From ba7a48af9f538f6b5ebd8c8039a5a92804236587 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= 
Date: Fri, 4 Mar 2011 13:57:21 +0200
Subject: main/ipsec-tools: update to 0.8.0 RC, and include additional patches

* improve handling of setups where single node participates to multiple dmvpn networks. enable using of grekey in setkey, SPD and sainfo; also match remoteconfs using sainfo ph1id
---
 main/ipsec-tools/10-cmpsaddr-fix.patch | 421 +++++++++++++++++++++
 main/ipsec-tools/20-grekey-support.patch | 608 ++++++++++++++++++++++++++++++
 main/ipsec-tools/50-reverse-connect.patch | 70 ++--
 main/ipsec-tools/APKBUILD | 12 +-
 4 files changed, 1067 insertions(+), 44 deletions(-)
 create mode 100644 main/ipsec-tools/10-cmpsaddr-fix.patch
 create mode 100644 main/ipsec-tools/20-grekey-support.patch
(limited to 'main/ipsec-tools')
diff --git a/main/ipsec-tools/10-cmpsaddr-fix.patch b/main/ipsec-tools/10-cmpsaddr-fix.patch
new file mode 100644
index 000000000..af73c2e5e
--- /dev/null
+++ b/main/ipsec-tools/10-cmpsaddr-fix.patch
@@ -0,0 +1,421 @@
+Index: ipsec-tools-cvs-HEAD/src/racoon/grabmyaddr.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/grabmyaddr.c 2011-03-03 17:54:33.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/grabmyaddr.c 2011-03-03 18:45:24.000000000 +0200
+@@ -100,7 +100,7 @@
+ return TRUE;
+ 
+ LIST_FOREACH(cfg, &configured, chain) {
+- if (cmpsaddr(addr, (struct sockaddr *) &cfg->addr) == 0)
++ if (cmpsaddr(addr, (struct sockaddr *) &cfg->addr) <= CMPSADDR_WILDPORT_MATCH)
+ return TRUE;
+ }
+ 
+@@ -116,7 +116,7 @@
+ 
+ /* Already open? */
+ LIST_FOREACH(my, &opened, chain) {
+- if (cmpsaddr(addr, (struct sockaddr *) &my->addr) == 0)
++ if (cmpsaddr(addr, (struct sockaddr *) &my->addr) <= CMPSADDR_WILDPORT_MATCH)
+ return TRUE;
+ }
+ 
+@@ -156,7 +156,7 @@
+ 
+ LIST_FOREACH(cfg, &configured, chain) {
+ if (addr != NULL &&
+- cmpsaddr(addr, (struct sockaddr *) &cfg->addr) != 0)
++ cmpsaddr(addr, (struct sockaddr *) &cfg->addr) > CMPSADDR_WILDPORT_MATCH)
+ continue;
+ if (!myaddr_open((struct sockaddr *) &cfg->addr, cfg->udp_encap))
+ return FALSE;
+@@ -262,7 +262,7 @@
+ struct myaddr *my;
+ 
+ LIST_FOREACH(my, &opened, chain) {
+- if (cmpsaddr((struct sockaddr *) &my->addr, addr) == 0)
++ if (cmpsaddr((struct sockaddr *) &my->addr, addr) <= CMPSADDR_WILDPORT_MATCH)
+ return my->fd;
+ }
+ 
+@@ -276,7 +276,7 @@
+ struct myaddr *my;
+ 
+ LIST_FOREACH(my, &opened, chain) {
+- if (cmpsaddr((struct sockaddr *) &my->addr, addr) == 0)
++ if (cmpsaddr((struct sockaddr *) &my->addr, addr) <= CMPSADDR_WILDPORT_MATCH)
+ return extract_port((struct sockaddr *) &my->addr);
+ }
+ 
+Index: ipsec-tools-cvs-HEAD/src/racoon/handler.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/handler.c 2011-03-03 17:54:33.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/handler.c 2011-03-03 18:48:10.000000000 +0200
+@@ -120,11 +120,11 @@
+ LIST_FOREACH(p, &ph1tree, chain) {
+ if (sel != NULL) {
+ if (sel->local != NULL &&
+- cmpsaddr(sel->local, p->local) != 0)
++ cmpsaddr(sel->local, p->local) > CMPSADDR_WILDPORT_MATCH)
+ continue;
+ 
+ if (sel->remote != NULL &&
+- cmpsaddr(sel->remote, p->remote) != 0)
++ cmpsaddr(sel->remote, p->remote) > CMPSADDR_WILDPORT_MATCH)
+ continue;
+ }
+ 
+@@ -300,8 +300,8 @@
+ if (p->status < PHASE1ST_DYING)
+ continue;
+ 
+- if (cmpsaddr(iph1->local, p->local) == 0
+- && cmpsaddr(iph1->remote, p->remote) == 0)
++ if (cmpsaddr(iph1->local, p->local) == CMPSADDR_MATCH
++ && cmpsaddr(iph1->remote, p->remote) == CMPSADDR_MATCH)
+ migrate_ph12(p, iph1);
+ }
+ }
+@@ -547,11 +547,11 @@
+ continue;
+ 
+ if (sel->src != NULL &&
+- cmpsaddr(sel->src, p->src) != 0)
++ cmpsaddr(sel->src, p->src) != CMPSADDR_MATCH)
+ continue;
+ 
+ if (sel->dst != NULL &&
+- cmpsaddr(sel->dst, p->dst) != 0)
++ cmpsaddr(sel->dst, p->dst) != CMPSADDR_MATCH)
+ continue;
+ }
+ 
+@@ -615,8 +615,8 @@
+ 
+ LIST_FOREACH(p, &ph2tree, chain) {
+ if (spid == p->spid &&
+- cmpsaddr(src, p->src) == 0 &&
+- cmpsaddr(dst, p->dst) == 0){
++ cmpsaddr(src, p->src) <= CMPSADDR_WILDPORT_MATCH &&
++ cmpsaddr(dst, p->dst) <= CMPSADDR_WILDPORT_MATCH){
+ /* Sanity check to detect zombie handlers
+ * XXX Sould be done "somewhere" more interesting,
+ * because we have lots of getph2byxxxx(), but this one
+@@ -643,8 +643,8 @@
+ struct ph2handle *p;
+ 
+ LIST_FOREACH(p, &ph2tree, chain) {
+- if (cmpsaddr(src, p->src) == 0 &&
+- cmpsaddr(dst, p->dst) == 0)
++ if (cmpsaddr(src, p->src) <= CMPSADDR_WILDPORT_MATCH &&
++ cmpsaddr(dst, p->dst) <= CMPSADDR_WILDPORT_MATCH)
+ return p;
+ }
+ 
+@@ -947,7 +947,7 @@
+ struct contacted *p;
+ 
+ LIST_FOREACH(p, &ctdtree, chain) {
+- if (cmpsaddr(remote, p->remote) == 0)
++ if (cmpsaddr(remote, p->remote) <= CMPSADDR_WILDPORT_MATCH)
+ return p;
+ }
+ 
+@@ -988,7 +988,7 @@
+ struct contacted *p;
+ 
+ LIST_FOREACH(p, &ctdtree, chain) {
+- if (cmpsaddr(remote, p->remote) == 0) {
++ if (cmpsaddr(remote, p->remote) <= CMPSADDR_WILDPORT_MATCH) {
+ LIST_REMOVE(p, chain);
+ racoon_free(p->remote);
+ racoon_free(p);
+@@ -1042,7 +1042,7 @@
+ /*
+ * the packet was processed before, but the remote address mismatches.
+ */
+- if (cmpsaddr(remote, r->remote) != 0)
++ if (cmpsaddr(remote, r->remote) != CMPSADDR_MATCH)
+ return 2;
+ 
+ /*
+Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp.c 2011-03-03 17:54:33.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/isakmp.c 2011-03-03 18:50:22.000000000 +0200
+@@ -468,8 +468,8 @@
+ /* Floating ports for NAT-T */
+ if (NATT_AVAILABLE(iph1) &&
+ ! (iph1->natt_flags & NAT_PORTS_CHANGED) &&
+- ((cmpsaddr(iph1->remote, remote) != 0) ||
+- (cmpsaddr(iph1->local, local) != 0)))
++ ((cmpsaddr(iph1->remote, remote) != CMPSADDR_MATCH) ||
++ (cmpsaddr(iph1->local, local) != CMPSADDR_MATCH)))
+ {
+ /* prevent memory leak */
+ racoon_free(iph1->remote);
+@@ -510,7 +510,7 @@
+ #endif
+ 
+ /* must be same addresses in one stream of a phase at least. */
+- if (cmpsaddr(iph1->remote, remote) != 0) {
++ if (cmpsaddr(iph1->remote, remote) != CMPSADDR_MATCH) {
+ char *saddr_db, *saddr_act;
+ 
+ saddr_db = racoon_strdup(saddr2str(iph1->remote));
+@@ -636,7 +636,7 @@
+ "exchange received.\n");
+ return -1;
+ }
+- if (cmpsaddr(iph1->remote, remote) != 0) {
++ if (cmpsaddr(iph1->remote, remote) != CMPSADDR_MATCH) {
+ plog(LLV_WARNING, LOCATION, remote,
+ "remote address mismatched. "
+ "db=%s\n",
+@@ -3322,10 +3322,10 @@
+ * Select only SAs where src == local and dst == remote (outgoing)
+ * or src == remote and dst == local (incoming).
+ */
+- if ((cmpsaddr(iph1->local, src) ||
+- cmpsaddr(iph1->remote, dst)) &&
+- (cmpsaddr(iph1->local, dst) ||
+- cmpsaddr(iph1->remote, src))) {
++ if ((cmpsaddr(iph1->local, src) != CMPSADDR_MATCH ||
++ cmpsaddr(iph1->remote, dst) != CMPSADDR_MATCH) &&
++ (cmpsaddr(iph1->local, dst) != CMPSADDR_MATCH ||
++ cmpsaddr(iph1->remote, src) != CMPSADDR_MATCH)) {
+ msg = next;
+ continue;
+ }
+Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp_inf.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp_inf.c 2011-03-03 17:54:34.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/isakmp_inf.c 2011-03-03 18:51:05.000000000 +0200
+@@ -1177,7 +1177,7 @@
+ 
+ /* don't delete inbound SAs at the moment */
+ /* XXX should we remove SAs with opposite direction as well? */
+- if (cmpsaddr(dst0, dst)) {
++ if (cmpsaddr(dst0, dst) != CMPSADDR_MATCH) {
+ msg = next;
+ continue;
+ }
+@@ -1355,10 +1355,10 @@
+ * ports. Correct thing to do is delete all entries with
+ * same identity. -TT
+ */
+- if ((cmpsaddr(iph1->local, src) != 0 ||
+- cmpsaddr(iph1->remote, dst) != 0) &&
+- (cmpsaddr(iph1->local, dst) != 0 ||
+- cmpsaddr(iph1->remote, src) != 0))
++ if ((cmpsaddr(iph1->local, src) != CMPSADDR_MATCH ||
++ cmpsaddr(iph1->remote, dst) != CMPSADDR_MATCH) &&
++ (cmpsaddr(iph1->local, dst) != CMPSADDR_MATCH ||
++ cmpsaddr(iph1->remote, src) != CMPSADDR_MATCH))
+ continue;
+ 
+ /*
+Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp_quick.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp_quick.c 2011-03-03 17:54:34.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/isakmp_quick.c 2011-03-03 18:51:48.000000000 +0200
+@@ -629,7 +629,7 @@
+ #endif
+ 
+ if (cmpsaddr((struct sockaddr *) &proposed_addr,
+- (struct sockaddr *) &got_addr) == 0) {
++ (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "IDci matches proposal.\n");
+ #ifdef ENABLE_NATT
+@@ -677,13 +677,13 @@
+ #endif
+ 
+ if (cmpsaddr((struct sockaddr *) &proposed_addr,
+- (struct sockaddr *) &got_addr) == 0) {
++ (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "IDcr matches proposal.\n");
+ #ifdef ENABLE_NATT
+ } else if (iph2->natoa_dst != NULL
+ && cmpsaddr(iph2->natoa_dst,
+- (struct sockaddr *) &got_addr) == 0) {
++ (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "IDcr matches NAT-OAr.\n");
+ #endif
+Index: ipsec-tools-cvs-HEAD/src/racoon/nattraversal.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/nattraversal.c 2011-03-03 17:54:34.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/nattraversal.c 2011-03-03 18:52:20.000000000 +0200
+@@ -398,8 +398,8 @@
+ struct natt_ka_addrs *ka = NULL, *new_addr;
+ 
+ TAILQ_FOREACH (ka, &ka_tree, chain) {
+- if (cmpsaddr(ka->src, src) == 0 &&
+- cmpsaddr(ka->dst, dst) == 0) {
++ if (cmpsaddr(ka->src, src) == CMPSADDR_MATCH &&
++ cmpsaddr(ka->dst, dst) == CMPSADDR_MATCH) {
+ ka->in_use++;
+ plog (LLV_INFO, LOCATION, NULL, "KA found: %s (in_use=%u)\n",
+ saddr2str_fromto("%s->%s", src, dst), ka->in_use);
+@@ -462,8 +462,8 @@
+ plog (LLV_DEBUG, LOCATION, NULL, "KA tree dump: %s (in_use=%u)\n",
+ saddr2str_fromto("%s->%s", src, dst), ka->in_use);
+ 
+- if (cmpsaddr(ka->src, src) == 0 &&
+- cmpsaddr(ka->dst, dst) == 0 &&
++ if (cmpsaddr(ka->src, src) == CMPSADDR_MATCH &&
++ cmpsaddr(ka->dst, dst) == CMPSADDR_MATCH &&
+ -- ka->in_use <= 0) {
+ 
+ plog (LLV_DEBUG, LOCATION, NULL, "KA removing this one...\n");
+Index: ipsec-tools-cvs-HEAD/src/racoon/pfkey.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/pfkey.c 2011-03-03 17:54:34.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/pfkey.c 2011-03-03 18:52:50.000000000 +0200
+@@ -2882,8 +2882,8 @@
+ u_int16_t port;
+ 
+ /* Already up-to-date? */
+- if (cmpsaddr(iph1->local, ma->local) == 0 &&
+- cmpsaddr(iph1->remote, ma->remote) == 0)
++ if (cmpsaddr(iph1->local, ma->local) == CMPSADDR_MATCH &&
++ cmpsaddr(iph1->remote, ma->remote) == CMPSADDR_MATCH)
+ return 0;
+ 
+ if (iph1->status < PHASE1ST_ESTABLISHED) {
+@@ -2983,8 +2983,8 @@
+ migrate_ph1_ike_addresses(iph2->ph1, arg);
+ 
+ /* Already up-to-date? */
+- if (cmpsaddr(iph2->src, ma->local) == 0 &&
+- cmpsaddr(iph2->dst, ma->remote) == 0)
++ if (cmpsaddr(iph2->src, ma->local) == CMPSADDR_MATCH &&
++ cmpsaddr(iph2->dst, ma->remote) == CMPSADDR_MATCH)
+ return 0;
+ 
+ /* save src/dst as sa_src/sa_dst before rewriting */
+@@ -3207,8 +3207,8 @@
+ "changing address families (%d to %d) for endpoints.\n",
+ osaddr->sa_family, nsaddr->sa_family);
+ 
+- if (cmpsaddr(osaddr, (struct sockaddr *) &saidx->src) ||
+- cmpsaddr(odaddr, (struct sockaddr *) &saidx->dst)) {
++ if (cmpsaddr(osaddr, (struct sockaddr *) &saidx->src) != CMPSADDR_MATCH ||
++ cmpsaddr(odaddr, (struct sockaddr *) &saidx->dst) != CMPSADDR_MATCH) {
+ plog(LLV_DEBUG, LOCATION, NULL, "SADB_X_MIGRATE: "
+ "mismatch of addresses in saidx and xisr.\n");
+ return -1;
+Index: ipsec-tools-cvs-HEAD/src/racoon/policy.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/policy.c 2011-03-03 17:54:34.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/policy.c 2011-03-03 19:09:42.000000000 +0200
+@@ -142,7 +142,7 @@
+ plog(LLV_DEBUG, LOCATION, NULL, "src2: %s\n",
+ saddr2str((struct sockaddr *)&spidx->src));
+ 
+- if (cmpsaddr(iph2->src, (struct sockaddr *) &spidx->src) ||
++ if (cmpsaddr(iph2->src, (struct sockaddr *) &spidx->src) != CMPSADDR_MATCH ||
+ spidx->prefs != prefixlen)
+ return NULL;
+ 
+@@ -151,7 +151,7 @@
+ plog(LLV_DEBUG, LOCATION, NULL, "dst2: %s\n",
+ saddr2str((struct sockaddr *)&spidx->dst));
+ 
+- if (cmpsaddr(iph2->dst, (struct sockaddr *) &spidx->dst) ||
++ if (cmpsaddr(iph2->dst, (struct sockaddr *) &spidx->dst) != CMPSADDR_MATCH ||
+ spidx->prefd != prefixlen)
+ return NULL;
+ 
+@@ -201,10 +201,10 @@
+ return 1;
+ 
+ if (cmpsaddr((struct sockaddr *) &a->src,
+- (struct sockaddr *) &b->src))
++ (struct sockaddr *) &b->src) != CMPSADDR_MATCH)
+ return 1;
+ if (cmpsaddr((struct sockaddr *) &a->dst,
+- (struct sockaddr *) &b->dst))
++ (struct sockaddr *) &b->dst) != CMPSADDR_MATCH)
+ return 1;
+ 
+ #ifdef HAVE_SECCTX
+@@ -261,7 +261,7 @@
+ a, b->prefs, saddr2str((struct sockaddr *)&sa1));
+ plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
+ b, b->prefs, saddr2str((struct sockaddr *)&sa2));
+- if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
++ if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2) > CMPSADDR_WILDPORT_MATCH)
+ return 1;
+ 
+ #ifndef __linux__
+@@ -279,7 +279,7 @@
+ a, b->prefd, saddr2str((struct sockaddr *)&sa1));
+ plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
+ b, b->prefd, saddr2str((struct sockaddr *)&sa2));
+- if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
++ if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2) > CMPSADDR_WILDPORT_MATCH)
+ return 1;
+ 
+ #ifdef HAVE_SECCTX
+Index: ipsec-tools-cvs-HEAD/src/racoon/sockmisc.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/sockmisc.c 2011-03-03 17:54:35.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/sockmisc.c 2011-03-03 18:55:01.000000000 +0200
+@@ -132,11 +132,13 @@
+ return CMPSADDR_MISMATCH;
+ }
+ 
+- if (port1 == port2 ||
+- port1 == IPSEC_PORT_ANY ||
+- port2 == IPSEC_PORT_ANY)
++ if (port1 == port2)
+ return CMPSADDR_MATCH;
+ 
++ if (port1 == IPSEC_PORT_ANY ||
++ port2 == IPSEC_PORT_ANY)
++ return CMPSADDR_WILDPORT_MATCH;
++ 
+ return CMPSADDR_WOP_MATCH;
+ }
+ 
+@@ -934,7 +936,7 @@
+ free(a2);
+ free(a3);
+ }
+- if (cmpsaddr(&sa, &naddr->sa.sa) == 0)
++ if (cmpsaddr(&sa, &naddr->sa.sa) <= CMPSADDR_WOP_MATCH)
+ return naddr->prefix + port_score;
+ 
+ return -1;
+Index: ipsec-tools-cvs-HEAD/src/racoon/sockmisc.h
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/sockmisc.h 2011-03-03 17:54:35.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/sockmisc.h 2011-03-03 18:40:30.000000000 +0200
+@@ -57,8 +57,9 @@
+ extern const int niflags;
+ 
+ #define CMPSADDR_MATCH 0
+-#define CMPSADDR_WOP_MATCH 1
+-#define CMPSADDR_MISMATCH 2
++#define CMPSADDR_WILDPORT_MATCH 1
++#define CMPSADDR_WOP_MATCH 2
++#define CMPSADDR_MISMATCH 3
+ 
+ extern int cmpsaddr __P((const struct sockaddr *, const struct sockaddr *));
+ 
+Index: ipsec-tools-cvs-HEAD/src/racoon/throttle.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/throttle.c 2011-03-03 17:54:35.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/throttle.c 2011-03-03 18:55:31.000000000 +0200
+@@ -104,7 +104,7 @@
+ goto restart;
+ }
+ 
+- if (cmpsaddr(addr, (struct sockaddr *) &te->host) == 0) {
++ if (cmpsaddr(addr, (struct sockaddr *) &te->host) <= CMPSADDR_WOP_MATCH) {
+ found = 1;
+ break;
+ }
diff --git a/main/ipsec-tools/20-grekey-support.patch b/main/ipsec-tools/20-grekey-support.patch
new file mode 100644
index 000000000..9ad2bca74
--- /dev/null
+++ b/main/ipsec-tools/20-grekey-support.patch
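Review bot: The renumbered `CMPSADDR_*` values in the sockmisc.h hunk now carry meaning through their order — the grabmyaddr.c, handler.c and policy.c sites test `<= CMPSADDR_WILDPORT_MATCH` or `> CMPSADDR_WILDPORT_MATCH`, and sockmisc.c and throttle.c test `<= CMPSADDR_WOP_MATCH` — but nothing in the header says so, so a later insertion into the list would silently change which matches those comparisons accept; add above the defines `/* cmpsaddr() results, ordered strictest to loosest; callers rely on <= and > comparisons, keep the order. */`. The sockmisc.c and throttle.c sites also widen from the old `== 0` to `<= CMPSADDR_WOP_MATCH`, which now accepts a port mismatch the old code rejected; if that is intended, a short comment at each site would save the next reader the trip to sockmisc.h. Every function touched by these nested hunks starts and ends outside the lines shown.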
@@ -0,0 +1,608 @@
+Index: ipsec-tools-cvs-HEAD/src/racoon/racoonctl.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/racoonctl.c 2011-03-03 19:28:29.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/racoonctl.c 2011-03-03 19:29:42.000000000 +0200
+@@ -232,7 +232,7 @@
+ "\n"
+ " : \"isakmp\" \n"
+ " : {\"esp\",\"ah\"} \n"
+-" \n"
++" [grekey ]\n"
+ " : \"inet\" or \"inet6\"\n"
+ " : \"icmp\", \"tcp\", \"udp\", \"gre\" or \"any\"\n"
+ "\n",
+@@ -819,7 +819,7 @@
+ {
+ int family;
+ 
+- if (ac != 3 && ac != 4) {
++ if (ac < 3) {
+ errno = EINVAL;
+ return NULL;
+ }
+@@ -861,10 +861,8 @@
+ struct sockaddr *src = NULL, *dst = NULL;
+ int ulproto;
+ 
+- if (ac != 2 && ac != 3) {
+- errno = EINVAL;
+- return NULL;
+- }
++ if (ac < 2)
++ goto bad_args;
+ 
+ if (get_comindex(*av, &p_name, &p_port, &p_prefs) == -1)
+ goto bad;
+@@ -901,13 +899,34 @@
+ 
+ av++;
+ ac--;
+- if(ac){
++ if (ac) {
+ ulproto = get_ulproto(*av);
+ if (ulproto == -1)
+ goto bad;
++ av++;
++ ac--;
++ } else
+ ulproto=0;
+ 
++ if (ac == 2 && strcmp(av[0], "grekey") == 0) {
++ int a, b, c, d;
++ unsigned long u;
++ 
++ if (sscanf(av[1], "%d.%d.%d.%d", &a, &b, &c, &d) == 4) {
++ set_port(src, (a << 8) + b);
++ set_port(dst, (c << 8) + d);
++ } else if (sscanf(av[1], "%lu", &u) == 1) {
++ set_port(src, u >> 16);
++ set_port(dst, u & 0xffff);
++ } else
++ goto bad_args;
++ av += 2;
++ ac -= 2;
++ }
++ 
++ if (ac != 0)
++ goto bad_args;
++ 
+ ci = (struct admin_com_indexes *)buf->v;
+ if(p_prefs)
+ ci->prefs = (u_int8_t)atoi(p_prefs); /* XXX should be handled error. */
+@@ -926,7 +945,9 @@
+ 
+ return buf;
+ 
+- bad:
++bad_args:
++ errno = EINVAL;
++bad:
+ if (p_name)
+ racoon_free(p_name);
+ if (p_port)
+Index: ipsec-tools-cvs-HEAD/src/racoon/admin.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/admin.c 2011-03-03 19:28:29.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/admin.c 2011-03-03 21:16:47.000000000 +0200
+@@ -444,7 +444,7 @@
+ 
+ /* search appropreate configuration */
+ if (name == NULL)
+- rmconf = getrmconf(dst, 0);
++ rmconf = getrmconf(dst, 0, 0);
+ else
+ rmconf = getrmconf_by_name(name);
+ if (rmconf == NULL) {
+@@ -536,6 +536,16 @@
+ spidx.prefs = ndx->prefd;
+ spidx.prefd = ndx->prefs;
+ spidx.ul_proto = ndx->ul_proto;
++ switch (ndx->ul_proto) {
++ case IPPROTO_ICMP:
++ case IPPROTO_ICMPV6:
++ case IPPROTO_GRE:
++ /* Ports are UL specific data, and should
++ * not get swapped */
++ set_port((struct sockaddr *) &spidx.src, extract_port(src));
++ set_port((struct sockaddr *) &spidx.dst, extract_port(dst));
++ break;
++ }
+ 
+ sp_in = getsp_r(&spidx);
+ if (sp_in) {
+Index: ipsec-tools-cvs-HEAD/src/racoon/cftoken.l
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/cftoken.l 2011-03-03 19:57:26.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/cftoken.l 2011-03-04 13:07:03.000000000 +0200
+@@ -288,6 +288,7 @@
+ any { YYD; return(ANY); }
+ from { YYD; return(FROM); }
+ group { YYD; return(GROUP); }
++grekey { YYD; return(GREKEY); }
+ /* sainfo spec */
+ {bcl} { BEGIN S_SAINFS; return(BOC); }
+ {semi} { BEGIN S_INI; return(EOS); }
+Index: ipsec-tools-cvs-HEAD/src/racoon/cfparse.y
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/cfparse.y 2011-03-03 19:57:30.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/cfparse.y 2011-03-04 13:09:01.000000000 +0200
+@@ -213,7 +213,7 @@
+ /* algorithm */
+ %token ALGORITHM_CLASS ALGORITHMTYPE STRENGTHTYPE
+ /* sainfo */
+-%token SAINFO FROM
++%token SAINFO FROM GREKEY
+ /* remote */
+ %token REMOTE ANONYMOUS CLIENTADDR INHERIT REMOTE_ADDRESS
+ %token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE
+@@ -1301,6 +1301,35 @@
+ cur_sainfo->idsrc = $1;
+ cur_sainfo->iddst = $2;
+ }
++ | sainfo_id sainfo_id GREKEY ADDRSTRING
++ {
++ int a, b, c, d;
++ 
++ if (sscanf($4->v, "%d.%d.%d.%d", &a, &b, &c, &d) == 4) {
++ a = ipsecdoi_fixup_id_uldata(
++ $1, $2, IPPROTO_GRE,
++ (a << 8) + b, (c << 8) + d);
++ } else {
++ yyerror("grekey format unrecognized.");
++ return -1;
++ }
++ if (a != 0) {
++ yyerror("ul_proto needs to be 'gre' to use grekey.");
++ return -1;
++ }
++ cur_sainfo->idsrc = $1;
++ cur_sainfo->iddst = $2;
++ }
++ | sainfo_id sainfo_id GREKEY NUMBER
++ {
++ if (ipsecdoi_fixup_id_uldata($1, $2, IPPROTO_GRE,
++ ($4) >> 16, ($4) & 0xffff) != 0) {
++ yyerror("ul_proto needs to be 'gre' to use grekey.");
++ return -1;
++ }
++ cur_sainfo->idsrc = $1;
++ cur_sainfo->iddst = $2;
++ }
+ ;
+ sainfo_id
+ : IDENTIFIERTYPE ADDRSTRING prefix port ul_proto
+@@ -1667,7 +1696,7 @@
+ {
+ struct remoteconf *from, *new;
+ 
+- from = getrmconf($4, GETRMCONF_F_NO_ANONYMOUS);
++ from = getrmconf($4, GETRMCONF_F_NO_ANONYMOUS, 0);
+ if (from == NULL) {
+ yyerror("failed to get remoteconf for %s.",
+ saddr2str($4));
+Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.h
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/ipsec_doi.h 2011-03-03 20:19:23.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.h 2011-03-03 20:42:35.000000000 +0200
+@@ -227,6 +227,9 @@
+ extern int set_identifier_qual __P((vchar_t **, int, vchar_t *, int));
+ extern int ipsecdoi_setid2 __P((struct ph2handle *));
+ extern vchar_t *ipsecdoi_sockaddr2id __P((struct sockaddr *, u_int, u_int));
++extern int ipsecdoi_fixup_id_uldata __P((vchar_t *, vchar_t *, u_int16_t, u_int16_t, u_int16_t));
++extern int ipsecdoi_id_has_port __P((vchar_t *));
++ 
+ extern int ipsecdoi_id2sockaddr __P((vchar_t *, struct sockaddr *,
+ u_int8_t *, u_int16_t *));
+ extern char *ipsecdoi_id2str __P((const vchar_t *));
+Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/ipsec_doi.c 2011-03-03 20:19:23.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c 2011-03-03 21:01:16.000000000 +0200
+@@ -3371,6 +3371,7 @@
+ vchar_t ident_t;
+ vchar_t ident_s;
+ int result;
++ int check_ports = 0;
+ 
+ /* handle wildcard IDs */
+ 
+@@ -3460,6 +3461,7 @@
+ 
+ case IPSECDOI_ID_IPV4_ADDR:
+ /* validate lengths */
++ check_ports = 1;
+ if ((ident_t.l != sizeof(struct in_addr))||
+ (ident_s.l != sizeof(struct in_addr)))
+ goto cmpid_invalid;
+@@ -3468,6 +3470,7 @@
+ case IPSECDOI_ID_IPV4_ADDR_SUBNET:
+ case IPSECDOI_ID_IPV4_ADDR_RANGE:
+ /* validate lengths */
++ check_ports = 1;
+ if ((ident_t.l != (sizeof(struct in_addr)*2))||
+ (ident_s.l != (sizeof(struct in_addr)*2)))
+ goto cmpid_invalid;
+@@ -3476,6 +3479,7 @@
+ #ifdef INET6
+ case IPSECDOI_ID_IPV6_ADDR:
+ /* validate lengths */
++ check_ports = 1;
+ if ((ident_t.l != sizeof(struct in6_addr))||
+ (ident_s.l != sizeof(struct in6_addr)))
+ goto cmpid_invalid;
+@@ -3484,6 +3488,7 @@
+ case IPSECDOI_ID_IPV6_ADDR_SUBNET:
+ case IPSECDOI_ID_IPV6_ADDR_RANGE:
+ /* validate lengths */
++ check_ports = 1;
+ if ((ident_t.l != (sizeof(struct in6_addr)*2))||
+ (ident_s.l != (sizeof(struct in6_addr)*2)))
+ goto cmpid_invalid;
+@@ -3502,10 +3507,15 @@
+ }
+ 
+ /* validate matching data and length */
+- if (ident_t.l == ident_s.l)
+- result = memcmp(ident_t.v,ident_s.v,ident_t.l);
+- else
++ if (check_ports &&
++ (id_bt->port != id_bs->port && id_bs->port != 0))
++ /* if target is wildcard, source should be too, otherwise
++ * specific rule matches wildcard request */
+ result = 1;
++ else if (ident_t.l != ident_s.l)
++ result = 1;
++ else
++ result = memcmp(ident_t.v,ident_s.v,ident_t.l);
+ 
+ cmpid_result:
+ 
+@@ -4089,6 +4099,44 @@
+ return new;
+ }
+ 
++int ipsecdoi_fixup_id_uldata(srcid, dstid, ul_proto, ul_data1, ul_data2)
++ vchar_t *srcid, *dstid;
++ u_int16_t ul_proto;
++ u_int16_t ul_data1, ul_data2;
++{
++ struct ipsecdoi_id_b *src = (struct ipsecdoi_id_b *) srcid->v;
++ struct ipsecdoi_id_b *dst = (struct ipsecdoi_id_b *) dstid->v;
++ 
++ if (src->proto_id != ul_proto ||
++ dst->proto_id != ul_proto)
++ return -1;
++ 
++ src->port = htons(ul_data1);
++ dst->port = htons(ul_data2);
++ 
++ return 0;
++}
++ 
++int ipsecdoi_id_has_port(id)
++ vchar_t *id;
++{
++ struct ipsecdoi_id_b *id_b = (struct ipsecdoi_id_b *) id->v;
++ 
++ switch (id_b->type) {
++ case IPSECDOI_ID_IPV4_ADDR:
++ case IPSECDOI_ID_IPV4_ADDR_SUBNET:
++ case IPSECDOI_ID_IPV4_ADDR_RANGE:
++ case IPSECDOI_ID_IPV6_ADDR:
++ case IPSECDOI_ID_IPV6_ADDR_SUBNET:
++ case IPSECDOI_ID_IPV6_ADDR_RANGE:
++ if (ntohs(id_b->port) != 0)
++ return 1;
++ break;
++ }
++ return 0;
++}
++ 
++ 
+ vchar_t *
+ ipsecdoi_sockrange2id(laddr, haddr, ul_proto)
+ struct sockaddr *laddr, *haddr;
+@@ -4318,7 +4366,7 @@
+ saddr.sa.sa_len = sizeof(struct sockaddr_in);
+ #endif
+ saddr.sa.sa_family = AF_INET;
+- saddr.sin.sin_port = IPSEC_PORT_ANY;
++ saddr.sin.sin_port = id_b->port;
+ memcpy(&saddr.sin.sin_addr,
+ id->v + sizeof(*id_b), sizeof(struct in_addr));
+ break;
+@@ -4331,7 +4379,7 @@
+ saddr.sa.sa_len = sizeof(struct sockaddr_in6);
+ #endif
+ saddr.sa.sa_family = AF_INET6;
+- saddr.sin6.sin6_port = IPSEC_PORT_ANY;
++ saddr.sin6.sin6_port = id_b->port;
+ memcpy(&saddr.sin6.sin6_addr,
+ id->v + sizeof(*id_b), sizeof(struct in6_addr));
+ saddr.sin6.sin6_scope_id =
+@@ -4347,7 +4395,7 @@
+ #ifdef INET6
+ case IPSECDOI_ID_IPV6_ADDR:
+ #endif
+- len = snprintf( buf, BUFLEN, "%s", saddrwop2str(&saddr.sa));
++ len = snprintf( buf, BUFLEN, "%s", saddr2str(&saddr.sa));
+ break;
+ 
+ case IPSECDOI_ID_IPV4_ADDR_SUBNET:
+@@ -4403,7 +4451,9 @@
+ plen += l;
+ }
+ 
+- len = snprintf( buf, BUFLEN, "%s/%i", saddrwop2str(&saddr.sa), plen);
++ len = snprintf(buf, BUFLEN, "%s/%i[%d]",
++ saddrwop2str(&saddr.sa), plen,
++ ntohs(id_b->port));
+ }
+ break;
+ 
+@@ -4415,12 +4465,12 @@
+ saddr.sa.sa_len = sizeof(struct sockaddr_in);
+ #endif
+ saddr.sa.sa_family = AF_INET;
+- saddr.sin.sin_port = IPSEC_PORT_ANY;
++ saddr.sin.sin_port = id_b->port;
+ memcpy(&saddr.sin.sin_addr,
+ id->v + sizeof(*id_b) + sizeof(struct in_addr),
+ sizeof(struct in_addr));
+ 
+- len += snprintf(buf + len, BUFLEN - len, "%s", saddrwop2str(&saddr.sa));
++ len += snprintf(buf + len, BUFLEN - len, "%s", saddr2str(&saddr.sa));
+ break;
+ 
+ #ifdef INET6
+@@ -4431,7 +4481,7 @@
+ saddr.sa.sa_len = sizeof(struct sockaddr_in6);
+ #endif
+ saddr.sa.sa_family = AF_INET6;
+- saddr.sin6.sin6_port = IPSEC_PORT_ANY;
++ saddr.sin6.sin6_port = id_b->port;
+ memcpy(&saddr.sin6.sin6_addr,
+ id->v + sizeof(*id_b) + sizeof(struct in6_addr),
+ sizeof(struct in6_addr));
+@@ -4440,7 +4490,7 @@
+ ? ((struct sockaddr_in6 *)id_b)->sin6_scope_id
+ : 0);
+ 
+- len += snprintf(buf + len, BUFLEN - len, "%s", saddrwop2str(&saddr.sa));
++ len += snprintf(buf + len, BUFLEN - len, "%s", saddr2str(&saddr.sa));
+ break;
+ #endif
+ 
+Index: ipsec-tools-cvs-HEAD/src/racoon/sainfo.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/sainfo.c 2011-03-03 20:07:44.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/sainfo.c 2011-03-03 20:55:02.000000000 +0200
+@@ -124,7 +124,7 @@
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "evaluating sainfo: %s\n", sainfostr);
+ 
+- if(s->remoteid != remoteid) {
++ if (remoteid != -1 && s->remoteid != remoteid) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "remoteid mismatch: %u != %u\n",
+ s->remoteid, remoteid);
+@@ -234,16 +234,22 @@
+ int pri = 0;
+ 
+ if(s->remoteid)
+- pri += 3;
++ pri += 7;
+ 
+ if(s->id_i)
+- pri += 3;
++ pri += 7;
+ 
+- if(s->idsrc)
++ if(s->idsrc) {
+ pri++;
++ if (ipsecdoi_id_has_port(s->idsrc))
++ pri += 2;
++ }
+ 
+- if(s->iddst)
++ if(s->iddst) {
+ pri++;
++ if (ipsecdoi_id_has_port(s->iddst))
++ pri += 2;
++ }
+ 
+ return pri;
+ }
+Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp.c 2011-03-03 20:55:57.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/isakmp.c 2011-03-03 21:14:13.000000000 +0200
+@@ -2170,7 +2170,15 @@
+ * so no need to bother yet. --arno */
+ 
+ if (iph1hint == NULL || iph1hint->rmconf == NULL) {
+- rmconf = getrmconf(iph2->dst, nopassive ? GETRMCONF_F_NO_PASSIVE : 0);
++ int flags = 0;
++ uint32_t remoteid;
++ if (nopassive)
++ flags |= GETRMCONF_F_NO_PASSIVE;
++ if (iph2->sainfo != NULL) {
++ flags |= GETRMCONF_F_HAS_REMOTEID;
++ remoteid = iph2->sainfo->remoteid;
++ }
++ rmconf = getrmconf(iph2->dst, flags, remoteid);
+ if (rmconf == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "no configuration found for %s.\n",
+@@ -2246,7 +2254,7 @@
+ struct secpolicy *sp_out, *sp_in;
+ {
+ struct remoteconf *conf;
+- uint32_t remoteid = 0;
++ uint32_t remoteid = -1;
+ 
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "new acquire %s\n", spidx2str(&sp_out->spidx));
+@@ -2273,7 +2281,7 @@
+ return -1;
+ }
+ 
+- conf = getrmconf(iph2->dst, 0);
++ conf = getrmconf(iph2->dst, 0, 0);
+ if (conf != NULL)
+ remoteid = conf->ph1id;
+ else
+Index: ipsec-tools-cvs-HEAD/src/racoon/remoteconf.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/remoteconf.c 2011-03-03 21:06:03.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/remoteconf.c 2011-03-03 21:17:09.000000000 +0200
+@@ -217,6 +217,13 @@
+ return MATCH_NONE;
+ }
+ 
++ if ((rmsel->flags & GETRMCONF_F_HAS_REMOTEID) &&
++ rmsel->remoteid != rmconf->ph1id){
++ plog(LLV_DEBUG2, LOCATION, rmsel->remote,
++ "Not matched: remote_id did not match.\n");
++ return MATCH_NONE;
++ }
++ 
+ ret |= MATCH_BASIC;
+ 
+ /* Check address */
+@@ -387,9 +394,10 @@
+ */
+ 
+ struct remoteconf *
+-getrmconf(remote, flags)
++getrmconf(remote, flags, remoteid)
+ struct sockaddr *remote;
+ int flags;
++ uint32_t remoteid;
+ {
+ struct rmconf_find_context ctx;
+ int n = 0;
+@@ -397,6 +405,7 @@
+ memset(&ctx, 0, sizeof(ctx));
+ ctx.sel.flags = flags;
+ ctx.sel.remote = remote;
++ ctx.sel.remoteid = remoteid;
+ 
+ if (enumrmconf(&ctx.sel, rmconf_find, &ctx) != 0) {
+ plog(LLV_ERROR, LOCATION, remote,
+Index: ipsec-tools-cvs-HEAD/src/racoon/remoteconf.h
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/remoteconf.h 2011-03-03 21:06:03.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/remoteconf.h 2011-03-03 21:10:53.000000000 +0200
+@@ -178,6 +178,7 @@
+ int flags;
+ struct sockaddr *remote;
+ int etype;
++ uint32_t remoteid;
+ struct isakmpsa *approval;
+ vchar_t *identity;
+ vchar_t *certificate_request;
+@@ -191,12 +192,13 @@
+ 
+ #define GETRMCONF_F_NO_ANONYMOUS 0x0001
+ #define GETRMCONF_F_NO_PASSIVE 0x0002
++#define GETRMCONF_F_HAS_REMOTEID 0x0004
+ 
+ #define RMCONF_ERR_MULTIPLE ((struct remoteconf *) -1)
+ 
+ extern int rmconf_match_identity __P((struct remoteconf *rmconf,
+ vchar_t *id_p));
+-extern struct remoteconf *getrmconf __P((struct sockaddr *remote, int flags));
++extern struct remoteconf *getrmconf __P((struct sockaddr *remote, int flags, uint32_t remoteid));
+ extern struct remoteconf *getrmconf_by_ph1 __P((struct ph1handle *iph1));
+ extern struct remoteconf *getrmconf_by_name __P((const char *name));
+ 
+Index: ipsec-tools-cvs-HEAD/src/racoon/pfkey.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/pfkey.c 2011-03-03 21:14:45.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/pfkey.c 2011-03-03 21:16:17.000000000 +0200
+@@ -2898,7 +2898,7 @@
+ 
+ /* If we are not acting as initiator, let's just leave and
+ * let the remote peer handle the restart */
+- rmconf = getrmconf(ma->remote, 0);
++ rmconf = getrmconf(ma->remote, 0, 0);
+ if (rmconf == NULL || !rmconf->passive) {
+ iph1->status = PHASE1ST_EXPIRED;
+ sched_schedule(&iph1->sce, 1, isakmp_ph1delete_stub);
+@@ -3068,8 +3068,10 @@
+ 
+ if (iph2->ph1 && iph2->ph1->rmconf)
+ rmconf = iph2->ph1->rmconf;
++ else if (iph2->sainfo != NULL)
++ rmconf = getrmconf(iph2->dst, GETRMCONF_F_HAS_REMOTEID, iph2->sainfo->remoteid);
+ else
+- rmconf = getrmconf(iph2->dst, 0);
++ rmconf = getrmconf(iph2->dst, 0, 0);
+ 
+ if (rmconf && !rmconf->passive) {
+ struct ph1handle *iph1hint;
+Index: ipsec-tools-cvs-HEAD/src/setkey/setkey.8
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/setkey/setkey.8 2011-03-04 11:48:30.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/setkey/setkey.8 2011-03-04 11:48:56.000000000 +0200
+@@ -453,7 +453,7 @@
+ .Pp
+ A second example of requiring transport mode encryption of specific
+ GRE tunnel:
+-.Dl spdadd 0.0.0.0 0.0.0.0 gre 1234 ipsec esp/transport//require ;
++.Dl spdadd 0.0.0.0 0.0.0.0 gre 1234 -P in ipsec esp/transport//require ;
+ .Pp
+ .Em Note :
+ .Ar upperspec
+Index: ipsec-tools-cvs-HEAD/src/racoon/racoon.conf.5
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/racoon.conf.5 2011-03-04 11:57:36.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/racoon.conf.5 2011-03-04 12:01:13.000000000 +0200
+@@ -981,6 +981,7 @@
+ .Bl -tag -width Ds -compact
+ .It Ic sainfo Po Ar local_id | Ic anonymous Pc \
+ Po Ar remote_id | Ic clientaddr | Ic anonymous Pc \
++Bo Ic grekey Ar key Bc \
+ Bo Ic from Ar idtype Bo Ar string Bc Bc Bo Ic group Ar string Bc \
+ Ic { Ar statements Ic }
+ Defines the parameters of the IKE phase 2 (IPsec-SA establishment).
+@@ -1026,6 +1027,15 @@
+ to restrict policy generation when racoon is acting as a client gateway
+ for peers with dynamic ip addresses.
+ .Pp
++If both
++.Ar local_id
++and
++.Ar remote_id
++are specified with GRE as upper layer protocol, the upper layer GRE
++key match can be specified with
++.Ic grekey
++.Ar key .
++.Pp
+ The
+ .Ic from
+ keyword allows an sainfo to only match for peers that use a specific phase1
+Index: ipsec-tools-cvs-HEAD/src/setkey/parse.y
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/setkey/parse.y 2011-03-04 13:04:05.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/setkey/parse.y 2011-03-04 13:04:09.000000000 +0200
+@@ -856,6 +856,17 @@
+ }
+ $$.len = strlen($$.buf);
+ }
++ | DECSTRING
++ {
++ char tmp[16];
++ sprintf(tmp, "%lu", $1);
++ $$.buf = strdup(tmp);
++ if (!$$.buf) {
++ yyerror("insufficient memory");
++ return -1;
++ }
++ $$.len = strlen(tmp);
++ }
+ ;
+ 
+ context_spec
diff --git a/main/ipsec-tools/50-reverse-connect.patch b/main/ipsec-tools/50-reverse-connect.patch
index f29c3d509..54e77a397 100644
--- a/main/ipsec-tools/50-reverse-connect.patch
+++ b/main/ipsec-tools/50-reverse-connect.patch
@@ -13,11 +13,11 @@ over pending phase1:s. Useful when the other party is firewalled or NATted.
5 files changed, 83 insertions(+), 12 deletions(-)
-diff --git a/src/racoon/admin.c b/src/racoon/admin.c
-index b67e545..710c9bf 100644
---- a/src/racoon/admin.c
-+++ b/src/racoon/admin.c
-@@ -414,11 +414,23 @@ admin_process(so2, combuf)
+Index: ipsec-tools-cvs-HEAD/src/racoon/admin.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/admin.c 2011-03-03 21:16:47.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/admin.c 2011-03-04 13:50:30.000000000 +0200
+@@ -414,11 +414,23 @@
struct sockaddr *dst;
struct sockaddr *src;
char *name = NULL;
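Review bot: In the setkey/parse.y addition at the end of this hunk, `sprintf(tmp, "%lu", $1)` formats an unsigned long into `char tmp[16]`, but on 64-bit targets the value can need 20 digits plus the terminator, so a large DECSTRING overruns the stack buffer; size it `char tmp[24];` and write it with `snprintf(tmp, sizeof tmp, "%lu", $1);`. In the isakmp.c hunk that builds `flags` for getrmconf(), `uint32_t remoteid;` has no initializer yet is passed as `getrmconf(iph2->dst, flags, remoteid)` whenever `iph2->sainfo` is NULL, which reads an indeterminate value even if the callee is presumably meant to ignore it without GETRMCONF_F_HAS_REMOTEID set; declare it `uint32_t remoteid = 0;`. The grekey parsers in racoonctl.c and cfparse.y take the four `%d` octets and the `%lu` form without range checks, so a negative or out-of-range component is shifted (undefined for a negative operand) and then presumably narrowed on its way into set_port() or ipsecdoi_fixup_id_uldata(); reject octets outside 0..255 and `%lu` values above 0xffffffff before using them. All of the enclosing functions start outside the nested hunks shown.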
@@ -41,11 +41,11 @@ index b67e545..710c9bf 100644 if (com->ac_cmd == ADMIN_ESTABLISH_SA && com->ac_len > sizeof(*com) + sizeof(*ndx)) name = (char *) ((caddr_t) ndx + sizeof(*ndx)); -diff --git a/src/racoon/evt.c b/src/racoon/evt.c -index 4ce1334..000c1f8 100644 ---- a/src/racoon/evt.c -+++ b/src/racoon/evt.c -@@ -396,4 +396,17 @@ evt_list_cleanup(list) +Index: ipsec-tools-cvs-HEAD/src/racoon/evt.c +=================================================================== +--- ipsec-tools-cvs-HEAD.orig/src/racoon/evt.c 2011-03-03 19:25:50.000000000 +0200 ++++ ipsec-tools-cvs-HEAD/src/racoon/evt.c 2011-03-04 13:50:30.000000000 +0200 +@@ -396,4 +396,17 @@ evt_unsubscribe(LIST_FIRST(list)); } @@ -63,11 +63,11 @@ index 4ce1334..000c1f8 100644 +} + #endif /* ENABLE_ADMINPORT */ -diff --git a/src/racoon/evt.h b/src/racoon/evt.h -index 0ce65bd..ba7fb57 100644 ---- a/src/racoon/evt.h -+++ b/src/racoon/evt.h -@@ -124,6 +124,8 @@ void evt_phase2 __P((const struct ph2handle *ph2, int type, vchar_t *optdata)); +Index: ipsec-tools-cvs-HEAD/src/racoon/evt.h +=================================================================== +--- ipsec-tools-cvs-HEAD.orig/src/racoon/evt.h 2011-03-03 19:25:50.000000000 +0200 ++++ ipsec-tools-cvs-HEAD/src/racoon/evt.h 2011-03-04 13:50:30.000000000 +0200 +@@ -124,6 +124,8 @@ vchar_t *evt_dump __P((void)); int evt_subscribe __P((struct evt_listener_list *list, int fd)); @@ -76,7 +76,7 @@ index 0ce65bd..ba7fb57 100644 void evt_list_init __P((struct evt_listener_list *list)); void evt_list_cleanup __P((struct evt_listener_list *list)); -@@ -136,6 +138,7 @@ void evt_list_cleanup __P((struct evt_listener_list *list)); +@@ -136,6 +138,7 @@ #define evt_phase2(ph2, type, optdata) ; #define evt_subscribe(eventlist, fd) ; 
@@ -84,17 +84,11 @@ index 0ce65bd..ba7fb57 100644 #define evt_list_init(eventlist) ; #define evt_list_cleanup(eventlist) ; #define evt_get_fdmask(nfds, fdset) nfds -diff --git a/src/racoon/handler.c b/src/racoon/handler.c -index b33986f..9fd3817 100644 ---- a/src/racoon/handler.c -+++ b/src/racoon/handler.c -@@ -269,26 +269,40 @@ migrate_ph12(old_iph1, new_iph1) - } - - /* -- * the iph1 is new, migrate all phase2s that belong to a dying or dead ph1 -+ * the iph1 is new, migrate all phase2s that belong to a dying or dead ph1. - */ +Index: ipsec-tools-cvs-HEAD/src/racoon/handler.c +=================================================================== +--- ipsec-tools-cvs-HEAD.orig/src/racoon/handler.c 2011-03-03 19:29:31.000000000 +0200 ++++ ipsec-tools-cvs-HEAD/src/racoon/handler.c 2011-03-04 13:53:01.000000000 +0200 +@@ -292,17 +292,32 @@ void migrate_dying_ph12(iph1) struct ph1handle *iph1; { @@ -114,8 +108,8 @@ index b33986f..9fd3817 100644 + iph1->rmconf != p->rmconf) continue; -- if (cmpsaddr(iph1->local, p->local) == 0 -- && cmpsaddr(iph1->remote, p->remote) == 0) +- if (cmpsaddr(iph1->local, p->local) == CMPSADDR_MATCH +- && cmpsaddr(iph1->remote, p->remote) == CMPSADDR_MATCH) + /* migrate phase2:s from expiring entries */ + if (p->status >= PHASE1ST_DYING) migrate_ph12(p, iph1); @@ -132,15 +126,11 @@ index b33986f..9fd3817 100644 } } -- - /* - * dump isakmp-sa - */ -diff --git a/src/racoon/isakmp.c b/src/racoon/isakmp.c -index 0de16d1..2dfda2f 100644 ---- a/src/racoon/isakmp.c -+++ b/src/racoon/isakmp.c -@@ -2138,13 +2138,33 @@ isakmp_ph2delete(iph2) +Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp.c +=================================================================== +--- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp.c 2011-03-03 21:14:13.000000000 +0200 ++++ ipsec-tools-cvs-HEAD/src/racoon/isakmp.c 2011-03-04 13:50:30.000000000 +0200 +@@ -2138,13 +2138,33 @@ remph2(iph2); delph2(iph2); 
@@ -176,7 +166,7 @@ index 0de16d1..2dfda2f 100644 /* * receive ACQUIRE from kernel, and begin either phase1 or phase2. * if phase1 has been finished, begin phase2. -@@ -2220,8 +2240,14 @@ isakmp_post_acquire(iph2) +@@ -2235,8 +2255,14 @@ /*NOTREACHED*/ } @@ -193,7 +183,7 @@ index 0de16d1..2dfda2f 100644 /* found ISAKMP-SA. */ plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n"); -@@ -2388,7 +2414,10 @@ isakmp_chkph1there(iph2) +@@ -2403,7 +2429,10 @@ plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(iph2->dst)); /* begin quick mode */ diff --git a/main/ipsec-tools/APKBUILD b/main/ipsec-tools/APKBUILD index 6e4a009fd..3e9609bb7 100644 --- a/main/ipsec-tools/APKBUILD +++ b/main/ipsec-tools/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa pkgname=ipsec-tools -pkgver=0.8_alpha20101208 -_myver=0.8-alpha20101208 +pkgver=0.8.0_rc1 +_myver=0.8.0.RC pkgrel=0 pkgdesc="User-space IPsec tools for various IPsec implementations" url="http://ipsec-tools.sourceforge.net/" @@ -13,6 +13,8 @@ subpackages="$pkgname-doc $pkgname-dev" source="http://downloads.sourceforge.net/$pkgname/$pkgname-$_myver.tar.gz racoon.initd racoon.confd + 10-cmpsaddr-fix.patch + 20-grekey-support.patch 50-reverse-connect.patch 70-defer-isakmp-ident-handling.patch 75-racoonctl-rcvbuf.patch @@ -55,9 +57,11 @@ package() { install -D -m644 ../racoon.confd "$pkgdir"/etc/conf.d/racoon } -md5sums="9da0417ea19629777d7d7a555667f6d8 ipsec-tools-0.8-alpha20101208.tar.gz +md5sums="9473d0ce8746f16281fce1b75a9fffa3 ipsec-tools-0.8.0.RC.tar.gz 74f12ed04ed273a738229c0bfbf829cc racoon.initd 2d00250cf72da7f2f559c91b65a48747 racoon.confd -13bda94a598aabf593280e04ea16065d 50-reverse-connect.patch +e4c9ae678bf80518107690bde97dc14b 10-cmpsaddr-fix.patch +64a859d51f57206a11e52f6ad4830ec5 20-grekey-support.patch +f97205eea3dc68d2437a2ad8720f4520 50-reverse-connect.patch 94773c94233e14cdce0fa02ff780a43e 70-defer-isakmp-ident-handling.patch 2d5d24c4a3684a38584f88720f71c7d6 75-racoonctl-rcvbuf.patch" -- cgit v1.2.3
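Review bot: The `md5sums=` block in the last APKBUILD hunk is the only integrity check on the upstream tarball, since the `source=` context line fetches it over plain `http://downloads.sourceforge.net/...`; MD5 is collision-broken, so this detects accidental corruption but gives weak assurance that the archive is the one the maintainer verified. If the abuild in use supports it, the stronger `sha512sums=` (or `sha256sums=`) form should be used for the tarball and the patch files alike, keeping the same file list; the two new locally-shipped patches (`10-cmpsaddr-fix.patch`, `20-grekey-support.patch`) would then get entries under that key as well. It would also help to record where the upstream checksum was obtained (release announcement or signature) in the commit message so the value can be re-verified later.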