summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTimo Teräs <timo.teras@iki.fi>2010-10-29 15:19:22 +0300
committerTimo Teräs <timo.teras@iki.fi>2010-10-29 15:19:22 +0300
commit25dcef4ae98946f997edc9abfc92b8cba93d5d8a (patch)
treecac1fc23d5849e92d843710522403f4d462a0379
parent2ecaffa7b438d977c163eac6885f089971533279 (diff)
main/ipsec-tools: two new fixes
* update adminport to work with huge replies * defer handling of DH calculations for isakmp identity reponse (this helps to handle things in right order if we are getting multiple simultaneous connection requests; this also makes the previous receive buffer size change mostly irrelevant)
-rw-r--r--main/ipsec-tools/70-defer-isakmp-ident-handling.patch179
-rw-r--r--main/ipsec-tools/70-rcvbuf-size.patch33
-rw-r--r--main/ipsec-tools/80-admin-big-reply-fix.patch123
-rw-r--r--main/ipsec-tools/APKBUILD8
4 files changed, 307 insertions, 36 deletions
diff --git a/main/ipsec-tools/70-defer-isakmp-ident-handling.patch b/main/ipsec-tools/70-defer-isakmp-ident-handling.patch
new file mode 100644
index 00000000000..9be37aa1545
--- /dev/null
+++ b/main/ipsec-tools/70-defer-isakmp-ident-handling.patch
@@ -0,0 +1,179 @@
+Index: src/racoon/isakmp.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp.c,v
+retrieving revision 1.63
+diff -u -r1.63 isakmp.c
+--- a/src/racoon/isakmp.c 21 Oct 2010 06:15:28 -0000 1.63
++++ b/src/racoon/isakmp.c 29 Oct 2010 10:51:28 -0000
+@@ -130,6 +130,10 @@
+ # define SOL_UDP IPPROTO_UDP
+ # endif /* __NetBSD__ / __FreeBSD__ */
+
++vchar_t *postponed_buf;
++struct sockaddr_storage postponed_remote;
++struct sockaddr_storage postponed_local;
++
+ static int nostate1 __P((struct ph1handle *, vchar_t *));
+ static int nostate2 __P((struct ph2handle *, vchar_t *));
+
+@@ -177,7 +181,7 @@
+
+ static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */
+
+-static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *));
++/* static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *)); */
+ static int ph1_main __P((struct ph1handle *, vchar_t *));
+ static int quick_main __P((struct ph2handle *, vchar_t *));
+ static int isakmp_ph1begin_r __P((vchar_t *,
+@@ -374,10 +378,17 @@
+ }
+
+ /* isakmp main routine */
+- if (isakmp_main(buf, (struct sockaddr *)&remote,
+- (struct sockaddr *)&local) != 0) goto end;
+-
+- error = 0;
++ res = isakmp_main(buf, (struct sockaddr *)&remote,
++ (struct sockaddr *)&local);
++ if (res == 0) {
++ error = 0;
++ } else if (res == -42424 && postponed_buf == NULL) {
++ postponed_buf = buf;
++ postponed_remote = remote;
++ postponed_local = local;
++ buf = NULL;
++ error = 0;
++ }
+
+ end:
+ if (tmpbuf != NULL)
+@@ -390,7 +401,7 @@
+ /*
+ * main processing to handle isakmp payload
+ */
+-static int
++int
+ isakmp_main(msg, remote, local)
+ vchar_t *msg;
+ struct sockaddr *remote, *local;
+@@ -399,6 +410,7 @@
+ isakmp_index *index = (isakmp_index *)isakmp;
