aboutsummaryrefslogtreecommitdiffstats
path: root/main/ipsec-tools
diff options
context:
space:
mode:
Diffstat (limited to 'main/ipsec-tools')
-rw-r--r--main/ipsec-tools/00-verify-cert-leak.patch11
-rw-r--r--main/ipsec-tools/10-rekey-ph1hint.patch1227
-rw-r--r--main/ipsec-tools/20-natoa-fix.patch33
-rw-r--r--main/ipsec-tools/30-natt-ports-cleanup.patch393
-rw-r--r--main/ipsec-tools/40-cmpsaddr-cleanup.patch1403
-rw-r--r--main/ipsec-tools/50-reverse-connect.patch4
-rw-r--r--main/ipsec-tools/APKBUILD20
7 files changed, 1236 insertions, 1855 deletions
diff --git a/main/ipsec-tools/00-verify-cert-leak.patch b/main/ipsec-tools/00-verify-cert-leak.patch
deleted file mode 100644
index 9e67813359..0000000000
--- a/main/ipsec-tools/00-verify-cert-leak.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/src/racoon/crypto_openssl.c 20 Apr 2009 13:22:41 -0000 1.18
-+++ b/src/racoon/crypto_openssl.c 29 Apr 2009 10:48:51 -0000
-@@ -510,7 +510,7 @@
- X509_STORE_CTX_set_flags (csc, X509_V_FLAG_CRL_CHECK_ALL);
- #endif
- error = X509_verify_cert(csc);
-- X509_STORE_CTX_cleanup(csc);
-+ X509_STORE_CTX_free(csc);
-
- /*
- * if x509_verify_cert() is successful then the value of error is
diff --git a/main/ipsec-tools/10-rekey-ph1hint.patch b/main/ipsec-tools/10-rekey-ph1hint.patch
new file mode 100644
index 0000000000..773d609012
--- /dev/null
+++ b/main/ipsec-tools/10-rekey-ph1hint.patch
@@ -0,0 +1,1227 @@
+? .msg
+? ChangeLog
+? alpine-config
+? commiters.txt
+? fd-unmonitor-segv-fix.patch
+? natt-and-cmpsaddr.patch
+? racoon.txt
+? rekeying-fixes.diff
+? rpm/Makefile
+? rpm/Makefile.in
+? rpm/ipsec-tools.spec
+? rpm/suse/Makefile
+? rpm/suse/Makefile.in
+? rpm/suse/ipsec-tools.spec
+? src/Makefile
+? src/Makefile.in
+? src/include-glibc/.includes
+? src/include-glibc/Makefile
+? src/include-glibc/Makefile.in
+? src/libipsec/.deps
+? src/libipsec/.libs
+? src/libipsec/Makefile
+? src/libipsec/Makefile.in
+? src/libipsec/ipsec_dump_policy.lo
+? src/libipsec/ipsec_get_policylen.lo
+? src/libipsec/ipsec_strerror.lo
+? src/libipsec/key_debug.lo
+? src/libipsec/libipsec.la
+? src/libipsec/pfkey.lo
+? src/libipsec/pfkey_dump.lo
+? src/libipsec/policy_parse.c
+? src/libipsec/policy_parse.h
+? src/libipsec/policy_parse.lo
+? src/libipsec/policy_token.c
+? src/libipsec/policy_token.lo
+? src/racoon/.deps
+? src/racoon/.libs
+? src/racoon/Makefile
+? src/racoon/Makefile.in
+? src/racoon/cfparse.c
+? src/racoon/cfparse.h
+? src/racoon/cftoken.c
+? src/racoon/eaytest
+? src/racoon/libracoon.la
+? src/racoon/libracoon_la-kmpstat.lo
+? src/racoon/libracoon_la-misc.lo
+? src/racoon/libracoon_la-sockmisc.lo
+? src/racoon/libracoon_la-vmbuf.lo
+? src/racoon/plainrsa-gen
+? src/racoon/prsa_par.c
+? src/racoon/prsa_par.h
+? src/racoon/prsa_tok.c
+? src/racoon/racoon
+? src/racoon/racoonctl
+? src/racoon/samples/psk.txt
+? src/racoon/samples/racoon.conf
+? src/setkey/.deps
+? src/setkey/.libs
+? src/setkey/Makefile
+? src/setkey/Makefile.in
+? src/setkey/parse.c
+? src/setkey/parse.h
+? src/setkey/setkey
+? src/setkey/token.c
+Index: src/racoon/admin.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/admin.c,v
+retrieving revision 1.31
+diff -u -r1.31 admin.c
+--- a/src/racoon/admin.c 3 Jul 2009 06:41:46 -0000 1.31
++++ b/src/racoon/admin.c 19 Aug 2009 14:35:06 -0000
+@@ -5,7 +5,7 @@
+ /*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+- *
++ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+@@ -17,7 +17,7 @@
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+- *
++ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+@@ -341,7 +341,7 @@
+ user[len] = 0;
+
+ found = purgeph1bylogin(user);
+- plog(LLV_INFO, LOCATION, NULL,
++ plog(LLV_INFO, LOCATION, NULL,
+ "deleted %d SA for user \"%s\"\n", found, user);
+
+ break;
+@@ -360,7 +360,7 @@
+ rem = racoon_strdup(saddrwop2str(dst));
+ STRDUP_FATAL(rem);
+
+- plog(LLV_INFO, LOCATION, NULL,
++ plog(LLV_INFO, LOCATION, NULL,
+ "Flushing all SAs for peer %s\n", rem);
+
+ while ((iph1 = getph1bydstaddr(dst)) != NULL) {
+@@ -373,7 +373,7 @@
+
+ racoon_free(loc);
+ }
+-
++
+ racoon_free(rem);
+ break;
+ }
+@@ -383,14 +383,14 @@
+ char *data;
+
+ acp = (struct admin_com_psk *)
+- ((char *)com + sizeof(*com) +
++ ((char *)com + sizeof(*com) +
+ sizeof(struct admin_com_indexes));
+
+ idtype = acp->id_type;
+
+ if ((id = vmalloc(acp->id_len)) == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+- "cannot allocate memory: %s\n",
++ "cannot allocate memory: %s\n",
+ strerror(errno));
+ break;
+ }
+@@ -399,7 +399,7 @@
+
+ if ((key = vmalloc(acp->key_len)) == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+- "cannot allocate memory: %s\n",
++ "cannot allocate memory: %s\n",
+ strerror(errno));
+ vfree(id);
+ id = NULL;
+@@ -474,7 +474,7 @@
+ rmconf->xauth->pass = key;
+ }
+ #endif
+-
++
+ plog(LLV_INFO, LOCATION, NULL,
+ "accept a request to establish IKE-SA: "
+ "%s\n", saddrwop2str(dst));
+@@ -577,7 +577,7 @@
+ }
+
+ insph2(iph2);
+- if (isakmp_post_acquire(iph2) < 0) {
++ if (isakmp_post_acquire(iph2, NULL) < 0) {
+ remph2(iph2);
+ delph2(iph2);
+ break;
+@@ -710,17 +710,17 @@
+ }
+
+ if (chown(sunaddr.sun_path, adminsock_owner, adminsock_group) != 0) {
+- plog(LLV_ERROR, LOCATION, NULL,
+- "chown(%s, %d, %d): %s\n",
+- sunaddr.sun_path, adminsock_owner,
++ plog(LLV_ERROR, LOCATION, NULL,
++ "chown(%s, %d, %d): %s\n",
++ sunaddr.sun_path, adminsock_owner,
+ adminsock_group, strerror(errno));
+ (void)close(lcconf->sock_admin);
+ return -1;
+ }
+
+ if (chmod(sunaddr.sun_path, adminsock_mode) != 0) {
+- plog(LLV_ERROR, LOCATION, NULL,
+- "chmod(%s, 0%03o): %s\n",
++ plog(LLV_ERROR, LOCATION, NULL,
++ "chmod(%s, 0%03o): %s\n",
+ sunaddr.sun_path, adminsock_mode, strerror(errno));
+ (void)close(lcconf->sock_admin);
+ return -1;
+Index: src/racoon/handler.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/handler.c,v
+retrieving revision 1.29
+diff -u -r1.29 handler.c
+--- a/src/racoon/handler.c 3 Jul 2009 06:41:46 -0000 1.29
++++ b/src/racoon/handler.c 19 Aug 2009 14:35:06 -0000
+@@ -5,7 +5,7 @@
+ /*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+- *
++ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+@@ -17,7 +17,7 @@
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+- *
++ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+@@ -64,7 +64,7 @@
+ #include "evt.h"
+ #include "isakmp.h"
+ #ifdef ENABLE_HYBRID
+-#include "isakmp_xauth.h"
++#include "isakmp_xauth.h"
+ #include "isakmp_cfg.h"
+ #endif
+ #include "isakmp_inf.h"
+@@ -177,8 +177,8 @@
+ * with phase 2's destinaion.
+ */
+ struct ph1handle *
+-getph1(rmconf, local, remote, flags)
+- struct remoteconf *rmconf;
++getph1(ph1hint, local, remote, flags)
++ struct ph1handle *ph1hint;
+ struct sockaddr *local, *remote;
+ int flags;
+ {
+@@ -202,12 +202,30 @@
+ continue;
+ }
+
+- if (local != NULL && cmpsaddr(local, p->local) != 0)
++ if (local != NULL && cmpsaddr(local, p->local) == CMPSADDR_MISMATCH)
+ continue;
+
+- if (remote != NULL && cmpsaddr(remote, p->remote) != 0)
++ if (remote != NULL && cmpsaddr(remote, p->remote) == CMPSADDR_MISMATCH)
+ continue;
+
++ if (ph1hint != NULL) {
++ if (ph1hint->id && ph1hint->id->l && p->id && p->id->l &&
++ (ph1hint->id->l != p->id->l ||
++ memcmp(ph1hint->id->v, p->id->v, p->id->l) != 0)) {
++ plog(LLV_DEBUG2, LOCATION, NULL,
++ "local identity does match hint\n");
++ continue;
++ }
++ if (ph1hint->id_p && ph1hint->id_p->l &&
++ p->id_p && p->id_p->l &&
++ (ph1hint->id_p->l != p->id_p->l ||
++ memcmp(ph1hint->id_p->v, p->id_p->v, p->id_p->l) != 0)) {
++ plog(LLV_DEBUG2, LOCATION, NULL,
++ "remote identity does match hint\n");
++ continue;
++ }
++ }
++
+ plog(LLV_DEBUG2, LOCATION, NULL, "matched\n");
+ return p;
+ }
+@@ -1155,7 +1173,7 @@
+ }
+
+ #ifdef ENABLE_HYBRID
+-/*
++/*
+ * Retruns 0 if the address was obtained by ISAKMP mode config, 1 otherwise
+ * This should be in isakmp_cfg.c but ph1tree being private, it must be there
+ */
+@@ -1182,7 +1200,7 @@
+
+
+
+-/*
++/*
+ * Reload conf code
+ */
+ static int revalidate_ph2(struct ph2handle *iph2){
+@@ -1192,11 +1210,11 @@
+ struct saprop *approval;
+ struct ph1handle *iph1;
+
+- /*
++ /*
+ * Get the new sainfo using values of the old one
+ */
+ if (iph2->sainfo != NULL) {
+- iph2->sainfo = getsainfo(iph2->sainfo->idsrc,
++ iph2->sainfo = getsainfo(iph2->sainfo->idsrc,
+ iph2->sainfo->iddst, iph2->sainfo->id_i,
+ NULL, iph2->sainfo->remoteid);
+ }
+@@ -1204,7 +1222,7 @@
+ sainfo = iph2->sainfo;
+
+ if (sainfo == NULL) {
+- /*
++ /*
+ * Sainfo has been removed
+ */
+ plog(LLV_DEBUG, LOCATION, NULL,
+@@ -1219,7 +1237,7 @@
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "No approval found !\n");
+ return 0;
+- }
++ }
+
+ /*
+ * Don't care about proposals, should we do something ?
