Diffstat (limited to 'Source/charon/sa')
-rw-r--r--Source/charon/sa/authenticator.c19
-rw-r--r--Source/charon/sa/child_sa.c30
-rw-r--r--Source/charon/sa/ike_sa.c15
-rw-r--r--Source/charon/sa/ike_sa_manager.c5
-rw-r--r--Source/charon/sa/states/ike_auth_requested.c11
-rw-r--r--Source/charon/sa/states/ike_sa_established.c2
-rw-r--r--Source/charon/sa/states/ike_sa_init_requested.c37
-rw-r--r--Source/charon/sa/states/ike_sa_init_responded.c5
-rw-r--r--Source/charon/sa/states/responder_init.c9
9 files changed, 55 insertions, 78 deletions
diff --git a/Source/charon/sa/authenticator.c b/Source/charon/sa/authenticator.c
index 8b96246ac..92dee5c62 100644
--- a/Source/charon/sa/authenticator.c
+++ b/Source/charon/sa/authenticator.c
@@ -125,9 +125,6 @@ static chunk_t allocate_octets(private_authenticator_t *this,
chunk_t octets;
id_with_header[0] = my_id->get_id_type(my_id);
- /* TODO:
- * Reserved bytes are not in any case zero.
- */
id_with_header[1] = 0x00;
id_with_header[2] = 0x00;
id_with_header[3] = 0x00;
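Review bot: Dropping the TODO leaves the three zeroed reserved bytes at the new lines undocumented, and the reason the TODO existed still applies: the header is rebuilt from the parsed identification rather than taken from the bytes on the wire, so if allocate_octets is also used for the peer's ID and that peer sent non-zero reserved bytes, the AUTH octets will not match and authentication fails. RFC 4306 §3.5 requires these bytes to be sent as zero, so that outcome is acceptable, but a reader should not have to rediscover it. I would replace the removed TODO with `/* RFC 4306 3.5: RESERVED MUST be sent as zero; we rebuild the header rather than reuse the received bytes, so a non-compliant peer fails AUTH here */`. allocate_octets starts and ends outside this hunk, so whether it handles the peer's ID is inferred, not visible.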
@@ -213,11 +210,11 @@ static status_t verify_auth_data (private_authenticator_t *this,
}
chunk_t my_auth_data = this->build_preshared_secret_signature(this,
- last_received_packet,
- my_nonce,
- other_id_payload,
- initiator,
- preshared_secret);
+ last_received_packet,
+ my_nonce,
+ other_id_payload,
+ initiator,
+ preshared_secret);
allocator_free_chunk(&preshared_secret);
if (auth_data.len != my_auth_data.len)
@@ -251,8 +248,8 @@ static status_t verify_auth_data (private_authenticator_t *this,
auth_data = auth_payload->get_data(auth_payload);
status = charon->credentials->get_rsa_public_key(charon->credentials,
- other_id,
- &public_key);
+ other_id,
+ &public_key);
if (status != SUCCESS)
{
other_id->destroy(other_id);
@@ -393,5 +390,5 @@ authenticator_t *authenticator_create(protected_ike_sa_t *ike_sa)
this->prf = this->ike_sa->get_prf(this->ike_sa);
this->logger = this->ike_sa->get_logger(this->ike_sa);
- return &(this->public);
+ return &(this->public);
}
diff --git a/Source/charon/sa/child_sa.c b/Source/charon/sa/child_sa.c
index 64257b34b..7f19f87e6 100644
--- a/Source/charon/sa/child_sa.c
+++ b/Source/charon/sa/child_sa.c
@@ -142,7 +142,7 @@ static status_t alloc(private_child_sa_t *this, linked_list_t *proposals)
{
switch (protocols[i])
{
- case AH:
+ case PROTO_AH:
/* do we already have an spi for AH?*/
if (this->my_ah_spi == 0)
{
@@ -150,13 +150,13 @@ static status_t alloc(private_child_sa_t *this, linked_list_t *proposals)
status = charon->kernel_interface->get_spi(
charon->kernel_interface,
this->me, this->other,
- AH, FALSE,
+ PROTO_AH, FALSE,
&(this->my_ah_spi));
}
/* update proposal */
- proposal->set_spi(proposal, AH, (u_int64_t)this->my_ah_spi);
+ proposal->set_spi(proposal, PROTO_AH, (u_int64_t)this->my_ah_spi);
break;
- case ESP:
+ case PROTO_ESP:
/* do we already have an spi for ESP?*/
if (this->my_esp_spi == 0)
{
@@ -164,11 +164,11 @@ static status_t alloc(private_child_sa_t *this, linked_list_t *proposals)
status = charon->kernel_interface->get_spi(
charon->kernel_interface,
this->me, this->other,
- ESP, FALSE,
+ PROTO_ESP, FALSE,
&(this->my_esp_spi));
}
/* update proposal */
- proposal->set_spi(proposal, ESP, (u_int64_t)this->my_esp_spi);
+ proposal->set_spi(proposal, PROTO_ESP, (u_int64_t)this->my_esp_spi);
break;
default:
break;
@@ -216,14 +216,14 @@ static status_t install(private_child_sa_t *this, proposal_t *proposal, prf_plus
/* derive keys in order as protocols appear */
for (i = 0; i<2; i++)
{
- if (protocols[i] != UNDEFINED_PROTOCOL_ID)
+ if (protocols[i] != PROTO_NONE)
{
/* now we have to decide which spi to use. Use self allocated, if "mine",
* or the one in the proposal, if not "mine" (others). */
if (mine)
{
- if (protocols[i] == AH)
+ if (protocols[i] == PROTO_AH)
{
spi = this->my_ah_spi;
}
@@ -235,7 +235,7 @@ static status_t install(private_child_sa_t *this, proposal_t *proposal, prf_plus
else /* use proposals spi */
{
spi = proposal->get_spi(proposal, protocols[i]);
- if (protocols[i] == AH)
+ if (protocols[i] == PROTO_AH)
{
this->other_ah_spi = spi;
}
@@ -499,19 +499,17 @@ static void destroy(private_child_sa_t *this)
if (this->my_ah_spi)
{
charon->kernel_interface->del_sa(charon->kernel_interface,
- this->other, this->my_ah_spi, AH);
+ this->other, this->my_ah_spi, PROTO_AH);
charon->kernel_interface->del_sa(charon->kernel_interface,
- this->me, this->other_ah_spi, AH);
+ this->me, this->other_ah_spi, PROTO_AH);
}
if (this->my_esp_spi)
{
charon->kernel_interface->del_sa(charon->kernel_interface,
- this->other, this->my_esp_spi, ESP);
+ this->other, this->my_esp_spi, PROTO_ESP);
charon->kernel_interface->del_sa(charon->kernel_interface,
- this->me, this->other_esp_spi, ESP);
+ this->me, this->other_esp_spi, PROTO_ESP);
}
-
- charon->logger_manager->destroy_logger(charon->logger_manager, this->logger);
allocator_free(this);
}
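Review bot: The second del_sa in each renamed pair is guarded only by `this->my_ah_spi` / `this->my_esp_spi`, yet `other_ah_spi` is assigned in install() (visible at the hunk above) while `my_ah_spi` is assigned in alloc(), so a CHILD_SA that was allocated but never installed reaches del_sa with SPI 0 for the inbound direction. Unless the kernel interface is known to tolerate an SPI of 0, guard the peer-side call separately, e.g. `if (this->other_ah_spi)` before the `this->me, this->other_ah_spi, PROTO_AH` call and likewise for ESP. The switch from destroy_logger to the shared get_logger at the end of the file is consistent with the matching hunks in ike_sa.c and ike_sa_manager.c.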
@@ -531,7 +529,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other)
this->public.destroy = (void(*)(child_sa_t*))destroy;
/* private data */
- this->logger = charon->logger_manager->create_logger(charon->logger_manager, CHILD_SA, NULL);
+ this->logger = charon->logger_manager->get_logger(charon->logger_manager, CHILD_SA);
this->me = me;
this->other = other;
this->my_ah_spi = 0;
diff --git a/Source/charon/sa/ike_sa.c b/Source/charon/sa/ike_sa.c
index c990e1dac..622ea3402 100644
--- a/Source/charon/sa/ike_sa.c
+++ b/Source/charon/sa/ike_sa.c
@@ -321,7 +321,7 @@ static void send_delete_ike_sa_request (private_ike_sa_t *this)
this->protected.build_message(&(this->protected), INFORMATIONAL, TRUE, &informational_request);
delete_payload = delete_payload_create();
- delete_payload->set_protocol_id(delete_payload,IKE);
+ delete_payload->set_protocol_id(delete_payload, PROTO_IKE);
informational_request->add_payload(informational_request,(payload_t *)delete_payload);
@@ -502,7 +502,7 @@ static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal, d
{
this->prf->destroy(this->prf);
}
- proposal->get_algorithm(proposal, IKE, PSEUDO_RANDOM_FUNCTION, &algo);
+ proposal->get_algorithm(proposal, PROTO_IKE, PSEUDO_RANDOM_FUNCTION, &algo);
if (algo == NULL)
{
this->logger->log(this->logger, ERROR|LEVEL2, "No PRF algoithm selected!?");
@@ -568,7 +568,7 @@ static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal, d
/* SK_ai/SK_ar used for integrity protection */
- proposal->get_algorithm(proposal, IKE, INTEGRITY_ALGORITHM, &algo);
+ proposal->get_algorithm(proposal, PROTO_IKE, INTEGRITY_ALGORITHM, &algo);
if (algo == NULL)
{
this->logger->log(this->logger, ERROR|LEVEL2, "No integrity algoithm selected?!");
@@ -606,7 +606,7 @@ static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal, d
/* SK_ei/SK_er used for encryption */
- proposal->get_algorithm(proposal, IKE, ENCRYPTION_ALGORITHM, &algo);
+ proposal->get_algorithm(proposal, PROTO_IKE, ENCRYPTION_ALGORITHM, &algo);
if (algo == NULL)
{
this->logger->log(this->logger, ERROR|LEVEL2, "No encryption algoithm selected!?");
@@ -644,7 +644,7 @@ static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal, d
allocator_free_chunk(&key);
/* SK_pi/SK_pr used for authentication */
- proposal->get_algorithm(proposal, IKE, PSEUDO_RANDOM_FUNCTION, &algo);
+ proposal->get_algorithm(proposal, PROTO_IKE, PSEUDO_RANDOM_FUNCTION, &algo);
if (this->prf_auth_i != NULL)
{
this->prf_auth_i->destroy(this->prf_auth_i);
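Review bot: The renamed PRF lookup for SK_pi/SK_pr is the only one of the four get_algorithm calls in build_transforms that is not followed by an `if (algo == NULL)` guard, whereas the SK_d, SK_a and SK_e lookups above each reject a missing algorithm. It is probably safe because the same (PROTO_IKE, PSEUDO_RANDOM_FUNCTION) query already succeeded a few hunks earlier, but that dependency is silent; I would state it: `/* same PRF as SK_d above; a NULL result was already rejected there */`. build_transforms continues past the end of this hunk, so the later use of algo is not visible here.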
@@ -861,7 +861,7 @@ static void send_notify(private_ike_sa_t *this, exchange_type_t exchange_type, n
this->logger->log(this->logger, CONTROL|LEVEL2, "Going to build message with notify payload");
/* set up the reply */
this->protected.build_message(&(this->protected), exchange_type, FALSE, &response);
- payload = notify_payload_create_from_protocol_and_type(IKE,type);
+ payload = notify_payload_create_from_protocol_and_type(PROTO_IKE, type);
if ((data.ptr != NULL) && (data.len > 0))
{
this->logger->log(this->logger, CONTROL|LEVEL2, "Add Data to notify payload");
@@ -1023,7 +1023,6 @@ static void destroy (private_ike_sa_t *this)
this->ike_sa_id->destroy(this->ike_sa_id);
this->randomizer->destroy(this->randomizer);
this->current_state->destroy(this->current_state);
- charon->logger_manager->destroy_logger(charon->logger_manager, this->logger);
allocator_free(this);
}
@@ -1076,7 +1075,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
this->resend_last_reply = resend_last_reply;
/* initialize private fields */
- this->logger = charon->logger_manager->create_logger(charon->logger_manager, IKE_SA, NULL);
+ this->logger = charon->logger_manager->get_logger(charon->logger_manager, IKE_SA);
this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
this->child_sas = linked_list_create();
diff --git a/Source/charon/sa/ike_sa_manager.c b/Source/charon/sa/ike_sa_manager.c
index 0eec8ea5d..ebb306a49 100644
--- a/Source/charon/sa/ike_sa_manager.c
+++ b/Source/charon/sa/ike_sa_manager.c
@@ -667,9 +667,6 @@ static void destroy(private_ike_sa_manager_t *this)
this->logger->log(this->logger,CONTROL | LEVEL2,"IKE_SA's deleted");
pthread_mutex_unlock(&(this->mutex));
- /* destroy logger at end */
- charon->logger_manager->destroy_logger(charon->logger_manager,this->logger);
-
allocator_free(this);
}
@@ -695,7 +692,7 @@ ike_sa_manager_t *ike_sa_manager_create()
this->delete_entry = delete_entry;
/* initialize private variables */
- this->logger = charon->logger_manager->create_logger(charon->logger_manager,IKE_SA_MANAGER,NULL);
+ this->logger = charon->logger_manager->get_logger(charon->logger_manager, IKE_SA_MANAGER);
this->ike_sa_list = linked_list_create();
diff --git a/Source/charon/sa/states/ike_auth_requested.c b/Source/charon/sa/states/ike_auth_requested.c
index 3fedf431c..eecfaab1e 100644
--- a/Source/charon/sa/states/ike_auth_requested.c
+++ b/Source/charon/sa/states/ike_auth_requested.c
@@ -512,15 +512,8 @@ static status_t process_notify_payload(private_ike_auth_requested_t *this, notif
{
notify_message_type_t notify_message_type = notify_payload->get_notify_message_type(notify_payload);
- this->logger->log(this->logger, CONTROL|LEVEL1, "Process notify type %s for protocol %s",
- mapping_find(notify_message_type_m, notify_message_type),
- mapping_find(protocol_id_m, notify_payload->get_protocol_id(notify_payload)));
-
- if (notify_payload->get_protocol_id(notify_payload) != IKE)
- {
- this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a notify for an invalid protocol. Deleting IKE_SA");
- return DELETE_ME;
- }
+ this->logger->log(this->logger, CONTROL|LEVEL1, "Process notify type %s",
+ mapping_find(notify_message_type_m, notify_message_type));
switch (notify_message_type)
{
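Review bot: Removing the protocol check also removes the protocol ID from the only log line in this function, so a notify that arrives with an AH or ESP protocol ID in the IKE_AUTH reply is now indistinguishable in the audit trail from an IKE-level one, even though the switch below presumably treats e.g. NO_PROPOSAL_CHOSEN as fatal to the IKE_SA. Keeping the second format argument costs nothing and aids triage: `"Process notify type %s for protocol %d", mapping_find(notify_message_type_m, notify_message_type), notify_payload->get_protocol_id(notify_payload)` (use the mapping if protocol_id_m still exists after the PROTO_* rename). If the intent is that CHILD_SA-scoped notifies get different handling, that should appear as a branch on the protocol ID rather than by dropping it. The switch body lies outside this hunk.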
diff --git a/Source/charon/sa/states/ike_sa_established.c b/Source/charon/sa/states/ike_sa_established.c
index 976ed7688..37b69c29c 100644
--- a/Source/charon/sa/states/ike_sa_established.c
+++ b/Source/charon/sa/states/ike_sa_established.c
@@ -151,7 +151,7 @@ static status_t process_message(private_ike_sa_established_t *this, message_t *m
if (delete_request)
{
- if (delete_request->get_protocol_id(delete_request) == IKE)
+ if (delete_request->get_protocol_id(delete_request) == PROTO_IKE)
{
this->logger->log(this->logger, AUDIT, "DELETE request for IKE_SA received");
response->destroy(response);
diff --git a/Source/charon/sa/states/ike_sa_init_requested.c b/Source/charon/sa/states/ike_sa_init_requested.c
index 0c4b6b690..904dadf05 100644
--- a/Source/charon/sa/states/ike_sa_init_requested.c
+++ b/Source/charon/sa/states/ike_sa_init_requested.c
@@ -294,8 +294,9 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
if (status != SUCCESS)
{
payloads->destroy(payloads);
- return status;
+ return status;
}
+ break;
}
default:
{
@@ -537,11 +538,6 @@ static status_t build_sa_payload (private_ike_sa_init_requested_t *this, message
return DELETE_ME;
}
- /* TODO:
- * Huston, we've got a problem here. Since SPIs are stored in
- * the proposal, and these proposals are shared across configs,
- * there may be some threading issues... fix it!
- */
sa_payload = sa_payload_create_from_proposal_list(proposal_list);
this->logger->log(this->logger, CONTROL|LEVEL2, "Add SA payload to message");
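Review bot: The TODO about SPIs being written into proposals shared across configurations is deleted, but nothing in this diff clones the list before sa_payload_create_from_proposal_list, and child_sa.c's alloc() in the same commit still calls `proposal->set_spi` on the proposals it is handed. If proposal_list here is still the configuration's own list, two concurrent IKE_SAs using the same config can overwrite each other's SPIs; the note should stay until the list is cloned per SA, e.g. `/* TODO: proposals are shared with the config; clone before alloc() writes SPIs */`. build_sa_payload starts before this hunk, so where proposal_list comes from is not visible.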
@@ -595,15 +591,9 @@ static status_t process_notify_payload(private_ike_sa_init_requested_t *this, no
{
notify_message_type_t notify_message_type = notify_payload->get_notify_message_type(notify_payload);
- this->logger->log(this->logger, CONTROL|LEVEL1, "Process notify type %s for protocol %s",
- mapping_find(notify_message_type_m, notify_message_type),
- mapping_find(protocol_id_m, notify_payload->get_protocol_id(notify_payload)));
-
- if (notify_payload->get_protocol_id(notify_payload) != IKE)
- {
- this->logger->log(this->logger, ERROR | LEVEL1, "Notify reply not for IKE protocol.");
- return FAILED;
- }
+ this->logger->log(this->logger, CONTROL|LEVEL1, "Process notify type %s",
+ mapping_find(notify_message_type_m, notify_message_type));
+
switch (notify_message_type)
{
case NO_PROPOSAL_CHOSEN:
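Review bot: This hunk drops the "not for IKE protocol" rejection, but the identical check survives in responder_init.c in the same commit, so the daemon now enforces the notify protocol ID in one state and ignores it in two others. Either behaviour can be argued for, but it should be one behaviour; if the goal is RFC 4306 §3.10 (notifies that do not concern an existing SA carry protocol 0 and the field MUST be ignored), then the responder_init.c check should go too, otherwise a short comment here saying why this state is lenient would help. The switch below continues beyond this hunk.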
@@ -620,16 +610,24 @@ static status_t process_notify_payload(private_ike_sa_init_requested_t *this, no
{
initiator_init_t *initiator_init_state;
chunk_t notify_data;
- diffie_hellman_group_t dh_group;
+ diffie_hellman_group_t dh_group, old_dh_group;
connection_t *connection;
+ connection = this->ike_sa->get_connection(this->ike_sa);
+ old_dh_group = connection->get_dh_group(connection);
notify_data = notify_payload->get_notification_data(notify_payload);
dh_group = ntohs(*((u_int16_t*)notify_data.ptr));
- this->logger->log(this->logger, ERROR|LEVEL1, "Peer wouldn't accept DH group, it requested %s!",
+ /* TODO:
+ * We are very restrictive here: If the other didn't accept
+ * our DH group, and we do not accept his offer, continuation
+ * is cancelled...
+ */
+
+ this->logger->log(this->logger, AUDIT, "Peer didn't accept %s, it requested %s!",
+ mapping_find(diffie_hellman_group_m, old_dh_group),
mapping_find(diffie_hellman_group_m, dh_group));
/* check if we can accept this dh group */
- connection = this->ike_sa->get_connection(this->ike_sa);
if (!connection->check_dh_group(connection, dh_group))
{
this->logger->log(this->logger, AUDIT,
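Review bot: The INVALID_KE_PAYLOAD branch reads two octets from `notify_data.ptr` via a `u_int16_t` cast without checking `notify_data.len`, and this is the unauthenticated IKE_SA_INIT reply, so a peer can send a zero-length notification and cause an out-of-bounds read (the cast is also an unaligned access on strict platforms). The reworked lines around it add old_dh_group and an AUDIT log but do not add the bound. I would check the length first and copy the value out with memcpy, returning the status this function's other error paths use (FAILED was the value the removed protocol check returned; the NO_PROPOSAL_CHOSEN branch is not visible here). The case block continues outside the hunk.
```c
notify_data = notify_payload->get_notification_data(notify_payload);
/* the DH group is the first two octets; the reply is unauthenticated, so bound the read */
if (notify_data.ptr == NULL || notify_data.len < sizeof(u_int16_t))
{
	this->logger->log(this->logger, AUDIT, "INVALID_KE_PAYLOAD notify too short, ignoring");
	return FAILED;
}
{
	u_int16_t dh_group_net;
	memcpy(&dh_group_net, notify_data.ptr, sizeof(dh_group_net));
	dh_group = ntohs(dh_group_net);
}
/* … unchanged: AUDIT log, check_dh_group, retry via initiator_init … */
```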
@@ -649,9 +647,6 @@ static status_t process_notify_payload(private_ike_sa_init_requested_t *this, no
this->ike_sa->set_new_state(this->ike_sa,(state_t *) initiator_init_state);
/* state has NOW changed :-) */
- this->logger->log(this->logger, CONTROL|LEVEL1, "Changed state of IKE_SA from %s to %s",
- mapping_find(ike_sa_state_m,INITIATOR_INIT), mapping_find(ike_sa_state_m,IKE_SA_INIT_REQUESTED));
-
this->logger->log(this->logger, CONTROL|LEVEL2, "Destroy old sate object");
this->logger->log(this->logger, CONTROL|LEVEL2, "Going to retry initialization of connection");
diff --git a/Source/charon/sa/states/ike_sa_init_responded.c b/Source/charon/sa/states/ike_sa_init_responded.c
index 751f13517..da3b68ce6 100644
--- a/Source/charon/sa/states/ike_sa_init_responded.c
+++ b/Source/charon/sa/states/ike_sa_init_responded.c
@@ -572,9 +572,8 @@ static status_t process_notify_payload(private_ike_sa_init_responded_t *this, no
{
notify_message_type_t notify_message_type = notify_payload->get_notify_message_type(notify_payload);
- this->logger->log(this->logger, CONTROL|LEVEL1, "Process notify type %s for protocol %s",
- mapping_find(notify_message_type_m, notify_message_type),
- mapping_find(protocol_id_m, notify_payload->get_protocol_id(notify_payload)));
+ this->logger->log(this->logger, CONTROL|LEVEL1, "Process notify type %s",
+ mapping_find(notify_message_type_m, notify_message_type));
switch (notify_message_type)
{
diff --git a/Source/charon/sa/states/responder_init.c b/Source/charon/sa/states/responder_init.c
index 6db0a662c..a1d951b5f 100644
--- a/Source/charon/sa/states/responder_init.c
+++ b/Source/charon/sa/states/responder_init.c
@@ -344,7 +344,7 @@ static status_t build_sa_payload(private_responder_init_t *this,sa_payload_t *sa
return DELETE_ME;
}
/* get selected DH group to force policy, this is very restrictive!? */
- this->proposal->get_algorithm(this->proposal, IKE, DIFFIE_HELLMAN_GROUP, &algo);
+ this->proposal->get_algorithm(this->proposal, PROTO_IKE, DIFFIE_HELLMAN_GROUP, &algo);
this->dh_group_number = algo->algorithm;
this->logger->log(this->logger, CONTROL | LEVEL2, "SA Payload processed");
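Review bot: The renamed get_algorithm call is immediately followed by `algo->algorithm` with no NULL check, whereas the equivalent lookups in ike_sa.c's build_transforms in this same commit all test `if (algo == NULL)` before use. Whether a selected IKE proposal can lack a DH group depends on how the proposal was matched and configured, which is outside this hunk, so guard it the same way: `if (algo == NULL) { this->logger->log(this->logger, ERROR, "No DH group in selected proposal"); return DELETE_ME; }` (DELETE_ME is what the preceding lines of build_sa_payload return on failure). build_sa_payload starts before this hunk.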
@@ -458,11 +458,10 @@ static status_t process_notify_payload(private_responder_init_t *this, notify_pa
{
notify_message_type_t notify_message_type = notify_payload->get_notify_message_type(notify_payload);
- this->logger->log(this->logger, CONTROL|LEVEL1, "Process notify type %s for protocol %s",
- mapping_find(notify_message_type_m, notify_message_type),
- mapping_find(protocol_id_m, notify_payload->get_protocol_id(notify_payload)));
+ this->logger->log(this->logger, CONTROL|LEVEL1, "Process notify type %s",
+ mapping_find(notify_message_type_m, notify_message_type));
- if (notify_payload->get_protocol_id(notify_payload) != IKE)
+ if (notify_payload->get_protocol_id(notify_payload) != PROTO_IKE)
{
this->logger->log(this->logger, ERROR | LEVEL1, "Notify reply not for IKE protocol.");
return FAILED;
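Review bot: The retained `!= PROTO_IKE` check rejects a notify whose protocol ID is 0, which is what RFC 4306 §3.10 requires for notifications that do not concern an existing SA (COOKIE, NAT_DETECTION_*, INVALID_KE_PAYLOAD) and says MUST be ignored on receipt, so a strictly compliant initiator would be refused in this state. It is also now the only state that keeps the check, since ike_sa_init_requested.c and ike_auth_requested.c drop it in this same commit. Either accept 0 as well, e.g. `if (protocol_id != PROTO_NONE && protocol_id != PROTO_IKE)`, or remove the check here for consistency, whichever matches the intent. process_notify_payload continues below the hunk.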