Import upstream release 5.2.1

7 files changed, 128 insertions, 34 deletions

diff --git a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
index 7009ae95d..710bf1cd2 100644
--- a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
@@ -475,6 +475,9 @@ METHOD(task_t, process_r, status_t,
 		}
 		case AM_AUTH:
 		{
+			adopt_children_job_t *job = NULL;
+			xauth_t *xauth = NULL;
+
 			while (TRUE)
 			{
 				if (this->ph1->verify_auth(this->ph1, this->method, message,
@@ -504,8 +507,8 @@ METHOD(task_t, process_r, status_t,
 				case AUTH_XAUTH_INIT_PSK:
 				case AUTH_XAUTH_INIT_RSA:
 				case AUTH_HYBRID_INIT_RSA:
-					this->ike_sa->queue_task(this->ike_sa,
-									(task_t*)xauth_create(this->ike_sa, TRUE));
+					xauth = xauth_create(this->ike_sa, TRUE);
+					this->ike_sa->queue_task(this->ike_sa, (task_t*)xauth);
 					break;
 				case AUTH_XAUTH_RESP_PSK:
 				case AUTH_XAUTH_RESP_RSA:
@@ -524,9 +527,8 @@ METHOD(task_t, process_r, status_t,
 					{
 						return send_delete(this);
 					}
-					lib->processor->queue_job(lib->processor, (job_t*)
-									adopt_children_job_create(
-										this->ike_sa->get_id(this->ike_sa)));
+					job = adopt_children_job_create(
+											this->ike_sa->get_id(this->ike_sa));
 					break;
 			}
 			/* check for and prepare mode config push/pull */
@@ -542,10 +544,26 @@ METHOD(task_t, process_r, status_t,
 			{
 				if (!this->peer_cfg->use_pull_mode(this->peer_cfg))
 				{
-					this->ike_sa->queue_task(this->ike_sa,
-						(task_t*)mode_config_create(this->ike_sa, TRUE, FALSE));
+					if (job)
+					{
+						job->queue_task(job, (task_t*)
+								mode_config_create(this->ike_sa, TRUE, FALSE));
+					}
+					else if (xauth)
+					{
+						xauth->queue_mode_config_push(xauth);
+					}
+					else
+					{
+						this->ike_sa->queue_task(this->ike_sa, (task_t*)
+								mode_config_create(this->ike_sa, TRUE, FALSE));
+					}
 				}
 			}
+			if (job)
+			{
+				lib->processor->queue_job(lib->processor, (job_t*)job);
+			}
 			return SUCCESS;
 		}
 		default:
diff --git a/src/libcharon/sa/ikev1/tasks/informational.c b/src/libcharon/sa/ikev1/tasks/informational.c
index b742dbef9..2798978b2 100644
--- a/src/libcharon/sa/ikev1/tasks/informational.c
+++ b/src/libcharon/sa/ikev1/tasks/informational.c
@@ -112,16 +112,16 @@ METHOD(task_t, process_r, status_t,
 													  IKEV2_UDP_PORT);
 					if (redirect)
 					{	/* treat the redirect as reauthentication */
-						DBG1(DBG_IKE, "received %N notify. redirected to %H",
+						DBG1(DBG_IKE, "received %N notify, redirected to %H",
 							 notify_type_names, type, redirect);
 						/* Cisco boxes reject the first message from 4500 */
 						me = this->ike_sa->get_my_host(this->ike_sa);
 						me->set_port(me, charon->socket->get_port(
 														charon->socket, FALSE));
 						this->ike_sa->set_other_host(this->ike_sa, redirect);
-						this->ike_sa->reauth(this->ike_sa);
+						status = this->ike_sa->reauth(this->ike_sa);
 						enumerator->destroy(enumerator);
-						return DESTROY_ME;
+						return status;
 					}
 					else
 					{
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
index 426c4bd69..0162fd84e 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
@@ -15,7 +15,7 @@
  */
 
 /*
- * Copyright (C) 2012 Volker Rümelin
+ * Copyright (C) 2012-2014 Volker Rümelin
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
@@ -106,10 +106,15 @@ static struct {
 	  "\x12\xf5\xf2\x8c\x45\x71\x68\xa9\x70\x2d\x9f\xe2\x74\xcc\x01\x00"},
 
 	/* Proprietary IKE fragmentation extension. Capabilities are handled
-	 * specially on receipt of this VID. */
+	 * specially on receipt of this VID. Windows peers send this VID
+	 * without capabilities, but accept it with and without capabilities. */
 	{ "FRAGMENTATION", EXT_IKE_FRAGMENTATION, FALSE, 20,
 	  "\x40\x48\xb7\xd5\x6e\xbc\xe8\x85\x25\xe7\xde\x7f\x00\xd6\xc2\xd3\x80\x00\x00\x00"},
 
+	/* Windows peers send this VID and a version number */
+	{ "MS NT5 ISAKMPOAKLEY", EXT_MS_WINDOWS, FALSE, 20,
+	  "\x1e\x2b\x51\x69\x05\x99\x1c\x7d\x7c\x96\xfc\xbf\xb5\x87\xe4\x61\x00\x00\x00\x00"},
+
 }, vendor_natt_ids[] = {
 
