Diffstat (limited to 'Source/charon/sa')
-rw-r--r--Source/charon/sa/authenticator.c28
-rw-r--r--Source/charon/sa/ike_sa.c36
-rw-r--r--Source/charon/sa/states/ike_auth_requested.c13
-rw-r--r--Source/charon/sa/states/ike_sa_init_requested.c3
-rw-r--r--Source/charon/sa/states/ike_sa_init_responded.c25
5 files changed, 69 insertions, 36 deletions
diff --git a/Source/charon/sa/authenticator.c b/Source/charon/sa/authenticator.c
index d735b633e..8b96246ac 100644
--- a/Source/charon/sa/authenticator.c
+++ b/Source/charon/sa/authenticator.c
@@ -206,9 +206,9 @@ static status_t verify_auth_data (private_authenticator_t *this,
status = charon->credentials->get_shared_secret(charon->credentials,
other_id,
&preshared_secret);
- other_id->destroy(other_id);
if (status != SUCCESS)
{
+ other_id->destroy(other_id);
return status;
}
@@ -218,20 +218,26 @@ static status_t verify_auth_data (private_authenticator_t *this,
other_id_payload,
initiator,
preshared_secret);
+ allocator_free_chunk(&preshared_secret);
if (auth_data.len != my_auth_data.len)
{
allocator_free_chunk(&my_auth_data);
- return FAILED;
+ status = FAILED;
}
- if (memcmp(auth_data.ptr,my_auth_data.ptr, my_auth_data.len) == 0)
+ else if (memcmp(auth_data.ptr,my_auth_data.ptr, my_auth_data.len) == 0)
{
+ this->logger->log(this->logger, CONTROL, "Authentication of %s with preshared secret successful",
+ other_id->get_string(other_id));
status = SUCCESS;
}
else
{
+ this->logger->log(this->logger, CONTROL, "Authentication of %s with preshared secret failed",
+ other_id->get_string(other_id));
status = FAILED;
}
+ other_id->destroy(other_id);
allocator_free_chunk(&my_auth_data);
return status;
}
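Review bot: The length-mismatch branch at the top of this hunk frees `my_auth_data` and then falls through to the common `allocator_free_chunk(&my_auth_data)` before `return status`, so the chunk is released twice unless allocator_free_chunk resets the pointer (its body is not in this diff); drop the inner call and let the shared cleanup do it: `if (auth_data.len != my_auth_data.len) { status = FAILED; }`. That branch also fails without the "Authentication of %s with preshared secret failed" line the other failure path now writes, so a peer sending a wrong-sized AUTH payload leaves no trace in the log. Separately, the MAC is compared with `memcmp`, which stops at the first differing byte; a fixed-time comparison over `my_auth_data.len` is the usual choice when the data being checked comes from a not-yet-authenticated peer. verify_auth_data continues beyond this hunk.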
@@ -247,16 +253,28 @@ static status_t verify_auth_data (private_authenticator_t *this,
status = charon->credentials->get_rsa_public_key(charon->credentials,
other_id,
&public_key);
- other_id->destroy(other_id);
if (status != SUCCESS)
{
+ other_id->destroy(other_id);
return status;
}
octets = this->allocate_octets(this,last_received_packet, my_nonce,other_id_payload, initiator);
status = public_key->verify_emsa_pkcs1_signature(public_key, octets, auth_data);
+ if (status == SUCCESS)
+ {
+ this->logger->log(this->logger, CONTROL, "Authentication of %s with RSA successful",
+ other_id->get_string(other_id));
+ }
+ else
+ {
+ this->logger->log(this->logger, CONTROL, "Authentication of %s with RSA failed",
+ other_id->get_string(other_id));
+ }
+ public_key->destroy(public_key);
+ other_id->destroy(other_id);
allocator_free_chunk(&octets);
return status;
}
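Review bot: The `get_rsa_public_key` failure at the top of the hunk returns before any log line, so a peer whose ID has no key configured produces no record of the failed authentication attempt, while the signature-verification failure just below it is logged; add `this->logger->log(this->logger, CONTROL, "No RSA public key found for %s", other_id->get_string(other_id));` before `other_id->destroy(other_id)` in that branch. Note also that both new "Authentication of %s with RSA ..." lines go out at CONTROL, while the states' AUDIT lines in this same commit drop the authentication method, so nothing at audit level now records how a peer was authenticated. verify_auth_data continues beyond this hunk.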
@@ -300,6 +318,7 @@ static status_t compute_auth_data (private_authenticator_t *this,
auth_data = this->build_preshared_secret_signature(this, last_sent_packet, other_nonce,
my_id_payload, initiator, preshared_secret);
+ allocator_free_chunk(&preshared_secret);
*auth_payload = auth_payload_create();
(*auth_payload)->set_auth_method(*auth_payload, SHARED_KEY_MESSAGE_INTEGRITY_CODE);
(*auth_payload)->set_data(*auth_payload, auth_data);
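Review bot: `allocator_free_chunk(&preshared_secret)` hands the PSK buffer back to the heap without clearing it, so the shared secret remains in freed memory unless allocator_free_chunk wipes before freeing, which nothing here shows. Zeroize it first, e.g. `memset(preshared_secret.ptr, 0, preshared_secret.len);` immediately before the free, with a comment that a plain memset before free may be dead-store-eliminated and that a volatile-write wipe helper is the safer form; the same applies to the matching free added in verify_auth_data. compute_auth_data starts and ends outside this hunk.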
@@ -334,6 +353,7 @@ static status_t compute_auth_data (private_authenticator_t *this,
(*auth_payload)->set_auth_method(*auth_payload, RSA_DIGITAL_SIGNATURE);
(*auth_payload)->set_data(*auth_payload, auth_data);
+ private_key->destroy(private_key);
allocator_free_chunk(&auth_data);
return SUCCESS;
}
diff --git a/Source/charon/sa/ike_sa.c b/Source/charon/sa/ike_sa.c
index 6517c388c..c990e1dac 100644
--- a/Source/charon/sa/ike_sa.c
+++ b/Source/charon/sa/ike_sa.c
@@ -210,8 +210,8 @@ static status_t process_message (private_ike_sa_t *this, message_t *message)
is_request = message->get_request(message);
exchange_type = message->get_exchange_type(message);
- this->logger->log(this->logger, CONTROL, "Process %s message of exchange type %s",
- (is_request) ? "REQUEST" : "RESPONSE",mapping_find(exchange_type_m,exchange_type));
+ this->logger->log(this->logger, CONTROL|LEVEL1, "Process %s of exchange type %s",
+ (is_request) ? "request" : "response",mapping_find(exchange_type_m,exchange_type));
message_id = message->get_message_id(message);
@@ -966,53 +966,61 @@ static void destroy (private_ike_sa_t *this)
/* inform other peer of delete */
send_delete_ike_sa_request(this);
-
while (this->child_sas->remove_last(this->child_sas, (void**)&child_sa) == SUCCESS)
{
child_sa->destroy(child_sa);
}
this->child_sas->destroy(this->child_sas);
- if (this->crypter_initiator != NULL)
+
+ if (this->crypter_initiator)
{
this->crypter_initiator->destroy(this->crypter_initiator);
}
- if (this->crypter_responder != NULL)
+ if (this->crypter_responder)
{
this->crypter_responder->destroy(this->crypter_responder);
}
- if (this->signer_initiator != NULL)
+ if (this->signer_initiator)
{
this->signer_initiator->destroy(this->signer_initiator);
}
- if (this->signer_responder != NULL)
+ if (this->signer_responder)
{
this->signer_responder->destroy(this->signer_responder);
}
- if (this->prf != NULL)
+ if (this->prf)
{
this->prf->destroy(this->prf);
}
- if (this->child_prf != NULL)
+ if (this->child_prf)
{
this->child_prf->destroy(this->child_prf);
}
- if (this->prf_auth_i != NULL)
+ if (this->prf_auth_i)
{
this->prf_auth_i->destroy(this->prf_auth_i);
}
- if (this->prf_auth_r != NULL)
+ if (this->prf_auth_r)
{
this->prf_auth_r->destroy(this->prf_auth_r);
}
- this->ike_sa_id->destroy(this->ike_sa_id);
- if (this->last_requested_message != NULL)
+ if (this->connection)
+ {
+ this->connection->destroy(this->connection);
+ }
+ if (this->policy)
+ {
+ this->policy->destroy(this->policy);
+ }
+ if (this->last_requested_message)
{
this->last_requested_message->destroy(this->last_requested_message);
}
- if (this->last_responded_message != NULL)
+ if (this->last_responded_message)
{
this->last_responded_message->destroy(this->last_responded_message);
}
+ this->ike_sa_id->destroy(this->ike_sa_id);
this->randomizer->destroy(this->randomizer);
this->current_state->destroy(this->current_state);
charon->logger_manager->destroy_logger(charon->logger_manager, this->logger);
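Review bot: `destroy` now releases `this->policy`, but that pointer is handed in by ike_sa_init_responded via `set_policy` (visible in the last hunk of this diff), and nothing in this hunk shows whether that state also destroys its own `this->policy` reference; if it does, this is a double free, and if it does not, the commit closes a leak, so the ownership rule deserves a comment on the field, e.g. `/* connection and policy are owned by the ike_sa once set; states must not destroy them */`. A `static` pre-condition that `this->ike_sa_id`, `this->randomizer` and `this->current_state` are never NULL is also assumed by the unconditional destroys at the end and is worth stating in the function header. destroy begins outside this hunk.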
diff --git a/Source/charon/sa/states/ike_auth_requested.c b/Source/charon/sa/states/ike_auth_requested.c
index c80b7f72a..3fedf431c 100644
--- a/Source/charon/sa/states/ike_auth_requested.c
+++ b/Source/charon/sa/states/ike_auth_requested.c
@@ -352,16 +352,17 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *i
}
this->ike_sa->set_last_replied_message_id(this->ike_sa,ike_auth_reply->get_message_id(ike_auth_reply));
+
/* create new state */
+ this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa));
+ this->destroy_after_state_change(this);
+
connection = this->ike_sa->get_connection(this->ike_sa);
my_host = connection->get_my_host(connection);
other_host = connection->get_other_host(connection);
- this->logger->log(this->logger, AUDIT, "IKE_SA established between %s - %s, authenticated peer with %s",
- my_host->get_address(my_host), other_host->get_address(other_host),
- mapping_find(auth_method_m, auth_payload->get_auth_method(auth_payload)));
-
- this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa));
- this->destroy_after_state_change(this);
+ this->logger->log(this->logger, AUDIT, "IKE_SA established between %s - %s",
+ my_host->get_address(my_host), other_host->get_address(other_host));
+
return SUCCESS;
}
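Review bot: `this->destroy_after_state_change(this)` is now called before `this->ike_sa->get_connection(...)` and `this->logger->log(...)`; if that helper frees the state object, as its name suggests (its body is outside this diff), the three dereferences of `this` that follow read freed memory, which the ordering the commit removed (log first, then change state) avoided. Restore that order by moving the two lines `this->ike_sa->set_new_state(...)` and `this->destroy_after_state_change(this);` back after the AUDIT log, or copy `this->ike_sa` and `this->logger` into locals before the state change and use only those afterwards. The rewritten AUDIT line also drops the "authenticated peer with %s" part, so the audit trail no longer records the authentication method for the established IKE_SA. process_message begins outside this hunk.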
diff --git a/Source/charon/sa/states/ike_sa_init_requested.c b/Source/charon/sa/states/ike_sa_init_requested.c
index 5e641f9b3..0c4b6b690 100644
--- a/Source/charon/sa/states/ike_sa_init_requested.c
+++ b/Source/charon/sa/states/ike_sa_init_requested.c
@@ -215,6 +215,7 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
iterator_t *payloads;
host_t *me;
connection_t *connection;
+ policy_t *policy;
message_t *request;
status_t status;
@@ -344,6 +345,8 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
connection = this->ike_sa->get_connection(this->ike_sa);
me = ike_sa_init_reply->get_destination(ike_sa_init_reply);
connection->update_my_host(connection, me->clone(me));
+ policy = this->ike_sa->get_policy(this->ike_sa);
+ policy->update_my_ts(policy, me);
/* build empty message */
this->ike_sa->build_message(this->ike_sa, IKE_AUTH, TRUE, &request);
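Review bot: `policy->update_my_ts(policy, me)` receives the raw `me` host taken from the reply message, while `update_my_host` on the line above is given `me->clone(me)`; if update_my_ts stores the host rather than copying its address out, the stored pointer dangles once ike_sa_init_reply is destroyed. Either pass a clone as well or confirm update_my_ts copies, and record that in a comment: `/* update_my_ts copies the address; me stays owned by the reply message */`. `get_policy` is also dereferenced without a NULL check; presumably the initiator always has a policy at this point, but that assumption is not visible here. process_message begins outside this hunk.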
diff --git a/Source/charon/sa/states/ike_sa_init_responded.c b/Source/charon/sa/states/ike_sa_init_responded.c
index 8c93e3275..751f13517 100644
--- a/Source/charon/sa/states/ike_sa_init_responded.c
+++ b/Source/charon/sa/states/ike_sa_init_responded.c
@@ -247,10 +247,9 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
sa_request = (sa_payload_t*)payload;
break;
}
-
case TRAFFIC_SELECTOR_INITIATOR:
{
- tsi_request = (ts_payload_t*)payload;
+ tsi_request = (ts_payload_t*)payload;
break;
}
case TRAFFIC_SELECTOR_RESPONDER:
@@ -360,16 +359,15 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
}
- /* create new state */
+ /* create new state */
+ this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa));
+ this->destroy_after_state_change(this);
+
connection = this->ike_sa->get_connection(this->ike_sa);
my_host = connection->get_my_host(connection);
other_host = connection->get_other_host(connection);
- this->logger->log(this->logger, AUDIT, "IKE_SA established between %s - %s, authenticated peer with %s",
- my_host->get_address(my_host), other_host->get_address(other_host),
- mapping_find(auth_method_m, auth_request->get_auth_method(auth_request)));
-
- this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa));
- this->destroy_after_state_change(this);
+ this->logger->log(this->logger, AUDIT, "IKE_SA established between %s - %s",
+ my_host->get_address(my_host), other_host->get_address(other_host));
return SUCCESS;
}
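Review bot: As in ike_auth_requested.c, `this->destroy_after_state_change(this)` now runs before `this->ike_sa->get_connection(...)` and `this->logger->log(...)`, so if that helper frees the state object the following uses of `this` are a use-after-free; the order the commit removed logged first and changed state last. Move `this->ike_sa->set_new_state(...)` and `this->destroy_after_state_change(this);` back after the AUDIT log, or capture `this->ike_sa` and `this->logger` in locals before the state change. The AUDIT line also no longer names the authentication method used for the peer. process_message begins outside this hunk.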
@@ -396,13 +394,13 @@ static status_t build_idr_payload(private_ike_sa_init_responded_t *this, id_payl
{
if (my_id)
{
- this->logger->log(this->logger, AUDIT, "IKE_AUTH request uses IDs %s to %s, which we have no policy for",
+ this->logger->log(this->logger, AUDIT, "We don't have a policy for IDs %s - %s. Deleting IKE_SA",
other_id->get_string(other_id),my_id->get_string(my_id));
my_id->destroy(my_id);
}
else
{
- this->logger->log(this->logger, AUDIT, "IKE_AUTH request uses ID %s, which we have no policy for",
+ this->logger->log(this->logger, AUDIT, "We don't have a policy for remote ID %s. Deleting IKE_SA",
other_id->get_string(other_id));
}
other_id->destroy(other_id);
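Review bot: Both AUDIT lines write `other_id->get_string(other_id)` straight into the log, and at this point other_id comes from the peer's IDi payload and has not been authenticated; if get_string does not render control characters safely, a peer can inject newlines or terminal escapes into the audit trail. Worth confirming get_string sanitizes its output, or noting the expectation at the call site: `/* other_id is peer-supplied and unauthenticated; get_string() must return only printable characters */`. build_idr_payload begins outside this hunk.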
@@ -416,7 +414,10 @@ static status_t build_idr_payload(private_ike_sa_init_responded_t *this, id_payl
other_id->destroy(other_id);
/* get my id, if not requested */
- my_id = this->policy->get_my_id(this->policy);
+ my_id = this->policy->get_my_id(this->policy);
+
+ /* update others traffic selectors with actually used address */
+ this->policy->update_other_ts(this->policy, response->get_destination(response));
/* set policy in ike_sa for other states */
this->ike_sa->set_policy(this->ike_sa, this->policy);
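Review bot: `this->policy->update_other_ts(this->policy, response->get_destination(response))` passes a host owned by the response message; if update_other_ts retains the pointer instead of copying the address, it dangles once the message is freed, so either pass a clone (the initiator-side `update_my_host` call in this commit clones) or document that update_other_ts copies. The line after hands `this->policy` to the ike_sa, whose `destroy` in this same commit now frees the policy; if this state also releases `this->policy` on its own teardown that is a double free, so add `/* ownership of policy passes to the ike_sa here; do not destroy it in this state */` above the set_policy call. build_idr_payload continues beyond this hunk.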