Merge branch 'android-pfs'
Changes how CHILD_SA rekeying errors are handled in the Android app and adds CHILD_SA proposals with DH groups.
This commit is contained in:
commit
f640af5b7a
|
@ -418,6 +418,31 @@ CALLBACK(terminate, job_requeue_t,
|
|||
return JOB_REQUEUE_NONE;
|
||||
}
|
||||
|
||||
/**
|
||||
* Reestablish the IKE_SA with the given unique ID
|
||||
*/
|
||||
CALLBACK(reestablish, job_requeue_t,
|
||||
u_int32_t *id)
|
||||
{
|
||||
ike_sa_t *ike_sa;
|
||||
|
||||
ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
|
||||
*id, FALSE);
|
||||
if (ike_sa)
|
||||
{
|
||||
if (ike_sa->reauth(ike_sa) == DESTROY_ME)
|
||||
{
|
||||
charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
|
||||
ike_sa);
|
||||
}
|
||||
else
|
||||
{
|
||||
charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
|
||||
}
|
||||
}
|
||||
return JOB_REQUEUE_NONE;
|
||||
}
|
||||
|
||||
METHOD(listener_t, child_updown, bool,
|
||||
private_android_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
|
||||
bool up)
|
||||
|
@ -484,6 +509,20 @@ METHOD(listener_t, alert, bool,
|
|||
charonservice->update_status(charonservice,
|
||||
CHARONSERVICE_PEER_AUTH_ERROR);
|
||||
break;
|
||||
case ALERT_KEEP_ON_CHILD_SA_FAILURE:
|
||||
{
|
||||
u_int32_t *id = malloc_thing(u_int32_t);
|
||||
|
||||
/* because close_ike_on_child_failure is set this is only
|
||||
* triggered when CHILD_SA rekeying failed. reestablish it in
|
||||
* the hope that the initial setup works again. */
|
||||
*id = ike_sa->get_unique_id(ike_sa);
|
||||
lib->processor->queue_job(lib->processor,
|
||||
(job_t*)callback_job_create_with_prio(
|
||||
(callback_job_cb_t)reestablish, id, free,
|
||||
(callback_job_cancel_t)return_false, JOB_PRIO_HIGH));
|
||||
break;
|
||||
}
|
||||
case ALERT_PEER_INIT_UNREACHABLE:
|
||||
this->lock->read_lock(this->lock);
|
||||
if (this->tunfd < 0)
|
||||
|
@ -634,8 +673,8 @@ static job_requeue_t initiate(private_android_service_t *this)
|
|||
auth_cfg_t *auth;
|
||||
lifetime_cfg_t lifetime = {
|
||||
.time = {
|
||||
.life = 10800, /* 3h */
|
||||
.rekey = 10200, /* 2h50min */
|
||||
.life = 3600, /* 1h */
|
||||
.rekey = 3000, /* 50min */
|
||||
.jitter = 300 /* 5min */
|
||||
}
|
||||
};
|
||||
|
@ -687,8 +726,18 @@ static job_requeue_t initiate(private_android_service_t *this)
|
|||
child_cfg = child_cfg_create("android", &lifetime, NULL, TRUE, MODE_TUNNEL,
|
||||
ACTION_NONE, ACTION_RESTART, ACTION_RESTART,
|
||||
FALSE, 0, 0, NULL, NULL, 0);
|
||||
/* create an ESP proposal with the algorithms currently supported by
|
||||
* libipsec, no PFS for now */
|
||||
/* create ESP proposals with and without DH groups, let responder decide
|
||||
* if PFS is used */
|
||||
child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
|
||||
"aes128gcm16-aes256gcm16-ecp256"));
|
||||
child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
|
||||
"aes128-sha256-ecp256-modp3072"));
|
||||
child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
|
||||
"aes256-sha384-ecp521-modp8192"));
|
||||
child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
|
||||
"aes128-aes192-aes256-sha1-sha256-sha384-sha512-"
|
||||
"ecp256-ecp384-ecp521-"
|
||||
"modp2048-modp3072-modp4096-modp1024"));
|
||||
child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
|
||||
"aes128gcm16-aes256gcm16"));
|
||||
child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
|
||||
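Review bot: The last DH-enabled proposal in the fourth hunk (`"aes128-aes192-aes256-sha1-sha256-sha384-sha512-ecp256-ecp384-ecp521-modp2048-modp3072-modp4096-modp1024"`) offers modp1024 for CHILD_SA PFS, so a responder that selects it ends up with 1024-bit PFS even though stronger groups are listed first; if that is intended for compatibility with older gateways, say so in the comment above the proposals, otherwise drop `modp1024` from the string. The new comment `/* create ESP proposals with and without DH groups, let responder decide if PFS is used */` should also make explicit that offering the no-DH proposals means the peer can pick a CHILD_SA without PFS at all, since that is the trade-off this merge accepts. The enclosing initiate() starts and ends outside the hunk.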
|
|
|
@ -163,6 +163,11 @@ METHOD(child_cfg_t, add_proposal, void,
|
|||
}
|
||||
}
|
||||
|
||||
static bool match_proposal(proposal_t *item, proposal_t *proposal)
|
||||
{
|
||||
return item->equals(item, proposal);
|
||||
}
|
||||
|
||||
METHOD(child_cfg_t, get_proposals, linked_list_t*,
|
||||
private_child_cfg_t *this, bool strip_dh)
|
||||
{
|
||||
|
@ -178,6 +183,12 @@ METHOD(child_cfg_t, get_proposals, linked_list_t*,
|
|||
{
|
||||
current->strip_dh(current, MODP_NONE);
|
||||
}
|
||||
if (proposals->find_first(proposals, (linked_list_match_t)match_proposal,
|
||||
NULL, current) == SUCCESS)
|
||||
{
|
||||
current->destroy(current);
|
||||
continue;
|
||||
}
|
||||
proposals->insert_last(proposals, current);
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
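Review bot: `match_proposal` in the first hunk has no header comment, while the surrounding file documents its static helpers; add `/** Check whether two proposals are equal, used to drop duplicates after DH groups were stripped */` above it. The dedup in the second hunk silently destroys `current` when an equal proposal is already in the list, which is presumably what lets `strip_dh` collapse the with-DH and without-DH variants of the same algorithm set, and a one-line comment before the `find_first` call saying so would spare the reader that inference. It is worth confirming that `equals` compares only the algorithm lists and not the proposal number or SPI, since otherwise otherwise-identical proposals would not be merged. The enclosing get_proposals() starts and ends outside the hunk.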
|
|
|
@ -337,7 +337,7 @@ static bool algo_list_equals(private_proposal_t *this, proposal_t *other,
|
|||
break;
|
||||
}
|
||||
}
|
||||
if (e2->enumerate(e2, &alg2, ks2))
|
||||
if (e2->enumerate(e2, &alg2, &ks2))
|
||||
{
|
||||
/* other has more algs */
|
||||
equals = FALSE;
|
||||
|
@ -594,7 +594,7 @@ METHOD(proposal_t, destroy, void,
|
|||
}
|
||||
|
||||
/*
|
||||
* Describtion in header-file
|
||||
* Described in header
|
||||
*/
|
||||
proposal_t *proposal_create(protocol_id_t protocol, u_int number)
|
||||
{
|
||||
|
@ -787,7 +787,7 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
|
|||
}
|
||||
|
||||
/*
|
||||
* Describtion in header-file
|
||||
* Described in header
|
||||
*/
|
||||
proposal_t *proposal_create_default(protocol_id_t protocol)
|
||||
{
|
||||
|
@ -826,7 +826,7 @@ proposal_t *proposal_create_default(protocol_id_t protocol)
|
|||
}
|
||||
|
||||
/*
|
||||
* Describtion in header-file
|
||||
* Described in header
|
||||
*/
|
||||
proposal_t *proposal_create_default_aead(protocol_id_t protocol)
|
||||
{
|
||||
|
@ -853,7 +853,7 @@ proposal_t *proposal_create_default_aead(protocol_id_t protocol)
|
|||
}
|
||||
|
||||
/*
|
||||
* Describtion in header-file
|
||||
* Described in header
|
||||
*/
|
||||
proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs)
|
||||
{
|
||||
|
|