+@@ -1318,7 +1336,7 @@
+ }
+
+ found = 0;
+- for (alg = sainfo->algs[algclass_ipsec_enc];
++ for (alg = sainfo->algs[algclass_ipsec_enc];
+ (found == 0 && alg != NULL); alg = alg->next) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "Reload: next ph2 enc alg...\n");
+@@ -1351,7 +1369,7 @@
+ break;
+
+ default:
+- plog(LLV_ERROR, LOCATION, NULL,
++ plog(LLV_ERROR, LOCATION, NULL,
+ "unexpected check_level\n");
+ continue;
+ break;
+@@ -1375,7 +1393,7 @@
+ }
+
+
+-static void
++static void
+ remove_ph2(struct ph2handle *iph2)
+ {
+ u_int32_t spis[2];
+@@ -1467,7 +1485,7 @@
+ return 1;
+ }
+
+-int
++int
+ revalidate_ph12(void)
+ {
+
+Index: src/racoon/handler.h
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/handler.h,v
+retrieving revision 1.21
+diff -u -r1.21 handler.h
+--- a/src/racoon/handler.h 3 Jul 2009 06:41:46 -0000 1.21
++++ b/src/racoon/handler.h 19 Aug 2009 14:35:06 -0000
+@@ -5,7 +5,7 @@
+ /*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+- *
++ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+@@ -17,7 +17,7 @@
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+- *
++ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+@@ -214,7 +214,7 @@
+ LIST_ENTRY(ph1handle) chain;
+ #ifdef ENABLE_HYBRID
+ struct isakmp_cfg_state *mode_cfg; /* ISAKMP mode config state */
+-#endif
++#endif
+ EVT_LISTENER_LIST(evt_listeners);
+ };
+
+@@ -449,7 +449,7 @@
+ struct sockaddr_storage remote;
+ struct sockaddr_storage local;
+ u_int8_t version;
+- u_int8_t etype;
++ u_int8_t etype;
+ time_t created;
+ int ph2cnt;
+ };
+@@ -468,7 +468,7 @@
+
+ #define GETPH1_F_ESTABLISHED 0x0001
+
+-extern struct ph1handle *getph1 __P((struct remoteconf *rmconf,
++extern struct ph1handle *getph1 __P((struct ph1handle *ph1hint,
+ struct sockaddr *local,
+ struct sockaddr *remote,
+ int flags));
+Index: src/racoon/isakmp.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp.c,v
+retrieving revision 1.58
+diff -u -r1.58 isakmp.c
+--- a/src/racoon/isakmp.c 3 Jul 2009 06:41:46 -0000 1.58
++++ b/src/racoon/isakmp.c 19 Aug 2009 14:35:07 -0000
+@@ -5,7 +5,7 @@
+ /*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+- *
++ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+@@ -17,7 +17,7 @@
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+- *
++ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+@@ -176,7 +176,7 @@
+ };
+
+ static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */
+-
++
+ static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *));
+ static int ph1_main __P((struct ph1handle *, vchar_t *));
+ static int quick_main __P((struct ph2handle *, vchar_t *));
+@@ -190,7 +190,7 @@
+ static int isakmp_ph2resend __P((struct ph2handle *));
+
+ #ifdef ENABLE_FRAG
+-static int frag_handler(struct ph1handle *,
++static int frag_handler(struct ph1handle *,
+ vchar_t *, struct sockaddr *, struct sockaddr *);
+ #endif
+
+@@ -259,16 +259,16 @@
+ extralen += sizeof(x.lbuf.udp) + x.lbuf.ip.ip_hl;
+ }
+ #endif
+- }
++ }
+
+ #ifdef ENABLE_NATT
+- /* we don't know about portchange yet,
++ /* we don't know about portchange yet,
+ look for non-esp marker instead */
+ if (x.non_esp[0] == 0 && x.non_esp[1] != 0)
+ extralen = NON_ESP_MARKER_LEN;
+ #endif
+
+- /* now we know if there is an extra non-esp
++ /* now we know if there is an extra non-esp
+ marker at the beginning or not */
+ memcpy ((char *)&isakmp, x.buf + extralen, sizeof (isakmp));
+
+@@ -309,7 +309,7 @@
+ if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
+ 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+- "failed to receive isakmp packet: %s\n",
++ "failed to receive isakmp packet: %s\n",
+ strerror (errno));
+ }
+ goto end;
+@@ -332,11 +332,11 @@
+ (len - extralen));
+ goto end;
+ }
+-
++
+ memcpy (buf->v, tmpbuf->v + extralen, buf->l);
+
+ len -= extralen;
+-
++
+ if (len != buf->l) {
+ plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
+ "received invalid length (%d != %zu), why ?\n",
+@@ -347,7 +347,7 @@
+ plog(LLV_DEBUG, LOCATION, NULL, "===\n");
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "%d bytes message received %s\n",
+- len, saddr2str_fromto("from %s to %s",
++ len, saddr2str_fromto("from %s to %s",
+ (struct sockaddr *)&remote,
+ (struct sockaddr *)&local));
+ plogdump(LLV_DEBUG, buf->v, buf->l);
+@@ -496,12 +496,12 @@
+ }
+
+ /* set the flag to prevent further port floating
+- (FIXME: should we allow it? E.g. when the NAT gw
++ (FIXME: should we allow it? E.g. when the NAT gw
+ is rebooted?) */
+ iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER;
+-
++
+ /* print some neat info */
+- plog (LLV_INFO, LOCATION, NULL,
++ plog (LLV_INFO, LOCATION, NULL,
+ "NAT-T: ports changed to: %s\n",
+ saddr2str_fromto ("%s<->%s", iph1->remote, iph1->local));
+
+@@ -668,7 +668,7 @@
+ return -1;
+ }
+ #ifdef ENABLE_HYBRID
+- /* Reinit the IVM if it's still there */
++ /* Reinit the IVM if it's still there */
+ if (iph1->mode_cfg && iph1->mode_cfg->ivm) {
+ oakley_delivm(iph1->mode_cfg->ivm);
+ iph1->mode_cfg->ivm = NULL;
+@@ -753,7 +753,7 @@
+
+ isakmp_cfg_r(iph1, msg);
+ break;
+-#endif
++#endif
+
+ case ISAKMP_ETYPE_NONE:
+ default:
+@@ -822,7 +822,7 @@
+ /* free resend buffer */
+ if (iph1->sendbuf == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+- "no buffer found as sendbuf\n");
++ "no buffer found as sendbuf\n");
+ return -1;
+ }
+ #endif
+@@ -925,13 +925,13 @@
+ log_ph1established(iph1);
+ plog(LLV_DEBUG, LOCATION, NULL, "===\n");
+
+- /*
++ /*
+ * SA up shell script hook: do it now,except if
+ * ISAKMP mode config was requested. In the later
+ * case it is done when we receive the configuration.
+ */
+ if ((iph1->status == PHASE1ST_ESTABLISHED) &&
+- !iph1->rmconf->mode_cfg) {
++ !iph1->rmconf->mode_cfg) {
+ switch (iph1->approval->authmethod) {
+ #ifdef ENABLE_HYBRID
+ case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
+@@ -1004,7 +1004,7 @@
+ /* free resend buffer */
+ if (iph2->sendbuf == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+- "no buffer found as sendbuf\n");
++ "no buffer found as sendbuf\n");
+ return -1;
+ }
+ VPTRINIT(iph2->sendbuf);
+@@ -1754,23 +1754,23 @@
+ extralen = 0;
+
+ #ifdef ENABLE_FRAG
+- /*
++ /*
+ * Do not add the non ESP marker for a packet that will
+- * be fragmented. The non ESP marker should appear in
++ * be fragmented. The non ESP marker should appear in
+ * all fragment's packets, but not in the fragmented packet
+ */
+- if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN)
++ if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN)
+ extralen = 0;
+ #endif
+ if (extralen)
+ plog (LLV_DEBUG, LOCATION, NULL, "Adding NON-ESP marker\n");
+
+- /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker)
+- must added just before the packet itself. For this we must
++ /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker)
++ must added just before the packet itself. For this we must
+ allocate a new buffer and release it at the end. */
+ if (extralen) {
+ if ((vbuf = vmalloc (sbuf->l + extralen)) == NULL) {
+- plog(LLV_ERROR, LOCATION, NULL,
++ plog(LLV_ERROR, LOCATION, NULL,
+ "vbuf allocation failed\n");
+ return -1;
+ }
+@@ -1791,17 +1791,17 @@
+ if (s == -1)
+ return -1;
+
+- plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l,
++ plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l,
+ saddr2str_fromto("from %s to %s", iph1->local, iph1->remote));
+
+ #ifdef ENABLE_FRAG
+ if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) {
+ if (isakmp_sendfrags(iph1, sbuf) == -1) {
+- plog(LLV_ERROR, LOCATION, NULL,
++ plog(LLV_ERROR, LOCATION, NULL,
+ "isakmp_sendfrags failed\n");
+ return -1;
+ }
+- } else
++ } else
+ #endif
+ {
+ len = sendfromto(s, sbuf->v, sbuf->l,
+@@ -1812,7 +1812,7 @@
+ return -1;
+ }
+ }
+-
++
+ return 0;
+ }
+
+@@ -1959,7 +1959,7 @@
+ iph1->status = PHASE1ST_DYING;
+
+ /* Any fresh phase1s? */
+- new_iph1 = getph1(iph1->rmconf, iph1->local, iph1->remote, 1);
++ new_iph1 = getph1(iph1, iph1->local, iph1->remote, 1);
+ if (new_iph1 == NULL) {
+ LIST_FOREACH(p, &iph1->ph2tree, ph1bind) {
+ if (p->status != PHASE2ST_ESTABLISHED)
+@@ -2036,7 +2036,7 @@
+ char *src, *dst;
+
+ /* Migrate established phase2s. Any fresh phase1s? */
+- new_iph1 = getph1byaddr(iph1->local, iph1->remote, 1);
++ new_iph1 = getph1(iph1, iph1->local, iph1->remote, 1);
+ if (new_iph1 != NULL)
+ migrate_ph12(iph1, new_iph1);
+
+@@ -2143,12 +2143,13 @@
+ * if phase1 has been finished, begin phase2.
+ */
+ int
+-isakmp_post_acquire(iph2)
++isakmp_post_acquire(iph2, iph1hint)
+ struct ph2handle *iph2;
++ struct ph1handle *iph1hint;
+ {
+ struct remoteconf *rmconf;
+ struct ph1handle *iph1 = NULL;
+-
++
+ plog(LLV_DEBUG, LOCATION, NULL, "in post_acquire\n");
+
+ /* Search appropriate configuration with masking port. Note that
+@@ -2159,12 +2160,17 @@
+ * address of a mobile node (not a CoA provided by MIGRATE/KMADDRESS
+ * as iph2->dst hint). This scenario would require additional changes,
+ * so no need to bother yet. --arno */
+- rmconf = getrmconf(iph2->dst, GETRMCONF_F_NO_PASSIVE);
+- if (rmconf == NULL) {
+- plog(LLV_ERROR, LOCATION, NULL,
+- "no configuration found for %s.\n",
+- saddrwop2str(iph2->dst));
+- return -1;
++
++ if (iph1hint == NULL || iph1hint->rmconf == NULL) {
++ rmconf = getrmconf(iph2->dst, GETRMCONF_F_NO_PASSIVE);
++ if (rmconf == NULL) {
++ plog(LLV_ERROR, LOCATION, NULL,
++ "no configuration found for %s.\n",
++ saddrwop2str(iph2->dst));
++ return -1;
++ }
++ } else {
++ rmconf = iph1hint->rmconf;
+ }
+
+ /* if passive mode, ignore the acquire message */
+@@ -2181,7 +2187,7 @@
+ * some cases, we should use the ISAKMP identity to search
+ * matching ISAKMP.
+ */
+- iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
++ iph1 = getph1(iph1hint, iph2->src, iph2->dst, 0);
+
+ /* no ISAKMP-SA found. */
+ if (iph1 == NULL) {
+@@ -2978,7 +2984,7 @@
+ "ISAKMP-SA established %s-%s spi:%s\n",
+ src, dst,
+ isakmp_pindex(&iph1->index, 0));
+-
++
+ evt_phase1(iph1, EVT_PHASE1_UP, NULL);
+ if(!iph1->rmconf->mode_cfg)
+ evt_phase1(iph1, EVT_PHASE1_MODE_CFG, NULL);
+@@ -3011,7 +3017,7 @@
+ return plist;
+ }
+
+-vchar_t *
++vchar_t *
+ isakmp_plist_set_all (struct payload_list **plist, struct ph1handle *iph1)
+ {
+ struct payload_list *ptr = *plist, *first;
+@@ -3022,7 +3028,7 @@
+ /* Seek to the first item. */
+ while (ptr->prev) ptr = ptr->prev;
+ first = ptr;
+-
++
+ /* Compute the whole length. */
+ while (ptr) {
+ tlen += ptr->payload->l + sizeof (struct isakmp_gen);
+@@ -3064,7 +3070,7 @@
+ }
+
+ #ifdef ENABLE_FRAG
+-int
++int
+ frag_handler(iph1, msg, remote, local)
+ struct ph1handle *iph1;
+ vchar_t *msg;
+@@ -3075,7 +3081,7 @@
+
+ if (isakmp_frag_extract(iph1, msg) == 1) {
+ if ((newmsg = isakmp_frag_reassembly(iph1)) == NULL) {
+- plog(LLV_ERROR, LOCATION, remote,
++ plog(LLV_ERROR, LOCATION, remote,
+ "Packet reassembly failed\n");
+ return -1;
+ }
+@@ -3125,24 +3131,24 @@
+ if (iph1->remote != NULL) {
+ GETNAMEINFO(iph1->remote, addrstr, portstr);
+
+- if (script_env_append(&envp, &envc,
++ if (script_env_append(&envp, &envc,
+ "REMOTE_ADDR", addrstr) != 0) {
+- plog(LLV_ERROR, LOCATION, NULL,
++ plog(LLV_ERROR, LOCATION, NULL,
+ "Cannot set REMOTE_ADDR\n");
+ goto out;
+ }
+
+- if (script_env_append(&envp, &envc,
++ if (script_env_append(&envp, &envc,
+ "REMOTE_PORT", portstr) != 0) {
+- plog(LLV_ERROR, LOCATION, NULL,
++ plog(LLV_ERROR, LOCATION, NULL,
+ "Cannot set REMOTEL_PORT\n");
+ goto out;
+ }
+ }
+
+- if (privsep_script_exec(iph1->rmconf->script[script]->v,
+- script, envp) != 0)
+- plog(LLV_ERROR, LOCATION, NULL,
++ if (privsep_script_exec(iph1->rmconf->script[script]->v,
++ script, envp) != 0)
++ plog(LLV_ERROR, LOCATION, NULL,
+ "Script %s execution failed\n", script_names[script]);
+
+ out:
+@@ -3202,7 +3208,7 @@
+ argv[1] = script_names[name];
+ argv[2] = NULL;
+
+- switch (fork()) {
++ switch (fork()) {
+ case 0:
+ execve(argv[0], argv, envp);
+ plog(LLV_ERROR, LOCATION, NULL,
+@@ -3217,7 +3223,7 @@
+ break;
+ default:
+ break;
+- }
++ }
+ return 0;
+
+ }
+@@ -3243,7 +3249,7 @@
+ iph1->status = PHASE1ST_EXPIRED;
+
+ /* Check if we have another, still valid, phase1 SA. */
+- new_iph1 = getph1byaddr(iph1->local, iph1->remote, 1);
++ new_iph1 = getph1(iph1, iph1->local, iph1->remote, GETPH1_F_ESTABLISHED);
+
+ /*
+ * Delete all orphaned or binded to the deleting ph1handle phase2 SAs.
+@@ -3319,7 +3325,7 @@
+ ntohl(sa->sadb_sa_spi));
+ }else{
+
+- /*
++ /*
+ * If we have a new ph1, do not purge IPsec-SAs binded
+ * to a different ISAKMP-SA
+ */
+@@ -3331,7 +3337,7 @@
+ /* If the ph2handle is established, do not purge IPsec-SA */
+ if (iph2->status == PHASE2ST_ESTABLISHED ||
+ iph2->status == PHASE2ST_EXPIRED) {
+-
++
+ plog(LLV_INFO, LOCATION, NULL,
+ "keeping IPsec-SA spi=%u - found valid ISAKMP-SA spi=%s.\n",
+ ntohl(sa->sadb_sa_spi),
+@@ -3342,7 +3348,7 @@
+ }
+ }
+
+-
++
+ pfkey_send_delete(lcconf->sock_pfkey,
+ msg->sadb_msg_satype,
+ IPSEC_MODE_ANY,
+@@ -3373,7 +3379,7 @@
+ sched_schedule(&iph1->sce, 1, isakmp_ph1delete_stub);
+ }
+
+-void
++void
+ delete_spd(iph2, created)
+ struct ph2handle *iph2;
+ u_int64_t created;
+@@ -3399,22 +3405,22 @@
+
+ plog(LLV_INFO, LOCATION, NULL,
+ "generated policy, deleting it.\n");
+-
++
+ memset(&spidx, 0, sizeof(spidx));
+ iph2->spidx_gen = (caddr_t )&spidx;
+-
++
+ /* make inbound policy */
+ iph2->src = dst;
+ iph2->dst = src;
+ spidx.dir = IPSEC_DIR_INBOUND;
+ spidx.ul_proto = 0;
+-
+- /*
++
++ /*
+ * Note: code from get_proposal_r
+ */
+-
++
+ #define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type
+-
++
+ /*
+ * make destination address in spidx from either ID payload
+ * or phase 1 address into a address in spidx.
