 1.5 2004/07/29 08:54:08 ho Exp $ */
/*
* Copyright (c) 2004 Håkan Olsson. All rights reserved.
@@ -332,12 +332,19 @@ nat_t_match_nat_d_payload(struct message *msg, struct sockaddr *sa)
size_t hbuflen;
int found = 0;
+ /*
+ * If there are no NAT-D payloads in the message, return "found"
+ * as this will avoid NAT-T (see nat_t_exchange_check_nat_d()).
+ */
+ p = payload_first(msg, ISAKMP_PAYLOAD_NAT_D);
+ if (!p)
+ return 1;
+
hbuf = nat_t_generate_nat_d_hash(msg, sa, &hbuflen);
if (!hbuf)
return 0;
- for (p = payload_first(msg, ISAKMP_PAYLOAD_NAT_D); p;
- p = TAILQ_NEXT(p, link)) {
+ while (p) {
if (GET_ISAKMP_GEN_LENGTH (p->p) !=
hbuflen + ISAKMP_NAT_D_DATA_OFF)
continue;
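Review bot: The `continue` on the length mismatch now skips the `p = TAILQ_NEXT(p, link)` advance that the next hunk places at the bottom of the loop body, so a NAT-D payload whose generic-header length is not `hbuflen + ISAKMP_NAT_D_DATA_OFF` is re-tested forever; the removed `for` loop advanced on `continue`. A single malformed or mismatched NAT-D payload from a peer would therefore hang the daemon instead of being skipped. Keeping the `for` form fixes it: `for (; p; p = TAILQ_NEXT(p, link)) {` in place of `while (p) {`, dropping the trailing advance added in the next hunk; otherwise the `continue` must advance itself: `{ p = TAILQ_NEXT(p, link); continue; }`. The loop body between the two hunks is not shown.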
@@ -346,6 +353,7 @@ nat_t_match_nat_d_payload(struct message *msg, struct sockaddr *sa)
found++;
break;
}
+ p = TAILQ_NEXT(p, link);
}
free(hbuf);
return found;