summaryrefslogtreecommitdiffstats
path: root/main
diff options
context:
space:
mode:
authorTimo Teras <timo.teras@iki.fi>2009-09-03 13:42:21 +0400
committerTimo Teras <timo.teras@iki.fi>2009-09-03 13:42:21 +0400
commit3bb9b2ed2ad6caaf6a5fa85db040b9449f94f242 (patch)
tree7458356cb8c7161ae896d74b796e1c20262a7b20 /main
parent2b56d85b3fa6558775682b8801d9dce8140f9950 (diff)
downloadaports-3bb9b2ed2ad6caaf6a5fa85db040b9449f94f242.tar.bz2
aports-3bb9b2ed2ad6caaf6a5fa85db040b9449f94f242.tar.xz
main/ipsec-tools: update to 20090903 snapshot
remove the patch merged upstream.
Diffstat (limited to 'main')
-rw-r--r--main/ipsec-tools/10-rekey-ph1hint.patch1227
-rw-r--r--main/ipsec-tools/APKBUILD8
2 files changed, 3 insertions, 1232 deletions
diff --git a/main/ipsec-tools/10-rekey-ph1hint.patch b/main/ipsec-tools/10-rekey-ph1hint.patch
deleted file mode 100644
index 773d6090..00000000
--- a/main/ipsec-tools/10-rekey-ph1hint.patch
+++ /dev/null
@@ -1,1227 +0,0 @@
-? .msg
-? ChangeLog
-? alpine-config
-? commiters.txt
-? fd-unmonitor-segv-fix.patch
-? natt-and-cmpsaddr.patch
-? racoon.txt
-? rekeying-fixes.diff
-? rpm/Makefile
-? rpm/Makefile.in
-? rpm/ipsec-tools.spec
-? rpm/suse/Makefile
-? rpm/suse/Makefile.in
-? rpm/suse/ipsec-tools.spec
-? src/Makefile
-? src/Makefile.in
-? src/include-glibc/.includes
-? src/include-glibc/Makefile
-? src/include-glibc/Makefile.in
-? src/libipsec/.deps
-? src/libipsec/.libs
-? src/libipsec/Makefile
-? src/libipsec/Makefile.in
-? src/libipsec/ipsec_dump_policy.lo
-? src/libipsec/ipsec_get_policylen.lo
-? src/libipsec/ipsec_strerror.lo
-? src/libipsec/key_debug.lo
-? src/libipsec/libipsec.la
-? src/libipsec/pfkey.lo
-? src/libipsec/pfkey_dump.lo
-? src/libipsec/policy_parse.c
-? src/libipsec/policy_parse.h
-? src/libipsec/policy_parse.lo
-? src/libipsec/policy_token.c
-? src/libipsec/policy_token.lo
-? src/racoon/.deps
-? src/racoon/.libs
-? src/racoon/Makefile
-? src/racoon/Makefile.in
-? src/racoon/cfparse.c
-? src/racoon/cfparse.h
-? src/racoon/cftoken.c
-? src/racoon/eaytest
-? src/racoon/libracoon.la
-? src/racoon/libracoon_la-kmpstat.lo
-? src/racoon/libracoon_la-misc.lo
-? src/racoon/libracoon_la-sockmisc.lo
-? src/racoon/libracoon_la-vmbuf.lo
-? src/racoon/plainrsa-gen
-? src/racoon/prsa_par.c
-? src/racoon/prsa_par.h
-? src/racoon/prsa_tok.c
-? src/racoon/racoon
-? src/racoon/racoonctl
-? src/racoon/samples/psk.txt
-? src/racoon/samples/racoon.conf
-? src/setkey/.deps
-? src/setkey/.libs
-? src/setkey/Makefile
-? src/setkey/Makefile.in
-? src/setkey/parse.c
-? src/setkey/parse.h
-? src/setkey/setkey
-? src/setkey/token.c
-Index: src/racoon/admin.c
-===================================================================
-RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/admin.c,v
-retrieving revision 1.31
-diff -u -r1.31 admin.c
---- a/src/racoon/admin.c 3 Jul 2009 06:41:46 -0000 1.31
-+++ b/src/racoon/admin.c 19 Aug 2009 14:35:06 -0000
-@@ -5,7 +5,7 @@
- /*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
-- *
-+ *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
-@@ -17,7 +17,7 @@
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
-- *
-+ *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-@@ -341,7 +341,7 @@
- user[len] = 0;
-
- found = purgeph1bylogin(user);
-- plog(LLV_INFO, LOCATION, NULL,
-+ plog(LLV_INFO, LOCATION, NULL,
- "deleted %d SA for user \"%s\"\n", found, user);
-
- break;
-@@ -360,7 +360,7 @@
- rem = racoon_strdup(saddrwop2str(dst));
- STRDUP_FATAL(rem);
-
-- plog(LLV_INFO, LOCATION, NULL,
-+ plog(LLV_INFO, LOCATION, NULL,
- "Flushing all SAs for peer %s\n", rem);
-
- while ((iph1 = getph1bydstaddr(dst)) != NULL) {
-@@ -373,7 +373,7 @@
-
- racoon_free(loc);
- }
--
-+
- racoon_free(rem);
- break;
- }
-@@ -383,14 +383,14 @@
- char *data;
-
- acp = (struct admin_com_psk *)
-- ((char *)com + sizeof(*com) +
-+ ((char *)com + sizeof(*com) +
- sizeof(struct admin_com_indexes));
-
- idtype = acp->id_type;
-
- if ((id = vmalloc(acp->id_len)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
-- "cannot allocate memory: %s\n",
-+ "cannot allocate memory: %s\n",
- strerror(errno));
- break;
- }
-@@ -399,7 +399,7 @@
-
- if ((key = vmalloc(acp->key_len)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
