authorMartin Willi <martin@strongswan.org>2007-03-05 15:22:50 +0000
committerMartin Willi <martin@strongswan.org>2007-03-05 15:22:50 +0000
commit5bf1be3c9fedd8ba81a653b65b17629f63ede078 (patch)
treef53b7afd250b53f10bb61f9277fed83616a6a364
parent03ffdf75260f2bc55c8a453039b2601e9d35a90a (diff)
fixed ID selection bug when peer doesn't include IDr payload
allowing vendor ID in any message
-rw-r--r--src/charon/encoding/message.c8
-rw-r--r--src/charon/encoding/payloads/id_payload.c2
-rw-r--r--src/charon/sa/tasks/ike_auth.c62
-rw-r--r--src/charon/threads/kernel_interface.c2
4 files changed, 34 insertions, 40 deletions
diff --git a/src/charon/encoding/message.c b/src/charon/encoding/message.c
index acc3abd1b..3366baf77 100644
--- a/src/charon/encoding/message.c
+++ b/src/charon/encoding/message.c
@@ -125,6 +125,7 @@ static payload_rule_t ike_sa_init_i_payload_rules[] = {
{SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
{KEY_EXCHANGE,1,1,FALSE,FALSE},
{NONCE,1,1,FALSE,FALSE},
+ {VENDOR_ID,0,10,FALSE,FALSE},
};
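Review bot: The VENDOR_ID upper bound of 10 is a bare literal repeated in all eight rule tables touched by this commit (this hunk and the seven that follow, through create_child_sa_r_payload_rules), while the same file already names its NOTIFY bound as MAX_NOTIFY_PAYLOADS; a single `#define MAX_VENDOR_ID_PAYLOADS 10` used as `{VENDOR_ID,0,MAX_VENDOR_ID_PAYLOADS,FALSE,FALSE},` keeps the limit in one place. In the two IKE_SA_INIT tables these payloads arrive before any authentication, so this count is the only thing bounding how much unauthenticated vendor data is parsed per message; a short comment on those two entries saying so would help the next reader. The fourth column appears to be the must-be-encrypted flag, judging from the surrounding entries, which would explain FALSE here and TRUE in the later tables — worth confirming against payload_rule_t.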
/**
@@ -135,6 +136,7 @@ static payload_rule_t ike_sa_init_r_payload_rules[] = {
{SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
{KEY_EXCHANGE,1,1,FALSE,FALSE},
{NONCE,1,1,FALSE,FALSE},
+ {VENDOR_ID,0,10,FALSE,FALSE},
};
/**
@@ -152,6 +154,7 @@ static payload_rule_t ike_auth_i_payload_rules[] = {
{TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE,FALSE},
{TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE,FALSE},
{CONFIGURATION,0,1,TRUE,FALSE},
+ {VENDOR_ID,0,10,TRUE,FALSE},
};
/**
@@ -167,6 +170,7 @@ static payload_rule_t ike_auth_r_payload_rules[] = {
{TRAFFIC_SELECTOR_INITIATOR,0,1,TRUE,FALSE},
{TRAFFIC_SELECTOR_RESPONDER,0,1,TRUE,FALSE},
{CONFIGURATION,0,1,TRUE,FALSE},
+ {VENDOR_ID,0,10,TRUE,FALSE},
};
@@ -177,6 +181,7 @@ static payload_rule_t informational_i_payload_rules[] = {
{NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
{CONFIGURATION,0,1,TRUE,FALSE},
{DELETE,0,1,TRUE,FALSE},
+ {VENDOR_ID,0,10,TRUE,FALSE},
};
@@ -187,6 +192,7 @@ static payload_rule_t informational_r_payload_rules[] = {
{NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
{CONFIGURATION,0,1,TRUE,FALSE},
{DELETE,0,1,TRUE,FALSE},
+ {VENDOR_ID,0,10,TRUE,FALSE},
};
/**
@@ -200,6 +206,7 @@ static payload_rule_t create_child_sa_i_payload_rules[] = {
{TRAFFIC_SELECTOR_INITIATOR,0,1,TRUE,FALSE},
{TRAFFIC_SELECTOR_RESPONDER,0,1,TRUE,FALSE},
{CONFIGURATION,0,1,TRUE,FALSE},
+ {VENDOR_ID,0,10,TRUE,FALSE},
};
/**
@@ -213,6 +220,7 @@ static payload_rule_t create_child_sa_r_payload_rules[] = {
{TRAFFIC_SELECTOR_INITIATOR,0,1,TRUE,FALSE},
{TRAFFIC_SELECTOR_RESPONDER,0,1,TRUE,FALSE},
{CONFIGURATION,0,1,TRUE,FALSE},
+ {VENDOR_ID,0,10,TRUE,FALSE},
};
diff --git a/src/charon/encoding/payloads/id_payload.c b/src/charon/encoding/payloads/id_payload.c
index 1a8293a76..74c0ce870 100644
--- a/src/charon/encoding/payloads/id_payload.c
+++ b/src/charon/encoding/payloads/id_payload.c
@@ -25,6 +25,7 @@
#include "id_payload.h"
+#include <daemon.h>
#include <encoding/payloads/encodings.h>
typedef struct private_id_payload_t private_id_payload_t;
@@ -127,6 +128,7 @@ static status_t verify(private_id_payload_t *this)
((this->id_type >= 12) && (this->id_type <= 200)))
{
/* reserved IDs */
+ DBG1(DBG_ENC, "received ID with reserved type %d", this->id_type);
return FAILED;
}
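Review bot: The new DBG1 on the reserved-type branch fires on peer-controlled input that has not yet been authenticated, so at that level a remote party can add one log line per malformed ID payload it sends; DBG2 would be consistent with the demotion this same commit applies in kernel_interface.c, unless logging is rate limited elsewhere. The check itself is unchanged and still returns FAILED, so only the log volume is at stake. Pulling <daemon.h> into an encoding payload file (first hunk of this section) solely to reach DBG1 widens that module's dependency on the daemon; if a lighter logging header exists it would be preferable. verify() continues outside the hunk.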
diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c
index 2e54b7797..4ab486ac7 100644
--- a/src/charon/sa/tasks/ike_auth.c
+++ b/src/charon/sa/tasks/ike_auth.c
@@ -108,6 +108,27 @@ static status_t build_payloads(private_ike_auth_t *this, message_t *message)
me = this->ike_sa->get_my_id(this->ike_sa);
other = this->ike_sa->get_other_id(this->ike_sa);
+
+ /* create own authenticator and add auth payload */
+ policy = this->ike_sa->get_policy(this->ike_sa);
+ if (!policy)
+ {
+ SIG(IKE_UP_FAILED, "no acceptable policy found");
+ return FAILED;
+ }
+
+ method = policy->get_auth_method(policy);
+ if (me->contains_wildcards(me))
+ {
+ me = policy->get_my_id(policy);
+ if (me->contains_wildcards(me))
+ {
+ SIG(IKE_UP_FAILED, "negotiation of own ID failed");
+ return FAILED;
+ }
+ this->ike_sa->set_my_id(this->ike_sa, me);
+ }
+
id_payload = id_payload_create_from_identification(this->initiator, me);
message->add_payload(message, (payload_t*)id_payload);
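Review bot: `me = policy->get_my_id(policy)` followed by `this->ike_sa->set_my_id(this->ike_sa, me)` hands the policy's own identification object to the IKE_SA; if set_my_id takes ownership and destroys the previous ID, that object will later be freed by both the policy and the IKE_SA, so either `me = me->clone(me);` before the set_my_id call or a set_my_id that clones internally is needed — the hunk does not show which convention applies. The early `return FAILED` when no policy is found is an improvement over the old silent fallthrough, but `other` fetched just above is not used anywhere visible in this hunk; confirm it is still needed. build_payloads continues outside the hunk.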
@@ -118,12 +139,6 @@ static status_t build_payloads(private_ike_auth_t *this, message_t *message)
message->add_payload(message, (payload_t*)id_payload);
}
- /* create own authenticator and add auth payload */
- policy = this->ike_sa->get_policy(this->ike_sa);
- if (policy)
- {
- method = policy->get_auth_method(policy);
- }
auth = authenticator_create(this->ike_sa, method);
if (auth == NULL)
{
@@ -198,40 +213,14 @@ static void process_payloads(private_ike_auth_t *this, message_t *message)
if (this->initiator)
{
- identification_t *other_id = this->ike_sa->get_other_id(this->ike_sa);
- if (!idr->matches(idr, other_id, NULL))
- {
- SIG(IKE_UP_FAILED, "received inacceptable id %D, %D required", idr,
- this->ike_sa->get_other_id(this->ike_sa));
- DESTROY_IF(idi); DESTROY_IF(idr);
- return;
- }
this->ike_sa->set_other_id(this->ike_sa, idr);
}
else
{
- identification_t *my_id = this->ike_sa->get_other_id(this->ike_sa);
if (idr)
{
- if (!idr->matches(idr, my_id, NULL))
- {
- SIG(IKE_UP_FAILED, "received inacceptable id %D, %D required",
- idr, this->ike_sa->get_other_id(this->ike_sa));
- DESTROY_IF(idi); DESTROY_IF(idr);
- return;
- }
this->ike_sa->set_my_id(this->ike_sa, idr);
}
- else
- {
- if (my_id->contains_wildcards(my_id))
- {
- SIG(IKE_UP_FAILED, "own ID (%D) not defined after exchange",
- my_id);
- DESTROY_IF(idi);
- return;
- }
- }
this->ike_sa->set_other_id(this->ike_sa, idi);
}
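Review bot: On the initiator side the check that the responder's IDr matches the configured peer identity is removed and not replaced, so `this->ike_sa->set_other_id(this->ike_sa, idr)` now adopts whatever identity the responder asserts; unless the later policy lookup (get_policy in build_payloads) rejects an unexpected peer ID, a responder holding any credential the authenticator accepts could present an identity other than the configured one. On the responder side `set_my_id(this->ike_sa, idr)` likewise adopts the initiator's IDr as own identity without the former matches() comparison. If the intent is that get_policy() now performs both comparisons, a comment at the two set_*_id calls such as `/* both IDs are validated against the policy in build_payloads() */` would make the replacement for the removed checks visible; if it does not, the matches() checks should come back. process_payloads continues outside the hunk.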
@@ -351,13 +340,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
return collect_my_init_data(this, message);
}
- if (!this->peer_authenticated)
- {
- message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
- return FAILED;
- }
-
- if (build_payloads(this, message) == SUCCESS)
+ if (this->peer_authenticated && build_payloads(this, message) == SUCCESS)
{
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
SIG(IKE_UP_SUCCESS, "IKE_SA established between %D[%H]...[%H]%D",
@@ -367,6 +350,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
this->ike_sa->get_other_id(this->ike_sa));
return SUCCESS;
}
+ message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
return FAILED;
}
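Review bot: With the condition folded into `this->peer_authenticated && build_payloads(this, message) == SUCCESS` (previous hunk), a build_payloads failure after the peer authenticated now also answers AUTHENTICATION_FAILED, and since build_payloads adds payloads (at least the IDr) before it can fail, the notify on the new line is appended to a message that may already carry those partial payloads, whereas previously it went out on an otherwise empty message. Consider reporting local failures (no policy, own-ID negotiation) separately from a genuine peer authentication failure and making sure the notify is not sent alongside half-built payloads, if message_t allows rebuilding — that is not visible here. build_r starts outside these two hunks.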
diff --git a/src/charon/threads/kernel_interface.c b/src/charon/threads/kernel_interface.c
index 25a281a40..1046e6871 100644
--- a/src/charon/threads/kernel_interface.c
+++ b/src/charon/threads/kernel_interface.c
@@ -830,7 +830,7 @@ static char *get_interface_name(private_kernel_interface_t *this, host_t* ip)
}
else
{
- DBG1(DBG_IKE, "%H is not a local address", ip);
+ DBG2(DBG_IKE, "%H is not a local address", ip);
}
return name;
}