Diffstat (limited to 'Source/charon/sa')
-rw-r--r-- | Source/charon/sa/authenticator.c | 28 | ||||
-rw-r--r-- | Source/charon/sa/ike_sa.c | 36 | ||||
-rw-r--r-- | Source/charon/sa/states/ike_auth_requested.c | 13 | ||||
-rw-r--r-- | Source/charon/sa/states/ike_sa_init_requested.c | 3 | ||||
-rw-r--r-- | Source/charon/sa/states/ike_sa_init_responded.c | 25 |
5 files changed, 69 insertions, 36 deletions
diff --git a/Source/charon/sa/authenticator.c b/Source/charon/sa/authenticator.c
index d735b633e..8b96246ac 100644
--- a/Source/charon/sa/authenticator.c
+++ b/Source/charon/sa/authenticator.c
@@ -206,9 +206,9 @@ static status_t verify_auth_data (private_authenticator_t *this,
 status = charon->credentials->get_shared_secret(charon->credentials, other_id, &preshared_secret);
- other_id->destroy(other_id);
 if (status != SUCCESS)
 {
+ other_id->destroy(other_id);
 return status;
 }
@@ -218,20 +218,26 @@ static status_t verify_auth_data (private_authenticator_t *this,
 other_id_payload, initiator, preshared_secret);
+ allocator_free_chunk(&preshared_secret);
 if (auth_data.len != my_auth_data.len)
 {
 allocator_free_chunk(&my_auth_data);
- return FAILED;
+ status = FAILED;
 }
- if (memcmp(auth_data.ptr,my_auth_data.ptr, my_auth_data.len) == 0)
+ else if (memcmp(auth_data.ptr,my_auth_data.ptr, my_auth_data.len) == 0)
 {
+ this->logger->log(this->logger, CONTROL, "Authentication of %s with preshared secret successful",
+ other_id->get_string(other_id));
 status = SUCCESS;
 }
 else
 {
+ this->logger->log(this->logger, CONTROL, "Authentication of %s with preshared secret failed",
+ other_id->get_string(other_id));
 status = FAILED;
 }
+ other_id->destroy(other_id);
 allocator_free_chunk(&my_auth_data);
 return status;
 }
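Review bot: In the @@ -218 hunk of verify_auth_data, the length-mismatch branch keeps its own `allocator_free_chunk(&my_auth_data);` and then falls through to the new common `allocator_free_chunk(&my_auth_data);` before `return status;`, so my_auth_data is released twice on that path unless allocator_free_chunk resets the chunk it is handed (it takes the chunk's address, so it may — worth confirming); the simplest fix is to delete the free inside the `if` block. The preshared secret is now released with `allocator_free_chunk(&preshared_secret);` here and in the @@ -300 hunk of compute_auth_data; key material should be wiped before the buffer is freed if that helper does not already do so. Separately, `memcmp` on the two AUTH values stops at the first differing byte, so its timing depends on how much of the peer's value matched; a comparison that always walks the full length is preferable for authenticator data. The function body continues outside the hunk.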
@@ -247,16 +253,28 @@ static status_t verify_auth_data (private_authenticator_t *this,
 status = charon->credentials->get_rsa_public_key(charon->credentials, other_id, &public_key);
- other_id->destroy(other_id);
 if (status != SUCCESS)
 {
+ other_id->destroy(other_id);
 return status;
 }
 octets = this->allocate_octets(this,last_received_packet, my_nonce,other_id_payload, initiator);
 status = public_key->verify_emsa_pkcs1_signature(public_key, octets, auth_data);
+ if (status == SUCCESS)
+ {
+ this->logger->log(this->logger, CONTROL, "Authentication of %s with RSA successful",
+ other_id->get_string(other_id));
+ }
+ else
+ {
+ this->logger->log(this->logger, CONTROL, "Authentication of %s with RSA failed",
+ other_id->get_string(other_id));
+ }
+ public_key->destroy(public_key);
+ other_id->destroy(other_id);
 allocator_free_chunk(&octets);
 return status;
 }
@@ -300,6 +318,7 @@ static status_t compute_auth_data (private_authenticator_t *this,
 auth_data = this->build_preshared_secret_signature(this, last_sent_packet, other_nonce, my_id_payload, initiator, preshared_secret);
+ allocator_free_chunk(&preshared_secret);
 *auth_payload = auth_payload_create();
 (*auth_payload)->set_auth_method(*auth_payload, SHARED_KEY_MESSAGE_INTEGRITY_CODE);
 (*auth_payload)->set_data(*auth_payload, auth_data);
@@ -334,6 +353,7 @@ static status_t compute_auth_data (private_authenticator_t *this,
 (*auth_payload)->set_auth_method(*auth_payload, RSA_DIGITAL_SIGNATURE);
 (*auth_payload)->set_data(*auth_payload, auth_data);
+ private_key->destroy(private_key);
 allocator_free_chunk(&auth_data);
 return SUCCESS;
 }
diff --git a/Source/charon/sa/ike_sa.c b/Source/charon/sa/ike_sa.c
index 6517c388c..c990e1dac 100644
--- a/Source/charon/sa/ike_sa.c
+++ b/Source/charon/sa/ike_sa.c
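Review bot: In the @@ -247 hunk of verify_auth_data, the failed-verification branch logs `"Authentication of %s with RSA failed"` at CONTROL, whereas the policy-lookup failures in ike_sa_init_responded.c go to AUDIT; a failed peer authentication is the event an operator most needs to see, so the failure branches here and in the preshared-secret hunk would fit AUDIT better. The `%s` in both messages is `other_id->get_string(other_id)`, an identity the peer supplied and that has just failed to authenticate, which is fine provided get_string returns a bounded, printable rendering (its implementation is not visible here); if it does not, the log sink should escape it. The function body continues outside the hunk.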
@@ -210,8 +210,8 @@ static status_t process_message (private_ike_sa_t *this, message_t *message)
 is_request = message->get_request(message);
 exchange_type = message->get_exchange_type(message);
- this->logger->log(this->logger, CONTROL, "Process %s message of exchange type %s",
- (is_request) ? "REQUEST" : "RESPONSE",mapping_find(exchange_type_m,exchange_type));
+ this->logger->log(this->logger, CONTROL|LEVEL1, "Process %s of exchange type %s",
+ (is_request) ? "request" : "response",mapping_find(exchange_type_m,exchange_type));
 message_id = message->get_message_id(message);
@@ -966,53 +966,61 @@ static void destroy (private_ike_sa_t *this)
 /* inform other peer of delete */
 send_delete_ike_sa_request(this);
-
 while (this->child_sas->remove_last(this->child_sas, (void**)&child_sa) == SUCCESS)
 {
 child_sa->destroy(child_sa);
 }
 this->child_sas->destroy(this->child_sas);
- if (this->crypter_initiator != NULL)
+
+ if (this->crypter_initiator)
 {
 this->crypter_initiator->destroy(this->crypter_initiator);
 }
- if (this->crypter_responder != NULL)
+ if (this->crypter_responder)
 {
 this->crypter_responder->destroy(this->crypter_responder);
 }
- if (this->signer_initiator != NULL)
+ if (this->signer_initiator)
 {
 this->signer_initiator->destroy(this->signer_initiator);
 }
- if (this->signer_responder != NULL)
+ if (this->signer_responder)
 {
 this->signer_responder->destroy(this->signer_responder);
 }
- if (this->prf != NULL)
+ if (this->prf)
 {
 this->prf->destroy(this->prf);
 }
- if (this->child_prf != NULL)
+ if (this->child_prf)
 {
 this->child_prf->destroy(this->child_prf);
 }
- if (this->prf_auth_i != NULL)
+ if (this->prf_auth_i)
 {
 this->prf_auth_i->destroy(this->prf_auth_i);
 }
- if (this->prf_auth_r != NULL)
+ if (this->prf_auth_r)
 {
 this->prf_auth_r->destroy(this->prf_auth_r);
 }
- this->ike_sa_id->destroy(this->ike_sa_id);
- if (this->last_requested_message != NULL)
+ if (this->connection)
+ {
+ this->connection->destroy(this->connection);
+ }
+ if (this->policy)
+ {
+ this->policy->destroy(this->policy);
+ }
+ if (this->last_requested_message)
 {
 this->last_requested_message->destroy(this->last_requested_message);
 }
- if (this->last_responded_message != NULL)
+ if (this->last_responded_message)
 {
 this->last_responded_message->destroy(this->last_responded_message);
 }
+ this->ike_sa_id->destroy(this->ike_sa_id);
 this->randomizer->destroy(this->randomizer);
 this->current_state->destroy(this->current_state);
 charon->logger_manager->destroy_logger(charon->logger_manager, this->logger);
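Review bot: destroy() now releases `this->connection` and `this->policy`, which makes the IKE_SA the owner of both objects, but nothing in the diff documents that handover; the @@ -416 hunk of ike_sa_init_responded.c build_idr_payload still holds its own `this->policy` after `this->ike_sa->set_policy(this->ike_sa, this->policy);`, so if that state's destroy also releases the policy the result is a double free. Suggest stating the contract on set_policy and the corresponding connection setter in the header, e.g. `/* ike_sa takes ownership of policy; the caller must not destroy it */`, noting that get_policy/get_connection return borrowed pointers, and checking that no state frees what it hands over. Only the middle of destroy() is visible in the hunk.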
diff --git a/Source/charon/sa/states/ike_auth_requested.c b/Source/charon/sa/states/ike_auth_requested.c
index c80b7f72a..3fedf431c 100644
--- a/Source/charon/sa/states/ike_auth_requested.c
+++ b/Source/charon/sa/states/ike_auth_requested.c
@@ -352,16 +352,17 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *i
 }
 this->ike_sa->set_last_replied_message_id(this->ike_sa,ike_auth_reply->get_message_id(ike_auth_reply));
+ /* create new state */
+ this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa));
+ this->destroy_after_state_change(this);
+
 connection = this->ike_sa->get_connection(this->ike_sa);
 my_host = connection->get_my_host(connection);
 other_host = connection->get_other_host(connection);
- this->logger->log(this->logger, AUDIT, "IKE_SA established between %s - %s, authenticated peer with %s",
- my_host->get_address(my_host), other_host->get_address(other_host),
- mapping_find(auth_method_m, auth_payload->get_auth_method(auth_payload)));
-
- this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa));
- this->destroy_after_state_change(this);
+ this->logger->log(this->logger, AUDIT, "IKE_SA established between %s - %s",
+ my_host->get_address(my_host), other_host->get_address(other_host));
+
 return SUCCESS;
 }
diff --git a/Source/charon/sa/states/ike_sa_init_requested.c b/Source/charon/sa/states/ike_sa_init_requested.c
index 5e641f9b3..0c4b6b690 100644
--- a/Source/charon/sa/states/ike_sa_init_requested.c
+++ b/Source/charon/sa/states/ike_sa_init_requested.c
@@ -215,6 +215,7 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
 iterator_t *payloads;
 host_t *me;
 connection_t *connection;
+ policy_t *policy;
 message_t *request;
 status_t status;
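Review bot: In the @@ -352 hunk of ike_auth_requested.c process_message, `this->destroy_after_state_change(this);` now runs before `connection = this->ike_sa->get_connection(this->ike_sa);` and the AUDIT `this->logger->log(...)` call; if that method frees the state object, as its name and its former position as the last statement suggest, the lines that follow read `this` after it has been released. The same reordering appears in the @@ -360 hunk of ike_sa_init_responded.c process_message. Either keep `set_new_state` and `destroy_after_state_change` as the final two statements, as before, or copy `this->ike_sa` and `this->logger` into locals before the call and log through those. The function starts outside the hunk.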
@@ -344,6 +345,8 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
 connection = this->ike_sa->get_connection(this->ike_sa);
 me = ike_sa_init_reply->get_destination(ike_sa_init_reply);
 connection->update_my_host(connection, me->clone(me));
+ policy = this->ike_sa->get_policy(this->ike_sa);
+ policy->update_my_ts(policy, me);
 /* build empty message */
 this->ike_sa->build_message(this->ike_sa, IKE_AUTH, TRUE, &request);
diff --git a/Source/charon/sa/states/ike_sa_init_responded.c b/Source/charon/sa/states/ike_sa_init_responded.c
index 8c93e3275..751f13517 100644
--- a/Source/charon/sa/states/ike_sa_init_responded.c
+++ b/Source/charon/sa/states/ike_sa_init_responded.c
@@ -247,10 +247,9 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
 sa_request = (sa_payload_t*)payload;
 break;
 }
-
 case TRAFFIC_SELECTOR_INITIATOR:
 {
- tsi_request = (ts_payload_t*)payload;
+ tsi_request = (ts_payload_t*)payload;
 break;
 }
 case TRAFFIC_SELECTOR_RESPONDER:
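Review bot: In the @@ -344 hunk of ike_sa_init_requested.c process_message, `connection->update_my_host(connection, me->clone(me));` hands the connection a clone, but the new `policy->update_my_ts(policy, me);` passes `me` itself, a host owned by ike_sa_init_reply; if update_my_ts stores the pointer rather than copying the address, it dangles once the reply message is destroyed. The @@ -416 hunk of ike_sa_init_responded.c build_idr_payload has the same shape with `response->get_destination(response)`. Confirm that update_my_ts/update_other_ts copy the address, or pass a clone as update_my_host does; `policy` is also dereferenced without a NULL check, so get_policy must be guaranteed non-NULL in this state. The function body continues outside the hunk.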
@@ -360,16 +359,15 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
 this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
 }
- /* create new state */
+ /* create new state */
+ this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa));
+ this->destroy_after_state_change(this);
+
 connection = this->ike_sa->get_connection(this->ike_sa);
 my_host = connection->get_my_host(connection);
 other_host = connection->get_other_host(connection);
- this->logger->log(this->logger, AUDIT, "IKE_SA established between %s - %s, authenticated peer with %s",
- my_host->get_address(my_host), other_host->get_address(other_host),
- mapping_find(auth_method_m, auth_request->get_auth_method(auth_request)));
-
- this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa));
- this->destroy_after_state_change(this);
+ this->logger->log(this->logger, AUDIT, "IKE_SA established between %s - %s",
+ my_host->get_address(my_host), other_host->get_address(other_host));
 return SUCCESS;
 }
@@ -396,13 +394,13 @@ static status_t build_idr_payload(private_ike_sa_init_responded_t *this, id_payl
 {
 if (my_id)
 {
- this->logger->log(this->logger, AUDIT, "IKE_AUTH request uses IDs %s to %s, which we have no policy for",
+ this->logger->log(this->logger, AUDIT, "We don't have a policy for IDs %s - %s. Deleting IKE_SA",
 other_id->get_string(other_id),my_id->get_string(my_id));
 my_id->destroy(my_id);
 }
 else
 {
- this->logger->log(this->logger, AUDIT, "IKE_AUTH request uses ID %s, which we have no policy for",
+ this->logger->log(this->logger, AUDIT, "We don't have a policy for remote ID %s. Deleting IKE_SA",
 other_id->get_string(other_id));
 }
 other_id->destroy(other_id);
@@ -416,7 +414,10 @@ static status_t build_idr_payload(private_ike_sa_init_responded_t *this, id_payl
 other_id->destroy(other_id);
 /* get my id, if not requested */
- my_id = this->policy->get_my_id(this->policy);
+ my_id = this->policy->get_my_id(this->policy);
+
+ /* update others traffic selectors with actually used address */
+ this->policy->update_other_ts(this->policy, response->get_destination(response));
 /* set policy in ike_sa for other states */
 this->ike_sa->set_policy(this->ike_sa, this->policy);