diff options
author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2008-10-29 20:30:44 +0000 |
---|---|---|
committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2008-10-29 20:30:44 +0000 |
commit | 74f0bbfc53cb5fa519e4e27ece53735ab51b397c (patch) | |
tree | 0dbab9c835be15577ff05b474b6361bb326d66ce /src/charon/sa/tasks | |
parent | 5c1fa2516bda1ccf8eb00178c0beb196c2020a94 (diff) | |
download | vyos-strongswan-74f0bbfc53cb5fa519e4e27ece53735ab51b397c.tar.gz vyos-strongswan-74f0bbfc53cb5fa519e4e27ece53735ab51b397c.zip |
- New upstream release.
Diffstat (limited to 'src/charon/sa/tasks')
-rw-r--r-- | src/charon/sa/tasks/child_create.c | 187 | ||||
-rw-r--r-- | src/charon/sa/tasks/child_delete.c | 48 | ||||
-rw-r--r-- | src/charon/sa/tasks/ike_auth.c | 131 | ||||
-rw-r--r-- | src/charon/sa/tasks/ike_cert_post.c | 9 | ||||
-rw-r--r-- | src/charon/sa/tasks/ike_cert_pre.c | 43 | ||||
-rw-r--r-- | src/charon/sa/tasks/ike_config.c | 7 | ||||
-rw-r--r-- | src/charon/sa/tasks/ike_delete.c | 35 | ||||
-rw-r--r-- | src/charon/sa/tasks/ike_init.c | 38 | ||||
-rw-r--r-- | src/charon/sa/tasks/ike_me.c | 18 | ||||
-rw-r--r-- | src/charon/sa/tasks/ike_mobike.c | 73 | ||||
-rw-r--r-- | src/charon/sa/tasks/ike_mobike.h | 7 | ||||
-rw-r--r-- | src/charon/sa/tasks/ike_natd.c | 45 | ||||
-rw-r--r-- | src/charon/sa/tasks/ike_natd.h | 11 | ||||
-rw-r--r-- | src/charon/sa/tasks/ike_reauth.c | 5 | ||||
-rw-r--r-- | src/charon/sa/tasks/ike_rekey.c | 22 |
15 files changed, 503 insertions, 176 deletions
diff --git a/src/charon/sa/tasks/child_create.c b/src/charon/sa/tasks/child_create.c index 4638da03e..bddca621b 100644 --- a/src/charon/sa/tasks/child_create.c +++ b/src/charon/sa/tasks/child_create.c @@ -14,7 +14,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * $Id: child_create.c 3920 2008-05-08 16:19:11Z tobias $ + * $Id: child_create.c 4358 2008-09-25 13:56:23Z tobias $ */ #include "child_create.h" @@ -26,6 +26,7 @@ #include <encoding/payloads/ts_payload.h> #include <encoding/payloads/nonce_payload.h> #include <encoding/payloads/notify_payload.h> +#include <processing/jobs/delete_ike_sa_job.h> typedef struct private_child_create_t private_child_create_t; @@ -98,7 +99,7 @@ struct private_child_create_t { /** * mode the new CHILD_SA uses (transport/tunnel/beet) */ - mode_t mode; + ipsec_mode_t mode; /** * IPComp transform to use @@ -198,12 +199,12 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh) if (this->proposals == NULL) { - SIG(CHILD_UP_FAILED, "SA payload missing in message"); + SIG_CHD(UP_FAILED, this->child_sa, "SA payload missing in message"); return FAILED; } if (this->tsi == NULL || this->tsr == NULL) { - SIG(CHILD_UP_FAILED, "TS payloads missing in message"); + SIG_CHD(UP_FAILED, this->child_sa, "TS payloads missing in message"); return NOT_FOUND; } @@ -231,7 +232,7 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh) no_dh); if (this->proposal == NULL) { - SIG(CHILD_UP_FAILED, "no acceptable proposal found"); + SIG_CHD(UP_FAILED, this->child_sa, "no acceptable proposal found"); return FAILED; } @@ -242,15 +243,15 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh) if (this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP, &group, NULL)) { - SIG(CHILD_UP_FAILED, "DH group %N inacceptable, requesting %N", - diffie_hellman_group_names, this->dh_group, - diffie_hellman_group_names, group); + SIG_CHD(UP_FAILED, this->child_sa, "DH group %N inacceptable, " + "requesting %N", diffie_hellman_group_names, this->dh_group, + diffie_hellman_group_names, group); this->dh_group = group; return INVALID_ARG; } else { - SIG(CHILD_UP_FAILED, "no acceptable proposal found"); + SIG_CHD(UP_FAILED, this->child_sa, "no acceptable proposal found"); return FAILED; } } @@ -278,7 +279,7 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh) { my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy)); other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy)); - SIG(CHILD_UP_FAILED, "no acceptable traffic selectors found"); + SIG_CHD(UP_FAILED, this->child_sa, "no acceptable traffic selectors found"); return NOT_FOUND; } @@ -330,7 +331,7 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh) { if (this->dh->get_shared_secret(this->dh, &secret) != SUCCESS) { - SIG(CHILD_UP_FAILED, "DH exchange incomplete"); + SIG_CHD(UP_FAILED, this->child_sa, "DH exchange incomplete"); return FAILED; } DBG3(DBG_IKE, "DH secret %B", &secret); @@ -340,7 +341,6 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh) { seed = chunk_cata("cc", nonce_i, nonce_r); } - prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed); if (this->ipcomp != IPCOMP_NONE) { @@ -348,6 +348,16 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh) this->other_cpi); } + status = this->child_sa->add_policies(this->child_sa, my_ts, other_ts, + this->mode, this->proposal->get_protocol(this->proposal)); + if (status != SUCCESS) + { + SIG_CHD(UP_FAILED, this->child_sa, + "unable to install IPsec policies (SPD) in kernel"); + return NOT_FOUND; + } + + prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed); if (this->initiator) { status = this->child_sa->update(this->child_sa, this->proposal, @@ -362,18 +372,10 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh) if (status != SUCCESS) { - SIG(CHILD_UP_FAILED, "unable to install IPsec SA (SAD) in kernel"); + SIG_CHD(UP_FAILED, this->child_sa, + "unable to install IPsec SA (SAD) in kernel"); return FAILED; } - - status = this->child_sa->add_policies(this->child_sa, my_ts, other_ts, - this->mode); - - if (status != SUCCESS) - { - SIG(CHILD_UP_FAILED, "unable to install IPsec policies (SPD) in kernel"); - return NOT_FOUND; - } /* add to IKE_SA, and remove from task */ this->child_sa->set_state(this->child_sa, CHILD_INSTALLED); this->ike_sa->add_child_sa(this->ike_sa, this->child_sa); @@ -440,29 +442,30 @@ static void build_payloads(private_child_create_t *this, message_t *message) /** * Adds an IPCOMP_SUPPORTED notify to the message, if possible */ -static void build_ipcomp_supported_notify(private_child_create_t *this, message_t *message) +static void build_ipcomp_supported_notify(private_child_create_t *this, + message_t *message) { + u_int16_t cpi; + u_int8_t tid; + if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY)) { - DBG1(DBG_IKE, "IPComp is not supported if either peer is natted, IPComp is disabled"); + DBG1(DBG_IKE, "IPComp is not supported if either peer is natted, " + "IPComp disabled"); this->ipcomp = IPCOMP_NONE; return; } - u_int16_t cpi = this->child_sa->get_my_cpi(this->child_sa); + cpi = this->child_sa->allocate_cpi(this->child_sa); + tid = this->ipcomp; if (cpi) { - chunk_t cpi_chunk, tid_chunk, data; - u_int8_t tid = this->ipcomp; - cpi_chunk = chunk_from_thing(cpi); - tid_chunk = chunk_from_thing(tid); - data = chunk_cat("cc", cpi_chunk, tid_chunk); - message->add_notify(message, FALSE, IPCOMP_SUPPORTED, data); - chunk_free(&data); + message->add_notify(message, FALSE, IPCOMP_SUPPORTED, + chunk_cata("cc", chunk_from_thing(cpi), chunk_from_thing(tid))); } else { - DBG1(DBG_IKE, "unable to allocate a CPI from kernel, IPComp is disabled"); + DBG1(DBG_IKE, "unable to allocate a CPI from kernel, IPComp disabled"); this->ipcomp = IPCOMP_NONE; } } @@ -587,7 +590,16 @@ static status_t build_i(private_child_create_t *this, message_t *message) break; } - SIG(CHILD_UP_START, "establishing CHILD_SA"); + if (this->reqid) + { + SIG_CHD(UP_START, NULL, "establishing CHILD_SA %s{%d}", + this->config->get_name(this->config), this->reqid); + } + else + { + SIG_CHD(UP_START, NULL, "establishing CHILD_SA %s", + this->config->get_name(this->config)); + } /* reuse virtual IP if we already have one */ me = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE); @@ -638,7 +650,8 @@ static status_t build_i(private_child_create_t *this, message_t *message) if (this->child_sa->alloc(this->child_sa, this->proposals) != SUCCESS) { - SIG(CHILD_UP_FAILED, "unable to allocate SPIs from kernel"); + SIG_CHD(UP_FAILED, this->child_sa, + "unable to allocate SPIs from kernel"); return FAILED; } @@ -720,10 +733,31 @@ static status_t process_r(private_child_create_t *this, message_t *message) } /** + * handle CHILD_SA setup failure + */ +static void handle_child_sa_failure(private_child_create_t *this, + message_t *message) +{ + if (message->get_exchange_type(message) == IKE_AUTH && + lib->settings->get_bool(lib->settings, + "charon.close_ike_on_child_failure", FALSE)) + { + /* we delay the delete for 100ms, as the IKE_AUTH response must arrive + * first */ + DBG1(DBG_IKE, "closing IKE_SA due CHILD_SA setup failure"); + charon->scheduler->schedule_job(charon->scheduler, (job_t*) + delete_ike_sa_job_create(this->ike_sa->get_id(this->ike_sa), TRUE), + 100); + } +} + +/** * Implementation of task_t.build for responder */ static status_t build_r(private_child_create_t *this, message_t *message) { + payload_t *payload; + iterator_t *iterator; bool no_dh = TRUE; switch (message->get_exchange_type(message)) @@ -733,7 +767,8 @@ static status_t build_r(private_child_create_t *this, message_t *message) case CREATE_CHILD_SA: if (generate_nonce(&this->my_nonce) != SUCCESS) { - message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty); + message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, + chunk_empty); return SUCCESS; } no_dh = FALSE; @@ -750,19 +785,47 @@ static status_t build_r(private_child_create_t *this, message_t *message) if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING) { - SIG(CHILD_UP_FAILED, "unable to create CHILD_SA while rekeying IKE_SA"); + SIG_CHD(UP_FAILED, NULL, + "unable to create CHILD_SA while rekeying IKE_SA"); message->add_notify(message, TRUE, NO_ADDITIONAL_SAS, chunk_empty); return SUCCESS; } if (this->config == NULL) { - SIG(CHILD_UP_FAILED, "traffic selectors %#R=== %#R inacceptable", + SIG_CHD(UP_FAILED, NULL, "traffic selectors %#R=== %#R inacceptable", this->tsr, this->tsi); message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty); + handle_child_sa_failure(this, message); return SUCCESS; } + /* check if ike_config_t included non-critical error notifies */ + iterator = message->get_payload_iterator(message); + while (iterator->iterate(iterator, (void**)&payload)) + { + if (payload->get_type(payload) == NOTIFY) + { + notify_payload_t *notify = (notify_payload_t*)payload; + + switch (notify->get_notify_type(notify)) + { + case INTERNAL_ADDRESS_FAILURE: + case FAILED_CP_REQUIRED: + { + SIG_CHD(UP_FAILED, NULL, "configuration payload negotation " + "failed, no CHILD_SA built"); + iterator->destroy(iterator); + handle_child_sa_failure(this, message); + return SUCCESS; + } + default: + break; + } + } + } + iterator->destroy(iterator); + this->child_sa = child_sa_create( this->ike_sa->get_my_host(this->ike_sa), this->ike_sa->get_other_host(this->ike_sa), @@ -770,14 +833,16 @@ static status_t build_r(private_child_create_t *this, message_t *message) this->ike_sa->get_other_id(this->ike_sa), this->config, this->reqid, this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY)); - if (this->config->use_ipcomp(this->config) && this->ipcomp_received != IPCOMP_NONE) + if (this->config->use_ipcomp(this->config) && + this->ipcomp_received != IPCOMP_NONE) { this->ipcomp = this->ipcomp_received; build_ipcomp_supported_notify(this, message); } else if (this->ipcomp_received != IPCOMP_NONE) { - DBG1(DBG_IKE, "received IPCOMP_SUPPORTED notify but IPComp is disabled, ignoring"); + DBG1(DBG_IKE, "received %N notify but IPComp is disabled, ignoring", + notify_type_names, IPCOMP_SUPPORTED); } switch (select_and_install(this, no_dh)) @@ -786,24 +851,33 @@ static status_t build_r(private_child_create_t *this, message_t *message) break; case NOT_FOUND: message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty); + handle_child_sa_failure(this, message); return SUCCESS; case INVALID_ARG: { u_int16_t group = htons(this->dh_group); message->add_notify(message, FALSE, INVALID_KE_PAYLOAD, chunk_from_thing(group)); + handle_child_sa_failure(this, message); return SUCCESS; } case FAILED: default: message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty); + handle_child_sa_failure(this, message); return SUCCESS; } build_payloads(this, message); - SIG(CHILD_UP_SUCCESS, "CHILD_SA '%s' established successfully", - this->child_sa->get_name(this->child_sa)); + SIG_CHD(UP_SUCCESS, this->child_sa, "CHILD_SA %s{%d} established " + "with SPIs %.8x_i %.8x_o and TS %#R=== %#R", + this->child_sa->get_name(this->child_sa), + this->child_sa->get_reqid(this->child_sa), + ntohl(this->child_sa->get_spi(this->child_sa, TRUE)), + ntohl(this->child_sa->get_spi(this->child_sa, FALSE)), + this->child_sa->get_traffic_selectors(this->child_sa, TRUE), + this->child_sa->get_traffic_selectors(this->child_sa, FALSE)); return SUCCESS; } @@ -855,9 +929,10 @@ static status_t process_i(private_child_create_t *this, message_t *message) case TS_UNACCEPTABLE: case INVALID_SELECTORS: { - SIG(CHILD_UP_FAILED, "received %N notify, no CHILD_SA built", - notify_type_names, type); + SIG_CHD(UP_FAILED, this->child_sa, "received %N notify, " + "no CHILD_SA built", notify_type_names, type); iterator->destroy(iterator); + handle_child_sa_failure(this, message); /* an error in CHILD_SA creation is not critical */ return SUCCESS; } @@ -888,8 +963,9 @@ static status_t process_i(private_child_create_t *this, message_t *message) if (this->ipcomp == IPCOMP_NONE && this->ipcomp_received != IPCOMP_NONE) { - SIG(CHILD_UP_FAILED, "received an IPCOMP_SUPPORTED notify but we did not " - "send one previously, no CHILD_SA built"); + SIG_CHD(UP_FAILED, this->child_sa, "received an IPCOMP_SUPPORTED notify" + " but we did not send one previously, no CHILD_SA built"); + handle_child_sa_failure(this, message); return SUCCESS; } else if (this->ipcomp != IPCOMP_NONE && this->ipcomp_received == IPCOMP_NONE) @@ -900,15 +976,26 @@ static status_t process_i(private_child_create_t *this, message_t *message) } else if (this->ipcomp != IPCOMP_NONE && this->ipcomp != this->ipcomp_received) { - SIG(CHILD_UP_FAILED, "received an IPCOMP_SUPPORTED notify for a transform " - "we did not propose, no CHILD_SA built"); + SIG_CHD(UP_FAILED, this->child_sa, "received an IPCOMP_SUPPORTED notify" + " for a transform we did not propose, no CHILD_SA built"); + handle_child_sa_failure(this, message); return SUCCESS; } if (select_and_install(this, no_dh) == SUCCESS) { - SIG(CHILD_UP_SUCCESS, "CHILD_SA '%s' established successfully", - this->child_sa->get_name(this->child_sa)); + SIG_CHD(UP_SUCCESS, this->child_sa, "CHILD_SA %s{%d} established " + "with SPIs %.8x_i %.8x_o and TS %#R=== %#R", + this->child_sa->get_name(this->child_sa), + this->child_sa->get_reqid(this->child_sa), + ntohl(this->child_sa->get_spi(this->child_sa, TRUE)), + ntohl(this->child_sa->get_spi(this->child_sa, FALSE)), + this->child_sa->get_traffic_selectors(this->child_sa, TRUE), + this->child_sa->get_traffic_selectors(this->child_sa, FALSE)); + } + else + { + handle_child_sa_failure(this, message); } return