Diffstat (limited to 'main/ipsec-tools/10-rekey-ph1hint.patch')
-rw-r--r--main/ipsec-tools/10-rekey-ph1hint.patch1227
1 files changed, 1227 insertions, 0 deletions
diff --git a/main/ipsec-tools/10-rekey-ph1hint.patch b/main/ipsec-tools/10-rekey-ph1hint.patch
new file mode 100644
index 0000000000..773d609012
--- /dev/null
+++ b/main/ipsec-tools/10-rekey-ph1hint.patch
@@ -0,0 +1,1227 @@
+? .msg
+? ChangeLog
+? alpine-config
+? commiters.txt
+? fd-unmonitor-segv-fix.patch
+? natt-and-cmpsaddr.patch
+? racoon.txt
+? rekeying-fixes.diff
+? rpm/Makefile
+? rpm/Makefile.in
+? rpm/ipsec-tools.spec
+? rpm/suse/Makefile
+? rpm/suse/Makefile.in
+? rpm/suse/ipsec-tools.spec
+? src/Makefile
+? src/Makefile.in
+? src/include-glibc/.includes
+? src/include-glibc/Makefile
+? src/include-glibc/Makefile.in
+? src/libipsec/.deps
+? src/libipsec/.libs
+? src/libipsec/Makefile
+? src/libipsec/Makefile.in
+? src/libipsec/ipsec_dump_policy.lo
+? src/libipsec/ipsec_get_policylen.lo
+? src/libipsec/ipsec_strerror.lo
+? src/libipsec/key_debug.lo
+? src/libipsec/libipsec.la
+? src/libipsec/pfkey.lo
+? src/libipsec/pfkey_dump.lo
+? src/libipsec/policy_parse.c
+? src/libipsec/policy_parse.h
+? src/libipsec/policy_parse.lo
+? src/libipsec/policy_token.c
+? src/libipsec/policy_token.lo
+? src/racoon/.deps
+? src/racoon/.libs
+? src/racoon/Makefile
+? src/racoon/Makefile.in
+? src/racoon/cfparse.c
+? src/racoon/cfparse.h
+? src/racoon/cftoken.c
+? src/racoon/eaytest
+? src/racoon/libracoon.la
+? src/racoon/libracoon_la-kmpstat.lo
+? src/racoon/libracoon_la-misc.lo
+? src/racoon/libracoon_la-sockmisc.lo
+? src/racoon/libracoon_la-vmbuf.lo
+? src/racoon/plainrsa-gen
+? src/racoon/prsa_par.c
+? src/racoon/prsa_par.h
+? src/racoon/prsa_tok.c
+? src/racoon/racoon
+? src/racoon/racoonctl
+? src/racoon/samples/psk.txt
+? src/racoon/samples/racoon.conf
+? src/setkey/.deps
+? src/setkey/.libs
+? src/setkey/Makefile
+? src/setkey/Makefile.in
+? src/setkey/parse.c
+? src/setkey/parse.h
+? src/setkey/setkey
+? src/setkey/token.c
+Index: src/racoon/admin.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/admin.c,v
+retrieving revision 1.31
+diff -u -r1.31 admin.c
+--- a/src/racoon/admin.c 3 Jul 2009 06:41:46 -0000 1.31
++++ b/src/racoon/admin.c 19 Aug 2009 14:35:06 -0000
+@@ -5,7 +5,7 @@
+ /*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+- *
++ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+@@ -17,7 +17,7 @@
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+- *
++ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+@@ -341,7 +341,7 @@
+ user[len] = 0;
+
+ found = purgeph1bylogin(user);
+- plog(LLV_INFO, LOCATION, NULL,
++ plog(LLV_INFO, LOCATION, NULL,
+ "deleted %d SA for user \"%s\"\n", found, user);
+
+ break;
+@@ -360,7 +360,7 @@
+ rem = racoon_strdup(saddrwop2str(dst));
+ STRDUP_FATAL(rem);
+
+- plog(LLV_INFO, LOCATION, NULL,
++ plog(LLV_INFO, LOCATION, NULL,
+ "Flushing all SAs for peer %s\n", rem);
+
+ while ((iph1 = getph1bydstaddr(dst)) != NULL) {
+@@ -373,7 +373,7 @@
+
+ racoon_free(loc);
+ }
+-
++
+ racoon_free(rem);
+ break;
+ }
+@@ -383,14 +383,14 @@
+ char *data;
+
+ acp = (struct admin_com_psk *)
+- ((char *)com + sizeof(*com) +
++ ((char *)com + sizeof(*com) +
+ sizeof(struct admin_com_indexes));
+
+ idtype = acp->id_type;
+
+ if ((id = vmalloc(acp->id_len)) == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+- "cannot allocate memory: %s\n",
++ "cannot allocate memory: %s\n",
+ strerror(errno));
+ break;
+ }
+@@ -399,7 +399,7 @@
+
+ if ((key = vmalloc(acp->key_len)) == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+- "cannot allocate memory: %s\n",
++ "cannot allocate memory: %s\n",
+ strerror(errno));
+ vfree(id);
+ id = NULL;
+@@ -474,7 +474,7 @@
+ rmconf->xauth->pass = key;
+ }
+ #endif
+-
++
+ plog(LLV_INFO, LOCATION, NULL,
+ "accept a request to establish IKE-SA: "
+ "%s\n", saddrwop2str(dst));
+@@ -577,7 +577,7 @@
+ }
+
+ insph2(iph2);
+- if (isakmp_post_acquire(iph2) < 0) {
++ if (isakmp_post_acquire(iph2, NULL) < 0) {
+ remph2(iph2);
+ delph2(iph2);
+ break;
+@@ -710,17 +710,17 @@
+ }
+
+ if (chown(sunaddr.sun_path, adminsock_owner, adminsock_group) != 0) {
+- plog(LLV_ERROR, LOCATION, NULL,
+- "chown(%s, %d, %d): %s\n",
+- sunaddr.sun_path, adminsock_owner,
++ plog(LLV_ERROR, LOCATION, NULL,
++ "chown(%s, %d, %d): %s\n",
++ sunaddr.sun_path, adminsock_owner,
+ adminsock_group, strerror(errno));
+ (void)close(lcconf->sock_admin);
+ return -1;
+ }
+
+ if (chmod(sunaddr.sun_path, adminsock_mode) != 0) {
+- plog(LLV_ERROR, LOCATION, NULL,
+- "chmod(%s, 0%03o): %s\n",
++ plog(LLV_ERROR, LOCATION, NULL,
++ "chmod(%s, 0%03o): %s\n",
+ sunaddr.sun_path, adminsock_mode, strerror(errno));
+ (void)close(lcconf->sock_admin);
+ return -1;
+Index: src/racoon/handler.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/handler.c,v
+retrieving revision 1.29
+diff -u -r1.29 handler.c
+--- a/src/racoon/handler.c 3 Jul 2009 06:41:46 -0000 1.29
++++ b/src/racoon/handler.c 19 Aug 2009 14:35:06 -0000
+@@ -5,7 +5,7 @@
+ /*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+- *
++ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+@@ -17,7 +17,7 @@
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+- *
++ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+@@ -64,7 +64,7 @@
+ #include "evt.h"
+ #include "isakmp.h"
+ #ifdef ENABLE_HYBRID
+-#include "isakmp_xauth.h"
++#include "isakmp_xauth.h"
+ #include "isakmp_cfg.h"
+ #endif
+ #include "isakmp_inf.h"
+@@ -177,8 +177,8 @@
+ * with phase 2's destinaion.
+ */
+ struct ph1handle *
+-getph1(rmconf, local, remote, flags)
+- struct remoteconf *rmconf;
++getph1(ph1hint, local, remote, flags)
++ struct ph1handle *ph1hint;
+ struct sockaddr *local, *remote;
+ int flags;
+ {
+@@ -202,12 +202,30 @@
+ continue;
+ }
+
+- if (local != NULL && cmpsaddr(local, p->local) != 0)
++ if (local != NULL && cmpsaddr(local, p->local) == CMPSADDR_MISMATCH)
+ continue;
+
+- if (remote != NULL && cmpsaddr(remote, p->remote) != 0)
++ if (remote != NULL && cmpsaddr(remote, p->remote) == CMPSADDR_MISMATCH)
+ continue;
+
++ if (ph1hint != NULL) {
++ if (ph1hint->id && ph1hint->id->l && p->id && p->id->l &&
++ (ph1hint->id->l != p->id->l ||
++ memcmp(ph1hint->id->v, p->id->v, p->id->l) != 0)) {
++ plog(LLV_DEBUG2, LOCATION, NULL,
++ "local identity does match hint\n");
++ continue;
++ }
++ if (ph1hint->id_p && ph1hint->id_p->l &&
++ p->id_p && p->id_p->l &&
++ (ph1hint->id_p->l != p->id_p->l ||
++ memcmp(ph1hint->id_p->v, p->id_p->v, p->id_p->l) != 0)) {
++ plog(LLV_DEBUG2, LOCATION, NULL,
++ "remote identity does match hint\n");
++ continue;
++ }
++ }
++
+ plog(LLV_DEBUG2, LOCATION, NULL, "matched\n");
+ return p;
+ }
+@@ -1155,7 +1173,7 @@
+ }
+
+ #ifdef ENABLE_HYBRID
+-/*
++/*
+ * Retruns 0 if the address was obtained by ISAKMP mode config, 1 otherwise
+ * This should be in isakmp_cfg.c but ph1tree being private, it must be there
+ */
+@@ -1182,7 +1200,7 @@
+
+
+
+-/*
++/*
+ * Reload conf code
+ */
+ static int revalidate_ph2(struct ph2handle *iph2){
+@@ -1192,11 +1210,11 @@
+ struct saprop *approval;
+ struct ph1handle *iph1;
+
+- /*
++ /*
+ * Get the new sainfo using values of the old one
+ */
+ if (iph2->sainfo != NULL) {
+- iph2->sainfo = getsainfo(iph2->sainfo->idsrc,
++ iph2->sainfo = getsainfo(iph2->sainfo->idsrc,
+ iph2->sainfo->iddst, iph2->sainfo->id_i,
+ NULL, iph2->sainfo->remoteid);
+ }
+@@ -1204,7 +1222,7 @@
+ sainfo = iph2->sainfo;
+
+ if (sainfo == NULL) {
+- /*
++ /*
+ * Sainfo has been removed
+ */
+ plog(LLV_DEBUG, LOCATION, NULL,
+@@ -1219,7 +1237,7 @@
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "No approval found !\n");
+ return 0;
+- }
++ }
+
+ /*
+ * Don't care about proposals, should we do something ?
+@@ -1318,7 +1336,7 @@
+ }
+
+ found = 0;
+- for (alg = sainfo->algs[algclass_ipsec_enc];
++ for (alg = sainfo->algs[algclass_ipsec_enc];
+ (found == 0 && alg != NULL); alg = alg->next) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "Reload: next ph2 enc alg...\n");
+@@ -1351,7 +1369,7 @@
+ break;
+
+ default:
+- plog(LLV_ERROR, LOCATION, NULL,
++ plog(LLV_ERROR, LOCATION, NULL,
+ "unexpected check_level\n");
+ continue;
+ break;
+@@ -1375,7 +1393,7 @@
+ }
+
+
+-static void
++static void
+ remove_ph2(struct ph2handle *iph2)
+ {
+ u_int32_t spis[2];
+@@ -1467,7 +1485,7 @@
+ return 1;
+ }
+
+-int
++int
+ revalidate_ph12(void)
+ {
+
+Index: src/racoon/handler.h
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/handler.h,v
+retrieving revision 1.21
+diff -u -r1.21 handler.h
+--- a/src/racoon/handler.h 3 Jul 2009 06:41:46 -0000 1.21
++++ b/src/racoon/handler.h 19 Aug 2009 14:35:06 -0000
+@@ -5,7 +5,7 @@
+ /*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+- *
++ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+@@ -17,7 +17,7 @@
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+- *
++ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+@@ -214,7 +214,7 @@
+ LIST_ENTRY(ph1handle) chain;
+ #ifdef ENABLE_HYBRID
+ struct isakmp_cfg_state *mode_cfg; /* ISAKMP mode config state */
+-#endif
++#endif
+ EVT_LISTENER_LIST(evt_listeners);
+ };
+
+@@ -449,7 +449,7 @@
+ struct sockaddr_storage remote;
+ struct sockaddr_storage local;
+ u_int8_t version;
+- u_int8_t etype;
++ u_int8_t etype;
+ time_t created;
+ int ph2cnt;
+ };
+@@ -468,7 +468,7 @@
+
+ #define GETPH1_F_ESTABLISHED 0x0001
+
+-extern struct ph1handle *getph1 __P((struct remoteconf *rmconf,
++extern struct ph1handle *getph1 __P((struct ph1handle *ph1hint,
+ struct sockaddr *local,
+ struct sockaddr *remote,
+ int flags));
+Index: src/racoon/isakmp.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp.c,v
+retrieving revision 1.58
+diff -u -r1.58 isakmp.c
+--- a/src/racoon/isakmp.c 3 Jul 2009 06:41:46 -0000 1.58
++++ b/src/racoon/isakmp.c 19 Aug 2009 14:35:07 -0000
+@@ -5,7 +5,7 @@
+ /*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+- *
++ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+@@ -17,7 +17,7 @@
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+- *
++ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+@@ -176,7 +176,7 @@
+ };
+
+ static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */
+-
++
+ static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *));
+ static int ph1_main __P((struct ph1handle *, vchar_t *));
+ static int quick_main __P((struct ph2handle *, vchar_t *));
+@@ -190,7 +190,7 @@
+ static int isakmp_ph2resend __P((struct ph2handle *));
+
+ #ifdef ENABLE_FRAG
+-static int frag_handler(struct ph1handle *,
++static int frag_handler(struct ph1handle *,
+ vchar_t *, struct sockaddr *, struct sockaddr *);
+ #endif
+
+@@ -259,16 +259,16 @@
+ extralen += sizeof(x.lbuf.udp) + x.lbuf.ip.ip_hl;
+ }
+ #endif
+- }
++ }
+
+ #ifdef ENABLE_NATT
+- /* we don't know about portchange yet,
++ /* we don't know about portchange yet,
+ look for non-esp marker instead */
+ if (x.non_esp[0] == 0 && x.non_esp[1] != 0)
+ extralen = NON_ESP_MARKER_LEN;
+ #endif
+
+- /* now we know if there is an extra non-esp
++ /* now we know if there is an extra non-esp
+ marker at the beginning or not */
+ memcpy ((char *)&isakmp, x.buf + extralen, sizeof (isakmp));
+
+@@ -309,7 +309,7 @@
+ if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
+ 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+- "failed to receive isakmp packet: %s\n",
++ "failed to receive isakmp packet: %s\n",
+ strerror (errno));
+ }
+ goto end;
+@@ -332,11 +332,11 @@
+ (len - extralen));
+ goto end;
+ }
+-
++
+ memcpy (buf->v, tmpbuf->v + extralen, buf->l);
+
+ len -= extralen;
+-
++
+ if (len != buf->l) {
+ plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
+ "received invalid length (%d != %zu), why ?\n",
+@@ -347,7 +347,7 @@
+ plog(LLV_DEBUG, LOCATION, NULL, "===\n");
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "%d bytes message received %s\n",
+- len, saddr2str_fromto("from %s to %s",
++ len, saddr2str_fromto("from %s to %s",
+ (struct sockaddr *)&remote,
+ (struct sockaddr *)&local));
+ plogdump(LLV_DEBUG, buf->v, buf->l);
+@@ -496,12 +496,12 @@
+ }
+
+ /* set the flag to prevent further port floating
+- (FIXME: should we allow it? E.g. when the NAT gw
++ (FIXME: should we allow it? E.g. when the NAT gw
+ is rebooted?) */
+ iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER;
+-
++
+ /* print some neat info */
+- plog (LLV_INFO, LOCATION, NULL,
++ plog (LLV_INFO, LOCATION, NULL,
+ "NAT-T: ports changed to: %s\n",
+ saddr2str_fromto ("%s<->%s", iph1->remote, iph1->local));
+
+@@ -668,7 +668,7 @@
+ return -1;
+ }
+ #ifdef ENABLE_HYBRID
+- /* Reinit the IVM if it's still there */
++ /* Reinit the IVM if it's still there */
+ if (iph1->mode_cfg && iph1->mode_cfg->ivm) {
+ oakley_delivm(iph1->mode_cfg->ivm);
+ iph1->mode_cfg->ivm = NULL;
+@@ -753,7 +753,7 @@
+
+ isakmp_cfg_r(iph1, msg);
+ break;
+-#endif
++#endif
+
+ case ISAKMP_ETYPE_NONE:
+ default:
+@@ -822,7 +822,7 @@
+ /* free resend buffer */
+ if (iph1->sendbuf == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+- "no buffer found as sendbuf\n");
++ "no buffer found as sendbuf\n");
+ return -1;
+ }
+ #endif
+@@ -925,13 +925,13 @@
+ log_ph1established(iph1);
+ plog(LLV_DEBUG, LOCATION, NULL, "===\n");
+
+- /*
++ /*
+ * SA up shell script hook: do it now,except if
+ * ISAKMP mode config was requested. In the later
+ * case it is done when we receive the configuration.
+ */
+ if ((iph1->status == PHASE1ST_ESTABLISHED) &&
+- !iph1->rmconf->mode_cfg) {
++ !iph1->rmconf->mode_cfg) {
+ switch (iph1->approval->authmethod) {
+ #ifdef ENABLE_HYBRID
+ case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
+@@ -1004,7 +1004,7 @@
+ /* free resend buffer */
+ if (iph2->sendbuf == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+- "no buffer found as sendbuf\n");
++ "no buffer found as sendbuf\n");
+ return -1;
+ }
+ VPTRINIT(iph2->sendbuf);
+@@ -1754,23 +1754,23 @@
+ extralen = 0;
+
+ #ifdef ENABLE_FRAG
+- /*
++ /*
+ * Do not add the non ESP marker for a packet that will
+- * be fragmented. The non ESP marker should appear in
++ * be fragmented. The non ESP marker should appear in
+ * all fragment's packets, but not in the fragmented packet
+ */
+- if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN)
++ if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN)
+ extralen = 0;
+ #endif
+ if (extralen)
+ plog (LLV_DEBUG, LOCATION, NULL, "Adding NON-ESP marker\n");
+
+- /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker)
+- must added just before the packet itself. For this we must
++ /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker)
++ must added just before the packet itself. For this we must
+ allocate a new buffer and release it at the end. */
+ if (extralen) {
+ if ((vbuf = vmalloc (sbuf->l + extralen)) == NULL) {
+- plog(LLV_ERROR, LOCATION, NULL,
++ plog(LLV_ERROR, LOCATION, NULL,
+ "vbuf allocation failed\n");
+ return -1;
+ }
+@@ -1791,17 +1791,17 @@
+ if (s == -1)
+ return -1;
+
+- plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l,
++ plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l,
+ saddr2str_fromto("from %s to %s", iph1->local, iph1->remote));
+
+ #ifdef ENABLE_FRAG
+ if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) {
+ if (isakmp_sendfrags(iph1, sbuf) == -1) {
+- plog(LLV_ERROR, LOCATION, NULL,
++ plog(LLV_ERROR, LOCATION, NULL,
+ "isakmp_sendfrags failed\n");
+ return -1;
+ }
+- } else
++ } else
+ #endif
+ {
+ len = sendfromto(s, sbuf->v, sbuf->l,
+@@ -1812,7 +1812,7 @@
+ return -1;
+ }
+ }
+-
++
+ return 0;
+ }
+
+@@ -1959,7 +1959,7 @@
+ iph1->status = PHASE1ST_DYING;
+
+ /* Any fresh phase1s? */
+- new_iph1 = getph1(iph1->rmconf, iph1->local, iph1->remote, 1);
++ new_iph1 = getph1(iph1, iph1->local, iph1->remote, 1);
+ if (new_iph1 == NULL) {
+ LIST_FOREACH(p, &iph1->ph2tree, ph1bind) {
+ if (p->status != PHASE2ST_ESTABLISHED)
+@@ -2036,7 +2036,7 @@
+ char *src, *dst;
+
+ /* Migrate established phase2s. Any fresh phase1s? */
+- new_iph1 = getph1byaddr(iph1->local, iph1->remote, 1);
++ new_iph1 = getph1(iph1, iph1->local, iph1->remote, 1);
+ if (new_iph1 != NULL)
+ migrate_ph12(iph1, new_iph1);
+
+@@ -2143,12 +2143,13 @@
+ * if phase1 has been finished, begin phase2.
+ */
+ int
+-isakmp_post_acquire(iph2)
++isakmp_post_acquire(iph2, iph1hint)
+ struct ph2handle *iph2;
++ struct ph1handle *iph1hint;
+ {
+ struct remoteconf *rmconf;
+ struct ph1handle *iph1 = NULL;
+-
++
+ plog(LLV_DEBUG, LOCATION, NULL, "in post_acquire\n");
+
+ /* Search appropriate configuration with masking port. Note that
+@@ -2159,12 +2160,17 @@
+ * address of a mobile node (not a CoA provided by MIGRATE/KMADDRESS
+ * as iph2->dst hint). This scenario would require additional changes,
+ * so no need to bother yet. --arno */
+- rmconf = getrmconf(iph2->dst, GETRMCONF_F_NO_PASSIVE);
+- if (rmconf == NULL) {
+- plog(LLV_ERROR, LOCATION, NULL,
+- "no configuration found for %s.\n",
+- saddrwop2str(iph2->dst));
+- return -1;
++
++ if (iph1hint == NULL || iph1hint->rmconf == NULL) {
++ rmconf = getrmconf(iph2->dst, GETRMCONF_F_NO_PASSIVE);
++ if (rmconf == NULL) {
++ plog(LLV_ERROR, LOCATION, NULL,
++ "no configuration found for %s.\n",
++ saddrwop2str(iph2->dst));
++ return -1;
++ }
++ } else {
++ rmconf = iph1hint->rmconf;
+ }
+
+ /* if passive mode, ignore the acquire message */
+@@ -2181,7 +2187,7 @@
+ * some cases, we should use the ISAKMP identity to search
+ * matching ISAKMP.
+ */
+- iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
++ iph1 = getph1(iph1hint, iph2->src, iph2->dst, 0);
+
+ /* no ISAKMP-SA found. */
+ if (iph1 == NULL) {
+@@ -2978,7 +2984,7 @@
+ "ISAKMP-SA established %s-%s spi:%s\n",
+ src, dst,
+ isakmp_pindex(&iph1->index, 0));
+-
++
+ evt_phase1(iph1, EVT_PHASE1_UP, NULL);
+ if(!iph1->rmconf->mode_cfg)
+ evt_phase1(iph1, EVT_PHASE1_MODE_CFG, NULL);
+@@ -3011,7 +3017,7 @@
+ return plist;
+ }
+
+-vchar_t *
++vchar_t *
+ isakmp_plist_set_all (struct payload_list **plist, struct ph1handle *iph1)
+ {
+ struct payload_list *ptr = *plist, *first;
+@@ -3022,7 +3028,7 @@
+ /* Seek to the first item. */
+ while (ptr->prev) ptr = ptr->prev;
+ first = ptr;
+-
++
+ /* Compute the whole length. */
+ while (ptr) {
+ tlen += ptr->payload->l + sizeof (struct isakmp_gen);
+@@ -3064,7 +3070,7 @@
+ }
+
+ #ifdef ENABLE_FRAG
+-int
++int
+ frag_handler(iph1, msg, remote, local)
+ struct ph1handle *iph1;
+ vchar_t *msg;
+@@ -3075,7 +3081,7 @@
+
+ if (isakmp_frag_extract(iph1, msg) == 1) {
+ if ((newmsg = isakmp_frag_reassembly(iph1)) == NULL) {
+- plog(LLV_ERROR, LOCATION, remote,
++ plog(LLV_ERROR, LOCATION, remote,
+ "Packet reassembly failed\n");
+ return -1;
+ }
+@@ -3125,24 +3131,24 @@
+ if (iph1->remote != NULL) {
+ GETNAMEINFO(iph1->remote, addrstr, portstr);
+
+- if (script_env_append(&envp, &envc,
++ if (script_env_append(&envp, &envc,
+ "REMOTE_ADDR", addrstr) != 0) {
+- plog(LLV_ERROR, LOCATION, NULL,
++ plog(LLV_ERROR, LOCATION, NULL,
+ "Cannot set REMOTE_ADDR\n");
+ goto out;
+ }
+
+- if (script_env_append(&envp, &envc,
++ if (script_env_append(&envp, &envc,
+ "REMOTE_PORT", portstr) != 0) {
+- plog(LLV_ERROR, LOCATION, NULL,
++ plog(LLV_ERROR, LOCATION, NULL,
+ "Cannot set REMOTEL_PORT\n");
+ goto out;
+ }
+ }
+
+- if (privsep_script_exec(iph1->rmconf->script[script]->v,
+- script, envp) != 0)
+- plog(LLV_ERROR, LOCATION, NULL,
++ if (privsep_script_exec(iph1->rmconf->script[script]->v,
++ script, envp) != 0)
++ plog(LLV_ERROR, LOCATION, NULL,
+ "Script %s execution failed\n", script_names[script]);
+
+ out:
+@@ -3202,7 +3208,7 @@
+ argv[1] = script_names[name];
+ argv[2] = NULL;
+
+- switch (fork()) {
++ switch (fork()) {
+ case 0:
+ execve(argv[0], argv, envp);
+ plog(LLV_ERROR, LOCATION, NULL,
+@@ -3217,7 +3223,7 @@
+ break;
+ default:
+ break;
+- }
++ }
+ return 0;
+
+ }
+@@ -3243,7 +3249,7 @@
+ iph1->status = PHASE1ST_EXPIRED;
+
+ /* Check if we have another, still valid, phase1 SA. */
+- new_iph1 = getph1byaddr(iph1->local, iph1->remote, 1);
++ new_iph1 = getph1(iph1, iph1->local, iph1->remote, GETPH1_F_ESTABLISHED);
+
+ /*
+ * Delete all orphaned or binded to the deleting ph1handle phase2 SAs.
+@@ -3319,7 +3325,7 @@
+ ntohl(sa->sadb_sa_spi));
+ }else{
+
+- /*
++ /*
+ * If we have a new ph1, do not purge IPsec-SAs binded
+ * to a different ISAKMP-SA
+ */
+@@ -3331,7 +3337,7 @@
+ /* If the ph2handle is established, do not purge IPsec-SA */
+ if (iph2->status == PHASE2ST_ESTABLISHED ||
+ iph2->status == PHASE2ST_EXPIRED) {
+-
++
+ plog(LLV_INFO, LOCATION, NULL,
+ "keeping IPsec-SA spi=%u - found valid ISAKMP-SA spi=%s.\n",
+ ntohl(sa->sadb_sa_spi),
+@@ -3342,7 +3348,7 @@
+ }
+ }
+
+-
++
+ pfkey_send_delete(lcconf->sock_pfkey,
+ msg->sadb_msg_satype,
+ IPSEC_MODE_ANY,
+@@ -3373,7 +3379,7 @@
+ sched_schedule(&iph1->sce, 1, isakmp_ph1delete_stub);
+ }
+
+-void
++void
+ delete_spd(iph2, created)
+ struct ph2handle *iph2;
+ u_int64_t created;
+@@ -3399,22 +3405,22 @@
+
+ plog(LLV_INFO, LOCATION, NULL,
+ "generated policy, deleting it.\n");
+-
++
+ memset(&spidx, 0, sizeof(spidx));
+ iph2->spidx_gen = (caddr_t )&spidx;
+-
++
+ /* make inbound policy */
+ iph2->src = dst;
+ iph2->dst = src;
+ spidx.dir = IPSEC_DIR_INBOUND;
+ spidx.ul_proto = 0;
+-
+- /*
++
++ /*
+ * Note: code from get_proposal_r
+ */
+-
++
+ #define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type
+-
++
+ /*
+ * make destination address in spidx from either ID payload
+ * or phase 1 address into a address in spidx.
+@@ -3430,48 +3436,48 @@
+ &spidx.prefd, &spidx.ul_proto);
+ if (error)
+ goto purge;
+-
++
+ #ifdef INET6
+ /*
+ * get scopeid from the SA address.
+ * note that the phase 1 source address is used as
+- * a destination address to search for a inbound
++ * a destination address to search for a inbound
+ * policy entry because rcoon is responder.
+ */
+ if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
+- if ((error =
++ if ((error =
+ setscopeid((struct sockaddr *)&spidx.dst,
+ iph2->src)) != 0)
+ goto purge;
+ }
+ #endif
+-
++
+ if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
+ || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR)
+ idi2type = _XIDT(iph2->id);
+-
++
+ } else {
+-
++
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "get a destination address of SP index "
+ "from phase1 address "
+ "due to no ID payloads found "
+ "OR because ID type is not address.\n");
+-
++
+ /*
+- * copy the SOURCE address of IKE into the
+- * DESTINATION address of the key to search the
++ * copy the SOURCE address of IKE into the
++ * DESTINATION address of the key to search the
+ * SPD because the direction of policy is inbound.
+ */
+ memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src));
+ switch (spidx.dst.ss_family) {
+ case AF_INET:
+- spidx.prefd =
++ spidx.prefd =
+ sizeof(struct in_addr) << 3;
+ break;
+ #ifdef INET6
+ case AF_INET6:
+- spidx.prefd =
++ spidx.prefd =
+ sizeof(struct in6_addr) << 3;
+ break;
+ #endif
+@@ -3480,7 +3486,7 @@
+ break;
+ }
+ }
+-
++
+ /* make source address in spidx */
+ if (iph2->id_p != NULL
+ && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR
+@@ -3500,7 +3506,7 @@
+ * for more detail, see above of this function.
+ */
+ if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
+- error =
++ error =
+ setscopeid((struct sockaddr *)&spidx.src,
+ iph2->dst);
+ if (error)
+@@ -3538,12 +3544,12 @@
+ memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst));
+ switch (spidx.src.ss_family) {
+ case AF_INET:
+- spidx.prefs =
++ spidx.prefs =
+ sizeof(struct in_addr) << 3;
+ break;
+ #ifdef INET6
+ case AF_INET6:
+- spidx.prefs =
++ spidx.prefs =
+ sizeof(struct in6_addr) << 3;
+ break;
+ #endif
+@@ -3574,14 +3580,14 @@
+ spidx.ul_proto = IPSEC_ULPROTO_ANY;
+
+ #undef _XIDT
+-
++
+ /* Check if the generated SPD has the same timestamp as the SA.
+ * If timestamps are different, this means that the SPD entry has been
+ * refreshed by another SA, and should NOT be deleted with the current SA.
+ */
+ if( created ){
+ struct secpolicy *p;
+-
++
+ p = getsp(&spidx);
+ if(p != NULL){
+ /* just do no test if p is NULL, because this probably just means
+@@ -3646,7 +3652,7 @@
+ struct sockaddr *sp_addr0, *sa_addr0;
+ {
+ struct sockaddr_in6 *sp_addr, *sa_addr;
+-
++
+ sp_addr = (struct sockaddr_in6 *)sp_addr0;
+ sa_addr = (struct sockaddr_in6 *)sa_addr0;
+
+Index: src/racoon/isakmp_var.h
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h,v
+retrieving revision 1.15
+diff -u -r1.15 isakmp_var.h
+--- a/src/racoon/isakmp_var.h 20 Apr 2009 13:24:36 -0000 1.15
++++ b/src/racoon/isakmp_var.h 19 Aug 2009 14:35:07 -0000
+@@ -5,7 +5,7 @@
+ /*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+- *
++ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+@@ -17,7 +17,7 @@
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+- *
++ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+@@ -87,7 +87,7 @@
+ extern void isakmp_ph2delete __P((struct ph2handle *));
+
+ extern int isakmp_get_sainfo __P((struct ph2handle *, struct secpolicy *, struct secpolicy *));
+-extern int isakmp_post_acquire __P((struct ph2handle *));
++extern int isakmp_post_acquire __P((struct ph2handle *, struct ph1handle *));
+ extern int isakmp_post_getspi __P((struct ph2handle *));
+ extern void isakmp_chkph1there_stub __P((struct sched *));
+ extern void isakmp_chkph1there __P((struct ph2handle *));
+@@ -131,7 +131,7 @@
+ struct remoteconf *, struct sockaddr *, struct sockaddr *));
+ extern void log_ph1established __P((const struct ph1handle *));
+
+-extern void script_hook __P((struct ph1handle *, int));
++extern void script_hook __P((struct ph1handle *, int));
+ extern int script_env_append __P((char ***, int *, char *, char *));
+ extern int script_exec __P((char *, int, char * const *));
+
+Index: src/racoon/pfkey.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/pfkey.c,v
+retrieving revision 1.50
+diff -u -r1.50 pfkey.c
+--- a/src/racoon/pfkey.c 10 Aug 2009 08:22:13 -0000 1.50
++++ b/src/racoon/pfkey.c 19 Aug 2009 14:35:07 -0000
+@@ -5,7 +5,7 @@
+ /*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+- *
++ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+@@ -17,7 +17,7 @@
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+- *
++ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+@@ -173,7 +173,7 @@
+
+ /* cope with old kame headers - ugly */
+ #ifndef SADB_X_AALG_MD5
+-#define SADB_X_AALG_MD5 SADB_AALG_MD5
++#define SADB_X_AALG_MD5 SADB_AALG_MD5
+ #endif
+ #ifndef SADB_X_AALG_SHA
+ #define SADB_X_AALG_SHA SADB_AALG_SHA
+@@ -353,7 +353,7 @@
+ "type %i, pid %i\n", msg->sadb_msg_type, msg->sadb_msg_pid);
+ continue;
+ }
+-
++
+
+ ml = msg->sadb_msg_len << 3;
+ bl = buf ? buf->l : 0;
+@@ -839,7 +839,7 @@
+ goto bad;
+ *a_keylen >>= 3;
+
+- if (t_id == IPSECDOI_ATTR_AUTH_HMAC_MD5
++ if (t_id == IPSECDOI_ATTR_AUTH_HMAC_MD5
+ && hashtype == IPSECDOI_ATTR_AUTH_KPDK) {
+ /* AH_MD5 + Auth(KPDK) = RFC1826 keyed-MD5 */
+ *a_type = SADB_X_AALG_MD5;
+@@ -919,7 +919,7 @@
+ racoon_free(dst);
+ return -1;
+ }
+-
++
+ for (pr = pp->head; pr != NULL; pr = pr->next) {
+
+ /* validity check */
+@@ -991,7 +991,7 @@
+ * receive GETSPI from kernel.
+ */
+ static int
+-pk_recvgetspi(mhp)
++pk_recvgetspi(mhp)
+ caddr_t *mhp;
+ {
+ struct sadb_msg *msg;
+@@ -1111,7 +1111,7 @@
+ sa_args.l_addtime = iph2->lifetime_secs;
+ else
+ sa_args.l_addtime = iph2->approval->lifetime;
+- sa_args.seq = iph2->seq;
++ sa_args.seq = iph2->seq;
+ sa_args.wsize = 4;
+
+ if (iph2->sa_src && iph2->sa_dst) {
+@@ -1163,7 +1163,7 @@
+ pr->head->trns_id,
+ pr->head->authtype,
+ &sa_args.e_type, &sa_args.e_keylen,
+- &sa_args.a_type, &sa_args.a_keylen,
++ &sa_args.a_type, &sa_args.a_keylen,
+ &sa_args.flags) < 0){
+ racoon_free(sa_args.src);
+ racoon_free(sa_args.dst);
+@@ -1221,11 +1221,11 @@
+ * But it is impossible because there is not key in the
+ * information from the kernel.
+ */
+-
++
+ /* change some things before backing up */
+ sa_args.wsize = 4;
+ sa_args.l_bytes = iph2->approval->lifebyte * 1024;
+-
++
+ if (backupsa_to_file(&sa_args) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "backuped SA failed: %s\n",
+@@ -1447,7 +1447,7 @@
+ pr->head->trns_id,
+ pr->head->authtype,
+ &sa_args.e_type, &sa_args.e_keylen,
+- &sa_args.a_type, &sa_args.a_keylen,
++ &sa_args.a_type, &sa_args.a_keylen,
+ &sa_args.flags) < 0){
+ racoon_free(sa_args.src);
+ racoon_free(sa_args.dst);
+@@ -1668,11 +1668,12 @@
+ " being negotiated. Stopping negotiation.\n");
+ }
+
+- /* turn off the timer for calling isakmp_ph2expire() */
++ /* turn off the timer for calling isakmp_ph2expire() */
+ sched_cancel(&iph2->sce);
+
+ if (iph2->status == PHASE2ST_ESTABLISHED &&
+ iph2->side == INITIATOR) {
++ struct ph1handle *iph1hint;
+ /*
+ * Active phase 2 expired and we were initiator.
+ * Begin new phase 2 exchange, so we can keep on sending
+@@ -1680,11 +1681,12 @@
+ */
+
+ /* update status for re-use */
++ iph1hint = iph2->ph1;
+ initph2(iph2);
+ iph2->status = PHASE2ST_STATUS2;
+
+ /* start quick exchange */
+- if (isakmp_post_acquire(iph2) < 0) {
++ if (isakmp_post_acquire(iph2, iph1hint) < 0) {
+ plog(LLV_ERROR, LOCATION, iph2->dst,
+ "failed to begin ipsec sa "
+ "re-negotication.\n");
+@@ -1750,7 +1752,7 @@
+ if (m_sec_ctx != NULL) {
+ plog(LLV_INFO, LOCATION, NULL, "security context doi: %u\n",
+ m_sec_ctx->sadb_x_ctx_doi);
+- plog(LLV_INFO, LOCATION, NULL,
++ plog(LLV_INFO, LOCATION, NULL,
+ "security context algorithm: %u\n",
+ m_sec_ctx->sadb_x_ctx_alg);
+ plog(LLV_INFO, LOCATION, NULL, "security context length: %u\n",
+@@ -1960,7 +1962,7 @@
+
+ /* start isakmp initiation by using ident exchange */
+ /* XXX should be looped if there are multiple phase 2 handler. */
+- if (isakmp_post_acquire(iph2) < 0) {
++ if (isakmp_post_acquire(iph2, NULL) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to begin ipsec sa negotication.\n");
+ remph2(iph2);
+@@ -2145,7 +2147,7 @@
+ p->sadb_x_ctx_len = spidx->sec_ctx.ctx_strlen;
+ p->sadb_x_ctx_doi = spidx->sec_ctx.ctx_doi;
+ p->sadb_x_ctx_alg = spidx->sec_ctx.ctx_alg;
+-
++
+ memcpy(p + 1,spidx->sec_ctx.ctx_str,spidx->sec_ctx.ctx_strlen);
+ len += ctxlen;
+ }
+@@ -2184,7 +2186,7 @@
+ goto err;
+ }
+
+- /*
++ /*
+ * the policy level cannot be unique because the policy
+ * is defined later than SA, so req_id cannot be bound to SA.
+ */
+@@ -2217,7 +2219,7 @@
+
+ xisr->sadb_x_ipsecrequest_len = PFKEY_ALIGN8(xisrlen);
+ xisr = (struct sadb_x_ipsecrequest *)p;
+-
++
+ }
+ racoon_free(pr_rlist);
+
+@@ -3070,6 +3072,8 @@
+ rmconf = getrmconf(iph2->dst, 0);
+
+ if (rmconf && !rmconf->passive) {
++ struct ph1handle *iph1hint;
++
+ plog(LLV_WARNING, LOCATION, iph2->dst, "MIGRATE received "
+ "*during* IPsec SA negotiation. As initiator, "
+ "restarting it.\n");
+@@ -3079,11 +3083,12 @@
+ iph2->status = PHASE2ST_EXPIRED;
+
+ /* ... clean Phase 2 handle ... */
++ iph1hint = iph2->ph1;
+ initph2(iph2);
+ iph2->status = PHASE2ST_STATUS2;
+
+ /* and start a new negotiation */
+- if (isakmp_post_acquire(iph2) < 0) {
++ if (isakmp_post_acquire(iph2, iph1hint) < 0) {
+ plog(LLV_ERROR, LOCATION, iph2->dst, "failed "
+ "to begin IPsec SA renegotiation after "
+ "MIGRATE reception.\n");
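Review bot: The two LLV_DEBUG2 messages added to getph1() in the handler.c hunk are inverted: both are emitted on the `continue` path taken when the identity did not match the hint, so `"local identity does match hint\n"` and `"remote identity does match hint\n"` should read `"local identity does not match hint\n"` and `"remote identity does not match hint\n"`, otherwise a debug trace of a rekey reads as if the hint matched the candidate it rejected. In the isakmp.c hunks the new call sites `getph1(iph1, iph1->local, iph1->remote, 1)` (two places) pass the literal 1 while isakmp_ph1expire passes `GETPH1_F_ESTABLISHED`; the flag name should be used in all three for consistency with the handler.h declaration. In pfkey.c, `iph1hint = iph2->ph1` is captured before initph2() and is later dereferenced as `iph1hint->rmconf` inside isakmp_post_acquire(), which is only safe if every path that frees a phase 1 handle unbinds its bound phase 2s first — that invariant is not visible in this patch, so a one-line comment at the assignment stating it (e.g. `/* ph1 pointer is valid here: ph1 deletion unbinds its ph2s */`) would document the assumption for the next backport. The patch also carries 64 CVS `? file` status lines and many whitespace-only hunks (trailing-space removals in license headers), which patch(1) tolerates as garbage or applies harmlessly but which make the functional change hard to review and rebase; regenerating it with only the hunks that change code would be cleaner.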