mirror of
https://gitlab.alpinelinux.org/alpine/aports.git
synced 2025-12-28 12:51:44 +01:00
787 lines
23 KiB
Diff
787 lines
23 KiB
Diff
Index: ipsec-tools-cvs-HEAD/src/racoon/racoonctl.c
|
|
===================================================================
|
|
--- ipsec-tools-cvs-HEAD.orig/src/racoon/racoonctl.c 2011-03-05 09:23:59.000000000 +0200
|
|
+++ ipsec-tools-cvs-HEAD/src/racoon/racoonctl.c 2011-03-29 22:08:43.000000000 +0300
|
|
@@ -232,7 +232,7 @@
|
|
"\n"
|
|
" <saopts>: \"isakmp\" <family> <src> <dst>\n"
|
|
" : {\"esp\",\"ah\"} <family> <src/prefixlen/port> <dst/prefixlen/port>\n"
|
|
-" <ul_proto>\n"
|
|
+" <ul_proto> [grekey <grekey>]\n"
|
|
" <family>: \"inet\" or \"inet6\"\n"
|
|
" <ul_proto>: \"icmp\", \"tcp\", \"udp\", \"gre\" or \"any\"\n"
|
|
"\n",
|
|
@@ -819,7 +819,7 @@
|
|
{
|
|
int family;
|
|
|
|
- if (ac != 3 && ac != 4) {
|
|
+ if (ac < 3) {
|
|
errno = EINVAL;
|
|
return NULL;
|
|
}
|
|
@@ -861,10 +861,8 @@
|
|
struct sockaddr *src = NULL, *dst = NULL;
|
|
int ulproto;
|
|
|
|
- if (ac != 2 && ac != 3) {
|
|
- errno = EINVAL;
|
|
- return NULL;
|
|
- }
|
|
+ if (ac < 2)
|
|
+ goto bad_args;
|
|
|
|
if (get_comindex(*av, &p_name, &p_port, &p_prefs) == -1)
|
|
goto bad;
|
|
@@ -901,13 +899,34 @@
|
|
|
|
av++;
|
|
ac--;
|
|
- if(ac){
|
|
+ if (ac) {
|
|
ulproto = get_ulproto(*av);
|
|
if (ulproto == -1)
|
|
goto bad;
|
|
- }else
|
|
+ av++;
|
|
+ ac--;
|
|
+ } else
|
|
ulproto=0;
|
|
|
|
+ if (ac == 2 && strcmp(av[0], "grekey") == 0) {
|
|
+ int a, b, c, d;
|
|
+ unsigned long u;
|
|
+
|
|
+ if (sscanf(av[1], "%d.%d.%d.%d", &a, &b, &c, &d) == 4) {
|
|
+ set_port(src, (a << 8) + b);
|
|
+ set_port(dst, (c << 8) + d);
|
|
+ } else if (sscanf(av[1], "%lu", &u) == 1) {
|
|
+ set_port(src, u >> 16);
|
|
+ set_port(dst, u & 0xffff);
|
|
+ } else
|
|
+ goto bad_args;
|
|
+ av += 2;
|
|
+ ac -= 2;
|
|
+ }
|
|
+
|
|
+ if (ac != 0)
|
|
+ goto bad_args;
|
|
+
|
|
ci = (struct admin_com_indexes *)buf->v;
|
|
if(p_prefs)
|
|
ci->prefs = (u_int8_t)atoi(p_prefs); /* XXX should be handled error. */
|
|
@@ -926,7 +945,9 @@
|
|
|
|
return buf;
|
|
|
|
- bad:
|
|
+bad_args:
|
|
+ errno = EINVAL;
|
|
+bad:
|
|
if (p_name)
|
|
racoon_free(p_name);
|
|
if (p_port)
|
|
Index: ipsec-tools-cvs-HEAD/src/racoon/admin.c
|
|
===================================================================
|
|
--- ipsec-tools-cvs-HEAD.orig/src/racoon/admin.c 2011-03-05 09:23:59.000000000 +0200
|
|
+++ ipsec-tools-cvs-HEAD/src/racoon/admin.c 2011-03-30 09:41:46.000000000 +0300
|
|
@@ -444,7 +444,7 @@
|
|
|
|
/* search appropreate configuration */
|
|
if (name == NULL)
|
|
- rmconf = getrmconf(dst, 0);
|
|
+ rmconf = getrmconf(dst, 0, 0);
|
|
else
|
|
rmconf = getrmconf_by_name(name);
|
|
if (rmconf == NULL) {
|
|
@@ -536,6 +536,7 @@
|
|
spidx.prefs = ndx->prefd;
|
|
spidx.prefd = ndx->prefs;
|
|
spidx.ul_proto = ndx->ul_proto;
|
|
+ spidx_normalize_ulports(&spidx);
|
|
|
|
sp_in = getsp_r(&spidx);
|
|
if (sp_in) {
|
|
Index: ipsec-tools-cvs-HEAD/src/racoon/cftoken.l
|
|
===================================================================
|
|
--- ipsec-tools-cvs-HEAD.orig/src/racoon/cftoken.l 2011-03-05 09:23:59.000000000 +0200
|
|
