authorHakan Olsson <ho@cvs.openbsd.org>2003-05-16 20:31:17 +0000
committerHakan Olsson <ho@cvs.openbsd.org>2003-05-16 20:31:17 +0000
commit18ce05ff967e462641e8b32272e5a921ec86d104 (patch)
tree0277f62e15fd08432214112b31f75d1f5bb129fe /sbin/isakmpd
parentb5af3da96ec9e884c01675914196237f0191a818 (diff)
If the "Renegotiate-on-HUP" tag is defined in the [General] section, a
HUP signal (or "R" to the FIFO) will also renegotiate all Phase 2 SAs, i.e. all connections. ok niklas@, tested and ok kjell@.
Diffstat (limited to 'sbin/isakmpd')
-rw-r--r--sbin/isakmpd/init.c5
-rw-r--r--sbin/isakmpd/isakmpd.conf.58
-rw-r--r--sbin/isakmpd/sa.c26
-rw-r--r--sbin/isakmpd/sa.h3
4 files changed, 37 insertions, 5 deletions
diff --git a/sbin/isakmpd/init.c b/sbin/isakmpd/init.c
index ce6009024dc..7af305733b3 100644
--- a/sbin/isakmpd/init.c
+++ b/sbin/isakmpd/init.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: init.c,v 1.21 2003/05/15 00:28:53 ho Exp $ */
+/* $OpenBSD: init.c,v 1.22 2003/05/16 20:31:15 ho Exp $ */
/* $EOM: init.c,v 1.25 2000/03/30 14:27:24 ho Exp $ */
/*
@@ -141,6 +141,7 @@ reinit (void)
* XXX "These" (non-existant) reinitializations should not be done.
* cookie_reinit ();
* ui_reinit ();
- * sa_reinit ();
*/
+
+ sa_reinit ();
}
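Review bot: The new `sa_reinit ();` call sits directly under an XXX comment that still says "These (non-existant) reinitializations should not be done", so a reader cannot tell from this file that the call is intentional and conditional; it deserves a one-line comment of its own. Based on the sa.c hunk in this same commit, the call is a no-op unless the `Renegotiate-on-HUP` tag is configured, so something like `/* Renegotiate phase 2 SAs, but only if [General] Renegotiate-on-HUP is set (see sa_reinit).  */` above the call would make that clear. The enclosing reinit() starts before this hunk.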
diff --git a/sbin/isakmpd/isakmpd.conf.5 b/sbin/isakmpd/isakmpd.conf.5
index 9bc7dd1467d..0ca8c5dfc36 100644
--- a/sbin/isakmpd/isakmpd.conf.5
+++ b/sbin/isakmpd/isakmpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: isakmpd.conf.5,v 1.77 2003/05/10 21:13:41 jmc Exp $
+.\" $OpenBSD: isakmpd.conf.5,v 1.78 2003/05/16 20:31:16 ho Exp $
.\" $EOM: isakmpd.conf.5,v 1.57 2000/12/21 14:43:17 ho Exp $
.\"
.\" Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved.
@@ -190,6 +190,12 @@ The default is "/etc/isakmpd/pubkeys".
Read
.Xr isakmpd 8
for the required naming convention of the files in here.
+.It Em Renegotiate-on-HUP
+If this tag is defined, whatever the value is,
+.Nm isakmpd
+will renegotiate all current phase 2 SAs when the daemon receives
+a SIGHUP signal, or a 'R' is sent to the FIFO interface. (See
+.Xr isakmpd 8 ) .
.It Em Retransmits
How many times should a message be retransmitted before giving up.
.It Em Shared-SADB
diff --git a/sbin/isakmpd/sa.c b/sbin/isakmpd/sa.c
index 330803d0bb2..de97253b734 100644
--- a/sbin/isakmpd/sa.c
+++ b/sbin/isakmpd/sa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sa.c,v 1.68 2003/05/15 02:28:56 ho Exp $ */
+/* $OpenBSD: sa.c,v 1.69 2003/05/16 20:31:16 ho Exp $ */
/* $EOM: sa.c,v 1.112 2000/12/12 00:22:52 niklas Exp $ */
/*
@@ -46,6 +46,7 @@
#include "sysdep.h"
+#include "conf.h"
#include "connection.h"
#include "cookie.h"
#include "doi.h"
@@ -979,6 +980,29 @@ sa_hard_expire (void *v_sa)
sa_delete (sa, 1);
}
+void
+sa_reinit (void)
+{
+ struct sa *sa;
+ char *tag;
+ int i;
+
+ /* For now; only do this if we have the proper tag configured. */
+ tag = conf_get_str ("General", "Renegotiate-on-HUP");
+ if (!tag)
+ return;
+
+ /* Get phase 2 SAs. Soft expire those without active exchanges. */
+ for (i = 0; i <= bucket_mask; i++)
+ for (sa = LIST_FIRST (&sa_tab[i]); sa; sa = LIST_NEXT (sa, link))
+ if (sa->phase == 2)
+ if (exchange_lookup_by_name (sa->name, sa->phase) == 0)
+ {
+ timer_remove_event (sa->soft_death);
+ sa_soft_expire (sa);
+ }
+}
+
/*
* Get an SA attribute's flag value out of textual description.
*/
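Review bot: `timer_remove_event (sa->soft_death)` is called unconditionally, with no check that the soft-death event is actually pending. If sa->soft_death can be NULL for a phase 2 SA — one whose soft lifetime was never scheduled, or whose soft timer has already fired (a second HUP after the first already triggered sa_soft_expire would be the obvious case) — this passes a null pointer into timer_remove_event, turning a signal or a FIFO "R" into a daemon crash; I have not verified what timer_remove_event does with NULL, but nothing in this hunk rules it out. Tightening the condition to `if (exchange_lookup_by_name (sa->name, sa->phase) == 0 && sa->soft_death)` skips such SAs and matches the "without active exchanges" intent in the comment. It would also help to say in that comment why SAs with an in-flight exchange are skipped, and to note the assumption that sa_soft_expire does not unlink sa from the bucket list, since the loop continues with `LIST_NEXT (sa, link)` after calling it.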
diff --git a/sbin/isakmpd/sa.h b/sbin/isakmpd/sa.h
index 683d5f47a64..2fe21adf18d 100644
--- a/sbin/isakmpd/sa.h
+++ b/sbin/isakmpd/sa.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sa.h,v 1.30 2003/05/15 02:28:56 ho Exp $ */
+/* $OpenBSD: sa.h,v 1.31 2003/05/16 20:31:16 ho Exp $ */
/* $EOM: sa.h,v 1.58 2000/10/10 12:39:01 provos Exp $ */
/*
@@ -220,6 +220,7 @@ extern struct sa *sa_find (int (*) (struct sa *, void *), void *);
extern int sa_flag (char *);
extern void sa_free (struct sa *);
extern void sa_init (void);
+extern void sa_reinit (void);
extern struct sa *sa_isakmp_lookup_by_peer (struct sockaddr *, socklen_t);
extern void sa_isakmp_upgrade (struct message *);
extern struct sa *sa_lookup (u_int8_t *, u_int8_t *);