
Contents of /cauldron/ipsec-tools/current/SOURCES/ipsec-tools-0.7-acquires.patch



Revision 3447 - (show annotations) (download)
Sun Jan 9 17:09:23 2011 UTC (13 years, 3 months ago) by kharec
File size: 3334 byte(s)
imported package ipsec-tools
1 --- ipsec-tools-0.7/src/racoon/handler.h.acquires 2007-08-28 22:18:35.000000000 -0500
2 +++ ipsec-tools-0.7/src/racoon/handler.h 2007-08-28 22:19:57.000000000 -0500
3 @@ -284,6 +284,8 @@
4
5 u_int8_t flags; /* Flags for phase 2 */
6 u_int32_t msgid; /* msgid for phase 2 */
7 +
8 + u_int32_t sa_count; /* num of SAs sent in SADB_ADD */
9
10 struct sainfo *sainfo; /* place holder of sainfo */
11 struct saprop *proposal; /* SA(s) proposal. */
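Review bot: The comment on the new `sa_count` field describes only its initial value. The pfkey.c hunks in this patch set it to the number of SADB_ADD messages sent and then decrement it once per reply, so it really holds the replies still outstanding. A comment such as `/* SADB_ADD replies still pending; status becomes ESTABLISHED at 0 */` would say that. The patch does not show where the handle is allocated, so it is worth confirming the field starts at zero there.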
12 --- ipsec-tools-0.7/src/racoon/pfkey.c.acquires 2007-08-01 06:52:21.000000000 -0500
13 +++ ipsec-tools-0.7/src/racoon/pfkey.c 2007-08-28 22:08:22.000000000 -0500
14 @@ -1265,7 +1265,9 @@
15 SCHED_KILL(iph2->sce);
16
17 /* update status */
18 - iph2->status = PHASE2ST_ESTABLISHED;
19 + /* Do this in pk_recvadd
20 + * iph2->status = PHASE2ST_ESTABLISHED;
21 + */
22
23 #ifdef ENABLE_STATS
24 gettimeofday(&iph2->end, NULL);
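Review bot: The replaced assignment survives as commented-out code (`/* Do this in pk_recvadd ... */`), which records where the transition went but not the condition it now waits for. I would drop the dead statement and write `/* status is set to PHASE2ST_ESTABLISHED in pk_recvadd once every SADB_ADD reply has arrived */`. The enclosing function starts and ends outside the hunk, so anything later in it that reads `iph2->status` now sees a pre-established value and should be checked.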
25 @@ -1311,6 +1313,7 @@
26 struct saproto *pr;
27 int proxy = 0;
28 struct pfkey_send_sa_args sa_args;
29 + u_int32_t sa_sent = 0;
30
31 /* sanity check */
32 if (iph2->approval == NULL) {
33 @@ -1427,6 +1430,9 @@
34 return -1;
35 }
36
37 + /* keep count of SAs added */
38 + sa_sent++;
39 +
40 if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA])
41 continue;
42
43 @@ -1447,6 +1453,7 @@
44 sadbsecas2str(sa_args.src, sa_args.dst,
45 sa_args.satype, sa_args.spi, sa_args.mode));
46 }
47 + iph2->sa_count = sa_sent;
48 return 0;
49 }
50
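Review bot: `iph2->sa_count` is assigned only on the success path just before `return 0`, while the loop can leave early through the `return -1` visible in the -1427 hunk, possibly after some SADB_ADD messages have already gone out. In that case the counter keeps whatever value it had before, so replies to the messages that were sent are counted against a stale or zero value in the receive path. Counting directly in the handle closes the gap: `iph2->sa_count = 0;` before the loop and `iph2->sa_count++;` in place of `sa_sent++`. Whether the caller discards the handle on -1 is not visible here; if it does, a one-line comment saying so would be enough.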
51 @@ -1502,10 +1509,20 @@
52 }
53
54 /*
55 - * NOTE don't update any status of phase2 handle
56 - * because they must be updated by SADB_UPDATE message
57 + * Thus, update the status of phase 2 handle after all SADB_ADD
58 + * msgs have been received for the handle, rather than
59 + * after SADB_UPDATE.
60 + *
61 + * This also removes the possibilty of processing an ACQUIRE
62 + * received by kernel for SAs we are still adding.
63 */
64
65 + if (iph2->sa_count) {
66 + iph2->sa_count = iph2->sa_count - 1;
67 + if (iph2->sa_count == 0)
68 + iph2->status = PHASE2ST_ESTABLISHED;
69 + }
70 +
71 plog(LLV_INFO, LOCATION, NULL,
72 "IPsec-SA established: %s\n",
73 sadbsecas2str(iph2->src, iph2->dst,
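Review bot: The transition at `if (iph2->sa_count == 0)` now depends on every SADB_ADD reply arriving, and nothing in the hunk handles a reply that never comes or a `sa_count` that is already zero on entry. The handle then stays below PHASE2ST_ESTABLISHED, and the acquire path in the last hunk of this patch matches on exactly that condition, so acquires for that peer look likely to be dropped for as long as the handle exists, presumably until a timer outside this patch removes it. An `else` branch that logs the unexpected reply, e.g. `plog(LLV_WARNING, LOCATION, NULL, "SADB_ADD reply with no SA pending\n");`, would make the state visible. Note also that "IPsec-SA established" is still logged for every reply, including those that leave the status unchanged. The enclosing function starts and ends outside the hunk.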
74 @@ -1589,8 +1606,6 @@
75 /* turn off the timer for calling isakmp_ph2expire() */
76 SCHED_KILL(iph2->sce);
77
78 - iph2->status = PHASE2ST_EXPIRED;
79 -
80 /* INITIATOR, begin phase 2 exchange. */
81 /* allocate buffer for status management of pfkey message */
82 if (iph2->side == INITIATOR) {
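Review bot: With `iph2->status = PHASE2ST_EXPIRED` removed here and re-added in the -1618 hunk, the INITIATOR branch that begins at the end of this hunk no longer marks the handle expired anywhere in the visible lines. At its new location the assignment sits immediately before `unbindph12`, `remph2` and `delph2`, so it only matters if one of those reads the status; otherwise it is a dead store. If the intent is that the initiator reuses the handle for the new exchange, say so where the assignment used to be, e.g. `/* INITIATOR keeps its status: the handle is reused for the new phase 2 exchange */`. The initiator's error paths lie outside both hunks and should be checked for a handle left ESTABLISHED after its SA has expired.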
83 @@ -1618,6 +1633,7 @@
84 /* If not received SADB_EXPIRE, INITIATOR delete ph2handle. */
85 /* RESPONDER always delete ph2handle, keep silent. RESPONDER doesn't
86 * manage IPsec SA, so delete the list */
87 + iph2->status = PHASE2ST_EXPIRED;
88 unbindph12(iph2);
89 remph2(iph2);
90 delph2(iph2);
91 @@ -1739,8 +1755,17 @@
92 * 2. its state is equal to PHASE2ST_ESTABLISHED, then racoon
93 * has to prcesss such a acquire message because racoon may
94 * lost the expire message.
95 + *
96 + * When in responder role, an spid doesn't get added to
97 + * the handler since responder didn't receive acquire.
98 + * Thus there is the case that a negotiation can be occurring
99 + * and responder receives acquire for same policy. So to prevent
100 + * another identical negotiation, also check by address.
101 */
102 iph2[0] = getph2byid(src, dst, xpl->sadb_x_policy_id);
103 + if (iph2[0] == NULL)
104 + iph2[0] = getph2bysaddr(src, dst);
105 +
106 if (iph2[0] != NULL) {
107 if (iph2[0]->status < PHASE2ST_ESTABLISHED) {
108 plog(LLV_DEBUG, LOCATION, NULL,
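Review bot: The fallback `getph2bysaddr(src, dst)` matches on the address pair alone, which is a wider key than the `(src, dst, policy id)` lookup it backs up. Any phase 2 handle between the same two addresses is now found, so under `status < PHASE2ST_ESTABLISHED` an acquire for a different policy between those hosts appears to be treated as a duplicate. A negotiation the peer leaves unfinished would also hold off locally triggered ones until it is cleaned up. Since the added comment justifies the fallback only for the responder role, it could be limited to that case by adding `if (iph2[0] != NULL && iph2[0]->side != RESPONDER) iph2[0] = NULL;` directly after the `getph2bysaddr` call. The body of the `if` that follows continues outside the hunk.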
