diff options
| author | Andreas Steffen <andreas.steffen@strongswan.org> | 2012-06-08 13:01:08 +0200 |
|---|---|---|
| committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2012-06-08 21:24:41 +0200 |
| commit | 1d315bddd34033fb1679697f90a9294e2ebdcb96 (patch) | |
| tree | 157888b2e984bdc64a05179ccfa9d7353244dd7b /src | |
| parent | e5f0f9ff969f867faf3fb243468d658c4ab9e154 (diff) | |
| download | strongswan-1d315bddd34033fb1679697f90a9294e2ebdcb96.tar.bz2 strongswan-1d315bddd34033fb1679697f90a9294e2ebdcb96.tar.xz | |
implemented the right|leftallowany feature
Diffstat (limited to 'src')
| -rw-r--r-- | src/charon-nm/nm/nm_service.c | 4 | ||||
| -rw-r--r-- | src/conftest/config.c | 4 | ||||
| -rw-r--r-- | src/libcharon/config/backend_manager.c | 31 | ||||
| -rw-r--r-- | src/libcharon/config/ike_cfg.c | 27 | ||||
| -rw-r--r-- | src/libcharon/config/ike_cfg.h | 57 | ||||
| -rw-r--r-- | src/libcharon/plugins/android/android_service.c | 4 | ||||
| -rw-r--r-- | src/libcharon/plugins/ha/ha_tunnel.c | 4 | ||||
| -rw-r--r-- | src/libcharon/plugins/load_tester/load_tester_config.c | 6 | ||||
| -rw-r--r-- | src/libcharon/plugins/maemo/maemo_service.c | 4 | ||||
| -rw-r--r-- | src/libcharon/plugins/medcli/medcli_config.c | 8 | ||||
| -rw-r--r-- | src/libcharon/plugins/medsrv/medsrv_config.c | 3 | ||||
| -rw-r--r-- | src/libcharon/plugins/sql/sql_config.c | 3 | ||||
| -rw-r--r-- | src/libcharon/plugins/stroke/stroke_config.c | 12 | ||||
| -rw-r--r-- | src/libcharon/plugins/stroke/stroke_list.c | 12 | ||||
| -rw-r--r-- | src/libcharon/plugins/uci/uci_config.c | 8 | ||||
| -rw-r--r-- | src/libcharon/sa/ike_sa.c | 21 | ||||
| -rw-r--r-- | src/libcharon/sa/trap_manager.c | 4 | ||||
| -rw-r--r-- | src/starter/starterstroke.c | 1 | ||||
| -rw-r--r-- | src/stroke/stroke_msg.h | 1 |
19 files changed, 137 insertions, 77 deletions
diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c index 61b6a6c91..d6ecd20a5 100644 --- a/src/charon-nm/nm/nm_service.c +++ b/src/charon-nm/nm/nm_service.c @@ -496,8 +496,8 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, /** * Set up configurations */ - ike_cfg = ike_cfg_create(TRUE, encap, - "0.0.0.0", IKEV2_UDP_PORT, (char*)address, IKEV2_UDP_PORT); + ike_cfg = ike_cfg_create(TRUE, encap, "0.0.0.0", FALSE, IKEV2_UDP_PORT, + (char*)address, FALSE, IKEV2_UDP_PORT); ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); peer_cfg = peer_cfg_create(priv->name, IKEV2, ike_cfg, CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */ diff --git a/src/conftest/config.c b/src/conftest/config.c index d45d512a2..a3f23f3a4 100644 --- a/src/conftest/config.c +++ b/src/conftest/config.c @@ -103,9 +103,9 @@ static ike_cfg_t *load_ike_config(private_config_t *this, ike_cfg = ike_cfg_create(TRUE, settings->get_bool(settings, "configs.%s.fake_nat", FALSE, config), - settings->get_str(settings, "configs.%s.lhost", "%any", config), + settings->get_str(settings, "configs.%s.lhost", "%any", config), FALSE, settings->get_int(settings, "configs.%s.lport", 500, config), - settings->get_str(settings, "configs.%s.rhost", "%any", config), + settings->get_str(settings, "configs.%s.rhost", "%any", config), FALSE, settings->get_int(settings, "configs.%s.rport", 500, config)); token = settings->get_str(settings, "configs.