+ u_int32_t msgid = isakmp->msgid;
+ struct ph1handle *iph1;
++ int rc;
+
+ #ifdef HAVE_PRINT_ISAKMP_C
+ isakmp_printpacket(msg, remote, local, 0);
+@@ -604,12 +616,14 @@
+ #endif
+
+ /* call main process of phase 1 */
+- if (ph1_main(iph1, msg) < 0) {
+- plog(LLV_ERROR, LOCATION, iph1->remote,
+- "phase1 negotiation failed.\n");
+- remph1(iph1);
+- delph1(iph1);
+- return -1;
++ if ((rc=ph1_main(iph1, msg)) < 0) {
++ if (rc != -42424) {
++ plog(LLV_ERROR, LOCATION, iph1->remote,
++ "phase1 negotiation failed.\n");
++ remph1(iph1);
++ delph1(iph1);
++ }
++ return rc;
+ }
+ break;
+
+@@ -813,10 +827,11 @@
+ "failed to pre-process ph1 packet (side: %d, status %d).\n",
+ iph1->side, iph1->status);
+ return -1;
+- } else {
+- /* ignore the error and keep phase 1 handler */
+- return 0;
+ }
++ if (error == -42424)
++ return error;
++ /* ignore the error and keep phase 1 handler */
++ return 0;
+ }
+
+ #ifndef ENABLE_FRAG
+Index: src/racoon/isakmp_ident.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c,v
+retrieving revision 1.13
+diff -u -r1.13 isakmp_ident.c
+--- a/src/racoon/isakmp_ident.c 18 Sep 2009 10:31:11 -0000 1.13
++++ b/src/racoon/isakmp_ident.c 29 Oct 2010 10:51:29 -0000
+@@ -1128,6 +1128,11 @@
+ goto end;
+ }
+
++ if (postponed_buf != msg) {
++ error = -42424;
++ goto end;
++ }
++
+ /* validate the type of next payload */
+ pbuf = isakmp_parse(msg);
+ if (pbuf == NULL)
+Index: src/racoon/isakmp_var.h
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h,v
+retrieving revision 1.16
+diff -u -r1.16 isakmp_var.h
+--- a/src/racoon/isakmp_var.h 3 Sep 2009 09:29:07 -0000 1.16
++++ b/src/racoon/isakmp_var.h 29 Oct 2010 10:51:29 -0000
+@@ -141,4 +141,10 @@
+ u_int32_t setscopeid __P((struct sockaddr *, struct sockaddr *));
+ #endif
+
++int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *));
++
++extern vchar_t *postponed_buf;
++extern struct sockaddr_storage postponed_remote;
++extern struct sockaddr_storage postponed_local;
++
+ #endif /* _ISAKMP_VAR_H */
+Index: src/racoon/session.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/session.c,v
+retrieving revision 1.28
+diff -u -r1.28 session.c
+--- a/src/racoon/session.c 21 Oct 2010 06:15:28 -0000 1.28
++++ b/src/racoon/session.c 29 Oct 2010 10:51:29 -0000
+@@ -172,7 +172,7 @@
+ int
+ session(void)
+ {
+- struct timeval *timeout;
++ struct timeval *timeout, to_zero = { 0, 0 };
+ int error;
+ char pid_file[MAXPATHLEN];
+ FILE *fp;
+@@ -295,6 +295,8 @@
+
+ /* scheduling */
+ timeout = schedular();
++ if (postponed_buf != NULL)
++ timeout = &to_zero;
+
+ /* schedular can change select() mask, so we reset
+ * the working copy here */
+@@ -332,6 +334,14 @@
+ break;
+ }
+
++ if (count == 0 && postponed_buf != NULL) {
++ (void) isakmp_main(
++ postponed_buf,
++ (struct sockaddr *) &postponed_remote,
++ (struct sockaddr *) &postponed_local);
++ vfree(postponed_buf);
++ postponed_buf = NULL;
++ }
+ }
+ }
+
