1 --- isakmpd-20041012.orig/dpd.c
2 +++ isakmpd-20041012/dpd.c
20 dpd_check_event, sa, &tv);
26 log_print("dpd_timer_reset: timer_add_event failed");
27 --- isakmpd-20041012.orig/ipsec.c
28 +++ isakmpd-20041012/ipsec.c
29 @@ -1020,6 +1020,52 @@
34 + * deal with a NOTIFY of INVALID_SPI
37 +ipsec_invalid_spi (struct message *msg, struct payload *p)
39 + struct sockaddr *dst;
45 + /* Any notification that make us do something should be protected */
46 + if(!TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_HASH]))
48 + LOG_DBG ((LOG_SA, 40,
49 + "ipsec_invalid_spi: missing HASH payload in INVALID_SPI"
55 + * get the invalid spi out of the variable sized notification data
56 + * field, which is after the variable sized SPI field [which specifies
57 + * the receiving entity's phase-1 SPI, not the invalid spi]
59 + totsiz = GET_ISAKMP_GEN_LENGTH (p->p);
60 + spisz = GET_ISAKMP_NOTIFY_SPI_SZ (p->p);
61 + off = ISAKMP_NOTIFY_SPI_OFF + spisz;
62 + invspisz = totsiz - off;
64 + if (invspisz != sizeof spi)
66 + LOG_DBG ((LOG_SA, 40,
67 + "ipsec_invalid_spi: SPI size %d in INVALID_SPI "
68 + "payload unsupported", spisz));
71 + memcpy (&spi, p->p + off, sizeof spi);
73 + msg->transport->vtbl->get_dst (msg->transport, &dst);
75 + /* delete matching SPI's from this peer */
76 + ipsec_delete_spi_list (dst, 0, (u_int8_t *)&spi, 1, "INVALID_SPI");
80 ipsec_responder(struct message *msg)
83 return dv != IPSEC_ENCAP_TUNNEL
84 && dv != IPSEC_ENCAP_TRANSPORT
85 && dv != IPSEC_ENCAP_UDP_ENCAP_TUNNEL
86 - && dv != IPSEC_ENCAP_UDP_ENCAP_TRANSPORT;
87 + && dv != IPSEC_ENCAP_UDP_ENCAP_TRANSPORT
88 + && dv != IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT
89 + && dv != IPSEC_ENCAP_UDP_ENCAP_TRANSPORT_DRAFT;
91 return dv < IPSEC_ENCAP_TUNNEL
92 || dv > IPSEC_ENCAP_TRANSPORT;
94 ipsec_get_id(char *section, int *id, struct sockaddr **addr,
95 struct sockaddr **mask, u_int8_t *tproto, u_int16_t *port)
97 - char *type, *address, *netmask;
98 + char *type, *address, *netmask;
100 type = conf_get_str(section, "ID-type");
102 --- isakmpd-20041012.orig/GNUmakefile
103 +++ isakmpd-20041012/GNUmakefile
105 # integrated, freebsd/netbsd means FreeBSD/NetBSD with KAME IPsec.
106 # darwin means MacOS X 10.2 and later with KAME IPsec. linux means Linux-2.5
107 # and later with native IPSec support.
117 .CURDIR:= $(shell pwd)
118 VPATH= ${.CURDIR}/sysdep/${OS}
131 SRCS= app.c attribute.c cert.c connection.c \
132 constants.c conf.c cookie.c crypto.c dh.c doi.c exchange.c \
133 @@ -131,11 +132,14 @@
134 ifneq ($(findstring install,$(MAKECMDGOALS)),install)
135 # Skip 'regress' until the regress/ structure has gmake makefiles for it.
138 +#SUBDIR:= apps/certpatch
140 $(foreach DIR, ${SUBDIR}, \
141 - cd ${DIR}; ${MAKE} ${MAKEFLAGS} CFLAGS="${CFLAGS}" \
142 - MKDEP="${MKDEP}" ${MAKECMDGOALS})
143 + cd ${.CURDIR}/${DIR}; ${MAKE} ${MAKECMDGOALS};)
145 +# $(foreach DIR, ${SUBDIR}, \
146 +# cd ${DIR}; ${MAKE} CFLAGS="${CFLAGS}" \
147 +# MKDEP="${MKDEP}" ${MAKECMDGOALS})
154 SRCS+= ${IPSEC_SRCS} ${X509} ${POLICY} ${EC} ${AGGRESSIVE} ${DNSSEC} \
156 + $(ISAKMP_CFG) ${DPD} ${NAT_TRAVERSAL}
157 CFLAGS+= ${IPSEC_CFLAGS}
160 --- isakmpd-20041012.orig/exchange.h
161 +++ isakmpd-20041012/exchange.h
163 #define EXCHANGE_FLAG_NAT_T_ENABLE 0x10 /* We are doing NAT-T. */
164 #define EXCHANGE_FLAG_NAT_T_KEEPALIVE 0x20 /* We are the NAT:ed peer. */
165 #define EXCHANGE_FLAG_DPD_CAP_PEER 0x40 /* Peer is DPD capable. */
166 +#define EXCHANGE_FLAG_NAT_T_RFC 0x0080 /* Peer does RFC NAT-T. */
167 +#define EXCHANGE_FLAG_NAT_T_DRAFT 0x0100 /* Peer does draft NAT-T.*/
169 extern int exchange_add_certs(struct message *);
170 extern void exchange_finalize(struct message *);
171 --- isakmpd-20041012.orig/log.c
172 +++ isakmpd-20041012/log.c
176 struct pcap_pkthdr pcap;/* pcap file packet header */
177 - u_int32_t sa_family; /* address family */
179 struct ip ip4; /* IPv4 header (w/o options) */
180 struct ip6_hdr ip6; /* IPv6 header */
182 static u_int8_t *packet_buf = NULL;
184 static int udp_cksum(struct packhdr *, const struct udphdr *,
187 static u_int16_t in_cksum(const u_int16_t *, int);
188 #endif /* USE_DEBUG */
191 udp.uh_ulen = htons(datalen);
194 - hdr.sa_family = htonl(src->sa_family);
195 switch (src->sa_family) {
197 /* Assume IPv4. XXX Can 'default' ever happen here? */
198 - hdr.sa_family = htonl(AF_INET);
199 hdr.ip.ip4.ip_src.s_addr = 0x02020202;
200 hdr.ip.ip4.ip_dst.s_addr = 0x01010101;
201 /* The rest of the setup is common to AF_INET. */
205 /* Calculate UDP checksum. */
206 - udp.uh_sum = udp_cksum(&hdr, &udp, (u_int16_t *) packet_buf);
207 - hdrlen += sizeof hdr.sa_family;
209 + udp.uh_sum = udp_cksum(&hdr, &udp, (u_int16_t *) packet_buf, src->sa_family);
210 /* pcap file packet header */
211 gettimeofday(&tv, 0);
212 hdr.pcap.ts.tv_sec = tv.tv_sec;
215 /* Copied from tcpdump/print-udp.c, mostly rewritten. */
217 -udp_cksum(struct packhdr *hdr, const struct udphdr *u, u_int16_t *d)
218 +udp_cksum(struct packhdr *hdr, const struct udphdr *u, u_int16_t *d, int af)
224 /* Setup pseudoheader. */
225 memset(phu.pa, 0, sizeof phu);
226 - switch (ntohl(hdr->sa_family)) {
230 memcpy(&phu.ip4p.src, &ip4->ip_src, sizeof(struct in_addr));
233 /* IPv6 wants a 0xFFFF checksum "on error", not 0x0. */
235 - return (ntohl(hdr->sa_family) == AF_INET ? 0 : 0xFFFF);
236 + return (af == AF_INET ? 0 : 0xFFFF);
239 for (i = 0; i < hdrlen; i += 2)
240 --- isakmpd-20041012.orig/nat_traversal.c
241 +++ isakmpd-20041012/nat_traversal.c
243 -/* $OpenBSD: nat_traversal.c,v 1.7 2004/08/08 19:11:06 deraadt Exp $ */
244 +/* $OpenBSD: nat_traversal.c,v 1.17 2006/06/14 14:03:33 hshoexer Exp $ */
247 * Copyright (c) 2004 HÃ¥kan Olsson. All rights reserved.
