summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLeonardo Arena <rnalrd@gmail.com>2009-08-21 13:06:45 +0000
committerLeonardo Arena <rnalrd@gmail.com>2009-08-21 13:06:45 +0000
commit4f53083405e28b13463689bc983289d477b0ea35 (patch)
tree6c45f49828831c4c2208f1a110251a4292c5efdd
parent7770bb9c6c8f6df6af03b0a71227daf637281498 (diff)
parentc95c7923ee7150cc152ab8ed72544eded4cfdff4 (diff)
downloadaports-4f53083405e28b13463689bc983289d477b0ea35.tar.bz2
aports-4f53083405e28b13463689bc983289d477b0ea35.tar.xz
Merge branch 'master' of git://dev.alpinelinux.org/aports
-rw-r--r--main/busybox/0001-add-simple-beep-applet-second-version.patch (renamed from main/busybox/0001-add-simple-beep-applet.patch)93
-rw-r--r--main/busybox/APKBUILD6
-rw-r--r--main/dansguardian/APKBUILD12
-rw-r--r--main/dansguardian/dansguardian.logrotate15
-rw-r--r--main/e2fsprogs/APKBUILD3
-rw-r--r--main/e2fsprogs/e2fsprogs.post-upgrade4
-rw-r--r--main/imagemagick/APKBUILD6
-rw-r--r--main/ipsec-tools/00-verify-cert-leak.patch11
-rw-r--r--main/ipsec-tools/10-rekey-ph1hint.patch1227
-rw-r--r--main/ipsec-tools/20-natoa-fix.patch33
-rw-r--r--main/ipsec-tools/30-natt-ports-cleanup.patch393
-rw-r--r--main/ipsec-tools/40-cmpsaddr-cleanup.patch1403
-rw-r--r--main/ipsec-tools/50-reverse-connect.patch4
-rw-r--r--main/ipsec-tools/APKBUILD20
-rw-r--r--main/nmap/APKBUILD18
-rw-r--r--main/perl-archive-zip/APKBUILD4
-rw-r--r--main/perl-html-parser/APKBUILD4
-rw-r--r--main/sudo/APKBUILD9
-rw-r--r--main/tiff/APKBUILD31
-rw-r--r--main/tiff/CVE-2006-3459-3465.patch669
-rw-r--r--main/tiff/libtiff-CVE-2009-2285.patch22
-rw-r--r--main/tiff/tiff-3.8.2-CVE-2008-2327.patch64
-rw-r--r--main/tiff/tiff-3.8.2-CVE-2009-2347.patch170
-rw-r--r--main/tiff/tiff2pdf-compression.patch44
-rw-r--r--main/tiff/tiff2pdf-octal-printf.patch11
-rw-r--r--main/tiff/tiffsplit-fname-overflow.patch19
-rw-r--r--main/uclibc++/001-path_to_make.patch30
-rw-r--r--main/uclibc++/002-no_bash.patch12
-rw-r--r--main/uclibc++/003-cp_command.patch19
-rw-r--r--main/uclibc++/004-ccache_fixes.patch24
-rw-r--r--main/uclibc++/005-wrapper.patch12
-rw-r--r--main/uclibc++/006-eabi_fix.patch42
-rw-r--r--main/uclibc++/007-numeric_limits.patch66
-rw-r--r--main/uclibc++/008-integer_width.patch314
-rw-r--r--main/uclibc++/900-dependent_exception.patch68
-rw-r--r--main/uclibc++/APKBUILD22
-rw-r--r--main/vim/APKBUILD26
-rw-r--r--main/xdelta3/APKBUILD27
-rw-r--r--main/xdelta3/xdelta3-makefile.patch33
-rw-r--r--main/xdelta3/xdelta3-xz.patch12
-rw-r--r--testing/device-mapper/APKBUILD26
-rw-r--r--x11/geany/APKBUILD24
-rw-r--r--x11/qemu/APKBUILD42
-rw-r--r--x11/qemu/qemu-0.10.3-nopl-fix.patch32
-rw-r--r--x11/qemu/qemu.pre-install3
-rw-r--r--x11/sdl/APKBUILD3
46 files changed, 3182 insertions, 1950 deletions
diff --git a/main/busybox/0001-add-simple-beep-applet.patch b/main/busybox/0001-add-simple-beep-applet-second-version.patch
index 004d60791..834026fa3 100644
--- a/main/busybox/0001-add-simple-beep-applet.patch
+++ b/main/busybox/0001-add-simple-beep-applet-second-version.patch
@@ -1,16 +1,16 @@
-From 23c387cd9d1c833679bee898ef49738be8c64727 Mon Sep 17 00:00:00 2001
+From b36908b21def4916b10c62ae3e28cacb9073556e Mon Sep 17 00:00:00 2001
From: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
Date: Tue, 18 Aug 2009 22:28:09 +0200
-Subject: [PATCH] add simple beep applet
+Subject: [PATCH] add simple beep applet, second version
Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
---
include/applets.h | 1 +
- include/usage.h | 9 ++++++
- miscutils/Config.in | 6 ++++
+ include/usage.h | 9 +++++
+ miscutils/Config.in | 6 +++
miscutils/Kbuild | 1 +
- miscutils/beep.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++
- 5 files changed, 87 insertions(+), 0 deletions(-)
+ miscutils/beep.c | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 118 insertions(+), 0 deletions(-)
create mode 100644 miscutils/beep.c
diff --git a/include/applets.h b/include/applets.h
@@ -76,10 +76,10 @@ index 23d7d8d..8cf3406 100644
lib-$(CONFIG_CROND) += crond.o
diff --git a/miscutils/beep.c b/miscutils/beep.c
new file mode 100644
-index 0000000..4c25454
+index 0000000..81755d8
--- /dev/null
+++ b/miscutils/beep.c
-@@ -0,0 +1,70 @@
+@@ -0,0 +1,101 @@
+/* vi: set sw=4 ts=4: */
+/*
+ * beep implementation for busybox
@@ -106,38 +106,67 @@ index 0000000..4c25454
+#define LENGTH (50)
+#define DELAY (0)
+#define REPETITIONS (1)
++#if 0
++typedef struct beep {
++ struct beep *next;
++ unsigned freq, length, delay, rep;
++} beep_t;
++static beep_t* new_beep(void) {
++ beep_t *beep = (beep_t*)xzalloc(sizeof(beep_t));
++ beep->freq = FREQ;
++ beep->length = LENGTH;
++ beep->delay = DELAY;
++ beep->rep = REPETITIONS;
++ return beep;
++}
++#endif
++#define GET_ARG do { if (!*++opt) opt = *++argv; } while (0)
++#define NEW_BEEP() { \
++ freq = FREQ; \
++ length = LENGTH; \
++ delay = DELAY; \
++ rep = REPETITIONS; \
++ }
++
+int beep_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
+int beep_main(int argc UNUSED_PARAM, char **argv)
+{
+ int speaker = get_console_fd_or_die();
-+ llist_t *_freq = NULL, *_length = NULL, *_delay = NULL, *_rep = NULL;
+ unsigned freq, length, delay, rep;
+ unsigned long ioctl_arg;
-+ unsigned opt;
+
-+ opt_complementary = "f::l::d::r::";
-+ opt = getopt32(argv, "f:l:d:r:n", &_freq, &_length, &_delay, &_rep);
++ NEW_BEEP()
++ while (*++argv) {
++ char *opt = *argv;
+
-+ do {
-+ if (opt & OPT_f && _freq)
-+ freq = xatoul((char*)(llist_pop(&_freq)));
-+ else
-+ freq = FREQ;
-+ if (opt & OPT_l && _length)
-+ length = xatoul((char*)(llist_pop(&_length)));
-+ else
-+ length = LENGTH;
-+ if (opt & OPT_d && _delay)
-+ delay = xatoul((char*)(llist_pop(&_delay)));
-+ else
-+ delay = DELAY;
-+ if (opt & OPT_r && _rep)
-+ rep = xatoul((char*)(llist_pop(&_rep)));
-+ else
-+ rep = REPETITIONS;
++ while (*opt == '-')
++ ++opt;
+
++ switch (*opt) {
++ case 'f':
++ GET_ARG;
++ freq = xatoul(opt);
++ continue;
++ case 'l':
++ GET_ARG;
++ length = xatoul(opt);
++ continue;
++ case 'd':
++ GET_ARG;
++ delay = xatoul(opt);
++ continue;
++ case 'r':
++ GET_ARG;
++ freq = xatoul(opt);
++ continue;
++ case 'n':
++ break;
++ default:
++ bb_show_usage();
++ break;
++ }
+ while (rep) {
-+//bb_info_msg("rep[%d] freq=%d, length=%d, delay=%d\n", rep, freq, length, delay);
++//bb_info_msg("rep[%d] freq=%d, length=%d, delay=%d", rep, freq, length, delay);
+ ioctl_arg = (int)(CLOCK_TICK_RATE/freq);
+ xioctl(speaker, KIOCSOUND, (void*)ioctl_arg);
+ usleep(1000 * length);
@@ -145,7 +174,9 @@ index 0000000..4c25454
+ if (rep--)
+ usleep(delay);
+ }
-+ } while (_freq || _length || _delay || _rep);
++ if (opt && *opt == 'n')
++ NEW_BEEP()
++ }
+ if (ENABLE_FEATURE_CLEAN_UP)
+ close(speaker);
+ return EXIT_SUCCESS;
diff --git a/main/busybox/APKBUILD b/main/busybox/APKBUILD
index dc3cee488..0bf896cc1 100644
--- a/main/busybox/APKBUILD
+++ b/main/busybox/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=busybox
pkgver=1.14.3
-pkgrel=5
+pkgrel=6
pkgdesc="Size optimized toolbox of many common UNIX utilities"
url=http://busybox.net
license="GPL-2"
@@ -11,7 +11,7 @@ triggers="busybox.trigger:/bin /usr/bin /sbin /usr/sbin /lib/modules/*"
source="http://busybox.net/downloads/$pkgname-$pkgver.tar.bz2
$pkgname-1.11.1-bb.patch
0001-install-compat-fix-for-mode-of-created-files.patch
- 0001-add-simple-beep-applet.patch
+ 0001-add-simple-beep-applet-second-version.patch
bb-tar-numeric-owner.patch
busybox-sed-3.patch
busyboxconfig"
@@ -49,7 +49,7 @@ build() {
md5sums="d170bf5f97a41aec3a505eab690d5699 busybox-1.14.3.tar.bz2
4c0f3b486eaa0674961b7ddcd0c60a9b busybox-1.11.1-bb.patch
73d39c57483084298c7e46bdbbbea8d1 0001-install-compat-fix-for-mode-of-created-files.patch
-ba66abc89c56df842c9b81759c78d890 0001-add-simple-beep-applet.patch
+3ba0529f64aadae6ce95c683e6182988 0001-add-simple-beep-applet-second-version.patch
0b5b2d7db201f90cd08f4a3164ee29a1 bb-tar-numeric-owner.patch
b75c3f419f8392dfdadd92aa24fdba8c busybox-sed-3.patch
3ece68eb92d97f3362dab7d838074d10 busyboxconfig"
diff --git a/main/dansguardian/APKBUILD b/main/dansguardian/APKBUILD
index 7bfc32814..8e15b043c 100644
--- a/main/dansguardian/APKBUILD
+++ b/main/dansguardian/APKBUILD
@@ -2,22 +2,22 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=dansguardian
pkgver=2.10.1.1
-pkgrel=0
+pkgrel=1
pkgdesc="Web content filter"
url="http://dansguardian.org"
license="GPL"
-depends=
+depends="logrotate"
makedepends="zlib-dev uclibc++-dev pcre-dev pkgconfig libiconv-dev"
install="$pkgname.pre-install $pkgname.post-install"
subpackages="$pkgname-doc"
source="http://dansguardian.org/downloads/2/Stable/$pkgname-$pkgver.tar.gz
dansguardian.initd
- $install
+ dansguardian.logrotate
"
build() {
cd "$srcdir/$pkgname-$pkgver"
- export CXX=g++-uc
+ export CXX=${CXX_UC:-g++-uc}
./configure --prefix=/usr \
--sysconfdir=/etc \
@@ -32,9 +32,9 @@ build() {
make DESTDIR="$pkgdir" install
install -D -m 755 ../dansguardian.initd "$pkgdir"/etc/init.d/dansguardian
+ install -D -m 644 ../dansguardian.logrotate "$pkgdir"/etc/logrotate.d/dansguardian
}
md5sums="0987a1c9bfbdf398118386f10279611a dansguardian-2.10.1.1.tar.gz
0c04f74cd5db9fc7a8e80b407ec34214 dansguardian.initd
-ab4e1104633aad0595a8b530fceb810a dansguardian.pre-install
-e3dcc0f51e44f15a2ff152ac338999d1 dansguardian.post-install"
+85b6de01c9508e8ceff5ebb55752f8d3 dansguardian.logrotate"
diff --git a/main/dansguardian/dansguardian.logrotate b/main/dansguardian/dansguardian.logrotate
new file mode 100644
index 000000000..001d95545
--- /dev/null
+++ b/main/dansguardian/dansguardian.logrotate
@@ -0,0 +1,15 @@
+/var/log/dansguardian/*.log {
+ rotate 4
+ weekly
+ missingok
+ notifempty
+ nocreate
+ nocopy
+ nocopytruncate
+ compress
+
+ postrotate
+ /usr/sbin/dansguardian -r
+ endscript
+}
+
diff --git a/main/e2fsprogs/APKBUILD b/main/e2fsprogs/APKBUILD
index 41ad9a0bd..12cb2ffe5 100644
--- a/main/e2fsprogs/APKBUILD
+++ b/main/e2fsprogs/APKBUILD
@@ -1,11 +1,12 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=e2fsprogs
pkgver=1.41.8
-pkgrel=1
+pkgrel=2
pkgdesc="Standard Ext2/3/4 filesystem utilities"
url="http://e2fsprogs.sourceforge.net"
license="GPL LGPL MIT"
depends=
+install="$pkgname.post-upgrade"
makedepends="util-linux-ng-dev pkgconfig"
subpackages="$pkgname-dev $pkgname-doc libcom_err"
source="http://downloads.sourceforge.net/sourceforge/e2fsprogs/e2fsprogs-$pkgver.tar.gz"
diff --git a/main/e2fsprogs/e2fsprogs.post-upgrade b/main/e2fsprogs/e2fsprogs.post-upgrade
new file mode 100644
index 000000000..d7062db5a
--- /dev/null
+++ b/main/e2fsprogs/e2fsprogs.post-upgrade
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+# we no longer provide fsck. restore bb link.
+busybox --install -s
diff --git a/main/imagemagick/APKBUILD b/main/imagemagick/APKBUILD
index 183b1e82c..1f25eb39d 100644
--- a/main/imagemagick/APKBUILD
+++ b/main/imagemagick/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: Carlo Landmeter <clandmeter@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=imagemagick
-pkgver=6.5.3.10
-_pkgver=6.5.3-10
+pkgver=6.5.4.10
+_pkgver=6.5.4-10
pkgrel=0
pkgdesc="A collection of tools and libraries for many image formats"
url="http://www.imagemagick.org/"
@@ -32,4 +32,4 @@ build() {
}
-md5sums="d33621ea195792aeeec79900e7d1e395 ImageMagick-6.5.3-10.tar.gz"
+md5sums="3b0c0082cf29103b4868c674d73e918d ImageMagick-6.5.4-10.tar.gz"
diff --git a/main/ipsec-tools/00-verify-cert-leak.patch b/main/ipsec-tools/00-verify-cert-leak.patch
deleted file mode 100644
index 9e6781335..000000000
--- a/main/ipsec-tools/00-verify-cert-leak.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/src/racoon/crypto_openssl.c 20 Apr 2009 13:22:41 -0000 1.18
-+++ b/src/racoon/crypto_openssl.c 29 Apr 2009 10:48:51 -0000
-@@ -510,7 +510,7 @@
- X509_STORE_CTX_set_flags (csc, X509_V_FLAG_CRL_CHECK_ALL);
- #endif
- error = X509_verify_cert(csc);
-- X509_STORE_CTX_cleanup(csc);
-+ X509_STORE_CTX_free(csc);
-
- /*
- * if x509_verify_cert() is successful then the value of error is
diff --git a/main/ipsec-tools/10-rekey-ph1hint.patch b/main/ipsec-tools/10-rekey-ph1hint.patch
new file mode 100644
index 000000000..773d60901
--- /dev/null
+++ b/main/ipsec-tools/10-rekey-ph1hint.patch
@@ -0,0 +1,1227 @@
+? .msg
+? ChangeLog
+? alpine-config
+? commiters.txt
+? fd-unmonitor-segv-fix.patch
+? natt-and-cmpsaddr.patch
+? racoon.txt
+? rekeying-fixes.diff
+? rpm/Makefile
+? rpm/Makefile.in
+? rpm/ipsec-tools.spec
+? rpm/suse/Makefile
+? rpm/suse/Makefile.in
+? rpm/suse/ipsec-tools.spec
+? src/Makefile
+? src/Makefile.in
+? src/include-glibc/.includes
+? src/include-glibc/Makefile
+? src/include-glibc/Makefile.in
+? src/libipsec/.deps
+? src/libipsec/.libs
+? src/libipsec/Makefile
+? src/libipsec/Makefile.in
+? src/libipsec/ipsec_dump_policy.lo
+? src/libipsec/ipsec_get_policylen.lo
+? src/libipsec/ipsec_strerror.lo
+? src/libipsec/key_debug.lo
+? src/libipsec/libipsec.la
+? src/libipsec/pfkey.lo
+? src/libipsec/pfkey_dump.lo
+? src/libipsec/policy_parse.c
+? src/libipsec/policy_parse.h
+? src/libipsec/policy_parse.lo
+? src/libipsec/policy_token.c
+? src/libipsec/policy_token.lo
+? src/racoon/.deps
+? src/racoon/.libs
+? src/racoon/Makefile
+? src/racoon/Makefile.in
+? src/racoon/cfparse.c
+? src/racoon/cfparse.h
+? src/racoon/cftoken.c
+? src/racoon/eaytest
+? src/racoon/libracoon.la
+? src/racoon/libracoon_la-kmpstat.lo
+? src/racoon/libracoon_la-misc.lo
+? src/racoon/libracoon_la-sockmisc.lo
+? src/racoon/libracoon_la-vmbuf.lo
+? src/racoon/plainrsa-gen
+? src/racoon/prsa_par.c
+? src/racoon/prsa_par.h
+? src/racoon/prsa_tok.c
+? src/racoon/racoon
+? src/racoon/racoonctl
+? src/racoon/samples/psk.txt
+? src/racoon/samples/racoon.conf
+? src/setkey/.deps
+? src/setkey/.libs
+? src/setkey/Makefile
+? src/setkey/Makefile.in
+? src/setkey/parse.c
+? src/setkey/parse.h
+? src/setkey/setkey
+? src/setkey/token.c
+Index: src/racoon/admin.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/admin.c,v
+retrieving revision 1.31
+diff -u -r1.31 admin.c
+--- a/src/racoon/admin.c 3 Jul 2009 06:41:46 -0000 1.31
++++ b/src/racoon/admin.c 19 Aug 2009 14:35:06 -0000
+@@ -5,7 +5,7 @@
+ /*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+- *
++ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+@@ -17,7 +17,7 @@
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+- *
++ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+@@ -341,7 +341,7 @@
+ user[len] = 0;
+
+ found = purgeph1bylogin(user);
+- plog(LLV_INFO, LOCATION, NULL,
++ plog(LLV_INFO, LOCATION, NULL,
+ "deleted %d SA for user \"%s\"\n", found, user);
+
+ break;
+@@ -360,7 +360,7 @@
+ rem = racoon_strdup(saddrwop2str(dst));
+ STRDUP_FATAL(rem);
+
+- plog(LLV_INFO, LOCATION, NULL,
++ plog(LLV_INFO, LOCATION, NULL,
+ "Flushing all SAs for peer %s\n", rem);
+
+ while ((iph1 = getph1bydstaddr(dst)) != NULL) {
+@@ -373,7 +373,7 @@
+
+ racoon_free(loc);
+ }
+-
++
+ racoon_free(rem);
+ break;
+ }
+@@ -383,14 +383,14 @@
+ char *data;
+
+ acp = (struct admin_com_psk *)
+- ((char *)com + sizeof(*com) +
++ ((char *)com + sizeof(*com) +
+ sizeof(struct admin_com_indexes));
+
+ idtype = acp->id_type;
+
+ if ((id = vmalloc(acp->id_len)) == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+- "cannot allocate memory: %s\n",
++ "cannot allocate memory: %s\n",
+ strerror(errno));
+ break;
+ }
+@@ -399,7 +399,7 @@
+
+ if ((key = vmalloc(acp->key_len)) == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+- "cannot allocate memory: %s\n",
++ "cannot allocate memory: %s\n",
+ strerror(errno));
+ vfree(id);
+ id = NULL;
+@@ -474,7 +474,7 @@
+ rmconf->xauth->pass = key;
+ }
+ #endif
+-
++
+ plog(LLV_INFO, LOCATION, NULL,
+ "accept a request to establish IKE-SA: "
+ "%s\n", saddrwop2str(dst));
+@@ -577,7 +577,7 @@
+ }
+
+ insph2(iph2);
+- if (isakmp_post_acquire(iph2) < 0) {
++ if (isakmp_post_acquire(iph2, NULL) < 0) {
+ remph2(iph2);
+ delph2(iph2);
+ break;
+@@ -710,17 +710,17 @@
+ }
+
+ if (chown(sunaddr.sun_path, adminsock_owner, adminsock_group) != 0) {
+- plog(LLV_ERROR, LOCATION, NULL,
+- "chown(%s, %d, %d): %s\n",
+- sunaddr.sun_path, adminsock_owner,
++ plog(LLV_ERROR, LOCATION, NULL,
++ "chown(%s, %d, %d): %s\n",
++ sunaddr.sun_path, adminsock_owner,
+ adminsock_group, strerror(errno));
+ (void)close(lcconf->sock_admin);
+ return -1;
+ }
+
+ if (chmod(sunaddr.sun_path, adminsock_mode) != 0) {
+- plog(LLV_ERROR, LOCATION, NULL,
+- "chmod(%s, 0%03o): %s\n",
++ plog(LLV_ERROR, LOCATION, NULL,
++ "chmod(%s, 0%03o): %s\n",
+ sunaddr.sun_path, adminsock_mode, strerror(errno));
+ (void)close(lcconf->sock_admin);
+ return -1;
+Index: src/racoon/handler.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/handler.c,v
+retrieving revision 1.29
+diff -u -r1.29 handler.c
+--- a/src/racoon/handler.c 3 Jul 2009 06:41:46 -0000 1.29
++++ b/src/racoon/handler.c 19 Aug 2009 14:35:06 -0000
+@@ -5,7 +5,7 @@
+ /*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+- *
++ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+@@ -17,7 +17,7 @@
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+- *
++ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+@@ -64,7 +64,7 @@
+ #include "evt.h"
+ #include "isakmp.h"
+ #ifdef ENABLE_HYBRID
+-#include "isakmp_xauth.h"
++#include "isakmp_xauth.h"
+ #include "isakmp_cfg.h"
+ #endif
+ #include "isakmp_inf.h"
+@@ -177,8 +177,8 @@
+ * with phase 2's destinaion.
+ */
+ struct ph1handle *
+-getph1(rmconf, local, remote, flags)
+- struct remoteconf *rmconf;
++getph1(ph1hint, local, remote, flags)
++ struct ph1handle *ph1hint;
+ struct sockaddr *local, *remote;
+ int flags;
+ {
+@@ -202,12 +202,30 @@
+ continue;
+ }
+
+- if (local != NULL && cmpsaddr(local, p->local) != 0)
++ if (local != NULL && cmpsaddr(local, p->local) == CMPSADDR_MISMATCH)
+ continue;
+
+- if (remote != NULL && cmpsaddr(remote, p->remote) != 0)
++ if (remote != NULL && cmpsaddr(remote, p->remote) == CMPSADDR_MISMATCH)
+ continue;
+
++ if (ph1hint != NULL) {
++ if (ph1hint->id && ph1hint->id->l && p->id && p->id->l &&
++ (ph1hint->id->l != p->id->l ||
++ memcmp(ph1hint->id->v, p->id->v, p->id->l) != 0)) {
++ plog(LLV_DEBUG2, LOCATION, NULL,
++ "local identity does match hint\n");
++ continue;
++ }
++ if (ph1hint->id_p && ph1hint->id_p->l &&
++ p->id_p && p->id_p->l &&
++ (ph1hint->id_p->l != p->id_p->l ||
++ memcmp(ph1hint->id_p->v, p->id_p->v, p->id_p->l) != 0)) {
++ plog(LLV_DEBUG2, LOCATION, NULL,
++ "remote identity does match hint\n");
++ continue;
++ }
++ }
++
+ plog(LLV_DEBUG2, LOCATION, NULL, "matched\n");
+ return p;
+ }
+@@ -1155,7 +1173,7 @@
+ }
+
+ #ifdef ENABLE_HYBRID
+-/*
++/*
+ * Retruns 0 if the address was obtained by ISAKMP mode config, 1 otherwise
+ * This should be in isakmp_cfg.c but ph1tree being private, it must be there
+ */
+@@ -1182,7 +1200,7 @@
+
+
+
+-/*
++/*
+ * Reload conf code
+ */
+ static int revalidate_ph2(struct ph2handle *iph2){
+@@ -1192,11 +1210,11 @@
+ struct saprop *approval;
+ struct ph1handle *iph1;
+
+- /*
++ /*
+ * Get the new sainfo using values of the old one
+ */
+ if (iph2->sainfo != NULL) {
+- iph2->sainfo = getsainfo(iph2->sainfo->idsrc,
++ iph2->sainfo = getsainfo(iph2->sainfo->idsrc,
+ iph2->sainfo->iddst, iph2->sainfo->id_i,
+ NULL, iph2->sainfo->remoteid);
+ }
+@@ -1204,7 +1222,7 @@
+ sainfo = iph2->sainfo;
+
+ if (sainfo == NULL) {
+- /*
++ /*
+ * Sainfo has been removed
+ */
+ plog(LLV_DEBUG, LOCATION, NULL,
+@@ -1219,7 +1237,7 @@
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "No approval found !\n");
+ return 0;
+- }
++ }
+
+ /*
+ * Don't care about proposals, should we do something ?
