Changeset 332:e624fa5f85ca in freeDiameter for freeDiameter/p_ce.c
- Timestamp:
- May 31, 2010, 7:09:24 PM (14 years ago)
- Branch:
- default
- Phase:
- public
- File:
-
- 1 edited
freeDiameter/p_ce.c
r267 r332 794 794 /* Do we agree on ISI ? */ 795 795 if ( ! fd_cnx_getTLS(peer->p_cnxctx) ) { 796 796 797 /* In case of responder, the validate callback must have set the config.pic_flags.sec value already */ 797 if (!peer->p_hdr.info.config.pic_flags.sec) { 798 /* The peer did not send the Inband-Security-Id AVP, reject */ 799 TRACE_DEBUG(INFO, "No security mechanism advertised by peer '%s', sending DIAMETER_NO_COMMON_SECURITY", peer->p_hdr.info.pi_diamid); 800 ec = "DIAMETER_NO_COMMON_SECURITY"; 801 fatal = 1; 802 goto error_abort; 803 } 804 805 /* Now, check if we agree on the value IPsec */ 806 if ((peer->p_hdr.info.config.pic_flags.sec & PI_SEC_NONE) && (peer->p_hdr.info.runtime.pir_isi & PI_SEC_NONE)) { 807 isi = PI_SEC_NONE; 808 } else if ((peer->p_hdr.info.config.pic_flags.sec & PI_SEC_TLS_OLD) && (peer->p_hdr.info.runtime.pir_isi & PI_SEC_TLS_OLD)) { 809 isi = PI_SEC_TLS_OLD; 810 } 811 798 799 /* First case: we are not using old mechanism: ISI are deprecated, we ignore it. */ 800 if ( ! (peer->p_hdr.info.config.pic_flags.sec & PI_SEC_TLS_OLD)) { 801 /* Just check then that the peer configuration allows for IPsec protection */ 802 if (peer->p_hdr.info.config.pic_flags.sec & PI_SEC_NONE) { 803 isi = PI_SEC_NONE; 804 } else { 805 /* otherwise, we should have already been protected. Reject */ 806 TRACE_DEBUG(INFO, "Non TLS-protected CER/CEA exchanges are not allowed with this peer, rejecting."); 807 } 808 } else { 809 /* The old mechanism is allowed with this peer. Now, look into the ISI AVP values */ 810 811 /* In case no ISI was present anyway: */ 812 if (!peer->p_hdr.info.runtime.pir_isi) { 813 TRACE_DEBUG(INFO, "Inband-Security-Id AVP is missing in received CER."); 814 if (peer->p_hdr.info.config.pic_flags.sec & PI_SEC_NONE) { 815 isi = PI_SEC_NONE; 816 TRACE_DEBUG(INFO, "IPsec protection allowed by configuration, allowing this mechanism to be used."); 817 } else { 818 /* otherwise, we should have already been protected. 
Reject */ 819 TRACE_DEBUG(INFO, "Rejecting the peer connection (please allow IPsec here or configure TLS in the remote peer)."); 820 } 821 } else { 822 /* OK, the remote peer did send the ISI AVP. */ 823 if ((peer->p_hdr.info.config.pic_flags.sec & PI_SEC_NONE) && (peer->p_hdr.info.runtime.pir_isi & PI_SEC_NONE)) { 824 /* We have allowed IPsec */ 825 isi = PI_SEC_NONE; 826 } else if (peer->p_hdr.info.runtime.pir_isi & PI_SEC_TLS_OLD) { 827 /* We can agree on TLS */ 828 isi = PI_SEC_TLS_OLD; 829 } else { 830 TRACE_DEBUG(INFO, "Remote peer requested IPsec protection, but local configuration forbids it."); 831 } 832 } 833 } 834 812 835 /* If we did not find an agreement */ 813 836 if (!isi) { … … 817 840 goto error_abort; 818 841 } 842 843 /* Do not send the ISI IPsec if we are using the new mechanism */ 844 if ((isi == PI_SEC_NONE) && (! (peer->p_hdr.info.config.pic_flags.sec & PI_SEC_TLS_OLD))) 845 isi = 0; 819 846 } 820 847
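Review bot: The three rejection paths in the new code (the TRACE_DEBUG calls at new lines 806, 819 and 830) only log and leave `isi` untouched, so the refusal itself depends on `isi` having been zero before this block and on the `if (!isi)` test at line 836; the initialisation is outside the hunk and cannot be confirmed here. Assigning `isi = 0; /* force the DIAMETER_NO_COMMON_SECURITY path below */` in each of those else branches would make the rejection independent of whatever value the variable held earlier. The new messages also drop the peer identity that the removed message carried, which makes a refused CER hard to attribute in the trace; `TRACE_DEBUG(INFO, "Non TLS-protected CER/CEA exchanges are not allowed with peer '%s', rejecting.", peer->p_hdr.info.pi_diamid);` and the same `'%s'`/`pi_diamid` addition on the other two lines would restore it. The enclosing function starts and ends outside the hunk.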