summaryrefslogtreecommitdiff
path: root/src/libcharon/sa/ikev1
diff options
context:
space:
mode:
authorYves-Alexis Perez <corsac@debian.org>2016-07-16 15:19:53 +0200
committerYves-Alexis Perez <corsac@debian.org>2016-07-16 15:19:53 +0200
commitbf372706c469764d59e9f29c39e3ecbebd72b8d2 (patch)
tree0f0e296e2d50e4a7faf99ae6fa428d2681e81ea1 /src/libcharon/sa/ikev1
parent518dd33c94e041db0444c7d1f33da363bb8e3faf (diff)
downloadvyos-strongswan-bf372706c469764d59e9f29c39e3ecbebd72b8d2.tar.gz
vyos-strongswan-bf372706c469764d59e9f29c39e3ecbebd72b8d2.zip
Imported Upstream version 5.5.0
Diffstat (limited to 'src/libcharon/sa/ikev1')
-rw-r--r--src/libcharon/sa/ikev1/keymat_v1.c48
-rw-r--r--src/libcharon/sa/ikev1/keymat_v1.h8
-rw-r--r--src/libcharon/sa/ikev1/task_manager_v1.c100
-rw-r--r--src/libcharon/sa/ikev1/tasks/aggressive_mode.c17
-rw-r--r--src/libcharon/sa/ikev1/tasks/isakmp_delete.c2
-rw-r--r--src/libcharon/sa/ikev1/tasks/isakmp_dpd.c8
-rw-r--r--src/libcharon/sa/ikev1/tasks/isakmp_dpd.h2
-rw-r--r--src/libcharon/sa/ikev1/tasks/isakmp_natd.c4
-rw-r--r--src/libcharon/sa/ikev1/tasks/isakmp_vendor.c2
-rw-r--r--src/libcharon/sa/ikev1/tasks/main_mode.c22
-rw-r--r--src/libcharon/sa/ikev1/tasks/mode_config.c2
-rw-r--r--src/libcharon/sa/ikev1/tasks/quick_delete.c10
-rw-r--r--src/libcharon/sa/ikev1/tasks/quick_delete.h2
-rw-r--r--src/libcharon/sa/ikev1/tasks/quick_mode.c60
-rw-r--r--src/libcharon/sa/ikev1/tasks/quick_mode.h6
-rw-r--r--src/libcharon/sa/ikev1/tasks/xauth.c2
16 files changed, 162 insertions, 133 deletions
diff --git a/src/libcharon/sa/ikev1/keymat_v1.c b/src/libcharon/sa/ikev1/keymat_v1.c
index e428966ad..be6b03bef 100644
--- a/src/libcharon/sa/ikev1/keymat_v1.c
+++ b/src/libcharon/sa/ikev1/keymat_v1.c
@@ -32,7 +32,7 @@ typedef struct private_keymat_v1_t private_keymat_v1_t;
*/
typedef struct {
/** message ID */
- u_int32_t mid;
+ uint32_t mid;
/** current IV */
chunk_t iv;
/** last block of encrypted message */
@@ -128,7 +128,7 @@ static void iv_data_destroy(iv_data_t *this)
*/
typedef struct {
/** message ID */
- u_int32_t mid;
+ uint32_t mid;
/** Ni_b (Nonce from first message) */
chunk_t n_i;
/** Nr_b (Nonce from second message) */
@@ -272,7 +272,7 @@ static bool expand_skeyid_e(chunk_t skeyid_e, size_t key_size, prf_t *prf,
static aead_t *create_aead(proposal_t *proposal, prf_t *prf, chunk_t skeyid_e)
{
private_aead_t *this;
- u_int16_t alg, key_size;
+ uint16_t alg, key_size;
crypter_t *crypter;
chunk_t ka;
@@ -324,7 +324,7 @@ static aead_t *create_aead(proposal_t *proposal, prf_t *prf, chunk_t skeyid_e)
/**
* Converts integrity algorithm to PRF algorithm
*/
-static u_int16_t auth_to_prf(u_int16_t alg)
+static uint16_t auth_to_prf(uint16_t alg)
{
switch (alg)
{
@@ -348,7 +348,7 @@ static u_int16_t auth_to_prf(u_int16_t alg)
/**
* Converts integrity algorithm to hash algorithm
*/
-static u_int16_t auth_to_hash(u_int16_t alg)
+static uint16_t auth_to_hash(uint16_t alg)
{
switch (alg)
{
@@ -370,7 +370,7 @@ static u_int16_t auth_to_hash(u_int16_t alg)
/**
* Adjust the key length for PRF algorithms that expect a fixed key length.
