authorMartin Willi <martin@strongswan.org>2006-08-23 09:25:41 +0000
committerMartin Willi <martin@strongswan.org>2006-08-23 09:25:41 +0000
commitd03ab568a6c98e0afa2087fd291636621a22802e (patch)
treecd9c4a87e458a62905db8cf8a482fe23447b133e /src
parent3183006de229901b15385f7a39976987c49f630d (diff)
downloadstrongswan-d03ab568a6c98e0afa2087fd291636621a22802e.tar.bz2
strongswan-d03ab568a6c98e0afa2087fd291636621a22802e.tar.xz
fixed rekeying behavior when proposing an unacceptable DH group (INVALID_KE_PAYLOAD) 4.0.3
Diffstat (limited to 'src')
-rw-r--r--src/charon/sa/transactions/rekey_ike_sa.c58
-rw-r--r--src/charon/sa/transactions/rekey_ike_sa.h3
2 files changed, 26 insertions, 35 deletions
diff --git a/src/charon/sa/transactions/rekey_ike_sa.c b/src/charon/sa/transactions/rekey_ike_sa.c
index bc75e6ba9..d35d2c245 100644
--- a/src/charon/sa/transactions/rekey_ike_sa.c
+++ b/src/charon/sa/transactions/rekey_ike_sa.c
@@ -140,17 +140,9 @@ static u_int32_t requested(private_rekey_ike_sa_t *this)
/**
* Implementation of rekey_ike_sa_t.use_dh_group.
*/
-static bool use_dh_group(private_rekey_ike_sa_t *this, diffie_hellman_group_t dh_group)
+static void use_dh_group(private_rekey_ike_sa_t *this, diffie_hellman_group_t dh_group)
{
- if (this->connection->check_dh_group(this->connection, dh_group))
- {
- this->diffie_hellman = diffie_hellman_create(dh_group);
- if (this->diffie_hellman)
- {
- return TRUE;
- }
- }
- return FALSE;
+ this->diffie_hellman = diffie_hellman_create(dh_group);
}
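Review bot: Removing the `check_dh_group` call from use_dh_group takes away the only visible gate on which group the initiator will retry with, so a group named in the peer's INVALID_KE_PAYLOAD is now accepted as-is unless the caller (outside this hunk) filters it against the connection's configured proposals; without that, a misbehaving peer can steer the rekey onto a group the local policy never proposed. The NULL return of `diffie_hellman_create` for an unsupported group is also no longer reported, since the function is now void. If the check has deliberately moved to the caller, a one-line guard here is still cheap and keeps the failure local: `if (!this->connection->check_dh_group(this->connection, dh_group)) return;` leaving `this->diffie_hellman` NULL, which get_request in this file already reads as "no retry in progress".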
/**
@@ -190,7 +182,9 @@ static status_t get_request(private_rekey_ike_sa_t *this, message_t **result)
return SUCCESS;
}
- if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
+ /* check for correct state, except when retrying with another dh group */
+ if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED &&
+ !this->diffie_hellman)
{
this->logger->log(this->logger, ERROR,
"tried to rekey in state %s, aborted",
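Review bot: The `!this->diffie_hellman` escape in the state check uses a non-NULL DH object as the marker for "retrying with another group", but use_dh_group now stores whatever `diffie_hellman_create` returns without looking at it, so a retry with an unsupported group leaves the pointer NULL, falls into this branch, and logs the misleading "tried to rekey in state %s, aborted" instead of naming the real problem. A dedicated `bool retrying` member set by use_dh_group would separate the two conditions and let this path log "DH group not supported" when the object is missing. Either way the new condition deserves a comment saying that a present DH object means the group came from a peer's INVALID_KE_PAYLOAD. get_request starts outside this hunk.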
@@ -509,6 +503,24 @@ static status_t get_response(private_rekey_ike_sa_t *this, message_t *request,
/* apply for notify processing */
this->next = next;
+
+ /* get a connection to replace current IKE_SA */
+ this->connection = charon->connections->get_connection_by_name(
+ charon->connections, this->ike_sa->get_name(this->ike_sa));
+ /* if connection lookup by name fails, try it with the hosts */
+ if (this->connection == NULL)
+ {
+ this->connection = charon->connections->get_connection_by_hosts(
+ charon->connections, me, other);
+ if (this->connection == NULL)
+ {
+ this->logger->log(this->logger, ERROR,
+ "no connection found to rekey IKE_SA, sending NO_RROPOSAL_CHOSEN");
+ build_notify(NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER, response, TRUE);
+ return FAILED;
+ }
+ }
+
/* Iterate over all payloads. */
payloads = request->get_payload_iterator(request);
while (payloads->has_next(payloads))
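Review bot: The log message in the added error path still carries the typo `NO_RROPOSAL_CHOSEN` (inherited from the old location of this code); it should read `"no connection found to rekey IKE_SA, sending NO_PROPOSAL_CHOSEN"` so that the log can be grepped for the notify actually sent. The block has moved ahead of the payload loop without a word on why; presumably so that the SA/KE processing below can consult `this->connection` before deciding on the peer's group — a one-line comment such as `/* resolve the connection first: the KE/SA checks below depend on it */` would record that (hedged, since those uses are outside the hunk). `me` and `other` are also assumed to be set before this point, outside the hunk.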
@@ -570,26 +582,6 @@ static status_t get_response(private_rekey_ike_sa_t *this, message_t *request,
nonce_response->set_nonce(nonce_response, this->nonce_r);
}
- { /* get a connection to replace current IKE_SA */
- this->connection = charon->connections->get_connection_by_name(
- charon->connections,
- this->ike_sa->get_name(this->ike_sa));
- /* if connection lookup by name fails, try it with the hosts */
- if (this->connection == NULL)
- {
- this->connection = charon->connections->get_connection_by_hosts(
- charon->connections,
- me, other);
- if (this->connection == NULL)
- {
- this->logger->log(this->logger, ERROR,
- "no connection found to rekey IKE_SA, sending NO_RROPOSAL_CHOSEN");
- build_notify(NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER, response, TRUE);
- return FAILED;
- }
- }
- }
-
{ /* process SA payload */
linked_list_t *proposal_list;
sa_payload_t *sa_response;
@@ -649,7 +641,7 @@ static status_t get_response(private_rekey_ike_sa_t *this, message_t *request,
notify_chunk.ptr = (u_int8_t*)&notify_group;
notify_chunk.len = sizeof(notify_group);
build_notify(INVALID_KE_PAYLOAD, notify_chunk, response, TRUE);
- return DESTROY_ME;
+ return FAILED;
}
this->diffie_hellman->set_other_public_value(this->diffie_hellman,
ke_request->get_key_exchange_data(ke_request));
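Review bot: Returning FAILED here keeps the IKE_SA up after the peer's KE group is rejected, which matches RFC 4306 §3.10.1 where INVALID_KE_PAYLOAD is a recoverable error the initiator answers by retrying with the suggested group, but nothing in the hunk says so and the old DESTROY_ME looked deliberate; a comment such as `/* recoverable: the peer retries with notify_group, keep the IKE_SA */` would stop a later reader reverting it. Since the notify body is the raw bytes of `notify_group` (`notify_chunk.ptr = (u_int8_t*)&notify_group`), it is worth confirming where that variable is assigned, outside the hunk, that it is a 16-bit value in network byte order as the KE payload's DH group field requires. get_response starts and ends outside this hunk.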
@@ -911,7 +903,7 @@ rekey_ike_sa_t *rekey_ike_sa_create(ike_sa_t *ike_sa)
this->public.transaction.destroy = (void(*)(transaction_t*))destroy;
/* public functions */
- this->public.use_dh_group = (bool(*)(rekey_ike_sa_t*,diffie_hellman_group_t))use_dh_group;
+ this->public.use_dh_group = (void(*)(rekey_ike_sa_t*,diffie_hellman_group_t))use_dh_group;
this->public.cancel = (void(*)(rekey_ike_sa_t*))cancel;
/* private data */
diff --git a/src/charon/sa/transactions/rekey_ike_sa.h b/src/charon/sa/transactions/rekey_ike_sa.h
index f5e9d07da..f9b4491e3 100644
--- a/src/charon/sa/transactions/rekey_ike_sa.h
+++ b/src/charon/sa/transactions/rekey_ike_sa.h
@@ -54,9 +54,8 @@ struct rekey_ike_sa_t {
*
* @param this calling object
* @param dh_group diffie hellman group to use
- * @return FALSE, if DH group not allowed/supported
*/
- bool (*use_dh_group) (rekey_ike_sa_t* this, diffie_hellman_group_t dh_group);
+ void (*use_dh_group) (rekey_ike_sa_t* this, diffie_hellman_group_t dh_group);
/**
* @brief Cancel the request.
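Review bot: With the `@return` line dropped, the remaining doc still reads as if use_dh_group decides whether the group is usable, while the implementation now stores `diffie_hellman_create(dh_group)` unchecked; callers need to be told that the group is taken as-is. Suggest adding to the comment: `* The group is used as given (not checked against the connection) and a failed diffie_hellman_create() is not reported, so callers must validate dh_group first.` The struct rekey_ike_sa_t starts and ends outside this hunk.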