Merge branch 'push-mode-reauth'
Fixes IKEv1 re-authentication when using push mode by reassigning the same IP lease to the client.
This commit is contained in:
Martin Willi
commit
cb98380fe9
|
|
@ -17,6 +17,7 @@
|
|||
|
||||
#include <daemon.h>
|
||||
#include <hydra.h>
|
||||
#include <collections/array.h>
|
||||
|
||||
typedef struct private_adopt_children_job_t private_adopt_children_job_t;
|
||||
|
||||
|
|
@ -34,11 +35,17 @@ struct private_adopt_children_job_t {
|
|||
* IKE_SA id to adopt children from
|
||||
*/
|
||||
ike_sa_id_t *id;
|
||||
|
||||
/**
|
||||
* Tasks queued for execution
|
||||
*/
|
||||
array_t *tasks;
|
||||
};
|
||||
|
||||
METHOD(job_t, destroy, void,
|
||||
private_adopt_children_job_t *this)
|
||||
{
|
||||
array_destroy_offset(this->tasks, offsetof(task_t, destroy));
|
||||
this->id->destroy(this->id);
|
||||
free(this);
|
||||
}
|
||||
|
|
@ -149,6 +156,32 @@ METHOD(job_t, execute, job_requeue_t,
|
|||
}
|
||||
}
|
||||
children->destroy_offset(children, offsetof(child_sa_t, destroy));
|
||||
|
||||
if (array_count(this->tasks))
|
||||
{
|
||||
ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
|
||||
this->id);
|
||||
if (ike_sa)
|
||||
{
|
||||
task_t *task;
|
||||
|
||||
while (array_remove(this->tasks, ARRAY_HEAD, &task))
|
||||
{
|
||||
task->migrate(task, ike_sa);
|
||||
ike_sa->queue_task(ike_sa, task);
|
||||
}
|
||||
if (ike_sa->initiate(ike_sa, NULL, 0, NULL, NULL) == DESTROY_ME)
|
||||
{
|
||||
charon->ike_sa_manager->checkin_and_destroy(
|
||||
charon->ike_sa_manager, ike_sa);
|
||||
}
|
||||
else
|
||||
{
|
||||
charon->ike_sa_manager->checkin(charon->ike_sa_manager,
|
||||
ike_sa);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
return JOB_REQUEUE_NONE;
|
||||
}
|
||||
|
|
@ -159,6 +192,12 @@ METHOD(job_t, get_priority, job_priority_t,
|
|||
return JOB_PRIO_HIGH;
|
||||
}
|
||||
|
||||
METHOD(adopt_children_job_t, queue_task, void,
|
||||
private_adopt_children_job_t *this, task_t *task)
|
||||
{
|
||||
array_insert_create(&this->tasks, ARRAY_TAIL, task);
|
||||
}
|
||||
|
||||
/**
|
||||
* See header
|
||||
*/
|
||||
|
|
@ -173,6 +212,7 @@ adopt_children_job_t *adopt_children_job_create(ike_sa_id_t *id)
|
|||
.get_priority = _get_priority,
|
||||
.destroy = _destroy,
|
||||
},
|
||||
.queue_task = _queue_task,
|
||||
},
|
||||
.id = id->clone(id),
|
||||
);
|
||||
|
|
|
|||
|
|
@ -24,6 +24,7 @@
|
|||
#include <library.h>
|
||||
#include <processing/jobs/job.h>
|
||||
#include <sa/ike_sa_id.h>
|
||||
#include <sa/task.h>
|
||||
|
||||
typedef struct adopt_children_job_t adopt_children_job_t;
|
||||
|
||||
|
|
@ -36,6 +37,13 @@ struct adopt_children_job_t {
|
|||
* Implements job_t.
|
||||
*/
|
||||
job_t job_interface;
|
||||
|
||||
/**
|
||||
* Queue a job for execution after completing migration.
