aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/network/receiver.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/libcharon/network/receiver.c')
-rw-r--r--src/libcharon/network/receiver.c117
1 files changed, 84 insertions, 33 deletions
diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c
index cfb1408ef..fcc730439 100644
--- a/src/libcharon/network/receiver.c
+++ b/src/libcharon/network/receiver.c
@@ -40,6 +40,8 @@
#define BLOCK_THRESHOLD_DEFAULT 5
/** length of the secret to use for cookie calculation */
#define SECRET_LENGTH 16
+/** Length of a notify payload header */
+#define NOTIFY_PAYLOAD_HEADER_LENGTH 8
typedef struct private_receiver_t private_receiver_t;
@@ -141,34 +143,34 @@ struct private_receiver_t {
/**
* send a notify back to the sender
*/
-static void send_notify(message_t *request, notify_type_t type, chunk_t data)
+static void send_notify(message_t *request, int major, exchange_type_t exchange,
+ notify_type_t type, chunk_t data)
{
- if (request->get_request(request) &&
- request->get_exchange_type(request) == IKE_SA_INIT)
+ ike_sa_id_t *ike_sa_id;
+ message_t *response;
+ host_t *src, *dst;
+ packet_t *packet;
+
+ response = message_create(major, 0);
+ response->set_exchange_type(response, exchange);
+ response->add_notify(response, FALSE, type, data);
+ dst = request->get_source(request);
+ src = request->get_destination(request);
+ response->set_source(response, src->clone(src));
+ response->set_destination(response, dst->clone(dst));
+ if (major == IKEV2_MAJOR_VERSION)
{
- message_t *response;
- host_t *src, *dst;
- packet_t *packet;
- ike_sa_id_t *ike_sa_id;
-
- response = message_create();
- dst = request->get_source(request);
- src = request->get_destination(request);
- response->set_source(response, src->clone(src));
- response->set_destination(response, dst->clone(dst));
- response->set_exchange_type(response, request->get_exchange_type(request));
response->set_request(response, FALSE);
- response->set_message_id(response, 0);
- ike_sa_id = request->get_ike_sa_id(request);
- ike_sa_id->switch_initiator(ike_sa_id);
- response->set_ike_sa_id(response, ike_sa_id);
- response->add_notify(response, FALSE, type, data);
- if (response->generate(response, NULL, &packet) == SUCCESS)
- {
- charon->sender->send(charon->sender, packet);
- response->destroy(response);
- }
}
+ response->set_message_id(response, 0);
+ ike_sa_id = request->get_ike_sa_id(request);
+ ike_sa_id->switch_initiator(ike_sa_id);
+ response->set_ike_sa_id(response, ike_sa_id);
+ if (response->generate(response, NULL, &packet) == SUCCESS)
+ {
+ charon->sender->send(charon->sender, packet);
+ }
+ response->destroy(response);
}
/**
@@ -308,8 +310,9 @@ static bool drop_ike_sa_init(private_receiver_t *this, message_t *message)
half_open = charon->ike_sa_manager->get_half_open_count(
charon->ike_sa_manager, NULL);
- /* check for cookies */
- if (cookie_required(this, half_open, now) && !check_cookie(this, message))
+ /* check for cookies in IKEv2 */
+ if (message->get_major_version(message) == IKEV2_MAJOR_VERSION &&
+ cookie_required(this, half_open, now) && !check_cookie(this, message))
{
chunk_t cookie;
@@ -320,7 +323,7 @@ static bool drop_ike_sa_init(private_receiver_t *this, message_t *message)
message->get_destination(message));
