fixed different bugs when checking out ike sa and retransmitting
requests
This commit is contained in:
parent
a0fb67f500
commit
94b0f906e6
|
@ -166,7 +166,7 @@ static void load_default_config (private_configuration_manager_t *this)
|
|||
sa_config_t *sa_config1, *sa_config2, *sa_config3;
|
||||
traffic_selector_t *ts;
|
||||
|
||||
init_config1 = init_config_create("152.96.193.131","152.96.193.131",IKEV2_UDP_PORT,IKEV2_UDP_PORT);
|
||||
init_config1 = init_config_create("152.96.193.130","152.96.193.131",IKEV2_UDP_PORT,IKEV2_UDP_PORT);
|
||||
init_config2 = init_config_create("152.96.193.131","152.96.193.130",IKEV2_UDP_PORT,IKEV2_UDP_PORT);
|
||||
init_config3 = init_config_create("0.0.0.0","127.0.0.1",IKEV2_UDP_PORT,IKEV2_UDP_PORT);
|
||||
ts = traffic_selector_create_from_string(1, TS_IPV4_ADDR_RANGE, "0.0.0.0", 0, "255.255.255.255", 65535);
|
||||
|
@ -193,15 +193,15 @@ static void load_default_config (private_configuration_manager_t *this)
|
|||
init_config3->add_proposal(init_config3,1,proposals[0]);
|
||||
init_config3->add_proposal(init_config3,1,proposals[1]);
|
||||
|
||||
sa_config1 = sa_config_create(ID_IPV4_ADDR, "152.96.193.131",
|
||||
ID_IPV4_ADDR, "152.96.193.130",
|
||||
sa_config1 = sa_config_create(ID_IPV4_ADDR, "152.96.193.130",
|
||||
ID_IPV4_ADDR, "152.96.193.131",
|
||||
SHARED_KEY_MESSAGE_INTEGRITY_CODE);
|
||||
|
||||
sa_config1->add_traffic_selector_initiator(sa_config1,ts);
|
||||
sa_config1->add_traffic_selector_responder(sa_config1,ts);
|
||||
|
||||
sa_config2 = sa_config_create(ID_IPV4_ADDR, "152.96.193.130",
|
||||
ID_IPV4_ADDR, "152.96.193.131",
|
||||
sa_config2 = sa_config_create(ID_IPV4_ADDR, "152.96.193.131",
|
||||
ID_IPV4_ADDR, "152.96.193.130",
|
||||
SHARED_KEY_MESSAGE_INTEGRITY_CODE);
|
||||
|
||||
sa_config2->add_traffic_selector_initiator(sa_config2,ts);
|
||||
|
@ -238,8 +238,8 @@ static void load_default_config (private_configuration_manager_t *this)
|
|||
sa_config2->add_proposal(sa_config2, &child_proposals[0]);
|
||||
sa_config3->add_proposal(sa_config3, &child_proposals[0]);
|
||||
|
||||
this->add_new_configuration(this,"pinflb31",init_config1,sa_config2);
|
||||
this->add_new_configuration(this,"pinflb30",init_config2,sa_config1);
|
||||
this->add_new_configuration(this,"pinflb31",init_config1,sa_config1);
|
||||
this->add_new_configuration(this,"pinflb30",init_config2,sa_config2);
|
||||
this->add_new_configuration(this,"localhost",init_config3,sa_config3);
|
||||
|
||||
}
|
||||
|
|
|
@ -159,7 +159,7 @@ static void build_test_jobs(private_daemon_t *this)
|
|||
for(i = 0; i<1; i++)
|
||||
{
|
||||
initiate_ike_sa_job_t *initiate_job;
|
||||
initiate_job = initiate_ike_sa_job_create("localhost");
|
||||
initiate_job = initiate_ike_sa_job_create("pinflb30");
|
||||
this->public.job_queue->add(this->public.job_queue, (job_t*)initiate_job);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -54,7 +54,7 @@
|
|||
* Port on which the daemon will
|
||||
* listen for incoming traffic.
|
||||
*/
|
||||
#define IKEV2_UDP_PORT 4500
|
||||
#define IKEV2_UDP_PORT 500
|
||||
|
||||
/**
|
||||
* First retransmit timeout in milliseconds.
