authorMartin Willi <martin@strongswan.org>2007-10-01 16:41:34 +0000
committerMartin Willi <martin@strongswan.org>2007-10-01 16:41:34 +0000
commitf53b74c96f86fe25dd1b4871f0c1a80b18ab4514 (patch)
tree84937fcdaf2af4d112bc25f5323d0ca0797bcafd
parent011fb1b97e241c635210630aa25c98f8fcf5686c (diff)
downloadstrongswan-f53b74c96f86fe25dd1b4871f0c1a80b18ab4514.tar.bz2
strongswan-f53b74c96f86fe25dd1b4871f0c1a80b18ab4514.tar.xz
moved force_encap to ike_config, enables responder to enforce udp encapsulation
fixed bugs in force_encap code
-rw-r--r--src/charon/config/backends/sqlite_backend.c4
-rw-r--r--src/charon/config/ike_cfg.c18
-rw-r--r--src/charon/config/ike_cfg.h12
-rw-r--r--src/charon/config/peer_cfg.c17
-rw-r--r--src/charon/config/peer_cfg.h11
-rwxr-xr-xsrc/charon/control/interfaces/stroke_interface.c6
-rw-r--r--src/charon/sa/ike_sa.c2
-rw-r--r--src/charon/sa/tasks/ike_natd.c17
-rw-r--r--src/starter/starterstroke.c1
9 files changed, 46 insertions, 42 deletions
diff --git a/src/charon/config/backends/sqlite_backend.c b/src/charon/config/backends/sqlite_backend.c
index be94f9b5f..9ceed9b8b 100644
--- a/src/charon/config/backends/sqlite_backend.c
+++ b/src/charon/config/backends/sqlite_backend.c
@@ -178,7 +178,8 @@ static peer_cfg_t *process_peer_cfg_row(private_sqlite_backend_t *this,
remote_id = identification_create_from_string((char*)sqlite3_column_text(stmt, 3));
if (local_host && remote_host && local_id && remote_id)
{
- ike_cfg = ike_cfg_create(sqlite3_column_int(stmt, 19), local_host, remote_host);
+ ike_cfg = ike_cfg_create(sqlite3_column_int(stmt, 19), FALSE,
+ local_host, remote_host);
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
peer_cfg = peer_cfg_create(
(char*)sqlite3_column_text(stmt, 1), /* name */
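Review bot: The new ike_cfg_create call passes a bare `FALSE` for the force_encap argument, so connections loaded from the SQLite backend can never request forced UDP encapsulation, whereas stroke-configured connections can; the removed peer_cfg_create argument at least carried a `/* force_encap */` annotation and this call should keep one, `ike_cfg = ike_cfg_create(sqlite3_column_int(stmt, 19), FALSE, /* force_encap */`. If the schema simply has no column for it, a short comment saying so next to the call would spare the next maintainer a search. process_peer_cfg_row starts before this hunk and continues past it.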
@@ -192,7 +193,6 @@ static peer_cfg_t *process_peer_cfg_row(private_sqlite_backend_t *this,
sqlite3_column_int(stmt, 10), /* jitter */
sqlite3_column_int(stmt, 13), /* reauth */
sqlite3_column_int(stmt, 14), /* mobike */
- FALSE, /* force_encap */
sqlite3_column_int(stmt, 11), /* dpd_delay */
sqlite3_column_int(stmt, 12), /* dpd_action */
local_vip, remote_vip);
diff --git a/src/charon/config/ike_cfg.c b/src/charon/config/ike_cfg.c
index 35f46a6b7..abb300aab 100644
--- a/src/charon/config/ike_cfg.c
+++ b/src/charon/config/ike_cfg.c
@@ -59,6 +59,11 @@ struct private_ike_cfg_t {
bool certreq;
/**
+ * enforce UDP encapsulation
+ */
+ bool force_encap;
+
+ /**
* List of proposals to use
*/
linked_list_t *proposals;
@@ -71,6 +76,14 @@ static bool send_certreq(private_ike_cfg_t *this)
{
return this->certreq;
}
+
+/**
+ * Implementation of ike_cfg_t.force_encap.
+ */
+static bool force_encap_meth(private_ike_cfg_t *this)
+{
+ return this->force_encap;
+}
/**
* Implementation of ike_cfg_t.get_my_host.
@@ -201,12 +214,14 @@ static void destroy(private_ike_cfg_t *this)
/**
* Described in header.
*/
-ike_cfg_t *ike_cfg_create(bool certreq, host_t *my_host, host_t *other_host)
+ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap,
+ host_t *my_host, host_t *other_host)
{
private_ike_cfg_t *this = malloc_thing(private_ike_cfg_t);
/* public functions */
this->public.send_certreq = (bool(*)(ike_cfg_t*))send_certreq;
+ this->public.force_encap = (bool (*) (ike_cfg_t *))force_encap_meth;
this->public.get_my_host = (host_t*(*)(ike_cfg_t*))get_my_host;
this->public.get_other_host = (host_t*(*)(ike_cfg_t*))get_other_host;
this->public.add_proposal = (void(*)(ike_cfg_t*, proposal_t*)) add_proposal;
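Review bot: The cast on the new `this->public.force_encap` assignment is spaced as `(bool (*) (ike_cfg_t *))`, while the neighbouring send_certreq, get_my_host and get_other_host lines in the same table use `(bool(*)(ike_cfg_t*))`; the line appears to have been carried over verbatim from peer_cfg.c, which uses the other style. Writing it as `this->public.force_encap = (bool(*)(ike_cfg_t*))force_encap_meth;` keeps ike_cfg_create's function table uniform. ike_cfg_create continues beyond this hunk.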
@@ -219,6 +234,7 @@ ike_cfg_t *ike_cfg_create(bool certreq, host_t *my_host, host_t *other_host)
/* private variables */
this->refcount = 1;
this->certreq = certreq;
+ this->force_encap = force_encap;
this->my_host = my_host;
this->other_host = other_host;
diff --git a/src/charon/config/ike_cfg.h b/src/charon/config/ike_cfg.h
index bcdc90d9e..5165d12a6 100644
--- a/src/charon/config/ike_cfg.h
+++ b/src/charon/config/ike_cfg.h
@@ -102,6 +102,14 @@ struct ike_cfg_t {
bool (*send_certreq) (ike_cfg_t *this);
/**
+ * @brief Enforce UDP encapsulation by faking NATD notifies?
+ *
+ * @param this calling object
+ * @return TRUE to enfoce UDP encapsulation
+ */
+ bool (*force_encap) (ike_cfg_t *this);
+
+ /**
* @brief Get the DH group to use for IKE_SA setup.
*
* @param this calling object
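Review bot: The `@return` line of the new force_encap documentation reads "TRUE to enfoce UDP encapsulation"; the typo was copied along with the block from peer_cfg.h (which is deleted in this commit) and should be fixed here as `* @return TRUE to enforce UDP encapsulation`. The enclosing struct ike_cfg_t starts and ends outside the hunk.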
@@ -140,12 +148,14 @@ struct ike_cfg_t {
*
* @param name ike_cfg identifier
* @param certreq TRUE to send a certificate request
+ * @param force_encap enforce UDP encapsulation by faking NATD notify
* @param my_host host_t representing local address
* @param other_host host_t representing remote address
* @return ike_cfg_t object.
*
* @ingroup config
*/
-ike_cfg_t *ike_cfg_create(bool certreq, host_t *my_host, host_t *other_host);
+ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap,
+ host_t *my_host, host_t *other_host);
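Review bot: The ike_cfg_create doc block gains `@param force_encap` but still lists `@param name ike_cfg identifier` as a context line, although neither the old nor the new prototype takes a name argument; since the block is being edited anyway, the stale line should be dropped so the parameter list matches the signature. The rest of the header is outside this hunk.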
#endif /* IKE_CFG_H_ */
diff --git a/src/charon/config/peer_cfg.c b/src/charon/config/peer_cfg.c
index 7935b9703..6733df08c 100644
--- a/src/charon/config/peer_cfg.c
+++ b/src/charon/config/peer_cfg.c
@@ -141,11 +141,6 @@ struct private_peer_cfg_t {
bool use_mobike;
/**
- * enforce UDP encapsulation
- */
- bool force_encap;
-
- /**
* Time before an SA gets invalid
*/
u_int32_t lifetime;
@@ -369,14 +364,6 @@ static bool use_mobike(private_peer_cfg_t *this)
{
return this->use_mobike;
}
-
-/**
- * Implementation of peer_cfg_t.force_encap.
- */
-static bool force_encap_meth(private_peer_cfg_t *this)
-{
- return this->force_encap;
-}
/**
* Implements peer_cfg_t.get_dpd_delay
@@ -465,7 +452,7 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
auth_method_t auth_method, eap_type_t eap_type,
u_int32_t keyingtries, u_int32_t lifetime,
u_int32_t rekeytime, u_int32_t jitter,
- bool reauth, bool mobike, bool force_encap,
+ bool reauth, bool mobike,
u_int32_t dpd_delay, dpd_action_t dpd_action,
host_t *my_virtual_ip, host_t *other_virtual_ip)
{
@@ -490,7 +477,6 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
this->public.get_lifetime = (u_int32_t (*) (peer_cfg_t *, bool rekey))get_lifetime;
this->public.use_reauth = (bool (*) (peer_cfg_t *))use_reauth;
this->public.use_mobike = (bool (*) (peer_cfg_t *))use_mobike;
- this->public.force_encap = (bool (*) (peer_cfg_t *))force_encap_meth;
this->public.get_dpd_delay = (u_int32_t (*) (peer_cfg_t *))get_dpd_delay;
this->public.get_dpd_action = (dpd_action_t (*) (peer_cfg_t *))get_dpd_action;
this->public.get_my_virtual_ip = (host_t* (*) (peer_cfg_t *))get_my_virtual_ip;
@@ -518,7 +504,6 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
this->jitter = jitter;
this->use_reauth = reauth;
this->use_mobike = mobike;
- this->force_encap = force_encap;
this->dpd_delay = dpd_delay;
this->dpd_action = dpd_action;
this->my_virtual_ip = my_virtual_ip;
diff --git a/src/charon/config/peer_cfg.h b/src/charon/config/peer_cfg.h
index ecd6bcf83..ea53a80e7 100644
--- a/src/charon/config/peer_cfg.h
+++ b/src/charon/config/peer_cfg.h
@@ -274,14 +274,6 @@ struct peer_cfg_t {
bool (*use_mobike) (peer_cfg_t *this);
/**
- * @brief Enforce UDP encapsulation by faking NATD notifies?
- *
- * @param this calling object
- * @return TRUE to enfoce UDP encapsulation
- */
- bool (*force_encap) (peer_cfg_t *this);
-
- /**
* @brief Get the DPD check interval.
*
* @param this calling object
@@ -374,7 +366,6 @@ struct peer_cfg_t {
* @param jitter range of random to substract from rekeytime
* @param reauth sould be done reauthentication instead of rekeying?
* @param mobike use MOBIKE (RFC4555) if peer supports it
- * @param force_encap enforce UDP encapsulation by faking NATD notify
* @param dpd_delay after how many seconds of inactivity to check DPD
* @param dpd_action what to do with CHILD_SAs when detected a dead peer
* @param my_virtual_ip virtual IP for local host, or NULL
@@ -390,7 +381,7 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ikev_version, ike_cfg_t *ike_cfg,
auth_method_t auth_method, eap_type_t eap_type,
u_int32_t keyingtries, u_int32_t lifetime,
u_int32_t rekeytime, u_int32_t jitter,
- bool reauth, bool mobike, bool force_encap,
+ bool reauth, bool mobike,
u_int32_t dpd_delay, dpd_action_t dpd_action,
host_t *my_virtual_ip, host_t *other_virtual_ip);
diff --git a/src/charon/control/interfaces/stroke_interface.c b/src/charon/control/interfaces/stroke_interface.c
index 13d4b9662..f6935d547 100755
--- a/src/charon/control/interfaces/stroke_interface.c
+++ b/src/charon/control/interfaces/stroke_interface.c
@@ -522,7 +522,7 @@ static void stroke_add_conn(stroke_msg_t *msg, FILE *out)
else
{
ike_cfg = ike_cfg_create(msg->add_conn.other.sendcert != CERT_NEVER_SEND,
- my_host, other_host);
+ msg->add_conn.force_encap, my_host, other_host);
if (msg->add_conn.algorithms.ike)
{
@@ -572,8 +572,8 @@ static void stroke_add_conn(stroke_msg_t *msg, FILE *out)
msg->add_conn.rekey.ike_lifetime - msg->add_conn.rekey.margin,
msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100,
msg->add_conn.rekey.reauth, msg->add_conn.mobike,
- msg->add_conn.force_encap, msg->add_conn.dpd.delay,
- msg->add_conn.dpd.action, my_vip, other_vip);
+ msg->add_conn.dpd.delay, msg->add_conn.dpd.action,
+ my_vip, other_vip);
}
child_cfg = child_cfg_create(
diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c
index 27ba1263a..42cda721b 100644
--- a/src/charon/sa/ike_sa.c
+++ b/src/charon/sa/ike_sa.c
@@ -496,7 +496,7 @@ static void set_condition(private_ike_sa_t *this, ike_condition_t condition,
this->conditions |= COND_NAT_ANY;
break;
case COND_NAT_FAKE:
- DBG1(DBG_IKE, "faked NAT situation to enforce UDP encapsulation");
+ DBG1(DBG_IKE, "faking NAT situation to enforce UDP encapsulation");
this->conditions |= COND_NAT_ANY;
break;
default:
diff --git a/src/charon/sa/tasks/ike_natd.c b/src/charon/sa/tasks/ike_natd.c
index ff3fbb77c..32665393d 100644
--- a/src/charon/sa/tasks/ike_natd.c
+++ b/src/charon/sa/tasks/ike_natd.c
@@ -141,12 +141,10 @@ static notify_payload_t *build_natd_payload(private_ike_natd_t *this,
chunk_t hash;
notify_payload_t *notify;
ike_sa_id_t *ike_sa_id;
- peer_cfg_t *config;
+ ike_cfg_t *config;
ike_sa_id = this->ike_sa->get_id(this->ike_sa);
- config = this->ike_sa->get_peer_cfg(this->ike_sa);
- notify = notify_payload_create();
- notify->set_notify_type(notify, type);
+ config = this->ike_sa->get_ike_cfg(this->ike_sa);
if (config->force_encap(config) && type == NAT_DETECTION_SOURCE_IP)
{
hash = generate_natd_hash_faked(this);
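Review bot: `config` is dereferenced through `config->force_encap(config)` immediately after `config = this->ike_sa->get_ike_cfg(this->ike_sa);` with no NULL check, and the same pattern appears in the process_payloads hunk further down; if get_ike_cfg can return NULL for an IKE_SA whose configuration has not been looked up yet (the previous get_peer_cfg variant looks like it had exactly that problem on the responder side, which may be the "bugs" the message refers to), this is a NULL dereference on the packet-processing path. Either the call site should guard it, `if (config && config->force_encap(config) && type == NAT_DETECTION_SOURCE_IP)`, or a comment should state that get_ike_cfg is guaranteed non-NULL once NAT-D payloads are built. build_natd_payload begins before this hunk and its else branch continues after it.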
@@ -155,6 +153,8 @@ static notify_payload_t *build_natd_payload(private_ike_natd_t *this,
{
hash = generate_natd_hash(this, ike_sa_id, host);
}
+ notify = notify_payload_create();
+ notify->set_notify_type(notify, type);
notify->set_notification_data(notify, hash);
chunk_free(&hash);
@@ -172,7 +172,7 @@ static void process_payloads(private_ike_natd_t *this, message_t *message)
chunk_t hash, src_hash, dst_hash;
ike_sa_id_t *ike_sa_id;
host_t *me, *other;
- peer_cfg_t *config;
+ ike_cfg_t *config;
/* Precompute NAT-D hashes for incoming NAT notify comparison */
ike_sa_id = message->get_ike_sa_id(message);
@@ -238,9 +238,10 @@ static void process_payloads(private_ike_natd_t *this, message_t *message)
this->ike_sa->set_condition(this->ike_sa, COND_NAT_HERE,
!this->dst_matched);
this->ike_sa->set_condition(this->ike_sa, COND_NAT_THERE,
- !this->src_matched);
- config = this->ike_sa->get_peer_cfg(this->ike_sa);
- if (config->force_encap(config))
+ !this->src_matched);
+ config = this->ike_sa->get_ike_cfg(this->ike_sa);
+ if (this->dst_matched && this->src_matched &&
+ config->force_encap(config))
{
this->ike_sa->set_condition(this->ike_sa, COND_NAT_FAKE, TRUE);
}
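Review bot: The `!this->src_matched);` continuation line is removed and re-added with only its indentation changed, which makes the functional change in this hunk (faking NAT only when both `this->dst_matched && this->src_matched` hold) harder to read in blame and review; whitespace-only edits are better kept out of a behavioural commit. The new condition itself reads correctly, as a real NAT detection on either side already yields UDP encapsulation without a fake. process_payloads appears to continue after the closing brace.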
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 69b5e5085..006cf1a21 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -228,6 +228,7 @@ int starter_stroke_add_conn(starter_conn_t *conn)
msg.add_conn.rekey.fuzz = conn->sa_rekey_fuzz;
}
msg.add_conn.mobike = conn->policy & POLICY_MOBIKE;
+ msg.add_conn.force_encap = conn->policy & POLICY_FORCE_ENCAP;
msg.add_conn.algorithms.ike = push_string(&msg, conn->ike);
msg.add_conn.algorithms.esp = push_string(&msg, conn->esp);
msg.add_conn.dpd.delay = conn->dpd_delay;
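Review bot: The added line stores the raw mask bit `conn->policy & POLICY_FORCE_ENCAP` into `msg.add_conn.force_encap`, mirroring the mobike line above it; if that field (and charon's bool) is a plain integer type rather than a C99 _Bool, the value is the bit's numeric weight rather than TRUE, which is fine for the `if (config->force_encap(config))` use in ike_natd.c but would break any future comparison against TRUE. Normalising it as `msg.add_conn.force_encap = (conn->policy & POLICY_FORCE_ENCAP) != 0;` removes the dependence on the field's type. starter_stroke_add_conn starts before the hunk and continues after it.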