diff options
Diffstat (limited to 'src/charon/encoding/payloads')
-rw-r--r-- | src/charon/encoding/payloads/notify_payload.c | 117 | ||||
-rw-r--r-- | src/charon/encoding/payloads/notify_payload.h | 9 |
2 files changed, 95 insertions, 31 deletions
diff --git a/src/charon/encoding/payloads/notify_payload.c b/src/charon/encoding/payloads/notify_payload.c index a04901a90..e27d3c68f 100644 --- a/src/charon/encoding/payloads/notify_payload.c +++ b/src/charon/encoding/payloads/notify_payload.c @@ -47,14 +47,16 @@ ENUM_NEXT(notify_type_names, INVALID_KE_PAYLOAD, INVALID_KE_PAYLOAD, NO_PROPOSAL "INVALID_KE_PAYLOAD"); ENUM_NEXT(notify_type_names, AUTHENTICATION_FAILED, AUTHENTICATION_FAILED, INVALID_KE_PAYLOAD, "AUTHENTICATION_FAILED"); -ENUM_NEXT(notify_type_names, SINGLE_PAIR_REQUIRED, INVALID_SELECTORS, AUTHENTICATION_FAILED, +ENUM_NEXT(notify_type_names, SINGLE_PAIR_REQUIRED, UNEXPECTED_NAT_DETECTED, AUTHENTICATION_FAILED, "SINGLE_PAIR_REQUIRED", "NO_ADDITIONAL_SAS", "INTERNAL_ADDRESS_FAILURE", "FAILED_CP_REQUIRED", "TS_UNACCEPTABLE", - "INVALID_SELECTORS"); -ENUM_NEXT(notify_type_names, INITIAL_CONTACT, AUTH_LIFETIME, INVALID_SELECTORS, + "INVALID_SELECTORS", + "UNACCEPTABLE_ADDRESSES", + "UNEXPECTED_NAT_DETECTED"); +ENUM_NEXT(notify_type_names, INITIAL_CONTACT, AUTH_LIFETIME, UNEXPECTED_NAT_DETECTED, "INITIAL_CONTACT", "SET_WINDOW_SIZE", "ADDITIONAL_TS_POSSIBLE", @@ -79,6 +81,59 @@ ENUM_NEXT(notify_type_names, EAP_ONLY_AUTHENTICATION, EAP_ONLY_AUTHENTICATION, A "EAP_ONLY_AUTHENTICATION"); ENUM_END(notify_type_names, EAP_ONLY_AUTHENTICATION); + +ENUM_BEGIN(notify_type_short_names, UNSUPPORTED_CRITICAL_PAYLOAD, UNSUPPORTED_CRITICAL_PAYLOAD, + "CRIT"); +ENUM_NEXT(notify_type_short_names, INVALID_IKE_SPI, INVALID_MAJOR_VERSION, UNSUPPORTED_CRITICAL_PAYLOAD, + "INVAL_IKE_SPI", + "INVAL_MAJOR"); +ENUM_NEXT(notify_type_short_names, INVALID_SYNTAX, INVALID_SYNTAX, INVALID_MAJOR_VERSION, + "INVAL_SYN"); +ENUM_NEXT(notify_type_short_names, INVALID_MESSAGE_ID, INVALID_MESSAGE_ID, INVALID_SYNTAX, + "INVAL_MID"); +ENUM_NEXT(notify_type_short_names, INVALID_SPI, INVALID_SPI, INVALID_MESSAGE_ID, + "INVAL_SPI"); +ENUM_NEXT(notify_type_short_names, NO_PROPOSAL_CHOSEN, NO_PROPOSAL_CHOSEN, INVALID_SPI, + "NO_PROP"); +ENUM_NEXT(notify_type_short_names, INVALID_KE_PAYLOAD, INVALID_KE_PAYLOAD, NO_PROPOSAL_CHOSEN, + "INVAL_KE"); +ENUM_NEXT(notify_type_short_names, AUTHENTICATION_FAILED, AUTHENTICATION_FAILED, INVALID_KE_PAYLOAD, + "AUTH_FAILED"); +ENUM_NEXT(notify_type_short_names, SINGLE_PAIR_REQUIRED, UNEXPECTED_NAT_DETECTED, AUTHENTICATION_FAILED, + "SINGLE_PAIR", + "NO_ADD_SAS", + "INT_ADDR_FAIL", + "FAIL_CP_REQ", + "TS_UNACCEPT", + "INVAL_SEL", + "UNACCEPT_ADDR", + "UNEXPECT_NAT"); +ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, AUTH_LIFETIME, UNEXPECTED_NAT_DETECTED, + "INIT_CONTACT", + "SET_WINSIZE", + "ADD_TS_POSS", + "IPCOMP_SUPP", + "NATD_S_IP", + "NATD_D_IP", + "COOKIE", + "USE_TRANSP", + "HTTP_CERT_LOOK", + "REKEY_SA", + "ESP_TFC_PAD_N", + "NON_FIRST_FRAG", + "MOBIKE_SUP", + "ADD_4_ADDR", + "ADD_6_ADDR", + "NO_ADD_ADDR", + "UPD_SA_ADDR", + "COOKIE2", + "NO_NATS", + "AUTH_LFT"); +ENUM_NEXT(notify_type_short_names, EAP_ONLY_AUTHENTICATION, EAP_ONLY_AUTHENTICATION, AUTH_LIFETIME, + "EAP_ONLY"); +ENUM_END(notify_type_short_names, EAP_ONLY_AUTHENTICATION); + + typedef