|
||||
|
|
|
@ -145,6 +145,7 @@ static supported_payload_entry_t supported_ike_auth_i_payloads[] =
|
|||
*/
|
||||
static supported_payload_entry_t supported_ike_auth_r_payloads[] =
|
||||
{
|
||||
{NOTIFY,0,1,TRUE,TRUE},
|
||||
{CERTIFICATE,0,1,TRUE,FALSE},
|
||||
{ID_RESPONDER,0,1,TRUE,FALSE},
|
||||
{AUTHENTICATION,1,1,TRUE,FALSE},
|
||||
|
|
|
@ -210,7 +210,7 @@ struct private_ike_sa_t {
|
|||
/**
|
||||
* Last message id which was successfully replied.
|
||||
*/
|
||||
u_int32_t last_replied_message_id;
|
||||
int32_t last_replied_message_id;
|
||||
|
||||
/**
|
||||
* a logger for this IKE_SA
|
||||
|
@ -431,8 +431,8 @@ static status_t resend_last_reply(private_ike_sa_t *this)
|
|||
status_t retransmit_request (private_ike_sa_t *this, u_int32_t message_id)
|
||||
{
|
||||
packet_t *packet;
|
||||
|
||||
if ((this->message_id_out -1) != message_id)
|
||||
|
||||
if (this->last_requested_message == NULL)
|
||||
{
|
||||
return NOT_FOUND;
|
||||
}
|
||||
|
@ -441,12 +441,13 @@ status_t retransmit_request (private_ike_sa_t *this, u_int32_t message_id)
|
|||
{
|
||||
return NOT_FOUND;
|
||||
}
|
||||
|
||||
if (this->last_requested_message == NULL)
|
||||
|
||||
if ((this->last_requested_message->get_message_id(this->last_requested_message)) != message_id)
|
||||
{
|
||||
return NOT_FOUND;
|
||||
}
|
||||
|
||||
this->logger->log(this->logger, CONTROL | MORE, "Going to retransmit message with id %d",message_id);
|
||||
packet = this->last_requested_message->get_packet(this->last_requested_message);
|
||||
charon->send_queue->add(charon->send_queue, packet);
|
||||
|
||||
|
@ -713,7 +714,7 @@ static status_t send_request (private_ike_sa_t *this,message_t * message)
|
|||
}
|
||||
|
||||
/* message counter can now be increased */
|
||||
this->logger->log(this->logger, CONTROL|MOST, "Increase message counter for outgoing messages");
|
||||
this->logger->log(this->logger, CONTROL|MOST, "Increase message counter for outgoing messages from %d",this->message_id_out);
|
||||
this->message_id_out++;
|
||||
return SUCCESS;
|
||||
}
|
||||
|
@ -796,7 +797,10 @@ static void reset_message_buffers (private_ike_sa_t *this)
|
|||
*/
|
||||
static void destroy (private_ike_sa_t *this)
|
||||
{
|
||||
this->logger->log(this->logger, CONTROL | MORE, "Going to destroy IKE_SA");
|
||||
this->logger->log(this->logger, CONTROL|MOST, "Going to destroy IKE SA %llu:%llu, role %s",
|
||||
this->ike_sa_id->get_initiator_spi(this->ike_sa_id),
|
||||
this->ike_sa_id->get_responder_spi(this->ike_sa_id),
|
||||
this->ike_sa_id->is_initiator(this->ike_sa_id) ? "initiator" : "responder");
|
||||
|
||||
/* destroy child sa's */
|
||||
this->logger->log(this->logger, CONTROL | MOST, "Destroy all child_sa's");
|
||||
|
|
|
@ -219,7 +219,8 @@ static status_t get_entry_by_id(private_ike_sa_manager_t *this, ike_sa_id_t *ike
|
|||
ike_sa_entry_t *current;
|
||||
|
||||
iterator->current(iterator, (void**)¤t);
|
||||
if (current->ike_sa_id->get_responder_spi(current->ike_sa_id) == 0) {
|
||||
if (current->ike_sa_id->get_responder_spi(current->ike_sa_id) == 0)
|
||||
{
|
||||
/* seems to be a half ready ike_sa */
|
||||
if ((current->ike_sa_id->get_initiator_spi(current->ike_sa_id) == ike_sa_id->get_initiator_spi(ike_sa_id))
|
||||
&& (ike_sa_id->is_initiator(ike_sa_id) == current->ike_sa_id->is_initiator(current->ike_sa_id)))
|
||||
|
@ -230,7 +231,18 @@ static status_t get_entry_by_id(private_ike_sa_manager_t *this, ike_sa_id_t *ike
|
|||
break;
|
||||
}
|
||||
}
|
||||
if (current->ike_sa_id->equals(current->ike_sa_id, ike_sa_id))
|
||||
else if (ike_sa_id->get_responder_spi(ike_sa_id) == 0)
|
||||
{
|
||||
if ((current->ike_sa_id->get_initiator_spi(current->ike_sa_id) == ike_sa_id->get_initiator_spi(ike_sa_id))
|
||||
&& (ike_sa_id->is_initiator(ike_sa_id) == current->ike_sa_id->is_initiator(current->ike_sa_id)))
|
||||
{
|
||||