-- "cannot allocate memory: %s\n",
-+ "cannot allocate memory: %s\n",
- strerror(errno));
- vfree(id);
- id = NULL;
-@@ -474,7 +474,7 @@
- rmconf->xauth->pass = key;
- }
- #endif
--
-+
- plog(LLV_INFO, LOCATION, NULL,
- "accept a request to establish IKE-SA: "
- "%s\n", saddrwop2str(dst));
-@@ -577,7 +577,7 @@
- }
-
- insph2(iph2);
-- if (isakmp_post_acquire(iph2) < 0) {
-+ if (isakmp_post_acquire(iph2, NULL) < 0) {
- remph2(iph2);
- delph2(iph2);
- break;
-@@ -710,17 +710,17 @@
- }
-
- if (chown(sunaddr.sun_path, adminsock_owner, adminsock_group) != 0) {
-- plog(LLV_ERROR, LOCATION, NULL,
-- "chown(%s, %d, %d): %s\n",
-- sunaddr.sun_path, adminsock_owner,
-+ plog(LLV_ERROR, LOCATION, NULL,
-+ "chown(%s, %d, %d): %s\n",
-+ sunaddr.sun_path, adminsock_owner,
- adminsock_group, strerror(errno));
- (void)close(lcconf->sock_admin);
- return -1;
- }
-
- if (chmod(sunaddr.sun_path, adminsock_mode) != 0) {
-- plog(LLV_ERROR, LOCATION, NULL,
-- "chmod(%s, 0%03o): %s\n",
-+ plog(LLV_ERROR, LOCATION, NULL,
-+ "chmod(%s, 0%03o): %s\n",
- sunaddr.sun_path, adminsock_mode, strerror(errno));
- (void)close(lcconf->sock_admin);
- return -1;
-Index: src/racoon/handler.c
-===================================================================
-RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/handler.c,v
-retrieving revision 1.29
-diff -u -r1.29 handler.c
---- a/src/racoon/handler.c 3 Jul 2009 06:41:46 -0000 1.29
-+++ b/src/racoon/handler.c 19 Aug 2009 14:35:06 -0000
-@@ -5,7 +5,7 @@
- /*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
-- *
-+ *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
-@@ -17,7 +17,7 @@
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
-- *
-+ *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-@@ -64,7 +64,7 @@
- #include "evt.h"
- #include "isakmp.h"
- #ifdef ENABLE_HYBRID
--#include "isakmp_xauth.h"
-+#include "isakmp_xauth.h"
- #include "isakmp_cfg.h"
- #endif
- #include "isakmp_inf.h"
-@@ -177,8 +177,8 @@
- * with phase 2's destinaion.
- */
- struct ph1handle *
--getph1(rmconf, local, remote, flags)
-- struct remoteconf *rmconf;
-+getph1(ph1hint, local, remote, flags)
-+ struct ph1handle *ph1hint;
- struct sockaddr *local, *remote;
- int flags;
- {
-@@ -202,12 +202,30 @@
- continue;
- }
-
-- if (local != NULL && cmpsaddr(local, p->local) != 0)
-+ if (local != NULL && cmpsaddr(local, p->local) == CMPSADDR_MISMATCH)
- continue;
-
-- if (remote != NULL && cmpsaddr(remote, p->remote) != 0)
-+ if (remote != NULL && cmpsaddr(remote, p->remote) == CMPSADDR_MISMATCH)
- continue;
-
-+ if (ph1hint != NULL) {
-+ if (ph1hint->id && ph1hint->id->l && p->id && p->id->l &&
-+ (ph1hint->id->l != p->id->l ||
-+ memcmp(ph1hint->id->v, p->id->v, p->id->l) != 0)) {
-+ plog(LLV_DEBUG2, LOCATION, NULL,
-+ "local identity does match hint\n");
-+ continue;
-+ }
-+ if (ph1hint->id_p && ph1hint->id_p->l &&
-+ p->id_p && p->id_p->l &&
-+ (ph1hint->id_p->l != p->id_p->l ||
-+ memcmp(ph1hint->id_p->v, p->id_p->v, p->id_p->l) != 0)) {
-+ plog(LLV_DEBUG2, LOCATION, NULL,
-+ "remote identity does match hint\n");
-+ continue;
-+ }
-+ }
-+
- plog(LLV_DEBUG2, LOCATION, NULL, "matched\n");
- return p;
- }
-@@ -1155,7 +1173,7 @@
- }
-
- #ifdef ENABLE_HYBRID
--/*
-+/*
- * Retruns 0 if the address was obtained by ISAKMP mode config, 1 otherwise
- * This should be in isakmp_cfg.c but ph1tree being private, it must be there
- */
-@@ -1182,7 +1200,7 @@
-
-
-
--/*
-+/*
- * Reload conf code
- */
- static int revalidate_ph2(struct ph2handle *iph2){
-@@ -1192,11 +1210,11 @@
- struct saprop *approval;
- struct ph1handle *iph1;
-
-- /*
-+ /*
- * Get the new sainfo using values of the old one
- */
- if (iph2->sainfo != NULL) {
-- iph2->sainfo = getsainfo(iph2->sainfo->idsrc,
-+ iph2->sainfo = getsainfo(iph2->sainfo->idsrc,
- iph2->sainfo->iddst, iph2->sainfo->id_i,
- NULL, iph2->sainfo->remoteid);
- }
-@@ -1204,7 +1222,7 @@
- sainfo = iph2->sainfo;
-
- if (sainfo == NULL) {
-- /*
-+ /*
- * Sainfo has been removed
- */
- plog(LLV_DEBUG, LOCATION, NULL,
-@@ -1219,7 +1237,7 @@
- plog(LLV_DEBUG, LOCATION, NULL,
- "No approval found !\n");
- return 0;
-- }
-+ }
-
- /*
- * Don't care about proposals, should we do something ?
