Red Hat Bugzilla – Attachment 151822 Details for
Bug 218386
LSPP: labeled ipsec does not work over loopback
[patch]
Patch that allows racoon to negotiate with itself over loopback.
patch.0403 (text/plain), 15.74 KB, created by
Joy Latten
on 2007-04-06 00:30:28 UTC
Description:
Patch that allows racoon to negotiate with itself over loopback.
Filename:
MIME Type:
Creator:
Joy Latten
Created:
2007-04-06 00:30:28 UTC
Size:
15.74 KB
patch
obsolete
>diff -urpN ipsec-tools.new/configure.ac ipsec-tools.patch0329/configure.ac
>--- ipsec-tools.new/configure.ac 2007-04-03 09:57:44.000000000 -0500
>+++ ipsec-tools.patch0329/configure.ac 2007-04-02 17:22:16.000000000 -0500
>@@ -772,6 +772,16 @@ if test "$enable_security_context" = "ye
> fi
> fi
>
>+# Option --enable-racoon-over-loopback
>+AC_MSG_CHECKING(if --enable-racoon-over-loopback option is specified)
>+AC_ARG_ENABLE(racoon-over-loopback,
>+ [ --enable-racoon-over-loopback enable racoon to use loopback],
>+ [], [enable_racoon_over_loopback=no])
>+if test $enable_racoon_over_loopback = "yes"; then
>+ AC_DEFINE([ENABLE_RACOON_OVER_LOOPBACK], [], [Enable racoon to use loopback])
>+fi
>+AC_MSG_RESULT($enable_racoon_over_loopback)
>+
> CFLAGS="$CFLAGS $CFLAGS_ADD"
> CPPFLAGS="$CPPFLAGS $CPPFLAGS_ADD"
>
>diff -urpN ipsec-tools.new/src/racoon/admin.c ipsec-tools.patch0329/src/racoon/admin.c
>--- ipsec-tools.new/src/racoon/admin.c 2007-04-03 09:57:43.000000000 -0500
>+++ ipsec-tools.patch0329/src/racoon/admin.c 2007-04-02 17:19:08.000000000 -0500
>@@ -293,7 +293,7 @@ out2:
> STRDUP_FATAL(loc);
> STRDUP_FATAL(rem);
>
>- if ((iph1 = getph1byaddrwop(src, dst)) == NULL) {
>+ if ((iph1 = getph1byaddrwop(src, dst, ANYSIDE)) == NULL) {
> plog(LLV_ERROR, LOCATION, NULL,
> "phase 1 for %s -> %s not found\n", loc, rem);
> } else {
>@@ -344,7 +344,7 @@ out2:
> plog(LLV_INFO, LOCATION, NULL,
> "Flushing all SAs for peer %s\n", rem);
>
>- while ((iph1 = getph1bydstaddrwop(dst)) != NULL) {
>+ while ((iph1 = getph1bydstaddrwop(dst, ANYSIDE)) != NULL) {
> loc = racoon_strdup(saddrwop2str(iph1->local));
> STRDUP_FATAL(loc);
>
>diff -urpN ipsec-tools.new/src/racoon/handler.c ipsec-tools.patch0329/src/racoon/handler.c
>--- ipsec-tools.new/src/racoon/handler.c 2007-04-03 09:57:44.000000000 -0500
>+++ ipsec-tools.patch0329/src/racoon/handler.c 2007-04-03 11:13:08.000000000 -0500
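Review bot: `if test $enable_racoon_over_loopback = "yes"; then` leaves the variable unquoted, unlike the `test "$enable_security_context" = ...` line this hunk hangs under; an empty or whitespace-containing value turns the test into a shell syntax error at configure time instead of a clean "no". Use `if test "$enable_racoon_over_loopback" = "yes"; then`. Since ENABLE_RACOON_OVER_LOOPBACK changes how every phase 1 and phase 2 lookup in handler.c treats its new `side` argument, the help string `enable racoon to use loopback` could also say that the option is only meant for a daemon that negotiates with itself, so packagers do not switch it on by default.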
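Review bot: With ANYSIDE at `getph1byaddrwop(src, dst, ANYSIDE)` the admin delete acts on whichever phase 1 handle is found first; when racoon negotiates with itself over loopback there are two handles for the same address pair (initiator and responder), so if the rest of this branch deletes only `iph1` (its body continues outside the hunk) the other side's handle survives the admin request. The second admin.c hunk loops with `getph1bydstaddrwop` until nothing is found and does not have this problem; either use the same loop shape here or add a comment above the call stating that only one handle is acted on.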
>@@ -101,14 +101,19 @@ static void sweep_recvdpkt __P((void *))
> extern caddr_t val2str(const char *, size_t);
>
> struct ph1handle *
>-getph1byindex(index)
>+getph1byindex(index, side)
> isakmp_index *index;
>+ int side;
> {
> struct ph1handle *p;
>
> LIST_FOREACH(p, &ph1tree, chain) {
> if (p->status == PHASE1ST_EXPIRED)
> continue;
>+#ifdef ENABLE_RACOON_OVER_LOOPBACK
>+ if (p->side != side && side != ANYSIDE)
>+ continue;
>+#endif
> if (memcmp(&p->index, index, sizeof(*index)) == 0)
> return p;
> }
>@@ -121,14 +126,19 @@ getph1byindex(index)
> * search for isakmp handler by i_ck in index.
> */
> struct ph1handle *
>-getph1byindex0(index)
>+getph1byindex0(index, side)
> isakmp_index *index;
>+ int side;
> {
> struct ph1handle *p;
>
> LIST_FOREACH(p, &ph1tree, chain) {
> if (p->status == PHASE1ST_EXPIRED)
> continue;
>+#ifdef ENABLE_RACOON_OVER_LOOPBACK
>+ if (p->side != side && side != ANYSIDE)
>+ continue;
>+#endif
> if (memcmp(&p->index, index, sizeof(cookie_t)) == 0)
> return p;
> }
>@@ -142,14 +152,19 @@ getph1byindex0(index)
> * with phase 2's destinaion.
> */
> struct ph1handle *
>-getph1byaddr(local, remote)
>+getph1byaddr(local, remote, side)
> struct sockaddr *local, *remote;
>+ int side;
> {
> struct ph1handle *p;
>
> LIST_FOREACH(p, &ph1tree, chain) {
> if (p->status == PHASE1ST_EXPIRED)
> continue;
>+#ifdef ENABLE_RACOON_OVER_LOOPBACK
>+ if (p->side != side && side != ANYSIDE)
>+ continue;
>+#endif
> if (CMPSADDR(local, p->local) == 0
> && CMPSADDR(remote, p->remote) == 0)
> return p;
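Review bot: The new `side` parameter of getph1byindex is undocumented, and its filter is only compiled in under ENABLE_RACOON_OVER_LOOPBACK, so in a default build a caller passing INITIATOR or RESPONDER silently gets ANYSIDE behaviour; the same applies to getph1byindex0, getph1byaddr, getph1byaddrwop, getph1bydstaddrwop, getph2bymsgid and getph2bysaddr in the following hunks. Add above each of them (or once, at the first) a comment such as `/* side: INITIATOR, RESPONDER or ANYSIDE; the side filter is a no-op unless built with ENABLE_RACOON_OVER_LOOPBACK */`. Note also that with the filter compiled in, any `side` value other than those three constants matches nothing, while with it compiled out it matches everything; a debug-level plog or an assertion on the argument would make that mismatch visible.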
>@@ -159,14 +174,19 @@ getph1byaddr(local, remote)
> }
>
> struct ph1handle *
>-getph1byaddrwop(local, remote)
>+getph1byaddrwop(local, remote, side)
> struct sockaddr *local, *remote;
>+ int side;
> {
> struct ph1handle *p;
>
> LIST_FOREACH(p, &ph1tree, chain) {
> if (p->status == PHASE1ST_EXPIRED)
> continue;
>+#ifdef ENABLE_RACOON_OVER_LOOPBACK
>+ if (p->side != side && side != ANYSIDE)
>+ continue;
>+#endif
> if (cmpsaddrwop(local, p->local) == 0
> && cmpsaddrwop(remote, p->remote) == 0)
> return p;
>@@ -181,14 +201,19 @@ getph1byaddrwop(local, remote)
> * with phase 2's destinaion.
> */
> struct ph1handle *
>-getph1bydstaddrwop(remote)
>+getph1bydstaddrwop(remote, side)
> struct sockaddr *remote;
>+ int side;
> {
> struct ph1handle *p;
>
> LIST_FOREACH(p, &ph1tree, chain) {
> if (p->status == PHASE1ST_EXPIRED)
> continue;
>+#ifdef ENABLE_RACOON_OVER_LOOPBACK
>+ if (p->side != side && side != ANYSIDE)
>+ continue;
>+#endif
> if (cmpsaddrwop(remote, p->remote) == 0)
> return p;
> }
>@@ -456,13 +481,18 @@ getph2byseq(seq)
> * search ph2handle with message id.
> */
> struct ph2handle *
>-getph2bymsgid(iph1, msgid)
>+getph2bymsgid(iph1, msgid, side)
> struct ph1handle *iph1;
> u_int32_t msgid;
>+ int side;
> {
> struct ph2handle *p;
>
> LIST_FOREACH(p, &ph2tree, chain) {
>+#ifdef ENABLE_RACOON_OVER_LOOPBACK
>+ if (p->side != side && side != ANYSIDE)
>+ continue;
>+#endif
> if (p->msgid == msgid)
> return p;
> }
>@@ -501,12 +531,17 @@ getph2byid(src, dst, spid)
> }
>
> struct ph2handle *
>-getph2bysaddr(src, dst)
>+getph2bysaddr(src, dst, side)
> struct sockaddr *src, *dst;
>+ int side;
> {
> struct ph2handle *p;
>
> LIST_FOREACH(p, &ph2tree, chain) {
>+#ifdef ENABLE_RACOON_OVER_LOOPBACK
>+ if (p->side != side && side != ANYSIDE)
>+ continue;
>+#endif
> if (cmpsaddrstrict(src, p->src) == 0 &&
> cmpsaddrstrict(dst, p->dst) == 0)
> return p;
>diff -urpN ipsec-tools.new/src/racoon/handler.h ipsec-tools.patch0329/src/racoon/handler.h
>--- ipsec-tools.new/src/racoon/handler.h 2007-04-03 10:02:31.000000000 -0500
>+++ ipsec-tools.patch0329/src/racoon/handler.h 2007-04-02 17:19:46.000000000 -0500
>@@ -424,13 +424,13 @@ struct ph1handle;
> struct ph2handle;
> struct policyindex;
>
>-extern struct ph1handle *getph1byindex __P((isakmp_index *));
>-extern struct ph1handle *getph1byindex0 __P((isakmp_index *));
>+extern struct ph1handle *getph1byindex __P((isakmp_index *, int));
>+extern struct ph1handle *getph1byindex0 __P((isakmp_index *, int));
> extern struct ph1handle *getph1byaddr __P((struct sockaddr *,
>- struct sockaddr *));
>+ struct sockaddr *, int));
> extern struct ph1handle *getph1byaddrwop __P((struct sockaddr *,
>- struct sockaddr *));
>-extern struct ph1handle *getph1bydstaddrwop __P((struct sockaddr *));
>+ struct sockaddr *, int));
>+extern struct ph1handle *getph1bydstaddrwop __P((struct sockaddr *, int));
> #ifdef ENABLE_HYBRID
> struct ph1handle *getph1bylogin __P((char *));
> int purgeph1bylogin __P((char *));
>@@ -447,8 +447,9 @@ extern struct ph2handle *getph2byspidx _
> extern struct ph2handle *getph2byspid __P((u_int32_t));
> extern struct ph2handle *getph2byseq __P((u_int32_t));
> extern struct ph2handle *getph2bysaddr __P((struct sockaddr *,
>- struct sockaddr *));
>-extern struct ph2handle *getph2bymsgid __P((struct ph1handle *, u_int32_t));
>+ struct sockaddr *, int));
>+extern struct ph2handle *getph2bymsgid __P((struct ph1handle *, u_int32_t,
>+ int));
> extern struct ph2handle *getph2byid __P((struct sockaddr *,
> struct sockaddr *, u_int32_t));
> extern struct ph2handle *getph2bysaidx __P((struct sockaddr *,
>diff -urpN ipsec-tools.new/src/racoon/isakmp.c ipsec-tools.patch0329/src/racoon/isakmp.c
>--- ipsec-tools.new/src/racoon/isakmp.c 2007-04-03 09:57:44.000000000 -0500
>+++ ipsec-tools.patch0329/src/racoon/isakmp.c 2007-04-03 10:51:41.000000000 -0500
>@@ -406,6 +406,36 @@ end:
> return(error);
> }
>
>+#ifdef ENABLE_RACOON_OVER_LOOPBACK
>+/*
>+ * isakmp phase 1 search helper
>+ */
>+static struct ph1handle *
>+isakmp_ph1pickside(iph1_i, iph1_r, local)
>+ struct ph1handle *iph1_i, *iph1_r;
>+ struct sockaddr *local;
>+{
>+ if (iph1_i == NULL && iph1_r != NULL) {
>+ if (cmpsaddrstrict(iph1_r->remote, local) != 0)
>+ return iph1_r;
>+ else
>+ return NULL;
>+ } else if (iph1_i != NULL && iph1_r == NULL) {
>+ if (cmpsaddrstrict(iph1_i->remote, local) != 0)
>+ return iph1_i;
>+ else
>+ return NULL;
>+ } else if (iph1_i != NULL && iph1_r != NULL) {
>+ if (iph1_r->status < iph1_i->status)
>+ return iph1_r;
>+ else
>+ return iph1_i;
>+ }
>+
>+ return NULL;
>+}
>+#endif
>+
> /*
> * main processing to handle isakmp payload
> */
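Review bot: The header comment `isakmp phase 1 search helper` on isakmp_ph1pickside does not state the selection rule, which is the one thing a maintainer of the loopback path needs: when only one side's handle matches, it is returned only if its `remote` differs from the address this packet arrived on (`local`), so a daemon talking to itself is not handed its own outgoing handle; when both sides match, the one with the lower `status` — presumably the one still waiting for this message — wins, with ties going to `iph1_i`. I would replace the comment with a three-to-four-line one saying exactly that, and add that `local` is the receiving address of the packet being processed, not the handle's local address. The same rule is re-implemented inline for phase 2 in the `@@ -708` hunk of this file; a second helper, or one taking just the two candidates and their status values, would keep the two in step.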
>@@ -472,7 +502,14 @@ isakmp_main(msg, remote, local)
> }
> }
>
>- iph1 = getph1byindex(index);
>+#ifdef ENABLE_RACOON_OVER_LOOPBACK
>+ iph1 = isakmp_ph1pickside(getph1byindex(index, INITIATOR),
>+ getph1byindex(index, RESPONDER),
>+ local);
>+#else
>+ iph1 = getph1byindex(index, ANYSIDE);
>+#endif
>+
> if (iph1 != NULL) {
> /* validity check */
> if (memcmp(&isakmp->r_ck, r_ck0, sizeof(cookie_t)) == 0 &&
>@@ -572,7 +609,15 @@ isakmp_main(msg, remote, local)
> */
>
> /* search for phase1 handle by index without r_ck */
>- iph1 = getph1byindex0(index);
>+#ifdef ENABLE_RACOON_OVER_LOOPBACK
>+ iph1 = isakmp_ph1pickside(
>+ getph1byindex0(index, INITIATOR),
>+ getph1byindex0(index, RESPONDER),
>+ local);
>+#else
>+ iph1 = getph1byindex0(index, ANYSIDE);
>+#endif
>+
> if (iph1 == NULL) {
> /*it must be the 1st message from a initiator.*/
> if (memcmp(&isakmp->r_ck, r_ck0,
>@@ -648,7 +693,7 @@ isakmp_main(msg, remote, local)
> * NOTE: We think such informational exchange should be ignored.
> */
> if (iph1 == NULL) {
>- iph1 = getph1byindex0(index, INITIATOR);
> if (iph1 == NULL) {
> plog(LLV_ERROR, LOCATION, remote,
> "unknown Informational "
>@@ -675,6 +720,7 @@ isakmp_main(msg, remote, local)
> case ISAKMP_ETYPE_QUICK:
> {
> struct ph2handle *iph2;
>+ struct ph2handle *iph2_i, *iph2_r;
>
> if (iph1 == NULL) {
> isakmp_info_send_nx(isakmp, remote, local,
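Review bot: `iph1 = getph1byindex0(index, INITIATOR)` in the Informational branch is the only lookup in this patch that hard-codes a side instead of going through isakmp_ph1pickside or ANYSIDE, and nothing in the hunk says why a responder-side handle can never be the target of such an exchange. If the reasoning is that a handle whose r_ck is still unknown can only be our own initiator-side one, say so above the call, e.g. `/* r_ck not yet known: only our initiator-side handle can be waiting for this */`. Note that in a build without ENABLE_RACOON_OVER_LOOPBACK the argument has no effect and the call behaves as ANYSIDE; isakmp_main continues outside the hunk.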
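Review bot: `struct ph2handle *iph2_i, *iph2_r;` is declared unconditionally but is only referenced inside the `#ifdef ENABLE_RACOON_OVER_LOOPBACK` block of the `@@ -708` hunk, so a default build gets an unused-variable warning for both. Wrap the declaration in the same guard: `#ifdef ENABLE_RACOON_OVER_LOOPBACK` / `struct ph2handle *iph2_i, *iph2_r;` / `#endif`.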
>@@ -708,7 +754,30 @@ isakmp_main(msg, remote, local)
> }
>
> /* search isakmp phase 2 stauts record. */
>- iph2 = getph2bymsgid(iph1, msgid);
>+#ifdef ENABLE_RACOON_OVER_LOOPBACK
>+ iph2_i = getph2bymsgid(iph1, msgid, INITIATOR);
>+ iph2_r = getph2bymsgid(iph1, msgid, RESPONDER);
>+ if (iph2_i == NULL && iph2_r != NULL) {
>+ if (cmpsaddrstrict(iph1->remote, local) != 0)
>+ iph2 = iph2_r;
>+ else
>+ iph2 = NULL;
>+ } else if (iph2_i != NULL && iph2_r == NULL) {
>+ if (cmpsaddrstrict(iph1->remote, local) != 0)
>+ iph2 = iph2_i;
>+ else
>+ iph2 = NULL;
>+ } else if (iph2_i != NULL && iph2_r != NULL) {
>+ if (iph2_r->status < iph2_i->status)
>+ iph2 = iph2_r;
>+ else
>+ iph2 = iph2_i;
>+ } else
>+ iph2 = NULL;
>+#else
>+ iph2 = getph2bymsgid(iph1, msgid, ANYSIDE);
>+#endif
>+
> if (iph2 == NULL) {
> /* it must be new negotiation as responder */
> if (isakmp_ph2begin_r(iph1, msg) < 0)
>@@ -2218,15 +2287,17 @@ isakmp_post_acquire(iph2)
> */
> #ifdef ENABLE_NATT
> if (!extract_port(iph2->src) && !extract_port(iph2->dst)) {
>- if ((iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL) {
>+ if ((iph1 = getph1byaddrwop(iph2->src,
>+ iph2->dst,
>+ ANYSIDE)) != NULL) {
> set_port(iph2->src, extract_port(iph1->local));
> set_port(iph2->dst, extract_port(iph1->remote));
> }
> } else {
>- iph1 = getph1byaddr(iph2->src, iph2->dst);
>+ iph1 = getph1byaddr(iph2->src, iph2->dst, ANYSIDE);
> }
> #else
>- iph1 = getph1byaddr(iph2->src, iph2->dst);
>+ iph1 = getph1byaddr(iph2->src, iph2->dst, ANYSIDE);
> #endif
>
> /* no ISAKMP-SA found. */
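Review bot: The twenty-line selection between `iph2_i` and `iph2_r` is the phase 2 copy of isakmp_ph1pickside's rule with the same four cases written out by hand, which is hard to read and easy to let drift from the phase 1 version; it also dereferences `iph1->remote`, which is safe only because the `@@ -675` hunk above bails out on `iph1 == NULL` (the code between the two hunks is not visible here). The cases collapse to three: both found, pick the lower status; exactly one found, keep it unless this packet arrived on the handle's own remote address; none found, NULL. The rewrite below is behaviourally identical to the hunk and short enough to be read as a rule; isakmp_main continues outside the hunk.
```c
	/* search isakmp phase 2 stauts record. */
#ifdef ENABLE_RACOON_OVER_LOOPBACK
	iph2_i = getph2bymsgid(iph1, msgid, INITIATOR);
	iph2_r = getph2bymsgid(iph1, msgid, RESPONDER);
	if (iph2_i != NULL && iph2_r != NULL) {
		/* both sides live here: the one further behind is waiting for this message */
		iph2 = (iph2_r->status < iph2_i->status) ? iph2_r : iph2_i;
	} else if (cmpsaddrstrict(iph1->remote, local) != 0) {
		/* single candidate, and the packet is not our own reflected send */
		iph2 = (iph2_i != NULL) ? iph2_i : iph2_r;
	} else {
		iph2 = NULL;
	}
#else
	iph2 = getph2bymsgid(iph1, msgid, ANYSIDE);
#endif
	/* … unchanged: isakmp_ph2begin_r fallback … */
```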
>@@ -2352,15 +2423,17 @@ isakmp_chkph1there(iph2)
> */
> #ifdef ENABLE_NATT
> if (!extract_port(iph2->src) && !extract_port(iph2->dst)) {
>- if ((iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL) {
>+ if ((iph1 = getph1byaddrwop(iph2->src,
>+ iph2->dst,
>+ ANYSIDE)) != NULL) {
> set_port(iph2->src, extract_port(iph1->local));
> set_port(iph2->dst, extract_port(iph1->remote));
> }
> } else {
>- iph1 = getph1byaddr(iph2->src, iph2->dst);
>+ iph1 = getph1byaddr(iph2->src, iph2->dst, ANYSIDE);
> }
> #else
>- iph1 = getph1byaddr(iph2->src, iph2->dst);
>+ iph1 = getph1byaddr(iph2->src, iph2->dst, ANYSIDE);
> #endif
>
> /* XXX Even if ph1 as responder is there, should we not start
>@@ -2609,7 +2682,7 @@ isakmp_newmsgid2(iph1)
>
> do {
> msgid2 = eay_random();
>- } while (getph2bymsgid(iph1, msgid2));
>+ } while (getph2bymsgid(iph1, msgid2, iph1->side));
>
> return msgid2;
> }
>@@ -3272,7 +3345,7 @@ purge_remote(iph1)
> iph1->status = PHASE1ST_EXPIRED;
>
> /* Check if we have another, still valid, phase1 SA. */
>- new_iph1 = getph1byaddr(iph1->local, iph1->remote);
>+ new_iph1 = getph1byaddr(iph1->local, iph1->remote, ANYSIDE);
>
> /*
> * Delete all orphaned or binded to the deleting ph1handle phase2 SAs.
>diff -urpN ipsec-tools.new/src/racoon/isakmp.h ipsec-tools.patch0329/src/racoon/isakmp.h
>--- ipsec-tools.new/src/racoon/isakmp.h 2007-04-03 09:57:43.000000000 -0500
>+++ ipsec-tools.patch0329/src/racoon/isakmp.h 2007-04-02 17:19:57.000000000 -0500
>@@ -39,6 +39,8 @@
> /* must include <netinet/in.h> first. */
> /* must include "isakmp_var.h" first. */
>
>+#define ANYSIDE -1 /* either INITIATOR or RESPONDER */
>+
> #define INITIATOR 0 /* synonym sender */
> #define RESPONDER 1 /* synonym receiver */
>
>diff -urpN ipsec-tools.new/src/racoon/isakmp_inf.c ipsec-tools.patch0329/src/racoon/isakmp_inf.c
>--- ipsec-tools.new/src/racoon/isakmp_inf.c 2007-04-03 09:57:44.000000000 -0500
>+++ ipsec-tools.patch0329/src/racoon/isakmp_inf.c 2007-04-03 11:16:01.000000000 -0500
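Review bot: `getph2bymsgid(iph1, msgid2, iph1->side)` narrows the message-ID collision check to phase 2 handles on the phase 1's side, but the ID being allocated belongs to an exchange this daemon initiates regardless of how the phase 1 was established; if a phase 1 that came up as RESPONDER is later used to start phase 2, every INITIATOR-side phase 2 is excluded from the check and a duplicate message ID can be handed out. Unless the narrowing is intentional, the side of the exchange being created, or ANYSIDE as the rest of the patch uses for non-loopback-aware lookups, looks like the safer filter; a one-line comment stating which collisions this loop is meant to rule out would settle it either way.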
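Review bot: `#define ANYSIDE -1` should be written `#define ANYSIDE (-1)` like any negative macro constant so it cannot bind unexpectedly inside an expression; the value itself is fine provided the `side` field of the handles is a signed type, which I cannot see here. The comment would also be clearer as `/* lookup wildcard: match INITIATOR or RESPONDER; not a valid value for a handle's side */`, since, as far as this patch goes, ANYSIDE is only ever passed to the lookup functions.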
>@@ -387,7 +387,7 @@ isakmp_info_recv_n(iph1, notify, msgid,
> "delete phase1 handle.\n");
> return -1;
> } else {
>- if (getph2bymsgid(iph1, msgid) == NULL) {
>+ if (getph2bymsgid(iph1, msgid, iph1->side) == NULL) {
> plog(LLV_ERROR, LOCATION, iph1->remote,
> "fatal %s notify messsage, "
> "phase1 should be deleted.\n",
>@@ -516,7 +516,7 @@ isakmp_info_recv_d(iph1, delete, msgid,
> return 0;
> }
>
>- del_ph1=getph1byindex((isakmp_index *)(delete + 1));
>+ del_ph1=getph1byindex((isakmp_index *)(delete + 1), ANYSIDE);
> if(del_ph1 != NULL){
>
> EVT_PUSH(del_ph1->local, del_ph1->remote,
>@@ -644,7 +644,7 @@ isakmp_info_send_d2(iph2)
> * don't send delete information if there is no phase 1 handler.
> * It's nonsensical to negotiate phase 1 to send the information.
> */
>- iph1 = getph1byaddr(iph2->src, iph2->dst);
>+ iph1 = getph1byaddr(iph2->src, iph2->dst, ANYSIDE);
> if (iph1 == NULL)
> return 0;
>
>@@ -1127,7 +1127,7 @@ purge_isakmp_spi(proto, spi, n)
> size_t i;
>
> for (i = 0; i < n; i++) {
>- iph1 = getph1byindex(&spi[i]);
>+ iph1 = getph1byindex(&spi[i], ANYSIDE);
> if (!iph1)
> continue;
>
>diff -urpN ipsec-tools.new/src/racoon/isakmp_xauth.c ipsec-tools.patch0329/src/racoon/isakmp_xauth.c
>--- ipsec-tools.new/src/racoon/isakmp_xauth.c 2007-04-03 09:57:44.000000000 -0500
>+++ ipsec-tools.patch0329/src/racoon/isakmp_xauth.c 2007-04-02 17:20:24.000000000 -0500
>@@ -360,7 +360,7 @@ xauth_reply_stub(args)
> struct xauth_reply_arg *xra = (struct xauth_reply_arg *)args;
> struct ph1handle *iph1;
>
>- if ((iph1 = getph1byindex(&xra->index)) != NULL)
>+ if ((iph1 = getph1byindex(&xra->index, ANYSIDE)) != NULL)
> (void)xauth_reply(iph1, xra->port, xra->id, xra->res);
> else
> plog(LLV_ERROR, LOCATION, NULL,
>diff -urpN ipsec-tools.new/src/racoon/pfkey.c ipsec-tools.patch0329/src/racoon/pfkey.c
>--- ipsec-tools.new/src/racoon/pfkey.c 2007-04-03 10:02:31.000000000 -0500
>+++ ipsec-tools.patch0329/src/racoon/pfkey.c 2007-04-03 14:39:22.000000000 -0500
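Review bot: `del_ph1=getph1byindex((isakmp_index *)(delete + 1), ANYSIDE)` in isakmp_info_recv_d is ambiguous in exactly the situation this patch creates: over loopback the initiator-side and responder-side phase 1 handles carry the same cookie pair, so ANYSIDE returns whichever is first in ph1tree, and a DELETE received on one side may tear down the other side's handle while the receiving side's own survives. The `@@ -387` hunk just above filters the phase 2 lookup with `iph1->side` for the same informational exchange; `getph1byindex((isakmp_index *)(delete + 1), iph1->side)` would be the consistent choice here if the intended target is the receiving side's own handle, and if ANYSIDE is deliberate a comment should say which of the two loopback handles is meant. The `@@ -1127` hunk (purge_isakmp_spi) has the same one-of-two ambiguity and no `iph1` in scope, so there a loop over both sides, or a comment stating that only one handle per cookie pair is purged, is needed.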
>@@ -1268,10 +1268,11 @@ pk_recvupdate(mhp)
> /* turn off the timer for calling pfkey_timeover() */
> SCHED_KILL(iph2->sce);
>
>+#ifdef ENABLE_RACOON_OVER_LOOPBACK
> /* update status */
>- /* Do this in pk_recvadd
>- * iph2->status = PHASE2ST_ESTABLISHED;
>- */
>+ if (cmpsaddrstrict(iph2->ph1->local, iph2->ph1->remote) == 0)
>+ iph2->status = PHASE2ST_ESTABLISHED;
>+#endif
>
> #ifdef ENABLE_STATS
> gettimeofday(&iph2->end, NULL);
>@@ -1317,6 +1318,12 @@ pk_sendadd(iph2)
> return -1;
> }
>
>+#ifdef ENABLE_RACOON_OVER_LOOPBACK
>+ /* This prevents adding the same SA twice, since done in update */
>+ if (cmpsaddrstrict(iph2->ph1->local, iph2->ph1->remote) == 0)
>+ return 0;
>+#endif
>+
> if (iph2->side == INITIATOR)
> proxy = iph2->ph1->rmconf->support_proxy;
> else if (iph2->sainfo && iph2->sainfo->id_i)
>@@ -1761,7 +1768,7 @@ pk_recvacquire(mhp)
>
> iph2[0] = getph2byid(src, dst, xpl->sadb_x_policy_id);
> if (iph2[0] == NULL)
>- iph2[0] = getph2bysaddr(src, dst);
>+ iph2[0] = getph2bysaddr(src, dst, ANYSIDE);
>
> if (iph2[0] != NULL) {
> if (iph2[0]->status < PHASE2ST_ESTABLISHED) {
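Review bot: `cmpsaddrstrict(iph2->ph1->local, iph2->ph1->remote) == 0` dereferences `iph2->ph1` without a NULL check in both pk_recvupdate and pk_sendadd; the existing code of pk_sendadd only touches `iph2->ph1` on the INITIATOR branch, which hints that `ph1` may not always be bound at this point, and both functions start outside the hunks so I cannot confirm it. Factoring the test into one guarded helper, e.g. `static int ph1_is_loopback(struct ph1handle *iph1) { return iph1 != NULL && cmpsaddrstrict(iph1->local, iph1->remote) == 0; }`, removes the duplication and the risk together. The two hunks are also one mechanism — a loopback SA is marked ESTABLISHED on the UPDATE because the matching ADD is skipped — and the `/* update status */` comment in pk_recvupdate should say so, since nothing there currently explains why the status is set at that point for loopback only.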