Compare commits
2 Commits
strongswan
...
5.9.2-test
| Author | SHA1 | Date | |
|---|---|---|---|
| c8476bf3d8 | |||
| 61c7333e9d |
2
.gitignore
vendored
2
.gitignore
vendored
@@ -1,5 +1,3 @@
|
||||
/strongswan-5.8.4.tar.bz2
|
||||
/strongswan-5.9.0.tar.bz2
|
||||
/strongswan-5.9.1.tar.bz2
|
||||
/strongswan-5.9.2.tar.bz2
|
||||
/strongswan-5.9.3.tar.bz2
|
||||
|
||||
105
0001-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
Normal file
105
0001-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
Normal file
@@ -0,0 +1,105 @@
|
||||
From 2ac05d5d77446a518d808a41ed628fbe66966335 Mon Sep 17 00:00:00 2001
|
||||
From: Tobias Brunner <tobias@strongswan.org>
|
||||
Date: Fri, 17 Jul 2015 11:53:58 +0200
|
||||
Subject: [PATCH 1/7] ike: Adhere to IKE_SA limit when checking out by config
|
||||
|
||||
This prevents new SAs from getting created if we hit the global IKE_SA
|
||||
limit (we still allow checkout_new(), which is used for rekeying).
|
||||
---
|
||||
src/libcharon/sa/ike_sa_manager.c | 73 ++++++++++++++++---------------
|
||||
1 file changed, 38 insertions(+), 35 deletions(-)
|
||||
|
||||
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
|
||||
index f95ff19af..1e0ae42fe 100644
|
||||
--- a/src/libcharon/sa/ike_sa_manager.c
|
||||
+++ b/src/libcharon/sa/ike_sa_manager.c
|
||||
@@ -1434,48 +1434,51 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
|
||||
|
||||
DBG2(DBG_MGR, "checkout IKE_SA by config");
|
||||
|
||||
- if (!this->reuse_ikesa && peer_cfg->get_ike_version(peer_cfg) != IKEV1)
|
||||
- { /* IKE_SA reuse disabled by config (not possible for IKEv1) */
|
||||
- ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
|
||||
- charon->bus->set_sa(charon->bus, ike_sa);
|
||||
- goto out;
|
||||
- }
|
||||
-
|
||||
- enumerator = create_table_enumerator(this);
|
||||
- while (enumerator->enumerate(enumerator, &entry, &segment))
|
||||
+ if (this->reuse_ikesa || peer_cfg->get_ike_version(peer_cfg) == IKEV1)
|
||||
{
|
||||
- if (!wait_for_entry(this, entry, segment))
|
||||
+ enumerator = create_table_enumerator(this);
|
||||
+ while (enumerator->enumerate(enumerator, &entry, &segment))
|
||||
{
|
||||
- continue;
|
||||
- }
|
||||
- if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING ||
|
||||
- entry->ike_sa->get_state(entry->ike_sa) == IKE_REKEYED)
|
||||
- { /* skip IKE_SAs which are not usable, wake other waiting threads */
|
||||
+ if (!wait_for_entry(this, entry, segment))
|
||||
+ {
|
||||
+ continue;
|
||||
+ }
|
||||
+ if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING ||
|
||||
+ entry->ike_sa->get_state(entry->ike_sa) == IKE_REKEYED)
|
||||
+ { /* skip IKE_SAs which are not usable, wake other waiting threads */
|
||||
+ entry->condvar->signal(entry->condvar);
|
||||
+ continue;
|
||||
+ }
|
||||
+ current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
|
||||
+ if (current_peer && current_peer->equals(current_peer, peer_cfg))
|
||||
+ {
|
||||
+ current_ike = current_peer->get_ike_cfg(current_peer);
|
||||
+ if (current_ike->equals(current_ike,
|
||||
+ peer_cfg->get_ike_cfg(peer_cfg)))
|
||||
+ {
|
||||
+ entry->checked_out = thread_current();
|
||||
+ ike_sa = entry->ike_sa;
|
||||
+ DBG2(DBG_MGR, "found existing IKE_SA %u with a '%s' config",
|
||||
+ ike_sa->get_unique_id(ike_sa),
|
||||
+ current_peer->get_name(current_peer));
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ /* other threads might be waiting for this entry */
|
||||
entry->condvar->signal(entry->condvar);
|
||||
- continue;
|
||||
}
|
||||
-
|
||||
- current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
|
||||
- if (current_peer && current_peer->equals(current_peer, peer_cfg))
|
||||
- {
|
||||
- current_ike = current_peer->get_ike_cfg(current_peer);
|
||||
- if (current_ike->equals(current_ike, peer_cfg->get_ike_cfg(peer_cfg)))
|
||||
- {
|
||||
- entry->checked_out = thread_current();
|
||||
- ike_sa = entry->ike_sa;
|
||||
- DBG2(DBG_MGR, "found existing IKE_SA %u with a '%s' config",
|
||||
- ike_sa->get_unique_id(ike_sa),
|
||||
- current_peer->get_name(current_peer));
|
||||
- break;
|
||||
- }
|
||||
- }
|
||||
- /* other threads might be waiting for this entry */
|
||||
- entry->condvar->signal(entry->condvar);
|
||||
+ enumerator->destroy(enumerator);
|
||||
}
|
||||
- enumerator->destroy(enumerator);
|
||||
|
||||
if (!ike_sa)
|
||||
- { /* no IKE_SA using such a config, hand out a new */
|
||||
+ { /* no IKE_SA using such a config, or reuse disabled, hand out a new */
|
||||
+ if (this->ikesa_limit &&
|
||||
+ this->public.get_count(&this->public) >= this->ikesa_limit)
|
||||
+ {
|
||||
+ DBG1(DBG_MGR, "IKE_SA creation failed, hitting IKE_SA limit (%u)",
|
||||
+ this->ikesa_limit);
|
||||
+ return NULL;
|
||||
+ }
|
||||
ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
|
||||
}
|
||||
charon->bus->set_sa(charon->bus, ike_sa);
|
||||
--
|
||||
2.25.4
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
From c2e02e7aa1aead5f5c9c6ceef7f3569d90deb20f Mon Sep 17 00:00:00 2001
|
||||
From caa6f2744717e3c3bd9b0e0fa4feff449a780ccf Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
|
||||
Date: Mon, 21 Sep 2015 13:41:58 +0300
|
||||
Subject: [PATCH 1/4] charon: add optional source and remote overrides for
|
||||
Subject: [PATCH 2/7] charon: add optional source and remote overrides for
|
||||
initiate
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
@@ -18,32 +18,23 @@ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
|
||||
---
|
||||
src/charon-cmd/cmd/cmd_connection.c | 2 +-
|
||||
src/charon-nm/nm/nm_service.c | 2 +-
|
||||
src/conftest/actions.c | 2 +-
|
||||
.../backend/android_service.c | 2 +-
|
||||
src/frontends/osx/charon-xpc/xpc_dispatch.c | 1 +
|
||||
src/libcharon/control/controller.c | 44 ++++++++++++-
|
||||
src/libcharon/control/controller.c | 43 +++++++++++++-
|
||||
src/libcharon/control/controller.h | 3 +
|
||||
.../plugins/load_tester/load_tester_control.c | 1 +
|
||||
.../plugins/load_tester/load_tester_plugin.c | 1 +
|
||||
src/libcharon/plugins/medcli/medcli_config.c | 3 +-
|
||||
src/libcharon/plugins/smp/smp.c | 3 +-
|
||||
src/libcharon/plugins/stroke/stroke_control.c | 5 +-
|
||||
src/libcharon/plugins/uci/uci_control.c | 1 +
|
||||
src/libcharon/plugins/vici/vici_config.c | 2 +-
|
||||
src/libcharon/plugins/vici/vici_control.c | 61 ++++++++++++++++---
|
||||
.../processing/jobs/initiate_mediation_job.c | 1 +
|
||||
src/libcharon/plugins/vici/vici_control.c | 59 +++++++++++++++++--
|
||||
.../processing/jobs/start_action_job.c | 2 +-
|
||||
src/libcharon/sa/ike_sa_manager.c | 49 ++++++++++++++-
|
||||
src/libcharon/sa/ike_sa_manager.c | 51 +++++++++++++++-
|
||||
src/libcharon/sa/ike_sa_manager.h | 8 ++-
|
||||
src/libcharon/sa/trap_manager.c | 44 ++++++-------
|
||||
src/swanctl/commands/initiate.c | 40 +++++++++++-
|
||||
21 files changed, 227 insertions(+), 50 deletions(-)
|
||||
src/libcharon/sa/trap_manager.c | 49 +++++++--------
|
||||
src/swanctl/commands/initiate.c | 40 ++++++++++++-
|
||||
12 files changed, 219 insertions(+), 47 deletions(-)
|
||||
|
||||
diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c
|
||||
index 0481d78d4..805d6f198 100644
|
||||
index b91c89830..55f8d224f 100644
|
||||
--- a/src/charon-cmd/cmd/cmd_connection.c
|
||||
+++ b/src/charon-cmd/cmd/cmd_connection.c
|
||||
@@ -438,7 +438,7 @@ static job_requeue_t initiate(private_cmd_connection_t *this)
|
||||
@@ -439,7 +439,7 @@ static job_requeue_t initiate(private_cmd_connection_t *this)
|
||||
child_cfg = create_child_cfg(this, peer_cfg);
|
||||
|
||||
if (charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
|
||||
@@ -53,33 +44,20 @@ index 0481d78d4..805d6f198 100644
|
||||
terminate(pid);
|
||||
}
|
||||
diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
|
||||
index 2d93b2fae..482170d76 100644
|
||||
index dba12764d..8b27e61e4 100644
|
||||
--- a/src/charon-nm/nm/nm_service.c
|
||||
+++ b/src/charon-nm/nm/nm_service.c
|
||||
@@ -883,7 +883,7 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
|
||||
@@ -849,7 +849,7 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
|
||||
* Prepare IKE_SA
|
||||
*/
|
||||
ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
|
||||
- peer_cfg);
|
||||
+ peer_cfg, NULL, NULL);
|
||||
peer_cfg->destroy(peer_cfg);
|
||||
if (!ike_sa)
|
||||
{
|
||||
diff --git a/src/conftest/actions.c b/src/conftest/actions.c
|
||||
index 66e41f743..64ef8e9ee 100644
|
||||
--- a/src/conftest/actions.c
|
||||
+++ b/src/conftest/actions.c
|
||||
@@ -65,7 +65,7 @@ static job_requeue_t initiate(char *config)
|
||||
{
|
||||
DBG1(DBG_CFG, "initiating IKE_SA for CHILD_SA config '%s'", config);
|
||||
charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
|
||||
- NULL, NULL, 0, FALSE);
|
||||
+ NULL, NULL, NULL, NULL, 0, FALSE);
|
||||
}
|
||||
else
|
||||
{
|
||||
peer_cfg->destroy(peer_cfg);
|
||||
diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c
|
||||
index 46b065e3f..fbaff8730 100644
|
||||
index 0c86275e2..baa83f440 100644
|
||||
--- a/src/libcharon/control/controller.c
|
||||
+++ b/src/libcharon/control/controller.c
|
||||
@@ -15,6 +15,28 @@
|
||||
@@ -128,7 +106,7 @@ index 46b065e3f..fbaff8730 100644
|
||||
/**
|
||||
* unique ID, used for various methods
|
||||
*/
|
||||
@@ -414,10 +446,16 @@ METHOD(job_t, initiate_execute, job_requeue_t,
|
||||
@@ -414,9 +446,14 @@ METHOD(job_t, initiate_execute, job_requeue_t,
|
||||
ike_sa_t *ike_sa;
|
||||
interface_listener_t *listener = &job->listener;
|
||||
peer_cfg_t *peer_cfg = listener->peer_cfg;
|
||||
@@ -138,15 +116,13 @@ index 46b065e3f..fbaff8730 100644
|
||||
ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
|
||||
- peer_cfg);
|
||||
+ peer_cfg, my_host, other_host);
|
||||
peer_cfg->destroy(peer_cfg);
|
||||
+
|
||||
+ if (my_host) my_host->destroy(my_host);
|
||||
+ if (other_host) other_host->destroy(other_host);
|
||||
+ DESTROY_IF(my_host);
|
||||
+ DESTROY_IF(other_host);
|
||||
+
|
||||
if (!ike_sa)
|
||||
{
|
||||
DESTROY_IF(listener->child_cfg);
|
||||
@@ -425,6 +463,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
|
||||
@@ -425,6 +462,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
|
||||
listener_done(listener);
|
||||
return JOB_REQUEUE_NONE;
|
||||
}
|
||||
@@ -154,7 +130,7 @@ index 46b065e3f..fbaff8730 100644
|
||||
listener->lock->lock(listener->lock);
|
||||
listener->ike_sa = ike_sa;
|
||||
listener->lock->unlock(listener->lock);
|
||||
@@ -492,6 +531,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
|
||||
@@ -497,6 +535,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
|
||||
|
||||
METHOD(controller_t, initiate, status_t,
|
||||
private_controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
|
||||
@@ -162,7 +138,7 @@ index 46b065e3f..fbaff8730 100644
|
||||
controller_cb_t callback, void *param, u_int timeout, bool limits)
|
||||
{
|
||||
interface_job_t *job;
|
||||
@@ -514,6 +554,8 @@ METHOD(controller_t, initiate, status_t,
|
||||
@@ -519,6 +558,8 @@ METHOD(controller_t, initiate, status_t,
|
||||
.status = FAILED,
|
||||
.child_cfg = child_cfg,
|
||||
.peer_cfg = peer_cfg,
|
||||
@@ -172,7 +148,7 @@ index 46b065e3f..fbaff8730 100644
|
||||
.options.limits = limits,
|
||||
},
|
||||
diff --git a/src/libcharon/control/controller.h b/src/libcharon/control/controller.h
|
||||
index b4ccfced2..7a088b122 100644
|
||||
index b4ccfced2..9945b78ad 100644
|
||||
--- a/src/libcharon/control/controller.h
|
||||
+++ b/src/libcharon/control/controller.h
|
||||
@@ -79,6 +79,8 @@ struct controller_t {
|
||||
@@ -180,7 +156,7 @@ index b4ccfced2..7a088b122 100644
|
||||
* @param peer_cfg peer_cfg to use for IKE_SA setup
|
||||
* @param child_cfg optional child_cfg to set up CHILD_SA from
|
||||
+ * @param my_host optional address hint for source
|
||||
+ * @param other_host optional address hint for destination
|
||||
+ * @param other_host optional address hint for destination
|
||||
* @param cb logging callback
|
||||
* @param param parameter to include in each call of cb
|
||||
* @param timeout timeout in ms to wait for callbacks, 0 to disable
|
||||
@@ -192,58 +168,6 @@ index b4ccfced2..7a088b122 100644
|
||||
controller_cb_t callback, void *param, u_int timeout,
|
||||
bool limits);
|
||||
|
||||
diff --git a/src/libcharon/plugins/load_tester/load_tester_control.c b/src/libcharon/plugins/load_tester/load_tester_control.c
|
||||
index 8e89ab435..9dfd415ca 100644
|
||||
--- a/src/libcharon/plugins/load_tester/load_tester_control.c
|
||||
+++ b/src/libcharon/plugins/load_tester/load_tester_control.c
|
||||
@@ -239,6 +239,7 @@ static bool on_accept(private_load_tester_control_t *this, stream_t *io)
|
||||
|
||||
switch (charon->controller->initiate(charon->controller,
|
||||
peer_cfg, child_cfg->get_ref(child_cfg),
|
||||
+ NULL, NULL,
|
||||
(void*)initiate_cb, listener, 0, FALSE))
|
||||
{
|
||||
case NEED_MORE:
|
||||
diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c
|
||||
index 961c10406..f59294d88 100644
|
||||
--- a/src/libcharon/plugins/load_tester/load_tester_plugin.c
|
||||
+++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c
|
||||
@@ -151,6 +151,7 @@ static job_requeue_t do_load_test(private_load_tester_plugin_t *this)
|
||||
|
||||
charon->controller->initiate(charon->controller,
|
||||
peer_cfg, child_cfg->get_ref(child_cfg),
|
||||
+ NULL, NULL,
|
||||
NULL, NULL, 0, FALSE);
|
||||
if (s)
|
||||
{
|
||||
diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c
|
||||
index e88c11d3a..d4ce4f203 100644
|
||||
--- a/src/libcharon/plugins/medcli/medcli_config.c
|
||||
+++ b/src/libcharon/plugins/medcli/medcli_config.c
|
||||
@@ -349,7 +349,8 @@ static job_requeue_t initiate_config(peer_cfg_t *peer_cfg)
|
||||
peer_cfg->get_ref(peer_cfg);
|
||||
enumerator->destroy(enumerator);
|
||||
charon->controller->initiate(charon->controller,
|
||||
- peer_cfg, child_cfg, NULL, NULL, 0, FALSE);
|
||||
+ peer_cfg, child_cfg, NULL, NULL,
|
||||
+ NULL, NULL, 0, FALSE);
|
||||
}
|
||||
else
|
||||
{
|
||||
diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c
|
||||
index 2953a603b..f028406fb 100644
|
||||
--- a/src/libcharon/plugins/smp/smp.c
|
||||
+++ b/src/libcharon/plugins/smp/smp.c
|
||||
@@ -493,7 +493,8 @@ static void request_control_initiate(xmlTextReaderPtr reader,
|
||||
if (child)
|
||||
{
|
||||
status = charon->controller->initiate(charon->controller,
|
||||
- peer, child, (controller_cb_t)xml_callback,
|
||||
+ peer, child, NULL, NULL,
|
||||
+ (controller_cb_t)xml_callback,
|
||||
writer, 0, FALSE);
|
||||
}
|
||||
else
|
||||
diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c
|
||||
index 8d84b934e..b00d0e62d 100644
|
||||
--- a/src/libcharon/plugins/stroke/stroke_control.c
|
||||
@@ -267,23 +191,11 @@ index 8d84b934e..b00d0e62d 100644
|
||||
&info, this->timeout, FALSE);
|
||||
switch (status)
|
||||
{
|
||||
diff --git a/src/libcharon/plugins/uci/uci_control.c b/src/libcharon/plugins/uci/uci_control.c
|
||||
index b6cfda082..115e0a82e 100644
|
||||
--- a/src/libcharon/plugins/uci/uci_control.c
|
||||
+++ b/src/libcharon/plugins/uci/uci_control.c
|
||||
@@ -147,6 +147,7 @@ static void initiate(private_uci_control_t *this, char *name)
|
||||
if (enumerator->enumerate(enumerator, &child_cfg) &&
|
||||
charon->controller->initiate(charon->controller, peer_cfg,
|
||||
child_cfg->get_ref(child_cfg),
|
||||
+ NULL, NULL,
|
||||
controller_cb_empty, NULL, 0, FALSE) == SUCCESS)
|
||||
{
|
||||
write_fifo(this, "connection '%s' established\n", name);
|
||||
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
|
||||
index 2a4d58eab..0e9d24d11 100644
|
||||
index eb679290d..81f2970ae 100644
|
||||
--- a/src/libcharon/plugins/vici/vici_config.c
|
||||
+++ b/src/libcharon/plugins/vici/vici_config.c
|
||||
@@ -2149,7 +2149,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg,
|
||||
@@ -2136,7 +2136,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg,
|
||||
DBG1(DBG_CFG, "initiating '%s'", child_cfg->get_name(child_cfg));
|
||||
charon->controller->initiate(charon->controller,
|
||||
peer_cfg->get_ref(peer_cfg), child_cfg->get_ref(child_cfg),
|
||||
@@ -293,7 +205,7 @@ index 2a4d58eab..0e9d24d11 100644
|
||||
case ACTION_ROUTE:
|
||||
DBG1(DBG_CFG, "installing '%s'", child_cfg->get_name(child_cfg));
|
||||
diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
|
||||