252 +int disable_nat_t = 0;
255 - * XXX According to draft-ietf-ipsec-nat-t-ike-07.txt, the NAT-T
256 - * capability of the other peer is determined by a particular vendor ID
257 - * sent as the first message. This vendor ID string is supposed to be a
258 - * MD5 hash of "RFC XXXX", where XXXX is the future RFC number.
259 + * NAT-T capability of the other peer is determined by a particular vendor
260 + * ID sent in the first message. This vendor ID string is supposed to be a
261 + * MD5 hash of "RFC 3947".
263 * These seem to be the "well" known variants of this string in use by
266 -static const char *isakmp_nat_t_cap_text[] = {
267 - "draft-ietf-ipsec-nat-t-ike-00", /* V1 (XXX: may be obsolete) */
268 - "draft-ietf-ipsec-nat-t-ike-02\n", /* V2 */
269 - "draft-ietf-ipsec-nat-t-ike-03", /* V3 */
274 +static struct nat_t_cap isakmp_nat_t_cap[] = {
275 + { VID_DRAFT_V2_N, EXCHANGE_FLAG_NAT_T_DRAFT,
276 + "draft-ietf-ipsec-nat-t-ike-02\n", NULL, 0 },
277 + { VID_DRAFT_V3, EXCHANGE_FLAG_NAT_T_DRAFT,
278 + "draft-ietf-ipsec-nat-t-ike-03", NULL, 0 },
279 + { VID_RFC3947, EXCHANGE_FLAG_NAT_T_RFC,
280 + "RFC 3947", NULL, 0 },
283 +#define NUMNATTCAP (sizeof isakmp_nat_t_cap / sizeof isakmp_nat_t_cap[0])
285 /* In seconds. Recommended in draft-ietf-ipsec-udp-encaps-09. */
286 #define NAT_T_KEEPALIVE_INTERVAL 20
288 -/* The MD5 hashes of the above strings is put in this array. */
289 -static char **nat_t_hashes;
290 -static size_t nat_t_hashsize;
292 static int nat_t_setup_hashes(void);
293 -static int nat_t_add_vendor_payload(struct message *, char *);
294 +static int nat_t_add_vendor_payload(struct message *, struct nat_t_cap *);
295 static int nat_t_add_nat_d(struct message *, struct sockaddr *);
296 static int nat_t_match_nat_d_payload(struct message *, struct sockaddr *);
301 - nat_t_hashes = (char **)NULL;
302 + nat_t_setup_hashes();
305 /* Generate the NAT-T capability marker hashes. Executed only once. */
307 nat_t_setup_hashes(void)
310 - int n = sizeof isakmp_nat_t_cap_text / sizeof isakmp_nat_t_cap_text[0];
311 + int n = NUMNATTCAP;
314 /* The draft says to use MD5. */
315 @@ -100,56 +100,49 @@
316 "could not find MD5 hash structure!");
319 - nat_t_hashsize = hash->hashsize;
321 - /* Allocate one more than is necessary, i.e NULL terminated. */
322 - nat_t_hashes = (char **)calloc((size_t)(n + 1), sizeof(char *));
323 - if (!nat_t_hashes) {
324 - log_error("nat_t_setup_hashes: calloc (%lu,%lu) failed",
325 - (unsigned long)n, (unsigned long)sizeof(char *));
329 - /* Populate with hashes. */
330 + /* Populate isakmp_nat_t_cap with hashes. */
331 for (i = 0; i < n; i++) {
332 - nat_t_hashes[i] = (char *)malloc(nat_t_hashsize);
333 - if (!nat_t_hashes[i]) {
334 + isakmp_nat_t_cap[i].hashsize = hash->hashsize;
335 + isakmp_nat_t_cap[i].hash = (char *)malloc(hash->hashsize);
336 + if (!isakmp_nat_t_cap[i].hash) {
337 log_error("nat_t_setup_hashes: malloc (%lu) failed",
338 - (unsigned long)nat_t_hashsize);
339 + (unsigned long)hash->hashsize);
343 hash->Init(hash->ctx);
344 hash->Update(hash->ctx,
345 - (unsigned char *)isakmp_nat_t_cap_text[i],
346 - strlen(isakmp_nat_t_cap_text[i]));
347 - hash->Final(nat_t_hashes[i], hash->ctx);
348 + (unsigned char *)isakmp_nat_t_cap[i].text,
349 + strlen(isakmp_nat_t_cap[i].text));
350 + hash->Final(isakmp_nat_t_cap[i].hash, hash->ctx);
352 LOG_DBG((LOG_EXCHANGE, 50, "nat_t_setup_hashes: "
353 - "MD5(\"%s\") (%lu bytes)", isakmp_nat_t_cap_text[i],
354 - (unsigned long)nat_t_hashsize));
355 + "MD5(\"%s\") (%lu bytes)", isakmp_nat_t_cap[i].text,
356 + (unsigned long)hash->hashsize));
357 LOG_DBG_BUF((LOG_EXCHANGE, 50, "nat_t_setup_hashes",
358 - nat_t_hashes[i], nat_t_hashsize));
359 + isakmp_nat_t_cap[i].hash, hash->hashsize));
366 for (i = 0; i < n; i++)
367 - if (nat_t_hashes[i])
368 - free(nat_t_hashes[i]);
369 - free(nat_t_hashes);
370 - nat_t_hashes = NULL;
371 + if (isakmp_nat_t_cap[i].hash)
372 + free(isakmp_nat_t_cap[i].hash);
376 /* Add one NAT-T VENDOR payload. */
378 -nat_t_add_vendor_payload(struct message *msg, char *hash)
379 +nat_t_add_vendor_payload(struct message *msg, struct nat_t_cap *cap)
381 - size_t buflen = nat_t_hashsize + ISAKMP_GEN_SZ;
382 + size_t buflen = cap->hashsize + ISAKMP_GEN_SZ;
388 buf = malloc(buflen);
390 log_error("nat_t_add_vendor_payload: malloc (%lu) failed",
391 @@ -158,12 +151,11 @@
394 SET_ISAKMP_GEN_LENGTH(buf, buflen);
395 - memcpy(buf + ISAKMP_VENDOR_ID_OFF, hash, nat_t_hashsize);
396 + memcpy(buf + ISAKMP_VENDOR_ID_OFF, cap->hash, cap->hashsize);
397 if (message_add_payload(msg, ISAKMP_PAYLOAD_VENDOR, buf, buflen, 1)) {
405 @@ -171,16 +163,14 @@
407 nat_t_add_vendor_payloads(struct message *msg)
413 - if (nat_t_setup_hashes())
414 - return 0; /* XXX should this be an error? */
418 - while (nat_t_hashes[i])
419 - if (nat_t_add_vendor_payload(msg, nat_t_hashes[i++]))
420 + for (i = 0; i < NUMNATTCAP; i++)
421 + if (nat_t_add_vendor_payload(msg, &isakmp_nat_t_cap[i]))
427 @@ -192,36 +182,31 @@
429 u_int8_t *pbuf = p->p;
434 - /* Already checked? */
435 - if (p->flags & PL_MARK ||
436 - msg->exchange->flags & EXCHANGE_FLAG_NAT_T_CAP_PEER)
441 - if (nat_t_setup_hashes())
444 vlen = GET_ISAKMP_GEN_LENGTH(pbuf) - ISAKMP_GEN_SZ;
445 - if (vlen != nat_t_hashsize) {
446 - LOG_DBG((LOG_EXCHANGE, 50, "nat_t_check_vendor_payload: "
447 - "bad size %lu != %lu", (unsigned long)vlen,
448 - (unsigned long)nat_t_hashsize));
452 - while (nat_t_hashes[i])
453 - if (memcmp(nat_t_hashes[i++], pbuf + ISAKMP_GEN_SZ,
454 + for (i = 0; i < NUMNATTCAP; i++) {
455 + if (vlen != isakmp_nat_t_cap[i].hashsize) {
456 + LOG_DBG((LOG_EXCHANGE, 50, "nat_t_check_vendor_payload: "
457 + "bad size %lu != %lu", (unsigned long)vlen,
458 + (unsigned long)isakmp_nat_t_cap[i].hashsize));
461 + if (memcmp(isakmp_nat_t_cap[i].hash, pbuf + ISAKMP_GEN_SZ,
463 /* This peer is NAT-T capable. */
464 msg->exchange->flags |= EXCHANGE_FLAG_NAT_T_CAP_PEER;
465 + msg->exchange->flags |= isakmp_nat_t_cap[i].flags;
466 LOG_DBG((LOG_EXCHANGE, 10,
467 "nat_t_check_vendor_payload: "