+@@ -1318,7 +1336,7 @@
+ }
+
+ found = 0;
+- for (alg = sainfo->algs[algclass_ipsec_enc];
++ for (alg = sainfo->algs[algclass_ipsec_enc];
+ (found == 0 && alg != NULL); alg = alg->next) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "Reload: next ph2 enc alg...\n");
+@@ -1351,7 +1369,7 @@
+ break;
+
+ default:
+- plog(LLV_ERROR, LOCATION, NULL,
++ plog(LLV_ERROR, LOCATION, NULL,
+ "unexpected check_level\n");
+ continue;
+ break;
+@@ -1375,7 +1393,7 @@
+ }
+
+
+-static void
++static void
+ remove_ph2(struct ph2handle *iph2)
+ {
+ u_int32_t spis[2];
+@@ -1467,7 +1485,7 @@
+ return 1;
+ }
+
+-int
++int
+ revalidate_ph12(void)
+ {
+
+Index: src/racoon/handler.h
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/handler.h,v
+retrieving revision 1.21
+diff -u -r1.21 handler.h
+--- a/src/racoon/handler.h 3 Jul 2009 06:41:46 -0000 1.21
++++ b/src/racoon/handler.h 19 Aug 2009 14:35:06 -0000
+@@ -5,7 +5,7 @@
+ /*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+- *
++ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+@@ -17,7 +17,7 @@
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+- *
++ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+@@ -214,7 +214,7 @@
+ LIST_ENTRY(ph1handle) chain;
+ #ifdef ENABLE_HYBRID
+ struct isakmp_cfg_state *mode_cfg; /* ISAKMP mode config state */
+-#endif
++#endif
+ EVT_LISTENER_LIST(evt_listeners);
+ };
+
+@@ -449,7 +449,7 @@
+ struct sockaddr_storage remote;
+ struct sockaddr_storage local;
+ u_int8_t version;
+- u_int8_t etype;
++ u_int8_t etype;
+ time_t created;
+ int ph2cnt;
+ };
+@@ -468,7 +468,7 @@
+
+ #define GETPH1_F_ESTABLISHED 0x0001
+
+-extern struct ph1handle *getph1 __P((struct remoteconf *rmconf,
++extern struct ph1handle *getph1 __P((struct ph1handle *ph1hint,
+ struct sockaddr *local,
+ struct sockaddr *remote,
+ int flags));
+Index: src/racoon/isakmp.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp.c,v
+retrieving revision 1.58
+diff -u -r1.58 isakmp.c
+--- a/src/racoon/isakmp.c 3 Jul 2009 06:41:46 -0000 1.58
++++ b/src/racoon/isakmp.c 19 Aug 2009 14:35:07 -0000
+@@ -5,7 +5,7 @@
+ /*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+- *
++ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+@@ -17,7 +17,7 @@
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+- *
++ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+@@ -176,7 +176,7 @@
+ };
+
+ static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */
+-
++
+ static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *));
+ static int ph1_main __P((struct ph1handle *, vchar_t *));
+ static int quick_main __P((struct ph2handle *, vchar_t *));
+@@ -190,7 +190,7 @@
+ static int isakmp_ph2resend __P((struct ph2handle *));
+
+ #ifdef ENABLE_FRAG
+-static int frag_handler(struct ph1handle *,
++static int frag_handler(struct ph1handle *,
+ vchar_t *, struct sockaddr *, struct sockaddr *);
+ #endif
+
+@@ -259,16 +259,16 @@
+ extralen += sizeof(x.lbuf.udp) + x.lbuf.ip.ip_hl;
+ }
+ #endif
+- }
++ }
+
+ #ifdef ENABLE_NATT
+- /* we don't know about portchange yet,
++ /* we don't know about portchange yet,
+ look for non-esp marker instead */
+ if (x.non_esp[0] == 0 && x.non_esp[1] != 0)
+ extralen = NON_ESP_MARKER_LEN;
+ #endif
+
+- /* now we know if there is an extra non-esp
++ /* now we know if there is an extra non-esp
+ marker at the beginning or not */
+ memcpy ((char *)&isakmp, x.buf + extralen, sizeof (isakmp));
+
+@@ -309,7 +309,7 @@
+ if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
+ 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+- "failed to receive isakmp packet: %s\n",
++ "failed to receive isakmp packet: %s\n",
+ strerror (errno));
+ }
+ goto end;
+@@ -332,11 +332,11 @@
+ (len - extralen));
+ goto end;
+ }
+-
++
+ memcpy (buf->v, tmpbuf->v + extralen, buf->l);
+
+ len -= extralen;
+-
++
+ if (len != buf->l) {
+ plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
+ "received invalid length (%d != %zu), why ?\n",
+@@ -347,7 +347,7 @@
+ plog(LLV_DEBUG, LOCATION, NULL, "===\n");
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "%d bytes message received %s\n",
+- len, saddr2str_fromto("from %s to %s",
++ len, saddr2str_fromto("from %s to %s",
+ (struct sockaddr *)&remote,
+ (struct sockaddr *)&local));
+ plogdump(LLV_DEBUG, buf->v, buf->l);
+@@ -496,12 +496,12 @@
+ }
+
+ /* set the flag to prevent further port floating
+- (FIXME: should we allow it? E.g. when the NAT gw
++ (FIXME: should we allow it? E.g. when the NAT gw
+ is rebooted?) */
+ iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER;
+-
++
+ /* print some neat info */
+- plog (LLV_INFO, LOCATION, NULL,
++ plog (LLV_INFO, LOCATION, NULL,
+ "NAT-T: ports changed to: %s\n",
+ saddr2str_fromto ("%s<->%s", iph1->remote, iph1->local));
+
+@@ -668,7 +668,7 @@
+ return -1;
+ }
+ #ifdef ENABLE_HYBRID
+- /* Reinit the IVM if it's still there */
++ /* Reinit the IVM if it's still there */
+ if (iph1->mode_cfg && iph1->mode_cfg->ivm) {
+ oakley_delivm(iph1->mode_cfg->ivm);
+ iph1->mode_cfg->ivm = NULL;
+@@ -753,7 +753,7 @@
+
+ isakmp_cfg_r(iph1, msg);
+ break;
+-#endif
++#endif
+
+ case ISAKMP_ETYPE_NONE:
+ default:
+@@ -822,7 +822,7 @@
+ /* free resend buffer */
+ if (iph1->sendbuf == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+- "no buffer found as sendbuf\n");
++ "no buffer found as sendbuf\n");
+ return -1;
+ }
+ #endif
+@@ -925,13 +925,13 @@
+ log_ph1established(iph1);
+ plog(LLV_DEBUG, LOCATION, NULL, "===\n");
+
+- /*
++ /*
+ * SA up shell script hook: do it now,except if
+ * ISAKMP mode config was requested. In the later
+ * case it is done when we receive the configuration.
+ */
+ if ((iph1->status == PHASE1ST_ESTABLISHED) &&
+- !iph1->rmconf->mode_cfg) {
++ !iph1->rmconf->mode_cfg) {
+ switch (iph1->approval->authmethod) {
+ #ifdef ENABLE_HYBRID
+ case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
+@@ -1004,7 +1004,7 @@
+ /* free resend buffer */
+ if (iph2->sendbuf == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+- "no buffer found as sendbuf\n");
++ "no buffer found as sendbuf\n");
+ return -1;
+ }
+ VPTRINIT(iph2->sendbuf);
+@@ -1754,23 +1754,23 @@
+ extralen = 0;
+
+ #ifdef ENABLE_FRAG
+- /*
++ /*
+ * Do not add the non ESP marker for a packet that will
+- * be fragmented. The non ESP marker should appear in
++ * be fragmented. The non ESP marker should appear in
+ * all fragment's packets, but not in the fragmented packet
+ */
+- if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN)
++ if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN)
+ extralen = 0;
+ #endif
+ if (extralen)
+ plog (LLV_DEBUG, LOCATION, NULL, "Adding NON-ESP marker\n");
+
+- /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker)
+- must added just before the packet itself. For this we must
++ /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker)
++ must added just before the packet itself. For this we must
+ allocate a new buffer and release it at the end. */
+ if (extralen) {
+ if ((vbuf = vmalloc (sbuf->l + extralen)) == NULL) {
+- plog(LLV_ERROR, LOCATION, NULL,
++ plog(LLV_ERROR, LOCATION, NULL,
+ "vbuf allocation failed\n");
+ return -1;
+ }
+@@ -1791,17 +1791,17 @@
+ if (s == -1)
+ return -1;
+
+- plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l,
++ plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l,
+ saddr2str_fromto("from %s to %s", iph1->local, iph1->remote));
+
+ #ifdef ENABLE_FRAG
+ if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) {
+ if (isakmp_sendfrags(iph1, sbuf) == -1) {
+- plog(LLV_ERROR, LOCATION, NULL,
++ plog(LLV_ERROR, LOCATION, NULL,
+ "isakmp_sendfrags failed\n");
+ return -1;
+ }
+- } else
++ } else
+ #endif
+ {
+ len = sendfromto(s, sbuf->v, sbuf->l,
+@@ -1812,7 +1812,7 @@
+ return -1;
+ }
+ }
+-
++
+ return 0;
+ }
+
+@@ -1959,7 +1959,7 @@
+ iph1->status = PHASE1ST_DYING;
+
+ /* Any fresh phase1s? */
+- new_iph1 = getph1(iph1->rmconf, iph1->local, iph1->remote, 1);
++ new_iph1 = getph1(iph1, iph1->local, iph1->remote, 1);
+ if (new_iph1 == NULL) {
+ LIST_FOREACH(p, &iph1->ph2tree, ph1bind) {
+ if (p->status != PHASE2ST_ESTABLISHED)
+@@ -2036,7 +2036,7 @@
+ char *src, *dst;
+
+ /* Migrate established phase2s. Any fresh phase1s? */
+- new_iph1 = getph1byaddr(iph1->local, iph1->remote, 1);
++ new_iph1 = getph1(iph1, iph1->local, iph1->remote, 1);
+ if (new_iph1 != NULL)
+ migrate_ph12(iph1, new_iph1);
+
+@@ -2143,12 +2143,13 @@
+ * if phase1 has been finished, begin phase2.
+ */
+ int
+-isakmp_post_acquire(iph2)
++isakmp_post_acquire(iph2, iph1hint)
+ struct ph2handle *iph2;
++ struct ph1handle *iph1hint;
+ {
+ struct remoteconf *rmconf;
+ struct ph1handle *iph1 = NULL;
+-
++
+ plog(LLV_DEBUG, LOCATION, NULL, "in post_acquire\n");
+
+ /* Search appropriate configuration with masking port. Note that
+@@ -2159,12 +2160,17 @@
+ * address of a mobile node (not a CoA provided by MIGRATE/KMADDRESS
+ * as iph2->dst hint). This scenario would require additional changes,
+ * so no need to bother yet. --arno */
+- rmconf = getrmconf(iph2->dst, GETRMCONF_F_NO_PASSIVE);
+- if (rmconf == NULL) {
+- plog(LLV_ERROR, LOCATION, NULL,
+- "no configuration found for %s.\n",
+- saddrwop2str(iph2->dst));
+- return -1;
++
++ if (iph1hint == NULL || iph1hint->rmconf == NULL) {
++ rmconf = getrmconf(iph2->dst, GETRMCONF_F_NO_PASSIVE);
++ if (rmconf == NULL) {
++ plog(LLV_ERROR, LOCATION, NULL,
++ "no configuration found for %s.\n",
++ saddrwop2str(iph2->dst));
++ return -1;
++ }
++ } else {
++ rmconf = iph1hint->rmconf;
+ }
+
+ /* if passive mode, ignore the acquire message */
+@@ -2181,7 +2187,7 @@
+ * some cases, we should use the ISAKMP identity to search
+ * matching ISAKMP.
+ */
+- iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
++ iph1 = getph1(iph1hint, iph2->src, iph2->dst, 0);
+
+ /* no ISAKMP-SA found. */
+ if (iph1 == NULL) {
+@@ -2978,7 +2984,7 @@
+ "ISAKMP-SA established %s-%s spi:%s\n",
+ src, dst,
+ isakmp_pindex(&iph1->index, 0));
+-
++
+ evt_phase1(iph1, EVT_PHASE1_UP, NULL);
+ if(!iph1->rmconf->mode_cfg)
+ evt_phase1(iph1, EVT_PHASE1_MODE_CFG, NULL);
+@@ -3011,7 +3017,7 @@
+ return plist;
+ }
+
+-vchar_t *
++vchar_t *
+ isakmp_plist_set_all (struct payload_list **plist, struct ph1handle *iph1)
+ {
+ struct payload_list *ptr = *plist, *first;
+@@ -3022,7 +3028,7 @@
+ /* Seek to the first item. */
+ while (ptr->prev) ptr = ptr->prev;
+ first = ptr;
+-
++
+ /* Compute the whole length. */
+ while (ptr) {
+ tlen += ptr->payload->l + sizeof (struct isakmp_gen);
+@@ -3064,7 +3070,7 @@
+ }
+
+ #ifdef ENABLE_FRAG
+-int
++int
+ frag_handler(iph1, msg, remote, local)
+ struct ph1handle *iph1;
+ vchar_t *msg;
+@@ -3075,7 +3081,7 @@
+
+ if (isakmp_frag_extract(iph1, msg) == 1) {
+ if ((newmsg = isakmp_frag_reassembly(iph1)) == NULL) {
+- plog(LLV_ERROR, LOCATION, remote,
++ plog(LLV_ERROR, LOCATION, remote,
+ "Packet reassembly failed\n");
+ return -1;
+ }
+@@ -3125,24 +3131,24 @@
+ if (iph1->remote != NULL) {
+ GETNAMEINFO(iph1->remote, addrstr, portstr);
+
+- if (script_env_append(&envp, &envc,
++ if (script_env_append(&envp, &envc,
+ "REMOTE_ADDR", addrstr) != 0) {
+- plog(LLV_ERROR, LOCATION, NULL,
++ plog(LLV_ERROR, LOCATION, NULL,
+ "Cannot set REMOTE_ADDR\n");
+ goto out;
+ }
+
+- if (script_env_append(&envp, &envc,
++ if (script_env_append(&envp, &envc,
+ "REMOTE_PORT", portstr) != 0) {
+- plog(LLV_ERROR, LOCATION, NULL,
++ plog(LLV_ERROR, LOCATION, NULL,
+ "Cannot set REMOTEL_PORT\n");
+ goto out;
+ }
+ }
+
+- if (privsep_script_exec(iph1->rmconf->script[script]->v,
+- script, envp) != 0)
+- plog(LLV_ERROR, LOCATION, NULL,
++ if (privsep_script_exec(iph1->rmconf->script[script]->v,
++ script, envp) != 0)
++ plog(LLV_ERROR, LOCATION, NULL,
+ "Script %s execution failed\n", script_names[script]);
+
+ out:
+@@ -3202,7 +3208,7 @@
+ argv[1] = script_names[name];
+ argv[2] = NULL;
+
+- switch (fork()) {
++ switch (fork()) {
+ case 0:
+ execve(argv[0], argv, envp);
+ plog(LLV_ERROR, LOCATION, NULL,
+@@ -3217,7 +3223,7 @@
+ break;
+ default:
+ break;
+- }
++ }
+ return 0;
+
+ }
+@@ -3243,7 +3249,7 @@
+ iph1->status = PHASE1ST_EXPIRED;
+
+ /* Check if we have another, still valid, phase1 SA. */
+- new_iph1 = getph1byaddr(iph1->local, iph1->remote, 1);
++ new_iph1 = getph1(iph1, iph1->local, iph1->remote, GETPH1_F_ESTABLISHED);
+
+ /*
+ * Delete all orphaned or binded to the deleting ph1handle phase2 SAs.
+@@ -3319,7 +3325,7 @@
+ ntohl(sa->sadb_sa_spi));
+ }else{
+
+- /*
++ /*
+ * If we have a new ph1, do not purge IPsec-SAs binded
+ * to a different ISAKMP-SA
+ */
+@@ -3331,7 +3337,7 @@
+ /* If the ph2handle is established, do not purge IPsec-SA */
+ if (iph2->status == PHASE2ST_ESTABLISHED ||
+ iph2->status == PHASE2ST_EXPIRED) {
+-
++
+ plog(LLV_INFO, LOCATION, NULL,
+ "keeping IPsec-SA spi=%u - found valid ISAKMP-SA spi=%s.\n",
+ ntohl(sa->sadb_sa_spi),
+@@ -3342,7 +3348,7 @@
+ }
+ }
+
+-
++
+ pfkey_send_delete(lcconf->sock_pfkey,
+ msg->sadb_msg_satype,
+ IPSEC_MODE_ANY,
+@@ -3373,7 +3379,7 @@
+ sched_schedule(&iph1->sce, 1, isakmp_ph1delete_stub);
+ }
+
+-void
++void
+ delete_spd(iph2, created)
+ struct ph2handle *iph2;
+ u_int64_t created;
+@@ -3399,22 +3405,22 @@
+
+ plog(LLV_INFO, LOCATION, NULL,
+ "generated policy, deleting it.\n");
+-
++
+ memset(&spidx, 0, sizeof(spidx));
+ iph2->spidx_gen = (caddr_t )&spidx;
+-
++
+ /* make inbound policy */
+ iph2->src = dst;
+ iph2->dst = src;
+ spidx.dir = IPSEC_DIR_INBOUND;
+ spidx.ul_proto = 0;
+-
+- /*
++
++ /*
+ * Note: code from get_proposal_r
+ */
+-
++
+ #define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type
+-
++
+ /*
+ * make destination address in spidx from either ID payload
+ * or phase 1 address into a address in spidx.
+@@ -3430,48 +3436,48 @@
+ &spidx.prefd, &spidx.ul_proto);
+ if (error)
+ goto purge;
+-
++
+ #ifdef INET6
+ /*
+ * get scopeid from the SA address.
+ * note that the phase 1 source address is used as
+- * a destination address to search for a inbound
++ * a destination address to search for a inbound
+ * policy entry because rcoon is responder.
+ */
+ if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
+- if ((error =
++ if ((error =
+ setscopeid((struct sockaddr *)&spidx.dst,
+ iph2->src)) != 0)
+ goto purge;
+ }
+ #endif
+-
++
+ if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
+ || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR)
+ idi2type = _XIDT(iph2->id);
+-
++
+ } else {
+-
++
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "get a destination address of SP index "
+ "from phase1 address "
+ "due to no ID payloads found "
+ "OR because ID type is not address.\n");
+-
++
+ /*
+- * copy the SOURCE address of IKE into the
+- * DESTINATION address of the key to search the
++ * copy the SOURCE address of IKE into the
++ * DESTINATION address of the key to search the
+ * SPD because the direction of policy is inbound.
+ */
+ memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src));
+ switch (spidx.dst.ss_family) {
+ case AF_INET:
+- spidx.prefd =
++ spidx.prefd =
+ sizeof(struct in_addr) << 3;
+ break;
+ #ifdef INET6
+ case AF_INET6:
+- spidx.prefd =
++ spidx.prefd =
+ sizeof(struct in6_addr) << 3;
+ break;
+ #endif
+@@ -3480,7 +3486,7 @@
+ break;
+ }
+ }
+-
++
+ /* make source address in spidx */
+ if (iph2->id_p != NULL
+ && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR
+@@ -3500,7 +3506,7 @@
+ * for more detail, see above of this function.
+ */
+ if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
+- error =
++ error =
+ setscopeid((struct sockaddr *)&spidx.src,
+ iph2->dst);
+ if (error)
+@@ -3538,12 +3544,12 @@
+ memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst));
+ switch (spidx.src.ss_family) {
+ case AF_INET:
+- spidx.prefs =
++ spidx.prefs =
+ sizeof(struct in_addr) << 3;
+ break;
+ #ifdef INET6
+ case AF_INET6:
+- spidx.prefs =
++ spidx.prefs =
+ sizeof(struct in6_addr) << 3;
+ break;
+ #endif
+@@ -3574,14 +3580,14 @@
+ spidx.ul_proto = IPSEC_ULPROTO_ANY;
+
+ #undef _XIDT
+-
++
+ /* Check if the generated SPD has the same timestamp as the SA.
+ * If timestamps are different, this means that the SPD entry has been
+ * refreshed by another SA, and should NOT be deleted with the current SA.
+ */
+ if( created ){
+ struct secpolicy *p;
+-
++
+ p = getsp(&spidx);
+ if(p != NULL){
+ /* just do no test if p is NULL, because this probably just means
+@@ -3646,7 +3652,7 @@
+ struct sockaddr *sp_addr0, *sa_addr0;
+ {
+ struct sockaddr_in6 *sp_addr, *sa_addr;
+-
++
+ sp_addr = (struct sockaddr_in6 *)sp_addr0;
+ sa_addr = (struct sockaddr_in6 *)sa_addr0;
+
+Index: src/racoon/isakmp_var.h
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h,v
+retrieving revision 1.15
+diff -u -r1.15 isakmp_var.h
+--- a/src/racoon/isakmp_var.h 20 Apr 2009 13:24:36 -0000 1.15
++++ b/src/racoon/isakmp_var.h 19 Aug 2009 14:35:07 -0000
+@@ -5,7 +5,7 @@
+ /*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+- *
++ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+@@ -17,7 +17,7 @@
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+- *
++ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+@@ -87,7 +87,7 @@
+ extern void isakmp_ph2delete __P((struct ph2handle *));
+
+ extern int isakmp_get_sainfo __P((struct ph2handle *, struct secpolicy *, struct secpolicy *));
+-extern int isakmp_post_acquire __P((struct ph2handle *));
++extern int isakmp_post_acquire __P((struct ph2handle *, struct ph1handle *));
+ extern int isakmp_post_getspi __P((struct ph2handle *));
+ extern void isakmp_chkph1there_stub __P((struct sched *));
+ extern void isakmp_chkph1there __P((struct ph2handle *));
+@@ -131,7 +131,7 @@
+ struct remoteconf *, struct sockaddr *, struct sockaddr *));
+ extern void log_ph1established __P((const struct ph1handle *));
+
+-extern void script_hook __P((struct ph1handle *, int));
++extern void script_hook __P((struct ph1handle *, int));
+ extern int script_env_append __P((char ***, int *, char *, char *));
+ extern int script_exec __P((char *, int, char * const *));
+
+Index: src/racoon/pfkey.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/pfkey.c,v
+retrieving revision 1.50
+diff -u -r1.50 pfkey.c
+--- a/src/racoon/pfkey.c 10 Aug 2009 08:22:13 -0000 1.50
++++ b/src/racoon/pfkey.c 19 Aug 2009 14:35:07 -0000
+@@ -5,7 +5,7 @@
+ /*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+- *
++ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+@@ -17,7 +17,7 @@
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+- *
++ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+@@ -173,7 +173,7 @@
+
+ /* cope with old kame headers - ugly */
+ #ifndef SADB_X_AALG_MD5
+-#define SADB_X_AALG_MD5 SADB_AALG_MD5
++#define SADB_X_AALG_MD5 SADB_AALG_MD5
+ #endif
+ #ifndef SADB_X_AALG_SHA
+ #define SADB_X_AALG_SHA SADB_AALG_SHA
+@@ -353,7 +353,7 @@
+ "type %i, pid %i\n", msg->sadb_msg_type, msg->sadb_msg_pid);
+ continue;
+ }
+-
++
+
+ ml = msg->sadb_msg_len << 3;
+ bl = buf ? buf->l : 0;
+@@ -839,7 +839,7 @@
+ goto bad;
+ *a_keylen >>= 3;
+
+- if (t_id == IPSECDOI_ATTR_AUTH_HMAC_MD5
++ if (t_id == IPSECDOI_ATTR_AUTH_HMAC_MD5
+ && hashtype == IPSECDOI_ATTR_AUTH_KPDK) {
+ /* AH_MD5 + Auth(KPDK) = RFC1826 keyed-MD5 */
+ *a_type = SADB_X_AALG_MD5;
+@@ -919,7 +919,7 @@
+ racoon_free(dst);
+ return -1;
+ }
+-
++
+ for (pr = pp->head; pr != NULL; pr = pr->next) {
+
+ /* validity check */
+@@ -991,7 +991,7 @@
+ * receive GETSPI from kernel.
+ */
+ static int
+-pk_recvgetspi(mhp)
++pk_recvgetspi(mhp)
+ caddr_t *mhp;
+ {
+ struct sadb_msg *msg;
+@@ -1111,7 +1111,7 @@
+ sa_args.l_addtime = iph2->lifetime_secs;
+ else
+ sa_args.l_addtime = iph2->approval->lifetime;
+- sa_args.seq = iph2->seq;
++ sa_args.seq = iph2->seq;
+ sa_args.wsize = 4;
+
+ if (iph2->sa_src && iph2->sa_dst) {
+@@ -1163,7 +1163,7 @@
+ pr->head->trns_id,
+ pr->head->authtype,
+ &sa_args.e_type, &sa_args.e_keylen,
+- &sa_args.a_type, &sa_args.a_keylen,
++ &sa_args.a_type, &sa_args.a_keylen,
+ &sa_args.flags) < 0){
+ racoon_free(sa_args.src);
+ racoon_free(sa_args.dst);
+@@ -1221,11 +1221,11 @@
+ * But it is impossible because there is not key in the
+ * information from the kernel.
+ */
+-
++
+ /* change some things before backing up */
+ sa_args.wsize = 4;
+ sa_args.l_bytes = iph2->approval->lifebyte * 1024;
+-
++
+ if (backupsa_to_file(&sa_args) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "backuped SA failed: %s\n",
+@@ -1447,7 +1447,7 @@
+ pr->head->trns_id,
+ pr->head->authtype,
+ &sa_args.e_type, &sa_args.e_keylen,
+- &sa_args.a_type, &sa_args.a_keylen,
++ &sa_args.a_type, &sa_args.a_keylen,
+ &sa_args.flags) < 0){
+ racoon_free(sa_args.src);
+ racoon_free(sa_args.dst);
+@@ -1668,11 +1668,12 @@
+ " being negotiated. Stopping negotiation.\n");
+ }
+
+- /* turn off the timer for calling isakmp_ph2expire() */
++ /* turn off the timer for calling isakmp_ph2expire() */
+ sched_cancel(&iph2->sce);
+
+ if (iph2->status == PHASE2ST_ESTABLISHED &&
+ iph2->side == INITIATOR) {
++ struct ph1handle *iph1hint;
+ /*
+ * Active phase 2 expired and we were initiator.
+ * Begin new phase 2 exchange, so we can keep on sending
+@@ -1680,11 +1681,12 @@
+ */
+
+ /* update status for re-use */
++ iph1hint = iph2->ph1;
+ initph2(iph2);
+ iph2->status = PHASE2ST_STATUS2;
+
+ /* start quick exchange */
+- if (isakmp_post_acquire(iph2) < 0) {
++ if (isakmp_post_acquire(iph2, iph1hint) < 0) {
+ plog(LLV_ERROR, LOCATION, iph2->dst,
+ "failed to begin ipsec sa "
+ "re-negotication.\n");
+@@ -1750,7 +1752,7 @@
+ if (m_sec_ctx != NULL) {
+ plog(LLV_INFO, LOCATION, NULL, "security context doi: %u\n",
+ m_sec_ctx->sadb_x_ctx_doi);
+- plog(LLV_INFO, LOCATION, NULL,
++ plog(LLV_INFO, LOCATION, NULL,
+ "security context algorithm: %u\n",
+ m_sec_ctx->sadb_x_ctx_alg);
+ plog(LLV_INFO, LOCATION, NULL, "security context length: %u\n",
+@@ -1960,7 +1962,7 @@
+
+ /* start isakmp initiation by using ident exchange */
+ /* XXX should be looped if there are multiple phase 2 handler. */
+- if (isakmp_post_acquire(iph2) < 0) {
++ if (isakmp_post_acquire(iph2, NULL) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to begin ipsec sa negotication.\n");
+ remph2(iph2);
+@@ -2145,7 +2147,7 @@
+ p->sadb_x_ctx_len = spidx->sec_ctx.ctx_strlen;
+ p->sadb_x_ctx_doi = spidx->sec_ctx.ctx_doi;
+ p->sadb_x_ctx_alg = spidx->sec_ctx.ctx_alg;
+-
++
+ memcpy(p + 1,spidx->sec_ctx.ctx_str,spidx->sec_ctx.ctx_strlen);
+ len += ctxlen;
+ }
+@@ -2184,7 +2186,7 @@
+ goto err;
+ }
+
+- /*
++ /*
+ * the policy level cannot be unique because the policy
+ * is defined later than SA, so req_id cannot be bound to SA.
+ */
+@@ -2217,7 +2219,7 @@
+
+ xisr->sadb_x_ipsecrequest_len = PFKEY_ALIGN8(xisrlen);
+ xisr = (struct sadb_x_ipsecrequest *)p;
+-
++
+ }
+ racoon_free(pr_rlist);
+
+@@ -3070,6 +3072,8 @@
+ rmconf = getrmconf(iph2->dst, 0);
+
+ if (rmconf && !rmconf->passive) {
++ struct ph1handle *iph1hint;
++
+ plog(LLV_WARNING, LOCATION, iph2->dst, "MIGRATE received "
+ "*during* IPsec SA negotiation. As initiator, "
+ "restarting it.\n");
+@@ -3079,11 +3083,12 @@
+ iph2->status = PHASE2ST_EXPIRED;
+
+ /* ... clean Phase 2 handle ... */
++ iph1hint = iph2->ph1;
+ initph2(iph2);
+ iph2->status = PHASE2ST_STATUS2;
+
+ /* and start a new negotiation */
+- if (isakmp_post_acquire(iph2) < 0) {
++ if (isakmp_post_acquire(iph2, iph1hint) < 0) {
+ plog(LLV_ERROR, LOCATION, iph2->dst, "failed "
+ "to begin IPsec SA renegotiation after "
+ "MIGRATE reception.\n");
diff --git a/main/ipsec-tools/20-natoa-fix.patch b/main/ipsec-tools/20-natoa-fix.patch
deleted file mode 100644
index 91d7224e2..000000000
--- a/main/ipsec-tools/20-natoa-fix.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Fix nat-oa parsing when rekeying.
