Import upstream release 5.2.1

2 files changed, 61 insertions, 16 deletions

diff --git a/src/libcharon/plugins/unity/Makefile.in b/src/libcharon/plugins/unity/Makefile.in
index 4d411f68e..1e04ebced 100644
--- a/src/libcharon/plugins/unity/Makefile.in
+++ b/src/libcharon/plugins/unity/Makefile.in
@@ -234,6 +234,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GEM = @GEM@
 GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
@@ -294,6 +295,7 @@ PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
 RUBYINCLUDE = @RUBYINCLUDE@
 RUBYLIB = @RUBYLIB@
 SED = @SED@
@@ -359,6 +361,8 @@ ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
 ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
 linux_headers = @linux_headers@
@@ -406,6 +410,10 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
 target_alias = @target_alias@
diff --git a/src/libcharon/plugins/unity/unity_narrow.c b/src/libcharon/plugins/unity/unity_narrow.c
index 9f72a80da..52a2c7f24 100644
--- a/src/libcharon/plugins/unity/unity_narrow.c
+++ b/src/libcharon/plugins/unity/unity_narrow.c
@@ -139,6 +139,23 @@ static void narrow_responder_post(child_cfg_t *child_cfg, linked_list_t *local)
 	configured->destroy(configured);
 }
 
+/**
+ * Check if any Split-Include attributes are active on this IKE_SA
+ */
+static bool has_split_includes(private_unity_narrow_t *this, ike_sa_t *ike_sa)
+{
+	enumerator_t *enumerator;
+	traffic_selector_t *ts;
+	bool has;
+
+	enumerator = this->handler->create_include_enumerator(this->handler,
+												ike_sa->get_unique_id(ike_sa));
+	has = enumerator->enumerate(enumerator, &ts);
+	enumerator->destroy(enumerator);
+
+	return has;
+}
+
 METHOD(listener_t, narrow, bool,
 	private_unity_narrow_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
 	narrow_hook_t type, linked_list_t *local, linked_list_t *remote)
@@ -146,23 +163,43 @@ METHOD(listener_t, narrow, bool,
 	if (ike_sa->get_version(ike_sa) == IKEV1 &&
 		ike_sa->supports_extension(ike_sa, EXT_CISCO_UNITY))
 	{
-		switch (type)
+		/* depending on who initiates a rekeying the hooks will not match the
+		 * roles in the IKE_SA */
+		if (ike_sa->has_condition(ike_sa, COND_ORIGINAL_INITIATOR))
 		{
-			case NARROW_INITIATOR_PRE_AUTH:
-				narrow_pre(remote, "other");
-				break;
-			case NARROW_INITIATOR_POST_AUTH:
-				narrow_initiator(this, ike_sa,
-								 child_sa->get_config(child_sa), remote);
-				break;
-			case NARROW_RESPONDER:
-				narrow_pre(local, "us");
-				break;
-			case NARROW_RESPONDER_POST:
-				narrow_responder_post(child_sa->get_config(child_sa), local);
-				break;
-			default:
-				break;
+			switch (type)
+			{
+				case NARROW_INITIATOR_PRE_AUTH:
+				case NARROW_RESPONDER:
+					if (has_split_includes(this, ike_sa))
+					{
+						narrow_pre(remote, "other");
+					}
+					break;
+				case NARROW_INITIATOR_POST_AUTH:
+				case NARROW_RESPONDER_POST:
+					narrow_initiator(this, ike_sa,
+									 child_sa->get_config(child_sa), remote);
+					break;
+				default:
+					break;
+			}
+		}
+		else
+		{
+			switch (type)
+			{
+				case NARROW_INITIATOR_PRE_AUTH:
+				case NARROW_RESPONDER:
+					narrow_pre(local, "us");
+					break;
+				case NARROW_INITIATOR_POST_AUTH:
+				case NARROW_RESPONDER_POST:
+					narrow_responder_post(child_sa->get_config(child_sa), local);
+					break;
+				default:
+					break;
+			}
 		}
 	}
 	return TRUE;