fixed different bugs when checking out ike sa and retransmitting
authorJan Hutter <jhutter@hsr.ch>
Fri, 2 Dec 2005 15:40:04 +0000 (15:40 -0000)
committerJan Hutter <jhutter@hsr.ch>
Fri, 2 Dec 2005 15:40:04 +0000 (15:40 -0000)
requests

Source/charon/config/configuration_manager.c
Source/charon/daemon.c
Source/charon/daemon.h
Source/charon/encoding/message.c
Source/charon/sa/ike_sa.c
Source/charon/sa/ike_sa_manager.c
Source/charon/sa/states/ike_auth_requested.c
Source/charon/sa/states/ike_sa_init_requested.c
Source/charon/sa/states/ike_sa_init_responded.c
Source/charon/threads/thread_pool.c

index 2f7fc09..58a831c 100644 (file)
@@ -166,7 +166,7 @@ static void load_default_config (private_configuration_manager_t *this)
        sa_config_t *sa_config1, *sa_config2, *sa_config3;
        traffic_selector_t *ts;
        
-       init_config1 = init_config_create("152.96.193.131","152.96.193.131",IKEV2_UDP_PORT,IKEV2_UDP_PORT);
+       init_config1 = init_config_create("152.96.193.130","152.96.193.131",IKEV2_UDP_PORT,IKEV2_UDP_PORT);
        init_config2 = init_config_create("152.96.193.131","152.96.193.130",IKEV2_UDP_PORT,IKEV2_UDP_PORT);
        init_config3 = init_config_create("0.0.0.0","127.0.0.1",IKEV2_UDP_PORT,IKEV2_UDP_PORT);
        ts = traffic_selector_create_from_string(1, TS_IPV4_ADDR_RANGE, "0.0.0.0", 0, "255.255.255.255", 65535);
@@ -193,15 +193,15 @@ static void load_default_config (private_configuration_manager_t *this)
        init_config3->add_proposal(init_config3,1,proposals[0]);
        init_config3->add_proposal(init_config3,1,proposals[1]);
        
-       sa_config1 = sa_config_create(ID_IPV4_ADDR, "152.96.193.131", 
-                                                                 ID_IPV4_ADDR, "152.96.193.130",
+       sa_config1 = sa_config_create(ID_IPV4_ADDR, "152.96.193.130", 
+                                                                 ID_IPV4_ADDR, "152.96.193.131",
                                                                  SHARED_KEY_MESSAGE_INTEGRITY_CODE);
                                                                  
        sa_config1->add_traffic_selector_initiator(sa_config1,ts);
        sa_config1->add_traffic_selector_responder(sa_config1,ts);
 
-       sa_config2 = sa_config_create(ID_IPV4_ADDR, "152.96.193.130", 
-                                                                 ID_IPV4_ADDR, "152.96.193.131",
+       sa_config2 = sa_config_create(ID_IPV4_ADDR, "152.96.193.131", 
+                                                                 ID_IPV4_ADDR, "152.96.193.130",
                                                                  SHARED_KEY_MESSAGE_INTEGRITY_CODE);
 
        sa_config2->add_traffic_selector_initiator(sa_config2,ts);
@@ -238,8 +238,8 @@ static void load_default_config (private_configuration_manager_t *this)
        sa_config2->add_proposal(sa_config2, &child_proposals[0]);
        sa_config3->add_proposal(sa_config3, &child_proposals[0]);
 
-       this->add_new_configuration(this,"pinflb31",init_config1,sa_config2);
-       this->add_new_configuration(this,"pinflb30",init_config2,sa_config1);
+       this->add_new_configuration(this,"pinflb31",init_config1,sa_config1);
+       this->add_new_configuration(this,"pinflb30",init_config2,sa_config2);
        this->add_new_configuration(this,"localhost",init_config3,sa_config3);
 
 }
index d1e0c13..08b759f 100644 (file)
@@ -159,7 +159,7 @@ static void build_test_jobs(private_daemon_t *this)
        for(i = 0; i<1; i++)
        {
                initiate_ike_sa_job_t *initiate_job;
-               initiate_job = initiate_ike_sa_job_create("localhost");
+               initiate_job = initiate_ike_sa_job_create("pinflb30");
                this->public.job_queue->add(this->public.job_queue, (job_t*)initiate_job);
        }
 }
index 1b50482..98d366c 100644 (file)
@@ -54,7 +54,7 @@
  * Port on which the daemon will 
  * listen for incoming traffic.
  */
-#define IKEV2_UDP_PORT 4500
+#define IKEV2_UDP_PORT 500
 