+++ ipsec-tools-cvs-HEAD/src/racoon/cftoken.l 2011-03-29 22:08:43.000000000 +0300
|
|
@@ -288,6 +288,7 @@
|
|
<S_SAINF>any { YYD; return(ANY); }
|
|
<S_SAINF>from { YYD; return(FROM); }
|
|
<S_SAINF>group { YYD; return(GROUP); }
|
|
+<S_SAINF>grekey { YYD; return(GREKEY); }
|
|
/* sainfo spec */
|
|
<S_SAINF>{bcl} { BEGIN S_SAINFS; return(BOC); }
|
|
<S_SAINF>{semi} { BEGIN S_INI; return(EOS); }
|
|
Index: ipsec-tools-cvs-HEAD/src/racoon/cfparse.y
|
|
===================================================================
|
|
--- ipsec-tools-cvs-HEAD.orig/src/racoon/cfparse.y 2011-03-14 19:12:41.000000000 +0200
|
|
+++ ipsec-tools-cvs-HEAD/src/racoon/cfparse.y 2011-03-29 22:08:43.000000000 +0300
|
|
@@ -214,7 +214,7 @@
|
|
/* algorithm */
|
|
%token ALGORITHM_CLASS ALGORITHMTYPE STRENGTHTYPE
|
|
/* sainfo */
|
|
-%token SAINFO FROM
|
|
+%token SAINFO FROM GREKEY
|
|
/* remote */
|
|
%token REMOTE ANONYMOUS CLIENTADDR INHERIT REMOTE_ADDRESS
|
|
%token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE
|
|
@@ -1302,6 +1302,35 @@
|
|
cur_sainfo->idsrc = $1;
|
|
cur_sainfo->iddst = $2;
|
|
}
|
|
+ | sainfo_id sainfo_id GREKEY ADDRSTRING
|
|
+ {
|
|
+ int a, b, c, d;
|
|
+
|
|
+ if (sscanf($4->v, "%d.%d.%d.%d", &a, &b, &c, &d) == 4) {
|
|
+ a = ipsecdoi_fixup_id_uldata(
|
|
+ $1, $2, IPPROTO_GRE,
|
|
+ (a << 8) + b, (c << 8) + d);
|
|
+ } else {
|
|
+ yyerror("grekey format unrecognized.");
|
|
+ return -1;
|
|
+ }
|
|
+ if (a != 0) {
|
|
+ yyerror("ul_proto needs to be 'gre' to use grekey.");
|
|
+ return -1;
|
|
+ }
|
|
+ cur_sainfo->idsrc = $1;
|
|
+ cur_sainfo->iddst = $2;
|
|
+ }
|
|
+ | sainfo_id sainfo_id GREKEY NUMBER
|
|
+ {
|
|
+ if (ipsecdoi_fixup_id_uldata($1, $2, IPPROTO_GRE,
|
|
+ ($4) >> 16, ($4) & 0xffff) != 0) {
|
|
+ yyerror("ul_proto needs to be 'gre' to use grekey.");
|
|
+ return -1;
|
|
+ }
|
|
+ cur_sainfo->idsrc = $1;
|
|
+ cur_sainfo->iddst = $2;
|
|
+ }
|
|
;
|
|
sainfo_id
|
|
: IDENTIFIERTYPE ADDRSTRING prefix port ul_proto
|
|
@@ -1668,7 +1697,7 @@
|
|
{
|
|
struct remoteconf *from, *new;
|
|
|
|
- from = getrmconf($4, GETRMCONF_F_NO_ANONYMOUS);
|
|
+ from = getrmconf($4, GETRMCONF_F_NO_ANONYMOUS, 0);
|
|
if (from == NULL) {
|
|
yyerror("failed to get remoteconf for %s.",
|
|
saddr2str($4));
|
|
Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.h
|
|
===================================================================
|
|
--- ipsec-tools-cvs-HEAD.orig/src/racoon/ipsec_doi.h 2011-03-05 09:23:59.000000000 +0200
|
|
+++ ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.h 2011-03-30 09:22:13.000000000 +0300
|
|
@@ -227,6 +227,10 @@
|
|
extern int set_identifier_qual __P((vchar_t **, int, vchar_t *, int));
|
|
extern int ipsecdoi_setid2 __P((struct ph2handle *));
|
|
extern vchar_t *ipsecdoi_sockaddr2id __P((struct sockaddr *, u_int, u_int));
|
|
+extern int ipsecdoi_fixup_id_uldata __P((vchar_t *, vchar_t *, u_int16_t, u_int16_t, u_int16_t));
|
|
+extern int ipsecdoi_normalize_id_uldata __P((vchar_t *, vchar_t *));
|
|
+extern int ipsecdoi_id_has_port __P((vchar_t *));
|
|
+
|
|
extern int ipsecdoi_id2sockaddr __P((vchar_t *, struct sockaddr *,
|
|
u_int8_t *, u_int16_t *));
|
|
extern char *ipsecdoi_id2str __P((const vchar_t *));
