author | Hakan Olsson <ho@cvs.openbsd.org> | 2003-05-16 20:31:17 +0000 |
committer | Hakan Olsson <ho@cvs.openbsd.org> | 2003-05-16 20:31:17 +0000 |
commit | 18ce05ff967e462641e8b32272e5a921ec86d104 (patch) | |
tree | 0277f62e15fd08432214112b31f75d1f5bb129fe /sbin/isakmpd | |
parent | b5af3da96ec9e884c01675914196237f0191a818 (diff) |
If the "Renegotiate-on-HUP" tag is defined in the [General] section, a
HUP signal (or "R" to the FIFO) will also renegotiate all Phase 2 SAs,
i.e. all connections.
ok niklas@, tested and ok kjell@.
Diffstat (limited to 'sbin/isakmpd')
-rw-r--r-- | sbin/isakmpd/init.c | 5 | ||||
-rw-r--r-- | sbin/isakmpd/isakmpd.conf.5 | 8 | ||||
-rw-r--r-- | sbin/isakmpd/sa.c | 26 | ||||
-rw-r--r-- | sbin/isakmpd/sa.h | 3 |
4 files changed, 37 insertions, 5 deletions
diff --git a/sbin/isakmpd/init.c b/sbin/isakmpd/init.c
index ce6009024dc..7af305733b3 100644
--- a/sbin/isakmpd/init.c
+++ b/sbin/isakmpd/init.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: init.c,v 1.21 2003/05/15 00:28:53 ho Exp $ */
+/* $OpenBSD: init.c,v 1.22 2003/05/16 20:31:15 ho Exp $ */
 /* $EOM: init.c,v 1.25 2000/03/30 14:27:24 ho Exp $ */
 
 /*
@@ -141,6 +141,7 @@ reinit (void)
  * XXX "These" (non-existant) reinitializations should not be done.
  * cookie_reinit ();
  * ui_reinit ();
- * sa_reinit ();
  */
+
+ sa_reinit ();
 }
diff --git a/sbin/isakmpd/isakmpd.conf.5 b/sbin/isakmpd/isakmpd.conf.5
index 9bc7dd1467d..0ca8c5dfc36 100644
--- a/sbin/isakmpd/isakmpd.conf.5
+++ b/sbin/isakmpd/isakmpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: isakmpd.conf.5,v 1.77 2003/05/10 21:13:41 jmc Exp $
+.\" $OpenBSD: isakmpd.conf.5,v 1.78 2003/05/16 20:31:16 ho Exp $
 .\" $EOM: isakmpd.conf.5,v 1.57 2000/12/21 14:43:17 ho Exp $
 .\"
 .\" Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved.
@@ -190,6 +190,12 @@ The default is "/etc/isakmpd/pubkeys".
 Read
 .Xr isakmpd 8
 for the required naming convention of the files in here.
+.It Em Renegotiate-on-HUP
+If this tag is defined, whatever the value is,
+.Nm isakmpd
+will renegotiate all current phase 2 SAs when the daemon receives
+a SIGHUP signal, or a 'R' is sent to the FIFO interface. (See
+.Xr isakmpd 8 ) .
 .It Em Retransmits
 How many times should a message be retransmitted before giving up.
 .It Em Shared-SADB
diff --git a/sbin/isakmpd/sa.c b/sbin/isakmpd/sa.c
index 330803d0bb2..de97253b734 100644
--- a/sbin/isakmpd/sa.c
+++ b/sbin/isakmpd/sa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sa.c,v 1.68 2003/05/15 02:28:56 ho Exp $ */
+/* $OpenBSD: sa.c,v 1.69 2003/05/16 20:31:16 ho Exp $ */
 /* $EOM: sa.c,v 1.112 2000/12/12 00:22:52 niklas Exp $ */
 
 /*
@@ -46,6 +46,7 @@
 
 #include "sysdep.h"
 
+#include "conf.h"
 #include "connection.h"
 #include "cookie.h"
 #include "doi.h"
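Review bot: The new `sa_reinit ();` call in reinit sits directly under the XXX comment stating that these reinitializations "should not be done", and nothing at the call site says it is a no-op unless Renegotiate-on-HUP is configured (that check lives inside sa_reinit in sa.c, in this same diff). A one-line comment would stop the next reader from treating it as a leftover and reverting it: `/* Renegotiate phase 2 SAs; sa_reinit is a no-op unless Renegotiate-on-HUP is set. */`. The remainder of reinit starts outside the hunk.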
@@ -979,6 +980,29 @@ sa_hard_expire (void *v_sa)
 sa_delete (sa, 1);
 }
 
+void
+sa_reinit (void)
+{
+ struct sa *sa;
+ char *tag;
+ int i;
+
+ /* For now; only do this if we have the proper tag configured. */
+ tag = conf_get_str ("General", "Renegotiate-on-HUP");
+ if (!tag)
+ return;
+
+ /* Get phase 2 SAs. Soft expire those without active exchanges. */
+ for (i = 0; i <= bucket_mask; i++)
+ for (sa = LIST_FIRST (&sa_tab[i]); sa; sa = LIST_NEXT (sa, link))
+ if (sa->phase == 2)
+ if (exchange_lookup_by_name (sa->name, sa->phase) == 0)
+ {
+ timer_remove_event (sa->soft_death);
+ sa_soft_expire (sa);
+ }
+}
+
 /*
  * Get an SA attribute's flag value out of textual description.
  */
diff --git a/sbin/isakmpd/sa.h b/sbin/isakmpd/sa.h
index 683d5f47a64..2fe21adf18d 100644
--- a/sbin/isakmpd/sa.h
+++ b/sbin/isakmpd/sa.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sa.h,v 1.30 2003/05/15 02:28:56 ho Exp $ */
+/* $OpenBSD: sa.h,v 1.31 2003/05/16 20:31:16 ho Exp $ */
 /* $EOM: sa.h,v 1.58 2000/10/10 12:39:01 provos Exp $ */
 
 /*
@@ -220,6 +220,7 @@ extern struct sa *sa_find (int (*) (struct sa *, void *), void *);
 extern int sa_flag (char *);
 extern void sa_free (struct sa *);
 extern void sa_init (void);
+extern void sa_reinit (void);
 extern struct sa *sa_isakmp_lookup_by_peer (struct sockaddr *, socklen_t);
 extern void sa_isakmp_upgrade (struct message *);
 extern struct sa *sa_lookup (u_int8_t *, u_int8_t *); |
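Review bot: `timer_remove_event (sa->soft_death);` in the inner loop of sa_reinit runs for every phase 2 SA with no exchange in progress, but nothing in the hunk guarantees `soft_death` is still set: an SA whose soft timer has already fired, or for which a soft expiration was never scheduled, reaches this call with a null event, and unless timer_remove_event tolerates NULL (its body is not in this diff) every SIGHUP or FIFO "R" with the tag configured becomes a crash of the daemon rather than a renegotiation. Narrowing the selection to `if (sa->phase == 2 && sa->soft_death)` skips those SAs, and also avoids calling sa_soft_expire a second time on an SA that is already past its soft expiration. The comment above the loop should then say that SAs without a pending soft expiration are deliberately left alone, and a debug log line at the start of the loop would let an operator correlate a HUP with the burst of phase 2 exchanges that follows. The `tag` value is only tested for presence, which matches the "whatever the value is" wording in the manual page hunk of this same diff.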