%s.proposal", NULL, config); if (token) diff --git a/src/libcharon/config/backend_manager.c b/src/libcharon/config/backend_manager.c index 507f26d2f..09e123e67 100644 --- a/src/libcharon/config/backend_manager.c +++ b/src/libcharon/config/backend_manager.c @@ -78,12 +78,14 @@ static enumerator_t *ike_enum_create(backend_t *backend, ike_data_t *data) static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other) { host_t *me_cand, *other_cand; + char *my_addr, *other_addr; + bool my_allow_any, other_allow_any; ike_cfg_match_t match = MATCH_NONE; if (me) { - me_cand = host_create_from_dns(cand->get_my_addr(cand), - me->get_family(me), 0); + my_addr = cand->get_my_addr(cand, &my_allow_any); + me_cand = host_create_from_dns(my_addr, me->get_family(me), 0); if (!me_cand) { return MATCH_NONE; @@ -92,7 +94,7 @@ static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other) { match += MATCH_ME; } - else if (me_cand->is_anyaddr(me_cand)) + else if (my_allow_any || me_cand->is_anyaddr(me_cand)) { match += MATCH_ANY; } @@ -110,8 +112,8 @@ static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other) if (other) { - other_cand = host_create_from_dns(cand->get_other_addr(cand), - other->get_family(other), 0); + other_addr = cand->get_other_addr(cand, &other_allow_any); + other_cand = host_create_from_dns(other_addr, other->get_family(other), 0); if (!other_cand) { return MATCH_NONE; @@ -120,7 +122,7 @@ static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other) { match += MATCH_OTHER; } - else if (other_cand->is_anyaddr(other_cand)) + else if (other_allow_any || other_cand->is_anyaddr(other_cand)) { match += MATCH_ANY; } @@ -142,6 +144,8 @@ METHOD(backend_manager_t, get_ike_cfg, ike_cfg_t*, private_backend_manager_t *this, host_t *me, host_t *other) { ike_cfg_t *current, *found = NULL; + char *my_addr, *other_addr; + bool my_allow_any, other_allow_any; enumerator_t *enumerator; ike_cfg_match_t match, best = MATCH_ANY; ike_data_t *data; @@ -164,9 +168,11 @@ METHOD(backend_manager_t, get_ike_cfg, ike_cfg_t*, DBG3(DBG_CFG, "ike config match: %d (%H %H)", match, me, other); if (match) { - DBG2(DBG_CFG, " candidate: %s...%s, prio %d", - current->get_my_addr(current), - current->get_other_addr(current), match); + my_addr = current->get_my_addr(current, &my_allow_any); + other_addr = current->get_other_addr(current, &other_allow_any); + DBG2(DBG_CFG, " candidate: %s%s...%s%s, prio %d", + my_allow_any ? "%":"", my_addr, + other_allow_any ? "%":"", other_addr, match); if (match > best) { DESTROY_IF(found); @@ -180,8 +186,11 @@ METHOD(backend_manager_t, get_ike_cfg, ike_cfg_t*, this->lock->unlock(this->lock); if (found) { - DBG2(DBG_CFG, "found matching ike config: %s...%s with prio %d", - found->get_my_addr(found), found->get_other_addr(found), best); + my_addr = found->get_my_addr(found, &my_allow_any); + other_addr = found->get_other_addr(found, &other_allow_any); + DBG2(DBG_CFG, "found matching ike config: %s%s...%s%s with prio %d", + my_allow_any ? "%":"", my_addr, + other_allow_any ? "%":"", other_addr, best); } return found; } diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c index 342b9ddbe..5055a931c 100644 --- a/src/libcharon/config/ike_cfg.c +++ b/src/libcharon/config/ike_cfg.c @@ -49,6 +49,16 @@ struct private_ike_cfg_t { char *other; /** + * Allow override of local address + */ + bool my_allow_any; + + /** + * Allow override of remote address + */ + bool other_allow_any; + + /** * our source port */ u_int16_t my_port; @@ -87,14 +97,22 @@ METHOD(ike_cfg_t, force_encap_, bool, } METHOD(ike_cfg_t, get_my_addr, char*, - private_ike_cfg_t *this) + private_ike_cfg_t *this, bool *allow_any) { + if (allow_any) + { + *allow_any = this->my_allow_any; + } return