|
|
Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
|
|
===================================================================
|
|
--- ipsec-tools-cvs-HEAD.orig/src/racoon/ipsec_doi.c 2011-03-05 09:23:59.000000000 +0200
|
|
+++ ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c 2011-03-30 16:59:49.000000000 +0300
|
|
@@ -3308,6 +3308,7 @@
|
|
const vchar_t *subnet;
|
|
const vchar_t *address;
|
|
{
|
|
+ struct in_addr *a, *b;
|
|
struct in_addr *mask;
|
|
|
|
if (address->l != sizeof(struct in_addr))
|
|
@@ -3316,12 +3317,15 @@
|
|
if (subnet->l != (sizeof(struct in_addr)*2))
|
|
return 1;
|
|
|
|
+ a = (struct in_addr*)(subnet->v);
|
|
+ b = (struct in_addr*)(address->v);
|
|
mask = (struct in_addr*)(subnet->v + sizeof(struct in_addr));
|
|
|
|
- if (mask->s_addr!=0xffffffff)
|
|
- return 1;
|
|
+ //if (mask->s_addr!=0xffffffff)
|
|
+ // return 1;
|
|
+ //return memcmp(subnet->v,address->v,address->l);
|
|
|
|
- return memcmp(subnet->v,address->v,address->l);
|
|
+ return (a->s_addr & mask->s_addr) != (b->s_addr & mask->s_addr);
|
|
}
|
|
|
|
#ifdef INET6
|
|
@@ -3371,6 +3375,7 @@
|
|
vchar_t ident_t;
|
|
vchar_t ident_s;
|
|
int result;
|
|
+ int check_ports = 0;
|
|
|
|
/* handle wildcard IDs */
|
|
|
|
@@ -3410,12 +3415,14 @@
|
|
|
|
if ((id_bs->type == IPSECDOI_ID_IPV4_ADDR)&&
|
|
(id_bt->type == IPSECDOI_ID_IPV4_ADDR_SUBNET)) {
|
|
+ check_ports = 1;
|
|
result = ipsecdoi_subnetisaddr_v4(&ident_t,&ident_s);
|
|
goto cmpid_result;
|
|
}
|
|
|
|
if ((id_bs->type == IPSECDOI_ID_IPV4_ADDR_SUBNET)&&
|
|
(id_bt->type == IPSECDOI_ID_IPV4_ADDR)) {
|
|
+ check_ports = 1;
|
|
result = ipsecdoi_subnetisaddr_v4(&ident_s,&ident_t);
|
|
goto cmpid_result;
|
|
}
|
|
@@ -3423,12 +3430,14 @@
|
|
#ifdef INET6
|
|
if ((id_bs->type == IPSECDOI_ID_IPV6_ADDR)&&
|
|
(id_bt->type == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
|
|
+ check_ports = 1;
|
|
result = ipsecdoi_subnetisaddr_v6(&ident_t,&ident_s);
|
|
goto cmpid_result;
|
|
}
|
|
|
|
if ((id_bs->type == IPSECDOI_ID_IPV6_ADDR_SUBNET)&&
|
|
(id_bt->type == IPSECDOI_ID_IPV6_ADDR)) {
|
|
+ check_ports = 1;
|
|
result = ipsecdoi_subnetisaddr_v6(&ident_s,&ident_t);
|
|
goto cmpid_result;
|
|
}
|
|
@@ -3460,6 +3469,7 @@
|
|
|
|
case IPSECDOI_ID_IPV4_ADDR:
|
|
/* validate lengths */
|
|
+ check_ports = 1;
|
|
if ((ident_t.l != sizeof(struct in_addr))||
|
|
(ident_s.l != sizeof(struct in_addr)))
|
|
goto cmpid_invalid;
|
|
@@ -3468,6 +3478,7 @@
|
|
case IPSECDOI_ID_IPV4_ADDR_SUBNET:
|
|
case IPSECDOI_ID_IPV4_ADDR_RANGE:
|
|
/* validate lengths */
|
|
+ check_ports = 1;
|
|
if ((ident_t.l != (sizeof(struct in_addr)*2))||
|
|
(ident_s.l != (sizeof(struct in_addr)*2)))
|
|
goto cmpid_invalid;
|
|
@@ -3476,6 +3487,7 @@
|
|
#ifdef INET6
|
|
case IPSECDOI_ID_IPV6_ADDR:
|
|
/* validate lengths */
|
|
+ check_ports = 1;
|
|
if ((ident_t.l != sizeof(struct in6_addr))||
|
|
(ident_s.l != sizeof(struct in6_addr)))
|
|
goto cmpid_invalid;
|
|
@@ -3484,6 +3496,7 @@
|
|
case IPSECDOI_ID_IPV6_ADDR_SUBNET:
|
|
case IPSECDOI_ID_IPV6_ADDR_RANGE:
|
|
/* validate lengths */
|
|
+ check_ports = 1;
|
|
if ((ident_t.l != (sizeof(struct in6_addr)*2))||
|
|
(ident_s.l != (sizeof(struct in6_addr)*2)))
