fixed ID selection bug when peer doesn't include IDr payload
allowing vendor ID in any message
This commit is contained in:
parent
03ffdf7526
commit
5bf1be3c9f
|
@ -125,6 +125,7 @@ static payload_rule_t ike_sa_init_i_payload_rules[] = {
|
|||
{SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
|
||||
{KEY_EXCHANGE,1,1,FALSE,FALSE},
|
||||
{NONCE,1,1,FALSE,FALSE},
|
||||
{VENDOR_ID,0,10,FALSE,FALSE},
|
||||
};
|
||||
|
||||
/**
|
||||
|
@ -135,6 +136,7 @@ static payload_rule_t ike_sa_init_r_payload_rules[] = {
|
|||
{SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
|
||||
{KEY_EXCHANGE,1,1,FALSE,FALSE},
|
||||
{NONCE,1,1,FALSE,FALSE},
|
||||
{VENDOR_ID,0,10,FALSE,FALSE},
|
||||
};
|
||||
|
||||
/**
|
||||
|
@ -152,6 +154,7 @@ static payload_rule_t ike_auth_i_payload_rules[] = {
|
|||
{TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE,FALSE},
|
||||
{TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE,FALSE},
|
||||
{CONFIGURATION,0,1,TRUE,FALSE},
|
||||
{VENDOR_ID,0,10,TRUE,FALSE},
|
||||
};
|
||||
|
||||
/**
|
||||
|
@ -167,6 +170,7 @@ static payload_rule_t ike_auth_r_payload_rules[] = {
|
|||
{TRAFFIC_SELECTOR_INITIATOR,0,1,TRUE,FALSE},
|
||||
{TRAFFIC_SELECTOR_RESPONDER,0,1,TRUE,FALSE},
|
||||
{CONFIGURATION,0,1,TRUE,FALSE},
|
||||
{VENDOR_ID,0,10,TRUE,FALSE},
|
||||
};
|
||||
|
||||
|
||||
|
@ -177,6 +181,7 @@ static payload_rule_t informational_i_payload_rules[] = {
|
|||
{NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
|
||||
{CONFIGURATION,0,1,TRUE,FALSE},
|
||||
{DELETE,0,1,TRUE,FALSE},
|
||||
{VENDOR_ID,0,10,TRUE,FALSE},
|
||||
|
||||
};
|
||||
|
||||
|
@ -187,6 +192,7 @@ static payload_rule_t informational_r_payload_rules[] = {
|
|||
{NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
|
||||
{CONFIGURATION,0,1,TRUE,FALSE},
|
||||
{DELETE,0,1,TRUE,FALSE},
|
||||
{VENDOR_ID,0,10,TRUE,FALSE},
|
||||
};
|
||||
|
||||
/**
|
||||
|
@ -200,6 +206,7 @@ static payload_rule_t create_child_sa_i_payload_rules[] = {
|
|||
{TRAFFIC_SELECTOR_INITIATOR,0,1,TRUE,FALSE},
|
||||
{TRAFFIC_SELECTOR_RESPONDER,0,1,TRUE,FALSE},
|
||||
{CONFIGURATION,0,1,TRUE,FALSE},
|
||||
{VENDOR_ID,0,10,TRUE,FALSE},
|
||||
};
|
||||
|
||||
/**
|
||||
|
@ -213,6 +220,7 @@ static payload_rule_t create_child_sa_r_payload_rules[] = {
|
|||
{TRAFFIC_SELECTOR_INITIATOR,0,1,TRUE,FALSE},
|
||||
{TRAFFIC_SELECTOR_RESPONDER,0,1,TRUE,FALSE},
|
||||
{CONFIGURATION,0,1,TRUE,FALSE},
|
||||
{VENDOR_ID,0,10,TRUE,FALSE},
|
||||
};
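Review bot: The new VENDOR_ID rules hard-code the upper bound 10 in all eight tables, while the NOTIFY rule in the same tables uses the named MAX_NOTIFY_PAYLOADS; a named constant keeps the eight copies in step and documents that this bound is what caps how many vendor payloads an unauthenticated IKE_SA_INIT can make the parser accept. Suggest `#define MAX_VID_PAYLOADS 10` next to MAX_NOTIFY_PAYLOADS and `{VENDOR_ID,0,MAX_VID_PAYLOADS,FALSE,FALSE},` (TRUE for the encrypted exchanges). The encrypted flag is FALSE only in the two IKE_SA_INIT tables and TRUE everywhere else, which matches the exchanges; the stray blank line added inside informational_i_payload_rules should be dropped. Each rule table starts before its hunk, so the ID/AUTH entries preceding these lines are not visible here.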
|
||||
|
||||
|
||||
|
|
|
@ -25,6 +25,7 @@
|
|||
|
||||
#include "id_payload.h"
|
||||
|
||||
#include <daemon.h>
|
||||
#include <encoding/payloads/encodings.h>
|
||||
|
||||
typedef struct private_id_payload_t private_id_payload_t;
|
||||
|
@ -127,6 +128,7 @@ static status_t verify(private_id_payload_t *this)
|
|||
((this->id_type >= 12) && (this->id_type <= 200)))
|
||||
{
|
||||
/* reserved IDs */
|
||||
DBG1(DBG_ENC, "received ID with reserved type %d", this->id_type);
|
||||
return FAILED;
|
||||
}
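Review bot: The line `((this->id_type >= 12) && (this->id_type <= 200))` is only the second half of the condition and the first half lies outside the hunk, so it is not visible here whether the other IANA-reserved values (4 and 6-8) are rejected as well; types 201-255 evidently pass verify(), so every consumer of id_type must tolerate an unknown private-use type. A comment naming where the ranges come from would help the next reader: `/* RFC 4306 section 3.5: 12-200 reserved to IANA, 201-255 private use */`. verify() begins before this hunk.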
|
||||
|
||||
|
|
|
@ -108,6 +108,27 @@ static status_t build_payloads(private_ike_auth_t *this, message_t *message)
|
|||
me = this->ike_sa->get_my_id(this->ike_sa);
|
||||
other = this->ike_sa->get_other_id(this->ike_sa);
|
||||
|
||||
|
||||
/* create own authenticator and add auth payload */
|
||||
policy = this->ike_sa->get_policy(this->ike_sa);
|
||||
if (!policy)
|
||||
{
|
||||
SIG(IKE_UP_FAILED, "no acceptable policy found");
|
||||
return FAILED;
|
||||
}
|
||||
|
||||
method = policy->get_auth_method(policy);
|
||||
if (me->contains_wildcards(me))
|
||||
{
|
||||
me = policy->get_my_id(policy);
|
||||
if (me->contains_wildcards(me))
|
||||
{
|
||||
SIG(IKE_UP_FAILED, "negotiation of own ID failed");
|
||||
return FAILED;
|
||||
}
|
||||
this->ike_sa->set_my_id(this->ike_sa, me);
|
||||
}
|
||||
|
||||
id_payload = id_payload_create_from_identification(this->initiator, me);
|
||||
message->add_payload(message, (payload_t*)id_payload);
|
||||
|
||||
|
@ -118,12 +139,6 @@ static status_t build_payloads(private_ike_auth_t *this, message_t *message)
|
|||
message->add_payload(message, (payload_t*)id_payload);
|
||||
}
|
||||
|
||||
/* create own authenticator and add auth payload */
|
||||
policy = this->ike_sa->get_policy(this->ike_sa);
|
||||
if (policy)
|
||||
{
|
||||
method = policy->get_auth_method(policy);
|
||||
}
|
||||
auth = authenticator_create(this->ike_sa, method);
|
||||
if (auth == NULL)
|
||||
{
|
||||
|
@ -198,40 +213,14 @@ static void process_payloads(private_ike_auth_t *this, message_t *message)
|
|||
|
||||
if (this->initiator)
|
||||
{
|
||||
identification_t *other_id = this->ike_sa->get_other_id(this->ike_sa);
|
||||
if (!idr->matches(idr, other_id, NULL))
|
||||
{
|
||||
SIG(IKE_UP_FAILED, "received inacceptable id %D, %D required", idr,
|
||||
this->ike_sa->get_other_id(this->ike_sa));
|
||||
DESTROY_IF(idi); DESTROY_IF(idr);
|
||||
return;
|
||||
}
|
||||
this->ike_sa->set_other_id(this->ike_sa, idr);
|
||||
}
|
||||
else
|
||||
{
|
||||
identification_t *my_id = this->ike_sa->get_other_id(this->ike_sa);
|
||||
if (idr)
|
||||
{
|
||||
if (!idr->matches(idr, my_id, NULL))
|
||||
{
|
||||
SIG(IKE_UP_FAILED, "received inacceptable id %D, %D required",
|
||||
idr, this->ike_sa->get_other_id(this->ike_sa));
|
||||
DESTROY_IF(idi); DESTROY_IF(idr);
|
||||
return;
|
||||
}
|
||||
this->ike_sa->set_my_id(this->ike_sa, idr);
|
||||
}
|
||||
else
|
||||
{
|
||||
if (my_id->contains_wildcards(my_id))
|
||||
{
|
||||
SIG(IKE_UP_FAILED, "own ID (%D) not defined after exchange",
|
||||
my_id);
|
||||
DESTROY_IF(idi);
|
||||
return;
|
||||
}
|
||||
}
|
||||
this->ike_sa->set_other_id(this->ike_sa, idi);
|
||||
}
|
||||
|
||||
|
@ -351,13 +340,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
|
|||
return collect_my_init_data(this, message);
|
||||
}
|
||||
|
||||
if (!this->peer_authenticated)
|
||||
{
|
||||
message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
|
||||
return FAILED;
|
||||
}
|
||||
|
||||
if (build_payloads(this, message) == SUCCESS)
|
||||
if (this->peer_authenticated && build_payloads(this, message) == SUCCESS)
|
||||
{
|
||||
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
|
||||
SIG(IKE_UP_SUCCESS, "IKE_SA established between %D[%H]...[%H]%D",
|
||||
|
@ -367,6 +350,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
|
|||
this->ike_sa->get_other_id(this->ike_sa));
|
||||
return SUCCESS;
|
||||
}
|
||||
message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
|
||||
return FAILED;
|
||||
}
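Review bot: In build_payloads, `this->ike_sa->set_my_id(this->ike_sa, me);` stores the pointer returned by `policy->get_my_id(policy)` directly in the IKE_SA. Elsewhere in this file set_my_id/set_other_id receive freshly parsed identifications that the caller otherwise DESTROY_IFs, which suggests the setter takes ownership; if so the policy and the IKE_SA now share one object and it is freed twice, or used after free, when either is destroyed, so a copy should be passed: `this->ike_sa->set_my_id(this->ike_sa, me->clone(me));` — the ownership contract of set_my_id is not visible here, so please confirm. Separately, the initiator branch of process_payloads calls `idr->matches(idr, ...)` without a NULL check, which is safe only if the IKE_AUTH response payload rules require exactly one ID_RESPONDER; that rule is not among the lines this commit shows. build_payloads and process_payloads both begin before their hunks.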
|
||||
|
||||
|
|
|
@ -830,7 +830,7 @@ static char *get_interface_name(private_kernel_interface_t *this, host_t* ip)
|
|||
}
|
||||
else
|
||||
{
|
||||
DBG1(DBG_IKE, "%H is not a local address", ip);
|
||||
DBG2(DBG_IKE, "%H is not a local address", ip);
|
||||
}
|
||||
return name;
|
||||
}
|
||||
|
|