author | 1999-02-27 09:59:36 +0000 | |
---|---|---|
committer | 1999-02-27 09:59:36 +0000 | |
commit | 10a439e7ff8a3001b6ca5de591a937d1c943df1f (patch) | |
tree | 09337b38032c8bb59a87437edc5a003297f3f9b0 | |
parent | man page names are not paths (diff) | |
ipsec.c: Merge with EOM 1.83
Only accept IPsec SAs when searching for such
sa.h: Merge with EOM 1.41
Stayalive connections as a default for now, init pf_encap_socket
pf_encap.c: Merge with EOM 1.45
Stayalive connections as a default for now, init pf_encap_socket
-rw-r--r-- | sbin/isakmpd/ipsec.c | 7 | ||||
-rw-r--r-- | sbin/isakmpd/pf_encap.c | 35 | ||||
-rw-r--r-- | sbin/isakmpd/sa.h | 9 |
3 files changed, 40 insertions, 11 deletions
diff --git a/sbin/isakmpd/ipsec.c b/sbin/isakmpd/ipsec.c
index 7c002b1175b..6df6b3b6ce6 100644
--- a/sbin/isakmpd/ipsec.c
+++ b/sbin/isakmpd/ipsec.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: ipsec.c,v 1.5 1999/02/26 03:43:41 niklas Exp $ */
-/* $EOM: ipsec.c,v 1.82 1999/02/25 13:35:41 niklas Exp $ */
+/* $OpenBSD: ipsec.c,v 1.6 1999/02/27 09:59:36 niklas Exp $ */
+/* $EOM: ipsec.c,v 1.83 1999/02/26 14:32:18 niklas Exp $ */
 
 /*
 * Copyright (c) 1998 Niklas Hallqvist. All rights reserved.
@@ -1345,6 +1345,9 @@ ipsec_sa_check (struct sa *sa, void *v_arg)
 int dstlen, srclen;
 int incoming;
 
+ if (sa->phase != 2)
+ return 0;
+
 sa->transport->vtbl->get_dst (sa->transport, &dst, &dstlen);
 if (((struct sockaddr_in *)dst)->sin_addr.s_addr == arg->dst)
 incoming = 0;
diff --git a/sbin/isakmpd/pf_encap.c b/sbin/isakmpd/pf_encap.c
index aaf7f9648d5..04cde24c3aa 100644
--- a/sbin/isakmpd/pf_encap.c
+++ b/sbin/isakmpd/pf_encap.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: pf_encap.c,v 1.5 1999/02/26 03:48:32 niklas Exp $ */
-/* $EOM: pf_encap.c,v 1.44 1999/02/25 14:03:54 niklas Exp $ */
+/* $OpenBSD: pf_encap.c,v 1.6 1999/02/27 09:59:36 niklas Exp $ */
+/* $EOM: pf_encap.c,v 1.45 1999/02/26 14:41:31 niklas Exp $ */
 
 /*
 * Copyright (c) 1998 Niklas Hallqvist. All rights reserved.
@@ -107,6 +107,7 @@ pf_encap_open ()
 "socket (PF_ENCAP, SOCK_RAW, PF_UNSPEC) failed");
 return -1;
 }
+ pf_encap_socket = fd;
 return fd;
 }
 
@@ -122,10 +123,10 @@ pf_encap_expire (struct encap_msghdr *emsg)
 emsg->em_not_sproto);
 
 /*
- * Fin the IPsec SA. The IPsec stack has two SAs for every IKE SA,
+ * Find the IPsec SA. The IPsec stack has two SAs for every IKE SA,
 * one outgoing and one incoming, we regard expirations for any of
 * them as an expiration of the full IKE SA. Likewise, in
- * protection suites consisitng of more than one protocol, any
+ * protection suites consisting of more than one protocol, any
 * expired individual IPsec stack SA will be seen as an expiration
 * of the full suite.
 *
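Review bot: The new guard `if (sa->phase != 2) return 0;` in ipsec_sa_check carries no comment, and a reader has to know isakmpd's phase numbering to see that a bare `2` means "skip ISAKMP (phase 1) SAs, which are not IPsec SAs and so should never match this search". A one-line comment above it would make that explicit: `/* Only phase 2 (IPsec) SAs can match; skip ISAKMP SAs. */`. The rest of ipsec_sa_check, including what it compares after get_dst, lies outside the hunk.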
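Review bot: `pf_encap_socket = fd;` stores the new raw-socket descriptor in a global on every successful open, so if pf_encap_open can be entered more than once (its caller is not visible here) the previously stored descriptor is silently overwritten and leaked. If a second open is not expected, saying so at the top of the function with an early return or assertion on `pf_encap_socket != -1` would document the invariant, which presumes the global is initialised to -1 where it is declared (outside this hunk). The start of pf_encap_open is outside the hunk.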
@@ -139,9 +140,28 @@ pf_encap_expire (struct encap_msghdr *emsg)
 if (!sa)
 return;
 
- /* XXX We need to reestablish the on-demand route here. */
+ /*
+ * If we want this connection to stay "forever", we should renegotiate
+ * already at the soft expire, and certainly at the hard expire if we
+ * haven't started a negotiation by then.
+ */
+ if (sa->flags & SA_FLAG_STAYALIVE)
+ {
+ /* If we are already renegotiating, don't start over. */
+ if (!exchange_lookup_by_name (sa->name, 2))
+ exchange_establish (sa->name, 0, 0);
+ }
 
- /* If this was a hard expire, remove the SA. */
+ if (emsg->em_not_type == NOTIFY_HARD_EXPIRE)
+ {
+ /*
+ * XXX We need to reestablish the on-demand route here. This we need
+ * even if we have started a new negotiation, considering it might
+ * fail.
+ */
+ }
+
+ /* If this was a hard expire, remove the old SA, it isn't useful anymore. */
 if (emsg->em_not_type == NOTIFY_HARD_EXPIRE)
 sa_free (sa);
 }
@@ -661,6 +681,9 @@ pf_encap_enable_sa (struct sa *sa, int initiator)
 int dstlen;
 struct proto *proto = TAILQ_FIRST (&sa->protos);
 
+ /* XXX Hardwire for the time being. */
+ sa->flags |= SA_FLAG_STAYALIVE;
+
 sa->transport->vtbl->get_dst (sa->transport, &dst, &dstlen);
 
 /* XXX Check why byte ordering is backwards. */
diff --git a/sbin/isakmpd/sa.h b/sbin/isakmpd/sa.h
index 4ea8deb5c5b..945b5fe7aba 100644
--- a/sbin/isakmpd/sa.h
+++ b/sbin/isakmpd/sa.h
@@ -1,5 +1,5 @@
-/* $OpenBSD: sa.h,v 1.5 1999/02/26 03:50:26 niklas Exp $ */
-/* $EOM: sa.h,v 1.40 1999/02/14 00:11:40 niklas Exp $ */
+/* $OpenBSD: sa.h,v 1.6 1999/02/27 09:59:36 niklas Exp $ */
+/* $EOM: sa.h,v 1.41 1999/02/26 14:41:32 niklas Exp $ */
 
 /*
 * Copyright (c) 1998 Niklas Hallqvist. All rights reserved.
@@ -146,7 +146,10 @@ struct sa {
 };
 
 /* This SA is alive. */
-#define SA_FLAG_READY 1
+#define SA_FLAG_READY 1
+
+/* Renegotiate the SA at each expiry. */
+#define SA_FLAG_STAYALIVE 2
 
 extern void proto_free (struct proto *proto);
 extern int sa_add_transform (struct sa *, struct payload *, int,
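Review bot: The renegotiation branch hands `sa->name` to exchange_lookup_by_name and exchange_establish without checking it is set, while the companion hunk in pf_encap_enable_sa turns SA_FLAG_STAYALIVE on for every SA, so an SA that was negotiated on the responder side, which may have no configured name (not visible here), would reach these calls with a NULL name. Guarding the branch with `if ((sa->flags & SA_FLAG_STAYALIVE) && sa->name)` keeps the expire handler from looking up or establishing by a NULL name, and the SA_FLAG_STAYALIVE comment in sa.h could note that the flag only makes sense on an SA with a name to renegotiate by. As a point of style, the two back-to-back `if (emsg->em_not_type == NOTIFY_HARD_EXPIRE)` blocks, one of which is empty apart from the XXX placeholder, read better merged into a single block. The beginning of pf_encap_expire lies outside the hunk.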
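Review bot: `sa->flags |= SA_FLAG_STAYALIVE;` is applied unconditionally although pf_encap_enable_sa receives an `initiator` argument, so both peers of the same SA will attempt to renegotiate when their kernel SAs expire, which presumably yields two simultaneous negotiations and two replacement SAs instead of one. If stay-alive is meant as a stopgap default until it becomes configurable, limiting it to the side that originally initiated, `if (initiator) sa->flags |= SA_FLAG_STAYALIVE;`, avoids the collision; the XXX comment should also say what configuration knob is expected to replace the hardwiring. The rest of pf_encap_enable_sa is outside the hunk.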