summaryrefslogtreecommitdiffstats
path: root/main/ipsec-tools
diff options
context:
space:
mode:
authorTimo Teräs <timo.teras@iki.fi>2011-03-04 13:57:21 +0200
committerTimo Teräs <timo.teras@iki.fi>2011-03-04 13:59:01 +0200
commitba7a48af9f538f6b5ebd8c8039a5a92804236587 (patch)
tree4eed1b2ba785f978c21fa9d7d80d351392cdc7af /main/ipsec-tools
parent3c275f33865a0dbd194848ddd80532ae977bb866 (diff)
downloadaports-ba7a48af9f538f6b5ebd8c8039a5a92804236587.tar.bz2
aports-ba7a48af9f538f6b5ebd8c8039a5a92804236587.tar.xz
main/ipsec-tools: update to 0.8.0 RC, and include additional patches
* improve handling of setups where single node participates to multiple dmvpn networks. enable using of grekey in setkey, SPD and sainfo; also match remoteconfs using sainfo ph1id
Diffstat (limited to 'main/ipsec-tools')
-rw-r--r--main/ipsec-tools/10-cmpsaddr-fix.patch421
-rw-r--r--main/ipsec-tools/20-grekey-support.patch608
-rw-r--r--main/ipsec-tools/50-reverse-connect.patch70
-rw-r--r--main/ipsec-tools/APKBUILD12
4 files changed, 1067 insertions, 44 deletions
diff --git a/main/ipsec-tools/10-cmpsaddr-fix.patch b/main/ipsec-tools/10-cmpsaddr-fix.patch
new file mode 100644
index 000000000..af73c2e5e
--- /dev/null
+++ b/main/ipsec-tools/10-cmpsaddr-fix.patch
@@ -0,0 +1,421 @@
+Index: ipsec-tools-cvs-HEAD/src/racoon/grabmyaddr.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/grabmyaddr.c 2011-03-03 17:54:33.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/grabmyaddr.c 2011-03-03 18:45:24.000000000 +0200
+@@ -100,7 +100,7 @@
+ return TRUE;
+
+ LIST_FOREACH(cfg, &configured, chain) {
+- if (cmpsaddr(addr, (struct sockaddr *) &cfg->addr) == 0)
++ if (cmpsaddr(addr, (struct sockaddr *) &cfg->addr) <= CMPSADDR_WILDPORT_MATCH)
+ return TRUE;
+ }
+
+@@ -116,7 +116,7 @@
+
+ /* Already open? */
+ LIST_FOREACH(my, &opened, chain) {
+- if (cmpsaddr(addr, (struct sockaddr *) &my->addr) == 0)
++ if (cmpsaddr(addr, (struct sockaddr *) &my->addr) <= CMPSADDR_WILDPORT_MATCH)
+ return TRUE;
+ }
+
+@@ -156,7 +156,7 @@
+
+ LIST_FOREACH(cfg, &configured, chain) {
+ if (addr != NULL &&
+- cmpsaddr(addr, (struct sockaddr *) &cfg->addr) != 0)
++ cmpsaddr(addr, (struct sockaddr *) &cfg->addr) > CMPSADDR_WILDPORT_MATCH)
+ continue;
+ if (!myaddr_open((struct sockaddr *) &cfg->addr, cfg->udp_encap))
+ return FALSE;
+@@ -262,7 +262,7 @@
+ struct myaddr *my;
+
+ LIST_FOREACH(my, &opened, chain) {
+- if (cmpsaddr((struct sockaddr *) &my->addr, addr) == 0)
++ if (cmpsaddr((struct sockaddr *) &my->addr, addr) <= CMPSADDR_WILDPORT_MATCH)
+ return my->fd;
+ }
+
+@@ -276,7 +276,7 @@
+ struct myaddr *my;
+
+ LIST_FOREACH(my, &opened, chain) {
+- if (cmpsaddr((struct sockaddr *) &my->addr, addr) == 0)
++ if (cmpsaddr((struct sockaddr *) &my->addr, addr) <= CMPSADDR_WILDPORT_MATCH)
+ return extract_port((struct sockaddr *) &my->addr);
+ }
+
+Index: ipsec-tools-cvs-HEAD/src/racoon/handler.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/handler.c 2011-03-03 17:54:33.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/handler.c 2011-03-03 18:48:10.000000000 +0200
+@@ -120,11 +120,11 @@
+ LIST_FOREACH(p, &ph1tree, chain) {
+ if (sel != NULL) {
+ if (sel->local != NULL &&
+- cmpsaddr(sel->local, p->local) != 0)
++ cmpsaddr(sel->local, p->local) > CMPSADDR_WILDPORT_MATCH)
+ continue;
+
+ if (sel->remote != NULL &&
+- cmpsaddr(sel->remote, p->remote) != 0)
++ cmpsaddr(sel->remote, p->remote) > CMPSADDR_WILDPORT_MATCH)
+ continue;
+ }
+
+@@ -300,8 +300,8 @@
+ if (p->status < PHASE1ST_DYING)
+ continue;
+
+- if (cmpsaddr(iph1->local, p->local) == 0
+- && cmpsaddr(iph1->remote, p->remote) == 0)
++ if (cmpsaddr(iph1->local, p->local) == CMPSADDR_MATCH
++ && cmpsaddr(iph1->remote, p->remote) == CMPSADDR_MATCH)
+ migrate_ph12(p, iph1);
+ }
+ }
+@@ -547,11 +547,11 @@
+ continue;
+
+ if (sel->src != NULL &&
+- cmpsaddr(sel->src, p->src) != 0)
++ cmpsaddr(sel->src, p->src) != CMPSADDR_MATCH)
+ continue;
+
+ if (sel->dst != NULL &&
+- cmpsaddr(sel->dst, p->dst) != 0)
++ cmpsaddr(sel->dst, p->dst) != CMPSADDR_MATCH)
+ continue;
+ }
+
+@@ -615,8 +615,8 @@
+
+ LIST_FOREACH(p, &ph2tree, chain) {
+ if (spid == p->spid &&
+- cmpsaddr(src, p->src) == 0 &&
+- cmpsaddr(dst, p->dst) == 0){
++ cmpsaddr(src, p->src) <= CMPSADDR_WILDPORT_MATCH &&
++ cmpsaddr(dst, p->dst) <= CMPSADDR_WILDPORT_MATCH){
+ /* Sanity check to detect zombie handlers
+ * XXX Sould be done "somewhere" more interesting,
+ * because we have lots of getph2byxxxx(), but this one
+@@ -643,8 +643,8 @@
+ struct ph2handle *p;
+
+ LIST_FOREACH(p, &ph2tree, chain) {
+- if (cmpsaddr(src, p->src) == 0 &&
+- cmpsaddr(dst, p->dst) == 0)
++ if (cmpsaddr(src, p->src) <= CMPSADDR_WILDPORT_MATCH &&
++ cmpsaddr(dst, p->dst) <= CMPSADDR_WILDPORT_MATCH)
+ return p;
+ }
+
+@@ -947,7 +947,7 @@
+ struct contacted *p;
+
+ LIST_FOREACH(p, &ctdtree, chain) {
+- if (cmpsaddr(remote, p->remote) == 0)
++ if (cmpsaddr(remote, p->remote) <= CMPSADDR_WILDPORT_MATCH)
+ return p;
+ }
+
+@@ -988,7 +988,7 @@
+ struct contacted *p;
+
+ LIST_FOREACH(p, &ctdtree, chain) {
+- if (cmpsaddr(remote, p->remote) == 0) {
++ if (cmpsaddr(remote, p->remote) <= CMPSADDR_WILDPORT_MATCH) {
+ LIST_REMOVE(p, chain);
+ racoon_free(p->remote);
+ racoon_free(p);
+@@ -1042,7 +1042,7 @@
+ /*
+ * the packet was processed before, but the remote address mismatches.
