add support for bsd md5 as a md5sum replacement
1 --- isakmpd-20041012.orig/dpd.c
2 +++ isakmpd-20041012/dpd.c
3 @@ -26,6 +26,7 @@
4  
5  #include <sys/types.h>
6  #include <stdlib.h>
7 +#include <memory.h>
8  
9  #include "sysdep.h"
10  
11 @@ -174,6 +175,7 @@
12                 }
13                 break;
14         default:
15 +       ;
16         }
17  
18         /* Mark handled.  */
19 @@ -223,6 +225,7 @@
20                     dpd_check_event, sa, &tv);
21                 break;
22         default:
23 +       ;
24         }
25         if (!sa->dpd_event) 
26                 log_print("dpd_timer_reset: timer_add_event failed");
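Review bot: `#include <memory.h>` in the first hunk is a legacy, non-standard header; the portable home of memcpy/memset is `#include <string.h>`, and on a musl/uClibc target the old name may not even exist. The two `default: ;` additions are correct (a label must be followed by a statement), but a one-word comment such as `default: ; /* nothing to do */` would make clear that the empty case is deliberate rather than a forgotten body. Both of those hunks sit inside functions whose start and end are outside the patch.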
27 --- isakmpd-20041012.orig/ipsec.c
28 +++ isakmpd-20041012/ipsec.c
29 @@ -1020,6 +1020,52 @@
30         }
31  }
32  
33 +/*
34 + * deal with a NOTIFY of INVALID_SPI
35 + */
36 +static void
37 +ipsec_invalid_spi (struct message *msg, struct payload *p)
38 +{
39 +  struct sockaddr *dst;
40 +  int invspisz, off;
41 +  u_int32_t spi;
42 +  u_int16_t totsiz;
43 +  u_int8_t spisz;
44 +
45 +  /* Any notification that make us do something should be protected */
46 +  if(!TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_HASH]))
47 +    {
48 +      LOG_DBG ((LOG_SA, 40,
49 +              "ipsec_invalid_spi: missing HASH payload in INVALID_SPI"
50 +              " notification"));
51 +      return;
52 +    }
53 +
54 +  /*
55 +   * get the invalid spi out of the variable sized notification data
56 +   * field, which is after the variable sized SPI field [which specifies
57 +   * the receiving entity's phase-1 SPI, not the invalid spi]
58 +   */
59 +  totsiz = GET_ISAKMP_GEN_LENGTH (p->p);
60 +  spisz = GET_ISAKMP_NOTIFY_SPI_SZ (p->p);
61 +  off = ISAKMP_NOTIFY_SPI_OFF + spisz;
62 +  invspisz = totsiz - off;
63 +
64 +  if (invspisz != sizeof spi)
65 +    {
66 +      LOG_DBG ((LOG_SA, 40,
67 +              "ipsec_invalid_spi: SPI size %d in INVALID_SPI "
68 +              "payload unsupported", spisz));
69 +       return;
70 +    }
71 +  memcpy (&spi, p->p + off, sizeof spi);
72 +
73 +  msg->transport->vtbl->get_dst (msg->transport, &dst);
74 +
75 +  /* delete matching SPI's from this peer */
76 +  ipsec_delete_spi_list (dst, 0, (u_int8_t *)&spi, 1, "INVALID_SPI");
77 +}
78 +
79  static int
80  ipsec_responder(struct message *msg)
81  {
82 @@ -1205,7 +1251,9 @@
83                         return dv != IPSEC_ENCAP_TUNNEL
84                             && dv != IPSEC_ENCAP_TRANSPORT
85                             && dv != IPSEC_ENCAP_UDP_ENCAP_TUNNEL
86 -                           && dv != IPSEC_ENCAP_UDP_ENCAP_TRANSPORT;
87 +                           && dv != IPSEC_ENCAP_UDP_ENCAP_TRANSPORT
88 +                           && dv != IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT
89 +                           && dv != IPSEC_ENCAP_UDP_ENCAP_TRANSPORT_DRAFT;
90  #else
91                         return dv < IPSEC_ENCAP_TUNNEL
92                             || dv > IPSEC_ENCAP_TRANSPORT;
93 @@ -1837,7 +1885,7 @@
94  ipsec_get_id(char *section, int *id, struct sockaddr **addr,
95      struct sockaddr **mask, u_int8_t *tproto, u_int16_t *port)
96  {
97 -       char    *type, *address, *netmask;
98 +    char       *type, *address, *netmask;
99  
100         type = conf_get_str(section, "ID-type");
101         if (!type) {
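Review bot: In the new `ipsec_invalid_spi` the size-mismatch branch logs `spisz` (the size of the sender's phase-1 SPI field) although the test that failed is on `invspisz`, so the debug line reports the wrong quantity; use `"ipsec_invalid_spi: invalid-SPI data size %d in INVALID_SPI payload unsupported", invspisz` instead. `invspisz` goes negative when `totsiz < off`, and the rejection then only happens because the `int` is converted to `size_t` for the `!= sizeof spi` comparison; an explicit `if (totsiz < off || totsiz - off != sizeof spi)` states the bound that is actually being enforced on peer-supplied lengths. The function is indented with two spaces against the tab style of the surrounding file, and nothing in this patch calls it, so unless the NOTIFY dispatch elsewhere is updated the compiler will report an unused static function. The final `char *type, *address, *netmask;` hunk is a whitespace-only change and could be dropped from the patch.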
102 --- isakmpd-20041012.orig/GNUmakefile
103 +++ isakmpd-20041012/GNUmakefile
104 @@ -40,12 +40,12 @@
105  # integrated, freebsd/netbsd means FreeBSD/NetBSD with KAME IPsec.
106  # darwin means MacOS X 10.2 and later with KAME IPsec. linux means Linux-2.5
107  # and later with native IPSec support.
108 -OS=            openbsd
109 +#OS=           openbsd
110  #OS=           netbsd
111  #OS=           freebsd
112  #OS=           freeswan
113  #OS=           darwin
114 -#OS=           linux
115 +OS=            linux
116  
117  .CURDIR:=      $(shell pwd)
118  VPATH=         ${.CURDIR}/sysdep/${OS}
119 @@ -55,9 +55,10 @@
120  ifndef BINDIR
121  BINDIR=                /sbin
122  endif
123 -ifndef LDSTATIC
124 -LDSTATIC=      -static
125 -endif
126 +
127 +#ifndef LDSTATIC
128 +#LDSTATIC=     -static
129 +#endif
130  
131  SRCS=          app.c attribute.c cert.c connection.c \
132                 constants.c conf.c cookie.c crypto.c dh.c doi.c exchange.c \
133 @@ -131,11 +132,14 @@
134  ifneq ($(findstring install,$(MAKECMDGOALS)),install)
135  # Skip 'regress' until the regress/ structure has gmake makefiles for it.
136  #SUBDIR:=      regress
137 -SUBDIR:=
138 +#SUBDIR:=      apps/certpatch
139  mksubdirs:
140         $(foreach DIR, ${SUBDIR}, \
141 -               cd ${DIR}; ${MAKE} ${MAKEFLAGS} CFLAGS="${CFLAGS}" \
142 -                       MKDEP="${MKDEP}" ${MAKECMDGOALS})
143 +               cd ${.CURDIR}/${DIR}; ${MAKE} ${MAKECMDGOALS};)
144 +               
145 +#      $(foreach DIR, ${SUBDIR}, \
146 +#              cd ${DIR}; ${MAKE} CFLAGS="${CFLAGS}" \
147 +#                      MKDEP="${MKDEP}" ${MAKECMDGOALS})
148  else
149  mksubdirs:
150  endif
151 @@ -173,7 +177,7 @@
152  endif
153  
154  SRCS+=         ${IPSEC_SRCS} ${X509} ${POLICY} ${EC} ${AGGRESSIVE} ${DNSSEC} \
155 -               $(ISAKMP_CFG)
156 +                       $(ISAKMP_CFG) ${DPD} ${NAT_TRAVERSAL}
157  CFLAGS+=       ${IPSEC_CFLAGS}
158  LDADD+=                ${DESLIB}
159  DPADD+=                ${DESLIBDEP}
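Review bot: The rewritten `mksubdirs` recipe keeps the previous `$(foreach …)` body as three commented-out lines, and the `LDSTATIC` hunk likewise comments the block out instead of deleting it; dead Makefile text should be removed, since the old form is preserved in the original tarball the patch applies to. The new sub-make line `cd ${.CURDIR}/${DIR}; ${MAKE} ${MAKECMDGOALS};)` also drops `${MAKEFLAGS}`, `CFLAGS="${CFLAGS}"` and `MKDEP="${MKDEP}"`, so a subdirectory build no longer inherits the top-level flags — if that is intended, a one-line comment saying why would save the next reader a search. The whitespace-only line added right after it should be dropped as well.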
160 --- isakmpd-20041012.orig/exchange.h
161 +++ isakmpd-20041012/exchange.h
162 @@ -221,6 +221,8 @@
163  #define EXCHANGE_FLAG_NAT_T_ENABLE     0x10    /* We are doing NAT-T.  */
164  #define EXCHANGE_FLAG_NAT_T_KEEPALIVE  0x20    /* We are the NAT:ed peer.  */
165  #define EXCHANGE_FLAG_DPD_CAP_PEER     0x40    /* Peer is DPD capable.  */
166 +#define EXCHANGE_FLAG_NAT_T_RFC                0x0080  /* Peer does RFC NAT-T. */
167 +#define EXCHANGE_FLAG_NAT_T_DRAFT      0x0100  /* Peer does draft NAT-T.*/
168  
169  extern int      exchange_add_certs(struct message *);
170  extern void     exchange_finalize(struct message *);
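Review bot: `EXCHANGE_FLAG_NAT_T_RFC 0x0080` and `EXCHANGE_FLAG_NAT_T_DRAFT 0x0100` push the flag set beyond eight bits, so they are only safe if the `flags` member of `struct exchange` is at least 16 bits wide; that definition is outside this hunk and should be checked before the flags are relied on in nat_traversal.c. Writing them as `0x80` and `0x100` would match the `0x10`/`0x20`/`0x40` style of the neighbouring lines, and the trailing comment `/* Peer does draft NAT-T.*/` is missing the space before `*/` that the others have.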
171 --- isakmpd-20041012.orig/log.c
172 +++ isakmpd-20041012/log.c
173 @@ -79,7 +79,6 @@
174  
175  struct packhdr {
176         struct pcap_pkthdr pcap;/* pcap file packet header */
177 -       u_int32_t sa_family;    /* address family */
178         union {
179                 struct ip       ip4;    /* IPv4 header (w/o options) */
180                 struct ip6_hdr  ip6;    /* IPv6 header */
181 @@ -97,7 +96,7 @@
182  static u_int8_t *packet_buf = NULL;
183  
184  static int      udp_cksum(struct packhdr *, const struct udphdr *,
185 -    u_int16_t *);
186 +    u_int16_t *, int);
187  static u_int16_t in_cksum(const u_int16_t *, int);
188  #endif                         /* USE_DEBUG */
189  
190 @@ -539,11 +538,9 @@
191         udp.uh_ulen = htons(datalen);
192  
193         /* ip */
194 -       hdr.sa_family = htonl(src->sa_family);
195         switch (src->sa_family) {
196         default:
197                 /* Assume IPv4. XXX Can 'default' ever happen here?  */
198 -               hdr.sa_family = htonl(AF_INET);
199                 hdr.ip.ip4.ip_src.s_addr = 0x02020202;
200                 hdr.ip.ip4.ip_dst.s_addr = 0x01010101;
201                 /* The rest of the setup is common to AF_INET.  */
202 @@ -584,9 +581,7 @@
203         }
204  
205         /* Calculate UDP checksum.  */
206 -       udp.uh_sum = udp_cksum(&hdr, &udp, (u_int16_t *) packet_buf);
207 -       hdrlen += sizeof hdr.sa_family;
208 -
209 +       udp.uh_sum = udp_cksum(&hdr, &udp, (u_int16_t *) packet_buf, src->sa_family);
210         /* pcap file packet header */
211         gettimeofday(&tv, 0);
212         hdr.pcap.ts.tv_sec = tv.tv_sec;
213 @@ -610,7 +605,7 @@
214  
215  /* Copied from tcpdump/print-udp.c, mostly rewritten.  */
216  static int
217 -udp_cksum(struct packhdr *hdr, const struct udphdr *u, u_int16_t *d)
218 +udp_cksum(struct packhdr *hdr, const struct udphdr *u, u_int16_t *d, int af)
219  {
220         struct ip       *ip4;
221         struct ip6_hdr  *ip6;
222 @@ -639,7 +634,7 @@
223  
224         /* Setup pseudoheader.  */
225         memset(phu.pa, 0, sizeof phu);
226 -       switch (ntohl(hdr->sa_family)) {
227 +       switch (af) {
228         case AF_INET:
229                 ip4 = &hdr->ip.ip4;
230                 memcpy(&phu.ip4p.src, &ip4->ip_src, sizeof(struct in_addr));
231 @@ -664,7 +659,7 @@
232  
233         /* IPv6 wants a 0xFFFF checksum "on error", not 0x0.  */
234         if (tlen < 0)
235 -               return (ntohl(hdr->sa_family) == AF_INET ? 0 : 0xFFFF);
236 +               return (af == AF_INET ? 0 : 0xFFFF);
237  
238         sum = 0;
239         for (i = 0; i < hdrlen; i += 2)
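Review bot: Dropping `hdr.sa_family = htonl(AF_INET);` from the `default:` case of `switch (src->sa_family)` changes what `udp_cksum()` is told: the packet is still assembled as IPv4 there, but the new call passes the raw `src->sa_family`, so for any family other than AF_INET/AF_INET6 the pseudoheader `switch (af)` matches no case and the `tlen < 0` path returns 0xFFFF where it used to return 0. The comment says that case may be unreachable, but keeping the coercion costs three lines: declare `int af = src->sa_family;`, set `af = AF_INET;` inside the `default:` branch, and call `udp_cksum(&hdr, &udp, (u_int16_t *) packet_buf, af)`. The enclosing function starts and ends outside the hunk; the matching `struct packhdr` shrink in the first hunk is consistent with the pcap writer no longer emitting the family word.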
240 --- isakmpd-20041012.orig/nat_traversal.c
241 +++ isakmpd-20041012/nat_traversal.c
242 @@ -1,4 +1,4 @@
243 -/*     $OpenBSD: nat_traversal.c,v 1.7 2004/08/08 19:11:06 deraadt Exp $       */
244 +/*     $OpenBSD: nat_traversal.c,v 1.17 2006/06/14 14:03:33 hshoexer Exp $     */
245  
246  /*
247   * Copyright (c) 2004 HÃ¥kan Olsson.  All rights reserved.
248 @@ -48,40 +48,40 @@
249  #include "util.h"
250  #include "virtual.h"
251  
252 +int    disable_nat_t = 0;
253 +
254  /*
255 - * XXX According to draft-ietf-ipsec-nat-t-ike-07.txt, the NAT-T
256 - * capability of the other peer is determined by a particular vendor ID
257 - * sent as the first message. This vendor ID string is supposed to be a
258 - * MD5 hash of "RFC XXXX", where XXXX is the future RFC number.
259 + * NAT-T capability of the other peer is determined by a particular vendor
260 + * ID sent in the first message. This vendor ID string is supposed to be a
261 + * MD5 hash of "RFC 3947".
262   *
263   * These seem to be the "well" known variants of this string in use by
264   * products today.
265   */
266 -static const char *isakmp_nat_t_cap_text[] = {
267 -       "draft-ietf-ipsec-nat-t-ike-00",        /* V1 (XXX: may be obsolete) */
268 -       "draft-ietf-ipsec-nat-t-ike-02\n",      /* V2 */
269 -       "draft-ietf-ipsec-nat-t-ike-03",        /* V3 */
270 -#ifdef notyet
271 -       "RFC XXXX",
272 -#endif
273 +
274 +static struct nat_t_cap isakmp_nat_t_cap[] = {
275 +       { VID_DRAFT_V2_N, EXCHANGE_FLAG_NAT_T_DRAFT,
276 +         "draft-ietf-ipsec-nat-t-ike-02\n", NULL, 0 },
277 +       { VID_DRAFT_V3, EXCHANGE_FLAG_NAT_T_DRAFT,
278 +         "draft-ietf-ipsec-nat-t-ike-03", NULL, 0 },
279 +       { VID_RFC3947, EXCHANGE_FLAG_NAT_T_RFC,
280 +         "RFC 3947", NULL, 0 },
281  };
282  
283 +#define NUMNATTCAP     (sizeof isakmp_nat_t_cap / sizeof isakmp_nat_t_cap[0])
284 +
285  /* In seconds. Recommended in draft-ietf-ipsec-udp-encaps-09.  */
286  #define NAT_T_KEEPALIVE_INTERVAL       20
287  
288 -/* The MD5 hashes of the above strings is put in this array.  */
289 -static char    **nat_t_hashes;
290 -static size_t    nat_t_hashsize;
291 -
292  static int     nat_t_setup_hashes(void);
293 -static int     nat_t_add_vendor_payload(struct message *, char *);
294 +static int     nat_t_add_vendor_payload(struct message *, struct nat_t_cap *);
295  static int     nat_t_add_nat_d(struct message *, struct sockaddr *);
296  static int     nat_t_match_nat_d_payload(struct message *, struct sockaddr *);
297  
298  void
299  nat_t_init(void)
300  {
301 -       nat_t_hashes = (char **)NULL;
302 +       nat_t_setup_hashes();
303  }
304  
305  /* Generate the NAT-T capability marker hashes. Executed only once.  */
306 @@ -89,7 +89,7 @@
307  nat_t_setup_hashes(void)
308  {
309         struct hash *hash;
310 -       int n = sizeof isakmp_nat_t_cap_text / sizeof isakmp_nat_t_cap_text[0];
311 +       int n = NUMNATTCAP;
312         int i;
313  
314         /* The draft says to use MD5.  */
315 @@ -100,56 +100,49 @@
316                     "could not find MD5 hash structure!");
317                 return -1;
318         }
319 -       nat_t_hashsize = hash->hashsize;
320  
321 -       /* Allocate one more than is necessary, i.e NULL terminated.  */
322 -       nat_t_hashes = (char **)calloc((size_t)(n + 1), sizeof(char *));
323 -       if (!nat_t_hashes) {
324 -               log_error("nat_t_setup_hashes: calloc (%lu,%lu) failed",
325 -                   (unsigned long)n, (unsigned long)sizeof(char *));
326 -               return -1;
327 -       }
328 -
329 -       /* Populate with hashes.  */
330 +       /* Populate isakmp_nat_t_cap with hashes.  */
331         for (i = 0; i < n; i++) {
332 -               nat_t_hashes[i] = (char *)malloc(nat_t_hashsize);
333 -               if (!nat_t_hashes[i]) {
334 +               isakmp_nat_t_cap[i].hashsize = hash->hashsize;
335 +               isakmp_nat_t_cap[i].hash = (char *)malloc(hash->hashsize);
336 +               if (!isakmp_nat_t_cap[i].hash) {
337                         log_error("nat_t_setup_hashes: malloc (%lu) failed",
338 -                           (unsigned long)nat_t_hashsize);
339 +                           (unsigned long)hash->hashsize);
340                         goto errout;
341                 }
342  
343                 hash->Init(hash->ctx);
344                 hash->Update(hash->ctx,
345 -                   (unsigned char *)isakmp_nat_t_cap_text[i],
346 -                   strlen(isakmp_nat_t_cap_text[i]));
347 -               hash->Final(nat_t_hashes[i], hash->ctx);
348 +                   (unsigned char *)isakmp_nat_t_cap[i].text,
349 +                   strlen(isakmp_nat_t_cap[i].text));
350 +               hash->Final(isakmp_nat_t_cap[i].hash, hash->ctx);
351  
352                 LOG_DBG((LOG_EXCHANGE, 50, "nat_t_setup_hashes: "
353 -                   "MD5(\"%s\") (%lu bytes)", isakmp_nat_t_cap_text[i],
354 -                   (unsigned long)nat_t_hashsize));
355 +                   "MD5(\"%s\") (%lu bytes)", isakmp_nat_t_cap[i].text,
356 +                   (unsigned long)hash->hashsize));
357                 LOG_DBG_BUF((LOG_EXCHANGE, 50, "nat_t_setup_hashes",
358 -                   nat_t_hashes[i], nat_t_hashsize));
359 +                   isakmp_nat_t_cap[i].hash, hash->hashsize));
360         }
361  
362         return 0;
363  
364 -  errout:
365 +errout:
366         for (i = 0; i < n; i++)
367 -               if (nat_t_hashes[i])
368 -                       free(nat_t_hashes[i]);
369 -       free(nat_t_hashes);
370 -       nat_t_hashes = NULL;
371 +               if (isakmp_nat_t_cap[i].hash)
372 +                       free(isakmp_nat_t_cap[i].hash);
373         return -1;
374  }
375  
376  /* Add one NAT-T VENDOR payload.  */
377  static int
378 -nat_t_add_vendor_payload(struct message *msg, char *hash)
379 +nat_t_add_vendor_payload(struct message *msg, struct nat_t_cap *cap)
380  {
381 -       size_t   buflen = nat_t_hashsize + ISAKMP_GEN_SZ;
382 +       size_t    buflen = cap->hashsize + ISAKMP_GEN_SZ;
383         u_int8_t *buf;
384  
385 +       if (disable_nat_t)
386 +               return 0;
387 +
388         buf = malloc(buflen);
389         if (!buf) {
390                 log_error("nat_t_add_vendor_payload: malloc (%lu) failed",
391 @@ -158,12 +151,11 @@
392         }
393  
394         SET_ISAKMP_GEN_LENGTH(buf, buflen);
395 -       memcpy(buf + ISAKMP_VENDOR_ID_OFF, hash, nat_t_hashsize);
396 +       memcpy(buf + ISAKMP_VENDOR_ID_OFF, cap->hash, cap->hashsize);
397         if (message_add_payload(msg, ISAKMP_PAYLOAD_VENDOR, buf, buflen, 1)) {
398                 free(buf);
399                 return -1;
400         }
401 -
402         return 0;
403  }
404  
405 @@ -171,16 +163,14 @@
406  int
407  nat_t_add_vendor_payloads(struct message *msg)
408  {
409 -       int i = 0;
410 +       int i;
411  
412 -       if (!nat_t_hashes)
413 -               if (nat_t_setup_hashes())
414 -                       return 0;  /* XXX should this be an error?  */
415 +       if (disable_nat_t)
416 +               return 0;
417  
418 -       while (nat_t_hashes[i])
419 -               if (nat_t_add_vendor_payload(msg, nat_t_hashes[i++]))
420 +       for (i = 0; i < NUMNATTCAP; i++)
421 +               if (nat_t_add_vendor_payload(msg, &isakmp_nat_t_cap[i]))
422                         return -1;
423 -
424         return 0;
425  }
426  
427 @@ -192,36 +182,31 @@
428  {
429         u_int8_t *pbuf = p->p;
430         size_t    vlen;
431 -       int       i = 0;
432 +       int       i;
433  
434 -       /* Already checked? */
435 -       if (p->flags & PL_MARK ||
436 -           msg->exchange->flags & EXCHANGE_FLAG_NAT_T_CAP_PEER)
437 +       if (disable_nat_t)
438                 return;
439  
440 -       if (!nat_t_hashes)
441 -               if (nat_t_setup_hashes())
442 -                       return;
443 -
444         vlen = GET_ISAKMP_GEN_LENGTH(pbuf) - ISAKMP_GEN_SZ;
445 -       if (vlen != nat_t_hashsize) {
446 -               LOG_DBG((LOG_EXCHANGE, 50, "nat_t_check_vendor_payload: "
447 -                   "bad size %lu != %lu", (unsigned long)vlen,
448 -                   (unsigned long)nat_t_hashsize));
449 -               return;
450 -       }
451  
452 -       while (nat_t_hashes[i])
453 -               if (memcmp(nat_t_hashes[i++], pbuf + ISAKMP_GEN_SZ,
454 +       for (i = 0; i < NUMNATTCAP; i++) {
455 +               if (vlen != isakmp_nat_t_cap[i].hashsize) {
456 +                       LOG_DBG((LOG_EXCHANGE, 50, "nat_t_check_vendor_payload: "
457 +                           "bad size %lu != %lu", (unsigned long)vlen,
458 +                           (unsigned long)isakmp_nat_t_cap[i].hashsize));
459 +                       continue;
460 +               }
461 +               if (memcmp(isakmp_nat_t_cap[i].hash, pbuf + ISAKMP_GEN_SZ,
462                     vlen) == 0) {
463                         /* This peer is NAT-T capable.  */
464                         msg->exchange->flags |= EXCHANGE_FLAG_NAT_T_CAP_PEER;
465 +                       msg->exchange->flags |= isakmp_nat_t_cap[i].flags;
466                         LOG_DBG((LOG_EXCHANGE, 10,
467                             "nat_t_check_vendor_payload: "
468                             "NAT-T capable peer detected"));
469                         p->flags |= PL_MARK;
470 -                       return;
471                 }
472 +       }
473  
474         return;
475  }
476 @@ -233,10 +218,8 @@
477  {
478         struct ipsec_exch *ie = (struct ipsec_exch *)msg->exchange->data;
479         struct hash      *hash;
480 -       struct prf       *prf;
481         u_int8_t         *res;
482         in_port_t         port;
483 -       int               prf_type = PRF_HMAC; /* XXX */
484  
485         hash = hash_get(ie->hash->type);
486         if (hash == NULL) {
487 @@ -244,31 +227,25 @@
488                 return NULL;
489         }
490  
491 -       prf = prf_alloc(prf_type, hash->type, msg->exchange->cookies,
492 -           ISAKMP_HDR_COOKIES_LEN);
493 -       if(!prf) {
494 -               log_print("nat_t_generate_nat_d_hash: prf_alloc failed");
495 -               return NULL;
496 -       }
497 +       *hashlen = hash->hashsize;
498  
499 -       *hashlen = prf->blocksize;
500         res = (u_int8_t *)malloc((unsigned long)*hashlen);
501         if (!res) {
502                 log_print("nat_t_generate_nat_d_hash: malloc (%lu) failed",
503                     (unsigned long)*hashlen);
504 -               prf_free(prf);
505                 *hashlen = 0;
506                 return NULL;
507         }
508  
509         port = sockaddr_port(sa);
510 -       memset(res, 0, *hashlen);
511 -
512 -       prf->Update(prf->prfctx, sockaddr_addrdata(sa), sockaddr_addrlen(sa));
513 -       prf->Update(prf->prfctx, (unsigned char *)&port, sizeof port);
514 -       prf->Final(res, prf->prfctx);
515 -       prf_free (prf);
516 +       bzero(res, *hashlen);
517  
518 +       hash->Init(hash->ctx);
519 +       hash->Update(hash->ctx, msg->exchange->cookies,
520 +           sizeof msg->exchange->cookies);
521 +       hash->Update(hash->ctx, sockaddr_addrdata(sa), sockaddr_addrlen(sa));
522 +       hash->Update(hash->ctx, (unsigned char *)&port, sizeof port);
523 +       hash->Final(res, hash->ctx);
524         return res;
525  }
526  
527 @@ -276,6 +253,7 @@
528  static int
529  nat_t_add_nat_d(struct message *msg, struct sockaddr *sa)
530  {
531 +       int       ret;
532         u_int8_t *hbuf, *buf;
533         size_t    hbuflen, buflen;
534  
535 @@ -298,11 +276,19 @@
536         memcpy(buf + ISAKMP_NAT_D_DATA_OFF, hbuf, hbuflen);
537         free(hbuf);
538  
539 -       if (message_add_payload(msg, ISAKMP_PAYLOAD_NAT_D, buf, buflen, 1)) {
540 +       if (msg->exchange->flags & EXCHANGE_FLAG_NAT_T_RFC)
541 +               ret = message_add_payload(msg, ISAKMP_PAYLOAD_NAT_D, buf,
542 +                   buflen, 1);
543 +       else if (msg->exchange->flags & EXCHANGE_FLAG_NAT_T_DRAFT)
544 +               ret = message_add_payload(msg, ISAKMP_PAYLOAD_NAT_D_DRAFT,
545 +                   buf, buflen, 1);
546 +       else
547 +               ret = -1;
548 +               
549 +       if (ret) {
550                 free(buf);
551                 return -1;
552         }
553 -
554         return 0;
555  }
556  
557 @@ -312,14 +298,14 @@
558  {
559         struct sockaddr *sa;
560  
561 -       msg->transport->vtbl->get_src(msg->transport, &sa);
562 +       /* Remote address first. */
563 +       msg->transport->vtbl->get_dst(msg->transport, &sa);
564         if (nat_t_add_nat_d(msg, sa))
565                 return -1;
566  
567 -       msg->transport->vtbl->get_dst(msg->transport, &sa);
568 +       msg->transport->vtbl->get_src(msg->transport, &sa);
569         if (nat_t_add_nat_d(msg, sa))
570                 return -1;
571 -
572         return 0;
573  }
574  
575 @@ -336,8 +322,8 @@
576          * If there are no NAT-D payloads in the message, return "found"
577          * as this will avoid NAT-T (see nat_t_exchange_check_nat_d()).
578          */
579 -       p = payload_first(msg, ISAKMP_PAYLOAD_NAT_D);
580 -       if (!p)
581 +       if ((p = payload_first(msg, ISAKMP_PAYLOAD_NAT_D_DRAFT)) == NULL &&
582 +           (p = payload_first(msg, ISAKMP_PAYLOAD_NAT_D)) == NULL)
583                 return 1;
584  
585         hbuf = nat_t_generate_nat_d_hash(msg, sa, &hbuflen);
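Review bot: The `errout:` loop in `nat_t_setup_hashes()` frees `isakmp_nat_t_cap[i].hash` but leaves both the pointer and `hashsize` set, and `nat_t_init()` now discards the function's return value; since `nat_t_add_vendor_payload()` and `nat_t_check_vendor_payload()` read `cap->hash` / `isakmp_nat_t_cap[i].hash` unconditionally, a failed setup leaves the peer-facing vendor-ID code doing memcpy/memcmp on freed or NULL memory (the function's signature is in the preceding hunk). After the `free()` add `isakmp_nat_t_cap[i].hash = NULL;` and `isakmp_nat_t_cap[i].hashsize = 0;`, and either make both consumers skip entries whose `hash` is NULL or have `nat_t_init()` treat a non-zero return as fatal. `for (i = 0; i < NUMNATTCAP; i++)` compares an `int` with a `size_t` in two places, and `bzero(res, *hashlen)` is the legacy spelling of `memset(res, 0, *hashlen)`. `nat_t_check_vendor_payload` now emits the "bad size" debug line once per table entry instead of once per payload; as all three entries carry the same MD5 size, a single pre-loop size check would keep the old behaviour.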
586 --- isakmpd-20041012.orig/udp_encap.c
587 +++ isakmpd-20041012/udp_encap.c
588 @@ -61,6 +61,11 @@
589  
590  #define UDP_SIZE 65536
591  
592 +#if defined(USE_NAT_TRAVERSAL) && defined (LINUX_IPSEC)
593 +#include <linux/socket.h>
594 +#include <linux/udp.h>
595 +#endif
596 +
597  /* If a system doesn't have SO_REUSEPORT, SO_REUSEADDR will have to do.  */
598  #ifndef SO_REUSEPORT
599  #define SO_REUSEPORT SO_REUSEADDR
600 @@ -134,6 +139,18 @@
601         if (sysdep_cleartext(s, laddr->sa_family) == -1)
602                 goto err;
603  
604 +#if defined(USE_NAT_TRAVERSAL) && defined (LINUX_IPSEC)
605 +    {
606 +#ifndef SOL_UDP
607 +#define SOL_UDP 17
608 +#endif
609 +        int option = UDP_ENCAP_ESPINUDP;
610 +        if(setsockopt(s, SOL_UDP, UDP_ENCAP, &option,
611 +                      sizeof (option)) < 0)
612 +            goto err;
613 +    }
614 +#endif
615 +
616         /* Wildcard address ?  */
617         switch (laddr->sa_family) {
618         case AF_INET:
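Review bot: The new `setsockopt(s, SOL_UDP, UDP_ENCAP, …)` block jumps to `err` on failure without recording why, so on a kernel without ESP-in-UDP support the listener disappears silently; add a `log_error("<function>: setsockopt (UDP_ENCAP) failed")` line before the `goto err` (the enclosing function starts and ends outside the hunk, so its name is not visible here). `UDP_ENCAP_ESPINUDP` is taken from `<linux/udp.h>` with no fallback, whereas the pf_key_v2.c hunk supplies `#define UDP_ENCAP_ESPINUDP 2` for the same symbol; the two sites should agree, ideally through one shared definition. The block is indented with spaces where the file uses tabs, and the `#ifndef SOL_UDP` / `#define SOL_UDP 17` pair would read better at file scope next to the new `#include` lines than inside a function body.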
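--- isakmpd-20041012.orig/apps/Makefile
+++ isakmpd-20041012/apps/Makefile
@@ -31,4 +31,4 @@
 
 SUBDIR= certpatch
 
-.include <bsd.subdir.mk>
+#.include <bsd.subdir.mk>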
627 --- isakmpd-20041012.orig/apps/certpatch/GNUmakefile
628 +++ isakmpd-20041012/apps/certpatch/GNUmakefile
629 @@ -0,0 +1,55 @@
630 +#      $OpenBSD: Makefile,v 1.7 2003/06/03 14:35:00 ho Exp $
631 +#      $EOM: Makefile,v 1.6 2000/03/28 21:22:06 ho Exp $
632 +
633 +#
634 +# Copyright (c) 1999 Niels Provos.  All rights reserved.
635 +# Copyright (c) 2001 Niklas Hallqvist.  All rights reserved.
636 +#
637 +# Redistribution and use in source and binary forms, with or without
638 +# modification, are permitted provided that the following conditions
639 +# are met:
640 +# 1. Redistributions of source code must retain the above copyright
641 +#    notice, this list of conditions and the following disclaimer.
642 +# 2. Redistributions in binary form must reproduce the above copyright
643 +#    notice, this list of conditions and the following disclaimer in the
644 +#    documentation and/or other materials provided with the distribution.
645 +#
646 +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
647 +# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
648 +# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
649 +# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
650 +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
651 +# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
652 +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
653 +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
654 +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
655 +# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
656 +#
657 +
658 +#
659 +# This code was written under funding by Ericsson Radio Systems.
660 +#
661 +
662 +PROG=          certpatch
663 +SRCS=          certpatch.c
664 +BINDIR?=       /usr/sbin
665 +TOPSRC=                ${.CURDIR}../..
666 +TOPOBJ!=       cd ${TOPSRC}; printf "all:\n\t@pwd\n" |${MAKE} -f-
667 +OS=                    linux
668 +FEATURES!=     awk '/^FEATURES=/ { print $$0 }' ${.CURDIR}/../../Makefile | sed 's/FEATURES=.//'
669 +.PATH:         ${TOPSRC} ${TOPSRC}/sysdep/${OS} ${TOPOBJ}
670 +CFLAGS+=       -I${TOPSRC} -I${TOPSRC}/sysdep/${OS} -I${TOPOBJ} -Wall
671 +LDFLAGS+=      -lcrypto -lssl -lgmp
672 +MAN=           certpatch.8
673 +
674 +CFLAGS+=       -DMP_FLAVOUR=MP_FLAVOUR_GMP
675 +LDADD+=                -lgmp
676 +DPADD+=                ${LIBGMP}
677 +
678 +# Override LIBSYSDEPDIR definition from Makefile.sysdep
679 +LIBSYSDEPDIR=  ${TOPSRC}/sysdep/common/libsysdep
680 +
681 +all:   ${PROG}
682 +
683 +clean: 
684 +       rm -f ${PROG}
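Review bot: `TOPSRC= ${.CURDIR}../..` is missing the path separator after `${.CURDIR}` (compare `${.CURDIR}/../../Makefile` two lines below), so `-I${TOPSRC}` and the `.PATH:` entries point at a directory that does not exist; it should read `TOPSRC= ${.CURDIR}/../..`. The file is named GNUmakefile but is written in BSD make dialect: `.PATH:` is a BSD directive that GNU make silently treats as an ordinary rule (the GNU equivalent is `VPATH`), `!=` shell assignment only appeared in GNU make 4.0, and `.CURDIR` is never defined here (the top-level GNUmakefile sets it via `$(shell pwd)`), so this file likely does not build at all. Since the top-level hunk leaves `SUBDIR:= apps/certpatch` commented out, nothing exercises it yet; either fix it or leave it out of the patch.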
685 --- isakmpd-20041012.orig/pf_key_v2.c
686 +++ isakmpd-20041012/pf_key_v2.c
687 @@ -1055,6 +1055,10 @@
688  #endif
689  #if defined (USE_NAT_TRAVERSAL) && defined (SADB_X_EXT_UDPENCAP)
690         struct sadb_x_udpencap udpencap;
691 +#elif defined (USE_NAT_TRAVERSAL) && defined (SADB_X_EXT_NAT_T_TYPE)
692 +       struct sadb_x_nat_t_type nat_t_type;
693 +       struct sadb_x_nat_t_port nat_t_sport;
694 +       struct sadb_x_nat_t_port nat_t_dport;
695  #endif
696  #ifdef USE_DEBUG
697         char           *addr_str;
698 @@ -1273,10 +1277,15 @@
699                 log_print("pf_key_v2_set_spi: invalid proto %d", proto->proto);
700                 goto cleanup;
701         }
702 -       if (incoming)
703 +       if (incoming) {
704                 sa->transport->vtbl->get_src(sa->transport, &dst);
705 -       else
706 +               sa->transport->vtbl->get_dst(sa->transport, &src);
707 +       }
708 +       else {
709                 sa->transport->vtbl->get_dst(sa->transport, &dst);
710 +               sa->transport->vtbl->get_src(sa->transport, &src);
711 +       }
712 +
713  #ifdef KAME
714         msg.sadb_msg_seq = (incoming ?
715             pf_key_v2_seq_by_sa(proto->spi[incoming], sizeof ssa.sadb_sa_spi,
716 @@ -1319,12 +1328,13 @@
717         ssa.sadb_sa_flags = 0;
718  #ifdef SADB_X_SAFLAGS_TUNNEL
719         if (iproto->encap_mode == IPSEC_ENCAP_TUNNEL ||
720 -           iproto->encap_mode == IPSEC_ENCAP_UDP_ENCAP_TUNNEL)
721 +           iproto->encap_mode == IPSEC_ENCAP_UDP_ENCAP_TUNNEL ||
722 +           iproto->encap_mode == IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT)
723                 ssa.sadb_sa_flags = SADB_X_SAFLAGS_TUNNEL;
724  #endif
725  
726 -#if defined (USE_NAT_TRAVERSAL) && defined (SADB_X_EXT_UDPENCAP)
727         if (isakmp_sa->flags & SA_FLAG_NAT_T_ENABLE) {
728 +#if defined (USE_NAT_TRAVERSAL) && defined (SADB_X_EXT_UDPENCAP)
729                 memset(&udpencap, 0, sizeof udpencap);
730                 ssa.sadb_sa_flags |= SADB_X_SAFLAGS_UDPENCAP;
731                 udpencap.sadb_x_udpencap_exttype = SADB_X_EXT_UDPENCAP;
732 @@ -1334,8 +1344,40 @@
733                 if (pf_key_v2_msg_add(update, (struct sadb_ext *)&udpencap, 0)
734                     == -1)
735                         goto cleanup;
736 -       }
737 +#elif defined (USE_NAT_TRAVERSAL) && defined (SADB_X_EXT_NAT_T_TYPE)
738 +#ifndef UDP_ENCAP_ESPINUDP
739 +#define UDP_ENCAP_ESPINUDP     2
740 +#endif
741 +               memset(&nat_t_type, 0, sizeof nat_t_type);
742 +               memset(&nat_t_sport, 0, sizeof nat_t_sport);
743 +               memset(&nat_t_dport, 0, sizeof nat_t_dport);
744 +
745 +               /* type = draft-udp-encap-06 */
746 +               nat_t_type.sadb_x_nat_t_type_len = sizeof nat_t_type / PF_KEY_V2_CHUNK;
747 +               nat_t_type.sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
748 +               nat_t_type.sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
749 +               if(pf_key_v2_msg_add(update, (struct sadb_ext *)&nat_t_type, 0) == -1)
750 +                       goto cleanup;
751 +
752 +               /* source port */
753 +               nat_t_sport.sadb_x_nat_t_port_len = sizeof nat_t_sport / 
754 +                                                          PF_KEY_V2_CHUNK;
755 +               nat_t_sport.sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
756 +               nat_t_sport.sadb_x_nat_t_port_port = sockaddr_port(src);
757 +               if(pf_key_v2_msg_add(update, (struct sadb_ext *)&nat_t_sport, 0) == -1)
758 +                       goto cleanup;
759 +
760 +               /* destination port */
761 +               nat_t_dport.sadb_x_nat_t_port_len = sizeof nat_t_dport / 
762 +                                                          PF_KEY_V2_CHUNK;
763 +               nat_t_dport.sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
764 +               nat_t_dport.sadb_x_nat_t_port_port = sockaddr_port(dst);
765 +               if(pf_key_v2_msg_add(update, (struct sadb_ext *)&nat_t_dport, 0) == -1)
766 +                       goto cleanup;
767 +
768 +               /* original address (transport mode checksum missing info) goes here */
769  #endif
770 +    }
771  
772         if (pf_key_v2_msg_add(update, (struct sadb_ext *)&ssa, 0) == -1)
773                 goto cleanup;
774 @@ -1395,10 +1437,6 @@
775         /*
776          * Setup the ADDRESS extensions.
777           */
778 -       if (incoming)
779 -               sa->transport->vtbl->get_dst(sa->transport, &src);
780 -       else
781 -               sa->transport->vtbl->get_src(sa->transport, &src);
782         len = sizeof *addr + PF_KEY_V2_ROUND(sysdep_sa_len(src));
783         addr = calloc(1, len);
784         if (!addr)
785 @@ -2167,7 +2205,7 @@
786                 pf_key_v2_msg_free(ret);
787         return -1;
788  
789 -#elif defined (SADB_X_SPDADD) && defined (SADB_X_SPDDELETE)
790 +#elif defined (SADB_X_SPDUPDATE) && defined (SADB_X_SPDDELETE)
791         struct sadb_msg msg;
792         struct sadb_x_policy *policy = 0;
793         struct sadb_x_ipsecrequest *ipsecrequest;
794 @@ -2181,7 +2219,7 @@
795         struct sockaddr_in *ip4_sa;
796         struct sockaddr_in6 *ip6_sa;
797  
798 -       msg.sadb_msg_type = delete ? SADB_X_SPDDELETE : SADB_X_SPDADD;
799 +       msg.sadb_msg_type = delete ? SADB_X_SPDDELETE : SADB_X_SPDUPDATE;
800         msg.sadb_msg_satype = SADB_SATYPE_UNSPEC;
801         msg.sadb_msg_seq = 0;
802         flow = pf_key_v2_msg_new(&msg, 0);
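Review bot: `nat_t_sport.sadb_x_nat_t_port_port = sockaddr_port(src)` and the matching `dport` line hand the port to the kernel exactly as `sockaddr_port()` returns it; as far as I recall the Linux PF_KEY NAT-T port extension is copied straight into the SA's encapsulation template and is expected in network byte order, so this is only right if `sockaddr_port()` returns the raw `sin_port`/`sin6_port` — confirm and record it with `/* network byte order, as the kernel expects */`. The line `/* original address (transport mode checksum missing info) goes here */` describes work that is not done: without a NAT-OA extension, transport-mode SAs behind a NAT get no checksum fix-up, so mark it as an explicit `XXX` rather than a neutral placeholder. Style-wise, the closing `}` of the `if (isakmp_sa->flags & SA_FLAG_NAT_T_ENABLE)` block is indented with spaces against the tab used for its opening line, and the three `if(pf_key_v2_msg_add(…) == -1)` lines lack the space after `if` used elsewhere in the hunk. These hunks are inside `pf_key_v2_set_spi`, whose start and end lie outside the patch.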
803 --- isakmpd-20041012.orig/isakmp_num.cst
804 +++ isakmpd-20041012/isakmp_num.cst
805 @@ -57,15 +57,18 @@
806    KD                           17      # RFC 3547, Key Download
807    SEQ                          18      # RFC 3547, Sequence Number
808    POP                          19      # RFC 3547, Proof of possession
809 -  RESERVED_MIN                 20
810 +  NAT_D                                20      # RFC 3947, NAT Discovery payload
811 +  NAT_OA                       21      # RFC 3947, NAT Original Address payload
812 +  RESERVED_MIN                 22
813    RESERVED_MAX                 127
814    PRIVATE_MIN                  128
815  # XXX values from draft-ietf-ipsec-nat-t-ike-01,02,03. Later drafts specify
816  # XXX NAT_D as payload 15 and NAT_OA as 16, but these are allocated by RFC
817  # XXX 3547 as seen above.
818 -  NAT_D                                130     # NAT Discovery payload
819 -  NAT_OA                       131     # NAT Original Address payload
820 +  NAT_D_DRAFT                  130     # NAT Discovery payload
821 +  NAT_OA_DRAFT                 131     # NAT Original Address payload
822    PRIVATE_MAX                  255
823 +  MAX                          255
824  .
825  
826  # ISAKMP exchange types.
827 --- isakmpd-20041012.orig/ipsec_num.cst
828 +++ isakmpd-20041012/ipsec_num.cst
829 @@ -62,10 +62,10 @@
830  IPSEC_ENCAP
831    TUNNEL                               1
832    TRANSPORT                            2
833 -  FUTURE_UDP_ENCAP_TUNNEL              3       # XXX Not yet assigned
834 -  FUTURE_UDP_ENCAP_TRANSPORT           4       # XXX Not yet assigned
835 -  UDP_ENCAP_TUNNEL                     61443   # draft-ietf-ipsec-nat-t-ike
836 -  UDP_ENCAP_TRANSPORT                  61443   # draft-ietf-ipsec-nat-t-ike
837 +  UDP_ENCAP_TUNNEL                     3
838 +  UDP_ENCAP_TRANSPORT                  4
839 +  UDP_ENCAP_TUNNEL_DRAFT               61443   # draft-ietf-ipsec-nat-t-ike
840 +  UDP_ENCAP_TRANSPORT_DRAFT            61443   # draft-ietf-ipsec-nat-t-ike
841  .
842  
843  # IPSEC authentication algorithm.
844 --- isakmpd-20041012.orig/nat_traversal.h
845 +++ isakmpd-20041012/nat_traversal.h
846 @@ -1,4 +1,4 @@
847 -/*     $OpenBSD: nat_traversal.h,v 1.2 2004/06/21 23:27:10 ho Exp $    */
848 +/*     $OpenBSD: nat_traversal.h,v 1.4 2005/07/25 15:03:47 hshoexer Exp $      */
849  
850  /*
851   * Copyright (c) 2004 HÃ¥kan Olsson.  All rights reserved.
852 @@ -27,6 +27,24 @@
853  #ifndef _NAT_TRAVERSAL_H_
854  #define _NAT_TRAVERSAL_H_
855  
856 +#define VID_DRAFT_V2   0
857 +#define VID_DRAFT_V2_N 1
858 +#define VID_DRAFT_V3   2
859 +#define VID_RFC3947    3
860 +
861 +struct nat_t_cap {
862 +       int              id;
863 +       u_int32_t        flags;
864 +       const char      *text;
865 +       char            *hash;
866 +       size_t           hashsize;
867 +};
868 +
869 +/*
870 + * Set if -T is given on the command line to disable NAT-T support.
871 + */
872 +extern int     disable_nat_t;
873 +
874  void   nat_t_init(void);
875  int    nat_t_add_vendor_payloads(struct message *);
876  void   nat_t_check_vendor_payload(struct message *, struct payload *);
877 --- isakmpd-20041012.orig/message.c
878 +++ isakmpd-20041012/message.c
879 @@ -112,6 +112,7 @@
880         message_validate_hash, message_validate_sig, message_validate_nonce,
881         message_validate_notify, message_validate_delete,
882         message_validate_vendor, message_validate_attribute,
883 +       message_validate_nat_d, message_validate_nat_oa,
884         message_validate_nat_d, message_validate_nat_oa
885  };
886  
887 @@ -120,7 +121,7 @@
888         isakmp_id_fld, isakmp_cert_fld, isakmp_certreq_fld, isakmp_hash_fld,
889         isakmp_sig_fld, isakmp_nonce_fld, isakmp_notify_fld, isakmp_delete_fld,
890         isakmp_vendor_fld, isakmp_attribute_fld, isakmp_nat_d_fld,
891 -       isakmp_nat_oa_fld
892 +       isakmp_nat_oa_fld, isakmp_nat_d_fld, isakmp_nat_oa_fld
893  };
894  
895  /*
896 @@ -138,7 +139,8 @@
897         ISAKMP_PAYLOAD_SAK, ISAKMP_PAYLOAD_SAT, ISAKMP_PAYLOAD_KD,
898         ISAKMP_PAYLOAD_SEQ, ISAKMP_PAYLOAD_POP
899  #endif
900 -       ISAKMP_PAYLOAD_NAT_D, ISAKMP_PAYLOAD_NAT_OA
901 +       ISAKMP_PAYLOAD_NAT_D, ISAKMP_PAYLOAD_NAT_OA, 
902 +       ISAKMP_PAYLOAD_NAT_D_DRAFT, ISAKMP_PAYLOAD_NAT_OA_DRAFT
903  };
904  
905  static u_int8_t payload_map[256];
906 @@ -347,8 +349,8 @@
907                 }
908                 /* Ignore most private payloads.  */
909                 if (next >= ISAKMP_PAYLOAD_PRIVATE_MIN &&
910 -                   next != ISAKMP_PAYLOAD_NAT_D &&
911 -                   next != ISAKMP_PAYLOAD_NAT_OA) {
912 +                   next != ISAKMP_PAYLOAD_NAT_D_DRAFT &&
913 +                   next != ISAKMP_PAYLOAD_NAT_OA_DRAFT) {
914                         LOG_DBG((LOG_MESSAGE, 30, "message_parse_payloads: "
915                             "private next payload type %s in payload of "
916                             "type %d ignored",
917 @@ -460,8 +462,10 @@
918                 return ISAKMP_ATTRIBUTE_SZ;
919  #if defined (USE_NAT_TRAVERSAL)
920         case ISAKMP_PAYLOAD_NAT_D:
921 +       case ISAKMP_PAYLOAD_NAT_D_DRAFT:
922                 return ISAKMP_NAT_D_SZ;
923         case ISAKMP_PAYLOAD_NAT_OA:
924 +       case ISAKMP_PAYLOAD_NAT_OA_DRAFT:
925                 return ISAKMP_NAT_OA_SZ;
926  #endif
927         /* Not yet supported and any other unknown payloads. */
928 --- isakmpd-20041012.orig/policy.c
929 +++ isakmpd-20041012/policy.c
930 @@ -511,7 +511,10 @@
931                                                         break;
932                                                 }
933  #if defined (USE_NAT_TRAVERSAL)
934 -                                       else if (decode_16(value) == IPSEC_ENCAP_UDP_ENCAP_TUNNEL)
935 +                                       else if (decode_16(value) ==
936 +                                           IPSEC_ENCAP_UDP_ENCAP_TUNNEL ||
937 +                                           decode_16(value) ==
938 +                                           IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT)
939                                                 switch (proto->proto) {
940                                                 case IPSEC_PROTO_IPSEC_AH:
941                                                         ah_encapsulation = "udp-encap-tunnel";
942 @@ -1932,7 +1935,7 @@
943  void
944  policy_init(void)
945  {
946 -       char           *ptr, *policy_file;
947 +       char           *ptr, *policy_file, *use_keynote;
948         char          **asserts;
949         size_t          sz, len;
950         int             fd, i;
951 @@ -1940,10 +1943,11 @@
952         LOG_DBG((LOG_POLICY, 30, "policy_init: initializing"));
953  
954         /* Do we want to use the policy modules?  */
955 -       if (ignore_policy ||
956 -           strncmp("yes", conf_get_str("General", "Use-Keynote"), 3))
957 -               return;
958 -
959 +       use_keynote = conf_get_str("General", "Use-Keynote");
960 +       if (ignore_policy || 
961 +               (use_keynote && strncmp("yes", use_keynote, 3)))
962 +                return;
963
964         /* Get policy file from configuration.  */
965         policy_file = conf_get_str("General", "Policy-file");
966         if (!policy_file)
967 --- isakmpd-20041012.orig/ike_phase_1.c
968 +++ isakmpd-20041012/ike_phase_1.c
969 @@ -1040,9 +1040,9 @@
970  
971                 /* Compare expected/desired and received remote ID */
972                 if (bcmp(rid, payload->p + ISAKMP_ID_DATA_OFF, sz)) {
973 -                       free(rid);
974                         log_print("ike_phase_1_recv_ID: "
975 -                           "received remote ID other than expected %s", p);
976 +                           "received remote ID other than expected %s - %s", p, payload->p);
977 +                       free(rid);
978                         return -1;
979                 }
980                 free(rid);
981 --- isakmpd-20041012.orig/x509.c
982 +++ isakmpd-20041012/x509.c
983 @@ -910,7 +910,11 @@
984         X509_STORE_CTX_init(&csc, x509_cas, cert, NULL);
985  #if OPENSSL_VERSION_NUMBER >= 0x00907000L
986         /* XXX See comment in x509_read_crls_from_dir.  */
987 +#if OPENSSL_VERSION_NUMBER >= 0x00908000L
988 +       if (x509_cas->param->flags & X509_V_FLAG_CRL_CHECK) {
989 +#else
990         if (x509_cas->flags & X509_V_FLAG_CRL_CHECK) {
991 +#endif
992                 X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK);
993                 X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK_ALL);
994         }
995 --- isakmpd-20041012.orig/sysdep/linux/sysdep.c
996 +++ isakmpd-20041012/sysdep/linux/sysdep.c
997 @@ -169,22 +169,22 @@
998      return 0;
999  
1000    if (!(af == AF_INET || af == AF_INET6))
1001 -    {
1002 +    { 
1003        log_print ("sysdep_cleartext: unsupported protocol family %d", af);
1004        return -1;
1005      }
1006  
1007    if (setsockopt (fd, af == AF_INET ? IPPROTO_IP : IPPROTO_IPV6,
1008 -                 af == AF_INET ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY,
1009 -                 &pol_in, sizeof pol_in) < 0 ||
1010 +          af == AF_INET ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY,
1011 +          &pol_in, sizeof pol_in) < 0 ||
1012        setsockopt (fd, af == AF_INET ? IPPROTO_IP : IPPROTO_IPV6,
1013 -                 af == AF_INET ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY,
1014 -                 &pol_out, sizeof pol_out) < 0)
1015 -    {
1016 +          af == AF_INET ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY,
1017 +          &pol_out, sizeof pol_out) < 0)
1018 +    { 
1019        log_error ("sysdep_cleartext: "
1020 -                "setsockopt (%d, IPPROTO_IP%s, IP%s_IPSEC_POLICY, ...) "
1021 -                "failed", fd, af == AF_INET ? "" : "V6",
1022 -                af == AF_INET ? "" : "V6");
1023 +         "setsockopt (%d, IPPROTO_IP%s, IP%s_IPSEC_POLICY, ...) "
1024 +         "failed", fd, af == AF_INET ? "" : "V6",
1025 +         af == AF_INET ? "" : "V6");
1026        return -1;
1027      }
1028    return 0;
1029 --- isakmpd-20041012.orig/sysdep/linux/GNUmakefile.sysdep
1030 +++ isakmpd-20041012/sysdep/linux/GNUmakefile.sysdep
1031 @@ -33,13 +33,13 @@
1032  LDADD+=                -lgmp ${LIBSYSDEP} ${LIBCRYPTO}
1033  DPADD+=                ${LIBGMP} ${LIBSYSDEP}
1034  
1035 -CFLAGS+=       -DUSE_OLD_SOCKADDR -DHAVE_PCAP \
1036 -               -DNEED_SYSDEP_APP -DMP_FLAVOUR=MP_FLAVOUR_GMP \
1037 -               -I/usr/src/linux/include -I${.CURDIR}/sysdep/common \
1038 +CFLAGS+=       -DHAVE_GETNAMEINFO -DUSE_OLD_SOCKADDR -DHAVE_PCAP \
1039 +               -DNEED_SYSDEP_APP -DMP_FLAVOUR=MP_FLAVOUR_GMP -DUSE_AES \
1040 +               -I${.CURDIR}/sysdep/linux/include -I${.CURDIR}/sysdep/common \
1041                 -I/usr/include/openssl
1042  
1043  FEATURES=      debug tripledes blowfish cast ec aggressive x509 policy
1044 -FEATURES+=     des aes
1045 +FEATURES+=     dpd nat_traversal isakmp_cfg des aes
1046  
1047  IPSEC_SRCS=    pf_key_v2.c
1048  IPSEC_CFLAGS=  -DUSE_PF_KEY_V2
1049 @@ -51,7 +51,7 @@
1050  # hack libsysdep.a dependenc
1051  ${LIBSYSDEPDIR}/.depend ${LIBSYSDEP}:
1052         cd ${LIBSYSDEPDIR} && \
1053 -               ${MAKE} --no-print-directory ${MAKEFLAGS} \
1054 +               ${MAKE} --no-print-directory \
1055                         CFLAGS="${CFLAGS}" MKDEP="${MKDEP}" ${MAKECMDGOALS}
1056  
1057  ifeq ($(findstring clean,$(MAKECMDGOALS)),clean)
1058 --- isakmpd-20041012.orig/sysdep/linux/include/bitstring.h
1059 +++ isakmpd-20041012/sysdep/linux/include/bitstring.h
1060 @@ -0,0 +1,132 @@
1061 +/*     $OpenBSD: bitstring.h,v 1.4 2002/06/19 02:50:10 millert Exp $   */
1062 +/*     $NetBSD: bitstring.h,v 1.5 1997/05/14 15:49:55 pk Exp $ */
1063 +
1064 +/*
1065 + * Copyright (c) 1989, 1993
1066 + *     The Regents of the University of California.  All rights reserved.
1067 + *
1068 + * This code is derived from software contributed to Berkeley by
1069 + * Paul Vixie.
1070 + *
1071 + * Redistribution and use in source and binary forms, with or without
1072 + * modification, are permitted provided that the following conditions
1073 + * are met:
1074 + * 1. Redistributions of source code must retain the above copyright
1075 + *    notice, this list of conditions and the following disclaimer.
1076 + * 2. Redistributions in binary form must reproduce the above copyright
1077 + *    notice, this list of conditions and the following disclaimer in the
1078 + *    documentation and/or other materials provided with the distribution.
1079 + * 3. All advertising materials mentioning features or use of this software
1080 + *    must display the following acknowledgement:
1081 + *     This product includes software developed by the University of
1082 + *     California, Berkeley and its contributors.
1083 + * 4. Neither the name of the University nor the names of its contributors
1084 + *    may be used to endorse or promote products derived from this software
1085 + *    without specific prior written permission.
1086 + *
1087 + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
1088 + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1089 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1090 + * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
1091 + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
1092 + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1093 + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1094 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1095 + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1096 + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1097 + * SUCH DAMAGE.
1098 + *
1099 + *     @(#)bitstring.h 8.1 (Berkeley) 7/19/93
1100 + */
1101 +
1102 +#ifndef _BITSTRING_H_
1103 +#define        _BITSTRING_H_
1104 +
1105 +/* modified for SV/AT and bitstring bugfix by M.R.Murphy, 11oct91
1106 + * bitstr_size changed gratuitously, but shorter
1107 + * bit_alloc   spelling error fixed
1108 + * the following were efficient, but didn't work, they've been made to
1109 + * work, but are no longer as efficient :-)
1110 + * bit_nclear, bit_nset, bit_ffc, bit_ffs
1111 + */
1112 +typedef        unsigned char bitstr_t;
1113 +
1114 +/* internal macros */
1115 +                               /* byte of the bitstring bit is in */
1116 +#define        _bit_byte(bit) \
1117 +       ((bit) >> 3)
1118 +
1119 +                               /* mask for the bit within its byte */
1120 +#define        _bit_mask(bit) \
1121 +       (1 << ((bit)&0x7))
1122 +
1123 +/* external macros */
1124 +                               /* bytes in a bitstring of nbits bits */
1125 +#define        bitstr_size(nbits) \
1126 +       (((nbits) + 7) >> 3)
1127 +
1128 +                               /* allocate a bitstring */
1129 +#define        bit_alloc(nbits) \
1130 +       (bitstr_t *)calloc((size_t)bitstr_size(nbits), sizeof(bitstr_t))
1131 +
1132 +                               /* allocate a bitstring on the stack */
1133 +#define        bit_decl(name, nbits) \
1134 +       ((name)[bitstr_size(nbits)])
1135 +
1136 +                               /* is bit N of bitstring name set? */
1137 +#define        bit_test(name, bit) \
1138 +       ((name)[_bit_byte(bit)] & _bit_mask(bit))
1139 +
1140 +                               /* set bit N of bitstring name */
1141 +#define        bit_set(name, bit) \
1142 +       ((name)[_bit_byte(bit)] |= _bit_mask(bit))
1143 +
1144 +                               /* clear bit N of bitstring name */
1145 +#define        bit_clear(name, bit) \
1146 +       ((name)[_bit_byte(bit)] &= ~_bit_mask(bit))
1147 +
1148 +                               /* clear bits start ... stop in bitstring */
1149 +#define        bit_nclear(name, start, stop) do { \
1150 +       register bitstr_t *_name = name; \
1151 +       register int _start = start, _stop = stop; \
1152 +       while (_start <= _stop) { \
1153 +               bit_clear(_name, _start); \
1154 +               _start++; \
1155 +               } \
1156 +} while(0)
1157 +
1158 +                               /* set bits start ... stop in bitstring */
1159 +#define        bit_nset(name, start, stop) do { \
1160 +       register bitstr_t *_name = name; \
1161 +       register int _start = start, _stop = stop; \
1162 +       while (_start <= _stop) { \
1163 +               bit_set(_name, _start); \
1164 +               _start++; \
1165 +               } \
1166 +} while(0)
1167 +
1168 +                               /* find first bit clear in name */
1169 +#define        bit_ffc(name, nbits, value) do { \
1170 +       register bitstr_t *_name = name; \
1171 +       register int _bit, _nbits = nbits, _value = -1; \
1172 +       for (_bit = 0; _bit < _nbits; ++_bit) \
1173 +               if (!bit_test(_name, _bit)) { \
1174 +                       _value = _bit; \
1175 +                       break; \
1176 +               } \
1177 +       *(value) = _value; \
1178 +} while(0)
1179 +
1180 +                               /* find first bit set in name */
1181 +#define        bit_ffs(name, nbits, value) do { \
1182 +       register bitstr_t *_name = name; \
1183 +       register int _bit, _nbits = nbits, _value = -1; \
1184 +       for (_bit = 0; _bit < _nbits; ++_bit) \
1185 +               if (bit_test(_name, _bit)) { \
1186 +                       _value = _bit; \
1187 +                       break; \
1188 +               } \
1189 +       *(value) = _value; \
1190 +} while(0)
1191 +
1192 +#endif /* !_BITSTRING_H_ */
1193 --- isakmpd-20041012.orig/sysdep/linux/include/sys/queue.h
1194 +++ isakmpd-20041012/sysdep/linux/include/sys/queue.h
1195 @@ -0,0 +1,453 @@
1196 +/*
1197 + * Copyright (c) 1991, 1993
1198 + *     The Regents of the University of California.  All rights reserved.
1199 + *
1200 + * Redistribution and use in source and binary forms, with or without
1201 + * modification, are permitted provided that the following conditions
1202 + * are met:
1203 + * 1. Redistributions of source code must retain the above copyright
1204 + *    notice, this list of conditions and the following disclaimer.
1205 + * 2. Redistributions in binary form must reproduce the above copyright
1206 + *    notice, this list of conditions and the following disclaimer in the
1207 + *    documentation and/or other materials provided with the distribution.
1208 + * 3. All advertising materials mentioning features or use of this software
1209 + *    must display the following acknowledgement:
1210 + *     This product includes software developed by the University of
1211 + *     California, Berkeley and its contributors.
1212 + * 4. Neither the name of the University nor the names of its contributors
1213 + *    may be used to endorse or promote products derived from this software
1214 + *    without specific prior written permission.
1215 + *
1216 + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
1217 + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1218 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1219 + * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
1220 + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
1221 + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1222 + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1223 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1224 + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1225 + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1226 + * SUCH DAMAGE.
1227 + *
1228 + *     @(#)queue.h     8.5 (Berkeley) 8/20/94
1229 + * $FreeBSD: src/sys/sys/queue.h,v 1.45 2001/12/11 11:49:58 sheldonh Exp $
1230 + */
1231 +
1232 +#ifndef _SYS_QUEUE_H_
1233 +#define        _SYS_QUEUE_H_
1234 +
1235 +//#include <machine/ansi.h>    /* for __offsetof */
1236 +
1237 +/*
1238 + * This file defines four types of data structures: singly-linked lists,
1239 + * singly-linked tail queues, lists and tail queues.
1240 + *
1241 + * A singly-linked list is headed by a single forward pointer. The elements
1242 + * are singly linked for minimum space and pointer manipulation overhead at
1243 + * the expense of O(n) removal for arbitrary elements. New elements can be
1244 + * added to the list after an existing element or at the head of the list.
1245 + * Elements being removed from the head of the list should use the explicit
1246 + * macro for this purpose for optimum efficiency. A singly-linked list may
1247 + * only be traversed in the forward direction.  Singly-linked lists are ideal
1248 + * for applications with large datasets and few or no removals or for
1249 + * implementing a LIFO queue.
1250 + *
1251 + * A singly-linked tail queue is headed by a pair of pointers, one to the
1252 + * head of the list and the other to the tail of the list. The elements are
1253 + * singly linked for minimum space and pointer manipulation overhead at the
1254 + * expense of O(n) removal for arbitrary elements. New elements can be added
1255 + * to the list after an existing element, at the head of the list, or at the
1256 + * end of the list. Elements being removed from the head of the tail queue
1257 + * should use the explicit macro for this purpose for optimum efficiency.
1258 + * A singly-linked tail queue may only be traversed in the forward direction.
1259 + * Singly-linked tail queues are ideal for applications with large datasets
1260 + * and few or no removals or for implementing a FIFO queue.
1261 + *
1262 + * A list is headed by a single forward pointer (or an array of forward
1263 + * pointers for a hash table header). The elements are doubly linked
1264 + * so that an arbitrary element can be removed without a need to
1265 + * traverse the list. New elements can be added to the list before
1266 + * or after an existing element or at the head of the list. A list
1267 + * may only be traversed in the forward direction.
1268 + *
1269 + * A tail queue is headed by a pair of pointers, one to the head of the
1270 + * list and the other to the tail of the list. The elements are doubly
1271 + * linked so that an arbitrary element can be removed without a need to
1272 + * traverse the list. New elements can be added to the list before or
1273 + * after an existing element, at the head of the list, or at the end of
1274 + * the list. A tail queue may be traversed in either direction.
1275 + *
1276 + * For details on the use of these macros, see the queue(3) manual page.
1277 + *
1278 + *
1279 + *                     SLIST   LIST    STAILQ  TAILQ
1280 + * _HEAD               +       +       +       +
1281 + * _HEAD_INITIALIZER   +       +       +       +
1282 + * _ENTRY              +       +       +       +
1283 + * _INIT               +       +       +       +
1284 + * _EMPTY              +       +       +       +
1285 + * _FIRST              +       +       +       +
1286 + * _NEXT               +       +       +       +
1287 + * _PREV               -       -       -       +
1288 + * _LAST               -       -       +       +
1289 + * _FOREACH            +       +       +       +
1290 + * _FOREACH_REVERSE    -       -       -       +
1291 + * _INSERT_HEAD                +       +       +       +
1292 + * _INSERT_BEFORE      -       +       -       +
1293 + * _INSERT_AFTER       +       +       +       +
1294 + * _INSERT_TAIL                -       -       +       +
1295 + * _REMOVE_HEAD                +       -       +       -
1296 + * _REMOVE             +       +       +       +
1297 + *
1298 + */
1299 +
1300 +/*
1301 + * Singly-linked List declarations.
1302 + */
1303 +#define        SLIST_HEAD(name, type)                                          \
1304 +struct name {                                                          \
1305 +       struct type *slh_first; /* first element */                     \
1306 +}
1307 +
1308 +#define        SLIST_HEAD_INITIALIZER(head)                                    \
1309 +       { NULL }
1310
1311 +#define        SLIST_ENTRY(type)                                               \
1312 +struct {                                                               \
1313 +       struct type *sle_next;  /* next element */                      \
1314 +}
1315
1316 +/*
1317 + * Singly-linked List functions.
1318 + */
1319 +#define        SLIST_EMPTY(head)       ((head)->slh_first == NULL)
1320 +
1321 +#define        SLIST_FIRST(head)       ((head)->slh_first)
1322 +
1323 +#define        SLIST_FOREACH(var, head, field)                                 \
1324 +       for ((var) = SLIST_FIRST((head));                               \
1325 +           (var);                                                      \
1326 +           (var) = SLIST_NEXT((var), field))
1327 +
1328 +#define        SLIST_INIT(head) do {                                           \
1329 +       SLIST_FIRST((head)) = NULL;                                     \
1330 +} while (0)
1331 +
1332 +#define        SLIST_INSERT_AFTER(slistelm, elm, field) do {                   \
1333 +       SLIST_NEXT((elm), field) = SLIST_NEXT((slistelm), field);       \
1334 +       SLIST_NEXT((slistelm), field) = (elm);                          \
1335 +} while (0)
1336 +
1337 +#define        SLIST_INSERT_HEAD(head, elm, field) do {                        \
1338 +       SLIST_NEXT((elm), field) = SLIST_FIRST((head));                 \
1339 +       SLIST_FIRST((head)) = (elm);                                    \
1340 +} while (0)
1341 +
1342 +#define        SLIST_NEXT(elm, field)  ((elm)->field.sle_next)
1343 +
1344 +#define        SLIST_REMOVE(head, elm, type, field) do {                       \
1345 +       if (SLIST_FIRST((head)) == (elm)) {                             \
1346 +               SLIST_REMOVE_HEAD((head), field);                       \
1347 +       }                                                               \
1348 +       else {                                                          \
1349 +               struct type *curelm = SLIST_FIRST((head));              \
1350 +               while (SLIST_NEXT(curelm, field) != (elm))              \
1351 +                       curelm = SLIST_NEXT(curelm, field);             \
1352 +               SLIST_NEXT(curelm, field) =                             \
1353 +                   SLIST_NEXT(SLIST_NEXT(curelm, field), field);       \
1354 +       }                                                               \
1355 +} while (0)
1356 +
1357 +#define        SLIST_REMOVE_HEAD(head, field) do {                             \
1358 +       SLIST_FIRST((head)) = SLIST_NEXT(SLIST_FIRST((head)), field);   \
1359 +} while (0)
1360 +
1361 +/*
1362 + * Singly-linked Tail queue declarations.
1363 + */
1364 +#define        STAILQ_HEAD(name, type)                                         \
1365 +struct name {                                                          \
1366 +       struct type *stqh_first;/* first element */                     \
1367 +       struct type **stqh_last;/* addr of last next element */         \
1368 +}
1369 +
1370 +#define        STAILQ_HEAD_INITIALIZER(head)                                   \
1371 +       { NULL, &(head).stqh_first }
1372 +
1373 +#define        STAILQ_ENTRY(type)                                              \
1374 +struct {                                                               \
1375 +       struct type *stqe_next; /* next element */                      \
1376 +}
1377 +
1378 +/*
1379 + * Singly-linked Tail queue functions.
1380 + */
1381 +#define        STAILQ_EMPTY(head)      ((head)->stqh_first == NULL)
1382 +
1383 +#define        STAILQ_FIRST(head)      ((head)->stqh_first)
1384 +
1385 +#define        STAILQ_FOREACH(var, head, field)                                \
1386 +       for((var) = STAILQ_FIRST((head));                               \
1387 +          (var);                                                       \
1388 +          (var) = STAILQ_NEXT((var), field))
1389 +
1390 +#define        STAILQ_INIT(head) do {                                          \
1391 +       STAILQ_FIRST((head)) = NULL;                                    \
1392 +       (head)->stqh_last = &STAILQ_FIRST((head));                      \
1393 +} while (0)
1394 +
1395 +#define        STAILQ_INSERT_AFTER(head, tqelm, elm, field) do {               \
1396 +       if ((STAILQ_NEXT((elm), field) = STAILQ_NEXT((tqelm), field)) == NULL)\
1397 +               (head)->stqh_last = &STAILQ_NEXT((elm), field);         \
1398 +       STAILQ_NEXT((tqelm), field) = (elm);                            \
1399 +} while (0)
1400 +
1401 +#define        STAILQ_INSERT_HEAD(head, elm, field) do {                       \
1402 +       if ((STAILQ_NEXT((elm), field) = STAILQ_FIRST((head))) == NULL) \
1403 +               (head)->stqh_last = &STAILQ_NEXT((elm), field);         \
1404 +       STAILQ_FIRST((head)) = (elm);                                   \
1405 +} while (0)
1406 +
1407 +#define        STAILQ_INSERT_TAIL(head, elm, field) do {                       \
1408 +       STAILQ_NEXT((elm), field) = NULL;                               \
1409 +       *(head)->stqh_last = (elm);                                     \
1410 +       (head)->stqh_last = &STAILQ_NEXT((elm), field);                 \
1411 +} while (0)
1412 +
1413 +#define        STAILQ_LAST(head, type, field)                                  \
1414 +       (STAILQ_EMPTY(head) ?                                           \
1415 +               NULL :                                                  \
1416 +               ((struct type *)                                        \
1417 +               ((char *)((head)->stqh_last) - __offsetof(struct type, field))))
1418 +
1419 +#define        STAILQ_NEXT(elm, field) ((elm)->field.stqe_next)
1420 +
1421 +#define        STAILQ_REMOVE(head, elm, type, field) do {                      \
1422 +       if (STAILQ_FIRST((head)) == (elm)) {                            \
1423 +               STAILQ_REMOVE_HEAD(head, field);                        \
1424 +       }                                                               \
1425 +       else {                                                          \
1426 +               struct type *curelm = STAILQ_FIRST((head));             \
1427 +               while (STAILQ_NEXT(curelm, field) != (elm))             \
1428 +                       curelm = STAILQ_NEXT(curelm, field);            \
1429 +               if ((STAILQ_NEXT(curelm, field) =                       \
1430 +                    STAILQ_NEXT(STAILQ_NEXT(curelm, field), field)) == NULL)\
1431 +                       (head)->stqh_last = &STAILQ_NEXT((curelm), field);\
1432 +       }                                                               \
1433 +} while (0)
1434 +
1435 +#define        STAILQ_REMOVE_HEAD(head, field) do {                            \
1436 +       if ((STAILQ_FIRST((head)) =                                     \
1437 +            STAILQ_NEXT(STAILQ_FIRST((head)), field)) == NULL)         \
1438 +               (head)->stqh_last = &STAILQ_FIRST((head));              \
1439 +} while (0)
1440 +
1441 +#define        STAILQ_REMOVE_HEAD_UNTIL(head, elm, field) do {                 \
1442 +       if ((STAILQ_FIRST((head)) = STAILQ_NEXT((elm), field)) == NULL) \
1443 +               (head)->stqh_last = &STAILQ_FIRST((head));              \
1444 +} while (0)
1445 +
1446 +/*
1447 + * List declarations.
1448 + */
1449 +#define        LIST_HEAD(name, type)                                           \
1450 +struct name {                                                          \
1451 +       struct type *lh_first;  /* first element */                     \
1452 +}
1453 +
1454 +#define        LIST_HEAD_INITIALIZER(head)                                     \
1455 +       { NULL }
1456 +
1457 +#define        LIST_ENTRY(type)                                                \
1458 +struct {                                                               \
1459 +       struct type *le_next;   /* next element */                      \
1460 +       struct type **le_prev;  /* address of previous next element */  \
1461 +}
1462 +
1463 +/*
1464 + * List functions.
1465 + */
1466 +
1467 +#define        LIST_EMPTY(head)        ((head)->lh_first == NULL)
1468 +
1469 +#define        LIST_FIRST(head)        ((head)->lh_first)
1470 +
1471 +#define        LIST_FOREACH(var, head, field)                                  \
1472 +       for ((var) = LIST_FIRST((head));                                \
1473 +           (var);                                                      \
1474 +           (var) = LIST_NEXT((var), field))
1475 +
1476 +#define        LIST_INIT(head) do {                                            \
1477 +       LIST_FIRST((head)) = NULL;                                      \
1478 +} while (0)
1479 +
1480 +#define        LIST_INSERT_AFTER(listelm, elm, field) do {                     \
1481 +       if ((LIST_NEXT((elm), field) = LIST_NEXT((listelm), field)) != NULL)\
1482 +               LIST_NEXT((listelm), field)->field.le_prev =            \
1483 +                   &LIST_NEXT((elm), field);                           \
1484 +       LIST_NEXT((listelm), field) = (elm);                            \
1485 +       (elm)->field.le_prev = &LIST_NEXT((listelm), field);            \
1486 +} while (0)
1487 +
1488 +#define        LIST_INSERT_BEFORE(listelm, elm, field) do {                    \
1489 +       (elm)->field.le_prev = (listelm)->field.le_prev;                \
1490 +       LIST_NEXT((elm), field) = (listelm);                            \
1491 +       *(listelm)->field.le_prev = (elm);                              \
1492 +       (listelm)->field.le_prev = &LIST_NEXT((elm), field);            \
1493 +} while (0)
1494 +
1495 +#define        LIST_INSERT_HEAD(head, elm, field) do {                         \
1496 +       if ((LIST_NEXT((elm), field) = LIST_FIRST((head))) != NULL)     \
1497 +               LIST_FIRST((head))->field.le_prev = &LIST_NEXT((elm), field);\
1498 +       LIST_FIRST((head)) = (elm);                                     \
1499 +       (elm)->field.le_prev = &LIST_FIRST((head));                     \
1500 +} while (0)
1501 +
1502 +#define        LIST_NEXT(elm, field)   ((elm)->field.le_next)
1503 +
1504 +#define        LIST_REMOVE(elm, field) do {                                    \
1505 +       if (LIST_NEXT((elm), field) != NULL)                            \
1506 +               LIST_NEXT((elm), field)->field.le_prev =                \
1507 +                   (elm)->field.le_prev;                               \
1508 +       *(elm)->field.le_prev = LIST_NEXT((elm), field);                \
1509 +} while (0)
1510 +
1511 +/*
1512 + * Tail queue declarations.
1513 + */
1514 +#define        TAILQ_HEAD(name, type)                                          \
1515 +struct name {                                                          \
1516 +       struct type *tqh_first; /* first element */                     \
1517 +       struct type **tqh_last; /* addr of last next element */         \
1518 +}
1519 +
1520 +#define        TAILQ_HEAD_INITIALIZER(head)                                    \
1521 +       { NULL, &(head).tqh_first }
1522 +
1523 +#define        TAILQ_ENTRY(type)                                               \
1524 +struct {                                                               \
1525 +       struct type *tqe_next;  /* next element */                      \
1526 +       struct type **tqe_prev; /* address of previous next element */  \
1527 +}
1528 +
1529 +/*
1530 + * Tail queue functions.
1531 + */
1532 +#define        TAILQ_EMPTY(head)       ((head)->tqh_first == NULL)
1533 +
1534 +#define        TAILQ_FIRST(head)       ((head)->tqh_first)
1535 +
1536 +#define        TAILQ_FOREACH(var, head, field)                                 \
1537 +       for ((var) = TAILQ_FIRST((head));                               \
1538 +           (var);                                                      \
1539 +           (var) = TAILQ_NEXT((var), field))
1540 +
1541 +#define        TAILQ_FOREACH_REVERSE(var, head, headname, field)               \
1542 +       for ((var) = TAILQ_LAST((head), headname);                      \
1543 +           (var);                                                      \
1544 +           (var) = TAILQ_PREV((var), headname, field))
1545 +
1546 +#define        TAILQ_INIT(head) do {                                           \
1547 +       TAILQ_FIRST((head)) = NULL;                                     \
1548 +       (head)->tqh_last = &TAILQ_FIRST((head));                        \
1549 +} while (0)
1550 +
1551 +#define        TAILQ_INSERT_AFTER(head, listelm, elm, field) do {              \
1552 +       if ((TAILQ_NEXT((elm), field) = TAILQ_NEXT((listelm), field)) != NULL)\
1553 +               TAILQ_NEXT((elm), field)->field.tqe_prev =              \
1554 +                   &TAILQ_NEXT((elm), field);                          \
1555 +       else                                                            \
1556 +               (head)->tqh_last = &TAILQ_NEXT((elm), field);           \
1557 +       TAILQ_NEXT((listelm), field) = (elm);                           \
1558 +       (elm)->field.tqe_prev = &TAILQ_NEXT((listelm), field);          \
1559 +} while (0)
1560 +
1561 +#define        TAILQ_INSERT_BEFORE(listelm, elm, field) do {                   \
1562 +       (elm)->field.tqe_prev = (listelm)->field.tqe_prev;              \
1563 +       TAILQ_NEXT((elm), field) = (listelm);                           \
1564 +       *(listelm)->field.tqe_prev = (elm);                             \
1565 +       (listelm)->field.tqe_prev = &TAILQ_NEXT((elm), field);          \
1566 +} while (0)
1567 +
1568 +#define        TAILQ_INSERT_HEAD(head, elm, field) do {                        \
1569 +       if ((TAILQ_NEXT((elm), field) = TAILQ_FIRST((head))) != NULL)   \
1570 +               TAILQ_FIRST((head))->field.tqe_prev =                   \
1571 +                   &TAILQ_NEXT((elm), field);                          \
1572 +       else                                                            \
1573 +               (head)->tqh_last = &TAILQ_NEXT((elm), field);           \
1574 +       TAILQ_FIRST((head)) = (elm);                                    \
1575 +       (elm)->field.tqe_prev = &TAILQ_FIRST((head));                   \
1576 +} while (0)
1577 +
1578 +#define        TAILQ_INSERT_TAIL(head, elm, field) do {                        \
1579 +       TAILQ_NEXT((elm), field) = NULL;                                \
1580 +       (elm)->field.tqe_prev = (head)->tqh_last;                       \
1581 +       *(head)->tqh_last = (elm);                                      \
1582 +       (head)->tqh_last = &TAILQ_NEXT((elm), field);                   \
1583 +} while (0)
1584 +
1585 +#define        TAILQ_LAST(head, headname)                                      \
1586 +       (*(((struct headname *)((head)->tqh_last))->tqh_last))
1587 +
1588 +#define        TAILQ_NEXT(elm, field) ((elm)->field.tqe_next)
1589 +
1590 +#define        TAILQ_PREV(elm, headname, field)                                \
1591 +       (*(((struct headname *)((elm)->field.tqe_prev))->tqh_last))
1592 +
1593 +#define        TAILQ_REMOVE(head, elm, field) do {                             \
1594 +       if ((TAILQ_NEXT((elm), field)) != NULL)                         \
1595 +               TAILQ_NEXT((elm), field)->field.tqe_prev =              \
1596 +                   (elm)->field.tqe_prev;                              \
1597 +       else                                                            \
1598 +               (head)->tqh_last = (elm)->field.tqe_prev;               \
1599 +       *(elm)->field.tqe_prev = TAILQ_NEXT((elm), field);              \
1600 +} while (0)
1601 +
1602 +
1603 +#ifdef _KERNEL
1604 +
1605 +/*
1606 + * XXX insque() and remque() are an old way of handling certain queues.
1607 + * They bogusly assumes that all queue heads look alike.
1608 + */
1609 +
1610 +struct quehead {
1611 +       struct quehead *qh_link;
1612 +       struct quehead *qh_rlink;
1613 +};
1614 +
1615 +#ifdef __GNUC__
1616 +
1617 +static __inline void
1618 +insque(void *a, void *b)
1619 +{
1620 +       struct quehead *element = (struct quehead *)a,
1621 +                *head = (struct quehead *)b;
1622 +
1623 +       element->qh_link = head->qh_link;
1624 +       element->qh_rlink = head;
1625 +       head->qh_link = element;
1626 +       element->qh_link->qh_rlink = element;
1627 +}
1628 +
1629 +static __inline void
1630 +remque(void *a)
1631 +{
1632 +       struct quehead *element = (struct quehead *)a;
1633 +
1634 +       element->qh_link->qh_rlink = element->qh_rlink;
1635 +       element->qh_rlink->qh_link = element->qh_link;
1636 +       element->qh_rlink = 0;
1637 +}
1638 +
1639 +#else /* !__GNUC__ */
1640 +
1641 +void   insque __P((void *a, void *b));
1642 +void   remque __P((void *a));
1643 +
1644 +#endif /* __GNUC__ */
1645 +
1646 +#endif /* _KERNEL */
1647 +
1648 +#endif /* !_SYS_QUEUE_H_ */
1649 --- isakmpd-20041012.orig/sysdep/common/pcap.h
1650 +++ isakmpd-20041012/sysdep/common/pcap.h
1651 @@ -55,8 +55,13 @@
1652         u_int32_t linktype;     /* data link type (DLT_*) */
1653  };
1654  
1655 +struct pcap_timeval {
1656 +       int32_t tv_sec;         /* seconds */
1657 +       int32_t tv_usec;        /* microseconds */
1658 +};
1659 +
1660  struct pcap_pkthdr {
1661 -       struct timeval ts;      /* time stamp */
1662 +       struct pcap_timeval ts; /* time stamp */
1663         u_int32_t caplen;       /* length of portion present */
1664         u_int32_t len;          /* length this packet (off wire) */
1665  };
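Review bot: The new `struct pcap_timeval` at lines 1655–1658 carries no comment explaining why it replaces `struct timeval` inside `pcap_pkthdr`; presumably the intent is to pin the record header to two 32-bit fields so the layout written to the capture file does not depend on the host's `struct timeval` size, and that should be stated next to the struct, e.g. `/* pcap record timestamp: fixed 32-bit fields, independent of host struct timeval */`. `int32_t` is used here but no `<stdint.h>` or equivalent include is visible in this hunk, so confirm the type is already in scope through pcap.h's existing includes. A signed 32-bit `tv_sec` also cannot represent times after January 2038, which is worth recording beside the field so nobody later "fixes" it by widening the type and breaking the on-disk layout.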
1666 --- isakmpd-20041012.orig/sysdep/common/libsysdep/arc4random.c
1667 +++ isakmpd-20041012/sysdep/common/libsysdep/arc4random.c
1668 @@ -78,7 +78,7 @@
1669  static void
1670  arc4_stir(struct arc4_stream *as)
1671  {
1672 -       int     fd;
1673 +       int     fd, i;
1674         struct {
1675                 struct timeval tv;
1676                 u_int8_t rnd[128 - sizeof(struct timeval)];
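Review bot: The `i` added to the declaration at line 1673 has no use anywhere in this hunk; if it is consumed by a loop elsewhere in `arc4_stir` it would be clearer to declare it next to that loop, otherwise the variable is unused and will warn under `-Wunused-variable`. The body of `arc4_stir` continues outside the hunk, so whether `i` is actually referenced cannot be confirmed from here. Since this is the seeding path of the daemon's random number generator, a one-line comment on what the loop does with `i` (if it exists) would help future review of the entropy-gathering logic.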
1677 --- isakmpd-20041012.orig/x509v3.cnf
1678 +++ isakmpd-20041012/x509v3.cnf
1679 @@ -0,0 +1,26 @@
1680 +# default settings
1681 +CERTPATHLEN             = 1
1682 +CERTUSAGE               = digitalSignature,keyCertSign
1683 +CERTIP                  = 0.0.0.0
1684 +CERTFQDN                = nohost.nodomain
1685 +
1686 +# This section should be referenced when building an x509v3 CA
1687 +# Certificate.
1688 +# The default path length and the key usage can be overriden
1689 +# modified by setting the CERTPATHLEN and CERTUSAGE environment 
1690 +# variables.
1691 +[x509v3_CA]
1692 +basicConstraints=critical,CA:true,pathlen:$ENV::CERTPATHLEN
1693 +keyUsage=$ENV::CERTUSAGE
1694 +
1695 +# This section should be referenced to add an IP Address
1696 +# as an alternate subject name, needed by isakmpd
1697 +# The address must be provided in the CERTIP environment variable
1698 +[x509v3_IPAddr]
1699 +subjectAltName=IP:$ENV::CERTIP
1700 +
1701 +# This section should be referenced to add a FQDN hostname
1702 +# as an alternate subject name, needed by isakmpd
1703 +# The address must be provided in the CERTFQDN environment variable
1704 +[x509v3_FQDN]
1705 +subjectAltName=DNS:$ENV::CERTFQDN
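Review bot: The defaults `CERTIP = 0.0.0.0` and `CERTFQDN = nohost.nodomain` at lines 1683–1684 mean that a certificate generated without the corresponding environment variable exported silently receives a meaningless subjectAltName instead of failing, and the same applies to `CERTPATHLEN`/`CERTUSAGE` for the `[x509v3_CA]` section. A comment at the top should make this explicit, e.g. `# Placeholder defaults only: export CERTIP/CERTFQDN/CERTPATHLEN/CERTUSAGE before invoking openssl with these sections; 0.0.0.0 and nohost.nodomain are not usable SAN values for a deployed peer`. The comment at lines 1690–1691 also reads `overriden modified`, which should be `overridden or modified`.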
1706