diff options
author | Yves-Alexis Perez <corsac@debian.org> | 2018-09-24 15:11:14 +0200 |
---|---|---|
committer | Yves-Alexis Perez <corsac@debian.org> | 2018-09-24 15:11:14 +0200 |
commit | e0e280b7669435b991b7e457abd8aa450930b3e8 (patch) | |
tree | 3e6084f13b14ad2df104e2ce6e589eb96c5f7ac9 /src/libcharon/sa/ikev1 | |
parent | 51a71ee15c1bcf0e82f363a16898f571e211f9c3 (diff) | |
download | vyos-strongswan-e0e280b7669435b991b7e457abd8aa450930b3e8.tar.gz vyos-strongswan-e0e280b7669435b991b7e457abd8aa450930b3e8.zip |
New upstream version 5.7.0
Diffstat (limited to 'src/libcharon/sa/ikev1')
-rw-r--r-- | src/libcharon/sa/ikev1/keymat_v1.c | 1 | ||||
-rw-r--r-- | src/libcharon/sa/ikev1/phase1.c | 2 | ||||
-rw-r--r-- | src/libcharon/sa/ikev1/task_manager_v1.c | 8 | ||||
-rw-r--r-- | src/libcharon/sa/ikev1/tasks/aggressive_mode.c | 22 | ||||
-rw-r--r-- | src/libcharon/sa/ikev1/tasks/isakmp_vendor.c | 2 | ||||
-rw-r--r-- | src/libcharon/sa/ikev1/tasks/main_mode.c | 21 | ||||
-rw-r--r-- | src/libcharon/sa/ikev1/tasks/mode_config.c | 1 | ||||
-rw-r--r-- | src/libcharon/sa/ikev1/tasks/quick_mode.c | 2 | ||||
-rw-r--r-- | src/libcharon/sa/ikev1/tasks/xauth.c | 2 |
9 files changed, 32 insertions, 29 deletions
diff --git a/src/libcharon/sa/ikev1/keymat_v1.c b/src/libcharon/sa/ikev1/keymat_v1.c index 1de05b4ec..bcea1f388 100644 --- a/src/libcharon/sa/ikev1/keymat_v1.c +++ b/src/libcharon/sa/ikev1/keymat_v1.c @@ -219,7 +219,6 @@ static aead_t *create_aead(proposal_t *proposal, prf_t *prf, chunk_t skeyid_e, encryption_algorithm_names, alg, key_size); return NULL; } - key_size = crypter->get_key_size(crypter); if (!expand_skeyid_e(skeyid_e, crypter->get_key_size(crypter), prf, ka)) { return NULL; diff --git a/src/libcharon/sa/ikev1/phase1.c b/src/libcharon/sa/ikev1/phase1.c index 5856f829e..b99d75142 100644 --- a/src/libcharon/sa/ikev1/phase1.c +++ b/src/libcharon/sa/ikev1/phase1.c @@ -311,7 +311,7 @@ static void save_auth_cfg(private_phase1_t *this, return; } auth = auth_cfg_create(); - /* for local config, we _copy_ entires from the config, as it contains + /* for local config, we _copy_ entries from the config, as it contains * certificates we must send later. */ auth->merge(auth, this->ike_sa->get_auth_cfg(this->ike_sa, local), local); this->ike_sa->add_auth_cfg(this->ike_sa, local, auth); diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c index 3472d2c35..5f6c3bbe8 100644 --- a/src/libcharon/sa/ikev1/task_manager_v1.c +++ b/src/libcharon/sa/ikev1/task_manager_v1.c @@ -721,6 +721,7 @@ METHOD(task_manager_t, initiate, status_t, { case IKE_CONNECTING: /* close after sending an INFORMATIONAL when unestablished */ + charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); return FAILED; case IKE_DELETING: /* close after sending a DELETE */ @@ -920,15 +921,16 @@ static bool process_dpd(private_task_manager_t *this, message_t *message) } else /* DPD_R_U_THERE_ACK */ { - if (seq == this->dpd_send - 1) + if (seq == this->dpd_send) { + this->dpd_send++; this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND, time_monotonic(NULL)); } else { DBG1(DBG_IKE, "received invalid DPD sequence number %u " - "(expected %u), ignored", seq, this->dpd_send - 1); + "(expected %u), ignored", seq, this->dpd_send); } } return TRUE; @@ -1843,7 +1845,7 @@ METHOD(task_manager_t, queue_dpd, void, uint32_t t, retransmit; queue_task(this, (task_t*)isakmp_dpd_create(this->ike_sa, DPD_R_U_THERE, - this->dpd_send++)); + this->dpd_send)); peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); /* compute timeout in milliseconds */ diff --git a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c index 82d647a6c..023119dd4 100644 --- a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c +++ b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c @@ -270,11 +270,6 @@ METHOD(task_t, build_i, status_t, return FAILED; } id = this->ph1->get_id(this->ph1, this->peer_cfg, TRUE); - if (!id) - { - DBG1(DBG_CFG, "own identity not known"); - return FAILED; - } this->ike_sa->set_my_id(this->ike_sa, id->clone(id)); id_payload = id_payload_create_from_identification(PLV1_ID, id); this->id_data = id_payload->get_encoded(id_payload); @@ -302,6 +297,7 @@ METHOD(task_t, build_i, status_t, this->id_data)) { this->id_data = chunk_empty; + charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED); return