ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity

fixed different bugs when checking out ike sa and retransmitting 

requests
This commit is contained in:
Jan Hutter 2005-12-02 15:40:04 +00:00
parent a0fb67f500
commit 94b0f906e6
10 changed files with 88 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
Source/charon/config/configuration_manager.c
View File

@ -166,7 +166,7 @@ static void load_default_config (private_configuration_manager_t *this)
sa_config_t *sa_config1, *sa_config2, *sa_config3;
traffic_selector_t *ts;
init_config1 = init_config_create("152.96.193.131","152.96.193.131",IKEV2_UDP_PORT,IKEV2_UDP_PORT);
init_config1 = init_config_create("152.96.193.130","152.96.193.131",IKEV2_UDP_PORT,IKEV2_UDP_PORT);
init_config2 = init_config_create("152.96.193.131","152.96.193.130",IKEV2_UDP_PORT,IKEV2_UDP_PORT);
init_config3 = init_config_create("0.0.0.0","127.0.0.1",IKEV2_UDP_PORT,IKEV2_UDP_PORT);
ts = traffic_selector_create_from_string(1, TS_IPV4_ADDR_RANGE, "0.0.0.0", 0, "255.255.255.255", 65535);
@ -193,15 +193,15 @@ static void load_default_config (private_configuration_manager_t *this)
init_config3->add_proposal(init_config3,1,proposals[0]);
init_config3->add_proposal(init_config3,1,proposals[1]);
sa_config1 = sa_config_create(ID_IPV4_ADDR, "152.96.193.131",
ID_IPV4_ADDR, "152.96.193.130",
sa_config1 = sa_config_create(ID_IPV4_ADDR, "152.96.193.130",
ID_IPV4_ADDR, "152.96.193.131",
SHARED_KEY_MESSAGE_INTEGRITY_CODE);
sa_config1->add_traffic_selector_initiator(sa_config1,ts);
sa_config1->add_traffic_selector_responder(sa_config1,ts);
sa_config2 = sa_config_create(ID_IPV4_ADDR, "152.96.193.130",
ID_IPV4_ADDR, "152.96.193.131",
sa_config2 = sa_config_create(ID_IPV4_ADDR, "152.96.193.131",
ID_IPV4_ADDR, "152.96.193.130",
SHARED_KEY_MESSAGE_INTEGRITY_CODE);
sa_config2->add_traffic_selector_initiator(sa_config2,ts);
@ -238,8 +238,8 @@ static void load_default_config (private_configuration_manager_t *this)
sa_config2->add_proposal(sa_config2, &child_proposals[0]);
sa_config3->add_proposal(sa_config3, &child_proposals[0]);
this->add_new_configuration(this,"pinflb31",init_config1,sa_config2);
this->add_new_configuration(this,"pinflb30",init_config2,sa_config1);
this->add_new_configuration(this,"pinflb31",init_config1,sa_config1);
this->add_new_configuration(this,"pinflb30",init_config2,sa_config2);
this->add_new_configuration(this,"localhost",init_config3,sa_config3);
}

2
Source/charon/daemon.c
View File

@ -159,7 +159,7 @@ static void build_test_jobs(private_daemon_t *this)
for(i = 0; i<1; i++)
{
initiate_ike_sa_job_t *initiate_job;
initiate_job = initiate_ike_sa_job_create("localhost");
initiate_job = initiate_ike_sa_job_create("pinflb30");
this->public.job_queue->add(this->public.job_queue, (job_t*)initiate_job);
}
}

2
Source/charon/daemon.h
View File

@ -54,7 +54,7 @@
* Port on which the daemon will
* listen for incoming traffic.
*/
#define IKEV2_UDP_PORT 4500
#define IKEV2_UDP_PORT 500
/**
* First retransmit timeout in milliseconds.

1
Source/charon/encoding/message.c
View File

@ -145,6 +145,7 @@ static supported_payload_entry_t supported_ike_auth_i_payloads[] =
*/
static supported_payload_entry_t supported_ike_auth_r_payloads[] =
{
{NOTIFY,0,1,TRUE,TRUE},
{CERTIFICATE,0,1,TRUE,FALSE},
{ID_RESPONDER,0,1,TRUE,FALSE},
{AUTHENTICATION,1,1,TRUE,FALSE},

