Martin Willi wrote:
> Hi,
>
>> add ME_AUTHORIZATION_FAILED = 8193 in the notify_payload.h file
>
>> understanding the notify_payload.c file. More specifically I
>> can't make any sense of the enumerations...
>
> If you change the enum in a header file, you'll have to update the
> enum-to-string mappings in the corresponding .c file, too.
>
> These macros create several structs with strings to map enums to
> strings. The notify types enumeration is probably the most complex
> incarnation of this struct, my apologies.
>
> Have a look at the src/libstrongswan/enum.h header, it explains in
> detail how these macros work.
>
> Regards
> Martin
>
>

The enum header helped a lot :) thanks!

I was wondering though if the ME in ME_CONNECT_FAILED has special
meaning. I assumed it was for referring to adding a private
implementation (ME as in me, self). Yet after seeing it more often,
e.g., "ME_MEDIATION", "ME_ENDPOINT", "ME_CALLBACK", "ME_CONNECTID", "ME_CONNECTKEY", "ME_CONNECTAUTH", "ME_RESPONSE",
I got the impression it might have another meaning.

Daniel Palomares wrote:
> I took this from my internal WiKi. Hope it helps you!
> 
> 
> Let's suppose the new payload is called |NEW_PAYLOAD|.
> 
> Files to be changed:
> 
>     *
>       |notify_payload.h| at //scr/charon/encodings/payload//
> 
> It has the list of notify messages types. So, it is needed to add
> |NEW_PAYLOAD| to the |enum{}| list (|i.e.| |MOBIKE_SUPPORTED| = 16396
> and it must be between 16397 and 16395). It means also that depending on
> the value of the notify, its location is defined on the list |enum
> notify_type_t{}|. It is VERY important to understand that this list is
> the base to build all messages of IKEv2, including its extensions (see )
> 
> /**
>  * Notify message types.
>  *
>  * See IKEv2 RFC 3.10.1.
>  */
> enum notify_type_t {
>       /* notify error messages */
>       UNSUPPORTED_CRITICAL_PAYLOAD = 1,
>       INVALID_IKE_SPI = 4,
>       INVALID_MAJOR_VERSION = 5,
>       INVALID_SYNTAX = 7,
>       INVALID_MESSAGE_ID = 9,
>       INVALID_SPI = 11,
>       NO_PROPOSAL_CHOSEN = 14,
>       INVALID_KE_PAYLOAD = 17,
>       AUTHENTICATION_FAILED = 24,
>       SINGLE_PAIR_REQUIRED = 34,
>       NO_ADDITIONAL_SAS = 35,
>       INTERNAL_ADDRESS_FAILURE = 36,
>       FAILED_CP_REQUIRED = 37,
>       TS_UNACCEPTABLE = 38,
>       INVALID_SELECTORS = 39,
>       UNACCEPTABLE_ADDRESSES = 40,
>       UNEXPECTED_NAT_DETECTED = 41,
>       /* IKE-ME, private use */
>       ME_CONNECT_FAILED = 8192,
>       /* MOBIKE-eXtended Messages */
>       MOBIKE_UNSUPPORTED_VERSION = 8193,      <---------- i.e. this Notify was added.
>  
>       /* notify status messages */
>       INITIAL_CONTACT = 16384,
>       SET_WINDOW_SIZE = 16385,
>       ADDITIONAL_TS_POSSIBLE = 16386,
>       IPCOMP_SUPPORTED = 16387,
>       NAT_DETECTION_SOURCE_IP = 16388,
>       NAT_DETECTION_DESTINATION_IP = 16389,
>       COOKIE = 16390,
>       USE_TRANSPORT_MODE = 16391,
>       HTTP_CERT_LOOKUP_SUPPORTED = 16392,
>       REKEY_SA = 16393,
>       ESP_TFC_PADDING_NOT_SUPPORTED = 16394, 
>       NON_FIRST_FRAGMENTS_ALSO = 16395,
>       /* mobike extension, RFC4555 */
>       MOBIKE_SUPPORTED = 16396,
>       ADDITIONAL_IP4_ADDRESS = 16397,
>       ADDITIONAL_IP6_ADDRESS = 16398,
>       NO_ADDITIONAL_ADDRESSES = 16399,
>       UPDATE_SA_ADDRESSES = 16400,
>       COOKIE2 = 16401,
>       NO_NATS_ALLOWED = 16402,
>       /* repeated authentication extension, RFC4478 */
>       AUTH_LIFETIME = 16403,
>         /* multiple authentication exchanges, RFC 4739 */
>       MULTIPLE_AUTH_SUPPORTED = 16404,
>       ANOTHER_AUTH_FOLLOWS = 16405,
>       /* draft-eronen-ipsec-ikev2-eap-auth, not assigned by IANA yet */
>       EAP_ONLY_AUTHENTICATION = 40960,
>       /* BEET mode, not even a draft yet. private use */
>       USE_BEET_MODE = 40961,
>       /* IKE-ME, private use */
>       ME_MEDIATION = 40962,
>       ME_ENDPOINT = 40963,
>       ME_CALLBACK = 40964,
>       ME_CONNECTID = 40965,
>       ME_CONNECTKEY = 40966,
>       ME_CONNECTAUTH = 40967,
>       ME_RESPONSE = 40968,
> 
> };
> 
>     *
>       |notify_payload.c| at //scr/charon/encodings/payload//
> 
> Before knowing how to modify |notify_payload.c|, first it is mandatory
> to know how enum's are represented in the code. The following structure
> is located at //src/libstrongswan/enum.h/ :
> 
> /**
>  * Struct to store names for enums.
>  *
>  * To print the string representation of enumeration values, the strings
>  * are stored in these structures. Every enum_name contains a range
>  * of strings, multiple ranges are linked together.
>  * Use the convenience macros to define these linked ranges.
>  *
>  * For a single range, use:
>  * @code
>    ENUM(name, first, last, string1, string2, ...)
>    @endcode
>  * For multiple linked ranges, use:
>  * @code
>    ENUM_BEGIN(name, first, last, string1, string2, ...)
>      ENUM_NEXT(name, first, last, last_from_previous, string3, ...)
>      ENUM_NEXT(name, first, last, last_from_previous, string4, ...)
>    ENUM_END(name, last_from_previous)
>    @endcode
>  * The ENUM and the ENUM_END define an enum_name_t pointer with the name
>  * supplied in "name".
>  *
>  * Resolving of enum names is done using a printf hook. A printf format
>  * character %N is replaced by the enum string. Printf needs two arguments to
>  * resolve a %N, the enum_name_t* (the defined name in ENUM_BEGIN) followed
>  * by the numerical enum value.
>  */
> struct enum_name_t {
>       /** value of the first enum string */
>       int first;
>       /** value of the last enum string */
>       int last;
>       /** next enum_name_t in list */
>       enum_name_t *next;
>       /** array of strings containing names from first to last */
>       char *names[];
> };
> 
> As the |NEW_PAYLOAD| must be defined inside the enum list of IKEv2
> notify messages, it should be added in |notify_payload.c| in order to be
> displayed as a string wherever and whenever it is needed.
> 
> ENUM_BEGIN(notify_type_names, UNSUPPORTED_CRITICAL_PAYLOAD, UNSUPPORTED_CRITICAL_PAYLOAD,
>       "UNSUPPORTED_CRITICAL_PAYLOAD");
> ENUM_NEXT(notify_type_names, INVALID_IKE_SPI, INVALID_MAJOR_VERSION, UNSUPPORTED_CRITICAL_PAYLOAD,
>       "INVALID_IKE_SPI",
>       "INVALID_MAJOR_VERSION");
> ENUM_NEXT(notify_type_names, INVALID_SYNTAX, INVALID_SYNTAX, INVALID_MAJOR_VERSION,
>       "INVALID_SYNTAX");
> ENUM_NEXT(notify_type_names, INVALID_MESSAGE_ID, INVALID_MESSAGE_ID, INVALID_SYNTAX,
>       "INVALID_MESSAGE_ID");
> ENUM_NEXT(notify_type_names, INVALID_SPI, INVALID_SPI, INVALID_MESSAGE_ID,
>       "INVALID_SPI");
> ENUM_NEXT(notify_type_names, NO_PROPOSAL_CHOSEN, NO_PROPOSAL_CHOSEN, INVALID_SPI,
>       "NO_PROPOSAL_CHOSEN");
> ENUM_NEXT(notify_type_names, INVALID_KE_PAYLOAD, INVALID_KE_PAYLOAD, NO_PROPOSAL_CHOSEN,
>       "INVALID_KE_PAYLOAD");
> ENUM_NEXT(notify_type_names, AUTHENTICATION_FAILED, AUTHENTICATION_FAILED, INVALID_KE_PAYLOAD,
>       "AUTHENTICATION_FAILED");
> ENUM_NEXT(notify_type_names, SINGLE_PAIR_REQUIRED, UNEXPECTED_NAT_DETECTED, AUTHENTICATION_FAILED,
>       "SINGLE_PAIR_REQUIRED",
>       "NO_ADDITIONAL_SAS",
>       "INTERNAL_ADDRESS_FAILURE",
>       "FAILED_CP_REQUIRED",
>       "TS_UNACCEPTABLE",
>       "INVALID_SELECTORS",
>       "UNACCEPTABLE_ADDRESSES",
>       "UNEXPECTED_NAT_DETECTED");
> ENUM_NEXT(notify_type_names, ME_CONNECT_FAILED, MOBIKE_UNSUPPORTED_VERSION, UNEXPECTED_NAT_DETECTED,
>       "ME_CONNECT_FAILED",
>       "MOBIKE_UNSUPPORTED_VERSION");    <--------------- Added in order to support MOBIKE-X
> 
> ENUM_NEXT(notify_type_names, INITIAL_CONTACT, ANOTHER_AUTH_FOLLOWS, MOBIKE_UNSUPPORTED_VERSION,
>       "INITIAL_CONTACT",
>       "SET_WINDOW_SIZE",
>       "ADDITIONAL_TS_POSSIBLE",
>       "IPCOMP_SUPPORTED",
>       "NAT_DETECTION_SOURCE_IP",
>       "NAT_DETECTION_DESTINATION_IP",
>       "COOKIE",
>       "USE_TRANSPORT_MODE",
>       "HTTP_CERT_LOOKUP_SUPPORTED",
>       "REKEY_SA",
>       "ESP_TFC_PADDING_NOT_SUPPORTED",
>       "NON_FIRST_FRAGMENTS_ALSO",
>       "MOBIKE_SUPPORTED",
>       "ADDITIONAL_IP4_ADDRESS",
>       "ADDITIONAL_IP6_ADDRESS",
>       "NO_ADDITIONAL_ADDRESSES",
>       "UPDATE_SA_ADDRESSES",
>       "COOKIE2",
>       "NO_NATS_ALLOWED",
>       "AUTH_LIFETIME",
>       "MULTIPLE_AUTH_SUPPORTED",
>       "ANOTHER_AUTH_FOLLOWS");
> ENUM_NEXT(notify_type_names, EAP_ONLY_AUTHENTICATION, EAP_ONLY_AUTHENTICATION, ANOTHER_AUTH_FOLLOWS,
>       "EAP_ONLY_AUTHENTICATION");
> ENUM_NEXT(notify_type_names, USE_BEET_MODE, USE_BEET_MODE, EAP_ONLY_AUTHENTICATION,
>       "USE_BEET_MODE");
> ENUM_NEXT(notify_type_names, ME_MEDIATION, ME_RESPONSE, USE_BEET_MODE,
>       "ME_MEDIATION",
>       "ME_ENDPOINT",
>       "ME_CALLBACK",
>       "ME_CONNECTID",
>       "ME_CONNECTKEY",
>       "ME_CONNECTAUTH",
>       "ME_RESPONSE");
> ENUM_END(notify_type_names, ME_RESPONSE);
>  
>  
> ENUM_BEGIN(notify_type_short_names, UNSUPPORTED_CRITICAL_PAYLOAD, UNSUPPORTED_CRITICAL_PAYLOAD,
>       "CRIT");
> ENUM_NEXT(notify_type_short_names, INVALID_IKE_SPI, INVALID_MAJOR_VERSION, UNSUPPORTED_CRITICAL_PAYLOAD,
>       "INVAL_IKE_SPI",
>       "INVAL_MAJOR");
> ENUM_NEXT(notify_type_short_names, INVALID_SYNTAX, INVALID_SYNTAX, INVALID_MAJOR_VERSION,
>       "INVAL_SYN");
> ENUM_NEXT(notify_type_short_names, INVALID_MESSAGE_ID, INVALID_MESSAGE_ID, INVALID_SYNTAX,
>       "INVAL_MID");
> ENUM_NEXT(notify_type_short_names, INVALID_SPI, INVALID_SPI, INVALID_MESSAGE_ID,
>       "INVAL_SPI");
> ENUM_NEXT(notify_type_short_names, NO_PROPOSAL_CHOSEN, NO_PROPOSAL_CHOSEN, INVALID_SPI,
>       "NO_PROP");
> ENUM_NEXT(notify_type_short_names, INVALID_KE_PAYLOAD, INVALID_KE_PAYLOAD, NO_PROPOSAL_CHOSEN,
>       "INVAL_KE");
> ENUM_NEXT(notify_type_short_names, AUTHENTICATION_FAILED, AUTHENTICATION_FAILED, INVALID_KE_PAYLOAD,
>       "AUTH_FAILED");
> ENUM_NEXT(notify_type_short_names, SINGLE_PAIR_REQUIRED, UNEXPECTED_NAT_DETECTED, AUTHENTICATION_FAILED,
>       "SINGLE_PAIR",
>       "NO_ADD_SAS",
>       "INT_ADDR_FAIL",
>       "FAIL_CP_REQ",
>       "TS_UNACCEPT",
>       "INVAL_SEL",
>       "UNACCEPT_ADDR",
>       "UNEXPECT_NAT");
> ENUM_NEXT(notify_type_short_names, ME_CONNECT_FAILED, MOBIKE_UNSUPPORTED_VERSION, UNEXPECTED_NAT_DETECTED,
>       "ME_CONN_FAIL",
>       "MOBIKE_UNSUP");    <--------------- Added in order to support MOBIKE-X
> 
> ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, ANOTHER_AUTH_FOLLOWS, MOBIKE_UNSUPPORTED_VERSION,
>       "INIT_CONTACT",
>       "SET_WINSIZE",
>       "ADD_TS_POSS",
>       "IPCOMP_SUPP",
>       "NATD_S_IP",
>       "NATD_D_IP",
>       "COOKIE",
>       "USE_TRANSP",
>       "HTTP_CERT_LOOK",
>       "REKEY_SA",
>       "ESP_TFC_PAD_N",
>       "NON_FIRST_FRAG",
>       "MOBIKE_SUP",
>       "ADD_4_ADDR",
>       "ADD_6_ADDR",
>       "NO_ADD_ADDR",
>       "UPD_SA_ADDR",
>       "COOKIE2",
>       "NO_NATS",
>       "AUTH_LFT",
>       "MULT_AUTH",
>       "AUTH_FOLLOWS");
> ENUM_NEXT(notify_type_short_names, EAP_ONLY_AUTHENTICATION, EAP_ONLY_AUTHENTICATION, ANOTHER_AUTH_FOLLOWS,
>       "EAP_ONLY");
> ENUM_NEXT(notify_type_short_names, USE_BEET_MODE, USE_BEET_MODE, EAP_ONLY_AUTHENTICATION,
>       "BEET_MODE");
> ENUM_NEXT(notify_type_short_names, ME_MEDIATION, ME_RESPONSE, USE_BEET_MODE,
>       "ME_MED",
>       "ME_EP",
>       "ME_CB",
>       "ME_CID",
>       "ME_CKEY",
>       "ME_CAUTH",
>       "ME_R");
> ENUM_END(notify_type_short_names, ME_RESPONSE);
> 
> IMPORTANT: in the case of MOBIKE_UNSUPPORTED_VERSION, its value is 8193,
> just between |ME_CONNECT_FAILED| and |INITIAL_CONTACT|. As in this case
> there are two different macros of the type |ENUM_NEXT|, these macros
> must be changed carefully in order not to lose the link between them.
> Otherwise, somewhere in the code, at the moment when strings of notify
> are needed (for example in the log file), the program is not going to
> display the correct information. Note that there are two types of ENUMs,
> the long and short types of names. So, one must modify both in the same
> manner.
> 
>     *
>       |message.c| at /src/charon/encodings//
> 
> It controls the order of the payloads which are going to be sent in the
> message exchange. A |NEW_PAYLOAD| would be added depending on its
> architecture and operation. For example, |MOBIKE_UNSUPPORTED_VERSION| is
> a notify payload that could exist as a responder or as an initiator (only
> to terminate a MOBIKE-X connection), so it is needed to add a new
> payload in the payload order defined in this file. Also, it is mandatory
> to know when the |NEW_PAYLOAD| is taking place. For
> |MOBIKE_UNSUPPORTED_VERSION|, it just could happen during |IKE_AUTH| or
> as |INFORMATIONAL|. So let's take a look at how it should be added:
> 
> .
> .
> .
> /**
>  * payload order for IKE_AUTH responder
>  */
> static payload_order_t ike_auth_r_payload_order[] = {
> 
> 
> /*    payload type                                    notify type */
>       {ID_RESPONDER,                                  0},
>       {CERTIFICATE,                                   0},
>       {AUTHENTICATION,                                0},
>       {EXTENSIBLE_AUTHENTICATION,             0},
>       {CONFIGURATION,                                 0},
>       {NOTIFY,                                                
> IPCOMP_SUPPORTED},
>       {NOTIFY,                                                
> USE_TRANSPORT_MODE},
>       {NOTIFY,                                                
> ESP_TFC_PADDING_NOT_SUPPORTED},
>       {NOTIFY,                                                
> NON_FIRST_FRAGMENTS_ALSO},
>       {SECURITY_ASSOCIATION,                  0},
>       {TRAFFIC_SELECTOR_INITIATOR,    0},
>       {TRAFFIC_SELECTOR_RESPONDER,    0},
>       {NOTIFY,                                                AUTH_LIFETIME},
>       {NOTIFY,                                                
> MOBIKE_SUPPORTED},
>         {NOTIFY,                                              
> MOBIKE_UNSUPPORTED_VERSION},      <------------- Added Here as responder for 
> IKE_AUTH
> 
> 
>       {NOTIFY,                                                
> ADDITIONAL_IP4_ADDRESS},
>       {NOTIFY,                                                
> ADDITIONAL_IP6_ADDRESS},
>       {NOTIFY,                                                
> NO_ADDITIONAL_ADDRESSES},
>       {NOTIFY,                                                0},
>       {VENDOR_ID,                                             0},
> };
> .
> .
> .
>  
> /**
> 
> 
>  * payload order for IKE_AUTH initiator
>  */
> static payload_order_t ike_auth_i_payload_order[] = {
> 
> 
> /*    payload type                                    notify type */
>       {ID_INITIATOR,                                  0},
>       {CERTIFICATE,                                   0},
>       {NOTIFY,                                                
> INITIAL_CONTACT},
>       {NOTIFY,                                                
> HTTP_CERT_LOOKUP_SUPPORTED},
>       {CERTIFICATE_REQUEST,                   0},
>       {ID_RESPONDER,                                  0},
>       {AUTHENTICATION,                                0},
>       {EXTENSIBLE_AUTHENTICATION,             0},
>       {CONFIGURATION,                                 0},
>       {NOTIFY,                                                
> IPCOMP_SUPPORTED},
>       {NOTIFY,                                                
> USE_TRANSPORT_MODE},
>       {NOTIFY,                                                
> ESP_TFC_PADDING_NOT_SUPPORTED},
>       {NOTIFY,                                                
> NON_FIRST_FRAGMENTS_ALSO},
>       {SECURITY_ASSOCIATION,                  0},
>       {TRAFFIC_SELECTOR_INITIATOR,    0},
>       {TRAFFIC_SELECTOR_RESPONDER,    0},
>       {NOTIFY,                                                
> MOBIKE_SUPPORTED},
>         {NOTIFY,                                              
> MOBIKE_UNSUPPORTED_VERSION},      <------------- Added Here as initiator for 
> IKE_AUTH
> 
> 
>       {NOTIFY,                                                
> ADDITIONAL_IP4_ADDRESS},
>       {NOTIFY,                                                
> ADDITIONAL_IP6_ADDRESS},
>       {NOTIFY,                                                
> NO_ADDITIONAL_ADDRESSES},
>         {NOTIFY,                                              0},
>       {VENDOR_ID,                                             0},
> };
> .
> .
> .
> 
> 
> 
> Daniel Palomares Velásquez
> Orange Labs de France Télécom
> Doctorate Student
> 
> 

This also helped a lot, I always liked learning by example :)
Especially thanks for pointing out that I needed to change message.c. I
was not aware I needed to change that one too, and I bet you saved me days
of debugging.

Yours sincerely,

Jan Willem Beusink
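The linked-range mechanism Daniel's post walks through, as an added example that is not part of the thread and not strongSwan's code: a scaled-down model of the enum_name_t chain from src/libstrongswan/enum.h. The `name_range_t` struct, the `RANGE_BEGIN`/`RANGE_NEXT`/`RANGE_END` macros, the extra `count` field and the `range_name`/`range_check` functions are all assumptions made here to illustrate the idea; the real macros differ in detail. Each range is named after its `last` value, which is why the "last_from_previous" argument has to match exactly, and `range_check` catches the case the post warns about: an enum value was added to a range (here 8193 next to ME_CONNECT_FAILED) but the string list for that range was not extended, so a lookup would read past the array and the log would show the wrong name.

```c
/* Added example (not strongSwan code): a model of the linked enum-name ranges
 * described in src/libstrongswan/enum.h. Names and macros below are assumptions
 * for illustration, not the project's own API. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Subset of notify_type_t from the thread, with the value added in the post. */
enum notify_type_t {
	UNSUPPORTED_CRITICAL_PAYLOAD = 1,
	INVALID_IKE_SPI = 4,
	INVALID_MAJOR_VERSION = 5,
	AUTHENTICATION_FAILED = 24,
	ME_CONNECT_FAILED = 8192,
	MOBIKE_UNSUPPORTED_VERSION = 8193,
	INITIAL_CONTACT = 16384,
	SET_WINDOW_SIZE = 16385,
};

/* Model of enum_name_t: one contiguous range of names plus a link to the
 * previously defined range. `count` is an addition used by range_check(); the
 * real struct has no such field and relies on the macro arguments matching. */
typedef struct name_range_t name_range_t;
struct name_range_t {
	int first;                 /* value of the first string */
	int last;                  /* value of the last string */
	const name_range_t *next;  /* previous range in the chain, NULL at BEGIN */
	size_t count;              /* number of strings actually supplied */
	const char *const *names;  /* names[value - first] */
};

/* Same shape as ENUM_BEGIN/ENUM_NEXT/ENUM_END: each range is named after its
 * `last` value, so `prev` must equal the previous range's `last` to link up. */
#define RANGE_BEGIN(name, first, last, ...) \
	static const char *const name##_##last##_s[] = { __VA_ARGS__ }; \
	static const name_range_t name##_##last = { first, last, NULL, \
		sizeof(name##_##last##_s) / sizeof(*name##_##last##_s), name##_##last##_s }
#define RANGE_NEXT(name, first, last, prev, ...) \
	static const char *const name##_##last##_s[] = { __VA_ARGS__ }; \
	static const name_range_t name##_##last = { first, last, &name##_##prev, \
		sizeof(name##_##last##_s) / sizeof(*name##_##last##_s), name##_##last##_s }
#define RANGE_END(name, prev) static const name_range_t *const name = &name##_##prev

/* Correct chain: the new 8193 value extends the ME_CONNECT_FAILED range and
 * the following range links to the new `last` (constructed sample). */
RANGE_BEGIN(good, UNSUPPORTED_CRITICAL_PAYLOAD, UNSUPPORTED_CRITICAL_PAYLOAD,
	"UNSUPPORTED_CRITICAL_PAYLOAD");
RANGE_NEXT(good, INVALID_IKE_SPI, INVALID_MAJOR_VERSION, UNSUPPORTED_CRITICAL_PAYLOAD,
	"INVALID_IKE_SPI", "INVALID_MAJOR_VERSION");
RANGE_NEXT(good, AUTHENTICATION_FAILED, AUTHENTICATION_FAILED, INVALID_MAJOR_VERSION,
	"AUTHENTICATION_FAILED");
RANGE_NEXT(good, ME_CONNECT_FAILED, MOBIKE_UNSUPPORTED_VERSION, AUTHENTICATION_FAILED,
	"ME_CONNECT_FAILED", "MOBIKE_UNSUPPORTED_VERSION");
RANGE_NEXT(good, INITIAL_CONTACT, SET_WINDOW_SIZE, MOBIKE_UNSUPPORTED_VERSION,
	"INITIAL_CONTACT", "SET_WINDOW_SIZE");
RANGE_END(good, SET_WINDOW_SIZE);

/* Broken chain (constructed): `last` was bumped to 8193 but no string was
 * added, so names[] has one entry for a two-value range. */
RANGE_BEGIN(bad, ME_CONNECT_FAILED, MOBIKE_UNSUPPORTED_VERSION, "ME_CONNECT_FAILED");
RANGE_NEXT(bad, INITIAL_CONTACT, SET_WINDOW_SIZE, MOBIKE_UNSUPPORTED_VERSION,
	"INITIAL_CONTACT", "SET_WINDOW_SIZE");
RANGE_END(bad, SET_WINDOW_SIZE);

/* Resolve a value by walking the chain from the END pointer back to BEGIN.
 * Returns NULL when no range covers the value. */
const char *range_name(const name_range_t *r, int value)
{
	for (; r; r = r->next) {
		if (value >= r->first && value <= r->last) {
			return r->names[value - r->first];
		}
	}
	return NULL;
}

/* Consistency check: every range must hold exactly last-first+1 strings, and
 * ranges must descend without overlap along the chain. Returns the `first`
 * value of the offending range, or 0 when the chain is sound. */
int range_check(const name_range_t *r)
{
	int upper = INT_MAX;  /* every range must lie strictly below the one after it */
	for (; r; r = r->next) {
		if (r->first > r->last || r->last >= upper ||
			r->count != (size_t)(r->last - r->first + 1)) {
			return r->first;
		}
		upper = r->first;
	}
	return 0;
}

int main(void)
{
	printf("%d -> %s\n", MOBIKE_UNSUPPORTED_VERSION,
		   range_name(good, MOBIKE_UNSUPPORTED_VERSION));
	printf("good chain: %d, bad chain: %d (0 means sound)\n",
		   range_check(good), range_check(bad));
	return 0;
}
```

Run with `cc -std=c99 -Wall example.c && ./a.out`. The check is cheap enough to run once at start-up or in a unit test; a notify name that prints wrongly is easy to miss in a log but can send an incident investigation in the wrong direction, which is exactly why the post insists that the long and short name tables be edited together.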

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev