? .msg ? ChangeLog ? alpine-config ? commiters.txt ? fd-unmonitor-segv-fix.patch ? natt-and-cmpsaddr.patch ? racoon.txt ? rekeying-fixes.diff ? rpm/Makefile ? rpm/Makefile.in ? rpm/ipsec-tools.spec ? rpm/suse/Makefile ? rpm/suse/Makefile.in ? rpm/suse/ipsec-tools.spec ? src/Makefile ? src/Makefile.in ? src/include-glibc/.includes ? src/include-glibc/Makefile ? src/include-glibc/Makefile.in ? src/libipsec/.deps ? src/libipsec/.libs ? src/libipsec/Makefile ? src/libipsec/Makefile.in ? src/libipsec/ipsec_dump_policy.lo ? src/libipsec/ipsec_get_policylen.lo ? src/libipsec/ipsec_strerror.lo ? src/libipsec/key_debug.lo ? src/libipsec/libipsec.la ? src/libipsec/pfkey.lo ? src/libipsec/pfkey_dump.lo ? src/libipsec/policy_parse.c ? src/libipsec/policy_parse.h ? src/libipsec/policy_parse.lo ? src/libipsec/policy_token.c ? src/libipsec/policy_token.lo ? src/racoon/.deps ? src/racoon/.libs ? src/racoon/Makefile ? src/racoon/Makefile.in ? src/racoon/cfparse.c ? src/racoon/cfparse.h ? src/racoon/cftoken.c ? src/racoon/eaytest ? src/racoon/libracoon.la ? src/racoon/libracoon_la-kmpstat.lo ? src/racoon/libracoon_la-misc.lo ? src/racoon/libracoon_la-sockmisc.lo ? src/racoon/libracoon_la-vmbuf.lo ? src/racoon/plainrsa-gen ? src/racoon/prsa_par.c ? src/racoon/prsa_par.h ? src/racoon/prsa_tok.c ? src/racoon/racoon ? src/racoon/racoonctl ? src/racoon/samples/psk.txt ? src/racoon/samples/racoon.conf ? src/setkey/.deps ? src/setkey/.libs ? src/setkey/Makefile ? src/setkey/Makefile.in ? src/setkey/parse.c ? src/setkey/parse.h ? src/setkey/setkey ? src/setkey/token.c Index: src/racoon/admin.c =================================================================== RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/admin.c,v retrieving revision 1.31 diff -u -r1.31 admin.c --- a/src/racoon/admin.c 3 Jul 2009 06:41:46 -0000 1.31 +++ b/src/racoon/admin.c 19 Aug 2009 14:35:06 -0000 
@@ -5,7 +5,7 @@ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -17,7 +17,7 @@ * 3. Neither the name of the project nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -341,7 +341,7 @@ user[len] = 0; found = purgeph1bylogin(user); - plog(LLV_INFO, LOCATION, NULL, + plog(LLV_INFO, LOCATION, NULL, "deleted %d SA for user \"%s\"\n", found, user); break; @@ -360,7 +360,7 @@ rem = racoon_strdup(saddrwop2str(dst)); STRDUP_FATAL(rem); - plog(LLV_INFO, LOCATION, NULL, + plog(LLV_INFO, LOCATION, NULL, "Flushing all SAs for peer %s\n", rem); while ((iph1 = getph1bydstaddr(dst)) != NULL) { @@ -373,7 +373,7 @@ racoon_free(loc); } - + racoon_free(rem); break; } @@ -383,14 +383,14 @@ char *data; acp = (struct admin_com_psk *) - ((char *)com + sizeof(*com) + + ((char *)com + sizeof(*com) + sizeof(struct admin_com_indexes)); idtype = acp->id_type; if ((id = vmalloc(acp->id_len)) == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "cannot allocate memory: %s\n", + "cannot allocate memory: %s\n", strerror(errno)); break; } @@ -399,7 +399,7 @@ if ((key = vmalloc(acp->key_len)) == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "cannot allocate memory: %s\n", + "cannot allocate memory: %s\n", strerror(errno)); vfree(id); id = NULL; @@ -474,7 +474,7 @@ rmconf->xauth->pass = key; } #endif - + plog(LLV_INFO, LOCATION, NULL, "accept a request to establish IKE-SA: " "%s\n", saddrwop2str(dst)); 
@@ -577,7 +577,7 @@ } insph2(iph2); - if (isakmp_post_acquire(iph2) < 0) { + if (isakmp_post_acquire(iph2, NULL) < 0) { remph2(iph2); delph2(iph2); break; @@ -710,17 +710,17 @@ } if (chown(sunaddr.sun_path, adminsock_owner, adminsock_group) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "chown(%s, %d, %d): %s\n", - sunaddr.sun_path, adminsock_owner, + plog(LLV_ERROR, LOCATION, NULL, + "chown(%s, %d, %d): %s\n", + sunaddr.sun_path, adminsock_owner, adminsock_group, strerror(errno)); (void)close(lcconf->sock_admin); return -1; } if (chmod(sunaddr.sun_path, adminsock_mode) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "chmod(%s, 0%03o): %s\n", + plog(LLV_ERROR, LOCATION, NULL, + "chmod(%s, 0%03o): %s\n", sunaddr.sun_path, adminsock_mode, strerror(errno)); (void)close(lcconf->sock_admin); return -1; Index: src/racoon/handler.c =================================================================== RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/handler.c,v retrieving revision 1.29 diff -u -r1.29 handler.c --- a/src/racoon/handler.c 3 Jul 2009 06:41:46 -0000 1.29 +++ b/src/racoon/handler.c 19 Aug 2009 14:35:06 -0000 @@ -5,7 +5,7 @@ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -17,7 +17,7 @@ * 3. Neither the name of the project nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
@@ -64,7 +64,7 @@ #include "evt.h" #include "isakmp.h" #ifdef ENABLE_HYBRID -#include "isakmp_xauth.h" +#include "isakmp_xauth.h" #include "isakmp_cfg.h" #endif #include "isakmp_inf.h" @@ -177,8 +177,8 @@ * with phase 2's destinaion. */ struct ph1handle * -getph1(rmconf, local, remote, flags) - struct remoteconf *rmconf; +getph1(ph1hint, local, remote, flags) + struct ph1handle *ph1hint; struct sockaddr *local, *remote; int flags; { @@ -202,12 +202,30 @@ continue; } - if (local != NULL && cmpsaddr(local, p->local) != 0) + if (local != NULL && cmpsaddr(local, p->local) == CMPSADDR_MISMATCH) continue; - if (remote != NULL && cmpsaddr(remote, p->remote) != 0) + if (remote != NULL && cmpsaddr(remote, p->remote) == CMPSADDR_MISMATCH) continue; + if (ph1hint != NULL) { + if (ph1hint->id && ph1hint->id->l && p->id && p->id->l && + (ph1hint->id->l != p->id->l || + memcmp(ph1hint->id->v, p->id->v, p->id->l) != 0)) { + plog(LLV_DEBUG2, LOCATION, NULL, + "local identity does match hint\n"); + continue; + } + if (ph1hint->id_p && ph1hint->id_p->l && + p->id_p && p->id_p->l && + (ph1hint->id_p->l != p->id_p->l || + memcmp(ph1hint->id_p->v, p->id_p->v, p->id_p->l) != 0)) { + plog(LLV_DEBUG2, LOCATION, NULL, + "remote identity does match hint\n"); + continue; + } + } + plog(LLV_DEBUG2, LOCATION, NULL, "matched\n"); return p; } @@ -1155,7 +1173,7 @@ } #ifdef ENABLE_HYBRID -/* +/* * Retruns 0 if the address was obtained by ISAKMP mode config, 1 otherwise * This should be in isakmp_cfg.c but ph1tree being private, it must be there */ @@ -1182,7 +1200,7 @@ -/* +/* * Reload conf code */ static int revalidate_ph2(struct ph2handle *iph2){ @@ -1192,11 +1210,11 @@ struct saprop *approval; struct ph1handle *iph1; - /* + /* * Get the new sainfo using values of the old one */ if (iph2->sainfo != NULL) { - iph2->sainfo = getsainfo(iph2->sainfo->idsrc, + iph2->sainfo = getsainfo(iph2->sainfo->idsrc, iph2->sainfo->iddst, iph2->sainfo->id_i, NULL, iph2->sainfo->remoteid); } 
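Review bot: The two debug messages added in the hint block, `"local identity does match hint\n"` and `"remote identity does match hint\n"`, are logged on the `continue` path, i.e. when the identities differ; they should read `"local identity does not match hint\n"` and `"remote identity does not match hint\n"`. The same hunk relaxes the address test from `cmpsaddr(...) != 0` to `== CMPSADDR_MISMATCH`, so any other non-mismatch return value (port-only differences, if cmpsaddr reports those separately, e.g. `CMPSADDR_WOP_MATCH`) now counts as a match; with NAT-T several peers can share an address and differ only by port, so a comment stating that the identity comparison is what disambiguates them would help, especially since that comparison is skipped whenever either side's id or id_p is empty. getph1's loop begins before and ends after this hunk.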
@@ -1204,7 +1222,7 @@ sainfo = iph2->sainfo; if (sainfo == NULL) { - /* + /* * Sainfo has been removed */ plog(LLV_DEBUG, LOCATION, NULL, @@ -1219,7 +1237,7 @@ plog(LLV_DEBUG, LOCATION, NULL, "No approval found !\n"); return 0; - } + } /* * Don't care about proposals, should we do something ? @@ -1318,7 +1336,7 @@ } found = 0; - for (alg = sainfo->algs[algclass_ipsec_enc]; + for (alg = sainfo->algs[algclass_ipsec_enc]; (found == 0 && alg != NULL); alg = alg->next) { plog(LLV_DEBUG, LOCATION, NULL, "Reload: next ph2 enc alg...\n"); @@ -1351,7 +1369,7 @@ break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(LLV_ERROR, LOCATION, NULL, "unexpected check_level\n"); continue; break; @@ -1375,7 +1393,7 @@ } -static void +static void remove_ph2(struct ph2handle *iph2) { u_int32_t spis[2]; @@ -1467,7 +1485,7 @@ return 1; } -int +int revalidate_ph12(void) { Index: src/racoon/handler.h =================================================================== RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/handler.h,v retrieving revision 1.21 diff -u -r1.21 handler.h --- a/src/racoon/handler.h 3 Jul 2009 06:41:46 -0000 1.21 +++ b/src/racoon/handler.h 19 Aug 2009 14:35:06 -0000 @@ -5,7 +5,7 @@ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -17,7 +17,7 @@ * 3. Neither the name of the project nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
@@ -214,7 +214,7 @@ LIST_ENTRY(ph1handle) chain; #ifdef ENABLE_HYBRID struct isakmp_cfg_state *mode_cfg; /* ISAKMP mode config state */ -#endif +#endif EVT_LISTENER_LIST(evt_listeners); }; @@ -449,7 +449,7 @@ struct sockaddr_storage remote; struct sockaddr_storage local; u_int8_t version; - u_int8_t etype; + u_int8_t etype; time_t created; int ph2cnt; }; @@ -468,7 +468,7 @@ #define GETPH1_F_ESTABLISHED 0x0001 -extern struct ph1handle *getph1 __P((struct remoteconf *rmconf, +extern struct ph1handle *getph1 __P((struct ph1handle *ph1hint, struct sockaddr *local, struct sockaddr *remote, int flags)); Index: src/racoon/isakmp.c =================================================================== RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp.c,v retrieving revision 1.58 diff -u -r1.58 isakmp.c --- a/src/racoon/isakmp.c 3 Jul 2009 06:41:46 -0000 1.58 +++ b/src/racoon/isakmp.c 19 Aug 2009 14:35:07 -0000 @@ -5,7 +5,7 @@ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -17,7 +17,7 @@ * 3. Neither the name of the project nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -176,7 +176,7 @@ }; static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */ - + static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *)); static int ph1_main __P((struct ph1handle *, vchar_t *)); static int quick_main __P((struct ph2handle *, vchar_t *)); 
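Review bot: The `getph1` prototype now takes `struct ph1handle *ph1hint` in place of `rmconf`, but the header says nothing about what the hint does or that it may be NULL; a short comment such as `/* ph1hint: optional (may be NULL); when set, candidates whose id/id_p differ from the hint's are skipped */` would save callers a trip into handler.c. The same documentation gap applies to the new second parameter of `isakmp_post_acquire` in isakmp_var.h.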
@@ -190,7 +190,7 @@ static int isakmp_ph2resend __P((struct ph2handle *)); #ifdef ENABLE_FRAG -static int frag_handler(struct ph1handle *, +static int frag_handler(struct ph1handle *, vchar_t *, struct sockaddr *, struct sockaddr *); #endif @@ -259,16 +259,16 @@ extralen += sizeof(x.lbuf.udp) + x.lbuf.ip.ip_hl; } #endif - } + } #ifdef ENABLE_NATT - /* we don't know about portchange yet, + /* we don't know about portchange yet, look for non-esp marker instead */ if (x.non_esp[0] == 0 && x.non_esp[1] != 0) extralen = NON_ESP_MARKER_LEN; #endif - /* now we know if there is an extra non-esp + /* now we know if there is an extra non-esp marker at the beginning or not */ memcpy ((char *)&isakmp, x.buf + extralen, sizeof (isakmp)); @@ -309,7 +309,7 @@ if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp), 0, (struct sockaddr *)&remote, &remote_len)) < 0) { plog(LLV_ERROR, LOCATION, NULL, - "failed to receive isakmp packet: %s\n", + "failed to receive isakmp packet: %s\n", strerror (errno)); } goto end; @@ -332,11 +332,11 @@ (len - extralen)); goto end; } - + memcpy (buf->v, tmpbuf->v + extralen, buf->l); len -= extralen; - + if (len != buf->l) { plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote, "received invalid length (%d != %zu), why ?\n", @@ -347,7 +347,7 @@ plog(LLV_DEBUG, LOCATION, NULL, "===\n"); plog(LLV_DEBUG, LOCATION, NULL, "%d bytes message received %s\n", - len, saddr2str_fromto("from %s to %s", + len, saddr2str_fromto("from %s to %s", (struct sockaddr *)&remote, (struct sockaddr *)&local)); plogdump(LLV_DEBUG, buf->v, buf->l); 
@@ -496,12 +496,12 @@ } /* set the flag to prevent further port floating - (FIXME: should we allow it? E.g. when the NAT gw + (FIXME: should we allow it? E.g. when the NAT gw is rebooted?) */ iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER; - + /* print some neat info */ - plog (LLV_INFO, LOCATION, NULL, + plog (LLV_INFO, LOCATION, NULL, "NAT-T: ports changed to: %s\n", saddr2str_fromto ("%s<->%s", iph1->remote, iph1->local)); @@ -668,7 +668,7 @@ return -1; } #ifdef ENABLE_HYBRID - /* Reinit the IVM if it's still there */ + /* Reinit the IVM if it's still there */ if (iph1->mode_cfg && iph1->mode_cfg->ivm) { oakley_delivm(iph1->mode_cfg->ivm); iph1->mode_cfg->ivm = NULL; @@ -753,7 +753,7 @@ isakmp_cfg_r(iph1, msg); break; -#endif +#endif case ISAKMP_ETYPE_NONE: default: @@ -822,7 +822,7 @@ /* free resend buffer */ if (iph1->sendbuf == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "no buffer found as sendbuf\n"); + "no buffer found as sendbuf\n"); return -1; } #endif @@ -925,13 +925,13 @@ log_ph1established(iph1); plog(LLV_DEBUG, LOCATION, NULL, "===\n"); - /* + /* * SA up shell script hook: do it now,except if * ISAKMP mode config was requested. In the later * case it is done when we receive the configuration. */ if ((iph1->status == PHASE1ST_ESTABLISHED) && - !iph1->rmconf->mode_cfg) { + !iph1->rmconf->mode_cfg) { switch (iph1->approval->authmethod) { #ifdef ENABLE_HYBRID case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: @@ -1004,7 +1004,7 @@ /* free resend buffer */ if (iph2->sendbuf == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "no buffer found as sendbuf\n"); + "no buffer found as sendbuf\n"); return -1; } VPTRINIT(iph2->sendbuf); 
@@ -1754,23 +1754,23 @@ extralen = 0; #ifdef ENABLE_FRAG - /* + /* * Do not add the non ESP marker for a packet that will - * be fragmented. The non ESP marker should appear in + * be fragmented. The non ESP marker should appear in * all fragment's packets, but not in the fragmented packet */ - if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) + if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) extralen = 0; #endif if (extralen) plog (LLV_DEBUG, LOCATION, NULL, "Adding NON-ESP marker\n"); - /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker) - must added just before the packet itself. For this we must + /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker) + must added just before the packet itself. For this we must allocate a new buffer and release it at the end. */ if (extralen) { if ((vbuf = vmalloc (sbuf->l + extralen)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(LLV_ERROR, LOCATION, NULL, "vbuf allocation failed\n"); return -1; } @@ -1791,17 +1791,17 @@ if (s == -1) return -1; - plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l, + plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l, saddr2str_fromto("from %s to %s", iph1->local, iph1->remote)); #ifdef ENABLE_FRAG if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) { if (isakmp_sendfrags(iph1, sbuf) == -1) { - plog(LLV_ERROR, LOCATION, NULL, + plog(LLV_ERROR, LOCATION, NULL, "isakmp_sendfrags failed\n"); return -1; } - } else + } else #endif { len = sendfromto(s, sbuf->v, sbuf->l, @@ -1812,7 +1812,7 @@ return -1; } } - + return 0; } @@ -1959,7 +1959,7 @@ iph1->status = PHASE1ST_DYING; /* Any fresh phase1s? */ - new_iph1 = getph1(iph1->rmconf, iph1->local, iph1->remote, 1); + new_iph1 = getph1(iph1, iph1->local, iph1->remote, 1); if (new_iph1 == NULL) { LIST_FOREACH(p, &iph1->ph2tree, ph1bind) { if (p->status != PHASE2ST_ESTABLISHED) 
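Review bot: The rewritten call `getph1(iph1, iph1->local, iph1->remote, 1)` passes the flags argument as the literal `1`, whereas the equivalent call in the @@ -3243 hunk of this file uses `GETPH1_F_ESTABLISHED`; use the named flag here and in the @@ -2036 hunk, `new_iph1 = getph1(iph1, iph1->local, iph1->remote, GETPH1_F_ESTABLISHED);`. The hint passed is the dying phase 1 itself, so a one-line comment that it is only consulted for its identities, and is presumably excluded from the result by its own non-established status, would help; confirm that against getph1's status test, which is outside this hunk. The enclosing function starts before the hunk.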
@@ -2036,7 +2036,7 @@ char *src, *dst; /* Migrate established phase2s. Any fresh phase1s? */ - new_iph1 = getph1byaddr(iph1->local, iph1->remote, 1); + new_iph1 = getph1(iph1, iph1->local, iph1->remote, 1); if (new_iph1 != NULL) migrate_ph12(iph1, new_iph1); @@ -2143,12 +2143,13 @@ * if phase1 has been finished, begin phase2. */ int -isakmp_post_acquire(iph2) +isakmp_post_acquire(iph2, iph1hint) struct ph2handle *iph2; + struct ph1handle *iph1hint; { struct remoteconf *rmconf; struct ph1handle *iph1 = NULL; - + plog(LLV_DEBUG, LOCATION, NULL, "in post_acquire\n"); /* Search appropriate configuration with masking port. Note that @@ -2159,12 +2160,17 @@ * address of a mobile node (not a CoA provided by MIGRATE/KMADDRESS * as iph2->dst hint). This scenario would require additional changes, * so no need to bother yet. --arno */ - rmconf = getrmconf(iph2->dst, GETRMCONF_F_NO_PASSIVE); - if (rmconf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "no configuration found for %s.\n", - saddrwop2str(iph2->dst)); - return -1; + + if (iph1hint == NULL || iph1hint->rmconf == NULL) { + rmconf = getrmconf(iph2->dst, GETRMCONF_F_NO_PASSIVE); + if (rmconf == NULL) { + plog(LLV_ERROR, LOCATION, NULL, + "no configuration found for %s.\n", + saddrwop2str(iph2->dst)); + return -1; + } + } else { + rmconf = iph1hint->rmconf; } /* if passive mode, ignore the acquire message */ @@ -2181,7 +2187,7 @@ * some cases, we should use the ISAKMP identity to search * matching ISAKMP. */ - iph1 = getph1byaddr(iph2->src, iph2->dst, 0); + iph1 = getph1(iph1hint, iph2->src, iph2->dst, 0); /* no ISAKMP-SA found. */ if (iph1 == NULL) { @@ -2978,7 +2984,7 @@ "ISAKMP-SA established %s-%s spi:%s\n", src, dst, isakmp_pindex(&iph1->index, 0)); - + evt_phase1(iph1, EVT_PHASE1_UP, NULL); if(!iph1->rmconf->mode_cfg) evt_phase1(iph1, EVT_PHASE1_MODE_CFG, NULL); 
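Review bot: When `iph1hint->rmconf` is non-NULL it is adopted without the `getrmconf(iph2->dst, GETRMCONF_F_NO_PASSIVE)` lookup, so nothing in this hunk re-checks that the hinted remote configuration still corresponds to `iph2->dst`, nor that it is still a live configuration object after a reload (handler.c's revalidate path suggests rmconf objects can be replaced); the passive check that follows the hunk presumably still covers the passive case. If rmconf lifetime is tied to the phase 1 handle this is fine, otherwise keeping the `getrmconf` lookup as a sanity check and using the hint only for the `getph1` call below would be safer. Either way, the function comment above `isakmp_post_acquire` (outside the hunk) should state that `iph1hint` may be NULL and that, when set, its rmconf takes precedence over the address-based lookup, e.g. `/* iph1hint: optional; when non-NULL its rmconf and identities are reused for the renegotiation */`. The function continues past the hunk.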
@@ -3011,7 +3017,7 @@ return plist; } -vchar_t * +vchar_t * isakmp_plist_set_all (struct payload_list **plist, struct ph1handle *iph1) { struct payload_list *ptr = *plist, *first; @@ -3022,7 +3028,7 @@ /* Seek to the first item. */ while (ptr->prev) ptr = ptr->prev; first = ptr; - + /* Compute the whole length. */ while (ptr) { tlen += ptr->payload->l + sizeof (struct isakmp_gen); @@ -3064,7 +3070,7 @@ } #ifdef ENABLE_FRAG -int +int frag_handler(iph1, msg, remote, local) struct ph1handle *iph1; vchar_t *msg; @@ -3075,7 +3081,7 @@ if (isakmp_frag_extract(iph1, msg) == 1) { if ((newmsg = isakmp_frag_reassembly(iph1)) == NULL) { - plog(LLV_ERROR, LOCATION, remote, + plog(LLV_ERROR, LOCATION, remote, "Packet reassembly failed\n"); return -1; } @@ -3125,24 +3131,24 @@ if (iph1->remote != NULL) { GETNAMEINFO(iph1->remote, addrstr, portstr); - if (script_env_append(&envp, &envc, + if (script_env_append(&envp, &envc, "REMOTE_ADDR", addrstr) != 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(LLV_ERROR, LOCATION, NULL, "Cannot set REMOTE_ADDR\n"); goto out; } - if (script_env_append(&envp, &envc, + if (script_env_append(&envp, &envc, "REMOTE_PORT", portstr) != 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(LLV_ERROR, LOCATION, NULL, "Cannot set REMOTEL_PORT\n"); goto out; } } - if (privsep_script_exec(iph1->rmconf->script[script]->v, - script, envp) != 0) - plog(LLV_ERROR, LOCATION, NULL, + if (privsep_script_exec(iph1->rmconf->script[script]->v, + script, envp) != 0) + plog(LLV_ERROR, LOCATION, NULL, "Script %s execution failed\n", script_names[script]); out: @@ -3202,7 +3208,7 @@ argv[1] = script_names[name]; argv[2] = NULL; - switch (fork()) { + switch (fork()) { case 0: execve(argv[0], argv, envp); plog(LLV_ERROR, LOCATION, NULL, @@ -3217,7 +3223,7 @@ break; default: break; - } + } return 0; } 
@@ -3243,7 +3249,7 @@ iph1->status = PHASE1ST_EXPIRED; /* Check if we have another, still valid, phase1 SA. */ - new_iph1 = getph1byaddr(iph1->local, iph1->remote, 1); + new_iph1 = getph1(iph1, iph1->local, iph1->remote, GETPH1_F_ESTABLISHED); /* * Delete all orphaned or binded to the deleting ph1handle phase2 SAs. @@ -3319,7 +3325,7 @@ ntohl(sa->sadb_sa_spi)); }else{ - /* + /* * If we have a new ph1, do not purge IPsec-SAs binded * to a different ISAKMP-SA */ @@ -3331,7 +3337,7 @@ /* If the ph2handle is established, do not purge IPsec-SA */ if (iph2->status == PHASE2ST_ESTABLISHED || iph2->status == PHASE2ST_EXPIRED) { - + plog(LLV_INFO, LOCATION, NULL, "keeping IPsec-SA spi=%u - found valid ISAKMP-SA spi=%s.\n", ntohl(sa->sadb_sa_spi), @@ -3342,7 +3348,7 @@ } } - + pfkey_send_delete(lcconf->sock_pfkey, msg->sadb_msg_satype, IPSEC_MODE_ANY, @@ -3373,7 +3379,7 @@ sched_schedule(&iph1->sce, 1, isakmp_ph1delete_stub); } -void +void delete_spd(iph2, created) struct ph2handle *iph2; u_int64_t created; @@ -3399,22 +3405,22 @@ plog(LLV_INFO, LOCATION, NULL, "generated policy, deleting it.\n"); - + memset(&spidx, 0, sizeof(spidx)); iph2->spidx_gen = (caddr_t )&spidx; - + /* make inbound policy */ iph2->src = dst; iph2->dst = src; spidx.dir = IPSEC_DIR_INBOUND; spidx.ul_proto = 0; - - /* + + /* * Note: code from get_proposal_r */ - + #define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type - + /* * make destination address in spidx from either ID payload * or phase 1 address into a address in spidx. 
@@ -3430,48 +3436,48 @@ &spidx.prefd, &spidx.ul_proto); if (error) goto purge; - + #ifdef INET6 /* * get scopeid from the SA address. * note that the phase 1 source address is used as - * a destination address to search for a inbound + * a destination address to search for a inbound * policy entry because rcoon is responder. */ if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) { - if ((error = + if ((error = setscopeid((struct sockaddr *)&spidx.dst, iph2->src)) != 0) goto purge; } #endif - + if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) idi2type = _XIDT(iph2->id); - + } else { - + plog(LLV_DEBUG, LOCATION, NULL, "get a destination address of SP index " "from phase1 address " "due to no ID payloads found " "OR because ID type is not address.\n"); - + /* - * copy the SOURCE address of IKE into the - * DESTINATION address of the key to search the + * copy the SOURCE address of IKE into the + * DESTINATION address of the key to search the * SPD because the direction of policy is inbound. */ memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src)); switch (spidx.dst.ss_family) { case AF_INET: - spidx.prefd = + spidx.prefd = sizeof(struct in_addr) << 3; break; #ifdef INET6 case AF_INET6: - spidx.prefd = + spidx.prefd = sizeof(struct in6_addr) << 3; break; #endif @@ -3480,7 +3486,7 @@ break; } } - + /* make source address in spidx */ if (iph2->id_p != NULL && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR @@ -3500,7 +3506,7 @@ * for more detail, see above of this function. */ if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) { - error = + error = setscopeid((struct sockaddr *)&spidx.src, iph2->dst); if (error) @@ -3538,12 +3544,12 @@ memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst)); switch (spidx.src.ss_family) { case AF_INET: - spidx.prefs = + spidx.prefs = sizeof(struct in_addr) << 3; break; #ifdef INET6 case AF_INET6: - spidx.prefs = + spidx.prefs = sizeof(struct in6_addr) << 3; break; #endif 
@@ -3574,14 +3580,14 @@ spidx.ul_proto = IPSEC_ULPROTO_ANY; #undef _XIDT - + /* Check if the generated SPD has the same timestamp as the SA. * If timestamps are different, this means that the SPD entry has been * refreshed by another SA, and should NOT be deleted with the current SA. */ if( created ){ struct secpolicy *p; - + p = getsp(&spidx); if(p != NULL){ /* just do no test if p is NULL, because this probably just means @@ -3646,7 +3652,7 @@ struct sockaddr *sp_addr0, *sa_addr0; { struct sockaddr_in6 *sp_addr, *sa_addr; - + sp_addr = (struct sockaddr_in6 *)sp_addr0; sa_addr = (struct sockaddr_in6 *)sa_addr0; Index: src/racoon/isakmp_var.h =================================================================== RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h,v retrieving revision 1.15 diff -u -r1.15 isakmp_var.h --- a/src/racoon/isakmp_var.h 20 Apr 2009 13:24:36 -0000 1.15 +++ b/src/racoon/isakmp_var.h 19 Aug 2009 14:35:07 -0000 @@ -5,7 +5,7 @@ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -17,7 +17,7 @@ * 3. Neither the name of the project nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
@@ -87,7 +87,7 @@ extern void isakmp_ph2delete __P((struct ph2handle *)); extern int isakmp_get_sainfo __P((struct ph2handle *, struct secpolicy *, struct secpolicy *)); -extern int isakmp_post_acquire __P((struct ph2handle *)); +extern int isakmp_post_acquire __P((struct ph2handle *, struct ph1handle *)); extern int isakmp_post_getspi __P((struct ph2handle *)); extern void isakmp_chkph1there_stub __P((struct sched *)); extern void isakmp_chkph1there __P((struct ph2handle *)); @@ -131,7 +131,7 @@ struct remoteconf *, struct sockaddr *, struct sockaddr *)); extern void log_ph1established __P((const struct ph1handle *)); -extern void script_hook __P((struct ph1handle *, int)); +extern void script_hook __P((struct ph1handle *, int)); extern int script_env_append __P((char ***, int *, char *, char *)); extern int script_exec __P((char *, int, char * const *)); Index: src/racoon/pfkey.c =================================================================== RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/pfkey.c,v retrieving revision 1.50 diff -u -r1.50 pfkey.c --- a/src/racoon/pfkey.c 10 Aug 2009 08:22:13 -0000 1.50 +++ b/src/racoon/pfkey.c 19 Aug 2009 14:35:07 -0000 @@ -5,7 +5,7 @@ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -17,7 +17,7 @@ * 3. Neither the name of the project nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
@@ -173,7 +173,7 @@ /* cope with old kame headers - ugly */ #ifndef SADB_X_AALG_MD5 -#define SADB_X_AALG_MD5 SADB_AALG_MD5 +#define SADB_X_AALG_MD5 SADB_AALG_MD5 #endif #ifndef SADB_X_AALG_SHA #define SADB_X_AALG_SHA SADB_AALG_SHA @@ -353,7 +353,7 @@ "type %i, pid %i\n", msg->sadb_msg_type, msg->sadb_msg_pid); continue; } - + ml = msg->sadb_msg_len << 3; bl = buf ? buf->l : 0; @@ -839,7 +839,7 @@ goto bad; *a_keylen >>= 3; - if (t_id == IPSECDOI_ATTR_AUTH_HMAC_MD5 + if (t_id == IPSECDOI_ATTR_AUTH_HMAC_MD5 && hashtype == IPSECDOI_ATTR_AUTH_KPDK) { /* AH_MD5 + Auth(KPDK) = RFC1826 keyed-MD5 */ *a_type = SADB_X_AALG_MD5; @@ -919,7 +919,7 @@ racoon_free(dst); return -1; } - + for (pr = pp->head; pr != NULL; pr = pr->next) { /* validity check */ @@ -991,7 +991,7 @@ * receive GETSPI from kernel. */ static int -pk_recvgetspi(mhp) +pk_recvgetspi(mhp) caddr_t *mhp; { struct sadb_msg *msg; @@ -1111,7 +1111,7 @@ sa_args.l_addtime = iph2->lifetime_secs; else sa_args.l_addtime = iph2->approval->lifetime; - sa_args.seq = iph2->seq; + sa_args.seq = iph2->seq; sa_args.wsize = 4; if (iph2->sa_src && iph2->sa_dst) { @@ -1163,7 +1163,7 @@ pr->head->trns_id, pr->head->authtype, &sa_args.e_type, &sa_args.e_keylen, - &sa_args.a_type, &sa_args.a_keylen, + &sa_args.a_type, &sa_args.a_keylen, &sa_args.flags) < 0){ racoon_free(sa_args.src); racoon_free(sa_args.dst); @@ -1221,11 +1221,11 @@ * But it is impossible because there is not key in the * information from the kernel. */ - + /* change some things before backing up */ sa_args.wsize = 4; sa_args.l_bytes = iph2->approval->lifebyte * 1024; - + if (backupsa_to_file(&sa_args) < 0) { plog(LLV_ERROR, LOCATION, NULL, "backuped SA failed: %s\n", @@ -1447,7 +1447,7 @@ pr->head->trns_id, pr->head->authtype, &sa_args.e_type, &sa_args.e_keylen, - &sa_args.a_type, &sa_args.a_keylen, + &sa_args.a_type, &sa_args.a_keylen, &sa_args.flags) < 0){ racoon_free(sa_args.src); racoon_free(sa_args.dst); 
@@ -1668,11 +1668,12 @@ " being negotiated. Stopping negotiation.\n"); } - /* turn off the timer for calling isakmp_ph2expire() */ + /* turn off the timer for calling isakmp_ph2expire() */ sched_cancel(&iph2->sce); if (iph2->status == PHASE2ST_ESTABLISHED && iph2->side == INITIATOR) { + struct ph1handle *iph1hint; /* * Active phase 2 expired and we were initiator. * Begin new phase 2 exchange, so we can keep on sending @@ -1680,11 +1681,12 @@ */ /* update status for re-use */ + iph1hint = iph2->ph1; initph2(iph2); iph2->status = PHASE2ST_STATUS2; /* start quick exchange */ - if (isakmp_post_acquire(iph2) < 0) { + if (isakmp_post_acquire(iph2, iph1hint) < 0) { plog(LLV_ERROR, LOCATION, iph2->dst, "failed to begin ipsec sa " "re-negotication.\n"); @@ -1750,7 +1752,7 @@ if (m_sec_ctx != NULL) { plog(LLV_INFO, LOCATION, NULL, "security context doi: %u\n", m_sec_ctx->sadb_x_ctx_doi); - plog(LLV_INFO, LOCATION, NULL, + plog(LLV_INFO, LOCATION, NULL, "security context algorithm: %u\n", m_sec_ctx->sadb_x_ctx_alg); plog(LLV_INFO, LOCATION, NULL, "security context length: %u\n", @@ -1960,7 +1962,7 @@ /* start isakmp initiation by using ident exchange */ /* XXX should be looped if there are multiple phase 2 handler. */ - if (isakmp_post_acquire(iph2) < 0) { + if (isakmp_post_acquire(iph2, NULL) < 0) { plog(LLV_ERROR, LOCATION, NULL, "failed to begin ipsec sa negotication.\n"); remph2(iph2); @@ -2145,7 +2147,7 @@ p->sadb_x_ctx_len = spidx->sec_ctx.ctx_strlen; p->sadb_x_ctx_doi = spidx->sec_ctx.ctx_doi; p->sadb_x_ctx_alg = spidx->sec_ctx.ctx_alg; - + memcpy(p + 1,spidx->sec_ctx.ctx_str,spidx->sec_ctx.ctx_strlen); len += ctxlen; } @@ -2184,7 +2186,7 @@ goto err; } - /* + /* * the policy level cannot be unique because the policy * is defined later than SA, so req_id cannot be bound to SA. */ @@ -2217,7 +2219,7 @@ xisr->sadb_x_ipsecrequest_len = PFKEY_ALIGN8(xisrlen); xisr = (struct sadb_x_ipsecrequest *)p; - + } racoon_free(pr_rlist); 
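Review bot: `iph1hint = iph2->ph1` is captured immediately before `initph2(iph2)` with no comment explaining why the binding has to be saved first; presumably initph2 resets `iph2->ph1` (confirm, initph2 is outside the hunk), so add `/* initph2() resets the ph1 binding; keep it as a hint for isakmp_post_acquire() */` above the assignment. The hint is taken regardless of the phase 1's status, so an expiring or dying phase 1 may supply the rmconf that isakmp_post_acquire now prefers over the address lookup; if that is intended, say so here. The same pattern appears in the MIGRATE hunk at @@ -3079 of this file.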
@@ -3070,6 +3072,8 @@ rmconf = getrmconf(iph2->dst, 0); if (rmconf && !rmconf->passive) { + struct ph1handle *iph1hint; + plog(LLV_WARNING, LOCATION, iph2->dst, "MIGRATE received " "*during* IPsec SA negotiation. As initiator, " "restarting it.\n"); @@ -3079,11 +3083,12 @@ iph2->status = PHASE2ST_EXPIRED; /* ... clean Phase 2 handle ... */ + iph1hint = iph2->ph1; initph2(iph2); iph2->status = PHASE2ST_STATUS2; /* and start a new negotiation */ - if (isakmp_post_acquire(iph2) < 0) { + if (isakmp_post_acquire(iph2, iph1hint) < 0) { plog(LLV_ERROR, LOCATION, iph2->dst, "failed " "to begin IPsec SA renegotiation after " "MIGRATE reception.\n");