Imported Upstream version 5.1.2

6 files changed, 92 insertions, 40 deletions

diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c
index 4d0683f0a..8c7ba8d55 100644
--- a/src/libcharon/sa/ikev2/keymat_v2.c
+++ b/src/libcharon/sa/ikev2/keymat_v2.c
@@ -278,6 +278,7 @@ METHOD(keymat_v2_t, derive_ike_keys, bool,
 	{
 		DBG1(DBG_IKE, "no %N selected",
 			 transform_type_names, PSEUDO_RANDOM_FUNCTION);
+		chunk_clear(&secret);
 		return FALSE;
 	}
 	this->prf_alg = alg;
@@ -287,6 +288,7 @@ METHOD(keymat_v2_t, derive_ike_keys, bool,
 		DBG1(DBG_IKE, "%N %N not supported!",
 			 transform_type_names, PSEUDO_RANDOM_FUNCTION,
 			 pseudo_random_function_names, alg);
+		chunk_clear(&secret);
 		return FALSE;
 	}
 	DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &secret);
@@ -339,6 +341,7 @@ METHOD(keymat_v2_t, derive_ike_keys, bool,
 		{
 			DBG1(DBG_IKE, "PRF of old SA %N not supported!",
 				 pseudo_random_function_names, rekey_function);
+			chunk_clear(&secret);
 			chunk_free(&full_nonce);
 			chunk_free(&fixed_nonce);
 			chunk_clear(&prf_plus_seed);
@@ -450,17 +453,6 @@ METHOD(keymat_v2_t, derive_child_keys, bool,
 	chunk_t seed, secret = chunk_empty;
 	prf_plus_t *prf_plus;
 
-	if (dh)
-	{
-		if (dh->get_shared_secret(dh, &secret) != SUCCESS)
-		{
-			return FALSE;
-		}
-		DBG4(DBG_CHD, "DH secret %B", &secret);
-	}
-	seed = chunk_cata("mcc", secret, nonce_i, nonce_r);
-	DBG4(DBG_CHD, "seed %B", &seed);
-
 	if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
 								&enc_alg, &enc_size))
 	{
@@ -527,7 +519,21 @@ METHOD(keymat_v2_t, derive_child_keys, bool,
 	{
 		return FALSE;
 	}
+
+	if (dh)
+	{
+		if (dh->get_shared_secret(dh, &secret) != SUCCESS)
+		{
+			return FALSE;
+		}
+		DBG4(DBG_CHD, "DH secret %B", &secret);
+	}
+	seed = chunk_cata("scc", secret, nonce_i, nonce_r);
+	DBG4(DBG_CHD, "seed %B", &seed);
+
 	prf_plus = prf_plus_create(this->prf, TRUE, seed);
+	memwipe(seed.ptr, seed.len);
+
 	if (!prf_plus)
 	{
 		return FALSE;
@@ -590,7 +596,7 @@ METHOD(keymat_v2_t, get_auth_octets, bool,
 	idx = chunk_cata("cc", chunk, id->get_encoding(id));
 
 	DBG3(DBG_IKE, "IDx' %B", &idx);
-	DBG3(DBG_IKE, "SK_p %B", &skp);
+	DBG4(DBG_IKE, "SK_p %B", &skp);
 	if (!this->prf->set_key(this->prf, skp) ||
 		!this->prf->allocate_bytes(this->prf, idx, &chunk))
 	{
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index 8e6da1609..ac3be900f 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -184,10 +184,8 @@ METHOD(task_manager_t, flush_queue, void,
 	}
 }
 
