Index: head/security/ipsec-tools/Makefile
===================================================================
--- head/security/ipsec-tools/Makefile (revision 476824)
+++ head/security/ipsec-tools/Makefile (revision 476825)
@@ -1,104 +1,104 @@ # Created by: vanhu # $FreeBSD$ # TODO: - libipsec issue ? # - cleanup... # - SYSCONFDIR # - $LOCALBASE/sbin/setkey Vs /usr/sbin/setkey PORTNAME= ipsec-tools PORTVERSION= 0.8.2 -PORTREVISION= 4 +PORTREVISION= 5 CATEGORIES= security MASTER_SITES= SF -MAINTAINER= vanhu@FreeBSD.org +MAINTAINER= ports@FreeBSD.org COMMENT= KAME racoon IKE daemon, ipsec-tools version LICENSE= BSD3CLAUSE CONFLICTS= racoon-[0-9]* USE_RC_SUBR= racoon INSTALL_TARGET= install-strip USES= libtool tar:bzip2 ssl GNU_CONFIGURE= yes USE_LDCONFIG= yes CONFIGURE_ARGS= --enable-shared --sysconfdir=${PREFIX}/etc/racoon \ --localstatedir=${STATEDIR:S/\/racoon//} \ --with-pkgversion=freebsd-${PORTVERSION} STATEDIR= /var/db/racoon SUB_LIST+= STATEDIR=${STATEDIR} PLIST_SUB+= STATEDIR=${STATEDIR} OPTIONS_DEFINE= DEBUG IPV6 ADMINPORT STATS DPD NATT NATTF FRAG HYBRID PAM \ RADIUS LDAP GSSAPI SAUNSPEC RC5 IDEA DOCS EXAMPLES WCPSKEY OPTIONS_DEFAULT= DEBUG DPD NATT FRAG HYBRID ADMINPORT_DESC= Enable Admin port STATS_DESC= Statistics logging function DPD_DESC= Dead Peer Detection NATT_DESC= NAT-Traversal (kernel-patch required before 11.0-STABLE) NATTF_DESC= require NAT-Traversal (fail without kernel-patch) FRAG_DESC= IKE fragmentation payload support HYBRID_DESC= Hybrid, Xauth and Mode-cfg support SAUNSPEC_DESC= Unspecified SA mode RC5_DESC= RC5 encryption (patented) IDEA_DESC= IDEA encryption (patented) PAM_DESC= PAM authentication (Xauth server) RADIUS_DESC= Radius authentication (Xauth server) LDAP_DESC= LDAP authentication (Xauth server) WCPSKEY_DESC= Allow wildcard matching for pre-shared keys PORTDOCS= * PORTEXAMPLES= * DEBUG_CONFIGURE_ENABLE= debug IPV6_CONFIGURE_ENABLE= ipv6 ADMINPORT_CONFIGURE_ENABLE=adminport STATS_CONFIGURE_ENABLE= stats DPD_CONFIGURE_ENABLE= dpd NATTF_VARS= NATT=yes NATTF_VARS_OFF= NATT=kernel NATT_CONFIGURE_ON= --enable-natt=${NATT} --enable-natt-versions=rfc NATT_CONFIGURE_OFF= --disable-natt FRAG_CONFIGURE_ENABLE= frag HYBRID_CONFIGURE_ENABLE=hybrid 
PAM_CONFIGURE_WITH= libpam GSSAPI_USES= iconv GSSAPI_CFLAGS= -I${LOCALBASE}/include GSSAPI_LDFLAGS= -L${LOCALBASE}/lib GSSAPI_CONFIGURE_ENABLE=gssapi RADIUS_CONFIGURE_WITH= libradius LDAP_USE= OPENLDAP=yes LDAP_CONFIGURE_ON= --with-libldap=${LOCALBASE} LDAP_CONFIGURE_OFF= --without-libldap SAUNSPEC_CONFIGURE_ENABLE= samode-unspec RC5_CONFIGURE_ENABLE= rc5 IDEA_CONFIGURE_ENABLE= idea WCPSKEY_EXTRA_PATCHES= ${FILESDIR}/wildcard-psk.diff NATT_EXTRA_PATCHES= ${FILESDIR}/natt.diff post-patch: @${REINPLACE_CMD} -e "s/-Werror//g ; s/-R$$libdir/-Wl,-rpath=$$libdir/g" ${WRKSRC}/configure post-install: @${MKDIR} ${STAGEDIR}/${PREFIX}/etc/racoon @if [ -z `/sbin/sysctl -a | ${GREP} -q ipsec && ${ECHO_CMD} ipsec` ]; then \ ${ECHO_MSG} "WARNING: IPsec feature is disabled on this host"; \ ${ECHO_MSG} " You must build the kernel if you want to run racoon on the host"; \ fi ; post-install-EXAMPLES-on: @${MKDIR} ${STAGEDIR}/${EXAMPLESDIR} @${RM} ${WRKSRC}/src/racoon/samples/*.in @${CP} -r ${WRKSRC}/src/racoon/samples/* ${STAGEDIR}/${EXAMPLESDIR} post-install-DOCS-on: @${MKDIR} ${STAGEDIR}/${DOCSDIR} ${INSTALL_DATA} ${WRKSRC}/src/racoon/doc/* ${STAGEDIR}/${DOCSDIR} .include Index: head/security/ipsec-tools/files/patch-reqid.diff =================================================================== --- head/security/ipsec-tools/files/patch-reqid.diff (nonexistent) +++ head/security/ipsec-tools/files/patch-reqid.diff (revision 476825) 
@@ -0,0 +1,176 @@
+--- src/racoon/cfparse.y 22 Aug 2006 18:17:17 -0000 1.66
++++ src/racoon/cfparse.y 13 May 2018 01:53:57 -0000
+@@ -284,7 +284,7 @@ static int process_rmconf()
+ /* algorithm */
+ %token ALGORITHM_CLASS ALGORITHMTYPE STRENGTHTYPE
+ /* sainfo */
+-%token SAINFO FROM
++%token SAINFO FROM REQID
+ /* remote */
+ %token REMOTE ANONYMOUS CLIENTADDR INHERIT REMOTE_ADDRESS
+ %token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE
+@@ -1571,6 +1571,11 @@ sainfo_spec
+ | REMOTEID NUMBER
+ {
+ cur_sainfo->remoteid = $2;
++ }
++ EOS
++ | REQID NUMBER
++ {
++ cur_sainfo->reqid = $2;
+ }
+ EOS
+ | LIFETIME LIFETYPE_TIME NUMBER unittype_time
+--- src/racoon/cftoken.l 22 Aug 2006 18:17:17 -0000 1.53
++++ src/racoon/cftoken.l 13 May 2018 01:53:57 -0000
+@@ -290,6 +290,7 @@
+ identifier { YYD; yywarn("it is obsoleted. use \"my_identifier\"."); return(IDENTIFIER); }
+ my_identifier { YYD; return(MY_IDENTIFIER); }
+ lifetime { YYD; return(LIFETIME); }
++reqid { YYD; return(REQID); }
+ time { YYD; return(LIFETYPE_TIME); }
+ byte { YYD; return(LIFETYPE_BYTE); }
+ encryption_algorithm { YYD; yylval.num = algclass_ipsec_enc; return(ALGORITHM_CLASS); }
+--- src/racoon/proposal.c 27 Apr 2006 03:41:54 -0000 1.19
++++ src/racoon/proposal.c 13 May 2018 01:53:58 -0000
+@@ -1253,8 +1253,8 @@ set_proposal_from_proposal(iph2)
+ if(g_nextreqid >= IPSEC_MANUAL_REQID_MAX)
+ g_nextreqid = 1;
+ }else{
+- newpr->reqid_in = 0;
+- newpr->reqid_out = 0;
++ newpr->reqid_in = iph2->sainfo->reqid;
++ newpr->reqid_out = iph2->sainfo->reqid;
+ }
+ 
+ if (set_satrnsbysainfo(newpr, iph2->sainfo) < 0)
+--- src/racoon/sainfo.c 11 Aug 2006 16:07:05 -0000 1.9
++++ src/racoon/sainfo.c 13 May 2018 01:53:58 -0000
+@@ -383,8 +383,8 @@ sainfo2str(si)
+ else
+ id_i = ipsecdoi_id2str(si->id_i);
+ 
+- snprintf(buf, 255, "loc=\'%s\', rmt=\'%s\', peer=\'%s\', id=%u",
+- idloc, idrmt, id_i, si->remoteid);
++ snprintf(buf, 255, "loc=\'%s\', rmt=\'%s\', peer=\'%s\', id=%u, reqid=%u",
++ idloc, idrmt, id_i, si->remoteid, si->reqid);
+ 
+ racoon_free(idloc);
+ racoon_free(idrmt);
+--- src/racoon/sainfo.h 9 Jul 2006 17:19:38 -0000 1.5
++++ src/racoon/sainfo.h 13 May 2018 01:53:58 -0000
+@@ -51,6 +51,7 @@
+ time_t lifetime;
+ int lifebyte;
+ int pfs_group; /* only use when pfs is required. */
++ uint32_t reqid;
+ vchar_t *id_i; /* identifier of the authorized initiator */
+ struct sainfoalg *algs[MAXALGCLASS];
+ 
+--- src/racoon/policy.h 2018-05-13 07:42:14.828102000 +0300
++++ src/racoon/policy.h 2018-05-13 07:41:44.807564000 +0300
+@@ -66,6 +66,7 @@ struct policyindex {
+ u_int16_t ul_proto; /* upper layer Protocol */
+ u_int32_t priority; /* priority for the policy */
+ u_int64_t created; /* Used for generated SPD entries deletion */
++ u_int32_t reqid; /* Reqid used for if_ipsec(4) */
+ #ifdef HAVE_SECCTX
+ struct security_ctx sec_ctx; /* Security Context */
+ #endif
+--- src/racoon/isakmp_quick.c 2018-05-13 08:07:07.378039000 +0300
++++ src/racoon/isakmp_quick.c 2018-05-13 08:11:12.268612000 +0300
+@@ -2473,6 +2473,7 @@ get_proposal_r(iph2)
+ #endif /* HAVE_SECCTX */
+ 
+ /* get inbound policy */
++ spidx.reqid = iph2->sainfo->reqid;
+ sp_in = getsp_r(&spidx);
+ if (sp_in == NULL) {
+ if (iph2->ph1->rmconf->gen_policy) {
+@@ -2521,6 +2522,7 @@ get_proposal_r(iph2)
+ spidx.prefs = spidx.prefd;
+ spidx.prefd = pref;
+ 
++ spidx.reqid = iph2->sainfo->reqid;
+ sp_out = getsp_r(&spidx);
+ if (!sp_out) {
+ plog(LLV_WARNING, LOCATION, NULL,
+--- src/racoon/pfkey.c 2018-05-13 08:12:05.730604000 +0300
++++ src/racoon/pfkey.c 2018-05-13 08:48:02.708803000 +0300
+@@ -1888,6 +1888,10 @@ pk_recvacquire(mhp)
+ spidx.prefs = sp_out->spidx.prefd;
+ spidx.prefd = sp_out->spidx.prefs;
+ spidx.ul_proto = sp_out->spidx.ul_proto;
++#ifdef IPSEC_POLICYSCOPE_IFNET
++ /* XXX: reuse reqid from outbound policy */
++ spidx.reqid = sp_out->spidx.reqid;
++#endif
+ 
+ #ifdef HAVE_SECCTX
+ if (m_sec_ctx) {
+@@ -2787,6 +2791,25 @@ pk_recvspddump(mhp)
+ }
+ #endif /* HAVE_SECCTX */
+ 
++#ifdef IPSEC_POLICYSCOPE_IFNET
++ if (xpl->sadb_x_policy_scope == IPSEC_POLICYSCOPE_IFNET) {
++ struct sadb_x_ipsecrequest *xisr;
++ 
++ if (PFKEY_EXTLEN(xpl) < sizeof(*xpl)) {
++ plog(LLV_ERROR, LOCATION, NULL,
++ "invalid xpl msg length.\n");
++ return (-1);
++ }
++ xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
++ if (xisr->sadb_x_ipsecrequest_len < sizeof(*xisr)) {
++ plog(LLV_ERROR, LOCATION, NULL,
++ "invalid xisr msg length.\n");
++ return (-1);
++ }
++ spidx.reqid = xisr->sadb_x_ipsecrequest_reqid;
++ }
++#endif /* IPSEC_POLICYSCOPE_IFNET */
++ 
+ sp = getsp(&spidx);
+ if (sp != NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+@@ -3909,6 +3932,15 @@ addnewsp(mhp, local, remote)
+ created,
+ &new->spidx);
+ #endif
++ 
++#ifdef IPSEC_POLICYSCOPE_IFNET
++ if (xpl->sadb_x_policy_scope == IPSEC_POLICYSCOPE_IFNET) {
++ struct sadb_x_ipsecrequest *xisr;
++ 
++ xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
++ new->spidx.reqid = xisr->sadb_x_ipsecrequest_reqid;
++ }
++#endif /* IPSEC_POLICYSCOPE_IFNET */
+ 
+ #ifdef HAVE_SECCTX
+ if (mhp[SADB_X_EXT_SEC_CTX] != NULL) {
+--- src/racoon/policy.c 2018-05-13 07:17:32.815475000 +0300
++++ src/racoon/policy.c 2018-05-13 07:44:40.838093000 +0300
+@@ -197,7 +197,8 @@ cmpspidxstrict(a, b)
+ if (a->dir != b->dir
+ || a->prefs != b->prefs
+ || a->prefd != b->prefd
+- || a->ul_proto != b->ul_proto)
++ || a->ul_proto != b->ul_proto
++ || a->reqid != b->reqid)
+ return 1;
+ 
+ if (cmpsaddr((struct sockaddr *) &a->src,
+@@ -482,8 +483,9 @@ spidx2str(spidx)
+ p += i;
+ blen -= i;
+ 
+- i = snprintf(p, blen, "proto=%s dir=%s",
+- s_proto(spidx->ul_proto), s_direction(spidx->dir));
++ i = snprintf(p, blen, "proto=%s dir=%s reqid=%u",
++ s_proto(spidx->ul_proto), s_direction(spidx->dir),
++ spidx->reqid);
+ 
+ #ifdef HAVE_SECCTX
+ if (spidx->sec_ctx.ctx_strlen) {
Property changes on: head/security/ipsec-tools/files/patch-reqid.diff
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
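Review bot: In the `addnewsp()` hunk of the new patch (`@@ -3909,6 +3932,15 @@`), `xisr` is cast from `(xpl + 1)` and `xisr->sadb_x_ipsecrequest_reqid` is read with none of the length validation that the `pk_recvspddump()` hunk performs on the very same policy extension, so a short extension reaches the field read unchecked only on that path. The check in `pk_recvspddump()` is itself one step short: `PFKEY_EXTLEN(xpl) < sizeof(*xpl)` only proves the policy header is present, yet `xisr->sadb_x_ipsecrequest_len` is then read from the bytes after that header before anything proves those bytes exist; `if (PFKEY_EXTLEN(xpl) < sizeof(*xpl) + sizeof(*xisr)) {` would cover both reads, and the same guard belongs in `addnewsp()` (or in one helper both callers use). These messages arrive from the kernel over the PF_KEY socket, so the practical exposure is presumably limited, but two readers of one extension should at least agree on what they validate. Minor: `sainfo.h` declares the new field as `uint32_t reqid;` while `policy.h` uses `u_int32_t reqid;`; matching the neighbouring fields in each header would be tidier. `pk_recvspddump()`, `addnewsp()` and the other patched functions all begin and end outside their hunks.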