|
|
goto cmpid_invalid;
|
|
@@ -3502,12 +3515,18 @@
|
|
}
|
|
|
|
/* validate matching data and length */
|
|
- if (ident_t.l == ident_s.l)
|
|
- result = memcmp(ident_t.v,ident_s.v,ident_t.l);
|
|
- else
|
|
+ if (ident_t.l != ident_s.l)
|
|
result = 1;
|
|
+ else
|
|
+ result = memcmp(ident_t.v,ident_s.v,ident_t.l);
|
|
|
|
cmpid_result:
|
|
+ if (check_ports &&
|
|
+ (id_bt->port != id_bs->port && id_bs->port != 0)) {
|
|
+ /* if target is wildcard, source should be too, otherwise
|
|
+ * specific rule matches wildcard request */
|
|
+ result = 1;
|
|
+ }
|
|
|
|
/* debug level output */
|
|
if(loglevel >= LLV_DEBUG) {
|
|
@@ -4089,6 +4108,67 @@
|
|
return new;
|
|
}
|
|
|
|
+int ipsecdoi_fixup_id_uldata(srcid, dstid, ul_proto, ul_data1, ul_data2)
|
|
+ vchar_t *srcid, *dstid;
|
|
+ u_int16_t ul_proto;
|
|
+ u_int16_t ul_data1, ul_data2;
|
|
+{
|
|
+ struct ipsecdoi_id_b *src = (struct ipsecdoi_id_b *) srcid->v;
|
|
+ struct ipsecdoi_id_b *dst = (struct ipsecdoi_id_b *) dstid->v;
|
|
+
|
|
+ if (src->proto_id != ul_proto ||
|
|
+ dst->proto_id != ul_proto)
|
|
+ return -1;
|
|
+
|
|
+ src->port = htons(ul_data1);
|
|
+ dst->port = htons(ul_data2);
|
|
+
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+int ipsecdoi_normalize_id_uldata(srcid, dstid)
|
|
+ vchar_t *srcid, *dstid;
|
|
+{
|
|
+ struct ipsecdoi_id_b *src = (struct ipsecdoi_id_b *) srcid->v;
|
|
+ struct ipsecdoi_id_b *dst = (struct ipsecdoi_id_b *) dstid->v;
|
|
+ u_int16_t tmp;
|
|
+
|
|
+ if (src->proto_id != dst->proto_id)
|
|
+ return -1;
|
|
+
|
|
+ switch (src->proto_id) {
|
|
+ case IPPROTO_ICMP:
|
|
+ case IPPROTO_ICMPV6:
|
|
+ case IPPROTO_GRE:
|
|
+ tmp = src->port;
|
|
+ src->port = dst->port;
|
|
+ dst->port = tmp;
|
|
+ break;
|
|
+ }
|
|
+
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+int ipsecdoi_id_has_port(id)
|
|
+ vchar_t *id;
|
|
+{
|
|
+ struct ipsecdoi_id_b *id_b = (struct ipsecdoi_id_b *) id->v;
|
|
+
|
|
+ switch (id_b->type) {
|
|
+ case IPSECDOI_ID_IPV4_ADDR:
|
|
+ case IPSECDOI_ID_IPV4_ADDR_SUBNET:
|
|
+ case IPSECDOI_ID_IPV4_ADDR_RANGE:
|
|
+ case IPSECDOI_ID_IPV6_ADDR:
|
|
+ case IPSECDOI_ID_IPV6_ADDR_SUBNET:
|
|
+ case IPSECDOI_ID_IPV6_ADDR_RANGE:
|
|
+ if (ntohs(id_b->port) != 0)
|
|
+ return 1;
|
|
+ break;
|
|
+ }
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+
|
|
vchar_t *
|
|
ipsecdoi_sockrange2id(laddr, haddr, ul_proto)
|
|
struct sockaddr *laddr, *haddr;
|
|
@@ -4318,7 +4398,7 @@
|
|
saddr.sa.sa_len = sizeof(struct sockaddr_in);
|
|
#endif
|
|
saddr.sa.sa_family = AF_INET;
|
|
- saddr.sin.sin_port = IPSEC_PORT_ANY;
|
|
+ saddr.sin.sin_port = id_b->port;
|
|
memcpy(&saddr.sin.sin_addr,
|
|
id->v + sizeof(*id_b), sizeof(struct in_addr));
|
|
break;
|
|
@@ -4331,7 +4411,7 @@
|
|
saddr.sa.sa_len = sizeof(struct sockaddr_in6);
|
|
#endif
|
|
saddr.sa.sa_family = AF_INET6;
|
|
- saddr.sin6.sin6_port = IPSEC_PORT_ANY;
|
|
+ saddr.sin6.sin6_port = id_b->port;
|
|
memcpy(&saddr.sin6.sin6_addr,
|
|
id->v + sizeof(*id_b), sizeof(struct in6_addr));
|
|
saddr.sin6.sin6_scope_id =
|
|
@@ -4347,7 +4427,7 @@
|
|
#ifdef INET6
|
|
case IPSECDOI_ID_IPV6_ADDR:
|
|
#endif
|
|
- len = snprintf( buf, BUFLEN, "%s", saddrwop2str(&saddr.sa));