 /**
  * First retransmit timeout in milliseconds.
index b9f34e5..a6d2375 100644 (file)
@@ -145,6 +145,7 @@ static supported_payload_entry_t supported_ike_auth_i_payloads[] =
  */
 static supported_payload_entry_t supported_ike_auth_r_payloads[] =
 {
+       {NOTIFY,0,1,TRUE,TRUE},
        {CERTIFICATE,0,1,TRUE,FALSE},
        {ID_RESPONDER,0,1,TRUE,FALSE},
        {AUTHENTICATION,1,1,TRUE,FALSE},
index 6abed04..b9f80df 100644 (file)
@@ -210,7 +210,7 @@ struct private_ike_sa_t {
        /**
         * Last message id which was successfully replied.
         */
-       u_int32_t last_replied_message_id;
+       int32_t last_replied_message_id;
        
        /**
         * a logger for this IKE_SA
@@ -431,8 +431,8 @@ static status_t resend_last_reply(private_ike_sa_t *this)
 status_t retransmit_request (private_ike_sa_t *this, u_int32_t message_id)
 {
        packet_t *packet;
-       
-       if ((this->message_id_out -1) != message_id)
+               
+       if (this->last_requested_message == NULL)
        {
                return NOT_FOUND;
        }
@@ -441,12 +441,13 @@ status_t retransmit_request (private_ike_sa_t *this, u_int32_t message_id)
        {
                return NOT_FOUND;
        }
-       
-       if (this->last_requested_message == NULL)
+
+       if ((this->last_requested_message->get_message_id(this->last_requested_message)) != message_id)
        {
                return NOT_FOUND;
        }
        
+       this->logger->log(this->logger, CONTROL | MORE, "Going to retransmit message with id %d",message_id);
        packet = this->last_requested_message->get_packet(this->last_requested_message);
        charon->send_queue->add(charon->send_queue, packet);
        
@@ -713,7 +714,7 @@ static status_t send_request (private_ike_sa_t *this,message_t * message)
        }
        
        /* message counter can now be increased */
-       this->logger->log(this->logger, CONTROL|MOST, "Increase message counter for outgoing messages");
+       this->logger->log(this->logger, CONTROL|MOST, "Increase message counter for outgoing messages from %d",this->message_id_out);
        this->message_id_out++;
        return SUCCESS; 
 }
@@ -796,7 +797,10 @@ static void reset_message_buffers (private_ike_sa_t *this)
  */
 static void destroy (private_ike_sa_t *this)
 {
-       this->logger->log(this->logger, CONTROL | MORE, "Going to destroy IKE_SA");
+       this->logger->log(this->logger, CONTROL|MOST, "Going to destroy IKE SA %llu:%llu, role %s", 
+                                         this->ike_sa_id->get_initiator_spi(this->ike_sa_id),
+                                         this->ike_sa_id->get_responder_spi(this->ike_sa_id),
+                                         this->ike_sa_id->is_initiator(this->ike_sa_id) ? "initiator" : "responder");
 
        /* destroy child sa's */
        this->logger->log(this->logger, CONTROL | MOST, "Destroy all child_sa's");
index 49b8176..c2bc365 100644 (file)
@@ -219,7 +219,8 @@ static status_t get_entry_by_id(private_ike_sa_manager_t *this, ike_sa_id_t *ike
                ike_sa_entry_t *current;
                
