Imported Upstream version 5.0.3

author: Yves-Alexis Perez <corsac@debian.org> 2013-04-26 14:57:47 +0200
committer: Yves-Alexis Perez <corsac@debian.org> 2013-04-26 14:57:47 +0200
commit: 10e5fb2b9b2f27c83b3e5a1d048b158d5cf42a43 (patch)
tree: bf1d05a2e37dbd1911b86fcc026fbe49b0239c71 /src/libcharon/sa/ikev1/tasks
parent: 7585facf05d927eb6df3929ce09ed5e60d905437 (diff)
download: vyos-strongswan-10e5fb2b9b2f27c83b3e5a1d048b158d5cf42a43.tar.gz
vyos-strongswan-10e5fb2b9b2f27c83b3e5a1d048b158d5cf42a43.zip
5 files changed, 92 insertions, 56 deletions
diff --git a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
index 7336d5d64..6b00706bf 100644
--- a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
@@ -30,6 +30,7 @@
 #include <sa/ikev1/tasks/informational.h>
 #include <sa/ikev1/tasks/isakmp_delete.h>
 #include <processing/jobs/adopt_children_job.h>
+#include <processing/jobs/delete_ike_sa_job.h>
 
 typedef struct private_aggressive_mode_t private_aggressive_mode_t;
 
@@ -299,8 +300,14 @@ METHOD(task_t, build_i, status_t,
 				case AUTH_XAUTH_INIT_PSK:
 				case AUTH_XAUTH_INIT_RSA:
 				case AUTH_HYBRID_INIT_RSA:
-					/* wait for XAUTH request */
+				{	/* wait for XAUTH request, since this may never come,
+					 * we queue a timeout */
+					job_t *job = (job_t*)delete_ike_sa_job_create(
+									this->ike_sa->get_id(this->ike_sa), FALSE);
+					lib->scheduler->schedule_job(lib->scheduler, job,
+												 HALF_OPEN_IKE_SA_TIMEOUT);
 					break;
+				}
 				case AUTH_XAUTH_RESP_PSK:
 				case AUTH_XAUTH_RESP_RSA:
 				case AUTH_HYBRID_RESP_RSA:
diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c
index bc9d4bbc3..441bd7a78 100644
--- a/src/libcharon/sa/ikev1/tasks/main_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/main_mode.c
@@ -30,6 +30,7 @@
 #include <sa/ikev1/tasks/informational.h>
 #include <sa/ikev1/tasks/isakmp_delete.h>
 #include <processing/jobs/adopt_children_job.h>
+#include <processing/jobs/delete_ike_sa_job.h>
 
 typedef struct private_main_mode_t private_main_mode_t;
 
@@ -638,8 +639,14 @@ METHOD(task_t, process_i, status_t,
 				case AUTH_XAUTH_INIT_PSK:
 				case AUTH_XAUTH_INIT_RSA:
 				case AUTH_HYBRID_INIT_RSA:
-					/* wait for XAUTH request */
+				{	/* wait for XAUTH request, since this may never come,
+					 * we queue a timeout */
+					job_t *job = (job_t*)delete_ike_sa_job_create(
+									this->ike_sa->get_id(this->ike_sa), FALSE);
+					lib->scheduler->schedule_job(lib->scheduler, job,
+												 HALF_OPEN_IKE_SA_TIMEOUT);
 					break;
+				}
 				case AUTH_XAUTH_RESP_PSK:
 				case AUTH_XAUTH_RESP_RSA:
 				case AUTH_HYBRID_RESP_RSA:
diff --git a/src/libcharon/sa/ikev1/tasks/quick_delete.c b/src/libcharon/sa/ikev1/tasks/quick_delete.c
index db48bc58e..e9f06cbe3 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_delete.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_delete.c
@@ -97,8 +97,8 @@ static bool delete_child(private_quick_delete_t *this,
 	}
 	else
 	{
-		child_sa->get_usestats(child_sa, TRUE, NULL, &bytes_in);
-		child_sa->get_usestats(child_sa, FALSE, NULL, &bytes_out);
+		child_sa->get_usestats(child_sa, TRUE, NULL, &bytes_in, NULL);
+		child_sa->get_usestats(child_sa, FALSE, NULL, &bytes_out, NULL);
 
