main/ipsec-tools: two new fixes

* update adminport to work with huge replies
* defer handling of DH calculations for isakmp identity reponse
  (this helps to handle things in right order if we are getting
   multiple simultaneous connection requests; this also makes
   the previous receive buffer size change mostly irrelevant)

4 files changed, 307 insertions, 36 deletions

diff --git a/main/ipsec-tools/70-defer-isakmp-ident-handling.patch b/main/ipsec-tools/70-defer-isakmp-ident-handling.patch
new file mode 100644
index 000000000..9be37aa15
--- /dev/null
+++ b/main/ipsec-tools/70-defer-isakmp-ident-handling.patch
@@ -0,0 +1,179 @@
+Index: src/racoon/isakmp.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp.c,v
+retrieving revision 1.63
+diff -u -r1.63 isakmp.c
+--- a/src/racoon/isakmp.c	21 Oct 2010 06:15:28 -0000	1.63
++++ b/src/racoon/isakmp.c	29 Oct 2010 10:51:28 -0000
+@@ -130,6 +130,10 @@
+ #  define SOL_UDP IPPROTO_UDP
+ # endif /* __NetBSD__ / __FreeBSD__ */
+ 
++vchar_t *postponed_buf;
++struct sockaddr_storage postponed_remote;
++struct sockaddr_storage postponed_local;
++
+ static int nostate1 __P((struct ph1handle *, vchar_t *));
+ static int nostate2 __P((struct ph2handle *, vchar_t *));
+ 
+@@ -177,7 +181,7 @@
+ 
+ static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */
+ 
+-static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *));
++/* static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *)); */
+ static int ph1_main __P((struct ph1handle *, vchar_t *));
+ static int quick_main __P((struct ph2handle *, vchar_t *));
+ static int isakmp_ph1begin_r __P((vchar_t *,
+@@ -374,10 +378,17 @@
+ 	}
+ 
+ 	/* isakmp main routine */
+-	if (isakmp_main(buf, (struct sockaddr *)&remote,
+-			(struct sockaddr *)&local) != 0) goto end;
+-
+-	error = 0;
++	res = isakmp_main(buf, (struct sockaddr *)&remote,
++			  (struct sockaddr *)&local);
++	if (res == 0) {
++		error = 0;
++	} else if (res == -42424 && postponed_buf == NULL) {
++		postponed_buf    = buf;
++		postponed_remote = remote;
++		postponed_local  = local;
++		buf              = NULL;
++		error = 0;
++	}
+ 
+ end:
+ 	if (tmpbuf != NULL)
+@@ -390,7 +401,7 @@
+ /*
+  * main processing to handle isakmp payload
+  */
+-static int
++int
+ isakmp_main(msg, remote, local)
+ 	vchar_t *msg;
+ 	struct sockaddr *remote, *local;
+@@ -399,6 +410,7 @@
+ 	isakmp_index *index = (isakmp_index *)isakmp;
+ 	u_int32_t msgid = isakmp->msgid;
+ 	struct ph1handle *iph1;
++	int rc;
+ 
+ #ifdef HAVE_PRINT_ISAKMP_C
+ 	isakmp_printpacket(msg, remote, local, 0);
+@@ -604,12 +616,14 @@
+ #endif
+ 
+ 		/* call main process of phase 1 */
+-		if (ph1_main(iph1, msg) < 0) {
+-			plog(LLV_ERROR, LOCATION, iph1->remote,
+-				"phase1 negotiation failed.\n");
+-			remph1(iph1);
+-			delph1(iph1);
+-			return -1;
++		if ((rc=ph1_main(iph1, msg)) < 0) {
