[Swan-dev] ipsecme-split-dns

Antony Antony antony at phenome.org
Wed Dec 13 17:22:01 UTC 2017


On Wed, Dec 13, 2017 at 11:47:03AM -0500, Paul Wouters wrote:
> On Wed, 13 Dec 2017, Antony Antony wrote:
> 
> > I wonder why not revert the accident first? and comeback when you mean to.
> > that is my preference. Then there is a clear path, accident revert!
> 
> Can you undo a merge commit atomically? the man page isn't looking
> promising: 

Not automatically, and not with a single command either. However, creating a diff 
and applying it soon after the accident seems easy to do. As more commits land 
on top, a single patch may get harder to produce.

Here is one patch that reverts everything that came through the merge.
A functional revert is easy: just one diff for the entire merge.

A side effect is that the individual commits will not have a corresponding revert,
and for a future merge you have to create them again from master.

> And /usr/share/doc/git-1.8.3.1/howto/revert-a-faulty-merge.txt makes it
> look even less of a good idea to revert the merge?

What do you think of the one-patch idea? 

-antony
-------------- next part --------------
>From b4afd19f13cf33bda929c8d33200c7975fb5d4a4 Mon Sep 17 00:00:00 2001
From: Antony Antony <antony at phenome.org>
Date: Wed, 13 Dec 2017 18:05:02 +0100
Subject: [PATCH] Reverts 2b7ad4446c350cd0245b3bbc73980a7a4ee6ef6e

Merge branch 'ipsecme-split-dns'
---
 include/ietf_constants.h        |  4 +-
 include/ipsecconf/confread.h    |  2 -
 include/ipsecconf/keywords.h    |  2 -
 include/whack.h                 |  2 -
 lib/libipsecconf/confread.c     |  6 ---
 lib/libipsecconf/keywords.c     |  3 --
 lib/libipsecconf/starterwhack.c |  5 ---
 lib/libswan/constants.c         |  7 +---
 lib/libwhack/whacklib.c         |  4 --
 programs/pluto/connections.c    | 13 ------
 programs/pluto/connections.h    |  2 -
 programs/pluto/ikev2.h          |  2 +-
 programs/pluto/ikev2_child.c    | 89 +++++++++++------------------------------
 programs/pluto/ikev2_parent.c   | 72 +++++----------------------------
 programs/pluto/state.h          |  1 -
 programs/whack/whack.c          | 18 ---------
 16 files changed, 38 insertions(+), 194 deletions(-)

diff --git a/include/ietf_constants.h b/include/ietf_constants.h
index 3979f09df..e6092e9aa 100644
--- a/include/ietf_constants.h
+++ b/include/ietf_constants.h
@@ -1206,9 +1206,7 @@ enum ikev2_cp_attribute_type {
 	IKEv2_P_CSCF_IP6_ADDRESS = 21,
 	IKEv2_FTT_KAT = 22,
 	IKEv2_EXTERNAL_SOURCE_IP4_NAT_INFO = 23,
-	IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK = 24,
-	IKEv2_INTERNAL_DNS_DOMAIN = 25,
-	/* IKEv2_INTERNAL_DNSSEC_TA = 26 expected */
+	IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK = 24
 };
 
 
diff --git a/include/ipsecconf/confread.h b/include/ipsecconf/confread.h
index 049a5cecc..85d11c143 100644
--- a/include/ipsecconf/confread.h
+++ b/include/ipsecconf/confread.h
@@ -109,8 +109,6 @@ struct starter_conn {
 	char *modecfg_dns2;
 	char *modecfg_domain;
 	char *modecfg_banner;
-	char *internal_domain1;
-	char *internal_domain2;
 	char *policy_label;
 	char *conn_mark_both;
 	char *conn_mark_in;
diff --git a/include/ipsecconf/keywords.h b/include/ipsecconf/keywords.h
index 99f44f055..758701aff 100644
--- a/include/ipsecconf/keywords.h
+++ b/include/ipsecconf/keywords.h
@@ -196,8 +196,6 @@ enum keyword_string_conn_field {
 	KSCF_MODECFGDNS1,
 	KSCF_MODECFGDNS2,
 	KSCF_MODECFGDOMAIN,
-	KSCF_INTERNALDOMAIN1,
-	KSCF_INTERNALDOMAIN2,
 	KSCF_MODECFGBANNER,
 	KSCF_IKE,
 	KSCF_ESP,
diff --git a/include/whack.h b/include/whack.h
index c8eb98475..91c8fd244 100644
--- a/include/whack.h
+++ b/include/whack.h
@@ -305,8 +305,6 @@ struct whack_message {
 	ip_address modecfg_dns2;
 	char *modecfg_domain;
 	char *modecfg_banner;
-	char *internal_domain1;
-	char *internal_domain2;
 
 	char *conn_mark_both;
 	char *conn_mark_in;
diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c
index cd7bd5004..5527ea0c3 100644
--- a/lib/libipsecconf/confread.c
+++ b/lib/libipsecconf/confread.c
@@ -1238,8 +1238,6 @@ static bool load_conn(
 	str_to_conn(modecfg_dns1, KSCF_MODECFGDNS1);
 	str_to_conn(modecfg_dns2, KSCF_MODECFGDNS2);
 	str_to_conn(modecfg_domain, KSCF_MODECFGDOMAIN);
-	str_to_conn(internal_domain1, KSCF_INTERNALDOMAIN1);
-	str_to_conn(internal_domain2, KSCF_INTERNALDOMAIN2);
 	str_to_conn(modecfg_banner, KSCF_MODECFGBANNER);
 
 	str_to_conn(conn_mark_both, KSCF_CONN_MARK_BOTH);
@@ -1411,8 +1409,6 @@ static void conn_default(struct starter_conn *conn,
 
 	conn->modecfg_dns1 = clone_str(def->modecfg_dns1, "conn default dns1");
 	conn->modecfg_dns2 = clone_str(def->modecfg_dns2, "conn default dns2");
-	conn->internal_domain1 = clone_str(def->internal_domain1, "conn default internal-domain1");
-	conn->internal_domain2 = clone_str(def->internal_domain2, "conn default internal-domain2");
 	conn->modecfg_domain = clone_str(def->modecfg_domain, "conn default domain");
 	conn->modecfg_banner = clone_str(def->modecfg_banner, "conn default banner");
 	conn->conn_mark_both = clone_str(def->conn_mark_both, "conn default conn_mark_both");
@@ -1570,8 +1566,6 @@ static void confread_free_conn(struct starter_conn *conn)
 
 	pfreeany(conn->modecfg_dns1);
 	pfreeany(conn->modecfg_dns2);
-	pfreeany(conn->internal_domain1);
-	pfreeany(conn->internal_domain2);
 
 	pfreeany(conn->left.virt);
 	pfreeany(conn->right.virt);
diff --git a/lib/libipsecconf/keywords.c b/lib/libipsecconf/keywords.c
index a9cd32707..ff869f128 100644
--- a/lib/libipsecconf/keywords.c
+++ b/lib/libipsecconf/keywords.c
@@ -587,9 +587,6 @@ const struct keyword_def ipsec_conf_keywords[] = {
   { "modecfgdns1",  kv_conn,  kt_string,  KSCF_MODECFGDNS1, NULL, NULL, },
   { "modecfgdns2",  kv_conn,  kt_string,  KSCF_MODECFGDNS2, NULL, NULL, },
 
-  { "internaldomain1",  kv_conn,  kt_string,  KSCF_INTERNALDOMAIN1,  NULL, NULL },
-  { "internaldomain2",  kv_conn,  kt_string,  KSCF_INTERNALDOMAIN2,  NULL, NULL },
-
   { "modecfgdomain",  kv_conn,  kt_string,  KSCF_MODECFGDOMAIN, NULL, NULL, },
   { "modecfgbanner",  kv_conn,  kt_string,  KSCF_MODECFGBANNER, NULL, NULL, },
   { "mark",  kv_conn,  kt_string,  KSCF_CONN_MARK_BOTH, NULL, NULL, },
diff --git a/lib/libipsecconf/starterwhack.c b/lib/libipsecconf/starterwhack.c
index d019a63da..5fd002eff 100644
--- a/lib/libipsecconf/starterwhack.c
+++ b/lib/libipsecconf/starterwhack.c
@@ -672,9 +672,6 @@ static int starter_whack_basic_add_conn(struct starter_config *cfg,
 	starter_log(LOG_LEVEL_DEBUG, "conn: \"%s\" modecfgbanner=%s",
 		conn->name, msg.modecfg_banner);
 
-	msg.internal_domain1 = conn->internal_domain1;
-	msg.internal_domain2 = conn->internal_domain2;
-
 	msg.conn_mark_both = conn->conn_mark_both;
 	starter_log(LOG_LEVEL_DEBUG, "conn: \"%s\" mark=%s",
 		conn->name, msg.conn_mark_both);
@@ -715,8 +712,6 @@ static int starter_whack_basic_add_conn(struct starter_config *cfg,
 				"Ignoring modecfgdns2= entry, it is not a valid IPv4 or IPv6 address");
 	}
 
-	/* add sanity check for internal_dns / internal_domain */
-
 	set_whack_end("left",  &msg.left, &conn->left);
 	set_whack_end("right", &msg.right, &conn->right);
 
diff --git a/lib/libswan/constants.c b/lib/libswan/constants.c
index d98979b7b..118bdcae4 100644
--- a/lib/libswan/constants.c
+++ b/lib/libswan/constants.c
@@ -1362,15 +1362,12 @@ static const char *const ikev2_cp_attribute_type_name[] = {
 	"IKEv2_P_CSCF_IP6_ADDRESS",
 	"IKEv2_FTT_KAT",
 	"IKEv2_EXTERNAL_SOURCE_IP4_NAT_INFO", /* 3gpp */
-	"IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK", /* 3gpp */
-	"IKEv2_INTERNAL_DNS_DOMAIN", /* draft-pauly-ipsecme-split-dns-01 */
-	/* "IKEv2_INTERNAL_DNSSEC_TA", expected draft-pauly-ipsecme-split-dns-01 */
+	"IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK" /* 3gpp */
 };
 
 enum_names ikev2_cp_attribute_type_names = {
 	IKEv2_CP_ATTR_RESERVED,
-	/* IKEv2_INTERNAL_DNSSEC_TA, */
-	IKEv2_INTERNAL_DNS_DOMAIN,
+	IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK,
 	ARRAY_REF(ikev2_cp_attribute_type_name),
 	NULL, /* prefix */
 	NULL
diff --git a/lib/libwhack/whacklib.c b/lib/libwhack/whacklib.c
index 1974772ca..70205afe4 100644
--- a/lib/libwhack/whacklib.c
+++ b/lib/libwhack/whacklib.c
@@ -134,8 +134,6 @@ err_t pack_whack_msg(struct whackpacker *wp)
 	    !pack_str(wp, &wp->msg->conn_mark_in) ||		/* string 31 */
 	    !pack_str(wp, &wp->msg->conn_mark_out) ||		/* string 32 */
 	    !pack_str(wp, &wp->msg->vti_iface) ||		/* string 33 */
-	    !pack_str(wp, &wp->msg->internal_domain1) ||                          /* string 34 */
-	    !pack_str(wp, &wp->msg->internal_domain2) ||                          /* string 35 */
 	    !pack_str(wp, &wp->msg->remote_host) ||		/* string 33 */
 	    wp->str_roof - wp->str_next < (ptrdiff_t)wp->msg->keyval.len)	/* key */
 	{
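Review bot: On the new side of this hunk the numbering comment on `remote_host` collides with the one on `vti_iface`; both now read `/* string 33 */`, and the same duplicate appears in the matching unpack_whack_msg hunk below. That counter is what lets a reader check that pack_str and unpack_str calls stay in lockstep when a string is added or removed, so the comment on `remote_host` should read `/* string 34 */` in both functions. The comment on the `keyval.len` line can stay as is. pack_whack_msg starts outside this hunk.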
@@ -204,8 +202,6 @@ err_t unpack_whack_msg(struct whackpacker *wp)
 	    !unpack_str(wp, &wp->msg->conn_mark_in) ||		/* string 31 */
 	    !unpack_str(wp, &wp->msg->conn_mark_out) ||		/* string 32 */
 	    !unpack_str(wp, &wp->msg->vti_iface) ||		/* string 33 */
-	    !unpack_str(wp, &wp->msg->internal_domain1) ||      /* string 34 */
-	    !unpack_str(wp, &wp->msg->internal_domain2) ||      /* string 35 */
 	    !unpack_str(wp, &wp->msg->remote_host) ||		/* string 33 */
 	    wp->str_roof - wp->str_next != (ptrdiff_t)wp->msg->keyval.len)
 	{
diff --git a/programs/pluto/connections.c b/programs/pluto/connections.c
index 6d8e6fa4f..e0d8d798c 100644
--- a/programs/pluto/connections.c
+++ b/programs/pluto/connections.c
@@ -790,10 +790,6 @@ static void unshare_connection(struct connection *c)
 				"connection cisco_dns_info");
 	c->modecfg_domain = clone_str(c->modecfg_domain,
 				"connection modecfg_domain");
-	c->internal_domain1 = clone_str(c->internal_domain1,
-				"connection internal domain1");
-	c->internal_domain2 = clone_str(c->internal_domain2,
-				"connection internal domain1");
 	c->modecfg_banner = clone_str(c->modecfg_banner,
 				"connection modecfg_banner");
 #ifdef HAVE_LABELED_IPSEC
@@ -1666,8 +1662,6 @@ void add_connection(const struct whack_message *wm)
 
 		c->modecfg_dns1 = wm->modecfg_dns1;
 		c->modecfg_dns2 = wm->modecfg_dns2;
-		c->internal_domain1 = wm->internal_domain1;
-		c->internal_domain2 = wm->internal_domain2;
 		c->modecfg_domain = wm->modecfg_domain;
 		c->modecfg_banner = wm->modecfg_banner;
 
@@ -4046,13 +4040,6 @@ static void show_one_sr(const struct connection *c,
 
 #undef COMBO
 
-	whack_log(RC_COMMENT,
-		"\"%s\"%s:   internal domain1:%s, domain2:%s;",
-		c->name, instance,
-		c->internal_domain1,
-		c->internal_domain2
-		);
-
 	if (c->modecfg_banner != NULL) {
 		whack_log(RC_COMMENT, "\"%s\"%s: banner:%s;",
 		c->name, instance, c->modecfg_banner);
diff --git a/programs/pluto/connections.h b/programs/pluto/connections.h
index 1b75ec3f3..88aa5a2c0 100644
--- a/programs/pluto/connections.h
+++ b/programs/pluto/connections.h
@@ -332,8 +332,6 @@ struct connection {
 	char *cisco_dns_info; /* scratchpad for writing IP addresses */
 	char *modecfg_domain;
 	char *modecfg_banner;
-	char *internal_domain1;
-	char *internal_domain2;
 
 	u_int8_t metric;	/* metric for tunnel routes */
 	u_int16_t connmtu;	/* mtu for tunnel routes */
diff --git a/programs/pluto/ikev2.h b/programs/pluto/ikev2.h
index 489123841..2961593c8 100644
--- a/programs/pluto/ikev2.h
+++ b/programs/pluto/ikev2.h
@@ -248,7 +248,7 @@ extern bool ship_v2N(enum next_payload_types_ikev2 np,
 extern deltatime_t ikev2_replace_delay(struct state *st, enum event_type *pkind,
 				       enum original_role role);
 
-stf_status ikev2_send_cp(struct state *st, enum next_payload_types_ikev2 np,
+stf_status ikev2_send_cp(struct connection *c, enum next_payload_types_ikev2 np,
 		pb_stream *outpbs);
 
 bool ikev2_parse_cp_r_body(struct payload_digest *cp_pd, struct state *st);
diff --git a/programs/pluto/ikev2_child.c b/programs/pluto/ikev2_child.c
index 8b994c901..6934cae70 100644
--- a/programs/pluto/ikev2_child.c
+++ b/programs/pluto/ikev2_child.c
@@ -1002,7 +1002,7 @@ stf_status ikev2_child_sa_respond(struct msg_digest *md,
 	if (c->spd.that.has_lease &&
 			md->chain[ISAKMP_NEXT_v2CP] != NULL &&
 			cst->st_state != STATE_V2_REKEY_IKE_R) {
-		ikev2_send_cp(pst, ISAKMP_NEXT_v2SA, outpbs);
+		ikev2_send_cp(c, ISAKMP_NEXT_v2SA, outpbs);
 	} else if (md->chain[ISAKMP_NEXT_v2CP] != NULL) {
 		DBG(DBG_CONTROL, DBG_log("#%lu %s ignoring unexpected v2CP payload",
 					cst->st_serialno,
@@ -1182,17 +1182,15 @@ stf_status ikev2_child_sa_respond(struct msg_digest *md,
 	return STF_OK;
 }
 
-static bool ikev2_set_dns(pb_stream *cp_a_pbs, struct state *st, int af)
+static bool ikev2_set_dns(pb_stream *cp_a_pbs, struct state *st)
 {
 	ip_address ip;
 	char ip_str[ADDRTOT_BUF];
 	struct connection *c = st->st_connection;
-	err_t ugh = initaddr(cp_a_pbs->cur, pbs_left(cp_a_pbs), af, &ip);
-	bool responder = (st->st_state != STATE_PARENT_I2);
+	err_t ugh = initaddr(cp_a_pbs->cur, pbs_left(cp_a_pbs), AF_INET, &ip);
 
-	if ((ugh != NULL && st->st_state == STATE_PARENT_I2)) {
-		libreswan_log("ERROR INTERNAL_IP%s_DNS malformed: %s",
-			af == AF_INET ? "4" : "6", ugh);
+	if (ugh != NULL) {
+		libreswan_log("ERROR INTERNAL_IP4_DNS malformed: %s", ugh);
 		return FALSE;
 	}
 
@@ -1206,15 +1204,6 @@ static bool ikev2_set_dns(pb_stream *cp_a_pbs, struct state *st, int af)
 	libreswan_log("received INTERNAL_IP4_DNS %s",
 			ip_str);
 
-	if (c->policy & POLICY_OPPORTUNISTIC) {
-		libreswan_log("ignored INTERNAL_IP4_DNS CP payload for Opportunistic IPsec");
-		return TRUE;
-	}
-	if (responder) {
-		libreswan_log("responder INTERNAL_IP4_DNS CP ignored");
-		return TRUE;
-	}
-
 	char *old = c->cisco_dns_info;
 
 	if (old == NULL) {
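Review bot: The revert also drops the `POLICY_OPPORTUNISTIC` guard in ikev2_set_dns, so on the new side an INTERNAL_IP4_DNS attribute carried in a CP reply is appended to `c->cisco_dns_info` for opportunistic connections too. If that guard was a fix that merely rode along in the merge rather than part of the split-DNS feature, it should be re-applied on top of this revert. The removed `responder` guard is only redundant as long as ikev2_parse_cp_r_body keeps rejecting anything but IKEv2_CP_CFG_REPLY and the responder-side call in ikev2_parent_inI2outR2_id_tail stays removed, which is worth a comment such as `/* only reached on the initiator: CFG_REQUEST is rejected by the caller */`. ikev2_set_dns starts and ends outside this hunk.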
@@ -1238,30 +1227,27 @@ static bool ikev2_set_dns(pb_stream *cp_a_pbs, struct state *st, int af)
 	return TRUE;
 }
 
-static bool ikev2_set_ia(pb_stream *cp_a_pbs, struct state *st, int af)
+static bool ikev2_set_ia(pb_stream *cp_a_pbs, struct state *st)
 {
 	ip_address ip;
 	ipstr_buf ip_str;
 	struct connection *c = st->st_connection;
-	err_t ugh = initaddr(cp_a_pbs->cur, pbs_left(cp_a_pbs), af, &ip);
-	bool responder = st->st_state != STATE_PARENT_I2;
+	err_t ugh = initaddr(cp_a_pbs->cur, pbs_left(cp_a_pbs), AF_INET, &ip);
 
-	if ((ugh != NULL && st->st_state == STATE_PARENT_I2) || isanyaddr(&ip)) {
-		libreswan_log("ERROR INTERNAL_IP%s_ADDRESS malformed: %s",
-			af == AF_INET ? "4" : "6",
-			ugh == NULL ? ipstr(&ip, &ip_str) : ugh);
+	if (ugh != NULL) {
+		libreswan_log("ERROR INTERNAL_IP4_ADDRESS malformed: %s", ugh);
 		return FALSE;
 	}
 
-	libreswan_log("received INTERNAL_IP%s_ADDRESS %s",
-			af == AF_INET ? "4" : "6",
-			 ipstr(&ip, &ip_str));
-
-	if (responder) {
-		libreswan_log("responder CP ignored");
-		return TRUE;
+	if (isanyaddr(&ip)) {
+		libreswan_log("ERROR INTERNAL_IP4_ADDRESS %s is invalid",
+			ipstr(&ip, &ip_str));
+		return FALSE;
 	}
 
+	libreswan_log("received INTERNAL_IP4_ADDRESS %s",
+			ipstr(&ip, &ip_str));
+
 	c->spd.this.has_client = TRUE;
 	c->spd.this.has_internal_address = TRUE;
 
@@ -1271,16 +1257,12 @@ static bool ikev2_set_ia(pb_stream *cp_a_pbs, struct state *st, int af)
 		if (sameaddr(&c->spd.this.client.addr, &ip)) {
 			/* The address we received is same as this side
 			 * should we also check the host_srcip */
-			DBG(DBG_CONTROL, DBG_log("#%lu %s[%lu] received NTERNAL_IP%s_ADDRESS which is same as this.client.addr %s. Will not add CAT iptable rules",
+			DBG(DBG_CONTROL, DBG_log("#%lu %s[%lu] received NTERNAL_IP4_ADDRESS which is same as this.client.addr %s. Will not add CAT iptable rules",
 				st->st_serialno, c->name, c->instance_serial,
-				af == AF_INET ? "4" : "6",
 				ipstr(&ip, &ip_str)));
 		} else {
 			c->spd.this.client.addr = ip;
-			if (af == AF_INET)
-				c->spd.this.client.maskbits = 32;
-			else
-				c->spd.this.client.maskbits = 128;
+			c->spd.this.client.maskbits = 32;
 			st->st_ts_this = ikev2_end_to_ts(&c->spd.this);
 			c->spd.this.has_cat = TRUE; /* create iptable entry */
 		}
@@ -1308,17 +1290,11 @@ bool ikev2_parse_cp_r_body(struct payload_digest *cp_pd, struct state *st)
 	DBG(DBG_CONTROLMORE, DBG_log("#%lu %s[%lu] parsing ISAKMP_NEXT_v2CP payload",
 				st->st_serialno, c->name, c->instance_serial));
 
-	if (st->st_state == STATE_PARENT_I2 && cp->isacp_type !=  IKEv2_CP_CFG_REPLY) {
+	if (cp->isacp_type !=  IKEv2_CP_CFG_REPLY) {
 		loglog(RC_LOG_SERIOUS, "ERROR expected IKEv2_CP_CFG_REPLY got a %s",
 			enum_name(&ikev2_cp_type_names,cp->isacp_type));
 		return FALSE;
 	}
-	if (st->st_state == STATE_PARENT_R1 && cp->isacp_type !=  IKEv2_CP_CFG_REQUEST) {
-		libreswan_log("ERROR expected IKEv2_CP_CFG_REQUEST got a %s",
-			enum_name(&ikev2_cp_type_names,cp->isacp_type));
-		return FALSE;
-	}
-
 	while (pbs_left(attrs) > 0) {
 		struct ikev2_cp_attribute cp_a;
 		pb_stream cp_a_pbs;
@@ -1330,38 +1306,19 @@ bool ikev2_parse_cp_r_body(struct payload_digest *cp_pd, struct state *st)
 		}
 
 		switch (cp_a.type) {
-		case IKEv2_INTERNAL_IP4_ADDRESS | ISAKMP_ATTR_AF_TLV:
-			if (!ikev2_set_ia(&cp_a_pbs, st, AF_INET)) {
+		case INTERNAL_IP4_ADDRESS | ISAKMP_ATTR_AF_TLV:
+			if (!ikev2_set_ia(&cp_a_pbs, st)) {
 				loglog(RC_LOG_SERIOUS, "ERROR malformed INTERNAL_IP4_ADDRESS attribute");
 				return FALSE;
 			}
 			break;
 
-		case IKEv2_INTERNAL_IP4_DNS | ISAKMP_ATTR_AF_TLV:
-			if (!ikev2_set_dns(&cp_a_pbs, st, AF_INET)) {
+		case INTERNAL_IP4_DNS | ISAKMP_ATTR_AF_TLV:
+			if (!ikev2_set_dns(&cp_a_pbs, st)) {
 				loglog(RC_LOG_SERIOUS, "ERROR malformed INTERNAL_IP4_DNS attribute");
 				return FALSE;
 			}
 			break;
-
-		case IKEv2_INTERNAL_IP6_ADDRESS | ISAKMP_ATTR_AF_TLV:
-			if (!ikev2_set_ia(&cp_a_pbs, st, AF_INET6)) {
-				loglog(RC_LOG_SERIOUS, "ERROR malformed INTERNAL_IP6_ADDRESS attribute");
-				return FALSE;
-			}
-			break;
-
-		case IKEv2_INTERNAL_IP6_DNS | ISAKMP_ATTR_AF_TLV:
-			if (!ikev2_set_dns(&cp_a_pbs, st, AF_INET6)) {
-				loglog(RC_LOG_SERIOUS, "ERROR malformed INTERNAL_IP6_DNS attribute");
-				return FALSE;
-			}
-			break;
-		case IKEv2_INTERNAL_DNS_DOMAIN | ISAKMP_ATTR_AF_TLV:
-			/* ignore their values for now - just note support */
-			libreswan_log("received INTERNAL_DNS_DOMAIN (content ignored)");
-			st->st_seen_internal_domain = TRUE;
-			break;
 		default:
 			libreswan_log("unknown attribute %s length %u",
 				enum_name(&ikev2_cp_attribute_type_names,
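Review bot: The new side keys the switch on `INTERNAL_IP4_ADDRESS` and `INTERNAL_IP4_DNS`, while the sender in ikev2_send_cp keeps using `IKEv2_INTERNAL_IP4_ADDRESS` and `IKEv2_INTERNAL_IP4_DNS` from `enum ikev2_cp_attribute_type`. Unless the two enums are guaranteed to share values, parser and sender should be keyed on the same IKEv2 names, i.e. `case IKEv2_INTERNAL_IP4_ADDRESS | ISAKMP_ATTR_AF_TLV:` and `case IKEv2_INTERNAL_IP4_DNS | ISAKMP_ATTR_AF_TLV:`. Unrelated to the revert, the debug message in the earlier ikev2_set_ia hunk still reads `NTERNAL_IP4_ADDRESS`. The body of ikev2_parse_cp_r_body continues past this hunk.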
diff --git a/programs/pluto/ikev2_parent.c b/programs/pluto/ikev2_parent.c
index d5da8e904..d9031bf5e 100644
--- a/programs/pluto/ikev2_parent.c
+++ b/programs/pluto/ikev2_parent.c
@@ -2639,37 +2639,11 @@ static stf_status ikev2_ship_cp_attr_ip4(u_int16_t type, ip_address *ip4,
 	return STF_OK;
 }
 
-static stf_status ikev2_ship_cp_attr_str(u_int16_t type, char *str,
-		const char *story, pb_stream *outpbs)
-{
-	struct ikev2_cp_attribute attr;
-	pb_stream a_pbs;
-
-	attr.type = type;
-	if (str == NULL)
-		attr.len = 0;
-	else
-		attr.len = strlen(str);
-
-	if (!out_struct(&attr, &ikev2_cp_attribute_desc, outpbs,
-				&a_pbs))
-		return STF_INTERNAL_ERROR;
-
-	if (attr.len > 0) {
-		if (!out_raw(str, attr.len, &a_pbs, story))
-			return STF_INTERNAL_ERROR;
-	}
-
-	close_output_pbs(&a_pbs);
-	return STF_OK;
-}
-
-stf_status ikev2_send_cp(struct state *st, enum next_payload_types_ikev2 np,
+stf_status ikev2_send_cp(struct connection *c, enum next_payload_types_ikev2 np,
 				  pb_stream *outpbs)
 {
 	struct ikev2_cp cp;
 	pb_stream cp_pbs;
-	struct connection *c = st->st_connection;
 	bool cfg_reply = c->spd.that.has_lease;
 
 	DBG(DBG_CONTROLMORE, DBG_log("Send Configuration Payload %s ",
@@ -2682,11 +2656,11 @@ stf_status ikev2_send_cp(struct state *st, enum next_payload_types_ikev2 np,
 	if (!out_struct(&cp, &ikev2_cp_desc, outpbs, &cp_pbs))
 		return STF_INTERNAL_ERROR;
 
-	if (cfg_reply) {
-		ikev2_ship_cp_attr_ip4(IKEv2_INTERNAL_IP4_ADDRESS,
-			&c->spd.that.client.addr,
+	ikev2_ship_cp_attr_ip4(IKEv2_INTERNAL_IP4_ADDRESS,
+			cfg_reply ? &c->spd.that.client.addr : NULL,
 			"IPV4 Address", &cp_pbs);
 
+	if (cfg_reply) {
 		if (!isanyaddr(&c->modecfg_dns1)) {
 			ikev2_ship_cp_attr_ip4(IKEv2_INTERNAL_IP4_DNS, &c->modecfg_dns1,
 					"DNS 1", &cp_pbs);
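Review bot: The `stf_status` returned by `ikev2_ship_cp_attr_ip4` is discarded on every call in ikev2_send_cp, here for the IKEv2_INTERNAL_IP4_ADDRESS attribute and in the next hunk for the DNS attributes, so a failed `out_struct` inside the helper still leads to `close_output_pbs(&cp_pbs)` and `STF_OK`. Since ikev2_send_cp already returns `STF_INTERNAL_ERROR` for its own `out_struct` failure, the attribute writers should be checked the same way, e.g. `if (ikev2_ship_cp_attr_ip4(...) != STF_OK) return STF_INTERNAL_ERROR;` on each call. This is pre-existing rather than introduced by the revert; ikev2_send_cp's body runs beyond this hunk.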
@@ -2696,19 +2670,9 @@ stf_status ikev2_send_cp(struct state *st, enum next_payload_types_ikev2 np,
 					"DNS 2", &cp_pbs);
 		}
 	} else {
-		ikev2_ship_cp_attr_ip4(IKEv2_INTERNAL_IP4_ADDRESS,
-			 NULL, "IPV4 Address", &cp_pbs);
 		ikev2_ship_cp_attr_ip4(IKEv2_INTERNAL_IP4_DNS, NULL, "DNS", &cp_pbs);
 	}
 
-	if (st->st_seen_internal_domain) {
-		/* configured means sent by server or requested limitation by client */
-		ikev2_ship_cp_attr_str(IKEv2_INTERNAL_DNS_DOMAIN, c->internal_domain1,
-				"INTERNAL DOMAIN 1", &cp_pbs);
-		ikev2_ship_cp_attr_str(IKEv2_INTERNAL_DNS_DOMAIN, c->internal_domain2,
-				"INTERNAL DOMAIN 2", &cp_pbs);
-	}
-
 	close_output_pbs(&cp_pbs);
 
 	return STF_OK;
@@ -2985,16 +2949,18 @@ static stf_status ikev2_record_fragments(struct msg_digest *md,
 static int ikev2_np_cp_or_sa(struct connection *const pc, int np, const lset_t
 	   st_nat_traversal)
 {
+	int rnp = np;
+
 	if (pc->spd.this.modecfg_client) {
 		if (pc->spd.this.cat) {
 			if (LHAS(st_nat_traversal, NATED_HOST)) {
-				return ISAKMP_NEXT_v2CP;
+				rnp = ISAKMP_NEXT_v2CP;
 			}
 		} else {
-			return ISAKMP_NEXT_v2CP;
+			rnp = ISAKMP_NEXT_v2CP;
 		}
 	}
-	return np;
+	return rnp;
 }
 
 static stf_status ikev2_parent_inR1outI2_tail(
@@ -3238,7 +3204,7 @@ static stf_status ikev2_parent_inR1outI2_tail(
 	}
 
 	if (send_cp_r == ISAKMP_NEXT_v2CP) {
-		stf_status cpstat = ikev2_send_cp(pst, ISAKMP_NEXT_v2SA,
+		stf_status cpstat = ikev2_send_cp(pc, ISAKMP_NEXT_v2SA,
 				&e_pbs_cipher);
 
 		if (cpstat != STF_OK)
@@ -3322,7 +3288,7 @@ static stf_status ikev2_parent_inR1outI2_tail(
 		}
 
 		if (cc->send_no_esp_tfc) {
-			if (!ship_v2N( (cc->internal_domain1 != NULL) ? ISAKMP_NEXT_v2CP : ISAKMP_NEXT_v2NONE,
+			if (!ship_v2N(ISAKMP_NEXT_v2NONE,
 					ISAKMP_PAYLOAD_NONCRITICAL,
 					PROTO_v2_RESERVED,
 					&empty_chunk,
@@ -3330,14 +3296,6 @@ static stf_status ikev2_parent_inR1outI2_tail(
 					&e_pbs_cipher))
 				return STF_INTERNAL_ERROR;
 		}
-
-
-		/* send CP payload */
-		if (cc->internal_domain1 != NULL) {
-			ikev2_send_cp(pst, ISAKMP_NEXT_v2NONE, &e_pbs_cipher);
-		}
-
-
 	}
 
 	const unsigned int len = pbs_offset(&e_pbs_cipher);
@@ -3601,14 +3559,6 @@ stf_status ikev2_parent_inI2outR2_id_tail(struct msg_digest *md)
 		ikev2_decode_cr(md);
 	}
 
-	/* process CP payloads */
-	if (md->chain[ISAKMP_NEXT_v2CP] != NULL) {
-		if (!ikev2_parse_cp_r_body(md->chain[ISAKMP_NEXT_v2CP], st))
-		{
-			return STF_FAIL + v2N_NO_PROPOSAL_CHOSEN;
-		}
-	}
-
 	/* process AUTH payload */
 
 	enum keyword_authby that_authby = st->st_connection->spd.that.authby;
diff --git a/programs/pluto/state.h b/programs/pluto/state.h
index ca8fcbbb5..0a6330feb 100644
--- a/programs/pluto/state.h
+++ b/programs/pluto/state.h
@@ -569,7 +569,6 @@ struct state {
 	bool st_seen_fragments;                 /* did we receive ike fragments from peer, if so use them in return as well */
 	bool st_seen_no_tfc;			/* did we receive ESP_TFC_PADDING_NOT_SUPPORTED */
 	bool st_seen_use_transport;		/* did we receive USE_TRANSPORT_MODE */
-	bool st_seen_internal_domain;		/* did we receive CP IKEv2_INTERNAL_DNS_DOMAIN */
 	generalName_t *st_requested_ca;		/* collected certificate requests */
 	u_int8_t st_reply_xchg;
 };
diff --git a/programs/whack/whack.c b/programs/whack/whack.c
index 8171527aa..a547af0b6 100644
--- a/programs/whack/whack.c
+++ b/programs/whack/whack.c
@@ -123,8 +123,6 @@ static void help(void)
 		"	[--addresspool <network range>] \\\n"
 		"	[--modecfgdns1 <ip-address>] [--modecfgdns2 <ip-address>] \\\n"
 		"	[--modecfgdomain <dns-domain>] \\\n"
-		"	[--internaldomain1 <dns-domain>] \\\n"
-		"	[--internaldomain2 <dns-domain>] \\\n"
 		"	[--modecfgbanner <login banner>] \\\n"
 		"	[--metric <metric>] \\\n"
 		"	[--nflog-group <groupnum>] \\\n"
@@ -375,8 +373,6 @@ enum option_enums {
 
 	CD_MODECFGDNS1,
 	CD_MODECFGDNS2,
-	CD_INTERNALDOMAIN1,
-	CD_INTERNALDOMAIN2,
 	CD_MODECFGDOMAIN,
 	CD_MODECFGBANNER,
 	CD_METRIC,
@@ -642,8 +638,6 @@ static const struct option long_opts[] = {
 	{ "addresspool", required_argument, NULL, END_ADDRESSPOOL + OO },
 	{ "modecfgdns1", required_argument, NULL, CD_MODECFGDNS1 + OO },
 	{ "modecfgdns2", required_argument, NULL, CD_MODECFGDNS2 + OO },
-	{ "internaldomain1", required_argument, NULL, CD_INTERNALDOMAIN1 + OO },
-	{ "internaldomain2", required_argument, NULL, CD_INTERNALDOMAIN2 + OO },
 	{ "modecfgdomain", required_argument, NULL, CD_MODECFGDOMAIN + OO },
 	{ "modecfgbanner", required_argument, NULL, CD_MODECFGBANNER + OO },
 	{ "modeconfigserver", no_argument, NULL, END_MODECFGSERVER + OO },
@@ -899,8 +893,6 @@ int main(int argc, char **argv)
 	msg.xauthfail = XAUTHFAIL_HARD;
 	msg.modecfg_domain = NULL;
 	msg.modecfg_banner = NULL;
-	msg.internal_domain1 = NULL;
-	msg.internal_domain2 = NULL;
 
 	msg.nic_offload = nic_offload_auto;
 	msg.sa_ike_life_seconds = deltatime(IKE_SA_LIFETIME_DEFAULT);
@@ -1887,16 +1879,6 @@ int main(int argc, char **argv)
 				      &msg.modecfg_dns2), optarg);
 			continue;
 
-		case CD_INTERNALDOMAIN1:	/* --internaldomain1 */
-			msg.internal_domain1 = strdup(optarg);
-			fprintf(stderr, "whack: --internaldomain1 %s", optarg);
-			continue;
-
-		case CD_INTERNALDOMAIN2:	/* --internaldomain2 */
-			fprintf(stderr, "whack: --internaldomain2 %s", optarg);
-			msg.internal_domain2 = strdup(optarg);
-			continue;
-
 		case CD_MODECFGDOMAIN:	/* --modecfgdomain */
 			msg.modecfg_domain = strdup(optarg);
 			continue;
-- 
2.13.6