+@@ -3430,48 +3436,48 @@
+ &spidx.prefd, &spidx.ul_proto);
+ if (error)
+ goto purge;
+-
++
+ #ifdef INET6
+ /*
+ * get scopeid from the SA address.
+ * note that the phase 1 source address is used as
+- * a destination address to search for a inbound
++ * a destination address to search for a inbound
+ * policy entry because rcoon is responder.
+ */
+ if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
+- if ((error =
++ if ((error =
+ setscopeid((struct sockaddr *)&spidx.dst,
+ iph2->src)) != 0)
+ goto purge;
+ }
+ #endif
+-
++
+ if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
+ || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR)
+ idi2type = _XIDT(iph2->id);
+-
++
+ } else {
+-
++
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "get a destination address of SP index "
+ "from phase1 address "
+ "due to no ID payloads found "
+ "OR because ID type is not address.\n");
+-
++
+ /*
+- * copy the SOURCE address of IKE into the
+- * DESTINATION address of the key to search the
++ * copy the SOURCE address of IKE into the
++ * DESTINATION address of the key to search the
+ * SPD because the direction of policy is inbound.
+ */
+ memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src));
+ switch (spidx.dst.ss_family) {
+ case AF_INET:
+- spidx.prefd =
++ spidx.prefd =
+ sizeof(struct in_addr) << 3;
+ break;
+ #ifdef INET6
+ case AF_INET6:
+- spidx.prefd =
++ spidx.prefd =
+ sizeof(struct in6_addr) << 3;
+ break;
+ #endif
+@@ -3480,7 +3486,7 @@
+ break;
+ }
+ }
+-
++
+ /* make source address in spidx */
+ if (iph2->id_p != NULL
+ && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR
+@@ -3500,7 +3506,7 @@
+ * for more detail, see above of this function.
+ */
+ if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
+- error =
++ error =
+ setscopeid((struct sockaddr *)&spidx.src,
+ iph2->dst);
+ if (error)
+@@ -3538,12 +3544,12 @@
+ memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst));
+ switch (spidx.src.ss_family) {
+ case AF_INET:
+- spidx.prefs =
++ spidx.prefs =
+ sizeof(struct in_addr) << 3;
+ break;
+ #ifdef INET6
+ case AF_INET6:
+- spidx.prefs =
++ spidx.prefs =
+ sizeof(struct in6_addr) << 3;
+ break;
+ #endif
+@@ -3574,14 +3580,14 @@
+ spidx.ul_proto = IPSEC_ULPROTO_ANY;
+
+ #undef _XIDT
+-
++
+ /* Check if the generated SPD has the same timestamp as the SA.
+ * If timestamps are different, this means that the SPD entry has been
+ * refreshed by another SA, and should NOT be deleted with the current SA.
+ */
+ if( created ){
+ struct secpolicy *p;
+-
++
+ p = getsp(&spidx);
+ if(p != NULL){
+ /* just do no test if p is NULL, because this probably just means
+@@ -3646,7 +3652,7 @@
+ struct sockaddr *sp_addr0, *sa_addr0;
+ {
+ struct sockaddr_in6 *sp_addr, *sa_addr;
+-
++
+ sp_addr = (struct sockaddr_in6 *)sp_addr0;
+ sa_addr = (struct sockaddr_in6 *)sa_addr0;
+
+Index: src/racoon/isakmp_var.h
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h,v
+retrieving revision 1.15
+diff -u -r1.15 isakmp_var.h
+--- a/src/racoon/isakmp_var.h 20 Apr 2009 13:24:36 -0000 1.15
++++ b/src/racoon/isakmp_var.h 19 Aug 2009 14:35:07 -0000
+@@ -5,7 +5,7 @@
+ /*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+- *
++ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+@@ -17,7 +17,7 @@
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+- *
++ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+@@ -87,7 +87,7 @@
+ extern void isakmp_ph2delete __P((struct ph2handle *));
+
+ extern int isakmp_get_sainfo __P((struct ph2handle *, struct secpolicy *, struct secpolicy *));
+-extern int isakmp_post_acquire __P((struct ph2handle *));
++extern int isakmp_post_acquire __P((struct ph2handle *, struct ph1handle *));
+ extern int isakmp_post_getspi __P((struct ph2handle *));
+ extern void isakmp_chkph1there_stub __P((struct sched *));
+ extern void isakmp_chkph1there __P((struct ph2handle *));
+@@ -131,7 +131,7 @@
+ struct remoteconf *, struct sockaddr *, struct sockaddr *));
+ extern void log_ph1established __P((const struct ph1handle *));
+
+-extern void script_hook __P((struct ph1handle *, int));
++extern void script_hook __P((struct ph1handle *, int));
+ extern int script_env_append __P((char ***, int *, char *, char *));
+ extern int script_exec __P((char *, int, char * const *));
+
+Index: src/racoon/pfkey.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/pfkey.c,v
+retrieving revision 1.50
+diff -u -r1.50 pfkey.c
+--- a/src/racoon/pfkey.c 10 Aug 2009 08:22:13 -0000 1.50
++++ b/src/racoon/pfkey.c 19 Aug 2009 14:35:07 -0000
+@@ -5,7 +5,7 @@
+ /*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+- *
++ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+@@ -17,7 +17,7 @@
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+- *
++ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+@@ -173,7 +173,7 @@
+
+ /* cope with old kame headers - ugly */
+ #ifndef SADB_X_AALG_MD5
+-#define SADB_X_AALG_MD5 SADB_AALG_MD5
++#define SADB_X_AALG_MD5 SADB_AALG_MD5
+ #endif
+ #ifndef SADB_X_AALG_SHA
+ #define SADB_X_AALG_SHA SADB_AALG_SHA
+@@ -353,7 +353,7 @@
+ "type %i, pid %i\n", msg->sadb_msg_type, msg->sadb_msg_pid);
+ continue;
+ }
+-
++
+
+ ml = msg->sadb_msg_len << 3;
+ bl = buf ? buf->l : 0;
+@@ -839,7 +839,7 @@
+ goto bad;
+ *a_keylen >>= 3;
+
+- if (t_id == IPSECDOI_ATTR_AUTH_HMAC_MD5
++ if (t_id == IPSECDOI_ATTR_AUTH_HMAC_MD5
+ && hashtype == IPSECDOI_ATTR_AUTH_KPDK) {
+ /* AH_MD5 + Auth(KPDK) = RFC1826 keyed-MD5 */
+ *a_type = SADB_X_AALG_MD5;
+@@ -919,7 +919,7 @@
+ racoon_free(dst);
+ return -1;
+ }
+-
++
+ for (pr = pp->head; pr != NULL; pr = pr->next) {
+
+ /* validity check */
+@@ -991,7 +991,7 @@
+ * receive GETSPI from kernel.
+ */
+ static int
+-pk_recvgetspi(mhp)
++pk_recvgetspi(mhp)
+ caddr_t *mhp;
+ {
+ struct sadb_msg *msg;
+@@ -1111,7 +1111,7 @@
+ sa_args.l_addtime = iph2->lifetime_secs;
+ else
+ sa_args.l_addtime = iph2->approval->lifetime;
+- sa_args.seq = iph2->seq;
++ sa_args.seq = iph2->seq;
+ sa_args.wsize = 4;
+
+ if (iph2->sa_src && iph2->sa_dst) {
+@@ -1163,7 +1163,7 @@
+ pr->head->trns_id,
+ pr->head->authtype,
+ &sa_args.e_type, &sa_args.e_keylen,
+- &sa_args.a_type, &sa_args.a_keylen,
++ &sa_args.a_type, &sa_args.a_keylen,
+ &sa_args.flags) < 0){
+ racoon_free(sa_args.src);
+ racoon_free(sa_args.dst);
+@@ -1221,11 +1221,11 @@
+ * But it is impossible because there is not key in the
+ * information from the kernel.
+ */
+-
++
+ /* change some things before backing up */
+ sa_args.wsize = 4;
+ sa_args.l_bytes = iph2->approval->lifebyte * 1024;
+-
++
+ if (backupsa_to_file(&sa_args) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "backuped SA failed: %s\n",
+@@ -1447,7 +1447,7 @@
+ pr->head->trns_id,
+ pr->head->authtype,
+ &sa_args.e_type, &sa_args.e_keylen,
+- &sa_args.a_type, &sa_args.a_keylen,
++ &sa_args.a_type, &sa_args.a_keylen,
+ &sa_args.flags) < 0){
+ racoon_free(sa_args.src);
+ racoon_free(sa_args.dst);
+@@ -1668,11 +1668,12 @@
+ " being negotiated. Stopping negotiation.\n");
+ }
+
+- /* turn off the timer for calling isakmp_ph2expire() */
++ /* turn off the timer for calling isakmp_ph2expire() */
+ sched_cancel(&iph2->sce);
+
+ if (iph2->status == PHASE2ST_ESTABLISHED &&
+ iph2->side == INITIATOR) {
++ struct ph1handle *iph1hint;
+ /*
+ * Active phase 2 expired and we were initiator.
+ * Begin new phase 2 exchange, so we can keep on sending
+@@ -1680,11 +1681,12 @@
+ */
+
+ /* update status for re-use */
++ iph1hint = iph2->ph1;
+ initph2(iph2);
+ iph2->status = PHASE2ST_STATUS2;
+
+ /* start quick exchange */
+- if (isakmp_post_acquire(iph2) < 0) {
++ if (isakmp_post_acquire(iph2, iph1hint) < 0) {
+ plog(LLV_ERROR, LOCATION, iph2->dst,
+ "failed to begin ipsec sa "
+ "re-negotication.\n");
+@@ -1750,7 +1752,7 @@
+ if (m_sec_ctx != NULL) {
+ plog(LLV_INFO, LOCATION, NULL, "security context doi: %u\n",
+ m_sec_ctx->sadb_x_ctx_doi);
+- plog(LLV_INFO, LOCATION, NULL,
++ plog(LLV_INFO, LOCATION, NULL,
+ "security context algorithm: %u\n",
+ m_sec_ctx->sadb_x_ctx_alg);
+ plog(LLV_INFO, LOCATION, NULL, "security context length: %u\n",
+@@ -1960,7 +1962,7 @@
+
+ /* start isakmp initiation by using ident exchange */
+ /* XXX should be looped if there are multiple phase 2 handler. */
+- if (isakmp_post_acquire(iph2) < 0) {
++ if (isakmp_post_acquire(iph2, NULL) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to begin ipsec sa negotication.\n");
+ remph2(iph2);
+@@ -2145,7 +2147,7 @@
+ p->sadb_x_ctx_len = spidx->sec_ctx.ctx_strlen;
+ p->sadb_x_ctx_doi = spidx->sec_ctx.ctx_doi;
+ p->sadb_x_ctx_alg = spidx->sec_ctx.ctx_alg;
+-
++
+ memcpy(p + 1,spidx->sec_ctx.ctx_str,spidx->sec_ctx.ctx_strlen);
+ len += ctxlen;
+ }
+@@ -2184,7 +2186,7 @@
+ goto err;
+ }
+
+- /*
++ /*
+ * the policy level cannot be unique because the policy
+ * is defined later than SA, so req_id cannot be bound to SA.
+ */
+@@ -2217,7 +2219,7 @@
+
+ xisr->sadb_x_ipsecrequest_len = PFKEY_ALIGN8(xisrlen);
+ xisr = (struct sadb_x_ipsecrequest *)p;
+-
++
+ }
+ racoon_free(pr_rlist);
+
+@@ -3070,6 +3072,8 @@
+ rmconf = getrmconf(iph2->dst, 0);
+
+ if (rmconf && !rmconf->passive) {
++ struct ph1handle *iph1hint;
++
+ plog(LLV_WARNING, LOCATION, iph2->dst, "MIGRATE received "
+ "*during* IPsec SA negotiation. As initiator, "
+ "restarting it.\n");
+@@ -3079,11 +3083,12 @@
+ iph2->status = PHASE2ST_EXPIRED;
+
+ /* ... clean Phase 2 handle ... */
++ iph1hint = iph2->ph1;
+ initph2(iph2);
+ iph2->status = PHASE2ST_STATUS2;
+
+ /* and start a new negotiation */
+- if (isakmp_post_acquire(iph2) < 0) {
++ if (isakmp_post_acquire(iph2, iph1hint) < 0) {
+ plog(LLV_ERROR, LOCATION, iph2->dst, "failed "
+ "to begin IPsec SA renegotiation after "
+ "MIGRATE reception.\n");
diff --git a/main/ipsec-tools/20-natoa-fix.patch b/main/ipsec-tools/20-natoa-fix.patch
deleted file mode 100644
index 91d7224e2a..0000000000
--- a/main/ipsec-tools/20-natoa-fix.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Fix nat-oa parsing when rekeying.
-
-From: Timo Teras <timo.teras@iki.fi>
-
-
----
-
- src/racoon/handler.c | 11 +++++++++++
- 1 files changed, 11 insertions(+), 0 deletions(-)
-
-
-diff --git a/src/racoon/handler.c b/src/racoon/handler.c
-index 6f91beb..960b5b3 100644
---- a/src/racoon/handler.c
-+++ b/src/racoon/handler.c
-@@ -736,6 +736,17 @@ initph2(iph2)
- oakley_delivm(iph2->ivm);
- iph2->ivm = NULL;
- }
-+
-+#ifdef ENABLE_NATT
-+ if (iph2->natoa_src) {
-+ racoon_free(iph2->natoa_src);
-+ iph2->natoa_src = NULL;
-+ }
-+ if (iph2->natoa_dst) {
-+ racoon_free(iph2->natoa_dst);
-+ iph2->natoa_dst = NULL;
-+ }
-+#endif
- }
-
- /*
diff --git a/main/ipsec-tools/30-natt-ports-cleanup.patch b/main/ipsec-tools/30-natt-ports-cleanup.patch
deleted file mode 100644
index 19360347da..0000000000
--- a/main/ipsec-tools/30-natt-ports-cleanup.patch
+++ /dev/null
@@ -1,393 +0,0 @@
-From Yvan Vanhullebus: Use SADB_X_EXT_NAT_T_* consistently for passing the
-
-From: Timo Teras <timo.teras@iki.fi>
-
-NAT-T port information.