++			if (rc != -42424) {
++				plog(LLV_ERROR, LOCATION, iph1->remote,
++					"phase1 negotiation failed.\n");
++				remph1(iph1);
++				delph1(iph1);
++			}
++			return rc;
+ 		}
+ 		break;
+ 
+@@ -813,10 +827,11 @@
+ 				"failed to pre-process ph1 packet (side: %d, status %d).\n",
+ 				iph1->side, iph1->status);
+ 			return -1;
+-		} else {
+-			/* ignore the error and keep phase 1 handler */
+-			return 0;
+ 		}
++		if (error == -42424)
++			return error;
++		/* ignore the error and keep phase 1 handler */
++		return 0;
+ 	}
+ 
+ #ifndef ENABLE_FRAG
+Index: src/racoon/isakmp_ident.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c,v
+retrieving revision 1.13
+diff -u -r1.13 isakmp_ident.c
+--- a/src/racoon/isakmp_ident.c	18 Sep 2009 10:31:11 -0000	1.13
++++ b/src/racoon/isakmp_ident.c	29 Oct 2010 10:51:29 -0000
+@@ -1128,6 +1128,11 @@
+ 		goto end;
+ 	}
+ 
++	if (postponed_buf != msg) {
++		error = -42424;
++		goto end;
++	}
++
+ 	/* validate the type of next payload */
+ 	pbuf = isakmp_parse(msg);
+ 	if (pbuf == NULL)
+Index: src/racoon/isakmp_var.h
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h,v
+retrieving revision 1.16
+diff -u -r1.16 isakmp_var.h
+--- a/src/racoon/isakmp_var.h	3 Sep 2009 09:29:07 -0000	1.16
++++ b/src/racoon/isakmp_var.h	29 Oct 2010 10:51:29 -0000
+@@ -141,4 +141,10 @@
+ u_int32_t setscopeid __P((struct sockaddr *, struct sockaddr *));
+ #endif
+ 
++int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *));
++
++extern vchar_t *postponed_buf;
++extern struct sockaddr_storage postponed_remote;
++extern struct sockaddr_storage postponed_local;
++
+ #endif /* _ISAKMP_VAR_H */
+Index: src/racoon/session.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/session.c,v
+retrieving revision 1.28
+diff -u -r1.28 session.c
+--- a/src/racoon/session.c	21 Oct 2010 06:15:28 -0000	1.28
++++ b/src/racoon/session.c	29 Oct 2010 10:51:29 -0000
+@@ -172,7 +172,7 @@
+ int
+ session(void)
+ {
+-	struct timeval *timeout;
++	struct timeval *timeout, to_zero = { 0, 0 };
+ 	int error;
+ 	char pid_file[MAXPATHLEN];
+ 	FILE *fp;
+@@ -295,6 +295,8 @@
+ 
+ 		/* scheduling */
+ 		timeout = schedular();
++		if (postponed_buf != NULL)
++			timeout = &to_zero;
+ 
+ 		/* schedular can change select() mask, so we reset
+ 		 * the working copy here */
+@@ -332,6 +334,14 @@
+ 				break;
+ 		}
+ 
++		if (count == 0 && postponed_buf != NULL) {
++			(void) isakmp_main(
++				postponed_buf,
++				(struct sockaddr *) &postponed_remote,
++				(struct sockaddr *) &postponed_local);
++			vfree(postponed_buf);
++			postponed_buf = NULL;
++		}
+ 	}
+ }
+ 
diff --git a/main/ipsec-tools/70-rcvbuf-size.patch b/main/ipsec-tools/70-rcvbuf-size.patch
deleted file mode 100644
index 34e295dec..000000000
--- a/main/ipsec-tools/70-rcvbuf-size.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Index: src/racoon/isakmp.c
