libreswan/libreswan-3.23-ppk-update.patch

117 lines
3.9 KiB
Diff
Raw Normal View History

diff --git a/include/ietf_constants.h b/include/ietf_constants.h
index 38fa4de..08c8d9e 100644
--- a/include/ietf_constants.h
+++ b/include/ietf_constants.h
@@ -1486,12 +1486,14 @@ typedef enum {
v2N_SENDER_REQUEST_ID = 16429, /* draft-yeung-g-ikev2 */
v2N_IKEV2_FRAGMENTATION_SUPPORTED = 16430, /* RFC-7383 */
v2N_SIGNATURE_HASH_ALGORITHMS = 16431, /* RFC-7427 */
-
- v2N_USE_PPK = 40960, /* draft-ietf-ipsecme-qr-ikev2-01 */
- v2N_PPK_IDENTITY = 40961, /* draft-ietf-ipsecme-qr-ikev2-01 */
- v2N_NO_PPK_AUTH = 40962, /* draft-ietf-ipsecme-qr-ikev2-01 */
-
- /* 16432 - 40969 Unassigned */
+ v2N_CLONE_IKE_SA_SUPPORTED = 16432, /* RFC-7791 */
+ v2N_CLONE_IKE_SA = 16433, /* RFC-7791 */
+ v2N_PUZZLE = 16434, /* RFC-8019 */
+ v2N_USE_PPK = 16435, /* draft-ietf-ipsecme-qr-ikev2 */
+ v2N_PPK_IDENTITY = 16436, /* draft-ietf-ipsecme-qr-ikev2 */
+ v2N_NO_PPK_AUTH = 16437, /* draft-ietf-ipsecme-qr-ikev2 */
+
+ /* 16438 - 40969 Unassigned */
/* 40960 - 65535 Private Use */
} v2_notification_t;
diff --git a/lib/libswan/constants.c b/lib/libswan/constants.c
index ab6db3e..a0dab63 100644
--- a/lib/libswan/constants.c
+++ b/lib/libswan/constants.c
@@ -1634,20 +1634,6 @@ static enum_names ikev2_ppk_id_type_names = {
};
*/
-static const char *const ikev2_notify_name_private[] = {
- "v2N_USE_PPK",
- "v2N_PPK_IDENTITY",
- "v2N_NO_PPK_AUTH",
-};
-
-static enum_names ikev2_notify_names_private = {
- v2N_USE_PPK,
- v2N_NO_PPK_AUTH,
- ARRAY_REF(ikev2_notify_name_private),
- "v2N_", /* prefix */
- NULL
-};
-
/* http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xml#ikev2-parameters-13 */
static const char *const ikev2_notify_name_16384[] = {
"v2N_INITIAL_CONTACT", /* 16384 */
@@ -1698,14 +1684,20 @@ static const char *const ikev2_notify_name_16384[] = {
"v2N_SENDER_REQUEST_ID",
"v2N_IKEV2_FRAGMENTATION_SUPPORTED", /* 16430 */
"v2N_SIGNATURE_HASH_ALGORITHMS",
+ "v2N_CLONE_IKE_SA_SUPPORTED",
+ "v2N_CLONE_IKE_SA",
+ "v2N_PUZZLE",
+ "v2N_USE_PPK", /* 16435 */
+ "v2N_PPK_IDENTITY",
+ "v2N_NO_PPK_AUTH",
};
static enum_names ikev2_notify_names_16384 = {
v2N_INITIAL_CONTACT,
- v2N_SIGNATURE_HASH_ALGORITHMS,
+ v2N_NO_PPK_AUTH,
ARRAY_REF(ikev2_notify_name_16384),
"v2N_", /* prefix */
- &ikev2_notify_names_private
+ NULL
};
static const char *const ikev2_notify_name[] = {
diff --git a/programs/pluto/ikev2_parent.c b/programs/pluto/ikev2_parent.c
index 258ba85..b86eea8 100644
--- a/programs/pluto/ikev2_parent.c
+++ b/programs/pluto/ikev2_parent.c
@@ -3749,18 +3749,14 @@ stf_status ikev2_parent_inI2outR2_id_tail(struct msg_digest *md)
break;
}
- if (LIN(POLICY_PPK_ALLOW, policy)) {
- no_ppk_auth = alloc_chunk(len, "NO_PPK_AUTH");
+ no_ppk_auth = alloc_chunk(len, "NO_PPK_AUTH");
- if (!in_raw(no_ppk_auth.ptr, len, &pbs, "NO_PPK_AUTH extract")) {
- loglog(RC_LOG_SERIOUS, "Failed to extract %zd bytes of NO_PPK_AUTH from Notify payload", len);
- return STF_FATAL;
- }
- DBG(DBG_PRIVATE, DBG_dump_chunk("NO_PPK_AUTH:", no_ppk_auth));
- st->st_no_ppk_auth = no_ppk_auth;
- } else {
- libreswan_log("ignored received NO_PPK_AUTH - connection does not allow PPK");
+ if (!in_raw(no_ppk_auth.ptr, len, &pbs, "NO_PPK_AUTH extract")) {
+ loglog(RC_LOG_SERIOUS, "Failed to extract %zd bytes of NO_PPK_AUTH from Notify payload", len);
+ return STF_FATAL;
}
+ DBG(DBG_PRIVATE, DBG_dump_chunk("NO_PPK_AUTH:", no_ppk_auth));
+ st->st_no_ppk_auth = no_ppk_auth;
break;
}
case v2N_MOBIKE_SUPPORTED:
@@ -3774,8 +3770,11 @@ stf_status ikev2_parent_inI2outR2_id_tail(struct msg_digest *md)
}
}
- /* if we found proper PPK ID, we should use that without fallback to no ppk */
- if (found_ppk)
+ /*
+ * If we found proper PPK ID and policy allows PPK, use that.
+ * Otherwise use NO_PPK_AUTH
+ */
+ if (found_ppk && LIN(POLICY_PPK_ALLOW, policy))
freeanychunk(st->st_no_ppk_auth);
if (!found_ppk && LIN(POLICY_PPK_INSIST, policy)) {