diff options
Diffstat (limited to 'src/pluto/connections.c')
| -rw-r--r-- | src/pluto/connections.c | 44 |
1 files changed, 29 insertions, 15 deletions
diff --git a/src/pluto/connections.c b/src/pluto/connections.c index 960aaa1f5..eb1570163 100644 --- a/src/pluto/connections.c +++ b/src/pluto/connections.c @@ -1043,10 +1043,10 @@ add_connection(const whack_message_t *wm) c->sa_keying_tries = wm->sa_keying_tries; /* RFC 3706 DPD */ - c->dpd_delay = wm->dpd_delay; - c->dpd_timeout = wm->dpd_timeout; - c->dpd_action = wm->dpd_action; - + c->dpd_delay = wm->dpd_delay; + c->dpd_timeout = wm->dpd_timeout; + c->dpd_action = wm->dpd_action; + c->addr_family = wm->addr_family; c->tunnel_addr_family = wm->tunnel_addr_family; @@ -3213,13 +3213,17 @@ find_host_connection(const ip_address *me, u_int16_t my_port if (policy != LEMPTY) { + lset_t auth_requested = policy & POLICY_ID_AUTH_MASK; + /* if we have requirements for the policy, * choose the first matching connection. */ while (c != NULL) { - if ((c->policy & policy) == policy) - break; + if (c->policy & auth_requested) + { + break; + } c = c->hp_next; } } @@ -3326,11 +3330,17 @@ refine_host_connection(const struct state *st, const struct id *peer_id if (psk == NULL) return NULL; /* cannot determine PSK! */ break; - + case XAUTHInitPreShared: + case XAUTHRespPreShared: + auth_policy = POLICY_XAUTH_PSK; + break; case OAKLEY_RSA_SIG: auth_policy = POLICY_RSASIG; break; - + case XAUTHInitRSA: + case XAUTHRespRSA: + auth_policy = POLICY_XAUTH_RSASIG; + break; default: bad_case(auth); } @@ -3353,17 +3363,21 @@ refine_host_connection(const struct state *st, const struct id *peer_id bool matching_id = match_id(peer_id , &d->spd.that.id, &wildcards); + bool matching_auth = (d->policy & auth_policy) != LEMPTY; + bool matching_trust = trusted_ca(peer_ca , d->spd.that.ca, &peer_pathlen); bool matching_request = match_requested_ca(c->requested_ca , d->spd.this.ca, &our_pathlen); - bool match = matching_id && matching_trust && matching_request; - + bool match = matching_id && matching_auth && + matching_trust && matching_request; + DBG(DBG_CONTROLMORE, - DBG_log("%s: %s match (id: %s, trust: %s, request: %s)" + DBG_log("%s: %s match (id: %s, auth: %s, trust: %s, request: %s)" , d->name , match ? "full":" no" , match_name[matching_id] + , match_name[matching_auth] , match_name[matching_trust] , match_name[matching_request]) ) @@ -3382,13 +3396,11 @@ refine_host_connection(const struct state *st, const struct id *peer_id continue; } - /* authentication used must fit policy of this connection */ - if ((d->policy & auth_policy) == LEMPTY) - continue; /* our auth isn't OK for this connection */ - switch (auth) { case OAKLEY_PRESHARED_KEY: + case XAUTHInitPreShared: + case XAUTHRespPreShared: /* secret must match the one we already used */ { const chunk_t *dpsk = get_preshared_secret(d); @@ -3404,6 +3416,8 @@ refine_host_connection(const struct state *st, const struct id *peer_id break; case OAKLEY_RSA_SIG: + case XAUTHInitRSA: + case XAUTHRespRSA: /* * We must at least be able to find our private key .*/ |