-===================================================================
-RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp.c,v
-retrieving revision 1.60
-diff -u -r1.60 isakmp.c
---- a/src/racoon/isakmp.c	3 Sep 2009 09:29:07 -0000	1.60
-+++ b/src/racoon/isakmp.c	20 Aug 2010 11:59:20 -0000
-@@ -1579,6 +1579,7 @@
- #ifdef ENABLE_NATT
- 	int option = -1;
- #endif
-+        int rcvSize = 16384;
- 
- 	/* warn if wildcard address - should we forbid this? */
- 	switch (addr->sa_family) {
-@@ -1706,6 +1707,17 @@
- 		goto err;
- 	}
- 
-+	/* set receive buffer size - shouldn't be too large otherwise
-+	 * we can acommodate too long backbuffer of packets and not
-+	 * able to handle any packets in real time */
-+	if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF,
-+	                (void*) &rcvSize, sizeof(rcvSize)) < 0) {
-+                plog(LLV_ERROR, LOCATION, NULL,
-+                     "failed to set SO_RCVBUF size (%s).\n",
-+                     strerror(errno));
-+                /* soft-error, continue even if this failed */
-+        }
-+
- 	if (setsockopt_bypass(fd, addr->sa_family) < 0)
- 		goto err;
- 
diff --git a/main/ipsec-tools/80-admin-big-reply-fix.patch b/main/ipsec-tools/80-admin-big-reply-fix.patch
new file mode 100644
index 000000000..d3e4b5d57
--- /dev/null
+++ b/main/ipsec-tools/80-admin-big-reply-fix.patch
@@ -0,0 +1,123 @@
+Index: src/racoon/admin.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/admin.c,v
+retrieving revision 1.35
+diff -u -r1.35 admin.c
+--- a/src/racoon/admin.c	21 Oct 2010 06:15:28 -0000	1.35
++++ b/src/racoon/admin.c	29 Oct 2010 10:51:28 -0000
+@@ -638,9 +638,15 @@
+ 	}
+ 
+ 	combuf = (struct admin_com *) retbuf;
+-	combuf->ac_len = tlen;
++	combuf->ac_len = (u_int16_t) tlen;
+ 	combuf->ac_cmd = req->ac_cmd & ~ADMIN_FLAG_VERSION;
+-	combuf->ac_errno = l_ac_errno;
++	if (tlen != (u_int32_t) combuf->ac_len &&
++	    l_ac_errno == 0) {
++		combuf->ac_len_high = tlen >> 16;
++		combuf->ac_cmd |= ADMIN_FLAG_LONG_REPLY;
++	} else {
++		combuf->ac_errno = l_ac_errno;
++	}
+ 	combuf->ac_proto = req->ac_proto;
+ 
+ 	if (buf != NULL)
+Index: src/racoon/admin.h
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/admin.h,v
+retrieving revision 1.7
+diff -u -r1.7 admin.h
+--- a/src/racoon/admin.h	29 Aug 2008 00:30:15 -0000	1.7
++++ b/src/racoon/admin.h	29 Oct 2010 10:51:28 -0000
+@@ -49,16 +49,19 @@
+ 	union {
+ 		int16_t ac_un_errno;
+ 		uint16_t ac_un_version;
++		uint16_t ac_un_len_high;
+ 	} u;
+ 	u_int16_t ac_proto;
+ };
+ #define ac_errno u.ac_un_errno
+ #define ac_version u.ac_un_version
++#define ac_len_high u.ac_un_len_high
+ 
+ /*
+  * Version field in request is valid.
+  */
+ #define ADMIN_FLAG_VERSION	0x8000
++#define ADMIN_FLAG_LONG_REPLY	0x8000
+ 
+ /*
+  * No data follows as the data.
