summaryrefslogtreecommitdiff
path: root/src/charon/sa/tasks
diff options
context:
space:
mode:
authorRene Mayrhofer <rene@mayrhofer.eu.org>2008-10-29 20:30:44 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2008-10-29 20:30:44 +0000
commit74f0bbfc53cb5fa519e4e27ece53735ab51b397c (patch)
tree0dbab9c835be15577ff05b474b6361bb326d66ce /src/charon/sa/tasks
parent5c1fa2516bda1ccf8eb00178c0beb196c2020a94 (diff)
downloadvyos-strongswan-74f0bbfc53cb5fa519e4e27ece53735ab51b397c.tar.gz
vyos-strongswan-74f0bbfc53cb5fa519e4e27ece53735ab51b397c.zip
- New upstream release.
Diffstat (limited to 'src/charon/sa/tasks')
-rw-r--r--src/charon/sa/tasks/child_create.c187
-rw-r--r--src/charon/sa/tasks/child_delete.c48
-rw-r--r--src/charon/sa/tasks/ike_auth.c131
-rw-r--r--src/charon/sa/tasks/ike_cert_post.c9
-rw-r--r--src/charon/sa/tasks/ike_cert_pre.c43
-rw-r--r--src/charon/sa/tasks/ike_config.c7
-rw-r--r--src/charon/sa/tasks/ike_delete.c35
-rw-r--r--src/charon/sa/tasks/ike_init.c38
-rw-r--r--src/charon/sa/tasks/ike_me.c18
-rw-r--r--src/charon/sa/tasks/ike_mobike.c73
-rw-r--r--src/charon/sa/tasks/ike_mobike.h7
-rw-r--r--src/charon/sa/tasks/ike_natd.c45
-rw-r--r--src/charon/sa/tasks/ike_natd.h11
-rw-r--r--src/charon/sa/tasks/ike_reauth.c5
-rw-r--r--src/charon/sa/tasks/ike_rekey.c22
15 files changed, 503 insertions, 176 deletions
diff --git a/src/charon/sa/tasks/child_create.c b/src/charon/sa/tasks/child_create.c
index 4638da03e..bddca621b 100644
--- a/src/charon/sa/tasks/child_create.c
+++ b/src/charon/sa/tasks/child_create.c
@@ -14,7 +14,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: child_create.c 3920 2008-05-08 16:19:11Z tobias $
+ * $Id: child_create.c 4358 2008-09-25 13:56:23Z tobias $
*/
#include "child_create.h"
@@ -26,6 +26,7 @@
#include <encoding/payloads/ts_payload.h>
#include <encoding/payloads/nonce_payload.h>
#include <encoding/payloads/notify_payload.h>
+#include <processing/jobs/delete_ike_sa_job.h>
typedef struct private_child_create_t private_child_create_t;
@@ -98,7 +99,7 @@ struct private_child_create_t {
/**
* mode the new CHILD_SA uses (transport/tunnel/beet)
*/
- mode_t mode;
+ ipsec_mode_t mode;
/**
* IPComp transform to use
@@ -198,12 +199,12 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
if (this->proposals == NULL)
{
- SIG(CHILD_UP_FAILED, "SA payload missing in message");
+ SIG_CHD(UP_FAILED, this->child_sa, "SA payload missing in message");
return FAILED;
}
if (this->tsi == NULL || this->tsr == NULL)
{
- SIG(CHILD_UP_FAILED, "TS payloads missing in message");
+ SIG_CHD(UP_FAILED, this->child_sa, "TS payloads missing in message");
return NOT_FOUND;
}
@@ -231,7 +232,7 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
no_dh);
if (this->proposal == NULL)
{
- SIG(CHILD_UP_FAILED, "no acceptable proposal found");
+ SIG_CHD(UP_FAILED, this->child_sa, "no acceptable proposal found");
return FAILED;
}
@@ -242,15 +243,15 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
if (this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP,
&group, NULL))
{
- SIG(CHILD_UP_FAILED, "DH group %N inacceptable, requesting %N",
- diffie_hellman_group_names, this->dh_group,
- diffie_hellman_group_names, group);
+ SIG_CHD(UP_FAILED, this->child_sa, "DH group %N inacceptable, "
+ "requesting %N", diffie_hellman_group_names, this->dh_group,
+ diffie_hellman_group_names, group);
this->dh_group = group;
return INVALID_ARG;
}
else
{
- SIG(CHILD_UP_FAILED, "no acceptable proposal found");
+ SIG_CHD(UP_FAILED, this->child_sa, "no acceptable proposal found");
return FAILED;
}
}
@@ -278,7 +279,7 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
{
my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
- SIG(CHILD_UP_FAILED, "no acceptable traffic selectors found");
+ SIG_CHD(UP_FAILED, this->child_sa, "no acceptable traffic selectors found");
return NOT_FOUND;
}
@@ -330,7 +331,7 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
{
if (this->dh->get_shared_secret(this->dh, &secret) != SUCCESS)
{
- SIG(CHILD_UP_FAILED, "DH exchange incomplete");
+ SIG_CHD(UP_FAILED, this->child_sa, "DH exchange incomplete");
return FAILED;
}
DBG3(DBG_IKE, "DH secret %B", &secret);
@@ -340,7 +341,6 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
{
seed = chunk_cata("cc", nonce_i, nonce_r);
}
- prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed);
if (this->ipcomp != IPCOMP_NONE)
{
@@ -348,6 +348,16 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
this->other_cpi);
}
+ status = this->child_sa->add_policies(this->child_sa, my_ts, other_ts,
+ this->mode, this->proposal->get_protocol(this->proposal));
+ if (status != SUCCESS)
+ {
+ SIG_CHD(UP_FAILED, this->child_sa,
+ "unable to install IPsec policies (SPD) in kernel");
+ return NOT_FOUND;
+ }
+
+ prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed);
if (this->initiator)
{
status = this->child_sa->update(this->child_sa, this->proposal,
@@ -362,18 +372,10 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
if (status != SUCCESS)
{
- SIG(CHILD_UP_FAILED, "unable to install IPsec SA (SAD) in kernel");
+ SIG_CHD(UP_FAILED, this->child_sa,
+ "unable to install IPsec SA (SAD) in kernel");
return FAILED;
}
-
- status = this->child_sa->add_policies(this->child_sa, my_ts, other_ts,
- this->mode);
-
- if (status != SUCCESS)
- {
- SIG(CHILD_UP_FAILED, "unable to install IPsec policies (SPD) in kernel");
- return NOT_FOUND;
- }
/* add to IKE_SA, and remove from task */
this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
@@ -440,29 +442,30 @@ static void build_payloads(private_child_create_t *this, message_t *message)
/**
* Adds an IPCOMP_SUPPORTED notify to the message, if possible
*/
-static void build_ipcomp_supported_notify(private_child_create_t *this, message_t *message)
+static void build_ipcomp_supported_notify(private_child_create_t *this,
+ message_t *message)
{
+ u_int16_t cpi;
+ u_int8_t tid;
+
if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
{
- DBG1(DBG_IKE, "IPComp is not supported if either peer is natted, IPComp is disabled");
+ DBG1(DBG_IKE, "IPComp is not supported if either peer is natted, "
+ "IPComp disabled");
this->ipcomp = IPCOMP_NONE;
return;
}
- u_int16_t cpi = this->child_sa->get_my_cpi(this->child_sa);
+ cpi = this->child_sa->allocate_cpi(this->child_sa);
+ tid = this->ipcomp;
if (cpi)
{
- chunk_t cpi_chunk, tid_chunk, data;
- u_int8_t tid = this->ipcomp;
- cpi_chunk = chunk_from_thing(cpi);
- tid_chunk = chunk_from_thing(tid);
- data = chunk_cat("cc", cpi_chunk, tid_chunk);
- message->add_notify(message, FALSE, IPCOMP_SUPPORTED, data);
- chunk_free(&data);
+ message->add_notify(message, FALSE, IPCOMP_SUPPORTED,
+ chunk_cata("cc", chunk_from_thing(cpi), chunk_from_thing(tid)));
}
else
{
- DBG1(DBG_IKE, "unable to allocate a CPI from kernel, IPComp is disabled");
+ DBG1(DBG_IKE, "unable to allocate a CPI from kernel, IPComp disabled");
this->ipcomp = IPCOMP_NONE;
}
}
@@ -587,7 +590,16 @@ static status_t build_i(private_child_create_t *this, message_t *message)
break;
}
- SIG(CHILD_UP_START, "establishing CHILD_SA");
+ if (this->reqid)
+ {
+ SIG_CHD(UP_START, NULL, "establishing CHILD_SA %s{%d}",
+ this->config->get_name(this->config), this->reqid);
+ }
+ else
+ {
+ SIG_CHD(UP_START, NULL, "establishing CHILD_SA %s",
+ this->config->get_name(this->config));
+ }
/* reuse virtual IP if we already have one */
me = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
@@ -638,7 +650,8 @@ static status_t build_i(private_child_create_t *this, message_t *message)
if (this->child_sa->alloc(this->child_sa, this->proposals) != SUCCESS)
{
- SIG(CHILD_UP_FAILED, "unable to allocate SPIs from kernel");
+ SIG_CHD(UP_FAILED, this->child_sa,
+ "unable to allocate SPIs from kernel");
return FAILED;
}
@@ -720,10 +733,31 @@ static status_t process_r(private_child_create_t *this, message_t *message)
}
/**
+ * handle CHILD_SA setup failure
+ */
+static void handle_child_sa_failure(private_child_create_t *this,
+ message_t *message)
+{
+ if (message->get_exchange_type(message) == IKE_AUTH &&
+ lib->settings->get_bool(lib->settings,
+ "charon.close_ike_on_child_failure", FALSE))
+ {
+ /* we delay the delete for 100ms, as the IKE_AUTH response must arrive
+ * first */
+ DBG1(DBG_IKE, "closing IKE_SA due CHILD_SA setup failure");
+ charon->scheduler->schedule_job(charon->scheduler, (job_t*)
+ delete_ike_sa_job_create(this->ike_sa->get_id(this->ike_sa), TRUE),
+ 100);
+ }
+}
+
+/**
* Implementation of task_t.build for responder
*/
static status_t build_r(private_child_create_t *this, message_t *message)
{
+ payload_t *payload;
+ iterator_t *iterator;
bool no_dh = TRUE;
switch (message->get_exchange_type(message))
@@ -733,7 +767,8 @@ static status_t build_r(private_child_create_t *this, message_t *message)
case CREATE_CHILD_SA:
if (generate_nonce(&this->my_nonce) != SUCCESS)
{
- message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
+ message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN,
+ chunk_empty);
return SUCCESS;
}
no_dh = FALSE;
@@ -750,19 +785,47 @@ static status_t build_r(private_child_create_t *this, message_t *message)
if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING)
{
- SIG(CHILD_UP_FAILED, "unable to create CHILD_SA while rekeying IKE_SA");
+ SIG_CHD(UP_FAILED, NULL,
+ "unable to create CHILD_SA while rekeying IKE_SA");
message->add_notify(message, TRUE, NO_ADDITIONAL_SAS, chunk_empty);
return SUCCESS;
}
if (this->config == NULL)
{
- SIG(CHILD_UP_FAILED, "traffic selectors %#R=== %#R inacceptable",
+ SIG_CHD(UP_FAILED, NULL, "traffic selectors %#R=== %#R inacceptable",
this->tsr, this->tsi);
message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty);
+ handle_child_sa_failure(this, message);
return SUCCESS;
}
+ /* check if ike_config_t included non-critical error notifies */
+ iterator = message->get_payload_iterator(message);
+ while (iterator->iterate(iterator, (void**)&payload))
+ {
+ if (payload->get_type(payload) == NOTIFY)
+ {
+ notify_payload_t *notify = (notify_payload_t*)payload;
+
+ switch (notify->get_notify_type(notify))
+ {
+ case INTERNAL_ADDRESS_FAILURE:
+ case FAILED_CP_REQUIRED:
+ {
+ SIG_CHD(UP_FAILED, NULL, "configuration payload negotation "
+ "failed, no CHILD_SA built");
+ iterator->destroy(iterator);
+ handle_child_sa_failure(this, message);
+ return SUCCESS;
+ }
+ default:
+ break;
+ }
+ }
+ }
+ iterator->destroy(iterator);
+
this->child_sa = child_sa_create(
this->ike_sa->get_my_host(this->ike_sa),
this->ike_sa->get_other_host(this->ike_sa),
@@ -770,14 +833,16 @@ static status_t build_r(private_child_create_t *this, message_t *message)
this->ike_sa->get_other_id(this->ike_sa), this->config, this->reqid,
this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
- if (this->config->use_ipcomp(this->config) && this->ipcomp_received != IPCOMP_NONE)
+ if (this->config->use_ipcomp(this->config) &&
+ this->ipcomp_received != IPCOMP_NONE)
{
this->ipcomp = this->ipcomp_received;
build_ipcomp_supported_notify(this, message);
}
else if (this->ipcomp_received != IPCOMP_NONE)
{
- DBG1(DBG_IKE, "received IPCOMP_SUPPORTED notify but IPComp is disabled, ignoring");
+ DBG1(DBG_IKE, "received %N notify but IPComp is disabled, ignoring",
+ notify_type_names, IPCOMP_SUPPORTED);
}
switch (select_and_install(this, no_dh))
@@ -786,24 +851,33 @@ static status_t build_r(private_child_create_t *this, message_t *message)
break;
case NOT_FOUND:
message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty);
+ handle_child_sa_failure(this, message);
return SUCCESS;
case INVALID_ARG:
{
u_int16_t group = htons(this->dh_group);
message->add_notify(message, FALSE, INVALID_KE_PAYLOAD,
chunk_from_thing(group));
+ handle_child_sa_failure(this, message);
return SUCCESS;
}
case FAILED:
default:
message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
+ handle_child_sa_failure(this, message);
return SUCCESS;
}
build_payloads(this, message);
- SIG(CHILD_UP_SUCCESS, "CHILD_SA '%s' established successfully",
- this->child_sa->get_name(this->child_sa));
+ SIG_CHD(UP_SUCCESS, this->child_sa, "CHILD_SA %s{%d} established "
+ "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
+ this->child_sa->get_name(this->child_sa),
+ this->child_sa->get_reqid(this->child_sa),
+ ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
+ ntohl(this->child_sa->get_spi(this->child_sa, FALSE)),
+ this->child_sa->get_traffic_selectors(this->child_sa, TRUE),
+ this->child_sa->get_traffic_selectors(this->child_sa, FALSE));
return SUCCESS;
}
@@ -855,9 +929,10 @@ static status_t process_i(private_child_create_t *this, message_t *message)
case TS_UNACCEPTABLE:
case INVALID_SELECTORS:
{
- SIG(CHILD_UP_FAILED, "received %N notify, no CHILD_SA built",
- notify_type_names, type);
+ SIG_CHD(UP_FAILED, this->child_sa, "received %N notify, "
+ "no CHILD_SA built", notify_type_names, type);
iterator->destroy(iterator);
+ handle_child_sa_failure(this, message);
/* an error in CHILD_SA creation is not critical */
return SUCCESS;
}
@@ -888,8 +963,9 @@ static status_t process_i(private_child_create_t *this, message_t *message)
if (this->ipcomp == IPCOMP_NONE && this->ipcomp_received != IPCOMP_NONE)
{
- SIG(CHILD_UP_FAILED, "received an IPCOMP_SUPPORTED notify but we did not "
- "send one previously, no CHILD_SA built");
+ SIG_CHD(UP_FAILED, this->child_sa, "received an IPCOMP_SUPPORTED notify"
+ " but we did not send one previously, no CHILD_SA built");
+ handle_child_sa_failure(this, message);
return SUCCESS;
}
else if (this->ipcomp != IPCOMP_NONE && this->ipcomp_received == IPCOMP_NONE)
@@ -900,15 +976,26 @@ static status_t process_i(private_child_create_t *this, message_t *message)
}
else if (this->ipcomp != IPCOMP_NONE && this->ipcomp != this->ipcomp_received)
{
- SIG(CHILD_UP_FAILED, "received an IPCOMP_SUPPORTED notify for a transform "
- "we did not propose, no CHILD_SA built");
+ SIG_CHD(UP_FAILED, this->child_sa, "received an IPCOMP_SUPPORTED notify"
+ " for a transform we did not propose, no CHILD_SA built");
+ handle_child_sa_failure(this, message);
return SUCCESS;
}
if (select_and_install(this, no_dh) == SUCCESS)
{
- SIG(CHILD_UP_SUCCESS, "CHILD_SA '%s' established successfully",
- this->child_sa->get_name(this->child_sa));
+ SIG_CHD(UP_SUCCESS, this->child_sa, "CHILD_SA %s{%d} established "
+ "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
+ this->child_sa->get_name(this->child_sa),
+ this->child_sa->get_reqid(this->child_sa),
+ ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
+ ntohl(this->child_sa->get_spi(this->child_sa, FALSE)),
+ this->child_sa->get_traffic_selectors(this->child_sa, TRUE),
+ this->child_sa->get_traffic_selectors(this->child_sa, FALSE));
+ }
+ else
+ {
+ handle_child_sa_failure(this, message);
}
return SUCCESS;
}