18
Source/charon/sa/ike_sa.c
View File

@ -210,7 +210,7 @@ struct private_ike_sa_t {
/**
* Last message id which was successfully replied.
*/
u_int32_t last_replied_message_id;
int32_t last_replied_message_id;
/**
* a logger for this IKE_SA
@ -431,8 +431,8 @@ static status_t resend_last_reply(private_ike_sa_t *this)
status_t retransmit_request (private_ike_sa_t *this, u_int32_t message_id)
{
packet_t *packet;
if ((this->message_id_out -1) != message_id)
if (this->last_requested_message == NULL)
{
return NOT_FOUND;
}
@ -441,12 +441,13 @@ status_t retransmit_request (private_ike_sa_t *this, u_int32_t message_id)
{
return NOT_FOUND;
}
if (this->last_requested_message == NULL)
if ((this->last_requested_message->get_message_id(this->last_requested_message)) != message_id)
{
return NOT_FOUND;
}
this->logger->log(this->logger, CONTROL | MORE, "Going to retransmit message with id %d",message_id);
packet = this->last_requested_message->get_packet(this->last_requested_message);
charon->send_queue->add(charon->send_queue, packet);
@ -713,7 +714,7 @@ static status_t send_request (private_ike_sa_t *this,message_t * message)
}
/* message counter can now be increased */
this->logger->log(this->logger, CONTROL|MOST, "Increase message counter for outgoing messages");
this->logger->log(this->logger, CONTROL|MOST, "Increase message counter for outgoing messages from %d",this->message_id_out);
this->message_id_out++;
return SUCCESS;
}
@ -796,7 +797,10 @@ static void reset_message_buffers (private_ike_sa_t *this)
*/
static void destroy (private_ike_sa_t *this)
{
this->logger->log(this->logger, CONTROL | MORE, "Going to destroy IKE_SA");
this->logger->log(this->logger, CONTROL|MOST, "Going to destroy IKE SA %llu:%llu, role %s",
this->ike_sa_id->get_initiator_spi(this->ike_sa_id),
this->ike_sa_id->get_responder_spi(this->ike_sa_id),
this->ike_sa_id->is_initiator(this->ike_sa_id) ? "initiator" : "responder");
/* destroy child sa's */
this->logger->log(this->logger, CONTROL | MOST, "Destroy all child_sa's");

23
Source/charon/sa/ike_sa_manager.c
View File

@ -219,7 +219,8 @@ static status_t get_entry_by_id(private_ike_sa_manager_t *this, ike_sa_id_t *ike
ike_sa_entry_t *current;
iterator->current(iterator, (void**)&current);
if (current->ike_sa_id->get_responder_spi(current->ike_sa_id) == 0) {
if (current->ike_sa_id->get_responder_spi(current->ike_sa_id) == 0)
{
/* seems to be a half ready ike_sa */
if ((current->ike_sa_id->get_initiator_spi(current->ike_sa_id) == ike_sa_id->get_initiator_spi(ike_sa_id))
&& (ike_sa_id->is_initiator(ike_sa_id) == current->ike_sa_id->is_initiator(current->ike_sa_id)))
@ -230,7 +231,18 @@ static status_t get_entry_by_id(private_ike_sa_manager_t *this, ike_sa_id_t *ike
break;
}
}
if (current->ike_sa_id->equals(current->ike_sa_id, ike_sa_id))
else if (ike_sa_id->get_responder_spi(ike_sa_id) == 0)
{
if ((current->ike_sa_id->get_initiator_spi(current->ike_sa_id) == ike_sa_id->get_initiator_spi(ike_sa_id))
&& (ike_sa_id->is_initiator(ike_sa_id) == current->ike_sa_id->is_initiator(current->ike_sa_id)))
{
this->logger->log(this->logger,CONTROL | MOST,"Found entry by initiator spi %d",ike_sa_id->get_initiator_spi(ike_sa_id));
*entry = current;
status = SUCCESS;
break;
}
}
if (current->ike_sa_id->equals(current->ike_sa_id, ike_sa_id))
{
this->logger->log(this->logger,CONTROL | MOST,"Found entry by full ID");
*entry = current;
@ -357,6 +369,7 @@ static status_t checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id,
{
bool responder_spi_set;
bool initiator_spi_set;
bool original_initiator;
status_t retval;
/* each access is locked */
@ -364,8 +377,10 @@ static status_t checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id,
responder_spi_set = (FALSE != ike_sa_id->get_responder_spi(ike_sa_id));
initiator_spi_set = (FALSE != ike_sa_id->get_initiator_spi(ike_sa_id));
original_initiator = ike_sa_id->is_initiator(ike_sa_id);
if (initiator_spi_set && responder_spi_set)
if ((initiator_spi_set && responder_spi_set) ||
((initiator_spi_set && !responder_spi_set) && (original_initiator)))
{
/* we SHOULD have an IKE_SA for these SPIs in the list,
* if not, we can't handle the request...
@ -422,7 +437,7 @@ static status_t checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id,
retval = NOT_FOUND;
}
}
else if (initiator_spi_set && !responder_spi_set)
else if ((initiator_spi_set && !responder_spi_set) && (!original_initiator))
{
/* an IKE_SA_INIT from an another endpoint,
* he is the initiator.