 	/* NAT-Traversal VIDs ordered by preference */
@@ -167,15 +172,27 @@ static struct {
  */
 static const u_int32_t fragmentation_ike = 0x80000000;
 
-/**
- * Check if the given vendor ID indicate support for fragmentation
- */
-static bool fragmentation_supported(chunk_t data, int i)
+static bool is_known_vid(chunk_t data, int i)
 {
-	if (vendor_ids[i].extension  == EXT_IKE_FRAGMENTATION &&
-		data.len == 20 && memeq(data.ptr, vendor_ids[i].id, 16))
+	switch (vendor_ids[i].extension)
 	{
-		return untoh32(&data.ptr[16]) & fragmentation_ike;
+		case EXT_IKE_FRAGMENTATION:
+			if (data.len >= 16 && memeq(data.ptr, vendor_ids[i].id, 16))
+			{
+				switch (data.len)
+				{
+					case 16:
+						return TRUE;
+					case 20:
+						return untoh32(&data.ptr[16]) & fragmentation_ike;
+				}
+			}
+			break;
+		case EXT_MS_WINDOWS:
+			return data.len == 20 && memeq(data.ptr, vendor_ids[i].id, 16);
+		default:
+			return chunk_equals(data, chunk_create(vendor_ids[i].id,
+												   vendor_ids[i].len));
 	}
 	return FALSE;
 }
@@ -251,9 +268,7 @@ static void process(private_isakmp_vendor_t *this, message_t *message)
 
 			for (i = 0; i < countof(vendor_ids); i++)
 			{
-				if (chunk_equals(data, chunk_create(vendor_ids[i].id,
-													vendor_ids[i].len)) ||
-					fragmentation_supported(data, i))
+				if (is_known_vid(data, i))
 				{
 					DBG1(DBG_IKE, "received %s vendor ID", vendor_ids[i].desc);
 					if (vendor_ids[i].extension)
diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c
index 8a5d9ae16..2fb4c6935 100644
--- a/src/libcharon/sa/ikev1/tasks/main_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/main_mode.c
@@ -479,6 +479,8 @@ METHOD(task_t, build_r, status_t,
 		{
 			id_payload_t *id_payload;
 			identification_t *id;
+			adopt_children_job_t *job = NULL;
+			xauth_t *xauth = NULL;
 
 			id = this->ph1->get_id(this->ph1, this->peer_cfg, TRUE);
 			if (!id)
@@ -502,8 +504,8 @@ METHOD(task_t, build_r, status_t,
 				case AUTH_XAUTH_INIT_PSK:
 				case AUTH_XAUTH_INIT_RSA:
 				case AUTH_HYBRID_INIT_RSA:
-					this->ike_sa->queue_task(this->ike_sa,
-									(task_t*)xauth_create(this->ike_sa, TRUE));
+					xauth = xauth_create(this->ike_sa, TRUE);
+					this->ike_sa->queue_task(this->ike_sa, (task_t*)xauth);
 					break;
 				case AUTH_XAUTH_RESP_PSK:
 				case AUTH_XAUTH_RESP_RSA:
@@ -522,9 +524,8 @@ METHOD(task_t, build_r, status_t,
 					{
 						return send_notify(this, AUTHENTICATION_FAILED);
 					}
-					lib->processor->queue_job(lib->processor, (job_t*)
-									adopt_children_job_create(
-										this->ike_sa->get_id(this->ike_sa)));
+					job = adopt_children_job_create(
+											this->ike_sa->get_id(this->ike_sa));
 					break;
 			}
 			if (this->ph1->has_virtual_ip(this->ph1, this->peer_cfg))
@@ -539,10 +540,26 @@ METHOD(task_t, build_r, status_t,
 			{
 				if (!this->peer_cfg->use_pull_mode(this->peer_cfg))
 				{
-					this->ike_sa->queue_task(this->ike_sa,
-						(task_t*)mode_config_create(this->ike_sa, TRUE, FALSE));
+					if (job)
+					{
+						job->queue_task(job, (task_t*)
+								mode_config_create(this->ike_sa, TRUE, FALSE));
+					}
+					else if (xauth)
+					{
+						xauth->queue_mode_config_push(xauth);
+					}
+					else
+					{
+						this->ike_sa->queue_task(this->ike_sa, (task_t*)
+								mode_config_create(this->ike_sa, TRUE, FALSE));
+					}
 				}
 			}
+			if (job)
+			{
+				lib->processor->queue_job(lib->processor, (job_t*)job);
+			}
 			return SUCCESS;
 		}
 		default:
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index e6273682d..1133aab65 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -1030,7 +1030,8 @@ METHOD(task_t, process_r, status_t,
 			}
 			tsi->destroy_offset(tsi, offsetof(traffic_selector_t, destroy));
 			tsr->destroy_offset(tsr, offsetof(traffic_selector_t, destroy));
-			if (!this->config || !this->tsi || !this->tsr)
+			if (!this->config || !this->tsi || !this->tsr ||
+				this->mode != this->config->get_mode(this->config))
 			{
 				DBG1(DBG_IKE, "no matching CHILD_SA config found");
 				return send_notify(this, INVALID_ID_INFORMATION);
@@ -1117,11 +1118,22 @@ METHOD(task_t, process_r, status_t,
 		}
 		case QM_NEGOTIATED:
 		{
-			if (message->get_exchange_type(message) == INFORMATIONAL_V1 ||
-				has_notify_errors(this, message))
+			if (has_notify_errors(this, message))
 			{
 				return SUCCESS;
 			}
+			if (message->get_exchange_type(message) == INFORMATIONAL_V1)
+			{
+				if (message->get_payload(message, PLV1_DELETE))
+				{
+					/* If the DELETE for a Quick Mode follows immediately
+					 * after rekeying, we might receive it before the
+					 * third completing Quick Mode message. Ignore it, as
+					 * it gets handled by a separately queued delete task. */
+					return NEED_MORE;
+				}
+				return SUCCESS;
+			}
 			if (!install(this))
 			{
 				ike_sa_t *ike_sa = this->ike_sa;
@@ -1198,6 +1210,14 @@ METHOD(task_t, build_r, status_t,
 			this->state = QM_NEGOTIATED;
 			return NEED_MORE;
 		}
+		case QM_NEGOTIATED:
+			if (message->get_exchange_type(message) == INFORMATIONAL_V1)
+			{
+				/* skip INFORMATIONAL response if we received a INFORMATIONAL
+				 * delete, see process_r() */
+				return ALREADY_DONE;
+			}
+			/* fall */
 		default:
 			return FAILED;
 	}
diff --git a/src/libcharon/sa/ikev1/tasks/xauth.c b/src/libcharon/sa/ikev1/tasks/xauth.c
index bdc5d67f7..a770e90ff 100644
--- a/src/libcharon/sa/ikev1/tasks/xauth.c
+++ b/src/libcharon/sa/ikev1/tasks/xauth.c
@@ -19,6 +19,7 @@
 #include <hydra.h>
 #include <encoding/payloads/cp_payload.h>
 #include <processing/jobs/adopt_children_job.h>
+#include <sa/ikev1/tasks/mode_config.h>
 
