author | Martin Willi <martin@revosec.ch> | 2010-03-24 14:23:56 +0100 |
committer | Martin Willi <martin@revosec.ch> | 2010-03-25 14:29:10 +0100 |
commit | 045833c79d5d28fe7f6a55969a3ebc37dbab32c6 (patch) | |
tree | 4dc86fef32e9922abc83a0091aa3be1bac4a5593 | |
parent | e06a6154e21c22e5fa44339a60b69a6b6e0602c0 (diff) | |
Release virtual IPs with the same identity as we acquired it
-rw-r--r-- | src/libcharon/sa/ike_sa.c | 39 | ||||
-rw-r--r-- | src/libcharon/sa/ike_sa.h | 7 | ||||
-rw-r--r-- | src/libcharon/sa/tasks/ike_config.c | 34 |
3 files changed, 44 insertions, 36 deletions
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index cc2b95d44..1ca396d75 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -424,7 +424,7 @@ static void flush_auth_cfgs(private_ike_sa_t *this)
 {
 	auth_cfg_t *cfg;
 
-	if (lib->settings->get_bool(lib->settings, "charon.flush_auth_cfg", TRUE))
+	if (lib->settings->get_bool(lib->settings, "charon.flush_auth_cfg", FALSE))
 	{
 		while (this->my_auths->remove_last(this->my_auths,
 										   (void**)&cfg) == SUCCESS)
@@ -1409,6 +1409,38 @@ static identification_t* get_other_id(private_ike_sa_t *this)
 }
 
 /**
+ * Implementation of ike_sa_t.get_other_eap_id.
+ */
+static identification_t* get_other_eap_id(private_ike_sa_t *this)
+{
+	identification_t *id = NULL, *current;
+	enumerator_t *enumerator;
+	auth_cfg_t *cfg;
+
+	enumerator = this->other_auths->create_enumerator(this->other_auths);
+	while (enumerator->enumerate(enumerator, &cfg))
+	{
+		/* prefer EAP-Identity of last round */
+		current = cfg->get(cfg, AUTH_RULE_EAP_IDENTITY);
+		if (!current || current->get_type(current) == ID_ANY)
+		{
+			current = cfg->get(cfg, AUTH_RULE_IDENTITY);
+		}
+		if (current && current->get_type(current) != ID_ANY)
+		{
+			id = current;
+			continue;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (id)
+	{
+		return id;
+	}
+	return this->other_id;
+}
+
+/**
  * Implementation of ike_sa_t.set_other_id.
  */
 static void set_other_id(private_ike_sa_t *this, identification_t *other)
@@ -2029,8 +2061,8 @@ static void destroy(private_ike_sa_t *this)
 	if (this->peer_cfg && this->peer_cfg->get_pool(this->peer_cfg))
 	{
 		hydra->attributes->release_address(hydra->attributes,
-						this->peer_cfg->get_pool(this->peer_cfg),
-						this->other_virtual_ip, this->other_id);
+							this->peer_cfg->get_pool(this->peer_cfg),
+							this->other_virtual_ip, get_other_eap_id(this));
 		}
 		this->other_virtual_ip->destroy(this->other_virtual_ip);
 	}
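Review bot: The default of `charon.flush_auth_cfg` flips from TRUE to FALSE without a comment, and the reason only becomes visible in the destroy() hunk further down, where release_address() now receives get_other_eap_id(this), which walks this->other_auths. On an installation that explicitly sets flush_auth_cfg = yes those auth rounds are gone by the time destroy() runs, get_other_eap_id() falls back to this->other_id, and the lease is released under a different identity than it was acquired with — presumably the very mismatch the commit title describes, now hidden behind a config knob. A comment on the new default should record the coupling, e.g. `/* keep auth cfgs: get_other_eap_id() needs them when destroy() releases the virtual IP */`, and the setting's documentation should say the same. Keeping every auth_cfg for the SA lifetime also keeps the EAP identities and whatever else the rounds hold in memory longer than before; if that is unwanted, snapshotting the identity used for the acquire into the IKE_SA would avoid depending on the setting at all. Both flush_auth_cfgs() and destroy() continue outside their hunks.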
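Review bot: In get_other_eap_id the `continue` inside the inner `if` is redundant — it is the last statement of the while body, so the loop advances anyway — and it obscures the actual intent, which is to keep overwriting `id` so that the last round's identity wins; dropping it in favour of `/* keep going: the identity of the last round wins */` reads better. The doc comment "Implementation of ike_sa_t.get_other_eap_id." should also state that the returned identification_t is neither cloned nor referenced: it belongs to an auth_cfg in this->other_auths (or is this->other_id) and is only valid while those live, which matters because flush_auth_cfgs() can remove the auth rounds. The removed ike_config.c helper did the same walk through create_auth_cfg_enumerator(ike_sa, FALSE); if that enumerator does anything beyond a plain traversal of other_auths the two lookups could differ — worth confirming.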
@@ -2103,6 +2135,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 	this->public.set_my_id = (void (*)(ike_sa_t*,identification_t*)) set_my_id;
 	this->public.get_other_id = (identification_t* (*)(ike_sa_t*)) get_other_id;
 	this->public.set_other_id = (void (*)(ike_sa_t*,identification_t*)) set_other_id;
+	this->public.get_other_eap_id = (identification_t* (*)(ike_sa_t*)) get_other_eap_id;
 	this->public.enable_extension = (void(*)(ike_sa_t*, ike_extension_t extension))enable_extension;
 	this->public.supports_extension = (bool(*)(ike_sa_t*, ike_extension_t extension))supports_extension;
 	this->public.set_condition = (void (*)(ike_sa_t*, ike_condition_t,bool)) set_condition;
diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h
index 59a5a2c50..c61502edf 100644
--- a/src/libcharon/sa/ike_sa.h
+++ b/src/libcharon/sa/ike_sa.h
@@ -360,6 +360,13 @@ struct ike_sa_t {
 	identification_t* (*get_other_id) (ike_sa_t *this);
 
 	/**
+	 * Get the others peer identity, but prefer an EAP-Identity.
+	 *
+	 * @return EAP or IKEv2 identity
+	 */
+	identification_t* (*get_other_eap_id)(ike_sa_t *this);
+
+	/**
 	 * Set the other peer's identification.
 	 *
 	 * @param other identification
diff --git a/src/libcharon/sa/tasks/ike_config.c b/src/libcharon/sa/tasks/ike_config.c
index c252bd9c7..58bcf0762 100644
--- a/src/libcharon/sa/tasks/ike_config.c
+++ b/src/libcharon/sa/tasks/ike_config.c
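Review bot: The new doc comment on get_other_eap_id in ike_sa.h reads "Get the others peer identity" (should be "the other peer's identity") and leaves the two things a caller needs unstated: the fallback — the IKEv2 identity is returned when no authentication round carries a usable EAP or IKE identity, including the case where the auth configs have already been flushed — and ownership, since the returned object is not referenced and must be cloned if kept. Suggested wording: `* Get the other peer's identity, preferring the EAP-Identity of the last authentication round.` / `* @return EAP or IKEv2 identity, falls back to get_other_id(); not referenced, clone to keep`. The struct ike_sa_t definition continues outside the hunk.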
@@ -300,38 +300,6 @@ static status_t process_r(private_ike_config_t *this, message_t *message)
 }
 
 /**
- * Find a peer (EAP) identity to query provider for attributes
- */
-static identification_t *get_peer_identity(private_ike_config_t *this)
-{
-	identification_t *id = NULL, *current;
-	enumerator_t *enumerator;
-	auth_cfg_t *cfg;
-
-	enumerator = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, FALSE);
-	while (enumerator->enumerate(enumerator, &cfg))
-	{
-		/* prefer EAP-Identity of last round */
-		current = cfg->get(cfg, AUTH_RULE_EAP_IDENTITY);
-		if (!current || current->get_type(current) == ID_ANY)
-		{
-			current = cfg->get(cfg, AUTH_RULE_IDENTITY);
-		}
-		if (current && current->get_type(current) != ID_ANY)
-		{
-			id = current;
-			continue;
-		}
-	}
-	enumerator->destroy(enumerator);
-	if (!id)
-	{	/* fallback, should not happen */
-		id = this->ike_sa->get_other_id(this->ike_sa);
-	}
-	return id;
-}
-
-/**
  * Implementation of task_t.build for responder
  */
 static status_t build_r(private_ike_config_t *this, message_t *message)
@@ -346,7 +314,7 @@ static status_t build_r(private_ike_config_t *this, message_t *message)
 	peer_cfg_t *config;
 	identification_t *id;
 
-	id = get_peer_identity(this);
+	id = this->ike_sa->get_other_eap_id(this->ike_sa);
 	config = this->ike_sa->get_peer_cfg(this->ike_sa);
 
 	if (config && this->virtual_ip)