From 043fc181319ee73fe6e7a764eb487a9c73af0790 Mon Sep 17 00:00:00 2001
From: Markus Friedl
Date: Wed, 9 Jul 2014 12:05:02 +0000
Subject: expire IPcomp SAs too; ok mikeb (some time ago)

---
 sbin/iked/ikev2.c | 11 +++++++++--
 sbin/iked/pfkey.c | 14 +++++++++++---
 2 files changed, 20 insertions(+), 5 deletions(-)

(limited to 'sbin/iked')

diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index ed958c7e70a..c2bf3573a90 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.113 2014/05/13 14:24:35 markus Exp $ */
+/* $OpenBSD: ikev2.c,v 1.114 2014/07/09 12:05:01 markus Exp $ */
 
 /*
  * Copyright (c) 2010-2013 Reyk Floeter
@@ -4480,7 +4480,6 @@ ikev2_ipcomp_enable(struct iked *env, struct iked_sa *sa)
 csa->csa_dir = IPSP_DIRECTION_OUT;
 csa->csa_local = &sa->sa_local;
 csa->csa_peer = &sa->sa_peer;
- csa->csa_persistent = 1;
 
 memcpy(csb, csa, sizeof(*csb));
 csb->csa_spi.spi = csa->csa_peerspi;
@@ -4804,6 +4803,8 @@ ikev2_rekey_sa(struct iked *env, struct iked_spi *rekey)
 
 if (csa->csa_rekey) /* See if it's already taken care of */
 return (0);
+ if (csa->csa_saproto == IKEV2_SAPROTO_IPCOMP) /* no rekey */
+ return (0);
 if ((sa = csa->csa_ikesa) == NULL) {
 log_warnx("%s: SA %s doesn't have a parent SA", __func__,
 print_spi(rekey->spi, rekey->spi_size));
@@ -4850,6 +4851,12 @@ ikev2_drop_sa(struct iked *env, struct iked_spi *drop)
 log_debug("%s: failed to find a parent SA", __func__);
 return (0);
 }
+ if (csa->csa_saproto == IKEV2_SAPROTO_IPCOMP) {
+ /* matching Child SAs (e.g. ESP) should have expired by now */
+ if (csa->csa_children == 0)
+ ikev2_ipcomp_csa_free(env, csa);
+ return (0);
+ }
 
 if (csa->csa_allocated)
 spi32 = htobe32(csa->csa_spi.spi);
diff --git a/sbin/iked/pfkey.c b/sbin/iked/pfkey.c
index b92138cb7f6..97cf5658667 100644
--- a/sbin/iked/pfkey.c
+++ b/sbin/iked/pfkey.c
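Review bot: With `csa->csa_persistent = 1;` gone from ikev2_ipcomp_enable, nothing at this site tells the reader that the IPcomp pair is now meant to expire like an ordinary child SA, and `csb` inherits the same setting through the `memcpy` on the following line. A one-line comment would save the next maintainer a trip to pfkey_sa(), e.g. `/* not persistent: the kernel expires IPcomp SAs on a doubled time lifetime, see pfkey_sa() */`. ikev2_ipcomp_enable begins before this hunk and continues after it.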
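Review bot: The new early return in ikev2_rekey_sa discards the soft-expire of an IPcomp SA without a trace, so when the ESP SA this CPI belongs to has not been rekeyed as expected, the silent return is the only evidence left. Suggest `log_debug("%s: not rekeying IPcomp SA %s", __func__, print_spi(rekey->spi, rekey->spi_size));` before the `return (0);`, mirroring the log_warnx three lines below. The `/* no rekey */` comment could also say why: presumably a fresh IPcomp SA is set up together with the replacing ESP child SA rather than rekeyed on its own — confirm and spell that out. ikev2_rekey_sa begins before this hunk and continues after it.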
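Review bot: When `csa->csa_children` is non-zero, the IPcomp branch in ikev2_drop_sa returns without freeing or replacing the SA and without saying so; the comment only asserts that the matching ESP SAs "should have expired by now", so the case where they have not is exactly the one that deserves a log line. Suggest an else arm: `else log_warnx("%s: IPcomp SA %s hard-expired with child SAs still attached", __func__, print_spi(drop->spi, drop->spi_size));`. The kernel has presumably already removed the SA on this hard expire, leaving iked with a stale entry, so it is worth confirming whether the remaining child SAs must be torn down here as well. ikev2_drop_sa begins before this hunk and continues after it.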
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkey.c,v 1.37 2014/05/09 06:37:24 markus Exp $ */
+/* $OpenBSD: pfkey.c,v 1.38 2014/07/09 12:05:01 markus Exp $ */
 
 /*
  * Copyright (c) 2010-2013 Reyk Floeter
@@ -510,14 +510,18 @@ pfkey_sa(int sd, u_int8_t satype, u_int8_t action, struct iked_childsa *sa)
 sa_ltime_hard.sadb_lifetime_bytes = lt->lt_bytes;
 sa_ltime_hard.sadb_lifetime_addtime = lt->lt_seconds;
 
+ /* double the lifetime for IP compression */
+ if (satype == SADB_X_SATYPE_IPCOMP)
+ sa_ltime_hard.sadb_lifetime_addtime *= 2;
+
 sa_ltime_soft.sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
 sa_ltime_soft.sadb_lifetime_len = sizeof(sa_ltime_soft) / 8;
 /* set randomly to 85-95% */
 jitter = 850 + arc4random_uniform(100);
 sa_ltime_soft.sadb_lifetime_bytes =
- (lt->lt_bytes * jitter) / 1000;
+ (sa_ltime_hard.sadb_lifetime_bytes * jitter) / 1000;
 sa_ltime_soft.sadb_lifetime_addtime =
- (lt->lt_seconds * jitter) / 1000;
+ (sa_ltime_hard.sadb_lifetime_addtime * jitter) / 1000;
 }
 
 /* XXX handle NULL encryption or NULL auth or combined encr/auth */
@@ -1794,6 +1798,10 @@ out:
 case SADB_SATYPE_ESP:
 spi.spi_protoid = IKEV2_SAPROTO_ESP;
 break;
+ case SADB_X_SATYPE_IPCOMP:
+ spi.spi_size = 2;
+ spi.spi_protoid = IKEV2_SAPROTO_IPCOMP;
+ break;
 default:
 log_warnx("%s: unsupported SA type %d spi %s", __func__,
 hdr->sadb_msg_satype,
--
cgit v1.2.3
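Review bot: Only the time lifetime is doubled for IPcomp in pfkey_sa; `sa_ltime_hard.sadb_lifetime_bytes` stays at `lt->lt_bytes`, and because the soft values are now derived from the hard ones, the IPcomp SA ends up with the same byte limit as the ESP SA it accompanies. When the byte limit is the one that fires first, the headroom the doubled time lifetime is meant to provide — the ESP SA expiring before its IPcomp SA — is absent, at least on whichever of the two counts more bytes. Either add `sa_ltime_hard.sadb_lifetime_bytes *= 2;` under the same `if`, or narrow the comment to `/* double the time lifetime for IP compression; the byte lifetime is left as is */` so the asymmetry reads as deliberate. pfkey_sa begins before this hunk and continues after it.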
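Review bot: `spi.spi_size = 2;` in the new SADB_X_SATYPE_IPCOMP case is the only place in the visible switch that sets spi_size at all, so a short comment is due, e.g. `/* IPcomp identifies an SA by a 16-bit CPI, not a 32-bit SPI (RFC 3173) */`. It is also worth confirming that the value already in `spi.spi` at this point, presumably taken from the sadb_sa extension earlier in the function, is stored the same way ikev2_ipcomp_enable stores csa_spi.spi, or the lookup that uses this spi will not find the IPcomp child SA; the enclosing function and that assignment are outside this hunk.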