fixed ID selection bug when peer doesn't include IDr payload

allowing vendor ID in any message
Martin Willi 2007-03-05 15:22:50 +00:00
parent 03ffdf7526
commit 5bf1be3c9f
4 changed files with 34 additions and 40 deletions


@ -125,6 +125,7 @@ static payload_rule_t ike_sa_init_i_payload_rules[] = {
{SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
{KEY_EXCHANGE,1,1,FALSE,FALSE},
{NONCE,1,1,FALSE,FALSE},
{VENDOR_ID,0,10,FALSE,FALSE},
};
/**
@ -135,6 +136,7 @@ static payload_rule_t ike_sa_init_r_payload_rules[] = {
{SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
{KEY_EXCHANGE,1,1,FALSE,FALSE},
{NONCE,1,1,FALSE,FALSE},
{VENDOR_ID,0,10,FALSE,FALSE},
};
/**
@ -152,6 +154,7 @@ static payload_rule_t ike_auth_i_payload_rules[] = {
{TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE,FALSE},
{TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE,FALSE},
{CONFIGURATION,0,1,TRUE,FALSE},
{VENDOR_ID,0,10,TRUE,FALSE},
};
/**
@ -167,6 +170,7 @@ static payload_rule_t ike_auth_r_payload_rules[] = {
{TRAFFIC_SELECTOR_INITIATOR,0,1,TRUE,FALSE},
{TRAFFIC_SELECTOR_RESPONDER,0,1,TRUE,FALSE},
{CONFIGURATION,0,1,TRUE,FALSE},
{VENDOR_ID,0,10,TRUE,FALSE},
};
@ -177,6 +181,7 @@ static payload_rule_t informational_i_payload_rules[] = {
{NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
{CONFIGURATION,0,1,TRUE,FALSE},
{DELETE,0,1,TRUE,FALSE},
{VENDOR_ID,0,10,TRUE,FALSE},
};
@ -187,6 +192,7 @@ static payload_rule_t informational_r_payload_rules[] = {
{NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
{CONFIGURATION,0,1,TRUE,FALSE},
{DELETE,0,1,TRUE,FALSE},
{VENDOR_ID,0,10,TRUE,FALSE},
};
/**
@ -200,6 +206,7 @@ static payload_rule_t create_child_sa_i_payload_rules[] = {
{TRAFFIC_SELECTOR_INITIATOR,0,1,TRUE,FALSE},
{TRAFFIC_SELECTOR_RESPONDER,0,1,TRUE,FALSE},
{CONFIGURATION,0,1,TRUE,FALSE},
{VENDOR_ID,0,10,TRUE,FALSE},
};
/**
@ -213,6 +220,7 @@ static payload_rule_t create_child_sa_r_payload_rules[] = {
{TRAFFIC_SELECTOR_INITIATOR,0,1,TRUE,FALSE},
{TRAFFIC_SELECTOR_RESPONDER,0,1,TRUE,FALSE},
{CONFIGURATION,0,1,TRUE,FALSE},
{VENDOR_ID,0,10,TRUE,FALSE},
};
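Review bot: The upper bound of 10 vendor ID payloads is written as a bare literal in all eight rule tables (lines 16, 23, 30, 37, 43, 49, 56, 63), while the notify bound two rows above it uses the named `MAX_NOTIFY_PAYLOADS`; give it a name in the same place, e.g. `{VENDOR_ID,0,MAX_VID_PAYLOADS,TRUE,FALSE}`, so the limit is documented once and changed in one place. Bounding the count is the right choice, since an optional payload with no maximum would let a peer pad every exchange with arbitrarily many entries that the parser has to walk; a one-line comment next to the constant stating that it exists to cap per-message parsing work would make that intent survive future edits. The encrypted flag differs between the IKE_SA_INIT tables (`FALSE`) and the later exchanges (`TRUE`), which matches the neighbouring rows in each table, so that part looks consistent.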


@ -25,6 +25,7 @@
#include "id_payload.h"
#include <daemon.h>
#include <encoding/payloads/encodings.h>
typedef struct private_id_payload_t private_id_payload_t;
@ -127,6 +128,7 @@ static status_t verify(private_id_payload_t *this)
((this->id_type >= 12) && (this->id_type <= 200)))
{
/* reserved IDs */
DBG1(DBG_ENC, "received ID with reserved type %d", this->id_type);
return FAILED;
}


@ -108,6 +108,27 @@ static status_t build_payloads(private_ike_auth_t *this, message_t *message)
me = this->ike_sa->get_my_id(this->ike_sa);
other = this->ike_sa->get_other_id(this->ike_sa);
/* create own authenticator and add auth payload */
policy = this->ike_sa->get_policy(this->ike_sa);
if (!policy)
{
SIG(IKE_UP_FAILED, "no acceptable policy found");
return FAILED;
}
method = policy->get_auth_method(policy);
if (me->contains_wildcards(me))
{
me = policy->get_my_id(policy);
if (me->contains_wildcards(me))
{
SIG(IKE_UP_FAILED, "negotiation of own ID failed");
return FAILED;
}
this->ike_sa->set_my_id(this->ike_sa, me);
}
id_payload = id_payload_create_from_identification(this->initiator, me);
message->add_payload(message, (payload_t*)id_payload);
@ -118,12 +139,6 @@ static status_t build_payloads(private_ike_auth_t *this, message_t *message)
message->add_payload(message, (payload_t*)id_payload);
}
/* create own authenticator and add auth payload */
policy = this->ike_sa->get_policy(this->ike_sa);
if (policy)
{
method = policy->get_auth_method(policy);
}
auth = authenticator_create(this->ike_sa, method);
if (auth == NULL)
{
@ -198,40 +213,14 @@ static void process_payloads(private_ike_auth_t *this, message_t *message)
if (this->initiator)
{
identification_t *other_id = this->ike_sa->get_other_id(this->ike_sa);
if (!idr->matches(idr, other_id, NULL))
{
SIG(IKE_UP_FAILED, "received inacceptable id %D, %D required", idr,
this->ike_sa->get_other_id(this->ike_sa));
DESTROY_IF(idi); DESTROY_IF(idr);
return;
}
this->ike_sa->set_other_id(this->ike_sa, idr);
}
else
{
identification_t *my_id = this->ike_sa->get_other_id(this->ike_sa);
if (idr)
{
if (!idr->matches(idr, my_id, NULL))
{
SIG(IKE_UP_FAILED, "received inacceptable id %D, %D required",
idr, this->ike_sa->get_other_id(this->ike_sa));
DESTROY_IF(idi); DESTROY_IF(idr);
return;
}
this->ike_sa->set_my_id(this->ike_sa, idr);
}
else
{
if (my_id->contains_wildcards(my_id))
{
SIG(IKE_UP_FAILED, "own ID (%D) not defined after exchange",
my_id);
DESTROY_IF(idi);
return;
}
}
this->ike_sa->set_other_id(this->ike_sa, idi);
}
@ -351,13 +340,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
return collect_my_init_data(this, message);
}
if (!this->peer_authenticated)
{
message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
return FAILED;
}
if (build_payloads(this, message) == SUCCESS)
if (this->peer_authenticated && build_payloads(this, message) == SUCCESS)
{
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
SIG(IKE_UP_SUCCESS, "IKE_SA established between %D[%H]...[%H]%D",
@ -367,6 +350,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
this->ike_sa->get_other_id(this->ike_sa));
return SUCCESS;
}
message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
return FAILED;
}
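Review bot: In build_payloads, `me = policy->get_my_id(policy)` followed by `this->ike_sa->set_my_id(this->ike_sa, me)` hands the policy's own identification object to the IKE_SA; the removed responder path passed a freshly parsed `idr` to `set_my_id`, which suggests the setter takes ownership, and if so the same object is now owned by both the policy and the IKE_SA and will be freed twice. If that is the contract, the call should be `this->ike_sa->set_my_id(this->ike_sa, me->clone(me));`, otherwise a comment on the line stating that `set_my_id` only borrows would settle it for the next reader. In build_r, folding the `peer_authenticated` check into `if (this->peer_authenticated && build_payloads(this, message) == SUCCESS)` means a local failure inside build_payloads (no policy, unresolved own ID, authenticator creation) now also answers the peer with AUTHENTICATION_FAILED; that is a reasonable uniform error, but build_payloads has already added the ID payload to `message` before those later failure points, so confirm the caller discards the half-built message rather than sending IDr together with the notify. build_payloads and process_payloads both continue outside the hunks shown.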


@ -830,7 +830,7 @@ static char *get_interface_name(private_kernel_interface_t *this, host_t* ip)
}
else
{
DBG1(DBG_IKE, "%H is not a local address", ip);
DBG2(DBG_IKE, "%H is not a local address", ip);
}
return name;
}