fixed ID selection bug when peer doesn't include IDr payload

allowing vendor ID in any messag
author: Martin Willi <martin@strongswan.org> 2007-03-05 15:22:50 +0000
committer: Martin Willi <martin@strongswan.org> 2007-03-05 15:22:50 +0000
commit: 5bf1be3c9fedd8ba81a653b65b17629f63ede078 (patch)
tree: f53b7afd250b53f10bb61f9277fed83616a6a364
parent: 03ffdf75260f2bc55c8a453039b2601e9d35a90a (diff)
download: strongswan-5bf1be3c9fedd8ba81a653b65b17629f63ede078.tar.bz2
strongswan-5bf1be3c9fedd8ba81a653b65b17629f63ede078.tar.xz
4 files changed, 34 insertions, 40 deletions
diff --git a/src/charon/encoding/message.c b/src/charon/encoding/message.c
index acc3abd1b..3366baf77 100644
--- a/src/charon/encoding/message.c
+++ b/src/charon/encoding/message.c
@@ -125,6 +125,7 @@ static payload_rule_t ike_sa_init_i_payload_rules[] = {
 	{SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
 	{KEY_EXCHANGE,1,1,FALSE,FALSE},
 	{NONCE,1,1,FALSE,FALSE},
+	{VENDOR_ID,0,10,FALSE,FALSE},
 };
 
 /**
@@ -135,6 +136,7 @@ static payload_rule_t ike_sa_init_r_payload_rules[] = {
 	{SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
 	{KEY_EXCHANGE,1,1,FALSE,FALSE},
 	{NONCE,1,1,FALSE,FALSE},
+	{VENDOR_ID,0,10,FALSE,FALSE},
 };
 
 /**
@@ -152,6 +154,7 @@ static payload_rule_t ike_auth_i_payload_rules[] = {
 	{TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE,FALSE},
 	{TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE,FALSE},
 	{CONFIGURATION,0,1,TRUE,FALSE},
+	{VENDOR_ID,0,10,TRUE,FALSE},
 };
 
 /**
@@ -167,6 +170,7 @@ static payload_rule_t ike_auth_r_payload_rules[] = {
 	{TRAFFIC_SELECTOR_INITIATOR,0,1,TRUE,FALSE},
 	{TRAFFIC_SELECTOR_RESPONDER,0,1,TRUE,FALSE},
 	{CONFIGURATION,0,1,TRUE,FALSE},
+	{VENDOR_ID,0,10,TRUE,FALSE},
 };
 
 
@@ -177,6 +181,7 @@ static payload_rule_t informational_i_payload_rules[] = {
 	{NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
 	{CONFIGURATION,0,1,TRUE,FALSE},
 	{DELETE,0,1,TRUE,FALSE},
+	{VENDOR_ID,0,10,TRUE,FALSE},
 	
 };
 
@@ -187,6 +192,7 @@ static payload_rule_t informational_r_payload_rules[] = {
 	{NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
 	{CONFIGURATION,0,1,TRUE,FALSE},
 	{DELETE,0,1,TRUE,FALSE},
+	{VENDOR_ID,0,10,TRUE,FALSE},
 };
 
 /**
@@ -200,6 +206,7 @@ static payload_rule_t create_child_sa_i_payload_rules[] = {
 	{TRAFFIC_SELECTOR_INITIATOR,0,1,TRUE,FALSE},
 	{TRAFFIC_SELECTOR_RESPONDER,0,1,TRUE,FALSE},
 	{CONFIGURATION,0,1,TRUE,FALSE},
+	{VENDOR_ID,0,10,TRUE,FALSE},
 };
 
 /**
@@ -213,6 +220,7 @@ static payload_rule_t create_child_sa_r_payload_rules[] = {
 	{TRAFFIC_SELECTOR_INITIATOR,0,1,TRUE,FALSE},
 	{TRAFFIC_SELECTOR_RESPONDER,0,1,TRUE,FALSE},
 	{CONFIGURATION,0,1,TRUE,FALSE},
+	{VENDOR_ID,0,10,TRUE,FALSE},
 };
 
 
diff --git a/src/charon/encoding/payloads/id_payload.c b/src/charon/encoding/payloads/id_payload.c
index 1a8293a76..74c0ce870 100644
--- a/src/charon/encoding/payloads/id_payload.c
+++ b/src/charon/encoding/payloads/id_payload.c
@@ -25,6 +25,7 @@
 
 #include "id_payload.h"
 
+#include <daemon.h>
 #include <encoding/payloads/encodings.h>
 
 typedef struct private_id_payload_t private_id_payload_t;
@@ -127,6 +128,7 @@ static status_t verify(private_id_payload_t *this)
 		((this->id_type >= 12) && (this->id_type <= 200)))
 	{
 		/* reserved IDs */
+		DBG1(DBG_ENC, "received ID with reserved type %d", this->id_type);
 		return FAILED;
 	}
 		
diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c
index 2e54b7797..4ab486ac7 100644
--- a/src/charon/sa/tasks/ike_auth.c
+++ b/src/charon/sa/tasks/ike_auth.c
@@ -108,6 +108,27 @@ static status_t build_payloads(private_ike_auth_t *this, message_t *message)
 	me = this->ike_sa->get_my_id(this->ike_sa);
 	other = this->ike_sa->get_other_id(this->ike_sa);
 	