*/
-static void adjust_keylen(u_int16_t alg, chunk_t *key)
+static void adjust_keylen(uint16_t alg, chunk_t *key)
{
switch (alg)
{
@@ -393,10 +393,10 @@ METHOD(keymat_v1_t, derive_ike_keys, bool,
{
chunk_t g_xy, g_xi, g_xr, dh_me, spi_i, spi_r, nonces, data, skeyid_e;
chunk_t skeyid;
- u_int16_t alg;
+ uint16_t alg;
- spi_i = chunk_alloca(sizeof(u_int64_t));
- spi_r = chunk_alloca(sizeof(u_int64_t));
+ spi_i = chunk_alloca(sizeof(uint64_t));
+ spi_r = chunk_alloca(sizeof(uint64_t));
if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL))
{ /* no PRF negotiated, use HMAC version of integrity algorithm instead */
@@ -431,8 +431,8 @@ METHOD(keymat_v1_t, derive_ike_keys, bool,
}
DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &g_xy);
- *((u_int64_t*)spi_i.ptr) = id->get_initiator_spi(id);
- *((u_int64_t*)spi_r.ptr) = id->get_responder_spi(id);
+ *((uint64_t*)spi_i.ptr) = id->get_initiator_spi(id);
+ *((uint64_t*)spi_r.ptr) = id->get_responder_spi(id);
nonces = chunk_cata("cc", nonce_i, nonce_r);
switch (auth)
@@ -585,11 +585,11 @@ METHOD(keymat_v1_t, derive_ike_keys, bool,
METHOD(keymat_v1_t, derive_child_keys, bool,
private_keymat_v1_t *this, proposal_t *proposal, diffie_hellman_t *dh,
- u_int32_t spi_i, u_int32_t spi_r, chunk_t nonce_i, chunk_t nonce_r,
+ uint32_t spi_i, uint32_t spi_r, chunk_t nonce_i, chunk_t nonce_r,
chunk_t *encr_i, chunk_t *integ_i, chunk_t *encr_r, chunk_t *integ_r)
{
- u_int16_t enc_alg, int_alg, enc_size = 0, int_size = 0;
- u_int8_t protocol;
+ uint16_t enc_alg, int_alg, enc_size = 0, int_size = 0;
+ uint8_t protocol;
prf_plus_t *prf_plus;
chunk_t seed, secret = chunk_empty;
bool success = FALSE;
@@ -725,7 +725,7 @@ failure:
METHOD(keymat_v1_t, create_hasher, bool,
private_keymat_v1_t *this, proposal_t *proposal)
{
- u_int16_t alg;
+ uint16_t alg;
if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL) ||
(alg = auth_to_hash(alg)) == HASH_UNKNOWN)
{
@@ -754,7 +754,7 @@ METHOD(keymat_v1_t, get_hash, bool,
ike_sa_id_t *ike_sa_id, chunk_t sa_i, chunk_t id, chunk_t *hash)
{
chunk_t data;
- u_int64_t spi, spi_other;
+ uint64_t spi, spi_other;
/* HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b )
* HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b )
@@ -810,7 +810,7 @@ static chunk_t get_message_data(message_t *message, generator_t *generator)
{
payload_t *payload, *next;
enumerator_t *enumerator;
- u_int32_t *lenpos;
+ uint32_t *lenpos;
if (message->is_encoded(message))
{ /* inbound, although the message is generated, we cannot access the
@@ -850,7 +850,7 @@ static chunk_t get_message_data(message_t *message, generator_t *generator)
* Try to find data about a Quick Mode with the given message ID,
* if none is found, state is generated.
*/
-static qm_data_t *lookup_quick_mode(private_keymat_v1_t *this, u_int32_t mid)
+static qm_data_t *lookup_quick_mode(private_keymat_v1_t *this, uint32_t mid)
{
enumerator_t *enumerator;
qm_data_t *qm, *found = NULL;
@@ -885,7 +885,7 @@ static qm_data_t *lookup_quick_mode(private_keymat_v1_t *this, u_int32_t mid)
METHOD(keymat_v1_t, get_hash_phase2, bool,
private_keymat_v1_t *this, message_t *message, chunk_t *hash)
{
- u_int32_t mid, mid_n;
+ uint32_t mid, mid_n;
chunk_t data = chunk_empty;
bool add_message = TRUE;
char *name = "Hash";
@@ -993,7 +993,7 @@ static bool generate_iv(private_keymat_v1_t *this, iv_data_t *iv)
else
{
/* initial phase 2 IV = hash(last_phase1_block | mid) */
- u_int32_t net;;
+ uint32_t net;;
chunk_t data;
net = htonl(iv->mid);
@@ -1014,7 +1014,7 @@ static bool generate_iv(private_keymat_v1_t *this, iv_data_t *iv)
/**
* Try to find an IV for the given message ID, if not found, generate it.
*/
-static iv_data_t *lookup_iv(private_keymat_v1_t *this, u_int32_t mid)
+static iv_data_t *lookup_iv(private_keymat_v1_t *this, uint32_t mid)
{
enumerator_t *enumerator;
iv_data_t *iv, *found = NULL;
@@ -1057,7 +1057,7 @@ static iv_data_t *lookup_iv(private_keymat_v1_t *this, u_int32_t mid)
}
METHOD(keymat_v1_t, get_iv, bool,
- private_keymat_v1_t *this, u_int32_t mid, chunk_t *out)
+ private_keymat_v1_t *this, uint32_t mid, chunk_t *out)
{
iv_data_t *iv;
@@ -1071,7 +1071,7 @@ METHOD(keymat_v1_t, get_iv, bool,
}
METHOD(keymat_v1_t, update_iv, bool,
- private_keymat_v1_t *this, u_int32_t mid, chunk_t last_block)
+ private_keymat_v1_t *this, uint32_t mid, chunk_t last_block)
{
iv_data_t *iv = lookup_iv(this, mid);
if (iv)
@@ -1084,7 +1084,7 @@ METHOD(keymat_v1_t, update_iv, bool,
}
METHOD(keymat_v1_t, confirm_iv, bool,
- private_keymat_v1_t *this, u_int32_t mid)
+ private_keymat_v1_t *this, uint32_t mid)
{
iv_data_t *iv = lookup_iv(this, mid);
if (iv)
diff --git a/src/libcharon/sa/ikev1/keymat_v1.h b/src/libcharon/sa/ikev1/keymat_v1.h
index cc9f3b339..46eeea8b6 100644
--- a/src/libcharon/sa/ikev1/keymat_v1.h
+++ b/src/libcharon/sa/ikev1/keymat_v1.h
@@ -72,7 +72,7 @@ struct keymat_v1_t {
* @param integ_r allocated responders integrity key
*/
bool (*derive_child_keys)(keymat_v1_t *this, proposal_t *proposal,
- diffie_hellman_t *dh, u_int32_t spi_i, u_int32_t spi_r,
+ diffie_hellman_t *dh, uint32_t spi_i, uint32_t spi_r,
chunk_t nonce_i, chunk_t nonce_r,
chunk_t *encr_i, chunk_t *integ_i,
chunk_t *encr_r, chunk_t *integ_r);
@@ -127,7 +127,7 @@ struct keymat_v1_t {
* @param iv chunk receiving IV, internal data
* @return TRUE if IV allocated successfully
*/
- bool (*get_iv)(keymat_v1_t *this, u_int32_t mid, chunk_t *iv);
+ bool (*get_iv)(keymat_v1_t *this, uint32_t mid, chunk_t *iv);
/**
* Updates the IV for the next message with the given message ID.