+ */
+- if (cmpsaddr(remote, r->remote) != 0)
++ if (cmpsaddr(remote, r->remote) != CMPSADDR_MATCH)
+ return 2;
+
+ /*
+Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp.c 2011-03-03 17:54:33.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/isakmp.c 2011-03-03 18:50:22.000000000 +0200
+@@ -468,8 +468,8 @@
+ /* Floating ports for NAT-T */
+ if (NATT_AVAILABLE(iph1) &&
+ ! (iph1->natt_flags & NAT_PORTS_CHANGED) &&
+- ((cmpsaddr(iph1->remote, remote) != 0) ||
+- (cmpsaddr(iph1->local, local) != 0)))
++ ((cmpsaddr(iph1->remote, remote) != CMPSADDR_MATCH) ||
++ (cmpsaddr(iph1->local, local) != CMPSADDR_MATCH)))
+ {
+ /* prevent memory leak */
+ racoon_free(iph1->remote);
+@@ -510,7 +510,7 @@
+ #endif
+
+ /* must be same addresses in one stream of a phase at least. */
+- if (cmpsaddr(iph1->remote, remote) != 0) {
++ if (cmpsaddr(iph1->remote, remote) != CMPSADDR_MATCH) {
+ char *saddr_db, *saddr_act;
+
+ saddr_db = racoon_strdup(saddr2str(iph1->remote));
+@@ -636,7 +636,7 @@
+ "exchange received.\n");
+ return -1;
+ }
+- if (cmpsaddr(iph1->remote, remote) != 0) {
++ if (cmpsaddr(iph1->remote, remote) != CMPSADDR_MATCH) {
+ plog(LLV_WARNING, LOCATION, remote,
+ "remote address mismatched. "
+ "db=%s\n",
+@@ -3322,10 +3322,10 @@
+ * Select only SAs where src == local and dst == remote (outgoing)
+ * or src == remote and dst == local (incoming).
+ */
+- if ((cmpsaddr(iph1->local, src) ||
+- cmpsaddr(iph1->remote, dst)) &&
+- (cmpsaddr(iph1->local, dst) ||
+- cmpsaddr(iph1->remote, src))) {
++ if ((cmpsaddr(iph1->local, src) != CMPSADDR_MATCH ||
++ cmpsaddr(iph1->remote, dst) != CMPSADDR_MATCH) &&
++ (cmpsaddr(iph1->local, dst) != CMPSADDR_MATCH ||
++ cmpsaddr(iph1->remote, src) != CMPSADDR_MATCH)) {
+ msg = next;
+ continue;
+ }
+Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp_inf.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp_inf.c 2011-03-03 17:54:34.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/isakmp_inf.c 2011-03-03 18:51:05.000000000 +0200
+@@ -1177,7 +1177,7 @@
+
+ /* don't delete inbound SAs at the moment */
+ /* XXX should we remove SAs with opposite direction as well? */
+- if (cmpsaddr(dst0, dst)) {
++ if (cmpsaddr(dst0, dst) != CMPSADDR_MATCH) {
+ msg = next;
+ continue;
+ }
+@@ -1355,10 +1355,10 @@
+ * ports. Correct thing to do is delete all entries with
+ * same identity. -TT
+ */
+- if ((cmpsaddr(iph1->local, src) != 0 ||
+- cmpsaddr(iph1->remote, dst) != 0) &&
+- (cmpsaddr(iph1->local, dst) != 0 ||
+- cmpsaddr(iph1->remote, src) != 0))
++ if ((cmpsaddr(iph1->local, src) != CMPSADDR_MATCH ||
++ cmpsaddr(iph1->remote, dst) != CMPSADDR_MATCH) &&
++ (cmpsaddr(iph1->local, dst) != CMPSADDR_MATCH ||
++ cmpsaddr(iph1->remote, src) != CMPSADDR_MATCH))
+ continue;
+
+ /*
+Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp_quick.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp_quick.c 2011-03-03 17:54:34.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/isakmp_quick.c 2011-03-03 18:51:48.000000000 +0200
+@@ -629,7 +629,7 @@
+ #endif
+
+ if (cmpsaddr((struct sockaddr *) &proposed_addr,
+- (struct sockaddr *) &got_addr) == 0) {
++ (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "IDci matches proposal.\n");
+ #ifdef ENABLE_NATT
+@@ -677,13 +677,13 @@
+ #endif
+
+ if (cmpsaddr((struct sockaddr *) &proposed_addr,
+- (struct sockaddr *) &got_addr) == 0) {
++ (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "IDcr matches proposal.\n");
+ #ifdef ENABLE_NATT
+ } else if (iph2->natoa_dst != NULL
+ && cmpsaddr(iph2->natoa_dst,
+- (struct sockaddr *) &got_addr) == 0) {
++ (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "IDcr matches NAT-OAr.\n");
+ #endif
+Index: ipsec-tools-cvs-HEAD/src/racoon/nattraversal.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/nattraversal.c 2011-03-03 17:54:34.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/nattraversal.c 2011-03-03 18:52:20.000000000 +0200
+@@ -398,8 +398,8 @@
+ struct natt_ka_addrs *ka = NULL, *new_addr;
+
+ TAILQ_FOREACH (ka, &ka_tree, chain) {
+- if (cmpsaddr(ka->src, src) == 0 &&
+- cmpsaddr(ka->dst, dst) == 0) {
++ if (cmpsaddr(ka->src, src) == CMPSADDR_MATCH &&
++ cmpsaddr(ka->dst, dst) == CMPSADDR_MATCH) {
+ ka->in_use++;
+ plog (LLV_INFO, LOCATION, NULL, "KA found: %s (in_use=%u)\n",
+ saddr2str_fromto("%s->%s", src, dst), ka->in_use);
+@@ -462,8 +462,8 @@
+ plog (LLV_DEBUG, LOCATION, NULL, "KA tree dump: %s (in_use=%u)\n",
+ saddr2str_fromto("%s->%s", src, dst), ka->in_use);
+
+- if (cmpsaddr(ka->src, src) == 0 &&
+- cmpsaddr(ka->dst, dst) == 0 &&
++ if (cmpsaddr(ka->src, src) == CMPSADDR_MATCH &&
++ cmpsaddr(ka->dst, dst) == CMPSADDR_MATCH &&
+ -- ka->in_use <= 0) {
