[ipsec-tools] update to a new upstream version
Tomáš Mráz
tmraz at fedoraproject.org
Mon Mar 21 20:45:42 UTC 2011
commit 6ccd29754953f674dbb35eef3be85f9a574adf0c
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date: Mon Mar 21 21:45:31 2011 +0100
update to a new upstream version
.gitignore | 1 +
ipsec-tools-0.7-dupsplit.patch | 57 ---
ipsec-tools-0.7-iface.patch | 28 --
ipsec-tools-0.7-splitcidr.patch | 139 --------
ipsec-tools-0.7.1-dpd-fixes.patch | 230 -------------
ipsec-tools-0.7.2-natt-linux.patch | 94 -----
ipsec-tools-0.7.3-aliasing.patch | 363 --------------------
ipsec-tools-0.7.3-gssapi-guard.patch | 58 ---
...uires.patch => ipsec-tools-0.8.0-acquires.patch | 73 ++---
ipsec-tools-0.8.0-aliasing.patch | 123 +++++++
...pback.patch => ipsec-tools-0.8.0-loopback.patch | 236 +++++++------
...odevel.patch => ipsec-tools-0.8.0-nodevel.patch | 16 +-
ipsec-tools.spec | 42 ++--
sources | 2 +-
14 files changed, 312 insertions(+), 1150 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 75c1995..03cd6e5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
ipsec-tools-0.7.3.tar.bz2
+/ipsec-tools-0.8.0.tar.bz2
diff --git a/ipsec-tools-0.7-acquires.patch b/ipsec-tools-0.8.0-acquires.patch
similarity index 59%
rename from ipsec-tools-0.7-acquires.patch
rename to ipsec-tools-0.8.0-acquires.patch
index 3eaad6c..2f4a4ec 100644
--- a/ipsec-tools-0.7-acquires.patch
+++ b/ipsec-tools-0.8.0-acquires.patch
@@ -1,6 +1,7 @@
---- ipsec-tools-0.7/src/racoon/handler.h.acquires 2007-08-28 22:18:35.000000000 -0500
-+++ ipsec-tools-0.7/src/racoon/handler.h 2007-08-28 22:19:57.000000000 -0500
-@@ -284,6 +284,8 @@
+diff -up ipsec-tools-0.8.0/src/racoon/handler.h.acquires ipsec-tools-0.8.0/src/racoon/handler.h
+--- ipsec-tools-0.8.0/src/racoon/handler.h.acquires 2010-11-17 11:40:41.000000000 +0100
++++ ipsec-tools-0.8.0/src/racoon/handler.h 2011-03-21 16:31:27.000000000 +0100
+@@ -316,6 +316,8 @@ struct ph2handle {
u_int8_t flags; /* Flags for phase 2 */
u_int32_t msgid; /* msgid for phase 2 */
@@ -9,28 +10,29 @@
struct sainfo *sainfo; /* place holder of sainfo */
struct saprop *proposal; /* SA(s) proposal. */
---- ipsec-tools-0.7/src/racoon/pfkey.c.acquires 2007-08-01 06:52:21.000000000 -0500
-+++ ipsec-tools-0.7/src/racoon/pfkey.c 2007-08-28 22:08:22.000000000 -0500
-@@ -1265,7 +1265,9 @@
- SCHED_KILL(iph2->sce);
-
+diff -up ipsec-tools-0.8.0/src/racoon/pfkey.c.acquires ipsec-tools-0.8.0/src/racoon/pfkey.c
+--- ipsec-tools-0.8.0/src/racoon/pfkey.c.acquires 2011-03-15 14:20:14.000000000 +0100
++++ ipsec-tools-0.8.0/src/racoon/pfkey.c 2011-03-21 16:52:32.000000000 +0100
+@@ -1347,7 +1347,9 @@ pk_recvupdate(mhp)
+ sched_cancel(&iph2->sce);
+
/* update status */
- iph2->status = PHASE2ST_ESTABLISHED;
+ /* Do this in pk_recvadd
+ * iph2->status = PHASE2ST_ESTABLISHED;
+ */
+ evt_phase2(iph2, EVT_PHASE2_UP, NULL);
#ifdef ENABLE_STATS
- gettimeofday(&iph2->end, NULL);
-@@ -1311,6 +1313,7 @@
+@@ -1379,6 +1381,7 @@ pk_sendadd(iph2)
+ {
struct saproto *pr;
- int proxy = 0;
struct pfkey_send_sa_args sa_args;
+ u_int32_t sa_sent = 0;
/* sanity check */
if (iph2->approval == NULL) {
-@@ -1427,6 +1430,9 @@
+@@ -1498,6 +1501,9 @@ pk_sendadd(iph2)
return -1;
}
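Review bot: `evt_phase2(iph2, EVT_PHASE2_UP, NULL);` in the pk_recvupdate hunk now fires while `iph2->status` is presumably still below PHASE2ST_ESTABLISHED, because the assignment that used to precede it is commented out and deferred to pk_recvadd. Anything consuming EVT_PHASE2_UP can therefore observe an SA reported as up whose handler is not yet established; if that ordering is acceptable it deserves a comment, otherwise the event should move next to the status change in pk_recvadd. Independently, `/* Do this in pk_recvadd * iph2->status = PHASE2ST_ESTABLISHED; */` is commented-out code carried through the rebase; `/* status moves to PHASE2ST_ESTABLISHED in pk_recvadd once every SA has been added */` states the same without dead code. pk_recvupdate and pk_sendadd both extend beyond this hunk.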
@@ -40,15 +42,15 @@
if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA])
continue;
-@@ -1447,6 +1453,7 @@
+@@ -1518,6 +1524,7 @@ pk_sendadd(iph2)
sadbsecas2str(sa_args.src, sa_args.dst,
sa_args.satype, sa_args.spi, sa_args.mode));
}
+ iph2->sa_count = sa_sent;
+ racoon_free(sa_args.src);
+ racoon_free(sa_args.dst);
return 0;
- }
-
-@@ -1502,10 +1509,20 @@
+@@ -1576,10 +1583,20 @@ pk_recvadd(mhp)
}
/*
@@ -70,25 +72,16 @@
+
plog(LLV_INFO, LOCATION, NULL,
"IPsec-SA established: %s\n",
- sadbsecas2str(iph2->src, iph2->dst,
-@@ -1589,8 +1606,6 @@
- /* turn off the timer for calling isakmp_ph2expire() */
- SCHED_KILL(iph2->sce);
-
-- iph2->status = PHASE2ST_EXPIRED;
--
- /* INITIATOR, begin phase 2 exchange. */
- /* allocate buffer for status management of pfkey message */
- if (iph2->side == INITIATOR) {
-@@ -1618,6 +1633,7 @@
- /* If not received SADB_EXPIRE, INITIATOR delete ph2handle. */
- /* RESPONDER always delete ph2handle, keep silent. RESPONDER doesn't
- * manage IPsec SA, so delete the list */
-+ iph2->status = PHASE2ST_EXPIRED;
- unbindph12(iph2);
- remph2(iph2);
- delph2(iph2);
-@@ -1739,8 +1755,17 @@
+ sadbsecas2str(src, dst,
+@@ -1690,6 +1707,7 @@ pk_recvexpire(mhp)
+ plog(LLV_ERROR, LOCATION, iph2->dst,
+ "failed to begin ipsec sa "
+ "re-negotication.\n");
++ iph2->status = PHASE2ST_EXPIRED;
+ remph2(iph2);
+ delph2(iph2);
+ return -1;
+@@ -1855,8 +1873,17 @@ pk_recvacquire(mhp)
* 2. its state is equal to PHASE2ST_ESTABLISHED, then racoon
* has to prcesss such a acquire message because racoon may
* lost the expire message.
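Review bot: `iph2->status = PHASE2ST_EXPIRED;` inserted before `remph2(iph2);`/`delph2(iph2);` on the failed re-negotiation path in pk_recvexpire carries no comment explaining why a handler that is about to be deleted needs its status changed first. Presumably it keeps the address-based lookup this same patch adds to pk_recvacquire from treating the doomed handler as a live negotiation; a line such as `/* mark expired before teardown so a concurrent acquire lookup does not see a live handler */` would make that intent checkable. The 0.7 version of this patch set the status on the general INITIATOR/RESPONDER delete path instead, while the rebase sets it only on this error path; whether 0.8.0 already covers the other paths upstream is not visible here and is worth confirming. pk_recvexpire continues outside the hunk.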
@@ -99,10 +92,10 @@
+ * and responder receives acquire for same policy. So to prevent
+ * another identical negotiation, also check by address.
*/
- iph2[0] = getph2byid(src, dst, xpl->sadb_x_policy_id);
-+ if (iph2[0] == NULL)
-+ iph2[0] = getph2bysaddr(src, dst);
+ iph2 = getph2byid(src, dst, xpl->sadb_x_policy_id);
++ if (iph2 == NULL)
++ iph2 = getph2bysaddr(src, dst);
+
- if (iph2[0] != NULL) {
- if (iph2[0]->status < PHASE2ST_ESTABLISHED) {
+ if (iph2 != NULL) {
+ if (iph2->status < PHASE2ST_ESTABLISHED) {
plog(LLV_DEBUG, LOCATION, NULL,
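Review bot: the fallback `if (iph2 == NULL) iph2 = getph2bysaddr(src, dst);` matches on addresses alone, so an acquire for a second, distinct policy between the same two addresses resolves to whichever handler for that pair is currently negotiating and, via the `iph2->status < PHASE2ST_ESTABLISHED` branch that follows, is presumably ignored. That is intended for the duplicate-acquire race the comment describes, but it also means two different policies between one host pair cannot be negotiated concurrently; the second has to wait for the kernel to re-issue the acquire. If that trade-off is accepted it should be stated above the lookup, e.g. `/* NOTE: address-only match also suppresses acquires for other policies between the same peers while one is in progress */`; otherwise the fallback should also compare the policy's selectors. The rest of pk_recvacquire is outside the hunk.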
diff --git a/ipsec-tools-0.8.0-aliasing.patch b/ipsec-tools-0.8.0-aliasing.patch
new file mode 100644
index 0000000..447b6a1
--- /dev/null
+++ b/ipsec-tools-0.8.0-aliasing.patch
@@ -0,0 +1,123 @@
+diff -up ipsec-tools-0.8.0/src/racoon/grabmyaddr.c.aliasing ipsec-tools-0.8.0/src/racoon/grabmyaddr.c
+--- ipsec-tools-0.8.0/src/racoon/grabmyaddr.c.aliasing 2011-03-14 18:18:12.000000000 +0100
++++ ipsec-tools-0.8.0/src/racoon/grabmyaddr.c 2011-03-21 21:41:49.000000000 +0100
+@@ -399,10 +399,9 @@ netlink_add_del_address(int add, struct
+ static int
+ netlink_process_addr(struct nlmsghdr *h)
+ {
+- struct sockaddr_storage addr;
++ struct sockaddr_in6 sin6;
+ struct ifaddrmsg *ifa;
+ struct rtattr *rta[IFA_MAX+1];
+- struct sockaddr_in6 *sin6;
+
+ ifa = NLMSG_DATA(h);
+ parse_rtattr(rta, IFA_MAX, IFA_RTA(ifa), IFA_PAYLOAD(h));
+@@ -416,17 +415,16 @@ netlink_process_addr(struct nlmsghdr *h)
+ if (rta[IFA_LOCAL] == NULL)
+ return 0;
+
+- memset(&addr, 0, sizeof(addr));
+- addr.ss_family = ifa->ifa_family;
+- sin6 = (struct sockaddr_in6 *) &addr;
+- memcpy(&sin6->sin6_addr, RTA_DATA(rta[IFA_LOCAL]),
+- sizeof(sin6->sin6_addr));
+- if (!IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))
++ memset(&sin6, 0, sizeof(sin6));
++ sin6.sin6_family = ifa->ifa_family;
++ memcpy(&sin6.sin6_addr, RTA_DATA(rta[IFA_LOCAL]),
++ sizeof(sin6.sin6_addr));
++ if (!IN6_IS_ADDR_LINKLOCAL(&sin6.sin6_addr))
+ return 0;
+- sin6->sin6_scope_id = ifa->ifa_index;
++ sin6.sin6_scope_id = ifa->ifa_index;
+
+ netlink_add_del_address(h->nlmsg_type == RTM_NEWADDR,
+- (struct sockaddr *) &addr);
++ (struct sockaddr *) &sin6);
+
+ return 0;
+ }
+@@ -471,13 +469,9 @@ netlink_route_is_local(int family, const
+ static int
+ netlink_process_route(struct nlmsghdr *h)
+ {
+- struct sockaddr_storage addr;
++ union sockaddr_any addr;
+ struct rtmsg *rtm;
+ struct rtattr *rta[RTA_MAX+1];
+- struct sockaddr_in *sin;
+-#ifdef INET6
+- struct sockaddr_in6 *sin6;
+-#endif
+
+ rtm = NLMSG_DATA(h);
+
+@@ -492,21 +486,19 @@ netlink_process_route(struct nlmsghdr *h
+
+ /* setup the socket address */
+ memset(&addr, 0, sizeof(addr));
+- addr.ss_family = rtm->rtm_family;
++ addr.sa.sa_family = rtm->rtm_family;
+ switch (rtm->rtm_family) {
+ case AF_INET:
+- sin = (struct sockaddr_in *) &addr;
+- memcpy(&sin->sin_addr, RTA_DATA(rta[RTA_DST]),
+- sizeof(sin->sin_addr));
++ memcpy(&addr.sin.sin_addr, RTA_DATA(rta[RTA_DST]),
++ sizeof(addr.sin.sin_addr));
+ break;
+ #ifdef INET6
+ case AF_INET6:
+- sin6 = (struct sockaddr_in6 *) &addr;
+- memcpy(&sin6->sin6_addr, RTA_DATA(rta[RTA_DST]),
+- sizeof(sin6->sin6_addr));
++ memcpy(&addr.sin6.sin6_addr, RTA_DATA(rta[RTA_DST]),
++ sizeof(addr.sin6.sin6_addr));
+ /* Link-local addresses are handled with RTM_NEWADDR
+ * notifications */
+- if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))
++ if (IN6_IS_ADDR_LINKLOCAL(&addr.sin6.sin6_addr))
+ return 0;
+ break;
+ #endif
+@@ -522,12 +514,12 @@ netlink_process_route(struct nlmsghdr *h
+ RTA_PAYLOAD(rta[RTA_DST]))) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "Netlink: not deleting %s yet, it exists still\n",
+- saddrwop2str((struct sockaddr *) &addr));
++ saddrwop2str(&addr.sa));
+ return 0;
+ }
+
+ netlink_add_del_address(h->nlmsg_type == RTM_NEWROUTE,
+- (struct sockaddr *) &addr);
++ &addr.sa);
+ return 0;
+ }
+
+diff -up ipsec-tools-0.8.0/src/racoon/isakmp_quick.c.aliasing ipsec-tools-0.8.0/src/racoon/isakmp_quick.c
+--- ipsec-tools-0.8.0/src/racoon/isakmp_quick.c.aliasing 2011-03-21 18:13:15.000000000 +0100
++++ ipsec-tools-0.8.0/src/racoon/isakmp_quick.c 2011-03-21 21:30:05.000000000 +0100
+@@ -2173,15 +2173,15 @@ get_sainfo_r(iph2)
+ if (iph2->ph1->mode_cfg != NULL) {
+ if ((iph2->ph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) ||
+ (iph2->ph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_LOCAL)){
+- struct sockaddr saddr;
+- saddr.sa_family = AF_INET;
++ struct sockaddr_in saddr;
++ saddr.sin_family = AF_INET;
+ #ifndef __linux__
+- saddr.sa_len = sizeof(struct sockaddr_in);
++ saddr.sin_len = sizeof(struct sockaddr_in);
+ #endif
+- ((struct sockaddr_in *)&saddr)->sin_port = IPSEC_PORT_ANY;
+- memcpy(&((struct sockaddr_in *)&saddr)->sin_addr,
++ saddr.sin_port = IPSEC_PORT_ANY;
++ memcpy(&saddr.sin_addr,
+ &iph2->ph1->mode_cfg->addr4, sizeof(struct in_addr));
+- client = ipsecdoi_sockaddr2id(&saddr, 32, IPSEC_ULPROTO_ANY);
++ client = ipsecdoi_sockaddr2id((struct sockaddr *)&saddr, 32, IPSEC_ULPROTO_ANY);
+ }
+ }
+
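Review bot: in the get_sainfo_r hunk `struct sockaddr_in saddr;` is never zeroed, so `sin_zero` holds stack garbage when `(struct sockaddr *)&saddr` is handed to ipsecdoi_sockaddr2id; the previous `struct sockaddr` had the same gap, but since the rewrite already touches every assignment a `memset(&saddr, 0, sizeof(saddr));` right after the declaration costs nothing and rules out uninitialized bytes reaching the ID payload. The netlink_process_addr and netlink_process_route hunks likewise copy `sizeof(sin6.sin6_addr)` / `sizeof(addr.sin.sin_addr)` bytes out of `RTA_DATA(...)` without checking `RTA_PAYLOAD(...)` against that size; the family check that may precede the memcpy sits outside the hunk, so a guard such as `if (RTA_PAYLOAD(rta[IFA_LOCAL]) < sizeof(sin6.sin6_addr)) return 0;` would make the read safe independent of it. All three functions extend beyond their hunks.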
diff --git a/ipsec-tools-0.7.1-loopback.patch b/ipsec-tools-0.8.0-loopback.patch
similarity index 62%
rename from ipsec-tools-0.7.1-loopback.patch
rename to ipsec-tools-0.8.0-loopback.patch
index d54dbbf..6d1d464 100644
--- a/ipsec-tools-0.7.1-loopback.patch
+++ b/ipsec-tools-0.8.0-loopback.patch
@@ -1,9 +1,9 @@
-diff -up ipsec-tools-0.7.1/configure.ac.loopback ipsec-tools-0.7.1/configure.ac
---- ipsec-tools-0.7.1/configure.ac.loopback 2008-07-22 15:53:46.000000000 +0200
-+++ ipsec-tools-0.7.1/configure.ac 2008-07-30 21:14:30.000000000 +0200
-@@ -794,6 +794,27 @@ if test "$enable_security_context" = "ye
- fi
- fi
+diff -up ipsec-tools-0.8.0/configure.ac.loopback ipsec-tools-0.8.0/configure.ac
+--- ipsec-tools-0.8.0/configure.ac.loopback 2011-03-18 14:25:12.000000000 +0100
++++ ipsec-tools-0.8.0/configure.ac 2011-03-21 16:54:55.000000000 +0100
+@@ -794,6 +794,27 @@ AC_TRY_COMPILE(
+ AC_MSG_RESULT(yes)],
+ [AC_MSG_RESULT(no)])
+AC_MSG_CHECKING(whether to support Auditing)
+AC_ARG_ENABLE(audit,
@@ -29,10 +29,79 @@ diff -up ipsec-tools-0.7.1/configure.ac.loopback ipsec-tools-0.7.1/configure.ac
CFLAGS="$CFLAGS $CFLAGS_ADD"
CPPFLAGS="$CPPFLAGS $CPPFLAGS_ADD"
-diff -up ipsec-tools-0.7.1/src/racoon/pfkey.c.loopback ipsec-tools-0.7.1/src/racoon/pfkey.c
---- ipsec-tools-0.7.1/src/racoon/pfkey.c.loopback 2008-07-30 21:14:30.000000000 +0200
-+++ ipsec-tools-0.7.1/src/racoon/pfkey.c 2008-07-30 21:33:20.000000000 +0200
-@@ -99,6 +99,7 @@
+diff -up ipsec-tools-0.8.0/src/racoon/handler.h.loopback ipsec-tools-0.8.0/src/racoon/handler.h
+--- ipsec-tools-0.8.0/src/racoon/handler.h.loopback 2011-03-21 16:54:55.000000000 +0100
++++ ipsec-tools-0.8.0/src/racoon/handler.h 2011-03-21 16:54:55.000000000 +0100
+@@ -318,6 +318,7 @@ struct ph2handle {
+ u_int32_t msgid; /* msgid for phase 2 */
+
+ u_int32_t sa_count; /* num of SAs sent in SADB_ADD */
++ u_int8_t loopback;
+
+ struct sainfo *sainfo; /* place holder of sainfo */
+ struct saprop *proposal; /* SA(s) proposal. */
+diff -up ipsec-tools-0.8.0/src/racoon/isakmp_quick.c.loopback ipsec-tools-0.8.0/src/racoon/isakmp_quick.c
+--- ipsec-tools-0.8.0/src/racoon/isakmp_quick.c.loopback 2011-03-14 18:18:13.000000000 +0100
++++ ipsec-tools-0.8.0/src/racoon/isakmp_quick.c 2011-03-21 18:10:37.000000000 +0100
+@@ -99,11 +99,10 @@ static vchar_t *quick_ir1mx __P((struct
+ static int get_sainfo_r __P((struct ph2handle *));
+ static int get_proposal_r __P((struct ph2handle *));
+ static int ph2_recv_n __P((struct ph2handle *, struct isakmp_gen *));
+-static void quick_timeover_stub __P((struct sched *));
+ static void quick_timeover __P((struct ph2handle *));
+
+ /* called from scheduler */
+-static void
++void
+ quick_timeover_stub(p)
+ struct sched *p;
+ {
+diff -up ipsec-tools-0.8.0/src/racoon/isakmp_quick.h.loopback ipsec-tools-0.8.0/src/racoon/isakmp_quick.h
+--- ipsec-tools-0.8.0/src/racoon/isakmp_quick.h.loopback 2006-09-09 18:22:09.000000000 +0200
++++ ipsec-tools-0.8.0/src/racoon/isakmp_quick.h 2011-03-21 18:10:57.000000000 +0100
+@@ -47,4 +47,5 @@ extern int quick_r3recv __P((struct ph2h
+ extern int quick_r3send __P((struct ph2handle *, vchar_t *));
+ extern int quick_r3prep __P((struct ph2handle *, vchar_t *));
+
++extern void quick_timeover_stub __P((struct sched *));
+ #endif /* _ISAKMP_QUICK_H */
+diff -up ipsec-tools-0.8.0/src/racoon/main.c.loopback ipsec-tools-0.8.0/src/racoon/main.c
+--- ipsec-tools-0.8.0/src/racoon/main.c.loopback 2009-01-26 19:13:06.000000000 +0100
++++ ipsec-tools-0.8.0/src/racoon/main.c 2011-03-21 16:54:55.000000000 +0100
+@@ -297,6 +297,9 @@ main(ac, av)
+ #ifdef HAVE_SECCTX
+ init_avc();
+ #endif
++#ifdef HAVE_LIBAUDIT
++ audit_init();
++#endif
+ eay_init();
+ initrmconf();
+ oakley_dhinit();
+diff -up ipsec-tools-0.8.0/src/racoon/Makefile.am.loopback ipsec-tools-0.8.0/src/racoon/Makefile.am
+--- ipsec-tools-0.8.0/src/racoon/Makefile.am.loopback 2009-12-11 10:04:04.000000000 +0100
++++ ipsec-tools-0.8.0/src/racoon/Makefile.am 2011-03-21 16:54:55.000000000 +0100
+@@ -39,7 +39,7 @@ racoon_SOURCES = \
+ EXTRA_racoon_SOURCES = isakmp_xauth.c isakmp_cfg.c isakmp_unity.c throttle.c \
+ isakmp_frag.c nattraversal.c security.c $(MISSING_ALGOS)
+ racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(LEXLIB) \
+- $(SECCTX_OBJS) vmbuf.o sockmisc.o misc.o ../libipsec/libipsec.la
++ $(SECCTX_OBJS) vmbuf.o sockmisc.o misc.o ../libipsec/libipsec.la @AUDIT_LIBS@
+ racoon_DEPENDENCIES = \
+ $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(SECCTX_OBJS) \
+ vmbuf.o sockmisc.o misc.o
+diff -up ipsec-tools-0.8.0/src/racoon/pfkey.c.loopback ipsec-tools-0.8.0/src/racoon/pfkey.c
+--- ipsec-tools-0.8.0/src/racoon/pfkey.c.loopback 2011-03-21 17:43:02.000000000 +0100
++++ ipsec-tools-0.8.0/src/racoon/pfkey.c 2011-03-21 18:10:02.000000000 +0100
+@@ -87,6 +87,7 @@
+ #include "isakmp_var.h"
+ #include "isakmp.h"
+ #include "isakmp_inf.h"
++#include "isakmp_quick.h"
+ #include "ipsec_doi.h"
+ #include "oakley.h"
+ #include "pfkey.h"
+@@ -101,6 +102,7 @@
#include "nattraversal.h"
#include "crypto_openssl.h"
#include "grabmyaddr.h"
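Review bot: `u_int8_t loopback;` added to struct ph2handle in the handler.h hunk is the only field in that run without a trailing comment, while its neighbours document themselves (`sa_count; /* num of SAs sent in SADB_ADD */`); `u_int8_t loopback; /* set when the SA is installed locally without ISAKMP (labeled IPsec over loopback) */` would match the style and record what the pk_recvupdate check `iph2->loopback == 1` keys on. The context line `u_int32_t sa_count;` this hunk anchors on is itself introduced by ipsec-tools-0.8.0-acquires.patch, so the %patch3-before-%patch4 order in the spec is load-bearing and deserves a comment there. The `static void` to `void` change on quick_timeover_stub plus the new extern in isakmp_quick.h widens a formerly file-local symbol for pfkey.c; a brief `/* also used by the loopback path in pfkey.c */` at the definition would explain why it is no longer static.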
@@ -40,7 +109,7 @@ diff -up ipsec-tools-0.7.1/src/racoon/pfkey.c.loopback ipsec-tools-0.7.1/src/rac
#if defined(SADB_X_EALG_RIJNDAELCBC) && !defined(SADB_X_EALG_AESCBC)
#define SADB_X_EALG_AESCBC SADB_X_EALG_RIJNDAELCBC
-@@ -972,6 +973,56 @@ pk_recvgetspi(mhp)
+@@ -1043,6 +1045,56 @@ pk_recvgetspi(mhp)
return -1;
}
@@ -50,7 +119,7 @@ diff -up ipsec-tools-0.7.1/src/racoon/pfkey.c.loopback ipsec-tools-0.7.1/src/rac
+ struct sockaddr *src;
+
+ src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-+ if (cmpsaddrstrict(src, dst) == 0) {
++ if (cmpsaddr(src, dst) != CMPSADDR_MISMATCH) {
+ struct pfkey_send_sa_args sa_args;
+ /* yep, this is loopback. install SA */
+ satype = ipsecdoi2pfkey_proto(iph2->proposal->head->proto_id);
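Review bot: `if (cmpsaddr(src, dst) != CMPSADDR_MISMATCH) {` is not the same test as the `cmpsaddrstrict(src, dst) == 0` it replaces: if cmpsaddr in 0.8.0 distinguishes full, port-wildcard and port-less matches from CMPSADDR_MISMATCH, as its result codes suggest, then `!= CMPSADDR_MISMATCH` accepts address matches whose ports differ or are wildcards, whereas the strict form required the ports to agree. Since equal src and dst addresses already imply local traffic this is unlikely to misclassify a remote SA as loopback, but if the strict semantics were intended the comparison should be `if (cmpsaddr(src, dst) == CMPSADDR_MATCH) {`; either way the chosen semantics deserve a comment. The same replacement appears in the pk_recvupdate hunk (`iph2->loopback == 1 && ...`) and the pk_recvacquire hunk (`m_sec_ctx && ...`). The enclosing pk_recvgetspi body starts and ends outside this hunk.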
@@ -97,24 +166,24 @@ diff -up ipsec-tools-0.7.1/src/racoon/pfkey.c.loopback ipsec-tools-0.7.1/src/rac
/* set SPI, and check to get all spi whether or not */
allspiok = 1;
notfound = 1;
-@@ -1222,6 +1273,26 @@ pk_recvupdate(mhp)
+@@ -1304,6 +1356,26 @@ pk_recvupdate(mhp)
return -1;
}
+#ifdef HAVE_SECCTX
+ /* get update for loopback here */
-+ if (iph2->loopback == 1 && (cmpsaddrstrict(src, dst) == 0)) {
++ if (iph2->loopback == 1 && (cmpsaddr(src, dst) != CMPSADDR_MISMATCH)) {
+ plog(LLV_INFO, LOCATION, NULL,
+ "IPsec-SA established without ISAKMP: %s\n",
+ sadbsecas2str(iph2->dst, iph2->src,
+ msg->sadb_msg_satype, sa->sadb_sa_spi,
+ IPSEC_MODE_TRANSPORT));
+
-+ /* turn off the timer for calling pfkey_timeover() */
-+ SCHED_KILL(iph2->sce);
++ /* turn off the timer for calling quick_timeover() */
++ sched_cancel(&iph2->sce);
+
-+ iph2->sce = sched_new(iph2->proposal->lifetime,
-+ isakmp_ph2expire_stub, iph2);
++ sched_schedule(&iph2->sce, iph2->proposal->lifetime,
++ isakmp_ph2expire_stub);
+
+ iph2->status = PHASE2ST_ESTABLISHED;
+ return 0;
@@ -124,27 +193,16 @@ diff -up ipsec-tools-0.7.1/src/racoon/pfkey.c.loopback ipsec-tools-0.7.1/src/rac
/* check to complete all keys ? */
for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
-@@ -1264,11 +1335,6 @@ pk_recvupdate(mhp)
- /* turn off the timer for calling pfkey_timeover() */
- SCHED_KILL(iph2->sce);
-
-- /* update status */
-- /* Do this in pk_recvadd
-- * iph2->status = PHASE2ST_ESTABLISHED;
-- */
--
- #ifdef ENABLE_STATS
- gettimeofday(&iph2->end, NULL);
- syslog(LOG_NOTICE, "%s(%s): %8.6f",
-@@ -1657,6 +1723,7 @@ pk_recvacquire(mhp)
- struct sadb_x_sec_ctx *m_sec_ctx;
- #endif /* HAVE_SECCTX */
- struct policyindex spidx;
-+ int do_listen = 0;
+@@ -1343,7 +1415,7 @@ pk_recvupdate(mhp)
+ if (incomplete)
+ return 0;
+- /* turn off the timer for calling pfkey_timeover() */
++ /* turn off the timer for calling quick_timeover() */
+ sched_cancel(&iph2->sce);
- /* ignore this message because of local test mode. */
-@@ -1681,6 +1748,12 @@ pk_recvacquire(mhp)
+ /* update status */
+@@ -1768,6 +1840,12 @@ pk_recvacquire(mhp)
m_sec_ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
if (m_sec_ctx != NULL) {
@@ -156,18 +214,10 @@ diff -up ipsec-tools-0.7.1/src/racoon/pfkey.c.loopback ipsec-tools-0.7.1/src/rac
+ }
plog(LLV_INFO, LOCATION, NULL, "security context doi: %u\n",
m_sec_ctx->sadb_x_ctx_doi);
- plog(LLV_INFO, LOCATION, NULL,
-@@ -1730,7 +1803,6 @@ pk_recvacquire(mhp)
- */
- struct sockaddr *sa = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- struct myaddrs *p;
-- int do_listen = 0;
- for (p = lcconf->myaddrs; p; p = p->next) {
- if (!cmpsaddrwop(p->addr, sa)) {
- do_listen = 1;
-@@ -1853,6 +1925,73 @@ pk_recvacquire(mhp)
- plog(LLV_DEBUG, LOCATION, NULL,
- "new acquire %s\n", spidx2str(&sp_out->spidx));
+ plog(LLV_INFO, LOCATION, NULL,
+@@ -1974,6 +2052,73 @@ pk_recvacquire(mhp)
+ iph2->sa_dst = dupsaddr(sa_dst);
+ }
+#ifdef HAVE_SECCTX
+ /*
@@ -176,15 +226,15 @@ diff -up ipsec-tools-0.7.1/src/racoon/pfkey.c.loopback ipsec-tools-0.7.1/src/rac
+ * packet arrived over loopback and just get an SPI and
+ * install the SA.
+ */
-+ if (do_listen && m_sec_ctx && (cmpsaddrstrict(src, dst) == 0)) {
++ if (m_sec_ctx && (cmpsaddr(src, dst) != CMPSADDR_MISMATCH)) {
+ struct saprop *newpp;
+ struct saproto *newpr;
-+ iph2[n]->loopback = 1;
++ iph2->loopback = 1;
+ newpp = newsaprop();
+ if (newpp == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to allocate saprop.\n");
-+ delph2(iph2[n]);
++ delph2(iph2);
+ return -1;
+ }
+ /* allocate to hold reqid */
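Review bot: the loopback condition `if (m_sec_ctx && (cmpsaddr(src, dst) != CMPSADDR_MISMATCH)) {` drops the `do_listen &&` guard the 0.7.1 version had, so an acquire whose source address racoon is not listening on could now enter the path that requests an SPI and installs an SA without any ISAKMP exchange. That is harmless only if 0.8.0's pk_recvacquire already returns early for non-listening source addresses before this point, which lies outside the hunk; confirm it and say so above the condition, e.g. `/* source already checked against our listen addresses above */`, or restore the guard. pk_recvacquire continues past both ends of the hunk.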
@@ -192,7 +242,7 @@ diff -up ipsec-tools-0.7.1/src/racoon/pfkey.c.loopback ipsec-tools-0.7.1/src/rac
+ if (newpr == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to allocate saproto.\n");
-+ delph2(iph2[n]);
++ delph2(iph2);
+ return -1;
+ }
+
@@ -201,59 +251,47 @@ diff -up ipsec-tools-0.7.1/src/racoon/pfkey.c.loopback ipsec-tools-0.7.1/src/rac
+ newpr->proto_id = ipproto2doi(sp_out->req->saidx.proto);
+
+ inssaprotorev(newpp, newpr);
-+ iph2[n]->proposal = newpp;
++ iph2->proposal = newpp;
+ printsaprop0(LLV_DEBUG, newpp);
+
-+ set_secctx_in_proposal(iph2[n], spidx);
-+ iph2[n]->proposal->lifetime = IPSECDOI_ATTR_SA_LD_SEC_DEFAULT;
++ set_secctx_in_proposal(iph2, spidx);
++ iph2->proposal->lifetime = IPSECDOI_ATTR_SA_LD_SEC_DEFAULT;
+
-+ insph2(iph2[n]);
++ insph2(iph2);
+
-+ iph2[n]->status = PHASE2ST_GETSPISENT;
++ iph2->status = PHASE2ST_GETSPISENT;
+ plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_getspi\n");
+ if (pfkey_send_getspi(
+ lcconf->sock_pfkey,
-+ iph2[n]->satype,
++ iph2->satype,
+ IPSEC_MODE_TRANSPORT,
+ dst, /* src of SA */
+ src, /* dst of SA */
+ 0, 0,
-+ newpr->reqid_in, iph2[n]->seq) < 0) {
++ newpr->reqid_in, iph2->seq) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "ipseclib failed send getspi (%s)\n",
+ ipsec_strerror());
-+ delph2(iph2[n]);
++ delph2(iph2);
+ return -1;
+ }
-+ iph2[n]->sce = sched_new(lcconf->wait_ph2complete,
-+ pfkey_timeover_stub, iph2[n]);
++ sched_schedule(&iph2->sce, lcconf->wait_ph2complete,
++ quick_timeover_stub);
+
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "pfkey GETSPI sent: %s\n",
-+ sadbsecas2str(dst, src, iph2[n]->satype, 0,
++ sadbsecas2str(dst, src, iph2->satype, 0,
+ IPSEC_MODE_TRANSPORT));
+ return 0;
+ }
+#endif /* HAVE_SECCTX */
-+
- /* get sainfo */
- {
- vchar_t *idsrc, *iddst;
-diff -up ipsec-tools-0.7.1/src/racoon/Makefile.am.loopback ipsec-tools-0.7.1/src/racoon/Makefile.am
---- ipsec-tools-0.7.1/src/racoon/Makefile.am.loopback 2008-07-23 15:54:16.000000000 +0200
-+++ ipsec-tools-0.7.1/src/racoon/Makefile.am 2008-07-30 21:14:30.000000000 +0200
-@@ -39,7 +39,7 @@ racoon_SOURCES = \
- EXTRA_racoon_SOURCES = isakmp_xauth.c isakmp_cfg.c isakmp_unity.c throttle.c \
- isakmp_frag.c nattraversal.c security.c $(MISSING_ALGOS)
- racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(LEXLIB) \
-- $(SECCTX_OBJS) vmbuf.o sockmisc.o misc.o ../libipsec/libipsec.la
-+ $(SECCTX_OBJS) vmbuf.o sockmisc.o misc.o ../libipsec/libipsec.la @AUDIT_LIBS@
- racoon_DEPENDENCIES = \
- $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(SECCTX_OBJS) \
- vmbuf.o sockmisc.o misc.o
-diff -up ipsec-tools-0.7.1/src/racoon/policy.h.loopback ipsec-tools-0.7.1/src/racoon/policy.h
---- ipsec-tools-0.7.1/src/racoon/policy.h.loopback 2007-06-07 22:34:19.000000000 +0200
-+++ ipsec-tools-0.7.1/src/racoon/policy.h 2008-07-30 21:14:30.000000000 +0200
++
+ if (isakmp_get_sainfo(iph2, sp_out, sp_in) < 0) {
+ delph2(iph2);
+ return -1;
+diff -up ipsec-tools-0.8.0/src/racoon/policy.h.loopback ipsec-tools-0.8.0/src/racoon/policy.h
+--- ipsec-tools-0.8.0/src/racoon/policy.h.loopback 2008-12-05 07:02:20.000000000 +0100
++++ ipsec-tools-0.8.0/src/racoon/policy.h 2011-03-21 16:54:55.000000000 +0100
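Review bot: in the pk_recvacquire loopback block, the getspi failure path after `insph2(iph2);` calls only `delph2(iph2);` — if delph2 frees the handler without unlinking it (the acquires patch's pk_recvexpire hunk pairs `remph2(iph2); delph2(iph2);` when deleting an inserted handler), the freed handler stays in the phase-2 list and the next lookup walks freed memory. The two earlier `delph2(iph2)` calls on allocation failure run before insph2 and are fine. The post-insph2 cleanup should read `remph2(iph2); delph2(iph2); return -1;`. The surrounding pk_recvacquire body extends past both ends of the hunk.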
@@ -38,7 +38,12 @@
@@ -268,7 +306,7 @@ diff -up ipsec-tools-0.7.1/src/racoon/policy.h.loopback ipsec-tools-0.7.1/src/ra
struct security_ctx {
u_int8_t ctx_doi; /* Security Context DOI */
u_int8_t ctx_alg; /* Security Context Algorithm */
-@@ -152,6 +157,9 @@ extern void initsp __P((void));
+@@ -158,6 +163,9 @@ extern void initsp __P((void));
extern struct ipsecrequest *newipsecreq __P((void));
extern const char *spidx2str __P((const struct policyindex *));
@@ -278,33 +316,9 @@ diff -up ipsec-tools-0.7.1/src/racoon/policy.h.loopback ipsec-tools-0.7.1/src/ra
#ifdef HAVE_SECCTX
#include <selinux/selinux.h>
extern int get_security_context __P((vchar_t *, struct policyindex *));
-diff -up ipsec-tools-0.7.1/src/racoon/main.c.loopback ipsec-tools-0.7.1/src/racoon/main.c
---- ipsec-tools-0.7.1/src/racoon/main.c.loopback 2007-06-07 22:34:18.000000000 +0200
-+++ ipsec-tools-0.7.1/src/racoon/main.c 2008-07-30 21:14:30.000000000 +0200
-@@ -169,6 +169,9 @@ main(ac, av)
- #ifdef HAVE_SECCTX
- init_avc();
- #endif
-+#ifdef HAVE_LIBAUDIT
-+ audit_init();
-+#endif
- eay_init();
- initlcconf();
- initrmconf();
-diff -up ipsec-tools-0.7.1/src/racoon/handler.h.loopback ipsec-tools-0.7.1/src/racoon/handler.h
---- ipsec-tools-0.7.1/src/racoon/handler.h.loopback 2008-07-30 21:14:30.000000000 +0200
-+++ ipsec-tools-0.7.1/src/racoon/handler.h 2008-07-30 21:14:30.000000000 +0200
-@@ -286,6 +286,7 @@ struct ph2handle {
- u_int32_t msgid; /* msgid for phase 2 */
-
- u_int32_t sa_count; /* num of SAs sent in SADB_ADD */
-+ u_int8_t loopback;
-
- struct sainfo *sainfo; /* place holder of sainfo */
- struct saprop *proposal; /* SA(s) proposal. */
-diff -up ipsec-tools-0.7.1/src/racoon/security.c.loopback ipsec-tools-0.7.1/src/racoon/security.c
---- ipsec-tools-0.7.1/src/racoon/security.c.loopback 2007-06-07 22:34:19.000000000 +0200
-+++ ipsec-tools-0.7.1/src/racoon/security.c 2008-07-30 21:14:30.000000000 +0200
+diff -up ipsec-tools-0.8.0/src/racoon/security.c.loopback ipsec-tools-0.8.0/src/racoon/security.c
+--- ipsec-tools-0.8.0/src/racoon/security.c.loopback 2007-05-31 21:54:55.000000000 +0200
++++ ipsec-tools-0.8.0/src/racoon/security.c 2011-03-21 16:54:55.000000000 +0100
@@ -55,6 +55,61 @@
#include "proposal.h"
#include "strnames.h"
diff --git a/ipsec-tools-0.7.2-nodevel.patch b/ipsec-tools-0.8.0-nodevel.patch
similarity index 67%
rename from ipsec-tools-0.7.2-nodevel.patch
rename to ipsec-tools-0.8.0-nodevel.patch
index e9a7bd0..1abb6bf 100644
--- a/ipsec-tools-0.7.2-nodevel.patch
+++ b/ipsec-tools-0.8.0-nodevel.patch
@@ -1,6 +1,6 @@
-diff -up ipsec-tools-0.7.2/src/libipsec/Makefile.am.nodevel ipsec-tools-0.7.2/src/libipsec/Makefile.am
---- ipsec-tools-0.7.2/src/libipsec/Makefile.am.nodevel 2009-07-15 10:15:40.000000000 +0200
-+++ ipsec-tools-0.7.2/src/libipsec/Makefile.am 2009-07-15 10:15:40.000000000 +0200
+diff -up ipsec-tools-0.8.0/src/libipsec/Makefile.am.nodevel ipsec-tools-0.8.0/src/libipsec/Makefile.am
+--- ipsec-tools-0.8.0/src/libipsec/Makefile.am.nodevel 2011-03-21 17:26:37.000000000 +0100
++++ ipsec-tools-0.8.0/src/libipsec/Makefile.am 2011-03-21 17:26:37.000000000 +0100
@@ -1,11 +1,10 @@
#bin_PROGRAMS = test-policy test-policy-priority
@@ -24,23 +24,23 @@ diff -up ipsec-tools-0.7.2/src/libipsec/Makefile.am.nodevel ipsec-tools-0.7.2/sr
#test_policy_SOURCES = test-policy.c
#test_policy_LDFLAGS = libipsec.la
-diff -up ipsec-tools-0.7.2/src/racoon/Makefile.am.nodevel ipsec-tools-0.7.2/src/racoon/Makefile.am
---- ipsec-tools-0.7.2/src/racoon/Makefile.am.nodevel 2009-07-15 10:15:40.000000000 +0200
-+++ ipsec-tools-0.7.2/src/racoon/Makefile.am 2009-07-15 10:31:18.000000000 +0200
+diff -up ipsec-tools-0.8.0/src/racoon/Makefile.am.nodevel ipsec-tools-0.8.0/src/racoon/Makefile.am
+--- ipsec-tools-0.8.0/src/racoon/Makefile.am.nodevel 2011-03-21 17:26:37.000000000 +0100
++++ ipsec-tools-0.8.0/src/racoon/Makefile.am 2011-03-21 17:27:57.000000000 +0100
@@ -2,10 +2,10 @@
sbin_PROGRAMS = racoon racoonctl plainrsa-gen
noinst_PROGRAMS = eaytest
-include_racoon_HEADERS = racoonctl.h var.h vmbuf.h misc.h gcmalloc.h admin.h \
+racoonhdr = racoonctl.h var.h vmbuf.h misc.h gcmalloc.h admin.h \
- schedule.h sockmisc.h vmbuf.h isakmp_var.h isakmp.h isakmp_xauth.h \
+ schedule.h sockmisc.h isakmp_var.h isakmp.h isakmp_xauth.h \
isakmp_cfg.h isakmp_unity.h ipsec_doi.h evt.h
-lib_LTLIBRARIES = libracoon.la
+noinst_LTLIBRARIES = libracoon.la
adminsockdir=${localstatedir}/racoon
-@@ -63,7 +63,7 @@ eaytest_LDADD = crypto_openssl_test.o vm
+@@ -64,7 +64,7 @@ eaytest_LDADD = crypto_openssl_test.o vm
eaytest_DEPENDENCIES = crypto_openssl_test.o vmbuf.o str2val.o \
misc_noplog.o $(CRYPTOBJS)
diff --git a/ipsec-tools.spec b/ipsec-tools.spec
index d530488..b048feb 100644
--- a/ipsec-tools.spec
+++ b/ipsec-tools.spec
@@ -1,31 +1,33 @@
Name: ipsec-tools
-Version: 0.7.3
-Release: 8%{?dist}
+Version: 0.8.0
+Release: 1%{?dist}
Summary: Tools for configuring and using IPSEC
License: BSD
Group: System Environment/Base
URL: http://ipsec-tools.sourceforge.net/
-Source: ftp://ftp.netbsd.org/pub/NetBSD/misc/ipsec-tools/0.7/ipsec-tools-%{version}.tar.bz2
+Source: ftp://ftp.netbsd.org/pub/NetBSD/misc/ipsec-tools/0.8/ipsec-tools-%{version}.tar.bz2
Source1: racoon.conf
Source2: psk.txt
Source3: p1_up_down
Source4: racoon.init
Source5: racoon.pam
-Patch3: ipsec-tools-0.7-acquires.patch
-Patch4: ipsec-tools-0.7.1-loopback.patch
-# the following patches were also submitted upstream:
-Patch5: ipsec-tools-0.7-iface.patch
-Patch6: ipsec-tools-0.7-dupsplit.patch
-Patch9: ipsec-tools-0.7-splitcidr.patch
-Patch10: ipsec-tools-0.7.2-natt-linux.patch
+# Ignore acquires that are sent by kernel for SAs that are already being
+# negotiated (#234491)
+Patch3: ipsec-tools-0.8.0-acquires.patch
+# Support for labeled IPSec on loopback
+Patch4: ipsec-tools-0.8.0-loopback.patch
+# Create racoon as PIE
Patch11: ipsec-tools-0.7.1-pie.patch
-Patch13: ipsec-tools-0.7.1-dpd-fixes.patch
+# Fix leak in certification handling
Patch14: ipsec-tools-0.7.2-moreleaks.patch
-Patch15: ipsec-tools-0.7.3-aliasing.patch
-Patch16: ipsec-tools-0.7.2-nodevel.patch
-Patch17: ipsec-tools-0.7.3-gssapi-guard.patch
+# Do not install development files
+Patch16: ipsec-tools-0.8.0-nodevel.patch
+# Use krb5 gssapi mechanism
Patch18: ipsec-tools-0.7.3-gssapi-mech.patch
+# Drop -R from linker
Patch19: ipsec-tools-0.7.3-build.patch
+# Silence strict aliasing warnings
+Patch20: ipsec-tools-0.8.0-aliasing.patch
BuildRequires: openssl-devel, krb5-devel, bison, flex, flex-static
BuildRequires: automake, libtool
@@ -54,18 +56,13 @@ The main tools of this package are:
%setup -q
%patch3 -p1 -b .acquires
%patch4 -p1 -b .loopback
-%patch5 -p1 -b .iface
-%patch6 -p1 -b .dupsplit
-%patch9 -p1 -b .splitcidr
-%patch10 -p1 -b .natt-linux
+
%patch11 -p1 -b .pie
-%patch13 -p1 -b .dpd-fixes
%patch14 -p1 -b .moreleaks
-%patch15 -p1 -b .review
%patch16 -p1 -b .nodevel
-%patch17 -p1 -b .gssapi-guard
%patch18 -p1 -b .gssapi-mech
%patch19 -p1 -b .build
+%patch20 -p1 -b .aliasing
./bootstrap
@@ -141,6 +138,9 @@ fi
%config(noreplace) %{_sysconfdir}/pam.d/racoon
%changelog
+* Mon Mar 21 2011 Tomas Mraz <tmraz at redhat.com> - 0.8.0-1
+- update to a new upstream version
+
* Thu Feb 10 2011 Tomas Mraz <tmraz at redhat.com> - 0.7.3-8
- fix build - drop -R from compiler invocation
diff --git a/sources b/sources
index f01d34f..194274f 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-821bd84e8d4ad5a93bf594b8b3d66e1e ipsec-tools-0.7.3.tar.bz2
+b79aae3055a51f8de5c0f1b8ca6cf619 ipsec-tools-0.8.0.tar.bz2