author | Yves-Alexis Perez <corsac@debian.org> | 2013-04-26 14:57:47 +0200 |
committer | Yves-Alexis Perez <corsac@debian.org> | 2013-04-26 14:57:47 +0200 |
commit | 10e5fb2b9b2f27c83b3e5a1d048b158d5cf42a43 (patch) | |
tree | bf1d05a2e37dbd1911b86fcc026fbe49b0239c71 /src/libcharon/encoding | |
parent | 7585facf05d927eb6df3929ce09ed5e60d905437 (diff) | |
download | vyos-strongswan-10e5fb2b9b2f27c83b3e5a1d048b158d5cf42a43.tar.gz vyos-strongswan-10e5fb2b9b2f27c83b3e5a1d048b158d5cf42a43.zip |
Imported Upstream version 5.0.3
Diffstat (limited to 'src/libcharon/encoding')
-rw-r--r-- | src/libcharon/encoding/message.c | 6 | ||||
-rw-r--r-- | src/libcharon/encoding/payloads/notify_payload.c | 14 | ||||
-rw-r--r-- | src/libcharon/encoding/payloads/notify_payload.h | 4 | ||||
-rw-r--r-- | src/libcharon/encoding/payloads/traffic_selector_substructure.c | 6 |
4 files changed, 19 insertions, 11 deletions
diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c
index 28fdda735..749c326a5 100644
--- a/src/libcharon/encoding/message.c
+++ b/src/libcharon/encoding/message.c
@@ -62,7 +62,7 @@
 /**
  * Max number of NAT-D payloads per IKEv1 message
  */
-#define MAX_NAT_D_PAYLOADS 5
+#define MAX_NAT_D_PAYLOADS 10
 
 /**
  * A payload rule defines the rules for a payload
@@ -151,7 +151,7 @@ static payload_rule_t ike_sa_init_r_rules[] = {
 	{SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
 	{KEY_EXCHANGE, 1, 1, FALSE, FALSE},
 	{NONCE, 1, 1, FALSE, FALSE},
-	{CERTIFICATE_REQUEST, 0, 1, FALSE, FALSE},
+	{CERTIFICATE_REQUEST, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
 	{VENDOR_ID, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
 };
 
@@ -181,7 +181,7 @@ static payload_rule_t ike_auth_i_rules[] = {
 	{AUTHENTICATION, 0, 1, TRUE, TRUE},
 	{ID_INITIATOR, 0, 1, TRUE, FALSE},
 	{CERTIFICATE, 0, MAX_CERT_PAYLOADS, TRUE, FALSE},
-	{CERTIFICATE_REQUEST, 0, 1, TRUE, FALSE},
+	{CERTIFICATE_REQUEST, 0, MAX_CERTREQ_PAYLOADS, TRUE, FALSE},
 	{ID_RESPONDER, 0, 1, TRUE, FALSE},
 #ifdef ME
 	{SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
diff --git a/src/libcharon/encoding/payloads/notify_payload.c b/src/libcharon/encoding/payloads/notify_payload.c
index d168e1c12..f7a13d728 100644
--- a/src/libcharon/encoding/payloads/notify_payload.c
+++ b/src/libcharon/encoding/payloads/notify_payload.c
@@ -65,7 +65,7 @@ ENUM_NEXT(notify_type_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, CHILD_SA_NOT_
 	"ME_CONNECT_FAILED");
 ENUM_NEXT(notify_type_names, MS_NOTIFY_STATUS, MS_NOTIFY_STATUS, ME_CONNECT_FAILED,
 	"MS_NOTIFY_STATUS");
-ENUM_NEXT(notify_type_names, INITIAL_CONTACT, PSK_CONFIRM, MS_NOTIFY_STATUS,
+ENUM_NEXT(notify_type_names, INITIAL_CONTACT, ERX_SUPPORTED, MS_NOTIFY_STATUS,
 	"INITIAL_CONTACT",
 	"SET_WINDOW_SIZE",
 	"ADDITIONAL_TS_POSSIBLE",
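Review bot: The `+#define MAX_NAT_D_PAYLOADS 10` line doubles a per-message payload bound without recording why; these maxima are what the payload rule tables below use as the upper occurrence count (compare `MAX_VID_PAYLOADS` in the same tables), so they are the parser's guard against a peer stuffing one message with many copies of a payload, and the next reader cannot tell whether 10 is protocol-derived or a workaround for a specific peer. I would extend the doc comment, e.g. `* Max number of NAT-D payloads per IKEv1 message (raised from 5 to 10 in 5.0.3; presumably for multi-homed peers that hash every address - confirm)`. The rule tables consuming the constant start outside this hunk.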
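Review bot: `MAX_CERTREQ_PAYLOADS` now bounds CERTIFICATE_REQUEST in the IKEv2 `ike_sa_init_r_rules` and `ike_auth_i_rules` tables, but its definition and value are not in this diff, so the patch alone does not show what limit applies nor whether the constant's own doc comment still describes it as an IKEv1-only bound; confirm it is defined next to `MAX_CERT_PAYLOADS`/`MAX_VID_PAYLOADS` and that the comment there covers both IKE versions. A short why-comment on the rule line would make the table self-explaining: `{CERTIFICATE_REQUEST, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE}, /* a peer may send one CERTREQ per CA / encoding */` (hedged: the exact IKEv2 rationale is not visible here). Both rule arrays begin before and end after their hunks.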
@@ -108,8 +108,9 @@ ENUM_NEXT(notify_type_names, INITIAL_CONTACT, PSK_CONFIRM, MS_NOTIFY_STATUS,
 	"IPSEC_REPLAY_COUNTER_SYNC",
 	"SECURE PASSWORD_METHOD",
 	"PSK_PERSIST",
-	"PSK_CONFIRM");
-ENUM_NEXT(notify_type_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, PSK_CONFIRM,
+	"PSK_CONFIRM",
+	"ERX_SUPPORTED");
+ENUM_NEXT(notify_type_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, ERX_SUPPORTED,
 	"INITIAL_CONTACT");
 ENUM_NEXT(notify_type_names, DPD_R_U_THERE, DPD_R_U_THERE_ACK, INITIAL_CONTACT_IKEV1,
 	"DPD_R_U_THERE",
@@ -170,7 +171,7 @@ ENUM_NEXT(notify_type_short_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, CHILD_S
 	"ME_CONN_FAIL");
 ENUM_NEXT(notify_type_short_names, MS_NOTIFY_STATUS, MS_NOTIFY_STATUS, ME_CONNECT_FAILED,
 	"MS_STATUS");
-ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, PSK_CONFIRM, MS_NOTIFY_STATUS,
+ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, ERX_SUPPORTED, MS_NOTIFY_STATUS,
 	"INIT_CONTACT",
 	"SET_WINSIZE",
 	"ADD_TS_POSS",
@@ -213,8 +214,9 @@ ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, PSK_CONFIRM, MS_NOTIFY_STATU
 	"RPL_CTR_SYN",
 	"SEC_PASSWD",
 	"PSK_PST",
-	"PSK_CFM");
-ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, PSK_CONFIRM,
+	"PSK_CFM",
+	"ERX_SUP");
+ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, ERX_SUPPORTED,
 	"INITIAL_CONTACT");
 ENUM_NEXT(notify_type_short_names, DPD_R_U_THERE, DPD_R_U_THERE_ACK, INITIAL_CONTACT_IKEV1,
 	"DPD",
diff --git a/src/libcharon/encoding/payloads/notify_payload.h b/src/libcharon/encoding/payloads/notify_payload.h
index 498c659b1..847fddc69 100644
--- a/src/libcharon/encoding/payloads/notify_payload.h
+++ b/src/libcharon/encoding/payloads/notify_payload.h
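Review bot: The context line `"SECURE PASSWORD_METHOD",` three lines above the change carries a space where the enum identifier `SECURE_PASSWORD_METHOD` has an underscore, so the long-name table logs a token that does not match the constant (the short-name table in the -213 hunk, `"SEC_PASSWD"`, is consistent). The hunk already rewrites the tail of this same ENUM_NEXT block, so it is the natural place to correct it to `"SECURE_PASSWORD_METHOD",`. The ENUM_NEXT call begins before the hunk.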
@@ -140,9 +140,11 @@ enum notify_type_t {
 	IPSEC_REPLAY_COUNTER_SYNC = 16423,
 	/* Secure password methods, RFC 6467 */
 	SECURE_PASSWORD_METHOD = 16424,
-	/* PACE - draft-kuegler-ipsecme-pace-ikev2 */
+	/* PACE, RFC 6631 */
 	PSK_PERSIST = 16425,
 	PSK_CONFIRM = 16426,
+	/* EAP Re-authentication Extension, RFC 6867 */
+	ERX_SUPPORTED = 16427,
 	/* IKEv1 initial contact */
 	INITIAL_CONTACT_IKEV1 = 24578,
 	/* IKEv1 DPD */
diff --git a/src/libcharon/encoding/payloads/traffic_selector_substructure.c b/src/libcharon/encoding/payloads/traffic_selector_substructure.c
index 15f791b95..334823db9 100644
--- a/src/libcharon/encoding/payloads/traffic_selector_substructure.c
+++ b/src/libcharon/encoding/payloads/traffic_selector_substructure.c
@@ -114,7 +114,11 @@ METHOD(payload_t, verify, status_t,
 {
 	if (this->start_port > this->end_port)
 	{
-		return FAILED;
+		/* OPAQUE ports are the only exception */
+		if (this->start_port != 0xffff && this->end_port != 0)
+		{
+			return FAILED;
+		}
 	}
 	switch (this->ts_type)
 	{
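Review bot: The new `ERX_SUPPORTED = 16427` value is appended to a range that the `ENUM_NEXT(..., INITIAL_CONTACT, ERX_SUPPORTED, ...)` name tables in notify_payload.c must track exactly, and nothing in the header says so; the next value added here without touching both tables presumably ends up without a printable name. Add a note above the range, e.g. `/* INITIAL_CONTACT..ERX_SUPPORTED are named by contiguous ENUM_NEXT ranges in notify_payload.c; extend both tables when appending here */`. The enum begins before and continues past the hunk.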
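Review bot: The OPAQUE exception on the added `if (this->start_port != 0xffff && this->end_port != 0)` line is wider than its comment claims: with `&&`, verify() only fails when both ports differ from the OPAQUE pair, so an inverted selector such as start 0xffff / end 5 or start 100 / end 0, neither of which is OPAQUE (RFC 5996 §3.13.1 defines it as start 65535, end 0), is now accepted from the wire where the old code rejected it. The intended test is the negation of "both ports equal the OPAQUE values": `if (this->start_port != 0xffff || this->end_port != 0)`. Whether a later consumer of the selector tolerates such a range cannot be seen here, so verify() should keep rejecting it. The verify method's body continues beyond the hunk.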