authorMichael Mason <ms13sp@gmail.com>2009-08-21 00:03:52 +0000
committerMichael Mason <ms13sp@gmail.com>2009-08-21 00:03:52 +0000
commit557c1cd3a1917a6f9c3a0cecc569f42896cd7095 (patch)
treeb209180fed993eebd393c3ac0ae5109e8d1e25ad
parent37d24ab6eb2f72267e53a13e7046c0ae7e51d6cc (diff)
parent1444ddae645e1206190da7319a00413ffafd222b (diff)
downloadaports-557c1cd3a1917a6f9c3a0cecc569f42896cd7095.tar.bz2
aports-557c1cd3a1917a6f9c3a0cecc569f42896cd7095.tar.xz
Merge branch 'master' of git://git.alpinelinux.org/aports
-rw-r--r--main/alpine-conf/0001-setup-acf-fix-password-generation.patch25
-rw-r--r--main/alpine-conf/APKBUILD8
-rw-r--r--main/apk-tools/APKBUILD6
-rw-r--r--main/bash/APKBUILD10
-rw-r--r--main/cabextract/APKBUILD26
-rw-r--r--main/curl/APKBUILD4
-rw-r--r--main/dahdi-linux-grsec/APKBUILD10
-rw-r--r--main/device-mapper/APKBUILD25
-rw-r--r--main/dhcpcd/APKBUILD4
-rw-r--r--main/dovecot/APKBUILD4
-rw-r--r--main/imagemagick/APKBUILD6
-rw-r--r--main/ipsec-tools/00-verify-cert-leak.patch11
-rw-r--r--main/ipsec-tools/10-rekey-ph1hint.patch1227
-rw-r--r--main/ipsec-tools/20-natoa-fix.patch33
-rw-r--r--main/ipsec-tools/30-natt-ports-cleanup.patch393
-rw-r--r--main/ipsec-tools/40-cmpsaddr-cleanup.patch1403
-rw-r--r--main/ipsec-tools/50-reverse-connect.patch4
-rw-r--r--main/ipsec-tools/APKBUILD20
-rw-r--r--main/lvm2/APKBUILD12
-rw-r--r--main/mkinitfs/APKBUILD4
-rw-r--r--main/mkinitfs/mkinitfs.trigger8
-rw-r--r--main/ncftp/APKBUILD13
-rw-r--r--main/openrc/APKBUILD4
-rw-r--r--main/openrc/modloop.initd11
-rw-r--r--main/openssl/APKBUILD4
-rw-r--r--main/postgresql/APKBUILD6
-rw-r--r--main/postgresql/postgresql.pre-upgrade7
-rw-r--r--main/subversion/APKBUILD6
-rw-r--r--main/tiff/APKBUILD31
-rw-r--r--main/tiff/CVE-2006-3459-3465.patch669
-rw-r--r--main/tiff/libtiff-CVE-2009-2285.patch22
-rw-r--r--main/tiff/tiff-3.8.2-CVE-2008-2327.patch64
-rw-r--r--main/tiff/tiff-3.8.2-CVE-2009-2347.patch170
-rw-r--r--main/tiff/tiff2pdf-compression.patch44
-rw-r--r--main/tiff/tiff2pdf-octal-printf.patch11
-rw-r--r--main/tiff/tiffsplit-fname-overflow.patch19
-rw-r--r--main/vala/APKBUILD4
-rw-r--r--testing/device-mapper/APKBUILD26
-rw-r--r--testing/libaio/APKBUILD16
-rw-r--r--testing/multipath-tools/APKBUILD6
-rw-r--r--x11/desktop-file-utils/APKBUILD16
-rw-r--r--x11/desktop-file-utils/desktop-file-utils.trigger3
-rw-r--r--x11/desktop-file-utils/nocxx.patch15
-rw-r--r--x11/epdfview/APKBUILD40
-rw-r--r--x11/epdfview/epdfview.desktop.patch11
-rw-r--r--x11/epdfview/fix-scrolling.patch33
-rw-r--r--x11/gtk+/APKBUILD11
-rw-r--r--x11/gtk+/gtk+.trigger5
-rw-r--r--x11/gtk-vnc/APKBUILD24
-rw-r--r--x11/mrxvt/APKBUILD45
-rw-r--r--x11/mrxvt/mrxvt-0.5.4-002-fix-segfault-when-wd-empty.patch12
-rw-r--r--x11/mrxvt/mrxvt.desktop10
-rw-r--r--x11/poppler/APKBUILD39
53 files changed, 2639 insertions, 2001 deletions
diff --git a/main/alpine-conf/0001-setup-acf-fix-password-generation.patch b/main/alpine-conf/0001-setup-acf-fix-password-generation.patch
new file mode 100644
index 00000000..6132c08a
--- /dev/null
+++ b/main/alpine-conf/0001-setup-acf-fix-password-generation.patch
@@ -0,0 +1,25 @@
+From b7ac1f3f8b4ddb7cc4a585bc8b7ebdaa2dd8ae16 Mon Sep 17 00:00:00 2001
+From: Natanael Copa <ncopa@alpinelinux.org>
+Date: Thu, 20 Aug 2009 07:31:21 +0000
+Subject: [PATCH] setup-acf: fix password generation
+
+---
+ setup-acf.in | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/setup-acf.in b/setup-acf.in
+index 8c386ee..92d769c 100644
+--- a/setup-acf.in
++++ b/setup-acf.in
+@@ -37,7 +37,7 @@ if [ "$create_passwd" != "no" ]; then
+ fi
+ # this will show password on process list but we assume user is alone
+ # on the box at this stage
+- _md5passwd=$(echo -n "$_password" | md5sum)
++ _md5passwd=$(echo -n "$_password" | md5sum | cut -d' ' -f1)
+ echo "root:$_md5passwd:Admin account:ADMIN" >/etc/acf/passwd
+ fi
+
+--
+1.6.4
+
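Review bot: The line that writes `/etc/acf/passwd` still stores a bare, unsalted MD5 of the root password, and the redirect creates the file with whatever umask is in effect; the added `cut` only corrects the field format. If ACF's passwd format requires MD5 that cannot change in this patch, but unless the ACF process must read the file as another user it should be created owner-only, e.g. `( umask 077; echo "root:$_md5passwd:Admin account:ADMIN" >/etc/acf/passwd )`. `echo -n "$_password"` is also fragile on some shells for passwords that start with `-` or contain backslashes, so `printf '%s' "$_password" | md5sum | cut -d' ' -f1` would hash exactly what was entered. The enclosing `if` block starts outside the embedded hunk.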
diff --git a/main/alpine-conf/APKBUILD b/main/alpine-conf/APKBUILD
index 5f3abd94..510d0849 100644
--- a/main/alpine-conf/APKBUILD
+++ b/main/alpine-conf/APKBUILD
@@ -1,20 +1,24 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=alpine-conf
pkgver=2.0_beta5
-pkgrel=0
+pkgrel=1
pkgdesc="Alpine configuration management scripts"
url=http://git.alpinelinux.org/cgit/$pkgname
depends="openrc"
source="http://git.alpinelinux.org/cgit/$pkgname/snapshot/$pkgname-$pkgver.tar.bz2
+ 0001-setup-acf-fix-password-generation.patch
"
license="GPL-2"
build() {
cd "$srcdir/$pkgname-$pkgver"
+ patch -p1 -i ../0001-setup-acf-fix-password-generation.patch || return 1
+
make || return 1
make install PREFIX= DESTDIR="$pkgdir"
for i in commit exclude include status update; do
ln -s lbu "$pkgdir"/sbin/lbu_$i
done
}
-md5sums="92e6d2fee0c183c873627c2261d13845 alpine-conf-2.0_beta5.tar.bz2"
+md5sums="92e6d2fee0c183c873627c2261d13845 alpine-conf-2.0_beta5.tar.bz2
+99d5a1c2386e35a1b5443e3b3d8a1157 0001-setup-acf-fix-password-generation.patch"
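Review bot: The added `patch` call in build() uses the relative path `../0001-setup-acf-fix-password-generation.patch`, which only resolves if the unchecked `cd` before it succeeded. Other APKBUILDs in this commit address local sources through `"$srcdir"`, and `patch -p1 -i "$srcdir"/0001-setup-acf-fix-password-generation.patch || return 1` would not depend on the working directory. The `make install` line further down also has no `|| return 1`, so an install failure is only caught if the later `ln -s` happens to fail as well.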
diff --git a/main/apk-tools/APKBUILD b/main/apk-tools/APKBUILD
index fd2c3512..e9f2dfda 100644
--- a/main/apk-tools/APKBUILD
+++ b/main/apk-tools/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=apk-tools
-pkgver=2.0_rc3
-pkgrel=3
+pkgver=2.0_rc4
+pkgrel=0
pkgdesc="Alpine Package Keeper - package manager for alpine"
subpackages="$pkgname-static"
depends=
@@ -36,4 +36,4 @@ static() {
"$subpkgdir"/sbin/apk.static
}
-md5sums="64cc6fac209ad85b1dade7f796d8f842 apk-tools-2.0_rc3.tar.bz2"
+md5sums="04224faeb255a9ca4697643f8bd8721a apk-tools-2.0_rc4.tar.bz2"
diff --git a/main/bash/APKBUILD b/main/bash/APKBUILD
index 886c0c06..1cd03f00 100644
--- a/main/bash/APKBUILD
+++ b/main/bash/APKBUILD
@@ -3,7 +3,7 @@
pkgname=bash
_myver=4.0
_patchbase=40
-_patchlevel=024
+_patchlevel=028
pkgver=${_myver}.${_patchlevel}
pkgrel=0
pkgdesc="The GNU Bourne Again shell"
@@ -36,6 +36,10 @@ source="http://ftp.gnu.org/gnu/bash/bash-${_myver}.tar.gz
http://ftp.gnu.org/gnu/bash/bash-4.0-patches/bash40-022
http://ftp.gnu.org/gnu/bash/bash-4.0-patches/bash40-023
http://ftp.gnu.org/gnu/bash/bash-4.0-patches/bash40-024
+ http://ftp.gnu.org/gnu/bash/bash-4.0-patches/bash40-025
+ http://ftp.gnu.org/gnu/bash/bash-4.0-patches/bash40-026
+ http://ftp.gnu.org/gnu/bash/bash-4.0-patches/bash40-027
+ http://ftp.gnu.org/gnu/bash/bash-4.0-patches/bash40-028
bash-noinfo.patch
"
@@ -97,4 +101,8 @@ eb7c7ddeb7e8451eb59228dca3329696 bash40-020
7a70f2608f90f6ac0c2051e5f1c6c414 bash40-022
7a23aa41630dd4fe8d30108a200e2d96 bash40-023
82ba5fc9eb780eb57d8b7628a17b7d74 bash40-024
+b26f9007ac4eef5c378f1abcb8959025 bash40-025
+83bc844c82d0a30740e8d91a8238bfa9 bash40-026
+a41c187f05ecab07389c18acc91214c6 bash40-027
+fcc367e6471267d2e397257e703b817d bash40-028
80fec5f3d60a63756a4999c877e31a8e bash-noinfo.patch"
diff --git a/main/cabextract/APKBUILD b/main/cabextract/APKBUILD
new file mode 100644
index 00000000..b4788780
--- /dev/null
+++ b/main/cabextract/APKBUILD
@@ -0,0 +1,26 @@
+# Maintainer: Leonardo Arena <rnalrd@gmail.com>
+pkgname=cabextract
+pkgver=1.2
+pkgrel=0
+pkgdesc="Tool for extracting Microsoft cabinet files"
+url="http://www.cabextract.org.uk/"
+license="GPL"
+subpackages="$pkgname-doc"
+depends=""
+makedepends=""
+install=
+source="http://www.cabextract.org.uk/$pkgname-$pkgver.tar.gz"
+
+build ()
+{
+ cd "$srcdir"/${pkgname}-${pkgver}
+
+ ./configure --prefix=/usr \
+ --sysconfdir=/etc \
+ --mandir=/usr/share/man \
+ --infodir=/usr/share/info
+ make || return 1
+ make DESTDIR="$pkgdir" install
+}
+
+md5sums="dc421a690648b503265c82ade84e143e cabextract-1.2.tar.gz"
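Review bot: In build(), `./configure` has no `|| return 1` and neither does the `cd` before it, so a failed configure falls through to `make` in an unconfigured tree. Ending the continuation with `--infodir=/usr/share/info || return 1` matches how `make` is handled on the next line. The tarball is fetched over plain `http://` and pinned only by an MD5 sum, which is a weak sole integrity check for a new package that parses untrusted archives. If the abuild version in use accepts a stronger checksum field, or upstream publishes a signature, that would be worth adding; neither can be confirmed from this page.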
diff --git a/main/curl/APKBUILD b/main/curl/APKBUILD
index c54e9ce3..c5e37a80 100644
--- a/main/curl/APKBUILD
+++ b/main/curl/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Carlo Landmeter <clandmeter at gmail.com>
pkgname=curl
-pkgver=7.19.5
+pkgver=7.19.6
pkgrel=0
pkgdesc="An URL retrival utility and library"
url="http://curl.haxx.se"
@@ -24,4 +24,4 @@ build() {
chmod +x "$pkgdir"/usr/bin/curl-config
}
-md5sums="426d161661dce70c8ea9ad8f553363a3 curl-7.19.5.tar.bz2"
+md5sums="8402c1f654c51ad7287aad57c3aa79be curl-7.19.6.tar.bz2"
diff --git a/main/dahdi-linux-grsec/APKBUILD b/main/dahdi-linux-grsec/APKBUILD
index 50077f8f..f6d1ec5f 100644
--- a/main/dahdi-linux-grsec/APKBUILD
+++ b/main/dahdi-linux-grsec/APKBUILD
@@ -14,16 +14,16 @@ _realname=dahdi-linux
pkgname=${_realname}-${_flavor}
pkgver=2.2.0
-pkgrel=7
+pkgrel=8
pkgdesc="Digium Asterisk Hardware Device Interface drivers"
url="http://www.asterisk.org"
license="GPL"
#depends="dahdi-linux linux-${_flavor}=${_kernelver}"
-depends="dahdi-linux linux-${_flavor}"
+depends="dahdi-linux linux-${_flavor}=${_kernelver}"
# we need wget and tar because make install downloads firmware and uses fancy
# options for tar and wget.
-#makedepends="linux-${_flavor}-dev=${_kernelver} wget tar perl"
-makedepends="linux-${_flavor}-dev wget tar perl"
+makedepends="linux-${_flavor}-dev=${_kernelver} wget tar perl"
+#makedepends="linux-${_flavor}-dev wget tar perl"
install=
subpackages=
source="http://downloads.digium.com/pub/telephony/dahdi-linux/releases/${_realname}-$pkgver.tar.gz
@@ -45,7 +45,7 @@ build() {
|| return 1
make KVERS="${_abi_release}" DYNFS="yes" MODULES_EXTRA="zaphfc" \
DESTDIR="$pkgdir" install
- rm -r "$pkgdir"/lib/firmware
+ rm -rf "$pkgdir"/lib/firmware "$pkgdir"/usr/lib/hotplug/firmware
}
# since we sourced the APKBUILD above we got the dev() function there to
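Review bot: With `rm -rf` as the final command, build() now returns 0 even when the preceding `make ... install` failed, because `-f` makes `rm` succeed on missing paths and the install line has no `|| return 1`. The old `rm -r` would at least have failed when the firmware directory was never created. Changing the continuation to `DESTDIR="$pkgdir" install || return 1` keeps a partial install from being packaged. build() starts outside this hunk.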
diff --git a/main/device-mapper/APKBUILD b/main/device-mapper/APKBUILD
deleted file mode 100644
index 33841375..00000000
--- a/main/device-mapper/APKBUILD
+++ /dev/null
@@ -1,25 +0,0 @@
-# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
-pkgname=device-mapper
-pkgver=1.02.28
-pkgrel=0
-pkgdesc="Device mapper userspace library and tools."
-url="http://sourceware.org/dm/"
-license="GPL"
-depends="uclibc"
-subpackages="$pkgname-dev $pkgname-doc"
-source="ftp://sources.redhat.com/pub/dm/$pkgname.$pkgver.tgz"
-
-build() {
- cd "$srcdir"/$pkgname.$pkgver
-
- ./configure --prefix=/usr \
- --sbindir=/sbin \
- --libdir=/lib \
- --enable-dmeventd \
- CLDFLAGS="$LDFLAGS" \
- || return 1
-
- make || return 1
- make -j1 DESTDIR="$pkgdir" install
-}
-md5sums="c9ae0776994a419f9e1ba842164bb626 device-mapper.1.02.28.tgz"
diff --git a/main/dhcpcd/APKBUILD b/main/dhcpcd/APKBUILD
index 110f2c4c..43e511ab 100644
--- a/main/dhcpcd/APKBUILD
+++ b/main/dhcpcd/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Michael Mason <ms13sp@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=dhcpcd
-pkgver=5.0.6
+pkgver=5.0.7
pkgrel=0
pkgdesc="RFC2131 compliant DHCP client"
url="http://roy.marples.name/projects/dhcpcd/"
@@ -23,4 +23,4 @@ build() {
}
-md5sums="600716ddbfa2525a7ef7ae0968a8158a dhcpcd-5.0.6.tar.bz2"
+md5sums="1c85790576deb6106879430b24e1fa9c dhcpcd-5.0.7.tar.bz2"
diff --git a/main/dovecot/APKBUILD b/main/dovecot/APKBUILD
index a0ac5dc3..888a2d49 100644
--- a/main/dovecot/APKBUILD
+++ b/main/dovecot/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Michael Mason <ms13sp@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=dovecot
-pkgver=1.2.3
+pkgver=1.2.4
pkgrel=0
pkgdesc="IMAP and POP3 server"
url="http://www.dovecot.org/"
@@ -30,6 +30,6 @@ build() {
install -m755 -D "$srcdir"/$pkgname.initd "$pkgdir"/etc/init.d/$pkgname
}
-md5sums="28905211d9301022a1ed20df71ad2b08 dovecot-1.2.3.tar.gz
+md5sums="3e5717d13e3d6b32d3f4b809df397dbf dovecot-1.2.4.tar.gz
573e14589a6f8424d55753a2794ab99a dovecot.initd
f0f8893411f5e482e14f40a81a177b19 dovecot.pre-install"
diff --git a/main/imagemagick/APKBUILD b/main/imagemagick/APKBUILD
index 183b1e82..1f25eb39 100644
--- a/main/imagemagick/APKBUILD
+++ b/main/imagemagick/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: Carlo Landmeter <clandmeter@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=imagemagick
-pkgver=6.5.3.10
-_pkgver=6.5.3-10
+pkgver=6.5.4.10
+_pkgver=6.5.4-10
pkgrel=0
pkgdesc="A collection of tools and libraries for many image formats"
url="http://www.imagemagick.org/"
@@ -32,4 +32,4 @@ build() {
}
-md5sums="d33621ea195792aeeec79900e7d1e395 ImageMagick-6.5.3-10.tar.gz"
+md5sums="3b0c0082cf29103b4868c674d73e918d ImageMagick-6.5.4-10.tar.gz"
diff --git a/main/ipsec-tools/00-verify-cert-leak.patch b/main/ipsec-tools/00-verify-cert-leak.patch
deleted file mode 100644
index 9e678133..00000000
--- a/main/ipsec-tools/00-verify-cert-leak.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/src/racoon/crypto_openssl.c 20 Apr 2009 13:22:41 -0000 1.18
-+++ b/src/racoon/crypto_openssl.c 29 Apr 2009 10:48:51 -0000
-@@ -510,7 +510,7 @@
- X509_STORE_CTX_set_flags (csc, X509_V_FLAG_CRL_CHECK_ALL);
- #endif
- error = X509_verify_cert(csc);
-- X509_STORE_CTX_cleanup(csc);
-+ X509_STORE_CTX_free(csc);
-
- /*
- * if x509_verify_cert() is successful then the value of error is
diff --git a/main/ipsec-tools/10-rekey-ph1hint.patch b/main/ipsec-tools/10-rekey-ph1hint.patch
new file mode 100644
index 00000000..773d6090
--- /dev/null
+++ b/main/ipsec-tools/10-rekey-ph1hint.patch
@@ -0,0 +1,1227 @@
+? .msg
+? ChangeLog
+? alpine-config
+? commiters.txt
+? fd-unmonitor-segv-fix.patch
+? natt-and-cmpsaddr.patch
+? racoon.txt
+? rekeying-fixes.diff
+? rpm/Makefile
+? rpm/Makefile.in
+? rpm/ipsec-tools.spec
+? rpm/suse/Makefile
+? rpm/suse/Makefile.in
+? rpm/suse/ipsec-tools.spec
+? src/Makefile
+? src/Makefile.in
+? src/include-glibc/.includes
+? src/include-glibc/Makefile
+? src/include-glibc/Makefile.in
+? src/libipsec/.deps
+? src/libipsec/.libs
+? src/libipsec/Makefile
+? src/libipsec/Makefile.in
+? src/libipsec/ipsec_dump_policy.lo
+? src/libipsec/ipsec_get_policylen.lo
+? src/libipsec/ipsec_strerror.lo
+? src/libipsec/key_debug.lo
+? src/libipsec/libipsec.la
+? src/libipsec/pfkey.lo
+? src/libipsec/pfkey_dump.lo
+? src/libipsec/policy_parse.c
+? src/libipsec/policy_parse.h
+? src/libipsec/policy_parse.lo
+? src/libipsec/policy_token.c
+? src/libipsec/policy_token.lo
+? src/racoon/.deps
+? src/racoon/.libs
+? src/racoon/Makefile
+? src/racoon/Makefile.in
+? src/racoon/cfparse.c
+? src/racoon/cfparse.h
+? src/racoon/cftoken.c
+? src/racoon/eaytest
+? src/racoon/libracoon.la
+? src/racoon/libracoon_la-kmpstat.lo
+? src/racoon/libracoon_la-misc.lo
+? src/racoon/libracoon_la-sockmisc.lo
+? src/racoon/libracoon_la-vmbuf.lo
+? src/racoon/plainrsa-gen
+? src/racoon/prsa_par.c
+? src/racoon/prsa_par.h
+? src/racoon/prsa_tok.c
+? src/racoon/racoon
+? src/racoon/racoonctl
+? src/racoon/samples/psk.txt
+? src/racoon/samples/racoon.conf
+? src/setkey/.deps
+? src/setkey/.libs
+? src/setkey/Makefile
+? src/setkey/Makefile.in
+? src/setkey/parse.c
+? src/setkey/parse.h
+? src/setkey/setkey
+? src/setkey/token.c
+Index: src/racoon/admin.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/admin.c,v
+retrieving revision 1.31
+diff -u -r1.31 admin.c
+--- a/src/racoon/admin.c 3 Jul 2009 06:41:46 -0000 1.31
++++ b/src/racoon/admin.c 19 Aug 2009 14:35:06 -0000
+@@ -5,7 +5,7 @@
+ /*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+- *
++ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+@@ -17,7 +17,7 @@
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+- *
++ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+@@ -341,7 +341,7 @@
+ user[len] = 0;
+
+ found = purgeph1bylogin(user);
+- plog(LLV_INFO, LOCATION, NULL,
++ plog(LLV_INFO, LOCATION, NULL,
+ "deleted %d SA for user \"%s\"\n", found, user);
+
+ break;
+@@ -360,7 +360,7 @@
+ rem = racoon_strdup(saddrwop2str(dst));
+ STRDUP_FATAL(rem);
+
+- plog(LLV_INFO, LOCATION, NULL,
++ plog(LLV_INFO, LOCATION, NULL,
+ "Flushing all SAs for peer %s\n", rem);
+
+ while ((iph1 = getph1bydstaddr(dst)) != NULL) {
+@@ -373,7 +373,7 @@
+
+ racoon_free(loc);
+ }
+-
++
+ racoon_free(rem);
+ break;
+ }
+@@ -383,14 +383,14 @@
+ char *data;
+
+ acp = (struct admin_com_psk *)
+- ((char *)com + sizeof(*com) +
++ ((char *)com + sizeof(*com) +
+ sizeof(struct admin_com_indexes));
+
+ idtype = acp->id_type;
+
+ if ((id = vmalloc(acp->id_len)) == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+- "cannot allocate memory: %s\n",
++ "cannot allocate memory: %s\n",
+ strerror(errno));
+ break;
+ }
+@@ -399,7 +399,7 @@
+
+ if ((key = vmalloc(acp->key_len)) == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+- "cannot allocate memory: %s\n",
++ "cannot allocate memory: %s\n",
+ strerror(errno));
+ vfree(id);
+ id = NULL;
+@@ -474,7 +474,7 @@
+ rmconf->xauth->pass = key;
+ }
+ #endif
+-
++
+ plog(LLV_INFO, LOCATION, NULL,
+ "accept a request to establish IKE-SA: "
+ "%s\n", saddrwop2str(dst));
+@@ -577,7 +577,7 @@
+ }
+
+ insph2(iph2);
+- if (isakmp_post_acquire(iph2) < 0) {
++ if (isakmp_post_acquire(iph2, NULL) < 0) {
+ remph2(iph2);
+ delph2(iph2);
+ break;
+@@ -710,17 +710,17 @@
+ }
+
+ if (chown(sunaddr.sun_path, adminsock_owner, adminsock_group) != 0) {
+- plog(LLV_ERROR, LOCATION, NULL,
+- "chown(%s, %d, %d): %s\n",
+- sunaddr.sun_path, adminsock_owner,
++ plog(LLV_ERROR, LOCATION, NULL,
++ "chown(%s, %d, %d): %s\n",
++ sunaddr.sun_path, adminsock_owner,
+ adminsock_group, strerror(errno));
+ (void)close(lcconf->sock_admin);
+ return -1;
+ }
+
+ if (chmod(sunaddr.sun_path, adminsock_mode) != 0) {
+- plog(LLV_ERROR, LOCATION, NULL,
+- "chmod(%s, 0%03o): %s\n",
++ plog(LLV_ERROR, LOCATION, NULL,
++ "chmod(%s, 0%03o): %s\n",
+ sunaddr.sun_path, adminsock_mode, strerror(errno));
+ (void)close(lcconf->sock_admin);
+ return -1;
+Index: src/racoon/handler.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/handler.c,v
+retrieving revision 1.29
+diff -u -r1.29 handler.c
+--- a/src/racoon/handler.c 3 Jul 2009 06:41:46 -0000 1.29
++++ b/src/racoon/handler.c 19 Aug 2009 14:35:06 -0000
+@@ -5,7 +5,7 @@
+ /*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+- *
++ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+@@ -17,7 +17,7 @@
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+- *
++ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+@@ -64,7 +64,7 @@
+ #include "evt.h"
+ #include "isakmp.h"
+ #ifdef ENABLE_HYBRID
+-#include "isakmp_xauth.h"
++#include "isakmp_xauth.h"
+ #include "isakmp_cfg.h"
+ #endif
+ #include "isakmp_inf.h"
+@@ -177,8 +177,8 @@
+ * with phase 2's destinaion.
+ */
+ struct ph1handle *
+-getph1(rmconf, local, remote, flags)
+- struct remoteconf *rmconf;
++getph1(ph1hint, local, remote, flags)
++ struct ph1handle *ph1hint;
+ struct sockaddr *local, *remote;
+ int flags;
+ {
+@@ -202,12 +202,30 @@
+ continue;
+ }
+
+- if (local != NULL && cmpsaddr(local, p->local) != 0)
++ if (local != NULL && cmpsaddr(local, p->local) == CMPSADDR_MISMATCH)
+ continue;
+
+- if (remote != NULL && cmpsaddr(remote, p->remote) != 0)
++ if (remote != NULL && cmpsaddr(remote, p->remote) == CMPSADDR_MISMATCH)
+ continue;
+
++ if (ph1hint != NULL) {
++ if (ph1hint->id && ph1hint->id->l && p->id && p->id->l &&
++ (ph1hint->id->l != p->id->l ||
++ memcmp(ph1hint->id->v, p->id->v, p->id->l) != 0)) {
++ plog(LLV_DEBUG2, LOCATION, NULL,
++ "local identity does match hint\n");
++ continue;
++ }
++ if (ph1hint->id_p && ph1hint->id_p->l &&
++ p->id_p && p->id_p->l &&
++ (ph1hint->id_p->l != p->id_p->l ||
++ memcmp(ph1hint->id_p->v, p->id_p->v, p->id_p->l) != 0)) {
++ plog(LLV_DEBUG2, LOCATION, NULL,
++ "remote identity does match hint\n");
++ continue;
++ }
++ }
++
+ plog(LLV_DEBUG2, LOCATION, NULL, "matched\n");
+ return p;
+ }
+@@ -1155,7 +1173,7 @@
+ }
+
+ #ifdef ENABLE_HYBRID
+-/*
++/*
+ * Retruns 0 if the address was obtained by ISAKMP mode config, 1 otherwise
+ * This should be in isakmp_cfg.c but ph1tree being private, it must be there
+ */
+@@ -1182,7 +1200,7 @@
+
+
+
+-/*
++/*
+ * Reload conf code
+ */
+ static int revalidate_ph2(struct ph2handle *iph2){
+@@ -1192,11 +1210,11 @@
+ struct saprop *approval;
+ struct ph1handle *iph1;
+
+- /*
++ /*
+ * Get the new sainfo using values of the old one
+ */
+ if (iph2->sainfo != NULL) {
+- iph2->sainfo = getsainfo(iph2->sainfo->idsrc,
++ iph2->sainfo = getsainfo(iph2->sainfo->idsrc,
+ iph2->sainfo->iddst, iph2->sainfo->id_i,
+ NULL, iph2->sainfo->remoteid);
+ }
+@@ -1204,7 +1222,7 @@
+ sainfo = iph2->sainfo;
+
+ if (sainfo == NULL) {
+- /*
++ /*
+ * Sainfo has been removed
+ */
+ plog(LLV_DEBUG, LOCATION, NULL,
+@@ -1219,7 +1237,7 @@
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "No approval found !\n");
+ return 0;
+- }
++ }
+
+ /*
+ * Don't care about proposals, should we do something ?
+@@ -1318,7 +1336,7 @@
+ }
+
+ found = 0;
+- for (alg = sainfo->algs[algclass_ipsec_enc];
++ for (alg = sainfo->algs[algclass_ipsec_enc];
+ (found == 0 && alg != NULL); alg = alg->next) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "Reload: next ph2 enc alg...\n");
+@@ -1351,7 +1369,7 @@
+ break;
+
+ default:
+- plog(LLV_ERROR, LOCATION, NULL,
++ plog(LLV_ERROR, LOCATION, NULL,
+ "unexpected check_level\n");
+ continue;
+ break;
+@@ -1375,7 +1393,7 @@
+ }
+
+
+-static void
++static void
+ remove_ph2(struct ph2handle *iph2)
+ {
+ u_int32_t spis[2];
+@@ -1467,7 +1485,7 @@
+ return 1;
+ }
+
+-int
++int
+ revalidate_ph12(void)
+ {
+
+Index: src/racoon/handler.h
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/handler.h,v
+retrieving revision 1.21
+diff -u -r1.21 handler.h
+--- a/src/racoon/handler.h 3 Jul 2009 06:41:46 -0000 1.21
++++ b/src/racoon/handler.h 19 Aug 2009 14:35:06 -0000
+@@ -5,7 +5,7 @@
+ /*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+- *
++ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+@@ -17,7 +17,7 @@
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+- *
++ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+@@ -214,7 +214,7 @@
+ LIST_ENTRY(ph1handle) chain;
+ #ifdef ENABLE_HYBRID
+ struct isakmp_cfg_state *mode_cfg; /* ISAKMP mode config state */
+-#endif
++#endif
+ EVT_LISTENER_LIST(evt_listeners);
+ };
+
+@@ -449,7 +449,7 @@
+ struct sockaddr_storage remote;
+ struct sockaddr_storage local;
+ u_int8_t version;
+- u_int8_t etype;
++ u_int8_t etype;
+ time_t created;
+ int ph2cnt;
+ };
+@@ -468,7 +468,7 @@
+
+ #define GETPH1_F_ESTABLISHED 0x0001
+
+-extern struct ph1handle *getph1 __P((struct remoteconf *rmconf,
++extern struct ph1handle *getph1 __P((struct ph1handle *ph1hint,
+ struct sockaddr *local,
+ struct sockaddr *remote,
+ int flags));
+Index: src/racoon/isakmp.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp.c,v
+retrieving revision 1.58
+diff -u -r1.58 isakmp.c
+--- a/src/racoon/isakmp.c 3 Jul 2009 06:41:46 -0000 1.58
++++ b/src/racoon/isakmp.c 19 Aug 2009 14:35:07 -0000
+@@ -5,7 +5,7 @@
+ /*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+- *
++ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+@@ -17,7 +17,7 @@
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+- *
++ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+@@ -176,7 +176,7 @@
+ };
+
+ static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */
+-
++
+ static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *));
+ static int ph1_main __P((struct ph1handle *, vchar_t *));
+ static int quick_main __P((struct ph2handle *, vchar_t *));
+@@ -190,7 +190,7 @@
+ static int isakmp_ph2resend __P((struct ph2handle *));
+
+ #ifdef ENABLE_FRAG
+-static int frag_handler(struct ph1handle *,
++static int frag_handler(struct ph1handle *,
+ vchar_t *, struct sockaddr *, struct sockaddr *);
+ #endif
+
+@@ -259,16 +259,16 @@
+ extralen += sizeof(x.lbuf.udp) + x.lbuf.ip.ip_hl;
+ }
+ #endif
+- }
++ }
+
+ #ifdef ENABLE_NATT
+- /* we don't know about portchange yet,
++ /* we don't know about portchange yet,
+ look for non-esp marker instead */
+ if (x.non_esp[0] == 0 && x.non_esp[1] != 0)
+ extralen = NON_ESP_MARKER_LEN;
+ #endif
+
+- /* now we know if there is an extra non-esp
++ /* now we know if there is an extra non-esp
+ marker at the beginning or not */
+ memcpy ((char *)&isakmp, x.buf + extralen, sizeof (isakmp));
+
+@@ -309,7 +309,7 @@
+ if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
+ 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+- "failed to receive isakmp packet: %s\n",
++ "failed to receive isakmp packet: %s\n",
+ strerror (errno));
+ }
+ goto end;
+@@ -332,11 +332,11 @@
+ (len - extralen));
+ goto end;
+ }
+-
++
+ memcpy (buf->v, tmpbuf->v + extralen, buf->l);
+
+ len -= extralen;
+-
++
+ if (len != buf->l) {
+ plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
+ "received invalid length (%d != %zu), why ?\n",
+@@ -347,7 +347,7 @@
+ plog(LLV_DEBUG, LOCATION, NULL, "===\n");
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "%d bytes message received %s\n",
+- len, saddr2str_fromto("from %s to %s",
++ len, saddr2str_fromto("from %s to %s",
+ (struct sockaddr *)&remote,
+ (struct sockaddr *)&local));
+ plogdump(LLV_DEBUG, buf->v, buf->l);
+@@ -496,12 +496,12 @@
+ }
+
+ /* set the flag to prevent further port floating
+- (FIXME: should we allow it? E.g. when the NAT gw
++ (FIXME: should we allow it? E.g. when the NAT gw
+ is rebooted?) */
+ iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER;
+-
++
+ /* print some neat info */
+- plog (LLV_INFO, LOCATION, NULL,
++ plog (LLV_INFO, LOCATION, NULL,
+ "NAT-T: ports changed to: %s\n",
+ saddr2str_fromto ("%s<->%s", iph1->remote, iph1->local));
+
+@@ -668,7 +668,7 @@
+ return -1;
+ }
+ #ifdef ENABLE_HYBRID
+- /* Reinit the IVM if it's still there */
++ /* Reinit the IVM if it's still there */
+ if (iph1->mode_cfg && iph1->mode_cfg->ivm) {
+ oakley_delivm(iph1->mode_cfg->ivm);
+ iph1->mode_cfg->ivm = NULL;
+@@ -753,7 +753,7 @@
+
+ isakmp_cfg_r(iph1, msg);
+ break;
+-#endif
++#endif
+
+ case ISAKMP_ETYPE_NONE:
+ default:
+@@ -822,7 +822,7 @@
+ /* free resend buffer */
+ if (iph1->sendbuf == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+- "no buffer found as sendbuf\n");
++ "no buffer found as sendbuf\n");
+ return -1;
+ }
+ #endif
+@@ -925,13 +925,13 @@
+ log_ph1established(iph1);
+ plog(LLV_DEBUG, LOCATION, NULL, "===\n");
+
+- /*
++ /*
+ * SA up shell script hook: do it now,except if
+ * ISAKMP mode config was requested. In the later
+ * case it is done when we receive the configuration.
+ */
+ if ((iph1->status == PHASE1ST_ESTABLISHED) &&
+- !iph1->rmconf->mode_cfg) {
++ !iph1->rmconf->mode_cfg) {
+ switch (iph1->approval->authmethod) {
+ #ifdef ENABLE_HYBRID
+ case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
+@@ -1004,7 +1004,7 @@
+ /* free resend buffer */
+ if (iph2->sendbuf == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+- "no buffer found as sendbuf\n");
++ "no buffer found as sendbuf\n");
+ return -1;
+ }
+ VPTRINIT(iph2->sendbuf);
+@@ -1754,23 +1754,23 @@
+ extralen = 0;
+
+ #ifdef ENABLE_FRAG
+- /*
++ /*
+ * Do not add the non ESP marker for a packet that will
+- * be fragmented. The non ESP marker should appear in
++ * be fragmented. The non ESP marker should appear in
+ * all fragment's packets, but not in the fragmented packet
+ */
+- if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN)
++ if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN)
+ extralen = 0;
+ #endif
+ if (extralen)
+ plog (LLV_DEBUG, LOCATION, NULL, "Adding NON-ESP marker\n");
+
+- /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker)
+- must added just before the packet itself. For this we must
++ /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker)
++ must added just before the packet itself. For this we must
+ allocate a new buffer and release it at the end. */
+ if (extralen) {
+ if ((vbuf = vmalloc (sbuf->l + extralen)) == NULL) {
+- plog(LLV_ERROR, LOCATION, NULL,
++ plog(LLV_ERROR, LOCATION, NULL,
+ "vbuf allocation failed\n");
+ return -1;
+ }
+@@ -1791,17 +1791,17 @@
+ if (s == -1)
+ return -1;
+
+- plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l,
++ plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l,
+ saddr2str_fromto("from %s to %s", iph1->local, iph1->remote));
+
+ #ifdef ENABLE_FRAG
+ if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) {
+ if (isakmp_sendfrags(iph1, sbuf) == -1) {
+- plog(LLV_ERROR, LOCATION, NULL,
++ plog(LLV_ERROR, LOCATION, NULL,
+ "isakmp_sendfrags failed\n");
+ return -1;
+ }
+- } else
++ } else
+ #endif
+ {
+ len = sendfromto(s, sbuf->v, sbuf->l,
+@@ -1812,7 +1812,7 @@
+ return -1;
+ }
+ }
+-
++
+ return 0;
+ }
+
+@@ -1959,7 +1959,7 @@
+ iph1->status = PHASE1ST_DYING;
+
+ /* Any fresh phase1s? */
+- new_iph1 = getph1(iph1->rmconf, iph1->local, iph1->remote, 1);
++ new_iph1 = getph1(iph1, iph1->local, iph1->remote, 1);
+ if (new_iph1 == NULL) {
+ LIST_FOREACH(p, &iph1->ph2tree, ph1bind) {
+ if (p->status != PHASE2ST_ESTABLISHED)
+@@ -2036,7 +2036,7 @@
+ char *src, *dst;
+
+ /* Migrate established phase2s. Any fresh phase1s? */
+- new_iph1 = getph1byaddr(iph1->local, iph1->remote, 1);
++ new_iph1 = getph1(iph1, iph1->local, iph1->remote, 1);
+ if (new_iph1 != NULL)
+ migrate_ph12(iph1, new_iph1);
+
+@@ -2143,12 +2143,13 @@
+ * if phase1 has been finished, begin phase2.
+ */
+ int
+-isakmp_post_acquire(iph2)
++isakmp_post_acquire(iph2, iph1hint)
+ struct ph2handle *iph2;
++ struct ph1handle *iph1hint;
+ {
+ struct remoteconf *rmconf;
+ struct ph1handle *iph1 = NULL;
+-
++
+ plog(LLV_DEBUG, LOCATION, NULL, "in post_acquire\n");
+
+ /* Search appropriate configuration with masking port. Note that
+@@ -2159,12 +2160,17 @@
+ * address of a mobile node (not a CoA provided by MIGRATE/KMADDRESS
+ * as iph2->dst hint). This scenario would require additional changes,
+ * so no need to bother yet. --arno */
+- rmconf = getrmconf(iph2->dst, GETRMCONF_F_NO_PASSIVE);
+- if (rmconf == NULL) {
+- plog(LLV_ERROR, LOCATION, NULL,
+- "no configuration found for %s.\n",
+- saddrwop2str(iph2->dst));
+- return -1;
++
++ if (iph1hint == NULL || iph1hint->rmconf == NULL) {
++ rmconf = getrmconf(iph2->dst, GETRMCONF_F_NO_PASSIVE);
++ if (rmconf == NULL) {
++ plog(LLV_ERROR, LOCATION, NULL,
++ "no configuration found for %s.\n",
++ saddrwop2str(iph2->dst));
++ return -1;
++ }
++ } else {
++ rmconf = iph1hint->rmconf;
+ }
+
+ /* if passive mode, ignore the acquire message */
+@@ -2181,7 +2187,7 @@
+ * some cases, we should use the ISAKMP identity to search
+ * matching ISAKMP.
+ */
+- iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
++ iph1 = getph1(iph1hint, iph2->src, iph2->dst, 0);
+
+ /* no ISAKMP-SA found. */
+ if (iph1 == NULL) {
+@@ -2978,7 +2984,7 @@
+ "ISAKMP-SA established %s-%s spi:%s\n",
+ src, dst,
+ isakmp_pindex(&iph1->index, 0));
+-
++
+ evt_phase1(iph1, EVT_PHASE1_UP, NULL);
+ if(!iph1->rmconf->mode_cfg)
+ evt_phase1(iph1, EVT_PHASE1_MODE_CFG, NULL);
+@@ -3011,7 +3017,7 @@
+ return plist;
+ }
+
+-vchar_t *
++vchar_t *
+ isakmp_plist_set_all (struct payload_list **plist, struct ph1handle *iph1)
+ {
+ struct payload_list *ptr = *plist, *first;
+@@ -3022,7 +3028,7 @@
+ /* Seek to the first item. */
+ while (ptr->prev) ptr = ptr->prev;
+ first = ptr;
+-
++
+ /* Compute the whole length. */
+ while (ptr) {
+ tlen += ptr->payload->l + sizeof (struct isakmp_gen);
+@@ -3064,7 +3070,7 @@
+ }
+
+ #ifdef ENABLE_FRAG
+-int
++int
+ frag_handler(iph1, msg, remote, local)
+ struct ph1handle *iph1;
+ vchar_t *msg;
+@@ -3075,7 +3081,7 @@
+
+ if (isakmp_frag_extract(iph1, msg) == 1) {
+ if ((newmsg = isakmp_frag_reassembly(iph1)) == NULL) {
+- plog(LLV_ERROR, LOCATION, remote,
++ plog(LLV_ERROR, LOCATION, remote,
+ "Packet reassembly failed\n");
+ return -1;
+ }
+@@ -3125,24 +3131,24 @@
+ if (iph1->remote != NULL) {
+ GETNAMEINFO(iph1->remote, addrstr, portstr);
+
+- if (script_env_append(&envp, &envc,
++ if (script_env_append(&envp, &envc,
+ "REMOTE_ADDR", addrstr) != 0) {
+- plog(LLV_ERROR, LOCATION, NULL,
++ plog(LLV_ERROR, LOCATION, NULL,
+ "Cannot set REMOTE_ADDR\n");
+ goto out;
+ }
+
+- if (script_env_append(&envp, &envc,
++ if (script_env_append(&envp, &envc,
+ "REMOTE_PORT", portstr) != 0) {
+- plog(LLV_ERROR, LOCATION, NULL,
++ plog(LLV_ERROR, LOCATION, NULL,
+ "Cannot set REMOTEL_PORT\n");
+ goto out;
+ }
+ }
+
+- if (privsep_script_exec(iph1->rmconf->script[script]->v,
+- script, envp) != 0)
+- plog(LLV_ERROR, LOCATION, NULL,
++ if (privsep_script_exec(iph1->rmconf->script[script]->v,
++ script, envp) != 0)
++ plog(LLV_ERROR, LOCATION, NULL,
+ "Script %s execution failed\n", script_names[script]);
+
+ out:
+@@ -3202,7 +3208,7 @@
+ argv[1] = script_names[name];
+ argv[2] = NULL;
+
+- switch (fork()) {
++ switch (fork()) {
+ case 0:
+ execve(argv[0], argv, envp);
+ plog(LLV_ERROR, LOCATION, NULL,
+@@ -3217,7 +3223,7 @@
+ break;
+ default:
+ break;
+- }
++ }
+ return 0;
+
+ }
+@@ -3243,7 +3249,7 @@
+ iph1->status = PHASE1ST_EXPIRED;
+
+ /* Check if we have another, still valid, phase1 SA. */
+- new_iph1 = getph1byaddr(iph1->local, iph1->remote, 1);
++ new_iph1 = getph1(iph1, iph1->local, iph1->remote, GETPH1_F_ESTABLISHED);
+
+ /*
+ * Delete all orphaned or binded to the deleting ph1handle phase2 SAs.
+@@ -3319,7 +3325,7 @@
+ ntohl(sa->sadb_sa_spi));
+ }else{
+
+- /*
++ /*
+ * If we have a new ph1, do not purge IPsec-SAs binded
+ * to a different ISAKMP-SA
+ */
+@@ -3331,7 +3337,7 @@
+ /* If the ph2handle is established, do not purge IPsec-SA */
+ if (iph2->status == PHASE2ST_ESTABLISHED ||
+ iph2->status == PHASE2ST_EXPIRED) {
+-
++
+ plog(LLV_INFO, LOCATION, NULL,
+ "keeping IPsec-SA spi=%u - found valid ISAKMP-SA spi=%s.\n",
+ ntohl(sa->sadb_sa_spi),
+@@ -3342,7 +3348,7 @@
+ }
+ }
+
+-
++
+ pfkey_send_delete(lcconf->sock_pfkey,
+ msg->sadb_msg_satype,
+ IPSEC_MODE_ANY,
+@@ -3373,7 +3379,7 @@
+ sched_schedule(&iph1->sce, 1, isakmp_ph1delete_stub);
+ }
+
+-void
++void
+ delete_spd(iph2, created)
+ struct ph2handle *iph2;
+ u_int64_t created;
+@@ -3399,22 +3405,22 @@
+
+ plog(LLV_INFO, LOCATION, NULL,
+ "generated policy, deleting it.\n");
+-
++
+ memset(&spidx, 0, sizeof(spidx));
+ iph2->spidx_gen = (caddr_t )&spidx;
+-
++
+ /* make inbound policy */
+ iph2->src = dst;
+ iph2->dst = src;
+ spidx.dir = IPSEC_DIR_INBOUND;
+ spidx.ul_proto = 0;
+-
+- /*
++
++ /*
+ * Note: code from get_proposal_r
+ */
+-
++
+ #define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type
+-
++
+ /*
+ * make destination address in spidx from either ID payload
+ * or phase 1 address into a address in spidx.
+@@ -3430,48 +3436,48 @@
+ &spidx.prefd, &spidx.ul_proto);
+ if (error)
+ goto purge;
+-
++
+ #ifdef INET6
+ /*
+ * get scopeid from the SA address.
+ * note that the phase 1 source address is used as
+- * a destination address to search for a inbound
++ * a destination address to search for a inbound
+ * policy entry because rcoon is responder.
+ */
+ if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
+- if ((error =
++ if ((error =
+ setscopeid((struct sockaddr *)&spidx.dst,
+ iph2->src)) != 0)
+ goto purge;
+ }
+ #endif
+-
++
+ if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
+ || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR)
+ idi2type = _XIDT(iph2->id);
+-
++
+ } else {
+-
++
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "get a destination address of SP index "
+ "from phase1 address "
+ "due to no ID payloads found "
+ "OR because ID type is not address.\n");
+-
++
+ /*
+- * copy the SOURCE address of IKE into the
+- * DESTINATION address of the key to search the
++ * copy the SOURCE address of IKE into the
++ * DESTINATION address of the key to search the
+ * SPD because the direction of policy is inbound.
+ */
+ memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src));
+ switch (spidx.dst.ss_family) {
+ case AF_INET:
+- spidx.prefd =
++ spidx.prefd =
+ sizeof(struct in_addr) << 3;
+ break;
+ #ifdef INET6
+ case AF_INET6:
+- spidx.prefd =
++ spidx.prefd =
+ sizeof(struct in6_addr) << 3;
+ break;
+ #endif
+@@ -3480,7 +3486,7 @@
+ break;
+ }
+ }
+-
++
+ /* make source address in spidx */
+ if (iph2->id_p != NULL
+ && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR
+@@ -3500,7 +3506,7 @@
+ * for more detail, see above of this function.
+ */
+ if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
+- error =
++ error =
+ setscopeid((struct sockaddr *)&spidx.src,
+ iph2->dst);
+ if (error)
+@@ -3538,12 +3544,12 @@
+ memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst));
+ switch (spidx.src.ss_family) {
+ case AF_INET:
+- spidx.prefs =
++ spidx.prefs =
+ sizeof(struct in_addr) << 3;
+ break;
+ #ifdef INET6
+ case AF_INET6:
+- spidx.prefs =
++ spidx.prefs =
+ sizeof(struct in6_addr) << 3;
+ break;
+ #endif
+@@ -3574,14 +3580,14 @@
+ spidx.ul_proto = IPSEC_ULPROTO_ANY;
+
+ #undef _XIDT
+-
++
+ /* Check if the generated SPD has the same timestamp as the SA.
+ * If timestamps are different, this means that the SPD entry has been
+ * refreshed by another SA, and should NOT be deleted with the current SA.
+ */
+ if( created ){
+ struct secpolicy *p;
+-
++
+ p = getsp(&spidx);
+ if(p != NULL){
+ /* just do no test if p is NULL, because this probably just means
+@@ -3646,7 +3652,7 @@
+ struct sockaddr *sp_addr0, *sa_addr0;
+ {
+ struct sockaddr_in6 *sp_addr, *sa_addr;
+-
++
+ sp_addr = (struct sockaddr_in6 *)sp_addr0;
+ sa_addr = (struct sockaddr_in6 *)sa_addr0;
+
+Index: src/racoon/isakmp_var.h
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h,v
+retrieving revision 1.15
+diff -u -r1.15 isakmp_var.h
+--- a/src/racoon/isakmp_var.h 20 Apr 2009 13:24:36 -0000 1.15
++++ b/src/racoon/isakmp_var.h 19 Aug 2009 14:35:07 -0000
+@@ -5,7 +5,7 @@
+ /*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+- *
++ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+@@ -17,7 +17,7 @@
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+- *
++ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+@@ -87,7 +87,7 @@
+ extern void isakmp_ph2delete __P((struct ph2handle *));
+
+ extern int isakmp_get_sainfo __P((struct ph2handle *, struct secpolicy *, struct secpolicy *));
+-extern int isakmp_post_acquire __P((struct ph2handle *));
++extern int isakmp_post_acquire __P((struct ph2handle *, struct ph1handle *));
+ extern int isakmp_post_getspi __P((struct ph2handle *));
+ extern void isakmp_chkph1there_stub __P((struct sched *));
+ extern void isakmp_chkph1there __P((struct ph2handle *));
+@@ -131,7 +131,7 @@
+ struct remoteconf *, struct sockaddr *, struct sockaddr *));
+ extern void log_ph1established __P((const struct ph1handle *));
+
+-extern void script_hook __P((struct ph1handle *, int));
++extern void script_hook __P((struct ph1handle *, int));
+ extern int script_env_append __P((char ***, int *, char *, char *));
+ extern int script_exec __P((char *, int, char * const *));
+
+Index: src/racoon/pfkey.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/pfkey.c,v
+retrieving revision 1.50
+diff -u -r1.50 pfkey.c
+--- a/src/racoon/pfkey.c 10 Aug 2009 08:22:13 -0000 1.50
++++ b/src/racoon/pfkey.c 19 Aug 2009 14:35:07 -0000
+@@ -5,7 +5,7 @@
+ /*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+- *
++ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+@@ -17,7 +17,7 @@
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+- *
++ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+@@ -173,7 +173,7 @@
+
+ /* cope with old kame headers - ugly */
+ #ifndef SADB_X_AALG_MD5
+-#define SADB_X_AALG_MD5 SADB_AALG_MD5
++#define SADB_X_AALG_MD5 SADB_AALG_MD5
+ #endif
+ #ifndef SADB_X_AALG_SHA
+ #define SADB_X_AALG_SHA SADB_AALG_SHA
+@@ -353,7 +353,7 @@
+ "type %i, pid %i\n", msg->sadb_msg_type, msg->sadb_msg_pid);
+ continue;
+ }
+-
++
+
+ ml = msg->sadb_msg_len << 3;
+ bl = buf ? buf->l : 0;
+@@ -839,7 +839,7 @@
+ goto bad;
+ *a_keylen >>= 3;
+
+- if (t_id == IPSECDOI_ATTR_AUTH_HMAC_MD5
++ if (t_id == IPSECDOI_ATTR_AUTH_HMAC_MD5
+ && hashtype == IPSECDOI_ATTR_AUTH_KPDK) {
+ /* AH_MD5 + Auth(KPDK) = RFC1826 keyed-MD5 */
+ *a_type = SADB_X_AALG_MD5;
+@@ -919,7 +919,7 @@
+ racoon_free(dst);
+ return -1;
+ }
+-
++
+ for (pr = pp->head; pr != NULL; pr = pr->next) {
+
+ /* validity check */
+@@ -991,7 +991,7 @@
+ * receive GETSPI from kernel.
+ */
+ static int
+-pk_recvgetspi(mhp)
++pk_recvgetspi(mhp)
+ caddr_t *mhp;
+ {
+ struct sadb_msg *msg;
+@@ -1111,7 +1111,7 @@
+ sa_args.l_addtime = iph2->lifetime_secs;
+ else
+ sa_args.l_addtime = iph2->approval->lifetime;
+- sa_args.seq = iph2->seq;
++ sa_args.seq = iph2->seq;
+ sa_args.wsize = 4;
+
+ if (iph2->sa_src && iph2->sa_dst) {
+@@ -1163,7 +1163,7 @@
+ pr->head->trns_id,
+ pr->head->authtype,
+ &sa_args.e_type, &sa_args.e_keylen,
+- &sa_args.a_type, &sa_args.a_keylen,
++ &sa_args.a_type, &sa_args.a_keylen,
+ &sa_args.flags) < 0){
+ racoon_free(sa_args.src);
+ racoon_free(sa_args.dst);
+@@ -1221,11 +1221,11 @@
+ * But it is impossible because there is not key in the
+ * information from the kernel.
+ */
+-
++
+ /* change some things before backing up */
+ sa_args.wsize = 4;
+ sa_args.l_bytes = iph2->approval->lifebyte * 1024;
+-
++
+ if (backupsa_to_file(&sa_args) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "backuped SA failed: %s\n",
+@@ -1447,7 +1447,7 @@
+ pr->head->trns_id,
+ pr->head->authtype,
+ &sa_args.e_type, &sa_args.e_keylen,
+- &sa_args.a_type, &sa_args.a_keylen,
++ &sa_args.a_type, &sa_args.a_keylen,
+ &sa_args.flags) < 0){
+ racoon_free(sa_args.src);
+ racoon_free(sa_args.dst);
+@@ -1668,11 +1668,12 @@
+ " being negotiated. Stopping negotiation.\n");
+ }
+
+- /* turn off the timer for calling isakmp_ph2expire() */
++ /* turn off the timer for calling isakmp_ph2expire() */
+ sched_cancel(&iph2->sce);
+
+ if (iph2->status == PHASE2ST_ESTABLISHED &&
+ iph2->side == INITIATOR) {
++ struct ph1handle *iph1hint;
+ /*
+ * Active phase 2 expired and we were initiator.
+ * Begin new phase 2 exchange, so we can keep on sending
+@@ -1680,11 +1681,12 @@
+ */
+
+ /* update status for re-use */
++ iph1hint = iph2->ph1;
+ initph2(iph2);
+ iph2->status = PHASE2ST_STATUS2;
+
+ /* start quick exchange */
+- if (isakmp_post_acquire(iph2) < 0) {
++ if (isakmp_post_acquire(iph2, iph1hint) < 0) {
+ plog(LLV_ERROR, LOCATION, iph2->dst,
+ "failed to begin ipsec sa "
+ "re-negotication.\n");
+@@ -1750,7 +1752,7 @@
+ if (m_sec_ctx != NULL) {
+ plog(LLV_INFO, LOCATION, NULL, "security context doi: %u\n",
+ m_sec_ctx->sadb_x_ctx_doi);
+- plog(LLV_INFO, LOCATION, NULL,
++ plog(LLV_INFO, LOCATION, NULL,
+ "security context algorithm: %u\n",
+ m_sec_ctx->sadb_x_ctx_alg);
+ plog(LLV_INFO, LOCATION, NULL, "security context length: %u\n",
+@@ -1960,7 +1962,7 @@
+
+ /* start isakmp initiation by using ident exchange */
+ /* XXX should be looped if there are multiple phase 2 handler. */
+- if (isakmp_post_acquire(iph2) < 0) {
++ if (isakmp_post_acquire(iph2, NULL) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to begin ipsec sa negotication.\n");
+ remph2(iph2);
+@@ -2145,7 +2147,7 @@
+ p->sadb_x_ctx_len = spidx->sec_ctx.ctx_strlen;
+ p->sadb_x_ctx_doi = spidx->sec_ctx.ctx_doi;
+ p->sadb_x_ctx_alg = spidx->sec_ctx.ctx_alg;
+-
++
+ memcpy(p + 1,spidx->sec_ctx.ctx_str,spidx->sec_ctx.ctx_strlen);
+ len += ctxlen;
+ }
+@@ -2184,7 +2186,7 @@
+ goto err;
+ }
+
+- /*
++ /*
+ * the policy level cannot be unique because the policy
+ * is defined later than SA, so req_id cannot be bound to SA.
+ */
+@@ -2217,7 +2219,7 @@
+
+ xisr->sadb_x_ipsecrequest_len = PFKEY_ALIGN8(xisrlen);
+ xisr = (struct sadb_x_ipsecrequest *)p;
+-
++
+ }
+ racoon_free(pr_rlist);
+
+@@ -3070,6 +3072,8 @@
+ rmconf = getrmconf(iph2->dst, 0);
+
+ if (rmconf && !rmconf->passive) {
++ struct ph1handle *iph1hint;
++
+ plog(LLV_WARNING, LOCATION, iph2->dst, "MIGRATE received "
+ "*during* IPsec SA negotiation. As initiator, "
+ "restarting it.\n");
+@@ -3079,11 +3083,12 @@
+ iph2->status = PHASE2ST_EXPIRED;
+
+ /* ... clean Phase 2 handle ... */
++ iph1hint = iph2->ph1;
+ initph2(iph2);
+ iph2->status = PHASE2ST_STATUS2;
+
+ /* and start a new negotiation */
+- if (isakmp_post_acquire(iph2) < 0) {
++ if (isakmp_post_acquire(iph2, iph1hint) < 0) {
+ plog(LLV_ERROR, LOCATION, iph2->dst, "failed "
+ "to begin IPsec SA renegotiation after "
+ "MIGRATE reception.\n");
diff --git a/main/ipsec-tools/20-natoa-fix.patch b/main/ipsec-tools/20-natoa-fix.patch
deleted file mode 100644
index 91d7224e..00000000
--- a/main/ipsec-tools/20-natoa-fix.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Fix nat-oa parsing when rekeying.
-
-From: Timo Teras <timo.teras@iki.fi>
-
-
----
-
- src/racoon/handler.c | 11 +++++++++++
- 1 files changed, 11 insertions(+), 0 deletions(-)
-
-
-diff --git a/src/racoon/handler.c b/src/racoon/handler.c
-index 6f91beb..960b5b3 100644
---- a/src/racoon/handler.c
-+++ b/src/racoon/handler.c
-@@ -736,6 +736,17 @@ initph2(iph2)
- oakley_delivm(iph2->ivm);
- iph2->ivm = NULL;
- }
-+
-+#ifdef ENABLE_NATT
-+ if (iph2->natoa_src) {
-+ racoon_free(iph2->natoa_src);
-+ iph2->natoa_src = NULL;
-+ }
-+ if (iph2->natoa_dst) {
-+ racoon_free(iph2->natoa_dst);
-+ iph2->natoa_dst = NULL;
-+ }
-+#endif
- }
-
- /*
diff --git a/main/ipsec-tools/30-natt-ports-cleanup.patch b/main/ipsec-tools/30-natt-ports-cleanup.patch
deleted file mode 100644
index 19360347..00000000
--- a/main/ipsec-tools/30-natt-ports-cleanup.patch
+++ /dev/null
@@ -1,393 +0,0 @@
-From Yvan Vanhullebus: Use SADB_X_EXT_NAT_T_* consistently for passing the
-
-From: Timo Teras <timo.teras@iki.fi>
-
-NAT-T port information.
----
-
- src/libipsec/libpfkey.h | 12 ++++++++
- src/libipsec/pfkey.c | 49 +++++++++++++++++++++++++++++++++
- src/racoon/isakmp.c | 11 +++++++
- src/racoon/isakmp_inf.c | 37 +++++++++++++------------
- src/racoon/pfkey.c | 69 +++++++++++++++++++++++++++++++++--------------
- src/racoon/pfkey.h | 1 +
- 6 files changed, 140 insertions(+), 39 deletions(-)
-
-
-diff --git a/src/libipsec/libpfkey.h b/src/libipsec/libpfkey.h
-index 8a503dd..c9b228b 100644
---- a/src/libipsec/libpfkey.h
-+++ b/src/libipsec/libpfkey.h
-@@ -117,6 +117,10 @@ u_int pfkey_set_softrate __P((u_int, u_int));
- u_int pfkey_get_softrate __P((u_int));
- int pfkey_send_getspi __P((int, u_int, u_int, struct sockaddr *,
- struct sockaddr *, u_int32_t, u_int32_t, u_int32_t, u_int32_t));
-+int pfkey_send_getspi_nat __P((int, u_int, u_int,
-+ struct sockaddr *, struct sockaddr *, u_int8_t, u_int16_t, u_int16_t,
-+ u_int32_t, u_int32_t, u_int32_t, u_int32_t));
-+
- int pfkey_send_update2 __P((struct pfkey_send_sa_args *));
- int pfkey_send_add2 __P((struct pfkey_send_sa_args *));
- int pfkey_send_delete __P((int, u_int, u_int,
-@@ -155,6 +159,14 @@ int pfkey_send_migrate __P((int, struct sockaddr *, struct sockaddr *,
- caddr_t, int, u_int32_t));
- #endif
-
-+/* XXX should be somewhere else !!!
-+ */
-+#ifdef SADB_X_NAT_T_NEW_MAPPING
-+#define PFKEY_ADDR_X_PORT(ext) (ntohs(((struct sadb_x_nat_t_port *)ext)->sadb_x_nat_t_port_port))
-+#define PFKEY_ADDR_X_NATTYPE(ext) ( ext != NULL && ((struct sadb_x_nat_t_type *)ext)->sadb_x_nat_t_type_type )
-+#endif
-+
-+
- int pfkey_open __P((void));
- void pfkey_close __P((int));
- int pfkey_set_buffer_size __P((int, int));
-diff --git a/src/libipsec/pfkey.c b/src/libipsec/pfkey.c
-index 0a944c2..b39ffca 100644
---- a/src/libipsec/pfkey.c
-+++ b/src/libipsec/pfkey.c
-@@ -380,10 +380,12 @@ pfkey_get_softrate(type)
- * -1 : error occured, and set errno.
- */
- int
--pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq)
-+pfkey_send_getspi_nat(so, satype, mode, src, dst, natt_type, sport, dport, min, max, reqid, seq)
- int so;
- u_int satype, mode;
- struct sockaddr *src, *dst;
-+ u_int8_t natt_type;
-+ u_int16_t sport, dport;
- u_int32_t min, max, reqid, seq;
- {
- struct sadb_msg *newmsg;
-@@ -431,6 +433,14 @@ pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq)
- len += sizeof(struct sadb_spirange);
- }
-
-+#ifdef SADB_X_EXT_NAT_T_TYPE
-+ if(natt_type||sport||dport){
-+ len += sizeof(struct sadb_x_nat_t_type);
-+ len += sizeof(struct sadb_x_nat_t_port);
-+ len += sizeof(struct sadb_x_nat_t_port);
-+ }
-+#endif
-+
- if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) {
- __ipsec_set_strerror(strerror(errno));
- return -1;
-@@ -466,6 +476,32 @@ pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq)
- return -1;
- }
-
-+#ifdef SADB_X_EXT_NAT_T_TYPE
-+ /* Add nat-t messages */
-+ if (natt_type) {
-+ p = pfkey_set_natt_type(p, ep, SADB_X_EXT_NAT_T_TYPE,
-+ natt_type);
-+ if (!p) {
-+ free(newmsg);
-+ return -1;
-+ }
-+
-+ p = pfkey_set_natt_port(p, ep, SADB_X_EXT_NAT_T_SPORT,
-+ sport);
-+ if (!p) {
-+ free(newmsg);
-+ return -1;
-+ }
-+
-+ p = pfkey_set_natt_port(p, ep, SADB_X_EXT_NAT_T_DPORT,
-+ dport);
-+ if (!p) {
-+ free(newmsg);
-+ return -1;
-+ }
-+ }
-+#endif
-+
- /* proccessing spi range */
- if (need_spirange) {
- struct sadb_spirange spirange;
-@@ -501,6 +537,17 @@ pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq)
- return len;
- }
-
-+int
-+pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq)
-+ int so;
-+ u_int satype, mode;
-+ struct sockaddr *src, *dst;
-+ u_int32_t min, max, reqid, seq;
-+{
-+ return pfkey_send_getspi_nat(so, satype, mode, src, dst, 0, 0, 0,
-+ min, max, reqid, seq);
-+}
-+
- /*
- * sending SADB_UPDATE message to the kernel.
- * The length of key material is a_keylen + e_keylen.
-diff --git a/src/racoon/isakmp.c b/src/racoon/isakmp.c
-index c8670f6..fe51653 100644
---- a/src/racoon/isakmp.c
-+++ b/src/racoon/isakmp.c
-@@ -3324,6 +3324,17 @@ purge_remote(iph1)
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
-+#ifdef SADB_X_NAT_T_NEW_MAPPING
-+ if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) {
-+ /* NAT-T is enabled for this SADB entry; copy
-+ * the ports from NAT-T extensions */
-+ if(mhp[SADB_X_EXT_NAT_T_SPORT] != NULL)
-+ set_port(src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT]));
-+ if(mhp[SADB_X_EXT_NAT_T_DPORT] != NULL)
-+ set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));
-+ }
-+#endif
-+
- if (sa->sadb_sa_state != SADB_SASTATE_LARVAL &&
- sa->sadb_sa_state != SADB_SASTATE_MATURE &&
- sa->sadb_sa_state != SADB_SASTATE_DYING) {
-diff --git a/src/racoon/isakmp_inf.c b/src/racoon/isakmp_inf.c
-index 1ada07f..a712825 100644
---- a/src/racoon/isakmp_inf.c
-+++ b/src/racoon/isakmp_inf.c
-@@ -1128,8 +1128,7 @@ purge_ipsec_spi(dst0, proto, spi, n)
- size_t i;
- caddr_t mhp[SADB_EXT_MAX + 1];
- #ifdef ENABLE_NATT
-- struct sadb_x_nat_t_type *natt_type;
-- struct sadb_x_nat_t_port *natt_port;
-+ int natt_port_forced;
- #endif
-
- plog(LLV_DEBUG2, LOCATION, NULL,
-@@ -1184,22 +1183,25 @@ purge_ipsec_spi(dst0, proto, spi, n)
- continue;
- }
- #ifdef ENABLE_NATT
-- natt_type = (void *)mhp[SADB_X_EXT_NAT_T_TYPE];
-- if (natt_type && natt_type->sadb_x_nat_t_type_type) {
-+ if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) {
- /* NAT-T is enabled for this SADB entry; copy
- * the ports from NAT-T extensions */
-- natt_port = (void *)mhp[SADB_X_EXT_NAT_T_SPORT];
-- if (extract_port(src) == 0 && natt_port != NULL)
-- set_port(src, ntohs(natt_port->sadb_x_nat_t_port_port));
--
-- natt_port = (void *)mhp[SADB_X_EXT_NAT_T_DPORT];
-- if (extract_port(dst) == 0 && natt_port != NULL)
-- set_port(dst, ntohs(natt_port->sadb_x_nat_t_port_port));
-- }else{
-- /* Force default UDP ports, so CMPSADDR will match SAs with NO encapsulation
-- */
-+ if (extract_port(src) == 0 &&
-+ mhp[SADB_X_EXT_NAT_T_SPORT] != NULL) {
-+ set_port(src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT]));
-+ }
-+
-+ if (extract_port(dst) == 0 &&
-+ mhp[SADB_X_EXT_NAT_T_DPORT] != NULL) {
-+ set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));
-+ }
-+ natt_port_forced = 0;
-+ } else {
-+ /* Force default UDP ports, so
-+ * CMPSADDR will match SAs with NO encapsulation */
- set_port(src, PORT_ISAKMP);
- set_port(dst, PORT_ISAKMP);
-+ natt_port_forced = 1;
- }
- #endif
- plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(src));
-@@ -1215,10 +1217,9 @@ purge_ipsec_spi(dst0, proto, spi, n)
- }
-
- #ifdef ENABLE_NATT
-- if (natt_type == NULL ||
-- ! natt_type->sadb_x_nat_t_type_type) {
-- /* Set back port to 0 if it was forced to default UDP port
-- */
-+ if (natt_port_forced) {
-+ /* Set back port to 0 if it was forced
-+ * to default UDP port */
- set_port(src, 0);
- set_port(dst, 0);
- }
-diff --git a/src/racoon/pfkey.c b/src/racoon/pfkey.c
-index 610cc09..c210c5e 100644
---- a/src/racoon/pfkey.c
-+++ b/src/racoon/pfkey.c
-@@ -769,6 +769,28 @@ keylen_ealg(enctype, encklen)
- return res;
- }
-
-+void
-+pk_fixup_sa_addresses(mhp)
-+ caddr_t *mhp;
-+{
-+ struct sockaddr *src, *dst;
-+ src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
-+ dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-+#ifdef ENABLE_NATT
-+ if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) {
-+ /* NAT-T is enabled for this SADB entry; copy
-+ * the ports from NAT-T extensions */
-+ if(mhp[SADB_X_EXT_NAT_T_SPORT] != NULL)
-+ set_port(src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT]));
-+ if(mhp[SADB_X_EXT_NAT_T_DPORT] != NULL)
-+ set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));
-+ }
-+#else
-+ set_port(src, 0);
-+ set_port(dst, 0);
-+#endif
-+}
-+
- int
- pfkey_convertfromipsecdoi(proto_id, t_id, hashtype,
- e_type, e_keylen, a_type, a_keylen, flags)
-@@ -866,6 +888,8 @@ pk_sendgetspi(iph2)
- struct saprop *pp;
- struct saproto *pr;
- u_int32_t minspi, maxspi;
-+ u_int8_t natt_type = 0;
-+ u_int16_t sport = 0, dport = 0;
-
- if (iph2->side == INITIATOR)
- pp = iph2->proposal;
-@@ -919,19 +943,27 @@ pk_sendgetspi(iph2)
- }
-
- #ifdef ENABLE_NATT
-- if (! pr->udp_encap) {
-- /* Remove port information, that SA doesn't use it */
-- set_port(iph2->src, 0);
-- set_port(iph2->dst, 0);
-+ if (pr->udp_encap) {
-+ natt_type = iph2->ph1->natt_options->encaps_type;
-+ sport=extract_port(src);
-+ dport=extract_port(dst);
- }
- #endif
-+ /* Always remove port information, it will be sent in
-+ * SADB_X_EXT_NAT_T_[S|D]PORT if needed */
-+ set_port(src, 0);
-+ set_port(dst, 0);
-+
- plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_getspi\n");
-- if (pfkey_send_getspi(
-+ if (pfkey_send_getspi_nat(
- lcconf->sock_pfkey,
- satype,
- mode,
- dst, /* src of SA */
- src, /* dst of SA */
-+ natt_type,
-+ dport,
-+ sport,
- minspi, maxspi,
- pr->reqid_in, iph2->seq) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
-@@ -1157,13 +1189,13 @@ pk_sendupdate(iph2)
- #ifdef SADB_X_EXT_NAT_T_FRAG
- sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
- #endif
-- } else {
-- /* Remove port information, that SA doesn't use it */
-- set_port(sa_args.src, 0);
-- set_port(sa_args.dst, 0);
- }
--
- #endif
-+ /* Always remove port information, it will be sent in
-+ * SADB_X_EXT_NAT_T_[S|D]PORT if needed */
-+ set_port(sa_args.src, 0);
-+ set_port(sa_args.dst, 0);
-+
- /* more info to fill in */
- sa_args.spi = pr->spi;
- sa_args.reqid = pr->reqid_in;
-@@ -1236,6 +1268,7 @@ pk_recvupdate(mhp)
- return -1;
- }
- msg = (struct sadb_msg *)mhp[0];
-+ pk_fixup_sa_addresses(mhp);
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
-@@ -1328,7 +1361,6 @@ pk_recvupdate(mhp)
- /* Force the update of ph2's ports, as there is at least one
- * situation where they'll mismatch with ph1's values
- */
--
- #ifdef ENABLE_NATT
- set_port(iph2->src, extract_port(iph2->ph1->local));
- set_port(iph2->dst, extract_port(iph2->ph1->remote));
-@@ -1456,17 +1488,12 @@ pk_sendadd(iph2)
- #ifdef SADB_X_EXT_NAT_T_FRAG
- sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
- #endif
-- } else {
-- /* Remove port information, that SA doesn't use it */
-- set_port(sa_args.src, 0);
-- set_port(sa_args.dst, 0);
- }
--
--#else
-- /* Remove port information, it is not used without NAT-T */
-+#endif
-+ /* Always remove port information, it will be sent in
-+ * SADB_X_EXT_NAT_T_[S|D]PORT if needed */
- set_port(sa_args.src, 0);
- set_port(sa_args.dst, 0);
--#endif
-
- /* more info to fill in */
- sa_args.spi = pr->spi_p;
-@@ -1596,6 +1623,7 @@ pk_recvexpire(mhp)
- }
- msg = (struct sadb_msg *)mhp[0];
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
-+ pk_fixup_sa_addresses(mhp);
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
-@@ -1721,6 +1749,7 @@ pk_recvacquire(mhp)
- }
- msg = (struct sadb_msg *)mhp[0];
- xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
-+ pk_fixup_sa_addresses(mhp);
- sp_src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- sp_dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
-@@ -1971,6 +2000,7 @@ pk_recvdelete(mhp)
- }
- msg = (struct sadb_msg *)mhp[0];
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
-+ pk_fixup_sa_addresses(mhp);
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
-@@ -2709,7 +2739,6 @@ pk_recvspddump(mhp)
- return -1;
- }
- msg = (struct sadb_msg *)mhp[0];
--
- saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
- daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
- xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
-diff --git a/src/racoon/pfkey.h b/src/racoon/pfkey.h
-index a3acd1c..f1b037d 100644
---- a/src/racoon/pfkey.h
-+++ b/src/racoon/pfkey.h
-@@ -52,6 +52,7 @@ extern struct pfkey_st *pfkey_getpst __P((caddr_t *, int, int));
- extern int pk_checkalg __P((int, int, int));
-
- struct ph2handle;
-+extern void pk_fixup_sa_addresses __P((caddr_t *mhp));
- extern int pk_sendgetspi __P((struct ph2handle *));
- extern int pk_sendupdate __P((struct ph2handle *));
- extern int pk_sendadd __P((struct ph2handle *));
diff --git a/main/ipsec-tools/40-cmpsaddr-cleanup.patch b/main/ipsec-tools/40-cmpsaddr-cleanup.patch
deleted file mode 100644
index c5e3e4b3..00000000
--- a/main/ipsec-tools/40-cmpsaddr-cleanup.patch
+++ /dev/null
@@ -1,1403 +0,0 @@
-Get rid of CMPSADDR hack in port comparisons. Trac #295.
-
-From: Timo Teras <timo.teras@iki.fi>
-
-
----
-
- src/racoon/admin.c | 37 ++++---
- src/racoon/grabmyaddr.c | 22 ++--
- src/racoon/handler.c | 41 +++-----
- src/racoon/handler.h | 7 -
- src/racoon/isakmp.c | 90 ++++-------------
- src/racoon/isakmp_cfg.c | 9 --
- src/racoon/isakmp_inf.c | 111 ++++-----------------
- src/racoon/isakmp_quick.c | 29 +++---
- src/racoon/nattraversal.c | 8 +-
- src/racoon/pfkey.c | 52 +++-------
- src/racoon/policy.c | 22 ++--
- src/racoon/remoteconf.c | 30 +-----
- src/racoon/remoteconf.h | 3 -
- src/racoon/sockmisc.c | 234 +++------------------------------------------
- src/racoon/sockmisc.h | 15 +--
- src/racoon/throttle.c | 2
- 16 files changed, 170 insertions(+), 542 deletions(-)
-
-
-diff --git a/src/racoon/admin.c b/src/racoon/admin.c
-index 576e191..b67e545 100644
---- a/src/racoon/admin.c
-+++ b/src/racoon/admin.c
-@@ -167,6 +167,14 @@ end:
- return error;
- }
-
-+static int admin_ph1_delete_sa(struct ph1handle *iph1, void *arg)
-+{
-+ if (iph1->status >= PHASE1ST_ESTABLISHED)
-+ isakmp_info_send_d1(iph1);
-+ purge_remote(iph1);
-+ return 0;
-+}
-+
- /*
- * main child's process.
- */
-@@ -257,7 +265,7 @@ admin_process(so2, combuf)
- break;
- }
-
-- iph1 = getph1byaddrwop(src, dst);
-+ iph1 = getph1byaddr(src, dst, 0);
- if (iph1 == NULL) {
- l_ac_errno = ENOENT;
- break;
-@@ -292,30 +300,25 @@ admin_process(so2, combuf)
-
- case ADMIN_DELETE_SA: {
- struct ph1handle *iph1;
-- struct sockaddr *dst;
-- struct sockaddr *src;
-+ struct ph1selector sel;
- char *loc, *rem;
-
-- src = (struct sockaddr *)
-+ memset(&sel, 0, sizeof(sel));
-+ sel.local = (struct sockaddr *)
- &((struct admin_com_indexes *)
- ((caddr_t)com + sizeof(*com)))->src;
-- dst = (struct sockaddr *)
-+ sel.remote = (struct sockaddr *)
- &((struct admin_com_indexes *)
- ((caddr_t)com + sizeof(*com)))->dst;
-
-- loc = racoon_strdup(saddrwop2str(src));
-- rem = racoon_strdup(saddrwop2str(dst));
-+ loc = racoon_strdup(saddr2str(sel.local));
-+ rem = racoon_strdup(saddr2str(sel.remote));
- STRDUP_FATAL(loc);
- STRDUP_FATAL(rem);
-
-- if ((iph1 = getph1byaddrwop(src, dst)) == NULL) {
-- plog(LLV_ERROR, LOCATION, NULL,
-- "phase 1 for %s -> %s not found\n", loc, rem);
-- } else {
-- if (iph1->status >= PHASE1ST_ESTABLISHED)
-- isakmp_info_send_d1(iph1);
-- purge_remote(iph1);
-- }
-+ plog(LLV_INFO, LOCATION, NULL,
-+ "admin delete-sa %s %s\n", loc, rem);
-+ enumph1(&sel, admin_ph1_delete_sa, NULL);
-
- racoon_free(loc);
- racoon_free(rem);
-@@ -360,7 +363,7 @@ admin_process(so2, combuf)
- plog(LLV_INFO, LOCATION, NULL,
- "Flushing all SAs for peer %s\n", rem);
-
-- while ((iph1 = getph1bydstaddrwop(dst)) != NULL) {
-+ while ((iph1 = getph1bydstaddr(dst)) != NULL) {
- loc = racoon_strdup(saddrwop2str(iph1->local));
- STRDUP_FATAL(loc);
-
-@@ -429,7 +432,7 @@ admin_process(so2, combuf)
- l_ac_errno = -1;
-
- /* connected already? */
-- ph1 = getph1byaddrwop(src, dst);
-+ ph1 = getph1byaddr(src, dst, 0);
- if (ph1 != NULL) {
- event_list = &ph1->evt_listeners;
- if (ph1->status == PHASE1ST_ESTABLISHED)
-diff --git a/src/racoon/grabmyaddr.c b/src/racoon/grabmyaddr.c
-index f866dd5..cb1b638 100644
---- a/src/racoon/grabmyaddr.c
-+++ b/src/racoon/grabmyaddr.c
-@@ -100,7 +100,7 @@ myaddr_configured(addr)
- return TRUE;
-
- LIST_FOREACH(cfg, &configured, chain) {
-- if (cmpsaddrstrict(addr, (struct sockaddr *) &cfg->addr) == 0)
-+ if (cmpsaddr(addr, (struct sockaddr *) &cfg->addr) == 0)
- return TRUE;
- }
-
-@@ -116,7 +116,7 @@ myaddr_open(addr, udp_encap)
-
- /* Already open? */
- LIST_FOREACH(my, &opened, chain) {
-- if (cmpsaddrstrict(addr, (struct sockaddr *) &my->addr) == 0)
-+ if (cmpsaddr(addr, (struct sockaddr *) &my->addr) == 0)
- return TRUE;
- }
-
-@@ -156,7 +156,7 @@ myaddr_open_all_configured(addr)
-
- LIST_FOREACH(cfg, &configured, chain) {
- if (addr != NULL &&
-- cmpsaddrwop(addr, (struct sockaddr *) &cfg->addr) != 0)
-+ cmpsaddr(addr, (struct sockaddr *) &cfg->addr) != 0)
- continue;
- if (!myaddr_open((struct sockaddr *) &cfg->addr, cfg->udp_encap))
- return FALSE;
-@@ -187,8 +187,8 @@ myaddr_close_all_open(addr)
- for (my = LIST_FIRST(&opened); my; my = next) {
- next = LIST_NEXT(my, chain);
-
-- if (!cmpsaddrwop((struct sockaddr *) &addr,
-- (struct sockaddr *) &my->addr))
-+ if (!cmpsaddr((struct sockaddr *) &addr,
-+ (struct sockaddr *) &my->addr))
- myaddr_delete(my);
- }
- }
-@@ -261,7 +261,7 @@ myaddr_getfd(addr)
- struct myaddr *my;
-
- LIST_FOREACH(my, &opened, chain) {
-- if (cmpsaddrstrict((struct sockaddr *) &my->addr, addr) == 0)
-+ if (cmpsaddr((struct sockaddr *) &my->addr, addr) == 0)
- return my->fd;
- }
-
-@@ -273,19 +273,13 @@ myaddr_getsport(addr)
- struct sockaddr *addr;
- {
- struct myaddr *my;
-- int bestmatch_port = -1;
-
- LIST_FOREACH(my, &opened, chain) {
-- if (cmpsaddrstrict((struct sockaddr *) &my->addr, addr) == 0)
-+ if (cmpsaddr((struct sockaddr *) &my->addr, addr) == 0)
- return extract_port((struct sockaddr *) &my->addr);
-- if (cmpsaddrwop((struct sockaddr *) &my->addr, addr) != 0)
-- continue;
-- if (bestmatch_port == -1 ||
-- extract_port((struct sockaddr *) &my->addr) == PORT_ISAKMP)
-- bestmatch_port = extract_port((struct sockaddr *) &my->addr);
- }
-
-- return bestmatch_port;
-+ return PORT_ISAKMP;
- }
-
- void
-diff --git a/src/racoon/handler.c b/src/racoon/handler.c
-index 960b5b3..b33986f 100644
---- a/src/racoon/handler.c
-+++ b/src/racoon/handler.c
-@@ -120,11 +120,11 @@ enumph1(sel, enum_func, enum_arg)
- LIST_FOREACH(p, &ph1tree, chain) {
- if (sel != NULL) {
- if (sel->local != NULL &&
-- CMPSADDR(sel->local, p->local) != 0)
-+ cmpsaddr(sel->local, p->local) != 0)
- continue;
-
- if (sel->remote != NULL &&
-- CMPSADDR(sel->remote, p->remote) != 0)
-+ cmpsaddr(sel->remote, p->remote) != 0)
- continue;
- }
-
-@@ -201,17 +201,12 @@ getph1(rmconf, local, remote, flags)
- "status %d, skipping\n", p->status);
- continue;
- }
-- if (flags & GETPH1_F_WITHOUT_PORTS) {
-- if (local != NULL && cmpsaddrwop(local, p->local) != 0)
-- continue;
-- if (remote != NULL && cmpsaddrwop(remote, p->remote) != 0)
-- continue;
-- } else {
-- if (local != NULL && CMPSADDR(local, p->local) != 0)
-- continue;
-- if (remote != NULL && CMPSADDR(remote, p->remote) != 0)
-- continue;
-- }
-+
-+ if (local != NULL && cmpsaddr(local, p->local) != 0)
-+ continue;
-+
-+ if (remote != NULL && cmpsaddr(remote, p->remote) != 0)
-+ continue;
-
- plog(LLV_DEBUG2, LOCATION, NULL, "matched\n");
- return p;
-@@ -287,8 +282,8 @@ void migrate_dying_ph12(iph1)
- if (p->status < PHASE1ST_DYING)
- continue;
-
-- if (CMPSADDR(iph1->local, p->local) == 0
-- && CMPSADDR(iph1->remote, p->remote) == 0)
-+ if (cmpsaddr(iph1->local, p->local) == 0
-+ && cmpsaddr(iph1->remote, p->remote) == 0)
- migrate_ph12(p, iph1);
- }
- }
-@@ -518,11 +513,11 @@ enumph2(sel, enum_func, enum_arg)
- continue;
-
- if (sel->src != NULL &&
-- CMPSADDR(sel->src, p->src) != 0)
-+ cmpsaddr(sel->src, p->src) != 0)
- continue;
-
- if (sel->dst != NULL &&
-- CMPSADDR(sel->dst, p->dst) != 0)
-+ cmpsaddr(sel->dst, p->dst) != 0)
- continue;
- }
-
-@@ -586,8 +581,8 @@ getph2byid(src, dst, spid)
-
- LIST_FOREACH(p, &ph2tree, chain) {
- if (spid == p->spid &&
-- cmpsaddrwild(src, p->src) == 0 &&
-- cmpsaddrwild(dst, p->dst) == 0){
-+ cmpsaddr(src, p->src) == 0 &&
-+ cmpsaddr(dst, p->dst) == 0){
- /* Sanity check to detect zombie handlers
- * XXX Sould be done "somewhere" more interesting,
- * because we have lots of getph2byxxxx(), but this one
-@@ -614,8 +609,8 @@ getph2bysaddr(src, dst)
- struct ph2handle *p;
-
- LIST_FOREACH(p, &ph2tree, chain) {
-- if (cmpsaddrstrict(src, p->src) == 0 &&
-- cmpsaddrstrict(dst, p->dst) == 0)
-+ if (cmpsaddr(src, p->src) == 0 &&
-+ cmpsaddr(dst, p->dst) == 0)
- return p;
- }
-
-@@ -918,7 +913,7 @@ getcontacted(remote)
- struct contacted *p;
-
- LIST_FOREACH(p, &ctdtree, chain) {
-- if (cmpsaddrstrict(remote, p->remote) == 0)
-+ if (cmpsaddr(remote, p->remote) == 0)
- return p;
- }
-
-@@ -997,7 +992,7 @@ check_recvdpkt(remote, local, rbuf)
- /*
- * the packet was processed before, but the remote address mismatches.
- */
-- if (cmpsaddrstrict(remote, r->remote) != 0)
-+ if (cmpsaddr(remote, r->remote) != 0)
- return 2;
-
- /*
-diff --git a/src/racoon/handler.h b/src/racoon/handler.h
-index c31753d..8f19c88 100644
---- a/src/racoon/handler.h
-+++ b/src/racoon/handler.h
-@@ -467,7 +467,6 @@ extern int enumph1 __P((struct ph1selector *ph1sel,
- void *enum_arg));
-
- #define GETPH1_F_ESTABLISHED 0x0001
--#define GETPH1_F_WITHOUT_PORTS 0x0002
-
- extern struct ph1handle *getph1 __P((struct remoteconf *rmconf,
- struct sockaddr *local,
-@@ -476,10 +475,8 @@ extern struct ph1handle *getph1 __P((struct remoteconf *rmconf,
-
- #define getph1byaddr(local, remote, est) \
- getph1(NULL, local, remote, est ? GETPH1_F_ESTABLISHED : 0)
--#define getph1byaddrwop(local, remote) \
-- getph1(NULL, local, remote, GETPH1_F_WITHOUT_PORTS)
--#define getph1bydstaddrwop(remote) \
-- getph1(NULL, NULL, remote, GETPH1_F_WITHOUT_PORTS)
-+#define getph1bydstaddr(remote) \
-+ getph1(NULL, NULL, remote, 0)
-
- #ifdef ENABLE_HYBRID
- struct ph1handle *getph1bylogin __P((char *));
-diff --git a/src/racoon/isakmp.c b/src/racoon/isakmp.c
-index fe51653..0de16d1 100644
---- a/src/racoon/isakmp.c
-+++ b/src/racoon/isakmp.c
-@@ -475,8 +475,8 @@ isakmp_main(msg, remote, local)
- /* Floating ports for NAT-T */
- if (NATT_AVAILABLE(iph1) &&
- ! (iph1->natt_flags & NAT_PORTS_CHANGED) &&
-- ((cmpsaddrstrict(iph1->remote, remote) != 0) ||
-- (cmpsaddrstrict(iph1->local, local) != 0)))
-+ ((cmpsaddr(iph1->remote, remote) != 0) ||
-+ (cmpsaddr(iph1->local, local) != 0)))
- {
- /* prevent memory leak */
- racoon_free(iph1->remote);
-@@ -517,7 +517,7 @@ isakmp_main(msg, remote, local)
- #endif
-
- /* must be same addresses in one stream of a phase at least. */
-- if (cmpsaddrstrict(iph1->remote, remote) != 0) {
-+ if (cmpsaddr(iph1->remote, remote) != 0) {
- char *saddr_db, *saddr_act;
-
- saddr_db = racoon_strdup(saddr2str(iph1->remote));
-@@ -643,7 +643,7 @@ isakmp_main(msg, remote, local)
- "exchange received.\n");
- return -1;
- }
-- if (cmpsaddrstrict(iph1->remote, remote) != 0) {
-+ if (cmpsaddr(iph1->remote, remote) != 0) {
- plog(LLV_WARNING, LOCATION, remote,
- "remote address mismatched. "
- "db=%s\n",
-@@ -1275,6 +1275,12 @@ isakmp_ph2begin_i(iph1, iph2)
- }
- #endif
-
-+ /* fixup ph2 ports for this ph1 */
-+ if (extract_port(iph2->src) == 0)
-+ set_port(iph2->src, extract_port(iph1->local));
-+ if (extract_port(iph2->dst) == 0)
-+ set_port(iph2->dst, extract_port(iph1->remote));
-+
- /* found ISAKMP-SA. */
- plog(LLV_DEBUG, LOCATION, NULL, "===\n");
- plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
-@@ -1353,15 +1359,6 @@ isakmp_ph2begin_r(iph1, msg)
- delph2(iph2);
- return -1;
- }
--#if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
-- if (set_port(iph2->dst, 0) == NULL ||
-- set_port(iph2->src, 0) == NULL) {
-- plog(LLV_ERROR, LOCATION, NULL,
-- "invalid family: %d\n", iph2->dst->sa_family);
-- delph2(iph2);
-- return -1;
-- }
--#endif
-
- /* add new entry to isakmp status table */
- insph2(iph2);
-@@ -2186,23 +2183,12 @@ isakmp_post_acquire(iph2)
- return 0;
- }
-
-- /*
-- * Search isakmp status table by address and port
-- * If NAT-T is in use, consider null ports as a
-- * wildcard and use IKE ports instead.
-+ /*
-+ * XXX Searching by IP addresses + ports might fail on
-+ * some cases, we should use the ISAKMP identity to search
-+ * matching ISAKMP.
- */
--#ifdef ENABLE_NATT
-- if (!extract_port(iph2->src) && !extract_port(iph2->dst)) {
-- if ((iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL) {
-- set_port(iph2->src, extract_port(iph1->local));
-- set_port(iph2->dst, extract_port(iph1->remote));
-- }
-- } else {
-- iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
-- }
--#else
- iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
--#endif
-
- /* no ISAKMP-SA found. */
- if (iph1 == NULL) {
-@@ -2380,26 +2366,8 @@ isakmp_chkph1there(iph2)
- return;
- }
-
-- /*
-- * Search isakmp status table by address and port
-- * If NAT-T is in use, consider null ports as a
-- * wildcard and use IKE ports instead.
-- */
--#ifdef ENABLE_NATT
-- if (!extract_port(iph2->src) && !extract_port(iph2->dst)) {
-- plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: extract_port.\n");
-- if( (iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL){
-- plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: found a ph1 wop.\n");
-- }
-- } else {
-- plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: searching byaddr.\n");
-- iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
-- if(iph1 != NULL)
-- plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: found byaddr.\n");
-- }
--#else
-+ /* Search isakmp status table by address and port */
- iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
--#endif
-
- /* XXX Even if ph1 as responder is there, should we not start
- * phase 2 negotiation ? */
-@@ -3321,20 +3289,10 @@ purge_remote(iph1)
- msg = next;
- continue;
- }
-+ pk_fixup_sa_addresses(mhp);
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
--#ifdef SADB_X_NAT_T_NEW_MAPPING
-- if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) {
-- /* NAT-T is enabled for this SADB entry; copy
-- * the ports from NAT-T extensions */
-- if(mhp[SADB_X_EXT_NAT_T_SPORT] != NULL)
-- set_port(src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT]));
-- if(mhp[SADB_X_EXT_NAT_T_DPORT] != NULL)
-- set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));
-- }
--#endif
--
- if (sa->sadb_sa_state != SADB_SASTATE_LARVAL &&
- sa->sadb_sa_state != SADB_SASTATE_MATURE &&
- sa->sadb_sa_state != SADB_SASTATE_DYING) {
-@@ -3346,22 +3304,14 @@ purge_remote(iph1)
- * check in/outbound SAs.
- * Select only SAs where src == local and dst == remote (outgoing)
- * or src == remote and dst == local (incoming).
-- * XXX we sometime have src/dst ports set to 0 and want to match
-- * iph1->local/remote with ports set to 500. This is a bug, see trac:2
- */
--#ifdef ENABLE_NATT
-- if ((cmpsaddrmagic(iph1->local, src) || cmpsaddrmagic(iph1->remote, dst)) &&
-- (cmpsaddrmagic(iph1->local, dst) || cmpsaddrmagic(iph1->remote, src))) {
-- msg = next;
-- continue;
-- }
--#else
-- if ((CMPSADDR(iph1->local, src) || CMPSADDR(iph1->remote, dst)) &&
-- (CMPSADDR(iph1->local, dst) || CMPSADDR(iph1->remote, src))) {
-+ if ((cmpsaddr(iph1->local, src) ||
-+ cmpsaddr(iph1->remote, dst)) &&
-+ (cmpsaddr(iph1->local, dst) ||
-+ cmpsaddr(iph1->remote, src))) {
- msg = next;
- continue;
- }
--#endif
-
- proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
- iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);
-diff --git a/src/racoon/isakmp_cfg.c b/src/racoon/isakmp_cfg.c
-index 62916f8..df763f8 100644
---- a/src/racoon/isakmp_cfg.c
-+++ b/src/racoon/isakmp_cfg.c
-@@ -1151,15 +1151,6 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange)
- goto end;
- }
-
--#if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
-- if (set_port(iph2->dst, 0) == NULL ||
-- set_port(iph2->src, 0) == NULL) {
-- plog(LLV_ERROR, LOCATION, NULL,
-- "invalid family: %d\n", iph1->remote->sa_family);
-- delph2(iph2);
-- goto end;
-- }
--#endif
- iph2->side = INITIATOR;
- iph2->status = PHASE2ST_START;
-
-diff --git a/src/racoon/isakmp_inf.c b/src/racoon/isakmp_inf.c
-index a712825..6fa3498 100644
---- a/src/racoon/isakmp_inf.c
-+++ b/src/racoon/isakmp_inf.c
-@@ -903,15 +903,6 @@ isakmp_info_send_common(iph1, payload, np, flags)
- delph2(iph2);
- goto end;
- }
--#if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
-- if (set_port(iph2->dst, 0) == NULL ||
-- set_port(iph2->src, 0) == NULL) {
-- plog(LLV_ERROR, LOCATION, NULL,
-- "invalid family: %d\n", iph1->remote->sa_family);
-- delph2(iph2);
-- goto end;
-- }
--#endif
- iph2->side = INITIATOR;
- iph2->status = PHASE2ST_START;
- iph2->msgid = isakmp_newmsgid2(iph1);
-@@ -1127,9 +1118,6 @@ purge_ipsec_spi(dst0, proto, spi, n)
- u_int64_t created;
- size_t i;
- caddr_t mhp[SADB_EXT_MAX + 1];
--#ifdef ENABLE_NATT
-- int natt_port_forced;
--#endif
-
- plog(LLV_DEBUG2, LOCATION, NULL,
- "purge_ipsec_spi:\n");
-@@ -1169,6 +1157,7 @@ purge_ipsec_spi(dst0, proto, spi, n)
- msg = next;
- continue;
- }
-+ pk_fixup_sa_addresses(mhp);
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
- lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
-@@ -1182,28 +1171,7 @@ purge_ipsec_spi(dst0, proto, spi, n)
- msg = next;
- continue;
- }
--#ifdef ENABLE_NATT
-- if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) {
-- /* NAT-T is enabled for this SADB entry; copy
-- * the ports from NAT-T extensions */
-- if (extract_port(src) == 0 &&
-- mhp[SADB_X_EXT_NAT_T_SPORT] != NULL) {
-- set_port(src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT]));
-- }
-
-- if (extract_port(dst) == 0 &&
-- mhp[SADB_X_EXT_NAT_T_DPORT] != NULL) {
-- set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));
-- }
-- natt_port_forced = 0;
-- } else {
-- /* Force default UDP ports, so
-- * CMPSADDR will match SAs with NO encapsulation */
-- set_port(src, PORT_ISAKMP);
-- set_port(dst, PORT_ISAKMP);
-- natt_port_forced = 1;
-- }
--#endif
- plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(src));
- plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(dst));
-
-@@ -1211,19 +1179,11 @@ purge_ipsec_spi(dst0, proto, spi, n)
-
- /* don't delete inbound SAs at the moment */
- /* XXX should we remove SAs with opposite direction as well? */
-- if (CMPSADDR(dst0, dst)) {
-+ if (cmpsaddr(dst0, dst)) {
- msg = next;
- continue;
- }
-
--#ifdef ENABLE_NATT
-- if (natt_port_forced) {
-- /* Set back port to 0 if it was forced
-- * to default UDP port */
-- set_port(src, 0);
-- set_port(dst, 0);
-- }
--#endif
- for (i = 0; i < n; i++) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "check spi(packet)=%u spi(db)=%u.\n",
-@@ -1354,37 +1314,33 @@ isakmp_info_recv_initialcontact(iph1, protectedph2)
- msg = (struct sadb_msg *)buf->v;
- end = (struct sadb_msg *)(buf->v + buf->l);
-
-- while (msg < end) {
-+ for (; msg < end; msg = next) {
- if ((msg->sadb_msg_len << 3) < sizeof(*msg))
- break;
-+
- next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3));
-- if (msg->sadb_msg_type != SADB_DUMP) {
-- msg = next;
-+ if (msg->sadb_msg_type != SADB_DUMP)
- continue;
-- }
-
- if (pfkey_align(msg, mhp) || pfkey_check(mhp)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "pfkey_check (%s)\n", ipsec_strerror());
-- msg = next;
- continue;
- }
-
- if (mhp[SADB_EXT_SA] == NULL
- || mhp[SADB_EXT_ADDRESS_SRC] == NULL
-- || mhp[SADB_EXT_ADDRESS_DST] == NULL) {
-- msg = next;
-+ || mhp[SADB_EXT_ADDRESS_DST] == NULL)
- continue;
-- }
-+
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
-+ pk_fixup_sa_addresses(mhp);
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
- if (sa->sadb_sa_state != SADB_SASTATE_MATURE
-- && sa->sadb_sa_state != SADB_SASTATE_DYING) {
-- msg = next;
-+ && sa->sadb_sa_state != SADB_SASTATE_DYING)
- continue;
-- }
-
- /*
- * RFC2407 4.6.3.3 INITIAL-CONTACT is the message that
-@@ -1394,39 +1350,18 @@ isakmp_info_recv_initialcontact(iph1, protectedph2)
- * racoon only deletes SA which is matched both the
- * source address and the destination accress.
- */
--#ifdef ENABLE_NATT
-- /*
-- * XXX RFC 3947 says that whe MUST NOT use IP+port to find old SAs
-- * from this peer !
-- */
-- if(iph1->natt_flags & NAT_DETECTED){
-- if (CMPSADDR(iph1->local, src) == 0 &&
-- CMPSADDR(iph1->remote, dst) == 0)
-- ;
-- else if (CMPSADDR(iph1->remote, src) == 0 &&
-- CMPSADDR(iph1->local, dst) == 0)
-- ;
-- else {
-- msg = next;
-- continue;
-- }
-- } else
--#endif
-- /* If there is no NAT-T, we don't have to check addr + port...
-- * XXX what about a configuration with a remote peers which is not
-- * NATed, but which NATs some other peers ?
-- * Here, the INITIAl-CONTACT would also flush all those NATed peers !!
-- */
-- if (cmpsaddrwop(iph1->local, src) == 0 &&
-- cmpsaddrwop(iph1->remote, dst) == 0)
-- ;
-- else if (cmpsaddrwop(iph1->remote, src) == 0 &&
-- cmpsaddrwop(iph1->local, dst) == 0)
-- ;
-- else {
-- msg = next;
-+
-+ /*
-+ * Check that the IP and port match. But this is not optimal,
-+ * since NAT-T can make the peer have multiple different
-+ * ports. Correct thing to do is delete all entries with
-+ * same identity. -TT
-+ */
-+ if ((cmpsaddr(iph1->local, src) != 0 ||
-+ cmpsaddr(iph1->remote, dst) != 0) &&
-+ (cmpsaddr(iph1->local, dst) != 0 ||
-+ cmpsaddr(iph1->remote, src) != 0))
- continue;
-- }
-
- /*
- * Make sure this is an SATYPE that we manage.
-@@ -1438,10 +1373,8 @@ isakmp_info_recv_initialcontact(iph1, protectedph2)
- msg->sadb_msg_satype)
- break;
- }
-- if (i == pfkey_nsatypes) {
-- msg = next;
-+ if (i == pfkey_nsatypes)
- continue;
-- }
-
- plog(LLV_INFO, LOCATION, NULL,
- "purging spi=%u.\n", ntohl(sa->sadb_sa_spi));
-@@ -1461,8 +1394,6 @@ isakmp_info_recv_initialcontact(iph1, protectedph2)
- remph2(iph2);
- delph2(iph2);
- }
--
-- msg = next;
- }
-
- vfree(buf);
-diff --git a/src/racoon/isakmp_quick.c b/src/racoon/isakmp_quick.c
-index 804c1bf..46c84c1 100644
---- a/src/racoon/isakmp_quick.c
-+++ b/src/racoon/isakmp_quick.c
-@@ -610,17 +610,19 @@ quick_i2recv(iph2, msg0)
- error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
- goto end;
- }
-+#ifdef ENABLE_NATT
-+ set_port(iph2->natoa_src,
-+ extract_port((struct sockaddr *) &proposed_addr));
-+#endif
-
-- if (cmpsaddrstrict((struct sockaddr *) &proposed_addr,
-- (struct sockaddr *) &got_addr) == 0) {
-+ if (cmpsaddr((struct sockaddr *) &proposed_addr,
-+ (struct sockaddr *) &got_addr) == 0) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "IDci matches proposal.\n");
- #ifdef ENABLE_NATT
- } else if (iph2->natoa_src != NULL
-- && cmpsaddrwop(iph2->natoa_src,
-- (struct sockaddr *) &got_addr) == 0
-- && extract_port((struct sockaddr *) &proposed_addr) ==
-- extract_port((struct sockaddr *) &got_addr)) {
-+ && cmpsaddr(iph2->natoa_src,
-+ (struct sockaddr *) &got_addr) == 0) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "IDci matches NAT-OAi.\n");
- #endif
-@@ -656,16 +658,19 @@ quick_i2recv(iph2, msg0)
- goto end;
- }
-
-- if (cmpsaddrstrict((struct sockaddr *) &proposed_addr,
-- (struct sockaddr *) &got_addr) == 0) {
-+#ifdef ENABLE_NATT
-+ set_port(iph2->natoa_dst,
-+ extract_port((struct sockaddr *) &proposed_addr));
-+#endif
-+
-+ if (cmpsaddr((struct sockaddr *) &proposed_addr,
-+ (struct sockaddr *) &got_addr) == 0) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "IDcr matches proposal.\n");
- #ifdef ENABLE_NATT
- } else if (iph2->natoa_dst != NULL
-- && cmpsaddrwop(iph2->natoa_dst,
-- (struct sockaddr *) &got_addr) == 0
-- && extract_port((struct sockaddr *) &proposed_addr) ==
-- extract_port((struct sockaddr *) &got_addr)) {
-+ && cmpsaddr(iph2->natoa_dst,
-+ (struct sockaddr *) &got_addr) == 0) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "IDcr matches NAT-OAr.\n");
- #endif
-diff --git a/src/racoon/nattraversal.c b/src/racoon/nattraversal.c
-index f23341a..92095de 100644
---- a/src/racoon/nattraversal.c
-+++ b/src/racoon/nattraversal.c
-@@ -379,8 +379,8 @@ natt_keepalive_add (struct sockaddr *src, struct sockaddr *dst)
- struct natt_ka_addrs *ka = NULL, *new_addr;
-
- TAILQ_FOREACH (ka, &ka_tree, chain) {
-- if (cmpsaddrstrict(ka->src, src) == 0 &&
-- cmpsaddrstrict(ka->dst, dst) == 0) {
-+ if (cmpsaddr(ka->src, src) == 0 &&
-+ cmpsaddr(ka->dst, dst) == 0) {
- ka->in_use++;
- plog (LLV_INFO, LOCATION, NULL, "KA found: %s (in_use=%u)\n",
- saddr2str_fromto("%s->%s", src, dst), ka->in_use);
-@@ -443,8 +443,8 @@ natt_keepalive_remove (struct sockaddr *src, struct sockaddr *dst)
- plog (LLV_DEBUG, LOCATION, NULL, "KA tree dump: %s (in_use=%u)\n",
- saddr2str_fromto("%s->%s", src, dst), ka->in_use);
-
-- if (cmpsaddrstrict(ka->src, src) == 0 &&
-- cmpsaddrstrict(ka->dst, dst) == 0 &&
-+ if (cmpsaddr(ka->src, src) == 0 &&
-+ cmpsaddr(ka->dst, dst) == 0 &&
- -- ka->in_use <= 0) {
-
- plog (LLV_DEBUG, LOCATION, NULL, "KA removing this one...\n");
-diff --git a/src/racoon/pfkey.c b/src/racoon/pfkey.c
-index c210c5e..3778ef2 100644
---- a/src/racoon/pfkey.c
-+++ b/src/racoon/pfkey.c
-@@ -774,8 +774,12 @@ pk_fixup_sa_addresses(mhp)
- caddr_t *mhp;
- {
- struct sockaddr *src, *dst;
-+
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-+ set_port(src, PORT_ISAKMP);
-+ set_port(dst, PORT_ISAKMP);
-+
- #ifdef ENABLE_NATT
- if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) {
- /* NAT-T is enabled for this SADB entry; copy
-@@ -785,9 +789,6 @@ pk_fixup_sa_addresses(mhp)
- if(mhp[SADB_X_EXT_NAT_T_DPORT] != NULL)
- set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));
- }
--#else
-- set_port(src, 0);
-- set_port(dst, 0);
- #endif
- }
-
-@@ -949,10 +950,6 @@ pk_sendgetspi(iph2)
- dport=extract_port(dst);
- }
- #endif
-- /* Always remove port information, it will be sent in
-- * SADB_X_EXT_NAT_T_[S|D]PORT if needed */
-- set_port(src, 0);
-- set_port(dst, 0);
-
- plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_getspi\n");
- if (pfkey_send_getspi_nat(
-@@ -1009,6 +1006,7 @@ pk_recvgetspi(mhp)
- }
- msg = (struct sadb_msg *)mhp[0];
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
-+ pk_fixup_sa_addresses(mhp);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); /* note SA dir */
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
-@@ -1183,18 +1181,14 @@ pk_sendupdate(iph2)
- #ifdef ENABLE_NATT
- if (pr->udp_encap) {
- sa_args.l_natt_type = iph2->ph1->natt_options->encaps_type;
-- sa_args.l_natt_sport = extract_port (iph2->ph1->remote);
-- sa_args.l_natt_dport = extract_port (iph2->ph1->local);
-+ sa_args.l_natt_sport = extract_port(iph2->ph1->remote);
-+ sa_args.l_natt_dport = extract_port(iph2->ph1->local);
- sa_args.l_natt_oa = iph2->natoa_src;
- #ifdef SADB_X_EXT_NAT_T_FRAG
- sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
- #endif
- }
- #endif
-- /* Always remove port information, it will be sent in
-- * SADB_X_EXT_NAT_T_[S|D]PORT if needed */
-- set_port(sa_args.src, 0);
-- set_port(sa_args.dst, 0);
-
- /* more info to fill in */
- sa_args.spi = pr->spi;
-@@ -1358,14 +1352,6 @@ pk_recvupdate(mhp)
- /* turn off schedule */
- sched_cancel(&iph2->scr);
-
-- /* Force the update of ph2's ports, as there is at least one
-- * situation where they'll mismatch with ph1's values
-- */
--#ifdef ENABLE_NATT
-- set_port(iph2->src, extract_port(iph2->ph1->local));
-- set_port(iph2->dst, extract_port(iph2->ph1->remote));
--#endif
--
- /*
- * since we are going to reuse the phase2 handler, we need to
- * remain it and refresh all the references between ph1 and ph2 to use.
-@@ -1418,7 +1404,7 @@ pk_sendadd(iph2)
- racoon_free(sa_args.src);
- racoon_free(sa_args.dst);
- return -1;
-- }
-+ }
-
- for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
- /* validity check */
-@@ -1490,11 +1476,6 @@ pk_sendadd(iph2)
- #endif
- }
- #endif
-- /* Always remove port information, it will be sent in
-- * SADB_X_EXT_NAT_T_[S|D]PORT if needed */
-- set_port(sa_args.src, 0);
-- set_port(sa_args.dst, 0);
--
- /* more info to fill in */
- sa_args.spi = pr->spi_p;
- sa_args.reqid = pr->reqid_out;
-@@ -1559,6 +1540,7 @@ pk_recvadd(mhp)
- return -1;
- }
- msg = (struct sadb_msg *)mhp[0];
-+ pk_fixup_sa_addresses(mhp);
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
-@@ -1749,7 +1731,9 @@ pk_recvacquire(mhp)
- }
- msg = (struct sadb_msg *)mhp[0];
- xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
-- pk_fixup_sa_addresses(mhp);
-+ /* acquire does not have nat-t ports; so do not bother setting
-+ * the default port 500; just use the port zero for wildcard
-+ * matching the get a valid natted destination */
- sp_src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- sp_dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
-@@ -2884,8 +2868,8 @@ migrate_ph1_ike_addresses(iph1, arg)
- u_int16_t port;
-
- /* Already up-to-date? */
-- if (cmpsaddrwop(iph1->local, ma->local) == 0 &&
-- cmpsaddrwop(iph1->remote, ma->remote) == 0)
-+ if (cmpsaddr(iph1->local, ma->local) == 0 &&
-+ cmpsaddr(iph1->remote, ma->remote) == 0)
- return 0;
-
- if (iph1->status < PHASE1ST_ESTABLISHED) {
-@@ -2985,8 +2969,8 @@ migrate_ph2_ike_addresses(iph2, arg)
- migrate_ph1_ike_addresses(iph2->ph1, arg);
-
- /* Already up-to-date? */
-- if (CMPSADDR(iph2->src, ma->local) == 0 &&
-- CMPSADDR(iph2->dst, ma->remote) == 0)
-+ if (cmpsaddr(iph2->src, ma->local) == 0 &&
-+ cmpsaddr(iph2->dst, ma->remote) == 0)
- return 0;
-
- /* save src/dst as sa_src/sa_dst before rewriting */
-@@ -3206,8 +3190,8 @@ migrate_ph2_one_isr(spid, isr_cur, xisr_old, xisr_new)
- "changing address families (%d to %d) for endpoints.\n",
- osaddr->sa_family, nsaddr->sa_family);
-
-- if (CMPSADDR(osaddr, (struct sockaddr *)&saidx->src) ||
-- CMPSADDR(odaddr, (struct sockaddr *)&saidx->dst)) {
-+ if (cmpsaddr(osaddr, (struct sockaddr *) &saidx->src) ||
-+ cmpsaddr(odaddr, (struct sockaddr *) &saidx->dst)) {
- plog(LLV_DEBUG, LOCATION, NULL, "SADB_X_MIGRATE: "
- "mismatch of addresses in saidx and xisr.\n");
- return -1;
-diff --git a/src/racoon/policy.c b/src/racoon/policy.c
-index 850fa6b..058753f 100644
---- a/src/racoon/policy.c
-+++ b/src/racoon/policy.c
-@@ -141,16 +141,18 @@ getsp_r(spidx, iph2)
- saddr2str(iph2->src));
- plog(LLV_DEBUG, LOCATION, NULL, "src2: %s\n",
- saddr2str((struct sockaddr *)&spidx->src));
-- if (cmpsaddrwop(iph2->src, (struct sockaddr *)&spidx->src)
-- || spidx->prefs != prefixlen)
-+
-+ if (cmpsaddr(iph2->src, (struct sockaddr *) &spidx->src) ||
-+ spidx->prefs != prefixlen)
- return NULL;
-
- plog(LLV_DEBUG, LOCATION, NULL, "dst1: %s\n",
- saddr2str(iph2->dst));
- plog(LLV_DEBUG, LOCATION, NULL, "dst2: %s\n",
- saddr2str((struct sockaddr *)&spidx->dst));
-- if (cmpsaddrwop(iph2->dst, (struct sockaddr *)&spidx->dst)
-- || spidx->prefd != prefixlen)
-+
-+ if (cmpsaddr(iph2->dst, (struct sockaddr *) &spidx->dst) ||
-+ spidx->prefd != prefixlen)
- return NULL;
-
- plog(LLV_DEBUG, LOCATION, NULL, "looks to be transport mode\n");
-@@ -198,11 +200,11 @@ cmpspidxstrict(a, b)
- || a->ul_proto != b->ul_proto)
- return 1;
-
-- if (cmpsaddrstrict((struct sockaddr *)&a->src,
-- (struct sockaddr *)&b->src))
-+ if (cmpsaddr((struct sockaddr *) &a->src,
-+ (struct sockaddr *) &b->src))
- return 1;
-- if (cmpsaddrstrict((struct sockaddr *)&a->dst,
-- (struct sockaddr *)&b->dst))
-+ if (cmpsaddr((struct sockaddr *) &a->dst,
-+ (struct sockaddr *) &b->dst))
- return 1;
-
- #ifdef HAVE_SECCTX
-@@ -259,7 +261,7 @@ cmpspidxwild(a, b)
- a, b->prefs, saddr2str((struct sockaddr *)&sa1));
- plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
- b, b->prefs, saddr2str((struct sockaddr *)&sa2));
-- if (cmpsaddrwild((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
-+ if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
- return 1;
-
- #ifndef __linux__
-@@ -277,7 +279,7 @@ cmpspidxwild(a, b)
- a, b->prefd, saddr2str((struct sockaddr *)&sa1));
- plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
- b, b->prefd, saddr2str((struct sockaddr *)&sa2));
-- if (cmpsaddrwild((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
-+ if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
- return 1;
-
- #ifdef HAVE_SECCTX
-diff --git a/src/racoon/remoteconf.c b/src/racoon/remoteconf.c
-index 73d80bc..88c622c 100644
---- a/src/racoon/remoteconf.c
-+++ b/src/racoon/remoteconf.c
-@@ -200,15 +200,9 @@ rmconf_match_type(rmsel, rmconf)
- /* Check address */
- if (rmsel->remote != NULL) {
- if (rmconf->remote->sa_family != AF_UNSPEC) {
-- if (rmsel->flags & GETRMCONF_F_NO_PORTS) {
-- if (cmpsaddrwop(rmsel->remote,
-- rmconf->remote) != 0)
-- return 0;
-- } else {
-- if (cmpsaddrstrict(rmsel->remote,
-- rmconf->remote) != 0)
-- return 0;
-- }
-+ if (cmpsaddr(rmsel->remote, rmconf->remote) != 0)
-+ return 0;
-+
- /* Address matched */
- ret = 2;
- }
-@@ -262,7 +256,7 @@ void rmconf_selector_from_ph1(rmsel, iph1)
- struct ph1handle *iph1;
- {
- memset(rmsel, 0, sizeof(*rmsel));
-- rmsel->flags = GETRMCONF_F_NO_PORTS;
-+ rmsel->flags = 0;
- rmsel->remote = iph1->remote;
- rmsel->etype = iph1->etype;
- rmsel->approval = iph1->approval;
-@@ -357,22 +351,8 @@ getrmconf(remote, flags)
- int n = 0;
-
- memset(&ctx, 0, sizeof(ctx));
-- ctx.sel.flags = flags | GETRMCONF_F_NO_PORTS;
-+ ctx.sel.flags = flags;
- ctx.sel.remote = remote;
--#ifndef ENABLE_NATT
-- /*
-- * We never have ports set in our remote configurations, but when
-- * NAT-T is enabled, the kernel can have policies with ports and
-- * send us an acquire message for a destination that has a port set.
-- * If we do this port check here, we don't find the remote config.
-- *
-- * In an ideal world, we would be able to have remote conf with
-- * port, and the port could be a wildcard. That test could be used.
-- */
-- if (remote->sa_family != AF_UNSPEC &&
-- extract_port(remote) != IPSEC_PORT_ANY)
-- ctx.sel.flags &= ~GETRMCONF_F_NO_PORTS;
--#endif /* ENABLE_NATT */
-
- if (enumrmconf(&ctx.sel, rmconf_find, &ctx) != 0) {
- plog(LLV_ERROR, LOCATION, remote,
-diff --git a/src/racoon/remoteconf.h b/src/racoon/remoteconf.h
-index 38faf03..b2e9e4a 100644
---- a/src/racoon/remoteconf.h
-+++ b/src/racoon/remoteconf.h
-@@ -189,8 +189,7 @@ extern int enumrmconf __P((struct rmconfselector *rmsel,
- void *enum_arg));
-
- #define GETRMCONF_F_NO_ANONYMOUS 0x0001
--#define GETRMCONF_F_NO_PORTS 0x0002
--#define GETRMCONF_F_NO_PASSIVE 0x0004
-+#define GETRMCONF_F_NO_PASSIVE 0x0002
-
- #define RMCONF_ERR_MULTIPLE ((struct remoteconf *) -1)
-
-diff --git a/src/racoon/sockmisc.c b/src/racoon/sockmisc.c
-index 5c1f9c7..2bc2177 100644
---- a/src/racoon/sockmisc.c
-+++ b/src/racoon/sockmisc.c
-@@ -80,87 +77,28 @@
- const int niflags = 0;
-
- /*
-- * compare two sockaddr without port number.
-- * OUT: 0: equal.
-- * 1: not equal.
-- */
--int
--cmpsaddrwop(addr1, addr2)
-- const struct sockaddr *addr1;
-- const struct sockaddr *addr2;
--{
-- caddr_t sa1, sa2;
--
-- if (addr1 == 0 && addr2 == 0)
-- return 0;
-- if (addr1 == 0 || addr2 == 0)
-- return 1;
--
--#ifdef __linux__
-- if (addr1->sa_family != addr2->sa_family)
-- return 1;
--#else
-- if (addr1->sa_len != addr2->sa_len
-- || addr1->sa_family != addr2->sa_family)
-- return 1;
--
--#endif /* __linux__ */
--
-- switch (addr1->sa_family) {
-- case AF_UNSPEC:
-- break;
-- case AF_INET:
-- sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr;
-- sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
-- if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
-- return 1;
-- break;
--#ifdef INET6
-- case AF_INET6:
-- sa1 = (caddr_t)&((struct sockaddr_in6 *)addr1)->sin6_addr;
-- sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
-- if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
-- return 1;
-- if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
-- ((struct sockaddr_in6 *)addr2)->sin6_scope_id)
-- return 1;
-- break;
--#endif
-- default:
-- return 1;
-- }
--
-- return 0;
--}
--
--/*
- * compare two sockaddr with port, taking care wildcard.
- * addr1 is a subject address, addr2 is in a database entry.
- * OUT: 0: equal.
- * 1: not equal.
- */
- int
--cmpsaddrwild(addr1, addr2)
-+cmpsaddr(addr1, addr2)
- const struct sockaddr *addr1;
- const struct sockaddr *addr2;
- {
- caddr_t sa1, sa2;
- u_short port1, port2;
-
-- if (addr1 == 0 && addr2 == 0)
-- return 0;
-- if (addr1 == 0 || addr2 == 0)
-- return 1;
-+ if (addr1 == NULL && addr2 == NULL)
-+ return CMPSADDR_MATCH;
-
--#ifdef __linux__
-- if (addr1->sa_family != addr2->sa_family)
-- return 1;
--#else
-- if (addr1->sa_len != addr2->sa_len
-- || addr1->sa_family != addr2->sa_family)
-- return 1;
-+ if (addr1 == NULL || addr2 == NULL)
-+ return CMPSADDR_MISMATCH;
-
--#endif /* __linux__ */
-+ if (addr1->sa_family != addr2->sa_family ||
-+ sysdep_sa_len(addr1) != sysdep_sa_len(addr2))
-+ return CMPSADDR_MISMATCH;
-
- switch (addr1->sa_family) {
- case AF_UNSPEC:
-@@ -170,12 +108,8 @@ cmpsaddrwild(addr1, addr2)
- sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
- port1 = ((struct sockaddr_in *)addr1)->sin_port;
- port2 = ((struct sockaddr_in *)addr2)->sin_port;
-- if (!(port1 == IPSEC_PORT_ANY ||
-- port2 == IPSEC_PORT_ANY ||
-- port1 == port2))
-- return 1;
- if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
-- return 1;
-+ return CMPSADDR_MISMATCH;
- break;
- #ifdef INET6
- case AF_INET6:
-@@ -183,155 +117,23 @@ cmpsaddrwild(addr1, addr2)
- sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
- port1 = ((struct sockaddr_in6 *)addr1)->sin6_port;
- port2 = ((struct sockaddr_in6 *)addr2)->sin6_port;
-- if (!(port1 == IPSEC_PORT_ANY ||
-- port2 == IPSEC_PORT_ANY ||
-- port1 == port2))
-- return 1;
- if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
-- return 1;
-+ return CMPSADDR_MISMATCH;
- if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
- ((struct sockaddr_in6 *)addr2)->sin6_scope_id)
-- return 1;
-+ return CMPSADDR_MISMATCH;
- break;
- #endif
- default:
-- return 1;
-+ return CMPSADDR_MISMATCH;
- }
-
-- return 0;
--}
--
--/*
-- * compare two sockaddr with port, taking care specific situation:
-- * one addr has 0 as port, and the other has 500 (network order), return equal
-- * OUT: 0: equal.
-- * 1: not equal.
-- */
--int
--cmpsaddrmagic(addr1, addr2)
-- const struct sockaddr *addr1;
-- const struct sockaddr *addr2;
--{
-- caddr_t sa1, sa2;
-- u_short port1, port2;
--
-- if (addr1 == 0 && addr2 == 0)
-- return 0;
-- if (addr1 == 0 || addr2 == 0)
-- return 1;
--
--#ifdef __linux__
-- if (addr1->sa_family != addr2->sa_family)
-- return 1;
--#else
-- if (addr1->sa_len != addr2->sa_len
-- || addr1->sa_family != addr2->sa_family)
-- return 1;
-+ if (port1 == port2 ||
-+ port1 == IPSEC_PORT_ANY ||
-+ port2 == IPSEC_PORT_ANY)
-+ return CMPSADDR_MATCH;
-
--#endif /* __linux__ */
--
-- switch (addr1->sa_family) {
-- case AF_UNSPEC:
-- break;
-- case AF_INET:
-- sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr;
-- sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
-- port1 = ((struct sockaddr_in *)addr1)->sin_port;
-- port2 = ((struct sockaddr_in *)addr2)->sin_port;
-- plog(LLV_DEBUG, LOCATION, NULL, "cmpsaddr_magic: port1 == %d, port2 == %d\n", port1, port2);
-- if (!((port1 == IPSEC_PORT_ANY && port2 == ntohs(PORT_ISAKMP)) ||
-- (port2 == IPSEC_PORT_ANY && port1 == ntohs(PORT_ISAKMP)) ||
-- (port1 == port2))){
-- plog(LLV_DEBUG, LOCATION, NULL, "cmpsaddr_magic: ports mismatch\n");
-- return 1;
-- }
-- plog(LLV_DEBUG, LOCATION, NULL, "cmpsaddr_magic: ports matched\n");
-- if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
-- return 1;
-- break;
--#ifdef INET6
-- case AF_INET6:
-- sa1 = (caddr_t)&((struct sockaddr_in6 *)addr1)->sin6_addr;
-- sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
-- port1 = ((struct sockaddr_in6 *)addr1)->sin6_port;
-- port2 = ((struct sockaddr_in6 *)addr2)->sin6_port;
-- if (!((port1 == IPSEC_PORT_ANY && port2 == PORT_ISAKMP) ||
-- (port2 == IPSEC_PORT_ANY && port1 == PORT_ISAKMP) ||
-- (port1 == port2)))
-- return 1;
-- if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
-- return 1;
-- if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
-- ((struct sockaddr_in6 *)addr2)->sin6_scope_id)
-- return 1;
-- break;
--#endif
-- default:
-- return 1;
-- }
--
-- return 0;
--}
--
--/*
-- * compare two sockaddr with strict match on port.
-- * OUT: 0: equal.
-- * 1: not equal.
-- */
--int
--cmpsaddrstrict(addr1, addr2)
-- const struct sockaddr *addr1;
-- const struct sockaddr *addr2;
--{
-- caddr_t sa1, sa2;
-- u_short port1, port2;
--
-- if (addr1 == 0 && addr2 == 0)
-- return 0;
-- if (addr1 == 0 || addr2 == 0)
-- return 1;
--
--#ifdef __linux__
-- if (addr1->sa_family != addr2->sa_family)
-- return 1;
--#else
-- if (addr1->sa_len != addr2->sa_len
-- || addr1->sa_family != addr2->sa_family)
-- return 1;
--
--#endif /* __linux__ */
--
-- switch (addr1->sa_family) {
-- case AF_INET:
-- sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr;
-- sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
-- port1 = ((struct sockaddr_in *)addr1)->sin_port;
-- port2 = ((struct sockaddr_in *)addr2)->sin_port;
-- if (port1 != port2)
-- return 1;
-- if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
-- return 1;
-- break;
--#ifdef INET6
-- case AF_INET6:
-- sa1 = (caddr_t)&((struct sockaddr_in6 *)addr1)->sin6_addr;
-- sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
-- port1 = ((struct sockaddr_in6 *)addr1)->sin6_port;
-- port2 = ((struct sockaddr_in6 *)addr2)->sin6_port;
-- if (port1 != port2)
-- return 1;
-- if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
-- return 1;
-- if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
-- ((struct sockaddr_in6 *)addr2)->sin6_scope_id)
-- return 1;
-- break;
--#endif
-- default:
-- return 1;
-- }
--
-- return 0;
-+ return CMPSADDR_WOP_MATCH;
- }
-
- /* get local address against the destination. */
-@@ -1129,7 +931,7 @@ naddr_score(const struct netaddr *naddr, const struct sockaddr *saddr)
- free(a2);
- free(a3);
- }
-- if (cmpsaddrwop(&sa, &naddr->sa.sa) == 0)
-+ if (cmpsaddr(&sa, &naddr->sa.sa) == 0)
- return naddr->prefix + port_score;
-
- return -1;
-diff --git a/src/racoon/sockmisc.h b/src/racoon/sockmisc.h
-index fcc286f..0a58f44 100644
---- a/src/racoon/sockmisc.h
-+++ b/src/racoon/sockmisc.h
-@@ -54,16 +54,11 @@ struct netaddr {
-
- extern const int niflags;
-
--extern int cmpsaddrwop __P((const struct sockaddr *, const struct sockaddr *));
--extern int cmpsaddrwild __P((const struct sockaddr *, const struct sockaddr *));
--extern int cmpsaddrstrict __P((const struct sockaddr *, const struct sockaddr *));
--extern int cmpsaddrmagic __P((const struct sockaddr *, const struct sockaddr *));
--
--#ifdef ENABLE_NATT
--#define CMPSADDR(saddr1, saddr2) cmpsaddrstrict((saddr1), (saddr2))
--#else
--#define CMPSADDR(saddr1, saddr2) cmpsaddrwop((saddr1), (saddr2))
--#endif
-+#define CMPSADDR_MATCH 0
-+#define CMPSADDR_WOP_MATCH 1
-+#define CMPSADDR_MISMATCH 2
-+
-+extern int cmpsaddr __P((const struct sockaddr *, const struct sockaddr *));
-
- extern struct sockaddr *getlocaladdr __P((struct sockaddr *));
-
-diff --git a/src/racoon/throttle.c b/src/racoon/throttle.c
-index 5ab62c3..64b566b 100644
---- a/src/racoon/throttle.c
-+++ b/src/racoon/throttle.c
-@@ -104,7 +104,7 @@ restart:
- goto restart;
- }
-
-- if (cmpsaddrwop(addr, (struct sockaddr *)&te->host) == 0) {
-+ if (cmpsaddr(addr, (struct sockaddr *) &te->host) == 0) {
- found = 1;
- break;
- }
diff --git a/main/ipsec-tools/50-reverse-connect.patch b/main/ipsec-tools/50-reverse-connect.patch
index c49eae34..f29c3d50 100644
--- a/main/ipsec-tools/50-reverse-connect.patch
+++ b/main/ipsec-tools/50-reverse-connect.patch
@@ -125,9 +125,9 @@ index b33986f..9fd3817 100644
+ * to firewall or nat */
+ if (iph1->side == RESPONDER && p->side == INITIATOR &&
+ p->status < PHASE1ST_MSG3RECEIVED) {
++ /* Do not delete ph1, since if the node is not NATted,
++ * and we delete it we might get phase2's lost */
+ evt_list_move(&p->evt_listeners, &iph1->evt_listeners);
-+ remph1(p);
-+ delph1(p);
+ }
}
}
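Review bot: With `remph1(p)` and `delph1(p)` removed, the half-open initiator handle `p` stays registered after its listeners are moved to `iph1`, and the new comment does not say what eventually frees it. Presumably `p` is reclaimed through its own phase 1 timeout, but that is not visible in this hunk, which sits inside a larger function. I would extend the comment to say so, e.g. `/* p is left to expire through its own timer; only its event listeners are handed over */`, so a later reader does not take the missing delete for a leak.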
diff --git a/main/ipsec-tools/APKBUILD b/main/ipsec-tools/APKBUILD
index f7a78026..db1d28bf 100644
--- a/main/ipsec-tools/APKBUILD
+++ b/main/ipsec-tools/APKBUILD
@@ -1,8 +1,8 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=ipsec-tools
-pkgver=0.8_alpha20090422
-_myver=0.8-alpha20090422
-pkgrel=1
+pkgver=0.8_alpha20090820
+_myver=0.8-alpha20090820
+pkgrel=0
pkgdesc="User-space IPsec tools for various IPsec implementations"
url="http://ipsec-tools.sourceforge.net/"
license="BSD"
@@ -12,10 +12,7 @@ subpackages="$pkgname-doc $pkgname-dev"
source="http://downloads.sourceforge.net/$pkgname/$pkgname-$_myver.tar.gz
racoon.initd
racoon.confd
- 00-verify-cert-leak.patch
- 20-natoa-fix.patch
- 30-natt-ports-cleanup.patch
- 40-cmpsaddr-cleanup.patch
+ 10-rekey-ph1hint.patch
50-reverse-connect.patch
60-debug-quick.patch
"
@@ -48,12 +45,9 @@ build() {
install -D -m644 ../racoon.confd "$pkgdir"/etc/conf.d/racoon
}
-md5sums="8327401b5d1aa91e9c554d2cc536f823 ipsec-tools-0.8-alpha20090422.tar.gz
+md5sums="8b79f9e773043a47d636b4c6f59b84eb ipsec-tools-0.8-alpha20090820.tar.gz
fce62b52b598be268e27609f470f8e9b racoon.initd
2d00250cf72da7f2f559c91b65a48747 racoon.confd
-e0abf570c29519e8e36406dfc3bbe3c8 00-verify-cert-leak.patch
-2adb8796c75f62811b08c8370c75312c 20-natoa-fix.patch
-17b3f05426537afa1e94947c39b10163 30-natt-ports-cleanup.patch
-5fcaf5a01340132d4bfe55997bc5c60b 40-cmpsaddr-cleanup.patch
-91eb6da2726c4ed83df990f6908a7553 50-reverse-connect.patch
+4ee586cc6c6f1e0dd7a8bd9da0f5111d 10-rekey-ph1hint.patch
+13bda94a598aabf593280e04ea16065d 50-reverse-connect.patch
baa13d7f0f48955c792f7fcd42a8587a 60-debug-quick.patch"
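Review bot: The checksums for `00-verify-cert-leak.patch`, `20-natoa-fix.patch`, `30-natt-ports-cleanup.patch` and `40-cmpsaddr-cleanup.patch` are dropped here, matching their removal from `source=` in the hunk above, but nothing in the APKBUILD records that the alpha20090820 snapshot already contains those fixes. Presumably they were merged upstream; that cannot be confirmed from this diff. I would add a comment above `source=` such as `# 00, 20, 30, 40 patches dropped: included upstream in alpha20090820`, after checking the new tarball for the certificate-verification fix in particular.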
diff --git a/main/lvm2/APKBUILD b/main/lvm2/APKBUILD
index d113a383..d9939174 100644
--- a/main/lvm2/APKBUILD
+++ b/main/lvm2/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=lvm2
pkgver=2.02.48
-pkgrel=0
+pkgrel=1
pkgdesc="Logical Volume Manager 2 utilities"
url="http://sourceware.org/lvm2/"
license="GPL"
@@ -10,7 +10,7 @@ makedepends="readline-dev"
source="ftp://sources.redhat.com/pub/$pkgname/LVM2.$pkgver.tgz
lvm.initd
"
-subpackages="$pkgname-dev $pkgname-doc"
+subpackages="$pkgname-dev $pkgname-doc device-mapper:dm"
build () {
cd "$srcdir"/LVM2.$pkgver
@@ -31,5 +31,13 @@ build () {
install -d "$pkgdir"/etc/lvm/archive "$pkgdir"/etc/lvm/backup
install -Dm755 "$srcdir"/lvm.initd "$pkgdir"/etc/init.d/lvm
}
+
+dm() {
+ pkgdesc="Device mapper userspace library and tools from LVM2"
+ mkdir -p "$subpkgdir"/sbin
+ mv "$pkgdir"/lib "$subpkgdir"/
+ mv "$pkgdir"/sbin/dm* "$subpkgdir"/sbin/
+}
+
md5sums="0d24c2709f439eeca36261e5cea68330 LVM2.2.02.48.tgz
e60d88f78eedb9c1252deb5b9b9b978b lvm.initd"
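Review bot: Neither `mv` in the new `dm()` is checked, so a failed move (for instance `"$pkgdir"/sbin/dm*` matching nothing) would leave an empty or partial device-mapper subpackage without failing the build, assuming abuild does not run these functions under `set -e`. The `bookmarks()` split in main/ncftp/APKBUILD in this same commit ends each step with `|| return 1`; the equivalent here is `mv "$pkgdir"/lib "$subpkgdir"/ || return 1` and `mv "$pkgdir"/sbin/dm* "$subpkgdir"/sbin/ || return 1`. Moving the whole of `"$pkgdir"/lib` also hands every library installed there to device-mapper, which deserves a one-line comment if it is intended.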
diff --git a/main/mkinitfs/APKBUILD b/main/mkinitfs/APKBUILD
index 72cc58bc..685c151a 100644
--- a/main/mkinitfs/APKBUILD
+++ b/main/mkinitfs/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=mkinitfs
-pkgver=2.0_rc2
+pkgver=2.0_rc3
pkgrel=0
pkgdesc="Tool to generate initramfs images for Alpine"
url=http://git.alpinelinux.org/cgit/mkinitfs
@@ -15,4 +15,4 @@ build() {
make
make install DESTDIR="$pkgdir" || return 1
}
-md5sums="0c9ede9aa7a2e292cc70144993278ee0 mkinitfs-2.0_rc2.tar.bz2"
+md5sums="7f0e2ec039d10a01f46a7a049d6cbea0 mkinitfs-2.0_rc3.tar.bz2"
diff --git a/main/mkinitfs/mkinitfs.trigger b/main/mkinitfs/mkinitfs.trigger
new file mode 100644
index 00000000..be15f52f
--- /dev/null
+++ b/main/mkinitfs/mkinitfs.trigger
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+for i in "$@"; do
+ # get last element in path
+ kver=${i##*/}
+ mkinitfs $kver
+done
+
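Review bot: `mkinitfs $kver` passes the kernel version unquoted and ignores the command's result, so a trigger path with unusual characters is word-split and a failed initramfs build goes unreported unless it happens on the last iteration. I would write `mkinitfs "$kver" || rc=1`, with `rc` set to 0 before the loop and the script ending in `exit $rc`. A path ending in `/` also leaves `kver` empty; what `mkinitfs` does without an argument is not visible here, so a guard such as `[ -n "$kver" ] || continue` ahead of the call would be safer.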
diff --git a/main/ncftp/APKBUILD b/main/ncftp/APKBUILD
index 4a43f458..4495c559 100644
--- a/main/ncftp/APKBUILD
+++ b/main/ncftp/APKBUILD
@@ -1,15 +1,14 @@
# Maintainer: Carlo Landmeter <clandmeter at gmail>
pkgname=ncftp
-pkgver=3.2.2
-pkgrel=1
+pkgver=3.2.3
+pkgrel=0
pkgdesc="A set of free application programs implementing FTP"
url="http://www.ncftp.com/"
license="custom"
-depends="uclibc"
+depends=
makedepends="ncurses-dev"
install="$pkgname.post-install"
-source="ftp://ftp.$pkgname.com/$pkgname/$pkgname-$pkgver-src.tar.bz2
-$pkgname.post-install"
+source="ftp://ftp.$pkgname.com/$pkgname/$pkgname-$pkgver-src.tar.bz2"
subpackages="$pkgname-doc $pkgname-bookmarks"
build () {
@@ -28,11 +27,9 @@ build () {
}
bookmarks () {
- depends="ncurses"
install=""
mkdir -p "$subpkgdir"/usr/bin || return 1
mv "$pkgdir"/usr/bin/ncftpbookmarks "$subpkgdir"/usr/bin/ || return 1
}
-md5sums="b2b4b2fd38c81754b8f13895d784d491 ncftp-3.2.2-src.tar.bz2
-b2f4e60fb769c6c9461f28979efa087d ncftp.post-install"
+md5sums="fac4aa169e1734e8d9617afd4a9b51e5 ncftp-3.2.3-src.tar.bz2"
diff --git a/main/openrc/APKBUILD b/main/openrc/APKBUILD
index 415f24a5..c0c3ec3b 100644
--- a/main/openrc/APKBUILD
+++ b/main/openrc/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=openrc
pkgver=0.5.0
-pkgrel=6
+pkgrel=7
pkgdesc="OpenRC manages the services, startup and shutdown of a host"
url="http://roy.marples.name/openrc"
license='BSD-2'
@@ -50,7 +50,7 @@ c32e15b0858eef708497e7ee6355a055 hostname.initd
b1e64885f301166df30be3e3cf5338ff hwdrivers.initd
33ca3e558c42cdd17adccbc7807298f7 keymaps.initd
098a1f16812f56fcb56eb6b6f0fa31f6 modules.initd
-c77cb4a67aa7ef40dfb12dd1ff5bf5e2 modloop.initd
+4c69d1c6a84cbe0195496c14a757579b modloop.initd
747168eee535e845179eaef5a3fcb334 networking.initd
71d823acc9935a8ac82649a94b5bc0b9 openrc.post-install
393ff61bc0bf2c07f9af81795554c584 openrc.post-upgrade"
diff --git a/main/openrc/modloop.initd b/main/openrc/modloop.initd
index c32e1f49..cf46c98d 100644
--- a/main/openrc/modloop.initd
+++ b/main/openrc/modloop.initd
@@ -77,11 +77,16 @@ start() {
}
stop() {
+ local rc=0
find_media
[ -z "$alpine_dev" ] && return 0
ebegin "Unmounting loopback device for kernel modules"
- umount -d /.modloop &&\
- umount $alpine_mnt 2>/dev/null
- eend $?
+ if mountinfo --quiet /.modloop; then
+ umount -d /.modloop || rc=1
+ fi
+ if mountinfo --quiet $alpine_mnt; then
+ umount $alpine_mnt || rc=1
+ fi
+ eend $rc
}
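Review bot: `$alpine_mnt` is expanded unquoted in both `mountinfo --quiet $alpine_mnt` and `umount $alpine_mnt`, and only `$alpine_dev` is checked for emptiness before them. If `find_media` (defined outside this hunk) can leave `alpine_mnt` empty, `mountinfo` is called with no mount point and its answer no longer refers to the media mount. I would make the second test `if [ -n "$alpine_mnt" ] && mountinfo --quiet "$alpine_mnt"; then` and quote the `umount` argument as well.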
diff --git a/main/openssl/APKBUILD b/main/openssl/APKBUILD
index f758f255..69a1db15 100644
--- a/main/openssl/APKBUILD
+++ b/main/openssl/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=openssl
pkgver=0.9.8k
-pkgrel=6
+pkgrel=7
pkgdesc="Toolkit for SSL v2/v3 and TLS v1"
url=http://openssl.org
depends=
@@ -24,7 +24,7 @@ build() {
patch -p1 < $i || return 1
done
- ./config --prefix=/usr --openssldir=/etc/ssl shared
+ ./config --prefix=/usr --openssldir=/etc/ssl shared enable-montasm
make -j1 || return 1
make -j1 INSTALL_PREFIX="$pkgdir" MANDIR=/usr/share/man install
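Review bot: The changed `./config` line has no `|| return 1`, unlike the `patch` and `make -j1` steps around it, so a configuration failure (for example the new `enable-montasm` being rejected) is only caught indirectly by the later `make`. I would write `./config --prefix=/usr --openssldir=/etc/ssl shared enable-montasm || return 1`. As far as I know the option switches on an assembler multiplication path that this release leaves off by default, so a short comment above the line saying why it is enabled would help the next packager of a crypto library. `build()` starts and ends outside this hunk.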
diff --git a/main/postgresql/APKBUILD b/main/postgresql/APKBUILD
index 205c3f89..2c3266bc 100644
--- a/main/postgresql/APKBUILD
+++ b/main/postgresql/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=postgresql
pkgver=8.4.0
-pkgrel=0
+pkgrel=1
pkgdesc="A sophisticated object-relational DBMS"
url="http://www.postgresql.org/"
license="BSD"
@@ -12,7 +12,6 @@ subpackages="$pkgname-dev $pkgname-doc libpq $pkgname-client"
source="ftp://ftp.$pkgname.org/pub/source/v$pkgver/$pkgname-$pkgver.tar.bz2
$pkgname.initd
$pkgname.confd
- $install
"
build() {
@@ -49,5 +48,4 @@ client() {
md5sums="1f172d5f60326e972837f58fa5acd130 postgresql-8.4.0.tar.bz2
6dd7bd7c97252312357a255237115b38 postgresql.initd
-6218755fde294b7d17b77d280a9c9106 postgresql.confd
-a5c671b718f7adc9735b1ed89a5c26e1 postgresql.pre-upgrade"
+6218755fde294b7d17b77d280a9c9106 postgresql.confd"
diff --git a/main/postgresql/postgresql.pre-upgrade b/main/postgresql/postgresql.pre-upgrade
index 358e9986..989e0216 100644
--- a/main/postgresql/postgresql.pre-upgrade
+++ b/main/postgresql/postgresql.pre-upgrade
@@ -1,8 +1,9 @@
#!/bin/sh
-current="$1"
-compare=$(apk version -t $current 8.4)
+new="$1"
+old="$2"
+compare=$(apk version -t "$old" 8.4)
# check if we upgrade from earlier than 8.4 and if it is running
if [ "$compare" != "<" ] || ! /etc/init.d/postgresql --quiet status; then
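Review bot: `old` is taken from `$2` without checking that it was passed, so when the script is run with a single argument, as the previous version expected, the result of `apk version -t "" 8.4` decides the outcome. If that prints anything other than `<`, the first half of the `if` is true and the branch is taken; its body lies outside this hunk, but it presumably skips the dump warning. If the one-argument form still has to work, `old="${2:-$1}"` keeps it, and a comment such as `# $1 = new version, $2 = installed version` would document the order. `new` is assigned but not used in the lines shown.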
@@ -23,7 +24,7 @@ cat <<EOF
* /etc/init.d/postgresql stop
* apk add -u postgresql
* /etc/init.d/postgresql setup
-* /etc/init.d/postgresl start
+* /etc/init.d/postgresql start
* psql -U ${PGUSER:-postgres} -f dumpfile
*
EOF
diff --git a/main/subversion/APKBUILD b/main/subversion/APKBUILD
index 538f77d0..b965cc2a 100644
--- a/main/subversion/APKBUILD
+++ b/main/subversion/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=subversion
-pkgver=1.6.3
+pkgver=1.6.4
pkgrel=0
pkgdesc="Replacement for CVS, another versioning system (svn)"
url="http://subversion.tigris.org/"
@@ -10,7 +10,7 @@ makedepends="apr-dev apr-util-dev expat-dev neon-dev openssl-dev zlib-dev
e2fsprogs-dev sqlite-dev"
install="$pkgname.pre-install"
subpackages="$pkgname-dev $pkgname-doc"
-source="http://svn.collab.net/tarballs/$pkgname-$pkgver.tar.gz
+source="http://subversion.tigris.org/downloads/subversion-$pkgver.tar.bz2
svnserve.confd
svnserve.initd
$install
@@ -32,7 +32,7 @@ build() {
install -Dm755 "$srcdir"/svnserve.initd "$pkgdir"/etc/init.d/svnserve
install -Dm644 "$srcdir"/svnserve.confd "$pkgdir"/etc/conf.d/svnserve
}
-md5sums="8357468ed2485b88151c50fb5deb28ca subversion-1.6.3.tar.gz
+md5sums="11e3fa838c9a558cadc378f2807572e2 subversion-1.6.4.tar.bz2
d084a7558053784886bc858b94fa9186 svnserve.confd
06cf9328f63a935654971052a2c3594a svnserve.initd
bfd0d890c07830f1a6010891dd25fa5c subversion.pre-install"
diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD
index c580a84a..4b348465 100644
--- a/main/tiff/APKBUILD
+++ b/main/tiff/APKBUILD
@@ -2,17 +2,33 @@
# Maintainer: Michael Mason <ms13sp@gmail.com>
pkgname=tiff
pkgver=3.8.2
-pkgrel=0
+pkgrel=1
pkgdesc="Provides support for the Tag Image File Format or TIFF"
url="http://www.libtiff.org/"
license="GPL"
-depends="uclibc"
+depends=
subpackages="$pkgname-doc $pkgname-dev"
-source="ftp://ftp.remotesensing.org/pub/lib$pkgname/$pkgname-$pkgver.tar.gz"
+source="ftp://ftp.remotesensing.org/pub/lib$pkgname/$pkgname-$pkgver.tar.gz
+ CVE-2006-3459-3465.patch
+ libtiff-CVE-2009-2285.patch
+ tiff-3.8.2-CVE-2008-2327.patch
+ tiff-3.8.2-CVE-2009-2347.patch
+ tiff2pdf-compression.patch
+ tiff2pdf-octal-printf.patch
+ tiffsplit-fname-overflow.patch
+ "
build() {
cd "$srcdir/$pkgname-$pkgver"
+ patch -p1 < ../tiff2pdf-octal-printf.patch || return 1
+ patch -p1 < ../tiffsplit-fname-overflow.patch || return 1
+ patch -p1 < ../CVE-2006-3459-3465.patch || return 1
+ patch -p1 < ../tiff2pdf-compression.patch || return 1
+ patch -p1 < ../tiff-3.8.2-CVE-2008-2327.patch || return 1
+ patch -p1 < ../libtiff-CVE-2009-2285.patch || return 1
+ patch -p1 < ../tiff-3.8.2-CVE-2009-2347.patch || return 1
+
./configure --prefix=/usr \
--sysconfdir=/etc \
--mandir=/usr/share/man \
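Review bot: Seven patches are added to `source=` and applied in `build()` in a different order from the list, with no comment on where each came from or whether the order matters. Four carry a CVE id in the file name, but `tiff2pdf-octal-printf.patch`, `tiffsplit-fname-overflow.patch` and `tiff2pdf-compression.patch` do not say what they fix. I would add a comment block above `source=` giving, per patch, the issue it addresses and its origin, and a line above the `patch` calls such as `# applied in this order on purpose: later patches expect the earlier ones` if that is the case. `build()` continues beyond the hunk.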
@@ -23,4 +39,11 @@ build() {
}
-md5sums="fbb6f446ea4ed18955e2714934e5b698 tiff-3.8.2.tar.gz"
+md5sums="fbb6f446ea4ed18955e2714934e5b698 tiff-3.8.2.tar.gz
+624d3067e6a4c0680767eb62253ea980 CVE-2006-3459-3465.patch
+ff61077408727a82281f77a94f555e2a libtiff-CVE-2009-2285.patch
+c2c2e22557d9c63011df5777dda6a86b tiff-3.8.2-CVE-2008-2327.patch
+d3b02693cca83e63005b162edd43016b tiff-3.8.2-CVE-2009-2347.patch
+b443ffca9d498bb3a88c17da0200025b tiff2pdf-compression.patch
+d54368687d2645ffbbe6c2df384b11bf tiff2pdf-octal-printf.patch
+323352fd60a7bd3ffac8724c3c031669 tiffsplit-fname-overflow.patch"
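Review bot: MD5 is the only integrity check recorded for the tarball and for the seven security patches, and the tarball itself is fetched over unauthenticated `ftp://`. MD5 collisions are practical, so the digest gives weak assurance that what gets built is what was reviewed. If the abuild in use accepts a stronger checksum variable (later versions have `sha512sums`), I would record that alongside `md5sums`; otherwise this is worth tracking for the tool. The `md5sums` hunks of main/ipsec-tools, main/mkinitfs, main/ncftp and main/subversion in this commit have the same limitation, and where their `source=` line is visible it uses `http://` or `ftp://`.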
diff --git a/main/tiff/CVE-2006-3459-3465.patch b/main/tiff/CVE-2006-3459-3465.patch
new file mode 100644
index 00000000..cb55b03e
--- /dev/null
+++ b/main/tiff/CVE-2006-3459-3465.patch
@@ -0,0 +1,669 @@
+diff -ru tiff-3.8.2/libtiff/tif_dir.c tiff-3.8.2-goo/libtiff/tif_dir.c
+--- tiff-3.8.2/libtiff/tif_dir.c 2006-03-21 16:42:50.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_dir.c 2006-07-14 13:52:01.027562000 +0100
+@@ -122,6 +122,7 @@
+ {
+ static const char module[] = "_TIFFVSetField";
+
++ const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY);
+ TIFFDirectory* td = &tif->tif_dir;
+ int status = 1;
+ uint32 v32, i, v;
+@@ -195,10 +196,12 @@
+ break;
+ case TIFFTAG_ORIENTATION:
+ v = va_arg(ap, uint32);
++ const TIFFFieldInfo* fip;
+ if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) {
++ fip = _TIFFFieldWithTag(tif, tag);
+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
+ "Bad value %lu for \"%s\" tag ignored",
+- v, _TIFFFieldWithTag(tif, tag)->field_name);
++ v, fip ? fip->field_name : "Unknown");
+ } else
+ td->td_orientation = (uint16) v;
+ break;
+@@ -387,11 +390,15 @@
+ * happens, for example, when tiffcp is used to convert between
+ * compression schemes and codec-specific tags are blindly copied.
+ */
++ /*
++ * better not dereference fip if it is NULL.
++ * -- taviso@google.com 15 Jun 2006
++ */
+ if(fip == NULL || fip->field_bit != FIELD_CUSTOM) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "%s: Invalid %stag \"%s\" (not supported by codec)",
+ tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
+- _TIFFFieldWithTag(tif, tag)->field_name);
++ fip ? fip->field_name : "Unknown");
+ status = 0;
+ break;
+ }
+@@ -468,7 +475,7 @@
+ if (fip->field_type == TIFF_ASCII)
+ _TIFFsetString((char **)&tv->value, va_arg(ap, char *));
+ else {
+- tv->value = _TIFFmalloc(tv_size * tv->count);
++ tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value");
+ if (!tv->value) {
+ status = 0;
+ goto end;
+@@ -563,7 +570,7 @@
+ }
+ }
+ if (status) {
+- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
++ TIFFSetFieldBit(tif, fip->field_bit);
+ tif->tif_flags |= TIFF_DIRTYDIRECT;
+ }
+
+@@ -572,12 +579,12 @@
+ return (status);
+ badvalue:
+ TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"",
+- tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name);
++ tif->tif_name, v, fip ? fip->field_name : "Unknown");
+ va_end(ap);
+ return (0);
+ badvalue32:
+ TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"",
+- tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name);
++ tif->tif_name, v32, fip ? fip->field_name : "Unknown");
+ va_end(ap);
+ return (0);
+ }
+@@ -813,12 +820,16 @@
+ * If the client tries to get a tag that is not valid
+ * for the image's codec then we'll arrive here.
+ */
++ /*
++ * dont dereference fip if it's NULL.
++ * -- taviso@google.com 15 Jun 2006
++ */
+ if( fip == NULL || fip->field_bit != FIELD_CUSTOM )
+ {
+ TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField",
+ "%s: Invalid %stag \"%s\" (not supported by codec)",
+ tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
+- _TIFFFieldWithTag(tif, tag)->field_name);
++ fip ? fip->field_name : "Unknown");
+ ret_val = 0;
+ break;
+ }
+diff -ru tiff-3.8.2/libtiff/tif_dirinfo.c tiff-3.8.2-goo/libtiff/tif_dirinfo.c
+--- tiff-3.8.2/libtiff/tif_dirinfo.c 2006-02-07 13:51:03.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_dirinfo.c 2006-07-14 13:52:00.953558000 +0100
+@@ -775,7 +775,8 @@
+ TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag",
+ "Internal error, unknown tag 0x%x",
+ (unsigned int) tag);
+- assert(fip != NULL);
++ /* assert(fip != NULL); */
++
+ /*NOTREACHED*/
+ }
+ return (fip);
+@@ -789,7 +790,8 @@
+ if (!fip) {
+ TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName",
+ "Internal error, unknown tag %s", field_name);
+- assert(fip != NULL);
++ /* assert(fip != NULL); */
++
+ /*NOTREACHED*/
+ }
+ return (fip);
+diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c
+--- tiff-3.8.2/libtiff/tif_dirread.c 2006-03-21 16:42:50.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_dirread.c 2006-07-14 13:52:00.842557000 +0100
+@@ -29,6 +29,9 @@
+ *
+ * Directory Read Support Routines.
+ */
++
++#include <limits.h>
++
+ #include "tiffiop.h"
+
+ #define IGNORE 0 /* tag placeholder used below */
+@@ -81,6 +84,7 @@
+ uint16 dircount;
+ toff_t nextdiroff;
+ int diroutoforderwarning = 0;
++ int compressionknown = 0;
+ toff_t* new_dirlist;
+
+ tif->tif_diroff = tif->tif_nextdiroff;
+@@ -147,13 +151,20 @@
+ } else {
+ toff_t off = tif->tif_diroff;
+
+- if (off + sizeof (uint16) > tif->tif_size) {
+- TIFFErrorExt(tif->tif_clientdata, module,
+- "%s: Can not read TIFF directory count",
+- tif->tif_name);
+- return (0);
++ /*
++ * Check for integer overflow when validating the dir_off, otherwise
++ * a very high offset may cause an OOB read and crash the client.
++ * -- taviso@google.com, 14 Jun 2006.
++ */
++ if (off + sizeof (uint16) > tif->tif_size ||
++ off > (UINT_MAX - sizeof(uint16))) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "%s: Can not read TIFF directory count",
++ tif->tif_name);
++ return (0);
+ } else
+- _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16));
++ _TIFFmemcpy(&dircount, tif->tif_base + off,
++ sizeof (uint16));
+ off += sizeof (uint16);
+ if (tif->tif_flags & TIFF_SWAB)
+ TIFFSwabShort(&dircount);
+@@ -254,6 +265,7 @@
+ while (fix < tif->tif_nfields &&
+ tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
+ fix++;
++
+ if (fix >= tif->tif_nfields ||
+ tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) {
+
+@@ -264,17 +276,23 @@
+ dp->tdir_tag,
+ dp->tdir_tag,
+ dp->tdir_type);
+-
+- TIFFMergeFieldInfo(tif,
+- _TIFFCreateAnonFieldInfo(tif,
+- dp->tdir_tag,
+- (TIFFDataType) dp->tdir_type),
+- 1 );
++ /*
++ * creating anonymous fields prior to knowing the compression
++ * algorithm (ie, when the field info has been merged) could cause
++ * crashes with pathological directories.
++ * -- taviso@google.com 15 Jun 2006
++ */
++ if (compressionknown)
++ TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag,
++ (TIFFDataType) dp->tdir_type), 1 );
++ else goto ignore;
++
+ fix = 0;
+ while (fix < tif->tif_nfields &&
+ tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
+ fix++;
+ }
++
+ /*
+ * Null out old tags that we ignore.
+ */
+@@ -326,6 +344,7 @@
+ dp->tdir_type, dp->tdir_offset);
+ if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v))
+ goto bad;
++ else compressionknown++;
+ break;
+ /* XXX: workaround for broken TIFFs */
+ } else if (dp->tdir_type == TIFF_LONG) {
+@@ -540,6 +559,7 @@
+ * Attempt to deal with a missing StripByteCounts tag.
+ */
+ if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) {
++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
+ /*
+ * Some manufacturers violate the spec by not giving
+ * the size of the strips. In this case, assume there
+@@ -556,7 +576,7 @@
+ "%s: TIFF directory is missing required "
+ "\"%s\" field, calculating from imagelength",
+ tif->tif_name,
+- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
++ fip ? fip->field_name : "Unknown");
+ if (EstimateStripByteCounts(tif, dir, dircount) < 0)
+ goto bad;
+ /*
+@@ -580,6 +600,7 @@
+ } else if (td->td_nstrips == 1
+ && td->td_stripoffset[0] != 0
+ && BYTECOUNTLOOKSBAD) {
++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
+ /*
+ * XXX: Plexus (and others) sometimes give a value of zero for
+ * a tag when they don't know what the correct value is! Try
+@@ -589,13 +610,14 @@
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "%s: Bogus \"%s\" field, ignoring and calculating from imagelength",
+ tif->tif_name,
+- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
++ fip ? fip->field_name : "Unknown");
+ if(EstimateStripByteCounts(tif, dir, dircount) < 0)
+ goto bad;
+ } else if (td->td_planarconfig == PLANARCONFIG_CONTIG
+ && td->td_nstrips > 2
+ && td->td_compression == COMPRESSION_NONE
+ && td->td_stripbytecount[0] != td->td_stripbytecount[1]) {
++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
+ /*
+ * XXX: Some vendors fill StripByteCount array with absolutely
+ * wrong values (it can be equal to StripOffset array, for
+@@ -604,7 +626,7 @@
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "%s: Wrong \"%s\" field, ignoring and calculating from imagelength",
+ tif->tif_name,
+- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
++ fip ? fip->field_name : "Unknown");
+ if (EstimateStripByteCounts(tif, dir, dircount) < 0)
+ goto bad;
+ }
+@@ -870,7 +892,13 @@
+
+ register TIFFDirEntry *dp;
+ register TIFFDirectory *td = &tif->tif_dir;
+- uint16 i;
++
++ /* i is used to iterate over td->td_nstrips, so must be
++ * at least the same width.
++ * -- taviso@google.com 15 Jun 2006
++ */
++
++ uint32 i;
+
+ if (td->td_stripbytecount)
+ _TIFFfree(td->td_stripbytecount);
+@@ -947,16 +975,18 @@
+ static int
+ CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count)
+ {
++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
++
+ if (count > dir->tdir_count) {
+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
+ "incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored",
+- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
++ fip ? fip->field_name : "Unknown",
+ dir->tdir_count, count);
+ return (0);
+ } else if (count < dir->tdir_count) {
+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
+ "incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed",
+- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
++ fip ? fip->field_name : "Unknown",
+ dir->tdir_count, count);
+ return (1);
+ }
+@@ -970,6 +1000,7 @@
+ TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp)
+ {
+ int w = TIFFDataWidth((TIFFDataType) dir->tdir_type);
++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ tsize_t cc = dir->tdir_count * w;
+
+ /* Check for overflow. */
+@@ -1013,7 +1044,7 @@
+ bad:
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "Error fetching data for field \"%s\"",
+- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
++ fip ? fip->field_name : "Unknown");
+ return (tsize_t) 0;
+ }
+
+@@ -1039,10 +1070,12 @@
+ static int
+ cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv)
+ {
++ const TIFFFieldInfo* fip;
+ if (denom == 0) {
++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "%s: Rational with zero denominator (num = %lu)",
+- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num);
++ fip ? fip->field_name : "Unknown", num);
+ return (0);
+ } else {
+ if (dir->tdir_type == TIFF_RATIONAL)
+@@ -1159,6 +1192,20 @@
+ static int
+ TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir)
+ {
++ /*
++ * Prevent overflowing the v stack arrays below by performing a sanity
++ * check on tdir_count, this should never be greater than two.
++ * -- taviso@google.com 14 Jun 2006.
++ */
++ if (dir->tdir_count > 2) {
++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
++ TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
++ "unexpected count for field \"%s\", %lu, expected 2; ignored.",
++ fip ? fip->field_name : "Unknown",
++ dir->tdir_count);
++ return 0;
++ }
++
+ switch (dir->tdir_type) {
+ case TIFF_BYTE:
+ case TIFF_SBYTE:
+@@ -1329,14 +1376,15 @@
+ case TIFF_DOUBLE:
+ return (TIFFFetchDoubleArray(tif, dir, (double*) v));
+ default:
++ { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ /* TIFF_NOTYPE */
+ /* TIFF_ASCII */
+ /* TIFF_UNDEFINED */
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "cannot read TIFF_ANY type %d for field \"%s\"",
+ dir->tdir_type,
+- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+- return (0);
++ fip ? fip->field_name : "Unknown");
++ return (0); }
+ }
+ return (1);
+ }
+@@ -1351,6 +1399,9 @@
+ int ok = 0;
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag);
+
++ if (fip == NULL) {
++ return (0);
++ }
+ if (dp->tdir_count > 1) { /* array of values */
+ char* cp = NULL;
+
+@@ -1493,6 +1544,7 @@
+ TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl)
+ {
+ uint16 samples = tif->tif_dir.td_samplesperpixel;
++ const TIFFFieldInfo* fip;
+ int status = 0;
+
+ if (CheckDirCount(tif, dir, (uint32) samples)) {
+@@ -1510,9 +1562,10 @@
+
+ for (i = 1; i < check_count; i++)
+ if (v[i] != v[0]) {
++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "Cannot handle different per-sample values for field \"%s\"",
+- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
++ fip ? fip->field_name : "Unknown");
+ goto bad;
+ }
+ *pl = v[0];
+@@ -1534,6 +1587,7 @@
+ TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl)
+ {
+ uint16 samples = tif->tif_dir.td_samplesperpixel;
++ const TIFFFieldInfo* fip;
+ int status = 0;
+
+ if (CheckDirCount(tif, dir, (uint32) samples)) {
+@@ -1551,9 +1605,10 @@
+ check_count = samples;
+ for (i = 1; i < check_count; i++)
+ if (v[i] != v[0]) {
++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "Cannot handle different per-sample values for field \"%s\"",
+- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
++ fip ? fip->field_name : "Unknown");
+ goto bad;
+ }
+ *pl = v[0];
+@@ -1574,6 +1629,7 @@
+ TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl)
+ {
+ uint16 samples = tif->tif_dir.td_samplesperpixel;
++ const TIFFFieldInfo* fip;
+ int status = 0;
+
+ if (CheckDirCount(tif, dir, (uint32) samples)) {
+@@ -1591,9 +1647,10 @@
+
+ for (i = 1; i < check_count; i++)
+ if (v[i] != v[0]) {
++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "Cannot handle different per-sample values for field \"%s\"",
+- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
++ fip ? fip->field_name : "Unknown");
+ goto bad;
+ }
+ *pl = v[0];
+diff -ru tiff-3.8.2/libtiff/tif_fax3.c tiff-3.8.2-goo/libtiff/tif_fax3.c
+--- tiff-3.8.2/libtiff/tif_fax3.c 2006-03-21 16:42:50.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_fax3.c 2006-07-14 13:52:00.669557000 +0100
+@@ -1136,6 +1136,7 @@
+ Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
+ {
+ Fax3BaseState* sp = Fax3State(tif);
++ const TIFFFieldInfo* fip;
+
+ assert(sp != 0);
+ assert(sp->vsetparent != 0);
+@@ -1181,7 +1182,13 @@
+ default:
+ return (*sp->vsetparent)(tif, tag, ap);
+ }
+- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
++
++ if ((fip = _TIFFFieldWithTag(tif, tag))) {
++ TIFFSetFieldBit(tif, fip->field_bit);
++ } else {
++ return (0);
++ }
++
+ tif->tif_flags |= TIFF_DIRTYDIRECT;
+ return (1);
+ }
+diff -ru tiff-3.8.2/libtiff/tif_jpeg.c tiff-3.8.2-goo/libtiff/tif_jpeg.c
+--- tiff-3.8.2/libtiff/tif_jpeg.c 2006-03-21 16:42:50.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_jpeg.c 2006-07-14 13:52:00.655560000 +0100
+@@ -722,15 +722,31 @@
+ segment_width = TIFFhowmany(segment_width, sp->h_sampling);
+ segment_height = TIFFhowmany(segment_height, sp->v_sampling);
+ }
+- if (sp->cinfo.d.image_width != segment_width ||
+- sp->cinfo.d.image_height != segment_height) {
++ if (sp->cinfo.d.image_width < segment_width ||
++ sp->cinfo.d.image_height < segment_height) {
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "Improper JPEG strip/tile size, expected %dx%d, got %dx%d",
+ segment_width,
+ segment_height,
+ sp->cinfo.d.image_width,
+ sp->cinfo.d.image_height);
++ }
++
++ if (sp->cinfo.d.image_width > segment_width ||
++ sp->cinfo.d.image_height > segment_height) {
++ /*
++ * This case could be dangerous, if the strip or tile size has been
++ * reported as less than the amount of data jpeg will return, some
++ * potential security issues arise. Catch this case and error out.
++ * -- taviso@google.com 14 Jun 2006
++ */
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "JPEG strip/tile size exceeds expected dimensions,"
++ "expected %dx%d, got %dx%d", segment_width, segment_height,
++ sp->cinfo.d.image_width, sp->cinfo.d.image_height);
++ return (0);
+ }
++
+ if (sp->cinfo.d.num_components !=
+ (td->td_planarconfig == PLANARCONFIG_CONTIG ?
+ td->td_samplesperpixel : 1)) {
+@@ -761,6 +777,22 @@
+ sp->cinfo.d.comp_info[0].v_samp_factor,
+ sp->h_sampling, sp->v_sampling);
+
++ /*
++ * There are potential security issues here for decoders that
++ * have already allocated buffers based on the expected sampling
++ * factors. Lets check the sampling factors dont exceed what
++ * we were expecting.
++ * -- taviso@google.com 14 June 2006
++ */
++ if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling ||
++ sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Cannot honour JPEG sampling factors that"
++ " exceed those specified.");
++ return (0);
++ }
++
++
+ /*
+ * XXX: Files written by the Intergraph software
+ * has different sampling factors stored in the
+@@ -1521,15 +1553,18 @@
+ {
+ JPEGState *sp = JState(tif);
+
+- assert(sp != 0);
++ /* assert(sp != 0); */
+
+ tif->tif_tagmethods.vgetfield = sp->vgetparent;
+ tif->tif_tagmethods.vsetfield = sp->vsetparent;
+
+- if( sp->cinfo_initialized )
+- TIFFjpeg_destroy(sp); /* release libjpeg resources */
+- if (sp->jpegtables) /* tag value */
+- _TIFFfree(sp->jpegtables);
++ if (sp != NULL) {
++ if( sp->cinfo_initialized )
++ TIFFjpeg_destroy(sp); /* release libjpeg resources */
++ if (sp->jpegtables) /* tag value */
++ _TIFFfree(sp->jpegtables);
++ }
++
+ _TIFFfree(tif->tif_data); /* release local state */
+ tif->tif_data = NULL;
+
+@@ -1541,6 +1576,7 @@
+ {
+ JPEGState* sp = JState(tif);
+ TIFFDirectory* td = &tif->tif_dir;
++ const TIFFFieldInfo* fip;
+ uint32 v32;
+
+ assert(sp != NULL);
+@@ -1606,7 +1642,13 @@
+ default:
+ return (*sp->vsetparent)(tif, tag, ap);
+ }
+- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
++
++ if ((fip = _TIFFFieldWithTag(tif, tag))) {
++ TIFFSetFieldBit(tif, fip->field_bit);
++ } else {
++ return (0);
++ }
++
+ tif->tif_flags |= TIFF_DIRTYDIRECT;
+ return (1);
+ }
+@@ -1726,7 +1768,11 @@
+ {
+ JPEGState* sp = JState(tif);
+
+- assert(sp != NULL);
++ /* assert(sp != NULL); */
++ if (sp == NULL) {
++ TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState");
++ return;
++ }
+
+ (void) flags;
+ if (TIFFFieldSet(tif,FIELD_JPEGTABLES))
+diff -ru tiff-3.8.2/libtiff/tif_next.c tiff-3.8.2-goo/libtiff/tif_next.c
+--- tiff-3.8.2/libtiff/tif_next.c 2005-12-21 12:33:56.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_next.c 2006-07-14 13:52:00.556567000 +0100
+@@ -105,11 +105,16 @@
+ * as codes of the form <color><npixels>
+ * until we've filled the scanline.
+ */
++ /*
++ * Ensure the run does not exceed the scanline
++ * bounds, potentially resulting in a security issue.
++ * -- taviso@google.com 14 Jun 2006.
++ */
+ op = row;
+ for (;;) {
+ grey = (n>>6) & 0x3;
+ n &= 0x3f;
+- while (n-- > 0)
++ while (n-- > 0 && npixels < imagewidth)
+ SETPIXEL(op, grey);
+ if (npixels >= (int) imagewidth)
+ break;
+diff -ru tiff-3.8.2/libtiff/tif_pixarlog.c tiff-3.8.2-goo/libtiff/tif_pixarlog.c
+--- tiff-3.8.2/libtiff/tif_pixarlog.c 2006-03-21 16:42:50.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_pixarlog.c 2006-07-14 13:52:00.483557000 +0100
+@@ -768,7 +768,19 @@
+ if (tif->tif_flags & TIFF_SWAB)
+ TIFFSwabArrayOfShort(up, nsamples);
+
+- for (i = 0; i < nsamples; i += llen, up += llen) {
++ /*
++ * if llen is not an exact multiple of nsamples, the decode operation
++ * may overflow the output buffer, so truncate it enough to prevent that
++ * but still salvage as much data as possible.
++ * -- taviso@google.com 14th June 2006
++ */
++ if (nsamples % llen)
++ TIFFWarningExt(tif->tif_clientdata, module,
++ "%s: stride %lu is not a multiple of sample count, "
++ "%lu, data truncated.", tif->tif_name, llen, nsamples);
++
++
++ for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) {
+ switch (sp->user_datafmt) {
+ case PIXARLOGDATAFMT_FLOAT:
+ horizontalAccumulateF(up, llen, sp->stride,
+diff -ru tiff-3.8.2/libtiff/tif_read.c tiff-3.8.2-goo/libtiff/tif_read.c
+--- tiff-3.8.2/libtiff/tif_read.c 2005-12-21 12:33:56.000000000 +0000
++++ tiff-3.8.2-goo/libtiff/tif_read.c 2006-07-14 13:52:00.467568000 +0100
+@@ -31,6 +31,8 @@
+ #include "tiffiop.h"
+ #include <stdio.h>
+
++#include <limits.h>
++
+ int TIFFFillStrip(TIFF*, tstrip_t);
+ int TIFFFillTile(TIFF*, ttile_t);
+ static int TIFFStartStrip(TIFF*, tstrip_t);
+@@ -272,7 +274,13 @@
+ if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
+ _TIFFfree(tif->tif_rawdata);
+ tif->tif_flags &= ~TIFF_MYBUFFER;
+- if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) {
++ /*
++ * This sanity check could potentially overflow, causing an OOB read.
++ * verify that offset + bytecount is > offset.
++ * -- taviso@google.com 14 Jun 2006
++ */
++ if ( td->td_stripoffset[strip] + bytecount > tif->tif_size ||
++ bytecount > (UINT_MAX - td->td_stripoffset[strip])) {
+ /*
+ * This error message might seem strange, but it's
+ * what would happen if a read were done instead.
+@@ -470,7 +478,13 @@
+ if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
+ _TIFFfree(tif->tif_rawdata);
+ tif->tif_flags &= ~TIFF_MYBUFFER;
+- if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) {
++ /*
++ * We must check this calculation doesnt overflow, potentially
++ * causing an OOB read.
++ * -- taviso@google.com 15 Jun 2006
++ */
++ if (td->td_stripoffset[tile] + bytecount > tif->tif_size ||
++ bytecount > (UINT_MAX - td->td_stripoffset[tile])) {
+ tif->tif_curtile = NOTILE;
+ return (0);
+ }
diff --git a/main/tiff/libtiff-CVE-2009-2285.patch b/main/tiff/libtiff-CVE-2009-2285.patch
new file mode 100644
index 00000000..435a84b5
--- /dev/null
+++ b/main/tiff/libtiff-CVE-2009-2285.patch
@@ -0,0 +1,22 @@
+Index: tiff-3.8.2/libtiff/tif_lzw.c
+===================================================================
+--- tiff-3.8.2.orig/libtiff/tif_lzw.c
++++ tiff-3.8.2/libtiff/tif_lzw.c
+@@ -421,7 +421,7 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize
+ NextCode(tif, sp, bp, code, GetNextCode);
+ if (code == CODE_EOI)
+ break;
+- if (code == CODE_CLEAR) {
++ if (code >= CODE_CLEAR) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "LZWDecode: Corrupted LZW table at scanline %d",
+ tif->tif_row);
+@@ -624,7 +624,7 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0,
+ NextCode(tif, sp, bp, code, GetNextCodeCompat);
+ if (code == CODE_EOI)
+ break;
+- if (code == CODE_CLEAR) {
++ if (code >= CODE_CLEAR) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "LZWDecode: Corrupted LZW table at scanline %d",
+ tif->tif_row);
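Review bot: This patch file has no header text before `Index:` saying what it fixes or what it depends on, unlike tiff-3.8.2-CVE-2008-2327.patch added in the same commit. Both hunks edit the `if (code == CODE_CLEAR)` check that the CVE-2008-2327 patch introduces, so this one only applies after that patch, and nothing in the file records the ordering. A short header would cover it, for example `Reject any code at or above CODE_CLEAR that directly follows a clear code (CVE-2009-2285).` followed by `Apply after tiff-3.8.2-CVE-2008-2327.patch.`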
diff --git a/main/tiff/tiff-3.8.2-CVE-2008-2327.patch b/main/tiff/tiff-3.8.2-CVE-2008-2327.patch
new file mode 100644
index 00000000..e6d74a67
--- /dev/null
+++ b/main/tiff/tiff-3.8.2-CVE-2008-2327.patch
@@ -0,0 +1,64 @@
+Fixes security issues in libTIFF's handling of LZW-encoded
+images. The use of uninitialized data could lead to a buffer
+underflow and a crash or arbitrary code execution.
+
+CVE-ID: CVE-2008-2327
+Security bug: https://bugs.gentoo.org/show_bug.cgi?id=234080
+
+Index: tiff-3.8.2/libtiff/tif_lzw.c
+===================================================================
+--- tiff-3.8.2.orig/libtiff/tif_lzw.c
++++ tiff-3.8.2/libtiff/tif_lzw.c
+@@ -237,6 +237,12 @@ LZWSetupDecode(TIFF* tif)
+ sp->dec_codetab[code].length = 1;
+ sp->dec_codetab[code].next = NULL;
+ } while (code--);
++ /*
++ * Zero-out the unused entries
++ */
++ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,
++ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t));
++
+ }
+ return (1);
+ }
+@@ -408,12 +414,19 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize
+ break;
+ if (code == CODE_CLEAR) {
+ free_entp = sp->dec_codetab + CODE_FIRST;
++ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
+ nbits = BITS_MIN;
+ nbitsmask = MAXCODE(BITS_MIN);
+ maxcodep = sp->dec_codetab + nbitsmask-1;
+ NextCode(tif, sp, bp, code, GetNextCode);
+ if (code == CODE_EOI)
+ break;
++ if (code == CODE_CLEAR) {
++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
++ "LZWDecode: Corrupted LZW table at scanline %d",
++ tif->tif_row);
++ return (0);
++ }
+ *op++ = (char)code, occ--;
+ oldcodep = sp->dec_codetab + code;
+ continue;
+@@ -604,12 +617,19 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0,
+ break;
+ if (code == CODE_CLEAR) {
+ free_entp = sp->dec_codetab + CODE_FIRST;
++ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
+ nbits = BITS_MIN;
+ nbitsmask = MAXCODE(BITS_MIN);
+ maxcodep = sp->dec_codetab + nbitsmask;
+ NextCode(tif, sp, bp, code, GetNextCodeCompat);
+ if (code == CODE_EOI)
+ break;
++ if (code == CODE_CLEAR) {
++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
++ "LZWDecode: Corrupted LZW table at scanline %d",
++ tif->tif_row);
++ return (0);
++ }
+ *op++ = code, occ--;
+ oldcodep = sp->dec_codetab + code;
+ continue;
diff --git a/main/tiff/tiff-3.8.2-CVE-2009-2347.patch b/main/tiff/tiff-3.8.2-CVE-2009-2347.patch
new file mode 100644
index 00000000..039d7336
--- /dev/null
+++ b/main/tiff/tiff-3.8.2-CVE-2009-2347.patch
@@ -0,0 +1,170 @@
+Fix several places in tiff2rgba and rgb2ycbcr that were being careless about
+possible integer overflow in calculation of buffer sizes.
+
+CVE-2009-2347
+
+
+diff -Naur tiff-3.8.2.orig/tools/rgb2ycbcr.c tiff-3.8.2/tools/rgb2ycbcr.c
+--- tiff-3.8.2.orig/tools/rgb2ycbcr.c 2004-09-03 03:57:13.000000000 -0400
++++ tiff-3.8.2/tools/rgb2ycbcr.c 2009-07-10 17:12:32.000000000 -0400
+@@ -202,6 +202,17 @@
+ #undef LumaBlue
+ #undef V2Code
+
++static tsize_t
++multiply(tsize_t m1, tsize_t m2)
++{
++ tsize_t prod = m1 * m2;
++
++ if (m1 && prod / m1 != m2)
++ prod = 0; /* overflow */
++
++ return prod;
++}
++
+ /*
+ * Convert a strip of RGB data to YCbCr and
+ * sample to generate the output data.
+@@ -278,10 +289,19 @@
+ float floatv;
+ char *stringv;
+ uint32 longv;
++ tsize_t raster_size;
+
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+ TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
++
++ raster_size = multiply(multiply(width, height), sizeof (uint32));
++ if (!raster_size) {
++ TIFFError(TIFFFileName(in),
++ "Can't allocate buffer for raster of size %lux%lu",
++ (unsigned long) width, (unsigned long) height);
++ return (0);
++ }
++ raster = (uint32*)_TIFFmalloc(raster_size);
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in), "No space for raster buffer");
+ return (0);
+diff -Naur tiff-3.8.2.orig/tools/tiff2rgba.c tiff-3.8.2/tools/tiff2rgba.c
+--- tiff-3.8.2.orig/tools/tiff2rgba.c 2004-11-07 06:08:37.000000000 -0500
++++ tiff-3.8.2/tools/tiff2rgba.c 2009-07-10 17:06:42.000000000 -0400
+@@ -124,6 +124,17 @@
+ return (0);
+ }
+
++static tsize_t
++multiply(tsize_t m1, tsize_t m2)
++{
++ tsize_t prod = m1 * m2;
++
++ if (m1 && prod / m1 != m2)
++ prod = 0; /* overflow */
++
++ return prod;
++}
++
+ static int
+ cvt_by_tile( TIFF *in, TIFF *out )
+
+@@ -133,6 +144,7 @@
+ uint32 tile_width, tile_height;
+ uint32 row, col;
+ uint32 *wrk_line;
++ tsize_t raster_size;
+ int ok = 1;
+
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+@@ -150,7 +162,14 @@
+ /*
+ * Allocate tile buffer
+ */
+- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
++ raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32));
++ if (!raster_size) {
++ TIFFError(TIFFFileName(in),
++ "Can't allocate buffer for raster of size %lux%lu",
++ (unsigned long) tile_width, (unsigned long) tile_height);
++ return (0);
++ }
++ raster = (uint32*)_TIFFmalloc(raster_size);
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in), "No space for raster buffer");
+ return (0);
+@@ -158,7 +177,7 @@
+
+ /*
+ * Allocate a scanline buffer for swapping during the vertical
+- * mirroring pass.
++ * mirroring pass. (Request can't overflow given prior checks.)
+ */
+ wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
+ if (!wrk_line) {
+@@ -226,6 +245,7 @@
+ uint32 width, height; /* image width & height */
+ uint32 row;
+ uint32 *wrk_line;
++ tsize_t raster_size;
+ int ok = 1;
+
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+@@ -241,7 +261,14 @@
+ /*
+ * Allocate strip buffer
+ */
+- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
++ raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32));
++ if (!raster_size) {
++ TIFFError(TIFFFileName(in),
++ "Can't allocate buffer for raster of size %lux%lu",
++ (unsigned long) width, (unsigned long) rowsperstrip);
++ return (0);
++ }
++ raster = (uint32*)_TIFFmalloc(raster_size);
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in), "No space for raster buffer");
+ return (0);
+@@ -249,7 +276,7 @@
+
+ /*
+ * Allocate a scanline buffer for swapping during the vertical
+- * mirroring pass.
++ * mirroring pass. (Request can't overflow given prior checks.)
+ */
+ wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
+ if (!wrk_line) {
+@@ -328,14 +355,22 @@
+ uint32* raster; /* retrieve RGBA image */
+ uint32 width, height; /* image width & height */
+ uint32 row;
+-
++ tsize_t raster_size;
++
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+ TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+
+ rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
+ TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
+
+- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32));
++ raster_size = multiply(multiply(width, height), sizeof (uint32));
++ if (!raster_size) {
++ TIFFError(TIFFFileName(in),
++ "Can't allocate buffer for raster of size %lux%lu",
++ (unsigned long) width, (unsigned long) height);
++ return (0);
++ }
++ raster = (uint32*)_TIFFmalloc(raster_size);
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in), "No space for raster buffer");
+ return (0);
+@@ -353,7 +388,7 @@
+ */
+ if( no_alpha )
+ {
+- int pixel_count = width * height;
++ tsize_t pixel_count = (tsize_t) width * (tsize_t) height;
+ unsigned char *src, *dst;
+
+ src = (unsigned char *) raster;
+
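Review bot: `multiply()` only tests for overflow after it has computed `m1 * m2`, and it takes `tsize_t` operands while the callers pass `uint32` dimensions read from the file. If `tsize_t` is a signed type in this libtiff version (its typedef is not visible here), large dimensions convert to negative operands for which the division test can still pass, and the signed multiplication overflows with undefined behaviour before the test runs. Rejecting such operands first with `if (m1 < 0 || m2 < 0) return 0;`, then bounding `m2` against the type's maximum divided by `m1` before multiplying, would close both gaps. The helper is duplicated in rgb2ycbcr.c and tiff2rgba.c, and the `pixel_count` casts in the last tiff2rgba.c hunk perform the same conversion.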
diff --git a/main/tiff/tiff2pdf-compression.patch b/main/tiff/tiff2pdf-compression.patch
new file mode 100644
index 00000000..2dae2dcd
--- /dev/null
+++ b/main/tiff/tiff2pdf-compression.patch
@@ -0,0 +1,44 @@
+--- tiff-3.8.2/tools/tiff2pdf.c 8 Jun 2006 11:27:11 -0000 1.35
++++ tiff-3.8.2/tools/tiff2pdf.c 19 Jun 2006 20:12:08 -0000 1.36
+@@ -937,7 +937,7 @@
+
+ #ifdef JPEG_SUPPORT
+ if(t2p->pdf_defaultcompression==T2P_COMPRESS_JPEG){
+- if(t2p->pdf_defaultcompressionquality<100 ||
++ if(t2p->pdf_defaultcompressionquality>100 ||
+ t2p->pdf_defaultcompressionquality<1){
+ t2p->pdf_defaultcompressionquality=0;
+ }
+@@ -945,25 +945,17 @@
+ #endif
+ #ifdef ZIP_SUPPORT
+ if(t2p->pdf_defaultcompression==T2P_COMPRESS_ZIP){
+- switch (t2p->pdf_defaultcompressionquality){
+- case 1: case 10: case 11: case 12: case 13: case 14: case 15:
+- case 101: case 110: case 111: case 112: case 113: case 114: case 115:
+- case 201: case 210: case 211: case 212: case 213: case 214: case 215:
+- case 301: case 310: case 311: case 312: case 313: case 314: case 315:
+- case 401: case 410: case 411: case 412: case 413: case 414: case 415:
+- case 501: case 510: case 511: case 512: case 513: case 514: case 515:
+- case 601: case 610: case 611: case 612: case 613: case 614: case 615:
+- case 701: case 710: case 711: case 712: case 713: case 714: case 715:
+- case 801: case 810: case 811: case 812: case 813: case 814: case 815:
+- case 901: case 910: case 911: case 912: case 913: case 914: case 915:
+- break;
+- default:
+- t2p->pdf_defaultcompressionquality=0;
++ uint16 m=t2p->pdf_defaultcompressionquality%100;
++ if(t2p->pdf_defaultcompressionquality/100 > 9 ||
++ (m>1 && m<10) || m>15){
++ t2p->pdf_defaultcompressionquality=0;
+ }
+ if(t2p->pdf_defaultcompressionquality%100 !=0){
++ t2p->pdf_defaultcompressionquality/=100;
++ t2p->pdf_defaultcompressionquality*=100;
+ TIFFError(
+ TIFF2PDF_MODULE,
+- "PNG Group predictor differencing not implemented, assuming compresion quality %u",
++ "PNG Group predictor differencing not implemented, assuming compression quality %u",
+ t2p->pdf_defaultcompressionquality);
+ }
+ t2p->pdf_defaultcompressionquality%=100;
diff --git a/main/tiff/tiff2pdf-octal-printf.patch b/main/tiff/tiff2pdf-octal-printf.patch
new file mode 100644
index 00000000..f35b0723
--- /dev/null
+++ b/main/tiff/tiff2pdf-octal-printf.patch
@@ -0,0 +1,11 @@
+--- tiff-3.8.2/tools/tiff2pdf.c.orig 2006-03-21 11:42:51.000000000 -0500
++++ tiff-3.8.2/tools/tiff2pdf.c 2006-06-07 17:54:01.027637232 -0400
+@@ -3668,7 +3668,7 @@
+ written += TIFFWriteFile(output, (tdata_t) "(", 1);
+ for (i=0;i<len;i++){
+ if((pdfstr[i]&0x80) || (pdfstr[i]==127) || (pdfstr[i]<32)){
+- sprintf(buffer, "\\%.3o", pdfstr[i]);
++ sprintf(buffer, "\\%.3hho", pdfstr[i]);
+ written += TIFFWriteFile(output, (tdata_t) buffer, 4);
+ } else {
+ switch (pdfstr[i]){
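Review bot: The corrected `sprintf` still relies on the C library honouring the C99 `hh` length modifier to keep the escape at three octal digits. If `pdfstr` is a plain `char` array and the library ignores `hh`, the sign-extended value is formatted with more digits than the four bytes the next line writes. Casting the argument instead, `sprintf(buffer, "\\%.3o", (unsigned char) pdfstr[i]);`, gives the same output without that dependency, and `snprintf` with `sizeof(buffer)` would bound the write in either case. `buffer` is declared outside the hunk, so its size cannot be checked here.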
diff --git a/main/tiff/tiffsplit-fname-overflow.patch b/main/tiff/tiffsplit-fname-overflow.patch
new file mode 100644
index 00000000..cc225890
--- /dev/null
+++ b/main/tiff/tiffsplit-fname-overflow.patch
@@ -0,0 +1,19 @@
+--- tiff-3.8.2/tools/tiffsplit.c.orig 2005-12-07 04:48:33.000000000 -0500
++++ tiff-3.8.2/tools/tiffsplit.c 2006-06-01 21:20:25.039944864 -0400
+@@ -61,14 +61,13 @@
+ return (-3);
+ }
+ if (argc > 2)
+- strcpy(fname, argv[2]);
++ snprintf(fname, sizeof(fname), "%s", argv[2]);
+ in = TIFFOpen(argv[1], "r");
+ if (in != NULL) {
+ do {
+ char path[1024+1];
+ newfilename();
+- strcpy(path, fname);
+- strcat(path, ".tif");
++ snprintf(path, sizeof(path), "%s.tif", fname);
+ out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl");
+ if (out == NULL)
+ return (-2);
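Review bot: Both new `snprintf` calls discard their return value, so an over-long output prefix in `argv[2]` is silently truncated and the pages are written under a different name than the one requested. Comparing the result with the buffer size and failing, e.g. `if (snprintf(path, sizeof(path), "%s.tif", fname) >= (int) sizeof(path))` followed by an error return, keeps the bound and makes the truncation visible. `newfilename()` runs between the two calls and presumably modifies `fname`; it is outside the hunk, so whether it respects the same bound cannot be confirmed here.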
diff --git a/main/vala/APKBUILD b/main/vala/APKBUILD
index 1a03977a..21214872 100644
--- a/main/vala/APKBUILD
+++ b/main/vala/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=vala
-pkgver=0.7.4
+pkgver=0.7.5
pkgrel=0
pkgdesc="Compiler for the GObject type system"
url="http://live.gnome.org/Vala"
@@ -19,4 +19,4 @@ build ()
make DESTDIR="$pkgdir" install || return 1
}
-md5sums="6ca0017be63244aff4d62d5f51f4b31a vala-0.7.4.tar.gz"
+md5sums="73255913302dbbf17c98f6ff8c71a65a vala-0.7.5.tar.gz"
diff --git a/testing/device-mapper/APKBUILD b/testing/device-mapper/APKBUILD
deleted file mode 100644
index aaca6808..00000000
--- a/testing/device-mapper/APKBUILD
+++ /dev/null
@@ -1,26 +0,0 @@
-# Contributor: Leonardo Arena <rnalrd@gmail.com>
-# Maintainer: Leonardo Arena <rnalrd@gmail.com>
-pkgname=device-mapper
-pkgver=1.02.28
-pkgrel=0
-pkgdesc="Device mapper ioctl library"
-url="http://sources.redhat.com/pub/dm/"
-license="GPL-2"
-depends="uclibc"
-makedepends=""
-install=
-subpackages="$pkgname-doc $pkgname-dev"
-source="ftp://sources.redhat.com/pub/dm/$pkgname.$pkgver.tgz"
-
-build() {
- cd "$srcdir/$pkgname.$pkgver"
-
- ./configure --prefix=/usr \
- --sysconfdir=/etc \
- --mandir=/usr/share/man \
- --infodir=/usr/share/info
- make || return 1
- make DESTDIR="$pkgdir" install
-}
-
-md5sums="c9ae0776994a419f9e1ba842164bb626 device-mapper.1.02.28.tgz"
diff --git a/testing/libaio/APKBUILD b/testing/libaio/APKBUILD
index 4108c4eb..0951b758 100644
--- a/testing/libaio/APKBUILD
+++ b/testing/libaio/APKBUILD
@@ -2,12 +2,12 @@
# Maintainer: Leonardo Arena <rnalrd@gmail.com>
pkgname="libaio"
pkgver="0.3.107"
-pkgrel=0
-pkgdesc="Asynchronous input/output library that uses the kernels native interface"
-url="http://www.kernel.org/pub/linux/kernel/people/andrea/libaio/ http://lse.sourceforge.net/io/aio.html"
+pkgrel=1
+pkgdesc="Asynchronous input/output library"
+url="http://lse.sourceforge.net/io/aio.html"
license="LGPL-2"
-depends="uclibc"
-makedepends=""
+depends=
+makedepends=
install=
subpackages="$pkgname-dev"
source="http://distfiles.gentoo.org/distfiles/$pkgname-$pkgver.tar.gz"
@@ -15,7 +15,11 @@ source="http://distfiles.gentoo.org/distfiles/$pkgname-$pkgver.tar.gz"
build() {
cd "$srcdir/$pkgname-$pkgver"
- make prefix="$pkgdir/usr" sysconfdir="$pkgdir/etc" mandir="$pkgdir/usr/share/man" infodir="$pkgdir/usr/share/info" install || return 1
+ make prefix="$pkgdir/usr" \
+ sysconfdir="$pkgdir/etc" \
+ mandir="$pkgdir/usr/share/man" \
+ infodir="$pkgdir/usr/share/info" \
+ install || return 1
}
md5sums="db32c19c61ca937bcb1ba48da9180682 libaio-0.3.107.tar.gz"
diff --git a/testing/multipath-tools/APKBUILD b/testing/multipath-tools/APKBUILD
index bf24a4d7..471d9de2 100644
--- a/testing/multipath-tools/APKBUILD
+++ b/testing/multipath-tools/APKBUILD
@@ -2,12 +2,12 @@
# Maintainer: Leonardo Arena <rnalrd@gmail.com>
pkgname="multipath-tools"
pkgver=0.4.8
-pkgrel=1
+pkgrel=2
pkgdesc="Device Mapper Multipathing Driver"
url="http://christophe.varoqui.free.fr/"
license="GPL"
depends=
-makedepends="device-mapper-dev libaio-dev readline-dev"
+makedepends="lvm2-dev libaio-dev readline-dev"
install=
subpackages="$pkgname-doc"
source="http://christophe.varoqui.free.fr/$pkgname/$pkgname-$pkgver.tar.bz2
@@ -16,7 +16,7 @@ source="http://christophe.varoqui.free.fr/$pkgname/$pkgname-$pkgver.tar.bz2
build() {
cd "$srcdir/$pkgname-$pkgver"
- patch Makefile < ../../Makefile.patch
+ patch Makefile < ../Makefile.patch || return 1
find . -name Makefile -exec sed -i -e 's/glibc/uclibc/g' {} \;
make -j1 \
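Review bot: The `cd "$srcdir/$pkgname-$pkgver"` line before the patch step is unchecked, and so is the `find . -name Makefile -exec sed -i ...` line after it. If the `cd` fails, only the `patch` line added here stops the build, and that relies on no `Makefile` existing in the starting directory; otherwise the `sed -i` rewrite would run on whatever tree the shell is in. `cd "$srcdir/$pkgname-$pkgver" || return 1` makes the failure explicit. The same unchecked `cd` appears in the desktop-file-utils and epdfview `build()` functions touched by this commit, and `build()` here continues past the end of the hunk.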
diff --git a/x11/desktop-file-utils/APKBUILD b/x11/desktop-file-utils/APKBUILD
index 7ff0ee30..b4b373fe 100644
--- a/x11/desktop-file-utils/APKBUILD
+++ b/x11/desktop-file-utils/APKBUILD
@@ -1,23 +1,21 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=desktop-file-utils
pkgver=0.15
-pkgrel=0
+pkgrel=1
pkgdesc="Command line utilities for working with desktop entries"
url="http://www.freedesktop.org/wiki/Software/desktop-file-utils"
license="GPL"
-depends="glib uclibc libiconv gettext"
+depends=
makedepends="glib-dev libiconv-dev gettext-dev pkgconfig"
-source="http://www.freedesktop.org/software/$pkgname/releases/$pkgname-$pkgver.tar.gz
- nocxx.patch"
+triggers="$pkgname.trigger:/usr/share/applications"
+source="http://www.freedesktop.org/software/$pkgname/releases/$pkgname-$pkgver.tar.gz"
-build ()
-{
+build ()
+{
cd "$srcdir"/desktop-file-utils-$pkgver
- patch configure < ../nocxx.patch || return 1
./configure --prefix=/usr || return 1
make || return 1
make DESTDIR="$pkgdir" install || return 1
}
-md5sums="2fe8ebe222fc33cd4a959415495b7eed desktop-file-utils-0.15.tar.gz
-28513788ba4d556ccd538867dc6205ab nocxx.patch"
+md5sums="2fe8ebe222fc33cd4a959415495b7eed desktop-file-utils-0.15.tar.gz"
diff --git a/x11/desktop-file-utils/desktop-file-utils.trigger b/x11/desktop-file-utils/desktop-file-utils.trigger
new file mode 100644
index 00000000..0400e9a2
--- /dev/null
+++ b/x11/desktop-file-utils/desktop-file-utils.trigger
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+update-desktop-database -q
diff --git a/x11/desktop-file-utils/nocxx.patch b/x11/desktop-file-utils/nocxx.patch
deleted file mode 100644
index beb1ab90..00000000
--- a/x11/desktop-file-utils/nocxx.patch
+++ /dev/null
@@ -1,15 +0,0 @@
---- a/configure 2004-12-07 21:34:23.205172545 +0000
-+++ b/configure 2004-12-07 21:37:17.726654782 +0000
-@@ -5148,10 +5148,8 @@
- :
- else
- { { echo "$as_me:$LINENO: error: C++ preprocessor \"$CXXCPP\" fails sanity check
--See \`config.log' for more details." >&5
--echo "$as_me: error: C++ preprocessor \"$CXXCPP\" fails sanity check
--See \`config.log' for more details." >&2;}
-- { (exit 1); exit 1; }; }
-+See \`config.log' for more details." >&5;}
-+ { echo "C++ sucks, ignoring ..." >&5; }; }
- fi
-
- ac_ext=cc
diff --git a/x11/epdfview/APKBUILD b/x11/epdfview/APKBUILD
new file mode 100644
index 00000000..daccdbc9
--- /dev/null
+++ b/x11/epdfview/APKBUILD
@@ -0,0 +1,40 @@
+# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
+pkgname=epdfview
+pkgver=0.1.7
+pkgrel=0
+pkgdesc="A free lightweight PDF document viewer."
+url="http://www.emma-soft.com/projects/epdfview/"
+license="GPL"
+#depends="poppler-glib>=0.10.0 heimdal>=1.2.1-1 libcups>=1.3.7-2 gnutls>=2.4.1
+depends="desktop-file-utils hicolor-icon-theme"
+makedepends="poppler-dev"
+source="http://www.emma-soft.com/projects/$pkgname/chrome/site/releases/$pkgname-$pkgver.tar.bz2
+ $pkgname.desktop.patch
+ fix-scrolling.patch"
+
+build ()
+{
+ cd ""$srcdir"/$pkgname-$pkgver"
+ patch -Np0 -i ../epdfview.desktop.patch || return 1
+ patch -Np0 -i ../fix-scrolling.patch || return 1
+ ./configure --prefix=/usr \
+ --sysconfdir=/etc \
+ --localstatedir=/var \
+ || return 1
+ make || return 1
+ make -j1 DESTDIR="$pkgdir" install || return 1
+ for i in 24 32 48; do
+ install -d "$pkgdir"/usr/share/icons/hicolor/${i}x${i}/apps \
+ || return 1
+ done
+ install -m644 data/icon_epdfview-24.png \
+ "$pkgdir"/usr/share/icons/hicolor/24x24/apps/epdfview.png
+ install -m644 data/icon_epdfview-32.png \
+ "$pkgdir"/usr/share/icons/hicolor/32x32/apps/epdfview.png
+ install -m644 data/icon_epdfview-48.png \
+ "$pkgdir"/usr/share/icons/hicolor/48x48/apps/epdfview.png
+}
+
+md5sums="1919bb19c16ef0a97d48b0a8303d3c7b epdfview-0.1.7.tar.bz2
+fbf22bbabdbb7544db615ac5775d57e2 epdfview.desktop.patch
+7a1574e0a8d0bcde316050629fb7bedd fix-scrolling.patch"
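Review bot: In `build()` the line `cd ""$srcdir"/$pkgname-$pkgver"` pairs its quotes so that `$srcdir` ends up outside them and is subject to word splitting; `cd "$srcdir/$pkgname-$pkgver" || return 1` quotes the whole path. The first two `install -m644` commands for the icons have no `|| return 1`, unlike the other steps, so a missing 24- or 32-pixel icon would not fail the build. The commented-out `#depends=` line above the real `depends=` is dead text and can be dropped.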
diff --git a/x11/epdfview/epdfview.desktop.patch b/x11/epdfview/epdfview.desktop.patch
new file mode 100644
index 00000000..d86fc308
--- /dev/null
+++ b/x11/epdfview/epdfview.desktop.patch
@@ -0,0 +1,11 @@
+--- data/epdfview.desktop.bak 2009-04-05 16:55:56.000000000 -0700
++++ data/epdfview.desktop 2009-04-05 16:56:33.000000000 -0700
+@@ -7,7 +7,7 @@
+ GenericName=PDF Viewer
+ GenericName[ca]=Visor PDF
+ GenericName[es]=Visor PDF
+-Icon=icon_epdfview-48
++Icon=epdfview
+ Name=ePDFViewer
+ Name[ca]=ePDFViewer
+ Name[es]=ePDFViewer
diff --git a/x11/epdfview/fix-scrolling.patch b/x11/epdfview/fix-scrolling.patch
new file mode 100644
index 00000000..828bf125
--- /dev/null
+++ b/x11/epdfview/fix-scrolling.patch
@@ -0,0 +1,33 @@
+--- ./src/gtk/MainView.cxx.old 2009-02-28 22:00:55.000000000 +0100
++++ ./src/gtk/MainView.cxx 2009-03-20 03:12:10.000000000 +0100
+@@ -77,7 +77,7 @@
+ static void main_window_zoom_out_cb (GtkWidget *, gpointer);
+ static void main_window_zoom_width_cb (GtkToggleAction *, gpointer);
+ static void main_window_set_page_mode (GtkRadioAction *, GtkRadioAction *, gpointer);
+-static void main_window_page_scrolled_cb (GtkWidget *widget, GdkEventScroll *event, gpointer data);
++static gboolean main_window_page_scrolled_cb (GtkWidget *widget, GdkEventScroll *event, gpointer data);
+
+ #if defined (HAVE_CUPS)
+ static void main_window_print_cb (GtkWidget *, gpointer);
+@@ -1479,18 +1479,19 @@
+ pter->setPageMode (mode);
+ }
+
+-void
++gboolean
+ main_window_page_scrolled_cb (GtkWidget *widget, GdkEventScroll *event, gpointer data)
+ {
+ g_assert ( NULL != data && "The data parameter is NULL.");
+
+ MainPter *pter = (MainPter *)data;
+ // Only zoom when the CTRL-Button is down...
+- if ( !(event->state & GDK_CONTROL_MASK) ) return;
++ if ( !(event->state & GDK_CONTROL_MASK) ) return FALSE;
+ if ( event->direction == GDK_SCROLL_UP ) {
+ pter->zoomInActivated ();
+ } else if ( event->direction == GDK_SCROLL_DOWN ) {
+ pter->zoomOutActivated ();
+ }
++ return TRUE;
+ }
+
diff --git a/x11/gtk+/APKBUILD b/x11/gtk+/APKBUILD
index a84abef7..0dfc73c8 100644
--- a/x11/gtk+/APKBUILD
+++ b/x11/gtk+/APKBUILD
@@ -1,10 +1,11 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=gtk+
-pkgver=2.16.4
+pkgver=2.16.5
pkgrel=0
pkgdesc="The GTK+ Toolkit (v2)"
url="http://www.gtk.org/"
install="$pkgname.post-install $pkgname.post-upgrade $pkgname.post-deinstall"
+triggers="$pkgname.trigger:/usr/share/icons/*"
license="LGPL"
subpackages="$pkgname-dev $pkgname-doc"
depends=
@@ -29,8 +30,7 @@ makedepends="pkgconfig
pango-dev
tiff-dev
zlib-dev"
-source="http://ftp.gnome.org/pub/gnome/sources/gtk+/${pkgver%.*}/gtk+-$pkgver.tar.bz2
- $install"
+source="http://ftp.gnome.org/pub/gnome/sources/gtk+/${pkgver%.*}/gtk+-$pkgver.tar.bz2"
depends_dev="atk-dev pango-dev cairo-dev glib-dev"
build() {
@@ -44,7 +44,4 @@ build() {
make || return 1
make DESTDIR="$pkgdir" install || return 1
}
-md5sums="d666f9f5a544e9d4d45804d88b1b5c4d gtk+-2.16.4.tar.bz2
-bf14adb7cc12acf93409ccf83545da06 gtk+.post-install
-bf14adb7cc12acf93409ccf83545da06 gtk+.post-upgrade
-ddc2c8add489c9f7f48f92cea34c05e6 gtk+.post-deinstall"
+md5sums="8d1ea0b9b0400224d25b0cc2750b438d gtk+-2.16.5.tar.bz2"
diff --git a/x11/gtk+/gtk+.trigger b/x11/gtk+/gtk+.trigger
new file mode 100644
index 00000000..e9ff91c9
--- /dev/null
+++ b/x11/gtk+/gtk+.trigger
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+for i in "$@"; do
+ gtk-update-icon-cache -q -t -f $i
+done
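Review bot: `$i` is unquoted in the `gtk-update-icon-cache` call, so a matched icon directory whose name contains whitespace or glob characters is split or expanded by the shell before the tool sees it. This script is run by the package manager, presumably with its privileges, so each path should be passed through verbatim: `gtk-update-icon-cache -q -t -f "$i"`. The loop also discards each call's exit status, so a failed cache rebuild goes unnoticed; if that is deliberate best-effort behaviour, a one-line comment saying so would help.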
diff --git a/x11/gtk-vnc/APKBUILD b/x11/gtk-vnc/APKBUILD
new file mode 100644
index 00000000..353b1205
--- /dev/null
+++ b/x11/gtk-vnc/APKBUILD
@@ -0,0 +1,24 @@
+# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
+pkgname=gtk-vnc
+pkgver=0.3.8
+pkgrel=0
+pkgdesc="A VNC viewer widget for GTK"
+url="http://live.gnome.org/gtk-vnc"
+license="LGPL"
+subpackages="$pkgname-dev"
+makedepends="gnutls-dev gtk+-dev libiconv-dev gettext-dev intltool expat-dev
+ libgcrypt-dev libgpg-error-dev"
+depends_dev="gtk+-dev gnutls-dev"
+source="http://ftp.gnome.org/pub/gnome/sources/$pkgname/0.3/$pkgname-$pkgver.tar.bz2"
+
+build ()
+{
+ cd "$srcdir"/$pkgname-$pkgver
+ ./configure --prefix=/usr \
+ --without-python \
+ --without-examples \
+ --disable-static || return 1
+ make || return 1
+ make DESTDIR="$pkgdir" install || return 1
+}
+md5sums="7c7b07a868568206acd3f6e9e4d18ba1 gtk-vnc-0.3.8.tar.bz2"
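Review bot: The tarball in `source=` is fetched over plain `http://` and pinned only by the `md5sums=` line, so the integrity of the build input rests on MD5, which is not collision-resistant. Anyone able to tamper with the download path is held back by that digest alone. If the abuild version in use accepts a stronger checksum variable such as `sha512sums=`, record it next to the MD5 line, and switch the URL to `https://` where the mirror offers it. The same pattern appears in the mrxvt and poppler APKBUILDs added in this commit and in the updated gtk+ `md5sums=` line.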
diff --git a/x11/mrxvt/APKBUILD b/x11/mrxvt/APKBUILD
new file mode 100644
index 00000000..3dba1c4c
--- /dev/null
+++ b/x11/mrxvt/APKBUILD
@@ -0,0 +1,45 @@
+# Contributor: Mark Constable <markc@renta.net>
+# Maintainer: Mark Constable <markc@renta.net>
+pkgname=mrxvt
+pkgver=0.5.4
+pkgrel=0
+pkgdesc="A multi-tabbed X terminal emulator based on rxvt code"
+url="http://materm.sourceforge.net/wiki/pmwiki.php"
+license="GPL"
+makedepends="libpng-dev jpeg-dev libxft-dev libxpm-dev libx11-dev"
+subpackages="$pkgname-doc"
+source="
+ http://downloads.sourceforge.net/sourceforge/materm/$pkgname-$pkgver.tar.gz
+ mrxvt-0.5.4-002-fix-segfault-when-wd-empty.patch
+ mrxvt.desktop
+ "
+
+build()
+{
+ cd "$srcdir"/$pkgname-$pkgver
+ patch -p1 < ../mrxvt-0.5.4-002-fix-segfault-when-wd-empty.patch || return 1
+ ./configure \
+ --prefix=/usr \
+ --sysconfdir=/etc \
+ --enable-xft \
+ --enable-text-shadow \
+ --enable-transparency \
+ --enable-smart-resize \
+ --enable-menubar \
+ --disable-ourstrings \
+ --enable-linespace \
+ --enable-256colors \
+ --enable-xim \
+ --enable-thai \
+ --enable-greek \
+ --enable-cjk \
+ --enable-backspace-key \
+ --with-save-lines=2048 || return 1
+ make || return 1
+ make DESTDIR=$pkgdir install || return 1
+ install -Dm644 ../mrxvt.desktop $pkgdir/usr/share/applications/mrxvt.desktop
+
+}
+md5sums="0232c8868484751dcb931a28f0756f69 mrxvt-0.5.4.tar.gz
+e4a8bb2521246aba85f8dcaa01aed527 mrxvt-0.5.4-002-fix-segfault-when-wd-empty.patch
+6ba3bcd484c8dad1b0b48465ded54de3 mrxvt.desktop"
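Review bot: `$pkgdir` is expanded unquoted in `make DESTDIR=$pkgdir install` and in the `install -Dm644` line of `build()`, whereas the other APKBUILDs in this commit write `"$pkgdir"`. A staging path containing whitespace would be word-split, and files could then land outside the intended package root. Quote both uses: `make DESTDIR="$pkgdir" install || return 1` and `install -Dm644 ../mrxvt.desktop "$pkgdir"/usr/share/applications/mrxvt.desktop`.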
diff --git a/x11/mrxvt/mrxvt-0.5.4-002-fix-segfault-when-wd-empty.patch b/x11/mrxvt/mrxvt-0.5.4-002-fix-segfault-when-wd-empty.patch
new file mode 100644
index 00000000..c9af740e
--- /dev/null
+++ b/x11/mrxvt/mrxvt-0.5.4-002-fix-segfault-when-wd-empty.patch
@@ -0,0 +1,12 @@
+diff -ru a/src/tabbar.c b/src/tabbar.c
+--- a/src/tabbar.c 2009-08-19 21:12:48.000000000 +0000
++++ b/src/tabbar.c 2009-08-19 21:13:35.000000000 +0000
+@@ -1314,7 +1314,7 @@
+ if( p.we_wordc > 1)
+ rxvt_msg( DBG_ERROR, DBG_TABBAR,
+ "Too many words when expanding %s\n", cwdOption );
+- else
++ else if( NOT_NULL( *p.we_wordv ) )
+ {
+ filename = *p.we_wordv;
+
diff --git a/x11/mrxvt/mrxvt.desktop b/x11/mrxvt/mrxvt.desktop
new file mode 100644
index 00000000..fc2173dd
--- /dev/null
+++ b/x11/mrxvt/mrxvt.desktop
@@ -0,0 +1,10 @@
+[Desktop Entry]
+Encoding=UTF-8
+Name=mrxvt
+Comment=MultiTabbed rxvt Terminal
+Exec=mrxvt
+Icon=mrxvt
+Terminal=false
+Type=Application
+Categories=Application;TerminalEmulator;
+GenericName=Terminal
diff --git a/x11/poppler/APKBUILD b/x11/poppler/APKBUILD
new file mode 100644
index 00000000..04ed2db8
--- /dev/null
+++ b/x11/poppler/APKBUILD
@@ -0,0 +1,39 @@
+# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
+pkgname=poppler
+pkgver=0.10.7
+pkgrel=0
+pkgdesc="PDF rendering library based on xpdf 3.0"
+url="http://poppler.freedesktop.org/"
+license="GPL"
+subpackages="$pkgname-dev $pkgname-doc $pkgname-glib"
+makedepends="jpeg-dev cairo-dev gtk+-dev libxml2-dev fontconfig-dev pkgconfig
+ glib-dev"
+depends=
+depends_dev="glib-dev gtk+-dev cairo-dev"
+source="http://$pkgname.freedesktop.org/$pkgname-$pkgver.tar.gz"
+
+build() {
+ cd "$srcdir"/$pkgname-$pkgver
+ ./configure --prefix=/usr \
+ --sysconfdir=/etc \
+ --localstatedir=/var \
+ --disable-static \
+ --enable-cairo-output \
+ --enable-xpdf-headers \
+ --enable-libjpeg \
+ --enable-zlib \
+ --disable-poppler-qt4 \
+ --enable-poppler-glib \
+ --disable-poppler-qt \
+ || return 1
+ make || return 1
+ make DESTDIR="$pkgdir" install || return 1
+}
+
+glib() {
+ pkgdesc="Glib bindings for poppler"
+ mkdir -p "$subpkgdir"/usr/lib
+ mv "$pkgdir"/usr/lib/libpoppler-glib* "$subpkgdir"/usr/lib/
+}
+
+md5sums="ba120e49a82567d85d00e159011ebe67 poppler-0.10.7.tar.gz"