Changeset 332:e624fa5f85ca in freeDiameter


Timestamp:
May 31, 2010, 7:09:24 PM (14 years ago)
Author:
Sebastien Decugis <sdecugis@nict.go.jp>
Branch:
default
Phase:
public
Message:

Attempt to fix a bug reported by Alexey Berdnikov (CER without ISI AVP)

Files:
2 edited

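--- a/extensions/acl_wl/acl_wl.c
+++ b/extensions/acl_wl/acl_wl.c
@@ -77,20 +77,11 @@
 	}
 	
-	/* Check the Inband-Security-Id value */
-	res &= info->runtime.pir_isi;
-	if (res == 0) {
-		TRACE_DEBUG(INFO, "Peer '%s' rejected, remotely advertised Inband-Security-Id is not compatible with whitelist flags.", info->pi_diamid);
-		/* We don't actually set *auth = -1, leave space for a further extension to validate the peer */
-		return 0;
-	}
-	
-	/* Ok, the peer is whitelisted */
+	/* Otherwise, just set the configured flags for the peer, and authorize it */
 	*auth = 1;
 	
-	/* Now, configure the peer for the authorized mechanism */
+	/* Save information about the security mechanism to use after CER/CEA exchange */
 	if ((res & PI_SEC_NONE) && (res & PI_SEC_TLS_OLD))
 		res = PI_SEC_NONE; /* If we authorized it, we must have an IPsec tunnel setup, no need for TLS in this case */
 	
-	/* Save information about the security mechanism to use after CER/CEA exchange */
 	info->config.pic_flags.sec = res;
 	return 0;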
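Review bot: The comment added at new line 79 says the configured flags are set for the peer, but the unchanged lines just below collapse `PI_SEC_NONE|PI_SEC_TLS_OLD` to `PI_SEC_NONE`, and now that this commit drops the Inband-Security-Id check from the callback, that collapse is what decides which negotiation branch p_ce.c takes (with `PI_SEC_TLS_OLD` cleared, the peer's advertised ISI is ignored there entirely). I would make the comment say so: `/* Authorize the peer with its whitelist flags (collapsed to IPsec-only when both IPsec and old-style TLS are allowed, see below); the ISI agreement itself is now checked in p_ce.c */`. Note also that if `res` can be zero at this point, the peer is now authorized with `pic_flags.sec == 0` and rejection moves to p_ce.c, where it happens only as a side effect of the `PI_SEC_NONE` test rather than an explicit "no mechanism configured" check. The enclosing function and the computation of `res` start outside the hunk.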
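--- a/freeDiameter/p_ce.c
+++ b/freeDiameter/p_ce.c
@@ -794,20 +794,43 @@
 	/* Do we agree on ISI ? */
 	if ( ! fd_cnx_getTLS(peer->p_cnxctx) ) {
+		
 		/* In case of responder, the validate callback must have set the config.pic_flags.sec value already */
-		if (!peer->p_hdr.info.config.pic_flags.sec) {
-			/* The peer did not send the Inband-Security-Id AVP, reject */
-			TRACE_DEBUG(INFO, "No security mechanism advertised by peer '%s', sending DIAMETER_NO_COMMON_SECURITY", peer->p_hdr.info.pi_diamid);
-			ec = "DIAMETER_NO_COMMON_SECURITY";
-			fatal = 1;
-			goto error_abort;
-		}
-		
-		/* Now, check if we agree on the value IPsec */
-		if ((peer->p_hdr.info.config.pic_flags.sec & PI_SEC_NONE) && (peer->p_hdr.info.runtime.pir_isi & PI_SEC_NONE)) {
-			isi = PI_SEC_NONE;
-		} else if ((peer->p_hdr.info.config.pic_flags.sec & PI_SEC_TLS_OLD) && (peer->p_hdr.info.runtime.pir_isi & PI_SEC_TLS_OLD)) {
-			isi = PI_SEC_TLS_OLD;
-		}
-		
+		
+		/* First case: we are not using old mechanism: ISI are deprecated, we ignore it. */
+		if ( ! (peer->p_hdr.info.config.pic_flags.sec & PI_SEC_TLS_OLD)) {
+			/* Just check then that the peer configuration allows for IPsec protection */
+			if (peer->p_hdr.info.config.pic_flags.sec & PI_SEC_NONE) {
+				isi = PI_SEC_NONE;
+			} else {
+				/* otherwise, we should have already been protected. Reject */
+				TRACE_DEBUG(INFO, "Non TLS-protected CER/CEA exchanges are not allowed with this peer, rejecting.");
+			}
+		} else {
+			/* The old mechanism is allowed with this peer. Now, look into the ISI AVP values */
+			
+			/* In case no ISI was present anyway: */
+			if (!peer->p_hdr.info.runtime.pir_isi) {
+				TRACE_DEBUG(INFO, "Inband-Security-Id AVP is missing in received CER.");
+				if (peer->p_hdr.info.config.pic_flags.sec & PI_SEC_NONE) {
+					isi = PI_SEC_NONE;
+					TRACE_DEBUG(INFO, "IPsec protection allowed by configuration, allowing this mechanism to be used.");
+				} else {
+					/* otherwise, we should have already been protected. Reject */
+					TRACE_DEBUG(INFO, "Rejecting the peer connection (please allow IPsec here or configure TLS in the remote peer).");
+				}
+			} else {
+				/* OK, the remote peer did send the ISI AVP. */
+				if ((peer->p_hdr.info.config.pic_flags.sec & PI_SEC_NONE) && (peer->p_hdr.info.runtime.pir_isi & PI_SEC_NONE)) {
+					/* We have allowed IPsec */
+					isi = PI_SEC_NONE;
+				} else if (peer->p_hdr.info.runtime.pir_isi & PI_SEC_TLS_OLD) {
+					/* We can agree on TLS */
+					isi = PI_SEC_TLS_OLD;
+				} else {
+					TRACE_DEBUG(INFO, "Remote peer requested IPsec protection, but local configuration forbids it.");
+				}
+			}
+		}
+		
 		/* If we did not find an agreement */
 		if (!isi) {
@@ -817,4 +840,8 @@
 			goto error_abort;
 		}
+		
+		/* Do not send the ISI IPsec if we are using the new mechanism */
+		if ((isi == PI_SEC_NONE) && (! (peer->p_hdr.info.config.pic_flags.sec & PI_SEC_TLS_OLD)))
+			isi = 0;
 	}
 	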
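Review bot: In the old-mechanism branch (new lines 823-828) the no-inband-security case is tested before TLS, so when both `pic_flags.sec` and `pir_isi` carry `PI_SEC_NONE` and `PI_SEC_TLS_OLD` the exchange proceeds without TLS on the strength of an IPsec tunnel this code cannot observe, even though both sides also offered TLS. That mirrors acl_wl.c's stated assumption that allowing `PI_SEC_NONE` means an IPsec tunnel is set up, but since the choice is made here I would either say so in the comment at new line 824 or swap the two tests so that `isi = PI_SEC_TLS_OLD` wins whenever `pir_isi & PI_SEC_TLS_OLD`, with `PI_SEC_NONE` only as the fallback when TLS is not mutually offered. Separately, the three reject branches only log and rely on `isi` still being 0 for the `if (!isi)` test below, while the new line 845 reuses the same variable to mean "no ISI AVP to send"; a comment there such as `/* isi == 0 from here on means no ISI AVP in the CEA, not a failed negotiation */` would keep the two meanings apart for later readers. The declaration of `isi`, the body of the `if (!isi)` error path and the enclosing function are all outside the hunk; if this path is also reached when processing a CEA, the log at new line 813 naming a "received CER" would be misleading.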