|
||||
*
|
||||
* @param task task to queue for execution
|
||||
*/
|
||||
void (*queue_task)(adopt_children_job_t *this, task_t *task);
|
||||
};
|
||||
|
||||
/**
|
||||
|
|
|
|||
|
|
@ -475,6 +475,9 @@ METHOD(task_t, process_r, status_t,
|
|||
}
|
||||
case AM_AUTH:
|
||||
{
|
||||
adopt_children_job_t *job = NULL;
|
||||
xauth_t *xauth = NULL;
|
||||
|
||||
while (TRUE)
|
||||
{
|
||||
if (this->ph1->verify_auth(this->ph1, this->method, message,
|
||||
|
|
@ -504,8 +507,8 @@ METHOD(task_t, process_r, status_t,
|
|||
case AUTH_XAUTH_INIT_PSK:
|
||||
case AUTH_XAUTH_INIT_RSA:
|
||||
case AUTH_HYBRID_INIT_RSA:
|
||||
this->ike_sa->queue_task(this->ike_sa,
|
||||
(task_t*)xauth_create(this->ike_sa, TRUE));
|
||||
xauth = xauth_create(this->ike_sa, TRUE);
|
||||
this->ike_sa->queue_task(this->ike_sa, (task_t*)xauth);
|
||||
break;
|
||||
case AUTH_XAUTH_RESP_PSK:
|
||||
case AUTH_XAUTH_RESP_RSA:
|
||||
|
|
@ -524,9 +527,8 @@ METHOD(task_t, process_r, status_t,
|
|||
{
|
||||
return send_delete(this);
|
||||
}
|
||||
lib->processor->queue_job(lib->processor, (job_t*)
|
||||
adopt_children_job_create(
|
||||
this->ike_sa->get_id(this->ike_sa)));
|
||||
job = adopt_children_job_create(
|
||||
this->ike_sa->get_id(this->ike_sa));
|
||||
break;
|
||||
}
|
||||
/* check for and prepare mode config push/pull */
|
||||
|
|
@ -542,10 +544,26 @@ METHOD(task_t, process_r, status_t,
|
|||
{
|
||||
if (!this->peer_cfg->use_pull_mode(this->peer_cfg))
|
||||
{
|
||||
this->ike_sa->queue_task(this->ike_sa,
|
||||
(task_t*)mode_config_create(this->ike_sa, TRUE, FALSE));
|
||||
if (job)
|
||||
{
|
||||
job->queue_task(job, (task_t*)
|
||||
mode_config_create(this->ike_sa, TRUE, FALSE));
|
||||
}
|
||||
else if (xauth)
|
||||
{
|
||||
xauth->queue_mode_config_push(xauth);
|
||||
}
|
||||
else
|
||||
{
|
||||
this->ike_sa->queue_task(this->ike_sa, (task_t*)
|
||||
mode_config_create(this->ike_sa, TRUE, FALSE));
|
||||
}
|
||||
}
|
||||
}
|
||||
if (job)
|
||||
{
|
||||
lib->processor->queue_job(lib->processor, (job_t*)job);
|
||||
}
|
||||
return SUCCESS;
|
||||
}
|
||||
default:
|
||||
|
|
|
|||
|
|
@ -479,6 +479,8 @@ METHOD(task_t, build_r, status_t,
|
|||
{
|
||||
id_payload_t *id_payload;
|
||||
identification_t *id;
|
||||
adopt_children_job_t *job = NULL;
|
||||
xauth_t *xauth = NULL;
|
||||
|
||||
id = this->ph1->get_id(this->ph1, this->peer_cfg, TRUE);
|
||||
if (!id)
|
||||
|
|
@ -502,8 +504,8 @@ METHOD(task_t, build_r, status_t,
|
|||
case AUTH_XAUTH_INIT_PSK:
|
||||
case AUTH_XAUTH_INIT_RSA:
|
||||
case AUTH_HYBRID_INIT_RSA:
|
||||
this->ike_sa->queue_task(this->ike_sa,
|
||||
(task_t*)xauth_create(this->ike_sa, TRUE));
|
||||
xauth = xauth_create(this->ike_sa, TRUE);
|
||||
this->ike_sa->queue_task(this->ike_sa, (task_t*)xauth);
|
||||
break;
|
||||
case AUTH_XAUTH_RESP_PSK:
|
||||
case AUTH_XAUTH_RESP_RSA:
|
||||
|
|
@ -522,9 +524,8 @@ METHOD(task_t, build_r, status_t,
|
|||
{
|
||||
return send_notify(this, AUTHENTICATION_FAILED);
|
||||
}
|
||||
lib->processor->queue_job(lib->processor, (job_t*)
|
||||
adopt_children_job_create(
|
||||
this->ike_sa->get_id(this->ike_sa)));
|
||||
job = adopt_children_job_create(
|
||||
this->ike_sa->get_id(this->ike_sa));
|
||||
break;
|
||||
}
|
||||