index 4c09b578d..4c00c2be5 100644
|
||||
index 4c09b578d..1e8e788c3 100644
|
||||
--- a/src/libcharon/plugins/vici/vici_control.c
|
||||
+++ b/src/libcharon/plugins/vici/vici_control.c
|
||||
@@ -16,6 +16,28 @@
|
||||
@@ -325,16 +237,13 @@ index 4c09b578d..4c00c2be5 100644
|
||||
#include "vici_control.h"
|
||||
#include "vici_builder.h"
|
||||
|
||||
@@ -174,9 +196,12 @@ static child_cfg_t* find_child_cfg(char *name, char *pname, peer_cfg_t **out)
|
||||
CALLBACK(initiate, vici_message_t*,
|
||||
private_vici_control_t *this, char *name, u_int id, vici_message_t *request)
|
||||
{
|
||||
+ vici_message_t* msg;
|
||||
@@ -177,6 +199,9 @@ CALLBACK(initiate, vici_message_t*,
|
||||
peer_cfg_t *peer_cfg = NULL;
|
||||
child_cfg_t *child_cfg;
|
||||
char *child, *ike, *type, *sa;
|
||||
+ host_t *my_host = NULL, *other_host = NULL;
|
||||
+ char *my_host_str, *other_host_str;
|
||||
+ vici_message_t* msg;
|
||||
+ host_t *my_host = NULL, *other_host = NULL;
|
||||
int timeout;
|
||||
bool limits;
|
||||
controller_cb_t log_cb = NULL;
|
||||
@@ -347,7 +256,7 @@ index 4c09b578d..4c00c2be5 100644
|
||||
|
||||
if (!child && !ike)
|
||||
{
|
||||
@@ -203,28 +230,48 @@ CALLBACK(initiate, vici_message_t*,
|
||||
@@ -203,6 +230,17 @@ CALLBACK(initiate, vici_message_t*,
|
||||
type = child ? "CHILD_SA" : "IKE_SA";
|
||||
sa = child ?: ike;
|
||||
|
||||
@@ -360,20 +269,19 @@ index 4c09b578d..4c00c2be5 100644
|
||||
+ other_host = host_create_from_string(other_host_str, 0);
|
||||
+ }
|
||||
+
|
||||
+ DBG1(DBG_CFG, "vici initiate %s '%s', me %H, other %H, limits %d", type, sa, my_host, other_host, limits);
|
||||
+ DBG1(DBG_CFG, "vici initiate '%s', me %H, other %H, limits %d", child, my_host, other_host, limits);
|
||||
+
|
||||
child_cfg = find_child_cfg(child, ike, &peer_cfg);
|
||||
|
||||
- DBG1(DBG_CFG, "vici initiate %s '%s'", type, sa);
|
||||
if (!peer_cfg)
|
||||
DBG1(DBG_CFG, "vici initiate %s '%s'", type, sa);
|
||||
@@ -210,21 +248,30 @@ CALLBACK(initiate, vici_message_t*,
|
||||
{
|
||||
- return send_reply(this, "%s config '%s' not found", type, sa);
|
||||
+ msg = send_reply(this, "%s config '%s' not found", type, sa);
|
||||
+ goto ret;
|
||||
return send_reply(this, "%s config '%s' not found", type, sa);
|
||||
}
|
||||
switch (charon->controller->initiate(charon->controller, peer_cfg,
|
||||
- switch (charon->controller->initiate(charon->controller, peer_cfg,
|
||||
- child_cfg, log_cb, &log, timeout, limits))
|
||||
+ child_cfg, my_host, other_host,
|
||||
+ switch (charon->controller->initiate(charon->controller,
|
||||
+ peer_cfg, child_cfg, my_host, other_host,
|
||||
+ log_cb, &log, timeout, limits))
|
||||
{
|
||||
case SUCCESS:
|
||||
@@ -396,25 +304,13 @@ index 4c09b578d..4c00c2be5 100644
|
||||
+ msg = send_reply(this, "establishing %s '%s' failed", type, sa);
|
||||
+ break;
|
||||
}
|
||||
+ret:
|
||||
+
|
||||
+ if (my_host) my_host->destroy(my_host);
|
||||
+ if (other_host) other_host->destroy(other_host);
|
||||
+ return msg;
|
||||
}
|
||||
|
||||
CALLBACK(terminate, vici_message_t*,
|
||||
diff --git a/src/libcharon/processing/jobs/initiate_mediation_job.c b/src/libcharon/processing/jobs/initiate_mediation_job.c
|
||||
index 6a72499d3..eb0ad3846 100644
|
||||
--- a/src/libcharon/processing/jobs/initiate_mediation_job.c
|
||||
+++ b/src/libcharon/processing/jobs/initiate_mediation_job.c
|
||||
@@ -137,6 +137,7 @@ METHOD(job_t, initiate, job_requeue_t,
|
||||
mediation_cfg->get_ref(mediation_cfg);
|
||||
|
||||
if (charon->controller->initiate(charon->controller, mediation_cfg, NULL,
|
||||
+ NULL, NULL,
|
||||
(controller_cb_t)initiate_callback, this, 0, FALSE) != SUCCESS)
|
||||
{
|
||||
mediation_cfg->destroy(mediation_cfg);
|
||||
diff --git a/src/libcharon/processing/jobs/start_action_job.c b/src/libcharon/processing/jobs/start_action_job.c
|
||||
index 3a0ed879f..e3399007b 100644
|
||||
--- a/src/libcharon/processing/jobs/start_action_job.c
|
||||
@@ -429,7 +325,7 @@ index 3a0ed879f..e3399007b 100644
|
||||
case ACTION_ROUTE:
|
||||
DBG1(DBG_JOB, "start action: route '%s'", name);
|
||||
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
|
||||
index b6321cf16..a889b90ab 100644
|
||||
index 1e0ae42fe..52a18e3c2 100644
|
||||
--- a/src/libcharon/sa/ike_sa_manager.c
|
||||
+++ b/src/libcharon/sa/ike_sa_manager.c
|
||||
@@ -17,6 +17,28 @@
|
||||
@@ -461,8 +357,8 @@ index b6321cf16..a889b90ab 100644
|
||||
#include <string.h>
|
||||
#include <inttypes.h>
|
||||
|
||||
@@ -1485,7 +1507,8 @@ typedef struct {
|
||||
} config_entry_t;
|
||||
@@ -1423,7 +1445,8 @@ out:
|
||||
}
|
||||
|
||||
METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
|
||||
- private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg)
|
||||
@@ -471,9 +367,9 @@ index b6321cf16..a889b90ab 100644
|
||||
{
|
||||
enumerator_t *enumerator;
|
||||
entry_t *entry;
|
||||
@@ -1496,7 +1519,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
|
||||
@@ -1432,7 +1455,17 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
|
||||
ike_cfg_t *current_ike;
|
||||
u_int segment;
|
||||
int i;
|
||||
|
||||
- DBG2(DBG_MGR, "checkout IKE_SA by config");
|
||||
+ if (my_host && my_host->get_port(my_host) == 0)
|
||||
@@ -484,43 +380,45 @@ index b6321cf16..a889b90ab 100644
|
||||
+ {
|
||||
+ other_host->set_port(other_host, IKEV2_UDP_PORT);
|
||||
+ }
|
||||
+ DBG2(DBG_MGR, "checkout IKE_SA by config '%s', me %H, other %H",
|
||||
+ peer_cfg->get_name(peer_cfg), my_host, other_host);
|
||||
|
||||
if (!this->reuse_ikesa && peer_cfg->get_ike_version(peer_cfg) != IKEV1)
|
||||
{ /* IKE_SA reuse disabled by config (not possible for IKEv1) */
|
||||
@@ -1554,6 +1586,15 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
|
||||
continue;
|
||||
}
|
||||
|
||||
+ if (my_host && !my_host->ip_equals(my_host, entry->ike_sa->get_my_host(entry->ike_sa)))
|
||||
+ {
|
||||
+ continue;
|
||||
+ }
|
||||
+ if (other_host && !other_host->ip_equals(other_host, entry->ike_sa->get_other_host(entry->ike_sa)))
|
||||
+ {
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
|
||||
if (current_peer && current_peer->equals(current_peer, peer_cfg))
|
||||
{
|
||||
@@ -1580,6 +1621,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
|
||||
{
|
||||
ike_sa->set_peer_cfg(ike_sa, peer_cfg);
|
||||
checkout_new(this, ike_sa);
|
||||
+ if (my_host || other_host)
|
||||
+ DBG2(DBG_MGR, "checkout IKE_SA by config '%s', me %H, other %H",
|
||||
+ peer_cfg->get_name(peer_cfg), my_host, other_host);
|
||||
|
||||
if (this->reuse_ikesa || peer_cfg->get_ike_version(peer_cfg) == IKEV1)
|
||||
{
|
||||
@@ -1449,6 +1482,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
|
||||
entry->condvar->signal(entry->condvar);
|
||||
continue;
|
||||
}
|
||||
+
|
||||
+ if (my_host && !my_host->ip_equals(my_host, entry->ike_sa->get_my_host(entry->ike_sa)))
|
||||
+ {
|
||||
+ ike_sa->update_hosts(ike_sa, my_host, other_host, TRUE);
|
||||
+ continue;
|
||||
+ }
|
||||
+ if (other_host && !other_host->ip_equals(other_host, entry->ike_sa->get_other_host(entry->ike_sa)))
|
||||
+ {
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
|
||||
if (current_peer && current_peer->equals(current_peer, peer_cfg))
|
||||
{
|
||||
@@ -1480,6 +1523,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
|
||||
return NULL;
|
||||
}
|
||||
ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
|
||||
+ if (my_host || other_host)
|
||||
+ {
|
||||
+ ike_sa->update_hosts(ike_sa, my_host, other_host, TRUE);
|
||||
+ }
|
||||
}
|
||||
charon->bus->set_sa(charon->bus, ike_sa);
|
||||
|
||||
diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h
|
||||
index 318620be0..f40eeb74e 100644
|
||||
index efad2e4d6..c43edabbb 100644
|
||||
--- a/src/libcharon/sa/ike_sa_manager.h
|
||||
+++ b/src/libcharon/sa/ike_sa_manager.h
|
||||
@@ -109,7 +109,8 @@ struct ike_sa_manager_t {
|
||||
@@ -93,7 +93,8 @@ struct ike_sa_manager_t {
|
||||
ike_sa_t* (*checkout_by_message) (ike_sa_manager_t* this, message_t *message);
|
||||
|
||||
/**
|
||||
@@ -530,22 +428,23 @@ index 318620be0..f40eeb74e 100644
|
||||
*
|
||||
* To initiate, a CHILD_SA may be established within an existing IKE_SA.