diff --git a/src/charon/sa/tasks/child_delete.c b/src/charon/sa/tasks/child_delete.c
index 4156f9704..a3c74dc90 100644
--- a/src/charon/sa/tasks/child_delete.c
+++ b/src/charon/sa/tasks/child_delete.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: child_delete.c 3802 2008-04-14 08:17:18Z martin $
+ * $Id: child_delete.c 4366 2008-10-03 16:01:14Z martin $
*/
#include "child_delete.h"
@@ -44,6 +44,11 @@ struct private_child_delete_t {
bool initiator;
/**
+ * wheter to enforce delete action policy
+ */
+ bool check_delete_action;
+
+ /**
* CHILD_SAs which get deleted
*/
linked_list_t *child_sas;
@@ -54,16 +59,17 @@ struct private_child_delete_t {
*/
static void build_payloads(private_child_delete_t *this, message_t *message)
{
- iterator_t *iterator;
delete_payload_t *ah = NULL, *esp = NULL;
- u_int32_t spi;
+ iterator_t *iterator;
child_sa_t *child_sa;
iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
while (iterator->iterate(iterator, (void**)&child_sa))
{
- spi = child_sa->get_spi(child_sa, TRUE);
- switch (child_sa->get_protocol(child_sa))
+ protocol_id_t protocol = child_sa->get_protocol(child_sa);
+ u_int32_t spi = child_sa->get_spi(child_sa, TRUE);
+
+ switch (protocol)
{
case PROTO_ESP:
if (esp == NULL)
@@ -72,6 +78,8 @@ static void build_payloads(private_child_delete_t *this, message_t *message)
message->add_payload(message, (payload_t*)esp);
}
esp->add_spi(esp, spi);
+ DBG1(DBG_IKE, "sending DELETE for %N CHILD_SA with SPI %.8x",
+ protocol_id_names, protocol, ntohl(spi));
break;
case PROTO_AH:
if (ah == NULL)
@@ -80,6 +88,8 @@ static void build_payloads(private_child_delete_t *this, message_t *message)
message->add_payload(message, (payload_t*)ah);
}
ah->add_spi(ah, spi);
+ DBG1(DBG_IKE, "sending DELETE for %N CHILD_SA with SPI %.8x",
+ protocol_id_names, protocol, ntohl(spi));
break;
default:
break;
@@ -119,11 +129,11 @@ static void process_payloads(private_child_delete_t *this, message_t *message)
*spi, FALSE);
if (child_sa == NULL)
{
- DBG1(DBG_IKE, "received DELETE for %N CHILD_SA with SPI 0x%x, "
+ DBG1(DBG_IKE, "received DELETE for %N CHILD_SA with SPI %.8x, "
"but no such SA", protocol_id_names, protocol, ntohl(*spi));
continue;
}
- DBG2(DBG_IKE, "received DELETE for %N CHILD_SA with SPI 0x%x",
+ DBG1(DBG_IKE, "received DELETE for %N CHILD_SA with SPI %.8x",
protocol_id_names, protocol, ntohl(*spi));
switch (child_sa->get_state(child_sa))
@@ -139,6 +149,11 @@ static void process_payloads(private_child_delete_t *this, message_t *message)
protocol, *spi);
continue;
}
+ case CHILD_INSTALLED:
+ if (!this->initiator)
+ { /* reestablish installed children if required */
+ this->check_delete_action = TRUE;
+ }
default:
break;
}
@@ -171,7 +186,7 @@ static status_t destroy_and_reestablish(private_child_delete_t *this)
child_cfg = child_sa->get_config(child_sa);
child_cfg->get_ref(child_cfg);
this->ike_sa->destroy_child_sa(this->ike_sa, protocol, spi);
- if (!this->initiator)
+ if (this->check_delete_action)
{ /* enforce child_cfg policy if deleted passively */
switch (child_cfg->get_close_action(child_cfg))
{
@@ -207,9 +222,14 @@ static void log_children(private_child_delete_t *this)
iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
while (iterator->iterate(iterator, (void**)&child_sa))
{
- SIG(CHILD_DOWN_START, "closing CHILD_SA %#R=== %#R",
- child_sa->get_traffic_selectors(child_sa, TRUE),
- child_sa->get_traffic_selectors(child_sa, FALSE));
+ SIG_CHD(DOWN_START, child_sa, "closing CHILD_SA %s{%d} "
+ "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
+ child_sa->get_name(child_sa),
+ child_sa->get_reqid(child_sa),
+ ntohl(child_sa->get_spi(child_sa, TRUE)),
+ ntohl(child_sa->get_spi(child_sa, FALSE)),
+ child_sa->get_traffic_selectors(child_sa, TRUE),
+ child_sa->get_traffic_selectors(child_sa, FALSE));
}
iterator->destroy(iterator);
}
@@ -234,7 +254,7 @@ static status_t process_i(private_child_delete_t *this, message_t *message)
this->child_sas = linked_list_create();
process_payloads(this, message);
- SIG(CHILD_DOWN_SUCCESS, "CHILD_SA closed");
+ SIG_CHD(DOWN_SUCCESS, NULL, "CHILD_SA closed");
return destroy_and_reestablish(this);
}
@@ -258,7 +278,7 @@ static status_t build_r(private_child_delete_t *this, message_t *message)
{
build_payloads(this, message);
}
- SIG(CHILD_DOWN_SUCCESS, "CHILD_SA closed");
+ SIG_CHD(DOWN_SUCCESS, NULL, "CHILD_SA closed");
return destroy_and_reestablish(this);
}
@@ -285,6 +305,7 @@ static child_sa_t* get_child(private_child_delete_t *this)
*/
static void migrate(private_child_delete_t *this, ike_sa_t *ike_sa)
{
+ this->check_delete_action = FALSE;
this->ike_sa = ike_sa;
this->child_sas->destroy(this->child_sas);
@@ -313,6 +334,7 @@ child_delete_t *child_delete_create(ike_sa_t *ike_sa, child_sa_t *child_sa)
this->public.task.destroy = (void(*)(task_t*))destroy;
this->ike_sa = ike_sa;
+ this->check_delete_action = FALSE;
this->child_sas = linked_list_create();
if (child_sa != NULL)
diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c
index fd5012ee6..51f37f1b0 100644
--- a/src/charon/sa/tasks/ike_auth.c
+++ b/src/charon/sa/tasks/ike_auth.c
@@ -13,7 +13,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details
*
- * $Id: ike_auth.c 4051 2008-06-10 09:08:27Z tobias $
+ * $Id: ike_auth.c 4276 2008-08-22 10:44:51Z martin $
*/
#include "ike_auth.h"
@@ -29,7 +29,6 @@
#include <sa/authenticators/eap_authenticator.h>
-
typedef struct private_ike_auth_t private_ike_auth_t;
/**
@@ -151,6 +150,44 @@ static bool check_uniqueness(private_ike_auth_t *this)
}
/**
+ * get the authentication class of a config
+ */
+auth_class_t get_auth_class(peer_cfg_t *config)
+{
+ auth_class_t *class;
+ auth_info_t *auth_info;
+
+ auth_info = config->get_auth(config);
+ if (auth_info->get_item(auth_info, AUTHN_AUTH_CLASS, (void**)&class))
+ {
+ return *class;
+ }
+ /* fallback to pubkey authentication */
+ return AUTH_CLASS_PUBKEY;
+}
+
+/**
+ * get the eap type/vendor
+ */
+static eap_type_t get_eap_type(peer_cfg_t *config, u_int32_t *vendor)
+{
+ auth_info_t *auth_info;
+ u_int *ptr;
+
+ *vendor = 0;
+ auth_info = config->get_auth(config);
+ if (auth_info->get_item(auth_info, AUTHN_EAP_VENDOR, (void**)&ptr))
+ {
+ *vendor = *ptr;
+ }
+ if (auth_info->get_item(auth_info, AUTHN_EAP_TYPE, (void**)&ptr))
+ {
+ return *ptr;
+ }
+ return EAP_NAK;
+}
+
+/**
* build the AUTH payload
*/
static status_t build_auth(private_ike_auth_t *this, message_t *message)
@@ -158,23 +195,21 @@ static status_t build_auth(private_ike_auth_t *this, message_t *message)
authenticator_t *auth;
auth_payload_t *auth_payload;
peer_cfg_t *config;
- config_auth_method_t method;
status_t status;
/* create own authenticator and add auth payload */
config = this->ike_sa->get_peer_cfg(this->ike_sa);
if (!config)
{
- SIG(IKE_UP_FAILED, "unable to authenticate, no peer config found");
+ SIG_IKE(UP_FAILED, "unable to authenticate, no peer config found");
return FAILED;
}
- method = config->get_auth_method(config);
- auth = authenticator_create(this->ike_sa, method);
+ auth = authenticator_create_from_class(this->ike_sa, get_auth_class(config));
if (auth == NULL)
{
- SIG(IKE_UP_FAILED, "configured authentication method %N not supported",
- config_auth_method_names, method);
+ SIG_IKE(UP_FAILED, "configured authentication class %N not supported",
+ auth_class_names, get_auth_class(config));
return FAILED;
}
