Commit a0a65d61 authored by Timo Teräs's avatar Timo Teräs

testing/ipsec-tools: two new fixes

 * update adminport to work with huge replies
 * defer handling of DH calculations for isakmp identity response
   (this helps to handle things in the right order if we are getting
    multiple simultaneous connection requests; this also makes
    the previous receive buffer size change mostly irrelevant)
parent 39e9e298
Index: src/racoon/isakmp.c
===================================================================
RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp.c,v
retrieving revision 1.63
diff -u -r1.63 isakmp.c
--- a/src/racoon/isakmp.c 21 Oct 2010 06:15:28 -0000 1.63
+++ b/src/racoon/isakmp.c 29 Oct 2010 10:51:28 -0000
@@ -130,6 +130,10 @@
# define SOL_UDP IPPROTO_UDP
# endif /* __NetBSD__ / __FreeBSD__ */
+vchar_t *postponed_buf;
+struct sockaddr_storage postponed_remote;
+struct sockaddr_storage postponed_local;
+
static int nostate1 __P((struct ph1handle *, vchar_t *));
static int nostate2 __P((struct ph2handle *, vchar_t *));
@@ -177,7 +181,7 @@
static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */
-static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *));
+/* static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *)); */
static int ph1_main __P((struct ph1handle *, vchar_t *));
static int quick_main __P((struct ph2handle *, vchar_t *));
static int isakmp_ph1begin_r __P((vchar_t *,
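Review bot: The old file-local prototype of isakmp_main is commented out rather than deleted, so a dead copy of the declaration stays in the file and will drift from the real one once the signature changes. Since this patch adds the public declaration to isakmp_var.h, drop the line `/* static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *)); */` entirely.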
@@ -374,10 +378,17 @@
}
/* isakmp main routine */
- if (isakmp_main(buf, (struct sockaddr *)&remote,
- (struct sockaddr *)&local) != 0) goto end;
-
- error = 0;
+ res = isakmp_main(buf, (struct sockaddr *)&remote,
+ (struct sockaddr *)&local);
+ if (res == 0) {
+ error = 0;
+ } else if (res == -42424 && postponed_buf == NULL) {
+ postponed_buf = buf;
+ postponed_remote = remote;
+ postponed_local = local;
+ buf = NULL;
+ error = 0;
+ }
end:
if (tmpbuf != NULL)
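Review bot: The postponement sentinel -42424 is a bare magic number that is compared here, again in the isakmp_main and ph1_main hunks of this file, and in the isakmp_ident.c hunk; it belongs in isakmp_var.h as a named constant, e.g. `#define ISAKMP_POSTPONED (-42424)`, with every comparison using the name. On this hunk there is a second gap: when res is -42424 but the single deferral slot is already occupied, neither branch runs, error keeps its earlier value (presumably -1; the initialisation is outside the hunk) and the packet is dropped with no log line, which makes stalled phase 1 exchanges under load hard to diagnose. A debug-level message such as `} else if (res == -42424) { plog(LLV_DEBUG, LOCATION, NULL, "postponed slot busy, dropping packet\n"); }` would make the drop visible. `res` is not declared in this hunk, and the enclosing isakmp_handler starts and ends outside it.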
@@ -390,7 +401,7 @@
/*
* main processing to handle isakmp payload
*/
-static int
+int
isakmp_main(msg, remote, local)
vchar_t *msg;
struct sockaddr *remote, *local;
@@ -399,6 +410,7 @@
isakmp_index *index = (isakmp_index *)isakmp;
u_int32_t msgid = isakmp->msgid;
struct ph1handle *iph1;
+ int rc;
#ifdef HAVE_PRINT_ISAKMP_C
isakmp_printpacket(msg, remote, local, 0);
@@ -604,12 +616,14 @@
#endif
/* call main process of phase 1 */
- if (ph1_main(iph1, msg) < 0) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "phase1 negotiation failed.\n");
- remph1(iph1);
- delph1(iph1);
- return -1;
+ if ((rc=ph1_main(iph1, msg)) < 0) {
+ if (rc != -42424) {
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+ "phase1 negotiation failed.\n");
+ remph1(iph1);
+ delph1(iph1);
+ }
+ return rc;
}
break;
@@ -813,10 +827,11 @@
"failed to pre-process ph1 packet (side: %d, status %d).\n",
iph1->side, iph1->status);
return -1;
- } else {
- /* ignore the error and keep phase 1 handler */
- return 0;
}
+ if (error == -42424)
+ return error;
+ /* ignore the error and keep phase 1 handler */
+ return 0;
}
#ifndef ENABLE_FRAG
Index: src/racoon/isakmp_ident.c
===================================================================
RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c,v
retrieving revision 1.13
diff -u -r1.13 isakmp_ident.c
--- a/src/racoon/isakmp_ident.c 18 Sep 2009 10:31:11 -0000 1.13
+++ b/src/racoon/isakmp_ident.c 29 Oct 2010 10:51:29 -0000
@@ -1128,6 +1128,11 @@
goto end;
}
+ if (postponed_buf != msg) {
+ error = -42424;
+ goto end;
+ }
+
/* validate the type of next payload */
pbuf = isakmp_parse(msg);
if (pbuf == NULL)
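Review bot: The early-out on `postponed_buf != msg` carries no comment, and a reader will take it for an error path rather than the deliberate deferral of this responder step (and its DH work) until session() replays the buffer. Add above the check: `/* Defer the expensive part of this step: unless we are being replayed from the session loop with the parked buffer, hand the packet back (-42424) so it is processed once the loop is idle. */`. It is worth confirming that nothing reached via `goto end` from this point releases state the later replay still needs; the enclosing function starts and ends outside the hunk.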
Index: src/racoon/isakmp_var.h
===================================================================
RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h,v
retrieving revision 1.16
diff -u -r1.16 isakmp_var.h
--- a/src/racoon/isakmp_var.h 3 Sep 2009 09:29:07 -0000 1.16
+++ b/src/racoon/isakmp_var.h 29 Oct 2010 10:51:29 -0000
@@ -141,4 +141,10 @@
u_int32_t setscopeid __P((struct sockaddr *, struct sockaddr *));
#endif
+int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *));
+
+extern vchar_t *postponed_buf;
+extern struct sockaddr_storage postponed_remote;
+extern struct sockaddr_storage postponed_local;
+
#endif /* _ISAKMP_VAR_H */
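Review bot: The three new externs say nothing about who owns postponed_buf, yet the other hunks show isakmp_handler parking the buffer and session() freeing it after the replay, so a second writer would leak or double-free it. Add above the externs: `/* Single-slot deferral of one inbound ISAKMP packet: isakmp_handler parks the buffer and the peer/local addresses here when isakmp_main asks for postponement; session() replays it through isakmp_main and frees it. Only one packet may be parked at a time. */`.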
Index: src/racoon/session.c
===================================================================
RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/session.c,v
retrieving revision 1.28
diff -u -r1.28 session.c
--- a/src/racoon/session.c 21 Oct 2010 06:15:28 -0000 1.28
+++ b/src/racoon/session.c 29 Oct 2010 10:51:29 -0000
@@ -172,7 +172,7 @@
int
session(void)
{
- struct timeval *timeout;
+ struct timeval *timeout, to_zero = { 0, 0 };
int error;
char pid_file[MAXPATHLEN];
FILE *fp;
@@ -295,6 +295,8 @@
/* scheduling */
timeout = schedular();
+ if (postponed_buf != NULL)
+ timeout = &to_zero;
/* schedular can change select() mask, so we reset
* the working copy here */
@@ -332,6 +334,14 @@
break;
}
+ if (count == 0 && postponed_buf != NULL) {
+ (void) isakmp_main(
+ postponed_buf,
+ (struct sockaddr *) &postponed_remote,
+ (struct sockaddr *) &postponed_local);
+ vfree(postponed_buf);
+ postponed_buf = NULL;
+ }
}
}
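Review bot: The parked packet is only replayed when select() returns 0, so for as long as some descriptor keeps becoming readable the deferred DH step never runs, and because the slot stays occupied every further postponed packet is dropped at isakmp_handler; under sustained inbound traffic phase 1 can stall indefinitely. The timeout is already forced to zero whenever a packet is parked, so the replay could run after the descriptors have been serviced regardless of count, i.e. `if (postponed_buf != NULL) {` in place of `if (count == 0 && postponed_buf != NULL) {` (assuming this block sits after the descriptor handlers, which are outside the hunk). Discarding the replayed isakmp_main's return value is acceptable only because the isakmp.c hunks show it logging its own failures. The enclosing session() loop starts outside this hunk.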
Index: src/racoon/isakmp.c
===================================================================
RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp.c,v
retrieving revision 1.60
diff -u -r1.60 isakmp.c
--- a/src/racoon/isakmp.c 3 Sep 2009 09:29:07 -0000 1.60
+++ b/src/racoon/isakmp.c 20 Aug 2010 11:59:20 -0000
@@ -1579,6 +1579,7 @@
#ifdef ENABLE_NATT
int option = -1;
#endif
+ int rcvSize = 16384;
/* warn if wildcard address - should we forbid this? */
switch (addr->sa_family) {
@@ -1706,6 +1707,17 @@
goto err;
}
+ /* set receive buffer size - shouldn't be too large otherwise
+ * we can acommodate too long backbuffer of packets and not
+ * able to handle any packets in real time */
+ if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF,
+ (void*) &rcvSize, sizeof(rcvSize)) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to set SO_RCVBUF size (%s).\n",
+ strerror(errno));
+ /* soft-error, continue even if this failed */
+ }
+
if (setsockopt_bypass(fd, addr->sa_family) < 0)
goto err;
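Review bot: `int rcvSize = 16384;` is a magic number with a camelCase name in a file that uses snake_case; move it to a named constant such as `#define ISAKMP_RCVBUF_SIZE 16384` with the rationale comment attached to the definition, and fix "acommodate" to "accommodate" in that comment. SO_RCVBUF is only a request that the kernel may round or clamp, so if the size matters it is worth reading it back with getsockopt and logging the effective value at debug level. The enclosing function starts and ends outside the hunk.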
Index: src/racoon/admin.c
===================================================================
RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/admin.c,v
retrieving revision 1.35
diff -u -r1.35 admin.c
--- a/src/racoon/admin.c 21 Oct 2010 06:15:28 -0000 1.35
+++ b/src/racoon/admin.c 29 Oct 2010 10:51:28 -0000
@@ -638,9 +638,15 @@
}
combuf = (struct admin_com *) retbuf;
- combuf->ac_len = tlen;
+ combuf->ac_len = (u_int16_t) tlen;
combuf->ac_cmd = req->ac_cmd & ~ADMIN_FLAG_VERSION;
- combuf->ac_errno = l_ac_errno;
+ if (tlen != (u_int32_t) combuf->ac_len &&
+ l_ac_errno == 0) {
+ combuf->ac_len_high = tlen >> 16;
+ combuf->ac_cmd |= ADMIN_FLAG_LONG_REPLY;
+ } else {
+ combuf->ac_errno = l_ac_errno;
+ }
combuf->ac_proto = req->ac_proto;
if (buf != NULL)
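Review bot: When tlen does not fit in 16 bits and l_ac_errno is non-zero, the else branch leaves ac_len holding only the low 16 bits of tlen without ADMIN_FLAG_LONG_REPLY, so the client decodes a wrong length; the high length bits and the errno cannot both be sent because they share the union, and the code should say so rather than silently truncate. Add before the if: `/* ac_len_high aliases ac_errno, so a reply can carry either an error or a >64K length, never both; an error reply is expected to be short. */` and log (at least at LLV_ERROR) when `l_ac_errno != 0 && tlen != (u_int32_t) combuf->ac_len` so the truncation is visible. The enclosing function starts and ends outside the hunk.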
Index: src/racoon/admin.h
===================================================================
RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/admin.h,v
retrieving revision 1.7
diff -u -r1.7 admin.h
--- a/src/racoon/admin.h 29 Aug 2008 00:30:15 -0000 1.7
+++ b/src/racoon/admin.h 29 Oct 2010 10:51:28 -0000
@@ -49,16 +49,19 @@
union {
int16_t ac_un_errno;
uint16_t ac_un_version;
+ uint16_t ac_un_len_high;
} u;
u_int16_t ac_proto;
};
#define ac_errno u.ac_un_errno
#define ac_version u.ac_un_version
+#define ac_len_high u.ac_un_len_high
/*
* Version field in request is valid.
*/
#define ADMIN_FLAG_VERSION 0x8000
+#define ADMIN_FLAG_LONG_REPLY 0x8000
/*
* No data follows as the data.
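Review bot: ADMIN_FLAG_LONG_REPLY reuses the 0x8000 bit of ADMIN_FLAG_VERSION without stating that the two are direction-dependent, and ac_len_high silently aliases ac_errno in the union; both invariants are relied on by the admin.c, kmpstat.c and racoonctl.c hunks. Add before the define: `/* Same bit as ADMIN_FLAG_VERSION, meaningful only in replies (the daemon clears ADMIN_FLAG_VERSION when echoing ac_cmd). When set, ac_len_high holds bits 16..31 of the reply length, so no ac_errno can be carried in the same reply. */`.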
Index: src/racoon/kmpstat.c
===================================================================
RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/kmpstat.c,v
retrieving revision 1.6
diff -u -r1.6 kmpstat.c
--- a/src/racoon/kmpstat.c 2 Oct 2007 09:47:45 -0000 1.6
+++ b/src/racoon/kmpstat.c 29 Oct 2010 10:51:29 -0000
@@ -138,7 +138,7 @@
{
struct admin_com h, *com;
caddr_t buf;
- int len;
+ int len, rlen;
int l = 0;
caddr_t p;
@@ -153,19 +153,25 @@
if (len < sizeof(h))
goto bad1;
- if (h.ac_errno) {
+ if (h.ac_errno && !(h.ac_cmd & ADMIN_FLAG_LONG_REPLY)) {
errno = h.ac_errno;
goto bad1;
}
+ /* real length */
+ if (h.ac_cmd & ADMIN_FLAG_LONG_REPLY)
+ rlen = ((u_int32_t)h.ac_len) + (((u_int32_t)h.ac_len_high) << 16);
+ else
+ rlen = h.ac_len;
+
/* allocate buffer */
- if ((*combufp = vmalloc(h.ac_len)) == NULL)
+ if ((*combufp = vmalloc(rlen)) == NULL)
goto bad1;
/* read real message */
p = (*combufp)->v;
- while (l < len) {
- if ((len = recv(so, p, h.ac_len, 0)) < 0) {
+ while (l < rlen) {
+ if ((len = recv(so, p, rlen - l, 0)) < 0) {
perror("recv");
goto bad2;
}
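Review bot: rlen is assembled from header fields read off the socket and never validated: it is an int assigned a 32-bit unsigned sum, so values at or above 2^31 turn negative and `vmalloc(rlen)` receives a huge size, and a value below sizeof(h) passes through to code that later subtracts the header size (the racoonctl.c hunk does `len -= sizeof(*com)` on the same quantity and would go negative). Declare rlen as u_int32_t and reject out-of-range values before allocating, `if (rlen < sizeof(h) || rlen > <MAX_REPLY_LEN placeholder>) goto bad1;`, with the bound chosen to match what the daemon can legitimately send. The admin socket is local, so this is a robustness issue rather than remote exposure, but a buggy daemon should not be able to make the client allocate gigabytes. The enclosing function starts and ends outside the hunk.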
Index: src/racoon/racoonctl.c
===================================================================
RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/racoonctl.c,v
retrieving revision 1.17
diff -u -r1.17 racoonctl.c
--- a/src/racoon/racoonctl.c 20 Apr 2009 13:22:00 -0000 1.17
+++ b/src/racoon/racoonctl.c 29 Oct 2010 10:51:29 -0000
@@ -1426,10 +1426,14 @@
int len;
com = (struct admin_com *)combuf->v;
- len = com->ac_len - sizeof(*com);
+ if (com->ac_cmd & ADMIN_FLAG_LONG_REPLY)
+ len = ((u_int32_t)com->ac_len) + (((u_int32_t)com->ac_len_high) << 16);
+ else
+ len = com->ac_len;
+ len -= sizeof(*com);
buf = combuf->v + sizeof(*com);
- switch (com->ac_cmd) {
+ switch (com->ac_cmd & ~ADMIN_FLAG_LONG_REPLY) {
case ADMIN_SHOW_SCHED:
print_schedule(buf, len);
break;
......@@ -2,7 +2,7 @@
pkgname=ipsec-tools
pkgver=0.8_alpha20101022
_myver=0.8-alpha20101022
pkgrel=0
pkgrel=1
pkgdesc="User-space IPsec tools for various IPsec implementations"
url="http://ipsec-tools.sourceforge.net/"
license="BSD"
......@@ -14,8 +14,9 @@ source="http://downloads.sourceforge.net/$pkgname/$pkgname-$_myver.tar.gz
racoon.confd
10-revert-utmpx.patch
50-reverse-connect.patch
70-rcvbuf-size.patch
70-defer-isakmp-ident-handling.patch
75-racoonctl-rcvbuf.patch
80-admin-big-reply-fix.patch
90-dpd-window-fix.patch
"
......@@ -61,6 +62,7 @@ md5sums="1492b83edc944b5d32d2eff51e33399e ipsec-tools-0.8-alpha20101022.tar.gz
2d00250cf72da7f2f559c91b65a48747 racoon.confd
90b629020b95bca6824cefde244fa6b2 10-revert-utmpx.patch
13bda94a598aabf593280e04ea16065d 50-reverse-connect.patch
f40c78e4ca4b92d2bf74e4fcf3a8d91f 70-rcvbuf-size.patch
94773c94233e14cdce0fa02ff780a43e 70-defer-isakmp-ident-handling.patch
2d5d24c4a3684a38584f88720f71c7d6 75-racoonctl-rcvbuf.patch
c3898b162d284bc163f99cc52925b52a 80-admin-big-reply-fix.patch
0391a6967ad19673588302bc8b17e0e2 90-dpd-window-fix.patch"