Diffstat (limited to 'main/ipsec-tools')
-rw-r--r-- | main/ipsec-tools/10-rekey-ph1hint.patch | 1227 | ||||
-rw-r--r-- | main/ipsec-tools/APKBUILD | 8 |
2 files changed, 3 insertions, 1232 deletions
diff --git a/main/ipsec-tools/10-rekey-ph1hint.patch b/main/ipsec-tools/10-rekey-ph1hint.patch
deleted file mode 100644
index 773d609012..0000000000
--- a/main/ipsec-tools/10-rekey-ph1hint.patch
+++ /dev/null
@@ -1,1227 +0,0 @@ -? .msg -? ChangeLog -? alpine-config -? commiters.txt -? fd-unmonitor-segv-fix.patch -? natt-and-cmpsaddr.patch -? racoon.txt -? rekeying-fixes.diff -? rpm/Makefile -? rpm/Makefile.in -? rpm/ipsec-tools.spec -? rpm/suse/Makefile -? rpm/suse/Makefile.in -? rpm/suse/ipsec-tools.spec -? src/Makefile -? src/Makefile.in -? src/include-glibc/.includes -? src/include-glibc/Makefile -? src/include-glibc/Makefile.in -? src/libipsec/.deps -? src/libipsec/.libs -? src/libipsec/Makefile -? src/libipsec/Makefile.in -? src/libipsec/ipsec_dump_policy.lo -? src/libipsec/ipsec_get_policylen.lo -? src/libipsec/ipsec_strerror.lo -? src/libipsec/key_debug.lo -? src/libipsec/libipsec.la -? src/libipsec/pfkey.lo -? src/libipsec/pfkey_dump.lo -? src/libipsec/policy_parse.c -? src/libipsec/policy_parse.h -? src/libipsec/policy_parse.lo -? src/libipsec/policy_token.c -? src/libipsec/policy_token.lo -? src/racoon/.deps -? src/racoon/.libs -? src/racoon/Makefile -? src/racoon/Makefile.in -? src/racoon/cfparse.c -? src/racoon/cfparse.h -? src/racoon/cftoken.c -? src/racoon/eaytest -? src/racoon/libracoon.la -? src/racoon/libracoon_la-kmpstat.lo -? src/racoon/libracoon_la-misc.lo -? src/racoon/libracoon_la-sockmisc.lo -? src/racoon/libracoon_la-vmbuf.lo -? src/racoon/plainrsa-gen -? src/racoon/prsa_par.c -? src/racoon/prsa_par.h -? src/racoon/prsa_tok.c -? src/racoon/racoon -? src/racoon/racoonctl -? src/racoon/samples/psk.txt -? src/racoon/samples/racoon.conf -? src/setkey/.deps -? src/setkey/.libs -? src/setkey/Makefile -? src/setkey/Makefile.in -? src/setkey/parse.c -? src/setkey/parse.h -? src/setkey/setkey -? 
src/setkey/token.c -Index: src/racoon/admin.c -=================================================================== -RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/admin.c,v -retrieving revision 1.31 -diff -u -r1.31 admin.c ---- a/src/racoon/admin.c 3 Jul 2009 06:41:46 -0000 1.31 -+++ b/src/racoon/admin.c 19 Aug 2009 14:35:06 -0000 -@@ -5,7 +5,7 @@ - /* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. -- * -+ * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: -@@ -17,7 +17,7 @@ - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. -- * -+ * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -@@ -341,7 +341,7 @@ - user[len] = 0; - - found = purgeph1bylogin(user); -- plog(LLV_INFO, LOCATION, NULL, -+ plog(LLV_INFO, LOCATION, NULL, - "deleted %d SA for user \"%s\"\n", found, user); - - break; -@@ -360,7 +360,7 @@ - rem = racoon_strdup(saddrwop2str(dst)); - STRDUP_FATAL(rem); - -- plog(LLV_INFO, LOCATION, NULL, -+ plog(LLV_INFO, LOCATION, NULL, - "Flushing all SAs for peer %s\n", rem); - - while ((iph1 = getph1bydstaddr(dst)) != NULL) { -@@ -373,7 +373,7 @@ - - racoon_free(loc); - } -- -+ - racoon_free(rem); - break; - } -@@ -383,14 +383,14 @@ - char *data; - - acp = (struct admin_com_psk *) -- ((char *)com + sizeof(*com) + -+ ((char *)com + sizeof(*com) + - sizeof(struct admin_com_indexes)); - - idtype = acp->id_type; - - if ((id = vmalloc(acp->id_len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, -- "cannot allocate memory: %s\n", -+ "cannot allocate memory: %s\n", - strerror(errno)); - break; - } -@@ 
-399,7 +399,7 @@ - - if ((key = vmalloc(acp->key_len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, -- "cannot allocate memory: %s\n", -+ "cannot allocate memory: %s\n", - strerror(errno)); - vfree(id); - id = NULL; -@@ -474,7 +474,7 @@ - rmconf->xauth->pass = key; - } - #endif -- -+ - plog(LLV_INFO, LOCATION, NULL, - "accept a request to establish IKE-SA: " - "%s\n", saddrwop2str(dst)); -@@ -577,7 +577,7 @@ - } - - insph2(iph2); -- if (isakmp_post_acquire(iph2) < 0) { -+ if (isakmp_post_acquire(iph2, NULL) < 0) { - remph2(iph2); - delph2(iph2); - break; -@@ -710,17 +710,17 @@ - } - - if (chown(sunaddr.sun_path, adminsock_owner, adminsock_group) != 0) { -- plog(LLV_ERROR, LOCATION, NULL, -- "chown(%s, %d, %d): %s\n", -- sunaddr.sun_path, adminsock_owner, -+ plog(LLV_ERROR, LOCATION, NULL, -+ "chown(%s, %d, %d): %s\n", -+ sunaddr.sun_path, adminsock_owner, - adminsock_group, strerror(errno)); - (void)close(lcconf->sock_admin); - return -1; - } - - if (chmod(sunaddr.sun_path, adminsock_mode) != 0) { -- plog(LLV_ERROR, LOCATION, NULL, -- "chmod(%s, 0%03o): %s\n", -+ plog(LLV_ERROR, LOCATION, NULL, -+ "chmod(%s, 0%03o): %s\n", - sunaddr.sun_path, adminsock_mode, strerror(errno)); - (void)close(lcconf->sock_admin); - return -1; -Index: src/racoon/handler.c -=================================================================== -RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/handler.c,v -retrieving revision 1.29 -diff -u -r1.29 handler.c ---- a/src/racoon/handler.c 3 Jul 2009 06:41:46 -0000 1.29 -+++ b/src/racoon/handler.c 19 Aug 2009 14:35:06 -0000 -@@ -5,7 +5,7 @@ - /* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. -- * -+ * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: -@@ -17,7 +17,7 @@ - * 3. 
Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. -- * -+ * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -@@ -64,7 +64,7 @@ - #include "evt.h" - #include "isakmp.h" - #ifdef ENABLE_HYBRID --#include "isakmp_xauth.h" -+#include "isakmp_xauth.h" - #include "isakmp_cfg.h" - #endif - #include "isakmp_inf.h" -@@ -177,8 +177,8 @@ - * with phase 2's destinaion. - */ - struct ph1handle * --getph1(rmconf, local, remote, flags) -- struct remoteconf *rmconf; -+getph1(ph1hint, local, remote, flags) -+ struct ph1handle *ph1hint; - struct sockaddr *local, *remote; - int flags; - { -@@ -202,12 +202,30 @@ - continue; - } - -- if (local != NULL && cmpsaddr(local, p->local) != 0) -+ if (local != NULL && cmpsaddr(local, p->local) == CMPSADDR_MISMATCH) - continue; - -- if (remote != NULL && cmpsaddr(remote, p->remote) != 0) -+ if (remote != NULL && cmpsaddr(remote, p->remote) == CMPSADDR_MISMATCH) - continue; - -+ if (ph1hint != NULL) { -+ if (ph1hint->id && ph1hint->id->l && p->id && p->id->l && -+ (ph1hint->id->l != p->id->l || -+ memcmp(ph1hint->id->v, p->id->v, p->id->l) != 0)) { -+ plog(LLV_DEBUG2, LOCATION, NULL, -+ "local identity does match hint\n"); -+ continue; -+ } -+ if (ph1hint->id_p && ph1hint->id_p->l && -+ p->id_p && p->id_p->l && -+ (ph1hint->id_p->l != p->id_p->l || -+ memcmp(ph1hint->id_p->v, p->id_p->v, p->id_p->l) != 0)) { -+ plog(LLV_DEBUG2, LOCATION, NULL, -+ "remote identity does match hint\n"); -+ continue; -+ } -+ } -+ - plog(LLV_DEBUG2, LOCATION, NULL, "matched\n"); - return p; - } -@@ -1155,7 +1173,7 @@ - } - - #ifdef ENABLE_HYBRID --/* -+/* - * Retruns 0 if the address was obtained by ISAKMP mode config, 1 otherwise - * This should be in 
isakmp_cfg.c but ph1tree being private, it must be there - */ -@@ -1182,7 +1200,7 @@ - - - --/* -+/* - * Reload conf code - */ - static int revalidate_ph2(struct ph2handle *iph2){ -@@ -1192,11 +1210,11 @@ - struct saprop *approval; - struct ph1handle *iph1; - -- /* -+ /* - * Get the new sainfo using values of the old one - */ - if (iph2->sainfo != NULL) { -- iph2->sainfo = getsainfo(iph2->sainfo->idsrc, -+ iph2->sainfo = getsainfo(iph2->sainfo->idsrc, - iph2->sainfo->iddst, iph2->sainfo->id_i, - NULL, iph2->sainfo->remoteid); - } -@@ -1204,7 +1222,7 @@ - sainfo = iph2->sainfo; - - if (sainfo == NULL) { -- /* -+ /* - * Sainfo has been removed - */ - plog(LLV_DEBUG, LOCATION, NULL, -@@ -1219,7 +1237,7 @@ - plog(LLV_DEBUG, LOCATION, NULL, - "No approval found !\n"); - return 0; -- } -+ } - - /* - * Don't care about proposals, should we do something ? -@@ -1318,7 +1336,7 @@ - } - - found = 0; -- for (alg = sainfo->algs[algclass_ipsec_enc]; -+ for (alg = sainfo->algs[algclass_ipsec_enc]; - (found == 0 && alg != NULL); alg = alg->next) { - plog(LLV_DEBUG, LOCATION, NULL, - "Reload: next ph2 enc alg...\n"); -@@ -1351,7 +1369,7 @@ - break; - - default: -- plog(LLV_ERROR, LOCATION, NULL, -+ plog(LLV_ERROR, LOCATION, NULL, - "unexpected check_level\n"); - continue; - break; -@@ -1375,7 +1393,7 @@ - } - - --static void -+static void - remove_ph2(struct ph2handle *iph2) - { - u_int32_t spis[2]; -@@ -1467,7 +1485,7 @@ - return 1; - } - --int -+int - revalidate_ph12(void) - { - -Index: src/racoon/handler.h -=================================================================== -RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/handler.h,v -retrieving revision 1.21 -diff -u -r1.21 handler.h ---- a/src/racoon/handler.h 3 Jul 2009 06:41:46 -0000 1.21 -+++ b/src/racoon/handler.h 19 Aug 2009 14:35:06 -0000 -@@ -5,7 +5,7 @@ - /* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. 
-- * -+ * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: -@@ -17,7 +17,7 @@ - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. -- * -+ * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -@@ -214,7 +214,7 @@ - LIST_ENTRY(ph1handle) chain; - #ifdef ENABLE_HYBRID - struct isakmp_cfg_state *mode_cfg; /* ISAKMP mode config state */ --#endif -+#endif - EVT_LISTENER_LIST(evt_listeners); - }; - -@@ -449,7 +449,7 @@ - struct sockaddr_storage remote; - struct sockaddr_storage local; - u_int8_t version; -- u_int8_t etype; -+ u_int8_t etype; - time_t created; - int ph2cnt; - }; -@@ -468,7 +468,7 @@ - - #define GETPH1_F_ESTABLISHED 0x0001 - --extern struct ph1handle *getph1 __P((struct remoteconf *rmconf, -+extern struct ph1handle *getph1 __P((struct ph1handle *ph1hint, - struct sockaddr *local, - struct sockaddr *remote, - int flags)); -Index: src/racoon/isakmp.c -=================================================================== -RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp.c,v -retrieving revision 1.58 -diff -u -r1.58 isakmp.c ---- a/src/racoon/isakmp.c 3 Jul 2009 06:41:46 -0000 1.58 -+++ b/src/racoon/isakmp.c 19 Aug 2009 14:35:07 -0000 -@@ -5,7 +5,7 @@ - /* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. -- * -+ * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: -@@ -17,7 +17,7 @@ - * 3. 
Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. -- * -+ * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -@@ -176,7 +176,7 @@ - }; - - static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */ -- -+ - static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *)); - static int ph1_main __P((struct ph1handle *, vchar_t *)); - static int quick_main __P((struct ph2handle *, vchar_t *)); -@@ -190,7 +190,7 @@ - static int isakmp_ph2resend __P((struct ph2handle *)); - - #ifdef ENABLE_FRAG --static int frag_handler(struct ph1handle *, -+static int frag_handler(struct ph1handle *, - vchar_t *, struct sockaddr *, struct sockaddr *); - #endif - -@@ -259,16 +259,16 @@ - extralen += sizeof(x.lbuf.udp) + x.lbuf.ip.ip_hl; - } - #endif -- } -+ } - - #ifdef ENABLE_NATT -- /* we don't know about portchange yet, -+ /* we don't know about portchange yet, - look for non-esp marker instead */ - if (x.non_esp[0] == 0 && x.non_esp[1] != 0) - extralen = NON_ESP_MARKER_LEN; - #endif - -- /* now we know if there is an extra non-esp -+ /* now we know if there is an extra non-esp - marker at the beginning or not */ - memcpy ((char *)&isakmp, x.buf + extralen, sizeof (isakmp)); - -@@ -309,7 +309,7 @@ - if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp), - 0, (struct sockaddr *)&remote, &remote_len)) < 0) { - plog(LLV_ERROR, LOCATION, NULL, -- "failed to receive isakmp packet: %s\n", -+ "failed to receive isakmp packet: %s\n", - strerror (errno)); - } - goto end; -@@ -332,11 +332,11 @@ - (len - extralen)); - goto end; - } -- -+ - memcpy (buf->v, tmpbuf->v + extralen, buf->l); - - len -= extralen; -- -+ - if (len != buf->l) { - 
plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote, - "received invalid length (%d != %zu), why ?\n", -@@ -347,7 +347,7 @@ - plog(LLV_DEBUG, LOCATION, NULL, "===\n"); - plog(LLV_DEBUG, LOCATION, NULL, - "%d bytes message received %s\n", -- len, saddr2str_fromto("from %s to %s", -+ len, saddr2str_fromto("from %s to %s", - (struct sockaddr *)&remote, - (struct sockaddr *)&local)); - plogdump(LLV_DEBUG, buf->v, buf->l); -@@ -496,12 +496,12 @@ - } - - /* set the flag to prevent further port floating -- (FIXME: should we allow it? E.g. when the NAT gw -+ (FIXME: should we allow it? E.g. when the NAT gw - is rebooted?) */ - iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER; -- -+ - /* print some neat info */ -- plog (LLV_INFO, LOCATION, NULL, -+ plog (LLV_INFO, LOCATION, NULL, - "NAT-T: ports changed to: %s\n", - saddr2str_fromto ("%s<->%s", iph1->remote, iph1->local)); - -@@ -668,7 +668,7 @@ - return -1; - } - #ifdef ENABLE_HYBRID -- /* Reinit the IVM if it's still there */ -+ /* Reinit the IVM if it's still there */ - if (iph1->mode_cfg && iph1->mode_cfg->ivm) { - oakley_delivm(iph1->mode_cfg->ivm); - iph1->mode_cfg->ivm = NULL; -@@ -753,7 +753,7 @@ - - isakmp_cfg_r(iph1, msg); - break; --#endif -+#endif - - case ISAKMP_ETYPE_NONE: - default: -@@ -822,7 +822,7 @@ - /* free resend buffer */ - if (iph1->sendbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, -- "no buffer found as sendbuf\n"); -+ "no buffer found as sendbuf\n"); - return -1; - } - #endif -@@ -925,13 +925,13 @@ - log_ph1established(iph1); - plog(LLV_DEBUG, LOCATION, NULL, "===\n"); - -- /* -+ /* - * SA up shell script hook: do it now,except if - * ISAKMP mode config was requested. In the later - * case it is done when we receive the configuration. 
- */ - if ((iph1->status == PHASE1ST_ESTABLISHED) && -- !iph1->rmconf->mode_cfg) { -+ !iph1->rmconf->mode_cfg) { - switch (iph1->approval->authmethod) { - #ifdef ENABLE_HYBRID - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: -@@ -1004,7 +1004,7 @@ - /* free resend buffer */ - if (iph2->sendbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, -- "no buffer found as sendbuf\n"); -+ "no buffer found as sendbuf\n"); - return -1; - } - VPTRINIT(iph2->sendbuf); -@@ -1754,23 +1754,23 @@ - extralen = 0; - - #ifdef ENABLE_FRAG -- /* -+ /* - * Do not add the non ESP marker for a packet that will -- * be fragmented. The non ESP marker should appear in -+ * be fragmented. The non ESP marker should appear in - * all fragment's packets, but not in the fragmented packet - */ -- if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) -+ if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) - extralen = 0; - #endif - if (extralen) - plog (LLV_DEBUG, LOCATION, NULL, "Adding NON-ESP marker\n"); - -- /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker) -- must added just before the packet itself. For this we must -+ /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker) -+ must added just before the packet itself. For this we must - allocate a new buffer and release it at the end. 
*/ - if (extralen) { - if ((vbuf = vmalloc (sbuf->l + extralen)) == NULL) { -- plog(LLV_ERROR, LOCATION, NULL, -+ plog(LLV_ERROR, LOCATION, NULL, - "vbuf allocation failed\n"); - return -1; - } -@@ -1791,17 +1791,17 @@ - if (s == -1) - return -1; - -- plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l, -+ plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l, - saddr2str_fromto("from %s to %s", iph1->local, iph1->remote)); - - #ifdef ENABLE_FRAG - if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) { - if (isakmp_sendfrags(iph1, sbuf) == -1) { -- plog(LLV_ERROR, LOCATION, NULL, -+ plog(LLV_ERROR, LOCATION, NULL, - "isakmp_sendfrags failed\n"); - return -1; - } -- } else -+ } else - #endif - { - len = sendfromto(s, sbuf->v, sbuf->l, -@@ -1812,7 +1812,7 @@ - return -1; - } - } -- -+ - return 0; - } - -@@ -1959,7 +1959,7 @@ - iph1->status = PHASE1ST_DYING; - - /* Any fresh phase1s? */ -- new_iph1 = getph1(iph1->rmconf, iph1->local, iph1->remote, 1); -+ new_iph1 = getph1(iph1, iph1->local, iph1->remote, 1); - if (new_iph1 == NULL) { - LIST_FOREACH(p, &iph1->ph2tree, ph1bind) { - if (p->status != PHASE2ST_ESTABLISHED) -@@ -2036,7 +2036,7 @@ - char *src, *dst; - - /* Migrate established phase2s. Any fresh phase1s? */ -- new_iph1 = getph1byaddr(iph1->local, iph1->remote, 1); -+ new_iph1 = getph1(iph1, iph1->local, iph1->remote, 1); - if (new_iph1 != NULL) - migrate_ph12(iph1, new_iph1); - -@@ -2143,12 +2143,13 @@ - * if phase1 has been finished, begin phase2. - */ - int --isakmp_post_acquire(iph2) -+isakmp_post_acquire(iph2, iph1hint) - struct ph2handle *iph2; -+ struct ph1handle *iph1hint; - { - struct remoteconf *rmconf; - struct ph1handle *iph1 = NULL; -- -+ - plog(LLV_DEBUG, LOCATION, NULL, "in post_acquire\n"); - - /* Search appropriate configuration with masking port. Note that -@@ -2159,12 +2160,17 @@ - * address of a mobile node (not a CoA provided by MIGRATE/KMADDRESS - * as iph2->dst hint). 
This scenario would require additional changes, - * so no need to bother yet. --arno */ -- rmconf = getrmconf(iph2->dst, GETRMCONF_F_NO_PASSIVE); -- if (rmconf == NULL) { -- plog(LLV_ERROR, LOCATION, NULL, -- "no configuration found for %s.\n", -- saddrwop2str(iph2->dst)); -- return -1; -+ -+ if (iph1hint == NULL || iph1hint->rmconf == NULL) { -+ rmconf = getrmconf(iph2->dst, GETRMCONF_F_NO_PASSIVE); -+ if (rmconf == NULL) { -+ plog(LLV_ERROR, LOCATION, NULL, -+ "no configuration found for %s.\n", -+ saddrwop2str(iph2->dst)); -+ return -1; -+ } -+ } else { -+ rmconf = iph1hint->rmconf; - } - - /* if passive mode, ignore the acquire message */ -@@ -2181,7 +2187,7 @@ - * some cases, we should use the ISAKMP identity to search - * matching ISAKMP. - */ -- iph1 = getph1byaddr(iph2->src, iph2->dst, 0); -+ iph1 = getph1(iph1hint, iph2->src, iph2->dst, 0); - - /* no ISAKMP-SA found. */ - if (iph1 == NULL) { -@@ -2978,7 +2984,7 @@ - "ISAKMP-SA established %s-%s spi:%s\n", - src, dst, - isakmp_pindex(&iph1->index, 0)); -- -+ - evt_phase1(iph1, EVT_PHASE1_UP, NULL); - if(!iph1->rmconf->mode_cfg) - evt_phase1(iph1, EVT_PHASE1_MODE_CFG, NULL); -@@ -3011,7 +3017,7 @@ - return plist; - } - --vchar_t * -+vchar_t * - isakmp_plist_set_all (struct payload_list **plist, struct ph1handle *iph1) - { - struct payload_list *ptr = *plist, *first; -@@ -3022,7 +3028,7 @@ - /* Seek to the first item. */ - while (ptr->prev) ptr = ptr->prev; - first = ptr; -- -+ - /* Compute the whole length. 
*/ - while (ptr) { - tlen += ptr->payload->l + sizeof (struct isakmp_gen); -@@ -3064,7 +3070,7 @@ - } - - #ifdef ENABLE_FRAG --int -+int - frag_handler(iph1, msg, remote, local) - struct ph1handle *iph1; - vchar_t *msg; -@@ -3075,7 +3081,7 @@ - - if (isakmp_frag_extract(iph1, msg) == 1) { - if ((newmsg = isakmp_frag_reassembly(iph1)) == NULL) { -- plog(LLV_ERROR, LOCATION, remote, -+ plog(LLV_ERROR, LOCATION, remote, - "Packet reassembly failed\n"); - return -1; - } -@@ -3125,24 +3131,24 @@ - if (iph1->remote != NULL) { - GETNAMEINFO(iph1->remote, addrstr, portstr); - -- if (script_env_append(&envp, &envc, -+ if (script_env_append(&envp, &envc, - "REMOTE_ADDR", addrstr) != 0) { -- plog(LLV_ERROR, LOCATION, NULL, -+ plog(LLV_ERROR, LOCATION, NULL, - "Cannot set REMOTE_ADDR\n"); - goto out; - } - -- if (script_env_append(&envp, &envc, -+ if (script_env_append(&envp, &envc, - "REMOTE_PORT", portstr) != 0) { -- plog(LLV_ERROR, LOCATION, NULL, -+ plog(LLV_ERROR, LOCATION, NULL, - "Cannot set REMOTEL_PORT\n"); - goto out; - } - } - -- if (privsep_script_exec(iph1->rmconf->script[script]->v, -- script, envp) != 0) -- plog(LLV_ERROR, LOCATION, NULL, -+ if (privsep_script_exec(iph1->rmconf->script[script]->v, -+ script, envp) != 0) -+ plog(LLV_ERROR, LOCATION, NULL, - "Script %s execution failed\n", script_names[script]); - - out: -@@ -3202,7 +3208,7 @@ - argv[1] = script_names[name]; - argv[2] = NULL; - -- switch (fork()) { -+ switch (fork()) { - case 0: - execve(argv[0], argv, envp); - plog(LLV_ERROR, LOCATION, NULL, -@@ -3217,7 +3223,7 @@ - break; - default: - break; -- } -+ } - return 0; - - } -@@ -3243,7 +3249,7 @@ - iph1->status = PHASE1ST_EXPIRED; - - /* Check if we have another, still valid, phase1 SA. */ -- new_iph1 = getph1byaddr(iph1->local, iph1->remote, 1); -+ new_iph1 = getph1(iph1, iph1->local, iph1->remote, GETPH1_F_ESTABLISHED); - - /* - * Delete all orphaned or binded to the deleting ph1handle phase2 SAs. 
-@@ -3319,7 +3325,7 @@ - ntohl(sa->sadb_sa_spi)); - }else{ - -- /* -+ /* - * If we have a new ph1, do not purge IPsec-SAs binded - * to a different ISAKMP-SA - */ -@@ -3331,7 +3337,7 @@ - /* If the ph2handle is established, do not purge IPsec-SA */ - if (iph2->status == PHASE2ST_ESTABLISHED || - iph2->status == PHASE2ST_EXPIRED) { -- -+ - plog(LLV_INFO, LOCATION, NULL, - "keeping IPsec-SA spi=%u - found valid ISAKMP-SA spi=%s.\n", - ntohl(sa->sadb_sa_spi), -@@ -3342,7 +3348,7 @@ - } - } - -- -+ - pfkey_send_delete(lcconf->sock_pfkey, - msg->sadb_msg_satype, - IPSEC_MODE_ANY, -@@ -3373,7 +3379,7 @@ - sched_schedule(&iph1->sce, 1, isakmp_ph1delete_stub); - } - --void -+void - delete_spd(iph2, created) - struct ph2handle *iph2; - u_int64_t created; -@@ -3399,22 +3405,22 @@ - - plog(LLV_INFO, LOCATION, NULL, - "generated policy, deleting it.\n"); -- -+ - memset(&spidx, 0, sizeof(spidx)); - iph2->spidx_gen = (caddr_t )&spidx; -- -+ - /* make inbound policy */ - iph2->src = dst; - iph2->dst = src; - spidx.dir = IPSEC_DIR_INBOUND; - spidx.ul_proto = 0; -- -- /* -+ -+ /* - * Note: code from get_proposal_r - */ -- -+ - #define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type -- -+ - /* - * make destination address in spidx from either ID payload - * or phase 1 address into a address in spidx. -@@ -3430,48 +3436,48 @@ - &spidx.prefd, &spidx.ul_proto); - if (error) - goto purge; -- -+ - #ifdef INET6 - /* - * get scopeid from the SA address. - * note that the phase 1 source address is used as -- * a destination address to search for a inbound -+ * a destination address to search for a inbound - * policy entry because rcoon is responder. 
- */ - if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) { -- if ((error = -+ if ((error = - setscopeid((struct sockaddr *)&spidx.dst, - iph2->src)) != 0) - goto purge; - } - #endif -- -+ - if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR - || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) - idi2type = _XIDT(iph2->id); -- -+ - } else { -- -+ - plog(LLV_DEBUG, LOCATION, NULL, - "get a destination address of SP index " - "from phase1 address " - "due to no ID payloads found " - "OR because ID type is not address.\n"); -- -+ - /* -- * copy the SOURCE address of IKE into the -- * DESTINATION address of the key to search the -+ * copy the SOURCE address of IKE into the -+ * DESTINATION address of the key to search the - * SPD because the direction of policy is inbound. - */ - memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src)); - switch (spidx.dst.ss_family) { - case AF_INET: -- spidx.prefd = -+ spidx.prefd = - sizeof(struct in_addr) << 3; - break; - #ifdef INET6 - case AF_INET6: -- spidx.prefd = -+ spidx.prefd = - sizeof(struct in6_addr) << 3; - break; - #endif -@@ -3480,7 +3486,7 @@ - break; - } - } -- -+ - /* make source address in spidx */ - if (iph2->id_p != NULL - && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR -@@ -3500,7 +3506,7 @@ - * for more detail, see above of this function. - */ - if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) { -- error = -+ error = - setscopeid((struct sockaddr *)&spidx.src, - iph2->dst); - if (error) -@@ -3538,12 +3544,12 @@ - memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst)); - switch (spidx.src.ss_family) { - case AF_INET: -- spidx.prefs = -+ spidx.prefs = - sizeof(struct in_addr) << 3; - break; - #ifdef INET6 - case AF_INET6: -- spidx.prefs = -+ spidx.prefs = - sizeof(struct in6_addr) << 3; - break; - #endif -@@ -3574,14 +3580,14 @@ - spidx.ul_proto = IPSEC_ULPROTO_ANY; - - #undef _XIDT -- -+ - /* Check if the generated SPD has the same timestamp as the SA. 
- * If timestamps are different, this means that the SPD entry has been - * refreshed by another SA, and should NOT be deleted with the current SA. - */ - if( created ){ - struct secpolicy *p; -- -+ - p = getsp(&spidx); - if(p != NULL){ - /* just do no test if p is NULL, because this probably just means -@@ -3646,7 +3652,7 @@ - struct sockaddr *sp_addr0, *sa_addr0; - { - struct sockaddr_in6 *sp_addr, *sa_addr; -- -+ - sp_addr = (struct sockaddr_in6 *)sp_addr0; - sa_addr = (struct sockaddr_in6 *)sa_addr0; - -Index: src/racoon/isakmp_var.h -=================================================================== -RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h,v -retrieving revision 1.15 -diff -u -r1.15 isakmp_var.h ---- a/src/racoon/isakmp_var.h 20 Apr 2009 13:24:36 -0000 1.15 -+++ b/src/racoon/isakmp_var.h 19 Aug 2009 14:35:07 -0000 -@@ -5,7 +5,7 @@ - /* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. -- * -+ * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: -@@ -17,7 +17,7 @@ - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. 
-- * -+ * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -@@ -87,7 +87,7 @@ - extern void isakmp_ph2delete __P((struct ph2handle *)); - - extern int isakmp_get_sainfo __P((struct ph2handle *, struct secpolicy *, struct secpolicy *)); --extern int isakmp_post_acquire __P((struct ph2handle *)); -+extern int isakmp_post_acquire __P((struct ph2handle *, struct ph1handle *)); - extern int isakmp_post_getspi __P((struct ph2handle *)); - extern void isakmp_chkph1there_stub __P((struct sched *)); - extern void isakmp_chkph1there __P((struct ph2handle *)); -@@ -131,7 +131,7 @@ - struct remoteconf *, struct sockaddr *, struct sockaddr *)); - extern void log_ph1established __P((const struct ph1handle *)); - --extern void script_hook __P((struct ph1handle *, int)); -+extern void script_hook __P((struct ph1handle *, int)); - extern int script_env_append __P((char ***, int *, char *, char *)); - extern int script_exec __P((char *, int, char * const *)); - -Index: src/racoon/pfkey.c -=================================================================== -RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/pfkey.c,v -retrieving revision 1.50 -diff -u -r1.50 pfkey.c ---- a/src/racoon/pfkey.c 10 Aug 2009 08:22:13 -0000 1.50 -+++ b/src/racoon/pfkey.c 19 Aug 2009 14:35:07 -0000 -@@ -5,7 +5,7 @@ - /* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. -- * -+ * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: -@@ -17,7 +17,7 @@ - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. 
-- * -+ * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -@@ -173,7 +173,7 @@ - - /* cope with old kame headers - ugly */ - #ifndef SADB_X_AALG_MD5 --#define SADB_X_AALG_MD5 SADB_AALG_MD5 -+#define SADB_X_AALG_MD5 SADB_AALG_MD5 - #endif - #ifndef SADB_X_AALG_SHA - #define SADB_X_AALG_SHA SADB_AALG_SHA -@@ -353,7 +353,7 @@ - "type %i, pid %i\n", msg->sadb_msg_type, msg->sadb_msg_pid); - continue; - } -- -+ - - ml = msg->sadb_msg_len << 3; - bl = buf ? buf->l : 0; -@@ -839,7 +839,7 @@ - goto bad; - *a_keylen >>= 3; - -- if (t_id == IPSECDOI_ATTR_AUTH_HMAC_MD5 -+ if (t_id == IPSECDOI_ATTR_AUTH_HMAC_MD5 - && hashtype == IPSECDOI_ATTR_AUTH_KPDK) { - /* AH_MD5 + Auth(KPDK) = RFC1826 keyed-MD5 */ - *a_type = SADB_X_AALG_MD5; -@@ -919,7 +919,7 @@ - racoon_free(dst); - return -1; - } -- -+ - for (pr = pp->head; pr != NULL; pr = pr->next) { - - /* validity check */ -@@ -991,7 +991,7 @@ - * receive GETSPI from kernel. - */ - static int --pk_recvgetspi(mhp) -+pk_recvgetspi(mhp) - caddr_t *mhp; - { - struct sadb_msg *msg; -@@ -1111,7 +1111,7 @@ - sa_args.l_addtime = iph2->lifetime_secs; - else - sa_args.l_addtime = iph2->approval->lifetime; -- sa_args.seq = iph2->seq; -+ sa_args.seq = iph2->seq; - sa_args.wsize = 4; - - if (iph2->sa_src && iph2->sa_dst) { -@@ -1163,7 +1163,7 @@ - pr->head->trns_id, - pr->head->authtype, - &sa_args.e_type, &sa_args.e_keylen, -- &sa_args.a_type, &sa_args.a_keylen, -+ &sa_args.a_type, &sa_args.a_keylen, - &sa_args.flags) < 0){ - racoon_free(sa_args.src); - racoon_free(sa_args.dst); -@@ -1221,11 +1221,11 @@ - * But it is impossible because there is not key in the - * information from the kernel. 
- */ -- -+ - /* change some things before backing up */ - sa_args.wsize = 4; - sa_args.l_bytes = iph2->approval->lifebyte * 1024; -- -+ - if (backupsa_to_file(&sa_args) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "backuped SA failed: %s\n", -@@ -1447,7 +1447,7 @@ - pr->head->trns_id, - pr->head->authtype, - &sa_args.e_type, &sa_args.e_keylen, -- &sa_args.a_type, &sa_args.a_keylen, -+ &sa_args.a_type, &sa_args.a_keylen, - &sa_args.flags) < 0){ - racoon_free(sa_args.src); - racoon_free(sa_args.dst); -@@ -1668,11 +1668,12 @@ - " being negotiated. Stopping negotiation.\n"); - } - -- /* turn off the timer for calling isakmp_ph2expire() */ -+ /* turn off the timer for calling isakmp_ph2expire() */ - sched_cancel(&iph2->sce); - - if (iph2->status == PHASE2ST_ESTABLISHED && - iph2->side == INITIATOR) { -+ struct ph1handle *iph1hint; - /* - * Active phase 2 expired and we were initiator. - * Begin new phase 2 exchange, so we can keep on sending -@@ -1680,11 +1681,12 @@ - */ - - /* update status for re-use */ -+ iph1hint = iph2->ph1; - initph2(iph2); - iph2->status = PHASE2ST_STATUS2; - - /* start quick exchange */ -- if (isakmp_post_acquire(iph2) < 0) { -+ if (isakmp_post_acquire(iph2, iph1hint) < 0) { - plog(LLV_ERROR, LOCATION, iph2->dst, - "failed to begin ipsec sa " - "re-negotication.\n"); -@@ -1750,7 +1752,7 @@ - if (m_sec_ctx != NULL) { - plog(LLV_INFO, LOCATION, NULL, "security context doi: %u\n", - m_sec_ctx->sadb_x_ctx_doi); -- plog(LLV_INFO, LOCATION, NULL, -+ plog(LLV_INFO, LOCATION, NULL, - "security context algorithm: %u\n", - m_sec_ctx->sadb_x_ctx_alg); - plog(LLV_INFO, LOCATION, NULL, "security context length: %u\n", -@@ -1960,7 +1962,7 @@ - - /* start isakmp initiation by using ident exchange */ - /* XXX should be looped if there are multiple phase 2 handler. 
*/ -- if (isakmp_post_acquire(iph2) < 0) { -+ if (isakmp_post_acquire(iph2, NULL) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to begin ipsec sa negotication.\n"); - remph2(iph2); -@@ -2145,7 +2147,7 @@ - p->sadb_x_ctx_len = spidx->sec_ctx.ctx_strlen; - p->sadb_x_ctx_doi = spidx->sec_ctx.ctx_doi; - p->sadb_x_ctx_alg = spidx->sec_ctx.ctx_alg; -- -+ - memcpy(p + 1,spidx->sec_ctx.ctx_str,spidx->sec_ctx.ctx_strlen); - len += ctxlen; - } -@@ -2184,7 +2186,7 @@ - goto err; - } - -- /* -+ /* - * the policy level cannot be unique because the policy - * is defined later than SA, so req_id cannot be bound to SA. - */ -@@ -2217,7 +2219,7 @@ - - xisr->sadb_x_ipsecrequest_len = PFKEY_ALIGN8(xisrlen); - xisr = (struct sadb_x_ipsecrequest *)p; -- -+ - } - racoon_free(pr_rlist); - -@@ -3070,6 +3072,8 @@ - rmconf = getrmconf(iph2->dst, 0); - - if (rmconf && !rmconf->passive) { -+ struct ph1handle *iph1hint; -+ - plog(LLV_WARNING, LOCATION, iph2->dst, "MIGRATE received " - "*during* IPsec SA negotiation. As initiator, " - "restarting it.\n"); -@@ -3079,11 +3083,12 @@ - iph2->status = PHASE2ST_EXPIRED; - - /* ... clean Phase 2 handle ... */ -+ iph1hint = iph2->ph1; - initph2(iph2); - iph2->status = PHASE2ST_STATUS2; - - /* and start a new negotiation */ -- if (isakmp_post_acquire(iph2) < 0) { -+ if (isakmp_post_acquire(iph2, iph1hint) < 0) { - plog(LLV_ERROR, LOCATION, iph2->dst, "failed " - "to begin IPsec SA renegotiation after " - "MIGRATE reception.\n");
diff --git a/main/ipsec-tools/APKBUILD b/main/ipsec-tools/APKBUILD
index db1d28bf14..1b792b0b48 100644
--- a/main/ipsec-tools/APKBUILD
+++ b/main/ipsec-tools/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=ipsec-tools
-pkgver=0.8_alpha20090820
-_myver=0.8-alpha20090820
+pkgver=0.8_alpha20090903
+_myver=0.8-alpha20090903
 pkgrel=0
 pkgdesc="User-space IPsec tools for various IPsec implementations"
 url="http://ipsec-tools.sourceforge.net/"
@@ -12,7 +12,6 @@ subpackages="$pkgname-doc $pkgname-dev"
 source="http://downloads.sourceforge.net/$pkgname/$pkgname-$_myver.tar.gz
 racoon.initd
 racoon.confd
- 10-rekey-ph1hint.patch
 50-reverse-connect.patch
 60-debug-quick.patch
 "
@@ -45,9 +44,8 @@ build() {
 install -D -m644 ../racoon.confd "$pkgdir"/etc/conf.d/racoon
 }
 
-md5sums="8b79f9e773043a47d636b4c6f59b84eb ipsec-tools-0.8-alpha20090820.tar.gz
+md5sums="8ec28d4e89c0f5e49ae2caa7463fbcfd ipsec-tools-0.8-alpha20090903.tar.gz
 fce62b52b598be268e27609f470f8e9b racoon.initd
 2d00250cf72da7f2f559c91b65a48747 racoon.confd
-4ee586cc6c6f1e0dd7a8bd9da0f5111d 10-rekey-ph1hint.patch
 13bda94a598aabf593280e04ea16065d 50-reverse-connect.patch
 baa13d7f0f48955c792f7fcd42a8587a 60-debug-quick.patch" |
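Review bot: The source list in this hunk drops 10-rekey-ph1hint.patch, but nothing in the visible record states that the 20090903 snapshot already contains that change; the deleted patch's headers date it 19 Aug 2009 against the NetBSD CVS tree, so it presumably landed upstream before the snapshot, yet a maintainer reading this later has no way to tell a merged backport from one dropped by mistake. A one-line comment next to the pkgver bump, e.g. `# 10-rekey-ph1hint.patch: merged upstream, included since the 20090903 snapshot`, would record the reason. Separately, the md5sums line is the only integrity check on a tarball fetched over plain http; MD5 is no longer collision resistant, so if the build tooling accepts a stronger digest the checksums should be regenerated with it, and the snapshot should be compared against upstream's published digest when one exists. The build() function these hunks touch starts outside the hunk.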