replying to COOKIE2 mobike notify properly 4.2.2
authorMartin Willi <martin@strongswan.org>
Wed, 21 May 2008 17:56:21 +0000 (17:56 -0000)
committerMartin Willi <martin@strongswan.org>
Wed, 21 May 2008 17:56:21 +0000 (17:56 -0000)
including COOKIE2 ourselves after path probing

src/charon/encoding/message.c
src/charon/sa/tasks/ike_mobike.c

index 42d169f..9b393f0 100644 (file)
@@ -308,6 +308,10 @@ static payload_rule_t informational_i_payload_rules[] = {
  */
 static payload_order_t informational_i_payload_order[] = {
 /*     payload type                                    notify type */
+       {NOTIFY,                                                UPDATE_SA_ADDRESSES},
+       {NOTIFY,                                                NAT_DETECTION_SOURCE_IP},
+       {NOTIFY,                                                NAT_DETECTION_DESTINATION_IP},
+       {NOTIFY,                                                COOKIE2},
        {NOTIFY,                                                0},
        {DELETE,                                                0},
        {CONFIGURATION,                                 0},
@@ -329,6 +333,10 @@ static payload_rule_t informational_r_payload_rules[] = {
  */
 static payload_order_t informational_r_payload_order[] = {
 /*     payload type                                    notify type */
+       {NOTIFY,                                                UPDATE_SA_ADDRESSES},
+       {NOTIFY,                                                NAT_DETECTION_SOURCE_IP},
+       {NOTIFY,                                                NAT_DETECTION_DESTINATION_IP},
+       {NOTIFY,                                                COOKIE2},
        {NOTIFY,                                                0},
        {DELETE,                                                0},
        {CONFIGURATION,                                 0},
index 62a1ad3..c27f614 100644 (file)
@@ -23,6 +23,7 @@
 #include <sa/tasks/ike_natd.h>
 #include <encoding/payloads/notify_payload.h>
 
+#define COOKIE2_SIZE 16
 
 typedef struct private_ike_mobike_t private_ike_mobike_t;
 
@@ -120,6 +121,12 @@ static void process_payloads(private_ike_mobike_t *this, message_t *message)
                                this->ike_sa->enable_extension(this->ike_sa, EXT_MOBIKE);
                                break;
                        }
+                       case COOKIE2:
+                       {
+                               chunk_free(&this->cookie2);
+                               this->cookie2 = chunk_clone(notify->get_notification_data(notify));
+                               break;
+                       }
                        case ADDITIONAL_IP6_ADDRESS:
                        {
                                family = AF_INET6;
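Review bot: The new `COOKIE2` case clones whatever the peer sent without checking its length; a zero-length cookie ends up as an empty chunk in `this->cookie2`, and an oversized one is copied verbatim. If I recall RFC 4555 correctly, COOKIE2 data must be 8 to 64 octets, so I would bound it before storing: `chunk_t data = notify->get_notification_data(notify);` followed by `if (data.len < 8 || data.len > 64) { DBG1(DBG_IKE, "ignoring COOKIE2 with invalid length %d", data.len); break; }` and then the existing free/clone using `data`. `process_payloads` begins above this hunk, so I cannot see whether a length check already happens on the notify elsewhere.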
@@ -206,6 +213,23 @@ static void build_address_list(private_ike_mobike_t *this, message_t *message)
 }
 
 /**
+ * build a cookie and add it to the message 
+ */
+static void build_cookie(private_ike_mobike_t *this, message_t *message)
+{
+       rng_t *rng;
+
+       chunk_free(&this->cookie2);
+       rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
+       if (rng)
+       {
+               rng->allocate_bytes(rng, COOKIE2_SIZE, &this->cookie2);
+               rng->destroy(rng);
+               message->add_notify(message, FALSE, COOKIE2, this->cookie2);
+       }
+}
+
+/**
  * update addresses of associated CHILD_SAs
  */
 static void update_children(private_ike_mobike_t *this)
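Review bot: When `create_rng` returns NULL, `build_cookie` sends nothing and logs nothing, and because `process_i` keys its check on `this->cookie2.ptr`, the whole update then runs with no return-routability check and no trace of why. I would add an `else` branch, `DBG1(DBG_IKE, "no strong RNG available, sending update without COOKIE2");`, so the degraded mode is at least visible. Whether `allocate_bytes` itself can fail in this version is not visible here; if it can, its result should be checked before the notify is added. The function header should also say what the cookie is for, e.g. `/* generate a random COOKIE2, keep it in this->cookie2 to verify the peer's echo in process_i, and add it to the message */`.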
@@ -292,6 +316,7 @@ static status_t build_i(private_ike_mobike_t *this, message_t *message)
                if (this->update)
                {
                        message->add_notify(message, FALSE, UPDATE_SA_ADDRESSES, chunk_empty);
+                       build_cookie(this, message);
                        update_children(this);
                }
                if (this->address)
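Review bot: The call to `build_cookie` is added without a word on why the cookie only accompanies `UPDATE_SA_ADDRESSES` and not the address-list-only case handled just below. A one-line comment would make the intent clear, e.g. `/* COOKIE2 makes the address update return-routable: the peer must echo it and process_i verifies it */`. `build_i` starts above this hunk, so I cannot see how `this->update` is set.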
@@ -358,6 +383,11 @@ static status_t build_r(private_ike_mobike_t *this, message_t *message)
                {
                        this->natd->task.build(&this->natd->task, message);
                }
+               if (this->cookie2.ptr)
+               {
+                       message->add_notify(message, FALSE, COOKIE2, this->cookie2);
+                       chunk_free(&this->cookie2);
+               }
                if (this->update)
                {
                        update_children(this);
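Review bot: The echoed cookie is freed immediately after `add_notify`, which is only safe if `add_notify` copies the notification data; `build_i` relies on the same assumption in the opposite direction by keeping `this->cookie2` alive after the same call. If that is indeed the contract (I cannot verify it from here), a comment should pin it: `/* add_notify copies the data; drop our reference so the cookie is not echoed twice */`. `build_r` continues outside the hunk, so I cannot see whether the remaining cleanup depends on `this->cookie2` being empty.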
@@ -387,7 +417,25 @@ static status_t process_i(private_ike_mobike_t *this, message_t *message)
                        /* newer update queued, ignore this one */
                        return SUCCESS;
                }
-               process_payloads(this, message);
+               if (this->cookie2.ptr)
+               {       /* check cookie if we included none */
+                       chunk_t cookie2;
+                       
+                       cookie2 = this->cookie2;
+                       this->cookie2 = chunk_empty;
+                       process_payloads(this, message);
+                       if (!chunk_equals(cookie2, this->cookie2))
+                       {
+                               chunk_free(&cookie2);
+                               DBG1(DBG_IKE, "COOKIE2 mismatch, closing IKE_SA");
+                               return FAILED;
+                       }
+                       chunk_free(&cookie2);
+               }
+               else
+               {
+                       process_payloads(this, message);
+               }
                if (this->natd)
                {
                        this->natd->task.process(&this->natd->task, message);
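Review bot: The comment `/* check cookie if we included none */` says the opposite of what the branch does; it should read `/* we included a COOKIE2: the response must echo it; a missing or different cookie fails the exchange */`, which also documents that an absent cookie is deliberately treated as a mismatch via `chunk_equals` against an empty chunk. On the matching path `this->cookie2` still holds the cloned echo after `cookie2` is freed; adding `chunk_free(&this->cookie2);` next to the existing `chunk_free(&cookie2);` keeps the task from carrying a stale cookie, and the same applies before the `return FAILED`. Closing the IKE_SA on mismatch looks right to me for RFC 4555, but I have not re-checked the exact wording. `process_i` continues past this hunk.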