|
|
+ len = snprintf( buf, BUFLEN, "%s", saddr2str(&saddr.sa));
|
|
break;
|
|
|
|
case IPSECDOI_ID_IPV4_ADDR_SUBNET:
|
|
@@ -4403,7 +4483,9 @@
|
|
plen += l;
|
|
}
|
|
|
|
- len = snprintf( buf, BUFLEN, "%s/%i", saddrwop2str(&saddr.sa), plen);
|
|
+ len = snprintf(buf, BUFLEN, "%s/%i[%d]",
|
|
+ saddrwop2str(&saddr.sa), plen,
|
|
+ ntohs(id_b->port));
|
|
}
|
|
break;
|
|
|
|
@@ -4415,12 +4497,12 @@
|
|
saddr.sa.sa_len = sizeof(struct sockaddr_in);
|
|
#endif
|
|
saddr.sa.sa_family = AF_INET;
|
|
- saddr.sin.sin_port = IPSEC_PORT_ANY;
|
|
+ saddr.sin.sin_port = id_b->port;
|
|
memcpy(&saddr.sin.sin_addr,
|
|
id->v + sizeof(*id_b) + sizeof(struct in_addr),
|
|
sizeof(struct in_addr));
|
|
|
|
- len += snprintf(buf + len, BUFLEN - len, "%s", saddrwop2str(&saddr.sa));
|
|
+ len += snprintf(buf + len, BUFLEN - len, "%s", saddr2str(&saddr.sa));
|
|
break;
|
|
|
|
#ifdef INET6
|
|
@@ -4431,7 +4513,7 @@
|
|
saddr.sa.sa_len = sizeof(struct sockaddr_in6);
|
|
#endif
|
|
saddr.sa.sa_family = AF_INET6;
|
|
- saddr.sin6.sin6_port = IPSEC_PORT_ANY;
|
|
+ saddr.sin6.sin6_port = id_b->port;
|
|
memcpy(&saddr.sin6.sin6_addr,
|
|
id->v + sizeof(*id_b) + sizeof(struct in6_addr),
|
|
sizeof(struct in6_addr));
|
|
@@ -4440,7 +4522,7 @@
|
|
? ((struct sockaddr_in6 *)id_b)->sin6_scope_id
|
|
: 0);
|
|
|
|
- len += snprintf(buf + len, BUFLEN - len, "%s", saddrwop2str(&saddr.sa));
|
|
+ len += snprintf(buf + len, BUFLEN - len, "%s", saddr2str(&saddr.sa));
|
|
break;
|
|
#endif
|
|
|
|
Index: ipsec-tools-cvs-HEAD/src/racoon/sainfo.c
|
|
===================================================================
|
|
--- ipsec-tools-cvs-HEAD.orig/src/racoon/sainfo.c 2011-03-05 09:23:59.000000000 +0200
|
|
+++ ipsec-tools-cvs-HEAD/src/racoon/sainfo.c 2011-03-29 22:08:44.000000000 +0300
|
|
@@ -124,7 +124,7 @@
|
|
plog(LLV_DEBUG, LOCATION, NULL,
|
|
"evaluating sainfo: %s\n", sainfostr);
|
|
|
|
- if(s->remoteid != remoteid) {
|
|
+ if (remoteid != -1 && s->remoteid != remoteid) {
|
|
plog(LLV_DEBUG, LOCATION, NULL,
|
|
"remoteid mismatch: %u != %u\n",
|
|
s->remoteid, remoteid);
|
|
@@ -234,16 +234,22 @@
|
|
int pri = 0;
|
|
|
|
if(s->remoteid)
|
|
- pri += 3;
|
|
+ pri += 7;
|
|
|
|
if(s->id_i)
|
|
- pri += 3;
|
|
+ pri += 7;
|
|
|
|
- if(s->idsrc)
|
|
+ if(s->idsrc) {
|
|
pri++;
|
|
+ if (ipsecdoi_id_has_port(s->idsrc))
|
|
+ pri += 2;
|
|
+ }
|
|
|
|
- if(s->iddst)
|
|
+ if(s->iddst) {
|
|
pri++;
|
|
+ if (ipsecdoi_id_has_port(s->iddst))
|
|
+ pri += 2;
|
|
+ }
|
|
|
|
return pri;
|
|
}
|
|
Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp.c
|
|
===================================================================
|
|
--- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp.c 2011-03-14 19:18:12.000000000 +0200
|
|
+++ ipsec-tools-cvs-HEAD/src/racoon/isakmp.c 2011-03-30 09:41:46.000000000 +0300
|
|
@@ -2173,7 +2173,15 @@
|
|
* so no need to bother yet. --arno */
|
|
|
|
if (iph1hint == NULL || iph1hint->rmconf == NULL) {
|
|
- rmconf = getrmconf(iph2->dst, nopassive ? GETRMCONF_F_NO_PASSIVE : 0);
|
|
+ int flags = 0;
|
|
+ uint32_t remoteid;
|
|
+ if (nopassive)
|
|
+ flags |= GETRMCONF_F_NO_PASSIVE;
|
|
+ if (iph2->sainfo != NULL) {
|
