[Openswan dev] Small patches

Ulrich Weber uweber at astaro.de
Wed Jan 26 18:06:49 CET 2005


Hi,

I found a few small things in 2.2.0.

First, the replay bitmap of the native Linux IPsec (XFRM) implementation is only 
32 bits wide (not 64 like KLIPS).
Therefore the default replay window in native mode should be 32; see 
replay_window_netlink.diff.

Secondly, there are three assignments of "spd.that.virt = NULL" (two in connections.c, 
one in ipsec_doi.c).
Shouldn't there be a pfreeany() of the old value before each of them?

Finally, I wrote a small patch a few weeks ago to get rid of the fixed 
MAX_OUTPUT_UDP_SIZE / MAX_INPUT_UDP_SIZE buffers.
It uses ioctl(FIONREAD) to get the exact size of the pending datagram and 
allocates that many bytes instead of a MAX_OUTPUT_UDP_SIZE-sized buffer.
I don't know whether this is faster or widely usable, especially on older Linux 
systems,
but it works for me and is a little more memory-friendly.

By the way, one other thing: wouldn't it make more sense to swap the default 
IPsec SA and IKE SA lifetimes?

Greetings
 Ulrich
diff -Nru openswan-2.2.0.org/programs/pluto/kernel_netlink.c openswan-2.2.0/programs/pluto/kernel_netlink.c
--- openswan-2.2.0.org/programs/pluto/kernel_netlink.c	2004-12-01 09:38:26.000000000 +0100
+++ openswan-2.2.0/programs/pluto/kernel_netlink.c	2005-01-26 17:25:28.000000000 +0100
@@ -588,7 +588,7 @@
     req.p.id.proto = satype2proto(sa->satype);
     req.p.family = sa->src->u.v4.sin_family;
     req.p.mode = (sa->encapsulation == ENCAPSULATION_MODE_TUNNEL);
-    req.p.replay_window = sa->replay_window;
+    req.p.replay_window = 32;
     req.p.reqid = sa->reqid;
     req.p.lft.soft_byte_limit = XFRM_INF;
     req.p.lft.soft_packet_limit = XFRM_INF;
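Review bot: Hard-coding `req.p.replay_window = 32;` on the new line discards whatever replay window the connection was configured with, including 0 (anti-replay off) and anything below 32, which goes beyond the stated intent of only changing the default for native IPsec. Clamping the configured value to what the 32-bit XFRM bitmap can hold is the narrower fix: `req.p.replay_window = sa->replay_window > 32 ? 32 : sa->replay_window;`. Give the 32 a name (e.g. `NETLINK_REPLAY_WINDOW_MAX`) with a one-line comment that the native XFRM replay bitmap is 32 bits wide, so the next reader does not take it for an arbitrary constant. The enclosing function starts and ends outside this hunk.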
diff -Nru -I Time /opt/code/openswan-2.2.0/programs/pluto/demux.c openswan-2.2.0/programs/pluto/demux.c
--- /opt/code/openswan-2.2.0/programs/pluto/demux.c	2004-12-01 09:38:26.000000000 +0100
+++ openswan-2.2.0/programs/pluto/demux.c	2005-01-26 14:35:48.000000000 +0100
@@ -113,6 +113,7 @@
 #include <sys/time.h>	/* only used for belt-and-suspenders select call */
 #include <sys/poll.h>	/* only used for forensic poll call */
 #include <sys/socket.h>
+#include <sys/ioctl.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>
 #include <sys/queue.h>
@@ -835,9 +836,7 @@
     bool err;
 
 #ifdef NAT_TRAVERSAL
-    u_int8_t ike_pkt[MAX_OUTPUT_UDP_SIZE];
-    u_int8_t *ptr;
-    unsigned long len;
+    u_int8_t *buffer_nat;
 
     if ((c->interface->ike_float == TRUE) && (st->st_tpacket.len != 1)) {
 	if ((unsigned long) st->st_tpacket.len >
@@ -845,16 +844,14 @@
 	    DBG_log("send_packet(): really too big");
 	    return FALSE;
 	}
-	ptr = ike_pkt;
+	buffer_nat = alloc_bytes(st->st_tpacket.len + sizeof(u_int32_t), "buffer send_packet");
 	/** Add Non-ESP marker **/
-	memset(ike_pkt, 0, sizeof(u_int32_t));
-	memcpy(ike_pkt + sizeof(u_int32_t), st->st_tpacket.ptr,
+	memset(buffer_nat, 0, sizeof(u_int32_t));
+	memcpy(buffer_nat + sizeof(u_int32_t), st->st_tpacket.ptr,
 	    (unsigned long)st->st_tpacket.len);
-	len = (unsigned long) st->st_tpacket.len + sizeof(u_int32_t);
-    }
-    else {
-	ptr = st->st_tpacket.ptr;
-	len = (unsigned long) st->st_tpacket.len;
+	st->st_tpacket.len += sizeof(u_int32_t);
+	pfreeany(st->st_tpacket.ptr);
+	st->st_tpacket.ptr = buffer_nat;
     }
 #endif
 
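Review bot: The rewritten NAT-T branch now modifies the state's stored packet in place — `st->st_tpacket.len += sizeof(u_int32_t);` and `st->st_tpacket.ptr = buffer_nat;` — where the old code built the marker-prefixed copy in a local `ike_pkt` and left `st_tpacket` untouched. If send_packet() runs more than once for the same state, as it presumably does when st_tpacket is retransmitted, every call prepends another zero word, so later transmissions carry a growing run of Non-ESP markers and the peer will reject them. Keeping the copy local (pointer plus length), sending that, and freeing it after the sendto() in the following hunk preserves the old semantics without the fixed MAX_OUTPUT_UDP_SIZE array; `pfreeany(st->st_tpacket.ptr)` also assumes that buffer came from pluto's allocator, which this hunk does not show. send_packet() begins and ends outside this hunk.
```c
    u_int8_t *buffer_nat = NULL;
    const u_int8_t *ptr = st->st_tpacket.ptr;
    size_t len = st->st_tpacket.len;

    if ((c->interface->ike_float == TRUE) && (st->st_tpacket.len != 1)) {
	/* … unchanged: "really too big" check … */
	len += sizeof(u_int32_t);
	buffer_nat = alloc_bytes(len, "buffer send_packet");
	/* Non-ESP marker in front of the IKE payload; st_tpacket stays as is */
	memset(buffer_nat, 0, sizeof(u_int32_t));
	memcpy(buffer_nat + sizeof(u_int32_t), st->st_tpacket.ptr, st->st_tpacket.len);
	ptr = buffer_nat;
    }
    /* … unchanged: port fiddling and errqueue check … */
    err = sendto(c->interface->fd, ptr, len, 0
	, sockaddrof(&c->spd.that.host_addr)
	, sockaddrlenof(&c->spd.that.host_addr)) != (ssize_t)len;
    pfreeany(buffer_nat);
```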
@@ -881,17 +878,10 @@
     (void) check_msg_errqueue(c->interface, POLLOUT);
 #endif /* defined(IP_RECVERR) && defined(MSG_ERRQUEUE) */
 
-#ifdef NAT_TRAVERSAL
-    err = sendto(c->interface->fd
-    	, ptr, len, 0
-    	, sockaddrof(&c->spd.that.host_addr)
-    	, sockaddrlenof(&c->spd.that.host_addr)) != (ssize_t)len;
-#else
     err = sendto(c->interface->fd
     	, st->st_tpacket.ptr, st->st_tpacket.len, 0
     	, sockaddrof(&c->spd.that.host_addr)
     	, sockaddrlenof(&c->spd.that.host_addr)) != (ssize_t)st->st_tpacket.len;
-#endif
 
     /* restore port */
     setportof(port_buf, &c->spd.that.host_addr);
@@ -1076,11 +1066,8 @@
 {
     const struct iface *ifp = md->iface;
     int packet_len;
-    /* ??? this buffer seems *way* too big */
-    u_int8_t bigbuffer[MAX_INPUT_UDP_SIZE];
-#ifdef NAT_TRAVERSAL
-    u_int8_t *_buffer = bigbuffer;
-#endif
+    u_int8_t *buffer;
+    u_int8_t *buffer_nat;
     union
     {
 	struct sockaddr sa;
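Review bot: `buffer_nat` is declared unconditionally on the new side but is only used inside the `#ifdef NAT_TRAVERSAL` block of a later hunk, so a build without NAT_TRAVERSAL gets an unused-variable warning; keep it under `#ifdef NAT_TRAVERSAL` as the old `_buffer` was, or drop it by stripping the marker in place. The old `bigbuffer` comment and its size cap are gone, so a one-line comment on `buffer` would help: `u_int8_t *buffer;	/* sized from FIONREAD; handed to init_pbs() below */`. comm_handle() continues outside this hunk.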
@@ -1093,7 +1080,9 @@
 
     happy(anyaddr(addrtypeof(&ifp->addr), &md->sender));
     zero(&from.sa);
-    packet_len = recvfrom(ifp->fd, bigbuffer, sizeof(bigbuffer), 0
+    ioctl(ifp->fd, FIONREAD, &packet_len);
+    buffer = alloc_bytes(packet_len, "buffer read packet");
+    packet_len = recvfrom(ifp->fd, buffer, packet_len, 0
 	, &from.sa, &from_len);
 
     /* First: digest the from address.
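Review bot: The return value of `ioctl(ifp->fd, FIONREAD, &packet_len)` is not checked, and `packet_len` is only ever set by that call, so on failure (or on a system where FIONREAD is not meaningful for a datagram socket) an uninitialized `int` becomes both the allocation size and the recvfrom() length — a negative or garbage value converts to an enormous size_t, and if alloc_bytes() aborts on failure as pluto's allocator appears to, that is a daemon crash rather than a dropped packet. Guard it before the allocation, using whatever errno-logging helper this file already uses: `if (ioctl(ifp->fd, FIONREAD, &packet_len) < 0 || packet_len < 0) return FALSE;`. A zero-length datagram also reaches `alloc_bytes(0)`; whether that is acceptable depends on the allocator, so it deserves a comment or an explicit check. comm_handle() begins and ends outside this hunk.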
@@ -1184,14 +1173,17 @@
 		, ip_str(cur_from), (unsigned) cur_from_port, packet_len);
 	    return FALSE;
 	}
-	memcpy(&non_esp, _buffer, sizeof(u_int32_t));
+	memcpy(&non_esp, buffer, sizeof(u_int32_t));
 	if (non_esp != 0) {
 	    openswan_log("recvfrom %s:%u has no Non-ESP marker"
 		, ip_str(cur_from), (unsigned) cur_from_port);
 	    return FALSE;
 	}
-	_buffer += sizeof(u_int32_t);
 	packet_len -= sizeof(u_int32_t);
+	buffer_nat = alloc_bytes(packet_len, "buffer read packet");
+	memcpy(buffer_nat, buffer + sizeof(u_int32_t), packet_len);
+	pfree(buffer);
+	buffer = buffer_nat;
     }
 #endif
 
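Review bot: Both `return FALSE;` paths in this hunk — the too-short packet and the missing Non-ESP marker — now leave the heap `buffer` allocated, where the old code used a stack array, and the second one is reachable by any peer that sends a UDP/4500 datagram whose first word is non-zero, so each such packet leaks packet_len bytes of pluto memory. Add `pfree(buffer);` in front of each of these returns, and check whether the error returns between the recvfrom() and this point (outside the hunk) need the same treatment. The second allocation plus copy through `buffer_nat` is avoidable: `memmove(buffer, buffer + sizeof(u_int32_t), packet_len);` strips the marker in place and keeps `buffer` as the allocation start that init_pbs() is handed below.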
@@ -1199,11 +1191,7 @@
      * and set up md->packet_pbs to describe it.
      */
     init_pbs(&md->packet_pbs
-#ifdef NAT_TRAVERSAL
-	, clone_bytes(_buffer, packet_len, "message buffer in comm_handle()")
-#else
-	, clone_bytes(bigbuffer, packet_len, "message buffer in comm_handle()")
-#endif
+	, buffer
 	, packet_len, "packet");
 
     DBG(DBG_RAW | DBG_CRYPT | DBG_PARSING | DBG_CONTROL,
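Review bot: Passing `buffer` straight to init_pbs() replaces the former clone_bytes() copy, so ownership of the allocation made earlier in comm_handle() now transfers to `md->packet_pbs` and whatever frees the pbs storage later frees it; that is not visible here and is worth a comment at the call, e.g. `/* md->packet_pbs takes ownership of buffer; freed with the pbs, not here */`. The function continues past the end of this hunk.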

