Date: Fri, 10 Aug 2018 10:03:31 +0000 (UTC) From: Eugene Grosbein <eugen@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r476825 - in head/security/ipsec-tools: . files Message-ID: <201808101003.w7AA3V3C075391@repo.freebsd.org>
Author: eugen
Date: Fri Aug 10 10:03:30 2018
New Revision: 476825
URL: https://svnweb.freebsd.org/changeset/ports/476825
Log:
security/ipsec-tools: add support for multiple if_ipsec(4) interfaces
- added patch introducing racoon compatibility with multiple if_ipsec(4) interfaces (*);
- MAINTAINER reset due to nearly 3 years maintainer inactivity;
- bump PORTREVISION.
Submitted by: ae (*)
Approved by: vanhu (implicitly)
Added:
head/security/ipsec-tools/files/patch-reqid.diff (contents, props changed)
Modified:
head/security/ipsec-tools/Makefile
Modified: head/security/ipsec-tools/Makefile
==============================================================================
--- head/security/ipsec-tools/Makefile Fri Aug 10 10:00:35 2018 (r476824)
+++ head/security/ipsec-tools/Makefile Fri Aug 10 10:03:30 2018 (r476825)
@@ -8,11 +8,11 @@
 PORTNAME= ipsec-tools
 PORTVERSION= 0.8.2
-PORTREVISION= 4
+PORTREVISION= 5
 CATEGORIES= security
 MASTER_SITES= SF
-MAINTAINER= vanhu@FreeBSD.org
+MAINTAINER= ports@FreeBSD.org
 COMMENT= KAME racoon IKE daemon, ipsec-tools version
 LICENSE= BSD3CLAUSE
Added: head/security/ipsec-tools/files/patch-reqid.diff
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/ipsec-tools/files/patch-reqid.diff Fri Aug 10 10:03:30 2018 (r476825)
@@ -0,0 +1,176 @@
+--- src/racoon/cfparse.y 22 Aug 2006 18:17:17 -0000 1.66
++++ src/racoon/cfparse.y 13 May 2018 01:53:57 -0000
+@@ -284,7 +284,7 @@ static int process_rmconf()
+ /* algorithm */
+ %token ALGORITHM_CLASS ALGORITHMTYPE STRENGTHTYPE
+ /* sainfo */
+-%token SAINFO FROM
++%token SAINFO FROM REQID
+ /* remote */
+ %token REMOTE ANONYMOUS CLIENTADDR INHERIT REMOTE_ADDRESS
+ %token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE
+@@ -1571,6 +1571,11 @@ sainfo_spec
+ | REMOTEID NUMBER
+ {
+ cur_sainfo->remoteid = $2;
++ }
++ EOS
++ | REQID NUMBER
++ {
++ cur_sainfo->reqid = $2;
+ }
+ EOS
+ | LIFETIME LIFETYPE_TIME NUMBER unittype_time
+--- src/racoon/cftoken.l 22 Aug 2006 18:17:17 -0000 1.53
++++ src/racoon/cftoken.l 13 May 2018 01:53:57 -0000
+@@ -290,6 +290,7 @@
+ <S_SAINFS>identifier { YYD; yywarn("it is obsoleted. use \"my_identifier\"."); return(IDENTIFIER); }
+ <S_SAINFS>my_identifier { YYD; return(MY_IDENTIFIER); }
+ <S_SAINFS>lifetime { YYD; return(LIFETIME); }
++<S_SAINFS>reqid { YYD; return(REQID); }
+ <S_SAINFS>time { YYD; return(LIFETYPE_TIME); }
+ <S_SAINFS>byte { YYD; return(LIFETYPE_BYTE); }
+ <S_SAINFS>encryption_algorithm { YYD; yylval.num = algclass_ipsec_enc; return(ALGORITHM_CLASS); }
+--- src/racoon/proposal.c 27 Apr 2006 03:41:54 -0000 1.19
++++ src/racoon/proposal.c 13 May 2018 01:53:58 -0000
+@@ -1253,8 +1253,8 @@ set_proposal_from_proposal(iph2)
+ if(g_nextreqid >= IPSEC_MANUAL_REQID_MAX)
+ g_nextreqid = 1;
+ }else{
+- newpr->reqid_in = 0;
+- newpr->reqid_out = 0;
++ newpr->reqid_in = iph2->sainfo->reqid;
++ newpr->reqid_out = iph2->sainfo->reqid;
+ }
+ 
+ if (set_satrnsbysainfo(newpr, iph2->sainfo) < 0)
+--- src/racoon/sainfo.c 11 Aug 2006 16:07:05 -0000 1.9
++++ src/racoon/sainfo.c 13 May 2018 01:53:58 -0000
+@@ -383,8 +383,8 @@ sainfo2str(si)
+ else
+ id_i = ipsecdoi_id2str(si->id_i);
+ 
+- snprintf(buf, 255, "loc=\'%s\', rmt=\'%s\', peer=\'%s\', id=%u",
+- idloc, idrmt, id_i, si->remoteid);
++ snprintf(buf, 255, "loc=\'%s\', rmt=\'%s\', peer=\'%s\', id=%u, reqid=%u",
++ idloc, idrmt, id_i, si->remoteid, si->reqid);
+ 
+ racoon_free(idloc);
+ racoon_free(idrmt);
+--- src/racoon/sainfo.h 9 Jul 2006 17:19:38 -0000 1.5
++++ src/racoon/sainfo.h 13 May 2018 01:53:58 -0000
+@@ -51,6 +51,7 @@
+ time_t lifetime;
+ int lifebyte;
+ int pfs_group; /* only use when pfs is required. */
++ uint32_t reqid;
+ vchar_t *id_i; /* identifier of the authorized initiator */
+ struct sainfoalg *algs[MAXALGCLASS];
+ 
+--- src/racoon/policy.h 2018-05-13 07:42:14.828102000 +0300
++++ src/racoon/policy.h 2018-05-13 07:41:44.807564000 +0300
+@@ -66,6 +66,7 @@ struct policyindex {
+ u_int16_t ul_proto; /* upper layer Protocol */
+ u_int32_t priority; /* priority for the policy */
+ u_int64_t created; /* Used for generated SPD entries deletion */
++ u_int32_t reqid; /* Reqid used for if_ipsec(4) */
+ #ifdef HAVE_SECCTX
+ struct security_ctx sec_ctx; /* Security Context */
+ #endif
+--- src/racoon/isakmp_quick.c 2018-05-13 08:07:07.378039000 +0300
++++ src/racoon/isakmp_quick.c 2018-05-13 08:11:12.268612000 +0300
+@@ -2473,6 +2473,7 @@ get_proposal_r(iph2)
+ #endif /* HAVE_SECCTX */
+ 
+ /* get inbound policy */
++ spidx.reqid = iph2->sainfo->reqid;
+ sp_in = getsp_r(&spidx);
+ if (sp_in == NULL) {
+ if (iph2->ph1->rmconf->gen_policy) {
+@@ -2521,6 +2522,7 @@ get_proposal_r(iph2)
+ spidx.prefs = spidx.prefd;
+ spidx.prefd = pref;
+ 
++ spidx.reqid = iph2->sainfo->reqid;
+ sp_out = getsp_r(&spidx);
+ if (!sp_out) {
+ plog(LLV_WARNING, LOCATION, NULL,
+--- src/racoon/pfkey.c 2018-05-13 08:12:05.730604000 +0300
++++ src/racoon/pfkey.c 2018-05-13 08:48:02.708803000 +0300
+@@ -1888,6 +1888,10 @@ pk_recvacquire(mhp)
+ spidx.prefs = sp_out->spidx.prefd;
+ spidx.prefd = sp_out->spidx.prefs;
+ spidx.ul_proto = sp_out->spidx.ul_proto;
++#ifdef IPSEC_POLICYSCOPE_IFNET
++ /* XXX: reuse reqid from outbound policy */
++ spidx.reqid = sp_out->spidx.reqid;
++#endif
+ 
+ #ifdef HAVE_SECCTX
+ if (m_sec_ctx) {
+@@ -2787,6 +2791,25 @@ pk_recvspddump(mhp)
+ }
+ #endif /* HAVE_SECCTX */
+ 
++#ifdef IPSEC_POLICYSCOPE_IFNET
++ if (xpl->sadb_x_policy_scope == IPSEC_POLICYSCOPE_IFNET) {
++ struct sadb_x_ipsecrequest *xisr;
++ 
++ if (PFKEY_EXTLEN(xpl) < sizeof(*xpl)) {
++ plog(LLV_ERROR, LOCATION, NULL,
++ "invalid xpl msg length.\n");
++ return (-1);
++ }
++ xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
++ if (xisr->sadb_x_ipsecrequest_len < sizeof(*xisr)) {
++ plog(LLV_ERROR, LOCATION, NULL,
++ "invalid xisr msg length.\n");
++ return (-1);
++ }
++ spidx.reqid = xisr->sadb_x_ipsecrequest_reqid;
++ }
++#endif /* IPSEC_POLICYSCOPE_IFNET */
++ 
+ sp = getsp(&spidx);
+ if (sp != NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+@@ -3909,6 +3932,15 @@ addnewsp(mhp, local, remote)
+ created,
+ &new->spidx);
+ #endif
++ 
++#ifdef IPSEC_POLICYSCOPE_IFNET
++ if (xpl->sadb_x_policy_scope == IPSEC_POLICYSCOPE_IFNET) {
++ struct sadb_x_ipsecrequest *xisr;
++ 
++ xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
++ new->spidx.reqid = xisr->sadb_x_ipsecrequest_reqid;
++ }
++#endif /* IPSEC_POLICYSCOPE_IFNET */
+ 
+ #ifdef HAVE_SECCTX
+ if (mhp[SADB_X_EXT_SEC_CTX] != NULL) {
+--- src/racoon/policy.c 2018-05-13 07:17:32.815475000 +0300
++++ src/racoon/policy.c 2018-05-13 07:44:40.838093000 +0300
+@@ -197,7 +197,8 @@ cmpspidxstrict(a, b)
+ if (a->dir != b->dir
+ || a->prefs != b->prefs
+ || a->prefd != b->prefd
+- || a->ul_proto != b->ul_proto)
++ || a->ul_proto != b->ul_proto
++ || a->reqid != b->reqid)
+ return 1;
+ 
+ if (cmpsaddr((struct sockaddr *) &a->src,
+@@ -482,8 +483,9 @@ spidx2str(spidx)
+ p += i;
+ blen -= i;
+ 
+- i = snprintf(p, blen, "proto=%s dir=%s",
+- s_proto(spidx->ul_proto), s_direction(spidx->dir));
++ i = snprintf(p, blen, "proto=%s dir=%s reqid=%u",
++ s_proto(spidx->ul_proto), s_direction(spidx->dir),
++ spidx->reqid);
+ 
+ #ifdef HAVE_SECCTX
+ if (spidx->sec_ctx.ctx_strlen) {
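Review bot: In the pk_recvspddump hunk the new length check only establishes `PFKEY_EXTLEN(xpl) >= sizeof(*xpl)`, yet the next statements cast `xpl + 1` to `struct sadb_x_ipsecrequest *` and read `xisr->sadb_x_ipsecrequest_len` and `_reqid` from bytes that check has not covered; the guard should be `if (PFKEY_EXTLEN(xpl) < sizeof(*xpl) + sizeof(*xisr)) {` so the first ipsecrequest header is known to lie inside the policy extension before it is dereferenced, after which the `sadb_x_ipsecrequest_len` test can stay as a consistency check. The addnewsp hunk performs the same `xpl + 1` read with no length validation at all; if addnewsp can be reached from callers other than pk_recvspddump (its callers are outside the hunk) it needs the same guard, as sketched below, with the failure path following whatever convention addnewsp's existing checks use. PF_KEY messages presumably originate in the kernel, so this is about robustness against short or malformed policy extensions rather than an untrusted peer, but the surrounding pfkey.c code validates extension lengths before reading them and these two spots should match it. Both enclosing functions start and end outside the hunk.
```c
#ifdef IPSEC_POLICYSCOPE_IFNET
	if (xpl->sadb_x_policy_scope == IPSEC_POLICYSCOPE_IFNET) {
		struct sadb_x_ipsecrequest *xisr;

		/* the ipsecrequest header follows xpl; it must fit in the extension */
		if (PFKEY_EXTLEN(xpl) < sizeof(*xpl) + sizeof(*xisr)) {
			plog(LLV_ERROR, LOCATION, NULL,
				"invalid xpl msg length.\n");
			/* … fail the way addnewsp's other validation failures do (outside the hunk) … */
		}
		xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
		new->spidx.reqid = xisr->sadb_x_ipsecrequest_reqid;
	}
#endif /* IPSEC_POLICYSCOPE_IFNET */
```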