Diffstat (limited to 'Source/charon')
-rw-r--r-- | Source/charon/config/configuration_manager.c | 14 | ||||
-rw-r--r-- | Source/charon/daemon.c | 2 | ||||
-rw-r--r-- | Source/charon/daemon.h | 2 | ||||
-rw-r--r-- | Source/charon/encoding/message.c | 1 | ||||
-rw-r--r-- | Source/charon/sa/ike_sa.c | 18 | ||||
-rw-r--r-- | Source/charon/sa/ike_sa_manager.c | 23 | ||||
-rw-r--r-- | Source/charon/sa/states/ike_auth_requested.c | 50 | ||||
-rw-r--r-- | Source/charon/sa/states/ike_sa_init_requested.c | 3 | ||||
-rw-r--r-- | Source/charon/sa/states/ike_sa_init_responded.c | 5 | ||||
-rw-r--r-- | Source/charon/threads/thread_pool.c | 1 |
10 files changed, 88 insertions, 31 deletions
diff --git a/Source/charon/config/configuration_manager.c b/Source/charon/config/configuration_manager.c
index 2f7fc099f..58a831c10 100644
--- a/Source/charon/config/configuration_manager.c
+++ b/Source/charon/config/configuration_manager.c
@@ -166,7 +166,7 @@ static void load_default_config (private_configuration_manager_t *this)
 sa_config_t *sa_config1, *sa_config2, *sa_config3;
 traffic_selector_t *ts;
- init_config1 = init_config_create("152.96.193.131","152.96.193.131",IKEV2_UDP_PORT,IKEV2_UDP_PORT);
+ init_config1 = init_config_create("152.96.193.130","152.96.193.131",IKEV2_UDP_PORT,IKEV2_UDP_PORT);
 init_config2 = init_config_create("152.96.193.131","152.96.193.130",IKEV2_UDP_PORT,IKEV2_UDP_PORT);
 init_config3 = init_config_create("0.0.0.0","127.0.0.1",IKEV2_UDP_PORT,IKEV2_UDP_PORT);
 ts = traffic_selector_create_from_string(1, TS_IPV4_ADDR_RANGE, "0.0.0.0", 0, "255.255.255.255", 65535);
@@ -193,15 +193,15 @@ static void load_default_config (private_configuration_manager_t *this)
 init_config3->add_proposal(init_config3,1,proposals[0]);
 init_config3->add_proposal(init_config3,1,proposals[1]);
- sa_config1 = sa_config_create(ID_IPV4_ADDR, "152.96.193.131",
- ID_IPV4_ADDR, "152.96.193.130",
+ sa_config1 = sa_config_create(ID_IPV4_ADDR, "152.96.193.130",
+ ID_IPV4_ADDR, "152.96.193.131",
 SHARED_KEY_MESSAGE_INTEGRITY_CODE);
 sa_config1->add_traffic_selector_initiator(sa_config1,ts);
 sa_config1->add_traffic_selector_responder(sa_config1,ts);
- sa_config2 = sa_config_create(ID_IPV4_ADDR, "152.96.193.130",
- ID_IPV4_ADDR, "152.96.193.131",
+ sa_config2 = sa_config_create(ID_IPV4_ADDR, "152.96.193.131",
+ ID_IPV4_ADDR, "152.96.193.130",
 SHARED_KEY_MESSAGE_INTEGRITY_CODE);
 sa_config2->add_traffic_selector_initiator(sa_config2,ts);
@@ -238,8 +238,8 @@ static void load_default_config (private_configuration_manager_t *this)
 sa_config2->add_proposal(sa_config2, &child_proposals[0]);
 sa_config3->add_proposal(sa_config3, &child_proposals[0]);
- this->add_new_configuration(this,"pinflb31",init_config1,sa_config2);
- this->add_new_configuration(this,"pinflb30",init_config2,sa_config1);
+ this->add_new_configuration(this,"pinflb31",init_config1,sa_config1);
+ this->add_new_configuration(this,"pinflb30",init_config2,sa_config2);
 this->add_new_configuration(this,"localhost",init_config3,sa_config3);
 }
diff --git a/Source/charon/daemon.c b/Source/charon/daemon.c
index d1e0c13c2..08b759f8a 100644
--- a/Source/charon/daemon.c
+++ b/Source/charon/daemon.c
@@ -159,7 +159,7 @@ static void build_test_jobs(private_daemon_t *this)
 for(i = 0; i<1; i++)
 {
 initiate_ike_sa_job_t *initiate_job;
- initiate_job = initiate_ike_sa_job_create("localhost");
+ initiate_job = initiate_ike_sa_job_create("pinflb30");
 this->public.job_queue->add(this->public.job_queue, (job_t*)initiate_job);
 }
 }
diff --git a/Source/charon/daemon.h b/Source/charon/daemon.h
index 1b5048282..98d366ce9 100644
--- a/Source/charon/daemon.h
+++ b/Source/charon/daemon.h
@@ -54,7 +54,7 @@
 * Port on which the daemon will
 * listen for incoming traffic.
 */
-#define IKEV2_UDP_PORT 4500
+#define IKEV2_UDP_PORT 500
 /**
 * First retransmit timeout in milliseconds.
diff --git a/Source/charon/encoding/message.c b/Source/charon/encoding/message.c
index b9f34e5d5..a6d237550 100644
--- a/Source/charon/encoding/message.c
+++ b/Source/charon/encoding/message.c
@@ -145,6 +145,7 @@ static supported_payload_entry_t supported_ike_auth_i_payloads[] =
 */
 static supported_payload_entry_t supported_ike_auth_r_payloads[] =
 {
+ {NOTIFY,0,1,TRUE,TRUE},
 {CERTIFICATE,0,1,TRUE,FALSE},
 {ID_RESPONDER,0,1,TRUE,FALSE},
 {AUTHENTICATION,1,1,TRUE,FALSE},
diff --git a/Source/charon/sa/ike_sa.c b/Source/charon/sa/ike_sa.c
index 6abed041c..b9f80dfbb 100644
--- a/Source/charon/sa/ike_sa.c
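Review bot: The doc comment kept above `IKEV2_UDP_PORT` still describes it only as the port the daemon listens on, while the configuration_manager.c hunk in this commit passes the same macro as both the local and the remote port of every init_config_create() call, and 500 is a privileged port on most Unix systems. Suggested replacement for the comment body: `Local and remote UDP port for IKE traffic (IANA IKE port 500; binding it requires privileges).`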
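Review bot: `{NOTIFY,0,1,TRUE,TRUE}` allows at most one NOTIFY payload per IKE_AUTH response, if the two numeric columns are min/max occurrence as `{AUTHENTICATION,1,1,TRUE,FALSE}` suggests; IKEv2 responses may legitimately carry several Notify payloads, so a response with two of them would presumably be rejected by the verification code outside this hunk before ike_auth_requested.c ever sees it. The last column is TRUE here and FALSE on every neighbouring row, and its meaning is not visible in the hunk; a short comment on the row stating what the two flags mean for NOTIFY would help the next reader. The table's declaration starts inside the hunk but its remaining rows are outside it.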
+++ b/Source/charon/sa/ike_sa.c
@@ -210,7 +210,7 @@ struct private_ike_sa_t {
 /**
 * Last message id which was successfully replied.
 */
- u_int32_t last_replied_message_id;
+ int32_t last_replied_message_id;
 /**
 * a logger for this IKE_SA
@@ -431,8 +431,8 @@ static status_t resend_last_reply(private_ike_sa_t *this)
 status_t retransmit_request (private_ike_sa_t *this, u_int32_t message_id)
 {
 packet_t *packet;
-
- if ((this->message_id_out -1) != message_id)
+
+ if (this->last_requested_message == NULL)
 {
 return NOT_FOUND;
 }
@@ -441,12 +441,13 @@ status_t retransmit_request (private_ike_sa_t *this, u_int32_t message_id)
 {
 return NOT_FOUND;
 }
-
- if (this->last_requested_message == NULL)
+
+ if ((this->last_requested_message->get_message_id(this->last_requested_message)) != message_id)
 {
 return NOT_FOUND;
 }
+ this->logger->log(this->logger, CONTROL | MORE, "Going to retransmit message with id %d",message_id);
 packet = this->last_requested_message->get_packet(this->last_requested_message);
 charon->send_queue->add(charon->send_queue, packet);
@@ -713,7 +714,7 @@ static status_t send_request (private_ike_sa_t *this,message_t * message)
 }
 /* message counter can now be increased */
- this->logger->log(this->logger, CONTROL|MOST, "Increase message counter for outgoing messages");
+ this->logger->log(this->logger, CONTROL|MOST, "Increase message counter for outgoing messages from %d",this->message_id_out);
 this->message_id_out++;
 return SUCCESS;
 }
@@ -796,7 +797,10 @@ static void reset_message_buffers (private_ike_sa_t *this)
 */
 static void destroy (private_ike_sa_t *this)
 {
- this->logger->log(this->logger, CONTROL | MORE, "Going to destroy IKE_SA");
+ this->logger->log(this->logger, CONTROL|MOST, "Going to destroy IKE SA %llu:%llu, role %s",
+ this->ike_sa_id->get_initiator_spi(this->ike_sa_id),
+ this->ike_sa_id->get_responder_spi(this->ike_sa_id),
+ this->ike_sa_id->is_initiator(this->ike_sa_id) ? "initiator" : "responder");
 /* destroy child sa's */
 this->logger->log(this->logger, CONTROL | MOST, "Destroy all child_sa's");
diff --git a/Source/charon/sa/ike_sa_manager.c b/Source/charon/sa/ike_sa_manager.c
index 49b817642..c2bc365f7 100644
--- a/Source/charon/sa/ike_sa_manager.c
+++ b/Source/charon/sa/ike_sa_manager.c
@@ -219,7 +219,8 @@ static status_t get_entry_by_id(private_ike_sa_manager_t *this, ike_sa_id_t *ike
 ike_sa_entry_t *current;
 iterator->current(iterator, (void**)¤t);
- if (current->ike_sa_id->get_responder_spi(current->ike_sa_id) == 0) {
+ if (current->ike_sa_id->get_responder_spi(current->ike_sa_id) == 0)
+ {
 /* seems to be a half ready ike_sa */
 if ((current->ike_sa_id->get_initiator_spi(current->ike_sa_id) == ike_sa_id->get_initiator_spi(ike_sa_id))
 && (ike_sa_id->is_initiator(ike_sa_id) == current->ike_sa_id->is_initiator(current->ike_sa_id)))
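Review bot: The new log calls pass values whose types do not match their conversions: destroy() prints the two SPI getters with `%llu`, and retransmit_request() and send_request() print `message_id` and `this->message_id_out`, both `u_int32_t` per the signature in the hunk, with `%d`. If the SPI getters return `u_int64_t` (an `unsigned long` on LP64 glibc), `%llu` is a mismatch that -Wformat flags and that is undefined in a variadic call; the portable spelling is `"%" PRIu64` from `<inttypes.h>`, and the message ids should use `%u` — assuming logger_t's log() forwards its arguments printf-style, which this hunk does not show. Separately, `last_replied_message_id` becomes `int32_t` while every message id in this file stays `u_int32_t`; if a negative sentinel is intended it will compare equal to 0xFFFFFFFF against an unsigned id, so a comment on the field such as `/* -1 while no reply has been sent; compare against u_int32_t ids with care */` would document the intent. destroy(), retransmit_request() and send_request() each extend outside their hunks.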
@@ -230,7 +231,18 @@ static status_t get_entry_by_id(private_ike_sa_manager_t *this, ike_sa_id_t *ike
 break;
 }
 }
- if (current->ike_sa_id->equals(current->ike_sa_id, ike_sa_id))
+ else if (ike_sa_id->get_responder_spi(ike_sa_id) == 0)
+ {
+ if ((current->ike_sa_id->get_initiator_spi(current->ike_sa_id) == ike_sa_id->get_initiator_spi(ike_sa_id))
+ && (ike_sa_id->is_initiator(ike_sa_id) == current->ike_sa_id->is_initiator(current->ike_sa_id)))
+ {
+ this->logger->log(this->logger,CONTROL | MOST,"Found entry by initiator spi %d",ike_sa_id->get_initiator_spi(ike_sa_id));
+ *entry = current;
+ status = SUCCESS;
+ break;
+ }
+ }
+ if (current->ike_sa_id->equals(current->ike_sa_id, ike_sa_id))
 {
 this->logger->log(this->logger,CONTROL | MOST,"Found entry by full ID");
 *entry = current;
@@ -357,6 +369,7 @@ static status_t checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id,
 {
 bool responder_spi_set;
 bool initiator_spi_set;
+ bool original_initiator;
 status_t retval;
 /* each access is locked */
@@ -364,8 +377,10 @@ static status_t checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id,
 responder_spi_set = (FALSE != ike_sa_id->get_responder_spi(ike_sa_id));
 initiator_spi_set = (FALSE != ike_sa_id->get_initiator_spi(ike_sa_id));
+ original_initiator = ike_sa_id->is_initiator(ike_sa_id);
- if (initiator_spi_set && responder_spi_set)
+ if ((initiator_spi_set && responder_spi_set) ||
+ ((initiator_spi_set && !responder_spi_set) && (original_initiator)))
 {
 /* we SHOULD have an IKE_SA for these SPIs in the list,
 * if not, we can't handle the request...
@@ -422,7 +437,7 @@ static status_t checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id,
 retval = NOT_FOUND;
 }
 }
- else if (initiator_spi_set && !responder_spi_set)
+ else if ((initiator_spi_set && !responder_spi_set) && (!original_initiator))
 {
 /* an IKE_SA_INIT from an another endpoint,
 * he is the initiator.
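Review bot: The new `else if` branch in get_entry_by_id() matches an entry on initiator SPI and role alone whenever the lookup id carries no responder SPI, which makes a fully established SA reachable by anyone who knows just the initiator SPI from the unprotected IKE_SA_INIT exchange; checkout() gates its own use of this on `original_initiator`, but get_entry_by_id() has no such guard, so any other caller inherits the weaker match. A comment on the branch saying why initiator-SPI-only lookup is acceptable here (presumably the local retransmit path, whose job id has no responder SPI yet — not visible in this hunk) would make the intent explicit, e.g. `/* lookup from our own retransmit path: responder SPI not yet known, match on initiator SPI + role only */`. The added log line prints the SPI with `%d`, while destroy() in ike_sa.c prints the same getter with `%llu`; for a 64-bit value `%d` is a mismatched conversion that prints garbage and is undefined in a variadic call. get_entry_by_id() and checkout() both extend outside their hunks.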
diff --git a/Source/charon/sa/states/ike_auth_requested.c b/Source/charon/sa/states/ike_auth_requested.c
index 64881cc85..723550d8d 100644
--- a/Source/charon/sa/states/ike_auth_requested.c
+++ b/Source/charon/sa/states/ike_auth_requested.c
@@ -28,6 +28,7 @@
 #include <encoding/payloads/sa_payload.h>
 #include <encoding/payloads/id_payload.h>
 #include <encoding/payloads/auth_payload.h>
+#include <encoding/payloads/notify_payload.h>
 #include <transforms/signers/signer.h>
 #include <transforms/crypters/crypter.h>
 #include <sa/states/ike_sa_established.h>
@@ -87,7 +88,7 @@ struct private_ike_auth_requested_t {
 /**
 * Implements state_t.process_message
 */
-static status_t process_message(private_ike_auth_requested_t *this, message_t *request)
+static status_t process_message(private_ike_auth_requested_t *this, message_t *ike_auth_reply)
 {
 status_t status;
 signer_t *signer;
@@ -99,7 +100,7 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *r
 sa_payload_t *sa_payload;
 ts_payload_t *tsi_payload, *tsr_payload;
- exchange_type = request->get_exchange_type(request);
+ exchange_type = ike_auth_reply->get_exchange_type(ike_auth_reply);
 if (exchange_type != IKE_AUTH)
 {
 this->logger->log(this->logger, ERROR | MORE, "Message of type %s not supported in state ike_auth_requested",
@@ -107,7 +108,7 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *r
 return FAILED;
 }
- if (request->get_request(request))
+ if (ike_auth_reply->get_request(ike_auth_reply))
 {
 this->logger->log(this->logger, ERROR | MORE, "Only responses of type IKE_AUTH supported in state ike_auth_requested");
 return FAILED;
@@ -118,7 +119,7 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *r
 crypter = this->ike_sa->get_crypter_responder(this->ike_sa);
 /* parse incoming message */
- status = request->parse_body(request, crypter, signer);
+ status = ike_auth_reply->parse_body(ike_auth_reply, crypter, signer);
 if (status != SUCCESS)
 {
 this->logger->log(this->logger, ERROR | MORE, "Could not parse body of request message");
@@ -128,7 +129,7 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *r
 this->sa_config = this->ike_sa->get_sa_config(this->ike_sa);
 /* iterate over incoming payloads. Message is verified, we can be sure there are the required payloads */
- payloads = request->get_payload_iterator(request);
+ payloads = ike_auth_reply->get_payload_iterator(ike_auth_reply);
 while (payloads->has_next(payloads))
 {
 payload_t *payload;
@@ -166,10 +167,43 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *r
 tsr_payload = (ts_payload_t*)payload;
 break;
 }
+ case NOTIFY:
+ {
+ notify_payload_t *notify_payload = (notify_payload_t *) payload;
+
+
+ this->logger->log(this->logger, CONTROL|MORE, "Process notify type %s for protocol %s",
+ mapping_find(notify_message_type_m, notify_payload->get_notify_message_type(notify_payload)),
+ mapping_find(protocol_id_m, notify_payload->get_protocol_id(notify_payload)));
+
+ if (notify_payload->get_protocol_id(notify_payload) != IKE)
+ {
+ this->logger->log(this->logger, ERROR | MORE, "Notify reply not for IKE protocol.");
+ payloads->destroy(payloads);
+ return FAILED;
+ }
+
+ switch (notify_payload->get_notify_message_type(notify_payload))
+ {
+ default:
+ {
+ /*
+ * If an unrecognized Notify type is received, the IKE_SA gets destroyed.
+ *
+ */
+
+ this->logger->log(this->logger, ERROR, "Notify type %s not recognized in state ike_auth_requested.",
+ mapping_find(notify_message_type_m,notify_payload->get_notify_message_type(notify_payload)));
+ payloads->destroy(payloads);
+ return DELETE_ME;
+ }
+ }
+ }
 default:
 {
- /* can't happen, since message is verified, notify's? */
- break;
+ this->logger->log(this->logger, ERROR, "Payload type %s not supported in state ike_auth_requested!", mapping_find(payload_type_m, payload->get_type(payload)));
+ payloads->destroy(payloads);
+ return FAILED;
 }
 }
 }
@@ -208,7 +242,7 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *r
 return status;
 }
- this->ike_sa->set_last_replied_message_id(this->ike_sa,request->get_message_id(request));
+ this->ike_sa->set_last_replied_message_id(this->ike_sa,ike_auth_reply->get_message_id(ike_auth_reply));
 this->logger->log(this->logger, CONTROL | MORE, "IKE_AUTH response successfully handled. IKE_SA established.");
 /* create new state */
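Review bot: The new `case NOTIFY:` block falls through into `default:` because there is no `break;` after its closing brace; every path inside it returns today only because the inner switch has nothing but a `default:` arm, so the first recognized notify type that gets added with a `break` will be logged as an unsupported payload and fail the exchange — add `break;` after the block's closing `}` now. Returning DELETE_ME for every unrecognized type is also stricter than the protocol: per RFC 4306 §3.10.1 an unrecognized status-type notify (16384 and above) in a response is to be ignored and logged, and only an unrecognized error-type notify means the request failed, so a peer that adds an unknown status notify to its IKE_AUTH response would needlessly tear down the SA here. The retained text `"Could not parse body of request message"` now describes a reply. process_message() extends outside the hunk.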
diff --git a/Source/charon/sa/states/ike_sa_init_requested.c b/Source/charon/sa/states/ike_sa_init_requested.c
index ebca25ffc..806c024c5 100644
--- a/Source/charon/sa/states/ike_sa_init_requested.c
+++ b/Source/charon/sa/states/ike_sa_init_requested.c
@@ -391,7 +391,8 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
 request->destroy(request);
 return DELETE_ME;
 }
- this->ike_sa->set_last_replied_message_id(this->ike_sa,request->get_message_id(request));
+
+ this->ike_sa->set_last_replied_message_id(this->ike_sa,ike_sa_init_reply->get_message_id(ike_sa_init_reply));
 /* state can now be changed */
 this->logger->log(this->logger, CONTROL|MOST, "Create next state object");
diff --git a/Source/charon/sa/states/ike_sa_init_responded.c b/Source/charon/sa/states/ike_sa_init_responded.c
index ddc9c4012..ac8566d00 100644
--- a/Source/charon/sa/states/ike_sa_init_responded.c
+++ b/Source/charon/sa/states/ike_sa_init_responded.c
@@ -162,8 +162,9 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
 }
 default:
 {
- /* can't happen, since message is verified, notify's? */
- break;
+ this->logger->log(this->logger, ERROR, "Payload type %s not supported in state ike_auth_requested!", mapping_find(payload_type_m, payload->get_type(payload)));
+ payloads->destroy(payloads);
+ return FAILED;
 }
 }
 }
diff --git a/Source/charon/threads/thread_pool.c b/Source/charon/threads/thread_pool.c
index 87f25233f..26c4d1f29 100644
--- a/Source/charon/threads/thread_pool.c
+++ b/Source/charon/threads/thread_pool.c
@@ -342,6 +342,7 @@ static void process_retransmit_request_job(private_thread_pool_t *this, retransm
 status = charon->ike_sa_manager->checkout(charon->ike_sa_manager,ike_sa_id, &ike_sa);
 if (status != SUCCESS)
 {
+ job->destroy(job);
 this->worker_logger->log(this->worker_logger, ERROR, "IKE SA could not be checked out. Allready deleted?");
 return;
 } |
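Review bot: The new log line in ike_sa_init_responded.c names the wrong state: `"Payload type %s not supported in state ike_auth_requested!"` was carried over from ike_auth_requested.c, so an operator reading the log will look in the wrong state handler. Change it to `"Payload type %s not supported in state ike_sa_init_responded!"`. process_message() extends outside the hunk.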
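Review bot: `job->destroy(job);` on the checkout-failure path in process_retransmit_request_job() asserts that this function owns the job, but the success path is outside the hunk; if the function also destroys the job at its end, a single exit that releases it would avoid the two paths drifting apart, and if `ike_sa_id` is a pointer obtained from the job (not visible here) it must not be used after this destroy — the log line that follows does not use it. A one-line comment such as `/* the job is owned by this function and is released on every exit path */` at the top of the function would make the ownership explicit.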