SUCCESS; } diff --git a/src/charon/sa/tasks/child_delete.c b/src/charon/sa/tasks/child_delete.c index 4156f9704..a3c74dc90 100644 --- a/src/charon/sa/tasks/child_delete.c +++ b/src/charon/sa/tasks/child_delete.c @@ -12,7 +12,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * $Id: child_delete.c 3802 2008-04-14 08:17:18Z martin $ + * $Id: child_delete.c 4366 2008-10-03 16:01:14Z martin $ */ #include "child_delete.h" @@ -44,6 +44,11 @@ struct private_child_delete_t { bool initiator; /** + * wheter to enforce delete action policy + */ + bool check_delete_action; + + /** * CHILD_SAs which get deleted */ linked_list_t *child_sas; @@ -54,16 +59,17 @@ struct private_child_delete_t { */ static void build_payloads(private_child_delete_t *this, message_t *message) { - iterator_t *iterator; delete_payload_t *ah = NULL, *esp = NULL; - u_int32_t spi; + iterator_t *iterator; child_sa_t *child_sa; iterator = this->child_sas->create_iterator(this->child_sas, TRUE); while (iterator->iterate(iterator, (void**)&child_sa)) { - spi = child_sa->get_spi(child_sa, TRUE); - switch (child_sa->get_protocol(child_sa)) + protocol_id_t protocol = child_sa->get_protocol(child_sa); + u_int32_t spi = child_sa->get_spi(child_sa, TRUE); + + switch (protocol) { case PROTO_ESP: if (esp == NULL) @@ -72,6 +78,8 @@ static void build_payloads(private_child_delete_t *this, message_t *message) message->add_payload(message, (payload_t*)esp); } esp->add_spi(esp, spi); + DBG1(DBG_IKE, "sending DELETE for %N CHILD_SA with SPI %.8x", + protocol_id_names, protocol, ntohl(spi)); break; case PROTO_AH: if (ah == NULL) @@ -80,6 +88,8 @@ static void build_payloads(private_child_delete_t *this, message_t *message) message->add_payload(message, (payload_t*)ah); } ah->add_spi(ah, spi); + DBG1(DBG_IKE, "sending DELETE for %N CHILD_SA with SPI %.8x", + protocol_id_names, protocol, ntohl(spi)); break; default: break; @@ -119,11 +129,11 @@ static void process_payloads(private_child_delete_t *this, message_t *message) *spi, FALSE); if (child_sa == NULL) { - DBG1(DBG_IKE, "received DELETE for %N CHILD_SA with SPI 0x%x, " + DBG1(DBG_IKE, "received DELETE for %N CHILD_SA with SPI %.8x, " "but no such SA", protocol_id_names, protocol, ntohl(*spi)); continue; } - DBG2(DBG_IKE, "received DELETE for %N CHILD_SA with SPI 0x%x", + DBG1(DBG_IKE, "received DELETE for %N CHILD_SA with SPI %.8x", protocol_id_names, protocol, ntohl(*spi)); switch (child_sa->get_state(child_sa)) @@ -139,6 +149,11 @@ static void process_payloads(private_child_delete_t *this, message_t *message) protocol, *spi); continue; } + case CHILD_INSTALLED: + if (!this->initiator) + { /* reestablish installed children if required */ + this->check_delete_action = TRUE; + } default: break; } @@ -171,7 +186,7 @@ static status_t destroy_and_reestablish(private_child_delete_t *this) child_cfg = child_sa->get_config(child_sa); child_cfg->get_ref(child_cfg); this->ike_sa->destroy_child_sa(this->ike_sa, protocol, spi); - if (!this->initiator) + if (this->check_delete_action) { /* enforce child_cfg policy if deleted passively */ switch (child_cfg->get_close_action(child_cfg)) { @@ -207,9 +222,14 @@ static void log_children(private_child_delete_t *this) iterator = this->child_sas->create_iterator(this->child_sas, TRUE); while (iterator->iterate(iterator, (void**)&child_sa)) { - SIG(CHILD_DOWN_START, "closing CHILD_SA %#R=== %#R", - child_sa->get_traffic_selectors(child_sa, TRUE), - child_sa->get_traffic_selectors(child_sa, FALSE)); + SIG_CHD(DOWN_START, child_sa, "closing CHILD_SA %s{%d} " + "with SPIs %.8x_i %.8x_o and TS %#R=== %#R", + child_sa->get_name(child_sa), + child_sa->get_reqid(child_sa), + ntohl(child_sa->get_spi(child_sa, TRUE)), + ntohl(child_sa->get_spi(child_sa, FALSE)), + child_sa->get_traffic_selectors(child_sa, TRUE), + child_sa->get_traffic_selectors(child_sa, FALSE)); } iterator->destroy(iterator); } @@ -234,7 +254,7 @@ static status_t process_i(private_child_delete_t *this, message_t *message) this->child_sas = linked_list_create(); process_payloads(this, message); - SIG(CHILD_DOWN_SUCCESS, "CHILD_SA closed"); + SIG_CHD(DOWN_SUCCESS, NULL, "CHILD_SA closed"); return destroy_and_reestablish(this); } @@ -258,7 +278,7 @@ static status_t build_r(private_child_delete_t *this, message_t *message) { build_payloads(this, message); } - SIG(CHILD_DOWN_SUCCESS, "CHILD_SA closed"); + SIG_CHD(DOWN_SUCCESS, NULL, "CHILD_SA closed"); return destroy_and_reestablish(this); } @@ -285,6 +305,7 @@ static child_sa_t* get_child(private_child_delete_t *this) */ static void migrate(private_child_delete_t *this, ike_sa_t *ike_sa) { + this->check_delete_action = FALSE; this->ike_sa = ike_sa; this->child_sas->destroy(this->child_sas); @@ -313,6 +334,7 @@ child_delete_t *child_delete_create(ike_sa_t *ike_sa, child_sa_t *child_sa) this->public.task.destroy = (void(*)(task_t*))destroy; this->ike_sa = ike_sa; + this->check_delete_action = FALSE; this->child_sas = linked_list_create(); if (child_sa != NULL) diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c index fd5012ee6..51f37f1b0 100644 --- a/src/charon/sa/tasks/ike_auth.c +++ b/src/charon/sa/tasks/ike_auth.c @@ -13,7 +13,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details * - * $Id: ike_auth.c 4051 2008-06-10 09:08:27Z tobias $ + * $Id: ike_auth.c 4276 2008-08-22 10:44:51Z martin $ */ #include "ike_auth.h" @@ -29,7 +29,6 @@ #include <sa/authenticators/eap_authenticator.h> - typedef struct private_ike_auth_t private_ike_auth_t; /** @@ -151,6 +150,44 @@ static bool check_uniqueness(private_ike_auth_t *this) } /** + * get the authentication class of a config + */ +auth_class_t get_auth_class(peer_cfg_t *config) +{ + auth_class_t *class; + auth_info_t *auth_info; + + auth_info = config->get_auth(config); + if (auth_info->get_item(auth_info, AUTHN_AUTH_CLASS, (void**)&class)) + { + return *class; + } + /* fallback to pubkey authentication */ + return AUTH_CLASS_PUBKEY; +} + +/** + * get the eap type/vendor + */ +static eap_type_t get_eap_type(peer_cfg_t *config, u_int32_t *vendor) +{ + auth_info_t *auth_info; + u_int *ptr; + + *vendor = 0; + auth_info = config->get_auth(config); + if (auth_info->get_item(auth_info, AUTHN_EAP_VENDOR, (void**)&ptr)) + { + *vendor = *ptr; + } + if (auth_info->get_item(auth_info, AUTHN_EAP_TYPE, (void**)&ptr)) + { + return *ptr; + } + return EAP_NAK; +} + +/** * build the AUTH payload */ static status_t build_auth(private_ike_auth_t *this, message_t *message) @@ -158,23 +195,21 @@ static status_t build_auth(private_ike_auth_t *this, message_t *message) authenticator_t *auth; auth_payload_t *auth_payload; peer_cfg_t *config; - config_auth_method_t method; status_t status; /* create own authenticator and add auth payload */ config = this->ike_sa->get_peer_cfg(this->ike_sa); if (!config) { - SIG(IKE_UP_FAILED, "unable to authenticate, no peer config found"); + SIG_IKE(UP_FAILED, "unable to authenticate, no peer config found"); return FAILED; } - method = config->get_auth_method(config); - auth = authenticator_create(this->ike_sa, method); + auth = authenticator_create_from_class(this->ike_sa, get_auth_class(config)); if (auth == NULL) { - SIG(IKE_UP_FAILED, "configured authentication method %N not supported", - config_auth_method_names, method); + SIG_IKE(UP_FAILED, "configured authentication class %N not supported", + auth_class_names, get_auth_class(config)); return FAILED; } @@ -183,7 +218,7 @@ static status_t build_auth(private_ike_auth_t *this, message_t *message) auth->destroy(auth); if (status != SUCCESS) { - SIG(IKE_UP_FAILED, "generating authentication data failed"); + SIG_IKE(UP_FAILED, "generating authentication data failed"); return FAILED; } message->add_payload(message, (payload_t*)auth_payload); @@ -208,7 +243,7 @@ static status_t build_id(private_ike_auth_t *this, message_t *message) me = config->get_my_id(config); if (me->contains_wildcards(me)) { - SIG(IKE_UP_FAILED, "negotiation of own ID failed"); + SIG_IKE(UP_FAILED, "negotiation of own ID failed"); return FAILED; } this->ike_sa->set_my_id(this->ike_sa, me->clone(me)); @@ -245,11 +280,11 @@ static status_t process_auth(private_ike_auth_t *this, message_t *message) } auth_method = auth_payload->get_auth_method(auth_payload); - auth = authenticator_create_from_auth_payload(this->ike_sa, auth_payload); - + auth = authenticator_create_from_method(this->ike_sa, + auth_payload->get_auth_method(auth_payload)); if (auth == NULL) { - SIG(IKE_UP_FAILED, "authentication method %N used by '%D' not " + SIG_IKE(UP_FAILED, "authentication method %N used by '%D' not " "supported", auth_method_names, auth_method, this->ike_sa->get_other_id(this->ike_sa)); return NOT_SUPPORTED; @@ -259,7 +294,7 @@ static status_t process_auth(private_ike_auth_t *this, message_t *message) auth->destroy(auth); if (status != SUCCESS) { - SIG(IKE_UP_FAILED, "authentication of '%D' with %N failed", + SIG_IKE(UP_FAILED, "authentication of '%D' with %N failed", this->ike_sa->get_other_id(this->ike_sa), auth_method_names, auth_method); return FAILED; @@ -280,7 +315,7 @@ static status_t process_id(private_ike_auth_t *this, message_t *message) if ((this->initiator && idr == NULL) || (!this->initiator && idi == NULL)) { - SIG(IKE_UP_FAILED, "ID payload missing in message"); + SIG_IKE(UP_FAILED, "ID payload missing in message"); return FAILED; } @@ -290,7 +325,7 @@ static status_t process_id(private_ike_auth_t *this, message_t *message) req = this->ike_sa->get_other_id(this->ike_sa); if (!id->matches(id, req)) { - SIG(IKE_UP_FAILED, "peer ID '%D' unacceptable, '%D' required", id, req); + SIG_IKE(UP_FAILED, "peer ID '%D' unacceptable, '%D' required", id, req); id->destroy(id); return FAILED; } @@ -367,7 +402,7 @@ static status_t build_auth_eap(private_ike_auth_t *this, message_t *message) if (auth->build(auth, this->my_packet->get_data(this->my_packet), this->other_nonce, &auth_payload) != SUCCESS) { - SIG(IKE_UP_FAILED, "generating authentication data failed"); + SIG_IKE(UP_FAILED, "generating authentication data failed"); if (!this->initiator) { message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty); @@ -378,12 +413,13 @@ static status_t build_auth_eap(private_ike_auth_t *this, message_t *message) if (!this->initiator) { this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED); - SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...[%D]%H", + SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]", this->ike_sa->get_name(this->ike_sa), + this->ike_sa->get_unique_id(this->ike_sa), this->ike_sa->get_my_host(this->ike_sa), this->ike_sa->get_my_id(this->ike_sa), - this->ike_sa->get_other_id(this->ike_sa), - this->ike_sa->get_other_host(this->ike_sa)); + this->ike_sa->get_other_host(this->ike_sa), + this->ike_sa->get_other_id(this->ike_sa)); return SUCCESS; } return NEED_MORE; @@ -412,9 +448,9 @@ static status_t process_auth_eap(private_ike_auth_t *this, message_t *message) if (!this->peer_authenticated) { - SIG(IKE_UP_FAILED, "authentication of '%D' with %N failed", + SIG_IKE(UP_FAILED, "authentication of '%D' with %N failed", this->ike_sa->get_other_id(this->ike_sa), - auth_method_names, AUTH_EAP); + auth_class_names, AUTH_CLASS_EAP); if (this->initiator) { return FAILED; @@ -424,12 +460,13 @@ static status_t process_auth_eap(private_ike_auth_t *this, message_t *message) if (this->initiator) { this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED); - SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...[%D]%H", + SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]", this->ike_sa->get_name(this->ike_sa), + this->ike_sa->get_unique_id(this->ike_sa), this->ike_sa->get_my_host(this->ike_sa), this->ike_sa->get_my_id(this->ike_sa), - this->ike_sa->get_other_id(this->ike_sa), - this->ike_sa->get_other_host(this->ike_sa)); + this->ike_sa->get_other_host(this->ike_sa), + this->ike_sa->get_other_id(this->ike_sa)); return SUCCESS; } return NEED_MORE; @@ -445,7 +482,7 @@ static status_t process_eap_i(private_ike_auth_t *this, message_t *message) eap = (eap_payload_t*)message->get_payload(message, EXTENSIBLE_AUTHENTICATION); if (eap == NULL) { - SIG(IKE_UP_FAILED, "EAP payload missing"); + SIG_IKE(UP_FAILED, "EAP payload missing"); return FAILED; } switch (this->eap_auth->process(this->eap_auth, eap, &eap)) @@ -461,7 +498,7 @@ static status_t process_eap_i(private_ike_auth_t *this, message_t *message) return NEED_MORE; default: this->eap_payload = NULL; - SIG(IKE_UP_FAILED, "failed to authenticate against '%D' using EAP", + SIG_IKE(UP_FAILED, "failed to authenticate against '%D' using EAP", this->ike_sa->get_other_id(this->ike_sa)); return FAILED; } @@ -496,7 +533,7 @@ static status_t build_eap_r(private_ike_auth_t *this, message_t *message) if (this->eap_payload == NULL) { - SIG(IKE_UP_FAILED, "EAP payload missing"); + SIG_IKE(UP_FAILED, "EAP payload missing"); return FAILED; } @@ -511,9 +548,9 @@ static status_t build_eap_r(private_ike_auth_t *this, message_t *message) this->public.task.process = (status_t(*)(task_t*,message_t*))process_auth_eap; break; default: - SIG(IKE_UP_FAILED, "authentication of '%D' with %N failed", + SIG_IKE(UP_FAILED, "authentication of '%D' with %N failed", this->ike_sa->get_other_id(this->ike_sa), - auth_method_names, AUTH_EAP); + auth_class_names, AUTH_CLASS_EAP); status = FAILED; break; } @@ -539,7 +576,7 @@ static status_t build_i(private_ike_auth_t *this, message_t *message) } config = this->ike_sa->get_peer_cfg(this->ike_sa); - if (config->get_auth_method(config) == CONF_AUTH_EAP) + if (get_auth_class(config) == AUTH_CLASS_EAP) { this->eap_auth = eap_authenticator_create(this->ike_sa); } @@ -579,13 +616,14 @@ static status_t process_r(private_ike_auth_t *this, message_t *message) case NOT_FOUND: /* use EAP if no AUTH payload found */ this->ike_sa->set_condition(this->ike_sa, COND_EAP_AUTHENTICATED, TRUE); - this->eap_auth = eap_authenticator_create(this->ike_sa); break; default: return NEED_MORE; } config = charon->backends->get_peer_cfg(charon->backends, + this->ike_sa->get_my_host(this->ike_sa), + this->ike_sa->get_other_host(this->ike_sa), this->ike_sa->get_my_id(this->ike_sa), this->ike_sa->get_other_id(this->ike_sa), this->ike_sa->get_other_auth(this->ike_sa)); @@ -594,7 +632,10 @@ static status_t process_r(private_ike_auth_t *this, message_t *message) this->ike_sa->set_peer_cfg(this->ike_sa, config); config->destroy(config); } - + if (!this->peer_authenticated) + { + this->eap_auth = eap_authenticator_create(this->ike_sa); + } return NEED_MORE; } @@ -624,7 +665,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message) config = this->ike_sa->get_peer_cfg(this->ike_sa); if (config == NULL) { - SIG(IKE_UP_FAILED, "no matching config found for '%D'...'%D'", + SIG_IKE(UP_FAILED, "no matching config found for '%D'...'%D'", this->ike_sa->get_my_id(this->ike_sa), this->ike_sa->get_other_id(this->ike_sa)); message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty); @@ -648,23 +689,24 @@ static status_t build_r(private_ike_auth_t *this, message_t *message) if (this->peer_authenticated) { this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED); - SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...