/*
 * Test-harness helper: pretend the keylife timer has fired on state #2 and
 * drive a rekey of that connection.
 *
 * The rekey initiator message is captured to OUTPUT/rekeyikev2-I1.pcap.  The
 * KE secret, nonce and g^i handed to the pending crypto continuation
 * (the global crypto_req) are copied from the tc14_* constants instead of
 * being generated, so the run is deterministic.  That is acceptable only in
 * a test: a fixed DH private value or nonce must never be reused by real
 * exchanges.
 */
void rekeyit()
{
	struct pcr_kenonce *kn = &crypto_req->pcr_d.kn;
	struct state *stale;

	fprintf(stderr, "now pretend that the keylife timer is up, and rekey the connection\n");
	show_states_status();
	timer_list();

	stale = state_with_serialno(2);

	/* capture the rekey message */
	send_packet_setup_pcap("OUTPUT/rekeyikev2-I1.pcap");

	if (stale == NULL) {
		fprintf(stderr, "no state #2 found\n");
	} else {
		DBG(DBG_LIFECYCLE,
		    openswan_log("replacing stale %s SA",
				 (IS_PHASE1(stale->st_state) || IS_PHASE15(stale->st_state))
					 ? "ISAKMP" : "IPsec"));
		ipsecdoi_replace(stale, LEMPTY, LEMPTY, 1);
	}

	/* the queued continuation must be for the group the vectors were made for */
	passert(kn->oakley_group == tc14_oakleygroup);

	/* now fill in the KE values from a constant.. not calculated */
	clonetowirechunk(&kn->thespace, kn->space, &kn->secret, tc14_secret, tc14_secret_len);
	/* maybe change nonce for rekey? */
	clonetowirechunk(&kn->thespace, kn->space, &kn->n, tc14_ni, tc14_ni_len);
	clonetowirechunk(&kn->thespace, kn->space, &kn->gi, tc14_gi, tc14_gi_len);

	run_continuation(crypto_req);
	send_packet_close();
}
/*
 * State-table visitor: fold one state's progress into the log_conn_info
 * accumulator (data) for the connection lc->conn.
 *
 * lc->tunnel and lc->phase2 only ever move upward (each is raised to the
 * highest level seen so far).  lc->phase1 is overwritten by every state
 * visited: a phase-1 state sets it according to how far the ISAKMP exchange
 * has got, any other state resets it to p1_down.
 * NOTE(review): because of that reset, the final lc->phase1 depends on the
 * order in which states are visited; confirm the caller relies on exactly
 * this.
 *
 * A state owned by a different connection is considered only when it shares
 * our IP host pair and peer IDs (a phase 1 shared with another connection),
 * and then only its phase-1 information is taken into account.
 */
static void connection_state(struct state *st, void *data)
{
	struct log_conn_info *info = data;
	int own_conn;

	if (st == NULL || st == info->ignore ||
	    st->st_connection == NULL || info->conn == NULL)
		return;

	own_conn = (st->st_connection == info->conn);
	if (!own_conn) {
		/* foreign connection: only relevant if it shares our phase 1 */
		if (info->conn->IPhost_pair != st->st_connection->IPhost_pair)
			return;
		if (!same_peer_ids(info->conn, st->st_connection, NULL))
			return;
	}

	/* a state that has just been deleted carries no information */
	if (st->st_state == STATE_UNDEFINED)
		return;

	if (!IS_PHASE1(st->st_state)) {
		info->phase1 = p1_down;
	} else {
		if (info->tunnel < tun_phase1)
			info->tunnel = tun_phase1;

		if (IS_ISAKMP_SA_ESTABLISHED(st->st_state)) {
			if (info->tunnel < tun_phase1up)
				info->tunnel = tun_phase1up;
			info->phase1 = p1_up;
		} else {
			/* still negotiating: record how far it has got */
			if (info->phase1 < p1_init)
				info->phase1 = p1_init;
			if (info->phase1 < p1_encrypt && IS_ISAKMP_ENCRYPTED(st->st_state))
				info->phase1 = p1_encrypt;
			if (info->phase1 < p1_auth && IS_ISAKMP_AUTHENTICATED(st->st_state))
				info->phase1 = p1_auth;
		}
	}

	/* only phase 1 is shared across connections; the rest is ours alone */
	if (!own_conn)
		return;

	if (IS_PHASE15(st->st_state) && info->tunnel < tun_phase15)
		info->tunnel = tun_phase15;

	if (!IS_QUICK(st->st_state))
		return;

	if (info->tunnel < tun_phase2)
		info->tunnel = tun_phase2;

	if (IS_IPSEC_SA_ESTABLISHED(st->st_state)) {
		if (info->tunnel < tun_up)
			info->tunnel = tun_up;
		info->phase2 = p2_up;
	} else if (info->phase2 < p2_neg) {
		info->phase2 = p2_neg;
	}
}
/*
 * Dead-peer-detection timer callback for a state.
 *
 * Phase-1 and phase-1.5 states are probed with the ISAKMP-level DPD
 * initiator (p1_dpd_outI1); every other state with the IPsec-level one
 * (p2_dpd_outI1).  A NULL state is silently ignored.
 */
void dpd_event(struct state *st)
{
	if (st == NULL)
		return;

	if (IS_PHASE1(st->st_state) || IS_PHASE15(st->st_state)) {
		p1_dpd_outI1(st);
		return;
	}

	p2_dpd_outI1(st);
}
/*
 * Dead-peer-detection timer callback for a state: phase-1 states get the
 * ISAKMP-level probe (p1_dpd_outI1), all others the IPsec-level probe
 * (p2_dpd_outI1).  A NULL state is ignored.
 *
 * NOTE(review): only IS_PHASE1 is tested here, so any phase-1.5 state this
 * build may have would be probed as an IPsec SA; confirm that is intended.
 */
void dpd_event(struct state *st)
{
	if (st == NULL)
		return;

	if (IS_PHASE1(st->st_state))
		p1_dpd_outI1(st);
	else
		p2_dpd_outI1(st);
}
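/*
 * pcap callback: feed the I3 packet into the IKE state machine, then pretend
 * the keylife timer has fired on state #2 so that a rekey is queued.
 *
 * A dummy whack socket (/dev/null) is attached to state #2 so that code paths
 * expecting a whack process doing --up see a valid descriptor; the
 * replacement state (#3) is expected to carry one as well.  The KE secret,
 * nonce and g^i for the queued crypto continuation (the global crypto_req)
 * are copied from the SS() test vectors instead of being generated, so the
 * run is deterministic -- acceptable only in a test; a fixed DH private value
 * or nonce must never be reused by real exchanges.
 *
 * Fixes: st->st_whack_sock was assigned before state_with_serialno(2) was
 * checked for NULL, and state #3 was dereferenced without a NULL check; both
 * lookups are now validated before use.
 */
void recv_pcap_I3_rekey(u_char *user,
			const struct pcap_pkthdr *h,
			const u_char *bytes)
{
	struct state *st = NULL;
	struct pcr_kenonce *kn = &crypto_req->pcr_d.kn;
	int fake_whack_fd;

	/* create a socket for a possible whack process that is doing --up */
	fake_whack_fd = open("/dev/null", O_RDWR);
	passert(fake_whack_fd != -1);

	recv_pcap_packet(user, h, bytes);

	fprintf(stderr, "now pretend that the keylife timer is up, and rekey the connection\n");
	show_states_status();
	timer_list();

	st = state_with_serialno(2);
	if (st != NULL) {
		/* only hand the descriptor to a state that actually exists */
		st->st_whack_sock = fake_whack_fd;
		DBG(DBG_LIFECYCLE,
		    openswan_log("replacing stale %s SA",
				 (IS_PHASE1(st->st_state) || IS_PHASE15(st->st_state))
					 ? "ISAKMP" : "IPsec"));
		ipsecdoi_replace(st, LEMPTY, LEMPTY, 1);
	} else {
		/* NOTE(review): fake_whack_fd is not released on this path;
		 * the passert on state #3 below is expected to fail anyway. */
		fprintf(stderr, "no state #2 found\n");
	}

	/* find new state! */
	st = state_with_serialno(3);
	passert(st != NULL);
	passert(st->st_whack_sock != -1);

	/* the queued continuation must be for the group the vectors were made for */
	passert(kn->oakley_group == SS(oakleygroup));

	/* now fill in the KE values from a constant.. not calculated */
	clonetowirechunk(&kn->thespace, kn->space, &kn->secret, SS(secret.ptr), SS(secret.len));
	/* maybe change nonce for rekey? */
	clonetowirechunk(&kn->thespace, kn->space, &kn->n, SS(ni.ptr), SS(ni.len));
	clonetowirechunk(&kn->thespace, kn->space, &kn->gi, SS(gi.ptr), SS(gi.len));

	run_continuation(crypto_req);
}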