this->me; } METHOD(ike_cfg_t, get_other_addr, char*, - private_ike_cfg_t *this) + private_ike_cfg_t *this, bool *allow_any) { + if (allow_any) + { + *allow_any = this->other_allow_any; + } return this->other; } @@ -260,7 +278,8 @@ METHOD(ike_cfg_t, destroy, void, * Described in header. */ ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap, - char *me, u_int16_t my_port, char *other, u_int16_t other_port) + char *me, bool my_allow_any, u_int16_t my_port, + char *other, bool other_allow_any, u_int16_t other_port) { private_ike_cfg_t *this; @@ -285,6 +304,8 @@ ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap, .force_encap = force_encap, .me = strdup(me), .other = strdup(other), + .my_allow_any = my_allow_any, + .other_allow_any = other_allow_any, .my_port = my_port, .other_port = other_port, .proposals = linked_list_create(), diff --git a/src/libcharon/config/ike_cfg.h b/src/libcharon/config/ike_cfg.h index f1edde255..691d223a3 100644 --- a/src/libcharon/config/ike_cfg.h +++ b/src/libcharon/config/ike_cfg.h @@ -41,28 +41,30 @@ struct ike_cfg_t { /** * Get own address. * - * @return string of address/DNS name + * @param allow_any allow any address to match + * @return string of address/DNS name */ - char* (*get_my_addr) (ike_cfg_t *this); + char* (*get_my_addr) (ike_cfg_t *this, bool *allow_any); /** - * Get peers address. + * Get peer's address. * - * @return string of address/DNS name + * @param allow_any allow any address to match + * @return string of address/DNS name */ - char* (*get_other_addr) (ike_cfg_t *this); + char* (*get_other_addr) (ike_cfg_t *this, bool *allow_any); /** * Get the port to use as our source port. * - * @return source address port, host order + * @return source address port, host order */ u_int16_t (*get_my_port)(ike_cfg_t *this); /** * Get the port to use as destination port. * - * @return destination address, host order + * @return destination address, host order */ u_int16_t (*get_other_port)(ike_cfg_t *this); @@ -72,7 +74,7 @@ struct ike_cfg_t { * The first added proposal has the highest priority, the last * added the lowest. * - * @param proposal proposal to add + * @param proposal proposal to add */ void (*add_proposal) (ike_cfg_t *this, proposal_t *proposal); @@ -81,7 +83,7 @@ struct ike_cfg_t { * * Returned list and its proposals must be destroyed after use. * - * @return list containing all the proposals + * @return list containing all the proposals */ linked_list_t* (*get_proposals) (ike_cfg_t *this); @@ -90,9 +92,9 @@ struct ike_cfg_t { * * Returned proposal must be destroyed after use. * - * @param proposals list of proposals to select from - * @param private accept algorithms from a private range - * @return selected proposal, or NULL if none matches. + * @param proposals list of proposals to select from + * @param private accept algorithms from a private range + * @return selected proposal, or NULL if none matches. */ proposal_t *(*select_proposal) (ike_cfg_t *this, linked_list_t *proposals, bool private); @@ -100,36 +102,36 @@ struct ike_cfg_t { /** * Should we send a certificate request in IKE_SA_INIT? * - * @return certificate request sending policy + * @return certificate request sending policy */ bool (*send_certreq) (ike_cfg_t *this); /** * Enforce UDP encapsulation by faking NATD notifies? * - * @return TRUE to enfoce UDP encapsulation + * @return TRUE to enfoce UDP encapsulation */ bool (*force_encap) (ike_cfg_t *this); /** * Get the DH group to use for IKE_SA