                iterator->current(iterator, (void**)&current);
-               if (current->ike_sa_id->get_responder_spi(current->ike_sa_id) == 0) {
+               if (current->ike_sa_id->get_responder_spi(current->ike_sa_id) == 0)
+               {
                        /* seems to be a half ready ike_sa */
                        if ((current->ike_sa_id->get_initiator_spi(current->ike_sa_id) == ike_sa_id->get_initiator_spi(ike_sa_id))
                                && (ike_sa_id->is_initiator(ike_sa_id) == current->ike_sa_id->is_initiator(current->ike_sa_id)))
@@ -230,7 +231,18 @@ static status_t get_entry_by_id(private_ike_sa_manager_t *this, ike_sa_id_t *ike
                                break;
                        }
                }
-                if (current->ike_sa_id->equals(current->ike_sa_id, ike_sa_id))
+               else if (ike_sa_id->get_responder_spi(ike_sa_id) == 0)
+               {
+                       if ((current->ike_sa_id->get_initiator_spi(current->ike_sa_id) == ike_sa_id->get_initiator_spi(ike_sa_id))
+                               && (ike_sa_id->is_initiator(ike_sa_id) == current->ike_sa_id->is_initiator(current->ike_sa_id)))
+                       {
+                               this->logger->log(this->logger,CONTROL | MOST,"Found entry by initiator spi %d",ike_sa_id->get_initiator_spi(ike_sa_id));
+                               *entry = current;
+                               status = SUCCESS;
+                               break;
+                       }                       
+               }
+               if (current->ike_sa_id->equals(current->ike_sa_id, ike_sa_id))
                {
                        this->logger->log(this->logger,CONTROL | MOST,"Found entry by full ID");
                        *entry = current;
@@ -357,6 +369,7 @@ static status_t checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id,
 {
        bool responder_spi_set;
        bool initiator_spi_set;
+       bool original_initiator;
        status_t retval;
        
        /* each access is locked */
@@ -364,8 +377,10 @@ static status_t checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id,
        
        responder_spi_set = (FALSE != ike_sa_id->get_responder_spi(ike_sa_id));
        initiator_spi_set = (FALSE != ike_sa_id->get_initiator_spi(ike_sa_id));
+       original_initiator = ike_sa_id->is_initiator(ike_sa_id);
        
-       if (initiator_spi_set && responder_spi_set)
+       if ((initiator_spi_set && responder_spi_set) ||
+               ((initiator_spi_set && !responder_spi_set) && (original_initiator)))
        {
                /* we SHOULD have an IKE_SA for these SPIs in the list,
                 * if not, we can't handle the request...
@@ -422,7 +437,7 @@ static status_t checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id,
                        retval = NOT_FOUND;
                }
        }
-       else if (initiator_spi_set && !responder_spi_set)
+       else if ((initiator_spi_set && !responder_spi_set) && (!original_initiator))
        {
                /* an IKE_SA_INIT from an another endpoint,
                 * he is the initiator.
index 64881cc..723550d 100644 (file)
@@ -28,6 +28,7 @@
 #include <encoding/payloads/sa_payload.h>
 #include <encoding/payloads/id_payload.h>
 #include <encoding/payloads/auth_payload.h>
+#include <encoding/payloads/notify_payload.h>
 #include <transforms/signers/signer.h>
 #include <transforms/crypters/crypter.h>
 #include <sa/states/ike_sa_established.h>
@@ -87,7 +88,7 @@ struct private_ike_auth_requested_t {
 /**
  * Implements state_t.process_message
  */
-static status_t process_message(private_ike_auth_requested_t *this, message_t *request)
+static status_t process_message(private_ike_auth_requested_t *this, message_t *ike_auth_reply)
 {
        status_t status;
        signer_t *signer;
@@ -99,7 +100,7 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *r
        sa_payload_t *sa_payload;
        ts_payload_t *tsi_payload, *tsr_payload;
        
-       exchange_type = request->get_exchange_type(request);
+       exchange_type = ike_auth_reply->get_exchange_type(ike_auth_reply);
        if (exchange_type != IKE_AUTH)
        {
                this->logger->log(this->logger, ERROR | MORE, "Message of type %s not supported in state ike_auth_requested",
@@ -107,7 +108,7 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *r
                return FAILED;
        }
        
-       if (request->get_request(request))
+       if (ike_auth_reply->get_request(ike_auth_reply))
        {
                this->logger->log(this->logger, ERROR | MORE, "Only responses of type IKE_AUTH supported in state ike_auth_requested");
                return FAILED;
@@ -118,7 +119,7 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *r
        crypter = this->ike_sa->get_crypter_responder(this->ike_sa);
        
