diff --git a/0001-charon-add-optional-source-and-remote-overrides-for-.patch b/0001-charon-add-optional-source-and-remote-overrides-for-.patch
index 22031db..96777d5 100644
--- a/0001-charon-add-optional-source-and-remote-overrides-for-.patch
+++ b/0001-charon-add-optional-source-and-remote-overrides-for-.patch
@@ -1,115 +1,37 @@ -From 921093c4c0d4be10a74f148536029fb46fd31966 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Timo=20Ter=C3=A4s?= -Date: Mon, 21 Sep 2015 13:41:58 +0300 +From 1baf500104e963e0d0d410c95e7dcec899173b77 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= +Date: Tue, 9 Jul 2024 19:07:57 +0200 Subject: [PATCH 1/4] charon: add optional source and remote overrides for initiate -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit This introduces support for specifying optional IKE SA specific source and remote address for child sa initiation. This allows to initiate wildcard connection for known address via vici. -In addition this allows impler implementation of trap-any patches +In addition this allows simpler implementation of trap-any patches and is a prerequisite for dmvpn support. - -Signed-off-by: Timo Teräs --- - src/charon-cmd/cmd/cmd_connection.c | 2 +- - src/charon-nm/nm/nm_service.c | 2 +- - src/conftest/actions.c | 2 +- - src/libcharon/control/controller.c | 43 +++++++++++++- - src/libcharon/control/controller.h | 3 + - .../plugins/load_tester/load_tester_control.c | 1 + - .../plugins/load_tester/load_tester_plugin.c | 1 + - src/libcharon/plugins/medcli/medcli_config.c | 2 +- - src/libcharon/plugins/smp/smp.c | 3 +- - src/libcharon/plugins/stroke/stroke_control.c | 5 +- - src/libcharon/plugins/uci/uci_control.c | 3 +- - src/libcharon/plugins/vici/vici_config.c | 2 +- - src/libcharon/plugins/vici/vici_control.c | 59 +++++++++++++++++-- - .../processing/jobs/initiate_mediation_job.c | 1 + - .../processing/jobs/start_action_job.c | 2 +- - src/libcharon/sa/ike_sa_manager.c | 49 ++++++++++++++- - src/libcharon/sa/ike_sa_manager.h | 8 ++- - src/libcharon/sa/trap_manager.c | 44 ++++++-------- - src/swanctl/commands/initiate.c | 40 ++++++++++++- - 21 files changed, 225 insertions(+), 50 deletions(-) + src/libcharon/control/controller.c | 34 ++++++++++++++++-- + src/libcharon/control/controller.h | 
28 +++++++++++++++ + src/libcharon/plugins/vici/vici_control.c | 41 +++++++++++++++++---- + src/libcharon/sa/ike_sa_manager.c | 34 +++++++++++++++++- + src/libcharon/sa/ike_sa_manager.h | 25 ++++++++++++- + src/libcharon/sa/trap_manager.c | 44 +++++++++-------------- + src/swanctl/commands/initiate.c | 19 +++++++++- + 7 files changed, 186 insertions(+), 39 deletions(-) -diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c -index 8e8d8236e..7df5bc9bf 100644 ---- a/src/charon-cmd/cmd/cmd_connection.c -+++ b/src/charon-cmd/cmd/cmd_connection.c -@@ -439,7 +439,7 @@ static job_requeue_t initiate(private_cmd_connection_t *this) - child_cfg = create_child_cfg(this, peer_cfg); - - if (charon->controller->initiate(charon->controller, peer_cfg, child_cfg, -- controller_cb_empty, NULL, LEVEL_SILENT, 0, FALSE) != SUCCESS) -+ NULL, NULL, controller_cb_empty, NULL, LEVEL_SILENT, 0, FALSE) != SUCCESS) - { - terminate(pid); - } -diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c -index 8570ef0e3..bc74f1b90 100644 ---- a/src/charon-nm/nm/nm_service.c -+++ b/src/charon-nm/nm/nm_service.c -@@ -982,7 +982,7 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection, - * Prepare IKE_SA - */ - ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager, -- peer_cfg); -+ peer_cfg, NULL, NULL); - peer_cfg->destroy(peer_cfg); - if (!ike_sa) - { -diff --git a/src/conftest/actions.c b/src/conftest/actions.c -index b6b186117..21e329e3e 100644 ---- a/src/conftest/actions.c -+++ b/src/conftest/actions.c -@@ -66,7 +66,7 @@ static job_requeue_t initiate(char *config) - { - DBG1(DBG_CFG, "initiating IKE_SA for CHILD_SA config '%s'", config); - charon->controller->initiate(charon->controller, peer_cfg, child_cfg, -- NULL, NULL, 0, 0, FALSE); -+ NULL, NULL, NULL, NULL, 0, 0, FALSE); - } - else - { 
diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c -index 027f48e93..9109b20e4 100644 +index 027f48e93..26501768d 100644 --- a/src/libcharon/control/controller.c +++ b/src/libcharon/control/controller.c -@@ -15,6 +15,28 @@ - * for more details. - */ - -+/* +@@ -1,4 +1,6 @@ + /* ++ * Copyright (C) 2023 Zoran Peričić + * Copyright (C) 2014 Timo Teräs -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a copy -+ * of this software and associated documentation files (the "Software"), to deal -+ * in the Software without restriction, including without limitation the rights -+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -+ * copies of the Software, and to permit persons to whom the Software is -+ * furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in -+ * all copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -+ * THE SOFTWARE. -+ */ -+ - #include "controller.h" - - #include -@@ -107,6 +129,16 @@ struct interface_listener_t { + * Copyright (C) 2011-2023 Tobias Brunner + * Copyright (C) 2007-2011 Martin Willi + * +@@ -107,6 +109,16 @@ struct interface_listener_t { */ ike_sa_t *ike_sa; 
@@ -126,15 +48,16 @@ index 027f48e93..9109b20e4 100644 /** * unique ID, used for various methods */ -@@ -417,10 +449,16 @@ METHOD(job_t, initiate_execute, job_requeue_t, +@@ -417,10 +429,16 @@ METHOD(job_t, initiate_execute, job_requeue_t, ike_sa_t *ike_sa; interface_listener_t *listener = &job->listener; peer_cfg_t *peer_cfg = listener->peer_cfg; + host_t *my_host = listener->my_host; + host_t *other_host = listener->other_host; - ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager, +- ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager, - peer_cfg); ++ ike_sa = charon->ike_sa_manager->checkout_by_config2(charon->ike_sa_manager, + peer_cfg, my_host, other_host); peer_cfg->destroy(peer_cfg); + @@ -144,15 +67,23 @@ index 027f48e93..9109b20e4 100644 if (!ike_sa) { DESTROY_IF(listener->child_cfg); -@@ -499,6 +537,7 @@ METHOD(job_t, initiate_execute, job_requeue_t, - - METHOD(controller_t, initiate, status_t, +@@ -501,6 +519,15 @@ METHOD(controller_t, initiate, status_t, private_controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg, -+ host_t *my_host, host_t *other_host, controller_cb_t callback, void *param, level_t max_level, u_int timeout, bool limits) ++{ ++ return this->public.initiate2(this, peer_cfg, child_cfg, NULL, NULL, callback, param, max_level, timeout, limits); ++} ++ ++METHOD(controller_t, initiate2, status_t, ++ private_controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg, ++ host_t *my_host, host_t *other_host, ++ controller_cb_t callback, void *param, level_t max_level, u_int timeout, ++ bool limits) { -@@ -523,6 +562,8 @@ METHOD(controller_t, initiate, status_t, + interface_job_t *job; + status_t status; +@@ -523,6 +550,8 @@ METHOD(controller_t, initiate, status_t, .status = FAILED, .child_cfg = child_cfg, .peer_cfg = peer_cfg, 
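Review bot: The new `initiate` wrapper calls `this->public.initiate2(this, …)` with `this` being the `private_controller_t *`, while the `initiate2` member is declared with a `controller_t *` first parameter, so this appears to be an incompatible-pointer-type call (recent GCC rejects that by default); the `checkout_by_config` wrapper in the ike_sa_manager.c hunk has the same shape. If the METHOD macro here is the transparent-union one, the usual idiom is to define `initiate2` first and call the static function directly, `return initiate2(this, peer_cfg, child_cfg, NULL, NULL, callback, param, max_level, timeout, limits);`, otherwise pass `&this->public` as the first argument. That single return line also runs well past the 80-column wrapping the surrounding code uses. The bodies of both `initiate` and `initiate2` continue outside this hunk.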
@@ -161,162 +92,65 @@ index 027f48e93..9109b20e4 100644 .lock = spinlock_create(), .options.limits = limits, }, +@@ -770,6 +799,7 @@ controller_t *controller_create(void) + .public = { + .create_ike_sa_enumerator = _create_ike_sa_enumerator, + .initiate = _initiate, ++ .initiate2 = _initiate2, + .terminate_ike = _terminate_ike, + .terminate_child = _terminate_child, + .destroy = _destroy, diff --git a/src/libcharon/control/controller.h b/src/libcharon/control/controller.h -index 36a1d4631..a130fbb6b 100644 +index 36a1d4631..f5c60e2e7 100644 --- a/src/libcharon/control/controller.h 
+++ b/src/libcharon/control/controller.h -@@ -81,6 +81,8 @@ struct controller_t { - * - * @param peer_cfg peer_cfg to use for IKE_SA setup - * @param child_cfg optional child_cfg to set up CHILD_SA from -+ * @param my_host optional address hint for source -+ * @param other_host optional address hint for destination - * @param cb logging callback - * @param param parameter to include in each call of cb - * @param max_level maximum log level for which cb is invoked -@@ -95,6 +97,7 @@ struct controller_t { - */ - status_t (*initiate)(controller_t *this, - peer_cfg_t *peer_cfg, child_cfg_t *child_cfg, -+ host_t *my_host, host_t *other_host, +@@ -98,6 +98,34 @@ struct controller_t { controller_cb_t callback, void *param, level_t max_level, u_int timeout, bool limits); -diff --git a/src/libcharon/plugins/load_tester/load_tester_control.c b/src/libcharon/plugins/load_tester/load_tester_control.c -index b5356289a..ddef85b4a 100644 ---- a/src/libcharon/plugins/load_tester/load_tester_control.c -+++ b/src/libcharon/plugins/load_tester/load_tester_control.c -@@ -240,6 +240,7 @@ static bool on_accept(private_load_tester_control_t *this, stream_t *io) - - switch (charon->controller->initiate(charon->controller, - peer_cfg, child_cfg->get_ref(child_cfg), -+ NULL, NULL, - (void*)initiate_cb, listener, LEVEL_CTRL, 0, FALSE)) - { - case NEED_MORE: -diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c -index 695e75b83..e3f740281 100644 ---- a/src/libcharon/plugins/load_tester/load_tester_plugin.c -+++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c -@@ -152,6 +152,7 @@ static job_requeue_t do_load_test(private_load_tester_plugin_t *this) - - charon->controller->initiate(charon->controller, - peer_cfg, child_cfg->get_ref(child_cfg), -+ NULL, NULL, - NULL, NULL, 0, 0, FALSE); - if (s) - { -diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c -index 
59a9358a1..6e322a9c1 100644 ---- a/src/libcharon/plugins/medcli/medcli_config.c -+++ b/src/libcharon/plugins/medcli/medcli_config.c -@@ -350,7 +350,7 @@ static job_requeue_t initiate_config(peer_cfg_t *peer_cfg) - peer_cfg->get_ref(peer_cfg); - enumerator->destroy(enumerator); - charon->controller->initiate(charon->controller, peer_cfg, child_cfg, -- NULL, NULL, 0, 0, FALSE); -+ NULL, NULL, NULL, NULL, 0, 0, FALSE); - } - else - { -diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c -index 6ca9f1399..31a4e1d63 100644 ---- a/src/libcharon/plugins/smp/smp.c -+++ b/src/libcharon/plugins/smp/smp.c -@@ -495,7 +495,8 @@ static void request_control_initiate(xmlTextReaderPtr reader, - if (child) - { - status = charon->controller->initiate(charon->controller, -- peer, child, (controller_cb_t)xml_callback, -+ peer, child, NULL, NULL, -+ (controller_cb_t)xml_callback, - writer, LEVEL_CTRL, 0, FALSE); - } - else -diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c -index 2824c93cb..21ff6b31f 100644 ---- a/src/libcharon/plugins/stroke/stroke_control.c -+++ b/src/libcharon/plugins/stroke/stroke_control.c -@@ -109,7 +109,7 @@ static void charon_initiate(private_stroke_control_t *this, peer_cfg_t *peer_cfg - if (msg->output_verbosity < 0) - { - charon->controller->initiate(charon->controller, peer_cfg, child_cfg, -- NULL, NULL, 0, 0, FALSE); -+ NULL, NULL, NULL, NULL, 0, 0, FALSE); - } - else - { -@@ -117,7 +117,8 @@ static void charon_initiate(private_stroke_control_t *this, peer_cfg_t *peer_cfg - status_t status; - - status = charon->controller->initiate(charon->controller, -- peer_cfg, child_cfg, (controller_cb_t)stroke_log, -+ peer_cfg, child_cfg, NULL, NULL, -+ (controller_cb_t)stroke_log, - &info, msg->output_verbosity, this->timeout, FALSE); - switch (status) - { -diff --git a/src/libcharon/plugins/uci/uci_control.c b/src/libcharon/plugins/uci/uci_control.c -index b033c832c..f8d1be745 100644 
---- a/src/libcharon/plugins/uci/uci_control.c -+++ b/src/libcharon/plugins/uci/uci_control.c -@@ -147,7 +147,8 @@ static void initiate(private_uci_control_t *this, char *name) - enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg); - if (enumerator->enumerate(enumerator, &child_cfg) && - charon->controller->initiate(charon->controller, peer_cfg, -- child_cfg->get_ref(child_cfg), controller_cb_empty, -+ child_cfg->get_ref(child_cfg), NULL, NULL, -+ controller_cb_empty, - NULL, LEVEL_SILENT, 0, FALSE) == SUCCESS) - { - write_fifo(this, "connection '%s' established\n", name); -diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c -index c858e9945..a42ebf041 100644 ---- a/src/libcharon/plugins/vici/vici_config.c -+++ b/src/libcharon/plugins/vici/vici_config.c -@@ -2277,7 +2277,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg, - DBG1(DBG_CFG, "initiating '%s'", child_cfg->get_name(child_cfg)); - charon->controller->initiate(charon->controller, - peer_cfg->get_ref(peer_cfg), child_cfg->get_ref(child_cfg), -- NULL, NULL, 0, 0, FALSE); -+ NULL, NULL, NULL, NULL, 0, 0, FALSE); - } - } - ++ /** ++ * Initiate a CHILD_SA, and if required, an IKE_SA. ++ * ++ * If a callback is provided the function is synchronous and thus blocks ++ * until the IKE_SA is established or failed. 
++ * ++ * @param peer_cfg peer_cfg to use for IKE_SA setup ++ * @param child_cfg optional child_cfg to set up CHILD_SA from ++ * @param my_host optional address hint for source ++ * @param other_host optional address hint for destination ++ * @param cb logging callback ++ * @param param parameter to include in each call of cb ++ * @param max_level maximum log level for which cb is invoked ++ * @param timeout timeout in ms to wait for callbacks, 0 to disable ++ * @param limits whether to check limits regarding IKE_SA initiation ++ * @return ++ * - SUCCESS, if CHILD_SA established ++ * - FAILED, if setup failed ++ * - NEED_MORE, if callback returned FALSE ++ * - OUT_OF_RES if timed out ++ * - INVALID_STATE if limits prevented initiation ++ */ ++ status_t (*initiate2)(controller_t *this, ++ peer_cfg_t *peer_cfg, child_cfg_t *child_cfg, ++ host_t *my_host, host_t *other_host, ++ controller_cb_t callback, void *param, ++ level_t max_level, u_int timeout, bool limits); ++ + /** + * Terminate an IKE_SA and all of its CHILD_SAs. + * diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c -index 1c236d249..b3a76efa2 100644 +index 1c236d249..932d0cb5a 100644 --- a/src/libcharon/plugins/vici/vici_control.c 
+++ b/src/libcharon/plugins/vici/vici_control.c -@@ -15,6 +15,28 @@ - * for more details. - */ - -+/* +@@ -1,4 +1,6 @@ + /* ++ * Copyright (C) 2023 Zoran Peričić + * Copyright (C) 2014 Timo Teräs -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a copy -+ * of this software and associated documentation files (the "Software"), to deal -+ * in the Software without restriction, including without limitation the rights -+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -+ * copies of the Software, and to permit persons to whom the Software is -+ * furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in -+ * all copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -+ * THE SOFTWARE. -+ */ -+ - #include "vici_control.h" - #include "vici_builder.h" - -@@ -173,9 +195,12 @@ static child_cfg_t* find_child_cfg(char *name, char *pname, peer_cfg_t **out) + * Copyright (C) 2015-2017 Tobias Brunner + * Copyright (C) 2014 Martin Willi + * +@@ -173,9 +175,12 @@ static child_cfg_t* find_child_cfg(char *name, char *pname, peer_cfg_t **out) CALLBACK(initiate, vici_message_t*, private_vici_control_t *this, char *name, u_int id, vici_message_t *request) { 
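Review bot: The Doxygen block added for `initiate2` in controller.h documents the logging callback as `@param cb` while the declaration names the parameter `callback`, so the two do not line up for Doxygen; `@param callback logging callback` would fix it. The block also says nothing about ownership or lifetime of `my_host` and `other_host`, which matters because the work is executed from a job after `initiate2` returns; whether the hosts are cloned into the listener or must outlive the call is decided by lines outside this hunk, so the comment should state whichever it is (e.g. `@param my_host optional source address hint, cloned; caller keeps ownership`) once confirmed. Most of the rest of the block is a verbatim copy of the `initiate` description and could be reduced to a `@see initiate` plus the two new parameters.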
@@ -329,7 +163,7 @@ index 1c236d249..b3a76efa2 100644 int timeout; bool limits; controller_cb_t log_cb = NULL; -@@ -189,6 +214,8 @@ CALLBACK(initiate, vici_message_t*, +@@ -189,6 +194,8 @@ CALLBACK(initiate, vici_message_t*, timeout = request->get_int(request, 0, "timeout"); limits = request->get_bool(request, FALSE, "init-limits"); log.level = request->get_int(request, 1, "loglevel"); @@ -338,7 +172,7 @@ index 1c236d249..b3a76efa2 100644 if (!child && !ike) { -@@ -202,28 +229,48 @@ CALLBACK(initiate, vici_message_t*, +@@ -202,28 +209,48 @@ CALLBACK(initiate, vici_message_t*, type = child ? "CHILD_SA" : "IKE_SA"; sa = child ?: ike; @@ -362,7 +196,8 @@ index 1c236d249..b3a76efa2 100644 + msg = send_reply(this, "%s config '%s' not found", type, sa); + goto ret; } - switch (charon->controller->initiate(charon->controller, peer_cfg, child_cfg, +- switch (charon->controller->initiate(charon->controller, peer_cfg, child_cfg, ++ switch (charon->controller->initiate2(charon->controller, peer_cfg, child_cfg, + my_host, other_host, log_cb, &log, log.level, timeout, limits)) { 
@@ -393,75 +228,32 @@ index 1c236d249..b3a76efa2 100644 } /** -diff --git a/src/libcharon/processing/jobs/initiate_mediation_job.c b/src/libcharon/processing/jobs/initiate_mediation_job.c -index ed493bc76..9a1cdcda4 100644 ---- a/src/libcharon/processing/jobs/initiate_mediation_job.c -+++ b/src/libcharon/processing/jobs/initiate_mediation_job.c -@@ -138,6 +138,7 @@ METHOD(job_t, initiate, job_requeue_t, - mediation_cfg->get_ref(mediation_cfg); - - if (charon->controller->initiate(charon->controller, mediation_cfg, NULL, -+ NULL, NULL, - (controller_cb_t)initiate_callback, this, LEVEL_CTRL, - 0, FALSE) != SUCCESS) - { -diff --git a/src/libcharon/processing/jobs/start_action_job.c b/src/libcharon/processing/jobs/start_action_job.c -index 122e5cee9..dec458c84 100644 ---- a/src/libcharon/processing/jobs/start_action_job.c -+++ b/src/libcharon/processing/jobs/start_action_job.c -@@ -84,7 +84,7 @@ METHOD(job_t, execute, job_requeue_t, - charon->controller->initiate(charon->controller, - peer_cfg->get_ref(peer_cfg), - child_cfg->get_ref(child_cfg), -- NULL, NULL, 0, 0, FALSE); -+ NULL, NULL, NULL, NULL, 0, 0, FALSE); - } - } - children->destroy(children); diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c -index 7763ae844..3fb9d4c35 100644 +index 7763ae844..59852f253 100644 --- a/src/libcharon/sa/ike_sa_manager.c 
+++ b/src/libcharon/sa/ike_sa_manager.c -@@ -16,6 +16,28 @@ - * for more details. - */ - -+/* +@@ -1,4 +1,6 @@ + /* ++ * Copyright (C) 2023 Zoran Peričić + * Copyright (C) 2014 Timo Teräs -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a copy -+ * of this software and associated documentation files (the "Software"), to deal -+ * in the Software without restriction, including without limitation the rights -+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -+ * copies of the Software, and to permit persons to whom the Software is -+ * furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in -+ * all copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -+ * THE SOFTWARE. 
-+ */ -+ - #include - #include - -@@ -1498,7 +1520,8 @@ typedef struct { - } config_entry_t; + * Copyright (C) 2008-2022 Tobias Brunner + * Copyright (C) 2005-2011 Martin Willi + * Copyright (C) 2005 Jan Hutter +@@ -1499,6 +1501,13 @@ typedef struct { METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, -- private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg) + private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg) ++{ ++ return this->public.checkout_by_config2(this, peer_cfg, NULL, NULL); ++} ++ ++METHOD(ike_sa_manager_t, checkout_by_config2, ike_sa_t*, + private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg, + host_t *my_host, host_t *other_host) { enumerator_t *enumerator; entry_t *entry; -@@ -1509,7 +1532,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, +@@ -1509,7 +1518,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, u_int segment; int i; @@ -479,7 +271,7 @@ index 7763ae844..3fb9d4c35 100644 if (!this->reuse_ikesa && peer_cfg->get_ike_version(peer_cfg) != IKEV1) { /* IKE_SA reuse disabled by config (not possible for IKEv1) */ -@@ -1567,6 +1599,15 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, +@@ -1567,6 +1585,15 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, continue; } @@ -495,7 +287,7 @@ index 7763ae844..3fb9d4c35 100644 current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa); if (current_peer && current_peer->equals(current_peer, peer_cfg)) { -@@ -1593,6 +1634,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, +@@ -1593,6 +1620,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, { ike_sa->set_peer_cfg(ike_sa, peer_cfg); checkout_new(this, ike_sa); 
@@ -506,8 +298,16 @@ index 7763ae844..3fb9d4c35 100644 } } charon->bus->set_sa(charon->bus, ike_sa); +@@ -2558,6 +2589,7 @@ ike_sa_manager_t *ike_sa_manager_create() + .checkout = _checkout, + .checkout_by_message = _checkout_by_message, + .checkout_by_config = _checkout_by_config, ++ .checkout_by_config2 = _checkout_by_config, + .checkout_by_id = _checkout_by_id, + .checkout_by_name = _checkout_by_name, + .new_initiator_spi = _new_initiator_spi, diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h -index 004cc2216..56ef869be 100644 +index 004cc2216..d001f5a80 100644 --- a/src/libcharon/sa/ike_sa_manager.h +++ b/src/libcharon/sa/ike_sa_manager.h @@ -123,7 +123,8 @@ struct ike_sa_manager_t { 
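Review bot: `.checkout_by_config2 = _checkout_by_config,` in `ike_sa_manager_create` wires the new method to the two-argument wrapper instead of `_checkout_by_config2`; because `_checkout_by_config` itself calls `this->public.checkout_by_config2(this, peer_cfg, NULL, NULL)` (earlier hunk of this file), both entry points would recurse until the stack overflows, and even if it did not, a caller's `my_host`/`other_host` would be silently discarded. The two function pointer types also differ in arity, which the compiler should report. Change it to `.checkout_by_config2 = _checkout_by_config2,`, matching how controller.c wires `.initiate2 = _initiate2`.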
@@ -520,22 +320,37 @@ index 004cc2216..56ef869be 100644 * * To initiate, a CHILD_SA may be established within an existing IKE_SA. * This call checks for an existing IKE_SA by comparing the configuration. -@@ -136,9 +137,12 @@ struct ike_sa_manager_t { - * @note The peer_config is always set on the returned IKE_SA. - * - * @param peer_cfg configuration used to find an existing IKE_SA +@@ -140,6 +141,28 @@ struct ike_sa_manager_t { + */ + ike_sa_t *(*checkout_by_config)(ike_sa_manager_t* this, peer_cfg_t *peer_cfg); + ++ /** ++ * Checkout an IKE_SA for initiation by a peer_config and optional ++ * source and remote host addresses. ++ * ++ * To initiate, a CHILD_SA may be established within an existing IKE_SA. ++ * This call checks for an existing IKE_SA by comparing the configuration. ++ * If the CHILD_SA can be created in an existing IKE_SA, the matching SA ++ * is returned. ++ * If no IKE_SA is found, a new one is created and registered in the ++ * manager. This is also the case when the found IKE_SA is in an unusable ++ * state (e.g. DELETING). ++ * ++ * @note The peer_config is always set on the returned IKE_SA. ++ * ++ * @param peer_cfg configuration used to find an existing IKE_SA + * @param my_host source host address for wildcard peer_cfg + * @param other_host remote host address for wildcard peer_cfg - * @return checked out/created IKE_SA - */ -- ike_sa_t *(*checkout_by_config)(ike_sa_manager_t* this, peer_cfg_t *peer_cfg); -+ ike_sa_t *(*checkout_by_config)(ike_sa_manager_t* this, peer_cfg_t *peer_cfg, ++ * @return checked out/created IKE_SA ++ */ ++ ike_sa_t *(*checkout_by_config2)(ike_sa_manager_t* this, peer_cfg_t *peer_cfg, + host_t *my_host, host_t *other_host); - ++ /** * Reset initiator SPI. + * diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c -index 1b85c66a5..f8c87437f 100644 +index 1b85c66a5..bbc480c0c 100644 --- a/src/libcharon/sa/trap_manager.c +++ b/src/libcharon/sa/trap_manager.c 
@@ -523,7 +523,7 @@ METHOD(trap_manager_t, acquire, void, @@ -592,7 +407,7 @@ index 1b85c66a5..f8c87437f 100644 + data->src->to_subnet(data->src, &my_host, &mask); + my_host->set_port(my_host, port); } -+ ike_sa = charon->ike_sa_manager->checkout_by_config( ++ ike_sa = charon->ike_sa_manager->checkout_by_config2( + charon->ike_sa_manager, peer, + my_host, other_host); + if (my_host) my_host->destroy(my_host); @@ -601,39 +416,16 @@ index 1b85c66a5..f8c87437f 100644 if (ike_sa) diff --git a/src/swanctl/commands/initiate.c b/src/swanctl/commands/initiate.c -index e0fffb907..dcaded59d 100644 +index e0fffb907..c0fc8c595 100644 --- a/src/swanctl/commands/initiate.c 
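Review bot: The new `checkout_by_config2` documentation in ike_sa_manager.h does not say that `my_host` and `other_host` may be NULL, even though the `checkout_by_config` wrapper passes NULL for both and the trap_manager.c caller only sets them conditionally; suggest `@param my_host source host address for wildcard peer_cfg, or NULL` and the same for `other_host`. It would also help to state what happens when a host is given but no existing IKE_SA matches it (a new IKE_SA is created, if that is what the implementation does — the matching code is outside this hunk). The remainder of the block duplicates the `checkout_by_config` description and could be replaced with `@see checkout_by_config`.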
+++ b/src/swanctl/commands/initiate.c -@@ -14,6 +14,28 @@ - * for more details. - */ - -+/* +@@ -1,4 +1,5 @@ + /* + * Copyright (C) 2014 Timo Teräs -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a copy -+ * of this software and associated documentation files (the "Software"), to deal -+ * in the Software without restriction, including without limitation the rights -+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -+ * copies of the Software, and to permit persons to whom the Software is -+ * furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in -+ * all copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -+ * THE SOFTWARE. -+ */ -+ - #include "command.h" - - #include -@@ -38,7 +60,7 @@ static int initiate(vici_conn_t *conn) + * Copyright (C) 2014 Martin Willi + * + * Copyright (C) secunet Security Networks AG +@@ -38,7 +39,7 @@ static int initiate(vici_conn_t *conn) vici_req_t *req; vici_res_t *res; command_format_options_t format = COMMAND_FORMAT_NONE; @@ -642,7 +434,7 @@ index e0fffb907..dcaded59d 100644 int ret = 0, timeout = 0, level = 1; while (TRUE) -@@ -65,6 +87,12 @@ static int initiate(vici_conn_t *conn) +@@ -65,6 +66,12 @@ static int initiate(vici_conn_t *conn) case 'l': level = atoi(arg); continue; 
@@ -655,7 +447,7 @@ index e0fffb907..dcaded59d 100644 case EOF: break; default: -@@ -88,6 +116,14 @@ static int initiate(vici_conn_t *conn) +@@ -88,6 +95,14 @@ static int initiate(vici_conn_t *conn) { vici_add_key_valuef(req, "ike", "%s", ike); } @@ -670,7 +462,7 @@ index e0fffb907..dcaded59d 100644 if (timeout) { vici_add_key_valuef(req, "timeout", "%d", timeout * 1000); -@@ -134,6 +170,8 @@ static void __attribute__ ((constructor))reg() +@@ -134,6 +149,8 @@ static void __attribute__ ((constructor))reg() {"help", 'h', 0, "show usage information"}, {"child", 'c', 1, "initiate a CHILD_SA configuration"}, {"ike", 'i', 1, "initiate an IKE_SA, or name of child's parent"}, diff --git a/0002-vici-send-certificates-for-ike-sa-events.patch b/0002-vici-send-certificates-for-ike-sa-events.patch index 6f82da2..bb64694 100644 --- a/0002-vici-send-certificates-for-ike-sa-events.patch +++ b/0002-vici-send-certificates-for-ike-sa-events.patch @@ -1,4 +1,4 @@ -From 52e75a6cd16853a04e824ba2bac32c8acfd5f25c Mon Sep 17 00:00:00 2001 +From ea77f7d906d5e7bbe44ba6e912dd386f25414492 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= Date: Mon, 21 Sep 2015 13:42:05 +0300 Subject: [PATCH 2/4] vici: send certificates for ike-sa events diff --git a/0003-vici-add-support-for-individual-sa-state-changes.patch b/0003-vici-add-support-for-individual-sa-state-changes.patch index 1c0328b..23413e5 100644 --- a/0003-vici-add-support-for-individual-sa-state-changes.patch +++ b/0003-vici-add-support-for-individual-sa-state-changes.patch @@ -1,4 +1,4 @@ -From 91c63d771622863b2f4de1dbada28f82e2d21d7c Mon Sep 17 00:00:00 2001 +From 3f4e26a2163bf30481887795f9faad208bfc1be0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= Date: Mon, 21 Sep 2015 13:42:11 +0300 Subject: [PATCH 3/4] vici: add support for individual sa state changes diff --git a/0004-Support-GRE-key-in-selectors.patch b/0004-Support-GRE-key-in-selectors.patch index 7b828d4..1f47942 100644 
--- a/0004-Support-GRE-key-in-selectors.patch +++ b/0004-Support-GRE-key-in-selectors.patch @@ -1,4 +1,4 @@ -From 1e0d5415c1cd61df50fa27219d9ca8f76b497c6b Mon Sep 17 00:00:00 2001 +From 0ceda5a95355bb803cbcdf3eeabbcb6ec2577922 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= Date: Sun, 21 Jan 2024 03:11:32 +0100 Subject: [PATCH 4/4] Support GRE key in selectors. @@ -119,7 +119,7 @@ index 55db379ff..b4340b8d1 100644 *from_port = 0; *to_port = 0xffff; diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c -index a42ebf041..53306f30d 100644 +index c858e9945..c72c97f76 100644 --- a/src/libcharon/plugins/vici/vici_config.c +++ b/src/libcharon/plugins/vici/vici_config.c @@ -715,7 +715,31 @@ CALLBACK(parse_ts, bool,