+
+ plog (LLV_DEBUG, LOCATION, NULL, "KA removing this one...\n");
+Index: ipsec-tools-cvs-HEAD/src/racoon/pfkey.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/pfkey.c 2011-03-03 17:54:34.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/pfkey.c 2011-03-03 18:52:50.000000000 +0200
+@@ -2882,8 +2882,8 @@
+ u_int16_t port;
+
+ /* Already up-to-date? */
+- if (cmpsaddr(iph1->local, ma->local) == 0 &&
+- cmpsaddr(iph1->remote, ma->remote) == 0)
++ if (cmpsaddr(iph1->local, ma->local) == CMPSADDR_MATCH &&
++ cmpsaddr(iph1->remote, ma->remote) == CMPSADDR_MATCH)
+ return 0;
+
+ if (iph1->status < PHASE1ST_ESTABLISHED) {
+@@ -2983,8 +2983,8 @@
+ migrate_ph1_ike_addresses(iph2->ph1, arg);
+
+ /* Already up-to-date? */
+- if (cmpsaddr(iph2->src, ma->local) == 0 &&
+- cmpsaddr(iph2->dst, ma->remote) == 0)
++ if (cmpsaddr(iph2->src, ma->local) == CMPSADDR_MATCH &&
++ cmpsaddr(iph2->dst, ma->remote) == CMPSADDR_MATCH)
+ return 0;
+
+ /* save src/dst as sa_src/sa_dst before rewriting */
+@@ -3207,8 +3207,8 @@
+ "changing address families (%d to %d) for endpoints.\n",
+ osaddr->sa_family, nsaddr->sa_family);
+
+- if (cmpsaddr(osaddr, (struct sockaddr *) &saidx->src) ||
+- cmpsaddr(odaddr, (struct sockaddr *) &saidx->dst)) {
++ if (cmpsaddr(osaddr, (struct sockaddr *) &saidx->src) != CMPSADDR_MATCH ||
++ cmpsaddr(odaddr, (struct sockaddr *) &saidx->dst) != CMPSADDR_MATCH) {
+ plog(LLV_DEBUG, LOCATION, NULL, "SADB_X_MIGRATE: "
+ "mismatch of addresses in saidx and xisr.\n");
+ return -1;
+Index: ipsec-tools-cvs-HEAD/src/racoon/policy.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/policy.c 2011-03-03 17:54:34.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/policy.c 2011-03-03 19:09:42.000000000 +0200
+@@ -142,7 +142,7 @@
+ plog(LLV_DEBUG, LOCATION, NULL, "src2: %s\n",
+ saddr2str((struct sockaddr *)&spidx->src));
+
+- if (cmpsaddr(iph2->src, (struct sockaddr *) &spidx->src) ||
++ if (cmpsaddr(iph2->src, (struct sockaddr *) &spidx->src) != CMPSADDR_MATCH ||
+ spidx->prefs != prefixlen)
+ return NULL;
+
+@@ -151,7 +151,7 @@
+ plog(LLV_DEBUG, LOCATION, NULL, "dst2: %s\n",
+ saddr2str((struct sockaddr *)&spidx->dst));
+
+- if (cmpsaddr(iph2->dst, (struct sockaddr *) &spidx->dst) ||
++ if (cmpsaddr(iph2->dst, (struct sockaddr *) &spidx->dst) != CMPSADDR_MATCH ||
+ spidx->prefd != prefixlen)
+ return NULL;
+
+@@ -201,10 +201,10 @@
+ return 1;
+
+ if (cmpsaddr((struct sockaddr *) &a->src,
+- (struct sockaddr *) &b->src))
++ (struct sockaddr *) &b->src) != CMPSADDR_MATCH)
+ return 1;
+ if (cmpsaddr((struct sockaddr *) &a->dst,
+- (struct sockaddr *) &b->dst))
++ (struct sockaddr *) &b->dst) != CMPSADDR_MATCH)
+ return 1;
+
+ #ifdef HAVE_SECCTX
+@@ -261,7 +261,7 @@
+ a, b->prefs, saddr2str((struct sockaddr *)&sa1));
+ plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
+ b, b->prefs, saddr2str((struct sockaddr *)&sa2));
+- if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
++ if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2) > CMPSADDR_WILDPORT_MATCH)
+ return 1;
+
+ #ifndef __linux__
+@@ -279,7 +279,7 @@
+ a, b->prefd, saddr2str((struct sockaddr *)&sa1));
+ plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
+ b, b->prefd, saddr2str((struct sockaddr *)&sa2));
+- if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
++ if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2) > CMPSADDR_WILDPORT_MATCH)
+ return 1;
+
+ #ifdef HAVE_SECCTX
+Index: ipsec-tools-cvs-HEAD/src/racoon/sockmisc.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/sockmisc.c 2011-03-03 17:54:35.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/sockmisc.c 2011-03-03 18:55:01.000000000 +0200
+@@ -132,11 +132,13 @@
+ return CMPSADDR_MISMATCH;
+ }
+
+- if (port1 == port2 ||
+- port1 == IPSEC_PORT_ANY ||
+- port2 == IPSEC_PORT_ANY)
++ if (port1 == port2)
+ return CMPSADDR_MATCH;
+
++ if (port1 == IPSEC_PORT_ANY ||
++ port2 == IPSEC_PORT_ANY)
++ return CMPSADDR_WILDPORT_MATCH;
++
+ return CMPSADDR_WOP_MATCH;
+ }
+
+@@ -934,7 +936,7 @@
+ free(a2);
+ free(a3);
+ }
+- if (cmpsaddr(&sa, &naddr->sa.sa) == 0)
++ if (cmpsaddr(&sa, &naddr->sa.sa) <= CMPSADDR_WOP_MATCH)
+ return naddr->prefix + port_score;
+
+ return -1;
+Index: ipsec-tools-cvs-HEAD/src/racoon/sockmisc.h
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/sockmisc.h 2011-03-03 17:54:35.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/sockmisc.h 2011-03-03 18:40:30.000000000 +0200
+@@ -57,8 +57,9 @@
+ extern const int niflags;
+
+ #define CMPSADDR_MATCH 0
+-#define CMPSADDR_WOP_MATCH 1
+-#define CMPSADDR_MISMATCH 2
++#define CMPSADDR_WILDPORT_MATCH 1
++#define CMPSADDR_WOP_MATCH 2
++#define CMPSADDR_MISMATCH 3
+