-@@ -1318,7 +1336,7 @@
- }
-
- found = 0;
-- for (alg = sainfo->algs[algclass_ipsec_enc];
-+ for (alg = sainfo->algs[algclass_ipsec_enc];
- (found == 0 && alg != NULL); alg = alg->next) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "Reload: next ph2 enc alg...\n");
-@@ -1351,7 +1369,7 @@
- break;
-
- default:
-- plog(LLV_ERROR, LOCATION, NULL,
-+ plog(LLV_ERROR, LOCATION, NULL,
- "unexpected check_level\n");
- continue;
- break;
-@@ -1375,7 +1393,7 @@
- }
-
-
--static void
-+static void
- remove_ph2(struct ph2handle *iph2)
- {
- u_int32_t spis[2];
-@@ -1467,7 +1485,7 @@
- return 1;
- }
-
--int
-+int
- revalidate_ph12(void)
- {
-
-Index: src/racoon/handler.h
-===================================================================
-RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/handler.h,v
-retrieving revision 1.21
-diff -u -r1.21 handler.h
---- a/src/racoon/handler.h 3 Jul 2009 06:41:46 -0000 1.21
-+++ b/src/racoon/handler.h 19 Aug 2009 14:35:06 -0000
-@@ -5,7 +5,7 @@
- /*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
-- *
-+ *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
-@@ -17,7 +17,7 @@
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
-- *
-+ *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-@@ -214,7 +214,7 @@
- LIST_ENTRY(ph1handle) chain;
- #ifdef ENABLE_HYBRID
- struct isakmp_cfg_state *mode_cfg; /* ISAKMP mode config state */
--#endif
-+#endif
- EVT_LISTENER_LIST(evt_listeners);
- };
-
-@@ -449,7 +449,7 @@
- struct sockaddr_storage remote;
- struct sockaddr_storage local;
- u_int8_t version;
-- u_int8_t etype;
-+ u_int8_t etype;
- time_t created;
- int ph2cnt;
- };
-@@ -468,7 +468,7 @@
-
- #define GETPH1_F_ESTABLISHED 0x0001
-
--extern struct ph1handle *getph1 __P((struct remoteconf *rmconf,
-+extern struct ph1handle *getph1 __P((struct ph1handle *ph1hint,
- struct sockaddr *local,
- struct sockaddr *remote,
- int flags));
-Index: src/racoon/isakmp.c
-===================================================================
-RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp.c,v
-retrieving revision 1.58
-diff -u -r1.58 isakmp.c
---- a/src/racoon/isakmp.c 3 Jul 2009 06:41:46 -0000 1.58
-+++ b/src/racoon/isakmp.c 19 Aug 2009 14:35:07 -0000
-@@ -5,7 +5,7 @@
- /*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
-- *
-+ *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
-@@ -17,7 +17,7 @@
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
-- *
-+ *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-@@ -176,7 +176,7 @@
- };
-
- static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */
--
-+
- static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *));
- static int ph1_main __P((struct ph1handle *, vchar_t *));
- static int quick_main __P((struct ph2handle *, vchar_t *));
-@@ -190,7 +190,7 @@
- static int isakmp_ph2resend __P((struct ph2handle *));
-
- #ifdef ENABLE_FRAG
--static int frag_handler(struct ph1handle *,
-+static int frag_handler(struct ph1handle *,
- vchar_t *, struct sockaddr *, struct sockaddr *);
- #endif
-
-@@ -259,16 +259,16 @@
- extralen += sizeof(x.lbuf.udp) + x.lbuf.ip.ip_hl;
- }
- #endif
-- }
-+ }
-
- #ifdef ENABLE_NATT
-- /* we don't know about portchange yet,
-+ /* we don't know about portchange yet,
- look for non-esp marker instead */
- if (x.non_esp[0] == 0 && x.non_esp[1] != 0)
- extralen = NON_ESP_MARKER_LEN;
- #endif
-
-- /* now we know if there is an extra non-esp
-+ /* now we know if there is an extra non-esp
- marker at the beginning or not */
- memcpy ((char *)&isakmp, x.buf + extralen, sizeof (isakmp));
-
-@@ -309,7 +309,7 @@
- if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
- 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
-- "failed to receive isakmp packet: %s\n",
-+ "failed to receive isakmp packet: %s\n",
- strerror (errno));
- }
- goto end;
-@@ -332,11 +332,11 @@
- (len - extralen));
- goto end;
- }
--
-+
- memcpy (buf->v, tmpbuf->v + extralen, buf->l);
-
- len -= extralen;
--
-+
- if (len != buf->l) {
- plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
- "received invalid length (%d != %zu), why ?\n",
-@@ -347,7 +347,7 @@
- plog(LLV_DEBUG, LOCATION, NULL, "===\n");
- plog(LLV_DEBUG, LOCATION, NULL,
- "%d bytes message received %s\n",
-- len, saddr2str_fromto("from %s to %s",
