summaryrefslogtreecommitdiff
path: root/src/libcharon/sa/ikev1
diff options
context:
space:
mode:
Diffstat (limited to 'src/libcharon/sa/ikev1')
-rw-r--r--src/libcharon/sa/ikev1/keymat_v1.c8
-rw-r--r--src/libcharon/sa/ikev1/task_manager_v1.c54
-rw-r--r--src/libcharon/sa/ikev1/tasks/aggressive_mode.c67
-rw-r--r--src/libcharon/sa/ikev1/tasks/main_mode.c66
-rw-r--r--src/libcharon/sa/ikev1/tasks/mode_config.c269
-rw-r--r--src/libcharon/sa/ikev1/tasks/mode_config.h3
-rw-r--r--src/libcharon/sa/ikev1/tasks/quick_delete.c2
-rw-r--r--src/libcharon/sa/ikev1/tasks/quick_mode.c91
-rw-r--r--src/libcharon/sa/ikev1/tasks/xauth.c2
9 files changed, 455 insertions, 107 deletions
diff --git a/src/libcharon/sa/ikev1/keymat_v1.c b/src/libcharon/sa/ikev1/keymat_v1.c
index 39e4cad20..bf1b0046c 100644
--- a/src/libcharon/sa/ikev1/keymat_v1.c
+++ b/src/libcharon/sa/ikev1/keymat_v1.c
@@ -196,6 +196,13 @@ METHOD(aead_t, get_iv_size, size_t,
return 0;
}
+METHOD(aead_t, get_iv_gen, iv_gen_t*,
+ private_aead_t *this)
+{
+ /* IVs are retrieved via keymat_v1.get_iv() */
+ return NULL;
+}
+
METHOD(aead_t, get_key_size, size_t,
private_aead_t *this)
{
@@ -304,6 +311,7 @@ static aead_t *create_aead(proposal_t *proposal, prf_t *prf, chunk_t skeyid_e)
.get_block_size = _get_block_size,
.get_icv_size = _get_icv_size,
.get_iv_size = _get_iv_size,
+ .get_iv_gen = _get_iv_gen,
.get_key_size = _get_key_size,
.set_key = _set_key,
.destroy = _aead_destroy,
diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c
index 857cb027e..597416e36 100644
--- a/src/libcharon/sa/ikev1/task_manager_v1.c
+++ b/src/libcharon/sa/ikev1/task_manager_v1.c
@@ -413,7 +413,6 @@ static bool send_packet(private_task_manager_t *this, bool request,
{
bool use_frags = FALSE;
ike_cfg_t *ike_cfg;
- host_t *src, *dst;
chunk_t data;
ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
@@ -438,15 +437,18 @@ static bool send_packet(private_task_manager_t *this, bool request,
fragment_payload_t *fragment;
u_int8_t num, count;
size_t len, frag_size;
- bool nat;
-
- /* reduce size due to non-ESP marker */
- nat = this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY);
- frag_size = this->frag.size - (nat ? 4 : 0);
+ host_t *src, *dst;
src = packet->get_source(packet);
dst = packet->get_destination(packet);
- count = (data.len / (frag_size + 1)) + 1;
+
+ frag_size = this->frag.size;
+ if (dst->get_port(dst) != IKEV2_UDP_PORT &&
+ src->get_port(src) != IKEV2_UDP_PORT)
+ { /* reduce size due to non-ESP marker */
+ frag_size -= 4;
+ }
+ count = data.len / frag_size + (data.len % frag_size ? 1 : 0);
DBG1(DBG_IKE, "sending IKE message with length of %zu bytes in "
"%hhu fragments", data.len, count);
@@ -537,23 +539,40 @@ static bool mode_config_expected(private_task_manager_t *this)
enumerator_t *enumerator;
peer_cfg_t *peer_cfg;
char *pool;
+ bool local;
host_t *host;
peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
if (peer_cfg)
{
- enumerator = peer_cfg->create_pool_enumerator(peer_cfg);
- if (!enumerator->enumerate(enumerator, &pool))
- { /* no pool configured */
+ if (peer_cfg->use_pull_mode(peer_cfg))
+ {
+ enumerator = peer_cfg->create_pool_enumerator(peer_cfg);
+ if (!enumerator->enumerate(enumerator, &pool))
+ { /* no pool configured */
+ enumerator->destroy(enumerator);
+ return FALSE;
+ }
enumerator->destroy(enumerator);
- return FALSE;
+
+ local = FALSE;
}
- enumerator->destroy(enumerator);
+ else
+ {
+ enumerator = peer_cfg->create_virtual_ip_enumerator(peer_cfg);
+ if (!enumerator->enumerate(enumerator, &host))
+ { /* not requesting a vip */
+ enumerator->destroy(enumerator);
+ return FALSE;
+ }
+ enumerator->destroy(enumerator);
+ local = TRUE;
+ }