@@ -183,7 +218,7 @@ static status_t build_auth(private_ike_auth_t *this, message_t *message)
auth->destroy(auth);
if (status != SUCCESS)
{
- SIG(IKE_UP_FAILED, "generating authentication data failed");
+ SIG_IKE(UP_FAILED, "generating authentication data failed");
return FAILED;
}
message->add_payload(message, (payload_t*)auth_payload);
@@ -208,7 +243,7 @@ static status_t build_id(private_ike_auth_t *this, message_t *message)
me = config->get_my_id(config);
if (me->contains_wildcards(me))
{
- SIG(IKE_UP_FAILED, "negotiation of own ID failed");
+ SIG_IKE(UP_FAILED, "negotiation of own ID failed");
return FAILED;
}
this->ike_sa->set_my_id(this->ike_sa, me->clone(me));
@@ -245,11 +280,11 @@ static status_t process_auth(private_ike_auth_t *this, message_t *message)
}
auth_method = auth_payload->get_auth_method(auth_payload);
- auth = authenticator_create_from_auth_payload(this->ike_sa, auth_payload);
-
+ auth = authenticator_create_from_method(this->ike_sa,
+ auth_payload->get_auth_method(auth_payload));
if (auth == NULL)
{
- SIG(IKE_UP_FAILED, "authentication method %N used by '%D' not "
+ SIG_IKE(UP_FAILED, "authentication method %N used by '%D' not "
"supported", auth_method_names, auth_method,
this->ike_sa->get_other_id(this->ike_sa));
return NOT_SUPPORTED;
@@ -259,7 +294,7 @@ static status_t process_auth(private_ike_auth_t *this, message_t *message)
auth->destroy(auth);
if (status != SUCCESS)
{
- SIG(IKE_UP_FAILED, "authentication of '%D' with %N failed",
+ SIG_IKE(UP_FAILED, "authentication of '%D' with %N failed",
this->ike_sa->get_other_id(this->ike_sa),
auth_method_names, auth_method);
return FAILED;
@@ -280,7 +315,7 @@ static status_t process_id(private_ike_auth_t *this, message_t *message)
if ((this->initiator && idr == NULL) || (!this->initiator && idi == NULL))
{
- SIG(IKE_UP_FAILED, "ID payload missing in message");
+ SIG_IKE(UP_FAILED, "ID payload missing in message");
return FAILED;
}
@@ -290,7 +325,7 @@ static status_t process_id(private_ike_auth_t *this, message_t *message)
req = this->ike_sa->get_other_id(this->ike_sa);
if (!id->matches(id, req))
{
- SIG(IKE_UP_FAILED, "peer ID '%D' unacceptable, '%D' required", id, req);
+ SIG_IKE(UP_FAILED, "peer ID '%D' unacceptable, '%D' required", id, req);
id->destroy(id);
return FAILED;
}
@@ -367,7 +402,7 @@ static status_t build_auth_eap(private_ike_auth_t *this, message_t *message)
if (auth->build(auth, this->my_packet->get_data(this->my_packet),
this->other_nonce, &auth_payload) != SUCCESS)
{
- SIG(IKE_UP_FAILED, "generating authentication data failed");
+ SIG_IKE(UP_FAILED, "generating authentication data failed");
if (!this->initiator)
{
message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
@@ -378,12 +413,13 @@ static status_t build_auth_eap(private_ike_auth_t *this, message_t *message)
if (!this->initiator)
{
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
- SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...[%D]%H",
+ SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
this->ike_sa->get_name(this->ike_sa),
+ this->ike_sa->get_unique_id(this->ike_sa),
this->ike_sa->get_my_host(this->ike_sa),
this->ike_sa->get_my_id(this->ike_sa),
- this->ike_sa->get_other_id(this->ike_sa),
- this->ike_sa->get_other_host(this->ike_sa));
+ this->ike_sa->get_other_host(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa));
return SUCCESS;
}
return NEED_MORE;
@@ -412,9 +448,9 @@ static status_t process_auth_eap(private_ike_auth_t *this, message_t *message)
if (!this->peer_authenticated)
{
- SIG(IKE_UP_FAILED, "authentication of '%D' with %N failed",
+ SIG_IKE(UP_FAILED, "authentication of '%D' with %N failed",
this->ike_sa->get_other_id(this->ike_sa),
- auth_method_names, AUTH_EAP);
+ auth_class_names, AUTH_CLASS_EAP);
if (this->initiator)
{
return FAILED;
@@ -424,12 +460,13 @@ static status_t process_auth_eap(private_ike_auth_t *this, message_t *message)
if (this->initiator)
{
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
- SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...[%D]%H",
+ SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
this->ike_sa->get_name(this->ike_sa),
+ this->ike_sa->get_unique_id(this->ike_sa),
this->ike_sa->get_my_host(this->ike_sa),
this->ike_sa->get_my_id(this->ike_sa),
- this->ike_sa->get_other_id(this->ike_sa),
- this->ike_sa->get_other_host(this->ike_sa));
+ this->ike_sa->get_other_host(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa));
return SUCCESS;
}
return NEED_MORE;
@@ -445,7 +482,7 @@ static status_t process_eap_i(private_ike_auth_t *this, message_t *message)
eap = (eap_payload_t*)message->get_payload(message, EXTENSIBLE_AUTHENTICATION);
if (eap == NULL)
{
- SIG(IKE_UP_FAILED, "EAP payload missing");
+ SIG_IKE(UP_FAILED, "EAP payload missing");
return FAILED;
}
switch (this->eap_auth->process(this->eap_auth, eap, &eap))
@@ -461,7 +498,7 @@ static status_t process_eap_i(private_ike_auth_t *this, message_t *message)
return NEED_MORE;
default:
this->eap_payload = NULL;
- SIG(IKE_UP_FAILED, "failed to authenticate against '%D' using EAP",
+ SIG_IKE(UP_FAILED, "failed to authenticate against '%D' using EAP",
this->ike_sa->get_other_id(this->ike_sa));
return FAILED;
}
@@ -496,7 +533,7 @@ static status_t build_eap_r(private_ike_auth_t *this, message_t *message)
if (this->eap_payload == NULL)
{
- SIG(IKE_UP_FAILED, "EAP payload missing");
+ SIG_IKE(UP_FAILED, "EAP payload missing");
return FAILED;
}
@@ -511,9 +548,9 @@ static status_t build_eap_r(private_ike_auth_t *this, message_t *message)
this->public.task.process = (status_t(*)(task_t*,message_t*))process_auth_eap;
break;
default:
- SIG(IKE_UP_FAILED, "authentication of '%D' with %N failed",
+ SIG_IKE(UP_FAILED, "authentication of '%D' with %N failed",
this->ike_sa->get_other_id(this->ike_sa),
- auth_method_names, AUTH_EAP);
+ auth_class_names, AUTH_CLASS_EAP);
status = FAILED;
break;
}
@@ -539,7 +576,7 @@ static status_t build_i(private_ike_auth_t *this, message_t *message)
}
config = this->ike_sa->get_peer_cfg(this->ike_sa);
- if (config->get_auth_method(config) == CONF_AUTH_EAP)
+ if (get_auth_class(config) == AUTH_CLASS_EAP)
{
this->eap_auth = eap_authenticator_create(this->ike_sa);
}
@@ -579,13 +616,14 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
case NOT_FOUND:
/* use EAP if no AUTH payload found */
this->ike_sa->set_condition(this->ike_sa, COND_EAP_AUTHENTICATED, TRUE);
- this->eap_auth = eap_authenticator_create(this->ike_sa);
break;
default:
return NEED_MORE;
}
config = charon->backends->get_peer_cfg(charon->backends,
+ this->ike_sa->get_my_host(this->ike_sa),
+ this->ike_sa->get_other_host(this->ike_sa),
this->ike_sa->get_my_id(this->ike_sa),
this->ike_sa->get_other_id(this->ike_sa),
this->ike_sa->get_other_auth(this->ike_sa));
@@ -594,7 +632,10 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
this->ike_sa->set_peer_cfg(this->ike_sa, config);
config->destroy(config);
}
-
+ if (!this->peer_authenticated)
+ {
+ this->eap_auth = eap_authenticator_create(this->ike_sa);
+ }
return NEED_MORE;
}
@@ -624,7 +665,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
config = this->ike_sa->get_peer_cfg(this->ike_sa);
if (config == NULL)
{
- SIG(IKE_UP_FAILED, "no matching config found for '%D'...'%D'",
+ SIG_IKE(UP_FAILED, "no matching config found for '%D'...'%D'",
this->ike_sa->get_my_id(this->ike_sa),
this->ike_sa->get_other_id(this->ike_sa));