|
+ flags |= GETRMCONF_F_HAS_REMOTEID;
|
|
+ remoteid = iph2->sainfo->remoteid;
|
|
+ }
|
|
+ rmconf = getrmconf(iph2->dst, flags, remoteid);
|
|
if (rmconf == NULL) {
|
|
plog(LLV_ERROR, LOCATION, NULL,
|
|
"no configuration found for %s.\n",
|
|
@@ -2249,7 +2257,7 @@
|
|
struct secpolicy *sp_out, *sp_in;
|
|
{
|
|
struct remoteconf *conf;
|
|
- uint32_t remoteid = 0;
|
|
+ uint32_t remoteid = -1;
|
|
|
|
plog(LLV_DEBUG, LOCATION, NULL,
|
|
"new acquire %s\n", spidx2str(&sp_out->spidx));
|
|
@@ -2276,7 +2284,7 @@
|
|
return -1;
|
|
}
|
|
|
|
- conf = getrmconf(iph2->dst, 0);
|
|
+ conf = getrmconf(iph2->dst, 0, 0);
|
|
if (conf != NULL)
|
|
remoteid = conf->ph1id;
|
|
else
|
|
@@ -3582,6 +3590,8 @@
|
|
|
|
#undef _XIDT
|
|
|
|
+ spidx_normalize_ulports(&spidx);
|
|
+
|
|
plog(LLV_DEBUG, LOCATION, NULL,
|
|
"get a src address from ID payload "
|
|
"%s prefixlen=%u ul_proto=%u\n",
|
|
@@ -3654,6 +3664,7 @@
|
|
pref = spidx.prefs;
|
|
spidx.prefs = spidx.prefd;
|
|
spidx.prefd = pref;
|
|
+ spidx_normalize_ulports(&spidx);
|
|
|
|
if (pk_sendspddelete(iph2) < 0) {
|
|
plog(LLV_ERROR, LOCATION, NULL,
|
|
Index: ipsec-tools-cvs-HEAD/src/racoon/remoteconf.c
|
|
===================================================================
|
|
--- ipsec-tools-cvs-HEAD.orig/src/racoon/remoteconf.c 2011-03-14 19:12:41.000000000 +0200
|
|
+++ ipsec-tools-cvs-HEAD/src/racoon/remoteconf.c 2011-03-29 22:08:44.000000000 +0300
|
|
@@ -217,6 +217,13 @@
|
|
return MATCH_NONE;
|
|
}
|
|
|
|
+ if ((rmsel->flags & GETRMCONF_F_HAS_REMOTEID) &&
|
|
+ rmsel->remoteid != rmconf->ph1id){
|
|
+ plog(LLV_DEBUG2, LOCATION, rmsel->remote,
|
|
+ "Not matched: remote_id did not match.\n");
|
|
+ return MATCH_NONE;
|
|
+ }
|
|
+
|
|
ret |= MATCH_BASIC;
|
|
|
|
/* Check address */
|
|
@@ -387,9 +394,10 @@
|
|
*/
|
|
|
|
struct remoteconf *
|
|
-getrmconf(remote, flags)
|
|
+getrmconf(remote, flags, remoteid)
|
|
struct sockaddr *remote;
|
|
int flags;
|
|
+ uint32_t remoteid;
|
|
{
|
|
struct rmconf_find_context ctx;
|
|
int n = 0;
|
|
@@ -397,6 +405,7 @@
|
|
memset(&ctx, 0, sizeof(ctx));
|
|
ctx.sel.flags = flags;
|
|
ctx.sel.remote = remote;
|
|
+ ctx.sel.remoteid = remoteid;
|
|
|
|
if (enumrmconf(&ctx.sel, rmconf_find, &ctx) != 0) {
|
|
plog(LLV_ERROR, LOCATION, remote,
|
|
Index: ipsec-tools-cvs-HEAD/src/racoon/remoteconf.h
|
|
===================================================================
|
|
--- ipsec-tools-cvs-HEAD.orig/src/racoon/remoteconf.h 2011-03-14 19:12:41.000000000 +0200
|
|
+++ ipsec-tools-cvs-HEAD/src/racoon/remoteconf.h 2011-03-29 22:08:44.000000000 +0300
|
|
@@ -178,6 +178,7 @@
|
|
int flags;
|
|
struct sockaddr *remote;
|
|
int etype;
|
|
+ uint32_t remoteid;
|
|
struct isakmpsa *approval;
|
|
vchar_t *identity;
|
|
vchar_t *certificate_request;
|
|
@@ -191,12 +192,13 @@
|
|
|
|
#define GETRMCONF_F_NO_ANONYMOUS 0x0001
|
|
#define GETRMCONF_F_NO_PASSIVE 0x0002
|
|
+#define GETRMCONF_F_HAS_REMOTEID 0x0004
|
|
|
|
#define RMCONF_ERR_MULTIPLE ((struct remoteconf *) -1)
|
|
|
|
extern int rmconf_match_identity __P((struct remoteconf *rmconf,
|
|
vchar_t *id_p));
|
|
-extern struct remoteconf *getrmconf __P((struct sockaddr *remote, int flags));
|
|
