summaryrefslogtreecommitdiff
path: root/src/libcharon/sa/ikev1
diff options
context:
space:
mode:
authorYves-Alexis Perez <corsac@debian.org>2018-09-24 15:11:14 +0200
committerYves-Alexis Perez <corsac@debian.org>2018-09-24 15:11:14 +0200
commite0e280b7669435b991b7e457abd8aa450930b3e8 (patch)
tree3e6084f13b14ad2df104e2ce6e589eb96c5f7ac9 /src/libcharon/sa/ikev1
parent51a71ee15c1bcf0e82f363a16898f571e211f9c3 (diff)
downloadvyos-strongswan-e0e280b7669435b991b7e457abd8aa450930b3e8.tar.gz
vyos-strongswan-e0e280b7669435b991b7e457abd8aa450930b3e8.zip
New upstream version 5.7.0
Diffstat (limited to 'src/libcharon/sa/ikev1')
-rw-r--r--src/libcharon/sa/ikev1/keymat_v1.c1
-rw-r--r--src/libcharon/sa/ikev1/phase1.c2
-rw-r--r--src/libcharon/sa/ikev1/task_manager_v1.c8
-rw-r--r--src/libcharon/sa/ikev1/tasks/aggressive_mode.c22
-rw-r--r--src/libcharon/sa/ikev1/tasks/isakmp_vendor.c2
-rw-r--r--src/libcharon/sa/ikev1/tasks/main_mode.c21
-rw-r--r--src/libcharon/sa/ikev1/tasks/mode_config.c1
-rw-r--r--src/libcharon/sa/ikev1/tasks/quick_mode.c2
-rw-r--r--src/libcharon/sa/ikev1/tasks/xauth.c2
9 files changed, 32 insertions, 29 deletions
diff --git a/src/libcharon/sa/ikev1/keymat_v1.c b/src/libcharon/sa/ikev1/keymat_v1.c
index 1de05b4ec..bcea1f388 100644
--- a/src/libcharon/sa/ikev1/keymat_v1.c
+++ b/src/libcharon/sa/ikev1/keymat_v1.c
@@ -219,7 +219,6 @@ static aead_t *create_aead(proposal_t *proposal, prf_t *prf, chunk_t skeyid_e,
encryption_algorithm_names, alg, key_size);
return NULL;
}
- key_size = crypter->get_key_size(crypter);
if (!expand_skeyid_e(skeyid_e, crypter->get_key_size(crypter), prf, ka))
{
return NULL;
diff --git a/src/libcharon/sa/ikev1/phase1.c b/src/libcharon/sa/ikev1/phase1.c
index 5856f829e..b99d75142 100644
--- a/src/libcharon/sa/ikev1/phase1.c
+++ b/src/libcharon/sa/ikev1/phase1.c
@@ -311,7 +311,7 @@ static void save_auth_cfg(private_phase1_t *this,
return;
}
auth = auth_cfg_create();
- /* for local config, we _copy_ entires from the config, as it contains
+ /* for local config, we _copy_ entries from the config, as it contains
* certificates we must send later. */
auth->merge(auth, this->ike_sa->get_auth_cfg(this->ike_sa, local), local);
this->ike_sa->add_auth_cfg(this->ike_sa, local, auth);
diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c
index 3472d2c35..5f6c3bbe8 100644
--- a/src/libcharon/sa/ikev1/task_manager_v1.c
+++ b/src/libcharon/sa/ikev1/task_manager_v1.c
@@ -721,6 +721,7 @@ METHOD(task_manager_t, initiate, status_t,
{
case IKE_CONNECTING:
/* close after sending an INFORMATIONAL when unestablished */
+ charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
return FAILED;
case IKE_DELETING:
/* close after sending a DELETE */
@@ -920,15 +921,16 @@ static bool process_dpd(private_task_manager_t *this, message_t *message)
}
else /* DPD_R_U_THERE_ACK */
{
- if (seq == this->dpd_send - 1)
+ if (seq == this->dpd_send)
{
+ this->dpd_send++;
this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
time_monotonic(NULL));
}
else
{
DBG1(DBG_IKE, "received invalid DPD sequence number %u "
- "(expected %u), ignored", seq, this->dpd_send - 1);
+ "(expected %u), ignored", seq, this->dpd_send);
}
}
return TRUE;
@@ -1843,7 +1845,7 @@ METHOD(task_manager_t, queue_dpd, void,
uint32_t t, retransmit;
queue_task(this, (task_t*)isakmp_dpd_create(this->ike_sa, DPD_R_U_THERE,
- this->dpd_send++));
+ this->dpd_send));
peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
/* compute timeout in milliseconds */
diff --git a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
index 82d647a6c..023119dd4 100644
--- a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
@@ -270,11 +270,6 @@ METHOD(task_t, build_i, status_t,
return FAILED;
}
id = this->ph1->get_id(this->ph1, this->peer_cfg, TRUE);
- if (!id)
- {
- DBG1(DBG_CFG, "own identity not known");
- return FAILED;
- }
this->ike_sa->set_my_id(this->ike_sa, id->clone(id));
id_payload = id_payload_create_from_identification(PLV1_ID, id);
this->id_data = id_payload->get_encoded(id_payload);
@@ -302,6 +297,7 @@ METHOD(task_t, build_i, status_t,
this->id_data))
{
this->id_data = chunk_empty;
+ charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED);
return send_notify(this, AUTHENTICATION_FAILED);
}
this->id_data = chunk_empty;
@@ -330,6 +326,7 @@ METHOD(task_t, build_i, status_t,
