Diffstat (limited to 'src/libcharon/plugins')
18 files changed, 230 insertions, 30 deletions
diff --git a/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c b/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c index 644cff029..1abbf7731 100644 --- a/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c +++ b/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c @@ -64,6 +64,7 @@ typedef struct { private_bypass_lan_listener_t *listener; host_t *net; uint8_t mask; + char *iface; child_cfg_t *cfg; } bypass_policy_t; @@ -85,6 +86,7 @@ static void bypass_policy_destroy(bypass_policy_t *this) ts->destroy(ts); } this->net->destroy(this->net); + free(this->iface); free(this); } @@ -126,6 +128,7 @@ static job_requeue_t update_bypass(private_bypass_lan_listener_t *this) enumerator_t *enumerator; hashtable_t *seen; bypass_policy_t *found, *lookup; + traffic_selector_t *ts; host_t *net; uint8_t mask; char *iface; @@ -146,6 +149,7 @@ static job_requeue_t update_bypass(private_bypass_lan_listener_t *this) INIT(lookup, .net = net->clone(net), .mask = mask, + .iface = strdupnull(iface), ); found = seen->put(seen, lookup, lookup); if (found) @@ -160,7 +164,6 @@ static job_requeue_t update_bypass(private_bypass_lan_listener_t *this) .mode = MODE_PASS, }; child_cfg_t *cfg; - traffic_selector_t *ts; char name[128]; ts = traffic_selector_create_from_subnet(net->clone(net), mask, @@ -176,6 +179,7 @@ static job_requeue_t update_bypass(private_bypass_lan_listener_t *this) INIT(found, .net = net->clone(net), .mask = mask, + .iface = strdupnull(iface), .cfg = cfg, ); this->policies->put(this->policies, found, found); 
@@ -186,11 +190,29 @@ static job_requeue_t update_bypass(private_bypass_lan_listener_t *this) enumerator = this->policies->create_enumerator(this->policies); while (enumerator->enumerate(enumerator, NULL, &lookup)) { - if (!seen->get(seen, lookup)) + found = seen->get(seen, lookup); + if (!found) { this->policies->remove_at(this->policies, enumerator); bypass_policy_destroy(lookup); } + else if (!streq(lookup->iface, found->iface)) + { /* if the subnet is on multiple interfaces, we only get the last + * one (hopefully, they are enumerated in a consistent order) */ + ts = traffic_selector_create_from_subnet( + lookup->net->clone(lookup->net), + lookup->mask, 0, 0, 65535); + DBG1(DBG_IKE, "interface change for bypass policy for %R (from %s " + "to %s)", ts, lookup->iface, found->iface); + ts->destroy(ts); + free(lookup->iface); + lookup->iface = strdupnull(found->iface); + /* there is currently no API to update shunts, so we remove and + * reinstall it to update the route */ + charon->shunts->uninstall(charon->shunts, "bypass-lan", + lookup->cfg->get_name(lookup->cfg)); + charon->shunts->install(charon->shunts, "bypass-lan", lookup->cfg); + } } enumerator->destroy(enumerator); this->mutex->unlock(this->mutex); diff --git a/src/libcharon/plugins/dhcp/dhcp_socket.c b/src/libcharon/plugins/dhcp/dhcp_socket.c index 1e208d094..ecd92f2ef 100644 --- a/src/libcharon/plugins/dhcp/dhcp_socket.c +++ b/src/libcharon/plugins/dhcp/dhcp_socket.c 
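Review bot: The result of `charon->shunts->install()` is ignored in the new interface-change branch of update_bypass, so a failed reinstall leaves the entry in `this->policies` with no shunt behind it and nothing in the log. Because the preceding `uninstall()` has already removed the policy, I would check and log the result, e.g. `if (!charon->shunts->install(charon->shunts, "bypass-lan", lookup->cfg)) DBG1(DBG_IKE, "reinstalling bypass policy failed");` (assuming install() reports failure through its return value). Between the two calls the subnet is not covered by a bypass policy; the existing comment could say so. `lookup->iface` and `found->iface` come from `strdupnull()` and may be NULL when passed to `%s` in the DBG1 call, which is worth confirming is tolerated. update_bypass starts outside this hunk.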
@@ -489,6 +489,16 @@ static void handle_offer(private_dhcp_socket_t *this, dhcp_t *dhcp, int optlen) offer = host_create_from_chunk(AF_INET, chunk_from_thing(dhcp->your_address), 0); + if (offer->is_anyaddr(offer)) + { + server = host_create_from_chunk(AF_INET, + chunk_from_thing(dhcp->server_address), 0); + DBG1(DBG_CFG, "ignoring DHCP OFFER %+H from %H", offer, server); + server->destroy(server); + offer->destroy(offer); + return; + } + this->mutex->lock(this->mutex); enumerator = this->discover->create_enumerator(this->discover); while (enumerator->enumerate(enumerator, &transaction)) diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c index fbbf6da83..ae1371b45 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius.c +++ b/src/libcharon/plugins/eap_radius/eap_radius.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2017 Tobias Brunner + * Copyright (C) 2012-2018 Tobias Brunner * Copyright (C) 2009 Martin Willi * HSR Hochschule fuer Technik Rapperswil * @@ -156,7 +156,7 @@ void eap_radius_build_attributes(radius_message_t *request) { ike_sa_t *ike_sa; host_t *host; - char buf[40], *station_id_fmt;; + char buf[40], *station_id_fmt, *session_id; uint32_t value; chunk_t chunk; @@ -202,6 +202,14 @@ void eap_radius_build_attributes(radius_message_t *request) host = ike_sa->get_other_host(ike_sa); snprintf(buf, sizeof(buf), station_id_fmt, host); request->add(request, RAT_CALLING_STATION_ID, chunk_from_str(buf)); + + session_id = eap_radius_accounting_session_id(ike_sa); + if (session_id) + { + request->add(request, RAT_ACCT_SESSION_ID, + chunk_from_str(session_id)); + free(session_id); + } } } diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c index 92611492b..ecb2083c9 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c 
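Review bot: The new any-address check in handle_offer runs before the offer is matched against a pending transaction in `this->discover`, so every unsolicited OFFER with a zero `your_address` produces a level-1 log line. Any host able to send DHCP replies on that segment can fill the log this way; consider doing the check after the transaction match or logging at a higher debug level, e.g. `DBG2(DBG_CFG, "ignoring DHCP OFFER %+H from %H", offer, server);`. A one-line comment above the `if`, such as `/* an OFFER without an assignable address is useless to us */`, would record why the packet is dropped. The rest of handle_offer lies outside the hunk.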
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2015-2017 Tobias Brunner + * Copyright (C) 2015-2018 Tobias Brunner * HSR Hochschule fuer Technik Rapperswil * * Copyright (C) 2012 Martin Willi @@ -17,6 +17,7 @@ */ #include "eap_radius_accounting.h" +#include "eap_radius_provider.h" #include "eap_radius_plugin.h" #include <time.h> @@ -461,6 +462,37 @@ static void add_ike_sa_parameters(private_eap_radius_accounting_t *this, } /** + * Add any unclaimed IP addresses to the message + */ +static void add_unclaimed_ips(radius_message_t *message, ike_sa_t *ike_sa) +{ + eap_radius_provider_t *provider; + enumerator_t *enumerator; + host_t *vip; + + provider = eap_radius_provider_get(); + enumerator = provider->clear_unclaimed(provider, + ike_sa->get_unique_id(ike_sa)); + while (enumerator->enumerate(enumerator, &vip)) + { + switch (vip->get_family(vip)) + { + case AF_INET: + message->add(message, RAT_FRAMED_IP_ADDRESS, + vip->get_address(vip)); + break; + case AF_INET6: + message->add(message, RAT_FRAMED_IPV6_ADDRESS, + vip->get_address(vip)); + break; + default: + break; + } + } + enumerator->destroy(enumerator); +} + +/** * Add the Class attributes received in the Access-Accept message to the * RADIUS accounting message */ @@ -790,6 +822,7 @@ static void send_stop(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa) chunk_create(entry->sid, strlen(entry->sid))); add_class_attributes(message, entry); add_ike_sa_parameters(this, message, ike_sa); + add_unclaimed_ips(message, ike_sa); value = htonl(entry->usage.bytes.sent); message->add(message, RAT_ACCT_OUTPUT_OCTETS, chunk_from_thing(value)); @@ -816,7 +849,6 @@ static void send_stop(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa) value = htonl(time_monotonic(NULL) - entry->created); message->add(message, RAT_ACCT_SESSION_TIME, chunk_from_thing(value)); - value = htonl(entry->cause); message->add(message, RAT_ACCT_TERMINATE_CAUSE, chunk_from_thing(value)); 
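Review bot: `add_unclaimed_ips()` dereferences the result of `eap_radius_provider_get()` without a NULL check, and nothing in the hunk shows that a provider always exists when send_stop runs. If the getter can return NULL (not visible here), guard it with `if (!provider) { return; }` right after the assignment. The enumerator returned by `clear_unclaimed()` owns the removed entry, so the `host_t` pointers are valid only until `enumerator->destroy()`; that relies on `message->add()` copying the address chunk, which should be confirmed and noted in the function comment.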
@@ -1070,8 +1102,27 @@ eap_radius_accounting_t *eap_radius_accounting_create() return &this->public; } -/** - * See header +/* + * Described in header + */ +char *eap_radius_accounting_session_id(ike_sa_t *ike_sa) +{ + entry_t *entry; + char *sid = NULL; + + if (singleton) + { + singleton->mutex->lock(singleton->mutex); + entry = get_or_create_entry(singleton, ike_sa->get_id(ike_sa), + ike_sa->get_unique_id(ike_sa)); + sid = strdup(entry->sid); + singleton->mutex->unlock(singleton->mutex); + } + return sid; +} + +/* + * Described in header */ void eap_radius_accounting_start_interim(ike_sa_t *ike_sa, uint32_t interval) { diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.h b/src/libcharon/plugins/eap_radius/eap_radius_accounting.h index dc1edcf54..1fe1107ea 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.h +++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2017 Tobias Brunner + * Copyright (C) 2017-2018 Tobias Brunner * HSR Hochschule fuer Technik Rapperswil * * Copyright (C) 2012 Martin Willi @@ -50,6 +50,14 @@ struct eap_radius_accounting_t { eap_radius_accounting_t *eap_radius_accounting_create(); /** + * Get the Accounting session ID for the given IKE_SA. + * + * @param ike_sa IKE_SA for which to determine the session ID + * @return allocated session ID + */ +char *eap_radius_accounting_session_id(ike_sa_t *ike_sa); + +/** * Schedule Accounting interim updates for the given IKE_SA. * * @param ike_sa IKE_SA to send updates for diff --git a/src/libcharon/plugins/eap_radius/eap_radius_provider.c b/src/libcharon/plugins/eap_radius/eap_radius_provider.c index 8188bb764..defabb782 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_provider.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_provider.c @@ -1,4 +1,7 @@ /* + * Copyright (C) 2018 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * * Copyright (C) 2013 Martin Willi * Copyright (C) 2013 revosec AG * 
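Review bot: `eap_radius_accounting_session_id()` calls `get_or_create_entry()`, so asking for the ID creates an accounting entry as a side effect, and the new caller in eap_radius_build_attributes does this while building the Access-Request, before the peer has authenticated. Whether such an entry is removed again when authentication fails is not visible in this diff; if it is not, failed attempts leave entries behind in the session table. Please confirm the cleanup path, and make the side effect explicit with a comment such as `/* creates the entry if none exists yet, so the ID matches later accounting messages */`. The unchecked `strdup()` is acceptable only because the caller treats NULL as "no session ID".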
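Review bot: The `@return` line added for `eap_radius_accounting_session_id()` in the header says only "allocated session ID", but the implementation in eap_radius_accounting.c returns NULL when no accounting singleton exists. I would write `@return allocated session ID, NULL if accounting is not available` and state that the caller must free the string.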
@@ -131,7 +134,7 @@ static entry_t* get_or_create_entry(hashtable_t *hashtable, uintptr_t id) } /** - * Put an entry to hashtable, or destroy it ife empty + * Put an entry to hashtable, or destroy it if empty */ static void put_or_destroy_entry(hashtable_t *hashtable, entry_t *entry) { @@ -494,6 +497,24 @@ METHOD(eap_radius_provider_t, add_attribute, void, this->listener.mutex->unlock(this->listener.mutex); } +METHOD(eap_radius_provider_t, clear_unclaimed, enumerator_t*, + private_eap_radius_provider_t *this, uint32_t id) +{ + entry_t *entry; + + this->listener.mutex->lock(this->listener.mutex); + entry = this->listener.unclaimed->remove(this->listener.unclaimed, + (void*)(uintptr_t)id); + this->listener.mutex->unlock(this->listener.mutex); + if (!entry) + { + return enumerator_create_empty(); + } + return enumerator_create_cleaner( + entry->addrs->create_enumerator(entry->addrs), + (void*)destroy_entry, entry); +} + METHOD(eap_radius_provider_t, destroy, void, private_eap_radius_provider_t *this) { @@ -523,6 +544,7 @@ eap_radius_provider_t *eap_radius_provider_create() }, .add_framed_ip = _add_framed_ip, .add_attribute = _add_attribute, + .clear_unclaimed = _clear_unclaimed, .destroy = _destroy, }, .listener = { @@ -539,6 +561,14 @@ eap_radius_provider_t *eap_radius_provider_create() }, ); + if (lib->settings->get_bool(lib->settings, + "%s.plugins.eap-radius.accounting", FALSE, lib->ns)) + { + /* if RADIUS accounting is enabled, keep unclaimed IPs around until + * the Accounting-Stop message is sent */ + this->listener.public.message = NULL; + } + charon->bus->add_listener(charon->bus, &this->listener.public); singleton = &this->public; diff --git a/src/libcharon/plugins/eap_radius/eap_radius_provider.h b/src/libcharon/plugins/eap_radius/eap_radius_provider.h index 80971bddb..9f1121ca3 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_provider.h +++ b/src/libcharon/plugins/eap_radius/eap_radius_provider.h 
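Review bot: With accounting enabled the `message` hook is set to NULL in eap_radius_provider_create, so unclaimed entries are released only through `clear_unclaimed()`, which this diff calls from send_stop alone. If an IKE_SA can be handed addresses and then go away without an Accounting-Stop being sent (not visible here), its entry stays in `this->listener.unclaimed` for the life of the daemon. Please confirm that every teardown path reaches send_stop, or keep a fallback that clears the entry when the IKE_SA is destroyed. The comment could also name what is being switched off, e.g. `/* disable the message() hook, unclaimed IPs are collected by clear_unclaimed() instead */`.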
@@ -1,4 +1,7 @@ /* + * Copyright (C) 2018 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * * Copyright (C) 2013 Martin Willi * Copyright (C) 2013 revosec AG * @@ -56,6 +59,14 @@ struct eap_radius_provider_t { configuration_attribute_type_t type, chunk_t data); /** + * Clears any unclaimed IP addresses and attributes for the given IKE_SA. + * + * @param id IKE_SA unique identifier + * @return enumerator over unclaimed IP addresses, if any + */ + enumerator_t *(*clear_unclaimed)(eap_radius_provider_t *this, uint32_t id); + + /** * Destroy a eap_radius_provider_t. */ void (*destroy)(eap_radius_provider_t *this); diff --git a/src/libcharon/plugins/ha/ha_attribute.c b/src/libcharon/plugins/ha/ha_attribute.c index 34d6efc48..2553fd014 100644 --- a/src/libcharon/plugins/ha/ha_attribute.c +++ b/src/libcharon/plugins/ha/ha_attribute.c @@ -159,13 +159,13 @@ static pool_t* get_pool(private_ha_attribute_t *this, char *name) } /** - * Check if we are responsible for a bit in our bitmask + * Check if we are responsible for an offset */ -static bool responsible_for(private_ha_attribute_t *this, int bit) +static bool responsible_for(private_ha_attribute_t *this, int offset) { u_int segment; - segment = this->kernel->get_segment_int(this->kernel, bit); + segment = offset % this->segments->count(this->segments) + 1; return this->segments->is_active(this->segments, segment); } @@ -175,7 +175,7 @@ METHOD(attribute_provider_t, acquire_address, host_t*, { enumerator_t *enumerator; pool_t *pool = NULL; - int offset = -1, byte, bit; + int offset = -1, tmp_offset, byte, bit; host_t *address; char *name; @@ -199,10 +199,11 @@ METHOD(attribute_provider_t, acquire_address, host_t*, { for (bit = 0; bit < 8; bit++) { + tmp_offset = byte * 8 + bit; if (!(pool->mask[byte] & 1 << bit) && - responsible_for(this, bit)) + responsible_for(this, tmp_offset)) { - offset = byte * 8 + bit; + offset = tmp_offset; pool->mask[byte] |= 1 << bit; break; } 
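Review bot: `offset % this->segments->count(this->segments)` in responsible_for divides by the segment count with no guard, so a count of zero is undefined behaviour. The count is returned from `this->count` in ha_segments.c and its validation is not visible in this diff; either document that it is always at least 1 or guard here, e.g. `u_int count = this->segments->count(this->segments);` followed by `if (!count) { return FALSE; }`. `offset` is a signed int mixed with `u_int` in the modulo; it is never negative at the one call site shown, but declaring the parameter `u_int` would make that explicit.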
diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c index 4e3803892..ab845317f 100644 --- a/src/libcharon/plugins/ha/ha_dispatcher.c +++ b/src/libcharon/plugins/ha/ha_dispatcher.c @@ -138,6 +138,7 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message chunk_t dh_local = chunk_empty, dh_remote = chunk_empty, psk = chunk_empty; host_t *other = NULL; bool ok = FALSE; + auth_method_t method = AUTH_RSA; enumerator = message->create_attribute_enumerator(message); while (enumerator->enumerate(enumerator, &attribute, &value)) @@ -197,6 +198,8 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message case HA_ALG_DH: dh_grp = value.u16; break; + case HA_AUTH_METHOD: + method = value.u16; default: break; } @@ -238,7 +241,6 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message { keymat_v1_t *keymat_v1 = (keymat_v1_t*)ike_sa->get_keymat(ike_sa); shared_key_t *shared = NULL; - auth_method_t method = AUTH_RSA; if (psk.len) { diff --git a/src/libcharon/plugins/ha/ha_ike.c b/src/libcharon/plugins/ha/ha_ike.c index 2854ab76d..aae402d50 100644 --- a/src/libcharon/plugins/ha/ha_ike.c +++ b/src/libcharon/plugins/ha/ha_ike.c @@ -73,7 +73,7 @@ static ike_extension_t copy_extension(ike_sa_t *ike_sa, ike_extension_t ext) METHOD(listener_t, ike_keys, bool, private_ha_ike_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh, chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey, - shared_key_t *shared) + shared_key_t *shared, auth_method_t method) { ha_message_t *m; chunk_t secret; @@ -141,6 +141,10 @@ METHOD(listener_t, ike_keys, bool, { m->add_attribute(m, HA_PSK, shared->get_key(shared)); } + else + { + m->add_attribute(m, HA_AUTH_METHOD, method); + } } m->add_attribute(m, HA_REMOTE_ADDR, ike_sa->get_other_host(ike_sa)); diff --git a/src/libcharon/plugins/ha/ha_message.c b/src/libcharon/plugins/ha/ha_message.c index 7891b1654..28b7b0d5b 100644 
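Review bot: The new `case HA_AUTH_METHOD:` in process_ike_add has no `break;` and falls through into `default:`, and `value.u16` is stored in `method` without any range check. The fall-through is harmless today but will misbehave as soon as another case is added below it, so add `break;` after `method = value.u16;`. Since the value arrives in an HA sync message and, per the ha_message.h comment, feeds the IKEv1 key derivation, I would also reject values that are not a known `auth_method_t` instead of passing them on. The function continues outside these hunks.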
--- a/src/libcharon/plugins/ha/ha_message.c +++ b/src/libcharon/plugins/ha/ha_message.c @@ -240,6 +240,7 @@ METHOD(ha_message_t, add_attribute, void, case HA_OUTBOUND_CPI: case HA_SEGMENT: case HA_ESN: + case HA_AUTH_METHOD: { uint16_t val; @@ -463,6 +464,7 @@ METHOD(enumerator_t, attribute_enumerate, bool, case HA_OUTBOUND_CPI: case HA_SEGMENT: case HA_ESN: + case HA_AUTH_METHOD: { if (this->buf.len < sizeof(uint16_t)) { diff --git a/src/libcharon/plugins/ha/ha_message.h b/src/libcharon/plugins/ha/ha_message.h index 3e43dc8dc..3c0058d99 100644 --- a/src/libcharon/plugins/ha/ha_message.h +++ b/src/libcharon/plugins/ha/ha_message.h @@ -156,6 +156,8 @@ enum ha_message_attribute_t { HA_PSK, /** chunk_t, IV for next IKEv1 message */ HA_IV, + /** uint16_t, auth_method_t for IKEv1 key derivation */ + HA_AUTH_METHOD, }; /** diff --git a/src/libcharon/plugins/ha/ha_segments.c b/src/libcharon/plugins/ha/ha_segments.c index 0a407f9ef..153534915 100644 --- a/src/libcharon/plugins/ha/ha_segments.c +++ b/src/libcharon/plugins/ha/ha_segments.c @@ -433,6 +433,12 @@ METHOD(ha_segments_t, is_active, bool, return (this->active & SEGMENTS_BIT(segment)) != 0; } +METHOD(ha_segments_t, count, u_int, + private_ha_segments_t *this) +{ + return this->count; +} + METHOD(ha_segments_t, destroy, void, private_ha_segments_t *this) { @@ -459,6 +465,7 @@ ha_segments_t *ha_segments_create(ha_socket_t *socket, ha_kernel_t *kernel, .deactivate = _deactivate, .handle_status = _handle_status, .is_active = _is_active, + .count = _count, .destroy = _destroy, }, .socket = socket, diff --git a/src/libcharon/plugins/ha/ha_segments.h b/src/libcharon/plugins/ha/ha_segments.h index 10d5812c6..bc96a8d3e 100644 --- a/src/libcharon/plugins/ha/ha_segments.h +++ b/src/libcharon/plugins/ha/ha_segments.h 
@@ -83,6 +83,13 @@ struct ha_segments_t { bool (*is_active)(ha_segments_t *this, u_int segment); /** + * Return the number of segments + * + * @return number of segments + */ + u_int (*count)(ha_segments_t *this); + + /** * Destroy a ha_segments_t. */ void (*destroy)(ha_segments_t *this); diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c index 1292e0895..40fff7e05 100644 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -2257,6 +2257,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t, uint32_t replay_esn_len = 0; kernel_ipsec_del_sa_t del = { 0 }; status_t status = FAILED; + traffic_selector_t *ts; char markstr[32] = ""; /* if IPComp is used, we first update the IPComp SA */ @@ -2360,10 +2361,26 @@ METHOD(kernel_ipsec_t, update_sa, status_t, if (!id->src->ip_equals(id->src, data->new_src)) { host2xfrm(data->new_src, &sa->saddr); + + ts = selector2ts(&sa->sel, TRUE); + if (ts && ts->is_host(ts, id->src)) + { + ts->set_address(ts, data->new_src); + ts2subnet(ts, &sa->sel.saddr, &sa->sel.prefixlen_s); + } + DESTROY_IF(ts); } if (!id->dst->ip_equals(id->dst, data->new_dst)) { host2xfrm(data->new_dst, &sa->id.daddr); + + ts = selector2ts(&sa->sel, FALSE); + if (ts && ts->is_host(ts, id->dst)) + { + ts->set_address(ts, data->new_dst); + ts2subnet(ts, &sa->sel.daddr, &sa->sel.prefixlen_d); + } + DESTROY_IF(ts); } rta = XFRM_RTA(out_hdr, struct xfrm_usersa_info); diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c index dbe409a62..37170a310 100644 --- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c +++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c 
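Review bot: The two blocks added to update_sa are the same code with source and destination swapped, and neither says why the selector is rewritten. A comment on the first block, for example `/* if the selector is a host selector for the old address, it has to follow the address update */`, would state what the `is_host()` test is for; the motivating case is not given in the diff, so the author should fill in the concrete scenario. A small static helper taking the old host, the new host and a source/destination flag would remove the duplication. update_sa's body extends beyond the hunk.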
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2017 Tobias Brunner + * Copyright (C) 2008-2018 Tobias Brunner * Copyright (C) 2008 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * @@ -1287,20 +1287,27 @@ static void process_acquire(private_kernel_pfkey_ipsec_t *this, return; } - index = response.x_policy->sadb_x_policy_id; - this->mutex->lock(this->mutex); - if (this->policies->find_first(this->policies, policy_entry_match_byindex, - (void**)&policy, index) && - policy->used_by->get_first(policy->used_by, (void**)&sa) == SUCCESS) + if (response.x_sa2) { - reqid = sa->sa->cfg.reqid; + reqid = response.x_sa2->sadb_x_sa2_reqid; } else { - DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no " - "matching policy found", index); + index = response.x_policy->sadb_x_policy_id; + this->mutex->lock(this->mutex); + if (this->policies->find_first(this->policies, policy_entry_match_byindex, + (void**)&policy, index) && + policy->used_by->get_first(policy->used_by, (void**)&sa) == SUCCESS) + { + reqid = sa->sa->cfg.reqid; + } + else + { + DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no " + "matching policy found", index); + } + this->mutex->unlock(this->mutex); } - this->mutex->unlock(this->mutex); src_ts = sadb_address2ts(response.src); dst_ts = sadb_address2ts(response.dst); diff --git a/src/libcharon/plugins/vici/libvici.h b/src/libcharon/plugins/vici/libvici.h index d69597881..964752f53 100644 --- a/src/libcharon/plugins/vici/libvici.h +++ b/src/libcharon/plugins/vici/libvici.h @@ -86,6 +86,10 @@ #include <stdio.h> +#ifdef __cplusplus +extern "C" { +#endif + /** * Opaque vici connection contex. */ @@ -465,4 +469,8 @@ void vici_init(); */ void vici_deinit(); +#ifdef __cplusplus +} +#endif + #endif /** LIBVICI_H_ @}*/ diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c index 10c62dc89..ace7a4528 100644 --- a/src/libcharon/plugins/vici/vici_config.c +++ b/src/libcharon/plugins/vici/vici_config.c 
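Review bot: When `response.x_sa2` is present its `sadb_x_sa2_reqid` is used unconditionally in process_acquire, and the policy-index lookup is skipped even if that reqid is 0. If the kernel can send an SA2 extension with a zero reqid (not established by this diff), the acquire is then handled with reqid 0 and without the "no matching policy found" log line. Consider `if (response.x_sa2 && response.x_sa2->sadb_x_sa2_reqid)` so that the lookup remains the fallback. The else branch still dereferences `response.x_policy`; the check that guarantees it is non-NULL lies outside the hunk.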
@@ -733,7 +733,7 @@ CALLBACK(parse_ts, bool, if (host_create_from_range(buf, &lower, &upper)) { type = (lower->get_family(lower) == AF_INET) ? - TS_IPV4_ADDR_RANGE : TS_IPV6_ADDR_RANGE; + TS_IPV4_ADDR_RANGE : TS_IPV6_ADDR_RANGE; ts = traffic_selector_create_from_bytes(proto, type, lower->get_address(lower), from, upper->get_address(upper), to); @@ -2494,7 +2494,10 @@ CALLBACK(config_sn, bool, if (peer.mediated_by) { cfg.mediated_by = peer.mediated_by; - cfg.peer_id = peer.peer_id->clone(peer.peer_id); + if (peer.peer_id) + { + cfg.peer_id = peer.peer_id->clone(peer.peer_id); + } } #endif /* ME */ peer_cfg = peer_cfg_create(name, ike_cfg, &cfg); |