468 "NAT-T capable peer detected"));
478 struct ipsec_exch *ie = (struct ipsec_exch *)msg->exchange->data;
483 - int prf_type = PRF_HMAC; /* XXX */
485 hash = hash_get(ie->hash->type);
487 @@ -244,31 +227,25 @@
491 - prf = prf_alloc(prf_type, hash->type, msg->exchange->cookies,
492 - ISAKMP_HDR_COOKIES_LEN);
494 - log_print("nat_t_generate_nat_d_hash: prf_alloc failed");
497 + *hashlen = hash->hashsize;
499 - *hashlen = prf->blocksize;
500 res = (u_int8_t *)malloc((unsigned long)*hashlen);
502 log_print("nat_t_generate_nat_d_hash: malloc (%lu) failed",
503 (unsigned long)*hashlen);
509 port = sockaddr_port(sa);
510 - memset(res, 0, *hashlen);
512 - prf->Update(prf->prfctx, sockaddr_addrdata(sa), sockaddr_addrlen(sa));
513 - prf->Update(prf->prfctx, (unsigned char *)&port, sizeof port);
514 - prf->Final(res, prf->prfctx);
516 + bzero(res, *hashlen);
518 + hash->Init(hash->ctx);
519 + hash->Update(hash->ctx, msg->exchange->cookies,
520 + sizeof msg->exchange->cookies);
521 + hash->Update(hash->ctx, sockaddr_addrdata(sa), sockaddr_addrlen(sa));
522 + hash->Update(hash->ctx, (unsigned char *)&port, sizeof port);
523 + hash->Final(res, hash->ctx);
529 nat_t_add_nat_d(struct message *msg, struct sockaddr *sa)
532 u_int8_t *hbuf, *buf;
533 size_t hbuflen, buflen;
535 @@ -298,11 +276,19 @@
536 memcpy(buf + ISAKMP_NAT_D_DATA_OFF, hbuf, hbuflen);
539 - if (message_add_payload(msg, ISAKMP_PAYLOAD_NAT_D, buf, buflen, 1)) {
540 + if (msg->exchange->flags & EXCHANGE_FLAG_NAT_T_RFC)
541 + ret = message_add_payload(msg, ISAKMP_PAYLOAD_NAT_D, buf,
543 + else if (msg->exchange->flags & EXCHANGE_FLAG_NAT_T_DRAFT)
544 + ret = message_add_payload(msg, ISAKMP_PAYLOAD_NAT_D_DRAFT,
557 @@ -312,14 +298,14 @@
561 - msg->transport->vtbl->get_src(msg->transport, &sa);
562 + /* Remote address first. */
563 + msg->transport->vtbl->get_dst(msg->transport, &sa);
564 if (nat_t_add_nat_d(msg, sa))
567 - msg->transport->vtbl->get_dst(msg->transport, &sa);
568 + msg->transport->vtbl->get_src(msg->transport, &sa);
569 if (nat_t_add_nat_d(msg, sa))
576 * If there are no NAT-D payloads in the message, return "found"
577 * as this will avoid NAT-T (see nat_t_exchange_check_nat_d()).
579 - p = payload_first(msg, ISAKMP_PAYLOAD_NAT_D);
581 + if ((p = payload_first(msg, ISAKMP_PAYLOAD_NAT_D_DRAFT)) == NULL &&
582 + (p = payload_first(msg, ISAKMP_PAYLOAD_NAT_D)) == NULL)
585 hbuf = nat_t_generate_nat_d_hash(msg, sa, &hbuflen);
586 --- isakmpd-20041012.orig/udp_encap.c
587 +++ isakmpd-20041012/udp_encap.c
590 #define UDP_SIZE 65536
592 +#if defined(USE_NAT_TRAVERSAL) && defined (LINUX_IPSEC)
593 +#include <linux/socket.h>
594 +#include <linux/udp.h>
597 /* If a system doesn't have SO_REUSEPORT, SO_REUSEADDR will have to do. */
599 #define SO_REUSEPORT SO_REUSEADDR
601 if (sysdep_cleartext(s, laddr->sa_family) == -1)
604 +#if defined(USE_NAT_TRAVERSAL) && defined (LINUX_IPSEC)
609 + int option = UDP_ENCAP_ESPINUDP;
610 + if(setsockopt(s, SOL_UDP, UDP_ENCAP, &option,
611 + sizeof (option)) < 0)
616 /* Wildcard address ? */
617 switch (laddr->sa_family) {
619 --- isakmpd-20041012.orig/apps/Makefile
620 +++ isakmpd-20041012/apps/Makefile
625 -.include <bsd.subdir.mk>
626 +#.include <bsd.subdir.mk>
627 --- isakmpd-20041012.orig/apps/certpatch/GNUmakefile
628 +++ isakmpd-20041012/apps/certpatch/GNUmakefile
630 +# $OpenBSD: Makefile,v 1.7 2003/06/03 14:35:00 ho Exp $
631 +# $EOM: Makefile,v 1.6 2000/03/28 21:22:06 ho Exp $
634 +# Copyright (c) 1999 Niels Provos. All rights reserved.
635 +# Copyright (c) 2001 Niklas Hallqvist. All rights reserved.
637 +# Redistribution and use in source and binary forms, with or without
638 +# modification, are permitted provided that the following conditions
640 +# 1. Redistributions of source code must retain the above copyright
641 +# notice, this list of conditions and the following disclaimer.
642 +# 2. Redistributions in binary form must reproduce the above copyright
643 +# notice, this list of conditions and the following disclaimer in the
644 +# documentation and/or other materials provided with the distribution.
646 +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
647 +# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
648 +# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
649 +# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
650 +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
651 +# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
652 +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
653 +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
654 +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
655 +# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
659 +# This code was written under funding by Ericsson Radio Systems.
665 +TOPSRC= ${.CURDIR}../..
666 +TOPOBJ!= cd ${TOPSRC}; printf "all:\n\t@pwd\n" |${MAKE} -f-
668 +FEATURES!= awk '/^FEATURES=/ { print $$0 }' ${.CURDIR}/../../Makefile | sed 's/FEATURES=.//'
669 +.PATH: ${TOPSRC} ${TOPSRC}/sysdep/${OS} ${TOPOBJ}
670 +CFLAGS+= -I${TOPSRC} -I${TOPSRC}/sysdep/${OS} -I${TOPOBJ} -Wall
671 +LDFLAGS+= -lcrypto -lssl -lgmp
674 +CFLAGS+= -DMP_FLAVOUR=MP_FLAVOUR_GMP
678 +# Override LIBSYSDEPDIR definition from Makefile.sysdep
679 +LIBSYSDEPDIR= ${TOPSRC}/sysdep/common/libsysdep
685 --- isakmpd-20041012.orig/pf_key_v2.c
686 +++ isakmpd-20041012/pf_key_v2.c
687 @@ -1055,6 +1055,10 @@
689 #if defined (USE_NAT_TRAVERSAL) && defined (SADB_X_EXT_UDPENCAP)
690 struct sadb_x_udpencap udpencap;
691 +#elif defined (USE_NAT_TRAVERSAL) && defined (SADB_X_EXT_NAT_T_TYPE)
692 + struct sadb_x_nat_t_type nat_t_type;
693 + struct sadb_x_nat_t_port nat_t_sport;
694 + struct sadb_x_nat_t_port nat_t_dport;
698 @@ -1273,10 +1277,15 @@
699 log_print("pf_key_v2_set_spi: invalid proto %d", proto->proto);
704 sa->transport->vtbl->get_src(sa->transport, &dst);
706 + sa->transport->vtbl->get_dst(sa->transport, &src);
709 sa->transport->vtbl->get_dst(sa->transport, &dst);
710 + sa->transport->vtbl->get_src(sa->transport, &src);
714 msg.sadb_msg_seq = (incoming ?