|
||||
* This call checks for an existing IKE_SA by comparing the configuration.
|
||||
@@ -122,9 +123,12 @@ struct ike_sa_manager_t {
|
||||
* @note The peer_config is always set on the returned IKE_SA.
|
||||
@@ -103,10 +104,13 @@ struct ike_sa_manager_t {
|
||||
* the found IKE_SA is in the DELETING state.
|
||||
*
|
||||
* @param peer_cfg configuration used to find an existing IKE_SA
|
||||
+ * @param my_host source host address for wildcard peer_cfg
|
||||
+ * @param other_host remote host address for wildcard peer_cfg
|
||||
* @return checked out/created IKE_SA
|
||||
*/
|
||||
- ike_sa_t *(*checkout_by_config)(ike_sa_manager_t* this, peer_cfg_t *peer_cfg);
|
||||
+ ike_sa_t *(*checkout_by_config)(ike_sa_manager_t* this, peer_cfg_t *peer_cfg,
|
||||
ike_sa_t* (*checkout_by_config) (ike_sa_manager_t* this,
|
||||
- peer_cfg_t *peer_cfg);
|
||||
+ peer_cfg_t *peer_cfg,
|
||||
+ host_t *my_host, host_t *other_host);
|
||||
|
||||
/**
|
||||
* Reset initiator SPI.
|
||||
diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
|
||||
index f9f78acab..555e28ab6 100644
|
||||
index 2bc531b38..7220ea597 100644
|
||||
--- a/src/libcharon/sa/trap_manager.c
|
||||
+++ b/src/libcharon/sa/trap_manager.c
|
||||
@@ -432,7 +432,7 @@ METHOD(trap_manager_t, acquire, void,
|
||||
@@ -557,12 +456,12 @@ index f9f78acab..555e28ab6 100644
|
||||
bool wildcard, ignore = FALSE;
|
||||
|
||||
this->lock->read_lock(this->lock);
|
||||
@@ -508,36 +508,26 @@ METHOD(trap_manager_t, acquire, void,
|
||||
@@ -508,36 +508,27 @@ METHOD(trap_manager_t, acquire, void,
|
||||
this->lock->unlock(this->lock);
|
||||
|
||||
if (wildcard)
|
||||
- { /* the peer config would match IKE_SAs with other peers */
|
||||
- ike_sa = charon->ike_sa_manager->create_new(charon->ike_sa_manager,
|
||||
- ike_sa = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
|
||||
- peer->get_ike_version(peer), TRUE);
|
||||
- if (ike_sa)
|
||||
- {
|
||||
@@ -572,32 +471,34 @@ index f9f78acab..555e28ab6 100644
|
||||
-
|
||||
- ike_sa->set_peer_cfg(ike_sa, peer);
|
||||
- ike_cfg = ike_sa->get_ike_cfg(ike_sa);
|
||||
+ {
|
||||
+ ike_cfg_t *ike_cfg;
|
||||
+ uint16_t port;
|
||||
+ uint8_t mask;
|
||||
|
||||
-
|
||||
- port = ike_cfg->get_other_port(ike_cfg);
|
||||
- dst->to_subnet(dst, &host, &mask);
|
||||
- host->set_port(host, port);
|
||||
- ike_sa->set_other_host(ike_sa, host);
|
||||
+ ike_cfg = peer->get_ike_cfg(peer);
|
||||
|
||||
-
|
||||
- port = ike_cfg->get_my_port(ike_cfg);
|
||||
- src->to_subnet(src, &host, &mask);
|
||||
- host->set_port(host, port);
|
||||
- ike_sa->set_my_host(ike_sa, host);
|
||||
+ port = ike_cfg->get_other_port(ike_cfg);
|
||||
+ dst->to_subnet(dst, &other_host, &mask);
|
||||
+ other_host->set_port(other_host, port);
|
||||
|
||||
-
|
||||
- charon->bus->set_sa(charon->bus, ike_sa);
|
||||
- }
|
||||
- }
|
||||
- else
|
||||
- {
|
||||
{
|
||||
- ike_sa = charon->ike_sa_manager->checkout_by_config(
|
||||
- charon->ike_sa_manager, peer);
|
||||
+ ike_cfg_t *ike_cfg;
|
||||
+ uint16_t port;
|
||||
+ uint8_t mask;
|
||||
+
|
||||
+ ike_cfg = peer->get_ike_cfg(peer);
|
||||
+
|
||||
+ port = ike_cfg->get_other_port(ike_cfg);
|
||||
+ dst->to_subnet(dst, &other_host, &mask);
|
||||
+ other_host->set_port(other_host, port);
|
||||
+
|
||||
+ port = ike_cfg->get_my_port(ike_cfg);
|
||||
+ src->to_subnet(src, &my_host, &mask);
|
||||
+ my_host->set_port(my_host, port);
|
||||
@@ -605,11 +506,12 @@ index f9f78acab..555e28ab6 100644
|
||||
+ ike_sa = charon->ike_sa_manager->checkout_by_config(
|
||||
+ charon->ike_sa_manager, peer,
|
||||
+ my_host, other_host);
|
||||
+ if (my_host) my_host->destroy(my_host);
|
||||
+ if (other_host) other_host->destroy(other_host);
|
||||
peer->destroy(peer);
|
||||
|
||||
+ DESTROY_IF(my_host);
|
||||
+ DESTROY_IF(other_host);
|
||||
+
|
||||
if (ike_sa)
|
||||
{
|
||||
if (ike_sa->get_peer_cfg(ike_sa) == NULL)
|
||||
diff --git a/src/swanctl/commands/initiate.c b/src/swanctl/commands/initiate.c
|
||||
index 8ade8bf41..03b2cb0f4 100644
|
||||
--- a/src/swanctl/commands/initiate.c
|
||||
@@ -690,5 +592,5 @@ index 8ade8bf41..03b2cb0f4 100644
|
||||
{"raw", 'r', 0, "dump raw response message"},
|
||||
{"pretty", 'P', 0, "dump raw response message in pretty print"},
|
||||
--
|
||||
2.31.1
|
||||
2.25.4
|
||||
|
||||
@@ -1,18 +1,18 @@
|
||||
From e5589f7a7ddeac0de425783275d38327279eff4f Mon Sep 17 00:00:00 2001
|
||||
From 82293ee990d4c640bd5e33e894d44b70ad50ef79 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
|
||||
Date: Mon, 21 Sep 2015 13:42:05 +0300
|
||||
Subject: [PATCH 2/4] vici: send certificates for ike-sa events
|
||||
Subject: [PATCH 3/7] vici: send certificates for ike-sa events
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
|
||||
---
|
||||
src/libcharon/plugins/vici/vici_query.c | 50 +++++++++++++++++++++----
|
||||
1 file changed, 42 insertions(+), 8 deletions(-)
|
||||
src/libcharon/plugins/vici/vici_query.c | 48 +++++++++++++++++++++----
|
||||
1 file changed, 41 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
|
||||
index fb65b1447..9a0dc1c8b 100644
|
||||
index ad07ff12d..e3f6a0d26 100644
|
||||
--- a/src/libcharon/plugins/vici/vici_query.c
|
||||
+++ b/src/libcharon/plugins/vici/vici_query.c
|
||||
@@ -379,7 +379,7 @@ static void list_vips(private_vici_query_t *this, vici_builder_t *b,
|
||||
@@ -77,7 +77,7 @@ index fb65b1447..9a0dc1c8b 100644
|
||||
|
||||
eap = ike_sa->get_other_eap_id(ike_sa);
|
||||
|
||||
@@ -532,7 +566,7 @@ CALLBACK(list_sas, vici_message_t*,
|
||||
@@ -531,7 +565,7 @@ CALLBACK(list_sas, vici_message_t*,
|
||||
b = vici_builder_create();
|
||||
b->begin_section(b, ike_sa->get_name(ike_sa));
|
||||
|
||||
@@ -86,7 +86,7 @@ index fb65b1447..9a0dc1c8b 100644
|
||||
|
||||
b->begin_section(b, "child-sas");
|
||||
csas = ike_sa->create_child_sa_enumerator(ike_sa);
|
||||
@@ -1719,7 +1753,7 @@ METHOD(listener_t, ike_updown, bool,
|
||||
@@ -1717,7 +1751,7 @@ METHOD(listener_t, ike_updown, bool,
|
||||
}
|
||||
|
||||
b->begin_section(b, ike_sa->get_name(ike_sa));
|
||||
@@ -95,7 +95,7 @@ index fb65b1447..9a0dc1c8b 100644
|
||||
b->end_section(b);
|
||||
|
||||
this->dispatcher->raise_event(this->dispatcher,
|
||||
@@ -1744,10 +1778,10 @@ METHOD(listener_t, ike_rekey, bool,
|
||||
@@ -1742,10 +1776,10 @@ METHOD(listener_t, ike_rekey, bool,
|
||||
b = vici_builder_create();
|
||||
b->begin_section(b, old->get_name(old));
|
||||
b->begin_section(b, "old");
|
||||
@@ -108,16 +108,7 @@ index fb65b1447..9a0dc1c8b 100644
|
||||
b->end_section(b);
|
||||
b->end_section(b);
|
||||
|
||||
@@ -1778,7 +1812,7 @@ METHOD(listener_t, ike_update, bool,
|
||||
b->add_kv(b, "remote-port", "%d", remote->get_port(remote));
|
||||
|
||||
b->begin_section(b, ike_sa->get_name(ike_sa));
|
||||
- list_ike(this, b, ike_sa, now);
|
||||
+ list_ike(this, b, ike_sa, now, TRUE);
|
||||
b->end_section(b);
|
||||
|
||||
this->dispatcher->raise_event(this->dispatcher,
|
||||
@@ -1808,7 +1842,7 @@ METHOD(listener_t, child_updown, bool,
|
||||
@@ -1776,7 +1810,7 @@ METHOD(listener_t, child_updown, bool,
|
||||
}
|
||||
|
||||
b->begin_section(b, ike_sa->get_name(ike_sa));
|
||||
@@ -126,7 +117,7 @@ index fb65b1447..9a0dc1c8b 100644
|
||||
b->begin_section(b, "child-sas");
|
||||
|
||||
snprintf(buf, sizeof(buf), "%s-%u", child_sa->get_name(child_sa),
|
||||
@@ -1843,7 +1877,7 @@ METHOD(listener_t, child_rekey, bool,
|
||||
@@ -1811,7 +1845,7 @@ METHOD(listener_t, child_rekey, bool,
|
||||
b = vici_builder_create();
|
||||
|
||||
b->begin_section(b, ike_sa->get_name(ike_sa));
|
||||
@@ -136,5 +127,5 @@ index fb65b1447..9a0dc1c8b 100644
|
||||
|
||||
b->begin_section(b, old->get_name(old));
|
||||
--
|
||||
2.31.1
|
||||
2.25.4
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
From faa75e58ec73dc70ba296a2ec534f2f87550c960 Mon Sep 17 00:00:00 2001
|
||||
From 7df0e439a339286991dda5cc14f0eb078885401b Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
|
||||
Date: Mon, 21 Sep 2015 13:42:11 +0300
|
||||
Subject: [PATCH 3/4] vici: add support for individual sa state changes
|
||||
Subject: [PATCH 4/7] vici: add support for individual sa state changes
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
@@ -10,17 +10,17 @@ Useful for monitoring and tracking full SA.
