re-introduced the XAUTH_VID compile option
[strongswan.git] / src / pluto / ipsec_doi.c
index f35b5f9..14aec44 100644 (file)
 #endif /* !VENDORID */
 
 /*
+ * are we sending an XAUTH VID?
+ */
+#ifdef XAUTH_VID
+#define SEND_XAUTH_VID 1
+#else /* !XAUTH_VID */
+#define SEND_XAUTH_VID 0
+#endif /* !XAUTH_VID */
+
+/*
  * are we sending a Cisco Unity VID?
  */
 #ifdef CISCO_QUIRKS
@@ -453,9 +462,11 @@ send_notification_from_state(struct state *st, enum state_kind state,
     if (state == STATE_UNDEFINED)
        state = st->st_state;
 
-    if (IS_QUICK(state)) {
+    if (IS_QUICK(state))
+    {
        p1st = find_phase1_state(st->st_connection, ISAKMP_SA_ESTABLISHED_STATES);
-       if ((p1st == NULL) || (!IS_ISAKMP_SA_ESTABLISHED(p1st->st_state))) {
+       if ((p1st == NULL) || (!IS_ISAKMP_SA_ESTABLISHED(p1st->st_state)))
+       {
            loglog(RC_LOG_SERIOUS,
                "no Phase1 state for Quick mode notification");
            return;
@@ -463,11 +474,13 @@ send_notification_from_state(struct state *st, enum state_kind state,
        send_notification(st, type, p1st, generate_msgid(p1st),
            st->st_icookie, st->st_rcookie, NULL, 0, PROTO_ISAKMP);
     }
-    else if (IS_ISAKMP_ENCRYPTED(state)) {
+    else if (IS_ISAKMP_ENCRYPTED(state) && st->st_enc_key.ptr != NULL)
+    {
        send_notification(st, type, st, generate_msgid(st),
            st->st_icookie, st->st_rcookie, NULL, 0, PROTO_ISAKMP);
     }
-    else {
+    else
+    {
        /* no ISAKMP SA established - don't encrypt notification */
        send_notification(st, type, NULL, 0,
            st->st_icookie, st->st_rcookie, NULL, 0, PROTO_ISAKMP);
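Review bot: The `else` branch comment `no ISAKMP SA established - don't encrypt notification` is no longer accurate once `IS_ISAKMP_ENCRYPTED(state) && st->st_enc_key.ptr != NULL` is the test above it: a state that is nominally encrypted but has no encryption key now also falls through here and the notification goes out in the clear. Make that downgrade explicit so a later reader does not "fix" the branch, e.g. `/* no ISAKMP SA established, or no encryption key available yet - send notification unencrypted */`, and consider logging it, e.g. `DBG(DBG_CONTROL, DBG_log("no encryption key for notification, sending unencrypted"))`, so a cleartext notification on an encrypted-phase state is visible in the logs. Whether the peer will accept an unencrypted notification for a state it already considers encrypted is not decidable from this hunk. send_notification_from_state starts before this hunk and ends after it.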
@@ -895,7 +908,7 @@ main_outI1(int whack_sock, struct connection *c, struct state *predecessor
        vids_to_send++;
     if (c->spd.this.cert.type == CERT_PGP)
        vids_to_send++;
-    /* always send XAUTH Vendor ID */
+    if (SEND_XAUTH_VID)
        vids_to_send++;
     /* always send DPD Vendor ID */
        vids_to_send++;
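Review bot: The new `if (SEND_XAUTH_VID)` has an unbraced single-statement body, and the DPD `vids_to_send++;` directly below it sits at the same indent under its own comment, so at a glance the DPD increment reads like a second statement of the conditional (it is not, but it is the classic goto-fail shape). Brace the body: `if (SEND_XAUTH_VID) {` / `    vids_to_send++;` / `}`. The count here has to agree with the out_vendorid() calls later in the function so the ISAKMP_NEXT_VID/ISAKMP_NEXT_NONE chain terminates correctly; using the same SEND_XAUTH_VID macro in both places keeps them in sync, which is worth a comment on the tally. main_outI1 starts and ends outside this hunk.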
@@ -989,11 +1002,14 @@ main_outI1(int whack_sock, struct connection *c, struct state *predecessor
     }
 
     /* Announce our ability to do eXtended AUTHentication to the peer */
-    if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
-    , &rbody, VID_MISC_XAUTH))
+    if (SEND_XAUTH_VID)
     {
-       reset_cur_state();
-       return STF_INTERNAL_ERROR;
+       if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
+       , &rbody, VID_MISC_XAUTH))
+       {
+           reset_cur_state();
+           return STF_INTERNAL_ERROR;
+       }
     }
 
     /* Announce our ability to do Dead Peer Detection to the peer */
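Review bot: The comment above the guarded block still says the VID is always announced, but the payload is now emitted only when the build defines XAUTH_VID, and the `vids_to_send--` inside the guard is what keeps the next-payload chain consistent with the earlier tally. Suggest `/* Announce our ability to do eXtended AUTHentication to the peer (only when built with XAUTH_VID; must stay in step with the vids_to_send tally above) */` so the coupling is documented where it matters. main_outI1 starts and ends outside this hunk.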
@@ -1772,7 +1788,7 @@ RSA_check_signature(const struct id* peer
     {
        char id_buf[BUF_LEN];   /* arbitrary limit on length of ID reported */
 
-       (void) idtoa(&st->st_connection->spd.that.id, id_buf, sizeof(id_buf));
+       (void) idtoa(peer, id_buf, sizeof(id_buf));
 
        if (s.best_ugh == NULL)
        {
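Review bot: The ID logged in the signature-failure report now comes from the `peer` parameter rather than `st->st_connection->spd.that.id`; since the two can legitimately differ, a one-line comment would preserve the reason and stop a future reader from reverting it, e.g. `/* report the ID the peer actually sent, not the connection's configured that.id */` above the idtoa() call. Whether `peer` can be NULL on any caller's path is not visible here; if it can, idtoa() would dereference it. RSA_check_signature starts before this hunk and ends after it.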
@@ -2475,7 +2491,7 @@ switch_connection(struct msg_digest *md, struct id *peer, bool initiator)
        DBG(DBG_CONTROL,
            char buf[BUF_LEN];
 
-           dntoa_or_null(buf, BUF_LEN, c->spd.this.ca, "%none");
+           dntoa_or_null(buf, BUF_LEN, c->spd.that.ca, "%none");
            DBG_log("required CA:  '%s'", buf);
         )
 
@@ -3110,7 +3126,7 @@ main_inI1_outR1(struct msg_digest *md)
        vids_to_send++;
     if (md->openpgp)
        vids_to_send++;
-    /* always send XAUTH Vendor ID */
+    if (SEND_XAUTH_VID)
        vids_to_send++;
     /* always send DPD Vendor ID */
        vids_to_send++;
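Review bot: Same shape as the initiator side: `if (SEND_XAUTH_VID)` with an unbraced body immediately followed by the DPD `vids_to_send++;` at the same indent, which reads as a dangling second statement. Brace it: `if (SEND_XAUTH_VID) {` / `    vids_to_send++;` / `}`. The tally must match the out_vendorid() calls further down main_inI1_outR1, whose start and end lie outside this hunk.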
@@ -3178,10 +3194,13 @@ main_inI1_outR1(struct msg_digest *md)
     }
 
     /* Announce our ability to do eXtended AUTHentication to the peer */
-    if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
-    , &md->rbody, VID_MISC_XAUTH))
+    if (SEND_XAUTH_VID)
     {
-       return STF_INTERNAL_ERROR;
+       if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
+       , &md->rbody, VID_MISC_XAUTH))
+       {
+           return STF_INTERNAL_ERROR;
+       }
     }
 
     /* Announce our ability to do Dead Peer Detection to the peer */
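Review bot: The failure path here returns `STF_INTERNAL_ERROR` without calling `reset_cur_state()`, whereas the corresponding guarded block in main_outI1 resets the state before returning; this asymmetry predates the commit, but since the block is being rewritten it is the moment to either add the reset or document why the responder does not need it, e.g. `/* no reset_cur_state(): responder state is torn down by the caller */` if that is the case. The inner braces around a lone `return STF_INTERNAL_ERROR;` can also be dropped to match the surrounding style. main_inI1_outR1 starts and ends outside this hunk.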
@@ -3509,23 +3528,22 @@ main_inR2_outI3(struct msg_digest *md)
     send_cr = !no_cr_send && send_cert && !has_preloaded_public_key(st);
 
     /* done parsing; initialize crypto  */
-
     compute_dh_shared(st, st->st_gr, st->st_oakley.group);
     if (!generate_skeyids_iv(st))
        return STF_FAIL + AUTHENTICATION_FAILED;
 
-       if (st->nat_traversal & NAT_T_WITH_NATD)
-       {
-           nat_traversal_natd_lookup(md);
-       }
-       if (st->nat_traversal)
-       {
-           nat_traversal_show_result(st->nat_traversal, md->sender_port);
-       }
-       if (st->nat_traversal & NAT_T_WITH_KA)
-       {
-           nat_traversal_new_ka_event();
-       }
+    if (st->nat_traversal & NAT_T_WITH_NATD)
+    {
+       nat_traversal_natd_lookup(md);
+    }
+    if (st->nat_traversal)
+    {
+       nat_traversal_show_result(st->nat_traversal, md->sender_port);
+    }
+    if (st->nat_traversal & NAT_T_WITH_KA)
+    {
+       nat_traversal_new_ka_event();
+    }
 
     /*************** build output packet HDR*;IDii;HASH/SIG_I ***************/
     /* ??? NOTE: this is almost the same as main_inI3_outR3's code */