        /* parse incoming message */
-       status = request->parse_body(request, crypter, signer);
+       status = ike_auth_reply->parse_body(ike_auth_reply, crypter, signer);
        if (status != SUCCESS)
        {
                this->logger->log(this->logger, ERROR | MORE, "Could not parse body of request message");
@@ -128,7 +129,7 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *r
        this->sa_config = this->ike_sa->get_sa_config(this->ike_sa);
        
        /* iterate over incoming payloads. Message is verified, we can be sure there are the required payloads */
-       payloads = request->get_payload_iterator(request);
+       payloads = ike_auth_reply->get_payload_iterator(ike_auth_reply);
        while (payloads->has_next(payloads))
        {
                payload_t *payload;
@@ -166,10 +167,43 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *r
                                tsr_payload = (ts_payload_t*)payload;
                                break;  
                        }
+                       case NOTIFY:
+                       {
+                               notify_payload_t *notify_payload = (notify_payload_t *) payload;
+                               
+                               
+                               this->logger->log(this->logger, CONTROL|MORE, "Process notify type %s for protocol %s",
+                                                                 mapping_find(notify_message_type_m, notify_payload->get_notify_message_type(notify_payload)),
+                                                                 mapping_find(protocol_id_m, notify_payload->get_protocol_id(notify_payload)));
+                                                                 
+                               if (notify_payload->get_protocol_id(notify_payload) != IKE)
+                               {
+                                       this->logger->log(this->logger, ERROR | MORE, "Notify reply not for IKE protocol.");
+                                       payloads->destroy(payloads);
+                                       return FAILED;  
+                               }
+                               
+                               switch (notify_payload->get_notify_message_type(notify_payload))
+                               {
+                                       default:
+                                       {
+                                               /*
+                                                * If an unrecognized Notify type is received, the IKE_SA gets destroyed.
+                                                * 
+                                                */
+                                               
+                                               this->logger->log(this->logger, ERROR, "Notify type %s not recognized in state ike_auth_requested.",
+                                                                                 mapping_find(notify_message_type_m,notify_payload->get_notify_message_type(notify_payload)));
+                                               payloads->destroy(payloads);
+                                               return DELETE_ME;       
+                                       }
+                               }
+                       }
                        default:
                        {
-                               /* can't happen, since message is verified, notify's? */
-                               break;
+                               this->logger->log(this->logger, ERROR, "Payload type %s not supported in state ike_auth_requested!", mapping_find(payload_type_m, payload->get_type(payload)));
+                               payloads->destroy(payloads);
+                               return FAILED;
                        }
                }
        }
@@ -208,7 +242,7 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *r
                return status;
        }
 
-       this->ike_sa->set_last_replied_message_id(this->ike_sa,request->get_message_id(request));
+       this->ike_sa->set_last_replied_message_id(this->ike_sa,ike_auth_reply->get_message_id(ike_auth_reply));
        this->logger->log(this->logger, CONTROL | MORE, "IKE_AUTH response successfully handled. IKE_SA established.");
        
        /* create new state */
index ebca25f..806c024 100644 (file)
@@ -391,7 +391,8 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
                request->destroy(request);
                return DELETE_ME;
        }
-       this->ike_sa->set_last_replied_message_id(this->ike_sa,request->get_message_id(request));
+       
+       this->ike_sa->set_last_replied_message_id(this->ike_sa,ike_sa_init_reply->get_message_id(ike_sa_init_reply));
 
        /* state can now be changed */
        this->logger->log(this->logger, CONTROL|MOST, "Create next state object");
index ddc9c40..ac8566d 100644 (file)
@@ -162,8 +162,9 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
                        }
                        default:
                        {
-                               /* can't happen, since message is verified, notify's? */
-                               break;
+                               this->logger->log(this->logger, ERROR, "Payload type %s not supported in state ike_auth_requested!", mapping_find(payload_type_m, payload->get_type(payload)));
+                               payloads->destroy(payloads);
+                               return FAILED;
                        }
                }
        }
index 87f2523..26c4d1f 100644 (file)
@@ -342,6 +342,7 @@ static void process_retransmit_request_job(private_thread_pool_t *this, retransm
        status = charon->ike_sa_manager->checkout(charon->ike_sa_manager,ike_sa_id, &ike_sa);
        if (status != SUCCESS)
        {
+               job->destroy(job);
                this->worker_logger->log(this->worker_logger, ERROR, "IKE SA could not be checked out. Allready deleted?");
                return;
        }