setup. * - * @return dh group to use for initialization + * @return dh group to use for initialization */ diffie_hellman_group_t (*get_dh_group)(ike_cfg_t *this); /** * Check if two IKE configs are equal. * - * @param other other to check for equality - * @return TRUE if other equal to this + * @param other other to check for equality + * @return TRUE if other equal to this */ bool (*equals)(ike_cfg_t *this, ike_cfg_t *other); /** * Increase reference count. * - * @return reference to this + * @return reference to this */ ike_cfg_t* (*get_ref) (ike_cfg_t *this); @@ -147,15 +149,18 @@ struct ike_cfg_t { * * Supplied hosts become owned by ike_cfg, the name gets cloned. * - * @param certreq TRUE to send a certificate request - * @param force_encap enforce UDP encapsulation by faking NATD notify - * @param me address/DNS name of local peer - * @param my_port IKE port to use as source, 500 uses IKEv2 port floating - * @param other address/DNS name of remote peer - * @param other_port IKE port to use as dest, 500 uses IKEv2 port floating - * @return ike_cfg_t object. + * @param certreq TRUE to send a certificate request + * @param force_encap enforce UDP encapsulation by faking NATD notify + * @param me address/DNS name of local peer + * @param my_allow_any allow override of local address by any address + * @param my_port IKE port to use as source, 500 uses IKEv2 port floating + * @param other address/DNS name of remote peer + * @param other_allow_any allow override of remote address by any address + * @param other_port IKE port to use as dest, 500 uses IKEv2 port floating + * @return ike_cfg_t object. */ ike_cfg_t *ike_cfg_create(bool certreq, bool force_encap, - char *me, u_int16_t my_port, char *other, u_int16_t other_port); + char *me, bool my_allow_any, u_int16_t my_port, + char *other, bool other_allow_any, u_int16_t other_port); #endif /** IKE_CFG_H_ @}*/ diff --git a/src/libcharon/plugins/android/android_service.c b/src/libcharon/plugins/android/android_service.c index a25ca3612..f4e7e5097 100644 --- a/src/libcharon/plugins/android/android_service.c +++ b/src/libcharon/plugins/android/android_service.c @@ -269,8 +269,8 @@ static job_requeue_t initiate(private_android_service_t *this) this->creds->set_username_password(this->creds, user, password); } - ike_cfg = ike_cfg_create(TRUE, FALSE, "0.0.0.0", IKEV2_UDP_PORT, - hostname, IKEV2_UDP_PORT); + ike_cfg = ike_cfg_create(TRUE, FALSE, "0.0.0.0", FALSE, IKEV2_UDP_PORT, + hostname, FALSE, IKEV2_UDP_PORT); ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); peer_cfg = peer_cfg_create("android", IKEV2, ike_cfg, CERT_SEND_IF_ASKED, diff --git a/src/libcharon/plugins/ha/ha_tunnel.c b/src/libcharon/plugins/ha/ha_tunnel.c index 6558ea3b7..d1edb3e55 100644 --- a/src/libcharon/plugins/ha/ha_tunnel.c +++ b/src/libcharon/plugins/ha/ha_tunnel.c @@ -203,8 +203,8 @@ static void setup_tunnel(private_ha_tunnel_t *this, lib->credmgr->add_set(lib->credmgr, &this->creds.public); /* create config and backend */ - ike_cfg = ike_cfg_create(FALSE, FALSE, local, IKEV2_UDP_PORT, - remote, IKEV2_UDP_PORT); + ike_cfg = ike_cfg_create(FALSE, FALSE, local, FALSE, IKEV2_UDP_PORT, + remote, FALSE, IKEV2_UDP_PORT); ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); peer_cfg = peer_cfg_create("ha", IKEV2, ike_cfg, CERT_NEVER_SEND, UNIQUE_KEEP, 0, 86400, 0, 7200, 3600, FALSE, FALSE, 30, diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c index 75ac1ff49..d041d4cdc 100644 --- a/src/libcharon/plugins/load_tester/load_tester_config.c +++ b/src/libcharon/plugins/load_tester/load_tester_config.c @@ -251,12 +251,14 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num) if (this->port && num) { ike_cfg = ike_cfg_create(FALSE, FALSE, - this->local, this->port + num - 1, this->remote, IKEV2_NATT_PORT); + this->local, FALSE, this->port + num - 1, + this->remote, FALSE, IKEV2_NATT_PORT); } else { ike_cfg = ike_cfg_create(FALSE, FALSE, - this->local, IKEV2_UDP_PORT, this->remote, IKEV2_UDP_PORT); + this->local, FALSE, IKEV2_UDP_PORT, + this->remote, FALSE, IKEV2_UDP_PORT); } ike_cfg->add_proposal(ike_cfg, this->proposal->clone(this->proposal)); peer_cfg = peer_cfg_create("load-test", IKEV2, ike_cfg, diff --git a/src/libcharon/plugins/maemo/maemo_service.c b/src/libcharon/plugins/maemo/maemo_service.c index 1d1bb63d8..0e834918e 100644 --- a/src/libcharon/plugins/maemo/maemo_service.c +++ b/src/libcharon/plugins/maemo/maemo_service.c @@ -323,8 +323,8 @@ static gboolean initiate_connection(private_maemo_service_t *this, NULL); } - ike_cfg = ike_cfg_create(TRUE, FALSE, "0.0.0.0", IKEV2_UDP_PORT, - hostname, IKEV2_UDP_PORT); + ike_cfg = ike_cfg_create(TRUE, FALSE, "0.0.0.0", FALSE, IKEV2_UDP_PORT, + hostname, FALSE, IKEV2_UDP_PORT); ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); peer_cfg = peer_cfg_create(this->current, IKEV2, ike_cfg, diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c index 3b99144f0..15d4ffa3f 100644 --- a/src/libcharon/plugins/medcli/medcli_config.c +++ b/src/libcharon/plugins/medcli/medcli_config.c @@ -119,7 +119,8 @@ METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*, return NULL; } ike_cfg = ike_cfg_create(FALSE, FALSE, - "0.0.0.0", IKEV2_UDP_PORT, address, IKEV2_UDP_PORT); + "0.0.0.0", FALSE, IKEV2_UDP_PORT, + address, FALSE, IKEV2_UDP_PORT); ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); med_cfg = peer_cfg_create( "mediation", IKEV2, ike_cfg, @@ -394,8 +395,9 @@ medcli_config_t *medcli_config_create(database_t *db) .db = db, .rekey = lib->settings->get_time(lib->settings, "medcli.rekey", 1200), .dpd = lib->settings->get_time(lib->settings, "medcli.dpd", 300), - .ike = ike_cfg_create(FALSE, FALSE, "0.0.0.0", IKEV2_UDP_PORT, - "0.0.0.0", IKEV2_UDP_PORT), + .ike = ike_cfg_create(FALSE, FALSE, + "0.0.0.0", FALSE, IKEV2_UDP_PORT, + "0.0.0.0", FALSE, IKEV2_UDP_PORT), ); this->ike->add_proposal(this->ike, proposal_create_default(PROTO_IKE)); diff --git a/src/libcharon/plugins/medsrv/medsrv_config.c b/src/libcharon/plugins/medsrv/medsrv_config.c index 42564734f..ef3b04497 100644 --- a/src/libcharon/plugins/medsrv/medsrv_config.c +++ b/src/libcharon/plugins/medsrv/medsrv_config.c @@ -141,7 +141,8 @@ medsrv_config_t *medsrv_config_create(database_t *db) .rekey = lib->settings->get_time(lib->settings, "medsrv.rekey", 1200), .dpd = lib->settings->get_time(lib->settings, "medsrv.dpd", 300), .ike = ike_cfg_create(FALSE, FALSE, - "0.0.0.0", IKEV2_UDP_PORT, "0.0.0.0", IKEV2_UDP_PORT), + "0.0.0.0", FALSE, IKEV2_UDP_PORT, + "0.0.0.0", FALSE, IKEV2_UDP_PORT), ); this->ike->add_proposal(this->ike, proposal_create_default(PROTO_IKE)); diff --git a/src/libcharon/plugins/sql/sql_config.c b/src/libcharon/plugins/sql/sql_config.c index c2d4b6885..dd9a0b09d 100644 --- a/src/libcharon/plugins/sql/sql_config.c +++ b/src/libcharon/plugins/sql/sql_config.c @@ -259,7 +259,8 @@ static ike_cfg_t *build_ike_cfg(private_sql_config_t *this, enumerator_t *e, ike_cfg_t *ike_cfg; ike_cfg = ike_cfg_create(certreq, force_encap, - local, IKEV2_UDP_PORT, remote, IKEV2_UDP_PORT); + local, FALSE, IKEV2_UDP_PORT, + remote, FALSE, IKEV2_UDP_PORT); add_ike_proposals(this, ike_cfg, id); return ike_cfg; } diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c index 6b8dc234b..910acf18f 100644 --- a/src/libcharon/plugins/stroke/stroke_config.c +++ b/src/libcharon/plugins/stroke/stroke_config.c @@ -225,9 +225,13 @@ static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg } } ike_cfg = ike_cfg_create(msg->add_conn.other.sendcert != CERT_NEVER_SEND, - msg->add_conn.force_encap, - msg->add_conn.me.address, msg->add_conn.me.ikeport, - msg->add_conn.other.address, msg->add_conn.other.ikeport); + msg->add_conn.force_encap, + msg->add_conn.me.address, + msg->add_conn.me.allow_any, + msg->add_conn.me.ikeport, + msg->add_conn.other.address, + msg->add_conn.other.allow_any, + msg->add_conn.other.ikeport); add_proposals(this, msg->add_conn.algorithms.ike, ike_cfg, NULL); return ike_cfg; } @@ -625,7 +629,7 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this, } else { - if (strchr(ike_cfg->get_my_addr(ike_cfg), ':')) + if (strchr(ike_cfg->get_my_addr(ike_cfg, NULL), ':')) { vip = host_create_any(AF_INET6); } diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c index a179adfe0..88523ea46 100644 --- a/src/libcharon/plugins/stroke/stroke_list.c +++ b/src/libcharon/plugins/stroke/stroke_list.c @@ -500,6 +500,9 @@ METHOD(stroke_list_t, status, void, charon->backends, NULL, NULL, NULL, NULL, IKE_ANY); while (enumerator->enumerate(enumerator, &peer_cfg)) { + char *my_addr, *other_addr; + bool my_allow_any, other_allow_any; + if (name && !streq(name, peer_cfg->get_name(peer_cfg))) { continue; @@ -507,9 +510,12 @@ METHOD(stroke_list_t, status, void, ike_cfg = peer_cfg->get_ike_cfg(peer_cfg); ike_version = peer_cfg->get_ike_version(peer_cfg); - fprintf(out, "%12s: %s...%s %N", peer_cfg->get_name(peer_cfg), - ike_cfg->get_my_addr(ike_cfg), ike_cfg->get_other_addr(ike_cfg), - ike_version_names, ike_version); + my_addr = ike_cfg->get_my_addr(ike_cfg, &my_allow_any); + other_addr = ike_cfg->get_other_addr(ike_cfg, &other_allow_any); + fprintf(out, "%12s: %s%s...%s%s %N", peer_cfg->get_name(peer_cfg), + my_allow_any ? "%":"", my_addr, + other_allow_any ? "%":"", other_addr, + ike_version_names, ike_version); if (ike_version == IKEV1 && peer_cfg->use_aggressive(peer_cfg)) { diff --git a/src/libcharon/plugins/uci/uci_config.c b/src/libcharon/plugins/uci/uci_config.c index eb2c4b330..9b0fd73ad 100644 --- a/src/libcharon/plugins/uci/uci_config.c +++ b/src/libcharon/plugins/uci/uci_config.c @@ -169,7 +169,8 @@ METHOD(enumerator_t, peer_enumerator_enumerate, bool, { DESTROY_IF(this->peer_cfg); ike_cfg = ike_cfg_create(FALSE, FALSE, - local_addr, IKEV2_UDP_PORT, remote_addr, IKEV2_UDP_PORT); + local_addr, FALSE, IKEV2_UDP_PORT, + remote_addr, FALSE, IKEV2_UDP_PORT); ike_cfg->add_proposal(ike_cfg, create_proposal(ike_proposal, PROTO_IKE)); this->peer_cfg = peer_cfg_create( name, IKEV2, ike_cfg, CERT_SEND_IF_ASKED, UNIQUE_NO, @@ -265,8 +266,9 @@ METHOD(enumerator_t, ike_enumerator_enumerate, bool, &local_addr, &remote_addr, &ike_proposal)) { DESTROY_IF(this->ike_cfg); - this->ike_cfg = ike_cfg_create(FALSE, FALSE, local_addr, IKEV2_UDP_PORT, - remote_addr, IKEV2_UDP_PORT); + this->ike_cfg = ike_cfg_create(FALSE, FALSE, + local_addr, FALSE, IKEV2_UDP_PORT, + remote_addr, FALSE, IKEV2_UDP_PORT); this->ike_cfg->add_proposal(this->ike_cfg, create_proposal(ike_proposal, PROTO_IKE)); diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c