message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
@@ -648,23 +689,24 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
if (this->peer_authenticated)
{
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
- SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...[%D]%H",
+ SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
this->ike_sa->get_name(this->ike_sa),
+ this->ike_sa->get_unique_id(this->ike_sa),
this->ike_sa->get_my_host(this->ike_sa),
this->ike_sa->get_my_id(this->ike_sa),
- this->ike_sa->get_other_id(this->ike_sa),
- this->ike_sa->get_other_host(this->ike_sa));
+ this->ike_sa->get_other_host(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa));
return SUCCESS;
}
/* initiate EAP authenitcation */
- eap_type = config->get_eap_type(config, &eap_vendor);
+ eap_type = get_eap_type(config, &eap_vendor);
status = this->eap_auth->initiate(this->eap_auth, eap_type,
eap_vendor, &eap_payload);
message->add_payload(message, (payload_t*)eap_payload);
if (status != NEED_MORE)
{
- SIG(IKE_UP_FAILED, "unable to initiate EAP authentication");
+ SIG_IKE(UP_FAILED, "unable to initiate EAP authentication");
return FAILED;
}
@@ -724,7 +766,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
{
if (type < 16383)
{
- SIG(IKE_UP_FAILED, "received %N notify error",
+ SIG_IKE(UP_FAILED, "received %N notify error",
notify_type_names, type);
iterator->destroy(iterator);
return FAILED;
@@ -756,17 +798,18 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
auth = this->ike_sa->get_other_auth(this->ike_sa);
if (!auth->complies(auth, config->get_auth(config)))
{
- SIG(IKE_UP_FAILED, "authorization of '%D' for config %s failed",
+ SIG_IKE(UP_FAILED, "authorization of '%D' for config %s failed",
this->ike_sa->get_other_id(this->ike_sa), config->get_name(config));
return FAILED;
}
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
- SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...[%D]%H",
+ SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
this->ike_sa->get_name(this->ike_sa),
+ this->ike_sa->get_unique_id(this->ike_sa),
this->ike_sa->get_my_host(this->ike_sa),
this->ike_sa->get_my_id(this->ike_sa),
- this->ike_sa->get_other_id(this->ike_sa),
- this->ike_sa->get_other_host(this->ike_sa));
+ this->ike_sa->get_other_host(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa));
return SUCCESS;
}
diff --git a/src/charon/sa/tasks/ike_cert_post.c b/src/charon/sa/tasks/ike_cert_post.c
index 184868b28..cb533236e 100644
--- a/src/charon/sa/tasks/ike_cert_post.c
+++ b/src/charon/sa/tasks/ike_cert_post.c
@@ -13,7 +13,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: ike_cert_post.c 4051 2008-06-10 09:08:27Z tobias $
+ * $Id: ike_cert_post.c 4276 2008-08-22 10:44:51Z martin $
*/
#include "ike_cert_post.h"
@@ -98,6 +98,11 @@ static cert_payload_t *build_cert_payload(private_ike_cert_post_t *this, certifi
}
/**
+ * from ike_auth.c
+ */
+auth_class_t get_auth_class(peer_cfg_t *config);
+
+/**
* add certificates to message
*/
static void build_certs(private_ike_cert_post_t *this, message_t *message)
@@ -105,7 +110,7 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message)
peer_cfg_t *peer_cfg;
peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
- if (peer_cfg && peer_cfg->get_auth_method(peer_cfg) == CONF_AUTH_PUBKEY)
+ if (peer_cfg && get_auth_class(peer_cfg) == AUTH_CLASS_PUBKEY)
{
switch (peer_cfg->get_cert_policy(peer_cfg))
{
diff --git a/src/charon/sa/tasks/ike_cert_pre.c b/src/charon/sa/tasks/ike_cert_pre.c
index 3568a214e..353b76a22 100644
--- a/src/charon/sa/tasks/ike_cert_pre.c
+++ b/src/charon/sa/tasks/ike_cert_pre.c
@@ -13,7 +13,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: ike_cert_pre.c 3852 2008-04-18 21:27:08Z andreas $
+ * $Id: ike_cert_pre.c 4285 2008-08-26 05:15:34Z andreas $
*/
#include "ike_cert_pre.h"
@@ -320,11 +320,10 @@ static void add_certreq_payload(message_t *message, certreq_payload_t **reqp,
static void build_certreqs(private_ike_cert_pre_t *this, message_t *message)
{
ike_cfg_t *ike_cfg;
+ peer_cfg_t *peer_cfg;
enumerator_t *enumerator;
certificate_t *cert;
- auth_info_t *auth;
bool restricted = FALSE;
- auth_item_t item;
certreq_payload_t *x509_req = NULL;
ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
@@ -332,19 +331,43 @@ static void build_certreqs(private_ike_cert_pre_t *this, message_t *message)
{
return;
}
- auth = this->ike_sa->get_other_auth(this->ike_sa);
/* check if we require a specific CA for that peer */
- enumerator = auth->create_item_enumerator(auth);
- while (enumerator->enumerate(enumerator, &item, &cert))
+ peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+ if (peer_cfg)
{
- if (item == AUTHN_CA_CERT)
+ void *ptr;
+ identification_t *id;
+ auth_item_t item;
+ auth_info_t *auth = peer_cfg->get_auth(peer_cfg);
+ enumerator_t *auth_enumerator = auth->create_item_enumerator(auth);
+
+ while (auth_enumerator->enumerate(auth_enumerator, &item, &ptr))
{
- restricted = TRUE;
- add_certreq_payload(message, &x509_req, cert);
+ switch (item)
+ {
+ case AUTHZ_CA_CERT:
+ cert = (certificate_t *)ptr;
+ add_certreq_payload(message, &x509_req, cert);
+ restricted = TRUE;
+ break;
+ case AUTHZ_CA_CERT_NAME:
+ id = (identification_t *)ptr;
+ enumerator = charon->credentials->create_cert_enumerator(
+ charon->credentials, CERT_ANY, KEY_ANY, id, TRUE);
+ while (enumerator->enumerate(enumerator, &cert, TRUE))
+ {
+ add_certreq_payload(message, &x509_req, cert);
+ restricted = TRUE;
+ }
+ enumerator->destroy(enumerator);
+ break;
+ default:
+ break;
+ }
}
+ auth_enumerator->destroy(auth_enumerator);
}
- enumerator->destroy(enumerator);
if (!restricted)
{
diff --git a/src/charon/sa/tasks/ike_config.c b/src/charon/sa/tasks/ike_config.c
index c31e62750..e89f381d3 100644
--- a/src/charon/sa/tasks/ike_config.c
+++ b/src/charon/sa/tasks/ike_config.c
@@ -13,7 +13,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: ike_config.c 3800 2008-04-14 07:18:16Z martin $
+ * $Id: ike_config.c 4129 2008-07-01 06:36:52Z martin $
*/
#include "ike_config.h"
@@ -315,7 +315,10 @@ static status_t build_r(private_ike_config_t *this, message_t *message)
}
if (ip == NULL)
{
- DBG1(DBG_IKE, "not assigning a virtual IP to peer");
+ DBG1(DBG_IKE, "no virtual IP found, sending %N",
+ notify_type_names, INTERNAL_ADDRESS_FAILURE);
+ message->add_notify(message, FALSE, INTERNAL_ADDRESS_FAILURE,
+ chunk_empty);
return SUCCESS;
}
DBG1(DBG_IKE, "assigning virtual IP %H to peer", ip);
diff --git a/src/charon/sa/tasks/ike_delete.c b/src/charon/sa/tasks/ike_delete.c
index aa7950ef7..295f908cb 100644
--- a/src/charon/sa/tasks/ike_delete.c
+++ b/src/charon/sa/tasks/ike_delete.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: ike_delete.c 3802 2008-04-14 08:17:18Z martin $
+ * $Id: ike_delete.c 4211 2008-07-23 18:46:34Z andreas $
*/
#include "ike_delete.h"
@@ -56,11 +56,22 @@ static status_t build_i(private_ike_delete_t *this, message_t *message)
{
delete_payload_t *delete_payload;
+ SIG_IKE(DOWN_START, "deleting IKE_SA %s[%d] between %H[%D]...%H[%D]",
+ this->ike_sa->get_name(this->ike_sa),
+ this->ike_sa->get_unique_id(this->ike_sa),
+ this->ike_sa->get_my_host(this->ike_sa),
+ this->ike_sa->get_my_id(this->ike_sa),
+ this->ike_sa->get_other_host(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa));
+
delete_payload = delete_payload_create(PROTO_IKE);
