Module Name: src
Committed By: tteras
Date: Fri Jul 3 06:41:47 UTC 2009
Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: admin.c grabmyaddr.c handler.c
handler.h isakmp.c isakmp_cfg.c isakmp_inf.c isakmp_quick.c
nattraversal.c pfkey.c policy.c remoteconf.c remoteconf.h
sockmisc.c sockmisc.h throttle.c
Log Message:
Get rid of the evil CMPSADDR macro. Trac #295.
To generate a diff of this commit:
cvs rdiff -u -r1.30 -r1.31 src/crypto/dist/ipsec-tools/src/racoon/admin.c
cvs rdiff -u -r1.22 -r1.23 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
cvs rdiff -u -r1.28 -r1.29 src/crypto/dist/ipsec-tools/src/racoon/handler.c
cvs rdiff -u -r1.20 -r1.21 src/crypto/dist/ipsec-tools/src/racoon/handler.h
cvs rdiff -u -r1.57 -r1.58 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.21 -r1.22 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
cvs rdiff -u -r1.40 -r1.41 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
cvs rdiff -u -r1.25 -r1.26 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c
cvs rdiff -u -r1.11 -r1.12 \
src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c
cvs rdiff -u -r1.47 -r1.48 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c
cvs rdiff -u -r1.10 -r1.11 src/crypto/dist/ipsec-tools/src/racoon/policy.c \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h \
src/crypto/dist/ipsec-tools/src/racoon/sockmisc.h
cvs rdiff -u -r1.14 -r1.15 \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
cvs rdiff -u -r1.15 -r1.16 src/crypto/dist/ipsec-tools/src/racoon/sockmisc.c
cvs rdiff -u -r1.5 -r1.6 src/crypto/dist/ipsec-tools/src/racoon/throttle.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/crypto/dist/ipsec-tools/src/racoon/admin.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.30 src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.31
--- src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.30 Mon Apr 20 13:22:00 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/admin.c Fri Jul 3 06:41:46 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: admin.c,v 1.30 2009/04/20 13:22:00 tteras Exp $ */
+/* $NetBSD: admin.c,v 1.31 2009/07/03 06:41:46 tteras Exp $ */
/* Id: admin.c,v 1.25 2006/04/06 14:31:04 manubsd Exp */
@@ -167,6 +167,14 @@
return error;
}
+static int admin_ph1_delete_sa(struct ph1handle *iph1, void *arg)
+{
+ if (iph1->status >= PHASE1ST_ESTABLISHED)
+ isakmp_info_send_d1(iph1);
+ purge_remote(iph1);
+ return 0;
+}
+
/*
* main child's process.
*/
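Review bot: The new admin_ph1_delete_sa callback has no header comment, although the neighbouring function at the bottom of the hunk carries one in the file's block-comment style. Suggest adding above it `/* enumph1() callback for ADMIN_DELETE_SA: send a phase 1 delete if the SA is established, then purge the handler; arg is unused. */`. The `void *arg` parameter is accepted only to satisfy the enumph1 callback signature, which is worth saying so the unused parameter is not mistaken for an omission.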
@@ -257,7 +265,7 @@
break;
}
- iph1 = getph1byaddrwop(src, dst);
+ iph1 = getph1byaddr(src, dst, 0);
if (iph1 == NULL) {
l_ac_errno = ENOENT;
break;
@@ -292,30 +300,25 @@
case ADMIN_DELETE_SA: {
struct ph1handle *iph1;
- struct sockaddr *dst;
- struct sockaddr *src;
+ struct ph1selector sel;
char *loc, *rem;
- src = (struct sockaddr *)
+ memset(&sel, 0, sizeof(sel));
+ sel.local = (struct sockaddr *)
&((struct admin_com_indexes *)
((caddr_t)com + sizeof(*com)))->src;
- dst = (struct sockaddr *)
+ sel.remote = (struct sockaddr *)
&((struct admin_com_indexes *)
((caddr_t)com + sizeof(*com)))->dst;
- loc = racoon_strdup(saddrwop2str(src));
- rem = racoon_strdup(saddrwop2str(dst));
+ loc = racoon_strdup(saddr2str(sel.local));
+ rem = racoon_strdup(saddr2str(sel.remote));
STRDUP_FATAL(loc);
STRDUP_FATAL(rem);
- if ((iph1 = getph1byaddrwop(src, dst)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "phase 1 for %s -> %s not found\n", loc, rem);
- } else {
- if (iph1->status >= PHASE1ST_ESTABLISHED)
- isakmp_info_send_d1(iph1);
- purge_remote(iph1);
- }
+ plog(LLV_INFO, LOCATION, NULL,
+ "admin delete-sa %s %s\n", loc, rem);
+ enumph1(&sel, admin_ph1_delete_sa, NULL);
racoon_free(loc);
racoon_free(rem);
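Review bot: The rewritten ADMIN_DELETE_SA branch no longer reports the case where no phase 1 matches, because `enumph1(&sel, admin_ph1_delete_sa, NULL)` is called without inspecting how many handlers it visited, whereas the previous code logged an LLV_ERROR "not found" message. An administrator issuing delete-sa against a wrong pair now sees only the LLV_INFO line and a success status. A cheap fix is to count matches through the callback's spare argument: `int n = 0; enumph1(&sel, admin_ph1_delete_sa, &n);` followed by `if (n == 0) plog(LLV_ERROR, LOCATION, NULL, "phase 1 for %s -> %s not found\n", loc, rem);`, with admin_ph1_delete_sa incrementing `*(int *)arg` when arg is non-NULL. The enclosing switch and function extend beyond this hunk.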
@@ -360,7 +363,7 @@
plog(LLV_INFO, LOCATION, NULL,
"Flushing all SAs for peer %s\n", rem);
- while ((iph1 = getph1bydstaddrwop(dst)) != NULL) {
+ while ((iph1 = getph1bydstaddr(dst)) != NULL) {
loc = racoon_strdup(saddrwop2str(iph1->local));
STRDUP_FATAL(loc);
@@ -429,7 +432,7 @@
l_ac_errno = -1;
/* connected already? */
- ph1 = getph1byaddrwop(src, dst);
+ ph1 = getph1byaddr(src, dst, 0);
if (ph1 != NULL) {
event_list = &ph1->evt_listeners;
if (ph1->status == PHASE1ST_ESTABLISHED)
Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.22 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.23
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.22 Tue Apr 21 18:38:31 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c Fri Jul 3 06:41:46 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: grabmyaddr.c,v 1.22 2009/04/21 18:38:31 tteras Exp $ */
+/* $NetBSD: grabmyaddr.c,v 1.23 2009/07/03 06:41:46 tteras Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* Copyright (C) 2008 Timo Teras <[email protected]>.
@@ -100,7 +100,7 @@
return TRUE;
LIST_FOREACH(cfg, &configured, chain) {
- if (cmpsaddrstrict(addr, (struct sockaddr *) &cfg->addr) == 0)
+ if (cmpsaddr(addr, (struct sockaddr *) &cfg->addr) == 0)
return TRUE;
}
@@ -116,7 +116,7 @@
/* Already open? */
LIST_FOREACH(my, &opened, chain) {
- if (cmpsaddrstrict(addr, (struct sockaddr *) &my->addr) == 0)
+ if (cmpsaddr(addr, (struct sockaddr *) &my->addr) == 0)
return TRUE;
}
@@ -156,7 +156,7 @@
LIST_FOREACH(cfg, &configured, chain) {
if (addr != NULL &&
- cmpsaddrwop(addr, (struct sockaddr *) &cfg->addr) != 0)
+ cmpsaddr(addr, (struct sockaddr *) &cfg->addr) != 0)
continue;
if (!myaddr_open((struct sockaddr *) &cfg->addr, cfg->udp_encap))
return FALSE;
@@ -187,8 +187,8 @@
for (my = LIST_FIRST(&opened); my; my = next) {
next = LIST_NEXT(my, chain);
- if (!cmpsaddrwop((struct sockaddr *) &addr,
- (struct sockaddr *) &my->addr))
+ if (!cmpsaddr((struct sockaddr *) &addr,
+ (struct sockaddr *) &my->addr))
myaddr_delete(my);
}
}
@@ -261,7 +261,7 @@
struct myaddr *my;
LIST_FOREACH(my, &opened, chain) {
- if (cmpsaddrstrict((struct sockaddr *) &my->addr, addr) == 0)
+ if (cmpsaddr((struct sockaddr *) &my->addr, addr) == 0)
return my->fd;
}
@@ -273,19 +273,13 @@
struct sockaddr *addr;
{
struct myaddr *my;
- int bestmatch_port = -1;
LIST_FOREACH(my, &opened, chain) {
- if (cmpsaddrstrict((struct sockaddr *) &my->addr, addr) == 0)
+ if (cmpsaddr((struct sockaddr *) &my->addr, addr) == 0)
return extract_port((struct sockaddr *) &my->addr);
- if (cmpsaddrwop((struct sockaddr *) &my->addr, addr) != 0)
- continue;
- if (bestmatch_port == -1 ||
- extract_port((struct sockaddr *) &my->addr) == PORT_ISAKMP)
- bestmatch_port = extract_port((struct sockaddr *) &my->addr);
}
- return bestmatch_port;
+ return PORT_ISAKMP;
}
void
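Review bot: The function rewritten at the end of this hunk now returns PORT_ISAKMP when no opened socket matches `addr`, where the old code returned -1 in that case; any caller that tested for -1 to detect "no socket on this address" (none is visible here, so this is inferred) silently loses that signal. If the fallback is intended, the contract should be stated, e.g. `/* Returns the port of the socket opened on addr, or PORT_ISAKMP when no opened socket matches. */` above the definition, whose header lies outside the hunk. Note also that the result now depends on how cmpsaddr treats a zero port in `addr`; if it is a wildcard, the first opened socket wins regardless of port.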
Index: src/crypto/dist/ipsec-tools/src/racoon/handler.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.28 src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.29
--- src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.28 Tue Apr 28 13:54:07 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.c Fri Jul 3 06:41:46 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: handler.c,v 1.28 2009/04/28 13:54:07 tteras Exp $ */
+/* $NetBSD: handler.c,v 1.29 2009/07/03 06:41:46 tteras Exp $ */
/* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */
@@ -120,11 +120,11 @@
LIST_FOREACH(p, &ph1tree, chain) {
if (sel != NULL) {
if (sel->local != NULL &&
- CMPSADDR(sel->local, p->local) != 0)
+ cmpsaddr(sel->local, p->local) != 0)
continue;
if (sel->remote != NULL &&
- CMPSADDR(sel->remote, p->remote) != 0)
+ cmpsaddr(sel->remote, p->remote) != 0)
continue;
}
@@ -201,17 +201,12 @@
"status %d, skipping\n", p->status);
continue;
}
- if (flags & GETPH1_F_WITHOUT_PORTS) {
- if (local != NULL && cmpsaddrwop(local, p->local) != 0)
- continue;
- if (remote != NULL && cmpsaddrwop(remote, p->remote) != 0)
- continue;
- } else {
- if (local != NULL && CMPSADDR(local, p->local) != 0)
- continue;
- if (remote != NULL && CMPSADDR(remote, p->remote) != 0)
- continue;
- }
+
+ if (local != NULL && cmpsaddr(local, p->local) != 0)
+ continue;
+
+ if (remote != NULL && cmpsaddr(remote, p->remote) != 0)
+ continue;
plog(LLV_DEBUG2, LOCATION, NULL, "matched\n");
return p;
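Review bot: After this change the port-matching behaviour of getph1 is determined entirely by cmpsaddr, yet neither the hunk nor the handler.h hunk (which drops GETPH1_F_WITHOUT_PORTS) documents how a caller asks for "any port". The comment added in pfkey.c in this same commit suggests a zero port acts as a wildcard, but that is not stated where lookups are defined. Suggest a comment on getph1, whose header is outside the hunk: `/* local/remote: NULL matches any address; a zero port is expected to be treated as a wildcard by cmpsaddr (see sockmisc.c) */`, adjusting the wording once cmpsaddr's semantics are confirmed. The same applies to the enumph1 hunk just above (L193-204).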
@@ -287,8 +282,8 @@
if (p->status < PHASE1ST_DYING)
continue;
- if (CMPSADDR(iph1->local, p->local) == 0
- && CMPSADDR(iph1->remote, p->remote) == 0)
+ if (cmpsaddr(iph1->local, p->local) == 0
+ && cmpsaddr(iph1->remote, p->remote) == 0)
migrate_ph12(p, iph1);
}
}
@@ -518,11 +513,11 @@
continue;
if (sel->src != NULL &&
- CMPSADDR(sel->src, p->src) != 0)
+ cmpsaddr(sel->src, p->src) != 0)
continue;
if (sel->dst != NULL &&
- CMPSADDR(sel->dst, p->dst) != 0)
+ cmpsaddr(sel->dst, p->dst) != 0)
continue;
}
@@ -586,8 +581,8 @@
LIST_FOREACH(p, &ph2tree, chain) {
if (spid == p->spid &&
- cmpsaddrwild(src, p->src) == 0 &&
- cmpsaddrwild(dst, p->dst) == 0){
+ cmpsaddr(src, p->src) == 0 &&
+ cmpsaddr(dst, p->dst) == 0){
/* Sanity check to detect zombie handlers
* XXX Sould be done "somewhere" more interesting,
* because we have lots of getph2byxxxx(), but this one
@@ -614,8 +609,8 @@
struct ph2handle *p;
LIST_FOREACH(p, &ph2tree, chain) {
- if (cmpsaddrstrict(src, p->src) == 0 &&
- cmpsaddrstrict(dst, p->dst) == 0)
+ if (cmpsaddr(src, p->src) == 0 &&
+ cmpsaddr(dst, p->dst) == 0)
return p;
}
@@ -918,7 +913,7 @@
struct contacted *p;
LIST_FOREACH(p, &ctdtree, chain) {
- if (cmpsaddrstrict(remote, p->remote) == 0)
+ if (cmpsaddr(remote, p->remote) == 0)
return p;
}
@@ -997,7 +992,7 @@
/*
* the packet was processed before, but the remote address mismatches.
*/
- if (cmpsaddrstrict(remote, r->remote) != 0)
+ if (cmpsaddr(remote, r->remote) != 0)
return 2;
/*
Index: src/crypto/dist/ipsec-tools/src/racoon/handler.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.h:1.20 src/crypto/dist/ipsec-tools/src/racoon/handler.h:1.21
--- src/crypto/dist/ipsec-tools/src/racoon/handler.h:1.20 Thu Mar 12 10:57:26 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.h Fri Jul 3 06:41:46 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: handler.h,v 1.20 2009/03/12 10:57:26 tteras Exp $ */
+/* $NetBSD: handler.h,v 1.21 2009/07/03 06:41:46 tteras Exp $ */
/* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
@@ -467,7 +467,6 @@
void *enum_arg));
#define GETPH1_F_ESTABLISHED 0x0001
-#define GETPH1_F_WITHOUT_PORTS 0x0002
extern struct ph1handle *getph1 __P((struct remoteconf *rmconf,
struct sockaddr *local,
@@ -476,10 +475,8 @@
#define getph1byaddr(local, remote, est) \
getph1(NULL, local, remote, est ? GETPH1_F_ESTABLISHED : 0)
-#define getph1byaddrwop(local, remote) \
- getph1(NULL, local, remote, GETPH1_F_WITHOUT_PORTS)
-#define getph1bydstaddrwop(remote) \
- getph1(NULL, NULL, remote, GETPH1_F_WITHOUT_PORTS)
+#define getph1bydstaddr(remote) \
+ getph1(NULL, NULL, remote, 0)
#ifdef ENABLE_HYBRID
struct ph1handle *getph1bylogin __P((char *));
Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.57 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.58
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.57 Fri Jul 3 06:40:10 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c Fri Jul 3 06:41:46 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: isakmp.c,v 1.57 2009/07/03 06:40:10 tteras Exp $ */
+/* $NetBSD: isakmp.c,v 1.58 2009/07/03 06:41:46 tteras Exp $ */
/* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
@@ -468,8 +468,8 @@
/* Floating ports for NAT-T */
if (NATT_AVAILABLE(iph1) &&
! (iph1->natt_flags & NAT_PORTS_CHANGED) &&
- ((cmpsaddrstrict(iph1->remote, remote) != 0) ||
- (cmpsaddrstrict(iph1->local, local) != 0)))
+ ((cmpsaddr(iph1->remote, remote) != 0) ||
+ (cmpsaddr(iph1->local, local) != 0)))
{
/* prevent memory leak */
racoon_free(iph1->remote);
@@ -510,7 +510,7 @@
#endif
/* must be same addresses in one stream of a phase at least. */
- if (cmpsaddrstrict(iph1->remote, remote) != 0) {
+ if (cmpsaddr(iph1->remote, remote) != 0) {
char *saddr_db, *saddr_act;
saddr_db = racoon_strdup(saddr2str(iph1->remote));
@@ -636,7 +636,7 @@
"exchange received.\n");
return -1;
}
- if (cmpsaddrstrict(iph1->remote, remote) != 0) {
+ if (cmpsaddr(iph1->remote, remote) != 0) {
plog(LLV_WARNING, LOCATION, remote,
"remote address mismatched. "
"db=%s\n",
@@ -1268,6 +1268,12 @@
}
#endif
+ /* fixup ph2 ports for this ph1 */
+ if (extract_port(iph2->src) == 0)
+ set_port(iph2->src, extract_port(iph1->local));
+ if (extract_port(iph2->dst) == 0)
+ set_port(iph2->dst, extract_port(iph1->remote));
+
/* found ISAKMP-SA. */
plog(LLV_DEBUG, LOCATION, NULL, "===\n");
plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
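Review bot: The return value of set_port() is ignored on the two new fixup lines `set_port(iph2->src, extract_port(iph1->local));` and `set_port(iph2->dst, extract_port(iph1->remote));`, while the block deleted in the next hunk (L359-367) used exactly that NULL return to reject an unsupported address family with "invalid family". If iph2->src or iph2->dst can still carry an unexpected family here, the port silently stays 0 and the later lookups proceed on a half-fixed handler. Suggest `if (set_port(iph2->src, extract_port(iph1->local)) == NULL || set_port(iph2->dst, extract_port(iph1->remote)) == NULL)` and then the same error/delph2 path the removed code took. The enclosing function starts and ends outside this hunk.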
@@ -1346,15 +1352,6 @@
delph2(iph2);
return -1;
}
-#if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
- if (set_port(iph2->dst, 0) == NULL ||
- set_port(iph2->src, 0) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid family: %d\n", iph2->dst->sa_family);
- delph2(iph2);
- return -1;
- }
-#endif
/* add new entry to isakmp status table */
insph2(iph2);
@@ -2179,23 +2176,12 @@
return 0;
}
- /*
- * Search isakmp status table by address and port
- * If NAT-T is in use, consider null ports as a
- * wildcard and use IKE ports instead.
+ /*
+ * XXX Searching by IP addresses + ports might fail on
+ * some cases, we should use the ISAKMP identity to search
+ * matching ISAKMP.
*/
-#ifdef ENABLE_NATT
- if (!extract_port(iph2->src) && !extract_port(iph2->dst)) {
- if ((iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL) {
- set_port(iph2->src, extract_port(iph1->local));
- set_port(iph2->dst, extract_port(iph1->remote));
- }
- } else {
- iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
- }
-#else
iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
-#endif
/* no ISAKMP-SA found. */
if (iph1 == NULL) {
@@ -2373,26 +2359,8 @@
return;
}
- /*
- * Search isakmp status table by address and port
- * If NAT-T is in use, consider null ports as a
- * wildcard and use IKE ports instead.
- */
-#ifdef ENABLE_NATT
- if (!extract_port(iph2->src) && !extract_port(iph2->dst)) {
- plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: extract_port.\n");
- if( (iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL){
- plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: found a ph1 wop.\n");
- }
- } else {
- plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: searching byaddr.\n");
- iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
- if(iph1 != NULL)
- plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: found byaddr.\n");
- }
-#else
+ /* Search isakmp status table by address and port */
iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
-#endif
/* XXX Even if ph1 as responder is there, should we not start
* phase 2 negotiation ? */
@@ -3314,20 +3282,10 @@
msg = next;
continue;
}
+ pk_fixup_sa_addresses(mhp);
src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-#ifdef SADB_X_NAT_T_NEW_MAPPING
- if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) {
- /* NAT-T is enabled for this SADB entry; copy
- * the ports from NAT-T extensions */
- if(mhp[SADB_X_EXT_NAT_T_SPORT] != NULL)
- set_port(src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT]));
- if(mhp[SADB_X_EXT_NAT_T_DPORT] != NULL)
- set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));
- }
-#endif
-
if (sa->sadb_sa_state != SADB_SASTATE_LARVAL &&
sa->sadb_sa_state != SADB_SASTATE_MATURE &&
sa->sadb_sa_state != SADB_SASTATE_DYING) {
@@ -3339,22 +3297,14 @@
* check in/outbound SAs.
* Select only SAs where src == local and dst == remote (outgoing)
* or src == remote and dst == local (incoming).
- * XXX we sometime have src/dst ports set to 0 and want to match
- * iph1->local/remote with ports set to 500. This is a bug, see trac:2
*/
-#ifdef ENABLE_NATT
- if ((cmpsaddrmagic(iph1->local, src) || cmpsaddrmagic(iph1->remote, dst)) &&
- (cmpsaddrmagic(iph1->local, dst) || cmpsaddrmagic(iph1->remote, src))) {
- msg = next;
- continue;
- }
-#else
- if ((CMPSADDR(iph1->local, src) || CMPSADDR(iph1->remote, dst)) &&
- (CMPSADDR(iph1->local, dst) || CMPSADDR(iph1->remote, src))) {
+ if ((cmpsaddr(iph1->local, src) ||
+ cmpsaddr(iph1->remote, dst)) &&
+ (cmpsaddr(iph1->local, dst) ||
+ cmpsaddr(iph1->remote, src))) {
msg = next;
continue;
}
-#endif
proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);
Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.21 src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.22
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.21 Fri Jan 23 08:23:51 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c Fri Jul 3 06:41:46 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: isakmp_cfg.c,v 1.21 2009/01/23 08:23:51 tteras Exp $ */
+/* $NetBSD: isakmp_cfg.c,v 1.22 2009/07/03 06:41:46 tteras Exp $ */
/* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */
@@ -1151,15 +1151,6 @@
goto end;
}
-#if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
- if (set_port(iph2->dst, 0) == NULL ||
- set_port(iph2->src, 0) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid family: %d\n", iph1->remote->sa_family);
- delph2(iph2);
- goto end;
- }
-#endif
iph2->side = INITIATOR;
iph2->status = PHASE2ST_START;
Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.40 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.41
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.40 Fri Jul 3 06:40:10 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c Fri Jul 3 06:41:46 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: isakmp_inf.c,v 1.40 2009/07/03 06:40:10 tteras Exp $ */
+/* $NetBSD: isakmp_inf.c,v 1.41 2009/07/03 06:41:46 tteras Exp $ */
/* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
@@ -899,15 +899,6 @@
delph2(iph2);
goto end;
}
-#if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
- if (set_port(iph2->dst, 0) == NULL ||
- set_port(iph2->src, 0) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid family: %d\n", iph1->remote->sa_family);
- delph2(iph2);
- goto end;
- }
-#endif
iph2->side = INITIATOR;
iph2->status = PHASE2ST_START;
iph2->msgid = isakmp_newmsgid2(iph1);
@@ -1123,9 +1114,6 @@
u_int64_t created;
size_t i;
caddr_t mhp[SADB_EXT_MAX + 1];
-#ifdef ENABLE_NATT
- int natt_port_forced;
-#endif
plog(LLV_DEBUG2, LOCATION, NULL,
"purge_ipsec_spi:\n");
@@ -1165,6 +1153,7 @@
msg = next;
continue;
}
+ pk_fixup_sa_addresses(mhp);
src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
@@ -1178,28 +1167,7 @@
msg = next;
continue;
}
-#ifdef ENABLE_NATT
- if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) {
- /* NAT-T is enabled for this SADB entry; copy
- * the ports from NAT-T extensions */
- if (extract_port(src) == 0 &&
- mhp[SADB_X_EXT_NAT_T_SPORT] != NULL) {
- set_port(src, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_SPORT]));
- }
- if (extract_port(dst) == 0 &&
- mhp[SADB_X_EXT_NAT_T_DPORT] != NULL) {
- set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));
- }
- natt_port_forced = 0;
- } else {
- /* Force default UDP ports, so
- * CMPSADDR will match SAs with NO encapsulation */
- set_port(src, PORT_ISAKMP);
- set_port(dst, PORT_ISAKMP);
- natt_port_forced = 1;
- }
-#endif
plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(src));
plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(dst));
@@ -1207,19 +1175,11 @@
/* don't delete inbound SAs at the moment */
/* XXX should we remove SAs with opposite direction as well? */
- if (CMPSADDR(dst0, dst)) {
+ if (cmpsaddr(dst0, dst)) {
msg = next;
continue;
}
-#ifdef ENABLE_NATT
- if (natt_port_forced) {
- /* Set back port to 0 if it was forced
- * to default UDP port */
- set_port(src, 0);
- set_port(dst, 0);
- }
-#endif
for (i = 0; i < n; i++) {
plog(LLV_DEBUG, LOCATION, NULL,
"check spi(packet)=%u spi(db)=%u.\n",
@@ -1350,37 +1310,33 @@
msg = (struct sadb_msg *)buf->v;
end = (struct sadb_msg *)(buf->v + buf->l);
- while (msg < end) {
+ for (; msg < end; msg = next) {
if ((msg->sadb_msg_len << 3) < sizeof(*msg))
break;
+
next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3));
- if (msg->sadb_msg_type != SADB_DUMP) {
- msg = next;
+ if (msg->sadb_msg_type != SADB_DUMP)
continue;
- }
if (pfkey_align(msg, mhp) || pfkey_check(mhp)) {
plog(LLV_ERROR, LOCATION, NULL,
"pfkey_check (%s)\n", ipsec_strerror());
- msg = next;
continue;
}
if (mhp[SADB_EXT_SA] == NULL
|| mhp[SADB_EXT_ADDRESS_SRC] == NULL
- || mhp[SADB_EXT_ADDRESS_DST] == NULL) {
- msg = next;
+ || mhp[SADB_EXT_ADDRESS_DST] == NULL)
continue;
- }
+
sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
+ pk_fixup_sa_addresses(mhp);
src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
if (sa->sadb_sa_state != SADB_SASTATE_MATURE
- && sa->sadb_sa_state != SADB_SASTATE_DYING) {
- msg = next;
+ && sa->sadb_sa_state != SADB_SASTATE_DYING)
continue;
- }
/*
* RFC2407 4.6.3.3 INITIAL-CONTACT is the message that
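Review bot: The rewritten `for (; msg < end; msg = next)` loop trusts `msg->sadb_msg_len` for the step but never checks that `next` stays within the dump buffer before `pfkey_align(msg, mhp)` parses the message; a record whose declared length overshoots `end` would be parsed past the end of `buf`. The data comes from the kernel PF_KEY socket, so the risk is low, but the guard is one line: `if (next > end) break;` immediately after `next` is computed. The enclosing function begins before and continues after this hunk.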
@@ -1390,39 +1346,18 @@
* racoon only deletes SA which is matched both the
* source address and the destination accress.
*/
-#ifdef ENABLE_NATT
- /*
- * XXX RFC 3947 says that whe MUST NOT use IP+port to find old SAs
- * from this peer !
- */
- if(iph1->natt_flags & NAT_DETECTED){
- if (CMPSADDR(iph1->local, src) == 0 &&
- CMPSADDR(iph1->remote, dst) == 0)
- ;
- else if (CMPSADDR(iph1->remote, src) == 0 &&
- CMPSADDR(iph1->local, dst) == 0)
- ;
- else {
- msg = next;
- continue;
- }
- } else
-#endif
- /* If there is no NAT-T, we don't have to check addr + port...
- * XXX what about a configuration with a remote peers which is not
- * NATed, but which NATs some other peers ?
- * Here, the INITIAl-CONTACT would also flush all those NATed peers !!
- */
- if (cmpsaddrwop(iph1->local, src) == 0 &&
- cmpsaddrwop(iph1->remote, dst) == 0)
- ;
- else if (cmpsaddrwop(iph1->remote, src) == 0 &&
- cmpsaddrwop(iph1->local, dst) == 0)
- ;
- else {
- msg = next;
+
+ /*
+ * Check that the IP and port match. But this is not optimal,
+ * since NAT-T can make the peer have multiple different
+ * ports. Correct thing to do is delete all entries with
+ * same identity. -TT
+ */
+ if ((cmpsaddr(iph1->local, src) != 0 ||
+ cmpsaddr(iph1->remote, dst) != 0) &&
+ (cmpsaddr(iph1->local, dst) != 0 ||
+ cmpsaddr(iph1->remote, src) != 0))
continue;
- }
/*
* Make sure this is an SATYPE that we manage.
@@ -1434,10 +1369,8 @@
msg->sadb_msg_satype)
break;
}
- if (i == pfkey_nsatypes) {
- msg = next;
+ if (i == pfkey_nsatypes)
continue;
- }
plog(LLV_INFO, LOCATION, NULL,
"purging spi=%u.\n", ntohl(sa->sadb_sa_spi));
@@ -1457,8 +1390,6 @@
remph2(iph2);
delph2(iph2);
}
-
- msg = next;
}
vfree(buf);
Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c:1.25 src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c:1.26
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c:1.25 Thu Mar 12 10:57:26 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c Fri Jul 3 06:41:46 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: isakmp_quick.c,v 1.25 2009/03/12 10:57:26 tteras Exp $ */
+/* $NetBSD: isakmp_quick.c,v 1.26 2009/07/03 06:41:46 tteras Exp $ */
/* Id: isakmp_quick.c,v 1.29 2006/08/22 18:17:17 manubsd Exp */
@@ -610,17 +610,19 @@
error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
goto end;
}
+#ifdef ENABLE_NATT
+ set_port(iph2->natoa_src,
+ extract_port((struct sockaddr *) &proposed_addr));
+#endif
- if (cmpsaddrstrict((struct sockaddr *) &proposed_addr,
- (struct sockaddr *) &got_addr) == 0) {
+ if (cmpsaddr((struct sockaddr *) &proposed_addr,
+ (struct sockaddr *) &got_addr) == 0) {
plog(LLV_DEBUG, LOCATION, NULL,
"IDci matches proposal.\n");
#ifdef ENABLE_NATT
} else if (iph2->natoa_src != NULL
- && cmpsaddrwop(iph2->natoa_src,
- (struct sockaddr *) &got_addr) == 0
- && extract_port((struct sockaddr *) &proposed_addr) ==
- extract_port((struct sockaddr *) &got_addr)) {
+ && cmpsaddr(iph2->natoa_src,
+ (struct sockaddr *) &got_addr) == 0) {
plog(LLV_DEBUG, LOCATION, NULL,
"IDci matches NAT-OAi.\n");
#endif
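Review bot: The new `set_port(iph2->natoa_src, extract_port((struct sockaddr *) &proposed_addr));` under ENABLE_NATT is executed before the `iph2->natoa_src != NULL` test a few lines below, so natoa_src is evidently allowed to be NULL at this point; unless set_port() tolerates a NULL address (sockmisc.c is not in view), a quick-mode exchange without a NAT-OA payload would dereference NULL. Suggest guarding it: `if (iph2->natoa_src != NULL) set_port(iph2->natoa_src, extract_port((struct sockaddr *) &proposed_addr));`. The next hunk (L720-744) has the identical pattern for natoa_dst. The enclosing function extends beyond both hunks.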
@@ -656,16 +658,19 @@
goto end;
}
- if (cmpsaddrstrict((struct sockaddr *) &proposed_addr,
- (struct sockaddr *) &got_addr) == 0) {
+#ifdef ENABLE_NATT
+ set_port(iph2->natoa_dst,
+ extract_port((struct sockaddr *) &proposed_addr));
+#endif
+
+ if (cmpsaddr((struct sockaddr *) &proposed_addr,
+ (struct sockaddr *) &got_addr) == 0) {
plog(LLV_DEBUG, LOCATION, NULL,
"IDcr matches proposal.\n");
#ifdef ENABLE_NATT
} else if (iph2->natoa_dst != NULL
- && cmpsaddrwop(iph2->natoa_dst,
- (struct sockaddr *) &got_addr) == 0
- && extract_port((struct sockaddr *) &proposed_addr) ==
- extract_port((struct sockaddr *) &got_addr)) {
+ && cmpsaddr(iph2->natoa_dst,
+ (struct sockaddr *) &got_addr) == 0) {
plog(LLV_DEBUG, LOCATION, NULL,
"IDcr matches NAT-OAr.\n");
#endif
Index: src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c:1.11 src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c:1.12
--- src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c:1.11 Mon May 18 17:00:42 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c Fri Jul 3 06:41:46 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: nattraversal.c,v 1.11 2009/05/18 17:00:42 tteras Exp $ */
+/* $NetBSD: nattraversal.c,v 1.12 2009/07/03 06:41:46 tteras Exp $ */
/*
* Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
@@ -379,8 +379,8 @@
struct natt_ka_addrs *ka = NULL, *new_addr;
TAILQ_FOREACH (ka, &ka_tree, chain) {
- if (cmpsaddrstrict(ka->src, src) == 0 &&
- cmpsaddrstrict(ka->dst, dst) == 0) {
+ if (cmpsaddr(ka->src, src) == 0 &&
+ cmpsaddr(ka->dst, dst) == 0) {
ka->in_use++;
plog (LLV_INFO, LOCATION, NULL, "KA found: %s (in_use=%u)\n",
saddr2str_fromto("%s->%s", src, dst), ka->in_use);
@@ -443,8 +443,8 @@
plog (LLV_DEBUG, LOCATION, NULL, "KA tree dump: %s (in_use=%u)\n",
saddr2str_fromto("%s->%s", src, dst), ka->in_use);
- if (cmpsaddrstrict(ka->src, src) == 0 &&
- cmpsaddrstrict(ka->dst, dst) == 0 &&
+ if (cmpsaddr(ka->src, src) == 0 &&
+ cmpsaddr(ka->dst, dst) == 0 &&
-- ka->in_use <= 0) {
plog (LLV_DEBUG, LOCATION, NULL, "KA removing this one...\n");
Index: src/crypto/dist/ipsec-tools/src/racoon/pfkey.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.47 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.48
--- src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.47 Fri Jul 3 06:40:10 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/pfkey.c Fri Jul 3 06:41:46 2009
@@ -1,6 +1,6 @@
-/* $NetBSD: pfkey.c,v 1.47 2009/07/03 06:40:10 tteras Exp $ */
+/* $NetBSD: pfkey.c,v 1.48 2009/07/03 06:41:46 tteras Exp $ */
-/* $Id: pfkey.c,v 1.47 2009/07/03 06:40:10 tteras Exp $ */
+/* $Id: pfkey.c,v 1.48 2009/07/03 06:41:46 tteras Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -774,8 +774,12 @@
caddr_t *mhp;
{
struct sockaddr *src, *dst;
+
src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
+ set_port(src, PORT_ISAKMP);
+ set_port(dst, PORT_ISAKMP);
+
#ifdef ENABLE_NATT
if (PFKEY_ADDR_X_NATTYPE(mhp[SADB_X_EXT_NAT_T_TYPE])) {
/* NAT-T is enabled for this SADB entry; copy
@@ -785,9 +789,6 @@
if(mhp[SADB_X_EXT_NAT_T_DPORT] != NULL)
set_port(dst, PFKEY_ADDR_X_PORT(mhp[SADB_X_EXT_NAT_T_DPORT]));
}
-#else
- set_port(src, 0);
- set_port(dst, 0);
#endif
}
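Review bot: Both new calls `set_port(src, PORT_ISAKMP);` and `set_port(dst, PORT_ISAKMP);` discard set_port's return value, which elsewhere in this commit is shown to be NULL for an unsupported address family. Since pk_fixup_sa_addresses is now called from several dump/acquire handlers that subsequently compare these addresses, a failure here leaves the ports unset and every later cmpsaddr silently mismatching. A header comment stating the contract would also help callers: `/* Normalise SA addresses from a PF_KEY message in place: default both ports to PORT_ISAKMP, then overwrite with NAT-T ports when present. */`. The function's signature is above the hunk.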
@@ -949,10 +950,6 @@
dport=extract_port(dst);
}
#endif
- /* Always remove port information, it will be sent in
- * SADB_X_EXT_NAT_T_[S|D]PORT if needed */
- set_port(src, 0);
- set_port(dst, 0);
plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_getspi\n");
if (pfkey_send_getspi_nat(
@@ -1009,6 +1006,7 @@
}
msg = (struct sadb_msg *)mhp[0];
sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
+ pk_fixup_sa_addresses(mhp);
dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); /* note SA dir */
src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
@@ -1183,18 +1181,14 @@
#ifdef ENABLE_NATT
if (pr->udp_encap) {
sa_args.l_natt_type = iph2->ph1->natt_options->encaps_type;
- sa_args.l_natt_sport = extract_port (iph2->ph1->remote);
- sa_args.l_natt_dport = extract_port (iph2->ph1->local);
+ sa_args.l_natt_sport = extract_port(iph2->ph1->remote);
+ sa_args.l_natt_dport = extract_port(iph2->ph1->local);
sa_args.l_natt_oa = iph2->natoa_src;
#ifdef SADB_X_EXT_NAT_T_FRAG
sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
#endif
}
#endif
- /* Always remove port information, it will be sent in
- * SADB_X_EXT_NAT_T_[S|D]PORT if needed */
- set_port(sa_args.src, 0);
- set_port(sa_args.dst, 0);
/* more info to fill in */
sa_args.spi = pr->spi;
@@ -1358,14 +1352,6 @@
/* turn off schedule */
sched_cancel(&iph2->scr);
- /* Force the update of ph2's ports, as there is at least one
- * situation where they'll mismatch with ph1's values
- */
-#ifdef ENABLE_NATT
- set_port(iph2->src, extract_port(iph2->ph1->local));
- set_port(iph2->dst, extract_port(iph2->ph1->remote));
-#endif
-
/*
* since we are going to reuse the phase2 handler, we need to
* remain it and refresh all the references between ph1 and ph2 to use.
@@ -1418,7 +1404,7 @@
racoon_free(sa_args.src);
racoon_free(sa_args.dst);
return -1;
- }
+ }
for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
/* validity check */
@@ -1490,11 +1476,6 @@
#endif
}
#endif
- /* Always remove port information, it will be sent in
- * SADB_X_EXT_NAT_T_[S|D]PORT if needed */
- set_port(sa_args.src, 0);
- set_port(sa_args.dst, 0);
-
/* more info to fill in */
sa_args.spi = pr->spi_p;
sa_args.reqid = pr->reqid_out;
@@ -1559,6 +1540,7 @@
return -1;
}
msg = (struct sadb_msg *)mhp[0];
+ pk_fixup_sa_addresses(mhp);
src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
@@ -1749,7 +1731,9 @@
}
msg = (struct sadb_msg *)mhp[0];
xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
- pk_fixup_sa_addresses(mhp);
+ /* acquire does not have nat-t ports; so do not bother setting
+ * the default port 500; just use the port zero for wildcard
+ * matching the get a valid natted destination */
sp_src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
sp_dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
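Review bot: The replacement comment is hard to parse: "just use the port zero for wildcard matching the get a valid natted destination". Suggest `/* ACQUIRE carries no NAT-T ports, so do not force the default port PORT_ISAKMP; leave the port zero so address matching treats it as a wildcard and finds the NAT-ed peer. */`. Since this is the only place in the commit that states the zero-port-is-wildcard assumption, it would be worth cross-referencing cmpsaddr in sockmisc.c, where that behaviour is presumably implemented.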
@@ -2884,8 +2868,8 @@
u_int16_t port;
/* Already up-to-date? */
- if (cmpsaddrwop(iph1->local, ma->local) == 0 &&
- cmpsaddrwop(iph1->remote, ma->remote) == 0)
+ if (cmpsaddr(iph1->local, ma->local) == 0 &&
+ cmpsaddr(iph1->remote, ma->remote) == 0)
return 0;
if (iph1->status < PHASE1ST_ESTABLISHED) {
@@ -2985,8 +2969,8 @@
migrate_ph1_ike_addresses(iph2->ph1, arg);
/* Already up-to-date? */
- if (CMPSADDR(iph2->src, ma->local) == 0 &&
- CMPSADDR(iph2->dst, ma->remote) == 0)
+ if (cmpsaddr(iph2->src, ma->local) == 0 &&
+ cmpsaddr(iph2->dst, ma->remote) == 0)
return 0;
/* save src/dst as sa_src/sa_dst before rewriting */
@@ -3206,8 +3190,8 @@
"changing address families (%d to %d) for endpoints.\n",
osaddr->sa_family, nsaddr->sa_family);
- if (CMPSADDR(osaddr, (struct sockaddr *)&saidx->src) ||
- CMPSADDR(odaddr, (struct sockaddr *)&saidx->dst)) {
+ if (cmpsaddr(osaddr, (struct sockaddr *) &saidx->src) ||
+ cmpsaddr(odaddr, (struct sockaddr *) &saidx->dst)) {
plog(LLV_DEBUG, LOCATION, NULL, "SADB_X_MIGRATE: "
"mismatch of addresses in saidx and xisr.\n");
return -1;
Index: src/crypto/dist/ipsec-tools/src/racoon/policy.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/policy.c:1.10 src/crypto/dist/ipsec-tools/src/racoon/policy.c:1.11
--- src/crypto/dist/ipsec-tools/src/racoon/policy.c:1.10 Fri Dec 5 06:02:20 2008
+++ src/crypto/dist/ipsec-tools/src/racoon/policy.c Fri Jul 3 06:41:46 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: policy.c,v 1.10 2008/12/05 06:02:20 tteras Exp $ */
+/* $NetBSD: policy.c,v 1.11 2009/07/03 06:41:46 tteras Exp $ */
/* $KAME: policy.c,v 1.46 2001/11/16 04:08:10 sakane Exp $ */
@@ -141,16 +141,18 @@
saddr2str(iph2->src));
plog(LLV_DEBUG, LOCATION, NULL, "src2: %s\n",
saddr2str((struct sockaddr *)&spidx->src));
- if (cmpsaddrwop(iph2->src, (struct sockaddr *)&spidx->src)
- || spidx->prefs != prefixlen)
+
+ if (cmpsaddr(iph2->src, (struct sockaddr *) &spidx->src) ||
+ spidx->prefs != prefixlen)
return NULL;
plog(LLV_DEBUG, LOCATION, NULL, "dst1: %s\n",
saddr2str(iph2->dst));
plog(LLV_DEBUG, LOCATION, NULL, "dst2: %s\n",
saddr2str((struct sockaddr *)&spidx->dst));
- if (cmpsaddrwop(iph2->dst, (struct sockaddr *)&spidx->dst)
- || spidx->prefd != prefixlen)
+
+ if (cmpsaddr(iph2->dst, (struct sockaddr *) &spidx->dst) ||
+ spidx->prefd != prefixlen)
return NULL;
plog(LLV_DEBUG, LOCATION, NULL, "looks to be transport mode\n");
@@ -198,11 +200,11 @@
|| a->ul_proto != b->ul_proto)
return 1;
- if (cmpsaddrstrict((struct sockaddr *)&a->src,
- (struct sockaddr *)&b->src))
+ if (cmpsaddr((struct sockaddr *) &a->src,
+ (struct sockaddr *) &b->src))
return 1;
- if (cmpsaddrstrict((struct sockaddr *)&a->dst,
- (struct sockaddr *)&b->dst))
+ if (cmpsaddr((struct sockaddr *) &a->dst,
+ (struct sockaddr *) &b->dst))
return 1;
#ifdef HAVE_SECCTX
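Review bot: The removed cmpsaddrstrict() required equal ports, but cmpsaddr() returns CMPSADDR_MATCH when either port is IPSEC_PORT_ANY, so two selectors that differ only in a wildcard versus a specific port now compare as equal here and the `return 1` is skipped. The enclosing function starts before this hunk, so its contract is not visible; if it is meant to be strict, the wildcard has to be excluded, e.g. `if (cmpsaddr((struct sockaddr *) &a->src, (struct sockaddr *) &b->src) || extract_port((struct sockaddr *) &a->src) != extract_port((struct sockaddr *) &b->src)) return 1;` for src and the same for dst. If the relaxation is intended, a comment such as `/* a wildcard port on either side matches (cmpsaddr semantics) */` would record it.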
@@ -259,7 +261,7 @@
a, b->prefs, saddr2str((struct sockaddr *)&sa1));
plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
b, b->prefs, saddr2str((struct sockaddr *)&sa2));
- if (cmpsaddrwild((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
+ if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
return 1;
#ifndef __linux__
@@ -277,7 +279,7 @@
a, b->prefd, saddr2str((struct sockaddr *)&sa1));
plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
b, b->prefd, saddr2str((struct sockaddr *)&sa2));
- if (cmpsaddrwild((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
+ if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
return 1;
#ifdef HAVE_SECCTX
Index: src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h:1.10 src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h:1.11
--- src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h:1.10 Fri Mar 13 04:49:16 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h Fri Jul 3 06:41:47 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: remoteconf.h,v 1.10 2009/03/13 04:49:16 tteras Exp $ */
+/* $NetBSD: remoteconf.h,v 1.11 2009/07/03 06:41:47 tteras Exp $ */
/* Id: remoteconf.h,v 1.26 2006/05/06 15:52:44 manubsd Exp */
@@ -189,8 +189,7 @@
void *enum_arg));
#define GETRMCONF_F_NO_ANONYMOUS 0x0001
-#define GETRMCONF_F_NO_PORTS 0x0002
-#define GETRMCONF_F_NO_PASSIVE 0x0004
+#define GETRMCONF_F_NO_PASSIVE 0x0002
#define RMCONF_ERR_MULTIPLE ((struct remoteconf *) -1)
Index: src/crypto/dist/ipsec-tools/src/racoon/sockmisc.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/sockmisc.h:1.10 src/crypto/dist/ipsec-tools/src/racoon/sockmisc.h:1.11
--- src/crypto/dist/ipsec-tools/src/racoon/sockmisc.h:1.10 Mon May 18 17:40:38 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/sockmisc.h Fri Jul 3 06:41:47 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: sockmisc.h,v 1.10 2009/05/18 17:40:38 tteras Exp $ */
+/* $NetBSD: sockmisc.h,v 1.11 2009/07/03 06:41:47 tteras Exp $ */
/* Id: sockmisc.h,v 1.9 2005/10/05 16:55:41 manubsd Exp */
@@ -56,16 +56,11 @@
extern const int niflags;
-extern int cmpsaddrwop __P((const struct sockaddr *, const struct sockaddr *));
-extern int cmpsaddrwild __P((const struct sockaddr *, const struct sockaddr *));
-extern int cmpsaddrstrict __P((const struct sockaddr *, const struct sockaddr *));
-extern int cmpsaddrmagic __P((const struct sockaddr *, const struct sockaddr *));
-
-#ifdef ENABLE_NATT
-#define CMPSADDR(saddr1, saddr2) cmpsaddrstrict((saddr1), (saddr2))
-#else
-#define CMPSADDR(saddr1, saddr2) cmpsaddrwop((saddr1), (saddr2))
-#endif
+#define CMPSADDR_MATCH 0
+#define CMPSADDR_WOP_MATCH 1
+#define CMPSADDR_MISMATCH 2
+
+extern int cmpsaddr __P((const struct sockaddr *, const struct sockaddr *));
extern struct sockaddr *getlocaladdr __P((struct sockaddr *));
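Review bot: The header introduces three result values for cmpsaddr() but does not say which means what, and every caller in this commit tests the result with `== 0`, `!= 0` or as a boolean, which silently treats CMPSADDR_WOP_MATCH as a mismatch. A comment above the prototype should spell out the contract, e.g. `/* CMPSADDR_MATCH: same family, length, address and port (either port may be IPSEC_PORT_ANY); CMPSADDR_WOP_MATCH: same except the port; CMPSADDR_MISMATCH: different. Test "same host" against CMPSADDR_MISMATCH, not 0. */`. Making the three values an `enum` instead of three `#define`s would also show them by name in a debugger and let the compiler warn on an incomplete switch over the result.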
Index: src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.14 src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.15
--- src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.14 Thu Mar 12 23:05:27 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c Fri Jul 3 06:41:47 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: remoteconf.c,v 1.14 2009/03/12 23:05:27 he Exp $ */
+/* $NetBSD: remoteconf.c,v 1.15 2009/07/03 06:41:47 tteras Exp $ */
/* Id: remoteconf.c,v 1.38 2006/05/06 15:52:44 manubsd Exp */
@@ -200,15 +200,9 @@
/* Check address */
if (rmsel->remote != NULL) {
if (rmconf->remote->sa_family != AF_UNSPEC) {
- if (rmsel->flags & GETRMCONF_F_NO_PORTS) {
- if (cmpsaddrwop(rmsel->remote,
- rmconf->remote) != 0)
- return 0;
- } else {
- if (cmpsaddrstrict(rmsel->remote,
- rmconf->remote) != 0)
- return 0;
- }
+ if (cmpsaddr(rmsel->remote, rmconf->remote) != 0)
+ return 0;
+
/* Address matched */
ret = 2;
}
@@ -262,7 +256,7 @@
struct ph1handle *iph1;
{
memset(rmsel, 0, sizeof(*rmsel));
- rmsel->flags = GETRMCONF_F_NO_PORTS;
+ rmsel->flags = 0;
rmsel->remote = iph1->remote;
rmsel->etype = iph1->etype;
rmsel->approval = iph1->approval;
@@ -357,22 +351,8 @@
int n = 0;
memset(&ctx, 0, sizeof(ctx));
- ctx.sel.flags = flags | GETRMCONF_F_NO_PORTS;
+ ctx.sel.flags = flags;
ctx.sel.remote = remote;
-#ifndef ENABLE_NATT
- /*
- * We never have ports set in our remote configurations, but when
- * NAT-T is enabled, the kernel can have policies with ports and
- * send us an acquire message for a destination that has a port set.
- * If we do this port check here, we don't find the remote config.
- *
- * In an ideal world, we would be able to have remote conf with
- * port, and the port could be a wildcard. That test could be used.
- */
- if (remote->sa_family != AF_UNSPEC &&
- extract_port(remote) != IPSEC_PORT_ANY)
- ctx.sel.flags &= ~GETRMCONF_F_NO_PORTS;
-#endif /* ENABLE_NATT */
if (enumrmconf(&ctx.sel, rmconf_find, &ctx) != 0) {
plog(LLV_ERROR, LOCATION, remote,
Index: src/crypto/dist/ipsec-tools/src/racoon/sockmisc.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/sockmisc.c:1.15 src/crypto/dist/ipsec-tools/src/racoon/sockmisc.c:1.16
--- src/crypto/dist/ipsec-tools/src/racoon/sockmisc.c:1.15 Mon May 18 17:40:38 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/sockmisc.c Fri Jul 3 06:41:47 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: sockmisc.c,v 1.15 2009/05/18 17:40:38 tteras Exp $ */
+/* $NetBSD: sockmisc.c,v 1.16 2009/07/03 06:41:47 tteras Exp $ */
/* Id: sockmisc.c,v 1.24 2006/05/07 21:32:59 manubsd Exp */
@@ -80,87 +80,28 @@
const int niflags = 0;
/*
- * compare two sockaddr without port number.
- * OUT: 0: equal.
- * 1: not equal.
- */
-int
-cmpsaddrwop(addr1, addr2)
- const struct sockaddr *addr1;
- const struct sockaddr *addr2;
-{
- caddr_t sa1, sa2;
-
- if (addr1 == 0 && addr2 == 0)
- return 0;
- if (addr1 == 0 || addr2 == 0)
- return 1;
-
-#ifdef __linux__
- if (addr1->sa_family != addr2->sa_family)
- return 1;
-#else
- if (addr1->sa_len != addr2->sa_len
- || addr1->sa_family != addr2->sa_family)
- return 1;
-
-#endif /* __linux__ */
-
- switch (addr1->sa_family) {
- case AF_UNSPEC:
- break;
- case AF_INET:
- sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr;
- sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
- if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
- return 1;
- break;
-#ifdef INET6
- case AF_INET6:
- sa1 = (caddr_t)&((struct sockaddr_in6 *)addr1)->sin6_addr;
- sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
- if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
- return 1;
- if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
- ((struct sockaddr_in6 *)addr2)->sin6_scope_id)
- return 1;
- break;
-#endif
- default:
- return 1;
- }
-
- return 0;
-}
-
-/*
* compare two sockaddr with port, taking care wildcard.
* addr1 is a subject address, addr2 is in a database entry.
* OUT: 0: equal.
* 1: not equal.
*/
int
-cmpsaddrwild(addr1, addr2)
+cmpsaddr(addr1, addr2)
const struct sockaddr *addr1;
const struct sockaddr *addr2;
{
caddr_t sa1, sa2;
u_short port1, port2;
- if (addr1 == 0 && addr2 == 0)
- return 0;
- if (addr1 == 0 || addr2 == 0)
- return 1;
+ if (addr1 == NULL && addr2 == NULL)
+ return CMPSADDR_MATCH;
-#ifdef __linux__
- if (addr1->sa_family != addr2->sa_family)
- return 1;
-#else
- if (addr1->sa_len != addr2->sa_len
- || addr1->sa_family != addr2->sa_family)
- return 1;
+ if (addr1 == NULL || addr2 == NULL)
+ return CMPSADDR_MISMATCH;
-#endif /* __linux__ */
+ if (addr1->sa_family != addr2->sa_family ||
+ sysdep_sa_len(addr1) != sysdep_sa_len(addr2))
+ return CMPSADDR_MISMATCH;
switch (addr1->sa_family) {
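Review bot: The comment block kept above the renamed function still ends with `OUT: 0: equal.` / `1: not equal.`, which is now wrong: cmpsaddr() returns one of three values and 1 (CMPSADDR_WOP_MATCH) means the addresses are equal and only the ports differ. It should read `* OUT: CMPSADDR_MATCH: equal (ports equal or either IPSEC_PORT_ANY).` / `* CMPSADDR_WOP_MATCH: equal except for the port.` / `* CMPSADDR_MISMATCH: not equal.`. The rationale deleted from remoteconf.c in this commit (port-less remote configurations versus kernel acquires that carry a port) no longer lives anywhere and would fit in this comment, since the wildcard-port rule here is what replaces it. The function body continues in the next two hunks.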
case AF_UNSPEC:
@@ -170,12 +111,8 @@
sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
port1 = ((struct sockaddr_in *)addr1)->sin_port;
port2 = ((struct sockaddr_in *)addr2)->sin_port;
- if (!(port1 == IPSEC_PORT_ANY ||
- port2 == IPSEC_PORT_ANY ||
- port1 == port2))
- return 1;
if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
- return 1;
+ return CMPSADDR_MISMATCH;
break;
#ifdef INET6
case AF_INET6:
@@ -183,155 +120,23 @@
sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
port1 = ((struct sockaddr_in6 *)addr1)->sin6_port;
port2 = ((struct sockaddr_in6 *)addr2)->sin6_port;
- if (!(port1 == IPSEC_PORT_ANY ||
- port2 == IPSEC_PORT_ANY ||
- port1 == port2))
- return 1;
if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
- return 1;
+ return CMPSADDR_MISMATCH;
if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
((struct sockaddr_in6 *)addr2)->sin6_scope_id)
- return 1;
+ return CMPSADDR_MISMATCH;
break;
#endif
default:
- return 1;
+ return CMPSADDR_MISMATCH;
}
- return 0;
-}
+ if (port1 == port2 ||
+ port1 == IPSEC_PORT_ANY ||
+ port2 == IPSEC_PORT_ANY)
+ return CMPSADDR_MATCH;
-/*
- * compare two sockaddr with port, taking care specific situation:
- * one addr has 0 as port, and the other has 500 (network order), return equal
- * OUT: 0: equal.
- * 1: not equal.
- */
-int
-cmpsaddrmagic(addr1, addr2)
- const struct sockaddr *addr1;
- const struct sockaddr *addr2;
-{
- caddr_t sa1, sa2;
- u_short port1, port2;
-
- if (addr1 == 0 && addr2 == 0)
- return 0;
- if (addr1 == 0 || addr2 == 0)
- return 1;
-
-#ifdef __linux__
- if (addr1->sa_family != addr2->sa_family)
- return 1;
-#else
- if (addr1->sa_len != addr2->sa_len
- || addr1->sa_family != addr2->sa_family)
- return 1;
-
-#endif /* __linux__ */
-
- switch (addr1->sa_family) {
- case AF_UNSPEC:
- break;
- case AF_INET:
- sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr;
- sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
- port1 = ((struct sockaddr_in *)addr1)->sin_port;
- port2 = ((struct sockaddr_in *)addr2)->sin_port;
- plog(LLV_DEBUG, LOCATION, NULL, "cmpsaddr_magic: port1 == %d, port2 == %d\n", port1, port2);
- if (!((port1 == IPSEC_PORT_ANY && port2 == ntohs(PORT_ISAKMP)) ||
- (port2 == IPSEC_PORT_ANY && port1 == ntohs(PORT_ISAKMP)) ||
- (port1 == port2))){
- plog(LLV_DEBUG, LOCATION, NULL, "cmpsaddr_magic: ports mismatch\n");
- return 1;
- }
- plog(LLV_DEBUG, LOCATION, NULL, "cmpsaddr_magic: ports matched\n");
- if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
- return 1;
- break;
-#ifdef INET6
- case AF_INET6:
- sa1 = (caddr_t)&((struct sockaddr_in6 *)addr1)->sin6_addr;
- sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
- port1 = ((struct sockaddr_in6 *)addr1)->sin6_port;
- port2 = ((struct sockaddr_in6 *)addr2)->sin6_port;
- if (!((port1 == IPSEC_PORT_ANY && port2 == PORT_ISAKMP) ||
- (port2 == IPSEC_PORT_ANY && port1 == PORT_ISAKMP) ||
- (port1 == port2)))
- return 1;
- if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
- return 1;
- if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
- ((struct sockaddr_in6 *)addr2)->sin6_scope_id)
- return 1;
- break;
-#endif
- default:
- return 1;
- }
-
- return 0;
-}
-
-/*
- * compare two sockaddr with strict match on port.
- * OUT: 0: equal.
- * 1: not equal.
- */
-int
-cmpsaddrstrict(addr1, addr2)
- const struct sockaddr *addr1;
- const struct sockaddr *addr2;
-{
- caddr_t sa1, sa2;
- u_short port1, port2;
-
- if (addr1 == 0 && addr2 == 0)
- return 0;
- if (addr1 == 0 || addr2 == 0)
- return 1;
-
-#ifdef __linux__
- if (addr1->sa_family != addr2->sa_family)
- return 1;
-#else
- if (addr1->sa_len != addr2->sa_len
- || addr1->sa_family != addr2->sa_family)
- return 1;
-
-#endif /* __linux__ */
-
- switch (addr1->sa_family) {
- case AF_INET:
- sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr;
- sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
- port1 = ((struct sockaddr_in *)addr1)->sin_port;
- port2 = ((struct sockaddr_in *)addr2)->sin_port;
- if (port1 != port2)
- return 1;
- if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
- return 1;
- break;
-#ifdef INET6
- case AF_INET6:
- sa1 = (caddr_t)&((struct sockaddr_in6 *)addr1)->sin6_addr;
- sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
- port1 = ((struct sockaddr_in6 *)addr1)->sin6_port;
- port2 = ((struct sockaddr_in6 *)addr2)->sin6_port;
- if (port1 != port2)
- return 1;
- if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
- return 1;
- if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
- ((struct sockaddr_in6 *)addr2)->sin6_scope_id)
- return 1;
- break;
-#endif
- default:
- return 1;
- }
-
- return 0;
+ return CMPSADDR_WOP_MATCH;
}
/* get local address against the destination. */
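Review bot: port1 and port2 are read unconditionally in the new `if (port1 == port2 || port1 == IPSEC_PORT_ANY || port2 == IPSEC_PORT_ANY)` test, but they are only assigned in the AF_INET and AF_INET6 cases; for two AF_UNSPEC addresses the switch takes the `case AF_UNSPEC:` path (which, as in the removed functions, presumably just breaks) and the comparison reads uninitialised locals, which is undefined behaviour and in practice makes the result flip between CMPSADDR_MATCH and CMPSADDR_WOP_MATCH. The removed cmpsaddrwild() returned 0 on that path without touching the ports. Initialising the locals where they are declared in the first hunk of this file, `u_short port1 = IPSEC_PORT_ANY, port2 = IPSEC_PORT_ANY;`, restores a deterministic CMPSADDR_MATCH for that case; GCC's `-Wmaybe-uninitialized` should flag the current code. The declaration and the AF_UNSPEC case are in the earlier hunk.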
@@ -1128,7 +933,7 @@
free(a2);
free(a3);
}
- if (cmpsaddrwop(&sa, &naddr->sa.sa) == 0)
+ if (cmpsaddr(&sa, &naddr->sa.sa) == 0)
return naddr->prefix + port_score;
return -1;
Index: src/crypto/dist/ipsec-tools/src/racoon/throttle.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/throttle.c:1.5 src/crypto/dist/ipsec-tools/src/racoon/throttle.c:1.6
--- src/crypto/dist/ipsec-tools/src/racoon/throttle.c:1.5 Fri Jan 23 08:25:07 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/throttle.c Fri Jul 3 06:41:47 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: throttle.c,v 1.5 2009/01/23 08:25:07 tteras Exp $ */
+/* $NetBSD: throttle.c,v 1.6 2009/07/03 06:41:47 tteras Exp $ */
/* Id: throttle.c,v 1.5 2006/04/05 20:54:50 manubsd Exp */
@@ -104,7 +104,7 @@
goto restart;
}
- if (cmpsaddrwop(addr, (struct sockaddr *)&te->host) == 0) {
+ if (cmpsaddr(addr, (struct sockaddr *) &te->host) == 0) {
found = 1;
break;
}