diff options
Diffstat (limited to 'src/libcharon/sa')
86 files changed, 447 insertions, 312 deletions
diff --git a/src/libcharon/sa/authenticator.c b/src/libcharon/sa/authenticator.c index 6c3681a2d..b77c19d00 100644 --- a/src/libcharon/sa/authenticator.c +++ b/src/libcharon/sa/authenticator.c @@ -1,7 +1,7 @@ /* * Copyright (C) 2006-2009 Martin Willi * Copyright (C) 2008 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/authenticator.h b/src/libcharon/sa/authenticator.h index 97c042e71..42d9ce32e 100644 --- a/src/libcharon/sa/authenticator.h +++ b/src/libcharon/sa/authenticator.h @@ -2,7 +2,7 @@ * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2008 Tobias Brunner * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c index a01ee9e4d..7eeb578f3 100644 --- a/src/libcharon/sa/child_sa.c +++ b/src/libcharon/sa/child_sa.c @@ -37,6 +37,7 @@ ENUM(child_sa_state_names, CHILD_CREATED, CHILD_DESTROYING, "REKEYED", "RETRYING", "DELETING", + "DELETED", "DESTROYING", ); @@ -888,7 +889,7 @@ static status_t install_internal(private_child_sa_t *this, chunk_t encr, .ipcomp = this->ipcomp, .cpi = cpi, .encap = this->encap, - .hw_offload = this->config->has_option(this->config, OPT_HW_OFFLOAD), + .hw_offload = this->config->get_hw_offload(this->config), .esn = esn, .initiator = initiator, .inbound = inbound, @@ -1060,16 +1061,17 @@ static status_t install_policies_internal(private_child_sa_t *this, host_t *my_addr, host_t *other_addr, traffic_selector_t *my_ts, traffic_selector_t *other_ts, ipsec_sa_cfg_t *my_sa, ipsec_sa_cfg_t *other_sa, policy_type_t type, - policy_priority_t priority, uint32_t manual_prio) + policy_priority_t priority, uint32_t manual_prio, bool outbound) { status_t status = SUCCESS; status |= install_policies_inbound(this, my_addr, other_addr, my_ts, - other_ts, my_sa, other_sa, type, - priority, manual_prio); - status |= install_policies_outbound(this, my_addr, other_addr, my_ts, - other_ts, my_sa, other_sa, type, - priority, manual_prio); + other_ts, my_sa, other_sa, type, priority, manual_prio); + if (outbound) + { + status |= install_policies_outbound(this, my_addr, other_addr, my_ts, + other_ts, my_sa, other_sa, type, priority, manual_prio); + } return status; } @@ -1153,12 +1155,15 @@ static void del_policies_internal(private_child_sa_t *this, host_t *my_addr, host_t *other_addr, traffic_selector_t *my_ts, traffic_selector_t *other_ts, ipsec_sa_cfg_t *my_sa, ipsec_sa_cfg_t *other_sa, policy_type_t type, - policy_priority_t priority, uint32_t manual_prio) + policy_priority_t priority, uint32_t manual_prio, bool outbound) { - del_policies_outbound(this, my_addr, other_addr, my_ts, other_ts, my_sa, - other_sa, type, priority, manual_prio); + if (outbound) + { + del_policies_outbound(this, my_addr, other_addr, my_ts, other_ts, my_sa, + other_sa, type, priority, manual_prio); + } del_policies_inbound(this, my_addr, other_addr, my_ts, other_ts, my_sa, - other_sa, type, priority, manual_prio); + other_sa, type, priority, manual_prio); } METHOD(child_sa_t, set_policies, void, @@ -1249,18 +1254,10 @@ METHOD(child_sa_t, install_policies, status_t, enumerator = create_policy_enumerator(this); while (enumerator->enumerate(enumerator, &my_ts, &other_ts)) { - status |= install_policies_inbound(this, this->my_addr, - this->other_addr, my_ts, other_ts, - &my_sa, &other_sa, POLICY_IPSEC, - priority, manual_prio); - - if (install_outbound) - { - status |= install_policies_outbound(this, this->my_addr, + status |= install_policies_internal(this, this->my_addr, this->other_addr, my_ts, other_ts, - &my_sa, &other_sa, POLICY_IPSEC, - priority, manual_prio); - } + &my_sa, &other_sa, POLICY_IPSEC, priority, + manual_prio, install_outbound); if (status != SUCCESS) { break; @@ -1463,7 +1460,7 @@ static status_t update_sas(private_child_sa_t *this, host_t *me, host_t *other, } /* update his (responder) SA */ - if (this->other_spi) + if (this->other_spi && (this->outbound_state & CHILD_OUTBOUND_SA)) { kernel_ipsec_sa_id_t id = { .src = this->my_addr, @@ -1517,22 +1514,26 @@ METHOD(child_sa_t, update, status_t, traffic_selector_t *my_ts, *other_ts; uint32_t manual_prio; status_t state; + bool outbound; prepare_sa_cfg(this, &my_sa, &other_sa); manual_prio = this->config->get_manual_prio(this->config); + outbound = (this->outbound_state & CHILD_OUTBOUND_POLICIES); enumerator = create_policy_enumerator(this); while (enumerator->enumerate(enumerator, &my_ts, &other_ts)) { /* install drop policy to avoid traffic leaks, acquires etc. */ - install_policies_outbound(this, this->my_addr, this->other_addr, - my_ts, other_ts, &my_sa, &other_sa, POLICY_DROP, - POLICY_PRIORITY_DEFAULT, manual_prio); - + if (outbound) + { + install_policies_outbound(this, this->my_addr, this->other_addr, + my_ts, other_ts, &my_sa, &other_sa, POLICY_DROP, + POLICY_PRIORITY_DEFAULT, manual_prio); + } /* remove old policies */ del_policies_internal(this, this->my_addr, this->other_addr, my_ts, other_ts, &my_sa, &other_sa, POLICY_IPSEC, - POLICY_PRIORITY_DEFAULT, manual_prio); + POLICY_PRIORITY_DEFAULT, manual_prio, outbound); } enumerator->destroy(enumerator); @@ -1548,8 +1549,8 @@ METHOD(child_sa_t, update, status_t, if (state == NOT_SUPPORTED) { install_policies_internal(this, this->my_addr, this->other_addr, - my_ts, other_ts, &my_sa, &other_sa, - POLICY_IPSEC, POLICY_PRIORITY_DEFAULT, manual_prio); + my_ts, other_ts, &my_sa, &other_sa, POLICY_IPSEC, + POLICY_PRIORITY_DEFAULT, manual_prio, outbound); } else { @@ -1573,15 +1574,17 @@ METHOD(child_sa_t, update, status_t, /* reinstall updated policies */ install_policies_internal(this, me, other, my_ts, other_ts, - &my_sa, &other_sa, POLICY_IPSEC, - POLICY_PRIORITY_DEFAULT, manual_prio); + &my_sa, &other_sa, POLICY_IPSEC, + POLICY_PRIORITY_DEFAULT, manual_prio, outbound); } /* remove the drop policy */ - del_policies_outbound(this, this->my_addr, this->other_addr, - old_my_ts ?: my_ts, - old_other_ts ?: other_ts, - &my_sa, &other_sa, POLICY_DROP, - POLICY_PRIORITY_DEFAULT, 0); + if (outbound) + { + del_policies_outbound(this, this->my_addr, this->other_addr, + old_my_ts ?: my_ts, old_other_ts ?: other_ts, + &my_sa, &other_sa, POLICY_DROP, + POLICY_PRIORITY_DEFAULT, 0); + } DESTROY_IF(old_my_ts); DESTROY_IF(old_other_ts); @@ -1651,16 +1654,9 @@ METHOD(child_sa_t, destroy, void, enumerator = create_policy_enumerator(this); while (enumerator->enumerate(enumerator, &my_ts, &other_ts)) { - if (del_outbound) - { - del_policies_outbound(this, this->my_addr, - this->other_addr, my_ts, other_ts, - &my_sa, &other_sa, POLICY_IPSEC, - priority, manual_prio); - } - del_policies_inbound(this, this->my_addr, this->other_addr, - my_ts, other_ts, &my_sa, &other_sa, - POLICY_IPSEC, priority, manual_prio); + del_policies_internal(this, this->my_addr, + this->other_addr, my_ts, other_ts, &my_sa, &other_sa, + POLICY_IPSEC, priority, manual_prio, del_outbound); } enumerator->destroy(enumerator); } @@ -1754,7 +1750,7 @@ static host_t* get_proxy_addr(child_cfg_t *config, host_t *ike, bool local) * Described in header. */ child_sa_t * child_sa_create(host_t *me, host_t* other, - child_cfg_t *config, uint32_t rekey, bool encap, + child_cfg_t *config, uint32_t reqid, bool encap, u_int mark_in, u_int mark_out) { private_child_sa_t *this; @@ -1865,21 +1861,15 @@ child_sa_t * child_sa_create(host_t *me, host_t* other, if (!this->reqid) { - /* reuse old reqid if we are rekeying an existing CHILD_SA. While the - * reqid cache would find the same reqid for our selectors, this does - * not work in a special case: If an SA is triggered by a trap policy, - * but the negotiated SA gets narrowed, we still must reuse the same - * reqid to successfully "trigger" the SA on the kernel level. Rekeying - * such an SA requires an explicit reqid, as the cache currently knows - * the original selectors only