715 pf_key_v2_seq_by_sa(proto->spi[incoming], sizeof ssa.sadb_sa_spi,
716 @@ -1319,12 +1328,13 @@
717 ssa.sadb_sa_flags = 0;
718 #ifdef SADB_X_SAFLAGS_TUNNEL
719 if (iproto->encap_mode == IPSEC_ENCAP_TUNNEL ||
720 - iproto->encap_mode == IPSEC_ENCAP_UDP_ENCAP_TUNNEL)
721 + iproto->encap_mode == IPSEC_ENCAP_UDP_ENCAP_TUNNEL ||
722 + iproto->encap_mode == IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT)
723 ssa.sadb_sa_flags = SADB_X_SAFLAGS_TUNNEL;
726 -#if defined (USE_NAT_TRAVERSAL) && defined (SADB_X_EXT_UDPENCAP)
727 if (isakmp_sa->flags & SA_FLAG_NAT_T_ENABLE) {
728 +#if defined (USE_NAT_TRAVERSAL) && defined (SADB_X_EXT_UDPENCAP)
729 memset(&udpencap, 0, sizeof udpencap);
730 ssa.sadb_sa_flags |= SADB_X_SAFLAGS_UDPENCAP;
731 udpencap.sadb_x_udpencap_exttype = SADB_X_EXT_UDPENCAP;
732 @@ -1334,8 +1344,40 @@
733 if (pf_key_v2_msg_add(update, (struct sadb_ext *)&udpencap, 0)
737 +#elif defined (USE_NAT_TRAVERSAL) && defined (SADB_X_EXT_NAT_T_TYPE)
738 +#ifndef UDP_ENCAP_ESPINUDP
739 +#define UDP_ENCAP_ESPINUDP 2
741 + memset(&nat_t_type, 0, sizeof nat_t_type);
742 + memset(&nat_t_sport, 0, sizeof nat_t_sport);
743 + memset(&nat_t_dport, 0, sizeof nat_t_dport);
745 + /* type = draft-udp-encap-06 */
746 + nat_t_type.sadb_x_nat_t_type_len = sizeof nat_t_type / PF_KEY_V2_CHUNK;
747 + nat_t_type.sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
748 + nat_t_type.sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
749 + if(pf_key_v2_msg_add(update, (struct sadb_ext *)&nat_t_type, 0) == -1)
753 + nat_t_sport.sadb_x_nat_t_port_len = sizeof nat_t_sport /
755 + nat_t_sport.sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
756 + nat_t_sport.sadb_x_nat_t_port_port = sockaddr_port(src);
757 + if(pf_key_v2_msg_add(update, (struct sadb_ext *)&nat_t_sport, 0) == -1)
760 + /* destination port */
761 + nat_t_dport.sadb_x_nat_t_port_len = sizeof nat_t_dport /
763 + nat_t_dport.sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
764 + nat_t_dport.sadb_x_nat_t_port_port = sockaddr_port(dst);
765 + if(pf_key_v2_msg_add(update, (struct sadb_ext *)&nat_t_dport, 0) == -1)
768 + /* original address (transport mode checksum missing info) goes here */
772 if (pf_key_v2_msg_add(update, (struct sadb_ext *)&ssa, 0) == -1)
774 @@ -1395,10 +1437,6 @@
776 * Setup the ADDRESS extensions.
779 - sa->transport->vtbl->get_dst(sa->transport, &src);
781 - sa->transport->vtbl->get_src(sa->transport, &src);
782 len = sizeof *addr + PF_KEY_V2_ROUND(sysdep_sa_len(src));
783 addr = calloc(1, len);
785 @@ -2167,7 +2205,7 @@
786 pf_key_v2_msg_free(ret);
789 -#elif defined (SADB_X_SPDADD) && defined (SADB_X_SPDDELETE)
790 +#elif defined (SADB_X_SPDUPDATE) && defined (SADB_X_SPDDELETE)
792 struct sadb_x_policy *policy = 0;
793 struct sadb_x_ipsecrequest *ipsecrequest;
794 @@ -2181,7 +2219,7 @@
795 struct sockaddr_in *ip4_sa;
796 struct sockaddr_in6 *ip6_sa;
798 - msg.sadb_msg_type = delete ? SADB_X_SPDDELETE : SADB_X_SPDADD;
799 + msg.sadb_msg_type = delete ? SADB_X_SPDDELETE : SADB_X_SPDUPDATE;
800 msg.sadb_msg_satype = SADB_SATYPE_UNSPEC;
801 msg.sadb_msg_seq = 0;
802 flow = pf_key_v2_msg_new(&msg, 0);
803 --- isakmpd-20041012.orig/isakmp_num.cst
804 +++ isakmpd-20041012/isakmp_num.cst
806 KD 17 # RFC 3547, Key Download
807 SEQ 18 # RFC 3547, Sequence Number
808 POP 19 # RFC 3547, Proof of possession
810 + NAT_D 20 # RFC 3947, NAT Discovery payload
811 + NAT_OA 21 # RFC 3947, NAT Original Address payload
815 # XXX values from draft-ietf-ipsec-nat-t-ike-01,02,03. Later drafts specify
816 # XXX NAT_D as payload 15 and NAT_OA as 16, but these are allocated by RFC
817 # XXX 3547 as seen above.
818 - NAT_D 130 # NAT Discovery payload
819 - NAT_OA 131 # NAT Original Address payload
820 + NAT_D_DRAFT 130 # NAT Discovery payload
821 + NAT_OA_DRAFT 131 # NAT Original Address payload
826 # ISAKMP exchange types.
827 --- isakmpd-20041012.orig/ipsec_num.cst
828 +++ isakmpd-20041012/ipsec_num.cst
833 - FUTURE_UDP_ENCAP_TUNNEL 3 # XXX Not yet assigned
834 - FUTURE_UDP_ENCAP_TRANSPORT 4 # XXX Not yet assigned
835 - UDP_ENCAP_TUNNEL 61443 # draft-ietf-ipsec-nat-t-ike
836 - UDP_ENCAP_TRANSPORT 61443 # draft-ietf-ipsec-nat-t-ike
838 + UDP_ENCAP_TRANSPORT 4
839 + UDP_ENCAP_TUNNEL_DRAFT 61443 # draft-ietf-ipsec-nat-t-ike
840 + UDP_ENCAP_TRANSPORT_DRAFT 61443 # draft-ietf-ipsec-nat-t-ike
843 # IPSEC authentication algorithm.
844 --- isakmpd-20041012.orig/nat_traversal.h
845 +++ isakmpd-20041012/nat_traversal.h
847 -/* $OpenBSD: nat_traversal.h,v 1.2 2004/06/21 23:27:10 ho Exp $ */
848 +/* $OpenBSD: nat_traversal.h,v 1.4 2005/07/25 15:03:47 hshoexer Exp $ */
851 * Copyright (c) 2004 HÃ¥kan Olsson. All rights reserved.
853 #ifndef _NAT_TRAVERSAL_H_
854 #define _NAT_TRAVERSAL_H_
856 +#define VID_DRAFT_V2 0
857 +#define VID_DRAFT_V2_N 1
858 +#define VID_DRAFT_V3 2
859 +#define VID_RFC3947 3
870 + * Set if -T is given on the command line to disable NAT-T support.