message->add_payload(message, (payload_t*)delete_payload);
-
this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
-
+
+ DBG1(DBG_IKE, "sending DELETE for IKE_SA %s[%d]",
+ this->ike_sa->get_name(this->ike_sa),
+ this->ike_sa->get_unique_id(this->ike_sa));
+
return NEED_MORE;
}
@@ -74,16 +85,26 @@ static status_t process_i(private_ike_delete_t *this, message_t *message)
}
/**
- * Implementation of task_t.process for initiator
+ * Implementation of task_t.process for responder
*/
static status_t process_r(private_ike_delete_t *this, message_t *message)
{
/* we don't even scan the payloads, as the message wouldn't have
* come so far without being correct */
+ DBG1(DBG_IKE, "received DELETE for IKE_SA %s[%d]",
+ this->ike_sa->get_name(this->ike_sa),
+ this->ike_sa->get_unique_id(this->ike_sa));
+ SIG_IKE(DOWN_START, "deleting IKE_SA %s[%d] between %H[%D]...%H[%D]",
+ this->ike_sa->get_name(this->ike_sa),
+ this->ike_sa->get_unique_id(this->ike_sa),
+ this->ike_sa->get_my_host(this->ike_sa),
+ this->ike_sa->get_my_id(this->ike_sa),
+ this->ike_sa->get_other_host(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa));
+
switch (this->ike_sa->get_state(this->ike_sa))
{
case IKE_ESTABLISHED:
- DBG1(DBG_IKE, "deleting IKE_SA on request");
this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
this->ike_sa->reestablish(this->ike_sa);
break;
@@ -102,9 +123,11 @@ static status_t process_r(private_ike_delete_t *this, message_t *message)
*/
static status_t build_r(private_ike_delete_t *this, message_t *message)
{
+ SIG_IKE(DOWN_SUCCESS, "IKE_SA deleted");
+
if (this->simultaneous)
{
- /* wait for peers response for our delete request, but set a timeout */
+ /* wait for peer's response for our delete request, but set a timeout */
return SUCCESS;
}
/* completed, delete IKE_SA by returning FAILED */
diff --git a/src/charon/sa/tasks/ike_init.c b/src/charon/sa/tasks/ike_init.c
index 7def3a556..609b37a39 100644
--- a/src/charon/sa/tasks/ike_init.c
+++ b/src/charon/sa/tasks/ike_init.c
@@ -14,7 +14,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: ike_init.c 4086 2008-06-22 11:24:33Z andreas $
+ * $Id: ike_init.c 4206 2008-07-22 17:10:10Z andreas $
*/
#include "ike_init.h"
@@ -26,6 +26,7 @@
#include <encoding/payloads/sa_payload.h>
#include <encoding/payloads/ke_payload.h>
#include <encoding/payloads/nonce_payload.h>
+#include <encoding/payloads/vendor_id_payload.h>
/** maximum retries to do with cookies/other dh groups */
#define MAX_RETRIES 5
@@ -203,9 +204,17 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
case NONCE:
{
nonce_payload_t *nonce_payload = (nonce_payload_t*)payload;
+
this->other_nonce = nonce_payload->get_nonce(nonce_payload);
break;
}
+ case VENDOR_ID:
+ {
+ vendor_id_payload_t *vendor_id = (vendor_id_payload_t*)payload;
+ chunk_t vid = vendor_id->get_data(vendor_id);
+
+ DBG1(DBG_ENC, "received vendor id: %#B", &vid);
+ }
default:
break;
}
@@ -221,14 +230,15 @@ static status_t build_i(private_ike_init_t *this, message_t *message)
rng_t *rng;
this->config = this->ike_sa->get_ike_cfg(this->ike_sa);
- SIG(IKE_UP_START, "initiating IKE_SA '%s' to %H",
+ SIG_IKE(UP_START, "initiating IKE_SA %s[%d] to %H",
this->ike_sa->get_name(this->ike_sa),
+ this->ike_sa->get_unique_id(this->ike_sa),
this->ike_sa->get_other_host(this->ike_sa));
this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
if (this->retry++ >= MAX_RETRIES)
{
- SIG(IKE_UP_FAILED, "giving up after %d retries", MAX_RETRIES);
+ SIG_IKE(UP_FAILED, "giving up after %d retries", MAX_RETRIES);
return FAILED;
}
@@ -239,7 +249,7 @@ static status_t build_i(private_ike_init_t *this, message_t *message)
this->dh = lib->crypto->create_dh(lib->crypto, this->dh_group);
if (this->dh == NULL)
{
- SIG(IKE_UP_FAILED, "configured DH group %N not supported",
+ SIG_IKE(UP_FAILED, "configured DH group %N not supported",
diffie_hellman_group_names, this->dh_group);
return FAILED;
}
@@ -251,7 +261,7 @@ static status_t build_i(private_ike_init_t *this, message_t *message)
rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
if (!rng)
{
- SIG(IKE_UP_FAILED, "error generating nonce");
+ SIG_IKE(UP_FAILED, "error generating nonce");
return FAILED;
}
rng->allocate_bytes(rng, NONCE_SIZE, &this->my_nonce);
@@ -286,7 +296,7 @@ static status_t process_r(private_ike_init_t *this, message_t *message)
rng_t *rng;
this->config = this->ike_sa->get_ike_cfg(this->ike_sa);
- SIG(IKE_UP_START, "%H is initiating an IKE_SA",
+ SIG_IKE(UP_START, "%H is initiating an IKE_SA",
message->get_source(message));
this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
@@ -366,7 +376,7 @@ static status_t build_r(private_ike_init_t *this, message_t *message)
if (this->proposal == NULL ||
this->other_nonce.len == 0 || this->my_nonce.len == 0)
{
- SIG(IKE_UP_FAILED, "received proposals inacceptable");
+ SIG_IKE(UP_FAILED, "received proposals inacceptable");
message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
return FAILED;
}
@@ -380,7 +390,7 @@ static status_t build_r(private_ike_init_t *this, message_t *message)
if (this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP,
&group, NULL))
{
- SIG(CHILD_UP_FAILED, "DH group %N inacceptable, requesting %N",
+ SIG_CHD(UP_FAILED, NULL, "DH group %N inacceptable, requesting %N",
diffie_hellman_group_names, this->dh_group,
diffie_hellman_group_names, group);
this->dh_group = group;
@@ -390,7 +400,7 @@ static status_t build_r(private_ike_init_t *this, message_t *message)
}
else
{
- SIG(IKE_UP_FAILED, "no acceptable proposal found");
+ SIG_IKE(UP_FAILED, "no acceptable proposal found");
}
return FAILED;
}
@@ -420,7 +430,7 @@ static status_t build_r(private_ike_init_t *this, message_t *message)
}
if (status != SUCCESS)
{
- SIG(IKE_UP_FAILED, "key derivation failed");
+ SIG_IKE(UP_FAILED, "key derivation failed");
message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
return FAILED;
}
@@ -495,7 +505,7 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
{
if (type < 16383)
{
- SIG(IKE_UP_FAILED, "received %N notify error",
+ SIG_IKE(UP_FAILED, "received %N notify error",
notify_type_names, type);
iterator->destroy(iterator);
return FAILED;
@@ -515,7 +525,7 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
if (this->proposal == NULL ||
this->other_nonce.len == 0 || this->my_nonce.len == 0)
{
- SIG(IKE_UP_FAILED, "peer's proposal selection invalid");
+ SIG_IKE(UP_FAILED, "peer's proposal selection invalid");
return FAILED;
}
@@ -523,7 +533,7 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
!this->proposal->has_dh_group(this->proposal, this->dh_group) ||
this->dh->get_shared_secret(this->dh, &secret) != SUCCESS)
{
- SIG(IKE_UP_FAILED, "peer's DH group selection invalid");
+ SIG_IKE(UP_FAILED, "peer's DH group selection invalid");
return FAILED;
}
@@ -552,7 +562,7 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
}
if (status != SUCCESS)
{
- SIG(IKE_UP_FAILED, "key derivation failed");
+ SIG_IKE(UP_FAILED, "key derivation failed");
return FAILED;
}
diff --git a/src/charon/sa/tasks/ike_me.c b/src/charon/sa/tasks/ike_me.c
index 2d7c64d70..a203dee58 100644
--- a/src/charon/sa/tasks/ike_me.c
+++ b/src/charon/sa/tasks/ike_me.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: ike_me.c 3806 2008-04-15 05:56:35Z martin $
+ * $Id: ike_me.c 4355 2008-09-25 07:56:58Z tobias $
*/
#include "ike_me.h"