+extern struct remoteconf *getrmconf __P((struct sockaddr *remote, int flags, uint32_t remoteid));
|
|
extern struct remoteconf *getrmconf_by_ph1 __P((struct ph1handle *iph1));
|
|
extern struct remoteconf *getrmconf_by_name __P((const char *name));
|
|
|
|
Index: ipsec-tools-cvs-HEAD/src/racoon/pfkey.c
|
|
===================================================================
|
|
--- ipsec-tools-cvs-HEAD.orig/src/racoon/pfkey.c 2011-03-14 19:18:13.000000000 +0200
|
|
+++ ipsec-tools-cvs-HEAD/src/racoon/pfkey.c 2011-03-30 08:21:09.000000000 +0300
|
|
@@ -1886,6 +1886,7 @@
|
|
spidx.prefs = sp_out->spidx.prefd;
|
|
spidx.prefd = sp_out->spidx.prefs;
|
|
spidx.ul_proto = sp_out->spidx.ul_proto;
|
|
+ spidx_normalize_ulports(&spidx);
|
|
|
|
#ifdef HAVE_SECCTX
|
|
if (m_sec_ctx) {
|
|
@@ -2898,7 +2899,7 @@
|
|
|
|
/* If we are not acting as initiator, let's just leave and
|
|
* let the remote peer handle the restart */
|
|
- rmconf = getrmconf(ma->remote, 0);
|
|
+ rmconf = getrmconf(ma->remote, 0, 0);
|
|
if (rmconf == NULL || !rmconf->passive) {
|
|
iph1->status = PHASE1ST_EXPIRED;
|
|
sched_schedule(&iph1->sce, 1, isakmp_ph1delete_stub);
|
|
@@ -3068,8 +3069,10 @@
|
|
|
|
if (iph2->ph1 && iph2->ph1->rmconf)
|
|
rmconf = iph2->ph1->rmconf;
|
|
+ else if (iph2->sainfo != NULL)
|
|
+ rmconf = getrmconf(iph2->dst, GETRMCONF_F_HAS_REMOTEID, iph2->sainfo->remoteid);
|
|
else
|
|
- rmconf = getrmconf(iph2->dst, 0);
|
|
+ rmconf = getrmconf(iph2->dst, 0, 0);
|
|
|
|
if (rmconf && !rmconf->passive) {
|
|
struct ph1handle *iph1hint;
|
|
Index: ipsec-tools-cvs-HEAD/src/setkey/setkey.8
|
|
===================================================================
|
|
--- ipsec-tools-cvs-HEAD.orig/src/setkey/setkey.8 2011-03-05 09:23:59.000000000 +0200
|
|
+++ ipsec-tools-cvs-HEAD/src/setkey/setkey.8 2011-03-29 22:08:44.000000000 +0300
|
|
@@ -453,7 +453,7 @@
|
|
.Pp
|
|
A second example of requiring transport mode encryption of specific
|
|
GRE tunnel:
|
|
-.Dl spdadd 0.0.0.0 0.0.0.0 gre 1234 ipsec esp/transport//require ;
|
|
+.Dl spdadd 0.0.0.0 0.0.0.0 gre 1234 -P in ipsec esp/transport//require ;
|
|
.Pp
|
|
.Em Note :
|
|
.Ar upperspec
|
|
Index: ipsec-tools-cvs-HEAD/src/racoon/racoon.conf.5
|
|
===================================================================
|
|
--- ipsec-tools-cvs-HEAD.orig/src/racoon/racoon.conf.5 2011-03-05 09:23:59.000000000 +0200
|
|
+++ ipsec-tools-cvs-HEAD/src/racoon/racoon.conf.5 2011-03-29 22:08:44.000000000 +0300
|
|
@@ -981,6 +981,7 @@
|
|
.Bl -tag -width Ds -compact
|
|
.It Ic sainfo Po Ar local_id | Ic anonymous Pc \
|
|
Po Ar remote_id | Ic clientaddr | Ic anonymous Pc \
|
|
+Bo Ic grekey Ar key Bc \
|
|
Bo Ic from Ar idtype Bo Ar string Bc Bc Bo Ic group Ar string Bc \
|
|
Ic { Ar statements Ic }
|
|
Defines the parameters of the IKE phase 2 (IPsec-SA establishment).
|
|
@@ -1026,6 +1027,15 @@
|
|
to restrict policy generation when racoon is acting as a client gateway
|
|
for peers with dynamic ip addresses.
|
|
.Pp
|
|
+If both
|
|
+.Ar local_id
|
|
+and
|
|
+.Ar remote_id
|
|
+are specified with GRE as upper layer protocol, the upper layer GRE
|
|
+key match can be specified with
|
|
+.Ic grekey
|
|
+.Ar key .