DBG2(DBG_NET, "sending COOKIE notify to %H",
message->get_source(message));
- send_notify(message, COOKIE, cookie);
+ send_notify(message, IKEV2_MAJOR_VERSION, IKE_SA_INIT, COOKIE, cookie);
chunk_free(&cookie);
if (++this->secret_used > COOKIE_REUSE)
{
@@ -328,7 +331,7 @@ static bool drop_ike_sa_init(private_receiver_t *this, message_t *message)
DBG1(DBG_NET, "generating new cookie secret after %d uses",
this->secret_used);
memcpy(this->secret_old, this->secret, SECRET_LENGTH);
- this->rng->get_bytes(this->rng, SECRET_LENGTH, this->secret);
+ this->rng->get_bytes(this->rng, SECRET_LENGTH, this->secret);
this->secret_switch = now;
this->secret_used = 0;
}
@@ -380,9 +383,11 @@ static bool drop_ike_sa_init(private_receiver_t *this, message_t *message)
*/
static job_requeue_t receive_packets(private_receiver_t *this)
{
+ ike_sa_id_t *id;
packet_t *packet;
message_t *message;
status_t status;
+ bool supported = TRUE;
/* read in a packet */
status = charon->socket->receive(charon->socket, &packet);
@@ -409,16 +414,50 @@ static job_requeue_t receive_packets(private_receiver_t *this)
}
/* check IKE major version */
- if (message->get_major_version(message) != IKE_MAJOR_VERSION)
+ switch (message->get_major_version(message))
+ {
+ case IKEV2_MAJOR_VERSION:
+#ifndef USE_IKEV2
+ if (message->get_exchange_type(message) == IKE_SA_INIT &&
+ message->get_request(message))
+ {
+ send_notify(message, IKEV1_MAJOR_VERSION, INFORMATIONAL_V1,
+ INVALID_MAJOR_VERSION, chunk_empty);
+ supported = FALSE;
+ }
+#endif /* USE_IKEV2 */
+ break;
+ case IKEV1_MAJOR_VERSION:
+#ifndef USE_IKEV1
+ if (message->get_exchange_type(message) == ID_PROT ||
+ message->get_exchange_type(message) == AGGRESSIVE)
+ {
+ send_notify(message, IKEV2_MAJOR_VERSION, INFORMATIONAL,
+ INVALID_MAJOR_VERSION, chunk_empty);
+ supported = FALSE;
+ }
+#endif /* USE_IKEV1 */
+ break;
+ default:
+#ifdef USE_IKEV2
+ send_notify(message, IKEV2_MAJOR_VERSION, INFORMATIONAL,
+ INVALID_MAJOR_VERSION, chunk_empty);
+#endif /* USE_IKEV2 */
+#ifdef USE_IKEV1
+ send_notify(message, IKEV1_MAJOR_VERSION, INFORMATIONAL_V1,
+ INVALID_MAJOR_VERSION, chunk_empty);
+#endif /* USE_IKEV1 */
+ supported = FALSE;
+ break;
+ }
+ if (!supported)
{
- DBG1(DBG_NET, "received unsupported IKE version %d.%d from %H, "
- "sending INVALID_MAJOR_VERSION", message->get_major_version(message),
+ DBG1(DBG_NET, "received unsupported IKE version %d.%d from %H, sending "
+ "INVALID_MAJOR_VERSION", message->get_major_version(message),
message->get_minor_version(message), packet->get_source(packet));
- send_notify(message, INVALID_MAJOR_VERSION, chunk_empty);
message->destroy(message);
return JOB_REQUEUE_DIRECT;
}
-
if (message->get_request(message) &&
message->get_exchange_type(message) == IKE_SA_INIT)
{
@@ -428,6 +467,18 @@ static job_requeue_t receive_packets(private_receiver_t *this)
return JOB_REQUEUE_DIRECT;
}
}
+ if (message->get_exchange_type(message) == ID_PROT ||
+ message->get_exchange_type(message) == AGGRESSIVE)
+ {
+ id = message->get_ike_sa_id(message);
+ if (id->get_responder_spi(id) == 0 &&
+ drop_ike_sa_init(this, message))
+ {
+ message->destroy(message);
+ return JOB_REQUEUE_DIRECT;
+ }
+ }
+
if (this->receive_delay)
{
if (this->receive_delay_type == 0 ||
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-10 18:53:49 +0000