@@ -128,7 +128,7 @@ static void add_endpoints_to_message(message_t *message, linked_list_t *endpoint
*/
static void gather_and_add_endpoints(private_ike_me_t *this, message_t *message)
{
- iterator_t *iterator;
+ enumerator_t *enumerator;
host_t *addr, *host;
u_int16_t port;
@@ -136,9 +136,9 @@ static void gather_and_add_endpoints(private_ike_me_t *this, message_t *message)
host = this->ike_sa->get_my_host(this->ike_sa);
port = host->get_port(host);
- iterator = charon->kernel_interface->create_address_iterator(
- charon->kernel_interface);
- while (iterator->iterate(iterator, (void**)&addr))
+ enumerator = charon->kernel_interface->create_address_enumerator(
+ charon->kernel_interface, FALSE, FALSE);
+ while (enumerator->enumerate(enumerator, (void**)&addr))
{
host = addr->clone(addr);
host->set_port(host, port);
@@ -148,7 +148,7 @@ static void gather_and_add_endpoints(private_ike_me_t *this, message_t *message)
host->destroy(host);
}
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
host = this->ike_sa->get_server_reflexive_host(this->ike_sa);
if (host)
@@ -461,7 +461,8 @@ static status_t process_i(private_ike_me_t *this, message_t *message)
this->ike_sa->set_server_reflexive_host(this->ike_sa, endpoint->clone(endpoint));
}
/* FIXME: what if it failed? e.g. AUTH failure */
- SIG(CHILD_UP_SUCCESS, "established mediation connection without CHILD_SA successfully");
+ SIG_CHD(UP_SUCCESS, NULL, "established mediation connection "
+ "without CHILD_SA successfully");
break;
}
@@ -641,7 +642,8 @@ static status_t build_r_ms(private_ike_me_t *this, message_t *message)
/* FIXME: we actually must delete any existing IKE_SAs with the same remote id */
this->ike_sa->act_as_mediation_server(this->ike_sa);
- SIG(CHILD_UP_SUCCESS, "established mediation connection without CHILD_SA successfully");
+ SIG_CHD(UP_SUCCESS, NULL, "established mediation connection "
+ "without CHILD_SA successfully");
break;
}
diff --git a/src/charon/sa/tasks/ike_mobike.c b/src/charon/sa/tasks/ike_mobike.c
index 23c68b9e9..f6ee3f6ad 100644
--- a/src/charon/sa/tasks/ike_mobike.c
+++ b/src/charon/sa/tasks/ike_mobike.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: ike_mobike.c 4006 2008-05-23 15:43:42Z martin $
+ * $Id: ike_mobike.c 4394 2008-10-09 08:25:11Z martin $
*/
#include "ike_mobike.h"
@@ -117,8 +117,19 @@ static void process_payloads(private_ike_mobike_t *this, message_t *message)
{
case MOBIKE_SUPPORTED:
{
- DBG1(DBG_IKE, "peer supports MOBIKE");
- this->ike_sa->enable_extension(this->ike_sa, EXT_MOBIKE);
+ peer_cfg_t *peer_cfg;
+
+ peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+ if (!this->initiator &&
+ peer_cfg && !peer_cfg->use_mobike(peer_cfg))
+ {
+ DBG1(DBG_IKE, "peer supports MOBIKE, but disabled in config");
+ }
+ else
+ {
+ DBG1(DBG_IKE, "peer supports MOBIKE");
+ this->ike_sa->enable_extension(this->ike_sa, EXT_MOBIKE);
+ }
break;
}
case COOKIE2:
@@ -177,15 +188,15 @@ static void process_payloads(private_ike_mobike_t *this, message_t *message)
*/
static void build_address_list(private_ike_mobike_t *this, message_t *message)
{
- iterator_t *iterator;
+ enumerator_t *enumerator;
host_t *host, *me;
notify_type_t type;
bool additional = FALSE;
me = this->ike_sa->get_my_host(this->ike_sa);
- iterator = charon->kernel_interface->create_address_iterator(
- charon->kernel_interface);
- while (iterator->iterate(iterator, (void**)&host))
+ enumerator = charon->kernel_interface->create_address_enumerator(
+ charon->kernel_interface, FALSE, FALSE);
+ while (enumerator->enumerate(enumerator, (void**)&host))
{
if (me->ip_equals(me, host))
{ /* "ADDITIONAL" means do not include IKE_SAs host */
@@ -209,7 +220,7 @@ static void build_address_list(private_ike_mobike_t *this, message_t *message)
{
message->add_notify(message, FALSE, NO_ADDITIONAL_ADDRESSES, chunk_empty);
}
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
}
/**
@@ -266,7 +277,7 @@ static void transmit(private_ike_mobike_t *this, packet_t *packet)
other_old = this->ike_sa->get_other_host(this->ike_sa);
me = charon->kernel_interface->get_source_addr(
- charon->kernel_interface, other_old);
+ charon->kernel_interface, other_old, NULL);
if (me)
{
me->set_port(me, me->ip_equals(me, me_old) ?
@@ -278,7 +289,7 @@ static void transmit(private_ike_mobike_t *this, packet_t *packet)
while (iterator->iterate(iterator, (void**)&other))
{
me = charon->kernel_interface->get_source_addr(
- charon->kernel_interface, other);
+ charon->kernel_interface, other, NULL);
if (me)
{
if (me->get_family(me) != other->get_family(other))
@@ -318,6 +329,24 @@ static status_t build_i(private_ike_mobike_t *this, message_t *message)
}
else if (message->get_exchange_type(message) == INFORMATIONAL)
{
+ host_t *old, *new;
+
+ /* we check if the existing address is still valid */
+ old = message->get_source(message);
+ new = charon->kernel_interface->get_source_addr(charon->kernel_interface,
+ message->get_destination(message), old);
+ if (new)
+ {
+ if (!new->ip_equals(new, old))
+ {
+ new->set_port(new, old->get_port(old));
+ message->set_source(message, new);
+ }
+ else
+ {
+ new->destroy(new);
+ }
+ }
if (this->update)
{
message->add_notify(message, FALSE, UPDATE_SA_ADDRESSES, chunk_empty);
@@ -423,7 +452,7 @@ static status_t process_i(private_ike_mobike_t *this, message_t *message)
return SUCCESS;
}
if (this->cookie2.ptr)
- { /* check cookie if we included none */
+ { /* check cookie if we included one */
chunk_t cookie2;
cookie2 = this->cookie2;
@@ -444,6 +473,13 @@ static status_t process_i(private_ike_mobike_t *this, message_t *message)
if (this->natd)
{
this->natd->task.process(&this->natd->task, message);
+ if (this->natd->has_mapping_changed(this->natd))
+ {
+ /* force an update if mappings have changed */
+ this->update = this->check = TRUE;
+ DBG1(DBG_IKE, "detected changes in NAT mappings, "
+ "initiating MOBIKE update");
+ }
}
if (this->update)
{
@@ -496,6 +532,20 @@ static void roam(private_ike_mobike_t *this, bool address)
}
/**
+ * Implementation of ike_mobike_t.dpd
+ */
+static void dpd(private_ike_mobike_t *this)
+{
+ if (!this->natd)
+ {
+ this->natd = ike_natd_create(this->ike_sa, this->initiator);
+ }
+ this->address = FALSE;
+ this->ike_sa->set_pending_updates(this->ike_sa,
+ this->ike_sa->get_pending_updates(this->ike_sa) + 1);
+}
+
+/**
* Implementation of ike_mobike_t.is_probing.
*/
static bool is_probing(private_ike_mobike_t *this)
@@ -545,6 +595,7 @@ ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator)
private_ike_mobike_t *this = malloc_thing(private_ike_mobike_t);
this->public.roam = (void(*)(ike_mobike_t*,bool))roam;
+ this->public.dpd = (void(*)(ike_mobike_t*))dpd;
this->public.transmit = (void(*)(ike_mobike_t*,packet_t*))transmit;
this->public.is_probing = (bool(*)(ike_mobike_t*))is_probing;
this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
diff --git a/src/charon/sa/tasks/ike_mobike.h b/src/charon/sa/tasks/ike_mobike.h
index 9dd29970e..f8f094456 100644
--- a/src/charon/sa/tasks/ike_mobike.h
+++ b/src/charon/sa/tasks/ike_mobike.h
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: ike_mobike.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: ike_mobike.h 4368 2008-10-06 13:37:04Z martin $
*/
/**
@@ -55,6 +55,11 @@ struct ike_mobike_t {
void (*roam)(ike_mobike_t *this, bool address);
/**
+ * Use the task for a DPD check which detects changes in NAT mappings.
