RPM: ipsec-tools
Patch: ipsec-tools-0.6.5-acquires.patch
diff -urpN ipsec-tools-0.6.5/src/racoon/handler.h ipsec-tools-0.6.5.sandbox/src/racoon/handler.h
--- ipsec-tools-0.6.5/src/racoon/handler.h 2005-05-07 12:26:05.000000000 -0500
+++ ipsec-tools-0.6.5.sandbox/src/racoon/handler.h 2007-04-10 10:57:52.000000000 -0500
@@ -279,6 +279,8 @@ struct ph2handle {
u_int8_t flags; /* Flags for phase 2 */
u_int32_t msgid; /* msgid for phase 2 */
+ u_int32_t sa_count; /* num of SAs sent in SADB_ADD */
+
struct sainfo *sainfo; /* place holder of sainfo */
struct saprop *proposal; /* SA(s) proposal. */
struct saprop *approval; /* SA(s) approved. */
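Review bot: The comment on the new `sa_count` field says only who writes it, not how it is consumed: pk_recvadd() decrements it once per SADB_ADD reply and the handle becomes PHASE2ST_ESTABLISHED when it reaches zero, so a reader of handler.h cannot tell that zero means "no ADD replies pending". Suggest `u_int32_t sa_count; /* SADB_ADDs sent and not yet acknowledged; pk_recvadd() decrements, handle is ESTABLISHED at 0 */`. Whether initph2() resets the field when a handle is re-used after SADB_EXPIRE is not visible in this patch; if it does not, a stale count from the previous SA set survives until pk_sendadd() overwrites it.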
diff -urpN ipsec-tools-0.6.5/src/racoon/pfkey.c ipsec-tools-0.6.5.sandbox/src/racoon/pfkey.c
--- ipsec-tools-0.6.5/src/racoon/pfkey.c 2007-04-10 10:17:40.000000000 -0500
+++ ipsec-tools-0.6.5.sandbox/src/racoon/pfkey.c 2007-04-10 10:56:39.000000000 -0500
@@ -1287,7 +1287,9 @@ pk_recvupdate(mhp)
SCHED_KILL(iph2->sce);
/* update status */
- iph2->status = PHASE2ST_ESTABLISHED;
+ /* Do this in pk_recvadd
+ * iph2->status = PHASE2ST_ESTABLISHED;
+ */
#ifdef ENABLE_STATS
gettimeofday(&iph2->end, NULL);
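Review bot: The old assignment is left behind as commented-out code instead of being deleted, and the wording `Do this in pk_recvadd` reads as a to-do rather than a statement of the new design. Replace the three commented lines with a plain comment, e.g. `/* PHASE2ST_ESTABLISHED is now set in pk_recvadd() once every SADB_ADD reply has arrived */`. pk_recvupdate's body continues outside the hunk.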
@@ -1333,6 +1335,7 @@ pk_sendadd(iph2)
u_int8_t ctxdoi = 0, ctxalg = 0;
u_int16_t ctxstrlen = 0;
caddr_t ctxstr = NULL;
+ u_int32_t sa_sent = 0;
/* sanity check */
if (iph2->approval == NULL) {
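Review bot: `sa_sent` is zeroed here but `iph2->sa_count` is only written at the end of the loop (the `iph2->sa_count = sa_sent;` added just before `return 0` in the later hunk), so if pk_sendadd() returns on one of its error paths in between, the handle keeps whatever count it had before — zero on a fresh handle, possibly the previous SA set's count on a handle re-used after expire — while the SADB_ADDs already sent still produce replies that pk_recvadd() will count down. Suggest resetting the field together with the local, `iph2->sa_count = 0;` next to `u_int32_t sa_sent = 0;`, or dropping the local and incrementing `iph2->sa_count` directly inside the loop. The error paths themselves are outside this hunk, so this is inferred from the structure of the function.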
@@ -1470,6 +1473,9 @@ pk_sendadd(iph2)
}
#endif /* ENABLE_NATT */
+ /* keep count of SAs added. */
+ sa_sent++;
+
if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA])
continue;
@@ -1497,6 +1503,7 @@ pk_sendadd(iph2)
satype, pr->spi_p, mode));
}
+ iph2->sa_count = sa_sent;
return 0;
}
@@ -1552,9 +1559,18 @@ pk_recvadd(mhp)
}
/*
- * NOTE don't update any status of phase2 handle
- * because they must be updated by SADB_UPDATE message
+ * Thus, update the status of phase 2 handle after all SADB_ADD
+ * msgs have been received for the handle, rather than
+ * after SADB_UPDATE.
+ *
+ * This also removes the possibilty of processing an ACQUIRE
+ * received by kernel for SAs we are still adding.
*/
+ if (iph2->sa_count) {
+ iph2->sa_count = iph2->sa_count - 1;
+ if (iph2->sa_count == 0)
+ iph2->status = PHASE2ST_ESTABLISHED;
+ }
plog(LLV_INFO, LOCATION, NULL,
"IPsec-SA established: %s\n",
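Review bot: The `if (iph2->sa_count)` guard silently ignores a reply that arrives when the count is already zero, and together with the removal of the PHASE2ST_ESTABLISHED assignment from pk_recvupdate() in the earlier hunk, a handle whose count was never set can no longer become ESTABLISHED at all. Since pk_recvacquire() drops ACQUIREs for a handle with `status < PHASE2ST_ESTABLISHED` and SCHED_KILL(iph2->sce) in pk_recvupdate() has already removed the expire timer, such a handle would block re-negotiation of its policy until something else removes it; whether any path actually reaches that state is not visible here. At minimum the zero case deserves a `plog(LLV_WARNING, ...)` so the condition is observable in the log, and `iph2->sa_count--;` reads more naturally than `iph2->sa_count = iph2->sa_count - 1;`. pk_recvadd's body continues outside the hunk.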
@@ -1639,8 +1655,6 @@ pk_recvexpire(mhp)
/* turn off the timer for calling isakmp_ph2expire() */
SCHED_KILL(iph2->sce);
- iph2->status = PHASE2ST_EXPIRED;
-
/* INITIATOR, begin phase 2 exchange. */
/* allocate buffer for status management of pfkey message */
if (iph2->side == INITIATOR) {
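Review bot: Moving `iph2->status = PHASE2ST_EXPIRED` from here to just before unbindph12()/remph2()/delph2() in the following hunk means the handle no longer passes through PHASE2ST_EXPIRED on the INITIATOR path (the body of `if (iph2->side == INITIATOR)` is outside the hunk), and on the delete path the assignment is immediately followed by delph2(), so it only has an effect if unbindph12() or remph2() inspect status. The patch gives no rationale for the move; a comment at the new location such as `/* mark EXPIRED only when the handle is torn down; the INITIATOR branch above re-uses it */` would record the intent. If the INITIATOR branch relies on seeing EXPIRED before it re-initialises the handle, that reliance is now broken — worth confirming against the code outside the hunk.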
@@ -1668,6 +1682,7 @@ pk_recvexpire(mhp)
/* If not received SADB_EXPIRE, INITIATOR delete ph2handle. */
/* RESPONDER always delete ph2handle, keep silent. RESPONDER doesn't
* manage IPsec SA, so delete the list */
+ iph2->status = PHASE2ST_EXPIRED;
unbindph12(iph2);
remph2(iph2);
delph2(iph2);
@@ -1789,8 +1804,18 @@ pk_recvacquire(mhp)
* 2. its state is equal to PHASE2ST_ESTABLISHED, then racoon
* has to prcesss such a acquire message because racoon may
* lost the expire message.
+ *
+ * When in responder role, an spid doesn't get added to
+ * the handler since responder didn't receive acquire.
+ * Thus there is the case that a negotiation can be occurring
+ * and responder receives acquire for same policy. So to prevent
+ * another identical negotiation, also check by address.
*/
+
iph2[0] = getph2byid(src, dst, xpl->sadb_x_policy_id);
+ if (iph2[0] == NULL)
+ iph2[0] = getph2bysaddr(src, dst);
+
if (iph2[0] != NULL) {
if (iph2[0]->status < PHASE2ST_ESTABLISHED) {
plog(LLV_DEBUG, LOCATION, NULL,
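Review bot: The new fallback `getph2bysaddr(src, dst)` matches on peer addresses alone, so an ACQUIRE for a different policy between the same two hosts can be attributed to an unrelated in-progress handle and then discarded by the `status < PHASE2ST_ESTABLISHED` branch below, suppressing a legitimate new negotiation rather than a duplicate one. The comment justifies the fallback for the responder role only, yet the lookup is applied regardless of the handle's side; restricting it, e.g. `if (iph2[0] == NULL) { iph2[0] = getph2bysaddr(src, dst); if (iph2[0] != NULL && iph2[0]->side != RESPONDER) iph2[0] = NULL; }`, or comparing the policy selectors in addition to the addresses, would narrow the match. Whether getph2bysaddr() returns the first or the most recent handle for the address pair is not visible here. pk_recvacquire's body continues outside the hunk.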