moved force_encap to ike_config, enables responder to enforce udp encapsulation
authorMartin Willi <martin@strongswan.org>
Mon, 1 Oct 2007 16:41:34 +0000 (16:41 -0000)
committerMartin Willi <martin@strongswan.org>
Mon, 1 Oct 2007 16:41:34 +0000 (16:41 -0000)
fixed bugs in force_encap code

src/charon/config/backends/sqlite_backend.c
src/charon/config/ike_cfg.c
src/charon/config/ike_cfg.h
src/charon/config/peer_cfg.c
src/charon/config/peer_cfg.h
src/charon/control/interfaces/stroke_interface.c
src/charon/sa/ike_sa.c
src/charon/sa/tasks/ike_natd.c
src/starter/starterstroke.c

index be94f9b..9ceed9b 100644 (file)
@@ -178,7 +178,8 @@ static peer_cfg_t *process_peer_cfg_row(private_sqlite_backend_t *this,
        remote_id = identification_create_from_string((char*)sqlite3_column_text(stmt, 3));
        if (local_host && remote_host && local_id && remote_id)
        {
-               ike_cfg = ike_cfg_create(sqlite3_column_int(stmt, 19),  local_host, remote_host);               
+               ike_cfg = ike_cfg_create(sqlite3_column_int(stmt, 19),  FALSE,
+                                                                local_host, remote_host);              
                ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
                peer_cfg = peer_cfg_create(
                        (char*)sqlite3_column_text(stmt, 1),            /* name */
@@ -192,7 +193,6 @@ static peer_cfg_t *process_peer_cfg_row(private_sqlite_backend_t *this,
                        sqlite3_column_int(stmt, 10),                           /* jitter */
                        sqlite3_column_int(stmt, 13),                           /* reauth */
                        sqlite3_column_int(stmt, 14),                           /* mobike */
-                       FALSE,                                                                          /* force_encap */
                        sqlite3_column_int(stmt, 11),                           /* dpd_delay */
                        sqlite3_column_int(stmt, 12),                           /* dpd_action */
                        local_vip, remote_vip);
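Review bot: The new `FALSE` argument in the ike_cfg_create call of process_peer_cfg_row hard-codes force_encap off for every database-backed connection, so the option this commit makes available to stroke-configured peers can never be set from SQLite, while the removed peer_cfg_create argument at least carried a `/* force_encap */` tag. If no column exists for it yet, keep the argument self-describing, `ike_cfg = ike_cfg_create(sqlite3_column_int(stmt, 19), FALSE, /* force_encap */`, or read it from a dedicated column like the other flags in this row. Both added lines also end in trailing whitespace. process_peer_cfg_row starts before and continues after these hunks.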
index 35f46a6..abb300a 100644 (file)
@@ -59,6 +59,11 @@ struct private_ike_cfg_t {
        bool certreq;
        
        /**
+        * enforce UDP encapsulation
+        */
+       bool force_encap;
+       
+       /**
         * List of proposals to use
         */
        linked_list_t *proposals;
@@ -71,6 +76,14 @@ static bool send_certreq(private_ike_cfg_t *this)
 {
        return this->certreq;
 }
+       
+/**
+ * Implementation of ike_cfg_t.force_encap.
+ */
+static bool force_encap_meth(private_ike_cfg_t *this)
+{
+       return this->force_encap;
+}
 
 /**
  * Implementation of ike_cfg_t.get_my_host.
@@ -201,12 +214,14 @@ static void destroy(private_ike_cfg_t *this)
 /**
  * Described in header.
  */
-ike_cfg_t *ike_cfg_create(bool certreq, host_t *my_host, host_t *other_host)
+ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap,
+                                                 host_t *my_host, host_t *other_host)
 {
        private_ike_cfg_t *this = malloc_thing(private_ike_cfg_t);
        
        /* public functions */
        this->public.send_certreq = (bool(*)(ike_cfg_t*))send_certreq;
+       this->public.force_encap = (bool (*) (ike_cfg_t *))force_encap_meth;
        this->public.get_my_host = (host_t*(*)(ike_cfg_t*))get_my_host;
        this->public.get_other_host = (host_t*(*)(ike_cfg_t*))get_other_host;
        this->public.add_proposal = (void(*)(ike_cfg_t*, proposal_t*)) add_proposal;
@@ -219,6 +234,7 @@ ike_cfg_t *ike_cfg_create(bool certreq, host_t *my_host, host_t *other_host)
        /* private variables */
        this->refcount = 1;
        this->certreq = certreq;
+       this->force_encap = force_encap;
        this->my_host = my_host;
        this->other_host = other_host;
        
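Review bot: `force_encap_meth` departs from the naming of the neighbouring accessors, which are named after the public method they implement (`send_certreq`, `get_my_host`); a struct member and a function do not share a namespace in C, so the getter can be `static bool force_encap(private_ike_cfg_t *this)` with the cast on the `this->public.force_encap` line updated to match. The line added directly after the closing brace of send_certreq contains only a tab, whitespace the removed peer_cfg.c copy also carried. The member comment `enforce UDP encapsulation` would help more as `/* enforce UDP encapsulation by faking the NAT-D source hash (see ike_natd) */`, which is the use this commit gives the flag in ike_natd.c.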
index bcdc90d..5165d12 100644 (file)
@@ -102,6 +102,14 @@ struct ike_cfg_t {
        bool (*send_certreq) (ike_cfg_t *this);
        
        /**
+        * @brief Enforce UDP encapsulation by faking NATD notifies?
+        * 
+        * @param this          calling object
+        * @return                      TRUE to enfoce UDP encapsulation
+        */
+       bool (*force_encap) (ike_cfg_t *this);
+       
+       /**
         * @brief Get the DH group to use for IKE_SA setup.
         * 
         * @param this          calling object
@@ -140,12 +148,14 @@ struct ike_cfg_t {
  *
  * @param name                 ike_cfg identifier
  * @param certreq              TRUE to send a certificate request
+ * @param force_encap  enforce UDP encapsulation by faking NATD notify
  * @param my_host              host_t representing local address
  * @param other_host   host_t representing remote address
  * @return                             ike_cfg_t object.
  * 
  * @ingroup config
  */
-ike_cfg_t *ike_cfg_create(bool certreq, host_t *my_host, host_t *other_host);
+ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap, 
+                                                 host_t *my_host, host_t *other_host);
 
 #endif /* IKE_CFG_H_ */
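Review bot: The `@return` line of the new force_encap method comment reads `TRUE to enfoce UDP encapsulation`, a typo carried over verbatim from the peer_cfg.h block it replaces; it should be `@return TRUE to enforce UDP encapsulation`. The new ike_cfg_create prototype line `bool certreq, bool force_encap, ` ends in a trailing space. The `@param force_encap` description could also say that the flag only takes effect when no real NAT was detected, which is what the ike_natd.c change in this commit implements.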
index 7935b97..6733df0 100644 (file)
@@ -141,11 +141,6 @@ struct private_peer_cfg_t {
        bool use_mobike;
        
        /**
-        * enforce UDP encapsulation
-        */
-       bool force_encap;
-       
-       /**
         * Time before an SA gets invalid
         */
        u_int32_t lifetime;
@@ -369,14 +364,6 @@ static bool use_mobike(private_peer_cfg_t *this)
 {
        return this->use_mobike;
 }
-       
-/**
- * Implementation of peer_cfg_t.force_encap.
- */
-static bool force_encap_meth(private_peer_cfg_t *this)
-{
-       return this->force_encap;
-}
 
 /**
  * Implements peer_cfg_t.get_dpd_delay
@@ -465,7 +452,7 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
                                                        auth_method_t auth_method, eap_type_t eap_type,
                                                        u_int32_t keyingtries, u_int32_t lifetime,
                                                        u_int32_t rekeytime, u_int32_t jitter,
-                                                       bool reauth, bool mobike, bool force_encap,
+                                                       bool reauth, bool mobike,
                                                        u_int32_t dpd_delay, dpd_action_t dpd_action,
                                                        host_t *my_virtual_ip, host_t *other_virtual_ip)
 {
@@ -490,7 +477,6 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
        this->public.get_lifetime = (u_int32_t (*) (peer_cfg_t *, bool rekey))get_lifetime;
        this->public.use_reauth = (bool (*) (peer_cfg_t *))use_reauth;
        this->public.use_mobike = (bool (*) (peer_cfg_t *))use_mobike;
-       this->public.force_encap = (bool (*) (peer_cfg_t *))force_encap_meth;
        this->public.get_dpd_delay = (u_int32_t (*) (peer_cfg_t *))get_dpd_delay;
        this->public.get_dpd_action = (dpd_action_t (*) (peer_cfg_t *))get_dpd_action;
        this->public.get_my_virtual_ip = (host_t* (*) (peer_cfg_t *))get_my_virtual_ip;
@@ -518,7 +504,6 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
        this->jitter = jitter;
        this->use_reauth = reauth;
        this->use_mobike = mobike;
-       this->force_encap = force_encap;
        this->dpd_delay = dpd_delay;
        this->dpd_action = dpd_action;
        this->my_virtual_ip = my_virtual_ip;
index ecd6bcf..ea53a80 100644 (file)
@@ -274,14 +274,6 @@ struct peer_cfg_t {
        bool (*use_mobike) (peer_cfg_t *this);
        
        /**
-        * @brief Enforce UDP encapsulation by faking NATD notifies?
-        * 
-        * @param this          calling object
-        * @return                      TRUE to enfoce UDP encapsulation
-        */
-       bool (*force_encap) (peer_cfg_t *this);
-       
-       /**
         * @brief Get the DPD check interval.
         * 
         * @param this          calling object
@@ -374,7 +366,6 @@ struct peer_cfg_t {
  * @param jitter                       range of random to substract from rekeytime
  * @param reauth                       sould be done reauthentication instead of rekeying?
  * @param mobike                       use MOBIKE (RFC4555) if peer supports it
- * @param force_encap          enforce UDP encapsulation by faking NATD notify
  * @param dpd_delay                    after how many seconds of inactivity to check DPD
  * @param dpd_action           what to do with CHILD_SAs when detected a dead peer
  * @param my_virtual_ip                virtual IP for local host, or NULL
@@ -390,7 +381,7 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ikev_version, ike_cfg_t *ike_cfg,
                                                        auth_method_t auth_method, eap_type_t eap_type,
                                                        u_int32_t keyingtries, u_int32_t lifetime,
                                                        u_int32_t rekeytime, u_int32_t jitter,
-                                                       bool reauth, bool mobike, bool force_encap,
+                                                       bool reauth, bool mobike,
                                                        u_int32_t dpd_delay, dpd_action_t dpd_action,
                                                        host_t *my_virtual_ip, host_t *other_virtual_ip);
 
index 13d4b96..f6935d5 100755 (executable)
@@ -522,7 +522,7 @@ static void stroke_add_conn(stroke_msg_t *msg, FILE *out)
        else
        {
                ike_cfg = ike_cfg_create(msg->add_conn.other.sendcert != CERT_NEVER_SEND,
-                                                                my_host, other_host);
+                                                                msg->add_conn.force_encap, my_host, other_host);
 
                if (msg->add_conn.algorithms.ike)
                {
@@ -572,8 +572,8 @@ static void stroke_add_conn(stroke_msg_t *msg, FILE *out)
                                        msg->add_conn.rekey.ike_lifetime - msg->add_conn.rekey.margin,
                                        msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100, 
                                        msg->add_conn.rekey.reauth, msg->add_conn.mobike, 
-                                       msg->add_conn.force_encap, msg->add_conn.dpd.delay,
-                                       msg->add_conn.dpd.action, my_vip, other_vip);
+                                       msg->add_conn.dpd.delay, msg->add_conn.dpd.action,
+                                       my_vip, other_vip);
        }
        
        child_cfg = child_cfg_create(
index 27ba126..42cda72 100644 (file)
@@ -496,7 +496,7 @@ static void set_condition(private_ike_sa_t *this, ike_condition_t condition,
                                        this->conditions |= COND_NAT_ANY;
                                        break;
                                case COND_NAT_FAKE:
-                                       DBG1(DBG_IKE, "faked NAT situation to enforce UDP encapsulation");
+                                       DBG1(DBG_IKE, "faking NAT situation to enforce UDP encapsulation");
                                        this->conditions |= COND_NAT_ANY;
                                        break;
                                default:
index ff3fbb7..3266539 100644 (file)
@@ -141,12 +141,10 @@ static notify_payload_t *build_natd_payload(private_ike_natd_t *this,
        chunk_t hash;
        notify_payload_t *notify;       
        ike_sa_id_t *ike_sa_id;
-       peer_cfg_t *config;
+       ike_cfg_t *config;
        
        ike_sa_id = this->ike_sa->get_id(this->ike_sa);
-       config = this->ike_sa->get_peer_cfg(this->ike_sa);
-       notify = notify_payload_create();
-       notify->set_notify_type(notify, type);
+       config = this->ike_sa->get_ike_cfg(this->ike_sa);
        if (config->force_encap(config) && type == NAT_DETECTION_SOURCE_IP)
        {
                hash = generate_natd_hash_faked(this);
@@ -155,6 +153,8 @@ static notify_payload_t *build_natd_payload(private_ike_natd_t *this,
        {
                hash = generate_natd_hash(this, ike_sa_id, host);
        }
+       notify = notify_payload_create();
+       notify->set_notify_type(notify, type);
        notify->set_notification_data(notify, hash);
        chunk_free(&hash);
        
@@ -172,7 +172,7 @@ static void process_payloads(private_ike_natd_t *this, message_t *message)
        chunk_t hash, src_hash, dst_hash;
        ike_sa_id_t *ike_sa_id;
        host_t *me, *other;
-       peer_cfg_t *config;
+       ike_cfg_t *config;
        
        /* Precompute NAT-D hashes for incoming NAT notify comparison */
        ike_sa_id = message->get_ike_sa_id(message);
@@ -238,9 +238,10 @@ static void process_payloads(private_ike_natd_t *this, message_t *message)
                this->ike_sa->set_condition(this->ike_sa, COND_NAT_HERE,
                                                                        !this->dst_matched);
                this->ike_sa->set_condition(this->ike_sa, COND_NAT_THERE,
-                                                                       !this->src_matched);            
-               config = this->ike_sa->get_peer_cfg(this->ike_sa);
-               if (config->force_encap(config))
+                                                                       !this->src_matched);    
+               config = this->ike_sa->get_ike_cfg(this->ike_sa);
+               if (this->dst_matched && this->src_matched &&
+                       config->force_encap(config))
                {
                        this->ike_sa->set_condition(this->ike_sa, COND_NAT_FAKE, TRUE); 
                }
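Review bot: The new guard `this->dst_matched && this->src_matched && config->force_encap(config)` in process_payloads carries no comment explaining why faking is restricted to the no-NAT case; a reader needs `/* only fake a NAT if none was really detected; a real one already enables UDP encapsulation via COND_NAT_ANY */`, which the COND_NAT_FAKE handling in the ike_sa.c hunk of this commit supports. The switch from get_peer_cfg to get_ike_cfg in both functions is presumably what lets a responder, which has no peer_cfg selected yet while handling IKE_SA_INIT, honour the flag; that rationale belongs in a comment as well, and whether get_ike_cfg can return NULL at this point is not visible here, so the call site should be checked against the ike_sa implementation. Both build_natd_payload and process_payloads start and end outside these hunks.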
index 69b5e50..006cf1a 100644 (file)
@@ -228,6 +228,7 @@ int starter_stroke_add_conn(starter_conn_t *conn)
                msg.add_conn.rekey.fuzz = conn->sa_rekey_fuzz;
        }
        msg.add_conn.mobike = conn->policy & POLICY_MOBIKE;
+       msg.add_conn.force_encap = conn->policy & POLICY_FORCE_ENCAP;
        msg.add_conn.algorithms.ike = push_string(&msg, conn->ike);
        msg.add_conn.algorithms.esp = push_string(&msg, conn->esp);
        msg.add_conn.dpd.delay = conn->dpd_delay;
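Review bot: `msg.add_conn.force_encap = conn->policy & POLICY_FORCE_ENCAP;` stores the raw policy bit rather than 0/1, mirroring the `mobike` line above it. If the stroke message field and the project's `bool` are C99 `_Bool` the conversion normalises it, otherwise a non-zero bitmask travels over the stroke socket into the `bool` parameter of ike_cfg_create; `msg.add_conn.force_encap = (conn->policy & POLICY_FORCE_ENCAP) != 0;` is explicit either way. starter_stroke_add_conn starts and continues outside the hunk.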