@@ -141,7 +141,7 @@ struct keymat_v1_t {
* @param last_block last block of encrypted message (gets cloned)
* @return TRUE if IV updated successfully
*/
- bool (*update_iv)(keymat_v1_t *this, u_int32_t mid, chunk_t last_block);
+ bool (*update_iv)(keymat_v1_t *this, uint32_t mid, chunk_t last_block);
/**
* Confirms the updated IV for the given message ID.
@@ -152,7 +152,7 @@ struct keymat_v1_t {
* @param mid message ID
* @return TRUE if IV confirmed successfully
*/
- bool (*confirm_iv)(keymat_v1_t *this, u_int32_t mid);
+ bool (*confirm_iv)(keymat_v1_t *this, uint32_t mid);
};
/**
diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c
index 3c601a4fa..b0c4f5f84 100644
--- a/src/libcharon/sa/ikev1/task_manager_v1.c
+++ b/src/libcharon/sa/ikev1/task_manager_v1.c
@@ -1,7 +1,7 @@
/*
- * Copyright (C) 2007-2015 Tobias Brunner
+ * Copyright (C) 2007-2016 Tobias Brunner
* Copyright (C) 2007-2011 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -67,7 +67,7 @@ struct exchange_t {
/**
* Message ID used for this transaction
*/
- u_int32_t mid;
+ uint32_t mid;
/**
* generated packet for retransmission
@@ -104,12 +104,12 @@ struct private_task_manager_t {
/**
* Message ID of the last response
*/
- u_int32_t mid;
+ uint32_t mid;
/**
* Hash of a previously received message
*/
- u_int32_t hash;
+ uint32_t hash;
/**
* packet(s) for retransmission
@@ -119,7 +119,7 @@ struct private_task_manager_t {
/**
* Sequence number of the last sent message
*/
- u_int32_t seqnr;
+ uint32_t seqnr;
/**
* how many times we have retransmitted so far
@@ -135,12 +135,12 @@ struct private_task_manager_t {
/**
* Message ID of the exchange
*/
- u_int32_t mid;
+ uint32_t mid;
/**
* Hashes of old responses we can ignore
*/
- u_int32_t old_hashes[MAX_OLD_HASHES];
+ uint32_t old_hashes[MAX_OLD_HASHES];
/**
* Position in old hash array
@@ -150,7 +150,7 @@ struct private_task_manager_t {
/**
* Sequence number of the last sent message
*/
- u_int32_t seqnr;
+ uint32_t seqnr;
/**
* how many times we have retransmitted so far
@@ -212,12 +212,12 @@ struct private_task_manager_t {
/**
* Sequence number for sending DPD requests
*/
- u_int32_t dpd_send;
+ uint32_t dpd_send;
/**
* Sequence number for received DPD requests
*/
- u_int32_t dpd_recv;
+ uint32_t dpd_recv;
};
/**
@@ -341,11 +341,11 @@ static bool generate_message(private_task_manager_t *this, message_t *message,
/**
* Retransmit a packet (or its fragments)
*/
-static status_t retransmit_packet(private_task_manager_t *this, u_int32_t seqnr,
+static status_t retransmit_packet(private_task_manager_t *this, uint32_t seqnr,
u_int mid, u_int retransmitted, array_t *packets)
{
packet_t *packet;
- u_int32_t t;
+ uint32_t t;
array_get(packets, 0, &packet);
if (retransmitted > this->retransmit_tries)
@@ -354,14 +354,15 @@ static status_t retransmit_packet(private_task_manager_t *this, u_int32_t seqnr,
charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_TIMEOUT, packet);
return DESTROY_ME;
}
- t = (u_int32_t)(this->retransmit_timeout * 1000.0 *
+ t = (uint32_t)(this->retransmit_timeout * 1000.0 *
pow(this->retransmit_base, retransmitted));
if (retransmitted)
{
DBG1(DBG_IKE, "sending retransmit %u of %s message ID %u, seq %u",
retransmitted, seqnr < RESPONDING_SEQ ? "request" : "response",
mid, seqnr < RESPONDING_SEQ ? seqnr : seqnr - RESPONDING_SEQ);
- charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND, packet);
+ charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND, packet,
+ retransmitted);
}
send_packets(this, packets);
lib->scheduler->schedule_job_ms(lib->scheduler, (job_t*)
@@ -370,7 +371,7 @@ static status_t retransmit_packet(private_task_manager_t *this, u_int32_t seqnr,
}
METHOD(task_manager_t, retransmit, status_t,
- private_task_manager_t *this, u_int32_t seqnr)
+ private_task_manager_t *this, uint32_t seqnr)
{
status_t status = SUCCESS;
@@ -514,26 +515,26 @@ METHOD(task_manager_t, initiate, status_t,
new_mid = TRUE;
break;
}
- if (!mode_config_expected(this) &&
- activate_task(this, TASK_QUICK_MODE))
+ if (activate_task(this, TASK_ISAKMP_DELETE))
{
- exchange = QUICK_MODE;
+ exchange = INFORMATIONAL_V1;
new_mid = TRUE;
break;
}
- if (activate_task(this, TASK_INFORMATIONAL))
+ if (activate_task(this, TASK_QUICK_DELETE))
{
exchange = INFORMATIONAL_V1;
new_mid = TRUE;
break;
}
- if (activate_task(this, TASK_QUICK_DELETE))
+ if (!mode_config_expected(this) &&
+ activate_task(this, TASK_QUICK_MODE))
{
- exchange = INFORMATIONAL_V1;
+ exchange = QUICK_MODE;
new_mid = TRUE;
break;
}
- if (activate_task(this, TASK_ISAKMP_DELETE))
+ if (activate_task(this, TASK_INFORMATIONAL))
{
exchange = INFORMATIONAL_V1;
new_mid = TRUE;
