

svn commit: vpnc r437 - /branches/vpnc-nortel/vpnc.c

 

 



vpnc at unix-ag

Sep 6, 2009, 8:56 AM

svn commit: vpnc r437 - /branches/vpnc-nortel/vpnc.c

Author: Antonio Borneo
Date: Sun Sep 6 17:56:06 2009
New Revision: 437

Log:
Merge into the Nortel branch commit r387 by Maurice Massar.
From original comment:
change do_phase2_qm() to use do_phase2_notice_check()

This merge does not affect Nortel-specific code.

Modified:
branches/vpnc-nortel/vpnc.c

Modified: branches/vpnc-nortel/vpnc.c
==============================================================================
--- branches/vpnc-nortel/vpnc.c (original)
+++ branches/vpnc-nortel/vpnc.c Sun Sep 6 17:56:06 2009
@@ -2172,13 +2172,14 @@
do_phase1_am_cleanup(s);
}

-static int do_phase2_notice_check(struct sa_block *s, struct isakmp_packet **r_p)
+static int do_phase2_notice_check(struct sa_block *s, struct isakmp_packet **r_p,
+ const uint8_t * nonce, size_t nonce_size)
{
int reject = 0;
struct isakmp_packet *r;

while (1) {
- reject = unpack_verify_phase2(s, r_packet, r_length, r_p, NULL, 0);
+ reject = unpack_verify_phase2(s, r_packet, r_length, r_p, nonce, nonce_size);
if (reject == ISAKMP_N_INVALID_COOKIE) {
r_length = sendrecv(s, r_packet, sizeof(r_packet), NULL, 0, 0);
continue;
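Review bot: The new `nonce`/`nonce_size` parameters of do_phase2_notice_check are undocumented, and every caller in this commit except do_phase2_qm passes `NULL, 0`, so a reader cannot tell from the signature what a NULL nonce means. A short header comment on the function would settle it, e.g. `/* nonce/nonce_size: forwarded unchanged to unpack_verify_phase2 on every retry of the INVALID_COOKIE loop; NULL/0 when the caller has no nonce to check the reply against. */`. The declarator spacing `const uint8_t * nonce` also differs from the file's own style (`struct sa_block *s` on the same line); `const uint8_t *nonce` would match. The body of do_phase2_notice_check continues beyond the hunk, so the rest of the loop and its return paths were not reviewed here.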
@@ -2263,7 +2264,7 @@
/* recv and check for notices */
if (r) free_isakmp_packet(r);
r = NULL;
- reject = do_phase2_notice_check(s, &r);
+ reject = do_phase2_notice_check(s, &r, NULL, 0);
if (reject == -1) {
if (r) free_isakmp_packet(r);
return 1;
@@ -2507,7 +2508,7 @@
ISAKMP_EXCHANGE_MODECFG_TRANSACTION,
r->message_id, 0, 0, 0, 0, 0, 0, 0);

- reject = do_phase2_notice_check(s, &r);
+ reject = do_phase2_notice_check(s, &r, NULL, 0);
if (reject == -1) {
free_isakmp_packet(r);
return 1;
@@ -2604,7 +2605,7 @@

DEBUGTOP(2, printf("S6.2 phase2_config receive modecfg\n"));
/* recv and check for notices */
- reject = do_phase2_notice_check(s, &r);
+ reject = do_phase2_notice_check(s, &r, NULL, 0);
if (reject == -1) {
if (r) free_isakmp_packet(r);
return 1;
@@ -2920,7 +2921,7 @@
int reject;

r_length = sendrecv(s,r_packet, sizeof(r_packet), NULL, 0, 0);
- reject = do_phase2_notice_check(s, &r);
+ reject = do_phase2_notice_check(s, &r, NULL, 0);

if (reject == 0 && r->exchange_type != ISAKMP_EXCHANGE_IKE_QUICK)
reject = ISAKMP_N_INVALID_EXCHANGE_TYPE;
@@ -3110,9 +3111,6 @@
if (opt_vendor != VENDOR_NORTEL) {
uint32_t msgid;
int reject;
- uint8_t *p_flat = NULL;
- size_t p_size = 0;
- int i;

DEBUGTOP(2, printf("S7.1 QM_packet1\n"));
/* Set up the Diffie-Hellman stuff. */
@@ -3155,49 +3153,23 @@
if (msgid == 0)
msgid = 1;

- for (i = 0; i < 4; i++) {
- DEBUGTOP(2, printf("S7.2 QM_packet2 send_receive\n"));
- sendrecv_phase2(s, rp, ISAKMP_EXCHANGE_IKE_QUICK,
- msgid, 0, &p_flat, &p_size, 0, 0, 0, 0);
-
- DEBUGTOP(2, printf("S7.3 QM_packet2 validate type\n"));
- reject = unpack_verify_phase2(s, r_packet, r_length, &r, nonce_i, sizeof(nonce_i)); /* FIXME: LEAK */
-
- if (((reject == 0) || (reject == ISAKMP_N_AUTHENTICATION_FAILED))
- && r->exchange_type == ISAKMP_EXCHANGE_INFORMATIONAL) {
- DEBUGTOP(2, printf("S7.4 process and skip lifetime notice\n"));
- /* handle notify responder-lifetime */
- /* (broken hash => ignore AUTHENTICATION_FAILED) */
- if (reject == 0 && r->payload->next->type != ISAKMP_PAYLOAD_N)
- reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
-
- if (reject == 0
- && r->payload->next->u.n.type == ISAKMP_N_IPSEC_RESPONDER_LIFETIME) {
- if (r->payload->next->u.n.protocol == ISAKMP_IPSEC_PROTO_ISAKMP)
- lifetime_ike_process(s, r->payload->next->u.n.attributes);
- else if (r->payload->next->u.n.protocol == ISAKMP_IPSEC_PROTO_IPSEC_ESP)
- lifetime_ipsec_process(s, r->payload->next->u.n.attributes);
- else
- DEBUG(2, printf("got unknown lifetime notice, ignoring..\n"));
- continue;
- }
- }
-
- /* Check the transaction type & message ID are OK. */
- if (reject == 0 && r->message_id != msgid)
- reject = ISAKMP_N_INVALID_MESSAGE_ID;
-
- if (reject == 0 && r->exchange_type != ISAKMP_EXCHANGE_IKE_QUICK)
- reject = ISAKMP_N_INVALID_EXCHANGE_TYPE;
-
- /* The SA payload must be second. */
- if (reject == 0 && r->payload->next->type != ISAKMP_PAYLOAD_SA)
- reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;
-
- free(p_flat);
-
- break;
- }
+ DEBUGTOP(2, printf("S7.2 QM_packet2 send_receive\n"));
+ sendrecv_phase2(s, rp, ISAKMP_EXCHANGE_IKE_QUICK,
+ msgid, 0, 0, 0, 0, 0, 0, 0);
+
+ DEBUGTOP(2, printf("S7.3 QM_packet2 validate type\n"));
+ reject = do_phase2_notice_check(s, &r, nonce_i, sizeof(nonce_i)); /* FIXME: LEAK */
+
+ /* Check the transaction type & message ID are OK. */
+ if (reject == 0 && r->message_id != msgid)
+ reject = ISAKMP_N_INVALID_MESSAGE_ID;
+
+ if (reject == 0 && r->exchange_type != ISAKMP_EXCHANGE_IKE_QUICK)
+ reject = ISAKMP_N_INVALID_EXCHANGE_TYPE;
+
+ /* The SA payload must be second. */
+ if (reject == 0 && r->payload->next->type != ISAKMP_PAYLOAD_SA)
+ reject = ISAKMP_N_INVALID_PAYLOAD_TYPE;

DEBUGTOP(2, printf("S7.5 QM_packet2 check reject offer\n"));
if (reject != 0)
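Review bot: The new `reject = do_phase2_notice_check(s, &r, nonce_i, sizeof(nonce_i))` at S7.3 does not special-case a `-1` return the way the four other call sites in this commit do (each tests `reject == -1`, frees `r` if set and returns 1); here `-1` falls through to the `reject != 0` branch at S7.5, whose body lies outside the hunk, so whether that branch handles `-1` and a possibly NULL `r` correctly cannot be confirmed from here and should be checked before merging. The `/* FIXME: LEAK */` comment was carried over from the removed retry loop, where each `continue` abandoned the packet unpacked in the previous iteration; with the loop gone it no longer says what leaks, so it should either be removed or reworded to name the remaining leak (presumably inside do_phase2_notice_check's own retry loop). The call `sendrecv_phase2(s, rp, ISAKMP_EXCHANGE_IKE_QUICK, msgid, 0, 0, 0, 0, 0, 0, 0)` now passes literal `0` in the positions where the old code passed `&p_flat, &p_size`; writing `NULL` there would keep the pointer arguments distinguishable from the integer ones. The enclosing function do_phase2_qm begins and ends outside the hunk.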

