pana_paa_factory.cxx

Diameter协议栈

   if (ipId == NULL) {
       throw (PANA_Exception(PANA_Exception::INVALID_MESSAGE, 
              "PDI has no IP address assigned to packet"));
   }

   AAA_StringAvpContainerWidget NotificationAvp(msg.avpList());
   diameter_octetstring_t *note = NotificationAvp.GetAvp
       (PANA_AVPNAME_NOTIFICATION);
   if (note) {
       ACE_DEBUG((LM_INFO, "(%P|%t) NOTIFICATION: %s\n",
           note->data()));
   }
    
   ACE_INET_Addr addr;
   PANA_DeviceIdConverter::FormatToAddr(*ipId, addr);
   addr.set_port_number(msg.srcPort());
   PacFound(addr);
   delete &msg;
}

void PANA_PaaSessionFactory::StatelessTxPSR(ACE_INET_Addr &addr)
{
   /*
    7.2  PANA-Start-Request (PSR)

     The PANA-Start-Request (PSR) message is sent by the PAA to the PaC to
     advertise availability of the PAA and start PANA authentication.  The
     PAA sets the sequence number to an initial random value.

      PANA-Start-Request ::= < PANA-Header: 2, REQ [,SEP] >
                             [ Nonce ]
                             [ Cookie ]
                             [ EAP-Payload ]
                             [ NAP-Information ]
                          *  [ ISP-Information ]
                             [ Protection-Capability]
                             [ PPAC ]
                             [ Notification ]
                          *  [ AVP ]
    */
    boost::shared_ptr<PANA_Message> msg(new PANA_Message);

    // Populate header
    msg->type() = PANA_MTYPE_PSR;
    msg->seq() = PANA_SerialNumber::GenerateISN();
    msg->flags().request = true;
    msg->flags().separate = PANA_CFG_GENERAL().m_SeparateAuth;

    // add cookie
    diameter_octetstring_t cookie;
    diameter_address_t id;
    PANA_AddrConverter::ToAAAAddress(addr, id);
    PANA_COOKIE_GENERATE(id.value, cookie);
    AAA_StringAvpWidget cookieAvp(PANA_AVPNAME_COOKIE);
    cookieAvp.Get().assign(cookie.data(), cookie.size());
    msg->avpList().add(cookieAvp());

    // add ppac
    if (PANA_CFG_GENERAL().m_PPAC() > 0) {
        AAA_UInt32AvpWidget ppacAvp(PANA_AVPNAME_PPAC);
        ppacAvp.Get() = ACE_HTONL(PANA_CFG_GENERAL().m_PPAC());
        msg->avpList().add(ppacAvp());
    }

    // add protection capability
    if (m_Flags.i.CarryPcapInPSR) {
        AAA_UInt32AvpWidget pcapAvp(PANA_AVPNAME_PROTECTIONCAP);
        pcapAvp.Get() = ACE_HTONL(PANA_CFG_GENERAL().m_ProtectionCap);
        msg->avpList().add(pcapAvp());
    }
    
    // add nap information
    if (PANA_CFG_PAA().m_NapInfo.m_Id > 0) {
        AAA_GroupedAvpWidget napAvp(PANA_AVPNAME_NAPINFO);
        PANA_ProviderInfoTool infoTool;
        infoTool.Add(napAvp.Get(), PANA_CFG_PAA().m_NapInfo);
        msg->avpList().add(napAvp());
    }

    // add ISP information
    if (! PANA_CFG_PAA().m_IspInfo.empty()) {
        PANA_CfgProviderList::iterator i;
        AAA_GroupedAvpWidget ispAvp(PANA_AVPNAME_ISPINFO);
        for (i = PANA_CFG_PAA().m_IspInfo.begin();
             i != PANA_CFG_PAA().m_IspInfo.end();
             i++) {
            PANA_ProviderInfoTool infoTool;
            infoTool.Add(ispAvp.Get(), *(*i));
        }
        msg->avpList().add(ispAvp());
    }

   /*
     Protection-Capability and Post-PANA-Address-Configuration AVPs MAY be
     optionally included in the PANA-Start-Request in order to indicate
     required and available capabilities for the network access.  These
     AVPs MAY be used by the PaC for assessing the capability match even
     before the authentication takes place.  But these AVPs are provided
     during the insecure discovery phase, there are certain security risks
     involved in using the provided information.  See Section 9 for
     further discussion on this.

     ...
     ...