-
-From: Timo Teras <timo.teras@iki.fi>
-
-
----
-
- src/racoon/handler.c | 11 +++++++++++
- 1 files changed, 11 insertions(+), 0 deletions(-)
-
-
-diff --git a/src/racoon/handler.c b/src/racoon/handler.c
-index 6f91beb..960b5b3 100644
---- a/src/racoon/handler.c
-+++ b/src/racoon/handler.c
-@@ -736,6 +736,17 @@ initph2(iph2)
- oakley_delivm(iph2->ivm);
- iph2->ivm = NULL;
- }
-+
-+#ifdef ENABLE_NATT
-+ if (iph2->natoa_src) {
-+ racoon_free(iph2->natoa_src);
-+ iph2->natoa_src = NULL;
-+ }
-+ if (iph2->natoa_dst) {
-+ racoon_free(iph2->natoa_dst);
-+ iph2->natoa_dst = NULL;
-+ }
-+#endif
- }
-
- /*
diff --git a/main/ipsec-tools/30-natt-ports-cleanup.patch b/main/ipsec-tools/30-natt-ports-cleanup.patch
deleted file mode 100644
index 19360347d..000000000
--- a/main/ipsec-tools/30-natt-ports-cleanup.patch
+++ /dev/null
@@ -1,393 +0,0 @@
-From Yvan Vanhullebus: Use SADB_X_EXT_NAT_T_* consistently for passing the
-
-From: Timo Teras <timo.teras@iki.fi>
-
-NAT-T port information.
----
-
- src/libipsec/libpfkey.h | 12 ++++++++
- src/libipsec/pfkey.c | 49 +++++++++++++++++++++++++++++++++
- src/racoon/isakmp.c | 11 +++++++
- src/racoon/isakmp_inf.c | 37 +++++++++++++------------
- src/racoon/pfkey.c | 69 +++++++++++++++++++++++++++++++++--------------
- src/racoon/pfkey.h | 1 +
- 6 files changed, 140 insertions(+), 39 deletions(-)
-
-
-diff --git a/src/libipsec/libpfkey.h b/src/libipsec/libpfkey.h
-index 8a503dd..c9b228b 100644
---- a/src/libipsec/libpfkey.h
-+++ b/src/libipsec/libpfkey.h
-@@ -117,6 +117,10 @@ u_int pfkey_set_softrate __P((u_int, u_int));
- u_int pfkey_get_softrate __P((u_int));
- int pfkey_send_getspi __P((int, u_int, u_int, struct sockaddr *,
- struct sockaddr *, u_int32_t, u_int32_t, u_int32_t, u_int32_t));
-+int pfkey_send_getspi_nat __P((int, u_int, u_int,
-+ struct sockaddr *, struct sockaddr *, u_int8_t, u_int16_t, u_int16_t,
-+ u_int32_t, u_int32_t, u_int32_t, u_int32_t));
-+
- int pfkey_send_update2 __P((struct pfkey_send_sa_args *));
- int pfkey_send_add2 __P((struct pfkey_send_sa_args *));
- int pfkey_send_delete __P((int, u_int, u_int,
-@@ -155,6 +159,14 @@ int pfkey_send_migrate __P((int, struct sockaddr *, struct sockaddr *,
- caddr_t, int, u_int32_t));
- #endif
-
-+/* XXX should be somewhere else !!!
-+ */
-+#ifdef SADB_X_NAT_T_NEW_MAPPING
-+#define PFKEY_ADDR_X_PORT(ext) (ntohs(((struct sadb_x_nat_t_port *)ext)->sadb_x_nat_t_port_port))
-+#define PFKEY_ADDR_X_NATTYPE(ext) ( ext != NULL && ((struct sadb_x_nat_t_type *)ext)->sadb_x_nat_t_type_type )
-+#endif
-+
-+
- int pfkey_open __P((void));
- void pfkey_close __P((int));
- int pfkey_set_buffer_size __P((int, int));
-diff --git a/src/libipsec/pfkey.c b/src/libipsec/pfkey.c
-index 0a944c2..b39ffca 100644
---- a/src/libipsec/pfkey.c
-+++ b/src/libipsec/pfkey.c
-@@ -380,10 +380,12 @@ pfkey_get_softrate(type)
- * -1 : error occured, and set errno.
- */
- int
--pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq)
-+pfkey_send_getspi_nat(so, satype, mode, src, dst, natt_type, sport, dport, min, max, reqid, seq)
- int so;
- u_int satype, mode;
- struct sockaddr *src, *dst;
-+ u_int8_t natt_type;
-+ u_int16_t sport, dport;
- u_int32_t min, max, reqid, seq;
- {
- struct sadb_msg *newmsg;
-@@ -431,6 +433,14 @@ pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq)
- len += sizeof(struct sadb_spirange);
- }
-
-+#ifdef SADB_X_EXT_NAT_T_TYPE
-+ if(natt_type||sport||dport){
-+ len += sizeof(struct sadb_x_nat_t_type);
-+ len += sizeof(struct sadb_x_nat_t_port);
-+ len += sizeof(struct sadb_x_nat_t_port);
-+ }
-+#endif
-+
- if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) {
- __ipsec_set_strerror(strerror(errno));
- return -1;
-@@ -466,6 +476,32 @@ pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq)
- return -1;
- }
-
-+#ifdef SADB_X_EXT_NAT_T_TYPE
-+ /* Add nat-t messages */
-+ if (natt_type) {
-+ p = pfkey_set_natt_type(p, ep, SADB_X_EXT_NAT_T_TYPE,
-+ natt_type);
-+ if (!p) {
-+ free(newmsg);
-+ return -1;
-+ }
-+
-+ p = pfkey_set_natt_port(p, ep, SADB_X_EXT_NAT_T_SPORT,
-+ sport);
-+ if (!p) {
-+ free(newmsg);
-+ return -1;
-+ }
-+
-+ p = pfkey_set_natt_port(p, ep, SADB_X_EXT_NAT_T_DPORT,
-+ dport);
-+ if (!p) {
-+ free(newmsg);
-+ return -1;
-+ }
-+ }
-+#endif
-+
- /* proccessing spi range */
- if (need_spirange) {
- struct sadb_spirange spirange;
-@@ -501,6 +537,17 @@ pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq)
- return len;
- }
-
-+int
-+pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq)
-+ int so;
-+ u_int satype, mode;
-+ struct sockaddr *src, *dst;
-+ u_int32_t min, max, reqid, seq;
-+{
-+ return pfkey_send_getspi_nat(so, satype, mode, src, dst, 0, 0, 0,
-+ min, max, reqid, seq);
-+}
-+
- /*
- * sending SADB_UPDATE message to the kernel.
- * The length of key material is a_keylen + e_keylen.
-diff --git a/src/racoon/isakmp.c b/src/racoon/isakmp.c
-index c8670f6..fe51653 100644
---- a/src/racoon/isakmp.c
-+++ b/src/racoon/isakmp.c
-@@ -3324,6 +3324,17 @@ purge_remote(iph1)
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
-+#ifdef SADB_X_NAT_T_NEW_MAPPING
-+ if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) {
-+ /* NAT-T is enabled for this SADB entry; copy
-+ * the ports from NAT-T extensions */
-+ if(mhp[SADB_X_EXT_NAT_T_SPORT] != NULL)
-+ set_port(src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT]));
-+ if(mhp[SADB_X_EXT_NAT_T_DPORT] != NULL)
-+ set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));
-+ }
-+#endif
-+
- if (sa->sadb_sa_state != SADB_SASTATE_LARVAL &&
- sa->sadb_sa_state != SADB_SASTATE_MATURE &&
- sa->sadb_sa_state != SADB_SASTATE_DYING) {
-diff --git a/src/racoon/isakmp_inf.c b/src/racoon/isakmp_inf.c
-index 1ada07f..a712825 100644
---- a/src/racoon/isakmp_inf.c
-+++ b/src/racoon/isakmp_inf.c
-@@ -1128,8 +1128,7 @@ purge_ipsec_spi(dst0, proto, spi, n)
- size_t i;
- caddr_t mhp[SADB_EXT_MAX + 1];
- #ifdef ENABLE_NATT
-- struct sadb_x_nat_t_type *natt_type;
-- struct sadb_x_nat_t_port *natt_port;
-+ int natt_port_forced;
- #endif
-
- plog(LLV_DEBUG2, LOCATION, NULL,
-@@ -1184,22 +1183,25 @@ purge_ipsec_spi(dst0, proto, spi, n)
- continue;
- }
- #ifdef ENABLE_NATT
-- natt_type = (void *)mhp[SADB_X_EXT_NAT_T_TYPE];
-- if (natt_type && natt_type->sadb_x_nat_t_type_type) {
-+ if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) {
- /* NAT-T is enabled for this SADB entry; copy
- * the ports from NAT-T extensions */
-- natt_port = (void *)mhp[SADB_X_EXT_NAT_T_SPORT];
-- if (extract_port(src) == 0 && natt_port != NULL)
-- set_port(src, ntohs(natt_port->sadb_x_nat_t_port_port));
--
-- natt_port = (void *)mhp[SADB_X_EXT_NAT_T_DPORT];
-- if (extract_port(dst) == 0 && natt_port != NULL)
-- set_port(dst, ntohs(natt_port->sadb_x_nat_t_port_port));
-- }else{
-- /* Force default UDP ports, so CMPSADDR will match SAs with NO encapsulation
-- */
-+ if (extract_port(src) == 0 &&
-+ mhp[SADB_X_EXT_NAT_T_SPORT] != NULL) {
-+ set_port(src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT]));
-+ }
-+
-+ if (extract_port(dst) == 0 &&
-+ mhp[SADB_X_EXT_NAT_T_DPORT] != NULL) {
-+ set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));
-+ }
-+ natt_port_forced = 0;
-+ } else {
-+ /* Force default UDP ports, so
-+ * CMPSADDR will match SAs with NO encapsulation */
- set_port(src, PORT_ISAKMP);
- set_port(dst, PORT_ISAKMP);
-+ natt_port_forced = 1;
- }
- #endif
- plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(src));
-@@ -1215,10 +1217,9 @@ purge_ipsec_spi(dst0, proto, spi, n)
- }
-
- #ifdef ENABLE_NATT
-- if (natt_type == NULL ||
-- ! natt_type->sadb_x_nat_t_type_type) {
-- /* Set back port to 0 if it was forced to default UDP port
-- */
-+ if (natt_port_forced) {
-+ /* Set back port to 0 if it was forced
-+ * to default UDP port */
- set_port(src, 0);
- set_port(dst, 0);
- }
-diff --git a/src/racoon/pfkey.c b/src/racoon/pfkey.c
-index 610cc09..c210c5e 100644
---- a/src/racoon/pfkey.c
-+++ b/src/racoon/pfkey.c
-@@ -769,6 +769,28 @@ keylen_ealg(enctype, encklen)
- return res;
- }
-
-+void
-+pk_fixup_sa_addresses(mhp)
-+ caddr_t *mhp;
-+{
-+ struct sockaddr *src, *dst;
-+ src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
-+ dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-+#ifdef ENABLE_NATT
-+ if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) {
-+ /* NAT-T is enabled for this SADB entry; copy
-+ * the ports from NAT-T extensions */
-+ if(mhp[SADB_X_EXT_NAT_T_SPORT] != NULL)
-+ set_port(src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT]));
-+ if(mhp[SADB_X_EXT_NAT_T_DPORT] != NULL)
-+ set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));
-+ }
-+#else
-+ set_port(src, 0);
-+ set_port(dst, 0);
-+#endif
-+}
-+
- int
- pfkey_convertfromipsecdoi(proto_id, t_id, hashtype,
- e_type, e_keylen, a_type, a_keylen, flags)
-@@ -866,6 +888,8 @@ pk_sendgetspi(iph2)
- struct saprop *pp;
- struct saproto *pr;
- u_int32_t minspi, maxspi;
-+ u_int8_t natt_type = 0;
-+ u_int16_t sport = 0, dport = 0;
-
- if (iph2->side == INITIATOR)
- pp = iph2->proposal;
-@@ -919,19 +943,27 @@ pk_sendgetspi(iph2)
- }
-
- #ifdef ENABLE_NATT
-- if (! pr->udp_encap) {
-- /* Remove port information, that SA doesn't use it */
-- set_port(iph2->src, 0);
-- set_port(iph2->dst, 0);
-+ if (pr->udp_encap) {
-+ natt_type = iph2->ph1->natt_options->encaps_type;
-+ sport=extract_port(src);
-+ dport=extract_port(dst);
- }
- #endif
-+ /* Always remove port information, it will be sent in
-+ * SADB_X_EXT_NAT_T_[S|D]PORT if needed */
-+ set_port(src, 0);
-+ set_port(dst, 0);
-+
- plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_getspi\n");
-- if (pfkey_send_getspi(
-+ if (pfkey_send_getspi_nat(
- lcconf->sock_pfkey,
- satype,
- mode,
- dst, /* src of SA */
- src, /* dst of SA */
-+ natt_type,
-+ dport,
-+ sport,
- minspi, maxspi,
- pr->reqid_in, iph2->seq) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
-@@ -1157,13 +1189,13 @@ pk_sendupdate(iph2)
- #ifdef SADB_X_EXT_NAT_T_FRAG
- sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
- #endif
-- } else {
-- /* Remove port information, that SA doesn't use it */
-- set_port(sa_args.src, 0);
-- set_port(sa_args.dst, 0);
- }
--
- #endif
-+ /* Always remove port information, it will be sent in
-+ * SADB_X_EXT_NAT_T_[S|D]PORT if needed */
-+ set_port(sa_args.src, 0);
-+ set_port(sa_args.dst, 0);
-+
- /* more info to fill in */
- sa_args.spi = pr->spi;
- sa_args.reqid = pr->reqid_in;
-@@ -1236,6 +1268,7 @@ pk_recvupdate(mhp)
- return -1;
- }
- msg = (struct sadb_msg *)mhp[0];
-+ pk_fixup_sa_addresses(mhp);
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
-@@ -1328,7 +1361,6 @@ pk_recvupdate(mhp)
- /* Force the update of ph2's ports, as there is at least one
- * situation where they'll mismatch with ph1's values
- */
--
- #ifdef ENABLE_NATT
- set_port(iph2->src, extract_port(iph2->ph1->local));
- set_port(iph2->dst, extract_port(iph2->ph1->remote));
-@@ -1456,17 +1488,12 @@ pk_sendadd(iph2)
- #ifdef SADB_X_EXT_NAT_T_FRAG
- sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
- #endif
-- } else {
-- /* Remove port information, that SA doesn't use it */
-- set_port(sa_args.src, 0);
-- set_port(sa_args.dst, 0);
- }
--
--#else
-- /* Remove port information, it is not used without NAT-T */
-+#endif
-+ /* Always remove port information, it will be sent in
-+ * SADB_X_EXT_NAT_T_[S|D]PORT if needed */
- set_port(sa_args.src, 0);
- set_port(sa_args.dst, 0);
--#endif
-
- /* more info to fill in */
- sa_args.spi = pr->spi_p;
-@@ -1596,6 +1623,7 @@ pk_recvexpire(mhp)
- }
- msg = (struct sadb_msg *)mhp[0];
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
-+ pk_fixup_sa_addresses(mhp);
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
-@@ -1721,6 +1749,7 @@ pk_recvacquire(mhp)
- }
- msg = (struct sadb_msg *)mhp[0];
- xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
-+ pk_fixup_sa_addresses(mhp);
- sp_src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- sp_dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
-@@ -1971,6 +2000,7 @@ pk_recvdelete(mhp)
- }
- msg = (struct sadb_msg *)mhp[0];
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
-+ pk_fixup_sa_addresses(mhp);
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
-@@ -2709,7 +2739,6 @@ pk_recvspddump(mhp)
- return -1;
- }
- msg = (struct sadb_msg *)mhp[0];
--
- saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
- daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
- xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
-diff --git a/src/racoon/pfkey.h b/src/racoon/pfkey.h
-index a3acd1c..f1b037d 100644
---- a/src/racoon/pfkey.h
-+++ b/src/racoon/pfkey.h
-@@ -52,6 +52,7 @@ extern struct pfkey_st *pfkey_getpst __P((caddr_t *, int, int));
- extern int pk_checkalg __P((int, int, int));
-
- struct ph2handle;
-+extern void pk_fixup_sa_addresses __P((caddr_t *mhp));
- extern int pk_sendgetspi __P((struct ph2handle *));
- extern int pk_sendupdate __P((struct ph2handle *));
- extern int pk_sendadd __P((struct ph2handle *));
diff --git a/main/ipsec-tools/40-cmpsaddr-cleanup.patch b/main/ipsec-tools/40-cmpsaddr-cleanup.patch
deleted file mode 100644
index c5e3e4b33..000000000
--- a/main/ipsec-tools/40-cmpsaddr-cleanup.patch
+++ /dev/null
@@ -1,1403 +0,0 @@
-Get rid of CMPSADDR hack in port comparisons. Trac #295.
-
-From: Timo Teras <timo.teras@iki.fi>
-
-
----
-
- src/racoon/admin.c | 37 ++++---
- src/racoon/grabmyaddr.c | 22 ++--
- src/racoon/handler.c | 41 +++-----
- src/racoon/handler.h | 7 -
- src/racoon/isakmp.c | 90 ++++-------------
- src/racoon/isakmp_cfg.c | 9 --
- src/racoon/isakmp_inf.c | 111 ++++-----------------
- src/racoon/isakmp_quick.c | 29 +++---
- src/racoon/nattraversal.c | 8 +-
- src/racoon/pfkey.c | 52 +++-------
- src/racoon/policy.c | 22 ++--
- src/racoon/remoteconf.c | 30 +-----
- src/racoon/remoteconf.h | 3 -
- src/racoon/sockmisc.c | 234 +++------------------------------------------
- src/racoon/sockmisc.h | 15 +--
- src/racoon/throttle.c | 2
- 16 files changed, 170 insertions(+), 542 deletions(-)
-
-
-diff --git a/src/racoon/admin.c b/src/racoon/admin.c
-index 576e191..b67e545 100644
---- a/src/racoon/admin.c
-+++ b/src/racoon/admin.c
-@@ -167,6 +167,14 @@ end:
- return error;
- }
-
-+static int admin_ph1_delete_sa(struct ph1handle *iph1, void *arg)
-+{
-+ if (iph1->status >= PHASE1ST_ESTABLISHED)
-+ isakmp_info_send_d1(iph1);
-+ purge_remote(iph1);
-+ return 0;
-+}
-+
- /*
- * main child's process.
- */
-@@ -257,7 +265,7 @@ admin_process(so2, combuf)
- break;
- }
-
-- iph1 = getph1byaddrwop(src, dst);
-+ iph1 = getph1byaddr(src, dst, 0);
- if (iph1 == NULL) {
- l_ac_errno = ENOENT;
- break;
-@@ -292,30 +300,25 @@ admin_process(so2, combuf)
-
- case ADMIN_DELETE_SA: {
- struct ph1handle *iph1;
-- struct sockaddr *dst;
-- struct sockaddr *src;
-+ struct ph1selector sel;
- char *loc, *rem;
-
-- src = (struct sockaddr *)
-+ memset(&sel, 0, sizeof(sel));
-+ sel.local = (struct sockaddr *)
- &((struct admin_com_indexes *)
- ((caddr_t)com + sizeof(*com)))->src;
-- dst = (struct sockaddr *)
-+ sel.remote = (struct sockaddr *)
- &((struct admin_com_indexes *)
- ((caddr_t)com + sizeof(*com)))->dst;
-
-- loc = racoon_strdup(saddrwop2str(src));
-- rem = racoon_strdup(saddrwop2str(dst));
-+ loc = racoon_strdup(saddr2str(sel.local));
-+ rem = racoon_strdup(saddr2str(sel.remote));
- STRDUP_FATAL(loc);
- STRDUP_FATAL(rem);
-
-- if ((iph1 = getph1byaddrwop(src, dst)) == NULL) {
-- plog(LLV_ERROR, LOCATION, NULL,
-- "phase 1 for %s -> %s not found\n", loc, rem);
-- } else {
-- if (iph1->status >= PHASE1ST_ESTABLISHED)
-- isakmp_info_send_d1(iph1);
-- purge_remote(iph1);
-- }
-+ plog(LLV_INFO, LOCATION, NULL,
-+ "admin delete-sa %s %s\n", loc, rem);
-+ enumph1(&sel, admin_ph1_delete_sa, NULL);
-
- racoon_free(loc);
- racoon_free(rem);
-@@ -360,7 +363,7 @@ admin_process(so2, combuf)
- plog(LLV_INFO, LOCATION, NULL,
- "Flushing all SAs for peer %s\n", rem);
-
-- while ((iph1 = getph1bydstaddrwop(dst)) != NULL) {
-+ while ((iph1 = getph1bydstaddr(dst)) != NULL) {
- loc = racoon_strdup(saddrwop2str(iph1->local));
- STRDUP_FATAL(loc);
-
-@@ -429,7 +432,7 @@ admin_process(so2, combuf)
- l_ac_errno = -1;
-
- /* connected already? */
-- ph1 = getph1byaddrwop(src, dst);
-+ ph1 = getph1byaddr(src, dst, 0);
- if (ph1 != NULL) {
- event_list = &ph1->evt_listeners;
- if (ph1->status == PHASE1ST_ESTABLISHED)
-diff --git a/src/racoon/grabmyaddr.c b/src/racoon/grabmyaddr.c
-index f866dd5..cb1b638 100644
---- a/src/racoon/grabmyaddr.c
-+++ b/src/racoon/grabmyaddr.c
-@@ -100,7 +100,7 @@ myaddr_configured(addr)
- return TRUE;
-
- LIST_FOREACH(cfg, &configured, chain) {
-- if (cmpsaddrstrict(addr, (struct sockaddr *) &cfg->addr) == 0)
-+ if (cmpsaddr(addr, (struct sockaddr *) &cfg->addr) == 0)
- return TRUE;
- }
-
-@@ -116,7 +116,7 @@ myaddr_open(addr, udp_encap)
-
- /* Already open? */
- LIST_FOREACH(my, &opened, chain) {
-- if (cmpsaddrstrict(addr, (struct sockaddr *) &my->addr) == 0)
-+ if (cmpsaddr(addr, (struct sockaddr *) &my->addr) == 0)
- return TRUE;
- }
-
-@@ -156,7 +156,7 @@ myaddr_open_all_configured(addr)
-
- LIST_FOREACH(cfg, &configured, chain) {
- if (addr != NULL &&
-- cmpsaddrwop(addr, (struct sockaddr *) &cfg->addr) != 0)
-+ cmpsaddr(addr, (struct sockaddr *) &cfg->addr) != 0)
- continue;
- if (!myaddr_open((struct sockaddr *) &cfg->addr, cfg->udp_encap))
- return FALSE;
-@@ -187,8 +187,8 @@ myaddr_close_all_open(addr)
- for (my = LIST_FIRST(&opened); my; my = next) {
- next = LIST_NEXT(my, chain);
-
-- if (!cmpsaddrwop((struct sockaddr *) &addr,
-- (struct sockaddr *) &my->addr))
-+ if (!cmpsaddr((struct sockaddr *) &addr,
-+ (struct sockaddr *) &my->addr))
- myaddr_delete(my);
- }
- }
-@@ -261,7 +261,7 @@ myaddr_getfd(addr)
- struct myaddr *my;
-
- LIST_FOREACH(my, &opened, chain) {
-- if (cmpsaddrstrict((struct sockaddr *) &my->addr, addr) == 0)
-+ if (cmpsaddr((struct sockaddr *) &my->addr, addr) == 0)
- return my->fd;
- }
-
-@@ -273,19 +273,13 @@ myaddr_getsport(addr)
- struct sockaddr *addr;
- {
- struct myaddr *my;
-- int bestmatch_port = -1;
-
- LIST_FOREACH(my, &opened, chain) {
-- if (cmpsaddrstrict((struct sockaddr *) &my->addr, addr) == 0)
-+ if (cmpsaddr((struct sockaddr *) &my->addr, addr) == 0)
- return extract_port((struct sockaddr *) &my->addr);
-- if (cmpsaddrwop((struct sockaddr *) &my->addr, addr) != 0)
-- continue;
-- if (bestmatch_port == -1 ||
-- extract_port((struct sockaddr *) &my->addr) == PORT_ISAKMP)
-- bestmatch_port = extract_port((struct sockaddr *) &my->addr);
- }
-
-- return bestmatch_port;
-+ return PORT_ISAKMP;
- }
-
- void
-diff --git a/src/racoon/handler.c b/src/racoon/handler.c
-index 960b5b3..b33986f 100644
---- a/src/racoon/handler.c
-+++ b/src/racoon/handler.c
-@@ -120,11 +120,11 @@ enumph1(sel, enum_func, enum_arg)
- LIST_FOREACH(p, &ph1tree, chain) {
- if (sel != NULL) {
- if (sel->local != NULL &&
-- CMPSADDR(sel->local, p->local) != 0)
-+ cmpsaddr(sel->local, p->local) != 0)
- continue;
-
- if (sel->remote != NULL &&
-- CMPSADDR(sel->remote, p->remote) != 0)
-+ cmpsaddr(sel->remote, p->remote) != 0)
- continue;
- }
-
-@@ -201,17 +201,12 @@ getph1(rmconf, local, remote, flags)
- "status %d, skipping\n", p->status);
- continue;
- }
-- if (flags & GETPH1_F_WITHOUT_PORTS) {
-- if (local != NULL && cmpsaddrwop(local, p->local) != 0)
-- continue;
-- if (remote != NULL && cmpsaddrwop(remote, p->remote) != 0)
-- continue;
-- } else {
-- if (local != NULL && CMPSADDR(local, p->local) != 0)
-- continue;
-- if (remote != NULL && CMPSADDR(remote, p->remote) != 0)
-- continue;
-- }
-+
-+ if (local != NULL && cmpsaddr(local, p->local) != 0)
-+ continue;
-+
-+ if (remote != NULL && cmpsaddr(remote, p->remote) != 0)
-+ continue;
-
- plog(LLV_DEBUG2, LOCATION, NULL, "matched\n");
- return p;
-@@ -287,8 +282,8 @@ void migrate_dying_ph12(iph1)
- if (p->status < PHASE1ST_DYING)
- continue;
-
-- if (CMPSADDR(iph1->local, p->local) == 0
-- && CMPSADDR(iph1->remote, p->remote) == 0)
-+ if (cmpsaddr(iph1->local, p->local) == 0
-+ && cmpsaddr(iph1->remote, p->remote) == 0)
- migrate_ph12(p, iph1);
- }
- }
-@@ -518,11 +513,11 @@ enumph2(sel, enum_func, enum_arg)
- continue;
-
- if (sel->src != NULL &&
-- CMPSADDR(sel->src, p->src) != 0)
-+ cmpsaddr(sel->src, p->src) != 0)
- continue;
-
- if (sel->dst != NULL &&
-- CMPSADDR(sel->dst, p->dst) != 0)
-+ cmpsaddr(sel->dst, p->dst) != 0)
- continue;
- }
-
-@@ -586,8 +581,8 @@ getph2byid(src, dst, spid)
-
- LIST_FOREACH(p, &ph2tree, chain) {
- if (spid == p->spid &&
-- cmpsaddrwild(src, p->src) == 0 &&
-- cmpsaddrwild(dst, p->dst) == 0){
-+ cmpsaddr(src, p->src) == 0 &&
-+ cmpsaddr(dst, p->dst) == 0){
- /* Sanity check to detect zombie handlers
- * XXX Sould be done "somewhere" more interesting,
- * because we have lots of getph2byxxxx(), but this one
-@@ -614,8 +609,8 @@ getph2bysaddr(src, dst)
- struct ph2handle *p;
-
- LIST_FOREACH(p, &ph2tree, chain) {
-- if (cmpsaddrstrict(src, p->src) == 0 &&
-- cmpsaddrstrict(dst, p->dst) == 0)
-+ if (cmpsaddr(src, p->src) == 0 &&
-+ cmpsaddr(dst, p->dst) == 0)
- return p;
- }
-
-@@ -918,7 +913,7 @@ getcontacted(remote)
- struct contacted *p;
-
- LIST_FOREACH(p, &ctdtree, chain) {
-- if (cmpsaddrstrict(remote, p->remote) == 0)
-+ if (cmpsaddr(remote, p->remote) == 0)
- return p;
- }
-
-@@ -997,7 +992,7 @@ check_recvdpkt(remote, local, rbuf)
- /*
- * the packet was processed before, but the remote address mismatches.
