--- old/iked/ikev1/ikev1.c Fri Mar 27 12:09:53 2009
+++ new/iked/ikev1/ikev1.c Fri Mar 27 12:09:53 2009
@@ -56,10 +56,16 @@
 # ifdef HAVE_NETIPSEC_IPSEC_H
 # include
 # else
-# include
+# ifndef sun /* XXX KEBE SAYS OpenSolaris */
+# include
+# endif
 # endif
 #endif
+#ifdef sun /* XXX KEBE SAYS OpenSolaris */
+#define IPSEC_ULPROTO_ANY 0
+#endif
+
 #include "racoon.h"
 #include "isakmp.h"
@@ -309,7 +315,11 @@
 * (FIXME: should we allow it? E.g. when the NAT gw
 * is rebooted?)
 */
+#ifdef sun
+ iph1->natt_flags |= NAT_PORTS_CHANGED;
+#else
 iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER;
+#endif
 }
 #endif
@@ -835,6 +845,12 @@
 if (iph2->scr)
 SCHED_KILL(iph2->scr);
+#ifdef sun
+ /* Bail now to await inverse-ACQUIRE response. */
+ if (iph2->status == PHASE2ST_START && iph2->side == RESPONDER)
+ return (0);
+#endif /* sun/OpenSolaris */
+
 /* send */
 plog(PLOG_DEBUG, PLOGLOC, NULL, "===\n");
 if ((ph2exchange[etypesw2(isakmp->etype)]
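Review bot: The new `#define IPSEC_ULPROTO_ANY 0` under `#ifdef sun` is unconditional, so it will collide (redefinition warning, or an error if the values differ) with any OpenSolaris header included later that defines the same macro; guard it as `#ifndef IPSEC_ULPROTO_ANY` / `#define IPSEC_ULPROTO_ANY 0` / `#endif`. The comment should also state that 0 is the wildcard upper-layer protocol value the Solaris PF_KEY side expects, because the `# include` removed on the `-` line previously supplied this constant and any other symbol this file took from that header will now be missing on sun as well.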
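Review bot: On sun the `NAT_ADD_NON_ESP_MARKER` flag is dropped when the NAT-T ports change, but nothing records why OpenSolaris does not need the non-ESP marker, so a later reader of this ifdef will assume it was forgotten rather than intentional. Add a one-line comment above `#ifdef sun` giving the actual reason once confirmed, along the lines of `/* OpenSolaris: UDP-encapsulation framing is handled by the kernel, so no non-ESP marker is added here -- confirm */`. The enclosing function starts before this hunk.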
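Review bot: The added early `return (0)` leaves a responder handle parked at `PHASE2ST_START` with nothing in the hunk bounding how long it waits for the inverse-ACQUIRE answer; if the kernel never replies, the half-open Quick Mode handle persists until some expiry not visible here, and a phase-1-authenticated peer can accumulate such handles. Unless the sadb request layer has its own timeout, make sure whatever timer the handle already carries still fires in this state and say so in the comment, e.g. `/* Bail now to await inverse-ACQUIRE response; the handle's expiry timer bounds the wait. */`. The enclosing function starts before this hunk.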
@@ -1136,6 +1152,71 @@
 return;
 }
+#ifdef sun
+static int
+isakmp_ph2_inv_acquire(invacq_t *invacq)
+{
+ struct ph2handle *iph2 = invacq->iph2;
+ struct rcpfk_msg *param = invacq->answer;
+ struct isakmp *isakmp = (struct isakmp *)iph2->msg1->v;
+
+ sadb_request_finish(&invacq->request);
+ free(invacq);
+
+ /*
+ * Initialize iph2->selector, iph2->proposal, and iph2-> with the results of an
+ * inverse-ACQUIRE.
+ *
+ * XXX KEBE SAYS -- We need a way to figure out a p2_pfs equivalent
+ * for racoon2. We store this in Phase I/PAD state in in.iked.
+ */
+
+ /* Then send the Quick Mode reply. */
+ /* assert(iph2->status == PHASE2ST_STATUS2); */
+
+ /* change status of isakmp status entry */
+ iph2->status = PHASE2ST_STATUS2;
+
+ if (extract_extended_acquire(param, &iph2->selector, NULL) != 0) {
+ /* XXX KEBE SAYS MORE ERROR HANDLING? */
+ return (-1);
+ }
+
+ /* XXX KEBE SAYS FILL ME IN XXX */
+
+ if (set_proposal_from_policy(iph2, iph2->ph1->rmconf,
+ iph2->selector->pl) != 0) {
+ /* XXX KEBE SAYS MORE ERROR HANDLING? */
+ return (-1);
+ }
+
+ if (ipsecdoi_selectph2proposal(iph2) < 0) {
+ /* XXX KEBE SAYS MORE ERROR HANDLING? PROPER RETURN? */
+ isakmp_info_send_n1(iph2->ph1, ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN,
+ NULL);
+ return (-1);
+ }
+
+ /* The following was moved here from quick_main(). */
+ plog(PLOG_DEBUG, PLOGLOC, NULL, "===\n");
+ if ((ph2exchange[etypesw2(isakmp->etype)]
+ [iph2->side]
+ [iph2->status]) (iph2, iph2->msg1) < 0) {
+ plog(PLOG_PROTOERR, PLOGLOC, 0,
+ "failed to process packet.\n");
+ /* don't release handler */
+ return -1;
+ }
+#ifdef ENABLE_STATS
+ gettimeofday(&end, NULL);
+ syslog(LOG_NOTICE, "%s(%s): %8.6f",
+ "phase2",
+ s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
+ timedelta(&start, &end));
+#endif
+}
+#endif
+
 /* new negotiation of phase 2 for responder */
 static int
 isakmp_ph2begin_r(struct ph1handle *iph1, rc_vchar_t *msg)
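Review bot: `isakmp_ph2_inv_acquire` is declared `static int` but falls off its closing brace after the `#ifdef ENABLE_STATS` block with no return, so the success path hands an indeterminate value to whoever invokes `invacq->receiver` (undefined behavior in C); add `return (0);` before the final `}`. The stats block also uses `start` and `end`, which are not declared in this function (they were locals of the function this code was moved from, as the comment says), so an `ENABLE_STATS` build will not compile; either declare `struct timeval start, end;` and sample `start` at entry, or drop the block. Note as well that `iph2->status` is advanced to `PHASE2ST_STATUS2` before `extract_extended_acquire` and the proposal selection are validated, so each `return (-1)` leaves the handle advanced with no cleanup; the XXX comments acknowledge this, but until it is resolved those paths should release the handle or restore its status. The function is complete within the hunk.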
@@ -1206,6 +1287,7 @@
 gettimeofday(&start, NULL);
 #endif
+
 error = (ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
 [iph2->side]
 [iph2->status]) (iph2, msg);
@@ -1224,6 +1306,33 @@
 return -1;
 }
+#ifdef sun
+ /* XXX KEBE ASKS - how do you insert inverse-ACQUIRE here? */
+
+ /* Assume iph2->msg1 contains a copy of "msg" we passed-in. */
+ {
+ invacq_t *invacq = malloc(sizeof (*invacq));
+ uint32_t newseq = sadb_new_seq();
+
+ /*
+ * Use newseq to avoid using iph2's, which already has a
+ * record via a previous sadb_request_initalize() call.
+ */
+
+ if (invacq == NULL)
+ return (-1);
+
+ invacq->iph2 = iph2;
+ sadb_request_initialize(&invacq->request,
+ NULL /* KEBE - reqmethod */, NULL /* KEBE - respmethod */,
+ newseq, invacq);
+ invacq->receiver = isakmp_ph2_inv_acquire;
+
+ /* Okay, now we send the inverse-ACQUIRE itself. */
+ /* XXX KEBE SAYS CODE ME */
+ ikev1_send_inverse_acquire(iph2, newseq);
+ }
+#else
 /* send */
 plog(PLOG_DEBUG, PLOGLOC, NULL, "===\n");
 if ((ph2exchange[etypesw2(isakmp->etype)]
@@ -1241,6 +1350,7 @@
 s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
 timedelta(&start, &end));
 #endif
+#endif /* sun/OpenSolaris */
 return 0;
 }
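Review bot: In the new `#ifdef sun` block of `isakmp_ph2begin_r`, the result of `ikev1_send_inverse_acquire(iph2, newseq)` is ignored and `invacq->answer` is never set after the `malloc`, so a failed send leaks the `invacq` record and its registered sadb request while the phase-2 handle waits for an answer that will never arrive, and if the response path does not fill `answer` the receiver later dereferences an uninitialized pointer. Allocate with `calloc(1, sizeof (*invacq))` and check the send, e.g. `if (ikev1_send_inverse_acquire(iph2, newseq) != 0) { sadb_request_finish(&invacq->request); free(invacq); return (-1); }`, assuming that function reports failure by return value (its signature is not in this hunk) and that the caller treats -1 as it does for the existing failure returns. `sadb_new_seq()` is also consumed before the NULL check on `invacq`, which is harmless but worth reordering so a failed allocation does not burn a sequence number. The function starts before this hunk.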