for that reqid. */ - if (rekey) - { - this->reqid = rekey; - } - else - { - this->reqid = charon->traps->find_reqid(charon->traps, config); - } + /* reuse old reqid if we are rekeying an existing CHILD_SA and when + * initiating a trap policy. While the reqid cache would find the same + * reqid for our selectors, this does not work in a special case: If an + * SA is triggered by a trap policy, but the negotiated TS get + * narrowed, we still must reuse the same reqid to successfully + * replace the temporary SA on the kernel level. Rekeying such an SA + * requires an explicit reqid, as the cache currently knows the original + * selectors only for that reqid. */ + this->reqid = reqid; } else { diff --git a/src/libcharon/sa/child_sa.h b/src/libcharon/sa/child_sa.h index 49175ca01..183033f46 100644 --- a/src/libcharon/sa/child_sa.h +++ b/src/libcharon/sa/child_sa.h @@ -84,6 +84,11 @@ enum child_sa_state_t { CHILD_DELETING, /** + * CHILD_SA has been deleted, but not yet destroyed + */ + CHILD_DELETED, + + /** * CHILD_SA object gets destroyed */ CHILD_DESTROYING, diff --git a/src/libcharon/sa/eap/eap_manager.c b/src/libcharon/sa/eap/eap_manager.c index b2a57ccfb..2a9e0d06d 100644 --- a/src/libcharon/sa/eap/eap_manager.c +++ b/src/libcharon/sa/eap/eap_manager.c @@ -1,7 +1,7 @@ /* * Copyright (C) 2012 Tobias Brunner * Copyright (C) 2008 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/eap/eap_manager.h b/src/libcharon/sa/eap/eap_manager.h index 391c906e9..73aa76329 100644 --- a/src/libcharon/sa/eap/eap_manager.h +++ b/src/libcharon/sa/eap/eap_manager.h @@ -1,7 +1,7 @@ /* * Copyright (C) 2012 Tobias Brunner * Copyright (C) 2008 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/eap/eap_method.c b/src/libcharon/sa/eap/eap_method.c index 9ce6ecf00..0a3c454e1 100644 --- a/src/libcharon/sa/eap/eap_method.c +++ b/src/libcharon/sa/eap/eap_method.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2006 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/eap/eap_method.h b/src/libcharon/sa/eap/eap_method.h index 840779727..34041e347 100644 --- a/src/libcharon/sa/eap/eap_method.h +++ b/src/libcharon/sa/eap/eap_method.h @@ -1,6 +1,6 @@ /* * Copyright (C) 2006 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c index e1f4ec95a..f39fed6f0 100644 --- a/src/libcharon/sa/ike_sa.c +++ b/src/libcharon/sa/ike_sa.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2017 Tobias Brunner + * Copyright (C) 2006-2018 Tobias Brunner * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -1053,17 +1053,19 @@ METHOD(ike_sa_t, has_mapping_changed, bool, METHOD(ike_sa_t, float_ports, void, private_ike_sa_t *this) { - /* do not switch if we have a custom port from MOBIKE/NAT */ + /* even if the remote port is not 500 (e.g. because the response was natted) + * we switch the remote port if we used port 500 */ + if (this->other_host->get_port(this->other_host) == IKEV2_UDP_PORT || + this->my_host->get_port(this->my_host) == IKEV2_UDP_PORT) + { + this->other_host->set_port(this->other_host, IKEV2_NATT_PORT); + } if (this->my_host->get_port(this->my_host) == charon->socket->get_port(charon->socket, FALSE)) { this->my_host->set_port(this->my_host, charon->socket->get_port(charon->socket, TRUE)); } - if (this->other_host->get_port(this->other_host) == IKEV2_UDP_PORT) - { - this->other_host->set_port(this->other_host, IKEV2_NATT_PORT); - } } METHOD(ike_sa_t, update_hosts, void, @@ -1791,8 +1793,10 @@ METHOD(ike_sa_t, destroy_child_sa, status_t, } METHOD(ike_sa_t, delete_, status_t, - private_ike_sa_t *this) + private_ike_sa_t *this, bool force) { + status_t status = DESTROY_ME; + switch (this->state) { case IKE_ESTABLISHED: @@ -1804,19 +1808,38 @@ METHOD(ike_sa_t, delete_, status_t, charon->bus->alert(charon->bus, ALERT_IKE_SA_EXPIRED); } this->task_manager->queue_ike_delete(this->task_manager); - return this->task_manager->initiate(this->task_manager); + status = this->task_manager->initiate(this->task_manager); + break; case IKE_CREATED: DBG1(DBG_IKE, "deleting unestablished IKE_SA"); break; case IKE_PASSIVE: break; default: - DBG1(DBG_IKE, "destroying IKE_SA in state %N " - "without notification", ike_sa_state_names, this->state); - charon->bus->ike_updown(charon->bus, &this->public, FALSE); + DBG1(DBG_IKE, "destroying IKE_SA in state %N without notification", + ike_sa_state_names, this->state); + force = TRUE; break; } - return DESTROY_ME; + + if (force) + { + status = DESTROY_ME; + + if (this->version == IKEV2) + { /* for IKEv1 we trigger this in the ISAKMP delete task */ + switch (this->state) + { + case IKE_ESTABLISHED: + case IKE_REKEYING: + case IKE_DELETING: + charon->bus->ike_updown(charon->bus, &this->public, FALSE); + default: + break; + } + } + } + return status; } METHOD(ike_sa_t, rekey, status_t, @@ -1926,23 +1949,18 @@ static status_t reestablish_children(private_ike_sa_t *this, ike_sa_t *new, enumerator = create_child_sa_enumerator(this); while (enumerator->enumerate(enumerator, (void**)&child_sa)) { + switch (child_sa->get_state(child_sa)) + { + case CHILD_REKEYED: + case CHILD_DELETED: + /* ignore CHILD_SAs in these states */ + continue; + default: + break; + } if (force) { - switch (child_sa->get_state(child_sa)) - { - case CHILD_ROUTED: - { /* move routed child directly */ - remove_child_sa(this, enumerator); - new->add_child_sa(new, child_sa); - action = ACTION_NONE; - break; - } - default: - { /* initiate/queue all other CHILD_SAs */ - action = ACTION_RESTART; - break; - } - } + action = ACTION_RESTART; } else { /* only restart CHILD_SAs that are configured accordingly */ @@ -2020,6 +2038,15 @@ METHOD(ike_sa_t, reestablish, status_t, enumerator = array_create_enumerator(this->child_sas); while (enumerator->enumerate(enumerator, (void**)&child_sa)) { + switch (child_sa->get_state(child_sa)) + { + case CHILD_REKEYED: + case CHILD_DELETED: + /* ignore CHILD_SAs in these states */ + continue; + default: + break; + } if (this->state == IKE_DELETING) { action = child_sa->get_close_action(child_sa); @@ -2035,8 +2062,7 @@ METHOD(ike_sa_t, reestablish, status_t, break; case ACTION_ROUTE: charon->traps->install(charon->traps, this->peer_cfg, - child_sa->get_config(child_sa), - child_sa->get_reqid(child_sa)); + child_sa->get_config(child_sa)); break; default: break; @@ -2348,6 +2374,31 @@ METHOD(ike_sa_t, retransmit, status_t, return this->task_manager->initiate(this->task_manager); } DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding"); + + if (this->version == IKEV1 && array_count(this->child_sas)) + { + enumerator_t *enumerator; + child_sa_t *child_sa; + + /* if reauthenticating an IKEv1 SA failed (assumed for an SA + * in this state with CHILD_SAs), try again from scratch */ + DBG1(DBG_IKE, "reauthentication failed, trying to " + "reestablish IKE_SA"); + reestablish(this); + /* trigger down events for the CHILD_SAs, as no down event + * is triggered below for IKE SAs in this state */ + enumerator = array_create_enumerator(this->child_sas); + while (enumerator->enumerate(enumerator, &child_sa)) + { + if (child_sa->get_state(child_sa) != CHILD_REKEYED && + child_sa->get_state(child_sa) != CHILD_DELETED) + { + charon->bus->child_updown(charon->bus, child_sa, + FALSE); + } + } + enumerator->destroy(enumerator); + } break; } case IKE_DELETING: @@ -2552,10 +2603,15 @@ METHOD(ike_sa_t, roam, status_t, * without config assigned */ return SUCCESS; } + if (this->version == IKEV1) + { /* ignore roam events for IKEv1 where we don't have MOBIKE and would + * have to reestablish from scratch (reauth is not enough) */ + return SUCCESS; + } /* ignore roam events if MOBIKE is not supported/enabled and the local * address is statically configured */ - if (this->version == IKEV2 && !supports_extension(this, EXT_MOBIKE) && + if (!supports_extension(this, EXT_MOBIKE) && ike_cfg_has_address(this->ike_cfg, this->my_host, TRUE)) { DBG2(DBG_IKE, "keeping statically configured path %H - %H", diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h index b4fbc56d7..316b713ee 100644 --- a/src/libcharon/sa/ike_sa.h +++ b/src/libcharon/sa/ike_sa.