----
-
- src/libipsec/libpfkey.h | 12 ++++++++
- src/libipsec/pfkey.c | 49 +++++++++++++++++++++++++++++++++
- src/racoon/isakmp.c | 11 +++++++
- src/racoon/isakmp_inf.c | 37 +++++++++++++------------
- src/racoon/pfkey.c | 69 +++++++++++++++++++++++++++++++++--------------
- src/racoon/pfkey.h | 1 +
- 6 files changed, 140 insertions(+), 39 deletions(-)
-
-
-diff --git a/src/libipsec/libpfkey.h b/src/libipsec/libpfkey.h
-index 8a503dd..c9b228b 100644
---- a/src/libipsec/libpfkey.h
-+++ b/src/libipsec/libpfkey.h
-@@ -117,6 +117,10 @@ u_int pfkey_set_softrate __P((u_int, u_int));
- u_int pfkey_get_softrate __P((u_int));
- int pfkey_send_getspi __P((int, u_int, u_int, struct sockaddr *,
- struct sockaddr *, u_int32_t, u_int32_t, u_int32_t, u_int32_t));
-+int pfkey_send_getspi_nat __P((int, u_int, u_int,
-+ struct sockaddr *, struct sockaddr *, u_int8_t, u_int16_t, u_int16_t,
-+ u_int32_t, u_int32_t, u_int32_t, u_int32_t));
-+
- int pfkey_send_update2 __P((struct pfkey_send_sa_args *));
- int pfkey_send_add2 __P((struct pfkey_send_sa_args *));
- int pfkey_send_delete __P((int, u_int, u_int,
-@@ -155,6 +159,14 @@ int pfkey_send_migrate __P((int, struct sockaddr *, struct sockaddr *,
- caddr_t, int, u_int32_t));
- #endif
-
-+/* XXX should be somewhere else !!!
-+ */
-+#ifdef SADB_X_NAT_T_NEW_MAPPING
-+#define PFKEY_ADDR_X_PORT(ext) (ntohs(((struct sadb_x_nat_t_port *)ext)->sadb_x_nat_t_port_port))
-+#define PFKEY_ADDR_X_NATTYPE(ext) ( ext != NULL && ((struct sadb_x_nat_t_type *)ext)->sadb_x_nat_t_type_type )
-+#endif
-+
-+
- int pfkey_open __P((void));
- void pfkey_close __P((int));
- int pfkey_set_buffer_size __P((int, int));
-diff --git a/src/libipsec/pfkey.c b/src/libipsec/pfkey.c
-index 0a944c2..b39ffca 100644
---- a/src/libipsec/pfkey.c
-+++ b/src/libipsec/pfkey.c
-@@ -380,10 +380,12 @@ pfkey_get_softrate(type)
- * -1 : error occured, and set errno.
- */
- int
--pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq)
-+pfkey_send_getspi_nat(so, satype, mode, src, dst, natt_type, sport, dport, min, max, reqid, seq)
- int so;
- u_int satype, mode;
- struct sockaddr *src, *dst;
-+ u_int8_t natt_type;
-+ u_int16_t sport, dport;
- u_int32_t min, max, reqid, seq;
- {
- struct sadb_msg *newmsg;
-@@ -431,6 +433,14 @@ pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq)
- len += sizeof(struct sadb_spirange);
- }
-
-+#ifdef SADB_X_EXT_NAT_T_TYPE
-+ if(natt_type||sport||dport){
-+ len += sizeof(struct sadb_x_nat_t_type);
-+ len += sizeof(struct sadb_x_nat_t_port);
-+ len += sizeof(struct sadb_x_nat_t_port);
-+ }
-+#endif
-+
- if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) {
- __ipsec_set_strerror(strerror(errno));
- return -1;
-@@ -466,6 +476,32 @@ pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq)
- return -1;
- }
-
-+#ifdef SADB_X_EXT_NAT_T_TYPE
-+ /* Add nat-t messages */
-+ if (natt_type) {
-+ p = pfkey_set_natt_type(p, ep, SADB_X_EXT_NAT_T_TYPE,
-+ natt_type);
-+ if (!p) {
-+ free(newmsg);
-+ return -1;
-+ }
-+
-+ p = pfkey_set_natt_port(p, ep, SADB_X_EXT_NAT_T_SPORT,
-+ sport);
-+ if (!p) {
-+ free(newmsg);
-+ return -1;
-+ }
-+
-+ p = pfkey_set_natt_port(p, ep, SADB_X_EXT_NAT_T_DPORT,
-+ dport);
-+ if (!p) {
-+ free(newmsg);
-+ return -1;
-+ }
-+ }
-+#endif
-+
- /* proccessing spi range */
- if (need_spirange) {
- struct sadb_spirange spirange;
-@@ -501,6 +537,17 @@ pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq)
- return len;
- }
-
-+int
-+pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq)
-+ int so;
-+ u_int satype, mode;
-+ struct sockaddr *src, *dst;
-+ u_int32_t min, max, reqid, seq;
-+{
-+ return pfkey_send_getspi_nat(so, satype, mode, src, dst, 0, 0, 0,
-+ min, max, reqid, seq);
-+}
-+
- /*
- * sending SADB_UPDATE message to the kernel.
- * The length of key material is a_keylen + e_keylen.
-diff --git a/src/racoon/isakmp.c b/src/racoon/isakmp.c
-index c8670f6..fe51653 100644
---- a/src/racoon/isakmp.c
-+++ b/src/racoon/isakmp.c
-@@ -3324,6 +3324,17 @@ purge_remote(iph1)
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
-+#ifdef SADB_X_NAT_T_NEW_MAPPING
-+ if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) {
-+ /* NAT-T is enabled for this SADB entry; copy
-+ * the ports from NAT-T extensions */
-+ if(mhp[SADB_X_EXT_NAT_T_SPORT] != NULL)
-+ set_port(src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT]));
-+ if(mhp[SADB_X_EXT_NAT_T_DPORT] != NULL)
-+ set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));
-+ }
-+#endif
-+
- if (sa->sadb_sa_state != SADB_SASTATE_LARVAL &&
- sa->sadb_sa_state != SADB_SASTATE_MATURE &&
- sa->sadb_sa_state != SADB_SASTATE_DYING) {
-diff --git a/src/racoon/isakmp_inf.c b/src/racoon/isakmp_inf.c
-index 1ada07f..a712825 100644
---- a/src/racoon/isakmp_inf.c
-+++ b/src/racoon/isakmp_inf.c
-@@ -1128,8 +1128,7 @@ purge_ipsec_spi(dst0, proto, spi, n)
- size_t i;
- caddr_t mhp[SADB_EXT_MAX + 1];
- #ifdef ENABLE_NATT
-- struct sadb_x_nat_t_type *natt_type;
-- struct sadb_x_nat_t_port *natt_port;
-+ int natt_port_forced;
- #endif
-
- plog(LLV_DEBUG2, LOCATION, NULL,
-@@ -1184,22 +1183,25 @@ purge_ipsec_spi(dst0, proto, spi, n)
- continue;
- }
- #ifdef ENABLE_NATT
-- natt_type = (void *)mhp[SADB_X_EXT_NAT_T_TYPE];
-- if (natt_type && natt_type->sadb_x_nat_t_type_type) {
-+ if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) {
- /* NAT-T is enabled for this SADB entry; copy
- * the ports from NAT-T extensions */
-- natt_port = (void *)mhp[SADB_X_EXT_NAT_T_SPORT];
-- if (extract_port(src) == 0 && natt_port != NULL)
-- set_port(src, ntohs(natt_port->sadb_x_nat_t_port_port));
--
-- natt_port = (void *)mhp[SADB_X_EXT_NAT_T_DPORT];
-- if (extract_port(dst) == 0 && natt_port != NULL)
-- set_port(dst, ntohs(natt_port->sadb_x_nat_t_port_port));
-- }else{
-- /* Force default UDP ports, so CMPSADDR will match SAs with NO encapsulation
-- */
-+ if (extract_port(src) == 0 &&
-+ mhp[SADB_X_EXT_NAT_T_SPORT] != NULL) {
-+ set_port(src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT]));
-+ }
-+
-+ if (extract_port(dst) == 0 &&
-+ mhp[SADB_X_EXT_NAT_T_DPORT] != NULL) {
-+ set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));
-+ }
-+ natt_port_forced = 0;
-+ } else {
-+ /* Force default UDP ports, so
-+ * CMPSADDR will match SAs with NO encapsulation */
- set_port(src, PORT_ISAKMP);
- set_port(dst, PORT_ISAKMP);
-+ natt_port_forced = 1;
- }
- #endif
- plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(src));
-@@ -1215,10 +1217,9 @@ purge_ipsec_spi(dst0, proto, spi, n)
- }
-
- #ifdef ENABLE_NATT
-- if (natt_type == NULL ||
-- ! natt_type->sadb_x_nat_t_type_type) {
-- /* Set back port to 0 if it was forced to default UDP port
-- */
-+ if (natt_port_forced) {
-+ /* Set back port to 0 if it was forced
-+ * to default UDP port */
- set_port(src, 0);
- set_port(dst, 0);
- }
-diff --git a/src/racoon/pfkey.c b/src/racoon/pfkey.c
-index 610cc09..c210c5e 100644
---- a/src/racoon/pfkey.c
-+++ b/src/racoon/pfkey.c
-@@ -769,6 +769,28 @@ keylen_ealg(enctype, encklen)
- return res;
- }
-
-+void
-+pk_fixup_sa_addresses(mhp)
-+ caddr_t *mhp;
-+{
-+ struct sockaddr *src, *dst;
-+ src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
-+ dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-+#ifdef ENABLE_NATT
-+ if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) {
-+ /* NAT-T is enabled for this SADB entry; copy
-+ * the ports from NAT-T extensions */
-+ if(mhp[SADB_X_EXT_NAT_T_SPORT] != NULL)
-+ set_port(src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT]));
-+ if(mhp[SADB_X_EXT_NAT_T_DPORT] != NULL)
-+ set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));
-+ }
-+#else
-+ set_port(src, 0);
-+ set_port(dst, 0);
-+#endif
-+}
-+
- int
- pfkey_convertfromipsecdoi(proto_id, t_id, hashtype,
- e_type, e_keylen, a_type, a_keylen, flags)
-@@ -866,6 +888,8 @@ pk_sendgetspi(iph2)
- struct saprop *pp;
- struct saproto *pr;
- u_int32_t minspi, maxspi;
-+ u_int8_t natt_type = 0;
-+ u_int16_t sport = 0, dport = 0;
-
- if (iph2->side == INITIATOR)
- pp = iph2->proposal;
-@@ -919,19 +943,27 @@ pk_sendgetspi(iph2)
- }
-
- #ifdef ENABLE_NATT
-- if (! pr->udp_encap) {
-- /* Remove port information, that SA doesn't use it */
-- set_port(iph2->src, 0);
-- set_port(iph2->dst, 0);
-+ if (pr->udp_encap) {
-+ natt_type = iph2->ph1->natt_options->encaps_type;
-+ sport=extract_port(src);
-+ dport=extract_port(dst);
- }
- #endif
-+ /* Always remove port information, it will be sent in
-+ * SADB_X_EXT_NAT_T_[S|D]PORT if needed */
-+ set_port(src, 0);
-+ set_port(dst, 0);
-+
- plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_getspi\n");
-- if (pfkey_send_getspi(
-+ if (pfkey_send_getspi_nat(
- lcconf->sock_pfkey,
- satype,
- mode,
- dst, /* src of SA */
- src, /* dst of SA */
-+ natt_type,
-+ dport,
-+ sport,
- minspi, maxspi,
- pr->reqid_in, iph2->seq) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
-@@ -1157,13 +1189,13 @@ pk_sendupdate(iph2)
- #ifdef SADB_X_EXT_NAT_T_FRAG
- sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
- #endif
-- } else {
-- /* Remove port information, that SA doesn't use it */
-- set_port(sa_args.src, 0);
-- set_port(sa_args.dst, 0);
- }
--
- #endif
-+ /* Always remove port information, it will be sent in
-+ * SADB_X_EXT_NAT_T_[S|D]PORT if needed */
-+ set_port(sa_args.src, 0);
-+ set_port(sa_args.dst, 0);
-+
- /* more info to fill in */
- sa_args.spi = pr->spi;
- sa_args.reqid = pr->reqid_in;
-@@ -1236,6 +1268,7 @@ pk_recvupdate(mhp)
- return -1;
- }
- msg = (struct sadb_msg *)mhp[0];
-+ pk_fixup_sa_addresses(mhp);
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
-@@ -1328,7 +1361,6 @@ pk_recvupdate(mhp)
- /* Force the update of ph2's ports, as there is at least one
- * situation where they'll mismatch with ph1's values
- */
--
- #ifdef ENABLE_NATT
- set_port(iph2->src, extract_port(iph2->ph1->local));
- set_port(iph2->dst, extract_port(iph2->ph1->remote));
-@@ -1456,17 +1488,12 @@ pk_sendadd(iph2)
- #ifdef SADB_X_EXT_NAT_T_FRAG
- sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
- #endif
-- } else {
-- /* Remove port information, that SA doesn't use it */
-- set_port(sa_args.src, 0);
-- set_port(sa_args.dst, 0);
- }
--
--#else
-- /* Remove port information, it is not used without NAT-T */
-+#endif
-+ /* Always remove port information, it will be sent in
-+ * SADB_X_EXT_NAT_T_[S|D]PORT if needed */
- set_port(sa_args.src, 0);
- set_port(sa_args.dst, 0);
--#endif
-
- /* more info to fill in */
- sa_args.spi = pr->spi_p;
-@@ -1596,6 +1623,7 @@ pk_recvexpire(mhp)
- }
- msg = (struct sadb_msg *)mhp[0];
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
-+ pk_fixup_sa_addresses(mhp);
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
-@@ -1721,6 +1749,7 @@ pk_recvacquire(mhp)
- }
- msg = (struct sadb_msg *)mhp[0];
- xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
-+ pk_fixup_sa_addresses(mhp);
- sp_src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- sp_dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
-@@ -1971,6 +2000,7 @@ pk_recvdelete(mhp)
- }
- msg = (struct sadb_msg *)mhp[0];
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
-+ pk_fixup_sa_addresses(mhp);
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
-@@ -2709,7 +2739,6 @@ pk_recvspddump(mhp)
- return -1;
- }
- msg = (struct sadb_msg *)mhp[0];
--
- saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
- daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
- xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
-diff --git a/src/racoon/pfkey.h b/src/racoon/pfkey.h
-index a3acd1c..f1b037d 100644
---- a/src/racoon/pfkey.h
-+++ b/src/racoon/pfkey.h
-@@ -52,6 +52,7 @@ extern struct pfkey_st *pfkey_getpst __P((caddr_t *, int, int));
- extern int pk_checkalg __P((int, int, int));
-
- struct ph2handle;
-+extern void pk_fixup_sa_addresses __P((caddr_t *mhp));
- extern int pk_sendgetspi __P((struct ph2handle *));
- extern int pk_sendupdate __P((struct ph2handle *));
- extern int pk_sendadd __P((struct ph2handle *));
diff --git a/main/ipsec-tools/40-cmpsaddr-cleanup.patch b/main/ipsec-tools/40-cmpsaddr-cleanup.patch
deleted file mode 100644
index c5e3e4b330..0000000000
--- a/main/ipsec-tools/40-cmpsaddr-cleanup.patch
+++ /dev/null
@@ -1,1403 +0,0 @@
-Get rid of CMPSADDR hack in port comparisons. Trac #295.