index c104ff973..a13a7a3b6 100644 --- a/src/libcharon/sa/ike_sa.c +++ b/src/libcharon/sa/ike_sa.c @@ -1039,8 +1039,12 @@ static void resolve_hosts(private_ike_sa_t *this) } else { - host = host_create_from_dns(this->ike_cfg->get_other_addr(this->ike_cfg), - 0, this->ike_cfg->get_other_port(this->ike_cfg)); + char *other_addr; + u_int16_t other_port; + + other_addr = this->ike_cfg->get_other_addr(this->ike_cfg, NULL); + other_port = this->ike_cfg->get_other_port(this->ike_cfg); + host = host_create_from_dns(other_addr, 0, other_port); } if (host) { @@ -1054,6 +1058,8 @@ static void resolve_hosts(private_ike_sa_t *this) } else { + char *my_addr; + u_int16_t my_port; int family = 0; /* use same address family as for other */ @@ -1061,8 +1067,9 @@ static void resolve_hosts(private_ike_sa_t *this) { family = this->other_host->get_family(this->other_host); } - host = host_create_from_dns(this->ike_cfg->get_my_addr(this->ike_cfg), - family, this->ike_cfg->get_my_port(this->ike_cfg)); + my_addr = this->ike_cfg->get_my_addr(this->ike_cfg, NULL); + my_port = this->ike_cfg->get_my_port(this->ike_cfg); + host = host_create_from_dns(my_addr, family, my_port); if (host && host->is_anyaddr(host) && !this->other_host->is_anyaddr(this->other_host)) @@ -1076,9 +1083,7 @@ static void resolve_hosts(private_ike_sa_t *this) } else { /* fallback to address family specific %any(6), if configured */ - host = host_create_from_dns( - this->ike_cfg->get_my_addr(this->ike_cfg), - 0, this->ike_cfg->get_my_port(this->ike_cfg)); + host = host_create_from_dns(my_addr, 0, my_port); } } } @@ -1108,7 +1113,7 @@ METHOD(ike_sa_t, initiate, status_t, #endif /* ME */ ) { - char *addr = this->ike_cfg->get_other_addr(this->ike_cfg); + char *addr = this->ike_cfg->get_other_addr(this->ike_cfg, NULL); bool is_anyaddr = streq(addr, "%any") || streq(addr, "%any6"); if (is_anyaddr || !this->retry_initiate_interval) diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c index 9a6d4ebcf..e03e30695 100644 --- a/src/libcharon/sa/trap_manager.c +++ b/src/libcharon/sa/trap_manager.c @@ -127,14 +127,14 @@ METHOD(trap_manager_t, install, u_int32_t, /* try to resolve addresses */ ike_cfg = peer->get_ike_cfg(peer); - other = host_create_from_dns(ike_cfg->get_other_addr(ike_cfg), + other = host_create_from_dns(ike_cfg->get_other_addr(ike_cfg, NULL), 0, ike_cfg->get_other_port(ike_cfg)); if (!other || other->is_anyaddr(other)) { DBG1(DBG_CFG, "installing trap failed, remote address unknown"); return 0; } - me = host_create_from_dns(ike_cfg->get_my_addr(ike_cfg), + me = host_create_from_dns(ike_cfg->get_my_addr(ike_cfg, NULL), other->get_family(other), ike_cfg->get_my_port(ike_cfg)); if (!me || me->is_anyaddr(me)) { diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c index 72b3f1a89..4fdd5bea3 100644 --- a/src/starter/starterstroke.c +++ b/src/starter/starterstroke.c @@ -186,6 +186,7 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta msg_end->sendcert = conn_end->sendcert; msg_end->hostaccess = conn_end->hostaccess; msg_end->tohost = !conn_end->has_client; + msg_end->allow_any = conn_end->allow_any; msg_end->protocol = conn_end->protocol; msg_end->port = conn_end->port; } diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h index e1ac684e2..cc0819fda 100644 --- a/src/stroke/stroke_msg.h +++ b/src/stroke/stroke_msg.h @@ -162,6 +162,7 @@ struct stroke_end_t { int sendcert; int hostaccess; int tohost; + int allow_any; u_int8_t protocol; u_int16_t port; }; |