[%D]%H", + SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]", this->ike_sa->get_name(this->ike_sa), + this->ike_sa->get_unique_id(this->ike_sa), this->ike_sa->get_my_host(this->ike_sa), this->ike_sa->get_my_id(this->ike_sa), - this->ike_sa->get_other_id(this->ike_sa), - this->ike_sa->get_other_host(this->ike_sa)); + this->ike_sa->get_other_host(this->ike_sa), + this->ike_sa->get_other_id(this->ike_sa)); return SUCCESS; } /* initiate EAP authenitcation */ - eap_type = config->get_eap_type(config, &eap_vendor); + eap_type = get_eap_type(config, &eap_vendor); status = this->eap_auth->initiate(this->eap_auth, eap_type, eap_vendor, &eap_payload); message->add_payload(message, (payload_t*)eap_payload); if (status != NEED_MORE) { - SIG(IKE_UP_FAILED, "unable to initiate EAP authentication"); + SIG_IKE(UP_FAILED, "unable to initiate EAP authentication"); return FAILED; } @@ -724,7 +766,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message) { if (type < 16383) { - SIG(IKE_UP_FAILED, "received %N notify error", + SIG_IKE(UP_FAILED, "received %N notify error", notify_type_names, type); iterator->destroy(iterator); return FAILED; @@ -756,17 +798,18 @@ static status_t process_i(private_ike_auth_t *this, message_t *message) auth = this->ike_sa->get_other_auth(this->ike_sa); if (!auth->complies(auth, config->get_auth(config))) { - SIG(IKE_UP_FAILED, "authorization of '%D' for config %s failed", + SIG_IKE(UP_FAILED, "authorization of '%D' for config %s failed", this->ike_sa->get_other_id(this->ike_sa), config->get_name(config)); return FAILED; } this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED); - SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...[%D]%H", + SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]", this->ike_sa->get_name(this->ike_sa), + this->ike_sa->get_unique_id(this->ike_sa), this->ike_sa->get_my_host(this->ike_sa), this->ike_sa->get_my_id(this->ike_sa), - this->ike_sa->get_other_id(this->ike_sa), - this->ike_sa->get_other_host(this->ike_sa)); + this->ike_sa->get_other_host(this->ike_sa), + this->ike_sa->get_other_id(this->ike_sa)); return SUCCESS; } diff --git a/src/charon/sa/tasks/ike_cert_post.c b/src/charon/sa/tasks/ike_cert_post.c index 184868b28..cb533236e 100644 --- a/src/charon/sa/tasks/ike_cert_post.c +++ b/src/charon/sa/tasks/ike_cert_post.c @@ -13,7 +13,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * $Id: ike_cert_post.c 4051 2008-06-10 09:08:27Z tobias $ + * $Id: ike_cert_post.c 4276 2008-08-22 10:44:51Z martin $ */ #include "ike_cert_post.h" @@ -98,6 +98,11 @@ static cert_payload_t *build_cert_payload(private_ike_cert_post_t *this, certifi } /** + * from ike_auth.c + */ +auth_class_t get_auth_class(peer_cfg_t *config); + +/** * add certificates to message */ static void build_certs(private_ike_cert_post_t *this, message_t *message) @@ -105,7 +110,7 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message) peer_cfg_t *peer_cfg; peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); - if (peer_cfg && peer_cfg->get_auth_method(peer_cfg) == CONF_AUTH_PUBKEY) + if (peer_cfg && get_auth_class(peer_cfg) == AUTH_CLASS_PUBKEY) { switch (peer_cfg->get_cert_policy(peer_cfg)) { diff --git a/src/charon/sa/tasks/ike_cert_pre.c b/src/charon/sa/tasks/ike_cert_pre.c index 3568a214e..353b76a22 100644 --- a/src/charon/sa/tasks/ike_cert_pre.c +++ b/src/charon/sa/tasks/ike_cert_pre.c @@ -13,7 +13,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * $Id: ike_cert_pre.c 3852 2008-04-18 21:27:08Z andreas $ + * $Id: ike_cert_pre.c 4285 2008-08-26 05:15:34Z andreas $ */ #include "ike_cert_pre.h" @@ -320,11 +320,10 @@ static void add_certreq_payload(message_t *message, certreq_payload_t **reqp, static void build_certreqs(private_ike_cert_pre_t *this, message_t *message) { ike_cfg_t *ike_cfg; + peer_cfg_t *peer_cfg; enumerator_t *enumerator; certificate_t *cert; - auth_info_t *auth; bool restricted = FALSE; - auth_item_t item; certreq_payload_t *x509_req = NULL; ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa); @@ -332,19 +331,43 @@ static void build_certreqs(private_ike_cert_pre_t *this, message_t *message) { return; } - auth = this->ike_sa->get_other_auth(this->ike_sa); /* check if we require a specific CA for that peer */ - enumerator = auth->create_item_enumerator(auth); - while (enumerator->enumerate(enumerator, &item, &cert)) + peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); + if (peer_cfg) { - if (item == AUTHN_CA_CERT) + void *ptr; + identification_t *id; + auth_item_t item; + auth_info_t *auth = peer_cfg->get_auth(peer_cfg); + enumerator_t *auth_enumerator = auth->create_item_enumerator(auth); + + while (auth_enumerator->enumerate(auth_enumerator, &item, &ptr)) { - restricted = TRUE; - add_certreq_payload(message, &x509_req, cert); + switch (item) + { + case AUTHZ_CA_CERT: + cert = (certificate_t *)ptr; + add_certreq_payload(message, &x509_req, cert); + restricted = TRUE; + break; + case AUTHZ_CA_CERT_NAME: + id = (identification_t *)ptr; + enumerator = charon->credentials->create_cert_enumerator( + charon->credentials, CERT_ANY, KEY_ANY, id, TRUE); + while (enumerator->enumerate(enumerator, &cert, TRUE)) + { + add_certreq_payload(message, &x509_req, cert); + restricted = TRUE; + } + enumerator->destroy(enumerator); + break; + default: + break; + } } + auth_enumerator->destroy(auth_enumerator); } - enumerator->destroy(enumerator); if (!restricted) { diff --git a/src/charon/sa/tasks/ike_config.c b/src/charon/sa/tasks/ike_config.c index c31e62750..e89f381d3 100644 --- a/src/charon/sa/tasks/ike_config.c +++ b/src/charon/sa/tasks/ike_config.c @@ -13,7 +13,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * $Id: ike_config.c 3800 2008-04-14 07:18:16Z martin $ + * $Id: ike_config.c 4129 2008-07-01 06:36:52Z martin $ */ #include "ike_config.h" @@ -315,7 +315,10 @@ static status_t build_r(private_ike_config_t *this, message_t *message) } if (ip == NULL) { - DBG1(DBG_IKE, "not assigning a virtual IP to peer"); + DBG1(DBG_IKE, "no virtual IP found, sending %N", + notify_type_names, INTERNAL_ADDRESS_FAILURE); + message->add_notify(message, FALSE, INTERNAL_ADDRESS_FAILURE, + chunk_empty); return SUCCESS; } DBG1(DBG_IKE, "assigning virtual IP %H to peer", ip); diff --git a/src/charon/sa/tasks/ike_delete.c b/src/charon/sa/tasks/ike_delete.c index aa7950ef7..295f908cb 100644 --- a/src/charon/sa/tasks/ike_delete.c +++ b/src/charon/sa/tasks/ike_delete.c @@ -12,7 +12,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * $Id: ike_delete.c 3802 2008-04-14 08:17:18Z martin $ + * $Id: ike_delete.c 4211 2008-07-23 18:46:34Z andreas $ */ #include "ike_delete.h" @@ -56,11 +56,22 @@ static status_t build_i(private_ike_delete_t *this, message_t *message) { delete_payload_t *delete_payload; + SIG_IKE(DOWN_START, "deleting IKE_SA %s[%d] between %H[%D]...