|
||||
|
||||
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
|
||||
---
|
||||
src/libcharon/plugins/vici/vici_query.c | 106 ++++++++++++++++++++++++
|
||||
1 file changed, 106 insertions(+)
|
||||
src/libcharon/plugins/vici/vici_query.c | 105 ++++++++++++++++++++++++
|
||||
1 file changed, 105 insertions(+)
|
||||
|
||||
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
|
||||
index 9a0dc1c8b..b213ba432 100644
|
||||
index e3f6a0d26..9968cdd3c 100644
|
||||
--- a/src/libcharon/plugins/vici/vici_query.c
|
||||
+++ b/src/libcharon/plugins/vici/vici_query.c
|
||||
@@ -1719,8 +1719,16 @@ static void manage_commands(private_vici_query_t *this, bool reg)
|
||||
@@ -1717,8 +1717,16 @@ static void manage_commands(private_vici_query_t *this, bool reg)
|
||||
this->dispatcher->manage_event(this->dispatcher, "list-cert", reg);
|
||||
this->dispatcher->manage_event(this->dispatcher, "ike-updown", reg);
|
||||
this->dispatcher->manage_event(this->dispatcher, "ike-rekey", reg);
|
||||
this->dispatcher->manage_event(this->dispatcher, "ike-update", reg);
|
||||
+ this->dispatcher->manage_event(this->dispatcher, "ike-state-established", reg);
|
||||
+ this->dispatcher->manage_event(this->dispatcher, "ike-state-destroying", reg);
|
||||
this->dispatcher->manage_event(this->dispatcher, "child-updown", reg);
|
||||
@@ -34,11 +34,10 @@ index 9a0dc1c8b..b213ba432 100644
|
||||
manage_command(this, "list-sas", list_sas, reg);
|
||||
manage_command(this, "list-policies", list_policies, reg);
|
||||
manage_command(this, "list-conns", list_conns, reg);
|
||||
@@ -1821,6 +1829,46 @@ METHOD(listener_t, ike_update, bool,
|
||||
@@ -1789,6 +1797,45 @@ METHOD(listener_t, ike_rekey, bool,
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
+
|
||||
+METHOD(listener_t, ike_state_change, bool,
|
||||
+ private_vici_query_t *this, ike_sa_t *ike_sa, ike_sa_state_t state)
|
||||
+{
|
||||
@@ -81,7 +80,7 @@ index 9a0dc1c8b..b213ba432 100644
|
||||
METHOD(listener_t, child_updown, bool,
|
||||
private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, bool up)
|
||||
{
|
||||
@@ -1900,6 +1948,62 @@ METHOD(listener_t, child_rekey, bool,
|
||||
@@ -1868,6 +1915,62 @@ METHOD(listener_t, child_rekey, bool,
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
@@ -144,10 +143,10 @@ index 9a0dc1c8b..b213ba432 100644
|
||||
METHOD(vici_query_t, destroy, void,
|
||||
private_vici_query_t *this)
|
||||
{
|
||||
@@ -1920,8 +2024,10 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
|
||||
@@ -1887,8 +1990,10 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
|
||||
.listener = {
|
||||
.ike_updown = _ike_updown,
|
||||
.ike_rekey = _ike_rekey,
|
||||
.ike_update = _ike_update,
|
||||
+ .ike_state_change = _ike_state_change,
|
||||
.child_updown = _child_updown,
|
||||
.child_rekey = _child_rekey,
|
||||
@@ -156,5 +155,5 @@ index 9a0dc1c8b..b213ba432 100644
|
||||
.destroy = _destroy,
|
||||
},
|
||||
--
|
||||
2.31.1
|
||||
2.25.4
|
||||
|
||||
49
0005-vici-add-deprecated-async-parameter.patch
Normal file
49
0005-vici-add-deprecated-async-parameter.patch
Normal file
@@ -0,0 +1,49 @@
|
||||
From 467ba7f78ef3d09c27ac410f147cca66a6591a1e Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
|
||||
Date: Mon, 21 Sep 2015 13:42:15 +0300
|
||||
Subject: [PATCH 5/7] vici: add (deprecated) async parameter
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This is obsoleted by the new "timeout=-1" option that achieves
|
||||
the same. Only for compatibility with old versions of quagga-nhrp.
|
||||
|
||||
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
|
||||
---
|
||||
src/libcharon/plugins/vici/vici_control.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
|
||||
index 1e8e788c3..12ef92334 100644
|
||||
--- a/src/libcharon/plugins/vici/vici_control.c
|
||||
+++ b/src/libcharon/plugins/vici/vici_control.c
|
||||
@@ -203,7 +203,7 @@ CALLBACK(initiate, vici_message_t*,
|
||||
vici_message_t* msg;
|
||||
host_t *my_host = NULL, *other_host = NULL;
|
||||
int timeout;
|
||||
- bool limits;
|
||||
+ bool limits, async;
|
||||
controller_cb_t log_cb = NULL;
|
||||
log_info_t log = {
|
||||
.dispatcher = this->dispatcher,
|
||||
@@ -214,6 +214,7 @@ CALLBACK(initiate, vici_message_t*,
|
||||
ike = request->get_str(request, NULL, "ike");
|
||||
timeout = request->get_int(request, 0, "timeout");
|
||||
limits = request->get_bool(request, FALSE, "init-limits");
|
||||
+ async = request->get_bool(request, FALSE, "async");
|
||||
log.level = request->get_int(request, 1, "loglevel");
|
||||
my_host_str = request->get_str(request, NULL, "my-host");
|
||||
other_host_str = request->get_str(request, NULL, "other-host");
|
||||
@@ -222,7 +223,7 @@ CALLBACK(initiate, vici_message_t*,
|
||||
{
|
||||
return send_reply(this, "missing configuration name");
|
||||
}
|
||||
- if (timeout >= 0)
|
||||
+ if (timeout >= 0 && !async)
|
||||
{
|
||||
log_cb = (controller_cb_t)log_vici;
|
||||
}
|
||||
--
|
||||
2.25.4
|
||||
|
||||
507
0006-support-gre-key-in-ikev1.patch
Normal file
507
0006-support-gre-key-in-ikev1.patch
Normal file
@@ -0,0 +1,507 @@
|
||||
From dffd2c31828ec4d9bf9a299952a1559675816241 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
|
||||
Date: Mon, 21 Sep 2015 13:42:18 +0300
|
||||
Subject: [PATCH 6/7] support gre key in ikev1
|
||||
|
||||
this implements gre key negotiation in ikev1 similarly to the
|
||||
ipsec-tools patch in alpine.
|
||||
|
||||
the from/to port pair is internally used as gre key for gre
|
||||
protocol traffic selectors. since from/to pairs 0/0xffff and
|
||||
0xffff/0 have special meaning, the gre keys 0xffff and 0xffff0000
|
||||
will not work.
|
||||
|
||||
this is not standard compliant, and should probably not be upstreamed
|
||||
or used widely, but it is applied for interoperability with alpine
|
||||
racoon for the time being.