enumerator = this->ike_sa->create_virtual_ip_enumerator(this->ike_sa,
- FALSE);
+ local);
if (!enumerator->enumerate(enumerator, &host))
- { /* have a pool, but no VIP assigned yet */
+ { /* expecting a VIP exchange, but no VIP assigned yet */
enumerator->destroy(enumerator);
return TRUE;
}
@@ -1085,7 +1104,8 @@ static status_t process_request(private_task_manager_t *this,
case TRANSACTION:
if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
{
- task = (task_t *)mode_config_create(this->ike_sa, FALSE);
+ task = (task_t *)mode_config_create(this->ike_sa,
+ FALSE, TRUE);
}
else
{
@@ -1253,7 +1273,7 @@ static status_t handle_fragment(private_task_manager_t *this, message_t *msg)
return FAILED;
}
- if (this->frag.id != payload->get_id(payload))
+ if (!this->frag.list || this->frag.id != payload->get_id(payload))
{
clear_fragments(this, payload->get_id(payload));
this->frag.list = linked_list_create();
@@ -1765,7 +1785,7 @@ static bool have_equal_ts(child_sa_t *child1, child_sa_t *child2, bool local)
{
equal = ts1->equals(ts1, ts2);
}
- e1->destroy(e1);
+ e2->destroy(e2);
e1->destroy(e1);
return equal;
diff --git a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
index 6b00706bf..46cbb879b 100644
--- a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
@@ -196,6 +196,17 @@ static status_t send_delete(private_aggressive_mode_t *this)
return ALREADY_DONE;
}
+/**
+ * Schedule a timeout for the IKE_SA should it not establish
+ */
+static void schedule_timeout(ike_sa_t *ike_sa)
+{
+ job_t *job;
+
+ job = (job_t*)delete_ike_sa_job_create(ike_sa->get_id(ike_sa), FALSE);
+ lib->scheduler->schedule_job(lib->scheduler, job, HALF_OPEN_IKE_SA_TIMEOUT);
+}
+
METHOD(task_t, build_i, status_t,
private_aggressive_mode_t *this, message_t *message)
{
@@ -300,20 +311,15 @@ METHOD(task_t, build_i, status_t,
case AUTH_XAUTH_INIT_PSK:
case AUTH_XAUTH_INIT_RSA:
case AUTH_HYBRID_INIT_RSA:
- { /* wait for XAUTH request, since this may never come,
- * we queue a timeout */
- job_t *job = (job_t*)delete_ike_sa_job_create(
- this->ike_sa->get_id(this->ike_sa), FALSE);
- lib->scheduler->schedule_job(lib->scheduler, job,
- HALF_OPEN_IKE_SA_TIMEOUT);
+ /* wait for XAUTH request */
+ schedule_timeout(this->ike_sa);
break;
- }
case AUTH_XAUTH_RESP_PSK:
case AUTH_XAUTH_RESP_RSA:
case AUTH_HYBRID_RESP_RSA:
this->ike_sa->queue_task(this->ike_sa,
(task_t*)xauth_create(this->ike_sa, TRUE));
- return SUCCESS;
+ break;
default:
if (charon->ike_sa_manager->check_uniqueness(
charon->ike_sa_manager, this->ike_sa, FALSE))
@@ -328,10 +334,30 @@ METHOD(task_t, build_i, status_t,
}
break;
}
+ /* check for and prepare mode config push/pull */
if (this->ph1->has_virtual_ip(this->ph1, this->peer_cfg))
{
- this->ike_sa->queue_task(this->ike_sa,
- (task_t*)mode_config_create(this->ike_sa, TRUE));
+ if (this->peer_cfg->use_pull_mode(this->peer_cfg))
+ {
+ this->ike_sa->queue_task(this->ike_sa,
+ (task_t*)mode_config_create(this->ike_sa, TRUE, TRUE));
+ }
+ else
+ {
+ schedule_timeout(this->ike_sa);
+ }
+ }
+ else if (this->ph1->has_pool(this->ph1, this->peer_cfg))
+ {
+ if (this->peer_cfg->use_pull_mode(this->peer_cfg))
+ {
+ schedule_timeout(this->ike_sa);
+ }
+ else
+ {
+ this->ike_sa->queue_task(this->ike_sa,
+ (task_t*)mode_config_create(this->ike_sa, TRUE, FALSE));
+ }
}
return SUCCESS;
}
@@ -482,7 +508,7 @@ METHOD(task_t, process_r, status_t,
case AUTH_HYBRID_INIT_RSA:
this->ike_sa->queue_task(this->ike_sa,
(task_t*)xauth_create(this->ike_sa, TRUE));
- return SUCCESS;
+ break;
case AUTH_XAUTH_RESP_PSK:
case AUTH_XAUTH_RESP_RSA:
case AUTH_HYBRID_RESP_RSA:
@@ -505,11 +531,22 @@ METHOD(task_t, process_r, status_t,
this->ike_sa->get_id(this->ike_sa)));
break;
}