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2017 Tobias Brunner + * Copyright (C) 2006-2018 Tobias Brunner * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -776,15 +776,18 @@ struct ike_sa_t { * * Sends a delete message to the remote peer and waits for * its response. If the response comes in, or a timeout occurs, - * the IKE SA gets deleted. + * the IKE SA gets destroyed, unless force is TRUE then the IKE_SA is + * destroyed immediately without waiting for a response. * + * @param force whether to immediately destroy the IKE_SA afterwards + * without waiting for a response * @return * - SUCCESS if deletion is initialized - * - DESTROY_ME, if the IKE_SA is not in - * an established state and can not be - * deleted (but destroyed). + * - DESTROY_ME, if destroying is forced, or the IKE_SA + * is not in an established state and can not be + * deleted (but destroyed) */ - status_t (*delete) (ike_sa_t *this); + status_t (*delete) (ike_sa_t *this, bool force); /** * Update IKE_SAs after network interfaces have changed. diff --git a/src/libcharon/sa/ike_sa_id.c b/src/libcharon/sa/ike_sa_id.c index b4e66ed73..515b3cfd3 100644 --- a/src/libcharon/sa/ike_sa_id.c +++ b/src/libcharon/sa/ike_sa_id.c @@ -2,7 +2,7 @@ * Copyright (C) 2012 Tobias Brunner * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ike_sa_id.h b/src/libcharon/sa/ike_sa_id.h index b3a9ef61f..266b62380 100644 --- a/src/libcharon/sa/ike_sa_id.h +++ b/src/libcharon/sa/ike_sa_id.h @@ -2,7 +2,7 @@ * Copyright (C) 2012 Tobias Brunner * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c index 101d98678..2a499db40 100644 --- a/src/libcharon/sa/ike_sa_manager.c +++ b/src/libcharon/sa/ike_sa_manager.c @@ -2021,7 +2021,7 @@ static status_t enforce_replace(private_ike_sa_manager_t *this, } DBG1(DBG_IKE, "deleting duplicate IKE_SA for peer '%Y' due to " "uniqueness policy", other); - return duplicate->delete(duplicate); + return duplicate->delete(duplicate, FALSE); } METHOD(ike_sa_manager_t, check_uniqueness, bool, @@ -2266,20 +2266,7 @@ METHOD(ike_sa_manager_t, flush, void, while (enumerator->enumerate(enumerator, &entry, &segment)) { charon->bus->set_sa(charon->bus, entry->ike_sa); - if (entry->ike_sa->get_version(entry->ike_sa) == IKEV2) - { /* as the delete never gets processed, fire down events */ - switch (entry->ike_sa->get_state(entry->ike_sa)) - { - case IKE_ESTABLISHED: - case IKE_REKEYING: - case IKE_DELETING: - charon->bus->ike_updown(charon->bus, entry->ike_sa, FALSE); - break; - default: - break; - } - } - entry->ike_sa->delete(entry->ike_sa); + entry->ike_sa->delete(entry->ike_sa, TRUE); } enumerator->destroy(enumerator); diff --git a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c index 41be15a08..9e5833efc 100644 --- a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c +++ b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c @@ -18,6 +18,7 @@ #include <daemon.h> #include <sa/ikev1/keymat_v1.h> #include <encoding/payloads/hash_payload.h> +#include <credentials/certificates/x509.h> typedef struct private_pubkey_v1_authenticator_t private_pubkey_v1_authenticator_t; @@ -130,6 +131,29 @@ METHOD(authenticator_t, build, status_t, return status; } +/** + * Check if the end-entity certificate, if any, is compliant with RFC 4945 + */ +static bool is_compliant_cert(auth_cfg_t *auth) +{ + certificate_t *cert; + x509_t *x509; + + cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT); + if (!cert || cert->get_type(cert) != CERT_X509) + { + return TRUE; + } + x509 = (x509_t*)cert; + if (x509->get_flags(x509) & X509_IKE_COMPLIANT) + { + return TRUE; + } + DBG1(DBG_IKE, "rejecting certificate without digitalSignature or " + "nonRepudiation keyUsage flags"); + return FALSE; +} + METHOD(authenticator_t, process, status_t, private_pubkey_v1_authenticator_t *this, message_t *message) { @@ -176,7 +200,8 @@ METHOD(authenticator_t, process, status_t, id, auth, TRUE); while (enumerator->enumerate(enumerator, &public, ¤t_auth)) { - if (public->verify(public, scheme, NULL, hash, sig)) + if (public->verify(public, scheme, NULL, hash, sig) && + is_compliant_cert(current_auth)) { DBG1(DBG_IKE, "authentication of '%Y' with %N successful", id, signature_scheme_names, scheme); diff --git a/src/libcharon/sa/ikev1/iv_manager.c b/src/libcharon/sa/ikev1/iv_manager.c index 2a6e5c04f..c48a0deb1 100644 --- a/src/libcharon/sa/ikev1/iv_manager.c +++ b/src/libcharon/sa/ikev1/iv_manager.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2011-2016 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev1/iv_manager.h b/src/libcharon/sa/ikev1/iv_manager.h index c5273fed9..cae4f3508 100644 --- a/src/libcharon/sa/ikev1/iv_manager.h +++ b/src/libcharon/sa/ikev1/iv_manager.h @@ -1,6 +1,6 @@ /* * Copyright (C) 2011-2016 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev1/keymat_v1.c b/src/libcharon/sa/ikev1/keymat_v1.c index 673a7a131..1de05b4ec 100644 --- a/src/libcharon/sa/ikev1/keymat_v1.c +++ b/src/libcharon/sa/ikev1/keymat_v1.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2011 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev1/keymat_v1.h b/src/libcharon/sa/ikev1/keymat_v1.h index ada5bdb04..269816a59 100644 --- a/src/libcharon/sa/ikev1/keymat_v1.h +++ b/src/libcharon/sa/ikev1/keymat_v1.h @@ -1,6 +1,6 @@ /* * Copyright (C) 2011 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c index 9b5f676a3..82d647a6c 100644 --- a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c +++ b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2012 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * Copyright (C) 2012 Martin Willi * Copyright (C) 2012 revosec AG diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_delete.c b/src/libcharon/sa/ikev1/tasks/isakmp_delete.c index df0293d4f..e4379cabf 100644 --- a/src/libcharon/sa/ikev1/tasks/isakmp_delete.c +++ b/src/libcharon/sa/ikev1/tasks/isakmp_delete.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2015 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * Copyright (C) 2011 Martin Willi * Copyright (C) 2011 revosec AG diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_natd.c b/src/libcharon/sa/ikev1/tasks/isakmp_natd.c index d17948cd0..81e63740e 100644 --- a/src/libcharon/sa/ikev1/tasks/isakmp_natd.c +++ b/src/libcharon/sa/ikev1/tasks/isakmp_natd.c @@ -2,7 +2,7 @@ * Copyright (C) 2006-2011 Tobias Brunner, * Copyright (C) 2006-2007 Martin Willi * Copyright (C) 2006 Daniel Roethlisberger - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_natd.h b/src/libcharon/sa/ikev1/tasks/isakmp_natd.h index 63947fc73..aec8f85bf 100644 --- a/src/libcharon/sa/ikev1/tasks/isakmp_natd.h +++ b/src/libcharon/sa/ikev1/tasks/isakmp_natd.h @@ -1,6 +1,6 @@ /* * Copyright (C) 2011 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c index dc86fc504..6a296f221 100644 --- a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c +++ b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c @@ -1,7 +1,7 @@ /* * Copyright (C) 2012-2013 Tobias Brunner * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c index 4c16adba3..1f764e547 100644 --- a/src/libcharon/sa/ikev1/tasks/main_mode.c +++ b/src/libcharon/sa/ikev1/tasks/main_mode.