Diffstat (limited to 'src/libcharon/sa')
43 files changed, 329 insertions, 221 deletions
diff --git a/src/libcharon/sa/authenticator.c b/src/libcharon/sa/authenticator.c
index a32b6ab12..8571274ac 100644
--- a/src/libcharon/sa/authenticator.c
+++ b/src/libcharon/sa/authenticator.c
@@ -86,7 +86,7 @@ authenticator_t *authenticator_create_verifier(
 {
 auth_payload_t *auth_payload;

- auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
+ auth_payload = (auth_payload_t*)message->get_payload(message, PLV2_AUTH);
 if (auth_payload == NULL)
 {
 return (authenticator_t*)eap_authenticator_create_verifier(ike_sa,
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index 720a58553..a96ab4e90 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -722,8 +722,8 @@ METHOD(child_sa_t, install, status_t,
 src, dst, spi, proto_ike2ip(this->protocol), this->reqid,
 inbound ? this->mark_in : this->mark_out, tfc,
 lifetime, enc_alg, encr, int_alg, integ, this->mode,
- this->ipcomp, cpi, initiator, this->encap, esn, update,
- src_ts, dst_ts);
+ this->ipcomp, cpi, this->config->get_replay_window(this->config),
+ initiator, this->encap, esn, update, src_ts, dst_ts);

 free(lifetime);

@@ -731,6 +731,17 @@ METHOD(child_sa_t, install, status_t,
 }

 /**
+ * Check kernel interface if policy updates are required
+ */
+static bool require_policy_update()
+{
+ kernel_feature_t f;
+
+ f = hydra->kernel_interface->get_features(hydra->kernel_interface);
+ return !(f & KERNEL_NO_POLICY_UPDATES);
+}
+
+/**
 * Install 3 policies: out, in and forward
 */
 static status_t install_policies_internal(private_child_sa_t *this,
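Review bot: `static bool require_policy_update()` in the new helper declares an empty, unprototyped parameter list; write it as `static bool require_policy_update(void)` so calls are type-checked (GCC's `-Wstrict-prototypes` warns on the current form). The helper re-queries `hydra->kernel_interface->get_features()` on every call, and the new callers in add_policies and destroy (hunks on the next line) evaluate it inside the traffic-selector loop, so reading it once into a local before the loop would avoid the repeated lookup. The comment could also say what a FALSE result means for callers, e.g. `/* FALSE if the backend reports KERNEL_NO_POLICY_UPDATES; callers then skip installing and removing the drop/fallback policies */`. Assuming the feature flags are a fixed backend capability, add_policies and destroy will agree on whether fallback policies exist; if a backend could change them at runtime, destroy would leave installed fallback policies behind.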
@@ -836,13 +847,21 @@ METHOD(child_sa_t, add_policies, status_t,

 priority = this->trap ? POLICY_PRIORITY_ROUTED : POLICY_PRIORITY_DEFAULT;

+ enumerator = create_policy_enumerator(this);
+ while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
+ {
+ my_sa.policy_count++;
+ other_sa.policy_count++;
+ }
+ enumerator->destroy(enumerator);
+
 /* enumerate pairs of traffic selectors */
 enumerator = create_policy_enumerator(this);
 while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
 {
 /* install outbound drop policy to avoid packets leaving unencrypted
 * when updating policies */
- if (priority == POLICY_PRIORITY_DEFAULT)
+ if (priority == POLICY_PRIORITY_DEFAULT && require_policy_update())
 {
 status |= install_policies_internal(this, this->my_addr,
 this->other_addr, my_ts, other_ts,
@@ -916,6 +935,7 @@ METHOD(child_sa_t, update, status_t,
 this->other_addr, this->my_addr, other, me,
 this->encap, encap, this->mark_in) == NOT_SUPPORTED)
 {
+ set_state(this, old);
 return NOT_SUPPORTED;
 }
 }
@@ -929,12 +949,13 @@ METHOD(child_sa_t, update, status_t,
 this->my_addr, this->other_addr, me, other,
 this->encap, encap, this->mark_out) == NOT_SUPPORTED)
 {
+ set_state(this, old);
 return NOT_SUPPORTED;
 }
 }
 }

- if (this->config->install_policy(this->config))
+ if (this->config->install_policy(this->config) && require_policy_update())
 {
 ipsec_sa_cfg_t my_sa = {
 .mode = this->mode,
@@ -1073,7 +1094,7 @@ METHOD(child_sa_t, destroy, void,
 while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
 {
 del_policies_internal(this, my_ts, other_ts, priority);
- if (priority == POLICY_PRIORITY_DEFAULT)
+ if (priority == POLICY_PRIORITY_DEFAULT && require_policy_update())
 {
 del_policies_internal(this, my_ts, other_ts,
 POLICY_PRIORITY_FALLBACK);
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 2c15dc5eb..c338cdaef 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
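Review bot: The pre-count loop added at the top of add_policies fills `my_sa.policy_count`/`other_sa.policy_count` but nothing says what the count is for, so a reader cannot tell why the traffic selectors are now enumerated twice; a one-line comment above the loop naming the consumer (presumably a kernel backend that needs to know how many policies share the SA — confirm against the backend) would make the double pass obviously intentional. Both loops iterate the same `my_ts`/`other_ts` enumeration, so the count is taken from exactly the pairs the install loop visits afterwards. The two `set_state(this, old)` additions in update restore the state before the early `return NOT_SUPPORTED`, which the previous code did not; a short comment at the first one, `/* undo the CHILD_UPDATING transition on the unsupported path */`, would record why they are there. add_policies, update and destroy all start and end outside their hunks.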
@@ -2001,6 +2001,26 @@ METHOD(ike_sa_t, add_configuration_attribute, void,
 array_insert(this->attributes, ARRAY_TAIL, &entry);
 }

+/**
+ * Enumerator filter for attributes
+ */
+static bool filter_attribute(void *null, attribute_entry_t **in,
+ configuration_attribute_type_t *type, void *in2,
+ chunk_t *data, void *in3, bool *handled)
+{
+ *type = (*in)->type;
+ *data = (*in)->data;
+ *handled = (*in)->handler != NULL;
+ return TRUE;
+}
+
+METHOD(ike_sa_t, create_attribute_enumerator, enumerator_t*,
+ private_ike_sa_t *this)
+{
+ return enumerator_create_filter(array_create_enumerator(this->attributes),
+ (void*)filter_attribute, NULL, NULL);
+}
+
 METHOD(ike_sa_t, create_task_enumerator, enumerator_t*,
 private_ike_sa_t *this, task_queue_t queue)
 {
@@ -2019,7 +2039,24 @@ METHOD(ike_sa_t, queue_task, void,
 this->task_manager->queue_task(this->task_manager, task);
 }

-METHOD(ike_sa_t, inherit, void,
+METHOD(ike_sa_t, inherit_pre, void,
+ private_ike_sa_t *this, ike_sa_t *other_public)
+{
+ private_ike_sa_t *other = (private_ike_sa_t*)other_public;
+
+ /* apply config and hosts */
+ set_peer_cfg(this, other->peer_cfg);
+ set_my_host(this, other->my_host->clone(other->my_host));
+ set_other_host(this, other->other_host->clone(other->other_host));
+
+ /* apply extensions and conditions with a few exceptions */
+ this->extensions = other->extensions;
+ this->conditions = other->conditions;
+ this->conditions &= ~COND_STALE;
+ this->conditions &= ~COND_REAUTHENTICATING;
+}
+
+METHOD(ike_sa_t, inherit_post, void,
 private_ike_sa_t *this, ike_sa_t *other_public)
 {
 private_ike_sa_t *other = (private_ike_sa_t*)other_public;
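Review bot: `filter_attribute` hands out `(*in)->data` by value, i.e. the chunk still points at memory owned by the attribute entry (destroy() frees `entry.data.ptr` in a later hunk of this file), so a caller that keeps an enumerated chunk past the enumerator holds a dangling pointer; a comment on that assignment, `/* not cloned: data stays owned by the IKE_SA, valid only during enumeration */`, pins the contract down for consumers of the new enumerator. In `inherit_pre` the two clears can be a single masked statement, `this->conditions &= ~(COND_STALE | COND_REAUTHENTICATING);`, and the comment `with a few exceptions` would be more useful if it said why exactly those two are dropped (presumably they describe the old SA's own lifecycle rather than anything about the peer — confirm). inherit_post continues outside the hunk.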
@@ -2131,10 +2168,14 @@ METHOD(ike_sa_t, destroy, void,
 }

 /* remove attributes first, as we pass the IKE_SA to the handler */
+ charon->bus->handle_vips(charon->bus, &this->public, FALSE);
 while (array_remove(this->attributes, ARRAY_TAIL, &entry))
 {
- hydra->attributes->release(hydra->attributes, entry.handler,
- this->other_id, entry.type, entry.data);
+ if (entry.handler)
+ {
+ hydra->attributes->release(hydra->attributes, entry.handler,
+ this->other_id, entry.type, entry.data);
+ }
 free(entry.data.ptr);
 }
 /* uninstall CHILD_SAs before virtual IPs, otherwise we might kill
@@ -2288,7 +2329,8 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
 .reestablish = _reestablish,
 .set_auth_lifetime = _set_auth_lifetime,
 .roam = _roam,
- .inherit = _inherit,
+ .inherit_pre = _inherit_pre,
+ .inherit_post = _inherit_post,
 .generate_message = _generate_message,
 .reset = _reset,
 .get_unique_id = _get_unique_id,
@@ -2296,6 +2338,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
 .clear_virtual_ips = _clear_virtual_ips,
 .create_virtual_ip_enumerator = _create_virtual_ip_enumerator,
 .add_configuration_attribute = _add_configuration_attribute,
+ .create_attribute_enumerator = _create_attribute_enumerator,
 .set_kmaddress = _set_kmaddress,
 .create_task_enumerator = _create_task_enumerator,
 .flush_queue = _flush_queue,
diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h
index 00c16c05e..15fb47484 100644
--- a/src/libcharon/sa/ike_sa.h
+++ b/src/libcharon/sa/ike_sa.h
@@ -978,6 +978,9 @@ struct ike_sa_t {
 * registered at the IKE_SA. Attributes are inherit()ed and get released
 * when the IKE_SA is closed.
 *
+ * Unhandled attributes are passed as well, but with a NULL handler. They
+ * do not get released.
+ *
 * @param handler handler installed the attribute, use for release()
 * @param type configuration attribute type
 * @param data associated attribute data
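Review bot: `charon->bus->handle_vips(charon->bus, &this->public, FALSE)` is raised unconditionally in destroy, while the matching `handle_vips(..., TRUE)` added to install_vips in mode_config.c later in this diff is only reached once virtual IPs were actually installed, so listeners will see an unpaired FALSE for IKE_SAs that never got that far; if that is intended, say so at the call: `/* always signalled, listeners must tolerate a release without a prior assign */`. The new `if (entry.handler)` guard matches the header text added in this commit, but `free(entry.data.ptr)` still runs for unhandled entries, so add_configuration_attribute (outside this hunk) has to store a private copy for those too — worth verifying, since handle_attribute in mode_config.c now passes NULL-handler attributes through. destroy's body continues outside the hunk.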
@@ -987,6 +990,17 @@ struct ike_sa_t {
 configuration_attribute_type_t type, chunk_t data);

 /**
+ * Create an enumerator over received configuration attributes.
+ *
+ * The resulting enumerator is over the configuration_attribute_type_t type,
+ * a value chunk_t followed by a bool flag. The boolean flag indicates if
+ * the attribute has been handled by an attribute handler.
+ *
+ * @return enumerator over type, value and the "handled" flag.
+ */
+ enumerator_t* (*create_attribute_enumerator)(ike_sa_t *this);
+
+ /**
 * Set local and remote host addresses to be used for IKE.
 *
 * These addresses are communicated via the KMADDRESS field of a MIGRATE
@@ -1020,6 +1034,16 @@ struct ike_sa_t {
 void (*queue_task)(ike_sa_t *this, task_t *task);

 /**
+ * Inherit required attributes to new SA before rekeying.
+ *
+ * Some properties of the SA must be applied before starting IKE_SA
+ * rekeying, such as the configuration or support extensions.
+ *
+ * @param other other IKE_SA to inherit from
+ */
+ void (*inherit_pre)(ike_sa_t *this, ike_sa_t *other);
+
+ /**
 * Inherit all attributes of other to this after rekeying.
 *
 * When rekeying is completed, all CHILD_SAs, the virtual IP and all
@@ -1027,7 +1051,7 @@ struct ike_sa_t {
 *
 * @param other other IKE SA to inherit from
 */
- void (*inherit) (ike_sa_t *this, ike_sa_t *other);
+ void (*inherit_post) (ike_sa_t *this, ike_sa_t *other);

 /**
 * Reset the IKE_SA, useable when initiating fails
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index f2f81cf33..8e68e7bee 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -354,6 +354,11 @@ struct private_ike_sa_manager_t {
 shareable_segment_t *half_open_segments;

 /**
+ * Total number of half-open IKE_SAs.
+ */
+ refcount_t half_open_count;
+
+ /**
 * Hash table with connected_peers_t objects.
 */
 table_item_t **connected_peers_table;
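Review bot: The new `create_attribute_enumerator` doc describes the enumerated triple but not who owns the `chunk_t`; the implementation in ike_sa.c returns the stored entry's chunk without cloning and the IKE_SA frees it on destroy, so add a line such as ` * The value chunk is owned by the IKE_SA and is valid only while enumerating; clone it if it must outlive the enumerator.` It would also help to spell out the out-parameter order the filter uses (`configuration_attribute_type_t*`, `chunk_t*`, `bool*`), since callers of `enumerate()` must pass exactly those three pointers.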
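Review bot: In the `inherit_pre` doc, `such as the configuration or support extensions` should read `such as the configuration or supported extensions`, and `Inherit required attributes to new SA before rekeying` reads better as `Inherit the attributes a new SA requires before rekeying starts`. It should also state that `inherit_post()` still has to be called once rekeying completes, so the two halves of the former `inherit()` are clearly documented as a pair.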
@@ -764,6 +769,7 @@ static void put_half_open(private_ike_sa_manager_t *this, entry_t *entry)
 this->half_open_table[row] = item;
 }
 this->half_open_segments[segment].count++;
+ ref_get(&this->half_open_count);
 lock->unlock(lock);
 }

@@ -803,6 +809,7 @@ static void remove_half_open(private_ike_sa_manager_t *this, entry_t *entry)
 free(item);
 }
 this->half_open_segments[segment].count--;
+ ignore_result(ref_put(&this->half_open_count));
 break;
 }
 prev = item;
@@ -964,7 +971,7 @@ static bool get_init_hash(private_ike_sa_manager_t *this, message_t *message,
 { /* this might be the case when flush() has been called */
 return FALSE;
 }
- if (message->get_first_payload_type(message) == FRAGMENT_V1)
+ if (message->get_first_payload_type(message) == PLV1_FRAGMENT)
 { /* only hash the source IP, port and SPI for fragmented init messages */
 u_int16_t port;
 u_int64_t spi;
@@ -1306,7 +1313,7 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,

 ike_id = entry->ike_sa->get_id(entry->ike_sa);
 entry->checked_out = TRUE;
- if (message->get_first_payload_type(message) != FRAGMENT_V1)
+ if (message->get_first_payload_type(message) != PLV1_FRAGMENT)
 {
 entry->processing = get_message_id_or_hash(message);
 }
@@ -1962,13 +1969,7 @@ METHOD(ike_sa_manager_t, get_half_open_count, u_int,
 }
 else
 {
- for (segment = 0; segment < this->segment_count; segment++)
- {
- lock = this->half_open_segments[segment].lock;
- lock->read_lock(lock);
- count += this->half_open_segments[segment].count;
- lock->unlock(lock);
- }
+ count = (u_int)ref_cur(&this->half_open_count);
 }
 return count;
 }
diff --git a/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c b/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c
index ee15408c7..aa966cd5f 100644
--- a/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c
+++ b/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c
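Review bot: `get_half_open_count` now reads `ref_cur(&this->half_open_count)` without taking any segment lock, while put_half_open/remove_half_open (earlier hunks on this line) still adjust the per-segment `count` under the lock and the refcount as a separate step, so a concurrent reader can see a total that differs transiently from the sum of the segment counts. That is acceptable for a load indicator, but the field comment added in the struct hunk on the previous line should say so: `/* kept in step with the per-segment counts via ref_get()/ref_put(); read lock-free, may lag a concurrent insert/remove by one */`. With the loop removed, `segment` and `lock` are only still needed if the `if` branch (outside this hunk) uses them — otherwise they are now unused locals. The function's header is outside the hunk.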
@@ -85,7 +85,7 @@ METHOD(authenticator_t, build, status_t, } free(dh.ptr); - hash_payload = hash_payload_create(HASH_V1); + hash_payload = hash_payload_create(PLV1_HASH); hash_payload->set_hash(hash_payload, hash); message->add_payload(message, &hash_payload->payload_interface); free(hash.ptr); @@ -101,7 +101,7 @@ METHOD(authenticator_t, process, status_t, chunk_t hash, dh; auth_cfg_t *auth; - hash_payload = (hash_payload_t*)message->get_payload(message, HASH_V1); + hash_payload = (hash_payload_t*)message->get_payload(message, PLV1_HASH); if (!hash_payload) { DBG1(DBG_IKE, "HASH payload missing in message"); diff --git a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c index d81c77f0d..bfe5ff449 100644 --- a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c +++ b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c @@ -108,7 +108,7 @@ METHOD(authenticator_t, build, status_t, if (private->sign(private, scheme, hash, &sig)) { - sig_payload = hash_payload_create(SIGNATURE_V1); + sig_payload = hash_payload_create(PLV1_SIGNATURE); sig_payload->set_hash(sig_payload, sig); free(sig.ptr); message->add_payload(message, &sig_payload->payload_interface); @@ -144,7 +144,7 @@ METHOD(authenticator_t, process, status_t, scheme = SIGN_ECDSA_WITH_NULL; } - sig_payload = (hash_payload_t*)message->get_payload(message, SIGNATURE_V1); + sig_payload = (hash_payload_t*)message->get_payload(message, PLV1_SIGNATURE); if (!sig_payload) { DBG1(DBG_IKE, "SIG payload missing in message"); diff --git a/src/libcharon/sa/ikev1/keymat_v1.c b/src/libcharon/sa/ikev1/keymat_v1.c index bf1b0046c..619d197bd 100644 --- a/src/libcharon/sa/ikev1/keymat_v1.c +++ b/src/libcharon/sa/ikev1/keymat_v1.c 
@@ -791,7 +791,7 @@ METHOD(keymat_v1_t, get_hash, bool, static bool get_nonce(message_t *message, chunk_t *n) { nonce_payload_t *nonce; - nonce = (nonce_payload_t*)message->get_payload(message, NONCE_V1); + nonce = (nonce_payload_t*)message->get_payload(message, PLV1_NONCE); if (nonce) { *n = nonce->get_nonce(nonce); @@ -815,7 +815,7 @@ static chunk_t get_message_data(message_t *message, generator_t *generator) enumerator = message->create_payload_enumerator(message); while (enumerator->enumerate(enumerator, &payload)) { - if (payload->get_type(payload) == HASH_V1) + if (payload->get_type(payload) == PLV1_HASH) { continue; } @@ -835,7 +835,7 @@ static chunk_t get_message_data(message_t *message, generator_t *generator) generator->generate_payload(generator, payload); payload = next; } - payload->set_next_type(payload, NO_PAYLOAD); + payload->set_next_type(payload, PL_NONE); generator->generate_payload(generator, payload); } enumerator->destroy(enumerator); diff --git a/src/libcharon/sa/ikev1/phase1.c b/src/libcharon/sa/ikev1/phase1.c index 1189d3c69..114b8a3e4 100644 --- a/src/libcharon/sa/ikev1/phase1.c +++ b/src/libcharon/sa/ikev1/phase1.c @@ -648,7 +648,7 @@ METHOD(phase1_t, save_sa_payload, bool, enumerator = message->create_payload_enumerator(message); while (enumerator->enumerate(enumerator, &payload)) { - if (payload->get_type(payload) == SECURITY_ASSOCIATION_V1) + if (payload->get_type(payload) == PLV1_SECURITY_ASSOCIATION) { sa = payload; break; @@ -682,7 +682,7 @@ METHOD(phase1_t, add_nonce_ke, bool, nonce_gen_t *nonceg; chunk_t nonce; - ke_payload = ke_payload_create_from_diffie_hellman(KEY_EXCHANGE_V1, this->dh); + ke_payload = ke_payload_create_from_diffie_hellman(PLV1_KEY_EXCHANGE, this->dh); message->add_payload(message, &ke_payload->payload_interface); nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat); 
@@ -699,7 +699,7 @@ METHOD(phase1_t, add_nonce_ke, bool, } nonceg->destroy(nonceg); - nonce_payload = nonce_payload_create(NONCE_V1); + nonce_payload = nonce_payload_create(PLV1_NONCE); nonce_payload->set_nonce(nonce_payload, nonce); message->add_payload(message, &nonce_payload->payload_interface); @@ -720,7 +720,7 @@ METHOD(phase1_t, get_nonce_ke, bool, nonce_payload_t *nonce_payload; ke_payload_t *ke_payload; - ke_payload = (ke_payload_t*)message->get_payload(message, KEY_EXCHANGE_V1); + ke_payload = (ke_payload_t*)message->get_payload(message, PLV1_KEY_EXCHANGE); if (!ke_payload) { DBG1(DBG_IKE, "KE payload missing in message"); @@ -729,7 +729,7 @@ METHOD(phase1_t, get_nonce_ke, bool, this->dh_value = chunk_clone(ke_payload->get_key_exchange_data(ke_payload)); this->dh->set_other_public_value(this->dh, this->dh_value); - nonce_payload = (nonce_payload_t*)message->get_payload(message, NONCE_V1); + nonce_payload = (nonce_payload_t*)message->get_payload(message, PLV1_NONCE); if (!nonce_payload) { DBG1(DBG_IKE, "NONCE payload missing in message"); diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c index 8fc158bba..97812a5c5 100644 --- a/src/libcharon/sa/ikev1/task_manager_v1.c +++ b/src/libcharon/sa/ikev1/task_manager_v1.c @@ -956,7 +956,7 @@ static void send_notify(private_task_manager_t *this, message_t *request, response->set_request(response, TRUE); response->set_message_id(response, mid); response->add_payload(response, (payload_t*) - notify_payload_create_from_protocol_and_type(NOTIFY_V1, + notify_payload_create_from_protocol_and_type(PLV1_NOTIFY, PROTO_IKE, type)); me = this->ike_sa->get_my_host(this->ike_sa); @@ -1265,7 +1265,7 @@ static status_t handle_fragment(private_task_manager_t *this, message_t *msg) chunk_t data; u_int8_t num; - payload = (fragment_payload_t*)msg->get_payload(msg, FRAGMENT_V1); + payload = (fragment_payload_t*)msg->get_payload(msg, PLV1_FRAGMENT); if (!payload) { return FAILED; 
@@ -1412,7 +1412,7 @@ static status_t parse_message(private_task_manager_t *this, message_t *msg) } } - if (msg->get_first_payload_type(msg) == FRAGMENT_V1) + if (msg->get_first_payload_type(msg) == PLV1_FRAGMENT) { return handle_fragment(this, msg); } @@ -1514,7 +1514,7 @@ METHOD(task_manager_t, process_message, status_t, { if (this->ike_sa->get_state(this->ike_sa) != IKE_CREATED && this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING && - msg->get_first_payload_type(msg) != FRAGMENT_V1) + msg->get_first_payload_type(msg) != PLV1_FRAGMENT) { DBG1(DBG_IKE, "ignoring %N in established IKE_SA state", exchange_type_names, msg->get_exchange_type(msg)); diff --git a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c index 6cc3e04b3..7009ae95d 100644 --- a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c +++ b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c @@ -133,7 +133,7 @@ static bool has_notify_errors(private_aggressive_mode_t *this, message_t *messag enumerator = message->create_payload_enumerator(message); while (enumerator->enumerate(enumerator, &payload)) { - if (payload->get_type(payload) == NOTIFY_V1) + if (payload->get_type(payload) == PLV1_NOTIFY) { notify_payload_t *notify; notify_type_t type; @@ -167,7 +167,7 @@ static status_t send_notify(private_aggressive_mode_t *this, notify_type_t type) u_int64_t spi_i, spi_r; chunk_t spi; - notify = notify_payload_create_from_protocol_and_type(NOTIFY_V1, + notify = notify_payload_create_from_protocol_and_type(PLV1_NOTIFY, PROTO_IKE, type); ike_sa_id = this->ike_sa->get_id(this->ike_sa); spi_i = ike_sa_id->get_initiator_spi(ike_sa_id); 
@@ -276,7 +276,7 @@ METHOD(task_t, build_i, status_t, return FAILED; } this->ike_sa->set_my_id(this->ike_sa, id->clone(id)); - id_payload = id_payload_create_from_identification(ID_V1, id); + id_payload = id_payload_create_from_identification(PLV1_ID, id); this->id_data = id_payload->get_encoded(id_payload); message->add_payload(message, &id_payload->payload_interface); @@ -389,7 +389,7 @@ METHOD(task_t, process_r, status_t, message->get_source(message), TRUE); sa_payload = (sa_payload_t*)message->get_payload(message, - SECURITY_ASSOCIATION_V1); + PLV1_SECURITY_ASSOCIATION); if (!sa_payload) { DBG1(DBG_IKE, "SA payload missing"); @@ -448,7 +448,7 @@ METHOD(task_t, process_r, status_t, return send_notify(this, INVALID_PAYLOAD_TYPE); } - id_payload = (id_payload_t*)message->get_payload(message, ID_V1); + id_payload = (id_payload_t*)message->get_payload(message, PLV1_ID); if (!id_payload) { DBG1(DBG_IKE, "IDii payload missing"); @@ -588,7 +588,7 @@ METHOD(task_t, build_r, status_t, } this->ike_sa->set_my_id(this->ike_sa, id->clone(id)); - id_payload = id_payload_create_from_identification(ID_V1, id); + id_payload = id_payload_create_from_identification(PLV1_ID, id); message->add_payload(message, &id_payload->payload_interface); if (!this->ph1->build_auth(this->ph1, this->method, message, @@ -614,7 +614,7 @@ METHOD(task_t, process_i, status_t, u_int32_t lifetime; sa_payload = (sa_payload_t*)message->get_payload(message, - SECURITY_ASSOCIATION_V1); + PLV1_SECURITY_ASSOCIATION); if (!sa_payload) { DBG1(DBG_IKE, "SA payload missing"); @@ -654,7 +654,7 @@ METHOD(task_t, process_i, status_t, return send_notify(this, NO_PROPOSAL_CHOSEN); } - id_payload = (id_payload_t*)message->get_payload(message, ID_V1); + id_payload = (id_payload_t*)message->get_payload(message, PLV1_ID); if (!id_payload) { DBG1(DBG_IKE, "IDir payload missing"); diff --git a/src/libcharon/sa/ikev1/tasks/informational.c b/src/libcharon/sa/ikev1/tasks/informational.c index bda1d2afb..b742dbef9 100644 
--- a/src/libcharon/sa/ikev1/tasks/informational.c +++ b/src/libcharon/sa/ikev1/tasks/informational.c @@ -93,7 +93,7 @@ METHOD(task_t, process_r, status_t, { switch (payload->get_type(payload)) { - case NOTIFY_V1: + case PLV1_NOTIFY: notify = (notify_payload_t*)payload; type = notify->get_notify_type(notify); @@ -153,7 +153,7 @@ METHOD(task_t, process_r, status_t, notify_type_names, type); } continue; - case DELETE_V1: + case PLV1_DELETE: if (!this->del) { delete = (delete_payload_t*)payload; diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_cert_post.c b/src/libcharon/sa/ikev1/tasks/isakmp_cert_post.c index edad3b2fa..7dbbdc92f 100644 --- a/src/libcharon/sa/ikev1/tasks/isakmp_cert_post.c +++ b/src/libcharon/sa/ikev1/tasks/isakmp_cert_post.c @@ -68,7 +68,7 @@ static bool use_certs(private_isakmp_cert_post_t *this, message_t *message) enumerator = message->create_payload_enumerator(message); while (enumerator->enumerate(enumerator, &payload)) { - if (payload->get_type(payload) == SECURITY_ASSOCIATION_V1) + if (payload->get_type(payload) == PLV1_SECURITY_ASSOCIATION) { sa_payload_t *sa_payload = (sa_payload_t*)payload; @@ -132,7 +132,7 @@ static void build_certs(private_isakmp_cert_post_t *this, message_t *message) { break; } - payload = cert_payload_create_from_cert(CERTIFICATE_V1, cert); + payload = cert_payload_create_from_cert(PLV1_CERTIFICATE, cert); if (!payload) { break; @@ -146,7 +146,7 @@ static void build_certs(private_isakmp_cert_post_t *this, message_t *message) { if (type == AUTH_RULE_IM_CERT) { - payload = cert_payload_create_from_cert(CERTIFICATE_V1, cert); + payload = cert_payload_create_from_cert(PLV1_CERTIFICATE, cert); if (payload) { DBG1(DBG_IKE, "sending issuer cert \"%Y\"", diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c b/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c index 43a0aaa36..58f856e3f 100644 --- a/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c +++ b/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c 
@@ -134,7 +134,7 @@ static void process_certreqs(private_isakmp_cert_pre_t *this, message_t *message { switch (payload->get_type(payload)) { - case CERTIFICATE_REQUEST_V1: + case PLV1_CERTREQ: { certificate_t *cert; @@ -268,7 +268,7 @@ static void process_certs(private_isakmp_cert_pre_t *this, message_t *message) enumerator = message->create_payload_enumerator(message); while (enumerator->enumerate(enumerator, &payload)) { - if (payload->get_type(payload) == CERTIFICATE_V1) + if (payload->get_type(payload) == PLV1_CERTIFICATE) { cert_payload_t *cert_payload; cert_encoding_t encoding; @@ -377,7 +377,7 @@ static void build_certreqs(private_isakmp_cert_pre_t *this, message_t *message) } enumerator->destroy(enumerator); } - if (!message->get_payload(message, CERTIFICATE_REQUEST_V1)) + if (!message->get_payload(message, PLV1_CERTREQ)) { /* otherwise add all trusted CA certificates */ enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr, @@ -402,7 +402,7 @@ static bool use_certs(private_isakmp_cert_pre_t *this, message_t *message) enumerator = message->create_payload_enumerator(message); while (enumerator->enumerate(enumerator, &payload)) { - if (payload->get_type(payload) == SECURITY_ASSOCIATION_V1) + if (payload->get_type(payload) == PLV1_SECURITY_ASSOCIATION) { sa_payload_t *sa_payload = (sa_payload_t*)payload; diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_delete.c b/src/libcharon/sa/ikev1/tasks/isakmp_delete.c index a44f3c4a9..bea0428c4 100644 --- a/src/libcharon/sa/ikev1/tasks/isakmp_delete.c +++ b/src/libcharon/sa/ikev1/tasks/isakmp_delete.c @@ -50,7 +50,7 @@ METHOD(task_t, build_i, status_t, this->ike_sa->get_other_host(this->ike_sa), this->ike_sa->get_other_id(this->ike_sa)); - delete_payload = delete_payload_create(DELETE_V1, PROTO_IKE); + delete_payload = delete_payload_create(PLV1_DELETE, PROTO_IKE); id = this->ike_sa->get_id(this->ike_sa); delete_payload->set_ike_spi(delete_payload, id->get_initiator_spi(id), id->get_responder_spi(id)); 
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_dpd.c b/src/libcharon/sa/ikev1/tasks/isakmp_dpd.c index a3395a043..5522e9221 100644 --- a/src/libcharon/sa/ikev1/tasks/isakmp_dpd.c +++ b/src/libcharon/sa/ikev1/tasks/isakmp_dpd.c @@ -55,7 +55,7 @@ METHOD(task_t, build, status_t, u_int32_t seqnr; chunk_t spi; - notify = notify_payload_create_from_protocol_and_type(NOTIFY_V1, + notify = notify_payload_create_from_protocol_and_type(PLV1_NOTIFY, PROTO_IKE, this->type); seqnr = htonl(this->seqnr); ike_sa_id = this->ike_sa->get_id(this->ike_sa); diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_natd.c b/src/libcharon/sa/ikev1/tasks/isakmp_natd.c index fc6ac0771..b8af6f67b 100644 --- a/src/libcharon/sa/ikev1/tasks/isakmp_natd.c +++ b/src/libcharon/sa/ikev1/tasks/isakmp_natd.c @@ -117,9 +117,9 @@ static payload_type_t get_nat_d_payload_type(ike_sa_t *ike_sa) { if (ike_sa->supports_extension(ike_sa, EXT_NATT_DRAFT_02_03)) { - return NAT_D_DRAFT_00_03_V1; + return PLV1_NAT_D_DRAFT_00_03; } - return NAT_D_V1; + return PLV1_NAT_D; } /** @@ -269,8 +269,8 @@ static void process_payloads(private_isakmp_natd_t *this, message_t *message) enumerator = message->create_payload_enumerator(message); while (enumerator->enumerate(enumerator, &payload)) { - if (payload->get_type(payload) != NAT_D_V1 && - payload->get_type(payload) != NAT_D_DRAFT_00_03_V1) + if (payload->get_type(payload) != PLV1_NAT_D && + payload->get_type(payload) != PLV1_NAT_D_DRAFT_00_03) { continue; } @@ -334,7 +334,7 @@ METHOD(task_t, build_i, status_t, case ID_PROT: { /* add NAT-D payloads to the second request, need to process * those by the responder contained in the second response */ - if (message->get_payload(message, SECURITY_ASSOCIATION_V1)) + if (message->get_payload(message, PLV1_SECURITY_ASSOCIATION)) { /* wait for the second exchange */ return NEED_MORE; } 
@@ -362,7 +362,7 @@ METHOD(task_t, process_i, status_t, case ID_PROT: { /* process NAT-D payloads in the second response, added them in the * second request already, so we're done afterwards */ - if (message->get_payload(message, SECURITY_ASSOCIATION_V1)) + if (message->get_payload(message, PLV1_SECURITY_ASSOCIATION)) { /* wait for the second exchange */ return NEED_MORE; } @@ -407,7 +407,7 @@ METHOD(task_t, process_r, status_t, case ID_PROT: { /* process NAT-D payloads in the second request, need to add ours * to the second response */ - if (message->get_payload(message, SECURITY_ASSOCIATION_V1)) + if (message->get_payload(message, PLV1_SECURITY_ASSOCIATION)) { /* wait for the second exchange */ return NEED_MORE; } @@ -428,7 +428,7 @@ METHOD(task_t, build_r, status_t, case ID_PROT: { /* add NAT-D payloads to second response, already processed those * contained in the second request */ - if (message->get_payload(message, SECURITY_ASSOCIATION_V1)) + if (message->get_payload(message, PLV1_SECURITY_ASSOCIATION)) { /* wait for the second exchange */ return NEED_MORE; } diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c index e07ac0ab4..426c4bd69 100644 --- a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c +++ b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c @@ -209,7 +209,7 @@ static void build(private_isakmp_vendor_t *this, message_t *message) (vendor_ids[i].extension == EXT_IKE_FRAGMENTATION && fragmentation)) { DBG2(DBG_IKE, "sending %s vendor ID", vendor_ids[i].desc); - vid_payload = vendor_id_payload_create_data(VENDOR_ID_V1, + vid_payload = vendor_id_payload_create_data(PLV1_VENDOR_ID, chunk_clone(chunk_create(vendor_ids[i].id, vendor_ids[i].len))); message->add_payload(message, &vid_payload->payload_interface); } 
@@ -220,7 +220,7 @@ static void build(private_isakmp_vendor_t *this, message_t *message) this->best_natt_ext == i) { DBG2(DBG_IKE, "sending %s vendor ID", vendor_natt_ids[i].desc); - vid_payload = vendor_id_payload_create_data(VENDOR_ID_V1, + vid_payload = vendor_id_payload_create_data(PLV1_VENDOR_ID, chunk_clone(chunk_create(vendor_natt_ids[i].id, vendor_natt_ids[i].len))); message->add_payload(message, &vid_payload->payload_interface); @@ -240,7 +240,7 @@ static void process(private_isakmp_vendor_t *this, message_t *message) enumerator = message->create_payload_enumerator(message); while (enumerator->enumerate(enumerator, &payload)) { - if (payload->get_type(payload) == VENDOR_ID_V1) + if (payload->get_type(payload) == PLV1_VENDOR_ID) { vendor_id_payload_t *vid; bool found = FALSE; diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c index 81638169a..8a5d9ae16 100644 --- a/src/libcharon/sa/ikev1/tasks/main_mode.c +++ b/src/libcharon/sa/ikev1/tasks/main_mode.c @@ -130,7 +130,7 @@ static bool has_notify_errors(private_main_mode_t *this, message_t *message) enumerator = message->create_payload_enumerator(message); while (enumerator->enumerate(enumerator, &payload)) { - if (payload->get_type(payload) == NOTIFY_V1) + if (payload->get_type(payload) == PLV1_NOTIFY) { notify_payload_t *notify; notify_type_t type; @@ -176,7 +176,7 @@ static status_t send_notify(private_main_mode_t *this, notify_type_t type) u_int64_t spi_i, spi_r; chunk_t spi; - notify = notify_payload_create_from_protocol_and_type(NOTIFY_V1, + notify = notify_payload_create_from_protocol_and_type(PLV1_NOTIFY, PROTO_IKE, type); ike_sa_id = this->ike_sa->get_id(this->ike_sa); spi_i = ike_sa_id->get_initiator_spi(ike_sa_id); 
@@ -302,7 +302,7 @@ METHOD(task_t, build_i, status_t, return send_notify(this, INVALID_ID_INFORMATION); } this->ike_sa->set_my_id(this->ike_sa, id->clone(id)); - id_payload = id_payload_create_from_identification(ID_V1, id); + id_payload = id_payload_create_from_identification(PLV1_ID, id); message->add_payload(message, &id_payload->payload_interface); if (!this->ph1->build_auth(this->ph1, this->method, message, @@ -340,7 +340,7 @@ METHOD(task_t, process_r, status_t, message->get_source(message), TRUE); sa_payload = (sa_payload_t*)message->get_payload(message, - SECURITY_ASSOCIATION_V1); + PLV1_SECURITY_ASSOCIATION); if (!sa_payload) { DBG1(DBG_IKE, "SA payload missing"); @@ -401,7 +401,7 @@ METHOD(task_t, process_r, status_t, id_payload_t *id_payload; identification_t *id; - id_payload = (id_payload_t*)message->get_payload(message, ID_V1); + id_payload = (id_payload_t*)message->get_payload(message, PLV1_ID); if (!id_payload) { DBG1(DBG_IKE, "IDii payload missing"); @@ -488,7 +488,7 @@ METHOD(task_t, build_r, status_t, } this->ike_sa->set_my_id(this->ike_sa, id->clone(id)); - id_payload = id_payload_create_from_identification(ID_V1, id); + id_payload = id_payload_create_from_identification(PLV1_ID, id); message->add_payload(message, &id_payload->payload_interface); if (!this->ph1->build_auth(this->ph1, this->method, message, @@ -575,7 +575,7 @@ METHOD(task_t, process_i, status_t, bool private; sa_payload = (sa_payload_t*)message->get_payload(message, - SECURITY_ASSOCIATION_V1); + PLV1_SECURITY_ASSOCIATION); if (!sa_payload) { DBG1(DBG_IKE, "SA payload missing"); @@ -627,7 +627,7 @@ METHOD(task_t, process_i, status_t, id_payload_t *id_payload; identification_t *id, *cid; - id_payload = (id_payload_t*)message->get_payload(message, ID_V1); + id_payload = (id_payload_t*)message->get_payload(message, PLV1_ID); if (!id_payload) { DBG1(DBG_IKE, "IDir payload missing"); 
diff --git a/src/libcharon/sa/ikev1/tasks/mode_config.c b/src/libcharon/sa/ikev1/tasks/mode_config.c index 17fe02538..94026b9af 100644 --- a/src/libcharon/sa/ikev1/tasks/mode_config.c +++ b/src/libcharon/sa/ikev1/tasks/mode_config.c @@ -107,7 +107,7 @@ static configuration_attribute_t *build_vip(host_t *vip) chunk = chunk_cata("cc", chunk, prefix); } } - return configuration_attribute_create_chunk(CONFIGURATION_ATTRIBUTE_V1, + return configuration_attribute_create_chunk(PLV1_CONFIGURATION_ATTRIBUTE, type, chunk); } @@ -139,11 +139,8 @@ static void handle_attribute(private_mode_config_t *this, handler = hydra->attributes->handle(hydra->attributes, this->ike_sa->get_other_id(this->ike_sa), handler, ca->get_type(ca), ca->get_chunk(ca)); - if (handler) - { - this->ike_sa->add_configuration_attribute(this->ike_sa, - handler, ca->get_type(ca), ca->get_chunk(ca)); - } + this->ike_sa->add_configuration_attribute(this->ike_sa, + handler, ca->get_type(ca), ca->get_chunk(ca)); } /** @@ -222,7 +219,7 @@ static void process_payloads(private_mode_config_t *this, message_t *message) enumerator = message->create_payload_enumerator(message); while (enumerator->enumerate(enumerator, &payload)) { - if (payload->get_type(payload) == CONFIGURATION_V1) + if (payload->get_type(payload) == PLV1_CONFIGURATION) { cp_payload_t *cp = (cp_payload_t*)payload; configuration_attribute_t *ca; @@ -273,7 +270,7 @@ static void add_attribute(private_mode_config_t *this, cp_payload_t *cp, entry_t *entry; cp->add_attribute(cp, - configuration_attribute_create_chunk(CONFIGURATION_ATTRIBUTE_V1, + configuration_attribute_create_chunk(PLV1_CONFIGURATION_ATTRIBUTE, type, data)); INIT(entry, .type = type, @@ -296,7 +293,7 @@ static status_t build_request(private_mode_config_t *this, message_t *message) linked_list_t *vips; host_t *host; - cp = cp_payload_create_type(CONFIGURATION_V1, CFG_REQUEST); + cp = cp_payload_create_type(PLV1_CONFIGURATION, CFG_REQUEST); vips = linked_list_create(); 
@@ -360,7 +357,7 @@ static status_t build_set(private_mode_config_t *this, message_t *message)
 host_t *any4, *any6, *found;
 char *name;
- cp = cp_payload_create_type(CONFIGURATION_V1, CFG_SET);
+ cp = cp_payload_create_type(PLV1_CONFIGURATION, CFG_SET);
 id = this->ike_sa->get_other_eap_id(this->ike_sa);
 config = this->ike_sa->get_peer_cfg(this->ike_sa);
@@ -396,6 +393,8 @@ static status_t build_set(private_mode_config_t *this, message_t *message)
 any4->destroy(any4);
 any6->destroy(any6);
+ charon->bus->assign_vips(charon->bus, this->ike_sa, TRUE);
+
 /* query registered providers for additional attributes to include */
 pools = linked_list_create_from_enumerator(
 config->create_pool_enumerator(config));
@@ -442,6 +441,8 @@ static void install_vips(private_mode_config_t *this)
 }
 }
 enumerator->destroy(enumerator);
+
+ charon->bus->handle_vips(charon->bus, this->ike_sa, TRUE);
 }
 METHOD(task_t, process_r, status_t,
@@ -470,7 +471,7 @@ static status_t build_reply(private_mode_config_t *this, message_t *message)
 linked_list_t *vips, *pools;
 host_t *requested;
- cp = cp_payload_create_type(CONFIGURATION_V1, CFG_REPLY);
+ cp = cp_payload_create_type(PLV1_CONFIGURATION, CFG_REPLY);
 id = this->ike_sa->get_other_eap_id(this->ike_sa);
 config = this->ike_sa->get_peer_cfg(this->ike_sa);
@@ -505,13 +506,15 @@ static status_t build_reply(private_mode_config_t *this, message_t *message)
 }
 enumerator->destroy(enumerator);
+ charon->bus->assign_vips(charon->bus, this->ike_sa, TRUE);
+
 /* query registered providers for additional attributes to include */
 enumerator = hydra->attributes->create_responder_enumerator(
 hydra->attributes, pools, id, vips);
 while (enumerator->enumerate(enumerator, &type, &value))
 {
 cp->add_attribute(cp,
- configuration_attribute_create_chunk(CONFIGURATION_ATTRIBUTE_V1,
+ configuration_attribute_create_chunk(PLV1_CONFIGURATION_ATTRIBUTE,
 type, value));
 }
 enumerator->destroy(enumerator);
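Review bot: The new `charon->bus->assign_vips(charon->bus, this->ike_sa, TRUE)` calls in build_set and build_reply, and `handle_vips(..., TRUE)` in install_vips, pass a bare boolean whose meaning is not visible at any of the three call sites; a short comment on each, e.g. `/* TRUE: VIPs assigned (not released) */` if that is what the flag selects, would keep the listener contract readable. In build_set the event is raised unconditionally right after the any4/any6 cleanup, so if this path can run without any VIP having been assigned, listeners still see an assign event; whether that is acceptable cannot be judged from the hunk and deserves either a comment or a guard. build_set, install_vips and build_reply all start outside their hunks.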
@@ -535,7 +538,7 @@ static status_t build_ack(private_mode_config_t *this, message_t *message)
 configuration_attribute_type_t type;
 entry_t *entry;
- cp = cp_payload_create_type(CONFIGURATION_V1, CFG_ACK);
+ cp = cp_payload_create_type(PLV1_CONFIGURATION, CFG_ACK);
 /* return empty attributes for installed IPs */
@@ -552,7 +555,7 @@ static status_t build_ack(private_mode_config_t *this, message_t *message)
 type = INTERNAL_IP4_ADDRESS;
 }
 cp->add_attribute(cp, configuration_attribute_create_chunk(
- CONFIGURATION_ATTRIBUTE_V1, type, chunk_empty));
+ PLV1_CONFIGURATION_ATTRIBUTE, type, chunk_empty));
 }
 enumerator->destroy(enumerator);
@@ -560,7 +563,7 @@ static status_t build_ack(private_mode_config_t *this, message_t *message)
 while (enumerator->enumerate(enumerator, &entry))
 {
 cp->add_attribute(cp,
- configuration_attribute_create_chunk(CONFIGURATION_ATTRIBUTE_V1,
+ configuration_attribute_create_chunk(PLV1_CONFIGURATION_ATTRIBUTE,
 entry->type, chunk_empty));
 }
 enumerator->destroy(enumerator);
diff --git a/src/libcharon/sa/ikev1/tasks/quick_delete.c b/src/libcharon/sa/ikev1/tasks/quick_delete.c
index 605c10cea..499081caa 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_delete.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_delete.c
@@ -177,7 +177,7 @@ METHOD(task_t, build_i, status_t,
 DBG1(DBG_IKE, "sending DELETE for %N CHILD_SA with SPI %.8x",
 protocol_id_names, this->protocol, ntohl(this->spi));
- delete_payload = delete_payload_create(DELETE_V1, this->protocol);
+ delete_payload = delete_payload_create(PLV1_DELETE, this->protocol);
 delete_payload->add_spi(delete_payload, this->spi);
 message->add_payload(message, &delete_payload->payload_interface);
@@ -205,7 +205,7 @@ METHOD(task_t, process_r, status_t,
 payloads = message->create_payload_enumerator(message);
 while (payloads->enumerate(payloads, &payload))
 {
- if (payload->get_type(payload) == DELETE_V1)
+ if (payload->get_type(payload) == PLV1_DELETE)
 {
 delete_payload = (delete_payload_t*)payload;
 protocol = delete_payload->get_protocol_id(delete_payload);
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index 6e7da9852..e6273682d 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -427,7 +427,7 @@ static bool add_nonce(private_quick_mode_t *this, chunk_t *nonce,
 }
 nonceg->destroy(nonceg);
- nonce_payload = nonce_payload_create(NONCE_V1);
+ nonce_payload = nonce_payload_create(PLV1_NONCE);
 nonce_payload->set_nonce(nonce_payload, *nonce);
 message->add_payload(message, &nonce_payload->payload_interface);
@@ -442,7 +442,7 @@ static bool get_nonce(private_quick_mode_t *this, chunk_t *nonce,
 {
 nonce_payload_t *nonce_payload;
- nonce_payload = (nonce_payload_t*)message->get_payload(message, NONCE_V1);
+ nonce_payload = (nonce_payload_t*)message->get_payload(message, PLV1_NONCE);
 if (!nonce_payload)
 {
 DBG1(DBG_IKE, "NONCE payload missing in message");
@@ -460,7 +460,7 @@ static void add_ke(private_quick_mode_t *this, message_t *message)
 {
 ke_payload_t *ke_payload;
- ke_payload = ke_payload_create_from_diffie_hellman(KEY_EXCHANGE_V1, this->dh);
+ ke_payload = ke_payload_create_from_diffie_hellman(PLV1_KEY_EXCHANGE, this->dh);
 message->add_payload(message, &ke_payload->payload_interface);
 }
@@ -471,7 +471,7 @@ static bool get_ke(private_quick_mode_t *this, message_t *message)
 {
 ke_payload_t *ke_payload;
- ke_payload = (ke_payload_t*)message->get_payload(message, KEY_EXCHANGE_V1);
+ ke_payload = (ke_payload_t*)message->get_payload(message, PLV1_KEY_EXCHANGE);
 if (!ke_payload)
 {
 DBG1(DBG_IKE, "KE payload missing");
@@ -502,7 +502,7 @@ static traffic_selector_t* select_ts(private_quick_mode_t *this, bool local,
 else
 {
 DBG1(DBG_IKE, "%s traffic selector missing in configuration",
- local ? "local" : "local");
+ local ? "local" : "remote");
 ts = NULL;
 }
 list->destroy_offset(list, offsetof(traffic_selector_t, destroy));
@@ -537,7 +537,7 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
 enumerator = message->create_payload_enumerator(message);
 while (enumerator->enumerate(enumerator, &payload))
 {
- if (payload->get_type(payload) == ID_V1)
+ if (payload->get_type(payload) == PLV1_ID)
 {
 id_payload = (id_payload_t*)payload;
@@ -640,9 +640,9 @@ static payload_type_t get_nat_oa_payload_type(ike_sa_t *ike_sa)
 {
 if (ike_sa->supports_extension(ike_sa, EXT_NATT_DRAFT_02_03))
 {
- return NAT_OA_DRAFT_00_03_V1;
+ return PLV1_NAT_OA_DRAFT_00_03;
 }
- return NAT_OA_V1;
+ return PLV1_NAT_OA;
 }
 /**
@@ -726,7 +726,7 @@ static status_t send_notify(private_quick_mode_t *this, notify_type_t type)
 {
 notify_payload_t *notify;
- notify = notify_payload_create_from_protocol_and_type(NOTIFY_V1,
+ notify = notify_payload_create_from_protocol_and_type(PLV1_NOTIFY,
 this->proto, type);
 notify->set_spi(notify, this->spi_i);
@@ -917,7 +917,7 @@ static bool has_notify_errors(private_quick_mode_t *this, message_t *message)
 enumerator = message->create_payload_enumerator(message);
 while (enumerator->enumerate(enumerator, &payload))
 {
- if (payload->get_type(payload) == NOTIFY_V1)
+ if (payload->get_type(payload) == PLV1_NOTIFY)
 {
 notify_payload_t *notify;
 notify_type_t type;
@@ -1000,7 +1000,7 @@ METHOD(task_t, process_r, status_t,
 bool private;
 sa_payload = (sa_payload_t*)message->get_payload(message,
- SECURITY_ASSOCIATION_V1);
+ PLV1_SECURITY_ASSOCIATION);
 if (!sa_payload)
 {
 DBG1(DBG_IKE, "sa payload missing");
@@ -1215,7 +1215,7 @@ METHOD(task_t, process_i, status_t,
 bool private;
 sa_payload = (sa_payload_t*)message->get_payload(message,
- SECURITY_ASSOCIATION_V1);
+ PLV1_SECURITY_ASSOCIATION);
 if (!sa_payload)
 {
 DBG1(DBG_IKE, "sa payload missing");
diff --git a/src/libcharon/sa/ikev1/tasks/xauth.c b/src/libcharon/sa/ikev1/tasks/xauth.c
index f5555ecd2..bdc5d67f7 100644
--- a/src/libcharon/sa/ikev1/tasks/xauth.c
+++ b/src/libcharon/sa/ikev1/tasks/xauth.c
@@ -277,7 +277,7 @@ METHOD(task_t, build_i_status, status_t,
 {
 cp_payload_t *cp;
- cp = cp_payload_create_type(CONFIGURATION_V1, CFG_SET);
+ cp = cp_payload_create_type(PLV1_CONFIGURATION, CFG_SET);
 cp->add_attribute(cp, configuration_attribute_create_value(XAUTH_STATUS,
 this->status));
@@ -291,7 +291,7 @@ METHOD(task_t, process_i_status, status_t,
 {
 cp_payload_t *cp;
- cp = (cp_payload_t*)message->get_payload(message, CONFIGURATION_V1);
+ cp = (cp_payload_t*)message->get_payload(message, PLV1_CONFIGURATION);
 if (!cp || cp->get_type(cp) != CFG_ACK)
 {
 DBG1(DBG_IKE, "received invalid XAUTH status response");
@@ -354,11 +354,11 @@ METHOD(task_t, build_r_ack, status_t,
 {
 cp_payload_t *cp;
- cp = cp_payload_create_type(CONFIGURATION_V1, CFG_ACK);
+ cp = cp_payload_create_type(PLV1_CONFIGURATION, CFG_ACK);
 cp->set_identifier(cp, this->identifier);
 cp->add_attribute(cp, configuration_attribute_create_chunk(
- CONFIGURATION_ATTRIBUTE_V1, XAUTH_STATUS, chunk_empty));
+ PLV1_CONFIGURATION_ATTRIBUTE, XAUTH_STATUS, chunk_empty));
 message->add_payload(message, (payload_t *)cp);
@@ -382,7 +382,7 @@ METHOD(task_t, process_r, status_t,
 return NEED_MORE;
 }
 }
- cp = (cp_payload_t*)message->get_payload(message, CONFIGURATION_V1);
+ cp = (cp_payload_t*)message->get_payload(message, PLV1_CONFIGURATION);
 if (!cp)
 {
 DBG1(DBG_IKE, "configuration payload missing in XAuth request");
@@ -438,7 +438,7 @@ METHOD(task_t, build_r, status_t,
 {
 if (!this->cp)
 { /* send empty reply if building data failed */
- this->cp = cp_payload_create_type(CONFIGURATION_V1, CFG_REPLY);
+ this->cp = cp_payload_create_type(PLV1_CONFIGURATION, CFG_REPLY);
 }
 message->add_payload(message, (payload_t *)this->cp);
 this->cp = NULL;
@@ -451,7 +451,7 @@ METHOD(task_t, process_i, status_t,
 identification_t *id;
 cp_payload_t *cp;
- cp = (cp_payload_t*)message->get_payload(message, CONFIGURATION_V1);
+ cp = (cp_payload_t*)message->get_payload(message, PLV1_CONFIGURATION);
 if (!cp)
 {
 DBG1(DBG_IKE, "configuration payload missing in XAuth response");
@@ -463,12 +463,6 @@ METHOD(task_t, process_i, status_t,
 return NEED_MORE;
 case SUCCESS:
 id = this->xauth->get_identity(this->xauth);
- if (this->user && !id->matches(id, this->user))
- {
- DBG1(DBG_IKE, "XAuth username '%Y' does not match to "
- "configured username '%Y'", id, this->user);
- break;
- }
 DBG1(DBG_IKE, "XAuth authentication of '%Y' successful", id);
 if (add_auth_cfg(this, id, FALSE) && allowed(this))
 {
diff --git a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
index b8359cc88..eed6d1996 100644
--- a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
@@ -450,7 +450,7 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message,
 keymat_v2_t *keymat;
 auth_payload = (auth_payload_t*)message->get_payload(message,
- AUTHENTICATION);
+ PLV2_AUTH);
 if (!auth_payload)
 {
 DBG1(DBG_IKE, "AUTH payload missing");
@@ -532,7 +532,7 @@ METHOD(authenticator_t, process_server, status_t,
 else
 {
 eap_payload = (eap_payload_t*)message->get_payload(message,
- EXTENSIBLE_AUTHENTICATION);
+ PLV2_EAP);
 if (!eap_payload)
 {
 return FAILED;
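Review bot: In process_i's SUCCESS case the new code no longer compares the XAuth identity with `this->user`, so a username configured for the peer is not enforced at this point; unless that comparison now lives in `allowed()` or add_auth_cfg (both outside this hunk), a peer presenting valid credentials for a different username than the one configured would now be accepted here. If the check was deliberately relocated, a one-line comment at the SUCCESS case naming where the configured username is matched, e.g. `/* configured XAuth username is matched in allowed() */`, would make that visible; if it was not, the removed `id->matches(id, this->user)` check should be restored before the success log line. process_i continues outside the hunk.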
@@ -590,7 +590,7 @@ METHOD(authenticator_t, process_client, status_t,
 }
 eap_payload = (eap_payload_t*)message->get_payload(message,
- EXTENSIBLE_AUTHENTICATION);
+ PLV2_EAP);
 if (eap_payload)
 {
 switch (eap_payload->get_code(eap_payload))
diff --git a/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c b/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c
index 997efe359..c6a4b6ba4 100644
--- a/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c
@@ -103,7 +103,7 @@ METHOD(authenticator_t, process, status_t,
 int keys_found = 0;
 keymat_v2_t *keymat;
- auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
+ auth_payload = (auth_payload_t*)message->get_payload(message, PLV2_AUTH);
 if (!auth_payload)
 {
 return FAILED;
diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
index 5ceff40ba..6fb14bc06 100644
--- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
@@ -147,7 +147,7 @@ METHOD(authenticator_t, process, status_t,
 status_t status = NOT_FOUND;
 keymat_v2_t *keymat;
- auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
+ auth_payload = (auth_payload_t*)message->get_payload(message, PLV2_AUTH);
 if (!auth_payload)
 {
 return FAILED;
diff --git a/src/libcharon/sa/ikev2/connect_manager.c b/src/libcharon/sa/ikev2/connect_manager.c
index c4e5ea7a0..161c4fdaf 100644
--- a/src/libcharon/sa/ikev2/connect_manager.c
+++ b/src/libcharon/sa/ikev2/connect_manager.c
@@ -748,7 +748,7 @@ static status_t process_payloads(message_t *message, check_t *check)
 enumerator = message->create_payload_enumerator(message);
 while (enumerator->enumerate(enumerator, &payload))
 {
- if (payload->get_type(payload) != NOTIFY)
+ if (payload->get_type(payload) != PLV2_NOTIFY)
 {
 DBG1(DBG_IKE, "ignoring payload of type '%N' while processing "
 "connectivity check", payload_type_names,
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index a5252ab70..ada798bdc 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -792,7 +792,7 @@ static status_t process_request(private_task_manager_t *this,
 {
 switch (payload->get_type(payload))
 {
- case NOTIFY:
+ case PLV2_NOTIFY:
 { /* if we find a rekey notify, its CHILD_SA rekeying */
 notify = (notify_payload_t*)payload;
 if (notify->get_notify_type(notify) == REKEY_SA &&
@@ -803,8 +803,8 @@ static status_t process_request(private_task_manager_t *this,
 }
 break;
 }
- case TRAFFIC_SELECTOR_INITIATOR:
- case TRAFFIC_SELECTOR_RESPONDER:
+ case PLV2_TS_INITIATOR:
+ case PLV2_TS_RESPONDER:
 { /* if we don't find a TS, its IKE rekeying */
 ts_found = TRUE;
 break;
@@ -842,7 +842,7 @@ static status_t process_request(private_task_manager_t *this,
 {
 switch (payload->get_type(payload))
 {
- case NOTIFY:
+ case PLV2_NOTIFY:
 {
 notify = (notify_payload_t*)payload;
 switch (notify->get_notify_type(notify))
@@ -875,7 +875,7 @@ static status_t process_request(private_task_manager_t *this,
 }
 break;
 }
- case DELETE:
+ case PLV2_DELETE:
 {
 delete = (delete_payload_t*)payload;
 if (delete->get_protocol_id(delete) == PROTO_IKE)
@@ -187,7 +187,7 @@ static status_t get_nonce(message_t *message, chunk_t *nonce)
 {
 nonce_payload_t *payload;
- payload = (nonce_payload_t*)message->get_payload(message, NONCE);
+ payload = (nonce_payload_t*)message->get_payload(message, PLV2_NONCE);
 if (payload == NULL)
 {
 return FAILED;
@@ -731,7 +731,7 @@ static void build_payloads(private_child_create_t *this, message_t *message)
 /* add nonce payload if not in IKE_AUTH */
 if (message->get_exchange_type(message) == CREATE_CHILD_SA)
 {
- nonce_payload = nonce_payload_create(NONCE);
+ nonce_payload = nonce_payload_create(PLV2_NONCE);
 nonce_payload->set_nonce(nonce_payload, this->my_nonce);
 message->add_payload(message, (payload_t*)nonce_payload);
 }
@@ -739,7 +739,7 @@ static void build_payloads(private_child_create_t *this, message_t *message)
 /* diffie hellman exchange, if PFS enabled */
 if (this->dh)
 {
- ke_payload = ke_payload_create_from_diffie_hellman(KEY_EXCHANGE,
+ ke_payload = ke_payload_create_from_diffie_hellman(PLV2_KEY_EXCHANGE,
 this->dh);
 message->add_payload(message, (payload_t*)ke_payload);
 }
@@ -866,11 +866,11 @@ static void process_payloads(private_child_create_t *this, message_t *message)
 {
 switch (payload->get_type(payload))
 {
- case SECURITY_ASSOCIATION:
+ case PLV2_SECURITY_ASSOCIATION:
 sa_payload = (sa_payload_t*)payload;
 this->proposals = sa_payload->get_proposals(sa_payload);
 break;
- case KEY_EXCHANGE:
+ case PLV2_KEY_EXCHANGE:
 ke_payload = (ke_payload_t*)payload;
 if (!this->initiator)
 {
@@ -884,15 +884,15 @@ static void process_payloads(private_child_create_t *this, message_t *message)
 ke_payload->get_key_exchange_data(ke_payload));
 }
 break;
- case TRAFFIC_SELECTOR_INITIATOR:
+ case PLV2_TS_INITIATOR:
 ts_payload = (ts_payload_t*)payload;
 this->tsi = ts_payload->get_traffic_selectors(ts_payload);
 break;
- case TRAFFIC_SELECTOR_RESPONDER:
+ case PLV2_TS_RESPONDER:
 ts_payload = (ts_payload_t*)payload;
 this->tsr = ts_payload->get_traffic_selectors(ts_payload);
 break;
- case NOTIFY:
+ case PLV2_NOTIFY:
 handle_notify(this, (notify_payload_t*)payload);
 break;
 default:
@@ -950,7 +950,7 @@ METHOD(task_t, build_i, status_t,
 /* check if we want a virtual IP, but don't have one */
 list = linked_list_create();
 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
- if (!this->reqid)
+ if (!this->rekey)
 {
 enumerator = peer_cfg->create_virtual_ip_enumerator(peer_cfg);
 while (enumerator->enumerate(enumerator, &vip))
@@ -1192,6 +1192,12 @@ METHOD(task_t, build_r, status_t,
 message->add_notify(message, TRUE, NO_ADDITIONAL_SAS, chunk_empty);
 return SUCCESS;
 }
+ if (this->ike_sa->get_state(this->ike_sa) == IKE_DELETING)
+ {
+ DBG1(DBG_IKE, "unable to create CHILD_SA while deleting IKE_SA");
+ message->add_notify(message, TRUE, NO_ADDITIONAL_SAS, chunk_empty);
+ return SUCCESS;
+ }
 if (this->config == NULL)
 {
@@ -1211,7 +1217,7 @@ METHOD(task_t, build_r, status_t,
 enumerator = message->create_payload_enumerator(message);
 while (enumerator->enumerate(enumerator, &payload))
 {
- if (payload->get_type(payload) == NOTIFY)
+ if (payload->get_type(payload) == PLV2_NOTIFY)
 {
 notify_payload_t *notify = (notify_payload_t*)payload;
@@ -1313,7 +1319,7 @@ METHOD(task_t, build_i_delete, status_t,
 proto = this->proposal->get_protocol(this->proposal);
 spi = this->child_sa->get_spi(this->child_sa, TRUE);
- del = delete_payload_create(DELETE, proto);
+ del = delete_payload_create(PLV2_DELETE, proto);
 del->add_spi(del, spi);
 message->add_payload(message, (payload_t*)del);
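Review bot: The new IKE_DELETING branch in build_r repeats the `message->add_notify(message, TRUE, NO_ADDITIONAL_SAS, chunk_empty);` / `return SUCCESS;` exit of the branch immediately above it; folding the state test into that branch's condition, or moving the shared "refuse with NO_ADDITIONAL_SAS" exit into a small static helper, would avoid the duplicated lines. The check is also placed before the `this->config == NULL` test, presumably so a deleting IKE_SA is refused regardless of config selection; a one-line comment stating that ordering intent, e.g. `/* refuse new CHILD_SAs once the IKE_SA is being torn down, before any config lookup */`, would help the next reader. build_r begins, and the condition of the preceding branch sits, outside this hunk.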
@@ -1362,7 +1368,7 @@ METHOD(task_t, process_i, status_t,
 enumerator = message->create_payload_enumerator(message);
 while (enumerator->enumerate(enumerator, &payload))
 {
- if (payload->get_type(payload) == NOTIFY)
+ if (payload->get_type(payload) == PLV2_NOTIFY)
 {
 notify_payload_t *notify = (notify_payload_t*)payload;
 notify_type_t type = notify->get_notify_type(notify);
diff --git a/src/libcharon/sa/ikev2/tasks/child_delete.c b/src/libcharon/sa/ikev2/tasks/child_delete.c
index 88b032c8b..2b1697423 100644
--- a/src/libcharon/sa/ikev2/tasks/child_delete.c
+++ b/src/libcharon/sa/ikev2/tasks/child_delete.c
@@ -93,7 +93,7 @@ static void build_payloads(private_child_delete_t *this, message_t *message)
 case PROTO_ESP:
 if (esp == NULL)
 {
- esp = delete_payload_create(DELETE, PROTO_ESP);
+ esp = delete_payload_create(PLV2_DELETE, PROTO_ESP);
 message->add_payload(message, (payload_t*)esp);
 }
 esp->add_spi(esp, spi);
@@ -103,7 +103,7 @@ static void build_payloads(private_child_delete_t *this, message_t *message)
 case PROTO_AH:
 if (ah == NULL)
 {
- ah = delete_payload_create(DELETE, PROTO_AH);
+ ah = delete_payload_create(PLV2_DELETE, PROTO_AH);
 message->add_payload(message, (payload_t*)ah);
 }
 ah->add_spi(ah, spi);
@@ -133,7 +133,7 @@ static void process_payloads(private_child_delete_t *this, message_t *message)
 payloads = message->create_payload_enumerator(message);
 while (payloads->enumerate(payloads, &payload))
 {
- if (payload->get_type(payload) == DELETE)
+ if (payload->get_type(payload) == PLV2_DELETE)
 {
 delete_payload = (delete_payload_t*)payload;
 protocol = delete_payload->get_protocol_id(delete_payload);
diff --git a/src/libcharon/sa/ikev2/tasks/child_rekey.c b/src/libcharon/sa/ikev2/tasks/child_rekey.c
index d2003bb45..db872827d 100644
--- a/src/libcharon/sa/ikev2/tasks/child_rekey.c
+++ b/src/libcharon/sa/ikev2/tasks/child_rekey.c
@@ -171,7 +171,7 @@ METHOD(task_t, build_i, status_t,
 config = this->child_sa->get_config(this->child_sa);
 /* we just need the rekey notify ... */
- notify = notify_payload_create_from_protocol_and_type(NOTIFY,
+ notify = notify_payload_create_from_protocol_and_type(PLV2_NOTIFY,
 this->protocol, REKEY_SA);
 notify->set_spi(notify, this->spi);
 message->add_payload(message, (payload_t*)notify);
@@ -228,7 +228,7 @@ METHOD(task_t, build_r, status_t,
 this->child_create->set_config(this->child_create, config->get_ref(config));
 this->child_create->task.build(&this->child_create->task, message);
- if (message->get_payload(message, SECURITY_ASSOCIATION) == NULL)
+ if (message->get_payload(message, PLV2_SECURITY_ASSOCIATION) == NULL)
 { /* rekeying failed, reuse old child */
 this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
@@ -332,7 +332,7 @@ METHOD(task_t, process_i, status_t,
 this->child_create->task.migrate(&this->child_create->task, this->ike_sa);
 return NEED_MORE;
 }
- if (message->get_payload(message, SECURITY_ASSOCIATION) == NULL)
+ if (message->get_payload(message, PLV2_SECURITY_ASSOCIATION) == NULL)
 { /* establishing new child failed, reuse old. but not when we
 * received a delete in the meantime */
diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c
index 800dab07e..bf747a49e 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_auth.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
@@ -132,7 +132,7 @@ static status_t collect_my_init_data(private_ike_auth_t *this,
 nonce_payload_t *nonce;
 /* get the nonce that was generated in ike_init */
- nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
+ nonce = (nonce_payload_t*)message->get_payload(message, PLV2_NONCE);
 if (nonce == NULL)
 {
 return FAILED;
@@ -158,7 +158,7 @@ static status_t collect_other_init_data(private_ike_auth_t *this,
 nonce_payload_t *nonce;
 /* get the nonce that was generated in ike_init */
- nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
+ nonce = (nonce_payload_t*)message->get_payload(message, PLV2_NONCE);
 if (nonce == NULL)
 {
 return FAILED;
@@ -433,7 +433,7 @@ METHOD(task_t, build_i, status_t,
 {
 this->ike_sa->set_other_id(this->ike_sa, idr->clone(idr));
 id_payload = id_payload_create_from_identification(
- ID_RESPONDER, idr);
+ PLV2_ID_RESPONDER, idr);
 message->add_payload(message, (payload_t*)id_payload);
 }
 }
@@ -451,7 +451,7 @@ METHOD(task_t, build_i, status_t,
 cfg->add(cfg, AUTH_RULE_IDENTITY, idi);
 }
 this->ike_sa->set_my_id(this->ike_sa, idi->clone(idi));
- id_payload = id_payload_create_from_identification(ID_INITIATOR, idi);
+ id_payload = id_payload_create_from_identification(PLV2_ID_INITIATOR, idi);
 get_reserved_id_bytes(this, id_payload);
 message->add_payload(message, (payload_t*)id_payload);
@@ -498,7 +498,7 @@ METHOD(task_t, build_i, status_t,
 /* check for additional authentication rounds */
 if (do_another_auth(this))
 {
- if (message->get_payload(message, AUTHENTICATION))
+ if (message->get_payload(message, PLV2_AUTH))
 {
 message->add_notify(message, FALSE, ANOTHER_AUTH_FOLLOWS, chunk_empty);
 }
@@ -525,7 +525,7 @@ METHOD(task_t, process_r, status_t,
 if (this->my_auth == NULL && this->do_another_auth)
 {
 /* handle (optional) IDr payload, apply proposed identity */
- id_payload = (id_payload_t*)message->get_payload(message, ID_RESPONDER);
+ id_payload = (id_payload_t*)message->get_payload(message, PLV2_ID_RESPONDER);
 if (id_payload)
 {
 id = id_payload->get_identification(id_payload);
@@ -558,7 +558,7 @@ METHOD(task_t, process_r, status_t,
 if (this->other_auth == NULL)
 {
 /* handle IDi payload */
- id_payload = (id_payload_t*)message->get_payload(message, ID_INITIATOR);
+ id_payload = (id_payload_t*)message->get_payload(message, PLV2_ID_INITIATOR);
 if (!id_payload)
 {
 DBG1(DBG_IKE, "IDi payload missing");
@@ -578,7 +578,7 @@ METHOD(task_t, process_r, status_t,
 return NEED_MORE;
 }
 }
- if (message->get_payload(message, AUTHENTICATION) == NULL)
+ if (message->get_payload(message, PLV2_AUTH) == NULL)
 {
 /* before authenticating with EAP, we need a EAP config */
 cand = get_auth_cfg(this, FALSE);
 while (!cand || (
@@ -631,7 +631,7 @@ METHOD(task_t, process_r, status_t,
 this->other_auth = NULL;
 break;
 case NEED_MORE:
- if (message->get_payload(message, AUTHENTICATION))
+ if (message->get_payload(message, PLV2_AUTH))
 { /* AUTH verification successful, but another build() needed */
 break;
 }
@@ -733,7 +733,7 @@ METHOD(task_t, build_r, status_t,
 }
 }
- id_payload = id_payload_create_from_identification(ID_RESPONDER, id);
+ id_payload = id_payload_create_from_identification(PLV2_ID_RESPONDER, id);
 get_reserved_id_bytes(this, id_payload);
 message->add_payload(message, (payload_t*)id_payload);
@@ -780,7 +780,7 @@ METHOD(task_t, build_r, status_t,
 case NEED_MORE:
 break;
 default:
- if (message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
+ if (message->get_payload(message, PLV2_EAP))
 { /* skip AUTHENTICATION_FAILED if we have EAP_FAILURE */
 goto peer_auth_failed_no_notify;
 }
@@ -900,7 +900,7 @@ METHOD(task_t, process_i, status_t,
 enumerator = message->create_payload_enumerator(message);
 while (enumerator->enumerate(enumerator, &payload))
 {
- if (payload->get_type(payload) == NOTIFY)
+ if (payload->get_type(payload) == PLV2_NOTIFY)
 {
 notify_payload_t *notify = (notify_payload_t*)payload;
 notify_type_t type = notify->get_notify_type(notify);
@@ -956,7 +956,7 @@ METHOD(task_t, process_i, status_t,
 /* handle IDr payload */
 id_payload = (id_payload_t*)message->get_payload(message,
- ID_RESPONDER);
+ PLV2_ID_RESPONDER);
 if (!id_payload)
 {
 DBG1(DBG_IKE, "IDr payload missing");
@@ -968,7 +968,7 @@ METHOD(task_t, process_i, status_t,
 cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
 cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
- if (message->get_payload(message, AUTHENTICATION))
+ if (message->get_payload(message, PLV2_AUTH))
 {
 /* verify authentication data */
 this->other_auth = authenticator_create_verifier(this->ike_sa,
diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_post.c b/src/libcharon/sa/ikev2/tasks/ike_cert_post.c
index 6dbc4dec3..5a9e08de2 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_cert_post.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_cert_post.c
@@ -63,14 +63,14 @@ static cert_payload_t *build_cert_payload(private_ike_cert_post_t *this,
 if (!this->ike_sa->supports_extension(this->ike_sa, EXT_HASH_AND_URL))
 {
- return cert_payload_create_from_cert(CERTIFICATE, cert);
+ return cert_payload_create_from_cert(PLV2_CERTIFICATE, cert);
 }
 hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
 if (!hasher)
 {
 DBG1(DBG_IKE, "unable to use hash-and-url: sha1 not supported");
- return cert_payload_create_from_cert(CERTIFICATE, cert);
+ return cert_payload_create_from_cert(PLV2_CERTIFICATE, cert);
 }
 if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoded))
@@ -83,7 +83,7 @@ static cert_payload_t *build_cert_payload(private_ike_cert_post_t *this,
 {
 hasher->destroy(hasher);
 chunk_free(&encoded);
- return cert_payload_create_from_cert(CERTIFICATE, cert);
+ return cert_payload_create_from_cert(PLV2_CERTIFICATE, cert);
 }
 chunk_free(&encoded);
 hasher->destroy(hasher);
@@ -97,7 +97,7 @@ static cert_payload_t *build_cert_payload(private_ike_cert_post_t *this,
 }
 else
 {
- payload = cert_payload_create_from_cert(CERTIFICATE, cert);
+ payload = cert_payload_create_from_cert(PLV2_CERTIFICATE, cert);
 }
 enumerator->destroy(enumerator);
 chunk_free(&hash);
@@ -145,7 +145,7 @@ static void add_im_certs(private_ike_cert_post_t *this, auth_cfg_t *auth,
 {
 if (type == AUTH_RULE_IM_CERT)
 {
- payload = cert_payload_create_from_cert(CERTIFICATE, cert);
+ payload = cert_payload_create_from_cert(PLV2_CERTIFICATE, cert);
 if (payload)
 {
 DBG1(DBG_IKE, "sending issuer cert \"%Y\"",
@@ -187,7 +187,7 @@ static void add_attribute_certs(private_ike_cert_post_t *this,
 if (id && id->equals(id, subject->get_issuer(subject)) && cert->get_validity(cert, NULL, NULL, NULL))
 {
- payload = cert_payload_create_from_cert(CERTIFICATE, cert);
+ payload = cert_payload_create_from_cert(PLV2_CERTIFICATE, cert);
 if (payload)
 {
 DBG1(DBG_IKE, "sending attribute certificate "
@@ -210,7 +210,7 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message)
 auth_payload_t *payload;
 auth_cfg_t *auth;
- payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
+ payload = (auth_payload_t*)message->get_payload(message, PLV2_AUTH);
 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
 if (!peer_cfg || !payload || payload->get_auth_method(payload) == AUTH_PSK)
 { /* no CERT payload for EAP/PSK */
diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
index 558b1e914..0dac975e7 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
@@ -138,10 +138,10 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
 {
 switch (payload->get_type(payload))
 {
- case CERTIFICATE_REQUEST:
+ case PLV2_CERTREQ:
 process_certreq(this, (certreq_payload_t*)payload, auth);
 break;
- case NOTIFY:
+ case PLV2_NOTIFY:
 process_notify(this, (notify_payload_t*)payload);
 break;
 default:
@@ -298,7 +298,7 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message)
 enumerator = message->create_payload_enumerator(message);
 while (enumerator->enumerate(enumerator, &payload))
 {
- if (payload->get_type(payload) == CERTIFICATE)
+ if (payload->get_type(payload) == PLV2_CERTIFICATE)
 {
 cert_payload_t *cert_payload;
 cert_encoding_t encoding;
@@ -469,7 +469,7 @@ static void build_certreqs(private_ike_cert_pre_t *this, message_t *message)
 static bool final_auth(message_t *message)
 {
 /* we check for an AUTH payload without a ANOTHER_AUTH_FOLLOWS notify */
- if (message->get_payload(message, AUTHENTICATION) == NULL)
+ if (message->get_payload(message, PLV2_AUTH) == NULL)
 {
 return FALSE;
 }
diff --git a/src/libcharon/sa/ikev2/tasks/ike_config.c b/src/libcharon/sa/ikev2/tasks/ike_config.c
index 17132feee..da06e2a36 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_config.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_config.c
@@ -98,7 +98,7 @@ static configuration_attribute_t *build_vip(host_t *vip)
 chunk = chunk_cata("cc", chunk, prefix);
 }
 }
- return configuration_attribute_create_chunk(CONFIGURATION_ATTRIBUTE,
+ return configuration_attribute_create_chunk(PLV2_CONFIGURATION_ATTRIBUTE,
 type, chunk);
 }
@@ -130,11 +130,8 @@ static void handle_attribute(private_ike_config_t *this,
 handler = hydra->attributes->handle(hydra->attributes, this->ike_sa->get_other_id(this->ike_sa), handler, ca->get_type(ca), ca->get_chunk(ca));
- if (handler)
- {
- this->ike_sa->add_configuration_attribute(this->ike_sa,
- handler, ca->get_type(ca), ca->get_chunk(ca));
- }
+ this->ike_sa->add_configuration_attribute(this->ike_sa,
+ handler, ca->get_type(ca), ca->get_chunk(ca));
 }
 /**
@@ -200,7 +197,7 @@ static void process_payloads(private_ike_config_t *this, message_t *message)
 enumerator = message->create_payload_enumerator(message);
 while (enumerator->enumerate(enumerator, &payload))
 {
- if (payload->get_type(payload) == CONFIGURATION)
+ if (payload->get_type(payload) == PLV2_CONFIGURATION)
 {
 cp_payload_t *cp = (cp_payload_t*)payload;
 configuration_attribute_t *ca;
@@ -268,7 +265,7 @@ METHOD(task_t, build_i, status_t,
 if (vips->get_count(vips))
 {
- cp = cp_payload_create_type(CONFIGURATION, CFG_REQUEST);
+ cp = cp_payload_create_type(PLV2_CONFIGURATION, CFG_REQUEST);
 enumerator = vips->create_enumerator(vips);
 while (enumerator->enumerate(enumerator, &host))
 {
@@ -288,11 +285,11 @@ METHOD(task_t, build_i, status_t,
 /* create configuration attribute */
 DBG2(DBG_IKE, "building %N attribute", configuration_attribute_type_names, type);
- ca = configuration_attribute_create_chunk(CONFIGURATION_ATTRIBUTE,
+ ca = configuration_attribute_create_chunk(PLV2_CONFIGURATION_ATTRIBUTE,
 type, data);
 if (!cp)
 {
- cp = cp_payload_create_type(CONFIGURATION, CFG_REQUEST);
+ cp = cp_payload_create_type(PLV2_CONFIGURATION, CFG_REQUEST);
 }
 cp->add_attribute(cp, ca);
@@ -363,7 +360,7 @@ METHOD(task_t, build_r, status_t,
 this->ike_sa->add_virtual_ip(this->ike_sa, FALSE, found);
 if (!cp)
 {
- cp = cp_payload_create_type(CONFIGURATION, CFG_REPLY);
+ cp = cp_payload_create_type(PLV2_CONFIGURATION, CFG_REPLY);
 }
 cp->add_attribute(cp, build_vip(found));
 vips->insert_last(vips, found);
@@ -407,12 +404,12 @@ METHOD(task_t, build_r, status_t,
 {
 if (!cp)
 {
- cp = cp_payload_create_type(CONFIGURATION, CFG_REPLY);
+ cp = cp_payload_create_type(PLV2_CONFIGURATION, CFG_REPLY);
 }
 DBG2(DBG_IKE, "building %N attribute", configuration_attribute_type_names, type);
 cp->add_attribute(cp,
- configuration_attribute_create_chunk(CONFIGURATION_ATTRIBUTE,
+ configuration_attribute_create_chunk(PLV2_CONFIGURATION_ATTRIBUTE,
 type, value));
 }
 enumerator->destroy(enumerator);
@@ -449,6 +446,8 @@ METHOD(task_t, process_i, status_t,
 }
 }
 enumerator->destroy(enumerator);
+
+ charon->bus->handle_vips(charon->bus, this->ike_sa, TRUE);
 return SUCCESS;
 }
 return NEED_MORE;
diff --git a/src/libcharon/sa/ikev2/tasks/ike_delete.c b/src/libcharon/sa/ikev2/tasks/ike_delete.c
index 9bc62bf2a..e972dba07 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_delete.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_delete.c
@@ -65,7 +65,7 @@ METHOD(task_t, build_i, status_t,
 this->ike_sa->get_other_host(this->ike_sa), this->ike_sa->get_other_id(this->ike_sa));
- delete_payload = delete_payload_create(DELETE, PROTO_IKE);
+ delete_payload = delete_payload_create(PLV2_DELETE, PROTO_IKE);
 message->add_payload(message, (payload_t*)delete_payload);
 if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING)
diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index 278bdc3f2..e3c18ea0f 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
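Review bot: The new `handle_vips` call passes a bare `TRUE` whose meaning is not evident at the call site; a short comment such as `/* virtual IPs from the CP reply are assigned, notify listeners */` would document what the flag selects. The call also sits only on the branch that returns SUCCESS, whose enclosing condition starts before this hunk, so whether listeners are notified when the reply carried no CONFIGURATION payload at all, and whether the matching release notification exists elsewhere, cannot be confirmed from here and is worth a check. process_i starts outside the hunk.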
@@ -147,9 +147,9 @@ static void build_payloads(private_ike_init_t *this, message_t *message)
 }
 message->add_payload(message, (payload_t*)sa_payload);
- nonce_payload = nonce_payload_create(NONCE);
+ nonce_payload = nonce_payload_create(PLV2_NONCE);
 nonce_payload->set_nonce(nonce_payload, this->my_nonce);
- ke_payload = ke_payload_create_from_diffie_hellman(KEY_EXCHANGE, this->dh);
+ ke_payload = ke_payload_create_from_diffie_hellman(PLV2_KEY_EXCHANGE, this->dh);
 if (this->old_sa)
 {
 /* payload order differs if we are rekeying */
@@ -176,7 +176,7 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
 {
 switch (payload->get_type(payload))
 {
- case SECURITY_ASSOCIATION:
+ case PLV2_SECURITY_ASSOCIATION:
 {
 sa_payload_t *sa_payload = (sa_payload_t*)payload;
 linked_list_t *proposal_list;
@@ -196,7 +196,7 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
 offsetof(proposal_t, destroy));
 break;
 }
- case KEY_EXCHANGE:
+ case PLV2_KEY_EXCHANGE:
 {
 ke_payload_t *ke_payload = (ke_payload_t*)payload;
@@ -213,7 +213,7 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
 }
 break;
 }
- case NONCE:
+ case PLV2_NONCE:
 {
 nonce_payload_t *nonce_payload = (nonce_payload_t*)payload;
@@ -449,7 +449,7 @@ METHOD(task_t, process_i, status_t,
 enumerator = message->create_payload_enumerator(message);
 while (enumerator->enumerate(enumerator, &payload))
 {
- if (payload->get_type(payload) == NOTIFY)
+ if (payload->get_type(payload) == PLV2_NOTIFY)
 {
 notify_payload_t *notify = (notify_payload_t*)payload;
 notify_type_t type = notify->get_notify_type(notify);
diff --git a/src/libcharon/sa/ikev2/tasks/ike_me.c b/src/libcharon/sa/ikev2/tasks/ike_me.c
index 135c06d19..a7e7505a1 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_me.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_me.c
@@ -171,7 +171,7 @@ static void process_payloads(private_ike_me_t *this, message_t *message)
 enumerator = message->create_payload_enumerator(message);
 while (enumerator->enumerate(enumerator, &payload))
 {
- if (payload->get_type(payload) != NOTIFY)
+ if (payload->get_type(payload) != PLV2_NOTIFY)
 {
 continue;
 }
@@ -277,7 +277,7 @@ METHOD(task_t, build_i, status_t,
 {
 rng_t *rng;
 id_payload_t *id_payload;
- id_payload = id_payload_create_from_identification(ID_PEER,
+ id_payload = id_payload_create_from_identification(PLV2_ID_PEER,
 this->peer_id);
 message->add_payload(message, (payload_t*)id_payload);
@@ -339,7 +339,7 @@ METHOD(task_t, process_r, status_t,
 case ME_CONNECT:
 {
 id_payload_t *id_payload;
- id_payload = (id_payload_t*)message->get_payload(message, ID_PEER);
+ id_payload = (id_payload_t*)message->get_payload(message, PLV2_ID_PEER);
 if (!id_payload)
 {
 DBG1(DBG_IKE, "received ME_CONNECT without ID_PEER payload"
@@ -534,7 +534,7 @@ METHOD(task_t, build_i_ms, status_t,
 case ME_CONNECT:
 {
 id_payload_t *id_payload;
- id_payload = id_payload_create_from_identification(ID_PEER,
+ id_payload = id_payload_create_from_identification(PLV2_ID_PEER,
 this->peer_id);
 message->add_payload(message, (payload_t*)id_payload);
@@ -594,7 +594,7 @@ METHOD(task_t, process_r_ms, status_t,
 case ME_CONNECT:
 {
 id_payload_t *id_payload;
- id_payload = (id_payload_t*)message->get_payload(message, ID_PEER);
+ id_payload = (id_payload_t*)message->get_payload(message, PLV2_ID_PEER);
 if (!id_payload)
 {
 DBG1(DBG_IKE, "received ME_CONNECT without ID_PEER payload"
diff --git a/src/libcharon/sa/ikev2/tasks/ike_mobike.c b/src/libcharon/sa/ikev2/tasks/ike_mobike.c
index ae3526f42..00ca615d8 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_mobike.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_mobike.c
@@ -96,7 +96,7 @@ static void process_payloads(private_ike_mobike_t *this, message_t *message)
 chunk_t data;
 host_t *host;
- if (payload->get_type(payload) != NOTIFY)
+ if (payload->get_type(payload) != PLV2_NOTIFY)
 {
 continue;
 }
diff --git a/src/libcharon/sa/ikev2/tasks/ike_natd.c b/src/libcharon/sa/ikev2/tasks/ike_natd.c
index 4fc968f25..9e0eb68ce 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_natd.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_natd.c
@@ -172,7 +172,7 @@ static notify_payload_t *build_natd_payload(private_ike_natd_t *this,
 {
 return NULL;
 }
- notify = notify_payload_create(NOTIFY);
+ notify = notify_payload_create(PLV2_NOTIFY);
 notify->set_notify_type(notify, type);
 notify->set_notification_data(notify, hash);
 chunk_free(&hash);
@@ -206,7 +206,7 @@ static void process_payloads(private_ike_natd_t *this, message_t *message)
 enumerator = message->create_payload_enumerator(message);
 while (enumerator->enumerate(enumerator, &payload))
 {
- if (payload->get_type(payload) != NOTIFY)
+ if (payload->get_type(payload) != PLV2_NOTIFY)
 {
 continue;
 }
@@ -381,7 +381,7 @@ METHOD(task_t, build_r, status_t,
 /* only add notifies on successful responses. */
 if (message->get_exchange_type(message) == IKE_SA_INIT &&
- message->get_payload(message, SECURITY_ASSOCIATION) == NULL)
+ message->get_payload(message, PLV2_SECURITY_ASSOCIATION) == NULL)
 {
 return SUCCESS;
 }
diff --git a/src/libcharon/sa/ikev2/tasks/ike_rekey.c b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
index c3c6cf00e..444ac6ade 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_rekey.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
@@ -83,7 +83,7 @@ static void establish_new(private_ike_rekey_t *this)
 this->ike_sa->get_other_host(this->ike_sa), this->ike_sa->get_other_id(this->ike_sa));
- this->new_sa->inherit(this->new_sa, this->ike_sa);
+ this->new_sa->inherit_post(this->new_sa, this->ike_sa);
 charon->bus->ike_rekey(charon->bus, this->ike_sa, this->new_sa);
 charon->ike_sa_manager->checkin(charon->ike_sa_manager, this->new_sa);
 this->new_sa = NULL;
@@ -124,8 +124,6 @@ METHOD(task_t, build_i, status_t,
 private_ike_rekey_t *this, message_t *message)
 {
 ike_version_t version;
- peer_cfg_t *peer_cfg;
- host_t *other_host;
 /* create new SA only on first try */
 if (this->new_sa == NULL)
@@ -137,10 +135,7 @@ METHOD(task_t, build_i, status_t,
 { /* shouldn't happen */
 return FAILED;
 }
- peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
- other_host = this->ike_sa->get_other_host(this->ike_sa);
- this->new_sa->set_peer_cfg(this->new_sa, peer_cfg);
- this->new_sa->set_other_host(this->new_sa, other_host->clone(other_host));
+ this->new_sa->inherit_pre(this->new_sa, this->ike_sa);
 this->ike_init = ike_init_create(this->new_sa, TRUE, this->ike_sa);
 this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
 }
@@ -153,7 +148,6 @@ METHOD(task_t, process_r, status_t,
 private_ike_rekey_t *this, message_t *message)
 {
 enumerator_t *enumerator;
- peer_cfg_t *peer_cfg;
 child_sa_t *child_sa;
 if (this->ike_sa->get_state(this->ike_sa) == IKE_DELETING)
@@ -186,9 +180,7 @@ METHOD(task_t, process_r, status_t,
 { /* shouldn't happen */
 return FAILED;
 }
-
- peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
- this->new_sa->set_peer_cfg(this->new_sa, peer_cfg);
+ this->new_sa->inherit_pre(this->new_sa, this->ike_sa);
 this->ike_init = ike_init_create(this->new_sa, FALSE, this->ike_sa);
 this->ike_init->task.process(&this->ike_init->task, message);
diff --git a/src/libcharon/sa/ikev2/tasks/ike_vendor.c b/src/libcharon/sa/ikev2/tasks/ike_vendor.c
index 16ac16673..d536af218 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_vendor.c
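Review bot: `inherit_pre` now replaces two different sequences: the initiator (hunk @@ -137) previously copied peer_cfg and a clone of other_host, while the responder (hunk @@ -186) copied only peer_cfg, so after this change the responder's new SA presumably also receives the peer address. If `inherit_pre` sets the other host unconditionally, confirm it does not overwrite addresses already assigned to the freshly checked-out SA on the responder side; its body, like that of `inherit_post` in hunk @@ -83, is not in this diff. A comment at the two call sites, e.g. `/* copy what the new SA needs before IKE_SA_INIT; the rest follows in inherit_post */`, would make the pre/post split visible to readers of ike_rekey.c alone.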
+++ b/src/libcharon/sa/ikev2/tasks/ike_vendor.c
@@ -92,7 +92,7 @@ METHOD(task_t, build, status_t,
 if (vids[i].extension == EXT_STRONGSWAN && strongswan)
 {
 DBG2(DBG_IKE, "sending %s vendor ID", vids[i].desc);
- vid = vendor_id_payload_create_data(VENDOR_ID,
+ vid = vendor_id_payload_create_data(PLV2_VENDOR_ID,
 chunk_clone(get_vid_data(&vids[i])));
 message->add_payload(message, &vid->payload_interface);
 }
@@ -111,7 +111,7 @@ METHOD(task_t, process, status_t,
 enumerator = message->create_payload_enumerator(message);
 while (enumerator->enumerate(enumerator, &payload))
 {
- if (payload->get_type(payload) == VENDOR_ID)
+ if (payload->get_type(payload) == PLV2_VENDOR_ID)
 {
 vendor_id_payload_t *vid;
 chunk_t data;
diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c
index 94be7d433..73e1abbf3 100644
--- a/src/libcharon/sa/shunt_manager.c
+++ b/src/libcharon/sa/shunt_manager.c
@@ -49,11 +49,24 @@ static bool install_shunt_policy(child_cfg_t *child)
 traffic_selector_t *my_ts, *other_ts;
 host_t *host_any;
 policy_type_t policy_type;
+ policy_priority_t policy_prio;
 status_t status = SUCCESS;
 ipsec_sa_cfg_t sa = { .mode = MODE_TRANSPORT };
- policy_type = (child->get_mode(child) == MODE_PASS) ?
- POLICY_PASS : POLICY_DROP;
+ switch (child->get_mode(child))
+ {
+ case MODE_PASS:
+ policy_type = POLICY_PASS;
+ policy_prio = POLICY_PRIORITY_PASS;
+ break;
+ case MODE_DROP:
+ policy_type = POLICY_DROP;
+ policy_prio = POLICY_PRIORITY_FALLBACK;
+ break;
+ default:
+ return FALSE;
+ }
+
 my_ts_list = child->get_traffic_selectors(child, TRUE, NULL, NULL);
 other_ts_list = child->get_traffic_selectors(child, FALSE, NULL, NULL);
 host_any = host_create_any(AF_INET);
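Review bot: The drop shunt moves from POLICY_PRIORITY_DEFAULT to POLICY_PRIORITY_FALLBACK while the pass shunt moves to POLICY_PRIORITY_PASS, which changes precedence against regular IPsec policies for overlapping selectors: pass shunts presumably now win over them and drop shunts only catch traffic that no CHILD_SA policy covers. That is plausibly the intent, but it changes what traffic a MODE_DROP shunt blocks and deserves a comment at the switch, e.g. `/* pass shunts take precedence over IPsec policies, drop shunts act as fallback */`. The same mode-to-priority switch is repeated in uninstall_shunt_policy (hunk @@ -137 below), and the `default: return FALSE;` here rejects other modes without any log line, so an operator would only see the shunt silently missing. A small shared helper with a diagnostic would keep install and uninstall from diverging; install_shunt_policy continues past this hunk.

```c
/**
 * Map the mode of a shunt child_cfg to kernel policy type and priority,
 * returns FALSE for modes that are not shunts
 */
static bool shunt_policy_for_mode(child_cfg_t *child, policy_type_t *type,
								  policy_priority_t *prio)
{
	switch (child->get_mode(child))
	{
		case MODE_PASS:
			*type = POLICY_PASS;
			*prio = POLICY_PRIORITY_PASS;
			return TRUE;
		case MODE_DROP:
			*type = POLICY_DROP;
			*prio = POLICY_PRIORITY_FALLBACK;
			return TRUE;
		default:
			return FALSE;
	}
}

/* … in install_shunt_policy, in place of the switch … */
	if (!shunt_policy_for_mode(child, &policy_type, &policy_prio))
	{
		DBG1(DBG_CFG, "unsupported mode for shunt policy '%s'",
			 child->get_name(child));
		return FALSE;
	}
	/* … unchanged: traffic selector enumeration and add_policy calls … */
```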
@@ -70,21 +83,21 @@ static bool install_shunt_policy(child_cfg_t *child)
 hydra->kernel_interface, host_any, host_any, my_ts, other_ts, POLICY_OUT, policy_type, &sa, child->get_mark(child, FALSE),
- POLICY_PRIORITY_DEFAULT);
+ policy_prio);
 /* install in policy */
 status |= hydra->kernel_interface->add_policy( hydra->kernel_interface, host_any, host_any, other_ts, my_ts, POLICY_IN, policy_type, &sa, child->get_mark(child, TRUE),
- POLICY_PRIORITY_DEFAULT);
+ policy_prio);
 /* install forward policy */
 status |= hydra->kernel_interface->add_policy( hydra->kernel_interface, host_any, host_any, other_ts, my_ts, POLICY_FWD, policy_type, &sa, child->get_mark(child, TRUE),
- POLICY_PRIORITY_DEFAULT);
+ policy_prio);
 }
 e_other_ts->destroy(e_other_ts);
 }
@@ -137,8 +150,21 @@ static void uninstall_shunt_policy(child_cfg_t *child)
 enumerator_t *e_my_ts, *e_other_ts;
 linked_list_t *my_ts_list, *other_ts_list;
 traffic_selector_t *my_ts, *other_ts;
+ policy_priority_t policy_prio;
 status_t status = SUCCESS;
+ switch (child->get_mode(child))
+ {
+ case MODE_PASS:
+ policy_prio = POLICY_PRIORITY_PASS;
+ break;
+ case MODE_DROP:
+ policy_prio = POLICY_PRIORITY_FALLBACK;
+ break;
+ default:
+ return;
+ }
+
 my_ts_list = child->get_traffic_selectors(child, TRUE, NULL, NULL);
 other_ts_list = child->get_traffic_selectors(child, FALSE, NULL, NULL);
@@ -153,19 +179,19 @@ static void uninstall_shunt_policy(child_cfg_t *child)
 status |= hydra->kernel_interface->del_policy( hydra->kernel_interface, my_ts, other_ts, POLICY_OUT, 0, child->get_mark(child, FALSE),
- POLICY_PRIORITY_DEFAULT);
+ policy_prio);
 /* uninstall in policy */
 status |= hydra->kernel_interface->del_policy( hydra->kernel_interface, other_ts, my_ts, POLICY_IN, 0, child->get_mark(child, TRUE),
- POLICY_PRIORITY_DEFAULT);
+ policy_prio);
 /* uninstall forward policy */
 status |= hydra->kernel_interface->del_policy( hydra->kernel_interface, other_ts, my_ts, POLICY_FWD, 0, child->get_mark(child, TRUE),
- POLICY_PRIORITY_DEFAULT);
+ policy_prio);
 }
 e_other_ts->destroy(e_other_ts);
 }
@@ -249,4 +275,3 @@ shunt_manager_t *shunt_manager_create()
 return &this->public;
 }
- |