- */
-- if (cmpsaddrstrict(remote, r->remote) != 0)
-+ if (cmpsaddr(remote, r->remote) != 0)
- return 2;
-
- /*
-diff --git a/src/racoon/handler.h b/src/racoon/handler.h
-index c31753d..8f19c88 100644
---- a/src/racoon/handler.h
-+++ b/src/racoon/handler.h
-@@ -467,7 +467,6 @@ extern int enumph1 __P((struct ph1selector *ph1sel,
- void *enum_arg));
-
- #define GETPH1_F_ESTABLISHED 0x0001
--#define GETPH1_F_WITHOUT_PORTS 0x0002
-
- extern struct ph1handle *getph1 __P((struct remoteconf *rmconf,
- struct sockaddr *local,
-@@ -476,10 +475,8 @@ extern struct ph1handle *getph1 __P((struct remoteconf *rmconf,
-
- #define getph1byaddr(local, remote, est) \
- getph1(NULL, local, remote, est ? GETPH1_F_ESTABLISHED : 0)
--#define getph1byaddrwop(local, remote) \
-- getph1(NULL, local, remote, GETPH1_F_WITHOUT_PORTS)
--#define getph1bydstaddrwop(remote) \
-- getph1(NULL, NULL, remote, GETPH1_F_WITHOUT_PORTS)
-+#define getph1bydstaddr(remote) \
-+ getph1(NULL, NULL, remote, 0)
-
- #ifdef ENABLE_HYBRID
- struct ph1handle *getph1bylogin __P((char *));
-diff --git a/src/racoon/isakmp.c b/src/racoon/isakmp.c
-index fe51653..0de16d1 100644
---- a/src/racoon/isakmp.c
-+++ b/src/racoon/isakmp.c
-@@ -475,8 +475,8 @@ isakmp_main(msg, remote, local)
- /* Floating ports for NAT-T */
- if (NATT_AVAILABLE(iph1) &&
- ! (iph1->natt_flags & NAT_PORTS_CHANGED) &&
-- ((cmpsaddrstrict(iph1->remote, remote) != 0) ||
-- (cmpsaddrstrict(iph1->local, local) != 0)))
-+ ((cmpsaddr(iph1->remote, remote) != 0) ||
-+ (cmpsaddr(iph1->local, local) != 0)))
- {
- /* prevent memory leak */
- racoon_free(iph1->remote);
-@@ -517,7 +517,7 @@ isakmp_main(msg, remote, local)
- #endif
-
- /* must be same addresses in one stream of a phase at least. */
-- if (cmpsaddrstrict(iph1->remote, remote) != 0) {
-+ if (cmpsaddr(iph1->remote, remote) != 0) {
- char *saddr_db, *saddr_act;
-
- saddr_db = racoon_strdup(saddr2str(iph1->remote));
-@@ -643,7 +643,7 @@ isakmp_main(msg, remote, local)
- "exchange received.\n");
- return -1;
- }
-- if (cmpsaddrstrict(iph1->remote, remote) != 0) {
-+ if (cmpsaddr(iph1->remote, remote) != 0) {
- plog(LLV_WARNING, LOCATION, remote,
- "remote address mismatched. "
- "db=%s\n",
-@@ -1275,6 +1275,12 @@ isakmp_ph2begin_i(iph1, iph2)
- }
- #endif
-
-+ /* fixup ph2 ports for this ph1 */
-+ if (extract_port(iph2->src) == 0)
-+ set_port(iph2->src, extract_port(iph1->local));
-+ if (extract_port(iph2->dst) == 0)
-+ set_port(iph2->dst, extract_port(iph1->remote));
-+
- /* found ISAKMP-SA. */
- plog(LLV_DEBUG, LOCATION, NULL, "===\n");
- plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
-@@ -1353,15 +1359,6 @@ isakmp_ph2begin_r(iph1, msg)
- delph2(iph2);
- return -1;
- }
--#if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
-- if (set_port(iph2->dst, 0) == NULL ||
-- set_port(iph2->src, 0) == NULL) {
-- plog(LLV_ERROR, LOCATION, NULL,
-- "invalid family: %d\n", iph2->dst->sa_family);
-- delph2(iph2);
-- return -1;
-- }
--#endif
-
- /* add new entry to isakmp status table */
- insph2(iph2);
-@@ -2186,23 +2183,12 @@ isakmp_post_acquire(iph2)
- return 0;
- }
-
-- /*
-- * Search isakmp status table by address and port
-- * If NAT-T is in use, consider null ports as a
-- * wildcard and use IKE ports instead.
-+ /*
-+ * XXX Searching by IP addresses + ports might fail on
-+ * some cases, we should use the ISAKMP identity to search
-+ * matching ISAKMP.
- */
--#ifdef ENABLE_NATT
-- if (!extract_port(iph2->src) && !extract_port(iph2->dst)) {
-- if ((iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL) {
-- set_port(iph2->src, extract_port(iph1->local));
-- set_port(iph2->dst, extract_port(iph1->remote));
-- }
-- } else {
-- iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
-- }
--#else
- iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
--#endif
-
- /* no ISAKMP-SA found. */
- if (iph1 == NULL) {
-@@ -2380,26 +2366,8 @@ isakmp_chkph1there(iph2)
- return;
- }
-
-- /*
-- * Search isakmp status table by address and port
-- * If NAT-T is in use, consider null ports as a
-- * wildcard and use IKE ports instead.
-- */
--#ifdef ENABLE_NATT
-- if (!extract_port(iph2->src) && !extract_port(iph2->dst)) {
-- plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: extract_port.\n");
-- if( (iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL){
-- plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: found a ph1 wop.\n");
-- }
-- } else {
-- plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: searching byaddr.\n");
-- iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
-- if(iph1 != NULL)
-- plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: found byaddr.\n");
-- }
--#else
-+ /* Search isakmp status table by address and port */
- iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
--#endif
-
- /* XXX Even if ph1 as responder is there, should we not start
- * phase 2 negotiation ? */
-@@ -3321,20 +3289,10 @@ purge_remote(iph1)
- msg = next;
- continue;
- }
-+ pk_fixup_sa_addresses(mhp);
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
--#ifdef SADB_X_NAT_T_NEW_MAPPING
-- if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) {
-- /* NAT-T is enabled for this SADB entry; copy
-- * the ports from NAT-T extensions */
-- if(mhp[SADB_X_EXT_NAT_T_SPORT] != NULL)
-- set_port(src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT]));
-- if(mhp[SADB_X_EXT_NAT_T_DPORT] != NULL)
-- set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));
-- }
--#endif
--
- if (sa->sadb_sa_state != SADB_SASTATE_LARVAL &&
- sa->sadb_sa_state != SADB_SASTATE_MATURE &&
- sa->sadb_sa_state != SADB_SASTATE_DYING) {
-@@ -3346,22 +3304,14 @@ purge_remote(iph1)
- * check in/outbound SAs.
- * Select only SAs where src == local and dst == remote (outgoing)
- * or src == remote and dst == local (incoming).
-- * XXX we sometime have src/dst ports set to 0 and want to match
-- * iph1->local/remote with ports set to 500. This is a bug, see trac:2
- */
--#ifdef ENABLE_NATT
-- if ((cmpsaddrmagic(iph1->local, src) || cmpsaddrmagic(iph1->remote, dst)) &&
-- (cmpsaddrmagic(iph1->local, dst) || cmpsaddrmagic(iph1->remote, src))) {
-- msg = next;
-- continue;
-- }
--#else
-- if ((CMPSADDR(iph1->local, src) || CMPSADDR(iph1->remote, dst)) &&
-- (CMPSADDR(iph1->local, dst) || CMPSADDR(iph1->remote, src))) {
-+ if ((cmpsaddr(iph1->local, src) ||
-+ cmpsaddr(iph1->remote, dst)) &&
-+ (cmpsaddr(iph1->local, dst) ||
-+ cmpsaddr(iph1->remote, src))) {
- msg = next;
- continue;
- }
--#endif
-
- proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
- iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);
-diff --git a/src/racoon/isakmp_cfg.c b/src/racoon/isakmp_cfg.c
-index 62916f8..df763f8 100644
---- a/src/racoon/isakmp_cfg.c
-+++ b/src/racoon/isakmp_cfg.c
-@@ -1151,15 +1151,6 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange)
- goto end;
- }
-
--#if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
-- if (set_port(iph2->dst, 0) == NULL ||
-- set_port(iph2->src, 0) == NULL) {
-- plog(LLV_ERROR, LOCATION, NULL,
-- "invalid family: %d\n", iph1->remote->sa_family);
-- delph2(iph2);
-- goto end;
-- }
--#endif
- iph2->side = INITIATOR;
- iph2->status = PHASE2ST_START;
-
-diff --git a/src/racoon/isakmp_inf.c b/src/racoon/isakmp_inf.c
-index a712825..6fa3498 100644
---- a/src/racoon/isakmp_inf.c
-+++ b/src/racoon/isakmp_inf.c
-@@ -903,15 +903,6 @@ isakmp_info_send_common(iph1, payload, np, flags)
- delph2(iph2);
- goto end;
- }
--#if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
-- if (set_port(iph2->dst, 0) == NULL ||
-- set_port(iph2->src, 0) == NULL) {
-- plog(LLV_ERROR, LOCATION, NULL,
-- "invalid family: %d\n", iph1->remote->sa_family);
-- delph2(iph2);
-- goto end;
-- }
--#endif
- iph2->side = INITIATOR;
- iph2->status = PHASE2ST_START;
- iph2->msgid = isakmp_newmsgid2(iph1);
-@@ -1127,9 +1118,6 @@ purge_ipsec_spi(dst0, proto, spi, n)
- u_int64_t created;
- size_t i;
- caddr_t mhp[SADB_EXT_MAX + 1];
--#ifdef ENABLE_NATT
-- int natt_port_forced;
--#endif
-
- plog(LLV_DEBUG2, LOCATION, NULL,
- "purge_ipsec_spi:\n");
-@@ -1169,6 +1157,7 @@ purge_ipsec_spi(dst0, proto, spi, n)
- msg = next;
- continue;
- }
-+ pk_fixup_sa_addresses(mhp);
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
- lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
-@@ -1182,28 +1171,7 @@ purge_ipsec_spi(dst0, proto, spi, n)
- msg = next;
- continue;
- }
--#ifdef ENABLE_NATT
-- if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) {
-- /* NAT-T is enabled for this SADB entry; copy
-- * the ports from NAT-T extensions */
-- if (extract_port(src) == 0 &&
-- mhp[SADB_X_EXT_NAT_T_SPORT] != NULL) {
-- set_port(src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT]));
-- }
-
-- if (extract_port(dst) == 0 &&
-- mhp[SADB_X_EXT_NAT_T_DPORT] != NULL) {
-- set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));
-- }
-- natt_port_forced = 0;
-- } else {
-- /* Force default UDP ports, so
-- * CMPSADDR will match SAs with NO encapsulation */
-- set_port(src, PORT_ISAKMP);
-- set_port(dst, PORT_ISAKMP);
-- natt_port_forced = 1;
-- }
--#endif
- plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(src));
- plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(dst));
-
-@@ -1211,19 +1179,11 @@ purge_ipsec_spi(dst0, proto, spi, n)
-
- /* don't delete inbound SAs at the moment */
- /* XXX should we remove SAs with opposite direction as well? */
-- if (CMPSADDR(dst0, dst)) {
-+ if (cmpsaddr(dst0, dst)) {
- msg = next;
- continue;
- }
-
--#ifdef ENABLE_NATT
-- if (natt_port_forced) {
-- /* Set back port to 0 if it was forced
-- * to default UDP port */
-- set_port(src, 0);
-- set_port(dst, 0);
-- }
--#endif
- for (i = 0; i < n; i++) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "check spi(packet)=%u spi(db)=%u.\n",
-@@ -1354,37 +1314,33 @@ isakmp_info_recv_initialcontact(iph1, protectedph2)
- msg = (struct sadb_msg *)buf->v;
- end = (struct sadb_msg *)(buf->v + buf->l);
-
-- while (msg < end) {
-+ for (; msg < end; msg = next) {
- if ((msg->sadb_msg_len << 3) < sizeof(*msg))
- break;
-+
- next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3));
-- if (msg->sadb_msg_type != SADB_DUMP) {
-- msg = next;
-+ if (msg->sadb_msg_type != SADB_DUMP)
- continue;
-- }
-
- if (pfkey_align(msg, mhp) || pfkey_check(mhp)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "pfkey_check (%s)\n", ipsec_strerror());
-- msg = next;
- continue;
- }
-
- if (mhp[SADB_EXT_SA] == NULL
- || mhp[SADB_EXT_ADDRESS_SRC] == NULL
-- || mhp[SADB_EXT_ADDRESS_DST] == NULL) {
-- msg = next;
-+ || mhp[SADB_EXT_ADDRESS_DST] == NULL)
- continue;
-- }
-+
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
-+ pk_fixup_sa_addresses(mhp);
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
- if (sa->sadb_sa_state != SADB_SASTATE_MATURE
-- && sa->sadb_sa_state != SADB_SASTATE_DYING) {
-- msg = next;
-+ && sa->sadb_sa_state != SADB_SASTATE_DYING)
- continue;
-- }
-
- /*
- * RFC2407 4.6.3.3 INITIAL-CONTACT is the message that
-@@ -1394,39 +1350,18 @@ isakmp_info_recv_initialcontact(iph1, protectedph2)
- * racoon only deletes SA which is matched both the
- * source address and the destination accress.
- */
--#ifdef ENABLE_NATT
-- /*
-- * XXX RFC 3947 says that whe MUST NOT use IP+port to find old SAs
-- * from this peer !
-- */
-- if(iph1->natt_flags & NAT_DETECTED){
-- if (CMPSADDR(iph1->local, src) == 0 &&
-- CMPSADDR(iph1->remote, dst) == 0)
-- ;
-- else if (CMPSADDR(iph1->remote, src) == 0 &&
-- CMPSADDR(iph1->local, dst) == 0)
-- ;
-- else {
-- msg = next;
-- continue;
-- }
-- } else
--#endif
-- /* If there is no NAT-T, we don't have to check addr + port...
-- * XXX what about a configuration with a remote peers which is not
-- * NATed, but which NATs some other peers ?
-- * Here, the INITIAl-CONTACT would also flush all those NATed peers !!
-- */
-- if (cmpsaddrwop(iph1->local, src) == 0 &&
-- cmpsaddrwop(iph1->remote, dst) == 0)
-- ;
-- else if (cmpsaddrwop(iph1->remote, src) == 0 &&
-- cmpsaddrwop(iph1->local, dst) == 0)
-- ;
-- else {
-- msg = next;
-+
-+ /*
-+ * Check that the IP and port match. But this is not optimal,
-+ * since NAT-T can make the peer have multiple different
-+ * ports. Correct thing to do is delete all entries with
-+ * same identity. -TT
-+ */
-+ if ((cmpsaddr(iph1->local, src) != 0 ||
-+ cmpsaddr(iph1->remote, dst) != 0) &&
-+ (cmpsaddr(iph1->local, dst) != 0 ||
-+ cmpsaddr(iph1->remote, src) != 0))
- continue;
-- }
-
- /*
- * Make sure this is an SATYPE that we manage.
-@@ -1438,10 +1373,8 @@ isakmp_info_recv_initialcontact(iph1, protectedph2)
- msg->sadb_msg_satype)
- break;
- }
-- if (i == pfkey_nsatypes) {
-- msg = next;
-+ if (i == pfkey_nsatypes)
- continue;
-- }
-
- plog(LLV_INFO, LOCATION, NULL,
- "purging spi=%u.\n", ntohl(sa->sadb_sa_spi));
-@@ -1461,8 +1394,6 @@ isakmp_info_recv_initialcontact(iph1, protectedph2)
- remph2(iph2);
- delph2(iph2);
- }
--
-- msg = next;
- }
-
- vfree(buf);
-diff --git a/src/racoon/isakmp_quick.c b/src/racoon/isakmp_quick.c
-index 804c1bf..46c84c1 100644
---- a/src/racoon/isakmp_quick.c
-+++ b/src/racoon/isakmp_quick.c
-@@ -610,17 +610,19 @@ quick_i2recv(iph2, msg0)
- error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
- goto end;
- }
-+#ifdef ENABLE_NATT
-+ set_port(iph2->natoa_src,
-+ extract_port((struct sockaddr *) &proposed_addr));
-+#endif
-
-- if (cmpsaddrstrict((struct sockaddr *) &proposed_addr,
-- (struct sockaddr *) &got_addr) == 0) {
-+ if (cmpsaddr((struct sockaddr *) &proposed_addr,
-+ (struct sockaddr *) &got_addr) == 0) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "IDci matches proposal.\n");
- #ifdef ENABLE_NATT
- } else if (iph2->natoa_src != NULL
-- && cmpsaddrwop(iph2->natoa_src,
-- (struct sockaddr *) &got_addr) == 0
-- && extract_port((struct sockaddr *) &proposed_addr) ==
-- extract_port((struct sockaddr *) &got_addr)) {
-+ && cmpsaddr(iph2->natoa_src,
-+ (struct sockaddr *) &got_addr) == 0) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "IDci matches NAT-OAi.\n");
- #endif
-@@ -656,16 +658,19 @@ quick_i2recv(iph2, msg0)
- goto end;
- }
-
-- if (cmpsaddrstrict((struct sockaddr *) &proposed_addr,
-- (struct sockaddr *) &got_addr) == 0) {
-+#ifdef ENABLE_NATT
-+ set_port(iph2->natoa_dst,
-+ extract_port((struct sockaddr *) &proposed_addr));
-+#endif
-+
-+ if (cmpsaddr((struct sockaddr *) &proposed_addr,
-+ (struct sockaddr *) &got_addr) == 0) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "IDcr matches proposal.\n");
- #ifdef ENABLE_NATT
- } else if (iph2->natoa_dst != NULL
-- && cmpsaddrwop(iph2->natoa_dst,
-- (struct sockaddr *) &got_addr) == 0
-- && extract_port((struct sockaddr *) &proposed_addr) ==
-- extract_port((struct sockaddr *) &got_addr)) {
-+ && cmpsaddr(iph2->natoa_dst,
-+ (struct sockaddr *) &got_addr) == 0) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "IDcr matches NAT-OAr.\n");
- #endif
-diff --git a/src/racoon/nattraversal.c b/src/racoon/nattraversal.c
-index f23341a..92095de 100644
---- a/src/racoon/nattraversal.c
-+++ b/src/racoon/nattraversal.c
-@@ -379,8 +379,8 @@ natt_keepalive_add (struct sockaddr *src, struct sockaddr *dst)
- struct natt_ka_addrs *ka = NULL, *new_addr;
-
- TAILQ_FOREACH (ka, &ka_tree, chain) {
-- if (cmpsaddrstrict(ka->src, src) == 0 &&
-- cmpsaddrstrict(ka->dst, dst) == 0) {
-+ if (cmpsaddr(ka->src, src) == 0 &&
-+ cmpsaddr(ka->dst, dst) == 0) {
- ka->in_use++;
- plog (LLV_INFO, LOCATION, NULL, "KA found: %s (in_use=%u)\n",
- saddr2str_fromto("%s->%s", src, dst), ka->in_use);
-@@ -443,8 +443,8 @@ natt_keepalive_remove (struct sockaddr *src, struct sockaddr *dst)
- plog (LLV_DEBUG, LOCATION, NULL, "KA tree dump: %s (in_use=%u)\n",
- saddr2str_fromto("%s->%s", src, dst), ka->in_use);
-
-- if (cmpsaddrstrict(ka->src, src) == 0 &&
-- cmpsaddrstrict(ka->dst, dst) == 0 &&
-+ if (cmpsaddr(ka->src, src) == 0 &&
-+ cmpsaddr(ka->dst, dst) == 0 &&
- -- ka->in_use <= 0) {
-
- plog (LLV_DEBUG, LOCATION, NULL, "KA removing this one...\n");
-diff --git a/src/racoon/pfkey.c b/src/racoon/pfkey.c
-index c210c5e..3778ef2 100644
---- a/src/racoon/pfkey.c
-+++ b/src/racoon/pfkey.c
-@@ -774,8 +774,12 @@ pk_fixup_sa_addresses(mhp)
- caddr_t *mhp;
- {
- struct sockaddr *src, *dst;
-+
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-+ set_port(src, PORT_ISAKMP);
-+ set_port(dst, PORT_ISAKMP);
-+
- #ifdef ENABLE_NATT
- if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) {
- /* NAT-T is enabled for this SADB entry; copy
-@@ -785,9 +789,6 @@ pk_fixup_sa_addresses(mhp)
- if(mhp[SADB_X_EXT_NAT_T_DPORT] != NULL)
- set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));
- }
--#else
-- set_port(src, 0);
-- set_port(dst, 0);
- #endif
- }
-
-@@ -949,10 +950,6 @@ pk_sendgetspi(iph2)
- dport=extract_port(dst);
- }
- #endif
-- /* Always remove port information, it will be sent in
-- * SADB_X_EXT_NAT_T_[S|D]PORT if needed */
-- set_port(src, 0);
-- set_port(dst, 0);
-
- plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_getspi\n");
- if (pfkey_send_getspi_nat(
-@@ -1009,6 +1006,7 @@ pk_recvgetspi(mhp)
- }
- msg = (struct sadb_msg *)mhp[0];
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
-+ pk_fixup_sa_addresses(mhp);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); /* note SA dir */
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
-@@ -1183,18 +1181,14 @@ pk_sendupdate(iph2)
- #ifdef ENABLE_NATT
- if (pr->udp_encap) {
- sa_args.l_natt_type = iph2->ph1->natt_options->encaps_type;
-- sa_args.l_natt_sport = extract_port (iph2->ph1->remote);
-- sa_args.l_natt_dport = extract_port (iph2->ph1->local);
-+ sa_args.l_natt_sport = extract_port(iph2->ph1->remote);
-+ sa_args.l_natt_dport = extract_port(iph2->ph1->local);
- sa_args.l_natt_oa = iph2->natoa_src;
- #ifdef SADB_X_EXT_NAT_T_FRAG
- sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
- #endif
- }
- #endif
-- /* Always remove port information, it will be sent in
-- * SADB_X_EXT_NAT_T_[S|D]PORT if needed */
-- set_port(sa_args.src, 0);
-- set_port(sa_args.dst, 0);
-
- /* more info to fill in */
- sa_args.spi = pr->spi;
-@@ -1358,14 +1352,6 @@ pk_recvupdate(mhp)
- /* turn off schedule */
- sched_cancel(&iph2->scr);
-
-- /* Force the update of ph2's ports, as there is at least one
-- * situation where they'll mismatch with ph1's values
-- */
--#ifdef ENABLE_NATT
-- set_port(iph2->src, extract_port(iph2->ph1->local));
-- set_port(iph2->dst, extract_port(iph2->ph1->remote));
--#endif
--
- /*
- * since we are going to reuse the phase2 handler, we need to
- * remain it and refresh all the references between ph1 and ph2 to use.