|
||||
---
|
||||
src/libcharon/encoding/payloads/id_payload.c | 68 ++++++++++++++-----
|
||||
src/libcharon/encoding/payloads/id_payload.h | 6 +-
|
||||
.../kernel_netlink/kernel_netlink_ipsec.c | 40 ++++++++---
|
||||
src/libcharon/plugins/stroke/stroke_config.c | 5 ++
|
||||
src/libcharon/plugins/unity/unity_narrow.c | 2 +-
|
||||
src/libcharon/plugins/vici/vici_config.c | 9 ++-
|
||||
src/libcharon/sa/ikev1/tasks/quick_mode.c | 16 +++--
|
||||
.../selectors/traffic_selector.c | 33 ++++++++-
|
||||
.../selectors/traffic_selector.h | 31 +++++++++
|
||||
9 files changed, 171 insertions(+), 39 deletions(-)
|
||||
|
||||
diff --git a/src/libcharon/encoding/payloads/id_payload.c b/src/libcharon/encoding/payloads/id_payload.c
|
||||
index b2f1adbbc..6b44d0cf6 100644
|
||||
--- a/src/libcharon/encoding/payloads/id_payload.c
|
||||
+++ b/src/libcharon/encoding/payloads/id_payload.c
|
||||
@@ -245,18 +245,20 @@ METHOD(id_payload_t, get_identification, identification_t*,
|
||||
* Create a traffic selector from an range ID
|
||||
*/
|
||||
static traffic_selector_t *get_ts_from_range(private_id_payload_t *this,
|
||||
- ts_type_t type)
|
||||
+ ts_type_t type,
|
||||
+ uint16_t from_port, uint16_t to_port)
|
||||
{
|
||||
return traffic_selector_create_from_bytes(this->protocol_id, type,
|
||||
- chunk_create(this->id_data.ptr, this->id_data.len / 2), this->port,
|
||||
- chunk_skip(this->id_data, this->id_data.len / 2), this->port ?: 65535);
|
||||
+ chunk_create(this->id_data.ptr, this->id_data.len / 2), from_port,
|
||||
+ chunk_skip(this->id_data, this->id_data.len / 2), to_port);
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a traffic selector from an subnet ID
|
||||
*/
|
||||
static traffic_selector_t *get_ts_from_subnet(private_id_payload_t *this,
|
||||
- ts_type_t type)
|
||||
+ ts_type_t type,
|
||||
+ uint16_t from_port, uint16_t to_port)
|
||||
{
|
||||
traffic_selector_t *ts;
|
||||
chunk_t net, netmask;
|
||||
@@ -269,7 +271,7 @@ static traffic_selector_t *get_ts_from_subnet(private_id_payload_t *this,
|
||||
netmask.ptr[i] = (netmask.ptr[i] ^ 0xFF) | net.ptr[i];
|
||||
}
|
||||
ts = traffic_selector_create_from_bytes(this->protocol_id, type,
|
||||
- net, this->port, netmask, this->port ?: 65535);
|
||||
+ net, from_port, netmask, to_port);
|
||||
chunk_free(&netmask);
|
||||
return ts;
|
||||
}
|
||||
@@ -278,51 +280,76 @@ static traffic_selector_t *get_ts_from_subnet(private_id_payload_t *this,
|
||||
* Create a traffic selector from an IP ID
|
||||
*/
|
||||
static traffic_selector_t *get_ts_from_ip(private_id_payload_t *this,
|
||||
- ts_type_t type)
|
||||
+ ts_type_t type,
|
||||
+ uint16_t from_port, uint16_t to_port)
|
||||
{
|
||||
return traffic_selector_create_from_bytes(this->protocol_id, type,
|
||||
- this->id_data, this->port, this->id_data, this->port ?: 65535);
|
||||
+ this->id_data, from_port, this->id_data, to_port);
|
||||
}
|
||||
|
||||
METHOD(id_payload_t, get_ts, traffic_selector_t*,
|
||||
- private_id_payload_t *this)
|
||||
+ private_id_payload_t *this, id_payload_t *other_, bool initiator)
|
||||
{
|
||||
+ private_id_payload_t *other = (private_id_payload_t *) other_;
|
||||
+ uint16_t from_port, to_port;
|
||||
+
|
||||
+ if (other && this->protocol_id == IPPROTO_GRE && other->protocol_id == IPPROTO_GRE)
|
||||
+ {
|
||||
+ if (initiator)
|
||||
+ {
|
||||
+ from_port = this->port;
|
||||
+ to_port = other->port;
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ from_port = other->port;
|
||||
+ to_port = this->port;
|
||||
+ }
|
||||
+ if (from_port == 0 && to_port == 0)
|
||||
+ to_port = 0xffff;
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ from_port = this->port;
|
||||
+ to_port = this->port ?: 0xffff;
|
||||
+ }
|
||||
+
|
||||
switch (this->id_type)
|
||||
{
|
||||
case ID_IPV4_ADDR_SUBNET:
|
||||
if (this->id_data.len == 8)
|
||||
{
|
||||
- return get_ts_from_subnet(this, TS_IPV4_ADDR_RANGE);
|
||||
+ return get_ts_from_subnet(this, TS_IPV4_ADDR_RANGE, from_port, to_port);
|
||||
}
|
||||
break;
|
||||
case ID_IPV6_ADDR_SUBNET:
|
||||
if (this->id_data.len == 32)
|
||||
{
|
||||
- return get_ts_from_subnet(this, TS_IPV6_ADDR_RANGE);
|
||||
+ return get_ts_from_subnet(this, TS_IPV6_ADDR_RANGE, from_port, to_port);
|
||||
}
|
||||
break;
|
||||
case ID_IPV4_ADDR_RANGE:
|
||||
if (this->id_data.len == 8)
|
||||
{
|
||||
- return get_ts_from_range(this, TS_IPV4_ADDR_RANGE);
|
||||
+ return get_ts_from_range(this, TS_IPV4_ADDR_RANGE, from_port, to_port);
|
||||
}
|
||||
break;
|
||||
case ID_IPV6_ADDR_RANGE:
|
||||
if (this->id_data.len == 32)
|
||||
{
|
||||
- return get_ts_from_range(this, TS_IPV6_ADDR_RANGE);
|
||||
+ return get_ts_from_range(this, TS_IPV6_ADDR_RANGE, from_port, to_port);
|
||||
}
|
||||
break;
|
||||
case ID_IPV4_ADDR:
|
||||
if (this->id_data.len == 4)
|
||||
{
|
||||
- return get_ts_from_ip(this, TS_IPV4_ADDR_RANGE);
|
||||
+ return get_ts_from_ip(this, TS_IPV4_ADDR_RANGE, from_port, to_port);
|
||||
}
|
||||
break;
|
||||
case ID_IPV6_ADDR:
|
||||
if (this->id_data.len == 16)
|
||||
{
|
||||
- return get_ts_from_ip(this, TS_IPV6_ADDR_RANGE);
|
||||
+ return get_ts_from_ip(this, TS_IPV6_ADDR_RANGE, from_port, to_port);
|
||||
}
|
||||
break;
|
||||
default:
|
||||
@@ -397,7 +424,7 @@ id_payload_t *id_payload_create_from_identification(payload_type_t type,
|
||||
/*
|
||||
* Described in header.
|
||||
*/
|
||||
-id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts)
|
||||
+id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts, bool initiator)
|
||||
{
|
||||
private_id_payload_t *this;
|
||||
uint8_t mask;
|
||||
@@ -460,8 +487,17 @@ id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts)
|
||||
ts->get_from_address(ts), ts->get_to_address(ts));
|
||||
net->destroy(net);
|
||||
}
|
||||
- this->port = ts->get_from_port(ts);
|
||||
this->protocol_id = ts->get_protocol(ts);
|
||||
+ if (initiator || this->protocol_id != IPPROTO_GRE)
|
||||
+ {
|
||||
+ this->port = ts->get_from_port(ts);
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ this->port = ts->get_to_port(ts);
|
||||
+ if (this->port == 0xffff && ts->get_from_port(ts) == 0)
|
||||
+ this->port = 0;
|
||||
+ }
|
||||
this->payload_length += this->id_data.len;
|
||||
|
||||
return &this->public;
|
||||
diff --git a/src/libcharon/encoding/payloads/id_payload.h b/src/libcharon/encoding/payloads/id_payload.h
|
||||
index 044268180..1e2306b16 100644
|
||||
--- a/src/libcharon/encoding/payloads/id_payload.h
|
||||
+++ b/src/libcharon/encoding/payloads/id_payload.h
|
||||
@@ -48,11 +48,11 @@ struct id_payload_t {
|
||||
identification_t *(*get_identification) (id_payload_t *this);
|
||||
|
||||
/**
|
||||
- * Creates a traffic selector form a ID_ADDR_SUBNET/RANGE identity.
|
||||
+ * Creates a traffic selector form a ID_ADDR_SUBNET/RANGE identity pair.
|
||||
*
|
||||
* @return traffic selector, NULL on failure
|
||||
*/
|
||||
- traffic_selector_t* (*get_ts)(id_payload_t *this);
|
||||
+ traffic_selector_t* (*get_ts)(id_payload_t *this, id_payload_t *other, bool initiator);
|
||||
|
||||
/**
|
||||
* Get encoded payload without fixed payload header (used for IKEv1).
|
||||
@@ -91,6 +91,6 @@ id_payload_t *id_payload_create_from_identification(payload_type_t type,
|
||||
* @param ts traffic selector
|
||||
* @return PLV1_ID id_payload_t object.