%H[%D]", + this->ike_sa->get_name(this->ike_sa), + this->ike_sa->get_unique_id(this->ike_sa), + this->ike_sa->get_my_host(this->ike_sa), + this->ike_sa->get_my_id(this->ike_sa), + this->ike_sa->get_other_host(this->ike_sa), + this->ike_sa->get_other_id(this->ike_sa)); + delete_payload = delete_payload_create(PROTO_IKE); message->add_payload(message, (payload_t*)delete_payload); - this->ike_sa->set_state(this->ike_sa, IKE_DELETING); - + + DBG1(DBG_IKE, "sending DELETE for IKE_SA %s[%d]", + this->ike_sa->get_name(this->ike_sa), + this->ike_sa->get_unique_id(this->ike_sa)); + return NEED_MORE; } @@ -74,16 +85,26 @@ static status_t process_i(private_ike_delete_t *this, message_t *message) } /** - * Implementation of task_t.process for initiator + * Implementation of task_t.process for responder */ static status_t process_r(private_ike_delete_t *this, message_t *message) { /* we don't even scan the payloads, as the message wouldn't have * come so far without being correct */ + DBG1(DBG_IKE, "received DELETE for IKE_SA %s[%d]", + this->ike_sa->get_name(this->ike_sa), + this->ike_sa->get_unique_id(this->ike_sa)); + SIG_IKE(DOWN_START, "deleting IKE_SA %s[%d] between %H[%D]...%H[%D]", + this->ike_sa->get_name(this->ike_sa), + this->ike_sa->get_unique_id(this->ike_sa), + this->ike_sa->get_my_host(this->ike_sa), + this->ike_sa->get_my_id(this->ike_sa), + this->ike_sa->get_other_host(this->ike_sa), + this->ike_sa->get_other_id(this->ike_sa)); + switch (this->ike_sa->get_state(this->ike_sa)) { case IKE_ESTABLISHED: - DBG1(DBG_IKE, "deleting IKE_SA on request"); this->ike_sa->set_state(this->ike_sa, IKE_DELETING); this->ike_sa->reestablish(this->ike_sa); break; @@ -102,9 +123,11 @@ static status_t process_r(private_ike_delete_t *this, message_t *message) */ static status_t build_r(private_ike_delete_t *this, message_t *message) { + SIG_IKE(DOWN_SUCCESS, "IKE_SA deleted"); + if (this->simultaneous) { - /* wait for peers response for our delete request, but set a timeout */ + /* wait for peer's response for our delete request, but set a timeout */ return SUCCESS; } /* completed, delete IKE_SA by returning FAILED */ diff --git a/src/charon/sa/tasks/ike_init.c b/src/charon/sa/tasks/ike_init.c index 7def3a556..609b37a39 100644 --- a/src/charon/sa/tasks/ike_init.c +++ b/src/charon/sa/tasks/ike_init.c @@ -14,7 +14,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * $Id: ike_init.c 4086 2008-06-22 11:24:33Z andreas $ + * $Id: ike_init.c 4206 2008-07-22 17:10:10Z andreas $ */ #include "ike_init.h" @@ -26,6 +26,7 @@ #include <encoding/payloads/sa_payload.h> #include <encoding/payloads/ke_payload.h> #include <encoding/payloads/nonce_payload.h> +#include <encoding/payloads/vendor_id_payload.h> /** maximum retries to do with cookies/other dh groups */ #define MAX_RETRIES 5 @@ -203,9 +204,17 @@ static void process_payloads(private_ike_init_t *this, message_t *message) case NONCE: { nonce_payload_t *nonce_payload = (nonce_payload_t*)payload; + this->other_nonce = nonce_payload->get_nonce(nonce_payload); break; } + case VENDOR_ID: + { + vendor_id_payload_t *vendor_id = (vendor_id_payload_t*)payload; + chunk_t vid = vendor_id->get_data(vendor_id); + + DBG1(DBG_ENC, "received vendor id: %#B", &vid); + } default: break; } @@ -221,14 +230,15 @@ static status_t build_i(private_ike_init_t *this, message_t *message) rng_t *rng; this->config = this->ike_sa->get_ike_cfg(this->ike_sa); - SIG(IKE_UP_START, "initiating IKE_SA '%s' to %H", + SIG_IKE(UP_START, "initiating IKE_SA %s[%d] to %H", this->ike_sa->get_name(this->ike_sa), + this->ike_sa->get_unique_id(this->ike_sa), this->ike_sa->get_other_host(this->ike_sa)); this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING); if (this->retry++ >= MAX_RETRIES) { - SIG(IKE_UP_FAILED, "giving up after %d retries", MAX_RETRIES); + SIG_IKE(UP_FAILED, "giving up after %d retries", MAX_RETRIES); return FAILED; } @@ -239,7 +249,7 @@ static status_t build_i(private_ike_init_t *this, message_t *message) this->dh = lib->crypto->create_dh(lib->crypto, this->dh_group); if (this->dh == NULL) { - SIG(IKE_UP_FAILED, "configured DH group %N not supported", + SIG_IKE(UP_FAILED, "configured DH group %N not supported", diffie_hellman_group_names, this->dh_group); return FAILED; } @@ -251,7 +261,7 @@ static status_t build_i(private_ike_init_t *this, message_t *message) rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); if (!rng) { - SIG(IKE_UP_FAILED, "error generating nonce"); + SIG_IKE(UP_FAILED, "error generating nonce"); return FAILED; } rng->allocate_bytes(rng, NONCE_SIZE, &this->my_nonce); @@ -286,7 +296,7 @@ static status_t process_r(private_ike_init_t *this, message_t *message) rng_t *rng; this->config = this->ike_sa->get_ike_cfg(this->ike_sa); - SIG(IKE_UP_START, "%H is initiating an IKE_SA", + SIG_IKE(UP_START, "%H is initiating an IKE_SA", message->get_source(message)); this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING); @@ -366,7 +376,7 @@ static status_t build_r(private_ike_init_t *this, message_t *message) if (this->proposal == NULL || this->other_nonce.len == 0 || this->my_nonce.len == 0) { - SIG(IKE_UP_FAILED, "received proposals inacceptable"); + SIG_IKE(UP_FAILED, "received proposals inacceptable"); message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty); return FAILED; } @@ -380,7 +390,7 @@ static status_t build_r(private_ike_init_t *this, message_t *message) if (this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP, &group, NULL)) { - SIG(CHILD_UP_FAILED, "DH group %N inacceptable, requesting %N", + SIG_CHD(UP_FAILED, NULL, "DH group %N inacceptable, requesting %N", diffie_hellman_group_names, this->dh_group, diffie_hellman_group_names, group); this->dh_group = group; @@ -390,7 +400,7 @@ static status_t build_r(private_ike_init_t *this, message_t *message) } else { - SIG(IKE_UP_FAILED, "no acceptable proposal found"); + SIG_IKE(UP_FAILED, "no acceptable proposal found"); } return FAILED; } @@ -420,7 +430,7 @@ static status_t build_r(private_ike_init_t *this, message_t *message) } if (status != SUCCESS) { - SIG(IKE_UP_FAILED, "key derivation failed"); + SIG_IKE(UP_FAILED, "key derivation failed"); message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty); return FAILED; } @@ -495,7 +505,7 @@ static status_t process_i(private_ike_init_t *this, message_t *message) { if (type < 16383) { - SIG(IKE_UP_FAILED, "received %N notify error", + SIG_IKE(UP_FAILED, "received %N notify error", notify_type_names, type); iterator->destroy(iterator); return FAILED; @@ -515,7 +525,7 @@ static status_t process_i(private_ike_init_t *this, message_t *message) if (this->proposal == NULL || this->other_nonce.len == 0 || this->my_nonce.len == 0) { - SIG(IKE_UP_FAILED, "peer's proposal selection invalid"); + SIG_IKE(UP_FAILED, "peer's proposal selection invalid"); return FAILED; } @@ -523,7 +533,7 @@ static status_t process_i(private_ike_init_t *this, message_t *message) !this->proposal->has_dh_group(this->proposal, this->dh_group) || this->dh->get_shared_secret(this->dh, &secret) != SUCCESS) { - SIG(IKE_UP_FAILED, "peer's DH group selection invalid"); + SIG_IKE(UP_FAILED, "peer's DH group selection invalid"); return FAILED; } @@ -552,7 +562,7 @@ static status_t process_i(private_ike_init_t *this, message_t *message) } if (status != SUCCESS) { - SIG(IKE_UP_FAILED, "key derivation failed"); + SIG_IKE(UP_FAILED, "key derivation failed"); return FAILED; } diff --git a/src/charon/sa/tasks/ike_me.c b/src/charon/sa/tasks/ike_me.c index 2d7c64d70..a203dee58 100644 --- a/src/charon/sa/tasks/ike_me.c +++ b/src/charon/sa/tasks/ike_me.c @@ -12,7 +12,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * $Id: ike_me.c 3806 2008-04-15 05:56:35Z martin $ + * $Id: ike_me.c 4355 2008-09-25 07:56:58Z tobias $ */ #include "ike_me.h" @@ -128,7 +128,7 @@ static void add_endpoints_to_message(message_t *message, linked_list_t *endpoint */ static void gather_and_add_endpoints(private_ike_me_t *this, message_t *message) { - iterator_t *iterator; + enumerator_t *enumerator; host_t *addr, *host; u_int16_t port; @@ -136,9 +136,9 @@ static void gather_and_add_endpoints(private_ike_me_t *this, message_t *message) host = this->ike_sa->get_my_host(this->ike_sa); port = host->get_port(host); - iterator = charon->kernel_interface->create_address_iterator( - charon->kernel_interface); - while (iterator->iterate(iterator, (void**)&addr)) + enumerator = charon->kernel_interface->create_address_enumerator( + charon->kernel_interface, FALSE, FALSE); + while (enumerator->enumerate(enumerator, (void**)&addr)) { host = addr->clone(addr); host->set_port(host, port); @@ -148,7 +148,7 @@ static void gather_and_add_endpoints(private_ike_me_t *this, message_t *message) host->destroy(host); } - iterator->destroy(iterator); + enumerator->destroy(enumerator); host = this->ike_sa->get_server_reflexive_host(this->ike_sa); if (host) @@ -461,7 +461,8 @@ static status_t process_i(private_ike_me_t *this, message_t *message) this->ike_sa->set_server_reflexive_host(this->ike_sa, endpoint->clone(endpoint)); } /* FIXME: what if it failed? e.g. AUTH failure */ - SIG(CHILD_UP_SUCCESS, "established mediation connection without CHILD_SA successfully"); + SIG_CHD(UP_SUCCESS, NULL, "established mediation connection " + "without CHILD_SA successfully"); break; } @@ -641,7 +642,8 @@ static status_t build_r_ms(private_ike_me_t *this, message_t *message) /* FIXME: we actually must delete any existing IKE_SAs with the same remote id */ this->ike_sa->act_as_mediation_server(this->ike_sa); - SIG(CHILD_UP_SUCCESS, "established mediation connection without CHILD_SA successfully"); + SIG_CHD(UP_SUCCESS, NULL, "established mediation connection " + "without CHILD_SA successfully"); break; } diff --git a/src/charon/sa/tasks/ike_mobike.c b/src/charon/sa/tasks/ike_mobike.c index 23c68b9e9..f6ee3f6ad 100644 --- a/src/charon/sa/tasks/ike_mobike.c +++ b/src/charon/sa/tasks/ike_mobike.c @@ -12,7 +12,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * $Id: ike_mobike.c 4006 2008-05-23 15:43:42Z martin $ + * $Id: ike_mobike.c 4394 2008-10-09 08:25:11Z martin $ */ #include "ike_mobike.h" @@ -117,8 +117,19 @@ static void process_payloads(private_ike_mobike_t *this, message_t *message) { case MOBIKE_SUPPORTED: { - DBG1(DBG_IKE, "peer supports MOBIKE"); - this->ike_sa->enable_extension(this->ike_sa, EXT_MOBIKE); + peer_cfg_t *peer_cfg; + + peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); + if (!this->initiator && + peer_cfg && !peer_cfg->use_mobike(peer_cfg)) + { + DBG1(DBG_IKE, "peer supports MOBIKE, but disabled in config"); + } + else + { + DBG1(DBG_IKE, "peer supports MOBIKE"); + this->ike_sa->enable_extension(this->ike_sa, EXT_MOBIKE); + } break; } case COOKIE2: @@ -177,15 +188,15 @@ static void process_payloads(private_ike_mobike_t *this, message_t *message) */ static void build_address_list(private_ike_mobike_t *this, message_t *message) { - iterator_t *iterator; + enumerator_t *enumerator; host_t *host, *me; notify_type_t type; bool additional = FALSE; me = this->ike_sa->get_my_host(this->ike_sa); - iterator = charon->kernel_interface->create_address_iterator( - charon->kernel_interface); - while (iterator->iterate(iterator, (void**)&host)) + enumerator = charon->kernel_interface->create_address_enumerator( + charon->kernel_interface, FALSE, FALSE); + while (enumerator->enumerate(enumerator, (void**)&host)) { if (me->ip_equals(me, host)) { /* "ADDITIONAL" means do not include IKE_SAs host */ @@ -209,7 +220,7 @@ static void build_address_list(private_ike_mobike_t *this, message_t *message) { message->add_notify(message, FALSE, NO_ADDITIONAL_ADDRESSES, chunk_empty); } - iterator->destroy(iterator); + enumerator->destroy(enumerator); } /** @@ -266,7 +277,7 @@ static void transmit(private_ike_mobike_t *this, packet_t *packet) other_old = this->ike_sa->get_other_host(this->ike_sa); me = charon->kernel_interface->get_source_addr( - charon->kernel_interface, other_old); + charon->kernel_interface, other_old, NULL); if (me) { me->set_port(me, me->ip_equals(me, me_old) ? @@ -278,7 +289,7 @@ static void transmit(private_ike_mobike_t *this, packet_t *packet) while (iterator->iterate(iterator, (void**)&other)) { me = charon->kernel_interface->get_source_addr( - charon->kernel_interface, other); + charon->kernel_interface, other, NULL); if (me) { if (me->get_family(me) != other->get_family(other)) @@ -318,6 +329,24 @@ static status_t build_i(private_ike_mobike_t *this, message_t *message) } else if (message->get_exchange_type(message) == INFORMATIONAL) { + host_t *old, *new; + + /* we check if the existing address is still valid */ + old = message->get_source(message); + new = charon->kernel_interface->get_source_addr(charon->kernel_interface, + message->get_destination(message), old); + if (new) + { + if (!new->ip_equals(new, old)) + { + new->set_port(new, old->get_port(old)); + message->set_source(message, new); + } + else + { + new->destroy(new); + } + } if (this->update) { message->add_notify(message, FALSE, UPDATE_SA_ADDRESSES, chunk_empty); @@ -423,7 +452,7 @@ static status_t process_i(private_ike_mobike_t *this, message_t *message) return SUCCESS; } if (this->cookie2.ptr) - { /* check cookie if we included none */ + { /* check cookie if we included one */ chunk_t cookie2; cookie2 = this->cookie2; @@ -444,6 +473,13 @@ static status_t process_i(private_ike_mobike_t *this, message_t *message) if (this->natd) { this->natd->task.process(&this->natd->task, message); + if (this->natd->has_mapping_changed(this->natd)) + { + /* force an update if mappings have changed */ + this->update = this->check = TRUE; + DBG1(DBG_IKE, "detected changes in NAT mappings, " + "initiating MOBIKE update"); + } } if (this->update) { @@ -496,6 +532,20 @@ static void roam(private_ike_mobike_t *this, bool address) } /** + * Implementation of ike_mobike_t.dpd + */ +static void dpd(private_ike_mobike_t *this) +{ + if (!this->natd) + { + this->natd = ike_natd_create(this->ike_sa, this->initiator); + } + this->address = FALSE; + this->ike_sa->set_pending_updates(this->ike_sa, + this->ike_sa->get_pending_updates(this->ike_sa) + 1); +} + +/** * Implementation of ike_mobike_t.is_probing. */ static bool is_probing(private_ike_mobike_t *this) @@ -545,6 +595,7 @@ ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator) private_ike_mobike_t *this = malloc_thing(private_ike_mobike_t); this->public.roam = (void(*)(ike_mobike_t*,bool))roam; + this->public.dpd = (void(*)(ike_mobike_t*))dpd; this->public.transmit = (void(*)(ike_mobike_t*,packet_t*))transmit; this->public.is_probing = (bool(*)(ike_mobike_t*))is_probing; this->public.task.get_type = (task_type_t(*)(task_t*))get_type; diff --git a/src/charon/sa/tasks/ike_mobike.h b/src/charon/sa/tasks/ike_mobike.h index 9dd29970e..f8f094456 100644 --- a/src/charon/sa/tasks/ike_mobike.h +++ b/src/charon/sa/tasks/ike_mobike.h @@ -12,7 +12,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * $Id: ike_mobike.h 3589 2008-03-13 14:14:44Z martin $ + * $Id: ike_mobike.h 4368 2008-10-06 13:37:04Z martin $ */ /** @@ -55,6 +55,11 @@ struct ike_mobike_t { void (*roam)(ike_mobike_t *this, bool address); /** + * Use the task for a DPD check which detects changes in NAT mappings. + */ + void (*dpd)(ike_mobike_t *this); + + /** * Transmision hook, called by task manager. * * The task manager calls this hook whenever it transmits a packet. It diff --git a/src/charon/sa/tasks/ike_natd.c b/src/charon/sa/tasks/ike_natd.c