authorYves-Alexis Perez <corsac@debian.org>2015-11-18 15:19:06 +0100
committerYves-Alexis Perez <corsac@debian.org>2015-11-18 15:19:06 +0100
commitfb6324eb165d1577bc4541bc2fc6758c56da2a95 (patch)
treeafbc98168e056e7839ac0dc434db8f88ffb34833 /src/libcharon/sa/ikev2
parentea6a577e967da0ee954b06b7bdc6796e97eb9b2b (diff)
parent1e980d6be0ef0e243c6fe82b5e855454b97e24a4 (diff)
Merge tag 'upstream/5.3.4'
Upstream version 5.3.4
Diffstat (limited to 'src/libcharon/sa/ikev2')
-rw-r--r--src/libcharon/sa/ikev2/keymat_v2.c1
-rw-r--r--src/libcharon/sa/ikev2/tasks/child_create.c4
-rw-r--r--src/libcharon/sa/ikev2/tasks/child_delete.c4
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_mobike.c6
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_natd.c28
5 files changed, 18 insertions, 25 deletions
diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c
index fce0840e3..55cb5dd9c 100644
--- a/src/libcharon/sa/ikev2/keymat_v2.c
+++ b/src/libcharon/sa/ikev2/keymat_v2.c
@@ -527,6 +527,7 @@ METHOD(keymat_v2_t, derive_child_keys, bool,
case ENCR_AES_GCM_ICV12:
case ENCR_AES_GCM_ICV16:
case ENCR_AES_CTR:
+ case ENCR_CAMELLIA_CTR:
case ENCR_NULL_AUTH_AES_GMAC:
case ENCR_CHACHA20_POLY1305:
enc_size += 4;
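Review bot: The case list at lines 29–34 gives no reason for the extra 4 key bytes, and adding ENCR_CAMELLIA_CTR to it is a good moment to state one; a comment before `enc_size += 4;` such as `/* counter and AEAD modes carry a 4-byte nonce/salt in the key material (RFC 3686, RFC 5529, RFC 4106, RFC 7634) */` would document why these algorithms are grouped. The switch and derive_child_keys() continue outside the hunk, so place the comment according to whatever grouping the full switch uses.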
diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
index e08f3dab1..97f73d851 100644
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
@@ -712,7 +712,7 @@ static status_t select_and_install(private_child_create_t *this,
this->child_sa->create_ts_enumerator(this->child_sa, FALSE));
DBG0(DBG_IKE, "CHILD_SA %s{%d} established "
- "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
+ "with SPIs %.8x_i %.8x_o and TS %#R === %#R",
this->child_sa->get_name(this->child_sa),
this->child_sa->get_unique_id(this->child_sa),
ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
@@ -1245,7 +1245,7 @@ METHOD(task_t, build_r, status_t,
}
if (this->config == NULL)
{
- DBG1(DBG_IKE, "traffic selectors %#R=== %#R inacceptable",
+ DBG1(DBG_IKE, "traffic selectors %#R === %#R inacceptable",
this->tsr, this->tsi);
charon->bus->alert(charon->bus, ALERT_TS_MISMATCH, this->tsi, this->tsr);
message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty);
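Review bot: Line 53 keeps the misspelling "inacceptable" while the format string is being touched anyway; `DBG1(DBG_IKE, "traffic selectors %#R === %#R unacceptable",` reads correctly. Because this is a log line operators may match on, a wording change should be mentioned in the release notes if any tooling depends on it. The spacing fix itself (here, at line 44 and in child_delete.c) is fine as is.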
diff --git a/src/libcharon/sa/ikev2/tasks/child_delete.c b/src/libcharon/sa/ikev2/tasks/child_delete.c
index f0b11e291..877ae0531 100644
--- a/src/libcharon/sa/ikev2/tasks/child_delete.c
+++ b/src/libcharon/sa/ikev2/tasks/child_delete.c
@@ -266,7 +266,7 @@ static void log_children(private_child_delete_t *this)
if (this->expired)
{
DBG0(DBG_IKE, "closing expired CHILD_SA %s{%d} "
- "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
+ "with SPIs %.8x_i %.8x_o and TS %#R === %#R",
child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa),
ntohl(child_sa->get_spi(child_sa, TRUE)),
ntohl(child_sa->get_spi(child_sa, FALSE)), my_ts, other_ts);
@@ -277,7 +277,7 @@ static void log_children(private_child_delete_t *this)
child_sa->get_usestats(child_sa, FALSE, NULL, &bytes_out, NULL);
DBG0(DBG_IKE, "closing CHILD_SA %s{%d} with SPIs %.8x_i "
- "(%llu bytes) %.8x_o (%llu bytes) and TS %#R=== %#R",
+ "(%llu bytes) %.8x_o (%llu bytes) and TS %#R === %#R",
child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa),
ntohl(child_sa->get_spi(child_sa, TRUE)), bytes_in,
ntohl(child_sa->get_spi(child_sa, FALSE)), bytes_out,
diff --git a/src/libcharon/sa/ikev2/tasks/ike_mobike.c b/src/libcharon/sa/ikev2/tasks/ike_mobike.c
index 11b0bb281..cbdc5e797 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_mobike.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_mobike.c
@@ -339,7 +339,11 @@ METHOD(ike_mobike_t, transmit, bool,
{
if (me->ip_equals(me, me_old))
{
- charon->sender->send(charon->sender, packet->clone(packet));
+ copy = packet->clone(packet);
+ /* hosts might have been updated by a peer's MOBIKE exchange */
+ copy->set_source(copy, me_old->clone(me_old));
+ copy->set_destination(copy, other_old->clone(other_old));
+ charon->sender->send(charon->sender, copy);
me->destroy(me);
return TRUE;
}
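Review bot: The clone's source and destination are replaced unconditionally at lines 89–90 although the condition at line 84 only establishes that the local address is unchanged; the comment at line 88 should say what these lines rely on, e.g. `/* packet carries the IKE_SA's current hosts, which a peer's MOBIKE update may have changed; send this probe to the pair it was built for */`, hedged here because where `packet`'s addresses come from is outside the hunk. `copy` is not declared within the hunk; its declaration is presumably added in the part of transmit() above, and the function continues below line 94. The `me_old->clone()`/`other_old->clone()` calls assume set_source()/set_destination() take ownership of the host; if they do the clones are required, otherwise both leak on every send, so this is worth confirming against packet_t.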
diff --git a/src/libcharon/sa/ikev2/tasks/ike_natd.c b/src/libcharon/sa/ikev2/tasks/ike_natd.c
index 9e0eb68ce..dd34c1234 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_natd.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_natd.c
@@ -129,25 +129,6 @@ static chunk_t generate_natd_hash(private_ike_natd_t *this,
}
/**
- * build a faked NATD payload to enforce UDP encap
- */
-static chunk_t generate_natd_hash_faked(private_ike_natd_t *this)
-{
- rng_t *rng;
- chunk_t chunk;
-
- rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
- if (!rng || !rng->allocate_bytes(rng, HASH_SIZE_SHA1, &chunk))
- {
- DBG1(DBG_IKE, "unable to get random bytes for NATD fake");
- DESTROY_IF(rng);
- return chunk_empty;
- }
- rng->destroy(rng);
- return chunk;
-}
-
-/**
* Build a NAT detection notify payload.
*/
static notify_payload_t *build_natd_payload(private_ike_natd_t *this,
@@ -162,7 +143,14 @@ static notify_payload_t *build_natd_payload(private_ike_natd_t *this,
config = this->ike_sa->get_ike_cfg(this->ike_sa);
if (force_encap(config) && type == NAT_DETECTION_SOURCE_IP)
{
- hash = generate_natd_hash_faked(this);
+ u_int32_t addr;
+
+ /* chunk_hash() is randomly keyed so this produces a random IPv4 address
+ * that changes with every restart but otherwise stays the same */
+ addr = chunk_hash(chunk_from_chars(0x00, 0x00, 0x00, 0x00));
+ host = host_create_from_chunk(AF_INET, chunk_from_thing(addr), 0);
+ hash = generate_natd_hash(this, ike_sa_id, host);
+ host->destroy(host);
}
else
{
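Review bot: The host returned by `host_create_from_chunk()` at line 134 is passed to generate_natd_hash() and destroyed without a NULL check; with AF_INET and the 4-byte `chunk_from_thing(addr)` that should always succeed, but a guard such as `if (!host) { /* fail as build_natd_payload does for an empty hash */ }` would keep the explicit failure path the removed generate_natd_hash_faked() had via chunk_empty, and build_natd_payload() continues outside the hunk so its existing failure handling is not visible here. The comment at lines 131–132 attributes the detection mismatch to the random address, yet the port 0 passed as the last argument would by itself make the NAT-D hash differ from any real source, assuming generate_natd_hash() (defined above the hunk) covers the port as RFC 7296 §2.23 specifies; extending the comment to say so explains why a per-process constant, rather than fresh random bytes, is sufficient.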