50
Source/charon/sa/states/ike_auth_requested.c
View File

@ -28,6 +28,7 @@
#include <encoding/payloads/sa_payload.h>
#include <encoding/payloads/id_payload.h>
#include <encoding/payloads/auth_payload.h>
#include <encoding/payloads/notify_payload.h>
#include <transforms/signers/signer.h>
#include <transforms/crypters/crypter.h>
#include <sa/states/ike_sa_established.h>
@ -87,7 +88,7 @@ struct private_ike_auth_requested_t {
/**
* Implements state_t.process_message
*/
static status_t process_message(private_ike_auth_requested_t *this, message_t *request)
static status_t process_message(private_ike_auth_requested_t *this, message_t *ike_auth_reply)
{
status_t status;
signer_t *signer;
@ -99,7 +100,7 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *r
sa_payload_t *sa_payload;
ts_payload_t *tsi_payload, *tsr_payload;
exchange_type = request->get_exchange_type(request);
exchange_type = ike_auth_reply->get_exchange_type(ike_auth_reply);
if (exchange_type != IKE_AUTH)
{
this->logger->log(this->logger, ERROR | MORE, "Message of type %s not supported in state ike_auth_requested",
@ -107,7 +108,7 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *r
return FAILED;
}
if (request->get_request(request))
if (ike_auth_reply->get_request(ike_auth_reply))
{
this->logger->log(this->logger, ERROR | MORE, "Only responses of type IKE_AUTH supported in state ike_auth_requested");
return FAILED;
@ -118,7 +119,7 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *r
crypter = this->ike_sa->get_crypter_responder(this->ike_sa);
/* parse incoming message */
status = request->parse_body(request, crypter, signer);
status = ike_auth_reply->parse_body(ike_auth_reply, crypter, signer);
if (status != SUCCESS)
{
this->logger->log(this->logger, ERROR | MORE, "Could not parse body of request message");
@ -128,7 +129,7 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *r
this->sa_config = this->ike_sa->get_sa_config(this->ike_sa);
/* iterate over incoming payloads. Message is verified, we can be sure there are the required payloads */
payloads = request->get_payload_iterator(request);
payloads = ike_auth_reply->get_payload_iterator(ike_auth_reply);
while (payloads->has_next(payloads))
{
payload_t *payload;
@ -166,10 +167,43 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *r
tsr_payload = (ts_payload_t*)payload;
break;
}
case NOTIFY:
{
notify_payload_t *notify_payload = (notify_payload_t *) payload;
this->logger->log(this->logger, CONTROL|MORE, "Process notify type %s for protocol %s",
mapping_find(notify_message_type_m, notify_payload->get_notify_message_type(notify_payload)),
mapping_find(protocol_id_m, notify_payload->get_protocol_id(notify_payload)));
if (notify_payload->get_protocol_id(notify_payload) != IKE)
{
this->logger->log(this->logger, ERROR | MORE, "Notify reply not for IKE protocol.");
payloads->destroy(payloads);
return FAILED;
}
switch (notify_payload->get_notify_message_type(notify_payload))
{
default:
{
/*
* If an unrecognized Notify type is received, the IKE_SA gets destroyed.
*
*/
this->logger->log(this->logger, ERROR, "Notify type %s not recognized in state ike_auth_requested.",
mapping_find(notify_message_type_m,notify_payload->get_notify_message_type(notify_payload)));
payloads->destroy(payloads);
return DELETE_ME;
}
}
}
default:
{
/* can't happen, since message is verified, notify's? */
break;
this->logger->log(this->logger, ERROR, "Payload type %s not supported in state ike_auth_requested!", mapping_find(payload_type_m, payload->get_type(payload)));
payloads->destroy(payloads);
return FAILED;
}
}
}
@ -208,7 +242,7 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *r
return status;
}
this->ike_sa->set_last_replied_message_id(this->ike_sa,request->get_message_id(request));
this->ike_sa->set_last_replied_message_id(this->ike_sa,ike_auth_reply->get_message_id(ike_auth_reply));
this->logger->log(this->logger, CONTROL | MORE, "IKE_AUTH response successfully handled. IKE_SA established.");
/* create new state */

3
Source/charon/sa/states/ike_sa_init_requested.c
View File

@ -391,7 +391,8 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
request->destroy(request);
return DELETE_ME;
}
this->ike_sa->set_last_replied_message_id(this->ike_sa,request->get_message_id(request));
this->ike_sa->set_last_replied_message_id(this->ike_sa,ike_sa_init_reply->get_message_id(ike_sa_init_reply));
/* state can now be changed */
this->logger->log(this->logger, CONTROL|MOST, "Create next state object");

5
Source/charon/sa/states/ike_sa_init_responded.c
View File

@ -162,8 +162,9 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
}
default:
{
/* can't happen, since message is verified, notify's? */
break;
this->logger->log(this->logger, ERROR, "Payload type %s not supported in state ike_auth_requested!", mapping_find(payload_type_m, payload->get_type(payload)));
payloads->destroy(payloads);
return FAILED;
}
}
}

1
Source/charon/threads/thread_pool.c
View File

@ -342,6 +342,7 @@ static void process_retransmit_request_job(private_thread_pool_t *this, retransm
status = charon->ike_sa_manager->checkout(charon->ike_sa_manager,ike_sa_id, &ike_sa);
if (status != SUCCESS)
{
job->destroy(job);
this->worker_logger->log(this->worker_logger, ERROR, "IKE SA could not be checked out. Allready deleted?");
return;
}