From f02fd7fcfcfe4af77f8133bb3218e02b748b2704 Mon Sep 17 00:00:00 2001
From: Hakan Olsson
Date: Thu, 29 Jul 2004 08:54:09 +0000
Subject: Repair NAT-T using Aggressive mode, NAT-D checks were in the wrong place.
Noted by Yvan VANHULLEBUS.
---
 sbin/isakmpd/ike_aggressive.c | 37 +++++++++++++++++++++++++++++--------
 sbin/isakmpd/ike_phase_1.c | 7 ++++---
 sbin/isakmpd/nat_traversal.c | 14 +++++++++++---
 3 files changed, 44 insertions(+), 14 deletions(-)
(limited to 'sbin/isakmpd')
diff --git a/sbin/isakmpd/ike_aggressive.c b/sbin/isakmpd/ike_aggressive.c
index 6ff93cd72f7..48ec10f6f25 100644
--- a/sbin/isakmpd/ike_aggressive.c
+++ b/sbin/isakmpd/ike_aggressive.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_aggressive.c,v 1.7 2004/05/23 18:17:55 hshoexer Exp $ */
+/* $OpenBSD: ike_aggressive.c,v 1.8 2004/07/29 08:54:08 ho Exp $ */
 /* $EOM: ike_aggressive.c,v 1.4 2000/01/31 22:33:45 niklas Exp $ */
 
 /*
@@ -54,16 +54,20 @@
 #include "log.h"
 #include "math_group.h"
 #include "message.h"
+#if defined (USE_NAT_TRAVERSAL)
+#include "nat_traversal.h"
+#endif
 #include "prf.h"
 #include "sa.h"
 #include "transport.h"
 #include "util.h"
 
-static int initiator_recv_SA_KE_NONCE_ID_AUTH(struct message *);
-static int initiator_send_SA_KE_NONCE_ID(struct message *);
-static int initiator_send_AUTH(struct message *);
-static int responder_recv_SA_KE_NONCE_ID(struct message *);
-static int responder_send_SA_KE_NONCE_ID_AUTH(struct message *);
+static int initiator_recv_SA_KE_NONCE_ID_AUTH(struct message *);
+static int initiator_send_SA_KE_NONCE_ID(struct message *);
+static int initiator_send_AUTH(struct message *);
+static int responder_recv_SA_KE_NONCE_ID(struct message *);
+static int responder_send_SA_KE_NONCE_ID_AUTH(struct message *);
+static int responder_recv_AUTH(struct message *);
 
 int (*ike_aggressive_initiator[])(struct message *) = {
 	initiator_send_SA_KE_NONCE_ID,
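Review bot: The five existing prototypes in the @@ -54,16 +54,20 @@ hunk are removed and re-added with what appears to be only a whitespace change, so the one genuinely new declaration, `static int responder_recv_AUTH(struct message *);`, is hidden inside ten lines of churn. Keeping the original alignment and adding only the new line would leave a one-line change that is much easier to audit. The conditional include of nat_traversal.h uses the same USE_NAT_TRAVERSAL guard as the call site added later in this file, which keeps the non-NAT-T build unchanged.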
@@ -74,7 +78,7 @@ int (*ike_aggressive_initiator[])(struct message *) = {
 int (*ike_aggressive_responder[])(struct message *) = {
 	responder_recv_SA_KE_NONCE_ID,
 	responder_send_SA_KE_NONCE_ID_AUTH,
-	ike_phase_1_recv_AUTH
+	responder_recv_AUTH
 };
 
 /* Offer a set of transforms to the responder in the MSG message. */
@@ -159,5 +163,22 @@ responder_send_SA_KE_NONCE_ID_AUTH(struct message *msg)
 		return -1;
 
 	return ike_phase_1_responder_send_ID_AUTH(msg);
-	return -1;
+}
+
+/*
+ * Reply with the transform we chose. Send our public DH value and a nonce
+ * to the initiator.
+ */
+static int
+responder_recv_AUTH(struct message *msg)
+{
+	if (ike_phase_1_recv_AUTH(msg))
+		return -1;
+
+#if defined (USE_NAT_TRAVERSAL)
+	/* Aggressive: Check for NAT-D payloads and contents. */
+	if (msg->exchange->flags & EXCHANGE_FLAG_NAT_T_CAP_PEER)
+		(void)nat_t_exchange_check_nat_d(msg);
+#endif
+	return 0;
 }
diff --git a/sbin/isakmpd/ike_phase_1.c b/sbin/isakmpd/ike_phase_1.c
index 3f84e7151a3..2caac756285 100644
--- a/sbin/isakmpd/ike_phase_1.c
+++ b/sbin/isakmpd/ike_phase_1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_phase_1.c,v 1.54 2004/07/05 17:33:35 pvalchev Exp $ */
+/* $OpenBSD: ike_phase_1.c,v 1.55 2004/07/29 08:54:08 ho Exp $ */
 /* $EOM: ike_phase_1.c,v 1.31 2000/12/11 23:47:56 niklas Exp $ */
 
 /*
@@ -592,8 +592,9 @@ ike_phase_1_recv_KE_NONCE(struct message *msg)
 		return -1;
 	}
 #if defined (USE_NAT_TRAVERSAL)
-	/* Check NAT-D payloads and contents. */
-	if (msg->exchange->flags & EXCHANGE_FLAG_NAT_T_CAP_PEER)
+	/* MainMode: Check for NAT-D payloads and contents. */
+	if (msg->exchange->type == ISAKMP_EXCH_ID_PROT &&
+	    msg->exchange->flags & EXCHANGE_FLAG_NAT_T_CAP_PEER)
 		(void)nat_t_exchange_check_nat_d(msg);
 #endif
 	return 0;
diff --git a/sbin/isakmpd/nat_traversal.c b/sbin/isakmpd/nat_traversal.c
index 13553379a5e..a358178b0ee 100644
--- a/sbin/isakmpd/nat_traversal.c
+++ b/sbin/isakmpd/nat_traversal.c
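Review bot: The header comment on the new responder_recv_AUTH() in the @@ -159,5 +163,22 @@ hunk is copied from responder_send_SA_KE_NONCE_ID_AUTH() directly above it and describes choosing a transform and sending a DH value and nonce, none of which this function does. Suggest replacing it with `/* Process the initiator's AUTH via ike_phase_1_recv_AUTH(), then (NAT-T) check the NAT-D payloads it carries. */`. Placing the NAT-D check after ike_phase_1_recv_AUTH() has succeeded is the right order, since no NAT-T state is derived from a message that fails authentication; discarding the result with `(void)` matches the existing main-mode call in ike_phase_1_recv_KE_NONCE(). The unreachable `return -1;` after the unconditional return in responder_send_SA_KE_NONCE_ID_AUTH() is correctly removed.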
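Review bot: Restricting the NAT-D check in ike_phase_1_recv_KE_NONCE() to ISAKMP_EXCH_ID_PROT removes it for every aggressive-mode caller, yet this commit adds a replacement only on the responder side (responder_recv_AUTH in ike_aggressive.c). If the aggressive-mode initiator handles the responder's KE/NONCE message through this function, as the name suggests, it no longer inspects the NAT-D payloads that message carries and will never detect a NAT in front of itself; that initiator path is outside the hunk, so please confirm, and if so add the same guarded `if (msg->exchange->flags & EXCHANGE_FLAG_NAT_T_CAP_PEER) (void)nat_t_exchange_check_nat_d(msg);` to the initiator's receive handler. The enclosing function starts before this hunk.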
@@ -1,4 +1,4 @@
-/* $OpenBSD: nat_traversal.c,v 1.4 2004/06/30 10:07:13 hshoexer Exp $ */
+/* $OpenBSD: nat_traversal.c,v 1.5 2004/07/29 08:54:08 ho Exp $ */
 
 /*
  * Copyright (c) 2004 Håkan Olsson. All rights reserved.
@@ -332,12 +332,19 @@ nat_t_match_nat_d_payload(struct message *msg, struct sockaddr *sa)
 	size_t hbuflen;
 	int found = 0;
 
+	/*
+	 * If there are no NAT-D payloads in the message, return "found"
+	 * as this will avoid NAT-T (see nat_t_exchange_check_nat_d()).
+	 */
+	p = payload_first(msg, ISAKMP_PAYLOAD_NAT_D);
+	if (!p)
+		return 1;
+
 	hbuf = nat_t_generate_nat_d_hash(msg, sa, &hbuflen);
 	if (!hbuf)
 		return 0;
 
-	for (p = payload_first(msg, ISAKMP_PAYLOAD_NAT_D); p;
-	    p = TAILQ_NEXT(p, link)) {
+	while (p) {
 		if (GET_ISAKMP_GEN_LENGTH (p->p) !=
 		    hbuflen + ISAKMP_NAT_D_DATA_OFF)
 			continue;
@@ -346,6 +353,7 @@ nat_t_match_nat_d_payload(struct message *msg, struct sockaddr *sa)
 			found++;
 			break;
 		}
+		p = TAILQ_NEXT(p, link);
 	}
 	free(hbuf);
 	return found;
-- 
cgit v1.2.3
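Review bot: Rewriting the `for` as `while (p)` with the advance moved to the bottom of the body (hunk @@ -346,6 +353,7 @@) makes the `continue` on the length-mismatch branch skip `p = TAILQ_NEXT(p, link);`, so the first NAT-D payload whose generic-header length differs from hbuflen + ISAKMP_NAT_D_DATA_OFF is re-examined forever; the original for-increment still ran on `continue`. In main mode this function is reached from the KE/NONCE step, before the peer's AUTH, so a single malformed payload hangs the whole daemon. Keep the loop shape and the new early return: replace `while (p) {` with `for (; p; p = TAILQ_NEXT(p, link)) {` and drop the `p = TAILQ_NEXT(p, link);` line added in the next hunk. The early `return 1` when no NAT-D payload is present changes what "found" means from "matched our address" to "no NAT-T needed", which the new comment explains but the function name does not, so the caller in nat_t_exchange_check_nat_d() deserves a matching one-line note.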