-
-From: Timo Teras <timo.teras@iki.fi>
-
-
----
-
- src/racoon/admin.c | 37 ++++---
- src/racoon/grabmyaddr.c | 22 ++--
- src/racoon/handler.c | 41 +++-----
- src/racoon/handler.h | 7 -
- src/racoon/isakmp.c | 90 ++++-------------
- src/racoon/isakmp_cfg.c | 9 --
- src/racoon/isakmp_inf.c | 111 ++++-----------------
- src/racoon/isakmp_quick.c | 29 +++---
- src/racoon/nattraversal.c | 8 +-
- src/racoon/pfkey.c | 52 +++-------
- src/racoon/policy.c | 22 ++--
- src/racoon/remoteconf.c | 30 +-----
- src/racoon/remoteconf.h | 3 -
- src/racoon/sockmisc.c | 234 +++------------------------------------------
- src/racoon/sockmisc.h | 15 +--
- src/racoon/throttle.c | 2
- 16 files changed, 170 insertions(+), 542 deletions(-)
-
-
-diff --git a/src/racoon/admin.c b/src/racoon/admin.c
-index 576e191..b67e545 100644
---- a/src/racoon/admin.c
-+++ b/src/racoon/admin.c
-@@ -167,6 +167,14 @@ end:
- return error;
- }
-
-+static int admin_ph1_delete_sa(struct ph1handle *iph1, void *arg)
-+{
-+ if (iph1->status >= PHASE1ST_ESTABLISHED)
-+ isakmp_info_send_d1(iph1);
-+ purge_remote(iph1);
-+ return 0;
-+}
-+
- /*
- * main child's process.
- */
-@@ -257,7 +265,7 @@ admin_process(so2, combuf)
- break;
- }
-
-- iph1 = getph1byaddrwop(src, dst);
-+ iph1 = getph1byaddr(src, dst, 0);
- if (iph1 == NULL) {
- l_ac_errno = ENOENT;
- break;
-@@ -292,30 +300,25 @@ admin_process(so2, combuf)
-
- case ADMIN_DELETE_SA: {
- struct ph1handle *iph1;
-- struct sockaddr *dst;
-- struct sockaddr *src;
-+ struct ph1selector sel;
- char *loc, *rem;
-
-- src = (struct sockaddr *)
-+ memset(&sel, 0, sizeof(sel));
-+ sel.local = (struct sockaddr *)
- &((struct admin_com_indexes *)
- ((caddr_t)com + sizeof(*com)))->src;
-- dst = (struct sockaddr *)
-+ sel.remote = (struct sockaddr *)
- &((struct admin_com_indexes *)
- ((caddr_t)com + sizeof(*com)))->dst;
-
-- loc = racoon_strdup(saddrwop2str(src));
-- rem = racoon_strdup(saddrwop2str(dst));
-+ loc = racoon_strdup(saddr2str(sel.local));
-+ rem = racoon_strdup(saddr2str(sel.remote));
- STRDUP_FATAL(loc);
- STRDUP_FATAL(rem);
-
-- if ((iph1 = getph1byaddrwop(src, dst)) == NULL) {
-- plog(LLV_ERROR, LOCATION, NULL,
-- "phase 1 for %s -> %s not found\n", loc, rem);
-- } else {
-- if (iph1->status >= PHASE1ST_ESTABLISHED)
-- isakmp_info_send_d1(iph1);
-- purge_remote(iph1);
-- }
-+ plog(LLV_INFO, LOCATION, NULL,
-+ "admin delete-sa %s %s\n", loc, rem);
-+ enumph1(&sel, admin_ph1_delete_sa, NULL);
-
- racoon_free(loc);
- racoon_free(rem);
-@@ -360,7 +363,7 @@ admin_process(so2, combuf)
- plog(LLV_INFO, LOCATION, NULL,
- "Flushing all SAs for peer %s\n", rem);
-
-- while ((iph1 = getph1bydstaddrwop(dst)) != NULL) {
-+ while ((iph1 = getph1bydstaddr(dst)) != NULL) {
- loc = racoon_strdup(saddrwop2str(iph1->local));
- STRDUP_FATAL(loc);
-
-@@ -429,7 +432,7 @@ admin_process(so2, combuf)
- l_ac_errno = -1;
-
- /* connected already? */
-- ph1 = getph1byaddrwop(src, dst);
-+ ph1 = getph1byaddr(src, dst, 0);
- if (ph1 != NULL) {
- event_list = &ph1->evt_listeners;
- if (ph1->status == PHASE1ST_ESTABLISHED)
-diff --git a/src/racoon/grabmyaddr.c b/src/racoon/grabmyaddr.c
-index f866dd5..cb1b638 100644
---- a/src/racoon/grabmyaddr.c
-+++ b/src/racoon/grabmyaddr.c
-@@ -100,7 +100,7 @@ myaddr_configured(addr)
- return TRUE;
-
- LIST_FOREACH(cfg, &configured, chain) {
-- if (cmpsaddrstrict(addr, (struct sockaddr *) &cfg->addr) == 0)
-+ if (cmpsaddr(addr, (struct sockaddr *) &cfg->addr) == 0)
- return TRUE;
- }
-
-@@ -116,7 +116,7 @@ myaddr_open(addr, udp_encap)
-
- /* Already open? */
- LIST_FOREACH(my, &opened, chain) {
-- if (cmpsaddrstrict(addr, (struct sockaddr *) &my->addr) == 0)
-+ if (cmpsaddr(addr, (struct sockaddr *) &my->addr) == 0)
- return TRUE;
- }
-
-@@ -156,7 +156,7 @@ myaddr_open_all_configured(addr)
-
- LIST_FOREACH(cfg, &configured, chain) {
- if (addr != NULL &&
-- cmpsaddrwop(addr, (struct sockaddr *) &cfg->addr) != 0)
-+ cmpsaddr(addr, (struct sockaddr *) &cfg->addr) != 0)
- continue;
- if (!myaddr_open((struct sockaddr *) &cfg->addr, cfg->udp_encap))
- return FALSE;
-@@ -187,8 +187,8 @@ myaddr_close_all_open(addr)
- for (my = LIST_FIRST(&opened); my; my = next) {
- next = LIST_NEXT(my, chain);
-
-- if (!cmpsaddrwop((struct sockaddr *) &addr,
-- (struct sockaddr *) &my->addr))
-+ if (!cmpsaddr((struct sockaddr *) &addr,
-+ (struct sockaddr *) &my->addr))
- myaddr_delete(my);
- }
- }
-@@ -261,7 +261,7 @@ myaddr_getfd(addr)
- struct myaddr *my;
-
- LIST_FOREACH(my, &opened, chain) {
-- if (cmpsaddrstrict((struct sockaddr *) &my->addr, addr) == 0)
-+ if (cmpsaddr((struct sockaddr *) &my->addr, addr) == 0)
- return my->fd;
- }
-
-@@ -273,19 +273,13 @@ myaddr_getsport(addr)
- struct sockaddr *addr;
- {
- struct myaddr *my;
-- int bestmatch_port = -1;
-
- LIST_FOREACH(my, &opened, chain) {
-- if (cmpsaddrstrict((struct sockaddr *) &my->addr, addr) == 0)
-+ if (cmpsaddr((struct sockaddr *) &my->addr, addr) == 0)
- return extract_port((struct sockaddr *) &my->addr);
-- if (cmpsaddrwop((struct sockaddr *) &my->addr, addr) != 0)
-- continue;
-- if (bestmatch_port == -1 ||
-- extract_port((struct sockaddr *) &my->addr) == PORT_ISAKMP)
-- bestmatch_port = extract_port((struct sockaddr *) &my->addr);
- }
-
-- return bestmatch_port;
-+ return PORT_ISAKMP;
- }
-
- void
-diff --git a/src/racoon/handler.c b/src/racoon/handler.c
-index 960b5b3..b33986f 100644
---- a/src/racoon/handler.c
-+++ b/src/racoon/handler.c
-@@ -120,11 +120,11 @@ enumph1(sel, enum_func, enum_arg)
- LIST_FOREACH(p, &ph1tree, chain) {
- if (sel != NULL) {
- if (sel->local != NULL &&
-- CMPSADDR(sel->local, p->local) != 0)
-+ cmpsaddr(sel->local, p->local) != 0)
- continue;
-
- if (sel->remote != NULL &&
-- CMPSADDR(sel->remote, p->remote) != 0)
-+ cmpsaddr(sel->remote, p->remote) != 0)
- continue;
- }
-
-@@ -201,17 +201,12 @@ getph1(rmconf, local, remote, flags)
- "status %d, skipping\n", p->status);
- continue;
- }
-- if (flags & GETPH1_F_WITHOUT_PORTS) {
-- if (local != NULL && cmpsaddrwop(local, p->local) != 0)
-- continue;
-- if (remote != NULL && cmpsaddrwop(remote, p->remote) != 0)
-- continue;
-- } else {
-- if (local != NULL && CMPSADDR(local, p->local) != 0)
-- continue;
-- if (remote != NULL && CMPSADDR(remote, p->remote) != 0)
-- continue;
-- }
-+
-+ if (local != NULL && cmpsaddr(local, p->local) != 0)
-+ continue;
-+
-+ if (remote != NULL && cmpsaddr(remote, p->remote) != 0)
-+ continue;
-
- plog(LLV_DEBUG2, LOCATION, NULL, "matched\n");
- return p;
-@@ -287,8 +282,8 @@ void migrate_dying_ph12(iph1)
- if (p->status < PHASE1ST_DYING)
- continue;
-
-- if (CMPSADDR(iph1->local, p->local) == 0
-- && CMPSADDR(iph1->remote, p->remote) == 0)
-+ if (cmpsaddr(iph1->local, p->local) == 0
-+ && cmpsaddr(iph1->remote, p->remote) == 0)
- migrate_ph12(p, iph1);
- }
- }
-@@ -518,11 +513,11 @@ enumph2(sel, enum_func, enum_arg)
- continue;
-
- if (sel->src != NULL &&
-- CMPSADDR(sel->src, p->src) != 0)
-+ cmpsaddr(sel->src, p->src) != 0)
- continue;
-
- if (sel->dst != NULL &&
-- CMPSADDR(sel->dst, p->dst) != 0)
-+ cmpsaddr(sel->dst, p->dst) != 0)
- continue;
- }
-
-@@ -586,8 +581,8 @@ getph2byid(src, dst, spid)
-
- LIST_FOREACH(p, &ph2tree, chain) {
- if (spid == p->spid &&
-- cmpsaddrwild(src, p->src) == 0 &&
-- cmpsaddrwild(dst, p->dst) == 0){
-+ cmpsaddr(src, p->src) == 0 &&
-+ cmpsaddr(dst, p->dst) == 0){
- /* Sanity check to detect zombie handlers
- * XXX Sould be done "somewhere" more interesting,
- * because we have lots of getph2byxxxx(), but this one
-@@ -614,8 +609,8 @@ getph2bysaddr(src, dst)
- struct ph2handle *p;
-
- LIST_FOREACH(p, &ph2tree, chain) {
-- if (cmpsaddrstrict(src, p->src) == 0 &&
-- cmpsaddrstrict(dst, p->dst) == 0)
-+ if (cmpsaddr(src, p->src) == 0 &&
-+ cmpsaddr(dst, p->dst) == 0)
- return p;
- }
-
-@@ -918,7 +913,7 @@ getcontacted(remote)
- struct contacted *p;
-
- LIST_FOREACH(p, &ctdtree, chain) {
-- if (cmpsaddrstrict(remote, p->remote) == 0)
-+ if (cmpsaddr(remote, p->remote) == 0)
- return p;
- }
-
-@@ -997,7 +992,7 @@ check_recvdpkt(remote, local, rbuf)
- /*
- * the packet was processed before, but the remote address mismatches.
- */
-- if (cmpsaddrstrict(remote, r->remote) != 0)
-+ if (cmpsaddr(remote, r->remote) != 0)
- return 2;
-
- /*
-diff --git a/src/racoon/handler.h b/src/racoon/handler.h
-index c31753d..8f19c88 100644
---- a/src/racoon/handler.h
-+++ b/src/racoon/handler.h
-@@ -467,7 +467,6 @@ extern int enumph1 __P((struct ph1selector *ph1sel,
- void *enum_arg));
-
- #define GETPH1_F_ESTABLISHED 0x0001
--#define GETPH1_F_WITHOUT_PORTS 0x0002
-
- extern struct ph1handle *getph1 __P((struct remoteconf *rmconf,
- struct sockaddr *local,
-@@ -476,10 +475,8 @@ extern struct ph1handle *getph1 __P((struct remoteconf *rmconf,
-
- #define getph1byaddr(local, remote, est) \
- getph1(NULL, local, remote, est ? GETPH1_F_ESTABLISHED : 0)
--#define getph1byaddrwop(local, remote) \
-- getph1(NULL, local, remote, GETPH1_F_WITHOUT_PORTS)
--#define getph1bydstaddrwop(remote) \
-- getph1(NULL, NULL, remote, GETPH1_F_WITHOUT_PORTS)
-+#define getph1bydstaddr(remote) \
-+ getph1(NULL, NULL, remote, 0)
-
- #ifdef ENABLE_HYBRID
- struct ph1handle *getph1bylogin __P((char *));
-diff --git a/src/racoon/isakmp.c b/src/racoon/isakmp.c
-index fe51653..0de16d1 100644
---- a/src/racoon/isakmp.c
-+++ b/src/racoon/isakmp.c
-@@ -475,8 +475,8 @@ isakmp_main(msg, remote, local)
- /* Floating ports for NAT-T */
- if (NATT_AVAILABLE(iph1) &&
- ! (iph1->natt_flags & NAT_PORTS_CHANGED) &&
-- ((cmpsaddrstrict(iph1->remote, remote) != 0) ||
-- (cmpsaddrstrict(iph1->local, local) != 0)))
-+ ((cmpsaddr(iph1->remote, remote) != 0) ||
-+ (cmpsaddr(iph1->local, local) != 0)))
- {
- /* prevent memory leak */
- racoon_free(iph1->remote);
-@@ -517,7 +517,7 @@ isakmp_main(msg, remote, local)
- #endif
-
- /* must be same addresses in one stream of a phase at least. */
-- if (cmpsaddrstrict(iph1->remote, remote) != 0) {
-+ if (cmpsaddr(iph1->remote, remote) != 0) {
- char *saddr_db, *saddr_act;
-
- saddr_db = racoon_strdup(saddr2str(iph1->remote));
-@@ -643,7 +643,7 @@ isakmp_main(msg, remote, local)
- "exchange received.\n");
- return -1;
- }
-- if (cmpsaddrstrict(iph1->remote, remote) != 0) {
-+ if (cmpsaddr(iph1->remote, remote) != 0) {
- plog(LLV_WARNING, LOCATION, remote,
- "remote address mismatched. "
- "db=%s\n",
-@@ -1275,6 +1275,12 @@ isakmp_ph2begin_i(iph1, iph2)
- }
- #endif
-
-+ /* fixup ph2 ports for this ph1 */
-+ if (extract_port(iph2->src) == 0)
-+ set_port(iph2->src, extract_port(iph1->local));
-+ if (extract_port(iph2->dst) == 0)
-+ set_port(iph2->dst, extract_port(iph1->remote));
-+
- /* found ISAKMP-SA. */
- plog(LLV_DEBUG, LOCATION, NULL, "===\n");
- plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
-@@ -1353,15 +1359,6 @@ isakmp_ph2begin_r(iph1, msg)
- delph2(iph2);
- return -1;
- }
--#if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
-- if (set_port(iph2->dst, 0) == NULL ||
-- set_port(iph2->src, 0) == NULL) {
-- plog(LLV_ERROR, LOCATION, NULL,
-- "invalid family: %d\n", iph2->dst->sa_family);
-- delph2(iph2);
-- return -1;
-- }
--#endif
-
- /* add new entry to isakmp status table */
- insph2(iph2);
-@@ -2186,23 +2183,12 @@ isakmp_post_acquire(iph2)
- return 0;
- }
-
-- /*
-- * Search isakmp status table by address and port
-- * If NAT-T is in use, consider null ports as a
-- * wildcard and use IKE ports instead.
