[openswan] Phase15 as xauth and modecfg is called in openswan is not
avesh
avesh at fedoraproject.org
Fri Aug 17 17:33:28 UTC 2012
commit 69859b3cd806db71a93cc31e361fa984258b955a
Author: Avesh Agarwal <avagarwa at redhat.com>
Date: Fri Aug 17 13:32:56 2012 -0400
Phase 1.5 (as the XAUTH/ModeCfg stage is called in openswan) is not
handled properly when only XAUTH (without ModeCfg) is used.
- dpd events and ike/sa lifetime expiry events are not created
properly when xauth is used without modecfg.
This commit addresses these issues.
openswan-xauth-modecfg-issues.patch | 165 +++++++++++++++++++++++++++++++++++
openswan.spec | 11 ++-
2 files changed, 175 insertions(+), 1 deletions(-)
---
diff --git a/openswan-xauth-modecfg-issues.patch b/openswan-xauth-modecfg-issues.patch
new file mode 100644
index 0000000..720c225
--- /dev/null
+++ b/openswan-xauth-modecfg-issues.patch
@@ -0,0 +1,165 @@
+diff --git a/programs/pluto/dpd.c b/programs/pluto/dpd.c
+index 3837ed8..553ee88 100644
+--- a/programs/pluto/dpd.c
++++ b/programs/pluto/dpd.c
+@@ -372,7 +372,7 @@ dpd_event(struct state *st)
+ {
+ if(st==NULL) return;
+
+- if(IS_PHASE1(st->st_state)) {
++ if(IS_PHASE1(st->st_state) || IS_PHASE15(st->st_state )) {
+ p1_dpd_outI1(st);
+ } else {
+ p2_dpd_outI1(st);
+diff --git a/programs/pluto/ikev1.c b/programs/pluto/ikev1.c
+index bfadd87..a5ad3fe 100644
+--- a/programs/pluto/ikev1.c
++++ b/programs/pluto/ikev1.c
+@@ -1597,7 +1597,7 @@ void process_packet_tail(struct msg_digest **mdp)
+ switch (np)
+ {
+ case ISAKMP_NEXT_ID:
+- sd = IS_PHASE1(from_state)
++ sd = (IS_PHASE1(from_state) || IS_PHASE15(from_state))
+ ? &isakmp_identification_desc : &isakmp_ipsec_identification_desc;
+ break;
+
+@@ -1702,7 +1702,7 @@ void process_packet_tail(struct msg_digest **mdp)
+
+ /* more sanity checking: enforce most ordering constraints */
+
+- if (IS_PHASE1(from_state))
++ if (IS_PHASE1(from_state) || IS_PHASE15(from_state))
+ {
+ /* rfc2409: The Internet Key Exchange (IKE), 5 Exchanges:
+ * "The SA payload MUST precede all other payloads in a phase 1 exchange."
+@@ -1987,6 +1987,22 @@ complete_v1_state_transition(struct msg_digest **mdp, stf_status result)
+
+ change_state(st, smc->next_state);
+
++ /* XAUTH negotiation withOUT modecfg ends in STATE_XAUTH_I1
++ * which is wrong and creates issues further in several places
++ * As per openswan design, it seems every phase 1 negotiation
++ * including xauth/modecfg must end with STATE_MAIN_I4 to mark
++ * actual end of phase 1. With modecfg, negotiation ends with
++ * STATE_MAIN_I4 already.
++ */
++ /*if(st->st_connection->spd.this.xauth_client
++ && st->hidden_variables.st_xauth_client_done
++ && !st->st_connection->spd.this.modecfg_client
++ && st->st_state == STATE_XAUTH_I1) {
++ DBG(DBG_CONTROL, DBG_log("As XAUTH is done and modecfg is not configured,
++ so Phase 1 neogtiation finishes successfully"));
++ change_state(st, STATE_MAIN_I4);
++ }*/
++
+ /* Schedule for whatever timeout is specified */
+ if(!md->event_already_set)
+ {
+@@ -2055,7 +2071,7 @@ complete_v1_state_transition(struct msg_digest **mdp, stf_status result)
+ break;
+
+ case EVENT_SA_REPLACE: /* SA replacement event */
+- if (IS_PHASE1(st->st_state))
++ if (IS_PHASE1(st->st_state) || IS_PHASE15(st->st_state ))
+ {
+ /* Note: we will defer to the "negotiated" (dictated)
+ * lifetime if we are POLICY_DONT_REKEY.
+diff --git a/programs/pluto/nat_traversal.c b/programs/pluto/nat_traversal.c
+index 0577daa..98152b2 100644
+--- a/programs/pluto/nat_traversal.c
++++ b/programs/pluto/nat_traversal.c
+@@ -753,10 +753,7 @@ static void nat_traversal_ka_event_state (struct state *st, void *data)
+ unsigned int *_kap_st = (unsigned int *)data;
+ const struct connection *c = st->st_connection;
+ if (!c) return;
+- if ( ((st->st_state == STATE_MAIN_R3)
+- || (st->st_state == STATE_MAIN_I4)
+- || (st->st_state == STATE_AGGR_R2)
+- || (st->st_state == STATE_AGGR_I2))
++ if ( IS_ISAKMP_SA_ESTABLISHED(st->st_state)
+ && (st->hidden_variables.st_nat_traversal & NAT_T_DETECTED)
+ && ((st->hidden_variables.st_nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME))
+ || (_force_ka)))
+@@ -774,10 +771,7 @@ static void nat_traversal_ka_event_state (struct state *st, void *data)
+ struct state *st_newest;
+ st_newest = state_with_serialno(c->newest_isakmp_sa);
+ if ((st_newest)
+- && ((st_newest->st_state==STATE_MAIN_R3)
+- || (st_newest->st_state==STATE_MAIN_I4)
+- || (st_newest->st_state == STATE_AGGR_R2)
+- || (st_newest->st_state == STATE_AGGR_I2))
++ && IS_ISAKMP_SA_ESTABLISHED(st->st_state)
+ && (st_newest->hidden_variables.st_nat_traversal & NAT_T_DETECTED)
+ && ((st_newest->hidden_variables.st_nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME))
+ || (_force_ka)))
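Review bot: The rewritten condition on the newest ISAKMP SA tests the wrong state object: `IS_ISAKMP_SA_ESTABLISHED(st->st_state)` reads `st`, while every other term of that `if` (`st_newest->hidden_variables.st_nat_traversal ...`) and the four comparisons it replaces (`st_newest->st_state==STATE_MAIN_R3` etc.) refer to `st_newest`. As written, whether a NAT-T keepalive is sent for the connection's newest ISAKMP SA depends on the state the keepalive walk happened to be visiting rather than on that SA's own state, so keepalives can be sent for an SA that is not established yet or withheld from one that is, and a withheld keepalive lets the NAT mapping expire and silently breaks the tunnel. It should read `&& IS_ISAKMP_SA_ESTABLISHED(st_newest->st_state)`. nat_traversal_ka_event_state begins before this hunk and continues after it.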
+diff --git a/programs/pluto/state.c b/programs/pluto/state.c
+index 47dd189..8b2f582 100644
+--- a/programs/pluto/state.c
++++ b/programs/pluto/state.c
+@@ -900,7 +900,7 @@ delete_states_by_peer(ip_address *peer)
+ DBG_log("comparing %s to %s\n", ra, peerstr);
+
+ if(sameaddr(&this->st_remoteaddr, peer)) {
+- if(ph1==0 && IS_PHASE1(this->st_state)) {
++ if(ph1==0 && (IS_PHASE1(this->st_state) || IS_PHASE15(st->st_state ))) {
+
+ whack_log(RC_COMMENT
+ , "peer %s for connection %s crashed, replacing"
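Review bot: The new `IS_PHASE15(st->st_state )` term on the `ph1==0` check dereferences `st`, but the state being examined in this loop is `this`: the surrounding lines compare `this->st_remoteaddr` and test `IS_PHASE1(this->st_state)`. The declarations of `st` and `this` are outside the hunk; if `st` is the hash-chain cursor that has already been advanced past `this` (as in upstream state.c), it is NULL for the last entry of a chain and pluto will crash with a NULL dereference while reacting to a crashed peer, and when it is non-NULL the phase-1.5 test is made against an unrelated state. The line should be `if(ph1==0 && (IS_PHASE1(this->st_state) || IS_PHASE15(this->st_state))) {`. delete_states_by_peer begins before this hunk and continues after it.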
+@@ -1629,7 +1629,7 @@ show_states_status(void)
+ whack_log(RC_COMMENT, "%s", state_buf2);
+
+ /* show any associated pending Phase 2s */
+- if (IS_PHASE1(st->st_state))
++ if (IS_PHASE1(st->st_state) || IS_PHASE15(st->st_state ))
+ show_pending_phase2(st->st_connection, st);
+ }
+
+diff --git a/programs/pluto/timer.c b/programs/pluto/timer.c
+index aec3ab9..56c0d2f 100644
+--- a/programs/pluto/timer.c
++++ b/programs/pluto/timer.c
+@@ -539,7 +539,7 @@ handle_next_timer_event(void)
+
+ passert(st != NULL);
+ c = st->st_connection;
+- newest = IS_PHASE1(st->st_state)
++ newest = (IS_PHASE1(st->st_state) || IS_PHASE15(st->st_state ))
+ ? c->newest_isakmp_sa : c->newest_ipsec_sa;
+
+ if (newest != st->st_serialno
+@@ -548,7 +548,7 @@ handle_next_timer_event(void)
+ /* not very interesting: no need to replace */
+ DBG(DBG_LIFECYCLE
+ , openswan_log("not replacing stale %s SA: #%lu will do"
+- , IS_PHASE1(st->st_state)? "ISAKMP" : "IPsec"
++ , (IS_PHASE1(st->st_state) || IS_PHASE15(st->st_state ))? "ISAKMP" : "IPsec"
+ , newest));
+ }
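Review bot: The classification "this state belongs to the ISAKMP SA" is now spelled out by hand as `IS_PHASE1(st->st_state) || IS_PHASE15(st->st_state )` three times in this hunk alone and about a dozen times across the patch, and the hand-copied variants are exactly where the wrong state variable slipped in elsewhere in this patch (`st` instead of `this` in state.c, `st` instead of `st_newest` in nat_traversal.c). Defining the predicate once next to IS_PHASE15 — its header is not part of this diff — e.g. `#define IS_ISAKMP_SA_PHASE(s) (IS_PHASE1(s) || IS_PHASE15(s))`, and using it here and in the other hunks would make the intent explicit and leave one fewer place for the argument to be miscopied. While at it, drop the stray space in `st->st_state )`. handle_next_timer_event begins before this hunk and continues after it.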
+ else if (type == EVENT_SA_REPLACE_IF_USED
+@@ -573,14 +573,14 @@ handle_next_timer_event(void)
+ */
+ DBG(DBG_LIFECYCLE
+ , openswan_log("not replacing stale %s SA: inactive for %lus"
+- , IS_PHASE1(st->st_state)? "ISAKMP" : "IPsec"
++ , (IS_PHASE1(st->st_state) || IS_PHASE15(st->st_state ))? "ISAKMP" : "IPsec"
+ , (unsigned long)(tm - st->st_outbound_time)));
+ }
+ else
+ {
+ DBG(DBG_LIFECYCLE
+ , openswan_log("replacing stale %s SA"
+- , IS_PHASE1(st->st_state)? "ISAKMP" : "IPsec"));
++ , (IS_PHASE1(st->st_state)|| IS_PHASE15(st->st_state ))? "ISAKMP" : "IPsec"));
+ ipsecdoi_replace(st, LEMPTY, LEMPTY, 1);
+ }
+ delete_dpd_event(st);
+@@ -597,7 +597,7 @@ handle_next_timer_event(void)
+ passert(st != NULL);
+ c = st->st_connection;
+
+- if (IS_PHASE1(st->st_state))
++ if (IS_PHASE1(st->st_state)|| IS_PHASE15(st->st_state ))
+ {
+ satype = "ISAKMP";
+ latest = c->newest_isakmp_sa;
diff --git a/openswan.spec b/openswan.spec
index f0362bc..8a95e9a 100644
--- a/openswan.spec
+++ b/openswan.spec
@@ -10,7 +10,7 @@ Summary: IPSEC implementation with IKEv1 and IKEv2 keying protocols
Name: openswan
Version: 2.6.38
-Release: 3%{?dist}
+Release: 4%{?dist}
License: GPLv2+
Url: http://www.openswan.org/
Source: openswan-%{version}.tar.gz
@@ -31,6 +31,7 @@ Patch10: openswan-ikev1-aes-gcm-esp-fixes.patch
Patch11: rhbz-831676.patch
Patch12: rhbz-841325.patch
Patch13: openswan-updown-netkey.patch
+Patch14: openswan-xauth-modecfg-issues.patch
Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -105,6 +106,7 @@ install -m 644 %{SOURCE3} docs/README.x509
%patch11 -p1
%patch12 -p1
%patch13 -p1
+%patch14 -p1
%build
@@ -229,6 +231,13 @@ fi
chkconfig --add ipsec || :
%changelog
+* Fri Aug 17 2012 Avesh Agarwal <avagarwa at redhat.com> - 2.6.38-4
+- Phase15 as xauth and modecfg is called in openswan is not
+ handled properly when only xauth (without modecfg) is used.
+- dpd events and ike/sa lifetime expiry events are not created
+ properly when xauth is used without modecfg.
+ This commit addresses these issues.
+
* Tue Aug 7 2012 Avesh Agarwal <avagarwa at redhat.com> - 2.6.38-3
- Ikev2 changes from rhel6 to fedora
- Sha256 changes from rhel6 to fedora