-@@ -1418,7 +1404,7 @@ pk_sendadd(iph2)
- racoon_free(sa_args.src);
- racoon_free(sa_args.dst);
- return -1;
-- }
-+ }
-
- for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
- /* validity check */
-@@ -1490,11 +1476,6 @@ pk_sendadd(iph2)
- #endif
- }
- #endif
-- /* Always remove port information, it will be sent in
-- * SADB_X_EXT_NAT_T_[S|D]PORT if needed */
-- set_port(sa_args.src, 0);
-- set_port(sa_args.dst, 0);
--
- /* more info to fill in */
- sa_args.spi = pr->spi_p;
- sa_args.reqid = pr->reqid_out;
-@@ -1559,6 +1540,7 @@ pk_recvadd(mhp)
- return -1;
- }
- msg = (struct sadb_msg *)mhp[0];
-+ pk_fixup_sa_addresses(mhp);
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
-@@ -1749,7 +1731,9 @@ pk_recvacquire(mhp)
- }
- msg = (struct sadb_msg *)mhp[0];
- xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
-- pk_fixup_sa_addresses(mhp);
-+ /* acquire does not have nat-t ports; so do not bother setting
-+ * the default port 500; just use the port zero for wildcard
-+ * matching the get a valid natted destination */
- sp_src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- sp_dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
-@@ -2884,8 +2868,8 @@ migrate_ph1_ike_addresses(iph1, arg)
- u_int16_t port;
-
- /* Already up-to-date? */
-- if (cmpsaddrwop(iph1->local, ma->local) == 0 &&
-- cmpsaddrwop(iph1->remote, ma->remote) == 0)
-+ if (cmpsaddr(iph1->local, ma->local) == 0 &&
-+ cmpsaddr(iph1->remote, ma->remote) == 0)
- return 0;
-
- if (iph1->status < PHASE1ST_ESTABLISHED) {
-@@ -2985,8 +2969,8 @@ migrate_ph2_ike_addresses(iph2, arg)
- migrate_ph1_ike_addresses(iph2->ph1, arg);
-
- /* Already up-to-date? */
-- if (CMPSADDR(iph2->src, ma->local) == 0 &&
-- CMPSADDR(iph2->dst, ma->remote) == 0)
-+ if (cmpsaddr(iph2->src, ma->local) == 0 &&
-+ cmpsaddr(iph2->dst, ma->remote) == 0)
- return 0;
-
- /* save src/dst as sa_src/sa_dst before rewriting */
-@@ -3206,8 +3190,8 @@ migrate_ph2_one_isr(spid, isr_cur, xisr_old, xisr_new)
- "changing address families (%d to %d) for endpoints.\n",
- osaddr->sa_family, nsaddr->sa_family);
-
-- if (CMPSADDR(osaddr, (struct sockaddr *)&saidx->src) ||
-- CMPSADDR(odaddr, (struct sockaddr *)&saidx->dst)) {
-+ if (cmpsaddr(osaddr, (struct sockaddr *) &saidx->src) ||
-+ cmpsaddr(odaddr, (struct sockaddr *) &saidx->dst)) {
- plog(LLV_DEBUG, LOCATION, NULL, "SADB_X_MIGRATE: "
- "mismatch of addresses in saidx and xisr.\n");
- return -1;
-diff --git a/src/racoon/policy.c b/src/racoon/policy.c
-index 850fa6b..058753f 100644
---- a/src/racoon/policy.c
-+++ b/src/racoon/policy.c
-@@ -141,16 +141,18 @@ getsp_r(spidx, iph2)
- saddr2str(iph2->src));
- plog(LLV_DEBUG, LOCATION, NULL, "src2: %s\n",
- saddr2str((struct sockaddr *)&spidx->src));
-- if (cmpsaddrwop(iph2->src, (struct sockaddr *)&spidx->src)
-- || spidx->prefs != prefixlen)
-+
-+ if (cmpsaddr(iph2->src, (struct sockaddr *) &spidx->src) ||
-+ spidx->prefs != prefixlen)
- return NULL;
-
- plog(LLV_DEBUG, LOCATION, NULL, "dst1: %s\n",
- saddr2str(iph2->dst));
- plog(LLV_DEBUG, LOCATION, NULL, "dst2: %s\n",
- saddr2str((struct sockaddr *)&spidx->dst));
-- if (cmpsaddrwop(iph2->dst, (struct sockaddr *)&spidx->dst)
-- || spidx->prefd != prefixlen)
-+
-+ if (cmpsaddr(iph2->dst, (struct sockaddr *) &spidx->dst) ||
-+ spidx->prefd != prefixlen)
- return NULL;
-
- plog(LLV_DEBUG, LOCATION, NULL, "looks to be transport mode\n");
-@@ -198,11 +200,11 @@ cmpspidxstrict(a, b)
- || a->ul_proto != b->ul_proto)
- return 1;
-
-- if (cmpsaddrstrict((struct sockaddr *)&a->src,
-- (struct sockaddr *)&b->src))
-+ if (cmpsaddr((struct sockaddr *) &a->src,
-+ (struct sockaddr *) &b->src))
- return 1;
-- if (cmpsaddrstrict((struct sockaddr *)&a->dst,
-- (struct sockaddr *)&b->dst))
-+ if (cmpsaddr((struct sockaddr *) &a->dst,
-+ (struct sockaddr *) &b->dst))
- return 1;
-
- #ifdef HAVE_SECCTX
-@@ -259,7 +261,7 @@ cmpspidxwild(a, b)
- a, b->prefs, saddr2str((struct sockaddr *)&sa1));
- plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
- b, b->prefs, saddr2str((struct sockaddr *)&sa2));
-- if (cmpsaddrwild((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
-+ if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
- return 1;
-
- #ifndef __linux__
-@@ -277,7 +279,7 @@ cmpspidxwild(a, b)
- a, b->prefd, saddr2str((struct sockaddr *)&sa1));
- plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
- b, b->prefd, saddr2str((struct sockaddr *)&sa2));
-- if (cmpsaddrwild((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
-+ if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
- return 1;
-
- #ifdef HAVE_SECCTX
-diff --git a/src/racoon/remoteconf.c b/src/racoon/remoteconf.c
-index 73d80bc..88c622c 100644
---- a/src/racoon/remoteconf.c
-+++ b/src/racoon/remoteconf.c
-@@ -200,15 +200,9 @@ rmconf_match_type(rmsel, rmconf)
- /* Check address */
- if (rmsel->remote != NULL) {
- if (rmconf->remote->sa_family != AF_UNSPEC) {
-- if (rmsel->flags & GETRMCONF_F_NO_PORTS) {
-- if (cmpsaddrwop(rmsel->remote,
-- rmconf->remote) != 0)
-- return 0;
-- } else {
-- if (cmpsaddrstrict(rmsel->remote,
-- rmconf->remote) != 0)
-- return 0;
-- }
-+ if (cmpsaddr(rmsel->remote, rmconf->remote) != 0)
-+ return 0;
-+
- /* Address matched */
- ret = 2;
- }
-@@ -262,7 +256,7 @@ void rmconf_selector_from_ph1(rmsel, iph1)
- struct ph1handle *iph1;
- {
- memset(rmsel, 0, sizeof(*rmsel));
-- rmsel->flags = GETRMCONF_F_NO_PORTS;
-+ rmsel->flags = 0;
- rmsel->remote = iph1->remote;
- rmsel->etype = iph1->etype;
- rmsel->approval = iph1->approval;
-@@ -357,22 +351,8 @@ getrmconf(remote, flags)
- int n = 0;
-
- memset(&ctx, 0, sizeof(ctx));
-- ctx.sel.flags = flags | GETRMCONF_F_NO_PORTS;
-+ ctx.sel.flags = flags;
- ctx.sel.remote = remote;
--#ifndef ENABLE_NATT
-- /*
-- * We never have ports set in our remote configurations, but when
-- * NAT-T is enabled, the kernel can have policies with ports and
-- * send us an acquire message for a destination that has a port set.
-- * If we do this port check here, we don't find the remote config.
-- *
-- * In an ideal world, we would be able to have remote conf with
-- * port, and the port could be a wildcard. That test could be used.
-- */
-- if (remote->sa_family != AF_UNSPEC &&
-- extract_port(remote) != IPSEC_PORT_ANY)
-- ctx.sel.flags &= ~GETRMCONF_F_NO_PORTS;
--#endif /* ENABLE_NATT */
-
- if (enumrmconf(&ctx.sel, rmconf_find, &ctx) != 0) {
- plog(LLV_ERROR, LOCATION, remote,
-diff --git a/src/racoon/remoteconf.h b/src/racoon/remoteconf.h
-index 38faf03..b2e9e4a 100644
---- a/src/racoon/remoteconf.h
-+++ b/src/racoon/remoteconf.h
-@@ -189,8 +189,7 @@ extern int enumrmconf __P((struct rmconfselector *rmsel,
- void *enum_arg));
-
- #define GETRMCONF_F_NO_ANONYMOUS 0x0001
--#define GETRMCONF_F_NO_PORTS 0x0002
--#define GETRMCONF_F_NO_PASSIVE 0x0004
-+#define GETRMCONF_F_NO_PASSIVE 0x0002
-
- #define RMCONF_ERR_MULTIPLE ((struct remoteconf *) -1)
-
-diff --git a/src/racoon/sockmisc.c b/src/racoon/sockmisc.c
-index 5c1f9c7..2bc2177 100644
---- a/src/racoon/sockmisc.c
-+++ b/src/racoon/sockmisc.c
-@@ -80,87 +77,28 @@
- const int niflags = 0;
-
- /*
-- * compare two sockaddr without port number.
-- * OUT: 0: equal.
-- * 1: not equal.
-- */
--int
--cmpsaddrwop(addr1, addr2)
-- const struct sockaddr *addr1;
-- const struct sockaddr *addr2;
--{
-- caddr_t sa1, sa2;
--
-- if (addr1 == 0 && addr2 == 0)
-- return 0;
-- if (addr1 == 0 || addr2 == 0)
-- return 1;
--
--#ifdef __linux__
-- if (addr1->sa_family != addr2->sa_family)
-- return 1;
--#else
-- if (addr1->sa_len != addr2->sa_len
-- || addr1->sa_family != addr2->sa_family)
-- return 1;
--
--#endif /* __linux__ */
--
-- switch (addr1->sa_family) {
-- case AF_UNSPEC:
-- break;
-- case AF_INET:
-- sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr;
-- sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
-- if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
-- return 1;
-- break;
--#ifdef INET6
-- case AF_INET6:
-- sa1 = (caddr_t)&((struct sockaddr_in6 *)addr1)->sin6_addr;
-- sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
-- if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
-- return 1;
-- if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
-- ((struct sockaddr_in6 *)addr2)->sin6_scope_id)
-- return 1;
-- break;
--#endif
-- default:
-- return 1;
-- }
--
-- return 0;
--}
--
--/*
- * compare two sockaddr with port, taking care wildcard.
- * addr1 is a subject address, addr2 is in a database entry.
- * OUT: 0: equal.
- * 1: not equal.
- */
- int
--cmpsaddrwild(addr1, addr2)
-+cmpsaddr(addr1, addr2)
- const struct sockaddr *addr1;
- const struct sockaddr *addr2;
- {
- caddr_t sa1, sa2;
- u_short port1, port2;
-
-- if (addr1 == 0 && addr2 == 0)
-- return 0;
-- if (addr1 == 0 || addr2 == 0)
-- return 1;
-+ if (addr1 == NULL && addr2 == NULL)
-+ return CMPSADDR_MATCH;
-
--#ifdef __linux__
-- if (addr1->sa_family != addr2->sa_family)
-- return 1;
--#else
-- if (addr1->sa_len != addr2->sa_len
-- || addr1->sa_family != addr2->sa_family)
-- return 1;
-+ if (addr1 == NULL || addr2 == NULL)
-+ return CMPSADDR_MISMATCH;
-
--#endif /* __linux__ */
-+ if (addr1->sa_family != addr2->sa_family ||
-+ sysdep_sa_len(addr1) != sysdep_sa_len(addr2))
-+ return CMPSADDR_MISMATCH;
-
- switch (addr1->sa_family) {
- case AF_UNSPEC:
-@@ -170,12 +108,8 @@ cmpsaddrwild(addr1, addr2)
- sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
- port1 = ((struct sockaddr_in *)addr1)->sin_port;
- port2 = ((struct sockaddr_in *)addr2)->sin_port;
-- if (!(port1 == IPSEC_PORT_ANY ||
-- port2 == IPSEC_PORT_ANY ||
-- port1 == port2))
-- return 1;
- if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
-- return 1;
-+ return CMPSADDR_MISMATCH;
- break;
- #ifdef INET6
- case AF_INET6:
-@@ -183,155 +117,23 @@ cmpsaddrwild(addr1, addr2)
- sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
- port1 = ((struct sockaddr_in6 *)addr1)->sin6_port;
- port2 = ((struct sockaddr_in6 *)addr2)->sin6_port;
-- if (!(port1 == IPSEC_PORT_ANY ||
-- port2 == IPSEC_PORT_ANY ||
-- port1 == port2))
-- return 1;
- if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
-- return 1;
-+ return CMPSADDR_MISMATCH;
- if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
- ((struct sockaddr_in6 *)addr2)->sin6_scope_id)
-- return 1;
-+ return CMPSADDR_MISMATCH;
- break;
- #endif
- default:
-- return 1;
-+ return CMPSADDR_MISMATCH;
- }
-
-- return 0;
--}
--
--/*
-- * compare two sockaddr with port, taking care specific situation:
-- * one addr has 0 as port, and the other has 500 (network order), return equal
-- * OUT: 0: equal.
-- * 1: not equal.
-- */
--int
--cmpsaddrmagic(addr1, addr2)
-- const struct sockaddr *addr1;
-- const struct sockaddr *addr2;
--{
-- caddr_t sa1, sa2;
-- u_short port1, port2;
--
-- if (addr1 == 0 && addr2 == 0)
-- return 0;
-- if (addr1 == 0 || addr2 == 0)
-- return 1;
--
--#ifdef __linux__
-- if (addr1->sa_family != addr2->sa_family)
-- return 1;
--#else
-- if (addr1->sa_len != addr2->sa_len
-- || addr1->sa_family != addr2->sa_family)
-- return 1;
-+ if (port1 == port2 ||
-+ port1 == IPSEC_PORT_ANY ||
-+ port2 == IPSEC_PORT_ANY)
-+ return CMPSADDR_MATCH;
-
--#endif /* __linux__ */
--
-- switch (addr1->sa_family) {
-- case AF_UNSPEC:
-- break;
-- case AF_INET:
-- sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr;
-- sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
-- port1 = ((struct sockaddr_in *)addr1)->sin_port;
-- port2 = ((struct sockaddr_in *)addr2)->sin_port;
-- plog(LLV_DEBUG, LOCATION, NULL, "cmpsaddr_magic: port1 == %d, port2 == %d\n", port1, port2);
-- if (!((port1 == IPSEC_PORT_ANY && port2 == ntohs(PORT_ISAKMP)) ||
-- (port2 == IPSEC_PORT_ANY && port1 == ntohs(PORT_ISAKMP)) ||
-- (port1 == port2))){
-- plog(LLV_DEBUG, LOCATION, NULL, "cmpsaddr_magic: ports mismatch\n");
-- return 1;
-- }
-- plog(LLV_DEBUG, LOCATION, NULL, "cmpsaddr_magic: ports matched\n");
-- if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
-- return 1;
-- break;
--#ifdef INET6
-- case AF_INET6:
-- sa1 = (caddr_t)&((struct sockaddr_in6 *)addr1)->sin6_addr;
-- sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
-- port1 = ((struct sockaddr_in6 *)addr1)->sin6_port;
-- port2 = ((struct sockaddr_in6 *)addr2)->sin6_port;
-- if (!((port1 == IPSEC_PORT_ANY && port2 == PORT_ISAKMP) ||
-- (port2 == IPSEC_PORT_ANY && port1 == PORT_ISAKMP) ||
-- (port1 == port2)))
-- return 1;
-- if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
-- return 1;
-- if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
-- ((struct sockaddr_in6 *)addr2)->sin6_scope_id)
-- return 1;
-- break;
--#endif
-- default:
-- return 1;
-- }
--
-- return 0;
--}
--
--/*
-- * compare two sockaddr with strict match on port.
-- * OUT: 0: equal.
-- * 1: not equal.
-- */
--int
--cmpsaddrstrict(addr1, addr2)
-- const struct sockaddr *addr1;
-- const struct sockaddr *addr2;
--{
-- caddr_t sa1, sa2;
-- u_short port1, port2;
--
-- if (addr1 == 0 && addr2 == 0)
-- return 0;
-- if (addr1 == 0 || addr2 == 0)
-- return 1;
--
--#ifdef __linux__
-- if (addr1->sa_family != addr2->sa_family)
-- return 1;
--#else
-- if (addr1->sa_len != addr2->sa_len
-- || addr1->sa_family != addr2->sa_family)
-- return 1;
--
--#endif /* __linux__ */
--
-- switch (addr1->sa_family) {
-- case AF_INET:
-- sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr;
-- sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
-- port1 = ((struct sockaddr_in *)addr1)->sin_port;
-- port2 = ((struct sockaddr_in *)addr2)->sin_port;
-- if (port1 != port2)
-- return 1;
-- if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
-- return 1;
-- break;
--#ifdef INET6
-- case AF_INET6:
-- sa1 = (caddr_t)&((struct sockaddr_in6 *)addr1)->sin6_addr;
-- sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
-- port1 = ((struct sockaddr_in6 *)addr1)->sin6_port;
-- port2 = ((struct sockaddr_in6 *)addr2)->sin6_port;
-- if (port1 != port2)
-- return 1;
-- if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
-- return 1;
-- if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
-- ((struct sockaddr_in6 *)addr2)->sin6_scope_id)
-- return 1;
-- break;
--#endif
-- default:
-- return 1;
-- }
--
-- return 0;
-+ return CMPSADDR_WOP_MATCH;
- }
-
- /* get local address against the destination. */
-@@ -1129,7 +931,7 @@ naddr_score(const struct netaddr *naddr, const struct sockaddr *saddr)
- free(a2);
- free(a3);
- }
-- if (cmpsaddrwop(&sa, &naddr->sa.sa) == 0)
-+ if (cmpsaddr(&sa, &naddr->sa.sa) == 0)
- return naddr->prefix + port_score;
-
- return -1;
-diff --git a/src/racoon/sockmisc.h b/src/racoon/sockmisc.h
-index fcc286f..0a58f44 100644
---- a/src/racoon/sockmisc.h
-+++ b/src/racoon/sockmisc.h
-@@ -54,16 +54,11 @@ struct netaddr {
-
- extern const int niflags;
-
--extern int cmpsaddrwop __P((const struct sockaddr *, const struct sockaddr *));
--extern int cmpsaddrwild __P((const struct sockaddr *, const struct sockaddr *));
--extern int cmpsaddrstrict __P((const struct sockaddr *, const struct sockaddr *));
--extern int cmpsaddrmagic __P((const struct sockaddr *, const struct sockaddr *));
--
--#ifdef ENABLE_NATT
--#define CMPSADDR(saddr1, saddr2) cmpsaddrstrict((saddr1), (saddr2))
--#else
--#define CMPSADDR(saddr1, saddr2) cmpsaddrwop((saddr1), (saddr2))
--#endif
-+#define CMPSADDR_MATCH 0
-+#define CMPSADDR_WOP_MATCH 1
-+#define CMPSADDR_MISMATCH 2
-+
-+extern int cmpsaddr __P((const struct sockaddr *, const struct sockaddr *));
-
- extern struct sockaddr *getlocaladdr __P((struct sockaddr *));
-
-diff --git a/src/racoon/throttle.c b/src/racoon/throttle.c
-index 5ab62c3..64b566b 100644
---- a/src/racoon/throttle.c
-+++ b/src/racoon/throttle.c
-@@ -104,7 +104,7 @@ restart:
- goto restart;
- }
-
-- if (cmpsaddrwop(addr, (struct sockaddr *)&te->host) == 0) {
-+ if (cmpsaddr(addr, (struct sockaddr *) &te->host) == 0) {
- found = 1;
- break;
- }
diff --git a/main/ipsec-tools/50-reverse-connect.patch b/main/ipsec-tools/50-reverse-connect.patch
index c49eae347..f29c3d509 100644
--- a/main/ipsec-tools/50-reverse-connect.patch
+++ b/main/ipsec-tools/50-reverse-connect.patch
@@ -125,9 +125,9 @@ index b33986f..9fd3817 100644
+ * to firewall or nat */
+ if (iph1->side == RESPONDER && p->side == INITIATOR &&
+ p->status < PHASE1ST_MSG3RECEIVED) {
++ /* Do not delete ph1, since if the node is not NATted,
++ * and we delete it we might get phase2's lost */
+ evt_list_move(&p->evt_listeners, &iph1->evt_listeners);
-+ remph1(p);
-+ delph1(p);
+ }
}
}
diff --git a/main/ipsec-tools/APKBUILD b/main/ipsec-tools/APKBUILD
index f7a78026f..db1d28bf1 100644
--- a/main/ipsec-tools/APKBUILD
+++ b/main/ipsec-tools/APKBUILD
@@ -1,8 +1,8 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=ipsec-tools
-pkgver=0.8_alpha20090422
-_myver=0.8-alpha20090422
-pkgrel=1
+pkgver=0.8_alpha20090820
+_myver=0.8-alpha20090820
+pkgrel=0
pkgdesc="User-space IPsec tools for various IPsec implementations"
url="http://ipsec-tools.sourceforge.net/"
license="BSD"
@@ -12,10 +12,7 @@ subpackages="$pkgname-doc $pkgname-dev"
source="http://downloads.sourceforge.net/$pkgname/$pkgname-$_myver.tar.gz
racoon.initd
racoon.confd
- 00-verify-cert-leak.patch
- 20-natoa-fix.patch
- 30-natt-ports-cleanup.patch
- 40-cmpsaddr-cleanup.patch
+ 10-rekey-ph1hint.patch
50-reverse-connect.patch
60-debug-quick.patch
"
@@ -48,12 +45,9 @@ build() {
install -D -m644 ../racoon.confd "$pkgdir"/etc/conf.d/racoon
}
-md5sums="8327401b5d1aa91e9c554d2cc536f823 ipsec-tools-0.8-alpha20090422.tar.gz
+md5sums="8b79f9e773043a47d636b4c6f59b84eb ipsec-tools-0.8-alpha20090820.tar.gz
fce62b52b598be268e27609f470f8e9b racoon.initd
2d00250cf72da7f2f559c91b65a48747 racoon.confd
-e0abf570c29519e8e36406dfc3bbe3c8 00-verify-cert-leak.patch
-2adb8796c75f62811b08c8370c75312c 20-natoa-fix.patch
-17b3f05426537afa1e94947c39b10163 30-natt-ports-cleanup.patch
-5fcaf5a01340132d4bfe55997bc5c60b 40-cmpsaddr-cleanup.patch
-91eb6da2726c4ed83df990f6908a7553 50-reverse-connect.patch
+4ee586cc6c6f1e0dd7a8bd9da0f5111d 10-rekey-ph1hint.patch
+13bda94a598aabf593280e04ea16065d 50-reverse-connect.patch
baa13d7f0f48955c792f7fcd42a8587a 60-debug-quick.patch"
diff --git a/main/nmap/APKBUILD b/main/nmap/APKBUILD
index bb0407876..363c2d47c 100644
--- a/main/nmap/APKBUILD
+++ b/main/nmap/APKBUILD
@@ -1,12 +1,12 @@
# Contributor: Leonardo Arena <rnalrd@gmail.com>
# Maintainer: Leonardo Arena <rnalrd@gmail.com>
pkgname=nmap
-pkgver=4.76
-pkgrel=2
+pkgver=5.00
+pkgrel=0
pkgdesc="A network exploration tool and security/port scanner"
url="http:/nmap.org"
license="custom:GPL"
-depends="pcre libpcap uclibc++ openssl lua"
+depends=
makedepends="uclibc++-dev libpcap-dev openssl-dev lua-dev"
install=
subpackages="$pkgname-doc $pkgname-nse"
@@ -22,7 +22,7 @@ build() {
patch -p1 < $i || return 1
done
- export CXX=g++-uc
+ export CXX=${CXX_UC:-g++-uc}
./configure --prefix=/usr \
--sysconfdir=/etc \
--mandir=/usr/share/man \
@@ -36,12 +36,14 @@ build() {
# install custom GPL2 license
install -D -m644 COPYING ${pkgdir}/usr/share/licenses/${pkgname}/LICENSE
}
-
+
nse() {
+ pkgdesc="nmap scripting engine"
mkdir -p "$subpkgdir"/usr/share/$pkgname
- mv "$pkgdir"/usr/share/$pkgname/nselib "$subpkgdir"/usr/share/$pkgname/
- mv "$pkgdir"/usr/share/$pkgname/scripts "$subpkgdir"/usr/share/$pkgname/
+ mv "$pkgdir"/usr/share/$pkgname/nselib \
+ "$pkgdir"/usr/share/$pkgname/scripts \
+ "$subpkgdir"/usr/share/$pkgname/
}
-md5sums="54b5c9e3f44c1adde17df68170eb7cfe nmap-4.76.tgz
+md5sums="6b5b28f421cae71fd2710c1247c8db66 nmap-5.00.tgz
507b0936aaafaeddebad309b0924de39 nmap-4.53-uclibc++-output.cc.patch"
diff --git a/main/perl-archive-zip/APKBUILD b/main/perl-archive-zip/APKBUILD
index 7e8d32019..6ec65c473 100644
--- a/main/perl-archive-zip/APKBUILD
+++ b/main/perl-archive-zip/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Leonardo Arena <rnalrd@gmail.com>
pkgname=perl-archive-zip
_realname=Archive-Zip
-pkgver=1.26
+pkgver=1.30
pkgrel=0
pkgdesc="Provide a perl interface to ZIP archive files."
url="http://search.cpan.org/dist/Archive-Zip/"
@@ -23,4 +23,4 @@ build() {
find "$pkgdir" -name perllocal.pod -delete
}
-md5sums="a2e1cc1d99dbaebc41421295c93f61b5 Archive-Zip-1.26.tar.gz"
+md5sums="40153666e7538b410e001aa8a810e702 Archive-Zip-1.30.tar.gz"
diff --git a/main/perl-html-parser/APKBUILD b/main/perl-html-parser/APKBUILD
index 5e374b94f..8a3c48f6e 100644
--- a/main/perl-html-parser/APKBUILD
+++ b/main/perl-html-parser/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Leonardo Arena <rnalrd@gmail.com>
pkgname=perl-html-parser
_realname=HTML-Parser
-pkgver=3.60
+pkgver=3.61
pkgrel=0
pkgdesc="Parse section of HTML documents"
url="http://search.cpan.org/~gaas/HTML-Parser-3.60/"
@@ -23,4 +23,4 @@ build() {
find "$pkgdir" -name perllocal.pod -delete
}
-md5sums="fb97ea7e5bd832b079d8660732f9d8d9 HTML-Parser-3.60.tar.gz"
+md5sums="098d9551721d29d55a0a4ad83a3ebef5 HTML-Parser-3.61.tar.gz"
diff --git a/main/sudo/APKBUILD b/main/sudo/APKBUILD
index 75fd70f3c..4a4ad4176 100644
--- a/main/sudo/APKBUILD
+++ b/main/sudo/APKBUILD
@@ -1,16 +1,17 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=sudo
-pkgver=1.7.2
+pkgver=1.7.2_p1
+_realver=1.7.2p1
pkgrel=0
pkgdesc="Give certain users the ability to run some commands as root"
url="http://www.sudo.ws/sudo/"
license='custom ISC'
depends=
-source="ftp://ftp.sudo.ws/pub/sudo/$pkgname-$pkgver.tar.gz"
+source="ftp://ftp.sudo.ws/pub/sudo/$pkgname-$_realver.tar.gz"
subpackages="$pkgname-doc"
build() {
- cd "$srcdir/$pkgname-$pkgver"
+ cd "$srcdir/$pkgname-$_realver"
./configure --prefix=/usr \
--with-env-editor \
@@ -22,4 +23,4 @@ build() {
make -j1 DESTDIR="$pkgdir" install || return 1
}
-md5sums="9caba8719c3e0f163880a05f02a48249 sudo-1.7.2.tar.gz"
+md5sums="4449d466a774f5ce401c9c0e3866c026 sudo-1.7.2p1.tar.gz"
diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD
index c580a84a3..4b3484651 100644
--- a/main/tiff/APKBUILD
+++ b/main/tiff/APKBUILD
@@ -2,17 +2,33 @@
# Maintainer: Michael Mason <ms13sp@gmail.com>
pkgname=tiff
pkgver=3.8.2
-pkgrel=0
+pkgrel=1
pkgdesc="Provides support for the Tag Image File Format or TIFF"
url="http://www.libtiff.org/"
license="GPL"
-depends="uclibc"
+depends=
subpackages="$pkgname-doc $pkgname-dev"
-source="ftp://ftp.remotesensing.org/pub/lib$pkgname/$pkgname-$pkgver.tar.gz"
+source="ftp://ftp.remotesensing.org/pub/lib$pkgname/$pkgname-$pkgver.tar.gz
+ CVE-2006-3459-3465.patch
+ libtiff-CVE-2009-2285.patch
+ tiff-3.8.2-CVE-2008-2327.patch
+ tiff-3.8.2-CVE-2009-2347.patch
+ tiff2pdf-compression.patch
+ tiff2pdf-octal-printf.patch
+ tiffsplit-fname-overflow.patch
+ "
build() {
cd "$srcdir/$pkgname-$pkgver"
+ patch -p1 < ../tiff2pdf-octal-printf.patch || return 1
+ patch -p1 < ../tiffsplit-fname-overflow.patch || return 1
+ patch -p1 < ../CVE-2006-3459-3465.patch || return 1
+ patch -p1 < ../tiff2pdf-compression.patch || return 1
+ patch -p1 < ../tiff-3.8.2-CVE-2008-2327.patch || return 1
+ patch -p1 < ../libtiff-CVE-2009-2285.patch || return 1
+ patch -p1 < ../tiff-3.8.2-CVE-2009-2347.patch || return 1
+
./configure --prefix=/usr \
--sysconfdir=/etc \
--mandir=/usr/share/man \
@@ -23,4 +39,11 @@ build() {
}
-md5sums="fbb6f446ea4ed18955e2714934e5b698 tiff-3.8.2.tar.gz"
+md5sums="fbb6f446ea4ed18955e2714934e5b698 tiff-3.8.2.tar.gz
+624d3067e6a4c0680767eb62253ea980 CVE-2006-3459-3465.patch
+ff61077408727a82281f77a94f555e2a libtiff-CVE-2009-2285.patch
+c2c2e22557d9c63011df5777dda6a86b tiff-3.8.2-CVE-2008-2327.patch
+d3b02693cca83e63005b162edd43016b tiff-3.8.2-CVE-2009-2347.patch
+b443ffca9d498bb3a88c17da0200025b tiff2pdf-compression.patch
+d54368687d2645ffbbe6c2df384b11bf tiff2pdf-octal-printf.patch
+323352fd60a7bd3ffac8724c3c031669 tiffsplit-fname-overflow.patch"
diff --git a/main/tiff/CVE-2006-3459-3465.patch b/main/tiff/CVE-2006-3459-3465.patch
new file mode 100644
index 000000000..cb55b03e7
--- /dev/null
+++ b/main/tiff/CVE-2006-3459-3465.patch
@@ -0,0 +1,669 @@
+diff -ru tiff-3.8.2/libtiff/tif_dir.c tiff-3.8.2-goo/libtiff/tif_dir.c
+--- tiff-3.8.2/libtiff/tif_dir.c 2006-03-21 16:42:50.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_dir.c 2006-07-14 13:52:01.027562000 +0100
+@@ -122,6 +122,7 @@
+ {
+ static const char module[] = "_TIFFVSetField";
+
++ const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY);
+ TIFFDirectory* td = &tif->tif_dir;
+ int status = 1;
+ uint32 v32, i, v;
+@@ -195,10 +196,12 @@
+ break;
+ case TIFFTAG_ORIENTATION:
+ v = va_arg(ap, uint32);
++ const TIFFFieldInfo* fip;
+ if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) {
++ fip = _TIFFFieldWithTag(tif, tag);
+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
+ "Bad value %lu for \"%s\" tag ignored",
+- v, _TIFFFieldWithTag(tif, tag)->field_name);
++ v, fip ? fip->field_name : "Unknown");
+ } else
+ td->td_orientation = (uint16) v;
+ break;
+@@ -387,11 +390,15 @@
+ * happens, for example, when tiffcp is used to convert between
+ * compression schemes and codec-specific tags are blindly copied.
