Current snapshot of OpenSolaris port.
Checkpoint
Checkpoint
Merge from parent.
Merge with WIDE update.
Pull from WIDE.
Pull from WIDE.
Checkpoint
Re-update.
blah
WIDE update
Update from WIDE.
*** 54,67 ****
--- 54,73 ----
# include <netinet6/ipsec.h>
#else
# ifdef HAVE_NETIPSEC_IPSEC_H
# include <netipsec/ipsec.h>
# else
+ # ifndef sun /* XXX KEBE SAYS OpenSolaris */
# include <linux/ipsec.h>
# endif
+ # endif
#endif
+ #ifdef sun /* XXX KEBE SAYS OpenSolaris */
+ #define IPSEC_ULPROTO_ANY 0
+ #endif
+
#include "racoon.h"
#include "isakmp.h"
#include "ikev2.h"
#include "keyed_hash.h"
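Review bot: The `#define IPSEC_ULPROTO_ANY 0` added under `#ifdef sun` is unconditional, so it produces a redefinition warning or error if a Solaris header included above it already provides the macro; wrap it as `#ifndef IPSEC_ULPROTO_ANY` / `#define IPSEC_ULPROTO_ANY 0` / `#endif`. The value 0 is presumably the platform's "any upper-layer protocol" wildcard — confirm it matches what the selector-matching code compares against on this platform, since a wrong wildcard here would quietly change which traffic a policy matches.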
*** 307,317 ****
--- 313,327 ----
/*
* set the flag to prevent further port floating.
* (FIXME: should we allow it? E.g. when the NAT gw
* is rebooted?)
*/
+ #ifdef sun
+ iph1->natt_flags |= NAT_PORTS_CHANGED;
+ #else
iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER;
+ #endif
}
#endif
/* must be same addresses in one stream of a phase at least. */
if (rcs_cmpsa(iph1->remote, remote) != 0) {
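Review bot: The `#ifdef sun` branch drops NAT_ADD_NON_ESP_MARKER from `natt_flags` without saying why, so a reader cannot tell whether the Solaris kernel inserts the non-ESP marker itself or whether NAT-T encapsulation is simply not implemented on this port yet. A one-line comment next to the `#ifdef sun`, e.g. `/* Solaris: non-ESP marker is inserted by the kernel, not by racoon2 */` if that is the reason, would make the divergence auditable. The enclosing function starts and ends outside this hunk.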
*** 833,842 ****
--- 843,858 ----
/* turn off schedule */
if (iph2->scr)
SCHED_KILL(iph2->scr);
+ #ifdef sun
+ /* Bail now to await inverse-ACQUIRE response. */
+ if (iph2->status == PHASE2ST_START && iph2->side == RESPONDER)
+ return (0);
+ #endif /* sun/OpenSolaris */
+
/* send */
plog(PLOG_DEBUG, PLOGLOC, NULL, "===\n");
if ((ph2exchange[etypesw2(isakmp->etype)]
[iph2->side]
[iph2->status]) (iph2, msg) != 0) {
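Review bot: The added early return fires after `SCHED_KILL(iph2->scr)` has already cancelled the handle's schedule, so a responder parked in PHASE2ST_START waiting for the inverse-ACQUIRE reply has no timer left; if that reply never arrives, nothing visible in this hunk reaps iph2, which lets a peer accumulate idle phase-2 handles simply by starting Quick Mode and going silent. Either arm a timeout before returning or state in the comment which path owns the handle from here, e.g. `/* Bail now to await inverse-ACQUIRE response; the receiver callback must reap iph2 on failure or timeout. */`. The enclosing function starts and ends outside this hunk.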
*** 1134,1143 ****
--- 1150,1224 ----
return;
}
return;
}
+ #ifdef sun
+ static int
+ isakmp_ph2_inv_acquire(invacq_t *invacq)
+ {
+ struct ph2handle *iph2 = invacq->iph2;
+ struct rcpfk_msg *param = invacq->answer;
+ struct isakmp *isakmp = (struct isakmp *)iph2->msg1->v;
+
+ sadb_request_finish(&invacq->request);
+ free(invacq);
+
+ /*
+ * Initialize iph2->selector, iph2->proposal, and iph2-> with the results of an
+ * inverse-ACQUIRE.
+ *
+ * XXX KEBE SAYS -- We need a way to figure out a p2_pfs equivalent
+ * for racoon2. We store this in Phase I/PAD state in in.iked.
+ */
+
+ /* Then send the Quick Mode reply. */
+ /* assert(iph2->status == PHASE2ST_STATUS2); */
+
+ /* change status of isakmp status entry */
+ iph2->status = PHASE2ST_STATUS2;
+
+ if (extract_extended_acquire(param, &iph2->selector, NULL) != 0) {
+ /* XXX KEBE SAYS MORE ERROR HANDLING? */
+ return (-1);
+ }
+
+ /* XXX KEBE SAYS FILL ME IN XXX */
+
+ if (set_proposal_from_policy(iph2, iph2->ph1->rmconf,
+ iph2->selector->pl) != 0) {
+ /* XXX KEBE SAYS MORE ERROR HANDLING? */
+ return (-1);
+ }
+
+ if (ipsecdoi_selectph2proposal(iph2) < 0) {
+ /* XXX KEBE SAYS MORE ERROR HANDLING? PROPER RETURN? */
+ isakmp_info_send_n1(iph2->ph1, ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN,
+ NULL);
+ return (-1);
+ }
+
+ /* The following was moved here from quick_main(). */
+ plog(PLOG_DEBUG, PLOGLOC, NULL, "===\n");
+ if ((ph2exchange[etypesw2(isakmp->etype)]
+ [iph2->side]
+ [iph2->status]) (iph2, iph2->msg1) < 0) {
+ plog(PLOG_PROTOERR, PLOGLOC, 0,
+ "failed to process packet.\n");
+ /* don't release handler */
+ return -1;
+ }
+ #ifdef ENABLE_STATS
+ gettimeofday(&end, NULL);
+ syslog(LOG_NOTICE, "%s(%s): %8.6f",
+ "phase2",
+ s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
+ timedelta(&start, &end));
+ #endif
+ }
+ #endif
+
/* new negotiation of phase 2 for responder */
static int
isakmp_ph2begin_r(struct ph1handle *iph1, rc_vchar_t *msg)
{
struct isakmp *isakmp = (struct isakmp *)msg->v;
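Review bot: `isakmp_ph2_inv_acquire` is declared `static int` but falls off the end once the ph2exchange handler succeeds — there is no return after the `#ifdef ENABLE_STATS` block — so a caller that reads its result gets an indeterminate value; add `return (0);` before the closing brace. Under ENABLE_STATS the function also uses `start` and `end`, which it neither declares nor captures (the later hunk shows them as locals of isakmp_ph2begin_r), so that configuration would not compile and the logged delta would be meaningless; either declare `struct timeval start, end;` and call `gettimeofday(&start, NULL);` on entry, or leave the block out of this function. `param` is copied out of `invacq->answer` before `free(invacq)`, which is only safe if the answer is not owned by the `invacq` allocation — a comment stating who frees `answer` would settle that. Every failure path after `iph2->status = PHASE2ST_STATUS2` returns -1 with the handle left in that state; the XXX markers acknowledge this, but the ownership of iph2 on failure should be stated so the caller can reap it.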
*** 1204,1213 ****
--- 1285,1295 ----
#ifdef ENABLE_STATS
gettimeofday(&start, NULL);
#endif
+
error = (ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
[iph2->side]
[iph2->status]) (iph2, msg);
if (error != 0) {
plog(PLOG_INTERR, PLOGLOC, 0,
*** 1222,1231 ****
--- 1304,1340 ----
remph2(iph2);
delph2(iph2);
return -1;
}
+ #ifdef sun
+ /* XXX KEBE ASKS - how do you insert inverse-ACQUIRE here? */
+
+ /* Assume iph2->msg1 contains a copy of "msg" we passed-in. */
+ {
+ invacq_t *invacq = malloc(sizeof (*invacq));
+ uint32_t newseq = sadb_new_seq();
+
+ /*
+ * Use newseq to avoid using iph2's, which already has a
+ * record via a previous sadb_request_initalize() call.
+ */
+
+ if (invacq == NULL)
+ return (-1);
+
+ invacq->iph2 = iph2;
+ sadb_request_initialize(&invacq->request,
+ NULL /* KEBE - reqmethod */, NULL /* KEBE - respmethod */,
+ newseq, invacq);
+ invacq->receiver = isakmp_ph2_inv_acquire;
+
+ /* Okay, now we send the inverse-ACQUIRE itself. */
+ /* XXX KEBE SAYS CODE ME */
+ ikev1_send_inverse_acquire(iph2, newseq);
+ }
+ #else
/* send */
plog(PLOG_DEBUG, PLOGLOC, NULL, "===\n");
if ((ph2exchange[etypesw2(isakmp->etype)]
[iph2->side]
[iph2->status]) (iph2, msg) < 0) {
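Review bot: On `invacq == NULL` the new block returns -1 without the `remph2(iph2); delph2(iph2);` that the error path just above it performs, so an allocation failure here leaks the phase-2 handle that was just registered; use `if (invacq == NULL) { remph2(iph2); delph2(iph2); return -1; }`. `invacq` comes from `malloc`, and `isakmp_ph2_inv_acquire` later reads `invacq->answer`, which nothing in this hunk sets — unless the SADB reply path is guaranteed to fill it before the receiver runs, prefer `calloc(1, sizeof (*invacq))` so the field is NULL rather than indeterminate. The return value of `ikev1_send_inverse_acquire` is discarded, so a failed send leaves iph2 waiting on a reply that will never come. isakmp_ph2begin_r continues outside this hunk.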
*** 1239,1248 ****
--- 1348,1358 ----
syslog(LOG_NOTICE, "%s(%s): %8.6f",
"phase2",
s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
timedelta(&start, &end));
#endif
+ #endif /* sun/OpenSolaris */
return 0;
}
/* called from scheduler */