+ extern int cmpsaddr __P((const struct sockaddr *, const struct sockaddr *));
+
+Index: ipsec-tools-cvs-HEAD/src/racoon/throttle.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/throttle.c 2011-03-03 17:54:35.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/throttle.c 2011-03-03 18:55:31.000000000 +0200
+@@ -104,7 +104,7 @@
+ goto restart;
+ }
+
+- if (cmpsaddr(addr, (struct sockaddr *) &te->host) == 0) {
++ if (cmpsaddr(addr, (struct sockaddr *) &te->host) <= CMPSADDR_WOP_MATCH) {
+ found = 1;
+ break;
+ }
diff --git a/main/ipsec-tools/20-grekey-support.patch b/main/ipsec-tools/20-grekey-support.patch
new file mode 100644
index 000000000..9ad2bca74
--- /dev/null
+++ b/main/ipsec-tools/20-grekey-support.patch
@@ -0,0 +1,608 @@
+Index: ipsec-tools-cvs-HEAD/src/racoon/racoonctl.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/racoonctl.c 2011-03-03 19:28:29.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/racoonctl.c 2011-03-03 19:29:42.000000000 +0200
+@@ -232,7 +232,7 @@
+ "\n"
+ " <saopts>: \"isakmp\" <family> <src> <dst>\n"
+ " : {\"esp\",\"ah\"} <family> <src/prefixlen/port> <dst/prefixlen/port>\n"
+-" <ul_proto>\n"
++" <ul_proto> [grekey <grekey>]\n"
+ " <family>: \"inet\" or \"inet6\"\n"
+ " <ul_proto>: \"icmp\", \"tcp\", \"udp\", \"gre\" or \"any\"\n"
+ "\n",
+@@ -819,7 +819,7 @@
+ {
+ int family;
+
+- if (ac != 3 && ac != 4) {
++ if (ac < 3) {
+ errno = EINVAL;
+ return NULL;
+ }
+@@ -861,10 +861,8 @@
+ struct sockaddr *src = NULL, *dst = NULL;
+ int ulproto;
+
+- if (ac != 2 && ac != 3) {
+- errno = EINVAL;
+- return NULL;
+- }
++ if (ac < 2)
++ goto bad_args;
+
+ if (get_comindex(*av, &p_name, &p_port, &p_prefs) == -1)
+ goto bad;
+@@ -901,13 +899,34 @@
+
+ av++;
+ ac--;
+- if(ac){
++ if (ac) {
+ ulproto = get_ulproto(*av);
+ if (ulproto == -1)
+ goto bad;
+- }else
++ av++;
++ ac--;
++ } else
+ ulproto=0;
+
++ if (ac == 2 && strcmp(av[0], "grekey") == 0) {
++ int a, b, c, d;
++ unsigned long u;
++
++ if (sscanf(av[1], "%d.%d.%d.%d", &a, &b, &c, &d) == 4) {
++ set_port(src, (a << 8) + b);
++ set_port(dst, (c << 8) + d);
++ } else if (sscanf(av[1], "%lu", &u) == 1) {
++ set_port(src, u >> 16);
++ set_port(dst, u & 0xffff);
++ } else
++ goto bad_args;
++ av += 2;
++ ac -= 2;
++ }
++
++ if (ac != 0)
++ goto bad_args;
++
+ ci = (struct admin_com_indexes *)buf->v;
+ if(p_prefs)
+ ci->prefs = (u_int8_t)atoi(p_prefs); /* XXX should be handled error. */
+@@ -926,7 +945,9 @@
+
+ return buf;
+
+- bad:
++bad_args:
++ errno = EINVAL;
++bad:
+ if (p_name)
+ racoon_free(p_name);
+ if (p_port)
+Index: ipsec-tools-cvs-HEAD/src/racoon/admin.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/admin.c 2011-03-03 19:28:29.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/admin.c 2011-03-03 21:16:47.000000000 +0200
+@@ -444,7 +444,7 @@
+
+ /* search appropreate configuration */
+ if (name == NULL)
+- rmconf = getrmconf(dst, 0);
++ rmconf = getrmconf(dst, 0, 0);
+ else
+ rmconf = getrmconf_by_name(name);
+ if (rmconf == NULL) {
+@@ -536,6 +536,16 @@
+ spidx.prefs = ndx->prefd;
+ spidx.prefd = ndx->prefs;
+ spidx.ul_proto = ndx->ul_proto;
++ switch (ndx->ul_proto) {
++ case IPPROTO_ICMP:
++ case IPPROTO_ICMPV6:
++ case IPPROTO_GRE:
++ /* Ports are UL specific data, and should
++ * not get swapped */
++ set_port((struct sockaddr *) &spidx.src, extract_port(src));
++ set_port((struct sockaddr *) &spidx.dst, extract_port(dst));
++ break;
++ }
+
+ sp_in = getsp_r(&spidx);
+ if (sp_in) {
+Index: ipsec-tools-cvs-HEAD/src/racoon/cftoken.l
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/cftoken.l 2011-03-03 19:57:26.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/cftoken.l 2011-03-04 13:07:03.000000000 +0200
+@@ -288,6 +288,7 @@
+ <S_SAINF>any { YYD; return(ANY); }
+ <S_SAINF>from { YYD; return(FROM); }
+ <S_SAINF>group { YYD; return(GROUP); }
++<S_SAINF>grekey { YYD; return(GREKEY); }
+ /* sainfo spec */
+ <S_SAINF>{bcl} { BEGIN S_SAINFS; return(BOC); }
+ <S_SAINF>{semi} { BEGIN S_INI; return(EOS); }
+Index: ipsec-tools-cvs-HEAD/src/racoon/cfparse.y
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/cfparse.y 2011-03-03 19:57:30.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/cfparse.y 2011-03-04 13:09:01.000000000 +0200
+@@ -213,7 +213,7 @@
+ /* algorithm */
+ %token ALGORITHM_CLASS ALGORITHMTYPE STRENGTHTYPE
+ /* sainfo */
+-%token SAINFO FROM
++%token SAINFO FROM GREKEY
+ /* remote */
+ %token REMOTE ANONYMOUS CLIENTADDR INHERIT REMOTE_ADDRESS
+ %token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE
+@@ -1301,6 +1301,35 @@
+ cur_sainfo->idsrc = $1;
+ cur_sainfo->iddst = $2;
+ }
++ | sainfo_id sainfo_id GREKEY ADDRSTRING
++ {
++ int a, b, c, d;
++