+ */
++ /*
++ * better not dereference fip if it is NULL.
++ * -- taviso@google.com 15 Jun 2006
++ */
+ if(fip == NULL || fip->field_bit != FIELD_CUSTOM) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "%s: Invalid %stag \"%s\" (not supported by codec)",
+ tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
+- _TIFFFieldWithTag(tif, tag)->field_name);
++ fip ? fip->field_name : "Unknown");
+ status = 0;
+ break;
+ }
+@@ -468,7 +475,7 @@
+ if (fip->field_type == TIFF_ASCII)
+ _TIFFsetString((char **)&tv->value, va_arg(ap, char *));
+ else {
+- tv->value = _TIFFmalloc(tv_size * tv->count);
++ tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value");
+ if (!tv->value) {
+ status = 0;
+ goto end;
+@@ -563,7 +570,7 @@
+ }
+ }
+ if (status) {
+- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
++ TIFFSetFieldBit(tif, fip->field_bit);
+ tif->tif_flags |= TIFF_DIRTYDIRECT;
+ }
+
+@@ -572,12 +579,12 @@
+ return (status);
+ badvalue:
+ TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"",
+- tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name);
++ tif->tif_name, v, fip ? fip->field_name : "Unknown");
+ va_end(ap);
+ return (0);
+ badvalue32:
+ TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"",
+- tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name);
++ tif->tif_name, v32, fip ? fip->field_name : "Unknown");
+ va_end(ap);
+ return (0);
+ }
+@@ -813,12 +820,16 @@
+ * If the client tries to get a tag that is not valid
+ * for the image's codec then we'll arrive here.
+ */
++ /*
++ * dont dereference fip if it's NULL.
++ * -- taviso@google.com 15 Jun 2006
++ */
+ if( fip == NULL || fip->field_bit != FIELD_CUSTOM )
+ {
+ TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField",
+ "%s: Invalid %stag \"%s\" (not supported by codec)",
+ tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
+- _TIFFFieldWithTag(tif, tag)->field_name);
++ fip ? fip->field_name : "Unknown");
+ ret_val = 0;
+ break;
+ }
+diff -ru tiff-3.8.2/libtiff/tif_dirinfo.c tiff-3.8.2-goo/libtiff/tif_dirinfo.c
+--- tiff-3.8.2/libtiff/tif_dirinfo.c 2006-02-07 13:51:03.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_dirinfo.c 2006-07-14 13:52:00.953558000 +0100
+@@ -775,7 +775,8 @@
+ TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag",
+ "Internal error, unknown tag 0x%x",
+ (unsigned int) tag);
+- assert(fip != NULL);
++ /* assert(fip != NULL); */
++
+ /*NOTREACHED*/
+ }
+ return (fip);
+@@ -789,7 +790,8 @@
+ if (!fip) {
+ TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName",
+ "Internal error, unknown tag %s", field_name);
+- assert(fip != NULL);
++ /* assert(fip != NULL); */
++
+ /*NOTREACHED*/
+ }
+ return (fip);
+diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c
+--- tiff-3.8.2/libtiff/tif_dirread.c 2006-03-21 16:42:50.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_dirread.c 2006-07-14 13:52:00.842557000 +0100
+@@ -29,6 +29,9 @@
+ *
+ * Directory Read Support Routines.
+ */
++
++#include <limits.h>
++
+ #include "tiffiop.h"
+
+ #define IGNORE 0 /* tag placeholder used below */
+@@ -81,6 +84,7 @@
+ uint16 dircount;
+ toff_t nextdiroff;
+ int diroutoforderwarning = 0;
++ int compressionknown = 0;
+ toff_t* new_dirlist;
+
+ tif->tif_diroff = tif->tif_nextdiroff;
+@@ -147,13 +151,20 @@
+ } else {
+ toff_t off = tif->tif_diroff;
+
+- if (off + sizeof (uint16) > tif->tif_size) {
+- TIFFErrorExt(tif->tif_clientdata, module,
+- "%s: Can not read TIFF directory count",
+- tif->tif_name);
+- return (0);
++ /*
++ * Check for integer overflow when validating the dir_off, otherwise
++ * a very high offset may cause an OOB read and crash the client.
++ * -- taviso@google.com, 14 Jun 2006.
++ */
++ if (off + sizeof (uint16) > tif->tif_size ||
++ off > (UINT_MAX - sizeof(uint16))) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "%s: Can not read TIFF directory count",
++ tif->tif_name);
++ return (0);
+ } else
+- _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16));
++ _TIFFmemcpy(&dircount, tif->tif_base + off,
++ sizeof (uint16));
+ off += sizeof (uint16);
+ if (tif->tif_flags & TIFF_SWAB)
+ TIFFSwabShort(&dircount);
+@@ -254,6 +265,7 @@
+ while (fix < tif->tif_nfields &&
+ tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
+ fix++;
++
+ if (fix >= tif->tif_nfields ||
+ tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) {
+
+@@ -264,17 +276,23 @@
+ dp->tdir_tag,
+ dp->tdir_tag,
+ dp->tdir_type);
+-
+- TIFFMergeFieldInfo(tif,
+- _TIFFCreateAnonFieldInfo(tif,
+- dp->tdir_tag,
+- (TIFFDataType) dp->tdir_type),
+- 1 );
++ /*
++ * creating anonymous fields prior to knowing the compression
++ * algorithm (ie, when the field info has been merged) could cause
++ * crashes with pathological directories.
++ * -- taviso@google.com 15 Jun 2006
++ */
++ if (compressionknown)
++ TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag,
++ (TIFFDataType) dp->tdir_type), 1 );
++ else goto ignore;
++
+ fix = 0;
+ while (fix < tif->tif_nfields &&
+ tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
+ fix++;
+ }
++
+ /*
+ * Null out old tags that we ignore.
+ */
+@@ -326,6 +344,7 @@
+ dp->tdir_type, dp->tdir_offset);
+ if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v))
+ goto bad;
++ else compressionknown++;
+ break;
+ /* XXX: workaround for broken TIFFs */
+ } else if (dp->tdir_type == TIFF_LONG) {
+@@ -540,6 +559,7 @@
+ * Attempt to deal with a missing StripByteCounts tag.
+ */
+ if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) {
++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
+ /*
+ * Some manufacturers violate the spec by not giving
+ * the size of the strips. In this case, assume there
+@@ -556,7 +576,7 @@
+ "%s: TIFF directory is missing required "
+ "\"%s\" field, calculating from imagelength",
+ tif->tif_name,
+- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
++ fip ? fip->field_name : "Unknown");
+ if (EstimateStripByteCounts(tif, dir, dircount) < 0)
+ goto bad;
+ /*
+@@ -580,6 +600,7 @@
+ } else if (td->td_nstrips == 1
+ && td->td_stripoffset[0] != 0
+ && BYTECOUNTLOOKSBAD) {
++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
+ /*
+ * XXX: Plexus (and others) sometimes give a value of zero for
+ * a tag when they don't know what the correct value is! Try
+@@ -589,13 +610,14 @@
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "%s: Bogus \"%s\" field, ignoring and calculating from imagelength",
+ tif->tif_name,
+- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
++ fip ? fip->field_name : "Unknown");
+ if(EstimateStripByteCounts(tif, dir, dircount) < 0)
+ goto bad;
+ } else if (td->td_planarconfig == PLANARCONFIG_CONTIG
+ && td->td_nstrips > 2
+ && td->td_compression == COMPRESSION_NONE
+ && td->td_stripbytecount[0] != td->td_stripbytecount[1]) {
++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
+ /*
+ * XXX: Some vendors fill StripByteCount array with absolutely
+ * wrong values (it can be equal to StripOffset array, for
+@@ -604,7 +626,7 @@
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "%s: Wrong \"%s\" field, ignoring and calculating from imagelength",
+ tif->tif_name,
+- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
++ fip ? fip->field_name : "Unknown");
+ if (EstimateStripByteCounts(tif, dir, dircount) < 0)
+ goto bad;
+ }
+@@ -870,7 +892,13 @@
+
+ register TIFFDirEntry *dp;
+ register TIFFDirectory *td = &tif->tif_dir;
+- uint16 i;
++
++ /* i is used to iterate over td->td_nstrips, so must be
++ * at least the same width.
++ * -- taviso@google.com 15 Jun 2006
++ */
++
++ uint32 i;
+
+ if (td->td_stripbytecount)
+ _TIFFfree(td->td_stripbytecount);
+@@ -947,16 +975,18 @@
+ static int
+ CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count)
+ {
++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
++
+ if (count > dir->tdir_count) {
+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
+ "incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored",
+- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
++ fip ? fip->field_name : "Unknown",
+ dir->tdir_count, count);
+ return (0);
+ } else if (count < dir->tdir_count) {
+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
+ "incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed",
+- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
++ fip ? fip->field_name : "Unknown",
+ dir->tdir_count, count);
+ return (1);
+ }
+@@ -970,6 +1000,7 @@
+ TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp)
+ {
+ int w = TIFFDataWidth((TIFFDataType) dir->tdir_type);
++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ tsize_t cc = dir->tdir_count * w;
+
+ /* Check for overflow. */
+@@ -1013,7 +1044,7 @@
+ bad:
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "Error fetching data for field \"%s\"",
+- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
++ fip ? fip->field_name : "Unknown");
+ return (tsize_t) 0;
+ }
+
+@@ -1039,10 +1070,12 @@
+ static int
+ cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv)
+ {
++ const TIFFFieldInfo* fip;
+ if (denom == 0) {
++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "%s: Rational with zero denominator (num = %lu)",
+- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num);
++ fip ? fip->field_name : "Unknown", num);
+ return (0);
+ } else {
+ if (dir->tdir_type == TIFF_RATIONAL)
+@@ -1159,6 +1192,20 @@
+ static int
+ TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir)
+ {
++ /*
++ * Prevent overflowing the v stack arrays below by performing a sanity
++ * check on tdir_count, this should never be greater than two.
++ * -- taviso@google.com 14 Jun 2006.
++ */
++ if (dir->tdir_count > 2) {
++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
++ TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
++ "unexpected count for field \"%s\", %lu, expected 2; ignored.",
++ fip ? fip->field_name : "Unknown",
++ dir->tdir_count);
++ return 0;
++ }
++
+ switch (dir->tdir_type) {
+ case TIFF_BYTE:
+ case TIFF_SBYTE:
+@@ -1329,14 +1376,15 @@
+ case TIFF_DOUBLE:
+ return (TIFFFetchDoubleArray(tif, dir, (double*) v));
+ default:
++ { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ /* TIFF_NOTYPE */
+ /* TIFF_ASCII */
+ /* TIFF_UNDEFINED */
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "cannot read TIFF_ANY type %d for field \"%s\"",
+ dir->tdir_type,
+- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+- return (0);
++ fip ? fip->field_name : "Unknown");
++ return (0); }
+ }
+ return (1);
+ }
+@@ -1351,6 +1399,9 @@
+ int ok = 0;
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag);
+
++ if (fip == NULL) {
++ return (0);
++ }
+ if (dp->tdir_count > 1) { /* array of values */
+ char* cp = NULL;
+
+@@ -1493,6 +1544,7 @@
+ TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl)
+ {
+ uint16 samples = tif->tif_dir.td_samplesperpixel;
++ const TIFFFieldInfo* fip;
+ int status = 0;
+
+ if (CheckDirCount(tif, dir, (uint32) samples)) {
+@@ -1510,9 +1562,10 @@
+
+ for (i = 1; i < check_count; i++)
+ if (v[i] != v[0]) {
++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "Cannot handle different per-sample values for field \"%s\"",
+- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
++ fip ? fip->field_name : "Unknown");
+ goto bad;
+ }
+ *pl = v[0];
+@@ -1534,6 +1587,7 @@
+ TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl)
+ {
+ uint16 samples = tif->tif_dir.td_samplesperpixel;
++ const TIFFFieldInfo* fip;
+ int status = 0;
+
+ if (CheckDirCount(tif, dir, (uint32) samples)) {
+@@ -1551,9 +1605,10 @@
+ check_count = samples;
+ for (i = 1; i < check_count; i++)
+ if (v[i] != v[0]) {
++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "Cannot handle different per-sample values for field \"%s\"",
+- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
++ fip ? fip->field_name : "Unknown");
+ goto bad;
+ }
+ *pl = v[0];
+@@ -1574,6 +1629,7 @@
+ TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl)
+ {
+ uint16 samples = tif->tif_dir.td_samplesperpixel;
++ const TIFFFieldInfo* fip;
+ int status = 0;
+
+ if (CheckDirCount(tif, dir, (uint32) samples)) {
+@@ -1591,9 +1647,10 @@
+
+ for (i = 1; i < check_count; i++)
+ if (v[i] != v[0]) {
++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "Cannot handle different per-sample values for field \"%s\"",
+- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
++ fip ? fip->field_name : "Unknown");
+ goto bad;
+ }
+ *pl = v[0];
+diff -ru tiff-3.8.2/libtiff/tif_fax3.c tiff-3.8.2-goo/libtiff/tif_fax3.c
+--- tiff-3.8.2/libtiff/tif_fax3.c 2006-03-21 16:42:50.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_fax3.c 2006-07-14 13:52:00.669557000 +0100
+@@ -1136,6 +1136,7 @@
+ Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
+ {
+ Fax3BaseState* sp = Fax3State(tif);
++ const TIFFFieldInfo* fip;
+
+ assert(sp != 0);
+ assert(sp->vsetparent != 0);
+@@ -1181,7 +1182,13 @@
+ default:
+ return (*sp->vsetparent)(tif, tag, ap);
+ }
+- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
++
++ if ((fip = _TIFFFieldWithTag(tif, tag))) {
++ TIFFSetFieldBit(tif, fip->field_bit);
++ } else {
++ return (0);
++ }
++
+ tif->tif_flags |= TIFF_DIRTYDIRECT;
+ return (1);
+ }
+diff -ru tiff-3.8.2/libtiff/tif_jpeg.c tiff-3.8.2-goo/libtiff/tif_jpeg.c
+--- tiff-3.8.2/libtiff/tif_jpeg.c 2006-03-21 16:42:50.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_jpeg.c 2006-07-14 13:52:00.655560000 +0100
+@@ -722,15 +722,31 @@
+ segment_width = TIFFhowmany(segment_width, sp->h_sampling);
+ segment_height = TIFFhowmany(segment_height, sp->v_sampling);
+ }
+- if (sp->cinfo.d.image_width != segment_width ||
+- sp->cinfo.d.image_height != segment_height) {
++ if (sp->cinfo.d.image_width < segment_width ||
++ sp->cinfo.d.image_height < segment_height) {
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "Improper JPEG strip/tile size, expected %dx%d, got %dx%d",
+ segment_width,
+ segment_height,
+ sp->cinfo.d.image_width,
+ sp->cinfo.d.image_height);
++ }
++
++ if (sp->cinfo.d.image_width > segment_width ||
++ sp->cinfo.d.image_height > segment_height) {
++ /*
++ * This case could be dangerous, if the strip or tile size has been
++ * reported as less than the amount of data jpeg will return, some
++ * potential security issues arise. Catch this case and error out.
++ * -- taviso@google.com 14 Jun 2006
++ */
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "JPEG strip/tile size exceeds expected dimensions,"
++ "expected %dx%d, got %dx%d", segment_width, segment_height,
++ sp->cinfo.d.image_width, sp->cinfo.d.image_height);
++ return (0);
+ }
++
+ if (sp->cinfo.d.num_components !=
+ (td->td_planarconfig == PLANARCONFIG_CONTIG ?
+ td->td_samplesperpixel : 1)) {
+@@ -761,6 +777,22 @@
+ sp->cinfo.d.comp_info[0].v_samp_factor,
+ sp->h_sampling, sp->v_sampling);
+
++ /*
++ * There are potential security issues here for decoders that
++ * have already allocated buffers based on the expected sampling
++ * factors. Lets check the sampling factors dont exceed what
++ * we were expecting.
++ * -- taviso@google.com 14 June 2006
++ */
++ if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling ||
++ sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Cannot honour JPEG sampling factors that"
++ " exceed those specified.");
++ return (0);
++ }
++
++
+ /*
+ * XXX: Files written by the Intergraph software
+ * has different sampling factors stored in the
+@@ -1521,15 +1553,18 @@
+ {
+ JPEGState *sp = JState(tif);
+
+- assert(sp != 0);
++ /* assert(sp != 0); */
+
+ tif->tif_tagmethods.vgetfield = sp->vgetparent;
+ tif->tif_tagmethods.vsetfield = sp->vsetparent;
+
+- if( sp->cinfo_initialized )
+- TIFFjpeg_destroy(sp); /* release libjpeg resources */
+- if (sp->jpegtables) /* tag value */
+- _TIFFfree(sp->jpegtables);
++ if (sp != NULL) {
++ if( sp->cinfo_initialized )
++ TIFFjpeg_destroy(sp); /* release libjpeg resources */
++ if (sp->jpegtables) /* tag value */
++ _TIFFfree(sp->jpegtables);
++ }
++
+ _TIFFfree(tif->tif_data); /* release local state */
+ tif->tif_data = NULL;
+
+@@ -1541,6 +1576,7 @@
+ {
+ JPEGState* sp = JState(tif);
+ TIFFDirectory* td = &tif->tif_dir;
++ const TIFFFieldInfo* fip;
+ uint32 v32;
+
+ assert(sp != NULL);
+@@ -1606,7 +1642,13 @@
+ default:
+ return (*sp->vsetparent)(tif, tag, ap);
+ }
+- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
++
++ if ((fip = _TIFFFieldWithTag(tif, tag))) {
++ TIFFSetFieldBit(tif, fip->field_bit);
++ } else {
++ return (0);
++ }
++
+ tif->tif_flags |= TIFF_DIRTYDIRECT;
+ return (1);
+ }
+@@ -1726,7 +1768,11 @@
+ {
+ JPEGState* sp = JState(tif);
+
+- assert(sp != NULL);
++ /* assert(sp != NULL); */
++ if (sp == NULL) {
++ TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState");
++ return;
++ }
+
+ (void) flags;
+ if (TIFFFieldSet(tif,FIELD_JPEGTABLES))
+diff -ru tiff-3.8.2/libtiff/tif_next.c tiff-3.8.2-goo/libtiff/tif_next.c
+--- tiff-3.8.2/libtiff/tif_next.c 2005-12-21 12:33:56.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_next.c 2006-07-14 13:52:00.556567000 +0100
+@@ -105,11 +105,16 @@
+ * as codes of the form <color><npixels>
+ * until we've filled the scanline.
+ */
++ /*
++ * Ensure the run does not exceed the scanline
++ * bounds, potentially resulting in a security issue.
++ * -- taviso@google.com 14 Jun 2006.
++ */
+ op = row;
+ for (;;) {
+ grey = (n>>6) & 0x3;
+ n &= 0x3f;
+- while (n-- > 0)
++ while (n-- > 0 && npixels < imagewidth)
+ SETPIXEL(op, grey);
+ if (npixels >= (int) imagewidth)
+ break;
+diff -ru tiff-3.8.2/libtiff/tif_pixarlog.c tiff-3.8.2-goo/libtiff/tif_pixarlog.c
+--- tiff-3.8.2/libtiff/tif_pixarlog.c 2006-03-21 16:42:50.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_pixarlog.c 2006-07-14 13:52:00.483557000 +0100
+@@ -768,7 +768,19 @@
+ if (tif->tif_flags & TIFF_SWAB)
+ TIFFSwabArrayOfShort(up, nsamples);
+
+- for (i = 0; i < nsamples; i += llen, up += llen) {
++ /*
++ * if llen is not an exact multiple of nsamples, the decode operation
++ * may overflow the output buffer, so truncate it enough to prevent that
++ * but still salvage as much data as possible.
++ * -- taviso@google.com 14th June 2006
++ */
++ if (nsamples % llen)
++ TIFFWarningExt(tif->tif_clientdata, module,
++ "%s: stride %lu is not a multiple of sample count, "
++ "%lu, data truncated.", tif->tif_name, llen, nsamples);
++
++
++ for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) {
+ switch (sp->user_datafmt) {
+ case PIXARLOGDATAFMT_FLOAT:
+ horizontalAccumulateF(up, llen, sp->stride,
+diff -ru tiff-3.8.2/libtiff/tif_read.c tiff-3.8.2-goo/libtiff/tif_read.c
+--- tiff-3.8.2/libtiff/tif_read.c 2005-12-21 12:33:56.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_read.c 2006-07-14 13:52:00.467568000 +0100
+@@ -31,6 +31,8 @@
+ #include "tiffiop.h"
+ #include <stdio.h>
+
++#include <limits.h>
++
+ int TIFFFillStrip(TIFF*, tstrip_t);
+ int TIFFFillTile(TIFF*, ttile_t);
+ static int TIFFStartStrip(TIFF*, tstrip_t);
+@@ -272,7 +274,13 @@
+ if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
+ _TIFFfree(tif->tif_rawdata);
+ tif->tif_flags &= ~TIFF_MYBUFFER;
+- if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) {
++ /*
++ * This sanity check could potentially overflow, causing an OOB read.
++ * verify that offset + bytecount is > offset.
++ * -- taviso@google.com 14 Jun 2006
++ */
++ if ( td->td_stripoffset[strip] + bytecount > tif->tif_size ||
++ bytecount > (UINT_MAX - td->td_stripoffset[strip])) {
+ /*
+ * This error message might seem strange, but it's
+ * what would happen if a read were done instead.
+@@ -470,7 +478,13 @@
+ if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
+ _TIFFfree(tif->tif_rawdata);
+ tif->tif_flags &= ~TIFF_MYBUFFER;
+- if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) {
++ /*
++ * We must check this calculation doesnt overflow, potentially
++ * causing an OOB read.
++ * -- taviso@google.com 15 Jun 2006
++ */
++ if (td->td_stripoffset[tile] + bytecount > tif->tif_size ||
++ bytecount > (UINT_MAX - td->td_stripoffset[tile])) {
+ tif->tif_curtile = NOTILE;
+ return (0);
+ }
diff --git a/main/tiff/libtiff-CVE-2009-2285.patch b/main/tiff/libtiff-CVE-2009-2285.patch
new file mode 100644
index 000000000..435a84b53
--- /dev/null
+++ b/main/tiff/libtiff-CVE-2009-2285.patch
@@ -0,0 +1,22 @@
+Index: tiff-3.8.2/libtiff/tif_lzw.c
+===================================================================
+--- tiff-3.8.2.orig/libtiff/tif_lzw.c
++++ tiff-3.8.2/libtiff/tif_lzw.c
+@@ -421,7 +421,7 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize
+ NextCode(tif, sp, bp, code, GetNextCode);
+ if (code == CODE_EOI)
+ break;
+- if (code == CODE_CLEAR) {
++ if (code >= CODE_CLEAR) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "LZWDecode: Corrupted LZW table at scanline %d",
+ tif->tif_row);
+@@ -624,7 +624,7 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0,
+ NextCode(tif, sp, bp, code, GetNextCodeCompat);
+ if (code == CODE_EOI)
+ break;
+- if (code == CODE_CLEAR) {
++ if (code >= CODE_CLEAR) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "LZWDecode: Corrupted LZW table at scanline %d",
+ tif->tif_row);
diff --git a/main/tiff/tiff-3.8.2-CVE-2008-2327.patch b/main/tiff/tiff-3.8.2-CVE-2008-2327.patch
new file mode 100644
index 000000000..e6d74a67a
--- /dev/null
+++ b/main/tiff/tiff-3.8.2-CVE-2008-2327.patch
@@ -0,0 +1,64 @@
+Fixes security issues in libTIFF's handling of LZW-encoded
+images. The use of uninitialized data could lead to a buffer
+underflow and a crash or arbitrary code execution.
+
+CVE-ID: CVE-2008-2327
+Security bug: https://bugs.gentoo.org/show_bug.cgi?id=234080
+
+Index: tiff-3.8.2/libtiff/tif_lzw.c
+===================================================================
+--- tiff-3.8.2.orig/libtiff/tif_lzw.c
++++ tiff-3.8.2/libtiff/tif_lzw.c
+@@ -237,6 +237,12 @@ LZWSetupDecode(TIFF* tif)
+ sp->dec_codetab[code].length = 1;
+ sp->dec_codetab[code].next = NULL;
+ } while (code--);
++ /*
++ * Zero-out the unused entries
++ */
++ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,
++ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t));
++
+ }
+ return (1);
+ }
+@@ -408,12 +414,19 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize
+ break;
+ if (code == CODE_CLEAR) {
+ free_entp = sp->dec_codetab + CODE_FIRST;
++ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
+ nbits = BITS_MIN;
+ nbitsmask = MAXCODE(BITS_MIN);
+ maxcodep = sp->dec_codetab + nbitsmask-1;
+ NextCode(tif, sp, bp, code, GetNextCode);
+ if (code == CODE_EOI)
+ break;
++ if (code == CODE_CLEAR) {
++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
++ "LZWDecode: Corrupted LZW table at scanline %d",
++ tif->tif_row);
++ return (0);
++ }
+ *op++ = (char)code, occ--;
+ oldcodep = sp->dec_codetab + code;
+ continue;
+@@ -604,12 +617,19 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0,
+ break;
+ if (code == CODE_CLEAR) {
+ free_entp = sp->dec_codetab + CODE_FIRST;
++ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
+ nbits = BITS_MIN;
+ nbitsmask = MAXCODE(BITS_MIN);
+ maxcodep = sp->dec_codetab + nbitsmask;
+ NextCode(tif, sp, bp, code, GetNextCodeCompat);
+ if (code == CODE_EOI)
+ break;
++ if (code == CODE_CLEAR) {
++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
++ "LZWDecode: Corrupted LZW table at scanline %d",
++ tif->tif_row);
++ return (0);
++ }
+ *op++ = code, occ--;
+ oldcodep = sp->dec_codetab + code;
+ continue;
diff --git a/main/tiff/tiff-3.8.2-CVE-2009-2347.patch b/main/tiff/tiff-3.8.2-CVE-2009-2347.patch
new file mode 100644
index 000000000..039d7336a
--- /dev/null
+++ b/main/tiff/tiff-3.8.2-CVE-2009-2347.patch
@@ -0,0 +1,170 @@
+Fix several places in tiff2rgba and rgb2ycbcr that were being careless about
+possible integer overflow in calculation of buffer sizes.
+
+CVE-2009-2347
+
+
+diff -Naur tiff-3.8.2.orig/tools/rgb2ycbcr.c tiff-3.8.2/tools/rgb2ycbcr.c
+--- tiff-3.8.2.orig/tools/rgb2ycbcr.c 2004-09-03 03:57:13.000000000 -0400
++++ tiff-3.8.2/tools/rgb2ycbcr.c 2009-07-10 17:12:32.000000000 -0400
+@@ -202,6 +202,17 @@
+ #undef LumaBlue
+ #undef V2Code
+
++static tsize_t
++multiply(tsize_t m1, tsize_t m2)
++{
++ tsize_t prod = m1 * m2;
++
++ if (m1 && prod / m1 != m2)
++ prod = 0; /* overflow */
++
++ return prod;
++}
++
+ /*
+ * Convert a strip of RGB data to YCbCr and
+ * sample to generate the output data.
