- The openssl plugin supports ChaCha20-Poly1305 when built with OpenSSL 1.1.0.
+- The PB-TNC finite state machine according to section 3.2 of RFC 5793 was not
+ correctly implemented when sending either a CRETRY or SRETRY batch. These
+ batches can only be sent in the "Decided" state and a CRETRY batch can
+ immediately carry all messages usually transported by a CDATA batch. It is
+ currently not possible to send a SRETRY batch since full-duplex mode for
+ PT-TLS transport is not supported.
+
strongswan-5.7.2
----------------
}
return FALSE;
case PB_STATE_CLIENT_WORKING:
- if (this->is_server && type == PB_BATCH_CDATA)
+ if (this->is_server &&
+ (type == PB_BATCH_CDATA || type == PB_BATCH_CRETRY))
{
this->state = PB_STATE_SERVER_WORKING;
break;
}
- if (this->is_server && type == PB_BATCH_CRETRY)
- {
- break;
- }
if (type == PB_BATCH_CLOSE)
{
this->state = PB_STATE_END;
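Review bot: The merged condition at L15-L16 now moves a CRETRY received in CLIENT_WORKING to SERVER_WORKING without saying why, and the separate branch it replaces (L21-L24), which kept the state unchanged, is the only hint that CRETRY used to be treated differently here. Since `type` is whatever batch type the peer put on the wire, a one-line comment tying the transition to the specification would help the next reader, e.g. `/* a CRETRY restarts the handshake and is handled like a CDATA (RFC 5793, section 3.2) */`. The enclosing function starts and ends outside the hunk, so whether CRETRY is also admitted in the DECIDED branch is not visible from here.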
if (this->request_handshake_retry)
{
- if (state != PB_STATE_INIT)
+ if (state == PB_STATE_DECIDED)
{
+
build_retry_batch(this);
+
+ /* Restart the measurements */
+ tnc->imcs->notify_connection_change(tnc->imcs,
+ this->connection_id, TNC_CONNECTION_STATE_HANDSHAKE);
+ this->send_msg = TRUE;
+ this->mutex->unlock(this->mutex);
+ tnc->imcs->begin_handshake(tnc->imcs, this->connection_id);
+ this->mutex->lock(this->mutex);
+ this->send_msg = FALSE;
}
/* Reset the flag for the next handshake retry request */
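Review bot: Between the unlock at L40 and the re-lock at L42 the retry batch selected at L34 is left half-assembled while `begin_handshake()` runs with `send_msg` set, and the `state` value tested at L31 was read before the lock was dropped; if the receive path can run concurrently on this connection, the batch type and state it observes are those of the in-progress retry. That is presumably the intended hand-off, mirroring the unlock/callback/lock shape used for other IMC callbacks, but nothing in the hunk says so. A short comment above L39 would make the contract explicit, e.g. `/* let IMCs queue messages via send_message() while begin_handshake() runs; the lock is dropped only for the duration of that callback */`. The enclosing function starts and ends outside the hunk.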
{
this->batch_type = PB_BATCH_CDATA;
}
- if (this->batch_type == PB_BATCH_CDATA)
+ if (this->batch_type == PB_BATCH_CDATA || this->batch_type == PB_BATCH_CRETRY)
{
this->messages->insert_last(this->messages, msg);
}
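Review bot: The condition at L50 runs past the line width the rest of this patch respects (the equivalent condition at L15-L16 is wrapped), so it should be split the same way: `if (this->batch_type == PB_BATCH_CDATA ||` / `    this->batch_type == PB_BATCH_CRETRY)`. A comment stating why messages are queued for a CRETRY as well would also help, since the NEWS entry in this commit is the only place that explains it, e.g. `/* a CRETRY batch carries the same messages a CDATA batch would */`. The enclosing function starts and ends outside the hunk.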
return;
}
change_batch_type(this, PB_BATCH_SRETRY);
-
- this->recs->clear_recommendation(this->recs);
-
- /* Handshake will be retried with next incoming CDATA batch */
- this->retry_handshake = TRUE;
}
METHOD(tnccs_20_handler_t, process, status_t,
pb_tnc_msg_t *msg;
bool empty = TRUE;
- if (batch_type == PB_BATCH_CDATA)
- {
- /* retry handshake after a previous SRETRY batch */
- if (this->retry_handshake)
- {
- tnc->imvs->notify_connection_change(tnc->imvs,
- this->connection_id, TNC_CONNECTION_STATE_HANDSHAKE);
- this->retry_handshake = FALSE;
- }
- }
- else if (batch_type == PB_BATCH_CRETRY)
+ if (batch_type == PB_BATCH_CRETRY ||
+ (batch_type == PB_BATCH_CDATA && this->retry_handshake))
{
- /* Send an SRETRY batch in response */
- this->mutex->lock(this->mutex);
- build_retry_batch(this);
- this->mutex->unlock(this->mutex);
+ this->recs->clear_recommendation(this->recs);
+ tnc->imvs->notify_connection_change(tnc->imvs,
+ this->connection_id, TNC_CONNECTION_STATE_HANDSHAKE);
+ this->retry_handshake = FALSE;
}
enumerator = batch->create_msg_enumerator(batch);
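Review bot: The comment that explained the CDATA case (`/* retry handshake after a previous SRETRY batch */`, removed at L68) has no replacement, so the merged condition at L77-L78 no longer says why a plain CDATA sometimes restarts the handshake; suggest `/* restart the handshake: the client sent a CRETRY, or this is the CDATA following our SRETRY */` above L77. With the SRETRY reply dropped (L80-L83), `clear_recommendation()` at L84 and the HANDSHAKE notification now run directly for any CRETRY the state machine lets through, and the state-machine hunk at L14-L20 appears to admit a CRETRY in CLIENT_WORKING as well; if nothing upstream limits CRETRY to the Decided state, a peer can make the server discard its recommendation and redo the handshake at will, which is worth confirming or bounding. The enclosing function continues outside the hunk.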
if (this->request_handshake_retry)
{
- if (state != PB_STATE_INIT)
+ if (state == PB_STATE_DECIDED)
{
build_retry_batch(this);
+
+ /* Handshake will be retried with next incoming CDATA batch */
+ this->retry_handshake = TRUE;
}
/* Reset the flag for the next handshake retry request */