@@ -807,7 +808,7 @@ static void send_notify(private_task_manager_t *this, message_t *request,
message_t *response;
array_t *packets = NULL;
host_t *me, *other;
- u_int32_t mid;
+ uint32_t mid;
if (request->get_exchange_type(request) == INFORMATIONAL_V1)
{ /* don't respond to INFORMATIONAL requests to avoid a notify war */
@@ -857,7 +858,7 @@ static bool process_dpd(private_task_manager_t *this, message_t *message)
{
notify_payload_t *notify;
notify_type_t type;
- u_int32_t seq;
+ uint32_t seq;
chunk_t data;
type = DPD_R_U_THERE;
@@ -910,7 +911,7 @@ static bool process_dpd(private_task_manager_t *this, message_t *message)
* Check if we already have a quick mode task queued for the exchange with the
* given message ID
*/
-static bool have_quick_mode_task(private_task_manager_t *this, u_int32_t mid)
+static bool have_quick_mode_task(private_task_manager_t *this, uint32_t mid)
{
enumerator_t *enumerator;
quick_mode_t *qm;
@@ -935,9 +936,9 @@ static bool have_quick_mode_task(private_task_manager_t *this, u_int32_t mid)
}
/**
- * Check if we still have an aggressive mode task queued
+ * Check if we still have a specific task queued
*/
-static bool have_aggressive_mode_task(private_task_manager_t *this)
+static bool have_task_queued(private_task_manager_t *this, task_type_t type)
{
enumerator_t *enumerator;
task_t *task;
@@ -946,7 +947,7 @@ static bool have_aggressive_mode_task(private_task_manager_t *this)
enumerator = this->passive_tasks->create_enumerator(this->passive_tasks);
while (enumerator->enumerate(enumerator, &task))
{
- if (task->get_type(task) == TASK_AGGRESSIVE_MODE)
+ if (task->get_type(task) == type)
{
found = TRUE;
break;
@@ -1180,6 +1181,12 @@ static status_t process_response(private_task_manager_t *this,
}
enumerator->destroy(enumerator);
+ if (this->initiating.retransmitted)
+ {
+ packet_t *packet = NULL;
+ array_get(this->initiating.packets, 0, &packet);
+ charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_CLEARED, packet);
+ }
this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
clear_packets(this->initiating.packets);
@@ -1305,7 +1312,7 @@ static status_t queue_message(private_task_manager_t *this, message_t *msg)
METHOD(task_manager_t, process_message, status_t,
private_task_manager_t *this, message_t *msg)
{
- u_int32_t hash, mid, i;
+ uint32_t hash, mid, i;
host_t *me, *other;
status_t status;
@@ -1405,7 +1412,7 @@ METHOD(task_manager_t, process_message, status_t,
/* drop XAuth/Mode Config/Quick Mode messages until we received the last
* Aggressive Mode message. since Informational messages are not
* retransmitted we queue them. */
- if (have_aggressive_mode_task(this))
+ if (have_task_queued(this, TASK_AGGRESSIVE_MODE))
{
if (msg->get_exchange_type(msg) == INFORMATIONAL_V1)
{
@@ -1427,6 +1434,13 @@ METHOD(task_manager_t, process_message, status_t,
return queue_message(this, msg);
}
+ /* some peers send INITIAL_CONTACT notifies during XAuth, cache it */
+ if (have_task_queued(this, TASK_XAUTH) &&
+ msg->get_exchange_type(msg) == INFORMATIONAL_V1)
+ {
+ return queue_message(this, msg);
+ }
+
msg->set_request(msg, TRUE);
charon->bus->message(charon->bus, msg, TRUE, FALSE);
status = parse_message(this, msg);
@@ -1499,8 +1513,8 @@ static bool has_queued(private_task_manager_t *this, task_type_t type)
return found;
}
-METHOD(task_manager_t, queue_task, void,
- private_task_manager_t *this, task_t *task)
+METHOD(task_manager_t, queue_task_delayed, void,
+ private_task_manager_t *this, task_t *task, uint32_t delay)
{
task_type_t type = task->get_type(task);
@@ -1521,6 +1535,12 @@ METHOD(task_manager_t, queue_task, void,
this->queued_tasks->insert_last(this->queued_tasks, task);
}
+METHOD(task_manager_t, queue_task, void,
+ private_task_manager_t *this, task_t *task)
+{
+ queue_task_delayed(this, task, 0);
+}
+
METHOD(task_manager_t, queue_ike, void,
private_task_manager_t *this)
{
@@ -1660,7 +1680,7 @@ METHOD(task_manager_t, queue_mobike, void,
}
METHOD(task_manager_t, queue_child, void,
- private_task_manager_t *this, child_cfg_t *cfg, u_int32_t reqid,
+ private_task_manager_t *this, child_cfg_t *cfg, uint32_t reqid,
traffic_selector_t *tsi, traffic_selector_t *tsr)
{
quick_mode_t *task;
@@ -1739,7 +1759,7 @@ static traffic_selector_t* get_first_ts(child_sa_t *child_sa, bool local)
}
METHOD(task_manager_t, queue_child_rekey, void,
- private_task_manager_t *this, protocol_id_t protocol, u_int32_t spi)
+ private_task_manager_t *this, protocol_id_t protocol, uint32_t spi)
{
child_sa_t *child_sa;
child_cfg_t *cfg;
@@ -1754,6 +1774,7 @@ METHOD(task_manager_t, queue_child_rekey, void,
{
if (is_redundant(this, child_sa))
{
+ child_sa->set_state(child_sa, CHILD_REKEYED);
