Hi,
this patch adds support for left-/rightallowany to charon:
* Pass the left-/rightallowany options from starter through the
stroke plugin into charon.
* In get_ike_match(), take "allowany" into account when looking for
an IKE connection definition matching an incoming IKE_SA_INIT request.
* Adapt plugins other than stroke to the new signature of ike_cfg_create(),
keeping their previous behaviour of left-/rightallowany=no.
Regards,
Mirko
diff --git a/src/conftest/config.c b/src/conftest/config.c
index 9521412..f68e703 100644
--- a/src/conftest/config.c
+++ b/src/conftest/config.c
@@ -104,8 +104,10 @@ static ike_cfg_t *load_ike_config(private_config_t *this,
ike_cfg = ike_cfg_create(TRUE,
settings->get_bool(settings, "configs.%s.fake_nat", FALSE, config),
settings->get_str(settings, "configs.%s.lhost", "%any", config),
+ FALSE,
settings->get_int(settings, "configs.%s.lport", 500, config),
settings->get_str(settings, "configs.%s.rhost", "%any", config),
+ FALSE,
settings->get_int(settings, "configs.%s.rport", 500, config));
token = settings->get_str(settings, "configs.%s.proposal", NULL, config);
if (token)
diff --git a/src/libcharon/config/backend_manager.c b/src/libcharon/config/backend_manager.c
index a93457e..28bab03 100644
--- a/src/libcharon/config/backend_manager.c
+++ b/src/libcharon/config/backend_manager.c
@@ -78,30 +78,43 @@ static enumerator_t *ike_enum_create(backend_t *backend, ike_data_t *data)
static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other)
{
host_t *me_cand, *other_cand;
+ bool me_cand_allow_any, other_cand_allow_any;
ike_cfg_match_t match = MATCH_NONE;
if (me)
{
me_cand = host_create_from_dns(cand->get_my_addr(cand),
me->get_family(me), 0);
+ me_cand_allow_any = cand->get_my_allow_any(cand);
+
if (!me_cand)
{
- return MATCH_NONE;
- }
- if (me_cand->ip_equals(me_cand, me))
- {
- match += MATCH_ME;
- }
- else if (me_cand->is_anyaddr(me_cand))
- {
- match += MATCH_ANY;
+ if (me_cand_allow_any)
+ {
+ match += MATCH_ANY;
+ }
+ else
+ {
+ return MATCH_NONE;
+ }
}
else
- {
+ {
+ if (me_cand->ip_equals(me_cand, me))
+ {
+ match += MATCH_ME;
+ }
+ else if (me_cand->is_anyaddr(me_cand) || me_cand_allow_any)
+ {
+ match += MATCH_ANY;
+ }
+ else
+ {
+ me_cand->destroy(me_cand);
+ return MATCH_NONE;
+ }
me_cand->destroy(me_cand);
- return MATCH_NONE;
}
- me_cand->destroy(me_cand);
}
else
{
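Review bot: The me and other branches of get_ike_match now carry two near-identical blocks that differ only in the getter pair and the MATCH_ME/MATCH_OTHER flag, and each block calls destroy() on two separate paths (lines 75 and 78 here, 123 and 126 in the second hunk of this file), which is the kind of shape that turns into a leak or a double free on the next edit. The rule itself is also not obvious from the option name — with allow_any set, a candidate whose address resolves to something different from the incoming address, or does not resolve at all, still contributes MATCH_ANY (lines 53–55 and 69) — so a one-line comment such as `/* allow_any: treat this end as %any, even if the address resolves elsewhere or not at all */` would help readers. Factoring the per-end check into a static helper gives a single destroy() and one place where that rule lives; the sketch below preserves the hunk's logic exactly, and the same helper covers the second hunk. get_ike_match continues past the end of this hunk (the else branches and the final return are not shown).
```c
/* Match one end of a candidate config against a host. Returns exact (MATCH_ME
 * or MATCH_OTHER) on an address match, MATCH_ANY if the candidate is %any or
 * allow_any is set (including when addr does not resolve), MATCH_NONE otherwise. */
static ike_cfg_match_t match_end(char *addr, bool allow_any, host_t *host,
								 ike_cfg_match_t exact)
{
	host_t *cand;
	ike_cfg_match_t match = MATCH_NONE;

	cand = host_create_from_dns(addr, host->get_family(host), 0);
	if (!cand)
	{
		return allow_any ? MATCH_ANY : MATCH_NONE;
	}
	if (cand->ip_equals(cand, host))
	{
		match = exact;
	}
	else if (cand->is_anyaddr(cand) || allow_any)
	{
		match = MATCH_ANY;
	}
	cand->destroy(cand);
	return match;
}

static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other)
{
	ike_cfg_match_t match = MATCH_NONE, end;

	if (me)
	{
		end = match_end(cand->get_my_addr(cand), cand->get_my_allow_any(cand),
						me, MATCH_ME);
		if (end == MATCH_NONE)
		{
			return MATCH_NONE;
		}
		match += end;
	}
	/* … unchanged: else branch for me == NULL … */
	/* … other end handled the same way via get_other_addr(), get_other_allow_any() and MATCH_OTHER … */
```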
@@ -112,24 +125,36 @@ static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other)
{
other_cand = host_create_from_dns(cand->get_other_addr(cand),
other->get_family(other), 0);
+ other_cand_allow_any = cand->get_other_allow_any(cand);
+
if (!other_cand)
{
- return MATCH_NONE;
- }
- if (other_cand->ip_equals(other_cand, other))
- {
- match += MATCH_OTHER;
- }
- else if (other_cand->is_anyaddr(other_cand))
- {
- match += MATCH_ANY;
+ if (other_cand_allow_any)
+ {
+ match += MATCH_ANY;
+ }
+ else
+ {
+ return MATCH_NONE;
+ }
}
else
{
+ if (other_cand->ip_equals(other_cand, other))
+ {
+ match += MATCH_OTHER;
+ }
+ else if (other_cand->is_anyaddr(other_cand) || other_cand_allow_any)
+ {
+ match += MATCH_ANY;
+ }
+ else
+ {
+ other_cand->destroy(other_cand);
+ return MATCH_NONE;
+ }
other_cand->destroy(other_cand);
- return MATCH_NONE;
}
- other_cand->destroy(other_cand);
}
else
{
diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c
index 342b9dd..4b2fda6 100644
--- a/src/libcharon/config/ike_cfg.c
+++ b/src/libcharon/config/ike_cfg.c
@@ -49,6 +49,16 @@ struct private_ike_cfg_t {
char *other;
/**
+ * Allow any address on local host
+ */
+ bool me_allow_any;
+
+ /**
+ * Accept requests from any remote host
+ */
+ bool other_allow_any;
+
+ /**
* our source port
*/
u_int16_t my_port;
@@ -98,6 +108,18 @@ METHOD(ike_cfg_t, get_other_addr, char*,
return this->other;
}
+METHOD(ike_cfg_t, get_my_allow_any, bool,
+ private_ike_cfg_t *this)
+{
+ return this->me_allow_any;
+}
+
+METHOD(ike_cfg_t, get_other_allow_any, bool,
+ private_ike_cfg_t *this)
+{
+ return this->other_allow_any;
+}
+
METHOD(ike_cfg_t, get_my_port, u_int16_t,
private_ike_cfg_t *this)
{
@@ -260,7 +282,8 @@ METHOD(ike_cfg_t, destroy, void,
* Described in header.
*/
ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap,
- char *me, u_int16_t my_port, char *other, u_int16_t other_port)
+ char *me, bool me_allow_any, u_int16_t my_port,
+ char *other, bool other_allow_any, u_int16_t other_port)
{
private_ike_cfg_t *this;
@@ -270,6 +293,8 @@ ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap,
.force_encap = _force_encap_,
.get_my_addr = _get_my_addr,
.get_other_addr = _get_other_addr,
+ .get_my_allow_any = _get_my_allow_any,
+ .get_other_allow_any = _get_other_allow_any,
.get_my_port = _get_my_port,
.get_other_port = _get_other_port,
.add_proposal = _add_proposal,
@@ -285,6 +310,8 @@ ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap,
.force_encap = force_encap,
.me = strdup(me),
.other = strdup(other),
+ .me_allow_any = me_allow_any,
+ .other_allow_any = other_allow_any,
.my_port = my_port,
.other_port = other_port,
.proposals = linked_list_create(),
diff --git a/src/libcharon/config/ike_cfg.h b/src/libcharon/config/ike_cfg.h
index f1edde2..cb1ac61 100644
--- a/src/libcharon/config/ike_cfg.h
+++ b/src/libcharon/config/ike_cfg.h
@@ -53,6 +53,16 @@ struct ike_cfg_t {
char* (*get_other_addr) (ike_cfg_t *this);
/**
+ * Check if we allow any address on local host
+ */
+ bool (*get_my_allow_any) (ike_cfg_t *this);
+
+ /**
+ * Check if we accept requests from any remote host
+ */
+ bool (*get_other_allow_any) (ike_cfg_t *this);
+
+ /**
* Get the port to use as our source port.
*
* @return source address port, host order
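Review bot: The two new getter comments in this hunk do not state what is returned, while the neighbouring `get_my_port` entry documents its result with `@return`; I would add `@return TRUE if this end is matched as %any, whatever its configured address resolves to` to `get_my_allow_any` and the remote-side equivalent to `get_other_allow_any`. The `@param me_allow_any` / `@param other_allow_any` lines in the second hunk of this file ("if we allow any address on local host") have the same gap: they do not tell a caller that, judging from the backend_manager change in this patch, the flag makes config lookup accept any address for that end even when the configured address resolves to something else. Saying that once in the header keeps the semantics findable without reading backend_manager.c.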
@@ -150,12 +160,15 @@ struct ike_cfg_t {
* @param certreq TRUE to send a certificate request
* @param force_encap enforce UDP encapsulation by faking NATD notify
* @param me address/DNS name of local peer
+ * @param me_allow_any if we allow any address on local host
* @param my_port IKE port to use as source, 500 uses IKEv2 port floating
* @param other address/DNS name of remote peer
+ * @param other_allow_any if we accept requests from any remote host
* @param other_port IKE port to use as dest, 500 uses IKEv2 port floating
* @return ike_cfg_t object.
*/
ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap,
- char *me, u_int16_t my_port, char *other, u_int16_t other_port);
+ char *me, bool me_allow_any, u_int16_t my_port,
+ char *other, bool other_allow_any, u_int16_t other_port);
#endif /** IKE_CFG_H_ @}*/
diff --git a/src/libcharon/plugins/android/android_service.c b/src/libcharon/plugins/android/android_service.c
index 487567f..8fc0f20 100644
--- a/src/libcharon/plugins/android/android_service.c
+++ b/src/libcharon/plugins/android/android_service.c
@@ -269,8 +269,8 @@ static job_requeue_t initiate(private_android_service_t *this)
this->creds->set_username_password(this->creds, user, password);
}
- ike_cfg = ike_cfg_create(TRUE, FALSE, "0.0.0.0", IKEV2_UDP_PORT,
- hostname, IKEV2_UDP_PORT);
+ ike_cfg = ike_cfg_create(TRUE, FALSE, "0.0.0.0", FALSE, IKEV2_UDP_PORT,
+ hostname, FALSE, IKEV2_UDP_PORT);
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
peer_cfg = peer_cfg_create("android", 2, ike_cfg, CERT_SEND_IF_ASKED,
diff --git a/src/libcharon/plugins/ha/ha_tunnel.c b/src/libcharon/plugins/ha/ha_tunnel.c
index 299053e..26c0f68 100644
--- a/src/libcharon/plugins/ha/ha_tunnel.c
+++ b/src/libcharon/plugins/ha/ha_tunnel.c
@@ -203,8 +203,8 @@ static void setup_tunnel(private_ha_tunnel_t *this,
lib->credmgr->add_set(lib->credmgr, &this->creds.public);
/* create config and backend */
- ike_cfg = ike_cfg_create(FALSE, FALSE, local, IKEV2_UDP_PORT,
- remote, IKEV2_UDP_PORT);
+ ike_cfg = ike_cfg_create(FALSE, FALSE, local, FALSE, IKEV2_UDP_PORT,
+ remote, FALSE, IKEV2_UDP_PORT);
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
peer_cfg = peer_cfg_create("ha", 2, ike_cfg, CERT_NEVER_SEND,
UNIQUE_KEEP, 0, 86400, 0, 7200, 3600, FALSE, 30,
diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c
index 6bc6f91..99b946f 100644
--- a/src/libcharon/plugins/load_tester/load_tester_config.c
+++ b/src/libcharon/plugins/load_tester/load_tester_config.c
@@ -241,12 +241,12 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
if (this->port && num)
{
ike_cfg = ike_cfg_create(FALSE, FALSE,
- "0.0.0.0", this->port + num - 1, this->remote, IKEV2_NATT_PORT);
+ "0.0.0.0", FALSE, this->port + num - 1, this->remote, FALSE, IKEV2_NATT_PORT);
}
else
{
ike_cfg = ike_cfg_create(FALSE, FALSE,
- "0.0.0.0", IKEV2_UDP_PORT, this->remote, IKEV2_UDP_PORT);
+ "0.0.0.0", FALSE, IKEV2_UDP_PORT, this->remote, FALSE, IKEV2_UDP_PORT);
}
ike_cfg->add_proposal(ike_cfg, this->proposal->clone(this->proposal));
peer_cfg = peer_cfg_create("load-test", 2, ike_cfg,
diff --git a/src/libcharon/plugins/maemo/maemo_service.c b/src/libcharon/plugins/maemo/maemo_service.c
index 6675e1d..936714c 100644
--- a/src/libcharon/plugins/maemo/maemo_service.c
+++ b/src/libcharon/plugins/maemo/maemo_service.c
@@ -323,8 +323,8 @@ static gboolean initiate_connection(private_maemo_service_t *this,
NULL);
}
- ike_cfg = ike_cfg_create(TRUE, FALSE, "0.0.0.0", IKEV2_UDP_PORT,
- hostname, IKEV2_UDP_PORT);
+ ike_cfg = ike_cfg_create(TRUE, FALSE, "0.0.0.0", FALSE, IKEV2_UDP_PORT,
+ hostname, FALSE, IKEV2_UDP_PORT);
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
peer_cfg = peer_cfg_create(this->current, 2, ike_cfg, CERT_SEND_IF_ASKED,
diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c
index ee3e954..ed3951f 100644
--- a/src/libcharon/plugins/medcli/medcli_config.c
+++ b/src/libcharon/plugins/medcli/medcli_config.c
@@ -119,7 +119,7 @@ METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
return NULL;
}
ike_cfg = ike_cfg_create(FALSE, FALSE,
- "0.0.0.0", IKEV2_UDP_PORT, address, IKEV2_UDP_PORT);
+ "0.0.0.0", FALSE, IKEV2_UDP_PORT, address, FALSE, IKEV2_UDP_PORT);
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
med_cfg = peer_cfg_create(
"mediation", 2, ike_cfg,
@@ -391,8 +391,8 @@ medcli_config_t *medcli_config_create(database_t *db)
.db = db,
.rekey = lib->settings->get_time(lib->settings, "medcli.rekey", 1200),
.dpd = lib->settings->get_time(lib->settings, "medcli.dpd", 300),
- .ike = ike_cfg_create(FALSE, FALSE, "0.0.0.0", IKEV2_UDP_PORT,
- "0.0.0.0", IKEV2_UDP_PORT),
+ .ike = ike_cfg_create(FALSE, FALSE, "0.0.0.0", FALSE, IKEV2_UDP_PORT,
+ "0.0.0.0", FALSE, IKEV2_UDP_PORT),
);
this->ike->add_proposal(this->ike, proposal_create_default(PROTO_IKE));
diff --git a/src/libcharon/plugins/medsrv/medsrv_config.c b/src/libcharon/plugins/medsrv/medsrv_config.c
index 6cacb34..f50b16c 100644
--- a/src/libcharon/plugins/medsrv/medsrv_config.c
+++ b/src/libcharon/plugins/medsrv/medsrv_config.c
@@ -140,7 +140,7 @@ medsrv_config_t *medsrv_config_create(database_t *db)
.rekey = lib->settings->get_time(lib->settings, "medsrv.rekey", 1200),
.dpd = lib->settings->get_time(lib->settings, "medsrv.dpd", 300),
.ike = ike_cfg_create(FALSE, FALSE,
- "0.0.0.0", IKEV2_UDP_PORT, "0.0.0.0", IKEV2_UDP_PORT),
+ "0.0.0.0", FALSE, IKEV2_UDP_PORT, "0.0.0.0", FALSE, IKEV2_UDP_PORT),
);
this->ike->add_proposal(this->ike, proposal_create_default(PROTO_IKE));
diff --git a/src/libcharon/plugins/nm/nm_service.c b/src/libcharon/plugins/nm/nm_service.c
index a6783fc..65af95d 100644
--- a/src/libcharon/plugins/nm/nm_service.c
+++ b/src/libcharon/plugins/nm/nm_service.c
@@ -497,7 +497,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
* Set up configurations
*/
ike_cfg = ike_cfg_create(TRUE, encap,
- "0.0.0.0", IKEV2_UDP_PORT, (char*)address, IKEV2_UDP_PORT);
+ "0.0.0.0", FALSE, IKEV2_UDP_PORT, (char*)address, FALSE, IKEV2_UDP_PORT);
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
peer_cfg = peer_cfg_create(priv->name, 2, ike_cfg,
CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */
diff --git a/src/libcharon/plugins/sql/sql_config.c b/src/libcharon/plugins/sql/sql_config.c
index dc01601..19b4d44 100644
--- a/src/libcharon/plugins/sql/sql_config.c
+++ b/src/libcharon/plugins/sql/sql_config.c
@@ -259,7 +259,7 @@ static ike_cfg_t *build_ike_cfg(private_sql_config_t *this, enumerator_t *e,
ike_cfg_t *ike_cfg;
ike_cfg = ike_cfg_create(certreq, force_encap,
- local, IKEV2_UDP_PORT, remote, IKEV2_UDP_PORT);
+ local, FALSE, IKEV2_UDP_PORT, remote, FALSE, IKEV2_UDP_PORT);
add_ike_proposals(this, ike_cfg, id);
return ike_cfg;
}
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index f09c741..1a691e2 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -225,8 +225,10 @@ static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg
}
ike_cfg = ike_cfg_create(msg->add_conn.other.sendcert != CERT_NEVER_SEND,
msg->add_conn.force_encap,
- msg->add_conn.me.address, msg->add_conn.me.ikeport,
- msg->add_conn.other.address, msg->add_conn.other.ikeport);
+ msg->add_conn.me.address, msg->add_conn.me.allow_any,
+ msg->add_conn.me.ikeport,
+ msg->add_conn.other.address, msg->add_conn.other.allow_any,
+ msg->add_conn.other.ikeport);
add_proposals(this, msg->add_conn.algorithms.ike, ike_cfg, NULL);
return ike_cfg;
}
diff --git a/src/libcharon/plugins/uci/uci_config.c b/src/libcharon/plugins/uci/uci_config.c
index 2f5e59b..7dd306d 100644
--- a/src/libcharon/plugins/uci/uci_config.c
+++ b/src/libcharon/plugins/uci/uci_config.c
@@ -169,7 +169,7 @@ METHOD(enumerator_t, peer_enumerator_enumerate, bool,
{
DESTROY_IF(this->peer_cfg);
ike_cfg = ike_cfg_create(FALSE, FALSE,
- local_addr, IKEV2_UDP_PORT, remote_addr, IKEV2_UDP_PORT);
+ local_addr, FALSE, IKEV2_UDP_PORT, remote_addr, FALSE, IKEV2_UDP_PORT);
ike_cfg->add_proposal(ike_cfg, create_proposal(ike_proposal, PROTO_IKE));
this->peer_cfg = peer_cfg_create(
name, 2, ike_cfg, CERT_SEND_IF_ASKED, UNIQUE_NO,
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index e399b1c..f8986d0 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -178,6 +178,7 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta
ip_address2string(&conn_end->addr, buffer, sizeof(buffer));
msg_end->address = push_string(msg, buffer);
}
+ msg_end->allow_any = conn_end->allow_any;
msg_end->ikeport = conn_end->ikeport;
msg_end->subnets = push_string(msg, conn_end->subnet);
msg_end->sourceip = push_string(msg, conn_end->sourceip);
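Review bot: The added line copies `conn_end->allow_any` into the stroke message, but nothing in this patch shows where starter parses `leftallowany`/`rightallowany` into that member; if the config reader already fills it in, this is complete, otherwise the flag never reaches charon and this change is a no-op. I cannot tell from the diff alone, so it is worth confirming and, if the parsing already exists, mentioning it in the description. starter_stroke_add_end begins before this hunk.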
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index f3c525b..5858b9a 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -154,6 +154,7 @@ struct stroke_end_t {
char *cert_policy;
char *updown;
char *address;
+ bool allow_any;
u_int16_t ikeport;
char *sourceip;
int sourceip_mask;
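Review bot: Inserting `allow_any` in the middle of `stroke_end_t` changes the layout of the message that starter sends to charon over the stroke socket (starterstroke.c fills this struct directly), so a starter and a charon built from different revisions would read each other's subsequent fields from shifted offsets; the commit does not mention this. That is presumably acceptable because both binaries are built and shipped together, but it is worth a sentence in the description, and any length check the receiver performs on the message should be confirmed to still cover the enlarged struct. The enclosing struct definition starts before this hunk.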