++ if (sscanf($4->v, "%d.%d.%d.%d", &a, &b, &c, &d) == 4) {
++ a = ipsecdoi_fixup_id_uldata(
++ $1, $2, IPPROTO_GRE,
++ (a << 8) + b, (c << 8) + d);
++ } else {
++ yyerror("grekey format unrecognized.");
++ return -1;
++ }
++ if (a != 0) {
++ yyerror("ul_proto needs to be 'gre' to use grekey.");
++ return -1;
++ }
++ cur_sainfo->idsrc = $1;
++ cur_sainfo->iddst = $2;
++ }
++ | sainfo_id sainfo_id GREKEY NUMBER
++ {
++ if (ipsecdoi_fixup_id_uldata($1, $2, IPPROTO_GRE,
++ ($4) >> 16, ($4) & 0xffff) != 0) {
++ yyerror("ul_proto needs to be 'gre' to use grekey.");
++ return -1;
++ }
++ cur_sainfo->idsrc = $1;
++ cur_sainfo->iddst = $2;
++ }
+ ;
+ sainfo_id
+ : IDENTIFIERTYPE ADDRSTRING prefix port ul_proto
+@@ -1667,7 +1696,7 @@
+ {
+ struct remoteconf *from, *new;
+
+- from = getrmconf($4, GETRMCONF_F_NO_ANONYMOUS);
++ from = getrmconf($4, GETRMCONF_F_NO_ANONYMOUS, 0);
+ if (from == NULL) {
+ yyerror("failed to get remoteconf for %s.",
+ saddr2str($4));
+Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.h
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/ipsec_doi.h 2011-03-03 20:19:23.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.h 2011-03-03 20:42:35.000000000 +0200
+@@ -227,6 +227,9 @@
+ extern int set_identifier_qual __P((vchar_t **, int, vchar_t *, int));
+ extern int ipsecdoi_setid2 __P((struct ph2handle *));
+ extern vchar_t *ipsecdoi_sockaddr2id __P((struct sockaddr *, u_int, u_int));
++extern int ipsecdoi_fixup_id_uldata __P((vchar_t *, vchar_t *, u_int16_t, u_int16_t, u_int16_t));
++extern int ipsecdoi_id_has_port __P((vchar_t *));
++
+ extern int ipsecdoi_id2sockaddr __P((vchar_t *, struct sockaddr *,
+ u_int8_t *, u_int16_t *));
+ extern char *ipsecdoi_id2str __P((const vchar_t *));
+Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/ipsec_doi.c 2011-03-03 20:19:23.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c 2011-03-03 21:01:16.000000000 +0200
+@@ -3371,6 +3371,7 @@
+ vchar_t ident_t;
+ vchar_t ident_s;
+ int result;
++ int check_ports = 0;
+
+ /* handle wildcard IDs */
+
+@@ -3460,6 +3461,7 @@
+
+ case IPSECDOI_ID_IPV4_ADDR:
+ /* validate lengths */
++ check_ports = 1;
+ if ((ident_t.l != sizeof(struct in_addr))||
+ (ident_s.l != sizeof(struct in_addr)))
+ goto cmpid_invalid;
+@@ -3468,6 +3470,7 @@
+ case IPSECDOI_ID_IPV4_ADDR_SUBNET:
+ case IPSECDOI_ID_IPV4_ADDR_RANGE:
+ /* validate lengths */
++ check_ports = 1;
+ if ((ident_t.l != (sizeof(struct in_addr)*2))||
+ (ident_s.l != (sizeof(struct in_addr)*2)))
+ goto cmpid_invalid;
+@@ -3476,6 +3479,7 @@
+ #ifdef INET6
+ case IPSECDOI_ID_IPV6_ADDR:
+ /* validate lengths */
++ check_ports = 1;
+ if ((ident_t.l != sizeof(struct in6_addr))||
+ (ident_s.l != sizeof(struct in6_addr)))
+ goto cmpid_invalid;
+@@ -3484,6 +3488,7 @@
+ case IPSECDOI_ID_IPV6_ADDR_SUBNET:
+ case IPSECDOI_ID_IPV6_ADDR_RANGE:
+ /* validate lengths */
++ check_ports = 1;
+ if ((ident_t.l != (sizeof(struct in6_addr)*2))||
+ (ident_s.l != (sizeof(struct in6_addr)*2)))
+ goto cmpid_invalid;
+@@ -3502,10 +3507,15 @@
+ }
+
+ /* validate matching data and length */
+- if (ident_t.l == ident_s.l)
+- result = memcmp(ident_t.v,ident_s.v,ident_t.l);
+- else
++ if (check_ports &&
++ (id_bt->port != id_bs->port && id_bs->port != 0))
++ /* if target is wildcard, source should be too, otherwise
++ * specific rule matches wildcard request */
+ result = 1;
++ else if (ident_t.l != ident_s.l)
++ result = 1;
++ else
++ result = memcmp(ident_t.v,ident_s.v,ident_t.l);
+
+ cmpid_result:
+
+@@ -4089,6 +4099,44 @@
+ return new;
+ }
+
++int ipsecdoi_fixup_id_uldata(srcid, dstid, ul_proto, ul_data1, ul_data2)
++ vchar_t *srcid, *dstid;
++ u_int16_t ul_proto;
++ u_int16_t ul_data1, ul_data2;
++{
++ struct ipsecdoi_id_b *src = (struct ipsecdoi_id_b *) srcid->v;
++ struct ipsecdoi_id_b *dst = (struct ipsecdoi_id_b *) dstid->v;
++
++ if (src->proto_id != ul_proto ||
++ dst->proto_id != ul_proto)
++ return -1;
++
++ src->port = htons(ul_data1);
++ dst->port = htons(ul_data2);
++
++ return 0;
++}
++
++int ipsecdoi_id_has_port(id)
++ vchar_t *id;
++{
++ struct ipsecdoi_id_b *id_b = (struct ipsecdoi_id_b *) id->v;
++
++ switch (id_b->type) {
++ case IPSECDOI_ID_IPV4_ADDR:
++ case IPSECDOI_ID_IPV4_ADDR_SUBNET:
++ case IPSECDOI_ID_IPV4_ADDR_RANGE:
++ case IPSECDOI_ID_IPV6_ADDR:
++ case IPSECDOI_ID_IPV6_ADDR_SUBNET:
++ case IPSECDOI_ID_IPV6_ADDR_RANGE:
++ if (ntohs(id_b->port) != 0)
++ return 1;
++ break;
++ }
++ return 0;
++}
++
++
+ vchar_t *
+ ipsecdoi_sockrange2id(laddr, haddr, ul_proto)
+ struct sockaddr *laddr, *haddr;
+@@ -4318,7 +4366,7 @@
+ saddr.sa.sa_len = sizeof(struct sockaddr_in);
+ #endif
+ saddr.sa.sa_family = AF_INET;
+- saddr.sin.sin_port = IPSEC_PORT_ANY;
