From 93762ec711925b48478d6979a212129ed8f0a134 Mon Sep 17 00:00:00 2001
From: Apple
Date: Thu, 11 Nov 2010 17:18:40 +0000
Subject: [PATCH] ipsec-93.10.tar.gz
---
 ipsec-tools/racoon/remoteconf.c | 21 ++++++++-
 ipsec-tools/racoon/remoteconf.h | 2 +-
 ipsec-tools/racoon/schedule.c | 3 ++
 ipsec-tools/racoon/schedule.h | 2 +
 ipsec-tools/racoon/session.c | 75 +++++++++++++++++++++------------
 5 files changed, 72 insertions(+), 31 deletions(-)
diff --git a/ipsec-tools/racoon/remoteconf.c b/ipsec-tools/racoon/remoteconf.c
index e2ca900..c9eb64a 100644
--- a/ipsec-tools/racoon/remoteconf.c
+++ b/ipsec-tools/racoon/remoteconf.c
@@ -193,14 +193,31 @@ getrmconf_strict(remote, allow_anon)
 }
 int
-no_remote_configs()
+no_remote_configs(ignore_anonymous)
+ int ignore_anonymous;
 {
 struct remoteconf *p;
+#if !TARGET_OS_EMBEDDED
+ static const char default_idv[] = "macuser@localhost";
+ static const int default_idv_len = sizeof(default_idv) - 1;
+#endif
 TAILQ_FOREACH(p, &rmtree, chain) {
- if (p->remote->sa_family == AF_UNSPEC) /* anonymous */
+ if (ignore_anonymous) {
+ if (p->remote->sa_family == AF_UNSPEC) /* anonymous */
+ continue;
+ }
+#if !TARGET_OS_EMBEDDED
+ // ignore the default btmm ipv6 config thats always present in racoon.conf
+ if (p->remote->sa_family == AF_INET6 &&
+ p->idvtype == IDTYPE_USERFQDN &&
+ p->idv != NULL &&
+ p->idv->l == default_idv_len &&
+ strncmp(p->idv->v, default_idv, p->idv->l) == 0) {
 continue;
+ }
+#endif
 return 0;
 }
 return 1;
diff --git a/ipsec-tools/racoon/remoteconf.h b/ipsec-tools/racoon/remoteconf.h
index ee171da..f01b227 100644
--- a/ipsec-tools/racoon/remoteconf.h
+++ b/ipsec-tools/racoon/remoteconf.h
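Review bot: The new exclusion in no_remote_configs() recognises the stock BTMM section only by address family, id type and the literal identity "macuser@localhost", so an administrator-written remote section that uses the same identity is also counted as absent, and the exit logic that consumes this function (check_auto_exit/check_flushsa in session.c) could then shut the daemon down while a real configuration is loaded. If the parser can mark the shipped entry, a flag on struct remoteconf would be a more reliable discriminator than the identity string; failing that, the trade-off belongs in the comment, e.g. `// skip the stock BTMM IPv6 section (identity macuser@localhost); any user section with that identity is skipped too`. `default_idv_len` is an `int` compared against `p->idv->l`, which looks like a size_t; declaring it `static const size_t` avoids the signed/unsigned comparison.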
@@ -233,7 +233,7 @@ extern struct remoteconf *getrmconf_strict
 extern int link_rmconf_to_ph1 __P((struct remoteconf *));
 extern int unlink_rmconf_from_ph1 __P((struct remoteconf *));
 #endif
-extern int no_remote_configs __P((void));
+extern int no_remote_configs __P((int));
 extern struct remoteconf *copyrmconf __P((struct sockaddr *));
 extern struct remoteconf *newrmconf __P((void));
 extern struct remoteconf *duprmconf __P((struct remoteconf *));
diff --git a/ipsec-tools/racoon/schedule.c b/ipsec-tools/racoon/schedule.c
index 74f5f20..fe82c30 100644
--- a/ipsec-tools/racoon/schedule.c
+++ b/ipsec-tools/racoon/schedule.c
@@ -51,7 +51,10 @@
 #include "var.h"
 #include "gcmalloc.h"
+#if !defined(__LP64__)
+// year 2038 problem and fix for 32-bit only
 #define FIXY2038PROBLEM
+#endif
 #ifndef TAILQ_FOREACH
 #define TAILQ_FOREACH(elm, head, field) \
diff --git a/ipsec-tools/racoon/schedule.h b/ipsec-tools/racoon/schedule.h
index bd66593..e7e7477 100644
--- a/ipsec-tools/racoon/schedule.h
+++ b/ipsec-tools/racoon/schedule.h
@@ -67,6 +67,8 @@ do { \
 /* must be called after it's called from scheduler. */
 #define SCHED_INIT(s) (s) = NULL
+#define SELECT_SEC_MAX 86400 /* kernel's upper limit is actually 100000000 */
+#define SELECT_USEC_MAX 1000000 /* kernel's upper limit */
 struct scheddump {
 time_t xtime;
diff --git a/ipsec-tools/racoon/session.c b/ipsec-tools/racoon/session.c
index bcc4ad0..c5c98da 100644
--- a/ipsec-tools/racoon/session.c
+++ b/ipsec-tools/racoon/session.c
@@ -127,6 +127,19 @@ static int dying = 0;
 static struct sched *check_rtsock_sched = NULL;
 int terminated = 0;
+static void
+reinit_socks (void)
+{
+ isakmp_close();
+ close(lcconf->rtsock);
+ initmyaddr();
+ if (isakmp_open() < 0) {
+ plog(LLV_ERROR2, LOCATION, NULL,
+ "failed to reopen isakmp sockets\n");
+ }
+ initfds();
+}
 int
 session(void)
 {
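Review bot: The `#if !defined(__LP64__)` guard in schedule.c selects the 2038 workaround by pointer width, whereas the overflow it works around depends on the width of time_t; on Apple targets the two coincide, but that is a platform assumption rather than a property of the macro. A short comment would record it for the next port, e.g. `// assumes time_t is 32-bit exactly when pointers are (true on Darwin); revisit on other ABIs`.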
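Review bot: `SELECT_USEC_MAX` in schedule.h is documented as the kernel's upper limit, but 1000000 is itself out of range for tv_usec (select() accepts 0..999999), and the one consumer added by this patch, the timeout workaround in session.c, tests `> SELECT_USEC_MAX`, so a value of exactly 1000000 passes through unnormalised. State the intent explicitly, `#define SELECT_USEC_MAX 1000000 /* tv_usec must be strictly less than this */`, and compare with `>=` at the use site. Describing `SELECT_SEC_MAX` as a deliberate cap, `/* cap chosen well below the kernel's 100000000 */`, would also make clear it is a policy choice rather than a kernel limit.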
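Review bot: reinit_socks() in session.c closes `lcconf->rtsock` but leaves the field holding the closed descriptor number, and nothing in this hunk reopens it (initmyaddr() may, but its body is not in view); if it does not, the next `initfds()` registers a stale number, select() fails with EBADF, and the error path calls reinit_socks() again, which then closes whatever descriptor has since been handed that number. Guard and invalidate it: `if (lcconf->rtsock >= 0) close(lcconf->rtsock);` followed by `lcconf->rtsock = -1;`. A failed `isakmp_open()` is only logged, yet `initfds()` still runs and the main loop continues with no ISAKMP listening sockets; the branches this helper replaces at least scheduled `check_rtsock` for a retry, so either reschedule here or say in the message that no retry is pending.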
@@ -226,7 +239,20 @@ session(void)
 /* scheduling */
 timeout = schedular();
-
+ // Workaround: make sure timeout is playing nice
+ if (timeout) {
+ if (timeout->tv_usec < 0 || timeout->tv_usec > SELECT_USEC_MAX ) {
+ timeout->tv_sec += ((__typeof__(timeout->tv_sec))timeout->tv_usec)/SELECT_USEC_MAX;
+ timeout->tv_usec %= SELECT_USEC_MAX;
+ }
+ if (timeout->tv_sec > SELECT_SEC_MAX /* tv_sec is unsigned */) {
+ timeout->tv_sec = SELECT_SEC_MAX;
+ }
+ if (!timeout->tv_sec && !timeout->tv_usec) {
+ timeout->tv_sec = 1;
+ }
+ }
+
 if (dying)
 rfds = maskdying;
 else
@@ -238,18 +264,10 @@ session(void)
 continue;
 default:
 plog(LLV_ERROR2, LOCATION, NULL,
- "failed select (%s)\n",
- strerror(errno));
- /* serious socket problem - close all listening sockets and re-open */
- if (lcconf->autograbaddr) {
- isakmp_close();
- initfds();
- sched_new(5, check_rtsock, NULL);
- } else {
- isakmp_close_sockets();
- isakmp_open();
- initfds();
- }
+ "failed select (%s) nfds %d\n",
+ strerror(errno), nfds);
+ reinit_socks();
+ update_fds = 0;
 continue;
 }
 /*NOTREACHED*/
@@ -291,18 +309,8 @@ session(void)
 break;
 }
 if (error == -2) {
- if (lcconf->autograbaddr) {
- /* serious socket problem - close all listening sockets and re-open */
- isakmp_close();
- initfds();
- sched_new(5, check_rtsock, NULL);
- continue;
- } else {
- isakmp_close_sockets();
- isakmp_open();
- initfds();
- continue;
- }
+ reinit_socks();
+ update_fds = 0;
 }
 if (FD_ISSET(lcconf->sock_pfkey, &rfds))
@@ -539,7 +547,7 @@ check_sigreq()
 #endif /* __APPLE__ */
 initfds();
 #if TARGET_OS_EMBEDDED
- if (no_remote_configs()) {
+ if (no_remote_configs(TRUE)) {
 EVT_PUSH(NULL, NULL, EVTT_RACOON_QUIT, NULL);
 pfkey_send_flush(lcconf->sock_pfkey, SADB_SATYPE_UNSPEC);
 #ifdef ENABLE_FASTQUIT
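Review bot: The normalisation branch does not produce a valid timeval for a negative tv_usec: `%=` keeps a negative remainder, and when tv_sec is unsigned (as the in-line comment asserts) the `__typeof__` cast turns the negative quotient into a huge addend that the following clamp silently reduces to SELECT_SEC_MAX, so select() is still handed an invalid tv_usec and fails with EINVAL — which the `default:` case in the next hunk (@@ -238) answers with reinit_socks(), closing and reopening every ISAKMP socket on each pass through the loop for as long as the scheduler keeps returning that value. The `>` test also lets tv_usec == 1000000 through, which is equally out of range. A borrow-style normalisation covers both signs; the SELECT_SEC_MAX clamp and the zero-timeout floor below it stay as they are.
```c
	// Workaround: make sure timeout is playing nice
	if (timeout) {
		if (timeout->tv_usec < 0 || timeout->tv_usec >= SELECT_USEC_MAX) {
			long carry = timeout->tv_usec / SELECT_USEC_MAX;
			timeout->tv_usec %= SELECT_USEC_MAX;
			if (timeout->tv_usec < 0) {
				/* C99 '%' truncates toward zero; borrow one second */
				timeout->tv_usec += SELECT_USEC_MAX;
				carry -= 1;
			}
			/* never drive tv_sec below zero, whatever its signedness */
			if (carry < 0 && (long long)timeout->tv_sec + carry < 0)
				timeout->tv_sec = 0;
			else
				timeout->tv_sec += carry;
		}
		/* … unchanged: SELECT_SEC_MAX clamp and zero-timeout floor … */
	}
```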
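Review bot: The `error == -2` branch no longer ends with `continue;` — both removed branches did — so after reinit_socks() has closed and reopened the listening sockets, execution falls through to the `FD_ISSET(lcconf->sock_pfkey, &rfds)` checks with an rfds mask that was computed for the old descriptors, and a descriptor number recycled by the reopen can be serviced by the wrong handler. Unless `update_fds = 0` is what makes the remaining checks bail out (its consumer is outside this hunk), restoring `continue;` after `update_fds = 0;` keeps the previous behaviour. The select-error path in the hunk above does keep its `continue;`, so the two call sites of reinit_socks() are also inconsistent with each other.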
@@ -649,6 +657,15 @@ check_flushsa()
 return;
 }
+#if !TARGET_OS_EMBEDDED
+ // abort exit if policies/config/control state is still there
+ if (vpn_control_connected() ||
+ policies_installed() ||
+ !no_remote_configs(FALSE)) {
+ return;
+ }
+#endif
+
 close_session();
 #if !TARGET_OS_EMBEDDED
 if (lcconf->vt)
@@ -673,12 +690,14 @@ check_auto_exit(void)
 if (lcconf->auto_exit_sched != NULL) { /* exit scheduled? */
 if (lcconf->auto_exit_state != LC_AUTOEXITSTATE_ENABLED
 || vpn_control_connected() /* vpn control connected */
- || policies_installed()) /* policies installed in kernel */
+ || policies_installed() /* policies installed in kernel */
+ || !no_remote_configs(FALSE)) /* remote or anonymous configs */
 SCHED_KILL(lcconf->auto_exit_sched);
 } else { /* exit not scheduled */
 if (lcconf->auto_exit_state == LC_AUTOEXITSTATE_ENABLED
 && !vpn_control_connected()
- && !policies_installed())
+ && !policies_installed()
+ && no_remote_configs(FALSE))
 if (lcconf->auto_exit_delay == 0)
 auto_exit_do(NULL); /* immediate exit */
 else
-- 
2.47.2
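Review bot: The new early return in check_flushsa() aborts the shutdown silently; this runs after an SA flush was requested, so an operator asking why racoon stayed up after a stop has nothing in the log to go on. A `plog(LLV_DEBUG, LOCATION, NULL, "flush done but control/policies/configs still present, not exiting\n");` before the `return;` makes the decision visible. The same three-way condition now appears here and twice in check_auto_exit (the second hunk); a helper `static int session_idle(void) { return !vpn_control_connected() && !policies_installed() && no_remote_configs(FALSE); }` keeps the three sites from drifting, which matters because they decide whether the daemon exits while SAs or policies may still be in the kernel. check_flushsa()'s body begins outside the hunk.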