if (this->ph1->has_virtual_ip(this->ph1, this->peer_cfg))
|
||||
|
|
@ -539,10 +540,26 @@ METHOD(task_t, build_r, status_t,
|
|||
{
|
||||
if (!this->peer_cfg->use_pull_mode(this->peer_cfg))
|
||||
{
|
||||
this->ike_sa->queue_task(this->ike_sa,
|
||||
(task_t*)mode_config_create(this->ike_sa, TRUE, FALSE));
|
||||
if (job)
|
||||
{
|
||||
job->queue_task(job, (task_t*)
|
||||
mode_config_create(this->ike_sa, TRUE, FALSE));
|
||||
}
|
||||
else if (xauth)
|
||||
{
|
||||
xauth->queue_mode_config_push(xauth);
|
||||
}
|
||||
else
|
||||
{
|
||||
this->ike_sa->queue_task(this->ike_sa, (task_t*)
|
||||
mode_config_create(this->ike_sa, TRUE, FALSE));
|
||||
}
|
||||
}
|
||||
}
|
||||
if (job)
|
||||
{
|
||||
lib->processor->queue_job(lib->processor, (job_t*)job);
|
||||
}
|
||||
return SUCCESS;
|
||||
}
|
||||
default:
|
||||
|
|
|
|||
|
|
@ -19,6 +19,7 @@
|
|||
#include <hydra.h>
|
||||
#include <encoding/payloads/cp_payload.h>
|
||||
#include <processing/jobs/adopt_children_job.h>
|
||||
#include <sa/ikev1/tasks/mode_config.h>
|
||||
|
||||
typedef struct private_xauth_t private_xauth_t;
|
||||
|
||||
|
|
@ -74,6 +75,11 @@ struct private_xauth_t {
|
|||
* status of Xauth exchange
|
||||
*/
|
||||
xauth_status_t status;
|
||||
|
||||
/**
|
||||
* Queue a Mode Config Push mode after completing XAuth?
|
||||
*/
|
||||
bool mode_config_push;
|
||||
};
|
||||
|
||||
/**
|
||||
|
|
@ -290,6 +296,7 @@ METHOD(task_t, process_i_status, status_t,
|
|||
private_xauth_t *this, message_t *message)
|
||||
{
|
||||
cp_payload_t *cp;
|
||||
adopt_children_job_t *job;
|
||||
|
||||
cp = (cp_payload_t*)message->get_payload(message, PLV1_CONFIGURATION);
|
||||
if (!cp || cp->get_type(cp) != CFG_ACK)
|
||||
|
|
@ -307,8 +314,13 @@ METHOD(task_t, process_i_status, status_t,
|
|||
return FAILED;
|
||||
}
|
||||
this->ike_sa->set_condition(this->ike_sa, COND_XAUTH_AUTHENTICATED, TRUE);
|
||||
lib->processor->queue_job(lib->processor, (job_t*)
|
||||
adopt_children_job_create(this->ike_sa->get_id(this->ike_sa)));
|
||||
job = adopt_children_job_create(this->ike_sa->get_id(this->ike_sa));
|
||||
if (this->mode_config_push)
|
||||
{
|
||||
job->queue_task(job,
|
||||
(task_t*)mode_config_create(this->ike_sa, TRUE, FALSE));
|
||||
}
|
||||
lib->processor->queue_job(lib->processor, (job_t*)job);
|
||||
return SUCCESS;
|
||||
}
|
||||
|
||||
|
|
@ -511,6 +523,12 @@ METHOD(task_t, migrate, void,
|
|||
}
|
||||
}
|
||||
|
||||
METHOD(xauth_t, queue_mode_config_push, void,
|
||||
private_xauth_t *this)
|
||||
{
|
||||
this->mode_config_push = TRUE;
|
||||
}
|
||||
|
||||
METHOD(task_t, destroy, void,
|
||||
private_xauth_t *this)
|
||||
{
|
||||
|
|
@ -533,6 +551,7 @@ xauth_t *xauth_create(ike_sa_t *ike_sa, bool initiator)
|
|||
.migrate = _migrate,
|
||||
.destroy = _destroy,
|
||||
},
|
||||
.queue_mode_config_push = _queue_mode_config_push,
|
||||
},
|
||||
.initiator = initiator,
|
||||
.ike_sa = ike_sa,
|
||||
|
|
|
|||
|
|
@ -36,6 +36,11 @@ struct xauth_t {
|
|||
* Implements the task_t interface
|
||||
*/
|
||||
task_t task;
|
||||
|
||||
/**
|
||||
* Queue a Mode Config in Push mode after completing XAuth.
|
||||
*/
|
||||
void (*queue_mode_config_push)(xauth_t *this);
|
||||
};
|
||||
|
||||
/**
|
||||
|
|
|
|||
Loading…
Reference in New Issue