queue_task(this, (task_t*)quick_delete_create(this->ike_sa,
protocol, spi, FALSE, FALSE));
}
@@ -1774,7 +1795,7 @@ METHOD(task_manager_t, queue_child_rekey, void,
}
METHOD(task_manager_t, queue_child_delete, void,
- private_task_manager_t *this, protocol_id_t protocol, u_int32_t spi,
+ private_task_manager_t *this, protocol_id_t protocol, uint32_t spi,
bool expired)
{
queue_task(this, (task_t*)quick_delete_create(this->ike_sa, protocol,
@@ -1785,7 +1806,7 @@ METHOD(task_manager_t, queue_dpd, void,
private_task_manager_t *this)
{
peer_cfg_t *peer_cfg;
- u_int32_t t, retransmit;
+ uint32_t t, retransmit;
queue_task(this, (task_t*)isakmp_dpd_create(this->ike_sa, DPD_R_U_THERE,
this->dpd_send++));
@@ -1798,7 +1819,7 @@ METHOD(task_manager_t, queue_dpd, void,
/* use the same timeout as a retransmitting IKE message would have */
for (retransmit = 0; retransmit <= this->retransmit_tries; retransmit++)
{
- t += (u_int32_t)(this->retransmit_timeout * 1000.0 *
+ t += (uint32_t)(this->retransmit_timeout * 1000.0 *
pow(this->retransmit_base, retransmit));
}
}
@@ -1871,7 +1892,7 @@ METHOD(task_manager_t, incr_mid, void,
}
METHOD(task_manager_t, reset, void,
- private_task_manager_t *this, u_int32_t initiate, u_int32_t respond)
+ private_task_manager_t *this, uint32_t initiate, uint32_t respond)
{
enumerator_t *enumerator;
task_t *task;
@@ -1960,6 +1981,7 @@ task_manager_v1_t *task_manager_v1_create(ike_sa_t *ike_sa)
.task_manager = {
.process_message = _process_message,
.queue_task = _queue_task,
+ .queue_task_delayed = _queue_task_delayed,
.queue_ike = _queue_ike,
.queue_ike_rekey = _queue_ike_rekey,
.queue_ike_reauth = _queue_ike_reauth,
diff --git a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
index 710bf1cd2..9b5f676a3 100644
--- a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
@@ -77,7 +77,7 @@ struct private_aggressive_mode_t {
/**
* Negotiated SA lifetime
*/
- u_int32_t lifetime;
+ uint32_t lifetime;
/**
* Negotiated authentication method
@@ -164,7 +164,7 @@ static status_t send_notify(private_aggressive_mode_t *this, notify_type_t type)
{
notify_payload_t *notify;
ike_sa_id_t *ike_sa_id;
- u_int64_t spi_i, spi_r;
+ uint64_t spi_i, spi_r;
chunk_t spi;
notify = notify_payload_create_from_protocol_and_type(PLV1_NOTIFY,
@@ -219,7 +219,7 @@ METHOD(task_t, build_i, status_t,
linked_list_t *proposals;
identification_t *id;
packet_t *packet;
- u_int16_t group;
+ uint16_t group;
DBG0(DBG_IKE, "initiating Aggressive Mode IKE_SA %s[%d] to %H",
this->ike_sa->get_name(this->ike_sa),
@@ -377,7 +377,8 @@ METHOD(task_t, process_r, status_t,
id_payload_t *id_payload;
identification_t *id;
linked_list_t *list;
- u_int16_t group;
+ uint16_t group;
+ bool prefer_configured;
this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
DBG0(DBG_IKE, "%H is initiating a Aggressive Mode IKE_SA",
@@ -401,8 +402,10 @@ METHOD(task_t, process_r, status_t,
}
list = sa_payload->get_proposals(sa_payload);
+ prefer_configured = lib->settings->get_bool(lib->settings,
+ "%s.prefer_configured_proposals", TRUE, lib->ns);
this->proposal = this->ike_cfg->select_proposal(this->ike_cfg,
- list, FALSE);
+ list, FALSE, prefer_configured);
list->destroy_offset(list, offsetof(proposal_t, destroy));
if (!this->proposal)
{
@@ -629,7 +632,7 @@ METHOD(task_t, process_i, status_t,
id_payload_t *id_payload;
identification_t *id, *cid;
linked_list_t *list;
- u_int32_t lifetime;
+ uint32_t lifetime;
sa_payload = (sa_payload_t*)message->get_payload(message,
PLV1_SECURITY_ASSOCIATION);
@@ -640,7 +643,7 @@ METHOD(task_t, process_i, status_t,
}
list = sa_payload->get_proposals(sa_payload);
this->proposal = this->ike_cfg->select_proposal(this->ike_cfg,
- list, FALSE);
+ list, FALSE, TRUE);
list->destroy_offset(list, offsetof(proposal_t, destroy));
if (!this->proposal)
{
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_delete.c b/src/libcharon/sa/ikev1/tasks/isakmp_delete.c
index a56805afb..df0293d4f 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_delete.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_delete.c
@@ -81,7 +81,7 @@ METHOD(task_t, process_r, status_t,
payload_t *payload;
delete_payload_t *delete_payload;
ike_sa_id_t *id;
- u_int64_t spi_i, spi_r;
+ uint64_t spi_i, spi_r;
bool found = FALSE;
/* some peers send DELETE payloads for other IKE_SAs, e.g. those for expired
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_dpd.c b/src/libcharon/sa/ikev1/tasks/isakmp_dpd.c
index 5522e9221..840d352b1 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_dpd.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_dpd.c
@@ -33,7 +33,7 @@ struct private_isakmp_dpd_t {
/**
* Sequence number.