- if (!this->ph1->has_pool(this->ph1, this->peer_cfg) &&
- this->ph1->has_virtual_ip(this->ph1, this->peer_cfg))
+ /* check for and prepare mode config push/pull */
+ if (this->ph1->has_virtual_ip(this->ph1, this->peer_cfg))
{
- this->ike_sa->queue_task(this->ike_sa,
- (task_t*)mode_config_create(this->ike_sa, TRUE));
+ if (this->peer_cfg->use_pull_mode(this->peer_cfg))
+ {
+ this->ike_sa->queue_task(this->ike_sa,
+ (task_t*)mode_config_create(this->ike_sa, TRUE, TRUE));
+ }
+ }
+ else if (this->ph1->has_pool(this->ph1, this->peer_cfg))
+ {
+ if (!this->peer_cfg->use_pull_mode(this->peer_cfg))
+ {
+ this->ike_sa->queue_task(this->ike_sa,
+ (task_t*)mode_config_create(this->ike_sa, TRUE, FALSE));
+ }
}
return SUCCESS;
}
diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c
index 441bd7a78..81638169a 100644
--- a/src/libcharon/sa/ikev1/tasks/main_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/main_mode.c
@@ -504,7 +504,7 @@ METHOD(task_t, build_r, status_t,
case AUTH_HYBRID_INIT_RSA:
this->ike_sa->queue_task(this->ike_sa,
(task_t*)xauth_create(this->ike_sa, TRUE));
- return SUCCESS;
+ break;
case AUTH_XAUTH_RESP_PSK:
case AUTH_XAUTH_RESP_RSA:
case AUTH_HYBRID_RESP_RSA:
@@ -527,11 +527,21 @@ METHOD(task_t, build_r, status_t,
this->ike_sa->get_id(this->ike_sa)));
break;
}
- if (!this->ph1->has_pool(this->ph1, this->peer_cfg) &&
- this->ph1->has_virtual_ip(this->ph1, this->peer_cfg))
+ if (this->ph1->has_virtual_ip(this->ph1, this->peer_cfg))
+ {
+ if (this->peer_cfg->use_pull_mode(this->peer_cfg))
+ {
+ this->ike_sa->queue_task(this->ike_sa,
+ (task_t*)mode_config_create(this->ike_sa, TRUE, TRUE));
+ }
+ }
+ else if (this->ph1->has_pool(this->ph1, this->peer_cfg))
{
- this->ike_sa->queue_task(this->ike_sa,
- (task_t*)mode_config_create(this->ike_sa, TRUE));
+ if (!this->peer_cfg->use_pull_mode(this->peer_cfg))
+ {
+ this->ike_sa->queue_task(this->ike_sa,
+ (task_t*)mode_config_create(this->ike_sa, TRUE, FALSE));
+ }
}
return SUCCESS;
}
@@ -540,6 +550,17 @@ METHOD(task_t, build_r, status_t,
}
}
+/**
+ * Schedule a timeout for the IKE_SA should it not establish
+ */
+static void schedule_timeout(ike_sa_t *ike_sa)
+{
+ job_t *job;
+
+ job = (job_t*)delete_ike_sa_job_create(ike_sa->get_id(ike_sa), FALSE);
+ lib->scheduler->schedule_job(lib->scheduler, job, HALF_OPEN_IKE_SA_TIMEOUT);
+}
+
METHOD(task_t, process_i, status_t,
private_main_mode_t *this, message_t *message)
{
@@ -639,20 +660,15 @@ METHOD(task_t, process_i, status_t,
case AUTH_XAUTH_INIT_PSK:
case AUTH_XAUTH_INIT_RSA:
case AUTH_HYBRID_INIT_RSA:
- { /* wait for XAUTH request, since this may never come,
- * we queue a timeout */
- job_t *job = (job_t*)delete_ike_sa_job_create(
- this->ike_sa->get_id(this->ike_sa), FALSE);
- lib->scheduler->schedule_job(lib->scheduler, job,
- HALF_OPEN_IKE_SA_TIMEOUT);
+ /* wait for XAUTH request */
+ schedule_timeout(this->ike_sa);
break;
- }
case AUTH_XAUTH_RESP_PSK:
case AUTH_XAUTH_RESP_RSA:
case AUTH_HYBRID_RESP_RSA:
this->ike_sa->queue_task(this->ike_sa,
(task_t*)xauth_create(this->ike_sa, TRUE));
- return SUCCESS;
+ break;
default:
if (charon->ike_sa_manager->check_uniqueness(
charon->ike_sa_manager, this->ike_sa, FALSE))
@@ -667,10 +683,30 @@ METHOD(task_t, process_i, status_t,
}
break;
}
+ /* check for and prepare mode config push/pull */
if (this->ph1->has_virtual_ip(this->ph1, this->peer_cfg))
{
- this->ike_sa->queue_task(this->ike_sa,
- (task_t*)mode_config_create(this->ike_sa, TRUE));
+ if (this->peer_cfg->use_pull_mode(this->peer_cfg))
+ {
+ this->ike_sa->queue_task(this->ike_sa,
+ (task_t*)mode_config_create(this->ike_sa, TRUE, TRUE));
+ }
+ else
+ {
+ schedule_timeout(this->ike_sa);
+ }
+ }
+ else if (this->ph1->has_pool(this->ph1, this->peer_cfg))