+	
+	/* create own authenticator and add auth payload */
+	policy = this->ike_sa->get_policy(this->ike_sa);
+	if (!policy)
+	{
+		SIG(IKE_UP_FAILED, "no acceptable policy found");
+		return FAILED;
+	}
+	
+	method = policy->get_auth_method(policy);
+	if (me->contains_wildcards(me))
+	{
+		me = policy->get_my_id(policy);
+		if (me->contains_wildcards(me))
+		{
+			SIG(IKE_UP_FAILED, "negotiation of own ID failed");
+			return FAILED;
+		}
+		this->ike_sa->set_my_id(this->ike_sa, me);
+	}
+		
 	id_payload = id_payload_create_from_identification(this->initiator, me);
 	message->add_payload(message, (payload_t*)id_payload);
 	
@@ -118,12 +139,6 @@ static status_t build_payloads(private_ike_auth_t *this, message_t *message)
 		message->add_payload(message, (payload_t*)id_payload);
 	}
 	
-	/* create own authenticator and add auth payload */
-	policy = this->ike_sa->get_policy(this->ike_sa);
-	if (policy)
-	{
-		method = policy->get_auth_method(policy);
-	}
 	auth = authenticator_create(this->ike_sa, method);
 	if (auth == NULL)
 	{
@@ -198,40 +213,14 @@ static void process_payloads(private_ike_auth_t *this, message_t *message)
 	
 	if (this->initiator)
 	{
-		identification_t *other_id = this->ike_sa->get_other_id(this->ike_sa);
-		if (!idr->matches(idr, other_id, NULL))
-		{
-			SIG(IKE_UP_FAILED, "received inacceptable id %D, %D required", idr, 
-				this->ike_sa->get_other_id(this->ike_sa));
-			DESTROY_IF(idi); DESTROY_IF(idr);
-			return;
-		}
 		this->ike_sa->set_other_id(this->ike_sa, idr);
 	}
 	else
 	{
-		identification_t *my_id = this->ike_sa->get_other_id(this->ike_sa);
 		if (idr)
 		{
-			if (!idr->matches(idr, my_id, NULL))
-			{
-				SIG(IKE_UP_FAILED, "received inacceptable id %D, %D required",
-					idr, this->ike_sa->get_other_id(this->ike_sa));
-				DESTROY_IF(idi); DESTROY_IF(idr);
-				return;
-			}
 			this->ike_sa->set_my_id(this->ike_sa, idr);
 		}
-		else
-		{
-			if (my_id->contains_wildcards(my_id))
-			{
-				SIG(IKE_UP_FAILED, "own ID (%D) not defined after exchange",
-					my_id);
-				DESTROY_IF(idi);
-				return;
-			}
-		}
 		this->ike_sa->set_other_id(this->ike_sa, idi);
 	}
 	
@@ -351,13 +340,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
 		return collect_my_init_data(this, message);
 	}
 	
-	if (!this->peer_authenticated)
-	{
-		message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
-		return FAILED;
-	}
-
-	if (build_payloads(this, message) == SUCCESS)
+	if (this->peer_authenticated && build_payloads(this, message) == SUCCESS)
 	{
 		this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
 		SIG(IKE_UP_SUCCESS, "IKE_SA established between %D[%H]...[%H]%D",
@@ -367,6 +350,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
 			this->ike_sa->get_other_id(this->ike_sa));
 		return SUCCESS;
 	}
+	message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
 	return FAILED;
 }
 
diff --git a/src/charon/threads/kernel_interface.c b/src/charon/threads/kernel_interface.c
index 25a281a40..1046e6871 100644
--- a/src/charon/threads/kernel_interface.c
+++ b/src/charon/threads/kernel_interface.c
@@ -830,7 +830,7 @@ static char *get_interface_name(private_kernel_interface_t *this, host_t* ip)
 	}
 	else
 	{
-		DBG1(DBG_IKE, "%H is not a local address", ip);
+		DBG2(DBG_IKE, "%H is not a local address", ip);
 	}
 	return name;
 }
author	Martin Willi <martin@strongswan.org>	2007-03-05 15:22:50 +0000
committer	Martin Willi <martin@strongswan.org>	2007-03-05 15:22:50 +0000
commit	5bf1be3c9fedd8ba81a653b65b17629f63ede078 (patch)
tree	f53b7afd250b53f10bb61f9277fed83616a6a364
parent	03ffdf75260f2bc55c8a453039b2601e9d35a90a (diff)
download	strongswan-5bf1be3c9fedd8ba81a653b65b17629f63ede078.tar.bz2 strongswan-5bf1be3c9fedd8ba81a653b65b17629f63ede078.tar.xz