*/
- u_int32_t seqnr;
+ uint32_t seqnr;
/**
* DPD notify type
@@ -51,8 +51,8 @@ METHOD(task_t, build, status_t,
{
notify_payload_t *notify;
ike_sa_id_t *ike_sa_id;
- u_int64_t spi_i, spi_r;
- u_int32_t seqnr;
+ uint64_t spi_i, spi_r;
+ uint32_t seqnr;
chunk_t spi;
notify = notify_payload_create_from_protocol_and_type(PLV1_NOTIFY,
@@ -100,7 +100,7 @@ METHOD(task_t, destroy, void,
* Described in header.
*/
isakmp_dpd_t *isakmp_dpd_create(ike_sa_t *ike_sa, notify_type_t type,
- u_int32_t seqnr)
+ uint32_t seqnr)
{
private_isakmp_dpd_t *this;
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_dpd.h b/src/libcharon/sa/ikev1/tasks/isakmp_dpd.h
index 06a0175eb..9a69b423c 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_dpd.h
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_dpd.h
@@ -47,6 +47,6 @@ struct isakmp_dpd_t {
* @return ISAKMP_DPD task to handle by the task_manager
*/
isakmp_dpd_t *isakmp_dpd_create(ike_sa_t *ike_sa, notify_type_t type,
- u_int32_t seqnr);
+ uint32_t seqnr);
#endif /** ISAKMP_DPD_H_ @}*/
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_natd.c b/src/libcharon/sa/ikev1/tasks/isakmp_natd.c
index cb1a31371..d17948cd0 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_natd.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_natd.c
@@ -129,8 +129,8 @@ static chunk_t generate_natd_hash(private_isakmp_natd_t *this,
{
hasher_t *hasher;
chunk_t natd_chunk, natd_hash;
- u_int64_t spi_i, spi_r;
- u_int16_t port;
+ uint64_t spi_i, spi_r;
+ uint16_t port;
hasher = this->keymat->get_hasher(this->keymat);
if (!hasher)
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
index 0162fd84e..f28b83e8a 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
@@ -170,7 +170,7 @@ static struct {
* for fragmentation of base ISAKMP messages (Cisco adds that and thus sends
* 0xc0000000)
*/
-static const u_int32_t fragmentation_ike = 0x80000000;
+static const uint32_t fragmentation_ike = 0x80000000;
static bool is_known_vid(chunk_t data, int i)
{
diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c
index 3ea4a2a85..628ea0de8 100644
--- a/src/libcharon/sa/ikev1/tasks/main_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/main_mode.c
@@ -77,7 +77,7 @@ struct private_main_mode_t {
/**
* Negotiated SA lifetime
*/
- u_int32_t lifetime;
+ uint32_t lifetime;
/**
* Negotiated authentication method
@@ -173,7 +173,7 @@ static status_t send_notify(private_main_mode_t *this, notify_type_t type)
{
notify_payload_t *notify;
ike_sa_id_t *ike_sa_id;
- u_int64_t spi_i, spi_r;
+ uint64_t spi_i, spi_r;
chunk_t spi;
notify = notify_payload_create_from_protocol_and_type(PLV1_NOTIFY,
@@ -215,7 +215,7 @@ static void add_initial_contact(private_main_mode_t *this, message_t *message,
host_t *host;
notify_payload_t *notify;
ike_sa_id_t *ike_sa_id;
- u_int64_t spi_i, spi_r;
+ uint64_t spi_i, spi_r;
chunk_t spi;
idr = this->ph1->get_id(this->ph1, this->peer_cfg, FALSE);
@@ -303,7 +303,7 @@ METHOD(task_t, build_i, status_t,
}
case MM_SA:
{
- u_int16_t group;
+ uint16_t group;
if (!this->ph1->create_hasher(this->ph1))
{
@@ -367,7 +367,7 @@ METHOD(task_t, process_r, status_t,
{
linked_list_t *list;
sa_payload_t *sa_payload;
- bool private;
+ bool private, prefer_configured;
this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
DBG0(DBG_IKE, "%H is initiating a Main Mode IKE_SA",
@@ -392,9 +392,11 @@ METHOD(task_t, process_r, status_t,
list = sa_payload->get_proposals(sa_payload);
private = this->ike_sa->supports_extension(this->ike_sa,
- EXT_STRONGSWAN);
+ EXT_STRONGSWAN);
+ prefer_configured = lib->settings->get_bool(lib->settings,
+ "%s.prefer_configured_proposals", TRUE, lib->ns);
this->proposal = this->ike_cfg->select_proposal(this->ike_cfg,
- list, private);
+ list, private, prefer_configured);
list->destroy_offset(list, offsetof(proposal_t, destroy));
if (!this->proposal)
{
@@ -411,7 +413,7 @@ METHOD(task_t, process_r, status_t,
}
case MM_SA:
{
- u_int16_t group;
+ uint16_t group;
if (!this->ph1->create_hasher(this->ph1))
{
@@ -627,7 +629,7 @@ METHOD(task_t, process_i, status_t,
linked_list_t *list;
sa_payload_t *sa_payload;
auth_method_t method;
- u_int32_t lifetime;
+ uint32_t lifetime;
bool private;
sa_payload = (sa_payload_t*)message->get_payload(message,
@@ -641,7 +643,7 @@ METHOD(task_t, process_i, status_t,