+ */
+ void (*dpd)(ike_mobike_t *this);
+
+ /**
* Transmision hook, called by task manager.
*
* The task manager calls this hook whenever it transmits a packet. It
diff --git a/src/charon/sa/tasks/ike_natd.c b/src/charon/sa/tasks/ike_natd.c
index 69e5bac26..9e62fcbdf 100644
--- a/src/charon/sa/tasks/ike_natd.c
+++ b/src/charon/sa/tasks/ike_natd.c
@@ -13,7 +13,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: ike_natd.c 3806 2008-04-15 05:56:35Z martin $
+ * $Id: ike_natd.c 4386 2008-10-08 08:23:46Z martin $
*/
#include "ike_natd.h"
@@ -72,6 +72,11 @@ struct private_ike_natd_t {
* Have we found a matching destination address NAT hash?
*/
bool dst_matched;
+
+ /**
+ * whether NAT mappings for our NATed address has changed
+ */
+ bool mapping_changed;
};
@@ -192,15 +197,24 @@ static void process_payloads(private_ike_natd_t *this, message_t *message)
case NAT_DETECTION_DESTINATION_IP:
{
this->dst_seen = TRUE;
+ hash = notify->get_notification_data(notify);
if (!this->dst_matched)
{
- hash = notify->get_notification_data(notify);
DBG3(DBG_IKE, "received dst_hash %B", &hash);
if (chunk_equals(hash, dst_hash))
{
this->dst_matched = TRUE;
}
}
+ /* RFC4555 says we should also compare against IKE_SA_INIT
+ * NATD payloads, but this does not work: We are running
+ * there at port 500, but use 4500 afterwards... */
+ if (message->get_exchange_type(message) == INFORMATIONAL &&
+ this->initiator && !this->dst_matched)
+ {
+ this->mapping_changed = this->ike_sa->has_mapping_changed(
+ this->ike_sa, hash);
+ }
break;
}
case NAT_DETECTION_SOURCE_IP:
@@ -300,7 +314,7 @@ static status_t process_i(private_ike_natd_t *this, message_t *message)
static status_t build_i(private_ike_natd_t *this, message_t *message)
{
notify_payload_t *notify;
- iterator_t *iterator;
+ enumerator_t *enumerator;
host_t *host;
if (this->hasher == NULL)
@@ -327,9 +341,8 @@ static status_t build_i(private_ike_natd_t *this, message_t *message)
}
else
{
- host = charon->kernel_interface->get_source_addr(
- charon->kernel_interface,
- this->ike_sa->get_other_host(this->ike_sa));
+ host = charon->kernel_interface->get_source_addr(charon->kernel_interface,
+ this->ike_sa->get_other_host(this->ike_sa), NULL);
if (host)
{ /* 2. */
host->set_port(host, IKEV2_UDP_PORT);
@@ -339,14 +352,14 @@ static status_t build_i(private_ike_natd_t *this, message_t *message)
}
else
{ /* 3. */
- iterator = charon->kernel_interface->create_address_iterator(
- charon->kernel_interface);
- while (iterator->iterate(iterator, (void**)&host))
+ enumerator = charon->kernel_interface->create_address_enumerator(
+ charon->kernel_interface, FALSE, FALSE);
+ while (enumerator->enumerate(enumerator, (void**)&host))
{
notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, host);
message->add_payload(message, (payload_t*)notify);
}
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
}
}
return NEED_MORE;
@@ -415,6 +428,15 @@ static void migrate(private_ike_natd_t *this, ike_sa_t *ike_sa)
this->dst_seen = FALSE;
this->src_matched = FALSE;
this->dst_matched = FALSE;
+ this->mapping_changed = FALSE;
+}
+
+/**
+ * Implementation of ike_natd_t.has_mapping_changed
+ */
+static bool has_mapping_changed(private_ike_natd_t *this)
+{
+ return this->mapping_changed;
}
/**
@@ -448,6 +470,8 @@ ike_natd_t *ike_natd_create(ike_sa_t *ike_sa, bool initiator)
this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
}
+ this->public.has_mapping_changed = (bool(*)(ike_natd_t*))has_mapping_changed;
+
this->ike_sa = ike_sa;
this->initiator = initiator;
this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
@@ -455,6 +479,7 @@ ike_natd_t *ike_natd_create(ike_sa_t *ike_sa, bool initiator)
this->dst_seen = FALSE;
this->src_matched = FALSE;
this->dst_matched = FALSE;
+ this->mapping_changed = FALSE;
return &this->public;
}
diff --git a/src/charon/sa/tasks/ike_natd.h b/src/charon/sa/tasks/ike_natd.h
index d78c931d9..7e1e58bc0 100644
--- a/src/charon/sa/tasks/ike_natd.h
+++ b/src/charon/sa/tasks/ike_natd.h
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: ike_natd.h 3589 2008-03-13 14:14:44Z martin $
+ * $Id: ike_natd.h 4368 2008-10-06 13:37:04Z martin $
*/
/**
@@ -38,6 +38,15 @@ struct ike_natd_t {
* Implements the task_t interface
*/
task_t task;
+
+ /**
+ * Check if the NAT mapping has changed for our address.
+ *
+ * MOBIKE uses NAT payloads in DPD to detect changes in the NAT mappings.
+ *
+ * @return TRUE if mappings have changed
+ */
+ bool (*has_mapping_changed)(ike_natd_t *this);
};
/**
diff --git a/src/charon/sa/tasks/ike_reauth.c b/src/charon/sa/tasks/ike_reauth.c
index 854e9359d..b84b2a387 100644
--- a/src/charon/sa/tasks/ike_reauth.c
+++ b/src/charon/sa/tasks/ike_reauth.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: ike_reauth.c 3793 2008-04-11 08:14:48Z martin $
+ * $Id: ike_reauth.c 4211 2008-07-23 18:46:34Z andreas $
*/
#include "ike_reauth.h"
@@ -65,7 +65,8 @@ static status_t process_i(private_ike_reauth_t *this, message_t *message)
/* process delete response first */
this->ike_delete->task.process(&this->ike_delete->task, message);
-
+ SIG_IKE(DOWN_SUCCESS, "IKE_SA deleted");
+
peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
/* reauthenticate only if we have children */
diff --git a/src/charon/sa/tasks/ike_rekey.c b/src/charon/sa/tasks/ike_rekey.c
index 9c0d1805c..6c4ef4354 100644
--- a/src/charon/sa/tasks/ike_rekey.c
+++ b/src/charon/sa/tasks/ike_rekey.c
@@ -13,7 +13,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: ike_rekey.c 3589 2008-03-13 14:14:44Z martin $
+ * $Id: ike_rekey.c 4211 2008-07-23 18:46:34Z andreas $
*/
#include "ike_rekey.h"
@@ -69,6 +69,7 @@ struct private_ike_rekey_t {
static status_t build_i(private_ike_rekey_t *this, message_t *message)
{
peer_cfg_t *peer_cfg;
+ host_t *other_host;
/* create new SA only on first try */
if (this->new_sa == NULL)
@@ -77,7 +78,9 @@ static status_t build_i(private_ike_rekey_t *this, message_t *message)
TRUE);
peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+ other_host = this->ike_sa->get_other_host(this->ike_sa);
this->new_sa->set_peer_cfg(this->new_sa, peer_cfg);
+ this->new_sa->set_other_host(this->new_sa, other_host->clone(other_host));
this->ike_init = ike_init_create(this->new_sa, TRUE, this->ike_sa);
this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
}
@@ -87,7 +90,7 @@ static status_t build_i(private_ike_rekey_t *this, message_t *message)
}
/**
- * Implementation of task_t.process for initiator
+ * Implementation of task_t.process for responder
*/
static status_t process_r(private_ike_rekey_t *this, message_t *message)
{
@@ -149,6 +152,13 @@ static status_t build_r(private_ike_rekey_t *this, message_t *message)
this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
+ SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
+ this->new_sa->get_name(this->new_sa),
+ this->new_sa->get_unique_id(this->new_sa),
+ this->ike_sa->get_my_host(this->ike_sa),
+ this->ike_sa->get_my_id(this->ike_sa),
+ this->ike_sa->get_other_host(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa));
return SUCCESS;
}
@@ -188,6 +198,14 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
}
this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
+ SIG_IKE(UP_SUCCESS, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
+ this->new_sa->get_name(this->new_sa),
+ this->new_sa->get_unique_id(this->new_sa),
+ this->ike_sa->get_my_host(this->ike_sa),
+ this->ike_sa->get_my_id(this->ike_sa),
+ this->ike_sa->get_other_host(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa));
+
to_delete = this->ike_sa->get_id(this->ike_sa);
/* check for collisions */