 		DBG0(DBG_IKE, "closing CHILD_SA %s{%d} with SPIs "
 			 "%.8x_i (%llu bytes) %.8x_o (%llu bytes) and TS %#R=== %#R",
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index 1eae6aa93..7a0fb5788 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -576,12 +576,12 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
 	if (!tsi)
 	{
 		tsi = traffic_selector_create_from_subnet(hsi->clone(hsi),
-							hsi->get_family(hsi) == AF_INET ? 32 : 128, 0, 0);
+					hsi->get_family(hsi) == AF_INET ? 32 : 128, 0, 0, 65535);
 	}
 	if (!tsr)
 	{
 		tsr = traffic_selector_create_from_subnet(hsr->clone(hsr),
-							hsr->get_family(hsr) == AF_INET ? 32 : 128, 0, 0);
+					hsr->get_family(hsr) == AF_INET ? 32 : 128, 0, 0, 65535);
 	}
 	if (this->mode == MODE_TRANSPORT && this->udp &&
 	   (!tsi->is_host(tsi, hsi) || !tsr->is_host(tsr, hsr)))
@@ -594,20 +594,27 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
 
 	if (this->initiator)
 	{
+		traffic_selector_t *tsisub, *tsrsub;
+
 		/* check if peer selection is valid */
-		if (!tsr->is_contained_in(tsr, this->tsr) ||
-			!tsi->is_contained_in(tsi, this->tsi))
+		tsisub = this->tsi->get_subset(this->tsi, tsi);
+		tsrsub = this->tsr->get_subset(this->tsr, tsr);
+		if (!tsisub || !tsrsub)
 		{
 			DBG1(DBG_IKE, "peer selected invalid traffic selectors: "
 				 "%R for %R, %R for %R", tsi, this->tsi, tsr, this->tsr);
+			DESTROY_IF(tsisub);
+			DESTROY_IF(tsrsub);
 			tsi->destroy(tsi);
 			tsr->destroy(tsr);
 			return FALSE;
 		}
+		tsi->destroy(tsi);
+		tsr->destroy(tsr);
 		this->tsi->destroy(this->tsi);
 		this->tsr->destroy(this->tsr);
-		this->tsi = tsi;
-		this->tsr = tsr;
+		this->tsi = tsisub;
+		this->tsr = tsrsub;
 	}
 	else
 	{
@@ -914,30 +921,37 @@ static void check_for_rekeyed_child(private_quick_mode_t *this)
 	enumerator_t *enumerator, *policies;
 	traffic_selector_t *local, *remote;
 	child_sa_t *child_sa;
+	proposal_t *proposal;
+	char *name;
 
+	name = this->config->get_name(this->config);
 	enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
 	while (this->reqid == 0 && enumerator->enumerate(enumerator, &child_sa))
 	{
-		if (child_sa->get_state(child_sa) == CHILD_INSTALLED &&
-			streq(child_sa->get_name(child_sa),
-				  this->config->get_name(this->config)))
+		if (streq(child_sa->get_name(child_sa), name))
 		{
-			policies = child_sa->create_policy_enumerator(child_sa);
-			if (policies->enumerate(policies, &local, &remote))
+			proposal = child_sa->get_proposal(child_sa);
+			switch (child_sa->get_state(child_sa))
 			{
-				if (local->equals(local, this->tsr) &&
-					remote->equals(remote, this->tsi) &&
-					this->proposal->equals(this->proposal,
-										   child_sa->get_proposal(child_sa)))
-				{
-					this->reqid = child_sa->get_reqid(child_sa);
-					this->rekey = child_sa->get_spi(child_sa, TRUE);
-					child_sa->set_state(child_sa, CHILD_REKEYING);
-					DBG1(DBG_IKE, "detected rekeying of CHILD_SA %s{%u}",
-						 child_sa->get_name(child_sa), this->reqid);
-				}
+				case CHILD_INSTALLED:
+				case CHILD_REKEYING:
+					policies = child_sa->create_policy_enumerator(child_sa);
+					if (policies->enumerate(policies, &local, &remote) &&
+						local->equals(local, this->tsr) &&
+						remote->equals(remote, this->tsi) &&
+						this->proposal->equals(this->proposal, proposal))
+					{
+						this->reqid = child_sa->get_reqid(child_sa);
+						this->rekey = child_sa->get_spi(child_sa, TRUE);
+						child_sa->set_state(child_sa, CHILD_REKEYING);
+						DBG1(DBG_IKE, "detected rekeying of CHILD_SA %s{%u}",
+							 child_sa->get_name(child_sa), this->reqid);
+					}
+					policies->destroy(policies);
+				break;
+			default:
+				break;
 			}
-			policies->destroy(policies);
 		}
 	}
 	enumerator->destroy(enumerator);
diff --git a/src/libcharon/sa/ikev1/tasks/xauth.c b/src/libcharon/sa/ikev1/tasks/xauth.c
index 10bea5636..31114e592 100644
--- a/src/libcharon/sa/ikev1/tasks/xauth.c
+++ b/src/libcharon/sa/ikev1/tasks/xauth.c
@@ -286,21 +286,55 @@ METHOD(task_t, build_i_status, status_t,
 	return NEED_MORE;
 }
 
