Current snapshot of OpenSolaris port.
Checkpoint
Checkpoint
Merge from parent.
Merge with WIDE update.
Pull from WIDE.
Pull from WIDE.
Checkpoint
Re-update.
blah
WIDE update
Update from WIDE.
@@ -54,14 +54,20 @@
# include <netinet6/ipsec.h>
#else
# ifdef HAVE_NETIPSEC_IPSEC_H
# include <netipsec/ipsec.h>
# else
+# ifndef sun /* XXX KEBE SAYS OpenSolaris */
# include <linux/ipsec.h>
# endif
+# endif
#endif
+#ifdef sun /* XXX KEBE SAYS OpenSolaris */
+#define IPSEC_ULPROTO_ANY 0
+#endif
+
#include "racoon.h"
#include "isakmp.h"
#include "ikev2.h"
#include "keyed_hash.h"
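Review bot: The `#define IPSEC_ULPROTO_ANY 0` on L26 is unguarded, so any Solaris header that later grows the same macro turns into a redefinition diagnostic; wrap it as `#ifndef IPSEC_ULPROTO_ANY` / `#define IPSEC_ULPROTO_ANY 0` / `#endif`. The value also deserves a comment: the BSD and Linux ipsec.h headers selected by the other branches use 255 for this constant, so if any caller compares it against a protocol field the Solaris value of 0 is a semantic difference, not just a missing define. The `sun` macro tested here (L20, L25) and again at L39, L52, L68 and L153 is not in the reserved namespace and is not predefined by the Solaris compilers in strict-conformance modes (`-std=c99`, `-ansi`), whereas `__sun` is; testing `defined(__sun)` as well, or a configure-time `HAVE_` result, is the portable form.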
@@ -307,11 +313,15 @@
/*
* set the flag to prevent further port floating.
* (FIXME: should we allow it? E.g. when the NAT gw
* is rebooted?)
*/
+#ifdef sun
+ iph1->natt_flags |= NAT_PORTS_CHANGED;
+#else
iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER;
+#endif
}
#endif
/* must be same addresses in one stream of a phase at least. */
if (rcs_cmpsa(iph1->remote, remote) != 0) {
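Review bot: The Solaris branch on L40 drops NAT_ADD_NON_ESP_MARKER and nothing says why; the comment above (L34-L38) explains the port-float flag but not this difference. Add a one-line reason next to the `#ifdef sun`, along the lines of `/* Solaris: non-ESP marker handling differs from Linux/BSD; do not request it here */` with the actual mechanism filled in — I cannot tell from this hunk whether the marker is inserted by the Solaris kernel or is simply unsupported. The enclosing function starts and ends outside this hunk.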
@@ -833,10 +843,16 @@
/* turn off schedule */
if (iph2->scr)
SCHED_KILL(iph2->scr);
+#ifdef sun
+ /* Bail now to await inverse-ACQUIRE response. */
+ if (iph2->status == PHASE2ST_START && iph2->side == RESPONDER)
+ return (0);
+#endif /* sun/OpenSolaris */
+
/* send */
plog(PLOG_DEBUG, PLOGLOC, NULL, "===\n");
if ((ph2exchange[etypesw2(isakmp->etype)]
[iph2->side]
[iph2->status]) (iph2, msg) != 0) {
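Review bot: The early `return (0)` on L55 leaves the responder's Quick Mode exchange unsent, and nothing in this hunk names what resumes it; the comment on L53 should point at the continuation, e.g. `/* Responder: defer the reply until the inverse-ACQUIRE answer is delivered to isakmp_ph2_inv_acquire(), which replays iph2->msg1. */` — assuming that callback is the intended path. A PLOG_DEBUG line before the return would make the deferral visible in traces, since the caller otherwise sees the same 0 as a completed send. The enclosing function begins and ends outside this hunk.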
@@ -1134,10 +1150,75 @@
return;
}
return;
}
+#ifdef sun
+static int
+isakmp_ph2_inv_acquire(invacq_t *invacq)
+{
+ struct ph2handle *iph2 = invacq->iph2;
+ struct rcpfk_msg *param = invacq->answer;
+ struct isakmp *isakmp = (struct isakmp *)iph2->msg1->v;
+
+ sadb_request_finish(&invacq->request);
+ free(invacq);
+
+ /*
+ * Initialize iph2->selector, iph2->proposal, and iph2-> with the results of an
+ * inverse-ACQUIRE.
+ *
+ * XXX KEBE SAYS -- We need a way to figure out a p2_pfs equivalent
+ * for racoon2. We store this in Phase I/PAD state in in.iked.
+ */
+
+ /* Then send the Quick Mode reply. */
+ /* assert(iph2->status == PHASE2ST_STATUS2); */
+
+ /* change status of isakmp status entry */
+ iph2->status = PHASE2ST_STATUS2;
+
+ if (extract_extended_acquire(param, &iph2->selector, NULL) != 0) {
+ /* XXX KEBE SAYS MORE ERROR HANDLING? */
+ return (-1);
+ }
+
+ /* XXX KEBE SAYS FILL ME IN XXX */
+
+ if (set_proposal_from_policy(iph2, iph2->ph1->rmconf,
+ iph2->selector->pl) != 0) {
+ /* XXX KEBE SAYS MORE ERROR HANDLING? */
+ return (-1);
+ }
+
+ if (ipsecdoi_selectph2proposal(iph2) < 0) {
+ /* XXX KEBE SAYS MORE ERROR HANDLING? PROPER RETURN? */
+ isakmp_info_send_n1(iph2->ph1, ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN,
+ NULL);
+ return (-1);
+ }
+
+ /* The following was moved here from quick_main(). */
+ plog(PLOG_DEBUG, PLOGLOC, NULL, "===\n");
+ if ((ph2exchange[etypesw2(isakmp->etype)]
+ [iph2->side]
+ [iph2->status]) (iph2, iph2->msg1) < 0) {
+ plog(PLOG_PROTOERR, PLOGLOC, 0,
+ "failed to process packet.\n");
+ /* don't release handler */
+ return -1;
+ }
+#ifdef ENABLE_STATS
+ gettimeofday(&end, NULL);
+ syslog(LOG_NOTICE, "%s(%s): %8.6f",
+ "phase2",
+ s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
+ timedelta(&start, &end));
+#endif
+}
+#endif
+
/* new negotiation of phase 2 for responder */
static int
isakmp_ph2begin_r(struct ph1handle *iph1, rc_vchar_t *msg)
{
struct isakmp *isakmp = (struct isakmp *)msg->v;
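Review bot: isakmp_ph2_inv_acquire is declared `static int` but its success path falls off the end at L130 with no return value, which is undefined behaviour as soon as a caller tests the result; add `return 0;` after the ENABLE_STATS block. In that block, `start` and `end` (L124, L128) are not declared anywhere in this function, so an ENABLE_STATS build will not compile unless they are file-scope — and even then the start timestamp would have to be captured before the exchange, not inside a callback. `param` is taken from `invacq->answer` on L73 before `free(invacq)` on L77; if sadb_request_finish() also releases the answer, `param` is dangling by the extract_extended_acquire() call on L93 — worth confirming. Smaller points: the comment on L80 is cut off (`iph2-> with`), and the error returns mix `return (-1)` and `return -1`.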
@@ -1204,10 +1285,11 @@
#ifdef ENABLE_STATS
gettimeofday(&start, NULL);
#endif
+
error = (ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
[iph2->side]
[iph2->status]) (iph2, msg);
if (error != 0) {
plog(PLOG_INTERR, PLOGLOC, 0,
@@ -1222,10 +1304,37 @@
remph2(iph2);
delph2(iph2);
return -1;
}
+#ifdef sun
+ /* XXX KEBE ASKS - how do you insert inverse-ACQUIRE here? */
+
+ /* Assume iph2->msg1 contains a copy of "msg" we passed-in. */
+ {
+ invacq_t *invacq = malloc(sizeof (*invacq));
+ uint32_t newseq = sadb_new_seq();
+
+ /*
+ * Use newseq to avoid using iph2's, which already has a
+ * record via a previous sadb_request_initalize() call.
+ */
+
+ if (invacq == NULL)
+ return (-1);
+
+ invacq->iph2 = iph2;
+ sadb_request_initialize(&invacq->request,
+ NULL /* KEBE - reqmethod */, NULL /* KEBE - respmethod */,
+ newseq, invacq);
+ invacq->receiver = isakmp_ph2_inv_acquire;
+
+ /* Okay, now we send the inverse-ACQUIRE itself. */
+ /* XXX KEBE SAYS CODE ME */
+ ikev1_send_inverse_acquire(iph2, newseq);
+ }
+#else
/* send */
plog(PLOG_DEBUG, PLOGLOC, NULL, "===\n");
if ((ph2exchange[etypesw2(isakmp->etype)]
[iph2->side]
[iph2->status]) (iph2, msg) < 0) {
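Review bot: The `return (-1)` on L167 when malloc fails leaves iph2 registered, whereas the error path just above it (L149-L151) calls `remph2(iph2); delph2(iph2);` before returning -1; this path should do the same, `if (invacq == NULL) { remph2(iph2); delph2(iph2); return (-1); }`. sadb_new_seq() on L159 is consumed before the allocation is checked, so a failed malloc burns a sequence number — take it after the NULL check. The result of ikev1_send_inverse_acquire() on L177 is ignored; if that call can fail, the request initialised on L170 is never finished, invacq leaks, and the function still reports success via the `return 0` at L192 outside this hunk. isakmp_ph2begin_r begins before this hunk.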
@@ -1239,10 +1348,11 @@
syslog(LOG_NOTICE, "%s(%s): %8.6f",
"phase2",
s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
timedelta(&start, &end));
#endif
+#endif /* sun/OpenSolaris */
return 0;
}
/* called from scheduler */