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2011-2012 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * Copyright (C) 2011 Martin Willi * Copyright (C) 2011 revosec AG diff --git a/src/libcharon/sa/ikev1/tasks/quick_delete.c b/src/libcharon/sa/ikev1/tasks/quick_delete.c index 66ef50811..0191a45a8 100644 --- a/src/libcharon/sa/ikev1/tasks/quick_delete.c +++ b/src/libcharon/sa/ikev1/tasks/quick_delete.c @@ -135,6 +135,7 @@ static bool delete_child(private_quick_delete_t *this, protocol_id_t protocol, my_ts->destroy(my_ts); other_ts->destroy(other_ts); + child_sa->set_state(child_sa, CHILD_DELETED); if (!rekeyed) { charon->bus->child_updown(charon->bus, child_sa, FALSE); @@ -154,7 +155,7 @@ static bool delete_child(private_quick_delete_t *this, protocol_id_t protocol, case ACTION_ROUTE: charon->traps->install(charon->traps, this->ike_sa->get_peer_cfg(this->ike_sa), - child_cfg, child_sa->get_reqid(child_sa)); + child_cfg); break; default: break; diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c index 77592e59a..5e5b61e7f 100644 --- a/src/libcharon/sa/ikev1/tasks/quick_mode.c +++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2012-2015 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * Copyright (C) 2011 Martin Willi * Copyright (C) 2011 revosec AG @@ -1005,14 +1005,25 @@ static bool has_notify_errors(private_quick_mode_t *this, message_t *message) /** * Check if this is a rekey for an existing CHILD_SA, reuse reqid if so */ -static void check_for_rekeyed_child(private_quick_mode_t *this) +static void check_for_rekeyed_child(private_quick_mode_t *this, bool responder) { enumerator_t *enumerator, *policies; - traffic_selector_t *local, *remote; + traffic_selector_t *local, *remote, *my_ts, *other_ts; child_sa_t *child_sa; proposal_t *proposal; char *name; + if (responder) + { + my_ts = this->tsr; + other_ts = this->tsi; + } + else + { + my_ts = this->tsi; + other_ts = this->tsr; + } + name = this->config->get_name(this->config); enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa); while (this->reqid == 0 && enumerator->enumerate(enumerator, &child_sa)) @@ -1026,8 +1037,8 @@ static void check_for_rekeyed_child(private_quick_mode_t *this) case CHILD_REKEYING: policies = child_sa->create_policy_enumerator(child_sa); if (policies->enumerate(policies, &local, &remote) && - local->equals(local, this->tsr) && - remote->equals(remote, this->tsi) && + local->equals(local, my_ts) && + remote->equals(remote, other_ts) && this->proposal->equals(this->proposal, proposal)) { this->reqid = child_sa->get_reqid(child_sa); @@ -1165,7 +1176,7 @@ METHOD(task_t, process_r, status_t, } } - check_for_rekeyed_child(this); + check_for_rekeyed_child(this, TRUE); this->child_sa = child_sa_create( this->ike_sa->get_my_host(this->ike_sa), @@ -1366,6 +1377,7 @@ METHOD(task_t, process_i, status_t, { return send_notify(this, INVALID_PAYLOAD_TYPE); } + check_for_rekeyed_child(this, FALSE); if (!install(this)) { return send_notify(this, NO_PROPOSAL_CHOSEN); diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.h b/src/libcharon/sa/ikev1/tasks/quick_mode.h index fe684568a..0d4c5b47c 100644 --- a/src/libcharon/sa/ikev1/tasks/quick_mode.h +++ b/src/libcharon/sa/ikev1/tasks/quick_mode.h @@ -1,6 +1,6 @@ /* * Copyright (C) 2015 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * Copyright (C) 2011 Martin Willi * Copyright (C) 2011 revosec AG diff --git a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c index 3ab59fada..bcf262725 100644 --- a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c +++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c @@ -1,7 +1,7 @@ /* * Copyright (C) 2012 Tobias Brunner * Copyright (C) 2006-2009 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.h b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.h index d81ebd562..859a21431 100644 --- a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.h +++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.h @@ -1,6 +1,6 @@ /* * Copyright (C) 2006-2009 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c b/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c index 535581068..c1decb130 100644 --- a/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c +++ b/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c @@ -1,7 +1,7 @@ /* * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/authenticators/psk_authenticator.h b/src/libcharon/sa/ikev2/authenticators/psk_authenticator.h index 91c534145..7ae86b664 100644 --- a/src/libcharon/sa/ikev2/authenticators/psk_authenticator.h +++ b/src/libcharon/sa/ikev2/authenticators/psk_authenticator.h @@ -1,6 +1,6 @@ /* * Copyright (C) 2006-2009 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c index 65baf8771..652b837fe 100644 --- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c +++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2017 Tobias Brunner + * Copyright (C) 2008-2018 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter * HSR Hochschule fuer Technik Rapperswil @@ -23,6 +23,7 @@ #include <asn1/asn1.h> #include <asn1/oid.h> #include <collections/array.h> +#include <credentials/certificates/x509.h> typedef struct private_pubkey_authenticator_t private_pubkey_authenticator_t; @@ -164,7 +165,7 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat, signature_scheme_t schemes[] = { SIGN_RSA_EMSA_PKCS1_SHA2_384, SIGN_RSA_EMSA_PKCS1_SHA2_256, - }, contained; + }; bool found; int i, j; @@ -174,8 +175,8 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat, found = FALSE; for (j = 0; j < array_count(selected); j++) { - array_get(selected, j, &contained); - if (scheme == contained) + array_get(selected, j, &config); + if (scheme == config->scheme) { found = TRUE; break; @@ -414,6 +415,29 @@ METHOD(authenticator_t, build, status_t, return status; } +/** + * Check if the end-entity certificate, if any, is compliant with RFC 4945 + */ +static bool is_compliant_cert(auth_cfg_t *auth) +{ + certificate_t *cert; + x509_t *x509; + + cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT); + if (!cert || cert->get_type(cert) != CERT_X509) + { + return TRUE; + } + x509 = (x509_t*)cert; + if (x509->get_flags(x509) & X509_IKE_COMPLIANT) + { + return TRUE; + } + DBG1(DBG_IKE, "rejecting certificate without digitalSignature or " + "nonRepudiation keyUsage flags"); + return FALSE; +} + METHOD(authenticator_t, process, status_t, private_pubkey_authenticator_t *this, message_t *message) { @@ -479,7 +503,8 @@ METHOD(authenticator_t, process, status_t, while (enumerator->enumerate(enumerator, &public, ¤t_auth)) { if (public->verify(public, params->scheme, params->params, octets, - auth_data)) + auth_data) && + is_compliant_cert(current_auth)) { if (auth_method != AUTH_DS) { diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.h b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.h index 82bfea23b..c98e97eb9 100644 --- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.h +++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.h @@ -1,7 +1,7 @@ /* * Copyright (C) 2008 Tobias Brunner * Copyright (C) 2006-2009 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/connect_manager.c b/src/libcharon/sa/ikev2/connect_manager.c index 35856788c..ba602fc4a 100644 --- a/src/libcharon/sa/ikev2/connect_manager.c +++ b/src/libcharon/sa/ikev2/connect_manager.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2007-2008 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/connect_manager.h b/src/libcharon/sa/ikev2/connect_manager.h index e667e1f70..bac261b35 100644 --- a/src/libcharon/sa/ikev2/connect_manager.h +++ b/src/libcharon/sa/ikev2/connect_manager.h @@ -1,6 +1,6 @@ /* * Copyright (C) 2007-2008 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c index 0c41c68d0..f8b23b66e 100644 --- a/src/libcharon/sa/ikev2/keymat_v2.c +++ b/src/libcharon/sa/ikev2/keymat_v2.c @@ -1,7 +1,7 @@ /* * Copyright (C) 2015 Tobias Brunner * Copyright (C) 2008 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -303,8 +303,8 @@ METHOD(keymat_v2_t, derive_ike_keys, bool, chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id, pseudo_random_function_t rekey_function, chunk_t rekey_skd) { - chunk_t skeyseed, key, secret, full_nonce, fixed_nonce, prf_plus_seed; - chunk_t spi_i, spi_r; + chunk_t skeyseed = chunk_empty, key, secret, full_nonce, fixed_nonce; + chunk_t prf_plus_seed, spi_i, spi_r; prf_plus_t *prf_plus = NULL; uint16_t alg, key_size, int_alg; prf_t *rekey_prf = NULL; diff --git a/src/libcharon/sa/ikev2/keymat_v2.h b/src/libcharon/sa/ikev2/keymat_v2.h index 084ed40f0..5dc9cda38 100644 --- a/src/libcharon/sa/ikev2/keymat_v2.h +++ b/src/libcharon/sa/ikev2/keymat_v2.h @@ -1,6 +1,6 @@ /* * Copyright (C) 2011-2015 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/mediation_manager.c b/src/libcharon/sa/ikev2/mediation_manager.c index bf5b2f4b3..ffb566591 100644 --- a/src/libcharon/sa/ikev2/mediation_manager.c +++ b/src/libcharon/sa/ikev2/mediation_manager.