It may be too late to apply a revert. The code has diverged since my last e-mail, with 8b7a22dd82a836.
If you apply now, you may have to revert 8b7a22dd82a836 too. -antony On Wed, Dec 13, 2017 at 06:22:01PM +0100, Antony Antony wrote: > On Wed, Dec 13, 2017 at 11:47:03AM -0500, Paul Wouters wrote: > > On Wed, 13 Dec 2017, Antony Antony wrote: > > > > > I wonder why not revert the accident first? and comeback when you mean to. > > > that is my preference. Then there is a clear path, accident revert! > > > > Can you undo a merge commit atomically? the man page isn't looking > > promising: > > not automatically! not using single command either. However, creating a diff > and applying it soon after the accident seems easy to do. As there are more > commits on the top single patch may get harder. > > Here is one patch that revert everything that came through the merge. > A functional revert is easy, just one diff for the entire merge. > > A side effect is individual commits will not have a corresponding revert > and the future merge... you have create them again from the master. > > > And /usr/share/doc/git-1.8.3.1/howto/revert-a-faulty-merge.txt makes it > > look even less of a good idea to revert the merge? > > what do you think one patch idea? > > -antony > From b4afd19f13cf33bda929c8d33200c7975fb5d4a4 Mon Sep 17 00:00:00 2001 
> From: Antony Antony <[email protected]> > Date: Wed, 13 Dec 2017 18:05:02 +0100 > Subject: [PATCH] Reverts 2b7ad4446c350cd0245b3bbc73980a7a4ee6ef6e > > Merge branch 'ipsecme-split-dns' > --- > include/ietf_constants.h | 4 +- > include/ipsecconf/confread.h | 2 - > include/ipsecconf/keywords.h | 2 - > include/whack.h | 2 - > lib/libipsecconf/confread.c | 6 --- > lib/libipsecconf/keywords.c | 3 -- > lib/libipsecconf/starterwhack.c | 5 --- > lib/libswan/constants.c | 7 +--- > lib/libwhack/whacklib.c | 4 -- > programs/pluto/connections.c | 13 ------ > programs/pluto/connections.h | 2 - > programs/pluto/ikev2.h | 2 +- > programs/pluto/ikev2_child.c | 89 > +++++++++++------------------------------ > programs/pluto/ikev2_parent.c | 72 +++++---------------------------- > programs/pluto/state.h | 1 - > programs/whack/whack.c | 18 --------- > 16 files changed, 38 insertions(+), 194 deletions(-) > > diff --git a/include/ietf_constants.h b/include/ietf_constants.h > index 3979f09df..e6092e9aa 100644 > --- a/include/ietf_constants.h > +++ b/include/ietf_constants.h > @@ -1206,9 +1206,7 @@ enum ikev2_cp_attribute_type { > IKEv2_P_CSCF_IP6_ADDRESS = 21, > IKEv2_FTT_KAT = 22, > IKEv2_EXTERNAL_SOURCE_IP4_NAT_INFO = 23, > - IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK = 24, > - IKEv2_INTERNAL_DNS_DOMAIN = 25, > - /* IKEv2_INTERNAL_DNSSEC_TA = 26 expected */ > + IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK = 24 > }; > > > diff --git a/include/ipsecconf/confread.h b/include/ipsecconf/confread.h > index 049a5cecc..85d11c143 100644 > --- a/include/ipsecconf/confread.h > +++ b/include/ipsecconf/confread.h > @@ -109,8 +109,6 @@ struct starter_conn { > char *modecfg_dns2; > char *modecfg_domain; > char *modecfg_banner; > - char *internal_domain1; > - char *internal_domain2; > char *policy_label; > char *conn_mark_both; > char *conn_mark_in; > diff --git a/include/ipsecconf/keywords.h b/include/ipsecconf/keywords.h > index 99f44f055..758701aff 100644 > --- a/include/ipsecconf/keywords.h 
> +++ b/include/ipsecconf/keywords.h > @@ -196,8 +196,6 @@ enum keyword_string_conn_field { > KSCF_MODECFGDNS1, > KSCF_MODECFGDNS2, > KSCF_MODECFGDOMAIN, > - KSCF_INTERNALDOMAIN1, > - KSCF_INTERNALDOMAIN2, > KSCF_MODECFGBANNER, > KSCF_IKE, > KSCF_ESP, > diff --git a/include/whack.h b/include/whack.h > index c8eb98475..91c8fd244 100644 > --- a/include/whack.h > +++ b/include/whack.h > @@ -305,8 +305,6 @@ struct whack_message { > ip_address modecfg_dns2; > char *modecfg_domain; > char *modecfg_banner; > - char *internal_domain1; > - char *internal_domain2; > > char *conn_mark_both; > char *conn_mark_in; > diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c > index cd7bd5004..5527ea0c3 100644 > --- a/lib/libipsecconf/confread.c > +++ b/lib/libipsecconf/confread.c > @@ -1238,8 +1238,6 @@ static bool load_conn( > str_to_conn(modecfg_dns1, KSCF_MODECFGDNS1); > str_to_conn(modecfg_dns2, KSCF_MODECFGDNS2); > str_to_conn(modecfg_domain, KSCF_MODECFGDOMAIN); > - str_to_conn(internal_domain1, KSCF_INTERNALDOMAIN1); > - str_to_conn(internal_domain2, KSCF_INTERNALDOMAIN2); > str_to_conn(modecfg_banner, KSCF_MODECFGBANNER); > > str_to_conn(conn_mark_both, KSCF_CONN_MARK_BOTH); > @@ -1411,8 +1409,6 @@ static void conn_default(struct starter_conn *conn, > > conn->modecfg_dns1 = clone_str(def->modecfg_dns1, "conn default dns1"); > conn->modecfg_dns2 = clone_str(def->modecfg_dns2, "conn default dns2"); > - conn->internal_domain1 = clone_str(def->internal_domain1, "conn default > internal-domain1"); > - conn->internal_domain2 = clone_str(def->internal_domain2, "conn default > internal-domain2"); > conn->modecfg_domain = clone_str(def->modecfg_domain, "conn default > domain"); > conn->modecfg_banner = clone_str(def->modecfg_banner, "conn default > banner"); > conn->conn_mark_both = clone_str(def->conn_mark_both, "conn default > conn_mark_both"); 
> @@ -1570,8 +1566,6 @@ static void confread_free_conn(struct starter_conn > *conn) > > pfreeany(conn->modecfg_dns1); > pfreeany(conn->modecfg_dns2); > - pfreeany(conn->internal_domain1); > - pfreeany(conn->internal_domain2); > > pfreeany(conn->left.virt); > pfreeany(conn->right.virt); > diff --git a/lib/libipsecconf/keywords.c b/lib/libipsecconf/keywords.c > index a9cd32707..ff869f128 100644 > --- a/lib/libipsecconf/keywords.c > +++ b/lib/libipsecconf/keywords.c > @@ -587,9 +587,6 @@ const struct keyword_def ipsec_conf_keywords[] = { > { "modecfgdns1", kv_conn, kt_string, KSCF_MODECFGDNS1, NULL, NULL, }, > { "modecfgdns2", kv_conn, kt_string, KSCF_MODECFGDNS2, NULL, NULL, }, > > - { "internaldomain1", kv_conn, kt_string, KSCF_INTERNALDOMAIN1, NULL, > NULL }, > - { "internaldomain2", kv_conn, kt_string, KSCF_INTERNALDOMAIN2, NULL, > NULL }, > - > { "modecfgdomain", kv_conn, kt_string, KSCF_MODECFGDOMAIN, NULL, NULL, > }, > { "modecfgbanner", kv_conn, kt_string, KSCF_MODECFGBANNER, NULL, NULL, > }, > { "mark", kv_conn, kt_string, KSCF_CONN_MARK_BOTH, NULL, NULL, }, > diff --git a/lib/libipsecconf/starterwhack.c b/lib/libipsecconf/starterwhack.c > index d019a63da..5fd002eff 100644 > --- a/lib/libipsecconf/starterwhack.c > +++ b/lib/libipsecconf/starterwhack.c > @@ -672,9 +672,6 @@ static int starter_whack_basic_add_conn(struct > starter_config *cfg, > starter_log(LOG_LEVEL_DEBUG, "conn: \"%s\" modecfgbanner=%s", > conn->name, msg.modecfg_banner); > > - msg.internal_domain1 = conn->internal_domain1; > - msg.internal_domain2 = conn->internal_domain2; > - > msg.conn_mark_both = conn->conn_mark_both; > starter_log(LOG_LEVEL_DEBUG, "conn: \"%s\" mark=%s", > conn->name, msg.conn_mark_both); 
> @@ -715,8 +712,6 @@ static int starter_whack_basic_add_conn(struct > starter_config *cfg, > "Ignoring modecfgdns2= entry, it is not a valid > IPv4 or IPv6 address"); > } > > - /* add sanity check for internal_dns / internal_domain */ > - > set_whack_end("left", &msg.left, &conn->left); > set_whack_end("right", &msg.right, &conn->right); > > diff --git a/lib/libswan/constants.c b/lib/libswan/constants.c > index d98979b7b..118bdcae4 100644 > --- a/lib/libswan/constants.c > +++ b/lib/libswan/constants.c > @@ -1362,15 +1362,12 @@ static const char *const > ikev2_cp_attribute_type_name[] = { > "IKEv2_P_CSCF_IP6_ADDRESS", > "IKEv2_FTT_KAT", > "IKEv2_EXTERNAL_SOURCE_IP4_NAT_INFO", /* 3gpp */ > - "IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK", /* 3gpp */ > - "IKEv2_INTERNAL_DNS_DOMAIN", /* draft-pauly-ipsecme-split-dns-01 */ > - /* "IKEv2_INTERNAL_DNSSEC_TA", expected > draft-pauly-ipsecme-split-dns-01 */ > + "IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK" /* 3gpp */ > }; > > enum_names ikev2_cp_attribute_type_names = { > IKEv2_CP_ATTR_RESERVED, > - /* IKEv2_INTERNAL_DNSSEC_TA, */ > - IKEv2_INTERNAL_DNS_DOMAIN, > + IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK, > ARRAY_REF(ikev2_cp_attribute_type_name), > NULL, /* prefix */ > NULL > diff --git a/lib/libwhack/whacklib.c b/lib/libwhack/whacklib.c > index 1974772ca..70205afe4 100644 > --- a/lib/libwhack/whacklib.c > +++ b/lib/libwhack/whacklib.c > @@ -134,8 +134,6 @@ err_t pack_whack_msg(struct whackpacker *wp) > !pack_str(wp, &wp->msg->conn_mark_in) || /* string 31 */ > !pack_str(wp, &wp->msg->conn_mark_out) || /* string 32 */ > !pack_str(wp, &wp->msg->vti_iface) || /* string 33 */ > - !pack_str(wp, &wp->msg->internal_domain1) || > /* string 34 */ > - !pack_str(wp, &wp->msg->internal_domain2) || > /* string 35 */ > !pack_str(wp, &wp->msg->remote_host) || /* string 33 */ > wp->str_roof - wp->str_next < (ptrdiff_t)wp->msg->keyval.len) > /* key */ > { 
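Review bot: The position comment on the `remote_host` line in pack_whack_msg reads `/* string 33 */`, the same number as the `vti_iface` line directly above it, so the counter that documents the string order is off by one once the two internal_domain lines are gone. I would renumber it to `/* string 34 */`; the matching line in the unpack_whack_msg hunk carries the same duplicate. pack and unpack have to walk the strings in the same order, and these counters are the only aid on the page for checking that by eye. Both functions start and end outside their hunks.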
> @@ -204,8 +202,6 @@ err_t unpack_whack_msg(struct whackpacker *wp) > !unpack_str(wp, &wp->msg->conn_mark_in) || /* string 31 */ > !unpack_str(wp, &wp->msg->conn_mark_out) || /* string 32 */ > !unpack_str(wp, &wp->msg->vti_iface) || /* string 33 */ > - !unpack_str(wp, &wp->msg->internal_domain1) || /* string 34 */ > - !unpack_str(wp, &wp->msg->internal_domain2) || /* string 35 */ > !unpack_str(wp, &wp->msg->remote_host) || /* string 33 */ > wp->str_roof - wp->str_next != (ptrdiff_t)wp->msg->keyval.len) > { > diff --git a/programs/pluto/connections.c b/programs/pluto/connections.c > index 6d8e6fa4f..e0d8d798c 100644 > --- a/programs/pluto/connections.c > +++ b/programs/pluto/connections.c > @@ -790,10 +790,6 @@ static void unshare_connection(struct connection *c) > "connection cisco_dns_info"); > c->modecfg_domain = clone_str(c->modecfg_domain, > "connection modecfg_domain"); > - c->internal_domain1 = clone_str(c->internal_domain1, > - "connection internal domain1"); > - c->internal_domain2 = clone_str(c->internal_domain2, > - "connection internal domain1"); > c->modecfg_banner = clone_str(c->modecfg_banner, > "connection modecfg_banner"); > #ifdef HAVE_LABELED_IPSEC > @@ -1666,8 +1662,6 @@ void add_connection(const struct whack_message *wm) > > c->modecfg_dns1 = wm->modecfg_dns1; > c->modecfg_dns2 = wm->modecfg_dns2; > - c->internal_domain1 = wm->internal_domain1; > - c->internal_domain2 = wm->internal_domain2; > c->modecfg_domain = wm->modecfg_domain; > c->modecfg_banner = wm->modecfg_banner; > > @@ -4046,13 +4040,6 @@ static void show_one_sr(const struct connection *c, > > #undef COMBO > > - whack_log(RC_COMMENT, > - "\"%s\"%s: internal domain1:%s, domain2:%s;", > - c->name, instance, > - c->internal_domain1, > - c->internal_domain2 > - ); > - > if (c->modecfg_banner != NULL) { > whack_log(RC_COMMENT, "\"%s\"%s: banner:%s;", > c->name, instance, c->modecfg_banner); 
> diff --git a/programs/pluto/connections.h b/programs/pluto/connections.h > index 1b75ec3f3..88aa5a2c0 100644 > --- a/programs/pluto/connections.h > +++ b/programs/pluto/connections.h > @@ -332,8 +332,6 @@ struct connection { > char *cisco_dns_info; /* scratchpad for writing IP addresses */ > char *modecfg_domain; > char *modecfg_banner; > - char *internal_domain1; > - char *internal_domain2; > > u_int8_t metric; /* metric for tunnel routes */ > u_int16_t connmtu; /* mtu for tunnel routes */ > diff --git a/programs/pluto/ikev2.h b/programs/pluto/ikev2.h > index 489123841..2961593c8 100644 > --- a/programs/pluto/ikev2.h > +++ b/programs/pluto/ikev2.h > @@ -248,7 +248,7 @@ extern bool ship_v2N(enum next_payload_types_ikev2 np, > extern deltatime_t ikev2_replace_delay(struct state *st, enum event_type > *pkind, > enum original_role role); > > -stf_status ikev2_send_cp(struct state *st, enum next_payload_types_ikev2 np, > +stf_status ikev2_send_cp(struct connection *c, enum next_payload_types_ikev2 > np, > pb_stream *outpbs); > > bool ikev2_parse_cp_r_body(struct payload_digest *cp_pd, struct state *st); > diff --git a/programs/pluto/ikev2_child.c b/programs/pluto/ikev2_child.c > index 8b994c901..6934cae70 100644 > --- a/programs/pluto/ikev2_child.c > +++ b/programs/pluto/ikev2_child.c > @@ -1002,7 +1002,7 @@ stf_status ikev2_child_sa_respond(struct msg_digest *md, > if (c->spd.that.has_lease && > md->chain[ISAKMP_NEXT_v2CP] != NULL && > cst->st_state != STATE_V2_REKEY_IKE_R) { > - ikev2_send_cp(pst, ISAKMP_NEXT_v2SA, outpbs); > + ikev2_send_cp(c, ISAKMP_NEXT_v2SA, outpbs); > } else if (md->chain[ISAKMP_NEXT_v2CP] != NULL) { > DBG(DBG_CONTROL, DBG_log("#%lu %s ignoring unexpected v2CP > payload", > cst->st_serialno, 
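Review bot: The restored call `ikev2_send_cp(c, ISAKMP_NEXT_v2SA, outpbs);` in ikev2_child_sa_respond discards the stf_status result, whereas the ikev2_parent_inR1outI2_tail call site later in this patch stores it in `cpstat` and tests `cpstat != STF_OK`. A failure to emit the CP payload would go unnoticed here and the reply would continue to be built; I would write `stf_status cpstat = ikev2_send_cp(c, ISAKMP_NEXT_v2SA, outpbs);` followed by `if (cpstat != STF_OK) return cpstat;`. The same applies inside ikev2_send_cp itself (the programs/pluto/ikev2_parent.c hunks), where each `ikev2_ship_cp_attr_ip4(...)` result is dropped and the function returns STF_OK regardless. ikev2_child_sa_respond starts and ends outside this hunk.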
> @@ -1182,17 +1182,15 @@ stf_status ikev2_child_sa_respond(struct msg_digest > *md, > return STF_OK; > } > > -static bool ikev2_set_dns(pb_stream *cp_a_pbs, struct state *st, int af) > +static bool ikev2_set_dns(pb_stream *cp_a_pbs, struct state *st) > { > ip_address ip; > char ip_str[ADDRTOT_BUF]; > struct connection *c = st->st_connection; > - err_t ugh = initaddr(cp_a_pbs->cur, pbs_left(cp_a_pbs), af, &ip); > - bool responder = (st->st_state != STATE_PARENT_I2); > + err_t ugh = initaddr(cp_a_pbs->cur, pbs_left(cp_a_pbs), AF_INET, &ip); > > - if ((ugh != NULL && st->st_state == STATE_PARENT_I2)) { > - libreswan_log("ERROR INTERNAL_IP%s_DNS malformed: %s", > - af == AF_INET ? "4" : "6", ugh); > + if (ugh != NULL) { > + libreswan_log("ERROR INTERNAL_IP4_DNS malformed: %s", ugh); > return FALSE; > } > > @@ -1206,15 +1204,6 @@ static bool ikev2_set_dns(pb_stream *cp_a_pbs, struct > state *st, int af) > libreswan_log("received INTERNAL_IP4_DNS %s", > ip_str); > > - if (c->policy & POLICY_OPPORTUNISTIC) { > - libreswan_log("ignored INTERNAL_IP4_DNS CP payload for > Opportunistic IPsec"); > - return TRUE; > - } > - if (responder) { > - libreswan_log("responder INTERNAL_IP4_DNS CP ignored"); > - return TRUE; > - } > - > char *old = c->cisco_dns_info; > > if (old == NULL) { 
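Review bot: With the `POLICY_OPPORTUNISTIC` check reverted, ikev2_set_dns goes straight from logging the received INTERNAL_IP4_DNS value to updating `c->cisco_dns_info`, so a resolver address supplied by the peer is recorded for every connection type. That guard reads as a trust decision rather than split-DNS functionality, although whether it arrived with the merged branch only by accident cannot be told from this page. I would keep it through the revert: `if (c->policy & POLICY_OPPORTUNISTIC) { libreswan_log("ignored INTERNAL_IP4_DNS CP payload for Opportunistic IPsec"); return TRUE; }`. What consumes `cisco_dns_info` afterwards is outside the hunk, so the effect on the host's resolver configuration should be confirmed before merging. The function body continues past this hunk.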
> @@ -1238,30 +1227,27 @@ static bool ikev2_set_dns(pb_stream *cp_a_pbs, struct > state *st, int af) > return TRUE; > } > > -static bool ikev2_set_ia(pb_stream *cp_a_pbs, struct state *st, int af) > +static bool ikev2_set_ia(pb_stream *cp_a_pbs, struct state *st) > { > ip_address ip; > ipstr_buf ip_str; > struct connection *c = st->st_connection; > - err_t ugh = initaddr(cp_a_pbs->cur, pbs_left(cp_a_pbs), af, &ip); > - bool responder = st->st_state != STATE_PARENT_I2; > + err_t ugh = initaddr(cp_a_pbs->cur, pbs_left(cp_a_pbs), AF_INET, &ip); > > - if ((ugh != NULL && st->st_state == STATE_PARENT_I2) || isanyaddr(&ip)) > { > - libreswan_log("ERROR INTERNAL_IP%s_ADDRESS malformed: %s", > - af == AF_INET ? "4" : "6", > - ugh == NULL ? ipstr(&ip, &ip_str) : ugh); > + if (ugh != NULL) { > + libreswan_log("ERROR INTERNAL_IP4_ADDRESS malformed: %s", ugh); > return FALSE; > } > > - libreswan_log("received INTERNAL_IP%s_ADDRESS %s", > - af == AF_INET ? "4" : "6", > - ipstr(&ip, &ip_str)); > - > - if (responder) { > - libreswan_log("responder CP ignored"); > - return TRUE; > + if (isanyaddr(&ip)) { > + libreswan_log("ERROR INTERNAL_IP4_ADDRESS %s is invalid", > + ipstr(&ip, &ip_str)); > + return FALSE; > } > > + libreswan_log("received INTERNAL_IP4_ADDRESS %s", > + ipstr(&ip, &ip_str)); > + > c->spd.this.has_client = TRUE; > c->spd.this.has_internal_address = TRUE; 
> > @@ -1271,16 +1257,12 @@ static bool ikev2_set_ia(pb_stream *cp_a_pbs, struct > state *st, int af) > if (sameaddr(&c->spd.this.client.addr, &ip)) { > /* The address we received is same as this side > * should we also check the host_srcip */ > - DBG(DBG_CONTROL, DBG_log("#%lu %s[%lu] received > NTERNAL_IP%s_ADDRESS which is same as this.client.addr %s. Will not add CAT > iptable rules", > + DBG(DBG_CONTROL, DBG_log("#%lu %s[%lu] received > NTERNAL_IP4_ADDRESS which is same as this.client.addr %s. Will not add CAT > iptable rules", > st->st_serialno, c->name, c->instance_serial, > - af == AF_INET ? "4" : "6", > ipstr(&ip, &ip_str))); > } else { > c->spd.this.client.addr = ip; > - if (af == AF_INET) > - c->spd.this.client.maskbits = 32; > - else > - c->spd.this.client.maskbits = 128; > + c->spd.this.client.maskbits = 32; > st->st_ts_this = ikev2_end_to_ts(&c->spd.this); > c->spd.this.has_cat = TRUE; /* create iptable entry */ > } > @@ -1308,17 +1290,11 @@ bool ikev2_parse_cp_r_body(struct payload_digest > *cp_pd, struct state *st) > DBG(DBG_CONTROLMORE, DBG_log("#%lu %s[%lu] parsing ISAKMP_NEXT_v2CP > payload", > st->st_serialno, c->name, c->instance_serial)); > > - if (st->st_state == STATE_PARENT_I2 && cp->isacp_type != > IKEv2_CP_CFG_REPLY) { > + if (cp->isacp_type != IKEv2_CP_CFG_REPLY) { > loglog(RC_LOG_SERIOUS, "ERROR expected IKEv2_CP_CFG_REPLY got a > %s", > enum_name(&ikev2_cp_type_names,cp->isacp_type)); > return FALSE; > } > - if (st->st_state == STATE_PARENT_R1 && cp->isacp_type != > IKEv2_CP_CFG_REQUEST) { > - libreswan_log("ERROR expected IKEv2_CP_CFG_REQUEST got a %s", > - enum_name(&ikev2_cp_type_names,cp->isacp_type)); > - return FALSE; > - } > - > while (pbs_left(attrs) > 0) { > struct ikev2_cp_attribute cp_a; > pb_stream cp_a_pbs; 
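Review bot: The debug string in ikev2_set_ia reads `NTERNAL_IP4_ADDRESS`, missing the leading `I`; the revert rewrites this line anyway, so it is a cheap place to correct it to `INTERNAL_IP4_ADDRESS`. Anyone searching logs for the attribute name will otherwise miss the message that explains why no CAT iptables rule was added. The function starts and ends outside this hunk.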
> @@ -1330,38 +1306,19 @@ bool ikev2_parse_cp_r_body(struct payload_digest > *cp_pd, struct state *st) > } > > switch (cp_a.type) { > - case IKEv2_INTERNAL_IP4_ADDRESS | ISAKMP_ATTR_AF_TLV: > - if (!ikev2_set_ia(&cp_a_pbs, st, AF_INET)) { > + case INTERNAL_IP4_ADDRESS | ISAKMP_ATTR_AF_TLV: > + if (!ikev2_set_ia(&cp_a_pbs, st)) { > loglog(RC_LOG_SERIOUS, "ERROR malformed > INTERNAL_IP4_ADDRESS attribute"); > return FALSE; > } > break; > > - case IKEv2_INTERNAL_IP4_DNS | ISAKMP_ATTR_AF_TLV: > - if (!ikev2_set_dns(&cp_a_pbs, st, AF_INET)) { > + case INTERNAL_IP4_DNS | ISAKMP_ATTR_AF_TLV: > + if (!ikev2_set_dns(&cp_a_pbs, st)) { > loglog(RC_LOG_SERIOUS, "ERROR malformed > INTERNAL_IP4_DNS attribute"); > return FALSE; > } > break; > - > - case IKEv2_INTERNAL_IP6_ADDRESS | ISAKMP_ATTR_AF_TLV: > - if (!ikev2_set_ia(&cp_a_pbs, st, AF_INET6)) { > - loglog(RC_LOG_SERIOUS, "ERROR malformed > INTERNAL_IP6_ADDRESS attribute"); > - return FALSE; > - } > - break; > - > - case IKEv2_INTERNAL_IP6_DNS | ISAKMP_ATTR_AF_TLV: > - if (!ikev2_set_dns(&cp_a_pbs, st, AF_INET6)) { > - loglog(RC_LOG_SERIOUS, "ERROR malformed > INTERNAL_IP6_DNS attribute"); > - return FALSE; > - } > - break; > - case IKEv2_INTERNAL_DNS_DOMAIN | ISAKMP_ATTR_AF_TLV: > - /* ignore their values for now - just note support */ > - libreswan_log("received INTERNAL_DNS_DOMAIN (content > ignored)"); > - st->st_seen_internal_domain = TRUE; > - break; > default: > libreswan_log("unknown attribute %s length %u", > enum_name(&ikev2_cp_attribute_type_names, > diff --git a/programs/pluto/ikev2_parent.c b/programs/pluto/ikev2_parent.c > index d5da8e904..d9031bf5e 100644 > --- a/programs/pluto/ikev2_parent.c > +++ b/programs/pluto/ikev2_parent.c 
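Review bot: The `default:` branch in ikev2_parse_cp_r_body prints the result of `enum_name(&ikev2_cp_attribute_type_names, ...)` through `%s`, and after this patch the name table in lib/libswan/constants.c ends at IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK, so a peer that still sends attribute type 25 reaches this log call with a value outside the table. If enum_name returns NULL for values it has no name for (its definition is not on this page, and the call's arguments are cut off by the hunk), that hands NULL to `%s`. I would bind the result to a local and log `name == NULL ? "(unknown)" : name`, or print the numeric type alongside it. Separately, the case labels now use `INTERNAL_IP4_ADDRESS` and `INTERNAL_IP4_DNS` while ikev2_send_cp in this same patch uses the `IKEv2_`-prefixed names; one spelling throughout the IKEv2 code would be easier to audit.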
> @@ -2639,37 +2639,11 @@ static stf_status ikev2_ship_cp_attr_ip4(u_int16_t > type, ip_address *ip4, > return STF_OK; > } > > -static stf_status ikev2_ship_cp_attr_str(u_int16_t type, char *str, > - const char *story, pb_stream *outpbs) > -{ > - struct ikev2_cp_attribute attr; > - pb_stream a_pbs; > - > - attr.type = type; > - if (str == NULL) > - attr.len = 0; > - else > - attr.len = strlen(str); > - > - if (!out_struct(&attr, &ikev2_cp_attribute_desc, outpbs, > - &a_pbs)) > - return STF_INTERNAL_ERROR; > - > - if (attr.len > 0) { > - if (!out_raw(str, attr.len, &a_pbs, story)) > - return STF_INTERNAL_ERROR; > - } > - > - close_output_pbs(&a_pbs); > - return STF_OK; > -} > - > -stf_status ikev2_send_cp(struct state *st, enum next_payload_types_ikev2 np, > +stf_status ikev2_send_cp(struct connection *c, enum next_payload_types_ikev2 > np, > pb_stream *outpbs) > { > struct ikev2_cp cp; > pb_stream cp_pbs; > - struct connection *c = st->st_connection; > bool cfg_reply = c->spd.that.has_lease; > > DBG(DBG_CONTROLMORE, DBG_log("Send Configuration Payload %s ", > @@ -2682,11 +2656,11 @@ stf_status ikev2_send_cp(struct state *st, enum > next_payload_types_ikev2 np, > if (!out_struct(&cp, &ikev2_cp_desc, outpbs, &cp_pbs)) > return STF_INTERNAL_ERROR; > > - if (cfg_reply) { > - ikev2_ship_cp_attr_ip4(IKEv2_INTERNAL_IP4_ADDRESS, > - &c->spd.that.client.addr, > + ikev2_ship_cp_attr_ip4(IKEv2_INTERNAL_IP4_ADDRESS, > + cfg_reply ? &c->spd.that.client.addr : NULL, > "IPV4 Address", &cp_pbs); > > + if (cfg_reply) { > if (!isanyaddr(&c->modecfg_dns1)) { > ikev2_ship_cp_attr_ip4(IKEv2_INTERNAL_IP4_DNS, > &c->modecfg_dns1, > "DNS 1", &cp_pbs); 
> @@ -2696,19 +2670,9 @@ stf_status ikev2_send_cp(struct state *st, enum > next_payload_types_ikev2 np, > "DNS 2", &cp_pbs); > } > } else { > - ikev2_ship_cp_attr_ip4(IKEv2_INTERNAL_IP4_ADDRESS, > - NULL, "IPV4 Address", &cp_pbs); > ikev2_ship_cp_attr_ip4(IKEv2_INTERNAL_IP4_DNS, NULL, "DNS", > &cp_pbs); > } > > - if (st->st_seen_internal_domain) { > - /* configured means sent by server or requested limitation by > client */ > - ikev2_ship_cp_attr_str(IKEv2_INTERNAL_DNS_DOMAIN, > c->internal_domain1, > - "INTERNAL DOMAIN 1", &cp_pbs); > - ikev2_ship_cp_attr_str(IKEv2_INTERNAL_DNS_DOMAIN, > c->internal_domain2, > - "INTERNAL DOMAIN 2", &cp_pbs); > - } > - > close_output_pbs(&cp_pbs); > > return STF_OK; > @@ -2985,16 +2949,18 @@ static stf_status ikev2_record_fragments(struct > msg_digest *md, > static int ikev2_np_cp_or_sa(struct connection *const pc, int np, const > lset_t > st_nat_traversal) > { > + int rnp = np; > + > if (pc->spd.this.modecfg_client) { > if (pc->spd.this.cat) { > if (LHAS(st_nat_traversal, NATED_HOST)) { > - return ISAKMP_NEXT_v2CP; > + rnp = ISAKMP_NEXT_v2CP; > } > } else { > - return ISAKMP_NEXT_v2CP; > + rnp = ISAKMP_NEXT_v2CP; > } > } > - return np; > + return rnp; > } > > static stf_status ikev2_parent_inR1outI2_tail( > @@ -3238,7 +3204,7 @@ static stf_status ikev2_parent_inR1outI2_tail( > } > > if (send_cp_r == ISAKMP_NEXT_v2CP) { > - stf_status cpstat = ikev2_send_cp(pst, ISAKMP_NEXT_v2SA, > + stf_status cpstat = ikev2_send_cp(pc, ISAKMP_NEXT_v2SA, > &e_pbs_cipher); > > if (cpstat != STF_OK) > @@ -3322,7 +3288,7 @@ static stf_status ikev2_parent_inR1outI2_tail( > } > > if (cc->send_no_esp_tfc) { > - if (!ship_v2N( (cc->internal_domain1 != NULL) ? > ISAKMP_NEXT_v2CP : ISAKMP_NEXT_v2NONE, > + if (!ship_v2N(ISAKMP_NEXT_v2NONE, > ISAKMP_PAYLOAD_NONCRITICAL, > PROTO_v2_RESERVED, > &empty_chunk, 
> @@ -3330,14 +3296,6 @@ static stf_status ikev2_parent_inR1outI2_tail( > &e_pbs_cipher)) > return STF_INTERNAL_ERROR; > } > - > - > - /* send CP payload */ > - if (cc->internal_domain1 != NULL) { > - ikev2_send_cp(pst, ISAKMP_NEXT_v2NONE, &e_pbs_cipher); > - } > - > - > } > > const unsigned int len = pbs_offset(&e_pbs_cipher); > @@ -3601,14 +3559,6 @@ stf_status ikev2_parent_inI2outR2_id_tail(struct > msg_digest *md) > ikev2_decode_cr(md); > } > > - /* process CP payloads */ > - if (md->chain[ISAKMP_NEXT_v2CP] != NULL) { > - if (!ikev2_parse_cp_r_body(md->chain[ISAKMP_NEXT_v2CP], st)) > - { > - return STF_FAIL + v2N_NO_PROPOSAL_CHOSEN; > - } > - } > - > /* process AUTH payload */ > > enum keyword_authby that_authby = st->st_connection->spd.that.authby; > diff --git a/programs/pluto/state.h b/programs/pluto/state.h > index ca8fcbbb5..0a6330feb 100644 > --- a/programs/pluto/state.h > +++ b/programs/pluto/state.h > @@ -569,7 +569,6 @@ struct state { > bool st_seen_fragments; /* did we receive ike fragments > from peer, if so use them in return as well */ > bool st_seen_no_tfc; /* did we receive > ESP_TFC_PADDING_NOT_SUPPORTED */ > bool st_seen_use_transport; /* did we receive > USE_TRANSPORT_MODE */ > - bool st_seen_internal_domain; /* did we receive CP > IKEv2_INTERNAL_DNS_DOMAIN */ > generalName_t *st_requested_ca; /* collected certificate > requests */ > u_int8_t st_reply_xchg; > }; > diff --git a/programs/whack/whack.c b/programs/whack/whack.c > index 8171527aa..a547af0b6 100644 > --- a/programs/whack/whack.c > +++ b/programs/whack/whack.c > @@ -123,8 +123,6 @@ static void help(void) > " [--addresspool <network range>] \\\n" > " [--modecfgdns1 <ip-address>] [--modecfgdns2 > <ip-address>] \\\n" > " [--modecfgdomain <dns-domain>] \\\n" > - " [--internaldomain1 <dns-domain>] \\\n" > - " [--internaldomain2 <dns-domain>] \\\n" > " [--modecfgbanner <login banner>] \\\n" > " [--metric <metric>] \\\n" > " [--nflog-group <groupnum>] \\\n" 
> @@ -375,8 +373,6 @@ enum option_enums { > > CD_MODECFGDNS1, > CD_MODECFGDNS2, > - CD_INTERNALDOMAIN1, > - CD_INTERNALDOMAIN2, > CD_MODECFGDOMAIN, > CD_MODECFGBANNER, > CD_METRIC, > @@ -642,8 +638,6 @@ static const struct option long_opts[] = { > { "addresspool", required_argument, NULL, END_ADDRESSPOOL + OO }, > { "modecfgdns1", required_argument, NULL, CD_MODECFGDNS1 + OO }, > { "modecfgdns2", required_argument, NULL, CD_MODECFGDNS2 + OO }, > - { "internaldomain1", required_argument, NULL, CD_INTERNALDOMAIN1 + OO }, > - { "internaldomain2", required_argument, NULL, CD_INTERNALDOMAIN2 + OO }, > { "modecfgdomain", required_argument, NULL, CD_MODECFGDOMAIN + OO }, > { "modecfgbanner", required_argument, NULL, CD_MODECFGBANNER + OO }, > { "modeconfigserver", no_argument, NULL, END_MODECFGSERVER + OO }, > @@ -899,8 +893,6 @@ int main(int argc, char **argv) > msg.xauthfail = XAUTHFAIL_HARD; > msg.modecfg_domain = NULL; > msg.modecfg_banner = NULL; > - msg.internal_domain1 = NULL; > - msg.internal_domain2 = NULL; > > msg.nic_offload = nic_offload_auto; > msg.sa_ike_life_seconds = deltatime(IKE_SA_LIFETIME_DEFAULT); > @@ -1887,16 +1879,6 @@ int main(int argc, char **argv) > &msg.modecfg_dns2), optarg); > continue; > > - case CD_INTERNALDOMAIN1: /* --internaldomain1 */ > - msg.internal_domain1 = strdup(optarg); > - fprintf(stderr, "whack: --internaldomain1 %s", optarg); > - continue; > - > - case CD_INTERNALDOMAIN2: /* --internaldomain2 */ > - fprintf(stderr, "whack: --internaldomain2 %s", optarg); > - msg.internal_domain2 = strdup(optarg); > - continue; > - > case CD_MODECFGDOMAIN: /* --modecfgdomain */ > msg.modecfg_domain = strdup(optarg); > continue; > -- > 2.13.6 > _______________________________________________ Swan-dev mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan-dev