+METHOD(task_t, process_i_status, status_t,
+	private_xauth_t *this, message_t *message)
+{
+	cp_payload_t *cp;
+
+	cp = (cp_payload_t*)message->get_payload(message, CONFIGURATION_V1);
+	if (!cp || cp->get_type(cp) != CFG_ACK)
+	{
+		DBG1(DBG_IKE, "received invalid XAUTH status response");
+		return FAILED;
+	}
+	if (this->status != XAUTH_OK)
+	{
+		DBG1(DBG_IKE, "destroying IKE_SA after failed XAuth authentication");
+		return FAILED;
+	}
+	if (!establish(this))
+	{
+		return FAILED;
+	}
+	this->ike_sa->set_condition(this->ike_sa, COND_XAUTH_AUTHENTICATED, TRUE);
+	lib->processor->queue_job(lib->processor, (job_t*)
+				adopt_children_job_create(this->ike_sa->get_id(this->ike_sa)));
+	return SUCCESS;
+}
+
 METHOD(task_t, build_i, status_t,
 	private_xauth_t *this, message_t *message)
 {
 	if (!this->xauth)
 	{
-		cp_payload_t *cp;
+		cp_payload_t *cp = NULL;
 
 		this->xauth = load_method(this);
 		if (!this->xauth)
 		{
 			return FAILED;
 		}
-		if (this->xauth->initiate(this->xauth, &cp) != NEED_MORE)
+		switch (this->xauth->initiate(this->xauth, &cp))
 		{
-			return FAILED;
+			case NEED_MORE:
+				break;
+			case SUCCESS:
+				DESTROY_IF(cp);
+				this->status = XAUTH_OK;
+				this->public.task.process = _process_i_status;
+				return build_i_status(this, message);
+			default:
+				return FAILED;
 		}
 		message->add_payload(message, (payload_t *)cp);
 		return NEED_MORE;
@@ -411,32 +445,6 @@ METHOD(task_t, build_r, status_t,
 	return NEED_MORE;
 }
 
-METHOD(task_t, process_i_status, status_t,
-	private_xauth_t *this, message_t *message)
-{
-	cp_payload_t *cp;
-
-	cp = (cp_payload_t*)message->get_payload(message, CONFIGURATION_V1);
-	if (!cp || cp->get_type(cp) != CFG_ACK)
-	{
-		DBG1(DBG_IKE, "received invalid XAUTH status response");
-		return FAILED;
-	}
-	if (this->status != XAUTH_OK)
-	{
-		DBG1(DBG_IKE, "destroying IKE_SA after failed XAuth authentication");
-		return FAILED;
-	}
-	if (!establish(this))
-	{
-		return FAILED;
-	}
-	this->ike_sa->set_condition(this->ike_sa, COND_XAUTH_AUTHENTICATED, TRUE);
-	lib->processor->queue_job(lib->processor, (job_t*)
-				adopt_children_job_create(this->ike_sa->get_id(this->ike_sa)));
-	return SUCCESS;
-}
-
 METHOD(task_t, process_i, status_t,
 	private_xauth_t *this, message_t *message)
 {
author	Yves-Alexis Perez <corsac@debian.org>	2013-04-26 14:57:47 +0200
committer	Yves-Alexis Perez <corsac@debian.org>	2013-04-26 14:57:47 +0200
commit	10e5fb2b9b2f27c83b3e5a1d048b158d5cf42a43 (patch)
tree	bf1d05a2e37dbd1911b86fcc026fbe49b0239c71 /src/libcharon/sa/ikev1/tasks
parent	7585facf05d927eb6df3929ce09ed5e60d905437 (diff)
download	vyos-strongswan-10e5fb2b9b2f27c83b3e5a1d048b158d5cf42a43.tar.gz vyos-strongswan-10e5fb2b9b2f27c83b3e5a1d048b158d5cf42a43.zip