send_notify(this, AUTHENTICATION_FAILED); } this->id_data = chunk_empty; @@ -330,6 +326,7 @@ METHOD(task_t, build_i, status_t, } if (!establish(this)) { + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_notify(this, AUTHENTICATION_FAILED); } break; @@ -428,6 +425,7 @@ METHOD(task_t, process_r, status_t, { DBG1(DBG_IKE, "Aggressive Mode PSK disabled for " "security reasons"); + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_notify(this, AUTHENTICATION_FAILED); } break; @@ -455,6 +453,7 @@ METHOD(task_t, process_r, status_t, if (!id_payload) { DBG1(DBG_IKE, "IDii payload missing"); + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_notify(this, INVALID_PAYLOAD_TYPE); } @@ -465,6 +464,7 @@ METHOD(task_t, process_r, status_t, this->method, TRUE, id); if (!this->peer_cfg) { + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_notify(this, AUTHENTICATION_FAILED); } this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg); @@ -493,6 +493,7 @@ METHOD(task_t, process_r, status_t, this->method, TRUE, NULL); if (!this->peer_cfg) { + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_delete(this); } this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg); @@ -502,6 +503,7 @@ METHOD(task_t, process_r, status_t, { DBG1(DBG_IKE, "Aggressive Mode authorization hook forbids " "IKE_SA, cancelling"); + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_delete(this); } @@ -528,6 +530,7 @@ METHOD(task_t, process_r, status_t, } if (!establish(this)) { + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_delete(this); } job = adopt_children_job_create( @@ -602,11 +605,6 @@ METHOD(task_t, build_r, status_t, } id = this->ph1->get_id(this->ph1, this->peer_cfg, TRUE); - if (!id) - { - DBG1(DBG_CFG, "own identity not known"); - return send_notify(this, INVALID_ID_INFORMATION); - } this->ike_sa->set_my_id(this->ike_sa, id->clone(id)); id_payload = id_payload_create_from_identification(PLV1_ID, id); @@ -615,6 +613,7 @@ METHOD(task_t, build_r, status_t, if (!this->ph1->build_auth(this->ph1, this->method, message, id_payload->get_encoded(id_payload))) { + charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED); return send_notify(this, AUTHENTICATION_FAILED); } return NEED_MORE; @@ -679,6 +678,7 @@ METHOD(task_t, process_i, status_t, if (!id_payload) { DBG1(DBG_IKE, "IDir payload missing"); + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_delete(this); } id = id_payload->get_identification(id_payload); @@ -687,6 +687,7 @@ METHOD(task_t, process_i, status_t, { DBG1(DBG_IKE, "IDir '%Y' does not match to '%Y'", id, cid); id->destroy(id); + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_notify(this, INVALID_ID_INFORMATION); } this->ike_sa->set_other_id(this->ike_sa, id); @@ -698,6 +699,7 @@ METHOD(task_t, process_i, status_t, if (!this->ph1->verify_auth(this->ph1, this->method, message, id_payload->get_encoded(id_payload))) { + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_notify(this, AUTHENTICATION_FAILED); } if (!charon->bus->authorize(charon->bus, FALSE)) diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c index 6a296f221..b26a11bb4 100644 --- a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c +++ b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c @@ -59,7 +59,7 @@ struct private_isakmp_vendor_t { ike_sa_t *ike_sa; /** - * Are we the inititator of this task + * Are we the initiator of this task */ bool initiator; diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c index 1f764e547..b60c84992 100644 --- a/src/libcharon/sa/ikev1/tasks/main_mode.c +++ b/src/libcharon/sa/ikev1/tasks/main_mode.c @@ -332,11 +332,6 @@ METHOD(task_t, build_i, status_t, identification_t *id; id = this->ph1->get_id(this->ph1, this->peer_cfg, TRUE); - if (!id) - { - DBG1(DBG_CFG, "own identity not known"); - return send_notify(this, INVALID_ID_INFORMATION); - } this->ike_sa->set_my_id(this->ike_sa, id->clone(id)); id_payload = id_payload_create_from_identification(PLV1_ID, id); message->add_payload(message, &id_payload->payload_interface); @@ -344,6 +339,7 @@ METHOD(task_t, build_i, status_t, if (!this->ph1->build_auth(this->ph1, this->method, message, id_payload->get_encoded(id_payload))) { + charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED); return