1 |
--- ipsec-tools-0.7/src/racoon/handler.h.acquires 2007-08-28 22:18:35.000000000 -0500 |
diff -Nurp ipsec-tools-0.8.0-p3/src/racoon/handler.h ipsec-tools-0.8.0-p103/src/racoon/handler.h |
2 |
+++ ipsec-tools-0.7/src/racoon/handler.h 2007-08-28 22:19:57.000000000 -0500 |
--- ipsec-tools-0.8.0-p3/src/racoon/handler.h 2010-11-17 12:40:41.000000000 +0200 |
3 |
@@ -284,6 +284,8 @@ |
+++ ipsec-tools-0.8.0-p103/src/racoon/handler.h 2012-03-06 12:09:55.085380720 +0200 |
4 |
|
@@ -316,6 +316,8 @@ struct ph2handle { |
5 |
|
|
6 |
u_int8_t flags; /* Flags for phase 2 */ |
u_int8_t flags; /* Flags for phase 2 */ |
7 |
u_int32_t msgid; /* msgid for phase 2 */ |
u_int32_t msgid; /* msgid for phase 2 */ |
10 |
|
|
11 |
struct sainfo *sainfo; /* place holder of sainfo */ |
struct sainfo *sainfo; /* place holder of sainfo */ |
12 |
struct saprop *proposal; /* SA(s) proposal. */ |
struct saprop *proposal; /* SA(s) proposal. */ |
13 |
--- ipsec-tools-0.7/src/racoon/pfkey.c.acquires 2007-08-01 06:52:21.000000000 -0500 |
diff -Nurp ipsec-tools-0.8.0-p3/src/racoon/pfkey.c ipsec-tools-0.8.0-p103/src/racoon/pfkey.c |
14 |
+++ ipsec-tools-0.7/src/racoon/pfkey.c 2007-08-28 22:08:22.000000000 -0500 |
--- ipsec-tools-0.8.0-p3/src/racoon/pfkey.c 2011-03-15 15:20:14.000000000 +0200 |
15 |
@@ -1265,7 +1265,9 @@ |
+++ ipsec-tools-0.8.0-p103/src/racoon/pfkey.c 2012-03-06 12:09:55.086380830 +0200 |
16 |
SCHED_KILL(iph2->sce); |
@@ -1347,7 +1347,9 @@ pk_recvupdate(mhp) |
17 |
|
sched_cancel(&iph2->sce); |
18 |
|
|
19 |
/* update status */ |
/* update status */ |
20 |
- iph2->status = PHASE2ST_ESTABLISHED; |
- iph2->status = PHASE2ST_ESTABLISHED; |
21 |
+ /* Do this in pk_recvadd |
+ /* Do this in pk_recvadd |
22 |
+ * iph2->status = PHASE2ST_ESTABLISHED; |
+ * iph2->status = PHASE2ST_ESTABLISHED; |
23 |
+ */ |
+ */ |
24 |
|
evt_phase2(iph2, EVT_PHASE2_UP, NULL); |
25 |
|
|
26 |
#ifdef ENABLE_STATS |
#ifdef ENABLE_STATS |
27 |
gettimeofday(&iph2->end, NULL); |
@@ -1379,6 +1381,7 @@ pk_sendadd(iph2) |
28 |
@@ -1311,6 +1313,7 @@ |
{ |
29 |
struct saproto *pr; |
struct saproto *pr; |
|
int proxy = 0; |
|
30 |
struct pfkey_send_sa_args sa_args; |
struct pfkey_send_sa_args sa_args; |
31 |
+ u_int32_t sa_sent = 0; |
+ u_int32_t sa_sent = 0; |
32 |
|
|
33 |
/* sanity check */ |
/* sanity check */ |
34 |
if (iph2->approval == NULL) { |
if (iph2->approval == NULL) { |
35 |
@@ -1427,6 +1430,9 @@ |
@@ -1498,6 +1501,9 @@ pk_sendadd(iph2) |
36 |
return -1; |
return -1; |
37 |
} |
} |
38 |
|
|
42 |
if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]) |
if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]) |
43 |
continue; |
continue; |
44 |
|
|
45 |
@@ -1447,6 +1453,7 @@ |
@@ -1518,6 +1524,7 @@ pk_sendadd(iph2) |
46 |