diff --git a/main/ipsec-tools/70-rcvbuf-size.patch b/main/ipsec-tools/70-rcvbuf-size.patch
deleted file mode 100644
index 34e295decfc..00000000000
--- a/main/ipsec-tools/70-rcvbuf-size.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Index: src/racoon/isakmp.c
-===================================================================
-RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp.c,v
-retrieving revision 1.60
-diff -u -r1.60 isakmp.c
---- a/src/racoon/isakmp.c 3 Sep 2009 09:29:07 -0000 1.60
-+++ b/src/racoon/isakmp.c 20 Aug 2010 11:59:20 -0000
-@@ -1579,6 +1579,7 @@
- #ifdef ENABLE_NATT
- int option = -1;
- #endif
-+ int rcvSize = 16384;
-
- /* warn if wildcard address - should we forbid this? */
- switch (addr->sa_family) {
-@@ -1706,6 +1707,17 @@
- goto err;
- }
-
-+ /* set receive buffer size - shouldn't be too large otherwise
-+ * we can acommodate too long backbuffer of packets and not
-+ * able to handle any packets in real time */
-+ if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF,
-+ (void*) &rcvSize, sizeof(rcvSize)) < 0) {
-+ plog(LLV_ERROR, LOCATION, NULL,
-+ "failed to set SO_RCVBUF size (%s).\n",
-+ strerror(errno));
-+ /* soft-error, continue even if this failed */
-+ }
-+
- if (setsockopt_bypass(fd, addr->sa_family) < 0)
- goto err;
-
diff --git a/main/ipsec-tools/80-admin-big-reply-fix.patch b/main/ipsec-tools/80-admin-big-reply-fix.patch
new file mode 100644
index 00000000000..d3e4b5d570d
--- /dev/null
+++ b/main/ipsec-tools/80-admin-big-reply-fix.patch
@@ -0,0 +1,123 @@
+Index: src/racoon/admin.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/admin.c,v
+retrieving revision 1.35
+diff -u -r1.35 admin.c
+--- a/src/racoon/admin.c 21 Oct 2010 06:15:28 -0000 1.35
++++ b/src/racoon/admin.c 29 Oct 2010 10:51:28 -0000
+@@ -638,9 +638,15 @@
+ }
+
+ combuf = (struct admin_com *) retbuf;
+- combuf->ac_len = tlen;
++ combuf->ac_len = (u_int16_t) tlen;
+ combuf->ac_cmd = req->ac_cmd & ~ADMIN_FLAG_VERSION;
+- combuf->ac_errno = l_ac_errno;
++ if (tlen != (u_int32_t) combuf->ac_len &&
++ l_ac_errno == 0) {
++ combuf->ac_len_high = tlen >> 16;
++ combuf->ac_cmd |= ADMIN_FLAG_LONG_REPLY;
++ } else {
++ combuf->ac_errno = l_ac_errno;
++ }
+ combuf->ac_proto = req->ac_proto;
+
+ if (buf != NULL)
+Index: src/racoon/admin.h
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/admin.h,v
+retrieving revision 1.7
+diff -u -r1.7 admin.h
+--- a/src/racoon/admin.h 29 Aug 2008 00:30:15 -0000 1.7
++++ b/src/racoon/admin.h 29 Oct 2010 10:51:28 -0000
+@@ -49,16 +49,19 @@
+ union {
+ int16_t ac_un_errno;
+ uint16_t ac_un_version;
++ uint16_t ac_un_len_high;
+ } u;
+ u_int16_t ac_proto;
+ };
+ #define ac_errno u.ac_un_errno
+ #define ac_version u.ac_un_version
++#define ac_len_high u.ac_un_len_high
+
+ /*
+ * Version field in request is valid.
+ */
+ #define ADMIN_FLAG_VERSION 0x8000
++#define ADMIN_FLAG_LONG_REPLY 0x8000
+
+ /*
+ * No data follows as the data.