|
||||
*/
|
||||
-id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts);
|
||||
+id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts, bool initiator);
|
||||
|
||||
#endif /** ID_PAYLOAD_H_ @}*/
|
||||
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
|
||||
index ef0d424bd..a0948f7c0 100644
|
||||
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
|
||||
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
|
||||
@@ -814,7 +814,18 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
|
||||
ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
|
||||
ts2ports(dst, &sel.dport, &sel.dport_mask);
|
||||
ts2ports(src, &sel.sport, &sel.sport_mask);
|
||||
- if ((sel.proto == IPPROTO_ICMP || sel.proto == IPPROTO_ICMPV6) &&
|
||||
+ if (sel.proto == IPPROTO_GRE)
|
||||
+ {
|
||||
+ sel.sport = htons(src->get_from_port(src));
|
||||
+ sel.dport = htons(src->get_to_port(src));
|
||||
+ sel.sport_mask = ~0;
|
||||
+ sel.dport_mask = ~0;
|
||||
+ if (sel.sport == htons(0) && sel.dport == htons(0xffff))
|
||||
+ {
|
||||
+ sel.sport = sel.dport = sel.sport_mask = sel.dport_mask = 0;
|
||||
+ }
|
||||
+ }
|
||||
+ else if ((sel.proto == IPPROTO_ICMP || sel.proto == IPPROTO_ICMPV6) &&
|
||||
(sel.dport || sel.sport))
|
||||
{
|
||||
/* the kernel expects the ICMP type and code in the source and
|
||||
@@ -838,7 +849,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
|
||||
{
|
||||
u_char *addr;
|
||||
uint8_t prefixlen;
|
||||
- uint16_t port = 0;
|
||||
+ uint16_t from_port = 0, to_port = 65535;
|
||||
host_t *host = NULL;
|
||||
|
||||
if (src)
|
||||
@@ -847,7 +858,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
|
||||
prefixlen = sel->prefixlen_s;
|
||||
if (sel->sport_mask)
|
||||
{
|
||||
- port = ntohs(sel->sport);
|
||||
+ from_port = to_port = ntohs(sel->sport);
|
||||
}
|
||||
}
|
||||
else
|
||||
@@ -856,14 +867,27 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
|
||||
prefixlen = sel->prefixlen_d;
|
||||
if (sel->dport_mask)
|
||||
{
|
||||
- port = ntohs(sel->dport);
|
||||
+ from_port = to_port = ntohs(sel->dport);
|
||||
}
|
||||
}
|
||||
- if (sel->proto == IPPROTO_ICMP || sel->proto == IPPROTO_ICMPV6)
|
||||
+ if (sel->proto == IPPROTO_GRE)
|
||||
+ {
|
||||
+ if (sel->sport_mask)
|
||||
+ {
|
||||
+ from_port = ntohs(sel->sport);
|
||||
+ to_port = ntohs(sel->dport);
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ from_port = 0;
|
||||
+ to_port = 0xffff;
|
||||
+ }
|
||||
+ }
|
||||
+ else if (sel->proto == IPPROTO_ICMP || sel->proto == IPPROTO_ICMPV6)
|
||||
{ /* convert ICMP[v6] message type and code as supplied by the kernel in
|
||||
* source and destination ports (both in network order) */
|
||||
- port = (sel->sport >> 8) | (sel->dport & 0xff00);
|
||||
- port = ntohs(port);
|
||||
+ from_port = (sel->sport >> 8) | (sel->dport & 0xff00);
|
||||
+ from_port = to_port = ntohs(from_port);
|
||||
}
|
||||
/* The Linux 2.6 kernel does not set the selector's family field,
|
||||
* so as a kludge we additionally test the prefix length.
|
||||
@@ -880,7 +904,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
|
||||
if (host)
|
||||
{
|
||||
return traffic_selector_create_from_subnet(host, prefixlen,
|
||||
- sel->proto, port, port ?: 65535);
|
||||
+ sel->proto, from_port, to_port);
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
|
||||
index 175b6b549..db3e558f6 100644
|
||||
--- a/src/libcharon/plugins/stroke/stroke_config.c
|
||||
+++ b/src/libcharon/plugins/stroke/stroke_config.c
|
||||
@@ -936,6 +936,11 @@ static bool parse_protoport(char *token, uint16_t *from_port,
|
||||
*from_port = 0xffff;
|
||||
*to_port = 0;
|
||||
}
|
||||
+ else if (*port && *protocol == IPPROTO_GRE)
|
||||
+ {
|
||||
+ p = strtol(port, &endptr, 0);
|
||||
+ traffic_selector_split_grekey(p, from_port, to_port);
|
||||
+ }
|
||||
else if (*port)
|
||||
{
|
||||
svc = getservbyname(port, NULL);
|
||||
diff --git a/src/libcharon/plugins/unity/unity_narrow.c b/src/libcharon/plugins/unity/unity_narrow.c
|
||||
index afbd6cc7e..911fe70c6 100644
|
||||
--- a/src/libcharon/plugins/unity/unity_narrow.c
|
||||
+++ b/src/libcharon/plugins/unity/unity_narrow.c
|
||||
@@ -248,7 +248,7 @@ METHOD(listener_t, message, bool,
|
||||
if (!first)
|
||||
{
|
||||
id_payload = (id_payload_t*)payload;
|
||||
- tsr = id_payload->get_ts(id_payload);
|
||||
+ tsr = id_payload->get_ts(id_payload, NULL, FALSE);
|
||||
break;
|
||||
}
|
||||
first = FALSE;
|
||||
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
|
||||
index 81f2970ae..92ab77a00 100644
|
||||
--- a/src/libcharon/plugins/vici/vici_config.c
|
||||
+++ b/src/libcharon/plugins/vici/vici_config.c
|
||||
@@ -709,8 +709,13 @@ CALLBACK(parse_ts, bool,
|
||||
}
|
||||
else if (*port && !streq(port, "any"))
|
||||
{
|
||||
- svc = getservbyname(port, NULL);
|
||||
- if (svc)
|
||||
+ if (proto == IPPROTO_GRE)
|
||||
+ {
|
||||
+ p = strtol(port, &end, 0);
|
||||
+ if (*end) return FALSE;
|
||||
+ traffic_selector_split_grekey(p, &from, &to);
|
||||
+ }
|
||||
+ else if ((svc = getservbyname(port, NULL)) != NULL)
|
||||
{
|
||||
from = to = ntohs(svc->s_port);
|
||||
}
|
||||
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
|
||||
index 50c280fe5..049da8847 100644
|
||||
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
|
||||
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
|
||||
@@ -552,9 +552,9 @@ static void add_ts(private_quick_mode_t *this, message_t *message)
|
||||
{
|
||||
id_payload_t *id_payload;
|
||||
|
||||
- id_payload = id_payload_create_from_ts(this->tsi);
|
||||
+ id_payload = id_payload_create_from_ts(this->tsi, TRUE);
|
||||
message->add_payload(message, &id_payload->payload_interface);
|
||||
- id_payload = id_payload_create_from_ts(this->tsr);
|
||||
+ id_payload = id_payload_create_from_ts(this->tsr, FALSE);
|
||||
message->add_payload(message, &id_payload->payload_interface);
|
||||
}
|
||||
|
||||
@@ -565,7 +565,7 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
|
||||
{
|
||||
traffic_selector_t *tsi = NULL, *tsr = NULL;
|
||||
enumerator_t *enumerator;
|
||||
- id_payload_t *id_payload;
|
||||
+ id_payload_t *idi = NULL, *idr = NULL;
|
||||
payload_t *payload;
|
||||
host_t *hsi, *hsr;
|
||||
bool first = TRUE;
|
||||
@@ -575,20 +575,22 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
|
||||
{
|
||||
if (payload->get_type(payload) == PLV1_ID)
|
||||
{
|
||||
- id_payload = (id_payload_t*)payload;
|
||||
-
|
||||
if (first)
|
||||
{
|
||||
- tsi = id_payload->get_ts(id_payload);
|
||||
+ idi = (id_payload_t*)payload;
|
||||
first = FALSE;
|
||||
}
|
||||
else
|
||||
{
|
||||
- tsr = id_payload->get_ts(id_payload);
|
||||
+ idr = (id_payload_t*)payload;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
+ if (idi && idr) {
|
||||
+ tsi = idi->get_ts(idi, idr, TRUE);
|
||||
+ tsr = idr->get_ts(idr, idi, FALSE);
|
||||
+ }
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
/* create host2host selectors if ID payloads missing */
|
||||
diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c
|
||||
index cfd2b029d..d01e2ccec 100644
|
||||
--- a/src/libstrongswan/selectors/traffic_selector.c
|
||||
+++ b/src/libstrongswan/selectors/traffic_selector.c
|
||||
@@ -198,6 +198,14 @@ static int print_icmp(printf_hook_data_t *data, uint16_t port)
|
||||
return print_in_hook(data, "%d", type);
|
||||
}
|
||||
|
||||
+/**
|
||||
+ * Print GRE key
|
||||
+ */
|
||||
+static int print_grekey(printf_hook_data_t *data, uint16_t from_port, uint16_t to_port)
|
||||
+{
|
||||
+ return print_in_hook(data, "%d", traffic_selector_grekey(from_port, to_port));
|
||||
+}
|
||||
+
|
||||
/**
|
||||
* Described in header.
|
||||
*/
|
||||
@@ -303,7 +311,11 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
|
||||
{
|
||||
written += print_in_hook(data, "/");
|
||||
|
||||
- if (this->from_port == this->to_port)
|
||||
+ if (this->protocol == IPPROTO_GRE)
|
||||
+ {
|
||||
+ written += print_grekey(data, this->from_port, this->to_port);
|
||||
+ }
|
||||
+ else if (this->from_port == this->to_port)
|
||||
{
|
||||
struct servent *serv;
|
||||
|
||||
@@ -377,7 +389,24 @@ METHOD(traffic_selector_t, get_subset, traffic_selector_t*,
|
||||
/* select protocol, which is not zero */
|
||||
protocol = max(this->protocol, other->protocol);
|
||||
|
||||
- if ((is_opaque(this) && is_opaque(other)) ||
|
||||
+ if (this->protocol == IPPROTO_GRE)
|
||||
+ {
|
||||
+ if (is_any(this))
|
||||
+ {
|
||||
+ from_port = other->from_port;
|
||||
+ to_port = other->to_port;
|
||||
+ }
|
||||
+ else if (is_any(other) ||
|
||||
+ (this->from_port == other->from_port &&
|
||||
+ this->to_port == other->to_port))
|
||||
+ {
|
||||
+ from_port = this->from_port;
|
||||
+ to_port = this->to_port;
|
||||
+ }
|
||||
+ else
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ else if ((is_opaque(this) && is_opaque(other)) ||
|
||||
(is_opaque(this) && is_any(other)) ||
|
||||
(is_opaque(other) && is_any(this)))
|
||||
{
|
||||
diff --git a/src/libstrongswan/selectors/traffic_selector.h b/src/libstrongswan/selectors/traffic_selector.h
|
||||
index 03f7a6d8c..b27ca4ad1 100644
|
||||
--- a/src/libstrongswan/selectors/traffic_selector.h
|
||||
+++ b/src/libstrongswan/selectors/traffic_selector.h
|
||||
@@ -120,6 +120,9 @@ struct traffic_selector_t {
|
||||
* 8 bits and the code in the least significant 8 bits. Use the utility
|
||||
* functions to extract them.
