summaryrefslogtreecommitdiff
path: root/src/pluto/connections.c
diff options
context:
space:
mode:
authorRene Mayrhofer <rene@mayrhofer.eu.org>2010-05-25 19:01:36 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2010-05-25 19:01:36 +0000
commit1ac70afcc1f7d6d2738a34308810719b0976d29f (patch)
tree805f6ce2a15d1a717781d7cbceac8408a74b6b0c /src/pluto/connections.c
parented7d79f96177044949744da10f4431c1d6242241 (diff)
downloadvyos-strongswan-1ac70afcc1f7d6d2738a34308810719b0976d29f.tar.gz
vyos-strongswan-1ac70afcc1f7d6d2738a34308810719b0976d29f.zip
[svn-upgrade] Integrating new upstream version, strongswan (4.4.0)
Diffstat (limited to 'src/pluto/connections.c')
-rw-r--r--src/pluto/connections.c55
1 files changed, 37 insertions, 18 deletions
diff --git a/src/pluto/connections.c b/src/pluto/connections.c
index fece34eec..dd193042a 100644
--- a/src/pluto/connections.c
+++ b/src/pluto/connections.c
@@ -30,6 +30,7 @@
#include <freeswan.h>
#include "kameipsec.h"
+#include <hydra.h>
#include <credentials/certificates/ac.h>
#include <credentials/keys/private_key.h>
@@ -61,6 +62,7 @@
#include "kernel_alg.h"
#include "nat_traversal.h"
#include "virtual.h"
+#include "whack_attribute.h"
static void flush_pending_by_connection(connection_t *c); /* forward */
@@ -104,7 +106,7 @@ bool his_id_was_instantiated(const connection_t *c)
{
identification_t *host;
bool equal;
-
+
host = identification_create_from_sockaddr((sockaddr_t*)&c->spd.that.host_addr);
equal = host->equals(host, c->spd.that.id);
host->destroy(host);
@@ -113,7 +115,7 @@ bool his_id_was_instantiated(const connection_t *c)
else
{
return TRUE;
- }
+ }
}
/**
@@ -369,11 +371,16 @@ void delete_connection(connection_t *c, bool relations)
host_t *vip;
vip = host_create_from_sockaddr((sockaddr_t*)&c->spd.that.host_srcip);
- lib->attributes->release_address(lib->attributes, c->spd.that.pool,
- vip, c->spd.that.id);
+ hydra->attributes->release_address(hydra->attributes, c->spd.that.pool,
+ vip, c->spd.that.id);
vip->destroy(vip);
}
+ if (c->kind != CK_GOING_AWAY)
+ {
+ whack_attr->del_pool(whack_attr, c->name);
+ }
+
/* free internal data */
#ifdef DEBUG
cur_debugging = old_cur_debugging;
@@ -683,7 +690,7 @@ size_t format_end(char *buf, size_t buf_len, const struct end *this,
}
/* id */
- snprintf(host_id, sizeof(host_id), "[%Y]", this->id);
+ snprintf(host_id, sizeof(host_id), "[%Y]", this->id);
/* [---hop] */
hop[0] = '\0';
@@ -769,7 +776,7 @@ static void load_end_certificate(char *filename, struct end *dst)
cert_t *cert = NULL;
certificate_t *certificate;
bool cached_cert = FALSE;
-
+
/* initialize end certificate */
dst->cert = NULL;
@@ -853,10 +860,11 @@ static void load_end_certificate(char *filename, struct end *dst)
}
static bool extract_end(struct end *dst, const whack_end_t *src,
- const char *which)
+ const char *name, bool is_left)
{
bool same_ca = FALSE;
+ dst->is_left = is_left;
dst->id = identification_create_from_string(src->id);
dst->ca = NULL;
@@ -1117,15 +1125,14 @@ void add_connection(const whack_message_t *wm)
c->tunnel_addr_family = wm->tunnel_addr_family;
c->requested_ca = NULL;
+ same_leftca = extract_end(&c->spd.this, &wm->left, wm->name, TRUE);
+ same_rightca = extract_end(&c->spd.that, &wm->right, wm->name, FALSE);
- same_leftca = extract_end(&c->spd.this, &wm->left, "left");
- same_rightca = extract_end(&c->spd.that, &wm->right, "right");
-
- if (same_rightca)
+ if (same_rightca && c->spd.this.ca)
{
c->spd.that.ca = c->spd.this.ca->clone(c->spd.this.ca);
}
- else if (same_leftca)
+ else if (same_leftca && c->spd.that.ca)
{
c->spd.this.ca = c->spd.that.ca->clone(c->spd.that.ca);
}
@@ -1196,6 +1203,17 @@ void add_connection(const whack_message_t *wm)
(void)orient(c);
+ /* if rightsourceip defines a subnet then create an in-memory pool */
+ if (whack_attr->add_pool(whack_attr, c->name,
+ c->spd.this.is_left ? &wm->right : &wm->left))
+ {
+ c->spd.that.pool = clone_str(c->name);
+ c->spd.that.modecfg = TRUE;
+ c->spd.that.has_client = FALSE;
+ /* reset the host_srcip so that it gets assigned in modecfg */
+ anyaddr(AF_INET, &c->spd.that.host_srcip);
+ }
+
if (c->ikev1)
{
connect_to_host_pair(c);
@@ -1794,7 +1812,7 @@ connection_t *build_outgoing_opportunistic_connection(struct gw_info *gw,
else
{
chunk_t encoding = gw->gw_id->get_encoding(gw->gw_id);
- id_type_t type = gw->gw_id->get_type(gw->gw_id);
+ id_type_t type = gw->gw_id->get_type(gw->gw_id);
ip_address ip_addr;
initaddr(encoding.ptr, encoding.len,
@@ -2758,7 +2776,7 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b,
addrtot(&b->peer_client, 0, pcb, sizeof(pcb));
loglog(RC_OPPOFAILURE,
"no suitable connection for opportunism "
- "between %s and %s with %Y as peer",
+ "between %s and %s with %Y as peer",
ocb, pcb, ac->gateways_from_dns->gw_id);
#ifdef KLIPS
@@ -3379,7 +3397,7 @@ connection_t *refine_host_connection(const struct state *st,
id_match_t match_level = peer_id->matches(peer_id, d->spd.that.id);
bool matching_id = match_level > ID_MATCH_NONE;
-
+
bool matching_auth = (d->policy & auth_policy) != LEMPTY;
bool matching_trust = trusted_ca(peer_ca
@@ -3580,7 +3598,7 @@ static connection_t *fc_try(const connection_t *c, struct host_pair *hp,
policy_prio_t best_prio = BOTTOM_PRIO;
id_match_t match_level;
int pathlen;
-
+
const bool peer_net_is_host = subnetisaddr(peer_net, &c->spd.that.host_addr);
@@ -3675,7 +3693,8 @@ static connection_t *fc_try(const connection_t *c, struct host_pair *hp,
}
else
{
- if (!peer_net_is_host)
+ if (!peer_net_is_host && !(sr->that.modecfg && c->spd.that.modecfg &&
+ subnetisaddr(peer_net, &c->spd.that.host_srcip)))
{
continue;
}
@@ -3843,7 +3862,7 @@ void get_peer_ca_and_groups(connection_t *c,
if (cert && ac_verify_cert(cert, strict_crl_policy))
{
ac_t *ac = (ac_t*)cert;
-
+
*peer_attributes = ac->get_groups(ac);
}
else