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2007 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/mediation_manager.h b/src/libcharon/sa/ikev2/mediation_manager.h index 5212bdb86..640b55eee 100644 --- a/src/libcharon/sa/ikev2/mediation_manager.h +++ b/src/libcharon/sa/ikev2/mediation_manager.h @@ -1,6 +1,6 @@ /* * Copyright (C) 2007 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c index 5c0ec49f0..fff567233 100644 --- a/src/libcharon/sa/ikev2/task_manager_v2.c +++ b/src/libcharon/sa/ikev2/task_manager_v2.c @@ -1794,9 +1794,25 @@ static void trigger_mbb_reauth(private_task_manager_t *this) enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa); while (enumerator->enumerate(enumerator, &child_sa)) { + child_create_t *child_create; + + switch (child_sa->get_state(child_sa)) + { + case CHILD_REKEYED: + case CHILD_DELETED: + /* ignore CHILD_SAs in these states */ + continue; + default: + break; + } cfg = child_sa->get_config(child_sa); - new->queue_task(new, &child_create_create(new, cfg->get_ref(cfg), - FALSE, NULL, NULL)->task); + child_create = child_create_create(new, cfg->get_ref(cfg), + FALSE, NULL, NULL); + child_create->use_reqid(child_create, child_sa->get_reqid(child_sa)); + child_create->use_marks(child_create, + child_sa->get_mark(child_sa, TRUE).value, + child_sa->get_mark(child_sa, FALSE).value); + new->queue_task(new, &child_create->task); children = TRUE; } enumerator->destroy(enumerator); diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c index 85dac6d59..c90af23b9 100644 --- a/src/libcharon/sa/ikev2/tasks/child_create.c +++ b/src/libcharon/sa/ikev2/tasks/child_create.c @@ -277,13 +277,11 @@ static bool ts_list_is_host(linked_list_t *list, host_t *host) } /** - * Allocate SPIs and update proposals, we also promote the selected DH group + * Allocate local SPI */ static bool allocate_spi(private_child_create_t *this) { - enumerator_t *enumerator; proposal_t *proposal; - linked_list_t *other_dh_groups; if (this->initiator) { @@ -301,41 +299,51 @@ static bool allocate_spi(private_child_create_t *this) this->proto = this->proposal->get_protocol(this->proposal); } this->my_spi = this->child_sa->alloc_spi(this->child_sa, this->proto); - if (this->my_spi) + return this->my_spi != 0; +} + +/** + * Update the proposals with the allocated SPIs as initiator and check the DH + * group and promote it if necessary + */ +static bool update_and_check_proposals(private_child_create_t *this) +{ + enumerator_t *enumerator; + proposal_t *proposal; + linked_list_t *other_dh_groups; + bool found = FALSE; + + other_dh_groups = linked_list_create(); + enumerator = this->proposals->create_enumerator(this->proposals); + while (enumerator->enumerate(enumerator, &proposal)) { - if (this->initiator) - { - other_dh_groups = linked_list_create(); - enumerator = this->proposals->create_enumerator(this->proposals); - while (enumerator->enumerate(enumerator, &proposal)) + proposal->set_spi(proposal, this->my_spi); + + /* move the selected DH group to the front, if any */ + if (this->dh_group != MODP_NONE) + { /* proposals that don't contain the selected group are + * moved to the back */ + if (!proposal->promote_dh_group(proposal, this->dh_group)) { - proposal->set_spi(proposal, this->my_spi); - - /* move the selected DH group to the front, if any */ - if (this->dh_group != MODP_NONE && - !proposal->promote_dh_group(proposal, this->dh_group)) - { /* proposals that don't contain the selected group are - * moved to the back */ - this->proposals->remove_at(this->proposals, enumerator); - other_dh_groups->insert_last(other_dh_groups, proposal); - } + this->proposals->remove_at(this->proposals, enumerator); + other_dh_groups->insert_last(other_dh_groups, proposal); } - enumerator->destroy(enumerator); - enumerator = other_dh_groups->create_enumerator(other_dh_groups); - while (enumerator->enumerate(enumerator, (void**)&proposal)) - { /* no need to remove from the list as we destroy it anyway*/ - this->proposals->insert_last(this->proposals, proposal); + else + { + found = TRUE; } - enumerator->destroy(enumerator); - other_dh_groups->destroy(other_dh_groups); - } - else - { - this->proposal->set_spi(this->proposal, this->my_spi); } - return TRUE; } - return FALSE; + enumerator->destroy(enumerator); + enumerator = other_dh_groups->create_enumerator(other_dh_groups); + while (enumerator->enumerate(enumerator, (void**)&proposal)) + { /* no need to remove from the list as we destroy it anyway*/ + this->proposals->insert_last(this->proposals, proposal); + } + enumerator->destroy(enumerator); + other_dh_groups->destroy(other_dh_groups); + + return this->dh_group == MODP_NONE || found; } /** @@ -532,10 +540,15 @@ static status_t select_and_install(private_child_create_t *this, } this->other_spi = this->proposal->get_spi(this->proposal); - if (!this->initiator && !allocate_spi(this)) - { /* responder has no SPI allocated yet */ - DBG1(DBG_IKE, "allocating SPI failed"); - return FAILED; + if (!this->initiator) + { + if (!allocate_spi(this)) + { + /* responder has no SPI allocated yet */ + DBG1(DBG_IKE, "allocating SPI failed"); + return FAILED; + } + this->proposal->set_spi(this->proposal, this->my_spi); } this->child_sa->set_proposal(this->child_sa, this->proposal); @@ -981,7 +994,12 @@ static void process_payloads(private_child_create_t *this, message_t *message) this->dh = this->keymat->keymat.create_dh( &this->keymat->keymat, this->dh_group); } - if (this->dh) + else if (this->dh) + { + this->dh_failed = this->dh->get_dh_group(this->dh) != + ke_payload->get_dh_group_number(ke_payload); + } + if (this->dh && !this->dh_failed) { this->dh_failed = !this->dh->set_other_public_value(this->dh, ke_payload->get_key_exchange_data(ke_payload)); @@ -1111,6 +1129,14 @@ METHOD(task_t, build_i, status_t, return FAILED; } + if (!update_and_check_proposals(this)) + { + DBG1(DBG_IKE, "requested DH group %N not contained in any of our " + "proposals", + diffie_hellman_group_names, this->dh_group); + return FAILED; + } + if (this->dh_group != MODP_NONE) { this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat, @@ -1544,6 +1570,15 @@ METHOD(task_t, process_i, status_t, memcpy(&group, data.ptr, data.len); group = ntohs(group); } + if (this->retry) + { + DBG1(DBG_IKE, "already retried with DH group %N, ignore" + "requested %N", diffie_hellman_group_names, + this->dh_group, diffie_hellman_group_names, group); + handle_child_sa_failure(this, message); + /* an error in CHILD_SA creation is not critical */ + return SUCCESS; + } DBG1(DBG_IKE, "peer didn't accept DH group %N, " "it requested %N", diffie_hellman_group_names, this->dh_group, diffie_hellman_group_names, group); diff --git a/src/libcharon/sa/ikev2/tasks/child_delete.c b/src/libcharon/sa/ikev2/tasks/child_delete.c index 164f8fc03..6c8b29018 100644 --- a/src/libcharon/sa/ikev2/tasks/child_delete.c +++ b/src/libcharon/sa/ikev2/tasks/child_delete.c @@ -265,6 +265,8 @@ static void process_payloads(private_child_delete_t *this, message_t *message) case CHILD_REKEYED: entry->rekeyed = TRUE; break; + case CHILD_DELETED: + /* already deleted but