1 |
--- ipsec-tools-0.7/src/racoon/handler.h.acquires 2007-08-28 22:18:35.000000000 -0500 |
2 |
+++ ipsec-tools-0.7/src/racoon/handler.h 2007-08-28 22:19:57.000000000 -0500 |
3 |
@@ -284,6 +284,8 @@ |
4 |
|
5 |
u_int8_t flags; /* Flags for phase 2 */ |
6 |
u_int32_t msgid; /* msgid for phase 2 */ |
7 |
+ |
8 |
+ u_int32_t sa_count; /* num of SAs sent in SADB_ADD */ |
9 |
|
10 |
struct sainfo *sainfo; /* place holder of sainfo */ |
11 |
struct saprop *proposal; /* SA(s) proposal. */ |
12 |
--- ipsec-tools-0.7/src/racoon/pfkey.c.acquires 2007-08-01 06:52:21.000000000 -0500 |
13 |
+++ ipsec-tools-0.7/src/racoon/pfkey.c 2007-08-28 22:08:22.000000000 -0500 |
14 |
@@ -1265,7 +1265,9 @@ |
15 |
SCHED_KILL(iph2->sce); |
16 |
|
17 |
/* update status */ |
18 |
- iph2->status = PHASE2ST_ESTABLISHED; |
19 |
+ /* Do this in pk_recvadd |
20 |
+ * iph2->status = PHASE2ST_ESTABLISHED; |
21 |
+ */ |
22 |
|
23 |
#ifdef ENABLE_STATS |
24 |
gettimeofday(&iph2->end, NULL); |
25 |
@@ -1311,6 +1313,7 @@ |
26 |
struct saproto *pr; |
27 |
int proxy = 0; |
28 |
struct pfkey_send_sa_args sa_args; |
29 |
+ u_int32_t sa_sent = 0; |
30 |
|
31 |
/* sanity check */ |
32 |
if (iph2->approval == NULL) { |
33 |
@@ -1427,6 +1430,9 @@ |
34 |
return -1; |
35 |
} |
36 |
|
37 |
+ /* keep count of SAs added */ |
38 |
+ sa_sent++; |
39 |
+ |
40 |
if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]) |
41 |
continue; |
42 |
|
43 |
@@ -1447,6 +1453,7 @@ |
44 |
sadbsecas2str(sa_args.src, sa_args.dst, |
45 |
sa_args.satype, sa_args.spi, sa_args.mode)); |
46 |
} |
47 |
+ iph2->sa_count = sa_sent; |
48 |
return 0; |
49 |
} |
50 |
|
51 |
@@ -1502,10 +1509,20 @@ |
52 |
} |
53 |
|
54 |
/* |
55 |
- * NOTE don't update any status of phase2 handle |
56 |
- * because they must be updated by SADB_UPDATE message |
57 |
+ * Thus, update the status of phase 2 handle after all SADB_ADD |
58 |
+ * msgs have been received for the handle, rather than |
59 |
+ * after SADB_UPDATE. |
60 |
+ * |
61 |
+ * This also removes the possibilty of processing an ACQUIRE |
62 |
+ * received by kernel for SAs we are still adding. |
63 |
*/ |
64 |
|
65 |
+ if (iph2->sa_count) { |
66 |
+ iph2->sa_count = iph2->sa_count - 1; |
67 |
+ if (iph2->sa_count == 0) |
68 |
+ iph2->status = PHASE2ST_ESTABLISHED; |
69 |
+ } |
70 |
+ |
71 |
plog(LLV_INFO, LOCATION, NULL, |
72 |
"IPsec-SA established: %s\n", |
73 |
sadbsecas2str(iph2->src, iph2->dst, |
74 |
@@ -1589,8 +1606,6 @@ |
75 |
/* turn off the timer for calling isakmp_ph2expire() */ |
76 |
SCHED_KILL(iph2->sce); |
77 |
|
78 |
- iph2->status = PHASE2ST_EXPIRED; |
79 |
- |
80 |
/* INITIATOR, begin phase 2 exchange. */ |
81 |
/* allocate buffer for status management of pfkey message */ |
82 |
if (iph2->side == INITIATOR) { |
83 |
@@ -1618,6 +1633,7 @@ |
84 |
/* If not received SADB_EXPIRE, INITIATOR delete ph2handle. */ |
85 |
/* RESPONDER always delete ph2handle, keep silent. RESPONDER doesn't |
86 |
* manage IPsec SA, so delete the list */ |
87 |
+ iph2->status = PHASE2ST_EXPIRED; |
88 |
unbindph12(iph2); |
89 |
remph2(iph2); |
90 |
delph2(iph2); |
91 |
@@ -1739,8 +1755,17 @@ |
92 |
* 2. its state is equal to PHASE2ST_ESTABLISHED, then racoon |
93 |
* has to prcesss such a acquire message because racoon may |
94 |
* lost the expire message. |
95 |
+ * |
96 |
+ * When in responder role, an spid doesn't get added to |
97 |
+ * the handler since responder didn't receive acquire. |
98 |
+ * Thus there is the case that a negotiation can be occurring |
99 |
+ * and responder receives acquire for same policy. So to prevent |
100 |
+ * another identical negotiation, also check by address. |
101 |
*/ |
102 |
iph2[0] = getph2byid(src, dst, xpl->sadb_x_policy_id); |
103 |
+ if (iph2[0] == NULL) |
104 |
+ iph2[0] = getph2bysaddr(src, dst); |
105 |
+ |
106 |
if (iph2[0] != NULL) { |
107 |
if (iph2[0]->status < PHASE2ST_ESTABLISHED) { |
108 |
plog(LLV_DEBUG, LOCATION, NULL, |