872 +extern int disable_nat_t;
874 void nat_t_init(void);
875 int nat_t_add_vendor_payloads(struct message *);
876 void nat_t_check_vendor_payload(struct message *, struct payload *);
877 --- isakmpd-20041012.orig/message.c
878 +++ isakmpd-20041012/message.c
880 message_validate_hash, message_validate_sig, message_validate_nonce,
881 message_validate_notify, message_validate_delete,
882 message_validate_vendor, message_validate_attribute,
883 + message_validate_nat_d, message_validate_nat_oa,
884 message_validate_nat_d, message_validate_nat_oa
888 isakmp_id_fld, isakmp_cert_fld, isakmp_certreq_fld, isakmp_hash_fld,
889 isakmp_sig_fld, isakmp_nonce_fld, isakmp_notify_fld, isakmp_delete_fld,
890 isakmp_vendor_fld, isakmp_attribute_fld, isakmp_nat_d_fld,
892 + isakmp_nat_oa_fld, isakmp_nat_d_fld, isakmp_nat_oa_fld
897 ISAKMP_PAYLOAD_SAK, ISAKMP_PAYLOAD_SAT, ISAKMP_PAYLOAD_KD,
898 ISAKMP_PAYLOAD_SEQ, ISAKMP_PAYLOAD_POP
900 - ISAKMP_PAYLOAD_NAT_D, ISAKMP_PAYLOAD_NAT_OA
901 + ISAKMP_PAYLOAD_NAT_D, ISAKMP_PAYLOAD_NAT_OA,
902 + ISAKMP_PAYLOAD_NAT_D_DRAFT, ISAKMP_PAYLOAD_NAT_OA_DRAFT
905 static u_int8_t payload_map[256];
908 /* Ignore most private payloads. */
909 if (next >= ISAKMP_PAYLOAD_PRIVATE_MIN &&
910 - next != ISAKMP_PAYLOAD_NAT_D &&
911 - next != ISAKMP_PAYLOAD_NAT_OA) {
912 + next != ISAKMP_PAYLOAD_NAT_D_DRAFT &&
913 + next != ISAKMP_PAYLOAD_NAT_OA_DRAFT) {
914 LOG_DBG((LOG_MESSAGE, 30, "message_parse_payloads: "
915 "private next payload type %s in payload of "
918 return ISAKMP_ATTRIBUTE_SZ;
919 #if defined (USE_NAT_TRAVERSAL)
920 case ISAKMP_PAYLOAD_NAT_D:
921 + case ISAKMP_PAYLOAD_NAT_D_DRAFT:
922 return ISAKMP_NAT_D_SZ;
923 case ISAKMP_PAYLOAD_NAT_OA:
924 + case ISAKMP_PAYLOAD_NAT_OA_DRAFT:
925 return ISAKMP_NAT_OA_SZ;
927 /* Not yet supported and any other unknown payloads. */
928 --- isakmpd-20041012.orig/policy.c
929 +++ isakmpd-20041012/policy.c
933 #if defined (USE_NAT_TRAVERSAL)
934 - else if (decode_16(value) == IPSEC_ENCAP_UDP_ENCAP_TUNNEL)
935 + else if (decode_16(value) ==
936 + IPSEC_ENCAP_UDP_ENCAP_TUNNEL ||
937 + decode_16(value) ==
938 + IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT)
939 switch (proto->proto) {
940 case IPSEC_PROTO_IPSEC_AH:
941 ah_encapsulation = "udp-encap-tunnel";
942 @@ -1932,7 +1935,7 @@
946 - char *ptr, *policy_file;
947 + char *ptr, *policy_file, *use_keynote;
951 @@ -1940,10 +1943,11 @@
952 LOG_DBG((LOG_POLICY, 30, "policy_init: initializing"));
954 /* Do we want to use the policy modules? */
955 - if (ignore_policy ||
956 - strncmp("yes", conf_get_str("General", "Use-Keynote"), 3))
959 + use_keynote = conf_get_str("General", "Use-Keynote");
960 + if (ignore_policy ||
961 + (use_keynote && strncmp("yes", use_keynote, 3)))
964 /* Get policy file from configuration. */
965 policy_file = conf_get_str("General", "Policy-file");
967 --- isakmpd-20041012.orig/ike_phase_1.c
968 +++ isakmpd-20041012/ike_phase_1.c
969 @@ -1040,9 +1040,9 @@
971 /* Compare expected/desired and received remote ID */
972 if (bcmp(rid, payload->p + ISAKMP_ID_DATA_OFF, sz)) {
974 log_print("ike_phase_1_recv_ID: "
975 - "received remote ID other than expected %s", p);
976 + "received remote ID other than expected %s - %s", p, payload->p);
981 --- isakmpd-20041012.orig/x509.c
982 +++ isakmpd-20041012/x509.c
984 X509_STORE_CTX_init(&csc, x509_cas, cert, NULL);
985 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
986 /* XXX See comment in x509_read_crls_from_dir. */
987 +#if OPENSSL_VERSION_NUMBER >= 0x00908000L
988 + if (x509_cas->param->flags & X509_V_FLAG_CRL_CHECK) {
990 if (x509_cas->flags & X509_V_FLAG_CRL_CHECK) {
992 X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK);
993 X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK_ALL);
995 --- isakmpd-20041012.orig/sysdep/linux/sysdep.c
996 +++ isakmpd-20041012/sysdep/linux/sysdep.c
997 @@ -169,22 +169,22 @@
1000 if (!(af == AF_INET || af == AF_INET6))
1003 log_print ("sysdep_cleartext: unsupported protocol family %d", af);
1007 if (setsockopt (fd, af == AF_INET ? IPPROTO_IP : IPPROTO_IPV6,
1008 - af == AF_INET ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY,
1009 - &pol_in, sizeof pol_in) < 0 ||
1010 + af == AF_INET ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY,
1011 + &pol_in, sizeof pol_in) < 0 ||
1012 setsockopt (fd, af == AF_INET ? IPPROTO_IP : IPPROTO_IPV6,
1013 - af == AF_INET ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY,
1014 - &pol_out, sizeof pol_out) < 0)
1016 + af == AF_INET ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY,
1017 + &pol_out, sizeof pol_out) < 0)
1019 log_error ("sysdep_cleartext: "
1020 - "setsockopt (%d, IPPROTO_IP%s, IP%s_IPSEC_POLICY, ...) "
1021 - "failed", fd, af == AF_INET ? "" : "V6",
1022 - af == AF_INET ? "" : "V6");
1023 + "setsockopt (%d, IPPROTO_IP%s, IP%s_IPSEC_POLICY, ...) "
1024 + "failed", fd, af == AF_INET ? "" : "V6",
1025 + af == AF_INET ? "" : "V6");
1029 --- isakmpd-20041012.orig/sysdep/linux/GNUmakefile.sysdep
1030 +++ isakmpd-20041012/sysdep/linux/GNUmakefile.sysdep
1032 LDADD+= -lgmp ${LIBSYSDEP} ${LIBCRYPTO}
1033 DPADD+= ${LIBGMP} ${LIBSYSDEP}
1035 -CFLAGS+= -DUSE_OLD_SOCKADDR -DHAVE_PCAP \
1036 - -DNEED_SYSDEP_APP -DMP_FLAVOUR=MP_FLAVOUR_GMP \
1037 - -I/usr/src/linux/include -I${.CURDIR}/sysdep/common \
1038 +CFLAGS+= -DHAVE_GETNAMEINFO -DUSE_OLD_SOCKADDR -DHAVE_PCAP \
1039 + -DNEED_SYSDEP_APP -DMP_FLAVOUR=MP_FLAVOUR_GMP -DUSE_AES \
1040 + -I${.CURDIR}/sysdep/linux/include -I${.CURDIR}/sysdep/common \
1041 -I/usr/include/openssl
1043 FEATURES= debug tripledes blowfish cast ec aggressive x509 policy
1045 +FEATURES+= dpd nat_traversal isakmp_cfg des aes
1047 IPSEC_SRCS= pf_key_v2.c
1048 IPSEC_CFLAGS= -DUSE_PF_KEY_V2
1050 # hack libsysdep.a dependenc
1051 ${LIBSYSDEPDIR}/.depend ${LIBSYSDEP}:
1052 cd ${LIBSYSDEPDIR} && \
1053 - ${MAKE} --no-print-directory ${MAKEFLAGS} \
1054 + ${MAKE} --no-print-directory \
1055 CFLAGS="${CFLAGS}" MKDEP="${MKDEP}" ${MAKECMDGOALS}
1057 ifeq ($(findstring clean,$(MAKECMDGOALS)),clean)
1058 --- isakmpd-20041012.orig/sysdep/linux/include/bitstring.h
1059 +++ isakmpd-20041012/sysdep/linux/include/bitstring.h
1061 +/* $OpenBSD: bitstring.h,v 1.4 2002/06/19 02:50:10 millert Exp $ */
1062 +/* $NetBSD: bitstring.h,v 1.5 1997/05/14 15:49:55 pk Exp $ */
1065 + * Copyright (c) 1989, 1993
1066 + * The Regents of the University of California. All rights reserved.