}
if (!establish(this))
{
+ charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
return send_notify(this, AUTHENTICATION_FAILED);
}
break;
@@ -428,6 +425,7 @@ METHOD(task_t, process_r, status_t,
{
DBG1(DBG_IKE, "Aggressive Mode PSK disabled for "
"security reasons");
+ charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
return send_notify(this, AUTHENTICATION_FAILED);
}
break;
@@ -455,6 +453,7 @@ METHOD(task_t, process_r, status_t,
if (!id_payload)
{
DBG1(DBG_IKE, "IDii payload missing");
+ charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
return send_notify(this, INVALID_PAYLOAD_TYPE);
}
@@ -465,6 +464,7 @@ METHOD(task_t, process_r, status_t,
this->method, TRUE, id);
if (!this->peer_cfg)
{
+ charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
return send_notify(this, AUTHENTICATION_FAILED);
}
this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
@@ -493,6 +493,7 @@ METHOD(task_t, process_r, status_t,
this->method, TRUE, NULL);
if (!this->peer_cfg)
{
+ charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
return send_delete(this);
}
this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
@@ -502,6 +503,7 @@ METHOD(task_t, process_r, status_t,
{
DBG1(DBG_IKE, "Aggressive Mode authorization hook forbids "
"IKE_SA, cancelling");
+ charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
return send_delete(this);
}
@@ -528,6 +530,7 @@ METHOD(task_t, process_r, status_t,
}
if (!establish(this))
{
+ charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
return send_delete(this);
}
job = adopt_children_job_create(
@@ -602,11 +605,6 @@ METHOD(task_t, build_r, status_t,
}
id = this->ph1->get_id(this->ph1, this->peer_cfg, TRUE);
- if (!id)
- {
- DBG1(DBG_CFG, "own identity not known");
- return send_notify(this, INVALID_ID_INFORMATION);
- }
this->ike_sa->set_my_id(this->ike_sa, id->clone(id));
id_payload = id_payload_create_from_identification(PLV1_ID, id);
@@ -615,6 +613,7 @@ METHOD(task_t, build_r, status_t,
if (!this->ph1->build_auth(this->ph1, this->method, message,
id_payload->get_encoded(id_payload)))
{
+ charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED);
return send_notify(this, AUTHENTICATION_FAILED);
}
return NEED_MORE;
@@ -679,6 +678,7 @@ METHOD(task_t, process_i, status_t,
if (!id_payload)
{
DBG1(DBG_IKE, "IDir payload missing");
+ charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
return send_delete(this);
}
id = id_payload->get_identification(id_payload);
@@ -687,6 +687,7 @@ METHOD(task_t, process_i, status_t,
{
DBG1(DBG_IKE, "IDir '%Y' does not match to '%Y'", id, cid);
id->destroy(id);
+ charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
return send_notify(this, INVALID_ID_INFORMATION);
}
this->ike_sa->set_other_id(this->ike_sa, id);
@@ -698,6 +699,7 @@ METHOD(task_t, process_i, status_t,
if (!this->ph1->verify_auth(this->ph1, this->method, message,
id_payload->get_encoded(id_payload)))
{
+ charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
return send_notify(this, AUTHENTICATION_FAILED);
}
if (!charon->bus->authorize(charon->bus, FALSE))
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
index 6a296f221..b26a11bb4 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
@@ -59,7 +59,7 @@ struct private_isakmp_vendor_t {
ike_sa_t *ike_sa;
/**
- * Are we the inititator of this task
+ * Are we the initiator of this task
*/
bool initiator;
diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c
index 1f764e547..b60c84992 100644
--- a/src/libcharon/sa/ikev1/tasks/main_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/main_mode.c
@@ -332,11 +332,6 @@ METHOD(task_t, build_i, status_t,
identification_t *id;
id = this->ph1->get_id(this->ph1, this->peer_cfg, TRUE);
- if (!id)
- {
- DBG1(DBG_CFG, "own identity not known");
- return send_notify(this, INVALID_ID_INFORMATION);
- }
this->ike_sa->set_my_id(this->ike_sa, id->clone(id));
id_payload = id_payload_create_from_identification(PLV1_ID, id);
message->add_payload(message, &id_payload->payload_interface);
@@ -344,6 +339,7 @@ METHOD(task_t, build_i, status_t,
if (!this->ph1->build_auth(this->ph1, this->method, message,
id_payload->get_encoded(id_payload)))
{
+ charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED);
return send_notify(this, AUTHENTICATION_FAILED);
}