this->logger->log(this->logger,CONTROL | MOST,"Found entry by initiator spi %d",ike_sa_id->get_initiator_spi(ike_sa_id));
|
||||
*entry = current;
|
||||
status = SUCCESS;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (current->ike_sa_id->equals(current->ike_sa_id, ike_sa_id))
|
||||
{
|
||||
this->logger->log(this->logger,CONTROL | MOST,"Found entry by full ID");
|
||||
*entry = current;
|
||||
|
@ -357,6 +369,7 @@ static status_t checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id,
|
|||
{
|
||||
bool responder_spi_set;
|
||||
bool initiator_spi_set;
|
||||
bool original_initiator;
|
||||
status_t retval;
|
||||
|
||||
/* each access is locked */
|
||||
|
@ -364,8 +377,10 @@ static status_t checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id,
|
|||
|
||||
responder_spi_set = (FALSE != ike_sa_id->get_responder_spi(ike_sa_id));
|
||||
initiator_spi_set = (FALSE != ike_sa_id->get_initiator_spi(ike_sa_id));
|
||||
original_initiator = ike_sa_id->is_initiator(ike_sa_id);
|
||||
|
||||
if (initiator_spi_set && responder_spi_set)
|
||||
if ((initiator_spi_set && responder_spi_set) ||
|
||||
((initiator_spi_set && !responder_spi_set) && (original_initiator)))
|
||||
{
|
||||
/* we SHOULD have an IKE_SA for these SPIs in the list,
|
||||
* if not, we can't handle the request...
|
||||
|
@ -422,7 +437,7 @@ static status_t checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id,
|
|||
retval = NOT_FOUND;
|
||||
}
|
||||
}
|
||||
else if (initiator_spi_set && !responder_spi_set)
|
||||
else if ((initiator_spi_set && !responder_spi_set) && (!original_initiator))
|
||||
{
|
||||
/* an IKE_SA_INIT from an another endpoint,
|
||||
* he is the initiator.
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
#include <encoding/payloads/sa_payload.h>
|
||||
#include <encoding/payloads/id_payload.h>
|
||||
#include <encoding/payloads/auth_payload.h>
|
||||
#include <encoding/payloads/notify_payload.h>
|
||||
#include <transforms/signers/signer.h>
|
||||
#include <transforms/crypters/crypter.h>
|
||||
#include <sa/states/ike_sa_established.h>
|
||||
|
@ -87,7 +88,7 @@ struct private_ike_auth_requested_t {
|
|||
/**
|
||||
* Implements state_t.process_message
|
||||
*/
|
||||
static status_t process_message(private_ike_auth_requested_t *this, message_t *request)
|
||||
static status_t process_message(private_ike_auth_requested_t *this, message_t *ike_auth_reply)
|
||||
{
|
||||
status_t status;
|
||||
signer_t *signer;
|
||||
|
@ -99,7 +100,7 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *r
|
|||
sa_payload_t *sa_payload;
|
||||
ts_payload_t *tsi_payload, *tsr_payload;
|
||||
|
||||
exchange_type = request->get_exchange_type(request);
|
||||
exchange_type = ike_auth_reply->get_exchange_type(ike_auth_reply);
|
||||
if (exchange_type != IKE_AUTH)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "Message of type %s not supported in state ike_auth_requested",
|
||||
|
@ -107,7 +108,7 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *r
|
|||
return FAILED;
|
||||
}
|
||||
|
||||
if (request->get_request(request))
|
||||
if (ike_auth_reply->get_request(ike_auth_reply))
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "Only responses of type IKE_AUTH supported in state ike_auth_requested");
|
||||
return FAILED;
|
||||
|
@ -118,7 +119,7 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *r
|
|||
crypter = this->ike_sa->get_crypter_responder(this->ike_sa);
|
||||
|
||||
/* parse incoming message */
|
||||
status = request->parse_body(request, crypter, signer);
|
||||
status = ike_auth_reply->parse_body(ike_auth_reply, crypter, signer);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "Could not parse body of request message");
|
||||
|
@ -128,7 +129,7 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *r
|
|||
this->sa_config = this->ike_sa->get_sa_config(this->ike_sa);
|
||||
|
||||
