author | Timo Teräs <timo.teras@iki.fi> | 2011-03-30 17:18:21 +0300 |
---|---|---|
committer | Timo Teräs <timo.teras@iki.fi> | 2011-03-30 17:19:16 +0300 |
commit | 2e54a215bd29a6543cf5e0c4297edec9ab1ea4a4 (patch) | |
tree | a498c9c9ae2804f5f9335d133a229594b3665082 /main/ipsec-tools/20-grekey-support.patch | |
parent | 8764f0dad8482831bbcbf3b033468e31701591a1 (diff) | |
download | aports-2e54a215bd29a6543cf5e0c4297edec9ab1ea4a4.tar.bz2 aports-2e54a215bd29a6543cf5e0c4297edec9ab1ea4a4.tar.xz |
main/ipsec-tools: one more fix for grekey support
sainfo matching needs to allow wildcard matching.
Diffstat (limited to 'main/ipsec-tools/20-grekey-support.patch')
-rw-r--r-- | main/ipsec-tools/20-grekey-support.patch | 106 |
1 files changed, 83 insertions, 23 deletions
diff --git a/main/ipsec-tools/20-grekey-support.patch b/main/ipsec-tools/20-grekey-support.patch
index b8b5c35b11..17fea3e991 100644
--- a/main/ipsec-tools/20-grekey-support.patch
+++ b/main/ipsec-tools/20-grekey-support.patch
@@ -84,7 +84,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/racoonctl.c
 Index: ipsec-tools-cvs-HEAD/src/racoon/admin.c
 ===================================================================
 --- ipsec-tools-cvs-HEAD.orig/src/racoon/admin.c 2011-03-05 09:23:59.000000000 +0200
-+++ ipsec-tools-cvs-HEAD/src/racoon/admin.c 2011-03-30 08:31:00.000000000 +0300
++++ ipsec-tools-cvs-HEAD/src/racoon/admin.c 2011-03-30 09:41:46.000000000 +0300
 @@ -444,7 +444,7 @@
 /* search appropreate configuration */
@@ -190,8 +190,35 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.h
 Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
 ===================================================================
 --- ipsec-tools-cvs-HEAD.orig/src/racoon/ipsec_doi.c 2011-03-05 09:23:59.000000000 +0200
-+++ ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c 2011-03-30 09:22:56.000000000 +0300
-@@ -3371,6 +3371,7 @@
++++ ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c 2011-03-30 16:59:49.000000000 +0300
+@@ -3308,6 +3308,7 @@
+ const vchar_t *subnet;
+ const vchar_t *address;
+ {
++ struct in_addr *a, *b;
+ struct in_addr *mask;
+ 
+ if (address->l != sizeof(struct in_addr))
+@@ -3316,12 +3317,15 @@
+ if (subnet->l != (sizeof(struct in_addr)*2))
+ return 1;
+ 
++ a = (struct in_addr*)(subnet->v);
++ b = (struct in_addr*)(address->v);
+ mask = (struct in_addr*)(subnet->v + sizeof(struct in_addr));
+ 
+- if (mask->s_addr!=0xffffffff)
+- return 1;
++ //if (mask->s_addr!=0xffffffff)
++ // return 1;
++ //return memcmp(subnet->v,address->v,address->l);
+ 
+- return memcmp(subnet->v,address->v,address->l);
++ return (a->s_addr & mask->s_addr) != (b->s_addr & mask->s_addr);
+ }
+ 
+ #ifdef INET6
+@@ -3371,6 +3375,7 @@
 vchar_t ident_t;
 vchar_t ident_s;
 int result;
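Review bot: The rewritten body of `ipsecdoi_subnetisaddr_v4` keeps the superseded check as three `//` commented-out lines (`//if (mask->s_addr!=0xffffffff)` through `//return memcmp(...)`); they should be deleted rather than carried in the patch, and the surrounding file uses `/* */` comments anyway. What belongs there instead is a comment stating the new contract, since this hunk changes the rule from "a subnet ID matches an address ID only when the mask is all-ones" to "when the address lies inside subnet/mask", e.g. `/* 0 when address is inside subnet/mask; an all-zero mask matches any address (wildcard) */`. The IPv6 counterpart `ipsecdoi_subnetisaddr_v6` is called from the next hunk but is not changed here; if it still requires an all-ones mask, IPv4 and IPv6 sainfo matching will diverge, which is worth confirming. The existing `address->l` and `subnet->l` length checks precede the new casts of `subnet->v` and `address->v`, so `a` and `b` stay within the buffers.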
@@ -199,7 +226,37 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
 /* handle wildcard IDs */
-@@ -3460,6 +3461,7 @@
+@@ -3410,12 +3415,14 @@
+ 
+ if ((id_bs->type == IPSECDOI_ID_IPV4_ADDR)&&
+ (id_bt->type == IPSECDOI_ID_IPV4_ADDR_SUBNET)) {
++ check_ports = 1;
+ result = ipsecdoi_subnetisaddr_v4(&ident_t,&ident_s);
+ goto cmpid_result;
+ }
+ 
+ if ((id_bs->type == IPSECDOI_ID_IPV4_ADDR_SUBNET)&&
+ (id_bt->type == IPSECDOI_ID_IPV4_ADDR)) {
++ check_ports = 1;
+ result = ipsecdoi_subnetisaddr_v4(&ident_s,&ident_t);
+ goto cmpid_result;
+ }
+@@ -3423,12 +3430,14 @@
+ #ifdef INET6
+ if ((id_bs->type == IPSECDOI_ID_IPV6_ADDR)&&
+ (id_bt->type == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
++ check_ports = 1;
+ result = ipsecdoi_subnetisaddr_v6(&ident_t,&ident_s);
+ goto cmpid_result;
+ }
+ 
+ if ((id_bs->type == IPSECDOI_ID_IPV6_ADDR_SUBNET)&&
+ (id_bt->type == IPSECDOI_ID_IPV6_ADDR)) {
++ check_ports = 1;
+ result = ipsecdoi_subnetisaddr_v6(&ident_s,&ident_t);
+ goto cmpid_result;
+ }
+@@ -3460,6 +3469,7 @@
 case IPSECDOI_ID_IPV4_ADDR:
 /* validate lengths */
@@ -207,7 +264,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
 if ((ident_t.l != sizeof(struct in_addr))||
 (ident_s.l != sizeof(struct in_addr)))
 goto cmpid_invalid;
-@@ -3468,6 +3470,7 @@
+@@ -3468,6 +3478,7 @@
 case IPSECDOI_ID_IPV4_ADDR_SUBNET:
 case IPSECDOI_ID_IPV4_ADDR_RANGE:
 /* validate lengths */
@@ -215,7 +272,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
 if ((ident_t.l != (sizeof(struct in_addr)*2))||
 (ident_s.l != (sizeof(struct in_addr)*2)))
 goto cmpid_invalid;
-@@ -3476,6 +3479,7 @@
+@@ -3476,6 +3487,7 @@
 #ifdef INET6
 case IPSECDOI_ID_IPV6_ADDR:
 /* validate lengths */
@@ -223,7 +280,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
 if ((ident_t.l != sizeof(struct in6_addr))||
 (ident_s.l != sizeof(struct in6_addr)))
 goto cmpid_invalid;
-@@ -3484,6 +3488,7 @@
+@@ -3484,6 +3496,7 @@
 case IPSECDOI_ID_IPV6_ADDR_SUBNET:
 case IPSECDOI_ID_IPV6_ADDR_RANGE:
 /* validate lengths */
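Review bot: `check_ports = 1;` is added verbatim in all four address/subnet cross-type branches right before `goto cmpid_result`, and nothing in the hunk says what the flag means; its declaration sits in the `@@ -3371` inner hunk, outside the shown context. A one-line comment at the first assignment would carry the intent, e.g. `/* bodies matched by subnet membership, so ports are compared at cmpid_result */`. Whether the same-type cases (the one-line additions in the `@@ -3460` and following inner hunks, not shown here) also set the flag cannot be seen from this diff. The enclosing function starts and ends outside the hunk.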
@@ -231,26 +288,29 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
 if ((ident_t.l != (sizeof(struct in6_addr)*2))||
 (ident_s.l != (sizeof(struct in6_addr)*2)))
 goto cmpid_invalid;
-@@ -3502,10 +3507,15 @@
+@@ -3502,12 +3515,18 @@
 }
 /* validate matching data and length */
 - if (ident_t.l == ident_s.l)
 - result = memcmp(ident_t.v,ident_s.v,ident_t.l);
 - else
-+ if (check_ports &&
-+ (id_bt->port != id_bs->port && id_bs->port != 0))
-+ /* if target is wildcard, source should be too, otherwise
-+ * specific rule matches wildcard request */
-+ result = 1;
-+ else if (ident_t.l != ident_s.l)
++ if (ident_t.l != ident_s.l)
 result = 1;
 + else
 + result = memcmp(ident_t.v,ident_s.v,ident_t.l);
 cmpid_result:
++ if (check_ports &&
++ (id_bt->port != id_bs->port && id_bs->port != 0)) {
++ /* if target is wildcard, source should be too, otherwise
++ * specific rule matches wildcard request */
++ result = 1;
++ }
-@@ -4089,6 +4099,67 @@
+ /* debug level output */
+ if(loglevel >= LLV_DEBUG) {
+@@ -4089,6 +4108,67 @@
 return new;
 }
@@ -318,7 +378,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
 vchar_t *
 ipsecdoi_sockrange2id(laddr, haddr, ul_proto)
 struct sockaddr *laddr, *haddr;
-@@ -4318,7 +4389,7 @@
+@@ -4318,7 +4398,7 @@
 saddr.sa.sa_len = sizeof(struct sockaddr_in);
 #endif
 saddr.sa.sa_family = AF_INET;
@@ -327,7 +387,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
 memcpy(&saddr.sin.sin_addr, id->v + sizeof(*id_b),
 sizeof(struct in_addr));
 break;
-@@ -4331,7 +4402,7 @@
+@@ -4331,7 +4411,7 @@
 saddr.sa.sa_len = sizeof(struct sockaddr_in6);
 #endif
 saddr.sa.sa_family = AF_INET6;
@@ -336,7 +396,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
 memcpy(&saddr.sin6.sin6_addr, id->v + sizeof(*id_b),
 sizeof(struct in6_addr));
 saddr.sin6.sin6_scope_id =
-@@ -4347,7 +4418,7 @@
+@@ -4347,7 +4427,7 @@
 #ifdef INET6
 case IPSECDOI_ID_IPV6_ADDR:
 #endif
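Review bot: The comment carried over onto the port check now placed after `cmpid_result:` describes only one direction of the rule; the condition `id_bt->port != id_bs->port && id_bs->port != 0` means a zero `id_bs` port accepts any `id_bt` port, a non-zero `id_bs` port must equal the `id_bt` port, and in particular a zero `id_bt` port is rejected against a non-zero `id_bs` port. Replacing the two comment lines with `/* port 0 in id_bs is a wildcard; otherwise ports must be equal, so a specific id_bs never matches a wildcard id_bt */` would state that precisely. Moving the check behind the label is what makes it apply to the subnet/address `goto` paths, but it still depends on `check_ports` having been set, and which paths set it outside this hunk cannot be seen here. The ID body's protocol field (`proto_id` in `struct ipsecdoi_id_b`, presumably) is not compared in this block; if the caller does not compare it either, a sainfo for one upper-layer protocol could match a request for another, which is worth confirming. The enclosing function starts and ends outside the hunk.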
@@ -345,7 +405,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
 break;
 case IPSECDOI_ID_IPV4_ADDR_SUBNET:
-@@ -4403,7 +4474,9 @@
+@@ -4403,7 +4483,9 @@
 plen += l;
 }
@@ -356,7 +416,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
 }
 break;
-@@ -4415,12 +4488,12 @@
+@@ -4415,12 +4497,12 @@
 saddr.sa.sa_len = sizeof(struct sockaddr_in);
 #endif
 saddr.sa.sa_family = AF_INET;
@@ -371,7 +431,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
 break;
 #ifdef INET6
-@@ -4431,7 +4504,7 @@
+@@ -4431,7 +4513,7 @@
 saddr.sa.sa_len = sizeof(struct sockaddr_in6);
 #endif
 saddr.sa.sa_family = AF_INET6;
@@ -380,7 +440,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
 memcpy(&saddr.sin6.sin6_addr, id->v + sizeof(*id_b) + sizeof(struct in6_addr), sizeof(struct in6_addr));
-@@ -4440,7 +4513,7 @@
+@@ -4440,7 +4522,7 @@
 ? ((struct sockaddr_in6 *)id_b)->sin6_scope_id : 0);
@@ -432,7 +492,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/sainfo.c
 Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp.c
 ===================================================================
 --- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp.c 2011-03-14 19:18:12.000000000 +0200
-+++ ipsec-tools-cvs-HEAD/src/racoon/isakmp.c 2011-03-30 08:20:18.000000000 +0300
++++ ipsec-tools-cvs-HEAD/src/racoon/isakmp.c 2011-03-30 09:41:46.000000000 +0300
 @@ -2173,7 +2173,15 @@
 * so no need to bother yet. --arno
 */ |