Diffstat (limited to 'src/libcharon/sa')
-rw-r--r--src/libcharon/sa/authenticator.c2
-rw-r--r--src/libcharon/sa/authenticator.h2
-rw-r--r--src/libcharon/sa/child_sa.c116
-rw-r--r--src/libcharon/sa/child_sa.h5
-rw-r--r--src/libcharon/sa/eap/eap_manager.c2
-rw-r--r--src/libcharon/sa/eap/eap_manager.h2
-rw-r--r--src/libcharon/sa/eap/eap_method.c2
-rw-r--r--src/libcharon/sa/eap/eap_method.h2
-rw-r--r--src/libcharon/sa/ike_sa.c116
-rw-r--r--src/libcharon/sa/ike_sa.h15
-rw-r--r--src/libcharon/sa/ike_sa_id.c2
-rw-r--r--src/libcharon/sa/ike_sa_id.h2
-rw-r--r--src/libcharon/sa/ike_sa_manager.c17
-rw-r--r--src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c27
-rw-r--r--src/libcharon/sa/ikev1/iv_manager.c2
-rw-r--r--src/libcharon/sa/ikev1/iv_manager.h2
-rw-r--r--src/libcharon/sa/ikev1/keymat_v1.c2
-rw-r--r--src/libcharon/sa/ikev1/keymat_v1.h2
-rw-r--r--src/libcharon/sa/ikev1/tasks/aggressive_mode.c2
-rw-r--r--src/libcharon/sa/ikev1/tasks/isakmp_delete.c2
-rw-r--r--src/libcharon/sa/ikev1/tasks/isakmp_natd.c2
-rw-r--r--src/libcharon/sa/ikev1/tasks/isakmp_natd.h2
-rw-r--r--src/libcharon/sa/ikev1/tasks/isakmp_vendor.c2
-rw-r--r--src/libcharon/sa/ikev1/tasks/main_mode.c2
-rw-r--r--src/libcharon/sa/ikev1/tasks/quick_delete.c3
-rw-r--r--src/libcharon/sa/ikev1/tasks/quick_mode.c24
-rw-r--r--src/libcharon/sa/ikev1/tasks/quick_mode.h2
-rw-r--r--src/libcharon/sa/ikev2/authenticators/eap_authenticator.c2
-rw-r--r--src/libcharon/sa/ikev2/authenticators/eap_authenticator.h2
-rw-r--r--src/libcharon/sa/ikev2/authenticators/psk_authenticator.c2
-rw-r--r--src/libcharon/sa/ikev2/authenticators/psk_authenticator.h2
-rw-r--r--src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c35
-rw-r--r--src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.h2
-rw-r--r--src/libcharon/sa/ikev2/connect_manager.c2
-rw-r--r--src/libcharon/sa/ikev2/connect_manager.h2
-rw-r--r--src/libcharon/sa/ikev2/keymat_v2.c6
-rw-r--r--src/libcharon/sa/ikev2/keymat_v2.h2
-rw-r--r--src/libcharon/sa/ikev2/mediation_manager.c2
-rw-r--r--src/libcharon/sa/ikev2/mediation_manager.h2
-rw-r--r--src/libcharon/sa/ikev2/task_manager_v2.c20
-rw-r--r--src/libcharon/sa/ikev2/tasks/child_create.c109
-rw-r--r--src/libcharon/sa/ikev2/tasks/child_delete.c9
-rw-r--r--src/libcharon/sa/ikev2/tasks/child_delete.h2
-rw-r--r--src/libcharon/sa/ikev2/tasks/child_rekey.c6
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_auth.c2
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_auth.h2
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.c2
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.h2
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_cert_post.c2
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_cert_post.h2
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_cert_pre.c2
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_cert_pre.h2
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_config.c2
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_config.h2
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_delete.h2
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_dpd.c2
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_dpd.h2
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_init.h2
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_me.c2
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_me.h2
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_mobike.h4
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_natd.c2
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_natd.h2
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_reauth.c2
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_reauth.h2
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_redirect.c2
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_redirect.h2
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_rekey.c2
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_vendor.c2
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_vendor.h2
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_verify_peer_cert.c2
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_verify_peer_cert.h2
-rw-r--r--src/libcharon/sa/keymat.c3
-rw-r--r--src/libcharon/sa/keymat.h2
-rw-r--r--src/libcharon/sa/redirect_manager.c2
-rw-r--r--src/libcharon/sa/redirect_manager.h2
-rw-r--r--src/libcharon/sa/redirect_provider.h2
-rw-r--r--src/libcharon/sa/shunt_manager.c13
-rw-r--r--src/libcharon/sa/shunt_manager.h10
-rw-r--r--src/libcharon/sa/task.c2
-rw-r--r--src/libcharon/sa/task.h2
-rw-r--r--src/libcharon/sa/task_manager.c2
-rw-r--r--src/libcharon/sa/trap_manager.c64
-rw-r--r--src/libcharon/sa/trap_manager.h25
-rw-r--r--src/libcharon/sa/xauth/xauth_method.c2
-rw-r--r--src/libcharon/sa/xauth/xauth_method.h2
86 files changed, 447 insertions, 312 deletions
diff --git a/src/libcharon/sa/authenticator.c b/src/libcharon/sa/authenticator.c
index 6c3681a2d..b77c19d00 100644
--- a/src/libcharon/sa/authenticator.c
+++ b/src/libcharon/sa/authenticator.c
@@ -1,7 +1,7 @@
/*
* Copyright (C) 2006-2009 Martin Willi
* Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/authenticator.h b/src/libcharon/sa/authenticator.h
index 97c042e71..42d9ce32e 100644
--- a/src/libcharon/sa/authenticator.h
+++ b/src/libcharon/sa/authenticator.h
@@ -2,7 +2,7 @@
* Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2008 Tobias Brunner
* Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index a01ee9e4d..7eeb578f3 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -37,6 +37,7 @@ ENUM(child_sa_state_names, CHILD_CREATED, CHILD_DESTROYING,
"REKEYED",
"RETRYING",
"DELETING",
+ "DELETED",
"DESTROYING",
);
@@ -888,7 +889,7 @@ static status_t install_internal(private_child_sa_t *this, chunk_t encr,
.ipcomp = this->ipcomp,
.cpi = cpi,
.encap = this->encap,
- .hw_offload = this->config->has_option(this->config, OPT_HW_OFFLOAD),
+ .hw_offload = this->config->get_hw_offload(this->config),
.esn = esn,
.initiator = initiator,
.inbound = inbound,
@@ -1060,16 +1061,17 @@ static status_t install_policies_internal(private_child_sa_t *this,
host_t *my_addr, host_t *other_addr, traffic_selector_t *my_ts,
traffic_selector_t *other_ts, ipsec_sa_cfg_t *my_sa,
ipsec_sa_cfg_t *other_sa, policy_type_t type,
- policy_priority_t priority, uint32_t manual_prio)
+ policy_priority_t priority, uint32_t manual_prio, bool outbound)
{
status_t status = SUCCESS;
status |= install_policies_inbound(this, my_addr, other_addr, my_ts,
- other_ts, my_sa, other_sa, type,
- priority, manual_prio);
- status |= install_policies_outbound(this, my_addr, other_addr, my_ts,
- other_ts, my_sa, other_sa, type,
- priority, manual_prio);
+ other_ts, my_sa, other_sa, type, priority, manual_prio);
+ if (outbound)
+ {
+ status |= install_policies_outbound(this, my_addr, other_addr, my_ts,
+ other_ts, my_sa, other_sa, type, priority, manual_prio);
+ }
return status;
}
@@ -1153,12 +1155,15 @@ static void del_policies_internal(private_child_sa_t *this,
host_t *my_addr, host_t *other_addr, traffic_selector_t *my_ts,
traffic_selector_t *other_ts, ipsec_sa_cfg_t *my_sa,
ipsec_sa_cfg_t *other_sa, policy_type_t type,
- policy_priority_t priority, uint32_t manual_prio)
+ policy_priority_t priority, uint32_t manual_prio, bool outbound)
{
- del_policies_outbound(this, my_addr, other_addr, my_ts, other_ts, my_sa,
- other_sa, type, priority, manual_prio);
+ if (outbound)
+ {
+ del_policies_outbound(this, my_addr, other_addr, my_ts, other_ts, my_sa,
+ other_sa, type, priority, manual_prio);
+ }
del_policies_inbound(this, my_addr, other_addr, my_ts, other_ts, my_sa,
- other_sa, type, priority, manual_prio);
+ other_sa, type, priority, manual_prio);
}
METHOD(child_sa_t, set_policies, void,
@@ -1249,18 +1254,10 @@ METHOD(child_sa_t, install_policies, status_t,
enumerator = create_policy_enumerator(this);
while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
{
- status |= install_policies_inbound(this, this->my_addr,
- this->other_addr, my_ts, other_ts,
- &my_sa, &other_sa, POLICY_IPSEC,
- priority, manual_prio);
-
- if (install_outbound)
- {
- status |= install_policies_outbound(this, this->my_addr,
+ status |= install_policies_internal(this, this->my_addr,
this->other_addr, my_ts, other_ts,
- &my_sa, &other_sa, POLICY_IPSEC,
- priority, manual_prio);
- }
+ &my_sa, &other_sa, POLICY_IPSEC, priority,
+ manual_prio, install_outbound);
if (status != SUCCESS)
{
break;
@@ -1463,7 +1460,7 @@ static status_t update_sas(private_child_sa_t *this, host_t *me, host_t *other,
}
/* update his (responder) SA */
- if (this->other_spi)
+ if (this->other_spi && (this->outbound_state & CHILD_OUTBOUND_SA))
{
kernel_ipsec_sa_id_t id = {
.src = this->my_addr,
@@ -1517,22 +1514,26 @@ METHOD(child_sa_t, update, status_t,
traffic_selector_t *my_ts, *other_ts;
uint32_t manual_prio;
status_t state;
+ bool outbound;
prepare_sa_cfg(this, &my_sa, &other_sa);
manual_prio = this->config->get_manual_prio(this->config);
+ outbound = (this->outbound_state & CHILD_OUTBOUND_POLICIES);
enumerator = create_policy_enumerator(this);
while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
{
/* install drop policy to avoid traffic leaks, acquires etc. */
- install_policies_outbound(this, this->my_addr, this->other_addr,
- my_ts, other_ts, &my_sa, &other_sa, POLICY_DROP,
- POLICY_PRIORITY_DEFAULT, manual_prio);
-
+ if (outbound)
+ {
+ install_policies_outbound(this, this->my_addr, this->other_addr,
+ my_ts, other_ts, &my_sa, &other_sa, POLICY_DROP,
+ POLICY_PRIORITY_DEFAULT, manual_prio);
+ }
/* remove old policies */
del_policies_internal(this, this->my_addr, this->other_addr,
my_ts, other_ts, &my_sa, &other_sa, POLICY_IPSEC,
- POLICY_PRIORITY_DEFAULT, manual_prio);
+ POLICY_PRIORITY_DEFAULT, manual_prio, outbound);
}
enumerator->destroy(enumerator);
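Review bot: The comment `/* install drop policy to avoid traffic leaks, acquires etc. */` now sits above an `if (outbound)` guard but still reads as if the drop policy were installed unconditionally; when this CHILD_SA does not own the outbound policies no drop policy is installed during the address update, and the reason (presumably that the outbound policies belong to another CHILD_SA, e.g. the one being rekeyed, and must not be overridden) is not stated anywhere in the hunk. Extending the comment, e.g. `/* install drop policy to avoid traffic leaks, acquires etc., but only if we own the outbound policies */`, keeps the leak-avoidance reasoning accurate for the next reader. The update method continues outside this hunk.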
@@ -1548,8 +1549,8 @@ METHOD(child_sa_t, update, status_t,
if (state == NOT_SUPPORTED)
{
install_policies_internal(this, this->my_addr, this->other_addr,
- my_ts, other_ts, &my_sa, &other_sa,
- POLICY_IPSEC, POLICY_PRIORITY_DEFAULT, manual_prio);
+ my_ts, other_ts, &my_sa, &other_sa, POLICY_IPSEC,
+ POLICY_PRIORITY_DEFAULT, manual_prio, outbound);
}
else
{
@@ -1573,15 +1574,17 @@ METHOD(child_sa_t, update, status_t,
/* reinstall updated policies */
install_policies_internal(this, me, other, my_ts, other_ts,
- &my_sa, &other_sa, POLICY_IPSEC,
- POLICY_PRIORITY_DEFAULT, manual_prio);
+ &my_sa, &other_sa, POLICY_IPSEC,
+ POLICY_PRIORITY_DEFAULT, manual_prio, outbound);
}
/* remove the drop policy */
- del_policies_outbound(this, this->my_addr, this->other_addr,
- old_my_ts ?: my_ts,
- old_other_ts ?: other_ts,
- &my_sa, &other_sa, POLICY_DROP,
- POLICY_PRIORITY_DEFAULT, 0);
+ if (outbound)
+ {
+ del_policies_outbound(this, this->my_addr, this->other_addr,
+ old_my_ts ?: my_ts, old_other_ts ?: other_ts,
+ &my_sa, &other_sa, POLICY_DROP,
+ POLICY_PRIORITY_DEFAULT, 0);
+ }
DESTROY_IF(old_my_ts);
DESTROY_IF(old_other_ts);
@@ -1651,16 +1654,9 @@ METHOD(child_sa_t, destroy, void,
enumerator = create_policy_enumerator(this);
while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
{
- if (del_outbound)
- {
- del_policies_outbound(this, this->my_addr,
- this->other_addr, my_ts, other_ts,
- &my_sa, &other_sa, POLICY_IPSEC,
- priority, manual_prio);
- }
- del_policies_inbound(this, this->my_addr, this->other_addr,
- my_ts, other_ts, &my_sa, &other_sa,
- POLICY_IPSEC, priority, manual_prio);
+ del_policies_internal(this, this->my_addr,
+ this->other_addr, my_ts, other_ts, &my_sa, &other_sa,
+ POLICY_IPSEC, priority, manual_prio, del_outbound);
}
enumerator->destroy(enumerator);
}
@@ -1754,7 +1750,7 @@ static host_t* get_proxy_addr(child_cfg_t *config, host_t *ike, bool local)
* Described in header.
*/
child_sa_t * child_sa_create(host_t *me, host_t* other,
- child_cfg_t *config, uint32_t rekey, bool encap,
+ child_cfg_t *config, uint32_t reqid, bool encap,
u_int mark_in, u_int mark_out)
{
private_child_sa_t *this;
@@ -1865,21 +1861,15 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
if (!this->reqid)
{
- /* reuse old reqid if we are rekeying an existing CHILD_SA. While the
- * reqid cache would find the same reqid for our selectors, this does
- * not work in a special case: If an SA is triggered by a trap policy,
- * but the negotiated SA gets narrowed, we still must reuse the same
- * reqid to successfully "trigger" the SA on the kernel level. Rekeying
- * such an SA requires an explicit reqid, as the cache currently knows
- * the original selectors only for that reqid. */
- if (rekey)
- {
- this->reqid = rekey;
- }
- else
- {
- this->reqid = charon->traps->find_reqid(charon->traps, config);
- }
+ /* reuse old reqid if we are rekeying an existing CHILD_SA and when
+ * initiating a trap policy. While the reqid cache would find the same
+ * reqid for our selectors, this does not work in a special case: If an
+ * SA is triggered by a trap policy, but the negotiated TS get
+ * narrowed, we still must reuse the same reqid to successfully
+ * replace the temporary SA on the kernel level. Rekeying such an SA
+ * requires an explicit reqid, as the cache currently knows the original
+ * selectors only for that reqid. */
+ this->reqid = reqid;
}
else
{
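Review bot: With the find_reqid fallback removed, a caller passing reqid 0 now leaves this->reqid at 0 in this branch where the old code would still have looked up the cached trap reqid; the callers and the trap_manager.c changes are not in this chunk, so presumably a zero reqid is now allocated at install time and trap-triggered SAs receive their reqid explicitly, but that is worth confirming. The rewritten comment explains the narrowing case well but not that 0 means "not yet allocated"; a line such as `/* a reqid of 0 is allocated later by the kernel interface */` above the assignment would make that contract visible, if that is indeed the behaviour. child_sa_create continues outside the hunk.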
diff --git a/src/libcharon/sa/child_sa.h b/src/libcharon/sa/child_sa.h
index 49175ca01..183033f46 100644
--- a/src/libcharon/sa/child_sa.h
+++ b/src/libcharon/sa/child_sa.h
@@ -84,6 +84,11 @@ enum child_sa_state_t {
CHILD_DELETING,
/**
+ * CHILD_SA has been deleted, but not yet destroyed
+ */
+ CHILD_DELETED,
+
+ /**
* CHILD_SA object gets destroyed
*/
CHILD_DESTROYING,
diff --git a/src/libcharon/sa/eap/eap_manager.c b/src/libcharon/sa/eap/eap_manager.c
index b2a57ccfb..2a9e0d06d 100644
--- a/src/libcharon/sa/eap/eap_manager.c
+++ b/src/libcharon/sa/eap/eap_manager.c
@@ -1,7 +1,7 @@
/*
* Copyright (C) 2012 Tobias Brunner
* Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/eap/eap_manager.h b/src/libcharon/sa/eap/eap_manager.h
index 391c906e9..73aa76329 100644
--- a/src/libcharon/sa/eap/eap_manager.h
+++ b/src/libcharon/sa/eap/eap_manager.h
@@ -1,7 +1,7 @@
/*
* Copyright (C) 2012 Tobias Brunner
* Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/eap/eap_method.c b/src/libcharon/sa/eap/eap_method.c
index 9ce6ecf00..0a3c454e1 100644
--- a/src/libcharon/sa/eap/eap_method.c
+++ b/src/libcharon/sa/eap/eap_method.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/eap/eap_method.h b/src/libcharon/sa/eap/eap_method.h
index 840779727..34041e347 100644
--- a/src/libcharon/sa/eap/eap_method.h
+++ b/src/libcharon/sa/eap/eap_method.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index e1f4ec95a..f39fed6f0 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006-2017 Tobias Brunner
+ * Copyright (C) 2006-2018 Tobias Brunner
* Copyright (C) 2006 Daniel Roethlisberger
* Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2005 Jan Hutter
@@ -1053,17 +1053,19 @@ METHOD(ike_sa_t, has_mapping_changed, bool,
METHOD(ike_sa_t, float_ports, void,
private_ike_sa_t *this)
{
- /* do not switch if we have a custom port from MOBIKE/NAT */
+ /* even if the remote port is not 500 (e.g. because the response was natted)
+ * we switch the remote port if we used port 500 */
+ if (this->other_host->get_port(this->other_host) == IKEV2_UDP_PORT ||
+ this->my_host->get_port(this->my_host) == IKEV2_UDP_PORT)
+ {
+ this->other_host->set_port(this->other_host, IKEV2_NATT_PORT);
+ }
if (this->my_host->get_port(this->my_host) ==
charon->socket->get_port(charon->socket, FALSE))
{
this->my_host->set_port(this->my_host,
charon->socket->get_port(charon->socket, TRUE));
}
- if (this->other_host->get_port(this->other_host) == IKEV2_UDP_PORT)
- {
- this->other_host->set_port(this->other_host, IKEV2_NATT_PORT);
- }
}
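Review bot: The new remote-port condition compares the local port against the constant IKEV2_UDP_PORT, while the local-port switch directly below compares against `charon->socket->get_port(charon->socket, FALSE)`; if the daemon listens on a non-default port the two checks diverge and the remote port is not floated even though the local one is. If that is intended, a short comment stating that only the standard port 500 triggers the remote switch would help; otherwise `this->my_host->get_port(this->my_host) == charon->socket->get_port(charon->socket, FALSE)` keeps both checks consistent. Either way the remote check has to stay before the local switch, since it reads my_host's port before it is changed — a comment noting that ordering dependency would prevent a later reordering.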
METHOD(ike_sa_t, update_hosts, void,
@@ -1791,8 +1793,10 @@ METHOD(ike_sa_t, destroy_child_sa, status_t,
}
METHOD(ike_sa_t, delete_, status_t,
- private_ike_sa_t *this)
+ private_ike_sa_t *this, bool force)
{
+ status_t status = DESTROY_ME;
+
switch (this->state)
{
case IKE_ESTABLISHED:
@@ -1804,19 +1808,38 @@ METHOD(ike_sa_t, delete_, status_t,
charon->bus->alert(charon->bus, ALERT_IKE_SA_EXPIRED);
}
this->task_manager->queue_ike_delete(this->task_manager);
- return this->task_manager->initiate(this->task_manager);
+ status = this->task_manager->initiate(this->task_manager);
+ break;
case IKE_CREATED:
DBG1(DBG_IKE, "deleting unestablished IKE_SA");
break;
case IKE_PASSIVE:
break;
default:
- DBG1(DBG_IKE, "destroying IKE_SA in state %N "
- "without notification", ike_sa_state_names, this->state);
- charon->bus->ike_updown(charon->bus, &this->public, FALSE);
+ DBG1(DBG_IKE, "destroying IKE_SA in state %N without notification",
+ ike_sa_state_names, this->state);
+ force = TRUE;
break;
}
- return DESTROY_ME;
+
+ if (force)
+ {
+ status = DESTROY_ME;
+
+ if (this->version == IKEV2)
+ { /* for IKEv1 we trigger this in the ISAKMP delete task */
+ switch (this->state)
+ {
+ case IKE_ESTABLISHED:
+ case IKE_REKEYING:
+ case IKE_DELETING:
+ charon->bus->ike_updown(charon->bus, &this->public, FALSE);
+ default:
+ break;
+ }
+ }
+ }
+ return status;
}
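Review bot: In the inner switch of the new `if (force)` block, `case IKE_DELETING:` calls ike_updown and then falls through into `default:` without a break or fallthrough marker; it is harmless today because default only breaks, but it trips -Wimplicit-fallthrough and will silently misbehave if a statement is ever added to default. Add `break;` after the `charon->bus->ike_updown(charon->bus, &this->public, FALSE);` call (or `/* fallthrough */` if it is deliberate). The version of this switch removed from ike_sa_manager.c's flush() in the same commit did have the break.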
METHOD(ike_sa_t, rekey, status_t,
@@ -1926,23 +1949,18 @@ static status_t reestablish_children(private_ike_sa_t *this, ike_sa_t *new,
enumerator = create_child_sa_enumerator(this);
while (enumerator->enumerate(enumerator, (void**)&child_sa))
{
+ switch (child_sa->get_state(child_sa))
+ {
+ case CHILD_REKEYED:
+ case CHILD_DELETED:
+ /* ignore CHILD_SAs in these states */
+ continue;
+ default:
+ break;
+ }
if (force)
{
- switch (child_sa->get_state(child_sa))
- {
- case CHILD_ROUTED:
- { /* move routed child directly */
- remove_child_sa(this, enumerator);
- new->add_child_sa(new, child_sa);
- action = ACTION_NONE;
- break;
- }
- default:
- { /* initiate/queue all other CHILD_SAs */
- action = ACTION_RESTART;
- break;
- }
- }
+ action = ACTION_RESTART;
}
else
{ /* only restart CHILD_SAs that are configured accordingly */
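Review bot: The `continue` inside the new switch in reestablish_children applies to the enclosing while loop rather than the switch, which is easy to misread; the same construct is added in reestablish (the hunk at `@@ -2020,6 +2038,15 @@`), while retransmit's new code writes the same state test as a plain condition. For consistency and readability consider `state = child_sa->get_state(child_sa);` followed by `if (state == CHILD_REKEYED || state == CHILD_DELETED) { continue; }` in both places, or at least a `/* skip this CHILD_SA, continues the enumeration */` comment. Dropping the CHILD_ROUTED branch also means routed children are now restarted with ACTION_RESTART instead of being moved to the new IKE_SA; presumably the trap manager changes in this commit cover that, but the justification is not visible in this hunk and deserves a sentence in the comment.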
@@ -2020,6 +2038,15 @@ METHOD(ike_sa_t, reestablish, status_t,
enumerator = array_create_enumerator(this->child_sas);
while (enumerator->enumerate(enumerator, (void**)&child_sa))
{
+ switch (child_sa->get_state(child_sa))
+ {
+ case CHILD_REKEYED:
+ case CHILD_DELETED:
+ /* ignore CHILD_SAs in these states */
+ continue;
+ default:
+ break;
+ }
if (this->state == IKE_DELETING)
{
action = child_sa->get_close_action(child_sa);
@@ -2035,8 +2062,7 @@ METHOD(ike_sa_t, reestablish, status_t,
break;
case ACTION_ROUTE:
charon->traps->install(charon->traps, this->peer_cfg,
- child_sa->get_config(child_sa),
- child_sa->get_reqid(child_sa));
+ child_sa->get_config(child_sa));
break;
default:
break;
@@ -2348,6 +2374,31 @@ METHOD(ike_sa_t, retransmit, status_t,
return this->task_manager->initiate(this->task_manager);
}
DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding");
+
+ if (this->version == IKEV1 && array_count(this->child_sas))
+ {
+ enumerator_t *enumerator;
+ child_sa_t *child_sa;
+
+ /* if reauthenticating an IKEv1 SA failed (assumed for an SA
+ * in this state with CHILD_SAs), try again from scratch */
+ DBG1(DBG_IKE, "reauthentication failed, trying to "
+ "reestablish IKE_SA");
+ reestablish(this);
+ /* trigger down events for the CHILD_SAs, as no down event
+ * is triggered below for IKE SAs in this state */
+ enumerator = array_create_enumerator(this->child_sas);
+ while (enumerator->enumerate(enumerator, &child_sa))
+ {
+ if (child_sa->get_state(child_sa) != CHILD_REKEYED &&
+ child_sa->get_state(child_sa) != CHILD_DELETED)
+ {
+ charon->bus->child_updown(charon->bus, child_sa,
+ FALSE);
+ }
+ }
+ enumerator->destroy(enumerator);
+ }
break;
}
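Review bot: The return value of `reestablish(this)` in the new IKEv1 block is discarded; reestablish is declared status_t, so when it fails the code still fires the child down events and breaks out as before. That may be intentional given the failed IKE_SA is torn down afterwards anyway, but a comment such as `/* best effort, the IKE_SA is torn down regardless of the outcome */` would make it explicit, or a DBG1 when the result is not SUCCESS would help diagnose a failed reestablish. A minor style point: this loop calls `enumerator->enumerate(enumerator, &child_sa)` while the other enumerations in this file cast `(void**)&child_sa`. retransmit continues outside the hunk.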
case IKE_DELETING:
@@ -2552,10 +2603,15 @@ METHOD(ike_sa_t, roam, status_t,
* without config assigned */
return SUCCESS;
}
+ if (this->version == IKEV1)
+ { /* ignore roam events for IKEv1 where we don't have MOBIKE and would
+ * have to reestablish from scratch (reauth is not enough) */
+ return SUCCESS;
+ }
/* ignore roam events if MOBIKE is not supported/enabled and the local
* address is statically configured */
- if (this->version == IKEV2 && !supports_extension(this, EXT_MOBIKE) &&
+ if (!supports_extension(this, EXT_MOBIKE) &&
ike_cfg_has_address(this->ike_cfg, this->my_host, TRUE))
{
DBG2(DBG_IKE, "keeping statically configured path %H - %H",
diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h
index b4fbc56d7..316b713ee 100644
--- a/src/libcharon/sa/ike_sa.h
+++ b/src/libcharon/sa/ike_sa.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006-2017 Tobias Brunner
+ * Copyright (C) 2006-2018 Tobias Brunner
* Copyright (C) 2006 Daniel Roethlisberger
* Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2005 Jan Hutter
@@ -776,15 +776,18 @@ struct ike_sa_t {
*
* Sends a delete message to the remote peer and waits for
* its response. If the response comes in, or a timeout occurs,
- * the IKE SA gets deleted.
+ * the IKE SA gets destroyed, unless force is TRUE then the IKE_SA is
+ * destroyed immediately without waiting for a response.
*
+ * @param force whether to immediately destroy the IKE_SA afterwards
+ * without waiting for a response
* @return
* - SUCCESS if deletion is initialized
- * - DESTROY_ME, if the IKE_SA is not in
- * an established state and can not be
- * deleted (but destroyed).
+ * - DESTROY_ME, if destroying is forced, or the IKE_SA
+ * is not in an established state and can not be
+ * deleted (but destroyed)
*/
- status_t (*delete) (ike_sa_t *this);
+ status_t (*delete) (ike_sa_t *this, bool force);
/**
* Update IKE_SAs after network interfaces have changed.
diff --git a/src/libcharon/sa/ike_sa_id.c b/src/libcharon/sa/ike_sa_id.c
index b4e66ed73..515b3cfd3 100644
--- a/src/libcharon/sa/ike_sa_id.c
+++ b/src/libcharon/sa/ike_sa_id.c
@@ -2,7 +2,7 @@
* Copyright (C) 2012 Tobias Brunner
* Copyright (C) 2005-2006 Martin Willi
* Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ike_sa_id.h b/src/libcharon/sa/ike_sa_id.h
index b3a9ef61f..266b62380 100644
--- a/src/libcharon/sa/ike_sa_id.h
+++ b/src/libcharon/sa/ike_sa_id.h
@@ -2,7 +2,7 @@
* Copyright (C) 2012 Tobias Brunner
* Copyright (C) 2005-2006 Martin Willi
* Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index 101d98678..2a499db40 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -2021,7 +2021,7 @@ static status_t enforce_replace(private_ike_sa_manager_t *this,
}
DBG1(DBG_IKE, "deleting duplicate IKE_SA for peer '%Y' due to "
"uniqueness policy", other);
- return duplicate->delete(duplicate);
+ return duplicate->delete(duplicate, FALSE);
}
METHOD(ike_sa_manager_t, check_uniqueness, bool,
@@ -2266,20 +2266,7 @@ METHOD(ike_sa_manager_t, flush, void,
while (enumerator->enumerate(enumerator, &entry, &segment))
{
charon->bus->set_sa(charon->bus, entry->ike_sa);
- if (entry->ike_sa->get_version(entry->ike_sa) == IKEV2)
- { /* as the delete never gets processed, fire down events */
- switch (entry->ike_sa->get_state(entry->ike_sa))
- {
- case IKE_ESTABLISHED:
- case IKE_REKEYING:
- case IKE_DELETING:
- charon->bus->ike_updown(charon->bus, entry->ike_sa, FALSE);
- break;
- default:
- break;
- }
- }
- entry->ike_sa->delete(entry->ike_sa);
+ entry->ike_sa->delete(entry->ike_sa, TRUE);
}
enumerator->destroy(enumerator);
diff --git a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
index 41be15a08..9e5833efc 100644
--- a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
+++ b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
@@ -18,6 +18,7 @@
#include <daemon.h>
#include <sa/ikev1/keymat_v1.h>
#include <encoding/payloads/hash_payload.h>
+#include <credentials/certificates/x509.h>
typedef struct private_pubkey_v1_authenticator_t private_pubkey_v1_authenticator_t;
@@ -130,6 +131,29 @@ METHOD(authenticator_t, build, status_t,
return status;
}
+/**
+ * Check if the end-entity certificate, if any, is compliant with RFC 4945
+ */
+static bool is_compliant_cert(auth_cfg_t *auth)
+{
+ certificate_t *cert;
+ x509_t *x509;
+
+ cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+ if (!cert || cert->get_type(cert) != CERT_X509)
+ {
+ return TRUE;
+ }
+ x509 = (x509_t*)cert;
+ if (x509->get_flags(x509) & X509_IKE_COMPLIANT)
+ {
+ return TRUE;
+ }
+ DBG1(DBG_IKE, "rejecting certificate without digitalSignature or "
+ "nonRepudiation keyUsage flags");
+ return FALSE;
+}
+
METHOD(authenticator_t, process, status_t,
private_pubkey_v1_authenticator_t *this, message_t *message)
{
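Review bot: is_compliant_cert treats a missing AUTH_RULE_SUBJECT_CERT or a non-X.509 certificate as compliant, which is the sensible default for raw public keys but is not stated; the header comment should say so, e.g. `Returns TRUE if there is no X.509 end-entity certificate to check (e.g. raw public keys).` The check depends on X509_IKE_COMPLIANT having been derived from the keyUsage rules the log message names (the keyUsage profile of RFC 4945), presumably by the certificate parser, and a pointer to where that flag is computed would spare the next reader a search. In process() the check runs only after `public->verify()` succeeded, so the rejection is logged once per key that actually verified rather than for every candidate; that looks deliberate and is worth a one-line comment at the call site.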
@@ -176,7 +200,8 @@ METHOD(authenticator_t, process, status_t,
id, auth, TRUE);
while (enumerator->enumerate(enumerator, &public, &current_auth))
{
- if (public->verify(public, scheme, NULL, hash, sig))
+ if (public->verify(public, scheme, NULL, hash, sig) &&
+ is_compliant_cert(current_auth))
{
DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
id, signature_scheme_names, scheme);
diff --git a/src/libcharon/sa/ikev1/iv_manager.c b/src/libcharon/sa/ikev1/iv_manager.c
index 2a6e5c04f..c48a0deb1 100644
--- a/src/libcharon/sa/ikev1/iv_manager.c
+++ b/src/libcharon/sa/ikev1/iv_manager.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2011-2016 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev1/iv_manager.h b/src/libcharon/sa/ikev1/iv_manager.h
index c5273fed9..cae4f3508 100644
--- a/src/libcharon/sa/ikev1/iv_manager.h
+++ b/src/libcharon/sa/ikev1/iv_manager.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2011-2016 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev1/keymat_v1.c b/src/libcharon/sa/ikev1/keymat_v1.c
index 673a7a131..1de05b4ec 100644
--- a/src/libcharon/sa/ikev1/keymat_v1.c
+++ b/src/libcharon/sa/ikev1/keymat_v1.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2011 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev1/keymat_v1.h b/src/libcharon/sa/ikev1/keymat_v1.h
index ada5bdb04..269816a59 100644
--- a/src/libcharon/sa/ikev1/keymat_v1.h
+++ b/src/libcharon/sa/ikev1/keymat_v1.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2011 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
index 9b5f676a3..82d647a6c 100644
--- a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2012 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* Copyright (C) 2012 Martin Willi
* Copyright (C) 2012 revosec AG
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_delete.c b/src/libcharon/sa/ikev1/tasks/isakmp_delete.c
index df0293d4f..e4379cabf 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_delete.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_delete.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2015 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* Copyright (C) 2011 Martin Willi
* Copyright (C) 2011 revosec AG
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_natd.c b/src/libcharon/sa/ikev1/tasks/isakmp_natd.c
index d17948cd0..81e63740e 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_natd.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_natd.c
@@ -2,7 +2,7 @@
* Copyright (C) 2006-2011 Tobias Brunner,
* Copyright (C) 2006-2007 Martin Willi
* Copyright (C) 2006 Daniel Roethlisberger
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_natd.h b/src/libcharon/sa/ikev1/tasks/isakmp_natd.h
index 63947fc73..aec8f85bf 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_natd.h
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_natd.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2011 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
index dc86fc504..6a296f221 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c
@@ -1,7 +1,7 @@
/*
* Copyright (C) 2012-2013 Tobias Brunner
* Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c
index 4c16adba3..1f764e547 100644
--- a/src/libcharon/sa/ikev1/tasks/main_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/main_mode.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2011-2012 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* Copyright (C) 2011 Martin Willi
* Copyright (C) 2011 revosec AG
diff --git a/src/libcharon/sa/ikev1/tasks/quick_delete.c b/src/libcharon/sa/ikev1/tasks/quick_delete.c
index 66ef50811..0191a45a8 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_delete.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_delete.c
@@ -135,6 +135,7 @@ static bool delete_child(private_quick_delete_t *this, protocol_id_t protocol,
my_ts->destroy(my_ts);
other_ts->destroy(other_ts);
+ child_sa->set_state(child_sa, CHILD_DELETED);
if (!rekeyed)
{
charon->bus->child_updown(charon->bus, child_sa, FALSE);
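Review bot: `set_state(CHILD_DELETED)` on L867 is placed ahead of the `child_updown(..., FALSE)` event on L870, so any listener that inspects the CHILD_SA during the down event now observes CHILD_DELETED rather than the previous state. If that ordering is intentional (it matches L1387 in child_delete.c), a comment such as `/* mark deleted before signaling listeners */` would record it and keep the two call sites in step. delete_child begins before this hunk and continues into the next one.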
@@ -154,7 +155,7 @@ static bool delete_child(private_quick_delete_t *this, protocol_id_t protocol,
case ACTION_ROUTE:
charon->traps->install(charon->traps,
this->ike_sa->get_peer_cfg(this->ike_sa),
- child_cfg, child_sa->get_reqid(child_sa));
+ child_cfg);
break;
default:
break;
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index 77592e59a..5e5b61e7f 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2012-2015 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* Copyright (C) 2011 Martin Willi
* Copyright (C) 2011 revosec AG
@@ -1005,14 +1005,25 @@ static bool has_notify_errors(private_quick_mode_t *this, message_t *message)
/**
* Check if this is a rekey for an existing CHILD_SA, reuse reqid if so
*/
-static void check_for_rekeyed_child(private_quick_mode_t *this)
+static void check_for_rekeyed_child(private_quick_mode_t *this, bool responder)
{
enumerator_t *enumerator, *policies;
- traffic_selector_t *local, *remote;
+ traffic_selector_t *local, *remote, *my_ts, *other_ts;
child_sa_t *child_sa;
proposal_t *proposal;
char *name;
+ if (responder)
+ {
+ my_ts = this->tsr;
+ other_ts = this->tsi;
+ }
+ else
+ {
+ my_ts = this->tsi;
+ other_ts = this->tsr;
+ }
+
name = this->config->get_name(this->config);
enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
while (this->reqid == 0 && enumerator->enumerate(enumerator, &child_sa))
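Review bot: The header comment on L893-895 was not updated for the new `responder` parameter, so nothing states that it selects which traffic selector is matched as local; add `@param responder TRUE if called as responder (this->tsr is ours, this->tsi the peer's)`. The two branches on L905-914 could be written as two conditional expressions, `my_ts = responder ? this->tsr : this->tsi;` and `other_ts = responder ? this->tsi : this->tsr;`, which reads as a single selection rather than duplicated assignments. The function body continues past L918.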
@@ -1026,8 +1037,8 @@ static void check_for_rekeyed_child(private_quick_mode_t *this)
case CHILD_REKEYING:
policies = child_sa->create_policy_enumerator(child_sa);
if (policies->enumerate(policies, &local, &remote) &&
- local->equals(local, this->tsr) &&
- remote->equals(remote, this->tsi) &&
+ local->equals(local, my_ts) &&
+ remote->equals(remote, other_ts) &&
this->proposal->equals(this->proposal, proposal))
{
this->reqid = child_sa->get_reqid(child_sa);
@@ -1165,7 +1176,7 @@ METHOD(task_t, process_r, status_t,
}
}
- check_for_rekeyed_child(this);
+ check_for_rekeyed_child(this, TRUE);
this->child_sa = child_sa_create(
this->ike_sa->get_my_host(this->ike_sa),
@@ -1366,6 +1377,7 @@ METHOD(task_t, process_i, status_t,
{
return send_notify(this, INVALID_PAYLOAD_TYPE);
}
+ check_for_rekeyed_child(this, FALSE);
if (!install(this))
{
return send_notify(this, NO_PROPOSAL_CHOSEN);
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.h b/src/libcharon/sa/ikev1/tasks/quick_mode.h
index fe684568a..0d4c5b47c 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.h
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2015 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* Copyright (C) 2011 Martin Willi
* Copyright (C) 2011 revosec AG
diff --git a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
index 3ab59fada..bcf262725 100644
--- a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
@@ -1,7 +1,7 @@
/*
* Copyright (C) 2012 Tobias Brunner
* Copyright (C) 2006-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.h b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.h
index d81ebd562..859a21431 100644
--- a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.h
+++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2006-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c b/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c
index 535581068..c1decb130 100644
--- a/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c
@@ -1,7 +1,7 @@
/*
* Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/authenticators/psk_authenticator.h b/src/libcharon/sa/ikev2/authenticators/psk_authenticator.h
index 91c534145..7ae86b664 100644
--- a/src/libcharon/sa/ikev2/authenticators/psk_authenticator.h
+++ b/src/libcharon/sa/ikev2/authenticators/psk_authenticator.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2006-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
index 65baf8771..652b837fe 100644
--- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008-2017 Tobias Brunner
+ * Copyright (C) 2008-2018 Tobias Brunner
* Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2005 Jan Hutter
* HSR Hochschule fuer Technik Rapperswil
@@ -23,6 +23,7 @@
#include <asn1/asn1.h>
#include <asn1/oid.h>
#include <collections/array.h>
+#include <credentials/certificates/x509.h>
typedef struct private_pubkey_authenticator_t private_pubkey_authenticator_t;
@@ -164,7 +165,7 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat,
signature_scheme_t schemes[] = {
SIGN_RSA_EMSA_PKCS1_SHA2_384,
SIGN_RSA_EMSA_PKCS1_SHA2_256,
- }, contained;
+ };
bool found;
int i, j;
@@ -174,8 +175,8 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat,
found = FALSE;
for (j = 0; j < array_count(selected); j++)
{
- array_get(selected, j, &contained);
- if (scheme == contained)
+ array_get(selected, j, &config);
+ if (scheme == config->scheme)
{
found = TRUE;
break;
@@ -414,6 +415,29 @@ METHOD(authenticator_t, build, status_t,
return status;
}
+/**
+ * Check if the end-entity certificate, if any, is compliant with RFC 4945
+ */
+static bool is_compliant_cert(auth_cfg_t *auth)
+{
+ certificate_t *cert;
+ x509_t *x509;
+
+ cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+ if (!cert || cert->get_type(cert) != CERT_X509)
+ {
+ return TRUE;
+ }
+ x509 = (x509_t*)cert;
+ if (x509->get_flags(x509) & X509_IKE_COMPLIANT)
+ {
+ return TRUE;
+ }
+ DBG1(DBG_IKE, "rejecting certificate without digitalSignature or "
+ "nonRepudiation keyUsage flags");
+ return FALSE;
+}
+
METHOD(authenticator_t, process, status_t,
private_pubkey_authenticator_t *this, message_t *message)
{
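Review bot: `is_compliant_cert()` returns TRUE for any auth config without an X.509 end-entity certificate (L1055-1058), so raw public keys and non-X.509 certificate types are never subject to the RFC 4945 check; the header's "if any" hints at this, but the early return deserves its own line, `/* only X.509 end-entity certs are subject to the RFC 4945 KeyUsage rule */`. The DBG1 message on L1064-1065 gives the KeyUsage reason while the code tests the X509_IKE_COMPLIANT flag (L1060); if that flag ever aggregates further conditions the message goes stale, so either name the flag in the message or add a comment tying the two together.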
@@ -479,7 +503,8 @@ METHOD(authenticator_t, process, status_t,
while (enumerator->enumerate(enumerator, &public, &current_auth))
{
if (public->verify(public, params->scheme, params->params, octets,
- auth_data))
+ auth_data) &&
+ is_compliant_cert(current_auth))
{
if (auth_method != AUTH_DS)
{
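Review bot: The compliance check on L1078 runs only after `public->verify()` on L1075 has succeeded, so a certificate that will be rejected regardless still costs a full signature verification for every candidate key. Since both conditions must hold, swapping them, `if (is_compliant_cert(current_auth) && public->verify(...))`, skips that work for non-compliant candidates at the cost of logging the rejection even when the signature would not have verified. The enclosing process() method starts and ends outside the hunk.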
diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.h b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.h
index 82bfea23b..c98e97eb9 100644
--- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.h
+++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.h
@@ -1,7 +1,7 @@
/*
* Copyright (C) 2008 Tobias Brunner
* Copyright (C) 2006-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/connect_manager.c b/src/libcharon/sa/ikev2/connect_manager.c
index 35856788c..ba602fc4a 100644
--- a/src/libcharon/sa/ikev2/connect_manager.c
+++ b/src/libcharon/sa/ikev2/connect_manager.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2007-2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/connect_manager.h b/src/libcharon/sa/ikev2/connect_manager.h
index e667e1f70..bac261b35 100644
--- a/src/libcharon/sa/ikev2/connect_manager.h
+++ b/src/libcharon/sa/ikev2/connect_manager.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2007-2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c
index 0c41c68d0..f8b23b66e 100644
--- a/src/libcharon/sa/ikev2/keymat_v2.c
+++ b/src/libcharon/sa/ikev2/keymat_v2.c
@@ -1,7 +1,7 @@
/*
* Copyright (C) 2015 Tobias Brunner
* Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -303,8 +303,8 @@ METHOD(keymat_v2_t, derive_ike_keys, bool,
chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id,
pseudo_random_function_t rekey_function, chunk_t rekey_skd)
{
- chunk_t skeyseed, key, secret, full_nonce, fixed_nonce, prf_plus_seed;
- chunk_t spi_i, spi_r;
+ chunk_t skeyseed = chunk_empty, key, secret, full_nonce, fixed_nonce;
+ chunk_t prf_plus_seed, spi_i, spi_r;
prf_plus_t *prf_plus = NULL;
uint16_t alg, key_size, int_alg;
prf_t *rekey_prf = NULL;
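Review bot: Initializing `skeyseed` to `chunk_empty` on L1138 suggests an error path releases it before it has been derived; if that cleanup also touches `key`, `secret`, `full_nonce`, `fixed_nonce` or `prf_plus_seed`, those chunks on L1138-1139 still start uninitialized and would have the same problem, so the cleanup path (outside this hunk) is worth checking against each of them. A short comment beside the initializer, `/* cleared on the failure path before it is derived */`, would explain why only this chunk is initialized. The body of derive_ike_keys continues outside the hunk.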
diff --git a/src/libcharon/sa/ikev2/keymat_v2.h b/src/libcharon/sa/ikev2/keymat_v2.h
index 084ed40f0..5dc9cda38 100644
--- a/src/libcharon/sa/ikev2/keymat_v2.h
+++ b/src/libcharon/sa/ikev2/keymat_v2.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2011-2015 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/mediation_manager.c b/src/libcharon/sa/ikev2/mediation_manager.c
index bf5b2f4b3..ffb566591 100644
--- a/src/libcharon/sa/ikev2/mediation_manager.c
+++ b/src/libcharon/sa/ikev2/mediation_manager.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2007 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/mediation_manager.h b/src/libcharon/sa/ikev2/mediation_manager.h
index 5212bdb86..640b55eee 100644
--- a/src/libcharon/sa/ikev2/mediation_manager.h
+++ b/src/libcharon/sa/ikev2/mediation_manager.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2007 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index 5c0ec49f0..fff567233 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -1794,9 +1794,25 @@ static void trigger_mbb_reauth(private_task_manager_t *this)
enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
while (enumerator->enumerate(enumerator, &child_sa))
{
+ child_create_t *child_create;
+
+ switch (child_sa->get_state(child_sa))
+ {
+ case CHILD_REKEYED:
+ case CHILD_DELETED:
+ /* ignore CHILD_SAs in these states */
+ continue;
+ default:
+ break;
+ }
cfg = child_sa->get_config(child_sa);
- new->queue_task(new, &child_create_create(new, cfg->get_ref(cfg),
- FALSE, NULL, NULL)->task);
+ child_create = child_create_create(new, cfg->get_ref(cfg),
+ FALSE, NULL, NULL);
+ child_create->use_reqid(child_create, child_sa->get_reqid(child_sa));
+ child_create->use_marks(child_create,
+ child_sa->get_mark(child_sa, TRUE).value,
+ child_sa->get_mark(child_sa, FALSE).value);
+ new->queue_task(new, &child_create->task);
children = TRUE;
}
enumerator->destroy(enumerator);
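Review bot: The `switch` on L1189-1197 exists only to `continue` the enclosing `while` for two states and otherwise falls to `default: break;`; a plain `if (child_sa->get_state(child_sa) == CHILD_REKEYED || child_sa->get_state(child_sa) == CHILD_DELETED) { continue; }` reads more directly, since `continue` inside a `switch` is easy to misread as applying to the switch. Reusing the reqid and marks on L1203-1206 is presumably what lets the re-created CHILD_SA take over the existing policies, so a one-line comment, `/* reuse reqid and marks so the re-created CHILD_SA replaces the existing policies */`, would record that intent. trigger_mbb_reauth starts and ends outside the hunk.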
diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
index 85dac6d59..c90af23b9 100644
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
@@ -277,13 +277,11 @@ static bool ts_list_is_host(linked_list_t *list, host_t *host)
}
/**
- * Allocate SPIs and update proposals, we also promote the selected DH group
+ * Allocate local SPI
*/
static bool allocate_spi(private_child_create_t *this)
{
- enumerator_t *enumerator;
proposal_t *proposal;
- linked_list_t *other_dh_groups;
if (this->initiator)
{
@@ -301,41 +299,51 @@ static bool allocate_spi(private_child_create_t *this)
this->proto = this->proposal->get_protocol(this->proposal);
}
this->my_spi = this->child_sa->alloc_spi(this->child_sa, this->proto);
- if (this->my_spi)
+ return this->my_spi != 0;
+}
+
+/**
+ * Update the proposals with the allocated SPIs as initiator and check the DH
+ * group and promote it if necessary
+ */
+static bool update_and_check_proposals(private_child_create_t *this)
+{
+ enumerator_t *enumerator;
+ proposal_t *proposal;
+ linked_list_t *other_dh_groups;
+ bool found = FALSE;
+
+ other_dh_groups = linked_list_create();
+ enumerator = this->proposals->create_enumerator(this->proposals);
+ while (enumerator->enumerate(enumerator, &proposal))
{
- if (this->initiator)
- {
- other_dh_groups = linked_list_create();
- enumerator = this->proposals->create_enumerator(this->proposals);
- while (enumerator->enumerate(enumerator, &proposal))
+ proposal->set_spi(proposal, this->my_spi);
+
+ /* move the selected DH group to the front, if any */
+ if (this->dh_group != MODP_NONE)
+ { /* proposals that don't contain the selected group are
+ * moved to the back */
+ if (!proposal->promote_dh_group(proposal, this->dh_group))
{
- proposal->set_spi(proposal, this->my_spi);
-
- /* move the selected DH group to the front, if any */
- if (this->dh_group != MODP_NONE &&
- !proposal->promote_dh_group(proposal, this->dh_group))
- { /* proposals that don't contain the selected group are
- * moved to the back */
- this->proposals->remove_at(this->proposals, enumerator);
- other_dh_groups->insert_last(other_dh_groups, proposal);
- }
+ this->proposals->remove_at(this->proposals, enumerator);
+ other_dh_groups->insert_last(other_dh_groups, proposal);
}
- enumerator->destroy(enumerator);
- enumerator = other_dh_groups->create_enumerator(other_dh_groups);
- while (enumerator->enumerate(enumerator, (void**)&proposal))
- { /* no need to remove from the list as we destroy it anyway*/
- this->proposals->insert_last(this->proposals, proposal);
+ else
+ {
+ found = TRUE;
}
- enumerator->destroy(enumerator);
- other_dh_groups->destroy(other_dh_groups);
- }
- else
- {
- this->proposal->set_spi(this->proposal, this->my_spi);
}
- return TRUE;
}
- return FALSE;
+ enumerator->destroy(enumerator);
+ enumerator = other_dh_groups->create_enumerator(other_dh_groups);
+ while (enumerator->enumerate(enumerator, (void**)&proposal))
+ { /* no need to remove from the list as we destroy it anyway*/
+ this->proposals->insert_last(this->proposals, proposal);
+ }
+ enumerator->destroy(enumerator);
+ other_dh_groups->destroy(other_dh_groups);
+
+ return this->dh_group == MODP_NONE || found;
}
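Review bot: `update_and_check_proposals()` mutates the proposal list (SPIs set on L1256, reordering on L1274-1275 and L1296-1303) before it reports on L1305 whether the requested DH group was found, so on the FALSE path the caller is left with an already-updated list; that is harmless while the only caller returns FAILED, but the header comment on L1236-1239 should say so, e.g. `Returns FALSE if this->dh_group is set and no proposal contains it; the list is updated either way.` The first enumeration reads with `&proposal` (L1249) while the second casts `(void**)&proposal` (L1298); the two should use the same form. allocate_spi begins before this hunk.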
/**
@@ -532,10 +540,15 @@ static status_t select_and_install(private_child_create_t *this,
}
this->other_spi = this->proposal->get_spi(this->proposal);
- if (!this->initiator && !allocate_spi(this))
- { /* responder has no SPI allocated yet */
- DBG1(DBG_IKE, "allocating SPI failed");
- return FAILED;
+ if (!this->initiator)
+ {
+ if (!allocate_spi(this))
+ {
+ /* responder has no SPI allocated yet */
+ DBG1(DBG_IKE, "allocating SPI failed");
+ return FAILED;
+ }
+ this->proposal->set_spi(this->proposal, this->my_spi);
}
this->child_sa->set_proposal(this->child_sa, this->proposal);
@@ -981,7 +994,12 @@ static void process_payloads(private_child_create_t *this, message_t *message)
this->dh = this->keymat->keymat.create_dh(
&this->keymat->keymat, this->dh_group);
}
- if (this->dh)
+ else if (this->dh)
+ {
+ this->dh_failed = this->dh->get_dh_group(this->dh) !=
+ ke_payload->get_dh_group_number(ke_payload);
+ }
+ if (this->dh && !this->dh_failed)
{
this->dh_failed = !this->dh->set_other_public_value(this->dh,
ke_payload->get_key_exchange_data(ke_payload));
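Review bot: The group check on L1333-1334 assigns `this->dh_failed` rather than combining it, so if process_payloads can encounter more than one KE payload (its loop begins outside the hunk), a later payload carrying the expected group would clear a failure recorded by an earlier one; `this->dh_failed |= ...` keeps the first failure sticky. The mismatch itself is not logged here; a `DBG1(DBG_IKE, "DH group in KE payload does not match the negotiated group")` at this point would make the resulting CHILD_SA failure diagnosable from the log. The enclosing function starts and ends outside the hunk.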
@@ -1111,6 +1129,14 @@ METHOD(task_t, build_i, status_t,
return FAILED;
}
+ if (!update_and_check_proposals(this))
+ {
+ DBG1(DBG_IKE, "requested DH group %N not contained in any of our "
+ "proposals",
+ diffie_hellman_group_names, this->dh_group);
+ return FAILED;
+ }
+
if (this->dh_group != MODP_NONE)
{
this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
@@ -1544,6 +1570,15 @@ METHOD(task_t, process_i, status_t,
memcpy(&group, data.ptr, data.len);
group = ntohs(group);
}
+ if (this->retry)
+ {
+ DBG1(DBG_IKE, "already retried with DH group %N, ignore"
+ "requested %N", diffie_hellman_group_names,
+ this->dh_group, diffie_hellman_group_names, group);
+ handle_child_sa_failure(this, message);
+ /* an error in CHILD_SA creation is not critical */
+ return SUCCESS;
+ }
DBG1(DBG_IKE, "peer didn't accept DH group %N, "
"it requested %N", diffie_hellman_group_names,
this->dh_group, diffie_hellman_group_names, group);
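Review bot: The adjacent string literals on L1360-1361, `"already retried with DH group %N, ignore"` and `"requested %N"`, concatenate to "ignorerequested" because the first literal lacks a trailing space; change it to `"already retried with DH group %N, ignore "`. The retry guard itself is the right place to stop a peer from bouncing the initiator between groups indefinitely, so a comment naming that purpose, `/* only follow one INVALID_KE_PAYLOAD request per CHILD_SA */`, would help the next reader. process_i starts and ends outside the hunk.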
diff --git a/src/libcharon/sa/ikev2/tasks/child_delete.c b/src/libcharon/sa/ikev2/tasks/child_delete.c
index 164f8fc03..6c8b29018 100644
--- a/src/libcharon/sa/ikev2/tasks/child_delete.c
+++ b/src/libcharon/sa/ikev2/tasks/child_delete.c
@@ -265,6 +265,8 @@ static void process_payloads(private_child_delete_t *this, message_t *message)
case CHILD_REKEYED:
entry->rekeyed = TRUE;
break;
+ case CHILD_DELETED:
+ /* already deleted but not yet destroyed, ignore */
case CHILD_DELETING:
/* we don't send back a delete if we already initiated
* a delete ourself */
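Review bot: The new `case CHILD_DELETED:` on L1378 deliberately falls through into `case CHILD_DELETING:`, but the only marker is the prose comment on L1379, which neither a reader skimming the `switch` nor GCC's `-Wimplicit-fallthrough` comment heuristics will reliably recognize; add an explicit `/* FALLTHROUGH */` after it, or put both labels together above the shared comment. The switch in process_payloads begins and ends outside the hunk.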
@@ -324,6 +326,7 @@ static status_t destroy_and_reestablish(private_child_delete_t *this)
while (enumerator->enumerate(enumerator, (void**)&entry))
{
child_sa = entry->child_sa;
+ child_sa->set_state(child_sa, CHILD_DELETED);
/* signal child down event if we weren't rekeying */
protocol = child_sa->get_protocol(child_sa);
if (!entry->rekeyed)
@@ -374,8 +377,8 @@ static status_t destroy_and_reestablish(private_child_delete_t *this)
break;
case ACTION_ROUTE:
charon->traps->install(charon->traps,
- this->ike_sa->get_peer_cfg(this->ike_sa), child_cfg,
- reqid);
+ this->ike_sa->get_peer_cfg(this->ike_sa),
+ child_cfg);
break;
default:
break;
@@ -456,7 +459,7 @@ METHOD(task_t, build_i, status_t,
this->spi = child_sa->get_spi(child_sa, TRUE);
}
- if (child_sa->get_state(child_sa) == CHILD_DELETING)
+ if (child_sa->get_state(child_sa) == CHILD_DELETED)
{ /* DELETEs for this CHILD_SA were already exchanged, but it was not yet
* destroyed to allow delayed packets to get processed */
this->ike_sa->destroy_child_sa(this->ike_sa, this->protocol, this->spi);
diff --git a/src/libcharon/sa/ikev2/tasks/child_delete.h b/src/libcharon/sa/ikev2/tasks/child_delete.h
index 1e9b2d2f7..6b0006e6e 100644
--- a/src/libcharon/sa/ikev2/tasks/child_delete.h
+++ b/src/libcharon/sa/ikev2/tasks/child_delete.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/tasks/child_rekey.c b/src/libcharon/sa/ikev2/tasks/child_rekey.c
index f90056658..d5188c0bc 100644
--- a/src/libcharon/sa/ikev2/tasks/child_rekey.c
+++ b/src/libcharon/sa/ikev2/tasks/child_rekey.c
@@ -145,8 +145,7 @@ static void find_child(private_child_rekey_t *this, message_t *message)
child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol,
spi, FALSE);
if (child_sa &&
- child_sa->get_state(child_sa) == CHILD_DELETING &&
- child_sa->get_outbound_state(child_sa) == CHILD_OUTBOUND_NONE)
+ child_sa->get_state(child_sa) == CHILD_DELETED)
{ /* ignore rekeyed CHILD_SAs we keep around */
return;
}
@@ -213,7 +212,8 @@ METHOD(task_t, build_i, status_t,
message) != NEED_MORE)
{
schedule_delayed_rekey(this);
- return FAILED;
+ message->set_exchange_type(message, EXCHANGE_TYPE_UNDEFINED);
+ return SUCCESS;
}
if (message->get_exchange_type(message) == CREATE_CHILD_SA)
{
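Review bot: Returning SUCCESS on L1442 after `schedule_delayed_rekey()` turns the former failure path into a completed task that sends nothing, and the reason is only implied by setting the exchange type to EXCHANGE_TYPE_UNDEFINED on L1441; a comment such as `/* don't send a request, the rekeying was rescheduled */` would make the intent explicit and discourage reintroducing `return FAILED` here. Presumably the task manager treats an undefined exchange type as "no message to send"; that contract is worth confirming since the collision handling now depends on it. build_i starts and ends outside the hunk.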
diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c
index aeaa701c9..6b63197d5 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_auth.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
@@ -2,7 +2,7 @@
* Copyright (C) 2012-2015 Tobias Brunner
* Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.h b/src/libcharon/sa/ikev2/tasks/ike_auth.h
index ca864a710..c9e42ff54 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_auth.h
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.c b/src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.c
index 47b0a3ed1..495a353c5 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.h b/src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.h
index 4d5087ff5..f6862ca27 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.h
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_post.c b/src/libcharon/sa/ikev2/tasks/ike_cert_post.c
index 5a9e08de2..68af6e35b 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_cert_post.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_cert_post.c
@@ -1,7 +1,7 @@
/*
* Copyright (C) 2008 Tobias Brunner
* Copyright (C) 2006-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_post.h b/src/libcharon/sa/ikev2/tasks/ike_cert_post.h
index 34606b1e8..fb1614b43 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_cert_post.h
+++ b/src/libcharon/sa/ikev2/tasks/ike_cert_post.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2007-2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
index ca17494de..284e59bb1 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
@@ -1,7 +1,7 @@
/*
* Copyright (C) 2008 Tobias Brunner
* Copyright (C) 2006-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.h b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.h
index c1f8635ce..8542497bc 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.h
+++ b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2007-2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/tasks/ike_config.c b/src/libcharon/sa/ikev2/tasks/ike_config.c
index 6c42b81a6..4a8acb97e 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_config.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_config.c
@@ -1,7 +1,7 @@
/*
* Copyright (C) 2007 Martin Willi
* Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/tasks/ike_config.h b/src/libcharon/sa/ikev2/tasks/ike_config.h
index e35457645..9bf666c81 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_config.h
+++ b/src/libcharon/sa/ikev2/tasks/ike_config.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/tasks/ike_delete.h b/src/libcharon/sa/ikev2/tasks/ike_delete.h
index 2d5d7cb3a..5d571f769 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_delete.h
+++ b/src/libcharon/sa/ikev2/tasks/ike_delete.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/tasks/ike_dpd.c b/src/libcharon/sa/ikev2/tasks/ike_dpd.c
index 7a33f7938..d025a046d 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_dpd.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_dpd.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/tasks/ike_dpd.h b/src/libcharon/sa/ikev2/tasks/ike_dpd.h
index 026871610..7b30bdc9c 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_dpd.h
+++ b/src/libcharon/sa/ikev2/tasks/ike_dpd.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.h b/src/libcharon/sa/ikev2/tasks/ike_init.h
index ab169954d..d40d447c1 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_init.h
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/tasks/ike_me.c b/src/libcharon/sa/ikev2/tasks/ike_me.c
index f077ccfb5..8023da1fc 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_me.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_me.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2007-2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/tasks/ike_me.h b/src/libcharon/sa/ikev2/tasks/ike_me.h
index 44a4ce69c..9e5405b61 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_me.h
+++ b/src/libcharon/sa/ikev2/tasks/ike_me.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2007 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/tasks/ike_mobike.h b/src/libcharon/sa/ikev2/tasks/ike_mobike.h
index bb2318c9c..288b87178 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_mobike.h
+++ b/src/libcharon/sa/ikev2/tasks/ike_mobike.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -63,7 +63,7 @@ struct ike_mobike_t {
void (*dpd)(ike_mobike_t *this);
/**
- * Transmision hook, called by task manager.
+ * Transmission hook, called by task manager.
*
* The task manager calls this hook whenever it transmits a packet. It
* allows the mobike task to send the packet on multiple paths to do path
diff --git a/src/libcharon/sa/ikev2/tasks/ike_natd.c b/src/libcharon/sa/ikev2/tasks/ike_natd.c
index f3f32d7af..8ea903ec8 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_natd.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_natd.c
@@ -1,7 +1,7 @@
/*
* Copyright (C) 2006-2007 Martin Willi
* Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/tasks/ike_natd.h b/src/libcharon/sa/ikev2/tasks/ike_natd.h
index 9c571b8e6..3e5af5bcf 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_natd.h
+++ b/src/libcharon/sa/ikev2/tasks/ike_natd.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/tasks/ike_reauth.c b/src/libcharon/sa/ikev2/tasks/ike_reauth.c
index 6f90339ea..b9f6c02a8 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_reauth.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_reauth.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2006-2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/tasks/ike_reauth.h b/src/libcharon/sa/ikev2/tasks/ike_reauth.h
index e2e48f0d4..3733f21c8 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_reauth.h
+++ b/src/libcharon/sa/ikev2/tasks/ike_reauth.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/tasks/ike_redirect.c b/src/libcharon/sa/ikev2/tasks/ike_redirect.c
index f82c80f71..2c565c43a 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_redirect.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_redirect.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2015 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/tasks/ike_redirect.h b/src/libcharon/sa/ikev2/tasks/ike_redirect.h
index afa00ce5d..5abc9acde 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_redirect.h
+++ b/src/libcharon/sa/ikev2/tasks/ike_redirect.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2015 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/tasks/ike_rekey.c b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
index 2f0552a33..11123b415 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_rekey.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
@@ -363,7 +363,7 @@ METHOD(task_t, process_i, status_t,
/* IKE_SAs in state IKE_REKEYED are silently deleted, so we use
* IKE_REKEYING */
this->new_sa->set_state(this->new_sa, IKE_REKEYING);
- if (this->new_sa->delete(this->new_sa) == DESTROY_ME)
+ if (this->new_sa->delete(this->new_sa, FALSE) == DESTROY_ME)
{
this->new_sa->destroy(this->new_sa);
}
diff --git a/src/libcharon/sa/ikev2/tasks/ike_vendor.c b/src/libcharon/sa/ikev2/tasks/ike_vendor.c
index f72fbc437..8d8969ea0 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_vendor.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_vendor.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/tasks/ike_vendor.h b/src/libcharon/sa/ikev2/tasks/ike_vendor.h
index 86c711636..29832cbe9 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_vendor.h
+++ b/src/libcharon/sa/ikev2/tasks/ike_vendor.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/tasks/ike_verify_peer_cert.c b/src/libcharon/sa/ikev2/tasks/ike_verify_peer_cert.c
index 069d51d00..941b43023 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_verify_peer_cert.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_verify_peer_cert.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2015 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/ikev2/tasks/ike_verify_peer_cert.h b/src/libcharon/sa/ikev2/tasks/ike_verify_peer_cert.h
index 3d9aae0b3..0e48562eb 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_verify_peer_cert.h
+++ b/src/libcharon/sa/ikev2/tasks/ike_verify_peer_cert.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2015 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/keymat.c b/src/libcharon/sa/keymat.c
index d1f6a1bdc..70521b5dc 100644
--- a/src/libcharon/sa/keymat.c
+++ b/src/libcharon/sa/keymat.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2011 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -65,6 +65,7 @@ int keymat_get_keylen_encr(encryption_algorithm_t alg)
keylen_entry_t map[] = {
{ENCR_DES, 64},
{ENCR_3DES, 192},
+ {ENCR_CHACHA20_POLY1305, 256},
};
int i;
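Review bot: The new row gives ENCR_CHACHA20_POLY1305 a 256-bit key, which matches RFC 7634, but that RFC's IKEv2/ESP KEYMAT for the algorithm is 36 octets — the 32-octet key plus a 4-octet salt — and this table carries only the key part. Whether the caller adds the salt is not visible here; keymat_v2.c is in the diffstat, so it may be handled there, but if it is not, CHILD_SA keys for this AEAD come out 4 octets short. A trailing comment on the row would make the split explicit: `{ENCR_CHACHA20_POLY1305, 256},	/* RFC 7634: 256-bit key, 32-bit salt derived separately */`. keymat_get_keylen_encr continues outside the hunk.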
diff --git a/src/libcharon/sa/keymat.h b/src/libcharon/sa/keymat.h
index 17d2efe37..3fbb75880 100644
--- a/src/libcharon/sa/keymat.h
+++ b/src/libcharon/sa/keymat.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/redirect_manager.c b/src/libcharon/sa/redirect_manager.c
index 45b7e79df..75bba3639 100644
--- a/src/libcharon/sa/redirect_manager.c
+++ b/src/libcharon/sa/redirect_manager.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2015 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/redirect_manager.h b/src/libcharon/sa/redirect_manager.h
index e8753265c..2bd134c7d 100644
--- a/src/libcharon/sa/redirect_manager.h
+++ b/src/libcharon/sa/redirect_manager.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2015 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/redirect_provider.h b/src/libcharon/sa/redirect_provider.h
index ef2288ffc..75d421227 100644
--- a/src/libcharon/sa/redirect_provider.h
+++ b/src/libcharon/sa/redirect_provider.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2015 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c
index 3a254cea5..a83da0480 100644
--- a/src/libcharon/sa/shunt_manager.c
+++ b/src/libcharon/sa/shunt_manager.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2015-2016 Tobias Brunner
+ * Copyright (C) 2015-2017 Tobias Brunner
* Copyright (C) 2011-2016 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
@@ -198,6 +198,13 @@ METHOD(shunt_manager_t, install, bool,
entry_t *entry;
bool found = FALSE, success;
+ if (!ns)
+ {
+ DBG1(DBG_CFG, "missing namespace for shunt policy '%s'",
+ cfg->get_name(cfg));
+ return FALSE;
+ }
+
/* check if not already installed */
this->lock->write_lock(this->lock);
if (this->installing == INSTALL_DISABLED)
@@ -224,7 +231,7 @@ METHOD(shunt_manager_t, install, bool,
return TRUE;
}
INIT(entry,
- .ns = strdupnull(ns),
+ .ns = strdup(ns),
.cfg = cfg->get_ref(cfg),
);
this->shunts->insert_last(this->shunts, entry);
@@ -369,7 +376,7 @@ METHOD(shunt_manager_t, uninstall, bool,
enumerator = this->shunts->create_enumerator(this->shunts);
while (enumerator->enumerate(enumerator, &entry))
{
- if (streq(ns, entry->ns) &&
+ if ((!ns || streq(ns, entry->ns)) &&
streq(name, entry->cfg->get_name(entry->cfg)))
{
this->shunts->remove_at(this->shunts, enumerator);
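Review bot: With `ns == NULL` the new condition removes the first entry whose child name matches, regardless of which namespace installed it, so two namespaces that register the same child name can uninstall each other's shunt — for a drop or pass-through policy that is a silent change in traffic handling. shunt_manager.h documents the first-match rule, so this is an observability point rather than a bug: logging the namespace of the entry actually removed, e.g. `DBG1(DBG_CFG, "uninstalling shunt policy '%s' from namespace '%s'", name, entry->ns);` beside the remove_at, would make such collisions traceable (unless the function already logs it further down, outside the hunk). The uninstall hunk in trap_manager.c takes the same optional-peer, first-match approach and would benefit from the same line. uninstall begins and ends outside this hunk.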
diff --git a/src/libcharon/sa/shunt_manager.h b/src/libcharon/sa/shunt_manager.h
index f2b721032..3d9848c93 100644
--- a/src/libcharon/sa/shunt_manager.h
+++ b/src/libcharon/sa/shunt_manager.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2015-2016 Tobias Brunner
+ * Copyright (C) 2015-2017 Tobias Brunner
* Copyright (C) 2011 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
@@ -36,8 +36,7 @@ struct shunt_manager_t {
/**
* Install a policy as a shunt.
*
- * @param ns optional namespace (e.g. name of a connection or
- * plugin), cloned
+ * @param ns namespace (e.g. name of a connection or plugin), cloned
* @param child child configuration to install as a shunt
* @return TRUE if installed successfully
*/
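Review bot: The new `@param ns` text drops "optional" but does not say what a NULL namespace now does; shunt_manager.c's install logs and returns FALSE for it, so a caller that still passes NULL gets a failed install rather than an entry without a namespace as before. Suggest stating it: `@param ns namespace (e.g. name of a connection or plugin), cloned; must not be NULL`.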
@@ -46,7 +45,10 @@ struct shunt_manager_t {
/**
* Uninstall a shunt policy.
*
- * @param ns namespace (same as given during installation)
+ * If no namespace is given the first matching child configuration is
+ * removed.
+ *
+ * @param ns namespace (same as given during installation) or NULL
* @param name name of child configuration to uninstall as a shunt
* @return TRUE if uninstalled successfully
*/
diff --git a/src/libcharon/sa/task.c b/src/libcharon/sa/task.c
index 30de08c9b..660d0eb92 100644
--- a/src/libcharon/sa/task.c
+++ b/src/libcharon/sa/task.c
@@ -1,7 +1,7 @@
/*
* Copyright (C) 2007 Tobias Brunner
* Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/task.h b/src/libcharon/sa/task.h
index 5f77149ba..1a0a1acfa 100644
--- a/src/libcharon/sa/task.h
+++ b/src/libcharon/sa/task.h
@@ -1,7 +1,7 @@
/*
* Copyright (C) 2007-2015 Tobias Brunner
* Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/task_manager.c b/src/libcharon/sa/task_manager.c
index bd1191406..e1c8d23b4 100644
--- a/src/libcharon/sa/task_manager.c
+++ b/src/libcharon/sa/task_manager.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2011 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
index 6436a2549..979f9290a 100644
--- a/src/libcharon/sa/trap_manager.c
+++ b/src/libcharon/sa/trap_manager.c
@@ -1,7 +1,7 @@
/*
- * Copyright (C) 2011-2015 Tobias Brunner
+ * Copyright (C) 2011-2017 Tobias Brunner
* Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -183,9 +183,8 @@ static bool dynamic_remote_ts(child_cfg_t *child)
return found;
}
-METHOD(trap_manager_t, install, uint32_t,
- private_trap_manager_t *this, peer_cfg_t *peer, child_cfg_t *child,
- uint32_t reqid)
+METHOD(trap_manager_t, install, bool,
+ private_trap_manager_t *this, peer_cfg_t *peer, child_cfg_t *child)
{
entry_t *entry, *found = NULL;
ike_cfg_t *ike_cfg;
@@ -197,7 +196,7 @@ METHOD(trap_manager_t, install, uint32_t,
linked_list_t *proposals;
proposal_t *proposal;
protocol_id_t proto = PROTO_ESP;
- bool wildcard = FALSE;
+ bool result = FALSE, wildcard = FALSE;
/* try to resolve addresses */
ike_cfg = peer->get_ike_cfg(peer);
@@ -213,7 +212,7 @@ METHOD(trap_manager_t, install, uint32_t,
{
other->destroy(other);
DBG1(DBG_CFG, "installing trap failed, remote address unknown");
- return 0;
+ return FALSE;
}
else
{ /* depending on the traffic selectors we don't really need a remote
@@ -223,7 +222,7 @@ METHOD(trap_manager_t, install, uint32_t,
* which is probably not what users expect*/
DBG1(DBG_CFG, "installing trap failed, remote address unknown with "
"dynamic traffic selector");
- return 0;
+ return FALSE;
}
me = ike_cfg->resolve_me(ike_cfg, other ? other->get_family(other)
: AF_UNSPEC);
@@ -250,12 +249,14 @@ METHOD(trap_manager_t, install, uint32_t,
this->lock->unlock(this->lock);
other->destroy(other);
me->destroy(me);
- return 0;
+ return FALSE;
}
enumerator = this->traps->create_enumerator(this->traps);
while (enumerator->enumerate(enumerator, &entry))
{
- if (streq(entry->name, child->get_name(child)))
+ if (streq(entry->name, child->get_name(child)) &&
+ streq(entry->peer_cfg->get_name(entry->peer_cfg),
+ peer->get_name(peer)))
{
found = entry;
if (entry->child_sa)
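Review bot: The existing-entry lookup now requires both the child name and the peer configuration name to match, while uninstall (the hunk at -356) accepts a NULL peer and removes the first child-name match; with two peer configurations sharing a child name, install keeps a trap for each but an uninstall without a peer name removes whichever is enumerated first. trap_manager.h documents that, but callers managing more than one peer configuration must pass the peer name or they may drop the wrong trap; worth a sentence in the header, and worth checking the uninstall call sites this commit updates (not visible here). Minor: `child->get_name(child)` and `peer->get_name(peer)` are loop-invariant and could be read into locals before the while loop. install begins and ends outside this hunk.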
@@ -275,11 +276,10 @@ METHOD(trap_manager_t, install, uint32_t,
this->lock->unlock(this->lock);
other->destroy(other);
me->destroy(me);
- return 0;
+ return FALSE;
}
/* config might have changed so update everything */
DBG1(DBG_CFG, "updating already routed CHILD_SA '%s'", found->name);
- reqid = found->child_sa->get_reqid(found->child_sa);
}
INIT(entry,
@@ -293,7 +293,7 @@ METHOD(trap_manager_t, install, uint32_t,
this->lock->unlock(this->lock);
/* create and route CHILD_SA */
- child_sa = child_sa_create(me, other, child, reqid, FALSE, 0, 0);
+ child_sa = child_sa_create(me, other, child, 0, FALSE, 0, 0);
list = linked_list_create_with_items(me, NULL);
my_ts = child->get_traffic_selectors(child, TRUE, NULL, list);
@@ -325,14 +325,13 @@ METHOD(trap_manager_t, install, uint32_t,
this->lock->unlock(this->lock);
entry->child_sa = child_sa;
destroy_entry(entry);
- reqid = 0;
}
else
{
- reqid = child_sa->get_reqid(child_sa);
this->lock->write_lock(this->lock);
entry->child_sa = child_sa;
this->lock->unlock(this->lock);
+ result = TRUE;
}
if (found)
{
@@ -343,11 +342,11 @@ METHOD(trap_manager_t, install, uint32_t,
this->installing--;
this->condvar->signal(this->condvar);
this->lock->unlock(this->lock);
- return reqid;
+ return result;
}
METHOD(trap_manager_t, uninstall, bool,
- private_trap_manager_t *this, uint32_t reqid)
+ private_trap_manager_t *this, char *peer, char *child)
{
enumerator_t *enumerator;
entry_t *entry, *found = NULL;
@@ -356,8 +355,8 @@ METHOD(trap_manager_t, uninstall, bool,
enumerator = this->traps->create_enumerator(this->traps);
while (enumerator->enumerate(enumerator, &entry))
{
- if (entry->child_sa &&
- entry->child_sa->get_reqid(entry->child_sa) == reqid)
+ if (streq(entry->name, child) &&
+ (!peer || streq(peer, entry->peer_cfg->get_name(entry->peer_cfg))))
{
this->traps->remove_at(this->traps, enumerator);
found = entry;
@@ -369,7 +368,6 @@ METHOD(trap_manager_t, uninstall, bool,
if (!found)
{
- DBG1(DBG_CFG, "trap %d not found to uninstall", reqid);
return FALSE;
}
destroy_entry(found);
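Review bot: The `trap %d not found to uninstall` message is dropped without a replacement, so an uninstall that matches nothing now reports only its FALSE return; a failed policy removal is exactly the event an operator wants in the log when traffic is still being trapped unexpectedly. Unless every caller logs the failure itself, keep a name-based line in the `!found` branch, e.g. `DBG1(DBG_CFG, "trap for '%s' not found to uninstall", child);`. uninstall begins and ends outside this hunk.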
@@ -413,31 +411,6 @@ METHOD(trap_manager_t, create_enumerator, enumerator_t*,
(void*)this->lock->unlock);
}
-METHOD(trap_manager_t, find_reqid, uint32_t,
- private_trap_manager_t *this, child_cfg_t *child)
-{
- enumerator_t *enumerator;
- entry_t *entry;
- uint32_t reqid = 0;
-
- this->lock->read_lock(this->lock);
- enumerator = this->traps->create_enumerator(this->traps);
- while (enumerator->enumerate(enumerator, &entry))
- {
- if (streq(entry->name, child->get_name(child)))
- {
- if (entry->child_sa)
- {
- reqid = entry->child_sa->get_reqid(entry->child_sa);
- }
- break;
- }
- }
- enumerator->destroy(enumerator);
- this->lock->unlock(this->lock);
- return reqid;
-}
-
METHOD(trap_manager_t, acquire, void,
private_trap_manager_t *this, uint32_t reqid,
traffic_selector_t *src, traffic_selector_t *dst)
@@ -693,7 +666,6 @@ trap_manager_t *trap_manager_create(void)
.install = _install,
.uninstall = _uninstall,
.create_enumerator = _create_enumerator,
- .find_reqid = _find_reqid,
.acquire = _acquire,
.flush = _flush,
.destroy = _destroy,
diff --git a/src/libcharon/sa/trap_manager.h b/src/libcharon/sa/trap_manager.h
index 083ea3dbf..1b67ff82f 100644
--- a/src/libcharon/sa/trap_manager.h
+++ b/src/libcharon/sa/trap_manager.h
@@ -1,6 +1,7 @@
/*
+ * Copyright (C) 2013-2017 Tobias Brunner
* Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -37,19 +38,21 @@ struct trap_manager_t {
*
* @param peer peer configuration to initiate on trap
* @param child child configuration to install as a trap
- * @param reqid optional reqid to use
- * @return reqid of installed CHILD_SA, 0 if failed
+ * @return TRUE if successfully installed
*/
- uint32_t (*install)(trap_manager_t *this, peer_cfg_t *peer,
- child_cfg_t *child, uint32_t reqid);
+ bool (*install)(trap_manager_t *this, peer_cfg_t *peer, child_cfg_t *child);
/**
* Uninstall a trap policy.
*
- * @param id reqid of CHILD_SA to uninstall, returned by install()
+ * If no peer configuration name is given the first matching child
+ * configuration is uninstalled.
+ *
+ * @param peer peer configuration name or NULL
+ * @param child child configuration name
* @return TRUE if uninstalled successfully
*/
- bool (*uninstall)(trap_manager_t *this, uint32_t reqid);
+ bool (*uninstall)(trap_manager_t *this, char *peer, char *child);
/**
* Create an enumerator over all installed traps.
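Review bot: The new `@param child` line does not say that NULL is not allowed, while `peer` is explicitly allowed to be NULL; uninstall's matching calls `streq(entry->name, child)` unconditionally, so whether a NULL child is safe depends on streq's NULL handling, which is not visible here. Suggest `@param child child configuration name (must not be NULL)`. The install documentation could also mention that re-installing an existing peer/child pair updates the already routed trap instead of adding a second one, which is what the matching in trap_manager.c does.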
@@ -59,14 +62,6 @@ struct trap_manager_t {
enumerator_t* (*create_enumerator)(trap_manager_t *this);
/**
- * Find the reqid of a child config installed as a trap.
- *
- * @param child CHILD_SA config to get the reqid for
- * @return reqid of trap, 0 if not found
- */
- uint32_t (*find_reqid)(trap_manager_t *this, child_cfg_t *child);
-
- /**
* Acquire an SA triggered by an installed trap.
*
* @param reqid requid of the triggering CHILD_SA
diff --git a/src/libcharon/sa/xauth/xauth_method.c b/src/libcharon/sa/xauth/xauth_method.c
index 838822d1e..8f34a275d 100644
--- a/src/libcharon/sa/xauth/xauth_method.c
+++ b/src/libcharon/sa/xauth/xauth_method.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libcharon/sa/xauth/xauth_method.h b/src/libcharon/sa/xauth/xauth_method.h
index c0c2024e0..134e72b06 100644
--- a/src/libcharon/sa/xauth/xauth_method.h
+++ b/src/libcharon/sa/xauth/xauth_method.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the