-+ /*
-+ * XXX Searching by IP addresses + ports might fail on
-+ * some cases, we should use the ISAKMP identity to search
-+ * matching ISAKMP.
- */
--#ifdef ENABLE_NATT
-- if (!extract_port(iph2->src) && !extract_port(iph2->dst)) {
-- if ((iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL) {
-- set_port(iph2->src, extract_port(iph1->local));
-- set_port(iph2->dst, extract_port(iph1->remote));
-- }
-- } else {
-- iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
-- }
--#else
- iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
--#endif
-
- /* no ISAKMP-SA found. */
- if (iph1 == NULL) {
-@@ -2380,26 +2366,8 @@ isakmp_chkph1there(iph2)
- return;
- }
-
-- /*
-- * Search isakmp status table by address and port
-- * If NAT-T is in use, consider null ports as a
-- * wildcard and use IKE ports instead.
-- */
--#ifdef ENABLE_NATT
-- if (!extract_port(iph2->src) && !extract_port(iph2->dst)) {
-- plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: extract_port.\n");
-- if( (iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL){
-- plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: found a ph1 wop.\n");
-- }
-- } else {
-- plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: searching byaddr.\n");
-- iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
-- if(iph1 != NULL)
-- plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: found byaddr.\n");
-- }
--#else
-+ /* Search isakmp status table by address and port */
- iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
--#endif
-
- /* XXX Even if ph1 as responder is there, should we not start
- * phase 2 negotiation ? */
-@@ -3321,20 +3289,10 @@ purge_remote(iph1)
- msg = next;
- continue;
- }
-+ pk_fixup_sa_addresses(mhp);
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
--#ifdef SADB_X_NAT_T_NEW_MAPPING
-- if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) {
-- /* NAT-T is enabled for this SADB entry; copy
-- * the ports from NAT-T extensions */
-- if(mhp[SADB_X_EXT_NAT_T_SPORT] != NULL)
-- set_port(src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT]));
-- if(mhp[SADB_X_EXT_NAT_T_DPORT] != NULL)
-- set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));
-- }
--#endif
--
- if (sa->sadb_sa_state != SADB_SASTATE_LARVAL &&
- sa->sadb_sa_state != SADB_SASTATE_MATURE &&
- sa->sadb_sa_state != SADB_SASTATE_DYING) {
-@@ -3346,22 +3304,14 @@ purge_remote(iph1)
- * check in/outbound SAs.
- * Select only SAs where src == local and dst == remote (outgoing)
- * or src == remote and dst == local (incoming).
-- * XXX we sometime have src/dst ports set to 0 and want to match
-- * iph1->local/remote with ports set to 500. This is a bug, see trac:2
- */
--#ifdef ENABLE_NATT
-- if ((cmpsaddrmagic(iph1->local, src) || cmpsaddrmagic(iph1->remote, dst)) &&
-- (cmpsaddrmagic(iph1->local, dst) || cmpsaddrmagic(iph1->remote, src))) {
-- msg = next;
-- continue;
-- }
--#else
-- if ((CMPSADDR(iph1->local, src) || CMPSADDR(iph1->remote, dst)) &&
-- (CMPSADDR(iph1->local, dst) || CMPSADDR(iph1->remote, src))) {
-+ if ((cmpsaddr(iph1->local, src) ||
-+ cmpsaddr(iph1->remote, dst)) &&
-+ (cmpsaddr(iph1->local, dst) ||
-+ cmpsaddr(iph1->remote, src))) {
- msg = next;
- continue;
- }
--#endif
-
- proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
- iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);
-diff --git a/src/racoon/isakmp_cfg.c b/src/racoon/isakmp_cfg.c
-index 62916f8..df763f8 100644
---- a/src/racoon/isakmp_cfg.c
-+++ b/src/racoon/isakmp_cfg.c
-@@ -1151,15 +1151,6 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange)
- goto end;
- }
-
--#if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
-- if (set_port(iph2->dst, 0) == NULL ||
-- set_port(iph2->src, 0) == NULL) {
-- plog(LLV_ERROR, LOCATION, NULL,
-- "invalid family: %d\n", iph1->remote->sa_family);
-- delph2(iph2);
-- goto end;
-- }
--#endif
- iph2->side = INITIATOR;
- iph2->status = PHASE2ST_START;
-
-diff --git a/src/racoon/isakmp_inf.c b/src/racoon/isakmp_inf.c
-index a712825..6fa3498 100644
---- a/src/racoon/isakmp_inf.c
-+++ b/src/racoon/isakmp_inf.c
-@@ -903,15 +903,6 @@ isakmp_info_send_common(iph1, payload, np, flags)
- delph2(iph2);
- goto end;
- }
--#if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
-- if (set_port(iph2->dst, 0) == NULL ||
-- set_port(iph2->src, 0) == NULL) {
-- plog(LLV_ERROR, LOCATION, NULL,
-- "invalid family: %d\n", iph1->remote->sa_family);
-- delph2(iph2);
-- goto end;
-- }
--#endif
- iph2->side = INITIATOR;
- iph2->status = PHASE2ST_START;
- iph2->msgid = isakmp_newmsgid2(iph1);
-@@ -1127,9 +1118,6 @@ purge_ipsec_spi(dst0, proto, spi, n)
- u_int64_t created;
- size_t i;
- caddr_t mhp[SADB_EXT_MAX + 1];
--#ifdef ENABLE_NATT
-- int natt_port_forced;
--#endif
-
- plog(LLV_DEBUG2, LOCATION, NULL,
- "purge_ipsec_spi:\n");
-@@ -1169,6 +1157,7 @@ purge_ipsec_spi(dst0, proto, spi, n)
- msg = next;
- continue;
- }
-+ pk_fixup_sa_addresses(mhp);
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
- lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
-@@ -1182,28 +1171,7 @@ purge_ipsec_spi(dst0, proto, spi, n)
- msg = next;
- continue;
- }
--#ifdef ENABLE_NATT
-- if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) {
-- /* NAT-T is enabled for this SADB entry; copy
-- * the ports from NAT-T extensions */
-- if (extract_port(src) == 0 &&
-- mhp[SADB_X_EXT_NAT_T_SPORT] != NULL) {
-- set_port(src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT]));
-- }
-
-- if (extract_port(dst) == 0 &&
-- mhp[SADB_X_EXT_NAT_T_DPORT] != NULL) {
-- set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));
-- }
-- natt_port_forced = 0;
-- } else {
-- /* Force default UDP ports, so
-- * CMPSADDR will match SAs with NO encapsulation */
-- set_port(src, PORT_ISAKMP);
-- set_port(dst, PORT_ISAKMP);
-- natt_port_forced = 1;
-- }
--#endif
- plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(src));
- plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(dst));
-
-@@ -1211,19 +1179,11 @@ purge_ipsec_spi(dst0, proto, spi, n)
-
- /* don't delete inbound SAs at the moment */
- /* XXX should we remove SAs with opposite direction as well? */
-- if (CMPSADDR(dst0, dst)) {
-+ if (cmpsaddr(dst0, dst)) {
- msg = next;
- continue;
- }
-
--#ifdef ENABLE_NATT
-- if (natt_port_forced) {
-- /* Set back port to 0 if it was forced
-- * to default UDP port */
-- set_port(src, 0);
-- set_port(dst, 0);
-- }
--#endif
- for (i = 0; i < n; i++) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "check spi(packet)=%u spi(db)=%u.\n",
-@@ -1354,37 +1314,33 @@ isakmp_info_recv_initialcontact(iph1, protectedph2)
- msg = (struct sadb_msg *)buf->v;
- end = (struct sadb_msg *)(buf->v + buf->l);
-
-- while (msg < end) {
-+ for (; msg < end; msg = next) {
- if ((msg->sadb_msg_len << 3) < sizeof(*msg))
- break;
-+
- next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3));
-- if (msg->sadb_msg_type != SADB_DUMP) {
-- msg = next;
-+ if (msg->sadb_msg_type != SADB_DUMP)
- continue;
-- }
-
- if (pfkey_align(msg, mhp) || pfkey_check(mhp)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "pfkey_check (%s)\n", ipsec_strerror());
-- msg = next;
- continue;
- }
-
- if (mhp[SADB_EXT_SA] == NULL
- || mhp[SADB_EXT_ADDRESS_SRC] == NULL
-- || mhp[SADB_EXT_ADDRESS_DST] == NULL) {
-- msg = next;
-+ || mhp[SADB_EXT_ADDRESS_DST] == NULL)
- continue;
-- }
-+
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
-+ pk_fixup_sa_addresses(mhp);
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
- if (sa->sadb_sa_state != SADB_SASTATE_MATURE
-- && sa->sadb_sa_state != SADB_SASTATE_DYING) {
-- msg = next;
-+ && sa->sadb_sa_state != SADB_SASTATE_DYING)
- continue;
-- }
-
- /*
- * RFC2407 4.6.3.3 INITIAL-CONTACT is the message that
-@@ -1394,39 +1350,18 @@ isakmp_info_recv_initialcontact(iph1, protectedph2)
- * racoon only deletes SA which is matched both the
- * source address and the destination accress.
- */
--#ifdef ENABLE_NATT
-- /*
-- * XXX RFC 3947 says that whe MUST NOT use IP+port to find old SAs
-- * from this peer !
-- */
-- if(iph1->natt_flags & NAT_DETECTED){
-- if (CMPSADDR(iph1->local, src) == 0 &&
-- CMPSADDR(iph1->remote, dst) == 0)
-- ;
-- else if (CMPSADDR(iph1->remote, src) == 0 &&
-- CMPSADDR(iph1->local, dst) == 0)
-- ;
-- else {
-- msg = next;
-- continue;
-- }
-- } else
--#endif
-- /* If there is no NAT-T, we don't have to check addr + port...
-- * XXX what about a configuration with a remote peers which is not
-- * NATed, but which NATs some other peers ?
-- * Here, the INITIAl-CONTACT would also flush all those NATed peers !!
-- */
-- if (cmpsaddrwop(iph1->local, src) == 0 &&
-- cmpsaddrwop(iph1->remote, dst) == 0)
-- ;
-- else if (cmpsaddrwop(iph1->remote, src) == 0 &&
-- cmpsaddrwop(iph1->local, dst) == 0)
-- ;
-- else {
-- msg = next;
-+
-+ /*
-+ * Check that the IP and port match. But this is not optimal,
-+ * since NAT-T can make the peer have multiple different
-+ * ports. Correct thing to do is delete all entries with
-+ * same identity. -TT
-+ */
-+ if ((cmpsaddr(iph1->local, src) != 0 ||
-+ cmpsaddr(iph1->remote, dst) != 0) &&
-+ (cmpsaddr(iph1->local, dst) != 0 ||
-+ cmpsaddr(iph1->remote, src) != 0))
- continue;
-- }
-
- /*
- * Make sure this is an SATYPE that we manage.