-/**
- * flush all tasks in the task manager
- */
-static void flush(private_task_manager_t *this)
+METHOD(task_manager_t, flush, void,
+	private_task_manager_t *this)
 {
 	flush_queue(this, TASK_QUEUE_QUEUED);
 	flush_queue(this, TASK_QUEUE_PASSIVE);
@@ -1231,7 +1229,7 @@ METHOD(task_manager_t, process_message, status_t,
 		lib->scheduler->schedule_job(lib->scheduler, job,
 				lib->settings->get_int(lib->settings,
 						"%s.half_open_timeout", HALF_OPEN_IKE_SA_TIMEOUT,
-						charon->name));
+						lib->ns));
 	}
 	return SUCCESS;
 }
@@ -1569,6 +1567,7 @@ task_manager_v2_t *task_manager_v2_create(ike_sa_t *ike_sa)
 				.adopt_child_tasks = _adopt_child_tasks,
 				.busy = _busy,
 				.create_task_enumerator = _create_task_enumerator,
+				.flush = _flush,
 				.flush_queue = _flush_queue,
 				.destroy = _destroy,
 			},
@@ -1579,11 +1578,11 @@ task_manager_v2_t *task_manager_v2_create(ike_sa_t *ike_sa)
 		.active_tasks = array_create(0, 0),
 		.passive_tasks = array_create(0, 0),
 		.retransmit_tries = lib->settings->get_int(lib->settings,
-					"%s.retransmit_tries", RETRANSMIT_TRIES, charon->name),
+					"%s.retransmit_tries", RETRANSMIT_TRIES, lib->ns),
 		.retransmit_timeout = lib->settings->get_double(lib->settings,
-					"%s.retransmit_timeout", RETRANSMIT_TIMEOUT, charon->name),
+					"%s.retransmit_timeout", RETRANSMIT_TIMEOUT, lib->ns),
 		.retransmit_base = lib->settings->get_double(lib->settings,
-					"%s.retransmit_base", RETRANSMIT_BASE, charon->name),
+					"%s.retransmit_base", RETRANSMIT_BASE, lib->ns),
 	);
 
 	return &this->public;
diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
index 7cfa537a9..df7bc96d6 100644
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
@@ -293,7 +293,7 @@ static void schedule_inactivity_timeout(private_child_create_t *this)
 	if (timeout)
 	{
 		close_ike = lib->settings->get_bool(lib->settings,
-								"%s.inactivity_close_ike", FALSE, charon->name);
+									"%s.inactivity_close_ike", FALSE, lib->ns);
 		lib->scheduler->schedule_job(lib->scheduler, (job_t*)
 				inactivity_job_create(this->child_sa->get_reqid(this->child_sa),
 									  timeout, close_ike), timeout);
@@ -1072,7 +1072,7 @@ static void handle_child_sa_failure(private_child_create_t *this,
 {
 	if (message->get_exchange_type(message) == IKE_AUTH &&
 		lib->settings->get_bool(lib->settings,
-								"%s.close_ike_on_child_failure", FALSE, charon->name))
+								"%s.close_ike_on_child_failure", FALSE, lib->ns))
 	{
 		/* we delay the delete for 100ms, as the IKE_AUTH response must arrive
 		 * first */
diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c
index 8f83c4884..800dab07e 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_auth.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
@@ -120,7 +120,7 @@ struct private_ike_auth_t {
 static bool multiple_auth_enabled()
 {
 	return lib->settings->get_bool(lib->settings,
-							"%s.multiple_authentication", TRUE, charon->name);
+								   "%s.multiple_authentication", TRUE, lib->ns);
 }
 
 /**
diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
index 2cbe8f8c5..bd28b29d7 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
@@ -428,7 +428,7 @@ static void build_certreqs(private_ike_cert_pre_t *this, message_t *message)
 		message->add_payload(message, (payload_t*)req);
 
 		if (lib->settings->get_bool(lib->settings,
-									"%s.hash_and_url", FALSE, charon->name))
+									"%s.hash_and_url", FALSE, lib->ns))
 		{
 			message->add_notify(message, FALSE, HTTP_CERT_LOOKUP_SUPPORTED,
 								chunk_empty);
diff --git a/src/libcharon/sa/ikev2/tasks/ike_vendor.c b/src/libcharon/sa/ikev2/tasks/ike_vendor.c
index 2730f5876..16ac16673 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_vendor.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_vendor.c
@@ -42,24 +42,60 @@ struct private_ike_vendor_t {
 };
 