+ {
+ if (this->peer_cfg->use_pull_mode(this->peer_cfg))
+ {
+ schedule_timeout(this->ike_sa);
+ }
+ else
+ {
+ this->ike_sa->queue_task(this->ike_sa,
+ (task_t*)mode_config_create(this->ike_sa, TRUE, FALSE));
+ }
}
return SUCCESS;
}
diff --git a/src/libcharon/sa/ikev1/tasks/mode_config.c b/src/libcharon/sa/ikev1/tasks/mode_config.c
index ce897727a..17fe02538 100644
--- a/src/libcharon/sa/ikev1/tasks/mode_config.c
+++ b/src/libcharon/sa/ikev1/tasks/mode_config.c
@@ -42,14 +42,19 @@ struct private_mode_config_t {
bool initiator;
/**
+ * Use pull (CFG_REQUEST/RESPONSE) or push (CFG_SET/ACK)?
+ */
+ bool pull;
+
+ /**
* Received list of virtual IPs, host_t*
*/
linked_list_t *vips;
/**
- * list of attributes requested and its handler, entry_t
+ * Requested/received list of attributes, entry_t
*/
- linked_list_t *requested;
+ linked_list_t *attributes;
/**
* Identifier to include in response
@@ -58,12 +63,12 @@ struct private_mode_config_t {
};
/**
- * Entry for a requested attribute and the requesting handler
+ * Entry for a attribute and associated handler
*/
typedef struct {
- /** attribute requested */
+ /** attribute type */
configuration_attribute_type_t type;
- /** handler requesting this attribute */
+ /** handler for this attribute */
attribute_handler_t *handler;
} entry_t;
@@ -117,13 +122,13 @@ static void handle_attribute(private_mode_config_t *this,
entry_t *entry;
/* find the handler which requested this attribute */
- enumerator = this->requested->create_enumerator(this->requested);
+ enumerator = this->attributes->create_enumerator(this->attributes);
while (enumerator->enumerate(enumerator, &entry))
{
if (entry->type == ca->get_type(ca))
{
handler = entry->handler;
- this->requested->remove_at(this->requested, enumerator);
+ this->attributes->remove_at(this->attributes, enumerator);
free(entry);
break;
}
@@ -180,7 +185,7 @@ static void process_attribute(private_mode_config_t *this,
}
default:
{
- if (this->initiator)
+ if (this->initiator == this->pull)
{
handle_attribute(this, ca);
}
@@ -189,6 +194,24 @@ static void process_attribute(private_mode_config_t *this,
}
/**
+ * Check if config allows push mode when acting as task responder
+ */
+static bool accept_push(private_mode_config_t *this)
+{
+ enumerator_t *enumerator;
+ peer_cfg_t *config;
+ bool vip;
+ host_t *host;
+
+ config = this->ike_sa->get_peer_cfg(this->ike_sa);
+ enumerator = config->create_virtual_ip_enumerator(config);
+ vip = enumerator->enumerate(enumerator, &host);
+ enumerator->destroy(enumerator);
+
+ return vip && !config->use_pull_mode(config);
+}
+
+/**
* Scan for configuration payloads and attributes
*/
static void process_payloads(private_mode_config_t *this, message_t *message)
@@ -206,6 +229,15 @@ static void process_payloads(private_mode_config_t *this, message_t *message)
switch (cp->get_type(cp))
{
+ case CFG_SET:
+ /* when acting as a responder, we detect the mode using
+ * the type of configuration payload. But we should double
+ * check the peer is allowed to use push mode on us. */
+ if (!this->initiator && accept_push(this))
+ {
+ this->pull = FALSE;
+ }
+ /* FALL */
case CFG_REQUEST:
this->identifier = cp->get_identifier(cp);
/* FALL */
@@ -219,6 +251,8 @@ static void process_payloads(private_mode_config_t *this, message_t *message)
}
attributes->destroy(attributes);
break;
+ case CFG_ACK:
+ break;
default:
DBG1(DBG_IKE, "ignoring %N config payload",
config_type_names, cp->get_type(cp));
@@ -229,8 +263,29 @@ static void process_payloads(private_mode_config_t *this, message_t *message)
enumerator->destroy(enumerator);
}
-METHOD(task_t, build_i, status_t,
- private_mode_config_t *this, message_t *message)
