author | Timo Teräs <timo.teras@iki.fi> | 2011-03-04 13:57:21 +0200 |
committer | Timo Teräs <timo.teras@iki.fi> | 2011-03-04 13:59:01 +0200 |
commit | ba7a48af9f538f6b5ebd8c8039a5a92804236587 (patch) | |
tree | 4eed1b2ba785f978c21fa9d7d80d351392cdc7af /main/ipsec-tools/10-cmpsaddr-fix.patch | |
parent | 3c275f33865a0dbd194848ddd80532ae977bb866 (diff) | |
download | aports-ba7a48af9f538f6b5ebd8c8039a5a92804236587.tar.bz2 aports-ba7a48af9f538f6b5ebd8c8039a5a92804236587.tar.xz |
main/ipsec-tools: update to 0.8.0 RC, and include additional patches
* improve handling of setups where a single node participates in
multiple dmvpn networks. enable use of grekey in setkey,
SPD and sainfo; also match remoteconfs using sainfo ph1id
Diffstat (limited to 'main/ipsec-tools/10-cmpsaddr-fix.patch')
-rw-r--r-- | main/ipsec-tools/10-cmpsaddr-fix.patch | 421 |
1 files changed, 421 insertions, 0 deletions
diff --git a/main/ipsec-tools/10-cmpsaddr-fix.patch b/main/ipsec-tools/10-cmpsaddr-fix.patch
new file mode 100644
index 0000000000..af73c2e5e1
--- /dev/null
+++ b/main/ipsec-tools/10-cmpsaddr-fix.patch
@@ -0,0 +1,421 @@
+Index: ipsec-tools-cvs-HEAD/src/racoon/grabmyaddr.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/grabmyaddr.c 2011-03-03 17:54:33.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/grabmyaddr.c 2011-03-03 18:45:24.000000000 +0200
+@@ -100,7 +100,7 @@
+ return TRUE;
+ 
+ LIST_FOREACH(cfg, &configured, chain) {
+- if (cmpsaddr(addr, (struct sockaddr *) &cfg->addr) == 0)
++ if (cmpsaddr(addr, (struct sockaddr *) &cfg->addr) <= CMPSADDR_WILDPORT_MATCH)
+ return TRUE;
+ }
+ 
+@@ -116,7 +116,7 @@
+ 
+ /* Already open? */
+ LIST_FOREACH(my, &opened, chain) {
+- if (cmpsaddr(addr, (struct sockaddr *) &my->addr) == 0)
++ if (cmpsaddr(addr, (struct sockaddr *) &my->addr) <= CMPSADDR_WILDPORT_MATCH)
+ return TRUE;
+ }
+ 
+@@ -156,7 +156,7 @@
+ 
+ LIST_FOREACH(cfg, &configured, chain) {
+ if (addr != NULL &&
+- cmpsaddr(addr, (struct sockaddr *) &cfg->addr) != 0)
++ cmpsaddr(addr, (struct sockaddr *) &cfg->addr) > CMPSADDR_WILDPORT_MATCH)
+ continue;
+ if (!myaddr_open((struct sockaddr *) &cfg->addr, cfg->udp_encap))
+ return FALSE;
+@@ -262,7 +262,7 @@
+ struct myaddr *my;
+ 
+ LIST_FOREACH(my, &opened, chain) {
+- if (cmpsaddr((struct sockaddr *) &my->addr, addr) == 0)
++ if (cmpsaddr((struct sockaddr *) &my->addr, addr) <= CMPSADDR_WILDPORT_MATCH)
+ return my->fd;
+ }
+ 
+@@ -276,7 +276,7 @@
+ struct myaddr *my;
+ 
+ LIST_FOREACH(my, &opened, chain) {
+- if (cmpsaddr((struct sockaddr *) &my->addr, addr) == 0)
++ if (cmpsaddr((struct sockaddr *) &my->addr, addr) <= CMPSADDR_WILDPORT_MATCH)
+ return extract_port((struct sockaddr *) &my->addr);
+ }
+ 
+Index: ipsec-tools-cvs-HEAD/src/racoon/handler.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/handler.c 2011-03-03 17:54:33.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/handler.c 2011-03-03 18:48:10.000000000 +0200
+@@ -120,11 +120,11 @@
+ LIST_FOREACH(p, &ph1tree, chain) {
+ if (sel != NULL) {
+ if (sel->local != NULL &&
+- cmpsaddr(sel->local, p->local) != 0)
++ cmpsaddr(sel->local, p->local) > CMPSADDR_WILDPORT_MATCH)
+ continue;
+ 
+ if (sel->remote != NULL &&
+- cmpsaddr(sel->remote, p->remote) != 0)
++ cmpsaddr(sel->remote, p->remote) > CMPSADDR_WILDPORT_MATCH)
+ continue;
+ }
+ 
+@@ -300,8 +300,8 @@
+ if (p->status < PHASE1ST_DYING)
+ continue;
+ 
+- if (cmpsaddr(iph1->local, p->local) == 0
+- && cmpsaddr(iph1->remote, p->remote) == 0)
++ if (cmpsaddr(iph1->local, p->local) == CMPSADDR_MATCH
++ && cmpsaddr(iph1->remote, p->remote) == CMPSADDR_MATCH)
+ migrate_ph12(p, iph1);
+ }
+ }
+@@ -547,11 +547,11 @@
+ continue;
+ 
+ if (sel->src != NULL &&
+- cmpsaddr(sel->src, p->src) != 0)
++ cmpsaddr(sel->src, p->src) != CMPSADDR_MATCH)
+ continue;
+ 
+ if (sel->dst != NULL &&
+- cmpsaddr(sel->dst, p->dst) != 0)
++ cmpsaddr(sel->dst, p->dst) != CMPSADDR_MATCH)
+ continue;
+ }
+ 
+@@ -615,8 +615,8 @@
+ 
+ LIST_FOREACH(p, &ph2tree, chain) {
+ if (spid == p->spid &&
+- cmpsaddr(src, p->src) == 0 &&
+- cmpsaddr(dst, p->dst) == 0){
++ cmpsaddr(src, p->src) <= CMPSADDR_WILDPORT_MATCH &&
++ cmpsaddr(dst, p->dst) <= CMPSADDR_WILDPORT_MATCH){
+ /* Sanity check to detect zombie handlers
+ * XXX Sould be done "somewhere" more interesting,
+ * because we have lots of getph2byxxxx(), but this one
+@@ -643,8 +643,8 @@
+ struct ph2handle *p;
+ 
+ LIST_FOREACH(p, &ph2tree, chain) {
+- if (cmpsaddr(src, p->src) == 0 &&
+- cmpsaddr(dst, p->dst) == 0)
++ if (cmpsaddr(src, p->src) <= CMPSADDR_WILDPORT_MATCH &&
++ cmpsaddr(dst, p->dst) <= CMPSADDR_WILDPORT_MATCH)
+ return p;
+ }
+ 
+@@ -947,7 +947,7 @@
+ struct contacted *p;
+ 
+ LIST_FOREACH(p, &ctdtree, chain) {
+- if (cmpsaddr(remote, p->remote) == 0)
++ if (cmpsaddr(remote, p->remote) <= CMPSADDR_WILDPORT_MATCH)
+ return p;
+ }
+ 
+@@ -988,7 +988,7 @@
+ struct contacted *p;
+ 
+ LIST_FOREACH(p, &ctdtree, chain) {
+- if (cmpsaddr(remote, p->remote) == 0) {
++ if (cmpsaddr(remote, p->remote) <= CMPSADDR_WILDPORT_MATCH) {
+ LIST_REMOVE(p, chain);
+ racoon_free(p->remote);
+ racoon_free(p);
+@@ -1042,7 +1042,7 @@
+ /*
+ * the packet was processed before, but the remote address mismatches.
+ */
+- if (cmpsaddr(remote, r->remote) != 0)
++ if (cmpsaddr(remote, r->remote) != CMPSADDR_MATCH)
+ return 2;
+ 
+ /*
+Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp.c 2011-03-03 17:54:33.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/isakmp.c 2011-03-03 18:50:22.000000000 +0200
+@@ -468,8 +468,8 @@
+ /* Floating ports for NAT-T */
+ if (NATT_AVAILABLE(iph1) &&
+ ! (iph1->natt_flags & NAT_PORTS_CHANGED) &&
+- ((cmpsaddr(iph1->remote, remote) != 0) ||
+- (cmpsaddr(iph1->local, local) != 0)))
++ ((cmpsaddr(iph1->remote, remote) != CMPSADDR_MATCH) ||
++ (cmpsaddr(iph1->local, local) != CMPSADDR_MATCH)))
+ {
+ /* prevent memory leak */
+ racoon_free(iph1->remote);
+@@ -510,7 +510,7 @@
+ #endif
+ 
+ /* must be same addresses in one stream of a phase at least. */
+- if (cmpsaddr(iph1->remote, remote) != 0) {
++ if (cmpsaddr(iph1->remote, remote) != CMPSADDR_MATCH) {
+ char *saddr_db, *saddr_act;
+ 
+ saddr_db = racoon_strdup(saddr2str(iph1->remote));
+@@ -636,7 +636,7 @@
+ "exchange received.\n");
+ return -1;
+ }
+- if (cmpsaddr(iph1->remote, remote) != 0) {
++ if (cmpsaddr(iph1->remote, remote) != CMPSADDR_MATCH) {
+ plog(LLV_WARNING, LOCATION, remote,
+ "remote address mismatched. "
+ "db=%s\n",
+@@ -3322,10 +3322,10 @@
+ * Select only SAs where src == local and dst == remote (outgoing)
+ * or src == remote and dst == local (incoming).
+ */
+- if ((cmpsaddr(iph1->local, src) ||
+- cmpsaddr(iph1->remote, dst)) &&
+- (cmpsaddr(iph1->local, dst) ||
+- cmpsaddr(iph1->remote, src))) {
++ if ((cmpsaddr(iph1->local, src) != CMPSADDR_MATCH ||
++ cmpsaddr(iph1->remote, dst) != CMPSADDR_MATCH) &&
++ (cmpsaddr(iph1->local, dst) != CMPSADDR_MATCH ||
++ cmpsaddr(iph1->remote, src) != CMPSADDR_MATCH)) {
+ msg = next;
+ continue;
+ }
+Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp_inf.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp_inf.c 2011-03-03 17:54:34.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/isakmp_inf.c 2011-03-03 18:51:05.000000000 +0200
+@@ -1177,7 +1177,7 @@
+ 
+ /* don't delete inbound SAs at the moment */
+ /* XXX should we remove SAs with opposite direction as well? */
+- if (cmpsaddr(dst0, dst)) {
++ if (cmpsaddr(dst0, dst) != CMPSADDR_MATCH) {
+ msg = next;
+ continue;
+ }
+@@ -1355,10 +1355,10 @@
+ * ports. Correct thing to do is delete all entries with
+ * same identity. -TT
+ */
+- if ((cmpsaddr(iph1->local, src) != 0 ||
+- cmpsaddr(iph1->remote, dst) != 0) &&
+- (cmpsaddr(iph1->local, dst) != 0 ||
+- cmpsaddr(iph1->remote, src) != 0))
++ if ((cmpsaddr(iph1->local, src) != CMPSADDR_MATCH ||
++ cmpsaddr(iph1->remote, dst) != CMPSADDR_MATCH) &&
++ (cmpsaddr(iph1->local, dst) != CMPSADDR_MATCH ||
++ cmpsaddr(iph1->remote, src) != CMPSADDR_MATCH))
+ continue;
+ 
+ /*
+Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp_quick.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp_quick.c 2011-03-03 17:54:34.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/isakmp_quick.c 2011-03-03 18:51:48.000000000 +0200
+@@ -629,7 +629,7 @@
+ #endif
+ 
+ if (cmpsaddr((struct sockaddr *) &proposed_addr,
+- (struct sockaddr *) &got_addr) == 0) {
++ (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "IDci matches proposal.\n");
+ #ifdef ENABLE_NATT
+@@ -677,13 +677,13 @@
+ #endif
+ 
+ if (cmpsaddr((struct sockaddr *) &proposed_addr,
+- (struct sockaddr *) &got_addr) == 0) {
++ (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "IDcr matches proposal.\n");
+ #ifdef ENABLE_NATT
+ } else if (iph2->natoa_dst != NULL
+ && cmpsaddr(iph2->natoa_dst,
+- (struct sockaddr *) &got_addr) == 0) {
++ (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "IDcr matches NAT-OAr.\n");
+ #endif
+Index: ipsec-tools-cvs-HEAD/src/racoon/nattraversal.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/nattraversal.c 2011-03-03 17:54:34.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/nattraversal.c 2011-03-03 18:52:20.000000000 +0200
+@@ -398,8 +398,8 @@
+ struct natt_ka_addrs *ka = NULL, *new_addr;
+ 
+ TAILQ_FOREACH (ka, &ka_tree, chain) {
+- if (cmpsaddr(ka->src, src) == 0 &&
+- cmpsaddr(ka->dst, dst) == 0) {
++ if (cmpsaddr(ka->src, src) == CMPSADDR_MATCH &&
++ cmpsaddr(ka->dst, dst) == CMPSADDR_MATCH) {
+ ka->in_use++;
+ plog (LLV_INFO, LOCATION, NULL, "KA found: %s (in_use=%u)\n",
+ saddr2str_fromto("%s->%s", src, dst), ka->in_use);
+@@ -462,8 +462,8 @@
+ plog (LLV_DEBUG, LOCATION, NULL, "KA tree dump: %s (in_use=%u)\n",
+ saddr2str_fromto("%s->%s", src, dst), ka->in_use);
+ 
+- if (cmpsaddr(ka->src, src) == 0 &&
+- cmpsaddr(ka->dst, dst) == 0 &&
++ if (cmpsaddr(ka->src, src) == CMPSADDR_MATCH &&
++ cmpsaddr(ka->dst, dst) == CMPSADDR_MATCH &&
+ -- ka->in_use <= 0) {
+ 
+ plog (LLV_DEBUG, LOCATION, NULL, "KA removing this one...\n");
+Index: ipsec-tools-cvs-HEAD/src/racoon/pfkey.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/pfkey.c 2011-03-03 17:54:34.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/pfkey.c 2011-03-03 18:52:50.000000000 +0200
+@@ -2882,8 +2882,8 @@
+ u_int16_t port;
+ 
+ /* Already up-to-date? */
+- if (cmpsaddr(iph1->local, ma->local) == 0 &&
+- cmpsaddr(iph1->remote, ma->remote) == 0)
++ if (cmpsaddr(iph1->local, ma->local) == CMPSADDR_MATCH &&
++ cmpsaddr(iph1->remote, ma->remote) == CMPSADDR_MATCH)
+ return 0;
+ 
+ if (iph1->status < PHASE1ST_ESTABLISHED) {
+@@ -2983,8 +2983,8 @@
+ migrate_ph1_ike_addresses(iph2->ph1, arg);
+ 
+ /* Already up-to-date? */
+- if (cmpsaddr(iph2->src, ma->local) == 0 &&
+- cmpsaddr(iph2->dst, ma->remote) == 0)
++ if (cmpsaddr(iph2->src, ma->local) == CMPSADDR_MATCH &&
++ cmpsaddr(iph2->dst, ma->remote) == CMPSADDR_MATCH)
+ return 0;
+ 
+ /* save src/dst as sa_src/sa_dst before rewriting */
+@@ -3207,8 +3207,8 @@
+ "changing address families (%d to %d) for endpoints.\n",
+ osaddr->sa_family, nsaddr->sa_family);
+ 
+- if (cmpsaddr(osaddr, (struct sockaddr *) &saidx->src) ||
+- cmpsaddr(odaddr, (struct sockaddr *) &saidx->dst)) {
++ if (cmpsaddr(osaddr, (struct sockaddr *) &saidx->src) != CMPSADDR_MATCH ||
++ cmpsaddr(odaddr, (struct sockaddr *) &saidx->dst) != CMPSADDR_MATCH) {
+ plog(LLV_DEBUG, LOCATION, NULL, "SADB_X_MIGRATE: "
+ "mismatch of addresses in saidx and xisr.\n");
+ return -1;
+Index: ipsec-tools-cvs-HEAD/src/racoon/policy.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/policy.c 2011-03-03 17:54:34.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/policy.c 2011-03-03 19:09:42.000000000 +0200
+@@ -142,7 +142,7 @@
+ plog(LLV_DEBUG, LOCATION, NULL, "src2: %s\n",
+ saddr2str((struct sockaddr *)&spidx->src));
+ 
+- if (cmpsaddr(iph2->src, (struct sockaddr *) &spidx->src) ||
++ if (cmpsaddr(iph2->src, (struct sockaddr *) &spidx->src) != CMPSADDR_MATCH ||
+ spidx->prefs != prefixlen)
+ return NULL;
+ 
+@@ -151,7 +151,7 @@
+ plog(LLV_DEBUG, LOCATION, NULL, "dst2: %s\n",
+ saddr2str((struct sockaddr *)&spidx->dst));
+ 
+- if (cmpsaddr(iph2->dst, (struct sockaddr *) &spidx->dst) ||
++ if (cmpsaddr(iph2->dst, (struct sockaddr *) &spidx->dst) != CMPSADDR_MATCH ||
+ spidx->prefd != prefixlen)
+ return NULL;
+ 
+@@ -201,10 +201,10 @@
+ return 1;
+ 
+ if (cmpsaddr((struct sockaddr *) &a->src,
+- (struct sockaddr *) &b->src))
++ (struct sockaddr *) &b->src) != CMPSADDR_MATCH)
+ return 1;
+ if (cmpsaddr((struct sockaddr *) &a->dst,
+- (struct sockaddr *) &b->dst))
++ (struct sockaddr *) &b->dst) != CMPSADDR_MATCH)
+ return 1;
+ 
+ #ifdef HAVE_SECCTX
+@@ -261,7 +261,7 @@
+ a, b->prefs, saddr2str((struct sockaddr *)&sa1));
+ plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
+ b, b->prefs, saddr2str((struct sockaddr *)&sa2));
+- if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
++ if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2) > CMPSADDR_WILDPORT_MATCH)
+ return 1;
+ 
+ #ifndef __linux__
+@@ -279,7 +279,7 @@
+ a, b->prefd, saddr2str((struct sockaddr *)&sa1));
+ plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
+ b, b->prefd, saddr2str((struct sockaddr *)&sa2));
+- if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
++ if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2) > CMPSADDR_WILDPORT_MATCH)
+ return 1;
+ 
+ #ifdef HAVE_SECCTX
+Index: ipsec-tools-cvs-HEAD/src/racoon/sockmisc.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/sockmisc.c 2011-03-03 17:54:35.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/sockmisc.c 2011-03-03 18:55:01.000000000 +0200
+@@ -132,11 +132,13 @@
+ return CMPSADDR_MISMATCH;
+ }
+ 
+- if (port1 == port2 ||
+- port1 == IPSEC_PORT_ANY ||
+- port2 == IPSEC_PORT_ANY)
++ if (port1 == port2)
+ return CMPSADDR_MATCH;
+ 
++ if (port1 == IPSEC_PORT_ANY ||
++ port2 == IPSEC_PORT_ANY)
++ return CMPSADDR_WILDPORT_MATCH;
++
+ return CMPSADDR_WOP_MATCH;
+ }
+ 
+@@ -934,7 +936,7 @@
+ free(a2);
+ free(a3);
+ }
+- if (cmpsaddr(&sa, &naddr->sa.sa) == 0)
++ if (cmpsaddr(&sa, &naddr->sa.sa) <= CMPSADDR_WOP_MATCH)
+ return naddr->prefix + port_score;
+ 
+ return -1;
+Index: ipsec-tools-cvs-HEAD/src/racoon/sockmisc.h
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/sockmisc.h 2011-03-03 17:54:35.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/sockmisc.h 2011-03-03 18:40:30.000000000 +0200
+@@ -57,8 +57,9 @@
+ extern const int niflags;
+ 
+ #define CMPSADDR_MATCH 0
+-#define CMPSADDR_WOP_MATCH 1
+-#define CMPSADDR_MISMATCH 2
++#define CMPSADDR_WILDPORT_MATCH 1
++#define CMPSADDR_WOP_MATCH 2
++#define CMPSADDR_MISMATCH 3
+ 
+ extern int cmpsaddr __P((const struct sockaddr *, const struct sockaddr *));
+ 
+Index: ipsec-tools-cvs-HEAD/src/racoon/throttle.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/throttle.c 2011-03-03 17:54:35.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/throttle.c 2011-03-03 18:55:31.000000000 +0200
+@@ -104,7 +104,7 @@
+ goto restart;
+ }
+ 
+- if (cmpsaddr(addr, (struct sockaddr *) &te->host) == 0) {
++ if (cmpsaddr(addr, (struct sockaddr *) &te->host) <= CMPSADDR_WOP_MATCH) {
+ found = 1;
+ break;
+ } |
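Review bot: The relational comparisons this patch introduces at its call sites (`<= CMPSADDR_WILDPORT_MATCH`, `> CMPSADDR_WILDPORT_MATCH`, `<= CMPSADDR_WOP_MATCH`) make the numeric order of the CMPSADDR_* defines in the sockmisc.h hunk part of cmpsaddr()'s contract, yet the header says nothing about it; a comment above the defines such as `/* Ordered by match strength; callers compare with <= and > */` would keep a later renumbering from silently breaking every address lookup. Two call sites also widen matching rather than merely translating the old `== 0`: the sockmisc.c netaddr-score hunk and the throttle.c hunk now accept CMPSADDR_WOP_MATCH, i.e. addresses whose ports differ, where the old test required equal or wildcard ports; that looks deliberate (the score hunk adds a separate `port_score`, and throttling per host regardless of source port is the stricter choice) but deserves a sentence in the patch header so a rebase against upstream does not "fix" it back. Every hunk in this file is an excerpt, so the enclosing functions start and end outside what is visible here.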