[src/trunk]: src/crypto/dist/ipsec-tools/src/racoon When rekeying phase2 use ...
details: https://anonhg.NetBSD.org/src/rev/169199dafa90
branches: trunk
changeset: 747118:169199dafa90
user: tteras <tteras%NetBSD.org@localhost>
date: Thu Sep 03 09:29:07 2009 +0000
description:
When rekeying a phase 2, use the phase 1 that was used to negotiate that phase 2 as a hint
for selecting the phase 1 that rekeys the new phase 2.
diffstat:
crypto/dist/ipsec-tools/src/racoon/admin.c | 32 ++--
crypto/dist/ipsec-tools/src/racoon/handler.c | 56 +++++--
crypto/dist/ipsec-tools/src/racoon/handler.h | 12 +-
crypto/dist/ipsec-tools/src/racoon/isakmp.c | 162 ++++++++++++-----------
crypto/dist/ipsec-tools/src/racoon/isakmp_var.h | 10 +-
crypto/dist/ipsec-tools/src/racoon/pfkey.c | 51 ++++---
6 files changed, 176 insertions(+), 147 deletions(-)
diffs (truncated from 1139 to 300 lines):
diff -r 17f26738ab6a -r 169199dafa90 crypto/dist/ipsec-tools/src/racoon/admin.c
--- a/crypto/dist/ipsec-tools/src/racoon/admin.c Thu Sep 03 08:24:06 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/admin.c Thu Sep 03 09:29:07 2009 +0000
@@ -1,11 +1,11 @@
-/* $NetBSD: admin.c,v 1.31 2009/07/03 06:41:46 tteras Exp $ */
+/* $NetBSD: admin.c,v 1.32 2009/09/03 09:29:07 tteras Exp $ */
/* Id: admin.c,v 1.25 2006/04/06 14:31:04 manubsd Exp */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -17,7 +17,7 @@
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
- *
+ *
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -341,7 +341,7 @@
user[len] = 0;
found = purgeph1bylogin(user);
- plog(LLV_INFO, LOCATION, NULL,
+ plog(LLV_INFO, LOCATION, NULL,
"deleted %d SA for user \"%s\"\n", found, user);
break;
@@ -360,7 +360,7 @@
rem = racoon_strdup(saddrwop2str(dst));
STRDUP_FATAL(rem);
- plog(LLV_INFO, LOCATION, NULL,
+ plog(LLV_INFO, LOCATION, NULL,
"Flushing all SAs for peer %s\n", rem);
while ((iph1 = getph1bydstaddr(dst)) != NULL) {
@@ -373,7 +373,7 @@
racoon_free(loc);
}
-
+
racoon_free(rem);
break;
}
@@ -383,14 +383,14 @@
char *data;
acp = (struct admin_com_psk *)
- ((char *)com + sizeof(*com) +
+ ((char *)com + sizeof(*com) +
sizeof(struct admin_com_indexes));
idtype = acp->id_type;
if ((id = vmalloc(acp->id_len)) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
- "cannot allocate memory: %s\n",
+ "cannot allocate memory: %s\n",
strerror(errno));
break;
}
@@ -399,7 +399,7 @@
if ((key = vmalloc(acp->key_len)) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
- "cannot allocate memory: %s\n",
+ "cannot allocate memory: %s\n",
strerror(errno));
vfree(id);
id = NULL;
@@ -474,7 +474,7 @@
rmconf->xauth->pass = key;
}
#endif
-
+
plog(LLV_INFO, LOCATION, NULL,
"accept a request to establish IKE-SA: "
"%s\n", saddrwop2str(dst));
@@ -577,7 +577,7 @@
}
insph2(iph2);
- if (isakmp_post_acquire(iph2) < 0) {
+ if (isakmp_post_acquire(iph2, NULL) < 0) {
remph2(iph2);
delph2(iph2);
break;
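Review bot: The new NULL second argument to isakmp_post_acquire is unexplained at the call site; since this admin-initiated phase2 has no prior phase1 to carry over, a one-line comment would help readers, e.g. `/* no phase1 hint for admin-initiated SAs: match on addresses only */`. The parameter's meaning is defined in isakmp.c, which is outside this excerpt, so confirm the wording against that definition. The enclosing function starts and ends outside the hunk.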
@@ -710,17 +710,17 @@
}
if (chown(sunaddr.sun_path, adminsock_owner, adminsock_group) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "chown(%s, %d, %d): %s\n",
- sunaddr.sun_path, adminsock_owner,
+ plog(LLV_ERROR, LOCATION, NULL,
+ "chown(%s, %d, %d): %s\n",
+ sunaddr.sun_path, adminsock_owner,
adminsock_group, strerror(errno));
(void)close(lcconf->sock_admin);
return -1;
}
if (chmod(sunaddr.sun_path, adminsock_mode) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "chmod(%s, 0%03o): %s\n",
+ plog(LLV_ERROR, LOCATION, NULL,
+ "chmod(%s, 0%03o): %s\n",
sunaddr.sun_path, adminsock_mode, strerror(errno));
(void)close(lcconf->sock_admin);
return -1;
diff -r 17f26738ab6a -r 169199dafa90 crypto/dist/ipsec-tools/src/racoon/handler.c
--- a/crypto/dist/ipsec-tools/src/racoon/handler.c Thu Sep 03 08:24:06 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/handler.c Thu Sep 03 09:29:07 2009 +0000
@@ -1,11 +1,11 @@
-/* $NetBSD: handler.c,v 1.29 2009/07/03 06:41:46 tteras Exp $ */
+/* $NetBSD: handler.c,v 1.30 2009/09/03 09:29:07 tteras Exp $ */
/* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -17,7 +17,7 @@
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
- *
+ *
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -64,7 +64,7 @@
#include "evt.h"
#include "isakmp.h"
#ifdef ENABLE_HYBRID
-#include "isakmp_xauth.h"
+#include "isakmp_xauth.h"
#include "isakmp_cfg.h"
#endif
#include "isakmp_inf.h"
@@ -177,8 +177,8 @@
* with phase 2's destinaion.
*/
struct ph1handle *
-getph1(rmconf, local, remote, flags)
- struct remoteconf *rmconf;
+getph1(ph1hint, local, remote, flags)
+ struct ph1handle *ph1hint;
struct sockaddr *local, *remote;
int flags;
{
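Review bot: The new ph1hint parameter is undocumented; the header comment above getph1 (only its tail, "with phase 2's destinaion", is visible here) appears to describe the address-based lookup and should also say what the hint does. Based on the comparison added in the next hunk, something like `/* ph1hint: if non-NULL, skip candidates whose local or remote identity differs from this handle's (e.g. the phase1 that negotiated the phase2 being rekeyed); NULL disables the identity check. */` would cover it. getph1's body continues in the next hunk and ends outside it.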
@@ -202,11 +202,29 @@
continue;
}
- if (local != NULL && cmpsaddr(local, p->local) != 0)
+ if (local != NULL && cmpsaddr(local, p->local) == CMPSADDR_MISMATCH)
+ continue;
+
+ if (remote != NULL && cmpsaddr(remote, p->remote) == CMPSADDR_MISMATCH)
continue;
- if (remote != NULL && cmpsaddr(remote, p->remote) != 0)
- continue;
+ if (ph1hint != NULL) {
+ if (ph1hint->id && ph1hint->id->l && p->id && p->id->l &&
+ (ph1hint->id->l != p->id->l ||
+ memcmp(ph1hint->id->v, p->id->v, p->id->l) != 0)) {
+ plog(LLV_DEBUG2, LOCATION, NULL,
+ "local identity does match hint\n");
+ continue;
+ }
+ if (ph1hint->id_p && ph1hint->id_p->l &&
+ p->id_p && p->id_p->l &&
+ (ph1hint->id_p->l != p->id_p->l ||
+ memcmp(ph1hint->id_p->v, p->id_p->v, p->id_p->l) != 0)) {
+ plog(LLV_DEBUG2, LOCATION, NULL,
+ "remote identity does match hint\n");
+ continue;
+ }
+ }
plog(LLV_DEBUG2, LOCATION, NULL, "matched\n");
return p;
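Review bot: Both new debug messages are inverted: they are logged on the branch that skips the candidate, so `"local identity does match hint\n"` should read `"local identity does not match hint\n"` and the id_p message should read `"remote identity does not match hint\n"`; as written a debug trace suggests the opposite of what happened. The identity check only runs when both the hint and the candidate carry a non-empty id/id_p, so a candidate lacking either falls through on the address match alone — presumably intended for phase1s whose identity is not yet set, but worth a comment such as `/* identities are compared only when both sides have them; otherwise the address match suffices */`. The switch from `!= 0` to `== CMPSADDR_MISMATCH` also changes which cmpsaddr results reject a candidate; if cmpsaddr has other non-zero return values, that is a behavioural change beyond what the commit message describes. getph1's signature is in the previous hunk and its body ends outside this one.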
@@ -1155,7 +1173,7 @@
}
#ifdef ENABLE_HYBRID
-/*
+/*
* Retruns 0 if the address was obtained by ISAKMP mode config, 1 otherwise
* This should be in isakmp_cfg.c but ph1tree being private, it must be there
*/
@@ -1182,7 +1200,7 @@
-/*
+/*
* Reload conf code
*/
static int revalidate_ph2(struct ph2handle *iph2){
@@ -1192,11 +1210,11 @@
struct saprop *approval;
struct ph1handle *iph1;
- /*
+ /*
* Get the new sainfo using values of the old one
*/
if (iph2->sainfo != NULL) {
- iph2->sainfo = getsainfo(iph2->sainfo->idsrc,
+ iph2->sainfo = getsainfo(iph2->sainfo->idsrc,
iph2->sainfo->iddst, iph2->sainfo->id_i,
NULL, iph2->sainfo->remoteid);
}
@@ -1204,7 +1222,7 @@
sainfo = iph2->sainfo;
if (sainfo == NULL) {
- /*
+ /*
* Sainfo has been removed
*/
plog(LLV_DEBUG, LOCATION, NULL,
@@ -1219,7 +1237,7 @@
plog(LLV_DEBUG, LOCATION, NULL,
"No approval found !\n");
return 0;
- }
+ }
/*
* Don't care about proposals, should we do something ?
@@ -1318,7 +1336,7 @@
}
found = 0;
- for (alg = sainfo->algs[algclass_ipsec_enc];
+ for (alg = sainfo->algs[algclass_ipsec_enc];
(found == 0 && alg != NULL); alg = alg->next) {
plog(LLV_DEBUG, LOCATION, NULL,
"Reload: next ph2 enc alg...\n");
@@ -1351,7 +1369,7 @@
break;
default:
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(LLV_ERROR, LOCATION, NULL,
"unexpected check_level\n");
continue;
break;
@@ -1375,7 +1393,7 @@
}
-static void
+static void
remove_ph2(struct ph2handle *iph2)
{
u_int32_t spis[2];
@@ -1467,7 +1485,7 @@
return 1;
}
-int
+int
revalidate_ph12(void)
{
diff -r 17f26738ab6a -r 169199dafa90 crypto/dist/ipsec-tools/src/racoon/handler.h
--- a/crypto/dist/ipsec-tools/src/racoon/handler.h Thu Sep 03 08:24:06 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/handler.h Thu Sep 03 09:29:07 2009 +0000
@@ -1,11 +1,11 @@
-/* $NetBSD: handler.h,v 1.21 2009/07/03 06:41:46 tteras Exp $ */
+/* $NetBSD: handler.h,v 1.22 2009/09/03 09:29:07 tteras Exp $ */
/* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
- *
+ *
* Redistribution and use in source and binary forms, with or without