-+ len, saddr2str_fromto("from %s to %s",
- (struct sockaddr *)&remote,
- (struct sockaddr *)&local));
- plogdump(LLV_DEBUG, buf->v, buf->l);
-@@ -496,12 +496,12 @@
- }
-
- /* set the flag to prevent further port floating
-- (FIXME: should we allow it? E.g. when the NAT gw
-+ (FIXME: should we allow it? E.g. when the NAT gw
- is rebooted?) */
- iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER;
--
-+
- /* print some neat info */
-- plog (LLV_INFO, LOCATION, NULL,
-+ plog (LLV_INFO, LOCATION, NULL,
- "NAT-T: ports changed to: %s\n",
- saddr2str_fromto ("%s<->%s", iph1->remote, iph1->local));
-
-@@ -668,7 +668,7 @@
- return -1;
- }
- #ifdef ENABLE_HYBRID
-- /* Reinit the IVM if it's still there */
-+ /* Reinit the IVM if it's still there */
- if (iph1->mode_cfg && iph1->mode_cfg->ivm) {
- oakley_delivm(iph1->mode_cfg->ivm);
- iph1->mode_cfg->ivm = NULL;
-@@ -753,7 +753,7 @@
-
- isakmp_cfg_r(iph1, msg);
- break;
--#endif
-+#endif
-
- case ISAKMP_ETYPE_NONE:
- default:
-@@ -822,7 +822,7 @@
- /* free resend buffer */
- if (iph1->sendbuf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
-- "no buffer found as sendbuf\n");
-+ "no buffer found as sendbuf\n");
- return -1;
- }
- #endif
-@@ -925,13 +925,13 @@
- log_ph1established(iph1);
- plog(LLV_DEBUG, LOCATION, NULL, "===\n");
-
-- /*
-+ /*
- * SA up shell script hook: do it now,except if
- * ISAKMP mode config was requested. In the later
- * case it is done when we receive the configuration.
- */
- if ((iph1->status == PHASE1ST_ESTABLISHED) &&
-- !iph1->rmconf->mode_cfg) {
-+ !iph1->rmconf->mode_cfg) {
- switch (iph1->approval->authmethod) {
- #ifdef ENABLE_HYBRID
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
-@@ -1004,7 +1004,7 @@
- /* free resend buffer */
- if (iph2->sendbuf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
-- "no buffer found as sendbuf\n");
-+ "no buffer found as sendbuf\n");
- return -1;
- }
- VPTRINIT(iph2->sendbuf);
-@@ -1754,23 +1754,23 @@
- extralen = 0;
-
- #ifdef ENABLE_FRAG
-- /*
-+ /*
- * Do not add the non ESP marker for a packet that will
-- * be fragmented. The non ESP marker should appear in
-+ * be fragmented. The non ESP marker should appear in
- * all fragment's packets, but not in the fragmented packet
- */
-- if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN)
-+ if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN)
- extralen = 0;
- #endif
- if (extralen)
- plog (LLV_DEBUG, LOCATION, NULL, "Adding NON-ESP marker\n");
-
-- /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker)
-- must added just before the packet itself. For this we must
-+ /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker)
-+ must added just before the packet itself. For this we must
- allocate a new buffer and release it at the end. */
- if (extralen) {
- if ((vbuf = vmalloc (sbuf->l + extralen)) == NULL) {
-- plog(LLV_ERROR, LOCATION, NULL,
-+ plog(LLV_ERROR, LOCATION, NULL,
- "vbuf allocation failed\n");
- return -1;
- }
-@@ -1791,17 +1791,17 @@
- if (s == -1)
- return -1;
-
-- plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l,
-+ plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l,
- saddr2str_fromto("from %s to %s", iph1->local, iph1->remote));
-
- #ifdef ENABLE_FRAG
- if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) {
- if (isakmp_sendfrags(iph1, sbuf) == -1) {
-- plog(LLV_ERROR, LOCATION, NULL,
-+ plog(LLV_ERROR, LOCATION, NULL,
- "isakmp_sendfrags failed\n");
- return -1;
- }
-- } else
-+ } else
- #endif
- {
- len = sendfromto(s, sbuf->v, sbuf->l,
-@@ -1812,7 +1812,7 @@
- return -1;
- }
- }
--
-+
- return 0;
- }
-
-@@ -1959,7 +1959,7 @@
- iph1->status = PHASE1ST_DYING;
-
- /* Any fresh phase1s? */
-- new_iph1 = getph1(iph1->rmconf, iph1->local, iph1->remote, 1);
-+ new_iph1 = getph1(iph1, iph1->local, iph1->remote, 1);
- if (new_iph1 == NULL) {
- LIST_FOREACH(p, &iph1->ph2tree, ph1bind) {
- if (p->status != PHASE2ST_ESTABLISHED)
-@@ -2036,7 +2036,7 @@
- char *src, *dst;
-
- /* Migrate established phase2s. Any fresh phase1s? */
-- new_iph1 = getph1byaddr(iph1->local, iph1->remote, 1);
-+ new_iph1 = getph1(iph1, iph1->local, iph1->remote, 1);
- if (new_iph1 != NULL)
- migrate_ph12(iph1, new_iph1);
-
-@@ -2143,12 +2143,13 @@
- * if phase1 has been finished, begin phase2.
