Commit d96c2a55 authored by Timo Teräs's avatar Timo Teräs

testing/ipsec-tools: experimental build of new ipsec-tools

latest snapshot of the ipsec-tools upstream CVS repository, with
a couple of additional patches (and one upstream revert to make
it compile with uclibc)
parent 10871b20
Index: src/racoon/isakmp_cfg.c
===================================================================
RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c,v
retrieving revision 1.24
retrieving revision 1.23
diff -u -r1.24 -r1.23
--- a/src/racoon/isakmp_cfg.c 21 Sep 2010 13:14:17 -0000 1.24
+++ b/src/racoon/isakmp_cfg.c 4 Aug 2010 09:16:58 -0000 1.23
@@ -1,4 +1,4 @@
-/* $NetBSD: isakmp_cfg.c,v 1.24 2010/09/21 13:14:17 vanhu Exp $ */
+/* $NetBSD: isakmp_cfg.c,v 1.23 2010/08/04 09:16:58 vanhu Exp $ */
/* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */
@@ -38,7 +38,7 @@
#include <sys/socket.h>
#include <sys/queue.h>
-#include <utmpx.h>
+#include <utmp.h>
#if defined(__APPLE__) && defined(__MACH__)
#include <util.h>
#endif
@@ -1661,7 +1661,8 @@
int inout;
{
int error = 0;
- struct utmpx ut;
+ struct utmp ut;
+ char term[UT_LINESIZE];
char addr[NI_MAXHOST];
if (usr == NULL || usr[0]=='\0') {
@@ -1670,33 +1671,36 @@
return -1;
}
- memset(&ut, 0, sizeof ut);
- gettimeofday((struct timeval *)&ut.ut_tv, NULL);
- snprintf(ut.ut_id, sizeof ut.ut_id, TERMSPEC, port);
+ sprintf(term, TERMSPEC, port);
switch (inout) {
case ISAKMP_CFG_LOGIN:
- ut.ut_type = USER_PROCESS;
- strncpy(ut.ut_user, usr, sizeof ut.ut_user);
+ strncpy(ut.ut_name, usr, UT_NAMESIZE);
+ ut.ut_name[UT_NAMESIZE - 1] = '\0';
+
+ strncpy(ut.ut_line, term, UT_LINESIZE);
+ ut.ut_line[UT_LINESIZE - 1] = '\0';
GETNAMEINFO_NULL(raddr, addr);
- strncpy(ut.ut_host, addr, sizeof ut.ut_host);
+ strncpy(ut.ut_host, addr, UT_HOSTSIZE);
+ ut.ut_host[UT_HOSTSIZE - 1] = '\0';
+ ut.ut_time = time(NULL);
+
plog(LLV_INFO, LOCATION, NULL,
"Accounting : '%s' logging on '%s' from %s.\n",
- ut.ut_user, ut.ut_id, addr);
+ ut.ut_name, ut.ut_line, ut.ut_host);
- pututxline(&ut);
+ login(&ut);
break;
case ISAKMP_CFG_LOGOUT:
- ut.ut_type = DEAD_PROCESS;
plog(LLV_INFO, LOCATION, NULL,
"Accounting : '%s' unlogging from '%s'.\n",
- usr, ut.ut_id);
+ usr, term);
- pututxline(&ut);
+ logout(term);
break;
default:
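Review bot: The new side drops the `memset(&ut, 0, sizeof ut)` the old code had, so every `struct utmp` field this function never assigns (ut_id, ut_pid, ut_exit and the rest) reaches `login(&ut)` as uninitialized stack bytes and, unless the libc's login() overwrites all of them (it fills some, not all, on glibc as far as I recall — confirm), ends up in the utmp/wtmp records. In the same hunk `sprintf(term, TERMSPEC, port)` replaces a bounded `snprintf`; `term` is only `UT_LINESIZE` bytes (declared in the previous hunk), so the write is unbounded for whatever TERMSPEC expands to. Keep both the zeroing and the bound: `memset(&ut, 0, sizeof ut);` before the `switch`, and `snprintf(term, sizeof term, TERMSPEC, port);`. The enclosing function starts before this hunk and ends after it.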
When new ISAKMP is required, allow incoming reverse connection to take
From: Timo Teras <timo.teras@iki.fi>
over pending phase1:s. Useful when the other party is firewalled or NATted.
---
src/racoon/admin.c | 12 ++++++++++++
src/racoon/evt.c | 13 +++++++++++++
src/racoon/evt.h | 3 +++
src/racoon/handler.c | 28 +++++++++++++++++++++-------
src/racoon/isakmp.c | 39 ++++++++++++++++++++++++++++++++++-----
5 files changed, 83 insertions(+), 12 deletions(-)
diff --git a/src/racoon/admin.c b/src/racoon/admin.c
index b67e545..710c9bf 100644
--- a/src/racoon/admin.c
+++ b/src/racoon/admin.c
@@ -414,11 +414,23 @@ admin_process(so2, combuf)
struct sockaddr *dst;
struct sockaddr *src;
char *name = NULL;
+ char *loc, *rem;
ndx = (struct admin_com_indexes *) ((caddr_t)com + sizeof(*com));
src = (struct sockaddr *) &ndx->src;
dst = (struct sockaddr *) &ndx->dst;
+ loc = racoon_strdup(saddr2str(src));
+ rem = racoon_strdup(saddr2str(dst));
+ STRDUP_FATAL(loc);
+ STRDUP_FATAL(rem);
+
+ plog(LLV_INFO, LOCATION, NULL,
+ "admin establish-sa %x %s %s\n",
+ com->ac_proto, loc, rem);
+ racoon_free(loc);
+ racoon_free(rem);
+
if (com->ac_cmd == ADMIN_ESTABLISH_SA &&
com->ac_len > sizeof(*com) + sizeof(*ndx))
name = (char *) ((caddr_t) ndx + sizeof(*ndx));
diff --git a/src/racoon/evt.c b/src/racoon/evt.c
index 4ce1334..000c1f8 100644
--- a/src/racoon/evt.c
+++ b/src/racoon/evt.c
@@ -396,4 +396,17 @@ evt_list_cleanup(list)
evt_unsubscribe(LIST_FIRST(list));
}
+void
+evt_list_move(from, to)
+ struct evt_listener_list *from, *to;
+{
+ struct evt_listener *l;
+
+ while (!LIST_EMPTY(from)) {
+ l = LIST_FIRST(from);
+ LIST_REMOVE(l, ll_chain);
+ LIST_INSERT_HEAD(to, l, ll_chain);
+ }
+}
+
#endif /* ENABLE_ADMINPORT */
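Review bot: `evt_list_move` lands without a function comment, although the lists it manipulates are shared with the admin-port event code, and the remove-head/insert-head loop also reverses the listeners' relative order, which a caller may not expect. A comment above the definition such as `/* Move every listener from 'from' to 'to' (order is reversed); 'from' is left empty. */` records both facts. Whether any caller depends on listener order I cannot tell from this hunk.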
diff --git a/src/racoon/evt.h b/src/racoon/evt.h
index 0ce65bd..ba7fb57 100644
--- a/src/racoon/evt.h
+++ b/src/racoon/evt.h
@@ -124,6 +124,8 @@ void evt_phase2 __P((const struct ph2handle *ph2, int type, vchar_t *optdata));
vchar_t *evt_dump __P((void));
int evt_subscribe __P((struct evt_listener_list *list, int fd));
+void evt_list_move __P((struct evt_listener_list *from,
+ struct evt_listener_list *to));
void evt_list_init __P((struct evt_listener_list *list));
void evt_list_cleanup __P((struct evt_listener_list *list));
@@ -136,6 +138,7 @@ void evt_list_cleanup __P((struct evt_listener_list *list));
#define evt_phase2(ph2, type, optdata) ;
#define evt_subscribe(eventlist, fd) ;
+#deifne evt_list_move(from, to) ;
#define evt_list_init(eventlist) ;
#define evt_list_cleanup(eventlist) ;
#define evt_get_fdmask(nfds, fdset) nfds
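Review bot: `#deifne evt_list_move(from, to) ;` is a misspelled directive; the preprocessor rejects unknown directives, so any build that takes this branch (presumably the non-ENABLE_ADMINPORT side, judging by the sibling stubs) fails to compile evt.h from this patch on. The Alpine build passes `--enable-adminport`, which is why it does not surface here. Change it to `#define evt_list_move(from, to) ;` to match the neighbouring stubs.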
diff --git a/src/racoon/handler.c b/src/racoon/handler.c
index b33986f..9fd3817 100644
--- a/src/racoon/handler.c
+++ b/src/racoon/handler.c
@@ -269,26 +269,40 @@ migrate_ph12(old_iph1, new_iph1)
}
/*
- * the iph1 is new, migrate all phase2s that belong to a dying or dead ph1
+ * the iph1 is new, migrate all phase2s that belong to a dying or dead ph1.
*/
void migrate_dying_ph12(iph1)
struct ph1handle *iph1;
{
- struct ph1handle *p;
+ struct ph1handle *p, *next;
- LIST_FOREACH(p, &ph1tree, chain) {
+ for (p = LIST_FIRST(&ph1tree); p; p = next) {
+ next = LIST_NEXT(p, chain);
if (p == iph1)
continue;
- if (p->status < PHASE1ST_DYING)
+
+ /* Same remote? */
+ if (cmpsaddr(iph1->local, p->local) > CMPSADDR_WOP_MATCH ||
+ cmpsaddr(iph1->remote, p->remote) > CMPSADDR_WOP_MATCH ||
+ iph1->rmconf != p->rmconf)
continue;
- if (cmpsaddr(iph1->local, p->local) == 0
- && cmpsaddr(iph1->remote, p->remote) == 0)
+ /* migrate phase2:s from expiring entries */
+ if (p->status >= PHASE1ST_DYING)
migrate_ph12(p, iph1);
+
+ /* and allow reverse connections to release
+ * pending connections that do not work due
+ * to firewall or nat */
+ if (iph1->side == RESPONDER && p->side == INITIATOR &&
+ p->status < PHASE1ST_MSG3RECEIVED) {
+ /* Do not delete ph1, since if the node is not NATted,
+ * and we delete it we might get phase2's lost */
+ evt_list_move(&p->evt_listeners, &iph1->evt_listeners);
+ }
}
}
-
/*
* dump isakmp-sa
*/
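Review bot: The `/* Same remote? */` comment in `migrate_dying_ph12` understates the test below it, which also compares the local address and requires `iph1->rmconf == p->rmconf` by pointer identity; the removed code compared only the two addresses. If remote configurations are re-allocated on a config reload, a dying ph1 left over from the old configuration is no longer migrated — probably intended, but it is a behaviour change worth stating. I would reword the comment to `/* Same local/remote endpoints and the same remote config? */` and add a sentence about the rmconf check to the function header comment, which this hunk touches only to add a period. The `next` pointer is saved defensively; nothing visible in this hunk removes `p`, though `migrate_ph12` is outside it.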
diff --git a/src/racoon/isakmp.c b/src/racoon/isakmp.c
index 0de16d1..2dfda2f 100644
--- a/src/racoon/isakmp.c
+++ b/src/racoon/isakmp.c
@@ -2138,13 +2138,33 @@ isakmp_ph2delete(iph2)
remph2(iph2);
delph2(iph2);
-
- return;
}
/* %%%
* Interface between PF_KEYv2 and ISAKMP
*/
+
+static void
+isakmp_chkph2there(p)
+ struct sched *p;
+{
+ struct ph2handle *iph2 = container_of(p, struct ph2handle, sce);
+ struct ph2handle *tmp;
+
+ /* Check if a similar phase2 appared meanwhile */
+ remph2(iph2);
+ tmp = getph2byid(iph2->src, iph2->dst, iph2->spid);
+ if (tmp == NULL) {
+ /* Nope, lets start this then */
+ insph2(iph2);
+ isakmp_chkph1there(iph2);
+ } else {
+ /* Yes, delete this initiation attempt as redundant */
+ evt_phase2(iph2, EVT_PHASE2_UP, NULL);
+ delph2(iph2);
+ }
+}
+
/*
* receive ACQUIRE from kernel, and begin either phase1 or phase2.
* if phase1 has been finished, begin phase2.
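Review bot: In `isakmp_chkph2there` the redundant-initiation branch emits `evt_phase2(iph2, EVT_PHASE2_UP, NULL)` for a phase2 that was never negotiated; `getph2byid` returns any handle with matching src/dst/spid, so if `tmp` is itself still in progress, listeners receive an UP event before any SA exists. Presumably the intent is to hand the waiters over to the surviving attempt — if ph2 handles carry an evt_listeners list as ph1 handles do, moving the listeners to `tmp`, or at least checking `tmp->status` before signalling, would be more accurate; confirm against how admin-port waiters consume this event. The comment typo `appared` should read `appeared`.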
@@ -2220,8 +2240,14 @@ isakmp_post_acquire(iph2)
/*NOTREACHED*/
}
- /* found established ISAKMP-SA */
- /* i.e. iph1->status == PHASE1ST_ESTABLISHED */
+ /* found established ISAKMP-SA, if this is a RESPONDER ISAKMP-SA
+ * add a small delay; this will make sure the initiator gets
+ * an first attempt at rekeying, and usually avoids duplicate ph2:s */
+ if (iph1->side == RESPONDER) {
+ iph2->retry_checkph1 = 1;
+ sched_schedule(&iph2->sce, 1, isakmp_chkph2there);
+ return 0;
+ }
/* found ISAKMP-SA. */
plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
@@ -2388,7 +2414,10 @@ isakmp_chkph1there(iph2)
plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(iph2->dst));
/* begin quick mode */
- (void)isakmp_ph2begin_i(iph1, iph2);
+ if (isakmp_ph2begin_i(iph1, iph2)) {
+ remph2(iph2);
+ delph2(iph2);
+ }
return;
}
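Review bot: The new failure branch after `isakmp_ph2begin_i` calls `remph2(iph2)` then `delph2(iph2)`, but the callee's error paths are outside this hunk; if any of them already unlinks the handle, this removes it from the list twice, which the BSD LIST macros do not tolerate (the stale `le_prev` is written through). Verify the callee's contract and either make it leave the handle linked on failure or drop the `remph2` here. The enclosing function starts before the hunk.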
Index: src/racoon/isakmp.c
===================================================================
RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp.c,v
retrieving revision 1.60
diff -u -r1.60 isakmp.c
--- a/src/racoon/isakmp.c 3 Sep 2009 09:29:07 -0000 1.60
+++ b/src/racoon/isakmp.c 20 Aug 2010 11:59:20 -0000
@@ -1579,6 +1579,7 @@
#ifdef ENABLE_NATT
int option = -1;
#endif
+ int rcvSize = 16384;
/* warn if wildcard address - should we forbid this? */
switch (addr->sa_family) {
@@ -1706,6 +1707,17 @@
goto err;
}
+ /* set receive buffer size - shouldn't be too large otherwise
+ * we can acommodate too long backbuffer of packets and not
+ * able to handle any packets in real time */
+ if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF,
+ (void*) &rcvSize, sizeof(rcvSize)) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to set SO_RCVBUF size (%s).\n",
+ strerror(errno));
+ /* soft-error, continue even if this failed */
+ }
+
if (setsockopt_bypass(fd, addr->sa_family) < 0)
goto err;
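Review bot: `int rcvSize = 16384;` in the first hunk introduces camelCase into a snake_case file and a bare magic number; the same name recurs in kmpstat.c in the companion patch. A named constant, e.g. `static const int rcv_bufsize = 16384;` or an `enum`, with the rationale comment from the second hunk moved next to it, would match racoon's style and keep the policy in one place. The `(void*)` cast on `&rcvSize` is unnecessary in C. The enclosing function starts outside both hunks.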
Index: src/racoon/kmpstat.c
===================================================================
RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/kmpstat.c,v
retrieving revision 1.6
diff -u -r1.6 kmpstat.c
--- a/src/racoon/kmpstat.c 2 Oct 2007 09:47:45 -0000 1.6
+++ b/src/racoon/kmpstat.c 14 Oct 2010 12:48:22 -0000
@@ -99,6 +99,7 @@
com_init()
{
struct sockaddr_un name;
+ int rcvSize;
memset(&name, 0, sizeof(name));
name.sun_family = AF_UNIX;
@@ -114,6 +115,17 @@
return -1;
}
+ /* set receive buffer size - should be relative large:
+ * racoon daemon will try to send all info in one go, if
+ * it does not fit we'll miss stuff */
+ rcvSize = 1024 * 1024;
+ if (setsockopt(so, SOL_SOCKET, SO_RCVBUF,
+ (void*) &rcvSize, sizeof(rcvSize)) < 0) {
+ rcvSize = 512 * 1024;
+ (void) setsockopt(so, SOL_SOCKET, SO_RCVBUF,
+ (void*) &rcvSize, sizeof(rcvSize));
+ }
+
return 0;
}
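Review bot: The fallback in `com_init` assumes setsockopt(SO_RCVBUF) fails when the request is too large, but on Linux the kernel silently clamps the value to net.core.rmem_max and returns 0, so the 512 KiB retry rarely runs there and the effective buffer may be far smaller than either request, with nothing logged. Reading the value back with `getsockopt(so, SOL_SOCKET, SO_RCVBUF, ...)` and warning when it is below what the comment says is needed would make the "we'll miss stuff" case diagnosable. Both setsockopt failures are otherwise silent.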
Index: src/racoon/isakmp_inf.c
===================================================================
RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c,v
retrieving revision 1.41
diff -u -r1.41 isakmp_inf.c
--- a/src/racoon/isakmp_inf.c 3 Jul 2009 06:41:46 -0000 1.41
+++ b/src/racoon/isakmp_inf.c 5 May 2010 15:56:38 -0000
@@ -1450,17 +1450,16 @@
struct isakmp_pl_ru *ru;
u_int32_t msgid;
{
+ u_int32_t seq;
plog(LLV_DEBUG, LOCATION, iph1->remote,
"DPD R-U-There-Ack received\n");
- /* XXX Maintain window of acceptable sequence numbers ?
- * => ru->data <= iph2->dpd_seq &&
- * ru->data >= iph2->dpd_seq - iph2->dpd_fails ? */
- if (ntohl(ru->data) != iph1->dpd_seq-1) {
+ seq = ntohl(ru->data);
+ if (seq <= iph1->dpd_last_ack || seq > iph1->dpd_seq) {
plog(LLV_ERROR, LOCATION, iph1->remote,
- "Wrong DPD sequence number (%d, %d expected).\n",
- ntohl(ru->data), iph1->dpd_seq-1);
+ "Wrong DPD sequence number (%d; last_ack=%d, seq=%d).\n",
+ seq, iph1->dpd_last_ack, iph1->dpd_seq);
return 0;
}
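Review bot: The rejection message in this hunk prints `seq`, `iph1->dpd_last_ack` and `iph1->dpd_seq` with `%d`, but all three are `u_int32_t` (handler.h is widened to `u_int32_t` in the same patch); the matching conversion is `%u`. Values stay small in practice because the seed is masked with 0x0fff, so this is a format-correctness point rather than a visible bug today. The new acceptance window is a clear improvement over the exact-match check and deserves a one-line comment above the `if`, e.g. `/* accept any outstanding seq: after the last ack, not beyond the last one sent */`. The enclosing function starts before the hunk.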
@@ -1472,6 +1471,7 @@
}
iph1->dpd_fails = 0;
+ iph1->dpd_last_ack = seq;
sched_cancel(&iph1->dpd_r_u);
isakmp_sched_r_u(iph1, 0);
@@ -1535,12 +1535,13 @@
memcpy(ru->i_ck, iph1->index.i_ck, sizeof(cookie_t));
memcpy(ru->r_ck, iph1->index.r_ck, sizeof(cookie_t));
- if (iph1->dpd_seq == 0){
+ if (iph1->dpd_seq == 0) {
/* generate a random seq which is not too big */
- srand(time(NULL));
- iph1->dpd_seq = rand() & 0x0fff;
+ iph1->dpd_seq = iph1->dpd_last_ack = rand() & 0x0fff;
}
+ iph1->dpd_seq++;
+ iph1->dpd_fails++;
ru->data = htonl(iph1->dpd_seq);
error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, 0);
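Review bot: Dropping `srand(time(NULL))` is right in itself (re-seeding from the clock on every first DPD message makes the start value guessable), but the hunk now relies on `rand()` having been seeded once elsewhere; if it has not, every racoon process starts its DPD sequence from the same value. The sequence is carried in an integrity-protected informational exchange, so this is robustness rather than security, but confirm the one-time seed at startup or use whatever random helper the rest of racoon uses. Note also that `iph1->dpd_seq++` now precedes `isakmp_info_send_common`, so the packet carries the post-increment value, which is consistent with the receive check's `seq > iph1->dpd_seq` bound; a comment saying so would help the next reader.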
@@ -1549,12 +1550,6 @@
plog(LLV_DEBUG, LOCATION, iph1->remote,
"DPD R-U-There sent (%d)\n", error);
- /* will be decreased if ACK received... */
- iph1->dpd_fails++;
-
- /* XXX should be increased only when ACKed ? */
- iph1->dpd_seq++;
-
/* Reschedule the r_u_there with a short delay,
* will be deleted/rescheduled if ACK received before */
isakmp_sched_r_u(iph1, 1);
Index: src/racoon/handler.h
===================================================================
RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/handler.h,v
retrieving revision 1.22
diff -u -r1.22 handler.h
--- a/src/racoon/handler.h 3 Sep 2009 09:29:07 -0000 1.22
+++ b/src/racoon/handler.h 5 May 2010 15:56:39 -0000
@@ -202,7 +202,8 @@
#ifdef ENABLE_DPD
int dpd_support; /* Does remote supports DPD ? */
- u_int16_t dpd_seq; /* DPD seq number to receive */
+ u_int32_t dpd_last_ack;
+ u_int32_t dpd_seq; /* DPD seq number to receive */
u_int8_t dpd_fails; /* number of failures */
struct sched dpd_r_u;
#endif
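Review bot: `dpd_last_ack` is added without the trailing comment its neighbours carry. From isakmp_inf.c in this patch it holds the sequence number of the last R-U-There-Ack accepted and forms the lower bound of the acceptance window, so `u_int32_t dpd_last_ack; /* last DPD seq acknowledged by peer */` documents it in the file's style.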
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=ipsec-tools
pkgver=0.8_alpha20101022
_myver=0.8-alpha20101022
pkgrel=0
pkgdesc="User-space IPsec tools for various IPsec implementations"
url="http://ipsec-tools.sourceforge.net/"
license="BSD"
depends=""
makedepends="openssl-dev bison flex"
subpackages="$pkgname-doc $pkgname-dev"
source="http://downloads.sourceforge.net/$pkgname/$pkgname-$_myver.tar.gz
racoon.initd
racoon.confd
10-revert-utmpx.patch
50-reverse-connect.patch
70-rcvbuf-size.patch
75-racoonctl-rcvbuf.patch
90-dpd-window-fix.patch
"
_builddir="$srcdir"/$pkgname-$_myver
prepare() {
cd "$_builddir"
for i in ../*.patch; do
msg "Applying $i..."
patch -p1 -i $i || return 1
done
sed -i 's:-Werror::g' configure
}
build() {
cd "$_builddir"
./configure --prefix=/usr \
--sysconfdir=/etc \
--mandir=/usr/share/man \
--infodir=/usr/share/info \
--localstatedir=/var/lib \
--with-kernel-headers=/usr/include \
--disable-security-context \
--enable-adminport \
--enable-dpd \
--enable-frag \
--enable-hybrid \
--enable-ipv6 \
--enable-natt
make || return 1
}
package() {
cd "$_builddir"
make DESTDIR="$pkgdir" install
install -D -m755 ../racoon.initd "$pkgdir"/etc/init.d/racoon
install -D -m644 ../racoon.confd "$pkgdir"/etc/conf.d/racoon
}
md5sums="1492b83edc944b5d32d2eff51e33399e ipsec-tools-0.8-alpha20101022.tar.gz
74f12ed04ed273a738229c0bfbf829cc racoon.initd
2d00250cf72da7f2f559c91b65a48747 racoon.confd
90b629020b95bca6824cefde244fa6b2 10-revert-utmpx.patch
13bda94a598aabf593280e04ea16065d 50-reverse-connect.patch
f40c78e4ca4b92d2bf74e4fcf3a8d91f 70-rcvbuf-size.patch
2d5d24c4a3684a38584f88720f71c7d6 75-racoonctl-rcvbuf.patch
0391a6967ad19673588302bc8b17e0e2 90-dpd-window-fix.patch"
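Review bot: The tarball is fetched over plain http and the only integrity check is the `md5sums` list; MD5 is collision-weak, so the checksum should be moved to the strongest form the build tooling supports (current abuild has `sha512sums=`) as soon as it is available. The `sed -i 's:-Werror::g' configure` in `prepare()` silently relaxes the upstream build's warning policy; a one-line comment stating why (the commit message points at the uclibc build) would stop a later maintainer from removing it or wondering what it hides.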
# Copyright 1999-2004 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-firewall/ipsec-tools/files/racoon.conf.d,v 1.3 2004/07/14 23:29:57 agriffis Exp $
# Config file for /etc/init.d/racoon
# See the manual pages for racoon or run `racoon --help`
# for valid command-line options
RACOON_OPTS="-4"
SETKEY_OPTS=""
RACOON_CONF="/etc/racoon/racoon.conf"
RACOON_PSK_FILE="/etc/racoon/psk.txt"
SETKEY_CONF="/etc/ipsec.conf"
# Comment or remove the following if you don't want the policy tables
# to be flushed when racoon is stopped.
RACOON_RESET_TABLES="true"
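Review bot: `RACOON_OPTS="-4"` restricts racoon to IPv4 (racoon's `-4`/`-6` flags select the address family) while the package is configured with `--enable-ipv6`, so IPv6 peers will not work with the shipped defaults. A comment on that line, e.g. `# "-4" listens on IPv4 only; drop it or use "-6" for IPv6 peers`, would save users a surprise.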
#!/sbin/runscript
# Copyright 1999-2004 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
depend() {
before netmount
use net
after firewall ntp-client
provide ipsec
}
checkconfig() {
if [ ! -e ${SETKEY_CONF} ] ; then
eerror "You need to configure setkey before starting racoon."
return 1
fi
if [ ! -e ${RACOON_CONF} ] ; then
eerror "You need a configuration file to start racoon."
return 1
fi
if [ ! -z ${RACOON_PSK_FILE} ] ; then
if [ ! -f ${RACOON_PSK_FILE} ] ; then
eerror "PSK file not found as specified."
eerror "Set RACOON_PSK_FILE in /etc/conf.d/racoon."
return 1
fi
case "`ls -Lldn ${RACOON_PSK_FILE}`" in
-r--------*)
;;
*)
eerror "Your defined PSK file should be mode 400 for security!"
return 1
;;
esac
fi
}
start() {
checkconfig || return 1
einfo "Loading ipsec policies from ${SETKEY_CONF}."
/usr/sbin/setkey ${SETKEY_OPTS} -f ${SETKEY_CONF}
if [ $? -eq 1 ] ; then
eerror "Error while loading ipsec policies"
fi
ebegin "Starting racoon"
start-stop-daemon -S -x /usr/sbin/racoon -- -f ${RACOON_CONF} ${RACOON_OPTS}
eend $?
}
stop() {
ebegin "Stopping racoon"
start-stop-daemon -K -p /var/run/racoon.pid
eend $?
if [ -n "${RACOON_RESET_TABLES}" ]; then
ebegin "Flushing policy entries"
/usr/sbin/setkey -F
/usr/sbin/setkey -FP
eend $?
fi
}
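Review bot: In `start()` the result of `setkey -f` is tested with `[ $? -eq 1 ]`, which misses every other non-zero exit status, and racoon is started regardless of the outcome; unless starting without loaded policies is intended, `if [ $? -ne 0 ]; then eerror "Error while loading ipsec policies"; return 1; fi` is the safer check. In `stop()` the `eend $?` after the two `setkey` calls reports only the status of `setkey -FP`. Expansions such as `${SETKEY_CONF}` and `${RACOON_PSK_FILE}` are unquoted throughout, which also makes the `[ ! -z ${RACOON_PSK_FILE} ]` test behave oddly on an empty value; quoting them is the safer habit.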