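--- a/isakmpd-20041012.orig/dpd.c
+++ b/isakmpd-20041012.orig/dpd.c
@@ -26,6 +26,7 @@
 
 #include <sys/types.h>
 #include <stdlib.h>
+#include <memory.h>
 
 #include "sysdep.h"
 
@@ -174,6 +175,7 @@
 }
 break;
 default:
+ ;
 }
 
 /* Mark handled. */
@@ -223,6 +225,7 @@
 dpd_check_event, sa, &tv);
 break;
 default:
+ ;
 }
 if (!sa->dpd_event)
 log_print("dpd_timer_reset: timer_add_event failed");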
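Review bot: `#include <memory.h>` in the first hunk pulls in a pre-standard compatibility header; the declarations dpd.c needs for memcpy/memset are in `<string.h>` on every C89 and later libc, so `#include <string.h>` avoids depending on a header some toolchains no longer ship. The two `default: ;` additions are correct — a label must be followed by a statement and `}` alone is a compile error on GCC — but a bare semicolon reads like a typo to the next maintainer; `default: /* nothing to do */ ;` on both says why it is there.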
29 Index: isakmpd-20041012.orig/ipsec.c
30 ===================================================================
31 --- isakmpd-20041012.orig.orig/ipsec.c 2007-06-04 13:22:39.093912104 +0200
32 +++ isakmpd-20041012.orig/ipsec.c 2007-06-04 13:22:39.283883224 +0200
33 @@ -1020,6 +1020,52 @@
34 }
35 }
36
37 +/*
38 + * deal with a NOTIFY of INVALID_SPI
39 + */
40 +static void
41 +ipsec_invalid_spi (struct message *msg, struct payload *p)
42 +{
43 + struct sockaddr *dst;
44 + int invspisz, off;
45 + u_int32_t spi;
46 + u_int16_t totsiz;
47 + u_int8_t spisz;
48 +
49 + /* Any notification that make us do something should be protected */
50 + if(!TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_HASH]))
51 + {
52 + LOG_DBG ((LOG_SA, 40,
53 + "ipsec_invalid_spi: missing HASH payload in INVALID_SPI"
54 + " notification"));
55 + return;
56 + }
57 +
58 + /*
59 + * get the invalid spi out of the variable sized notification data
60 + * field, which is after the variable sized SPI field [which specifies
61 + * the receiving entity's phase-1 SPI, not the invalid spi]
62 + */
63 + totsiz = GET_ISAKMP_GEN_LENGTH (p->p);
64 + spisz = GET_ISAKMP_NOTIFY_SPI_SZ (p->p);
65 + off = ISAKMP_NOTIFY_SPI_OFF + spisz;
66 + invspisz = totsiz - off;
67 +
68 + if (invspisz != sizeof spi)
69 + {
70 + LOG_DBG ((LOG_SA, 40,
71 + "ipsec_invalid_spi: SPI size %d in INVALID_SPI "
72 + "payload unsupported", spisz));
73 + return;
74 + }
75 + memcpy (&spi, p->p + off, sizeof spi);
76 +
77 + msg->transport->vtbl->get_dst (msg->transport, &dst);
78 +
79 + /* delete matching SPI's from this peer */
80 + ipsec_delete_spi_list (dst, 0, (u_int8_t *)&spi, 1, "INVALID_SPI");
81 +}
82 +
83 static int
84 ipsec_responder(struct message *msg)
85 {
86 @@ -1205,7 +1251,9 @@
87 return dv != IPSEC_ENCAP_TUNNEL
88 && dv != IPSEC_ENCAP_TRANSPORT
89 && dv != IPSEC_ENCAP_UDP_ENCAP_TUNNEL
90 - && dv != IPSEC_ENCAP_UDP_ENCAP_TRANSPORT;
91 + && dv != IPSEC_ENCAP_UDP_ENCAP_TRANSPORT
92 + && dv != IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT
93 + && dv != IPSEC_ENCAP_UDP_ENCAP_TRANSPORT_DRAFT;
94 #else
95 return dv < IPSEC_ENCAP_TUNNEL
96 || dv > IPSEC_ENCAP_TRANSPORT;
97 @@ -1837,7 +1885,7 @@
98 ipsec_get_id(char *section, int *id, struct sockaddr **addr,
99 struct sockaddr **mask, u_int8_t *tproto, u_int16_t *port)
100 {
101 - char *type, *address, *netmask;
102 + char *type, *address, *netmask;
103
104 type = conf_get_str(section, "ID-type");
105 if (!type) {
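Review bot: In the new ipsec_invalid_spi (first ipsec.c hunk) the length check `if (invspisz != sizeof spi)` compares a signed int against a size_t, and because `spisz` comes from the peer's payload `off` can exceed `totsiz`, making `invspisz` negative; the test then rejects the payload only through the implicit unsigned conversion, which is the kind of arithmetic a later reader "fixes" into a read past the payload. State it directly: `if (off > totsiz || (size_t)(totsiz - off) != sizeof spi)`. The debug message in that branch prints `spisz` (the phase-1 SPI length) while the rejected quantity is `invspisz`, so the logged number will be misleading; print invspisz. The function only checks that a HASH payload exists before deleting SAs; whether that hash has already been verified on this path is decided by the caller, which is outside the hunk, so confirm that before relying on the "should be protected" comment. No caller of the new static function appears in the ipsec.c hunks; if it is not wired in elsewhere in the patch it is dead code and gcc will warn.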
106 Index: isakmpd-20041012.orig/GNUmakefile
107 ===================================================================
108 --- isakmpd-20041012.orig.orig/GNUmakefile 2007-06-04 13:22:39.099911192 +0200
109 +++ isakmpd-20041012.orig/GNUmakefile 2007-06-04 13:22:39.283883224 +0200
110 @@ -40,12 +40,12 @@
111 # integrated, freebsd/netbsd means FreeBSD/NetBSD with KAME IPsec.
112 # darwin means MacOS X 10.2 and later with KAME IPsec. linux means Linux-2.5
113 # and later with native IPSec support.
114 -OS= openbsd
115 +#OS= openbsd
116 #OS= netbsd
117 #OS= freebsd
118 #OS= freeswan
119 #OS= darwin
120 -#OS= linux
121 +OS= linux
122
123 .CURDIR:= $(shell pwd)
124 VPATH= ${.CURDIR}/sysdep/${OS}
125 @@ -55,9 +55,10 @@
126 ifndef BINDIR
127 BINDIR= /sbin
128 endif
129 -ifndef LDSTATIC
130 -LDSTATIC= -static
131 -endif
132 +
133 +#ifndef LDSTATIC
134 +#LDSTATIC= -static
135 +#endif
136
137 SRCS= app.c attribute.c cert.c connection.c \
138 constants.c conf.c cookie.c crypto.c dh.c doi.c exchange.c \
139 @@ -131,11 +132,14 @@
140 ifneq ($(findstring install,$(MAKECMDGOALS)),install)
141 # Skip 'regress' until the regress/ structure has gmake makefiles for it.
142 #SUBDIR:= regress
143 -SUBDIR:=
144 +#SUBDIR:= apps/certpatch
145 mksubdirs:
146 $(foreach DIR, ${SUBDIR}, \
147 - cd ${DIR}; ${MAKE} ${MAKEFLAGS} CFLAGS="${CFLAGS}" \
148 - MKDEP="${MKDEP}" ${MAKECMDGOALS})
149 + cd ${.CURDIR}/${DIR}; ${MAKE} ${MAKECMDGOALS};)
150 +
151 +# $(foreach DIR, ${SUBDIR}, \
152 +# cd ${DIR}; ${MAKE} CFLAGS="${CFLAGS}" \
153 +# MKDEP="${MKDEP}" ${MAKECMDGOALS})
154 else
155 mksubdirs:
156 endif
157 @@ -173,7 +177,7 @@
158 endif
159
160 SRCS+= ${IPSEC_SRCS} ${X509} ${POLICY} ${EC} ${AGGRESSIVE} ${DNSSEC} \
161 - $(ISAKMP_CFG)
162 + $(ISAKMP_CFG) ${DPD} ${NAT_TRAVERSAL}
163 CFLAGS+= ${IPSEC_CFLAGS}
164 LDADD+= ${DESLIB}
165 DPADD+= ${DESLIBDEP}
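Review bot: The last hunk appends `${DPD} ${NAT_TRAVERSAL}` to SRCS, but neither variable is defined in any hunk of this patch; if the OS or feature makefiles do not set them they expand to nothing and DPD/NAT-T sources are silently left out of the build, so a one-line comment at that point naming the makefile that is expected to set them would save the next reader a search. In the third hunk the rewritten `$(foreach ...)` no longer hands `CFLAGS` and `MKDEP` to subdirectory builds while the old invocation survives as a comment directly below it; either delete the dead comment or say why the propagation was dropped. Since `SUBDIR` is now left empty (`#SUBDIR:= apps/certpatch`), the new recursion line is currently untested by the build itself.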
166 Index: isakmpd-20041012.orig/exchange.h
167 ===================================================================
168 --- isakmpd-20041012.orig.orig/exchange.h 2007-06-04 13:22:39.104910432 +0200
169 +++ isakmpd-20041012.orig/exchange.h 2007-06-04 13:22:39.283883224 +0200
170 @@ -221,6 +221,8 @@
171 #define EXCHANGE_FLAG_NAT_T_ENABLE 0x10 /* We are doing NAT-T. */
172 #define EXCHANGE_FLAG_NAT_T_KEEPALIVE 0x20 /* We are the NAT:ed peer. */
173 #define EXCHANGE_FLAG_DPD_CAP_PEER 0x40 /* Peer is DPD capable. */
174 +#define EXCHANGE_FLAG_NAT_T_RFC 0x0080 /* Peer does RFC NAT-T. */
175 +#define EXCHANGE_FLAG_NAT_T_DRAFT 0x0100 /* Peer does draft NAT-T.*/
176
177 extern int exchange_add_certs(struct message *);
178 extern void exchange_finalize(struct message *);
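Review bot: The two new flags are written as 0x0080 and 0x0100 while their neighbours use 0x10/0x20/0x40, and the second comment is missing the space before `*/`; for consistency `#define EXCHANGE_FLAG_NAT_T_RFC 0x80 /* Peer does RFC NAT-T. */` and `#define EXCHANGE_FLAG_NAT_T_DRAFT 0x100 /* Peer does draft NAT-T. */`. 0x100 is the first flag past eight bits, so the change silently assumes the exchange `flags` member is wider than u_int8_t; the struct definition is outside the hunk, so confirm its width.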
179 Index: isakmpd-20041012.orig/log.c
180 ===================================================================
181 --- isakmpd-20041012.orig.orig/log.c 2007-06-04 13:22:39.110909520 +0200
182 +++ isakmpd-20041012.orig/log.c 2007-06-04 13:22:39.284883072 +0200
183 @@ -79,7 +79,6 @@
184
185 struct packhdr {
186 struct pcap_pkthdr pcap;/* pcap file packet header */
187 - u_int32_t sa_family; /* address family */
188 union {
189 struct ip ip4; /* IPv4 header (w/o options) */
190 struct ip6_hdr ip6; /* IPv6 header */
191 @@ -97,7 +96,7 @@
192 static u_int8_t *packet_buf = NULL;
193
194 static int udp_cksum(struct packhdr *, const struct udphdr *,
195 - u_int16_t *);
196 + u_int16_t *, int);
197 static u_int16_t in_cksum(const u_int16_t *, int);
198 #endif /* USE_DEBUG */
199
200 @@ -539,11 +538,9 @@
201 udp.uh_ulen = htons(datalen);
202
203 /* ip */
204 - hdr.sa_family = htonl(src->sa_family);
205 switch (src->sa_family) {
206 default:
207 /* Assume IPv4. XXX Can 'default' ever happen here? */
208 - hdr.sa_family = htonl(AF_INET);
209 hdr.ip.ip4.ip_src.s_addr = 0x02020202;
210 hdr.ip.ip4.ip_dst.s_addr = 0x01010101;
211 /* The rest of the setup is common to AF_INET. */
212 @@ -584,9 +581,7 @@
213 }
214
215 /* Calculate UDP checksum. */
216 - udp.uh_sum = udp_cksum(&hdr, &udp, (u_int16_t *) packet_buf);
217 - hdrlen += sizeof hdr.sa_family;
218 -
219 + udp.uh_sum = udp_cksum(&hdr, &udp, (u_int16_t *) packet_buf, src->sa_family);
220 /* pcap file packet header */
221 gettimeofday(&tv, 0);
222 hdr.pcap.ts.tv_sec = tv.tv_sec;
223 @@ -610,7 +605,7 @@
224
225 /* Copied from tcpdump/print-udp.c, mostly rewritten. */
226 static int
227 -udp_cksum(struct packhdr *hdr, const struct udphdr *u, u_int16_t *d)
228 +udp_cksum(struct packhdr *hdr, const struct udphdr *u, u_int16_t *d, int af)
229 {
230 struct ip *ip4;
231 struct ip6_hdr *ip6;
232 @@ -639,7 +634,7 @@
233
234 /* Setup pseudoheader. */
235 memset(phu.pa, 0, sizeof phu);
236 - switch (ntohl(hdr->sa_family)) {
237 + switch (af) {
238 case AF_INET:
239 ip4 = &hdr->ip.ip4;
240 memcpy(&phu.ip4p.src, &ip4->ip_src, sizeof(struct in_addr));
241 @@ -664,7 +659,7 @@
242
243 /* IPv6 wants a 0xFFFF checksum "on error", not 0x0. */
244 if (tlen < 0)
245 - return (ntohl(hdr->sa_family) == AF_INET ? 0 : 0xFFFF);
246 + return (af == AF_INET ? 0 : 0xFFFF);
247
248 sum = 0;
249 for (i = 0; i < hdrlen; i += 2)
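Review bot: In the third hunk the `default:` branch of `switch (src->sa_family)` used to normalise an unrecognised family to AF_INET through the now-removed `hdr.sa_family = htonl(AF_INET)`, but the new call hands the raw `src->sa_family` to udp_cksum, so a packet the switch has just built as IPv4 reaches `switch (af)` and the `return (af == AF_INET ? 0 : 0xFFFF)` fallback with a non-AF_INET value; what udp_cksum's switch does with it is outside the hunk, but the IPv4 error checksum will now come out as 0xFFFF instead of 0. Carry a local instead: `int af = src->sa_family;` before the switch, `af = AF_INET;` in the default branch, and `udp.uh_sum = udp_cksum(&hdr, &udp, (u_int16_t *) packet_buf, af);` at the call, which also brings that line back under 80 columns. Dropping `sa_family` from `struct packhdr` changes the bytes written ahead of the IP header in the capture; the pcap link-type written elsewhere in log.c is outside these hunks, so make sure it was changed to match or readers will mis-parse the file.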
250 Index: isakmpd-20041012.orig/nat_traversal.c
251 ===================================================================
252 --- isakmpd-20041012.orig.orig/nat_traversal.c 2007-06-04 13:22:39.115908760 +0200
253 +++ isakmpd-20041012.orig/nat_traversal.c 2007-06-04 13:22:39.284883072 +0200
254 @@ -1,4 +1,4 @@
255 -/* $OpenBSD: nat_traversal.c,v 1.7 2004/08/08 19:11:06 deraadt Exp $ */
256 +/* $OpenBSD: nat_traversal.c,v 1.17 2006/06/14 14:03:33 hshoexer Exp $ */
257
258 /*
259 * Copyright (c) 2004 HÃ¥kan Olsson. All rights reserved.
260 @@ -48,40 +48,40 @@
261 #include "util.h"
262 #include "virtual.h"
263
264 +int disable_nat_t = 0;
265 +
266 /*
267 - * XXX According to draft-ietf-ipsec-nat-t-ike-07.txt, the NAT-T
268 - * capability of the other peer is determined by a particular vendor ID
269 - * sent as the first message. This vendor ID string is supposed to be a
270 - * MD5 hash of "RFC XXXX", where XXXX is the future RFC number.
271 + * NAT-T capability of the other peer is determined by a particular vendor
272 + * ID sent in the first message. This vendor ID string is supposed to be a
273 + * MD5 hash of "RFC 3947".
274 *
275 * These seem to be the "well" known variants of this string in use by
276 * products today.
277 */
278 -static const char *isakmp_nat_t_cap_text[] = {
279 - "draft-ietf-ipsec-nat-t-ike-00", /* V1 (XXX: may be obsolete) */
280 - "draft-ietf-ipsec-nat-t-ike-02\n", /* V2 */
281 - "draft-ietf-ipsec-nat-t-ike-03", /* V3 */
282 -#ifdef notyet
283 - "RFC XXXX",
284 -#endif
285 +
286 +static struct nat_t_cap isakmp_nat_t_cap[] = {
287 + { VID_DRAFT_V2_N, EXCHANGE_FLAG_NAT_T_DRAFT,
288 + "draft-ietf-ipsec-nat-t-ike-02\n", NULL, 0 },
289 + { VID_DRAFT_V3, EXCHANGE_FLAG_NAT_T_DRAFT,
290 + "draft-ietf-ipsec-nat-t-ike-03", NULL, 0 },
291 + { VID_RFC3947, EXCHANGE_FLAG_NAT_T_RFC,
292 + "RFC 3947", NULL, 0 },
293 };
294
295 +#define NUMNATTCAP (sizeof isakmp_nat_t_cap / sizeof isakmp_nat_t_cap[0])
296 +
297 /* In seconds. Recommended in draft-ietf-ipsec-udp-encaps-09. */
298 #define NAT_T_KEEPALIVE_INTERVAL 20
299
300 -/* The MD5 hashes of the above strings is put in this array. */
301 -static char **nat_t_hashes;
302 -static size_t nat_t_hashsize;
303 -
304 static int nat_t_setup_hashes(void);
305 -static int nat_t_add_vendor_payload(struct message *, char *);
306 +static int nat_t_add_vendor_payload(struct message *, struct nat_t_cap *);
307 static int nat_t_add_nat_d(struct message *, struct sockaddr *);
308 static int nat_t_match_nat_d_payload(struct message *, struct sockaddr *);
309
310 void
311 nat_t_init(void)
312 {
313 - nat_t_hashes = (char **)NULL;
314 + nat_t_setup_hashes();
315 }
316
317 /* Generate the NAT-T capability marker hashes. Executed only once. */
318 @@ -89,7 +89,7 @@
319 nat_t_setup_hashes(void)
320 {
321 struct hash *hash;
322 - int n = sizeof isakmp_nat_t_cap_text / sizeof isakmp_nat_t_cap_text[0];
323 + int n = NUMNATTCAP;
324 int i;
325
326 /* The draft says to use MD5. */
327 @@ -100,56 +100,49 @@
328 "could not find MD5 hash structure!");
329 return -1;
330 }
331 - nat_t_hashsize = hash->hashsize;
332
333 - /* Allocate one more than is necessary, i.e NULL terminated. */
334 - nat_t_hashes = (char **)calloc((size_t)(n + 1), sizeof(char *));
335 - if (!nat_t_hashes) {
336 - log_error("nat_t_setup_hashes: calloc (%lu,%lu) failed",
337 - (unsigned long)n, (unsigned long)sizeof(char *));
338 - return -1;
339 - }
340 -
341 - /* Populate with hashes. */
342 + /* Populate isakmp_nat_t_cap with hashes. */
343 for (i = 0; i < n; i++) {
344 - nat_t_hashes[i] = (char *)malloc(nat_t_hashsize);
345 - if (!nat_t_hashes[i]) {
346 + isakmp_nat_t_cap[i].hashsize = hash->hashsize;
347 + isakmp_nat_t_cap[i].hash = (char *)malloc(hash->hashsize);
348 + if (!isakmp_nat_t_cap[i].hash) {
349 log_error("nat_t_setup_hashes: malloc (%lu) failed",
350 - (unsigned long)nat_t_hashsize);
351 + (unsigned long)hash->hashsize);
352 goto errout;
353 }
354
355 hash->Init(hash->ctx);
356 hash->Update(hash->ctx,
357 - (unsigned char *)isakmp_nat_t_cap_text[i],
358 - strlen(isakmp_nat_t_cap_text[i]));
359 - hash->Final(nat_t_hashes[i], hash->ctx);
360 + (unsigned char *)isakmp_nat_t_cap[i].text,
361 + strlen(isakmp_nat_t_cap[i].text));
362 + hash->Final(isakmp_nat_t_cap[i].hash, hash->ctx);
363
364 LOG_DBG((LOG_EXCHANGE, 50, "nat_t_setup_hashes: "
365 - "MD5(\"%s\") (%lu bytes)", isakmp_nat_t_cap_text[i],
366 - (unsigned long)nat_t_hashsize));
367 + "MD5(\"%s\") (%lu bytes)", isakmp_nat_t_cap[i].text,
368 + (unsigned long)hash->hashsize));
369 LOG_DBG_BUF((LOG_EXCHANGE, 50, "nat_t_setup_hashes",
370 - nat_t_hashes[i], nat_t_hashsize));
371 + isakmp_nat_t_cap[i].hash, hash->hashsize));
372 }
373
374 return 0;
375
376 - errout:
377 +errout:
378 for (i = 0; i < n; i++)
379 - if (nat_t_hashes[i])
380 - free(nat_t_hashes[i]);
381 - free(nat_t_hashes);
382 - nat_t_hashes = NULL;
383 + if (isakmp_nat_t_cap[i].hash)
384 + free(isakmp_nat_t_cap[i].hash);
385 return -1;
386 }
387
388 /* Add one NAT-T VENDOR payload. */
389 static int
390 -nat_t_add_vendor_payload(struct message *msg, char *hash)
391 +nat_t_add_vendor_payload(struct message *msg, struct nat_t_cap *cap)
392 {
393 - size_t buflen = nat_t_hashsize + ISAKMP_GEN_SZ;
394 + size_t buflen = cap->hashsize + ISAKMP_GEN_SZ;
395 u_int8_t *buf;
396
397 + if (disable_nat_t)
398 + return 0;
399 +
400 buf = malloc(buflen);
401 if (!buf) {
402 log_error("nat_t_add_vendor_payload: malloc (%lu) failed",
403 @@ -158,12 +151,11 @@
404 }
405
406 SET_ISAKMP_GEN_LENGTH(buf, buflen);
407 - memcpy(buf + ISAKMP_VENDOR_ID_OFF, hash, nat_t_hashsize);
408 + memcpy(buf + ISAKMP_VENDOR_ID_OFF, cap->hash, cap->hashsize);
409 if (message_add_payload(msg, ISAKMP_PAYLOAD_VENDOR, buf, buflen, 1)) {
410 free(buf);
411 return -1;
412 }
413 -
414 return 0;
415 }
416
417 @@ -171,16 +163,14 @@
418 int
419 nat_t_add_vendor_payloads(struct message *msg)
420 {
421 - int i = 0;
422 + int i;
423
424 - if (!nat_t_hashes)
425 - if (nat_t_setup_hashes())
426 - return 0; /* XXX should this be an error? */
427 + if (disable_nat_t)
428 + return 0;
429
430 - while (nat_t_hashes[i])
431 - if (nat_t_add_vendor_payload(msg, nat_t_hashes[i++]))
432 + for (i = 0; i < NUMNATTCAP; i++)
433 + if (nat_t_add_vendor_payload(msg, &isakmp_nat_t_cap[i]))
434 return -1;
435 -
436 return 0;
437 }
438
439 @@ -192,36 +182,31 @@
440 {
441 u_int8_t *pbuf = p->p;
442 size_t vlen;
443 - int i = 0;
444 + int i;
445
446 - /* Already checked? */
447 - if (p->flags & PL_MARK ||
448 - msg->exchange->flags & EXCHANGE_FLAG_NAT_T_CAP_PEER)
449 + if (disable_nat_t)
450 return;
451
452 - if (!nat_t_hashes)
453 - if (nat_t_setup_hashes())
454 - return;
455 -
456 vlen = GET_ISAKMP_GEN_LENGTH(pbuf) - ISAKMP_GEN_SZ;
457 - if (vlen != nat_t_hashsize) {
458 - LOG_DBG((LOG_EXCHANGE, 50, "nat_t_check_vendor_payload: "
459 - "bad size %lu != %lu", (unsigned long)vlen,
460 - (unsigned long)nat_t_hashsize));
461 - return;
462 - }
463
464 - while (nat_t_hashes[i])
465 - if (memcmp(nat_t_hashes[i++], pbuf + ISAKMP_GEN_SZ,
466 + for (i = 0; i < NUMNATTCAP; i++) {
467 + if (vlen != isakmp_nat_t_cap[i].hashsize) {
468 + LOG_DBG((LOG_EXCHANGE, 50, "nat_t_check_vendor_payload: "
469 + "bad size %lu != %lu", (unsigned long)vlen,
470 + (unsigned long)isakmp_nat_t_cap[i].hashsize));
471 + continue;
472 + }
473 + if (memcmp(isakmp_nat_t_cap[i].hash, pbuf + ISAKMP_GEN_SZ,
474 vlen) == 0) {
475 /* This peer is NAT-T capable. */
476 msg->exchange->flags |= EXCHANGE_FLAG_NAT_T_CAP_PEER;
477 + msg->exchange->flags |= isakmp_nat_t_cap[i].flags;
478 LOG_DBG((LOG_EXCHANGE, 10,
479 "nat_t_check_vendor_payload: "
480 "NAT-T capable peer detected"));
481 p->flags |= PL_MARK;
482 - return;
483 }
484 + }
485
486 return;
487 }
488 @@ -233,10 +218,8 @@
489 {
490 struct ipsec_exch *ie = (struct ipsec_exch *)msg->exchange->data;
491 struct hash *hash;
492 - struct prf *prf;
493 u_int8_t *res;
494 in_port_t port;
495 - int prf_type = PRF_HMAC; /* XXX */
496
497 hash = hash_get(ie->hash->type);
498 if (hash == NULL) {
499 @@ -244,31 +227,25 @@
500 return NULL;
501 }
502
503 - prf = prf_alloc(prf_type, hash->type, msg->exchange->cookies,
504 - ISAKMP_HDR_COOKIES_LEN);
505 - if(!prf) {
506 - log_print("nat_t_generate_nat_d_hash: prf_alloc failed");
507 - return NULL;
508 - }
509 + *hashlen = hash->hashsize;
510
511 - *hashlen = prf->blocksize;
512 res = (u_int8_t *)malloc((unsigned long)*hashlen);
513 if (!res) {
514 log_print("nat_t_generate_nat_d_hash: malloc (%lu) failed",
515 (unsigned long)*hashlen);
516 - prf_free(prf);
517 *hashlen = 0;
518 return NULL;
519 }
520
521 port = sockaddr_port(sa);
522 - memset(res, 0, *hashlen);
523 -
524 - prf->Update(prf->prfctx, sockaddr_addrdata(sa), sockaddr_addrlen(sa));
525 - prf->Update(prf->prfctx, (unsigned char *)&port, sizeof port);
526 - prf->Final(res, prf->prfctx);
527 - prf_free (prf);
528 + bzero(res, *hashlen);
529
530 + hash->Init(hash->ctx);
531 + hash->Update(hash->ctx, msg->exchange->cookies,
532 + sizeof msg->exchange->cookies);
533 + hash->Update(hash->ctx, sockaddr_addrdata(sa), sockaddr_addrlen(sa));
534 + hash->Update(hash->ctx, (unsigned char *)&port, sizeof port);
535 + hash->Final(res, hash->ctx);
536 return res;
537 }
538
539 @@ -276,6 +253,7 @@
540 static int
541 nat_t_add_nat_d(struct message *msg, struct sockaddr *sa)
542 {
543 + int ret;
544 u_int8_t *hbuf, *buf;
545 size_t hbuflen, buflen;
546
547 @@ -298,11 +276,19 @@
548 memcpy(buf + ISAKMP_NAT_D_DATA_OFF, hbuf, hbuflen);
549 free(hbuf);
550
551 - if (message_add_payload(msg, ISAKMP_PAYLOAD_NAT_D, buf, buflen, 1)) {
552 + if (msg->exchange->flags & EXCHANGE_FLAG_NAT_T_RFC)
553 + ret = message_add_payload(msg, ISAKMP_PAYLOAD_NAT_D, buf,
554 + buflen, 1);
555 + else if (msg->exchange->flags & EXCHANGE_FLAG_NAT_T_DRAFT)
556 + ret = message_add_payload(msg, ISAKMP_PAYLOAD_NAT_D_DRAFT,
557 + buf, buflen, 1);
558 + else
559 + ret = -1;
560 +
561 + if (ret) {
562 free(buf);
563 return -1;
564 }
565 -
566 return 0;
567 }
568
569 @@ -312,14 +298,14 @@
570 {
571 struct sockaddr *sa;
572
573 - msg->transport->vtbl->get_src(msg->transport, &sa);
574 + /* Remote address first. */
575 + msg->transport->vtbl->get_dst(msg->transport, &sa);
576 if (nat_t_add_nat_d(msg, sa))
577 return -1;
578
579 - msg->transport->vtbl->get_dst(msg->transport, &sa);
580 + msg->transport->vtbl->get_src(msg->transport, &sa);
581 if (nat_t_add_nat_d(msg, sa))
582 return -1;
583 -
584 return 0;
585 }
586
587 @@ -336,8 +322,8 @@
588 * If there are no NAT-D payloads in the message, return "found"
589 * as this will avoid NAT-T (see nat_t_exchange_check_nat_d()).
590 */
591 - p = payload_first(msg, ISAKMP_PAYLOAD_NAT_D);
592 - if (!p)
593 + if ((p = payload_first(msg, ISAKMP_PAYLOAD_NAT_D_DRAFT)) == NULL &&
594 + (p = payload_first(msg, ISAKMP_PAYLOAD_NAT_D)) == NULL)
595 return 1;
596
597 hbuf = nat_t_generate_nat_d_hash(msg, sa, &hbuflen);
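Review bot: The `errout:` path in nat_t_setup_hashes frees every `isakmp_nat_t_cap[i].hash` but leaves the pointers dangling and `hashsize` non-zero (it is assigned before the malloc), and nat_t_init now discards the function's return value; the old code had a NULL-terminated array plus a lazy `if (!nat_t_hashes)` re-setup in the callers, both of which this commit removes, so after a single malloc failure nat_t_add_vendor_payload's `memcpy(buf + ISAKMP_VENDOR_ID_OFF, cap->hash, cap->hashsize)` copies from freed or NULL memory and nat_t_check_vendor_payload's memcmp compares against it. Reset both fields in the cleanup loop and treat a failed setup as NAT-T disabled in nat_t_init (shown below); if silently running without NAT-T is not acceptable here, log at that point instead, since nat_t_setup_hashes already logs the cause. Two smaller points: `bzero(res, *hashlen)` in nat_t_generate_nat_d_hash is the only bzero in a file that otherwise uses memset, and `for (i = 0; i < NUMNATTCAP; i++)` compares an int with a sizeof expression, which -Wsign-compare will flag.
```c
errout:
	for (i = 0; i < n; i++) {
		free(isakmp_nat_t_cap[i].hash);
		/* Leave no dangling pointer or stale size for the
		 * vendor-payload code to read later. */
		isakmp_nat_t_cap[i].hash = NULL;
		isakmp_nat_t_cap[i].hashsize = 0;
	}
	return -1;
}

void
nat_t_init(void)
{
	/* Without the marker hashes no VID can be sent or matched. */
	if (nat_t_setup_hashes())
		disable_nat_t = 1;
}
```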
598 Index: isakmpd-20041012.orig/udp_encap.c
599 ===================================================================
600 --- isakmpd-20041012.orig.orig/udp_encap.c 2007-06-04 13:22:39.121907848 +0200
601 +++ isakmpd-20041012.orig/udp_encap.c 2007-06-04 13:22:39.284883072 +0200
602 @@ -61,6 +61,11 @@
603
604 #define UDP_SIZE 65536
605
606 +#if defined(USE_NAT_TRAVERSAL) && defined (LINUX_IPSEC)
607 +#include <linux/socket.h>
608 +#include <linux/udp.h>
609 +#endif
610 +
611 /* If a system doesn't have SO_REUSEPORT, SO_REUSEADDR will have to do. */
612 #ifndef SO_REUSEPORT
613 #define SO_REUSEPORT SO_REUSEADDR
614 @@ -134,6 +139,18 @@
615 if (sysdep_cleartext(s, laddr->sa_family) == -1)
616 goto err;
617
618 +#if defined(USE_NAT_TRAVERSAL) && defined (LINUX_IPSEC)
619 + {
620 +#ifndef SOL_UDP
621 +#define SOL_UDP 17
622 +#endif
623 + int option = UDP_ENCAP_ESPINUDP;
624 + if(setsockopt(s, SOL_UDP, UDP_ENCAP, &option,
625 + sizeof (option)) < 0)
626 + goto err;
627 + }
628 +#endif
629 +
630 /* Wildcard address ? */
631 switch (laddr->sa_family) {
632 case AF_INET:
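Review bot: The new block in the second hunk turns a failed `setsockopt(UDP_ENCAP)` into `goto err` with no diagnostic, so on a kernel without ESP-in-UDP support the socket quietly disappears; add a `log_error(...)` naming the option before the jump (the enclosing function starts outside the hunk, so use its name in the message). Including `<linux/udp.h>` beside the libc `<netinet/udp.h>` has been known to redefine `struct udphdr` on glibc — which is presumably why the same patch defines UDP_ENCAP_ESPINUDP by hand in pf_key_v2.c — so the consistent and portable form is to do here what the block already does for SOL_UDP: `#ifndef UDP_ENCAP` / `#define UDP_ENCAP 100` / `#endif` (the value from the kernel's own udp.h) plus the same for `UDP_ENCAP_ESPINUDP 2`, and drop the two kernel headers. Whether `<netinet/udp.h>` is included in this file is outside the hunk, so confirm before removing them.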
633 Index: isakmpd-20041012.orig/apps/Makefile
634 ===================================================================
635 --- isakmpd-20041012.orig.orig/apps/Makefile 2007-06-04 13:22:39.126907088 +0200
636 +++ isakmpd-20041012.orig/apps/Makefile 2007-06-04 13:22:39.285882920 +0200
637 @@ -31,4 +31,4 @@
638
639 SUBDIR= certpatch
640
641 -.include <bsd.subdir.mk>
642 +#.include <bsd.subdir.mk>
643 Index: isakmpd-20041012.orig/apps/certpatch/GNUmakefile
644 ===================================================================
645 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
646 +++ isakmpd-20041012.orig/apps/certpatch/GNUmakefile 2007-06-04 13:22:39.285882920 +0200
647 @@ -0,0 +1,55 @@
648 +# $OpenBSD: Makefile,v 1.7 2003/06/03 14:35:00 ho Exp $
649 +# $EOM: Makefile,v 1.6 2000/03/28 21:22:06 ho Exp $
650 +
651 +#
652 +# Copyright (c) 1999 Niels Provos. All rights reserved.
653 +# Copyright (c) 2001 Niklas Hallqvist. All rights reserved.
654 +#
655 +# Redistribution and use in source and binary forms, with or without
656 +# modification, are permitted provided that the following conditions
657 +# are met:
658 +# 1. Redistributions of source code must retain the above copyright
659 +# notice, this list of conditions and the following disclaimer.
660 +# 2. Redistributions in binary form must reproduce the above copyright
661 +# notice, this list of conditions and the following disclaimer in the
662 +# documentation and/or other materials provided with the distribution.
663 +#
664 +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
665 +# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
666 +# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
667 +# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
668 +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
669 +# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
670 +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
671 +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
672 +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
673 +# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
674 +#
675 +
676 +#
677 +# This code was written under funding by Ericsson Radio Systems.
678 +#
679 +
680 +PROG= certpatch
681 +SRCS= certpatch.c
682 +BINDIR?= /usr/sbin
683 +TOPSRC= ${.CURDIR}../..
684 +TOPOBJ!= cd ${TOPSRC}; printf "all:\n\t@pwd\n" |${MAKE} -f-
685 +OS= linux
686 +FEATURES!= awk '/^FEATURES=/ { print $$0 }' ${.CURDIR}/../../Makefile | sed 's/FEATURES=.//'
687 +.PATH: ${TOPSRC} ${TOPSRC}/sysdep/${OS} ${TOPOBJ}
688 +CFLAGS+= -I${TOPSRC} -I${TOPSRC}/sysdep/${OS} -I${TOPOBJ} -Wall
689 +LDFLAGS+= -lcrypto -lssl -lgmp
690 +MAN= certpatch.8
691 +
692 +CFLAGS+= -DMP_FLAVOUR=MP_FLAVOUR_GMP
693 +LDADD+= -lgmp
694 +DPADD+= ${LIBGMP}
695 +
696 +# Override LIBSYSDEPDIR definition from Makefile.sysdep
697 +LIBSYSDEPDIR= ${TOPSRC}/sysdep/common/libsysdep
698 +
699 +all: ${PROG}
700 +
701 +clean:
702 + rm -f ${PROG}
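Review bot: Despite the GNUmakefile name, the new file is written in BSD make syntax — the `TOPOBJ!=` and `FEATURES!=` shell assignments, `.PATH:` and `${.CURDIR}` — which GNU make releases of this period do not understand (`TOPOBJ!=` is parsed as an assignment to a variable named `TOPOBJ!`), so the include paths and feature list are never populated. `TOPSRC= ${.CURDIR}../..` also lacks the path separator; if `.CURDIR` is ever set it should read `TOPSRC= ${.CURDIR}/../..`. Because the top-level GNUmakefile leaves `SUBDIR` commented out, this file is not built at all, which hides the breakage; either convert it to `$(shell ...)` and `VPATH`, or put a comment at the top saying it is a placeholder.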
703 Index: isakmpd-20041012.orig/pf_key_v2.c
704 ===================================================================
705 --- isakmpd-20041012.orig.orig/pf_key_v2.c 2007-06-04 13:22:39.137905416 +0200
706 +++ isakmpd-20041012.orig/pf_key_v2.c 2007-06-04 13:22:39.287882616 +0200
707 @@ -1055,6 +1055,10 @@
708 #endif
709 #if defined (USE_NAT_TRAVERSAL) && defined (SADB_X_EXT_UDPENCAP)
710 struct sadb_x_udpencap udpencap;
711 +#elif defined (USE_NAT_TRAVERSAL) && defined (SADB_X_EXT_NAT_T_TYPE)
712 + struct sadb_x_nat_t_type nat_t_type;
713 + struct sadb_x_nat_t_port nat_t_sport;
714 + struct sadb_x_nat_t_port nat_t_dport;
715 #endif
716 #ifdef USE_DEBUG
717 char *addr_str;
718 @@ -1273,10 +1277,15 @@
719 log_print("pf_key_v2_set_spi: invalid proto %d", proto->proto);
720 goto cleanup;
721 }
722 - if (incoming)
723 + if (incoming) {
724 sa->transport->vtbl->get_src(sa->transport, &dst);
725 - else
726 + sa->transport->vtbl->get_dst(sa->transport, &src);
727 + }
728 + else {
729 sa->transport->vtbl->get_dst(sa->transport, &dst);
730 + sa->transport->vtbl->get_src(sa->transport, &src);
731 + }
732 +
733 #ifdef KAME
734 msg.sadb_msg_seq = (incoming ?
735 pf_key_v2_seq_by_sa(proto->spi[incoming], sizeof ssa.sadb_sa_spi,
736 @@ -1319,12 +1328,13 @@
737 ssa.sadb_sa_flags = 0;
738 #ifdef SADB_X_SAFLAGS_TUNNEL
739 if (iproto->encap_mode == IPSEC_ENCAP_TUNNEL ||
740 - iproto->encap_mode == IPSEC_ENCAP_UDP_ENCAP_TUNNEL)
741 + iproto->encap_mode == IPSEC_ENCAP_UDP_ENCAP_TUNNEL ||
742 + iproto->encap_mode == IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT)
743 ssa.sadb_sa_flags = SADB_X_SAFLAGS_TUNNEL;
744 #endif
745
746 -#if defined (USE_NAT_TRAVERSAL) && defined (SADB_X_EXT_UDPENCAP)
747 if (isakmp_sa->flags & SA_FLAG_NAT_T_ENABLE) {
748 +#if defined (USE_NAT_TRAVERSAL) && defined (SADB_X_EXT_UDPENCAP)
749 memset(&udpencap, 0, sizeof udpencap);
750 ssa.sadb_sa_flags |= SADB_X_SAFLAGS_UDPENCAP;
751 udpencap.sadb_x_udpencap_exttype = SADB_X_EXT_UDPENCAP;
752 @@ -1334,8 +1344,40 @@
753 if (pf_key_v2_msg_add(update, (struct sadb_ext *)&udpencap, 0)
754 == -1)
755 goto cleanup;
756 - }
757 +#elif defined (USE_NAT_TRAVERSAL) && defined (SADB_X_EXT_NAT_T_TYPE)
758 +#ifndef UDP_ENCAP_ESPINUDP
759 +#define UDP_ENCAP_ESPINUDP 2
760 +#endif
761 + memset(&nat_t_type, 0, sizeof nat_t_type);
762 + memset(&nat_t_sport, 0, sizeof nat_t_sport);
763 + memset(&nat_t_dport, 0, sizeof nat_t_dport);
764 +
765 + /* type = draft-udp-encap-06 */
766 + nat_t_type.sadb_x_nat_t_type_len = sizeof nat_t_type / PF_KEY_V2_CHUNK;
767 + nat_t_type.sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
768 + nat_t_type.sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
769 + if(pf_key_v2_msg_add(update, (struct sadb_ext *)&nat_t_type, 0) == -1)
770 + goto cleanup;
771 +
772 + /* source port */
773 + nat_t_sport.sadb_x_nat_t_port_len = sizeof nat_t_sport /
774 + PF_KEY_V2_CHUNK;
775 + nat_t_sport.sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
776 + nat_t_sport.sadb_x_nat_t_port_port = sockaddr_port(src);
777 + if(pf_key_v2_msg_add(update, (struct sadb_ext *)&nat_t_sport, 0) == -1)
778 + goto cleanup;
779 +
780 + /* destination port */
781 + nat_t_dport.sadb_x_nat_t_port_len = sizeof nat_t_dport /
782 + PF_KEY_V2_CHUNK;
783 + nat_t_dport.sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
784 + nat_t_dport.sadb_x_nat_t_port_port = sockaddr_port(dst);
785 + if(pf_key_v2_msg_add(update, (struct sadb_ext *)&nat_t_dport, 0) == -1)
786 + goto cleanup;
787 +
788 + /* original address (transport mode checksum missing info) goes here */
789 #endif
790 + }
791
792 if (pf_key_v2_msg_add(update, (struct sadb_ext *)&ssa, 0) == -1)
793 goto cleanup;
794 @@ -1395,10 +1437,6 @@
795 /*
796 * Setup the ADDRESS extensions.
797 */
798 - if (incoming)
799 - sa->transport->vtbl->get_dst(sa->transport, &src);
800 - else
801 - sa->transport->vtbl->get_src(sa->transport, &src);
802 len = sizeof *addr + PF_KEY_V2_ROUND(sysdep_sa_len(src));
803 addr = calloc(1, len);
804 if (!addr)
805 @@ -2167,7 +2205,7 @@
806 pf_key_v2_msg_free(ret);
807 return -1;
808
809 -#elif defined (SADB_X_SPDADD) && defined (SADB_X_SPDDELETE)
810 +#elif defined (SADB_X_SPDUPDATE) && defined (SADB_X_SPDDELETE)
811 struct sadb_msg msg;
812 struct sadb_x_policy *policy = 0;
813 struct sadb_x_ipsecrequest *ipsecrequest;
814 @@ -2181,7 +2219,7 @@
815 struct sockaddr_in *ip4_sa;
816 struct sockaddr_in6 *ip6_sa;
817
818 - msg.sadb_msg_type = delete ? SADB_X_SPDDELETE : SADB_X_SPDADD;
819 + msg.sadb_msg_type = delete ? SADB_X_SPDDELETE : SADB_X_SPDUPDATE;
820 msg.sadb_msg_satype = SADB_SATYPE_UNSPEC;
821 msg.sadb_msg_seq = 0;
822 flow = pf_key_v2_msg_new(&msg, 0);
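Review bot: In the SADB_X_EXT_NAT_T_TYPE branch of pf_key_v2_set_spi, `sadb_x_nat_t_port_port` is filled straight from `sockaddr_port(src)` and `sockaddr_port(dst)`; the kernel side of this extension expects one specific byte order and `sockaddr_port()`'s return convention is outside the hunk, so confirm the two agree — a mismatch here sends ESP-in-UDP to the wrong port while IKE itself keeps working, which is easy to miss in testing. The `#ifndef UDP_ENCAP_ESPINUDP` / `#define UDP_ENCAP_ESPINUDP 2` fallback duplicates a value udp_encap.c takes from `<linux/udp.h>`; one shared definition in the sysdep layer would keep them from drifting. Switching SADB_X_SPDADD to SADB_X_SPDUPDATE in the last two hunks makes a flow install overwrite an existing policy for the same selectors instead of failing, which changes behaviour for any caller that relied on an EEXIST result; a comment at the `msg.sadb_msg_type` line stating that overwriting is intended would make the choice explicit. The three `if(pf_key_v2_msg_add(...) == -1)` lines run past 80 columns and drop the space after `if` used in the surrounding code.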
823 Index: isakmpd-20041012.orig/isakmp_num.cst
824 ===================================================================
825 --- isakmpd-20041012.orig.orig/isakmp_num.cst 2007-06-04 13:22:39.143904504 +0200
826 +++ isakmpd-20041012.orig/isakmp_num.cst 2007-06-04 13:22:39.287882616 +0200
827 @@ -57,15 +57,18 @@
828 KD 17 # RFC 3547, Key Download
829 SEQ 18 # RFC 3547, Sequence Number
830 POP 19 # RFC 3547, Proof of possession
831 - RESERVED_MIN 20
832 + NAT_D 20 # RFC 3947, NAT Discovery payload
833 + NAT_OA 21 # RFC 3947, NAT Original Address payload
834 + RESERVED_MIN 22
835 RESERVED_MAX 127
836 PRIVATE_MIN 128
837 # XXX values from draft-ietf-ipsec-nat-t-ike-01,02,03. Later drafts specify
838 # XXX NAT_D as payload 15 and NAT_OA as 16, but these are allocated by RFC
839 # XXX 3547 as seen above.
840 - NAT_D 130 # NAT Discovery payload
841 - NAT_OA 131 # NAT Original Address payload
842 + NAT_D_DRAFT 130 # NAT Discovery payload
843 + NAT_OA_DRAFT 131 # NAT Original Address payload
844 PRIVATE_MAX 255
845 + MAX 255
846 .
847
848 # ISAKMP exchange types.
849 Index: isakmpd-20041012.orig/ipsec_num.cst
850 ===================================================================
851 --- isakmpd-20041012.orig.orig/ipsec_num.cst 2007-06-04 13:22:39.149903592 +0200
852 +++ isakmpd-20041012.orig/ipsec_num.cst 2007-06-04 13:22:39.287882616 +0200
853 @@ -62,10 +62,10 @@
854 IPSEC_ENCAP
855 TUNNEL 1
856 TRANSPORT 2
857 - FUTURE_UDP_ENCAP_TUNNEL 3 # XXX Not yet assigned
858 - FUTURE_UDP_ENCAP_TRANSPORT 4 # XXX Not yet assigned
859 - UDP_ENCAP_TUNNEL 61443 # draft-ietf-ipsec-nat-t-ike
860 - UDP_ENCAP_TRANSPORT 61443 # draft-ietf-ipsec-nat-t-ike
861 + UDP_ENCAP_TUNNEL 3
862 + UDP_ENCAP_TRANSPORT 4
863 + UDP_ENCAP_TUNNEL_DRAFT 61443 # draft-ietf-ipsec-nat-t-ike
864 + UDP_ENCAP_TRANSPORT_DRAFT 61443 # draft-ietf-ipsec-nat-t-ike
865 .
866
867 # IPSEC authentication algorithm.
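Review bot: `UDP_ENCAP_TUNNEL_DRAFT` and `UDP_ENCAP_TRANSPORT_DRAFT` are both given 61443, so the two generated constants are indistinguishable at runtime; draft-ietf-ipsec-nat-t-ike assigned distinct private-use values, 61443 for tunnel and 61444 for transport, so the second line is almost certainly meant to be `UDP_ENCAP_TRANSPORT_DRAFT 61444 # draft-ietf-ipsec-nat-t-ike`. The equal values were inherited from the old lines, but the rename makes code depend on them differing: ipsec.c now tests both names in its encap-mode check, and policy.c maps only TUNNEL_DRAFT to "udp-encap-tunnel", so a draft-mode transport proposal would be classified as tunnel.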
868 Index: isakmpd-20041012.orig/nat_traversal.h
869 ===================================================================
870 --- isakmpd-20041012.orig.orig/nat_traversal.h 2007-06-04 13:22:39.154902832 +0200
871 +++ isakmpd-20041012.orig/nat_traversal.h 2007-06-04 13:22:39.287882616 +0200
872 @@ -1,4 +1,4 @@
873 -/* $OpenBSD: nat_traversal.h,v 1.2 2004/06/21 23:27:10 ho Exp $ */
874 +/* $OpenBSD: nat_traversal.h,v 1.4 2005/07/25 15:03:47 hshoexer Exp $ */
875
876 /*
877 * Copyright (c) 2004 HÃ¥kan Olsson. All rights reserved.
878 @@ -27,6 +27,24 @@
879 #ifndef _NAT_TRAVERSAL_H_
880 #define _NAT_TRAVERSAL_H_
881
882 +#define VID_DRAFT_V2 0
883 +#define VID_DRAFT_V2_N 1
884 +#define VID_DRAFT_V3 2
885 +#define VID_RFC3947 3
886 +
887 +struct nat_t_cap {
888 + int id;
889 + u_int32_t flags;
890 + const char *text;
891 + char *hash;
892 + size_t hashsize;
893 +};
894 +
895 +/*
896 + * Set if -T is given on the command line to disable NAT-T support.
897 + */
898 +extern int disable_nat_t;
899 +
900 void nat_t_init(void);
901 int nat_t_add_vendor_payloads(struct message *);
902 void nat_t_check_vendor_payload(struct message *, struct payload *);
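Review bot: `VID_DRAFT_V2` is defined with the other VID ids but the `isakmp_nat_t_cap` table in nat_traversal.c only uses V2_N, V3 and RFC3947, so it is dead unless another file consumes it; either drop it or say why it is kept, e.g. `#define VID_DRAFT_V2 0 /* presumably draft-02 without trailing newline; not in the table */`. The `hash`/`hashsize` pair is filled by nat_t_setup_hashes() and read by the vendor-payload code, so a comment on `char *hash;` stating that it is heap memory owned by nat_traversal.c and NULL until setup succeeds documents the ownership a reader otherwise has to infer. The header also uses `u_int32_t` and `size_t` without including `<sys/types.h>` itself, so it compiles only when users include that first.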
903 Index: isakmpd-20041012.orig/message.c
904 ===================================================================
905 --- isakmpd-20041012.orig.orig/message.c 2007-06-04 13:22:39.160901920 +0200
906 +++ isakmpd-20041012.orig/message.c 2007-06-04 13:22:39.288882464 +0200
907 @@ -112,6 +112,7 @@
908 message_validate_hash, message_validate_sig, message_validate_nonce,
909 message_validate_notify, message_validate_delete,
910 message_validate_vendor, message_validate_attribute,
911 + message_validate_nat_d, message_validate_nat_oa,
912 message_validate_nat_d, message_validate_nat_oa
913 };
914
915 @@ -120,7 +121,7 @@
916 isakmp_id_fld, isakmp_cert_fld, isakmp_certreq_fld, isakmp_hash_fld,
917 isakmp_sig_fld, isakmp_nonce_fld, isakmp_notify_fld, isakmp_delete_fld,
918 isakmp_vendor_fld, isakmp_attribute_fld, isakmp_nat_d_fld,
919 - isakmp_nat_oa_fld
920 + isakmp_nat_oa_fld, isakmp_nat_d_fld, isakmp_nat_oa_fld
921 };
922
923 /*
924 @@ -138,7 +139,8 @@
925 ISAKMP_PAYLOAD_SAK, ISAKMP_PAYLOAD_SAT, ISAKMP_PAYLOAD_KD,
926 ISAKMP_PAYLOAD_SEQ, ISAKMP_PAYLOAD_POP
927 #endif
928 - ISAKMP_PAYLOAD_NAT_D, ISAKMP_PAYLOAD_NAT_OA
929 + ISAKMP_PAYLOAD_NAT_D, ISAKMP_PAYLOAD_NAT_OA,
930 + ISAKMP_PAYLOAD_NAT_D_DRAFT, ISAKMP_PAYLOAD_NAT_OA_DRAFT
931 };
932
933 static u_int8_t payload_map[256];
934 @@ -347,8 +349,8 @@
935 }
936 /* Ignore most private payloads. */
937 if (next >= ISAKMP_PAYLOAD_PRIVATE_MIN &&
938 - next != ISAKMP_PAYLOAD_NAT_D &&
939 - next != ISAKMP_PAYLOAD_NAT_OA) {
940 + next != ISAKMP_PAYLOAD_NAT_D_DRAFT &&
941 + next != ISAKMP_PAYLOAD_NAT_OA_DRAFT) {
942 LOG_DBG((LOG_MESSAGE, 30, "message_parse_payloads: "
943 "private next payload type %s in payload of "
944 "type %d ignored",
945 @@ -460,8 +462,10 @@
946 return ISAKMP_ATTRIBUTE_SZ;
947 #if defined (USE_NAT_TRAVERSAL)
948 case ISAKMP_PAYLOAD_NAT_D:
949 + case ISAKMP_PAYLOAD_NAT_D_DRAFT:
950 return ISAKMP_NAT_D_SZ;
951 case ISAKMP_PAYLOAD_NAT_OA:
952 + case ISAKMP_PAYLOAD_NAT_OA_DRAFT:
953 return ISAKMP_NAT_OA_SZ;
954 #endif
955 /* Not yet supported and any other unknown payloads. */
956 Index: isakmpd-20041012.orig/policy.c
957 ===================================================================
958 --- isakmpd-20041012.orig.orig/policy.c 2007-06-04 13:22:39.165901160 +0200
959 +++ isakmpd-20041012.orig/policy.c 2007-06-04 13:22:39.289882312 +0200
960 @@ -511,7 +511,10 @@
961 break;
962 }
963 #if defined (USE_NAT_TRAVERSAL)
964 - else if (decode_16(value) == IPSEC_ENCAP_UDP_ENCAP_TUNNEL)
965 + else if (decode_16(value) ==
966 + IPSEC_ENCAP_UDP_ENCAP_TUNNEL ||
967 + decode_16(value) ==
968 + IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT)
969 switch (proto->proto) {
970 case IPSEC_PROTO_IPSEC_AH:
971 ah_encapsulation = "udp-encap-tunnel";
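Review bot: `decode_16(value)` is evaluated twice in the new condition; decoding once into a local keeps the comparison readable and avoids the repeated call, e.g. a `u_int16_t encap = decode_16(value);` ahead of the chain and then `else if (encap == IPSEC_ENCAP_UDP_ENCAP_TUNNEL || encap == IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT)`. The if/else chain and the enclosing function start outside the hunk, so the declaration has to go where the earlier branches begin.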
972 @@ -1932,7 +1935,7 @@
973 void
974 policy_init(void)
975 {
976 - char *ptr, *policy_file;
977 + char *ptr, *policy_file, *use_keynote;
978 char **asserts;
979 size_t sz, len;
980 int fd, i;
981 @@ -1940,10 +1943,11 @@
982 LOG_DBG((LOG_POLICY, 30, "policy_init: initializing"));
983
984 /* Do we want to use the policy modules? */
985 - if (ignore_policy ||
986 - strncmp("yes", conf_get_str("General", "Use-Keynote"), 3))
987 - return;
988 -
989 + use_keynote = conf_get_str("General", "Use-Keynote");
990 + if (ignore_policy ||
991 + (use_keynote && strncmp("yes", use_keynote, 3)))
992 + return;
993 +
994 /* Get policy file from configuration. */
995 policy_file = conf_get_str("General", "Policy-file");
996 if (!policy_file)
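Review bot: The NULL check changes the default semantics without saying so: when `General/Use-Keynote` is absent, the old code dereferenced NULL inside strncmp, whereas the new code falls through and loads the policy file, i.e. an unset option now means "yes". That is the fail-closed choice (policy checks stay enabled), but it should be stated so a later cleanup does not invert it, e.g. `/* An absent Use-Keynote is treated as "yes": keep policy checks on. */` above the `if`. Separately, `strncmp("yes", use_keynote, 3)` only compares a 3-character prefix, so a value like `yesno` is accepted; this is pre-existing, but `strcmp` would be the stricter test. The body of policy_init continues outside the hunk.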
997 Index: isakmpd-20041012.orig/ike_phase_1.c
998 ===================================================================
999 --- isakmpd-20041012.orig.orig/ike_phase_1.c 2007-06-04 13:22:39.170900400 +0200
1000 +++ isakmpd-20041012.orig/ike_phase_1.c 2007-06-04 13:22:39.290882160 +0200
1001 @@ -1040,9 +1040,9 @@
1002
1003 /* Compare expected/desired and received remote ID */
1004 if (bcmp(rid, payload->p + ISAKMP_ID_DATA_OFF, sz)) {
1005 - free(rid);
1006 log_print("ike_phase_1_recv_ID: "
1007 - "received remote ID other than expected %s", p);
1008 + "received remote ID other than expected %s - %s", p, payload->p);
1009 + free(rid);
1010 return -1;
1011 }
1012 free(rid);
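Review bot: The new log line hands `payload->p` to `%s`, but that is the raw ISAKMP ID payload starting at its generic header, not a NUL-terminated string: the first byte is the next-payload field (often 0, so nothing useful prints), and otherwise the read continues past the payload until it happens to hit a NUL, so a peer-controlled message can leak adjacent memory into the log or walk the read off the message buffer. Log the received ID bytes with the bounded hex-dump helper instead: keep the original `"received remote ID other than expected %s", p` format and add `LOG_DBG_BUF((LOG_NEGOTIATION, 30, "ike_phase_1_recv_ID: received remote ID", payload->p + ISAKMP_ID_DATA_OFF, sz));` — `sz` is the length the bcmp already uses, assuming the caller has checked it against the payload length (that check is outside the hunk). The enclosing function continues beyond the hunk.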
1013 Index: isakmpd-20041012.orig/x509.c
1014 ===================================================================
1015 --- isakmpd-20041012.orig.orig/x509.c 2007-06-04 13:22:39.176899488 +0200
1016 +++ isakmpd-20041012.orig/x509.c 2007-06-04 13:22:39.290882160 +0200
1017 @@ -910,7 +910,11 @@
1018 X509_STORE_CTX_init(&csc, x509_cas, cert, NULL);
1019 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
1020 /* XXX See comment in x509_read_crls_from_dir. */
1021 +#if OPENSSL_VERSION_NUMBER >= 0x00908000L
1022 + if (x509_cas->param->flags & X509_V_FLAG_CRL_CHECK) {
1023 +#else
1024 if (x509_cas->flags & X509_V_FLAG_CRL_CHECK) {
1025 +#endif
1026 X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK);
1027 X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK_ALL);
1028 }
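Review bot: Reaching into `x509_cas->param->flags` couples the code to OpenSSL's internal `X509_STORE`/`X509_VERIFY_PARAM` layout; 0.9.8 already exposes `X509_VERIFY_PARAM_get_flags()`, so `if (X509_VERIFY_PARAM_get_flags(x509_cas->param) & X509_V_FLAG_CRL_CHECK) {` drops one level of struct poking and is the form that survives the structs becoming opaque in later releases (where `x509_cas->param` itself will need an accessor). The nested `#if` would also benefit from a one-line comment saying that the flags moved from `X509_STORE` into the verify-param object in 0.9.8, since the outer `#if` and its XXX comment are about a different issue.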
1029 Index: isakmpd-20041012.orig/sysdep/linux/sysdep.c
1030 ===================================================================
1031 --- isakmpd-20041012.orig.orig/sysdep/linux/sysdep.c 2007-06-04 13:22:39.182898576 +0200
1032 +++ isakmpd-20041012.orig/sysdep/linux/sysdep.c 2007-06-04 13:22:39.291882008 +0200
1033 @@ -169,22 +169,22 @@
1034 return 0;
1035
1036 if (!(af == AF_INET || af == AF_INET6))
1037 - {
1038 + {
1039 log_print ("sysdep_cleartext: unsupported protocol family %d", af);
1040 return -1;
1041 }
1042
1043 if (setsockopt (fd, af == AF_INET ? IPPROTO_IP : IPPROTO_IPV6,
1044 - af == AF_INET ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY,
1045 - &pol_in, sizeof pol_in) < 0 ||
1046 + af == AF_INET ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY,
1047 + &pol_in, sizeof pol_in) < 0 ||
1048 setsockopt (fd, af == AF_INET ? IPPROTO_IP : IPPROTO_IPV6,
1049 - af == AF_INET ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY,
1050 - &pol_out, sizeof pol_out) < 0)
1051 - {
1052 + af == AF_INET ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY,
1053 + &pol_out, sizeof pol_out) < 0)
1054 + {
1055 log_error ("sysdep_cleartext: "
1056 - "setsockopt (%d, IPPROTO_IP%s, IP%s_IPSEC_POLICY, ...) "
1057 - "failed", fd, af == AF_INET ? "" : "V6",
1058 - af == AF_INET ? "" : "V6");
1059 + "setsockopt (%d, IPPROTO_IP%s, IP%s_IPSEC_POLICY, ...) "
1060 + "failed", fd, af == AF_INET ? "" : "V6",
1061 + af == AF_INET ? "" : "V6");
1062 return -1;
1063 }
1064 return 0;
1065 Index: isakmpd-20041012.orig/sysdep/linux/GNUmakefile.sysdep
1066 ===================================================================
1067 --- isakmpd-20041012.orig.orig/sysdep/linux/GNUmakefile.sysdep 2007-06-04 13:22:39.187897816 +0200
1068 +++ isakmpd-20041012.orig/sysdep/linux/GNUmakefile.sysdep 2007-06-04 13:22:39.291882008 +0200
1069 @@ -33,13 +33,13 @@
1070 LDADD+= -lgmp ${LIBSYSDEP} ${LIBCRYPTO}
1071 DPADD+= ${LIBGMP} ${LIBSYSDEP}
1072
1073 -CFLAGS+= -DUSE_OLD_SOCKADDR -DHAVE_PCAP \
1074 - -DNEED_SYSDEP_APP -DMP_FLAVOUR=MP_FLAVOUR_GMP \
1075 - -I/usr/src/linux/include -I${.CURDIR}/sysdep/common \
1076 +CFLAGS+= -DHAVE_GETNAMEINFO -DUSE_OLD_SOCKADDR -DHAVE_PCAP \
1077 + -DNEED_SYSDEP_APP -DMP_FLAVOUR=MP_FLAVOUR_GMP -DUSE_AES \
1078 + -I${.CURDIR}/sysdep/linux/include -I${.CURDIR}/sysdep/common \
1079 -I/usr/include/openssl
1080
1081 FEATURES= debug tripledes blowfish cast ec aggressive x509 policy
1082 -FEATURES+= des aes
1083 +FEATURES+= dpd nat_traversal isakmp_cfg des aes
1084
1085 IPSEC_SRCS= pf_key_v2.c
1086 IPSEC_CFLAGS= -DUSE_PF_KEY_V2
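Review bot: The new `-I${.CURDIR}/sysdep/linux/include` places the bundled `sys/queue.h` and `bitstring.h` ahead of the system headers for every translation unit, and nothing in the makefile says why the glibc copies are not sufficient; a comment such as `# bundled BSD queue.h/bitstring.h shadow the glibc ones: <state the missing macro here>` would keep a later cleanup from removing the path. `-DUSE_AES` also looks redundant with `aes` already listed in `FEATURES`, if the top-level GNUmakefile (not visible here) turns FEATURES into `-DUSE_*` defines; confirm before dropping either.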
1087 @@ -51,7 +51,7 @@
1088 # hack libsysdep.a dependenc
1089 ${LIBSYSDEPDIR}/.depend ${LIBSYSDEP}:
1090 cd ${LIBSYSDEPDIR} && \
1091 - ${MAKE} --no-print-directory ${MAKEFLAGS} \
1092 + ${MAKE} --no-print-directory \
1093 CFLAGS="${CFLAGS}" MKDEP="${MKDEP}" ${MAKECMDGOALS}
1094
1095 ifeq ($(findstring clean,$(MAKECMDGOALS)),clean)
1096 Index: isakmpd-20041012.orig/sysdep/linux/include/bitstring.h
1097 ===================================================================
1098 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
1099 +++ isakmpd-20041012.orig/sysdep/linux/include/bitstring.h 2007-06-04 13:22:39.291882008 +0200
1100 @@ -0,0 +1,132 @@
1101 +/* $OpenBSD: bitstring.h,v 1.4 2002/06/19 02:50:10 millert Exp $ */
1102 +/* $NetBSD: bitstring.h,v 1.5 1997/05/14 15:49:55 pk Exp $ */
1103 +
1104 +/*
1105 + * Copyright (c) 1989, 1993
1106 + * The Regents of the University of California. All rights reserved.
1107 + *
1108 + * This code is derived from software contributed to Berkeley by
1109 + * Paul Vixie.
1110 + *
1111 + * Redistribution and use in source and binary forms, with or without
1112 + * modification, are permitted provided that the following conditions
1113 + * are met:
1114 + * 1. Redistributions of source code must retain the above copyright
1115 + * notice, this list of conditions and the following disclaimer.
1116 + * 2. Redistributions in binary form must reproduce the above copyright
1117 + * notice, this list of conditions and the following disclaimer in the
1118 + * documentation and/or other materials provided with the distribution.
1119 + * 3. All advertising materials mentioning features or use of this software
1120 + * must display the following acknowledgement:
1121 + * This product includes software developed by the University of
1122 + * California, Berkeley and its contributors.
1123 + * 4. Neither the name of the University nor the names of its contributors
1124 + * may be used to endorse or promote products derived from this software
1125 + * without specific prior written permission.
1126 + *
1127 + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
1128 + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1129 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1130 + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
1131 + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
1132 + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1133 + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1134 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1135 + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1136 + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1137 + * SUCH DAMAGE.
1138 + *
1139 + * @(#)bitstring.h 8.1 (Berkeley) 7/19/93
1140 + */
1141 +
1142 +#ifndef _BITSTRING_H_
1143 +#define _BITSTRING_H_
1144 +
1145 +/* modified for SV/AT and bitstring bugfix by M.R.Murphy, 11oct91
1146 + * bitstr_size changed gratuitously, but shorter
1147 + * bit_alloc spelling error fixed
1148 + * the following were efficient, but didn't work, they've been made to
1149 + * work, but are no longer as efficient :-)
1150 + * bit_nclear, bit_nset, bit_ffc, bit_ffs
1151 + */
1152 +typedef unsigned char bitstr_t;
1153 +
1154 +/* internal macros */
1155 + /* byte of the bitstring bit is in */
1156 +#define _bit_byte(bit) \
1157 + ((bit) >> 3)
1158 +
1159 + /* mask for the bit within its byte */
1160 +#define _bit_mask(bit) \
1161 + (1 << ((bit)&0x7))
1162 +
1163 +/* external macros */
1164 + /* bytes in a bitstring of nbits bits */
1165 +#define bitstr_size(nbits) \
1166 + (((nbits) + 7) >> 3)
1167 +
1168 + /* allocate a bitstring */
1169 +#define bit_alloc(nbits) \
1170 + (bitstr_t *)calloc((size_t)bitstr_size(nbits), sizeof(bitstr_t))
1171 +
1172 + /* allocate a bitstring on the stack */
1173 +#define bit_decl(name, nbits) \
1174 + ((name)[bitstr_size(nbits)])
1175 +
1176 + /* is bit N of bitstring name set? */
1177 +#define bit_test(name, bit) \
1178 + ((name)[_bit_byte(bit)] & _bit_mask(bit))
1179 +
1180 + /* set bit N of bitstring name */
1181 +#define bit_set(name, bit) \
1182 + ((name)[_bit_byte(bit)] |= _bit_mask(bit))
1183 +
1184 + /* clear bit N of bitstring name */
1185 +#define bit_clear(name, bit) \
1186 + ((name)[_bit_byte(bit)] &= ~_bit_mask(bit))
1187 +
1188 + /* clear bits start ... stop in bitstring */
1189 +#define bit_nclear(name, start, stop) do { \
1190 + register bitstr_t *_name = name; \
1191 + register int _start = start, _stop = stop; \
1192 + while (_start <= _stop) { \
1193 + bit_clear(_name, _start); \
1194 + _start++; \
1195 + } \
1196 +} while(0)
1197 +
1198 + /* set bits start ... stop in bitstring */
1199 +#define bit_nset(name, start, stop) do { \
1200 + register bitstr_t *_name = name; \
1201 + register int _start = start, _stop = stop; \
1202 + while (_start <= _stop) { \
1203 + bit_set(_name, _start); \
1204 + _start++; \
1205 + } \
1206 +} while(0)
1207 +
1208 + /* find first bit clear in name */
1209 +#define bit_ffc(name, nbits, value) do { \
1210 + register bitstr_t *_name = name; \
1211 + register int _bit, _nbits = nbits, _value = -1; \
1212 + for (_bit = 0; _bit < _nbits; ++_bit) \
1213 + if (!bit_test(_name, _bit)) { \
1214 + _value = _bit; \
1215 + break; \
1216 + } \
1217 + *(value) = _value; \
1218 +} while(0)
1219 +
1220 + /* find first bit set in name */
1221 +#define bit_ffs(name, nbits, value) do { \
1222 + register bitstr_t *_name = name; \
1223 + register int _bit, _nbits = nbits, _value = -1; \
1224 + for (_bit = 0; _bit < _nbits; ++_bit) \
1225 + if (bit_test(_name, _bit)) { \
1226 + _value = _bit; \
1227 + break; \
1228 + } \
1229 + *(value) = _value; \
1230 +} while(0)
1231 +
1232 +#endif /* !_BITSTRING_H_ */
1233 Index: isakmpd-20041012.orig/sysdep/linux/include/sys/queue.h
1234 ===================================================================
1235 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
1236 +++ isakmpd-20041012.orig/sysdep/linux/include/sys/queue.h 2007-06-04 13:22:39.292881856 +0200
1237 @@ -0,0 +1,453 @@
1238 +/*
1239 + * Copyright (c) 1991, 1993
1240 + * The Regents of the University of California. All rights reserved.
1241 + *
1242 + * Redistribution and use in source and binary forms, with or without
1243 + * modification, are permitted provided that the following conditions
1244 + * are met:
1245 + * 1. Redistributions of source code must retain the above copyright
1246 + * notice, this list of conditions and the following disclaimer.
1247 + * 2. Redistributions in binary form must reproduce the above copyright
1248 + * notice, this list of conditions and the following disclaimer in the
1249 + * documentation and/or other materials provided with the distribution.
1250 + * 3. All advertising materials mentioning features or use of this software
1251 + * must display the following acknowledgement:
1252 + * This product includes software developed by the University of
1253 + * California, Berkeley and its contributors.
1254 + * 4. Neither the name of the University nor the names of its contributors
1255 + * may be used to endorse or promote products derived from this software
1256 + * without specific prior written permission.
1257 + *
1258 + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
1259 + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1260 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1261 + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
1262 + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
1263 + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1264 + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1265 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1266 + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1267 + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1268 + * SUCH DAMAGE.
1269 + *
1270 + * @(#)queue.h 8.5 (Berkeley) 8/20/94
1271 + * $FreeBSD: src/sys/sys/queue.h,v 1.45 2001/12/11 11:49:58 sheldonh Exp $
1272 + */
1273 +
1274 +#ifndef _SYS_QUEUE_H_
1275 +#define _SYS_QUEUE_H_
1276 +
1277 +//#include <machine/ansi.h> /* for __offsetof */
1278 +
1279 +/*
1280 + * This file defines four types of data structures: singly-linked lists,
1281 + * singly-linked tail queues, lists and tail queues.
1282 + *
1283 + * A singly-linked list is headed by a single forward pointer. The elements
1284 + * are singly linked for minimum space and pointer manipulation overhead at
1285 + * the expense of O(n) removal for arbitrary elements. New elements can be
1286 + * added to the list after an existing element or at the head of the list.
1287 + * Elements being removed from the head of the list should use the explicit
1288 + * macro for this purpose for optimum efficiency. A singly-linked list may
1289 + * only be traversed in the forward direction. Singly-linked lists are ideal
1290 + * for applications with large datasets and few or no removals or for
1291 + * implementing a LIFO queue.
1292 + *
1293 + * A singly-linked tail queue is headed by a pair of pointers, one to the
1294 + * head of the list and the other to the tail of the list. The elements are
1295 + * singly linked for minimum space and pointer manipulation overhead at the
1296 + * expense of O(n) removal for arbitrary elements. New elements can be added
1297 + * to the list after an existing element, at the head of the list, or at the
1298 + * end of the list. Elements being removed from the head of the tail queue
1299 + * should use the explicit macro for this purpose for optimum efficiency.
1300 + * A singly-linked tail queue may only be traversed in the forward direction.
1301 + * Singly-linked tail queues are ideal for applications with large datasets
1302 + * and few or no removals or for implementing a FIFO queue.
1303 + *
1304 + * A list is headed by a single forward pointer (or an array of forward
1305 + * pointers for a hash table header). The elements are doubly linked
1306 + * so that an arbitrary element can be removed without a need to
1307 + * traverse the list. New elements can be added to the list before
1308 + * or after an existing element or at the head of the list. A list
1309 + * may only be traversed in the forward direction.
1310 + *
1311 + * A tail queue is headed by a pair of pointers, one to the head of the
1312 + * list and the other to the tail of the list. The elements are doubly
1313 + * linked so that an arbitrary element can be removed without a need to
1314 + * traverse the list. New elements can be added to the list before or
1315 + * after an existing element, at the head of the list, or at the end of
1316 + * the list. A tail queue may be traversed in either direction.
1317 + *
1318 + * For details on the use of these macros, see the queue(3) manual page.
1319 + *
1320 + *
1321 + * SLIST LIST STAILQ TAILQ
1322 + * _HEAD + + + +
1323 + * _HEAD_INITIALIZER + + + +
1324 + * _ENTRY + + + +
1325 + * _INIT + + + +
1326 + * _EMPTY + + + +
1327 + * _FIRST + + + +
1328 + * _NEXT + + + +
1329 + * _PREV - - - +
1330 + * _LAST - - + +
1331 + * _FOREACH + + + +
1332 + * _FOREACH_REVERSE - - - +
1333 + * _INSERT_HEAD + + + +
1334 + * _INSERT_BEFORE - + - +
1335 + * _INSERT_AFTER + + + +
1336 + * _INSERT_TAIL - - + +
1337 + * _REMOVE_HEAD + - + -
1338 + * _REMOVE + + + +
1339 + *
1340 + */
1341 +
1342 +/*
1343 + * Singly-linked List declarations.
1344 + */
1345 +#define SLIST_HEAD(name, type) \
1346 +struct name { \
1347 + struct type *slh_first; /* first element */ \
1348 +}
1349 +
1350 +#define SLIST_HEAD_INITIALIZER(head) \
1351 + { NULL }
1352 +
1353 +#define SLIST_ENTRY(type) \
1354 +struct { \
1355 + struct type *sle_next; /* next element */ \
1356 +}
1357 +
1358 +/*
1359 + * Singly-linked List functions.
1360 + */
1361 +#define SLIST_EMPTY(head) ((head)->slh_first == NULL)
1362 +
1363 +#define SLIST_FIRST(head) ((head)->slh_first)
1364 +
1365 +#define SLIST_FOREACH(var, head, field) \
1366 + for ((var) = SLIST_FIRST((head)); \
1367 + (var); \
1368 + (var) = SLIST_NEXT((var), field))
1369 +
1370 +#define SLIST_INIT(head) do { \
1371 + SLIST_FIRST((head)) = NULL; \
1372 +} while (0)
1373 +
1374 +#define SLIST_INSERT_AFTER(slistelm, elm, field) do { \
1375 + SLIST_NEXT((elm), field) = SLIST_NEXT((slistelm), field); \
1376 + SLIST_NEXT((slistelm), field) = (elm); \
1377 +} while (0)
1378 +
1379 +#define SLIST_INSERT_HEAD(head, elm, field) do { \
1380 + SLIST_NEXT((elm), field) = SLIST_FIRST((head)); \
1381 + SLIST_FIRST((head)) = (elm); \
1382 +} while (0)
1383 +
1384 +#define SLIST_NEXT(elm, field) ((elm)->field.sle_next)
1385 +
1386 +#define SLIST_REMOVE(head, elm, type, field) do { \
1387 + if (SLIST_FIRST((head)) == (elm)) { \
1388 + SLIST_REMOVE_HEAD((head), field); \
1389 + } \
1390 + else { \
1391 + struct type *curelm = SLIST_FIRST((head)); \
1392 + while (SLIST_NEXT(curelm, field) != (elm)) \
1393 + curelm = SLIST_NEXT(curelm, field); \
1394 + SLIST_NEXT(curelm, field) = \
1395 + SLIST_NEXT(SLIST_NEXT(curelm, field), field); \
1396 + } \
1397 +} while (0)
1398 +
1399 +#define SLIST_REMOVE_HEAD(head, field) do { \
1400 + SLIST_FIRST((head)) = SLIST_NEXT(SLIST_FIRST((head)), field); \
1401 +} while (0)
1402 +
1403 +/*
1404 + * Singly-linked Tail queue declarations.
1405 + */
1406 +#define STAILQ_HEAD(name, type) \
1407 +struct name { \
1408 + struct type *stqh_first;/* first element */ \
1409 + struct type **stqh_last;/* addr of last next element */ \
1410 +}
1411 +
1412 +#define STAILQ_HEAD_INITIALIZER(head) \
1413 + { NULL, &(head).stqh_first }
1414 +
1415 +#define STAILQ_ENTRY(type) \
1416 +struct { \
1417 + struct type *stqe_next; /* next element */ \
1418 +}
1419 +
1420 +/*
1421 + * Singly-linked Tail queue functions.
1422 + */
1423 +#define STAILQ_EMPTY(head) ((head)->stqh_first == NULL)
1424 +
1425 +#define STAILQ_FIRST(head) ((head)->stqh_first)
1426 +
1427 +#define STAILQ_FOREACH(var, head, field) \
1428 + for((var) = STAILQ_FIRST((head)); \
1429 + (var); \
1430 + (var) = STAILQ_NEXT((var), field))
1431 +
1432 +#define STAILQ_INIT(head) do { \
1433 + STAILQ_FIRST((head)) = NULL; \
1434 + (head)->stqh_last = &STAILQ_FIRST((head)); \
1435 +} while (0)
1436 +
1437 +#define STAILQ_INSERT_AFTER(head, tqelm, elm, field) do { \
1438 + if ((STAILQ_NEXT((elm), field) = STAILQ_NEXT((tqelm), field)) == NULL)\
1439 + (head)->stqh_last = &STAILQ_NEXT((elm), field); \
1440 + STAILQ_NEXT((tqelm), field) = (elm); \
1441 +} while (0)
1442 +
1443 +#define STAILQ_INSERT_HEAD(head, elm, field) do { \
1444 + if ((STAILQ_NEXT((elm), field) = STAILQ_FIRST((head))) == NULL) \
1445 + (head)->stqh_last = &STAILQ_NEXT((elm), field); \
1446 + STAILQ_FIRST((head)) = (elm); \
1447 +} while (0)
1448 +
1449 +#define STAILQ_INSERT_TAIL(head, elm, field) do { \
1450 + STAILQ_NEXT((elm), field) = NULL; \
1451 + *(head)->stqh_last = (elm); \
1452 + (head)->stqh_last = &STAILQ_NEXT((elm), field); \
1453 +} while (0)
1454 +
1455 +#define STAILQ_LAST(head, type, field) \
1456 + (STAILQ_EMPTY(head) ? \
1457 + NULL : \
1458 + ((struct type *) \
1459 + ((char *)((head)->stqh_last) - __offsetof(struct type, field))))
1460 +
1461 +#define STAILQ_NEXT(elm, field) ((elm)->field.stqe_next)
1462 +
1463 +#define STAILQ_REMOVE(head, elm, type, field) do { \
1464 + if (STAILQ_FIRST((head)) == (elm)) { \
1465 + STAILQ_REMOVE_HEAD(head, field); \
1466 + } \
1467 + else { \
1468 + struct type *curelm = STAILQ_FIRST((head)); \
1469 + while (STAILQ_NEXT(curelm, field) != (elm)) \
1470 + curelm = STAILQ_NEXT(curelm, field); \
1471 + if ((STAILQ_NEXT(curelm, field) = \
1472 + STAILQ_NEXT(STAILQ_NEXT(curelm, field), field)) == NULL)\
1473 + (head)->stqh_last = &STAILQ_NEXT((curelm), field);\
1474 + } \
1475 +} while (0)
1476 +
1477 +#define STAILQ_REMOVE_HEAD(head, field) do { \
1478 + if ((STAILQ_FIRST((head)) = \
1479 + STAILQ_NEXT(STAILQ_FIRST((head)), field)) == NULL) \
1480 + (head)->stqh_last = &STAILQ_FIRST((head)); \
1481 +} while (0)
1482 +
1483 +#define STAILQ_REMOVE_HEAD_UNTIL(head, elm, field) do { \
1484 + if ((STAILQ_FIRST((head)) = STAILQ_NEXT((elm), field)) == NULL) \
1485 + (head)->stqh_last = &STAILQ_FIRST((head)); \
1486 +} while (0)
1487 +
1488 +/*
1489 + * List declarations.
1490 + */
1491 +#define LIST_HEAD(name, type) \
1492 +struct name { \
1493 + struct type *lh_first; /* first element */ \
1494 +}
1495 +
1496 +#define LIST_HEAD_INITIALIZER(head) \
1497 + { NULL }
1498 +
1499 +#define LIST_ENTRY(type) \
1500 +struct { \
1501 + struct type *le_next; /* next element */ \
1502 + struct type **le_prev; /* address of previous next element */ \
1503 +}
1504 +
1505 +/*
1506 + * List functions.
1507 + */
1508 +
1509 +#define LIST_EMPTY(head) ((head)->lh_first == NULL)
1510 +
1511 +#define LIST_FIRST(head) ((head)->lh_first)
1512 +
1513 +#define LIST_FOREACH(var, head, field) \
1514 + for ((var) = LIST_FIRST((head)); \
1515 + (var); \
1516 + (var) = LIST_NEXT((var), field))
1517 +
1518 +#define LIST_INIT(head) do { \
1519 + LIST_FIRST((head)) = NULL; \
1520 +} while (0)
1521 +
1522 +#define LIST_INSERT_AFTER(listelm, elm, field) do { \
1523 + if ((LIST_NEXT((elm), field) = LIST_NEXT((listelm), field)) != NULL)\
1524 + LIST_NEXT((listelm), field)->field.le_prev = \
1525 + &LIST_NEXT((elm), field); \
1526 + LIST_NEXT((listelm), field) = (elm); \
1527 + (elm)->field.le_prev = &LIST_NEXT((listelm), field); \
1528 +} while (0)
1529 +
1530 +#define LIST_INSERT_BEFORE(listelm, elm, field) do { \
1531 + (elm)->field.le_prev = (listelm)->field.le_prev; \
1532 + LIST_NEXT((elm), field) = (listelm); \
1533 + *(listelm)->field.le_prev = (elm); \
1534 + (listelm)->field.le_prev = &LIST_NEXT((elm), field); \
1535 +} while (0)
1536 +
1537 +#define LIST_INSERT_HEAD(head, elm, field) do { \
1538 + if ((LIST_NEXT((elm), field) = LIST_FIRST((head))) != NULL) \
1539 + LIST_FIRST((head))->field.le_prev = &LIST_NEXT((elm), field);\
1540 + LIST_FIRST((head)) = (elm); \
1541 + (elm)->field.le_prev = &LIST_FIRST((head)); \
1542 +} while (0)
1543 +
1544 +#define LIST_NEXT(elm, field) ((elm)->field.le_next)
1545 +
1546 +#define LIST_REMOVE(elm, field) do { \
1547 + if (LIST_NEXT((elm), field) != NULL) \
1548 + LIST_NEXT((elm), field)->field.le_prev = \
1549 + (elm)->field.le_prev; \
1550 + *(elm)->field.le_prev = LIST_NEXT((elm), field); \
1551 +} while (0)
1552 +
1553 +/*
1554 + * Tail queue declarations.
1555 + */
1556 +#define TAILQ_HEAD(name, type) \
1557 +struct name { \
1558 + struct type *tqh_first; /* first element */ \
1559 + struct type **tqh_last; /* addr of last next element */ \
1560 +}
1561 +
1562 +#define TAILQ_HEAD_INITIALIZER(head) \
1563 + { NULL, &(head).tqh_first }
1564 +
1565 +#define TAILQ_ENTRY(type) \
1566 +struct { \
1567 + struct type *tqe_next; /* next element */ \
1568 + struct type **tqe_prev; /* address of previous next element */ \
1569 +}
1570 +
1571 +/*
1572 + * Tail queue functions.
1573 + */
1574 +#define TAILQ_EMPTY(head) ((head)->tqh_first == NULL)
1575 +
1576 +#define TAILQ_FIRST(head) ((head)->tqh_first)
1577 +
1578 +#define TAILQ_FOREACH(var, head, field) \
1579 + for ((var) = TAILQ_FIRST((head)); \
1580 + (var); \
1581 + (var) = TAILQ_NEXT((var), field))
1582 +
1583 +#define TAILQ_FOREACH_REVERSE(var, head, headname, field) \
1584 + for ((var) = TAILQ_LAST((head), headname); \
1585 + (var); \
1586 + (var) = TAILQ_PREV((var), headname, field))
1587 +
1588 +#define TAILQ_INIT(head) do { \
1589 + TAILQ_FIRST((head)) = NULL; \
1590 + (head)->tqh_last = &TAILQ_FIRST((head)); \
1591 +} while (0)
1592 +
1593 +#define TAILQ_INSERT_AFTER(head, listelm, elm, field) do { \
1594 + if ((TAILQ_NEXT((elm), field) = TAILQ_NEXT((listelm), field)) != NULL)\
1595 + TAILQ_NEXT((elm), field)->field.tqe_prev = \
1596 + &TAILQ_NEXT((elm), field); \
1597 + else \
1598 + (head)->tqh_last = &TAILQ_NEXT((elm), field); \
1599 + TAILQ_NEXT((listelm), field) = (elm); \
1600 + (elm)->field.tqe_prev = &TAILQ_NEXT((listelm), field); \
1601 +} while (0)
1602 +
1603 +#define TAILQ_INSERT_BEFORE(listelm, elm, field) do { \
1604 + (elm)->field.tqe_prev = (listelm)->field.tqe_prev; \
1605 + TAILQ_NEXT((elm), field) = (listelm); \
1606 + *(listelm)->field.tqe_prev = (elm); \
1607 + (listelm)->field.tqe_prev = &TAILQ_NEXT((elm), field); \
1608 +} while (0)
1609 +
1610 +#define TAILQ_INSERT_HEAD(head, elm, field) do { \
1611 + if ((TAILQ_NEXT((elm), field) = TAILQ_FIRST((head))) != NULL) \
1612 + TAILQ_FIRST((head))->field.tqe_prev = \
1613 + &TAILQ_NEXT((elm), field); \
1614 + else \
1615 + (head)->tqh_last = &TAILQ_NEXT((elm), field); \
1616 + TAILQ_FIRST((head)) = (elm); \
1617 + (elm)->field.tqe_prev = &TAILQ_FIRST((head)); \
1618 +} while (0)
1619 +
1620 +#define TAILQ_INSERT_TAIL(head, elm, field) do { \
1621 + TAILQ_NEXT((elm), field) = NULL; \
1622 + (elm)->field.tqe_prev = (head)->tqh_last; \
1623 + *(head)->tqh_last = (elm); \
1624 + (head)->tqh_last = &TAILQ_NEXT((elm), field); \
1625 +} while (0)
1626 +
1627 +#define TAILQ_LAST(head, headname) \
1628 + (*(((struct headname *)((head)->tqh_last))->tqh_last))
1629 +
1630 +#define TAILQ_NEXT(elm, field) ((elm)->field.tqe_next)
1631 +
1632 +#define TAILQ_PREV(elm, headname, field) \
1633 + (*(((struct headname *)((elm)->field.tqe_prev))->tqh_last))
1634 +
1635 +#define TAILQ_REMOVE(head, elm, field) do { \
1636 + if ((TAILQ_NEXT((elm), field)) != NULL) \
1637 + TAILQ_NEXT((elm), field)->field.tqe_prev = \
1638 + (elm)->field.tqe_prev; \
1639 + else \
1640 + (head)->tqh_last = (elm)->field.tqe_prev; \
1641 + *(elm)->field.tqe_prev = TAILQ_NEXT((elm), field); \
1642 +} while (0)
1643 +
1644 +
1645 +#ifdef _KERNEL
1646 +
1647 +/*
1648 + * XXX insque() and remque() are an old way of handling certain queues.
1649 + * They bogusly assumes that all queue heads look alike.
1650 + */
1651 +
1652 +struct quehead {
1653 + struct quehead *qh_link;
1654 + struct quehead *qh_rlink;
1655 +};
1656 +
1657 +#ifdef __GNUC__
1658 +
1659 +static __inline void
1660 +insque(void *a, void *b)
1661 +{
1662 + struct quehead *element = (struct quehead *)a,
1663 + *head = (struct quehead *)b;
1664 +
1665 + element->qh_link = head->qh_link;
1666 + element->qh_rlink = head;
1667 + head->qh_link = element;
1668 + element->qh_link->qh_rlink = element;
1669 +}
1670 +
1671 +static __inline void
1672 +remque(void *a)
1673 +{
1674 + struct quehead *element = (struct quehead *)a;
1675 +
1676 + element->qh_link->qh_rlink = element->qh_rlink;
1677 + element->qh_rlink->qh_link = element->qh_link;
1678 + element->qh_rlink = 0;
1679 +}
1680 +
1681 +#else /* !__GNUC__ */
1682 +
1683 +void insque __P((void *a, void *b));
1684 +void remque __P((void *a));
1685 +
1686 +#endif /* __GNUC__ */
1687 +
1688 +#endif /* _KERNEL */
1689 +
1690 +#endif /* !_SYS_QUEUE_H_ */
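Review bot: `STAILQ_LAST` expands to `__offsetof`, which on FreeBSD came from the `<machine/ansi.h>` include that this copy comments out; glibc defines no `__offsetof`, so any use of `STAILQ_LAST` in isakmpd fails to compile while every other macro in the file works. Define it from the standard `offsetof` next to the commented include: `#include <stddef.h>` followed by `#define __offsetof(type, field) offsetof(type, field)`. Whether isakmpd actually uses `STAILQ_LAST` is not visible from this patch, but leaving the macro broken is worse than the two-line fix.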
1691 Index: isakmpd-20041012.orig/sysdep/common/pcap.h
1692 ===================================================================
1693 --- isakmpd-20041012.orig.orig/sysdep/common/pcap.h 2007-06-04 13:22:39.203895384 +0200
1694 +++ isakmpd-20041012.orig/sysdep/common/pcap.h 2007-06-04 13:22:39.292881856 +0200
1695 @@ -55,8 +55,13 @@
1696 u_int32_t linktype; /* data link type (DLT_*) */
1697 };
1698
1699 +struct pcap_timeval {
1700 + int32_t tv_sec; /* seconds */
1701 + int32_t tv_usec; /* microseconds */
1702 +};
1703 +
1704 struct pcap_pkthdr {
1705 - struct timeval ts; /* time stamp */
1706 + struct pcap_timeval ts; /* time stamp */
1707 u_int32_t caplen; /* length of portion present */
1708 u_int32_t len; /* length this packet (off wire) */
1709 };
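Review bot: `struct pcap_timeval` replaces `struct timeval` in the record header without saying why; the reason (presumably that the pcap file format stores two 32-bit fields, while `struct timeval` is 16 bytes on 64-bit Linux and would corrupt the written capture) belongs on the struct, e.g. `/* Fixed 32-bit layout of the pcap record timestamp; must not be the host struct timeval. */`. The 32-bit `tv_sec` also inherits that file format's 2038 limit, which is worth a word so nobody "fixes" it to `time_t`.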
1710 Index: isakmpd-20041012.orig/sysdep/common/libsysdep/arc4random.c
1711 ===================================================================
1712 --- isakmpd-20041012.orig.orig/sysdep/common/libsysdep/arc4random.c 2007-06-04 13:22:39.211894168 +0200
1713 +++ isakmpd-20041012.orig/sysdep/common/libsysdep/arc4random.c 2007-06-04 13:22:39.292881856 +0200
1714 @@ -78,7 +78,7 @@
1715 static void
1716 arc4_stir(struct arc4_stream *as)
1717 {
1718 - int fd;
1719 + int fd, i;
1720 struct {
1721 struct timeval tv;
1722 u_int8_t rnd[128 - sizeof(struct timeval)];
1723 Index: isakmpd-20041012.orig/x509v3.cnf
1724 ===================================================================
1725 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
1726 +++ isakmpd-20041012.orig/x509v3.cnf 2007-06-04 13:22:39.293881704 +0200
1727 @@ -0,0 +1,26 @@
1728 +# default settings
1729 +CERTPATHLEN = 1
1730 +CERTUSAGE = digitalSignature,keyCertSign
1731 +CERTIP = 0.0.0.0
1732 +CERTFQDN = nohost.nodomain
1733 +
1734 +# This section should be referenced when building an x509v3 CA
1735 +# Certificate.
1736 +# The default path length and the key usage can be overriden
1737 +# modified by setting the CERTPATHLEN and CERTUSAGE environment
1738 +# variables.
1739 +[x509v3_CA]
1740 +basicConstraints=critical,CA:true,pathlen:$ENV::CERTPATHLEN
1741 +keyUsage=$ENV::CERTUSAGE
1742 +
1743 +# This section should be referenced to add an IP Address
1744 +# as an alternate subject name, needed by isakmpd
1745 +# The address must be provided in the CERTIP environment variable
1746 +[x509v3_IPAddr]
1747 +subjectAltName=IP:$ENV::CERTIP
1748 +
1749 +# This section should be referenced to add a FQDN hostname
1750 +# as an alternate subject name, needed by isakmpd
1751 +# The address must be provided in the CERTFQDN environment variable
1752 +[x509v3_FQDN]
1753 +subjectAltName=DNS:$ENV::CERTFQDN
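Review bot: The `[x509v3_CA]` section marks `basicConstraints` critical but leaves `keyUsage` non-critical; RFC 5280 section 4.2.1.3 says CAs SHOULD mark keyUsage critical, so `keyUsage=critical,$ENV::CERTUSAGE` is the safer default for CA certificates minted from this file. The defaults `CERTIP = 0.0.0.0` and `CERTFQDN = nohost.nodomain` silently yield a certificate with a placeholder subjectAltName whenever the caller forgets to export the variable; a comment on those lines saying they are placeholders that must be overridden would help. `overriden` in the CA section comment should read `overridden`.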