- */
- int
--isakmp_post_acquire(iph2)
-+isakmp_post_acquire(iph2, iph1hint)
- struct ph2handle *iph2;
-+ struct ph1handle *iph1hint;
- {
- struct remoteconf *rmconf;
- struct ph1handle *iph1 = NULL;
--
-+
- plog(LLV_DEBUG, LOCATION, NULL, "in post_acquire\n");
-
- /* Search appropriate configuration with masking port. Note that
-@@ -2159,12 +2160,17 @@
- * address of a mobile node (not a CoA provided by MIGRATE/KMADDRESS
- * as iph2->dst hint). This scenario would require additional changes,
- * so no need to bother yet. --arno */
-- rmconf = getrmconf(iph2->dst, GETRMCONF_F_NO_PASSIVE);
-- if (rmconf == NULL) {
-- plog(LLV_ERROR, LOCATION, NULL,
-- "no configuration found for %s.\n",
-- saddrwop2str(iph2->dst));
-- return -1;
-+
-+ if (iph1hint == NULL || iph1hint->rmconf == NULL) {
-+ rmconf = getrmconf(iph2->dst, GETRMCONF_F_NO_PASSIVE);
-+ if (rmconf == NULL) {
-+ plog(LLV_ERROR, LOCATION, NULL,
-+ "no configuration found for %s.\n",
-+ saddrwop2str(iph2->dst));
-+ return -1;
-+ }
-+ } else {
-+ rmconf = iph1hint->rmconf;
- }
-
- /* if passive mode, ignore the acquire message */
-@@ -2181,7 +2187,7 @@
- * some cases, we should use the ISAKMP identity to search
- * matching ISAKMP.
- */
-- iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
-+ iph1 = getph1(iph1hint, iph2->src, iph2->dst, 0);
-
- /* no ISAKMP-SA found. */
- if (iph1 == NULL) {
-@@ -2978,7 +2984,7 @@
- "ISAKMP-SA established %s-%s spi:%s\n",
- src, dst,
- isakmp_pindex(&iph1->index, 0));
--
-+
- evt_phase1(iph1, EVT_PHASE1_UP, NULL);
- if(!iph1->rmconf->mode_cfg)
- evt_phase1(iph1, EVT_PHASE1_MODE_CFG, NULL);
-@@ -3011,7 +3017,7 @@
- return plist;
- }
-
--vchar_t *
-+vchar_t *
- isakmp_plist_set_all (struct payload_list **plist, struct ph1handle *iph1)
- {
- struct payload_list *ptr = *plist, *first;
-@@ -3022,7 +3028,7 @@
- /* Seek to the first item. */
- while (ptr->prev) ptr = ptr->prev;
- first = ptr;
--
-+
- /* Compute the whole length. */
- while (ptr) {
- tlen += ptr->payload->l + sizeof (struct isakmp_gen);
-@@ -3064,7 +3070,7 @@
- }
-
- #ifdef ENABLE_FRAG
--int
-+int
- frag_handler(iph1, msg, remote, local)
- struct ph1handle *iph1;
- vchar_t *msg;
-@@ -3075,7 +3081,7 @@
-
- if (isakmp_frag_extract(iph1, msg) == 1) {
- if ((newmsg = isakmp_frag_reassembly(iph1)) == NULL) {
-- plog(LLV_ERROR, LOCATION, remote,
-+ plog(LLV_ERROR, LOCATION, remote,
- "Packet reassembly failed\n");
- return -1;
- }
-@@ -3125,24 +3131,24 @@
- if (iph1->remote != NULL) {
- GETNAMEINFO(iph1->remote, addrstr, portstr);
-
-- if (script_env_append(&envp, &envc,
-+ if (script_env_append(&envp, &envc,
- "REMOTE_ADDR", addrstr) != 0) {
-- plog(LLV_ERROR, LOCATION, NULL,
-+ plog(LLV_ERROR, LOCATION, NULL,
- "Cannot set REMOTE_ADDR\n");
- goto out;
- }
-
-- if (script_env_append(&envp, &envc,
-+ if (script_env_append(&envp, &envc,
- "REMOTE_PORT", portstr) != 0) {
-- plog(LLV_ERROR, LOCATION, NULL,
-+ plog(LLV_ERROR, LOCATION, NULL,
- "Cannot set REMOTEL_PORT\n");
- goto out;
- }
- }
-
-- if (privsep_script_exec(iph1->rmconf->script[script]->v,
-- script, envp) != 0)
-- plog(LLV_ERROR, LOCATION, NULL,
-+ if (privsep_script_exec(iph1->rmconf->script[script]->v,
-+ script, envp) != 0)
-+ plog(LLV_ERROR, LOCATION, NULL,
- "Script %s execution failed\n", script_names[script]);
-
- out:
-@@ -3202,7 +3208,7 @@
- argv[1] = script_names[name];
- argv[2] = NULL;
-
-- switch (fork()) {
-+ switch (fork()) {
- case 0:
- execve(argv[0], argv, envp);
- plog(LLV_ERROR, LOCATION, NULL,
-@@ -3217,7 +3223,7 @@
- break;
- default:
- break;
-- }
-+ }
- return 0;
-
- }
-@@ -3243,7 +3249,7 @@
- iph1->status = PHASE1ST_EXPIRED;
-
- /* Check if we have another, still valid, phase1 SA. */
-- new_iph1 = getph1byaddr(iph1->local, iph1->remote, 1);
-+ new_iph1 = getph1(iph1, iph1->local, iph1->remote, GETPH1_F_ESTABLISHED);
-
- /*
- * Delete all orphaned or binded to the deleting ph1handle phase2 SAs.
