authorNiels Provos <provos@cvs.openbsd.org>2000-12-15 01:06:52 +0000
committerNiels Provos <provos@cvs.openbsd.org>2000-12-15 01:06:52 +0000
commit475674052e0a84887239cb3bcde569867f0d11d8 (patch)
treeae87f95e085d62619cf97ffa257cdef85c8e5365 /sbin
parent126dface48f6f55826ca957bbe6e4b53a7ba777b (diff)
handle pfkey soft updates. only update when SA has been used.
Diffstat (limited to 'sbin')
-rw-r--r--sbin/photurisd/handle_identity_request.c5
-rw-r--r--sbin/photurisd/handle_identity_response.c4
-rw-r--r--sbin/photurisd/handle_spi_needed.c5
-rw-r--r--sbin/photurisd/kernel.c43
-rw-r--r--sbin/photurisd/schedule.c97
-rw-r--r--sbin/photurisd/spi.c127
-rw-r--r--sbin/photurisd/spi.h11
7 files changed, 167 insertions, 125 deletions
diff --git a/sbin/photurisd/handle_identity_request.c b/sbin/photurisd/handle_identity_request.c
index 15d0a35a6ae..4d67ca1fbef 100644
--- a/sbin/photurisd/handle_identity_request.c
+++ b/sbin/photurisd/handle_identity_request.c
@@ -33,7 +33,7 @@
*/
#ifndef lint
-static char rcsid[] = "$Id: handle_identity_request.c,v 1.3 2000/12/11 21:21:17 provos Exp $";
+static char rcsid[] = "$Id: handle_identity_request.c,v 1.4 2000/12/15 01:06:50 provos Exp $";
#endif
#include <stdio.h>
@@ -52,7 +52,6 @@ static char rcsid[] = "$Id: handle_identity_request.c,v 1.3 2000/12/11 21:21:17
#include "secrets.h"
#include "scheme.h"
#include "log.h"
-#include "schedule.h"
#include "attributes.h"
#include "md5.h"
#ifdef IPSEC
@@ -297,7 +296,7 @@ handle_identity_request(u_char *packet, int size, char *address,
#ifdef IPSEC
kernel_insert_spi(st, spi);
#endif
- schedule_insert(UPDATE, st->olifetime/2, spi->SPI, SPI_SIZE);
+ spi_update_insert(spi);
}
if (st->uSPI[0] || st->uSPI[1] || st->uSPI[2] || st->uSPI[3]) {
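Review bot: `spi_update_insert(spi)` derives its delay from `spi->lifetime`, so it depends on that field already being set when it is called; the assignment is not in this hunk, and if the field is still 0 or -1 here the clamp inside spi_update_insert schedules an immediate update instead of one at 9/10 of the lifetime. The same replacement is made in handle_identity_response.c and handle_spi_needed.c, where spi_insert precedes the call. Moving the rekey from olifetime/2 to nine tenths of the lifetime also leaves only a tenth of the lifetime for the update exchange to complete, and nothing visible in these hunks reschedules after a failed update, so a comment above the call recording that trade-off would help: `/* rekey at 90% of lifetime; if the update fails the SA simply hard-expires */`. handle_identity_request's body continues outside the hunk.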
diff --git a/sbin/photurisd/handle_identity_response.c b/sbin/photurisd/handle_identity_response.c
index 9b40ac97499..0e58986bfad 100644
--- a/sbin/photurisd/handle_identity_response.c
+++ b/sbin/photurisd/handle_identity_response.c
@@ -34,7 +34,7 @@
*/
#ifndef lint
-static char rcsid[] = "$Id: handle_identity_response.c,v 1.3 2000/12/11 21:21:17 provos Exp $";
+static char rcsid[] = "$Id: handle_identity_response.c,v 1.4 2000/12/15 01:06:51 provos Exp $";
#endif
#include <stdio.h>
@@ -245,7 +245,7 @@ handle_identity_response(u_char *packet, int size, char *address,
#ifdef IPSEC
kernel_insert_spi(st, spi);
#endif
- schedule_insert(UPDATE, st->olifetime/2, spi->SPI, SPI_SIZE);
+ spi_update_insert(spi);
}
if (st->uSPI[0] || st->uSPI[1] || st->uSPI[2] || st->uSPI[3]) {
/* Insert User SPI */
diff --git a/sbin/photurisd/handle_spi_needed.c b/sbin/photurisd/handle_spi_needed.c
index e75a4730172..6320fbc887a 100644
--- a/sbin/photurisd/handle_spi_needed.c
+++ b/sbin/photurisd/handle_spi_needed.c
@@ -34,7 +34,7 @@
*/
#ifndef lint
-static char rcsid[] = "$Id: handle_spi_needed.c,v 1.2 2000/12/11 21:21:17 provos Exp $";
+static char rcsid[] = "$Id: handle_spi_needed.c,v 1.3 2000/12/15 01:06:51 provos Exp $";
#endif
#include <stdio.h>
@@ -51,7 +51,6 @@ static char rcsid[] = "$Id: handle_spi_needed.c,v 1.2 2000/12/11 21:21:17 provos
#include "validity.h"
#include "attributes.h"
#include "secrets.h"
-#include "schedule.h"
#include "scheme.h"
#include "log.h"
#include "spi.h"
@@ -188,7 +187,7 @@ handle_spi_needed(u_char *packet, int size, char *address,
make_session_keys(st, spi);
spi_insert(spi);
- schedule_insert(UPDATE, st->olifetime/2, spi->SPI, SPI_SIZE);
+ spi_update_insert(spi);
#ifdef IPSEC
kernel_insert_spi(st, spi);
#endif
diff --git a/sbin/photurisd/kernel.c b/sbin/photurisd/kernel.c
index d876cf6a114..d1c6412425b 100644
--- a/sbin/photurisd/kernel.c
+++ b/sbin/photurisd/kernel.c
@@ -39,7 +39,7 @@
*/
#ifndef lint
-static char rcsid[] = "$Id: kernel.c,v 1.15 2000/12/14 23:28:58 provos Exp $";
+static char rcsid[] = "$Id: kernel.c,v 1.16 2000/12/15 01:06:51 provos Exp $";
#endif
#include <time.h>
@@ -75,6 +75,7 @@ static char rcsid[] = "$Id: kernel.c,v 1.15 2000/12/14 23:28:58 provos Exp $";
#include "state.h"
#include "attributes.h"
#include "buffer.h"
+#include "api.h"
#include "spi.h"
#include "kernel.h"
#include "log.h"
@@ -385,10 +386,9 @@ kernel_register(int sd)
{
struct sadb_msg smsg, *sres;
struct sadb_supported *ssup;
- struct sadb_alg *salg;
struct sadb_ext *ext;
void *end;
- int encfound, authfound, len;
+ int encfound, authfound;
struct iovec iov[1];
int cnt = 0;
@@ -609,9 +609,8 @@ kernel_add_lifetime(struct sadb_msg *sa, struct iovec *iov, int seconds)
slh.sadb_lifetime_len = sizeof(slh) / 8;
slh.sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
slh.sadb_lifetime_allocations = 0;
- slh.sadb_lifetime_bytes = 1000000000; /* lots of bytes */
- slh.sadb_lifetime_addtime = seconds + 60;
- slh.sadb_lifetime_usetime = seconds; /* first use */
+ slh.sadb_lifetime_bytes = 10000000; /* lots of bytes */
+ slh.sadb_lifetime_addtime = seconds;
sa->sadb_msg_len += slh.sadb_lifetime_len;
iov[cnt].iov_base = &slh;
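Review bot: The byte lifetimes drop from 1,000,000,000/900,000,000 to 10,000,000/9,000,000 while the comment `/* lots of bytes */` is kept on both the hard line here and the soft line in the next hunk; at 10 MB the hard byte limit may hard-expire a busy SA long before its time limit, so the comment should state the intent, e.g. `/* 10 MB hard byte limit; soft fires at 9 MB so the rekey is sent before traffic stops */`. The `sadb_lifetime_usetime` assignments are removed rather than zeroed, so this relies on slh and sls being cleared before these lines (not visible in the hunk); otherwise the kernel receives whatever was on the stack as a use-time limit. The context line `sa->sadb_msg_len += slh.sadb_lifetime_len;` in the soft hunk adds slh's length on behalf of sls; the two structs have the same size so it is harmless, but it reads as a copy-paste slip worth fixing while here. kernel_add_lifetime starts and ends outside both hunks.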
@@ -620,9 +619,8 @@ kernel_add_lifetime(struct sadb_msg *sa, struct iovec *iov, int seconds)
sls.sadb_lifetime_len = sizeof(sls) / 8;
sls.sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
sls.sadb_lifetime_allocations = 0;
- sls.sadb_lifetime_bytes = 900000000; /* lots of bytes */
- sls.sadb_lifetime_addtime = (seconds + 60) * 9 / 10;
- sls.sadb_lifetime_usetime = seconds * 9 / 10; /* first use */
+ sls.sadb_lifetime_bytes = 9000000; /* lots of bytes */
+ sls.sadb_lifetime_addtime = seconds * 9 / 10;
sa->sadb_msg_len += slh.sadb_lifetime_len;
iov[cnt].iov_base = &sls;
@@ -1284,6 +1282,22 @@ kernel_handle_expire(struct sadb_msg *sadb)
spi_unlink(spi);
break;
case SADB_EXT_LIFETIME_SOFT:
+ life = (struct sadb_lifetime *)
+ pfkey_find_extension(ext, end,
+ SADB_EXT_LIFETIME_CURRENT);
+ if (life == NULL) {
+ log_print(__FUNCTION__": no current lifetime");
+ return (-1);
+ }
+
+ if (!life->sadb_lifetime_bytes) {
+ LOG_DBG((LOG_KERNEL, 45, __FUNCTION__
+ ": SPI %x not been used, skipping update",
+ ntohl(sa->sadb_sa_spi)));
+ return (0);
+ }
+
+ spi_update(global_socket, (u_int8_t *)&sa->sadb_sa_spi);
break;
default:
log_print(__FUNCTION__": unknown extension type %d",
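Review bot: The new SOFT branch leaves the whole handler with `return (0)` when `sadb_lifetime_bytes` is zero and with `return (-1)` when no CURRENT lifetime extension is found, whereas the HARD case just above uses `break`; if the enclosing loop (outside the hunk) still has extensions to walk, those early returns skip them, so `break` may be the safer choice unless the early exit is intended. The debug message is also ungrammatical: `": SPI %x has not been used, skipping update"`. The decision deserves a comment because it is the behaviour named in the commit message: `/* soft expiry of an SA that never carried traffic: do not rekey, let it hard-expire */`. `life` is not declared in this hunk, so it presumably exists earlier in the function; kernel_handle_expire begins and ends outside the hunk.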
@@ -1304,7 +1318,6 @@ kernel_request_sa(struct sadb_msg *sadb)
{
struct stateob *st;
time_t tm;
- struct sadb_msg *res;
struct sadb_address *dst, *src;
struct sockaddr *dstaddr, *srcaddr;
struct sadb_ext *ext = (struct sadb_ext *)(sadb + 1);
@@ -1365,14 +1378,10 @@ kernel_request_sa(struct sadb_msg *sadb)
st->protocol = 0;
st->flags = IPSEC_NOTIFY;
- st->flags |= IPSEC_OPT_ENC;
- /* XXX - maybe see if we needs this
- if (em->em_not_satype & NOTIFY_SATYPE_AUTH)
- st->flags |= IPSEC_OPT_AUTH;
- */
+ st->flags |= sadb->sadb_msg_satype == SADB_SATYPE_ESP ?
+ IPSEC_OPT_ENC : IPSEC_OPT_AUTH;
- /* XXX - handling of tunnel requests missing */
if (start_exchange(global_socket, st, st->address,
st->port) == -1) {
log_print(__FUNCTION__": start_exchange() - informing kernel of failure");
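Review bot: The new flag selection maps every non-ESP satype to IPSEC_OPT_AUTH, so an ACQUIRE carrying an unexpected or unspecified satype silently starts an AH-only exchange instead of being rejected; a cheap guard is `if (sadb->sadb_msg_satype != SADB_SATYPE_ESP && sadb->sadb_msg_satype != SADB_SATYPE_AH)` followed by the same failure path the start_exchange error takes below. Dropping the `/* XXX - handling of tunnel requests missing */` reminder without adding tunnel handling in this commit loses the record of a limitation that, as far as these hunks show, still exists; if it was addressed elsewhere, a one-line comment saying so would prevent the question. kernel_request_sa starts and ends outside the hunk.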
@@ -1389,6 +1398,8 @@ kernel_request_sa(struct sadb_msg *sadb)
* an SPI_NEEDED message.
*/
}
+
+ return (0);
}
/*
diff --git a/sbin/photurisd/schedule.c b/sbin/photurisd/schedule.c
index c33e360ff34..4d3f655404f 100644
--- a/sbin/photurisd/schedule.c
+++ b/sbin/photurisd/schedule.c
@@ -35,7 +35,7 @@
*/
#ifndef lint
-static char rcsid[] = "$Id: schedule.c,v 1.2 2000/12/11 21:21:18 provos Exp $";
+static char rcsid[] = "$Id: schedule.c,v 1.3 2000/12/15 01:06:51 provos Exp $";
#endif
#define _SCHEDULE_C_
@@ -54,7 +54,6 @@ static char rcsid[] = "$Id: schedule.c,v 1.2 2000/12/11 21:21:18 provos Exp $";
#include "photuris.h"
#include "buffer.h"
#include "schedule.h"
-#include "secrets.h"
#include "log.h"
#include "cookie.h"
#include "modulus.h"
@@ -184,7 +183,6 @@ schedule_process(int sock)
struct schedule *tmp, *tmp2;
struct sockaddr_in sin;
struct stateob *st;
- struct spiob *spi, *nspi;
time_t tm;
int remove;
@@ -292,96 +290,9 @@ schedule_process(int sock)
}
break;
case UPDATE:
-#ifdef DEBUG
- {
- int i = BUFFER_SIZE;
- bin2hex(buffer, &i, tmp->cookie, SPI_SIZE);
- printf("Upating SPI 0x%s\n", buffer);
- }
-#endif
- remove = 1;
- /* We are to create a new SPI */
- if ((spi = spi_find(NULL, tmp->cookie)) == NULL) {
- log_print("spi_find() in schedule_process()");
- break;
- }
- if ((st = state_find_cookies(spi->address, spi->icookie, NULL)) == NULL) {
-#ifdef DEBUG2
- /*
- * This happens always when an exchange expires but
- * updates are still scheduled for it.
- */
- log_print("state_find_cookies() in schedule_process()");
-#endif
- break;
- }
-
- if (st->oSPIattrib != NULL)
- free(st->oSPIattrib);
- if ((st->oSPIattrib = calloc(spi->attribsize, sizeof(u_int8_t))) == NULL) {
- log_error("calloc() in schedule_process()");
- break;
- }
- st->oSPIattribsize = spi->attribsize;
- bcopy(spi->attributes, st->oSPIattrib, st->oSPIattribsize);
-
- /* We can keep our old attributes, this is only an update */
- if (make_spi(st, spi->local_address, st->oSPI, &(st->olifetime),
- &(st->oSPIattrib), &(st->oSPIattribsize)) == -1) {
- log_print("make_spi() in schedule_process()");
- break;
- }
-
- packet_size = PACKET_BUFFER_SIZE;
- if (photuris_spi_update(st, packet_buffer, &packet_size) == -1) {
- log_print("photuris_spi_update() in schedule_process()");
- break;
- }
-
- /* Send the packet */
- sin.sin_port = htons(st->port);
- sin.sin_family = AF_INET;
- sin.sin_addr.s_addr = inet_addr(st->address);
-
- if (sendto(sock, packet_buffer, packet_size, 0,
- (struct sockaddr *) &sin, sizeof(sin)) != packet_size) {
- log_error("sendto() in schedule_process()");
- break;
- }
-
-#ifdef DEBUG
- printf("Sending SPI UPDATE to %s.\n", st->address);
-#endif
- /* Insert Owner SPI */
- if ((nspi = spi_new(st->address, st->oSPI)) == NULL) {
- log_error("spi_new() in handle_spi_needed()");
- break;
- }
- if ((nspi->local_address = strdup(spi->local_address)) == NULL) {
- log_error("strdup() in handle_spi_needed()");
- spi_value_reset(nspi);
- break;
- }
- bcopy(st->icookie, nspi->icookie, COOKIE_SIZE);
- nspi->flags |= SPI_OWNER;
- nspi->attribsize = st->oSPIattribsize;
- nspi->attributes = calloc(nspi->attribsize, sizeof(u_int8_t));
- if (nspi->attributes == NULL) {
- log_error("calloc() in handle_spi_needed()");
- spi_value_reset(nspi);
- break;
- }
- bcopy(st->oSPIattrib, nspi->attributes, nspi->attribsize);
- nspi->lifetime = time(NULL) + st->olifetime;
-
- make_session_keys(st, nspi);
-
- spi_insert(nspi);
- schedule_insert(UPDATE, st->olifetime/2, nspi->SPI, SPI_SIZE);
-#ifdef IPSEC
- kernel_insert_spi(st, nspi);
-#endif
- break;
+ spi_update(sock, tmp->cookie);
+ remove = 1;
+ break;
default:
remove = 1;
log_print("Unknown event in schedule_process()");
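Review bot: The scheduled UPDATE still calls `spi_update(sock, tmp->cookie)` unconditionally, while the PF_KEY soft-expire path in kernel.c now skips SPIs whose current byte count is zero; since spi_update_insert schedules this event at 9/10 of the lifetime, about when the kernel soft lifetime fires, whichever arrives first performs the rekey and the SPI_UPDATED flag silences the other, so the "only update when SA has been used" rule from the commit message is not enforced on this path. If the scheduler is meant as the non-IPSEC fallback, this case or the call in spi_update_insert should be under `#ifndef IPSEC`; otherwise a comment here should state that scheduled updates rekey regardless of use. spi_update returns void, so a failed update is indistinguishable from a successful one at this point and the entry is removed either way. schedule_process begins and ends outside the hunk.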
diff --git a/sbin/photurisd/spi.c b/sbin/photurisd/spi.c
index fb140b3a8f2..3bb01fa203a 100644
--- a/sbin/photurisd/spi.c
+++ b/sbin/photurisd/spi.c
@@ -33,7 +33,7 @@
*/
#ifndef lint
-static char rcsid[] = "$Id: spi.c,v 1.5 2000/12/14 23:28:59 provos Exp $";
+static char rcsid[] = "$Id: spi.c,v 1.6 2000/12/15 01:06:51 provos Exp $";
#endif
#define _SPI_C_
@@ -53,6 +53,7 @@ static char rcsid[] = "$Id: spi.c,v 1.5 2000/12/14 23:28:59 provos Exp $";
#include "attributes.h"
#include "buffer.h"
#include "spi.h"
+#include "secrets.h"
#include "schedule.h"
#include "log.h"
#ifdef IPSEC
@@ -239,9 +240,7 @@ spi_expire(void)
for (tmp = TAILQ_FIRST(&spihead); tmp; tmp = next) {
next = TAILQ_NEXT(tmp, next);
- if (tmp->lifetime == -1 ||
- tmp->lifetime + (tmp->flags & SPI_OWNER ?
- CLEANUP_TIMEOUT : 0) > tm)
+ if (tmp->lifetime == -1 || tmp->lifetime > tm)
continue;
LOG_DBG((LOG_SPI, 30, __FUNCTION__
@@ -256,3 +255,123 @@ spi_expire(void)
spi_unlink(tmp);
}
}
+
+void
+spi_update_insert(struct spiob *spi)
+{
+ time_t tm = time(NULL);
+ int seconds;
+
+ seconds = spi->lifetime - tm;
+ if (seconds < 0)
+ seconds = 0;
+ seconds = seconds * 9 / 10;
+
+ schedule_insert(UPDATE, seconds, spi->SPI, SPI_SIZE);
+}
+
+void
+spi_update(int sock, u_int8_t *spinr)
+{
+ struct stateob *st;
+ struct spiob *spi, *nspi;
+ struct sockaddr_in sin;
+
+ /* We are to create a new SPI */
+ if ((spi = spi_find(NULL, spinr)) == NULL) {
+ log_print("spi_find() in schedule_process()");
+ return;
+ }
+
+ if (!(spi->flags & SPI_OWNER))
+ return;
+
+ if (spi->flags & SPI_UPDATED) {
+ LOG_DBG((LOG_SPI, 55, __FUNCTION__": SPI %x already updated",
+ ntohl(*(u_int32_t *)spinr)));
+ return;
+ }
+
+ LOG_DBG((LOG_SPI, 45, __FUNCTION__": updating SPI %x",
+ ntohl(*(u_int32_t *)spinr)));
+
+
+ if ((st = state_find_cookies(spi->address, spi->icookie, NULL)) == NULL) {
+ /*
+ * This happens always when an exchange expires but
+ * updates are still scheduled for it.
+ */
+ LOG_DBG((LOG_SPI, 65, __FUNCTION__": state_find_cookies()"));
+ return;
+ }
+
+ if (st->oSPIattrib != NULL)
+ free(st->oSPIattrib);
+ if ((st->oSPIattrib = calloc(spi->attribsize, sizeof(u_int8_t))) == NULL) {
+ log_error("calloc() in schedule_process()");
+ return;
+ }
+ st->oSPIattribsize = spi->attribsize;
+ bcopy(spi->attributes, st->oSPIattrib, st->oSPIattribsize);
+
+ /* We can keep our old attributes, this is only an update */
+ if (make_spi(st, spi->local_address, st->oSPI, &(st->olifetime),
+ &(st->oSPIattrib), &(st->oSPIattribsize)) == -1) {
+ log_print(__FUNCTION__": make_spi()");
+ return;
+ }
+
+ packet_size = PACKET_BUFFER_SIZE;
+ if (photuris_spi_update(st, packet_buffer, &packet_size) == -1) {
+ log_print(__FUNCTION__": photuris_spi_update()");
+ return;
+ }
+
+ /* Send the packet */
+ sin.sin_port = htons(st->port);
+ sin.sin_family = AF_INET;
+ sin.sin_addr.s_addr = inet_addr(st->address);
+
+ if (sendto(sock, packet_buffer, packet_size, 0,
+ (struct sockaddr *) &sin, sizeof(sin)) != packet_size) {
+ log_error("sendto() in schedule_process()");
+ return;
+ }
+
+#ifdef DEBUG
+ printf("Sending SPI UPDATE to %s.\n", st->address);
+#endif
+ /* Insert Owner SPI */
+ if ((nspi = spi_new(st->address, st->oSPI)) == NULL) {
+ log_error("spi_new() in handle_spi_needed()");
+ return;
+ }
+ if ((nspi->local_address = strdup(spi->local_address)) == NULL) {
+ log_error("strdup() in handle_spi_needed()");
+ spi_value_reset(nspi);
+ return;
+ }
+ bcopy(st->icookie, nspi->icookie, COOKIE_SIZE);
+ nspi->flags |= SPI_OWNER;
+ nspi->attribsize = st->oSPIattribsize;
+ nspi->attributes = calloc(nspi->attribsize, sizeof(u_int8_t));
+ if (nspi->attributes == NULL) {
+ log_error("calloc() in handle_spi_needed()");
+ spi_value_reset(nspi);
+ return;
+ }
+ bcopy(st->oSPIattrib, nspi->attributes, nspi->attribsize);
+ nspi->lifetime = time(NULL) + st->olifetime;
+
+ make_session_keys(st, nspi);
+
+ spi_insert(nspi);
+ spi_update_insert(nspi);
+
+#ifdef IPSEC
+ kernel_insert_spi(st, nspi);
+#endif
+
+ /* Our old SPI has been updated, dont update it again */
+ spi->flags |= SPI_UPDATED;
+}
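Review bot: `ntohl(*(u_int32_t *)spinr)` in the two LOG_DBG calls of spi_update reads four bytes through a u_int32_t pointer, but spinr arrives as the `cookie` byte array of a schedule entry or as `&sa->sadb_sa_spi`, so the cast assumes an alignment the u_int8_t pointer does not guarantee and may fault on strict-alignment targets; copy first, `u_int32_t spival; bcopy(spinr, &spival, sizeof(spival));`, and log `ntohl(spival)`. The log strings carried over from schedule_process still name the old location (`"spi_find() in schedule_process()"`, `"calloc() in schedule_process()"`, `"sendto() in schedule_process()"` and the three `"... in handle_spi_needed()"` messages), which will misdirect anyone reading the logs; the `__FUNCTION__": make_spi()"` form used a few lines later is the one to follow. spi_update_insert computes `seconds = spi->lifetime - tm` without excluding the `-1` "never expires" value that spi_expire honours, so such an SPI would be clamped to 0 and rekeyed immediately; `if (spi->lifetime == -1) return;` before the subtraction closes that. The header comment of spi_update should also record why SPI_UPDATED exists: the schedule and the kernel soft expiry can both request the same rekey, and the flag makes the second request a no-op.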
diff --git a/sbin/photurisd/spi.h b/sbin/photurisd/spi.h
index b20224fb4d7..643ac53a6f0 100644
--- a/sbin/photurisd/spi.h
+++ b/sbin/photurisd/spi.h
@@ -27,7 +27,7 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
-/* $Id: spi.h,v 1.4 2000/12/14 23:28:59 provos Exp $ */
+/* $Id: spi.h,v 1.5 2000/12/15 01:06:51 provos Exp $ */
/*
* spi.h:
* security paramter index creation.
@@ -48,9 +48,10 @@
#define SPI_LIFETIME 1800 /* 30 minutes default lifetime */
-#define SPI_OWNER 1
-#define SPI_NOTIFY 2
-#define SPI_ESP 8 /* Is used for ESP */
+#define SPI_OWNER 0x0001
+#define SPI_NOTIFY 0x0002
+#define SPI_UPDATED 0x0004
+#define SPI_ESP 0x0008 /* Is used for ESP */
struct spiob {
TAILQ_ENTRY(spiob) next; /* Linked list */
@@ -81,5 +82,7 @@ EXTERN struct spiob *spi_find_attrib(char *address,
u_int8_t *attrib, u_int16_t attribsize);
EXTERN struct spiob *spi_find(char *, u_int8_t *);
EXTERN void spi_expire(void);
+EXTERN void spi_update(int, u_int8_t *);
+EXTERN void spi_update_insert(struct spiob *);
#endif /* _SPI_H */
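Review bot: The new prototypes omit parameter names although spi_find_attrib two lines above carries them, and the names are what a caller needs to know which argument is the socket and which the SPI bytes: `EXTERN void spi_update(int sock, u_int8_t *spinr);` and `EXTERN void spi_update_insert(struct spiob *spi);`. In the flags hunk SPI_UPDATED is added without a comment while SPI_ESP has one; `#define SPI_UPDATED 0x0004 /* owner SPI already replaced by a rekey */` documents its meaning where the flag is defined.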