1068 + * This code is derived from software contributed to Berkeley by
1071 + * Redistribution and use in source and binary forms, with or without
1072 + * modification, are permitted provided that the following conditions
1074 + * 1. Redistributions of source code must retain the above copyright
1075 + * notice, this list of conditions and the following disclaimer.
1076 + * 2. Redistributions in binary form must reproduce the above copyright
1077 + * notice, this list of conditions and the following disclaimer in the
1078 + * documentation and/or other materials provided with the distribution.
1079 + * 3. All advertising materials mentioning features or use of this software
1080 + * must display the following acknowledgement:
1081 + * This product includes software developed by the University of
1082 + * California, Berkeley and its contributors.
1083 + * 4. Neither the name of the University nor the names of its contributors
1084 + * may be used to endorse or promote products derived from this software
1085 + * without specific prior written permission.
1087 + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
1088 + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1089 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1090 + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
1091 + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
1092 + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1093 + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1094 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1095 + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1096 + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1099 + * @(#)bitstring.h 8.1 (Berkeley) 7/19/93
1102 +#ifndef _BITSTRING_H_
1103 +#define _BITSTRING_H_
1105 +/* modified for SV/AT and bitstring bugfix by M.R.Murphy, 11oct91
1106 + * bitstr_size changed gratuitously, but shorter
1107 + * bit_alloc spelling error fixed
1108 + * the following were efficient, but didn't work, they've been made to
1109 + * work, but are no longer as efficient :-)
1110 + * bit_nclear, bit_nset, bit_ffc, bit_ffs
1112 +typedef unsigned char bitstr_t;
1114 +/* internal macros */
1115 + /* byte of the bitstring bit is in */
1116 +#define _bit_byte(bit) \
1119 + /* mask for the bit within its byte */
1120 +#define _bit_mask(bit) \
1121 + (1 << ((bit)&0x7))
1123 +/* external macros */
1124 + /* bytes in a bitstring of nbits bits */
1125 +#define bitstr_size(nbits) \
1126 + (((nbits) + 7) >> 3)
1128 + /* allocate a bitstring */
1129 +#define bit_alloc(nbits) \
1130 + (bitstr_t *)calloc((size_t)bitstr_size(nbits), sizeof(bitstr_t))
1132 + /* allocate a bitstring on the stack */
1133 +#define bit_decl(name, nbits) \
1134 + ((name)[bitstr_size(nbits)])
1136 + /* is bit N of bitstring name set? */
1137 +#define bit_test(name, bit) \
1138 + ((name)[_bit_byte(bit)] & _bit_mask(bit))
1140 + /* set bit N of bitstring name */
1141 +#define bit_set(name, bit) \
1142 + ((name)[_bit_byte(bit)] |= _bit_mask(bit))
1144 + /* clear bit N of bitstring name */
1145 +#define bit_clear(name, bit) \
1146 + ((name)[_bit_byte(bit)] &= ~_bit_mask(bit))
1148 + /* clear bits start ... stop in bitstring */
1149 +#define bit_nclear(name, start, stop) do { \
1150 + register bitstr_t *_name = name; \
1151 + register int _start = start, _stop = stop; \
1152 + while (_start <= _stop) { \
1153 + bit_clear(_name, _start); \
1158 + /* set bits start ... stop in bitstring */
1159 +#define bit_nset(name, start, stop) do { \
1160 + register bitstr_t *_name = name; \
1161 + register int _start = start, _stop = stop; \
1162 + while (_start <= _stop) { \
1163 + bit_set(_name, _start); \
1168 + /* find first bit clear in name */
1169 +#define bit_ffc(name, nbits, value) do { \
1170 + register bitstr_t *_name = name; \
1171 + register int _bit, _nbits = nbits, _value = -1; \
1172 + for (_bit = 0; _bit < _nbits; ++_bit) \
1173 + if (!bit_test(_name, _bit)) { \
1177 + *(value) = _value; \
1180 + /* find first bit set in name */
1181 +#define bit_ffs(name, nbits, value) do { \
1182 + register bitstr_t *_name = name; \
1183 + register int _bit, _nbits = nbits, _value = -1; \
1184 + for (_bit = 0; _bit < _nbits; ++_bit) \
1185 + if (bit_test(_name, _bit)) { \
1189 + *(value) = _value; \
1192 +#endif /* !_BITSTRING_H_ */
1193 --- isakmpd-20041012.orig/sysdep/linux/include/sys/queue.h
1194 +++ isakmpd-20041012/sysdep/linux/include/sys/queue.h
1197 + * Copyright (c) 1991, 1993
1198 + * The Regents of the University of California. All rights reserved.
1200 + * Redistribution and use in source and binary forms, with or without
1201 + * modification, are permitted provided that the following conditions
1203 + * 1. Redistributions of source code must retain the above copyright
1204 + * notice, this list of conditions and the following disclaimer.
1205 + * 2. Redistributions in binary form must reproduce the above copyright
1206 + * notice, this list of conditions and the following disclaimer in the
1207 + * documentation and/or other materials provided with the distribution.
1208 + * 3. All advertising materials mentioning features or use of this software
1209 + * must display the following acknowledgement:
1210 + * This product includes software developed by the University of
1211 + * California, Berkeley and its contributors.
1212 + * 4. Neither the name of the University nor the names of its contributors
1213 + * may be used to endorse or promote products derived from this software
1214 + * without specific prior written permission.
1216 + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
1217 + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1218 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1219 + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
1220 + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
1221 + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1222 + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1223 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1224 + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1225 + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1228 + * @(#)queue.h 8.5 (Berkeley) 8/20/94
1229 + * $FreeBSD: src/sys/sys/queue.h,v 1.45 2001/12/11 11:49:58 sheldonh Exp $
1232 +#ifndef _SYS_QUEUE_H_
1233 +#define _SYS_QUEUE_H_
1235 +//#include <machine/ansi.h> /* for __offsetof */
1238 + * This file defines four types of data structures: singly-linked lists,
1239 + * singly-linked tail queues, lists and tail queues.
1241 + * A singly-linked list is headed by a single forward pointer. The elements
1242 + * are singly linked for minimum space and pointer manipulation overhead at
1243 + * the expense of O(n) removal for arbitrary elements. New elements can be
1244 + * added to the list after an existing element or at the head of the list.
1245 + * Elements being removed from the head of the list should use the explicit
1246 + * macro for this purpose for optimum efficiency. A singly-linked list may
1247 + * only be traversed in the forward direction. Singly-linked lists are ideal
1248 + * for applications with large datasets and few or no removals or for
1249 + * implementing a LIFO queue.
1251 + * A singly-linked tail queue is headed by a pair of pointers, one to the
1252 + * head of the list and the other to the tail of the list. The elements are
1253 + * singly linked for minimum space and pointer manipulation overhead at the
1254 + * expense of O(n) removal for arbitrary elements. New elements can be added
1255 + * to the list after an existing element, at the head of the list, or at the
1256 + * end of the list. Elements being removed from the head of the tail queue
1257 + * should use the explicit macro for this purpose for optimum efficiency.
1258 + * A singly-linked tail queue may only be traversed in the forward direction.
1259 + * Singly-linked tail queues are ideal for applications with large datasets
1260 + * and few or no removals or for implementing a FIFO queue.
1262 + * A list is headed by a single forward pointer (or an array of forward
1263 + * pointers for a hash table header). The elements are doubly linked
1264 + * so that an arbitrary element can be removed without a need to
1265 + * traverse the list. New elements can be added to the list before
1266 + * or after an existing element or at the head of the list. A list
1267 + * may only be traversed in the forward direction.
