Diffstat (limited to 'Source/charon/sa')
-rw-r--r--Source/charon/sa/child_sa.c2
-rw-r--r--Source/charon/sa/ike_sa.c2
-rw-r--r--Source/charon/sa/states/ike_auth_requested.c28
-rw-r--r--Source/charon/sa/states/ike_sa_init_requested.c48
-rw-r--r--Source/charon/sa/states/ike_sa_init_responded.c34
5 files changed, 73 insertions, 41 deletions
diff --git a/Source/charon/sa/child_sa.c b/Source/charon/sa/child_sa.c
index 8871b73a1..a678ea9b8 100644
--- a/Source/charon/sa/child_sa.c
+++ b/Source/charon/sa/child_sa.c
@@ -479,7 +479,7 @@ static void log_status(private_child_sa_t *this, logger_t *logger, char* name)
{
logger = this->logger;
}
- logger->log(logger, CONTROL|LEVEL1, "\"%s\": protected with ESP (%x/%x), AH (%x,%x):",
+ logger->log(logger, CONTROL|LEVEL1, "\"%s\": protected with ESP (0x%x/0x%x), AH (0x%x,0x%x):",
name,
htonl(this->my_esp_spi), htonl(this->other_esp_spi),
htonl(this->my_ah_spi), htonl(this->other_ah_spi));
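Review bot: The new `0x%x` conversions are paired with `htonl()` results, which are `uint32_t`; that matches `unsigned int` on the usual targets, but the portable spelling is `"0x%" PRIx32` from `<inttypes.h>`. It is also not visible here whether the SPI fields are stored in host or network byte order, so a one-line comment on why `htonl()` is applied before printing — e.g. `/* SPIs are kept in network order; convert so the log shows the usual big-endian reading */`, adjusted to whatever the storage order actually is — would save the next reader a lookup. log_status continues past the end of the hunk.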
diff --git a/Source/charon/sa/ike_sa.c b/Source/charon/sa/ike_sa.c
index 99531d75e..6322eb8e9 100644
--- a/Source/charon/sa/ike_sa.c
+++ b/Source/charon/sa/ike_sa.c
@@ -1007,7 +1007,7 @@ static void log_status(private_ike_sa_t *this, logger_t *logger, char *name)
{
logger = this->logger;
}
- logger->log(logger, CONTROL|LEVEL1, "\"%s\": IKE_SA in state %s, SPIs: %llx %llx",
+ logger->log(logger, CONTROL|LEVEL1, "\"%s\": IKE_SA in state %s, SPIs: 0x%.16llx 0x%.16llx",
name,
mapping_find(ike_sa_state_m, this->current_state->get_state(this->current_state)),
this->ike_sa_id->get_initiator_spi(this->ike_sa_id),
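Review bot: `%.16llx` requires an `unsigned long long` argument, and the hunk does not show the return type of `get_initiator_spi()`; if it is a 64-bit typedef that resolves to `unsigned long` on LP64 platforms, the specifier and argument types differ, which is undefined behaviour and what `-Wformat` warns about. The portable form is `"0x%.16" PRIx64` with the argument typed as `uint64_t`. The log call and log_status both continue past the end of the hunk.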
diff --git a/Source/charon/sa/states/ike_auth_requested.c b/Source/charon/sa/states/ike_auth_requested.c
index 00c38a887..3d49f440f 100644
--- a/Source/charon/sa/states/ike_auth_requested.c
+++ b/Source/charon/sa/states/ike_auth_requested.c
@@ -373,26 +373,26 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *i
static status_t process_idr_payload(private_ike_auth_requested_t *this, id_payload_t *idr_payload)
{
identification_t *other_id, *configured_other_id;
+ connection_t *connection;
other_id = idr_payload->get_identification(idr_payload);
-
configured_other_id = this->policy->get_other_id(this->policy);
- if (configured_other_id)
+
+ this->logger->log(this->logger, CONTROL|LEVEL1, "configured ID: %s, ID of responder: %s",
+ configured_other_id->get_string(configured_other_id),
+ other_id->get_string(other_id));
+
+ if (!other_id->belongs_to(other_id, configured_other_id))
{
- this->logger->log(this->logger, CONTROL|LEVEL1, "configured ID: %s, ID of responder: %s",
- configured_other_id->get_string(configured_other_id),
- other_id->get_string(other_id));
-
- if (!other_id->equals(other_id, configured_other_id))
- {
- other_id->destroy(other_id);
- this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a not requested ID. Deleting IKE_SA");
- return DELETE_ME;
- }
+ other_id->destroy(other_id);
+ this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a not acceptable ID. Deleting IKE_SA");
+ return DELETE_ME;
}
- other_id->destroy(other_id);
- /* TODO do we have to store other_id somewhere ? */
+ connection = this->ike_sa->get_connection(this->ike_sa);
+ connection->update_other_id(connection, other_id->clone(other_id));
+
+ this->policy->update_other_id(this->policy, other_id);
return SUCCESS;
}
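Review bot: The old `if (configured_other_id)` guard is gone, yet `configured_other_id` is now dereferenced unconditionally at the log call and at `belongs_to()`; if `policy->get_other_id()` can still return NULL, that is a NULL dereference triggered by an IKE_AUTH reply, i.e. reachable from the network before the peer is authenticated. Either restore a guard such as `if (configured_other_id == NULL) { ... }` — whether that branch keeps accepting the responder's ID as the old code did, or rejects it, should be stated by the commit — or add a comment above the call saying the policy guarantees a non-NULL other ID. Separately, the success path gives the connection a clone but hands `other_id` itself to `this->policy->update_other_id()`, while the failure branch still destroys it; a comment like `/* connection gets a clone, policy takes ownership of other_id */` would pin that contract.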
diff --git a/Source/charon/sa/states/ike_sa_init_requested.c b/Source/charon/sa/states/ike_sa_init_requested.c
index e3769303c..311cdf0a0 100644
--- a/Source/charon/sa/states/ike_sa_init_requested.c
+++ b/Source/charon/sa/states/ike_sa_init_requested.c
@@ -135,6 +135,19 @@ struct private_ike_sa_init_requested_t {
status_t (*build_id_payload) (private_ike_sa_init_requested_t *this,id_payload_t **id_payload, message_t *response);
/**
+ * Build IDr payload for IKE_AUTH request.
+ *
+ * Only built when the ID of the responder contains no wildcards.
+ *
+ * @param this calling object
+ * @param response created payload will be added to this message_t object
+ * @return
+ * - SUCCESS
+ * - FAILED
+ */
+ status_t (*build_idr_payload) (private_ike_sa_init_requested_t *this, message_t *response);
+
+ /**
* Build AUTH payload for IKE_AUTH request.
*
* @param this calling object
@@ -351,13 +364,19 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
/* build empty message */
this->ike_sa->build_message(this->ike_sa, IKE_AUTH, TRUE, &request);
- status = this->build_id_payload(this, &id_payload,request);
+ status = this->build_id_payload(this, &id_payload, request);
+ if (status != SUCCESS)
+ {
+ request->destroy(request);
+ return status;
+ }
+ status = this->build_idr_payload(this, request);
if (status != SUCCESS)
{
request->destroy(request);
return status;
}
- status = this->build_auth_payload(this,(id_payload_t *) id_payload, request);
+ status = this->build_auth_payload(this, (id_payload_t*)id_payload, request);
if (status != SUCCESS)
{
request->destroy(request);
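Review bot: The hunk now carries three identical `if (status != SUCCESS) { request->destroy(request); return status; }` blocks in a row; a single cleanup label at the end of process_message with `if (status != SUCCESS) goto destroy_request;` after each build step expresses the rule once and keeps the next build step from copying the block again. The function starts and ends outside the hunk, so the label would sit past the last line shown.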
@@ -477,9 +496,8 @@ static status_t build_id_payload (private_ike_sa_init_requested_t *this,id_paylo
identification_t *identification;
policy = this->ike_sa->get_policy(this->ike_sa);
- /* identification_t object gets NOT cloned here */
identification = policy->get_my_id(policy);
- new_id_payload = id_payload_create_from_identification(TRUE,identification);
+ new_id_payload = id_payload_create_from_identification(TRUE, identification);
this->logger->log(this->logger, CONTROL|LEVEL2, "Add ID payload to message");
request->add_payload(request,(payload_t *) new_id_payload);
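Review bot: Dropping `/* identification_t object gets NOT cloned here */` removes the only statement of what happens to `identification` when it is passed to `id_payload_create_from_identification()`; the code on that line is unchanged, so the fact still holds and the reader now has to look it up. Keep the comment, and if the ownership rule is known, make it explicit, e.g. `/* identification is NOT cloned here; it must not be destroyed by this function */`, adjusted to the real contract. build_id_payload starts and ends outside the hunk.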
@@ -490,6 +508,27 @@ static status_t build_id_payload (private_ike_sa_init_requested_t *this,id_paylo
}
/**
+ * Implementation of private_ike_sa_init_requested_t.build_idr_payload.
+ */
+static status_t build_idr_payload (private_ike_sa_init_requested_t *this, message_t *request)
+{
+ policy_t *policy;
+ id_payload_t *idr_payload;
+ identification_t *identification;
+
+ policy = this->ike_sa->get_policy(this->ike_sa);
+ identification = policy->get_other_id(policy);
+ if (!identification->contains_wildcards(identification))
+ {
+ idr_payload = id_payload_create_from_identification(FALSE, identification);
+
+ this->logger->log(this->logger, CONTROL|LEVEL2, "Add IDr payload to message");
+ request->add_payload(request,(payload_t *) idr_payload);
+ }
+ return SUCCESS;
+}
+
+/**
* Implementation of private_ike_sa_init_requested_t.build_auth_payload.
*/
static status_t build_auth_payload (private_ike_sa_init_requested_t *this, id_payload_t *my_id_payload, message_t *request)
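Review bot: `identification` from `policy->get_other_id()` is dereferenced at `contains_wildcards()` with no NULL check, and the struct comment added earlier in this commit lists `FAILED` as a return value that the body never produces. Either handle the NULL case explicitly — `if (identification == NULL) { return FAILED; }`, or skip the optional IDr payload and return SUCCESS, whichever the design intends — or drop the `- FAILED` line from the doc comment so the contract matches the code. The comment removed from build_id_payload in this same commit said the identification is not cloned by `id_payload_create_from_identification()`; if that applies here too, a `/* identification is NOT cloned; policy keeps it */` note above the create call would document it.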
@@ -741,6 +780,7 @@ ike_sa_init_requested_t *ike_sa_init_requested_create(protected_ike_sa_t *ike_sa
this->build_tsi_payload = build_tsi_payload;
this->build_tsr_payload = build_tsr_payload;
this->build_id_payload = build_id_payload;
+ this->build_idr_payload = build_idr_payload;
this->build_sa_payload = build_sa_payload;
this->process_notify_payload = process_notify_payload;
diff --git a/Source/charon/sa/states/ike_sa_init_responded.c b/Source/charon/sa/states/ike_sa_init_responded.c
index 54c0cc26b..e40b0cf22 100644
--- a/Source/charon/sa/states/ike_sa_init_responded.c
+++ b/Source/charon/sa/states/ike_sa_init_responded.c
@@ -382,39 +382,31 @@ static status_t build_idr_payload(private_ike_sa_init_responded_t *this, id_payl
connection_t *connection;
id_payload_t *idr_response;
+ connection = this->ike_sa->get_connection(this->ike_sa);
+
+ /* update adresses, as connection may contain wildcards, or wrong IDs */
other_id = request_idi->get_identification(request_idi);
if (request_idr)
{
my_id = request_idr->get_identification(request_idr);
+ connection->update_my_id(connection, my_id);
+ }
+ else
+ {
+ my_id = connection->get_my_id(connection);
}
+ connection->update_other_id(connection, other_id);
/* build new sa config */
- connection = this->ike_sa->get_connection(this->ike_sa);
this->policy = charon->policies->get_policy(charon->policies, my_id, other_id);
if (this->policy == NULL)
- {
- if (my_id)
- {
- this->logger->log(this->logger, AUDIT, "We don't have a policy for IDs %s - %s. Deleting IKE_SA",
- other_id->get_string(other_id),my_id->get_string(my_id));
- my_id->destroy(my_id);
- }
- else
- {
- this->logger->log(this->logger, AUDIT, "We don't have a policy for remote ID %s. Deleting IKE_SA",
- other_id->get_string(other_id));
- }
- other_id->destroy(other_id);
- return DELETE_ME;
- }
-
- if (my_id)
{
- my_id->destroy(my_id);
+ this->logger->log(this->logger, AUDIT, "We don't have a policy for IDs %s - %s. Deleting IKE_SA",
+ my_id->get_string(my_id), other_id->get_string(other_id));
+ return DELETE_ME;
}
- other_id->destroy(other_id);
- /* get my id, if not requested */
+ /* get my id from policy, which must contain a fully qualified valid id */
my_id = this->policy->get_my_id(this->policy);
/* update others traffic selectors with actually used address */
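Review bot: `connection->update_other_id(connection, other_id)` now runs before the policy lookup, so the peer-supplied IDi is written into the connection even when `get_policy()` finds nothing and the IKE_SA is deleted, and the `destroy()` calls the old code made on `my_id` and `other_id` in that failure path are gone — which is only correct if `update_my_id()`/`update_other_id()` take ownership of the identification they receive, something the hunk does not show. A comment at the update calls stating the ownership rule, e.g. `/* connection takes ownership of my_id/other_id; nothing below may destroy them */`, would make the new failure path reviewable. In the `else` branch `my_id` comes from `connection->get_my_id()`, which the comment just above admits may contain wildcards, so the lookup and the AUDIT message may see a wildcard ID; confirm `get_policy()` accepts that. build_idr_payload continues past the end of the hunk.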