send_notify(this, AUTHENTICATION_FAILED); } @@ -445,6 +441,7 @@ METHOD(task_t, process_r, status_t, if (!id_payload) { DBG1(DBG_IKE, "IDii payload missing"); + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_notify(this, INVALID_PAYLOAD_TYPE); } id = id_payload->get_identification(id_payload); @@ -457,6 +454,7 @@ METHOD(task_t, process_r, status_t, this->method, FALSE, id); if (!this->peer_cfg) { + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_notify(this, AUTHENTICATION_FAILED); } this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg); @@ -472,6 +470,7 @@ METHOD(task_t, process_r, status_t, { DBG1(DBG_IKE, "Main Mode authorization hook forbids IKE_SA, " "cancelling"); + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_notify(this, AUTHENTICATION_FAILED); } @@ -523,11 +522,6 @@ METHOD(task_t, build_r, status_t, xauth_t *xauth = NULL; id = this->ph1->get_id(this->ph1, this->peer_cfg, TRUE); - if (!id) - { - DBG1(DBG_CFG, "own identity not known"); - return send_notify(this, INVALID_ID_INFORMATION); - } this->ike_sa->set_my_id(this->ike_sa, id->clone(id)); id_payload = id_payload_create_from_identification(PLV1_ID, id); @@ -536,6 +530,7 @@ METHOD(task_t, build_r, status_t, if (!this->ph1->build_auth(this->ph1, this->method, message, id_payload->get_encoded(id_payload))) { + charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED); return send_notify(this, AUTHENTICATION_FAILED); } @@ -562,6 +557,7 @@ METHOD(task_t, build_r, status_t, } if (!establish(this)) { + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_notify(this, AUTHENTICATION_FAILED); } job = adopt_children_job_create( @@ -688,6 +684,7 @@ METHOD(task_t, process_i, status_t, if (!id_payload) { DBG1(DBG_IKE, "IDir payload missing"); + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_delete(this); } id = id_payload->get_identification(id_payload); @@ -696,6 +693,7 @@ METHOD(task_t, process_i, status_t, { DBG1(DBG_IKE, "IDir '%Y' does not match to '%Y'", id, cid); id->destroy(id); + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_delete(this); } this->ike_sa->set_other_id(this->ike_sa, id); @@ -703,12 +701,14 @@ METHOD(task_t, process_i, status_t, if (!this->ph1->verify_auth(this->ph1, this->method, message, id_payload->get_encoded(id_payload))) { + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_delete(this); } if (!charon->bus->authorize(charon->bus, FALSE)) { DBG1(DBG_IKE, "Main Mode authorization hook forbids IKE_SA, " "cancelling"); + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_delete(this); } @@ -736,6 +736,7 @@ METHOD(task_t, process_i, status_t, } if (!establish(this)) { + charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return send_delete(this); } break; diff --git a/src/libcharon/sa/ikev1/tasks/mode_config.c b/src/libcharon/sa/ikev1/tasks/mode_config.c index 43897c304..9b692588d 100644 --- a/src/libcharon/sa/ikev1/tasks/mode_config.c +++ b/src/libcharon/sa/ikev1/tasks/mode_config.c @@ -583,7 +583,6 @@ static status_t build_ack(private_mode_config_t *this, message_t *message) enumerator = this->vips->create_enumerator(this->vips); while (enumerator->enumerate(enumerator, &host)) { - type = INTERNAL_IP6_ADDRESS; if (host->get_family(host) == AF_INET6) { type = INTERNAL_IP6_ADDRESS; diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c index 5e5b61e7f..007e94d96 100644 --- a/src/libcharon/sa/ikev1/tasks/quick_mode.c +++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c @@ -544,7 +544,7 @@ static traffic_selector_t* select_ts(private_quick_mode_t *this, bool local, hosts = get_dynamic_hosts(this->ike_sa, local); list = this->config->get_traffic_selectors(this->config, - local, supplied, hosts); + local, supplied, hosts, TRUE); hosts->destroy(hosts); if (list->get_first(list, (void**)&ts) == SUCCESS) { diff --git a/src/libcharon/sa/ikev1/tasks/xauth.c b/src/libcharon/sa/ikev1/tasks/xauth.c index 968b4386c..bec2cfe7d 100644 --- a/src/libcharon/sa/ikev1/tasks/xauth.c +++ b/src/libcharon/sa/ikev1/tasks/xauth.c @@ -226,7 +226,7 @@ static bool select_compliant_config(private_xauth_t *this) { /* current config is fine */ return TRUE; } - DBG1(DBG_CFG, "selected peer config '%s' inacceptable", + DBG1(DBG_CFG, "selected peer config '%s' unacceptable", old->get_name(old)); aggressive = old->use_aggressive(old); |