ipsec-146.3.tar.gz

author Apple <opensource@apple.com>

Thu, 10 May 2012 15:23:40 +0000 (15:23 +0000)

committer Apple <opensource@apple.com>

Thu, 10 May 2012 15:23:40 +0000 (15:23 +0000)
author Apple <opensource@apple.com>
Thu, 10 May 2012 15:23:40 +0000 (15:23 +0000)
committer Apple <opensource@apple.com>
Thu, 10 May 2012 15:23:40 +0000 (15:23 +0000)
diff --git a/ipsec-tools/racoon/ike_session.c b/ipsec-tools/racoon/ike_session.c

index 489fd5c376cbad0cf5a629280c4d0db4f3e9bd16..e122adb107c7943e34f3b9b560de4417868a33a6 100644 (file)
--- a/ipsec-tools/racoon/ike_session.c
+++ b/ipsec-tools/racoon/ike_session.c
@@ -267,6 +267,15 @@ ike_session_get_session (struct sockaddr *local,
                          "still search for IKE-Session. this %s.\n",
                          saddr2str((struct sockaddr *)&p->session_id.remote));
  
                          "still search for IKE-Session. this %s.\n",
                          saddr2str((struct sockaddr *)&p->session_id.remote));
  
+               // for now: ignore any stopped sessions as they will go down
+               if (p->is_dying || p->stopped_by_vpn_controller || p->stop_timestamp.tv_sec || p->stop_timestamp.tv_usec) {
+                       plog(LLV_DEBUG, LOCATION, local,
+                                "still searching. skipping... session to %s is already stopped, active ph1 %d ph2 %d.\n",
+                                saddr2str((struct sockaddr *)&p->session_id.remote),
+                                p->ikev1_state.active_ph1cnt, p->ikev1_state.active_ph2cnt);
+                       continue;
+               }
+
                 if (memcmp(&p->session_id, &id, sizeof(id)) == 0) {
                         plog(LLV_DEBUG, LOCATION, local,
                                  "Pre-existing IKE-Session to %s. case 1.\n",
                 if (memcmp(&p->session_id, &id, sizeof(id)) == 0) {
                         plog(LLV_DEBUG, LOCATION, local,
                                  "Pre-existing IKE-Session to %s. case 1.\n",
@@ -1794,10 +1803,17 @@ ike_session_sweep_sleepwake (void)
                         plog(LLV_DEBUG2, LOCATION, NULL, "skipping sweep of asserted session.\n");
                         continue;
                 }
                         plog(LLV_DEBUG2, LOCATION, NULL, "skipping sweep of asserted session.\n");
                         continue;
                 }
-               
+
+               // cleanup any stopped sessions as they will go down
+               if (p->stopped_by_vpn_controller || p->stop_timestamp.tv_sec || p->stop_timestamp.tv_usec) {
+                       plog(LLV_DEBUG2, LOCATION, NULL, "sweeping stopped session.\n");
+                       ike_session_cleanup(p, ike_session_stopped_by_sleepwake);
+                       continue;
+               }
+
                 if (!ike_session_has_established_ph1(p) && !ike_session_has_established_ph2(p)) {
                 if (!ike_session_has_established_ph1(p) && !ike_session_has_established_ph2(p)) {
-                       p->is_dying = 1;
                         plog(LLV_DEBUG2, LOCATION, NULL, "session died while sleeping.\n");
                         plog(LLV_DEBUG2, LOCATION, NULL, "session died while sleeping.\n");
+                       ike_session_cleanup(p, ike_session_stopped_by_sleepwake);
                 }
                 if (p->traffic_monitor.sc_mon) {
                         if (p->traffic_monitor.sc_mon->xtime <= swept_at) {
                 }
                 if (p->traffic_monitor.sc_mon) {
                         if (p->traffic_monitor.sc_mon->xtime <= swept_at) {
diff --git a/ipsec-tools/racoon/ipsecSessionTracer.c b/ipsec-tools/racoon/ipsecSessionTracer.c

index 98308c25983e090c538ac2ffae71dace24f7b98b..5884aaa4bb6f610c80475b8b526aa0a8b0c7779c 100644 (file)
--- a/ipsec-tools/racoon/ipsecSessionTracer.c
+++ b/ipsec-tools/racoon/ipsecSessionTracer.c
@@ -233,7 +233,7 @@ ipsecSessionTracerEvent (ike_session_t *session, ipsecSessionEventCode_t eventCo
         char buf[1024];
  
         if (session == NULL) {
         char buf[1024];
  
