author | René Mayrhofer <rene@mayrhofer.eu.org> | 2011-03-05 09:29:19 +0100 |
---|---|---|
committer | René Mayrhofer <rene@mayrhofer.eu.org> | 2011-03-05 09:29:19 +0100 |
commit | 365e71f706b40c32173fa06c6feaac48c1527520 (patch) | |
tree | 54fa72a914d18c9430eaa54f3de4a2d4419198af /src/libcharon/sa/tasks | |
parent | 5d7669b7b3563c50b3c86903e0a49373d597b8a0 (diff) | |
parent | 568905f488e63e28778f87ac0e38d845f45bae79 (diff) | |
download | vyos-strongswan-365e71f706b40c32173fa06c6feaac48c1527520.tar.gz vyos-strongswan-365e71f706b40c32173fa06c6feaac48c1527520.zip |
Fixed merge, don't know why this didn't happen automatically - maybe a leftover from the svn->git conversion
Diffstat (limited to 'src/libcharon/sa/tasks')
-rw-r--r-- | src/libcharon/sa/tasks/child_create.c | 150 | ||||
-rw-r--r-- | src/libcharon/sa/tasks/child_rekey.c | 12 | ||||
-rw-r--r-- | src/libcharon/sa/tasks/ike_auth.c | 211 | ||||
-rw-r--r-- | src/libcharon/sa/tasks/ike_cert_pre.c | 33 | ||||
-rw-r--r-- | src/libcharon/sa/tasks/ike_rekey.c | 13 |
5 files changed, 419 insertions, 0 deletions
diff --git a/src/libcharon/sa/tasks/child_create.c b/src/libcharon/sa/tasks/child_create.c index 57beedba9..16f7b6d81 100644 --- a/src/libcharon/sa/tasks/child_create.c +++ b/src/libcharon/sa/tasks/child_create.c @@ -117,6 +117,14 @@ struct private_child_create_t { ipsec_mode_t mode; /** +<<<<<<< HEAD +======= + * peer accepts TFC padding for this SA + */ + bool tfcv3; + + /** +>>>>>>> upstream/4.5.1 * IPComp transform to use */ ipcomp_transform_t ipcomp; @@ -455,6 +463,7 @@ static status_t select_and_install(private_child_create_t *this, { if (this->initiator) { +<<<<<<< HEAD status_i = this->child_sa->install(this->child_sa, encr_r, integ_r, this->my_spi, this->my_cpi, TRUE, my_ts, other_ts); status_o = this->child_sa->install(this->child_sa, encr_i, integ_i, @@ -466,6 +475,23 @@ static status_t select_and_install(private_child_create_t *this, this->my_spi, this->my_cpi, TRUE, my_ts, other_ts); status_o = this->child_sa->install(this->child_sa, encr_r, integ_r, this->other_spi, this->other_cpi, FALSE, my_ts, other_ts); +======= + status_i = this->child_sa->install(this->child_sa, + encr_r, integ_r, this->my_spi, this->my_cpi, + TRUE, this->tfcv3, my_ts, other_ts); + status_o = this->child_sa->install(this->child_sa, + encr_i, integ_i, this->other_spi, this->other_cpi, + FALSE, this->tfcv3, my_ts, other_ts); + } + else + { + status_i = this->child_sa->install(this->child_sa, + encr_i, integ_i, this->my_spi, this->my_cpi, + TRUE, this->tfcv3, my_ts, other_ts); + status_o = this->child_sa->install(this->child_sa, + encr_r, integ_r, this->other_spi, this->other_cpi, + FALSE, this->tfcv3, my_ts, other_ts); +>>>>>>> upstream/4.5.1 } } chunk_clear(&integ_i); 
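Review bot: The new side of every hunk in this commit still carries the unresolved conflict markers `<<<<<<< HEAD`, `=======` and `>>>>>>> upstream/4.5.1` as added lines, so despite the "Fixed merge" title none of the five files (child_create.c here, and the child_rekey.c, ike_auth.c, ike_cert_pre.c and ike_rekey.c hunks below) will compile: the markers are not valid C, and the definitions between them are duplicated, e.g. `build_i` exists both as `static status_t build_i(...)` and as `METHOD(task_t, build_i, status_t, ...)`. Each conflicted region needs one side chosen, and the choice must be consistent across the file: the `bool tfcv3;` field added to `private_child_create_t` at the top of this file exists only on the upstream side, and it is what the `this->child_sa->install(..., this->tfcv3, ...)` calls in `select_and_install` and the `.tfcv3 = TRUE` initializer in `child_create_create` rely on. Whether `child_sa_t.install` in this tree already takes that extra argument cannot be seen from the diff, so the resolution should be checked against the header rather than by picking HEAD or upstream uniformly. `select_and_install` and the other functions shown start and end outside these hunks.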
@@ -631,7 +657,17 @@ static void handle_notify(private_child_create_t *this, notify_payload_t *notify ipcomp_transform_names, ipcomp); break; } +<<<<<<< HEAD } +======= + break; + } + case ESP_TFC_PADDING_NOT_SUPPORTED: + DBG1(DBG_IKE, "received %N, not using ESPv3 TFC padding", + notify_type_names, notify->get_notify_type(notify)); + this->tfcv3 = FALSE; + break; +>>>>>>> upstream/4.5.1 default: break; } @@ -691,10 +727,15 @@ static void process_payloads(private_child_create_t *this, message_t *message) enumerator->destroy(enumerator); } +<<<<<<< HEAD /** * Implementation of task_t.build for initiator */ static status_t build_i(private_child_create_t *this, message_t *message) +======= +METHOD(task_t, build_i, status_t, + private_child_create_t *this, message_t *message) +>>>>>>> upstream/4.5.1 { host_t *me, *other, *vip; peer_cfg_t *peer_cfg; @@ -831,10 +872,15 @@ static status_t build_i(private_child_create_t *this, message_t *message) return NEED_MORE; } +<<<<<<< HEAD /** * Implementation of task_t.process for responder */ static status_t process_r(private_child_create_t *this, message_t *message) +======= +METHOD(task_t, process_r, status_t, + private_child_create_t *this, message_t *message) +>>>>>>> upstream/4.5.1 { switch (message->get_exchange_type(message)) { @@ -877,10 +923,15 @@ static void handle_child_sa_failure(private_child_create_t *this, } } +<<<<<<< HEAD /** * Implementation of task_t.build for responder */ static status_t build_r(private_child_create_t *this, message_t *message) +======= +METHOD(task_t, build_r, status_t, + private_child_create_t *this, message_t *message) +>>>>>>> upstream/4.5.1 { peer_cfg_t *peer_cfg; payload_t *payload; 
@@ -958,7 +1009,11 @@ static status_t build_r(private_child_create_t *this, message_t *message) case INTERNAL_ADDRESS_FAILURE: case FAILED_CP_REQUIRED: { +<<<<<<< HEAD DBG1(DBG_IKE,"configuration payload negotation " +======= + DBG1(DBG_IKE,"configuration payload negotiation " +>>>>>>> upstream/4.5.1 "failed, no CHILD_SA built"); enumerator->destroy(enumerator); handle_child_sa_failure(this, message); @@ -1029,10 +1084,15 @@ static status_t build_r(private_child_create_t *this, message_t *message) return SUCCESS; } +<<<<<<< HEAD /** * Implementation of task_t.process for initiator */ static status_t process_i(private_child_create_t *this, message_t *message) +======= +METHOD(task_t, process_i, status_t, + private_child_create_t *this, message_t *message) +>>>>>>> upstream/4.5.1 { enumerator_t *enumerator; payload_t *payload; @@ -1103,7 +1163,25 @@ static status_t process_i(private_child_create_t *this, message_t *message) return NEED_MORE; } default: +<<<<<<< HEAD + break; +======= + { + if (message->get_exchange_type(message) == CREATE_CHILD_SA) + { /* handle notifies if not handled in IKE_AUTH */ + if (type <= 16383) + { + DBG1(DBG_IKE, "received %N notify error", + notify_type_names, type); + enumerator->destroy(enumerator); + return SUCCESS; + } + DBG2(DBG_IKE, "received %N notify", + notify_type_names, type); + } break; + } +>>>>>>> upstream/4.5.1 } } } @@ -1155,6 +1233,7 @@ static status_t process_i(private_child_create_t *this, message_t *message) return SUCCESS; } +<<<<<<< HEAD /** * Implementation of task_t.get_type */ 
@@ -1167,22 +1246,36 @@ static task_type_t get_type(private_child_create_t *this) * Implementation of child_create_t.use_reqid */ static void use_reqid(private_child_create_t *this, u_int32_t reqid) +======= +METHOD(child_create_t, use_reqid, void, + private_child_create_t *this, u_int32_t reqid) +>>>>>>> upstream/4.5.1 { this->reqid = reqid; } +<<<<<<< HEAD /** * Implementation of child_create_t.get_child */ static child_sa_t* get_child(private_child_create_t *this) +======= +METHOD(child_create_t, get_child, child_sa_t*, + private_child_create_t *this) +>>>>>>> upstream/4.5.1 { return this->child_sa; } +<<<<<<< HEAD /** * Implementation of child_create_t.get_lower_nonce */ static chunk_t get_lower_nonce(private_child_create_t *this) +======= +METHOD(child_create_t, get_lower_nonce, chunk_t, + private_child_create_t *this) +>>>>>>> upstream/4.5.1 { if (memcmp(this->my_nonce.ptr, this->other_nonce.ptr, min(this->my_nonce.len, this->other_nonce.len)) < 0) @@ -1195,10 +1288,21 @@ static chunk_t get_lower_nonce(private_child_create_t *this) } } +<<<<<<< HEAD /** * Implementation of task_t.migrate */ static void migrate(private_child_create_t *this, ike_sa_t *ike_sa) +======= +METHOD(task_t, get_type, task_type_t, + private_child_create_t *this) +{ + return CHILD_CREATE; +} + +METHOD(task_t, migrate, void, + private_child_create_t *this, ike_sa_t *ike_sa) +>>>>>>> upstream/4.5.1 { chunk_free(&this->my_nonce); chunk_free(&this->other_nonce); @@ -1234,10 +1338,15 @@ static void migrate(private_child_create_t *this, ike_sa_t *ike_sa) this->established = FALSE; } +<<<<<<< HEAD /** * Implementation of task_t.destroy */ static void destroy(private_child_create_t *this) +======= +METHOD(task_t, destroy, void, + private_child_create_t *this) +>>>>>>> upstream/4.5.1 { chunk_free(&this->my_nonce); chunk_free(&this->other_nonce); 
@@ -1273,6 +1382,7 @@ child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config, bool rekey, traffic_selector_t *tsi, traffic_selector_t *tsr) { +<<<<<<< HEAD private_child_create_t *this = malloc_thing(private_child_create_t); this->public.get_child = (child_sa_t*(*)(child_create_t*))get_child; @@ -1285,11 +1395,44 @@ child_create_t *child_create_create(ike_sa_t *ike_sa, { this->public.task.build = (status_t(*)(task_t*,message_t*))build_i; this->public.task.process = (status_t(*)(task_t*,message_t*))process_i; +======= + private_child_create_t *this; + + INIT(this, + .public = { + .get_child = _get_child, + .get_lower_nonce = _get_lower_nonce, + .use_reqid = _use_reqid, + .task = { + .get_type = _get_type, + .migrate = _migrate, + .destroy = _destroy, + }, + }, + .ike_sa = ike_sa, + .config = config, + .packet_tsi = tsi ? tsi->clone(tsi) : NULL, + .packet_tsr = tsr ? tsr->clone(tsr) : NULL, + .dh_group = MODP_NONE, + .keymat = ike_sa->get_keymat(ike_sa), + .mode = MODE_TUNNEL, + .tfcv3 = TRUE, + .ipcomp = IPCOMP_NONE, + .ipcomp_received = IPCOMP_NONE, + .rekey = rekey, + ); + + if (config) + { + this->public.task.build = _build_i; + this->public.task.process = _process_i; +>>>>>>> upstream/4.5.1 this->initiator = TRUE; config->get_ref(config); } else { +<<<<<<< HEAD this->public.task.build = (status_t(*)(task_t*,message_t*))build_r; this->public.task.process = (status_t(*)(task_t*,message_t*))process_r; this->initiator = FALSE; @@ -1320,5 +1463,12 @@ child_create_t *child_create_create(ike_sa_t *ike_sa, this->established = FALSE; this->rekey = rekey; +======= + this->public.task.build = _build_r; + this->public.task.process = _process_r; + this->initiator = FALSE; + } + +>>>>>>> upstream/4.5.1 return &this->public; } diff --git a/src/libcharon/sa/tasks/child_rekey.c b/src/libcharon/sa/tasks/child_rekey.c index fdaaea4b8..5ffe49293 100644 --- a/src/libcharon/sa/tasks/child_rekey.c +++ b/src/libcharon/sa/tasks/child_rekey.c 
@@ -241,12 +241,20 @@ static child_sa_t *handle_collision(private_child_rekey_t *this) /* if we have the lower nonce, delete rekeyed SA. If not, delete * the redundant. */ if (memcmp(this_nonce.ptr, other_nonce.ptr, +<<<<<<< HEAD min(this_nonce.len, other_nonce.len)) < 0) { child_sa_t *child_sa; DBG1(DBG_IKE, "CHILD_SA rekey collision won, " "deleting rekeyed child"); +======= + min(this_nonce.len, other_nonce.len)) > 0) + { + child_sa_t *child_sa; + + DBG1(DBG_IKE, "CHILD_SA rekey collision won, deleting old child"); +>>>>>>> upstream/4.5.1 to_delete = this->child_sa; /* don't touch child other created, it has already been deleted */ if (!this->other_child_destroyed) @@ -259,7 +267,11 @@ static child_sa_t *handle_collision(private_child_rekey_t *this) else { DBG1(DBG_IKE, "CHILD_SA rekey collision lost, " +<<<<<<< HEAD "deleting redundant child"); +======= + "deleting rekeyed child"); +>>>>>>> upstream/4.5.1 to_delete = this->child_create->get_child(this->child_create); } } diff --git a/src/libcharon/sa/tasks/ike_auth.c b/src/libcharon/sa/tasks/ike_auth.c index b440ec811..fbc177d6f 100644 --- a/src/libcharon/sa/tasks/ike_auth.c +++ b/src/libcharon/sa/tasks/ike_auth.c @@ -68,6 +68,14 @@ struct private_ike_auth_t { packet_t *other_packet; /** +<<<<<<< HEAD +======= + * Reserved bytes of ID payload + */ + char reserved[3]; + + /** +>>>>>>> upstream/4.5.1 * currently active authenticator, to authenticate us */ authenticator_t *my_auth; @@ -101,6 +109,14 @@ struct private_ike_auth_t { * should we send a AUTHENTICATION_FAILED notify? */ bool authentication_failed; +<<<<<<< HEAD +======= + + /** + * received an INITIAL_CONTACT? + */ + bool initial_contact; +>>>>>>> upstream/4.5.1 }; /** 
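Review bot: Once the conflict in `handle_collision` is resolved in favour of the upstream/4.5.1 side, the context comment above the `memcmp`, `/* if we have the lower nonce, delete rekeyed SA. If not, delete the redundant. */`, no longer matches the code: that side deletes the rekeyed child when `memcmp(...) > 0`, i.e. when this peer holds the higher nonce, and the two log messages were swapped to say so. I would update the comment to `/* if we have the higher nonce, delete the rekeyed SA; otherwise delete the redundant one */` so the winner/loser rule is readable without tracing the compare. The same stale comment sits above the identical `< 0` to `> 0` change in the ike_rekey.c hunk at the end of this diff and should be fixed together with it. `handle_collision` starts and ends outside this hunk.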
@@ -160,6 +176,27 @@ static status_t collect_other_init_data(private_ike_auth_t *this, } /** +<<<<<<< HEAD +======= + * Get and store reserved bytes of id_payload, required for AUTH payload + */ +static void get_reserved_id_bytes(private_ike_auth_t *this, id_payload_t *id) +{ + u_int8_t *byte; + int i; + + for (i = 0; i < countof(this->reserved); i++) + { + byte = payload_get_field(&id->payload_interface, RESERVED_BYTE, i); + if (byte) + { + this->reserved[i] = *byte; + } + } +} + +/** +>>>>>>> upstream/4.5.1 * Get the next authentication configuration */ static auth_cfg_t *get_auth_cfg(private_ike_auth_t *this, bool local) @@ -329,10 +366,15 @@ static bool update_cfg_candidates(private_ike_auth_t *this, bool strict) return this->peer_cfg != NULL; } +<<<<<<< HEAD /** * Implementation of task_t.build for initiator */ static status_t build_i(private_ike_auth_t *this, message_t *message) +======= +METHOD(task_t, build_i, status_t, + private_ike_auth_t *this, message_t *message) +>>>>>>> upstream/4.5.1 { auth_cfg_t *cfg; @@ -367,7 +409,11 @@ static status_t build_i(private_ike_auth_t *this, message_t *message) /* check if an authenticator is in progress */ if (this->my_auth == NULL) { +<<<<<<< HEAD identification_t *id; +======= + identification_t *idi, *idr = NULL; +>>>>>>> upstream/4.5.1 id_payload_t *id_payload; /* clean up authentication config from a previous round */ 
@@ -378,33 +424,73 @@ static status_t build_i(private_ike_auth_t *this, message_t *message) cfg = get_auth_cfg(this, FALSE); if (cfg) { +<<<<<<< HEAD id = cfg->get(cfg, AUTH_RULE_IDENTITY); if (id && !id->contains_wildcards(id)) { this->ike_sa->set_other_id(this->ike_sa, id->clone(id)); id_payload = id_payload_create_from_identification( ID_RESPONDER, id); +======= + idr = cfg->get(cfg, AUTH_RULE_IDENTITY); + if (idr && !idr->contains_wildcards(idr)) + { + this->ike_sa->set_other_id(this->ike_sa, idr->clone(idr)); + id_payload = id_payload_create_from_identification( + ID_RESPONDER, idr); +>>>>>>> upstream/4.5.1 message->add_payload(message, (payload_t*)id_payload); } } /* add IDi */ cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE); cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE); +<<<<<<< HEAD id = cfg->get(cfg, AUTH_RULE_IDENTITY); if (!id) +======= + idi = cfg->get(cfg, AUTH_RULE_IDENTITY); + if (!idi) +>>>>>>> upstream/4.5.1 { DBG1(DBG_CFG, "configuration misses IDi"); return FAILED; } +<<<<<<< HEAD this->ike_sa->set_my_id(this->ike_sa, id->clone(id)); id_payload = id_payload_create_from_identification(ID_INITIATOR, id); message->add_payload(message, (payload_t*)id_payload); +======= + this->ike_sa->set_my_id(this->ike_sa, idi->clone(idi)); + id_payload = id_payload_create_from_identification(ID_INITIATOR, idi); + get_reserved_id_bytes(this, id_payload); + message->add_payload(message, (payload_t*)id_payload); + + if (idr && message->get_message_id(message) == 1 && + this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NO) + { + host_t *host; + + host = this->ike_sa->get_other_host(this->ike_sa); + if (!charon->ike_sa_manager->has_contact(charon->ike_sa_manager, + idi, idr, host->get_family(host))) + { + message->add_notify(message, FALSE, INITIAL_CONTACT, chunk_empty); + } + } + +>>>>>>> upstream/4.5.1 /* build authentication data */ this->my_auth = authenticator_create_builder(this->ike_sa, cfg, this->other_nonce, this->my_nonce, 
this->other_packet->get_data(this->other_packet), +<<<<<<< HEAD this->my_packet->get_data(this->my_packet)); +======= + this->my_packet->get_data(this->my_packet), + this->reserved); +>>>>>>> upstream/4.5.1 if (!this->my_auth) { return FAILED; @@ -441,10 +527,15 @@ static status_t build_i(private_ike_auth_t *this, message_t *message) return NEED_MORE; } +<<<<<<< HEAD /** * Implementation of task_t.process for responder */ static status_t process_r(private_ike_auth_t *this, message_t *message) +======= +METHOD(task_t, process_r, status_t, + private_ike_auth_t *this, message_t *message) +>>>>>>> upstream/4.5.1 { auth_cfg_t *cfg, *cand; id_payload_t *id_payload; @@ -498,6 +589,10 @@ static status_t process_r(private_ike_auth_t *this, message_t *message) return FAILED; } id = id_payload->get_identification(id_payload); +<<<<<<< HEAD +======= + get_reserved_id_bytes(this, id_payload); +>>>>>>> upstream/4.5.1 this->ike_sa->set_other_id(this->ike_sa, id); cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id)); @@ -548,7 +643,12 @@ static status_t process_r(private_ike_auth_t *this, message_t *message) this->other_auth = authenticator_create_verifier(this->ike_sa, message, this->other_nonce, this->my_nonce, this->other_packet->get_data(this->other_packet), +<<<<<<< HEAD this->my_packet->get_data(this->my_packet)); +======= + this->my_packet->get_data(this->my_packet), + this->reserved); +>>>>>>> upstream/4.5.1 if (!this->other_auth) { this->authentication_failed = TRUE; 
@@ -572,10 +672,20 @@ static status_t process_r(private_ike_auth_t *this, message_t *message) return NEED_MORE; } +<<<<<<< HEAD /* store authentication information */ cfg = auth_cfg_create(); cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE); this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg); +======= + /* If authenticated (with non-EAP) and received INITIAL_CONTACT, + * delete any existing IKE_SAs with that peer. */ + if (message->get_message_id(message) == 1 && + message->get_notify(message, INITIAL_CONTACT)) + { + this->initial_contact = TRUE; + } +>>>>>>> upstream/4.5.1 /* another auth round done, invoke authorize hook */ if (!charon->bus->authorize(charon->bus, FALSE)) @@ -585,6 +695,14 @@ static status_t process_r(private_ike_auth_t *this, message_t *message) return NEED_MORE; } +<<<<<<< HEAD +======= + /* store authentication information */ + cfg = auth_cfg_create(); + cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE); + this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg); + +>>>>>>> upstream/4.5.1 if (!update_cfg_candidates(this, FALSE)) { this->authentication_failed = TRUE; @@ -603,10 +721,15 @@ static status_t process_r(private_ike_auth_t *this, message_t *message) return NEED_MORE; } +<<<<<<< HEAD /** * Implementation of task_t.build for responder */ static status_t build_r(private_ike_auth_t *this, message_t *message) +======= +METHOD(task_t, build_r, status_t, + private_ike_auth_t *this, message_t *message) +>>>>>>> upstream/4.5.1 { auth_cfg_t *cfg; 
@@ -662,8 +785,21 @@ static status_t build_r(private_ike_auth_t *this, message_t *message) } id_payload = id_payload_create_from_identification(ID_RESPONDER, id); +<<<<<<< HEAD + message->add_payload(message, (payload_t*)id_payload); + +======= + get_reserved_id_bytes(this, id_payload); message->add_payload(message, (payload_t*)id_payload); + if (this->initial_contact) + { + charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager, + this->ike_sa, TRUE); + this->initial_contact = FALSE; + } + +>>>>>>> upstream/4.5.1 if ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS) == AUTH_CLASS_EAP) { /* EAP-only authentication */ if (!this->ike_sa->supports_extension(this->ike_sa, @@ -682,7 +818,12 @@ static status_t build_r(private_ike_auth_t *this, message_t *message) this->my_auth = authenticator_create_builder(this->ike_sa, cfg, this->other_nonce, this->my_nonce, this->other_packet->get_data(this->other_packet), +<<<<<<< HEAD this->my_packet->get_data(this->my_packet)); +======= + this->my_packet->get_data(this->my_packet), + this->reserved); +>>>>>>> upstream/4.5.1 if (!this->my_auth) { message->add_notify(message, TRUE, AUTHENTICATION_FAILED, @@ -744,7 +885,11 @@ static status_t build_r(private_ike_auth_t *this, message_t *message) if (!this->do_another_auth && !this->expect_another_auth) { if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager, +<<<<<<< HEAD this->ike_sa)) +======= + this->ike_sa, FALSE)) +>>>>>>> upstream/4.5.1 { DBG1(DBG_IKE, "cancelling IKE_SA setup due uniqueness policy"); message->add_notify(message, TRUE, AUTHENTICATION_FAILED, 
@@ -772,10 +917,15 @@ static status_t build_r(private_ike_auth_t *this, message_t *message) return NEED_MORE; } +<<<<<<< HEAD /** * Implementation of task_t.process for initiator */ static status_t process_i(private_ike_auth_t *this, message_t *message) +======= +METHOD(task_t, process_i, status_t, + private_ike_auth_t *this, message_t *message) +>>>>>>> upstream/4.5.1 { enumerator_t *enumerator; payload_t *payload; @@ -857,6 +1007,10 @@ static status_t process_i(private_ike_auth_t *this, message_t *message) return FAILED; } id = id_payload->get_identification(id_payload); +<<<<<<< HEAD +======= + get_reserved_id_bytes(this, id_payload); +>>>>>>> upstream/4.5.1 this->ike_sa->set_other_id(this->ike_sa, id); cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id)); @@ -867,7 +1021,12 @@ static status_t process_i(private_ike_auth_t *this, message_t *message) this->other_auth = authenticator_create_verifier(this->ike_sa, message, this->other_nonce, this->my_nonce, this->other_packet->get_data(this->other_packet), +<<<<<<< HEAD this->my_packet->get_data(this->my_packet)); +======= + this->my_packet->get_data(this->my_packet), + this->reserved); +>>>>>>> upstream/4.5.1 if (!this->other_auth) { return FAILED; 
@@ -893,17 +1052,28 @@ static status_t process_i(private_ike_auth_t *this, message_t *message) this->other_auth->destroy(this->other_auth); this->other_auth = NULL; } +<<<<<<< HEAD /* store authentication information, reset authenticator */ cfg = auth_cfg_create(); cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE); this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg); +======= +>>>>>>> upstream/4.5.1 /* another auth round done, invoke authorize hook */ if (!charon->bus->authorize(charon->bus, FALSE)) { DBG1(DBG_IKE, "authorization forbids IKE_SA, cancelling"); return FAILED; } +<<<<<<< HEAD +======= + + /* store authentication information, reset authenticator */ + cfg = auth_cfg_create(); + cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE); + this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg); +>>>>>>> upstream/4.5.1 } if (this->my_auth) @@ -964,18 +1134,28 @@ static status_t process_i(private_ike_auth_t *this, message_t *message) return NEED_MORE; } +<<<<<<< HEAD /** * Implementation of task_t.get_type */ static task_type_t get_type(private_ike_auth_t *this) +======= +METHOD(task_t, get_type, task_type_t, + private_ike_auth_t *this) +>>>>>>> upstream/4.5.1 { return IKE_AUTHENTICATE; } +<<<<<<< HEAD /** * Implementation of task_t.migrate */ static void migrate(private_ike_auth_t *this, ike_sa_t *ike_sa) +======= +METHOD(task_t, migrate, void, + private_ike_auth_t *this, ike_sa_t *ike_sa) +>>>>>>> upstream/4.5.1 { chunk_free(&this->my_nonce); chunk_free(&this->other_nonce); @@ -998,10 +1178,15 @@ static void migrate(private_ike_auth_t *this, ike_sa_t *ike_sa) this->candidates = linked_list_create(); } +<<<<<<< HEAD /** * Implementation of task_t.destroy */ static void destroy(private_ike_auth_t *this) +======= +METHOD(task_t, destroy, void, + private_ike_auth_t *this) +>>>>>>> upstream/4.5.1 { chunk_free(&this->my_nonce); chunk_free(&this->other_nonce); 
@@ -1019,6 +1204,7 @@ static void destroy(private_ike_auth_t *this) */ ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator) { +<<<<<<< HEAD private_ike_auth_t *this = malloc_thing(private_ike_auth_t); this->public.task.get_type = (task_type_t(*)(task_t*))get_type; @@ -1050,6 +1236,31 @@ ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator) this->expect_another_auth = TRUE; this->authentication_failed = FALSE; +======= + private_ike_auth_t *this; + + INIT(this, + .public = { + .task = { + .get_type = _get_type, + .migrate = _migrate, + .build = _build_r, + .process = _process_r, + .destroy = _destroy, + }, + }, + .ike_sa = ike_sa, + .initiator = initiator, + .candidates = linked_list_create(), + .do_another_auth = TRUE, + .expect_another_auth = TRUE, + ); + if (initiator) + { + this->public.task.build = _build_i; + this->public.task.process = _process_i; + } +>>>>>>> upstream/4.5.1 return &this->public; } diff --git a/src/libcharon/sa/tasks/ike_cert_pre.c b/src/libcharon/sa/tasks/ike_cert_pre.c index 1c0c54727..8da8d549a 100644 --- a/src/libcharon/sa/tasks/ike_cert_pre.c +++ b/src/libcharon/sa/tasks/ike_cert_pre.c @@ -76,6 +76,10 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message) { certreq_payload_t *certreq = (certreq_payload_t*)payload; enumerator_t *enumerator; +<<<<<<< HEAD +======= + u_int unknown = 0; +>>>>>>> upstream/4.5.1 chunk_t keyid; this->ike_sa->set_condition(this->ike_sa, COND_CERTREQ_SEEN, TRUE); 
@@ -103,12 +107,26 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message) } else { +<<<<<<< HEAD DBG1(DBG_IKE, "received cert request for unknown ca " "with keyid %Y", id); +======= + DBG2(DBG_IKE, "received cert request for unknown ca " + "with keyid %Y", id); + unknown++; +>>>>>>> upstream/4.5.1 } id->destroy(id); } enumerator->destroy(enumerator); +<<<<<<< HEAD +======= + if (unknown) + { + DBG1(DBG_IKE, "received %u cert requests for an unknown ca", + unknown); + } +>>>>>>> upstream/4.5.1 break; } case NOTIFY: @@ -253,11 +271,26 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message) } break; } +<<<<<<< HEAD +======= + case ENC_CRL: + cert = cert_payload->get_cert(cert_payload); + if (cert) + { + DBG1(DBG_IKE, "received CRL \"%Y\"", + cert->get_subject(cert)); + auth->add(auth, AUTH_HELPER_REVOCATION_CERT, cert); + } + break; +>>>>>>> upstream/4.5.1 case ENC_PKCS7_WRAPPED_X509: case ENC_PGP: case ENC_DNS_SIGNED_KEY: case ENC_KERBEROS_TOKEN: +<<<<<<< HEAD case ENC_CRL: +======= +>>>>>>> upstream/4.5.1 case ENC_ARL: case ENC_SPKI: case ENC_X509_ATTRIBUTE: diff --git a/src/libcharon/sa/tasks/ike_rekey.c b/src/libcharon/sa/tasks/ike_rekey.c index 1a6c140c4..1698ddd34 100644 --- a/src/libcharon/sa/tasks/ike_rekey.c +++ b/src/libcharon/sa/tasks/ike_rekey.c 
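Review bot: The new `case ENC_CRL:` branch in `process_certs` takes a CRL straight from the peer's CERT payload and stores it as `AUTH_HELPER_REVOCATION_CERT`, and nothing in this hunk checks the CRL's issuer signature before doing so; presumably the credential manager validates it against the issuing CA when it is later consulted for revocation status, but that is worth confirming, because CERT payloads are processed here before the peer has been authenticated. A one-line comment on the `auth->add` call, `/* unverified: the CRL signature must be checked against its issuer before it is trusted for revocation */`, would make that dependency explicit for the next reader. `process_certs` starts outside this hunk.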
@@ -255,19 +255,32 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message) /* if we have the lower nonce, delete rekeyed SA. If not, delete * the redundant. */ if (memcmp(this_nonce.ptr, other_nonce.ptr, +<<<<<<< HEAD min(this_nonce.len, other_nonce.len)) < 0) +======= + min(this_nonce.len, other_nonce.len)) > 0) +>>>>>>> upstream/4.5.1 { /* peer should delete this SA. Add a timeout just in case. */ job_t *job = (job_t*)delete_ike_sa_job_create( other->new_sa->get_id(other->new_sa), TRUE); lib->scheduler->schedule_job(lib->scheduler, job, 10); +<<<<<<< HEAD DBG1(DBG_IKE, "IKE_SA rekey collision won, deleting rekeyed IKE_SA"); +======= + DBG1(DBG_IKE, "IKE_SA rekey collision won, waiting for delete"); +>>>>>>> upstream/4.5.1 charon->ike_sa_manager->checkin(charon->ike_sa_manager, other->new_sa); other->new_sa = NULL; } else { +<<<<<<< HEAD DBG1(DBG_IKE, "IKE_SA rekey collision lost, deleting redundant IKE_SA"); +======= + DBG1(DBG_IKE, "IKE_SA rekey collision lost, " + "deleting redundant IKE_SA"); +>>>>>>> upstream/4.5.1 /* apply host for a proper delete */ host = this->ike_sa->get_my_host(this->ike_sa); this->new_sa->set_my_host(this->new_sa, host->clone(host)); |