++ saddr.sin.sin_port = id_b->port;
+ memcpy(&saddr.sin.sin_addr,
+ id->v + sizeof(*id_b), sizeof(struct in_addr));
+ break;
+@@ -4331,7 +4379,7 @@
+ saddr.sa.sa_len = sizeof(struct sockaddr_in6);
+ #endif
+ saddr.sa.sa_family = AF_INET6;
+- saddr.sin6.sin6_port = IPSEC_PORT_ANY;
++ saddr.sin6.sin6_port = id_b->port;
+ memcpy(&saddr.sin6.sin6_addr,
+ id->v + sizeof(*id_b), sizeof(struct in6_addr));
+ saddr.sin6.sin6_scope_id =
+@@ -4347,7 +4395,7 @@
+ #ifdef INET6
+ case IPSECDOI_ID_IPV6_ADDR:
+ #endif
+- len = snprintf( buf, BUFLEN, "%s", saddrwop2str(&saddr.sa));
++ len = snprintf( buf, BUFLEN, "%s", saddr2str(&saddr.sa));
+ break;
+
+ case IPSECDOI_ID_IPV4_ADDR_SUBNET:
+@@ -4403,7 +4451,9 @@
+ plen += l;
+ }
+
+- len = snprintf( buf, BUFLEN, "%s/%i", saddrwop2str(&saddr.sa), plen);
++ len = snprintf(buf, BUFLEN, "%s/%i[%d]",
++ saddrwop2str(&saddr.sa), plen,
++ ntohs(id_b->port));
+ }
+ break;
+
+@@ -4415,12 +4465,12 @@
+ saddr.sa.sa_len = sizeof(struct sockaddr_in);
+ #endif
+ saddr.sa.sa_family = AF_INET;
+- saddr.sin.sin_port = IPSEC_PORT_ANY;
++ saddr.sin.sin_port = id_b->port;
+ memcpy(&saddr.sin.sin_addr,
+ id->v + sizeof(*id_b) + sizeof(struct in_addr),
+ sizeof(struct in_addr));
+
+- len += snprintf(buf + len, BUFLEN - len, "%s", saddrwop2str(&saddr.sa));
++ len += snprintf(buf + len, BUFLEN - len, "%s", saddr2str(&saddr.sa));
+ break;
+
+ #ifdef INET6
+@@ -4431,7 +4481,7 @@
+ saddr.sa.sa_len = sizeof(struct sockaddr_in6);
+ #endif
+ saddr.sa.sa_family = AF_INET6;
+- saddr.sin6.sin6_port = IPSEC_PORT_ANY;
++ saddr.sin6.sin6_port = id_b->port;
+ memcpy(&saddr.sin6.sin6_addr,
+ id->v + sizeof(*id_b) + sizeof(struct in6_addr),
+ sizeof(struct in6_addr));
+@@ -4440,7 +4490,7 @@
+ ? ((struct sockaddr_in6 *)id_b)->sin6_scope_id
+ : 0);
+
+- len += snprintf(buf + len, BUFLEN - len, "%s", saddrwop2str(&saddr.sa));
++ len += snprintf(buf + len, BUFLEN - len, "%s", saddr2str(&saddr.sa));
+ break;
+ #endif
+
+Index: ipsec-tools-cvs-HEAD/src/racoon/sainfo.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/sainfo.c 2011-03-03 20:07:44.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/sainfo.c 2011-03-03 20:55:02.000000000 +0200
+@@ -124,7 +124,7 @@
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "evaluating sainfo: %s\n", sainfostr);
+
+- if(s->remoteid != remoteid) {
++ if (remoteid != -1 && s->remoteid != remoteid) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "remoteid mismatch: %u != %u\n",
+ s->remoteid, remoteid);
+@@ -234,16 +234,22 @@
+ int pri = 0;
+
+ if(s->remoteid)
+- pri += 3;
++ pri += 7;
+
+ if(s->id_i)
+- pri += 3;
++ pri += 7;
+
+- if(s->idsrc)
++ if(s->idsrc) {
+ pri++;
++ if (ipsecdoi_id_has_port(s->idsrc))
++ pri += 2;
++ }
+
+- if(s->iddst)
++ if(s->iddst) {
+ pri++;
++ if (ipsecdoi_id_has_port(s->iddst))
++ pri += 2;
++ }
+
+ return pri;
+ }
+Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp.c 2011-03-03 20:55:57.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/isakmp.c 2011-03-03 21:14:13.000000000 +0200
+@@ -2170,7 +2170,15 @@
+ * so no need to bother yet. --arno */
+
+ if (iph1hint == NULL || iph1hint->rmconf == NULL) {
+- rmconf = getrmconf(iph2->dst, nopassive ? GETRMCONF_F_NO_PASSIVE : 0);
++ int flags = 0;
++ uint32_t remoteid;
++ if (nopassive)
++ flags |= GETRMCONF_F_NO_PASSIVE;
++ if (iph2->sainfo != NULL) {
++ flags |= GETRMCONF_F_HAS_REMOTEID;
++ remoteid = iph2->sainfo->remoteid;
++ }
++ rmconf = getrmconf(iph2->dst, flags, remoteid);
+ if (rmconf == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "no configuration found for %s.\n",
+@@ -2246,7 +2254,7 @@
+ struct secpolicy *sp_out, *sp_in;
+ {
+ struct remoteconf *conf;
+- uint32_t remoteid = 0;
++ uint32_t remoteid = -1;
+
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "new acquire %s\n", spidx2str(&sp_out->spidx));
+@@ -2273,7 +2281,7 @@
+ return -1;
+ }
+
+- conf = getrmconf(iph2->dst, 0);
++ conf = getrmconf(iph2->dst, 0, 0);
+ if (conf != NULL)
+ remoteid = conf->ph1id;
+ else
+Index: ipsec-tools-cvs-HEAD/src/racoon/remoteconf.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/remoteconf.c 2011-03-03 21:06:03.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/remoteconf.c 2011-03-03 21:17:09.000000000 +0200
+@@ -217,6 +217,13 @@
+ return MATCH_NONE;
+ }
+
++ if ((rmsel->flags & GETRMCONF_F_HAS_REMOTEID) &&
++ rmsel->remoteid != rmconf->ph1id){
++ plog(LLV_DEBUG2, LOCATION, rmsel->remote,
++ "Not matched: remote_id did not match.\n");
++ return MATCH_NONE;
++ }
++
+ ret |= MATCH_BASIC;
+
+ /* Check address */
+@@ -387,9 +394,10 @@
+ */
+
+ struct remoteconf *
+-getrmconf(remote, flags)
++getrmconf(remote, flags, remoteid)
+ struct sockaddr *remote;
+ int flags;
