Index: ipsec-tools-cvs-HEAD/src/racoon/grabmyaddr.c
===================================================================
--- ipsec-tools-cvs-HEAD.orig/src/racoon/grabmyaddr.c 2011-03-03 17:54:33.000000000 +0200
+++ ipsec-tools-cvs-HEAD/src/racoon/grabmyaddr.c 2011-03-03 18:45:24.000000000 +0200
@@ -100,7 +100,7 @@
 return TRUE;
 LIST_FOREACH(cfg, &configured, chain) {
- if (cmpsaddr(addr, (struct sockaddr *) &cfg->addr) == 0)
+ if (cmpsaddr(addr, (struct sockaddr *) &cfg->addr) <= CMPSADDR_WILDPORT_MATCH)
 return TRUE;
 }
@@ -116,7 +116,7 @@
 /* Already open? */
 LIST_FOREACH(my, &opened, chain) {
- if (cmpsaddr(addr, (struct sockaddr *) &my->addr) == 0)
+ if (cmpsaddr(addr, (struct sockaddr *) &my->addr) <= CMPSADDR_WILDPORT_MATCH)
 return TRUE;
 }
@@ -156,7 +156,7 @@
 LIST_FOREACH(cfg, &configured, chain) {
 if (addr != NULL &&
- cmpsaddr(addr, (struct sockaddr *) &cfg->addr) != 0)
+ cmpsaddr(addr, (struct sockaddr *) &cfg->addr) > CMPSADDR_WILDPORT_MATCH)
 continue;
 if (!myaddr_open((struct sockaddr *) &cfg->addr, cfg->udp_encap))
 return FALSE;
@@ -262,7 +262,7 @@
 struct myaddr *my;
 LIST_FOREACH(my, &opened, chain) {
- if (cmpsaddr((struct sockaddr *) &my->addr, addr) == 0)
+ if (cmpsaddr((struct sockaddr *) &my->addr, addr) <= CMPSADDR_WILDPORT_MATCH)
 return my->fd;
 }
@@ -276,7 +276,7 @@
 struct myaddr *my;
 LIST_FOREACH(my, &opened, chain) {
- if (cmpsaddr((struct sockaddr *) &my->addr, addr) == 0)
+ if (cmpsaddr((struct sockaddr *) &my->addr, addr) <= CMPSADDR_WILDPORT_MATCH)
 return extract_port((struct sockaddr *) &my->addr);
 }
Index: ipsec-tools-cvs-HEAD/src/racoon/handler.c
===================================================================
--- ipsec-tools-cvs-HEAD.orig/src/racoon/handler.c 2011-03-03 17:54:33.000000000 +0200
+++ ipsec-tools-cvs-HEAD/src/racoon/handler.c 2011-03-03 18:48:10.000000000 +0200
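Review bot: The five grabmyaddr.c hunks keep the old wildcard-port tolerance via `<= CMPSADDR_WILDPORT_MATCH`, but nothing records why these lookups must accept a wildcard port while the handler.c and pfkey.c callers in the same patch move to an exact `== CMPSADDR_MATCH`. The lookup at `@@ -276` that returns `extract_port((struct sockaddr *) &my->addr)` presumably only makes sense when the incoming `addr` may carry `IPSEC_PORT_ANY`, so a one-line comment above that `if` would pin the contract: `/* addr may carry IPSEC_PORT_ANY: accept wildcard-port matches here */`. The same line fits the `my->fd` lookup at `@@ -262`. Each enclosing function starts outside its hunk.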
@@ -120,11 +120,11 @@
 LIST_FOREACH(p, &ph1tree, chain) {
 if (sel != NULL) {
 if (sel->local != NULL &&
- cmpsaddr(sel->local, p->local) != 0)
+ cmpsaddr(sel->local, p->local) > CMPSADDR_WILDPORT_MATCH)
 continue;
 if (sel->remote != NULL &&
- cmpsaddr(sel->remote, p->remote) != 0)
+ cmpsaddr(sel->remote, p->remote) > CMPSADDR_WILDPORT_MATCH)
 continue;
 }
@@ -300,8 +300,8 @@
 if (p->status < PHASE1ST_DYING)
 continue;
- if (cmpsaddr(iph1->local, p->local) == 0
- && cmpsaddr(iph1->remote, p->remote) == 0)
+ if (cmpsaddr(iph1->local, p->local) == CMPSADDR_MATCH
+ && cmpsaddr(iph1->remote, p->remote) == CMPSADDR_MATCH)
 migrate_ph12(p, iph1);
 }
 }
@@ -547,11 +547,11 @@
 continue;
 if (sel->src != NULL &&
- cmpsaddr(sel->src, p->src) != 0)
+ cmpsaddr(sel->src, p->src) != CMPSADDR_MATCH)
 continue;
 if (sel->dst != NULL &&
- cmpsaddr(sel->dst, p->dst) != 0)
+ cmpsaddr(sel->dst, p->dst) != CMPSADDR_MATCH)
 continue;
 }
@@ -615,8 +615,8 @@
 LIST_FOREACH(p, &ph2tree, chain) {
 if (spid == p->spid &&
- cmpsaddr(src, p->src) == 0 &&
- cmpsaddr(dst, p->dst) == 0){
+ cmpsaddr(src, p->src) <= CMPSADDR_WILDPORT_MATCH &&
+ cmpsaddr(dst, p->dst) <= CMPSADDR_WILDPORT_MATCH){
 /* Sanity check to detect zombie handlers
 * XXX Sould be done "somewhere" more interesting,
 * because we have lots of getph2byxxxx(), but this one
@@ -643,8 +643,8 @@
 struct ph2handle *p;
 LIST_FOREACH(p, &ph2tree, chain) {
- if (cmpsaddr(src, p->src) == 0 &&
- cmpsaddr(dst, p->dst) == 0)
+ if (cmpsaddr(src, p->src) <= CMPSADDR_WILDPORT_MATCH &&
+ cmpsaddr(dst, p->dst) <= CMPSADDR_WILDPORT_MATCH)
 return p;
 }
@@ -947,7 +947,7 @@
 struct contacted *p;
 LIST_FOREACH(p, &ctdtree, chain) {
- if (cmpsaddr(remote, p->remote) == 0)
+ if (cmpsaddr(remote, p->remote) <= CMPSADDR_WILDPORT_MATCH)
 return p;
 }
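Review bot: The selector filters in the `@@ -120` and `@@ -547` hunks now disagree: the ph1 loop still treats a wildcard-port selector as matching (`> CMPSADDR_WILDPORT_MATCH` skips only real mismatches) while the ph2 loop rejects it (`!= CMPSADDR_MATCH` also skips a `CMPSADDR_WILDPORT_MATCH` result), although both have the same `sel->X != NULL && cmpsaddr(...)` shape and both accepted wildcard ports before this change. Unless ph2 selectors are guaranteed to carry concrete ports, the two `@@ -547` lines should become `cmpsaddr(sel->src, p->src) > CMPSADDR_WILDPORT_MATCH)` and `cmpsaddr(sel->dst, p->dst) > CMPSADDR_WILDPORT_MATCH)`, which also lines up with the ph2 lookups at `@@ -615` and `@@ -643` that keep `<= CMPSADDR_WILDPORT_MATCH`. If the tightening is deliberate, a comment above the first `if (sel->src != NULL` saying that a ph2 selector port must match exactly would keep the next reader from "fixing" it. The enclosing functions start outside their hunks.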
@@ -988,7 +988,7 @@
 struct contacted *p;
 LIST_FOREACH(p, &ctdtree, chain) {
- if (cmpsaddr(remote, p->remote) == 0) {
+ if (cmpsaddr(remote, p->remote) <= CMPSADDR_WILDPORT_MATCH) {
 LIST_REMOVE(p, chain);
 racoon_free(p->remote);
 racoon_free(p);
@@ -1042,7 +1042,7 @@
 /*
 * the packet was processed before, but the remote address mismatches.
 */
- if (cmpsaddr(remote, r->remote) != 0)
+ if (cmpsaddr(remote, r->remote) != CMPSADDR_MATCH)
 return 2;
 /*
Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp.c
===================================================================
--- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp.c 2011-03-03 17:54:33.000000000 +0200
+++ ipsec-tools-cvs-HEAD/src/racoon/isakmp.c 2011-03-03 18:50:22.000000000 +0200
@@ -468,8 +468,8 @@
 /* Floating ports for NAT-T */
 if (NATT_AVAILABLE(iph1) && ! (iph1->natt_flags & NAT_PORTS_CHANGED) &&
- ((cmpsaddr(iph1->remote, remote) != 0) ||
- (cmpsaddr(iph1->local, local) != 0)))
+ ((cmpsaddr(iph1->remote, remote) != CMPSADDR_MATCH) ||
+ (cmpsaddr(iph1->local, local) != CMPSADDR_MATCH)))
 {
 /* prevent memory leak */
 racoon_free(iph1->remote);
@@ -510,7 +510,7 @@
 #endif
 /* must be same addresses in one stream of a phase at least. */
- if (cmpsaddr(iph1->remote, remote) != 0) {
+ if (cmpsaddr(iph1->remote, remote) != CMPSADDR_MATCH) {
 char *saddr_db, *saddr_act;
 saddr_db = racoon_strdup(saddr2str(iph1->remote));
@@ -636,7 +636,7 @@
 "exchange received.\n");
 return -1;
 }
- if (cmpsaddr(iph1->remote, remote) != 0) {
+ if (cmpsaddr(iph1->remote, remote) != CMPSADDR_MATCH) {
 plog(LLV_WARNING, LOCATION, remote, "remote address mismatched. " "db=%s\n",
@@ -3322,10 +3322,10 @@
 * Select only SAs where src == local and dst == remote (outgoing)
 * or src == remote and dst == local (incoming).
 */
- if ((cmpsaddr(iph1->local, src) ||
- cmpsaddr(iph1->remote, dst)) &&
- (cmpsaddr(iph1->local, dst) ||
- cmpsaddr(iph1->remote, src))) {
+ if ((cmpsaddr(iph1->local, src) != CMPSADDR_MATCH ||
+ cmpsaddr(iph1->remote, dst) != CMPSADDR_MATCH) &&
+ (cmpsaddr(iph1->local, dst) != CMPSADDR_MATCH ||
+ cmpsaddr(iph1->remote, src) != CMPSADDR_MATCH)) {
 msg = next;
 continue;
 }
Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp_inf.c
===================================================================
--- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp_inf.c 2011-03-03 17:54:34.000000000 +0200
+++ ipsec-tools-cvs-HEAD/src/racoon/isakmp_inf.c 2011-03-03 18:51:05.000000000 +0200
@@ -1177,7 +1177,7 @@
 /* don't delete inbound SAs at the moment */
 /* XXX should we remove SAs with opposite direction as well? */
- if (cmpsaddr(dst0, dst)) {
+ if (cmpsaddr(dst0, dst) != CMPSADDR_MATCH) {
 msg = next;
 continue;
 }
@@ -1355,10 +1355,10 @@
 * ports. Correct thing to do is delete all entries with
 * same identity. -TT
 */
- if ((cmpsaddr(iph1->local, src) != 0 ||
- cmpsaddr(iph1->remote, dst) != 0) &&
- (cmpsaddr(iph1->local, dst) != 0 ||
- cmpsaddr(iph1->remote, src) != 0))
+ if ((cmpsaddr(iph1->local, src) != CMPSADDR_MATCH ||
+ cmpsaddr(iph1->remote, dst) != CMPSADDR_MATCH) &&
+ (cmpsaddr(iph1->local, dst) != CMPSADDR_MATCH ||
+ cmpsaddr(iph1->remote, src) != CMPSADDR_MATCH))
 continue;
 /*
Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp_quick.c
===================================================================
--- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp_quick.c 2011-03-03 17:54:34.000000000 +0200
+++ ipsec-tools-cvs-HEAD/src/racoon/isakmp_quick.c 2011-03-03 18:51:48.000000000 +0200
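Review bot: The four-way endpoint test in the `@@ -3322` hunk of isakmp.c and the `@@ -1355` hunk of isakmp_inf.c is the same predicate written twice, and the removed side shows the copies had already drifted (bare truthiness in one, `!= 0` in the other), so this patch has to rewrite eight lines to keep them in step. A small helper next to cmpsaddr() that answers "does {src,dst} equal {local,remote} in either direction" would reduce both sites to one `if` and would carry the `CMPSADDR_MATCH` strictness in a single place. Both `if` statements sit in functions that begin before their hunks.
```c
/* Constructed helper, proposed for sockmisc.c: non-zero when (src,dst) equals
 * (local,remote) or (remote,local) with exact port match. */
int
saddr_pair_match(const struct sockaddr *local, const struct sockaddr *remote,
    const struct sockaddr *src, const struct sockaddr *dst)
{
	if (cmpsaddr(local, src) == CMPSADDR_MATCH &&
	    cmpsaddr(remote, dst) == CMPSADDR_MATCH)
		return 1;
	return cmpsaddr(local, dst) == CMPSADDR_MATCH &&
	    cmpsaddr(remote, src) == CMPSADDR_MATCH;
}

/* … unchanged: SA walk in isakmp.c @@ -3322 … */
	if (!saddr_pair_match(iph1->local, iph1->remote, src, dst)) {
/* … unchanged: msg = next; continue; … */
```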
@@ -629,7 +629,7 @@
 #endif
 if (cmpsaddr((struct sockaddr *) &proposed_addr,
- (struct sockaddr *) &got_addr) == 0) {
+ (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) {
 plog(LLV_DEBUG, LOCATION, NULL, "IDci matches proposal.\n");
 #ifdef ENABLE_NATT
@@ -677,13 +677,13 @@
 #endif
 if (cmpsaddr((struct sockaddr *) &proposed_addr,
- (struct sockaddr *) &got_addr) == 0) {
+ (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) {
 plog(LLV_DEBUG, LOCATION, NULL, "IDcr matches proposal.\n");
 #ifdef ENABLE_NATT
 } else if (iph2->natoa_dst != NULL && cmpsaddr(iph2->natoa_dst,
- (struct sockaddr *) &got_addr) == 0) {
+ (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) {
 plog(LLV_DEBUG, LOCATION, NULL, "IDcr matches NAT-OAr.\n");
 #endif
Index: ipsec-tools-cvs-HEAD/src/racoon/nattraversal.c
===================================================================
--- ipsec-tools-cvs-HEAD.orig/src/racoon/nattraversal.c 2011-03-03 17:54:34.000000000 +0200
+++ ipsec-tools-cvs-HEAD/src/racoon/nattraversal.c 2011-03-03 18:52:20.000000000 +0200
@@ -398,8 +398,8 @@
 struct natt_ka_addrs *ka = NULL, *new_addr;
 TAILQ_FOREACH (ka, &ka_tree, chain) {
- if (cmpsaddr(ka->src, src) == 0 &&
- cmpsaddr(ka->dst, dst) == 0) {
+ if (cmpsaddr(ka->src, src) == CMPSADDR_MATCH &&
+ cmpsaddr(ka->dst, dst) == CMPSADDR_MATCH) {
 ka->in_use++;
 plog (LLV_INFO, LOCATION, NULL, "KA found: %s (in_use=%u)\n", saddr2str_fromto("%s->%s", src, dst), ka->in_use);
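Review bot: The `IDci matches proposal` and `IDcr matches proposal` tests in the `@@ -629` and `@@ -677` hunks now require `== CMPSADDR_MATCH`, so an ID payload or proposal whose port is `IPSEC_PORT_ANY`, which compared equal under the old `== 0`, no longer takes the matching branch. Tightening a comparison on a peer-supplied ID is the safer direction, but since the rest of the patch deliberately keeps `<= CMPSADDR_WILDPORT_MATCH` where wildcard ports are legitimate, the intent should be stated: either a comment above the first `if (cmpsaddr(` such as `/* ID ports must match the proposal exactly; a wildcard port is not accepted */`, or `<= CMPSADDR_WILDPORT_MATCH` if wildcard ports are valid in these IDs. The nattraversal.c `@@ -398` hunk on this line is consistent with the KA removal at `@@ -462` and raises nothing. Both quick-mode functions start before their hunks.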
@@ -462,8 +462,8 @@
 plog (LLV_DEBUG, LOCATION, NULL, "KA tree dump: %s (in_use=%u)\n", saddr2str_fromto("%s->%s", src, dst), ka->in_use);
- if (cmpsaddr(ka->src, src) == 0 &&
- cmpsaddr(ka->dst, dst) == 0 &&
+ if (cmpsaddr(ka->src, src) == CMPSADDR_MATCH &&
+ cmpsaddr(ka->dst, dst) == CMPSADDR_MATCH &&
 -- ka->in_use <= 0) {
 plog (LLV_DEBUG, LOCATION, NULL, "KA removing this one...\n");
Index: ipsec-tools-cvs-HEAD/src/racoon/pfkey.c
===================================================================
--- ipsec-tools-cvs-HEAD.orig/src/racoon/pfkey.c 2011-03-03 17:54:34.000000000 +0200
+++ ipsec-tools-cvs-HEAD/src/racoon/pfkey.c 2011-03-03 18:52:50.000000000 +0200
@@ -2882,8 +2882,8 @@
 u_int16_t port;
 /* Already up-to-date? */
- if (cmpsaddr(iph1->local, ma->local) == 0 &&
- cmpsaddr(iph1->remote, ma->remote) == 0)
+ if (cmpsaddr(iph1->local, ma->local) == CMPSADDR_MATCH &&
+ cmpsaddr(iph1->remote, ma->remote) == CMPSADDR_MATCH)
 return 0;
 if (iph1->status < PHASE1ST_ESTABLISHED) {
@@ -2983,8 +2983,8 @@
 migrate_ph1_ike_addresses(iph2->ph1, arg);
 /* Already up-to-date? */
- if (cmpsaddr(iph2->src, ma->local) == 0 &&
- cmpsaddr(iph2->dst, ma->remote) == 0)
+ if (cmpsaddr(iph2->src, ma->local) == CMPSADDR_MATCH &&
+ cmpsaddr(iph2->dst, ma->remote) == CMPSADDR_MATCH)
 return 0;
 /* save src/dst as sa_src/sa_dst before rewriting */
@@ -3207,8 +3207,8 @@
 "changing address families (%d to %d) for endpoints.\n", osaddr->sa_family, nsaddr->sa_family);
- if (cmpsaddr(osaddr, (struct sockaddr *) &saidx->src) ||
- cmpsaddr(odaddr, (struct sockaddr *) &saidx->dst)) {
+ if (cmpsaddr(osaddr, (struct sockaddr *) &saidx->src) != CMPSADDR_MATCH ||
+ cmpsaddr(odaddr, (struct sockaddr *) &saidx->dst) != CMPSADDR_MATCH) {
 plog(LLV_DEBUG, LOCATION, NULL, "SADB_X_MIGRATE: " "mismatch of addresses in saidx and xisr.\n");
 return -1;
Index: ipsec-tools-cvs-HEAD/src/racoon/policy.c
===================================================================
--- ipsec-tools-cvs-HEAD.orig/src/racoon/policy.c 2011-03-03 17:54:34.000000000 +0200
+++ ipsec-tools-cvs-HEAD/src/racoon/policy.c 2011-03-03 19:09:42.000000000 +0200
@@ -142,7 +142,7 @@
 plog(LLV_DEBUG, LOCATION, NULL, "src2: %s\n", saddr2str((struct sockaddr *)&spidx->src));
- if (cmpsaddr(iph2->src, (struct sockaddr *) &spidx->src) ||
+ if (cmpsaddr(iph2->src, (struct sockaddr *) &spidx->src) != CMPSADDR_MATCH ||
 spidx->prefs != prefixlen)
 return NULL;
@@ -151,7 +151,7 @@
 plog(LLV_DEBUG, LOCATION, NULL, "dst2: %s\n", saddr2str((struct sockaddr *)&spidx->dst));
- if (cmpsaddr(iph2->dst, (struct sockaddr *) &spidx->dst) ||
+ if (cmpsaddr(iph2->dst, (struct sockaddr *) &spidx->dst) != CMPSADDR_MATCH ||
 spidx->prefd != prefixlen)
 return NULL;
@@ -201,10 +201,10 @@
 return 1;
 if (cmpsaddr((struct sockaddr *) &a->src,
- (struct sockaddr *) &b->src))
+ (struct sockaddr *) &b->src) != CMPSADDR_MATCH)
 return 1;
 if (cmpsaddr((struct sockaddr *) &a->dst,
- (struct sockaddr *) &b->dst))
+ (struct sockaddr *) &b->dst) != CMPSADDR_MATCH)
 return 1;
 #ifdef HAVE_SECCTX
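Review bot: In the policy.c `@@ -142` and `@@ -151` hunks the comparison of `iph2->src`/`iph2->dst` against `spidx->src`/`spidx->dst` becomes `!= CMPSADDR_MATCH`, which now returns NULL for a policy index whose port is `IPSEC_PORT_ANY`; the old `== 0` test accepted that case. If an spidx here may carry a wildcard port, as policy indices commonly do, these two lines should use `> CMPSADDR_WILDPORT_MATCH` instead, matching the masked comparisons at `@@ -261` and `@@ -279` on the next line which keep wildcard tolerance; if the port is always concrete at this point, a comment saying so should accompany the tightening. The `@@ -201` hunk reads as an exact-equality comparator and `!= CMPSADDR_MATCH` is right there, as it is for the saidx check in the pfkey.c `@@ -3207` hunk. The enclosing functions start outside their hunks.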
@@ -261,7 +261,7 @@
 a, b->prefs, saddr2str((struct sockaddr *)&sa1));
 plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n", b, b->prefs, saddr2str((struct sockaddr *)&sa2));
- if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
+ if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2) > CMPSADDR_WILDPORT_MATCH)
 return 1;
 #ifndef __linux__
@@ -279,7 +279,7 @@
 a, b->prefd, saddr2str((struct sockaddr *)&sa1));
 plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n", b, b->prefd, saddr2str((struct sockaddr *)&sa2));
- if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
+ if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2) > CMPSADDR_WILDPORT_MATCH)
 return 1;
 #ifdef HAVE_SECCTX
Index: ipsec-tools-cvs-HEAD/src/racoon/sockmisc.c
===================================================================
--- ipsec-tools-cvs-HEAD.orig/src/racoon/sockmisc.c 2011-03-03 17:54:35.000000000 +0200
+++ ipsec-tools-cvs-HEAD/src/racoon/sockmisc.c 2011-03-03 18:55:01.000000000 +0200
@@ -132,11 +132,13 @@
 return CMPSADDR_MISMATCH;
 }
- if (port1 == port2 ||
- port1 == IPSEC_PORT_ANY ||
- port2 == IPSEC_PORT_ANY)
+ if (port1 == port2)
 return CMPSADDR_MATCH;
+ if (port1 == IPSEC_PORT_ANY ||
+ port2 == IPSEC_PORT_ANY)
+ return CMPSADDR_WILDPORT_MATCH;
+
 return CMPSADDR_WOP_MATCH;
 }
@@ -934,7 +936,7 @@
 free(a2);
 free(a3);
 }
- if (cmpsaddr(&sa, &naddr->sa.sa) == 0)
+ if (cmpsaddr(&sa, &naddr->sa.sa) <= CMPSADDR_WOP_MATCH)
 return naddr->prefix + port_score;
 return -1;
Index: ipsec-tools-cvs-HEAD/src/racoon/sockmisc.h
===================================================================
--- ipsec-tools-cvs-HEAD.orig/src/racoon/sockmisc.h 2011-03-03 17:54:35.000000000 +0200
+++ ipsec-tools-cvs-HEAD/src/racoon/sockmisc.h 2011-03-03 18:40:30.000000000 +0200
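Review bot: With `if (port1 == port2)` tested first in the sockmisc.c `@@ -132` hunk, two addresses that both carry `IPSEC_PORT_ANY` return `CMPSADDR_MATCH` rather than `CMPSADDR_WILDPORT_MATCH`, so the "exact match" result does not guarantee a concrete port on either side, and every `== CMPSADDR_MATCH` caller introduced by this patch inherits that. If that is intended, say so above the first `if`: `/* two wildcard ports compare as an exact match */`; if not, test the `IPSEC_PORT_ANY` case before the equality. The results are also only meaningful as an ordered scale, since callers compare with `<=` and `>`, and the function's header comment, which lies outside this hunk, should state that ordering. cmpsaddr begins before this hunk.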
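Review bot: The `naddr->prefix + port_score` lookup in the sockmisc.c `@@ -934` hunk widens from exact-or-wildcard to `<= CMPSADDR_WOP_MATCH`, so an address that matches with a different concrete port now scores as a hit where the old `== 0` rejected it; apart from throttle.c this is the only place the patch loosens a match. Presumably the port is meant to be weighed through `port_score` rather than filtered here, but that is not visible from the hunk, so a comment should record it: `/* ports are weighed via port_score, not filtered: any address match qualifies */`. The enclosing function starts before this hunk.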
@@ -57,8 +57,9 @@
 extern const int niflags;
 #define CMPSADDR_MATCH 0
-#define CMPSADDR_WOP_MATCH 1
-#define CMPSADDR_MISMATCH 2
+#define CMPSADDR_WILDPORT_MATCH 1
+#define CMPSADDR_WOP_MATCH 2
+#define CMPSADDR_MISMATCH 3
 extern int cmpsaddr __P((const struct sockaddr *, const struct sockaddr *));
Index: ipsec-tools-cvs-HEAD/src/racoon/throttle.c
===================================================================
--- ipsec-tools-cvs-HEAD.orig/src/racoon/throttle.c 2011-03-03 17:54:35.000000000 +0200
+++ ipsec-tools-cvs-HEAD/src/racoon/throttle.c 2011-03-03 18:55:31.000000000 +0200
@@ -104,7 +104,7 @@
 goto restart;
 }
- if (cmpsaddr(addr, (struct sockaddr *) &te->host) == 0) {
+ if (cmpsaddr(addr, (struct sockaddr *) &te->host) <= CMPSADDR_WOP_MATCH) {
 found = 1;
 break;
 }
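Review bot: The sockmisc.h `@@ -57` hunk renumbers `CMPSADDR_WOP_MATCH` from 1 to 2 and `CMPSADDR_MISMATCH` from 2 to 3, so any caller not touched by this patch that stores a cmpsaddr() result or tests it against a literal or as a boolean keeps compiling with changed meaning; the remaining `cmpsaddr(` call sites should be checked for bare `== 0`, `!= 0` or truthiness before this lands. The callers now also depend on the values forming an ordered scale (`<= CMPSADDR_WILDPORT_MATCH`, `> CMPSADDR_WILDPORT_MATCH`, `<= CMPSADDR_WOP_MATCH`), which nothing in the header states; a comment above the defines such as `/* cmpsaddr() results, ordered from exact match to mismatch so callers may compare relationally */` would make that contract explicit, and turning the four values into an enum would let the compiler see the relationship. The `__P` prototype itself needs no change.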
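Review bot: The lookup in the throttle.c `@@ -104` hunk now accepts `<= CMPSADDR_WOP_MATCH`, so a `te->host` entry matches a peer regardless of its source port, whereas under the old `== 0` a peer arriving from a different port fell through to a new entry. Matching per host is presumably the purpose of this table and removes an easy way around it, but it is one of only two places where the patch loosens a comparison, so the decision should be recorded above the `if`: `/* throttle per host: the peer's source port is deliberately ignored */`. The enclosing function begins before this hunk.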