not yet destroyed, ignore */ case CHILD_DELETING: /* we don't send back a delete if we already initiated * a delete ourself */ @@ -324,6 +326,7 @@ static status_t destroy_and_reestablish(private_child_delete_t *this) while (enumerator->enumerate(enumerator, (void**)&entry)) { child_sa = entry->child_sa; + child_sa->set_state(child_sa, CHILD_DELETED); /* signal child down event if we weren't rekeying */ protocol = child_sa->get_protocol(child_sa); if (!entry->rekeyed) @@ -374,8 +377,8 @@ static status_t destroy_and_reestablish(private_child_delete_t *this) break; case ACTION_ROUTE: charon->traps->install(charon->traps, - this->ike_sa->get_peer_cfg(this->ike_sa), child_cfg, - reqid); + this->ike_sa->get_peer_cfg(this->ike_sa), + child_cfg); break; default: break; @@ -456,7 +459,7 @@ METHOD(task_t, build_i, status_t, this->spi = child_sa->get_spi(child_sa, TRUE); } - if (child_sa->get_state(child_sa) == CHILD_DELETING) + if (child_sa->get_state(child_sa) == CHILD_DELETED) { /* DELETEs for this CHILD_SA were already exchanged, but it was not yet * destroyed to allow delayed packets to get processed */ this->ike_sa->destroy_child_sa(this->ike_sa, this->protocol, this->spi); diff --git a/src/libcharon/sa/ikev2/tasks/child_delete.h b/src/libcharon/sa/ikev2/tasks/child_delete.h index 1e9b2d2f7..6b0006e6e 100644 --- a/src/libcharon/sa/ikev2/tasks/child_delete.h +++ b/src/libcharon/sa/ikev2/tasks/child_delete.h @@ -1,6 +1,6 @@ /* * Copyright (C) 2007 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/tasks/child_rekey.c b/src/libcharon/sa/ikev2/tasks/child_rekey.c index f90056658..d5188c0bc 100644 --- a/src/libcharon/sa/ikev2/tasks/child_rekey.c +++ b/src/libcharon/sa/ikev2/tasks/child_rekey.c @@ -145,8 +145,7 @@ static void find_child(private_child_rekey_t *this, message_t *message) child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol, spi, FALSE); if (child_sa && - child_sa->get_state(child_sa) == CHILD_DELETING && - child_sa->get_outbound_state(child_sa) == CHILD_OUTBOUND_NONE) + child_sa->get_state(child_sa) == CHILD_DELETED) { /* ignore rekeyed CHILD_SAs we keep around */ return; } @@ -213,7 +212,8 @@ METHOD(task_t, build_i, status_t, message) != NEED_MORE) { schedule_delayed_rekey(this); - return FAILED; + message->set_exchange_type(message, EXCHANGE_TYPE_UNDEFINED); + return SUCCESS; } if (message->get_exchange_type(message) == CREATE_CHILD_SA) { diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c index aeaa701c9..6b63197d5 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_auth.c +++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c @@ -2,7 +2,7 @@ * Copyright (C) 2012-2015 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.h b/src/libcharon/sa/ikev2/tasks/ike_auth.h index ca864a710..c9e42ff54 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_auth.h +++ b/src/libcharon/sa/ikev2/tasks/ike_auth.h @@ -1,6 +1,6 @@ /* * Copyright (C) 2007 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.c b/src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.c index 47b0a3ed1..495a353c5 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.c +++ b/src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2007 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.h b/src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.h index 4d5087ff5..f6862ca27 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.h +++ b/src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.h @@ -1,6 +1,6 @@ /* * Copyright (C) 2007 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_post.c b/src/libcharon/sa/ikev2/tasks/ike_cert_post.c index 5a9e08de2..68af6e35b 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_cert_post.c +++ b/src/libcharon/sa/ikev2/tasks/ike_cert_post.c @@ -1,7 +1,7 @@ /* * Copyright (C) 2008 Tobias Brunner * Copyright (C) 2006-2009 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_post.h b/src/libcharon/sa/ikev2/tasks/ike_cert_post.h index 34606b1e8..fb1614b43 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_cert_post.h +++ b/src/libcharon/sa/ikev2/tasks/ike_cert_post.h @@ -1,6 +1,6 @@ /* * Copyright (C) 2007-2008 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c index ca17494de..284e59bb1 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c +++ b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c @@ -1,7 +1,7 @@ /* * Copyright (C) 2008 Tobias Brunner * Copyright (C) 2006-2009 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.h b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.h index c1f8635ce..8542497bc 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.h +++ b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.h @@ -1,6 +1,6 @@ /* * Copyright (C) 2007-2008 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/tasks/ike_config.c b/src/libcharon/sa/ikev2/tasks/ike_config.c index 6c42b81a6..4a8acb97e 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_config.c +++ b/src/libcharon/sa/ikev2/tasks/ike_config.c @@ -1,7 +1,7 @@ /* * Copyright (C) 2007 Martin Willi * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/tasks/ike_config.h b/src/libcharon/sa/ikev2/tasks/ike_config.h index e35457645..9bf666c81 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_config.h +++ b/src/libcharon/sa/ikev2/tasks/ike_config.h @@ -1,6 +1,6 @@ /* * Copyright (C) 2007 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/tasks/ike_delete.h b/src/libcharon/sa/ikev2/tasks/ike_delete.h index 2d5d7cb3a..5d571f769 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_delete.h +++ b/src/libcharon/sa/ikev2/tasks/ike_delete.h @@ -1,6 +1,6 @@ /* * Copyright (C) 2007 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/tasks/ike_dpd.c b/src/libcharon/sa/ikev2/tasks/ike_dpd.c index 7a33f7938..d025a046d 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_dpd.c +++ b/src/libcharon/sa/ikev2/tasks/ike_dpd.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2007 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/tasks/ike_dpd.h b/src/libcharon/sa/ikev2/tasks/ike_dpd.h index 026871610..7b30bdc9c 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_dpd.h +++ b/src/libcharon/sa/ikev2/tasks/ike_dpd.h @@ -1,6 +1,6 @@ /* * Copyright (C) 2007 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.h b/src/libcharon/sa/ikev2/tasks/ike_init.h index ab169954d..d40d447c1 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_init.h +++ b/src/libcharon/sa/ikev2/tasks/ike_init.h @@ -1,6 +1,6 @@ /* * Copyright (C) 2007 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/tasks/ike_me.c b/src/libcharon/sa/ikev2/tasks/ike_me.c index f077ccfb5..8023da1fc 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_me.c +++ b/src/libcharon/sa/ikev2/tasks/ike_me.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2007-2008 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/tasks/ike_me.h b/src/libcharon/sa/ikev2/tasks/ike_me.h index 44a4ce69c..9e5405b61 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_me.h +++ b/src/libcharon/sa/ikev2/tasks/ike_me.h @@ -1,6 +1,6 @@ /* * Copyright (C) 2007 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/tasks/ike_mobike.h b/src/libcharon/sa/ikev2/tasks/ike_mobike.h index bb2318c9c..288b87178 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_mobike.h +++ b/src/libcharon/sa/ikev2/tasks/ike_mobike.h @@ -1,6 +1,6 @@ /* * Copyright (C) 2007 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -63,7 +63,7 @@ struct ike_mobike_t { void (*dpd)(ike_mobike_t *this); /** - * Transmision hook, called by task manager. + * Transmission hook, called by task manager. * * The task manager calls this hook whenever it transmits a packet. It * allows the mobike task to send the packet on multiple paths to do path diff --git a/src/libcharon/sa/ikev2/tasks/ike_natd.c b/src/libcharon/sa/ikev2/tasks/ike_natd.c index f3f32d7af..8ea903ec8 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_natd.c +++ b/src/libcharon/sa/ikev2/tasks/ike_natd.c @@ -1,7 +1,7 @@ /* * Copyright (C) 2006-2007 Martin Willi * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/tasks/ike_natd.h b/src/libcharon/sa/ikev2/tasks/ike_natd.h index 9c571b8e6..3e5af5bcf 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_natd.h +++ b/src/libcharon/sa/ikev2/tasks/ike_natd.h @@ -1,6 +1,6 @@ /* * Copyright (C) 2007 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/tasks/ike_reauth.c b/src/libcharon/sa/ikev2/tasks/ike_reauth.c index 6f90339ea..b9f6c02a8 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_reauth.c +++ b/src/libcharon/sa/ikev2/tasks/ike_reauth.