 typedef struct private_xauth_t private_xauth_t;
 
@@ -74,6 +75,11 @@ struct private_xauth_t {
 	 * status of Xauth exchange
 	 */
 	xauth_status_t status;
+
+	/**
+	 * Queue a Mode Config Push mode after completing XAuth?
+	 */
+	bool mode_config_push;
 };
 
 /**
@@ -290,6 +296,7 @@ METHOD(task_t, process_i_status, status_t,
 	private_xauth_t *this, message_t *message)
 {
 	cp_payload_t *cp;
+	adopt_children_job_t *job;
 
 	cp = (cp_payload_t*)message->get_payload(message, PLV1_CONFIGURATION);
 	if (!cp || cp->get_type(cp) != CFG_ACK)
@@ -307,8 +314,13 @@ METHOD(task_t, process_i_status, status_t,
 		return FAILED;
 	}
 	this->ike_sa->set_condition(this->ike_sa, COND_XAUTH_AUTHENTICATED, TRUE);
-	lib->processor->queue_job(lib->processor, (job_t*)
-				adopt_children_job_create(this->ike_sa->get_id(this->ike_sa)));
+	job = adopt_children_job_create(this->ike_sa->get_id(this->ike_sa));
+	if (this->mode_config_push)
+	{
+		job->queue_task(job,
+				(task_t*)mode_config_create(this->ike_sa, TRUE, FALSE));
+	}
+	lib->processor->queue_job(lib->processor, (job_t*)job);
 	return SUCCESS;
 }
 
@@ -511,6 +523,12 @@ METHOD(task_t, migrate, void,
 	}
 }
 
+METHOD(xauth_t, queue_mode_config_push, void,
+	private_xauth_t *this)
+{
+	this->mode_config_push = TRUE;
+}
+
 METHOD(task_t, destroy, void,
 	private_xauth_t *this)
 {
@@ -533,6 +551,7 @@ xauth_t *xauth_create(ike_sa_t *ike_sa, bool initiator)
 				.migrate = _migrate,
 				.destroy = _destroy,
 			},
+			.queue_mode_config_push = _queue_mode_config_push,
 		},
 		.initiator = initiator,
 		.ike_sa = ike_sa,
diff --git a/src/libcharon/sa/ikev1/tasks/xauth.h b/src/libcharon/sa/ikev1/tasks/xauth.h
index 303eb31ce..ffaf32a32 100644
--- a/src/libcharon/sa/ikev1/tasks/xauth.h
+++ b/src/libcharon/sa/ikev1/tasks/xauth.h
@@ -36,6 +36,11 @@ struct xauth_t {
 	 * Implements the task_t interface
 	 */
 	task_t task;
+
+	/**
+	 * Queue a Mode Config in Push mode after completing XAuth.
+	 */
+	void (*queue_mode_config_push)(xauth_t *this);
 };
 
 /**