@@ -445,6 +441,7 @@ METHOD(task_t, process_r, status_t,
if (!id_payload)
{
DBG1(DBG_IKE, "IDii payload missing");
+ charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
return send_notify(this, INVALID_PAYLOAD_TYPE);
}
id = id_payload->get_identification(id_payload);
@@ -457,6 +454,7 @@ METHOD(task_t, process_r, status_t,
this->method, FALSE, id);
if (!this->peer_cfg)
{
+ charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
return send_notify(this, AUTHENTICATION_FAILED);
}
this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
@@ -472,6 +470,7 @@ METHOD(task_t, process_r, status_t,
{
DBG1(DBG_IKE, "Main Mode authorization hook forbids IKE_SA, "
"cancelling");
+ charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
return send_notify(this, AUTHENTICATION_FAILED);
}
@@ -523,11 +522,6 @@ METHOD(task_t, build_r, status_t,
xauth_t *xauth = NULL;
id = this->ph1->get_id(this->ph1, this->peer_cfg, TRUE);
- if (!id)
- {
- DBG1(DBG_CFG, "own identity not known");
- return send_notify(this, INVALID_ID_INFORMATION);
- }
this->ike_sa->set_my_id(this->ike_sa, id->clone(id));
id_payload = id_payload_create_from_identification(PLV1_ID, id);
@@ -536,6 +530,7 @@ METHOD(task_t, build_r, status_t,
if (!this->ph1->build_auth(this->ph1, this->method, message,
id_payload->get_encoded(id_payload)))
{
+ charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED);
return send_notify(this, AUTHENTICATION_FAILED);
}
@@ -562,6 +557,7 @@ METHOD(task_t, build_r, status_t,
}
if (!establish(this))
{
+ charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
return send_notify(this, AUTHENTICATION_FAILED);
}
job = adopt_children_job_create(
@@ -688,6 +684,7 @@ METHOD(task_t, process_i, status_t,
if (!id_payload)
{
DBG1(DBG_IKE, "IDir payload missing");
+ charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
return send_delete(this);
}
id = id_payload->get_identification(id_payload);
@@ -696,6 +693,7 @@ METHOD(task_t, process_i, status_t,
{
DBG1(DBG_IKE, "IDir '%Y' does not match to '%Y'", id, cid);
id->destroy(id);
+ charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
return send_delete(this);
}
this->ike_sa->set_other_id(this->ike_sa, id);
@@ -703,12 +701,14 @@ METHOD(task_t, process_i, status_t,
if (!this->ph1->verify_auth(this->ph1, this->method, message,
id_payload->get_encoded(id_payload)))
{
+ charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
return send_delete(this);
}
if (!charon->bus->authorize(charon->bus, FALSE))
{
DBG1(DBG_IKE, "Main Mode authorization hook forbids IKE_SA, "
"cancelling");
+ charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
return send_delete(this);
}
@@ -736,6 +736,7 @@ METHOD(task_t, process_i, status_t,
}
if (!establish(this))
{
+ charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
return send_delete(this);
}
break;
diff --git a/src/libcharon/sa/ikev1/tasks/mode_config.c b/src/libcharon/sa/ikev1/tasks/mode_config.c
index 43897c304..9b692588d 100644
--- a/src/libcharon/sa/ikev1/tasks/mode_config.c
+++ b/src/libcharon/sa/ikev1/tasks/mode_config.c
@@ -583,7 +583,6 @@ static status_t build_ack(private_mode_config_t *this, message_t *message)
enumerator = this->vips->create_enumerator(this->vips);
while (enumerator->enumerate(enumerator, &host))
{
- type = INTERNAL_IP6_ADDRESS;
if (host->get_family(host) == AF_INET6)
{
type = INTERNAL_IP6_ADDRESS;
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index 5e5b61e7f..007e94d96 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -544,7 +544,7 @@ static traffic_selector_t* select_ts(private_quick_mode_t *this, bool local,
hosts = get_dynamic_hosts(this->ike_sa, local);
list = this->config->get_traffic_selectors(this->config,
- local, supplied, hosts);
+ local, supplied, hosts, TRUE);
hosts->destroy(hosts);
if (list->get_first(list, (void**)&ts) == SUCCESS)
{
diff --git a/src/libcharon/sa/ikev1/tasks/xauth.c b/src/libcharon/sa/ikev1/tasks/xauth.c
index 968b4386c..bec2cfe7d 100644
--- a/src/libcharon/sa/ikev1/tasks/xauth.c
+++ b/src/libcharon/sa/ikev1/tasks/xauth.c
@@ -226,7 +226,7 @@ static bool select_compliant_config(private_xauth_t *this)
{ /* current config is fine */
return TRUE;
}
- DBG1(DBG_CFG, "selected peer config '%s' inacceptable",
+ DBG1(DBG_CFG, "selected peer config '%s' unacceptable",
old->get_name(old));
aggressive = old->use_aggressive(old);