+@@ -278,10 +289,19 @@
+ float floatv;
+ char *stringv;
+ uint32 longv;
++ tsize_t raster_size;
+
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+ TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
++
++ raster_size = multiply(multiply(width, height), sizeof (uint32));
++ if (!raster_size) {
++ TIFFError(TIFFFileName(in),
++ "Can't allocate buffer for raster of size %lux%lu",
++ (unsigned long) width, (unsigned long) height);
++ return (0);
++ }
++ raster = (uint32*)_TIFFmalloc(raster_size);
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in), "No space for raster buffer");
+ return (0);
+diff -Naur tiff-3.8.2.orig/tools/tiff2rgba.c tiff-3.8.2/tools/tiff2rgba.c
+--- tiff-3.8.2.orig/tools/tiff2rgba.c 2004-11-07 06:08:37.000000000 -0500
++++ tiff-3.8.2/tools/tiff2rgba.c 2009-07-10 17:06:42.000000000 -0400
+@@ -124,6 +124,17 @@
+ return (0);
+ }
+
++static tsize_t
++multiply(tsize_t m1, tsize_t m2)
++{
++ tsize_t prod = m1 * m2;
++
++ if (m1 && prod / m1 != m2)
++ prod = 0; /* overflow */
++
++ return prod;
++}
++
+ static int
+ cvt_by_tile( TIFF *in, TIFF *out )
+
+@@ -133,6 +144,7 @@
+ uint32 tile_width, tile_height;
+ uint32 row, col;
+ uint32 *wrk_line;
++ tsize_t raster_size;
+ int ok = 1;
+
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+@@ -150,7 +162,14 @@
+ /*
+ * Allocate tile buffer
+ */
+- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
++ raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32));
++ if (!raster_size) {
++ TIFFError(TIFFFileName(in),
++ "Can't allocate buffer for raster of size %lux%lu",
++ (unsigned long) tile_width, (unsigned long) tile_height);
++ return (0);
++ }
++ raster = (uint32*)_TIFFmalloc(raster_size);
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in), "No space for raster buffer");
+ return (0);
+@@ -158,7 +177,7 @@
+
+ /*
+ * Allocate a scanline buffer for swapping during the vertical
+- * mirroring pass.
++ * mirroring pass. (Request can't overflow given prior checks.)
+ */
+ wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
+ if (!wrk_line) {
+@@ -226,6 +245,7 @@
+ uint32 width, height; /* image width & height */
+ uint32 row;
+ uint32 *wrk_line;
++ tsize_t raster_size;
+ int ok = 1;
+
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+@@ -241,7 +261,14 @@
+ /*
+ * Allocate strip buffer
+ */
+- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
++ raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32));
++ if (!raster_size) {
++ TIFFError(TIFFFileName(in),
++ "Can't allocate buffer for raster of size %lux%lu",
++ (unsigned long) width, (unsigned long) rowsperstrip);
++ return (0);
++ }
++ raster = (uint32*)_TIFFmalloc(raster_size);
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in), "No space for raster buffer");
+ return (0);
+@@ -249,7 +276,7 @@
+
+ /*
+ * Allocate a scanline buffer for swapping during the vertical
+- * mirroring pass.
++ * mirroring pass. (Request can't overflow given prior checks.)
+ */
+ wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
+ if (!wrk_line) {
+@@ -328,14 +355,22 @@
+ uint32* raster; /* retrieve RGBA image */
+ uint32 width, height; /* image width & height */
+ uint32 row;
+-
++ tsize_t raster_size;
++
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+ TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+
+ rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
+ TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
+
+- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
++ raster_size = multiply(multiply(width, height), sizeof (uint32));
++ if (!raster_size) {
++ TIFFError(TIFFFileName(in),
++ "Can't allocate buffer for raster of size %lux%lu",
++ (unsigned long) width, (unsigned long) height);
++ return (0);
++ }
++ raster = (uint32*)_TIFFmalloc(raster_size);
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in), "No space for raster buffer");
+ return (0);
+@@ -353,7 +388,7 @@
+ */
+ if( no_alpha )
+ {
+- int pixel_count = width * height;
++ tsize_t pixel_count = (tsize_t) width * (tsize_t) height;
+ unsigned char *src, *dst;
+
+ src = (unsigned char *) raster;
+
diff --git a/main/tiff/tiff2pdf-compression.patch b/main/tiff/tiff2pdf-compression.patch
new file mode 100644
index 000000000..2dae2dcd1
--- /dev/null
+++ b/main/tiff/tiff2pdf-compression.patch
@@ -0,0 +1,44 @@
+--- tiff-3.8.2/tools/tiff2pdf.c 8 Jun 2006 11:27:11 -0000 1.35
++++ tiff-3.8.2/tools/tiff2pdf.c 19 Jun 2006 20:12:08 -0000 1.36
+@@ -937,7 +937,7 @@
+
+ #ifdef JPEG_SUPPORT
+ if(t2p->pdf_defaultcompression==T2P_COMPRESS_JPEG){
+- if(t2p->pdf_defaultcompressionquality<100 ||
++ if(t2p->pdf_defaultcompressionquality>100 ||
+ t2p->pdf_defaultcompressionquality<1){
+ t2p->pdf_defaultcompressionquality=0;
+ }
+@@ -945,25 +945,17 @@
+ #endif
+ #ifdef ZIP_SUPPORT
+ if(t2p->pdf_defaultcompression==T2P_COMPRESS_ZIP){
+- switch (t2p->pdf_defaultcompressionquality){
+- case 1: case 10: case 11: case 12: case 13: case 14: case 15:
+- case 101: case 110: case 111: case 112: case 113: case 114: case 115:
+- case 201: case 210: case 211: case 212: case 213: case 214: case 215:
+- case 301: case 310: case 311: case 312: case 313: case 314: case 315:
+- case 401: case 410: case 411: case 412: case 413: case 414: case 415:
+- case 501: case 510: case 511: case 512: case 513: case 514: case 515:
+- case 601: case 610: case 611: case 612: case 613: case 614: case 615:
+- case 701: case 710: case 711: case 712: case 713: case 714: case 715:
+- case 801: case 810: case 811: case 812: case 813: case 814: case 815:
+- case 901: case 910: case 911: case 912: case 913: case 914: case 915:
+- break;
+- default:
+- t2p->pdf_defaultcompressionquality=0;
++ uint16 m=t2p->pdf_defaultcompressionquality%100;
++ if(t2p->pdf_defaultcompressionquality/100 > 9 ||
++ (m>1 && m<10) || m>15){
++ t2p->pdf_defaultcompressionquality=0;
+ }
+ if(t2p->pdf_defaultcompressionquality%100 !=0){
++ t2p->pdf_defaultcompressionquality/=100;
++ t2p->pdf_defaultcompressionquality*=100;
+ TIFFError(
+ TIFF2PDF_MODULE,
+- "PNG Group predictor differencing not implemented, assuming compresion quality %u",
++ "PNG Group predictor differencing not implemented, assuming compression quality %u",
+ t2p->pdf_defaultcompressionquality);
+ }
+ t2p->pdf_defaultcompressionquality%=100;
diff --git a/main/tiff/tiff2pdf-octal-printf.patch b/main/tiff/tiff2pdf-octal-printf.patch
new file mode 100644
index 000000000..f35b07237
--- /dev/null
+++ b/main/tiff/tiff2pdf-octal-printf.patch
@@ -0,0 +1,11 @@
+--- tiff-3.8.2/tools/tiff2pdf.c.orig 2006-03-21 11:42:51.000000000 -0500
++++ tiff-3.8.2/tools/tiff2pdf.c 2006-06-07 17:54:01.027637232 -0400
+@@ -3668,7 +3668,7 @@
+ written += TIFFWriteFile(output, (tdata_t) "(", 1);
+ for (i=0;i<len;i++){
+ if((pdfstr[i]&0x80) || (pdfstr[i]==127) || (pdfstr[i]<32)){
+- sprintf(buffer, "\\%.3o", pdfstr[i]);
++ sprintf(buffer, "\\%.3hho", pdfstr[i]);
+ written += TIFFWriteFile(output, (tdata_t) buffer, 4);
+ } else {
+ switch (pdfstr[i]){
diff --git a/main/tiff/tiffsplit-fname-overflow.patch b/main/tiff/tiffsplit-fname-overflow.patch
new file mode 100644
index 000000000..cc225890a
--- /dev/null
+++ b/main/tiff/tiffsplit-fname-overflow.patch
@@ -0,0 +1,19 @@
+--- tiff-3.8.2/tools/tiffsplit.c.orig 2005-12-07 04:48:33.000000000 -0500
++++ tiff-3.8.2/tools/tiffsplit.c 2006-06-01 21:20:25.039944864 -0400
+@@ -61,14 +61,13 @@
+ return (-3);
+ }
+ if (argc > 2)
+- strcpy(fname, argv[2]);
++ snprintf(fname, sizeof(fname), "%s", argv[2]);
+ in = TIFFOpen(argv[1], "r");
+ if (in != NULL) {
+ do {
+ char path[1024+1];
+ newfilename();
+- strcpy(path, fname);
+- strcat(path, ".tif");
++ snprintf(path, sizeof(path), "%s.tif", fname);
+ out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl");
+ if (out == NULL)
+ return (-2);
diff --git a/main/uclibc++/001-path_to_make.patch b/main/uclibc++/001-path_to_make.patch
new file mode 100644
index 000000000..840dac326
--- /dev/null
+++ b/main/uclibc++/001-path_to_make.patch
@@ -0,0 +1,30 @@
+diff -ur old/Makefile dev/Makefile
+--- old/Makefile Sat Oct 14 17:49:55 2006
++++ dev/Makefile Sat Oct 14 17:50:18 2006
+@@ -1,4 +1,3 @@
+-MAKE = make
+ SUBDIRS = bin include src
+
+ # User defines:
+@@ -43,10 +42,10 @@
+ #Menu configuration system
+
+ extra/config/conf:
+- make -C extra/config conf
++ $(MAKE) -C extra/config conf
+
+ extra/config/mconf:
+- make -C extra/config ncurses mconf
++ $(MAKE) -C extra/config ncurses mconf
+
+ menuconfig: extra/config/mconf
+ @./extra/config/mconf extra/Configs/Config.in
+@@ -71,7 +70,7 @@
+
+ include/system_configuration.h: .config
+ @if [ ! -x ./extra/config/conf ] ; then \
+- make -C extra/config conf; \
++ $(MAKE) -C extra/config conf; \
+ fi;
+ @./extra/config/conf -o extra/Configs/Config.in
+
diff --git a/main/uclibc++/002-no_bash.patch b/main/uclibc++/002-no_bash.patch
new file mode 100644
index 000000000..69b2275a5
--- /dev/null
+++ b/main/uclibc++/002-no_bash.patch
@@ -0,0 +1,12 @@
+diff -ur old/bin/Makefile dev/bin/Makefile
+--- old/bin/Makefile Sat Oct 14 17:49:54 2006
++++ dev/bin/Makefile Sat Oct 14 17:57:33 2006
+@@ -13,7 +13,7 @@
+ $(INSTALL) -m 755 $(WRAPPER) $(PREFIX)$(UCLIBCXX_RUNTIME_BINDIR)
+
+ $(WRAPPER):
+- echo "#!/bin/bash" > $(WRAPPER)
++ echo "#!/bin/sh" > $(WRAPPER)
+ echo "" >> $(WRAPPER)
+ echo 'WRAPPER_INCLUDEDIR="$${WRAPPER_INCLUDEDIR:=-I$(UCLIBCXX_RUNTIME_INCLUDEDIR)}"' >> $(WRAPPER)
+ echo 'WRAPPER_LIBDIR="$${WRAPPER_LIBDIR:=-L$(UCLIBCXX_RUNTIME_LIBDIR)}"' >> $(WRAPPER)
diff --git a/main/uclibc++/003-cp_command.patch b/main/uclibc++/003-cp_command.patch
new file mode 100644
index 000000000..53d0ed7af
--- /dev/null
+++ b/main/uclibc++/003-cp_command.patch
@@ -0,0 +1,19 @@
+diff -ur old/src/Makefile dev/src/Makefile
+--- old/src/Makefile Sat Oct 14 17:49:54 2006
++++ dev/src/Makefile Sat Oct 14 18:02:30 2006
+@@ -25,12 +25,14 @@
+
+ all: libgcc_eh libsupc $(EXOBJS) $(ALLBIN)
+
++CP = cp -fPR
++
+ install:
+ $(INSTALL) -d $(PREFIX)$(UCLIBCXX_RUNTIME_LIBDIR)
+ ifneq ($(BUILD_ONLY_STATIC_LIB),y)
+ $(INSTALL) -m 755 $(SHARED_FULLNAME) \
+ $(PREFIX)$(UCLIBCXX_RUNTIME_LIBDIR)
+- cp -fa $(SHARED_MAJORNAME) $(LIBNAME).so $(PREFIX)$(UCLIBCXX_RUNTIME_LIBDIR)
++ $(CP) $(SHARED_MAJORNAME) $(LIBNAME).so $(PREFIX)$(UCLIBCXX_RUNTIME_LIBDIR)
+ endif
+ ifeq ($(BUILD_STATIC_LIB),y)
+ $(INSTALL) -m 644 $(LIBNAME).a $(PREFIX)$(UCLIBCXX_RUNTIME_LIBDIR)
diff --git a/main/uclibc++/004-ccache_fixes.patch b/main/uclibc++/004-ccache_fixes.patch
new file mode 100644
index 000000000..10ceb792b
--- /dev/null
+++ b/main/uclibc++/004-ccache_fixes.patch
@@ -0,0 +1,24 @@
+diff -ruN uClibc++-0.2.2-old/src/abi/libgcc_eh/Makefile uClibc++-0.2.2-new/src/abi/libgcc_eh/Makefile
+--- uClibc++-0.2.2-old/src/abi/libgcc_eh/Makefile 2007-06-04 00:51:13.000000000 +0200
++++ uClibc++-0.2.2-new/src/abi/libgcc_eh/Makefile 2007-09-03 21:51:07.000000000 +0200
+@@ -16,7 +16,7 @@
+ #
+ #else
+ # echo Binary
+- $(AR) x $(shell CC=$(CC) $(TOPDIR)/scripts/find_libgcc_eh.sh)
++ $(AR) x $(shell CC="$(CC)" $(TOPDIR)/scripts/find_libgcc_eh.sh)
+ #endif
+ #endif
+
+diff -ruN uClibc++-0.2.2-old/src/abi/libsupc/Makefile uClibc++-0.2.2-new/src/abi/libsupc/Makefile
+--- uClibc++-0.2.2-old/src/abi/libsupc/Makefile 2007-06-04 00:51:13.000000000 +0200
++++ uClibc++-0.2.2-new/src/abi/libsupc/Makefile 2007-09-03 21:51:17.000000000 +0200
+@@ -14,7 +14,7 @@
+ #
+ #else
+ # echo Binary
+- $(AR) x $(shell CC=$(CC) $(TOPDIR)/scripts/find_libsupc.sh)
++ $(AR) x $(shell CC="$(CC)" $(TOPDIR)/scripts/find_libsupc.sh)
+ $(RM) -f new_op*.o del_op*.o pure.o new_handler.o eh_alloc.o eh_globals.o
+ #
+ #endif
diff --git a/main/uclibc++/005-wrapper.patch b/main/uclibc++/005-wrapper.patch
new file mode 100644
index 000000000..b526a901f
--- /dev/null
+++ b/main/uclibc++/005-wrapper.patch
@@ -0,0 +1,12 @@
+diff -ruN uClibc++-0.2.2-old/bin/Makefile uClibc++-0.2.2-new/bin/Makefile
+--- uClibc++-0.2.2-old/bin/Makefile 2007-09-23 13:46:10.000000000 +0200
++++ uClibc++-0.2.2-new/bin/Makefile 2007-09-23 13:47:03.000000000 +0200
+@@ -25,7 +25,7 @@
+ echo 'while [ -n "$$1" ]' >> $(WRAPPER)
+ echo 'do' >> $(WRAPPER)
+ echo ' WRAPPER_OPTIONS="$$WRAPPER_OPTIONS $$1"' >> $(WRAPPER)
+- echo ' if [ "$$1" = "-c" -o "$$1" = "-E" -o "$$1" = "-S" ]' >> $(WRAPPER)
++ echo ' if [ "$$1" = "-c" -o "$$1" = "-E" -o "$$1" = "-S" -o "$$1" = "-MF" ]' >> $(WRAPPER)
+ echo ' then' >> $(WRAPPER)
+ echo ' WRAPPER_INCLIB="N"' >> $(WRAPPER)
+ echo ' fi' >> $(WRAPPER)
diff --git a/main/uclibc++/006-eabi_fix.patch b/main/uclibc++/006-eabi_fix.patch
new file mode 100644
index 000000000..bc970a716
--- /dev/null
+++ b/main/uclibc++/006-eabi_fix.patch
@@ -0,0 +1,42 @@
+Index: uClibc++-0.2.2/include/typeinfo
+===================================================================
+--- uClibc++-0.2.2.orig/include/typeinfo 2008-02-13 00:37:04.000000000 +0100
++++ uClibc++-0.2.2/include/typeinfo 2008-02-13 00:37:34.000000000 +0100
+@@ -44,6 +44,7 @@
+ class __class_type_info;
+ } // namespace __cxxabiv1
+
++#ifndef __GXX_MERGED_TYPEINFO_NAMES
+ #if !__GXX_WEAK__
+ // If weak symbols are not supported, typeinfo names are not merged.
+ #define __GXX_MERGED_TYPEINFO_NAMES 0
+@@ -51,6 +52,7 @@
+ // On platforms that support weak symbols, typeinfo names are merged.
+ #define __GXX_MERGED_TYPEINFO_NAMES 1
+ #endif
++#endif
+
+ namespace std
+ {
+Index: uClibc++-0.2.2/include/unwind-cxx.h
+===================================================================
+--- uClibc++-0.2.2.orig/include/unwind-cxx.h 2008-02-13 00:38:04.000000000 +0100
++++ uClibc++-0.2.2/include/unwind-cxx.h 2008-02-13 00:40:32.000000000 +0100
+@@ -135,6 +135,7 @@
+
+ // This is the exception class we report -- "GNUCC++\0".
+ const _Unwind_Exception_Class __gxx_exception_class
++#ifndef __ARM_EABI_UNWINDER__
+ = ((((((((_Unwind_Exception_Class) 'G'
+ << 8 | (_Unwind_Exception_Class) 'N')
+ << 8 | (_Unwind_Exception_Class) 'U')
+@@ -143,6 +144,9 @@
+ << 8 | (_Unwind_Exception_Class) '+')
+ << 8 | (_Unwind_Exception_Class) '+')
+ << 8 | (_Unwind_Exception_Class) '\0');
++#else
++= "GNUC++";
++#endif
+
+ // GNU C++ personality routine, Version 0.
+ extern "C" _Unwind_Reason_Code __gxx_personality_v0
diff --git a/main/uclibc++/007-numeric_limits.patch b/main/uclibc++/007-numeric_limits.patch
new file mode 100644
index 000000000..1ed7d6c6e
--- /dev/null
+++ b/main/uclibc++/007-numeric_limits.patch
@@ -0,0 +1,66 @@
+Index: uClibc++-0.2.2/include/limits
+===================================================================
+--- uClibc++-0.2.2/include/limits (revision 1877)
++++ uClibc++-0.2.2/include/limits (revision 1878)
+@@ -143,6 +143,53 @@
+ static T signaling_NaN();
+ };
+
++template <> class numeric_limits<bool> {
++public:
++ typedef bool T;
++ // General -- meaningful for all specializations.
++ static const bool is_specialized = true;
++ static T min(){
++ return false;
++ }
++ static T max(){
++ return true;
++ }
++ static const int radix = 2;
++ static const int digits = 1;
++ static const int digits10 = 0;
++ static const bool is_signed = false;
++ static const bool is_integer = true;
++ static const bool is_exact = true;
++ static const bool traps = false;
++ static const bool is_modulo = false;
++ static const bool is_bounded = true;
++
++ // Floating point specific.