-@@ -1438,10 +1373,8 @@ isakmp_info_recv_initialcontact(iph1, protectedph2)
- msg->sadb_msg_satype)
- break;
- }
-- if (i == pfkey_nsatypes) {
-- msg = next;
-+ if (i == pfkey_nsatypes)
- continue;
-- }
-
- plog(LLV_INFO, LOCATION, NULL,
- "purging spi=%u.\n", ntohl(sa->sadb_sa_spi));
-@@ -1461,8 +1394,6 @@ isakmp_info_recv_initialcontact(iph1, protectedph2)
- remph2(iph2);
- delph2(iph2);
- }
--
-- msg = next;
- }
-
- vfree(buf);
-diff --git a/src/racoon/isakmp_quick.c b/src/racoon/isakmp_quick.c
-index 804c1bf..46c84c1 100644
---- a/src/racoon/isakmp_quick.c
-+++ b/src/racoon/isakmp_quick.c
-@@ -610,17 +610,19 @@ quick_i2recv(iph2, msg0)
- error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
- goto end;
- }
-+#ifdef ENABLE_NATT
-+ set_port(iph2->natoa_src,
-+ extract_port((struct sockaddr *) &proposed_addr));
-+#endif
-
-- if (cmpsaddrstrict((struct sockaddr *) &proposed_addr,
-- (struct sockaddr *) &got_addr) == 0) {
-+ if (cmpsaddr((struct sockaddr *) &proposed_addr,
-+ (struct sockaddr *) &got_addr) == 0) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "IDci matches proposal.\n");
- #ifdef ENABLE_NATT
- } else if (iph2->natoa_src != NULL
-- && cmpsaddrwop(iph2->natoa_src,
-- (struct sockaddr *) &got_addr) == 0
-- && extract_port((struct sockaddr *) &proposed_addr) ==
-- extract_port((struct sockaddr *) &got_addr)) {
-+ && cmpsaddr(iph2->natoa_src,
-+ (struct sockaddr *) &got_addr) == 0) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "IDci matches NAT-OAi.\n");
- #endif
-@@ -656,16 +658,19 @@ quick_i2recv(iph2, msg0)
- goto end;
- }
-
-- if (cmpsaddrstrict((struct sockaddr *) &proposed_addr,
-- (struct sockaddr *) &got_addr) == 0) {
-+#ifdef ENABLE_NATT
-+ set_port(iph2->natoa_dst,
-+ extract_port((struct sockaddr *) &proposed_addr));
-+#endif
-+
-+ if (cmpsaddr((struct sockaddr *) &proposed_addr,
-+ (struct sockaddr *) &got_addr) == 0) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "IDcr matches proposal.\n");
- #ifdef ENABLE_NATT
- } else if (iph2->natoa_dst != NULL
-- && cmpsaddrwop(iph2->natoa_dst,
-- (struct sockaddr *) &got_addr) == 0
-- && extract_port((struct sockaddr *) &proposed_addr) ==
-- extract_port((struct sockaddr *) &got_addr)) {
-+ && cmpsaddr(iph2->natoa_dst,
-+ (struct sockaddr *) &got_addr) == 0) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "IDcr matches NAT-OAr.\n");
- #endif
-diff --git a/src/racoon/nattraversal.c b/src/racoon/nattraversal.c
-index f23341a..92095de 100644
---- a/src/racoon/nattraversal.c
-+++ b/src/racoon/nattraversal.c
-@@ -379,8 +379,8 @@ natt_keepalive_add (struct sockaddr *src, struct sockaddr *dst)
- struct natt_ka_addrs *ka = NULL, *new_addr;
-
- TAILQ_FOREACH (ka, &ka_tree, chain) {
-- if (cmpsaddrstrict(ka->src, src) == 0 &&
-- cmpsaddrstrict(ka->dst, dst) == 0) {
-+ if (cmpsaddr(ka->src, src) == 0 &&
-+ cmpsaddr(ka->dst, dst) == 0) {
- ka->in_use++;
- plog (LLV_INFO, LOCATION, NULL, "KA found: %s (in_use=%u)\n",
- saddr2str_fromto("%s->%s", src, dst), ka->in_use);
-@@ -443,8 +443,8 @@ natt_keepalive_remove (struct sockaddr *src, struct sockaddr *dst)
- plog (LLV_DEBUG, LOCATION, NULL, "KA tree dump: %s (in_use=%u)\n",
- saddr2str_fromto("%s->%s", src, dst), ka->in_use);
-
-- if (cmpsaddrstrict(ka->src, src) == 0 &&
-- cmpsaddrstrict(ka->dst, dst) == 0 &&
-+ if (cmpsaddr(ka->src, src) == 0 &&
-+ cmpsaddr(ka->dst, dst) == 0 &&
- -- ka->in_use <= 0) {
-
- plog (LLV_DEBUG, LOCATION, NULL, "KA removing this one...\n");
-diff --git a/src/racoon/pfkey.c b/src/racoon/pfkey.c
-index c210c5e..3778ef2 100644
---- a/src/racoon/pfkey.c
-+++ b/src/racoon/pfkey.c
-@@ -774,8 +774,12 @@ pk_fixup_sa_addresses(mhp)
- caddr_t *mhp;
- {
- struct sockaddr *src, *dst;
-+
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-+ set_port(src, PORT_ISAKMP);
-+ set_port(dst, PORT_ISAKMP);
-+
- #ifdef ENABLE_NATT
- if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) {
- /* NAT-T is enabled for this SADB entry; copy
-@@ -785,9 +789,6 @@ pk_fixup_sa_addresses(mhp)
- if(mhp[SADB_X_EXT_NAT_T_DPORT] != NULL)
- set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));
- }
--#else
-- set_port(src, 0);
-- set_port(dst, 0);
- #endif
- }
-
-@@ -949,10 +950,6 @@ pk_sendgetspi(iph2)
- dport=extract_port(dst);
- }
- #endif
-- /* Always remove port information, it will be sent in
-- * SADB_X_EXT_NAT_T_[S|D]PORT if needed */
-- set_port(src, 0);
-- set_port(dst, 0);
-
- plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_getspi\n");
- if (pfkey_send_getspi_nat(
-@@ -1009,6 +1006,7 @@ pk_recvgetspi(mhp)
- }
- msg = (struct sadb_msg *)mhp[0];
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
-+ pk_fixup_sa_addresses(mhp);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); /* note SA dir */
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
-@@ -1183,18 +1181,14 @@ pk_sendupdate(iph2)
- #ifdef ENABLE_NATT
- if (pr->udp_encap) {
- sa_args.l_natt_type = iph2->ph1->natt_options->encaps_type;
-- sa_args.l_natt_sport = extract_port (iph2->ph1->remote);
-- sa_args.l_natt_dport = extract_port (iph2->ph1->local);
-+ sa_args.l_natt_sport = extract_port(iph2->ph1->remote);
-+ sa_args.l_natt_dport = extract_port(iph2->ph1->local);
- sa_args.l_natt_oa = iph2->natoa_src;
- #ifdef SADB_X_EXT_NAT_T_FRAG
- sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
- #endif
- }
- #endif
-- /* Always remove port information, it will be sent in
-- * SADB_X_EXT_NAT_T_[S|D]PORT if needed */
-- set_port(sa_args.src, 0);
-- set_port(sa_args.dst, 0);
-
- /* more info to fill in */
- sa_args.spi = pr->spi;
-@@ -1358,14 +1352,6 @@ pk_recvupdate(mhp)
- /* turn off schedule */
- sched_cancel(&iph2->scr);
-
-- /* Force the update of ph2's ports, as there is at least one
-- * situation where they'll mismatch with ph1's values
-- */
--#ifdef ENABLE_NATT
-- set_port(iph2->src, extract_port(iph2->ph1->local));
-- set_port(iph2->dst, extract_port(iph2->ph1->remote));
--#endif
--
- /*
- * since we are going to reuse the phase2 handler, we need to
- * remain it and refresh all the references between ph1 and ph2 to use.
-@@ -1418,7 +1404,7 @@ pk_sendadd(iph2)
- racoon_free(sa_args.src);
- racoon_free(sa_args.dst);
- return -1;
-- }
-+ }
-
- for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
- /* validity check */
-@@ -1490,11 +1476,6 @@ pk_sendadd(iph2)
- #endif
- }
- #endif
-- /* Always remove port information, it will be sent in
-- * SADB_X_EXT_NAT_T_[S|D]PORT if needed */
-- set_port(sa_args.src, 0);
-- set_port(sa_args.dst, 0);
--
- /* more info to fill in */
- sa_args.spi = pr->spi_p;
- sa_args.reqid = pr->reqid_out;
-@@ -1559,6 +1540,7 @@ pk_recvadd(mhp)
- return -1;
- }
- msg = (struct sadb_msg *)mhp[0];
-+ pk_fixup_sa_addresses(mhp);
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
-@@ -1749,7 +1731,9 @@ pk_recvacquire(mhp)
- }
- msg = (struct sadb_msg *)mhp[0];
- xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
-- pk_fixup_sa_addresses(mhp);
-+ /* acquire does not have nat-t ports; so do not bother setting
-+ * the default port 500; just use the port zero for wildcard
-+ * matching the get a valid natted destination */
- sp_src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- sp_dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
-@@ -2884,8 +2868,8 @@ migrate_ph1_ike_addresses(iph1, arg)
- u_int16_t port;
-
- /* Already up-to-date? */
-- if (cmpsaddrwop(iph1->local, ma->local) == 0 &&
-- cmpsaddrwop(iph1->remote, ma->remote) == 0)
-+ if (cmpsaddr(iph1->local, ma->local) == 0 &&
-+ cmpsaddr(iph1->remote, ma->remote) == 0)
- return 0;
-
- if (iph1->status < PHASE1ST_ESTABLISHED) {
-@@ -2985,8 +2969,8 @@ migrate_ph2_ike_addresses(iph2, arg)
- migrate_ph1_ike_addresses(iph2->ph1, arg);
-
- /* Already up-to-date? */
-- if (CMPSADDR(iph2->src, ma->local) == 0 &&
-- CMPSADDR(iph2->dst, ma->remote) == 0)
-+ if (cmpsaddr(iph2->src, ma->local) == 0 &&
-+ cmpsaddr(iph2->dst, ma->remote) == 0)
- return 0;
-
- /* save src/dst as sa_src/sa_dst before rewriting */
-@@ -3206,8 +3190,8 @@ migrate_ph2_one_isr(spid, isr_cur, xisr_old, xisr_new)
- "changing address families (%d to %d) for endpoints.\n",
- osaddr->sa_family, nsaddr->sa_family);
-
-- if (CMPSADDR(osaddr, (struct sockaddr *)&saidx->src) ||
-- CMPSADDR(odaddr, (struct sockaddr *)&saidx->dst)) {
-+ if (cmpsaddr(osaddr, (struct sockaddr *) &saidx->src) ||
-+ cmpsaddr(odaddr, (struct sockaddr *) &saidx->dst)) {
- plog(LLV_DEBUG, LOCATION, NULL, "SADB_X_MIGRATE: "
- "mismatch of addresses in saidx and xisr.\n");
- return -1;
-diff --git a/src/racoon/policy.c b/src/racoon/policy.c
-index 850fa6b..058753f 100644
---- a/src/racoon/policy.c
-+++ b/src/racoon/policy.c
-@@ -141,16 +141,18 @@ getsp_r(spidx, iph2)
- saddr2str(iph2->src));
- plog(LLV_DEBUG, LOCATION, NULL, "src2: %s\n",
- saddr2str((struct sockaddr *)&spidx->src));
-- if (cmpsaddrwop(iph2->src, (struct sockaddr *)&spidx->src)
-- || spidx->prefs != prefixlen)
-+
-+ if (cmpsaddr(iph2->src, (struct sockaddr *) &spidx->src) ||
-+ spidx->prefs != prefixlen)
- return NULL;
-
- plog(LLV_DEBUG, LOCATION, NULL, "dst1: %s\n",
- saddr2str(iph2->dst));
- plog(LLV_DEBUG, LOCATION, NULL, "dst2: %s\n",
- saddr2str((struct sockaddr *)&spidx->dst));
-- if (cmpsaddrwop(iph2->dst, (struct sockaddr *)&spidx->dst)
-- || spidx->prefd != prefixlen)
-+
-+ if (cmpsaddr(iph2->dst, (struct sockaddr *) &spidx->dst) ||
-+ spidx->prefd != prefixlen)
- return NULL;
-
- plog(LLV_DEBUG, LOCATION, NULL, "looks to be transport mode\n");
-@@ -198,11 +200,11 @@ cmpspidxstrict(a, b)
- || a->ul_proto != b->ul_proto)
- return 1;
-
-- if (cmpsaddrstrict((struct sockaddr *)&a->src,
-- (struct sockaddr *)&b->src))
-+ if (cmpsaddr((struct sockaddr *) &a->src,
-+ (struct sockaddr *) &b->src))
- return 1;
-- if (cmpsaddrstrict((struct sockaddr *)&a->dst,
-- (struct sockaddr *)&b->dst))
-+ if (cmpsaddr((struct sockaddr *) &a->dst,
-+ (struct sockaddr *) &b->dst))
- return 1;
-
- #ifdef HAVE_SECCTX
-@@ -259,7 +261,7 @@ cmpspidxwild(a, b)
- a, b->prefs, saddr2str((struct sockaddr *)&sa1));
- plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
- b, b->prefs, saddr2str((struct sockaddr *)&sa2));
-- if (cmpsaddrwild((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
-+ if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
- return 1;
-
- #ifndef __linux__
-@@ -277,7 +279,7 @@ cmpspidxwild(a, b)
- a, b->prefd, saddr2str((struct sockaddr *)&sa1));
- plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
- b, b->prefd, saddr2str((struct sockaddr *)&sa2));
-- if (cmpsaddrwild((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
-+ if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
- return 1;
-
- #ifdef HAVE_SECCTX
-diff --git a/src/racoon/remoteconf.c b/src/racoon/remoteconf.c
-index 73d80bc..88c622c 100644
---- a/src/racoon/remoteconf.c
-+++ b/src/racoon/remoteconf.c
-@@ -200,15 +200,9 @@ rmconf_match_type(rmsel, rmconf)
- /* Check address */
- if (rmsel->remote != NULL) {
- if (rmconf->remote->sa_family != AF_UNSPEC) {
-- if (rmsel->flags & GETRMCONF_F_NO_PORTS) {
-- if (cmpsaddrwop(rmsel->remote,
-- rmconf->remote) != 0)
-- return 0;
-- } else {
-- if (cmpsaddrstrict(rmsel->remote,
-- rmconf->remote) != 0)
-- return 0;
-- }
-+ if (cmpsaddr(rmsel->remote, rmconf->remote) != 0)
-+ return 0;
-+
- /* Address matched */
- ret = 2;
- }
-@@ -262,7 +256,7 @@ void rmconf_selector_from_ph1(rmsel, iph1)
- struct ph1handle *iph1;
- {
- memset(rmsel, 0, sizeof(*rmsel));
-- rmsel->flags = GETRMCONF_F_NO_PORTS;
-+ rmsel->flags = 0;
- rmsel->remote = iph1->remote;
- rmsel->etype = iph1->etype;
- rmsel->approval = iph1->approval;
-@@ -357,22 +351,8 @@ getrmconf(remote, flags)
- int n = 0;
-
- memset(&ctx, 0, sizeof(ctx));
-- ctx.sel.flags = flags | GETRMCONF_F_NO_PORTS;
-+ ctx.sel.flags = flags;
- ctx.sel.remote = remote;
--#ifndef ENABLE_NATT
-- /*
-- * We never have ports set in our remote configurations, but when
-- * NAT-T is enabled, the kernel can have policies with ports and
-- * send us an acquire message for a destination that has a port set.
-- * If we do this port check here, we don't find the remote config.
-- *
-- * In an ideal world, we would be able to have remote conf with
-- * port, and the port could be a wildcard. That test could be used.
