Diffstat (limited to 'src/libcharon/sa/tasks')
-rw-r--r-- | src/libcharon/sa/tasks/child_create.c | 148 | ||||
-rw-r--r-- | src/libcharon/sa/tasks/child_delete.c | 1 | ||||
-rw-r--r-- | src/libcharon/sa/tasks/child_rekey.c | 19 | ||||
-rw-r--r-- | src/libcharon/sa/tasks/ike_auth.c | 169 | ||||
-rw-r--r-- | src/libcharon/sa/tasks/ike_cert_pre.c | 18 | ||||
-rw-r--r-- | src/libcharon/sa/tasks/ike_config.c | 2 | ||||
-rw-r--r-- | src/libcharon/sa/tasks/ike_rekey.c | 214 |
7 files changed, 101 insertions, 470 deletions
diff --git a/src/libcharon/sa/tasks/child_create.c b/src/libcharon/sa/tasks/child_create.c index 16f7b6d81..fc02a334b 100644 --- a/src/libcharon/sa/tasks/child_create.c +++ b/src/libcharon/sa/tasks/child_create.c @@ -117,14 +117,11 @@ struct private_child_create_t { ipsec_mode_t mode; /** -<<<<<<< HEAD -======= * peer accepts TFC padding for this SA */ bool tfcv3; /** ->>>>>>> upstream/4.5.1 * IPComp transform to use */ ipcomp_transform_t ipcomp; @@ -463,19 +460,6 @@ static status_t select_and_install(private_child_create_t *this, { if (this->initiator) { -<<<<<<< HEAD - status_i = this->child_sa->install(this->child_sa, encr_r, integ_r, - this->my_spi, this->my_cpi, TRUE, my_ts, other_ts); - status_o = this->child_sa->install(this->child_sa, encr_i, integ_i, - this->other_spi, this->other_cpi, FALSE, my_ts, other_ts); - } - else - { - status_i = this->child_sa->install(this->child_sa, encr_i, integ_i, - this->my_spi, this->my_cpi, TRUE, my_ts, other_ts); - status_o = this->child_sa->install(this->child_sa, encr_r, integ_r, - this->other_spi, this->other_cpi, FALSE, my_ts, other_ts); -======= status_i = this->child_sa->install(this->child_sa, encr_r, integ_r, this->my_spi, this->my_cpi, TRUE, this->tfcv3, my_ts, other_ts); @@ -491,7 +475,6 @@ static status_t select_and_install(private_child_create_t *this, status_o = this->child_sa->install(this->child_sa, encr_r, integ_r, this->other_spi, this->other_cpi, FALSE, this->tfcv3, my_ts, other_ts); ->>>>>>> upstream/4.5.1 } } chunk_clear(&integ_i); @@ -657,9 +640,6 @@ static void handle_notify(private_child_create_t *this, notify_payload_t *notify ipcomp_transform_names, ipcomp); break; } -<<<<<<< HEAD - } -======= break; } case ESP_TFC_PADDING_NOT_SUPPORTED: @@ -667,7 +647,6 @@ static void handle_notify(private_child_create_t *this, notify_payload_t *notify notify_type_names, notify->get_notify_type(notify)); this->tfcv3 = FALSE; break; ->>>>>>> upstream/4.5.1 default: break; } 
@@ -727,15 +706,8 @@ static void process_payloads(private_child_create_t *this, message_t *message) enumerator->destroy(enumerator); } -<<<<<<< HEAD -/** - * Implementation of task_t.build for initiator - */ -static status_t build_i(private_child_create_t *this, message_t *message) -======= METHOD(task_t, build_i, status_t, private_child_create_t *this, message_t *message) ->>>>>>> upstream/4.5.1 { host_t *me, *other, *vip; peer_cfg_t *peer_cfg; @@ -872,15 +844,8 @@ METHOD(task_t, build_i, status_t, return NEED_MORE; } -<<<<<<< HEAD -/** - * Implementation of task_t.process for responder - */ -static status_t process_r(private_child_create_t *this, message_t *message) -======= METHOD(task_t, process_r, status_t, private_child_create_t *this, message_t *message) ->>>>>>> upstream/4.5.1 { switch (message->get_exchange_type(message)) { @@ -923,15 +888,8 @@ static void handle_child_sa_failure(private_child_create_t *this, } } -<<<<<<< HEAD -/** - * Implementation of task_t.build for responder - */ -static status_t build_r(private_child_create_t *this, message_t *message) -======= METHOD(task_t, build_r, status_t, private_child_create_t *this, message_t *message) ->>>>>>> upstream/4.5.1 { peer_cfg_t *peer_cfg; payload_t *payload; @@ -1009,11 +967,7 @@ METHOD(task_t, build_r, status_t, case INTERNAL_ADDRESS_FAILURE: case FAILED_CP_REQUIRED: { -<<<<<<< HEAD - DBG1(DBG_IKE,"configuration payload negotation " -======= DBG1(DBG_IKE,"configuration payload negotiation " ->>>>>>> upstream/4.5.1 "failed, no CHILD_SA built"); enumerator->destroy(enumerator); handle_child_sa_failure(this, message); 
@@ -1084,15 +1038,8 @@ METHOD(task_t, build_r, status_t, return SUCCESS; } -<<<<<<< HEAD -/** - * Implementation of task_t.process for initiator - */ -static status_t process_i(private_child_create_t *this, message_t *message) -======= METHOD(task_t, process_i, status_t, private_child_create_t *this, message_t *message) ->>>>>>> upstream/4.5.1 { enumerator_t *enumerator; payload_t *payload; @@ -1163,9 +1110,6 @@ METHOD(task_t, process_i, status_t, return NEED_MORE; } default: -<<<<<<< HEAD - break; -======= { if (message->get_exchange_type(message) == CREATE_CHILD_SA) { /* handle notifies if not handled in IKE_AUTH */ @@ -1181,7 +1125,6 @@ METHOD(task_t, process_i, status_t, } break; } ->>>>>>> upstream/4.5.1 } } } @@ -1233,49 +1176,20 @@ METHOD(task_t, process_i, status_t, return SUCCESS; } -<<<<<<< HEAD -/** - * Implementation of task_t.get_type - */ -static task_type_t get_type(private_child_create_t *this) -{ - return CHILD_CREATE; -} - -/** - * Implementation of child_create_t.use_reqid - */ -static void use_reqid(private_child_create_t *this, u_int32_t reqid) -======= METHOD(child_create_t, use_reqid, void, private_child_create_t *this, u_int32_t reqid) ->>>>>>> upstream/4.5.1 { this->reqid = reqid; } -<<<<<<< HEAD -/** - * Implementation of child_create_t.get_child - */ -static child_sa_t* get_child(private_child_create_t *this) -======= METHOD(child_create_t, get_child, child_sa_t*, private_child_create_t *this) ->>>>>>> upstream/4.5.1 { return this->child_sa; } -<<<<<<< HEAD -/** - * Implementation of child_create_t.get_lower_nonce - */ -static chunk_t get_lower_nonce(private_child_create_t *this) -======= METHOD(child_create_t, get_lower_nonce, chunk_t, private_child_create_t *this) ->>>>>>> upstream/4.5.1 { if (memcmp(this->my_nonce.ptr, this->other_nonce.ptr, min(this->my_nonce.len, this->other_nonce.len)) < 0) 
@@ -1288,12 +1202,6 @@ METHOD(child_create_t, get_lower_nonce, chunk_t, } } -<<<<<<< HEAD -/** - * Implementation of task_t.migrate - */ -static void migrate(private_child_create_t *this, ike_sa_t *ike_sa) -======= METHOD(task_t, get_type, task_type_t, private_child_create_t *this) { @@ -1302,7 +1210,6 @@ METHOD(task_t, get_type, task_type_t, METHOD(task_t, migrate, void, private_child_create_t *this, ike_sa_t *ike_sa) ->>>>>>> upstream/4.5.1 { chunk_free(&this->my_nonce); chunk_free(&this->other_nonce); @@ -1338,15 +1245,8 @@ METHOD(task_t, migrate, void, this->established = FALSE; } -<<<<<<< HEAD -/** - * Implementation of task_t.destroy - */ -static void destroy(private_child_create_t *this) -======= METHOD(task_t, destroy, void, private_child_create_t *this) ->>>>>>> upstream/4.5.1 { chunk_free(&this->my_nonce); chunk_free(&this->other_nonce); @@ -1382,20 +1282,6 @@ child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config, bool rekey, traffic_selector_t *tsi, traffic_selector_t *tsr) { -<<<<<<< HEAD - private_child_create_t *this = malloc_thing(private_child_create_t); - - this->public.get_child = (child_sa_t*(*)(child_create_t*))get_child; - this->public.get_lower_nonce = (chunk_t(*)(child_create_t*))get_lower_nonce; - this->public.use_reqid = (void(*)(child_create_t*,u_int32_t))use_reqid; - this->public.task.get_type = (task_type_t(*)(task_t*))get_type; - this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate; - this->public.task.destroy = (void(*)(task_t*))destroy; - if (config) - { - this->public.task.build = (status_t(*)(task_t*,message_t*))build_i; - this->public.task.process = (status_t(*)(task_t*,message_t*))process_i; -======= private_child_create_t *this; INIT(this, 
@@ -1426,49 +1312,15 @@ child_create_t *child_create_create(ike_sa_t *ike_sa, { this->public.task.build = _build_i; this->public.task.process = _process_i; ->>>>>>> upstream/4.5.1 this->initiator = TRUE; config->get_ref(config); } else { -<<<<<<< HEAD - this->public.task.build = (status_t(*)(task_t*,message_t*))build_r; - this->public.task.process = (status_t(*)(task_t*,message_t*))process_r; - this->initiator = FALSE; - } - - this->ike_sa = ike_sa; - this->config = config; - this->my_nonce = chunk_empty; - this->other_nonce = chunk_empty; - this->proposals = NULL; - this->proposal = NULL; - this->tsi = NULL; - this->tsr = NULL; - this->packet_tsi = tsi ? tsi->clone(tsi) : NULL; - this->packet_tsr = tsr ? tsr->clone(tsr) : NULL; - this->dh = NULL; - this->dh_group = MODP_NONE; - this->keymat = ike_sa->get_keymat(ike_sa); - this->child_sa = NULL; - this->mode = MODE_TUNNEL; - this->ipcomp = IPCOMP_NONE; - this->ipcomp_received = IPCOMP_NONE; - this->my_spi = 0; - this->other_spi = 0; - this->my_cpi = 0; - this->other_cpi = 0; - this->reqid = 0; - this->established = FALSE; - this->rekey = rekey; - -======= this->public.task.build = _build_r; this->public.task.process = _process_r; this->initiator = FALSE; } ->>>>>>> upstream/4.5.1 return &this->public; } diff --git a/src/libcharon/sa/tasks/child_delete.c b/src/libcharon/sa/tasks/child_delete.c index 45e97e4cd..e6834a93c 100644 --- a/src/libcharon/sa/tasks/child_delete.c +++ b/src/libcharon/sa/tasks/child_delete.c @@ -163,6 +163,7 @@ static void process_payloads(private_child_delete_t *this, message_t *message) protocol, spi); continue; } + /* fall through */ case CHILD_INSTALLED: if (!this->initiator) { /* reestablish installed children if required */ diff --git a/src/libcharon/sa/tasks/child_rekey.c b/src/libcharon/sa/tasks/child_rekey.c index 5ffe49293..b39a5fc67 100644 --- a/src/libcharon/sa/tasks/child_rekey.c +++ b/src/libcharon/sa/tasks/child_rekey.c 
@@ -241,20 +241,11 @@ static child_sa_t *handle_collision(private_child_rekey_t *this) /* if we have the lower nonce, delete rekeyed SA. If not, delete * the redundant. */ if (memcmp(this_nonce.ptr, other_nonce.ptr, -<<<<<<< HEAD - min(this_nonce.len, other_nonce.len)) < 0) - { - child_sa_t *child_sa; - - DBG1(DBG_IKE, "CHILD_SA rekey collision won, " - "deleting rekeyed child"); -======= min(this_nonce.len, other_nonce.len)) > 0) { child_sa_t *child_sa; DBG1(DBG_IKE, "CHILD_SA rekey collision won, deleting old child"); ->>>>>>> upstream/4.5.1 to_delete = this->child_sa; /* don't touch child other created, it has already been deleted */ if (!this->other_child_destroyed) @@ -267,11 +258,7 @@ static child_sa_t *handle_collision(private_child_rekey_t *this) else { DBG1(DBG_IKE, "CHILD_SA rekey collision lost, " -<<<<<<< HEAD - "deleting redundant child"); -======= "deleting rekeyed child"); ->>>>>>> upstream/4.5.1 to_delete = this->child_create->get_child(this->child_create); } } @@ -395,7 +382,7 @@ static void collide(private_child_rekey_t *this, task_t *other) if (other->get_type(other) == CHILD_REKEY) { private_child_rekey_t *rekey = (private_child_rekey_t*)other; - if (rekey == NULL || rekey->child_sa != this->child_sa) + if (rekey->child_sa != this->child_sa) { /* not the same child => no collision */ other->destroy(other); @@ -412,7 +399,7 @@ static void collide(private_child_rekey_t *this, task_t *other) other->destroy(other); return; } - if (del == NULL || del->get_child(del) != this->child_sa) + if (del->get_child(del) != this->child_sa) { /* not the same child => no collision */ other->destroy(other); @@ -425,6 +412,8 @@ static void collide(private_child_rekey_t *this, task_t *other) other->destroy(other); return; } + DBG1(DBG_IKE, "detected %N collision with %N", task_type_names, CHILD_REKEY, + task_type_names, other->get_type(other)); DESTROY_IF(this->collision); this->collision = other; } 
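Review bot: The comment kept above the nonce comparison in handle_collision, `/* if we have the lower nonce, delete rekeyed SA. If not, delete the redundant. */`, no longer describes the resolved code: with the test now `> 0`, the branch taken when our nonce is the higher one logs "collision won" and deletes `this->child_sa` (the old SA that was being rekeyed), while the lower-nonce branch deletes the child this task created. I would reword it to `/* the side with the higher nonce wins and deletes the rekeyed (old) SA; the side with the lower nonce deletes the redundant SA it created */`. The two log lines also name the deleted SA inconsistently (`deleting old child` versus `deleting rekeyed child`), which reads as if both branches delete the same SA. The same stale comment precedes the equivalent `> 0` comparison in the ike_rekey.c hunk at @@ -255. handle_collision starts before this hunk.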
diff --git a/src/libcharon/sa/tasks/ike_auth.c b/src/libcharon/sa/tasks/ike_auth.c index fbc177d6f..0756c7d60 100644 --- a/src/libcharon/sa/tasks/ike_auth.c +++ b/src/libcharon/sa/tasks/ike_auth.c @@ -68,14 +68,11 @@ struct private_ike_auth_t { packet_t *other_packet; /** -<<<<<<< HEAD -======= * Reserved bytes of ID payload */ char reserved[3]; /** ->>>>>>> upstream/4.5.1 * currently active authenticator, to authenticate us */ authenticator_t *my_auth; @@ -109,14 +106,11 @@ struct private_ike_auth_t { * should we send a AUTHENTICATION_FAILED notify? */ bool authentication_failed; -<<<<<<< HEAD -======= /** * received an INITIAL_CONTACT? */ bool initial_contact; ->>>>>>> upstream/4.5.1 }; /** @@ -176,8 +170,6 @@ static status_t collect_other_init_data(private_ike_auth_t *this, } /** -<<<<<<< HEAD -======= * Get and store reserved bytes of id_payload, required for AUTH payload */ static void get_reserved_id_bytes(private_ike_auth_t *this, id_payload_t *id) @@ -196,7 +188,6 @@ static void get_reserved_id_bytes(private_ike_auth_t *this, id_payload_t *id) } /** ->>>>>>> upstream/4.5.1 * Get the next authentication configuration */ static auth_cfg_t *get_auth_cfg(private_ike_auth_t *this, bool local) @@ -366,15 +357,8 @@ static bool update_cfg_candidates(private_ike_auth_t *this, bool strict) return this->peer_cfg != NULL; } -<<<<<<< HEAD -/** - * Implementation of task_t.build for initiator - */ -static status_t build_i(private_ike_auth_t *this, message_t *message) -======= METHOD(task_t, build_i, status_t, private_ike_auth_t *this, message_t *message) ->>>>>>> upstream/4.5.1 { auth_cfg_t *cfg; @@ -409,11 +393,7 @@ METHOD(task_t, build_i, status_t, /* check if an authenticator is in progress */ if (this->my_auth == NULL) { -<<<<<<< HEAD - identification_t *id; -======= identification_t *idi, *idr = NULL; ->>>>>>> upstream/4.5.1 id_payload_t *id_payload; /* clean up authentication config from a previous round */ 
@@ -424,44 +404,24 @@ METHOD(task_t, build_i, status_t, cfg = get_auth_cfg(this, FALSE); if (cfg) { -<<<<<<< HEAD - id = cfg->get(cfg, AUTH_RULE_IDENTITY); - if (id && !id->contains_wildcards(id)) - { - this->ike_sa->set_other_id(this->ike_sa, id->clone(id)); - id_payload = id_payload_create_from_identification( - ID_RESPONDER, id); -======= idr = cfg->get(cfg, AUTH_RULE_IDENTITY); if (idr && !idr->contains_wildcards(idr)) { this->ike_sa->set_other_id(this->ike_sa, idr->clone(idr)); id_payload = id_payload_create_from_identification( ID_RESPONDER, idr); ->>>>>>> upstream/4.5.1 message->add_payload(message, (payload_t*)id_payload); } } /* add IDi */ cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE); cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE); -<<<<<<< HEAD - id = cfg->get(cfg, AUTH_RULE_IDENTITY); - if (!id) -======= idi = cfg->get(cfg, AUTH_RULE_IDENTITY); if (!idi) ->>>>>>> upstream/4.5.1 { DBG1(DBG_CFG, "configuration misses IDi"); return FAILED; } -<<<<<<< HEAD - this->ike_sa->set_my_id(this->ike_sa, id->clone(id)); - id_payload = id_payload_create_from_identification(ID_INITIATOR, id); - message->add_payload(message, (payload_t*)id_payload); - -======= this->ike_sa->set_my_id(this->ike_sa, idi->clone(idi)); id_payload = id_payload_create_from_identification(ID_INITIATOR, idi); get_reserved_id_bytes(this, id_payload); @@ -480,17 +440,12 @@ METHOD(task_t, build_i, status_t, } } ->>>>>>> upstream/4.5.1 /* build authentication data */ this->my_auth = authenticator_create_builder(this->ike_sa, cfg, this->other_nonce, this->my_nonce, this->other_packet->get_data(this->other_packet), -<<<<<<< HEAD - this->my_packet->get_data(this->my_packet)); -======= this->my_packet->get_data(this->my_packet), this->reserved); ->>>>>>> upstream/4.5.1 if (!this->my_auth) { return FAILED; 
@@ -527,15 +482,8 @@ METHOD(task_t, build_i, status_t, return NEED_MORE; } -<<<<<<< HEAD -/** - * Implementation of task_t.process for responder - */ -static status_t process_r(private_ike_auth_t *this, message_t *message) -======= METHOD(task_t, process_r, status_t, private_ike_auth_t *this, message_t *message) ->>>>>>> upstream/4.5.1 { auth_cfg_t *cfg, *cand; id_payload_t *id_payload; @@ -589,10 +537,7 @@ METHOD(task_t, process_r, status_t, return FAILED; } id = id_payload->get_identification(id_payload); -<<<<<<< HEAD -======= get_reserved_id_bytes(this, id_payload); ->>>>>>> upstream/4.5.1 this->ike_sa->set_other_id(this->ike_sa, id); cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id)); @@ -643,12 +588,8 @@ METHOD(task_t, process_r, status_t, this->other_auth = authenticator_create_verifier(this->ike_sa, message, this->other_nonce, this->my_nonce, this->other_packet->get_data(this->other_packet), -<<<<<<< HEAD - this->my_packet->get_data(this->my_packet)); -======= this->my_packet->get_data(this->my_packet), this->reserved); ->>>>>>> upstream/4.5.1 if (!this->other_auth) { this->authentication_failed = TRUE; @@ -672,12 +613,6 @@ METHOD(task_t, process_r, status_t, return NEED_MORE; } -<<<<<<< HEAD - /* store authentication information */ - cfg = auth_cfg_create(); - cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE); - this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg); -======= /* If authenticated (with non-EAP) and received INITIAL_CONTACT, * delete any existing IKE_SAs with that peer. */ if (message->get_message_id(message) == 1 && @@ -685,7 +620,6 @@ METHOD(task_t, process_r, status_t, { this->initial_contact = TRUE; } ->>>>>>> upstream/4.5.1 /* another auth round done, invoke authorize hook */ if (!charon->bus->authorize(charon->bus, FALSE)) 
@@ -695,14 +629,11 @@ METHOD(task_t, process_r, status_t, return NEED_MORE; } -<<<<<<< HEAD -======= /* store authentication information */ cfg = auth_cfg_create(); cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE); this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg); ->>>>>>> upstream/4.5.1 if (!update_cfg_candidates(this, FALSE)) { this->authentication_failed = TRUE; @@ -721,15 +652,8 @@ METHOD(task_t, process_r, status_t, return NEED_MORE; } -<<<<<<< HEAD -/** - * Implementation of task_t.build for responder - */ -static status_t build_r(private_ike_auth_t *this, message_t *message) -======= METHOD(task_t, build_r, status_t, private_ike_auth_t *this, message_t *message) ->>>>>>> upstream/4.5.1 { auth_cfg_t *cfg; @@ -785,10 +709,6 @@ METHOD(task_t, build_r, status_t, } id_payload = id_payload_create_from_identification(ID_RESPONDER, id); -<<<<<<< HEAD - message->add_payload(message, (payload_t*)id_payload); - -======= get_reserved_id_bytes(this, id_payload); message->add_payload(message, (payload_t*)id_payload); @@ -799,7 +719,6 @@ METHOD(task_t, build_r, status_t, this->initial_contact = FALSE; } ->>>>>>> upstream/4.5.1 if ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS) == AUTH_CLASS_EAP) { /* EAP-only authentication */ if (!this->ike_sa->supports_extension(this->ike_sa, @@ -818,12 +737,8 @@ METHOD(task_t, build_r, status_t, this->my_auth = authenticator_create_builder(this->ike_sa, cfg, this->other_nonce, this->my_nonce, this->other_packet->get_data(this->other_packet), -<<<<<<< HEAD - this->my_packet->get_data(this->my_packet)); -======= this->my_packet->get_data(this->my_packet), this->reserved); ->>>>>>> upstream/4.5.1 if (!this->my_auth) { message->add_notify(message, TRUE, AUTHENTICATION_FAILED, 
@@ -885,11 +800,7 @@ METHOD(task_t, build_r, status_t, if (!this->do_another_auth && !this->expect_another_auth) { if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager, -<<<<<<< HEAD - this->ike_sa)) -======= this->ike_sa, FALSE)) ->>>>>>> upstream/4.5.1 { DBG1(DBG_IKE, "cancelling IKE_SA setup due uniqueness policy"); message->add_notify(message, TRUE, AUTHENTICATION_FAILED, @@ -917,15 +828,8 @@ METHOD(task_t, build_r, status_t, return NEED_MORE; } -<<<<<<< HEAD -/** - * Implementation of task_t.process for initiator - */ -static status_t process_i(private_ike_auth_t *this, message_t *message) -======= METHOD(task_t, process_i, status_t, private_ike_auth_t *this, message_t *message) ->>>>>>> upstream/4.5.1 { enumerator_t *enumerator; payload_t *payload; @@ -1007,10 +911,7 @@ METHOD(task_t, process_i, status_t, return FAILED; } id = id_payload->get_identification(id_payload); -<<<<<<< HEAD -======= get_reserved_id_bytes(this, id_payload); ->>>>>>> upstream/4.5.1 this->ike_sa->set_other_id(this->ike_sa, id); cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id)); @@ -1021,12 +922,8 @@ METHOD(task_t, process_i, status_t, this->other_auth = authenticator_create_verifier(this->ike_sa, message, this->other_nonce, this->my_nonce, this->other_packet->get_data(this->other_packet), -<<<<<<< HEAD - this->my_packet->get_data(this->my_packet)); -======= this->my_packet->get_data(this->my_packet), this->reserved); ->>>>>>> upstream/4.5.1 if (!this->other_auth) { return FAILED; 
@@ -1052,28 +949,17 @@ METHOD(task_t, process_i, status_t, this->other_auth->destroy(this->other_auth); this->other_auth = NULL; } -<<<<<<< HEAD - /* store authentication information, reset authenticator */ - cfg = auth_cfg_create(); - cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE); - this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg); - -======= ->>>>>>> upstream/4.5.1 /* another auth round done, invoke authorize hook */ if (!charon->bus->authorize(charon->bus, FALSE)) { DBG1(DBG_IKE, "authorization forbids IKE_SA, cancelling"); return FAILED; } -<<<<<<< HEAD -======= /* store authentication information, reset authenticator */ cfg = auth_cfg_create(); cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE); this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg); ->>>>>>> upstream/4.5.1 } if (this->my_auth) @@ -1134,28 +1020,14 @@ METHOD(task_t, process_i, status_t, return NEED_MORE; } -<<<<<<< HEAD -/** - * Implementation of task_t.get_type - */ -static task_type_t get_type(private_ike_auth_t *this) -======= METHOD(task_t, get_type, task_type_t, private_ike_auth_t *this) ->>>>>>> upstream/4.5.1 { return IKE_AUTHENTICATE; } -<<<<<<< HEAD -/** - * Implementation of task_t.migrate - */ -static void migrate(private_ike_auth_t *this, ike_sa_t *ike_sa) -======= METHOD(task_t, migrate, void, private_ike_auth_t *this, ike_sa_t *ike_sa) ->>>>>>> upstream/4.5.1 { chunk_free(&this->my_nonce); chunk_free(&this->other_nonce); @@ -1178,15 +1050,8 @@ METHOD(task_t, migrate, void, this->candidates = linked_list_create(); } -<<<<<<< HEAD -/** - * Implementation of task_t.destroy - */ -static void destroy(private_ike_auth_t *this) -======= METHOD(task_t, destroy, void, private_ike_auth_t *this) ->>>>>>> upstream/4.5.1 { chunk_free(&this->my_nonce); chunk_free(&this->other_nonce); 
@@ -1204,39 +1069,6 @@ METHOD(task_t, destroy, void, */ ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator) { -<<<<<<< HEAD - private_ike_auth_t *this = malloc_thing(private_ike_auth_t); - - this->public.task.get_type = (task_type_t(*)(task_t*))get_type; - this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate; - this->public.task.destroy = (void(*)(task_t*))destroy; - - if (initiator) - { - this->public.task.build = (status_t(*)(task_t*,message_t*))build_i; - this->public.task.process = (status_t(*)(task_t*,message_t*))process_i; - } - else - { - this->public.task.build = (status_t(*)(task_t*,message_t*))build_r; - this->public.task.process = (status_t(*)(task_t*,message_t*))process_r; - } - - this->ike_sa = ike_sa; - this->initiator = initiator; - this->my_nonce = chunk_empty; - this->other_nonce = chunk_empty; - this->my_packet = NULL; - this->other_packet = NULL; - this->peer_cfg = NULL; - this->candidates = linked_list_create(); - this->my_auth = NULL; - this->other_auth = NULL; - this->do_another_auth = TRUE; - this->expect_another_auth = TRUE; - this->authentication_failed = FALSE; - -======= private_ike_auth_t *this; INIT(this, @@ -1260,7 +1092,6 @@ ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator) this->public.task.build = _build_i; this->public.task.process = _process_i; } ->>>>>>> upstream/4.5.1 return &this->public; } diff --git a/src/libcharon/sa/tasks/ike_cert_pre.c b/src/libcharon/sa/tasks/ike_cert_pre.c index 8da8d549a..a59b8dcce 100644 --- a/src/libcharon/sa/tasks/ike_cert_pre.c +++ b/src/libcharon/sa/tasks/ike_cert_pre.c @@ -76,10 +76,7 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message) { certreq_payload_t *certreq = (certreq_payload_t*)payload; enumerator_t *enumerator; -<<<<<<< HEAD -======= u_int unknown = 0; ->>>>>>> upstream/4.5.1 chunk_t keyid; this->ike_sa->set_condition(this->ike_sa, COND_CERTREQ_SEEN, TRUE); 
@@ -107,26 +104,18 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message) } else { -<<<<<<< HEAD - DBG1(DBG_IKE, "received cert request for unknown ca " - "with keyid %Y", id); -======= DBG2(DBG_IKE, "received cert request for unknown ca " "with keyid %Y", id); unknown++; ->>>>>>> upstream/4.5.1 } id->destroy(id); } enumerator->destroy(enumerator); -<<<<<<< HEAD -======= if (unknown) { DBG1(DBG_IKE, "received %u cert requests for an unknown ca", unknown); } ->>>>>>> upstream/4.5.1 break; } case NOTIFY: @@ -271,8 +260,6 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message) } break; } -<<<<<<< HEAD -======= case ENC_CRL: cert = cert_payload->get_cert(cert_payload); if (cert) @@ -282,15 +269,10 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message) auth->add(auth, AUTH_HELPER_REVOCATION_CERT, cert); } break; ->>>>>>> upstream/4.5.1 case ENC_PKCS7_WRAPPED_X509: case ENC_PGP: case ENC_DNS_SIGNED_KEY: case ENC_KERBEROS_TOKEN: -<<<<<<< HEAD - case ENC_CRL: -======= ->>>>>>> upstream/4.5.1 case ENC_ARL: case ENC_SPKI: case ENC_X509_ATTRIBUTE: diff --git a/src/libcharon/sa/tasks/ike_config.c b/src/libcharon/sa/tasks/ike_config.c index c92b5bca5..a61663c48 100644 --- a/src/libcharon/sa/tasks/ike_config.c +++ b/src/libcharon/sa/tasks/ike_config.c @@ -317,7 +317,7 @@ static status_t build_r(private_ike_config_t *this, message_t *message) id = this->ike_sa->get_other_eap_id(this->ike_sa); config = this->ike_sa->get_peer_cfg(this->ike_sa); - if (config && this->virtual_ip) + if (this->virtual_ip) { DBG1(DBG_IKE, "peer requested virtual IP %H", this->virtual_ip); if (config->get_pool(config)) diff --git a/src/libcharon/sa/tasks/ike_rekey.c b/src/libcharon/sa/tasks/ike_rekey.c index 1698ddd34..c055dabc1 100644 --- a/src/libcharon/sa/tasks/ike_rekey.c +++ b/src/libcharon/sa/tasks/ike_rekey.c 
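Review bot: The new `case ENC_CRL:` branch in process_certs stores a peer-supplied CRL with `auth->add(auth, AUTH_HELPER_REVOCATION_CERT, cert)` and nothing in the hunk records that it is untrusted input; a CRL carried in a CERT payload only becomes meaningful once its signature is verified against the issuing CA, so the consumer of AUTH_HELPER_REVOCATION_CERT has to do that before honoring revocation status (presumably the revocation checker does, but that is not visible here). A one-line comment at the `case` would make the trust boundary explicit for the next reader: `/* peer-supplied CRL: a hint only, must be signature-checked by the revocation checker before use */`. The case body is split across this hunk and the one at @@ -282, and process_certs continues outside both.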
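Review bot: Dropping `config &&` from the condition in ike_config.c's build_r leaves `config->get_pool(config)` two lines below dereferencing the result of `get_peer_cfg()` unguarded; if that accessor can still return NULL while a virtual IP was requested, this is a NULL dereference on a peer-driven path. If the peer config is guaranteed to be selected by the time build_r runs, say so at the call, e.g. `/* peer_cfg is selected during IKE_AUTH before build_r runs, never NULL here */`; otherwise keep the guard as `if (config && this->virtual_ip)`. build_r continues outside the hunk.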
@@ -68,9 +68,45 @@ struct private_ike_rekey_t {
 };
 /**
- * Implementation of task_t.build for initiator, after rekeying
+ * Establish the new replacement IKE_SA
 */
-static status_t build_i_delete(private_ike_rekey_t *this, message_t *message)
+static void establish_new(private_ike_rekey_t *this)
+{
+ if (this->new_sa)
+ {
+ this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
+ DBG0(DBG_IKE, "IKE_SA %s[%d] rekeyed between %H[%Y]...%H[%Y]",
+ this->new_sa->get_name(this->new_sa),
+ this->new_sa->get_unique_id(this->new_sa),
+ this->ike_sa->get_my_host(this->ike_sa),
+ this->ike_sa->get_my_id(this->ike_sa),
+ this->ike_sa->get_other_host(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa));
+
+ this->new_sa->inherit(this->new_sa, this->ike_sa);
+ charon->bus->ike_rekey(charon->bus, this->ike_sa, this->new_sa);
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, this->new_sa);
+ this->new_sa = NULL;
+ /* set threads active IKE_SA after checkin */
+ charon->bus->set_sa(charon->bus, this->ike_sa);
+ }
+}
+
+METHOD(task_t, process_r_delete, status_t,
+ private_ike_rekey_t *this, message_t *message)
+{
+ establish_new(this);
+ return this->ike_delete->task.process(&this->ike_delete->task, message);
+}
+
+METHOD(task_t, build_r_delete, status_t,
+ private_ike_rekey_t *this, message_t *message)
+{
+ return this->ike_delete->task.build(&this->ike_delete->task, message);
+}
+
+METHOD(task_t, build_i_delete, status_t,
+ private_ike_rekey_t *this, message_t *message)
 {
 /* update exchange type to INFORMATIONAL for the delete */
 message->set_exchange_type(message, INFORMATIONAL);
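Review bot: `process_r_delete` calls `establish_new(this)` before delegating to the delete subtask, but nothing says why the responder establishes the replacement SA only at that point rather than in build_r, which the @@ -174 hunk now makes return NEED_MORE instead of establishing the new SA itself. Presumably the initiator's DELETE of the old IKE_SA is what confirms it has switched to the new one; a short comment above the method would capture that, e.g. `/* the initiator deletes the old IKE_SA once it uses the new one; establish ours before processing that delete */`. Unlike `establish_new`, the three METHODs added here carry no comment at all.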
@@ -78,18 +114,14 @@ static status_t build_i_delete(private_ike_rekey_t *this, message_t *message)
 return this->ike_delete->task.build(&this->ike_delete->task, message);
 }
-/**
- * Implementation of task_t.process for initiator, after rekeying
- */
-static status_t process_i_delete(private_ike_rekey_t *this, message_t *message)
+METHOD(task_t, process_i_delete, status_t,
+ private_ike_rekey_t *this, message_t *message)
 {
 return this->ike_delete->task.process(&this->ike_delete->task, message);
 }
-/**
- * Implementation of task_t.build for initiator
- */
-static status_t build_i(private_ike_rekey_t *this, message_t *message)
+METHOD(task_t, build_i, status_t,
+ private_ike_rekey_t *this, message_t *message)
 {
 peer_cfg_t *peer_cfg;
 host_t *other_host;
@@ -112,10 +144,8 @@ static status_t build_i(private_ike_rekey_t *this, message_t *message)
 return NEED_MORE;
 }
-/**
- * Implementation of task_t.process for responder
- */
-static status_t process_r(private_ike_rekey_t *this, message_t *message)
+METHOD(task_t, process_r, status_t,
+ private_ike_rekey_t *this, message_t *message)
 {
 peer_cfg_t *peer_cfg;
 iterator_t *iterator;
@@ -156,10 +186,8 @@ static status_t process_r(private_ike_rekey_t *this, message_t *message)
 return NEED_MORE;
 }
-/**
- * Implementation of task_t.build for responder
- */
-static status_t build_r(private_ike_rekey_t *this, message_t *message)
+METHOD(task_t, build_r, status_t,
+ private_ike_rekey_t *this, message_t *message)
 {
 if (this->new_sa == NULL)
 {
@@ -174,22 +202,17 @@ static status_t build_r(private_ike_rekey_t *this, message_t *message)
 }
 this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
- this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
- DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
- this->new_sa->get_name(this->new_sa),
- this->new_sa->get_unique_id(this->new_sa),
- this->ike_sa->get_my_host(this->ike_sa),
- this->ike_sa->get_my_id(this->ike_sa),
- this->ike_sa->get_other_host(this->ike_sa),
- this->ike_sa->get_other_id(this->ike_sa));
-
- return SUCCESS;
+
+ /* rekeying successful, delete the IKE_SA using a subtask */
+ this->ike_delete = ike_delete_create(this->ike_sa, FALSE);
+ this->public.task.build = _build_r_delete;
+ this->public.task.process = _process_r_delete;
+
+ return NEED_MORE;
 }
-/**
- * Implementation of task_t.process for initiator
- */
-static status_t process_i(private_ike_rekey_t *this, message_t *message)
+METHOD(task_t, process_i, status_t,
+ private_ike_rekey_t *this, message_t *message)
 {
 if (message->get_notify(message, NO_ADDITIONAL_SAS))
 {
@@ -228,15 +251,6 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
 break;
 }
- this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
- DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
- this->new_sa->get_name(this->new_sa),
- this->new_sa->get_unique_id(this->new_sa),
- this->ike_sa->get_my_host(this->ike_sa),
- this->ike_sa->get_my_id(this->ike_sa),
- this->ike_sa->get_other_host(this->ike_sa),
- this->ike_sa->get_other_id(this->ike_sa));
-
 /* check for collisions */
 if (this->collision && this->collision->get_type(this->collision) == IKE_REKEY)
@@ -255,53 +269,40 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
 /* if we have the lower nonce, delete rekeyed SA. If not, delete
 * the redundant. */
 if (memcmp(this_nonce.ptr, other_nonce.ptr,
-<<<<<<< HEAD
- min(this_nonce.len, other_nonce.len)) < 0)
-=======
 min(this_nonce.len, other_nonce.len)) > 0)
->>>>>>> upstream/4.5.1
 {
 /* peer should delete this SA. Add a timeout just in case. */
 job_t *job = (job_t*)delete_ike_sa_job_create(
 other->new_sa->get_id(other->new_sa), TRUE);
 lib->scheduler->schedule_job(lib->scheduler, job, 10);
-<<<<<<< HEAD
- DBG1(DBG_IKE, "IKE_SA rekey collision won, deleting rekeyed IKE_SA");
-=======
 DBG1(DBG_IKE, "IKE_SA rekey collision won, waiting for delete");
->>>>>>> upstream/4.5.1
 charon->ike_sa_manager->checkin(charon->ike_sa_manager, other->new_sa);
 other->new_sa = NULL;
 }
 else
 {
-<<<<<<< HEAD
- DBG1(DBG_IKE, "IKE_SA rekey collision lost, deleting redundant IKE_SA");
-=======
 DBG1(DBG_IKE, "IKE_SA rekey collision lost, "
 "deleting redundant IKE_SA");
->>>>>>> upstream/4.5.1
 /* apply host for a proper delete */
 host = this->ike_sa->get_my_host(this->ike_sa);
 this->new_sa->set_my_host(this->new_sa, host->clone(host));
 host = this->ike_sa->get_other_host(this->ike_sa);
 this->new_sa->set_other_host(this->new_sa, host->clone(host));
 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+ this->new_sa->set_state(this->new_sa, IKE_REKEYING);
 if (this->new_sa->delete(this->new_sa) == DESTROY_ME)
 {
- charon->ike_sa_manager->checkin_and_destroy(
- charon->ike_sa_manager, this->new_sa);
+ this->new_sa->destroy(this->new_sa);
 }
 else
 {
 charon->ike_sa_manager->checkin(
 charon->ike_sa_manager, this->new_sa);
+ /* set threads active IKE_SA after checkin */
+ charon->bus->set_sa(charon->bus, this->ike_sa);
 }
- /* set threads active IKE_SA after checkin */
- charon->bus->set_sa(charon->bus, this->ike_sa);
- /* inherit to other->new_sa in destroy() */
- this->new_sa = other->new_sa;
- other->new_sa = NULL;
+ this->new_sa = NULL;
+ establish_new(other);
 return SUCCESS;
 }
 }
@@ -309,32 +310,33 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
 charon->bus->set_sa(charon->bus, this->ike_sa);
 }
+ establish_new(this);
+
 /* rekeying successful, delete the IKE_SA using a subtask */
 this->ike_delete = ike_delete_create(this->ike_sa, TRUE);
- this->public.task.build = (status_t(*)(task_t*,message_t*))build_i_delete;
- this->public.task.process = (status_t(*)(task_t*,message_t*))process_i_delete;
+ this->public.task.build = _build_i_delete;
+ this->public.task.process = _process_i_delete;
 return NEED_MORE;
 }
-/**
- * Implementation of task_t.get_type
- */
-static task_type_t get_type(private_ike_rekey_t *this)
+METHOD(task_t, get_type, task_type_t,
+ private_ike_rekey_t *this)
 {
 return IKE_REKEY;
 }
-static void collide(private_ike_rekey_t* this, task_t *other)
+METHOD(ike_rekey_t, collide, void,
+ private_ike_rekey_t* this, task_t *other)
 {
+ DBG1(DBG_IKE, "detected %N collision with %N", task_type_names, IKE_REKEY,
+ task_type_names, other->get_type(other));
 DESTROY_IF(this->collision);
 this->collision = other;
 }
-/**
- * Implementation of task_t.migrate
- */
-static void migrate(private_ike_rekey_t *this, ike_sa_t *ike_sa)
+METHOD(task_t, migrate, void,
+ private_ike_rekey_t *this, ike_sa_t *ike_sa)
 {
 if (this->ike_init)
 {
@@ -344,13 +346,7 @@ static void migrate(private_ike_rekey_t *this, ike_sa_t *ike_sa)
 {
 this->ike_delete->task.destroy(&this->ike_delete->task);
 }
- if (this->new_sa)
- {
- charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
- this->new_sa);
- /* set threads active IKE_SA after checkin */
- charon->bus->set_sa(charon->bus, this->ike_sa);
- }
+ DESTROY_IF(this->new_sa);
 DESTROY_IF(this->collision);
 this->collision = NULL;
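Review bot: In the collision-lost branch the `charon->bus->set_sa(charon->bus, this->ike_sa);` reset that previously ran after both paths now runs only on the checkin path, so on the DESTROY_ME path `this->new_sa->destroy()` frees the SA and the thread's active-SA pointer is left wherever `delete()` put it before `establish_new(other)` continues. If `delete()` can switch the bus to the new SA (not visible from this hunk), that is a dangling pointer for everything logged afterwards; placing the `set_sa` line after the if/else restores the old unconditional placement at no cost. The context comment `/* if we have the lower nonce, delete rekeyed SA. If not, delete * the redundant. */` describes the pre-merge `< 0` test and is now inverted relative to the resolved `> 0` condition; it should read `/* if we have the higher nonce the peer deletes its redundant SA; otherwise delete ours */`. A `memcmp` result of 0 (identical nonce prefixes) also sends both peers down the lost path, which is negligible with random nonces but worth a one-line comment. process_i begins and ends outside the hunk.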
@@ -360,28 +356,9 @@ static void migrate(private_ike_rekey_t *this, ike_sa_t *ike_sa)
 this->ike_delete = NULL;
 }
-/**
- * Implementation of task_t.destroy
- */
-static void destroy(private_ike_rekey_t *this)
+METHOD(task_t, destroy, void,
+ private_ike_rekey_t *this)
 {
- if (this->new_sa)
- {
- if (this->new_sa->get_state(this->new_sa) == IKE_ESTABLISHED &&
- this->new_sa->inherit(this->new_sa, this->ike_sa) != DESTROY_ME)
- {
- /* invoke hook if rekeying was successful */
- charon->bus->ike_rekey(charon->bus, this->ike_sa, this->new_sa);
- charon->ike_sa_manager->checkin(charon->ike_sa_manager, this->new_sa);
- }
- else
- {
- charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
- this->new_sa);
- }
- /* set threads active IKE_SA after checkin */
- charon->bus->set_sa(charon->bus, this->ike_sa);
- }
 if (this->ike_init)
 {
 this->ike_init->task.destroy(&this->ike_init->task);
@@ -390,6 +367,7 @@ static void destroy(private_ike_rekey_t *this)
 {
 this->ike_delete->task.destroy(&this->ike_delete->task);
 }
+ DESTROY_IF(this->new_sa);
 DESTROY_IF(this->collision);
 free(this);
 }
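Review bot: `destroy()` now unconditionally runs `DESTROY_IF(this->new_sa);`, so its correctness depends on every path that hands `new_sa` to the IKE_SA manager also clearing the field: the collision-lost branch in process_i does set `this->new_sa = NULL`, but `establish_new()`, which the non-collision path calls with `this`, is not visible here, and if it checks the SA in without nulling the field this frees an SA the manager still owns. The same pattern replaces the checkin_and_destroy in the migrate hunk above. A short ownership comment at the DESTROY_IF, e.g. `/* new_sa is non-NULL only while still owned by this task, never after checkin */`, would document the invariant both callers rely on.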
@@ -399,29 +377,27 @@ static void destroy(private_ike_rekey_t *this)
 */
 ike_rekey_t *ike_rekey_create(ike_sa_t *ike_sa, bool initiator)
 {
- private_ike_rekey_t *this = malloc_thing(private_ike_rekey_t);
-
- this->public.collide = (void(*)(ike_rekey_t*,task_t*))collide;
- this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
- this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
- this->public.task.destroy = (void(*)(task_t*))destroy;
+ private_ike_rekey_t *this;
+
+ INIT(this,
+ .public = {
+ .task = {
+ .get_type = _get_type,
+ .build = _build_r,
+ .process = _process_r,
+ .migrate = _migrate,
+ .destroy = _destroy,
+ },
+ .collide = _collide,
+ },
+ .ike_sa = ike_sa,
+ .initiator = initiator,
+ );
 if (initiator)
 {
- this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
- this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
+ this->public.task.build = _build_i;
+ this->public.task.process = _process_i;
 }
- else
- {
- this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
- this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
- }
-
- this->ike_sa = ike_sa;
- this->new_sa = NULL;
- this->ike_init = NULL;
- this->ike_delete = NULL;
- this->initiator = initiator;
- this->collision = NULL;
 return &this->public;
 } |
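Review bot: The INIT() block omits `new_sa`, `ike_init`, `ike_delete` and `collision`, which the old code set to NULL explicitly; that is only correct if INIT zero-fills unspecified members, which its designated-initializer form suggests but this page does not show. Since `destroy()` and `migrate()` now DESTROY_IF those pointers, a brief comment such as `/* remaining members (new_sa, ike_init, ike_delete, collision) are zeroed by INIT */` would make the assumption explicit for the next reader.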