private = this->ike_sa->supports_extension(this->ike_sa,
EXT_STRONGSWAN);
this->proposal = this->ike_cfg->select_proposal(this->ike_cfg,
- list, private);
+ list, private, TRUE);
list->destroy_offset(list, offsetof(proposal_t, destroy));
if (!this->proposal)
{
diff --git a/src/libcharon/sa/ikev1/tasks/mode_config.c b/src/libcharon/sa/ikev1/tasks/mode_config.c
index b9f924009..7098d24a2 100644
--- a/src/libcharon/sa/ikev1/tasks/mode_config.c
+++ b/src/libcharon/sa/ikev1/tasks/mode_config.c
@@ -58,7 +58,7 @@ struct private_mode_config_t {
/**
* Identifier to include in response
*/
- u_int16_t identifier;
+ uint16_t identifier;
};
/**
diff --git a/src/libcharon/sa/ikev1/tasks/quick_delete.c b/src/libcharon/sa/ikev1/tasks/quick_delete.c
index ade59a2dd..66ef50811 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_delete.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_delete.c
@@ -69,7 +69,7 @@ struct private_quick_delete_t {
/**
* Inbound SPI of CHILD_SA to delete
*/
- u_int32_t spi;
+ uint32_t spi;
/**
* Send delete even if SA does not exist
@@ -86,9 +86,9 @@ struct private_quick_delete_t {
* Delete the specified CHILD_SA, if found
*/
static bool delete_child(private_quick_delete_t *this, protocol_id_t protocol,
- u_int32_t spi, bool remote_close)
+ uint32_t spi, bool remote_close)
{
- u_int64_t bytes_in, bytes_out;
+ uint64_t bytes_in, bytes_out;
child_sa_t *child_sa;
linked_list_t *my_ts, *other_ts;
child_cfg_t *child_cfg;
@@ -200,7 +200,7 @@ METHOD(task_t, process_r, status_t,
payload_t *payload;
delete_payload_t *delete_payload;
protocol_id_t protocol;
- u_int32_t spi;
+ uint32_t spi;
payloads = message->create_payload_enumerator(message);
while (payloads->enumerate(payloads, &payload))
@@ -260,7 +260,7 @@ METHOD(task_t, destroy, void,
* Described in header.
*/
quick_delete_t *quick_delete_create(ike_sa_t *ike_sa, protocol_id_t protocol,
- u_int32_t spi, bool force, bool expired)
+ uint32_t spi, bool force, bool expired)
{
private_quick_delete_t *this;
diff --git a/src/libcharon/sa/ikev1/tasks/quick_delete.h b/src/libcharon/sa/ikev1/tasks/quick_delete.h
index 4df30c8fe..6227b364b 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_delete.h
+++ b/src/libcharon/sa/ikev1/tasks/quick_delete.h
@@ -50,6 +50,6 @@ struct quick_delete_t {
* @return quick_delete task to handle by the task_manager
*/
quick_delete_t *quick_delete_create(ike_sa_t *ike_sa, protocol_id_t protocol,
- u_int32_t spi, bool force, bool expired);
+ uint32_t spi, bool force, bool expired);
#endif /** QUICK_DELETE_H_ @}*/
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index b4fe04663..bbd1cb09f 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -98,22 +98,22 @@ struct private_quick_mode_t {
/**
* Initiators ESP SPI
*/
- u_int32_t spi_i;
+ uint32_t spi_i;
/**
* Responder ESP SPI
*/
- u_int32_t spi_r;
+ uint32_t spi_r;
/**
* Initiators IPComp CPI
*/
- u_int16_t cpi_i;
+ uint16_t cpi_i;
/**
* Responders IPComp CPI
*/
- u_int16_t cpi_r;
+ uint16_t cpi_r;
/**
* selected CHILD_SA proposal
@@ -143,17 +143,17 @@ struct private_quick_mode_t {
/**
* Negotiated lifetime of new SA
*/
- u_int32_t lifetime;
+ uint32_t lifetime;
/**
- * Negotaited lifebytes of new SA
+ * Negotiated lifebytes of new SA
*/
- u_int64_t lifebytes;
+ uint64_t lifebytes;
/**
* Reqid to use, 0 for auto-allocate
*/
- u_int32_t reqid;
+ uint32_t reqid;
/**
* Explicit inbound mark value to use, if any
@@ -168,7 +168,7 @@ struct private_quick_mode_t {
/**
* SPI of SA we rekey
*/
- u_int32_t rekey;
+ uint32_t rekey;
/**
* Delete old child after successful rekey
@@ -193,7 +193,7 @@ struct private_quick_mode_t {
/**
* Message ID of handled quick mode exchange
*/
- u_int32_t mid;
+ uint32_t mid;
/** states of quick mode */
enum {
@@ -207,7 +207,7 @@ struct private_quick_mode_t {
*/
static void schedule_inactivity_timeout(private_quick_mode_t *this)
{
- u_int32_t timeout;
+ uint32_t timeout;
bool close_ike;
timeout = this->config->get_inactivity(this->config);
@@ -722,12 +722,12 @@ static void get_lifetimes(private_quick_mode_t *this)
{
lifetime_cfg_t *lft;
- lft = this->config->get_lifetime(this->config);
+ lft = this->config->get_lifetime(this->config, TRUE);
if (lft->time.life)
{
this->lifetime = lft->time.life;
}
- else if (lft->bytes.life)
+ if (lft->bytes.life)