|
|
+.Pp
|
|
The
|
|
.Ic from
|
|
keyword allows an sainfo to only match for peers that use a specific phase1
|
|
Index: ipsec-tools-cvs-HEAD/src/setkey/parse.y
|
|
===================================================================
|
|
--- ipsec-tools-cvs-HEAD.orig/src/setkey/parse.y 2011-03-05 09:23:59.000000000 +0200
|
|
+++ ipsec-tools-cvs-HEAD/src/setkey/parse.y 2011-03-29 22:08:44.000000000 +0300
|
|
@@ -856,6 +856,17 @@
|
|
}
|
|
$$.len = strlen($$.buf);
|
|
}
|
|
+ | DECSTRING
|
|
+ {
|
|
+ char tmp[16];
|
|
+ sprintf(tmp, "%lu", $1);
|
|
+ $$.buf = strdup(tmp);
|
|
+ if (!$$.buf) {
|
|
+ yyerror("insufficient memory");
|
|
+ return -1;
|
|
+ }
|
|
+ $$.len = strlen(tmp);
|
|
+ }
|
|
;
|
|
|
|
context_spec
|
|
Index: ipsec-tools-cvs-HEAD/src/racoon/racoonctl.8
|
|
===================================================================
|
|
--- ipsec-tools-cvs-HEAD.orig/src/racoon/racoonctl.8 2011-03-05 09:23:59.000000000 +0200
|
|
+++ ipsec-tools-cvs-HEAD/src/racoon/racoonctl.8 2011-03-29 22:08:44.000000000 +0300
|
|
@@ -158,8 +158,8 @@
|
|
has the following format:
|
|
.Bl -tag -width Bl
|
|
.It isakmp {inet|inet6} Ar src Ar dst
|
|
-.It {esp|ah} {inet|inet6} Ar src/prefixlen/port Ar dst/prefixlen/port
|
|
-{icmp|tcp|udp|gre|any}
|
|
+.It {esp|ah} {inet|inet6} Ar src/prefixlen/port Ar dst/prefixlen/port \
|
|
+ {icmp|tcp|udp|gre|any} Oo grekey Ar key Oc
|
|
.El
|
|
.It vpn-connect Oo Fl u Ar username Oc Ar vpn_gateway
|
|
This is a particular case of the previous command.
|
|
Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp_quick.c
|
|
===================================================================
|
|
--- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp_quick.c 2011-03-29 22:18:12.000000000 +0300
|
|
+++ ipsec-tools-cvs-HEAD/src/racoon/isakmp_quick.c 2011-03-30 09:23:13.000000000 +0300
|
|
@@ -2168,6 +2168,8 @@
|
|
goto end;
|
|
}
|
|
|
|
+ ipsecdoi_normalize_id_uldata(idsrc, iddst);
|
|
+
|
|
#ifdef ENABLE_HYBRID
|
|
|
|
/* clientaddr check : obtain modecfg address */
|
|
@@ -2494,6 +2496,7 @@
|
|
pref = spidx.prefs;
|
|
spidx.prefs = spidx.prefd;
|
|
spidx.prefd = pref;
|
|
+ spidx_normalize_ulports(&spidx);
|
|
|
|
sp_out = getsp_r(&spidx);
|
|
if (!sp_out) {
|
|
Index: ipsec-tools-cvs-HEAD/src/racoon/policy.c
|
|
===================================================================
|
|
--- ipsec-tools-cvs-HEAD.orig/src/racoon/policy.c 2011-03-30 08:03:15.000000000 +0300
|
|
+++ ipsec-tools-cvs-HEAD/src/racoon/policy.c 2011-03-30 08:05:23.000000000 +0300
|
|
@@ -444,6 +444,25 @@
|
|
return new;
|
|
}
|
|
|
|
+void
|
|
+spidx_normalize_ulports(spidx)
|
|
+ struct policyindex *spidx;
|
|
+{
|
|
+ u_int16_t tmp;
|
|
+
|
|
+ switch (spidx->ul_proto) {
|
|
+ case IPPROTO_ICMP:
|
|
+ case IPPROTO_ICMPV6:
|
|
+ case IPPROTO_GRE:
|
|
+ /* Ports are UL specific data, and should not get swapped */
|
|
+ tmp = extract_port((struct sockaddr *) &spidx->src);
|
|
+ set_port((struct sockaddr *) &spidx->src,
|
|
+ extract_port((struct sockaddr *) &spidx->dst));
|
|
+ set_port((struct sockaddr *) &spidx->dst, tmp);
|
|
+ break;
|
|
+ }
|
|
+}
|
|
+
|
|
const char *
|
|
spidx2str(spidx)
|
|
const struct policyindex *spidx;
|
|
Index: ipsec-tools-cvs-HEAD/src/racoon/policy.h
|
|
===================================================================
|
|
--- ipsec-tools-cvs-HEAD.orig/src/racoon/policy.h 2011-03-30 08:15:44.000000000 +0300
|
|
+++ ipsec-tools-cvs-HEAD/src/racoon/policy.h 2011-03-30 08:16:21.000000000 +0300
|
|
@@ -156,6 +156,7 @@
|
|
extern void flushsp __P((void));
|
|
extern void initsp __P((void));
|
|
extern struct ipsecrequest *newipsecreq __P((void));
|
|
+extern void spidx_normalize_ulports __P((struct policyindex *));
|
|
|
|
extern const char *spidx2str __P((const struct policyindex *));
|
|
#ifdef HAVE_SECCTX
|