-@@ -3319,7 +3325,7 @@
- ntohl(sa->sadb_sa_spi));
- }else{
-
-- /*
-+ /*
- * If we have a new ph1, do not purge IPsec-SAs binded
- * to a different ISAKMP-SA
- */
-@@ -3331,7 +3337,7 @@
- /* If the ph2handle is established, do not purge IPsec-SA */
- if (iph2->status == PHASE2ST_ESTABLISHED ||
- iph2->status == PHASE2ST_EXPIRED) {
--
-+
- plog(LLV_INFO, LOCATION, NULL,
- "keeping IPsec-SA spi=%u - found valid ISAKMP-SA spi=%s.\n",
- ntohl(sa->sadb_sa_spi),
-@@ -3342,7 +3348,7 @@
- }
- }
-
--
-+
- pfkey_send_delete(lcconf->sock_pfkey,
- msg->sadb_msg_satype,
- IPSEC_MODE_ANY,
-@@ -3373,7 +3379,7 @@
- sched_schedule(&iph1->sce, 1, isakmp_ph1delete_stub);
- }
-
--void
-+void
- delete_spd(iph2, created)
- struct ph2handle *iph2;
- u_int64_t created;
-@@ -3399,22 +3405,22 @@
-
- plog(LLV_INFO, LOCATION, NULL,
- "generated policy, deleting it.\n");
--
-+
- memset(&spidx, 0, sizeof(spidx));
- iph2->spidx_gen = (caddr_t )&spidx;
--
-+
- /* make inbound policy */
- iph2->src = dst;
- iph2->dst = src;
- spidx.dir = IPSEC_DIR_INBOUND;
- spidx.ul_proto = 0;
--
-- /*
-+
-+ /*
- * Note: code from get_proposal_r
- */
--
-+
- #define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type
--
-+
- /*
- * make destination address in spidx from either ID payload
- * or phase 1 address into a address in spidx.
-@@ -3430,48 +3436,48 @@
- &spidx.prefd, &spidx.ul_proto);
- if (error)
- goto purge;
--
-+
- #ifdef INET6
- /*
- * get scopeid from the SA address.
- * note that the phase 1 source address is used as
-- * a destination address to search for a inbound
-+ * a destination address to search for a inbound
- * policy entry because rcoon is responder.
- */
- if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
-- if ((error =
-+ if ((error =
- setscopeid((struct sockaddr *)&spidx.dst,
- iph2->src)) != 0)
- goto purge;
- }
- #endif
--
-+
- if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
- || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR)
- idi2type = _XIDT(iph2->id);
--
-+
- } else {
--
-+
- plog(LLV_DEBUG, LOCATION, NULL,
- "get a destination address of SP index "
- "from phase1 address "
- "due to no ID payloads found "
- "OR because ID type is not address.\n");
--
-+
- /*
-- * copy the SOURCE address of IKE into the
-- * DESTINATION address of the key to search the
-+ * copy the SOURCE address of IKE into the
-+ * DESTINATION address of the key to search the
- * SPD because the direction of policy is inbound.
- */
- memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src));
- switch (spidx.dst.ss_family) {
- case AF_INET:
-- spidx.prefd =
-+ spidx.prefd =
- sizeof(struct in_addr) << 3;
- break;
- #ifdef INET6
- case AF_INET6:
-- spidx.prefd =
-+ spidx.prefd =
- sizeof(struct in6_addr) << 3;
- break;
- #endif
-@@ -3480,7 +3486,7 @@
- break;
- }
- }
--
-+
- /* make source address in spidx */
- if (iph2->id_p != NULL
- && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR
-@@ -3500,7 +3506,7 @@
- * for more detail, see above of this function.
- */
- if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
-- error =
-+ error =
- setscopeid((struct sockaddr *)&spidx.src,
- iph2->dst);
- if (error)
-@@ -3538,12 +3544,12 @@
- memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst));
- switch (spidx.src.ss_family) {
- case AF_INET:
-- spidx.prefs =
-+ spidx.prefs =
- sizeof(struct in_addr) << 3;
- break;
- #ifdef INET6
- case AF_INET6:
-- spidx.prefs =
-+ spidx.prefs =
- sizeof(struct in6_addr) << 3;
- break;
- #endif
-@@ -3574,14 +3580,14 @@
- spidx.ul_proto = IPSEC_ULPROTO_ANY;
-
- #undef _XIDT
--
-+
- /* Check if the generated SPD has the same timestamp as the SA.
- * If timestamps are different, this means that the SPD entry has been
- * refreshed by another SA, and should NOT be deleted with the current SA.