-- */
-- if (remote->sa_family != AF_UNSPEC &&
-- extract_port(remote) != IPSEC_PORT_ANY)
-- ctx.sel.flags &= ~GETRMCONF_F_NO_PORTS;
--#endif /* ENABLE_NATT */
-
- if (enumrmconf(&ctx.sel, rmconf_find, &ctx) != 0) {
- plog(LLV_ERROR, LOCATION, remote,
-diff --git a/src/racoon/remoteconf.h b/src/racoon/remoteconf.h
-index 38faf03..b2e9e4a 100644
---- a/src/racoon/remoteconf.h
-+++ b/src/racoon/remoteconf.h
-@@ -189,8 +189,7 @@ extern int enumrmconf __P((struct rmconfselector *rmsel,
- void *enum_arg));
-
- #define GETRMCONF_F_NO_ANONYMOUS 0x0001
--#define GETRMCONF_F_NO_PORTS 0x0002
--#define GETRMCONF_F_NO_PASSIVE 0x0004
-+#define GETRMCONF_F_NO_PASSIVE 0x0002
-
- #define RMCONF_ERR_MULTIPLE ((struct remoteconf *) -1)
-
-diff --git a/src/racoon/sockmisc.c b/src/racoon/sockmisc.c
-index 5c1f9c7..2bc2177 100644
---- a/src/racoon/sockmisc.c
-+++ b/src/racoon/sockmisc.c
-@@ -80,87 +77,28 @@
- const int niflags = 0;
-
- /*
-- * compare two sockaddr without port number.
-- * OUT: 0: equal.
-- * 1: not equal.
-- */
--int
--cmpsaddrwop(addr1, addr2)
-- const struct sockaddr *addr1;
-- const struct sockaddr *addr2;
--{
-- caddr_t sa1, sa2;
--
-- if (addr1 == 0 && addr2 == 0)
-- return 0;
-- if (addr1 == 0 || addr2 == 0)
-- return 1;
--
--#ifdef __linux__
-- if (addr1->sa_family != addr2->sa_family)
-- return 1;
--#else
-- if (addr1->sa_len != addr2->sa_len
-- || addr1->sa_family != addr2->sa_family)
-- return 1;
--
--#endif /* __linux__ */
--
-- switch (addr1->sa_family) {
-- case AF_UNSPEC:
-- break;
-- case AF_INET:
-- sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr;
-- sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
-- if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
-- return 1;
-- break;
--#ifdef INET6
-- case AF_INET6:
-- sa1 = (caddr_t)&((struct sockaddr_in6 *)addr1)->sin6_addr;
-- sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
-- if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
-- return 1;
-- if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
-- ((struct sockaddr_in6 *)addr2)->sin6_scope_id)
-- return 1;
-- break;
--#endif
-- default:
-- return 1;
-- }
--
-- return 0;
--}
--
--/*
- * compare two sockaddr with port, taking care wildcard.
- * addr1 is a subject address, addr2 is in a database entry.
- * OUT: 0: equal.
- * 1: not equal.
- */
- int
--cmpsaddrwild(addr1, addr2)
-+cmpsaddr(addr1, addr2)
- const struct sockaddr *addr1;
- const struct sockaddr *addr2;
- {
- caddr_t sa1, sa2;
- u_short port1, port2;
-
-- if (addr1 == 0 && addr2 == 0)
-- return 0;
-- if (addr1 == 0 || addr2 == 0)
-- return 1;
-+ if (addr1 == NULL && addr2 == NULL)
-+ return CMPSADDR_MATCH;
-
--#ifdef __linux__
-- if (addr1->sa_family != addr2->sa_family)
-- return 1;
--#else
-- if (addr1->sa_len != addr2->sa_len
-- || addr1->sa_family != addr2->sa_family)
-- return 1;
-+ if (addr1 == NULL || addr2 == NULL)
-+ return CMPSADDR_MISMATCH;
-
--#endif /* __linux__ */
-+ if (addr1->sa_family != addr2->sa_family ||
-+ sysdep_sa_len(addr1) != sysdep_sa_len(addr2))
-+ return CMPSADDR_MISMATCH;
-
- switch (addr1->sa_family) {
- case AF_UNSPEC:
-@@ -170,12 +108,8 @@ cmpsaddrwild(addr1, addr2)
- sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
- port1 = ((struct sockaddr_in *)addr1)->sin_port;
- port2 = ((struct sockaddr_in *)addr2)->sin_port;
-- if (!(port1 == IPSEC_PORT_ANY ||
-- port2 == IPSEC_PORT_ANY ||
-- port1 == port2))
-- return 1;
- if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
-- return 1;
-+ return CMPSADDR_MISMATCH;
- break;
- #ifdef INET6
- case AF_INET6:
-@@ -183,155 +117,23 @@ cmpsaddrwild(addr1, addr2)
- sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
- port1 = ((struct sockaddr_in6 *)addr1)->sin6_port;
- port2 = ((struct sockaddr_in6 *)addr2)->sin6_port;
-- if (!(port1 == IPSEC_PORT_ANY ||
-- port2 == IPSEC_PORT_ANY ||
-- port1 == port2))
-- return 1;
- if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
-- return 1;
-+ return CMPSADDR_MISMATCH;
- if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
- ((struct sockaddr_in6 *)addr2)->sin6_scope_id)
-- return 1;
-+ return CMPSADDR_MISMATCH;
- break;
- #endif
- default:
-- return 1;
-+ return CMPSADDR_MISMATCH;
- }
-
-- return 0;
--}
--
--/*
-- * compare two sockaddr with port, taking care specific situation:
-- * one addr has 0 as port, and the other has 500 (network order), return equal
-- * OUT: 0: equal.
-- * 1: not equal.
-- */
--int
--cmpsaddrmagic(addr1, addr2)
-- const struct sockaddr *addr1;
-- const struct sockaddr *addr2;
--{
-- caddr_t sa1, sa2;
-- u_short port1, port2;
--
-- if (addr1 == 0 && addr2 == 0)
-- return 0;
-- if (addr1 == 0 || addr2 == 0)
-- return 1;
--
--#ifdef __linux__
-- if (addr1->sa_family != addr2->sa_family)
-- return 1;
--#else
-- if (addr1->sa_len != addr2->sa_len
-- || addr1->sa_family != addr2->sa_family)
-- return 1;
-+ if (port1 == port2 ||
-+ port1 == IPSEC_PORT_ANY ||
-+ port2 == IPSEC_PORT_ANY)
-+ return CMPSADDR_MATCH;
-
--#endif /* __linux__ */
--
-- switch (addr1->sa_family) {
-- case AF_UNSPEC:
-- break;
-- case AF_INET:
-- sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr;
-- sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
-- port1 = ((struct sockaddr_in *)addr1)->sin_port;
-- port2 = ((struct sockaddr_in *)addr2)->sin_port;
-- plog(LLV_DEBUG, LOCATION, NULL, "cmpsaddr_magic: port1 == %d, port2 == %d\n", port1, port2);
-- if (!((port1 == IPSEC_PORT_ANY && port2 == ntohs(PORT_ISAKMP)) ||
-- (port2 == IPSEC_PORT_ANY && port1 == ntohs(PORT_ISAKMP)) ||
-- (port1 == port2))){
-- plog(LLV_DEBUG, LOCATION, NULL, "cmpsaddr_magic: ports mismatch\n");
-- return 1;
-- }
-- plog(LLV_DEBUG, LOCATION, NULL, "cmpsaddr_magic: ports matched\n");
-- if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
-- return 1;
-- break;
--#ifdef INET6
-- case AF_INET6:
-- sa1 = (caddr_t)&((struct sockaddr_in6 *)addr1)->sin6_addr;
-- sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
-- port1 = ((struct sockaddr_in6 *)addr1)->sin6_port;
-- port2 = ((struct sockaddr_in6 *)addr2)->sin6_port;
-- if (!((port1 == IPSEC_PORT_ANY && port2 == PORT_ISAKMP) ||
-- (port2 == IPSEC_PORT_ANY && port1 == PORT_ISAKMP) ||
-- (port1 == port2)))
-- return 1;
-- if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
-- return 1;
-- if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
-- ((struct sockaddr_in6 *)addr2)->sin6_scope_id)
-- return 1;
-- break;
--#endif
-- default:
-- return 1;
-- }
--
-- return 0;
--}
--
--/*
-- * compare two sockaddr with strict match on port.
-- * OUT: 0: equal.
-- * 1: not equal.
-- */
--int
--cmpsaddrstrict(addr1, addr2)
-- const struct sockaddr *addr1;
-- const struct sockaddr *addr2;
--{
-- caddr_t sa1, sa2;
-- u_short port1, port2;
--
-- if (addr1 == 0 && addr2 == 0)
-- return 0;
-- if (addr1 == 0 || addr2 == 0)
-- return 1;
--
--#ifdef __linux__
-- if (addr1->sa_family != addr2->sa_family)
-- return 1;
--#else
-- if (addr1->sa_len != addr2->sa_len
-- || addr1->sa_family != addr2->sa_family)
-- return 1;
--
--#endif /* __linux__ */
--
-- switch (addr1->sa_family) {
-- case AF_INET:
-- sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr;
-- sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
-- port1 = ((struct sockaddr_in *)addr1)->sin_port;
-- port2 = ((struct sockaddr_in *)addr2)->sin_port;
-- if (port1 != port2)
-- return 1;
-- if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
-- return 1;
-- break;
--#ifdef INET6
-- case AF_INET6:
-- sa1 = (caddr_t)&((struct sockaddr_in6 *)addr1)->sin6_addr;
-- sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
-- port1 = ((struct sockaddr_in6 *)addr1)->sin6_port;
-- port2 = ((struct sockaddr_in6 *)addr2)->sin6_port;
-- if (port1 != port2)
-- return 1;
-- if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
-- return 1;
-- if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
-- ((struct sockaddr_in6 *)addr2)->sin6_scope_id)
-- return 1;
-- break;
--#endif
-- default:
-- return 1;
-- }
--
-- return 0;
-+ return CMPSADDR_WOP_MATCH;
- }
-
- /* get local address against the destination. */
-@@ -1129,7 +931,7 @@ naddr_score(const struct netaddr *naddr, const struct sockaddr *saddr)
- free(a2);
- free(a3);
- }
-- if (cmpsaddrwop(&sa, &naddr->sa.sa) == 0)
-+ if (cmpsaddr(&sa, &naddr->sa.sa) == 0)
- return naddr->prefix + port_score;
-
- return -1;
-diff --git a/src/racoon/sockmisc.h b/src/racoon/sockmisc.h
-index fcc286f..0a58f44 100644
---- a/src/racoon/sockmisc.h
-+++ b/src/racoon/sockmisc.h
-@@ -54,16 +54,11 @@ struct netaddr {
-
- extern const int niflags;
-
--extern int cmpsaddrwop __P((const struct sockaddr *, const struct sockaddr *));
--extern int cmpsaddrwild __P((const struct sockaddr *, const struct sockaddr *));
--extern int cmpsaddrstrict __P((const struct sockaddr *, const struct sockaddr *));
--extern int cmpsaddrmagic __P((const struct sockaddr *, const struct sockaddr *));
--
--#ifdef ENABLE_NATT
--#define CMPSADDR(saddr1, saddr2) cmpsaddrstrict((saddr1), (saddr2))
--#else
--#define CMPSADDR(saddr1, saddr2) cmpsaddrwop((saddr1), (saddr2))
--#endif
-+#define CMPSADDR_MATCH 0
-+#define CMPSADDR_WOP_MATCH 1
-+#define CMPSADDR_MISMATCH 2
-+
-+extern int cmpsaddr __P((const struct sockaddr *, const struct sockaddr *));
-
- extern struct sockaddr *getlocaladdr __P((struct sockaddr *));
-
-diff --git a/src/racoon/throttle.c b/src/racoon/throttle.c
-index 5ab62c3..64b566b 100644
---- a/src/racoon/throttle.c
-+++ b/src/racoon/throttle.c
-@@ -104,7 +104,7 @@ restart:
- goto restart;
- }
-
-- if (cmpsaddrwop(addr, (struct sockaddr *)&te->host) == 0) {
-+ if (cmpsaddr(addr, (struct sockaddr *) &te->host) == 0) {
- found = 1;
- break;
- }
diff --git a/main/ipsec-tools/50-reverse-connect.patch b/main/ipsec-tools/50-reverse-connect.patch
index c49eae347f..f29c3d5091 100644
--- a/main/ipsec-tools/50-reverse-connect.patch
+++ b/main/ipsec-tools/50-reverse-connect.patch
@@ -125,9 +125,9 @@ index b33986f..9fd3817 100644
+ * to firewall or nat */
+ if (iph1->side == RESPONDER && p->side == INITIATOR &&
+ p->status < PHASE1ST_MSG3RECEIVED) {
++ /* Do not delete ph1, since if the node is not NATted,
++ * and we delete it we might get phase2's lost */
+ evt_list_move(&p->evt_listeners, &iph1->evt_listeners);
-+ remph1(p);
-+ delph1(p);
+ }
}
}
diff --git a/main/ipsec-tools/APKBUILD b/main/ipsec-tools/APKBUILD
index f7a78026f6..db1d28bf14 100644
--- a/main/ipsec-tools/APKBUILD
+++ b/main/ipsec-tools/APKBUILD
@@ -1,8 +1,8 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=ipsec-tools
-pkgver=0.8_alpha20090422
-_myver=0.8-alpha20090422
-pkgrel=1
+pkgver=0.8_alpha20090820
+_myver=0.8-alpha20090820
+pkgrel=0
pkgdesc="User-space IPsec tools for various IPsec implementations"
url="http://ipsec-tools.sourceforge.net/"
license="BSD"
@@ -12,10 +12,7 @@ subpackages="$pkgname-doc $pkgname-dev"
source="http://downloads.sourceforge.net/$pkgname/$pkgname-$_myver.tar.gz
racoon.initd
racoon.confd
- 00-verify-cert-leak.patch
- 20-natoa-fix.patch
- 30-natt-ports-cleanup.patch
- 40-cmpsaddr-cleanup.patch
+ 10-rekey-ph1hint.patch
50-reverse-connect.patch
60-debug-quick.patch
"
@@ -48,12 +45,9 @@ build() {
install -D -m644 ../racoon.confd "$pkgdir"/etc/conf.d/racoon
}
-md5sums="8327401b5d1aa91e9c554d2cc536f823 ipsec-tools-0.8-alpha20090422.tar.gz
+md5sums="8b79f9e773043a47d636b4c6f59b84eb ipsec-tools-0.8-alpha20090820.tar.gz
fce62b52b598be268e27609f470f8e9b racoon.initd
2d00250cf72da7f2f559c91b65a48747 racoon.confd
-e0abf570c29519e8e36406dfc3bbe3c8 00-verify-cert-leak.patch
-2adb8796c75f62811b08c8370c75312c 20-natoa-fix.patch
-17b3f05426537afa1e94947c39b10163 30-natt-ports-cleanup.patch
-5fcaf5a01340132d4bfe55997bc5c60b 40-cmpsaddr-cleanup.patch
-91eb6da2726c4ed83df990f6908a7553 50-reverse-connect.patch
+4ee586cc6c6f1e0dd7a8bd9da0f5111d 10-rekey-ph1hint.patch
+13bda94a598aabf593280e04ea16065d 50-reverse-connect.patch
baa13d7f0f48955c792f7fcd42a8587a 60-debug-quick.patch"