++
++ static T epsilon(){
++ return 0;
++ }
++ static T round_error(){
++ return 0;
++ }
++ static const int min_exponent10 = 0;
++ static const int max_exponent10 = 0;
++ static const int min_exponent = 0;
++
++ static const int max_exponent = 0;
++ static const bool has_infinity = false;
++ static const bool has_quiet_NaN = false;
++ static const bool has_signaling_NaN = false;
++ static const bool is_iec559 = false;
++ static const bool has_denorm = false;
++ static const bool tinyness_before = false;
++ static const float_round_style round_style = round_indeterminate;
++ static T denorm_min();
++ static T infinity();
++ static T quiet_NaN();
++ static T signaling_NaN();
++};
++
+ template <> class numeric_limits<unsigned char> {
+ public:
+ typedef unsigned char T;
+@@ -567,6 +614,7 @@
+ };
+
+ template <> class numeric_limits<double> {
++public:
+ typedef double numeric_type;
+
+ static const bool is_specialized = true;
diff --git a/main/uclibc++/008-integer_width.patch b/main/uclibc++/008-integer_width.patch
new file mode 100644
index 000000000..c467e6011
--- /dev/null
+++ b/main/uclibc++/008-integer_width.patch
@@ -0,0 +1,314 @@
+Index: uClibc++-0.2.2/include/ostream
+===================================================================
+--- uClibc++-0.2.2/include/ostream (revision 708)
++++ uClibc++-0.2.2/include/ostream (revision 709)
+@@ -129,6 +129,18 @@
+ return *this;
+ }
+
++ _UCXXEXPORT void printout(const char_type* s, streamsize n)
++ {
++ int extra = ios::width() - n;
++ if ((ios::flags()&ios::adjustfield) == ios::right)
++ while (extra-- > 0)
++ put(ios::fill());
++ write(s, n);
++ if ((ios::flags()&ios::adjustfield) == ios::left)
++ while (extra-- > 0)
++ put(ios::fill());
++ }
++
+ protected:
+ basic_ostream(const basic_ostream<charT,traits> &){ }
+ basic_ostream<charT,traits> & operator=(const basic_ostream<charT,traits> &){ return *this; }
+@@ -142,15 +154,15 @@
+ sentry s(*this);
+ if( basic_ios<charT,traits>::flags() & ios_base::boolalpha){
+ if(n){
+- write("true", 4);
++ printout("true", 4);
+ }else{
+- write("false", 5);
++ printout("false", 5);
+ }
+ }else{
+ if(n){
+- write("1", 1);
++ printout("1", 1);
+ }else{
+- write("0", 1);
++ printout("0", 1);
+ }
+ }
+ if(basic_ios<charT,traits>::flags() & ios_base::unitbuf){
+@@ -219,7 +231,7 @@
+ template <class charT, class traits> _UCXXEXPORT basic_ostream<charT,traits>& basic_ostream<charT, traits>::operator<<(void* p){
+ sentry s(*this);
+ char buffer[20];
+- write(buffer, snprintf(buffer, 20, "%p", p) );
++ printout(buffer, snprintf(buffer, 20, "%p", p) );
+ if(basic_ios<charT,traits>::flags() & ios_base::unitbuf){
+ flush();
+ }
+@@ -356,7 +368,7 @@
+ operator<<(basic_ostream<charT,traits>& out, const charT* c)
+ {
+ typename basic_ostream<charT,traits>::sentry s(out);
+- out.write(c, traits::length(c) );
++ out.printout(c, traits::length(c) );
+ return out;
+ }
+
+@@ -364,7 +376,7 @@
+ operator<<(basic_ostream<charT,traits>& out, const char* c)
+ {
+ typename basic_ostream<charT,traits>::sentry s(out);
+- out.write(c, char_traits<char>::length(c) );
++ out.printout(c, char_traits<char>::length(c) );
+ return out;
+ }
+
+@@ -373,7 +385,7 @@
+ operator<<(basic_ostream<char,traits>& out, const char* c)
+ {
+ typename basic_ostream<char,traits>::sentry s(out);
+- out.write(c, traits::length(c));
++ out.printout(c, traits::length(c));
+ return out;
+ }
+
+@@ -389,7 +401,7 @@
+ temp[i] = out.widen(c[i]);
+ }
+
+- out.write(temp, numChars);
++ out.printout(temp, numChars);
+ return out;
+ }
+ #endif
+@@ -399,7 +411,7 @@
+ operator<<(basic_ostream<char,traits>& out, const signed char* c)
+ {
+ typename basic_ostream<char,traits>::sentry s(out);
+- out.write(reinterpret_cast<const char *>(c), traits::length( reinterpret_cast<const char *>(c)));
++ out.printout(reinterpret_cast<const char *>(c), traits::length( reinterpret_cast<const char *>(c)));
+ return out;
+ }
+
+@@ -407,7 +419,7 @@
+ operator<<(basic_ostream<char,traits>& out, const unsigned char* c)
+ {
+ typename basic_ostream<char,traits>::sentry s(out);
+- out.write(reinterpret_cast<const char *>(c), traits::length( reinterpret_cast<const char *>(c)));
++ out.printout(reinterpret_cast<const char *>(c), traits::length( reinterpret_cast<const char *>(c)));
+ return out;
+ }
+
+Index: uClibc++-0.2.2/include/ostream_helpers
+===================================================================
+--- uClibc++-0.2.2/include/ostream_helpers (revision 708)
++++ uClibc++-0.2.2/include/ostream_helpers (revision 709)
+@@ -88,7 +88,7 @@
+ }
+ }
+
+- stream.write(buffer, snprintf(buffer, 20, formatString, n) );
++ stream.printout(buffer, snprintf(buffer, 20, formatString, n) );
+
+ if(stream.flags() & ios_base::unitbuf){
+ stream.flush();
+@@ -135,7 +135,7 @@
+ }
+ }
+
+- stream.write(buffer, snprintf(buffer, 20, formatString, n));
++ stream.printout(buffer, snprintf(buffer, 20, formatString, n));
+ if(stream.flags() & ios_base::unitbuf){
+ stream.flush();
+ }
+@@ -182,7 +182,7 @@
+ }
+ }
+
+- stream.write(buffer, snprintf(buffer, 27, formatString, n) );
++ stream.printout(buffer, snprintf(buffer, 27, formatString, n) );
+
+ if(stream.flags() & ios_base::unitbuf){
+ stream.flush();
+@@ -228,7 +228,7 @@
+ }
+ }
+
+- stream.write(buffer, snprintf(buffer, 27, formatString, n) );
++ stream.printout(buffer, snprintf(buffer, 27, formatString, n) );
+
+ if(stream.flags() & ios_base::unitbuf){
+ stream.flush();
+@@ -256,7 +256,7 @@
+ } else {
+ length = snprintf(buffer, 32, "%*.*g",static_cast<int>(stream.width()),static_cast<int>(stream.precision()), f);
+ }
+- stream.write(buffer, length);
++ stream.printout(buffer, length);
+ if(stream.flags() & ios_base::unitbuf){
+ stream.flush();
+ }
+@@ -280,7 +280,7 @@
+ } else {
+ length = snprintf(buffer, 32, "%*.*Lg", static_cast<int>(stream.width()), static_cast<int>(stream.precision()), f);
+ }
+- stream.write(buffer, length);
++ stream.printout(buffer, length);
+ if(stream.flags() & ios_base::unitbuf){
+ stream.flush();
+ }
+@@ -295,25 +295,25 @@
+ {
+ wchar_t buffer[20];
+ if( stream.flags() & ios_base::dec){
+- stream.write(buffer, swprintf(buffer, 20, L"%ld", n));
++ stream.printout(buffer, swprintf(buffer, 20, L"%ld", n));
+ }else if( stream.flags() & ios_base::oct){
+ if( stream.flags() & ios_base::showbase){
+- stream.write(buffer, swprintf(buffer, 20, L"%#lo", n));
++ stream.printout(buffer, swprintf(buffer, 20, L"%#lo", n));
+ }else{
+- stream.write(buffer, swprintf(buffer, 20, L"%lo", n) );
++ stream.printout(buffer, swprintf(buffer, 20, L"%lo", n) );
+ }
+ }else if (stream.flags() & ios_base::hex){
+ if(stream.flags() & ios_base::showbase){
+ if(stream.flags() & ios_base::uppercase){
+- stream.write(buffer, swprintf(buffer, 20, L"%#lX", n) );
++ stream.printout(buffer, swprintf(buffer, 20, L"%#lX", n) );
+ }else{
+- stream.write(buffer, swprintf(buffer, 20, L"%#lx", n) );
++ stream.printout(buffer, swprintf(buffer, 20, L"%#lx", n) );
+ }
+ }else{
+ if(stream.flags() & ios_base::uppercase){
+- stream.write(buffer, swprintf(buffer, 20, L"%lX", n) );
++ stream.printout(buffer, swprintf(buffer, 20, L"%lX", n) );
+ }else{
+- stream.write(buffer, swprintf(buffer, 20, L"%lx", n) );
++ stream.printout(buffer, swprintf(buffer, 20, L"%lx", n) );
+ }
+ }
+ }
+@@ -329,25 +329,25 @@
+ {
+ wchar_t buffer[20];
+ if( stream.flags() & ios_base::dec){
+- stream.write(buffer, swprintf(buffer, 20, L"%lu", n));
++ stream.printout(buffer, swprintf(buffer, 20, L"%lu", n));
+ }else if( stream.flags() & ios_base::oct){
+ if( stream.flags() & ios_base::showbase){
+- stream.write(buffer, swprintf(buffer, 20, L"%#lo", n));
++ stream.printout(buffer, swprintf(buffer, 20, L"%#lo", n));
+ }else{
+- stream.write(buffer, swprintf(buffer, 20, L"%lo", n) );
++ stream.printout(buffer, swprintf(buffer, 20, L"%lo", n) );
+ }
+ }else if (stream.flags() & ios_base::hex){
+ if(stream.flags() & ios_base::showbase){
+ if(stream.flags() & ios_base::uppercase){
+- stream.write(buffer, swprintf(buffer, 20, L"%#lX", n) );
++ stream.printout(buffer, swprintf(buffer, 20, L"%#lX", n) );
+ }else{
+- stream.write(buffer, swprintf(buffer, 20, L"%#lx", n) );
++ stream.printout(buffer, swprintf(buffer, 20, L"%#lx", n) );
+ }
+ }else{
+ if(stream.flags() & ios_base::uppercase){
+- stream.write(buffer, swprintf(buffer, 20, L"%lX", n) );
++ stream.printout(buffer, swprintf(buffer, 20, L"%lX", n) );
+ }else{
+- stream.write(buffer, swprintf(buffer, 20, L"%lx", n) );
++ stream.printout(buffer, swprintf(buffer, 20, L"%lx", n) );
+ }
+ }
+ }
+@@ -365,25 +365,25 @@
+ {
+ wchar_t buffer[28];
+ if( stream.flags() & ios_base::dec){
+- stream.write(buffer, swprintf(buffer, 27, L"%lld", n));
++ stream.printout(buffer, swprintf(buffer, 27, L"%lld", n));
+ }else if( stream.flags() & ios_base::oct){
+ if( stream.flags() & ios_base::showbase){
+- stream.write(buffer, swprintf(buffer, 27, L"%#llo", n));
++ stream.printout(buffer, swprintf(buffer, 27, L"%#llo", n));
+ }else{
+- stream.write(buffer, swprintf(buffer, 27, L"%llo", n) );
++ stream.printout(buffer, swprintf(buffer, 27, L"%llo", n) );
+ }
+ }else if (stream.flags() & ios_base::hex){
+ if(stream.flags() & ios_base::showbase){
+ if(stream.flags() & ios_base::uppercase){
+- stream.write(buffer, swprintf(buffer, 27, L"%#llX", n) );
++ stream.printout(buffer, swprintf(buffer, 27, L"%#llX", n) );
+ }else{
+- stream.write(buffer, swprintf(buffer, 27, L"%#llx", n) );
++ stream.printout(buffer, swprintf(buffer, 27, L"%#llx", n) );
+ }
+ }else{
+ if(stream.flags() & ios_base::uppercase){
+- stream.write(buffer, swprintf(buffer, 27, L"%llX", n) );
++ stream.printout(buffer, swprintf(buffer, 27, L"%llX", n) );
+ }else{
+- stream.write(buffer, swprintf(buffer, 27, L"%llx", n) );
++ stream.printout(buffer, swprintf(buffer, 27, L"%llx", n) );
+ }
+ }
+ }
+@@ -399,25 +399,25 @@
+ {
+ wchar_t buffer[28];
+ if( stream.flags() & ios_base::dec){
+- stream.write(buffer, swprintf(buffer, 27, L"%llu", n));
++ stream.printout(buffer, swprintf(buffer, 27, L"%llu", n));
+ }else if( stream.flags() & ios_base::oct){
+ if( stream.flags() & ios_base::showbase){
+- stream.write(buffer, swprintf(buffer, 27, L"%#llo", n));
++ stream.printout(buffer, swprintf(buffer, 27, L"%#llo", n));
+ }else{
+- stream.write(buffer, swprintf(buffer, 27, L"%llo", n) );
++ stream.printout(buffer, swprintf(buffer, 27, L"%llo", n) );
+ }
+ }else if (stream.flags() & ios_base::hex){
+ if(stream.flags() & ios_base::showbase){
+ if(stream.flags() & ios_base::uppercase){
+- stream.write(buffer, swprintf(buffer, 27, L"%#llX", n) );
++ stream.printout(buffer, swprintf(buffer, 27, L"%#llX", n) );
+ }else{
+- stream.write(buffer, swprintf(buffer, 27, L"%#llx", n) );
++ stream.printout(buffer, swprintf(buffer, 27, L"%#llx", n) );
+ }
+ }else{
+ if(stream.flags() & ios_base::uppercase){
+- stream.write(buffer, swprintf(buffer, 27, L"%llX", n) );
++ stream.printout(buffer, swprintf(buffer, 27, L"%llX", n) );
+ }else{
+- stream.write(buffer, swprintf(buffer, 27, L"%llx", n) );
++ stream.printout(buffer, swprintf(buffer, 27, L"%llx", n) );
+ }
+ }
+ }
+@@ -447,7 +447,7 @@
+ } else {
+ swprintf(format_string, 32, L"%%%u.%ug", static_cast<int>(stream.width()), static_cast<unsigned int>(stream.precision()));
+ }
+- stream.write(buffer, swprintf(buffer, 32, format_string, f) );
++ stream.printout(buffer, swprintf(buffer, 32, format_string, f) );
+ if(stream.flags() & ios_base::unitbuf){
+ stream.flush();
+ }
+@@ -471,7 +471,7 @@
+ } else {
+ swprintf(format_string, 32, L"%%%u.%uLg", static_cast<unsigned int>(stream.width()), static_cast<unsigned int>(stream.precision()));
+ }
+- stream.write(buffer, swprintf(buffer, 32, format_string, f) );
++ stream.printout(buffer, swprintf(buffer, 32, format_string, f) );
+ if(stream.flags() & ios_base::unitbuf){
+ stream.flush();
+ }
diff --git a/main/uclibc++/900-dependent_exception.patch b/main/uclibc++/900-dependent_exception.patch
new file mode 100644
index 000000000..3a5cb7dbc
--- /dev/null
+++ b/main/uclibc++/900-dependent_exception.patch
@@ -0,0 +1,68 @@
+--- a/src/eh_alloc.cpp 2007-06-03 23:51:13.000000000 +0100
++++ b/src/eh_alloc.cpp 2009-07-13 09:42:39.000000000 +0100
+@@ -42,4 +42,21 @@
+ free( (char *)(vptr) - sizeof(__cxa_exception) );
+ }
+
++#if __GNUC__ * 100 + __GNUC_MINOR__ >= 404
++extern "C" __cxa_dependent_exception* __cxa_allocate_dependent_exception() throw(){
++ __cxa_dependent_exception *retval;
++
++ retval = static_cast<__cxa_dependent_exception*>(malloc(sizeof(__cxa_dependent_exception)));
++ if(0 == retval){
++ std::terminate();
++ }
++ memset (retval, 0, sizeof(__cxa_dependent_exception));
++ return retval ;
++}
++
++extern "C" void __cxa_free_dependent_exception(__cxa_dependent_exception *vptr) throw(){
++ free( vptr );
++}
++#endif
++
+ }
+--- a/include/unwind-cxx.h 2009-07-13 10:01:11.000000000 +0100
++++ b/include/unwind-cxx.h 2009-07-13 10:14:08.000000000 +0100
+@@ -79,6 +79,41 @@
+ _Unwind_Exception unwindHeader;
+ };
+
++#if __GNUC__ * 100 + __GNUC_MINOR__ >= 404
++// A dependent C++ exception object consists of a wrapper around an unwind
++// object header with additional C++ specific information, containing a pointer
++// to a primary exception object.
++
++struct __cxa_dependent_exception
++{
++ // The primary exception this thing depends on.
++ void *primaryException;
++
++ // The C++ standard has entertaining rules wrt calling set_terminate
++ // and set_unexpected in the middle of the exception cleanup process.
++ std::unexpected_handler unexpectedHandler;
++ std::terminate_handler terminateHandler;
++
++ // The caught exception stack threads through here.
++ __cxa_exception *nextException;
++
++ // How many nested handlers have caught this exception. A negated
++ // value is a signal that this object has been rethrown.
++ int handlerCount;
++
++ // Cache parsed handler data from the personality routine Phase 1
++ // for Phase 2 and __cxa_call_unexpected.
++ int handlerSwitchValue;
++ const unsigned char *actionRecord;
++ const unsigned char *languageSpecificData;
++ _Unwind_Ptr catchTemp;
++ void *adjustedPtr;
++
++ // The generic exception header. Must be last.
++ _Unwind_Exception unwindHeader;
++};
++
++#endif
+ // Each thread in a C++ program has access to a __cxa_eh_globals object.
+ struct __cxa_eh_globals
+ {
diff --git a/main/uclibc++/APKBUILD b/main/uclibc++/APKBUILD
index e6545e482..6a40ba549 100644
--- a/main/uclibc++/APKBUILD
+++ b/main/uclibc++/APKBUILD
@@ -1,14 +1,23 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=uclibc++
pkgver=0.2.2
-pkgrel=3
+pkgrel=5
pkgdesc="Embedded C++ library"
url="http://cxx.uclibc.org/"
license='GPL-2'
depends=
-makedepends=
+makedepends="bash"
subpackages="$pkgname-dev"
source="http://cxx.uclibc.org/src/uClibc++-$pkgver.tar.bz2
+ 001-path_to_make.patch
+ 002-no_bash.patch
+ 003-cp_command.patch
+ 004-ccache_fixes.patch
+ 005-wrapper.patch
+ 006-eabi_fix.patch
+ 007-numeric_limits.patch
+ 008-integer_width.patch
+ 900-dependent_exception.patch
associative_base.patch
uclibc++-gcc-4.3.patch
uclibc++config
@@ -42,6 +51,15 @@ dev() {
md5sums="1ceef3209cca88be8f1bd9de99735954 uClibc++-0.2.2.tar.bz2
+ce1016fb83c23c83486f35f4cd1b64ab 001-path_to_make.patch
+2a9bee5e88bf94d3870517891d5129d6 002-no_bash.patch
+8068b394de053ed94a742d1ed9657b99 003-cp_command.patch
+363dc1cd86052f44212c2f3ac15926da 004-ccache_fixes.patch
+3689f8d77984ca66554e14cacbeb796c 005-wrapper.patch
+99e625748c0e6d5fc7cef8484cbac587 006-eabi_fix.patch
+d335b8f1c9d4682a220a082a371277e4 007-numeric_limits.patch
+2c431d4ad46a244f2f50baf40b85f7d2 008-integer_width.patch
+4e9c416c2a107f7d814f938fa57901a5 900-dependent_exception.patch
5689baa3f3bf8488c0a5d27a690d30fa associative_base.patch
4c7b499e4697225378acef25f6364e9b uclibc++-gcc-4.3.patch
2f573c1e2a0c7a320ea4685cc3ce9e2a uclibc++config"
diff --git a/main/vim/APKBUILD b/main/vim/APKBUILD
index b4ecb2a1d..a6ce2f622 100644
--- a/main/vim/APKBUILD
+++ b/main/vim/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=vim
_srcver=7.2
-_patchver=234
+_patchver=245
pkgver=$_srcver.$_patchver
pkgrel=1
pkgdesc="advanced text editor"
@@ -249,6 +249,17 @@ source="ftp://ftp.vim.org/pub/vim/unix/vim-7.2.tar.bz2
ftp://ftp.vim.org/pub/vim/patches/7.2/7.2.232
ftp://ftp.vim.org/pub/vim/patches/7.2/7.2.233
ftp://ftp.vim.org/pub/vim/patches/7.2/7.2.234
+ ftp://ftp.vim.org/pub/vim/patches/7.2/7.2.235
+ ftp://ftp.vim.org/pub/vim/patches/7.2/7.2.236
+ ftp://ftp.vim.org/pub/vim/patches/7.2/7.2.237
+ ftp://ftp.vim.org/pub/vim/patches/7.2/7.2.238
+ ftp://ftp.vim.org/pub/vim/patches/7.2/7.2.239
+ ftp://ftp.vim.org/pub/vim/patches/7.2/7.2.240
+ ftp://ftp.vim.org/pub/vim/patches/7.2/7.2.241
+ ftp://ftp.vim.org/pub/vim/patches/7.2/7.2.242
+ ftp://ftp.vim.org/pub/vim/patches/7.2/7.2.243
+ ftp://ftp.vim.org/pub/vim/patches/7.2/7.2.244
+ ftp://ftp.vim.org/pub/vim/patches/7.2/7.2.245
"
# this generates the patches list
@@ -282,6 +293,7 @@ build() {
md5sums="f0901284b338e448bfd79ccca0041254 vim-7.2.tar.bz2
35e04482f07c57221c9a751aaa3b8dac vim-7.2-extra.tar.gz
+97aecde2ab504e543a96bec84b3b5638 vimrc
7c2dc4a956cf315e546e347bc349968c 7.2.001
7f16f80814f1e071a689806c2056b39d 7.2.002
0de916fdfd450a4a0d95bed44ae2c398 7.2.003
@@ -516,4 +528,14 @@ b97e5d33fa4fb8a1ea1308558bb33d41 7.2.228
5e5cfa4e5ee34cbbdd01c27ece1b7398 7.2.232
9fa12db95776e9174ca7c95172a48838 7.2.233
a46776a6914ec2972ada91b33b0cfb39 7.2.234
-97aecde2ab504e543a96bec84b3b5638 vimrc"
+4121105bf052ebac02bd9891c232137a 7.2.235
+e9ca47c42d7de7b27910e3b35e533ecd 7.2.236
+f48f3e3f58a7a82a1c14fd61072c69f0 7.2.237
+5b9cc79b5448fb71ac1b2870a861119d 7.2.238
+28a8a33a3e2ceef51f838c2dc9fceac2 7.2.239
+212989ec4f90d697183c7cfb363cd453 7.2.240
+45f0effee324a20881e254c1b59dd5f8 7.2.241
+464fc788e592b19cd4d8a21d3d8b789e 7.2.242
+eb8132b8f89393e7f39734e607fc3925 7.2.243
+15c654c51220c2ad94b47d6013626aef 7.2.244
+d5ecb198dfea237e96b5ae12b9381383 7.2.245"
diff --git a/main/xdelta3/APKBUILD b/main/xdelta3/APKBUILD
new file mode 100644
index 000000000..fece127a6
--- /dev/null
+++ b/main/xdelta3/APKBUILD
@@ -0,0 +1,27 @@
+# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
+pkgname=xdelta3
+pkgver=3.0v
+pkgrel=0
+pkgdesc="A diff utility which works with binary files"
+url="http://xdelta.org/"
+license="GPL"
+depends=
+makedepends=
+source="http://xdelta.googlecode.com/files/$pkgname.0v.tar.gz
+ $pkgname-makefile.patch
+ $pkgname-xz.patch"
+
+build ()
+{
+ cd $srcdir/xdelta$pkgver
+ patch -Np1 -i $srcdir/xdelta3-makefile.patch
+ patch -Np1 -i $srcdir/xdelta3-xz.patch
+ make xdelta3 || return 1
+ install -D xdelta3 "$pkgdir"/usr/bin/xdelta3
+# python ./setup.py install --root "$pkgdir"
+# make xdelta3module.so || return 1
+# install -m644 {xdelta3.py,xdelta3module.so} "$pkgdir"/usr/lib/python2.6/site-packages
+}
+md5sums="6b5faeb88028a1211cb047e49b687a3a xdelta3.0v.tar.gz
+35aa0d20a27791addeb929591a78bd3f xdelta3-makefile.patch
+fb1e685d810a15f04b7bdbc9a3f3e635 xdelta3-xz.patch"
diff --git a/main/xdelta3/xdelta3-makefile.patch b/main/xdelta3/xdelta3-makefile.patch
new file mode 100644
index 000000000..f7fc6a657
--- /dev/null
+++ b/main/xdelta3/xdelta3-makefile.patch
@@ -0,0 +1,33 @@
+diff -Naur xdelta3.0v-old/Makefile xdelta3.0v/Makefile
+--- xdelta3.0v-old/Makefile 2009-03-12 01:44:51.000000000 +0000
++++ xdelta3.0v/Makefile 2009-03-14 17:02:33.000000000 +0000
+@@ -4,7 +4,7 @@
+ UNAME = $(shell uname)
+ CYGWIN = $(findstring CYGWIN, $(UNAME))
+ DARWIN = $(findstring Darwin, $(UNAME))
+-PYVER = 2.5
++PYVER = 2.6
+
+ ifeq ("$(CYGWIN)", "")
+ SWIGTGT = xdelta3module.so
+@@ -200,6 +200,9 @@
+ xdelta3.o: $(SOURCES)
+ $(CC) -O3 $(CFLAGS) -c xdelta3.c $(SWIG_FLAGS) -o xdelta3.o
+
++xdelta3_PIC.o: $(SOURCES)
++ $(CC) -O3 $(CFLAGS) -fPIC -c xdelta3.c $(SWIG_FLAGS) -o xdelta3_PIC.o
++
+ xdelta3_wrap.o: xdelta3_wrap.c
+ $(CC) -O3 $(CFLAGS) $(SWIG_FLAGS) \
+ -DHAVE_CONFIG_H \
+@@ -218,8 +221,8 @@
+ cp $(SWIGTGT) /usr/lib/python$(PYVER)/site-packages
+
+ ifeq ("$(DARWIN)", "")
+-xdelta3module.so: xdelta3_wrap.o xdelta3.o
+- ld -shared xdelta3.o xdelta3_wrap.o \
++xdelta3module.so: xdelta3_wrap.o xdelta3_PIC.o
++ cc -shared xdelta3_PIC.o xdelta3_wrap.o \
+ -o xdelta3module.so \
+ /usr/lib/libpython$(PYVER).so \
+ -lc
diff --git a/main/xdelta3/xdelta3-xz.patch b/main/xdelta3/xdelta3-xz.patch
new file mode 100644
index 000000000..3527406c1
--- /dev/null
+++ b/main/xdelta3/xdelta3-xz.patch
@@ -0,0 +1,12 @@
+diff -ruNa a/xdelta3-main.h b/xdelta3-main.h
+--- a/xdelta3-main.h 2009-01-30 05:59:02.000000000 +0100
++++ b/xdelta3-main.h 2009-05-13 12:43:00.000000000 +0200
+@@ -355,6 +355,7 @@
+ RD_NONEXTERNAL },
+ { "bzip2", "-cf", "bzip2", "-dcf", "B", "BZh", 3, 0 },
+ { "gzip", "-cf", "gzip", "-dcf", "G", "\037\213", 2, 0 },
++ { "xz", "-cf", "xz", "-dcf", "Y", "\xfd\x37\x7a\x58\x5a\x00", 2, 0 },
+ { "compress", "-cf", "uncompress", "-cf", "Z", "\037\235", 2, 0 },
+
+ /* TODO: add commandline support for magic-less formats */
+
diff --git a/testing/device-mapper/APKBUILD b/testing/device-mapper/APKBUILD
deleted file mode 100644
index aaca6808f..000000000
--- a/testing/device-mapper/APKBUILD
+++ /dev/null
@@ -1,26 +0,0 @@
-# Contributor: Leonardo Arena <rnalrd@gmail.com>
-# Maintainer: Leonardo Arena <rnalrd@gmail.com>
-pkgname=device-mapper
-pkgver=1.02.28
-pkgrel=0
-pkgdesc="Device mapper ioctl library"
-url="http://sources.redhat.com/pub/dm/"
-license="GPL-2"
-depends="uclibc"
-makedepends=""
-install=
-subpackages="$pkgname-doc $pkgname-dev"
-source="ftp://sources.redhat.com/pub/dm/$pkgname.$pkgver.tgz"
-
-build() {
- cd "$srcdir/$pkgname.$pkgver"
-
- ./configure --prefix=/usr \
- --sysconfdir=/etc \
- --mandir=/usr/share/man \
- --infodir=/usr/share/info
- make || return 1
- make DESTDIR="$pkgdir" install
-}
-
-md5sums="c9ae0776994a419f9e1ba842164bb626 device-mapper.1.02.28.tgz"
diff --git a/x11/geany/APKBUILD b/x11/geany/APKBUILD
new file mode 100644
index 000000000..cb1f4b9a4
--- /dev/null
+++ b/x11/geany/APKBUILD
@@ -0,0 +1,24 @@
+# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
+pkgname=geany
+pkgver=0.18
+pkgrel=0
+pkgdesc="A fast and lightweight IDE"
+url="http://www.geany.org"
+license="GPL"
+subpackages="$pkgname-dev $pkgname-doc"
+makedepends="gtk+-dev intltool perl-xml-parser vte-dev"
+depends=
+depends_dev="gtk+-dev"
+install=
+source="http://download.$pkgname.org/$pkgname-$pkgver.tar.gz"
+
+build()
+{
+ cd "$srcdir"/$pkgname-$pkgver
+ ./configure --prefix=/usr
+ make || return 1
+ sed -i 's|MimeType=text/plain;|MimeType=|' geany.desktop || return 1
+ sed -i 's|Sh=|Sh=APKBUILD;|' data/filetype_extensions.conf || return 1
+ make DESTDIR="$pkgdir" install || return 1
+}
+md5sums="e5d4075dcb486d3cec958c2bac9ce8f4 geany-0.18.tar.gz"
diff --git a/x11/qemu/APKBUILD b/x11/qemu/APKBUILD
new file mode 100644
index 000000000..f451eec7c
--- /dev/null
+++ b/x11/qemu/APKBUILD
@@ -0,0 +1,42 @@
+# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
+pkgname=qemu
+pkgver=0.10.6
+pkgrel=0
+pkgdesc="QEMU is a generic machine emulator and virtualizer"
+url="http://www.nongnu.org/qemu/"
+license="GPL-2 LGPL-2"
+makedepends="zlib-dev sdl-dev alsa-lib-dev gnutls-dev"
+depends=
+install="qemu.pre-install"
+source="http://savannah.nongnu.org/download/$pkgname/$pkgname-$pkgver.tar.gz
+ qemu-0.10.3-nopl-fix.patch"
+
+build()
+{
+ cd "$srcdir"/$pkgname-$pkgver
+ # avoid fdt till an updated release appears
+ sed -i -e 's:fdt="yes":fdt="no":' configure
+ # prevent docs to get automatically installed
+ sed -i '/$(DESTDIR)$(docdir)/d' Makefile
+ # Alter target makefiles to accept CFLAGS
+ sed -i 's/^\(C\|OP_C\|HELPER_C\)FLAGS=/\1FLAGS+=/' \
+ Makefile Makefile.target tests/Makefile
+ sed -i 's/^VL_LDFLAGS=$/VL_LDFLAGS=-Wl,-z,execheap/' \
+ Makefile.target
+ patch -p0 -i ../qemu-0.10.3-nopl-fix.patch || return 1
+ export CFLAGS="$CFLAGS -fno-pie -fno-stack-protector"
+
+ ./configure --prefix=/usr \
+ --audio-drv-list=oss,alsa,sdl \
+ --audio-card-list=ac97,sb16,es1370,adlib \
+ --disable-darwin-user \
+ --disable-bsd-user \
+ --disable-kqemu \
+ --cc="$CC"
+
+ make || return 1
+ make DESTDIR="$pkgdir" install || return 1
+}
+
+md5sums="e28f4b2d6faef178da44c03224feecb6 qemu-0.10.6.tar.gz
+aef31109b7cde6e31b9dac37c3f8a033 qemu-0.10.3-nopl-fix.patch"
diff --git a/x11/qemu/qemu-0.10.3-nopl-fix.patch b/x11/qemu/qemu-0.10.3-nopl-fix.patch
new file mode 100644
index 000000000..bdef0efc3
--- /dev/null
+++ b/x11/qemu/qemu-0.10.3-nopl-fix.patch
@@ -0,0 +1,32 @@
+--- i386-dis.c 2009-03-22 00:05:48.000000000 +0100
++++ i386-dis_new.c 2009-04-21 08:31:08.000000000 +0200
+@@ -784,13 +784,13 @@
+ { "movhpX", EX, XM, SIMD_Fixup, 'l' },
+ /* 18 */
+ { GRP14 },
+- { "(bad)", XX, XX, XX },
+- { "(bad)", XX, XX, XX },
+- { "(bad)", XX, XX, XX },
+- { "(bad)", XX, XX, XX },
+- { "(bad)", XX, XX, XX },
+- { "(bad)", XX, XX, XX },
+- { "(bad)", XX, XX, XX },
++ { "nopQ", Ev, XX, XX },
++ { "nopQ", Ev, XX, XX },
++ { "nopQ", Ev, XX, XX },
++ { "nopQ", Ev, XX, XX },
++ { "nopQ", Ev, XX, XX },
++ { "nopQ", Ev, XX, XX },
++ { "nopQ", Ev, XX, XX },
+ /* 20 */
+ { "movL", Rm, Cm, XX },
+ { "movL", Rm, Dm, XX },
+@@ -1072,7 +1072,7 @@
+ /* 0 1 2 3 4 5 6 7 8 9 a b c d e f */
+ /* ------------------------------- */
+ /* 00 */ 1,1,1,1,0,0,0,0,0,0,0,0,0,1,0,1, /* 0f */
+- /* 10 */ 1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0, /* 1f */
++ /* 10 */ 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, /* 1f */
+ /* 20 */ 1,1,1,1,1,0,1,0,1,1,1,1,1,1,1,1, /* 2f */
+ /* 30 */ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, /* 3f */
+ /* 40 */ 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, /* 4f */
diff --git a/x11/qemu/qemu.pre-install b/x11/qemu/qemu.pre-install
new file mode 100644
index 000000000..42ec0482c
--- /dev/null
+++ b/x11/qemu/qemu.pre-install
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+addgroup kvm
diff --git a/x11/sdl/APKBUILD b/x11/sdl/APKBUILD
index 421c8f9ec..3a4a71b0d 100644
--- a/x11/sdl/APKBUILD
+++ b/x11/sdl/APKBUILD
@@ -1,12 +1,13 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=sdl
pkgver=1.2.13
-pkgrel=0
+pkgrel=1
pkgdesc="A library for portable low-level access to a video framebuffer, audio output, mouse, and keyboard"
url="http://www.libsdl.org"
license="LGPL"
subpackages="$pkgname-dev $pkgname-doc"
depends=
+depends_dev="libx11-dev"
makedepends="libxext-dev libxrender-dev libx11-dev libice-dev libsm-dev
libxrandr-dev mesa-dev alsa-lib-dev"
source="http://www.libsdl.org/release/SDL-$pkgver.tar.gz"