+Index: src/racoon/kmpstat.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/kmpstat.c,v
+retrieving revision 1.6
+diff -u -r1.6 kmpstat.c
+--- a/src/racoon/kmpstat.c 2 Oct 2007 09:47:45 -0000 1.6
++++ b/src/racoon/kmpstat.c 29 Oct 2010 10:51:29 -0000
+@@ -138,7 +138,7 @@
+ {
+ struct admin_com h, *com;
+ caddr_t buf;
+- int len;
++ int len, rlen;
+ int l = 0;
+ caddr_t p;
+
+@@ -153,19 +153,25 @@
+ if (len < sizeof(h))
+ goto bad1;
+
+- if (h.ac_errno) {
++ if (h.ac_errno && !(h.ac_cmd & ADMIN_FLAG_LONG_REPLY)) {
+ errno = h.ac_errno;
+ goto bad1;
+ }
+
++ /* real length */
++ if (h.ac_cmd & ADMIN_FLAG_LONG_REPLY)
++ rlen = ((u_int32_t)h.ac_len) + (((u_int32_t)h.ac_len_high) << 16);
++ else
++ rlen = h.ac_len;
++
+ /* allocate buffer */
+- if ((*combufp = vmalloc(h.ac_len)) == NULL)
++ if ((*combufp = vmalloc(rlen)) == NULL)
+ goto bad1;
+
+ /* read real message */
+ p = (*combufp)->v;
+- while (l < len) {
+- if ((len = recv(so, p, h.ac_len, 0)) < 0) {
++ while (l < rlen) {
++ if ((len = recv(so, p, rlen - l, 0)) < 0) {
+ perror("recv");
+ goto bad2;
+ }
+Index: src/racoon/racoonctl.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/racoonctl.c,v
+retrieving revision 1.17
+diff -u -r1.17 racoonctl.c
+--- a/src/racoon/racoonctl.c 20 Apr 2009 13:22:00 -0000 1.17
++++ b/src/racoon/racoonctl.c 29 Oct 2010 10:51:29 -0000
+@@ -1426,10 +1426,14 @@
+ int len;
+
+ com = (struct admin_com *)combuf->v;
+- len = com->ac_len - sizeof(*com);
++ if (com->ac_cmd & ADMIN_FLAG_LONG_REPLY)
++ len = ((u_int32_t)com->ac_len) + (((u_int32_t)com->ac_len_high) << 16);
++ else
++ len = com->ac_len;
++ len -= sizeof(*com);
+ buf = combuf->v + sizeof(*com);
+
+- switch (com->ac_cmd) {
++ switch (com->ac_cmd & ~ADMIN_FLAG_LONG_REPLY) {
+ case ADMIN_SHOW_SCHED:
+ print_schedule(buf, len);
+ break;
+
diff --git a/main/ipsec-tools/APKBUILD b/main/ipsec-tools/APKBUILD
index 7421b05d77a..8315f484bd6 100644
--- a/main/ipsec-tools/APKBUILD
+++ b/main/ipsec-tools/APKBUILD
@@ -2,7 +2,7 @@
pkgname=ipsec-tools
pkgver=0.8_alpha20101022
_myver=0.8-alpha20101022
-pkgrel=0
+pkgrel=1
pkgdesc="User-space IPsec tools for various IPsec implementations"
url="http://ipsec-tools.sourceforge.net/"
license="BSD"
@@ -13,8 +13,9 @@ source="http://downloads.sourceforge.net/$pkgname/$pkgname-$_myver.tar.gz
racoon.initd
racoon.confd
50-reverse-connect.patch
- 70-rcvbuf-size.patch
+ 70-defer-isakmp-ident-handling.patch
75-racoonctl-rcvbuf.patch
+ 80-admin-big-reply-fix.patch
90-dpd-window-fix.patch
"
@@ -59,6 +60,7 @@ md5sums="1492b83edc944b5d32d2eff51e33399e ipsec-tools-0.8-alpha20101022.tar.gz
74f12ed04ed273a738229c0bfbf829cc racoon.initd
2d00250cf72da7f2f559c91b65a48747 racoon.confd
13bda94a598aabf593280e04ea16065d 50-reverse-connect.patch
-f40c78e4ca4b92d2bf74e4fcf3a8d91f 70-rcvbuf-size.patch
+94773c94233e14cdce0fa02ff780a43e 70-defer-isakmp-ident-handling.patch
2d5d24c4a3684a38584f88720f71c7d6 75-racoonctl-rcvbuf.patch
+c3898b162d284bc163f99cc52925b52a 80-admin-big-reply-fix.patch
0391a6967ad19673588302bc8b17e0e2 90-dpd-window-fix.patch"