From 25dcef4ae98946f997edc9abfc92b8cba93d5d8a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= Date: Fri, 29 Oct 2010 15:19:22 +0300 Subject: main/ipsec-tools: two new fixes * update adminport to work with huge replies * defer handling of DH calculations for isakmp identity reponse (this helps to handle things in right order if we are getting multiple simultaneous connection requests; this also makes the previous receive buffer size change mostly irrelevant) --- .../70-defer-isakmp-ident-handling.patch | 179 +++++++++++++++++++++ 1 file changed, 179 insertions(+) create mode 100644 main/ipsec-tools/70-defer-isakmp-ident-handling.patch (limited to 'main/ipsec-tools/70-defer-isakmp-ident-handling.patch') diff --git a/main/ipsec-tools/70-defer-isakmp-ident-handling.patch b/main/ipsec-tools/70-defer-isakmp-ident-handling.patch new file mode 100644 index 0000000000..9be37aa154 --- /dev/null +++ b/main/ipsec-tools/70-defer-isakmp-ident-handling.patch @@ -0,0 +1,179 @@ +Index: src/racoon/isakmp.c +=================================================================== +RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp.c,v +retrieving revision 1.63 +diff -u -r1.63 isakmp.c +--- a/src/racoon/isakmp.c 21 Oct 2010 06:15:28 -0000 1.63 ++++ b/src/racoon/isakmp.c 29 Oct 2010 10:51:28 -0000 +@@ -130,6 +130,10 @@ + # define SOL_UDP IPPROTO_UDP + # endif /* __NetBSD__ / __FreeBSD__ */ + ++vchar_t *postponed_buf; ++struct sockaddr_storage postponed_remote; ++struct sockaddr_storage postponed_local; ++ + static int nostate1 __P((struct ph1handle *, vchar_t *)); + static int nostate2 __P((struct ph2handle *, vchar_t *)); + +@@ -177,7 +181,7 @@ + + static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */ + +-static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *)); ++/* static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *)); */ + static int ph1_main __P((struct ph1handle *, vchar_t *)); + static int quick_main __P((struct ph2handle *, vchar_t *)); + static int isakmp_ph1begin_r __P((vchar_t *, +@@ -374,10 +378,17 @@ + } + + /* isakmp main routine */ +- if (isakmp_main(buf, (struct sockaddr *)&remote, +- (struct sockaddr *)&local) != 0) goto end; +- +- error = 0; ++ res = isakmp_main(buf, (struct sockaddr *)&remote, ++ (struct sockaddr *)&local); ++ if (res == 0) { ++ error = 0; ++ } else if (res == -42424 && postponed_buf == NULL) { ++ postponed_buf = buf; ++ postponed_remote = remote; ++ postponed_local = local; ++ buf = NULL; ++ error = 0; ++ } + + end: + if (tmpbuf != NULL) +@@ -390,7 +401,7 @@ + /* + * main processing to handle isakmp payload + */ +-static int ++int + isakmp_main(msg, remote, local) + vchar_t *msg; + struct sockaddr *remote, *local; +@@ -399,6 +410,7 @@ + isakmp_index *index = (isakmp_index *)isakmp; + u_int32_t msgid = isakmp->msgid; + struct ph1handle *iph1; ++ int rc; + + #ifdef HAVE_PRINT_ISAKMP_C + isakmp_printpacket(msg, remote, local, 0); +@@ -604,12 +616,14 @@ + #endif + + /* call main process of phase 1 */ +- if (ph1_main(iph1, msg) < 0) { +- plog(LLV_ERROR, LOCATION, iph1->remote, +- "phase1 negotiation failed.\n"); +- remph1(iph1); +- delph1(iph1); +- return -1; ++ if ((rc=ph1_main(iph1, msg)) < 0) { ++ if (rc != -42424) { ++ plog(LLV_ERROR, LOCATION, iph1->remote, ++ "phase1 negotiation failed.\n"); ++ remph1(iph1); ++ delph1(iph1); ++ } ++ return rc; + } + break; + +@@ -813,10 +827,11 @@ + "failed to pre-process ph1 packet (side: %d, status %d).\n", + iph1->side, iph1->status); + return -1; +- } else { +- /* ignore the error and keep phase 1 handler */ +- return 0; + } ++ if (error == -42424) ++ return error; ++ /* ignore the error and keep phase 1 handler */ ++ return 0; + } + + #ifndef ENABLE_FRAG +Index: src/racoon/isakmp_ident.c +=================================================================== +RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c,v +retrieving revision 1.13 +diff -u -r1.13 isakmp_ident.c +--- a/src/racoon/isakmp_ident.c 18 Sep 2009 10:31:11 -0000 1.13 ++++ b/src/racoon/isakmp_ident.c 29 Oct 2010 10:51:29 -0000 +@@ -1128,6 +1128,11 @@ + goto end; + } + ++ if (postponed_buf != msg) { ++ error = -42424; ++ goto end; ++ } ++ + /* validate the type of next payload */ + pbuf = isakmp_parse(msg); + if (pbuf == NULL) +Index: src/racoon/isakmp_var.h +=================================================================== +RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h,v +retrieving revision 1.16 +diff -u -r1.16 isakmp_var.h +--- a/src/racoon/isakmp_var.h 3 Sep 2009 09:29:07 -0000 1.16 ++++ b/src/racoon/isakmp_var.h 29 Oct 2010 10:51:29 -0000 +@@ -141,4 +141,10 @@ + u_int32_t setscopeid __P((struct sockaddr *, struct sockaddr *)); + #endif + ++int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *)); ++ ++extern vchar_t *postponed_buf; ++extern struct sockaddr_storage postponed_remote; ++extern struct sockaddr_storage postponed_local; ++ + #endif /* _ISAKMP_VAR_H */ +Index: src/racoon/session.c +=================================================================== +RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/session.c,v +retrieving revision 1.28 +diff -u -r1.28 session.c +--- a/src/racoon/session.c 21 Oct 2010 06:15:28 -0000 1.28 ++++ b/src/racoon/session.c 29 Oct 2010 10:51:29 -0000 +@@ -172,7 +172,7 @@ + int + session(void) + { +- struct timeval *timeout; ++ struct timeval *timeout, to_zero = { 0, 0 }; + int error; + char pid_file[MAXPATHLEN]; + FILE *fp; +@@ -295,6 +295,8 @@ + + /* scheduling */ + timeout = schedular(); ++ if (postponed_buf != NULL) ++ timeout = &to_zero; + + /* schedular can change select() mask, so we reset + * the working copy here */ +@@ -332,6 +334,14 @@ + break; + } + ++ if (count == 0 && postponed_buf != NULL) { ++ (void) isakmp_main( ++ postponed_buf, ++ (struct sockaddr *) &postponed_remote, ++ (struct sockaddr *) &postponed_local); ++ vfree(postponed_buf); ++ postponed_buf = NULL; ++ } + } + } + -- cgit v1.2.3