author | Mike Belopuhov <mikeb@cvs.openbsd.org> | 2011-01-12 14:26:27 +0000 |
---|---|---|
committer | Mike Belopuhov <mikeb@cvs.openbsd.org> | 2011-01-12 14:26:27 +0000 |
commit | ed3a232f58d6d8beab4d4ae03f4f78482025d9ed (patch) | |
tree | 59c069e55fe13dc342d305286036816fa3a59d89 /sbin/iked | |
parent | 081eb8f82ae056045ff306c1e4b9965f1fa9c2cd (diff) |
decouple flow deletion from the ikev2_childsa_delete; ok reyk
Diffstat (limited to 'sbin/iked')
-rw-r--r-- | sbin/iked/iked.h | 8 | ||||
-rw-r--r-- | sbin/iked/ikev2.c | 36 | ||||
-rw-r--r-- | sbin/iked/ikev2_pld.c | 8 |
3 files changed, 29 insertions, 23 deletions
diff --git a/sbin/iked/iked.h b/sbin/iked/iked.h index b0fd72052c2..e3d8dfdc51c 100644 --- a/sbin/iked/iked.h +++ b/sbin/iked/iked.h @@ -1,4 +1,4 @@ -/* $OpenBSD: iked.h,v 1.25 2010/12/22 17:53:54 reyk Exp $ */ +/* $OpenBSD: iked.h,v 1.26 2011/01/12 14:26:26 mikeb Exp $ */ /* $vantronix: iked.h,v 1.61 2010/06/03 07:57:33 reyk Exp $ */ /* @@ -481,10 +481,6 @@ struct iked_socket { struct sockaddr_storage sock_addr; }; -/* flags for ikev2_childsa_delete */ -#define IKED_DEL_FLOWS 0x01 -#define IKED_DEL_NOTLOADED 0x02 - /* iked.c */ void parent_reload(struct iked *, int, const char *); @@ -621,6 +617,8 @@ int ikev2_policy2id(struct iked_static_id *, struct iked_id *, int); int ikev2_childsa_enable(struct iked *, struct iked_sa *); int ikev2_childsa_delete(struct iked *, struct iked_sa *, u_int8_t, u_int64_t, u_int64_t *, int); +int ikev2_flows_delete(struct iked *, struct iked_sa *, u_int8_t); + struct ibuf * ikev2_prfplus(struct iked_hash *, struct ibuf *, struct ibuf *, size_t); diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c index bbcc6c13d0a..7c81be911d5 100644 --- a/sbin/iked/ikev2.c +++ b/sbin/iked/ikev2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ikev2.c,v 1.31 2011/01/12 14:23:53 mikeb Exp $ */ +/* $OpenBSD: ikev2.c,v 1.32 2011/01/12 14:26:26 mikeb Exp $ */ /* $vantronix: ikev2.c,v 1.101 2010/06/03 07:57:33 reyk Exp $ */ /* @@ -938,7 +938,7 @@ ikev2_init_done(struct iked *env, struct iked_sa *sa) sa_state(env, sa, IKEV2_STATE_ESTABLISHED); if (ret) - ikev2_childsa_delete(env, sa, 0, 0, NULL, IKED_DEL_NOTLOADED); + ikev2_childsa_delete(env, sa, 0, 0, NULL, 1); return (ret); } @@ -1896,7 +1896,7 @@ ikev2_resp_ike_auth(struct iked *env, struct iked_sa *sa) done: if (ret) - ikev2_childsa_delete(env, sa, 0, 0, NULL, IKED_DEL_NOTLOADED); + ikev2_childsa_delete(env, sa, 0, 0, NULL, 1); ibuf_release(e); return (ret); } 
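Review bot: The bare `1` in `ikev2_childsa_delete(env, sa, 0, 0, NULL, 1)` says less at the call site than the IKED_DEL_NOTLOADED it replaces, and the same literal is repeated in the hunks at -1896, -2202, -2446, -3735 and -3825. Since the parameter is now named `cleanup`, a short hint at the argument such as `ikev2_childsa_delete(env, sa, 0, 0, NULL, 1 /* cleanup */);`, or a named constant kept in iked.h, would preserve the readability the removed flag gave. The enclosing function, ikev2_init_done, begins outside the hunk.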
@@ -2202,7 +2202,7 @@ done: sa->sa_stateflags &= ~IKED_REQ_CHILDSA; if (ret) - ikev2_childsa_delete(env, sa, 0, 0, NULL, IKED_DEL_NOTLOADED); + ikev2_childsa_delete(env, sa, 0, 0, NULL, 1); ibuf_release(buf); return (ret); } @@ -2446,8 +2446,7 @@ ikev2_resp_create_child_sa(struct iked *env, struct iked_message *msg) if (protoid == IKEV2_SAPROTO_IKE) sa_free(env, nsa); else - ikev2_childsa_delete(env, sa, 0, 0, NULL, - IKED_DEL_NOTLOADED); + ikev2_childsa_delete(env, sa, 0, 0, NULL, 1); } ibuf_release(e); return (ret); @@ -3618,10 +3617,9 @@ ikev2_childsa_enable(struct iked *env, struct iked_sa *sa) int ikev2_childsa_delete(struct iked *env, struct iked_sa *sa, u_int8_t saproto, - u_int64_t spi, u_int64_t *spiptr, int flags) + u_int64_t spi, u_int64_t *spiptr, int cleanup) { struct iked_childsa *csa, key, *nextcsa = NULL; - struct iked_flow *flow, *nextflow; u_int64_t peerspi = 0; int found = 0; @@ -3631,7 +3629,7 @@ ikev2_childsa_delete(struct iked *env, struct iked_sa *sa, u_int8_t saproto, if ((saproto && csa->csa_saproto != saproto) || (spi && (csa->csa_spi.spi != spi && csa->csa_peerspi != spi)) || - ((flags & IKED_DEL_NOTLOADED) && !csa->csa_loaded)) + (cleanup && csa->csa_loaded)) continue; if (pfkey_sa_delete(env->sc_pfkey, csa) != 0) @@ -3657,8 +3655,14 @@ ikev2_childsa_delete(struct iked *env, struct iked_sa *sa, u_int8_t saproto, if (spiptr) *spiptr = peerspi; - if ((flags & IKED_DEL_FLOWS) == 0) - return (found ? 0 : -1); + return (found ? 0 : -1); +} + +int +ikev2_flows_delete(struct iked *env, struct iked_sa *sa, u_int8_t saproto) +{ + struct iked_flow *flow, *nextflow; + int found = 0; for (flow = TAILQ_FIRST(&sa->sa_flows); flow != NULL; flow = nextflow) { nextflow = TAILQ_NEXT(flow, flow_entry); @@ -3735,7 +3739,7 @@ ikev2_disable_rekeying(struct iked *env, struct iked_sa *sa) csa->csa_rekey = 0; } - (void)ikev2_childsa_delete(env, sa, 0, 0, NULL, IKED_DEL_NOTLOADED); + (void)ikev2_childsa_delete(env, sa, 0, 0, NULL, 1); } void 
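Review bot: The new `cleanup` parameter of ikev2_childsa_delete is undocumented, and the guard that consumes it in the next hunk (-3629), `(cleanup && csa->csa_loaded)`, skips the loaded CHILD SAs, whereas the removed `((flags & IKED_DEL_NOTLOADED) && !csa->csa_loaded)` skipped the unloaded ones; with every caller now passing 1, the set of entries deleted is the complement of what the flag selected before, and the commit message only mentions the flow decoupling. If the inversion is intended (the name suggests removing entries that never reached the kernel), a line above the function such as `/* cleanup: only remove CHILD SAs that are not loaded in the kernel */` would record it; if not, the guard should read `(cleanup && !csa->csa_loaded)`. Either way the entries that pass the guard with cleanup set go on to `pfkey_sa_delete()`, and whether that is harmless for an SA that was never loaded is not visible in the hunk. The body of ikev2_childsa_delete continues outside the hunk.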
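Review bot: ikev2_flows_delete is introduced without a comment stating its contract: it selects by `saproto` alone, so, assuming the loop that runs past the hunk keeps the old per-protocol filter, it removes every flow of that protocol on the SA, including flows that belong to a sibling CHILD SA of the same protocol, which is presumably why ikev2_pld_delete guards the call with `csa_rekey`. A header along the lines of `/* Remove all flows of the given protocol from sa; 0 if any were removed, -1 otherwise */` would make that explicit, with the return value hedged until confirmed, since the hunk declares `found` but does not show it returned. The function's body ends outside the hunk.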
@@ -3825,11 +3829,14 @@ ikev2_drop_sa(struct iked *env, struct iked_spi *drop) /* delete peer's SPI */ if (ikev2_childsa_delete(env, sa, csa->csa_saproto, - csa->csa_peerspi, NULL, IKED_DEL_FLOWS | - IKED_DEL_NOTLOADED)) + csa->csa_peerspi, NULL, 1)) log_debug("%s: failed to delete CHILD SA %s", __func__, print_spi(csa->csa_peerspi, drop->spi_size)); + /* delete flows for the specified protocol */ + if (ikev2_flows_delete(env, sa, csa->csa_saproto)) + log_debug("%s: failed to delete flows", __func__); + /* Send PAYLOAD_DELETE */ if ((buf = ibuf_static()) == NULL) @@ -3941,4 +3948,3 @@ ikev2_print_id(struct iked_id *id, char *idstr, size_t idstrlen) return (0); } - diff --git a/sbin/iked/ikev2_pld.c b/sbin/iked/ikev2_pld.c index 0cff2f8af22..a560e1d16ce 100644 --- a/sbin/iked/ikev2_pld.c +++ b/sbin/iked/ikev2_pld.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ikev2_pld.c,v 1.18 2010/12/22 17:53:54 reyk Exp $ */ +/* $OpenBSD: ikev2_pld.c,v 1.19 2011/01/12 14:26:26 mikeb Exp $ */ /* $vantronix: ikev2.c,v 1.101 2010/06/03 07:57:33 reyk Exp $ */ /* @@ -847,11 +847,13 @@ ikev2_pld_delete(struct iked *env, struct ikev2_payload *pld, } if (ikev2_childsa_delete(env, sa, del->del_protoid, spi, - &localspi[i], peersas[i]->csa_rekey ? 0 : - IKED_DEL_FLOWS) == -1) + &localspi[i], 0) == -1) failed++; else found++; + + if (!peersas[i]->csa_rekey) + ikev2_flows_delete(env, sa, del->del_protoid); } /* Parsed outgoing message? */ |
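Review bot: Passing `1` (cleanup) here makes ikev2_childsa_delete skip any CHILD SA whose `csa_loaded` is still set (guard at -3629), so this call only removes the entry if earlier code in ikev2_drop_sa has already cleared its loaded state; that precondition is outside the hunk and is worth stating next to the call, e.g. `/* delete peer's SPI (entry must already be unloaded) */`. The flow deletion that follows runs regardless of whether the SA deletion succeeded, which matches the old IKED_DEL_FLOWS behaviour. ikev2_drop_sa begins and ends outside the hunk.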
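Review bot: The return value of the new `ikev2_flows_delete()` call is discarded, unlike in ikev2_drop_sa where a failure is logged; for consistency `if (ikev2_flows_delete(env, sa, del->del_protoid)) log_debug("%s: failed to delete flows", __func__);`. The call also sits inside the per-SPI loop, so a DELETE payload carrying several SPIs of one protocol repeats the whole-protocol flow sweep on every iteration after the first has presumably already emptied it; hoisting the call after the loop, keyed on whether any non-rekey SPI was seen, avoids the repetition and any spurious failure log. ikev2_pld_delete begins and ends outside the hunk.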