authorLeonardo Arena <rnalrd@gmail.com>2009-08-21 13:06:45 +0000
committerLeonardo Arena <rnalrd@gmail.com>2009-08-21 13:06:45 +0000
commit4f53083405e28b13463689bc983289d477b0ea35 (patch)
tree6c45f49828831c4c2208f1a110251a4292c5efdd /main
parent7770bb9c6c8f6df6af03b0a71227daf637281498 (diff)
parentc95c7923ee7150cc152ab8ed72544eded4cfdff4 (diff)
downloadaports-4f53083405e28b13463689bc983289d477b0ea35.tar.bz2
aports-4f53083405e28b13463689bc983289d477b0ea35.tar.xz
Merge branch 'master' of git://dev.alpinelinux.org/aports
Diffstat (limited to 'main')
-rw-r--r--main/busybox/0001-add-simple-beep-applet-second-version.patch (renamed from main/busybox/0001-add-simple-beep-applet.patch)93
-rw-r--r--main/busybox/APKBUILD6
-rw-r--r--main/dansguardian/APKBUILD12
-rw-r--r--main/dansguardian/dansguardian.logrotate15
-rw-r--r--main/e2fsprogs/APKBUILD3
-rw-r--r--main/e2fsprogs/e2fsprogs.post-upgrade4
-rw-r--r--main/imagemagick/APKBUILD6
-rw-r--r--main/ipsec-tools/00-verify-cert-leak.patch11
-rw-r--r--main/ipsec-tools/10-rekey-ph1hint.patch1227
-rw-r--r--main/ipsec-tools/20-natoa-fix.patch33
-rw-r--r--main/ipsec-tools/30-natt-ports-cleanup.patch393
-rw-r--r--main/ipsec-tools/40-cmpsaddr-cleanup.patch1403
-rw-r--r--main/ipsec-tools/50-reverse-connect.patch4
-rw-r--r--main/ipsec-tools/APKBUILD20
-rw-r--r--main/nmap/APKBUILD18
-rw-r--r--main/perl-archive-zip/APKBUILD4
-rw-r--r--main/perl-html-parser/APKBUILD4
-rw-r--r--main/sudo/APKBUILD9
-rw-r--r--main/tiff/APKBUILD31
-rw-r--r--main/tiff/CVE-2006-3459-3465.patch669
-rw-r--r--main/tiff/libtiff-CVE-2009-2285.patch22
-rw-r--r--main/tiff/tiff-3.8.2-CVE-2008-2327.patch64
-rw-r--r--main/tiff/tiff-3.8.2-CVE-2009-2347.patch170
-rw-r--r--main/tiff/tiff2pdf-compression.patch44
-rw-r--r--main/tiff/tiff2pdf-octal-printf.patch11
-rw-r--r--main/tiff/tiffsplit-fname-overflow.patch19
-rw-r--r--main/uclibc++/001-path_to_make.patch30
-rw-r--r--main/uclibc++/002-no_bash.patch12
-rw-r--r--main/uclibc++/003-cp_command.patch19
-rw-r--r--main/uclibc++/004-ccache_fixes.patch24
-rw-r--r--main/uclibc++/005-wrapper.patch12
-rw-r--r--main/uclibc++/006-eabi_fix.patch42
-rw-r--r--main/uclibc++/007-numeric_limits.patch66
-rw-r--r--main/uclibc++/008-integer_width.patch314
-rw-r--r--main/uclibc++/900-dependent_exception.patch68
-rw-r--r--main/uclibc++/APKBUILD22
-rw-r--r--main/vim/APKBUILD26
-rw-r--r--main/xdelta3/APKBUILD27
-rw-r--r--main/xdelta3/xdelta3-makefile.patch33
-rw-r--r--main/xdelta3/xdelta3-xz.patch12
40 files changed, 3079 insertions, 1923 deletions
diff --git a/main/busybox/0001-add-simple-beep-applet.patch b/main/busybox/0001-add-simple-beep-applet-second-version.patch
index 004d60791..834026fa3 100644
--- a/main/busybox/0001-add-simple-beep-applet.patch
+++ b/main/busybox/0001-add-simple-beep-applet-second-version.patch
@@ -1,16 +1,16 @@
-From 23c387cd9d1c833679bee898ef49738be8c64727 Mon Sep 17 00:00:00 2001
+From b36908b21def4916b10c62ae3e28cacb9073556e Mon Sep 17 00:00:00 2001
From: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
Date: Tue, 18 Aug 2009 22:28:09 +0200
-Subject: [PATCH] add simple beep applet
+Subject: [PATCH] add simple beep applet, second version
Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
---
include/applets.h | 1 +
- include/usage.h | 9 ++++++
- miscutils/Config.in | 6 ++++
+ include/usage.h | 9 +++++
+ miscutils/Config.in | 6 +++
miscutils/Kbuild | 1 +
- miscutils/beep.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++
- 5 files changed, 87 insertions(+), 0 deletions(-)
+ miscutils/beep.c | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 118 insertions(+), 0 deletions(-)
create mode 100644 miscutils/beep.c
diff --git a/include/applets.h b/include/applets.h
@@ -76,10 +76,10 @@ index 23d7d8d..8cf3406 100644
lib-$(CONFIG_CROND) += crond.o
diff --git a/miscutils/beep.c b/miscutils/beep.c
new file mode 100644
-index 0000000..4c25454
+index 0000000..81755d8
--- /dev/null
+++ b/miscutils/beep.c
-@@ -0,0 +1,70 @@
+@@ -0,0 +1,101 @@
+/* vi: set sw=4 ts=4: */
+/*
+ * beep implementation for busybox
@@ -106,38 +106,67 @@ index 0000000..4c25454
+#define LENGTH (50)
+#define DELAY (0)
+#define REPETITIONS (1)
++#if 0
++typedef struct beep {
++ struct beep *next;
++ unsigned freq, length, delay, rep;
++} beep_t;
++static beep_t* new_beep(void) {
++ beep_t *beep = (beep_t*)xzalloc(sizeof(beep_t));
++ beep->freq = FREQ;
++ beep->length = LENGTH;
++ beep->delay = DELAY;
++ beep->rep = REPETITIONS;
++ return beep;
++}
++#endif
++#define GET_ARG do { if (!*++opt) opt = *++argv; } while (0)
++#define NEW_BEEP() { \
++ freq = FREQ; \
++ length = LENGTH; \
++ delay = DELAY; \
++ rep = REPETITIONS; \
++ }
++
+int beep_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
+int beep_main(int argc UNUSED_PARAM, char **argv)
+{
+ int speaker = get_console_fd_or_die();
-+ llist_t *_freq = NULL, *_length = NULL, *_delay = NULL, *_rep = NULL;
+ unsigned freq, length, delay, rep;
+ unsigned long ioctl_arg;
-+ unsigned opt;
+
-+ opt_complementary = "f::l::d::r::";
-+ opt = getopt32(argv, "f:l:d:r:n", &_freq, &_length, &_delay, &_rep);
++ NEW_BEEP()
++ while (*++argv) {
++ char *opt = *argv;
+
-+ do {
-+ if (opt & OPT_f && _freq)
-+ freq = xatoul((char*)(llist_pop(&_freq)));
-+ else
-+ freq = FREQ;
-+ if (opt & OPT_l && _length)
-+ length = xatoul((char*)(llist_pop(&_length)));
-+ else
-+ length = LENGTH;
-+ if (opt & OPT_d && _delay)
-+ delay = xatoul((char*)(llist_pop(&_delay)));
-+ else
-+ delay = DELAY;
-+ if (opt & OPT_r && _rep)
-+ rep = xatoul((char*)(llist_pop(&_rep)));
-+ else
-+ rep = REPETITIONS;
++ while (*opt == '-')
++ ++opt;
+
++ switch (*opt) {
++ case 'f':
++ GET_ARG;
++ freq = xatoul(opt);
++ continue;
++ case 'l':
++ GET_ARG;
++ length = xatoul(opt);
++ continue;
++ case 'd':
++ GET_ARG;
++ delay = xatoul(opt);
++ continue;
++ case 'r':
++ GET_ARG;
++ freq = xatoul(opt);
++ continue;
++ case 'n':
++ break;
++ default:
++ bb_show_usage();
++ break;
++ }
+ while (rep) {
-+//bb_info_msg("rep[%d] freq=%d, length=%d, delay=%d\n", rep, freq, length, delay);
++//bb_info_msg("rep[%d] freq=%d, length=%d, delay=%d", rep, freq, length, delay);
+ ioctl_arg = (int)(CLOCK_TICK_RATE/freq);
+ xioctl(speaker, KIOCSOUND, (void*)ioctl_arg);
+ usleep(1000 * length);
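Review bot: The `case 'r':` arm of the new option switch assigns `freq = xatoul(opt);`, so `-r N` overrides the frequency and `rep` silently keeps the REPETITIONS default; it should read `rep = xatoul(opt);`. `GET_ARG` also has no missing-argument check: when an option is the last word on the command line, `*++argv` is NULL and that NULL reaches `xatoul(opt)`, and a `-f 0` that later reaches the beep loop divides by zero in `CLOCK_TICK_RATE/freq`; since argv is user input both deserve a `bb_show_usage()` guard (e.g. `if (!opt) bb_show_usage();` after `GET_ARG;`, and `if (!freq) bb_show_usage();` before the division). This hunk carries the upstream busybox patch verbatim, so the fix belongs in the vendored patch file or a follow-up upstream. beep_main's body continues into the next hunk.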
@@ -145,7 +174,9 @@ index 0000000..4c25454
+ if (rep--)
+ usleep(delay);
+ }
-+ } while (_freq || _length || _delay || _rep);
++ if (opt && *opt == 'n')
++ NEW_BEEP()
++ }
+ if (ENABLE_FEATURE_CLEAN_UP)
+ close(speaker);
+ return EXIT_SUCCESS;
diff --git a/main/busybox/APKBUILD b/main/busybox/APKBUILD
index dc3cee488..0bf896cc1 100644
--- a/main/busybox/APKBUILD
+++ b/main/busybox/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=busybox
pkgver=1.14.3
-pkgrel=5
+pkgrel=6
pkgdesc="Size optimized toolbox of many common UNIX utilities"
url=http://busybox.net
license="GPL-2"
@@ -11,7 +11,7 @@ triggers="busybox.trigger:/bin /usr/bin /sbin /usr/sbin /lib/modules/*"
source="http://busybox.net/downloads/$pkgname-$pkgver.tar.bz2
$pkgname-1.11.1-bb.patch
0001-install-compat-fix-for-mode-of-created-files.patch
- 0001-add-simple-beep-applet.patch
+ 0001-add-simple-beep-applet-second-version.patch
bb-tar-numeric-owner.patch
busybox-sed-3.patch
busyboxconfig"
@@ -49,7 +49,7 @@ build() {
md5sums="d170bf5f97a41aec3a505eab690d5699 busybox-1.14.3.tar.bz2
4c0f3b486eaa0674961b7ddcd0c60a9b busybox-1.11.1-bb.patch
73d39c57483084298c7e46bdbbbea8d1 0001-install-compat-fix-for-mode-of-created-files.patch
-ba66abc89c56df842c9b81759c78d890 0001-add-simple-beep-applet.patch
+3ba0529f64aadae6ce95c683e6182988 0001-add-simple-beep-applet-second-version.patch
0b5b2d7db201f90cd08f4a3164ee29a1 bb-tar-numeric-owner.patch
b75c3f419f8392dfdadd92aa24fdba8c busybox-sed-3.patch
3ece68eb92d97f3362dab7d838074d10 busyboxconfig"
diff --git a/main/dansguardian/APKBUILD b/main/dansguardian/APKBUILD
index 7bfc32814..8e15b043c 100644
--- a/main/dansguardian/APKBUILD
+++ b/main/dansguardian/APKBUILD
@@ -2,22 +2,22 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=dansguardian
pkgver=2.10.1.1
-pkgrel=0
+pkgrel=1
pkgdesc="Web content filter"
url="http://dansguardian.org"
license="GPL"
-depends=
+depends="logrotate"
makedepends="zlib-dev uclibc++-dev pcre-dev pkgconfig libiconv-dev"
install="$pkgname.pre-install $pkgname.post-install"
subpackages="$pkgname-doc"
source="http://dansguardian.org/downloads/2/Stable/$pkgname-$pkgver.tar.gz
dansguardian.initd
- $install
+ dansguardian.logrotate
"
build() {
cd "$srcdir/$pkgname-$pkgver"
- export CXX=g++-uc
+ export CXX=${CXX_UC:-g++-uc}
./configure --prefix=/usr \
--sysconfdir=/etc \
@@ -32,9 +32,9 @@ build() {
make DESTDIR="$pkgdir" install
install -D -m 755 ../dansguardian.initd "$pkgdir"/etc/init.d/dansguardian
+ install -D -m 644 ../dansguardian.logrotate "$pkgdir"/etc/logrotate.d/dansguardian
}
md5sums="0987a1c9bfbdf398118386f10279611a dansguardian-2.10.1.1.tar.gz
0c04f74cd5db9fc7a8e80b407ec34214 dansguardian.initd
-ab4e1104633aad0595a8b530fceb810a dansguardian.pre-install
-e3dcc0f51e44f15a2ff152ac338999d1 dansguardian.post-install"
+85b6de01c9508e8ceff5ebb55752f8d3 dansguardian.logrotate"
diff --git a/main/dansguardian/dansguardian.logrotate b/main/dansguardian/dansguardian.logrotate
new file mode 100644
index 000000000..001d95545
--- /dev/null
+++ b/main/dansguardian/dansguardian.logrotate
@@ -0,0 +1,15 @@
+/var/log/dansguardian/*.log {
+ rotate 4
+ weekly
+ missingok
+ notifempty
+ nocreate
+ nocopy
+ nocopytruncate
+ compress
+
+ postrotate
+ /usr/sbin/dansguardian -r
+ endscript
+}
+
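Review bot: The postrotate block runs once per file matched by `/var/log/dansguardian/*.log`, so a single rotation sends `dansguardian -r` to the daemon once per log file; adding `sharedscripts` above `postrotate` makes the reload run once after all files are rotated. `dansguardian -r` presumably returns before the daemon has actually reopened its logs, so `compress` may gzip a file that is still being written; `delaycompress` is the usual pairing with a reload-style postrotate. `nocreate` with `nocopy`/`nocopytruncate` is fine only if the reload reopens the log files — that behaviour is assumed here, not shown by the change.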
diff --git a/main/e2fsprogs/APKBUILD b/main/e2fsprogs/APKBUILD
index 41ad9a0bd..12cb2ffe5 100644
--- a/main/e2fsprogs/APKBUILD
+++ b/main/e2fsprogs/APKBUILD
@@ -1,11 +1,12 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=e2fsprogs
pkgver=1.41.8
-pkgrel=1
+pkgrel=2
pkgdesc="Standard Ext2/3/4 filesystem utilities"
url="http://e2fsprogs.sourceforge.net"
license="GPL LGPL MIT"
depends=
+install="$pkgname.post-upgrade"
makedepends="util-linux-ng-dev pkgconfig"
subpackages="$pkgname-dev $pkgname-doc libcom_err"
source="http://downloads.sourceforge.net/sourceforge/e2fsprogs/e2fsprogs-$pkgver.tar.gz"
diff --git a/main/e2fsprogs/e2fsprogs.post-upgrade b/main/e2fsprogs/e2fsprogs.post-upgrade
new file mode 100644
index 000000000..d7062db5a
--- /dev/null
+++ b/main/e2fsprogs/e2fsprogs.post-upgrade
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+# we no longer provide fsck. restore bb link.
+busybox --install -s
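Review bot: The comment says the hook restores the fsck link, but `busybox --install -s` (re)creates links for every applet busybox was built with, and the hook runs on every later upgrade of e2fsprogs, not only the one that dropped fsck. If that wider effect is intended, the comment should say so: `# we no longer provide fsck; re-create any missing busybox applet links (incl. fsck)`. As far as I recall `--install` leaves existing files alone, which makes the broad call harmless; if that is not relied on, a targeted symlink for fsck only would be the narrower fix.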
diff --git a/main/imagemagick/APKBUILD b/main/imagemagick/APKBUILD
index 183b1e82c..1f25eb39d 100644
--- a/main/imagemagick/APKBUILD
+++ b/main/imagemagick/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: Carlo Landmeter <clandmeter@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=imagemagick
-pkgver=6.5.3.10
-_pkgver=6.5.3-10
+pkgver=6.5.4.10
+_pkgver=6.5.4-10
pkgrel=0
pkgdesc="A collection of tools and libraries for many image formats"
url="http://www.imagemagick.org/"
@@ -32,4 +32,4 @@ build() {
}
-md5sums="d33621ea195792aeeec79900e7d1e395 ImageMagick-6.5.3-10.tar.gz"
+md5sums="3b0c0082cf29103b4868c674d73e918d ImageMagick-6.5.4-10.tar.gz"
diff --git a/main/ipsec-tools/00-verify-cert-leak.patch b/main/ipsec-tools/00-verify-cert-leak.patch
deleted file mode 100644
index 9e6781335..000000000
--- a/main/ipsec-tools/00-verify-cert-leak.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/src/racoon/crypto_openssl.c 20 Apr 2009 13:22:41 -0000 1.18
-+++ b/src/racoon/crypto_openssl.c 29 Apr 2009 10:48:51 -0000
-@@ -510,7 +510,7 @@
- X509_STORE_CTX_set_flags (csc, X509_V_FLAG_CRL_CHECK_ALL);
- #endif
- error = X509_verify_cert(csc);
-- X509_STORE_CTX_cleanup(csc);
-+ X509_STORE_CTX_free(csc);
-
- /*
- * if x509_verify_cert() is successful then the value of error is
diff --git a/main/ipsec-tools/10-rekey-ph1hint.patch b/main/ipsec-tools/10-rekey-ph1hint.patch
new file mode 100644
index 000000000..773d60901
--- /dev/null
+++ b/main/ipsec-tools/10-rekey-ph1hint.patch
@@ -0,0 +1,1227 @@
+? .msg
+? ChangeLog
+? alpine-config
+? commiters.txt
+? fd-unmonitor-segv-fix.patch
+? natt-and-cmpsaddr.patch
+? racoon.txt
+? rekeying-fixes.diff
+? rpm/Makefile
+? rpm/Makefile.in
+? rpm/ipsec-tools.spec
+? rpm/suse/Makefile
+? rpm/suse/Makefile.in
+? rpm/suse/ipsec-tools.spec
+? src/Makefile
+? src/Makefile.in
+? src/include-glibc/.includes
+? src/include-glibc/Makefile
+? src/include-glibc/Makefile.in
+? src/libipsec/.deps
+? src/libipsec/.libs
+? src/libipsec/Makefile
+? src/libipsec/Makefile.in
+? src/libipsec/ipsec_dump_policy.lo
+? src/libipsec/ipsec_get_policylen.lo
+? src/libipsec/ipsec_strerror.lo
+? src/libipsec/key_debug.lo
+? src/libipsec/libipsec.la
+? src/libipsec/pfkey.lo
+? src/libipsec/pfkey_dump.lo
+? src/libipsec/policy_parse.c
+? src/libipsec/policy_parse.h
+? src/libipsec/policy_parse.lo
+? src/libipsec/policy_token.c
+? src/libipsec/policy_token.lo
+? src/racoon/.deps
+? src/racoon/.libs
+? src/racoon/Makefile
+? src/racoon/Makefile.in
+? src/racoon/cfparse.c
+? src/racoon/cfparse.h
+? src/racoon/cftoken.c
+? src/racoon/eaytest
+? src/racoon/libracoon.la
+? src/racoon/libracoon_la-kmpstat.lo
+? src/racoon/libracoon_la-misc.lo
+? src/racoon/libracoon_la-sockmisc.lo
+? src/racoon/libracoon_la-vmbuf.lo
+? src/racoon/plainrsa-gen
+? src/racoon/prsa_par.c
+? src/racoon/prsa_par.h
+? src/racoon/prsa_tok.c
+? src/racoon/racoon
+? src/racoon/racoonctl
+? src/racoon/samples/psk.txt
+? src/racoon/samples/racoon.conf
+? src/setkey/.deps
+? src/setkey/.libs
+? src/setkey/Makefile
+? src/setkey/Makefile.in
+? src/setkey/parse.c
+? src/setkey/parse.h
+? src/setkey/setkey
+? src/setkey/token.c
+Index: src/racoon/admin.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/admin.c,v
+retrieving revision 1.31
+diff -u -r1.31 admin.c
+--- a/src/racoon/admin.c 3 Jul 2009 06:41:46 -0000 1.31
++++ b/src/racoon/admin.c 19 Aug 2009 14:35:06 -0000
+@@ -5,7 +5,7 @@
+ /*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+- *
++ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+@@ -17,7 +17,7 @@
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+- *
++ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+@@ -341,7 +341,7 @@
+ user[len] = 0;
+
+ found = purgeph1bylogin(user);
+- plog(LLV_INFO, LOCATION, NULL,
++ plog(LLV_INFO, LOCATION, NULL,
+ "deleted %d SA for user \"%s\"\n", found, user);
+
+ break;
+@@ -360,7 +360,7 @@
+ rem = racoon_strdup(saddrwop2str(dst));
+ STRDUP_FATAL(rem);
+
+- plog(LLV_INFO, LOCATION, NULL,
++ plog(LLV_INFO, LOCATION, NULL,
+ "Flushing all SAs for peer %s\n", rem);
+
+ while ((iph1 = getph1bydstaddr(dst)) != NULL) {
+@@ -373,7 +373,7 @@
+
+ racoon_free(loc);
+ }
+-
++
+ racoon_free(rem);
+ break;
+ }
+@@ -383,14 +383,14 @@
+ char *data;
+
+ acp = (struct admin_com_psk *)
+- ((char *)com + sizeof(*com) +
++ ((char *)com + sizeof(*com) +
+ sizeof(struct admin_com_indexes));
+
+ idtype = acp->id_type;
+
+ if ((id = vmalloc(acp->id_len)) == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+- "cannot allocate memory: %s\n",
++ "cannot allocate memory: %s\n",
+ strerror(errno));
+ break;
+ }
+@@ -399,7 +399,7 @@
+
+ if ((key = vmalloc(acp->key_len)) == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+- "cannot allocate memory: %s\n",
++ "cannot allocate memory: %s\n",
+ strerror(errno));
+ vfree(id);
+ id = NULL;
+@@ -474,7 +474,7 @@
+ rmconf->xauth->pass = key;
+ }
+ #endif
+-
++
+ plog(LLV_INFO, LOCATION, NULL,
+ "accept a request to establish IKE-SA: "
+ "%s\n", saddrwop2str(dst));
+@@ -577,7 +577,7 @@
+ }
+
+ insph2(iph2);
+- if (isakmp_post_acquire(iph2) < 0) {
++ if (isakmp_post_acquire(iph2, NULL) < 0) {
+ remph2(iph2);
+ delph2(iph2);
+ break;
+@@ -710,17 +710,17 @@
+ }
+
+ if (chown(sunaddr.sun_path, adminsock_owner, adminsock_group) != 0) {
+- plog(LLV_ERROR, LOCATION, NULL,
+- "chown(%s, %d, %d): %s\n",
+- sunaddr.sun_path, adminsock_owner,
++ plog(LLV_ERROR, LOCATION, NULL,
++ "chown(%s, %d, %d): %s\n",
++ sunaddr.sun_path, adminsock_owner,
+ adminsock_group, strerror(errno));
+ (void)close(lcconf->sock_admin);
+ return -1;
+ }
+
+ if (chmod(sunaddr.sun_path, adminsock_mode) != 0) {
+- plog(LLV_ERROR, LOCATION, NULL,
+- "chmod(%s, 0%03o): %s\n",
++ plog(LLV_ERROR, LOCATION, NULL,
++ "chmod(%s, 0%03o): %s\n",
+ sunaddr.sun_path, adminsock_mode, strerror(errno));
+ (void)close(lcconf->sock_admin);
+ return -1;
+Index: src/racoon/handler.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/handler.c,v
+retrieving revision 1.29
+diff -u -r1.29 handler.c
+--- a/src/racoon/handler.c 3 Jul 2009 06:41:46 -0000 1.29
++++ b/src/racoon/handler.c 19 Aug 2009 14:35:06 -0000
+@@ -5,7 +5,7 @@
+ /*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+- *
++ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+@@ -17,7 +17,7 @@
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+- *
++ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+@@ -64,7 +64,7 @@
+ #include "evt.h"
+ #include "isakmp.h"
+ #ifdef ENABLE_HYBRID
+-#include "isakmp_xauth.h"
++#include "isakmp_xauth.h"
+ #include "isakmp_cfg.h"
+ #endif
+ #include "isakmp_inf.h"
+@@ -177,8 +177,8 @@
+ * with phase 2's destinaion.
+ */
+ struct ph1handle *
+-getph1(rmconf, local, remote, flags)
+- struct remoteconf *rmconf;
++getph1(ph1hint, local, remote, flags)
++ struct ph1handle *ph1hint;
+ struct sockaddr *local, *remote;
+ int flags;
+ {
+@@ -202,12 +202,30 @@
+ continue;
+ }
+
+- if (local != NULL && cmpsaddr(local, p->local) != 0)
++ if (local != NULL && cmpsaddr(local, p->local) == CMPSADDR_MISMATCH)
+ continue;
+
+- if (remote != NULL && cmpsaddr(remote, p->remote) != 0)
++ if (remote != NULL && cmpsaddr(remote, p->remote) == CMPSADDR_MISMATCH)
+ continue;
+
++ if (ph1hint != NULL) {
++ if (ph1hint->id && ph1hint->id->l && p->id && p->id->l &&
++ (ph1hint->id->l != p->id->l ||
++ memcmp(ph1hint->id->v, p->id->v, p->id->l) != 0)) {
++ plog(LLV_DEBUG2, LOCATION, NULL,
++ "local identity does match hint\n");
++ continue;
++ }
++ if (ph1hint->id_p && ph1hint->id_p->l &&
++ p->id_p && p->id_p->l &&
++ (ph1hint->id_p->l != p->id_p->l ||
++ memcmp(ph1hint->id_p->v, p->id_p->v, p->id_p->l) != 0)) {
++ plog(LLV_DEBUG2, LOCATION, NULL,
++ "remote identity does match hint\n");
++ continue;
++ }
++ }
++
+ plog(LLV_DEBUG2, LOCATION, NULL, "matched\n");
+ return p;
+ }
+@@ -1155,7 +1173,7 @@
+ }
+
+ #ifdef ENABLE_HYBRID
+-/*
++/*
+ * Retruns 0 if the address was obtained by ISAKMP mode config, 1 otherwise
+ * This should be in isakmp_cfg.c but ph1tree being private, it must be there
+ */
+@@ -1182,7 +1200,7 @@
+
+
+
+-/*
++/*
+ * Reload conf code
+ */
+ static int revalidate_ph2(struct ph2handle *iph2){
+@@ -1192,11 +1210,11 @@
+ struct saprop *approval;
+ struct ph1handle *iph1;
+
+- /*
++ /*
+ * Get the new sainfo using values of the old one
+ */
+ if (iph2->sainfo != NULL) {
+- iph2->sainfo = getsainfo(iph2->sainfo->idsrc,
++ iph2->sainfo = getsainfo(iph2->sainfo->idsrc,
+ iph2->sainfo->iddst, iph2->sainfo->id_i,
+ NULL, iph2->sainfo->remoteid);
+ }
+@@ -1204,7 +1222,7 @@
+ sainfo = iph2->sainfo;
+
+ if (sainfo == NULL) {
+- /*
++ /*
+ * Sainfo has been removed
+ */
+ plog(LLV_DEBUG, LOCATION, NULL,
+@@ -1219,7 +1237,7 @@
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "No approval found !\n");
+ return 0;
+- }
++ }
+
+ /*
+ * Don't care about proposals, should we do something ?
+@@ -1318,7 +1336,7 @@
+ }
+
+ found = 0;
+- for (alg = sainfo->algs[algclass_ipsec_enc];
++ for (alg = sainfo->algs[algclass_ipsec_enc];
+ (found == 0 && alg != NULL); alg = alg->next) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "Reload: next ph2 enc alg...\n");
+@@ -1351,7 +1369,7 @@
+ break;
+
+ default:
+- plog(LLV_ERROR, LOCATION, NULL,
++ plog(LLV_ERROR, LOCATION, NULL,
+ "unexpected check_level\n");
+ continue;
+ break;
+@@ -1375,7 +1393,7 @@
+ }
+
+
+-static void
++static void
+ remove_ph2(struct ph2handle *iph2)
+ {
+ u_int32_t spis[2];
+@@ -1467,7 +1485,7 @@
+ return 1;
+ }
+
+-int
++int
+ revalidate_ph12(void)
+ {
+
+Index: src/racoon/handler.h
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/handler.h,v
+retrieving revision 1.21
+diff -u -r1.21 handler.h
+--- a/src/racoon/handler.h 3 Jul 2009 06:41:46 -0000 1.21
++++ b/src/racoon/handler.h 19 Aug 2009 14:35:06 -0000
+@@ -5,7 +5,7 @@
+ /*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+- *
++ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+@@ -17,7 +17,7 @@
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+- *
++ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+@@ -214,7 +214,7 @@
+ LIST_ENTRY(ph1handle) chain;
+ #ifdef ENABLE_HYBRID
+ struct isakmp_cfg_state *mode_cfg; /* ISAKMP mode config state */
+-#endif
++#endif
+ EVT_LISTENER_LIST(evt_listeners);
+ };
+
+@@ -449,7 +449,7 @@
+ struct sockaddr_storage remote;
+ struct sockaddr_storage local;
+ u_int8_t version;
+- u_int8_t etype;
++ u_int8_t etype;
+ time_t created;
+ int ph2cnt;
+ };
+@@ -468,7 +468,7 @@
+
+ #define GETPH1_F_ESTABLISHED 0x0001
+
+-extern struct ph1handle *getph1 __P((struct remoteconf *rmconf,
++extern struct ph1handle *getph1 __P((struct ph1handle *ph1hint,
+ struct sockaddr *local,
+ struct sockaddr *remote,
+ int flags));
+Index: src/racoon/isakmp.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp.c,v
+retrieving revision 1.58
+diff -u -r1.58 isakmp.c
+--- a/src/racoon/isakmp.c 3 Jul 2009 06:41:46 -0000 1.58
++++ b/src/racoon/isakmp.c 19 Aug 2009 14:35:07 -0000
+@@ -5,7 +5,7 @@
+ /*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+- *
++ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+@@ -17,7 +17,7 @@
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+- *
++ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+@@ -176,7 +176,7 @@
+ };
+
+ static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */
+-
++
+ static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *));
+ static int ph1_main __P((struct ph1handle *, vchar_t *));
+ static int quick_main __P((struct ph2handle *, vchar_t *));
+@@ -190,7 +190,7 @@
+ static int isakmp_ph2resend __P((struct ph2handle *));
+
+ #ifdef ENABLE_FRAG
+-static int frag_handler(struct ph1handle *,
++static int frag_handler(struct ph1handle *,
+ vchar_t *, struct sockaddr *, struct sockaddr *);
+ #endif
+
+@@ -259,16 +259,16 @@
+ extralen += sizeof(x.lbuf.udp) + x.lbuf.ip.ip_hl;
+ }
+ #endif
+- }
++ }
+
+ #ifdef ENABLE_NATT
+- /* we don't know about portchange yet,
++ /* we don't know about portchange yet,
+ look for non-esp marker instead */
+ if (x.non_esp[0] == 0 && x.non_esp[1] != 0)
+ extralen = NON_ESP_MARKER_LEN;
+ #endif
+
+- /* now we know if there is an extra non-esp
++ /* now we know if there is an extra non-esp
+ marker at the beginning or not */
+ memcpy ((char *)&isakmp, x.buf + extralen, sizeof (isakmp));
+
+@@ -309,7 +309,7 @@
+ if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
+ 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+- "failed to receive isakmp packet: %s\n",
++ "failed to receive isakmp packet: %s\n",
+ strerror (errno));
+ }
+ goto end;
+@@ -332,11 +332,11 @@
+ (len - extralen));
+ goto end;
+ }
+-
++
+ memcpy (buf->v, tmpbuf->v + extralen, buf->l);
+
+ len -= extralen;
+-
++
+ if (len != buf->l) {
+ plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
+ "received invalid length (%d != %zu), why ?\n",
+@@ -347,7 +347,7 @@
+ plog(LLV_DEBUG, LOCATION, NULL, "===\n");
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "%d bytes message received %s\n",
+- len, saddr2str_fromto("from %s to %s",
++ len, saddr2str_fromto("from %s to %s",
+ (struct sockaddr *)&remote,
+ (struct sockaddr *)&local));
+ plogdump(LLV_DEBUG, buf->v, buf->l);
+@@ -496,12 +496,12 @@
+ }
+
+ /* set the flag to prevent further port floating
+- (FIXME: should we allow it? E.g. when the NAT gw
++ (FIXME: should we allow it? E.g. when the NAT gw
+ is rebooted?) */
+ iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER;
+-
++
+ /* print some neat info */
+- plog (LLV_INFO, LOCATION, NULL,
++ plog (LLV_INFO, LOCATION, NULL,
+ "NAT-T: ports changed to: %s\n",
+ saddr2str_fromto ("%s<->%s", iph1->remote, iph1->local));
+
+@@ -668,7 +668,7 @@
+ return -1;
+ }
+ #ifdef ENABLE_HYBRID
+- /* Reinit the IVM if it's still there */
++ /* Reinit the IVM if it's still there */
+ if (iph1->mode_cfg && iph1->mode_cfg->ivm) {
+ oakley_delivm(iph1->mode_cfg->ivm);
+ iph1->mode_cfg->ivm = NULL;
+@@ -753,7 +753,7 @@
+
+ isakmp_cfg_r(iph1, msg);
+ break;
+-#endif
++#endif
+
+ case ISAKMP_ETYPE_NONE:
+ default:
+@@ -822,7 +822,7 @@
+ /* free resend buffer */
+ if (iph1->sendbuf == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+- "no buffer found as sendbuf\n");
++ "no buffer found as sendbuf\n");
+ return -1;
+ }
+ #endif
+@@ -925,13 +925,13 @@
+ log_ph1established(iph1);
+ plog(LLV_DEBUG, LOCATION, NULL, "===\n");
+
+- /*
++ /*
+ * SA up shell script hook: do it now,except if
+ * ISAKMP mode config was requested. In the later
+ * case it is done when we receive the configuration.
+ */
+ if ((iph1->status == PHASE1ST_ESTABLISHED) &&
+- !iph1->rmconf->mode_cfg) {
++ !iph1->rmconf->mode_cfg) {
+ switch (iph1->approval->authmethod) {
+ #ifdef ENABLE_HYBRID
+ case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
+@@ -1004,7 +1004,7 @@
+ /* free resend buffer */
+ if (iph2->sendbuf == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+- "no buffer found as sendbuf\n");
++ "no buffer found as sendbuf\n");
+ return -1;
+ }
+ VPTRINIT(iph2->sendbuf);
+@@ -1754,23 +1754,23 @@
+ extralen = 0;
+
+ #ifdef ENABLE_FRAG
+- /*
++ /*
+ * Do not add the non ESP marker for a packet that will
+- * be fragmented. The non ESP marker should appear in
++ * be fragmented. The non ESP marker should appear in
+ * all fragment's packets, but not in the fragmented packet
+ */
+- if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN)
++ if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN)
+ extralen = 0;
+ #endif
+ if (extralen)
+ plog (LLV_DEBUG, LOCATION, NULL, "Adding NON-ESP marker\n");
+
+- /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker)
+- must added just before the packet itself. For this we must
++ /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker)
++ must added just before the packet itself. For this we must
+ allocate a new buffer and release it at the end. */
+ if (extralen) {
+ if ((vbuf = vmalloc (sbuf->l + extralen)) == NULL) {
+- plog(LLV_ERROR, LOCATION, NULL,
++ plog(LLV_ERROR, LOCATION, NULL,
+ "vbuf allocation failed\n");
+ return -1;
+ }
+@@ -1791,17 +1791,17 @@
+ if (s == -1)
+ return -1;
+
+- plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l,
++ plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l,
+ saddr2str_fromto("from %s to %s", iph1->local, iph1->remote));
+
+ #ifdef ENABLE_FRAG
+ if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) {
+ if (isakmp_sendfrags(iph1, sbuf) == -1) {
+- plog(LLV_ERROR, LOCATION, NULL,
++ plog(LLV_ERROR, LOCATION, NULL,
+ "isakmp_sendfrags failed\n");
+ return -1;
+ }
+- } else
++ } else
+ #endif
+ {
+ len = sendfromto(s, sbuf->v, sbuf->l,
+@@ -1812,7 +1812,7 @@
+ return -1;
+ }
+ }
+-
++
+ return 0;
+ }
+
+@@ -1959,7 +1959,7 @@
+ iph1->status = PHASE1ST_DYING;
+
+ /* Any fresh phase1s? */
+- new_iph1 = getph1(iph1->rmconf, iph1->local, iph1->remote, 1);
++ new_iph1 = getph1(iph1, iph1->local, iph1->remote, 1);
+ if (new_iph1 == NULL) {
+ LIST_FOREACH(p, &iph1->ph2tree, ph1bind) {
+ if (p->status != PHASE2ST_ESTABLISHED)
+@@ -2036,7 +2036,7 @@
+ char *src, *dst;
+
+ /* Migrate established phase2s. Any fresh phase1s? */
+- new_iph1 = getph1byaddr(iph1->local, iph1->remote, 1);
++ new_iph1 = getph1(iph1, iph1->local, iph1->remote, 1);
+ if (new_iph1 != NULL)
+ migrate_ph12(iph1, new_iph1);
+
+@@ -2143,12 +2143,13 @@
+ * if phase1 has been finished, begin phase2.
+ */
+ int
+-isakmp_post_acquire(iph2)
++isakmp_post_acquire(iph2, iph1hint)
+ struct ph2handle *iph2;
++ struct ph1handle *iph1hint;
+ {
+ struct remoteconf *rmconf;
+ struct ph1handle *iph1 = NULL;
+-
++
+ plog(LLV_DEBUG, LOCATION, NULL, "in post_acquire\n");
+
+ /* Search appropriate configuration with masking port. Note that
+@@ -2159,12 +2160,17 @@
+ * address of a mobile node (not a CoA provided by MIGRATE/KMADDRESS
+ * as iph2->dst hint). This scenario would require additional changes,
+ * so no need to bother yet. --arno */
+- rmconf = getrmconf(iph2->dst, GETRMCONF_F_NO_PASSIVE);
+- if (rmconf == NULL) {
+- plog(LLV_ERROR, LOCATION, NULL,
+- "no configuration found for %s.\n",
+- saddrwop2str(iph2->dst));
+- return -1;
++
++ if (iph1hint == NULL || iph1hint->rmconf == NULL) {
++ rmconf = getrmconf(iph2->dst, GETRMCONF_F_NO_PASSIVE);
++ if (rmconf == NULL) {
++ plog(LLV_ERROR, LOCATION, NULL,
++ "no configuration found for %s.\n",
++ saddrwop2str(iph2->dst));
++ return -1;
++ }
++ } else {
++ rmconf = iph1hint->rmconf;
+ }
+
+ /* if passive mode, ignore the acquire message */
+@@ -2181,7 +2187,7 @@
+ * some cases, we should use the ISAKMP identity to search
+ * matching ISAKMP.
+ */
+- iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
++ iph1 = getph1(iph1hint, iph2->src, iph2->dst, 0);
+
+ /* no ISAKMP-SA found. */
+ if (iph1 == NULL) {
+@@ -2978,7 +2984,7 @@
+ "ISAKMP-SA established %s-%s spi:%s\n",
+ src, dst,
+ isakmp_pindex(&iph1->index, 0));
+-
++
+ evt_phase1(iph1, EVT_PHASE1_UP, NULL);
+ if(!iph1->rmconf->mode_cfg)
+ evt_phase1(iph1, EVT_PHASE1_MODE_CFG, NULL);
+@@ -3011,7 +3017,7 @@
+ return plist;
+ }
+
+-vchar_t *
++vchar_t *
+ isakmp_plist_set_all (struct payload_list **plist, struct ph1handle *iph1)
+ {
+ struct payload_list *ptr = *plist, *first;
+@@ -3022,7 +3028,7 @@
+ /* Seek to the first item. */
+ while (ptr->prev) ptr = ptr->prev;
+ first = ptr;
+-
++
+ /* Compute the whole length. */
+ while (ptr) {
+ tlen += ptr->payload->l + sizeof (struct isakmp_gen);
+@@ -3064,7 +3070,7 @@
+ }
+
+ #ifdef ENABLE_FRAG
+-int
++int
+ frag_handler(iph1, msg, remote, local)
+ struct ph1handle *iph1;
+ vchar_t *msg;
+@@ -3075,7 +3081,7 @@
+
+ if (isakmp_frag_extract(iph1, msg) == 1) {
+ if ((newmsg = isakmp_frag_reassembly(iph1)) == NULL) {
+- plog(LLV_ERROR, LOCATION, remote,
++ plog(LLV_ERROR, LOCATION, remote,
+ "Packet reassembly failed\n");
+ return -1;
+ }
+@@ -3125,24 +3131,24 @@
+ if (iph1->remote != NULL) {
+ GETNAMEINFO(iph1->remote, addrstr, portstr);
+
+- if (script_env_append(&envp, &envc,
++ if (script_env_append(&envp, &envc,
+ "REMOTE_ADDR", addrstr) != 0) {
+- plog(LLV_ERROR, LOCATION, NULL,
++ plog(LLV_ERROR, LOCATION, NULL,
+ "Cannot set REMOTE_ADDR\n");
+ goto out;
+ }
+
+- if (script_env_append(&envp, &envc,
++ if (script_env_append(&envp, &envc,
+ "REMOTE_PORT", portstr) != 0) {
+- plog(LLV_ERROR, LOCATION, NULL,
++ plog(LLV_ERROR, LOCATION, NULL,
+ "Cannot set REMOTEL_PORT\n");
+ goto out;
+ }
+ }
+
+- if (privsep_script_exec(iph1->rmconf->script[script]->v,
+- script, envp) != 0)
+- plog(LLV_ERROR, LOCATION, NULL,
++ if (privsep_script_exec(iph1->rmconf->script[script]->v,
++ script, envp) != 0)
++ plog(LLV_ERROR, LOCATION, NULL,
+ "Script %s execution failed\n", script_names[script]);
+
+ out:
+@@ -3202,7 +3208,7 @@
+ argv[1] = script_names[name];
+ argv[2] = NULL;
+
+- switch (fork()) {
++ switch (fork()) {
+ case 0:
+ execve(argv[0], argv, envp);
+ plog(LLV_ERROR, LOCATION, NULL,
+@@ -3217,7 +3223,7 @@
+ break;
+ default:
+ break;
+- }
++ }
+ return 0;
+
+ }
+@@ -3243,7 +3249,7 @@
+ iph1->status = PHASE1ST_EXPIRED;
+
+ /* Check if we have another, still valid, phase1 SA. */
+- new_iph1 = getph1byaddr(iph1->local, iph1->remote, 1);
++ new_iph1 = getph1(iph1, iph1->local, iph1->remote, GETPH1_F_ESTABLISHED);
+
+ /*
+ * Delete all orphaned or binded to the deleting ph1handle phase2 SAs.
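Review bot: `getph1(iph1, iph1->local, iph1->remote, GETPH1_F_ESTABLISHED)` passes the handle that was set to PHASE1ST_EXPIRED on the line above as its own hint, while the comment still promises "another, still valid, phase1 SA"; correctness now rests on GETPH1_F_ESTABLISHED never returning the hint itself, which cannot be confirmed here because getph1() is not in this patch excerpt. Suggest making that assumption explicit next to the call: `/* iph1 is already PHASE1ST_EXPIRED, so GETPH1_F_ESTABLISHED cannot match it; it only seeds the rmconf/identity lookup */`. The enclosing delete/expire routine starts and ends outside the hunk.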
+@@ -3319,7 +3325,7 @@
+ ntohl(sa->sadb_sa_spi));
+ }else{
+
+- /*
++ /*
+ * If we have a new ph1, do not purge IPsec-SAs binded
+ * to a different ISAKMP-SA
+ */
+@@ -3331,7 +3337,7 @@
+ /* If the ph2handle is established, do not purge IPsec-SA */
+ if (iph2->status == PHASE2ST_ESTABLISHED ||
+ iph2->status == PHASE2ST_EXPIRED) {
+-
++
+ plog(LLV_INFO, LOCATION, NULL,
+ "keeping IPsec-SA spi=%u - found valid ISAKMP-SA spi=%s.\n",
+ ntohl(sa->sadb_sa_spi),
+@@ -3342,7 +3348,7 @@
+ }
+ }
+
+-
++
+ pfkey_send_delete(lcconf->sock_pfkey,
+ msg->sadb_msg_satype,
+ IPSEC_MODE_ANY,
+@@ -3373,7 +3379,7 @@
+ sched_schedule(&iph1->sce, 1, isakmp_ph1delete_stub);
+ }
+
+-void
++void
+ delete_spd(iph2, created)
+ struct ph2handle *iph2;
+ u_int64_t created;
+@@ -3399,22 +3405,22 @@
+
+ plog(LLV_INFO, LOCATION, NULL,
+ "generated policy, deleting it.\n");
+-
++
+ memset(&spidx, 0, sizeof(spidx));
+ iph2->spidx_gen = (caddr_t )&spidx;
+-
++
+ /* make inbound policy */
+ iph2->src = dst;
+ iph2->dst = src;
+ spidx.dir = IPSEC_DIR_INBOUND;
+ spidx.ul_proto = 0;
+-
+- /*
++
++ /*
+ * Note: code from get_proposal_r
+ */
+-
++
+ #define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type
+-
++
+ /*
+ * make destination address in spidx from either ID payload
+ * or phase 1 address into a address in spidx.
+@@ -3430,48 +3436,48 @@
+ &spidx.prefd, &spidx.ul_proto);
+ if (error)
+ goto purge;
+-
++
+ #ifdef INET6
+ /*
+ * get scopeid from the SA address.
+ * note that the phase 1 source address is used as
+- * a destination address to search for a inbound
++ * a destination address to search for a inbound
+ * policy entry because rcoon is responder.
+ */
+ if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
+- if ((error =
++ if ((error =
+ setscopeid((struct sockaddr *)&spidx.dst,
+ iph2->src)) != 0)
+ goto purge;
+ }
+ #endif
+-
++
+ if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
+ || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR)
+ idi2type = _XIDT(iph2->id);
+-
++
+ } else {
+-
++
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "get a destination address of SP index "
+ "from phase1 address "
+ "due to no ID payloads found "
+ "OR because ID type is not address.\n");
+-
++
+ /*
+- * copy the SOURCE address of IKE into the
+- * DESTINATION address of the key to search the
++ * copy the SOURCE address of IKE into the
++ * DESTINATION address of the key to search the
+ * SPD because the direction of policy is inbound.
+ */
+ memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src));
+ switch (spidx.dst.ss_family) {
+ case AF_INET:
+- spidx.prefd =
++ spidx.prefd =
+ sizeof(struct in_addr) << 3;
+ break;
+ #ifdef INET6
+ case AF_INET6:
+- spidx.prefd =
++ spidx.prefd =
+ sizeof(struct in6_addr) << 3;
+ break;
+ #endif
+@@ -3480,7 +3486,7 @@
+ break;
+ }
+ }
+-
++
+ /* make source address in spidx */
+ if (iph2->id_p != NULL
+ && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR
+@@ -3500,7 +3506,7 @@
+ * for more detail, see above of this function.
+ */
+ if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
+- error =
++ error =
+ setscopeid((struct sockaddr *)&spidx.src,
+ iph2->dst);
+ if (error)
+@@ -3538,12 +3544,12 @@
+ memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst));
+ switch (spidx.src.ss_family) {
+ case AF_INET:
+- spidx.prefs =
++ spidx.prefs =
+ sizeof(struct in_addr) << 3;
+ break;
+ #ifdef INET6
+ case AF_INET6:
+- spidx.prefs =
++ spidx.prefs =
+ sizeof(struct in6_addr) << 3;
+ break;
+ #endif
+@@ -3574,14 +3580,14 @@
+ spidx.ul_proto = IPSEC_ULPROTO_ANY;
+
+ #undef _XIDT
+-
++
+ /* Check if the generated SPD has the same timestamp as the SA.
+ * If timestamps are different, this means that the SPD entry has been
+ * refreshed by another SA, and should NOT be deleted with the current SA.
+ */
+ if( created ){
+ struct secpolicy *p;
+-
++
+ p = getsp(&spidx);
+ if(p != NULL){
+ /* just do no test if p is NULL, because this probably just means
+@@ -3646,7 +3652,7 @@
+ struct sockaddr *sp_addr0, *sa_addr0;
+ {
+ struct sockaddr_in6 *sp_addr, *sa_addr;
+-
++
+ sp_addr = (struct sockaddr_in6 *)sp_addr0;
+ sa_addr = (struct sockaddr_in6 *)sa_addr0;
+
+Index: src/racoon/isakmp_var.h
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h,v
+retrieving revision 1.15
+diff -u -r1.15 isakmp_var.h
+--- a/src/racoon/isakmp_var.h 20 Apr 2009 13:24:36 -0000 1.15
++++ b/src/racoon/isakmp_var.h 19 Aug 2009 14:35:07 -0000
+@@ -5,7 +5,7 @@
+ /*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+- *
++ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+@@ -17,7 +17,7 @@
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+- *
++ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+@@ -87,7 +87,7 @@
+ extern void isakmp_ph2delete __P((struct ph2handle *));
+
+ extern int isakmp_get_sainfo __P((struct ph2handle *, struct secpolicy *, struct secpolicy *));
+-extern int isakmp_post_acquire __P((struct ph2handle *));
++extern int isakmp_post_acquire __P((struct ph2handle *, struct ph1handle *));
+ extern int isakmp_post_getspi __P((struct ph2handle *));
+ extern void isakmp_chkph1there_stub __P((struct sched *));
+ extern void isakmp_chkph1there __P((struct ph2handle *));
+@@ -131,7 +131,7 @@
+ struct remoteconf *, struct sockaddr *, struct sockaddr *));
+ extern void log_ph1established __P((const struct ph1handle *));
+
+-extern void script_hook __P((struct ph1handle *, int));
++extern void script_hook __P((struct ph1handle *, int));
+ extern int script_env_append __P((char ***, int *, char *, char *));
+ extern int script_exec __P((char *, int, char * const *));
+
+Index: src/racoon/pfkey.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/pfkey.c,v
+retrieving revision 1.50
+diff -u -r1.50 pfkey.c
+--- a/src/racoon/pfkey.c 10 Aug 2009 08:22:13 -0000 1.50
++++ b/src/racoon/pfkey.c 19 Aug 2009 14:35:07 -0000
+@@ -5,7 +5,7 @@
+ /*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+- *
++ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+@@ -17,7 +17,7 @@
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+- *
++ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+@@ -173,7 +173,7 @@
+
+ /* cope with old kame headers - ugly */
+ #ifndef SADB_X_AALG_MD5
+-#define SADB_X_AALG_MD5 SADB_AALG_MD5
++#define SADB_X_AALG_MD5 SADB_AALG_MD5
+ #endif
+ #ifndef SADB_X_AALG_SHA
+ #define SADB_X_AALG_SHA SADB_AALG_SHA
+@@ -353,7 +353,7 @@
+ "type %i, pid %i\n", msg->sadb_msg_type, msg->sadb_msg_pid);
+ continue;
+ }
+-
++
+
+ ml = msg->sadb_msg_len << 3;
+ bl = buf ? buf->l : 0;
+@@ -839,7 +839,7 @@
+ goto bad;
+ *a_keylen >>= 3;
+
+- if (t_id == IPSECDOI_ATTR_AUTH_HMAC_MD5
++ if (t_id == IPSECDOI_ATTR_AUTH_HMAC_MD5
+ && hashtype == IPSECDOI_ATTR_AUTH_KPDK) {
+ /* AH_MD5 + Auth(KPDK) = RFC1826 keyed-MD5 */
+ *a_type = SADB_X_AALG_MD5;
+@@ -919,7 +919,7 @@
+ racoon_free(dst);
+ return -1;
+ }
+-
++
+ for (pr = pp->head; pr != NULL; pr = pr->next) {
+
+ /* validity check */
+@@ -991,7 +991,7 @@
+ * receive GETSPI from kernel.
+ */
+ static int
+-pk_recvgetspi(mhp)
++pk_recvgetspi(mhp)
+ caddr_t *mhp;
+ {
+ struct sadb_msg *msg;
+@@ -1111,7 +1111,7 @@
+ sa_args.l_addtime = iph2->lifetime_secs;
+ else
+ sa_args.l_addtime = iph2->approval->lifetime;
+- sa_args.seq = iph2->seq;
++ sa_args.seq = iph2->seq;
+ sa_args.wsize = 4;
+
+ if (iph2->sa_src && iph2->sa_dst) {
+@@ -1163,7 +1163,7 @@
+ pr->head->trns_id,
+ pr->head->authtype,
+ &sa_args.e_type, &sa_args.e_keylen,
+- &sa_args.a_type, &sa_args.a_keylen,
++ &sa_args.a_type, &sa_args.a_keylen,
+ &sa_args.flags) < 0){
+ racoon_free(sa_args.src);
+ racoon_free(sa_args.dst);
+@@ -1221,11 +1221,11 @@
+ * But it is impossible because there is not key in the
+ * information from the kernel.
+ */
+-
++
+ /* change some things before backing up */
+ sa_args.wsize = 4;
+ sa_args.l_bytes = iph2->approval->lifebyte * 1024;
+-
++
+ if (backupsa_to_file(&sa_args) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "backuped SA failed: %s\n",
+@@ -1447,7 +1447,7 @@
+ pr->head->trns_id,
+ pr->head->authtype,
+ &sa_args.e_type, &sa_args.e_keylen,
+- &sa_args.a_type, &sa_args.a_keylen,
++ &sa_args.a_type, &sa_args.a_keylen,
+ &sa_args.flags) < 0){
+ racoon_free(sa_args.src);
+ racoon_free(sa_args.dst);
+@@ -1668,11 +1668,12 @@
+ " being negotiated. Stopping negotiation.\n");
+ }
+
+- /* turn off the timer for calling isakmp_ph2expire() */
++ /* turn off the timer for calling isakmp_ph2expire() */
+ sched_cancel(&iph2->sce);
+
+ if (iph2->status == PHASE2ST_ESTABLISHED &&
+ iph2->side == INITIATOR) {
++ struct ph1handle *iph1hint;
+ /*
+ * Active phase 2 expired and we were initiator.
+ * Begin new phase 2 exchange, so we can keep on sending
+@@ -1680,11 +1681,12 @@
+ */
+
+ /* update status for re-use */
++ iph1hint = iph2->ph1;
+ initph2(iph2);
+ iph2->status = PHASE2ST_STATUS2;
+
+ /* start quick exchange */
+- if (isakmp_post_acquire(iph2) < 0) {
++ if (isakmp_post_acquire(iph2, iph1hint) < 0) {
+ plog(LLV_ERROR, LOCATION, iph2->dst,
+ "failed to begin ipsec sa "
+ "re-negotication.\n");
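Review bot: `iph1hint = iph2->ph1;` is captured one line before `initph2(iph2)` with no explanation, and the reason the order matters is not visible here (presumably initph2() drops the phase1 binding, but this patch excerpt does not show that). A one-line why-comment would save the next reader a lookup, e.g. `/* keep the phase1 binding as a hint before initph2() resets the handle; the rekey should reuse the same ISAKMP-SA/rmconf */`. Note also that the hint is a raw pointer into a handle whose status is not checked here; isakmp_post_acquire() tolerates NULL but not a stale pointer, so this relies on iph2->ph1 being either valid or already unbound. pk_recvexpire() continues outside the hunk.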
+@@ -1750,7 +1752,7 @@
+ if (m_sec_ctx != NULL) {
+ plog(LLV_INFO, LOCATION, NULL, "security context doi: %u\n",
+ m_sec_ctx->sadb_x_ctx_doi);
+- plog(LLV_INFO, LOCATION, NULL,
++ plog(LLV_INFO, LOCATION, NULL,
+ "security context algorithm: %u\n",
+ m_sec_ctx->sadb_x_ctx_alg);
+ plog(LLV_INFO, LOCATION, NULL, "security context length: %u\n",
+@@ -1960,7 +1962,7 @@
+
+ /* start isakmp initiation by using ident exchange */
+ /* XXX should be looped if there are multiple phase 2 handler. */
+- if (isakmp_post_acquire(iph2) < 0) {
++ if (isakmp_post_acquire(iph2, NULL) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to begin ipsec sa negotication.\n");
+ remph2(iph2);
+@@ -2145,7 +2147,7 @@
+ p->sadb_x_ctx_len = spidx->sec_ctx.ctx_strlen;
+ p->sadb_x_ctx_doi = spidx->sec_ctx.ctx_doi;
+ p->sadb_x_ctx_alg = spidx->sec_ctx.ctx_alg;
+-
++
+ memcpy(p + 1,spidx->sec_ctx.ctx_str,spidx->sec_ctx.ctx_strlen);
+ len += ctxlen;
+ }
+@@ -2184,7 +2186,7 @@
+ goto err;
+ }
+
+- /*
++ /*
+ * the policy level cannot be unique because the policy
+ * is defined later than SA, so req_id cannot be bound to SA.
+ */
+@@ -2217,7 +2219,7 @@
+
+ xisr->sadb_x_ipsecrequest_len = PFKEY_ALIGN8(xisrlen);
+ xisr = (struct sadb_x_ipsecrequest *)p;
+-
++
+ }
+ racoon_free(pr_rlist);
+
+@@ -3070,6 +3072,8 @@
+ rmconf = getrmconf(iph2->dst, 0);
+
+ if (rmconf && !rmconf->passive) {
++ struct ph1handle *iph1hint;
++
+ plog(LLV_WARNING, LOCATION, iph2->dst, "MIGRATE received "
+ "*during* IPsec SA negotiation. As initiator, "
+ "restarting it.\n");
+@@ -3079,11 +3083,12 @@
+ iph2->status = PHASE2ST_EXPIRED;
+
+ /* ... clean Phase 2 handle ... */
++ iph1hint = iph2->ph1;
+ initph2(iph2);
+ iph2->status = PHASE2ST_STATUS2;
+
+ /* and start a new negotiation */
+- if (isakmp_post_acquire(iph2) < 0) {
++ if (isakmp_post_acquire(iph2, iph1hint) < 0) {
+ plog(LLV_ERROR, LOCATION, iph2->dst, "failed "
+ "to begin IPsec SA renegotiation after "
+ "MIGRATE reception.\n");
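Review bot: `rmconf` looked up with `getrmconf(iph2->dst, 0)` earlier in this function is only used for the `!rmconf->passive` gate, whereas the restarted negotiation via `isakmp_post_acquire(iph2, iph1hint)` will, per the isakmp.c change in this same patch, use `iph1hint->rmconf` instead — so the configuration that was validated is not necessarily the one that drives the rekey. After a MIGRATE the peer address may have changed, which is exactly when the two can differ; whether that is benign depends on getph1(), which is not visible here. Consider either passing NULL as the hint on the MIGRATE path so the fresh `iph2->dst` lookup is honoured, or documenting why reusing the old phase1's rmconf is intended: `/* iph1hint keeps the old ISAKMP-SA; its rmconf may differ from the one just looked up for the new iph2->dst */`. pk_recvmigrate() begins outside the hunk.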
diff --git a/main/ipsec-tools/20-natoa-fix.patch b/main/ipsec-tools/20-natoa-fix.patch
deleted file mode 100644
index 91d7224e2..000000000
--- a/main/ipsec-tools/20-natoa-fix.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Fix nat-oa parsing when rekeying.
-
-From: Timo Teras <timo.teras@iki.fi>
-
-
----
-
- src/racoon/handler.c | 11 +++++++++++
- 1 files changed, 11 insertions(+), 0 deletions(-)
-
-
-diff --git a/src/racoon/handler.c b/src/racoon/handler.c
-index 6f91beb..960b5b3 100644
---- a/src/racoon/handler.c
-+++ b/src/racoon/handler.c
-@@ -736,6 +736,17 @@ initph2(iph2)
- oakley_delivm(iph2->ivm);
- iph2->ivm = NULL;
- }
-+
-+#ifdef ENABLE_NATT
-+ if (iph2->natoa_src) {
-+ racoon_free(iph2->natoa_src);
-+ iph2->natoa_src = NULL;
-+ }
-+ if (iph2->natoa_dst) {
-+ racoon_free(iph2->natoa_dst);
-+ iph2->natoa_dst = NULL;
-+ }
-+#endif
- }
-
- /*
diff --git a/main/ipsec-tools/30-natt-ports-cleanup.patch b/main/ipsec-tools/30-natt-ports-cleanup.patch
deleted file mode 100644
index 19360347d..000000000
--- a/main/ipsec-tools/30-natt-ports-cleanup.patch
+++ /dev/null
@@ -1,393 +0,0 @@
-From Yvan Vanhullebus: Use SADB_X_EXT_NAT_T_* consistently for passing the
-
-From: Timo Teras <timo.teras@iki.fi>
-
-NAT-T port information.
----
-
- src/libipsec/libpfkey.h | 12 ++++++++
- src/libipsec/pfkey.c | 49 +++++++++++++++++++++++++++++++++
- src/racoon/isakmp.c | 11 +++++++
- src/racoon/isakmp_inf.c | 37 +++++++++++++------------
- src/racoon/pfkey.c | 69 +++++++++++++++++++++++++++++++++--------------
- src/racoon/pfkey.h | 1 +
- 6 files changed, 140 insertions(+), 39 deletions(-)
-
-
-diff --git a/src/libipsec/libpfkey.h b/src/libipsec/libpfkey.h
-index 8a503dd..c9b228b 100644
---- a/src/libipsec/libpfkey.h
-+++ b/src/libipsec/libpfkey.h
-@@ -117,6 +117,10 @@ u_int pfkey_set_softrate __P((u_int, u_int));
- u_int pfkey_get_softrate __P((u_int));
- int pfkey_send_getspi __P((int, u_int, u_int, struct sockaddr *,
- struct sockaddr *, u_int32_t, u_int32_t, u_int32_t, u_int32_t));
-+int pfkey_send_getspi_nat __P((int, u_int, u_int,
-+ struct sockaddr *, struct sockaddr *, u_int8_t, u_int16_t, u_int16_t,
-+ u_int32_t, u_int32_t, u_int32_t, u_int32_t));
-+
- int pfkey_send_update2 __P((struct pfkey_send_sa_args *));
- int pfkey_send_add2 __P((struct pfkey_send_sa_args *));
- int pfkey_send_delete __P((int, u_int, u_int,
-@@ -155,6 +159,14 @@ int pfkey_send_migrate __P((int, struct sockaddr *, struct sockaddr *,
- caddr_t, int, u_int32_t));
- #endif
-
-+/* XXX should be somewhere else !!!
-+ */
-+#ifdef SADB_X_NAT_T_NEW_MAPPING
-+#define PFKEY_ADDR_X_PORT(ext) (ntohs(((struct sadb_x_nat_t_port *)ext)->sadb_x_nat_t_port_port))
-+#define PFKEY_ADDR_X_NATTYPE(ext) ( ext != NULL && ((struct sadb_x_nat_t_type *)ext)->sadb_x_nat_t_type_type )
-+#endif
-+
-+
- int pfkey_open __P((void));
- void pfkey_close __P((int));
- int pfkey_set_buffer_size __P((int, int));
-diff --git a/src/libipsec/pfkey.c b/src/libipsec/pfkey.c
-index 0a944c2..b39ffca 100644
---- a/src/libipsec/pfkey.c
-+++ b/src/libipsec/pfkey.c
-@@ -380,10 +380,12 @@ pfkey_get_softrate(type)
- * -1 : error occured, and set errno.
- */
- int
--pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq)
-+pfkey_send_getspi_nat(so, satype, mode, src, dst, natt_type, sport, dport, min, max, reqid, seq)
- int so;
- u_int satype, mode;
- struct sockaddr *src, *dst;
-+ u_int8_t natt_type;
-+ u_int16_t sport, dport;
- u_int32_t min, max, reqid, seq;
- {
- struct sadb_msg *newmsg;
-@@ -431,6 +433,14 @@ pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq)
- len += sizeof(struct sadb_spirange);
- }
-
-+#ifdef SADB_X_EXT_NAT_T_TYPE
-+ if(natt_type||sport||dport){
-+ len += sizeof(struct sadb_x_nat_t_type);
-+ len += sizeof(struct sadb_x_nat_t_port);
-+ len += sizeof(struct sadb_x_nat_t_port);
-+ }
-+#endif
-+
- if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) {
- __ipsec_set_strerror(strerror(errno));
- return -1;
-@@ -466,6 +476,32 @@ pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq)
- return -1;
- }
-
-+#ifdef SADB_X_EXT_NAT_T_TYPE
-+ /* Add nat-t messages */
-+ if (natt_type) {
-+ p = pfkey_set_natt_type(p, ep, SADB_X_EXT_NAT_T_TYPE,
-+ natt_type);
-+ if (!p) {
-+ free(newmsg);
-+ return -1;
-+ }
-+
-+ p = pfkey_set_natt_port(p, ep, SADB_X_EXT_NAT_T_SPORT,
-+ sport);
-+ if (!p) {
-+ free(newmsg);
-+ return -1;
-+ }
-+
-+ p = pfkey_set_natt_port(p, ep, SADB_X_EXT_NAT_T_DPORT,
-+ dport);
-+ if (!p) {
-+ free(newmsg);
-+ return -1;
-+ }
-+ }
-+#endif
-+
- /* proccessing spi range */
- if (need_spirange) {
- struct sadb_spirange spirange;
-@@ -501,6 +537,17 @@ pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq)
- return len;
- }
-
-+int
-+pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq)
-+ int so;
-+ u_int satype, mode;
-+ struct sockaddr *src, *dst;
-+ u_int32_t min, max, reqid, seq;
-+{
-+ return pfkey_send_getspi_nat(so, satype, mode, src, dst, 0, 0, 0,
-+ min, max, reqid, seq);
-+}
-+
- /*
- * sending SADB_UPDATE message to the kernel.
- * The length of key material is a_keylen + e_keylen.
-diff --git a/src/racoon/isakmp.c b/src/racoon/isakmp.c
-index c8670f6..fe51653 100644
---- a/src/racoon/isakmp.c
-+++ b/src/racoon/isakmp.c
-@@ -3324,6 +3324,17 @@ purge_remote(iph1)
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
-+#ifdef SADB_X_NAT_T_NEW_MAPPING
-+ if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) {
-+ /* NAT-T is enabled for this SADB entry; copy
-+ * the ports from NAT-T extensions */
-+ if(mhp[SADB_X_EXT_NAT_T_SPORT] != NULL)
-+ set_port(src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT]));
-+ if(mhp[SADB_X_EXT_NAT_T_DPORT] != NULL)
-+ set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));
-+ }
-+#endif
-+
- if (sa->sadb_sa_state != SADB_SASTATE_LARVAL &&
- sa->sadb_sa_state != SADB_SASTATE_MATURE &&
- sa->sadb_sa_state != SADB_SASTATE_DYING) {
-diff --git a/src/racoon/isakmp_inf.c b/src/racoon/isakmp_inf.c
-index 1ada07f..a712825 100644
---- a/src/racoon/isakmp_inf.c
-+++ b/src/racoon/isakmp_inf.c
-@@ -1128,8 +1128,7 @@ purge_ipsec_spi(dst0, proto, spi, n)
- size_t i;
- caddr_t mhp[SADB_EXT_MAX + 1];
- #ifdef ENABLE_NATT
-- struct sadb_x_nat_t_type *natt_type;
-- struct sadb_x_nat_t_port *natt_port;
-+ int natt_port_forced;
- #endif
-
- plog(LLV_DEBUG2, LOCATION, NULL,
-@@ -1184,22 +1183,25 @@ purge_ipsec_spi(dst0, proto, spi, n)
- continue;
- }
- #ifdef ENABLE_NATT
-- natt_type = (void *)mhp[SADB_X_EXT_NAT_T_TYPE];
-- if (natt_type && natt_type->sadb_x_nat_t_type_type) {
-+ if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) {
- /* NAT-T is enabled for this SADB entry; copy
- * the ports from NAT-T extensions */
-- natt_port = (void *)mhp[SADB_X_EXT_NAT_T_SPORT];
-- if (extract_port(src) == 0 && natt_port != NULL)
-- set_port(src, ntohs(natt_port->sadb_x_nat_t_port_port));
--
-- natt_port = (void *)mhp[SADB_X_EXT_NAT_T_DPORT];
-- if (extract_port(dst) == 0 && natt_port != NULL)
-- set_port(dst, ntohs(natt_port->sadb_x_nat_t_port_port));
-- }else{
-- /* Force default UDP ports, so CMPSADDR will match SAs with NO encapsulation
-- */
-+ if (extract_port(src) == 0 &&
-+ mhp[SADB_X_EXT_NAT_T_SPORT] != NULL) {
-+ set_port(src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT]));
-+ }
-+
-+ if (extract_port(dst) == 0 &&
-+ mhp[SADB_X_EXT_NAT_T_DPORT] != NULL) {
-+ set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));
-+ }
-+ natt_port_forced = 0;
-+ } else {
-+ /* Force default UDP ports, so
-+ * CMPSADDR will match SAs with NO encapsulation */
- set_port(src, PORT_ISAKMP);
- set_port(dst, PORT_ISAKMP);
-+ natt_port_forced = 1;
- }
- #endif
- plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(src));
-@@ -1215,10 +1217,9 @@ purge_ipsec_spi(dst0, proto, spi, n)
- }
-
- #ifdef ENABLE_NATT
-- if (natt_type == NULL ||
-- ! natt_type->sadb_x_nat_t_type_type) {
-- /* Set back port to 0 if it was forced to default UDP port
-- */
-+ if (natt_port_forced) {
-+ /* Set back port to 0 if it was forced
-+ * to default UDP port */
- set_port(src, 0);
- set_port(dst, 0);
- }
-diff --git a/src/racoon/pfkey.c b/src/racoon/pfkey.c
-index 610cc09..c210c5e 100644
---- a/src/racoon/pfkey.c
-+++ b/src/racoon/pfkey.c
-@@ -769,6 +769,28 @@ keylen_ealg(enctype, encklen)
- return res;
- }
-
-+void
-+pk_fixup_sa_addresses(mhp)
-+ caddr_t *mhp;
-+{
-+ struct sockaddr *src, *dst;
-+ src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
-+ dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-+#ifdef ENABLE_NATT
-+ if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) {
-+ /* NAT-T is enabled for this SADB entry; copy
-+ * the ports from NAT-T extensions */
-+ if(mhp[SADB_X_EXT_NAT_T_SPORT] != NULL)
-+ set_port(src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT]));
-+ if(mhp[SADB_X_EXT_NAT_T_DPORT] != NULL)
-+ set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));
-+ }
-+#else
-+ set_port(src, 0);
-+ set_port(dst, 0);
-+#endif
-+}
-+
- int
- pfkey_convertfromipsecdoi(proto_id, t_id, hashtype,
- e_type, e_keylen, a_type, a_keylen, flags)
-@@ -866,6 +888,8 @@ pk_sendgetspi(iph2)
- struct saprop *pp;
- struct saproto *pr;
- u_int32_t minspi, maxspi;
-+ u_int8_t natt_type = 0;
-+ u_int16_t sport = 0, dport = 0;
-
- if (iph2->side == INITIATOR)
- pp = iph2->proposal;
-@@ -919,19 +943,27 @@ pk_sendgetspi(iph2)
- }
-
- #ifdef ENABLE_NATT
-- if (! pr->udp_encap) {
-- /* Remove port information, that SA doesn't use it */
-- set_port(iph2->src, 0);
-- set_port(iph2->dst, 0);
-+ if (pr->udp_encap) {
-+ natt_type = iph2->ph1->natt_options->encaps_type;
-+ sport=extract_port(src);
-+ dport=extract_port(dst);
- }
- #endif
-+ /* Always remove port information, it will be sent in
-+ * SADB_X_EXT_NAT_T_[S|D]PORT if needed */
-+ set_port(src, 0);
-+ set_port(dst, 0);
-+
- plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_getspi\n");
-- if (pfkey_send_getspi(
-+ if (pfkey_send_getspi_nat(
- lcconf->sock_pfkey,
- satype,
- mode,
- dst, /* src of SA */
- src, /* dst of SA */
-+ natt_type,
-+ dport,
-+ sport,
- minspi, maxspi,
- pr->reqid_in, iph2->seq) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
-@@ -1157,13 +1189,13 @@ pk_sendupdate(iph2)
- #ifdef SADB_X_EXT_NAT_T_FRAG
- sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
- #endif
-- } else {
-- /* Remove port information, that SA doesn't use it */
-- set_port(sa_args.src, 0);
-- set_port(sa_args.dst, 0);
- }
--
- #endif
-+ /* Always remove port information, it will be sent in
-+ * SADB_X_EXT_NAT_T_[S|D]PORT if needed */
-+ set_port(sa_args.src, 0);
-+ set_port(sa_args.dst, 0);
-+
- /* more info to fill in */
- sa_args.spi = pr->spi;
- sa_args.reqid = pr->reqid_in;
-@@ -1236,6 +1268,7 @@ pk_recvupdate(mhp)
- return -1;
- }
- msg = (struct sadb_msg *)mhp[0];
-+ pk_fixup_sa_addresses(mhp);
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
-@@ -1328,7 +1361,6 @@ pk_recvupdate(mhp)
- /* Force the update of ph2's ports, as there is at least one
- * situation where they'll mismatch with ph1's values
- */
--
- #ifdef ENABLE_NATT
- set_port(iph2->src, extract_port(iph2->ph1->local));
- set_port(iph2->dst, extract_port(iph2->ph1->remote));
-@@ -1456,17 +1488,12 @@ pk_sendadd(iph2)
- #ifdef SADB_X_EXT_NAT_T_FRAG
- sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
- #endif
-- } else {
-- /* Remove port information, that SA doesn't use it */
-- set_port(sa_args.src, 0);
-- set_port(sa_args.dst, 0);
- }
--
--#else
-- /* Remove port information, it is not used without NAT-T */
-+#endif
-+ /* Always remove port information, it will be sent in
-+ * SADB_X_EXT_NAT_T_[S|D]PORT if needed */
- set_port(sa_args.src, 0);
- set_port(sa_args.dst, 0);
--#endif
-
- /* more info to fill in */
- sa_args.spi = pr->spi_p;
-@@ -1596,6 +1623,7 @@ pk_recvexpire(mhp)
- }
- msg = (struct sadb_msg *)mhp[0];
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
-+ pk_fixup_sa_addresses(mhp);
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
-@@ -1721,6 +1749,7 @@ pk_recvacquire(mhp)
- }
- msg = (struct sadb_msg *)mhp[0];
- xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
-+ pk_fixup_sa_addresses(mhp);
- sp_src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- sp_dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
-@@ -1971,6 +2000,7 @@ pk_recvdelete(mhp)
- }
- msg = (struct sadb_msg *)mhp[0];
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
-+ pk_fixup_sa_addresses(mhp);
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
-@@ -2709,7 +2739,6 @@ pk_recvspddump(mhp)
- return -1;
- }
- msg = (struct sadb_msg *)mhp[0];
--
- saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
- daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
- xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
-diff --git a/src/racoon/pfkey.h b/src/racoon/pfkey.h
-index a3acd1c..f1b037d 100644
---- a/src/racoon/pfkey.h
-+++ b/src/racoon/pfkey.h
-@@ -52,6 +52,7 @@ extern struct pfkey_st *pfkey_getpst __P((caddr_t *, int, int));
- extern int pk_checkalg __P((int, int, int));
-
- struct ph2handle;
-+extern void pk_fixup_sa_addresses __P((caddr_t *mhp));
- extern int pk_sendgetspi __P((struct ph2handle *));
- extern int pk_sendupdate __P((struct ph2handle *));
- extern int pk_sendadd __P((struct ph2handle *));
diff --git a/main/ipsec-tools/40-cmpsaddr-cleanup.patch b/main/ipsec-tools/40-cmpsaddr-cleanup.patch
deleted file mode 100644
index c5e3e4b33..000000000
--- a/main/ipsec-tools/40-cmpsaddr-cleanup.patch
+++ /dev/null
@@ -1,1403 +0,0 @@
-Get rid of CMPSADDR hack in port comparisons. Trac #295.
-
-From: Timo Teras <timo.teras@iki.fi>
-
-
----
-
- src/racoon/admin.c | 37 ++++---
- src/racoon/grabmyaddr.c | 22 ++--
- src/racoon/handler.c | 41 +++-----
- src/racoon/handler.h | 7 -
- src/racoon/isakmp.c | 90 ++++-------------
- src/racoon/isakmp_cfg.c | 9 --
- src/racoon/isakmp_inf.c | 111 ++++-----------------
- src/racoon/isakmp_quick.c | 29 +++---
- src/racoon/nattraversal.c | 8 +-
- src/racoon/pfkey.c | 52 +++-------
- src/racoon/policy.c | 22 ++--
- src/racoon/remoteconf.c | 30 +-----
- src/racoon/remoteconf.h | 3 -
- src/racoon/sockmisc.c | 234 +++------------------------------------------
- src/racoon/sockmisc.h | 15 +--
- src/racoon/throttle.c | 2
- 16 files changed, 170 insertions(+), 542 deletions(-)
-
-
-diff --git a/src/racoon/admin.c b/src/racoon/admin.c
-index 576e191..b67e545 100644
---- a/src/racoon/admin.c
-+++ b/src/racoon/admin.c
-@@ -167,6 +167,14 @@ end:
- return error;
- }
-
-+static int admin_ph1_delete_sa(struct ph1handle *iph1, void *arg)
-+{
-+ if (iph1->status >= PHASE1ST_ESTABLISHED)
-+ isakmp_info_send_d1(iph1);
-+ purge_remote(iph1);
-+ return 0;
-+}
-+
- /*
- * main child's process.
- */
-@@ -257,7 +265,7 @@ admin_process(so2, combuf)
- break;
- }
-
-- iph1 = getph1byaddrwop(src, dst);
-+ iph1 = getph1byaddr(src, dst, 0);
- if (iph1 == NULL) {
- l_ac_errno = ENOENT;
- break;
-@@ -292,30 +300,25 @@ admin_process(so2, combuf)
-
- case ADMIN_DELETE_SA: {
- struct ph1handle *iph1;
-- struct sockaddr *dst;
-- struct sockaddr *src;
-+ struct ph1selector sel;
- char *loc, *rem;
-
-- src = (struct sockaddr *)
-+ memset(&sel, 0, sizeof(sel));
-+ sel.local = (struct sockaddr *)
- &((struct admin_com_indexes *)
- ((caddr_t)com + sizeof(*com)))->src;
-- dst = (struct sockaddr *)
-+ sel.remote = (struct sockaddr *)
- &((struct admin_com_indexes *)
- ((caddr_t)com + sizeof(*com)))->dst;
-
-- loc = racoon_strdup(saddrwop2str(src));
-- rem = racoon_strdup(saddrwop2str(dst));
-+ loc = racoon_strdup(saddr2str(sel.local));
-+ rem = racoon_strdup(saddr2str(sel.remote));
- STRDUP_FATAL(loc);
- STRDUP_FATAL(rem);
-
-- if ((iph1 = getph1byaddrwop(src, dst)) == NULL) {
-- plog(LLV_ERROR, LOCATION, NULL,
-- "phase 1 for %s -> %s not found\n", loc, rem);
-- } else {
-- if (iph1->status >= PHASE1ST_ESTABLISHED)
-- isakmp_info_send_d1(iph1);
-- purge_remote(iph1);
-- }
-+ plog(LLV_INFO, LOCATION, NULL,
-+ "admin delete-sa %s %s\n", loc, rem);
-+ enumph1(&sel, admin_ph1_delete_sa, NULL);
-
- racoon_free(loc);
- racoon_free(rem);
-@@ -360,7 +363,7 @@ admin_process(so2, combuf)
- plog(LLV_INFO, LOCATION, NULL,
- "Flushing all SAs for peer %s\n", rem);
-
-- while ((iph1 = getph1bydstaddrwop(dst)) != NULL) {
-+ while ((iph1 = getph1bydstaddr(dst)) != NULL) {
- loc = racoon_strdup(saddrwop2str(iph1->local));
- STRDUP_FATAL(loc);
-
-@@ -429,7 +432,7 @@ admin_process(so2, combuf)
- l_ac_errno = -1;
-
- /* connected already? */
-- ph1 = getph1byaddrwop(src, dst);
-+ ph1 = getph1byaddr(src, dst, 0);
- if (ph1 != NULL) {
- event_list = &ph1->evt_listeners;
- if (ph1->status == PHASE1ST_ESTABLISHED)
-diff --git a/src/racoon/grabmyaddr.c b/src/racoon/grabmyaddr.c
-index f866dd5..cb1b638 100644
---- a/src/racoon/grabmyaddr.c
-+++ b/src/racoon/grabmyaddr.c
-@@ -100,7 +100,7 @@ myaddr_configured(addr)
- return TRUE;
-
- LIST_FOREACH(cfg, &configured, chain) {
-- if (cmpsaddrstrict(addr, (struct sockaddr *) &cfg->addr) == 0)
-+ if (cmpsaddr(addr, (struct sockaddr *) &cfg->addr) == 0)
- return TRUE;
- }
-
-@@ -116,7 +116,7 @@ myaddr_open(addr, udp_encap)
-
- /* Already open? */
- LIST_FOREACH(my, &opened, chain) {
-- if (cmpsaddrstrict(addr, (struct sockaddr *) &my->addr) == 0)
-+ if (cmpsaddr(addr, (struct sockaddr *) &my->addr) == 0)
- return TRUE;
- }
-
-@@ -156,7 +156,7 @@ myaddr_open_all_configured(addr)
-
- LIST_FOREACH(cfg, &configured, chain) {
- if (addr != NULL &&
-- cmpsaddrwop(addr, (struct sockaddr *) &cfg->addr) != 0)
-+ cmpsaddr(addr, (struct sockaddr *) &cfg->addr) != 0)
- continue;
- if (!myaddr_open((struct sockaddr *) &cfg->addr, cfg->udp_encap))
- return FALSE;
-@@ -187,8 +187,8 @@ myaddr_close_all_open(addr)
- for (my = LIST_FIRST(&opened); my; my = next) {
- next = LIST_NEXT(my, chain);
-
-- if (!cmpsaddrwop((struct sockaddr *) &addr,
-- (struct sockaddr *) &my->addr))
-+ if (!cmpsaddr((struct sockaddr *) &addr,
-+ (struct sockaddr *) &my->addr))
- myaddr_delete(my);
- }
- }
-@@ -261,7 +261,7 @@ myaddr_getfd(addr)
- struct myaddr *my;
-
- LIST_FOREACH(my, &opened, chain) {
-- if (cmpsaddrstrict((struct sockaddr *) &my->addr, addr) == 0)
-+ if (cmpsaddr((struct sockaddr *) &my->addr, addr) == 0)
- return my->fd;
- }
-
-@@ -273,19 +273,13 @@ myaddr_getsport(addr)
- struct sockaddr *addr;
- {
- struct myaddr *my;
-- int bestmatch_port = -1;
-
- LIST_FOREACH(my, &opened, chain) {
-- if (cmpsaddrstrict((struct sockaddr *) &my->addr, addr) == 0)
-+ if (cmpsaddr((struct sockaddr *) &my->addr, addr) == 0)
- return extract_port((struct sockaddr *) &my->addr);
-- if (cmpsaddrwop((struct sockaddr *) &my->addr, addr) != 0)
-- continue;
-- if (bestmatch_port == -1 ||
-- extract_port((struct sockaddr *) &my->addr) == PORT_ISAKMP)
-- bestmatch_port = extract_port((struct sockaddr *) &my->addr);
- }
-
-- return bestmatch_port;
-+ return PORT_ISAKMP;
- }
-
- void
-diff --git a/src/racoon/handler.c b/src/racoon/handler.c
-index 960b5b3..b33986f 100644
---- a/src/racoon/handler.c
-+++ b/src/racoon/handler.c
-@@ -120,11 +120,11 @@ enumph1(sel, enum_func, enum_arg)
- LIST_FOREACH(p, &ph1tree, chain) {
- if (sel != NULL) {
- if (sel->local != NULL &&
-- CMPSADDR(sel->local, p->local) != 0)
-+ cmpsaddr(sel->local, p->local) != 0)
- continue;
-
- if (sel->remote != NULL &&
-- CMPSADDR(sel->remote, p->remote) != 0)
-+ cmpsaddr(sel->remote, p->remote) != 0)
- continue;
- }
-
-@@ -201,17 +201,12 @@ getph1(rmconf, local, remote, flags)
- "status %d, skipping\n", p->status);
- continue;
- }
-- if (flags & GETPH1_F_WITHOUT_PORTS) {
-- if (local != NULL && cmpsaddrwop(local, p->local) != 0)
-- continue;
-- if (remote != NULL && cmpsaddrwop(remote, p->remote) != 0)
-- continue;
-- } else {
-- if (local != NULL && CMPSADDR(local, p->local) != 0)
-- continue;
-- if (remote != NULL && CMPSADDR(remote, p->remote) != 0)
-- continue;
-- }
-+
-+ if (local != NULL && cmpsaddr(local, p->local) != 0)
-+ continue;
-+
-+ if (remote != NULL && cmpsaddr(remote, p->remote) != 0)
-+ continue;
-
- plog(LLV_DEBUG2, LOCATION, NULL, "matched\n");
- return p;
-@@ -287,8 +282,8 @@ void migrate_dying_ph12(iph1)
- if (p->status < PHASE1ST_DYING)
- continue;
-
-- if (CMPSADDR(iph1->local, p->local) == 0
-- && CMPSADDR(iph1->remote, p->remote) == 0)
-+ if (cmpsaddr(iph1->local, p->local) == 0
-+ && cmpsaddr(iph1->remote, p->remote) == 0)
- migrate_ph12(p, iph1);
- }
- }
-@@ -518,11 +513,11 @@ enumph2(sel, enum_func, enum_arg)
- continue;
-
- if (sel->src != NULL &&
-- CMPSADDR(sel->src, p->src) != 0)
-+ cmpsaddr(sel->src, p->src) != 0)
- continue;
-
- if (sel->dst != NULL &&
-- CMPSADDR(sel->dst, p->dst) != 0)
-+ cmpsaddr(sel->dst, p->dst) != 0)
- continue;
- }
-
-@@ -586,8 +581,8 @@ getph2byid(src, dst, spid)
-
- LIST_FOREACH(p, &ph2tree, chain) {
- if (spid == p->spid &&
-- cmpsaddrwild(src, p->src) == 0 &&
-- cmpsaddrwild(dst, p->dst) == 0){
-+ cmpsaddr(src, p->src) == 0 &&
-+ cmpsaddr(dst, p->dst) == 0){
- /* Sanity check to detect zombie handlers
- * XXX Sould be done "somewhere" more interesting,
- * because we have lots of getph2byxxxx(), but this one
-@@ -614,8 +609,8 @@ getph2bysaddr(src, dst)
- struct ph2handle *p;
-
- LIST_FOREACH(p, &ph2tree, chain) {
-- if (cmpsaddrstrict(src, p->src) == 0 &&
-- cmpsaddrstrict(dst, p->dst) == 0)
-+ if (cmpsaddr(src, p->src) == 0 &&
-+ cmpsaddr(dst, p->dst) == 0)
- return p;
- }
-
-@@ -918,7 +913,7 @@ getcontacted(remote)
- struct contacted *p;
-
- LIST_FOREACH(p, &ctdtree, chain) {
-- if (cmpsaddrstrict(remote, p->remote) == 0)
-+ if (cmpsaddr(remote, p->remote) == 0)
- return p;
- }
-
-@@ -997,7 +992,7 @@ check_recvdpkt(remote, local, rbuf)
- /*
- * the packet was processed before, but the remote address mismatches.
- */
-- if (cmpsaddrstrict(remote, r->remote) != 0)
-+ if (cmpsaddr(remote, r->remote) != 0)
- return 2;
-
- /*
-diff --git a/src/racoon/handler.h b/src/racoon/handler.h
-index c31753d..8f19c88 100644
---- a/src/racoon/handler.h
-+++ b/src/racoon/handler.h
-@@ -467,7 +467,6 @@ extern int enumph1 __P((struct ph1selector *ph1sel,
- void *enum_arg));
-
- #define GETPH1_F_ESTABLISHED 0x0001
--#define GETPH1_F_WITHOUT_PORTS 0x0002
-
- extern struct ph1handle *getph1 __P((struct remoteconf *rmconf,
- struct sockaddr *local,
-@@ -476,10 +475,8 @@ extern struct ph1handle *getph1 __P((struct remoteconf *rmconf,
-
- #define getph1byaddr(local, remote, est) \
- getph1(NULL, local, remote, est ? GETPH1_F_ESTABLISHED : 0)
--#define getph1byaddrwop(local, remote) \
-- getph1(NULL, local, remote, GETPH1_F_WITHOUT_PORTS)
--#define getph1bydstaddrwop(remote) \
-- getph1(NULL, NULL, remote, GETPH1_F_WITHOUT_PORTS)
-+#define getph1bydstaddr(remote) \
-+ getph1(NULL, NULL, remote, 0)
-
- #ifdef ENABLE_HYBRID
- struct ph1handle *getph1bylogin __P((char *));
-diff --git a/src/racoon/isakmp.c b/src/racoon/isakmp.c
-index fe51653..0de16d1 100644
---- a/src/racoon/isakmp.c
-+++ b/src/racoon/isakmp.c
-@@ -475,8 +475,8 @@ isakmp_main(msg, remote, local)
- /* Floating ports for NAT-T */
- if (NATT_AVAILABLE(iph1) &&
- ! (iph1->natt_flags & NAT_PORTS_CHANGED) &&
-- ((cmpsaddrstrict(iph1->remote, remote) != 0) ||
-- (cmpsaddrstrict(iph1->local, local) != 0)))
-+ ((cmpsaddr(iph1->remote, remote) != 0) ||
-+ (cmpsaddr(iph1->local, local) != 0)))
- {
- /* prevent memory leak */
- racoon_free(iph1->remote);
-@@ -517,7 +517,7 @@ isakmp_main(msg, remote, local)
- #endif
-
- /* must be same addresses in one stream of a phase at least. */
-- if (cmpsaddrstrict(iph1->remote, remote) != 0) {
-+ if (cmpsaddr(iph1->remote, remote) != 0) {
- char *saddr_db, *saddr_act;
-
- saddr_db = racoon_strdup(saddr2str(iph1->remote));
-@@ -643,7 +643,7 @@ isakmp_main(msg, remote, local)
- "exchange received.\n");
- return -1;
- }
-- if (cmpsaddrstrict(iph1->remote, remote) != 0) {
-+ if (cmpsaddr(iph1->remote, remote) != 0) {
- plog(LLV_WARNING, LOCATION, remote,
- "remote address mismatched. "
- "db=%s\n",
-@@ -1275,6 +1275,12 @@ isakmp_ph2begin_i(iph1, iph2)
- }
- #endif
-
-+ /* fixup ph2 ports for this ph1 */
-+ if (extract_port(iph2->src) == 0)
-+ set_port(iph2->src, extract_port(iph1->local));
-+ if (extract_port(iph2->dst) == 0)
-+ set_port(iph2->dst, extract_port(iph1->remote));
-+
- /* found ISAKMP-SA. */
- plog(LLV_DEBUG, LOCATION, NULL, "===\n");
- plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
-@@ -1353,15 +1359,6 @@ isakmp_ph2begin_r(iph1, msg)
- delph2(iph2);
- return -1;
- }
--#if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
-- if (set_port(iph2->dst, 0) == NULL ||
-- set_port(iph2->src, 0) == NULL) {
-- plog(LLV_ERROR, LOCATION, NULL,
-- "invalid family: %d\n", iph2->dst->sa_family);
-- delph2(iph2);
-- return -1;
-- }
--#endif
-
- /* add new entry to isakmp status table */
- insph2(iph2);
-@@ -2186,23 +2183,12 @@ isakmp_post_acquire(iph2)
- return 0;
- }
-
-- /*
-- * Search isakmp status table by address and port
-- * If NAT-T is in use, consider null ports as a
-- * wildcard and use IKE ports instead.
-+ /*
-+ * XXX Searching by IP addresses + ports might fail on
-+ * some cases, we should use the ISAKMP identity to search
-+ * matching ISAKMP.
- */
--#ifdef ENABLE_NATT
-- if (!extract_port(iph2->src) && !extract_port(iph2->dst)) {
-- if ((iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL) {
-- set_port(iph2->src, extract_port(iph1->local));
-- set_port(iph2->dst, extract_port(iph1->remote));
-- }
-- } else {
-- iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
-- }
--#else
- iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
--#endif
-
- /* no ISAKMP-SA found. */
- if (iph1 == NULL) {
-@@ -2380,26 +2366,8 @@ isakmp_chkph1there(iph2)
- return;
- }
-
-- /*
-- * Search isakmp status table by address and port
-- * If NAT-T is in use, consider null ports as a
-- * wildcard and use IKE ports instead.
-- */
--#ifdef ENABLE_NATT
-- if (!extract_port(iph2->src) && !extract_port(iph2->dst)) {
-- plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: extract_port.\n");
-- if( (iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL){
-- plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: found a ph1 wop.\n");
-- }
-- } else {
-- plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: searching byaddr.\n");
-- iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
-- if(iph1 != NULL)
-- plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: found byaddr.\n");
-- }
--#else
-+ /* Search isakmp status table by address and port */
- iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
--#endif
-
- /* XXX Even if ph1 as responder is there, should we not start
- * phase 2 negotiation ? */
-@@ -3321,20 +3289,10 @@ purge_remote(iph1)
- msg = next;
- continue;
- }
-+ pk_fixup_sa_addresses(mhp);
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
--#ifdef SADB_X_NAT_T_NEW_MAPPING
-- if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) {
-- /* NAT-T is enabled for this SADB entry; copy
-- * the ports from NAT-T extensions */
-- if(mhp[SADB_X_EXT_NAT_T_SPORT] != NULL)
-- set_port(src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT]));
-- if(mhp[SADB_X_EXT_NAT_T_DPORT] != NULL)
-- set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));
-- }
--#endif
--
- if (sa->sadb_sa_state != SADB_SASTATE_LARVAL &&
- sa->sadb_sa_state != SADB_SASTATE_MATURE &&
- sa->sadb_sa_state != SADB_SASTATE_DYING) {
-@@ -3346,22 +3304,14 @@ purge_remote(iph1)
- * check in/outbound SAs.
- * Select only SAs where src == local and dst == remote (outgoing)
- * or src == remote and dst == local (incoming).
-- * XXX we sometime have src/dst ports set to 0 and want to match
-- * iph1->local/remote with ports set to 500. This is a bug, see trac:2
- */
--#ifdef ENABLE_NATT
-- if ((cmpsaddrmagic(iph1->local, src) || cmpsaddrmagic(iph1->remote, dst)) &&
-- (cmpsaddrmagic(iph1->local, dst) || cmpsaddrmagic(iph1->remote, src))) {
-- msg = next;
-- continue;
-- }
--#else
-- if ((CMPSADDR(iph1->local, src) || CMPSADDR(iph1->remote, dst)) &&
-- (CMPSADDR(iph1->local, dst) || CMPSADDR(iph1->remote, src))) {
-+ if ((cmpsaddr(iph1->local, src) ||
-+ cmpsaddr(iph1->remote, dst)) &&
-+ (cmpsaddr(iph1->local, dst) ||
-+ cmpsaddr(iph1->remote, src))) {
- msg = next;
- continue;
- }
--#endif
-
- proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
- iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);
-diff --git a/src/racoon/isakmp_cfg.c b/src/racoon/isakmp_cfg.c
-index 62916f8..df763f8 100644
---- a/src/racoon/isakmp_cfg.c
-+++ b/src/racoon/isakmp_cfg.c
-@@ -1151,15 +1151,6 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange)
- goto end;
- }
-
--#if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
-- if (set_port(iph2->dst, 0) == NULL ||
-- set_port(iph2->src, 0) == NULL) {
-- plog(LLV_ERROR, LOCATION, NULL,
-- "invalid family: %d\n", iph1->remote->sa_family);
-- delph2(iph2);
-- goto end;
-- }
--#endif
- iph2->side = INITIATOR;
- iph2->status = PHASE2ST_START;
-
-diff --git a/src/racoon/isakmp_inf.c b/src/racoon/isakmp_inf.c
-index a712825..6fa3498 100644
---- a/src/racoon/isakmp_inf.c
-+++ b/src/racoon/isakmp_inf.c
-@@ -903,15 +903,6 @@ isakmp_info_send_common(iph1, payload, np, flags)
- delph2(iph2);
- goto end;
- }
--#if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
-- if (set_port(iph2->dst, 0) == NULL ||
-- set_port(iph2->src, 0) == NULL) {
-- plog(LLV_ERROR, LOCATION, NULL,
-- "invalid family: %d\n", iph1->remote->sa_family);
-- delph2(iph2);
-- goto end;
-- }
--#endif
- iph2->side = INITIATOR;
- iph2->status = PHASE2ST_START;
- iph2->msgid = isakmp_newmsgid2(iph1);
-@@ -1127,9 +1118,6 @@ purge_ipsec_spi(dst0, proto, spi, n)
- u_int64_t created;
- size_t i;
- caddr_t mhp[SADB_EXT_MAX + 1];
--#ifdef ENABLE_NATT
-- int natt_port_forced;
--#endif
-
- plog(LLV_DEBUG2, LOCATION, NULL,
- "purge_ipsec_spi:\n");
-@@ -1169,6 +1157,7 @@ purge_ipsec_spi(dst0, proto, spi, n)
- msg = next;
- continue;
- }
-+ pk_fixup_sa_addresses(mhp);
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
- lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
-@@ -1182,28 +1171,7 @@ purge_ipsec_spi(dst0, proto, spi, n)
- msg = next;
- continue;
- }
--#ifdef ENABLE_NATT
-- if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) {
-- /* NAT-T is enabled for this SADB entry; copy
-- * the ports from NAT-T extensions */
-- if (extract_port(src) == 0 &&
-- mhp[SADB_X_EXT_NAT_T_SPORT] != NULL) {
-- set_port(src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT]));
-- }
-
-- if (extract_port(dst) == 0 &&
-- mhp[SADB_X_EXT_NAT_T_DPORT] != NULL) {
-- set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));
-- }
-- natt_port_forced = 0;
-- } else {
-- /* Force default UDP ports, so
-- * CMPSADDR will match SAs with NO encapsulation */
-- set_port(src, PORT_ISAKMP);
-- set_port(dst, PORT_ISAKMP);
-- natt_port_forced = 1;
-- }
--#endif
- plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(src));
- plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(dst));
-
-@@ -1211,19 +1179,11 @@ purge_ipsec_spi(dst0, proto, spi, n)
-
- /* don't delete inbound SAs at the moment */
- /* XXX should we remove SAs with opposite direction as well? */
-- if (CMPSADDR(dst0, dst)) {
-+ if (cmpsaddr(dst0, dst)) {
- msg = next;
- continue;
- }
-
--#ifdef ENABLE_NATT
-- if (natt_port_forced) {
-- /* Set back port to 0 if it was forced
-- * to default UDP port */
-- set_port(src, 0);
-- set_port(dst, 0);
-- }
--#endif
- for (i = 0; i < n; i++) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "check spi(packet)=%u spi(db)=%u.\n",
-@@ -1354,37 +1314,33 @@ isakmp_info_recv_initialcontact(iph1, protectedph2)
- msg = (struct sadb_msg *)buf->v;
- end = (struct sadb_msg *)(buf->v + buf->l);
-
-- while (msg < end) {
-+ for (; msg < end; msg = next) {
- if ((msg->sadb_msg_len << 3) < sizeof(*msg))
- break;
-+
- next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3));
-- if (msg->sadb_msg_type != SADB_DUMP) {
-- msg = next;
-+ if (msg->sadb_msg_type != SADB_DUMP)
- continue;
-- }
-
- if (pfkey_align(msg, mhp) || pfkey_check(mhp)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "pfkey_check (%s)\n", ipsec_strerror());
-- msg = next;
- continue;
- }
-
- if (mhp[SADB_EXT_SA] == NULL
- || mhp[SADB_EXT_ADDRESS_SRC] == NULL
-- || mhp[SADB_EXT_ADDRESS_DST] == NULL) {
-- msg = next;
-+ || mhp[SADB_EXT_ADDRESS_DST] == NULL)
- continue;
-- }
-+
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
-+ pk_fixup_sa_addresses(mhp);
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
- if (sa->sadb_sa_state != SADB_SASTATE_MATURE
-- && sa->sadb_sa_state != SADB_SASTATE_DYING) {
-- msg = next;
-+ && sa->sadb_sa_state != SADB_SASTATE_DYING)
- continue;
-- }
-
- /*
- * RFC2407 4.6.3.3 INITIAL-CONTACT is the message that
-@@ -1394,39 +1350,18 @@ isakmp_info_recv_initialcontact(iph1, protectedph2)
- * racoon only deletes SA which is matched both the
- * source address and the destination accress.
- */
--#ifdef ENABLE_NATT
-- /*
-- * XXX RFC 3947 says that whe MUST NOT use IP+port to find old SAs
-- * from this peer !
-- */
-- if(iph1->natt_flags & NAT_DETECTED){
-- if (CMPSADDR(iph1->local, src) == 0 &&
-- CMPSADDR(iph1->remote, dst) == 0)
-- ;
-- else if (CMPSADDR(iph1->remote, src) == 0 &&
-- CMPSADDR(iph1->local, dst) == 0)
-- ;
-- else {
-- msg = next;
-- continue;
-- }
-- } else
--#endif
-- /* If there is no NAT-T, we don't have to check addr + port...
-- * XXX what about a configuration with a remote peers which is not
-- * NATed, but which NATs some other peers ?
-- * Here, the INITIAl-CONTACT would also flush all those NATed peers !!
-- */
-- if (cmpsaddrwop(iph1->local, src) == 0 &&
-- cmpsaddrwop(iph1->remote, dst) == 0)
-- ;
-- else if (cmpsaddrwop(iph1->remote, src) == 0 &&
-- cmpsaddrwop(iph1->local, dst) == 0)
-- ;
-- else {
-- msg = next;
-+
-+ /*
-+ * Check that the IP and port match. But this is not optimal,
-+ * since NAT-T can make the peer have multiple different
-+ * ports. Correct thing to do is delete all entries with
-+ * same identity. -TT
-+ */
-+ if ((cmpsaddr(iph1->local, src) != 0 ||
-+ cmpsaddr(iph1->remote, dst) != 0) &&
-+ (cmpsaddr(iph1->local, dst) != 0 ||
-+ cmpsaddr(iph1->remote, src) != 0))
- continue;
-- }
-
- /*
- * Make sure this is an SATYPE that we manage.
-@@ -1438,10 +1373,8 @@ isakmp_info_recv_initialcontact(iph1, protectedph2)
- msg->sadb_msg_satype)
- break;
- }
-- if (i == pfkey_nsatypes) {
-- msg = next;
-+ if (i == pfkey_nsatypes)
- continue;
-- }
-
- plog(LLV_INFO, LOCATION, NULL,
- "purging spi=%u.\n", ntohl(sa->sadb_sa_spi));
-@@ -1461,8 +1394,6 @@ isakmp_info_recv_initialcontact(iph1, protectedph2)
- remph2(iph2);
- delph2(iph2);
- }
--
-- msg = next;
- }
-
- vfree(buf);
-diff --git a/src/racoon/isakmp_quick.c b/src/racoon/isakmp_quick.c
-index 804c1bf..46c84c1 100644
---- a/src/racoon/isakmp_quick.c
-+++ b/src/racoon/isakmp_quick.c
-@@ -610,17 +610,19 @@ quick_i2recv(iph2, msg0)
- error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
- goto end;
- }
-+#ifdef ENABLE_NATT
-+ set_port(iph2->natoa_src,
-+ extract_port((struct sockaddr *) &proposed_addr));
-+#endif
-
-- if (cmpsaddrstrict((struct sockaddr *) &proposed_addr,
-- (struct sockaddr *) &got_addr) == 0) {
-+ if (cmpsaddr((struct sockaddr *) &proposed_addr,
-+ (struct sockaddr *) &got_addr) == 0) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "IDci matches proposal.\n");
- #ifdef ENABLE_NATT
- } else if (iph2->natoa_src != NULL
-- && cmpsaddrwop(iph2->natoa_src,
-- (struct sockaddr *) &got_addr) == 0
-- && extract_port((struct sockaddr *) &proposed_addr) ==
-- extract_port((struct sockaddr *) &got_addr)) {
-+ && cmpsaddr(iph2->natoa_src,
-+ (struct sockaddr *) &got_addr) == 0) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "IDci matches NAT-OAi.\n");
- #endif
-@@ -656,16 +658,19 @@ quick_i2recv(iph2, msg0)
- goto end;
- }
-
-- if (cmpsaddrstrict((struct sockaddr *) &proposed_addr,
-- (struct sockaddr *) &got_addr) == 0) {
-+#ifdef ENABLE_NATT
-+ set_port(iph2->natoa_dst,
-+ extract_port((struct sockaddr *) &proposed_addr));
-+#endif
-+
-+ if (cmpsaddr((struct sockaddr *) &proposed_addr,
-+ (struct sockaddr *) &got_addr) == 0) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "IDcr matches proposal.\n");
- #ifdef ENABLE_NATT
- } else if (iph2->natoa_dst != NULL
-- && cmpsaddrwop(iph2->natoa_dst,
-- (struct sockaddr *) &got_addr) == 0
-- && extract_port((struct sockaddr *) &proposed_addr) ==
-- extract_port((struct sockaddr *) &got_addr)) {
-+ && cmpsaddr(iph2->natoa_dst,
-+ (struct sockaddr *) &got_addr) == 0) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "IDcr matches NAT-OAr.\n");
- #endif
-diff --git a/src/racoon/nattraversal.c b/src/racoon/nattraversal.c
-index f23341a..92095de 100644
---- a/src/racoon/nattraversal.c
-+++ b/src/racoon/nattraversal.c
-@@ -379,8 +379,8 @@ natt_keepalive_add (struct sockaddr *src, struct sockaddr *dst)
- struct natt_ka_addrs *ka = NULL, *new_addr;
-
- TAILQ_FOREACH (ka, &ka_tree, chain) {
-- if (cmpsaddrstrict(ka->src, src) == 0 &&
-- cmpsaddrstrict(ka->dst, dst) == 0) {
-+ if (cmpsaddr(ka->src, src) == 0 &&
-+ cmpsaddr(ka->dst, dst) == 0) {
- ka->in_use++;
- plog (LLV_INFO, LOCATION, NULL, "KA found: %s (in_use=%u)\n",
- saddr2str_fromto("%s->%s", src, dst), ka->in_use);
-@@ -443,8 +443,8 @@ natt_keepalive_remove (struct sockaddr *src, struct sockaddr *dst)
- plog (LLV_DEBUG, LOCATION, NULL, "KA tree dump: %s (in_use=%u)\n",
- saddr2str_fromto("%s->%s", src, dst), ka->in_use);
-
-- if (cmpsaddrstrict(ka->src, src) == 0 &&
-- cmpsaddrstrict(ka->dst, dst) == 0 &&
-+ if (cmpsaddr(ka->src, src) == 0 &&
-+ cmpsaddr(ka->dst, dst) == 0 &&
- -- ka->in_use <= 0) {
-
- plog (LLV_DEBUG, LOCATION, NULL, "KA removing this one...\n");
-diff --git a/src/racoon/pfkey.c b/src/racoon/pfkey.c
-index c210c5e..3778ef2 100644
---- a/src/racoon/pfkey.c
-+++ b/src/racoon/pfkey.c
-@@ -774,8 +774,12 @@ pk_fixup_sa_addresses(mhp)
- caddr_t *mhp;
- {
- struct sockaddr *src, *dst;
-+
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-+ set_port(src, PORT_ISAKMP);
-+ set_port(dst, PORT_ISAKMP);
-+
- #ifdef ENABLE_NATT
- if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) {
- /* NAT-T is enabled for this SADB entry; copy
-@@ -785,9 +789,6 @@ pk_fixup_sa_addresses(mhp)
- if(mhp[SADB_X_EXT_NAT_T_DPORT] != NULL)
- set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));
- }
--#else
-- set_port(src, 0);
-- set_port(dst, 0);
- #endif
- }
-
-@@ -949,10 +950,6 @@ pk_sendgetspi(iph2)
- dport=extract_port(dst);
- }
- #endif
-- /* Always remove port information, it will be sent in
-- * SADB_X_EXT_NAT_T_[S|D]PORT if needed */
-- set_port(src, 0);
-- set_port(dst, 0);
-
- plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_getspi\n");
- if (pfkey_send_getspi_nat(
-@@ -1009,6 +1006,7 @@ pk_recvgetspi(mhp)
- }
- msg = (struct sadb_msg *)mhp[0];
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
-+ pk_fixup_sa_addresses(mhp);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); /* note SA dir */
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
-@@ -1183,18 +1181,14 @@ pk_sendupdate(iph2)
- #ifdef ENABLE_NATT
- if (pr->udp_encap) {
- sa_args.l_natt_type = iph2->ph1->natt_options->encaps_type;
-- sa_args.l_natt_sport = extract_port (iph2->ph1->remote);
-- sa_args.l_natt_dport = extract_port (iph2->ph1->local);
-+ sa_args.l_natt_sport = extract_port(iph2->ph1->remote);
-+ sa_args.l_natt_dport = extract_port(iph2->ph1->local);
- sa_args.l_natt_oa = iph2->natoa_src;
- #ifdef SADB_X_EXT_NAT_T_FRAG
- sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
- #endif
- }
- #endif
-- /* Always remove port information, it will be sent in
-- * SADB_X_EXT_NAT_T_[S|D]PORT if needed */
-- set_port(sa_args.src, 0);
-- set_port(sa_args.dst, 0);
-
- /* more info to fill in */
- sa_args.spi = pr->spi;
-@@ -1358,14 +1352,6 @@ pk_recvupdate(mhp)
- /* turn off schedule */
- sched_cancel(&iph2->scr);
-
-- /* Force the update of ph2's ports, as there is at least one
-- * situation where they'll mismatch with ph1's values
-- */
--#ifdef ENABLE_NATT
-- set_port(iph2->src, extract_port(iph2->ph1->local));
-- set_port(iph2->dst, extract_port(iph2->ph1->remote));
--#endif
--
- /*
- * since we are going to reuse the phase2 handler, we need to
- * remain it and refresh all the references between ph1 and ph2 to use.
-@@ -1418,7 +1404,7 @@ pk_sendadd(iph2)
- racoon_free(sa_args.src);
- racoon_free(sa_args.dst);
- return -1;
-- }
-+ }
-
- for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
- /* validity check */
-@@ -1490,11 +1476,6 @@ pk_sendadd(iph2)
- #endif
- }
- #endif
-- /* Always remove port information, it will be sent in
-- * SADB_X_EXT_NAT_T_[S|D]PORT if needed */
-- set_port(sa_args.src, 0);
-- set_port(sa_args.dst, 0);
--
- /* more info to fill in */
- sa_args.spi = pr->spi_p;
- sa_args.reqid = pr->reqid_out;
-@@ -1559,6 +1540,7 @@ pk_recvadd(mhp)
- return -1;
- }
- msg = (struct sadb_msg *)mhp[0];
-+ pk_fixup_sa_addresses(mhp);
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
-@@ -1749,7 +1731,9 @@ pk_recvacquire(mhp)
- }
- msg = (struct sadb_msg *)mhp[0];
- xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
-- pk_fixup_sa_addresses(mhp);
-+ /* acquire does not have nat-t ports; so do not bother setting
-+ * the default port 500; just use the port zero for wildcard
-+ * matching the get a valid natted destination */
- sp_src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- sp_dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
-@@ -2884,8 +2868,8 @@ migrate_ph1_ike_addresses(iph1, arg)
- u_int16_t port;
-
- /* Already up-to-date? */
-- if (cmpsaddrwop(iph1->local, ma->local) == 0 &&
-- cmpsaddrwop(iph1->remote, ma->remote) == 0)
-+ if (cmpsaddr(iph1->local, ma->local) == 0 &&
-+ cmpsaddr(iph1->remote, ma->remote) == 0)
- return 0;
-
- if (iph1->status < PHASE1ST_ESTABLISHED) {
-@@ -2985,8 +2969,8 @@ migrate_ph2_ike_addresses(iph2, arg)
- migrate_ph1_ike_addresses(iph2->ph1, arg);
-
- /* Already up-to-date? */
-- if (CMPSADDR(iph2->src, ma->local) == 0 &&
-- CMPSADDR(iph2->dst, ma->remote) == 0)
-+ if (cmpsaddr(iph2->src, ma->local) == 0 &&
-+ cmpsaddr(iph2->dst, ma->remote) == 0)
- return 0;
-
- /* save src/dst as sa_src/sa_dst before rewriting */
-@@ -3206,8 +3190,8 @@ migrate_ph2_one_isr(spid, isr_cur, xisr_old, xisr_new)
- "changing address families (%d to %d) for endpoints.\n",
- osaddr->sa_family, nsaddr->sa_family);
-
-- if (CMPSADDR(osaddr, (struct sockaddr *)&saidx->src) ||
-- CMPSADDR(odaddr, (struct sockaddr *)&saidx->dst)) {
-+ if (cmpsaddr(osaddr, (struct sockaddr *) &saidx->src) ||
-+ cmpsaddr(odaddr, (struct sockaddr *) &saidx->dst)) {
- plog(LLV_DEBUG, LOCATION, NULL, "SADB_X_MIGRATE: "
- "mismatch of addresses in saidx and xisr.\n");
- return -1;
-diff --git a/src/racoon/policy.c b/src/racoon/policy.c
-index 850fa6b..058753f 100644
---- a/src/racoon/policy.c
-+++ b/src/racoon/policy.c
-@@ -141,16 +141,18 @@ getsp_r(spidx, iph2)
- saddr2str(iph2->src));
- plog(LLV_DEBUG, LOCATION, NULL, "src2: %s\n",
- saddr2str((struct sockaddr *)&spidx->src));
-- if (cmpsaddrwop(iph2->src, (struct sockaddr *)&spidx->src)
-- || spidx->prefs != prefixlen)
-+
-+ if (cmpsaddr(iph2->src, (struct sockaddr *) &spidx->src) ||
-+ spidx->prefs != prefixlen)
- return NULL;
-
- plog(LLV_DEBUG, LOCATION, NULL, "dst1: %s\n",
- saddr2str(iph2->dst));
- plog(LLV_DEBUG, LOCATION, NULL, "dst2: %s\n",
- saddr2str((struct sockaddr *)&spidx->dst));
-- if (cmpsaddrwop(iph2->dst, (struct sockaddr *)&spidx->dst)
-- || spidx->prefd != prefixlen)
-+
-+ if (cmpsaddr(iph2->dst, (struct sockaddr *) &spidx->dst) ||
-+ spidx->prefd != prefixlen)
- return NULL;
-
- plog(LLV_DEBUG, LOCATION, NULL, "looks to be transport mode\n");
-@@ -198,11 +200,11 @@ cmpspidxstrict(a, b)
- || a->ul_proto != b->ul_proto)
- return 1;
-
-- if (cmpsaddrstrict((struct sockaddr *)&a->src,
-- (struct sockaddr *)&b->src))
-+ if (cmpsaddr((struct sockaddr *) &a->src,
-+ (struct sockaddr *) &b->src))
- return 1;
-- if (cmpsaddrstrict((struct sockaddr *)&a->dst,
-- (struct sockaddr *)&b->dst))
-+ if (cmpsaddr((struct sockaddr *) &a->dst,
-+ (struct sockaddr *) &b->dst))
- return 1;
-
- #ifdef HAVE_SECCTX
-@@ -259,7 +261,7 @@ cmpspidxwild(a, b)
- a, b->prefs, saddr2str((struct sockaddr *)&sa1));
- plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
- b, b->prefs, saddr2str((struct sockaddr *)&sa2));
-- if (cmpsaddrwild((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
-+ if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
- return 1;
-
- #ifndef __linux__
-@@ -277,7 +279,7 @@ cmpspidxwild(a, b)
- a, b->prefd, saddr2str((struct sockaddr *)&sa1));
- plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
- b, b->prefd, saddr2str((struct sockaddr *)&sa2));
-- if (cmpsaddrwild((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
-+ if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
- return 1;
-
- #ifdef HAVE_SECCTX
-diff --git a/src/racoon/remoteconf.c b/src/racoon/remoteconf.c
-index 73d80bc..88c622c 100644
---- a/src/racoon/remoteconf.c
-+++ b/src/racoon/remoteconf.c
-@@ -200,15 +200,9 @@ rmconf_match_type(rmsel, rmconf)
- /* Check address */
- if (rmsel->remote != NULL) {
- if (rmconf->remote->sa_family != AF_UNSPEC) {
-- if (rmsel->flags & GETRMCONF_F_NO_PORTS) {
-- if (cmpsaddrwop(rmsel->remote,
-- rmconf->remote) != 0)
-- return 0;
-- } else {
-- if (cmpsaddrstrict(rmsel->remote,
-- rmconf->remote) != 0)
-- return 0;
-- }
-+ if (cmpsaddr(rmsel->remote, rmconf->remote) != 0)
-+ return 0;
-+
- /* Address matched */
- ret = 2;
- }
-@@ -262,7 +256,7 @@ void rmconf_selector_from_ph1(rmsel, iph1)
- struct ph1handle *iph1;
- {
- memset(rmsel, 0, sizeof(*rmsel));
-- rmsel->flags = GETRMCONF_F_NO_PORTS;
-+ rmsel->flags = 0;
- rmsel->remote = iph1->remote;
- rmsel->etype = iph1->etype;
- rmsel->approval = iph1->approval;
-@@ -357,22 +351,8 @@ getrmconf(remote, flags)
- int n = 0;
-
- memset(&ctx, 0, sizeof(ctx));
-- ctx.sel.flags = flags | GETRMCONF_F_NO_PORTS;
-+ ctx.sel.flags = flags;
- ctx.sel.remote = remote;
--#ifndef ENABLE_NATT
-- /*
-- * We never have ports set in our remote configurations, but when
-- * NAT-T is enabled, the kernel can have policies with ports and
-- * send us an acquire message for a destination that has a port set.
-- * If we do this port check here, we don't find the remote config.
-- *
-- * In an ideal world, we would be able to have remote conf with
-- * port, and the port could be a wildcard. That test could be used.
-- */
-- if (remote->sa_family != AF_UNSPEC &&
-- extract_port(remote) != IPSEC_PORT_ANY)
-- ctx.sel.flags &= ~GETRMCONF_F_NO_PORTS;
--#endif /* ENABLE_NATT */
-
- if (enumrmconf(&ctx.sel, rmconf_find, &ctx) != 0) {
- plog(LLV_ERROR, LOCATION, remote,
-diff --git a/src/racoon/remoteconf.h b/src/racoon/remoteconf.h
-index 38faf03..b2e9e4a 100644
---- a/src/racoon/remoteconf.h
-+++ b/src/racoon/remoteconf.h
-@@ -189,8 +189,7 @@ extern int enumrmconf __P((struct rmconfselector *rmsel,
- void *enum_arg));
-
- #define GETRMCONF_F_NO_ANONYMOUS 0x0001
--#define GETRMCONF_F_NO_PORTS 0x0002
--#define GETRMCONF_F_NO_PASSIVE 0x0004
-+#define GETRMCONF_F_NO_PASSIVE 0x0002
-
- #define RMCONF_ERR_MULTIPLE ((struct remoteconf *) -1)
-
-diff --git a/src/racoon/sockmisc.c b/src/racoon/sockmisc.c
-index 5c1f9c7..2bc2177 100644
---- a/src/racoon/sockmisc.c
-+++ b/src/racoon/sockmisc.c
-@@ -80,87 +77,28 @@
- const int niflags = 0;
-
- /*
-- * compare two sockaddr without port number.
-- * OUT: 0: equal.
-- * 1: not equal.
-- */
--int
--cmpsaddrwop(addr1, addr2)
-- const struct sockaddr *addr1;
-- const struct sockaddr *addr2;
--{
-- caddr_t sa1, sa2;
--
-- if (addr1 == 0 && addr2 == 0)
-- return 0;
-- if (addr1 == 0 || addr2 == 0)
-- return 1;
--
--#ifdef __linux__
-- if (addr1->sa_family != addr2->sa_family)
-- return 1;
--#else
-- if (addr1->sa_len != addr2->sa_len
-- || addr1->sa_family != addr2->sa_family)
-- return 1;
--
--#endif /* __linux__ */
--
-- switch (addr1->sa_family) {
-- case AF_UNSPEC:
-- break;
-- case AF_INET:
-- sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr;
-- sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
-- if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
-- return 1;
-- break;
--#ifdef INET6
-- case AF_INET6:
-- sa1 = (caddr_t)&((struct sockaddr_in6 *)addr1)->sin6_addr;
-- sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
-- if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
-- return 1;
-- if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
-- ((struct sockaddr_in6 *)addr2)->sin6_scope_id)
-- return 1;
-- break;
--#endif
-- default:
-- return 1;
-- }
--
-- return 0;
--}
--
--/*
- * compare two sockaddr with port, taking care wildcard.
- * addr1 is a subject address, addr2 is in a database entry.
- * OUT: 0: equal.
- * 1: not equal.
- */
- int
--cmpsaddrwild(addr1, addr2)
-+cmpsaddr(addr1, addr2)
- const struct sockaddr *addr1;
- const struct sockaddr *addr2;
- {
- caddr_t sa1, sa2;
- u_short port1, port2;
-
-- if (addr1 == 0 && addr2 == 0)
-- return 0;
-- if (addr1 == 0 || addr2 == 0)
-- return 1;
-+ if (addr1 == NULL && addr2 == NULL)
-+ return CMPSADDR_MATCH;
-
--#ifdef __linux__
-- if (addr1->sa_family != addr2->sa_family)
-- return 1;
--#else
-- if (addr1->sa_len != addr2->sa_len
-- || addr1->sa_family != addr2->sa_family)
-- return 1;
-+ if (addr1 == NULL || addr2 == NULL)
-+ return CMPSADDR_MISMATCH;
-
--#endif /* __linux__ */
-+ if (addr1->sa_family != addr2->sa_family ||
-+ sysdep_sa_len(addr1) != sysdep_sa_len(addr2))
-+ return CMPSADDR_MISMATCH;
-
- switch (addr1->sa_family) {
- case AF_UNSPEC:
-@@ -170,12 +108,8 @@ cmpsaddrwild(addr1, addr2)
- sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
- port1 = ((struct sockaddr_in *)addr1)->sin_port;
- port2 = ((struct sockaddr_in *)addr2)->sin_port;
-- if (!(port1 == IPSEC_PORT_ANY ||
-- port2 == IPSEC_PORT_ANY ||
-- port1 == port2))
-- return 1;
- if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
-- return 1;
-+ return CMPSADDR_MISMATCH;
- break;
- #ifdef INET6
- case AF_INET6:
-@@ -183,155 +117,23 @@ cmpsaddrwild(addr1, addr2)
- sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
- port1 = ((struct sockaddr_in6 *)addr1)->sin6_port;
- port2 = ((struct sockaddr_in6 *)addr2)->sin6_port;
-- if (!(port1 == IPSEC_PORT_ANY ||
-- port2 == IPSEC_PORT_ANY ||
-- port1 == port2))
-- return 1;
- if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
-- return 1;
-+ return CMPSADDR_MISMATCH;
- if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
- ((struct sockaddr_in6 *)addr2)->sin6_scope_id)
-- return 1;
-+ return CMPSADDR_MISMATCH;
- break;
- #endif
- default:
-- return 1;
-+ return CMPSADDR_MISMATCH;
- }
-
-- return 0;
--}
--
--/*
-- * compare two sockaddr with port, taking care specific situation:
-- * one addr has 0 as port, and the other has 500 (network order), return equal
-- * OUT: 0: equal.
-- * 1: not equal.
-- */
--int
--cmpsaddrmagic(addr1, addr2)
-- const struct sockaddr *addr1;
-- const struct sockaddr *addr2;
--{
-- caddr_t sa1, sa2;
-- u_short port1, port2;
--
-- if (addr1 == 0 && addr2 == 0)
-- return 0;
-- if (addr1 == 0 || addr2 == 0)
-- return 1;
--
--#ifdef __linux__
-- if (addr1->sa_family != addr2->sa_family)
-- return 1;
--#else
-- if (addr1->sa_len != addr2->sa_len
-- || addr1->sa_family != addr2->sa_family)
-- return 1;
-+ if (port1 == port2 ||
-+ port1 == IPSEC_PORT_ANY ||
-+ port2 == IPSEC_PORT_ANY)
-+ return CMPSADDR_MATCH;
-
--#endif /* __linux__ */
--
-- switch (addr1->sa_family) {
-- case AF_UNSPEC:
-- break;
-- case AF_INET:
-- sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr;
-- sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
-- port1 = ((struct sockaddr_in *)addr1)->sin_port;
-- port2 = ((struct sockaddr_in *)addr2)->sin_port;
-- plog(LLV_DEBUG, LOCATION, NULL, "cmpsaddr_magic: port1 == %d, port2 == %d\n", port1, port2);
-- if (!((port1 == IPSEC_PORT_ANY && port2 == ntohs(PORT_ISAKMP)) ||
-- (port2 == IPSEC_PORT_ANY && port1 == ntohs(PORT_ISAKMP)) ||
-- (port1 == port2))){
-- plog(LLV_DEBUG, LOCATION, NULL, "cmpsaddr_magic: ports mismatch\n");
-- return 1;
-- }
-- plog(LLV_DEBUG, LOCATION, NULL, "cmpsaddr_magic: ports matched\n");
-- if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
-- return 1;
-- break;
--#ifdef INET6
-- case AF_INET6:
-- sa1 = (caddr_t)&((struct sockaddr_in6 *)addr1)->sin6_addr;
-- sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
-- port1 = ((struct sockaddr_in6 *)addr1)->sin6_port;
-- port2 = ((struct sockaddr_in6 *)addr2)->sin6_port;
-- if (!((port1 == IPSEC_PORT_ANY && port2 == PORT_ISAKMP) ||
-- (port2 == IPSEC_PORT_ANY && port1 == PORT_ISAKMP) ||
-- (port1 == port2)))
-- return 1;
-- if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
-- return 1;
-- if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
-- ((struct sockaddr_in6 *)addr2)->sin6_scope_id)
-- return 1;
-- break;
--#endif
-- default:
-- return 1;
-- }
--
-- return 0;
--}
--
--/*
-- * compare two sockaddr with strict match on port.
-- * OUT: 0: equal.
-- * 1: not equal.
-- */
--int
--cmpsaddrstrict(addr1, addr2)
-- const struct sockaddr *addr1;
-- const struct sockaddr *addr2;
--{
-- caddr_t sa1, sa2;
-- u_short port1, port2;
--
-- if (addr1 == 0 && addr2 == 0)
-- return 0;
-- if (addr1 == 0 || addr2 == 0)
-- return 1;
--
--#ifdef __linux__
-- if (addr1->sa_family != addr2->sa_family)
-- return 1;
--#else
-- if (addr1->sa_len != addr2->sa_len
-- || addr1->sa_family != addr2->sa_family)
-- return 1;
--
--#endif /* __linux__ */
--
-- switch (addr1->sa_family) {
-- case AF_INET:
-- sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr;
-- sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
-- port1 = ((struct sockaddr_in *)addr1)->sin_port;
-- port2 = ((struct sockaddr_in *)addr2)->sin_port;
-- if (port1 != port2)
-- return 1;
-- if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
-- return 1;
-- break;
--#ifdef INET6
-- case AF_INET6:
-- sa1 = (caddr_t)&((struct sockaddr_in6 *)addr1)->sin6_addr;
-- sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
-- port1 = ((struct sockaddr_in6 *)addr1)->sin6_port;
-- port2 = ((struct sockaddr_in6 *)addr2)->sin6_port;
-- if (port1 != port2)
-- return 1;
-- if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
-- return 1;
-- if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
-- ((struct sockaddr_in6 *)addr2)->sin6_scope_id)
-- return 1;
-- break;
--#endif
-- default:
-- return 1;
-- }
--
-- return 0;
-+ return CMPSADDR_WOP_MATCH;
- }
-
- /* get local address against the destination. */
-@@ -1129,7 +931,7 @@ naddr_score(const struct netaddr *naddr, const struct sockaddr *saddr)
- free(a2);
- free(a3);
- }
-- if (cmpsaddrwop(&sa, &naddr->sa.sa) == 0)
-+ if (cmpsaddr(&sa, &naddr->sa.sa) == 0)
- return naddr->prefix + port_score;
-
- return -1;
-diff --git a/src/racoon/sockmisc.h b/src/racoon/sockmisc.h
-index fcc286f..0a58f44 100644
---- a/src/racoon/sockmisc.h
-+++ b/src/racoon/sockmisc.h
-@@ -54,16 +54,11 @@ struct netaddr {
-
- extern const int niflags;
-
--extern int cmpsaddrwop __P((const struct sockaddr *, const struct sockaddr *));
--extern int cmpsaddrwild __P((const struct sockaddr *, const struct sockaddr *));
--extern int cmpsaddrstrict __P((const struct sockaddr *, const struct sockaddr *));
--extern int cmpsaddrmagic __P((const struct sockaddr *, const struct sockaddr *));
--
--#ifdef ENABLE_NATT
--#define CMPSADDR(saddr1, saddr2) cmpsaddrstrict((saddr1), (saddr2))
--#else
--#define CMPSADDR(saddr1, saddr2) cmpsaddrwop((saddr1), (saddr2))
--#endif
-+#define CMPSADDR_MATCH 0
-+#define CMPSADDR_WOP_MATCH 1
-+#define CMPSADDR_MISMATCH 2
-+
-+extern int cmpsaddr __P((const struct sockaddr *, const struct sockaddr *));
-
- extern struct sockaddr *getlocaladdr __P((struct sockaddr *));
-
-diff --git a/src/racoon/throttle.c b/src/racoon/throttle.c
-index 5ab62c3..64b566b 100644
---- a/src/racoon/throttle.c
-+++ b/src/racoon/throttle.c
-@@ -104,7 +104,7 @@ restart:
- goto restart;
- }
-
-- if (cmpsaddrwop(addr, (struct sockaddr *)&te->host) == 0) {
-+ if (cmpsaddr(addr, (struct sockaddr *) &te->host) == 0) {
- found = 1;
- break;
- }
diff --git a/main/ipsec-tools/50-reverse-connect.patch b/main/ipsec-tools/50-reverse-connect.patch
index c49eae347..f29c3d509 100644
--- a/main/ipsec-tools/50-reverse-connect.patch
+++ b/main/ipsec-tools/50-reverse-connect.patch
@@ -125,9 +125,9 @@ index b33986f..9fd3817 100644
+ * to firewall or nat */
+ if (iph1->side == RESPONDER && p->side == INITIATOR &&
+ p->status < PHASE1ST_MSG3RECEIVED) {
++ /* Do not delete ph1, since if the node is not NATted,
++ * and we delete it we might get phase2's lost */
+ evt_list_move(&p->evt_listeners, &iph1->evt_listeners);
-+ remph1(p);
-+ delph1(p);
+ }
}
}
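Review bot: The new comment explains why `remph1(p)`/`delph1(p)` are no longer called, but not what now reclaims the older phase-1 handle `p` once its event listeners have been moved to `iph1`; presumably it is left to expire through its own lifetime handling, and the comment should say so, e.g. `/* p is left in the tree and expires by itself */`. Keeping both handles means the responder can hold two phase-1 handles for the same peer until that happens, which is worth a sentence in the patch description as well. The enclosing function starts outside the hunk.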
diff --git a/main/ipsec-tools/APKBUILD b/main/ipsec-tools/APKBUILD
index f7a78026f..db1d28bf1 100644
--- a/main/ipsec-tools/APKBUILD
+++ b/main/ipsec-tools/APKBUILD
@@ -1,8 +1,8 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=ipsec-tools
-pkgver=0.8_alpha20090422
-_myver=0.8-alpha20090422
-pkgrel=1
+pkgver=0.8_alpha20090820
+_myver=0.8-alpha20090820
+pkgrel=0
pkgdesc="User-space IPsec tools for various IPsec implementations"
url="http://ipsec-tools.sourceforge.net/"
license="BSD"
@@ -12,10 +12,7 @@ subpackages="$pkgname-doc $pkgname-dev"
source="http://downloads.sourceforge.net/$pkgname/$pkgname-$_myver.tar.gz
racoon.initd
racoon.confd
- 00-verify-cert-leak.patch
- 20-natoa-fix.patch
- 30-natt-ports-cleanup.patch
- 40-cmpsaddr-cleanup.patch
+ 10-rekey-ph1hint.patch
50-reverse-connect.patch
60-debug-quick.patch
"
@@ -48,12 +45,9 @@ build() {
install -D -m644 ../racoon.confd "$pkgdir"/etc/conf.d/racoon
}
-md5sums="8327401b5d1aa91e9c554d2cc536f823 ipsec-tools-0.8-alpha20090422.tar.gz
+md5sums="8b79f9e773043a47d636b4c6f59b84eb ipsec-tools-0.8-alpha20090820.tar.gz
fce62b52b598be268e27609f470f8e9b racoon.initd
2d00250cf72da7f2f559c91b65a48747 racoon.confd
-e0abf570c29519e8e36406dfc3bbe3c8 00-verify-cert-leak.patch
-2adb8796c75f62811b08c8370c75312c 20-natoa-fix.patch
-17b3f05426537afa1e94947c39b10163 30-natt-ports-cleanup.patch
-5fcaf5a01340132d4bfe55997bc5c60b 40-cmpsaddr-cleanup.patch
-91eb6da2726c4ed83df990f6908a7553 50-reverse-connect.patch
+4ee586cc6c6f1e0dd7a8bd9da0f5111d 10-rekey-ph1hint.patch
+13bda94a598aabf593280e04ea16065d 50-reverse-connect.patch
baa13d7f0f48955c792f7fcd42a8587a 60-debug-quick.patch"
diff --git a/main/nmap/APKBUILD b/main/nmap/APKBUILD
index bb0407876..363c2d47c 100644
--- a/main/nmap/APKBUILD
+++ b/main/nmap/APKBUILD
@@ -1,12 +1,12 @@
# Contributor: Leonardo Arena <rnalrd@gmail.com>
# Maintainer: Leonardo Arena <rnalrd@gmail.com>
pkgname=nmap
-pkgver=4.76
-pkgrel=2
+pkgver=5.00
+pkgrel=0
pkgdesc="A network exploration tool and security/port scanner"
url="http:/nmap.org"
license="custom:GPL"
-depends="pcre libpcap uclibc++ openssl lua"
+depends=
makedepends="uclibc++-dev libpcap-dev openssl-dev lua-dev"
install=
subpackages="$pkgname-doc $pkgname-nse"
@@ -22,7 +22,7 @@ build() {
patch -p1 < $i || return 1
done
- export CXX=g++-uc
+ export CXX=${CXX_UC:-g++-uc}
./configure --prefix=/usr \
--sysconfdir=/etc \
--mandir=/usr/share/man \
@@ -36,12 +36,14 @@ build() {
# install custom GPL2 license
install -D -m644 COPYING ${pkgdir}/usr/share/licenses/${pkgname}/LICENSE
}
-
+
nse() {
+ pkgdesc="nmap scripting engine"
mkdir -p "$subpkgdir"/usr/share/$pkgname
- mv "$pkgdir"/usr/share/$pkgname/nselib "$subpkgdir"/usr/share/$pkgname/
- mv "$pkgdir"/usr/share/$pkgname/scripts "$subpkgdir"/usr/share/$pkgname/
+ mv "$pkgdir"/usr/share/$pkgname/nselib \
+ "$pkgdir"/usr/share/$pkgname/scripts \
+ "$subpkgdir"/usr/share/$pkgname/
}
-md5sums="54b5c9e3f44c1adde17df68170eb7cfe nmap-4.76.tgz
+md5sums="6b5b28f421cae71fd2710c1247c8db66 nmap-5.00.tgz
507b0936aaafaeddebad309b0924de39 nmap-4.53-uclibc++-output.cc.patch"
diff --git a/main/perl-archive-zip/APKBUILD b/main/perl-archive-zip/APKBUILD
index 7e8d32019..6ec65c473 100644
--- a/main/perl-archive-zip/APKBUILD
+++ b/main/perl-archive-zip/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Leonardo Arena <rnalrd@gmail.com>
pkgname=perl-archive-zip
_realname=Archive-Zip
-pkgver=1.26
+pkgver=1.30
pkgrel=0
pkgdesc="Provide a perl interface to ZIP archive files."
url="http://search.cpan.org/dist/Archive-Zip/"
@@ -23,4 +23,4 @@ build() {
find "$pkgdir" -name perllocal.pod -delete
}
-md5sums="a2e1cc1d99dbaebc41421295c93f61b5 Archive-Zip-1.26.tar.gz"
+md5sums="40153666e7538b410e001aa8a810e702 Archive-Zip-1.30.tar.gz"
diff --git a/main/perl-html-parser/APKBUILD b/main/perl-html-parser/APKBUILD
index 5e374b94f..8a3c48f6e 100644
--- a/main/perl-html-parser/APKBUILD
+++ b/main/perl-html-parser/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Leonardo Arena <rnalrd@gmail.com>
pkgname=perl-html-parser
_realname=HTML-Parser
-pkgver=3.60
+pkgver=3.61
pkgrel=0
pkgdesc="Parse section of HTML documents"
url="http://search.cpan.org/~gaas/HTML-Parser-3.60/"
@@ -23,4 +23,4 @@ build() {
find "$pkgdir" -name perllocal.pod -delete
}
-md5sums="fb97ea7e5bd832b079d8660732f9d8d9 HTML-Parser-3.60.tar.gz"
+md5sums="098d9551721d29d55a0a4ad83a3ebef5 HTML-Parser-3.61.tar.gz"
diff --git a/main/sudo/APKBUILD b/main/sudo/APKBUILD
index 75fd70f3c..4a4ad4176 100644
--- a/main/sudo/APKBUILD
+++ b/main/sudo/APKBUILD
@@ -1,16 +1,17 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=sudo
-pkgver=1.7.2
+pkgver=1.7.2_p1
+_realver=1.7.2p1
pkgrel=0
pkgdesc="Give certain users the ability to run some commands as root"
url="http://www.sudo.ws/sudo/"
license='custom ISC'
depends=
-source="ftp://ftp.sudo.ws/pub/sudo/$pkgname-$pkgver.tar.gz"
+source="ftp://ftp.sudo.ws/pub/sudo/$pkgname-$_realver.tar.gz"
subpackages="$pkgname-doc"
build() {
- cd "$srcdir/$pkgname-$pkgver"
+ cd "$srcdir/$pkgname-$_realver"
./configure --prefix=/usr \
--with-env-editor \
@@ -22,4 +23,4 @@ build() {
make -j1 DESTDIR="$pkgdir" install || return 1
}
-md5sums="9caba8719c3e0f163880a05f02a48249 sudo-1.7.2.tar.gz"
+md5sums="4449d466a774f5ce401c9c0e3866c026 sudo-1.7.2p1.tar.gz"
diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD
index c580a84a3..4b3484651 100644
--- a/main/tiff/APKBUILD
+++ b/main/tiff/APKBUILD
@@ -2,17 +2,33 @@
# Maintainer: Michael Mason <ms13sp@gmail.com>
pkgname=tiff
pkgver=3.8.2
-pkgrel=0
+pkgrel=1
pkgdesc="Provides support for the Tag Image File Format or TIFF"
url="http://www.libtiff.org/"
license="GPL"
-depends="uclibc"
+depends=
subpackages="$pkgname-doc $pkgname-dev"
-source="ftp://ftp.remotesensing.org/pub/lib$pkgname/$pkgname-$pkgver.tar.gz"
+source="ftp://ftp.remotesensing.org/pub/lib$pkgname/$pkgname-$pkgver.tar.gz
+ CVE-2006-3459-3465.patch
+ libtiff-CVE-2009-2285.patch
+ tiff-3.8.2-CVE-2008-2327.patch
+ tiff-3.8.2-CVE-2009-2347.patch
+ tiff2pdf-compression.patch
+ tiff2pdf-octal-printf.patch
+ tiffsplit-fname-overflow.patch
+ "
build() {
cd "$srcdir/$pkgname-$pkgver"
+ patch -p1 < ../tiff2pdf-octal-printf.patch || return 1
+ patch -p1 < ../tiffsplit-fname-overflow.patch || return 1
+ patch -p1 < ../CVE-2006-3459-3465.patch || return 1
+ patch -p1 < ../tiff2pdf-compression.patch || return 1
+ patch -p1 < ../tiff-3.8.2-CVE-2008-2327.patch || return 1
+ patch -p1 < ../libtiff-CVE-2009-2285.patch || return 1
+ patch -p1 < ../tiff-3.8.2-CVE-2009-2347.patch || return 1
+
./configure --prefix=/usr \
--sysconfdir=/etc \
--mandir=/usr/share/man \
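Review bot: The seven `patch -p1 < ../X || return 1` lines in build() repeat the same statement; the nmap APKBUILD in this same merge applies its patches with a `for i in ...; do patch -p1 < $i || return 1; done` loop, and the same shape here would keep the list of patches in one place next to `source=`. The order in build() differs from the order in `source=`, which is harmless but deserves a comment if the ordering matters. Emptying `depends=` in the same hunk is unrelated to the security backport and makes the CVE fix harder to trace in history; a separate commit would be cleaner.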
@@ -23,4 +39,11 @@ build() {
}
-md5sums="fbb6f446ea4ed18955e2714934e5b698 tiff-3.8.2.tar.gz"
+md5sums="fbb6f446ea4ed18955e2714934e5b698 tiff-3.8.2.tar.gz
+624d3067e6a4c0680767eb62253ea980 CVE-2006-3459-3465.patch
+ff61077408727a82281f77a94f555e2a libtiff-CVE-2009-2285.patch
+c2c2e22557d9c63011df5777dda6a86b tiff-3.8.2-CVE-2008-2327.patch
+d3b02693cca83e63005b162edd43016b tiff-3.8.2-CVE-2009-2347.patch
+b443ffca9d498bb3a88c17da0200025b tiff2pdf-compression.patch
+d54368687d2645ffbbe6c2df384b11bf tiff2pdf-octal-printf.patch
+323352fd60a7bd3ffac8724c3c031669 tiffsplit-fname-overflow.patch"
diff --git a/main/tiff/CVE-2006-3459-3465.patch b/main/tiff/CVE-2006-3459-3465.patch
new file mode 100644
index 000000000..cb55b03e7
--- /dev/null
+++ b/main/tiff/CVE-2006-3459-3465.patch
@@ -0,0 +1,669 @@
+diff -ru tiff-3.8.2/libtiff/tif_dir.c tiff-3.8.2-goo/libtiff/tif_dir.c
+--- tiff-3.8.2/libtiff/tif_dir.c 2006-03-21 16:42:50.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_dir.c 2006-07-14 13:52:01.027562000 +0100
+@@ -122,6 +122,7 @@
+ {
+ static const char module[] = "_TIFFVSetField";
+
++ const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY);
+ TIFFDirectory* td = &tif->tif_dir;
+ int status = 1;
+ uint32 v32, i, v;
+@@ -195,10 +196,12 @@
+ break;
+ case TIFFTAG_ORIENTATION:
+ v = va_arg(ap, uint32);
++ const TIFFFieldInfo* fip;
+ if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) {
++ fip = _TIFFFieldWithTag(tif, tag);
+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
+ "Bad value %lu for \"%s\" tag ignored",
+- v, _TIFFFieldWithTag(tif, tag)->field_name);
++ v, fip ? fip->field_name : "Unknown");
+ } else
+ td->td_orientation = (uint16) v;
+ break;
+@@ -387,11 +390,15 @@
+ * happens, for example, when tiffcp is used to convert between
+ * compression schemes and codec-specific tags are blindly copied.
+ */
++ /*
++ * better not dereference fip if it is NULL.
++ * -- taviso@google.com 15 Jun 2006
++ */
+ if(fip == NULL || fip->field_bit != FIELD_CUSTOM) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "%s: Invalid %stag \"%s\" (not supported by codec)",
+ tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
+- _TIFFFieldWithTag(tif, tag)->field_name);
++ fip ? fip->field_name : "Unknown");
+ status = 0;
+ break;
+ }
+@@ -468,7 +475,7 @@
+ if (fip->field_type == TIFF_ASCII)
+ _TIFFsetString((char **)&tv->value, va_arg(ap, char *));
+ else {
+- tv->value = _TIFFmalloc(tv_size * tv->count);
++ tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value");
+ if (!tv->value) {
+ status = 0;
+ goto end;
+@@ -563,7 +570,7 @@
+ }
+ }
+ if (status) {
+- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
++ TIFFSetFieldBit(tif, fip->field_bit);
+ tif->tif_flags |= TIFF_DIRTYDIRECT;
+ }
+
+@@ -572,12 +579,12 @@
+ return (status);
+ badvalue:
+ TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"",
+- tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name);
++ tif->tif_name, v, fip ? fip->field_name : "Unknown");
+ va_end(ap);
+ return (0);
+ badvalue32:
+ TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"",
+- tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name);
++ tif->tif_name, v32, fip ? fip->field_name : "Unknown");
+ va_end(ap);
+ return (0);
+ }
+@@ -813,12 +820,16 @@
+ * If the client tries to get a tag that is not valid
+ * for the image's codec then we'll arrive here.
+ */
++ /*
++ * dont dereference fip if it's NULL.
++ * -- taviso@google.com 15 Jun 2006
++ */
+ if( fip == NULL || fip->field_bit != FIELD_CUSTOM )
+ {
+ TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField",
+ "%s: Invalid %stag \"%s\" (not supported by codec)",
+ tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
+- _TIFFFieldWithTag(tif, tag)->field_name);
++ fip ? fip->field_name : "Unknown");
+ ret_val = 0;
+ break;
+ }
+diff -ru tiff-3.8.2/libtiff/tif_dirinfo.c tiff-3.8.2-goo/libtiff/tif_dirinfo.c
+--- tiff-3.8.2/libtiff/tif_dirinfo.c 2006-02-07 13:51:03.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_dirinfo.c 2006-07-14 13:52:00.953558000 +0100
+@@ -775,7 +775,8 @@
+ TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag",
+ "Internal error, unknown tag 0x%x",
+ (unsigned int) tag);
+- assert(fip != NULL);
++ /* assert(fip != NULL); */
++
+ /*NOTREACHED*/
+ }
+ return (fip);
+@@ -789,7 +790,8 @@
+ if (!fip) {
+ TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName",
+ "Internal error, unknown tag %s", field_name);
+- assert(fip != NULL);
++ /* assert(fip != NULL); */
++
+ /*NOTREACHED*/
+ }
+ return (fip);
+diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c
+--- tiff-3.8.2/libtiff/tif_dirread.c 2006-03-21 16:42:50.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_dirread.c 2006-07-14 13:52:00.842557000 +0100
+@@ -29,6 +29,9 @@
+ *
+ * Directory Read Support Routines.
+ */
++
++#include <limits.h>
++
+ #include "tiffiop.h"
+
+ #define IGNORE 0 /* tag placeholder used below */
+@@ -81,6 +84,7 @@
+ uint16 dircount;
+ toff_t nextdiroff;
+ int diroutoforderwarning = 0;
++ int compressionknown = 0;
+ toff_t* new_dirlist;
+
+ tif->tif_diroff = tif->tif_nextdiroff;
+@@ -147,13 +151,20 @@
+ } else {
+ toff_t off = tif->tif_diroff;
+
+- if (off + sizeof (uint16) > tif->tif_size) {
+- TIFFErrorExt(tif->tif_clientdata, module,
+- "%s: Can not read TIFF directory count",
+- tif->tif_name);
+- return (0);
++ /*
++ * Check for integer overflow when validating the dir_off, otherwise
++ * a very high offset may cause an OOB read and crash the client.
++ * -- taviso@google.com, 14 Jun 2006.
++ */
++ if (off + sizeof (uint16) > tif->tif_size ||
++ off > (UINT_MAX - sizeof(uint16))) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "%s: Can not read TIFF directory count",
++ tif->tif_name);
++ return (0);
+ } else
+- _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16));
++ _TIFFmemcpy(&dircount, tif->tif_base + off,
++ sizeof (uint16));
+ off += sizeof (uint16);
+ if (tif->tif_flags & TIFF_SWAB)
+ TIFFSwabShort(&dircount);
+@@ -254,6 +265,7 @@
+ while (fix < tif->tif_nfields &&
+ tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
+ fix++;
++
+ if (fix >= tif->tif_nfields ||
+ tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) {
+
+@@ -264,17 +276,23 @@
+ dp->tdir_tag,
+ dp->tdir_tag,
+ dp->tdir_type);
+-
+- TIFFMergeFieldInfo(tif,
+- _TIFFCreateAnonFieldInfo(tif,
+- dp->tdir_tag,
+- (TIFFDataType) dp->tdir_type),
+- 1 );
++ /*
++ * creating anonymous fields prior to knowing the compression
++ * algorithm (ie, when the field info has been merged) could cause
++ * crashes with pathological directories.
++ * -- taviso@google.com 15 Jun 2006
++ */
++ if (compressionknown)
++ TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag,
++ (TIFFDataType) dp->tdir_type), 1 );
++ else goto ignore;
++
+ fix = 0;
+ while (fix < tif->tif_nfields &&
+ tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
+ fix++;
+ }
++
+ /*
+ * Null out old tags that we ignore.
+ */
+@@ -326,6 +344,7 @@
+ dp->tdir_type, dp->tdir_offset);
+ if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v))
+ goto bad;
++ else compressionknown++;
+ break;
+ /* XXX: workaround for broken TIFFs */
+ } else if (dp->tdir_type == TIFF_LONG) {
+@@ -540,6 +559,7 @@
+ * Attempt to deal with a missing StripByteCounts tag.
+ */
+ if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) {
++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
+ /*
+ * Some manufacturers violate the spec by not giving
+ * the size of the strips. In this case, assume there
+@@ -556,7 +576,7 @@
+ "%s: TIFF directory is missing required "
+ "\"%s\" field, calculating from imagelength",
+ tif->tif_name,
+- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
++ fip ? fip->field_name : "Unknown");
+ if (EstimateStripByteCounts(tif, dir, dircount) < 0)
+ goto bad;
+ /*
+@@ -580,6 +600,7 @@
+ } else if (td->td_nstrips == 1
+ && td->td_stripoffset[0] != 0
+ && BYTECOUNTLOOKSBAD) {
++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
+ /*
+ * XXX: Plexus (and others) sometimes give a value of zero for
+ * a tag when they don't know what the correct value is! Try
+@@ -589,13 +610,14 @@
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "%s: Bogus \"%s\" field, ignoring and calculating from imagelength",
+ tif->tif_name,
+- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
++ fip ? fip->field_name : "Unknown");
+ if(EstimateStripByteCounts(tif, dir, dircount) < 0)
+ goto bad;
+ } else if (td->td_planarconfig == PLANARCONFIG_CONTIG
+ && td->td_nstrips > 2
+ && td->td_compression == COMPRESSION_NONE
+ && td->td_stripbytecount[0] != td->td_stripbytecount[1]) {
++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
+ /*
+ * XXX: Some vendors fill StripByteCount array with absolutely
+ * wrong values (it can be equal to StripOffset array, for
+@@ -604,7 +626,7 @@
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "%s: Wrong \"%s\" field, ignoring and calculating from imagelength",
+ tif->tif_name,
+- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
++ fip ? fip->field_name : "Unknown");
+ if (EstimateStripByteCounts(tif, dir, dircount) < 0)
+ goto bad;
+ }
+@@ -870,7 +892,13 @@
+
+ register TIFFDirEntry *dp;
+ register TIFFDirectory *td = &tif->tif_dir;
+- uint16 i;
++
++ /* i is used to iterate over td->td_nstrips, so must be
++ * at least the same width.
++ * -- taviso@google.com 15 Jun 2006
++ */
++
++ uint32 i;
+
+ if (td->td_stripbytecount)
+ _TIFFfree(td->td_stripbytecount);
+@@ -947,16 +975,18 @@
+ static int
+ CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count)
+ {
++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
++
+ if (count > dir->tdir_count) {
+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
+ "incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored",
+- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
++ fip ? fip->field_name : "Unknown",
+ dir->tdir_count, count);
+ return (0);
+ } else if (count < dir->tdir_count) {
+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
+ "incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed",
+- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
++ fip ? fip->field_name : "Unknown",
+ dir->tdir_count, count);
+ return (1);
+ }
+@@ -970,6 +1000,7 @@
+ TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp)
+ {
+ int w = TIFFDataWidth((TIFFDataType) dir->tdir_type);
++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ tsize_t cc = dir->tdir_count * w;
+
+ /* Check for overflow. */
+@@ -1013,7 +1044,7 @@
+ bad:
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "Error fetching data for field \"%s\"",
+- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
++ fip ? fip->field_name : "Unknown");
+ return (tsize_t) 0;
+ }
+
+@@ -1039,10 +1070,12 @@
+ static int
+ cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv)
+ {
++ const TIFFFieldInfo* fip;
+ if (denom == 0) {
++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "%s: Rational with zero denominator (num = %lu)",
+- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num);
++ fip ? fip->field_name : "Unknown", num);
+ return (0);
+ } else {
+ if (dir->tdir_type == TIFF_RATIONAL)
+@@ -1159,6 +1192,20 @@
+ static int
+ TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir)
+ {
++ /*
++ * Prevent overflowing the v stack arrays below by performing a sanity
++ * check on tdir_count, this should never be greater than two.
++ * -- taviso@google.com 14 Jun 2006.
++ */
++ if (dir->tdir_count > 2) {
++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
++ TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
++ "unexpected count for field \"%s\", %lu, expected 2; ignored.",
++ fip ? fip->field_name : "Unknown",
++ dir->tdir_count);
++ return 0;
++ }
++
+ switch (dir->tdir_type) {
+ case TIFF_BYTE:
+ case TIFF_SBYTE:
+@@ -1329,14 +1376,15 @@
+ case TIFF_DOUBLE:
+ return (TIFFFetchDoubleArray(tif, dir, (double*) v));
+ default:
++ { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ /* TIFF_NOTYPE */
+ /* TIFF_ASCII */
+ /* TIFF_UNDEFINED */
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "cannot read TIFF_ANY type %d for field \"%s\"",
+ dir->tdir_type,
+- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+- return (0);
++ fip ? fip->field_name : "Unknown");
++ return (0); }
+ }
+ return (1);
+ }
+@@ -1351,6 +1399,9 @@
+ int ok = 0;
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag);
+
++ if (fip == NULL) {
++ return (0);
++ }
+ if (dp->tdir_count > 1) { /* array of values */
+ char* cp = NULL;
+
+@@ -1493,6 +1544,7 @@
+ TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl)
+ {
+ uint16 samples = tif->tif_dir.td_samplesperpixel;
++ const TIFFFieldInfo* fip;
+ int status = 0;
+
+ if (CheckDirCount(tif, dir, (uint32) samples)) {
+@@ -1510,9 +1562,10 @@
+
+ for (i = 1; i < check_count; i++)
+ if (v[i] != v[0]) {
++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "Cannot handle different per-sample values for field \"%s\"",
+- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
++ fip ? fip->field_name : "Unknown");
+ goto bad;
+ }
+ *pl = v[0];
+@@ -1534,6 +1587,7 @@
+ TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl)
+ {
+ uint16 samples = tif->tif_dir.td_samplesperpixel;
++ const TIFFFieldInfo* fip;
+ int status = 0;
+
+ if (CheckDirCount(tif, dir, (uint32) samples)) {
+@@ -1551,9 +1605,10 @@
+ check_count = samples;
+ for (i = 1; i < check_count; i++)
+ if (v[i] != v[0]) {
++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "Cannot handle different per-sample values for field \"%s\"",
+- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
++ fip ? fip->field_name : "Unknown");
+ goto bad;
+ }
+ *pl = v[0];
+@@ -1574,6 +1629,7 @@
+ TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl)
+ {
+ uint16 samples = tif->tif_dir.td_samplesperpixel;
++ const TIFFFieldInfo* fip;
+ int status = 0;
+
+ if (CheckDirCount(tif, dir, (uint32) samples)) {
+@@ -1591,9 +1647,10 @@
+
+ for (i = 1; i < check_count; i++)
+ if (v[i] != v[0]) {
++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "Cannot handle different per-sample values for field \"%s\"",
+- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
++ fip ? fip->field_name : "Unknown");
+ goto bad;
+ }
+ *pl = v[0];
+diff -ru tiff-3.8.2/libtiff/tif_fax3.c tiff-3.8.2-goo/libtiff/tif_fax3.c
+--- tiff-3.8.2/libtiff/tif_fax3.c 2006-03-21 16:42:50.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_fax3.c 2006-07-14 13:52:00.669557000 +0100
+@@ -1136,6 +1136,7 @@
+ Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
+ {
+ Fax3BaseState* sp = Fax3State(tif);
++ const TIFFFieldInfo* fip;
+
+ assert(sp != 0);
+ assert(sp->vsetparent != 0);
+@@ -1181,7 +1182,13 @@
+ default:
+ return (*sp->vsetparent)(tif, tag, ap);
+ }
+- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
++
++ if ((fip = _TIFFFieldWithTag(tif, tag))) {
++ TIFFSetFieldBit(tif, fip->field_bit);
++ } else {
++ return (0);
++ }
++
+ tif->tif_flags |= TIFF_DIRTYDIRECT;
+ return (1);
+ }
+diff -ru tiff-3.8.2/libtiff/tif_jpeg.c tiff-3.8.2-goo/libtiff/tif_jpeg.c
+--- tiff-3.8.2/libtiff/tif_jpeg.c 2006-03-21 16:42:50.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_jpeg.c 2006-07-14 13:52:00.655560000 +0100
+@@ -722,15 +722,31 @@
+ segment_width = TIFFhowmany(segment_width, sp->h_sampling);
+ segment_height = TIFFhowmany(segment_height, sp->v_sampling);
+ }
+- if (sp->cinfo.d.image_width != segment_width ||
+- sp->cinfo.d.image_height != segment_height) {
++ if (sp->cinfo.d.image_width < segment_width ||
++ sp->cinfo.d.image_height < segment_height) {
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "Improper JPEG strip/tile size, expected %dx%d, got %dx%d",
+ segment_width,
+ segment_height,
+ sp->cinfo.d.image_width,
+ sp->cinfo.d.image_height);
++ }
++
++ if (sp->cinfo.d.image_width > segment_width ||
++ sp->cinfo.d.image_height > segment_height) {
++ /*
++ * This case could be dangerous, if the strip or tile size has been
++ * reported as less than the amount of data jpeg will return, some
++ * potential security issues arise. Catch this case and error out.
++ * -- taviso@google.com 14 Jun 2006
++ */
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "JPEG strip/tile size exceeds expected dimensions,"
++ "expected %dx%d, got %dx%d", segment_width, segment_height,
++ sp->cinfo.d.image_width, sp->cinfo.d.image_height);
++ return (0);
+ }
++
+ if (sp->cinfo.d.num_components !=
+ (td->td_planarconfig == PLANARCONFIG_CONTIG ?
+ td->td_samplesperpixel : 1)) {
+@@ -761,6 +777,22 @@
+ sp->cinfo.d.comp_info[0].v_samp_factor,
+ sp->h_sampling, sp->v_sampling);
+
++ /*
++ * There are potential security issues here for decoders that
++ * have already allocated buffers based on the expected sampling
++ * factors. Lets check the sampling factors dont exceed what
++ * we were expecting.
++ * -- taviso@google.com 14 June 2006
++ */
++ if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling ||
++ sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Cannot honour JPEG sampling factors that"
++ " exceed those specified.");
++ return (0);
++ }
++
++
+ /*
+ * XXX: Files written by the Intergraph software
+ * has different sampling factors stored in the
+@@ -1521,15 +1553,18 @@
+ {
+ JPEGState *sp = JState(tif);
+
+- assert(sp != 0);
++ /* assert(sp != 0); */
+
+ tif->tif_tagmethods.vgetfield = sp->vgetparent;
+ tif->tif_tagmethods.vsetfield = sp->vsetparent;
+
+- if( sp->cinfo_initialized )
+- TIFFjpeg_destroy(sp); /* release libjpeg resources */
+- if (sp->jpegtables) /* tag value */
+- _TIFFfree(sp->jpegtables);
++ if (sp != NULL) {
++ if( sp->cinfo_initialized )
++ TIFFjpeg_destroy(sp); /* release libjpeg resources */
++ if (sp->jpegtables) /* tag value */
++ _TIFFfree(sp->jpegtables);
++ }
++
+ _TIFFfree(tif->tif_data); /* release local state */
+ tif->tif_data = NULL;
+
+@@ -1541,6 +1576,7 @@
+ {
+ JPEGState* sp = JState(tif);
+ TIFFDirectory* td = &tif->tif_dir;
++ const TIFFFieldInfo* fip;
+ uint32 v32;
+
+ assert(sp != NULL);
+@@ -1606,7 +1642,13 @@
+ default:
+ return (*sp->vsetparent)(tif, tag, ap);
+ }
+- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
++
++ if ((fip = _TIFFFieldWithTag(tif, tag))) {
++ TIFFSetFieldBit(tif, fip->field_bit);
++ } else {
++ return (0);
++ }
++
+ tif->tif_flags |= TIFF_DIRTYDIRECT;
+ return (1);
+ }
+@@ -1726,7 +1768,11 @@
+ {
+ JPEGState* sp = JState(tif);
+
+- assert(sp != NULL);
++ /* assert(sp != NULL); */
++ if (sp == NULL) {
++ TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState");
++ return;
++ }
+
+ (void) flags;
+ if (TIFFFieldSet(tif,FIELD_JPEGTABLES))
+diff -ru tiff-3.8.2/libtiff/tif_next.c tiff-3.8.2-goo/libtiff/tif_next.c
+--- tiff-3.8.2/libtiff/tif_next.c 2005-12-21 12:33:56.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_next.c 2006-07-14 13:52:00.556567000 +0100
+@@ -105,11 +105,16 @@
+ * as codes of the form <color><npixels>
+ * until we've filled the scanline.
+ */
++ /*
++ * Ensure the run does not exceed the scanline
++ * bounds, potentially resulting in a security issue.
++ * -- taviso@google.com 14 Jun 2006.
++ */
+ op = row;
+ for (;;) {
+ grey = (n>>6) & 0x3;
+ n &= 0x3f;
+- while (n-- > 0)
++ while (n-- > 0 && npixels < imagewidth)
+ SETPIXEL(op, grey);
+ if (npixels >= (int) imagewidth)
+ break;
+diff -ru tiff-3.8.2/libtiff/tif_pixarlog.c tiff-3.8.2-goo/libtiff/tif_pixarlog.c
+--- tiff-3.8.2/libtiff/tif_pixarlog.c 2006-03-21 16:42:50.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_pixarlog.c 2006-07-14 13:52:00.483557000 +0100
+@@ -768,7 +768,19 @@
+ if (tif->tif_flags & TIFF_SWAB)
+ TIFFSwabArrayOfShort(up, nsamples);
+
+- for (i = 0; i < nsamples; i += llen, up += llen) {
++ /*
++ * if llen is not an exact multiple of nsamples, the decode operation
++ * may overflow the output buffer, so truncate it enough to prevent that
++ * but still salvage as much data as possible.
++ * -- taviso@google.com 14th June 2006
++ */
++ if (nsamples % llen)
++ TIFFWarningExt(tif->tif_clientdata, module,
++ "%s: stride %lu is not a multiple of sample count, "
++ "%lu, data truncated.", tif->tif_name, llen, nsamples);
++
++
++ for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) {
+ switch (sp->user_datafmt) {
+ case PIXARLOGDATAFMT_FLOAT:
+ horizontalAccumulateF(up, llen, sp->stride,
+diff -ru tiff-3.8.2/libtiff/tif_read.c tiff-3.8.2-goo/libtiff/tif_read.c
+--- tiff-3.8.2/libtiff/tif_read.c 2005-12-21 12:33:56.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_read.c 2006-07-14 13:52:00.467568000 +0100
+@@ -31,6 +31,8 @@
+ #include "tiffiop.h"
+ #include <stdio.h>
+
++#include <limits.h>
++
+ int TIFFFillStrip(TIFF*, tstrip_t);
+ int TIFFFillTile(TIFF*, ttile_t);
+ static int TIFFStartStrip(TIFF*, tstrip_t);
+@@ -272,7 +274,13 @@
+ if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
+ _TIFFfree(tif->tif_rawdata);
+ tif->tif_flags &= ~TIFF_MYBUFFER;
+- if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) {
++ /*
++ * This sanity check could potentially overflow, causing an OOB read.
++ * verify that offset + bytecount is > offset.
++ * -- taviso@google.com 14 Jun 2006
++ */
++ if ( td->td_stripoffset[strip] + bytecount > tif->tif_size ||
++ bytecount > (UINT_MAX - td->td_stripoffset[strip])) {
+ /*
+ * This error message might seem strange, but it's
+ * what would happen if a read were done instead.
+@@ -470,7 +478,13 @@
+ if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
+ _TIFFfree(tif->tif_rawdata);
+ tif->tif_flags &= ~TIFF_MYBUFFER;
+- if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) {
++ /*
++ * We must check this calculation doesnt overflow, potentially
++ * causing an OOB read.
++ * -- taviso@google.com 15 Jun 2006
++ */
++ if (td->td_stripoffset[tile] + bytecount > tif->tif_size ||
++ bytecount > (UINT_MAX - td->td_stripoffset[tile])) {
+ tif->tif_curtile = NOTILE;
+ return (0);
+ }
diff --git a/main/tiff/libtiff-CVE-2009-2285.patch b/main/tiff/libtiff-CVE-2009-2285.patch
new file mode 100644
index 000000000..435a84b53
--- /dev/null
+++ b/main/tiff/libtiff-CVE-2009-2285.patch
@@ -0,0 +1,22 @@
+Index: tiff-3.8.2/libtiff/tif_lzw.c
+===================================================================
+--- tiff-3.8.2.orig/libtiff/tif_lzw.c
++++ tiff-3.8.2/libtiff/tif_lzw.c
+@@ -421,7 +421,7 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize
+ NextCode(tif, sp, bp, code, GetNextCode);
+ if (code == CODE_EOI)
+ break;
+- if (code == CODE_CLEAR) {
++ if (code >= CODE_CLEAR) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "LZWDecode: Corrupted LZW table at scanline %d",
+ tif->tif_row);
+@@ -624,7 +624,7 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0,
+ NextCode(tif, sp, bp, code, GetNextCodeCompat);
+ if (code == CODE_EOI)
+ break;
+- if (code == CODE_CLEAR) {
++ if (code >= CODE_CLEAR) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "LZWDecode: Corrupted LZW table at scanline %d",
+ tif->tif_row);
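Review bot: Both `>=` comparisons edit the `if (code == CODE_CLEAR)` guards that tiff-3.8.2-CVE-2008-2327.patch adds in this same commit, so this patch only applies cleanly after that one; the APKBUILD that orders them is not in view, so the dependency should be pinned there or the two folded into one file. The widening itself is right: directly after a CLEAR the entries from CODE_FIRST up have just been reset (EOI is already handled on the line above), so any code in that range would index an empty table slot. A one-line header such as `CVE-2009-2285: reject any code >= CODE_CLEAR directly after a CLEAR; applies on top of tiff-3.8.2-CVE-2008-2327.patch.` would record both the CVE and the ordering.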
diff --git a/main/tiff/tiff-3.8.2-CVE-2008-2327.patch b/main/tiff/tiff-3.8.2-CVE-2008-2327.patch
new file mode 100644
index 000000000..e6d74a67a
--- /dev/null
+++ b/main/tiff/tiff-3.8.2-CVE-2008-2327.patch
@@ -0,0 +1,64 @@
+Fixes security issues in libTIFF's handling of LZW-encoded
+images. The use of uninitialized data could lead to a buffer
+underflow and a crash or arbitrary code execution.
+
+CVE-ID: CVE-2008-2327
+Security bug: https://bugs.gentoo.org/show_bug.cgi?id=234080
+
+Index: tiff-3.8.2/libtiff/tif_lzw.c
+===================================================================
+--- tiff-3.8.2.orig/libtiff/tif_lzw.c
++++ tiff-3.8.2/libtiff/tif_lzw.c
+@@ -237,6 +237,12 @@ LZWSetupDecode(TIFF* tif)
+ sp->dec_codetab[code].length = 1;
+ sp->dec_codetab[code].next = NULL;
+ } while (code--);
++ /*
++ * Zero-out the unused entries
++ */
++ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,
++ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t));
++
+ }
+ return (1);
+ }
+@@ -408,12 +414,19 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize
+ break;
+ if (code == CODE_CLEAR) {
+ free_entp = sp->dec_codetab + CODE_FIRST;
++ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
+ nbits = BITS_MIN;
+ nbitsmask = MAXCODE(BITS_MIN);
+ maxcodep = sp->dec_codetab + nbitsmask-1;
+ NextCode(tif, sp, bp, code, GetNextCode);
+ if (code == CODE_EOI)
+ break;
++ if (code == CODE_CLEAR) {
++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
++ "LZWDecode: Corrupted LZW table at scanline %d",
++ tif->tif_row);
++ return (0);
++ }
+ *op++ = (char)code, occ--;
+ oldcodep = sp->dec_codetab + code;
+ continue;
+@@ -604,12 +617,19 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0,
+ break;
+ if (code == CODE_CLEAR) {
+ free_entp = sp->dec_codetab + CODE_FIRST;
++ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
+ nbits = BITS_MIN;
+ nbitsmask = MAXCODE(BITS_MIN);
+ maxcodep = sp->dec_codetab + nbitsmask;
+ NextCode(tif, sp, bp, code, GetNextCodeCompat);
+ if (code == CODE_EOI)
+ break;
++ if (code == CODE_CLEAR) {
++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
++ "LZWDecode: Corrupted LZW table at scanline %d",
++ tif->tif_row);
++ return (0);
++ }
+ *op++ = code, occ--;
+ oldcodep = sp->dec_codetab + code;
+ continue;
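Review bot: The memset added to LZWSetupDecode zeroes only the two slots CODE_CLEAR and CODE_EOI; entries from CODE_FIRST to CSIZE are cleared solely by the new memset inside the `if (code == CODE_CLEAR)` branches, i.e. only once a CLEAR code has actually been decoded. A stream that does not start with CODE_CLEAR therefore still decodes against whatever the allocator left in `dec_codetab[CODE_FIRST..CSIZE)` — the allocation is outside the hunk, but the patch header itself describes the bug as use of uninitialized data. Clearing the whole upper range at setup closes that path at no cost: `_TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0, (CSIZE-CODE_CLEAR)*sizeof (code_t));`, keeping the per-CLEAR memset for the entries filled in since. Whether a missing leading CLEAR is rejected elsewhere before the table is used is not visible here.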
diff --git a/main/tiff/tiff-3.8.2-CVE-2009-2347.patch b/main/tiff/tiff-3.8.2-CVE-2009-2347.patch
new file mode 100644
index 000000000..039d7336a
--- /dev/null
+++ b/main/tiff/tiff-3.8.2-CVE-2009-2347.patch
@@ -0,0 +1,170 @@
+Fix several places in tiff2rgba and rgb2ycbcr that were being careless about
+possible integer overflow in calculation of buffer sizes.
+
+CVE-2009-2347
+
+
+diff -Naur tiff-3.8.2.orig/tools/rgb2ycbcr.c tiff-3.8.2/tools/rgb2ycbcr.c
+--- tiff-3.8.2.orig/tools/rgb2ycbcr.c 2004-09-03 03:57:13.000000000 -0400
++++ tiff-3.8.2/tools/rgb2ycbcr.c 2009-07-10 17:12:32.000000000 -0400
+@@ -202,6 +202,17 @@
+ #undef LumaBlue
+ #undef V2Code
+
++static tsize_t
++multiply(tsize_t m1, tsize_t m2)
++{
++ tsize_t prod = m1 * m2;
++
++ if (m1 && prod / m1 != m2)
++ prod = 0; /* overflow */
++
++ return prod;
++}
++
+ /*
+ * Convert a strip of RGB data to YCbCr and
+ * sample to generate the output data.
+@@ -278,10 +289,19 @@
+ float floatv;
+ char *stringv;
+ uint32 longv;
++ tsize_t raster_size;
+
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+ TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
++
++ raster_size = multiply(multiply(width, height), sizeof (uint32));
++ if (!raster_size) {
++ TIFFError(TIFFFileName(in),
++ "Can't allocate buffer for raster of size %lux%lu",
++ (unsigned long) width, (unsigned long) height);
++ return (0);
++ }
++ raster = (uint32*)_TIFFmalloc(raster_size);
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in), "No space for raster buffer");
+ return (0);
+diff -Naur tiff-3.8.2.orig/tools/tiff2rgba.c tiff-3.8.2/tools/tiff2rgba.c
+--- tiff-3.8.2.orig/tools/tiff2rgba.c 2004-11-07 06:08:37.000000000 -0500
++++ tiff-3.8.2/tools/tiff2rgba.c 2009-07-10 17:06:42.000000000 -0400
+@@ -124,6 +124,17 @@
+ return (0);
+ }
+
++static tsize_t
++multiply(tsize_t m1, tsize_t m2)
++{
++ tsize_t prod = m1 * m2;
++
++ if (m1 && prod / m1 != m2)
++ prod = 0; /* overflow */
++
++ return prod;
++}
++
+ static int
+ cvt_by_tile( TIFF *in, TIFF *out )
+
+@@ -133,6 +144,7 @@
+ uint32 tile_width, tile_height;
+ uint32 row, col;
+ uint32 *wrk_line;
++ tsize_t raster_size;
+ int ok = 1;
+
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+@@ -150,7 +162,14 @@
+ /*
+ * Allocate tile buffer
+ */
+- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
++ raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32));
++ if (!raster_size) {
++ TIFFError(TIFFFileName(in),
++ "Can't allocate buffer for raster of size %lux%lu",
++ (unsigned long) tile_width, (unsigned long) tile_height);
++ return (0);
++ }
++ raster = (uint32*)_TIFFmalloc(raster_size);
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in), "No space for raster buffer");
+ return (0);
+@@ -158,7 +177,7 @@
+
+ /*
+ * Allocate a scanline buffer for swapping during the vertical
+- * mirroring pass.
++ * mirroring pass. (Request can't overflow given prior checks.)
+ */
+ wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
+ if (!wrk_line) {
+@@ -226,6 +245,7 @@
+ uint32 width, height; /* image width & height */
+ uint32 row;
+ uint32 *wrk_line;
++ tsize_t raster_size;
+ int ok = 1;
+
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+@@ -241,7 +261,14 @@
+ /*
+ * Allocate strip buffer
+ */
+- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
++ raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32));
++ if (!raster_size) {
++ TIFFError(TIFFFileName(in),
++ "Can't allocate buffer for raster of size %lux%lu",
++ (unsigned long) width, (unsigned long) rowsperstrip);
++ return (0);
++ }
++ raster = (uint32*)_TIFFmalloc(raster_size);
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in), "No space for raster buffer");
+ return (0);
+@@ -249,7 +276,7 @@
+
+ /*
+ * Allocate a scanline buffer for swapping during the vertical
+- * mirroring pass.
++ * mirroring pass. (Request can't overflow given prior checks.)
+ */
+ wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
+ if (!wrk_line) {
+@@ -328,14 +355,22 @@
+ uint32* raster; /* retrieve RGBA image */
+ uint32 width, height; /* image width & height */
+ uint32 row;
+-
++ tsize_t raster_size;
++
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+ TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+
+ rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
+ TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
+
+- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
++ raster_size = multiply(multiply(width, height), sizeof (uint32));
++ if (!raster_size) {
++ TIFFError(TIFFFileName(in),
++ "Can't allocate buffer for raster of size %lux%lu",
++ (unsigned long) width, (unsigned long) height);
++ return (0);
++ }
++ raster = (uint32*)_TIFFmalloc(raster_size);
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in), "No space for raster buffer");
+ return (0);
+@@ -353,7 +388,7 @@
+ */
+ if( no_alpha )
+ {
+- int pixel_count = width * height;
++ tsize_t pixel_count = (tsize_t) width * (tsize_t) height;
+ unsigned char *src, *dst;
+
+ src = (unsigned char *) raster;
+
diff --git a/main/tiff/tiff2pdf-compression.patch b/main/tiff/tiff2pdf-compression.patch
new file mode 100644
index 000000000..2dae2dcd1
--- /dev/null
+++ b/main/tiff/tiff2pdf-compression.patch
@@ -0,0 +1,44 @@
+--- tiff-3.8.2/tools/tiff2pdf.c 8 Jun 2006 11:27:11 -0000 1.35
++++ tiff-3.8.2/tools/tiff2pdf.c 19 Jun 2006 20:12:08 -0000 1.36
+@@ -937,7 +937,7 @@
+
+ #ifdef JPEG_SUPPORT
+ if(t2p->pdf_defaultcompression==T2P_COMPRESS_JPEG){
+- if(t2p->pdf_defaultcompressionquality<100 ||
++ if(t2p->pdf_defaultcompressionquality>100 ||
+ t2p->pdf_defaultcompressionquality<1){
+ t2p->pdf_defaultcompressionquality=0;
+ }
+@@ -945,25 +945,17 @@
+ #endif
+ #ifdef ZIP_SUPPORT
+ if(t2p->pdf_defaultcompression==T2P_COMPRESS_ZIP){
+- switch (t2p->pdf_defaultcompressionquality){
+- case 1: case 10: case 11: case 12: case 13: case 14: case 15:
+- case 101: case 110: case 111: case 112: case 113: case 114: case 115:
+- case 201: case 210: case 211: case 212: case 213: case 214: case 215:
+- case 301: case 310: case 311: case 312: case 313: case 314: case 315:
+- case 401: case 410: case 411: case 412: case 413: case 414: case 415:
+- case 501: case 510: case 511: case 512: case 513: case 514: case 515:
+- case 601: case 610: case 611: case 612: case 613: case 614: case 615:
+- case 701: case 710: case 711: case 712: case 713: case 714: case 715:
+- case 801: case 810: case 811: case 812: case 813: case 814: case 815:
+- case 901: case 910: case 911: case 912: case 913: case 914: case 915:
+- break;
+- default:
+- t2p->pdf_defaultcompressionquality=0;
++ uint16 m=t2p->pdf_defaultcompressionquality%100;
++ if(t2p->pdf_defaultcompressionquality/100 > 9 ||
++ (m>1 && m<10) || m>15){
++ t2p->pdf_defaultcompressionquality=0;
+ }
+ if(t2p->pdf_defaultcompressionquality%100 !=0){
++ t2p->pdf_defaultcompressionquality/=100;
++ t2p->pdf_defaultcompressionquality*=100;
+ TIFFError(
+ TIFF2PDF_MODULE,
+- "PNG Group predictor differencing not implemented, assuming compresion quality %u",
++ "PNG Group predictor differencing not implemented, assuming compression quality %u",
+ t2p->pdf_defaultcompressionquality);
+ }
+ t2p->pdf_defaultcompressionquality%=100;
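Review bot: After the new `/=100; *=100` rounding the TIFFError message reports the hundreds value (300 for an input of 315), but the unchanged `t2p->pdf_defaultcompressionquality%=100;` on the hunk's last line then reduces that same field to 0, so the quality the user is told is "assumed" is not what the field ends up holding; the code after the hunk is not visible, so confirm whether the zlib level is copied elsewhere before that line. Separately, this patch file has no header, unlike the CVE patches in the same commit; a first line such as `Upstream tools/tiff2pdf.c 1.35 -> 1.36: fix the inverted JPEG quality range check (<100 should be >100) and replace the ZIP quality switch with range arithmetic.` would record its provenance and intent.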
diff --git a/main/tiff/tiff2pdf-octal-printf.patch b/main/tiff/tiff2pdf-octal-printf.patch
new file mode 100644
index 000000000..f35b07237
--- /dev/null
+++ b/main/tiff/tiff2pdf-octal-printf.patch
@@ -0,0 +1,11 @@
+--- tiff-3.8.2/tools/tiff2pdf.c.orig 2006-03-21 11:42:51.000000000 -0500
++++ tiff-3.8.2/tools/tiff2pdf.c 2006-06-07 17:54:01.027637232 -0400
+@@ -3668,7 +3668,7 @@
+ written += TIFFWriteFile(output, (tdata_t) "(", 1);
+ for (i=0;i<len;i++){
+ if((pdfstr[i]&0x80) || (pdfstr[i]==127) || (pdfstr[i]<32)){
+- sprintf(buffer, "\\%.3o", pdfstr[i]);
++ sprintf(buffer, "\\%.3hho", pdfstr[i]);
+ written += TIFFWriteFile(output, (tdata_t) buffer, 4);
+ } else {
+ switch (pdfstr[i]){
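Review bot: `%.3hho` depends on the C99 `hh` length modifier, which some C runtimes ignore; if `pdfstr` is a plain `char` array (signed on most ABIs) and `hh` is not honoured, a byte with the high bit set — exactly the `& 0x80` case this branch exists for — is printed as a sign-extended 11-digit octal number, `sprintf` runs past a small `buffer`, and `TIFFWriteFile(output, buffer, 4)` still emits four bytes of the wrong text. Casting the argument gives the same three-digit result on every compiler: `sprintf(buffer, "\\%.3o", (unsigned char)pdfstr[i]);`. The declarations of `buffer` and `pdfstr` are outside the hunk, so the overflow part of this is inferred from the fixed 4-byte write.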
diff --git a/main/tiff/tiffsplit-fname-overflow.patch b/main/tiff/tiffsplit-fname-overflow.patch
new file mode 100644
index 000000000..cc225890a
--- /dev/null
+++ b/main/tiff/tiffsplit-fname-overflow.patch
@@ -0,0 +1,19 @@
+--- tiff-3.8.2/tools/tiffsplit.c.orig 2005-12-07 04:48:33.000000000 -0500
++++ tiff-3.8.2/tools/tiffsplit.c 2006-06-01 21:20:25.039944864 -0400
+@@ -61,14 +61,13 @@
+ return (-3);
+ }
+ if (argc > 2)
+- strcpy(fname, argv[2]);
++ snprintf(fname, sizeof(fname), "%s", argv[2]);
+ in = TIFFOpen(argv[1], "r");
+ if (in != NULL) {
+ do {
+ char path[1024+1];
+ newfilename();
+- strcpy(path, fname);
+- strcat(path, ".tif");
++ snprintf(path, sizeof(path), "%s.tif", fname);
+ out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl");
+ if (out == NULL)
+ return (-2);
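Review bot: `snprintf` stops the overflow but truncates silently: a prefix longer than `fname` is cut, and when `fname` is nearly full the `.tif` suffix is dropped from `path`, so output files are quietly created under a different name. Check the return values and fail the way the argument check just above does: `if (snprintf(fname, sizeof(fname), "%s", argv[2]) >= (int)sizeof(fname)) return (-3);` and likewise `>= (int)sizeof(path)` for the second call. `newfilename()` is outside the hunk and presumably advances `fname` in place, so its own bounds rely on the prefix sitting well inside `fname`'s declared size.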
diff --git a/main/uclibc++/001-path_to_make.patch b/main/uclibc++/001-path_to_make.patch
new file mode 100644
index 000000000..840dac326
--- /dev/null
+++ b/main/uclibc++/001-path_to_make.patch
@@ -0,0 +1,30 @@
+diff -ur old/Makefile dev/Makefile
+--- old/Makefile Sat Oct 14 17:49:55 2006
++++ dev/Makefile Sat Oct 14 17:50:18 2006
+@@ -1,4 +1,3 @@
+-MAKE = make
+ SUBDIRS = bin include src
+
+ # User defines:
+@@ -43,10 +42,10 @@
+ #Menu configuration system
+
+ extra/config/conf:
+- make -C extra/config conf
++ $(MAKE) -C extra/config conf
+
+ extra/config/mconf:
+- make -C extra/config ncurses mconf
++ $(MAKE) -C extra/config ncurses mconf
+
+ menuconfig: extra/config/mconf
+ @./extra/config/mconf extra/Configs/Config.in
+@@ -71,7 +70,7 @@
+
+ include/system_configuration.h: .config
+ @if [ ! -x ./extra/config/conf ] ; then \
+- make -C extra/config conf; \
++ $(MAKE) -C extra/config conf; \
+ fi;
+ @./extra/config/conf -o extra/Configs/Config.in
+
diff --git a/main/uclibc++/002-no_bash.patch b/main/uclibc++/002-no_bash.patch
new file mode 100644
index 000000000..69b2275a5
--- /dev/null
+++ b/main/uclibc++/002-no_bash.patch
@@ -0,0 +1,12 @@
+diff -ur old/bin/Makefile dev/bin/Makefile
+--- old/bin/Makefile Sat Oct 14 17:49:54 2006
++++ dev/bin/Makefile Sat Oct 14 17:57:33 2006
+@@ -13,7 +13,7 @@
+ $(INSTALL) -m 755 $(WRAPPER) $(PREFIX)$(UCLIBCXX_RUNTIME_BINDIR)
+
+ $(WRAPPER):
+- echo "#!/bin/bash" > $(WRAPPER)
++ echo "#!/bin/sh" > $(WRAPPER)
+ echo "" >> $(WRAPPER)
+ echo 'WRAPPER_INCLUDEDIR="$${WRAPPER_INCLUDEDIR:=-I$(UCLIBCXX_RUNTIME_INCLUDEDIR)}"' >> $(WRAPPER)
+ echo 'WRAPPER_LIBDIR="$${WRAPPER_LIBDIR:=-L$(UCLIBCXX_RUNTIME_LIBDIR)}"' >> $(WRAPPER)
diff --git a/main/uclibc++/003-cp_command.patch b/main/uclibc++/003-cp_command.patch
new file mode 100644
index 000000000..53d0ed7af
--- /dev/null
+++ b/main/uclibc++/003-cp_command.patch
@@ -0,0 +1,19 @@
+diff -ur old/src/Makefile dev/src/Makefile
+--- old/src/Makefile Sat Oct 14 17:49:54 2006
++++ dev/src/Makefile Sat Oct 14 18:02:30 2006
+@@ -25,12 +25,14 @@
+
+ all: libgcc_eh libsupc $(EXOBJS) $(ALLBIN)
+
++CP = cp -fPR
++
+ install:
+ $(INSTALL) -d $(PREFIX)$(UCLIBCXX_RUNTIME_LIBDIR)
+ ifneq ($(BUILD_ONLY_STATIC_LIB),y)
+ $(INSTALL) -m 755 $(SHARED_FULLNAME) \
+ $(PREFIX)$(UCLIBCXX_RUNTIME_LIBDIR)
+- cp -fa $(SHARED_MAJORNAME) $(LIBNAME).so $(PREFIX)$(UCLIBCXX_RUNTIME_LIBDIR)
++ $(CP) $(SHARED_MAJORNAME) $(LIBNAME).so $(PREFIX)$(UCLIBCXX_RUNTIME_LIBDIR)
+ endif
+ ifeq ($(BUILD_STATIC_LIB),y)
+ $(INSTALL) -m 644 $(LIBNAME).a $(PREFIX)$(UCLIBCXX_RUNTIME_LIBDIR)
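Review bot: `CP = cp -fPR` is introduced between the `all:` rule and the `install:` recipe with a plain `=`, so a packaging or cross environment cannot override it the way it presumably can `$(INSTALL)`; define it next to the other tool variables as `CP ?= cp -fPR`. Replacing `-a` with `-fPR` also drops `-p`, which only matters if `$(SHARED_MAJORNAME)` or `$(LIBNAME).so` is a regular file rather than a symlink — both are produced outside the hunk.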
diff --git a/main/uclibc++/004-ccache_fixes.patch b/main/uclibc++/004-ccache_fixes.patch
new file mode 100644
index 000000000..10ceb792b
--- /dev/null
+++ b/main/uclibc++/004-ccache_fixes.patch
@@ -0,0 +1,24 @@
+diff -ruN uClibc++-0.2.2-old/src/abi/libgcc_eh/Makefile uClibc++-0.2.2-new/src/abi/libgcc_eh/Makefile
+--- uClibc++-0.2.2-old/src/abi/libgcc_eh/Makefile 2007-06-04 00:51:13.000000000 +0200
++++ uClibc++-0.2.2-new/src/abi/libgcc_eh/Makefile 2007-09-03 21:51:07.000000000 +0200
+@@ -16,7 +16,7 @@
+ #
+ #else
+ # echo Binary
+- $(AR) x $(shell CC=$(CC) $(TOPDIR)/scripts/find_libgcc_eh.sh)
++ $(AR) x $(shell CC="$(CC)" $(TOPDIR)/scripts/find_libgcc_eh.sh)
+ #endif
+ #endif
+
+diff -ruN uClibc++-0.2.2-old/src/abi/libsupc/Makefile uClibc++-0.2.2-new/src/abi/libsupc/Makefile
+--- uClibc++-0.2.2-old/src/abi/libsupc/Makefile 2007-06-04 00:51:13.000000000 +0200
++++ uClibc++-0.2.2-new/src/abi/libsupc/Makefile 2007-09-03 21:51:17.000000000 +0200
+@@ -14,7 +14,7 @@
+ #
+ #else
+ # echo Binary
+- $(AR) x $(shell CC=$(CC) $(TOPDIR)/scripts/find_libsupc.sh)
++ $(AR) x $(shell CC="$(CC)" $(TOPDIR)/scripts/find_libsupc.sh)
+ $(RM) -f new_op*.o del_op*.o pure.o new_handler.o eh_alloc.o eh_globals.o
+ #
+ #endif
diff --git a/main/uclibc++/005-wrapper.patch b/main/uclibc++/005-wrapper.patch
new file mode 100644
index 000000000..b526a901f
--- /dev/null
+++ b/main/uclibc++/005-wrapper.patch
@@ -0,0 +1,12 @@
+diff -ruN uClibc++-0.2.2-old/bin/Makefile uClibc++-0.2.2-new/bin/Makefile
+--- uClibc++-0.2.2-old/bin/Makefile 2007-09-23 13:46:10.000000000 +0200
++++ uClibc++-0.2.2-new/bin/Makefile 2007-09-23 13:47:03.000000000 +0200
+@@ -25,7 +25,7 @@
+ echo 'while [ -n "$$1" ]' >> $(WRAPPER)
+ echo 'do' >> $(WRAPPER)
+ echo ' WRAPPER_OPTIONS="$$WRAPPER_OPTIONS $$1"' >> $(WRAPPER)
+- echo ' if [ "$$1" = "-c" -o "$$1" = "-E" -o "$$1" = "-S" ]' >> $(WRAPPER)
++ echo ' if [ "$$1" = "-c" -o "$$1" = "-E" -o "$$1" = "-S" -o "$$1" = "-MF" ]' >> $(WRAPPER)
+ echo ' then' >> $(WRAPPER)
+ echo ' WRAPPER_INCLIB="N"' >> $(WRAPPER)
+ echo ' fi' >> $(WRAPPER)
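Review bot: `-MF` does not suppress linking — it only names the dependency file — so treating it like `-c`/`-E`/`-S` makes a combined compile-and-link invocation such as `g++ -MD -MF a.d a.cpp -o a` skip the runtime libraries and fail at link time. The options that actually turn the run into preprocessing only are `-M` and `-MM` (they imply `-E`); match those instead: `echo ' if [ "$$1" = "-c" -o "$$1" = "-E" -o "$$1" = "-S" -o "$$1" = "-M" -o "$$1" = "-MM" ]' >> $(WRAPPER)`. The generated loop that consumes `$$1` continues outside the hunk.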
diff --git a/main/uclibc++/006-eabi_fix.patch b/main/uclibc++/006-eabi_fix.patch
new file mode 100644
index 000000000..bc970a716
--- /dev/null
+++ b/main/uclibc++/006-eabi_fix.patch
@@ -0,0 +1,42 @@
+Index: uClibc++-0.2.2/include/typeinfo
+===================================================================
+--- uClibc++-0.2.2.orig/include/typeinfo 2008-02-13 00:37:04.000000000 +0100
++++ uClibc++-0.2.2/include/typeinfo 2008-02-13 00:37:34.000000000 +0100
+@@ -44,6 +44,7 @@
+ class __class_type_info;
+ } // namespace __cxxabiv1
+
++#ifndef __GXX_MERGED_TYPEINFO_NAMES
+ #if !__GXX_WEAK__
+ // If weak symbols are not supported, typeinfo names are not merged.
+ #define __GXX_MERGED_TYPEINFO_NAMES 0
+@@ -51,6 +52,7 @@
+ // On platforms that support weak symbols, typeinfo names are merged.
+ #define __GXX_MERGED_TYPEINFO_NAMES 1
+ #endif
++#endif
+
+ namespace std
+ {
+Index: uClibc++-0.2.2/include/unwind-cxx.h
+===================================================================
+--- uClibc++-0.2.2.orig/include/unwind-cxx.h 2008-02-13 00:38:04.000000000 +0100
++++ uClibc++-0.2.2/include/unwind-cxx.h 2008-02-13 00:40:32.000000000 +0100
+@@ -135,6 +135,7 @@
+
+ // This is the exception class we report -- "GNUCC++\0".
+ const _Unwind_Exception_Class __gxx_exception_class
++#ifndef __ARM_EABI_UNWINDER__
+ = ((((((((_Unwind_Exception_Class) 'G'
+ << 8 | (_Unwind_Exception_Class) 'N')
+ << 8 | (_Unwind_Exception_Class) 'U')
+@@ -143,6 +144,9 @@
+ << 8 | (_Unwind_Exception_Class) '+')
+ << 8 | (_Unwind_Exception_Class) '+')
+ << 8 | (_Unwind_Exception_Class) '\0');
++#else
++= "GNUC++";
++#endif
+
+ // GNU C++ personality routine, Version 0.
+ extern "C" _Unwind_Reason_Code __gxx_personality_v0
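Review bot: The EABI initializer `= "GNUC++";` spells a different class than both the integer form it replaces and the comment above it (`"GNUCC++\0"`): it is missing the second `C`, so the 8-byte class becomes `GNUC++\0\0`. The exception class is what a personality routine uses to recognise its own exceptions, so if any part of the runtime compares against GCC's `GNUCC++\0` — the libsupc/libgcc_eh objects this commit's 004 patch extracts from the toolchain are candidates — C++ exceptions thrown with this constant would be treated as foreign on ARM EABI. Use `= "GNUCC++";`, which with its terminator fills the 8-byte class exactly and matches the non-EABI value.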
diff --git a/main/uclibc++/007-numeric_limits.patch b/main/uclibc++/007-numeric_limits.patch
new file mode 100644
index 000000000..1ed7d6c6e
--- /dev/null
+++ b/main/uclibc++/007-numeric_limits.patch
@@ -0,0 +1,66 @@
+Index: uClibc++-0.2.2/include/limits
+===================================================================
+--- uClibc++-0.2.2/include/limits (revision 1877)
++++ uClibc++-0.2.2/include/limits (revision 1878)
+@@ -143,6 +143,53 @@
+ static T signaling_NaN();
+ };
+
++template <> class numeric_limits<bool> {
++public:
++ typedef bool T;
++ // General -- meaningful for all specializations.
++ static const bool is_specialized = true;
++ static T min(){
++ return false;
++ }
++ static T max(){
++ return true;
++ }
++ static const int radix = 2;
++ static const int digits = 1;
++ static const int digits10 = 0;
++ static const bool is_signed = false;
++ static const bool is_integer = true;
++ static const bool is_exact = true;
++ static const bool traps = false;
++ static const bool is_modulo = false;
++ static const bool is_bounded = true;
++
++ // Floating point specific.
++
++ static T epsilon(){
++ return 0;
++ }
++ static T round_error(){
++ return 0;
++ }
++ static const int min_exponent10 = 0;
++ static const int max_exponent10 = 0;
++ static const int min_exponent = 0;
++
++ static const int max_exponent = 0;
++ static const bool has_infinity = false;
++ static const bool has_quiet_NaN = false;
++ static const bool has_signaling_NaN = false;
++ static const bool is_iec559 = false;
++ static const bool has_denorm = false;
++ static const bool tinyness_before = false;
++ static const float_round_style round_style = round_indeterminate;
++ static T denorm_min();
++ static T infinity();
++ static T quiet_NaN();
++ static T signaling_NaN();
++};
++
+ template <> class numeric_limits<unsigned char> {
+ public:
+ typedef unsigned char T;
+@@ -567,6 +614,7 @@
+ };
+
+ template <> class numeric_limits<double> {
++public:
+ typedef double numeric_type;
+
+ static const bool is_specialized = true;
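Review bot: `numeric_limits<bool>` declares `denorm_min()`, `infinity()`, `quiet_NaN()` and `signaling_NaN()` but, unlike `min()`/`max()`, gives them no body, so any instantiation that calls them fails at link time. The primary template above does the same, so this may be the file's convention; for `bool` the required result is `false` and inline bodies such as `static T denorm_min(){ return false; }` (and likewise for the other three) cost nothing. The `public:` added to `numeric_limits<double>` is a separate, correct fix — without it every member of that `class` specialization was private.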
diff --git a/main/uclibc++/008-integer_width.patch b/main/uclibc++/008-integer_width.patch
new file mode 100644
index 000000000..c467e6011
--- /dev/null
+++ b/main/uclibc++/008-integer_width.patch
@@ -0,0 +1,314 @@
+Index: uClibc++-0.2.2/include/ostream
+===================================================================
+--- uClibc++-0.2.2/include/ostream (revision 708)
++++ uClibc++-0.2.2/include/ostream (revision 709)
+@@ -129,6 +129,18 @@
+ return *this;
+ }
+
++ _UCXXEXPORT void printout(const char_type* s, streamsize n)
++ {
++ int extra = ios::width() - n;
++ if ((ios::flags()&ios::adjustfield) == ios::right)
++ while (extra-- > 0)
++ put(ios::fill());
++ write(s, n);
++ if ((ios::flags()&ios::adjustfield) == ios::left)
++ while (extra-- > 0)
++ put(ios::fill());
++ }
++
+ protected:
+ basic_ostream(const basic_ostream<charT,traits> &){ }
+ basic_ostream<charT,traits> & operator=(const basic_ostream<charT,traits> &){ return *this; }
+@@ -142,15 +154,15 @@
+ sentry s(*this);
+ if( basic_ios<charT,traits>::flags() & ios_base::boolalpha){
+ if(n){
+- write("true", 4);
++ printout("true", 4);
+ }else{
+- write("false", 5);
++ printout("false", 5);
+ }
+ }else{
+ if(n){
+- write("1", 1);
++ printout("1", 1);
+ }else{
+- write("0", 1);
++ printout("0", 1);
+ }
+ }
+ if(basic_ios<charT,traits>::flags() & ios_base::unitbuf){
+@@ -219,7 +231,7 @@
+ template <class charT, class traits> _UCXXEXPORT basic_ostream<charT,traits>& basic_ostream<charT, traits>::operator<<(void* p){
+ sentry s(*this);
+ char buffer[20];
+- write(buffer, snprintf(buffer, 20, "%p", p) );
++ printout(buffer, snprintf(buffer, 20, "%p", p) );
+ if(basic_ios<charT,traits>::flags() & ios_base::unitbuf){
+ flush();
+ }
+@@ -356,7 +368,7 @@
+ operator<<(basic_ostream<charT,traits>& out, const charT* c)
+ {
+ typename basic_ostream<charT,traits>::sentry s(out);
+- out.write(c, traits::length(c) );
++ out.printout(c, traits::length(c) );
+ return out;
+ }
+
+@@ -364,7 +376,7 @@
+ operator<<(basic_ostream<charT,traits>& out, const char* c)
+ {
+ typename basic_ostream<charT,traits>::sentry s(out);
+- out.write(c, char_traits<char>::length(c) );
++ out.printout(c, char_traits<char>::length(c) );
+ return out;
+ }
+
+@@ -373,7 +385,7 @@
+ operator<<(basic_ostream<char,traits>& out, const char* c)
+ {
+ typename basic_ostream<char,traits>::sentry s(out);
+- out.write(c, traits::length(c));
++ out.printout(c, traits::length(c));
+ return out;
+ }
+
+@@ -389,7 +401,7 @@
+ temp[i] = out.widen(c[i]);
+ }
+
+- out.write(temp, numChars);
++ out.printout(temp, numChars);
+ return out;
+ }
+ #endif
+@@ -399,7 +411,7 @@
+ operator<<(basic_ostream<char,traits>& out, const signed char* c)
+ {
+ typename basic_ostream<char,traits>::sentry s(out);
+- out.write(reinterpret_cast<const char *>(c), traits::length( reinterpret_cast<const char *>(c)));
++ out.printout(reinterpret_cast<const char *>(c), traits::length( reinterpret_cast<const char *>(c)));
+ return out;
+ }
+
+@@ -407,7 +419,7 @@
+ operator<<(basic_ostream<char,traits>& out, const unsigned char* c)
+ {
+ typename basic_ostream<char,traits>::sentry s(out);
+- out.write(reinterpret_cast<const char *>(c), traits::length( reinterpret_cast<const char *>(c)));
++ out.printout(reinterpret_cast<const char *>(c), traits::length( reinterpret_cast<const char *>(c)));
+ return out;
+ }
+
+Index: uClibc++-0.2.2/include/ostream_helpers
+===================================================================
+--- uClibc++-0.2.2/include/ostream_helpers (revision 708)
++++ uClibc++-0.2.2/include/ostream_helpers (revision 709)
+@@ -88,7 +88,7 @@
+ }
+ }
+
+- stream.write(buffer, snprintf(buffer, 20, formatString, n) );
++ stream.printout(buffer, snprintf(buffer, 20, formatString, n) );
+
+ if(stream.flags() & ios_base::unitbuf){
+ stream.flush();
+@@ -135,7 +135,7 @@
+ }
+ }
+
+- stream.write(buffer, snprintf(buffer, 20, formatString, n));
++ stream.printout(buffer, snprintf(buffer, 20, formatString, n));
+ if(stream.flags() & ios_base::unitbuf){
+ stream.flush();
+ }
+@@ -182,7 +182,7 @@
+ }
+ }
+
+- stream.write(buffer, snprintf(buffer, 27, formatString, n) );
++ stream.printout(buffer, snprintf(buffer, 27, formatString, n) );
+
+ if(stream.flags() & ios_base::unitbuf){
+ stream.flush();
+@@ -228,7 +228,7 @@
+ }
+ }
+
+- stream.write(buffer, snprintf(buffer, 27, formatString, n) );
++ stream.printout(buffer, snprintf(buffer, 27, formatString, n) );
+
+ if(stream.flags() & ios_base::unitbuf){
+ stream.flush();
+@@ -256,7 +256,7 @@
+ } else {
+ length = snprintf(buffer, 32, "%*.*g",static_cast<int>(stream.width()),static_cast<int>(stream.precision()), f);
+ }
+- stream.write(buffer, length);
++ stream.printout(buffer, length);
+ if(stream.flags() & ios_base::unitbuf){
+ stream.flush();
+ }
+@@ -280,7 +280,7 @@
+ } else {
+ length = snprintf(buffer, 32, "%*.*Lg", static_cast<int>(stream.width()), static_cast<int>(stream.precision()), f);
+ }
+- stream.write(buffer, length);
++ stream.printout(buffer, length);
+ if(stream.flags() & ios_base::unitbuf){
+ stream.flush();
+ }
+@@ -295,25 +295,25 @@
+ {
+ wchar_t buffer[20];
+ if( stream.flags() & ios_base::dec){
+- stream.write(buffer, swprintf(buffer, 20, L"%ld", n));
++ stream.printout(buffer, swprintf(buffer, 20, L"%ld", n));
+ }else if( stream.flags() & ios_base::oct){
+ if( stream.flags() & ios_base::showbase){
+- stream.write(buffer, swprintf(buffer, 20, L"%#lo", n));
++ stream.printout(buffer, swprintf(buffer, 20, L"%#lo", n));
+ }else{
+- stream.write(buffer, swprintf(buffer, 20, L"%lo", n) );
++ stream.printout(buffer, swprintf(buffer, 20, L"%lo", n) );
+ }
+ }else if (stream.flags() & ios_base::hex){
+ if(stream.flags() & ios_base::showbase){
+ if(stream.flags() & ios_base::uppercase){
+- stream.write(buffer, swprintf(buffer, 20, L"%#lX", n) );
++ stream.printout(buffer, swprintf(buffer, 20, L"%#lX", n) );
+ }else{
+- stream.write(buffer, swprintf(buffer, 20, L"%#lx", n) );
++ stream.printout(buffer, swprintf(buffer, 20, L"%#lx", n) );
+ }
+ }else{
+ if(stream.flags() & ios_base::uppercase){
+- stream.write(buffer, swprintf(buffer, 20, L"%lX", n) );
++ stream.printout(buffer, swprintf(buffer, 20, L"%lX", n) );
+ }else{
+- stream.write(buffer, swprintf(buffer, 20, L"%lx", n) );
++ stream.printout(buffer, swprintf(buffer, 20, L"%lx", n) );
+ }
+ }
+ }
+@@ -329,25 +329,25 @@
+ {
+ wchar_t buffer[20];
+ if( stream.flags() & ios_base::dec){
+- stream.write(buffer, swprintf(buffer, 20, L"%lu", n));
++ stream.printout(buffer, swprintf(buffer, 20, L"%lu", n));
+ }else if( stream.flags() & ios_base::oct){
+ if( stream.flags() & ios_base::showbase){
+- stream.write(buffer, swprintf(buffer, 20, L"%#lo", n));
++ stream.printout(buffer, swprintf(buffer, 20, L"%#lo", n));
+ }else{
+- stream.write(buffer, swprintf(buffer, 20, L"%lo", n) );
++ stream.printout(buffer, swprintf(buffer, 20, L"%lo", n) );
+ }
+ }else if (stream.flags() & ios_base::hex){
+ if(stream.flags() & ios_base::showbase){
+ if(stream.flags() & ios_base::uppercase){
+- stream.write(buffer, swprintf(buffer, 20, L"%#lX", n) );
++ stream.printout(buffer, swprintf(buffer, 20, L"%#lX", n) );
+ }else{
+- stream.write(buffer, swprintf(buffer, 20, L"%#lx", n) );
++ stream.printout(buffer, swprintf(buffer, 20, L"%#lx", n) );
+ }
+ }else{
+ if(stream.flags() & ios_base::uppercase){
+- stream.write(buffer, swprintf(buffer, 20, L"%lX", n) );
++ stream.printout(buffer, swprintf(buffer, 20, L"%lX", n) );
+ }else{
+- stream.write(buffer, swprintf(buffer, 20, L"%lx", n) );
++ stream.printout(buffer, swprintf(buffer, 20, L"%lx", n) );
+ }
+ }
+ }
+@@ -365,25 +365,25 @@
+ {
+ wchar_t buffer[28];
+ if( stream.flags() & ios_base::dec){
+- stream.write(buffer, swprintf(buffer, 27, L"%lld", n));
++ stream.printout(buffer, swprintf(buffer, 27, L"%lld", n));
+ }else if( stream.flags() & ios_base::oct){
+ if( stream.flags() & ios_base::showbase){
+- stream.write(buffer, swprintf(buffer, 27, L"%#llo", n));
++ stream.printout(buffer, swprintf(buffer, 27, L"%#llo", n));
+ }else{
+- stream.write(buffer, swprintf(buffer, 27, L"%llo", n) );
++ stream.printout(buffer, swprintf(buffer, 27, L"%llo", n) );
+ }
+ }else if (stream.flags() & ios_base::hex){
+ if(stream.flags() & ios_base::showbase){
+ if(stream.flags() & ios_base::uppercase){
+- stream.write(buffer, swprintf(buffer, 27, L"%#llX", n) );
++ stream.printout(buffer, swprintf(buffer, 27, L"%#llX", n) );
+ }else{
+- stream.write(buffer, swprintf(buffer, 27, L"%#llx", n) );
++ stream.printout(buffer, swprintf(buffer, 27, L"%#llx", n) );
+ }
+ }else{
+ if(stream.flags() & ios_base::uppercase){
+- stream.write(buffer, swprintf(buffer, 27, L"%llX", n) );
++ stream.printout(buffer, swprintf(buffer, 27, L"%llX", n) );
+ }else{
+- stream.write(buffer, swprintf(buffer, 27, L"%llx", n) );
++ stream.printout(buffer, swprintf(buffer, 27, L"%llx", n) );
+ }
+ }
+ }
+@@ -399,25 +399,25 @@
+ {
+ wchar_t buffer[28];
+ if( stream.flags() & ios_base::dec){
+- stream.write(buffer, swprintf(buffer, 27, L"%llu", n));
++ stream.printout(buffer, swprintf(buffer, 27, L"%llu", n));
+ }else if( stream.flags() & ios_base::oct){
+ if( stream.flags() & ios_base::showbase){
+- stream.write(buffer, swprintf(buffer, 27, L"%#llo", n));
++ stream.printout(buffer, swprintf(buffer, 27, L"%#llo", n));
+ }else{
+- stream.write(buffer, swprintf(buffer, 27, L"%llo", n) );
++ stream.printout(buffer, swprintf(buffer, 27, L"%llo", n) );
+ }
+ }else if (stream.flags() & ios_base::hex){
+ if(stream.flags() & ios_base::showbase){
+ if(stream.flags() & ios_base::uppercase){
+- stream.write(buffer, swprintf(buffer, 27, L"%#llX", n) );
++ stream.printout(buffer, swprintf(buffer, 27, L"%#llX", n) );
+ }else{
+- stream.write(buffer, swprintf(buffer, 27, L"%#llx", n) );
++ stream.printout(buffer, swprintf(buffer, 27, L"%#llx", n) );
+ }
+ }else{
+ if(stream.flags() & ios_base::uppercase){
+- stream.write(buffer, swprintf(buffer, 27, L"%llX", n) );
++ stream.printout(buffer, swprintf(buffer, 27, L"%llX", n) );
+ }else{
+- stream.write(buffer, swprintf(buffer, 27, L"%llx", n) );
++ stream.printout(buffer, swprintf(buffer, 27, L"%llx", n) );
+ }
+ }
+ }
+@@ -447,7 +447,7 @@
+ } else {
+ swprintf(format_string, 32, L"%%%u.%ug", static_cast<int>(stream.width()), static_cast<unsigned int>(stream.precision()));
+ }
+- stream.write(buffer, swprintf(buffer, 32, format_string, f) );
++ stream.printout(buffer, swprintf(buffer, 32, format_string, f) );
+ if(stream.flags() & ios_base::unitbuf){
+ stream.flush();
+ }
+@@ -471,7 +471,7 @@
+ } else {
+ swprintf(format_string, 32, L"%%%u.%uLg", static_cast<unsigned int>(stream.width()), static_cast<unsigned int>(stream.precision()));
+ }
+- stream.write(buffer, swprintf(buffer, 32, format_string, f) );
++ stream.printout(buffer, swprintf(buffer, 32, format_string, f) );
+ if(stream.flags() & ios_base::unitbuf){
+ stream.flush();
+ }
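Review bot: `printout` pads only when adjustfield compares equal to `ios::right` or to `ios::left`, so with adjustfield left unset (the default for a fresh stream) no padding is emitted at all, whereas the standard treats an unset adjustfield as right-adjustment; unless uClibc++ initialises flags with `ios::right` — not visible here — `setw()` on an untouched stream would have no effect. Changing the first test to `if ((ios::flags()&ios::adjustfield) != ios::left)` gives the standard default. The function also never resets the field width: the standard calls `width(0)` after each formatted insertion, and if no other path does this a width set once would apply to every later `printout`; an `ios::width(0);` before the closing brace would fix that, assuming no caller relies on the current behaviour. `int extra = ios::width() - n;` narrows `streamsize` to `int`; declaring `extra` as `streamsize` avoids the conversion.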
diff --git a/main/uclibc++/900-dependent_exception.patch b/main/uclibc++/900-dependent_exception.patch
new file mode 100644
index 000000000..3a5cb7dbc
--- /dev/null
+++ b/main/uclibc++/900-dependent_exception.patch
@@ -0,0 +1,68 @@
+--- a/src/eh_alloc.cpp 2007-06-03 23:51:13.000000000 +0100
++++ b/src/eh_alloc.cpp 2009-07-13 09:42:39.000000000 +0100
+@@ -42,4 +42,21 @@
+ free( (char *)(vptr) - sizeof(__cxa_exception) );
+ }
+
++#if __GNUC__ * 100 + __GNUC_MINOR__ >= 404
++extern "C" __cxa_dependent_exception* __cxa_allocate_dependent_exception() throw(){
++ __cxa_dependent_exception *retval;
++
++ retval = static_cast<__cxa_dependent_exception*>(malloc(sizeof(__cxa_dependent_exception)));
++ if(0 == retval){
++ std::terminate();
++ }
++ memset (retval, 0, sizeof(__cxa_dependent_exception));
++ return retval ;
++}
++
++extern "C" void __cxa_free_dependent_exception(__cxa_dependent_exception *vptr) throw(){
++ free( vptr );
++}
++#endif
++
+ }
+--- a/include/unwind-cxx.h 2009-07-13 10:01:11.000000000 +0100
++++ b/include/unwind-cxx.h 2009-07-13 10:14:08.000000000 +0100
+@@ -79,6 +79,41 @@
+ _Unwind_Exception unwindHeader;
+ };
+
++#if __GNUC__ * 100 + __GNUC_MINOR__ >= 404
++// A dependent C++ exception object consists of a wrapper around an unwind
++// object header with additional C++ specific information, containing a pointer
++// to a primary exception object.
++
++struct __cxa_dependent_exception
++{
++ // The primary exception this thing depends on.
++ void *primaryException;
++
++ // The C++ standard has entertaining rules wrt calling set_terminate
++ // and set_unexpected in the middle of the exception cleanup process.
++ std::unexpected_handler unexpectedHandler;
++ std::terminate_handler terminateHandler;
++
++ // The caught exception stack threads through here.
++ __cxa_exception *nextException;
++
++ // How many nested handlers have caught this exception. A negated
++ // value is a signal that this object has been rethrown.
++ int handlerCount;
++
++ // Cache parsed handler data from the personality routine Phase 1
++ // for Phase 2 and __cxa_call_unexpected.
++ int handlerSwitchValue;
++ const unsigned char *actionRecord;
++ const unsigned char *languageSpecificData;
++ _Unwind_Ptr catchTemp;
++ void *adjustedPtr;
++
++ // The generic exception header. Must be last.
++ _Unwind_Exception unwindHeader;
++};
++
++#endif
+ // Each thread in a C++ program has access to a __cxa_eh_globals object.
+ struct __cxa_eh_globals
+ {
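Review bot: `__cxa_allocate_dependent_exception` does a `malloc` immediately followed by a `memset` to zero; `calloc(1, sizeof(__cxa_dependent_exception))` does both in one call and leaves the `std::terminate()` path unchanged. The `__cxa_dependent_exception` layout added to unwind-cxx.h must match, field by field, what the GCC personality routine and the libgcc unwinder expect, since `unwindHeader` has to sit at the same offset; it mirrors the `__cxa_exception` above it here, but whether the upstream definition has target-specific variants of the middle fields is not visible in this hunk and should be checked against the GCC 4.4 header that the `>= 404` test targets. A one-line comment on the `#if`, e.g. `// GCC >= 4.4: dependent exceptions (std::exception_ptr / rethrow_exception) support`, would tell future readers why 4.4 is the threshold.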
diff --git a/main/uclibc++/APKBUILD b/main/uclibc++/APKBUILD
index e6545e482..6a40ba549 100644
--- a/main/uclibc++/APKBUILD
+++ b/main/uclibc++/APKBUILD
@@ -1,14 +1,23 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=uclibc++
pkgver=0.2.2
-pkgrel=3
+pkgrel=5
pkgdesc="Embedded C++ library"
url="http://cxx.uclibc.org/"
license='GPL-2'
depends=
-makedepends=
+makedepends="bash"
subpackages="$pkgname-dev"
source="http://cxx.uclibc.org/src/uClibc++-$pkgver.tar.bz2
+ 001-path_to_make.patch
+ 002-no_bash.patch
+ 003-cp_command.patch
+ 004-ccache_fixes.patch
+ 005-wrapper.patch
+ 006-eabi_fix.patch
+ 007-numeric_limits.patch
+ 008-integer_width.patch
+ 900-dependent_exception.patch
associative_base.patch
uclibc++-gcc-4.3.patch
uclibc++config
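Review bot: `makedepends="bash"` is introduced in the same change that adds `002-no_bash.patch` to the source list; if that patch removes the build's bash dependency the new makedepends is redundant, and if it does not, the patch name is misleading — one of the two probably wants adjusting, or a short comment next to `makedepends` saying why bash is still required. The second hunk's md5sums follow the same numbered order as the new source entries, which keeps the two lists easy to cross-check.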
@@ -42,6 +51,15 @@ dev() {
md5sums="1ceef3209cca88be8f1bd9de99735954 uClibc++-0.2.2.tar.bz2
+ce1016fb83c23c83486f35f4cd1b64ab 001-path_to_make.patch
+2a9bee5e88bf94d3870517891d5129d6 002-no_bash.patch
+8068b394de053ed94a742d1ed9657b99 003-cp_command.patch
+363dc1cd86052f44212c2f3ac15926da 004-ccache_fixes.patch
+3689f8d77984ca66554e14cacbeb796c 005-wrapper.patch
+99e625748c0e6d5fc7cef8484cbac587 006-eabi_fix.patch
+d335b8f1c9d4682a220a082a371277e4 007-numeric_limits.patch
+2c431d4ad46a244f2f50baf40b85f7d2 008-integer_width.patch
+4e9c416c2a107f7d814f938fa57901a5 900-dependent_exception.patch
5689baa3f3bf8488c0a5d27a690d30fa associative_base.patch
4c7b499e4697225378acef25f6364e9b uclibc++-gcc-4.3.patch
2f573c1e2a0c7a320ea4685cc3ce9e2a uclibc++config"
diff --git a/main/vim/APKBUILD b/main/vim/APKBUILD
index b4ecb2a1d..a6ce2f622 100644
--- a/main/vim/APKBUILD
+++ b/main/vim/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=vim
_srcver=7.2
-_patchver=234
+_patchver=245
pkgver=$_srcver.$_patchver
pkgrel=1
pkgdesc="advanced text editor"
@@ -249,6 +249,17 @@ source="ftp://ftp.vim.org/pub/vim/unix/vim-7.2.tar.bz2
ftp://ftp.vim.org/pub/vim/patches/7.2/7.2.232
ftp://ftp.vim.org/pub/vim/patches/7.2/7.2.233
ftp://ftp.vim.org/pub/vim/patches/7.2/7.2.234
+ ftp://ftp.vim.org/pub/vim/patches/7.2/7.2.235
+ ftp://ftp.vim.org/pub/vim/patches/7.2/7.2.236
+ ftp://ftp.vim.org/pub/vim/patches/7.2/7.2.237
+ ftp://ftp.vim.org/pub/vim/patches/7.2/7.2.238
+ ftp://ftp.vim.org/pub/vim/patches/7.2/7.2.239
+ ftp://ftp.vim.org/pub/vim/patches/7.2/7.2.240
+ ftp://ftp.vim.org/pub/vim/patches/7.2/7.2.241
+ ftp://ftp.vim.org/pub/vim/patches/7.2/7.2.242
+ ftp://ftp.vim.org/pub/vim/patches/7.2/7.2.243
+ ftp://ftp.vim.org/pub/vim/patches/7.2/7.2.244
+ ftp://ftp.vim.org/pub/vim/patches/7.2/7.2.245
"
# this generates the patches list
@@ -282,6 +293,7 @@ build() {
md5sums="f0901284b338e448bfd79ccca0041254 vim-7.2.tar.bz2
35e04482f07c57221c9a751aaa3b8dac vim-7.2-extra.tar.gz
+97aecde2ab504e543a96bec84b3b5638 vimrc
7c2dc4a956cf315e546e347bc349968c 7.2.001
7f16f80814f1e071a689806c2056b39d 7.2.002
0de916fdfd450a4a0d95bed44ae2c398 7.2.003
@@ -516,4 +528,14 @@ b97e5d33fa4fb8a1ea1308558bb33d41 7.2.228
5e5cfa4e5ee34cbbdd01c27ece1b7398 7.2.232
9fa12db95776e9174ca7c95172a48838 7.2.233
a46776a6914ec2972ada91b33b0cfb39 7.2.234
-97aecde2ab504e543a96bec84b3b5638 vimrc"
+4121105bf052ebac02bd9891c232137a 7.2.235
+e9ca47c42d7de7b27910e3b35e533ecd 7.2.236
+f48f3e3f58a7a82a1c14fd61072c69f0 7.2.237
+5b9cc79b5448fb71ac1b2870a861119d 7.2.238
+28a8a33a3e2ceef51f838c2dc9fceac2 7.2.239
+212989ec4f90d697183c7cfb363cd453 7.2.240
+45f0effee324a20881e254c1b59dd5f8 7.2.241
+464fc788e592b19cd4d8a21d3d8b789e 7.2.242
+eb8132b8f89393e7f39734e607fc3925 7.2.243
+15c654c51220c2ad94b47d6013626aef 7.2.244
+d5ecb198dfea237e96b5ae12b9381383 7.2.245"
diff --git a/main/xdelta3/APKBUILD b/main/xdelta3/APKBUILD
new file mode 100644
index 000000000..fece127a6
--- /dev/null
+++ b/main/xdelta3/APKBUILD
@@ -0,0 +1,27 @@
+# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
+pkgname=xdelta3
+pkgver=3.0v
+pkgrel=0
+pkgdesc="A diff utility which works with binary files"
+url="http://xdelta.org/"
+license="GPL"
+depends=
+makedepends=
+source="http://xdelta.googlecode.com/files/$pkgname.0v.tar.gz
+ $pkgname-makefile.patch
+ $pkgname-xz.patch"
+
+build ()
+{
+ cd $srcdir/xdelta$pkgver
+ patch -Np1 -i $srcdir/xdelta3-makefile.patch
+ patch -Np1 -i $srcdir/xdelta3-xz.patch
+ make xdelta3 || return 1
+ install -D xdelta3 "$pkgdir"/usr/bin/xdelta3
+# python ./setup.py install --root "$pkgdir"
+# make xdelta3module.so || return 1
+# install -m644 {xdelta3.py,xdelta3module.so} "$pkgdir"/usr/lib/python2.6/site-packages
+}
+md5sums="6b5faeb88028a1211cb047e49b687a3a xdelta3.0v.tar.gz
+35aa0d20a27791addeb929591a78bd3f xdelta3-makefile.patch
+fb1e685d810a15f04b7bdbc9a3f3e635 xdelta3-xz.patch"
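Review bot: The two `patch -Np1 -i` lines in `build()` are not followed by `|| return 1`, unlike `make xdelta3 || return 1` just below them, so a patch that fails to apply (for instance after a source bump) is silently ignored and the build continues on unpatched source; write them as `patch -Np1 -i "$srcdir"/xdelta3-makefile.patch || return 1` and the same for the xz patch, and quote `$srcdir` there and in the `cd` as is already done for `$pkgdir`. `install -D xdelta3 "$pkgdir"/usr/bin/xdelta3` is likewise unchecked. The three commented-out python-module lines are dead code; if the binding is planned, a single comment such as `# TODO: python module (xdelta3module.so) not packaged yet` is clearer than the leftover commands.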
diff --git a/main/xdelta3/xdelta3-makefile.patch b/main/xdelta3/xdelta3-makefile.patch
new file mode 100644
index 000000000..f7fc6a657
--- /dev/null
+++ b/main/xdelta3/xdelta3-makefile.patch
@@ -0,0 +1,33 @@
+diff -Naur xdelta3.0v-old/Makefile xdelta3.0v/Makefile
+--- xdelta3.0v-old/Makefile 2009-03-12 01:44:51.000000000 +0000
++++ xdelta3.0v/Makefile 2009-03-14 17:02:33.000000000 +0000
+@@ -4,7 +4,7 @@
+ UNAME = $(shell uname)
+ CYGWIN = $(findstring CYGWIN, $(UNAME))
+ DARWIN = $(findstring Darwin, $(UNAME))
+-PYVER = 2.5
++PYVER = 2.6
+
+ ifeq ("$(CYGWIN)", "")
+ SWIGTGT = xdelta3module.so
+@@ -200,6 +200,9 @@
+ xdelta3.o: $(SOURCES)
+ $(CC) -O3 $(CFLAGS) -c xdelta3.c $(SWIG_FLAGS) -o xdelta3.o
+
++xdelta3_PIC.o: $(SOURCES)
++ $(CC) -O3 $(CFLAGS) -fPIC -c xdelta3.c $(SWIG_FLAGS) -o xdelta3_PIC.o
++
+ xdelta3_wrap.o: xdelta3_wrap.c
+ $(CC) -O3 $(CFLAGS) $(SWIG_FLAGS) \
+ -DHAVE_CONFIG_H \
+@@ -218,8 +221,8 @@
+ cp $(SWIGTGT) /usr/lib/python$(PYVER)/site-packages
+
+ ifeq ("$(DARWIN)", "")
+-xdelta3module.so: xdelta3_wrap.o xdelta3.o
+- ld -shared xdelta3.o xdelta3_wrap.o \
++xdelta3module.so: xdelta3_wrap.o xdelta3_PIC.o
++ cc -shared xdelta3_PIC.o xdelta3_wrap.o \
+ -o xdelta3module.so \
+ /usr/lib/libpython$(PYVER).so \
+ -lc
diff --git a/main/xdelta3/xdelta3-xz.patch b/main/xdelta3/xdelta3-xz.patch
new file mode 100644
index 000000000..3527406c1
--- /dev/null
+++ b/main/xdelta3/xdelta3-xz.patch
@@ -0,0 +1,12 @@
+diff -ruNa a/xdelta3-main.h b/xdelta3-main.h
+--- a/xdelta3-main.h 2009-01-30 05:59:02.000000000 +0100
++++ b/xdelta3-main.h 2009-05-13 12:43:00.000000000 +0200
+@@ -355,6 +355,7 @@
+ RD_NONEXTERNAL },
+ { "bzip2", "-cf", "bzip2", "-dcf", "B", "BZh", 3, 0 },
+ { "gzip", "-cf", "gzip", "-dcf", "G", "\037\213", 2, 0 },
++ { "xz", "-cf", "xz", "-dcf", "Y", "\xfd\x37\x7a\x58\x5a\x00", 2, 0 },
+ { "compress", "-cf", "uncompress", "-cf", "Z", "\037\235", 2, 0 },
+
+ /* TODO: add commandline support for magic-less formats */
+
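Review bot: The new `xz` row sets the magic-length field to `2` while its magic string `"\xfd\x37\x7a\x58\x5a\x00"` is six bytes long; the neighbouring rows use the string's full length (`"BZh"`/3, `"\037\213"`/2), so as written only the first two bytes `\xfd\x37` would be compared before the input is handed to the external `xz -dcf` process. Matching the full signature, `{ "xz", "-cf", "xz", "-dcf", "Y", "\xfd\x37\x7a\x58\x5a\x00", 6, 0 },`, keeps format detection as strict as the other entries; the trailing `\x00` is part of the xz magic and is fine in the literal as long as the comparison uses this explicit length rather than `strlen`. That the field is the number of bytes compared is inferred from the surrounding rows; the comparison code is outside this hunk.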