author | Martin Willi <martin@strongswan.org> | 2007-03-05 15:22:50 +0000 |
---|---|---|
committer | Martin Willi <martin@strongswan.org> | 2007-03-05 15:22:50 +0000 |
commit | 5bf1be3c9fedd8ba81a653b65b17629f63ede078 (patch) | |
tree | f53b7afd250b53f10bb61f9277fed83616a6a364 | |
parent | 03ffdf75260f2bc55c8a453039b2601e9d35a90a (diff) | |
download | strongswan-5bf1be3c9fedd8ba81a653b65b17629f63ede078.tar.bz2 strongswan-5bf1be3c9fedd8ba81a653b65b17629f63ede078.tar.xz |
fixed ID selection bug when peer doesn't include IDr payload
allowing vendor ID in any message
-rw-r--r-- | src/charon/encoding/message.c | 8 | ||||
-rw-r--r-- | src/charon/encoding/payloads/id_payload.c | 2 | ||||
-rw-r--r-- | src/charon/sa/tasks/ike_auth.c | 62 | ||||
-rw-r--r-- | src/charon/threads/kernel_interface.c | 2 |
4 files changed, 34 insertions, 40 deletions
diff --git a/src/charon/encoding/message.c b/src/charon/encoding/message.c
index acc3abd1b..3366baf77 100644
--- a/src/charon/encoding/message.c
+++ b/src/charon/encoding/message.c
@@ -125,6 +125,7 @@ static payload_rule_t ike_sa_init_i_payload_rules[] = {
  {SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
  {KEY_EXCHANGE,1,1,FALSE,FALSE},
  {NONCE,1,1,FALSE,FALSE},
+ {VENDOR_ID,0,10,FALSE,FALSE},
 };
 /**
@@ -135,6 +136,7 @@ static payload_rule_t ike_sa_init_r_payload_rules[] = {
  {SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
  {KEY_EXCHANGE,1,1,FALSE,FALSE},
  {NONCE,1,1,FALSE,FALSE},
+ {VENDOR_ID,0,10,FALSE,FALSE},
 };
 /**
@@ -152,6 +154,7 @@ static payload_rule_t ike_auth_i_payload_rules[] = {
  {TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE,FALSE},
  {TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE,FALSE},
  {CONFIGURATION,0,1,TRUE,FALSE},
+ {VENDOR_ID,0,10,TRUE,FALSE},
 };
 /**
@@ -167,6 +170,7 @@ static payload_rule_t ike_auth_r_payload_rules[] = {
  {TRAFFIC_SELECTOR_INITIATOR,0,1,TRUE,FALSE},
  {TRAFFIC_SELECTOR_RESPONDER,0,1,TRUE,FALSE},
  {CONFIGURATION,0,1,TRUE,FALSE},
+ {VENDOR_ID,0,10,TRUE,FALSE},
 };
@@ -177,6 +181,7 @@ static payload_rule_t informational_i_payload_rules[] = {
  {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
  {CONFIGURATION,0,1,TRUE,FALSE},
  {DELETE,0,1,TRUE,FALSE},
+ {VENDOR_ID,0,10,TRUE,FALSE},
 };
@@ -187,6 +192,7 @@ static payload_rule_t informational_r_payload_rules[] = {
  {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
  {CONFIGURATION,0,1,TRUE,FALSE},
  {DELETE,0,1,TRUE,FALSE},
+ {VENDOR_ID,0,10,TRUE,FALSE},
 };
 /**
@@ -200,6 +206,7 @@ static payload_rule_t create_child_sa_i_payload_rules[] = {
  {TRAFFIC_SELECTOR_INITIATOR,0,1,TRUE,FALSE},
  {TRAFFIC_SELECTOR_RESPONDER,0,1,TRUE,FALSE},
  {CONFIGURATION,0,1,TRUE,FALSE},
+ {VENDOR_ID,0,10,TRUE,FALSE},
 };
 /**
@@ -213,6 +220,7 @@ static payload_rule_t create_child_sa_r_payload_rules[] = {
  {TRAFFIC_SELECTOR_INITIATOR,0,1,TRUE,FALSE},
  {TRAFFIC_SELECTOR_RESPONDER,0,1,TRUE,FALSE},
  {CONFIGURATION,0,1,TRUE,FALSE},
+ {VENDOR_ID,0,10,TRUE,FALSE},
 };
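Review bot: The upper bound of 10 vendor ID payloads is a bare literal repeated in all eight rule tables of this file, while the neighbouring NOTIFY rules use the named `MAX_NOTIFY_PAYLOADS` (presumably defined earlier in this file); a constant such as `MAX_VENDOR_ID_PAYLOADS` defined beside it would keep the eight tables in step if the limit is ever tuned. The bound is worth naming and commenting because the first two tables admit these payloads in IKE_SA_INIT, before any authentication has happened, so this limit is what stops an unauthenticated peer from padding a message with an arbitrary number of them. A one-line comment on the constant such as `/* cap on VID payloads per message; also applies to unauthenticated IKE_SA_INIT */` records that intent.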
diff --git a/src/charon/encoding/payloads/id_payload.c b/src/charon/encoding/payloads/id_payload.c
index 1a8293a76..74c0ce870 100644
--- a/src/charon/encoding/payloads/id_payload.c
+++ b/src/charon/encoding/payloads/id_payload.c
@@ -25,6 +25,7 @@
 #include "id_payload.h"
+#include <daemon.h>
 #include <encoding/payloads/encodings.h>
 typedef struct private_id_payload_t private_id_payload_t;
@@ -127,6 +128,7 @@ static status_t verify(private_id_payload_t *this)
  ((this->id_type >= 12) && (this->id_type <= 200)))
  {
  /* reserved IDs */
+ DBG1(DBG_ENC, "received ID with reserved type %d", this->id_type);
  return FAILED;
  }
diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c
index 2e54b7797..4ab486ac7 100644
--- a/src/charon/sa/tasks/ike_auth.c
+++ b/src/charon/sa/tasks/ike_auth.c
@@ -108,6 +108,27 @@ static status_t build_payloads(private_ike_auth_t *this, message_t *message)
  me = this->ike_sa->get_my_id(this->ike_sa);
  other = this->ike_sa->get_other_id(this->ike_sa);
+
+ /* create own authenticator and add auth payload */
+ policy = this->ike_sa->get_policy(this->ike_sa);
+ if (!policy)
+ {
+ SIG(IKE_UP_FAILED, "no acceptable policy found");
+ return FAILED;
+ }
+
+ method = policy->get_auth_method(policy);
+ if (me->contains_wildcards(me))
+ {
+ me = policy->get_my_id(policy);
+ if (me->contains_wildcards(me))
+ {
+ SIG(IKE_UP_FAILED, "negotiation of own ID failed");
+ return FAILED;
+ }
+ this->ike_sa->set_my_id(this->ike_sa, me);
+ }
+
  id_payload = id_payload_create_from_identification(this->initiator, me);
  message->add_payload(message, (payload_t*)id_payload);
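Review bot: In the wildcard branch of build_payloads, `me = policy->get_my_id(policy)` is handed straight to `this->ike_sa->set_my_id(this->ike_sa, me)`; the code removed from process_payloads in the next hunk destroys the identifications it does not pass to set_other_id/set_my_id, which suggests those setters take ownership, and if so the IKE_SA and the policy now share one identification object and each will try to destroy it. Hand over a copy instead, `this->ike_sa->set_my_id(this->ike_sa, me->clone(me));`, or confirm that set_my_id copies its argument. With the early `return FAILED` on a missing policy, `method` is now always assigned from the policy, so if its declaration (outside the hunk) carries a default value that default is dead and can be dropped. build_payloads starts before this hunk and continues past it.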
@@ -118,12 +139,6 @@ static status_t build_payloads(private_ike_auth_t *this, message_t *message)
  message->add_payload(message, (payload_t*)id_payload);
  }
- /* create own authenticator and add auth payload */
- policy = this->ike_sa->get_policy(this->ike_sa);
- if (policy)
- {
- method = policy->get_auth_method(policy);
- }
  auth = authenticator_create(this->ike_sa, method);
  if (auth == NULL)
  {
@@ -198,40 +213,14 @@ static void process_payloads(private_ike_auth_t *this, message_t *message)
  if (this->initiator)
  {
- identification_t *other_id = this->ike_sa->get_other_id(this->ike_sa);
- if (!idr->matches(idr, other_id, NULL))
- {
- SIG(IKE_UP_FAILED, "received inacceptable id %D, %D required", idr,
- this->ike_sa->get_other_id(this->ike_sa));
- DESTROY_IF(idi); DESTROY_IF(idr);
- return;
- }
  this->ike_sa->set_other_id(this->ike_sa, idr);
  }
  else
  {
- identification_t *my_id = this->ike_sa->get_other_id(this->ike_sa);
  if (idr)
  {
- if (!idr->matches(idr, my_id, NULL))
- {
- SIG(IKE_UP_FAILED, "received inacceptable id %D, %D required",
- idr, this->ike_sa->get_other_id(this->ike_sa));
- DESTROY_IF(idi); DESTROY_IF(idr);
- return;
- }
  this->ike_sa->set_my_id(this->ike_sa, idr);
  }
- else
- {
- if (my_id->contains_wildcards(my_id))
- {
- SIG(IKE_UP_FAILED, "own ID (%D) not defined after exchange",
- my_id);
- DESTROY_IF(idi);
- return;
- }
- }
  this->ike_sa->set_other_id(this->ike_sa, idi);
  }
@@ -351,13 +340,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
  return collect_my_init_data(this, message);
  }
- if (!this->peer_authenticated)
- {
- message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
- return FAILED;
- }
-
- if (build_payloads(this, message) == SUCCESS)
+ if (this->peer_authenticated && build_payloads(this, message) == SUCCESS)
  {
  this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
  SIG(IKE_UP_SUCCESS, "IKE_SA established between %D[%H]...[%H]%D",
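Review bot: Both `matches()` checks against the configured identity are removed from process_payloads and nothing in the hunk replaces them: the initiator now adopts whatever IDr the responder sent via `set_other_id`, and the responder adopts the IDr proposed by the initiator as its own identity via `set_my_id`. The old responder-side check compared against the wrong side (`my_id` was fetched with get_other_id), which is presumably the selection bug the commit fixes, but after this change rejecting an identity that no configured connection covers depends entirely on what `get_policy()` does with the updated IDs in build_payloads, and that lookup is not visible here; a comment at `this->ike_sa->set_other_id(this->ike_sa, idr);` such as `/* IDs are matched against configuration during policy lookup in build_payloads, not here */` would make that contract explicit. The initiator branch also uses `idr` without the `if (idr)` guard the responder branch keeps, so confirm an earlier check outside the hunk rejects a reply with no IDr. process_payloads starts before this hunk and ends after it.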
@@ -367,6 +350,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
  this->ike_sa->get_other_id(this->ike_sa));
  return SUCCESS;
  }
+ message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
  return FAILED;
  }
diff --git a/src/charon/threads/kernel_interface.c b/src/charon/threads/kernel_interface.c
index 25a281a40..1046e6871 100644
--- a/src/charon/threads/kernel_interface.c
+++ b/src/charon/threads/kernel_interface.c
@@ -830,7 +830,7 @@ static char *get_interface_name(private_kernel_interface_t *this, host_t* ip)
  }
  else
  {
- DBG1(DBG_IKE, "%H is not a local address", ip);
+ DBG2(DBG_IKE, "%H is not a local address", ip);
  }
  return name;
  }
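Review bot: With the condition folded into one `if` in the previous hunk and the notify moved after it, AUTHENTICATION_FAILED is now the reply to every failure of build_payloads as well — including the "no acceptable policy found" and "negotiation of own ID failed" cases it newly reports — and not only to a peer whose AUTH did not verify. A single non-specific notify is a sensible choice because it does not tell the peer which check failed, but that choice should be recorded at the notify line, e.g. `/* covers a failed peer authentication and any build_payloads failure; deliberately non-specific */`. If build_payloads fails after it has already added the IDr payload (the `auth == NULL` branch visible as context in the second hunk of this file), the response carries IDr together with the notify; confirm that is intended. build_r starts before this hunk.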