fixed notify handling in IKE_AUTH
authorMartin Willi <martin@strongswan.org>
Tue, 6 Mar 2007 20:58:39 +0000 (20:58 -0000)
committerMartin Willi <martin@strongswan.org>
Tue, 6 Mar 2007 20:58:39 +0000 (20:58 -0000)
moved nonce payload before TS in CHILD_SA setup

src/charon/sa/tasks/child_create.c
src/charon/sa/tasks/ike_auth.c

index 6e74f9d..b6ce648 100644 (file)
@@ -330,12 +330,6 @@ static void build_payloads(private_child_create_t *this, message_t *message)
        }
        message->add_payload(message, (payload_t*)sa_payload);
        
-       /* add TSi/TSr payloads */
-       ts_payload = ts_payload_create_from_traffic_selectors(TRUE, this->tsi);
-       message->add_payload(message, (payload_t*)ts_payload);
-       ts_payload = ts_payload_create_from_traffic_selectors(FALSE, this->tsr);
-       message->add_payload(message, (payload_t*)ts_payload);
-       
        /* add nonce payload if not in IKE_AUTH */
        if (message->get_exchange_type(message) == CREATE_CHILD_SA)
        {
@@ -344,6 +338,12 @@ static void build_payloads(private_child_create_t *this, message_t *message)
                message->add_payload(message, (payload_t*)nonce_payload);
        }
        
+       /* add TSi/TSr payloads */
+       ts_payload = ts_payload_create_from_traffic_selectors(TRUE, this->tsi);
+       message->add_payload(message, (payload_t*)ts_payload);
+       ts_payload = ts_payload_create_from_traffic_selectors(FALSE, this->tsr);
+       message->add_payload(message, (payload_t*)ts_payload);
+
        /* add a notify if we are not in tunnel mode */
        switch (this->mode)
        {
@@ -590,13 +590,25 @@ static status_t process_i(private_child_create_t *this, message_t *message)
                        notify_payload_t *notify = (notify_payload_t*)payload;
                        notify_type_t type = notify->get_notify_type(notify);
                        
-                       if (type < 16383)
+                       switch (type)
                        {
-                               SIG(CHILD_UP_FAILED, "received %N notify error",
-                                       notify_type_names, type);
-                               iterator->destroy(iterator);
-                               /* an error in CHILD_SA creation is not critical */
-                               return SUCCESS; 
+                               /* handle notify errors related to CHILD_SA only */
+                               case NO_PROPOSAL_CHOSEN:
+                               case SINGLE_PAIR_REQUIRED:
+                               case NO_ADDITIONAL_SAS:
+                               case INTERNAL_ADDRESS_FAILURE:
+                               case FAILED_CP_REQUIRED:
+                               case TS_UNACCEPTABLE:
+                               case INVALID_SELECTORS:
+                               {
+                                       SIG(CHILD_UP_FAILED, "received %N notify, no CHILD_SA built",
+                                               notify_type_names, type);
+                                       iterator->destroy(iterator);
+                                       /* an error in CHILD_SA creation is not critical */
+                                       return SUCCESS;
+                               }
+                               default:
+                                       break;
                        }
                }
        }
index bbc1742..74918d5 100644 (file)
@@ -386,10 +386,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
                                case INVALID_SELECTORS:
                                        /* these are errors, but are not critical as only the
                                         * CHILD_SA won't get build, but IKE_SA establishes anyway */
-                                       DBG1(DBG_IKE, "received %N notify, no CHILD_SA built",
-                                                notify_type_names, type);
-                                       iterator->destroy(iterator);
-                                       return SUCCESS; 
+                                        break;
                                default:
                                {
                                        if (type < 16383)