- */
- if( created ){
- struct secpolicy *p;
--
-+
- p = getsp(&spidx);
- if(p != NULL){
- /* just do no test if p is NULL, because this probably just means
-@@ -3646,7 +3652,7 @@
- struct sockaddr *sp_addr0, *sa_addr0;
- {
- struct sockaddr_in6 *sp_addr, *sa_addr;
--
-+
- sp_addr = (struct sockaddr_in6 *)sp_addr0;
- sa_addr = (struct sockaddr_in6 *)sa_addr0;
-
-Index: src/racoon/isakmp_var.h
-===================================================================
-RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h,v
-retrieving revision 1.15
-diff -u -r1.15 isakmp_var.h
---- a/src/racoon/isakmp_var.h 20 Apr 2009 13:24:36 -0000 1.15
-+++ b/src/racoon/isakmp_var.h 19 Aug 2009 14:35:07 -0000
-@@ -5,7 +5,7 @@
- /*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
-- *
-+ *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
-@@ -17,7 +17,7 @@
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
-- *
-+ *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-@@ -87,7 +87,7 @@
- extern void isakmp_ph2delete __P((struct ph2handle *));
-
- extern int isakmp_get_sainfo __P((struct ph2handle *, struct secpolicy *, struct secpolicy *));
--extern int isakmp_post_acquire __P((struct ph2handle *));
-+extern int isakmp_post_acquire __P((struct ph2handle *, struct ph1handle *));
- extern int isakmp_post_getspi __P((struct ph2handle *));
- extern void isakmp_chkph1there_stub __P((struct sched *));
- extern void isakmp_chkph1there __P((struct ph2handle *));
-@@ -131,7 +131,7 @@
- struct remoteconf *, struct sockaddr *, struct sockaddr *));
- extern void log_ph1established __P((const struct ph1handle *));
-
--extern void script_hook __P((struct ph1handle *, int));
-+extern void script_hook __P((struct ph1handle *, int));
- extern int script_env_append __P((char ***, int *, char *, char *));
- extern int script_exec __P((char *, int, char * const *));
-
-Index: src/racoon/pfkey.c
-===================================================================
-RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/pfkey.c,v
-retrieving revision 1.50
-diff -u -r1.50 pfkey.c
---- a/src/racoon/pfkey.c 10 Aug 2009 08:22:13 -0000 1.50
-+++ b/src/racoon/pfkey.c 19 Aug 2009 14:35:07 -0000
-@@ -5,7 +5,7 @@
- /*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
-- *
-+ *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
-@@ -17,7 +17,7 @@
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
-- *
-+ *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-@@ -173,7 +173,7 @@
-
- /* cope with old kame headers - ugly */
- #ifndef SADB_X_AALG_MD5
--#define SADB_X_AALG_MD5 SADB_AALG_MD5
-+#define SADB_X_AALG_MD5 SADB_AALG_MD5
- #endif
- #ifndef SADB_X_AALG_SHA
- #define SADB_X_AALG_SHA SADB_AALG_SHA
-@@ -353,7 +353,7 @@
- "type %i, pid %i\n", msg->sadb_msg_type, msg->sadb_msg_pid);
- continue;
- }
--
-+
-
- ml = msg->sadb_msg_len << 3;
- bl = buf ? buf->l : 0;
-@@ -839,7 +839,7 @@
- goto bad;
- *a_keylen >>= 3;
-
-- if (t_id == IPSECDOI_ATTR_AUTH_HMAC_MD5
-+ if (t_id == IPSECDOI_ATTR_AUTH_HMAC_MD5
- && hashtype == IPSECDOI_ATTR_AUTH_KPDK) {
- /* AH_MD5 + Auth(KPDK) = RFC1826 keyed-MD5 */
- *a_type = SADB_X_AALG_MD5;
-@@ -919,7 +919,7 @@
- racoon_free(dst);
- return -1;
- }
--
-+
- for (pr = pp->head; pr != NULL; pr = pr->next) {
-
- /* validity check */
-@@ -991,7 +991,7 @@
- * receive GETSPI from kernel.
- */
- static int
--pk_recvgetspi(mhp)
-+pk_recvgetspi(mhp)
- caddr_t *mhp;
- {
- struct sadb_msg *msg;
-@@ -1111,7 +1111,7 @@
- sa_args.l_addtime = iph2->lifetime_secs;
- else
- sa_args.l_addtime = iph2->approval->lifetime;
-- sa_args.seq = iph2->seq;
-+ sa_args.seq = iph2->seq;
- sa_args.wsize = 4;
-
- if (iph2->sa_src && iph2->sa_dst) {
-@@ -1163,7 +1163,7 @@
- pr->head->trns_id,
- pr->head->authtype,
- &sa_args.e_type, &sa_args.e_keylen,
-- &sa_args.a_type, &sa_args.a_keylen,
-+ &sa_args.a_type, &sa_args.a_keylen,
- &sa_args.flags) < 0){
- racoon_free(sa_args.src);
- racoon_free(sa_args.dst);
-@@ -1221,11 +1221,11 @@
- * But it is impossible because there is not key in the
- * information from the kernel.
- */
--
-+
- /* change some things before backing up */
- sa_args.wsize = 4;
- sa_args.l_bytes = iph2->approval->lifebyte * 1024;
--
-+
- if (backupsa_to_file(&sa_args) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "backuped SA failed: %s\n",
-@@ -1447,7 +1447,7 @@
- pr->head->trns_id,
- pr->head->authtype,
- &sa_args.e_type, &sa_args.e_keylen,
-- &sa_args.a_type, &sa_args.a_keylen,
-+ &sa_args.a_type, &sa_args.a_keylen,
- &sa_args.flags) < 0){
- racoon_free(sa_args.src);
- racoon_free(sa_args.dst);
-@@ -1668,11 +1668,12 @@
- " being negotiated. Stopping negotiation.\n");
- }
-
-- /* turn off the timer for calling isakmp_ph2expire() */
-+ /* turn off the timer for calling isakmp_ph2expire() */
- sched_cancel(&iph2->sce);
-
- if (iph2->status == PHASE2ST_ESTABLISHED &&
- iph2->side == INITIATOR) {
-+ struct ph1handle *iph1hint;
- /*
- * Active phase 2 expired and we were initiator.
