Module Name: src
Committed By: vanhu
Date: Tue Jun 22 09:41:34 UTC 2010
Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y cftoken.l isakmp.c
isakmp_inf.c racoon.conf.5 remoteconf.c remoteconf.h
Log Message:
added a specific script hook when a dead peer is detected
To generate a diff of this commit:
cvs rdiff -u -r1.37 -r1.38 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
cvs rdiff -u -r1.20 -r1.21 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
cvs rdiff -u -r1.60 -r1.61 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.41 -r1.42 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
cvs rdiff -u -r1.59 -r1.60 \
src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
cvs rdiff -u -r1.18 -r1.19 \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
cvs rdiff -u -r1.11 -r1.12 \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.37 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.38
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.37 Thu Mar 12 10:57:26 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y Tue Jun 22 09:41:33 2010
@@ -1,4 +1,4 @@
-/* $NetBSD: cfparse.y,v 1.37 2009/03/12 10:57:26 tteras Exp $ */
+/* $NetBSD: cfparse.y,v 1.38 2010/06/22 09:41:33 vanhu Exp $ */
/* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
@@ -237,7 +237,7 @@
%token PREFIX PORT PORTANY UL_PROTO ANY IKE_FRAG ESP_FRAG MODE_CFG
%token PFS_GROUP LIFETIME LIFETYPE_TIME LIFETYPE_BYTE STRENGTH REMOTEID
-%token SCRIPT PHASE1_UP PHASE1_DOWN
+%token SCRIPT PHASE1_UP PHASE1_DOWN PHASE1_DEAD
%token NUMBER SWITCH BOOLEAN
%token HEXSTRING QUOTEDSTRING ADDRSTRING ADDRRANGE
@@ -2010,6 +2010,13 @@
cur_rmconf->script[SCRIPT_PHASE1_DOWN] =
script_path_add(vdup($2));
} EOS
+ | SCRIPT QUOTEDSTRING PHASE1_DEAD {
+ if (cur_rmconf->script[SCRIPT_PHASE1_DEAD] != NULL)
+ vfree(cur_rmconf->script[SCRIPT_PHASE1_DEAD]);
+
+ cur_rmconf->script[SCRIPT_PHASE1_DEAD] =
+ script_path_add(vdup($2));
+ } EOS
| MODE_CFG SWITCH { cur_rmconf->mode_cfg = $2; } EOS
| WEAK_PHASE1_CHECK SWITCH {
cur_rmconf->weak_phase1_check = $2;
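Review bot: The new `phase1_dead` rule stores the result of `script_path_add(vdup($2))` without checking it, as the `phase1_down` rule above it does. If either call can return NULL (their definitions are outside this hunk), the hook is silently left unconfigured and the administrator gets no parse error. Because the configured path is later executed by the daemon, a failed path is worth reporting at parse time, e.g. `if (cur_rmconf->script[SCRIPT_PHASE1_DEAD] == NULL) { yyerror("invalid script path"); return -1; }`. The script rules are now copies that differ only in the index, so a shared helper taking the index would keep them from drifting apart.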
Index: src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
diff -u src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.20 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.21
--- src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.20 Thu Mar 12 10:57:26 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/cftoken.l Tue Jun 22 09:41:33 2010
@@ -1,4 +1,4 @@
-/* $NetBSD: cftoken.l,v 1.20 2009/03/12 10:57:26 tteras Exp $ */
+/* $NetBSD: cftoken.l,v 1.21 2010/06/22 09:41:33 vanhu Exp $ */
/* Id: cftoken.l,v 1.53 2006/08/22 18:17:17 manubsd Exp */
@@ -365,6 +365,7 @@
<S_RMTS>script { YYD; return(SCRIPT); }
<S_RMTS>phase1_up { YYD; return(PHASE1_UP); }
<S_RMTS>phase1_down { YYD; return(PHASE1_DOWN); }
+<S_RMTS>phase1_dead { YYD; return(PHASE1_DEAD); }
<S_RMTS>mode_cfg { YYD; return(MODE_CFG); }
<S_RMTS>weak_phase1_check { YYD; return(WEAK_PHASE1_CHECK); }
<S_RMTS>rekey { YYD; return(REKEY); }
Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.60 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.61
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.60 Thu Sep 3 09:29:07 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c Tue Jun 22 09:41:33 2010
@@ -1,4 +1,4 @@
-/* $NetBSD: isakmp.c,v 1.60 2009/09/03 09:29:07 tteras Exp $ */
+/* $NetBSD: isakmp.c,v 1.61 2010/06/22 09:41:33 vanhu Exp $ */
/* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
@@ -1839,6 +1839,8 @@
plog(LLV_ERROR, LOCATION, NULL,
"phase1 negotiation failed due to time up. %s\n",
isakmp_pindex(&iph1->index, iph1->msgid));
+ /* XXX is the peer really "dead" here ??? */
+ script_hook(iph1, SCRIPT_PHASE1_DEAD);
evt_phase1(iph1, EVT_PHASE1_NO_RESPONSE, NULL);
return -1;
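Review bot: The `script_hook(iph1, SCRIPT_PHASE1_DEAD)` call added in the phase 1 timeout path fires on a negotiation that timed out, which is not the DPD detection that the racoon.conf.5 change in this commit documents, and the `XXX` comment admits the doubt. If this path is also reached for exchanges started by a remote party that then stops answering (not determinable from the hunk), the script runs on unauthenticated input and can be triggered repeatedly, so an operator script that fails over or removes routes would act on a peer that was never up. Either restrict the hook to the DPD path or document the behaviour, replacing the XXX with something like `/* also run on phase 1 negotiation timeout: the SA may never have been established */`. The return value of `script_hook` is ignored here and in the isakmp_inf.c hunk; a failure to start the script should at least be logged. The enclosing function starts and ends outside the hunk.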
Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.41 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.42
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.41 Fri Jul 3 06:41:46 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c Tue Jun 22 09:41:33 2010
@@ -1,4 +1,4 @@
-/* $NetBSD: isakmp_inf.c,v 1.41 2009/07/03 06:41:46 tteras Exp $ */
+/* $NetBSD: isakmp_inf.c,v 1.42 2010/06/22 09:41:33 vanhu Exp $ */
/* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
@@ -1506,6 +1506,7 @@
"DPD: remote (ISAKMP-SA spi=%s) seems to be dead.\n",
isakmp_pindex(&iph1->index, 0));
+ script_hook(iph1, SCRIPT_PHASE1_DEAD);
evt_phase1(iph1, EVT_PHASE1_DPD_TIMEOUT, NULL);
purge_remote(iph1);
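Review bot: The dead-peer script is started before `evt_phase1` and `purge_remote(iph1)`, and nothing visible here defines the ordering between the script and the SA teardown. If `script_hook` does not wait for the script (its definition is outside the hunk), the script may see the SAs either still present or already purged; and if `purge_remote` leads to the `phase1_down` hook, both scripts would run for a single event. A comment at the call stating the intended order, e.g. `/* run before purge_remote so the script still sees the SAs for this peer */`, plus a matching sentence in racoon.conf.5, would let operators write scripts that do not depend on timing. The enclosing function continues outside the hunk.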
Index: src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
diff -u src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.59 src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.60
--- src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.59 Wed Oct 14 18:22:04 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 Tue Jun 22 09:41:33 2010
@@ -1,4 +1,4 @@
-.\" $NetBSD: racoon.conf.5,v 1.59 2009/10/14 18:22:04 joerg Exp $
+.\" $NetBSD: racoon.conf.5,v 1.60 2010/06/22 09:41:33 vanhu Exp $
.\"
.\" Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
.\"
@@ -602,11 +602,15 @@
.\"
.It Ic script Ar script Ic phase1_up
.It Ic script Ar script Ic phase1_down
-Shell scripts that get executed when a phase 1 SA goes up or down.
-Both scripts get either
+.It Ic script Ar script Ic phase1_dead
+Shell scripts that get executed when a phase 1 SA goes up or down, or
+when it is detected as dead by DPD.
+All scripts get either
.Ic phase1_up
-or
+,
.Ic phase1_down
+or
+.Ic phase1_dead
as first argument, and the following
variables are set in their environment:
.Bl -tag -width Ds -compact
Index: src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.18 src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.19
--- src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.18 Tue Sep 1 09:49:59 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c Tue Jun 22 09:41:33 2010
@@ -1,4 +1,4 @@
-/* $NetBSD: remoteconf.c,v 1.18 2009/09/01 09:49:59 tteras Exp $ */
+/* $NetBSD: remoteconf.c,v 1.19 2010/06/22 09:41:33 vanhu Exp $ */
/* Id: remoteconf.c,v 1.38 2006/05/06 15:52:44 manubsd Exp */
@@ -84,7 +84,8 @@
/*
* Script hook names and script hook paths
*/
-char *script_names[SCRIPT_MAX + 1] = { "phase1_up", "phase1_down" };
+char *script_names[SCRIPT_MAX + 1] = {
+ "phase1_up", "phase1_down", "phase1_dead" };
/*%%%*/
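Review bot: The `script_names` initializer relies on the string order matching the `SCRIPT_PHASE1_*` values defined in remoteconf.h, and nothing ties the two together. If the tree's C dialect allows designated initializers, `[SCRIPT_PHASE1_UP] = "phase1_up", [SCRIPT_PHASE1_DOWN] = "phase1_down", [SCRIPT_PHASE1_DEAD] = "phase1_dead"` makes the mapping explicit and leaves a forgotten entry as NULL instead of shifting the names. These names are presumably what the script receives as its first argument, per the man page change, so a mismatch would make a hook script take the wrong branch.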
Index: src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h:1.11 src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h:1.12
--- src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h:1.11 Fri Jul 3 06:41:47 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h Tue Jun 22 09:41:33 2010
@@ -1,4 +1,4 @@
-/* $NetBSD: remoteconf.h,v 1.11 2009/07/03 06:41:47 tteras Exp $ */
+/* $NetBSD: remoteconf.h,v 1.12 2010/06/22 09:41:33 vanhu Exp $ */
/* Id: remoteconf.h,v 1.26 2006/05/06 15:52:44 manubsd Exp */
@@ -80,7 +80,8 @@
/* Script hooks */
#define SCRIPT_PHASE1_UP 0
#define SCRIPT_PHASE1_DOWN 1
-#define SCRIPT_MAX 1
+#define SCRIPT_PHASE1_DEAD 2
+#define SCRIPT_MAX 2
extern char *script_names[SCRIPT_MAX + 1];
struct remoteconf {
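Review bot: `SCRIPT_MAX` is the highest valid hook index rather than a count, so every array indexed by a hook constant has to be sized `SCRIPT_MAX + 1`. `script_names` is, but the `script[]` member of `struct remoteconf` is declared below this hunk and should be confirmed, since cfparse.y now writes index 2. A comment on the define such as `/* highest hook index, not a count: size arrays as SCRIPT_MAX + 1 */` would make the convention visible to whoever adds the next hook.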