enabling reauthentication on mediation connections
This commit is contained in:
parent
4a03518112
commit
78abba428f
|
@ -2011,7 +2011,12 @@ static status_t reestablish(private_ike_sa_t *this)
|
|||
{
|
||||
DBG1(DBG_IKE, "initiator did not reauthenticate as requested");
|
||||
if (this->other_virtual_ip != NULL ||
|
||||
has_condition(this, COND_EAP_AUTHENTICATED))
|
||||
has_condition(this, COND_EAP_AUTHENTICATED)
|
||||
#ifdef ME
|
||||
/* if we are mediation server we too cannot reauth the IKE_SA */
|
||||
|| this->is_mediation_server
|
||||
#endif /* ME */
|
||||
)
|
||||
{
|
||||
time_t now = time(NULL);
|
||||
|
||||
|
|
|
@ -61,13 +61,21 @@ static status_t process_i(private_ike_reauth_t *this, message_t *message)
|
|||
host_t *host;
|
||||
iterator_t *iterator;
|
||||
child_sa_t *child_sa;
|
||||
peer_cfg_t *peer_cfg;
|
||||
|
||||
/* process delete response first */
|
||||
this->ike_delete->task.process(&this->ike_delete->task, message);
|
||||
|
||||
peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
|
||||
|
||||
/* reestablish only if we have children */
|
||||
iterator = this->ike_sa->create_child_sa_iterator(this->ike_sa);
|
||||
if (iterator->get_count(iterator) == 0)
|
||||
if (iterator->get_count(iterator) == 0
|
||||
#ifdef ME
|
||||
/* we allow a peer to reauth a mediation connection (without CHILD_SA) */
|
||||
&& !peer_cfg->is_mediation(peer_cfg)
|
||||
#endif /* ME */
|
||||
)
|
||||
{
|
||||
DBG1(DBG_IKE, "unable to reestablish IKE_SA, no CHILD_SA to recreate");
|
||||
iterator->destroy(iterator);
|
||||
|
@ -76,7 +84,7 @@ static status_t process_i(private_ike_reauth_t *this, message_t *message)
|
|||
|
||||
new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, TRUE);
|
||||
|
||||
new->set_peer_cfg(new, this->ike_sa->get_peer_cfg(this->ike_sa));
|
||||
new->set_peer_cfg(new, peer_cfg);
|
||||
host = this->ike_sa->get_other_host(this->ike_sa);
|
||||
new->set_other_host(new, host->clone(host));
|
||||
host = this->ike_sa->get_my_host(this->ike_sa);
|
||||
|
@ -88,6 +96,20 @@ static status_t process_i(private_ike_reauth_t *this, message_t *message)
|
|||
new->set_virtual_ip(new, TRUE, host);
|
||||
}
|
||||
|
||||
#ifdef ME
|
||||
/* we initiate the new IKE_SA of the mediation connection without CHILD_SA */
|
||||
if (peer_cfg->is_mediation(peer_cfg))
|
||||
{
|
||||
if (new->initiate(new, NULL) == DESTROY_ME)
|
||||
{
|
||||
charon->ike_sa_manager->checkin_and_destroy(
|
||||
charon->ike_sa_manager, new);
|
||||
DBG1(DBG_IKE, "reestablishing IKE_SA failed");
|
||||
return FAILED;
|
||||
}
|
||||
}
|
||||
#endif /* ME */
|
||||
|
||||
while (iterator->iterate(iterator, (void**)&child_sa))
|
||||
{
|
||||
switch (child_sa->get_state(child_sa))
|
||||
|
|
Loading…
Reference in New Issue