- * Begin new phase 2 exchange, so we can keep on sending
-@@ -1680,11 +1681,12 @@
- */
-
- /* update status for re-use */
-+ iph1hint = iph2->ph1;
- initph2(iph2);
- iph2->status = PHASE2ST_STATUS2;
-
- /* start quick exchange */
-- if (isakmp_post_acquire(iph2) < 0) {
-+ if (isakmp_post_acquire(iph2, iph1hint) < 0) {
- plog(LLV_ERROR, LOCATION, iph2->dst,
- "failed to begin ipsec sa "
- "re-negotication.\n");
-@@ -1750,7 +1752,7 @@
- if (m_sec_ctx != NULL) {
- plog(LLV_INFO, LOCATION, NULL, "security context doi: %u\n",
- m_sec_ctx->sadb_x_ctx_doi);
-- plog(LLV_INFO, LOCATION, NULL,
-+ plog(LLV_INFO, LOCATION, NULL,
- "security context algorithm: %u\n",
- m_sec_ctx->sadb_x_ctx_alg);
- plog(LLV_INFO, LOCATION, NULL, "security context length: %u\n",
-@@ -1960,7 +1962,7 @@
-
- /* start isakmp initiation by using ident exchange */
- /* XXX should be looped if there are multiple phase 2 handler. */
-- if (isakmp_post_acquire(iph2) < 0) {
-+ if (isakmp_post_acquire(iph2, NULL) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to begin ipsec sa negotication.\n");
- remph2(iph2);
-@@ -2145,7 +2147,7 @@
- p->sadb_x_ctx_len = spidx->sec_ctx.ctx_strlen;
- p->sadb_x_ctx_doi = spidx->sec_ctx.ctx_doi;
- p->sadb_x_ctx_alg = spidx->sec_ctx.ctx_alg;
--
-+
- memcpy(p + 1,spidx->sec_ctx.ctx_str,spidx->sec_ctx.ctx_strlen);
- len += ctxlen;
- }
-@@ -2184,7 +2186,7 @@
- goto err;
- }
-
-- /*
-+ /*
- * the policy level cannot be unique because the policy
- * is defined later than SA, so req_id cannot be bound to SA.
- */
-@@ -2217,7 +2219,7 @@
-
- xisr->sadb_x_ipsecrequest_len = PFKEY_ALIGN8(xisrlen);
- xisr = (struct sadb_x_ipsecrequest *)p;
--
-+
- }
- racoon_free(pr_rlist);
-
-@@ -3070,6 +3072,8 @@
- rmconf = getrmconf(iph2->dst, 0);
-
- if (rmconf && !rmconf->passive) {
-+ struct ph1handle *iph1hint;
-+
- plog(LLV_WARNING, LOCATION, iph2->dst, "MIGRATE received "
- "*during* IPsec SA negotiation. As initiator, "
- "restarting it.\n");
-@@ -3079,11 +3083,12 @@
- iph2->status = PHASE2ST_EXPIRED;
-
- /* ... clean Phase 2 handle ... */
-+ iph1hint = iph2->ph1;
- initph2(iph2);
- iph2->status = PHASE2ST_STATUS2;
-
- /* and start a new negotiation */
-- if (isakmp_post_acquire(iph2) < 0) {
-+ if (isakmp_post_acquire(iph2, iph1hint) < 0) {
- plog(LLV_ERROR, LOCATION, iph2->dst, "failed "
- "to begin IPsec SA renegotiation after "
- "MIGRATE reception.\n");
diff --git a/main/ipsec-tools/APKBUILD b/main/ipsec-tools/APKBUILD
index db1d28bf..1b792b0b 100644
--- a/main/ipsec-tools/APKBUILD
+++ b/main/ipsec-tools/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=ipsec-tools
-pkgver=0.8_alpha20090820
-_myver=0.8-alpha20090820
+pkgver=0.8_alpha20090903
+_myver=0.8-alpha20090903
pkgrel=0
pkgdesc="User-space IPsec tools for various IPsec implementations"
url="http://ipsec-tools.sourceforge.net/"
@@ -12,7 +12,6 @@ subpackages="$pkgname-doc $pkgname-dev"
source="http://downloads.sourceforge.net/$pkgname/$pkgname-$_myver.tar.gz
racoon.initd
racoon.confd
- 10-rekey-ph1hint.patch
50-reverse-connect.patch
60-debug-quick.patch
"
@@ -45,9 +44,8 @@ build() {
install -D -m644 ../racoon.confd "$pkgdir"/etc/conf.d/racoon
}
-md5sums="8b79f9e773043a47d636b4c6f59b84eb ipsec-tools-0.8-alpha20090820.tar.gz
+md5sums="8ec28d4e89c0f5e49ae2caa7463fbcfd ipsec-tools-0.8-alpha20090903.tar.gz
fce62b52b598be268e27609f470f8e9b racoon.initd
2d00250cf72da7f2f559c91b65a48747 racoon.confd
-4ee586cc6c6f1e0dd7a8bd9da0f5111d 10-rekey-ph1hint.patch
13bda94a598aabf593280e04ea16065d 50-reverse-connect.patch
baa13d7f0f48955c792f7fcd42a8587a 60-debug-quick.patch"