++ uint32_t remoteid;
+ {
+ struct rmconf_find_context ctx;
+ int n = 0;
+@@ -397,6 +405,7 @@
+ memset(&ctx, 0, sizeof(ctx));
+ ctx.sel.flags = flags;
+ ctx.sel.remote = remote;
++ ctx.sel.remoteid = remoteid;
+
+ if (enumrmconf(&ctx.sel, rmconf_find, &ctx) != 0) {
+ plog(LLV_ERROR, LOCATION, remote,
+Index: ipsec-tools-cvs-HEAD/src/racoon/remoteconf.h
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/remoteconf.h 2011-03-03 21:06:03.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/remoteconf.h 2011-03-03 21:10:53.000000000 +0200
+@@ -178,6 +178,7 @@
+ int flags;
+ struct sockaddr *remote;
+ int etype;
++ uint32_t remoteid;
+ struct isakmpsa *approval;
+ vchar_t *identity;
+ vchar_t *certificate_request;
+@@ -191,12 +192,13 @@
+
+ #define GETRMCONF_F_NO_ANONYMOUS 0x0001
+ #define GETRMCONF_F_NO_PASSIVE 0x0002
++#define GETRMCONF_F_HAS_REMOTEID 0x0004
+
+ #define RMCONF_ERR_MULTIPLE ((struct remoteconf *) -1)
+
+ extern int rmconf_match_identity __P((struct remoteconf *rmconf,
+ vchar_t *id_p));
+-extern struct remoteconf *getrmconf __P((struct sockaddr *remote, int flags));
++extern struct remoteconf *getrmconf __P((struct sockaddr *remote, int flags, uint32_t remoteid));
+ extern struct remoteconf *getrmconf_by_ph1 __P((struct ph1handle *iph1));
+ extern struct remoteconf *getrmconf_by_name __P((const char *name));
+
+Index: ipsec-tools-cvs-HEAD/src/racoon/pfkey.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/pfkey.c 2011-03-03 21:14:45.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/pfkey.c 2011-03-03 21:16:17.000000000 +0200
+@@ -2898,7 +2898,7 @@
+
+ /* If we are not acting as initiator, let's just leave and
+ * let the remote peer handle the restart */
+- rmconf = getrmconf(ma->remote, 0);
++ rmconf = getrmconf(ma->remote, 0, 0);
+ if (rmconf == NULL || !rmconf->passive) {
+ iph1->status = PHASE1ST_EXPIRED;
+ sched_schedule(&iph1->sce, 1, isakmp_ph1delete_stub);
+@@ -3068,8 +3068,10 @@
+
+ if (iph2->ph1 && iph2->ph1->rmconf)
+ rmconf = iph2->ph1->rmconf;
++ else if (iph2->sainfo != NULL)
++ rmconf = getrmconf(iph2->dst, GETRMCONF_F_HAS_REMOTEID, iph2->sainfo->remoteid);
+ else
+- rmconf = getrmconf(iph2->dst, 0);
++ rmconf = getrmconf(iph2->dst, 0, 0);
+
+ if (rmconf && !rmconf->passive) {
+ struct ph1handle *iph1hint;
+Index: ipsec-tools-cvs-HEAD/src/setkey/setkey.8
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/setkey/setkey.8 2011-03-04 11:48:30.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/setkey/setkey.8 2011-03-04 11:48:56.000000000 +0200
+@@ -453,7 +453,7 @@
+ .Pp
+ A second example of requiring transport mode encryption of specific
+ GRE tunnel:
+-.Dl spdadd 0.0.0.0 0.0.0.0 gre 1234 ipsec esp/transport//require ;
++.Dl spdadd 0.0.0.0 0.0.0.0 gre 1234 -P in ipsec esp/transport//require ;
+ .Pp
+ .Em Note :
+ .Ar upperspec
+Index: ipsec-tools-cvs-HEAD/src/racoon/racoon.conf.5
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/racoon.conf.5 2011-03-04 11:57:36.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/racoon.conf.5 2011-03-04 12:01:13.000000000 +0200
+@@ -981,6 +981,7 @@
+ .Bl -tag -width Ds -compact
+ .It Ic sainfo Po Ar local_id | Ic anonymous Pc \
+ Po Ar remote_id | Ic clientaddr | Ic anonymous Pc \
++Bo Ic grekey Ar key Bc \
+ Bo Ic from Ar idtype Bo Ar string Bc Bc Bo Ic group Ar string Bc \
+ Ic { Ar statements Ic }
+ Defines the parameters of the IKE phase 2 (IPsec-SA establishment).
+@@ -1026,6 +1027,15 @@
+ to restrict policy generation when racoon is acting as a client gateway
+ for peers with dynamic ip addresses.
+ .Pp
++If both
++.Ar local_id
++and
++.Ar remote_id
++are specified with GRE as upper layer protocol, the upper layer GRE
++key match can be specified with
++.Ic grekey
++.Ar key .
++.Pp
+ The
+ .Ic from
+ keyword allows an sainfo to only match for peers that use a specific phase1
+Index: ipsec-tools-cvs-HEAD/src/setkey/parse.y
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/setkey/parse.y 2011-03-04 13:04:05.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/setkey/parse.y 2011-03-04 13:04:09.000000000 +0200
+@@ -856,6 +856,17 @@
+ }
+ $$.len = strlen($$.buf);
+ }
++ | DECSTRING
++ {
++ char tmp[16];
++ sprintf(tmp, "%lu", $1);
++ $$.buf = strdup(tmp);
++ if (!$$.buf) {
++ yyerror("insufficient memory");
++ return -1;
++ }
++ $$.len = strlen(tmp);
++ }
+ ;
+
+ context_spec
diff --git a/main/ipsec-tools/50-reverse-connect.patch b/main/ipsec-tools/50-reverse-connect.patch
index f29c3d509..54e77a397 100644
--- a/main/ipsec-tools/50-reverse-connect.patch
+++ b/main/ipsec-tools/50-reverse-connect.patch
@@ -13,11 +13,11 @@ over pending phase1:s. Useful when the other party is firewalled or NATted.