index 69e5bac26..9e62fcbdf 100644 --- a/src/charon/sa/tasks/ike_natd.c +++ b/src/charon/sa/tasks/ike_natd.c @@ -13,7 +13,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * $Id: ike_natd.c 3806 2008-04-15 05:56:35Z martin $ + * $Id: ike_natd.c 4386 2008-10-08 08:23:46Z martin $ */ #include "ike_natd.h" @@ -72,6 +72,11 @@ struct private_ike_natd_t { * Have we found a matching destination address NAT hash? */ bool dst_matched; + + /** + * whether NAT mappings for our NATed address has changed + */ + bool mapping_changed; }; @@ -192,15 +197,24 @@ static void process_payloads(private_ike_natd_t *this, message_t *message) case NAT_DETECTION_DESTINATION_IP: { this->dst_seen = TRUE; + hash = notify->get_notification_data(notify); if (!this->dst_matched) { - hash = notify->get_notification_data(notify); DBG3(DBG_IKE, "received dst_hash %B", &hash); if (chunk_equals(hash, dst_hash)) { this->dst_matched = TRUE; } } + /* RFC4555 says we should also compare against IKE_SA_INIT + * NATD payloads, but this does not work: We are running + * there at port 500, but use 4500 afterwards... */ + if (message->get_exchange_type(message) == INFORMATIONAL && + this->initiator && !this->dst_matched) + { + this->mapping_changed = this->ike_sa->has_mapping_changed( + this->ike_sa, hash); + } break; } case NAT_DETECTION_SOURCE_IP: @@ -300,7 +314,7 @@ static status_t process_i(private_ike_natd_t *this, message_t *message) static status_t build_i(private_ike_natd_t *this, message_t *message) { notify_payload_t *notify; - iterator_t *iterator; + enumerator_t *enumerator; host_t *host; if (this->hasher == NULL) @@ -327,9 +341,8 @@ static status_t build_i(private_ike_natd_t *this, message_t *message) } else { - host = charon->kernel_interface->get_source_addr( - charon->kernel_interface, - this->ike_sa->get_other_host(this->ike_sa)); + host = charon->kernel_interface->get_source_addr(charon->kernel_interface, + this->ike_sa->get_other_host(this->ike_sa), NULL); if (host) { /* 2. */ host->set_port(host, IKEV2_UDP_PORT); @@ -339,14 +352,14 @@ static status_t build_i(private_ike_natd_t *this, message_t *message) } else { /* 3. */ - iterator = charon->kernel_interface->create_address_iterator( - charon->kernel_interface); - while (iterator->iterate(iterator, (void**)&host)) + enumerator = charon->kernel_interface->create_address_enumerator( + charon->kernel_interface, FALSE, FALSE); + while (enumerator->enumerate(enumerator, (void**)&host)) { notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, host); message->add_payload(message, (payload_t*)notify); } - iterator->destroy(iterator); + enumerator->destroy(enumerator); } } return NEED_MORE; @@ -415,6 +428,15 @@ static void migrate(private_ike_natd_t *this, ike_sa_t *ike_sa) this->dst_seen = FALSE; this->src_matched = FALSE; this->dst_matched = FALSE; + this->mapping_changed = FALSE; +} + +/** + * Implementation of ike_natd_t.has_mapping_changed + */ +static bool has_mapping_changed(private_ike_natd_t *this) +{ + return this->mapping_changed; } /** @@ -448,6 +470,8 @@ ike_natd_t *ike_natd_create(ike_sa_t *ike_sa, bool initiator) this->public.task.process = (status_t(*)(task_t*,message_t*))process_r; } + this->public.has_mapping_changed = (bool(*)(ike_natd_t*))has_mapping_changed; + this->ike_sa = ike_sa; this->initiator = initiator; this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); @@ -455,6 +479,7 @@ ike_natd_t *ike_natd_create(ike_sa_t *ike_sa, bool initiator) this->dst_seen = FALSE; this->src_matched = FALSE; this->dst_matched = FALSE; + this->mapping_changed = FALSE; return &this->public; } diff --git a/src/charon/sa/tasks/ike_natd.h b/src/charon/sa/tasks/ike_natd.h index d78c931d9..7e1e58bc0 100644 --- a/src/charon/sa/tasks/ike_natd.h +++ b/src/charon/sa/tasks/ike_natd.h @@ -12,7 +12,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * $Id: ike_natd.h 3589 2008-03-13 14:14:44Z martin $ + * $Id: ike_natd.h 4368 2008-10-06 13:37:04Z martin $ */ /** @@ -38,6 +38,15 @@ struct ike_natd_t { * Implements the task_t interface */ task_t task; + + /** + * Check if the NAT mapping has changed for our address. + * + * MOBIKE uses NAT payloads in DPD to detect changes in the NAT mappings. + * + * @return TRUE if mappings have changed + */ + bool (*has_mapping_changed)(ike_natd_t *this); }; /** diff --git a/src/charon/sa/tasks/ike_reauth.c b/src/charon/sa/tasks/ike_reauth.c index 854e9359d..b84b2a387 100644 --- a/src/charon/sa/tasks/ike_reauth.c +++ b/src/charon/sa/tasks/ike_reauth.c @@ -12,7 +12,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * $Id: ike_reauth.c 3793 2008-04-11 08:14:48Z martin $ + * $Id: ike_reauth.c 4211 2008-07-23 18:46:34Z andreas $ */ #include "ike_reauth.h" @@ -65,7 +65,8 @@ static status_t process_i(private_ike_reauth_t *this, message_t *message) /* process delete response first */ this->ike_delete->task.process(&this->ike_delete->task, message); - + SIG_IKE(DOWN_SUCCESS, "IKE_SA deleted"); + peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); /* reauthenticate only if we have children */ diff --git a/src/charon/sa/tasks/ike_rekey.c b/src/charon/sa/tasks/ike_rekey.c index 9c0d1805c..6c4ef4354 100644 --- a/src/charon/sa/tasks/ike_rekey.c +++ b/src/charon/sa/tasks/ike_rekey.c @@ -13,7 +13,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * $Id: ike_rekey.c 3589 2008-03-13 14:14:44Z martin $ + * $Id: ike_rekey.c 4211 2008-07-23 18:46:34Z andreas $ */ #include "ike_rekey.h" @@ -69,6 +69,7 @@ struct private_ike_rekey_t { static status_t build_i(private_ike_rekey_t *this, message_t *message) { peer_cfg_t *peer_cfg; + host_t *other_host; /* create new SA only on first try */ if (this->new_sa == NULL) @@ -77,7 +78,9 @@ static status_t build_i(private_ike_rekey_t *this, message_t *message) TRUE); peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); + other_host = this->ike_sa->get_other_host(this->ike_sa); this->new_sa->set_peer_cfg(this->new_sa, peer_cfg); + this->new_sa->set_other_host(this->new_sa, other_host->clone(other_host)); this->ike_init = ike_init_create(this->new_sa, TRUE, this->ike_sa); this->ike_sa->set_state(this->ike_sa, IKE_REKEYING); } @@ -87,7 +90,7 @@ static status_t build_i(private_ike_rekey_t *this, message_t *message) } /** - * Implementation of task_t.process for initiator + * Implementation of task_t.process for responder */ static status_t process_r(private_ike_rekey_t *this, message_t *message) { @@ -149,6 +152,13 @@ static status_t build_r(private_ike_rekey_t *this, message_t *message) this->ike_sa->set_state(this->ike_sa, IKE_REKEYING); this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED); + SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]", + this->new_sa->get_name(this->new_sa), + this->new_sa->get_unique_id(this->new_sa), + this->ike_sa->get_my_host(this->ike_sa), + this->ike_sa->get_my_id(this->ike_sa), + this->ike_sa->get_other_host(this->ike_sa), + this->ike_sa->get_other_id(this->ike_sa)); return SUCCESS; } @@ -188,6 +198,14 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message) } this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED); + SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]", + this->new_sa->get_name(this->new_sa), + this->new_sa->get_unique_id(this->new_sa), + this->ike_sa->get_my_host(this->ike_sa), + this->ike_sa->get_my_id(this->ike_sa), + this->ike_sa->get_other_host(this->ike_sa), + this->ike_sa->get_other_id(this->ike_sa)); + to_delete = this->ike_sa->get_id(this->ike_sa); /* check for collisions */ |