From a3ac54642287caf8b365262fe3463c663225b059 Mon Sep 17 00:00:00 2001 From: Florian Fainelli Date: Sun, 28 Aug 2011 12:08:31 +0000 Subject: [PATCH] [package] ipsec-tools: update to 0.8.0, add init script Signed-off-by: Artem Makhutov SVN-Revision: 28102 --- net/ipsec-tools/Makefile | 11 +- net/ipsec-tools/files/racoon.init | 17 + .../patches/001-ipsec-tools-def-psk.patch | 25 + net/ipsec-tools/patches/002-patch8-utmp.patch | 73 + .../003-linux_2.6.19_rtnetlink_changes.diff | 20 - .../patches/003-microsoft-fqdn-in-main.patch | 14 + net/ipsec-tools/patches/004-opennhrp.patch | 1659 ----------------- net/ipsec-tools/patches/005-isakmp-fix.patch | 11 + 8 files changed, 147 insertions(+), 1683 deletions(-) create mode 100644 net/ipsec-tools/files/racoon.init create mode 100644 net/ipsec-tools/patches/001-ipsec-tools-def-psk.patch create mode 100644 net/ipsec-tools/patches/002-patch8-utmp.patch delete mode 100644 net/ipsec-tools/patches/003-linux_2.6.19_rtnetlink_changes.diff create mode 100644 net/ipsec-tools/patches/003-microsoft-fqdn-in-main.patch delete mode 100644 net/ipsec-tools/patches/004-opennhrp.patch create mode 100644 net/ipsec-tools/patches/005-isakmp-fix.patch diff --git a/net/ipsec-tools/Makefile b/net/ipsec-tools/Makefile index caece38ab7..48b1d59299 100644 --- a/net/ipsec-tools/Makefile +++ b/net/ipsec-tools/Makefile @@ -1,5 +1,5 @@ # -# Copyright (C) 2006-2010 OpenWrt.org +# Copyright (C) 2006-2011 OpenWrt.org # # This is free software, licensed under the GNU General Public License v2. # See /LICENSE for more information. @@ -9,12 +9,12 @@ include $(TOPDIR)/rules.mk include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=ipsec-tools -PKG_VERSION:=0.7.3 -PKG_RELEASE:=3 +PKG_VERSION:=0.8.0 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=@SF/ipsec-tools -PKG_MD5SUM:=821bd84e8d4ad5a93bf594b8b3d66e1e +PKG_MD5SUM:=b79aae3055a51f8de5c0f1b8ca6cf619 PKG_BUILD_PARALLEL:=1 PKG_INSTALL:=1 
@@ -43,6 +43,7 @@ CONFIGURE_ARGS += \ --enable-security-context=no \ --enable-natt \ --enable-adminport \ + --enable-frag \ $(call autoconf_bool,CONFIG_IPV6,ipv6) # override CFLAGS holding "-Werror" that break builds on compile warnings @@ -72,6 +73,8 @@ define Package/ipsec-tools/install $(SED) 's|@sysconfdir_x@|/etc|g' $(1)/etc/racoon.conf $(INSTALL_DIR) $(1)/etc/racoon $(INSTALL_CONF) $(PKG_BUILD_DIR)/src/racoon/samples/psk.txt $(1)/etc/racoon/ + $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_BIN) ./files/racoon.init $(1)/etc/init.d/racoon $(INSTALL_DIR) $(1)/usr/lib $(CP) $(PKG_INSTALL_DIR)/usr/lib/libipsec.so.* $(1)/usr/lib/ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libracoon.so.* $(1)/usr/lib/ diff --git a/net/ipsec-tools/files/racoon.init b/net/ipsec-tools/files/racoon.init new file mode 100644 index 0000000000..e8d2870006 --- /dev/null +++ b/net/ipsec-tools/files/racoon.init @@ -0,0 +1,17 @@ +#!/bin/sh /etc/rc.common +# Copyright (C) 2009 OpenWrt.org +START=49 +# Copyright (C) 2011 Artem Makhutov + +start() { + setkey -f /etc/ipsec.conf + mkdir /var/racoon/ + + /usr/sbin/racoon -f /etc/racoon/racoon.conf +} + +stop() { + killall racoon + killall racoonctl +} + diff --git a/net/ipsec-tools/patches/001-ipsec-tools-def-psk.patch b/net/ipsec-tools/patches/001-ipsec-tools-def-psk.patch new file mode 100644 index 0000000000..16f450467f --- /dev/null +++ b/net/ipsec-tools/patches/001-ipsec-tools-def-psk.patch 
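Review bot: `mkdir /var/racoon/` in start() has no `-p`, so every start after the first prints an error (and if /var is volatile on this target the directory is recreated each boot anyway, which is presumably why it is made here); `mkdir -p /var/racoon` is the usual form. The result of `setkey -f /etc/ipsec.conf` is not checked, so racoon is launched even when the SPD could not be loaded, and nothing in this commit's install hunk ships /etc/ipsec.conf (only racoon.conf, psk.txt and the init script are installed), so either document where that file comes from or guard the call with `setkey -f /etc/ipsec.conf || return 1`. stop() uses `killall racoon` and `killall racoonctl`, which match every process with those names rather than the instance this script started; stopping via the PID racoon records would be more precise. The `START=49` line also sits between the two copyright comments, which reads as a paste error.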
@@ -0,0 +1,25 @@ +diff -brau ipsec-tools-0.7.3.o/src/racoon/oakley.c ipsec-tools-0.7.3/src/racoon/oakley.c +--- a/src/racoon/oakley.c 2009-08-13 11:18:45.000000000 +0200 ++++ b/src/racoon/oakley.c 2011-06-06 09:36:11.000000000 +0200 +@@ -2498,8 +2498,21 @@ + plog(LLV_ERROR, LOCATION, iph1->remote, + "couldn't find the pskey for %s.\n", + saddrwop2str(iph1->remote)); ++ } ++ } ++ if (iph1->authstr == NULL) { ++ /* ++ * If we could not locate a psk above try and locate ++ * the default psk, ie, "*". ++ */ ++ iph1->authstr = privsep_getpsk("*", 1); ++ if (iph1->authstr == NULL) { ++ plog(LLV_ERROR, LOCATION, iph1->remote, ++ "couldn't find the the default pskey either.\n"); + goto end; + } ++ plog(LLV_NOTIFY, LOCATION, iph1->remote, ++ "Using default PSK.\n"); + } + plog(LLV_DEBUG, LOCATION, NULL, "the psk found.\n"); + /* should be secret PSK */ diff --git a/net/ipsec-tools/patches/002-patch8-utmp.patch b/net/ipsec-tools/patches/002-patch8-utmp.patch new file mode 100644 index 0000000000..5d36cb87b6 --- /dev/null +++ b/net/ipsec-tools/patches/002-patch8-utmp.patch 
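Review bot: The new fallback to `privsep_getpsk("*", 1)` makes a single wildcard entry in psk.txt the credential for every peer that has no address-specific line, so once such an entry exists any otherwise-unknown peer is authenticated against it; that is the intended feature, but the patch should carry a comment stating it and the sample psk.txt installed by the Makefile should not gain a `*` line by default. The LLV_NOTIFY message on the fallback path is useful for noticing unexpected wildcard use, so keep it at that level rather than debug. The error string `"couldn't find the the default pskey either.\n"` has a doubled "the". The inner patch header was generated against ipsec-tools-0.7.3 while the package now builds 0.8.0, so it may only apply at an offset; worth regenerating against the 0.8.0 tree. The enclosing function starts and ends outside the hunk.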
@@ -0,0 +1,73 @@ +diff -urN build_dir/linux-ar71xx_generic/ipsec-tools-0.8.0/src/racoon/isakmp_cfg.c build_dir/linux-ar71xx_generic/ipsec-tools-0.8.0a/src/racoon/isakmp_cfg.c +--- a/src/racoon/isakmp_cfg.c 2010-09-21 16:14:17.000000000 +0300 ++++ b/src/racoon/isakmp_cfg.c 2011-07-13 11:52:16.000000000 +0300 +@@ -38,7 +38,7 @@ + #include + #include + +-#include ++#include + #if defined(__APPLE__) && defined(__MACH__) + #include + #endif +@@ -1661,7 +1661,8 @@ + int inout; + { + int error = 0; +- struct utmpx ut; ++ struct utmp ut; ++ char term[UT_LINESIZE]; + char addr[NI_MAXHOST]; + + if (usr == NULL || usr[0]=='\0') { +@@ -1670,34 +1671,37 @@ + return -1; + } + +- memset(&ut, 0, sizeof ut); +- gettimeofday((struct timeval *)&ut.ut_tv, NULL); +- snprintf(ut.ut_id, sizeof ut.ut_id, TERMSPEC, port); ++ sprintf(term, TERMSPEC, port); + + switch (inout) { + case ISAKMP_CFG_LOGIN: +- ut.ut_type = USER_PROCESS; +- strncpy(ut.ut_user, usr, sizeof ut.ut_user); ++ strncpy(ut.ut_name, usr, UT_NAMESIZE); ++ ut.ut_name[UT_NAMESIZE - 1] = '\0'; ++ ++ strncpy(ut.ut_line, term, UT_LINESIZE); ++ ut.ut_line[UT_LINESIZE - 1] = '\0'; + + GETNAMEINFO_NULL(raddr, addr); +- strncpy(ut.ut_host, addr, sizeof ut.ut_host); ++ strncpy(ut.ut_host, addr, UT_HOSTSIZE); ++ ut.ut_host[UT_HOSTSIZE - 1] = '\0'; ++ ++ ut.ut_time = time(NULL); + + plog(LLV_INFO, LOCATION, NULL, + "Accounting : '%s' logging on '%s' from %s.\n", +- ut.ut_user, ut.ut_id, addr); +- +- pututxline(&ut); ++ ut.ut_name, ut.ut_line, ut.ut_host); + ++ login(&ut); ++ + break; + case ISAKMP_CFG_LOGOUT: +- ut.ut_type = DEAD_PROCESS; + + plog(LLV_INFO, LOCATION, NULL, + "Accounting : '%s' unlogging from '%s'.\n", +- usr, ut.ut_id); +- +- pututxline(&ut); ++ usr, term); + ++ logout(term); ++ + break; + default: + plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n"); 
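Review bot: The rewrite drops `memset(&ut, 0, sizeof ut);` without replacing it, so the fields of `struct utmp ut` that the LOGIN branch never assigns (ut_type, ut_pid, ut_id and whatever else the target libc's struct carries) reach `login(&ut)` uninitialized; restore `memset(&ut, 0, sizeof ut);` right after the `usr` check. The bounded `snprintf(ut.ut_id, sizeof ut.ut_id, TERMSPEC, port)` is replaced by an unbounded `sprintf(term, TERMSPEC, port)` into a `UT_LINESIZE` buffer; whether TERMSPEC can expand past that size for large port values is not visible here, so use `snprintf(term, sizeof term, TERMSPEC, port);` to keep the original bound. The strncpy/NUL-terminate pairs for ut_name, ut_line and ut_host are fine as written. On some libcs `login(3)` itself fills ut_type, ut_pid and ut_line from the calling process's terminal, so the `term` value logged may not be what lands in the utmp record — confirm on the target libc. The enclosing function's header is above the hunk.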
diff --git a/net/ipsec-tools/patches/003-linux_2.6.19_rtnetlink_changes.diff b/net/ipsec-tools/patches/003-linux_2.6.19_rtnetlink_changes.diff deleted file mode 100644 index e94b11f238..0000000000 --- a/net/ipsec-tools/patches/003-linux_2.6.19_rtnetlink_changes.diff +++ /dev/null @@ -1,20 +0,0 @@ ---- a/src/racoon/grabmyaddr.c -+++ b/src/racoon/grabmyaddr.c -@@ -80,10 +80,17 @@ - #ifdef __linux__ - #include - #include -+#include -+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,19) -+# include -+#endif - #ifndef HAVE_GETIFADDRS - #define HAVE_GETIFADDRS - #define NEED_LINUX_GETIFADDRS - #endif -+#ifndef IFA_RTA -+# define IFA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ifaddrmsg)))) -+#endif - #endif - - #ifndef HAVE_GETIFADDRS diff --git a/net/ipsec-tools/patches/003-microsoft-fqdn-in-main.patch b/net/ipsec-tools/patches/003-microsoft-fqdn-in-main.patch new file mode 100644 index 0000000000..900741eaa5 --- /dev/null +++ b/net/ipsec-tools/patches/003-microsoft-fqdn-in-main.patch @@ -0,0 +1,14 @@ +diff -urN build_dir/linux-ar71xx_generic/ipsec-tools-0.8.0/src/racoon/ipsec_doi.c build_dir/linux-ar71xx_generic/ipsec-tools-0.8.0a/src/racoon/ipsec_doi.c +--- a/src/racoon/ipsec_doi.c 2010-12-14 19:57:31.000000000 +0200 ++++ b/src/racoon/ipsec_doi.c 2011-07-13 12:07:44.000000000 +0300 +@@ -3582,8 +3582,8 @@ + iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_PSKEY) { + if (id_b->type != IPSECDOI_ID_IPV4_ADDR + && id_b->type != IPSECDOI_ID_IPV6_ADDR) { +- plog(LLV_ERROR, LOCATION, NULL, +- "Expecting IP address type in main mode, " ++ plog(LLV_WARNING, LOCATION, NULL, ++ "Expecting IP address type in main mode (RFC2409) , " + "but %s.\n", s_ipsecdoi_ident(id_b->type)); + return ISAKMP_NTYPE_INVALID_ID_INFORMATION; + } diff --git a/net/ipsec-tools/patches/004-opennhrp.patch b/net/ipsec-tools/patches/004-opennhrp.patch deleted file mode 100644 index aa76f9fbb1..0000000000 --- a/net/ipsec-tools/patches/004-opennhrp.patch +++ /dev/null 
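Review bot: The only change in the new 003-microsoft-fqdn-in-main.patch (a single 14-line hunk) is the plog level, LLV_ERROR to LLV_WARNING, plus the added "(RFC2409)" text; the `return ISAKMP_NTYPE_INVALID_ID_INFORMATION;` that follows is untouched, so a non-address ID in main mode with PSK authentication is still rejected exactly as before. If the goal is only to stop clients that send an FQDN ID from filling the log at error level, the patch name and commit message should say that rather than suggesting such IDs are now accepted; if acceptance was intended, the patch does not implement it. The new string also has a stray space before the comma in `"Expecting IP address type in main mode (RFC2409) , "`. The enclosing function starts and ends outside the hunk.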
@@ -1,1659 +0,0 @@ -Index: ipsec-tools-0.7.3/src/racoon/admin.c -=================================================================== ---- ipsec-tools-0.7.3.orig/src/racoon/admin.c 2009-04-20 15:32:57.000000000 +0200 -+++ ipsec-tools-0.7.3/src/racoon/admin.c 2010-03-28 17:07:57.000000000 +0200 -@@ -76,6 +76,7 @@ - #include "evt.h" - #include "pfkey.h" - #include "ipsec_doi.h" -+#include "policy.h" - #include "admin.h" - #include "admin_var.h" - #include "isakmp_inf.h" -@@ -147,16 +148,18 @@ - goto end; - } - -- if (com.ac_cmd == ADMIN_RELOAD_CONF) { -- /* reload does not work at all! */ -- signal_handler(SIGHUP); -- goto end; -- } -+ plog(LLV_DEBUG, LOCATION, NULL, -+ "[%d] admin connection established\n", so2); - - error = admin_process(so2, combuf); - -- end: -- (void)close(so2); -+end: -+ if (error != -2) { -+ plog(LLV_DEBUG, LOCATION, NULL, -+ "[%d] admin connection closed\n", so2); -+ (void)close(so2); -+ } -+ - if (combuf) - racoon_free(combuf); - -@@ -177,6 +180,8 @@ - vchar_t *key = NULL; - int idtype = 0; - int error = -1; -+ int send_events = 0; -+ struct evt_listener_list *event_list = NULL; - - com->ac_errno = 0; - -@@ -208,9 +213,7 @@ - } - - case ADMIN_SHOW_EVT: -- /* It's not really an error, don't force racoonctl to quit */ -- if ((buf = evt_dump()) == NULL) -- com->ac_errno = 0; -+ send_events = 1; - break; - - case ADMIN_SHOW_SA: -@@ -393,17 +396,17 @@ - /* FALLTHROUGH */ - case ADMIN_ESTABLISH_SA: - { -+ struct admin_com_indexes *ndx; - struct sockaddr *dst; - struct sockaddr *src; -- src = (struct sockaddr *) -- &((struct admin_com_indexes *) -- ((caddr_t)com + sizeof(*com)))->src; -- dst = (struct sockaddr *) -- &((struct admin_com_indexes *) -- ((caddr_t)com + sizeof(*com)))->dst; -+ -+ ndx = (struct admin_com_indexes *) ((caddr_t)com + sizeof(*com)); -+ src = (struct sockaddr *) &ndx->src; -+ dst = (struct sockaddr *) &ndx->dst; - - switch (com->ac_proto) { - case ADMIN_PROTO_ISAKMP: { -+ struct ph1handle *ph1; - struct remoteconf *rmconf; - 
struct sockaddr *remote = NULL; - struct sockaddr *local = NULL; -@@ -411,6 +414,17 @@ - - com->ac_errno = -1; - -+ /* connected already? */ -+ ph1 = getph1byaddrwop(src, dst); -+ if (ph1 != NULL) { -+ event_list = &ph1->evt_listeners; -+ if (ph1->status == PHASE1ST_ESTABLISHED) -+ com->ac_errno = EEXIST; -+ else -+ com->ac_errno = 0; -+ break; -+ } -+ - /* search appropreate configuration */ - rmconf = getrmconf(dst); - if (rmconf == NULL) { -@@ -461,9 +475,11 @@ - "%s\n", saddrwop2str(remote)); - - /* begin ident mode */ -- if (isakmp_ph1begin_i(rmconf, remote, local) < 0) -+ ph1 = isakmp_ph1begin_i(rmconf, remote, local); -+ if (ph1 == NULL) - goto out1; - -+ event_list = &ph1->evt_listeners; - com->ac_errno = 0; - out1: - if (local != NULL) -@@ -473,8 +489,105 @@ - break; - } - case ADMIN_PROTO_AH: -- case ADMIN_PROTO_ESP: -+ case ADMIN_PROTO_ESP: { -+ struct ph2handle *iph2; -+ struct secpolicy *sp_out = NULL, *sp_in = NULL; -+ struct policyindex spidx; -+ -+ com->ac_errno = -1; -+ -+ /* got outbound policy */ -+ memset(&spidx, 0, sizeof(spidx)); -+ spidx.dir = IPSEC_DIR_OUTBOUND; -+ memcpy(&spidx.src, src, sizeof(spidx.src)); -+ memcpy(&spidx.dst, dst, sizeof(spidx.dst)); -+ spidx.prefs = ndx->prefs; -+ spidx.prefd = ndx->prefd; -+ spidx.ul_proto = ndx->ul_proto; -+ -+ sp_out = getsp_r(&spidx); -+ if (sp_out) { -+ plog(LLV_DEBUG, LOCATION, NULL, -+ "suitable outbound SP found: %s.\n", -+ spidx2str(&sp_out->spidx)); -+ } else { -+ com->ac_errno = ENOENT; -+ plog(LLV_NOTIFY, LOCATION, NULL, -+ "no outbound policy found: %s\n", -+ spidx2str(&spidx)); -+ break; -+ } -+ -+ iph2 = getph2byid(src, dst, sp_out->id); -+ if (iph2 != NULL) { -+ event_list = &iph2->evt_listeners; -+ if (iph2->status == PHASE2ST_ESTABLISHED) -+ com->ac_errno = EEXIST; -+ else -+ com->ac_errno = 0; -+ break; -+ } -+ -+ /* get inbound policy */ -+ memset(&spidx, 0, sizeof(spidx)); -+ spidx.dir = IPSEC_DIR_INBOUND; -+ memcpy(&spidx.src, dst, sizeof(spidx.src)); -+ memcpy(&spidx.dst, src, 
sizeof(spidx.dst)); -+ spidx.prefs = ndx->prefd; -+ spidx.prefd = ndx->prefs; -+ spidx.ul_proto = ndx->ul_proto; -+ -+ sp_in = getsp_r(&spidx); -+ if (sp_in) { -+ plog(LLV_DEBUG, LOCATION, NULL, -+ "suitable inbound SP found: %s.\n", -+ spidx2str(&sp_in->spidx)); -+ } else { -+ com->ac_errno = ENOENT; -+ plog(LLV_NOTIFY, LOCATION, NULL, -+ "no inbound policy found: %s\n", -+ spidx2str(&spidx)); -+ break; -+ } -+ -+ /* allocate a phase 2 */ -+ iph2 = newph2(); -+ if (iph2 == NULL) { -+ plog(LLV_ERROR, LOCATION, NULL, -+ "failed to allocate phase2 entry.\n"); -+ break; -+ } -+ iph2->side = INITIATOR; -+ iph2->satype = admin2pfkey_proto(com->ac_proto); -+ iph2->spid = sp_out->id; -+ iph2->seq = pk_getseq(); -+ iph2->status = PHASE2ST_STATUS2; -+ -+ /* set end addresses of SA */ -+ iph2->dst = dupsaddr(dst); -+ iph2->src = dupsaddr(src); -+ if (iph2->dst == NULL || iph2->src == NULL) { -+ delph2(iph2); -+ break; -+ } -+ -+ if (isakmp_get_sainfo(iph2, sp_out, sp_in) < 0) { -+ delph2(iph2); -+ break; -+ } -+ -+ insph2(iph2); -+ if (isakmp_post_acquire(iph2) < 0) { -+ unbindph12(iph2); -+ remph2(iph2); -+ delph2(iph2); -+ break; -+ } -+ -+ event_list = &iph2->evt_listeners; -+ com->ac_errno = 0; - break; -+ } - default: - /* ignore */ - com->ac_errno = -1; -@@ -491,7 +604,8 @@ - if ((error = admin_reply(so2, com, buf)) != 0) - goto out; - -- error = 0; -+ if (send_events || event_list != NULL) -+ error = evt_subscribe(event_list, so2); - out: - if (buf != NULL) - vfree(buf); -Index: ipsec-tools-0.7.3/src/racoon/evt.c -=================================================================== ---- ipsec-tools-0.7.3.orig/src/racoon/evt.c 2006-09-09 18:22:09.000000000 +0200 -+++ ipsec-tools-0.7.3/src/racoon/evt.c 2010-03-28 17:07:57.000000000 +0200 -@@ -46,113 +46,219 @@ - #include "plog.h" - #include "misc.h" - #include "admin.h" -+#include "handler.h" - #include "gcmalloc.h" - #include "evt.h" - - #ifdef ENABLE_ADMINPORT --struct evtlist evtlist = TAILQ_HEAD_INITIALIZER(evtlist); 
--int evtlist_len = 0; -+static EVT_LISTENER_LIST(evt_listeners); -+static EVT_LISTENER_LIST(evt_fds); - --void --evt_push(src, dst, type, optdata) -- struct sockaddr *src; -- struct sockaddr *dst; -+struct evtdump { -+ struct admin_com adm; -+ struct evt_common evt; -+}; -+ -+static struct evtdump * -+evtdump_create(type, optdata) - int type; - vchar_t *optdata; - { -- struct evtdump *evtdump; -- struct evt *evt; -+ struct evtdump *e; - size_t len; - -- /* If admin socket is disabled, silently discard anything */ -- if (adminsock_path == NULL) -+ len = sizeof(struct admin_com) + sizeof(struct evt_common); -+ if (optdata != NULL) -+ len += optdata->l; -+ -+ if ((e = racoon_malloc(len)) == NULL) { -+ plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate event: %s\n", -+ strerror(errno)); -+ return NULL; -+ } -+ -+ memset(e, 0, sizeof(struct evtdump)); -+ e->adm.ac_len = len; -+ e->adm.ac_cmd = ADMIN_SHOW_EVT; -+ e->adm.ac_errno = 0; -+ e->adm.ac_proto = 0; -+ e->evt.ec_type = type; -+ time(&e->evt.ec_timestamp); -+ if (optdata != NULL) -+ memcpy(e + 1, optdata->v, optdata->l); -+ -+ return e; -+} -+ -+static void -+evt_unsubscribe(l) -+ struct evt_listener *l; -+{ -+ plog(LLV_DEBUG, LOCATION, NULL, -+ "[%d] admin connection released\n", l->fd); -+ -+ LIST_REMOVE(l, ll_chain); -+ LIST_REMOVE(l, fd_chain); -+ close(l->fd); -+ racoon_free(l); -+} -+ -+static void -+evtdump_broadcast(ll, e) -+ const struct evt_listener_list *ll; -+ struct evtdump *e; -+{ -+ struct evt_listener *l, *nl; -+ -+ for (l = LIST_FIRST(ll); l != NULL; l = nl) { -+ nl = LIST_NEXT(l, ll_chain); -+ -+ if (send(l->fd, e, e->adm.ac_len, -+ MSG_NOSIGNAL | MSG_DONTWAIT) < 0) { -+ plog(LLV_DEBUG, LOCATION, NULL, "Cannot send event to fd: %s\n", -+ strerror(errno)); -+ evt_unsubscribe(l); -+ } -+ -+ } -+ -+} -+ -+void -+evt_generic(type, optdata) -+ int type; -+ vchar_t *optdata; -+{ -+ struct evtdump *e; -+ -+ -+ if ((e = evtdump_create(type, optdata)) == NULL) - return; - -- /* If we are above the limit, 
don't record anything */ -- if (evtlist_len > EVTLIST_MAX) { -- plog(LLV_DEBUG, LOCATION, NULL, -- "Cannot record event: event queue overflowed\n"); -+ evtdump_broadcast(&evt_listeners, e); -+ -+ racoon_free(e); -+} -+ -+void -+evt_phase1(ph1, type, optdata) -+ const struct ph1handle *ph1; -+ int type; -+ vchar_t *optdata; -+{ -+ struct evtdump *e; -+ -+ if ((e = evtdump_create(type, optdata)) == NULL) -+ return; -+ -+ if (ph1->local) -+ memcpy(&e->evt.ec_ph1src, ph1->local, sysdep_sa_len(ph1->local)); -+ if (ph1->remote) -+ memcpy(&e->evt.ec_ph1dst, ph1->remote, sysdep_sa_len(ph1->remote)); -+ -+ evtdump_broadcast(&ph1->evt_listeners, e); -+ evtdump_broadcast(&evt_listeners, e); -+ -+ racoon_free(e); -+ } -+ -+void -+evt_phase2(ph2, type, optdata) -+ const struct ph2handle *ph2; -+ int type; -+ vchar_t *optdata; -+{ -+ struct evtdump *e; -+ struct ph1handle *ph1 = ph2->ph1; -+ -+ if ((e = evtdump_create(type, optdata)) == NULL) - return; -+ -+ if (ph1) { -+ if (ph1->local) -+ memcpy(&e->evt.ec_ph1src, ph1->local, sysdep_sa_len(ph1->local)); -+ if (ph1->remote) -+ memcpy(&e->evt.ec_ph1dst, ph1->remote, sysdep_sa_len(ph1->remote)); - } -+ e->evt.ec_ph2msgid = ph2->msgid; - -- /* If we hit the limit, record an overflow event instead */ -- if (evtlist_len == EVTLIST_MAX) { -- plog(LLV_ERROR, LOCATION, NULL, -- "Cannot record event: event queue overflow\n"); -- src = NULL; -- dst = NULL; -- type = EVTT_OVERFLOW; -- optdata = NULL; -- } -- -- len = sizeof(*evtdump); -- if (optdata) -- len += optdata->l; -- -- if ((evtdump = racoon_malloc(len)) == NULL) { -- plog(LLV_ERROR, LOCATION, NULL, "Cannot record event: %s\n", -- strerror(errno)); -- return; -+ evtdump_broadcast(&ph2->evt_listeners, e); -+ if (ph1) -+ evtdump_broadcast(&ph1->evt_listeners, e); -+ evtdump_broadcast(&evt_listeners, e); -+ -+ racoon_free(e); - } - -- if ((evt = racoon_malloc(sizeof(*evt))) == NULL) { -- plog(LLV_ERROR, LOCATION, NULL, "Cannot record event: %s\n", -- strerror(errno)); -- 
racoon_free(evtdump); -- return; -+int -+evt_subscribe(list, fd) -+ struct evt_listener_list *list; -+ int fd; -+{ -+ struct evt_listener *l; -+ -+ if ((l = racoon_malloc(sizeof(*l))) == NULL) { -+ plog(LLV_ERROR, LOCATION, NULL, -+ "Cannot allocate event listener: %s\n", -+ strerror(errno)); -+ return errno; - } - -- if (src) -- memcpy(&evtdump->src, src, sysdep_sa_len(src)); -- if (dst) -- memcpy(&evtdump->dst, dst, sysdep_sa_len(dst)); -- evtdump->len = len; -- evtdump->type = type; -- time(&evtdump->timestamp); -+ if (list == NULL) -+ list = &evt_listeners; - -- if (optdata) -- memcpy(evtdump + 1, optdata->v, optdata->l); -+ LIST_INSERT_HEAD(list, l, ll_chain); -+ LIST_INSERT_HEAD(&evt_fds, l, fd_chain); -+ l->fd = fd; - -- evt->dump = evtdump; -- TAILQ_INSERT_TAIL(&evtlist, evt, next); -+ plog(LLV_DEBUG, LOCATION, NULL, -+ "[%d] admin connection is polling events\n", fd); - -- evtlist_len++; -+ return -2; -+} - -- return; -+void -+evt_list_init(list) -+ struct evt_listener_list *list; -+{ -+ LIST_INIT(list); - } - --struct evtdump * --evt_pop(void) { -- struct evtdump *evtdump; -- struct evt *evt; - -- if ((evt = TAILQ_FIRST(&evtlist)) == NULL) -- return NULL; -+void -+evt_list_cleanup(list) -+ struct evt_listener_list *list; -+{ -+ while (!LIST_EMPTY(list)) -+ evt_unsubscribe(LIST_FIRST(list)); -+} - -- evtdump = evt->dump; -- TAILQ_REMOVE(&evtlist, evt, next); -- racoon_free(evt); -- evtlist_len--; -- -- return evtdump; --} -- --vchar_t * --evt_dump(void) { -- struct evtdump *evtdump; -- vchar_t *buf = NULL; -- -- if ((evtdump = evt_pop()) != NULL) { -- if ((buf = vmalloc(evtdump->len)) == NULL) { -- plog(LLV_ERROR, LOCATION, NULL, -- "evt_dump failed: %s\n", strerror(errno)); -- return NULL; -- } -- memcpy(buf->v, evtdump, evtdump->len); -- racoon_free(evtdump); -+int -+evt_get_fdmask(nfds, fdset) -+ int nfds; -+ fd_set *fdset; -+{ -+ struct evt_listener *l; -+ LIST_FOREACH(l, &evt_fds, fd_chain) { -+ FD_SET(l->fd, fdset); -+ if (l->fd + 1 > nfds) -+ nfds = 
l->fd + 1; - } -+ return nfds; -+} - -- return buf; -+void -+evt_handle_fdmask(fdset) -+ fd_set *fdset; -+{ -+ struct evt_listener *l, *nl; -+ -+ for (l = LIST_FIRST(&evt_fds); l != NULL; l = nl) { -+ nl = LIST_NEXT(l, ll_chain); -+ -+ if (FD_ISSET(l->fd, fdset)) -+ evt_unsubscribe(l); -+ } - } - - #endif /* ENABLE_ADMINPORT */ -Index: ipsec-tools-0.7.3/src/racoon/evt.h -=================================================================== ---- ipsec-tools-0.7.3.orig/src/racoon/evt.h 2006-09-09 18:22:09.000000000 +0200 -+++ ipsec-tools-0.7.3/src/racoon/evt.h 2010-03-28 17:07:57.000000000 +0200 -@@ -34,12 +34,27 @@ - #ifndef _EVT_H - #define _EVT_H - --struct evtdump { -- size_t len; -- struct sockaddr_storage src; -- struct sockaddr_storage dst; -- time_t timestamp; -- int type; -+#ifdef ENABLE_ADMINPORT -+ -+struct evt_listener { -+ LIST_ENTRY(evt_listener) ll_chain; -+ LIST_ENTRY(evt_listener) fd_chain; -+ int fd; -+}; -+LIST_HEAD(evt_listener_list, evt_listener); -+#define EVT_LISTENER_LIST(x) struct evt_listener_list x; -+ -+struct ph1handle; -+struct ph2handle; -+ -+struct evt_common { -+ uint32_t ec_type; -+ time_t ec_timestamp; -+ -+ struct sockaddr_storage ec_ph1src; -+ struct sockaddr_storage ec_ph1dst; -+ u_int32_t ec_ph2msgid; -+ - /* - * Optionnal list of struct isakmp_data - * for type EVTT_ISAKMP_CFG_DONE -@@ -47,42 +62,46 @@ - }; - - /* type */ --#define EVTT_UNSEPC 0 --#define EVTT_PHASE1_UP 1 --#define EVTT_PHASE1_DOWN 2 --#define EVTT_XAUTH_SUCCESS 3 --#define EVTT_ISAKMP_CFG_DONE 4 --#define EVTT_PHASE2_UP 5 --#define EVTT_PHASE2_DOWN 6 --#define EVTT_DPD_TIMEOUT 7 --#define EVTT_PEER_NO_RESPONSE 8 --#define EVTT_PEER_DELETE 9 --#define EVTT_RACOON_QUIT 10 --#define EVTT_XAUTH_FAILED 11 --#define EVTT_OVERFLOW 12 /* Event queue overflowed */ --#define EVTT_PEERPH1AUTH_FAILED 13 --#define EVTT_PEERPH1_NOPROP 14 /* NO_PROPOSAL_CHOSEN & friends */ --#define EVTT_NO_ISAKMP_CFG 15 /* no need to wait for mode_cfg */ -- --struct evt { -- struct evtdump 
*dump; -- TAILQ_ENTRY(evt) next; --}; -- --TAILQ_HEAD(evtlist, evt); -- --#define EVTLIST_MAX 32 -+#define EVTT_RACOON_QUIT 0x0001 -+#define EVTT_PHASE1_UP 0x0100 -+#define EVTT_PHASE1_DOWN 0x0101 -+#define EVTT_PHASE1_NO_RESPONSE 0x0102 -+#define EVTT_PHASE1_NO_PROPOSAL 0x0103 -+#define EVTT_PHASE1_AUTH_FAILED 0x0104 -+#define EVTT_PHASE1_DPD_TIMEOUT 0x0105 -+#define EVTT_PHASE1_PEER_DELETED 0x0106 -+#define EVTT_PHASE1_MODE_CFG 0x0107 -+#define EVTT_PHASE1_XAUTH_SUCCESS 0x0108 -+#define EVTT_PHASE1_XAUTH_FAILED 0x0109 -+ -+#define EVTT_PHASE2_NO_PHASE1 0x0200 -+#define EVTT_PHASE2_UP 0x0201 -+#define EVTT_PHASE2_DOWN 0x0202 -+#define EVTT_PHASE2_NO_RESPONSE 0x0203 -+ -+void evt_generic __P((int type, vchar_t *optdata)); -+void evt_phase1 __P((const struct ph1handle *ph1, int type, vchar_t *optdata)); -+void evt_phase2 __P((const struct ph2handle *ph2, int type, vchar_t *optdata)); -+ -+int evt_subscribe __P((struct evt_listener_list *list, int fd)); -+void evt_list_init __P((struct evt_listener_list *list)); -+void evt_list_cleanup __P((struct evt_listener_list *list)); -+int evt_get_fdmask __P((int nfds, fd_set *fdset)); -+void evt_handle_fdmask __P((fd_set *fdset)); -+ -+#else - --#ifdef ENABLE_ADMINPORT --struct evtdump *evt_pop(void); --vchar_t *evt_dump(void); --void evt_push(struct sockaddr *, struct sockaddr *, int, vchar_t *); --#endif -+#define EVT_LISTENER_LIST(x) -+#define evt_generic(type, optdata) ; -+#define evt_phase1(ph1, type, optdata) ; -+#define evt_phase2(ph2, type, optdata) ; -+ -+#define evt_subscribe(eventlist, fd) ; -+#define evt_list_init(eventlist) ; -+#define evt_list_cleanup(eventlist) ; -+#define evt_get_fdmask(nfds, fdset) nfds -+#define evt_handle_fdmask(fdset) ; - --#ifdef ENABLE_ADMINPORT --#define EVT_PUSH(src, dst, type, optdata) evt_push(src, dst, type, optdata); --#else --#define EVT_PUSH(src, dst, type, optdata) ; --#endif -+#endif /* ENABLE_ADMINPORT */ - - #endif /* _EVT_H */ -Index: ipsec-tools-0.7.3/src/racoon/handler.c 
-=================================================================== ---- ipsec-tools-0.7.3.orig/src/racoon/handler.c 2009-04-20 15:25:27.000000000 +0200 -+++ ipsec-tools-0.7.3/src/racoon/handler.c 2010-03-28 17:07:57.000000000 +0200 -@@ -289,8 +289,7 @@ - - /* SA down shell script hook */ - script_hook(iph1, SCRIPT_PHASE1_DOWN); -- -- EVT_PUSH(iph1->local, iph1->remote, EVTT_PHASE1_DOWN, NULL); -+ evt_list_cleanup(&iph1->evt_listeners); - - #ifdef ENABLE_NATT - if (iph1->natt_flags & NAT_KA_QUEUED) -Index: ipsec-tools-0.7.3/src/racoon/handler.h -=================================================================== ---- ipsec-tools-0.7.3.orig/src/racoon/handler.h 2008-01-11 15:12:01.000000000 +0100 -+++ ipsec-tools-0.7.3/src/racoon/handler.h 2010-03-28 17:07:57.000000000 +0200 -@@ -41,6 +41,7 @@ - - #include "isakmp_var.h" - #include "oakley.h" -+#include "evt.h" - - /* Phase 1 handler */ - /* -@@ -211,7 +212,7 @@ - #ifdef ENABLE_HYBRID - struct isakmp_cfg_state *mode_cfg; /* ISAKMP mode config state */ - #endif -- -+ EVT_LISTENER_LIST(evt_listeners); - }; - - /* Phase 2 handler */ -@@ -320,6 +321,7 @@ - - LIST_ENTRY(ph2handle) chain; - LIST_ENTRY(ph2handle) ph1bind; /* chain to ph1handle */ -+ EVT_LISTENER_LIST(evt_listeners); - }; - - /* -Index: ipsec-tools-0.7.3/src/racoon/isakmp_agg.c -=================================================================== ---- ipsec-tools-0.7.3.orig/src/racoon/isakmp_agg.c 2006-09-30 23:49:37.000000000 +0200 -+++ ipsec-tools-0.7.3/src/racoon/isakmp_agg.c 2010-03-28 17:07:57.000000000 +0200 -@@ -587,8 +587,7 @@ - /* message printed inner oakley_validate_auth() */ - goto end; - } -- EVT_PUSH(iph1->local, iph1->remote, -- EVTT_PEERPH1AUTH_FAILED, NULL); -+ evt_phase1(iph1, EVTT_PHASE1_AUTH_FAILED, NULL); - isakmp_info_send_n1(iph1, ptype, NULL); - goto end; - } -@@ -1486,8 +1485,7 @@ - /* message printed inner oakley_validate_auth() */ - goto end; - } -- EVT_PUSH(iph1->local, iph1->remote, -- EVTT_PEERPH1AUTH_FAILED, NULL); -+ 
evt_phase1(iph1, EVTT_PHASE1_AUTH_FAILED, NULL); - isakmp_info_send_n1(iph1, ptype, NULL); - goto end; - } -Index: ipsec-tools-0.7.3/src/racoon/isakmp_base.c -=================================================================== ---- ipsec-tools-0.7.3.orig/src/racoon/isakmp_base.c 2006-10-02 23:51:33.000000000 +0200 -+++ ipsec-tools-0.7.3/src/racoon/isakmp_base.c 2010-03-28 17:07:57.000000000 +0200 -@@ -716,8 +716,7 @@ - /* message printed inner oakley_validate_auth() */ - goto end; - } -- EVT_PUSH(iph1->local, iph1->remote, -- EVTT_PEERPH1AUTH_FAILED, NULL); -+ evt_phase1(iph1, EVTT_PHASE1_AUTH_FAILED, NULL); - isakmp_info_send_n1(iph1, ptype, NULL); - goto end; - } -@@ -1242,8 +1241,7 @@ - /* message printed inner oakley_validate_auth() */ - goto end; - } -- EVT_PUSH(iph1->local, iph1->remote, -- EVTT_PEERPH1AUTH_FAILED, NULL); -+ evt_phase1(iph1, EVTT_PHASE1_AUTH_FAILED, NULL); - isakmp_info_send_n1(iph1, ptype, NULL); - goto end; - } -Index: ipsec-tools-0.7.3/src/racoon/isakmp.c -=================================================================== ---- ipsec-tools-0.7.3.orig/src/racoon/isakmp.c 2008-09-25 11:34:39.000000000 +0200 -+++ ipsec-tools-0.7.3/src/racoon/isakmp.c 2010-03-28 17:10:11.000000000 +0200 -@@ -88,6 +88,9 @@ - #include "pfkey.h" - #include "crypto_openssl.h" - #include "policy.h" -+#include "algorithm.h" -+#include "proposal.h" -+#include "sainfo.h" - #include "isakmp_ident.h" - #include "isakmp_agg.h" - #include "isakmp_base.h" -@@ -1015,7 +1018,7 @@ - } - - /* new negotiation of phase 1 for initiator */ --int -+struct ph1handle * - isakmp_ph1begin_i(rmconf, remote, local) - struct remoteconf *rmconf; - struct sockaddr *remote, *local; -@@ -1028,7 +1031,7 @@ - /* get new entry to isakmp status table. 
*/ - iph1 = newph1(); - if (iph1 == NULL) -- return -1; -+ return NULL; - - iph1->status = PHASE1ST_START; - iph1->rmconf = rmconf; -@@ -1043,7 +1046,7 @@ - #ifdef ENABLE_HYBRID - if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) { - delph1(iph1); -- return -1; -+ return NULL; - } - #endif - #ifdef ENABLE_FRAG -@@ -1059,7 +1062,7 @@ - /* XXX copy remote address */ - if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) { - delph1(iph1); -- return -1; -+ return NULL; - } - - (void)insph1(iph1); -@@ -1095,7 +1098,7 @@ - remph1(iph1); - delph1(iph1); - -- return -1; -+ return NULL; - } - - #ifdef ENABLE_STATS -@@ -1106,7 +1109,7 @@ - timedelta(&start, &end)); - #endif - -- return 0; -+ return iph1; - } - - /* new negotiation of phase 1 for responder */ -@@ -1887,8 +1890,7 @@ - plog(LLV_ERROR, LOCATION, NULL, - "phase1 negotiation failed due to time up. %s\n", - isakmp_pindex(&iph1->index, iph1->msgid)); -- EVT_PUSH(iph1->local, iph1->remote, -- EVTT_PEER_NO_RESPONSE, NULL); -+ evt_phase1(iph1, EVTT_PHASE1_NO_RESPONSE, NULL); - - return -1; - } -@@ -1897,8 +1899,7 @@ - plog(LLV_ERROR, LOCATION, NULL, - "phase1 negotiation failed due to send error. %s\n", - isakmp_pindex(&iph1->index, iph1->msgid)); -- EVT_PUSH(iph1->local, iph1->remote, -- EVTT_PEER_NO_RESPONSE, NULL); -+ evt_phase1(iph1, EVTT_PHASE1_NO_RESPONSE, NULL); - return -1; - } - -@@ -1947,7 +1948,7 @@ - plog(LLV_ERROR, LOCATION, NULL, - "phase2 negotiation failed due to time up. %s\n", - isakmp_pindex(&iph2->ph1->index, iph2->msgid)); -- EVT_PUSH(iph2->src, iph2->dst, EVTT_PEER_NO_RESPONSE, NULL); -+ evt_phase2(iph2, EVTT_PHASE2_NO_RESPONSE, NULL); - unbindph12(iph2); - return -1; - } -@@ -1956,8 +1957,7 @@ - plog(LLV_ERROR, LOCATION, NULL, - "phase2 negotiation failed due to send error. 
%s\n", - isakmp_pindex(&iph2->ph1->index, iph2->msgid)); -- EVT_PUSH(iph2->src, iph2->dst, EVTT_PEER_NO_RESPONSE, NULL); -- -+ evt_phase2(iph2, EVTT_PHASE2_NO_RESPONSE, NULL); - return -1; - } - -@@ -2048,7 +2048,7 @@ - plog(LLV_INFO, LOCATION, NULL, - "ISAKMP-SA deleted %s-%s spi:%s\n", - src, dst, isakmp_pindex(&iph1->index, 0)); -- EVT_PUSH(iph1->local, iph1->remote, EVTT_PHASE1_DOWN, NULL); -+ evt_phase1(iph1, EVTT_PHASE1_DOWN, NULL); - racoon_free(src); - racoon_free(dst); - -@@ -2195,7 +2195,7 @@ - saddrwop2str(iph2->dst)); - - /* start phase 1 negotiation as a initiator. */ -- if (isakmp_ph1begin_i(rmconf, iph2->dst, iph2->src) < 0) { -+ if (isakmp_ph1begin_i(rmconf, iph2->dst, iph2->src) == NULL) { - SCHED_KILL(sc); - return -1; - } -@@ -2228,6 +2228,71 @@ - return 0; - } - -+int -+isakmp_get_sainfo(iph2, sp_out, sp_in) -+ struct ph2handle *iph2; -+ struct secpolicy *sp_out, *sp_in; -+{ -+ int remoteid=0; -+ -+ plog(LLV_DEBUG, LOCATION, NULL, -+ "new acquire %s\n", spidx2str(&sp_out->spidx)); -+ -+ /* get sainfo */ -+ { -+ vchar_t *idsrc, *iddst; -+ -+ idsrc = ipsecdoi_sockaddr2id((struct sockaddr *)&sp_out->spidx.src, -+ sp_out->spidx.prefs, sp_out->spidx.ul_proto); -+ if (idsrc == NULL) { -+ plog(LLV_ERROR, LOCATION, NULL, -+ "failed to get ID for %s\n", -+ spidx2str(&sp_out->spidx)); -+ return -1; -+ } -+ iddst = ipsecdoi_sockaddr2id((struct sockaddr *)&sp_out->spidx.dst, -+ sp_out->spidx.prefd, sp_out->spidx.ul_proto); -+ if (iddst == NULL) { -+ plog(LLV_ERROR, LOCATION, NULL, -+ "failed to get ID for %s\n", -+ spidx2str(&sp_out->spidx)); -+ vfree(idsrc); -+ return -1; -+ } -+ { -+ struct remoteconf *conf; -+ conf = getrmconf(iph2->dst); -+ if (conf != NULL) -+ remoteid=conf->ph1id; -+ else{ -+ plog(LLV_DEBUG, LOCATION, NULL, "Warning: no valid rmconf !\n"); -+ remoteid=0; -+ } -+ } -+ iph2->sainfo = getsainfo(idsrc, iddst, NULL, remoteid); -+ vfree(idsrc); -+ vfree(iddst); -+ if (iph2->sainfo == NULL) { -+ plog(LLV_ERROR, LOCATION, NULL, -+ "failed to 
get sainfo.\n"); -+ return -1; -+ /* XXX should use the algorithm list from register message */ -+ } -+ -+ plog(LLV_DEBUG, LOCATION, NULL, -+ "selected sainfo: %s\n", sainfo2str(iph2->sainfo)); -+ } -+ -+ if (set_proposal_from_policy(iph2, sp_out, sp_in) < 0) { -+ plog(LLV_ERROR, LOCATION, NULL, -+ "failed to create saprop.\n"); -+ return -1; -+ } -+ -+ return 0; -+} -+ -+ - /* - * receive GETSPI from kernel. - */ -@@ -2931,9 +2996,9 @@ - src, dst, - isakmp_pindex(&iph1->index, 0)); - -- EVT_PUSH(iph1->local, iph1->remote, EVTT_PHASE1_UP, NULL); -+ evt_phase1(iph1, EVTT_PHASE1_UP, NULL); - if(!iph1->rmconf->mode_cfg) -- EVT_PUSH(iph1->local, iph1->remote, EVTT_NO_ISAKMP_CFG, NULL); -+ evt_phase1(iph1, EVTT_PHASE1_MODE_CFG, NULL); - - racoon_free(src); - racoon_free(dst); -Index: ipsec-tools-0.7.3/src/racoon/isakmp_cfg.c -=================================================================== ---- ipsec-tools-0.7.3.orig/src/racoon/isakmp_cfg.c 2008-11-27 16:25:20.000000000 +0100 -+++ ipsec-tools-0.7.3/src/racoon/isakmp_cfg.c 2010-03-28 17:07:57.000000000 +0200 -@@ -473,8 +473,7 @@ - "Cannot allocate memory: %s\n", strerror(errno)); - } else { - memcpy(buf->v, attrpl + 1, buf->l); -- EVT_PUSH(iph1->local, iph1->remote, -- EVTT_ISAKMP_CFG_DONE, buf); -+ evt_phase1(iph1, EVTT_PHASE1_MODE_CFG, buf); - vfree(buf); - } - } -Index: ipsec-tools-0.7.3/src/racoon/isakmp_ident.c -=================================================================== ---- ipsec-tools-0.7.3.orig/src/racoon/isakmp_ident.c 2006-10-02 23:41:59.000000000 +0200 -+++ ipsec-tools-0.7.3/src/racoon/isakmp_ident.c 2010-03-28 17:07:57.000000000 +0200 -@@ -788,8 +788,7 @@ - /* msg printed inner oakley_validate_auth() */ - goto end; - } -- EVT_PUSH(iph1->local, iph1->remote, -- EVTT_PEERPH1AUTH_FAILED, NULL); -+ evt_phase1(iph1, EVTT_PHASE1_AUTH_FAILED, NULL); - isakmp_info_send_n1(iph1, type, NULL); - goto end; - } -@@ -1537,8 +1536,7 @@ - /* msg printed inner oakley_validate_auth() */ - goto end; - } -- 
EVT_PUSH(iph1->local, iph1->remote, -- EVTT_PEERPH1AUTH_FAILED, NULL); -+ evt_phase1(iph1, EVTT_PHASE1_AUTH_FAILED, NULL); - isakmp_info_send_n1(iph1, type, NULL); - goto end; - } -Index: ipsec-tools-0.7.3/src/racoon/isakmp_inf.c -=================================================================== ---- ipsec-tools-0.7.3.orig/src/racoon/isakmp_inf.c 2009-05-18 19:07:46.000000000 +0200 -+++ ipsec-tools-0.7.3/src/racoon/isakmp_inf.c 2010-03-28 17:07:57.000000000 +0200 -@@ -510,8 +510,7 @@ - del_ph1=getph1byindex((isakmp_index *)(delete + 1)); - if(del_ph1 != NULL){ - -- EVT_PUSH(del_ph1->local, del_ph1->remote, -- EVTT_PEERPH1_NOPROP, NULL); -+ evt_phase1(iph1, EVTT_PHASE1_PEER_DELETED, NULL); - if (del_ph1->scr) - SCHED_KILL(del_ph1->scr); - -@@ -532,8 +531,6 @@ - delete->spi_size, delete->proto_id); - return 0; - } -- EVT_PUSH(iph1->local, iph1->remote, -- EVTT_PEER_DELETE, NULL); - purge_ipsec_spi(iph1->remote, delete->proto_id, - (u_int32_t *)(delete + 1), num_spi); - break; -@@ -1630,7 +1627,7 @@ - "DPD: remote (ISAKMP-SA spi=%s) seems to be dead.\n", - isakmp_pindex(&iph1->index, 0)); - -- EVT_PUSH(iph1->local, iph1->remote, EVTT_DPD_TIMEOUT, NULL); -+ evt_phase1(iph1, EVTT_PHASE1_DPD_TIMEOUT, NULL); - purge_remote(iph1); - - /* Do not reschedule here: phase1 is deleted, -Index: ipsec-tools-0.7.3/src/racoon/isakmp_var.h -=================================================================== ---- ipsec-tools-0.7.3.orig/src/racoon/isakmp_var.h 2007-02-20 10:08:49.000000000 +0100 -+++ ipsec-tools-0.7.3/src/racoon/isakmp_var.h 2010-03-28 17:07:57.000000000 +0200 -@@ -35,6 +35,7 @@ - #define _ISAKMP_VAR_H - - #include "vmbuf.h" -+#include "policy.h" - - #define PORT_ISAKMP 500 - #define PORT_ISAKMP_NATT 4500 -@@ -62,8 +63,8 @@ - struct isakmp_pl_nonce; /* XXX */ - - extern int isakmp_handler __P((int)); --extern int isakmp_ph1begin_i __P((struct remoteconf *, struct sockaddr *, -- struct sockaddr *)); -+extern struct ph1handle *isakmp_ph1begin_i __P((struct remoteconf 
*, -+ struct sockaddr *, struct sockaddr *)); - - extern vchar_t *isakmp_parsewoh __P((int, struct isakmp_gen *, int)); - extern vchar_t *isakmp_parse __P((vchar_t *)); -@@ -87,6 +88,7 @@ - extern void isakmp_ph2delete_stub __P((void *)); - extern void isakmp_ph2delete __P((struct ph2handle *)); - -+extern int isakmp_get_sainfo __P((struct ph2handle *, struct secpolicy *, struct secpolicy *)); - extern int isakmp_post_acquire __P((struct ph2handle *)); - extern int isakmp_post_getspi __P((struct ph2handle *)); - extern void isakmp_chkph1there_stub __P((void *)); -Index: ipsec-tools-0.7.3/src/racoon/isakmp_xauth.c -=================================================================== ---- ipsec-tools-0.7.3.orig/src/racoon/isakmp_xauth.c 2009-04-20 15:35:36.000000000 +0200 -+++ ipsec-tools-0.7.3/src/racoon/isakmp_xauth.c 2010-03-28 17:07:57.000000000 +0200 -@@ -1568,13 +1568,11 @@ - plog(LLV_ERROR, LOCATION, NULL, - "Xauth authentication failed\n"); - -- EVT_PUSH(iph1->local, iph1->remote, -- EVTT_XAUTH_FAILED, NULL); -+ evt_phase1(iph1, EVTT_PHASE1_XAUTH_FAILED, NULL); - - iph1->mode_cfg->flags |= ISAKMP_CFG_DELETE_PH1; - } else { -- EVT_PUSH(iph1->local, iph1->remote, -- EVTT_XAUTH_SUCCESS, NULL); -+ evt_phase1(iph1, EVTT_PHASE1_XAUTH_SUCCESS, NULL); - } - - -Index: ipsec-tools-0.7.3/src/racoon/pfkey.c -=================================================================== ---- ipsec-tools-0.7.3.orig/src/racoon/pfkey.c 2008-03-05 23:14:24.000000000 +0100 -+++ ipsec-tools-0.7.3/src/racoon/pfkey.c 2010-03-28 17:07:57.000000000 +0200 -@@ -92,6 +92,7 @@ - #include "algorithm.h" - #include "sainfo.h" - #include "admin.h" -+#include "evt.h" - #include "privsep.h" - #include "strnames.h" - #include "backupsa.h" -@@ -1266,6 +1267,7 @@ - - /* update status */ - iph2->status = PHASE2ST_ESTABLISHED; -+ evt_phase2(iph2, EVTT_PHASE2_UP, NULL); - - #ifdef ENABLE_STATS - gettimeofday(&iph2->end, NULL); -@@ -1636,7 +1638,6 @@ - struct ph2handle *iph2[MAXNESTEDSA]; - struct sockaddr 
*src, *dst; - int n; /* # of phase 2 handler */ -- int remoteid=0; - #ifdef HAVE_SECCTX - struct sadb_x_sec_ctx *m_sec_ctx; - #endif /* HAVE_SECCTX */ -@@ -1825,63 +1826,11 @@ - return -1; - } - -- plog(LLV_DEBUG, LOCATION, NULL, -- "new acquire %s\n", spidx2str(&sp_out->spidx)); -- -- /* get sainfo */ -- { -- vchar_t *idsrc, *iddst; -- -- idsrc = ipsecdoi_sockaddr2id((struct sockaddr *)&sp_out->spidx.src, -- sp_out->spidx.prefs, sp_out->spidx.ul_proto); -- if (idsrc == NULL) { -- plog(LLV_ERROR, LOCATION, NULL, -- "failed to get ID for %s\n", -- spidx2str(&sp_out->spidx)); -- delph2(iph2[n]); -- return -1; -- } -- iddst = ipsecdoi_sockaddr2id((struct sockaddr *)&sp_out->spidx.dst, -- sp_out->spidx.prefd, sp_out->spidx.ul_proto); -- if (iddst == NULL) { -- plog(LLV_ERROR, LOCATION, NULL, -- "failed to get ID for %s\n", -- spidx2str(&sp_out->spidx)); -- vfree(idsrc); -- delph2(iph2[n]); -- return -1; -- } -- { -- struct remoteconf *conf; -- conf = getrmconf(iph2[n]->dst); -- if (conf != NULL) -- remoteid=conf->ph1id; -- else{ -- plog(LLV_DEBUG, LOCATION, NULL, "Warning: no valid rmconf !\n"); -- remoteid=0; -- } -- } -- iph2[n]->sainfo = getsainfo(idsrc, iddst, NULL, remoteid); -- vfree(idsrc); -- vfree(iddst); -- if (iph2[n]->sainfo == NULL) { -- plog(LLV_ERROR, LOCATION, NULL, -- "failed to get sainfo.\n"); -+ if (isakmp_get_sainfo(iph2[n], sp_out, sp_in) < 0) { - delph2(iph2[n]); - return -1; -- /* XXX should use the algorithm list from register message */ - } - -- plog(LLV_DEBUG, LOCATION, NULL, -- "selected sainfo: %s\n", sainfo2str(iph2[n]->sainfo)); -- } -- -- if (set_proposal_from_policy(iph2[n], sp_out, sp_in) < 0) { -- plog(LLV_ERROR, LOCATION, NULL, -- "failed to create saprop.\n"); -- delph2(iph2[n]); -- return -1; -- } - #ifdef HAVE_SECCTX - if (m_sec_ctx) { - set_secctx_in_proposal(iph2[n], spidx); -Index: ipsec-tools-0.7.3/src/racoon/racoonctl.c -=================================================================== ---- 
ipsec-tools-0.7.3.orig/src/racoon/racoonctl.c 2009-04-20 15:32:57.000000000 +0200 -+++ ipsec-tools-0.7.3/src/racoon/racoonctl.c 2010-03-28 17:07:57.000000000 +0200 -@@ -135,26 +135,24 @@ - struct evtmsg { - int type; - char *msg; -- enum { UNSPEC, ERROR, INFO } level; - } evtmsg[] = { -- { EVTT_PHASE1_UP, "Phase 1 established", INFO }, -- { EVTT_PHASE1_DOWN, "Phase 1 deleted", INFO }, -- { EVTT_XAUTH_SUCCESS, "Xauth exchange passed", INFO }, -- { EVTT_ISAKMP_CFG_DONE, "ISAKMP mode config done", INFO }, -- { EVTT_PHASE2_UP, "Phase 2 established", INFO }, -- { EVTT_PHASE2_DOWN, "Phase 2 deleted", INFO }, -- { EVTT_DPD_TIMEOUT, "Peer not reachable anymore", ERROR }, -- { EVTT_PEER_NO_RESPONSE, "Peer not responding", ERROR }, -- { EVTT_PEER_DELETE, "Peer terminated security association", ERROR }, -- { EVTT_RACOON_QUIT, "Raccon terminated", ERROR }, -- { EVTT_OVERFLOW, "Event queue overflow", ERROR }, -- { EVTT_XAUTH_FAILED, "Xauth exchange failed", ERROR }, -- { EVTT_PEERPH1AUTH_FAILED, "Peer failed phase 1 authentication " -- "(certificate problem?)", ERROR }, -- { EVTT_PEERPH1_NOPROP, "Peer failed phase 1 initiation " -- "(proposal problem?)", ERROR }, -- { 0, NULL, UNSPEC }, -- { EVTT_NO_ISAKMP_CFG, "No need for ISAKMP mode config ", INFO }, -+ { EVTT_RACOON_QUIT, "Racoon terminated" }, -+ -+ { EVTT_PHASE1_UP, "Phase 1 established" }, -+ { EVTT_PHASE1_DOWN, "Phase 1 deleted" }, -+ { EVTT_PHASE1_NO_RESPONSE, "Phase 1 error: peer not responding" }, -+ { EVTT_PHASE1_NO_PROPOSAL, "Phase 1 error: no proposal chosen" }, -+ { EVTT_PHASE1_AUTH_FAILED, -+ "Phase 1 error: authentication failed (bad certificate?)" }, -+ { EVTT_PHASE1_DPD_TIMEOUT, "Phase 1 error: dead peer detected" }, -+ { EVTT_PHASE1_MODE_CFG, "Phase 1 mode configuration done" }, -+ { EVTT_PHASE1_XAUTH_SUCCESS, "Phase 1 Xauth succeeded" }, -+ { EVTT_PHASE1_XAUTH_FAILED, "Phase 1 Xauth failed" }, -+ -+ { EVTT_PHASE2_NO_PHASE1, "Phase 2 error: no suitable phase 1" }, -+ { EVTT_PHASE2_UP, "Phase 2 established" 
}, -+ { EVTT_PHASE2_DOWN, "Phase 2 deleted" }, -+ { EVTT_PHASE2_NO_RESPONSE, "Phase 2 error: no response" }, - }; - - static int get_proto __P((char *)); -@@ -184,6 +182,7 @@ - { IPPROTO_ICMP, "icmp" }, - { IPPROTO_TCP, "tcp" }, - { IPPROTO_UDP, "udp" }, -+ { IPPROTO_GRE, "gre" }, - { 0, NULL }, - }; - -@@ -193,31 +192,13 @@ - - char *pname; - int long_format = 0; -- --#define EVTF_NONE 0x0000 /* Ignore any events */ --#define EVTF_LOOP 0x0001 /* Loop awaiting for new events */ --#define EVTF_CFG_STOP 0x0002 /* Stop after ISAKMP mode config */ --#define EVTF_CFG 0x0004 /* Print ISAKMP mode config info */ --#define EVTF_ALL 0x0008 /* Print any events */ --#define EVTF_PURGE 0x0010 /* Print all available events */ --#define EVTF_PH1DOWN_STOP 0x0020 /* Stop when phase 1 SA gets down */ --#define EVTF_PH1DOWN 0x0040 /* Print that phase 1 SA got down */ --#define EVTF_ERR 0x0080 /* Print any error */ --#define EVTF_ERR_STOP 0x0100 /* Stop on any error */ -- --int evt_filter = EVTF_NONE; --time_t evt_start; -+int evt_quit_event = 0; - - void dump_isakmp_sa __P((char *, int)); - void dump_internal __P((char *, int)); - char *pindex_isakmp __P((isakmp_index *)); - void print_schedule __P((caddr_t, int)); --void print_evt __P((caddr_t, int)); --void print_cfg __P((caddr_t, int)); --void print_err __P((caddr_t, int)); --void print_ph1down __P((caddr_t, int)); --void print_ph1up __P((caddr_t, int)); --int evt_poll __P((void)); -+void print_evt __P((struct evt_common *)); - char * fixed_addr __P((char *, char *, int)); - - static void -@@ -226,13 +207,15 @@ - printf( - "Usage:\n" - " %s reload-config\n" -+" %s show-schedule\n" - " %s [-l [-l]] show-sa [protocol]\n" - " %s flush-sa [protocol]\n" - " %s delete-sa \n" --" %s establish-sa [-u identity] \n" -+" %s establish-sa [-u identity] [-w] \n" - " %s vpn-connect [-u identity] vpn_gateway\n" - " %s vpn-disconnect vpn_gateway\n" --"\n" -+" %s show-event\n" -+" %s logout-user login\n""\n" - " : \"isakmp\", \"esp\" or \"ah\".\n" 
- " In the case of \"show-sa\" or \"flush-sa\", you can use \"ipsec\".\n" - "\n" -@@ -240,8 +223,8 @@ - " : {\"esp\",\"ah\"} \n" - " \n" - " : \"inet\" or \"inet6\"\n" --" : \"icmp\", \"tcp\", \"udp\" or \"any\"\n", -- pname, pname, pname, pname, pname, pname, pname); -+" : \"icmp\", \"tcp\", \"udp\", \"gre\" or \"any\"\n", -+ pname, pname, pname, pname, pname, pname, pname, pname, pname, pname); - } - - /* -@@ -312,53 +295,24 @@ - - vfree(combuf); - -- if (com_recv(&combuf) != 0) -- goto bad; -- if (handle_recv(combuf) != 0) -- goto bad; -- -- vfree(combuf); -+ do { -+ if (com_recv(&combuf) != 0) -+ goto bad; -+ if (handle_recv(combuf) != 0) -+ goto bad; -+ vfree(combuf); -+ } while (evt_quit_event != 0); - -- if (evt_filter != EVTF_NONE) -- if (evt_poll() != 0) -- goto bad; -- -+ close(so); - exit(0); - -- bad: -+bad: -+ close(so); -+ if (errno == EEXIST) -+ exit(0); - exit(1); - } - --int --evt_poll(void) { -- struct timeval tv; -- vchar_t *recvbuf; -- vchar_t *sendbuf; -- -- if ((sendbuf = f_getevt(0, NULL)) == NULL) -- errx(1, "Cannot make combuf"); -- -- -- while (evt_filter & (EVTF_LOOP|EVTF_PURGE)) { -- /* handle_recv closes the socket time, so open it each time */ -- com_init(); -- -- if (com_send(sendbuf) != 0) -- errx(1, "Cannot send combuf"); -- -- if (com_recv(&recvbuf) == 0) { -- handle_recv(recvbuf); -- vfree(recvbuf); -- } -- -- tv.tv_sec = 0; -- tv.tv_usec = 10; -- (void)select(0, NULL, NULL, NULL, &tv); -- } -- -- vfree(sendbuf); -- return 0; --} - - /* %%% */ - /* -@@ -422,20 +376,8 @@ - vchar_t *buf; - struct admin_com *head; - -- /* -- * There are 3 ways of getting here -- * 1) racoonctl vc => evt_filter = (EVTF_LOOP|EVTF_CFG| ... 
) -- * 2) racoonctl es => evt_filter = EVTF_NONE -- * 3) racoonctl es -l => evt_filter = EVTF_LOOP -- * Catch the second case: show-event is here to purge all -- */ -- if (evt_filter == EVTF_NONE) -- evt_filter = (EVTF_ALL|EVTF_PURGE); -- -- if ((ac >= 1) && (strcmp(av[0], "-l") == 0)) -- evt_filter |= EVTF_LOOP; -- -- if (ac >= 2) -+ evt_quit_event = -1; -+ if (ac >= 1) - errx(1, "too many arguments"); - - buf = vmalloc(sizeof(*head)); -@@ -653,6 +595,7 @@ - char *id = NULL; - char *key = NULL; - struct admin_com_psk *acp; -+ int wait = 0; - - if (ac < 1) - errx(1, "insufficient arguments"); -@@ -673,6 +616,12 @@ - ac -= 2; - } - -+ if (ac >= 1 && strcmp(av[0], "-w") == 0) { -+ wait = 1; -+ av++; -+ ac--; -+ } -+ - /* need protocol */ - if (ac < 1) - errx(1, "insufficient arguments"); -@@ -687,12 +636,16 @@ - index = get_index(ac, av); - if (index == NULL) - return NULL; -+ if (wait) -+ evt_quit_event = EVTT_PHASE1_MODE_CFG; - break; - case ADMIN_PROTO_AH: - case ADMIN_PROTO_ESP: - index = get_index(ac, av); - if (index == NULL) - return NULL; -+ if (wait) -+ evt_quit_event = EVTT_PHASE2_UP; - break; - default: - errno = EPROTONOSUPPORT; -@@ -749,8 +702,7 @@ - if (ac < 1) - errx(1, "insufficient arguments"); - -- evt_filter = (EVTF_LOOP|EVTF_CFG|EVTF_CFG_STOP|EVTF_ERR|EVTF_ERR_STOP); -- time(&evt_start); -+ evt_quit_event = EVTT_PHASE1_MODE_CFG; - - /* Optional -u identity */ - if (strcmp(av[0], "-u") == 0) { -@@ -814,8 +766,7 @@ - if (ac > 1) - warnx("Extra arguments"); - -- evt_filter = -- (EVTF_PH1DOWN|EVTF_PH1DOWN_STOP|EVTF_LOOP|EVTF_ERR|EVTF_ERR_STOP); -+ evt_quit_event = EVTT_PHASE1_DOWN; - - nav[nac++] = isakmp; - nav[nac++] = inet; -@@ -1337,84 +1288,32 @@ - - - void --print_evt(buf, len) -- caddr_t buf; -- int len; -+print_evt(evtdump) -+ struct evt_common *evtdump; - { -- struct evtdump *evtdump = (struct evtdump *)buf; - int i; - char *srcstr; - char *dststr; - -- for (i = 0; evtmsg[i].msg; i++) -- if (evtmsg[i].type == evtdump->type) -- break; -- -- if 
(evtmsg[i].msg == NULL) -- printf("Event %d: ", evtdump->type); -+ for (i = 0; i < sizeof(evtmsg) / sizeof(evtmsg[0]); i++) -+ if (evtmsg[i].type == evtdump->ec_type) -+ break; -+ -+ if (evtmsg[i].msg == NULL) -+ printf("Event %d: ", evtdump->ec_type); - else - printf("%s : ", evtmsg[i].msg); - -- if ((srcstr = saddr2str((struct sockaddr *)&evtdump->src)) == NULL) -+ if ((srcstr = saddr2str((struct sockaddr *)&evtdump->ec_ph1src)) == NULL) - printf("unknown"); - else - printf("%s", srcstr); - printf(" -> "); -- if ((dststr = saddr2str((struct sockaddr *)&evtdump->dst)) == NULL) -+ if ((dststr = saddr2str((struct sockaddr *)&evtdump->ec_ph1dst)) == NULL) - printf("unknown"); - else - printf("%s", dststr); - printf("\n"); -- -- return; --} -- --void --print_err(buf, len) -- caddr_t buf; -- int len; --{ -- struct evtdump *evtdump = (struct evtdump *)buf; -- int i; -- -- -- for (i = 0; evtmsg[i].msg; i++) -- if (evtmsg[i].type == evtdump->type) -- break; -- -- if (evtmsg[i].level != ERROR) -- return; -- -- if (evtmsg[i].msg == NULL) -- printf("Error: Event %d\n", evtdump->type); -- else -- printf("Error: %s\n", evtmsg[i].msg); -- -- if (evt_filter & EVTF_ERR_STOP) -- evt_filter &= ~EVTF_LOOP; -- -- return; --} -- --/* -- * Print a message when phase 1 SA goes down -- */ --void --print_ph1down(buf, len) -- caddr_t buf; -- int len; --{ -- struct evtdump *evtdump = (struct evtdump *)buf; -- -- if (evtdump->type != EVTT_PHASE1_DOWN) -- return; -- -- printf("VPN connexion terminated\n"); -- -- if (evt_filter & EVTF_PH1DOWN_STOP) -- evt_filter &= ~EVTF_LOOP; -- -- return; - } - - /* -@@ -1425,15 +1324,14 @@ - caddr_t buf; - int len; - { -- struct evtdump *evtdump = (struct evtdump *)buf; -+ struct evt_common *evtdump = (struct evt_common *)buf; - struct isakmp_data *attr; - char *banner = NULL; - struct in_addr addr4; - - memset(&addr4, 0, sizeof(addr4)); - -- if (evtdump->type != EVTT_ISAKMP_CFG_DONE && -- evtdump->type != EVTT_NO_ISAKMP_CFG) -+ if (evtdump->ec_type != 
EVTT_PHASE1_MODE_CFG) - return; - - len -= sizeof(*evtdump); -@@ -1487,7 +1385,7 @@ - } - } - -- if (evtdump->type == EVTT_ISAKMP_CFG_DONE) -+ if (len > 0) - printf("Bound to address %s\n", inet_ntoa(addr4)); - else - printf("VPN connexion established\n"); -@@ -1508,11 +1406,6 @@ - printf("\n"); - racoon_free(banner); - } -- -- if (evt_filter & EVTF_CFG_STOP) -- evt_filter &= ~EVTF_LOOP; -- -- return; - } - - -@@ -1563,32 +1456,28 @@ - break; - - case ADMIN_SHOW_EVT: { -- struct evtdump *evtdump; -+ struct evt_common *ec; - -- /* We got no event */ -- if (len == 0) { -- /* If we were purging the queue, it is now done */ -- if (evt_filter & EVTF_PURGE) -- evt_filter &= ~EVTF_PURGE; -+ /* We got no event? */ -+ if (len == 0) - break; -- } -+ if (len < sizeof(struct evt_common)) -+ errx(1, "Short buffer\n"); - -- if (len < sizeof(struct evtdump)) -- errx(1, "Short buffer\n"); -- -- /* Toss outdated events */ -- evtdump = (struct evtdump *)buf; -- if (evtdump->timestamp < evt_start) -- break; -- -- if (evt_filter & EVTF_ALL) -- print_evt(buf, len); -- if (evt_filter & EVTF_ERR) -- print_err(buf, len); -- if (evt_filter & EVTF_CFG) -- print_cfg(buf, len); -- if (evt_filter & EVTF_PH1DOWN) -- print_ph1down(buf, len); -+ ec = (struct evt_common *) buf; -+ if (evt_quit_event <= 0) -+ print_evt(ec); -+ else if (evt_quit_event == ec->ec_type) { -+ switch (ec->ec_type) { -+ case EVTT_PHASE1_MODE_CFG: -+ print_cfg(ec, len); -+ break; -+ default: -+ print_evt(ec); -+ break; -+ }; -+ evt_quit_event = 0; -+ } - break; - } - -@@ -1645,10 +1534,8 @@ - break; - } - -- close(so); - return 0; - -- bad: -- close(so); -+bad: - return -1; - } -Index: ipsec-tools-0.7.3/src/racoon/session.c -=================================================================== ---- ipsec-tools-0.7.3.orig/src/racoon/session.c 2007-08-01 13:52:22.000000000 +0200 -+++ ipsec-tools-0.7.3/src/racoon/session.c 2010-03-28 17:07:57.000000000 +0200 -@@ -192,6 +192,7 @@ - /* scheduling */ - timeout = schedular(); - -+ 
nfds = evt_get_fdmask(nfds, &rfds); - error = select(nfds, &rfds, (fd_set *)0, (fd_set *)0, timeout); - if (error < 0) { - switch (errno) { -@@ -211,6 +212,7 @@ - (FD_ISSET(lcconf->sock_admin, &rfds))) - admin_handler(); - #endif -+ evt_handle_fdmask(&rfds); - - for (p = lcconf->myaddrs; p; p = p->next) { - if (!p->addr) -@@ -451,7 +453,7 @@ - case SIGTERM: - plog(LLV_INFO, LOCATION, NULL, - "caught signal %d\n", sig); -- EVT_PUSH(NULL, NULL, EVTT_RACOON_QUIT, NULL); -+ evt_generic(EVTT_RACOON_QUIT, NULL); - pfkey_send_flush(lcconf->sock_pfkey, - SADB_SATYPE_UNSPEC); - #ifdef ENABLE_FASTQUIT diff --git a/net/ipsec-tools/patches/005-isakmp-fix.patch b/net/ipsec-tools/patches/005-isakmp-fix.patch new file mode 100644 index 0000000000..f7aa3c26cf --- /dev/null +++ b/net/ipsec-tools/patches/005-isakmp-fix.patch @@ -0,0 +1,11 @@ +--- a/src/racoon/isakmp.c ++++ b/src/racoon/isakmp.c +@@ -31,6 +31,8 @@ + * SUCH DAMAGE. + */ + ++#define __packed __attribute__((__packed__)) ++ + #include "config.h" + + #include -- 2.30.2
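Review bot: The new 005-isakmp-fix.patch defines `__packed` unconditionally, and a name in the double-underscore namespace belongs to the implementation: on a toolchain whose system headers already provide `__packed` with a different replacement list (some BSD-derived headers do, which is presumably why racoon's sources use the name), the redefinition is a hard error rather than a no-op. Guarding it keeps the fix effective where the macro is missing and harmless where it already exists: `#ifndef __packed`, `#define __packed __attribute__((__packed__))`, `#endif`. The patch also carries no comment on why isakmp.c needs the definition; a one-line note such as `/* some C libraries do not provide __packed; define the GCC form used by the packed ISAKMP structs */` (hedged, the motivating libc is not named anywhere in this commit) would save the next maintainer from having to rediscover it when the package is next bumped.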