[src/trunk]: src Bug fixes from the ipsec-tools 0.6 branch:
details: https://anonhg.NetBSD.org/src/rev/57691cc1d76e
branches: trunk
changeset: 580510:57691cc1d76e
user: manu <manu%NetBSD.org@localhost>
date: Wed Apr 27 05:19:49 2005 +0000
description:
Bug fixes from the ipsec-tools 0.6 branch:
- Fix NAT-T problems that prevented multiple peers behind the same NAT
from talking to the same machine outside the NAT. This also requires kernel
fixes (already committed earlier)
- Fix a LP64 bug
- Fix NAT-T RFC conformance bugs (missing non ESP marker in packets)
- Add a -p option to setkey to display ports that could be used for ESP
over UDP when printing policies
diffstat:
crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c | 57 ++++++++++++---
crypto/dist/ipsec-tools/src/libipsec/libpfkey.h | 4 +-
crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c | 24 ++++++-
crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c | 18 +++-
crypto/dist/ipsec-tools/src/racoon/isakmp.c | 28 +++++-
crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c | 4 +-
crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c | 4 +-
crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c | 9 ++-
crypto/dist/ipsec-tools/src/racoon/nattraversal.c | 6 +-
crypto/dist/ipsec-tools/src/racoon/nattraversal.h | 5 +-
crypto/dist/ipsec-tools/src/racoon/pfkey.c | 6 +-
crypto/dist/ipsec-tools/src/setkey/setkey.8 | 13 ++-
crypto/dist/ipsec-tools/src/setkey/setkey.c | 18 +++-
lib/libipsec/package_version.h | 4 +-
14 files changed, 149 insertions(+), 51 deletions(-)
diffs (truncated from 606 to 300 lines):
diff -r 3ea4dfb788c9 -r 57691cc1d76e crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c
--- a/crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c Wed Apr 27 02:12:20 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c Wed Apr 27 05:19:49 2005 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec_dump_policy.c,v 1.1.1.2 2005/02/23 14:54:07 manu Exp $ */
+/* $NetBSD: ipsec_dump_policy.c,v 1.2 2005/04/27 05:19:49 manu Exp $ */
/* Id: ipsec_dump_policy.c,v 1.7 2004/10/29 16:37:03 ludvigm Exp */
@@ -65,10 +65,11 @@
};
static char *ipsec_dump_ipsecrequest __P((char *, size_t,
- struct sadb_x_ipsecrequest *, size_t));
+ struct sadb_x_ipsecrequest *, size_t, int));
+static char *ipsec_dump_policy1 __P((caddr_t, char *, int));
static int set_addresses __P((char *, size_t, struct sockaddr *,
- struct sockaddr *));
-static char *set_address __P((char *, size_t, struct sockaddr *));
+ struct sockaddr *, int));
+static char *set_address __P((char *, size_t, struct sockaddr *, int));
/*
* policy is sadb_x_policy buffer.
@@ -80,6 +81,23 @@
caddr_t policy;
char *delimiter;
{
+ return ipsec_dump_policy1(policy, delimiter, 0);
+}
+
+char *
+ipsec_dump_policy_withports(policy, delimiter)
+ caddr_t policy;
+ char *delimiter;
+{
+ return ipsec_dump_policy1(policy, delimiter, 1);
+}
+
+static char *
+ipsec_dump_policy1(policy, delimiter, withports)
+ caddr_t policy;
+ char *delimiter;
+ int withports;
+{
struct sadb_x_policy *xpl = (struct sadb_x_policy *)policy;
struct sadb_x_ipsecrequest *xisr;
size_t off, buflen;
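Review bot: The new public entry point `ipsec_dump_policy_withports` carries no comment, while `ipsec_dump_policy` keeps the "policy is sadb_x_policy buffer" block above it; a reader of the header has nothing to tell the two apart. I would put a short comment above its definition: `/* Same as ipsec_dump_policy(), but each endpoint is printed as address[port] (numeric); see ipsec_dump_policy() for the buffer contract. */`, and document the `withports` parameter on `ipsec_dump_policy1` with `/* withports: non-zero to append [port] to every address */`. The body of `ipsec_dump_policy1` continues past the end of this hunk, so its return and ownership semantics are not visible here.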
@@ -233,7 +251,7 @@
xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xpl + off);
if (ipsec_dump_ipsecrequest(isrbuf, sizeof(isrbuf), xisr,
- PFKEY_EXTLEN(xpl) - off) == NULL) {
+ PFKEY_EXTLEN(xpl) - off, withports) == NULL) {
free(buf);
return NULL;
}
@@ -257,11 +275,12 @@
}
static char *
-ipsec_dump_ipsecrequest(buf, len, xisr, bound)
+ipsec_dump_ipsecrequest(buf, len, xisr, bound, withports)
char *buf;
size_t len;
struct sadb_x_ipsecrequest *xisr;
size_t bound; /* boundary */
+ int withports;
{
const char *proto, *mode, *level;
char abuf[NI_MAXHOST * 2 + 2];
@@ -314,7 +333,8 @@
__ipsec_errcode = EIPSEC_INVAL_ADDRESS;
return NULL;
}
- if (set_addresses(abuf, sizeof(abuf), sa1, sa2) != 0) {
+ if (set_addresses(abuf, sizeof(abuf),
+ sa1, sa2, withports) != 0) {
__ipsec_errcode = EIPSEC_INVAL_ADDRESS;
return NULL;
}
@@ -355,16 +375,17 @@
}
static int
-set_addresses(buf, len, sa1, sa2)
+set_addresses(buf, len, sa1, sa2, withports)
char *buf;
size_t len;
struct sockaddr *sa1;
struct sockaddr *sa2;
+ int withports;
{
char tmp1[NI_MAXHOST], tmp2[NI_MAXHOST];
- if (set_address(tmp1, sizeof(tmp1), sa1) == NULL ||
- set_address(tmp2, sizeof(tmp2), sa2) == NULL)
+ if (set_address(tmp1, sizeof(tmp1), sa1, withports) == NULL ||
+ set_address(tmp2, sizeof(tmp2), sa2, withports) == NULL)
return -1;
if (strlen(tmp1) + 1 + strlen(tmp2) + 1 > len)
return -1;
@@ -373,17 +394,27 @@
}
static char *
-set_address(buf, len, sa)
+set_address(buf, len, sa, withports)
char *buf;
size_t len;
struct sockaddr *sa;
+ int withports;
{
- const int niflags = NI_NUMERICHOST;
+ const int niflags = NI_NUMERICHOST | NI_NUMERICSERV;
+ char host[NI_MAXHOST];
+ char serv[NI_MAXSERV];
if (len < 1)
return NULL;
buf[0] = '\0';
- if (getnameinfo(sa, sysdep_sa_len(sa), buf, len, NULL, 0, niflags) != 0)
+ if (getnameinfo(sa, sysdep_sa_len(sa), host, sizeof(host), serv,
+ sizeof(serv), niflags) != 0)
return NULL;
+
+ if (withports)
+ snprintf(buf, len, "%s[%s]", host, serv);
+ else
+ snprintf(buf, len, "%s", host);
+
return buf;
}
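Review bot: Both `snprintf` calls in the new `set_address` discard their return value, so a `buf` too small for `host[serv]` now yields a silently truncated address where the old `getnameinfo`-into-`buf` call would have failed and returned NULL. This matters because `set_addresses` sizes `tmp1`/`tmp2` at `NI_MAXHOST`, while the with-ports form can be up to `NI_MAXHOST + NI_MAXSERV + 2` bytes, and its `strlen`-based length check runs on the already-truncated strings, so a policy dump could print a wrong endpoint without any error. Checking the `snprintf` result and returning NULL on truncation restores the old failure behaviour.
```c
	int n;

	if (withports)
		n = snprintf(buf, len, "%s[%s]", host, serv);
	else
		n = snprintf(buf, len, "%s", host);
	/* refuse a truncated address: set_addresses() sizes its buffers at NI_MAXHOST */
	if (n < 0 || (size_t)n >= len)
		return NULL;

	return buf;
```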
diff -r 3ea4dfb788c9 -r 57691cc1d76e crypto/dist/ipsec-tools/src/libipsec/libpfkey.h
--- a/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h Wed Apr 27 02:12:20 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h Wed Apr 27 05:19:49 2005 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: libpfkey.h,v 1.3 2005/02/24 20:59:24 manu Exp $ */
+/* $NetBSD: libpfkey.h,v 1.4 2005/04/27 05:19:49 manu Exp $ */
/* Id: libpfkey.h,v 1.8.2.1 2005/02/24 13:33:54 manubsd Exp */
@@ -47,6 +47,7 @@
struct sadb_msg;
extern void pfkey_sadump __P((struct sadb_msg *));
extern void pfkey_spdump __P((struct sadb_msg *));
+extern void pfkey_spdump_withports __P((struct sadb_msg *));
struct sockaddr;
struct sadb_alg;
@@ -57,6 +58,7 @@
int ipsec_check_keylen2 __P((u_int, u_int, u_int));
int ipsec_get_keylen __P((u_int, u_int, struct sadb_alg *));
char *ipsec_dump_policy __P((caddr_t policy, char *delimiter));
+char *ipsec_dump_policy_withports __P((caddr_t policy, char *delimiter));
void ipsec_hexdump __P((caddr_t buf, int len));
int ipsec_get_policylen __P((caddr_t policy));
caddr_t ipsec_set_policy __P((char *msg, int msglen));
diff -r 3ea4dfb788c9 -r 57691cc1d76e crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c
--- a/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c Wed Apr 27 02:12:20 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c Wed Apr 27 05:19:49 2005 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: pfkey_dump.c,v 1.2 2005/04/10 21:20:55 manu Exp $ */
+/* $NetBSD: pfkey_dump.c,v 1.3 2005/04/27 05:19:49 manu Exp $ */
/* $KAME: pfkey_dump.c,v 1.45 2003/09/08 10:14:56 itojun Exp $ */
@@ -110,6 +110,7 @@
static void str_upperspec __P((u_int, u_int, u_int));
static char *str_time __P((time_t));
static void str_lifetime_byte __P((struct sadb_lifetime *, char *));
+static void pfkey_spdump1(struct sadb_msg *, int);
struct val2str {
int val;
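Review bot: The added prototype `static void pfkey_spdump1(struct sadb_msg *, int);` is the only one in this declaration block written without the `__P((...))` wrapper that the neighbouring `str_upperspec`, `str_time` and `str_lifetime_byte` prototypes use. For consistency with the file's convention (and with the corresponding prototypes added to ipsec_dump_policy.c in this same commit) it should read `static void pfkey_spdump1 __P((struct sadb_msg *, int));`.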
@@ -412,6 +413,21 @@
pfkey_spdump(m)
struct sadb_msg *m;
{
+ return pfkey_spdump1(m, 0);
+}
+
+void
+pfkey_spdump_withports(m)
+ struct sadb_msg *m;
+{
+ return pfkey_spdump1(m, 1);
+}
+
+static void
+pfkey_spdump1(m, withports)
+ struct sadb_msg *m;
+ int withports;
+{
char pbuf[NI_MAXSERV];
caddr_t mhp[SADB_EXT_MAX + 1];
struct sadb_address *m_saddr, *m_daddr;
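Review bot: `return pfkey_spdump1(m, 0);` and `return pfkey_spdump1(m, 1);` return an expression of type void from functions that are themselves void (`pfkey_spdump1` is declared `static void` earlier in this diff, and `pfkey_spdump_withports` is defined `void` here); the C standard does not allow a `return` with an expression in a void function, so pedantic compilers reject it and others warn. Drop the `return` keyword in both wrappers: `pfkey_spdump1(m, 0);` and `pfkey_spdump1(m, 1);`. `pfkey_spdump`'s return type sits above the hunk and `pfkey_spdump1`'s body continues below it, so I am going by the `void` declarations visible in this diff.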
@@ -515,7 +531,11 @@
printf("no X_POLICY extension.\n");
return;
}
- d_xpl = ipsec_dump_policy((char *)m_xpl, "\n\t");
+ if (withports)
+ d_xpl = ipsec_dump_policy_withports((char *)m_xpl, "\n\t");
+ else
+ d_xpl = ipsec_dump_policy((char *)m_xpl, "\n\t");
+
if (!d_xpl)
printf("\n\tPolicy:[%s]\n", ipsec_strerror());
else {
diff -r 3ea4dfb788c9 -r 57691cc1d76e crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
--- a/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c Wed Apr 27 02:12:20 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c Wed Apr 27 05:19:49 2005 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec_doi.c,v 1.2 2005/04/18 11:15:01 manu Exp $ */
+/* $NetBSD: ipsec_doi.c,v 1.3 2005/04/27 05:19:50 manu Exp $ */
/* Id: ipsec_doi.c,v 1.26.2.1 2005/02/17 13:19:18 vanhu Exp */
@@ -2611,17 +2611,19 @@
int attrlen = 0;
if (sa->lifetime) {
+ u_int32_t lifetime = htonl((u_int32_t)sa->lifetime);
+
attrlen += sizeof(struct isakmp_data)
+ sizeof(struct isakmp_data);
if (sa->lifetime > 0xffff)
- attrlen += sizeof(sa->lifetime);
+ attrlen += sizeof(lifetime);
if (buf) {
p = isakmp_set_attr_l(p, OAKLEY_ATTR_SA_LD_TYPE,
OAKLEY_ATTR_SA_LD_TYPE_SEC);
if (sa->lifetime > 0xffff) {
- u_int32_t v = htonl((u_int32_t)sa->lifetime);
p = isakmp_set_attr_v(p, OAKLEY_ATTR_SA_LD,
- (caddr_t)&v, sizeof(v));
+ (caddr_t)&lifetime,
+ sizeof(lifetime));
} else {
p = isakmp_set_attr_l(p, OAKLEY_ATTR_SA_LD,
sa->lifetime);
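Review bot: The new local `lifetime` is what fixes the LP64 length bug (`attrlen` previously added `sizeof(sa->lifetime)`, which is wider than the 4-byte attribute if `sa->lifetime` is a `long`/`time_t` — its type is not visible here), but nothing in the code says so, and a reader will wonder why the `htonl` value is computed before it is known that the 4-byte form is needed. I would add above the declaration: `/* The SA_LD attribute is 32 bits on the wire; sizeof(sa->lifetime) may be 8 on LP64, so size everything from this local. */`. The same comment is warranted in the `lifebyte` hunk that follows. Note also that the `(u_int32_t)` cast truncates silently; if `sa->lifetime` or `sa->lifebyte` can exceed 0xffffffff, a range check before the cast would be the safer choice. The enclosing function begins before this hunk.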
@@ -2630,17 +2632,19 @@
}
if (sa->lifebyte) {
+ u_int32_t lifebyte = htonl((u_int32_t)sa->lifebyte);
+
attrlen += sizeof(struct isakmp_data)
+ sizeof(struct isakmp_data);
if (sa->lifebyte > 0xffff)
- attrlen += sizeof(sa->lifebyte);
+ attrlen += sizeof(lifebyte);
if (buf) {
p = isakmp_set_attr_l(p, OAKLEY_ATTR_SA_LD_TYPE,
OAKLEY_ATTR_SA_LD_TYPE_KB);
if (sa->lifebyte > 0xffff) {
- u_int32_t v = htonl((u_int32_t)sa->lifebyte);
p = isakmp_set_attr_v(p, OAKLEY_ATTR_SA_LD,
- (caddr_t)&v, sizeof(v));
+ (caddr_t)&lifebyte,
+ sizeof(lifebyte));
} else {
p = isakmp_set_attr_l(p, OAKLEY_ATTR_SA_LD,
sa->lifebyte);
diff -r 3ea4dfb788c9 -r 57691cc1d76e crypto/dist/ipsec-tools/src/racoon/isakmp.c
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp.c Wed Apr 27 02:12:20 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp.c Wed Apr 27 05:19:49 2005 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: isakmp.c,v 1.2 2005/04/19 19:42:09 manu Exp $ */
+/* $NetBSD: isakmp.c,v 1.3 2005/04/27 05:19:50 manu Exp $ */
/* Id: isakmp.c,v 1.34.2.2 2005/03/13 17:31:55 vanhu Exp */
@@ -431,14 +431,14 @@
#ifdef ENABLE_NATT
/* Floating ports for NAT-T */
- if ((iph1->natt_flags & NAT_DETECTED) &&
+ if (NATT_AVAILABLE(iph1) &&
! (iph1->natt_flags & NAT_PORTS_CHANGED) &&
((cmpsaddrstrict(iph1->remote, remote) != 0) ||
(cmpsaddrstrict(iph1->local, local) != 0)))
{
/* prevent memory leak */
- racoon_free (iph1->remote);
- racoon_free (iph1->local);
+ racoon_free(iph1->remote);
+ racoon_free(iph1->local);
/* copy-in new addresses */
iph1->remote = dupsaddr(remote);
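Review bot: After `racoon_free(iph1->remote)` the hunk assigns `iph1->remote = dupsaddr(remote)` without checking the result; if `dupsaddr` can fail (it reads as an allocating copy, though its definition is outside this view), the phase-1 handler is left with a NULL remote address while still live, and the NAT-T port update is then half applied. The lines directly after the hunk are not visible, so this may already be handled there; if not, a NULL check on both `dupsaddr` results that logs and bails out would be prudent. Separately, the gate changed from `natt_flags & NAT_DETECTED` to `NATT_AVAILABLE(iph1)`, whose definition lives in nattraversal.h (in this commit but truncated from the page); a one-line comment above the condition stating what that macro requires beyond NAT_DETECTED would spare the next reader the lookup. The enclosing function starts before and ends after this hunk.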
@@ -447,7 +447,7 @@
/* set the flag to prevent further port floating
(FIXME: should we allow it? E.g. when the NAT gw
is rebooted?) */
- iph1->natt_flags |= NAT_PORTS_CHANGED;
+ iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER;
/* print some neat info */