     In networks where lower-layers are not secured prior to running PANA,
     the capability discovery enabled through inclusion of
     Protection-Capability and Post-PANA-Address-Configuration AVPs in a
     PANA-Start-Request message is susceptible to spoofing leading to
     denial-of service attacks.  Therefore, usage of these AVPs during the
     discovery and initial handshake phase in such insecure networks is
     NOT RECOMMENDED.  The same AVPs are delivered via an
     integrity-protected PANA-Bind-Request upon successful authentication.
    */

    PANA_DeviceId ipId;
    PANA_DeviceIdConverter::PopulateFromAddr(addr, ipId);
    msg->srcDevices().clone(ipId);
    msg->srcPort() = addr.get_port_number();

    ACE_DEBUG((LM_INFO, "(%P|%t) TxPSR: Stateless, S-flag=%d, seq=%d\n",
               msg->flags().separate, msg->seq()));

    m_UdpChannel.Send(msg);
}

void PANA_PaaSessionFactory::StatelessRxPSA(PANA_Message &msg)
{
    /*
     7.3  PANA-Start-Answer (PSA)

      The PANA-Start-Answer (PSA) message is sent by the PaC to the PAA in
      response to a PANA-Start-Request message.  This message completes the
      handshake to start PANA authentication.

      PANA-Start-Answer ::= < PANA-Header: 2 [,SEP] >
                            [ Nonce ]
                            [ Cookie ]
                            [ EAP-Payload ]
                            [ ISP-Information ]
                            [ Notification ]
                         *  [ AVP ]
    */

   ACE_DEBUG((LM_INFO, "(%P|%t) RxPSA: Stateless, S-flag %d, seq=%d\n",
                       msg.flags().separate, msg.seq()));

   PANA_DeviceId *ipId = PANA_DeviceIdConverter::GetIpOnlyAddress
                              (msg.srcDevices(),
                               (bool)PANA_CFG_GENERAL().m_IPv6Enabled);
   if (ipId == NULL) {
       throw (PANA_Exception(PANA_Exception::INVALID_MESSAGE, 
              "Cannot determine the device ID of peer"));
   }

   //////////////////////////////////////////////////////////////////
   // - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   // - - - - - - - (PSA processing without mobility support) - - - -
   // Rx:PSA &&                if (SEPARATE==Set &&       WAIT_EAP_MSG
   // USE_COOKIE==Set &&           PSA.S_flag==0)
   // (!PSA.exist_avp            SEPARATE=Unset;
   //   ("Session-Id") ||      EAP_Restart();
   //  MOBILITY==Unset ||
   //  (MOBILITY==Set &&
   //  !retrieve_pana_sa
   //    (PSA.SESSION_ID)))

   // first level validation
   if (! ValidateCookie(msg)) {
      throw (PANA_Exception(PANA_Exception::NO_MEMORY, 
                           "PSA received with invalid cookie"));
   }

   PANA_PaaSession *session = Create();
   if (session == NULL) {
      throw (PANA_Exception(PANA_Exception::NO_MEMORY, 
                           "Failed to auth agent session"));
   }
   ACE_DEBUG((LM_INFO, "(%P|%t) New session created [stateless discovery]\n"));  

   // save address of PaC       
   session->m_PAA.PacDeviceId() = *ipId;
   PANA_DeviceIdConverter::FormatToAddr(*ipId, 
       session->m_PAA.PacIpAddress());
   session->m_PAA.PacIpAddress().set_port_number(msg.srcPort());

   // save initial seq number
   session->m_PAA.LastTxSeqNum() = msg.seq();

   // add to session database permanently
   PANA_SESSIONDB_ADD(session->SessionId(), *session);
   session->Receive(msg);
}

bool PANA_PaaSessionFactory::ValidateCookie(PANA_Message &msg)
{
   AAA_StringAvpContainerWidget cookieAvp(msg.avpList());
   diameter_octetstring_t *cookie = cookieAvp.GetAvp(PANA_AVPNAME_COOKIE);
   if (cookie) {
       PANA_DeviceId *ipId = PANA_DeviceIdConverter::GetIpOnlyAddress
           (msg.srcDevices(), (bool)PANA_CFG_GENERAL().m_IPv6Enabled);

       ACE_DEBUG((LM_INFO, "(%P|%t) Validating cookie\n"));

       return PANA_COOKIE_VERIFY(ipId->value, *cookie);
   }
   return (true);
}