+Index: src/racoon/kmpstat.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/kmpstat.c,v
+retrieving revision 1.6
+diff -u -r1.6 kmpstat.c
+--- a/src/racoon/kmpstat.c	2 Oct 2007 09:47:45 -0000	1.6
++++ b/src/racoon/kmpstat.c	29 Oct 2010 10:51:29 -0000
+@@ -138,7 +138,7 @@
+ {
+ 	struct admin_com h, *com;
+ 	caddr_t buf;
+-	int len;
++	int len, rlen;
+ 	int l = 0;
+ 	caddr_t p;
+ 
+@@ -153,19 +153,25 @@
+ 	if (len < sizeof(h))
+ 		goto bad1;
+ 
+-	if (h.ac_errno) {
++	if (h.ac_errno && !(h.ac_cmd & ADMIN_FLAG_LONG_REPLY)) {
+ 		errno = h.ac_errno;
+ 		goto bad1;
+ 	}
+ 
++	/* real length */
++	if (h.ac_cmd & ADMIN_FLAG_LONG_REPLY)
++		rlen = ((u_int32_t)h.ac_len) + (((u_int32_t)h.ac_len_high) << 16);
++	else
++		rlen = h.ac_len;
++
+ 	/* allocate buffer */
+-	if ((*combufp = vmalloc(h.ac_len)) == NULL)
++	if ((*combufp = vmalloc(rlen)) == NULL)
+ 		goto bad1;
+ 
+ 	/* read real message */
+ 	p = (*combufp)->v;
+-	while (l < len) {
+-		if ((len = recv(so, p, h.ac_len, 0)) < 0) {
++	while (l < rlen) {
++		if ((len = recv(so, p, rlen - l, 0)) < 0) {
+ 			perror("recv");
+ 			goto bad2;
+ 		}
+Index: src/racoon/racoonctl.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/racoonctl.c,v
+retrieving revision 1.17
+diff -u -r1.17 racoonctl.c
+--- a/src/racoon/racoonctl.c	20 Apr 2009 13:22:00 -0000	1.17
++++ b/src/racoon/racoonctl.c	29 Oct 2010 10:51:29 -0000
+@@ -1426,10 +1426,14 @@
+         int len;
+ 
+ 	com = (struct admin_com *)combuf->v;
+-	len = com->ac_len - sizeof(*com);
++	if (com->ac_cmd & ADMIN_FLAG_LONG_REPLY)
++		len = ((u_int32_t)com->ac_len) + (((u_int32_t)com->ac_len_high) << 16);
++	else
++		len = com->ac_len;
++	len -= sizeof(*com);
+ 	buf = combuf->v + sizeof(*com);
+ 
+-	switch (com->ac_cmd) {
++	switch (com->ac_cmd & ~ADMIN_FLAG_LONG_REPLY) {
+ 	case ADMIN_SHOW_SCHED:
+ 		print_schedule(buf, len);
+ 		break;
+ 
diff --git a/main/ipsec-tools/APKBUILD b/main/ipsec-tools/APKBUILD
index 7421b05d7..8315f484b 100644
--- a/main/ipsec-tools/APKBUILD
+++ b/main/ipsec-tools/APKBUILD
@@ -2,7 +2,7 @@
 pkgname=ipsec-tools
 pkgver=0.8_alpha20101022
 _myver=0.8-alpha20101022
-pkgrel=0
+pkgrel=1
 pkgdesc="User-space IPsec tools for various IPsec implementations"
 url="http://ipsec-tools.sourceforge.net/"
 license="BSD"
@@ -13,8 +13,9 @@ source="http://downloads.sourceforge.net/$pkgname/$pkgname-$_myver.tar.gz
 	racoon.initd
 	racoon.confd
 	50-reverse-connect.patch
-	70-rcvbuf-size.patch
+	70-defer-isakmp-ident-handling.patch
 	75-racoonctl-rcvbuf.patch
+	80-admin-big-reply-fix.patch
 	90-dpd-window-fix.patch
 	"
 
@@ -59,6 +60,7 @@ md5sums="1492b83edc944b5d32d2eff51e33399e  ipsec-tools-0.8-alpha20101022.tar.gz
 74f12ed04ed273a738229c0bfbf829cc  racoon.initd
 2d00250cf72da7f2f559c91b65a48747  racoon.confd
 13bda94a598aabf593280e04ea16065d  50-reverse-connect.patch
-f40c78e4ca4b92d2bf74e4fcf3a8d91f  70-rcvbuf-size.patch
+94773c94233e14cdce0fa02ff780a43e  70-defer-isakmp-ident-handling.patch
 2d5d24c4a3684a38584f88720f71c7d6  75-racoonctl-rcvbuf.patch
+c3898b162d284bc163f99cc52925b52a  80-admin-big-reply-fix.patch
 0391a6967ad19673588302bc8b17e0e2  90-dpd-window-fix.patch"