{
this->lifebytes = lft->bytes.life;
}
@@ -739,8 +739,8 @@ static void get_lifetimes(private_quick_mode_t *this)
*/
static void apply_lifetimes(private_quick_mode_t *this, sa_payload_t *sa_payload)
{
- u_int32_t lifetime;
- u_int64_t lifebytes;
+ uint32_t lifetime;
+ uint64_t lifebytes;
lifetime = sa_payload->get_lifetime(sa_payload);
lifebytes = sa_payload->get_lifebytes(sa_payload);
@@ -863,7 +863,7 @@ METHOD(task_t, build_i, status_t,
if (group != MODP_NONE)
{
proposal_t *proposal;
- u_int16_t preferred_group;
+ uint16_t preferred_group;
proposal = this->ike_sa->get_proposal(this->ike_sa);
proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP,
@@ -1007,7 +1007,6 @@ static void check_for_rekeyed_child(private_quick_mode_t *this)
{
case CHILD_INSTALLED:
case CHILD_REKEYING:
- case CHILD_REKEYED:
policies = child_sa->create_policy_enumerator(child_sa);
if (policies->enumerate(policies, &local, &remote) &&
local->equals(local, this->tsr) &&
@@ -1026,9 +1025,10 @@ static void check_for_rekeyed_child(private_quick_mode_t *this)
child_sa->get_unique_id(child_sa));
}
policies->destroy(policies);
- break;
- default:
- break;
+ break;
+ case CHILD_REKEYED:
+ default:
+ break;
}
}
}
@@ -1050,8 +1050,8 @@ METHOD(task_t, process_r, status_t,
sa_payload_t *sa_payload;
linked_list_t *tsi, *tsr, *hostsi, *hostsr, *list = NULL;
peer_cfg_t *peer_cfg;
- u_int16_t group;
- bool private;
+ uint16_t group;
+ bool private, prefer_configured;
sa_payload = (sa_payload_t*)message->get_payload(message,
PLV1_SECURITY_ASSOCIATION);
@@ -1109,8 +1109,10 @@ METHOD(task_t, process_r, status_t,
}
private = this->ike_sa->supports_extension(this->ike_sa,
EXT_STRONGSWAN);
- this->proposal = this->config->select_proposal(this->config,
- list, FALSE, private);
+ prefer_configured = lib->settings->get_bool(lib->settings,
+ "%s.prefer_configured_proposals", TRUE, lib->ns);
+ this->proposal = this->config->select_proposal(this->config, list,
+ FALSE, private, prefer_configured);
list->destroy_offset(list, offsetof(proposal_t, destroy));
get_lifetimes(this);
@@ -1323,8 +1325,8 @@ METHOD(task_t, process_i, status_t,
}
private = this->ike_sa->supports_extension(this->ike_sa,
EXT_STRONGSWAN);
- this->proposal = this->config->select_proposal(this->config,
- list, FALSE, private);
+ this->proposal = this->config->select_proposal(this->config, list,
+ FALSE, private, TRUE);
list->destroy_offset(list, offsetof(proposal_t, destroy));
if (!this->proposal)
{
@@ -1365,14 +1367,14 @@ METHOD(task_t, get_type, task_type_t,
return TASK_QUICK_MODE;
}
-METHOD(quick_mode_t, get_mid, u_int32_t,
+METHOD(quick_mode_t, get_mid, uint32_t,
private_quick_mode_t *this)
{
return this->mid;
}
METHOD(quick_mode_t, use_reqid, void,
- private_quick_mode_t *this, u_int32_t reqid)
+ private_quick_mode_t *this, uint32_t reqid)
{
this->reqid = reqid;
}
@@ -1385,7 +1387,7 @@ METHOD(quick_mode_t, use_marks, void,
}
METHOD(quick_mode_t, rekey, void,
- private_quick_mode_t *this, u_int32_t spi)
+ private_quick_mode_t *this, uint32_t spi)
{
this->rekey = spi;
}
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.h b/src/libcharon/sa/ikev1/tasks/quick_mode.h
index 062d63465..fe684568a 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.h
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.h
@@ -46,14 +46,14 @@ struct quick_mode_t {
*
* @return message ID, or 0 (not defined yet or as initiator)
*/
- u_int32_t (*get_mid)(quick_mode_t *this);
+ uint32_t (*get_mid)(quick_mode_t *this);
/**
* Use a specific reqid to install this CHILD_SA.
*
* @param reqid reqid to use
*/
- void (*use_reqid)(quick_mode_t *this, u_int32_t reqid);
+ void (*use_reqid)(quick_mode_t *this, uint32_t reqid);
/**
* Use specific mark values, overriding configuration.
@@ -68,7 +68,7 @@ struct quick_mode_t {
*
* @param spi spi of SA to rekey
*/
- void (*rekey)(quick_mode_t *this, u_int32_t spi);
+ void (*rekey)(quick_mode_t *this, uint32_t spi);
};
/**
diff --git a/src/libcharon/sa/ikev1/tasks/xauth.c b/src/libcharon/sa/ikev1/tasks/xauth.c
index ecdfc780d..968b4386c 100644
--- a/src/libcharon/sa/ikev1/tasks/xauth.c
+++ b/src/libcharon/sa/ikev1/tasks/xauth.c
@@ -68,7 +68,7 @@ struct private_xauth_t {
/**
* received identifier
*/
- u_int16_t identifier;
+ uint16_t identifier;
/**
* status of Xauth exchange