replace iked_transform pointer with xform id, since target of pointer
authormarkus <markus@openbsd.org>
Fri, 9 May 2014 06:29:46 +0000 (06:29 +0000)
committermarkus <markus@openbsd.org>
Fri, 9 May 2014 06:29:46 +0000 (06:29 +0000)
might be freed (e.g. on ike sa rekey); ok mikeb@

sbin/iked/iked.h
sbin/iked/ikev2.c
sbin/iked/pfkey.c

index 34d8204..a1665f0 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: iked.h,v 1.79 2014/05/08 13:11:16 blambert Exp $      */
+/*     $OpenBSD: iked.h,v 1.80 2014/05/09 06:29:46 markus Exp $        */
 
 /*
  * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
@@ -174,10 +174,10 @@ struct iked_childsa {
        struct iked_spi                  csa_spi;
 
        struct ibuf                     *csa_encrkey;   /* encryption key */
-       struct iked_transform           *csa_encrxf;    /* encryption xform */
+       u_int16_t                        csa_encrid;    /* encryption xform id */
 
        struct ibuf                     *csa_integrkey; /* auth key */
-       struct iked_transform           *csa_integrxf;  /* auth xform */
+       u_int16_t                        csa_integrid;  /* auth xform id */
 
        struct iked_id                  *csa_srcid;
        struct iked_id                  *csa_dstid;
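Review bot: The new `csa_encrid` and `csa_integrid` fields in struct iked_childsa can only express "no transform" as the value 0, and their comments do not say so. pfkey_sa in pfkey.c now tests these ids for non-zero where it used to test the pointer, so a negotiated transform whose id is 0 would be treated as absent and skip pfkey_map instead of being mapped or rejected. Whether an id of 0 can be negotiated depends on the transform tables, which are not shown here. I would state the convention on the fields, e.g. `/* encryption xform id, 0 if none */` and `/* auth xform id, 0 if none */`. The struct continues outside the hunk.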
index 888b09b..37feb43 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ikev2.c,v 1.110 2014/05/07 12:57:13 markus Exp $      */
+/*     $OpenBSD: ikev2.c,v 1.111 2014/05/09 06:29:46 markus Exp $      */
 
 /*
  * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
@@ -4372,8 +4372,10 @@ ikev2_childsa_negotiate(struct iked *env, struct iked_sa *sa,
                        childsa_free(csa);
                        goto done;
                }
-               csa->csa_encrxf = encrxf;
-               csa->csa_integrxf = integrxf;
+               if (encrxf)
+                       csa->csa_encrid = encrxf->xform_id;
+               if (integrxf)
+                       csa->csa_integrid = integrxf->xform_id;
 
                if ((csb = calloc(1, sizeof(*csb))) == NULL) {
                        log_debug("%s: failed to get CHILD SA", __func__);
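Review bot: When `encrxf` or `integrxf` is NULL, the added assignments leave `csa->csa_encrid` and `csa->csa_integrid` untouched, so the non-zero tests in pfkey_sa are only correct if `csa` was zero-filled when it was allocated; that allocation is outside this hunk. Assigning unconditionally removes the dependency: `csa->csa_encrid = encrxf ? encrxf->xform_id : 0;` and `csa->csa_integrid = integrxf ? integrxf->xform_id : 0;`. ikev2_childsa_negotiate starts and ends outside the hunk.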
index c9b7483..afe2d60 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: pfkey.c,v 1.35 2014/05/07 13:09:43 markus Exp $       */
+/*     $OpenBSD: pfkey.c,v 1.36 2014/05/09 06:29:46 markus Exp $       */
 
 /*
  * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
@@ -540,20 +540,20 @@ pfkey_sa(int sd, u_int8_t satype, u_int8_t action, struct iked_childsa *sa)
                    ntohs(udpencap.sadb_x_udpencap_port));
        }
 
-       if (sa->csa_integrxf)
+       if (sa->csa_integrid)
                if (pfkey_map(pfkey_integr,
-                   sa->csa_integrxf->xform_id, &sadb.sadb_sa_auth) == -1) {
+                   sa->csa_integrid, &sadb.sadb_sa_auth) == -1) {
                        log_warnx("%s: unsupported integrity algorithm %s",
-                           __func__, print_map(sa->csa_integrxf->xform_id,
+                           __func__, print_map(sa->csa_integrid,
                            ikev2_xformauth_map));
                        return (-1);
                }
 
-       if (sa->csa_encrxf)
+       if (sa->csa_encrid)
                if (pfkey_map(pfkey_encr,
-                   sa->csa_encrxf->xform_id, &sadb.sadb_sa_encrypt) == -1) {
+                   sa->csa_encrid, &sadb.sadb_sa_encrypt) == -1) {
                        log_warnx("%s: unsupported encryption algorithm %s",
-                           __func__, print_map(sa->csa_encrxf->xform_id,
+                           __func__, print_map(sa->csa_encrid,
                            ikev2_xformencr_map));
                        return (-1);
                }
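Review bot: The outer `if (sa->csa_integrid)` and `if (sa->csa_encrid)` each guard a multi-line inner `if` with no braces of their own, which makes the nesting easy to misread and easy to break when a statement is added later. Giving each outer test its own braces, `if (sa->csa_integrid) {` … `}`, makes the scope explicit without changing behaviour. pfkey_sa starts and ends outside the hunk.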