+/**
+ * Add an attribute to a configuration payload, and store it in task
+ */
+static void add_attribute(private_mode_config_t *this, cp_payload_t *cp,
+ configuration_attribute_type_t type, chunk_t data,
+ attribute_handler_t *handler)
+{
+ entry_t *entry;
+
+ cp->add_attribute(cp,
+ configuration_attribute_create_chunk(CONFIGURATION_ATTRIBUTE_V1,
+ type, data));
+ INIT(entry,
+ .type = type,
+ .handler = handler,
+ );
+ this->attributes->insert_last(this->attributes, entry);
+}
+
+/**
+ * Build a CFG_REQUEST as initiator
+ */
+static status_t build_request(private_mode_config_t *this, message_t *message)
{
cp_payload_t *cp;
enumerator_t *enumerator;
@@ -279,18 +334,7 @@ METHOD(task_t, build_i, status_t,
this->ike_sa->get_other_id(this->ike_sa), vips);
while (enumerator->enumerate(enumerator, &handler, &type, &data))
{
- entry_t *entry;
-
- DBG2(DBG_IKE, "building %N attribute",
- configuration_attribute_type_names, type);
- cp->add_attribute(cp,
- configuration_attribute_create_chunk(CONFIGURATION_ATTRIBUTE_V1,
- type, data));
- INIT(entry,
- .type = type,
- .handler = handler,
- );
- this->requested->insert_last(this->requested, entry);
+ add_attribute(this, cp, type, data, handler);
}
enumerator->destroy(enumerator);
@@ -301,15 +345,121 @@ METHOD(task_t, build_i, status_t,
return NEED_MORE;
}
+/**
+ * Build a CFG_SET as initiator
+ */
+static status_t build_set(private_mode_config_t *this, message_t *message)
+{
+ enumerator_t *enumerator;
+ configuration_attribute_type_t type;
+ chunk_t value;
+ cp_payload_t *cp;
+ peer_cfg_t *config;
+ identification_t *id;
+ linked_list_t *pools;
+ host_t *any4, *any6, *found;
+ char *name;
+
+ cp = cp_payload_create_type(CONFIGURATION_V1, CFG_SET);
+
+ id = this->ike_sa->get_other_eap_id(this->ike_sa);
+ config = this->ike_sa->get_peer_cfg(this->ike_sa);
+ any4 = host_create_any(AF_INET);
+ any6 = host_create_any(AF_INET6);
+
+ this->ike_sa->clear_virtual_ips(this->ike_sa, FALSE);
+
+ /* in push mode, we ask each configured pool for an address */
+ enumerator = config->create_pool_enumerator(config);
+ while (enumerator->enumerate(enumerator, &name))
+ {
+ pools = linked_list_create_with_items(name, NULL);
+ /* try IPv4, then IPv6 */
+ found = hydra->attributes->acquire_address(hydra->attributes,
+ pools, id, any4);
+ if (!found)
+ {
+ found = hydra->attributes->acquire_address(hydra->attributes,
+ pools, id, any6);
+ }
+ pools->destroy(pools);
+ if (found)
+ {
+ DBG1(DBG_IKE, "assigning virtual IP %H to peer '%Y'", found, id);
+ this->ike_sa->add_virtual_ip(this->ike_sa, FALSE, found);
+ cp->add_attribute(cp, build_vip(found));
+ this->vips->insert_last(this->vips, found);
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ any4->destroy(any4);
+ any6->destroy(any6);
+
+ /* query registered providers for additional attributes to include */
+ pools = linked_list_create_from_enumerator(
+ config->create_pool_enumerator(config));
+ enumerator = hydra->attributes->create_responder_enumerator(
+ hydra->attributes, pools, id, this->vips);
+ while (enumerator->enumerate(enumerator, &type, &value))
+ {
+ add_attribute(this, cp, type, value, NULL);
+ }
+ enumerator->destroy(enumerator);
+ pools->destroy(pools);
+
+ message->add_payload(message, (payload_t*)cp);
+
+ return SUCCESS;
+}
+
+METHOD(task_t, build_i, status_t,
+ private_mode_config_t *this, message_t *message)
+{
+ if (this->pull)
+ {
+ return build_request(this, message);
+ }
+ return build_set(this, message);
+}
+
+/**
+ * Store received virtual IPs to the IKE_SA, install them
+ */
+static void install_vips(private_mode_config_t *this)
+{
+ enumerator_t *enumerator;
+ host_t *host;
+
