fixed ID selection bug when peer doesn't include IDr payload
authorMartin Willi <martin@strongswan.org>
Mon, 5 Mar 2007 15:22:50 +0000 (15:22 -0000)
committerMartin Willi <martin@strongswan.org>
Mon, 5 Mar 2007 15:22:50 +0000 (15:22 -0000)
allowing vendor ID in any message

src/charon/encoding/message.c
src/charon/encoding/payloads/id_payload.c
src/charon/sa/tasks/ike_auth.c
src/charon/threads/kernel_interface.c

index acc3abd..3366baf 100644 (file)
@@ -125,6 +125,7 @@ static payload_rule_t ike_sa_init_i_payload_rules[] = {
        {SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
        {KEY_EXCHANGE,1,1,FALSE,FALSE},
        {NONCE,1,1,FALSE,FALSE},
+       {VENDOR_ID,0,10,FALSE,FALSE},
 };
 
 /**
@@ -135,6 +136,7 @@ static payload_rule_t ike_sa_init_r_payload_rules[] = {
        {SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
        {KEY_EXCHANGE,1,1,FALSE,FALSE},
        {NONCE,1,1,FALSE,FALSE},
+       {VENDOR_ID,0,10,FALSE,FALSE},
 };
 
 /**
@@ -152,6 +154,7 @@ static payload_rule_t ike_auth_i_payload_rules[] = {
        {TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE,FALSE},
        {TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE,FALSE},
        {CONFIGURATION,0,1,TRUE,FALSE},
+       {VENDOR_ID,0,10,TRUE,FALSE},
 };
 
 /**
@@ -167,6 +170,7 @@ static payload_rule_t ike_auth_r_payload_rules[] = {
        {TRAFFIC_SELECTOR_INITIATOR,0,1,TRUE,FALSE},
        {TRAFFIC_SELECTOR_RESPONDER,0,1,TRUE,FALSE},
        {CONFIGURATION,0,1,TRUE,FALSE},
+       {VENDOR_ID,0,10,TRUE,FALSE},
 };
 
 
@@ -177,6 +181,7 @@ static payload_rule_t informational_i_payload_rules[] = {
        {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
        {CONFIGURATION,0,1,TRUE,FALSE},
        {DELETE,0,1,TRUE,FALSE},
+       {VENDOR_ID,0,10,TRUE,FALSE},
        
 };
 
@@ -187,6 +192,7 @@ static payload_rule_t informational_r_payload_rules[] = {
        {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
        {CONFIGURATION,0,1,TRUE,FALSE},
        {DELETE,0,1,TRUE,FALSE},
+       {VENDOR_ID,0,10,TRUE,FALSE},
 };
 
 /**
@@ -200,6 +206,7 @@ static payload_rule_t create_child_sa_i_payload_rules[] = {
        {TRAFFIC_SELECTOR_INITIATOR,0,1,TRUE,FALSE},
        {TRAFFIC_SELECTOR_RESPONDER,0,1,TRUE,FALSE},
        {CONFIGURATION,0,1,TRUE,FALSE},
+       {VENDOR_ID,0,10,TRUE,FALSE},
 };
 
 /**
@@ -213,6 +220,7 @@ static payload_rule_t create_child_sa_r_payload_rules[] = {
        {TRAFFIC_SELECTOR_INITIATOR,0,1,TRUE,FALSE},
        {TRAFFIC_SELECTOR_RESPONDER,0,1,TRUE,FALSE},
        {CONFIGURATION,0,1,TRUE,FALSE},
+       {VENDOR_ID,0,10,TRUE,FALSE},
 };
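Review bot: The upper bound `10` for VENDOR_ID is written as a bare literal in every one of the eight rule tables touched by this file (this hunk and the seven above it), while the neighbouring NOTIFY rule already expresses its limit through the named constant `MAX_NOTIFY_PAYLOADS`. Defining one constant alongside it, e.g. `MAX_VENDOR_ID_PAYLOADS`, and writing the entries as `{VENDOR_ID,0,MAX_VENDOR_ID_PAYLOADS,TRUE,FALSE}` keeps the eight tables in step and gives the number a home. A short comment on that constant saying the count is capped to bound how many vendor ID payloads a peer can have the parser accept — the IKE_SA_INIT tables admit them before any authentication — would also document why the limit exists rather than leaving it to be guessed from the value.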
 
 
index 1a8293a..74c0ce8 100644 (file)
@@ -25,6 +25,7 @@
 
 #include "id_payload.h"
 
+#include <daemon.h>
 #include <encoding/payloads/encodings.h>
 
 typedef struct private_id_payload_t private_id_payload_t;
@@ -127,6 +128,7 @@ static status_t verify(private_id_payload_t *this)
                ((this->id_type >= 12) && (this->id_type <= 200)))
        {
                /* reserved IDs */
+               DBG1(DBG_ENC, "received ID with reserved type %d", this->id_type);
                return FAILED;
        }
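Review bot: The added `DBG1(DBG_ENC, "received ID with reserved type %d", this->id_type);` logs a value taken directly from a peer's ID payload, and verify() runs before the peer is authenticated, so a burst of malformed ID payloads produces a burst of level-1 log lines; the same commit lowers a comparable per-packet message in get_interface_name from DBG1 to DBG2, and that level would be consistent here unless the rejection is meant to stand out. Whether `%d` matches the declared type of `this->id_type` cannot be confirmed from the hunk, as the struct definition is outside it; if the field is an enum or a narrower integer it promotes to int and the format is correct, otherwise a cast such as `(int)this->id_type` would pin it. verify() starts before and continues after this hunk.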
                
index 2e54b77..4ab486a 100644 (file)
@@ -108,6 +108,27 @@ static status_t build_payloads(private_ike_auth_t *this, message_t *message)
        me = this->ike_sa->get_my_id(this->ike_sa);
        other = this->ike_sa->get_other_id(this->ike_sa);
        
+       
+       /* create own authenticator and add auth payload */
+       policy = this->ike_sa->get_policy(this->ike_sa);
+       if (!policy)
+       {
+               SIG(IKE_UP_FAILED, "no acceptable policy found");
+               return FAILED;
+       }
+       
+       method = policy->get_auth_method(policy);
+       if (me->contains_wildcards(me))
+       {
+               me = policy->get_my_id(policy);
+               if (me->contains_wildcards(me))
+               {
+                       SIG(IKE_UP_FAILED, "negotiation of own ID failed");
+                       return FAILED;
+               }
+               this->ike_sa->set_my_id(this->ike_sa, me);
+       }
+               
        id_payload = id_payload_create_from_identification(this->initiator, me);
        message->add_payload(message, (payload_t*)id_payload);
        
@@ -118,12 +139,6 @@ static status_t build_payloads(private_ike_auth_t *this, message_t *message)
                message->add_payload(message, (payload_t*)id_payload);
        }
        
-       /* create own authenticator and add auth payload */
-       policy = this->ike_sa->get_policy(this->ike_sa);
-       if (policy)
-       {
-               method = policy->get_auth_method(policy);
-       }
        auth = authenticator_create(this->ike_sa, method);
        if (auth == NULL)
        {
@@ -198,40 +213,14 @@ static void process_payloads(private_ike_auth_t *this, message_t *message)
        
        if (this->initiator)
        {
-               identification_t *other_id = this->ike_sa->get_other_id(this->ike_sa);
-               if (!idr->matches(idr, other_id, NULL))
-               {
-                       SIG(IKE_UP_FAILED, "received inacceptable id %D, %D required", idr, 
-                               this->ike_sa->get_other_id(this->ike_sa));
-                       DESTROY_IF(idi); DESTROY_IF(idr);
-                       return;
-               }
                this->ike_sa->set_other_id(this->ike_sa, idr);
        }
        else
        {
-               identification_t *my_id = this->ike_sa->get_other_id(this->ike_sa);
                if (idr)
                {
-                       if (!idr->matches(idr, my_id, NULL))
-                       {
-                               SIG(IKE_UP_FAILED, "received inacceptable id %D, %D required",
-                                       idr, this->ike_sa->get_other_id(this->ike_sa));
-                               DESTROY_IF(idi); DESTROY_IF(idr);
-                               return;
-                       }
                        this->ike_sa->set_my_id(this->ike_sa, idr);
                }
-               else
-               {
-                       if (my_id->contains_wildcards(my_id))
-                       {
-                               SIG(IKE_UP_FAILED, "own ID (%D) not defined after exchange",
-                                       my_id);
-                               DESTROY_IF(idi);
-                               return;
-                       }
-               }
                this->ike_sa->set_other_id(this->ike_sa, idi);
        }
        
@@ -351,13 +340,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
                return collect_my_init_data(this, message);
        }
        
-       if (!this->peer_authenticated)
-       {
-               message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
-               return FAILED;
-       }
-
-       if (build_payloads(this, message) == SUCCESS)
+       if (this->peer_authenticated && build_payloads(this, message) == SUCCESS)
        {
                this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
                SIG(IKE_UP_SUCCESS, "IKE_SA established between %D[%H]...[%H]%D",
@@ -367,6 +350,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
                        this->ike_sa->get_other_id(this->ike_sa));
                return SUCCESS;
        }
+       message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
        return FAILED;
 }
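Review bot: In process_payloads the initiator branch now does `this->ike_sa->set_other_id(this->ike_sa, idr);` without the removed `idr->matches(idr, other_id, NULL)` check, so nothing visible in this hunk verifies that the IDr the responder sent is the identity the initiator was configured for. If that comparison now happens elsewhere — for instance in the policy lookup that the new build_payloads performs, or when the authenticator binds the ID to the peer's credentials — a comment at the call such as `/* IDr is matched against policy/credentials later; not checked here */` would stop a future reader from assuming the received ID is accepted unverified; if it does not happen elsewhere, the removed check should be restored, since those lines were the only enforcement of the configured peer identity visible on this page. The same applies to the responder branch, which now calls `set_my_id` with whatever IDr arrived. In build_r the `AUTHENTICATION_FAILED` notify is now also sent when build_payloads fails for a local reason (no policy, own ID still wildcarded), which is reasonable from a disclosure standpoint but deserves a one-line comment saying that local failures are intentionally reported to the peer as an authentication failure. process_payloads and build_r both start outside their hunks.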
 
index 25a281a..1046e68 100644 (file)
@@ -830,7 +830,7 @@ static char *get_interface_name(private_kernel_interface_t *this, host_t* ip)
        }
        else
        {
-               DBG1(DBG_IKE, "%H is not a local address", ip);
+               DBG2(DBG_IKE, "%H is not a local address", ip);
        }
        return name;
 }