From 25dcef4ae98946f997edc9abfc92b8cba93d5d8a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= Date: Fri, 29 Oct 2010 15:19:22 +0300 Subject: main/ipsec-tools: two new fixes * update adminport to work with huge replies * defer handling of DH calculations for isakmp identity reponse (this helps to handle things in right order if we are getting multiple simultaneous connection requests; this also makes the previous receive buffer size change mostly irrelevant) --- .../70-defer-isakmp-ident-handling.patch | 179 +++++++++++++++++++++ main/ipsec-tools/70-rcvbuf-size.patch | 33 ---- main/ipsec-tools/80-admin-big-reply-fix.patch | 123 ++++++++++++++ main/ipsec-tools/APKBUILD | 8 +- 4 files changed, 307 insertions(+), 36 deletions(-) create mode 100644 main/ipsec-tools/70-defer-isakmp-ident-handling.patch delete mode 100644 main/ipsec-tools/70-rcvbuf-size.patch create mode 100644 main/ipsec-tools/80-admin-big-reply-fix.patch diff --git a/main/ipsec-tools/70-defer-isakmp-ident-handling.patch b/main/ipsec-tools/70-defer-isakmp-ident-handling.patch new file mode 100644 index 000000000..9be37aa15 --- /dev/null +++ b/main/ipsec-tools/70-defer-isakmp-ident-handling.patch 
@@ -0,0 +1,179 @@ +Index: src/racoon/isakmp.c +=================================================================== +RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp.c,v +retrieving revision 1.63 +diff -u -r1.63 isakmp.c +--- a/src/racoon/isakmp.c 21 Oct 2010 06:15:28 -0000 1.63 ++++ b/src/racoon/isakmp.c 29 Oct 2010 10:51:28 -0000 +@@ -130,6 +130,10 @@ + # define SOL_UDP IPPROTO_UDP + # endif /* __NetBSD__ / __FreeBSD__ */ + ++vchar_t *postponed_buf; ++struct sockaddr_storage postponed_remote; ++struct sockaddr_storage postponed_local; ++ + static int nostate1 __P((struct ph1handle *, vchar_t *)); + static int nostate2 __P((struct ph2handle *, vchar_t *)); + +@@ -177,7 +181,7 @@ + + static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */ + +-static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *)); ++/* static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *)); */ + static int ph1_main __P((struct ph1handle *, vchar_t *)); + static int quick_main __P((struct ph2handle *, vchar_t *)); + static int isakmp_ph1begin_r __P((vchar_t *, +@@ -374,10 +378,17 @@ + } + + /* isakmp main routine */ +- if (isakmp_main(buf, (struct sockaddr *)&remote, +- (struct sockaddr *)&local) != 0) goto end; +- +- error = 0; ++ res = isakmp_main(buf, (struct sockaddr *)&remote, ++ (struct sockaddr *)&local); ++ if (res == 0) { ++ error = 0; ++ } else if (res == -42424 && postponed_buf == NULL) { ++ postponed_buf = buf; ++ postponed_remote = remote; ++ postponed_local = local; ++ buf = NULL; ++ error = 0; ++ } + + end: + if (tmpbuf != NULL) +@@ -390,7 +401,7 @@ + /* + * main processing to handle isakmp payload + */ +-static int ++int + isakmp_main(msg, remote, local) + vchar_t *msg; + struct sockaddr *remote, *local; +@@ -399,6 +410,7 @@ + isakmp_index *index = (isakmp_index *)isakmp; + u_int32_t msgid = isakmp->msgid; + struct ph1handle *iph1; ++ int rc; + + #ifdef HAVE_PRINT_ISAKMP_C + isakmp_printpacket(msg, 
remote, local, 0); +@@ -604,12 +616,14 @@ + #endif + + /* call main process of phase 1 */ +- if (ph1_main(iph1, msg) < 0) { +- plog(LLV_ERROR, LOCATION, iph1->remote, +- "phase1 negotiation failed.\n"); +- remph1(iph1); +- delph1(iph1); +- return -1; ++ if ((rc=ph1_main(iph1, msg)) < 0) { ++ if (rc != -42424) { ++ plog(LLV_ERROR, LOCATION, iph1->remote, ++ "phase1 negotiation failed.\n"); ++ remph1(iph1); ++ delph1(iph1); ++ } ++ return rc; + } + break; + +@@ -813,10 +827,11 @@ + "failed to pre-process ph1 packet (side: %d, status %d).\n", + iph1->side, iph1->status); + return -1; +- } else { +- /* ignore the error and keep phase 1 handler */ +- return 0; + } ++ if (error == -42424) ++ return error; ++ /* ignore the error and keep phase 1 handler */ ++ return 0; + } + + #ifndef ENABLE_FRAG +Index: src/racoon/isakmp_ident.c +=================================================================== +RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c,v +retrieving revision 1.13 +diff -u -r1.13 isakmp_ident.c +--- a/src/racoon/isakmp_ident.c 18 Sep 2009 10:31:11 -0000 1.13 ++++ b/src/racoon/isakmp_ident.c 29 Oct 2010 10:51:29 -0000 +@@ -1128,6 +1128,11 @@ + goto end; + } + ++ if (postponed_buf != msg) { ++ error = -42424; ++ goto end; ++ } ++ + /* validate the type of next payload */ + pbuf = isakmp_parse(msg); + if (pbuf == NULL) +Index: src/racoon/isakmp_var.h +=================================================================== +RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h,v +retrieving revision 1.16 +diff -u -r1.16 isakmp_var.h +--- a/src/racoon/isakmp_var.h 3 Sep 2009 09:29:07 -0000 1.16 ++++ b/src/racoon/isakmp_var.h 29 Oct 2010 10:51:29 -0000 +@@ -141,4 +141,10 @@ + u_int32_t setscopeid __P((struct sockaddr *, struct sockaddr *)); + #endif + ++int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *)); ++ ++extern vchar_t *postponed_buf; ++extern struct sockaddr_storage postponed_remote; ++extern struct 
sockaddr_storage postponed_local; ++ + #endif /* _ISAKMP_VAR_H */ +Index: src/racoon/session.c +=================================================================== +RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/session.c,v +retrieving revision 1.28 +diff -u -r1.28 session.c +--- a/src/racoon/session.c 21 Oct 2010 06:15:28 -0000 1.28 ++++ b/src/racoon/session.c 29 Oct 2010 10:51:29 -0000 +@@ -172,7 +172,7 @@ + int + session(void) + { +- struct timeval *timeout; ++ struct timeval *timeout, to_zero = { 0, 0 }; + int error; + char pid_file[MAXPATHLEN]; + FILE *fp; +@@ -295,6 +295,8 @@ + + /* scheduling */ + timeout = schedular(); ++ if (postponed_buf != NULL) ++ timeout = &to_zero; + + /* schedular can change select() mask, so we reset + * the working copy here */ +@@ -332,6 +334,14 @@ + break; + } + ++ if (count == 0 && postponed_buf != NULL) { ++ (void) isakmp_main( ++ postponed_buf, ++ (struct sockaddr *) &postponed_remote, ++ (struct sockaddr *) &postponed_local); ++ vfree(postponed_buf); ++ postponed_buf = NULL; ++ } + } + } + diff --git a/main/ipsec-tools/70-rcvbuf-size.patch b/main/ipsec-tools/70-rcvbuf-size.patch deleted file mode 100644 index 34e295dec..000000000 --- a/main/ipsec-tools/70-rcvbuf-size.patch +++ /dev/null 
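Review bot: In the session.c hunk the deferred packet is only consumed when `count == 0`, so as long as some listening socket stays readable (a burst of peers, or one peer deliberately keeping traffic flowing) the postponed identity message is never processed, and because `postponed_buf` then stays non-NULL every later message reaching the new check in isakmp_ident.c returns -42424 and, since isakmp_handler only stores a buffer when the slot is empty, appears to be dropped — a single deferred DH becomes a stall that an active peer can prolong. `count` is presumably the select() return value (declared outside the hunk); if so, draining the slot after the socket handlers regardless of readiness, `if (postponed_buf != NULL) {`, keeps the "quick packets first" ordering within one loop iteration without letting the slot starve. The -42424 sentinel appears as a bare literal three times in isakmp.c and once in isakmp_ident.c; a named constant in isakmp_var.h next to the new declarations, e.g. `#define ISAKMP_DEFER (-42424)`, would make the rc checks in isakmp_main and ph1_main self-explanatory. The commented-out `/* static int isakmp_main ... */` prototype in isakmp.c should be deleted now that the declaration lives in isakmp_var.h. session()'s loop body and isakmp_handler both start and end outside their hunks.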
@@ -1,33 +0,0 @@ -Index: src/racoon/isakmp.c -=================================================================== -RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp.c,v -retrieving revision 1.60 -diff -u -r1.60 isakmp.c ---- a/src/racoon/isakmp.c 3 Sep 2009 09:29:07 -0000 1.60 -+++ b/src/racoon/isakmp.c 20 Aug 2010 11:59:20 -0000 -@@ -1579,6 +1579,7 @@ - #ifdef ENABLE_NATT - int option = -1; - #endif -+ int rcvSize = 16384; - - /* warn if wildcard address - should we forbid this? */ - switch (addr->sa_family) { -@@ -1706,6 +1707,17 @@ - goto err; - } - -+ /* set receive buffer size - shouldn't be too large otherwise -+ * we can acommodate too long backbuffer of packets and not -+ * able to handle any packets in real time */ -+ if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, -+ (void*) &rcvSize, sizeof(rcvSize)) < 0) { -+ plog(LLV_ERROR, LOCATION, NULL, -+ "failed to set SO_RCVBUF size (%s).\n", -+ strerror(errno)); -+ /* soft-error, continue even if this failed */ -+ } -+ - if (setsockopt_bypass(fd, addr->sa_family) < 0) - goto err; - diff --git a/main/ipsec-tools/80-admin-big-reply-fix.patch b/main/ipsec-tools/80-admin-big-reply-fix.patch new file mode 100644 index 000000000..d3e4b5d57 --- /dev/null +++ b/main/ipsec-tools/80-admin-big-reply-fix.patch 
@@ -0,0 +1,123 @@ +Index: src/racoon/admin.c +=================================================================== +RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/admin.c,v +retrieving revision 1.35 +diff -u -r1.35 admin.c +--- a/src/racoon/admin.c 21 Oct 2010 06:15:28 -0000 1.35 ++++ b/src/racoon/admin.c 29 Oct 2010 10:51:28 -0000 +@@ -638,9 +638,15 @@ + } + + combuf = (struct admin_com *) retbuf; +- combuf->ac_len = tlen; ++ combuf->ac_len = (u_int16_t) tlen; + combuf->ac_cmd = req->ac_cmd & ~ADMIN_FLAG_VERSION; +- combuf->ac_errno = l_ac_errno; ++ if (tlen != (u_int32_t) combuf->ac_len && ++ l_ac_errno == 0) { ++ combuf->ac_len_high = tlen >> 16; ++ combuf->ac_cmd |= ADMIN_FLAG_LONG_REPLY; ++ } else { ++ combuf->ac_errno = l_ac_errno; ++ } + combuf->ac_proto = req->ac_proto; + + if (buf != NULL) +Index: src/racoon/admin.h +=================================================================== +RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/admin.h,v +retrieving revision 1.7 +diff -u -r1.7 admin.h +--- a/src/racoon/admin.h 29 Aug 2008 00:30:15 -0000 1.7 ++++ b/src/racoon/admin.h 29 Oct 2010 10:51:28 -0000 +@@ -49,16 +49,19 @@ + union { + int16_t ac_un_errno; + uint16_t ac_un_version; ++ uint16_t ac_un_len_high; + } u; + u_int16_t ac_proto; + }; + #define ac_errno u.ac_un_errno + #define ac_version u.ac_un_version ++#define ac_len_high u.ac_un_len_high + + /* + * Version field in request is valid. + */ + #define ADMIN_FLAG_VERSION 0x8000 ++#define ADMIN_FLAG_LONG_REPLY 0x8000 + + /* + * No data follows as the data. 
+Index: src/racoon/kmpstat.c +=================================================================== +RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/kmpstat.c,v +retrieving revision 1.6 +diff -u -r1.6 kmpstat.c +--- a/src/racoon/kmpstat.c 2 Oct 2007 09:47:45 -0000 1.6 ++++ b/src/racoon/kmpstat.c 29 Oct 2010 10:51:29 -0000 +@@ -138,7 +138,7 @@ + { + struct admin_com h, *com; + caddr_t buf; +- int len; ++ int len, rlen; + int l = 0; + caddr_t p; + +@@ -153,19 +153,25 @@ + if (len < sizeof(h)) + goto bad1; + +- if (h.ac_errno) { ++ if (h.ac_errno && !(h.ac_cmd & ADMIN_FLAG_LONG_REPLY)) { + errno = h.ac_errno; + goto bad1; + } + ++ /* real length */ ++ if (h.ac_cmd & ADMIN_FLAG_LONG_REPLY) ++ rlen = ((u_int32_t)h.ac_len) + (((u_int32_t)h.ac_len_high) << 16); ++ else ++ rlen = h.ac_len; ++ + /* allocate buffer */ +- if ((*combufp = vmalloc(h.ac_len)) == NULL) ++ if ((*combufp = vmalloc(rlen)) == NULL) + goto bad1; + + /* read real message */ + p = (*combufp)->v; +- while (l < len) { +- if ((len = recv(so, p, h.ac_len, 0)) < 0) { ++ while (l < rlen) { ++ if ((len = recv(so, p, rlen - l, 0)) < 0) { + perror("recv"); + goto bad2; + } +Index: src/racoon/racoonctl.c +=================================================================== +RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/racoonctl.c,v +retrieving revision 1.17 +diff -u -r1.17 racoonctl.c +--- a/src/racoon/racoonctl.c 20 Apr 2009 13:22:00 -0000 1.17 ++++ b/src/racoon/racoonctl.c 29 Oct 2010 10:51:29 -0000 +@@ -1426,10 +1426,14 @@ + int len; + + com = (struct admin_com *)combuf->v; +- len = com->ac_len - sizeof(*com); ++ if (com->ac_cmd & ADMIN_FLAG_LONG_REPLY) ++ len = ((u_int32_t)com->ac_len) + (((u_int32_t)com->ac_len_high) << 16); ++ else ++ len = com->ac_len; ++ len -= sizeof(*com); + buf = combuf->v + sizeof(*com); + +- switch (com->ac_cmd) { ++ switch (com->ac_cmd & ~ADMIN_FLAG_LONG_REPLY) { + case ADMIN_SHOW_SCHED: + print_schedule(buf, len); + break; + 
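Review bot: In kmpstat.c the reassembled `rlen` is never range-checked before `vmalloc(rlen)`: only the header read is compared against `sizeof(h)`, so a reply whose 32-bit length is smaller than `sizeof(struct admin_com)` leaves racoonctl.c computing `len -= sizeof(*com)` on too small a value and `buf = combuf->v + sizeof(*com)` pointing past the allocation, and a length of 0x80000000 or more goes negative in the `int rlen`. Declaring it `u_int32_t rlen;` and adding `if (rlen < sizeof(h)) goto bad1;` right after the length is computed, plus whatever upper bound the admin protocol can justify, closes both holes. On the daemon side, when `tlen` does not fit in 16 bits but `l_ac_errno != 0` the else branch in admin.c sends the truncated `ac_len` without ADMIN_FLAG_LONG_REPLY, so the client would read fewer bytes than were written and leave the remainder queued on the socket; presumably error replies carry no large body, but that assumption deserves a comment or an explicit drop of the body in that branch. ADMIN_FLAG_LONG_REPLY also reuses the ADMIN_FLAG_VERSION bit, which only works because one is meaningful in requests and the other in replies — worth a one-line comment next to the define. The enclosing functions in all three files start and end outside the hunk.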
diff --git a/main/ipsec-tools/APKBUILD b/main/ipsec-tools/APKBUILD
index 7421b05d7..8315f484b 100644
--- a/main/ipsec-tools/APKBUILD
+++ b/main/ipsec-tools/APKBUILD
@@ -2,7 +2,7 @@
 pkgname=ipsec-tools
 pkgver=0.8_alpha20101022
 _myver=0.8-alpha20101022
-pkgrel=0
+pkgrel=1
 pkgdesc="User-space IPsec tools for various IPsec implementations"
 url="http://ipsec-tools.sourceforge.net/"
 license="BSD"
@@ -13,8 +13,9 @@ source="http://downloads.sourceforge.net/$pkgname/$pkgname-$_myver.tar.gz
 	racoon.initd
 	racoon.confd
 	50-reverse-connect.patch
-	70-rcvbuf-size.patch
+	70-defer-isakmp-ident-handling.patch
 	75-racoonctl-rcvbuf.patch
+	80-admin-big-reply-fix.patch
 	90-dpd-window-fix.patch
 	"
 
@@ -59,6 +60,7 @@ md5sums="1492b83edc944b5d32d2eff51e33399e ipsec-tools-0.8-alpha20101022.tar.gz
 74f12ed04ed273a738229c0bfbf829cc racoon.initd
 2d00250cf72da7f2f559c91b65a48747 racoon.confd
 13bda94a598aabf593280e04ea16065d 50-reverse-connect.patch
-f40c78e4ca4b92d2bf74e4fcf3a8d91f 70-rcvbuf-size.patch
+94773c94233e14cdce0fa02ff780a43e 70-defer-isakmp-ident-handling.patch
 2d5d24c4a3684a38584f88720f71c7d6 75-racoonctl-rcvbuf.patch
+c3898b162d284bc163f99cc52925b52a 80-admin-big-reply-fix.patch
 0391a6967ad19673588302bc8b17e0e2 90-dpd-window-fix.patch"
-- cgit v1.2.3