[openswan] Phase15 as xauth and modecfg is called in openswan is not

avesh avesh at fedoraproject.org
Fri Aug 17 17:33:28 UTC 2012


commit 69859b3cd806db71a93cc31e361fa984258b955a
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Fri Aug 17 13:32:56 2012 -0400

    - Phase15 (openswan's name for the xauth and modecfg exchanges) is not
      handled properly when only xauth (without modecfg) is used.
    - dpd events and ike/sa lifetime expiry events are not created
      properly when xauth is used without modecfg.
      This commit addresses these issues.

 openswan-xauth-modecfg-issues.patch |  165 +++++++++++++++++++++++++++++++++++
 openswan.spec                       |   11 ++-
 2 files changed, 175 insertions(+), 1 deletions(-)
---
diff --git a/openswan-xauth-modecfg-issues.patch b/openswan-xauth-modecfg-issues.patch
new file mode 100644
index 0000000..720c225
--- /dev/null
+++ b/openswan-xauth-modecfg-issues.patch
@@ -0,0 +1,165 @@
+diff --git a/programs/pluto/dpd.c b/programs/pluto/dpd.c
+index 3837ed8..553ee88 100644
+--- a/programs/pluto/dpd.c
++++ b/programs/pluto/dpd.c
+@@ -372,7 +372,7 @@ dpd_event(struct state *st)
+ {
+     if(st==NULL) return;
+ 
+-    if(IS_PHASE1(st->st_state)) {
++    if(IS_PHASE1(st->st_state) || IS_PHASE15(st->st_state )) {
+ 	p1_dpd_outI1(st);
+     } else {
+ 	p2_dpd_outI1(st);
+diff --git a/programs/pluto/ikev1.c b/programs/pluto/ikev1.c
+index bfadd87..a5ad3fe 100644
+--- a/programs/pluto/ikev1.c
++++ b/programs/pluto/ikev1.c
+@@ -1597,7 +1597,7 @@ void process_packet_tail(struct msg_digest **mdp)
+ 		switch (np)
+ 		{
+ 		case ISAKMP_NEXT_ID:
+-		    sd = IS_PHASE1(from_state)
++		    sd = (IS_PHASE1(from_state) || IS_PHASE15(from_state))
+ 			? &isakmp_identification_desc : &isakmp_ipsec_identification_desc;
+ 		    break;
+ 
+@@ -1702,7 +1702,7 @@ void process_packet_tail(struct msg_digest **mdp)
+ 
+     /* more sanity checking: enforce most ordering constraints */
+ 
+-    if (IS_PHASE1(from_state))
++    if (IS_PHASE1(from_state) || IS_PHASE15(from_state))
+     {
+ 	/* rfc2409: The Internet Key Exchange (IKE), 5 Exchanges:
+ 	 * "The SA payload MUST precede all other payloads in a phase 1 exchange."
+@@ -1987,6 +1987,22 @@ complete_v1_state_transition(struct msg_digest **mdp, stf_status result)
+ 
+ 	    change_state(st, smc->next_state);
+ 
++	    /* XAUTH negotiation withOUT modecfg ends in STATE_XAUTH_I1
++ 	     * which is wrong and creates issues further in several places
++ 	     * As per openswan design, it seems every phase 1 negotiation
++ 	     * including xauth/modecfg must end with STATE_MAIN_I4 to mark
++ 	     * actual end of phase 1. With modecfg, negotiation ends with
++ 	     * STATE_MAIN_I4 already.
++ 	     */
++	    /*if(st->st_connection->spd.this.xauth_client 
++		&& st->hidden_variables.st_xauth_client_done 
++		&& !st->st_connection->spd.this.modecfg_client
++		&& st->st_state == STATE_XAUTH_I1) {
++		DBG(DBG_CONTROL, DBG_log("As XAUTH is done and modecfg is not configured, 
++						so Phase 1 neogtiation finishes successfully"));
++		change_state(st, STATE_MAIN_I4);
++	    }*/
++
+ 	    /* Schedule for whatever timeout is specified */
+ 	    if(!md->event_already_set)
+ 	    {
+@@ -2055,7 +2071,7 @@ complete_v1_state_transition(struct msg_digest **mdp, stf_status result)
+ 		    break;
+ 
+ 		case EVENT_SA_REPLACE:	/* SA replacement event */
+-		    if (IS_PHASE1(st->st_state))
++		    if (IS_PHASE1(st->st_state) || IS_PHASE15(st->st_state ))
+ 		    {
+ 			/* Note: we will defer to the "negotiated" (dictated)
+ 			 * lifetime if we are POLICY_DONT_REKEY.
+diff --git a/programs/pluto/nat_traversal.c b/programs/pluto/nat_traversal.c
+index 0577daa..98152b2 100644
+--- a/programs/pluto/nat_traversal.c
++++ b/programs/pluto/nat_traversal.c
+@@ -753,10 +753,7 @@ static void nat_traversal_ka_event_state (struct state *st, void *data)
+ 	unsigned int *_kap_st = (unsigned int *)data;
+ 	const struct connection *c = st->st_connection;
+ 	if (!c) return;
+-	if ( ((st->st_state == STATE_MAIN_R3)
+-	      || (st->st_state == STATE_MAIN_I4)
+-	      || (st->st_state == STATE_AGGR_R2)
+-	      || (st->st_state == STATE_AGGR_I2))
++	if ( IS_ISAKMP_SA_ESTABLISHED(st->st_state)
+ 	     &&	(st->hidden_variables.st_nat_traversal & NAT_T_DETECTED)
+ 	     &&	((st->hidden_variables.st_nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME))
+ 		 || (_force_ka)))
+@@ -774,10 +771,7 @@ static void nat_traversal_ka_event_state (struct state *st, void *data)
+ 		struct state *st_newest;
+ 		st_newest = state_with_serialno(c->newest_isakmp_sa);
+ 		if ((st_newest)
+-		    && ((st_newest->st_state==STATE_MAIN_R3)
+-			|| (st_newest->st_state==STATE_MAIN_I4)
+-			|| (st_newest->st_state == STATE_AGGR_R2)
+-			|| (st_newest->st_state == STATE_AGGR_I2))
++		    && IS_ISAKMP_SA_ESTABLISHED(st->st_state)
+ 		    && (st_newest->hidden_variables.st_nat_traversal & NAT_T_DETECTED)
+ 		    && ((st_newest->hidden_variables.st_nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME))
+ 			|| (_force_ka)))
+diff --git a/programs/pluto/state.c b/programs/pluto/state.c
+index 47dd189..8b2f582 100644
+--- a/programs/pluto/state.c
++++ b/programs/pluto/state.c
+@@ -900,7 +900,7 @@ delete_states_by_peer(ip_address *peer)
+ 		DBG_log("comparing %s to %s\n", ra, peerstr);
+ 
+ 		if(sameaddr(&this->st_remoteaddr, peer)) {
+-		    if(ph1==0 && IS_PHASE1(this->st_state)) {
++		    if(ph1==0 && (IS_PHASE1(this->st_state) || IS_PHASE15(st->st_state ))) {
+ 			
+ 			whack_log(RC_COMMENT
+ 				  , "peer %s for connection %s crashed, replacing"
+@@ -1629,7 +1629,7 @@ show_states_status(void)
+ 		whack_log(RC_COMMENT, "%s", state_buf2);
+ 
+ 	  /* show any associated pending Phase 2s */
+-	  if (IS_PHASE1(st->st_state))
++	  if (IS_PHASE1(st->st_state) || IS_PHASE15(st->st_state ))
+ 		show_pending_phase2(st->st_connection, st);
+ 	}
+ 
+diff --git a/programs/pluto/timer.c b/programs/pluto/timer.c
+index aec3ab9..56c0d2f 100644
+--- a/programs/pluto/timer.c
++++ b/programs/pluto/timer.c
+@@ -539,7 +539,7 @@ handle_next_timer_event(void)
+ 
+ 		passert(st != NULL);
+ 		c = st->st_connection;
+-		newest = IS_PHASE1(st->st_state)
++		newest = (IS_PHASE1(st->st_state) || IS_PHASE15(st->st_state ))
+ 		    ? c->newest_isakmp_sa : c->newest_ipsec_sa;
+ 
+ 		if (newest != st->st_serialno
+@@ -548,7 +548,7 @@ handle_next_timer_event(void)
+ 		    /* not very interesting: no need to replace */
+ 		    DBG(DBG_LIFECYCLE
+ 			, openswan_log("not replacing stale %s SA: #%lu will do"
+-			    , IS_PHASE1(st->st_state)? "ISAKMP" : "IPsec"
++			    , (IS_PHASE1(st->st_state) || IS_PHASE15(st->st_state ))? "ISAKMP" : "IPsec"
+ 			    , newest));
+ 		}
+ 		else if (type == EVENT_SA_REPLACE_IF_USED
+@@ -573,14 +573,14 @@ handle_next_timer_event(void)
+ 		     */
+ 		    DBG(DBG_LIFECYCLE
+ 			, openswan_log("not replacing stale %s SA: inactive for %lus"
+-			    , IS_PHASE1(st->st_state)? "ISAKMP" : "IPsec"
++			    , (IS_PHASE1(st->st_state) || IS_PHASE15(st->st_state ))? "ISAKMP" : "IPsec"
+ 			    , (unsigned long)(tm - st->st_outbound_time)));
+ 		}
+ 		else
+ 		{
+ 		    DBG(DBG_LIFECYCLE
+ 			, openswan_log("replacing stale %s SA"
+-			    , IS_PHASE1(st->st_state)? "ISAKMP" : "IPsec"));
++			    , (IS_PHASE1(st->st_state)|| IS_PHASE15(st->st_state ))? "ISAKMP" : "IPsec"));
+ 		    ipsecdoi_replace(st, LEMPTY, LEMPTY, 1);
+ 		}
+ 		delete_dpd_event(st);
+@@ -597,7 +597,7 @@ handle_next_timer_event(void)
+ 		passert(st != NULL);
+ 		c = st->st_connection;
+ 
+-		if (IS_PHASE1(st->st_state))
++		if (IS_PHASE1(st->st_state)|| IS_PHASE15(st->st_state ))
+ 		{
+ 		    satype = "ISAKMP";
+ 		    latest = c->newest_isakmp_sa;
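Review bot: In the delete_states_by_peer hunk the new condition reads `IS_PHASE15(st->st_state )` while the surrounding loop dereferences `this` (`this->st_remoteaddr`, `this->st_state` on the same lines), so `st` is either a different state or not in scope there; it should be `if(ph1==0 && (IS_PHASE1(this->st_state) || IS_PHASE15(this->st_state))) {`. The second nat_traversal_ka_event_state hunk has the same slip: the removed lines tested `st_newest->st_state`, but the replacement tests `st->st_state`, which the first hunk of that file already checked, so the newest ISAKMP SA's state is no longer verified at all — use `&& IS_ISAKMP_SA_ESTABLISHED(st_newest->st_state)`. The block added to complete_v1_state_transition is commented-out code; keep the prose comment explaining STATE_XAUTH_I1 versus STATE_MAIN_I4 and drop the `/* if(...) { ... } */` body, or state in the comment why the change_state was left disabled. Every enclosing function in this nested patch starts and ends outside its hunk.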
diff --git a/openswan.spec b/openswan.spec
index f0362bc..8a95e9a 100644
--- a/openswan.spec
+++ b/openswan.spec
@@ -10,7 +10,7 @@ Summary: IPSEC implementation with IKEv1 and IKEv2 keying protocols
 Name: openswan
 Version: 2.6.38
 
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 Url: http://www.openswan.org/
 Source: openswan-%{version}.tar.gz
@@ -31,6 +31,7 @@ Patch10: openswan-ikev1-aes-gcm-esp-fixes.patch
 Patch11: rhbz-831676.patch
 Patch12: rhbz-841325.patch
 Patch13: openswan-updown-netkey.patch
+Patch14: openswan-xauth-modecfg-issues.patch
 
 Group: System Environment/Daemons
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -105,6 +106,7 @@ install -m 644 %{SOURCE3} docs/README.x509
 %patch11 -p1
 %patch12 -p1
 %patch13 -p1
+%patch14 -p1
 
 %build
 
@@ -229,6 +231,13 @@ fi
 chkconfig --add ipsec || :
 
 %changelog
+* Fri Aug 17 2012 Avesh Agarwal <avagarwa at redhat.com> - 2.6.38-4
+- Phase15 as xauth and modecfg is called in openswan is not
+  handled properly when only xauth (without modecfg) is used.
+- dpd events and ike/sa lifetime expiry events are not created
+  properly when xauth is used without modecfg.
+  This commit addresses these issues.
+
 * Tue Aug 7 2012 Avesh Agarwal <avagarwa at redhat.com> - 2.6.38-3
 - Ikev2 changes from rhel6 to fedora
 - Sha256 changes from rhel6 to fedora

