- code cleaned
authorJan Hutter <jhutter@hsr.ch>
Tue, 6 Dec 2005 10:12:42 +0000 (10:12 -0000)
committerJan Hutter <jhutter@hsr.ch>
Tue, 6 Dec 2005 10:12:42 +0000 (10:12 -0000)
Source/charon/sa/states/ike_auth_requested.c
Source/charon/sa/states/ike_auth_requested.h

index 7e01fcf..69ccd0b 100644 (file)
@@ -42,22 +42,22 @@ typedef struct private_ike_auth_requested_t private_ike_auth_requested_t;
  */
 struct private_ike_auth_requested_t {
        /**
-        * methods of the state_t interface
+        * Public interface of ike_auth_requested_t.
         */
        ike_auth_requested_t public;
        
        /**
-        * Assigned IKE_SA
+        * Assigned IKE_SA.
         */
         protected_ike_sa_t *ike_sa;
         
        /**
-        * SA config, just a copy of the one stored in the ike_sa
+        * SA config, just a copy of the one stored in the ike_sa.
         */
        sa_config_t *sa_config; 
        
        /**
-        * Received nonce from responder
+        * Received nonce from responder.
         */
        chunk_t received_nonce;
        
@@ -72,29 +72,55 @@ struct private_ike_auth_requested_t {
        chunk_t ike_sa_init_reply_data;
         
        /**
-        * Logger used to log data 
+        * Assigned Logger.
         * 
         * Is logger of ike_sa!
         */
        logger_t *logger;
        
        /**
-        * process the IDr payload (check if other id is valid)
+        * Process the IDr payload (check if other id is valid)
+        * 
+        * @param this                  calling object
+        * @param idr_payload   ID payload of responder
+        * @return                              
+        *                                              - SUCCESS
+        *                                              - DELETE_ME
         */
        status_t (*process_idr_payload) (private_ike_auth_requested_t *this, id_payload_t *idr_payload);
        
        /**
-        * process the SA payload (check if selected proposals are valid, setup child sa)
+        * Process the SA payload (check if selected proposals are valid, setup child sa)
+        * 
+        * @param this                  calling object
+        * @param sa_payload    SA payload of responder
+        *
+        *                                              - SUCCESS
+        *                                              - DELETE_ME
         */
        status_t (*process_sa_payload) (private_ike_auth_requested_t *this, sa_payload_t *sa_payload);
        
        /**
-        * process the AUTH payload (check authenticity of message)
+        * Process the AUTH payload (check authenticity of message)
+        * 
+        * @param this                          calling object
+        * @param auth_payload          AUTH payload of responder
+        * @param other_id_payload      ID payload of responder
+        *
+        *                                              - SUCCESS
+        *                                              - DELETE_ME
         */
        status_t (*process_auth_payload) (private_ike_auth_requested_t *this, auth_payload_t *auth_payload, id_payload_t *other_id_payload);
        
        /**
-        * process the TS payload (check if selected traffic selectors are valid)
+        * Process the TS payload (check if selected traffic selectors are valid)
+        * 
+        * @param this                  calling object
+        * @param ts_initiator  TRUE if TS payload is TSi, FALSE for TSr
+        * @param ts_payload    TS payload of responder
+        *
+        *                                              - SUCCESS
+        *                                              - DELETE_ME
         */
        status_t (*process_ts_payload) (private_ike_auth_requested_t *this, bool ts_initiator, ts_payload_t *ts_payload);
         
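Review bot: The return lists added for process_sa_payload, process_auth_payload and process_ts_payload lack the `@return` tag that the process_idr_payload comment has, so Doxygen will most likely attach the `- SUCCESS` / `- DELETE_ME` bullets to the preceding `@param`. Replacing the bare ` *` line in front of each of the three lists with ` * @return` fixes this. The struct definition starts and ends outside the hunk.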
@@ -106,21 +132,19 @@ struct private_ike_auth_requested_t {
  */
 static status_t process_message(private_ike_auth_requested_t *this, message_t *ike_auth_reply)
 {
-       status_t status;
-       signer_t *signer;
-       crypter_t *crypter;
-       iterator_t *payloads;
-       exchange_type_t exchange_type;
+       ts_payload_t *tsi_payload, *tsr_payload;
        id_payload_t *idr_payload = NULL;
        auth_payload_t *auth_payload;
        sa_payload_t *sa_payload;
-       ts_payload_t *tsi_payload, *tsr_payload;
+       iterator_t *payloads;
+       crypter_t *crypter;
+       signer_t *signer;
+       status_t status;
        
-       exchange_type = ike_auth_reply->get_exchange_type(ike_auth_reply);
-       if (exchange_type != IKE_AUTH)
+       if (ike_auth_reply->get_exchange_type(ike_auth_reply) != IKE_AUTH)
        {
                this->logger->log(this->logger, ERROR | MORE, "Message of type %s not supported in state ike_auth_requested",
-                                                       mapping_find(exchange_type_m,exchange_type));
+                                                       mapping_find(exchange_type_m,ike_auth_reply->get_exchange_type(ike_auth_reply)));
                return FAILED;
        }
        
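Review bot: The rejected exchange type is still printed with `%s` through `mapping_find(exchange_type_m, ...)`, while later hunks of this commit switch the unknown notify and payload logs to `%d`. The value comes from the received message, and how mapping_find behaves for an unmapped value is not visible here, so logging the raw value with `"Message of type %d not supported in state ike_auth_requested"` would be the consistent choice. The getter is also now called twice, once in the condition and once in the log argument, where the removed local kept the two in agreement. process_message continues outside the hunk.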
@@ -196,7 +220,7 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *i
                                {
                                        this->logger->log(this->logger, ERROR | MORE, "Notify reply not for IKE protocol");
                                        payloads->destroy(payloads);
-                                       return FAILED;  
+                                       return DELETE_ME;       
                                }
                                
                                switch (notify_payload->get_notify_message_type(notify_payload))
@@ -224,22 +248,32 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *i
                                        default:
                                        {
                                                /*
-                                                * If an unrecognized Notify type is received, the IKE_SA gets destroyed.
+                                                * - In case of unknown error: IKE_SA gets destroyed.
+                                                * - In case of unknown status: logging
                                                 * 
                                                 */
-                                               
-                                               this->logger->log(this->logger, ERROR, "Notify type %s not recognized in state ike_auth_requested.",
-                                                                                 mapping_find(notify_message_type_m,notify_payload->get_notify_message_type(notify_payload)));
-                                               payloads->destroy(payloads);
-                                               return DELETE_ME;       
+                                               notify_message_type_t notify_message_type = notify_payload->get_notify_message_type(notify_payload);
+                                               if (notify_message_type < 16383)
+                                               {
+                                                       this->logger->log(this->logger, ERROR, "Notify error type %d not recognized in state IKE_AUTH_REQUESTED.",
+                                                                                         notify_message_type);
+                                                       payloads->destroy(payloads);
+                                                       return DELETE_ME;       
+
+                                               }
+                                               else
+                                               {
+                                                       this->logger->log(this->logger, ERROR, "Notify status type %d not handled in state IKE_AUTH_REQUESTED.",
+                                                                                         notify_message_type);
+                                                       break;
+                                               }
                                        }
                                }
                        }
                        default:
                        {
-                               this->logger->log(this->logger, ERROR, "Payload type %s not supported in state ike_auth_requested!", mapping_find(payload_type_m, payload->get_type(payload)));
-                               payloads->destroy(payloads);
-                               return FAILED;
+                               this->logger->log(this->logger, ERROR, "Payload id %d not handled in state IKE_AUTH_REQUESTED", payload->get_type(payload));
+                               break;
                        }
                }
        }
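Review bot: The bound in `if (notify_message_type < 16383)` is off by one: IKEv2 reserves notify types 0–16383 for errors and starts status types at 16384, so type 16383 is logged as a status and ignored instead of ending in DELETE_ME. `if (notify_message_type < 16384)`, ideally through a named constant, matches the split. The new `break` in the status branch only leaves the inner switch, and no `break` is visible between the inner switch's closing brace and the outer `default:`, so an unhandled status notify appears to fall through and also log "Payload id %d not handled"; a `break;` after the inner switch would prevent that. The outer `default` now continues past unsupported payloads, and whether the critical flag of such payloads is checked elsewhere is not visible in this hunk. process_message starts and ends outside the hunk.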
@@ -308,7 +342,7 @@ static status_t process_idr_payload(private_ike_auth_requested_t *this, id_paylo
                {
                        other_id->destroy(other_id);
                        this->logger->log(this->logger, ERROR, "IKE_AUTH reply didn't contain requested id");
-                       return FAILED;  
+                       return DELETE_ME;       
                }
        }
        
@@ -335,13 +369,13 @@ static status_t process_sa_payload(private_ike_auth_requested_t *this, sa_payloa
        if (status != SUCCESS)
        {
                this->logger->log(this->logger, ERROR, "responders sa payload contained no proposals");
-               return FAILED;
+               return DELETE_ME;
        }
        if (proposal_count > 1)
        {
                allocator_free(proposals);
                this->logger->log(this->logger, ERROR, "responders sa payload contained more than one proposal");
-               return FAILED;
+               return DELETE_ME;
        }
        
        proposal_chosen = this->sa_config->select_proposal(this->sa_config, ah_spi, esp_spi, proposals, proposal_count);
@@ -349,7 +383,7 @@ static status_t process_sa_payload(private_ike_auth_requested_t *this, sa_payloa
        {
                this->logger->log(this->logger, ERROR, "responder selected an not offered proposal");
                allocator_free(proposals);
-               return FAILED;
+               return DELETE_ME;
        }
        else
        {
@@ -377,7 +411,7 @@ static status_t process_auth_payload(private_ike_auth_requested_t *this, auth_pa
        if (status != SUCCESS)
        {
                this->logger->log(this->logger, ERROR, "Could not verify AUTH data. Error status: %s",mapping_find(status_m,status));
-               return FAILED;  
+               return DELETE_ME;       
        }
 
        this->logger->log(this->logger, CONTROL | MORE, "AUTH data verified");
@@ -408,7 +442,7 @@ static status_t process_ts_payload(private_ike_auth_requested_t *this, bool ts_i
        if (ts_selected_count != ts_received_count)
        {
                this->logger->log(this->logger, ERROR, "responder selected invalid traffic selectors");
-               status = FAILED;        
+               status = DELETE_ME;     
        }
        
        /* cleanup */
index c4caaca..677b19d 100644 (file)
@@ -33,14 +33,17 @@ typedef struct ike_auth_requested_t ike_auth_requested_t;
  * @brief This class represents an IKE_SA, which has requested an IKE_AUTH.
  * 
  * The state accpets IKE_AUTH responses. It proves the authenticity
- * and sets up the first child sa. After that, it processes to the 
- * IKE_SA_ESTABLISHED state.
+ * and sets up the first child sa. After that, it changes IKE_SA state to 
+ * IKE_SA_ESTABLISHED.
+ * 
+ * @ Constructors:
+ *  - ike_auth_requested_create()
  * 
  * @ingroup states
  */
 struct ike_auth_requested_t {
        /**
-        * methods of the state_t interface
+        * The state_t interface.
         */
        state_t state_interface;
 
@@ -49,12 +52,17 @@ struct ike_auth_requested_t {
 /**
  * Constructor of class ike_auth_requested_t
  * 
- * @param ike_sa               assigned ike_sa object
- * @param received_nonce       Received nonce value
- * @return                             created ike_auth_requested_t object
+ * @param ike_sa                                       assigned ike_sa object
+ * @param sent_nonce                           Sent nonce value in IKE_SA_INIT request
+ * @param received_nonce                       Received nonce value in IKE_SA_INIT response
+ * @param ike_sa_init_reply_data               binary representation of IKE_SA_INIT reply 
+ * @return                                                     created ike_auth_requested_t object
  * 
  * @ingroup states
  */
-ike_auth_requested_t *ike_auth_requested_create(protected_ike_sa_t *ike_sa,chunk_t sent_nonce,chunk_t received_nonce,chunk_t ike_sa_init_repy_data);
+ike_auth_requested_t *ike_auth_requested_create(protected_ike_sa_t *ike_sa,
+                                                                                               chunk_t sent_nonce,
+                                                                                               chunk_t received_nonce,
+                                                                                               chunk_t ike_sa_init_reply_data);
 
 #endif /*IKE_AUTH_REQUESTED_H_*/