+ this->ike_sa->clear_virtual_ips(this->ike_sa, TRUE);
+
+ enumerator = this->vips->create_enumerator(this->vips);
+ while (enumerator->enumerate(enumerator, &host))
+ {
+ if (!host->is_anyaddr(host))
+ {
+ this->ike_sa->add_virtual_ip(this->ike_sa, TRUE, host);
+ }
+ }
+ enumerator->destroy(enumerator);
+}
+
METHOD(task_t, process_r, status_t,
private_mode_config_t *this, message_t *message)
{
process_payloads(this, message);
+
+ if (!this->pull)
+ {
+ install_vips(this);
+ }
return NEED_MORE;
}
-METHOD(task_t, build_r, status_t,
- private_mode_config_t *this, message_t *message)
+/**
+ * Build CFG_REPLY message after receiving CFG_REQUEST
+ */
+static status_t build_reply(private_mode_config_t *this, message_t *message)
{
enumerator_t *enumerator;
configuration_attribute_type_t type;
@@ -360,8 +510,6 @@ METHOD(task_t, build_r, status_t,
hydra->attributes, pools, id, vips);
while (enumerator->enumerate(enumerator, &type, &value))
{
- DBG2(DBG_IKE, "building %N attribute",
- configuration_attribute_type_names, type);
cp->add_attribute(cp,
configuration_attribute_create_chunk(CONFIGURATION_ATTRIBUTE_V1,
type, value));
@@ -376,26 +524,72 @@ METHOD(task_t, build_r, status_t,
return SUCCESS;
}
-METHOD(task_t, process_i, status_t,
- private_mode_config_t *this, message_t *message)
+/**
+ * Build CFG_ACK for a received CFG_SET
+ */
+static status_t build_ack(private_mode_config_t *this, message_t *message)
{
+ cp_payload_t *cp;
enumerator_t *enumerator;
host_t *host;
+ configuration_attribute_type_t type;
+ entry_t *entry;
- process_payloads(this, message);
+ cp = cp_payload_create_type(CONFIGURATION_V1, CFG_ACK);
- this->ike_sa->clear_virtual_ips(this->ike_sa, TRUE);
+ /* return empty attributes for installed IPs */
enumerator = this->vips->create_enumerator(this->vips);
while (enumerator->enumerate(enumerator, &host))
{
- if (!host->is_anyaddr(host))
+ type = INTERNAL_IP6_ADDRESS;
+ if (host->get_family(host) == AF_INET6)
{
- this->ike_sa->add_virtual_ip(this->ike_sa, TRUE, host);
+ type = INTERNAL_IP6_ADDRESS;
}
+ else
+ {
+ type = INTERNAL_IP4_ADDRESS;
+ }
+ cp->add_attribute(cp, configuration_attribute_create_chunk(
+ CONFIGURATION_ATTRIBUTE_V1, type, chunk_empty));
}
enumerator->destroy(enumerator);
+ enumerator = this->attributes->create_enumerator(this->attributes);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ cp->add_attribute(cp,
+ configuration_attribute_create_chunk(CONFIGURATION_ATTRIBUTE_V1,
+ entry->type, chunk_empty));
+ }
+ enumerator->destroy(enumerator);
+
+ cp->set_identifier(cp, this->identifier);
+ message->add_payload(message, (payload_t*)cp);
+
+ return SUCCESS;
+}
+
+METHOD(task_t, build_r, status_t,
+ private_mode_config_t *this, message_t *message)
+{
+ if (this->pull)
+ {
+ return build_reply(this, message);
+ }
+ return build_ack(this, message);
+}
+
+METHOD(task_t, process_i, status_t,
+ private_mode_config_t *this, message_t *message)
+{
+ process_payloads(this, message);
+
+ if (this->pull)
+ {
+ install_vips(this);
+ }
return SUCCESS;
}
@@ -411,22 +605,22 @@ METHOD(task_t, migrate, void,
this->ike_sa = ike_sa;
this->vips->destroy_offset(this->vips, offsetof(host_t, destroy));
this->vips = linked_list_create();
- this->requested->destroy_function(this->requested, free);
- this->requested = linked_list_create();
+ this->attributes->destroy_function(this->attributes, free);
+ this->attributes = linked_list_create();
}
METHOD(task_t, destroy, void,
private_mode_config_t *this)
{
this->vips->destroy_offset(this->vips, offsetof(host_t, destroy));
- this->requested->destroy_function(this->requested, free);
+ this->attributes->destroy_function(this->attributes, free);
free(this);
}
/*
* Described in header.
