Diffstat (limited to 'src')
-rw-r--r-- | src/frontends/android/jni/libandroidbridge/backend/android_service.c | 57 | ||||
-rw-r--r-- | src/libcharon/config/child_cfg.c | 11 | ||||
-rw-r--r-- | src/libcharon/config/proposal.c | 10 |
3 files changed, 69 insertions, 9 deletions
diff --git a/src/frontends/android/jni/libandroidbridge/backend/android_service.c b/src/frontends/android/jni/libandroidbridge/backend/android_service.c
index e60c491c1..881ff00f1 100644
--- a/src/frontends/android/jni/libandroidbridge/backend/android_service.c
+++ b/src/frontends/android/jni/libandroidbridge/backend/android_service.c
@@ -418,6 +418,31 @@ CALLBACK(terminate, job_requeue_t,
 return JOB_REQUEUE_NONE;
 }
 
+/**
+ * Reestablish the IKE_SA with the given unique ID
+ */
+CALLBACK(reestablish, job_requeue_t,
+ u_int32_t *id)
+{
+ ike_sa_t *ike_sa;
+
+ ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
+ *id, FALSE);
+ if (ike_sa)
+ {
+ if (ike_sa->reauth(ike_sa) == DESTROY_ME)
+ {
+ charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
+ ike_sa);
+ }
+ else
+ {
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+ }
+ }
+ return JOB_REQUEUE_NONE;
+}
+
 METHOD(listener_t, child_updown, bool,
 private_android_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
 bool up)
@@ -484,6 +509,20 @@ METHOD(listener_t, alert, bool,
 charonservice->update_status(charonservice,
 CHARONSERVICE_PEER_AUTH_ERROR);
 break;
+ case ALERT_KEEP_ON_CHILD_SA_FAILURE:
+ {
+ u_int32_t *id = malloc_thing(u_int32_t);
+
+ /* because close_ike_on_child_failure is set this is only
+ * triggered when CHILD_SA rekeying failed. reestablish it in
+ * the hope that the initial setup works again. */
+ *id = ike_sa->get_unique_id(ike_sa);
+ lib->processor->queue_job(lib->processor,
+ (job_t*)callback_job_create_with_prio(
+ (callback_job_cb_t)reestablish, id, free,
+ (callback_job_cancel_t)return_false, JOB_PRIO_HIGH));
+ break;
+ }
 case ALERT_PEER_INIT_UNREACHABLE:
 this->lock->read_lock(this->lock);
 if (this->tunfd < 0)
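Review bot: The `ALERT_KEEP_ON_CHILD_SA_FAILURE` branch rests on an invariant that only its comment states — that `close_ike_on_child_failure` is enabled, so this alert can only mean a CHILD_SA rekey failed — but nothing in this file section enables that setting, and the enclosing `alert` method starts and ends outside the hunk. If the option is set elsewhere in the app, the comment should point there, e.g. `/* relies on close_ike_on_child_failure being enabled (set in <app config location>): only then is this alert limited to failed CHILD_SA rekeys */`. The `reestablish` callback in the hunk above would also benefit from one sentence in its header noting that a NULL result from `checkout_by_id` (the IKE_SA is already gone) is deliberately ignored and that `id` is owned by the job and released by the `free` cleanup passed to `callback_job_create_with_prio`.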
@@ -634,8 +673,8 @@ static job_requeue_t initiate(private_android_service_t *this)
 auth_cfg_t *auth;
 lifetime_cfg_t lifetime = {
 .time = {
- .life = 10800, /* 3h */
- .rekey = 10200, /* 2h50min */
+ .life = 3600, /* 1h */
+ .rekey = 3000, /* 50min */
 .jitter = 300 /* 5min */
 }
 };
@@ -687,8 +726,18 @@ static job_requeue_t initiate(private_android_service_t *this)
 child_cfg = child_cfg_create("android", &lifetime, NULL, TRUE, MODE_TUNNEL,
 ACTION_NONE, ACTION_RESTART, ACTION_RESTART,
 FALSE, 0, 0, NULL, NULL, 0);
- /* create an ESP proposal with the algorithms currently supported by
- * libipsec, no PFS for now */
+ /* create ESP proposals with and without DH groups, let responder decide
+ * if PFS is used */
+ child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
+ "aes128gcm16-aes256gcm16-ecp256"));
+ child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
+ "aes128-sha256-ecp256-modp3072"));
+ child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
+ "aes256-sha384-ecp521-modp8192"));
+ child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
+ "aes128-aes192-aes256-sha1-sha256-sha384-sha512-"
+ "ecp256-ecp384-ecp521-"
+ "modp2048-modp3072-modp4096-modp1024"));
 child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
 "aes128gcm16-aes256gcm16"));
 child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c
index 7e4a1433d..ed7c0d406 100644
--- a/src/libcharon/config/child_cfg.c
+++ b/src/libcharon/config/child_cfg.c
@@ -163,6 +163,11 @@ METHOD(child_cfg_t, add_proposal, void,
 }
 }
 
+static bool match_proposal(proposal_t *item, proposal_t *proposal)
+{
+ return item->equals(item, proposal);
+}
+
 METHOD(child_cfg_t, get_proposals, linked_list_t*,
 private_child_cfg_t *this, bool strip_dh)
 {
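Review bot: The fourth ESP proposal added in the `initiate` hunk ends its PFS group list with `modp1024`, and since the new comment says the responder decides, a responder that prefers it will negotiate a 1024-bit DH group for every CHILD_SA even though the proposals before it offer ecp256 and larger; `sha1` in the same string has a similar, smaller effect. If these are kept for interoperability, the comment should say so, e.g. `/* last proposal is the broad compatibility fallback; modp1024 and sha1 are kept for <reason> */`; otherwise drop `-modp1024` from that string. The enclosing `initiate` function begins and ends outside the hunk. The lifetime hunk above and the `match_proposal` helper added to child_cfg.c raise nothing.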
@@ -178,6 +183,12 @@ METHOD(child_cfg_t, get_proposals, linked_list_t*,
 {
 current->strip_dh(current, MODP_NONE);
 }
+ if (proposals->find_first(proposals, (linked_list_match_t)match_proposal,
+ NULL, current) == SUCCESS)
+ {
+ current->destroy(current);
+ continue;
+ }
 proposals->insert_last(proposals, current);
 }
 enumerator->destroy(enumerator);
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
index 4d881cd2f..50d3c6f66 100644
--- a/src/libcharon/config/proposal.c
+++ b/src/libcharon/config/proposal.c
@@ -337,7 +337,7 @@ static bool algo_list_equals(private_proposal_t *this, proposal_t *other,
 break;
 }
 }
- if (e2->enumerate(e2, &alg2, ks2))
+ if (e2->enumerate(e2, &alg2, &ks2))
 {
 /* other has more algs */
 equals = FALSE;
@@ -594,7 +594,7 @@ METHOD(proposal_t, destroy, void,
 }
 
 /*
- * Describtion in header-file
+ * Described in header
  */
 proposal_t *proposal_create(protocol_id_t protocol, u_int number)
 {
@@ -787,7 +787,7 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
 }
 
 /*
- * Describtion in header-file
+ * Described in header
  */
 proposal_t *proposal_create_default(protocol_id_t protocol)
 {
@@ -826,7 +826,7 @@ proposal_t *proposal_create_default(protocol_id_t protocol)
 }
 
 /*
- * Describtion in header-file
+ * Described in header
  */
 proposal_t *proposal_create_default_aead(protocol_id_t protocol)
 {
@@ -853,7 +853,7 @@ proposal_t *proposal_create_default_aead(protocol_id_t protocol)
 }
 
 /*
- * Describtion in header-file
+ * Described in header
  */
 proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs)
 {
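Review bot: The duplicate branch in `get_proposals` calls `current->destroy(current)` and continues, which is only safe if `current` is a per-iteration copy rather than the proposal owned by `this->proposals`; the loop head that would show this lies outside the hunk, as does the start of the enclosing method, so the ownership should be stated next to the check. A comment on the `find_first` line would pin it, e.g. `/* stripping DH can make proposals collide; drop the duplicate (current must be our own copy for destroy to be safe) */`. The proposal.c hunks below fix the `&ks2` argument to `enumerate` and comment typos and need no further change.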