struct private_notify_payload_t private_notify_payload_t; /** @@ -189,6 +244,8 @@ encoding_rule_t notify_payload_encodings[] = { */ static status_t verify(private_notify_payload_t *this) { + bool bad_length = FALSE; + switch (this->protocol_id) { case PROTO_NONE: @@ -205,30 +262,9 @@ static status_t verify(private_notify_payload_t *this) { case INVALID_KE_PAYLOAD: { - /* check notification data */ - diffie_hellman_group_t dh_group; if (this->notification_data.len != 2) { - DBG1(DBG_ENC, "invalid notify data length for %N (%d)", - notify_type_names, this->notify_type, - this->notification_data.len); - return FAILED; - } - dh_group = ntohs(*((u_int16_t*)this->notification_data.ptr)); - switch (dh_group) - { - case MODP_768_BIT: - case MODP_1024_BIT: - case MODP_1536_BIT: - case MODP_2048_BIT: - case MODP_3072_BIT: - case MODP_4096_BIT: - case MODP_6144_BIT: - case MODP_8192_BIT: - break; - default: - DBG1(DBG_ENC, "Bad DH group (%d)", dh_group); - return FAILED; + bad_length = TRUE; } break; } @@ -237,9 +273,7 @@ static status_t verify(private_notify_payload_t *this) { if (this->notification_data.len != HASH_SIZE_SHA1) { - DBG1(DBG_ENC, "invalid %N notify length", - notify_type_names, this->notify_type); - return FAILED; + bad_length = TRUE; } break; } @@ -249,9 +283,23 @@ static status_t verify(private_notify_payload_t *this) { if (this->notification_data.len != 0) { - DBG1(DBG_ENC, "invalid %N notify", - notify_type_names, this->notify_type); - return FAILED; + bad_length = TRUE; + } + break; + } + case ADDITIONAL_IP4_ADDRESS: + { + if (this->notification_data.len != 4) + { + bad_length = TRUE; + } + break; + } + case ADDITIONAL_IP6_ADDRESS: + { + if (this->notification_data.len != 16) + { + bad_length = TRUE; } break; } @@ -259,6 +307,13 @@ static status_t verify(private_notify_payload_t *this) /* TODO: verify */ break; } + if (bad_length) + { + DBG1(DBG_ENC, "invalid notify data length for %N (%d)", + notify_type_names, this->notify_type, + this->notification_data.len); + return FAILED; + } return SUCCESS; } diff --git a/src/charon/encoding/payloads/notify_payload.h b/src/charon/encoding/payloads/notify_payload.h index 431932631..231d0408d 100644 --- a/src/charon/encoding/payloads/notify_payload.h +++ b/src/charon/encoding/payloads/notify_payload.h @@ -65,6 +65,8 @@ enum notify_type_t { FAILED_CP_REQUIRED = 37, TS_UNACCEPTABLE = 38, INVALID_SELECTORS = 39, + UNACCEPTABLE_ADDRESSES = 40, + UNEXPECTED_NAT_DETECTED = 41, /* notify status messages */ INITIAL_CONTACT = 16384, SET_WINDOW_SIZE = 16385, @@ -102,6 +104,13 @@ enum notify_type_t { extern enum_name_t *notify_type_names; /** + * enum name for notify_type_t (shorter strings). + * + * @ingroup payloads + */ +extern enum_name_t *notify_type_short_names; + +/** * @brief Class representing an IKEv2-Notify Payload. * * The Notify Payload format is described in Draft section 3.10. |