*/
-mode_config_t *mode_config_create(ike_sa_t *ike_sa, bool initiator)
+mode_config_t *mode_config_create(ike_sa_t *ike_sa, bool initiator, bool pull)
{
private_mode_config_t *this;
@@ -439,8 +633,9 @@ mode_config_t *mode_config_create(ike_sa_t *ike_sa, bool initiator)
},
},
.initiator = initiator,
+ .pull = initiator ? pull : TRUE,
.ike_sa = ike_sa,
- .requested = linked_list_create(),
+ .attributes = linked_list_create(),
.vips = linked_list_create(),
);
diff --git a/src/libcharon/sa/ikev1/tasks/mode_config.h b/src/libcharon/sa/ikev1/tasks/mode_config.h
index 462bee374..c2da7a086 100644
--- a/src/libcharon/sa/ikev1/tasks/mode_config.h
+++ b/src/libcharon/sa/ikev1/tasks/mode_config.h
@@ -43,8 +43,9 @@ struct mode_config_t {
*
* @param ike_sa IKE_SA this task works for
* @param initiator TRUE for initiator
+ * @param pull TRUE to pull, FALSE to push (applies if initiator only)
* @return mode_config task to handle by the task_manager
*/
-mode_config_t *mode_config_create(ike_sa_t *ike_sa, bool initiator);
+mode_config_t *mode_config_create(ike_sa_t *ike_sa, bool initiator, bool pull);
#endif /** MODE_CONFIG_H_ @}*/
diff --git a/src/libcharon/sa/ikev1/tasks/quick_delete.c b/src/libcharon/sa/ikev1/tasks/quick_delete.c
index 1a2cdb777..605c10cea 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_delete.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_delete.c
@@ -177,7 +177,7 @@ METHOD(task_t, build_i, status_t,
DBG1(DBG_IKE, "sending DELETE for %N CHILD_SA with SPI %.8x",
protocol_id_names, this->protocol, ntohl(this->spi));
- delete_payload = delete_payload_create(DELETE_V1, PROTO_ESP);
+ delete_payload = delete_payload_create(DELETE_V1, this->protocol);
delete_payload->add_spi(delete_payload, this->spi);
message->add_payload(message, &delete_payload->payload_interface);
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index 6271e5b05..12ee594b9 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -165,6 +165,11 @@ struct private_quick_mode_t {
*/
ipsec_mode_t mode;
+ /*
+ * SA protocol (ESP|AH) negotiated
+ */
+ protocol_id_t proto;
+
/**
* Use UDP encapsulation
*/
@@ -722,7 +727,7 @@ static status_t send_notify(private_quick_mode_t *this, notify_type_t type)
notify_payload_t *notify;
notify = notify_payload_create_from_protocol_and_type(NOTIFY_V1,
- PROTO_ESP, type);
+ this->proto, type);
notify->set_spi(notify, this->spi_i);
this->ike_sa->queue_task(this->ike_sa,
@@ -733,6 +738,38 @@ static status_t send_notify(private_quick_mode_t *this, notify_type_t type)
return ALREADY_DONE;
}
+/**
+ * Prepare a list of proposals from child_config containing only the specified
+ * DH group, unless it is set to MODP_NONE.
