diff options
Diffstat (limited to 'src/pluto/ipsec_doi.c')
| -rw-r--r-- | src/pluto/ipsec_doi.c | 78 |
1 files changed, 50 insertions, 28 deletions
diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c index 34c42e294..4a6a7c872 100644 --- a/src/pluto/ipsec_doi.c +++ b/src/pluto/ipsec_doi.c @@ -260,7 +260,7 @@ static linked_list_t* collect_rw_ca_candidates(struct msg_digest *md) { new_entry = FALSE; break; - } + } } enumerator->destroy(enumerator); @@ -702,7 +702,7 @@ void accept_delete(struct state *st, struct msg_digest *md, struct payload_digest *p) { struct isakmp_delete *d = &(p->payload.delete); - identification_t *this_id, *that_id; + identification_t *this_id = NULL, *that_id = NULL; ip_address peer_addr; size_t sizespi; int i; @@ -1568,7 +1568,7 @@ static bool take_a_crack(struct tac_state *s, pubkey_t *kr) s->tried_cnt++; scheme = oakley_to_signature_scheme(s->st->st_oakley.auth); - pub_key->get_fingerprint(pub_key, KEY_ID_PUBKEY_INFO_SHA1, &keyid); + pub_key->get_fingerprint(pub_key, KEYID_PUBKEY_INFO_SHA1, &keyid); if (pub_key->verify(pub_key, scheme, s->hash, s->sig)) { @@ -1944,27 +1944,34 @@ stf_status quick_outI1(int whack_sock, struct state *isakmp_sa, bool has_client = c->spd.this.has_client || c->spd.that.has_client || c->spd.this.protocol || c->spd.that.protocol || c->spd.this.port || c->spd.that.port; - bool send_natoa = FALSE; u_int8_t np = ISAKMP_NEXT_NONE; + connection_t *ph1_c = isakmp_sa->st_connection; if (c->spd.this.modecfg && !c->spd.this.has_client && - isanyaddr(&c->spd.this.host_srcip)) + c->spd.this.host_srcip->is_anyaddr(c->spd.this.host_srcip)) { - connection_t *ph1_c = isakmp_sa->st_connection; + host_t * ph1_srcip = ph1_c->spd.this.host_srcip; - if (ph1_c->spd.this.modecfg && !isanyaddr(&ph1_c->spd.this.host_srcip)) + if (ph1_c->spd.this.modecfg && !ph1_srcip->is_anyaddr(ph1_srcip)) { - char srcip[ADDRTOT_BUF]; - - c->spd.this.host_srcip = ph1_c->spd.this.host_srcip; + c->spd.this.host_srcip->destroy(c->spd.this.host_srcip); + c->spd.this.host_srcip = ph1_srcip->clone(ph1_srcip); c->spd.this.client = ph1_c->spd.this.client; c->spd.this.has_client = TRUE; - addrtot(&c->spd.this.host_srcip, 0, srcip, sizeof(srcip)); - plog("inheriting virtual IP source address %s from ModeCfg", srcip); + plog("inheriting virtual IP source address %H from ModeCfg", ph1_srcip); } } + if (ph1_c->policy & (POLICY_XAUTH_RSASIG | POLICY_XAUTH_PSK) && + ph1_c->xauth_identity && !c->xauth_identity) + { + DBG(DBG_CONTROL, + DBG_log("inheriting XAUTH identity %Y", ph1_c->xauth_identity) + ) + c->xauth_identity = ph1_c->xauth_identity->clone(ph1_c->xauth_identity); + } + st->st_whack_sock = whack_sock; st->st_connection = c; set_cur_state(st); /* we must reset before exit */ @@ -3535,7 +3542,7 @@ stf_status main_inR2_outI3(struct msg_digest *md) struct state *const st = md->st; pb_stream *const keyex_pbs = &md->chain[ISAKMP_NEXT_KE]->pbs; pb_stream id_pbs; /* ID Payload; also used for hash calculation */ - + connection_t *c = st->st_connection; certpolicy_t cert_policy = c->spd.this.sendcert; cert_t *mycert = c->spd.this.cert; @@ -3638,7 +3645,7 @@ stf_status main_inR2_outI3(struct msg_digest *md) } if (send_cert) { - bool success; + bool success = FALSE; chunk_t cert_encoding; pb_stream cert_pbs; @@ -3650,9 +3657,12 @@ stf_status main_inR2_outI3(struct msg_digest *md) { return STF_INTERNAL_ERROR; } - cert_encoding = mycert->cert->get_encoding(mycert->cert); - success = out_chunk(cert_encoding, &cert_pbs, "CERT"); - free(cert_encoding.ptr); + if (mycert->cert->get_encoding(mycert->cert, CERT_ASN1_DER, + &cert_encoding)) + { + success = out_chunk(cert_encoding, &cert_pbs, "CERT"); + free(cert_encoding.ptr); + } if (!success) { return STF_INTERNAL_ERROR; @@ -4079,7 +4089,7 @@ main_inI3_outR3_tail(struct msg_digest *md } if (send_cert) { - bool success; + bool success = FALSE; chunk_t cert_encoding; pb_stream cert_pbs; struct isakmp_cert cert_hd; @@ -4091,9 +4101,12 @@ main_inI3_outR3_tail(struct msg_digest *md { return STF_INTERNAL_ERROR; } - cert_encoding = mycert->cert->get_encoding(mycert->cert); - success = out_chunk(cert_encoding, &cert_pbs, "CERT"); - free(cert_encoding.ptr); + if (mycert->cert->get_encoding(mycert->cert, CERT_ASN1_DER, + &cert_encoding)) + { + success = out_chunk(cert_encoding, &cert_pbs, "CERT"); + free(cert_encoding.ptr); + } if (!success) { return STF_INTERNAL_ERROR; @@ -4888,23 +4901,32 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b, /* Plain Road Warrior: * instantiate, carrying over authenticated peer ID */ + host_t *vip = c->spd.that.host_srcip; + p = rw_instantiate(p, &c->spd.that.host_addr, md->sender_port , his_net, c->spd.that.id); - /* inherit any virtual IP assigned by a Mode Config exchange */ + /* inherit any virtual IP assigned by a Mode Config exchange */ if (p->spd.that.modecfg && c->spd.that.modecfg && - subnetisaddr(his_net, &c->spd.that.host_srcip)) + subnetisaddr(his_net, (ip_address*)vip->get_sockaddr(vip))) { - char srcip[ADDRTOT_BUF]; - DBG(DBG_CONTROL, - addrtot(&c->spd.that.host_srcip, 0, srcip, sizeof(srcip)); - DBG_log("inheriting virtual IP source address %s from ModeCfg", srcip) + DBG_log("inheriting virtual IP source address %H from ModeCfg", vip) ) - p->spd.that.host_srcip = c->spd.that.host_srcip; + p->spd.that.host_srcip->destroy(p->spd.that.host_srcip); + p->spd.that.host_srcip = vip->clone(vip); p->spd.that.client = c->spd.that.client; p->spd.that.has_client = TRUE; } + + if (c->policy & (POLICY_XAUTH_RSASIG | POLICY_XAUTH_PSK) && + c->xauth_identity && !p->xauth_identity) + { + DBG(DBG_CONTROL, + DBG_log("inheriting XAUTH identity %Y", c->xauth_identity) + ) + p->xauth_identity = c->xauth_identity->clone(c->xauth_identity); + } } } #ifdef DEBUG |