rpms/ipsec-tools/devel ipsec-tools-0.7.1-loopback.patch, 1.1, 1.2 ipsec-tools.spec, 1.56, 1.57 ipsec-tools-0.7-contextsize.patch, 1.1, NONE
Tomáš Mráz (tmraz)
fedora-extras-commits at redhat.com
Wed Jul 30 18:52:26 UTC 2008
Author: tmraz
Update of /cvs/pkgs/rpms/ipsec-tools/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv2480
Modified Files:
ipsec-tools-0.7.1-loopback.patch ipsec-tools.spec
Removed Files:
ipsec-tools-0.7-contextsize.patch
Log Message:
* Wed Jul 30 2008 Tomas Mraz <tmraz at redhat.com> - 0.7.1-2
- Different approach to allow racoon to add loopback SAs for
labeled IPSec (without ISAKMP)
ipsec-tools-0.7.1-loopback.patch:
Index: ipsec-tools-0.7.1-loopback.patch
===================================================================
RCS file: /cvs/pkgs/rpms/ipsec-tools/devel/ipsec-tools-0.7.1-loopback.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- ipsec-tools-0.7.1-loopback.patch 29 Jul 2008 12:31:24 -0000 1.1
+++ ipsec-tools-0.7.1-loopback.patch 30 Jul 2008 18:51:56 -0000 1.2
@@ -1,521 +1,357 @@
diff -up ipsec-tools-0.7.1/configure.ac.loopback ipsec-tools-0.7.1/configure.ac
--- ipsec-tools-0.7.1/configure.ac.loopback 2008-07-22 15:53:46.000000000 +0200
-+++ ipsec-tools-0.7.1/configure.ac 2008-07-29 09:57:26.000000000 +0200
-@@ -794,6 +794,16 @@ if test "$enable_security_context" = "ye
++++ ipsec-tools-0.7.1/configure.ac 2008-07-30 20:00:21.000000000 +0200
+@@ -794,6 +794,27 @@ if test "$enable_security_context" = "ye
fi
fi
-+# Option --enable-racoon-over-loopback
-+AC_MSG_CHECKING(if --enable-racoon-over-loopback option is specified)
-+AC_ARG_ENABLE(racoon-over-loopback,
-+ [ --enable-racoon-over-loopback enable racoon to use loopback],
-+ [], [enable_racoon_over_loopback=no])
-+if test $enable_racoon_over_loopback = "yes"; then
-+ AC_DEFINE([ENABLE_RACOON_OVER_LOOPBACK], [], [Enable racoon to use loopback])
++AC_MSG_CHECKING(whether to support Auditing)
++AC_ARG_ENABLE(audit,
++ [ --enable-audit build audit daemon support for SELinux],
++ enable_audit=$enableval,enable_audit=auto)
++
++AC_MSG_RESULT($enable_audit)
++
++# libaudit detection
++if test x$enable_audit = xno ; then
++ have_libaudit=no;
++else
++ AC_CHECK_LIB(audit, audit_log_user_avc_message,
++ have_libaudit=yes, have_libaudit=no)
++fi
++AM_CONDITIONAL(HAVE_LIBAUDIT, test x$have_libaudit = xyes)
++if test x$have_libaudit = xyes ; then
++ AUDIT_LIBS="-laudit"
++ AC_DEFINE(HAVE_LIBAUDIT,1,[audit daemon SELinux support])
+fi
-+AC_MSG_RESULT($enable_racoon_over_loopback)
++AC_SUBST(AUDIT_LIBS)
+
CFLAGS="$CFLAGS $CFLAGS_ADD"
CPPFLAGS="$CPPFLAGS $CPPFLAGS_ADD"
-diff -up ipsec-tools-0.7.1/src/racoon/isakmp_inf.c.loopback ipsec-tools-0.7.1/src/racoon/isakmp_inf.c
---- ipsec-tools-0.7.1/src/racoon/isakmp_inf.c.loopback 2008-07-11 10:08:42.000000000 +0200
-+++ ipsec-tools-0.7.1/src/racoon/isakmp_inf.c 2008-07-29 11:38:29.000000000 +0200
-@@ -383,7 +383,7 @@ isakmp_info_recv_n(iph1, notify, msgid,
- "delete phase1 handle.\n");
- return -1;
- } else {
-- if (getph2bymsgid(iph1, msgid) == NULL) {
-+ if (getph2bymsgid(iph1, msgid, iph1->side) == NULL) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "fatal %s notify messsage, "
- "phase1 should be deleted.\n",
-@@ -512,7 +512,7 @@ isakmp_info_recv_d(iph1, delete, msgid,
- return 0;
- }
-
-- del_ph1=getph1byindex((isakmp_index *)(delete + 1));
-+ del_ph1=getph1byindex((isakmp_index *)(delete + 1), ANYSIDE);
- if(del_ph1 != NULL){
-
- EVT_PUSH(del_ph1->local, del_ph1->remote,
-@@ -641,7 +641,7 @@ isakmp_info_send_d2(iph2)
- * don't send delete information if there is no phase 1 handler.
- * It's nonsensical to negotiate phase 1 to send the information.
- */
-- iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
-+ iph1 = getph1byaddr(iph2->src, iph2->dst, 0, ANYSIDE);
- if (iph1 == NULL){
- plog(LLV_DEBUG2, LOCATION, NULL,
- "No ph1 handler found, could not send DELETE_SA\n");
-@@ -1110,7 +1110,7 @@ purge_isakmp_spi(proto, spi, n)
- size_t i;
-
- for (i = 0; i < n; i++) {
-- iph1 = getph1byindex(&spi[i]);
-+ iph1 = getph1byindex(&spi[i], ANYSIDE);
- if (!iph1)
- continue;
-
-diff -up ipsec-tools-0.7.1/src/racoon/isakmp_xauth.c.loopback ipsec-tools-0.7.1/src/racoon/isakmp_xauth.c
---- ipsec-tools-0.7.1/src/racoon/isakmp_xauth.c.loopback 2007-08-07 06:49:24.000000000 +0200
-+++ ipsec-tools-0.7.1/src/racoon/isakmp_xauth.c 2008-07-29 09:57:26.000000000 +0200
-@@ -360,7 +360,7 @@ xauth_reply_stub(args)
- struct xauth_reply_arg *xra = (struct xauth_reply_arg *)args;
- struct ph1handle *iph1;
-
-- if ((iph1 = getph1byindex(&xra->index)) != NULL)
-+ if ((iph1 = getph1byindex(&xra->index, ANYSIDE)) != NULL)
- (void)xauth_reply(iph1, xra->port, xra->id, xra->res);
- else
- plog(LLV_ERROR, LOCATION, NULL,
-diff -up ipsec-tools-0.7.1/src/racoon/isakmp.h.loopback ipsec-tools-0.7.1/src/racoon/isakmp.h
---- ipsec-tools-0.7.1/src/racoon/isakmp.h.loopback 2006-09-09 18:22:09.000000000 +0200
-+++ ipsec-tools-0.7.1/src/racoon/isakmp.h 2008-07-29 09:57:26.000000000 +0200
-@@ -39,6 +39,8 @@
- /* must include <netinet/in.h> first. */
- /* must include "isakmp_var.h" first. */
-
-+#define ANYSIDE -1 /* either INITIATOR or RESPONDER */
-+
- #define INITIATOR 0 /* synonym sender */
- #define RESPONDER 1 /* synonym receiver */
-
-diff -up ipsec-tools-0.7.1/src/racoon/handler.c.loopback ipsec-tools-0.7.1/src/racoon/handler.c
---- ipsec-tools-0.7.1/src/racoon/handler.c.loopback 2008-01-11 15:12:00.000000000 +0100
-+++ ipsec-tools-0.7.1/src/racoon/handler.c 2008-07-29 11:29:31.000000000 +0200
-@@ -101,14 +101,19 @@ static void sweep_recvdpkt __P((void *))
- extern caddr_t val2str(const char *, size_t);
-
- struct ph1handle *
--getph1byindex(index)
-+getph1byindex(index, side)
- isakmp_index *index;
-+ int side;
- {
- struct ph1handle *p;
-
- LIST_FOREACH(p, &ph1tree, chain) {
- if (p->status == PHASE1ST_EXPIRED)
- continue;
-+#ifdef ENABLE_RACOON_OVER_LOOPBACK
-+ if (p->side != side && side != ANYSIDE)
-+ continue;
-+#endif
- if (memcmp(&p->index, index, sizeof(*index)) == 0)
- return p;
- }
-@@ -121,14 +126,19 @@ getph1byindex(index)
- * search for isakmp handler by i_ck in index.
- */
- struct ph1handle *
--getph1byindex0(index)
-+getph1byindex0(index, side)
- isakmp_index *index;
-+ int side;
- {
- struct ph1handle *p;
-
- LIST_FOREACH(p, &ph1tree, chain) {
- if (p->status == PHASE1ST_EXPIRED)
- continue;
-+#ifdef ENABLE_RACOON_OVER_LOOPBACK
-+ if (p->side != side && side != ANYSIDE)
-+ continue;
-+#endif
- if (memcmp(&p->index, index, sizeof(cookie_t)) == 0)
- return p;
- }
-@@ -142,9 +152,10 @@ getph1byindex0(index)
- * with phase 2's destinaion.
- */
- struct ph1handle *
--getph1byaddr(local, remote, established)
-+getph1byaddr(local, remote, established, side)
- struct sockaddr *local, *remote;
- int established;
-+ int side;
- {
- struct ph1handle *p;
-
-@@ -155,6 +166,10 @@ getph1byaddr(local, remote, established)
- LIST_FOREACH(p, &ph1tree, chain) {
- if (p->status == PHASE1ST_EXPIRED)
- continue;
-+ #ifdef ENABLE_RACOON_OVER_LOOPBACK
-+ if (p->side != side && side != ANYSIDE)
-+ continue;
-+ #endif
- plog(LLV_DEBUG2, LOCATION, NULL, "p->local: %s\n", saddr2str(p->local));
- plog(LLV_DEBUG2, LOCATION, NULL, "p->remote: %s\n", saddr2str(p->remote));
-
-@@ -175,14 +190,19 @@ getph1byaddr(local, remote, established)
- }
-
- struct ph1handle *
--getph1byaddrwop(local, remote)
-+getph1byaddrwop(local, remote, side)
- struct sockaddr *local, *remote;
-+ int side;
- {
- struct ph1handle *p;
-
- LIST_FOREACH(p, &ph1tree, chain) {
- if (p->status == PHASE1ST_EXPIRED)
- continue;
-+#ifdef ENABLE_RACOON_OVER_LOOPBACK
-+ if (p->side != side && side != ANYSIDE)
-+ continue;
-+#endif
- if (cmpsaddrwop(local, p->local) == 0
- && cmpsaddrwop(remote, p->remote) == 0)
- return p;
-@@ -197,14 +217,19 @@ getph1byaddrwop(local, remote)
- * with phase 2's destinaion.
- */
- struct ph1handle *
--getph1bydstaddrwop(remote)
-+getph1bydstaddrwop(remote, side)
- struct sockaddr *remote;
-+ int side;
- {
- struct ph1handle *p;
-
- LIST_FOREACH(p, &ph1tree, chain) {
- if (p->status == PHASE1ST_EXPIRED)
- continue;
-+#ifdef ENABLE_RACOON_OVER_LOOPBACK
-+ if (p->side != side && side != ANYSIDE)
-+ continue;
-+#endif
- if (cmpsaddrwop(remote, p->remote) == 0)
- return p;
+diff -up ipsec-tools-0.7.1/src/racoon/pfkey.c.loopback ipsec-tools-0.7.1/src/racoon/pfkey.c
+--- ipsec-tools-0.7.1/src/racoon/pfkey.c.loopback 2008-07-30 19:59:10.000000000 +0200
++++ ipsec-tools-0.7.1/src/racoon/pfkey.c 2008-07-30 20:34:11.000000000 +0200
+@@ -99,6 +99,7 @@
+ #include "nattraversal.h"
+ #include "crypto_openssl.h"
+ #include "grabmyaddr.h"
++#include "sockmisc.h"
+
+ #if defined(SADB_X_EALG_RIJNDAELCBC) && !defined(SADB_X_EALG_AESCBC)
+ #define SADB_X_EALG_AESCBC SADB_X_EALG_RIJNDAELCBC
+@@ -972,6 +973,45 @@ pk_recvgetspi(mhp)
+ return -1;
}
-@@ -472,13 +497,18 @@ getph2byseq(seq)
- * search ph2handle with message id.
- */
- struct ph2handle *
--getph2bymsgid(iph1, msgid)
-+getph2bymsgid(iph1, msgid, side)
- struct ph1handle *iph1;
- u_int32_t msgid;
-+ int side;
- {
- struct ph2handle *p;
-
- LIST_FOREACH(p, &ph2tree, chain) {
-+#ifdef ENABLE_RACOON_OVER_LOOPBACK
-+ if (p->side != side && side != ANYSIDE)
-+ continue;
-+#endif
- if (p->msgid == msgid)
- return p;
+
++#ifdef HAVE_SECCTX
++ if (iph2->loopback == 1) {
++ u_int satype, reqid;
++ struct sockaddr *src;
++
++ src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
++ if (cmpsaddrstrict(src, dst) == 0) {
++ /* yep, this is loopback. install SA */
++ satype = ipsecdoi2pfkey_proto(iph2->proposal->head->proto_id);
++ if (satype == ~0) {
++ plog(LLV_ERROR, LOCATION, NULL,
++ "invalid proto_id %d\n",
++ iph2->proposal->head->proto_id);
++ return -1;
++ }
++
++ reqid = iph2->proposal->head->reqid_in;
++
++ iph2->status = PHASE2ST_ADDSA;
++ if (pfkey_send_update(lcconf->sock_pfkey, satype,
++ IPSEC_MODE_TRANSPORT, src, dst, sa->sadb_sa_spi,
++ reqid, 0, NULL, SADB_EALG_NULL, 0, SADB_AALG_NONE,
++ 0, 0, 0, 0, iph2->proposal->lifetime, 0,
++ iph2->seq, iph2->proposal->sctx.ctx_doi,
++ iph2->proposal->sctx.ctx_alg,
++ iph2->proposal->sctx.ctx_str,
++ iph2->proposal->sctx.ctx_strlen) < 0) {
++ plog(LLV_ERROR, LOCATION, NULL,
++ "failed to update loopback SA: %s\n",
++ ipsec_strerror());
++ remph2(iph2);
++ delph2(iph2);
++ return -1;
++ }
++ }
++ return 0;
++ }
++#endif /* HAVE SECCTX */
++
+ /* set SPI, and check to get all spi whether or not */
+ allspiok = 1;
+ notfound = 1;
+@@ -1222,6 +1262,26 @@ pk_recvupdate(mhp)
+ return -1;
}
-@@ -517,12 +547,17 @@ getph2byid(src, dst, spid)
- }
- struct ph2handle *
--getph2bysaddr(src, dst)
-+getph2bysaddr(src, dst, side)
- struct sockaddr *src, *dst;
-+ int side;
- {
- struct ph2handle *p;
-
- LIST_FOREACH(p, &ph2tree, chain) {
-+#ifdef ENABLE_RACOON_OVER_LOOPBACK
-+ if (p->side != side && side != ANYSIDE)
-+ continue;
++#ifdef HAVE_SECCTX
++ /* get update for loopback here */
++ if (iph2->loopback == 1 && (cmpsaddrstrict(src, dst) == 0)) {
++ plog(LLV_INFO, LOCATION, NULL,
++ "IPsec-SA established without ISAKMP: %s\n",
++ sadbsecas2str(iph2->dst, iph2->src,
++ msg->sadb_msg_satype, sa->sadb_sa_spi,
++ IPSEC_MODE_TRANSPORT));
++
++ /* turn off the timer for calling pfkey_timeover() */
++ SCHED_KILL(iph2->sce);
++
++ iph2->sce = sched_new(iph2->proposal->lifetime,
++ isakmp_ph2expire_stub, iph2);
++
++ iph2->status = PHASE2ST_ESTABLISHED;
++ return 0;
++ }
+#endif
- if (cmpsaddrstrict(src, p->src) == 0 &&
- cmpsaddrstrict(dst, p->dst) == 0)
- return p;
-@@ -1128,7 +1163,7 @@ static int revalidate_ph2(struct ph2hand
- if (iph2->ph1 != NULL)
- iph1=iph2->ph1;
- else
-- iph1=getph1byaddr(iph2->src, iph2->dst, 0);
-+ iph1=getph1byaddr(iph2->src, iph2->dst, 0, ANYSIDE);
-
- if(iph1 != NULL && iph1->rmconf != NULL) {
- check_level = iph1->rmconf->pcheck_level;
-diff -up ipsec-tools-0.7.1/src/racoon/pfkey.c.loopback ipsec-tools-0.7.1/src/racoon/pfkey.c
---- ipsec-tools-0.7.1/src/racoon/pfkey.c.loopback 2008-07-29 09:57:26.000000000 +0200
-+++ ipsec-tools-0.7.1/src/racoon/pfkey.c 2008-07-29 09:57:26.000000000 +0200
-@@ -1264,10 +1264,11 @@ pk_recvupdate(mhp)
++
+ /* check to complete all keys ? */
+ for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
+ proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
+@@ -1264,11 +1324,6 @@ pk_recvupdate(mhp)
/* turn off the timer for calling pfkey_timeover() */
SCHED_KILL(iph2->sce);
-+#ifdef ENABLE_RACOON_OVER_LOOPBACK
- /* update status */
+- /* update status */
- /* Do this in pk_recvadd
- * iph2->status = PHASE2ST_ESTABLISHED;
- */
-+ if (cmpsaddrstrict(iph2->ph1->local, iph2->ph1->remote) == 0)
-+ iph2->status = PHASE2ST_ESTABLISHED;
-+#endif
-
+-
#ifdef ENABLE_STATS
gettimeofday(&iph2->end, NULL);
-@@ -1322,6 +1323,12 @@ pk_sendadd(iph2)
- return -1;
- }
-
-+#ifdef ENABLE_RACOON_OVER_LOOPBACK
-+ /* This prevents adding the same SA twice, since done in update */
-+ if (cmpsaddrstrict(iph2->ph1->local, iph2->ph1->remote) == 0)
-+ return 0;
-+#endif
+ syslog(LOG_NOTICE, "%s(%s): %8.6f",
+@@ -1657,6 +1712,7 @@ pk_recvacquire(mhp)
+ struct sadb_x_sec_ctx *m_sec_ctx;
+ #endif /* HAVE_SECCTX */
+ struct policyindex spidx;
++ int do_listen = 0;
+
+
+ /* ignore this message because of local test mode. */
+@@ -1681,6 +1737,12 @@ pk_recvacquire(mhp)
+ m_sec_ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
+
+ if (m_sec_ctx != NULL) {
++ if (m_sec_ctx->sadb_x_ctx_len > MAX_CTXSTR_SIZE) {
++ plog(LLV_ERROR, LOCATION, NULL,
++ "ignoring ACQUIRE: security context is greater than MAX, %d.\n",
++ MAX_CTXSTR_SIZE);
++ return -1;
++ }
+ plog(LLV_INFO, LOCATION, NULL, "security context doi: %u\n",
+ m_sec_ctx->sadb_x_ctx_doi);
+ plog(LLV_INFO, LOCATION, NULL,
+@@ -1730,7 +1792,6 @@ pk_recvacquire(mhp)
+ */
+ struct sockaddr *sa = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
+ struct myaddrs *p;
+- int do_listen = 0;
+ for (p = lcconf->myaddrs; p; p = p->next) {
+ if (!cmpsaddrwop(p->addr, sa)) {
+ do_listen = 1;
+@@ -1853,6 +1914,73 @@ pk_recvacquire(mhp)
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "new acquire %s\n", spidx2str(&sp_out->spidx));
+
++#ifdef HAVE_SECCTX
++ /*
++ * If the src address in the ACQUIRE is one we listen on and
++ * the src and dst addresses are the same, then assume this
++ * packet arrived over loopback and just get an SPI and
++ * install the SA.
++ */
++ if (do_listen && m_sec_ctx && (cmpsaddrstrict(src, dst) == 0)) {
++ struct saprop *newpp;
++ struct saproto *newpr;
++ iph2[n]->loopback = 1;
++ newpp = newsaprop();
++ if (newpp == NULL) {
++ plog(LLV_ERROR, LOCATION, NULL,
++ "failed to allocate saprop.\n");
++ delph2(iph2[n]);
++ return -1;
++ }
++ /* allocate to hold reqid */
++ newpr = newsaproto();
++ if (newpr == NULL) {
++ plog(LLV_ERROR, LOCATION, NULL,
++ "failed to allocate saproto.\n");
++ delph2(iph2[n]);
++ return -1;
++ }
+
- if (iph2->side == INITIATOR)
- proxy = iph2->ph1->rmconf->support_proxy;
- else if (iph2->sainfo && iph2->sainfo->id_i)
-@@ -1764,7 +1771,7 @@ pk_recvacquire(mhp)
- */
- iph2[0] = getph2byid(src, dst, xpl->sadb_x_policy_id);
- if (iph2[0] == NULL)
-- iph2[0] = getph2bysaddr(src, dst);
-+ iph2[0] = getph2bysaddr(src, dst, ANYSIDE);
-
- if (iph2[0] != NULL) {
- if (iph2[0]->status < PHASE2ST_ESTABLISHED) {
-diff -up ipsec-tools-0.7.1/src/racoon/isakmp.c.loopback ipsec-tools-0.7.1/src/racoon/isakmp.c
---- ipsec-tools-0.7.1/src/racoon/isakmp.c.loopback 2008-07-11 10:08:41.000000000 +0200
-+++ ipsec-tools-0.7.1/src/racoon/isakmp.c 2008-07-29 11:37:16.000000000 +0200
-@@ -387,6 +387,36 @@ end:
- return(error);
- }
-
-+#ifdef ENABLE_RACOON_OVER_LOOPBACK
-+/*
-+ * isakmp phase 1 search helper
-+ */
-+static struct ph1handle *
-+isakmp_ph1pickside(iph1_i, iph1_r, local)
-+ struct ph1handle *iph1_i, *iph1_r;
-+ struct sockaddr *local;
-+{
-+ if (iph1_i == NULL && iph1_r != NULL) {
-+ if (cmpsaddrstrict(iph1_r->remote, local) != 0)
-+ return iph1_r;
-+ else
-+ return NULL;
-+ } else if (iph1_i != NULL && iph1_r == NULL) {
-+ if (cmpsaddrstrict(iph1_i->remote, local) != 0)
-+ return iph1_i;
-+ else
-+ return NULL;
-+ } else if (iph1_i != NULL && iph1_r != NULL) {
-+ if (iph1_r->status < iph1_i->status)
-+ return iph1_r;
-+ else
-+ return iph1_i;
-+ }
++ newpr->reqid_out = sp_out->req->saidx.reqid;
++ newpr->reqid_in = sp_in->req->saidx.reqid;
++ newpr->proto_id = ipproto2doi(sp_out->req->saidx.proto);
++
++ inssaprotorev(newpp, newpr);
++ iph2[n]->proposal = newpp;
++ printsaprop0(LLV_DEBUG, newpp);
+
-+ return NULL;
-+}
-+#endif
++ set_secctx_in_proposal(iph2[n], spidx);
++ iph2[n]->proposal->lifetime = IPSECDOI_ATTR_SA_LD_SEC_DEFAULT;
+
- /*
- * main processing to handle isakmp payload
- */
-@@ -453,7 +483,15 @@ isakmp_main(msg, remote, local)
- }
- }
++ insph2(iph2[n]);
++
++ iph2[n]->status = PHASE2ST_GETSPISENT;
++ plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_getspi\n");
++ if (pfkey_send_getspi(
++ lcconf->sock_pfkey,
++ iph2[n]->satype,
++ IPSEC_MODE_TRANSPORT,
++ dst, /* src of SA */
++ src, /* dst of SA */
++ 0, 0,
++ newpr->reqid_in, iph2[n]->seq) < 0) {
++ plog(LLV_ERROR, LOCATION, NULL,
++ "ipseclib failed send getspi (%s)\n",
++ ipsec_strerror());
++ delph2(iph2[n]);
++ return -1;
++ }
++ iph2[n]->sce = sched_new(lcconf->wait_ph2complete,
++ pfkey_timeover_stub, iph2[n]);
++
++ plog(LLV_DEBUG, LOCATION, NULL,
++ "pfkey GETSPI sent: %s\n",
++ sadbsecas2str(dst, src, iph2[n]->satype, 0,
++ IPSEC_MODE_TRANSPORT));
++ return 0;
++ }
++#endif /* HAVE_SECCTX */
++
+ /* get sainfo */
+ {
+ vchar_t *idsrc, *iddst;
+diff -up ipsec-tools-0.7.1/src/racoon/Makefile.am.loopback ipsec-tools-0.7.1/src/racoon/Makefile.am
+--- ipsec-tools-0.7.1/src/racoon/Makefile.am.loopback 2008-07-23 15:54:16.000000000 +0200
++++ ipsec-tools-0.7.1/src/racoon/Makefile.am 2008-07-30 20:25:07.000000000 +0200
+@@ -39,7 +39,7 @@ racoon_SOURCES = \
+ EXTRA_racoon_SOURCES = isakmp_xauth.c isakmp_cfg.c isakmp_unity.c throttle.c \
+ isakmp_frag.c nattraversal.c security.c $(MISSING_ALGOS)
+ racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(LEXLIB) \
+- $(SECCTX_OBJS) vmbuf.o sockmisc.o misc.o ../libipsec/libipsec.la
++ $(SECCTX_OBJS) vmbuf.o sockmisc.o misc.o ../libipsec/libipsec.la @AUDIT_LIBS@
+ racoon_DEPENDENCIES = \
+ $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(SECCTX_OBJS) \
+ vmbuf.o sockmisc.o misc.o
+diff -up ipsec-tools-0.7.1/src/racoon/policy.h.loopback ipsec-tools-0.7.1/src/racoon/policy.h
+--- ipsec-tools-0.7.1/src/racoon/policy.h.loopback 2007-06-07 22:34:19.000000000 +0200
++++ ipsec-tools-0.7.1/src/racoon/policy.h 2008-07-30 20:27:48.000000000 +0200
+@@ -38,7 +38,12 @@
+
-- iph1 = getph1byindex(index);
+ #ifdef HAVE_SECCTX
+-#define MAX_CTXSTR_SIZE 50
+
-+#ifdef ENABLE_RACOON_OVER_LOOPBACK
-+ iph1 = isakmp_ph1pickside(getph1byindex(index, INITIATOR),
-+ getph1byindex(index, RESPONDER),
-+ local);
-+#else
-+ iph1 = getph1byindex(index, ANYSIDE);
++/* Current LSPP policy is 1024 compartments, 5 chars each 'c1024'. SE Linux
++ * will attempt to combine so, worst case is all odd or even numbers. The
++ * context size of SE Linux types is max'ed around 256. We allow 16 for
++ * sensitivity */
++#define MAX_CTXSTR_SIZE 3344 /* (6 * 512) + 256 + 16 */
+ struct security_ctx {
+ u_int8_t ctx_doi; /* Security Context DOI */
+ u_int8_t ctx_alg; /* Security Context Algorithm */
+@@ -152,6 +157,9 @@ extern void initsp __P((void));
+ extern struct ipsecrequest *newipsecreq __P((void));
+
+ extern const char *spidx2str __P((const struct policyindex *));
++#ifdef HAVE_LIBAUDIT
++extern void audit_init __P((void));
++#endif
+ #ifdef HAVE_SECCTX
+ #include <selinux/selinux.h>
+ extern int get_security_context __P((vchar_t *, struct policyindex *));
+diff -up ipsec-tools-0.7.1/src/racoon/main.c.loopback ipsec-tools-0.7.1/src/racoon/main.c
+--- ipsec-tools-0.7.1/src/racoon/main.c.loopback 2007-06-07 22:34:18.000000000 +0200
++++ ipsec-tools-0.7.1/src/racoon/main.c 2008-07-30 20:31:07.000000000 +0200
+@@ -169,6 +169,9 @@ main(ac, av)
+ #ifdef HAVE_SECCTX
+ init_avc();
+ #endif
++#ifdef HAVE_LIBAUDIT
++ audit_init();
+#endif
-+
- if (iph1 != NULL) {
- /* validity check */
- if (memcmp(&isakmp->r_ck, r_ck0, sizeof(cookie_t)) == 0 &&
-@@ -553,7 +591,15 @@ isakmp_main(msg, remote, local)
- */
-
- /* search for phase1 handle by index without r_ck */
-- iph1 = getph1byindex0(index);
-+#ifdef ENABLE_RACOON_OVER_LOOPBACK
-+ iph1 = isakmp_ph1pickside(
-+ getph1byindex0(index, INITIATOR),
-+ getph1byindex0(index, RESPONDER),
-+ local);
-+#else
-+ iph1=getph1byindex0(index, ANYSIDE);
+ eay_init();
+ initlcconf();
+ initrmconf();
+diff -up ipsec-tools-0.7.1/src/racoon/handler.h.loopback ipsec-tools-0.7.1/src/racoon/handler.h
+--- ipsec-tools-0.7.1/src/racoon/handler.h.loopback 2008-07-30 19:59:10.000000000 +0200
++++ ipsec-tools-0.7.1/src/racoon/handler.h 2008-07-30 20:29:25.000000000 +0200
+@@ -286,6 +286,7 @@ struct ph2handle {
+ u_int32_t msgid; /* msgid for phase 2 */
+
+ u_int32_t sa_count; /* num of SAs sent in SADB_ADD */
++ u_int8_t loopback;
+
+ struct sainfo *sainfo; /* place holder of sainfo */
+ struct saprop *proposal; /* SA(s) proposal. */
+diff -up ipsec-tools-0.7.1/src/racoon/security.c.loopback ipsec-tools-0.7.1/src/racoon/security.c
+--- ipsec-tools-0.7.1/src/racoon/security.c.loopback 2007-06-07 22:34:19.000000000 +0200
++++ ipsec-tools-0.7.1/src/racoon/security.c 2008-07-30 20:00:34.000000000 +0200
+@@ -55,6 +55,60 @@
+ #include "proposal.h"
+ #include "strnames.h"
+ #include "handler.h"
++#ifdef HAVE_LIBAUDIT
++#include <unistd.h>
++#include "libaudit.h"
+#endif
+
- if (iph1 == NULL) {
- /*it must be the 1st message from a initiator.*/
- if (memcmp(&isakmp->r_ck, r_ck0,
-@@ -629,7 +675,7 @@ isakmp_main(msg, remote, local)
- * NOTE: We think such informational exchange should be ignored.
- */
- if (iph1 == NULL) {
-- iph1 = getph1byindex0(index);
-+ iph1 = getph1byindex0(index, INITIATOR);
- if (iph1 == NULL) {
- plog(LLV_ERROR, LOCATION, remote,
- "unknown Informational "
-@@ -656,6 +702,9 @@ isakmp_main(msg, remote, local)
- case ISAKMP_ETYPE_QUICK:
- {
- struct ph2handle *iph2;
-+#ifdef ENABLE_RACOON_OVER_LOOPBACK
-+ struct ph2handle *iph2_i, *iph2_r;
-+#endif
-
- if (iph1 == NULL) {
- isakmp_info_send_nx(isakmp, remote, local,
-@@ -688,8 +737,31 @@ isakmp_main(msg, remote, local)
- return -1;
- }
-
-- /* search isakmp phase 2 stauts record. */
-- iph2 = getph2bymsgid(iph1, msgid);
-+ /* search isakmp phase 2 status record. */
-+#ifdef ENABLE_RACOON_OVER_LOOPBACK
-+ iph2_i = getph2bymsgid(iph1, msgid, INITIATOR);
-+ iph2_r = getph2bymsgid(iph1, msgid, RESPONDER);
-+ if (iph2_i == NULL && iph2_r != NULL) {
-+ if (cmpsaddrstrict(iph1->remote, local) != 0)
-+ iph2 = iph2_r;
-+ else
-+ iph2 = NULL;
-+ } else if (iph2_i != NULL && iph2_r == NULL) {
-+ if (cmpsaddrstrict(iph1->remote, local) != 0)
-+ iph2 = iph2_i;
-+ else
-+ iph2 = NULL;
-+ } else if (iph2_i != NULL && iph2_r != NULL) {
-+ if (iph2_r->status < iph2_i->status)
-+ iph2 = iph2_r;
-+ else
-+ iph2 = iph2_i;
-+ } else
-+ iph2 = NULL;
-+#else
-+ iph2 = getph2bymsgid(iph1, msgid, ANYSIDE);
-+#endif
++static void log_callback (const char *fmt, ...);
+
- if (iph2 == NULL) {
- /* it must be new negotiation as responder */
- if (isakmp_ph2begin_r(iph1, msg) < 0)
-@@ -2165,15 +2237,15 @@ isakmp_post_acquire(iph2)
- */
- #ifdef ENABLE_NATT
- if (!extract_port(iph2->src) && !extract_port(iph2->dst)) {
-- if ((iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL) {
-+ if ((iph1 = getph1byaddrwop(iph2->src, iph2->dst, ANYSIDE)) != NULL) {
- set_port(iph2->src, extract_port(iph1->local));
- set_port(iph2->dst, extract_port(iph1->remote));
- }
- } else {
-- iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
-+ iph1 = getph1byaddr(iph2->src, iph2->dst, 0, ANYSIDE);
- }
- #else
-- iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
-+ iph1 = getph1byaddr(iph2->src, iph2->dst, 0, ANYSIDE);
- #endif
-
- /* no ISAKMP-SA found. */
-@@ -2300,17 +2372,17 @@ isakmp_chkph1there(iph2)
- #ifdef ENABLE_NATT
- if (!extract_port(iph2->src) && !extract_port(iph2->dst)) {
- plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: extract_port.\n");
-- if( (iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL){
-+ if( (iph1 = getph1byaddrwop(iph2->src, iph2->dst, ANYSIDE)) != NULL){
- plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: found a ph1 wop.\n");
- }
- } else {
- plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: searching byaddr.\n");
-- iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
-+ iph1 = getph1byaddr(iph2->src, iph2->dst, 0, ANYSIDE);
- if(iph1 != NULL)
- plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: found byaddr.\n");
- }
- #else
-- iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
-+ iph1 = getph1byaddr(iph2->src, iph2->dst, 0, ANYSIDE);
- #endif
-
- /* XXX Even if ph1 as responder is there, should we not start
-@@ -2574,7 +2646,7 @@ isakmp_newmsgid2(iph1)
-
- do {
- msgid2 = eay_random();
-- } while (getph2bymsgid(iph1, msgid2));
-+ } while (getph2bymsgid(iph1, msgid2, iph1->side));
-
- return msgid2;
- }
-@@ -3189,7 +3261,7 @@ purge_remote(iph1)
- iph1->status = PHASE1ST_EXPIRED;
-
- /* Check if we have another, still valid, phase1 SA. */
-- new_iph1 = getph1byaddr(iph1->local, iph1->remote, 1);
-+ new_iph1 = getph1byaddr(iph1->local, iph1->remote, 1, ANYSIDE);
-
- /*
- * Delete all orphaned or binded to the deleting ph1handle phase2 SAs.
-diff -up ipsec-tools-0.7.1/src/racoon/handler.h.loopback ipsec-tools-0.7.1/src/racoon/handler.h
---- ipsec-tools-0.7.1/src/racoon/handler.h.loopback 2008-07-29 09:57:26.000000000 +0200
-+++ ipsec-tools-0.7.1/src/racoon/handler.h 2008-07-29 11:32:03.000000000 +0200
-@@ -425,13 +425,13 @@ struct ph1handle;
- struct ph2handle;
- struct policyindex;
-
--extern struct ph1handle *getph1byindex __P((isakmp_index *));
--extern struct ph1handle *getph1byindex0 __P((isakmp_index *));
-+extern struct ph1handle *getph1byindex __P((isakmp_index *, int));
-+extern struct ph1handle *getph1byindex0 __P((isakmp_index *, int));
- extern struct ph1handle *getph1byaddr __P((struct sockaddr *,
-- struct sockaddr *, int));
-+ struct sockaddr *, int, int));
- extern struct ph1handle *getph1byaddrwop __P((struct sockaddr *,
-- struct sockaddr *));
--extern struct ph1handle *getph1bydstaddrwop __P((struct sockaddr *));
-+ struct sockaddr *, int));
-+extern struct ph1handle *getph1bydstaddrwop __P((struct sockaddr *, int));
- #ifdef ENABLE_HYBRID
- struct ph1handle *getph1bylogin __P((char *));
- int purgeph1bylogin __P((char *));
-@@ -448,8 +448,9 @@ extern struct ph2handle *getph2byspidx _
- extern struct ph2handle *getph2byspid __P((u_int32_t));
- extern struct ph2handle *getph2byseq __P((u_int32_t));
- extern struct ph2handle *getph2bysaddr __P((struct sockaddr *,
-- struct sockaddr *));
--extern struct ph2handle *getph2bymsgid __P((struct ph1handle *, u_int32_t));
-+ struct sockaddr *, int));
-+extern struct ph2handle *getph2bymsgid __P((struct ph1handle *, u_int32_t,
-+ int));
- extern struct ph2handle *getph2byid __P((struct sockaddr *,
- struct sockaddr *, u_int32_t));
- extern struct ph2handle *getph2bysaidx __P((struct sockaddr *,
-diff -up ipsec-tools-0.7.1/src/racoon/admin.c.loopback ipsec-tools-0.7.1/src/racoon/admin.c
---- ipsec-tools-0.7.1/src/racoon/admin.c.loopback 2008-06-18 09:30:19.000000000 +0200
-+++ ipsec-tools-0.7.1/src/racoon/admin.c 2008-07-29 09:57:26.000000000 +0200
-@@ -289,7 +289,7 @@ out2:
- STRDUP_FATAL(loc);
- STRDUP_FATAL(rem);
-
-- if ((iph1 = getph1byaddrwop(src, dst)) == NULL) {
-+ if ((iph1 = getph1byaddrwop(src, dst, ANYSIDE)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "phase 1 for %s -> %s not found\n", loc, rem);
- } else {
-@@ -340,7 +340,7 @@ out2:
- plog(LLV_INFO, LOCATION, NULL,
- "Flushing all SAs for peer %s\n", rem);
-
-- while ((iph1 = getph1bydstaddrwop(dst)) != NULL) {
-+ while ((iph1 = getph1bydstaddrwop(dst, ANYSIDE)) != NULL) {
- loc = racoon_strdup(saddrwop2str(iph1->local));
- STRDUP_FATAL(loc);
++static const struct avc_log_callback log_cb =
++{
++ .func_log = log_callback,
++ .func_audit = NULL
++};
++
++#ifdef HAVE_LIBAUDIT
++static int audit_fd = -1;
++void
++audit_init(void)
++{
++ audit_fd = audit_open();
++ if (audit_fd < 0) {
++ /* If kernel doesn't support audit, bail out */
++ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
++ errno == EAFNOSUPPORT)
++ return;
++ /* If unprivileged, bail out */
++ if (errno == EPERM && getuid() != 0)
++ return;
++ plog (LLV_ERROR, LOCATION, NULL,
++ "Failed opening connection to the audit subsystem");
++ }
++}
++#endif /* HAVE_LIBAUDIT */
++
++static void
++log_callback (const char *fmt, ...)
++{
++ va_list ap;
++ va_start(ap, fmt);
++#ifdef HAVE_LIBAUDIT
++ if (audit_fd >= 0) {
++ char buf[PATH_MAX*2];
++
++ /* FIXME: need to change this to show real user */
++ vsnprintf(buf, sizeof(buf), fmt, ap);
++ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC,
++ buf, NULL, NULL, NULL, -1);
++ return;
++ } else
++#endif /* HAVE_LIBAUDIT */
++ {
++ vsyslog (LOG_INFO, fmt, ap);
++ va_end(ap);
++ }
++}
+ /*
+ * Get the security context information from SA.
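Review bot: In the new pk_recvacquire loopback path, the pfkey_send_getspi failure branch calls `delph2(iph2[n])` after the handle has already been linked into the phase-2 tree by `insph2(iph2[n])`, so the freed handle stays reachable from ph2tree and a later lookup can dereference freed memory. The error path should unlink first, exactly as pk_recvgetspi's own failure branch in this hunk does: `remph2(iph2[n]); delph2(iph2[n]);`. The two allocation-failure branches run before insph2 so they are fine in that respect, but the newsaproto failure returns without releasing the saprop just obtained from newsaprop, which leaks it. In pk_recvgetspi the loopback branch reads `src` from `mhp[SADB_EXT_ADDRESS_DST]`, which appears to be the same extension `dst` is taken from, so `cmpsaddrstrict(src, dst) == 0` is always true and the "yep, this is loopback" check confirms nothing before a NULL-encryption, no-authentication SA is installed; it presumably should read `SADB_EXT_ADDRESS_SRC` (with a NULL check on that extension in the validity block). pk_recvacquire, pk_recvgetspi and pk_recvupdate all begin and end outside this hunk.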
Index: ipsec-tools.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ipsec-tools/devel/ipsec-tools.spec,v
retrieving revision 1.56
retrieving revision 1.57
diff -u -r1.56 -r1.57
--- ipsec-tools.spec 29 Jul 2008 12:31:24 -0000 1.56
+++ ipsec-tools.spec 30 Jul 2008 18:51:56 -0000 1.57
@@ -1,6 +1,6 @@
Name: ipsec-tools
Version: 0.7.1
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Tools for configuring and using IPSEC
License: BSD
Group: System Environment/Base
@@ -15,7 +15,6 @@
# the following patches were also submitted upstream:
Patch5: ipsec-tools-0.7-iface.patch
Patch6: ipsec-tools-0.7-dupsplit.patch
-Patch7: ipsec-tools-0.7-contextsize.patch
Patch9: ipsec-tools-0.7-splitcidr.patch
BuildRequires: openssl-devel, krb5-devel, bison, flex, automake, libtool
@@ -38,7 +37,6 @@
%patch4 -p1 -b .loopback
%patch5 -p1 -b .iface
%patch6 -p1 -b .dupsplit
-%patch7 -p1 -b .ctxsize
%patch9 -p1 -b .splitcidr
./bootstrap
@@ -59,7 +57,6 @@
--enable-gssapi \
--enable-natt \
--enable-security-context \
- --enable-racoon-over-loopback \
--enable-audit
make
@@ -119,6 +116,10 @@
%config(noreplace) /etc/racoon/racoon.conf
%changelog
+* Wed Jul 30 2008 Tomas Mraz <tmraz at redhat.com> - 0.7.1-2
+- Different approach to allow racoon to add loopback SAs for
+ labeled IPSec (without ISAKMP)
+
* Tue Jul 29 2008 Tomas Mraz <tmraz at redhat.com> - 0.7.1-1
- Update to a new upstream version
--- ipsec-tools-0.7-contextsize.patch DELETED ---