|
||||
*
|
||||
+ * If the protocol is GRE, the high 16-bits of the 32-bit GRE key is stored
|
||||
+ * in the from port. Use the utility function to merge and split them.
|
||||
+ *
|
||||
* @return port
|
||||
*/
|
||||
uint16_t (*get_from_port)(traffic_selector_t *this);
|
||||
@@ -134,6 +137,9 @@ struct traffic_selector_t {
|
||||
* 8 bits and the code in the least significant 8 bits. Use the utility
|
||||
* functions to extract them.
|
||||
*
|
||||
+ * If the protocol is GRE, the low 16-bits of the 32-bit GRE key is stored
|
||||
+ * in the to port. Use the utility function to merge and split them.
|
||||
+ *
|
||||
* @return port
|
||||
*/
|
||||
uint16_t (*get_to_port)(traffic_selector_t *this);
|
||||
@@ -277,6 +283,31 @@ static inline uint8_t traffic_selector_icmp_code(uint16_t port)
|
||||
int traffic_selector_cmp(traffic_selector_t *a, traffic_selector_t *b,
|
||||
void *opts);
|
||||
|
||||
+/**
|
||||
+ * Reconstruct the 32-bit GRE KEY in host order from a from/to ports.
|
||||
+ *
|
||||
+ * @param from_port port number in host order
|
||||
+ * @param to_port port number in host order
|
||||
+ * @return GRE KEY in host order
|
||||
+ */
|
||||
+static inline uint32_t traffic_selector_grekey(uint16_t from_port, uint16_t to_port)
|
||||
+{
|
||||
+ return (from_port << 16) | to_port;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * Split 32-bit GRE KEY in host order to from/to ports.
|
||||
+ *
|
||||
+ * @param grekey grekey in host order
|
||||
+ * @param from_port from port in host order
|
||||
+ * @param to_port to port in host order
|
||||
+ */
|
||||
+static inline void traffic_selector_split_grekey(uint32_t grekey, uint16_t *from_port, uint16_t *to_port)
|
||||
+{
|
||||
+ *from_port = grekey >> 16;
|
||||
+ *to_port = grekey & 0xffff;
|
||||
+}
|
||||
+
|
||||
/**
|
||||
* Create a new traffic selector using human readable params.
|
||||
*
|
||||
--
|
||||
2.25.4
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
From 1057ecaa416c81b0e3fd4b26e1c8c301d1749ecb Mon Sep 17 00:00:00 2001
|
||||
From a0dedc6cae5828d048bcbb16392d17b7a168a260 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zpericic@netst.org>
|
||||
Date: Wed, 22 Jan 2020 13:12:39 +0100
|
||||
Subject: [PATCH 4/4] vyos-terminate-connections-source-dest
|
||||
Subject: [PATCH 7/7] vyos-terminate-connections-source-dest
|
||||
|
||||
---
|
||||
src/libcharon/plugins/vici/vici_control.c | 27 ++++++++++++++++++++---
|
||||
@@ -9,10 +9,10 @@ Subject: [PATCH 4/4] vyos-terminate-connections-source-dest
|
||||
2 files changed, 41 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
|
||||
index 4c00c2be5..8936e93ae 100644
|
||||
index 12ef92334..d9cf1add5 100644
|
||||
--- a/src/libcharon/plugins/vici/vici_control.c
|
||||
+++ b/src/libcharon/plugins/vici/vici_control.c
|
||||
@@ -278,12 +278,13 @@ CALLBACK(terminate, vici_message_t*,
|
||||
@@ -279,12 +279,13 @@ CALLBACK(terminate, vici_message_t*,
|
||||
private_vici_control_t *this, char *name, u_int id, vici_message_t *request)
|
||||
{
|
||||
enumerator_t *enumerator, *isas, *csas;
|
||||
@@ -27,7 +27,7 @@ index 4c00c2be5..8936e93ae 100644
|
||||
array_t *ids;
|
||||
vici_builder_t *builder;
|
||||
controller_cb_t log_cb = NULL;
|
||||
@@ -299,12 +300,23 @@ CALLBACK(terminate, vici_message_t*,
|
||||
@@ -300,12 +301,23 @@ CALLBACK(terminate, vici_message_t*,
|
||||
force = request->get_bool(request, FALSE, "force");
|
||||
timeout = request->get_int(request, 0, "timeout");
|
||||
log.level = request->get_int(request, 1, "loglevel");
|
||||
@@ -53,7 +53,7 @@ index 4c00c2be5..8936e93ae 100644
|
||||
if (ike_id)
|
||||
{
|
||||
DBG1(DBG_CFG, "vici terminate IKE_SA #%d", ike_id);
|
||||
@@ -367,6 +379,15 @@ CALLBACK(terminate, vici_message_t*,
|
||||
@@ -368,6 +380,15 @@ CALLBACK(terminate, vici_message_t*,
|
||||
{
|
||||
array_insert(ids, ARRAY_TAIL, &ike_id);
|
||||
}
|
||||
@@ -120,5 +120,5 @@ index 2309843b2..37d0bde3f 100644
|
||||
{"child-id", 'C', 1, "terminate by CHILD_SA reqid"},
|
||||
{"ike-id", 'I', 1, "terminate by IKE_SA unique identifier"},
|
||||
--
|
||||
2.31.1
|
||||
2.25.4
|
||||
|
||||
2
sources
2
sources
@@ -1 +1 @@
|
||||
SHA512 (strongswan-5.9.3.tar.bz2) = 09bd78225415422c8f55c9f0dea2ca70111f42f0deacfaaac30c422109ff64180f6a6a47c6bc54238e8403f0b2f8520122c1eabbeda3f915427fadb838a5df51
|
||||
SHA512 (strongswan-5.9.1.tar.bz2) = 222625e77bd86959da6dd7346cfa9f92569fc396a494bb95ddf2c8e0680b7e8041541e8a14320517a0c735d713ae0fdc0d0c4694215e812817814b0b4efc3497
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
%global _hardened_build 1
|
||||
#%%define prerelease dr1
|
||||
%global dist .nhrp.9%{?dist}
|
||||
%global dist .nhrp.3%{?dist}
|
||||
|
||||
Name: strongswan
|
||||
Version: 5.9.3
|
||||
Version: 5.9.1
|
||||
Release: 1%{?dist}
|
||||
Summary: An OpenSource IPsec-based VPN and TNC solution
|
||||
License: GPLv2+
|
||||
@@ -14,10 +14,13 @@ Patch0: strongswan-5.9.1-runtime-dir.patch
|
||||
Patch1: strongswan-5.6.0-uintptr_t.patch
|
||||
Patch3: strongswan-5.6.2-CVE-2018-5388.patch
|
||||
|
||||
Patch10: 0001-charon-add-optional-source-and-remote-overrides-for-.patch
|
||||
Patch11: 0002-vici-send-certificates-for-ike-sa-events.patch
|
||||
Patch12: 0003-vici-add-support-for-individual-sa-state-changes.patch
|
||||
Patch13: 0004-vyos-terminate-connections-source-dest.patch
|
||||
Patch10: 0001-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
|
||||
Patch11: 0002-charon-add-optional-source-and-remote-overrides-for-.patch
|
||||
Patch12: 0003-vici-send-certificates-for-ike-sa-events.patch
|
||||
Patch13: 0004-vici-add-support-for-individual-sa-state-changes.patch
|
||||
Patch14: 0005-vici-add-deprecated-async-parameter.patch
|
||||
Patch15: 0006-support-gre-key-in-ikev1.patch
|
||||
Patch16: 0007-vyos-terminate-connections-source-dest.patch
|
||||
|
||||
# only needed for pre-release versions
|
||||
#BuildRequires: autoconf automake
|
||||
@@ -96,6 +99,9 @@ PT-TLS to support TNC over TLS.
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
%patch13 -p1
|
||||
%patch14 -p1
|
||||
%patch15 -p1
|
||||
%patch16 -p1
|
||||
|
||||
%build
|
||||
# only for snapshots
|
||||
@@ -230,7 +236,7 @@ install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
|
||||
%files
|
||||
%doc README NEWS TODO ChangeLog
|
||||
%license COPYING
|
||||
%dir %attr(0755,root,root) %{_sysconfdir}/strongswan
|
||||
%dir %attr(0700,root,root) %{_sysconfdir}/strongswan
|
||||
%config(noreplace) %{_sysconfdir}/strongswan/*
|
||||
%dir %{_libdir}/strongswan
|
||||
%exclude %{_libdir}/strongswan/imcvs
|
||||
@@ -287,19 +293,8 @@ install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
|
||||
%{_libexecdir}/strongswan/charon-nm
|
||||
|
||||
%changelog
|
||||
* Tue Jul 06 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.3-1
|
||||
- Resolves: rhbz#1979574 strongswan-5.9.3 is available
|
||||
- Make strongswan main dir world readable so apps can find strongswan.conf
|
||||
|
||||
* Thu Jun 03 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.2-1
|
||||
- Resolves: rhbz#1896545 strongswan-5.9.2 is available
|
||||
|
||||
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 5.9.1-2
|
||||
- Rebuilt for updated systemd-rpm-macros
|
||||
See https://pagure.io/fesco/issue/2583.
|
||||
|
||||
* Fri Feb 12 2021 Paul Wouters <pwouters@redhat.com> - 5.9.1-1
|
||||
- Resolves: rhbz#1896545 strongswan-5.9.1 is available
|
||||
- Resolves: rhbz# 1896545 strongswan-5.9.1 is available
|
||||
|
||||
* Thu Feb 11 2021 Davide Cavalca <dcavalca@fedoraproject.org> - 5.9.0-4
|
||||
- Build with with capabilities support
|
||||
|
||||
Reference in New Issue
Block a user