sadbsecas2str(sa_args.src, sa_args.dst, |
sadbsecas2str(sa_args.src, sa_args.dst, |
47 |
sa_args.satype, sa_args.spi, sa_args.mode)); |
sa_args.satype, sa_args.spi, sa_args.mode)); |
48 |
} |
} |
49 |
+ iph2->sa_count = sa_sent; |
+ iph2->sa_count = sa_sent; |
50 |
|
racoon_free(sa_args.src); |
51 |
|
racoon_free(sa_args.dst); |
52 |
return 0; |
return 0; |
53 |
} |
@@ -1576,10 +1583,20 @@ pk_recvadd(mhp) |
|
|
|
|
@@ -1502,10 +1509,20 @@ |
|
54 |
} |
} |
55 |
|
|
56 |
/* |
/* |
72 |
+ |
+ |
73 |
plog(LLV_INFO, LOCATION, NULL, |
plog(LLV_INFO, LOCATION, NULL, |
74 |
"IPsec-SA established: %s\n", |
"IPsec-SA established: %s\n", |
75 |
sadbsecas2str(iph2->src, iph2->dst, |
sadbsecas2str(src, dst, |
76 |
@@ -1589,8 +1606,6 @@ |
@@ -1690,6 +1707,7 @@ pk_recvexpire(mhp) |
77 |
/* turn off the timer for calling isakmp_ph2expire() */ |
plog(LLV_ERROR, LOCATION, iph2->dst, |
78 |
SCHED_KILL(iph2->sce); |
"failed to begin ipsec sa " |
79 |
|
"re-negotication.\n"); |
80 |
- iph2->status = PHASE2ST_EXPIRED; |
+ iph2->status = PHASE2ST_EXPIRED; |
81 |
- |
remph2(iph2); |
82 |
/* INITIATOR, begin phase 2 exchange. */ |
delph2(iph2); |
83 |
/* allocate buffer for status management of pfkey message */ |
return -1; |
84 |
if (iph2->side == INITIATOR) { |
@@ -1855,8 +1873,17 @@ pk_recvacquire(mhp) |
|
@@ -1618,6 +1633,7 @@ |
|
|
/* If not received SADB_EXPIRE, INITIATOR delete ph2handle. */ |
|
|
/* RESPONDER always delete ph2handle, keep silent. RESPONDER doesn't |
|
|
* manage IPsec SA, so delete the list */ |
|
|
+ iph2->status = PHASE2ST_EXPIRED; |
|
|
unbindph12(iph2); |
|
|
remph2(iph2); |
|
|
delph2(iph2); |
|
|
@@ -1739,8 +1755,17 @@ |
|
85 |
* 2. its state is equal to PHASE2ST_ESTABLISHED, then racoon |
* 2. its state is equal to PHASE2ST_ESTABLISHED, then racoon |
86 |
* has to prcesss such a acquire message because racoon may |
* has to prcesss such a acquire message because racoon may |
87 |
* lost the expire message. |
* lost the expire message. |
92 |
+ * and responder receives acquire for same policy. So to prevent |
+ * and responder receives acquire for same policy. So to prevent |
93 |
+ * another identical negotiation, also check by address. |
+ * another identical negotiation, also check by address. |
94 |
*/ |
*/ |
95 |
iph2[0] = getph2byid(src, dst, xpl->sadb_x_policy_id); |
iph2 = getph2byid(src, dst, xpl->sadb_x_policy_id); |
96 |
+ if (iph2[0] == NULL) |
+ if (iph2 == NULL) |
97 |
+ iph2[0] = getph2bysaddr(src, dst); |
+ iph2 = getph2bysaddr(src, dst); |
98 |
+ |
+ |
99 |
if (iph2[0] != NULL) { |
if (iph2 != NULL) { |
100 |
if (iph2[0]->status < PHASE2ST_ESTABLISHED) { |
if (iph2->status < PHASE2ST_ESTABLISHED) { |
101 |
plog(LLV_DEBUG, LOCATION, NULL, |
plog(LLV_DEBUG, LOCATION, NULL, |