/* iterate over incoming payloads. Message is verified, we can be sure there are the required payloads */
|
||||
payloads = request->get_payload_iterator(request);
|
||||
payloads = ike_auth_reply->get_payload_iterator(ike_auth_reply);
|
||||
while (payloads->has_next(payloads))
|
||||
{
|
||||
payload_t *payload;
|
||||
|
@ -166,10 +167,43 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *r
|
|||
tsr_payload = (ts_payload_t*)payload;
|
||||
break;
|
||||
}
|
||||
case NOTIFY:
|
||||
{
|
||||
notify_payload_t *notify_payload = (notify_payload_t *) payload;
|
||||
|
||||
|
||||
this->logger->log(this->logger, CONTROL|MORE, "Process notify type %s for protocol %s",
|
||||
mapping_find(notify_message_type_m, notify_payload->get_notify_message_type(notify_payload)),
|
||||
mapping_find(protocol_id_m, notify_payload->get_protocol_id(notify_payload)));
|
||||
|
||||
if (notify_payload->get_protocol_id(notify_payload) != IKE)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "Notify reply not for IKE protocol.");
|
||||
payloads->destroy(payloads);
|
||||
return FAILED;
|
||||
}
|
||||
|
||||
switch (notify_payload->get_notify_message_type(notify_payload))
|
||||
{
|
||||
default:
|
||||
{
|
||||
/*
|
||||
* If an unrecognized Notify type is received, the IKE_SA gets destroyed.
|
||||
*
|
||||
*/
|
||||
|
||||
this->logger->log(this->logger, ERROR, "Notify type %s not recognized in state ike_auth_requested.",
|
||||
mapping_find(notify_message_type_m,notify_payload->get_notify_message_type(notify_payload)));
|
||||
payloads->destroy(payloads);
|
||||
return DELETE_ME;
|
||||
}
|
||||
}
|
||||
}
|
||||
default:
|
||||
{
|
||||
/* can't happen, since message is verified, notify's? */
|
||||
break;
|
||||
this->logger->log(this->logger, ERROR, "Payload type %s not supported in state ike_auth_requested!", mapping_find(payload_type_m, payload->get_type(payload)));
|
||||
payloads->destroy(payloads);
|
||||
return FAILED;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -208,7 +242,7 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *r
|
|||
return status;
|
||||
}
|
||||
|
||||
this->ike_sa->set_last_replied_message_id(this->ike_sa,request->get_message_id(request));
|
||||
this->ike_sa->set_last_replied_message_id(this->ike_sa,ike_auth_reply->get_message_id(ike_auth_reply));
|
||||
this->logger->log(this->logger, CONTROL | MORE, "IKE_AUTH response successfully handled. IKE_SA established.");
|
||||
|
||||
/* create new state */
|
||||
|
|
|
@ -391,7 +391,8 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
|
|||
request->destroy(request);
|
||||
return DELETE_ME;
|
||||
}
|
||||
this->ike_sa->set_last_replied_message_id(this->ike_sa,request->get_message_id(request));
|
||||
|
||||
this->ike_sa->set_last_replied_message_id(this->ike_sa,ike_sa_init_reply->get_message_id(ike_sa_init_reply));
|
||||
|
||||
/* state can now be changed */
|
||||
this->logger->log(this->logger, CONTROL|MOST, "Create next state object");
|
||||
|
|
|
@ -162,8 +162,9 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
|
|||
}
|
||||
default:
|
||||
{
|
||||
/* can't happen, since message is verified, notify's? */
|
||||
break;
|
||||
this->logger->log(this->logger, ERROR, "Payload type %s not supported in state ike_auth_requested!", mapping_find(payload_type_m, payload->get_type(payload)));
|
||||
payloads->destroy(payloads);
|
||||
return FAILED;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -342,6 +342,7 @@ static void process_retransmit_request_job(private_thread_pool_t *this, retransm
|
|||
status = charon->ike_sa_manager->checkout(charon->ike_sa_manager,ike_sa_id, &ike_sa);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
job->destroy(job);
|
||||
this->worker_logger->log(this->worker_logger, ERROR, "IKE SA could not be checked out. Allready deleted?");
|
||||
return;
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue