isakmp_post_acquire is now called from admin commands too, add a flag so

admin commands can be used to establish even passive links on demand.
tteras 2010-11-12 10:36:37 +00:00
parent fafea48525
commit 939a5bdbb6
4 changed files with 14 additions and 13 deletions


@ -1,4 +1,4 @@
/* $NetBSD: admin.c,v 1.36 2010/11/12 09:08:26 tteras Exp $ */
/* $NetBSD: admin.c,v 1.37 2010/11/12 10:36:37 tteras Exp $ */
/* Id: admin.c,v 1.25 2006/04/06 14:31:04 manubsd Exp */
@ -577,7 +577,7 @@ admin_process(so2, combuf)
}
insph2(iph2);
if (isakmp_post_acquire(iph2, NULL) < 0) {
if (isakmp_post_acquire(iph2, NULL, FALSE) < 0) {
remph2(iph2);
delph2(iph2);
break;
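Review bot: The bare `FALSE` passed as the new third argument in admin_process means "do not skip passive remotes", so a request on the admin socket can now make racoon initiate toward a peer whose configuration has `passive` set. Access to the admin socket therefore becomes the control on overriding that policy; its ownership and mode are not visible in this hunk and are worth confirming. A comment at the call would make the intent readable, e.g. `/* nopassive=FALSE: admin request may initiate even to passive remotes */`, and a log line when the override is used would leave an audit trail. admin_process starts and ends outside the hunk.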


@ -1,4 +1,4 @@
/* $NetBSD: isakmp.c,v 1.64 2010/11/12 09:11:37 tteras Exp $ */
/* $NetBSD: isakmp.c,v 1.65 2010/11/12 10:36:37 tteras Exp $ */
/* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
@ -2166,9 +2166,10 @@ isakmp_ph2delete(iph2)
* if phase1 has been finished, begin phase2.
*/
int
isakmp_post_acquire(iph2, iph1hint)
isakmp_post_acquire(iph2, iph1hint, nopassive)
struct ph2handle *iph2;
struct ph1handle *iph1hint;
int nopassive;
{
struct remoteconf *rmconf;
struct ph1handle *iph1 = NULL;
@ -2185,7 +2186,7 @@ isakmp_post_acquire(iph2, iph1hint)
* so no need to bother yet. --arno */
if (iph1hint == NULL || iph1hint->rmconf == NULL) {
rmconf = getrmconf(iph2->dst, GETRMCONF_F_NO_PASSIVE);
rmconf = getrmconf(iph2->dst, nopassive ? GETRMCONF_F_NO_PASSIVE : 0);
if (rmconf == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"no configuration found for %s.\n",
@ -2197,7 +2198,7 @@ isakmp_post_acquire(iph2, iph1hint)
}
/* if passive mode, ignore the acquire message */
if (rmconf->passive) {
if (nopassive && rmconf->passive) {
plog(LLV_DEBUG, LOCATION, NULL,
"because of passive mode, "
"ignore the acquire message for %s.\n",
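Review bot: The new `nopassive` parameter of isakmp_post_acquire is undocumented, and neither the comment above the function nor the one on the passive check describes the code any more. With `nopassive` zero, the lookup passes 0 instead of `GETRMCONF_F_NO_PASSIVE` and the `rmconf->passive` test is skipped, so "if passive mode, ignore the acquire message" now holds only for callers that pass non-zero. I would add to the header comment `nopassive: non-zero makes passive remotes ineligible (pk_recvacquire passes TRUE); zero lets the caller initiate regardless`, and reword the inline comment to `/* passive remote: ignore unless the caller asked to override */`. The negative name also makes call sites read as a double negative (`FALSE` = passive allowed), which is easy to misread when auditing callers. The function body continues outside the hunks shown.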


@ -1,4 +1,4 @@
/* $NetBSD: isakmp_var.h,v 1.16 2009/09/03 09:29:07 tteras Exp $ */
/* $NetBSD: isakmp_var.h,v 1.17 2010/11/12 10:36:37 tteras Exp $ */
/* Id: isakmp_var.h,v 1.12 2005/05/07 14:45:31 manubsd Exp */
@ -87,7 +87,7 @@ extern void isakmp_ph2delete_stub __P((struct sched *));
extern void isakmp_ph2delete __P((struct ph2handle *));
extern int isakmp_get_sainfo __P((struct ph2handle *, struct secpolicy *, struct secpolicy *));
extern int isakmp_post_acquire __P((struct ph2handle *, struct ph1handle *));
extern int isakmp_post_acquire __P((struct ph2handle *, struct ph1handle *, int));
extern int isakmp_post_getspi __P((struct ph2handle *));
extern void isakmp_chkph1there_stub __P((struct sched *));
extern void isakmp_chkph1there __P((struct ph2handle *));


@ -1,6 +1,6 @@
/* $NetBSD: pfkey.c,v 1.53 2010/10/21 06:15:28 tteras Exp $ */
/* $NetBSD: pfkey.c,v 1.54 2010/11/12 10:36:37 tteras Exp $ */
/* $Id: pfkey.c,v 1.53 2010/10/21 06:15:28 tteras Exp $ */
/* $Id: pfkey.c,v 1.54 2010/11/12 10:36:37 tteras Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -1686,7 +1686,7 @@ pk_recvexpire(mhp)
iph2->status = PHASE2ST_STATUS2;
/* start quick exchange */
if (isakmp_post_acquire(iph2, iph1hint) < 0) {
if (isakmp_post_acquire(iph2, iph1hint, FALSE) < 0) {
plog(LLV_ERROR, LOCATION, iph2->dst,
"failed to begin ipsec sa "
"re-negotication.\n");
@ -1962,7 +1962,7 @@ pk_recvacquire(mhp)
/* start isakmp initiation by using ident exchange */
/* XXX should be looped if there are multiple phase 2 handler. */
if (isakmp_post_acquire(iph2, NULL) < 0) {
if (isakmp_post_acquire(iph2, NULL, TRUE) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to begin ipsec sa negotication.\n");
remph2(iph2);
@ -3088,7 +3088,7 @@ migrate_ph2_sa_addresses(iph2, args)
iph2->status = PHASE2ST_STATUS2;
/* and start a new negotiation */
if (isakmp_post_acquire(iph2, iph1hint) < 0) {
if (isakmp_post_acquire(iph2, iph1hint, FALSE) < 0) {
plog(LLV_ERROR, LOCATION, iph2->dst, "failed "
"to begin IPsec SA renegotiation after "
"MIGRATE reception.\n");
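Review bot: The `FALSE` passed in pk_recvexpire and migrate_ph2_sa_addresses changes behaviour that the commit message does not mention. Before this change the `rmconf->passive` check in isakmp_post_acquire applied to every caller, so as far as the visible lines show these two paths now proceed with renegotiation even when the remote is configured passive. That may well be intended (re-keying an SA that already exists), but it should be stated, either in the commit message or in a comment at each call such as `/* nopassive=FALSE: re-key existing SA even if remote is passive */`. Only pk_recvacquire keeps the old behaviour by passing `TRUE`. All three enclosing functions start and end outside their hunks.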