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2006-2008 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/tasks/ike_reauth.h b/src/libcharon/sa/ikev2/tasks/ike_reauth.h index e2e48f0d4..3733f21c8 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_reauth.h +++ b/src/libcharon/sa/ikev2/tasks/ike_reauth.h @@ -1,6 +1,6 @@ /* * Copyright (C) 2007 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/tasks/ike_redirect.c b/src/libcharon/sa/ikev2/tasks/ike_redirect.c index f82c80f71..2c565c43a 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_redirect.c +++ b/src/libcharon/sa/ikev2/tasks/ike_redirect.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2015 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/tasks/ike_redirect.h b/src/libcharon/sa/ikev2/tasks/ike_redirect.h index afa00ce5d..5abc9acde 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_redirect.h +++ b/src/libcharon/sa/ikev2/tasks/ike_redirect.h @@ -1,6 +1,6 @@ /* * Copyright (C) 2015 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/tasks/ike_rekey.c b/src/libcharon/sa/ikev2/tasks/ike_rekey.c index 2f0552a33..11123b415 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_rekey.c +++ b/src/libcharon/sa/ikev2/tasks/ike_rekey.c @@ -363,7 +363,7 @@ METHOD(task_t, process_i, status_t, /* IKE_SAs in state IKE_REKEYED are silently deleted, so we use * IKE_REKEYING */ this->new_sa->set_state(this->new_sa, IKE_REKEYING); - if (this->new_sa->delete(this->new_sa) == DESTROY_ME) + if (this->new_sa->delete(this->new_sa, FALSE) == DESTROY_ME) { this->new_sa->destroy(this->new_sa); } diff --git a/src/libcharon/sa/ikev2/tasks/ike_vendor.c b/src/libcharon/sa/ikev2/tasks/ike_vendor.c index f72fbc437..8d8969ea0 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_vendor.c +++ b/src/libcharon/sa/ikev2/tasks/ike_vendor.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/tasks/ike_vendor.h b/src/libcharon/sa/ikev2/tasks/ike_vendor.h index 86c711636..29832cbe9 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_vendor.h +++ b/src/libcharon/sa/ikev2/tasks/ike_vendor.h @@ -1,6 +1,6 @@ /* * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/tasks/ike_verify_peer_cert.c b/src/libcharon/sa/ikev2/tasks/ike_verify_peer_cert.c index 069d51d00..941b43023 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_verify_peer_cert.c +++ b/src/libcharon/sa/ikev2/tasks/ike_verify_peer_cert.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2015 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/ikev2/tasks/ike_verify_peer_cert.h b/src/libcharon/sa/ikev2/tasks/ike_verify_peer_cert.h index 3d9aae0b3..0e48562eb 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_verify_peer_cert.h +++ b/src/libcharon/sa/ikev2/tasks/ike_verify_peer_cert.h @@ -1,6 +1,6 @@ /* * Copyright (C) 2015 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/keymat.c b/src/libcharon/sa/keymat.c index d1f6a1bdc..70521b5dc 100644 --- a/src/libcharon/sa/keymat.c +++ b/src/libcharon/sa/keymat.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2011 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -65,6 +65,7 @@ int keymat_get_keylen_encr(encryption_algorithm_t alg) keylen_entry_t map[] = { {ENCR_DES, 64}, {ENCR_3DES, 192}, + {ENCR_CHACHA20_POLY1305, 256}, }; int i; diff --git a/src/libcharon/sa/keymat.h b/src/libcharon/sa/keymat.h index 17d2efe37..3fbb75880 100644 --- a/src/libcharon/sa/keymat.h +++ b/src/libcharon/sa/keymat.h @@ -1,6 +1,6 @@ /* * Copyright (C) 2008 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/redirect_manager.c b/src/libcharon/sa/redirect_manager.c index 45b7e79df..75bba3639 100644 --- a/src/libcharon/sa/redirect_manager.c +++ b/src/libcharon/sa/redirect_manager.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2015 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/redirect_manager.h b/src/libcharon/sa/redirect_manager.h index e8753265c..2bd134c7d 100644 --- a/src/libcharon/sa/redirect_manager.h +++ b/src/libcharon/sa/redirect_manager.h @@ -1,6 +1,6 @@ /* * Copyright (C) 2015 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/redirect_provider.h b/src/libcharon/sa/redirect_provider.h index ef2288ffc..75d421227 100644 --- a/src/libcharon/sa/redirect_provider.h +++ b/src/libcharon/sa/redirect_provider.h @@ -1,6 +1,6 @@ /* * Copyright (C) 2015 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c index 3a254cea5..a83da0480 100644 --- a/src/libcharon/sa/shunt_manager.c +++ b/src/libcharon/sa/shunt_manager.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2015-2016 Tobias Brunner + * Copyright (C) 2015-2017 Tobias Brunner * Copyright (C) 2011-2016 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * @@ -198,6 +198,13 @@ METHOD(shunt_manager_t, install, bool, entry_t *entry; bool found = FALSE, success; + if (!ns) + { + DBG1(DBG_CFG, "missing namespace for shunt policy '%s'", + cfg->get_name(cfg)); + return FALSE; + } + /* check if not already installed */ this->lock->write_lock(this->lock); if (this->installing == INSTALL_DISABLED) @@ -224,7 +231,7 @@ METHOD(shunt_manager_t, install, bool, return TRUE; } INIT(entry, - .ns = strdupnull(ns), + .ns = strdup(ns), .cfg = cfg->get_ref(cfg), ); this->shunts->insert_last(this->shunts, entry); @@ -369,7 +376,7 @@ METHOD(shunt_manager_t, uninstall, bool, enumerator = this->shunts->create_enumerator(this->shunts); while (enumerator->enumerate(enumerator, &entry)) { - if (streq(ns, entry->ns) && + if ((!ns || streq(ns, entry->ns)) && streq(name, entry->cfg->get_name(entry->cfg))) { this->shunts->remove_at(this->shunts, enumerator); diff --git a/src/libcharon/sa/shunt_manager.h b/src/libcharon/sa/shunt_manager.h index f2b721032..3d9848c93 100644 --- a/src/libcharon/sa/shunt_manager.h +++ b/src/libcharon/sa/shunt_manager.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2015-2016 Tobias Brunner + * Copyright (C) 2015-2017 Tobias Brunner * Copyright (C) 2011 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * @@ -36,8 +36,7 @@ struct shunt_manager_t { /** * Install a policy as a shunt. * - * @param ns optional namespace (e.g. name of a connection or - * plugin), cloned + * @param ns namespace (e.g. name of a connection or plugin), cloned * @param child child configuration to install as a shunt * @return TRUE if installed successfully */ @@ -46,7 +45,10 @@ struct shunt_manager_t { /** * Uninstall a shunt policy. * - * @param ns namespace (same as given during installation) + * If no namespace is given the first matching child configuration is + * removed. + * + * @param ns namespace (same as given during installation) or NULL * @param name name of child configuration to uninstall as a shunt * @return TRUE if uninstalled successfully */ diff --git a/src/libcharon/sa/task.c b/src/libcharon/sa/task.c index 30de08c9b..660d0eb92 100644 --- a/src/libcharon/sa/task.c +++ b/src/libcharon/sa/task.c @@ -1,7 +1,7 @@ /* * Copyright (C) 2007 Tobias Brunner * Copyright (C) 2007 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/task.h b/src/libcharon/sa/task.h index 5f77149ba..1a0a1acfa 100644 --- a/src/libcharon/sa/task.h +++ b/src/libcharon/sa/task.h @@ -1,7 +1,7 @@ /* * Copyright (C) 2007-2015 Tobias Brunner * Copyright (C) 2006 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/task_manager.c b/src/libcharon/sa/task_manager.c index bd1191406..e1c8d23b4 100644 --- a/src/libcharon/sa/task_manager.c +++ b/src/libcharon/sa/task_manager.