summaryrefslogtreecommitdiff
path: root/sbin/isakmpd
diff options
context:
space:
mode:
authorNiklas Hallqvist <niklas@cvs.openbsd.org>1999-04-19 21:07:43 +0000
committerNiklas Hallqvist <niklas@cvs.openbsd.org>1999-04-19 21:07:43 +0000
commit6b4bf50053691d23856fa79cfb2c6d00b51396ac (patch)
tree9a39cfb94a7e08157ad6fe315b51c6deba2cbf3d /sbin/isakmpd
parentee3489de2a0b92be232779adbae9e46d84458c92 (diff)
./pf_encap.c: Merge with EOM 1.63
remove warning Simplify the checks of existing exchanges by moving it into exchange_establish. This means we need to change the finalize API. Try to make PF_ENCAP support handle multiple connections to a single security gateway. Sigh, log the SPIs in network byte order, please
Diffstat (limited to 'sbin/isakmpd')
-rw-r--r--sbin/isakmpd/pf_encap.c75
1 files changed, 19 insertions, 56 deletions
diff --git a/sbin/isakmpd/pf_encap.c b/sbin/isakmpd/pf_encap.c
index 35738af416d..53a0dacc7e2 100644
--- a/sbin/isakmpd/pf_encap.c
+++ b/sbin/isakmpd/pf_encap.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: pf_encap.c,v 1.11 1999/04/05 21:02:48 niklas Exp $ */
-/* $EOM: pf_encap.c,v 1.60 1999/04/05 08:07:55 niklas Exp $ */
+/* $OpenBSD: pf_encap.c,v 1.12 1999/04/19 21:07:42 niklas Exp $ */
+/* $EOM: pf_encap.c,v 1.63 1999/04/15 19:03:04 niklas Exp $ */
/*
* Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
@@ -71,7 +71,6 @@
((a) > 0 ? (1 + (((a) - 1) | (sizeof (long) - 1))) : sizeof (long))
static void pf_encap_deregister_on_demand_connection (char *);
-static char *pf_encap_on_demand_connection (in_addr_t);
static int pf_encap_register_on_demand_connection (in_addr_t, char *);
static void pf_encap_request_sa (struct encap_msghdr *);
@@ -121,7 +120,7 @@ pf_encap_expire (struct encap_msghdr *emsg)
log_debug (LOG_SYSDEP, 20,
"pf_encap_expire: NOTIFY_%s_EXPIRE dst %s spi %x sproto %d",
emsg->em_not_type == NOTIFY_SOFT_EXPIRE ? "SOFT" : "HARD",
- inet_ntoa (emsg->em_not_dst), emsg->em_not_spi,
+ inet_ntoa (emsg->em_not_dst), htonl (emsg->em_not_spi),
emsg->em_not_sproto);
/*
@@ -149,11 +148,7 @@ pf_encap_expire (struct encap_msghdr *emsg)
*/
if ((sa->flags & (SA_FLAG_STAYALIVE | SA_FLAG_REPLACED))
== SA_FLAG_STAYALIVE)
- {
- /* If we are already renegotiating, don't start over. */
- if (!exchange_lookup_by_name (sa->name, 2))
- exchange_establish (sa->name, 0, 0);
- }
+ exchange_establish (sa->name, 0, 0);
if (emsg->em_not_type == NOTIFY_HARD_EXPIRE)
{
@@ -188,7 +183,6 @@ pf_encap_notify (struct encap_msghdr *emsg)
case NOTIFY_SOFT_EXPIRE:
case NOTIFY_HARD_EXPIRE:
pf_encap_expire (emsg);
- free (emsg);
break;
case NOTIFY_REQUEST_SA:
@@ -198,9 +192,9 @@ pf_encap_notify (struct encap_msghdr *emsg)
default:
log_print ("pf_encap_notify: unknown notify message type (%d)",
emsg->em_not_type);
- free (emsg);
break;
}
+ free (emsg);
}
void
@@ -290,15 +284,6 @@ pf_encap_write (struct encap_msghdr *em)
return 0;
}
-static void
-pf_encap_finalize_request_sa (void *v_emsg, int fail)
-{
- struct encap_msghdr *emsg = v_emsg;
-
- pf_encap_write (emsg);
- free (emsg);
-}
-
/*
* We are asked to setup an SA that can protect packets like the one described
* in EMSG. We are supposed to deallocate EMSG too.
@@ -306,31 +291,25 @@ pf_encap_finalize_request_sa (void *v_emsg, int fail)
static void
pf_encap_request_sa (struct encap_msghdr *emsg)
{
- char *conn;
+ struct on_demand_connection *node;
log_debug (LOG_SYSDEP, 10,
"pf_encap_request_sa: SA requested for %s type %d",
inet_ntoa (emsg->em_not_dst), emsg->em_not_satype);
- /* XXX pf_encap_on_demand_connection should return a list of connections. */
- conn = pf_encap_on_demand_connection (emsg->em_not_dst.s_addr);
- if (!conn)
- /* Not ours. */
- goto bail_out;
-
/*
- * If a connection or an SA for this connections already exists, drop it.
- * XXX Perhaps this test is better to have in exchange_establish.
- * XXX We are leaking emsg here.
- */
- if (exchange_lookup_by_name (conn, 2) || sa_lookup_by_name (conn, 2))
- goto bail_out;
-
- exchange_establish (conn, pf_encap_finalize_request_sa, emsg);
- return;
-
- bail_out:
- free (emsg);
+ * In my mind this is rediculous, PF_ENCAP is just broken. Well, to
+ * describe how it is broken it suffices to say that REQUEST_SA messages
+ * does not tell which of all connections using a specific security
+ * gateway needs to be brought up. So we have to bring them all up.
+ * I won't bother replying to the PF_ENCAP socket because the kernel
+ * does not require it when this request is due to a SPI 1 route.
+ */
+ for (node = LIST_FIRST (&on_demand_connections); node;
+ node = LIST_NEXT (node, link))
+ if (emsg->em_not_dst.s_addr == node->dst
+ && !sa_lookup_by_name (node->conn, 2))
+ exchange_establish (node->conn, 0, 0);
}
/*
@@ -722,7 +701,7 @@ pf_encap_delete_spi (struct sa *sa, struct proto *proto, int incoming)
return -1;
}
-/* Enable a flow given a SA. */
+/* Enable a flow given an SA. */
int
pf_encap_enable_sa (struct sa *sa)
{
@@ -1027,19 +1006,3 @@ pf_encap_deregister_on_demand_connection (char *conn)
break;
}
}
-
-/*
- * Return a phase 2 connection name given a security gateway's IP-address.
- * XXX Does only handle 1-1 mappings so far.
- */
-static char *
-pf_encap_on_demand_connection (in_addr_t dst)
-{
- struct on_demand_connection *node;
-
- for (node = LIST_FIRST (&on_demand_connections); node;
- node = LIST_NEXT (node, link))
- if (dst == node->dst)
- return node->conn;
- return 0;
-}