diff options
| author | Markus Friedl <markus@cvs.openbsd.org> | 2014-07-09 12:05:02 +0000 |
|---|---|---|
| committer | Markus Friedl <markus@cvs.openbsd.org> | 2014-07-09 12:05:02 +0000 |
| commit | 043fc181319ee73fe6e7a764eb487a9c73af0790 (patch) | |
| tree | b71cd9b1d7c0542cbbc7e4b8837f9377acffdc7a /sbin/iked | |
| parent | f55469fb2e9fe90aa6b9ce2baedb82bad9b6745d (diff) | |
expire IPcomp SAs too; ok mikeb (some time ago)
Diffstat (limited to 'sbin/iked')
| -rw-r--r-- | sbin/iked/ikev2.c | 11 | ||||
| -rw-r--r-- | sbin/iked/pfkey.c | 14 |
2 files changed, 20 insertions, 5 deletions
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c index ed958c7e70a..c2bf3573a90 100644 --- a/sbin/iked/ikev2.c +++ b/sbin/iked/ikev2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ikev2.c,v 1.113 2014/05/13 14:24:35 markus Exp $ */ +/* $OpenBSD: ikev2.c,v 1.114 2014/07/09 12:05:01 markus Exp $ */ /* * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> @@ -4480,7 +4480,6 @@ ikev2_ipcomp_enable(struct iked *env, struct iked_sa *sa) csa->csa_dir = IPSP_DIRECTION_OUT; csa->csa_local = &sa->sa_local; csa->csa_peer = &sa->sa_peer; - csa->csa_persistent = 1; memcpy(csb, csa, sizeof(*csb)); csb->csa_spi.spi = csa->csa_peerspi; @@ -4804,6 +4803,8 @@ ikev2_rekey_sa(struct iked *env, struct iked_spi *rekey) if (csa->csa_rekey) /* See if it's already taken care of */ return (0); + if (csa->csa_saproto == IKEV2_SAPROTO_IPCOMP) /* no rekey */ + return (0); if ((sa = csa->csa_ikesa) == NULL) { log_warnx("%s: SA %s doesn't have a parent SA", __func__, print_spi(rekey->spi, rekey->spi_size)); @@ -4850,6 +4851,12 @@ ikev2_drop_sa(struct iked *env, struct iked_spi *drop) log_debug("%s: failed to find a parent SA", __func__); return (0); } + if (csa->csa_saproto == IKEV2_SAPROTO_IPCOMP) { + /* matching Child SAs (e.g. ESP) should have expired by now */ + if (csa->csa_children == 0) + ikev2_ipcomp_csa_free(env, csa); + return (0); + } if (csa->csa_allocated) spi32 = htobe32(csa->csa_spi.spi); diff --git a/sbin/iked/pfkey.c b/sbin/iked/pfkey.c index b92138cb7f6..97cf5658667 100644 --- a/sbin/iked/pfkey.c +++ b/sbin/iked/pfkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkey.c,v 1.37 2014/05/09 06:37:24 markus Exp $ */ +/* $OpenBSD: pfkey.c,v 1.38 2014/07/09 12:05:01 markus Exp $ */ /* * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> @@ -510,14 +510,18 @@ pfkey_sa(int sd, u_int8_t satype, u_int8_t action, struct iked_childsa *sa) sa_ltime_hard.sadb_lifetime_bytes = lt->lt_bytes; sa_ltime_hard.sadb_lifetime_addtime = lt->lt_seconds; + /* double the lifetime for IP compression */ + if (satype == SADB_X_SATYPE_IPCOMP) + sa_ltime_hard.sadb_lifetime_addtime *= 2; + sa_ltime_soft.sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; sa_ltime_soft.sadb_lifetime_len = sizeof(sa_ltime_soft) / 8; /* set randomly to 85-95% */ jitter = 850 + arc4random_uniform(100); sa_ltime_soft.sadb_lifetime_bytes = - (lt->lt_bytes * jitter) / 1000; + (sa_ltime_hard.sadb_lifetime_bytes * jitter) / 1000; sa_ltime_soft.sadb_lifetime_addtime = - (lt->lt_seconds * jitter) / 1000; + (sa_ltime_hard.sadb_lifetime_addtime * jitter) / 1000; } /* XXX handle NULL encryption or NULL auth or combined encr/auth */ @@ -1794,6 +1798,10 @@ out: case SADB_SATYPE_ESP: spi.spi_protoid = IKEV2_SAPROTO_ESP; break; + case SADB_X_SATYPE_IPCOMP: + spi.spi_size = 2; + spi.spi_protoid = IKEV2_SAPROTO_IPCOMP; + break; default: log_warnx("%s: unsupported SA type %d spi %s", __func__, hdr->sadb_msg_satype, |