authorTimo Teräs <timo.teras@iki.fi>2011-03-30 17:18:21 +0300
committerTimo Teräs <timo.teras@iki.fi>2011-03-30 17:19:16 +0300
commit2e54a215bd29a6543cf5e0c4297edec9ab1ea4a4 (patch)
treea498c9c9ae2804f5f9335d133a229594b3665082 /main/ipsec-tools/20-grekey-support.patch
parent8764f0dad8482831bbcbf3b033468e31701591a1 (diff)
main/ipsec-tools: one more fix for grekey support
sainfo matching needs to allow wildcard matching.
Diffstat (limited to 'main/ipsec-tools/20-grekey-support.patch')
-rw-r--r--main/ipsec-tools/20-grekey-support.patch106
1 files changed, 83 insertions, 23 deletions
diff --git a/main/ipsec-tools/20-grekey-support.patch b/main/ipsec-tools/20-grekey-support.patch
index b8b5c35b11..17fea3e991 100644
--- a/main/ipsec-tools/20-grekey-support.patch
+++ b/main/ipsec-tools/20-grekey-support.patch
@@ -84,7 +84,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/racoonctl.c
Index: ipsec-tools-cvs-HEAD/src/racoon/admin.c
===================================================================
--- ipsec-tools-cvs-HEAD.orig/src/racoon/admin.c 2011-03-05 09:23:59.000000000 +0200
-+++ ipsec-tools-cvs-HEAD/src/racoon/admin.c 2011-03-30 08:31:00.000000000 +0300
++++ ipsec-tools-cvs-HEAD/src/racoon/admin.c 2011-03-30 09:41:46.000000000 +0300
@@ -444,7 +444,7 @@
/* search appropreate configuration */
@@ -190,8 +190,35 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.h
Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
===================================================================
--- ipsec-tools-cvs-HEAD.orig/src/racoon/ipsec_doi.c 2011-03-05 09:23:59.000000000 +0200
-+++ ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c 2011-03-30 09:22:56.000000000 +0300
-@@ -3371,6 +3371,7 @@
++++ ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c 2011-03-30 16:59:49.000000000 +0300
+@@ -3308,6 +3308,7 @@
+ const vchar_t *subnet;
+ const vchar_t *address;
+ {
++ struct in_addr *a, *b;
+ struct in_addr *mask;
+
+ if (address->l != sizeof(struct in_addr))
+@@ -3316,12 +3317,15 @@
+ if (subnet->l != (sizeof(struct in_addr)*2))
+ return 1;
+
++ a = (struct in_addr*)(subnet->v);
++ b = (struct in_addr*)(address->v);
+ mask = (struct in_addr*)(subnet->v + sizeof(struct in_addr));
+
+- if (mask->s_addr!=0xffffffff)
+- return 1;
++ //if (mask->s_addr!=0xffffffff)
++ // return 1;
++ //return memcmp(subnet->v,address->v,address->l);
+
+- return memcmp(subnet->v,address->v,address->l);
++ return (a->s_addr & mask->s_addr) != (b->s_addr & mask->s_addr);
+ }
+
+ #ifdef INET6
+@@ -3371,6 +3375,7 @@
vchar_t ident_t;
vchar_t ident_s;
int result;
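Review bot: The new return statement honours whatever mask the subnet ID carries, so a mask of 0.0.0.0 now makes the subnet match every IPv4 address, whereas the removed lines only accepted an all-ones mask followed by an exact compare. The function (its name line is outside the hunk; judging by the call sites later in the patch it is presumably `ipsecdoi_subnetisaddr_v4`) is called with the subnet taken from either side of the comparison, so a comment should state the contract, for example `/* returns 0 when address falls inside subnet/mask; any mask, including 0, is accepted */`, and it is worth confirming that a subnet ID received from a peer cannot widen the match against a configured host entry. The three `//` lines that keep the old logic should be deleted instead of commented out. `a` and `b` also read the payload through `struct in_addr *` casts where the old code used `memcmp`; copying the fields into locals with `memcpy` would avoid depending on the buffer's alignment.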
@@ -199,7 +226,37 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
/* handle wildcard IDs */
-@@ -3460,6 +3461,7 @@
+@@ -3410,12 +3415,14 @@
+
+ if ((id_bs->type == IPSECDOI_ID_IPV4_ADDR)&&
+ (id_bt->type == IPSECDOI_ID_IPV4_ADDR_SUBNET)) {
++ check_ports = 1;
+ result = ipsecdoi_subnetisaddr_v4(&ident_t,&ident_s);
+ goto cmpid_result;
+ }
+
+ if ((id_bs->type == IPSECDOI_ID_IPV4_ADDR_SUBNET)&&
+ (id_bt->type == IPSECDOI_ID_IPV4_ADDR)) {
++ check_ports = 1;
+ result = ipsecdoi_subnetisaddr_v4(&ident_s,&ident_t);
+ goto cmpid_result;
+ }
+@@ -3423,12 +3430,14 @@
+ #ifdef INET6
+ if ((id_bs->type == IPSECDOI_ID_IPV6_ADDR)&&
+ (id_bt->type == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
++ check_ports = 1;
+ result = ipsecdoi_subnetisaddr_v6(&ident_t,&ident_s);
+ goto cmpid_result;
+ }
+
+ if ((id_bs->type == IPSECDOI_ID_IPV6_ADDR_SUBNET)&&
+ (id_bt->type == IPSECDOI_ID_IPV6_ADDR)) {
++ check_ports = 1;
+ result = ipsecdoi_subnetisaddr_v6(&ident_s,&ident_t);
+ goto cmpid_result;
+ }
+@@ -3460,6 +3469,7 @@
case IPSECDOI_ID_IPV4_ADDR:
/* validate lengths */
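Review bot: The two IPv6 branches get the same `check_ports = 1` as the IPv4 ones, but no visible hunk changes `ipsecdoi_subnetisaddr_v6`, so if that helper still insists on a full-length prefix, IPv4 and IPv6 sainfo matching now behave differently. Either give the v6 helper the same masked comparison as the v4 one, or, if the difference is intended, say so in a comment above the first `#ifdef INET6` branch so an operator does not assume a v6 subnet sainfo matches contained hosts.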
@@ -207,7 +264,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
if ((ident_t.l != sizeof(struct in_addr))||
(ident_s.l != sizeof(struct in_addr)))
goto cmpid_invalid;
-@@ -3468,6 +3470,7 @@
+@@ -3468,6 +3478,7 @@
case IPSECDOI_ID_IPV4_ADDR_SUBNET:
case IPSECDOI_ID_IPV4_ADDR_RANGE:
/* validate lengths */
@@ -215,7 +272,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
if ((ident_t.l != (sizeof(struct in_addr)*2))||
(ident_s.l != (sizeof(struct in_addr)*2)))
goto cmpid_invalid;
-@@ -3476,6 +3479,7 @@
+@@ -3476,6 +3487,7 @@
#ifdef INET6
case IPSECDOI_ID_IPV6_ADDR:
/* validate lengths */
@@ -223,7 +280,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
if ((ident_t.l != sizeof(struct in6_addr))||
(ident_s.l != sizeof(struct in6_addr)))
goto cmpid_invalid;
-@@ -3484,6 +3488,7 @@
+@@ -3484,6 +3496,7 @@
case IPSECDOI_ID_IPV6_ADDR_SUBNET:
case IPSECDOI_ID_IPV6_ADDR_RANGE:
/* validate lengths */
@@ -231,26 +288,29 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
if ((ident_t.l != (sizeof(struct in6_addr)*2))||
(ident_s.l != (sizeof(struct in6_addr)*2)))
goto cmpid_invalid;
-@@ -3502,10 +3507,15 @@
+@@ -3502,12 +3515,18 @@
}
/* validate matching data and length */
- if (ident_t.l == ident_s.l)
- result = memcmp(ident_t.v,ident_s.v,ident_t.l);
- else
-+ if (check_ports &&
-+ (id_bt->port != id_bs->port && id_bs->port != 0))
-+ /* if target is wildcard, source should be too, otherwise
-+ * specific rule matches wildcard request */
-+ result = 1;
-+ else if (ident_t.l != ident_s.l)
++ if (ident_t.l != ident_s.l)
result = 1;
+ else
+ result = memcmp(ident_t.v,ident_s.v,ident_t.l);
cmpid_result:
++ if (check_ports &&
++ (id_bt->port != id_bs->port && id_bs->port != 0)) {
++ /* if target is wildcard, source should be too, otherwise
++ * specific rule matches wildcard request */
++ result = 1;
++ }
-@@ -4089,6 +4099,67 @@
+ /* debug level output */
+ if(loglevel >= LLV_DEBUG) {
+@@ -4089,6 +4108,67 @@
return new;
}
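Review bot: The comment inside the relocated port check is hard to map onto the condition, which reports a mismatch only when the ports differ and the source port is non-zero. Wording such as `/* source port 0 is a wildcard and matches any target port; a wildcard target matches only a wildcard source */` describes what the code does. Because the check now sits below `cmpid_result:`, it runs for every path that jumps to the label, so any branch that must not compare ports relies on `check_ports` still being 0 there. Its declaration is outside the visible hunks, so confirm it reads `int check_ports = 0;`.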
@@ -318,7 +378,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
vchar_t *
ipsecdoi_sockrange2id(laddr, haddr, ul_proto)
struct sockaddr *laddr, *haddr;
-@@ -4318,7 +4389,7 @@
+@@ -4318,7 +4398,7 @@
saddr.sa.sa_len = sizeof(struct sockaddr_in);
#endif
saddr.sa.sa_family = AF_INET;
@@ -327,7 +387,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
memcpy(&saddr.sin.sin_addr,
id->v + sizeof(*id_b), sizeof(struct in_addr));
break;
-@@ -4331,7 +4402,7 @@
+@@ -4331,7 +4411,7 @@
saddr.sa.sa_len = sizeof(struct sockaddr_in6);
#endif
saddr.sa.sa_family = AF_INET6;
@@ -336,7 +396,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
memcpy(&saddr.sin6.sin6_addr,
id->v + sizeof(*id_b), sizeof(struct in6_addr));
saddr.sin6.sin6_scope_id =
-@@ -4347,7 +4418,7 @@
+@@ -4347,7 +4427,7 @@
#ifdef INET6
case IPSECDOI_ID_IPV6_ADDR:
#endif
@@ -345,7 +405,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
break;
case IPSECDOI_ID_IPV4_ADDR_SUBNET:
-@@ -4403,7 +4474,9 @@
+@@ -4403,7 +4483,9 @@
plen += l;
}
@@ -356,7 +416,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
}
break;
-@@ -4415,12 +4488,12 @@
+@@ -4415,12 +4497,12 @@
saddr.sa.sa_len = sizeof(struct sockaddr_in);
#endif
saddr.sa.sa_family = AF_INET;
@@ -371,7 +431,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
break;
#ifdef INET6
-@@ -4431,7 +4504,7 @@
+@@ -4431,7 +4513,7 @@
saddr.sa.sa_len = sizeof(struct sockaddr_in6);
#endif
saddr.sa.sa_family = AF_INET6;
@@ -380,7 +440,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
memcpy(&saddr.sin6.sin6_addr,
id->v + sizeof(*id_b) + sizeof(struct in6_addr),
sizeof(struct in6_addr));
-@@ -4440,7 +4513,7 @@
+@@ -4440,7 +4522,7 @@
? ((struct sockaddr_in6 *)id_b)->sin6_scope_id
: 0);
@@ -432,7 +492,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/sainfo.c
Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp.c
===================================================================
--- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp.c 2011-03-14 19:18:12.000000000 +0200
-+++ ipsec-tools-cvs-HEAD/src/racoon/isakmp.c 2011-03-30 08:20:18.000000000 +0300
++++ ipsec-tools-cvs-HEAD/src/racoon/isakmp.c 2011-03-30 09:41:46.000000000 +0300
@@ -2173,7 +2173,15 @@
* so no need to bother yet. --arno */