path: root/main/ipsec-tools/10-cmpsaddr-fix.patch
authorTimo Teräs <timo.teras@iki.fi>2011-03-04 13:57:21 +0200
committerTimo Teräs <timo.teras@iki.fi>2011-03-04 13:59:01 +0200
commitba7a48af9f538f6b5ebd8c8039a5a92804236587 (patch)
tree4eed1b2ba785f978c21fa9d7d80d351392cdc7af /main/ipsec-tools/10-cmpsaddr-fix.patch
parent3c275f33865a0dbd194848ddd80532ae977bb866 (diff)
downloadaports-ba7a48af9f538f6b5ebd8c8039a5a92804236587.tar.bz2
aports-ba7a48af9f538f6b5ebd8c8039a5a92804236587.tar.xz
main/ipsec-tools: update to 0.8.0 RC, and include additional patches
* improve handling of setups where a single node participates in multiple DMVPN networks. Enable use of grekey in setkey, SPD and sainfo; also match remoteconfs using the sainfo ph1id
Diffstat (limited to 'main/ipsec-tools/10-cmpsaddr-fix.patch')
-rw-r--r--main/ipsec-tools/10-cmpsaddr-fix.patch421
1 files changed, 421 insertions, 0 deletions
diff --git a/main/ipsec-tools/10-cmpsaddr-fix.patch b/main/ipsec-tools/10-cmpsaddr-fix.patch
new file mode 100644
index 0000000000..af73c2e5e1
--- /dev/null
+++ b/main/ipsec-tools/10-cmpsaddr-fix.patch
@@ -0,0 +1,421 @@
+Index: ipsec-tools-cvs-HEAD/src/racoon/grabmyaddr.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/grabmyaddr.c 2011-03-03 17:54:33.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/grabmyaddr.c 2011-03-03 18:45:24.000000000 +0200
+@@ -100,7 +100,7 @@
+ return TRUE;
+
+ LIST_FOREACH(cfg, &configured, chain) {
+- if (cmpsaddr(addr, (struct sockaddr *) &cfg->addr) == 0)
++ if (cmpsaddr(addr, (struct sockaddr *) &cfg->addr) <= CMPSADDR_WILDPORT_MATCH)
+ return TRUE;
+ }
+
+@@ -116,7 +116,7 @@
+
+ /* Already open? */
+ LIST_FOREACH(my, &opened, chain) {
+- if (cmpsaddr(addr, (struct sockaddr *) &my->addr) == 0)
++ if (cmpsaddr(addr, (struct sockaddr *) &my->addr) <= CMPSADDR_WILDPORT_MATCH)
+ return TRUE;
+ }
+
+@@ -156,7 +156,7 @@
+
+ LIST_FOREACH(cfg, &configured, chain) {
+ if (addr != NULL &&
+- cmpsaddr(addr, (struct sockaddr *) &cfg->addr) != 0)
++ cmpsaddr(addr, (struct sockaddr *) &cfg->addr) > CMPSADDR_WILDPORT_MATCH)
+ continue;
+ if (!myaddr_open((struct sockaddr *) &cfg->addr, cfg->udp_encap))
+ return FALSE;
+@@ -262,7 +262,7 @@
+ struct myaddr *my;
+
+ LIST_FOREACH(my, &opened, chain) {
+- if (cmpsaddr((struct sockaddr *) &my->addr, addr) == 0)
++ if (cmpsaddr((struct sockaddr *) &my->addr, addr) <= CMPSADDR_WILDPORT_MATCH)
+ return my->fd;
+ }
+
+@@ -276,7 +276,7 @@
+ struct myaddr *my;
+
+ LIST_FOREACH(my, &opened, chain) {
+- if (cmpsaddr((struct sockaddr *) &my->addr, addr) == 0)
++ if (cmpsaddr((struct sockaddr *) &my->addr, addr) <= CMPSADDR_WILDPORT_MATCH)
+ return extract_port((struct sockaddr *) &my->addr);
+ }
+
+Index: ipsec-tools-cvs-HEAD/src/racoon/handler.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/handler.c 2011-03-03 17:54:33.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/handler.c 2011-03-03 18:48:10.000000000 +0200
+@@ -120,11 +120,11 @@
+ LIST_FOREACH(p, &ph1tree, chain) {
+ if (sel != NULL) {
+ if (sel->local != NULL &&
+- cmpsaddr(sel->local, p->local) != 0)
++ cmpsaddr(sel->local, p->local) > CMPSADDR_WILDPORT_MATCH)
+ continue;
+
+ if (sel->remote != NULL &&
+- cmpsaddr(sel->remote, p->remote) != 0)
++ cmpsaddr(sel->remote, p->remote) > CMPSADDR_WILDPORT_MATCH)
+ continue;
+ }
+
+@@ -300,8 +300,8 @@
+ if (p->status < PHASE1ST_DYING)
+ continue;
+
+- if (cmpsaddr(iph1->local, p->local) == 0
+- && cmpsaddr(iph1->remote, p->remote) == 0)
++ if (cmpsaddr(iph1->local, p->local) == CMPSADDR_MATCH
++ && cmpsaddr(iph1->remote, p->remote) == CMPSADDR_MATCH)
+ migrate_ph12(p, iph1);
+ }
+ }
+@@ -547,11 +547,11 @@
+ continue;
+
+ if (sel->src != NULL &&
+- cmpsaddr(sel->src, p->src) != 0)
++ cmpsaddr(sel->src, p->src) != CMPSADDR_MATCH)
+ continue;
+
+ if (sel->dst != NULL &&
+- cmpsaddr(sel->dst, p->dst) != 0)
++ cmpsaddr(sel->dst, p->dst) != CMPSADDR_MATCH)
+ continue;
+ }
+
+@@ -615,8 +615,8 @@
+
+ LIST_FOREACH(p, &ph2tree, chain) {
+ if (spid == p->spid &&
+- cmpsaddr(src, p->src) == 0 &&
+- cmpsaddr(dst, p->dst) == 0){
++ cmpsaddr(src, p->src) <= CMPSADDR_WILDPORT_MATCH &&
++ cmpsaddr(dst, p->dst) <= CMPSADDR_WILDPORT_MATCH){
+ /* Sanity check to detect zombie handlers
+ * XXX Sould be done "somewhere" more interesting,
+ * because we have lots of getph2byxxxx(), but this one
+@@ -643,8 +643,8 @@
+ struct ph2handle *p;
+
+ LIST_FOREACH(p, &ph2tree, chain) {
+- if (cmpsaddr(src, p->src) == 0 &&
+- cmpsaddr(dst, p->dst) == 0)
++ if (cmpsaddr(src, p->src) <= CMPSADDR_WILDPORT_MATCH &&
++ cmpsaddr(dst, p->dst) <= CMPSADDR_WILDPORT_MATCH)
+ return p;
+ }
+
+@@ -947,7 +947,7 @@
+ struct contacted *p;
+
+ LIST_FOREACH(p, &ctdtree, chain) {
+- if (cmpsaddr(remote, p->remote) == 0)
++ if (cmpsaddr(remote, p->remote) <= CMPSADDR_WILDPORT_MATCH)
+ return p;
+ }
+
+@@ -988,7 +988,7 @@
+ struct contacted *p;
+
+ LIST_FOREACH(p, &ctdtree, chain) {
+- if (cmpsaddr(remote, p->remote) == 0) {
++ if (cmpsaddr(remote, p->remote) <= CMPSADDR_WILDPORT_MATCH) {
+ LIST_REMOVE(p, chain);
+ racoon_free(p->remote);
+ racoon_free(p);
+@@ -1042,7 +1042,7 @@
+ /*
+ * the packet was processed before, but the remote address mismatches.
+ */
+- if (cmpsaddr(remote, r->remote) != 0)
++ if (cmpsaddr(remote, r->remote) != CMPSADDR_MATCH)
+ return 2;
+
+ /*
+Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp.c 2011-03-03 17:54:33.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/isakmp.c 2011-03-03 18:50:22.000000000 +0200
+@@ -468,8 +468,8 @@
+ /* Floating ports for NAT-T */
+ if (NATT_AVAILABLE(iph1) &&
+ ! (iph1->natt_flags & NAT_PORTS_CHANGED) &&
+- ((cmpsaddr(iph1->remote, remote) != 0) ||
+- (cmpsaddr(iph1->local, local) != 0)))
++ ((cmpsaddr(iph1->remote, remote) != CMPSADDR_MATCH) ||
++ (cmpsaddr(iph1->local, local) != CMPSADDR_MATCH)))
+ {
+ /* prevent memory leak */
+ racoon_free(iph1->remote);
+@@ -510,7 +510,7 @@
+ #endif
+
+ /* must be same addresses in one stream of a phase at least. */
+- if (cmpsaddr(iph1->remote, remote) != 0) {
++ if (cmpsaddr(iph1->remote, remote) != CMPSADDR_MATCH) {
+ char *saddr_db, *saddr_act;
+
+ saddr_db = racoon_strdup(saddr2str(iph1->remote));
+@@ -636,7 +636,7 @@
+ "exchange received.\n");
+ return -1;
+ }
+- if (cmpsaddr(iph1->remote, remote) != 0) {
++ if (cmpsaddr(iph1->remote, remote) != CMPSADDR_MATCH) {
+ plog(LLV_WARNING, LOCATION, remote,
+ "remote address mismatched. "
+ "db=%s\n",
+@@ -3322,10 +3322,10 @@
+ * Select only SAs where src == local and dst == remote (outgoing)
+ * or src == remote and dst == local (incoming).
+ */
+- if ((cmpsaddr(iph1->local, src) ||
+- cmpsaddr(iph1->remote, dst)) &&
+- (cmpsaddr(iph1->local, dst) ||
+- cmpsaddr(iph1->remote, src))) {
++ if ((cmpsaddr(iph1->local, src) != CMPSADDR_MATCH ||
++ cmpsaddr(iph1->remote, dst) != CMPSADDR_MATCH) &&
++ (cmpsaddr(iph1->local, dst) != CMPSADDR_MATCH ||
++ cmpsaddr(iph1->remote, src) != CMPSADDR_MATCH)) {
+ msg = next;
+ continue;
+ }
+Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp_inf.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp_inf.c 2011-03-03 17:54:34.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/isakmp_inf.c 2011-03-03 18:51:05.000000000 +0200
+@@ -1177,7 +1177,7 @@
+
+ /* don't delete inbound SAs at the moment */
+ /* XXX should we remove SAs with opposite direction as well? */
+- if (cmpsaddr(dst0, dst)) {
++ if (cmpsaddr(dst0, dst) != CMPSADDR_MATCH) {
+ msg = next;
+ continue;
+ }
+@@ -1355,10 +1355,10 @@
+ * ports. Correct thing to do is delete all entries with
+ * same identity. -TT
+ */
+- if ((cmpsaddr(iph1->local, src) != 0 ||
+- cmpsaddr(iph1->remote, dst) != 0) &&
+- (cmpsaddr(iph1->local, dst) != 0 ||
+- cmpsaddr(iph1->remote, src) != 0))
++ if ((cmpsaddr(iph1->local, src) != CMPSADDR_MATCH ||
++ cmpsaddr(iph1->remote, dst) != CMPSADDR_MATCH) &&
++ (cmpsaddr(iph1->local, dst) != CMPSADDR_MATCH ||
++ cmpsaddr(iph1->remote, src) != CMPSADDR_MATCH))
+ continue;
+
+ /*
+Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp_quick.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp_quick.c 2011-03-03 17:54:34.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/isakmp_quick.c 2011-03-03 18:51:48.000000000 +0200
+@@ -629,7 +629,7 @@
+ #endif
+
+ if (cmpsaddr((struct sockaddr *) &proposed_addr,
+- (struct sockaddr *) &got_addr) == 0) {
++ (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "IDci matches proposal.\n");
+ #ifdef ENABLE_NATT
+@@ -677,13 +677,13 @@
+ #endif
+
+ if (cmpsaddr((struct sockaddr *) &proposed_addr,
+- (struct sockaddr *) &got_addr) == 0) {
++ (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "IDcr matches proposal.\n");
+ #ifdef ENABLE_NATT
+ } else if (iph2->natoa_dst != NULL
+ && cmpsaddr(iph2->natoa_dst,
+- (struct sockaddr *) &got_addr) == 0) {
++ (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "IDcr matches NAT-OAr.\n");
+ #endif
+Index: ipsec-tools-cvs-HEAD/src/racoon/nattraversal.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/nattraversal.c 2011-03-03 17:54:34.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/nattraversal.c 2011-03-03 18:52:20.000000000 +0200
+@@ -398,8 +398,8 @@
+ struct natt_ka_addrs *ka = NULL, *new_addr;
+
+ TAILQ_FOREACH (ka, &ka_tree, chain) {
+- if (cmpsaddr(ka->src, src) == 0 &&
+- cmpsaddr(ka->dst, dst) == 0) {
++ if (cmpsaddr(ka->src, src) == CMPSADDR_MATCH &&
++ cmpsaddr(ka->dst, dst) == CMPSADDR_MATCH) {
+ ka->in_use++;
+ plog (LLV_INFO, LOCATION, NULL, "KA found: %s (in_use=%u)\n",
+ saddr2str_fromto("%s->%s", src, dst), ka->in_use);
+@@ -462,8 +462,8 @@
+ plog (LLV_DEBUG, LOCATION, NULL, "KA tree dump: %s (in_use=%u)\n",
+ saddr2str_fromto("%s->%s", src, dst), ka->in_use);
+
+- if (cmpsaddr(ka->src, src) == 0 &&
+- cmpsaddr(ka->dst, dst) == 0 &&
++ if (cmpsaddr(ka->src, src) == CMPSADDR_MATCH &&
++ cmpsaddr(ka->dst, dst) == CMPSADDR_MATCH &&
+ -- ka->in_use <= 0) {
+
+ plog (LLV_DEBUG, LOCATION, NULL, "KA removing this one...\n");
+Index: ipsec-tools-cvs-HEAD/src/racoon/pfkey.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/pfkey.c 2011-03-03 17:54:34.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/pfkey.c 2011-03-03 18:52:50.000000000 +0200
+@@ -2882,8 +2882,8 @@
+ u_int16_t port;
+
+ /* Already up-to-date? */
+- if (cmpsaddr(iph1->local, ma->local) == 0 &&
+- cmpsaddr(iph1->remote, ma->remote) == 0)
++ if (cmpsaddr(iph1->local, ma->local) == CMPSADDR_MATCH &&
++ cmpsaddr(iph1->remote, ma->remote) == CMPSADDR_MATCH)
+ return 0;
+
+ if (iph1->status < PHASE1ST_ESTABLISHED) {
+@@ -2983,8 +2983,8 @@
+ migrate_ph1_ike_addresses(iph2->ph1, arg);
+
+ /* Already up-to-date? */
+- if (cmpsaddr(iph2->src, ma->local) == 0 &&
+- cmpsaddr(iph2->dst, ma->remote) == 0)
++ if (cmpsaddr(iph2->src, ma->local) == CMPSADDR_MATCH &&
++ cmpsaddr(iph2->dst, ma->remote) == CMPSADDR_MATCH)
+ return 0;
+
+ /* save src/dst as sa_src/sa_dst before rewriting */
+@@ -3207,8 +3207,8 @@
+ "changing address families (%d to %d) for endpoints.\n",
+ osaddr->sa_family, nsaddr->sa_family);
+
+- if (cmpsaddr(osaddr, (struct sockaddr *) &saidx->src) ||
+- cmpsaddr(odaddr, (struct sockaddr *) &saidx->dst)) {
++ if (cmpsaddr(osaddr, (struct sockaddr *) &saidx->src) != CMPSADDR_MATCH ||
++ cmpsaddr(odaddr, (struct sockaddr *) &saidx->dst) != CMPSADDR_MATCH) {
+ plog(LLV_DEBUG, LOCATION, NULL, "SADB_X_MIGRATE: "
+ "mismatch of addresses in saidx and xisr.\n");
+ return -1;
+Index: ipsec-tools-cvs-HEAD/src/racoon/policy.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/policy.c 2011-03-03 17:54:34.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/policy.c 2011-03-03 19:09:42.000000000 +0200
+@@ -142,7 +142,7 @@
+ plog(LLV_DEBUG, LOCATION, NULL, "src2: %s\n",
+ saddr2str((struct sockaddr *)&spidx->src));
+
+- if (cmpsaddr(iph2->src, (struct sockaddr *) &spidx->src) ||
++ if (cmpsaddr(iph2->src, (struct sockaddr *) &spidx->src) != CMPSADDR_MATCH ||
+ spidx->prefs != prefixlen)
+ return NULL;
+
+@@ -151,7 +151,7 @@
+ plog(LLV_DEBUG, LOCATION, NULL, "dst2: %s\n",
+ saddr2str((struct sockaddr *)&spidx->dst));
+
+- if (cmpsaddr(iph2->dst, (struct sockaddr *) &spidx->dst) ||
++ if (cmpsaddr(iph2->dst, (struct sockaddr *) &spidx->dst) != CMPSADDR_MATCH ||
+ spidx->prefd != prefixlen)
+ return NULL;
+
+@@ -201,10 +201,10 @@
+ return 1;
+
+ if (cmpsaddr((struct sockaddr *) &a->src,
+- (struct sockaddr *) &b->src))
++ (struct sockaddr *) &b->src) != CMPSADDR_MATCH)
+ return 1;
+ if (cmpsaddr((struct sockaddr *) &a->dst,
+- (struct sockaddr *) &b->dst))
++ (struct sockaddr *) &b->dst) != CMPSADDR_MATCH)
+ return 1;
+
+ #ifdef HAVE_SECCTX
+@@ -261,7 +261,7 @@
+ a, b->prefs, saddr2str((struct sockaddr *)&sa1));
+ plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
+ b, b->prefs, saddr2str((struct sockaddr *)&sa2));
+- if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
++ if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2) > CMPSADDR_WILDPORT_MATCH)
+ return 1;
+
+ #ifndef __linux__
+@@ -279,7 +279,7 @@
+ a, b->prefd, saddr2str((struct sockaddr *)&sa1));
+ plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
+ b, b->prefd, saddr2str((struct sockaddr *)&sa2));
+- if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
++ if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2) > CMPSADDR_WILDPORT_MATCH)
+ return 1;
+
+ #ifdef HAVE_SECCTX
+Index: ipsec-tools-cvs-HEAD/src/racoon/sockmisc.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/sockmisc.c 2011-03-03 17:54:35.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/sockmisc.c 2011-03-03 18:55:01.000000000 +0200
+@@ -132,11 +132,13 @@
+ return CMPSADDR_MISMATCH;
+ }
+
+- if (port1 == port2 ||
+- port1 == IPSEC_PORT_ANY ||
+- port2 == IPSEC_PORT_ANY)
++ if (port1 == port2)
+ return CMPSADDR_MATCH;
+
++ if (port1 == IPSEC_PORT_ANY ||
++ port2 == IPSEC_PORT_ANY)
++ return CMPSADDR_WILDPORT_MATCH;
++
+ return CMPSADDR_WOP_MATCH;
+ }
+
+@@ -934,7 +936,7 @@
+ free(a2);
+ free(a3);
+ }
+- if (cmpsaddr(&sa, &naddr->sa.sa) == 0)
++ if (cmpsaddr(&sa, &naddr->sa.sa) <= CMPSADDR_WOP_MATCH)
+ return naddr->prefix + port_score;
+
+ return -1;
+Index: ipsec-tools-cvs-HEAD/src/racoon/sockmisc.h
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/sockmisc.h 2011-03-03 17:54:35.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/sockmisc.h 2011-03-03 18:40:30.000000000 +0200
+@@ -57,8 +57,9 @@
+ extern const int niflags;
+
+ #define CMPSADDR_MATCH 0
+-#define CMPSADDR_WOP_MATCH 1
+-#define CMPSADDR_MISMATCH 2
++#define CMPSADDR_WILDPORT_MATCH 1
++#define CMPSADDR_WOP_MATCH 2
++#define CMPSADDR_MISMATCH 3
+
+ extern int cmpsaddr __P((const struct sockaddr *, const struct sockaddr *));
+
+Index: ipsec-tools-cvs-HEAD/src/racoon/throttle.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/throttle.c 2011-03-03 17:54:35.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/throttle.c 2011-03-03 18:55:31.000000000 +0200
+@@ -104,7 +104,7 @@
+ goto restart;
+ }
+
+- if (cmpsaddr(addr, (struct sockaddr *) &te->host) == 0) {
++ if (cmpsaddr(addr, (struct sockaddr *) &te->host) <= CMPSADDR_WOP_MATCH) {
+ found = 1;
+ break;
+ }
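Review bot: The `<= CMPSADDR_WILDPORT_MATCH` / `> CMPSADDR_WILDPORT_MATCH` / `<= CMPSADDR_WOP_MATCH` tests added across grabmyaddr.c, handler.c, policy.c, sockmisc.c and throttle.c all depend on the new constants in sockmisc.h being ordered by strictness, but the header says nothing about that; I would put above the defines `/* Ordered by strictness (exact < wildcard port < address only < mismatch): callers use <= to accept weaker matches, so keep this order when adding values. */`. Because a wildcard-port match no longer returns 0, any `cmpsaddr()` caller this patch does not touch that still tests `== 0`, `!= 0` or uses the result as a boolean is silently tightened to exact-port matching, so a `grep -n 'cmpsaddr(' src/racoon/*.c` over the patched tree (and over the other patches in this series) is worth doing before shipping. The throttle.c change to `<= CMPSADDR_WOP_MATCH` is a behaviour change the description does not mention: if, as it appears, throttle entries are keyed on the peer address, matching now ignores the source port, which stops a peer evading the throttle by changing ports but presumably also makes peers behind one NAT share an entry; a one-line comment stating that intent at the changed line (`/* match on address only: port changes must not evade throttling */`) would save the next reader from reverting it. The bodies of cmpsaddr() and of the throttle lookup start outside the hunk.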