         if (session == NULL) {
-               ipsecSessionLogEvent(session, CONSTSTR("tracer failed. (Invalid session)."));
+               //ipsecSessionLogEvent(session, CONSTSTR("tracer failed. (Invalid session)."));
                 return;
         }
         if (eventCode <= IPSECSESSIONEVENTCODE_NONE || eventCode >= IPSECSESSIONEVENTCODE_MAX) {
                 return;
         }
         if (eventCode <= IPSECSESSIONEVENTCODE_NONE || eventCode >= IPSECSESSIONEVENTCODE_MAX) {
diff --git a/ipsec-tools/racoon/isakmp.c b/ipsec-tools/racoon/isakmp.c

index 849833622225c0fb9d1b3b2f3f4614d63995b644..36bd7d0611df6e6ed3e1bf8afe4430463c0d2ac4 100644 (file)
--- a/ipsec-tools/racoon/isakmp.c
+++ b/ipsec-tools/racoon/isakmp.c
@@ -954,7 +954,7 @@ ph1_main(iph1, msg)
                                                 vfree(raddr);
                                                 if (addr->force) {
                                                         (void)ike_session_update_ph1_ph2tree(iph1);
                                                 vfree(raddr);
                                                 if (addr->force) {
                                                         (void)ike_session_update_ph1_ph2tree(iph1);
-                                                       isakmp_ph1delete(iph1);
+                                                       isakmp_ph1expire(iph1);
                                                 }
                                         }
                                 }
                                                 }
                                         }
                                 }
@@ -2849,6 +2849,12 @@ isakmp_chkph1there(iph2)
  {
         struct ph1handle *iph1;
  
  {
         struct ph1handle *iph1;
  
+       if (iph2->status != PHASE2ST_STATUS2 ||
+               iph2->is_dying) {
+               plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: ph2 handle has advanced too far (status %d, STATUS2 %d, dying %d)... ignoring\n", iph2->status, PHASE2ST_STATUS2, iph2->is_dying);
+               return;
+       }
+
         iph2->retry_checkph1--;
         if (iph2->retry_checkph1 < 0 ||
                 ike_session_verify_ph2_parent_session(iph2)) {
         iph2->retry_checkph1--;
         if (iph2->retry_checkph1 < 0 ||
                 ike_session_verify_ph2_parent_session(iph2)) {
@@ -4279,6 +4285,10 @@ isakmp_plist_append_initial_contact (iph1, plist)
                                  "failed to allocate notification payload.\n");
                         return NULL;
                 }
                                  "failed to allocate notification payload.\n");
                         return NULL;
                 }
+       } else {
+               plog(LLV_DEBUG, LOCATION, iph1->remote,
+                        "failed to add initial-contact payload: rekey %d, ini-contact %d, contacted %d.\n",
+                        iph1->is_rekey? 1:0, iph1->rmconf->ini_contact, getcontacted(iph1->remote)? 1:0);
         }
         return NULL;
  }
         }
         return NULL;
  }
diff --git a/ipsec-tools/racoon/session.c b/ipsec-tools/racoon/session.c

index 8f151094fbc189ab8544c74e5bc64b1eb3422922..5bfbaba3b5c73349079b570682bc3b6419580a97 100644 (file)
--- a/ipsec-tools/racoon/session.c
+++ b/ipsec-tools/racoon/session.c
@@ -375,6 +375,17 @@ session(void)
                         if (update_myaddrs() && lcconf->autograbaddr)
                                 if (check_rtsock_sched == NULL) /* only schedule if not already done */
                                         check_rtsock_sched = sched_new(1, check_rtsock, NULL);
                         if (update_myaddrs() && lcconf->autograbaddr)
                                 if (check_rtsock_sched == NULL) /* only schedule if not already done */
                                         check_rtsock_sched = sched_new(1, check_rtsock, NULL);
+                               else {
+                                       // force reinit if schedule is too far off (3 seconds or more)
+                                       time_t too_far = current_time() + 3;
+                                       if (check_rtsock_sched->dead ||
+                                               check_rtsock_sched->xtime >= too_far) {
+                                               plog(LLV_DEBUG, LOCATION, NULL,
+                                                        "forced reinit of addrs\n");
+                                               update_fds = 0;
+                                               check_rtsock(NULL);
+                                       }
+                               }
                         // initfds();   //%%% BUG FIX - not needed here
                 }
                 if (update_fds) {
                         // initfds();   //%%% BUG FIX - not needed here
                 }
                 if (update_fds) {
author	Apple <opensource@apple.com>
	Thu, 10 May 2012 15:23:40 +0000 (15:23 +0000)
committer	Apple <opensource@apple.com>
	Thu, 10 May 2012 15:23:40 +0000 (15:23 +0000)
ipsec-tools/racoon/ike_session.c		patch \| blob \| blame \| history
ipsec-tools/racoon/ipsecSessionTracer.c		patch \| blob \| blame \| history
ipsec-tools/racoon/isakmp.c		patch \| blob \| blame \| history
ipsec-tools/racoon/session.c		patch \| blob \| blame \| history