* IKEv2: Disentable IKEv2 notifications from IKEv1
We were re-using the IKEv1 notification_t for IKEv2. It was confusing,
led to errors and would eventually conflict with the IANA v1 and v2 registries.

ikev2 code now uses v2_notification_t, with notify names all prefixed
with v2N_
letoams committed Feb 8, 2012
1 parent e315133 commit e8963ab
Showing 8 changed files with 205 additions and 109 deletions.
135 changes: 98 additions & 37 deletions include/ietf_constants.h
Expand Up @@ -943,10 +943,11 @@ enum ike_trans_type_dh {
* See RFC2408 ISAKMP 3.14.1
*/

/* extern enum_names notification_names;
extern enum_names ipsec_notification_names;
*/

/*
* IKEv1 RFC2408 http://www.iana.org/assignments/ipsec-registry
* extern enum_names notification_names;
* extern enum_names ipsec_notification_names;
*/
typedef enum {
NOTHING_WRONG = 0, /* unofficial! */

Expand Down Expand Up @@ -980,10 +981,12 @@ typedef enum {
CERTIFICATE_UNAVAILABLE = 28,
UNSUPPORTED_EXCHANGE_TYPE = 29,
UNEQUAL_PAYLOAD_LENGTHS = 30,
/* 31-8191 RESERVED (Future Use) */

/* ISAKMP status type */
CONNECTED = 16384,

/*
* Sub-Registry: Notify Messages - Status Types (16384-24575)
*/
CONNECTED =16384, /* INITIAL_CONTACT */

/* IPSEC DOI additions; status types (RFC2407 IPSEC DOI 4.6.3)
* These must be sent under the protection of an ISAKMP SA.
Expand Down Expand Up @@ -1011,38 +1014,96 @@ typedef enum {
/* Netscreen / Juniper private use - notification contains internal ip */
NETSCREEN_NHTB_INFORM = 40001,

/* IKEv2 */
UNSUPPORTED_CRITICAL_PAYLOAD = 1,
INVALID_IKE_SPI = 4,
/*INVALID_MAJOR_VERSION = 5, */ /* same as ikev1 */
INVALID_SYNTAX = 7,
/*INVALID_MESSAGE_ID = 9, */ /* same as ikev1 */
/*INVALID_SPI =11, */ /* same as ikev1 */
/*NO_PROPOSAL_CHOSEN =14, */ /* same as ikev1 */
INVALID_KE_PAYLOAD =17,
/*AUTHENTICATION_FAILED =24, */ /* same as ikev1 */
SINGLE_PAIR_REQUIRED =34,
NO_ADDITIONAL_SAS =35,
INTERNAL_ADDRESS_FAILURE =36,
FAILED_CP_REQUIRED =37,
TS_UNACCEPTABLE =38,
INVALID_SELECTORS =39,

INITIAL_CONTACT =16384,
SET_WINDOW_SIZE =16385,
ADDITIONAL_TS_POSSIBLE =16386,
IPCOMP_SUPPORTED =16387,
NAT_DETECTION_SOURCE_IP =16388,
NAT_DETECTION_DESTINATION_IP =16389,
COOKIE =16390,
USE_TRANSPORT_MODE =16391,
HTTP_CERT_LOOKUP_SUPPORTED =16392,
REKEY_SA =16393,
ESP_TFC_PADDING_NOT_SUPPORTED=16394,
NON_FIRST_FRAGMENTS_ALSO =16395,

} notification_t;

/*
* http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xml#ikev2-parameters-13
* IKEv2 is very similar, but different. Let's not re-use and confuse */
typedef enum {
/* IKEv2 */
/* 0-8191 Reserved, ExpertReview */
v2N_NOTHING_WRONG = 0, /* unofficial! */
v2N_UNSUPPORTED_CRITICAL_PAYLOAD = 1,
/* Reserved = 2, */
/* Reserved = 3, */
v2N_INVALID_IKE_SPI = 4,
v2N_INVALID_MAJOR_VERSION = 5, /* same as ikev1 */
/* Reserved = 6, */
v2N_INVALID_SYNTAX = 7,
/* Reserved = 8, */
v2N_INVALID_MESSAGE_ID = 9, /* same as ikev1 */
/* Reserved =10, */
V2_INVALID_SPI =11, /* same as ikev1 */
/* Reserved =12, */
/* Reserved =13, */
v2N_NO_PROPOSAL_CHOSEN =14, /* same as ikev1 */
/* Reserved =15, */
/* Reserved =16, */
v2N_INVALID_KE_PAYLOAD =17,
/* Reserved = 18 to 23, */
v2N_AUTHENTICATION_FAILED =24, /* same as ikev1 */
/* Reserved = 25 to 33, */
v2N_SINGLE_PAIR_REQUIRED =34,
v2N_NO_ADDITIONAL_SAS =35,
v2N_INTERNAL_ADDRESS_FAILURE =36,
v2N_FAILED_CP_REQUIRED =37,
v2N_TS_UNACCEPTABLE =38,
v2N_INVALID_SELECTORS =39,
v2N_UNACCEPTABLE_ADDRESSES =40,
v2N_UNEXPECTED_NAT_DETECTED =41,
v2N_USE_ASSIGNED_HoA =42, /* RFC 5026 */
v2N_TEMPORARY_FAILURE =43,
v2N_CHILD_SA_NOT_FOUND =44,

/* old IKEv1 entries - might be in private use for IKEv2N */
v2N_INITIAL_CONTACT =16384,
v2N_SET_WINDOW_SIZE =16385,
v2N_ADDITIONAL_TS_POSSIBLE =16386,
v2N_IPCOMP_SUPPORTED =16387,
v2N_NAT_DETECTION_SOURCE_IP =16388,
v2N_NAT_DETECTION_DESTINATION_IP =16389,
v2N_COOKIE =16390,
v2N_USE_TRANSPORT_MODE =16391,
v2N_HTTP_CERT_LOOKUP_SUPPORTED =16392,
v2N_REKEY_SA =16393,
v2N_ESP_TFC_PADDING_NOT_SUPPORTED=16394,
v2N_NON_FIRST_FRAGMENTS_ALSO =16395,

/* IKEv2N extensions */
v2N_MOBIKE_SUPPORTED =16396, /* RFC-4555 */
v2N_ADDITIONAL_IP4_ADDRESS =16397, /* RFC-4555 */
v2N_ADDITIONAL_IP6_ADDRESS =16398, /* RFC-4555 */
v2N_NO_ADDITIONAL_ADDRESSES =16399, /* RFC-4555 */
v2N_UPDATE_SA_ADDRESSES =16400, /* RFC-4555 */
v2N_COOKIE2 =16401, /* RFC-4555 */
v2N_NO_NATS_ALLOWED =16402, /* RFC-4555 */
v2N_AUTH_LIFETIME =16403, /* RFC-4478 */
v2N_MULTIPLE_AUTH_SUPPORTED =16404, /* RFC-4739 */
v2N_ANOTHER_AUTH_FOLLOWS =16405, /* RFC-4739 */
v2N_REDIRECT_SUPPORTED =16406, /* RFC-5685 */
v2N_REDIRECT =16407, /* RFC-5685 */
v2N_REDIRECTED_FROM =16408, /* RFC-5685 */
v2N_TICKET_LT_OPAQUE =16409, /* RFC-5723 */
v2N_TICKET_REQUEST =16410, /* RFC-5723 */
v2N_TICKET_ACK =16411, /* RFC-5723 */
v2N_TICKET_NACK =16412, /* RFC-5723 */
v2N_TICKET_OPAQUE =16413, /* RFC-5723 */
v2N_LINK_ID =16414, /* RFC-5739 */
v2N_USE_WESP_MODE =16415, /* RFC-5840 */
v2N_ROHC_SUPPORTED =16416, /* RFC-5857 */
v2N_EAP_ONLY_AUTHENTICATION =16417, /* RFC-5998 */
v2N_CHILDLESS_IKEV2_SUPPORTED =16418, /* RFC-6023 */
v2N_QUICK_CRASH_DETECTION =16419, /* RFC-6290 */
v2N_IKEV2_MESSAGE_ID_SYNC_SUPPORTED =16420, /* RFC-6311 */
v2N_IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED =16421, /* RFC-6311 */
v2N_IKEV2_MESSAGE_ID_SYNC =16422, /* RFC-6311 */
v2N_IPSEC_REPLAY_COUNTER_SYNC =16423, /* RFC-6311 */
v2N_SECURE_PASSWORD_METHODS =16424, /* RFC-6467 */

/* 16425 - 40969 Unassigned */
/* 40960 - 65535 Private Use */
} v2_notification_t;


/* Public key algorithm number
* Same numbering as used in DNSsec
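Review bot: `V2_INVALID_SPI =11, /* same as ikev1 */` in the new v2_notification_t definition breaks the v2N_ prefix the commit introduces for every other member, and the string table in lib/libopenswan/constants.c spells that entry "v2N_INVALID_SPI"; the line should read `v2N_INVALID_SPI =11, /* same as ikev1 */`. Two comments in the same enum are also off: `/* 16425 - 40969 Unassigned */` should end at 40959 because the next line starts Private Use at 40960, and `v2N_NOTHING_WRONG = 0` is listed as "v2N_RESERVED" in the string table, so one of the two names should be aligned. Because isan_type is a 16-bit field taken from the peer's packet, the upper bound of this enum and the length of the corresponding name table presumably have to agree for the enum_names lookup to stay in bounds; a `/* keep in sync with ikev2_notify_name[] / ikev2_notify_name_16384[] in constants.c */` comment on the closing `} v2_notification_t;` line would make that dependency visible to the next person adding a code point.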
2 changes: 1 addition & 1 deletion include/packet.h
Expand Up @@ -809,7 +809,7 @@ struct ikev2_notify
u_int16_t isan_length; /* Payload length */
u_int8_t isan_protoid; /* Protocol ID: noSA=0,IKE=1,AH=2,ESP=3 */
u_int8_t isan_spisize; /* SPI size: 0 for IKE_SA */
u_int16_t isan_type; /* Notification type, see notification_t */
u_int16_t isan_type; /* Notification type, see v2_notification_t */
};
extern struct_desc ikev2_notify_desc;

91 changes: 63 additions & 28 deletions lib/libopenswan/constants.c
Expand Up @@ -944,8 +944,9 @@ enum_names ipsec_notification_names =
{ IPSEC_RESPONDER_LIFETIME, IPSEC_INITIAL_CONTACT,
ipsec_notification_name, &notification_status_names };

/* http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xml#ikev2-parameters-13 */
static const char *const ikev2_notify_name_16384[] = {
"v2N_INITIAL_CONTACT",
"v2N_INITIAL_CONTACT", /* 16384 */
"v2N_SET_WINDOW_SIZE",
"v2N_ADDITIONAL_TS_POSSIBLE",
"v2N_IPCOMP_SUPPORTED",
Expand All @@ -957,56 +958,90 @@ static const char *const ikev2_notify_name_16384[] = {
"v2N_REKEY_SA",
"v2N_ESP_TFC_PADDING_NOT_SUPPORTED",
"v2N_NON_FIRST_FRAGMENTS_ALSO",
"v2N_MOBIKE_SUPPORTED",
"v2N_ADDITIONAL_IP4_ADDRESS",
"v2N_ADDITIONAL_IP6_ADDRESS",
"v2N_NO_ADDITIONAL_ADDRESSES",
"v2N_UPDATE_SA_ADDRESSES",
"v2N_COOKIE2",
"v2N_NO_NATS_ALLOWED",
"v2N_AUTH_LIFETIME",
"v2N_MULTIPLE_AUTH_SUPPORTED",
"v2N_ANOTHER_AUTH_FOLLOWS",
"v2N_REDIRECT_SUPPORTED",
"v2N_REDIRECT",
"v2N_REDIRECTED_FROM",
"v2N_TICKET_LT_OPAQUE",
"v2N_TICKET_REQUEST",
"v2N_TICKET_ACK",
"v2N_TICKET_NACK",
"v2N_TICKET_OPAQUE",
"v2N_LINK_ID",
"v2N_USE_WESP_MODE",
"v2N_ROHC_SUPPORTED",
"v2N_EAP_ONLY_AUTHENTICATION",
"v2N_CHILDLESS_IKEV2_SUPPORTED",
"v2N_QUICK_CRASH_DETECTION",
"v2N_IKEV2_MESSAGE_ID_SYNC_SUPPORTED",
"v2N_IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED",
"v2N_IKEV2_MESSAGE_ID_SYNC",
"v2N_IPSEC_REPLAY_COUNTER_SYNC",
"v2N_SECURE_PASSWORD_METHODS", /* 16423 */
};

static const char *const ikev2_notify_name[] = {
"v2N_RESERVED",
"v2N_RESERVED", /* unofficial "OK" */
"v2N_UNSUPPORTED_CRITICAL_PAYLOAD",
"v2N_UNUSED",
"v2N_UNUSED",
"v2N_UNUSED_2",
"v2N_UNUSED_3",
"v2N_INVALID_IKE_SPI",
"v2N_INVALID_MAJOR_VERSION",
"v2N_UNUSED",
"v2N_UNUSED_6",
"v2N_INVALID_SYNTAX",
"v2N_UNUSED",
"v2N_UNUSED_8",
"v2N_INVALID_MESSAGE_ID",
"v2N_UNUSED",
"v2N_UNUSED_10",
"v2N_INVALID_SPI",
"v2N_UNUSED",
"v2N_UNUSED",
"v2N_UNUSED_12",
"v2N_UNUSED_13",
"v2N_NO_PROPOSAL_CHOSEN",
"v2N_UNUSED",
"v2N_UNUSED",
"v2N_UNUSED_15",
"v2N_UNUSED_16",
"v2N_INVALID_KE_PAYLOAD",
"v2N_UNUSED",
"v2N_UNUSED",
"v2N_UNUSED",
"v2N_UNUSED",
"v2N_UNUSED",
"v2N_UNUSED",
"v2N_UNUSED_18",
"v2N_UNUSED_19",
"v2N_UNUSED_20",
"v2N_UNUSED_21",
"v2N_UNUSED_22",
"v2N_UNUSED_23",
"v2N_AUTHENTICATION_FAILED",
"v2N_UNUSED",
"v2N_UNUSED",
"v2N_UNUSED",
"v2N_UNUSED",
"v2N_UNUSED",
"v2N_UNUSED",
"v2N_UNUSED",
"v2N_UNUSED",
"v2N_UNUSED",
"v2N_UNUSED_25",
"v2N_UNUSED_26",
"v2N_UNUSED_27",
"v2N_UNUSED_28",
"v2N_UNUSED_29",
"v2N_UNUSED_30",
"v2N_UNUSED_31",
"v2N_UNUSED_32",
"v2N_UNUSED_33",
"v2N_SINGLE_PAIR_REQUIRED",
"v2N_NO_ADDITIONAL_SAS",
"v2N_INTERNAL_ADDRESS_FAILURE",
"v2N_FAILED_CP_REQUIRED",
"v2N_TS_UNACCEPTABLE",
"v2N_INVALID_SELECTORS",
"v2N_UNACCEPTABLE_ADDRESSES",
"v2N_UNEXPECTED_NAT_DETECTED",
"v2N_USE_ASSIGNED_HoA",
"v2N_TEMPORARY_FAILURE",
"v2N_CHILD_SA_NOT_FOUND", /* 45 */
};

enum_names ikev2_notify_names_16384 =
{ INITIAL_CONTACT, NON_FIRST_FRAGMENTS_ALSO, ikev2_notify_name_16384, NULL};
{ v2N_INITIAL_CONTACT, v2N_SECURE_PASSWORD_METHODS, ikev2_notify_name_16384, NULL};

enum_names ikev2_notify_names =
{ 0, INVALID_SELECTORS, ikev2_notify_name, &ikev2_notify_names_16384};
{ 0, v2N_CHILD_SA_NOT_FOUND, ikev2_notify_name, &ikev2_notify_names_16384};

/* http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xml#ikev2-parameters-19 */
static const char *const ikev2_ts_type_name[] = {
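Review bot: The index comment on `"v2N_SECURE_PASSWORD_METHODS", /* 16423 */` disagrees with include/ietf_constants.h, where v2N_SECURE_PASSWORD_METHODS is 16424; counting from the visible `/* 16384 */` entry the string is the 41st, so the comment should be `/* 16424 */`. Likewise `"v2N_CHILD_SA_NOT_FOUND", /* 45 */` is the 45th entry and therefore index 44, matching v2N_CHILD_SA_NOT_FOUND = 44. The bounds now passed to the two enum_names initialisers (v2N_SECURE_PASSWORD_METHODS and v2N_CHILD_SA_NOT_FOUND) appear to match the table lengths, which matters because the looked-up value comes from the peer's isan_type field and any code point the bound admits but the table lacks would presumably be read past the end of the array; a `/* length must equal the range given to ikev2_notify_names below */` comment on each table would keep future additions honest. Part of ikev2_notify_name_16384[] is folded out of view between the two hunks, so the count above relies on the header's values for the hidden entries.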
2 changes: 1 addition & 1 deletion programs/pluto/ikev2.c
Expand Up @@ -956,7 +956,7 @@ void complete_v2_state_transition(struct msg_digest **mdp
}
}

notification_t
v2_notification_t
accept_v2_nonce(struct msg_digest *md, chunk_t *dest, const char *name)
{
return accept_nonce(md, dest, name, ISAKMP_NEXT_v2Ni);
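Review bot: accept_v2_nonce now declares a v2_notification_t return type but still returns the result of accept_nonce() unchanged, and accept_nonce's own return type is not visible in this hunk; if it is still the IKEv1 notification_t, the change only relabels the value, and an IKEv1 code could be reported on an IKEv2 exchange, which is the mixing this commit sets out to remove. Either give accept_nonce an IKEv2 counterpart or translate the value at this call and say so, e.g. `/* TODO: accept_nonce() returns the IKEv1 notification_t; map it to the v2N_ code before returning */`. The closing brace of accept_v2_nonce lies outside the hunk.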
10 changes: 5 additions & 5 deletions programs/pluto/ikev2.h
Expand Up @@ -37,10 +37,10 @@ extern stf_status ikev2parent_inR2(struct msg_digest *md);

extern const struct state_v2_microcode *ikev2_parent_firststate(void);

extern notification_t accept_v2_nonce(struct msg_digest *md, chunk_t *dest
extern v2_notification_t accept_v2_nonce(struct msg_digest *md, chunk_t *dest
, const char *name);

/* MAGIC: perform f, a function that returns notification_t
/* MAGIC: perform f, a function that returns v2_notification_t
* and return from the ENCLOSING stf_status returning function if it fails.
*/
#define RETURN_STF_FAILURE2(f, xf) \
Expand All @@ -50,7 +50,7 @@ extern notification_t accept_v2_nonce(struct msg_digest *md, chunk_t *dest

#define RETURN_STF_FAILURE(f) RETURN_STF_FAILURE2(f, NULL)

extern notification_t ikev2_parse_parent_sa_body(
extern v2_notification_t ikev2_parse_parent_sa_body(
pb_stream *sa_pbs, /* body of input SA Payload */
const struct ikev2_sa *sa_prop UNUSED, /* header of input SA Payload */
pb_stream *r_sa_pbs, /* if non-NULL, where to emit winning SA */
Expand All @@ -59,7 +59,7 @@ extern notification_t ikev2_parse_parent_sa_body(
* tranform can appear. */
);

extern notification_t ikev2_parse_child_sa_body(
extern v2_notification_t ikev2_parse_child_sa_body(
pb_stream *sa_pbs, /* body of input SA Payload */
const struct ikev2_sa *sa_prop UNUSED, /* header of input SA Payload */
pb_stream *r_sa_pbs, /* if non-NULL, where to emit winning SA */
Expand All @@ -69,7 +69,7 @@ extern notification_t ikev2_parse_child_sa_body(
);

#if 0
extern notification_t parse_ikev2_sa_body(pb_stream *sa_pbs
extern v2_notification_t parse_ikev2_sa_body(pb_stream *sa_pbs
, const struct ikev2_sa *sa
, pb_stream *r_sa_pbs
, struct state *st
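Review bot: The RETURN_STF_FAILURE2 comment now states that f returns v2_notification_t, but the macro body is folded out of view after the `\` continuation, so whether its success test still compares the result against the IKEv1 NOTHING_WRONG cannot be checked here; if it does, it should compare against `v2N_NOTHING_WRONG` instead — both are 0, so behaviour is unchanged, but the comparison is what documents which registry the value belongs to. The prototype of parse_ikev2_sa_body inside `#if 0` was retyped as well; dead declarations tend to drift from their definitions, so either drop it or add a one-line comment saying why it is kept.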