5 files changed, 83 insertions(+), 12 deletions(-)
-diff --git a/src/racoon/admin.c b/src/racoon/admin.c
-index b67e545..710c9bf 100644
---- a/src/racoon/admin.c
-+++ b/src/racoon/admin.c
-@@ -414,11 +414,23 @@ admin_process(so2, combuf)
+Index: ipsec-tools-cvs-HEAD/src/racoon/admin.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/admin.c 2011-03-03 21:16:47.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/admin.c 2011-03-04 13:50:30.000000000 +0200
+@@ -414,11 +414,23 @@
struct sockaddr *dst;
struct sockaddr *src;
char *name = NULL;
@@ -41,11 +41,11 @@ index b67e545..710c9bf 100644
if (com->ac_cmd == ADMIN_ESTABLISH_SA &&
com->ac_len > sizeof(*com) + sizeof(*ndx))
name = (char *) ((caddr_t) ndx + sizeof(*ndx));
-diff --git a/src/racoon/evt.c b/src/racoon/evt.c
-index 4ce1334..000c1f8 100644
---- a/src/racoon/evt.c
-+++ b/src/racoon/evt.c
-@@ -396,4 +396,17 @@ evt_list_cleanup(list)
+Index: ipsec-tools-cvs-HEAD/src/racoon/evt.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/evt.c 2011-03-03 19:25:50.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/evt.c 2011-03-04 13:50:30.000000000 +0200
+@@ -396,4 +396,17 @@
evt_unsubscribe(LIST_FIRST(list));
}
@@ -63,11 +63,11 @@ index 4ce1334..000c1f8 100644
+}
+
#endif /* ENABLE_ADMINPORT */
-diff --git a/src/racoon/evt.h b/src/racoon/evt.h
-index 0ce65bd..ba7fb57 100644
---- a/src/racoon/evt.h
-+++ b/src/racoon/evt.h
-@@ -124,6 +124,8 @@ void evt_phase2 __P((const struct ph2handle *ph2, int type, vchar_t *optdata));
+Index: ipsec-tools-cvs-HEAD/src/racoon/evt.h
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/evt.h 2011-03-03 19:25:50.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/evt.h 2011-03-04 13:50:30.000000000 +0200
+@@ -124,6 +124,8 @@
vchar_t *evt_dump __P((void));
int evt_subscribe __P((struct evt_listener_list *list, int fd));
@@ -76,7 +76,7 @@ index 0ce65bd..ba7fb57 100644
void evt_list_init __P((struct evt_listener_list *list));
void evt_list_cleanup __P((struct evt_listener_list *list));
-@@ -136,6 +138,7 @@ void evt_list_cleanup __P((struct evt_listener_list *list));
+@@ -136,6 +138,7 @@
#define evt_phase2(ph2, type, optdata) ;
#define evt_subscribe(eventlist, fd) ;
@@ -84,17 +84,11 @@ index 0ce65bd..ba7fb57 100644
#define evt_list_init(eventlist) ;
#define evt_list_cleanup(eventlist) ;
#define evt_get_fdmask(nfds, fdset) nfds
-diff --git a/src/racoon/handler.c b/src/racoon/handler.c
-index b33986f..9fd3817 100644
---- a/src/racoon/handler.c
-+++ b/src/racoon/handler.c
-@@ -269,26 +269,40 @@ migrate_ph12(old_iph1, new_iph1)
- }
-
- /*
-- * the iph1 is new, migrate all phase2s that belong to a dying or dead ph1
-+ * the iph1 is new, migrate all phase2s that belong to a dying or dead ph1.
- */
+Index: ipsec-tools-cvs-HEAD/src/racoon/handler.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/handler.c 2011-03-03 19:29:31.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/handler.c 2011-03-04 13:53:01.000000000 +0200
+@@ -292,17 +292,32 @@
void migrate_dying_ph12(iph1)
struct ph1handle *iph1;
{
@@ -114,8 +108,8 @@ index b33986f..9fd3817 100644
+ iph1->rmconf != p->rmconf)
continue;
-- if (cmpsaddr(iph1->local, p->local) == 0
-- && cmpsaddr(iph1->remote, p->remote) == 0)
+- if (cmpsaddr(iph1->local, p->local) == CMPSADDR_MATCH
+- && cmpsaddr(iph1->remote, p->remote) == CMPSADDR_MATCH)
+ /* migrate phase2:s from expiring entries */
+ if (p->status >= PHASE1ST_DYING)
migrate_ph12(p, iph1);
@@ -132,15 +126,11 @@ index b33986f..9fd3817 100644
}
}
--
- /*
- * dump isakmp-sa
- */
-diff --git a/src/racoon/isakmp.c b/src/racoon/isakmp.c
-index 0de16d1..2dfda2f 100644
---- a/src/racoon/isakmp.c
-+++ b/src/racoon/isakmp.c
-@@ -2138,13 +2138,33 @@ isakmp_ph2delete(iph2)
+Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp.c 2011-03-03 21:14:13.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/isakmp.c 2011-03-04 13:50:30.000000000 +0200
+@@ -2138,13 +2138,33 @@
remph2(iph2);
delph2(iph2);
@@ -176,7 +166,7 @@ index 0de16d1..2dfda2f 100644
/*
* receive ACQUIRE from kernel, and begin either phase1 or phase2.
* if phase1 has been finished, begin phase2.
-@@ -2220,8 +2240,14 @@ isakmp_post_acquire(iph2)
+@@ -2235,8 +2255,14 @@
/*NOTREACHED*/
}
@@ -193,7 +183,7 @@ index 0de16d1..2dfda2f 100644
/* found ISAKMP-SA. */
plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
-@@ -2388,7 +2414,10 @@ isakmp_chkph1there(iph2)
+@@ -2403,7 +2429,10 @@
plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(iph2->dst));
/* begin quick mode */
diff --git a/main/ipsec-tools/APKBUILD b/main/ipsec-tools/APKBUILD
index 6e4a009fd..3e9609bb7 100644
--- a/main/ipsec-tools/APKBUILD
+++ b/main/ipsec-tools/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=ipsec-tools
-pkgver=0.8_alpha20101208
-_myver=0.8-alpha20101208
+pkgver=0.8.0_rc1
+_myver=0.8.0.RC
pkgrel=0
pkgdesc="User-space IPsec tools for various IPsec implementations"
url="http://ipsec-tools.sourceforge.net/"
@@ -13,6 +13,8 @@ subpackages="$pkgname-doc $pkgname-dev"
source="http://downloads.sourceforge.net/$pkgname/$pkgname-$_myver.tar.gz
racoon.initd
racoon.confd
+ 10-cmpsaddr-fix.patch
+ 20-grekey-support.patch
50-reverse-connect.patch
70-defer-isakmp-ident-handling.patch
75-racoonctl-rcvbuf.patch
@@ -55,9 +57,11 @@ package() {
install -D -m644 ../racoon.confd "$pkgdir"/etc/conf.d/racoon
}
-md5sums="9da0417ea19629777d7d7a555667f6d8 ipsec-tools-0.8-alpha20101208.tar.gz
+md5sums="9473d0ce8746f16281fce1b75a9fffa3 ipsec-tools-0.8.0.RC.tar.gz
74f12ed04ed273a738229c0bfbf829cc racoon.initd
2d00250cf72da7f2f559c91b65a48747 racoon.confd
-13bda94a598aabf593280e04ea16065d 50-reverse-connect.patch
+e4c9ae678bf80518107690bde97dc14b 10-cmpsaddr-fix.patch
+64a859d51f57206a11e52f6ad4830ec5 20-grekey-support.patch
+f97205eea3dc68d2437a2ad8720f4520 50-reverse-connect.patch
94773c94233e14cdce0fa02ff780a43e 70-defer-isakmp-ident-handling.patch
2d5d24c4a3684a38584f88720f71c7d6 75-racoonctl-rcvbuf.patch"