1269 + * A tail queue is headed by a pair of pointers, one to the head of the
1270 + * list and the other to the tail of the list. The elements are doubly
1271 + * linked so that an arbitrary element can be removed without a need to
1272 + * traverse the list. New elements can be added to the list before or
1273 + * after an existing element, at the head of the list, or at the end of
1274 + * the list. A tail queue may be traversed in either direction.
1276 + * For details on the use of these macros, see the queue(3) manual page.
1279 + * SLIST LIST STAILQ TAILQ
1281 + * _HEAD_INITIALIZER + + + +
1289 + * _FOREACH + + + +
1290 + * _FOREACH_REVERSE - - - +
1291 + * _INSERT_HEAD + + + +
1292 + * _INSERT_BEFORE - + - +
1293 + * _INSERT_AFTER + + + +
1294 + * _INSERT_TAIL - - + +
1295 + * _REMOVE_HEAD + - + -
1301 + * Singly-linked List declarations.
1303 +#define SLIST_HEAD(name, type) \
1305 + struct type *slh_first; /* first element */ \
1308 +#define SLIST_HEAD_INITIALIZER(head) \
1311 +#define SLIST_ENTRY(type) \
1313 + struct type *sle_next; /* next element */ \
1317 + * Singly-linked List functions.
1319 +#define SLIST_EMPTY(head) ((head)->slh_first == NULL)
1321 +#define SLIST_FIRST(head) ((head)->slh_first)
1323 +#define SLIST_FOREACH(var, head, field) \
1324 + for ((var) = SLIST_FIRST((head)); \
1326 + (var) = SLIST_NEXT((var), field))
1328 +#define SLIST_INIT(head) do { \
1329 + SLIST_FIRST((head)) = NULL; \
1332 +#define SLIST_INSERT_AFTER(slistelm, elm, field) do { \
1333 + SLIST_NEXT((elm), field) = SLIST_NEXT((slistelm), field); \
1334 + SLIST_NEXT((slistelm), field) = (elm); \
1337 +#define SLIST_INSERT_HEAD(head, elm, field) do { \
1338 + SLIST_NEXT((elm), field) = SLIST_FIRST((head)); \
1339 + SLIST_FIRST((head)) = (elm); \
1342 +#define SLIST_NEXT(elm, field) ((elm)->field.sle_next)
1344 +#define SLIST_REMOVE(head, elm, type, field) do { \
1345 + if (SLIST_FIRST((head)) == (elm)) { \
1346 + SLIST_REMOVE_HEAD((head), field); \
1349 + struct type *curelm = SLIST_FIRST((head)); \
1350 + while (SLIST_NEXT(curelm, field) != (elm)) \
1351 + curelm = SLIST_NEXT(curelm, field); \
1352 + SLIST_NEXT(curelm, field) = \
1353 + SLIST_NEXT(SLIST_NEXT(curelm, field), field); \
1357 +#define SLIST_REMOVE_HEAD(head, field) do { \
1358 + SLIST_FIRST((head)) = SLIST_NEXT(SLIST_FIRST((head)), field); \
1362 + * Singly-linked Tail queue declarations.
1364 +#define STAILQ_HEAD(name, type) \
1366 + struct type *stqh_first;/* first element */ \
1367 + struct type **stqh_last;/* addr of last next element */ \
1370 +#define STAILQ_HEAD_INITIALIZER(head) \
1371 + { NULL, &(head).stqh_first }
1373 +#define STAILQ_ENTRY(type) \
1375 + struct type *stqe_next; /* next element */ \
1379 + * Singly-linked Tail queue functions.
1381 +#define STAILQ_EMPTY(head) ((head)->stqh_first == NULL)
1383 +#define STAILQ_FIRST(head) ((head)->stqh_first)
1385 +#define STAILQ_FOREACH(var, head, field) \
1386 + for((var) = STAILQ_FIRST((head)); \
1388 + (var) = STAILQ_NEXT((var), field))
1390 +#define STAILQ_INIT(head) do { \
1391 + STAILQ_FIRST((head)) = NULL; \
1392 + (head)->stqh_last = &STAILQ_FIRST((head)); \
1395 +#define STAILQ_INSERT_AFTER(head, tqelm, elm, field) do { \
1396 + if ((STAILQ_NEXT((elm), field) = STAILQ_NEXT((tqelm), field)) == NULL)\
1397 + (head)->stqh_last = &STAILQ_NEXT((elm), field); \
1398 + STAILQ_NEXT((tqelm), field) = (elm); \
1401 +#define STAILQ_INSERT_HEAD(head, elm, field) do { \
1402 + if ((STAILQ_NEXT((elm), field) = STAILQ_FIRST((head))) == NULL) \
1403 + (head)->stqh_last = &STAILQ_NEXT((elm), field); \
1404 + STAILQ_FIRST((head)) = (elm); \
1407 +#define STAILQ_INSERT_TAIL(head, elm, field) do { \
1408 + STAILQ_NEXT((elm), field) = NULL; \
1409 + *(head)->stqh_last = (elm); \
1410 + (head)->stqh_last = &STAILQ_NEXT((elm), field); \
1413 +#define STAILQ_LAST(head, type, field) \
1414 + (STAILQ_EMPTY(head) ? \
1416 + ((struct type *) \
1417 + ((char *)((head)->stqh_last) - __offsetof(struct type, field))))
1419 +#define STAILQ_NEXT(elm, field) ((elm)->field.stqe_next)
1421 +#define STAILQ_REMOVE(head, elm, type, field) do { \
1422 + if (STAILQ_FIRST((head)) == (elm)) { \
1423 + STAILQ_REMOVE_HEAD(head, field); \
1426 + struct type *curelm = STAILQ_FIRST((head)); \
1427 + while (STAILQ_NEXT(curelm, field) != (elm)) \
1428 + curelm = STAILQ_NEXT(curelm, field); \
1429 + if ((STAILQ_NEXT(curelm, field) = \
1430 + STAILQ_NEXT(STAILQ_NEXT(curelm, field), field)) == NULL)\
1431 + (head)->stqh_last = &STAILQ_NEXT((curelm), field);\
1435 +#define STAILQ_REMOVE_HEAD(head, field) do { \
1436 + if ((STAILQ_FIRST((head)) = \
1437 + STAILQ_NEXT(STAILQ_FIRST((head)), field)) == NULL) \
1438 + (head)->stqh_last = &STAILQ_FIRST((head)); \
1441 +#define STAILQ_REMOVE_HEAD_UNTIL(head, elm, field) do { \
1442 + if ((STAILQ_FIRST((head)) = STAILQ_NEXT((elm), field)) == NULL) \
1443 + (head)->stqh_last = &STAILQ_FIRST((head)); \
1447 + * List declarations.
1449 +#define LIST_HEAD(name, type) \
1451 + struct type *lh_first; /* first element */ \
1454 +#define LIST_HEAD_INITIALIZER(head) \
1457 +#define LIST_ENTRY(type) \
1459 + struct type *le_next; /* next element */ \
1460 + struct type **le_prev; /* address of previous next element */ \
1467 +#define LIST_EMPTY(head) ((head)->lh_first == NULL)
1469 +#define LIST_FIRST(head) ((head)->lh_first)
1471 +#define LIST_FOREACH(var, head, field) \
1472 + for ((var) = LIST_FIRST((head)); \
1474 + (var) = LIST_NEXT((var), field))
1476 +#define LIST_INIT(head) do { \
1477 + LIST_FIRST((head)) = NULL; \
1480 +#define LIST_INSERT_AFTER(listelm, elm, field) do { \
1481 + if ((LIST_NEXT((elm), field) = LIST_NEXT((listelm), field)) != NULL)\
1482 + LIST_NEXT((listelm), field)->field.le_prev = \
1483 + &LIST_NEXT((elm), field); \
1484 + LIST_NEXT((listelm), field) = (elm); \
1485 + (elm)->field.le_prev = &LIST_NEXT((listelm), field); \
1488 +#define LIST_INSERT_BEFORE(listelm, elm, field) do { \
1489 + (elm)->field.le_prev = (listelm)->field.le_prev; \
1490 + LIST_NEXT((elm), field) = (listelm); \
1491 + *(listelm)->field.le_prev = (elm); \
1492 + (listelm)->field.le_prev = &LIST_NEXT((elm), field); \
1495 +#define LIST_INSERT_HEAD(head, elm, field) do { \
1496 + if ((LIST_NEXT((elm), field) = LIST_FIRST((head))) != NULL) \
1497 + LIST_FIRST((head))->field.le_prev = &LIST_NEXT((elm), field);\
1498 + LIST_FIRST((head)) = (elm); \
1499 + (elm)->field.le_prev = &LIST_FIRST((head)); \
1502 +#define LIST_NEXT(elm, field) ((elm)->field.le_next)
1504 +#define LIST_REMOVE(elm, field) do { \
1505 + if (LIST_NEXT((elm), field) != NULL) \
1506 + LIST_NEXT((elm), field)->field.le_prev = \
1507 + (elm)->field.le_prev; \
1508 + *(elm)->field.le_prev = LIST_NEXT((elm), field); \
1512 + * Tail queue declarations.