+ */
+static linked_list_t *get_proposals(private_quick_mode_t *this,
+ diffie_hellman_group_t group)
+{
+ linked_list_t *list;
+ proposal_t *proposal;
+ enumerator_t *enumerator;
+
+ list = this->config->get_proposals(this->config, FALSE);
+ enumerator = list->create_enumerator(list);
+ while (enumerator->enumerate(enumerator, &proposal))
+ {
+ if (group != MODP_NONE)
+ {
+ if (!proposal->has_dh_group(proposal, group))
+ {
+ list->remove_at(list, enumerator);
+ proposal->destroy(proposal);
+ continue;
+ }
+ proposal->strip_dh(proposal, group);
+ }
+ proposal->set_spi(proposal, this->spi_i);
+ }
+ enumerator->destroy(enumerator);
+
+ return list;
+}
+
METHOD(task_t, build_i, status_t,
private_quick_mode_t *this, message_t *message)
{
@@ -740,7 +777,6 @@ METHOD(task_t, build_i, status_t,
{
case QM_INIT:
{
- enumerator_t *enumerator;
sa_payload_t *sa_payload;
linked_list_t *list, *tsi, *tsr;
proposal_t *proposal;
@@ -770,42 +806,55 @@ METHOD(task_t, build_i, status_t,
}
}
- this->spi_i = this->child_sa->alloc_spi(this->child_sa, PROTO_ESP);
+ list = this->config->get_proposals(this->config, MODP_NONE);
+ if (list->get_first(list, (void**)&proposal) == SUCCESS)
+ {
+ this->proto = proposal->get_protocol(proposal);
+ }
+ list->destroy_offset(list, offsetof(proposal_t, destroy));
+ this->spi_i = this->child_sa->alloc_spi(this->child_sa, this->proto);
if (!this->spi_i)
{
DBG1(DBG_IKE, "allocating SPI from kernel failed");
return FAILED;
}
+
group = this->config->get_dh_group(this->config);
if (group != MODP_NONE)
{
+ proposal_t *proposal;
+ u_int16_t preferred_group;
+
+ proposal = this->ike_sa->get_proposal(this->ike_sa);
+ proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP,
+ &preferred_group, NULL);
+ /* try the negotiated DH group from IKE_SA */
+ list = get_proposals(this, preferred_group);
+ if (list->get_count(list))
+ {
+ group = preferred_group;
+ }
+ else
+ {
+ /* fall back to the first configured DH group */
+ list->destroy(list);
+ list = get_proposals(this, group);
+ }
+
this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
group);
if (!this->dh)
{
DBG1(DBG_IKE, "configured DH group %N not supported",
diffie_hellman_group_names, group);
+ list->destroy_offset(list, offsetof(proposal_t, destroy));
return FAILED;
}
}
-
- list = this->config->get_proposals(this->config, FALSE);
- enumerator = list->create_enumerator(list);
- while (enumerator->enumerate(enumerator, &proposal))
+ else
{
- if (group != MODP_NONE)
- {
- if (!proposal->has_dh_group(proposal, group))
- {
- list->remove_at(list, enumerator);
- proposal->destroy(proposal);
- continue;
- }
- proposal->strip_dh(proposal, group);
- }
- proposal->set_spi(proposal, this->spi_i);
+ list = get_proposals(this, MODP_NONE);
}
- enumerator->destroy(enumerator);
get_lifetimes(this);
encap = get_encap(this->ike_sa, this->udp);
@@ -1103,7 +1152,8 @@ METHOD(task_t, build_r, status_t,
sa_payload_t *sa_payload;
encap_t encap;
- this->spi_r = this->child_sa->alloc_spi(this->child_sa, PROTO_ESP);
+ this->proto = this->proposal->get_protocol(this->proposal);
+ this->spi_r = this->child_sa->alloc_spi(this->child_sa, this->proto);
if (!this->spi_r)
{
DBG1(DBG_IKE, "allocating SPI from kernel failed");
@@ -1311,6 +1361,7 @@ quick_mode_t *quick_mode_create(ike_sa_t *ike_sa, child_cfg_t *config,
.state = QM_INIT,
.tsi = tsi ? tsi->clone(tsi) : NULL,
.tsr = tsr ? tsr->clone(tsr) : NULL,
+ .proto = PROTO_ESP,
);
if (config)
diff --git a/src/libcharon/sa/ikev1/tasks/xauth.c b/src/libcharon/sa/ikev1/tasks/xauth.c
index 31114e592..f5555ecd2 100644
--- a/src/libcharon/sa/ikev1/tasks/xauth.c
+++ b/src/libcharon/sa/ikev1/tasks/xauth.c
@@ -127,7 +127,7 @@ static xauth_method_t *load_method(private_xauth_t* this)
{
if (name)
{
- DBG1(DBG_CFG, "no XAuth method found named '%s'", name);
+ DBG1(DBG_CFG, "no XAuth method found for '%s'", name);
}
else
{