Module Name:    src
Committed By:   tteras
Date:           Thu Sep  3 09:29:07 UTC 2009

Modified Files:
        src/crypto/dist/ipsec-tools/src/racoon: admin.c handler.c handler.h
            isakmp.c isakmp_var.h pfkey.c

Log Message:
When rekeying a phase2, use the phase1 that negotiated the previous phase2
as a hint for selecting the phase1 under which the new phase2 is negotiated.


To generate a diff of this commit:
cvs rdiff -u -r1.31 -r1.32 src/crypto/dist/ipsec-tools/src/racoon/admin.c
cvs rdiff -u -r1.29 -r1.30 src/crypto/dist/ipsec-tools/src/racoon/handler.c
cvs rdiff -u -r1.21 -r1.22 src/crypto/dist/ipsec-tools/src/racoon/handler.h
cvs rdiff -u -r1.59 -r1.60 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.15 -r1.16 \
    src/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h
cvs rdiff -u -r1.50 -r1.51 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/admin.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.31 src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.32
--- src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.31	Fri Jul  3 06:41:46 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/admin.c	Thu Sep  3 09:29:07 2009
@@ -1,11 +1,11 @@
-/*	$NetBSD: admin.c,v 1.31 2009/07/03 06:41:46 tteras Exp $	*/
+/*	$NetBSD: admin.c,v 1.32 2009/09/03 09:29:07 tteras Exp $	*/
 
 /* Id: admin.c,v 1.25 2006/04/06 14:31:04 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -17,7 +17,7 @@
  * 3. Neither the name of the project nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -341,7 +341,7 @@
 		user[len] = 0;
 
 		found = purgeph1bylogin(user);
-		plog(LLV_INFO, LOCATION, NULL, 
+		plog(LLV_INFO, LOCATION, NULL,
 		    "deleted %d SA for user \"%s\"\n", found, user);
 
 		break;
@@ -360,7 +360,7 @@
 		rem = racoon_strdup(saddrwop2str(dst));
 		STRDUP_FATAL(rem);
 
-		plog(LLV_INFO, LOCATION, NULL, 
+		plog(LLV_INFO, LOCATION, NULL,
 		    "Flushing all SAs for peer %s\n", rem);
 
 		while ((iph1 = getph1bydstaddr(dst)) != NULL) {
@@ -373,7 +373,7 @@
 
 			racoon_free(loc);
 		}
-		
+
 		racoon_free(rem);
 		break;
 	}
@@ -383,14 +383,14 @@
 		char *data;
 
 		acp = (struct admin_com_psk *)
-		    ((char *)com + sizeof(*com) + 
+		    ((char *)com + sizeof(*com) +
 		    sizeof(struct admin_com_indexes));
 
 		idtype = acp->id_type;
 
 		if ((id = vmalloc(acp->id_len)) == NULL) {
 			plog(LLV_ERROR, LOCATION, NULL,
-			    "cannot allocate memory: %s\n", 
+			    "cannot allocate memory: %s\n",
 			    strerror(errno));
 			break;
 		}
@@ -399,7 +399,7 @@
 
 		if ((key = vmalloc(acp->key_len)) == NULL) {
 			plog(LLV_ERROR, LOCATION, NULL,
-			    "cannot allocate memory: %s\n", 
+			    "cannot allocate memory: %s\n",
 			    strerror(errno));
 			vfree(id);
 			id = NULL;
@@ -474,7 +474,7 @@
 				rmconf->xauth->pass = key;
 			}
 #endif
- 
+
 			plog(LLV_INFO, LOCATION, NULL,
 				"accept a request to establish IKE-SA: "
 				"%s\n", saddrwop2str(dst));
@@ -577,7 +577,7 @@
 			}
 
 			insph2(iph2);
-			if (isakmp_post_acquire(iph2) < 0) {
+			if (isakmp_post_acquire(iph2, NULL) < 0) {
 				remph2(iph2);
 				delph2(iph2);
 				break;
@@ -710,17 +710,17 @@
 	}
 
 	if (chown(sunaddr.sun_path, adminsock_owner, adminsock_group) != 0) {
-		plog(LLV_ERROR, LOCATION, NULL, 
-		    "chown(%s, %d, %d): %s\n", 
-		    sunaddr.sun_path, adminsock_owner, 
+		plog(LLV_ERROR, LOCATION, NULL,
+		    "chown(%s, %d, %d): %s\n",
+		    sunaddr.sun_path, adminsock_owner,
 		    adminsock_group, strerror(errno));
 		(void)close(lcconf->sock_admin);
 		return -1;
 	}
 
 	if (chmod(sunaddr.sun_path, adminsock_mode) != 0) {
-		plog(LLV_ERROR, LOCATION, NULL, 
-		    "chmod(%s, 0%03o): %s\n", 
+		plog(LLV_ERROR, LOCATION, NULL,
+		    "chmod(%s, 0%03o): %s\n",
 		    sunaddr.sun_path, adminsock_mode, strerror(errno));
 		(void)close(lcconf->sock_admin);
 		return -1;

Index: src/crypto/dist/ipsec-tools/src/racoon/handler.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.29 src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.30
--- src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.29	Fri Jul  3 06:41:46 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.c	Thu Sep  3 09:29:07 2009
@@ -1,11 +1,11 @@
-/*	$NetBSD: handler.c,v 1.29 2009/07/03 06:41:46 tteras Exp $	*/
+/*	$NetBSD: handler.c,v 1.30 2009/09/03 09:29:07 tteras Exp $	*/
 
 /* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -17,7 +17,7 @@
  * 3. Neither the name of the project nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -64,7 +64,7 @@
 #include "evt.h"
 #include "isakmp.h"
 #ifdef ENABLE_HYBRID
-#include "isakmp_xauth.h"  
+#include "isakmp_xauth.h"
 #include "isakmp_cfg.h"
 #endif
 #include "isakmp_inf.h"
@@ -177,8 +177,8 @@
  * with phase 2's destinaion.
  */
 struct ph1handle *
-getph1(rmconf, local, remote, flags)
-	struct remoteconf *rmconf;
+getph1(ph1hint, local, remote, flags)
+	struct ph1handle *ph1hint;
 	struct sockaddr *local, *remote;
 	int flags;
 {
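Review bot: The function comment ending at `with phase 2's destinaion.` still describes the old rmconf-based selection, and nothing documents what the new ph1hint parameter does; suggest adding `ph1hint, if non-NULL, restricts the match to phase1s whose local and remote identities equal the hint's (compared only when both sides carry an identity); NULL disables the filter.` The same comment line has a typo, `destinaion` → `destination`. The body of getph1 runs past this hunk.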
@@ -202,12 +202,30 @@
 			continue;
 		}
 
-		if (local != NULL && cmpsaddr(local, p->local) != 0)
+		if (local != NULL && cmpsaddr(local, p->local) == CMPSADDR_MISMATCH)
 			continue;
 
-		if (remote != NULL && cmpsaddr(remote, p->remote) != 0)
+		if (remote != NULL && cmpsaddr(remote, p->remote) == CMPSADDR_MISMATCH)
 			continue;
 
+		if (ph1hint != NULL) {
+			if (ph1hint->id && ph1hint->id->l && p->id && p->id->l &&
+			    (ph1hint->id->l != p->id->l ||
+			     memcmp(ph1hint->id->v, p->id->v, p->id->l) != 0)) {
+				plog(LLV_DEBUG2, LOCATION, NULL,
+				     "local identity does match hint\n");
+				continue;
+			}
+			if (ph1hint->id_p && ph1hint->id_p->l &&
+			    p->id_p && p->id_p->l &&
+			    (ph1hint->id_p->l != p->id_p->l ||
+			     memcmp(ph1hint->id_p->v, p->id_p->v, p->id_p->l) != 0)) {
+				plog(LLV_DEBUG2, LOCATION, NULL,
+				     "remote identity does match hint\n");
+				continue;
+			}
+		}
+
 		plog(LLV_DEBUG2, LOCATION, NULL, "matched\n");
 		return p;
 	}
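Review bot: The two debug messages added inside the `if (ph1hint != NULL)` block are inverted: `"local identity does match hint\n"` is logged only when the lengths differ or memcmp() is non-zero, i.e. when the identity does NOT match, and the same holds for `"remote identity does match hint\n"`; change them to `"local identity does not match hint\n"` and `"remote identity does not match hint\n"`. Separately, the two replaced comparisons now skip a candidate only on CMPSADDR_MISMATCH instead of on any non-zero cmpsaddr() result, so a phase1 whose addresses differ only in port can now be selected; that is a behaviour change the log message does not mention and deserves a comment on those lines or a sentence in the commit message. getph1's body starts before this hunk.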
@@ -1155,7 +1173,7 @@
 }
 
 #ifdef ENABLE_HYBRID
-/* 
+/*
  * Retruns 0 if the address was obtained by ISAKMP mode config, 1 otherwise
  * This should be in isakmp_cfg.c but ph1tree being private, it must be there
  */
@@ -1182,7 +1200,7 @@
 
 
 
-/* 
+/*
  * Reload conf code
  */
 static int revalidate_ph2(struct ph2handle *iph2){
@@ -1192,11 +1210,11 @@
 	struct saprop *approval;
 	struct ph1handle *iph1;
 
-	/* 
+	/*
 	 * Get the new sainfo using values of the old one
 	 */
 	if (iph2->sainfo != NULL) {
-		iph2->sainfo = getsainfo(iph2->sainfo->idsrc, 
+		iph2->sainfo = getsainfo(iph2->sainfo->idsrc,
 					  iph2->sainfo->iddst, iph2->sainfo->id_i,
 					  NULL, iph2->sainfo->remoteid);
 	}
@@ -1204,7 +1222,7 @@
 	sainfo = iph2->sainfo;
 
 	if (sainfo == NULL) {
-		/* 
+		/*
 		 * Sainfo has been removed
 		 */
 		plog(LLV_DEBUG, LOCATION, NULL,
@@ -1219,7 +1237,7 @@
 		plog(LLV_DEBUG, LOCATION, NULL,
 			 "No approval found !\n");
 		return 0;
-	}	
+	}
 
 	/*
 	 * Don't care about proposals, should we do something ?
@@ -1318,7 +1336,7 @@
 	}
 
 	found = 0;
-	for (alg = sainfo->algs[algclass_ipsec_enc]; 
+	for (alg = sainfo->algs[algclass_ipsec_enc];
 	    (found == 0 && alg != NULL); alg = alg->next) {
 		plog(LLV_DEBUG, LOCATION, NULL,
 			 "Reload: next ph2 enc alg...\n");
@@ -1351,7 +1369,7 @@
 			break;
 
 		default:
-			plog(LLV_ERROR, LOCATION, NULL, 
+			plog(LLV_ERROR, LOCATION, NULL,
 			    "unexpected check_level\n");
 			continue;
 			break;
@@ -1375,7 +1393,7 @@
 }
 
 
-static void 
+static void
 remove_ph2(struct ph2handle *iph2)
 {
 	u_int32_t spis[2];
@@ -1467,7 +1485,7 @@
 	return 1;
 }
 
-int 
+int
 revalidate_ph12(void)
 {
 

Index: src/crypto/dist/ipsec-tools/src/racoon/handler.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.h:1.21 src/crypto/dist/ipsec-tools/src/racoon/handler.h:1.22
--- src/crypto/dist/ipsec-tools/src/racoon/handler.h:1.21	Fri Jul  3 06:41:46 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.h	Thu Sep  3 09:29:07 2009
@@ -1,11 +1,11 @@
-/*	$NetBSD: handler.h,v 1.21 2009/07/03 06:41:46 tteras Exp $	*/
+/*	$NetBSD: handler.h,v 1.22 2009/09/03 09:29:07 tteras Exp $	*/
 
 /* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -17,7 +17,7 @@
  * 3. Neither the name of the project nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -214,7 +214,7 @@
 	LIST_ENTRY(ph1handle) chain;
 #ifdef ENABLE_HYBRID
 	struct isakmp_cfg_state *mode_cfg;	/* ISAKMP mode config state */
-#endif       
+#endif
 	EVT_LISTENER_LIST(evt_listeners);
 };
 
@@ -449,7 +449,7 @@
 	struct sockaddr_storage remote;
 	struct sockaddr_storage local;
 	u_int8_t version;
-	u_int8_t etype;	
+	u_int8_t etype;
 	time_t created;
 	int ph2cnt;
 };
@@ -468,7 +468,7 @@
 
 #define GETPH1_F_ESTABLISHED		0x0001
 
-extern struct ph1handle *getph1 __P((struct remoteconf *rmconf,
+extern struct ph1handle *getph1 __P((struct ph1handle *ph1hint,
 				     struct sockaddr *local,
 				     struct sockaddr *remote,
 				     int flags));

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.59 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.60
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.59	Tue Sep  1 09:24:21 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Thu Sep  3 09:29:07 2009
@@ -1,11 +1,11 @@
-/*	$NetBSD: isakmp.c,v 1.59 2009/09/01 09:24:21 tteras Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.60 2009/09/03 09:29:07 tteras Exp $	*/
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -17,7 +17,7 @@
  * 3. Neither the name of the project nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -176,7 +176,7 @@
 };
 
 static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */
- 
+
 static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *));
 static int ph1_main __P((struct ph1handle *, vchar_t *));
 static int quick_main __P((struct ph2handle *, vchar_t *));
@@ -190,7 +190,7 @@
 static int isakmp_ph2resend __P((struct ph2handle *));
 
 #ifdef ENABLE_FRAG
-static int frag_handler(struct ph1handle *, 
+static int frag_handler(struct ph1handle *,
     vchar_t *, struct sockaddr *, struct sockaddr *);
 #endif
 
@@ -259,16 +259,16 @@
 			extralen += sizeof(x.lbuf.udp) + x.lbuf.ip.ip_hl;
 		}
 #endif
-	}	
+	}
 
 #ifdef ENABLE_NATT
-	/* we don't know about portchange yet, 
+	/* we don't know about portchange yet,
 	   look for non-esp marker instead */
 	if (x.non_esp[0] == 0 && x.non_esp[1] != 0)
 		extralen = NON_ESP_MARKER_LEN;
 #endif
 
-	/* now we know if there is an extra non-esp 
+	/* now we know if there is an extra non-esp
 	   marker at the beginning or not */
 	memcpy ((char *)&isakmp, x.buf + extralen, sizeof (isakmp));
 
@@ -309,7 +309,7 @@
 		if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
 			    0, (struct sockaddr *)&remote, &remote_len)) < 0) {
 			plog(LLV_ERROR, LOCATION, NULL,
-				"failed to receive isakmp packet: %s\n", 
+				"failed to receive isakmp packet: %s\n",
 				strerror (errno));
 		}
 		goto end;
@@ -332,11 +332,11 @@
 			(len - extralen));
 		goto end;
 	}
-	
+
 	memcpy (buf->v, tmpbuf->v + extralen, buf->l);
 
 	len -= extralen;
-	
+
 	if (len != buf->l) {
 		plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
 			"received invalid length (%d != %zu), why ?\n",
@@ -347,7 +347,7 @@
 	plog(LLV_DEBUG, LOCATION, NULL, "===\n");
 	plog(LLV_DEBUG, LOCATION, NULL,
 		"%d bytes message received %s\n",
-		len, saddr2str_fromto("from %s to %s", 
+		len, saddr2str_fromto("from %s to %s",
 			(struct sockaddr *)&remote,
 			(struct sockaddr *)&local));
 	plogdump(LLV_DEBUG, buf->v, buf->l);
@@ -496,12 +496,12 @@
 			}
 
 			/* set the flag to prevent further port floating
-			   (FIXME: should we allow it? E.g. when the NAT gw 
+			   (FIXME: should we allow it? E.g. when the NAT gw
 			    is rebooted?) */
 			iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER;
-			
+
 			/* print some neat info */
-			plog (LLV_INFO, LOCATION, NULL, 
+			plog (LLV_INFO, LOCATION, NULL,
 			      "NAT-T: ports changed to: %s\n",
 			      saddr2str_fromto ("%s<->%s", iph1->remote, iph1->local));
 
@@ -668,7 +668,7 @@
 			return -1;
 		}
 #ifdef ENABLE_HYBRID
-		/* Reinit the IVM if it's still there */		
+		/* Reinit the IVM if it's still there */
 		if (iph1->mode_cfg && iph1->mode_cfg->ivm) {
 			oakley_delivm(iph1->mode_cfg->ivm);
 			iph1->mode_cfg->ivm = NULL;
@@ -753,7 +753,7 @@
 
 		isakmp_cfg_r(iph1, msg);
 		break;
-#endif	 
+#endif
 
 	case ISAKMP_ETYPE_NONE:
 	default:
@@ -822,7 +822,7 @@
 	/* free resend buffer */
 	if (iph1->sendbuf == NULL) {
 		plog(LLV_ERROR, LOCATION, NULL,
-			"no buffer found as sendbuf\n"); 
+			"no buffer found as sendbuf\n");
 		return -1;
 	}
 #endif
@@ -925,13 +925,13 @@
 		log_ph1established(iph1);
 		plog(LLV_DEBUG, LOCATION, NULL, "===\n");
 
-		/* 
+		/*
 		 * SA up shell script hook: do it now,except if
 		 * ISAKMP mode config was requested. In the later
 		 * case it is done when we receive the configuration.
 		 */
 		if ((iph1->status == PHASE1ST_ESTABLISHED) &&
-		    !iph1->rmconf->mode_cfg) { 
+		    !iph1->rmconf->mode_cfg) {
 			switch (iph1->approval->authmethod) {
 #ifdef ENABLE_HYBRID
 			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
@@ -1004,7 +1004,7 @@
 	/* free resend buffer */
 	if (iph2->sendbuf == NULL) {
 		plog(LLV_ERROR, LOCATION, NULL,
-			"no buffer found as sendbuf\n"); 
+			"no buffer found as sendbuf\n");
 		return -1;
 	}
 	VPTRINIT(iph2->sendbuf);
@@ -1754,23 +1754,23 @@
 		extralen = 0;
 
 #ifdef ENABLE_FRAG
-	/* 
+	/*
 	 * Do not add the non ESP marker for a packet that will
-	 * be fragmented. The non ESP marker should appear in 
+	 * be fragmented. The non ESP marker should appear in
 	 * all fragment's packets, but not in the fragmented packet
 	 */
-	if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) 
+	if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN)
 		extralen = 0;
 #endif
 	if (extralen)
 		plog (LLV_DEBUG, LOCATION, NULL, "Adding NON-ESP marker\n");
 
-	/* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker) 
-	   must added just before the packet itself. For this we must 
+	/* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker)
+	   must added just before the packet itself. For this we must
 	   allocate a new buffer and release it at the end. */
 	if (extralen) {
 		if ((vbuf = vmalloc (sbuf->l + extralen)) == NULL) {
-			plog(LLV_ERROR, LOCATION, NULL, 
+			plog(LLV_ERROR, LOCATION, NULL,
 			    "vbuf allocation failed\n");
 			return -1;
 		}
@@ -1791,17 +1791,17 @@
 	if (s == -1)
 		return -1;
 
-	plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l, 
+	plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l,
 	      saddr2str_fromto("from %s to %s", iph1->local, iph1->remote));
 
 #ifdef ENABLE_FRAG
 	if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) {
 		if (isakmp_sendfrags(iph1, sbuf) == -1) {
-			plog(LLV_ERROR, LOCATION, NULL, 
+			plog(LLV_ERROR, LOCATION, NULL,
 			    "isakmp_sendfrags failed\n");
 			return -1;
 		}
-	} else 
+	} else
 #endif
 	{
 		len = sendfromto(s, sbuf->v, sbuf->l,
@@ -1812,7 +1812,7 @@
 			return -1;
 		}
 	}
-	
+
 	return 0;
 }
 
@@ -1959,7 +1959,7 @@
 	iph1->status = PHASE1ST_DYING;
 
 	/* Any fresh phase1s? */
-	new_iph1 = getph1(iph1->rmconf, iph1->local, iph1->remote, 1);
+	new_iph1 = getph1(iph1, iph1->local, iph1->remote, 1);
 	if (new_iph1 == NULL) {
 		LIST_FOREACH(p, &iph1->ph2tree, ph1bind) {
 			if (p->status != PHASE2ST_ESTABLISHED)
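Review bot: The flags argument on the replaced line is the literal `1`, while the same commit passes `GETPH1_F_ESTABLISHED` to the equivalent call later in this file; prefer `new_iph1 = getph1(iph1, iph1->local, iph1->remote, GETPH1_F_ESTABLISHED);` here and in the next hunk's `new_iph1 = getph1(iph1, iph1->local, iph1->remote, 1);`. handler.h in this commit defines GETPH1_F_ESTABLISHED as 0x0001, so behaviour is unchanged and only readability improves. The enclosing function starts before this hunk.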
@@ -2036,7 +2036,7 @@
 	char *src, *dst;
 
 	/* Migrate established phase2s. Any fresh phase1s? */
-	new_iph1 = getph1byaddr(iph1->local, iph1->remote, 1);
+	new_iph1 = getph1(iph1, iph1->local, iph1->remote, 1);
 	if (new_iph1 != NULL)
 		migrate_ph12(iph1, new_iph1);
 
@@ -2143,12 +2143,13 @@
  * if phase1 has been finished, begin phase2.
  */
 int
-isakmp_post_acquire(iph2)
+isakmp_post_acquire(iph2, iph1hint)
 	struct ph2handle *iph2;
+	struct ph1handle *iph1hint;
 {
 	struct remoteconf *rmconf;
 	struct ph1handle *iph1 = NULL;
-	
+
 	plog(LLV_DEBUG, LOCATION, NULL, "in post_acquire\n");
 
 	/* Search appropriate configuration with masking port. Note that
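Review bot: The header comment `if phase1 has been finished, begin phase2.` is not updated for the new iph1hint parameter, so a caller cannot tell what passing a non-NULL hint changes. Suggest adding `iph1hint: phase1 that negotiated the previous instance of this phase2, or NULL; when set, its rmconf is reused and it steers the getph1() lookup.` — both effects appear in the following hunks of this function. isakmp_post_acquire continues past this hunk.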
@@ -2159,12 +2160,17 @@
 	 * address of a mobile node (not a CoA provided by MIGRATE/KMADDRESS
 	 * as iph2->dst hint). This scenario would require additional changes,
 	 * so no need to bother yet. --arno */
-	rmconf = getrmconf(iph2->dst, GETRMCONF_F_NO_PASSIVE);
-	if (rmconf == NULL) {
-		plog(LLV_ERROR, LOCATION, NULL,
-			"no configuration found for %s.\n",
-			saddrwop2str(iph2->dst));
-		return -1;
+
+	if (iph1hint == NULL || iph1hint->rmconf == NULL) {
+		rmconf = getrmconf(iph2->dst, GETRMCONF_F_NO_PASSIVE);
+		if (rmconf == NULL) {
+			plog(LLV_ERROR, LOCATION, NULL,
+				"no configuration found for %s.\n",
+				saddrwop2str(iph2->dst));
+			return -1;
+		}
+	} else {
+		rmconf = iph1hint->rmconf;
 	}
 
 	/* if passive mode, ignore the acquire message */
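Review bot: When the hint path is taken, rmconf is copied from `iph1hint->rmconf` without any log line, whereas the lookup path reports its outcome through plog; a `plog(LLV_DEBUG, LOCATION, NULL, "using rmconf of hinted phase1\n");` in the else branch would make it visible which configuration a rekey ended up under. Whether `iph1hint->rmconf` is still a live configuration entry at rekey time (for instance after a configuration reload) is not checked here; if revalidation elsewhere guarantees it, a one-line comment saying so would help the next reader. isakmp_post_acquire continues outside the hunk.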
@@ -2181,7 +2187,7 @@
 	 * some cases, we should use the ISAKMP identity to search
 	 * matching ISAKMP.
 	 */
-	iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
+	iph1 = getph1(iph1hint, iph2->src, iph2->dst, 0);
 
 	/* no ISAKMP-SA found. */
 	if (iph1 == NULL) {
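Review bot: The context comment just above the replaced call (`some cases, we should use the ISAKMP identity to search matching ISAKMP.`) presents identity-based search as future work, but the new `getph1(iph1hint, iph2->src, iph2->dst, 0)` does exactly that whenever a hint is supplied, so the comment now reads as stale; reword it to say the identity match is performed through iph1hint when the caller provides one and remains open only for the NULL-hint case. The function continues outside the hunk.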
@@ -2978,7 +2984,7 @@
 		"ISAKMP-SA established %s-%s spi:%s\n",
 		src, dst,
 		isakmp_pindex(&iph1->index, 0));
-	
+
 	evt_phase1(iph1, EVT_PHASE1_UP, NULL);
 	if(!iph1->rmconf->mode_cfg)
 		evt_phase1(iph1, EVT_PHASE1_MODE_CFG, NULL);
@@ -3011,7 +3017,7 @@
 	return plist;
 }
 
-vchar_t * 
+vchar_t *
 isakmp_plist_set_all (struct payload_list **plist, struct ph1handle *iph1)
 {
 	struct payload_list *ptr = *plist, *first;
@@ -3022,7 +3028,7 @@
 	/* Seek to the first item.  */
 	while (ptr->prev) ptr = ptr->prev;
 	first = ptr;
-	
+
 	/* Compute the whole length.  */
 	while (ptr) {
 		tlen += ptr->payload->l + sizeof (struct isakmp_gen);
@@ -3064,7 +3070,7 @@
 }
 
 #ifdef ENABLE_FRAG
-int 
+int
 frag_handler(iph1, msg, remote, local)
 	struct ph1handle *iph1;
 	vchar_t *msg;
@@ -3075,7 +3081,7 @@
 
 	if (isakmp_frag_extract(iph1, msg) == 1) {
 		if ((newmsg = isakmp_frag_reassembly(iph1)) == NULL) {
-			plog(LLV_ERROR, LOCATION, remote, 
+			plog(LLV_ERROR, LOCATION, remote,
 			    "Packet reassembly failed\n");
 			return -1;
 		}
@@ -3212,7 +3218,7 @@
 	argv[1] = script_names[name];
 	argv[2] = NULL;
 
-	switch (fork()) { 
+	switch (fork()) {
 	case 0:
 		execve(argv[0], argv, envp);
 		plog(LLV_ERROR, LOCATION, NULL,
@@ -3227,7 +3233,7 @@
 		break;
 	default:
 		break;
-	}	
+	}
 	return 0;
 
 }
@@ -3253,7 +3259,7 @@
 	iph1->status = PHASE1ST_EXPIRED;
 
 	/* Check if we have another, still valid, phase1 SA. */
-	new_iph1 = getph1byaddr(iph1->local, iph1->remote, 1);
+	new_iph1 = getph1(iph1, iph1->local, iph1->remote, GETPH1_F_ESTABLISHED);
 
 	/*
 	 * Delete all orphaned or binded to the deleting ph1handle phase2 SAs.
@@ -3329,7 +3335,7 @@
 					ntohl(sa->sadb_sa_spi));
 			}else{
 
-				/* 
+				/*
 				 * If we have a new ph1, do not purge IPsec-SAs binded
 				 *  to a different ISAKMP-SA
 				 */
@@ -3341,7 +3347,7 @@
 				/* If the ph2handle is established, do not purge IPsec-SA */
 				if (iph2->status == PHASE2ST_ESTABLISHED ||
 					iph2->status == PHASE2ST_EXPIRED) {
-					
+
 					plog(LLV_INFO, LOCATION, NULL,
 						 "keeping IPsec-SA spi=%u - found valid ISAKMP-SA spi=%s.\n",
 						 ntohl(sa->sadb_sa_spi),
@@ -3352,7 +3358,7 @@
 			}
 		}
 
-		
+
 		pfkey_send_delete(lcconf->sock_pfkey,
 				  msg->sadb_msg_satype,
 				  IPSEC_MODE_ANY,
@@ -3383,7 +3389,7 @@
 	sched_schedule(&iph1->sce, 1, isakmp_ph1delete_stub);
 }
 
-void 
+void
 delete_spd(iph2, created)
 	struct ph2handle *iph2;
  	u_int64_t created;
@@ -3409,22 +3415,22 @@
 
 	plog(LLV_INFO, LOCATION, NULL,
 		 "generated policy, deleting it.\n");
-		
+
 	memset(&spidx, 0, sizeof(spidx));
 	iph2->spidx_gen = (caddr_t )&spidx;
-		
+
 	/* make inbound policy */
 	iph2->src = dst;
 	iph2->dst = src;
 	spidx.dir = IPSEC_DIR_INBOUND;
 	spidx.ul_proto = 0;
-		
-	/* 
+
+	/*
 	 * Note: code from get_proposal_r
 	 */
-		
+
 #define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type
-		
+
 	/*
 	 * make destination address in spidx from either ID payload
 	 * or phase 1 address into a address in spidx.
@@ -3440,48 +3446,48 @@
 									 &spidx.prefd, &spidx.ul_proto);
 		if (error)
 			goto purge;
-			
+
 #ifdef INET6
 		/*
 		 * get scopeid from the SA address.
 		 * note that the phase 1 source address is used as
-		 * a destination address to search for a inbound 
+		 * a destination address to search for a inbound
 		 * policy entry because rcoon is responder.
 		 */
 		if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
-			if ((error = 
+			if ((error =
 				 setscopeid((struct sockaddr *)&spidx.dst,
 							iph2->src)) != 0)
 				goto purge;
 		}
 #endif
-			
+
 		if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
 			|| _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR)
 			idi2type = _XIDT(iph2->id);
-			
+
 	} else {
-			
+
 		plog(LLV_DEBUG, LOCATION, NULL,
 			 "get a destination address of SP index "
 			 "from phase1 address "
 			 "due to no ID payloads found "
 			 "OR because ID type is not address.\n");
-			
+
 		/*
-		 * copy the SOURCE address of IKE into the 
-		 * DESTINATION address of the key to search the 
+		 * copy the SOURCE address of IKE into the
+		 * DESTINATION address of the key to search the
 		 * SPD because the direction of policy is inbound.
 		 */
 		memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src));
 		switch (spidx.dst.ss_family) {
 		case AF_INET:
-			spidx.prefd = 
+			spidx.prefd =
 				sizeof(struct in_addr) << 3;
 			break;
 #ifdef INET6
 		case AF_INET6:
-			spidx.prefd = 
+			spidx.prefd =
 				sizeof(struct in6_addr) << 3;
 			break;
 #endif
@@ -3490,7 +3496,7 @@
 			break;
 		}
 	}
-					
+
 	/* make source address in spidx */
 	if (iph2->id_p != NULL
 		&& (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR
@@ -3510,7 +3516,7 @@
 		 * for more detail, see above of this function.
 		 */
 		if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
-			error = 
+			error =
 				setscopeid((struct sockaddr *)&spidx.src,
 						   iph2->dst);
 			if (error)
@@ -3548,12 +3554,12 @@
 		memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst));
 		switch (spidx.src.ss_family) {
 		case AF_INET:
-			spidx.prefs = 
+			spidx.prefs =
 				sizeof(struct in_addr) << 3;
 			break;
 #ifdef INET6
 		case AF_INET6:
-			spidx.prefs = 
+			spidx.prefs =
 				sizeof(struct in6_addr) << 3;
 			break;
 #endif
@@ -3584,14 +3590,14 @@
 		spidx.ul_proto = IPSEC_ULPROTO_ANY;
 
 #undef _XIDT
-	
+
 	/* Check if the generated SPD has the same timestamp as the SA.
 	 * If timestamps are different, this means that the SPD entry has been
 	 * refreshed by another SA, and should NOT be deleted with the current SA.
 	 */
 	if( created ){
 		struct secpolicy *p;
-		
+
 		p = getsp(&spidx);
 		if(p != NULL){
 			/* just do no test if p is NULL, because this probably just means
@@ -3656,7 +3662,7 @@
 	struct sockaddr *sp_addr0, *sa_addr0;
 {
 	struct sockaddr_in6 *sp_addr, *sa_addr;
-    
+
 	sp_addr = (struct sockaddr_in6 *)sp_addr0;
 	sa_addr = (struct sockaddr_in6 *)sa_addr0;
 

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h:1.15 src/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h:1.16
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h:1.15	Mon Apr 20 13:24:36 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h	Thu Sep  3 09:29:07 2009
@@ -1,11 +1,11 @@
-/*	$NetBSD: isakmp_var.h,v 1.15 2009/04/20 13:24:36 tteras Exp $	*/
+/*	$NetBSD: isakmp_var.h,v 1.16 2009/09/03 09:29:07 tteras Exp $	*/
 
 /* Id: isakmp_var.h,v 1.12 2005/05/07 14:45:31 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -17,7 +17,7 @@
  * 3. Neither the name of the project nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -87,7 +87,7 @@
 extern void isakmp_ph2delete __P((struct ph2handle *));
 
 extern int isakmp_get_sainfo __P((struct ph2handle *, struct secpolicy *, struct secpolicy *));
-extern int isakmp_post_acquire __P((struct ph2handle *));
+extern int isakmp_post_acquire __P((struct ph2handle *, struct ph1handle *));
 extern int isakmp_post_getspi __P((struct ph2handle *));
 extern void isakmp_chkph1there_stub __P((struct sched *));
 extern void isakmp_chkph1there __P((struct ph2handle *));
@@ -131,7 +131,7 @@
 	struct remoteconf *, struct sockaddr *, struct sockaddr *));
 extern void log_ph1established __P((const struct ph1handle *));
 
-extern void script_hook __P((struct ph1handle *, int)); 
+extern void script_hook __P((struct ph1handle *, int));
 extern int script_env_append __P((char ***, int *, char *, char *));
 extern int script_exec __P((char *, int, char * const *));
 

Index: src/crypto/dist/ipsec-tools/src/racoon/pfkey.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.50 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.51
--- src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.50	Mon Aug 10 08:22:13 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/pfkey.c	Thu Sep  3 09:29:07 2009
@@ -1,11 +1,11 @@
-/*	$NetBSD: pfkey.c,v 1.50 2009/08/10 08:22:13 tteras Exp $	*/
+/*	$NetBSD: pfkey.c,v 1.51 2009/09/03 09:29:07 tteras Exp $	*/
 
-/* $Id: pfkey.c,v 1.50 2009/08/10 08:22:13 tteras Exp $ */
+/* $Id: pfkey.c,v 1.51 2009/09/03 09:29:07 tteras Exp $ */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -17,7 +17,7 @@
  * 3. Neither the name of the project nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -173,7 +173,7 @@
 
 /* cope with old kame headers - ugly */
 #ifndef SADB_X_AALG_MD5
-#define SADB_X_AALG_MD5		SADB_AALG_MD5	
+#define SADB_X_AALG_MD5		SADB_AALG_MD5
 #endif
 #ifndef SADB_X_AALG_SHA
 #define SADB_X_AALG_SHA		SADB_AALG_SHA
@@ -353,7 +353,7 @@
 			 "type %i, pid %i\n", msg->sadb_msg_type, msg->sadb_msg_pid);
 		    continue;
 		}
-		
+
 
 		ml = msg->sadb_msg_len << 3;
 		bl = buf ? buf->l : 0;
@@ -839,7 +839,7 @@
 			goto bad;
 		*a_keylen >>= 3;
 
-		if (t_id == IPSECDOI_ATTR_AUTH_HMAC_MD5 
+		if (t_id == IPSECDOI_ATTR_AUTH_HMAC_MD5
 		 && hashtype == IPSECDOI_ATTR_AUTH_KPDK) {
 			/* AH_MD5 + Auth(KPDK) = RFC1826 keyed-MD5 */
 			*a_type = SADB_X_AALG_MD5;
@@ -919,7 +919,7 @@
 		racoon_free(dst);
 		return -1;
 	}
-	
+
 	for (pr = pp->head; pr != NULL; pr = pr->next) {
 
 		/* validity check */
@@ -991,7 +991,7 @@
  * receive GETSPI from kernel.
  */
 static int
-pk_recvgetspi(mhp) 
+pk_recvgetspi(mhp)
 	caddr_t *mhp;
 {
 	struct sadb_msg *msg;
@@ -1111,7 +1111,7 @@
 		sa_args.l_addtime = iph2->lifetime_secs;
 	else
 		sa_args.l_addtime = iph2->approval->lifetime;
-	sa_args.seq = iph2->seq; 
+	sa_args.seq = iph2->seq;
 	sa_args.wsize = 4;
 
 	if (iph2->sa_src && iph2->sa_dst) {
@@ -1163,7 +1163,7 @@
 				pr->head->trns_id,
 				pr->head->authtype,
 				&sa_args.e_type, &sa_args.e_keylen,
-				&sa_args.a_type, &sa_args.a_keylen, 
+				&sa_args.a_type, &sa_args.a_keylen,
 				&sa_args.flags) < 0){
 			racoon_free(sa_args.src);
 			racoon_free(sa_args.dst);
@@ -1221,11 +1221,11 @@
 		 * But it is impossible because there is not key in the
 		 * information from the kernel.
 		 */
-		
+
 		/* change some things before backing up */
 		sa_args.wsize = 4;
 		sa_args.l_bytes = iph2->approval->lifebyte * 1024;
-		
+
 		if (backupsa_to_file(&sa_args) < 0) {
 			plog(LLV_ERROR, LOCATION, NULL,
 				"backuped SA failed: %s\n",
@@ -1447,7 +1447,7 @@
 				pr->head->trns_id,
 				pr->head->authtype,
 				&sa_args.e_type, &sa_args.e_keylen,
-				&sa_args.a_type, &sa_args.a_keylen, 
+				&sa_args.a_type, &sa_args.a_keylen,
 				&sa_args.flags) < 0){
 			racoon_free(sa_args.src);
 			racoon_free(sa_args.dst);
@@ -1668,11 +1668,12 @@
 		     " being negotiated. Stopping negotiation.\n");
 	}
 
-	/* turn off the timer for calling isakmp_ph2expire() */ 
+	/* turn off the timer for calling isakmp_ph2expire() */
 	sched_cancel(&iph2->sce);
 
 	if (iph2->status == PHASE2ST_ESTABLISHED &&
 	    iph2->side == INITIATOR) {
+		struct ph1handle *iph1hint;
 		/*
 		 * Active phase 2 expired and we were initiator.
 		 * Begin new phase 2 exchange, so we can keep on sending
@@ -1680,11 +1681,12 @@
 		 */
 
 		/* update status for re-use */
+		iph1hint = iph2->ph1;
 		initph2(iph2);
 		iph2->status = PHASE2ST_STATUS2;
 
 		/* start quick exchange */
-		if (isakmp_post_acquire(iph2) < 0) {
+		if (isakmp_post_acquire(iph2, iph1hint) < 0) {
 			plog(LLV_ERROR, LOCATION, iph2->dst,
 				"failed to begin ipsec sa "
 				"re-negotication.\n");
@@ -1750,7 +1752,7 @@
 	if (m_sec_ctx != NULL) {
 		plog(LLV_INFO, LOCATION, NULL, "security context doi: %u\n",
 		     m_sec_ctx->sadb_x_ctx_doi);
-		plog(LLV_INFO, LOCATION, NULL, 
+		plog(LLV_INFO, LOCATION, NULL,
 		     "security context algorithm: %u\n",
 		     m_sec_ctx->sadb_x_ctx_alg);
 		plog(LLV_INFO, LOCATION, NULL, "security context length: %u\n",
@@ -1960,7 +1962,7 @@
 
 	/* start isakmp initiation by using ident exchange */
 	/* XXX should be looped if there are multiple phase 2 handler. */
-	if (isakmp_post_acquire(iph2) < 0) {
+	if (isakmp_post_acquire(iph2, NULL) < 0) {
 		plog(LLV_ERROR, LOCATION, NULL,
 			"failed to begin ipsec sa negotication.\n");
 		remph2(iph2);
@@ -2145,7 +2147,7 @@
 		p->sadb_x_ctx_len = spidx->sec_ctx.ctx_strlen;
 		p->sadb_x_ctx_doi = spidx->sec_ctx.ctx_doi;
 		p->sadb_x_ctx_alg = spidx->sec_ctx.ctx_alg;
- 
+
 		memcpy(p + 1,spidx->sec_ctx.ctx_str,spidx->sec_ctx.ctx_strlen);
 		len += ctxlen;
 	}
@@ -2184,7 +2186,7 @@
 			goto err;
 		}
 
-		/* 
+		/*
 		 * the policy level cannot be unique because the policy
 		 * is defined later than SA, so req_id cannot be bound to SA.
 		 */
@@ -2217,7 +2219,7 @@
 
 		xisr->sadb_x_ipsecrequest_len = PFKEY_ALIGN8(xisrlen);
 		xisr = (struct sadb_x_ipsecrequest *)p;
-		
+
 	}
 	racoon_free(pr_rlist);
 
@@ -3070,6 +3072,8 @@
 			rmconf = getrmconf(iph2->dst, 0);
 
 		if (rmconf && !rmconf->passive) {
+			struct ph1handle *iph1hint;
+
 			plog(LLV_WARNING, LOCATION, iph2->dst, "MIGRATE received "
 			     "*during* IPsec SA negotiation. As initiator, "
 			     "restarting it.\n");
@@ -3079,11 +3083,12 @@
 			iph2->status = PHASE2ST_EXPIRED;
 
 			/* ... clean Phase 2 handle ... */
+			iph1hint = iph2->ph1;
 			initph2(iph2);
 			iph2->status = PHASE2ST_STATUS2;
 
 			/* and start a new negotiation */
-			if (isakmp_post_acquire(iph2) < 0) {
+			if (isakmp_post_acquire(iph2, iph1hint) < 0) {
 				plog(LLV_ERROR, LOCATION, iph2->dst, "failed "
 				     "to begin IPsec SA renegotiation after "
 				     "MIGRATE reception.\n");