1514 +#define TAILQ_HEAD(name, type) \
1516 + struct type *tqh_first; /* first element */ \
1517 + struct type **tqh_last; /* addr of last next element */ \
1520 +#define TAILQ_HEAD_INITIALIZER(head) \
1521 + { NULL, &(head).tqh_first }
1523 +#define TAILQ_ENTRY(type) \
1525 + struct type *tqe_next; /* next element */ \
1526 + struct type **tqe_prev; /* address of previous next element */ \
1530 + * Tail queue functions.
1532 +#define TAILQ_EMPTY(head) ((head)->tqh_first == NULL)
1534 +#define TAILQ_FIRST(head) ((head)->tqh_first)
1536 +#define TAILQ_FOREACH(var, head, field) \
1537 + for ((var) = TAILQ_FIRST((head)); \
1539 + (var) = TAILQ_NEXT((var), field))
1541 +#define TAILQ_FOREACH_REVERSE(var, head, headname, field) \
1542 + for ((var) = TAILQ_LAST((head), headname); \
1544 + (var) = TAILQ_PREV((var), headname, field))
1546 +#define TAILQ_INIT(head) do { \
1547 + TAILQ_FIRST((head)) = NULL; \
1548 + (head)->tqh_last = &TAILQ_FIRST((head)); \
1551 +#define TAILQ_INSERT_AFTER(head, listelm, elm, field) do { \
1552 + if ((TAILQ_NEXT((elm), field) = TAILQ_NEXT((listelm), field)) != NULL)\
1553 + TAILQ_NEXT((elm), field)->field.tqe_prev = \
1554 + &TAILQ_NEXT((elm), field); \
1556 + (head)->tqh_last = &TAILQ_NEXT((elm), field); \
1557 + TAILQ_NEXT((listelm), field) = (elm); \
1558 + (elm)->field.tqe_prev = &TAILQ_NEXT((listelm), field); \
1561 +#define TAILQ_INSERT_BEFORE(listelm, elm, field) do { \
1562 + (elm)->field.tqe_prev = (listelm)->field.tqe_prev; \
1563 + TAILQ_NEXT((elm), field) = (listelm); \
1564 + *(listelm)->field.tqe_prev = (elm); \
1565 + (listelm)->field.tqe_prev = &TAILQ_NEXT((elm), field); \
1568 +#define TAILQ_INSERT_HEAD(head, elm, field) do { \
1569 + if ((TAILQ_NEXT((elm), field) = TAILQ_FIRST((head))) != NULL) \
1570 + TAILQ_FIRST((head))->field.tqe_prev = \
1571 + &TAILQ_NEXT((elm), field); \
1573 + (head)->tqh_last = &TAILQ_NEXT((elm), field); \
1574 + TAILQ_FIRST((head)) = (elm); \
1575 + (elm)->field.tqe_prev = &TAILQ_FIRST((head)); \
1578 +#define TAILQ_INSERT_TAIL(head, elm, field) do { \
1579 + TAILQ_NEXT((elm), field) = NULL; \
1580 + (elm)->field.tqe_prev = (head)->tqh_last; \
1581 + *(head)->tqh_last = (elm); \
1582 + (head)->tqh_last = &TAILQ_NEXT((elm), field); \
1585 +#define TAILQ_LAST(head, headname) \
1586 + (*(((struct headname *)((head)->tqh_last))->tqh_last))
1588 +#define TAILQ_NEXT(elm, field) ((elm)->field.tqe_next)
1590 +#define TAILQ_PREV(elm, headname, field) \
1591 + (*(((struct headname *)((elm)->field.tqe_prev))->tqh_last))
1593 +#define TAILQ_REMOVE(head, elm, field) do { \
1594 + if ((TAILQ_NEXT((elm), field)) != NULL) \
1595 + TAILQ_NEXT((elm), field)->field.tqe_prev = \
1596 + (elm)->field.tqe_prev; \
1598 + (head)->tqh_last = (elm)->field.tqe_prev; \
1599 + *(elm)->field.tqe_prev = TAILQ_NEXT((elm), field); \
1606 + * XXX insque() and remque() are an old way of handling certain queues.
1607 + * They bogusly assumes that all queue heads look alike.
1611 + struct quehead *qh_link;
1612 + struct quehead *qh_rlink;
1617 +static __inline void
1618 +insque(void *a, void *b)
1620 + struct quehead *element = (struct quehead *)a,
1621 + *head = (struct quehead *)b;
1623 + element->qh_link = head->qh_link;
1624 + element->qh_rlink = head;
1625 + head->qh_link = element;
1626 + element->qh_link->qh_rlink = element;
1629 +static __inline void
1632 + struct quehead *element = (struct quehead *)a;
1634 + element->qh_link->qh_rlink = element->qh_rlink;
1635 + element->qh_rlink->qh_link = element->qh_link;
1636 + element->qh_rlink = 0;
1639 +#else /* !__GNUC__ */
1641 +void insque __P((void *a, void *b));
1642 +void remque __P((void *a));
1644 +#endif /* __GNUC__ */
1646 +#endif /* _KERNEL */
1648 +#endif /* !_SYS_QUEUE_H_ */
1649 --- isakmpd-20041012.orig/sysdep/common/pcap.h
1650 +++ isakmpd-20041012/sysdep/common/pcap.h
1652 u_int32_t linktype; /* data link type (DLT_*) */
1655 +struct pcap_timeval {
1656 + int32_t tv_sec; /* seconds */
1657 + int32_t tv_usec; /* microseconds */
1660 struct pcap_pkthdr {
1661 - struct timeval ts; /* time stamp */
1662 + struct pcap_timeval ts; /* time stamp */
1663 u_int32_t caplen; /* length of portion present */
1664 u_int32_t len; /* length this packet (off wire) */
1666 --- isakmpd-20041012.orig/sysdep/common/libsysdep/arc4random.c
1667 +++ isakmpd-20041012/sysdep/common/libsysdep/arc4random.c
1670 arc4_stir(struct arc4_stream *as)
1676 u_int8_t rnd[128 - sizeof(struct timeval)];
1677 --- isakmpd-20041012.orig/x509v3.cnf
1678 +++ isakmpd-20041012/x509v3.cnf
1682 +CERTUSAGE = digitalSignature,keyCertSign
1684 +CERTFQDN = nohost.nodomain
1686 +# This section should be referenced when building an x509v3 CA
1688 +# The default path length and the key usage can be overriden
1689 +# modified by setting the CERTPATHLEN and CERTUSAGE environment
1692 +basicConstraints=critical,CA:true,pathlen:$ENV::CERTPATHLEN
1693 +keyUsage=$ENV::CERTUSAGE
1695 +# This section should be referenced to add an IP Address
1696 +# as an alternate subject name, needed by isakmpd
1697 +# The address must be provided in the CERTIP environment variable
1699 +subjectAltName=IP:$ENV::CERTIP
1701 +# This section should be referenced to add a FQDN hostname
1702 +# as an alternate subject name, needed by isakmpd
1703 +# The address must be provided in the CERTFQDN environment variable
1705 +subjectAltName=DNS:$ENV::CERTFQDN
projects / openwrt.git / blob