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2011 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c index 6436a2549..979f9290a 100644 --- a/src/libcharon/sa/trap_manager.c +++ b/src/libcharon/sa/trap_manager.c @@ -1,7 +1,7 @@ /* - * Copyright (C) 2011-2015 Tobias Brunner + * Copyright (C) 2011-2017 Tobias Brunner * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -183,9 +183,8 @@ static bool dynamic_remote_ts(child_cfg_t *child) return found; } -METHOD(trap_manager_t, install, uint32_t, - private_trap_manager_t *this, peer_cfg_t *peer, child_cfg_t *child, - uint32_t reqid) +METHOD(trap_manager_t, install, bool, + private_trap_manager_t *this, peer_cfg_t *peer, child_cfg_t *child) { entry_t *entry, *found = NULL; ike_cfg_t *ike_cfg; @@ -197,7 +196,7 @@ METHOD(trap_manager_t, install, uint32_t, linked_list_t *proposals; proposal_t *proposal; protocol_id_t proto = PROTO_ESP; - bool wildcard = FALSE; + bool result = FALSE, wildcard = FALSE; /* try to resolve addresses */ ike_cfg = peer->get_ike_cfg(peer); @@ -213,7 +212,7 @@ METHOD(trap_manager_t, install, uint32_t, { other->destroy(other); DBG1(DBG_CFG, "installing trap failed, remote address unknown"); - return 0; + return FALSE; } else { /* depending on the traffic selectors we don't really need a remote @@ -223,7 +222,7 @@ METHOD(trap_manager_t, install, uint32_t, * which is probably not what users expect*/ DBG1(DBG_CFG, "installing trap failed, remote address unknown with " "dynamic traffic selector"); - return 0; + return FALSE; } me = ike_cfg->resolve_me(ike_cfg, other ? other->get_family(other) : AF_UNSPEC); @@ -250,12 +249,14 @@ METHOD(trap_manager_t, install, uint32_t, this->lock->unlock(this->lock); other->destroy(other); me->destroy(me); - return 0; + return FALSE; } enumerator = this->traps->create_enumerator(this->traps); while (enumerator->enumerate(enumerator, &entry)) { - if (streq(entry->name, child->get_name(child))) + if (streq(entry->name, child->get_name(child)) && + streq(entry->peer_cfg->get_name(entry->peer_cfg), + peer->get_name(peer))) { found = entry; if (entry->child_sa) @@ -275,11 +276,10 @@ METHOD(trap_manager_t, install, uint32_t, this->lock->unlock(this->lock); other->destroy(other); me->destroy(me); - return 0; + return FALSE; } /* config might have changed so update everything */ DBG1(DBG_CFG, "updating already routed CHILD_SA '%s'", found->name); - reqid = found->child_sa->get_reqid(found->child_sa); } INIT(entry, @@ -293,7 +293,7 @@ METHOD(trap_manager_t, install, uint32_t, this->lock->unlock(this->lock); /* create and route CHILD_SA */ - child_sa = child_sa_create(me, other, child, reqid, FALSE, 0, 0); + child_sa = child_sa_create(me, other, child, 0, FALSE, 0, 0); list = linked_list_create_with_items(me, NULL); my_ts = child->get_traffic_selectors(child, TRUE, NULL, list); @@ -325,14 +325,13 @@ METHOD(trap_manager_t, install, uint32_t, this->lock->unlock(this->lock); entry->child_sa = child_sa; destroy_entry(entry); - reqid = 0; } else { - reqid = child_sa->get_reqid(child_sa); this->lock->write_lock(this->lock); entry->child_sa = child_sa; this->lock->unlock(this->lock); + result = TRUE; } if (found) { @@ -343,11 +342,11 @@ METHOD(trap_manager_t, install, uint32_t, this->installing--; this->condvar->signal(this->condvar); this->lock->unlock(this->lock); - return reqid; + return result; } METHOD(trap_manager_t, uninstall, bool, - private_trap_manager_t *this, uint32_t reqid) + private_trap_manager_t *this, char *peer, char *child) { enumerator_t *enumerator; entry_t *entry, *found = NULL; @@ -356,8 +355,8 @@ METHOD(trap_manager_t, uninstall, bool, enumerator = this->traps->create_enumerator(this->traps); while (enumerator->enumerate(enumerator, &entry)) { - if (entry->child_sa && - entry->child_sa->get_reqid(entry->child_sa) == reqid) + if (streq(entry->name, child) && + (!peer || streq(peer, entry->peer_cfg->get_name(entry->peer_cfg)))) { this->traps->remove_at(this->traps, enumerator); found = entry; @@ -369,7 +368,6 @@ METHOD(trap_manager_t, uninstall, bool, if (!found) { - DBG1(DBG_CFG, "trap %d not found to uninstall", reqid); return FALSE; } destroy_entry(found); @@ -413,31 +411,6 @@ METHOD(trap_manager_t, create_enumerator, enumerator_t*, (void*)this->lock->unlock); } -METHOD(trap_manager_t, find_reqid, uint32_t, - private_trap_manager_t *this, child_cfg_t *child) -{ - enumerator_t *enumerator; - entry_t *entry; - uint32_t reqid = 0; - - this->lock->read_lock(this->lock); - enumerator = this->traps->create_enumerator(this->traps); - while (enumerator->enumerate(enumerator, &entry)) - { - if (streq(entry->name, child->get_name(child))) - { - if (entry->child_sa) - { - reqid = entry->child_sa->get_reqid(entry->child_sa); - } - break; - } - } - enumerator->destroy(enumerator); - this->lock->unlock(this->lock); - return reqid; -} - METHOD(trap_manager_t, acquire, void, private_trap_manager_t *this, uint32_t reqid, traffic_selector_t *src, traffic_selector_t *dst) @@ -693,7 +666,6 @@ trap_manager_t *trap_manager_create(void) .install = _install, .uninstall = _uninstall, .create_enumerator = _create_enumerator, - .find_reqid = _find_reqid, .acquire = _acquire, .flush = _flush, .destroy = _destroy, diff --git a/src/libcharon/sa/trap_manager.h b/src/libcharon/sa/trap_manager.h index 083ea3dbf..1b67ff82f 100644 --- a/src/libcharon/sa/trap_manager.h +++ b/src/libcharon/sa/trap_manager.h @@ -1,6 +1,7 @@ /* + * Copyright (C) 2013-2017 Tobias Brunner * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -37,19 +38,21 @@ struct trap_manager_t { * * @param peer peer configuration to initiate on trap * @param child child configuration to install as a trap - * @param reqid optional reqid to use - * @return reqid of installed CHILD_SA, 0 if failed + * @return TRUE if successfully installed */ - uint32_t (*install)(trap_manager_t *this, peer_cfg_t *peer, - child_cfg_t *child, uint32_t reqid); + bool (*install)(trap_manager_t *this, peer_cfg_t *peer, child_cfg_t *child); /** * Uninstall a trap policy. * - * @param id reqid of CHILD_SA to uninstall, returned by install() + * If no peer configuration name is given the first matching child + * configuration is uninstalled. + * + * @param peer peer configuration name or NULL + * @param child child configuration name * @return TRUE if uninstalled successfully */ - bool (*uninstall)(trap_manager_t *this, uint32_t reqid); + bool (*uninstall)(trap_manager_t *this, char *peer, char *child); /** * Create an enumerator over all installed traps. @@ -59,14 +62,6 @@ struct trap_manager_t { enumerator_t* (*create_enumerator)(trap_manager_t *this); /** - * Find the reqid of a child config installed as a trap. - * - * @param child CHILD_SA config to get the reqid for - * @return reqid of trap, 0 if not found - */ - uint32_t (*find_reqid)(trap_manager_t *this, child_cfg_t *child); - - /** * Acquire an SA triggered by an installed trap. * * @param reqid requid of the triggering CHILD_SA diff --git a/src/libcharon/sa/xauth/xauth_method.c b/src/libcharon/sa/xauth/xauth_method.c index 838822d1e..8f34a275d 100644 --- a/src/libcharon/sa/xauth/xauth_method.c +++ b/src/libcharon/sa/xauth/xauth_method.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2006 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/libcharon/sa/xauth/xauth_method.h b/src/libcharon/sa/xauth/xauth_method.h index c0c2024e0..134e72b06 100644 --- a/src/libcharon/sa/xauth/xauth_method.h +++ b/src/libcharon/sa/xauth/xauth_method.h @@ -1,6 +1,6 @@ /* * Copyright (C) 2006 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the |