 /**
- * strongSwan specific vendor ID without version, MD5("strongSwan")
+ * Vendor ID database entry
  */
-static chunk_t strongswan_vid = chunk_from_chars(
-	0x88,0x2f,0xe5,0x6d,0x6f,0xd2,0x0d,0xbc,
-	0x22,0x51,0x61,0x3b,0x2e,0xbe,0x5b,0xeb
-);
+typedef struct {
+	/* Description */
+	char *desc;
+	/* extension flag negotiated with vendor ID, if any */
+	ike_extension_t extension;
+	/* length of vendor ID string, 0 for NULL terminated */
+	int len;
+	/* vendor ID string */
+	char *id;
+} vid_data_t;
+
+/**
+ * Get the data of a vendor ID as a chunk
+ */
+static chunk_t get_vid_data(vid_data_t *data)
+{
+	return chunk_create(data->id, data->len ?: strlen(data->id));
+}
+
+/**
+ * IKEv2 Vendor ID database entry
+ */
+static vid_data_t vids[] = {
+	/* strongSwan MD5("strongSwan") */
+	{ "strongSwan", EXT_STRONGSWAN, 16,
+	  "\x88\x2f\xe5\x6d\x6f\xd2\x0d\xbc\x22\x51\x61\x3b\x2e\xbe\x5b\xeb"},
+	{ "Cisco Delete Reason", 0, 0,
+	  "CISCO-DELETE-REASON" },
+	{ "Cisco Copyright (c) 2009", 0, 0,
+	  "CISCO(COPYRIGHT)&Copyright (c) 2009 Cisco Systems, Inc." },
+	{ "FRAGMENTATION", 0, 16,
+	  "\x40\x48\xb7\xd5\x6e\xbc\xe8\x85\x25\xe7\xde\x7f\x00\xd6\xc2\xd3"},
+};
 
 METHOD(task_t, build, status_t,
 	private_ike_vendor_t *this, message_t *message)
 {
-	if (lib->settings->get_bool(lib->settings,
-								"%s.send_vendor_id", FALSE, charon->name))
-	{
-		vendor_id_payload_t *vid;
+	vendor_id_payload_t *vid;
+	bool strongswan;
+	int i;
 
-		vid = vendor_id_payload_create_data(VENDOR_ID,
-											chunk_clone(strongswan_vid));
-		message->add_payload(message, &vid->payload_interface);
+	strongswan = lib->settings->get_bool(lib->settings,
+							"%s.send_vendor_id", FALSE, lib->ns);
+	for (i = 0; i < countof(vids); i++)
+	{
+		if (vids[i].extension == EXT_STRONGSWAN && strongswan)
+		{
+			DBG2(DBG_IKE, "sending %s vendor ID", vids[i].desc);
+			vid = vendor_id_payload_create_data(VENDOR_ID,
+										chunk_clone(get_vid_data(&vids[i])));
+			message->add_payload(message, &vid->payload_interface);
+		}
 	}
 
 	return this->initiator ? NEED_MORE : SUCCESS;
@@ -70,6 +106,7 @@ METHOD(task_t, process, status_t,
 {
 	enumerator_t *enumerator;
 	payload_t *payload;
+	int i;
 
 	enumerator = message->create_payload_enumerator(message);
 	while (enumerator->enumerate(enumerator, &payload))
@@ -78,16 +115,26 @@ METHOD(task_t, process, status_t,
 		{
 			vendor_id_payload_t *vid;
 			chunk_t data;
+			bool found = FALSE;
 
 			vid = (vendor_id_payload_t*)payload;
 			data = vid->get_data(vid);
 
-			if (chunk_equals(data, strongswan_vid))
+			for (i = 0; i < countof(vids); i++)
 			{
-				DBG1(DBG_IKE, "received strongSwan vendor ID");
-				this->ike_sa->enable_extension(this->ike_sa, EXT_STRONGSWAN);
+				if (chunk_equals(get_vid_data(&vids[i]), data))
+				{
+					DBG1(DBG_IKE, "received %s vendor ID", vids[i].desc);
+					if (vids[i].extension)
+					{
+						this->ike_sa->enable_extension(this->ike_sa,
+													   vids[i].extension);
+					}
+					found = TRUE;
+					break;
+				}
 			}
-			else
+			if (!found)
 			{
 				DBG1(DBG_ENC, "received unknown vendor ID: %#B", &data);
 			}