+*
+*
--- /dev/null Tue Mar 11 13:02:56 2003
-+++ linux/crypto/ciphers/aes/test_main.c Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,41 @@
-+#include <stdio.h>
-+#include <string.h>
-+#include <sys/types.h>
-+#include "aes_cbc.h"
-+#define AES_BLOCK_SIZE 16
-+#define KEY_SIZE 128 /* bits */
-+#define KEY "1234567890123456"
-+#define STR "hola guaso como estaisss ... 012"
-+#define STRSZ (sizeof(STR)-1)
-+
-+#define EMT_AESCBC_BLKLEN AES_BLOCK_SIZE
-+#define AES_CONTEXT_T aes_context
-+#define EMT_ESPAES_KEY_SZ 16
-+int pretty_print(const unsigned char *buf, int count) {
-+ int i=0;
-+ for (;i<count;i++) {
-+ if (i%8==0) putchar(' ');
-+ if (i%16==0) putchar('\n');
-+ printf ("%02hhx ", buf[i]);
-+ }
-+ putchar('\n');
-+ return i;
-+}
-+//#define SIZE STRSZ/2
-+#define SIZE STRSZ
-+int main() {
-+ int ret;
-+ char buf0[SIZE+1], buf1[SIZE+1];
-+ char IV[AES_BLOCK_SIZE]="\0\0\0\0\0\0\0\0" "\0\0\0\0\0\0\0\0";
-+ aes_context ac;
-+ AES_set_key(&ac, KEY, KEY_SIZE);
-+ //pretty_print((char *)&ac.aes_e_key, sizeof(ac.aes_e_key));
-+ memset(buf0, 0, sizeof (buf0));
-+ memset(buf1, 0, sizeof (buf1));
-+ ret=AES_cbc_encrypt(&ac, STR, buf0, SIZE, IV, 1);
-+ pretty_print(buf0, SIZE);
-+ printf("size=%d ret=%d\n%s\n", SIZE, ret, buf0);
-+ ret=AES_cbc_encrypt(&ac, buf0, buf1, SIZE, IV, 0);
-+ printf("size=%d ret=%d\n%s\n", SIZE, ret, buf1);
-+ return 0;
-+}
---- /dev/null Tue Mar 11 13:02:56 2003
-+++ linux/crypto/ciphers/aes/test_main_mac.c Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,30 @@
-+#include <stdio.h>
-+#include <sys/types.h>
-+#include <string.h>
-+#include "aes.h"
-+#include "aes_xcbc_mac.h"
-+#define STR "Hola guasssso c|mo estais ...012"
-+void print_hash(const __u8 *hash) {
-+ printf("%08x %08x %08x %08x\n",
-+ *(__u32*)(&hash[0]),
-+ *(__u32*)(&hash[4]),
-+ *(__u32*)(&hash[8]),
-+ *(__u32*)(&hash[12]));
-+}
-+int main(int argc, char *argv[]) {
-+ aes_block key= { 0xdeadbeef, 0xceedcaca, 0xcafebabe, 0xff010204 };
-+ __u8 hash[16];
-+ char *str = argv[1];
-+ aes_context_mac ctx;
-+ if (str==NULL) {
-+ fprintf(stderr, "pasame el str\n");
-+ return 255;
-+ }
-+ AES_xcbc_mac_set_key(&ctx, (__u8 *)&key, sizeof(key));
-+ AES_xcbc_mac_hash(&ctx, str, strlen(str), hash);
-+ print_hash(hash);
-+ str[2]='x';
-+ AES_xcbc_mac_hash(&ctx, str, strlen(str), hash);
-+ print_hash(hash);
-+ return 0;
-+}
---- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/include/crypto/aes.h Mon Feb 9 13:51:03 2004
@@ -0,0 +1,97 @@
+// I retain copyright in this code but I encourage its free use provided
+#endif /* _CBC_GENERIC_H */
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/include/crypto/des.h Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,298 @@
+@@ -0,0 +1,286 @@
+/* crypto/des/des.org */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+int des_enc_write(int fd,char *buf,int len,des_key_schedule sched,
+ des_cblock *iv);
+char *des_fcrypt(const char *buf,const char *salt, char *ret);
-+#ifdef PERL5
-+char *des_crypt(const char *buf,const char *salt);
-+#else
-+/* some stupid compilers complain because I have declared char instead
-+ * of const char */
-+#ifndef __KERNEL__
-+#ifdef HEADER_DES_LOCL_H
-+char *crypt(const char *buf,const char *salt);
-+#else /* HEADER_DES_LOCL_H */
-+char *crypt(void);
-+#endif /* HEADER_DES_LOCL_H */
-+#endif /* __KERNEL__ */
-+#endif /* PERL5 */
++
+void des_ofb_encrypt(unsigned char *in,unsigned char *out,
+ int numbits,long length,des_key_schedule schedule,des_cblock *ivec);
+void des_pcbc_encrypt(des_cblock *input,des_cblock *output,long length,
+
+#endif
--- /dev/null Tue Mar 11 13:02:56 2003
++++ linux/include/crypto/ocf_assist.h Mon Feb 9 13:51:03 2004
+@@ -0,0 +1,63 @@
++#ifndef _OCF_ASSIST_H
++#define _OCF_ASSIST_H 1
++/****************************************************************************/
++/* The various hw_assist functions return these bits */
++
++#define OCF_PROVIDES_AES 0x0001
++#define OCF_PROVIDES_DES_3DES 0x0002
++
++/****************************************************************************/
++#if !defined(OCF_ASSIST)
++/****************************************************************************/
++/*
++ * stub it all out just in case
++ */
++
++#define ocf_aes_assist() (0)
++#define ocf_aes_set_key(a1,a2,a3,a4)
++#define ocf_aes_cbc_encrypt(a1,a2,a3,a4,a5,a6)
++
++#define ocf_des_assist() (0)
++#define ocf_des_set_key(a, b)
++#define ocf_des_cbc_encrypt(a1,a2,a3,a4,a5,a6)
++#define ocf_des_encrypt(a1,a2,a3)
++#define ocf_des_ede3_cbc_encrypt(a1,a2,a3,a4,a5,a6,a7,a8)
++#define ocf_des_ncbc_encrypt(a1,a2,a3,a4,a5,a6)
++#define ocf_des_ecb_encrypt(a1,a2,a3,a4)
++
++/****************************************************************************/
++#else
++/****************************************************************************/
++
++#include <sys/types.h>
++#include "aes.h"
++#include "des.h"
++
++extern int ocf_aes_assist(void);
++extern void ocf_aes_set_key(aes_context *cx, const unsigned char in_key[],
++ int n_bytes, const int f);
++extern int ocf_aes_cbc_encrypt(aes_context *ctx, u8 *input,
++ u8 *output,
++ long length,
++ u8 *ivec, int enc);
++
++extern int ocf_des_assist(void);
++extern int ocf_des_set_key(des_cblock *key, des_key_schedule schedule);
++extern void ocf_des_cbc_encrypt(des_cblock *input, des_cblock *output,
++ long length, des_key_schedule schedule,
++ des_cblock *ivec, int enc);
++extern void ocf_des_encrypt(DES_LONG *data, des_key_schedule ks, int enc);
++extern void ocf_des_ede3_cbc_encrypt(des_cblock *input, des_cblock *output,
++ long length, des_key_schedule ks1,
++ des_key_schedule ks2, des_key_schedule ks3,
++ des_cblock *ivec, int enc);
++extern void ocf_des_ncbc_encrypt(des_cblock *input, des_cblock *output,
++ long length, des_key_schedule schedule,
++ des_cblock *ivec, int enc);
++extern void ocf_des_ecb_encrypt(des_cblock *input, des_cblock *output,
++ des_key_schedule ks, int enc);
++
++/****************************************************************************/
++#endif /* !defined(OCF_ASSIST) */
++/****************************************************************************/
++#endif /* _OCF_ASSIST_H */
+--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/include/des/des_locl.h Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,515 @@
+@@ -0,0 +1,506 @@
+/* crypto/des/des_locl.org */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+#undef NOPROTO
+#endif
+
-+#ifdef RAND
-+#define srandom(s) srand(s)
-+#define random rand
-+#endif
-+
+#define ITERATIONS 16
+#define HALF_ITERATIONS 8
+
+ } \
+ }
+
-+#if defined(WIN32)
-+#define ROTATE(a,n) (_lrotr(a,n))
-+#else
+#define ROTATE(a,n) (((a)>>(n))+((a)<<(32-(n))))
-+#endif
+
+/* Don't worry about the LOAD_DATA() stuff, that is used by
+ * fcrypt() to add it's little bit to the front */
+
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/include/openswan.h Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,518 @@
+@@ -0,0 +1,559 @@
+#ifndef _OPENSWAN_H
+/*
+ * header file for FreeS/WAN library functions
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
+ * License for more details.
+ *
-+ * RCSID $Id: openswan.h,v 1.93 2005/04/14 20:21:51 mcr Exp $
++ * RCSID $Id: openswan.h,v 1.95 2005/08/25 01:24:40 paul Exp $
+ */
+#define _OPENSWAN_H /* seen it, no need to see it again */
+
+ * where we get them depends on whether we're in userland or not.
+ */
+/* things that need to come from one place or the other, depending */
-+#ifdef __KERNEL__
++#if defined(linux)
++#if defined(__KERNEL__)
+#include <linux/types.h>
+#include <linux/socket.h>
+#include <linux/in.h>
++#include <linux/in6.h>
+#include <linux/string.h>
+#include <linux/ctype.h>
+#define user_assert(foo) /*nothing*/
+# define uint64_t u_int64_t
+
+
-+# define DEBUG_NO_STATIC static
+
-+#endif
++#endif /* __KERNEL__ */
+
++#define DEBUG_NO_STATIC static
++#include <openswan/ipsec_kversion.h>
+#include <openswan/ipsec_param.h>
++#endif /* linux */
+
++/*
++ * Yes Virginia, we have started a windows port.
++ */
++#if defined(__CYGWIN32__)
++#if !defined(WIN32_KERNEL)
++/* get windows equivalents */
++#include <stdio.h>
++#include <string.h>
++#include <win32/types.h>
++#include <netinet/in.h>
++#include <cygwin/socket.h>
++#include <assert.h>
++#define user_assert(foo) assert(foo)
++#endif /* _KERNEL */
++#endif /* WIN32 */
+
+/*
-+ * Grab the kernel version to see if we have NET_21, and therefore
-+ * IPv6. Some of this is repeated from ipsec_kversions.h. Of course,
-+ * we aren't really testing if the kernel has IPv6, but rather if the
-+ * the include files do.
++ * Kovacs? A macosx port?
+ */
-+#include <linux/version.h>
-+#ifndef KERNEL_VERSION
-+#define KERNEL_VERSION(x,y,z) (((x)<<16)+((y)<<8)+(z))
++#if defined(macintosh) || (defined(__MACH__) && defined(__APPLE__))
++#include <TargetConditionals.h>
++#include <AvailabilityMacros.h>
++#include <machine/types.h>
++#include <machine/endian.h>
++#include <stdint.h>
++#include <stddef.h>
++#include <stdio.h>
++#include <time.h>
++#include <sys/time.h>
++#include <string.h>
++#include <netinet/in.h>
++#include <arpa/inet.h>
++#include <tcpd.h>
++#include <assert.h>
++#define user_assert(foo) assert(foo)
++#define __u32 unsigned int
++#define __u8 unsigned char
++#define s6_addr16 __u6_addr.__u6_addr16
++#define DEBUG_NO_STATIC static
+#endif
+
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,1,0)
-+#define NET_21
++/*
++ * FreeBSD
++ */
++#if defined(__FreeBSD__)
++# define DEBUG_NO_STATIC static
++#include <sys/types.h>
++#include <netinet/in.h>
++#include <sys/socket.h>
++#include <arpa/inet.h>
++#include <string.h>
++#include <assert.h>
++#define user_assert(foo) assert(foo)
++/* apparently this way to deal with an IPv6 address is not standard. */
++#define s6_addr16 __u6_addr.__u6_addr16
+#endif
+
++
+#ifndef IPPROTO_COMP
+# define IPPROTO_COMP 108
+#endif /* !IPPROTO_COMP */
+# define IPPROTO_INT 61
+#endif /* !IPPROTO_INT */
+
-+#ifdef CONFIG_KLIPS_DEBUG
-+#ifndef DEBUG_NO_STATIC
-+# define DEBUG_NO_STATIC
-+#endif
-+#else /* CONFIG_KLIPS_DEBUG */
-+#ifndef DEBUG_NO_STATIC
-+# define DEBUG_NO_STATIC static
-+#endif
-+#endif /* CONFIG_KLIPS_DEBUG */
-+
+#if !defined(ESPINUDP_WITH_NON_IKE)
+#define ESPINUDP_WITH_NON_IKE 1 /* draft-ietf-ipsec-nat-t-ike-00/01 */
+#define ESPINUDP_WITH_NON_ESP 2 /* draft-ietf-ipsec-nat-t-ike-02 */
+ */
+
+/* first, some quick fakes in case we're on an old system with no IPv6 */
-+#ifndef s6_addr16
++#if !defined(s6_addr16) && defined(__CYGWIN32__)
+struct in6_addr {
+ union
+ {
-+ __u8 u6_addr8[16];
-+ __u16 u6_addr16[8];
-+ __u32 u6_addr32[4];
++ u_int8_t u6_addr8[16];
++ u_int16_t u6_addr16[8];
++ u_int32_t u6_addr32[4];
+ } in6_u;
+#define s6_addr in6_u.u6_addr8
+#define s6_addr16 in6_u.u6_addr16
+ */
+typedef uint32_t IPsecSAref_t;
+
-+#define IPSEC_SA_REF_FIELD_WIDTH (8 * sizeof(IPsecSAref_t))
++/* Translation to/from nfmark.
++ *
++ * use bits 16-31. Leave bit 32 as a indicate that IPsec processing
++ * has already been done.
++ */
++#define IPSEC_SA_REF_TABLE_IDX_WIDTH 15
++#define IPSEC_SA_REF_TABLE_OFFSET 16
++#define IPSEC_SA_REF_MAASK ((1<<IPSEC_SA_REF_TABLE_IDX_WIDTH)-1)
+
-+#define IPsecSAref2NFmark(x) ((x) << (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_TABLE_IDX_WIDTH))
-+#define NFmark2IPsecSAref(x) ((x) >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_TABLE_IDX_WIDTH))
++#define IPsecSAref2NFmark(x) (((x)&IPSEC_SA_REF_MASK) << IPSEC_SA_REF_TABLE_OFFSET)
++#define NFmark2IPsecSAref(x) (((x) >> IPSEC_SA_REF_TABLE_OFFSET)&IPSEC_SA_REF_MASK)
+
-+#define IPSEC_SAREF_NULL (~((IPsecSAref_t)0))
++#define IPSEC_SAREF_NULL ((IPsecSAref_t)0)
++#define IPSEC_SAREF_NA ((IPsecSAref_t)0xffff0001)
+
+/* GCC magic for use in function definitions! */
+#ifdef GCC_LINT
+#endif
+
+
++/*
++ * function to log stuff from libraries that may be used in multiple
++ * places.
++ */
++typedef int (*openswan_keying_debug_func_t)(const char *message, ...);
+
+
+
+err_t ttoul(const char *src, size_t srclen, int format, unsigned long *dst);
+size_t ultot(unsigned long src, int format, char *buf, size_t buflen);
+#define ULTOT_BUF (22+1) /* holds 64 bits in octal */
++
++/* looks up names in DNS */
+err_t ttoaddr(const char *src, size_t srclen, int af, ip_address *dst);
++
++/* does not look up names in DNS */
++err_t ttoaddr_num(const char *src, size_t srclen, int af, ip_address *dst);
++
+err_t tnatoaddr(const char *src, size_t srclen, int af, ip_address *dst);
+size_t addrtot(const ip_address *src, int format, char *buf, size_t buflen);
+/* RFC 1886 old IPv6 reverse-lookup format is the bulkiest */
+#define TTODATAV_IGNORESPACE (1<<1) /* ignore spaces in base64 encodings*/
+#define TTODATAV_SPACECOUNTS 0 /* do not ignore spaces in base64 */
+
-+size_t datatot(const char *src, size_t srclen, int format, char *buf,
-+ size_t buflen);
++size_t datatot(const unsigned char *src, size_t srclen, int format
++ , char *buf, size_t buflen);
+size_t keyblobtoid(const unsigned char *src, size_t srclen, char *dst,
+ size_t dstlen);
+size_t splitkeytoid(const unsigned char *e, size_t elen, const unsigned char *m,
+int samesaid(const ip_said *a, const ip_said *b);
+int sameaddrtype(const ip_address *a, const ip_address *b);
+int samesubnettype(const ip_subnet *a, const ip_subnet *b);
++int isvalidsubnet(const ip_subnet *a);
+int isanyaddr(const ip_address *src);
+int isunspecaddr(const ip_address *src);
+int isloopbackaddr(const ip_address *src);
+);
+size_t /* 0 failure, else true size */
+bytestoa(
-+ const char *src,
++ const unsigned char *src,
+ size_t srclen,
+ int format, /* character; 0 means default */
+ char *dst,
+);
+size_t /* 0 failure, else true size */
+datatoa(
-+ const char *src,
++ const unsigned char *src,
+ size_t srclen,
+ int format, /* character; 0 means default */
+ char *dst,
+
+
+/*
-+ * general utilities
-+ */
-+
-+#ifndef __KERNEL__
-+/* option pickup from files (userland only because of use of FILE) */
-+const char *optionsfrom(const char *filename, int *argcp, char ***argvp,
-+ int optind, FILE *errorreport);
-+
-+/* sanitize a string */
-+extern size_t sanitize_string(char *buf, size_t size);
-+
-+#endif
-+
-+
-+/*
+ * ENUM of klips debugging values. Not currently used in klips.
+ * debug flag is actually 32 -bits, but only one bit is ever used,
+ * so we can actually pack it all into a single 32-bit word.
+#endif /* _IPCOMP_H */
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_ah.h Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,200 @@
+@@ -0,0 +1,202 @@
+/*
+ * Authentication Header declarations
+ * Copyright (C) 1996, 1997 John Ioannidis.
+
+#ifdef __KERNEL__
+
++#ifndef CONFIG_XFRM_ALTERNATE_STACK
+extern struct inet_protocol ah_protocol;
++#endif /* CONFIG_XFRM_ALTERNATE_STACK */
+
+struct options;
+
+#include <linux/types.h>
+#include <linux/list.h>
+#include <asm/atomic.h>
-+#include <pfkey.h>
++#include <openswan/pfkey.h>
+
+/*
+ * The following structs are used via pointers in ipsec_alg object to
+ */
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_esp.h Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,157 @@
+@@ -0,0 +1,159 @@
+/*
+ * Copyright (C) 1996, 1997 John Ioannidis.
+ * Copyright (C) 1998, 1999, 2000, 2001 Richard Guy Briggs.
+ des_key_schedule ks;
+};
+
++#ifndef CONFIG_XFRM_ALTERNATE_STACK
+extern struct inet_protocol esp_protocol;
++#endif /* CONFIG_XFRM_ALTERNATE_STACK */
+
+struct options;
+
+ */
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_ipcomp.h Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,94 @@
+@@ -0,0 +1,97 @@
+/*
+ * IP compression header declations
+ *
+ __u16 ipcomp_cpi; /* Compression Parameter Index */
+};
+
++#ifndef CONFIG_XFRM_ALTERNATE_STACK
+extern struct inet_protocol comp_protocol;
++#endif /* CONFIG_XFRM_ALTERNATE_STACK */
++
+extern int sysctl_ipsec_debug_ipcomp;
+
+#define IPCOMP_UNCOMPRESSABLE 0x000000001
+ */
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_kern24.h Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,61 @@
+@@ -0,0 +1,152 @@
+/*
+ * @(#) routines to makes kernel 2.4 compatible with 2.6 usage.
+ *
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
-+ * RCSID $Id: ipsec_kern24.h,v 1.4 2005/05/20 03:19:18 mcr Exp $
++ * RCSID $Id: ipsec_kern24.h,v 1.5 2005/08/05 08:48:38 mcr Exp $
+ */
+
+#ifndef _IPSEC_KERN24_H
+
-+#ifndef NET_26
-+#define sk_receive_queue receive_queue
-+#define sk_destruct destruct
-+#define sk_reuse reuse
-+#define sk_zapped zapped
-+#define sk_family family
-+#define sk_protocol protocol
-+#define sk_protinfo protinfo
-+#define sk_sleep sleep
-+#define sk_state_change state_change
-+#define sk_shutdown shutdown
-+#define sk_err err
-+#define sk_stamp stamp
-+#define sk_socket socket
-+#define sk_sndbuf sndbuf
-+#define sock_flag(sk, flag) sk->dead
-+#define sk_for_each(sk, node, plist) for(sk=*plist; sk!=NULL; sk = sk->next)
-+#endif
-+
-+/* deal with 2.4 vs 2.6 issues with module counts */
-+
-+/* in 2.6, all refcounts are maintained *outside* of the
-+ * module to deal with race conditions.
-+ */
-+
-+#ifdef NET_26
-+#define KLIPS_INC_USE /* nothing */
-+#define KLIPS_DEC_USE /* nothing */
-+
-+#else
-+#define KLIPS_INC_USE MOD_INC_USE_COUNT
-+#define KLIPS_DEC_USE MOD_DEC_USE_COUNT
-+#endif
-+
-+extern int printk_ratelimit(void);
-+
-+
-+#define _IPSEC_KERN24_H 1
-+
-+#endif /* _IPSEC_KERN24_H */
-+
---- /dev/null Tue Mar 11 13:02:56 2003
-+++ linux/include/openswan/ipsec_kversion.h Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,352 @@
-+#ifndef _OPENSWAN_KVERSIONS_H
-+/*
-+ * header file for FreeS/WAN library functions
-+ * Copyright (C) 1998, 1999, 2000 Henry Spencer.
-+ * Copyright (C) 1999, 2000, 2001 Richard Guy Briggs
-+ *
-+ * This library is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU Library General Public License as published by
-+ * the Free Software Foundation; either version 2 of the License, or (at your
-+ * option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
-+ *
-+ * This library is distributed in the hope that it will be useful, but
-+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
-+ * License for more details.
-+ *
-+ * RCSID $Id: ipsec_kversion.h,v 1.15.2.11 2007/02/20 03:53:16 paul Exp $
-+ */
-+#define _OPENSWAN_KVERSIONS_H /* seen it, no need to see it again */
-+
-+/*
-+ * this file contains a series of atomic defines that depend upon
-+ * kernel version numbers. The kernel versions are arranged
-+ * in version-order number (which is often not chronological)
-+ * and each clause enables or disables a feature.
-+ */
-+
-+/*
-+ * First, assorted kernel-version-dependent trickery.
-+ */
-+#include <linux/version.h>
-+#ifndef KERNEL_VERSION
-+#define KERNEL_VERSION(x,y,z) (((x)<<16)+((y)<<8)+(z))
-+#endif
-+
-+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,1,0)
-+#define HEADER_CACHE_BIND_21
-+#error "KLIPS is no longer supported on Linux 2.0. Sorry"
-+#endif
-+
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,1,0)
-+#define SPINLOCK
-+#define PROC_FS_21
-+#define NETLINK_SOCK
-+#define NET_21
-+#endif
-+
-+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,1,19)
-+#define net_device_stats enet_statistics
-+#endif
-+
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,0)
-+#define SPINLOCK_23
-+#define NETDEV_23
-+# ifndef CONFIG_IP_ALIAS
-+# define CONFIG_IP_ALIAS
-+# endif
-+#include <linux/socket.h>
-+#include <linux/skbuff.h>
-+#include <linux/netlink.h>
-+# ifdef NETLINK_XFRM
-+# define NETDEV_25
-+# endif
-+#endif
-+
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,25)
-+#define PROC_FS_2325
-+#undef PROC_FS_21
-+#endif
-+
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,30)
-+#define PROC_NO_DUMMY
-+#endif
-+
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,35)
-+#define SKB_COPY_EXPAND
-+#endif
-+
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,37)
-+#define IP_SELECT_IDENT
-+#endif
-+
-+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,50)) && defined(CONFIG_NETFILTER)
-+#define SKB_RESET_NFCT
-+#endif
-+
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,2)
-+#define IP_SELECT_IDENT_NEW
-+#endif
-+
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,4)
-+#define IPH_is_SKB_PULLED
-+#define SKB_COW_NEW
-+#define PROTO_HANDLER_SINGLE_PARM
-+#define IP_FRAGMENT_LINEARIZE 1
-+#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,4) */
-+# ifdef REDHAT_BOGOSITY
-+# define IP_SELECT_IDENT_NEW
-+# define IPH_is_SKB_PULLED
-+# define SKB_COW_NEW
-+# define PROTO_HANDLER_SINGLE_PARM
-+# endif /* REDHAT_BOGOSITY */
-+#endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,4) */
-+
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,9)
-+#define MALLOC_SLAB
-+#define LINUX_KERNEL_HAS_SNPRINTF
-+#endif
-+
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
-+#define HAVE_NETDEV_PRINTK 1
-+#define NET_26
-+#endif
-+
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,8)
-+#define NEED_INET_PROTOCOL
-+#endif
-+
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,12)
-+#define HAVE_SOCK_ZAPPED
-+#define NET_26_12_SKALLOC
-+#endif
-+
-+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,13)
-+#define HAVE_SOCK_SECURITY
-+/* skb->nf_debug disappared completely in 2.6.13 */
-+#define HAVE_SKB_NF_DEBUG
-+#endif
-+
-+#define SYSCTL_IPSEC_DEFAULT_TTL sysctl_ip_default_ttl
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,14)
-+/* skb->stamp changed to skb->tstamp in 2.6.14 */
-+#define HAVE_TSTAMP
-+#define HAVE_INET_SK_SPORT
-+#undef SYSCTL_IPSEC_DEFAULT_TTL
-+#define SYSCTL_IPSEC_DEFAULT_TTL IPSEC_DEFAULT_TTL
-+#else
-+#define HAVE_SKB_LIST
-+#endif
-+
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,18)
-+#define HAVE_NEW_SKB_LINEARIZE
-+#endif
-+
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,20)
-+/* skb->nfmark changed to skb->mark in 2.6.20 */
-+#define nfmark mark
-+#endif
-+
+#ifdef NET_21
+# include <linux/in6.h>
+#else
+ printk(sevlevel "%s: " format , netdev->name , ## arg)
+#endif
+
++#ifndef NET_26
++#define sk_receive_queue receive_queue
++#define sk_destruct destruct
++#define sk_reuse reuse
++#define sk_zapped zapped
++#define sk_family family
++#define sk_protocol protocol
++#define sk_protinfo protinfo
++#define sk_sleep sleep
++#define sk_state_change state_change
++#define sk_shutdown shutdown
++#define sk_err err
++#define sk_stamp stamp
++#define sk_socket socket
++#define sk_sndbuf sndbuf
++#define sock_flag(sk, flag) sk->dead
++#define sk_for_each(sk, node, plist) for(sk=*plist; sk!=NULL; sk = sk->next)
++#endif
++
++/* deal with 2.4 vs 2.6 issues with module counts */
++
++/* in 2.6, all refcounts are maintained *outside* of the
++ * module to deal with race conditions.
++ */
++
++#ifdef NET_26
++#define KLIPS_INC_USE /* nothing */
++#define KLIPS_DEC_USE /* nothing */
++
++#else
++#define KLIPS_INC_USE MOD_INC_USE_COUNT
++#define KLIPS_DEC_USE MOD_DEC_USE_COUNT
++#endif
++
++extern int printk_ratelimit(void);
++
++
++#define _IPSEC_KERN24_H 1
++
++#endif /* _IPSEC_KERN24_H */
++
+--- /dev/null Tue Mar 11 13:02:56 2003
++++ linux/include/openswan/ipsec_kversion.h Mon Feb 9 13:51:03 2004
+@@ -0,0 +1,260 @@
++#ifndef _OPENSWAN_KVERSIONS_H
++/*
++ * header file for FreeS/WAN library functions
++ * Copyright (C) 1998, 1999, 2000 Henry Spencer.
++ * Copyright (C) 1999, 2000, 2001 Richard Guy Briggs
++ *
++ * This library is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU Library General Public License as published by
++ * the Free Software Foundation; either version 2 of the License, or (at your
++ * option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
++ *
++ * This library is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
++ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
++ * License for more details.
++ *
++ * RCSID $Id: ipsec_kversion.h,v 1.23 2005/11/13 15:24:07 ken Exp $
++ */
++#define _OPENSWAN_KVERSIONS_H /* seen it, no need to see it again */
++
++/*
++ * this file contains a series of atomic defines that depend upon
++ * kernel version numbers. The kernel versions are arranged
++ * in version-order number (which is often not chronological)
++ * and each clause enables or disables a feature.
++ */
++
++/*
++ * First, assorted kernel-version-dependent trickery.
++ */
++#include <linux/version.h>
++#ifndef KERNEL_VERSION
++#define KERNEL_VERSION(x,y,z) (((x)<<16)+((y)<<8)+(z))
++#endif
++
++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,1,0)
++#define HEADER_CACHE_BIND_21
++#error "KLIPS is no longer supported on Linux 2.0. Sorry"
++#endif
++
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,1,0)
++#define SPINLOCK
++#define PROC_FS_21
++#define NETLINK_SOCK
++#define NET_21
++#endif
++
++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,1,19)
++#define net_device_stats enet_statistics
++#endif
++
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,0)
++#define SPINLOCK_23
++#define NETDEV_23
++# ifndef CONFIG_IP_ALIAS
++# define CONFIG_IP_ALIAS
++# endif
++#endif
++
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,25)
++#define PROC_FS_2325
++#undef PROC_FS_21
++#endif
++
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,30)
++#define PROC_NO_DUMMY
++#endif
++
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,35)
++#define SKB_COPY_EXPAND
++#endif
++
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,37)
++#define IP_SELECT_IDENT
++#endif
++
++#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,50)) && defined(CONFIG_NETFILTER)
++#define SKB_RESET_NFCT
++#endif
++
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,2)
++#define IP_SELECT_IDENT_NEW
++#endif
++
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,4)
++#define IPH_is_SKB_PULLED
++#define SKB_COW_NEW
++#define PROTO_HANDLER_SINGLE_PARM
++#define IP_FRAGMENT_LINEARIZE 1
++#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,4) */
++# ifdef REDHAT_BOGOSITY
++# define IP_SELECT_IDENT_NEW
++# define IPH_is_SKB_PULLED
++# define SKB_COW_NEW
++# define PROTO_HANDLER_SINGLE_PARM
++# endif /* REDHAT_BOGOSITY */
++#endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,4) */
++
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,9)
++#define MALLOC_SLAB
++#define LINUX_KERNEL_HAS_SNPRINTF
++#endif
++
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
++#define HAVE_NETDEV_PRINTK 1
++#define NET_26
++#define NETDEV_25
++#endif
++
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,8)
++#define NEED_INET_PROTOCOL
++#endif
++
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,12)
++#define HAVE_SOCK_ZAPPED
++#define NET_26_12_SKALLOC
++#endif
++
++/* see <linux/security.h> */
++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,13)
++#define HAVE_SOCK_SECURITY
++/* skb->nf_debug disappared completely in 2.6.13 */
++#define HAVE_SKB_NF_DEBUG
++#endif
++
++/* skb->stamp changed to skb->tstamp in 2.6.14 */
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,14)
++#define HAVE_TSTAMP
++#define HAVE_INET_SK_SPORT
++#else
++#define HAVE_SKB_LIST
++#endif
++
++#define SYSCTL_IPSEC_DEFAULT_TTL sysctl_ip_default_ttl
++/* it seems 2.6.14 accidentally removed sysctl_ip_default_ttl */
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,14)
++#undef SYSCTL_IPSEC_DEFAULT_TTL
++#define SYSCTL_IPSEC_DEFAULT_TTL IPSEC_DEFAULT_TTL
++#endif
++
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,18)
++#define HAVE_NEW_SKB_LINEARIZE
++#endif
++
++/* this is the best we can do to detect XEN, which makes
++ * patches to linux/skbuff.h, making it look like 2.6.18 version
++ */
++#ifdef CONFIG_XEN
++#define HAVE_NEW_SKB_LINEARIZE
++#endif
++
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,20)
++/* skb->nfmark changed to skb->mark in 2.6.20 */
++#define nfmark mark
++#endif
++
++#if __KERNEL__
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,0)
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,0)
+#include "openswan/ipsec_kern24.h"
+#error "kernels before 2.4 are not supported at this time"
+#endif
+#endif
-+
++#endif
+
+#endif /* _OPENSWAN_KVERSIONS_H */
+
+/*
+ * $Log: ipsec_kversion.h,v $
-+ * Revision 1.15.2.11 2007/02/20 03:53:16 paul
-+ * Added comment, made layout consistent with other checks.
-+ *
-+ * Revision 1.15.2.10 2007/02/16 19:08:12 paul
-+ * Fix for compiling on 2.6.20 (nfmark is now called mark in sk_buff)
++ * Revision 1.23 2005/11/13 15:24:07 ken
++ * sysctl_ip_default_ttl is missing in 2.6.14.2, and might be for awhile
+ *
-+ * Revision 1.15.2.9 2006/07/29 05:00:40 paul
-+ * Added HAVE_NEW_SKB_LINEARIZE for 2.6.18+ kernels where skb_linearize
-+ * only takes 1 argument.
++ * Revision 1.22 2005/11/11 05:01:28 paul
++ * Added HAVE_SKB_LIST for 2.6.14 that no longer has skb->list
+ *
-+ * Revision 1.15.2.8 2006/05/01 14:31:52 mcr
-+ * FREESWAN->OPENSWAN in #ifdef.
++ * Revision 1.21 2005/11/11 04:42:02 paul
++ * Added define for HAVE_INET_SK_SPORT for 2.6.14 and up
+ *
-+ * Revision 1.15.2.7 2006/01/11 02:02:59 mcr
-+ * updated patches and DEFAULT_TTL code to work
++ * Revision 1.20 2005/11/11 03:58:34 paul
++ * Added a define for 2.6.14 that is not exporting sysctl_ip_default_ttl
++ * by accident.
+ *
-+ * Revision 1.15.2.6 2006/01/03 19:25:02 ken
-+ * Remove duplicated #ifdef for TTL fix - bad patch
++ * Revision 1.19 2005/11/11 03:16:22 paul
++ * Added HAVE_TSTAMP define for 2.6.14 kernels
++ * (skb->stamp changed to skb->tstamp)
+ *
-+ * Revision 1.15.2.5 2006/01/03 18:06:33 ken
-+ * Fix for missing sysctl default ttl
-+ *
-+ * Revision 1.15.2.4 2005/11/27 21:40:14 paul
-+ * Pull down TTL fixes from head. this fixes "Unknown symbol sysctl_ip_default_ttl"
-+ * in for klips as module.
++ * Revision 1.18 2005/08/31 23:26:11 mcr
++ * fixes for 2.6.13
+ *
+ * Revision 1.15.2.3 2005/11/22 04:11:52 ken
+ * Backport fixes for 2.6.14 kernels from HEAD
+ * Revision 1.15.2.2 2005/09/01 01:57:19 paul
+ * michael's fixes for 2.6.13 from head
+ *
-+ * Revision 1.15.2.1 2005/08/27 23:13:48 paul
-+ * Fix for:
-+ * 7 weeks ago: [NET]: Remove unused security member in sk_buff
-+ * changeset 4280: 328ea53f5fee
-+ * parent 4279: beb0afb0e3f8
-+ * author: Thomas Graf <tgraf@suug.ch>
-+ * date: Tue Jul 5 21:12:44 2005
-+ * files: include/linux/skbuff.h include/linux/tc_ematch/tc_em_meta.h net/core/skbuff.c net/ipv4/ip_output.c net/ipv6/ip6_output.c net/sched/em_meta.c
++ * Revision 1.17 2005/08/27 23:07:21 paul
++ * Somewhere between 2.6.12 and 2.6.13rc7 the unused security memnber in sk_buff
++ * has been removed. This patch should fix compilation for both cases.
+ *
-+ * This should fix compilation on 2.6.13(rc) kernels
++ * Revision 1.16 2005/08/05 08:48:38 mcr
++ * many compat definitions moved to kern24.h because
++ * ipsec_kversion.h may be needed by openswan.h.
+ *
+ * Revision 1.15 2005/07/19 20:02:15 mcr
+ * sk_alloc() interface change.
+ */
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_param.h Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,387 @@
+@@ -0,0 +1,389 @@
+/*
+ * @(#) Openswan tunable paramaters
+ *
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
-+ * RCSID $Id: ipsec_param.h,v 1.29.6.3 2006/05/01 14:32:31 mcr Exp $
++ * RCSID $Id: ipsec_param.h,v 1.31 2005/08/12 15:01:38 mcr Exp $
+ *
+ */
+
+#ifndef _IPSEC_PARAM_H_
+
+#ifdef __KERNEL__
-+#include "ipsec_kversion.h"
++
++#include "openswan/ipsec_kversion.h"
+
+/* Set number of ipsecX virtual devices here. */
+/* This must be < exp(field width of IPSEC_DEV_FORMAT) */
+/* It must also be reasonable so as not to overload the memory and CPU */
+/* constraints of the host. */
-+#define IPSEC_NUM_IF 4
++#ifdef CONFIG_KLIPS_IF_MAX
++#define IPSEC_NUM_IFMAX CONFIG_KLIPS_IF_MAX
++#endif
++#ifndef IPSEC_NUM_IFMAX
++#define IPSEC_NUM_IFMAX 64
++#endif
++
++/* default number of ipsecX devices to create */
++#define IPSEC_NUM_IF 2
++
+/* The field width must be < IF_NAM_SIZ - strlen("ipsec") - 1. */
+/* With "ipsec" being 5 characters, that means 10 is the max field width */
+/* but machine memory and CPU constraints are not likely to tollerate */
+/* for now, no "0"-padding should be used (which would have been helpful */
+/* to make text-searches work */
+#define IPSEC_DEV_FORMAT "ipsec%d"
++#define MAST_DEV_FORMAT "mast%d"
++
+/* For, say, 500 virtual ipsec devices, I would recommend: */
+/* #define IPSEC_NUM_IF 500 */
+/* #define IPSEC_DEV_FORMAT "ipsec%03d" */
+#else /* CONFIG_KLIPS_BIGGATE */
+# define SADB_HASHMOD 257
+#endif /* CONFIG_KLIPS_BIGGATE */
++
+#endif /* __KERNEL__ */
+
+/*
+ * maximum number of SAs that KLIPS can concurrently deal with, plus enough
+ * space for keeping expired SAs around.
+ *
-+ * TABLE_MAX_WIDTH is the number of bits that we will use.
++ * TABLE_IDX_WIDTH is the number of bits that we will use.
+ * MAIN_TABLE_WIDTH is the number of bits used for the primary index table.
+ *
+ */
-+#ifndef IPSEC_SA_REF_TABLE_IDX_WIDTH
-+# define IPSEC_SA_REF_TABLE_IDX_WIDTH 16
-+#endif
-+
+#ifndef IPSEC_SA_REF_MAINTABLE_IDX_WIDTH
+# define IPSEC_SA_REF_MAINTABLE_IDX_WIDTH 4
+#endif
+#ifndef KLIPS_PFKEY_ACQUIRE_LOSSAGE
+# ifdef CONFIG_KLIPS_PFKEY_ACQUIRE_LOSSAGE
+# define KLIPS_PFKEY_ACQUIRE_LOSSAGE 100
++# else /* CONFIG_KLIPS_PFKEY_ACQUIRE_LOSSAGE */
++/* not by default! */
++# define KLIPS_PFKEY_ACQUIRE_LOSSAGE 0
+# endif /* CONFIG_KLIPS_PFKEY_ACQUIRE_LOSSAGE */
-+#else
-+#define KLIPS_PFKEY_ACQUIRE_LOSSAGE 0
+#endif /* KLIPS_PFKEY_ACQUIRE_LOSSAGE */
+
-+#else /* CONFIG_KLIPS_REGRESS */
-+#define KLIPS_PFKEY_ACQUIRE_LOSSAGE 0
-+
+#endif /* CONFIG_KLIPS_REGRESS */
+
+
+ */
+#define KLIPS_ERROR(flag, format, args...) if(printk_ratelimit() || flag) printk(KERN_ERR "KLIPS " format, ## args)
+#ifdef CONFIG_KLIPS_DEBUG
-+extern void ipsec_print_ip(struct iphdr *ip);
-+
+ #define KLIPS_PRINT(flag, format, args...) \
+ ((flag) ? printk(KERN_INFO format , ## args) : 0)
+ #define KLIPS_PRINTMORE(flag, format, args...) \
+
+/*
+ * $Log: ipsec_param.h,v $
-+ * Revision 1.29.6.3 2006/05/01 14:32:31 mcr
-+ * added KLIPS_ERROR and make sure that things work without CONFIG_KLIPS_REGRESS.
++ * Revision 1.31 2005/08/12 15:01:38 mcr
++ * attempt to #undef CONFIG_IPSEC_NAT_TRAVERSAL if it is =0.
+ *
-+ * Revision 1.29.6.2 2005/11/27 21:40:14 paul
-+ * Pull down TTL fixes from head. this fixes "Unknown symbol sysctl_ip_default_ttl"
-+ * in for klips as module.
-+ *
-+ * Revision 1.29.6.1 2005/08/12 16:24:18 ken
-+ * Pull in NAT-T compile logic from HEAD
++ * Revision 1.30 2005/08/05 08:50:45 mcr
++ * move #include of skbuff.h to a place where
++ * we know it will be kernel only code.
+ *
+ * Revision 1.29 2005/01/26 00:50:35 mcr
+ * adjustment of confusion of CONFIG_IPSEC_NAT vs CONFIG_KLIPS_NAT,
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
+ * License for more details.
+ *
-+ * RCSID $Id: ipsec_policy.h,v 1.7.6.1 2005/07/26 01:53:07 ken Exp $
++ * RCSID $Id: ipsec_policy.h,v 1.8 2005/07/26 01:12:38 mcr Exp $
+ */
+#define _IPSEC_POLICY_H /* seen it, no need to see it again */
+
+#endif /* _IPSEC_POLICY_H */
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_proto.h Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,199 @@
+@@ -0,0 +1,195 @@
+/*
+ * @(#) prototypes for FreeSWAN functions
+ *
+
+
+extern struct ipsec_sa *ipsec_sa_getbyid(ip_said *);
-+extern int ipsec_sa_put(struct ipsec_sa *);
-+extern /* void */ int ipsec_sa_del(struct ipsec_sa *);
-+extern /* void */ int ipsec_sa_delchain(struct ipsec_sa *);
+extern /* void */ int ipsec_sa_add(struct ipsec_sa *);
+
+extern int ipsec_sa_init(struct ipsec_sa *ipsp);
-+extern int ipsec_sa_wipe(struct ipsec_sa *ipsp);
+
+/* debug declarations */
+
+ */
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_rcv.h Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,199 @@
+@@ -0,0 +1,197 @@
+/*
+ *
+ * Copyright (C) 1996, 1997 John Ioannidis.
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
-+ * RCSID $Id: ipsec_rcv.h,v 1.28.2.2 2006/10/06 21:39:26 paul Exp $
++ * RCSID $Id: ipsec_rcv.h,v 1.28.2.1 2006/07/10 15:52:20 paul Exp $
+ */
+
+#ifndef IPSEC_RCV_H
+
+#define __NO_VERSION__
+#ifndef AUTOCONF_INCLUDED
-+#include <linux/config.h> /* for CONFIG_IP_FORWARD */
-+#endif
++#include <linux/config.h>
++#endif /* for CONFIG_IP_FORWARD */
+#ifdef CONFIG_MODULES
+#include <linux/module.h>
+#endif
+
+extern int klips26_rcv_encap(struct sk_buff *skb, __u16 encap_type);
+
++// manage ipsec rcv state objects
++extern int ipsec_rcv_state_cache_init (void);
++extern void ipsec_rcv_state_cache_cleanup (void);
+
+#endif /* IPSEC_RCV_H */
+
+/*
+ * $Log: ipsec_rcv.h,v $
-+ * Revision 1.28.2.2 2006/10/06 21:39:26 paul
-+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
-+ * set. This is defined through autoconf.h which is included through the
-+ * linux kernel build macros.
-+ *
+ * Revision 1.28.2.1 2006/07/10 15:52:20 paul
+ * Fix for bug #642 by Bart Trojanowski
+ *
+
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_sa.h Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,355 @@
+@@ -0,0 +1,279 @@
+/*
+ * @(#) Definitions of IPsec Security Association (ipsec_sa)
+ *
+#endif /* __KERNEL__ */
+#include "openswan/ipsec_param.h"
+
-+#include "pfkeyv2.h"
++#include "openswan/pfkeyv2.h"
+
+
+/* SAs are held in a table.
+#define IPSEC_SA_REF_HOST_FIELD_WIDTH (8 * sizeof(IPSEC_SA_REF_HOST_FIELD_TYPE))
+#define IPSEC_SA_REF_FIELD_WIDTH (8 * sizeof(IPsecSAref_t))
+
-+#define IPSEC_SA_REF_MASK (IPSEC_SAREF_NULL >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_TABLE_IDX_WIDTH))
-+#define IPSEC_SA_REF_TABLE_MASK ((IPSEC_SAREF_NULL >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_MAINTABLE_IDX_WIDTH)) << IPSEC_SA_REF_SUBTABLE_IDX_WIDTH)
-+#define IPSEC_SA_REF_ENTRY_MASK (IPSEC_SAREF_NULL >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_SUBTABLE_IDX_WIDTH))
++#define IPSEC_SA_REF_MAX (~IPSEC_SAREF_NULL)
++#define IPSEC_SAREF_FIRST 1
++#define IPSEC_SA_REF_MASK (IPSEC_SA_REF_MAX >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_TABLE_IDX_WIDTH))
++#define IPSEC_SA_REF_TABLE_MASK ((IPSEC_SA_REF_MAX >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_MAINTABLE_IDX_WIDTH)) << IPSEC_SA_REF_SUBTABLE_IDX_WIDTH)
++#define IPSEC_SA_REF_ENTRY_MASK (IPSEC_SA_REF_MAX >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_SUBTABLE_IDX_WIDTH))
+
+#define IPsecSAref2table(x) (((x) & IPSEC_SA_REF_TABLE_MASK) >> IPSEC_SA_REF_SUBTABLE_IDX_WIDTH)
+#define IPsecSAref2entry(x) ((x) & IPSEC_SA_REF_ENTRY_MASK)
+/* 'struct ipsec_sa' should be 64bit aligned when allocated. */
+struct ipsec_sa
+{
-+ IPsecSAref_t ips_ref; /* reference table entry number */
-+ atomic_t ips_refcount; /* reference count for this struct */
++ atomic_t ips_refcount; /* reference count for this struct */
++ int ips_marked_deleted; /* used with reference counting */
++ IPsecSAref_t ips_ref; /* reference table entry number */
++ IPsecSAref_t ips_refhim; /* ref of paired SA, if any */
++ struct ipsec_sa *ips_next; /* pointer to next xform */
++
+ struct ipsec_sa *ips_hnext; /* next in hash chain */
+ struct ipsec_sa *ips_inext; /* pointer to next xform */
+ struct ipsec_sa *ips_onext; /* pointer to prev xform */
+
+ struct ifnet *ips_rcvif; /* related rcv encap interface */
+
++ struct xform_functions *ips_xformfuncs; /* pointer to routines to process this SA */
++
++ struct net_device *ips_out; /* what interface to emerge on */
++ __u8 ips_transport_direct; /* if true, punt directly to
++ * the protocol layer */
++ struct socket *ips_sock; /* cache of transport socket */
++
+ ip_said ips_said; /* SA ID */
+
+ __u32 ips_seq; /* seq num of msg that initiated this SA */
+#endif
+ struct ipsec_alg_enc *ips_alg_enc;
+ struct ipsec_alg_auth *ips_alg_auth;
-+ IPsecSAref_t ips_ref_rel;
++//IPsecSAref_t ips_ref_rel;
+};
+
+struct IPsecSArefSubTable
+extern struct ipsec_sa *ipsec_sa_alloc(int*error); /* pass in error var by pointer */
+extern IPsecSAref_t ipsec_SAref_alloc(int*erorr); /* pass in error var by pointer */
+extern int ipsec_sa_free(struct ipsec_sa* ips);
-+extern int ipsec_sa_put(struct ipsec_sa *ips);
++
++#define ipsec_sa_get(ips) __ipsec_sa_get(ips, __FUNCTION__, __LINE__)
++extern struct ipsec_sa * __ipsec_sa_get(struct ipsec_sa *ips, const char *func, int line);
++
++#define ipsec_sa_put(ips) __ipsec_sa_put(ips, __FUNCTION__, __LINE__)
++extern void __ipsec_sa_put(struct ipsec_sa *ips, const char *func, int line);
+extern int ipsec_sa_add(struct ipsec_sa *ips);
-+extern int ipsec_sa_del(struct ipsec_sa *ips);
-+extern int ipsec_sa_delchain(struct ipsec_sa *ips);
++extern void ipsec_sa_rm(struct ipsec_sa *ips);
+extern int ipsec_sadb_cleanup(__u8 proto);
+extern int ipsec_sadb_free(void);
-+extern int ipsec_sa_wipe(struct ipsec_sa *ips);
++extern int ipsec_sa_intern(struct ipsec_sa *ips);
++extern void ipsec_sa_untern(struct ipsec_sa *ips);
++extern struct ipsec_sa *ipsec_sa_getbyref(IPsecSAref_t ref);
++
+#endif /* __KERNEL__ */
+
+enum ipsec_direction {
+#endif /* _IPSEC_SA_H_ */
+
+/*
-+ * $Log: ipsec_sa.h,v $
-+ * Revision 1.23 2005/05/11 01:18:59 mcr
-+ * do not change structure based upon options, to avoid
-+ * too many #ifdef.
-+ *
-+ * Revision 1.22 2005/04/14 01:17:09 mcr
-+ * change sadb_state to an enum.
-+ *
-+ * Revision 1.21 2004/08/20 21:45:37 mcr
-+ * CONFIG_KLIPS_NAT_TRAVERSAL is not used in an attempt to
-+ * be 26sec compatible. But, some defines where changed.
-+ *
-+ * Revision 1.20 2004/07/10 19:08:41 mcr
-+ * CONFIG_IPSEC -> CONFIG_KLIPS.
-+ *
-+ * Revision 1.19 2004/04/05 19:55:06 mcr
-+ * Moved from linux/include/freeswan/ipsec_sa.h,v
-+ *
-+ * Revision 1.18 2004/04/05 19:41:05 mcr
-+ * merged alg-branch code.
-+ *
-+ * Revision 1.17.2.1 2003/12/22 15:25:52 jjo
-+ * . Merged algo-0.8.1-rc11-test1 into alg-branch
-+ *
-+ * Revision 1.17 2003/12/10 01:20:06 mcr
-+ * NAT-traversal patches to KLIPS.
-+ *
-+ * Revision 1.16 2003/10/31 02:27:05 mcr
-+ * pulled up port-selector patches and sa_id elimination.
-+ *
-+ * Revision 1.15.4.1 2003/10/29 01:10:19 mcr
-+ * elimited "struct sa_id"
-+ *
-+ * Revision 1.15 2003/05/11 00:53:09 mcr
-+ * IPsecSAref_t and macros were moved to freeswan.h.
-+ *
-+ * Revision 1.14 2003/02/12 19:31:55 rgb
-+ * Fixed bug in "file seen" machinery.
-+ * Updated copyright year.
-+ *
-+ * Revision 1.13 2003/01/30 02:31:52 rgb
-+ *
-+ * Re-wrote comments describing SAref system for accuracy.
-+ * Rename SAref table macro names for clarity.
-+ * Convert IPsecSAref_t from signed to unsigned to fix apparent SAref exhaustion bug.
-+ * Transmit error code through to caller from callee for better diagnosis of problems.
-+ * Enclose all macro arguments in parens to avoid any possible obscrure bugs.
-+ *
-+ * Revision 1.12 2002/10/07 18:31:19 rgb
-+ * Change comment to reflect the flexible nature of the main and sub-table widths.
-+ * Added a counter for the number of unused entries in each subtable.
-+ * Further break up host field type macro to host field.
-+ * Move field width sanity checks to ipsec_sa.c
-+ * Define a mask for an entire saref.
-+ *
-+ * Revision 1.11 2002/09/20 15:40:33 rgb
-+ * Re-write most of the SAref macros and types to eliminate any pointer references to Entrys.
-+ * Fixed SAref/nfmark macros.
-+ * Rework saref freeslist.
-+ * Place all ipsec sadb globals into one struct.
-+ * Restrict some bits to kernel context for use to klips utils.
-+ *
-+ * Revision 1.10 2002/09/20 05:00:34 rgb
-+ * Update copyright date.
-+ *
-+ * Revision 1.9 2002/09/17 17:19:29 mcr
-+ * make it compile even if there is no netfilter - we lost
-+ * functionality, but it works, especially on 2.2.
-+ *
-+ * Revision 1.8 2002/07/28 22:59:53 mcr
-+ * clarified/expanded one comment.
-+ *
-+ * Revision 1.7 2002/07/26 08:48:31 rgb
-+ * Added SA ref table code.
-+ *
-+ * Revision 1.6 2002/05/31 17:27:48 rgb
-+ * Comment fix.
-+ *
-+ * Revision 1.5 2002/05/27 18:55:03 rgb
-+ * Remove final vistiges of tdb references via IPSEC_KLIPS1_COMPAT.
-+ *
-+ * Revision 1.4 2002/05/23 07:13:36 rgb
-+ * Convert "usecount" to "refcount" to remove ambiguity.
-+ *
-+ * Revision 1.3 2002/04/24 07:36:47 mcr
-+ * Moved from ./klips/net/ipsec/ipsec_sa.h,v
-+ *
-+ * Revision 1.2 2001/11/26 09:16:15 rgb
-+ * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
-+ *
-+ * Revision 1.1.2.1 2001/09/25 02:24:58 mcr
-+ * struct tdb -> struct ipsec_sa.
-+ * sa(tdb) manipulation functions renamed and moved to ipsec_sa.c
-+ * ipsec_xform.c removed. header file still contains useful things.
-+ *
-+ *
+ * Local variables:
+ * c-file-style: "linux"
+ * End:
+ */
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_tunnel.h Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,280 @@
+@@ -0,0 +1,270 @@
+/*
+ * IPSEC tunneling code
+ * Copyright (C) 1996, 1997 John Ioannidis.
+ */
+
+
-+#ifdef NET_21
+# define DEV_QUEUE_XMIT(skb, device, pri) {\
+ skb->dev = device; \
+ neigh_compat_output(skb); \
+ icmp_send(skb_in, type, code, htonl(info))
+# define IP_SEND(skb, dev) \
+ ip_send(skb);
-+#else /* NET_21 */
-+# define DEV_QUEUE_XMIT(skb, device, pri) {\
-+ dev_queue_xmit(skb, device, pri); \
-+ }
-+# define ICMP_SEND(skb_in, type, code, info, dev) \
-+ icmp_send(skb_in, type, code, info, dev)
-+# define IP_SEND(skb, dev) \
-+ if(ntohs(iph->tot_len) > physmtu) { \
-+ ip_fragment(NULL, skb, dev, 0); \
-+ ipsec_kfree_skb(skb); \
-+ } else { \
-+ dev_queue_xmit(skb, dev, SOPRI_NORMAL); \
-+ }
-+#endif /* NET_21 */
+
+
++#if defined(KLIPS)
+/*
+ * Heavily based on drivers/net/new_tunnel.c. Lots
+ * of ideas also taken from the 2.1.x version of drivers/net/shaper.c
+#define IPSEC_SET_DEV (SIOCDEVPRIVATE)
+#define IPSEC_DEL_DEV (SIOCDEVPRIVATE + 1)
+#define IPSEC_CLR_DEV (SIOCDEVPRIVATE + 2)
++#endif
+
+#ifdef __KERNEL__
+#include <linux/version.h>
+#define DB_TN_ENCAP 0x0200
+#endif /* CONFIG_KLIPS_DEBUG */
+
++// manage ipsec xmit state objects
++extern int ipsec_xmit_state_cache_init (void);
++extern void ipsec_xmit_state_cache_cleanup (void);
+/*
+ * $Log: ipsec_tunnel.h,v $
+ * Revision 1.33 2005/06/04 16:06:05 mcr
+ */
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/include/openswan/ipsec_xform.h Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,257 @@
+@@ -0,0 +1,263 @@
+/*
+ * Definitions relevant to IPSEC transformations
+ * Copyright (C) 1996, 1997 John Ioannidis.
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
-+ * RCSID $Id: ipsec_xform.h,v 1.41 2004/07/10 19:08:41 mcr Exp $
++ * RCSID $Id: ipsec_xform.h,v 1.42 2005/08/05 08:50:45 mcr Exp $
+ */
+
+#ifndef _IPSEC_XFORM_H_
+ auth_name_id(x->ips_authalg) /* "_UNKNOWN_auth" */ \
+
+#ifdef __KERNEL__
++#include <linux/skbuff.h>
++
+struct ipsec_rcv_state;
+struct ipsec_xmit_state;
+
+
+/*
+ * $Log: ipsec_xform.h,v $
++ * Revision 1.42 2005/08/05 08:50:45 mcr
++ * move #include of skbuff.h to a place where
++ * we know it will be kernel only code.
++ *
+ * Revision 1.41 2004/07/10 19:08:41 mcr
+ * CONFIG_IPSEC -> CONFIG_KLIPS.
+ *
+ (*openswan_passert_fail)("impossible", __FILE__, __LINE__); \
+ }} while(0)
+
-+extern void switch_fail(int n
++extern void openswan_switch_fail(int n
+ , const char *file_str, unsigned long line_no) NEVER_RETURNS;
+
-+# define bad_case(n) switch_fail((int) n, __FILE__, __LINE__)
++# define bad_case(n) openswan_switch_fail((int) n, __FILE__, __LINE__)
+
+# define passert(pred) do { \
+ if (!(pred)) \
+
+#endif /* _OPENSWAN_PASSERT_H */
--- /dev/null Tue Mar 11 13:02:56 2003
-+++ linux/include/openswan/pfkey_debug.h Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,54 @@
-+/*
-+ * sanitize a string into a printable format.
-+ *
-+ * Copyright (C) 1998-2002 D. Hugh Redelmeier.
-+ * Copyright (C) 2003 Michael Richardson <mcr@freeswan.org>
-+ *
-+ * This library is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU Library General Public License as published by
-+ * the Free Software Foundation; either version 2 of the License, or (at your
-+ * option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
-+ *
-+ * This library is distributed in the hope that it will be useful, but
-+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
-+ * License for more details.
-+ *
-+ * RCSID $Id: pfkey_debug.h,v 1.3 2004/04/05 19:55:07 mcr Exp $
-+ */
-+
-+#ifndef _FREESWAN_PFKEY_DEBUG_H
-+#define _FREESWAN_PFKEY_DEBUG_H
-+
-+#ifdef __KERNEL__
-+
-+/* note, kernel version ignores pfkey levels */
-+# define DEBUGGING(level,args...) \
-+ KLIPS_PRINT(debug_pfkey, "klips_debug:" args)
-+
-+# define ERROR(args...) printk(KERN_ERR "klips:" args)
-+
-+#else
-+
-+extern unsigned int pfkey_lib_debug;
-+
-+extern void (*pfkey_debug_func)(const char *message, ...) PRINTF_LIKE(1);
-+extern void (*pfkey_error_func)(const char *message, ...) PRINTF_LIKE(1);
-+
-+#define DEBUGGING(level,args...) if(pfkey_lib_debug & level) { \
-+ if(pfkey_debug_func != NULL) { \
-+ (*pfkey_debug_func)("pfkey_lib_debug:" args); \
-+ } else { \
-+ printf("pfkey_lib_debug:" args); \
-+ } }
-+
-+#define ERROR(args...) if(pfkey_error_func != NULL) { \
-+ (*pfkey_error_func)("pfkey_lib_debug:" args); \
-+ }
-+
-+# define MALLOC(size) malloc(size)
-+# define FREE(obj) free(obj)
-+
-+#endif
-+
-+#endif
---- /dev/null Tue Mar 11 13:02:56 2003
-+++ linux/include/openswan/radij.h Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,280 @@
-+/*
-+ * RCSID $Id: radij.h,v 1.13 2004/04/05 19:55:08 mcr Exp $
-+ */
-+
-+/*
-+ * This file is defived from ${SRC}/sys/net/radix.h of BSD 4.4lite
-+ *
-+ * Variable and procedure names have been modified so that they don't
-+ * conflict with the original BSD code, as a small number of modifications
-+ * have been introduced and we may want to reuse this code in BSD.
-+ *
-+ * The `j' in `radij' is pronounced as a voiceless guttural (like a Greek
-+ * chi or a German ch sound (as `doch', not as in `milch'), or even a
-+ * spanish j as in Juan. It is not as far back in the throat like
-+ * the corresponding Hebrew sound, nor is it a soft breath like the English h.
-+ * It has nothing to do with the Dutch ij sound.
-+ *
-+ * Here is the appropriate copyright notice:
-+ */
-+
-+/*
-+ * Copyright (c) 1988, 1989, 1993
-+ * The Regents of the University of California. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ * 3. All advertising materials mentioning features or use of this software
-+ * must display the following acknowledgement:
-+ * This product includes software developed by the University of
-+ * California, Berkeley and its contributors.
-+ * 4. Neither the name of the University nor the names of its contributors
-+ * may be used to endorse or promote products derived from this software
-+ * without specific prior written permission.
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
-+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
-+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-+ * SUCH DAMAGE.
-+ *
-+ * @(#)radix.h 8.1 (Berkeley) 6/10/93
-+ */
-+
-+#ifndef _RADIJ_H_
-+#define _RADIJ_H_
-+
-+/*
-+#define RJ_DEBUG
-+*/
-+
-+#ifdef __KERNEL__
-+
-+#ifndef __P
-+#ifdef __STDC__
-+#define __P(x) x
-+#else
-+#define __P(x) ()
-+#endif
-+#endif
-+
-+/*
-+ * Radix search tree node layout.
-+ */
-+
-+struct radij_node
-+{
-+ struct radij_mask *rj_mklist; /* list of masks contained in subtree */
-+ struct radij_node *rj_p; /* parent */
-+ short rj_b; /* bit offset; -1-index(netmask) */
-+ char rj_bmask; /* node: mask for bit test*/
-+ u_char rj_flags; /* enumerated next */
-+#define RJF_NORMAL 1 /* leaf contains normal route */
-+#define RJF_ROOT 2 /* leaf is root leaf for tree */
-+#define RJF_ACTIVE 4 /* This node is alive (for rtfree) */
-+ union {
-+ struct { /* leaf only data: */
-+ caddr_t rj_Key; /* object of search */
-+ caddr_t rj_Mask; /* netmask, if present */
-+ struct radij_node *rj_Dupedkey;
-+ } rj_leaf;
-+ struct { /* node only data: */
-+ int rj_Off; /* where to start compare */
-+ struct radij_node *rj_L;/* progeny */
-+ struct radij_node *rj_R;/* progeny */
-+ }rj_node;
-+ } rj_u;
-+#ifdef RJ_DEBUG
-+ int rj_info;
-+ struct radij_node *rj_twin;
-+ struct radij_node *rj_ybro;
-+#endif
-+};
-+
-+#define rj_dupedkey rj_u.rj_leaf.rj_Dupedkey
-+#define rj_key rj_u.rj_leaf.rj_Key
-+#define rj_mask rj_u.rj_leaf.rj_Mask
-+#define rj_off rj_u.rj_node.rj_Off
-+#define rj_l rj_u.rj_node.rj_L
-+#define rj_r rj_u.rj_node.rj_R
-+
-+/*
-+ * Annotations to tree concerning potential routes applying to subtrees.
-+ */
-+
-+extern struct radij_mask {
-+ short rm_b; /* bit offset; -1-index(netmask) */
-+ char rm_unused; /* cf. rj_bmask */
-+ u_char rm_flags; /* cf. rj_flags */
-+ struct radij_mask *rm_mklist; /* more masks to try */
-+ caddr_t rm_mask; /* the mask */
-+ int rm_refs; /* # of references to this struct */
-+} *rj_mkfreelist;
-+
-+#define MKGet(m) {\
-+ if (rj_mkfreelist) {\
-+ m = rj_mkfreelist; \
-+ rj_mkfreelist = (m)->rm_mklist; \
-+ } else \
-+ R_Malloc(m, struct radij_mask *, sizeof (*(m))); }\
-+
-+#define MKFree(m) { (m)->rm_mklist = rj_mkfreelist; rj_mkfreelist = (m);}
-+
-+struct radij_node_head {
-+ struct radij_node *rnh_treetop;
-+ int rnh_addrsize; /* permit, but not require fixed keys */
-+ int rnh_pktsize; /* permit, but not require fixed keys */
-+#if 0
-+ struct radij_node *(*rnh_addaddr) /* add based on sockaddr */
-+ __P((void *v, void *mask,
-+ struct radij_node_head *head, struct radij_node nodes[]));
-+#endif
-+ int (*rnh_addaddr) /* add based on sockaddr */
-+ __P((void *v, void *mask,
-+ struct radij_node_head *head, struct radij_node nodes[]));
-+ struct radij_node *(*rnh_addpkt) /* add based on packet hdr */
-+ __P((void *v, void *mask,
-+ struct radij_node_head *head, struct radij_node nodes[]));
-+#if 0
-+ struct radij_node *(*rnh_deladdr) /* remove based on sockaddr */
-+ __P((void *v, void *mask, struct radij_node_head *head));
-+#endif
-+ int (*rnh_deladdr) /* remove based on sockaddr */
-+ __P((void *v, void *mask, struct radij_node_head *head, struct radij_node **node));
-+ struct radij_node *(*rnh_delpkt) /* remove based on packet hdr */
-+ __P((void *v, void *mask, struct radij_node_head *head));
-+ struct radij_node *(*rnh_matchaddr) /* locate based on sockaddr */
-+ __P((void *v, struct radij_node_head *head));
-+ struct radij_node *(*rnh_matchpkt) /* locate based on packet hdr */
-+ __P((void *v, struct radij_node_head *head));
-+ int (*rnh_walktree) /* traverse tree */
-+ __P((struct radij_node_head *head, int (*f)(struct radij_node *rn, void *w), void *w));
-+ struct radij_node rnh_nodes[3]; /* empty tree for common case */
-+};
-+
-+
-+#define Bcmp(a, b, n) memcmp(((caddr_t)(b)), ((caddr_t)(a)), (unsigned)(n))
-+#define Bcopy(a, b, n) memmove(((caddr_t)(b)), ((caddr_t)(a)), (unsigned)(n))
-+#define Bzero(p, n) memset((caddr_t)(p), 0, (unsigned)(n))
-+#define R_Malloc(p, t, n) ((p = (t) kmalloc((size_t)(n), GFP_ATOMIC)), Bzero((p),(n)))
-+#define Free(p) kfree((caddr_t)p);
-+
-+void rj_init __P((void));
-+int rj_inithead __P((void **, int));
-+int rj_refines __P((void *, void *));
-+int rj_walktree __P((struct radij_node_head *head, int (*f)(struct radij_node *rn, void *w), void *w));
-+struct radij_node
-+ *rj_addmask __P((void *, int, int)) /* , rgb */ ;
-+int /* * */ rj_addroute __P((void *, void *, struct radij_node_head *,
-+ struct radij_node [2])) /* , rgb */ ;
-+int /* * */ rj_delete __P((void *, void *, struct radij_node_head *, struct radij_node **)) /* , rgb */ ;
-+struct radij_node /* rgb */
-+ *rj_insert __P((void *, struct radij_node_head *, int *,
-+ struct radij_node [2])),
-+ *rj_match __P((void *, struct radij_node_head *)),
-+ *rj_newpair __P((void *, int, struct radij_node[2])),
-+ *rj_search __P((void *, struct radij_node *)),
-+ *rj_search_m __P((void *, struct radij_node *, void *));
-+
-+void rj_deltree(struct radij_node_head *);
-+void rj_delnodes(struct radij_node *);
-+void rj_free_mkfreelist(void);
-+int radijcleartree(void);
-+int radijcleanup(void);
-+
-+extern struct radij_node_head *mask_rjhead;
-+extern int maj_keylen;
-+#endif /* __KERNEL__ */
-+
-+#endif /* _RADIJ_H_ */
-+
-+
-+/*
-+ * $Log: radij.h,v $
-+ * Revision 1.13 2004/04/05 19:55:08 mcr
-+ * Moved from linux/include/freeswan/radij.h,v
-+ *
-+ * Revision 1.12 2002/04/24 07:36:48 mcr
-+ * Moved from ./klips/net/ipsec/radij.h,v
-+ *
-+ * Revision 1.11 2001/09/20 15:33:00 rgb
-+ * Min/max cleanup.
-+ *
-+ * Revision 1.10 1999/11/18 04:09:20 rgb
-+ * Replaced all kernel version macros to shorter, readable form.
-+ *
-+ * Revision 1.9 1999/05/05 22:02:33 rgb
-+ * Add a quick and dirty port to 2.2 kernels by Marc Boucher <marc@mbsi.ca>.
-+ *
-+ * Revision 1.8 1999/04/29 15:24:58 rgb
-+ * Add check for existence of macros min/max.
-+ *
-+ * Revision 1.7 1999/04/11 00:29:02 henry
-+ * GPL boilerplate
-+ *
-+ * Revision 1.6 1999/04/06 04:54:29 rgb
-+ * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
-+ * patch shell fixes.
-+ *
-+ * Revision 1.5 1999/01/22 06:30:32 rgb
-+ * 64-bit clean-up.
-+ *
-+ * Revision 1.4 1998/11/30 13:22:55 rgb
-+ * Rationalised all the klips kernel file headers. They are much shorter
-+ * now and won't conflict under RH5.2.
-+ *
-+ * Revision 1.3 1998/10/25 02:43:27 rgb
-+ * Change return type on rj_addroute and rj_delete and add and argument
-+ * to the latter to be able to transmit more infomation about errors.
-+ *
-+ * Revision 1.2 1998/07/14 18:09:51 rgb
-+ * Add a routine to clear eroute table.
-+ * Added #ifdef __KERNEL__ directives to restrict scope of header.
-+ *
-+ * Revision 1.1 1998/06/18 21:30:22 henry
-+ * move sources from klips/src to klips/net/ipsec to keep stupid kernel
-+ * build scripts happier about symlinks
-+ *
-+ * Revision 1.4 1998/05/25 20:34:16 rgb
-+ * Remove temporary ipsec_walk, rj_deltree and rj_delnodes functions.
-+ *
-+ * Rename ipsec_rj_walker (ipsec_walk) to ipsec_rj_walker_procprint and
-+ * add ipsec_rj_walker_delete.
-+ *
-+ * Recover memory for eroute table on unload of module.
-+ *
-+ * Revision 1.3 1998/04/22 16:51:37 rgb
-+ * Tidy up radij debug code from recent rash of modifications to debug code.
-+ *
-+ * Revision 1.2 1998/04/14 17:30:38 rgb
-+ * Fix up compiling errors for radij tree memory reclamation.
-+ *
-+ * Revision 1.1 1998/04/09 03:06:16 henry
-+ * sources moved up from linux/net/ipsec
-+ *
-+ * Revision 1.1.1.1 1998/04/08 05:35:04 henry
-+ * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
-+ *
-+ * Revision 0.4 1997/01/15 01:28:15 ji
-+ * No changes.
-+ *
-+ * Revision 0.3 1996/11/20 14:44:45 ji
-+ * Release update only.
-+ *
-+ * Revision 0.2 1996/11/02 00:18:33 ji
-+ * First limited release.
-+ *
-+ *
-+ */
---- /dev/null Tue Mar 11 13:02:56 2003
-+++ linux/include/pfkey.h Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,529 @@
++++ linux/include/openswan/pfkey.h Mon Feb 9 13:51:03 2004
+@@ -0,0 +1,344 @@
+/*
+ * FreeS/WAN specific PF_KEY headers
+ * Copyright (C) 1999, 2000, 2001 Richard Guy Briggs.
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
-+ * RCSID $Id: pfkey.h,v 1.49 2005/05/11 00:57:29 mcr Exp $
++ * RCSID $Id: pfkey.h,v 1.52 2005/11/09 00:30:37 mcr Exp $
+ */
+
+#ifndef __NET_IPSEC_PF_KEY_H
+extern int pfkey_acquire(struct ipsec_sa *);
+#else /* ! __KERNEL__ */
+
-+extern void (*pfkey_debug_func)(const char *message, ...);
-+extern void (*pfkey_error_func)(const char *message, ...);
++extern openswan_keying_debug_func_t pfkey_debug_func;
++extern openswan_keying_debug_func_t pfkey_error_func;
+extern void pfkey_print(struct sadb_msg *msg, FILE *out);
+
+
+pfkey_key_build(struct sadb_ext** pfkey_ext,
+ uint16_t exttype,
+ uint16_t key_bits,
-+ char* key);
++ unsigned char *key);
+
+int
+pfkey_ident_build(struct sadb_ext** pfkey_ext,
+const char *
+pfkey_v2_sadb_type_string(int sadb_type);
+
++extern int
++pfkey_outif_build(struct sadb_ext **pfkey_ext,
++ uint16_t outif);
+
+#endif /* __NET_IPSEC_PF_KEY_H */
+
+--- /dev/null Tue Mar 11 13:02:56 2003
++++ linux/include/openswan/pfkey_debug.h Mon Feb 9 13:51:03 2004
+@@ -0,0 +1,54 @@
+/*
-+ * $Log: pfkey.h,v $
-+ * Revision 1.49 2005/05/11 00:57:29 mcr
-+ * rename struct supported -> struct ipsec_alg_supported.
-+ * make pfkey.h more standalone.
-+ *
-+ * Revision 1.48 2005/05/01 03:12:50 mcr
-+ * include name of algorithm in datastructure.
-+ *
-+ * Revision 1.47 2004/08/21 00:44:14 mcr
-+ * simplify definition of nat_t related prototypes.
-+ *
-+ * Revision 1.46 2004/08/04 16:27:22 mcr
-+ * 2.6 sk_ options.
-+ *
-+ * Revision 1.45 2004/04/06 02:49:00 mcr
-+ * pullup of algo code from alg-branch.
-+ *
-+ * Revision 1.44 2003/12/10 01:20:01 mcr
-+ * NAT-traversal patches to KLIPS.
-+ *
-+ * Revision 1.43 2003/10/31 02:26:44 mcr
-+ * pulled up port-selector patches.
-+ *
-+ * Revision 1.42.2.2 2003/10/29 01:09:32 mcr
-+ * added debugging for pfkey library.
-+ *
-+ * Revision 1.42.2.1 2003/09/21 13:59:34 mcr
-+ * pre-liminary X.509 patch - does not yet pass tests.
-+ *
-+ * Revision 1.42 2003/08/25 22:08:19 mcr
-+ * removed pfkey_proto_init() from pfkey.h for 2.6 support.
-+ *
-+ * Revision 1.41 2003/05/07 17:28:57 mcr
-+ * new function pfkey_debug_func added for us in debugging from
-+
-+ * pfkey library.
-+ *
-+ * Revision 1.40 2003/01/30 02:31:34 rgb
-+ *
-+ * Convert IPsecSAref_t from signed to unsigned to fix apparent SAref exhaustion bug.
-+ *
-+ * Revision 1.39 2002/09/20 15:40:21 rgb
-+ * Switch from pfkey_alloc_ipsec_sa() to ipsec_sa_alloc().
-+ * Added ref parameter to pfkey_sa_build().
-+ * Cleaned out unused cruft.
-+ *
-+ * Revision 1.38 2002/05/14 02:37:24 rgb
-+ * Change all references to tdb, TDB or Tunnel Descriptor Block to ips,
-+ * ipsec_sa or ipsec_sa.
-+ * Added function prototypes for the functions moved to
-+ * pfkey_v2_ext_process.c.
-+ *
-+ * Revision 1.37 2002/04/24 07:36:49 mcr
-+ * Moved from ./lib/pfkey.h,v
-+ *
-+ * Revision 1.36 2002/01/20 20:34:49 mcr
-+ * added pfkey_v2_sadb_type_string to decode sadb_type to string.
-+ *
-+ * Revision 1.35 2001/11/27 05:27:47 mcr
-+ * pfkey parses are now maintained by a structure
-+ * that includes their name for debug purposes.
-+ *
-+ * Revision 1.34 2001/11/26 09:23:53 rgb
-+ * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
-+ *
-+ * Revision 1.33 2001/11/06 19:47:47 rgb
-+ * Added packet parameter to lifetime and comb structures.
-+ *
-+ * Revision 1.32 2001/09/08 21:13:34 rgb
-+ * Added pfkey ident extension support for ISAKMPd. (NetCelo)
-+ *
-+ * Revision 1.31 2001/06/14 19:35:16 rgb
-+ * Update copyright date.
-+ *
-+ * Revision 1.30 2001/02/27 07:04:52 rgb
-+ * Added satype2name prototype.
-+ *
-+ * Revision 1.29 2001/02/26 19:59:33 rgb
-+ * Ditch unused sadb_satype2proto[], replaced by satype2proto().
-+ *
-+ * Revision 1.28 2000/10/10 20:10:19 rgb
-+ * Added support for debug_ipcomp and debug_verbose to klipsdebug.
-+ *
-+ * Revision 1.27 2000/09/21 04:20:45 rgb
-+ * Fixed array size off-by-one error. (Thanks Svenning!)
-+ *
-+ * Revision 1.26 2000/09/12 03:26:05 rgb
-+ * Added pfkey_acquire prototype.
-+ *
-+ * Revision 1.25 2000/09/08 19:21:28 rgb
-+ * Fix pfkey_prop_build() parameter to be only single indirection.
-+ *
-+ * Revision 1.24 2000/09/01 18:46:42 rgb
-+ * Added a supported algorithms array lists, one per satype and registered
-+ * existing algorithms.
-+ * Fixed pfkey_list_{insert,remove}_{socket,support}() to allow change to
-+ * list.
-+ *
-+ * Revision 1.23 2000/08/27 01:55:26 rgb
-+ * Define OCTETBITS and PFKEYBITS to avoid using 'magic' numbers in code.
-+ *
-+ * Revision 1.22 2000/08/20 21:39:23 rgb
-+ * Added kernel prototypes for kernel funcitions pfkey_upmsg() and
-+ * pfkey_expire().
-+ *
-+ * Revision 1.21 2000/08/15 17:29:23 rgb
-+ * Fixes from SZI to untested pfkey_prop_build().
-+ *
-+ * Revision 1.20 2000/05/10 20:14:19 rgb
-+ * Fleshed out sensitivity, proposal and supported extensions.
-+ *
-+ * Revision 1.19 2000/03/16 14:07:23 rgb
-+ * Renamed ALIGN macro to avoid fighting with others in kernel.
-+ *
-+ * Revision 1.18 2000/01/22 23:24:06 rgb
-+ * Added prototypes for proto2satype(), satype2proto() and proto2name().
-+ *
-+ * Revision 1.17 2000/01/21 06:26:59 rgb
-+ * Converted from double tdb arguments to one structure (extr)
-+ * containing pointers to all temporary information structures.
-+ * Added klipsdebug switching capability.
-+ * Dropped unused argument to pfkey_x_satype_build().
-+ *
-+ * Revision 1.16 1999/12/29 21:17:41 rgb
-+ * Changed pfkey_msg_build() I/F to include a struct sadb_msg**
-+ * parameter for cleaner manipulation of extensions[] and to guard
-+ * against potential memory leaks.
-+ * Changed the I/F to pfkey_msg_free() for the same reason.
-+ *
-+ * Revision 1.15 1999/12/09 23:12:54 rgb
-+ * Added macro for BITS_PER_OCTET.
-+ * Added argument to pfkey_sa_build() to do eroutes.
-+ *
-+ * Revision 1.14 1999/12/08 20:33:25 rgb
-+ * Changed sa_family_t to uint16_t for 2.0.xx compatibility.
-+ *
-+ * Revision 1.13 1999/12/07 19:53:40 rgb
-+ * Removed unused first argument from extension parsers.
-+ * Changed __u* types to uint* to avoid use of asm/types.h and
-+ * sys/types.h in userspace code.
-+ * Added function prototypes for pfkey message and extensions
-+ * initialisation and cleanup.
-+ *
-+ * Revision 1.12 1999/12/01 22:19:38 rgb
-+ * Change pfkey_sa_build to accept an SPI in network byte order.
-+ *
-+ * Revision 1.11 1999/11/27 11:55:26 rgb
-+ * Added extern sadb_satype2proto to enable moving protocol lookup table
-+ * to lib/pfkey_v2_parse.c.
-+ * Delete unused, moved typedefs.
-+ * Add argument to pfkey_msg_parse() for direction.
-+ * Consolidated the 4 1-d extension bitmap arrays into one 4-d array.
-+ *
-+ * Revision 1.10 1999/11/23 22:29:21 rgb
-+ * This file has been moved in the distribution from klips/net/ipsec to
-+ * lib.
-+ * Add macros for dealing with alignment and rounding up more opaquely.
-+ * The uint<n>_t type defines have been moved to freeswan.h to avoid
-+ * chicken-and-egg problems.
-+ * Add macros for dealing with alignment and rounding up more opaque.
-+ * Added prototypes for using extention header bitmaps.
-+ * Added prototypes of all the build functions.
-+ *
-+ * Revision 1.9 1999/11/20 21:59:48 rgb
-+ * Moved socketlist type declarations and prototypes for shared use.
-+ * Slightly modified scope of sockaddr_key declaration.
-+ *
-+ * Revision 1.8 1999/11/17 14:34:25 rgb
-+ * Protect sa_family_t from being used in userspace with GLIBC<2.
-+ *
-+ * Revision 1.7 1999/10/27 19:40:35 rgb
-+ * Add a maximum PFKEY packet size macro.
-+ *
-+ * Revision 1.6 1999/10/26 16:58:58 rgb
-+ * Created a sockaddr_key and key_opt socket extension structures.
-+ *
-+ * Revision 1.5 1999/06/10 05:24:41 rgb
-+ * Renamed variables to reduce confusion.
-+ *
-+ * Revision 1.4 1999/04/29 15:21:11 rgb
-+ * Add pfkey support to debugging.
-+ * Add return values to init and cleanup functions.
++ * sanitize a string into a printable format.
+ *
-+ * Revision 1.3 1999/04/15 17:58:07 rgb
-+ * Add RCSID labels.
++ * Copyright (C) 1998-2002 D. Hugh Redelmeier.
++ * Copyright (C) 2003 Michael Richardson <mcr@freeswan.org>
++ *
++ * This library is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU Library General Public License as published by
++ * the Free Software Foundation; either version 2 of the License, or (at your
++ * option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
++ *
++ * This library is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
++ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
++ * License for more details.
+ *
++ * RCSID $Id: pfkey_debug.h,v 1.3 2004/04/05 19:55:07 mcr Exp $
+ */
++
++#ifndef _FREESWAN_PFKEY_DEBUG_H
++#define _FREESWAN_PFKEY_DEBUG_H
++
++#ifdef __KERNEL__
++
++/* note, kernel version ignores pfkey levels */
++# define DEBUGGING(level,args...) \
++ KLIPS_PRINT(debug_pfkey, "klips_debug:" args)
++
++# define ERROR(args...) printk(KERN_ERR "klips:" args)
++
++#else
++
++extern unsigned int pfkey_lib_debug;
++
++extern int (*pfkey_debug_func)(const char *message, ...) PRINTF_LIKE(1);
++extern int (*pfkey_error_func)(const char *message, ...) PRINTF_LIKE(1);
++
++#define DEBUGGING(level,args...) if(pfkey_lib_debug & level) { \
++ if(pfkey_debug_func != NULL) { \
++ (*pfkey_debug_func)("pfkey_lib_debug:" args); \
++ } else { \
++ printf("pfkey_lib_debug:" args); \
++ } }
++
++#define ERROR(args...) if(pfkey_error_func != NULL) { \
++ (*pfkey_error_func)("pfkey_lib_debug:" args); \
++ }
++
++# define MALLOC(size) malloc(size)
++# define FREE(obj) free(obj)
++
++#endif
++
++#endif
--- /dev/null Tue Mar 11 13:02:56 2003
-+++ linux/include/pfkeyv2.h Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,472 @@
++++ linux/include/openswan/pfkeyv2.h Mon Feb 9 13:51:03 2004
+@@ -0,0 +1,505 @@
+/*
+ * RCSID $Id: pfkeyv2.h,v 1.31 2005/04/14 01:14:54 mcr Exp $
+ */
+#define SADB_DUMP 10
+#define SADB_X_PROMISC 11
+#define SADB_X_PCHANGE 12
-+#define SADB_X_GRPSA 13
-+#define SADB_X_ADDFLOW 14
-+#define SADB_X_DELFLOW 15
-+#define SADB_X_DEBUG 16
+#define SADB_X_NAT_T_NEW_MAPPING 17
+#define SADB_MAX 17
+
++enum sadb_msg_t {
++ K_SADB_RESERVED=SADB_RESERVED,
++ K_SADB_GETSPI=SADB_GETSPI,
++ K_SADB_UPDATE=SADB_UPDATE,
++ K_SADB_ADD=SADB_ADD,
++ K_SADB_DELETE=SADB_DELETE,
++ K_SADB_GET=SADB_GET,
++ K_SADB_ACQUIRE=SADB_ACQUIRE,
++ K_SADB_REGISTER=SADB_REGISTER,
++ K_SADB_EXPIRE=SADB_EXPIRE,
++ K_SADB_FLUSH=SADB_FLUSH,
++ K_SADB_DUMP=SADB_DUMP,
++ K_SADB_X_PROMISC=SADB_X_PROMISC,
++ K_SADB_X_PCHANGE=SADB_X_PCHANGE,
++ K_SADB_X_GRPSA=13,
++ K_SADB_X_ADDFLOW=14,
++ K_SADB_X_DELFLOW=15,
++ K_SADB_X_DEBUG=16,
++ K_SADB_X_NAT_T_NEW_MAPPING=17,
++ K_SADB_X_PLUMBIF=18,
++ K_SADB_X_UNPLUMBIF=19,
++ K_SADB_MAX=19
++};
++
++#define SADB_X_GRPSA K_SADB_X_GRPSA
++#define SADB_X_ADDFLOW K_SADB_X_ADDFLOW
++#define SADB_X_DELFLOW K_SADB_X_DELFLOW
++#define SADB_X_DEBUG K_SADB_X_DEBUG
++#define SADB_X_PLUMBIF K_SADB_X_PLUMBIF
++#define SADB_X_UNPLUMBIF K_SADB_X_UNPLUMBIF
++
++
+struct sadb_msg {
+ uint8_t sadb_msg_version;
+ uint8_t sadb_msg_type;
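Review bot: `K_SADB_MAX=19` in the new `enum sadb_msg_t` now disagrees with the retained `#define SADB_MAX 17` a few lines above it, so any table sized `[SADB_MAX+1]` and indexed by `sadb_msg_type` is read or written out of bounds for `K_SADB_X_PLUMBIF` (18) and `K_SADB_X_UNPLUMBIF` (19) unless every such table has been resized to `K_SADB_MAX`. The parser tables are not in this hunk, so this is inferred from the two constants alone. Either keep the two limits in step or document the split next to the define, e.g. `/* SADB_MAX is the kernel's limit; size KLIPS dispatch tables with K_SADB_MAX */`. The same old/new split occurs for `SADB_EXT_MAX` (30) versus `K_SADB_EXT_MAX` (31) in the extension-type hunk below.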
+};
+
+/*
++ * a plumbif extension can appear in
++ * - a plumbif message to create the interface.
++ * - a unplumbif message to delete the interface.
++ * - a sadb add/replace to indicate which interface
++ * a decrypted packet should emerge on.
++ *
++ * the create/delete part could/should be replaced with netlink equivalents,
++ * or better yet, FORCES versions of same.
++ *
++ */
++struct sadb_x_plumbif {
++ uint16_t sadb_x_outif_len;
++ uint16_t sadb_x_outif_exttype;
++ uint16_t sadb_x_outif_ifnum;
++} __attribute__((packed));
++
++/*
++ * the ifnum describes a device that you wish to create refer to.
++ *
++ * devices 0-40959 are mastXXX devices.
++ * devices 40960-49141 are mastXXX devices with transport set.
++ * devices 49152-65536 are deprecated ipsecXXX devices.
++ */
++#define IPSECDEV_OFFSET (48*1024)
++#define MASTTRANSPORT_OFFSET (40*1024)
++
++/*
+ * A protocol structure for passing through the transport level
+ * protocol. It contains more fields than are actually used/needed
+ * but it is this way to be compatible with the structure used in
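Review bot: The range comment above `IPSECDEV_OFFSET` does not match the constants it describes: `MASTTRANSPORT_OFFSET` is 40*1024 = 40960 and `IPSECDEV_OFFSET` is 48*1024 = 49152, so the transport range ends at 49151 (not 49141), and a `uint16_t` ifnum tops out at 65535 (not 65536). `struct sadb_x_plumbif` is also `__attribute__((packed))` with three `uint16_t` fields, i.e. 6 bytes, while PF_KEY extension lengths are counted in 64-bit units; the builder and parser will need a 2-byte pad (e.g. `uint16_t sadb_x_outif_pad;`) or an explicit note that the extension is always rounded up, otherwise `sadb_x_outif_len` cannot describe it exactly. The `sadb_x_outif_` field prefix differs from the struct name `sadb_x_plumbif`, and `you wish to create refer to` reads as two phrases merged; `you wish to create or refer to` is presumably intended.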
+#define SADB_EXT_SUPPORTED_ENCRYPT 15
+#define SADB_EXT_SPIRANGE 16
+#define SADB_X_EXT_KMPRIVATE 17
-+#define SADB_X_EXT_SATYPE2 18
-+#ifdef KERNEL26_HAS_KAME_DUPLICATES
+#define SADB_X_EXT_POLICY 18
-+#endif
+#define SADB_X_EXT_SA2 19
-+#define SADB_X_EXT_ADDRESS_DST2 20
-+#define SADB_X_EXT_ADDRESS_SRC_FLOW 21
-+#define SADB_X_EXT_ADDRESS_DST_FLOW 22
-+#define SADB_X_EXT_ADDRESS_SRC_MASK 23
-+#define SADB_X_EXT_ADDRESS_DST_MASK 24
-+#define SADB_X_EXT_DEBUG 25
-+#define SADB_X_EXT_PROTOCOL 26
+#define SADB_X_EXT_NAT_T_TYPE 27
+#define SADB_X_EXT_NAT_T_SPORT 28
+#define SADB_X_EXT_NAT_T_DPORT 29
+#define SADB_X_EXT_NAT_T_OA 30
+#define SADB_EXT_MAX 30
+
-+/* SADB_X_DELFLOW required over and above SADB_X_SAFLAGS_CLEARFLOW */
-+#define SADB_X_EXT_ADDRESS_DELFLOW \
-+ ( (1<<SADB_X_EXT_ADDRESS_SRC_FLOW) \
-+ | (1<<SADB_X_EXT_ADDRESS_DST_FLOW) \
-+ | (1<<SADB_X_EXT_ADDRESS_SRC_MASK) \
-+ | (1<<SADB_X_EXT_ADDRESS_DST_MASK))
++/*
++ * NOTE that there is a limit of 31 extensions due to current implementation
++ * in pfkeyv2_ext_bits.c
++ */
++enum sadb_extension_t {
++ K_SADB_EXT_RESERVED=SADB_RESERVED,
++ K_SADB_EXT_SA= SADB_EXT_SA,
++ K_SADB_EXT_LIFETIME_CURRENT=SADB_EXT_LIFETIME_CURRENT,
++ K_SADB_EXT_LIFETIME_HARD= SADB_EXT_LIFETIME_HARD,
++ K_SADB_EXT_LIFETIME_SOFT= SADB_EXT_LIFETIME_SOFT,
++ K_SADB_EXT_ADDRESS_SRC= SADB_EXT_ADDRESS_SRC,
++ K_SADB_EXT_ADDRESS_DST= SADB_EXT_ADDRESS_DST,
++ K_SADB_EXT_ADDRESS_PROXY= SADB_EXT_ADDRESS_PROXY,
++ K_SADB_EXT_KEY_AUTH= SADB_EXT_KEY_AUTH,
++ K_SADB_EXT_KEY_ENCRYPT= SADB_EXT_KEY_ENCRYPT,
++ K_SADB_EXT_IDENTITY_SRC= SADB_EXT_IDENTITY_SRC,
++ K_SADB_EXT_IDENTITY_DST= SADB_EXT_IDENTITY_DST,
++ K_SADB_EXT_SENSITIVITY= SADB_EXT_SENSITIVITY,
++ K_SADB_EXT_PROPOSAL= SADB_EXT_PROPOSAL,
++ K_SADB_EXT_SUPPORTED_AUTH= SADB_EXT_SUPPORTED_AUTH,
++ K_SADB_EXT_SUPPORTED_ENCRYPT=SADB_EXT_SUPPORTED_ENCRYPT,
++ K_SADB_EXT_SPIRANGE= SADB_EXT_SPIRANGE,
++ K_SADB_X_EXT_KMPRIVATE= SADB_X_EXT_KMPRIVATE,
++ K_SADB_X_EXT_SATYPE2= 18,
++ K_SADB_X_EXT_POLICY= SADB_X_EXT_POLICY,
++ K_SADB_X_EXT_SA2= SADB_X_EXT_SA2,
++ K_SADB_X_EXT_ADDRESS_DST2= 20,
++ K_SADB_X_EXT_ADDRESS_SRC_FLOW=21,
++ K_SADB_X_EXT_ADDRESS_DST_FLOW=22,
++ K_SADB_X_EXT_ADDRESS_SRC_MASK=23,
++ K_SADB_X_EXT_ADDRESS_DST_MASK=24,
++ K_SADB_X_EXT_DEBUG= 25,
++ K_SADB_X_EXT_PROTOCOL= 26,
++ K_SADB_X_EXT_NAT_T_TYPE= 27,
++ K_SADB_X_EXT_NAT_T_SPORT= 28,
++ K_SADB_X_EXT_NAT_T_DPORT= 29,
++ K_SADB_X_EXT_NAT_T_OA= 30,
++ K_SADB_X_EXT_PLUMBIF= 31,
++ K_SADB_EXT_MAX= 31,
++};
++
++
++#define SADB_X_EXT_SATYPE2 K_SADB_X_EXT_SATYPE2
++#define SADB_X_EXT_ADDRESS_DST2 K_SADB_X_EXT_ADDRESS_DST2
++#define SADB_X_EXT_ADDRESS_SRC_FLOW K_SADB_X_EXT_ADDRESS_SRC_FLOW
++#define SADB_X_EXT_ADDRESS_DST_FLOW K_SADB_X_EXT_ADDRESS_DST_FLOW
++#define SADB_X_EXT_ADDRESS_SRC_MASK K_SADB_X_EXT_ADDRESS_SRC_MASK
++#define SADB_X_EXT_ADDRESS_DST_MASK K_SADB_X_EXT_ADDRESS_DST_MASK
++#define SADB_X_EXT_DEBUG K_SADB_X_EXT_DEBUG
++#define SADB_X_EXT_PROTOCOL K_SADB_X_EXT_PROTOCOL
++#define SADB_X_EXT_PLUMBIF K_SADB_X_EXT_PLUMBIF
++
++
++
++/* K_SADB_X_DELFLOW required over and above K_SADB_X_SAFLAGS_CLEARFLOW */
++#define K_SADB_X_EXT_ADDRESS_DELFLOW \
++ ( (1<<K_SADB_X_EXT_ADDRESS_SRC_FLOW) \
++ | (1<<K_SADB_X_EXT_ADDRESS_DST_FLOW) \
++ | (1<<K_SADB_X_EXT_ADDRESS_SRC_MASK) \
++ | (1<<K_SADB_X_EXT_ADDRESS_DST_MASK))
+
+#define SADB_SATYPE_UNSPEC 0
+#define SADB_SATYPE_AH 2
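Review bot: Dropping the `#ifdef KERNEL26_HAS_KAME_DUPLICATES` guard leaves two extension types sharing value 18 unconditionally — `K_SADB_X_EXT_SATYPE2= 18` and `K_SADB_X_EXT_POLICY= SADB_X_EXT_POLICY` (18 in the retained define) — and `#define SADB_X_EXT_SATYPE2 K_SADB_X_EXT_SATYPE2` makes both names resolve to the same number. A parser dispatching on the extension type cannot distinguish a KAME policy extension from an openswan SATYPE2 extension, so a message carrying one is processed as the other; at minimum a comment such as `/* 18 collides with KAME SADB_X_EXT_POLICY; disambiguated by caller, not by type */` belongs here. Separately, `K_SADB_X_EXT_PLUMBIF= 31` is the sign bit of a 32-bit `int`: the bitmap macro in this hunk uses plain `1<<`, and `1<<31` on `int` is undefined in C, so the ext-bits code should form the new bit as `1U<<K_SADB_X_EXT_PLUMBIF`. The retained `#define SADB_EXT_MAX 30` now also disagrees with `K_SADB_EXT_MAX= 31`.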
+#define SADB_X_SATYPE_INT 11
+#define SADB_SATYPE_MAX 11
+
++enum sadb_satype {
++ K_SADB_SATYPE_UNSPEC=SADB_SATYPE_UNSPEC,
++ K_SADB_SATYPE_AH=SADB_SATYPE_AH,
++ K_SADB_SATYPE_ESP=SADB_SATYPE_ESP,
++ K_SADB_SATYPE_RSVP=SADB_SATYPE_RSVP,
++ K_SADB_SATYPE_OSPFV2=SADB_SATYPE_OSPFV2,
++ K_SADB_SATYPE_RIPV2=SADB_SATYPE_RIPV2,
++ K_SADB_SATYPE_MIP=SADB_SATYPE_MIP,
++ K_SADB_X_SATYPE_IPIP=9,
++ K_SADB_X_SATYPE_COMP=10,
++ K_SADB_X_SATYPE_INT=11
++};
++#define K_SADB_SATYPE_MAX 11
++
+enum sadb_sastate {
-+ SADB_SASTATE_LARVAL=0,
-+ SADB_SASTATE_MATURE=1,
-+ SADB_SASTATE_DYING=2,
-+ SADB_SASTATE_DEAD=3
++ K_SADB_SASTATE_LARVAL=0,
++ K_SADB_SASTATE_MATURE=1,
++ K_SADB_SASTATE_DYING=2,
++ K_SADB_SASTATE_DEAD=3
+};
-+#define SADB_SASTATE_MAX 3
++#define K_SADB_SASTATE_MAX 3
+
+#define SADB_SAFLAGS_PFS 1
+#define SADB_X_SAFLAGS_REPLACEFLOW 2
+#define SADB_X_AALG_RIPEMD160HMAC 8
+#define SADB_X_AALG_NULL 251 /* kame */
+#define SADB_AALG_MAX 251
++enum sadb_aalg {
++ K_SADB_AALG_NONE= SADB_AALG_NONE,
++ K_SADB_AALG_MD5HMAC= SADB_AALG_MD5HMAC,
++ K_SADB_AALG_SHA1HMAC= SADB_AALG_SHA1HMAC,
++ K_SADB_X_AALG_SHA2_256HMAC=SADB_X_AALG_SHA2_256HMAC,
++ K_SADB_X_AALG_SHA2_384HMAC=SADB_X_AALG_SHA2_384HMAC,
++ K_SADB_X_AALG_SHA2_512HMAC=SADB_X_AALG_SHA2_512HMAC,
++ K_SADB_X_AALG_RIPEMD160HMAC=SADB_X_AALG_RIPEMD160HMAC,
++};
++#define K_SADB_AALG_MAX 251
+
+#define SADB_EALG_NONE 0
+#define SADB_EALG_DESCBC 2
+#define SADB_X_EALG_AESCBC 12
+#define SADB_EALG_MAX 255
+
++enum sadb_ealg {
++ K_SADB_EALG_NONE=SADB_EALG_NONE,
++ K_SADB_EALG_DESCBC=SADB_EALG_DESCBC,
++ K_SADB_EALG_3DESCBC=SADB_EALG_3DESCBC,
++ K_SADB_X_EALG_CASTCBC=SADB_X_EALG_CASTCBC,
++ K_SADB_X_EALG_BLOWFISHCBC=SADB_X_EALG_BLOWFISHCBC,
++ K_SADB_EALG_NULL=SADB_EALG_NULL,
++ K_SADB_X_EALG_AESCBC=SADB_X_EALG_AESCBC
++};
++
++#define K_SADB_EALG_MAX 255
++
+#define SADB_X_CALG_NONE 0
+#define SADB_X_CALG_OUI 1
+#define SADB_X_CALG_DEFLATE 2
+#define SADB_X_CALG_LZS 3
-+#define SADB_X_CALG_V42BIS 4
-+#ifdef KERNEL26_HAS_KAME_DUPLICATES
+#define SADB_X_CALG_LZJH 4
-+#endif
+#define SADB_X_CALG_MAX 4
+
-+#define SADB_X_TALG_NONE 0
-+#define SADB_X_TALG_IPv4_in_IPv4 1
-+#define SADB_X_TALG_IPv6_in_IPv4 2
-+#define SADB_X_TALG_IPv4_in_IPv6 3
-+#define SADB_X_TALG_IPv6_in_IPv6 4
-+#define SADB_X_TALG_MAX 4
++enum sadb_talg {
++ K_SADB_X_TALG_NONE=0,
++ K_SADB_X_TALG_IPv4_in_IPv4=1,
++ K_SADB_X_TALG_IPv6_in_IPv4=2,
++ K_SADB_X_TALG_IPv4_in_IPv6=3,
++ K_SADB_X_TALG_IPv6_in_IPv6=4,
++};
++#define SADB_X_TALG_MAX 4
+
+
+#define SADB_IDENTTYPE_RESERVED 0
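Review bot: `enum sadb_aalg` omits the NULL authentication algorithm that the define list just above it still carries (`#define SADB_X_AALG_NULL 251 /* kame */`), yet `K_SADB_AALG_MAX` is set to 251, so the limit names a value with no enumerator. Adding `K_SADB_X_AALG_NULL=SADB_X_AALG_NULL,` keeps the enum and its limit consistent. The MAX constants are also handled inconsistently within this hunk: `K_SADB_AALG_MAX` and `K_SADB_EALG_MAX` are `K_`-prefixed defines, `enum sadb_talg` keeps the unprefixed `#define SADB_X_TALG_MAX 4`, and the message and extension enums put the limit inside the enum; one convention would make the limits easier to audit against the tables they size.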
+#define SADB_KEY_FLAGS_MAX 0
+#endif /* __PFKEY_V2_H */
+
+--- /dev/null Tue Mar 11 13:02:56 2003
++++ linux/include/openswan/radij.h Mon Feb 9 13:51:03 2004
+@@ -0,0 +1,280 @@
+/*
-+ * $Log: pfkeyv2.h,v $
-+ * Revision 1.31 2005/04/14 01:14:54 mcr
-+ * change sadb_state to an enum.
-+ *
-+ * Revision 1.30 2004/04/06 02:49:00 mcr
-+ * pullup of algo code from alg-branch.
-+ *
-+ * Revision 1.29 2003/12/22 21:35:58 mcr
-+ * new patches from Dr{Who}.
-+ *
-+ * Revision 1.28 2003/12/22 19:33:15 mcr
-+ * added 0.6c NAT-T patch.
++ * RCSID $Id: radij.h,v 1.13 2004/04/05 19:55:08 mcr Exp $
++ */
++
++/*
++ * This file is defived from ${SRC}/sys/net/radix.h of BSD 4.4lite
+ *
-+ * Revision 1.27 2003/12/10 01:20:01 mcr
-+ * NAT-traversal patches to KLIPS.
++ * Variable and procedure names have been modified so that they don't
++ * conflict with the original BSD code, as a small number of modifications
++ * have been introduced and we may want to reuse this code in BSD.
++ *
++ * The `j' in `radij' is pronounced as a voiceless guttural (like a Greek
++ * chi or a German ch sound (as `doch', not as in `milch'), or even a
++ * spanish j as in Juan. It is not as far back in the throat like
++ * the corresponding Hebrew sound, nor is it a soft breath like the English h.
++ * It has nothing to do with the Dutch ij sound.
++ *
++ * Here is the appropriate copyright notice:
++ */
++
++/*
++ * Copyright (c) 1988, 1989, 1993
++ * The Regents of the University of California. All rights reserved.
+ *
-+ * Revision 1.26 2003/10/31 02:26:44 mcr
-+ * pulled up port-selector patches.
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. All advertising materials mentioning features or use of this software
++ * must display the following acknowledgement:
++ * This product includes software developed by the University of
++ * California, Berkeley and its contributors.
++ * 4. Neither the name of the University nor the names of its contributors
++ * may be used to endorse or promote products derived from this software
++ * without specific prior written permission.
+ *
-+ * Revision 1.25.4.1 2003/09/21 13:59:34 mcr
-+ * pre-liminary X.509 patch - does not yet pass tests.
++ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
+ *
-+ * Revision 1.25 2003/07/31 23:59:17 mcr
-+ * re-introduce kernel 2.6 duplicate values for now.
-+ * hope to get them changed!
++ * @(#)radix.h 8.1 (Berkeley) 6/10/93
++ */
++
++#ifndef _RADIJ_H_
++#define _RADIJ_H_
++
++/*
++#define RJ_DEBUG
++*/
++
++#ifdef __KERNEL__
++
++#ifndef __P
++#ifdef __STDC__
++#define __P(x) x
++#else
++#define __P(x) ()
++#endif
++#endif
++
++/*
++ * Radix search tree node layout.
++ */
++
++struct radij_node
++{
++ struct radij_mask *rj_mklist; /* list of masks contained in subtree */
++ struct radij_node *rj_p; /* parent */
++ short rj_b; /* bit offset; -1-index(netmask) */
++ char rj_bmask; /* node: mask for bit test*/
++ u_char rj_flags; /* enumerated next */
++#define RJF_NORMAL 1 /* leaf contains normal route */
++#define RJF_ROOT 2 /* leaf is root leaf for tree */
++#define RJF_ACTIVE 4 /* This node is alive (for rtfree) */
++ union {
++ struct { /* leaf only data: */
++ caddr_t rj_Key; /* object of search */
++ caddr_t rj_Mask; /* netmask, if present */
++ struct radij_node *rj_Dupedkey;
++ } rj_leaf;
++ struct { /* node only data: */
++ int rj_Off; /* where to start compare */
++ struct radij_node *rj_L;/* progeny */
++ struct radij_node *rj_R;/* progeny */
++ }rj_node;
++ } rj_u;
++#ifdef RJ_DEBUG
++ int rj_info;
++ struct radij_node *rj_twin;
++ struct radij_node *rj_ybro;
++#endif
++};
++
++#define rj_dupedkey rj_u.rj_leaf.rj_Dupedkey
++#define rj_key rj_u.rj_leaf.rj_Key
++#define rj_mask rj_u.rj_leaf.rj_Mask
++#define rj_off rj_u.rj_node.rj_Off
++#define rj_l rj_u.rj_node.rj_L
++#define rj_r rj_u.rj_node.rj_R
++
++/*
++ * Annotations to tree concerning potential routes applying to subtrees.
++ */
++
++extern struct radij_mask {
++ short rm_b; /* bit offset; -1-index(netmask) */
++ char rm_unused; /* cf. rj_bmask */
++ u_char rm_flags; /* cf. rj_flags */
++ struct radij_mask *rm_mklist; /* more masks to try */
++ caddr_t rm_mask; /* the mask */
++ int rm_refs; /* # of references to this struct */
++} *rj_mkfreelist;
++
++#define MKGet(m) {\
++ if (rj_mkfreelist) {\
++ m = rj_mkfreelist; \
++ rj_mkfreelist = (m)->rm_mklist; \
++ } else \
++ R_Malloc(m, struct radij_mask *, sizeof (*(m))); }\
++
++#define MKFree(m) { (m)->rm_mklist = rj_mkfreelist; rj_mkfreelist = (m);}
++
++struct radij_node_head {
++ struct radij_node *rnh_treetop;
++ int rnh_addrsize; /* permit, but not require fixed keys */
++ int rnh_pktsize; /* permit, but not require fixed keys */
++#if 0
++ struct radij_node *(*rnh_addaddr) /* add based on sockaddr */
++ __P((void *v, void *mask,
++ struct radij_node_head *head, struct radij_node nodes[]));
++#endif
++ int (*rnh_addaddr) /* add based on sockaddr */
++ __P((void *v, void *mask,
++ struct radij_node_head *head, struct radij_node nodes[]));
++ struct radij_node *(*rnh_addpkt) /* add based on packet hdr */
++ __P((void *v, void *mask,
++ struct radij_node_head *head, struct radij_node nodes[]));
++#if 0
++ struct radij_node *(*rnh_deladdr) /* remove based on sockaddr */
++ __P((void *v, void *mask, struct radij_node_head *head));
++#endif
++ int (*rnh_deladdr) /* remove based on sockaddr */
++ __P((void *v, void *mask, struct radij_node_head *head, struct radij_node **node));
++ struct radij_node *(*rnh_delpkt) /* remove based on packet hdr */
++ __P((void *v, void *mask, struct radij_node_head *head));
++ struct radij_node *(*rnh_matchaddr) /* locate based on sockaddr */
++ __P((void *v, struct radij_node_head *head));
++ struct radij_node *(*rnh_matchpkt) /* locate based on packet hdr */
++ __P((void *v, struct radij_node_head *head));
++ int (*rnh_walktree) /* traverse tree */
++ __P((struct radij_node_head *head, int (*f)(struct radij_node *rn, void *w), void *w));
++ struct radij_node rnh_nodes[3]; /* empty tree for common case */
++};
++
++
++#define Bcmp(a, b, n) memcmp(((caddr_t)(b)), ((caddr_t)(a)), (unsigned)(n))
++#define Bcopy(a, b, n) memmove(((caddr_t)(b)), ((caddr_t)(a)), (unsigned)(n))
++#define Bzero(p, n) memset((caddr_t)(p), 0, (unsigned)(n))
++#define R_Malloc(p, t, n) ((p = (t) kmalloc((size_t)(n), GFP_ATOMIC)), Bzero((p),(n)))
++#define Free(p) kfree((caddr_t)p);
++
++void rj_init __P((void));
++int rj_inithead __P((void **, int));
++int rj_refines __P((void *, void *));
++int rj_walktree __P((struct radij_node_head *head, int (*f)(struct radij_node *rn, void *w), void *w));
++struct radij_node
++ *rj_addmask __P((void *, int, int)) /* , rgb */ ;
++int /* * */ rj_addroute __P((void *, void *, struct radij_node_head *,
++ struct radij_node [2])) /* , rgb */ ;
++int /* * */ rj_delete __P((void *, void *, struct radij_node_head *, struct radij_node **)) /* , rgb */ ;
++struct radij_node /* rgb */
++ *rj_insert __P((void *, struct radij_node_head *, int *,
++ struct radij_node [2])),
++ *rj_match __P((void *, struct radij_node_head *)),
++ *rj_newpair __P((void *, int, struct radij_node[2])),
++ *rj_search __P((void *, struct radij_node *)),
++ *rj_search_m __P((void *, struct radij_node *, void *));
++
++void rj_deltree(struct radij_node_head *);
++void rj_delnodes(struct radij_node *);
++void rj_free_mkfreelist(void);
++int radijcleartree(void);
++int radijcleanup(void);
++
++extern struct radij_node_head *mask_rjhead;
++extern int maj_keylen;
++#endif /* __KERNEL__ */
++
++#endif /* _RADIJ_H_ */
++
++
++/*
++ * $Log: radij.h,v $
++ * Revision 1.13 2004/04/05 19:55:08 mcr
++ * Moved from linux/include/freeswan/radij.h,v
+ *
-+ * Revision 1.24 2003/07/31 22:55:27 mcr
-+ * added some definitions to keep pfkeyv2.h files in sync.
++ * Revision 1.12 2002/04/24 07:36:48 mcr
++ * Moved from ./klips/net/ipsec/radij.h,v
+ *
-+ * Revision 1.23 2003/05/11 00:43:48 mcr
-+ * added comment about origin of values used
++ * Revision 1.11 2001/09/20 15:33:00 rgb
++ * Min/max cleanup.
+ *
-+ * Revision 1.22 2003/01/30 02:31:34 rgb
++ * Revision 1.10 1999/11/18 04:09:20 rgb
++ * Replaced all kernel version macros to shorter, readable form.
+ *
-+ * Convert IPsecSAref_t from signed to unsigned to fix apparent SAref exhaustion bug.
++ * Revision 1.9 1999/05/05 22:02:33 rgb
++ * Add a quick and dirty port to 2.2 kernels by Marc Boucher <marc@mbsi.ca>.
+ *
-+ * Revision 1.21 2002/12/16 19:26:49 mcr
-+ * added definition of FS 1.xx sadb structure
++ * Revision 1.8 1999/04/29 15:24:58 rgb
++ * Add check for existence of macros min/max.
+ *
-+ * Revision 1.20 2002/09/20 15:40:25 rgb
-+ * Added sadb_x_sa_ref to struct sadb_sa.
++ * Revision 1.7 1999/04/11 00:29:02 henry
++ * GPL boilerplate
+ *
-+ * Revision 1.19 2002/04/24 07:36:49 mcr
-+ * Moved from ./lib/pfkeyv2.h,v
++ * Revision 1.6 1999/04/06 04:54:29 rgb
++ * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
++ * patch shell fixes.
+ *
-+ * Revision 1.18 2001/11/06 19:47:47 rgb
-+ * Added packet parameter to lifetime and comb structures.
++ * Revision 1.5 1999/01/22 06:30:32 rgb
++ * 64-bit clean-up.
+ *
-+ * Revision 1.17 2001/09/08 21:13:35 rgb
-+ * Added pfkey ident extension support for ISAKMPd. (NetCelo)
++ * Revision 1.4 1998/11/30 13:22:55 rgb
++ * Rationalised all the klips kernel file headers. They are much shorter
++ * now and won't conflict under RH5.2.
+ *
-+ * Revision 1.16 2001/07/06 19:49:46 rgb
-+ * Added SADB_X_SAFLAGS_INFLOW for supporting incoming policy checks.
++ * Revision 1.3 1998/10/25 02:43:27 rgb
++ * Change return type on rj_addroute and rj_delete and add and argument
++ * to the latter to be able to transmit more infomation about errors.
+ *
-+ * Revision 1.15 2001/02/26 20:00:43 rgb
-+ * Added internal IP protocol 61 for magic SAs.
++ * Revision 1.2 1998/07/14 18:09:51 rgb
++ * Add a routine to clear eroute table.
++ * Added #ifdef __KERNEL__ directives to restrict scope of header.
+ *
-+ * Revision 1.14 2001/02/08 18:51:05 rgb
-+ * Include RFC document title and appendix subsection title.
++ * Revision 1.1 1998/06/18 21:30:22 henry
++ * move sources from klips/src to klips/net/ipsec to keep stupid kernel
++ * build scripts happier about symlinks
+ *
-+ * Revision 1.13 2000/10/10 20:10:20 rgb
-+ * Added support for debug_ipcomp and debug_verbose to klipsdebug.
++ * Revision 1.4 1998/05/25 20:34:16 rgb
++ * Remove temporary ipsec_walk, rj_deltree and rj_delnodes functions.
+ *
-+ * Revision 1.12 2000/09/15 06:41:50 rgb
-+ * Added V42BIS constant.
++ * Rename ipsec_rj_walker (ipsec_walk) to ipsec_rj_walker_procprint and
++ * add ipsec_rj_walker_delete.
+ *
-+ * Revision 1.11 2000/09/12 22:35:37 rgb
-+ * Restructured to remove unused extensions from CLEARFLOW messages.
++ * Recover memory for eroute table on unload of module.
+ *
-+ * Revision 1.10 2000/09/12 18:50:09 rgb
-+ * Added IPIP tunnel types as algo support.
++ * Revision 1.3 1998/04/22 16:51:37 rgb
++ * Tidy up radij debug code from recent rash of modifications to debug code.
+ *
-+ * Revision 1.9 2000/08/21 16:47:19 rgb
-+ * Added SADB_X_CALG_* macros for IPCOMP.
++ * Revision 1.2 1998/04/14 17:30:38 rgb
++ * Fix up compiling errors for radij tree memory reclamation.
+ *
-+ * Revision 1.8 2000/08/09 20:43:34 rgb
-+ * Fixed bitmask value for SADB_X_SAFLAGS_CLEAREROUTE.
++ * Revision 1.1 1998/04/09 03:06:16 henry
++ * sources moved up from linux/net/ipsec
+ *
-+ * Revision 1.7 2000/01/21 06:28:37 rgb
-+ * Added flow add/delete message type macros.
-+ * Added flow address extension type macros.
-+ * Tidied up spacing.
-+ * Added klipsdebug switching capability.
++ * Revision 1.1.1.1 1998/04/08 05:35:04 henry
++ * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
+ *
-+ * Revision 1.6 1999/11/27 11:56:08 rgb
-+ * Add SADB_X_SATYPE_COMP for compression, eventually.
++ * Revision 0.4 1997/01/15 01:28:15 ji
++ * No changes.
+ *
-+ * Revision 1.5 1999/11/23 22:23:16 rgb
-+ * This file has been moved in the distribution from klips/net/ipsec to
-+ * lib.
++ * Revision 0.3 1996/11/20 14:44:45 ji
++ * Release update only.
+ *
-+ * Revision 1.4 1999/04/29 15:23:29 rgb
-+ * Add GRPSA support.
-+ * Add support for a second SATYPE, SA and DST_ADDRESS.
-+ * Add IPPROTO_IPIP support.
++ * Revision 0.2 1996/11/02 00:18:33 ji
++ * First limited release.
+ *
-+ * Revision 1.3 1999/04/15 17:58:08 rgb
-+ * Add RCSID labels.
+ *
+ */
--- /dev/null Tue Mar 11 13:02:56 2003
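Review bot: `R_Malloc` passes the result of `kmalloc((size_t)(n), GFP_ATOMIC)` straight to `Bzero` without a NULL check, and `MKGet` then dereferences it, so an atomic allocation failure becomes a kernel NULL dereference in the radix-tree code. The file is recorded as moved (`Moved from linux/include/freeswan/radij.h`), so the defect is inherited rather than introduced here, but it is the code on the new side. `#define Free(p) kfree((caddr_t)p);` also carries a trailing semicolon and leaves `p` unparenthesised, which breaks `if (x) Free(p); else ...` and any non-trivial argument; `#define Free(p) kfree((caddr_t)(p))` is the conventional form.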
+#define TRY_FREE(s, p) {if (p) ZFREE(s, p);}
+
+#endif /* _Z_UTIL_H */
---- /dev/null Tue Mar 11 13:02:56 2003
-+++ linux/lib/libfreeswan/Makefile.objs Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,21 @@
-+obj-y += satot.o
-+obj-y += addrtot.o
-+obj-y += ultot.o
-+obj-y += addrtypeof.o
-+obj-y += anyaddr.o
-+obj-y += initaddr.o
-+obj-y += ultoa.o
-+obj-y += addrtoa.o
-+obj-y += subnettoa.o
-+obj-y += subnetof.o
-+obj-y += goodmask.o
-+obj-y += datatot.o
-+obj-y += rangetoa.o
-+obj-y += prng.o
-+obj-y += pfkey_v2_parse.o
-+obj-y += pfkey_v2_build.o
-+obj-y += pfkey_v2_debug.o
-+obj-y += pfkey_v2_ext_bits.o
-+
-+#version.c: ${LIBFREESWANDIR}/version.in.c ${OPENSWANSRCDIR}/Makefile.ver
-+# sed '/"/s/xxx/$(IPSECVERSION)/' ${LIBFREESWANDIR}/version.in.c >$@
---- /dev/null Tue Mar 11 13:02:56 2003
-+++ linux/lib/zlib/Makefile Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,118 @@
-+# (kernel) Makefile for IPCOMP zlib deflate code
-+# Copyright (C) 1998, 1999, 2000, 2001 Richard Guy Briggs.
-+# Copyright (C) 2000 Svenning Soerensen
-+#
-+# This program is free software; you can redistribute it and/or modify it
-+# under the terms of the GNU General Public License as published by the
-+# Free Software Foundation; either version 2 of the License, or (at your
-+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-+#
-+# This program is distributed in the hope that it will be useful, but
-+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+# for more details.
-+#
-+# RCSID $Id: Makefile,v 1.9 2002/04/24 07:55:32 mcr Exp $
-+#
-+
-+
-+
-+include ../Makefile.inc
-+
-+
-+
-+ifndef TOPDIR
-+TOPDIR := /usr/src/linux
-+endif
-+
-+
-+L_TARGET := zlib.a
-+
-+obj-y :=
-+
-+include Makefile.objs
-+
-+EXTRA_CFLAGS += $(KLIPSCOMPILE)
-+
-+EXTRA_CFLAGS += -Wall
-+#EXTRA_CFLAGS += -Wconversion
-+#EXTRA_CFLAGS += -Wmissing-prototypes
-+EXTRA_CFLAGS += -Wpointer-arith
-+#EXTRA_CFLAGS += -Wcast-qual
-+#EXTRA_CFLAGS += -Wmissing-declarations
-+EXTRA_CFLAGS += -Wstrict-prototypes
-+#EXTRA_CFLAGS += -pedantic
-+#EXTRA_CFLAGS += -W
-+#EXTRA_CFLAGS += -Wwrite-strings
-+EXTRA_CFLAGS += -Wbad-function-cast
-+EXTRA_CFLAGS += -DIPCOMP_PREFIX
-+
-+.S.o:
-+ $(CC) -D__ASSEMBLY__ -DNO_UNDERLINE -traditional -c $< -o $*.o
-+
-+asm-obj-$(CONFIG_M586) += match586.o
-+asm-obj-$(CONFIG_M586TSC) += match586.o
-+asm-obj-$(CONFIG_M586MMX) += match586.o
-+asm-obj-$(CONFIG_M686) += match686.o
-+asm-obj-$(CONFIG_MPENTIUMIII) += match686.o
-+asm-obj-$(CONFIG_MPENTIUM4) += match686.o
-+asm-obj-$(CONFIG_MK6) += match586.o
-+asm-obj-$(CONFIG_MK7) += match686.o
-+asm-obj-$(CONFIG_MCRUSOE) += match586.o
-+asm-obj-$(CONFIG_MWINCHIPC6) += match586.o
-+asm-obj-$(CONFIG_MWINCHIP2) += match686.o
-+asm-obj-$(CONFIG_MWINCHIP3D) += match686.o
-+
-+obj-y += $(asm-obj-y)
-+ifneq ($(strip $(asm-obj-y)),)
-+ EXTRA_CFLAGS += -DASMV
-+endif
-+
-+active-objs := $(sort $(obj-y) $(obj-m))
-+L_OBJS := $(obj-y)
-+M_OBJS := $(obj-m)
-+MIX_OBJS := $(filter $(export-objs), $(active-objs))
-+
-+include $(TOPDIR)/Rules.make
-+
-+$(obj-y) : $(TOPDIR)/include/linux/config.h $(TOPDIR)/include/linux/autoconf.h
-+
-+
-+clean:
-+ -rm -f *.o *.a
-+
-+checkprograms:
-+programs: $(L_TARGET)
-+
-+#
-+# $Log: Makefile,v $
-+# Revision 1.9 2002/04/24 07:55:32 mcr
-+# #include patches and Makefiles for post-reorg compilation.
-+#
-+# Revision 1.8 2002/04/24 07:36:44 mcr
-+# Moved from ./zlib/Makefile,v
-+#
-+# Revision 1.7 2002/03/27 23:34:35 mcr
-+# added programs: target
-+#
-+# Revision 1.6 2001/12/05 20:19:08 henry
-+# use new compile-control variable
-+#
-+# Revision 1.5 2001/11/27 16:38:08 mcr
-+# added new "checkprograms" target to deal with programs that
-+# are required for "make check", but that may not be ready to
-+# build for every user due to external dependancies.
-+#
-+# Revision 1.4 2001/10/24 14:46:24 henry
-+# Makefile.inc
-+#
-+# Revision 1.3 2001/04/21 23:05:24 rgb
-+# Update asm directives for 2.4 style makefiles.
-+#
-+# Revision 1.2 2001/01/29 22:22:00 rgb
-+# Convert to 2.4 new style with back compat.
-+#
-+# Revision 1.1.1.1 2000/09/29 18:51:33 rgb
-+# zlib_beginnings
-+#
-+#
---- /dev/null Tue Mar 11 13:02:56 2003
-+++ linux/lib/zlib/Makefile.objs Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,27 @@
-+obj-$(CONFIG_IPSEC_IPCOMP) += adler32.o
-+obj-$(CONFIG_IPSEC_IPCOMP) += deflate.o
-+obj-$(CONFIG_IPSEC_IPCOMP) += infblock.o
-+obj-$(CONFIG_IPSEC_IPCOMP) += infcodes.o
-+obj-$(CONFIG_IPSEC_IPCOMP) += inffast.o
-+obj-$(CONFIG_IPSEC_IPCOMP) += inflate.o
-+obj-$(CONFIG_IPSEC_IPCOMP) += inftrees.o
-+obj-$(CONFIG_IPSEC_IPCOMP) += infutil.o
-+obj-$(CONFIG_IPSEC_IPCOMP) += trees.o
-+obj-$(CONFIG_IPSEC_IPCOMP) += zutil.o
-+
-+asm-obj-$(CONFIG_M586) += ${LIBZLIBSRCDIR}/match586.o
-+asm-obj-$(CONFIG_M586TSC) += ${LIBZLIBSRCDIR}/match586.o
-+asm-obj-$(CONFIG_M586MMX) += ${LIBZLIBSRCDIR}/match586.o
-+asm-obj-$(CONFIG_M686) += ${LIBZLIBSRCDIR}/match686.o
-+asm-obj-$(CONFIG_MPENTIUMIII) += ${LIBZLIBSRCDIR}/match686.o
-+asm-obj-$(CONFIG_MPENTIUM4) += ${LIBZLIBSRCDIR}/match686.o
-+asm-obj-$(CONFIG_MK6) += ${LIBZLIBSRCDIR}/match586.o
-+asm-obj-$(CONFIG_MK7) += ${LIBZLIBSRCDIR}/match686.o
-+asm-obj-$(CONFIG_MCRUSOE) += ${LIBZLIBSRCDIR}/match586.o
-+asm-obj-$(CONFIG_MWINCHIPC6) += ${LIBZLIBSRCDIR}/match586.o
-+asm-obj-$(CONFIG_MWINCHIP2) += ${LIBZLIBSRCDIR}/match686.o
-+asm-obj-$(CONFIG_MWINCHIP3D) += ${LIBZLIBSRCDIR}/match686.o
-+
-+EXTRA_CFLAGS += -DIPCOMP_PREFIX
-+
-+
--- swan26/net/Kconfig.preipsec 2005-09-01 18:15:19.000000000 -0400
+++ swan26/net/Kconfig 2005-09-03 16:51:17.000000000 -0400
@@ -215,2 +215,6 @@
+
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/Kconfig Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,161 @@
+@@ -0,0 +1,150 @@
+#
+# IPSEC configuration
+# Copyright (C) 2004 Michael Richardson <mcr@freeswan.org>
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
-+# RCSID $Id: Kconfig,v 1.6.2.2 2006/10/11 18:14:33 paul Exp $
++# RCSID $Id: Kconfig,v 1.6.2.1 2006/04/20 16:33:06 mcr Exp $
+
+config KLIPS
+ tristate "Openswan IPsec (KLIPS26)"
+ AES the NIST replacement for DES. AES is being widely analyzed,
+ and is very fast.
+
-+config KLIPS_ENC_NULL
-+ bool 'NULL NON-encryption algorithm'
-+ default n
-+ help
-+ NON encryption algo , maybe useful for ESP auth only scenarios
-+ (eg: with NAT-T), see RFC 2410.
-+
+config KLIPS_IPCOMP
+ bool 'IP compression'
+ default y
+#
+#
+# $Log: Kconfig,v $
-+# Revision 1.6.2.2 2006/10/11 18:14:33 paul
-+# Add JuanJo Ciarlante's ESP_NULL patches for KLIPS, but leave it disabled
-+# per default.
-+#
+# Revision 1.6.2.1 2006/04/20 16:33:06 mcr
+# remove all of CONFIG_KLIPS_ALG --- one can no longer build without it.
+# Fix in-kernel module compilation. Sub-makefiles do not work.
+
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/Makefile Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,195 @@
+@@ -0,0 +1,189 @@
+# Makefile for KLIPS kernel code as a module for 2.6 kernels
+#
+# Makefile for KLIPS kernel code as a module
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
-+# RCSID $Id: Makefile.fs2_6,v 1.8.2.2 2006/10/11 18:14:33 paul Exp $
++# RCSID $Id: Makefile.fs2_6,v 1.8.2.1 2006/04/20 16:33:06 mcr Exp $
+#
+# Note! Dependencies are done automagically by 'make dep', which also
+# removes any old dependencies. DON'T put your own dependencies here
+crypto-$(CONFIG_KLIPS_ENC_AES) += aes/aes.o
+endif
+
-+crypto-$(CONFIG_KLIPS_ENC_NULL) += null/ipsec_alg_null.o
-+
+ipsec-y += ${crypto-y}
+
+ipsec-$(CONFIG_KLIPS_ENC_CRYPTOAPI) += ipsec_alg_cryptoapi.o
+
+ipsec-$(CONFIG_KLIPS_IPCOMP) += ${base-ipcomp-objs}
+
-+EXTRA_CFLAGS += -DIPCOMP_PREFIX
++EXTRA_CFLAGS += -DIPCOMP_PREFIX -DKLIPS
+
+#
+# $Log: Makefile.fs2_6,v $
-+# Revision 1.8.2.2 2006/10/11 18:14:33 paul
-+# Add JuanJo Ciarlante's ESP_NULL patches for KLIPS, but leave it disabled
-+# per default.
-+#
+# Revision 1.8.2.1 2006/04/20 16:33:06 mcr
+# remove all of CONFIG_KLIPS_ALG --- one can no longer build without it.
+# Fix in-kernel module compilation. Sub-makefiles do not work.
+}
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/addrtot.c Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,423 @@
+@@ -0,0 +1,387 @@
+/*
+ * addresses to text
+ * Copyright (C) 2000 Henry Spencer.
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
+ * License for more details.
+ *
-+ * RCSID $Id: addrtot.c,v 1.22.2.1 2005/11/17 22:30:49 paul Exp $
++ * RCSID $Id: addrtot.c,v 1.24 2005/11/11 06:59:40 mcr Exp $
+ */
+
+#if defined(__KERNEL__) && defined(__HAVE_ARCH_STRSTR)
+ * Find the first occurrence of find in s.
+ * (from NetBSD 1.6's /src/lib/libc/string/strstr.c)
+ */
-+static char *
-+strstr(s, find)
-+ const char *s, *find;
++static char *ipsec_strstr(const char *s, const char *find)
+{
+ char c, sc;
+ size_t len;
+#ifdef ADDRTOT_MAIN
+
+#include <stdio.h>
++#include <stdlib.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+/*
+ * $Log: addrtot.c,v $
++ * Revision 1.24 2005/11/11 06:59:40 mcr
++ * try this code to avoid static/extern conflict with newer
++ * kernels.
++ *
++ * Revision 1.23 2005/11/11 03:09:53 paul
++ * Fix by Toby for newer kernels that have strstr()
++ *
+ * Revision 1.22.2.1 2005/11/17 22:30:49 paul
+ * pull up strstr fix from head.
+ *
+ * if the address type is invalid, then return length of <invalid>
+ * string!
+ *
-+ * Revision 1.12 2003/12/30 06:42:48 mcr
-+ * added $Log: addrtot.c,v $
-+ * added Revision 1.22.2.1 2005/11/17 22:30:49 paul
-+ * added pull up strstr fix from head.
-+ * added
-+ * added Revision 1.22 2005/05/20 16:47:40 mcr
-+ * added make strstr static if we need it.
-+ * added
-+ * added Revision 1.21 2005/03/21 00:35:12 mcr
-+ * added test for strstr properly
-+ * added
-+ * added Revision 1.20 2004/11/09 22:52:20 mcr
-+ * added until we figure out which kernels have strsep and which
-+ * added do not (UML does not under certain circumstances), then
-+ * added let's just provide our own.
-+ * added
-+ * added Revision 1.19 2004/10/08 16:30:33 mcr
-+ * added pull-up of initial crypto-offload work.
-+ * added
-+ * added Revision 1.18 2004/09/18 19:33:08 mcr
-+ * added use an appropriate kernel happy ifdef for strstr.
-+ * added
-+ * added Revision 1.17 2004/09/15 21:49:02 mcr
-+ * added use local copy of strstr() if this is going in the kernel.
-+ * added Not clear why this worked before, or why this shows up
-+ * added for modules only.
-+ * added
-+ * added Revision 1.16 2004/07/10 07:43:47 mcr
-+ * added Moved from linux/lib/libfreeswan/addrtot.c,v
-+ * added
-+ * added Revision 1.15 2004/04/11 17:39:25 mcr
-+ * added removed internal.h requirements.
-+ * added
-+ * added Revision 1.14 2004/03/08 01:59:08 ken
-+ * added freeswan.h -> openswan.h
-+ * added
-+ * added Revision 1.13 2004/01/05 23:21:05 mcr
-+ * added if the address type is invalid, then return length of <invalid>
-+ * added string!
-+ * added
-+ *
-+ *
+ */
+
--- /dev/null Tue Mar 11 13:02:56 2003
+}
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/aes/Makefile Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,59 @@
+@@ -0,0 +1,56 @@
+# Makefile for KLIPS 3DES kernel code as a module for 2.6 kernels
+#
+# Makefile for KLIPS kernel code as a module
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
-+# RCSID $Id: Makefile.fs2_6,v 1.1.10.1 2005/08/12 16:10:05 ken Exp $
++# RCSID $Id: Makefile.fs2_6,v 1.2 2005/08/12 14:13:58 mcr Exp $
+#
+# Note! Dependencies are done automagically by 'make dep', which also
+# removes any old dependencies. DON'T put your own dependencies here
+
+#
+# $Log: Makefile.fs2_6,v $
-+# Revision 1.1.10.1 2005/08/12 16:10:05 ken
-+# do not use assembly code with there are no frame pointers
-+#
+# Revision 1.2 2005/08/12 14:13:58 mcr
+# do not use assembly code with there are no frame pointers,
+# as it does not have the right linkages.
+#ifdef __KERNEL__
+#include <linux/types.h>
+#include <linux/kernel.h>
-+#define DEBUG(x)
++#define AES_DEBUG(x)
+#else
+#include <stdio.h>
+#include <sys/types.h>
-+#define DEBUG(x) x
++#define AES_DEBUG(x) x
+#endif
+
+#include "crypto/aes.h"
+ if (pos <= len)
+ *out ^= *in;
+ if (pos > len) {
-+ DEBUG(printf("put 0x80 at pos=%d\n", pos));
++ AES_DEBUG(printf("put 0x80 at pos=%d\n", pos));
+ *out ^= 0x80;
+ break;
+ }
+ }
+ do_pad_xor((u_int8_t *)&out, in, ilen);
+ if (ilen==16) {
-+ DEBUG(printf("using k3\n"));
++ AES_DEBUG(printf("using k3\n"));
+ xor_block(out, ctxm->k3);
+ }
+ else
+ {
-+ DEBUG(printf("using k2\n"));
++ AES_DEBUG(printf("using k2\n"));
+ xor_block(out, ctxm->k2);
+ }
+ aes_encrypt(&ctxm->ctx_k1, (u_int8_t *)out, hash);
+}
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/aes/ipsec_alg_aes.c Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,296 @@
+@@ -0,0 +1,299 @@
+/*
+ * ipsec_alg AES cipher stubs
+ *
+#if defined(CONFIG_KLIPS_ENC_AES_MODULE)
+MODULE_AUTHOR("JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>");
+#ifdef module_param
-+module_param(debug_aes,int,0600)
-+module_param(test_aes,int,0600)
-+module_param(excl_aes,int,0600)
-+module_param(keyminbits,int,0600)
-+module_param(keymaxbits,int,0600)
++module_param(debug_aes,int,0664);
++module_param(test_aes,int,0664);
++module_param(excl_aes,int,0664);
++module_param(keyminbits,int,0664);
++module_param(keymaxbits,int,0664);
+#else
+MODULE_PARM(debug_aes, "i");
+MODULE_PARM(test_aes, "i");
+#else
+static int auth_id=9;
+#endif
-+#ifdef module_param
-+module_param(auth_id, int, 0600);
-+#else
++#if 0
++#ifdef MODULE_PARM
+MODULE_PARM(auth_id, "i");
++#else
++module_param(auth_id,int,0664);
++#endif
+#endif
+#endif
+
+ ixt_blocksize: ESP_AES_CBC_BLK_LEN,
+ ixt_support: {
+ ias_exttype: IPSEC_ALG_TYPE_ENCRYPT,
++ //ias_ivlen: 128,
+ ias_id: ESP_AES,
+ ias_keyminbits: ESP_AES_KEY_SZ_MIN*8,
+ ias_keymaxbits: ESP_AES_KEY_SZ_MAX*8,
+source net/ipsec/alg/Config.alg_aes.in
+source net/ipsec/alg/Config.alg_cryptoapi.in
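Review bot: `module_param(keyminbits,int,0664);` and its four sibling parameters change the sysfs mode from 0600 to 0664, which makes the parameter files group-writable and world-readable; keyminbits/keymaxbits bound the key sizes this transform accepts, so a writer in the owning group could relax that bound on a running system, and debug_aes/test_aes/excl_aes gain nothing from the wider mode either. Unless group write is intended, keep the previous mode, e.g. `module_param(keyminbits,int,0600);`, or at most 0644. The same 0664 mode appears for debug/test/excl/noauto in the later unnamed alg section, for debug_3des/test_des/excl_des in des/ipsec_alg_3des.c and for debug_crypto/test_crypto/excl_crypto in ipsec_alg_cryptoapi.c. Separately, the `#if 0` block around auth_id keeps dead parameter code whose inner `#ifdef MODULE_PARM` branch is ordered opposite to the other files; either drop it or re-enable it in the `#ifdef module_param` form used elsewhere. This file section is shown only in fragments, so the enclosing definitions start and end outside it.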
--- /dev/null Tue Mar 11 13:02:56 2003
-+++ linux/net/ipsec/alg/Makefile Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,112 @@
-+# Makefile,v 1.1.2.1 2003/11/21 18:12:23 jjo Exp
-+ifeq ($(strip $(KLIPSMODULE)),)
-+FREESWANSRCDIR=.
-+else
-+FREESWANSRCDIR=../../../..
-+endif
-+ifeq ($(strip $(KLIPS_TOP)),)
-+KLIPS_TOP=../../..
-+override EXTRA_CFLAGS += -I$(KLIPS_TOP)/include
-+endif
-+
-+ifeq ($(CONFIG_IPSEC_DEBUG),y)
-+override EXTRA_CFLAGS += -g
-+endif
-+
-+# LIBCRYPTO normally comes as an argument from "parent" Makefile
-+# (this applies both to FS' "make module" and eg. Linux' "make modules"
-+# But make dep doest follow same evaluations, so we need this default:
-+LIBCRYPTO=$(TOPDIR)/lib/libcrypto
-+
-+override EXTRA_CFLAGS += -I$(LIBCRYPTO)/include
-+override EXTRA_CFLAGS += -Wall -Wpointer-arith -Wstrict-prototypes
-+
-+MOD_LIST_NAME := NET_MISC_MODULES
-+
-+#O_TARGET := static_init.o
-+
-+subdir- :=
-+subdir-n :=
-+subdir-y :=
-+subdir-m :=
-+
-+obj-y := static_init.o
-+
-+ARCH_ASM-y :=
-+ARCH_ASM-$(CONFIG_M586) := i586
-+ARCH_ASM-$(CONFIG_M586TSC) := i586
-+ARCH_ASM-$(CONFIG_M586MMX) := i586
-+ARCH_ASM-$(CONFIG_MK6) := i586
-+ARCH_ASM-$(CONFIG_M686) := i686
-+ARCH_ASM-$(CONFIG_MPENTIUMIII) := i686
-+ARCH_ASM-$(CONFIG_MPENTIUM4) := i686
-+ARCH_ASM-$(CONFIG_MK7) := i686
-+ARCH_ASM-$(CONFIG_MCRUSOE) := i586
-+ARCH_ASM-$(CONFIG_MWINCHIPC6) := i586
-+ARCH_ASM-$(CONFIG_MWINCHIP2) := i586
-+ARCH_ASM-$(CONFIG_MWINCHIP3D) := i586
-+ARCH_ASM-$(CONFIG_USERMODE) := i586
-+
-+ARCH_ASM :=$(ARCH_ASM-y)
-+ifdef NO_ASM
-+ARCH_ASM :=
-+endif
-+
-+# The algorithm makefiles may put dependences, short-circuit them
-+null:
-+
-+makefiles=$(filter-out %.preipsec, $(wildcard Makefile.alg_*))
-+ifneq ($(makefiles),)
-+#include Makefile.alg_aes
-+#include Makefile.alg_aes-opt
-+include $(makefiles)
-+endif
-+
-+# These rules translate from new to old makefile rules
-+# Translate to Rules.make lists.
-+multi-used := $(filter $(list-multi), $(obj-y) $(obj-m))
-+multi-objs := $(foreach m, $(multi-used), $($(basename $(m))-objs))
-+active-objs := $(sort $(multi-objs) $(obj-y) $(obj-m))
-+O_OBJS := $(obj-y)
-+M_OBJS := $(obj-m)
-+MIX_OBJS := $(filter $(export-objs), $(active-objs))
-+#OX_OBJS := $(export-objs)
-+SUB_DIRS := $(subdir-y)
-+ALL_SUB_DIRS := $(subdir-y) $(subdir-m)
-+MOD_SUB_DIRS := $(subdir-m)
-+
-+
-+static_init_mod.o: $(obj-y)
-+ rm -f $@
-+ $(LD) $(LD_EXTRAFLAGS) $(obj-y) -r -o $@
-+
-+perlasm: ../../../crypto/ciphers/des/asm/perlasm
-+ ln -sf $? $@
-+
-+$(obj-y) $(obj-m): $(TOPDIR)/include/linux/config.h $(TOPDIR)/include/linux/autoconf.h $(KLIPS_TOP)/include/freeswan/ipsec_alg.h
-+$(alg_obj-y) $(alg_obj-m): perlasm $(TOPDIR)/include/linux/config.h $(TOPDIR)/include/linux/autoconf.h $(KLIPS_TOP)/include/freeswan/ipsec_alg.h
-+
-+
-+all_alg_modules: perlasm $(ALG_MODULES)
-+ @echo "ALG_MODULES=$(ALG_MODULES)"
-+
-+
-+#
-+# Construct alg. init. function: call ipsec_ALGO_init() for every static algo
-+# Needed when there are static algos (with static or modular ipsec.o)
-+#
-+static_init.c: $(TOPDIR)/include/linux/autoconf.h Makefile $(makefiles) scripts/mk-static_init.c.sh
-+ @echo "Re-creating $@"
-+ $(SHELL) scripts/mk-static_init.c.sh $(static_init-func-y) > $@
-+
-+clean:
-+ @for i in $(ALG_SUBDIRS);do test -d $$i && make -C $$i clean;done;exit 0
-+ @find . -type l -exec rm -f {} \;
-+ -rm -f perlasm
-+ -rm -rf $(ALG_SUBDIRS)
-+ -rm -f *.o static_init.c
-+
-+ifdef TOPDIR
-+include $(TOPDIR)/Rules.make
-+endif
-+
---- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/alg/Makefile.alg_aes Mon Feb 9 13:51:03 2004
@@ -0,0 +1,18 @@
+MOD_AES := ipsec_aes.o
+static int debug=0;
+static int test=0;
+static int excl=0;
++#ifdef module_param
++module_param(debug, int, 0664);
++module_param(test, int, 0664);
++module_param(excl, int, 0664);
++#else
++MODULE_PARM(debug, "i");
++MODULE_PARM(test, "i");
++MODULE_PARM(excl, "i");
++#endif
++
+static int noauto = 0;
++#ifdef module_param
++module_param(noauto,int, 0664);
++#else
++MODULE_PARM(noauto,"i");
++#endif
++MODULE_PARM_DESC(noauto, "Dont try all known algos, just setup enabled ones");
+
+static int des_ede3[] = {-1, -1};
+static int aes[] = {-1, -1};
+static int serpent[] = {-1, -1};
+static int twofish[] = {-1, -1};
+
-+#ifdef module_param
-+module_param(debug,int,0600);
-+module_param(test,int,0600);
-+module_param(ebug,int,0600);
-+
-+module_param(noauto,int,0600);
-+module_param(ebug,int,0600);
-+
++#ifdef module_param_array
+module_param_array(des_ede3,int,NULL,0);
-+module_param(aes,int,NULL,0);
-+module_param(blowfish,int,NULL,0);
-+module_param(cast,int,NULL,0);
-+module_param(serpent,int,NULL,0);
-+module_param(twofish,int,NULL,0);
++module_param_array(aes,int,NULL,0);
++module_param_array(blowfish,int,NULL,0);
++module_param_array(cast,int,NULL,0);
++module_param_array(serpent,int,NULL,0);
++module_param_array(twofish,int,NULL,0);
+#else
-+MODULE_PARM(debug, "i");
-+MODULE_PARM(test, "i");
-+MODULE_PARM(excl, "i");
-+
-+MODULE_PARM(noauto,"i");
-+
+MODULE_PARM(des_ede3,"1-2i");
+MODULE_PARM(aes,"1-2i");
+MODULE_PARM(blowfish,"1-2i");
+MODULE_PARM(serpent,"1-2i");
+MODULE_PARM(twofish,"1-2i");
+#endif
-+
-+MODULE_PARM_DESC(noauto, "Dont try all known algos, just setup enabled ones");
-+
+MODULE_PARM_DESC(des_ede3, "0: disable | 1: force_enable | min,max: dontuse");
+MODULE_PARM_DESC(aes, "0: disable | 1: force_enable | min,max: keybitlens");
+MODULE_PARM_DESC(blowfish, "0: disable | 1: force_enable | min,max: keybitlens");
+EOF
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/anyaddr.c Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,148 @@
+@@ -0,0 +1,150 @@
+/*
+ * special addresses
+ * Copyright (C) 2000 Henry Spencer.
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
+ * License for more details.
+ *
-+ * RCSID $Id: anyaddr.c,v 1.10.10.1 2006/11/24 05:55:46 paul Exp $
++ * RCSID $Id: anyaddr.c,v 1.10 2004/07/10 07:43:47 mcr Exp $
+ */
+#include "openswan.h"
+
+ case AF_INET6:
+ cmp = memcmp(&src->u.v6.sin6_addr, &v6any, sizeof(v6any));
+ break;
++
+ case 0:
+ /* a zeroed structure is considered any address */
+ return 1;
++
+ default:
+ return 0;
+ break;
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
+ * License for more details.
+ *
-+ * RCSID $Id: datatot.c,v 1.7 2005/04/14 20:48:43 mcr Exp $
++ * RCSID $Id: datatot.c,v 1.9 2005/08/30 21:15:26 mcr Exp $
+ */
+#include "openswan.h"
+
+ */
+size_t /* true length (with NUL) for success */
+datatot(src, srclen, format, dst, dstlen)
-+const char *src;
++const unsigned char *src;
+size_t srclen;
+int format; /* character indicating what format */
+char *dst; /* need not be valid if dstlen is 0 */
+ size_t breakevery; /* add a _ every this many (0 means don't) */
+ size_t sincebreak; /* output bytes since last _ */
+ char breakchar; /* character used to break between groups */
-+ char inblock[10]; /* enough for any format */
++ unsigned char inblock[10]; /* enough for any format */
+ char outblock[10]; /* enough for any format */
+ char fake[1]; /* fake output area for dstlen == 0 */
+ size_t needed; /* return value */
+ nreal = inblocksize;
+ out = (outblocksize > stop - dst) ? outblock : dst;
+
-+ convert(src, nreal, format, out);
++ convert((const char *)src, nreal, format, out);
+ needed += outblocksize;
+ sincebreak += outblocksize;
+ if (dst < stop) {
+ */
+size_t /* true length (with NUL) for success */
+datatoa(src, srclen, format, dst, dstlen)
-+const char *src;
++const unsigned char *src;
+size_t srclen;
+int format; /* character indicating what format */
+char *dst; /* need not be valid if dstlen is 0 */
+ */
+size_t /* true length (with NUL) for success */
+bytestoa(src, srclen, format, dst, dstlen)
-+const char *src;
++const unsigned char *src;
+size_t srclen;
+int format; /* character indicating what format */
+char *dst; /* need not be valid if dstlen is 0 */
+}
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/defconfig Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,148 @@
+@@ -0,0 +1,147 @@
+
+#
-+# RCSID $Id: defconfig,v 1.28.2.1 2006/10/11 18:14:33 paul Exp $
++# RCSID $Id: defconfig,v 1.30 2005/09/15 02:31:12 paul Exp $
+#
+
+#
-+# FreeS/WAN IPSec implementation, KLIPS kernel config defaults
++# Openswan IPSec implementation, KLIPS kernel config defaults
+#
+
+#
+# Encryption algorithm(s):
+CONFIG_KLIPS_ENC_3DES=y
+CONFIG_KLIPS_ENC_AES=y
-+# CONFIG_KLIPS_ENC_NULL=y
+
+# Use CryptoAPI for ALG? - by default, no.
+CONFIG_KLIPS_ENC_CRYPTOAPI=n
+# To enable userspace-switchable KLIPS debugging, say 'y'.
+CONFIG_KLIPS_DEBUG=y
+
-+# NAT Traversal
-+CONFIG_IPSEC_NAT_TRAVERSAL=y
-+
+#
+#
+# $Log: defconfig,v $
-+# Revision 1.28.2.1 2006/10/11 18:14:33 paul
-+# Add JuanJo Ciarlante's ESP_NULL patches for KLIPS, but leave it disabled
-+# per default.
++# Revision 1.30 2005/09/15 02:31:12 paul
++# Changed a FreeS/WAN occurance to Openswan
++#
++# Revision 1.29 2005/08/24 22:10:05 mcr
++# do not list NAT_TRAVERSAL as a default for KLIPS,
++# let it live in the packaging "MODULE_DEF_CONFIG" files.
+#
+# Revision 1.28 2005/05/11 03:15:42 mcr
+# adjusted makefiles to sanely build modules properly.
+'x*0.9' the speed.
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/des/Makefile Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,63 @@
+@@ -0,0 +1,60 @@
+# Makefile for KLIPS kernel code as a module for 2.6 kernels
+#
+# Makefile for KLIPS kernel code as a module
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
-+# RCSID $Id: Makefile.fs2_6,v 1.2.2.1 2005/08/12 16:10:57 ken Exp $
++# RCSID $Id: Makefile.fs2_6,v 1.3 2005/08/12 14:13:59 mcr Exp $
+#
+# Note! Dependencies are done automagically by 'make dep', which also
+# removes any old dependencies. DON'T put your own dependencies here
+
+#
+# $Log: Makefile.fs2_6,v $
-+# Revision 1.2.2.1 2005/08/12 16:10:57 ken
-+# do not use assembly code with there are no frame pointers
-+#
+# Revision 1.3 2005/08/12 14:13:59 mcr
+# do not use assembly code with there are no frame pointers,
+# as it does not have the right linkages.
+
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/des/ipsec_alg_3des.c Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,181 @@
+@@ -0,0 +1,182 @@
+/*
+ * ipsec_alg 3DES cipher stubs
+ *
+#if defined(CONFIG_KLIPS_ENC_3DES_MODULE)
+MODULE_AUTHOR("Michael Richardson <mcr@xelerance.com>");
+#ifdef module_param
-+module_param(debug_3des,int,0600)
-+module_param(test_des,int,0600)
-+module_param(excl_des,int,0600)
++module_param(debug_3des, int, 0664);
++module_param(test_des, int, 0664);
++module_param(excl_des, int, 0664);
+#else
+MODULE_PARM(debug_3des, "i");
+MODULE_PARM(test_des, "i");
+ ixt_support: {
+ ias_exttype: IPSEC_ALG_TYPE_ENCRYPT,
+ ias_id: ESP_3DES,
++ //ias_ivlen: 64,
+ ias_keyminbits: ESP_3DES_KEY_SZ*8,
+ ias_keymaxbits: ESP_3DES_KEY_SZ*8,
+ },
+}
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipcomp.c Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,701 @@
+@@ -0,0 +1,704 @@
+/*
+ * IPCOMP zlib interface code.
++ * implementation of RFC 3173.
++ *
+ * Copyright (C) 2000 Svenning Soerensen <svenning@post5.tele.dk>
+ * Copyright (C) 2000, 2001 Richard Guy Briggs <rgb@conscoop.ottawa.on.ca>
+ *
+ * for more details.
+ */
+
-+char ipcomp_c_version[] = "RCSID $Id: ipcomp.c,v 1.41.2.5 2006/10/06 21:39:26 paul Exp $";
++char ipcomp_c_version[] = "RCSID $Id: ipcomp.c,v 1.41.2.3 2006/04/20 15:46:58 mcr Exp $";
+
+/* SSS */
+
+
+#include <net/ip.h>
+
++#include "openswan/ipsec_kern24.h"
+#include "openswan/radij.h"
+#include "openswan/ipsec_encap.h"
+#include "openswan/ipsec_sa.h"
+#include "zlib/zlib.h"
+#include "zlib/zutil.h"
+
-+#include <pfkeyv2.h> /* SADB_X_CALG_DEFLATE */
++#include <openswan/pfkeyv2.h> /* SADB_X_CALG_DEFLATE */
+
+#ifdef CONFIG_KLIPS_DEBUG
+int sysctl_ipsec_debug_ipcomp = 0;
+#endif /* NETDEV_23 */
+ n->ip_summed=0;
+#ifdef HAVE_TSTAMP
-+ n->tstamp = skb->tstamp;
++ n->tstamp = skb->tstamp;
+#else
+ n->stamp=skb->stamp;
+#endif
+}
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_ah.c Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,407 @@
+@@ -0,0 +1,404 @@
+/*
+ * processing code for AH
+ * Copyright (C) 2003-2004 Michael Richardson <mcr@xelerance.com>
+ * for more details.
+ */
+
-+char ipsec_ah_c_version[] = "RCSID $Id: ipsec_ah.c,v 1.12.2.2 2006/10/06 21:39:26 paul Exp $";
++char ipsec_ah_c_version[] = "RCSID $Id: ipsec_ah.c,v 1.12.2.1 2006/02/15 05:35:14 paul Exp $";
+#ifndef AUTOCONF_INCLUDED
+#include <linux/config.h>
+#endif
+};
+
+
++#ifndef CONFIG_XFRM_ALTERNATE_STACK
+#ifdef NET_26
+struct inet_protocol ah_protocol = {
+ .handler = ipsec_rcv,
+#endif
+};
+#endif /* NET_26 */
++#endif /* CONFIG_XFRM_ALTERNATE_STACK */
+
+/*
+ * $Log: ipsec_ah.c,v $
-+ * Revision 1.12.2.2 2006/10/06 21:39:26 paul
-+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
-+ * set. This is defined through autoconf.h which is included through the
-+ * linux kernel build macros.
-+ *
+ * Revision 1.12.2.1 2006/02/15 05:35:14 paul
+ * Patch by David McCullough <davidm@snapgear.com>
+ * If you setup a tunnel without ESP it doesn't work. It used to work in
+ */
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_alg.c Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,1057 @@
+@@ -0,0 +1,1044 @@
+/*
+ * Modular extensions service and registration functions
+ *
+# include "openswan/ipcomp.h"
+#endif /* CONFIG_KLIPS_COMP */
+
-+#include <pfkeyv2.h>
-+#include <pfkey.h>
++#include <openswan/pfkeyv2.h>
++#include <openswan/pfkey.h>
+
+#include "openswan/ipsec_alg.h"
+#include "openswan/ipsec_proto.h"
+ "entering with encalg=%d, ixt_e=%p\n",
+ sa_p->ips_encalg, ixt_e);
+ if (ixt_e == NULL) {
-+#ifdef CONFIG_KLIPS_DEBUG
+ KLIPS_ERROR(debug_flag,
+ "klips_debug:ipsec_alg_esp_encrypt: "
+ "NULL ipsec_alg_enc object\n");
-+#endif
+ return -1;
+ }
+ KLIPS_PRINT(debug_flag,
+ ipsec_3des_init();
+ }
+#endif
-+#if defined(CONFIG_KLIPS_ENC_NULL) && CONFIG_KLIPS_ENC_NULL && !defined(CONFIG_KLIPS_ENC_NULL_MODULE)
-+#if defined(CONFIG_KLIPS_ENC_CRYPTOAPI) && CONFIG_KLIPS_ENC_CRYPTOAPI
-+#warning "Using built-in null cipher rather than CryptoAPI null cipher"
-+#endif
-+#warning "Building with null cipher (ESP_NULL), blame on you :-)"
-+ {
-+ extern int ipsec_null_init(void);
-+ ipsec_null_init();
-+ }
-+#endif
-+
+
+ /* If we are doing CryptoAPI, then init */
+#if defined(CONFIG_KLIPS_ENC_CRYPTOAPI) && CONFIG_KLIPS_ENC_CRYPTOAPI && !defined(CONFIG_KLIPS_ENC_CRYPTOAPI_MODULE)
+#endif
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_alg_cryptoapi.c Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,455 @@
+@@ -0,0 +1,450 @@
+/*
+ * ipsec_alg to linux cryptoapi GLUE
+ *
+ * special case: ipsec core modular with this static algo inside:
+ * must avoid MODULE magic for this file
+ */
-+#if defined(CONFIG_KLIPS_MODULE) && defined(CONFIG_KLIPS_ENC_CRYPTOAPI)
++#if CONFIG_KLIPS_MODULE && CONFIG_KLIPS_ENC_CRYPTOAPI
+#undef MODULE
+#endif
+
+static int debug_crypto=0;
+static int test_crypto=0;
+static int excl_crypto=0;
-+
-+static int noauto = 0;
-+
+#ifdef module_param
-+module_param(debug_crypto,int,0600)
-+module_param(test_crypto,int,0600)
-+module_param(excl_crypto,int,0600)
-+
-+module_param(noauto,int,0600)
++module_param(debug_crypto, int, 0664);
++module_param(test_crypto, int, 0664);
++module_param(excl_crypto, int, 0664);
+#else
+MODULE_PARM(debug_crypto, "i");
+MODULE_PARM(test_crypto, "i");
+MODULE_PARM(excl_crypto, "i");
++#endif
+
++static int noauto = 0;
+MODULE_PARM(noauto,"i");
-+#endif
+MODULE_PARM_DESC(noauto, "Dont try all known algos, just setup enabled ones");
+
+#ifdef CONFIG_KLIPS_ENC_1DES
+static int serpent[] = {-1, -1};
+static int twofish[] = {-1, -1};
+
++#ifdef module_param_array
+#ifdef CONFIG_KLIPS_ENC_1DES
-+#ifdef module_param
-+module_param_array(des_ede1,int,NULL,0)
++module_param_array(des_ede1,int,NULL,0);
++#endif
++module_param_array(des_ede3,int,NULL,0);
++module_param_array(aes,int,NULL,0);
++module_param_array(blowfish,int,NULL,0);
++module_param_array(cast,int,NULL,0);
++module_param_array(serpent,int,NULL,0);
++module_param_array(twofish,int,NULL,0);
+#else
++#ifdef CONFIG_KLIPS_ENC_1DES
+MODULE_PARM(des_ede1,"1-2i");
+#endif
-+#endif
-+#ifdef module_param
-+module_param_array(des_ede3,int,NULL,0)
-+module_param_array(aes,int,NULL,0)
-+module_param_array(blowfish,int,NULL,0)
-+module_param_array(cast,int,NULL,0)
-+module_param_array(serpent,int,NULL,0)
-+module_param_array(twofish,int,NULL,0)
-+#else
+MODULE_PARM(des_ede3,"1-2i");
+MODULE_PARM(aes,"1-2i");
+MODULE_PARM(blowfish,"1-2i");
+#endif /* NO_CRYPTOAPI_SUPPORT */
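Review bot: `MODULE_PARM(noauto,"i");` now sits outside the `#ifdef module_param` / `#else` guard that protects debug_crypto, test_crypto and excl_crypto, so on a kernel that provides module_param but no longer defines MODULE_PARM this file stops compiling, and `static int noauto = 0;` has been moved after the `#endif` along with it. Give noauto the same two-way guard as the other parameters, as the noauto parameter in the earlier alg section of this patch already has. The 0644 mode below keeps the flag readable without making the sysfs file group-writable; adjust it if a different policy is settled on for the other parameters. The surrounding declarations are shown only in fragments.
```c
static int noauto = 0;
#ifdef module_param
module_param(noauto, int, 0644);
#else
MODULE_PARM(noauto,"i");
#endif
MODULE_PARM_DESC(noauto, "Dont try all known algos, just setup enabled ones");
```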
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_esp.c Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,607 @@
+@@ -0,0 +1,599 @@
+/*
+ * processing code for ESP
+ * Copyright (C) 2003 Michael Richardson <mcr@sandelman.ottawa.on.ca>
+ * for more details.
+ */
+
-+char ipsec_esp_c_version[] = "RCSID $Id: ipsec_esp.c,v 1.13.2.6 2006/10/06 21:39:26 paul Exp $";
++char ipsec_esp_c_version[] = "RCSID $Id: ipsec_esp.c,v 1.13.2.4 2006/05/06 03:07:38 ken Exp $";
+#ifndef AUTOCONF_INCLUDED
+#include <linux/config.h>
+#endif
+ if (ipsec_alg_esp_encrypt(ipsp,
+ idat, irs->ilen, espp->esp_iv,
+ IPSEC_ALG_DECRYPT) <= 0) {
-+#ifdef CONFIG_KLIPS_DEBUG
+ KLIPS_ERROR(debug_rcv, "klips_error:ipsec_rcv: "
+ "got packet with esplen = %d "
+ "from %s -- should be on "
+ irs->ilen,
+ irs->ipsaddr_txt,
+ ipsp->ips_encalg);
-+#endif
+ if(irs->stats) {
+ irs->stats->rx_errors++;
+ }
+ },
+};
+
++#ifndef CONFIG_XFRM_ALTERNATE_STACK
+#ifdef NET_26
+struct inet_protocol esp_protocol = {
+ .handler = ipsec_rcv,
+#endif
+};
+#endif /* NET_26 */
++#endif /* CONFIG_XFRM_ALTERNATE_STACK */
+
+#endif /* !CONFIG_KLIPS_ESP */
+
+
+/*
+ * $Log: ipsec_esp.c,v $
-+ * Revision 1.13.2.6 2006/10/06 21:39:26 paul
-+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
-+ * set. This is defined through autoconf.h which is included through the
-+ * linux kernel build macros.
-+ *
-+ * Revision 1.13.2.5 2006/08/24 03:02:01 paul
-+ * Compile fixes for when CONFIG_KLIPS_DEBUG is not set. (bug #642)
-+ *
+ * Revision 1.13.2.4 2006/05/06 03:07:38 ken
+ * Pull in proper padsize->tailroom fix from #public
+ * Need to do correct math on padlen since padsize is not equal to tailroom
+ */
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_init.c Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,614 @@
+@@ -0,0 +1,683 @@
+/*
+ * @(#) Initialization code.
+ * Copyright (C) 1996, 1997 John Ioannidis.
+ *
+ */
+
-+char ipsec_init_c_version[] = "RCSID $Id: ipsec_init.c,v 1.104.2.4 2006/10/06 21:39:26 paul Exp $";
++char ipsec_init_c_version[] = "RCSID $Id: ipsec_init.c,v 1.104.2.2 2006/04/20 16:33:06 mcr Exp $";
+
+#ifndef AUTOCONF_INCLUDED
+#include <linux/config.h>
+#include "openswan/ipsec_proto.h"
+#include "openswan/ipsec_alg.h"
+
-+#include <pfkeyv2.h>
-+#include <pfkey.h>
++#include <openswan/pfkeyv2.h>
++#include <openswan/pfkey.h>
+
+#if defined(NET_26) && defined(CONFIG_IPSEC_NAT_TRAVERSAL)
+#include <net/xfrmudp.h>
+extern void ipsec_sysctl_unregister(void);
+#endif
+
-+#if defined(NET_26) || defined(IPSKB_XFRM_TUNNEL_SIZE)
++#ifdef NET_26
+static inline int
+openswan_inet_add_protocol(struct inet_protocol *prot, unsigned protocol)
+{
+ "KLIPS startup, Openswan KLIPS IPsec stack version: %s\n",
+ ipsec_version_code());
+
++ error = ipsec_xmit_state_cache_init ();
++ if (error)
++ goto error_xmit_state_cache;
++
++ error = ipsec_rcv_state_cache_init ();
++ if (error)
++ goto error_rcv_state_cache;
++
+ error |= ipsec_proc_init();
++ if (error)
++ goto error_proc_init;
+
+#ifdef SPINLOCK
+ ipsec_sadb.sadb_lock = SPIN_LOCK_UNLOCKED;
+#endif /* !SPINLOCK */
+
+ error |= ipsec_sadb_init();
++ if (error)
++ goto error_sadb_init;
++
+ error |= ipsec_radijinit();
++ if (error)
++ goto error_radijinit;
+
+ error |= pfkey_init();
++ if (error)
++ goto error_pfkey_init;
+
+ error |= register_netdevice_notifier(&ipsec_dev_notifier);
++ if (error)
++ goto error_netdev_notifier;
++
++#ifdef CONFIG_XFRM_ALTERNATE_STACK
++ error = xfrm_register_alternate_rcv (ipsec_rcv);
++ if (error)
++ goto error_xfrm_register;
++
++#else // CONFIG_XFRM_ALTERNATE_STACK
+
+#ifdef CONFIG_KLIPS_ESP
+ openswan_inet_add_protocol(&esp_protocol, IPPROTO_ESP);
+#endif /* CONFIG_KLIPS_IPCOMP */
+#endif
+
++#endif // CONFIG_XFRM_ALTERNATE_STACK
++
+ error |= ipsec_tunnel_init_devices();
++ if (error)
++ goto error_tunnel_init_devices;
+
+#if defined(NET_26) && defined(CONFIG_IPSEC_NAT_TRAVERSAL)
+ /* register our ESP-UDP handler */
+
+#ifdef CONFIG_SYSCTL
+ error |= ipsec_sysctl_register();
++ if (error)
++ goto error_sysctl_register;
+#endif
+
+ ipsec_alg_init();
+ prng_init(&ipsec_prng, seed, sizeof(seed));
+
+ return error;
++
++ // undo ipsec_sysctl_register
++error_sysctl_register:
++ ipsec_tunnel_cleanup_devices();
++error_tunnel_init_devices:
++#ifdef CONFIG_XFRM_ALTERNATE_STACK
++ xfrm_deregister_alternate_rcv(ipsec_rcv);
++error_xfrm_register:
++#endif // CONFIG_XFRM_ALTERNATE_STACK
++ unregister_netdevice_notifier(&ipsec_dev_notifier);
++error_netdev_notifier:
++ pfkey_cleanup();
++error_pfkey_init:
++ ipsec_radijcleanup();
++error_radijinit:
++ ipsec_sadb_cleanup(0);
++ ipsec_sadb_free();
++error_sadb_init:
++error_proc_init:
++ // ipsec_proc_init() does not cleanup after itself, so we have to do it here
++ // TODO: ipsec_proc_init() should roll back what it chaned on failure
++ ipsec_proc_cleanup();
++ ipsec_rcv_state_cache_cleanup ();
++error_rcv_state_cache:
++ ipsec_xmit_state_cache_cleanup ();
++error_xmit_state_cache:
++ return error;
+}
+
+
+
+ KLIPS_PRINT(debug_netlink, "called ipsec_tunnel_cleanup_devices");
+
++#ifdef CONFIG_XFRM_ALTERNATE_STACK
++
++ xfrm_deregister_alternate_rcv(ipsec_rcv);
++
++#else // CONFIG_XFRM_ALTERNATE_STACK
++
+/* we never actually link IPCOMP to the stack */
+#ifdef IPCOMP_USED_ALONE
+#ifdef CONFIG_KLIPS_IPCOMP
+ "esp close: can't remove protocol\n");
+#endif /* CONFIG_KLIPS_ESP */
+
++#endif // CONFIG_XFRM_ALTERNATE_STACK
++
+ error |= unregister_netdevice_notifier(&ipsec_dev_notifier);
+
+ KLIPS_PRINT(debug_netlink, /* debug_tunnel & DB_TN_INIT, */
+ "calling pfkey_cleanup.\n");
+ error |= pfkey_cleanup();
+
++ ipsec_rcv_state_cache_cleanup ();
++ ipsec_xmit_state_cache_cleanup ();
++
++ ipsec_rcv_state_cache_cleanup ();
++ ipsec_xmit_state_cache_cleanup ();
++
+ ipsec_proc_cleanup();
+
+ prng_final(&ipsec_prng);
+ return error;
+}
+
++#ifndef NET_26
+void
+cleanup_module(void)
+{
+ KLIPS_PRINT(1, "klips_info:cleanup_module: "
+ "ipsec module unloaded.\n");
+}
++#endif
+#endif /* MODULE */
+
+/*
+ * $Log: ipsec_init.c,v $
-+ * Revision 1.104.2.4 2006/10/06 21:39:26 paul
-+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
-+ * set. This is defined through autoconf.h which is included through the
-+ * linux kernel build macros.
-+ *
-+ * Revision 1.104.2.3 2006/07/31 15:25:20 paul
-+ * Check for NETKEY backport in Debian using IPSKB_XFRM_TUNNEL_SIZE to
-+ * determine wether inet_add_protocol needs the protocol argument.
-+ *
++ * Revision 1.106 2005/09/14 14:22:55 mcr
++ * remove module unload on 2.6. --- it just won't work, so
++ * don't let people try.
+ * Revision 1.104.2.2 2006/04/20 16:33:06 mcr
+ * remove all of CONFIG_KLIPS_ALG --- one can no longer build without it.
+ * Fix in-kernel module compilation. Sub-makefiles do not work.
+ */
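Review bot: `ipsec_rcv_state_cache_cleanup ();` and `ipsec_xmit_state_cache_cleanup ();` are called twice in a row in the cleanup function, once before and once after a blank line; if these tear down a kmem_cache or free a list, the second call operates on already-released state, so the second pair should be dropped. In the init error path, the `#else` (non-CONFIG_XFRM_ALTERNATE_STACK) branch registers esp_protocol and friends through openswan_inet_add_protocol, but the unwind between `error_sysctl_register:` and `error_netdev_notifier:` only deregisters the alternate-stack receiver, so a failed init on a normal build leaves protocol handlers pointing into a module that never finished loading; the inet_del_protocol calls from the cleanup function belong there too (the registration block is partly elided in this section, so confirm nothing else undoes it). Both the init and cleanup functions start outside the lines shown.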
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_ipcomp.c Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,256 @@
+@@ -0,0 +1,258 @@
+/*
+ * processing code for IPCOMP
+ * Copyright (C) 2003 Michael Richardson <mcr@sandelman.ottawa.on.ca>
+ * for more details.
+ */
+
-+char ipsec_ipcomp_c_version[] = "RCSID $Id: ipsec_ipcomp.c,v 1.5.2.2 2006/10/06 21:39:26 paul Exp $";
++char ipsec_ipcomp_c_version[] = "RCSID $Id: ipsec_ipcomp.c,v 1.5.2.1 2006/07/07 16:39:58 paul Exp $";
+#ifndef AUTOCONF_INCLUDED
+#include <linux/config.h>
+#endif
+/* We probably don't want to install a pure IPCOMP protocol handler, but
+ only want to handle IPCOMP if it is encapsulated inside an ESP payload
+ (which is already handled) */
++#ifndef CONFIG_XFRM_ALTERNATE_STACK
+#ifdef CONFIG_KLIPS_IPCOMP
+struct inet_protocol comp_protocol =
+{
+#endif
+};
+#endif /* CONFIG_KLIPS_IPCOMP */
++#endif /* CONFIG_XFRM_ALTERNATE_STACK */
+#endif
+
+#endif /* CONFIG_KLIPS_IPCOMP */
+ * for more details.
+ */
+
-+char ipsec_ipip_c_version[] = "RCSID $Id: ipsec_ipip.c,v 1.3.2.3 2006/10/06 21:39:26 paul Exp $";
++char ipsec_ipip_c_version[] = "RCSID $Id: ipsec_ipip.c,v 1.5 2005/11/11 06:36:41 paul Exp $";
+#ifndef AUTOCONF_INCLUDED
+#include <linux/config.h>
+#endif
+}
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_life.c Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,273 @@
+@@ -0,0 +1,268 @@
+/*
+ * @(#) lifetime structure utilities
+ *
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
-+ * RCSID $Id: ipsec_life.c,v 1.13.10.1 2006/10/06 21:39:26 paul Exp $
++ * RCSID $Id: ipsec_life.c,v 1.13 2004/07/10 19:11:18 mcr Exp $
+ *
+ */
+
+#include "openswan/ipcomp.h"
+#endif /* CONFIG_KLIPS_IPCOMP */
+
-+#include <pfkeyv2.h>
-+#include <pfkey.h>
++#include <openswan/pfkeyv2.h>
++#include <openswan/pfkey.h>
+
+#include "openswan/ipsec_proto.h"
+
+ saname,
+ dir);
+
-+ if(ips->ips_state != SADB_SASTATE_DYING) {
++ if(ips->ips_state != K_SADB_SASTATE_DYING) {
+ pfkey_expire(ips, 0);
+ }
-+ ips->ips_state = SADB_SASTATE_DYING;
++ ips->ips_state = K_SADB_SASTATE_DYING;
+
+ return ipsec_life_softdied;
+ }
+
+/*
+ * $Log: ipsec_life.c,v $
-+ * Revision 1.13.10.1 2006/10/06 21:39:26 paul
-+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
-+ * set. This is defined through autoconf.h which is included through the
-+ * linux kernel build macros.
-+ *
+ * Revision 1.13 2004/07/10 19:11:18 mcr
+ * CONFIG_IPSEC -> CONFIG_KLIPS.
+ *
+ */
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_mast.c Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,1099 @@
+@@ -0,0 +1,1094 @@
+/*
+ * IPSEC MAST code.
+ * Copyright (C) 1996, 1997 John Ioannidis.
+ * for more details.
+ */
+
-+char ipsec_mast_c_version[] = "RCSID $Id: ipsec_mast.c,v 1.7.2.1 2006/10/06 21:39:26 paul Exp $";
++char ipsec_mast_c_version[] = "RCSID $Id: ipsec_mast.c,v 1.7 2005/04/29 05:10:22 mcr Exp $";
+
+#define __NO_VERSION__
+#include <linux/module.h>
+#include "freeswan/ipsec_ah.h"
+#include "freeswan/ipsec_esp.h"
+
-+#include <pfkeyv2.h>
-+#include <pfkey.h>
++#include <openswan/pfkeyv2.h>
++#include <openswan/pfkey.h>
+
+#include "freeswan/ipsec_proto.h"
+
+
+/*
+ * $Log: ipsec_mast.c,v $
-+ * Revision 1.7.2.1 2006/10/06 21:39:26 paul
-+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
-+ * set. This is defined through autoconf.h which is included through the
-+ * linux kernel build macros.
-+ *
+ * Revision 1.7 2005/04/29 05:10:22 mcr
+ * removed from extraenous includes to make unit testing easier.
+ *
+ */
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_proc.c Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,1186 @@
+@@ -0,0 +1,1172 @@
+/*
+ * @(#) /proc file system interface code.
+ *
+ * Split out from ipsec_init.c version 1.70.
+ */
+
-+char ipsec_proc_c_version[] = "RCSID $Id: ipsec_proc.c,v 1.39.2.4 2006/11/15 22:21:39 paul Exp $";
++char ipsec_proc_c_version[] = "RCSID $Id: ipsec_proc.c,v 1.41 2005/11/11 04:04:03 paul Exp $";
+
+
+#ifndef AUTOCONF_INCLUDED
+
+#include "openswan/ipsec_proto.h"
+
-+#include <pfkeyv2.h>
-+#include <pfkey.h>
++#include <openswan/pfkeyv2.h>
++#include <openswan/pfkey.h>
+
+#ifdef CONFIG_PROC_FS
+
+extern int ipsec_xform_get_info(char *buffer, char **start,
+ off_t offset, int length IPSEC_PROC_LAST_ARG);
+
-+
+IPSEC_PROCFS_DEBUG_NO_STATIC
+int
+ipsec_eroute_get_info(char *buffer,
+ return len;
+}
+
-+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
-+unsigned int natt_available = 1;
-+#else
-+unsigned int natt_available = 0;
-+#endif
-+module_param(natt_available, int, 0444);
-+
+IPSEC_PROCFS_DEBUG_NO_STATIC
+int
+ipsec_natt_get_info(char *buffer,
-+ char **start,
-+ off_t offset,
-+ int length IPSEC_PROC_LAST_ARG)
++ char **start,
++ off_t offset,
++ int length IPSEC_PROC_LAST_ARG)
+{
-+ int len = 0;
-+ off_t begin = 0;
++ int len = 0;
++ off_t begin = 0;
+
-+ len += ipsec_snprintf(buffer + len,
-+ length-len, "%d\n",
++ len += ipsec_snprintf(buffer + len,
++ length-len, "%d\n",
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
-+ 1
++ 1
+#else
-+ 0
++ 0
+#endif
-+ );
++ );
+
-+ *start = buffer + (offset - begin); /* Start of wanted data */
-+ len -= (offset - begin); /* Start slop */
-+ if (len > length)
-+ len = length;
-+ return len;
++ *start = buffer + (offset - begin); /* Start of wanted data */
++ len -= (offset - begin); /* Start slop */
++ if (len > length)
++ len = length;
++ return len;
+}
+
+IPSEC_PROCFS_DEBUG_NO_STATIC
+ {"stats", &proc_net_ipsec_dir, &proc_stats_dir, NULL, NULL, NULL},
+ {"trap_count", &proc_stats_dir, NULL, ipsec_stats_get_int_info, NULL, &ipsec_xmit_trap_count},
+ {"trap_sendcount", &proc_stats_dir, NULL, ipsec_stats_get_int_info, NULL, &ipsec_xmit_trap_sendcount},
++ {"natt", &proc_net_ipsec_dir, NULL, ipsec_natt_get_info, NULL, NULL},
+ {"version", &proc_net_ipsec_dir, NULL, ipsec_version_get_info, NULL, NULL},
+ {NULL, NULL, NULL, NULL, NULL, NULL}
+};
+
+/*
+ * $Log: ipsec_proc.c,v $
-+ * Revision 1.39.2.4 2006/11/15 22:21:39 paul
-+ * backport of creating a /sys/ file to test for nat-t capability in kernel.
-+ *
-+ * Revision 1.39.2.3 2006/10/06 21:39:26 paul
-+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
-+ * set. This is defined through autoconf.h which is included through the
-+ * linux kernel build macros.
++ * Revision 1.41 2005/11/11 04:04:03 paul
++ * Fix for compiling without CONFIG_KLIPS_ALG by Toby
+ *
-+ * Revision 1.39.2.2 2006/02/13 18:48:12 paul
-+ * Fix by Ankit Desai <ankit@elitecore.com> for module unloading.
-+ *
-+ * Revision 1.39.2.1 2005/09/07 00:45:59 paul
-+ * pull up of mcr's nat-t klips detection patch from head
++ * Revision 1.40 2005/08/26 20:02:24 mcr
++ * added /proc/net/ipsec/natt file to indicate if NAT-T was compiled
++ * into KLIPS.
+ *
+ * Revision 1.39 2005/05/20 03:19:18 mcr
+ * modifications for use on 2.4.30 kernel, with backported
+ */
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_radij.c Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,889 @@
+@@ -0,0 +1,884 @@
+/*
+ * Interface between the IPSEC code and the radix (radij) tree code
+ * Copyright (C) 1996, 1997 John Ioannidis.
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
-+ * RCSID $Id: ipsec_radij.c,v 1.73.2.1 2006/10/06 21:39:26 paul Exp $
++ * RCSID $Id: ipsec_radij.c,v 1.73 2005/04/29 05:10:22 mcr Exp $
+ */
+
+#ifndef AUTOCONF_INCLUDED
+#include "openswan/ipsec_tunnel.h" /* struct ipsecpriv */
+#include "openswan/ipsec_xform.h"
+
-+#include <pfkeyv2.h>
-+#include <pfkey.h>
++#include <openswan/pfkeyv2.h>
++#include <openswan/pfkey.h>
+
+#include "openswan/ipsec_proto.h"
+
+int
+ipsec_radijcleanup(void)
+{
-+ int error;
++ int error = 0;
+
+ spin_lock_bh(&eroute_lock);
+
+
+/*
+ * $Log: ipsec_radij.c,v $
-+ * Revision 1.73.2.1 2006/10/06 21:39:26 paul
-+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
-+ * set. This is defined through autoconf.h which is included through the
-+ * linux kernel build macros.
-+ *
+ * Revision 1.73 2005/04/29 05:10:22 mcr
+ * removed from extraenous includes to make unit testing easier.
+ *
+ */
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_rcv.c Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,2304 @@
+@@ -0,0 +1,2395 @@
+/*
+ * receive code
+ * Copyright (C) 1996, 1997 John Ioannidis.
+ * for more details.
+ */
+
-+char ipsec_rcv_c_version[] = "RCSID $Id: ipsec_rcv.c,v 1.171.2.10 2006/10/06 21:39:26 paul Exp $";
++char ipsec_rcv_c_version[] = "RCSID $Id: ipsec_rcv.c,v 1.178 2005/10/21 02:19:34 mcr Exp $";
+
+#ifndef AUTOCONF_INCLUDED
+#include <linux/config.h>
+#include "openswan/ipsec_ipcomp.h"
+#endif /* CONFIG_KLIPS_COMP */
+
-+#include <pfkeyv2.h>
-+#include <pfkey.h>
++#include <openswan/pfkeyv2.h>
++#include <openswan/pfkey.h>
+
+#include "openswan/ipsec_proto.h"
+#include "openswan/ipsec_alg.h"
+ /* ipsec_sa_put(irs->ipsp);*/ /* incomplete */
+
+ /* If it is in larval state, drop the packet, we cannot process yet. */
-+ if(newipsp->ips_state == SADB_SASTATE_LARVAL) {
++ if(newipsp->ips_state == K_SADB_SASTATE_LARVAL) {
+ KLIPS_PRINT(debug_rcv,
+ "klips_debug:ipsec_rcv: "
+ "ipsec_sa in larval state, cannot be used yet, dropping packet.\n");
+ return IPSEC_RCV_SAIDNOTLIVE;
+ }
+
-+ if(newipsp->ips_state == SADB_SASTATE_DEAD) {
++ if(newipsp->ips_state == K_SADB_SASTATE_DEAD) {
+ KLIPS_PRINT(debug_rcv,
+ "klips_debug:ipsec_rcv: "
+ "ipsec_sa in dead state, cannot be used any more, dropping packet.\n");
+
+
+
++
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
-+ if (proto == IPPROTO_ESP) {
-+ KLIPS_PRINT(debug_rcv,
-+ "klips_debug:ipsec_rcv: "
-+ "natt_type=%u tdbp->ips_natt_type=%u : %s\n",
-+ irs->natt_type, newipsp->ips_natt_type,
-+ (irs->natt_type==newipsp->ips_natt_type)?"ok":"bad");
-+ if (irs->natt_type != newipsp->ips_natt_type) {
-+ KLIPS_PRINT(debug_rcv,
-+ "klips_debug:ipsec_rcv: "
-+ "SA:%s does not agree with expected NAT-T policy.\n",
-+ irs->sa_len ? irs->sa : " (error)");
-+ if(irs->stats) {
-+ irs->stats->rx_dropped++;
-+ }
-+ ipsec_sa_put(newipsp);
-+ return IPSEC_RCV_FAILEDINBOUND;
-+ }
-+ }
++ if (proto == IPPROTO_ESP) {
++ KLIPS_PRINT(debug_rcv,
++ "klips_debug:ipsec_rcv: "
++ "natt_type=%u tdbp->ips_natt_type=%u : %s\n",
++ irs->natt_type, newipsp->ips_natt_type,
++ (irs->natt_type==newipsp->ips_natt_type)?"ok":"bad");
++ if (irs->natt_type != newipsp->ips_natt_type) {
++ KLIPS_PRINT(debug_rcv,
++ "klips_debug:ipsec_rcv: "
++ "SA:%s does not agree with expected NAT-T policy.\n",
++ irs->sa_len ? irs->sa : " (error)");
++ if(irs->stats) {
++ irs->stats->rx_dropped++;
++ }
++ ipsec_sa_put(newipsp);
++ return IPSEC_RCV_FAILEDINBOUND;
++ }
++ }
+#endif
+ }
+
+ ipsec_lifetime_check(&irs->ipsp->ips_life.ipl_packets, "packets",
+ irs->sa, ipsec_life_countbased, ipsec_incoming,
+ irs->ipsp) == ipsec_life_harddied) {
-+ ipsec_sa_delchain(irs->ipsp);
++
++ /*
++ * disconnect SA from the hash table, so it can not be
++ * found again.
++ */
++ ipsec_sa_rm(irs->ipsp);
+ if(irs->stats) {
+ irs->stats->rx_dropped++;
+ }
+
+ /* If the sequence number == 0, expire SA, it had rolled */
+ if(irs->ipsp->ips_replaywin && !replay /* !irs->ipsp->ips_replaywin_lastseq */) {
-+ ipsec_sa_delchain(irs->ipsp);
++
++ /* we need to remove it from the sadb hash, so that it can't be found again */
++ ipsec_sa_rm(irs->ipsp);
++
+ KLIPS_PRINT(debug_rcv,
+ "klips_debug:ipsec_rcv: "
+ "replay window counter rolled, expiring SA.\n");
+ ipsec_kfree_skb(skb);
+ }
+
-+ /* KLIPS_DEC_USE; Artifact from refactor? bug # 454 */
+ return(0);
+}
+
+}
+#endif
+
++/* management of buffers */
++static struct ipsec_rcv_state * ipsec_rcv_state_new (void);
++static void ipsec_rcv_state_delete (struct ipsec_rcv_state *irs);
+
+int
+ipsec_rcv(struct sk_buff *skb
+ struct net_device_stats *stats = NULL; /* This device's statistics */
+ struct net_device *ipsecdev = NULL, *prvdev;
+ struct ipsecpriv *prv;
-+ struct ipsec_rcv_state nirs, *irs = &nirs;
++ struct ipsec_rcv_state *irs = NULL;
+ struct iphdr *ipp;
+ char name[9];
+ int i;
+ /* Don't unlink in the middle of a turnaround */
+ KLIPS_INC_USE;
+
-+ memset(&nirs, 0, sizeof(struct ipsec_rcv_state));
-+
+ if (skb == NULL) {
+ KLIPS_PRINT(debug_rcv,
+ "klips_debug:ipsec_rcv: "
+ "NULL skb passed in.\n");
-+ goto rcvleave;
++ goto error_no_skb;
+ }
+
+ if (skb->data == NULL) {
+ KLIPS_PRINT(debug_rcv,
+ "klips_debug:ipsec_rcv: "
+ "NULL skb->data passed in, packet is bogus, dropping.\n");
-+ goto rcvleave;
++ goto error_bad_skb;
+ }
+
++ irs = ipsec_rcv_state_new ();
++ if (unlikely (! irs)) {
++ KLIPS_PRINT(debug_rcv,
++ "klips_debug:ipsec_rcv: "
++ "failled to allocate a rcv state object\n");
++ goto error_alloc;
++ }
++
+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) && !defined(NET_26)
+ {
+ /* NET_26 NAT-T is handled by seperate function */
+ irs->authfuncs=NULL;
+ irs->skb = skb;
+
-+ ipsec_rcv_decap(irs);
-+ KLIPS_DEC_USE;
++ (void)ipsec_rcv_decap(irs);
++
++ ipsec_rcv_state_delete (irs);
++ KLIPS_DEC_USE;
+ return(0);
+
-+ rcvleave:
-+ if(skb) {
-+ ipsec_kfree_skb(skb);
-+ }
++rcvleave:
++ ipsec_rcv_state_delete (irs);
++
++error_alloc:
++error_bad_skb:
++ ipsec_kfree_skb(skb);
++error_no_skb:
++
+ KLIPS_DEC_USE;
+ return(0);
+
+ */
+int klips26_rcv_encap(struct sk_buff *skb, __u16 encap_type)
+{
-+ struct ipsec_rcv_state nirs, *irs = &nirs;
++ struct ipsec_rcv_state *irs = NULL;
+ struct iphdr *ipp;
+
+ /* Don't unlink in the middle of a turnaround */
+ KLIPS_INC_USE;
+
-+ memset(irs, 0, sizeof(*irs));
++ irs = ipsec_rcv_state_new ();
++ if (unlikely (! irs)) {
++ KLIPS_PRINT(debug_rcv,
++ "klips_debug:ipsec_rcv: "
++ "failled to allocate a rcv state object\n");
++ goto error_alloc;
++ }
+
+ /* XXX fudge it so that all nat-t stuff comes from ipsec0 */
+ /* eventually, the SA itself will determine which device
+
+#endif
+ ipsec_rcv_decap(irs);
++
+ KLIPS_DEC_USE;
++ ipsec_rcv_state_delete (irs);
+ return 0;
+
+rcvleave:
+ if(skb) {
+ ipsec_kfree_skb(skb);
+ }
++ ipsec_rcv_state_delete (irs);
++error_alloc:
+ KLIPS_DEC_USE;
+ return 0;
+}
+#endif
+
++// ------------------------------------------------------------------------
++// this handles creating and managing state for recv path
++
++static spinlock_t irs_cache_lock = SPIN_LOCK_UNLOCKED;
++static kmem_cache_t *irs_cache_allocator = NULL;
++static unsigned irs_cache_allocated_count = 0;
++
++int
++ipsec_rcv_state_cache_init (void)
++{
++ if (irs_cache_allocator)
++ return -EBUSY;
++
++ spin_lock_init(&irs_cache_lock);
++
++ irs_cache_allocator = kmem_cache_create ("ipsec_irs",
++ sizeof (struct ipsec_rcv_state), 0,
++ 0, NULL, NULL);
++ if (! irs_cache_allocator)
++ return -ENOMEM;
++
++ return 0;
++}
++
++void
++ipsec_rcv_state_cache_cleanup (void)
++{
++ if (unlikely (irs_cache_allocated_count))
++ printk ("ipsec: deleting ipsec_irs kmem_cache while in use\n");
++
++ if (irs_cache_allocator) {
++ kmem_cache_destroy (irs_cache_allocator);
++ irs_cache_allocator = NULL;
++ }
++ irs_cache_allocated_count = 0;
++}
++
++static struct ipsec_rcv_state *
++ipsec_rcv_state_new (void)
++{
++ struct ipsec_rcv_state *irs;
++
++ spin_lock_bh (&irs_cache_lock);
++
++ irs = kmem_cache_alloc (irs_cache_allocator, GFP_ATOMIC);
++
++ if (likely (irs != NULL))
++ irs_cache_allocated_count++;
++
++ spin_unlock_bh (&irs_cache_lock);
++
++ if (unlikely (NULL == irs))
++ goto bail;
++
++ // initialize the object
++ memset((caddr_t)irs, 0, sizeof(*irs));
++
++bail:
++ return irs;
++}
++
++static void
++ipsec_rcv_state_delete (struct ipsec_rcv_state *irs)
++{
++ if (unlikely (! irs))
++ return;
++
++ spin_lock_bh (&irs_cache_lock);
++
++ irs_cache_allocated_count--;
++ kmem_cache_free (irs_cache_allocator, irs);
++
++ spin_unlock_bh (&irs_cache_lock);
++}
+
+/*
+ * $Log: ipsec_rcv.c,v $
-+ * Revision 1.171.2.10 2006/10/06 21:39:26 paul
-+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
-+ * set. This is defined through autoconf.h which is included through the
-+ * linux kernel build macros.
-+ *
-+ * Revision 1.171.2.9 2006/07/30 02:09:33 paul
-+ * Author: Bart Trojanowski <bart@xelerance.com>
-+ * This fixes a NATT+ESP bug in rcv path.
-+ *
-+ * We only want to test NATT policy on the ESP packet. Doing so on the
-+ * bundled SA breaks because the next layer does not know anything about
-+ * NATT.
-+ *
-+ * Fix just puts an if(proto == IPPROTO_ESP) around the NATT policy check.
-+ *
-+ * Revision 1.171.2.8 2006/07/29 05:03:04 paul
-+ * Added check for new version of skb_linearize that only takes 1 argument,
-+ * for 2.6.18+ kernels.
++ * Revision 1.178 2005/10/21 02:19:34 mcr
++ * on 2.4 systems, we have to fix up the length as well.
+ *
+ * Revision 1.171.2.7 2006/04/20 16:33:07 mcr
+ * remove all of CONFIG_KLIPS_ALG --- one can no longer build without it.
+ */
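Review bot: `ipsec_rcv_state_new` passes `irs_cache_allocator` to `kmem_cache_alloc` without checking that it is non-NULL, so a packet arriving after `ipsec_rcv_state_cache_init` failed (or after `ipsec_rcv_state_cache_cleanup` has run) dereferences a NULL cache in softirq context; add `if (unlikely(!irs_cache_allocator)) { spin_unlock_bh(&irs_cache_lock); return NULL; }` before the allocation, inside the lock. In `ipsec_rcv` the rewritten exit path also drops the old `if(skb)` guard: `rcvleave:` now falls through to an unconditional `ipsec_kfree_skb(skb)` while `klips26_rcv_encap` in the same hunk keeps the guard, so if any path in the body (which lies outside the hunk) hands off or NULLs `skb` before `goto rcvleave`, this becomes a NULL dereference or double free — either restore the guard or confirm no such path exists. The two new error strings read `failled`; `failed` is meant. `ipsec_rcv_state_cache_cleanup` NULLs the allocator after destroying it, which is what makes the duplicated `ipsec_rcv_state_cache_cleanup ()` / `ipsec_xmit_state_cache_cleanup ()` calls in the ipsec_init.c hunk harmless, but one pair should still be removed.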
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_sa.c Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,1870 @@
+@@ -0,0 +1,1501 @@
+/*
+ * Common routines for IPsec SA maintenance routines.
+ *
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
-+ * RCSID $Id: ipsec_sa.c,v 1.30.2.2 2006/10/06 21:39:26 paul Exp $
++ * RCSID $Id: ipsec_sa.c,v 1.31 2005/11/11 04:38:56 paul Exp $
+ *
+ * This is the file formerly known as "ipsec_xform.h"
+ *
+#include "openswan/ipsec_ipe4.h"
+#include "openswan/ipsec_ah.h"
+#include "openswan/ipsec_esp.h"
++#include "openswan/ipsec_ipip.h"
++#ifdef CONFIG_KLIPS_IPCOMP
++#include "openswan/ipsec_ipcomp.h"
++#endif /* CONFIG_KLIPS_COMP */
+
-+#include <pfkeyv2.h>
-+#include <pfkey.h>
++#include <openswan/pfkeyv2.h>
++#include <openswan/pfkey.h>
+
+#include "openswan/ipsec_proto.h"
+#include "openswan/ipsec_alg.h"
+
+struct ipsec_sadb ipsec_sadb;
+
-+#if IPSEC_SA_REF_CODE
-+
+/* the sub table must be narrower (or equal) in bits than the variable type
+ in the main table to count the number of unused entries in it. */
+typedef struct {
+
+#define IPS_HASH(said) (((said)->spi + (said)->dst.u.v4.sin_addr.s_addr + (said)->proto) % SADB_HASHMOD)
+
-+
-+void
-+ipsec_SAtest(void)
-+{
-+ IPsecSAref_t SAref = 258;
-+ struct ipsec_sa ips;
-+ ips.ips_ref = 772;
-+
-+ printk("klips_debug:ipsec_SAtest: "
-+ "IPSEC_SA_REF_SUBTABLE_IDX_WIDTH=%u\n"
-+ "IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES=%u\n"
-+ "IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES=%u\n"
-+ "IPSEC_SA_REF_HOST_FIELD_WIDTH=%lu\n"
-+ "IPSEC_SA_REF_TABLE_MASK=%x\n"
-+ "IPSEC_SA_REF_ENTRY_MASK=%x\n"
-+ "IPsecSAref2table(%d)=%u\n"
-+ "IPsecSAref2entry(%d)=%u\n"
-+ "IPsecSAref2NFmark(%d)=%u\n"
-+ "IPsecSAref2SA(%d)=%p\n"
-+ "IPsecSA2SAref(%p)=%d\n"
-+ ,
-+ IPSEC_SA_REF_SUBTABLE_IDX_WIDTH,
-+ IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES,
-+ IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES,
-+ (unsigned long) IPSEC_SA_REF_HOST_FIELD_WIDTH,
-+ IPSEC_SA_REF_TABLE_MASK,
-+ IPSEC_SA_REF_ENTRY_MASK,
-+ SAref, IPsecSAref2table(SAref),
-+ SAref, IPsecSAref2entry(SAref),
-+ SAref, IPsecSAref2NFmark(SAref),
-+ SAref, IPsecSAref2SA(SAref),
-+ (&ips), IPsecSA2SAref((&ips))
-+ );
-+ return;
-+}
++// private functions for reference counting
++static int ipsec_sa_wipe(struct ipsec_sa *ips);
+
+int
+ipsec_SAref_recycle(void)
+{
-+ int table;
-+ int entry;
++ int table, i;
+ int error = 0;
++ int addone;
+
-+ ipsec_sadb.refFreeListHead = -1;
-+ ipsec_sadb.refFreeListTail = -1;
++ ipsec_sadb.refFreeListHead = IPSEC_SAREF_NULL;
++ ipsec_sadb.refFreeListTail = IPSEC_SAREF_NULL;
+
+ if(ipsec_sadb.refFreeListCont == IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES * IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES) {
+ KLIPS_PRINT(debug_xform,
+ "klips_debug:ipsec_SAref_recycle: "
+ "end of table reached, continuing at start..\n");
-+ ipsec_sadb.refFreeListCont = 0;
++ ipsec_sadb.refFreeListCont = IPSEC_SAREF_FIRST;
+ }
+
+ KLIPS_PRINT(debug_xform,
+ IPsecSAref2table(ipsec_sadb.refFreeListCont),
+ IPsecSAref2entry(ipsec_sadb.refFreeListCont));
+
-+ for(table = IPsecSAref2table(ipsec_sadb.refFreeListCont);
-+ table < IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES;
-+ table++) {
-+ if(ipsec_sadb.refTable[table] == NULL) {
++ /* add one additional table entry */
++ addone = 0;
++
++ ipsec_sadb.refFreeListHead = IPSEC_SAREF_FIRST;
++ for(i = 0; i < IPSEC_SA_REF_FREELIST_NUM_ENTRIES; i++) {
++ table = IPsecSAref2table(ipsec_sadb.refFreeListCont);
++ if(addone == 0 && ipsec_sadb.refTable[table] == NULL) {
++ addone = 1;
+ error = ipsec_SArefSubTable_alloc(table);
+ if(error) {
+ return error;
+ }
+ }
-+ for(entry = IPsecSAref2entry(ipsec_sadb.refFreeListCont);
-+ entry < IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES;
-+ entry++) {
-+ if(ipsec_sadb.refTable[table]->entry[entry] == NULL) {
-+ ipsec_sadb.refFreeList[++ipsec_sadb.refFreeListTail] = IPsecSArefBuild(table, entry);
-+ if(ipsec_sadb.refFreeListTail == (IPSEC_SA_REF_FREELIST_NUM_ENTRIES - 1)) {
-+ ipsec_sadb.refFreeListHead = 0;
-+ ipsec_sadb.refFreeListCont = ipsec_sadb.refFreeList[ipsec_sadb.refFreeListTail] + 1;
-+ KLIPS_PRINT(debug_xform,
-+ "klips_debug:ipsec_SAref_recycle: "
-+ "SArefFreeList refilled.\n");
-+ return 0;
-+ }
-+ }
++ if(ipsec_sadb.refTable[table] == NULL) {
++ /* we failed to add a second table, so just stop */
++ break;
++ }
++
++ if(IPsecSAref2SA(ipsec_sadb.refFreeListCont) == NULL) {
++ ipsec_sadb.refFreeList[i] = ipsec_sadb.refFreeListCont;
+ }
++ ipsec_sadb.refFreeListCont++;
++ ipsec_sadb.refFreeListTail=i;
+ }
+
-+ if(ipsec_sadb.refFreeListTail == -1) {
++ if(ipsec_sadb.refFreeListTail == IPSEC_SAREF_NULL) {
+ KLIPS_PRINT(debug_xform,
+ "klips_debug:ipsec_SAref_recycle: "
+ "out of room in the SArefTable.\n");
+ return(-ENOSPC);
+ }
+
-+ ipsec_sadb.refFreeListHead = 0;
-+ ipsec_sadb.refFreeListCont = ipsec_sadb.refFreeList[ipsec_sadb.refFreeListTail] + 1;
+ KLIPS_PRINT(debug_xform,
+ "klips_debug:ipsec_SAref_recycle: "
+ "SArefFreeList partly refilled to %d of %d.\n",
+
+ return 0;
+}
-+#endif /* IPSEC_SA_REF_CODE */
++
++int
++ipsec_saref_verify_slot(IPsecSAref_t ref)
++{
++ int ref_table=IPsecSAref2table(ref);
++
++ if(ipsec_sadb.refTable[ref_table] == NULL) {
++ int ret;
++ ret = ipsec_SArefSubTable_alloc(ref_table);
++ }
++
++ return 0;
++}
+
+int
+ipsec_saref_freelist_init(void)
+ for(i = 0; i < IPSEC_SA_REF_FREELIST_NUM_ENTRIES; i++) {
+ ipsec_sadb.refFreeList[i] = IPSEC_SAREF_NULL;
+ }
-+ ipsec_sadb.refFreeListHead = -1;
-+ ipsec_sadb.refFreeListCont = 0;
-+ ipsec_sadb.refFreeListTail = -1;
++ ipsec_sadb.refFreeListHead = IPSEC_SAREF_NULL;
++ ipsec_sadb.refFreeListCont = IPSEC_SAREF_FIRST+1;
++ ipsec_sadb.refFreeListTail = IPSEC_SAREF_NULL;
+
+ return 0;
+}
+ /* parts above are for the old style SADB hash table */
+
+
-+#if IPSEC_SA_REF_CODE
+ /* initialise SA reference table */
+
+ /* initialise the main table */
+ }
+
+ error = ipsec_saref_freelist_init();
-+#endif /* IPSEC_SA_REF_CODE */
+ return error;
+}
+
-+#if IPSEC_SA_REF_CODE
+IPsecSAref_t
+ipsec_SAref_alloc(int*error) /* pass in error var by pointer */
+{
+ IPsecSAref_t SAref;
+
+ KLIPS_PRINT(debug_xform,
-+ "klips_debug:ipsec_SAref_alloc: "
++ "ipsec_SAref_alloc: "
+ "SAref requested... head=%d, cont=%d, tail=%d, listsize=%d.\n",
+ ipsec_sadb.refFreeListHead,
+ ipsec_sadb.refFreeListCont,
+ ipsec_sadb.refFreeListTail,
+ IPSEC_SA_REF_FREELIST_NUM_ENTRIES);
+
-+ if(ipsec_sadb.refFreeListHead == -1) {
++ if(ipsec_sadb.refFreeListHead == IPSEC_SAREF_NULL) {
+ KLIPS_PRINT(debug_xform,
-+ "klips_debug:ipsec_SAref_alloc: "
++ "ipsec_SAref_alloc: "
+ "FreeList empty, recycling...\n");
+ *error = ipsec_SAref_recycle();
+ if(*error) {
+
+ SAref = ipsec_sadb.refFreeList[ipsec_sadb.refFreeListHead];
+ if(SAref == IPSEC_SAREF_NULL) {
-+ KLIPS_PRINT(debug_xform,
-+ "klips_debug:ipsec_SAref_alloc: "
++ KLIPS_ERROR(debug_xform,
++ "ipsec_SAref_alloc: "
+ "unexpected error, refFreeListHead = %d points to invalid entry.\n",
+ ipsec_sadb.refFreeListHead);
-+ *error = -ESPIPE;
-+ return IPSEC_SAREF_NULL;
++ *error = -ESPIPE;
++ return IPSEC_SAREF_NULL;
+ }
+
+ KLIPS_PRINT(debug_xform,
-+ "klips_debug:ipsec_SAref_alloc: "
++ "ipsec_SAref_alloc: "
+ "allocating SAref=%d, table=%u, entry=%u of %u.\n",
+ SAref,
+ IPsecSAref2table(SAref),
+ ipsec_sadb.refFreeListHead++;
+ if(ipsec_sadb.refFreeListHead > ipsec_sadb.refFreeListTail) {
+ KLIPS_PRINT(debug_xform,
-+ "klips_debug:ipsec_SAref_alloc: "
++ "ipsec_SAref_alloc: "
+ "last FreeList entry allocated, resetting list head to empty.\n");
-+ ipsec_sadb.refFreeListHead = -1;
++ ipsec_sadb.refFreeListHead = IPSEC_SAREF_NULL;
+ }
+
+ return SAref;
+}
-+#endif /* IPSEC_SA_REF_CODE */
+
+int
+ipsec_sa_print(struct ipsec_sa *ips)
+ if(ips->ips_hnext != NULL) {
+ printk(" hnext=0p%p", ips->ips_hnext);
+ }
-+ if(ips->ips_inext != NULL) {
-+ printk(" inext=0p%p", ips->ips_inext);
-+ }
-+ if(ips->ips_onext != NULL) {
-+ printk(" onext=0p%p", ips->ips_onext);
++ if(ips->ips_next != NULL) {
++ printk(" next=0p%p", ips->ips_next);
+ }
+ sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa));
+ printk(" said=%s", sa_len ? sa : " (error)");
+
+ if((ips = kmalloc(sizeof(*ips), GFP_ATOMIC) ) == NULL) {
+ KLIPS_PRINT(debug_xform,
-+ "klips_debug:ipsec_sa_alloc: "
++ "ipsec_sa_alloc: "
+ "memory allocation error\n");
+ *error = -ENOMEM;
+ return NULL;
+ }
+ memset((caddr_t)ips, 0, sizeof(*ips));
-+#if IPSEC_SA_REF_CODE
-+ ips->ips_ref = ipsec_SAref_alloc(error); /* pass in error return by pointer */
-+ KLIPS_PRINT(debug_xform,
-+ "klips_debug:ipsec_sa_alloc: "
-+ "allocated %lu bytes for ipsec_sa struct=0p%p ref=%d.\n",
-+ (unsigned long) sizeof(*ips),
-+ ips,
-+ ips->ips_ref);
-+ if(ips->ips_ref == IPSEC_SAREF_NULL) {
-+ kfree(ips);
-+ KLIPS_PRINT(debug_xform,
-+ "klips_debug:ipsec_sa_alloc: "
-+ "SAref allocation error\n");
-+ return NULL;
-+ }
+
-+ atomic_inc(&ips->ips_refcount);
-+ IPsecSAref2SA(ips->ips_ref) = ips;
-+#endif /* IPSEC_SA_REF_CODE */
++ /* return with at least counter = 1 */
++ ipsec_sa_get(ips);
+
+ *error = 0;
+ return(ips);
+}
+
++void
++ipsec_sa_untern(struct ipsec_sa *ips)
++{
++ IPsecSAref_t ref = ips->ips_ref;
++ int error;
++
++ /* verify that we are removing correct item! */
++ error = ipsec_saref_verify_slot(ref);
++ if(error) {
++ return;
++ }
++
++ if(IPsecSAref2SA(ref) == ips) {
++ IPsecSAref2SA(ref) = NULL;
++ ipsec_sa_put(ips);
++ } else {
++ KLIPS_PRINT(debug_xform,
++ "ipsec_sa_untern: "
++ "ref=%u -> %p but untern'ing %p\n", ref,
++ IPsecSAref2SA(ref), ips);
++ }
++
++}
++
+int
-+ipsec_sa_free(struct ipsec_sa* ips)
++ipsec_sa_intern(struct ipsec_sa *ips)
+{
-+ return ipsec_sa_wipe(ips);
++ int error;
++ IPsecSAref_t ref = ips->ips_ref;
++
++ if(ref == IPSEC_SAREF_NULL) {
++ ref = ipsec_SAref_alloc(&error); /* pass in error return by pointer */
++ KLIPS_PRINT(debug_xform,
++ "ipsec_sa_intern: "
++ "allocated ref=%u for sa %p\n", ref, ips);
++
++ if(ref == IPSEC_SAREF_NULL) {
++ KLIPS_PRINT(debug_xform,
++ "ipsec_sa_intern: "
++ "SAref allocation error\n");
++ return error;
++ }
++
++ ips->ips_ref = ref;
++ }
++
++ error = ipsec_saref_verify_slot(ref);
++ if(error) {
++ return error;
++ }
++
++ ipsec_sa_get(ips);
++ /*
++ * if there is an existing SA at this reference, then free it
++ * note, that nsa might == ips!. That's okay, we just incremented
++ * the reference count above.
++ */
++ {
++ struct ipsec_sa *nsa = IPsecSAref2SA(ref);
++ if(nsa) {
++ ipsec_sa_put(nsa);
++ }
++ }
++
++ KLIPS_PRINT(debug_xform,
++ "ipsec_sa_alloc: "
++ "SAref[%d]=%p\n",
++ ips->ips_ref, ips);
++ IPsecSAref2SA(ips->ips_ref) = ips;
++
++ /* return OK */
++ return 0;
+}
+
++
+struct ipsec_sa *
+ipsec_sa_getbyid(ip_said *said)
+{
+
+ if(said == NULL) {
+ KLIPS_PRINT(debug_xform,
-+ "klips_error:ipsec_sa_getbyid: "
++ "ipsec_sa_getbyid: "
+ "null pointer passed in!\n");
+ return NULL;
+ }
+ hashval = IPS_HASH(said);
+
+ KLIPS_PRINT(debug_xform,
-+ "klips_debug:ipsec_sa_getbyid: "
++ "ipsec_sa_getbyid: "
+ "linked entry in ipsec_sa table for hash=%d of SA:%s requested.\n",
+ hashval,
+ sa_len ? sa : " (error)");
+
+ if((ips = ipsec_sadb_hash[hashval]) == NULL) {
+ KLIPS_PRINT(debug_xform,
-+ "klips_debug:ipsec_sa_getbyid: "
++ "ipsec_sa_getbyid: "
+ "no entries in ipsec_sa table for hash=%d of SA:%s.\n",
+ hashval,
+ sa_len ? sa : " (error)");
+ if ((ips->ips_said.spi == said->spi) &&
+ (ips->ips_said.dst.u.v4.sin_addr.s_addr == said->dst.u.v4.sin_addr.s_addr) &&
+ (ips->ips_said.proto == said->proto)) {
-+ atomic_inc(&ips->ips_refcount);
++ ipsec_sa_get(ips);
+ return ips;
+ }
+ }
+
+ KLIPS_PRINT(debug_xform,
-+ "klips_debug:ipsec_sa_getbyid: "
++ "ipsec_sa_getbyid: "
+ "no entry in linked list for hash=%d of SA:%s.\n",
+ hashval,
+ sa_len ? sa : " (error)");
+ return NULL;
+}
+
-+int
-+ipsec_sa_put(struct ipsec_sa *ips)
++struct ipsec_sa *
++ipsec_sa_getbyref(IPsecSAref_t ref)
++{
++ struct ipsec_sa *ips;
++ struct IPsecSArefSubTable *st = ipsec_sadb.refTable[IPsecSAref2table(ref)];
++
++ if(st == NULL) {
++ return NULL;
++ }
++
++ ips = st->entry[IPsecSAref2entry(ref)];
++ if(ips) {
++ ipsec_sa_get(ips);
++ }
++ return ips;
++}
++
++
++void
++__ipsec_sa_put(struct ipsec_sa *ips, const char *func, int line)
+{
+ char sa[SATOT_BUF];
+ size_t sa_len;
+
+ if(ips == NULL) {
+ KLIPS_PRINT(debug_xform,
-+ "klips_error:ipsec_sa_put: "
++ "ipsec_sa_put: "
+ "null pointer passed in!\n");
-+ return -1;
++ return;
+ }
+
-+ sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa));
++ if(debug_xform) {
++ sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa));
+
-+ KLIPS_PRINT(debug_xform,
-+ "klips_debug:ipsec_sa_put: "
-+ "ipsec_sa SA:%s, ref:%d reference count decremented.\n",
-+ sa_len ? sa : " (error)",
-+ ips->ips_ref);
++ KLIPS_PRINT(debug_xform,
++ "ipsec_sa_put: "
++ "ipsec_sa %p SA:%s, ref:%d reference count (%d--) decremented by %s:%d.\n",
++ ips,
++ sa_len ? sa : " (error)",
++ ips->ips_ref,
++ atomic_read(&ips->ips_refcount),
++ func, line);
++ }
+
-+ atomic_dec(&ips->ips_refcount);
++ if(atomic_dec_and_test(&ips->ips_refcount)) {
++ KLIPS_PRINT(debug_xform,
++ "ipsec_sa_put: freeing %p\n",
++ ips);
++ /* it was zero */
++ ipsec_sa_wipe(ips);
++ }
+
-+ return 0;
++ return;
+}
+
++struct ipsec_sa *
++__ipsec_sa_get(struct ipsec_sa *ips, const char *func, int line)
++{
++ char sa[SATOT_BUF];
++ size_t sa_len;
++
++ if (ips == NULL)
++ return NULL;
++
++ if(debug_xform) {
++ sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa));
++
++ KLIPS_PRINT(debug_xform,
++ "ipsec_sa_get: "
++ "ipsec_sa %p SA:%s, ref:%d reference count (%d++) incremented by %s:%d.\n",
++ ips,
++ sa_len ? sa : " (error)",
++ ips->ips_ref,
++ atomic_read(&ips->ips_refcount),
++ func, line);
++ }
++
++ atomic_inc(&ips->ips_refcount);
++
++ // check to make sure we were not deleted
++ if (ips->ips_marked_deleted) {
++ // we cannot use this reference
++ ipsec_sa_put (ips);
++ ips = NULL;
++ }
++
++ return ips;
++}
++
++
+/*
+ The ipsec_sa table better *NOT* be locked before it is handed in, or SMP locks will happen
+*/
+ int error = 0;
+ unsigned int hashval;
+
++ ips = ipsec_sa_get(ips);
++
+ if(ips == NULL) {
+ KLIPS_PRINT(debug_xform,
+ "klips_error:ipsec_sa_add: "
+ }
+ hashval = IPS_HASH(&ips->ips_said);
+
-+ atomic_inc(&ips->ips_refcount);
+ spin_lock_bh(&tdb_lock);
+
+ ips->ips_hnext = ipsec_sadb_hash[hashval];
+}
+
+/*
-+ The ipsec_sa table better be locked before it is handed in, or races might happen
-+*/
-+int
++ * remove it from the hash chain, decrementing hash count
++ */
++void ipsec_sa_rm(struct ipsec_sa *ips)
++{
++ unsigned int hashval;
++ char sa[SATOT_BUF];
++ size_t sa_len;
++
++
++ if(ips == NULL) {
++ return;
++ }
++
++ sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa));
++
++ hashval = IPS_HASH(&ips->ips_said);
++
++ KLIPS_PRINT(debug_xform,
++ "klips_debug:ipsec_sa_del: "
++ "unhashing SA:%s (ref=%u), hashval=%d.\n",
++ sa_len ? sa : " (error)",
++ ips->ips_ref,
++ hashval);
++
++ if(ipsec_sadb_hash[hashval] == NULL) {
++ return;
++ }
++
++ if (ips == ipsec_sadb_hash[hashval]) {
++ ipsec_sadb_hash[hashval] = ipsec_sadb_hash[hashval]->ips_hnext;
++ ips->ips_hnext = NULL;
++ ipsec_sa_put(ips);
++ KLIPS_PRINT(debug_xform,
++ "klips_debug:ipsec_sa_del: "
++ "successfully unhashed first ipsec_sa in chain.\n");
++ return;
++ } else {
++ struct ipsec_sa *ipstp;
++
++ for (ipstp = ipsec_sadb_hash[hashval];
++ ipstp;
++ ipstp = ipstp->ips_hnext) {
++ if (ipstp->ips_hnext == ips) {
++ ipstp->ips_hnext = ips->ips_hnext;
++ ips->ips_hnext = NULL;
++ ipsec_sa_put(ips);
++ KLIPS_PRINT(debug_xform,
++ "klips_debug:ipsec_sa_del: "
++ "successfully unhashed link in ipsec_sa chain.\n");
++ return;
++ }
++ }
++ }
++}
++
++
++#if 0
++/*
++ * The ipsec_sa table better be locked before it is handed in,
++ * or races might happen.
++ *
++ * this routine assumes the SA has a refcount==0, and we free it.
++ * we also assume that the pointers are already cleaned up.
++ */
++static int
+ipsec_sa_del(struct ipsec_sa *ips)
+{
+ unsigned int hashval;
+ size_t sa_len;
+
+ if(ips == NULL) {
-+ KLIPS_PRINT(debug_xform,
++ KLIPS_ERROR(debug_xform,
+ "klips_error:ipsec_sa_del: "
+ "null pointer passed in!\n");
+ return -ENODATA;
+ }
-+
-+ sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa));
-+ if(ips->ips_inext || ips->ips_onext) {
-+ KLIPS_PRINT(debug_xform,
-+ "klips_error:ipsec_sa_del: "
-+ "SA:%s still linked!\n",
-+ sa_len ? sa : " (error)");
-+ return -EMLINK;
++
++ if(ips->ips_next) {
++ struct ipsec_sa *in = ips->ips_next;
++
++ ips->ips_next=NULL;
++ ipsec_sa_put(in);
+ }
+
++ sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa));
+ hashval = IPS_HASH(&ips->ips_said);
+
+ KLIPS_PRINT(debug_xform,
+ "klips_debug:ipsec_sa_del: "
-+ "deleting SA:%s, hashval=%d.\n",
++ "deleting SA:%s (ref=%u), hashval=%d.\n",
+ sa_len ? sa : " (error)",
++ ips->ips_ref,
+ hashval);
++
+ if(ipsec_sadb_hash[hashval] == NULL) {
++ /* if this is NULL, then we can be sure that the SA was never
++ * added to the SADB, so we just free it.
++ */
+ KLIPS_PRINT(debug_xform,
+ "klips_debug:ipsec_sa_del: "
-+ "no entries in ipsec_sa table for hash=%d of SA:%s.\n",
++ "no entries in ipsec_sa table for hash=%d (ref=%u) of SA:%s.\n",
+ hashval,
++ ips->ips_ref,
+ sa_len ? sa : " (error)");
+ return -ENOENT;
+ }
+ if (ips == ipsec_sadb_hash[hashval]) {
+ ipsec_sadb_hash[hashval] = ipsec_sadb_hash[hashval]->ips_hnext;
+ ips->ips_hnext = NULL;
-+ atomic_dec(&ips->ips_refcount);
++
++ ipsec_sa_put(ips);
+ KLIPS_PRINT(debug_xform,
+ "klips_debug:ipsec_sa_del: "
+ "successfully deleted first ipsec_sa in chain.\n");
+ if (ipstp->ips_hnext == ips) {
+ ipstp->ips_hnext = ips->ips_hnext;
+ ips->ips_hnext = NULL;
-+ atomic_dec(&ips->ips_refcount);
++ ipsec_sa_put(ips);
+ KLIPS_PRINT(debug_xform,
+ "klips_debug:ipsec_sa_del: "
+ "successfully deleted link in ipsec_sa chain.\n");
+ sa_len ? sa : " (error)");
+ return -ENOENT;
+}
-+
-+/*
-+ The ipsec_sa table better be locked before it is handed in, or races
-+ might happen
-+*/
-+int
-+ipsec_sa_delchain(struct ipsec_sa *ips)
-+{
-+ struct ipsec_sa *ipsdel;
-+ int error = 0;
-+ char sa[SATOT_BUF];
-+ size_t sa_len;
-+
-+ if(ips == NULL) {
-+ KLIPS_PRINT(debug_xform,
-+ "klips_error:ipsec_sa_delchain: "
-+ "null pointer passed in!\n");
-+ return -ENODATA;
-+ }
-+
-+ sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa));
-+ KLIPS_PRINT(debug_xform,
-+ "klips_debug:ipsec_sa_delchain: "
-+ "passed SA:%s\n",
-+ sa_len ? sa : " (error)");
-+ while(ips->ips_onext != NULL) {
-+ ips = ips->ips_onext;
-+ }
-+
-+ while(ips) {
-+ /* XXX send a pfkey message up to advise of deleted ipsec_sa */
-+ sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa));
-+ KLIPS_PRINT(debug_xform,
-+ "klips_debug:ipsec_sa_delchain: "
-+ "unlinking and delting SA:%s",
-+ sa_len ? sa : " (error)");
-+ ipsdel = ips;
-+ ips = ips->ips_inext;
-+ if(ips != NULL) {
-+ sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa));
-+ KLIPS_PRINT(debug_xform,
-+ ", inext=%s",
-+ sa_len ? sa : " (error)");
-+ atomic_dec(&ipsdel->ips_refcount);
-+ ipsdel->ips_inext = NULL;
-+ atomic_dec(&ips->ips_refcount);
-+ ips->ips_onext = NULL;
-+ }
-+ KLIPS_PRINT(debug_xform,
-+ ".\n");
-+ if((error = ipsec_sa_del(ipsdel))) {
-+ KLIPS_PRINT(debug_xform,
-+ "klips_debug:ipsec_sa_delchain: "
-+ "ipsec_sa_del returned error %d.\n", -error);
-+ return error;
-+ }
-+ if((error = ipsec_sa_wipe(ipsdel))) {
-+ KLIPS_PRINT(debug_xform,
-+ "klips_debug:ipsec_sa_delchain: "
-+ "ipsec_sa_wipe returned error %d.\n", -error);
-+ return error;
-+ }
-+ }
-+ return error;
-+}
++#endif
+
+int
+ipsec_sadb_cleanup(__u8 proto)
+{
+ unsigned i;
+ int error = 0;
-+ struct ipsec_sa *ips, **ipsprev, *ipsdel;
-+ char sa[SATOT_BUF];
-+ size_t sa_len;
++ struct ipsec_sa *ips;
++ //struct ipsec_sa *ipsnext, **ipsprev;
++ //char sa[SATOT_BUF];
++ //size_t sa_len;
+
+ KLIPS_PRINT(debug_xform,
+ "klips_debug:ipsec_sadb_cleanup: "
+ spin_lock_bh(&tdb_lock);
+
+ for (i = 0; i < SADB_HASHMOD; i++) {
-+ ipsprev = &(ipsec_sadb_hash[i]);
+ ips = ipsec_sadb_hash[i];
-+ if(ips != NULL) {
-+ atomic_inc(&ips->ips_refcount);
-+ }
-+ for(; ips != NULL;) {
-+ sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa));
-+ KLIPS_PRINT(debug_xform,
-+ "klips_debug:ipsec_sadb_cleanup: "
-+ "checking SA:%s, hash=%d, ref=%d",
-+ sa_len ? sa : " (error)",
-+ i,
-+ ips->ips_ref);
-+ ipsdel = ips;
-+ ips = ipsdel->ips_hnext;
-+ if(ips != NULL) {
-+ atomic_inc(&ips->ips_refcount);
-+ sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa));
-+ KLIPS_PRINT(debug_xform,
-+ ", hnext=%s",
-+ sa_len ? sa : " (error)");
-+ }
-+ if(*ipsprev != NULL) {
-+ sa_len = satot(&(*ipsprev)->ips_said, 0, sa, sizeof(sa));
-+ KLIPS_PRINT(debug_xform,
-+ ", *ipsprev=%s",
-+ sa_len ? sa : " (error)");
-+ if((*ipsprev)->ips_hnext) {
-+ sa_len = satot(&(*ipsprev)->ips_hnext->ips_said, 0, sa, sizeof(sa));
-+ KLIPS_PRINT(debug_xform,
-+ ", *ipsprev->ips_hnext=%s",
-+ sa_len ? sa : " (error)");
-+ }
-+ }
-+ KLIPS_PRINT(debug_xform,
-+ ".\n");
-+ if(proto == 0 || (proto == ipsdel->ips_said.proto)) {
-+ sa_len = satot(&ipsdel->ips_said, 0, sa, sizeof(sa));
-+ KLIPS_PRINT(debug_xform,
-+ "klips_debug:ipsec_sadb_cleanup: "
-+ "deleting SA chain:%s.\n",
-+ sa_len ? sa : " (error)");
-+ if((error = ipsec_sa_delchain(ipsdel))) {
-+ SENDERR(-error);
-+ }
-+ ipsprev = &(ipsec_sadb_hash[i]);
-+ ips = ipsec_sadb_hash[i];
++
++ while(ips) {
++ ipsec_sadb_hash[i]=ips->ips_hnext;
++ ips->ips_hnext=NULL;
++ ipsec_sa_put(ips);
+
-+ KLIPS_PRINT(debug_xform,
-+ "klips_debug:ipsec_sadb_cleanup: "
-+ "deleted SA chain:%s",
-+ sa_len ? sa : " (error)");
-+ if(ips != NULL) {
-+ sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa));
-+ KLIPS_PRINT(debug_xform,
-+ ", ipsec_sadb_hash[%d]=%s",
-+ i,
-+ sa_len ? sa : " (error)");
-+ }
-+ if(*ipsprev != NULL) {
-+ sa_len = satot(&(*ipsprev)->ips_said, 0, sa, sizeof(sa));
-+ KLIPS_PRINT(debug_xform,
-+ ", *ipsprev=%s",
-+ sa_len ? sa : " (error)");
-+ if((*ipsprev)->ips_hnext != NULL) {
-+ sa_len = satot(&(*ipsprev)->ips_hnext->ips_said, 0, sa, sizeof(sa));
-+ KLIPS_PRINT(debug_xform,
-+ ", *ipsprev->ips_hnext=%s",
-+ sa_len ? sa : " (error)");
-+ }
-+ }
-+ KLIPS_PRINT(debug_xform,
-+ ".\n");
-+ } else {
-+ ipsprev = &ipsdel;
-+ }
-+ if(ipsdel != NULL) {
-+ ipsec_sa_put(ipsdel);
-+ }
++ ips = ipsec_sadb_hash[i];
+ }
+ }
-+ errlab:
++
++//errlab:
+
+ spin_unlock_bh(&tdb_lock);
+
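Review bot: The new unhash loop in `ipsec_sadb_cleanup()` ignores the `proto` parameter: the removed code only deleted SAs matching `proto == 0 || proto == ipsdel->ips_said.proto`, whereas the replacement pops every entry of every bucket, so a caller asking to flush only AH or ESP now tears down the whole SADB (the signature still takes `__u8 proto`, in the hunk just above). Either keep the filter, which needs a previous-pointer walk because `ipsec_sa_put()` presumably frees the entry, or rename and document the function as a flush-everything operation and make callers pass 0. The function starts before this hunk.
```c
	for (i = 0; i < SADB_HASHMOD; i++) {
		struct ipsec_sa **prev = &ipsec_sadb_hash[i];

		ips = ipsec_sadb_hash[i];
		while(ips) {
			struct ipsec_sa *next = ips->ips_hnext;

			if(proto == 0 || proto == ips->ips_said.proto) {
				/* unlink first, then drop the hash table's reference */
				*prev = next;
				ips->ips_hnext = NULL;
				ipsec_sa_put(ips);
			} else {
				prev = &ips->ips_hnext;
			}
			ips = next;
		}
	}
	/* … unchanged: unlock and return … */
```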
+ }
+ for(entry = 0; entry < IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES; entry++) {
+ if(ipsec_sadb.refTable[table]->entry[entry] != NULL) {
-+ ipsec_sa_delchain(ipsec_sadb.refTable[table]->entry[entry]);
++ struct ipsec_sa *sa1 = ipsec_sadb.refTable[table]->entry[entry];
++ ipsec_sa_put(sa1);
+ ipsec_sadb.refTable[table]->entry[entry] = NULL;
+ }
+ }
+ }
+ for(entry = 0; entry < IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES; entry++) {
+ if(ipsec_sadb.refTable[table]->entry[entry] != NULL) {
-+ ipsec_sa_delchain(ipsec_sadb.refTable[table]->entry[entry]);
++ struct ipsec_sa *sa1 = ipsec_sadb.refTable[table]->entry[entry];
++
++ BUG_ON(atomic_read(&sa1->ips_refcount) == 1);
++ ipsec_sa_put(sa1);
+ ipsec_sadb.refTable[table]->entry[entry] = NULL;
+ }
+ }
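Review bot: `BUG_ON(atomic_read(&sa1->ips_refcount) == 1)` turns a refcount inconsistency in the SAref table into a kernel panic, and it is not clear from the visible code why a count of exactly 1 (the table holding the last reference, which the following `ipsec_sa_put()` would simply release) must be impossible here; the otherwise identical loop in the hunk above carries no such check. A bookkeeping error at teardown deserves a report, not a crash of the whole host, so prefer `WARN_ON(atomic_read(&sa1->ips_refcount) == 1);` and still perform the put, or add a comment stating the invariant this asserts. The enclosing function starts and ends outside this hunk.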
+ return(error);
+}
+
-+int
++static int
+ipsec_sa_wipe(struct ipsec_sa *ips)
+{
+ if(ips == NULL) {
+ return -ENODATA;
+ }
+
-+ /* if(atomic_dec_and_test(ips)) {
-+ }; */
-+
-+#if IPSEC_SA_REF_CODE
-+ /* remove me from the SArefTable */
-+ {
-+ char sa[SATOT_BUF];
-+ size_t sa_len;
-+ sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa));
-+ KLIPS_PRINT(debug_xform,
-+ "klips_debug:ipsec_sa_wipe: "
-+ "removing SA=%s(0p%p), SAref=%d, table=%d(0p%p), entry=%d from the refTable.\n",
-+ sa_len ? sa : " (error)",
-+ ips,
-+ ips->ips_ref,
-+ IPsecSAref2table(IPsecSA2SAref(ips)),
-+ ipsec_sadb.refTable[IPsecSAref2table(IPsecSA2SAref(ips))],
-+ IPsecSAref2entry(IPsecSA2SAref(ips)));
-+ }
-+ if(ips->ips_ref == IPSEC_SAREF_NULL) {
-+ KLIPS_PRINT(debug_xform,
-+ "klips_debug:ipsec_sa_wipe: "
-+ "why does this SA not have a valid SAref?.\n");
-+ }
-+ ipsec_sadb.refTable[IPsecSAref2table(IPsecSA2SAref(ips))]->entry[IPsecSAref2entry(IPsecSA2SAref(ips))] = NULL;
-+ ips->ips_ref = IPSEC_SAREF_NULL;
-+ ipsec_sa_put(ips);
-+#endif /* IPSEC_SA_REF_CODE */
-+
+ /* paranoid clean up */
+ if(ips->ips_addr_s != NULL) {
+ memset((caddr_t)(ips->ips_addr_s), 0, ips->ips_addr_s_size);
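Review bot: The hunk deletes the code in `ipsec_sa_wipe()` that cleared `ipsec_sadb.refTable[...]->entry[...]` and reset `ips_ref` before the SA memory is released, and nothing added here replaces it, so unless the new owner of that step (presumably `ipsec_sa_put()`, not visible on this page) detaches the SAref entry before calling wipe, the table is left pointing at freed memory and the next SAref lookup dereferences it. Either point to where the entry is now cleared in a comment above the function, e.g. `/* Caller (ipsec_sa_put) has already detached the SAref entry and dropped the refcount to 0. */`, or keep the table clearing here next to the `BUG_ON(refcount != 0)` invariant. Making the function `static` is fine only if the matching prototype is removed from the header; ipsec_sa_wipe continues past the end of this hunk.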
+ ipsec_alg_sa_wipe(ips);
+ }
+
++ BUG_ON(atomic_read(&ips->ips_refcount) != 0);
++
+ memset((caddr_t)ips, 0, sizeof(*ips));
+ kfree(ips);
+ ips = NULL;
+ IPS_XFORM_NAME(ipsp));
+
+ switch(ipsp->ips_said.proto) {
-+
+#ifdef CONFIG_KLIPS_IPIP
+ case IPPROTO_IPIP: {
++ ipsp->ips_xformfuncs = ipip_xform_funcs;
+ addrtoa(((struct sockaddr_in*)(ipsp->ips_addr_s))->sin_addr,
+ 0,
+ ipaddr_txt, sizeof(ipaddr_txt));
+
+#ifdef CONFIG_KLIPS_AH
+ case IPPROTO_AH:
++ ipsp->ips_xformfuncs = ah_xform_funcs;
++
+ switch(ipsp->ips_authalg) {
+# ifdef CONFIG_KLIPS_AUTH_HMAC_MD5
+ case AH_MD5: {
+
+#ifdef CONFIG_KLIPS_ESP
+ case IPPROTO_ESP:
++ ipsp->ips_xformfuncs = esp_xform_funcs;
+ {
+#if defined (CONFIG_KLIPS_AUTH_HMAC_MD5) || defined (CONFIG_KLIPS_AUTH_HMAC_SHA1)
+ unsigned char *akp;
+
+ if (ixt_e == NULL) {
+ if(printk_ratelimit()) {
-+ printk(KERN_INFO
++ printk(KERN_ERR
+ "ipsec_sa_init: "
+ "encalg=%d support not available in the kernel",
+ ipsp->ips_encalg);
+#endif /* !CONFIG_KLIPS_ESP */
+#ifdef CONFIG_KLIPS_IPCOMP
+ case IPPROTO_COMP:
++ ipsp->ips_xformfuncs = ipcomp_xform_funcs;
+ ipsp->ips_comp_adapt_tries = 0;
+ ipsp->ips_comp_adapt_skip = 0;
+ ipsp->ips_comp_ratio_cbytes = 0;
+ return(error);
+}
+
-+
-+
+/*
-+ * $Log: ipsec_sa.c,v $
-+ * Revision 1.30.2.2 2006/10/06 21:39:26 paul
-+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
-+ * set. This is defined through autoconf.h which is included through the
-+ * linux kernel build macros.
-+ *
-+ * Revision 1.30.2.1 2006/04/20 16:33:07 mcr
-+ * remove all of CONFIG_KLIPS_ALG --- one can no longer build without it.
-+ * Fix in-kernel module compilation. Sub-makefiles do not work.
-+ *
-+ * Revision 1.30 2005/05/24 01:02:35 mcr
-+ * some refactoring/simplification of situation where alg
-+ * is not found.
-+ *
-+ * Revision 1.29 2005/05/18 19:13:28 mcr
-+ * rename debug messages. make sure that algo not found is not
-+ * a debug message.
-+ *
-+ * Revision 1.28 2005/05/11 01:30:20 mcr
-+ * removed "poor-man"s OOP in favour of proper C structures.
-+ *
-+ * Revision 1.27 2005/04/29 05:10:22 mcr
-+ * removed from extraenous includes to make unit testing easier.
-+ *
-+ * Revision 1.26 2005/04/14 20:56:24 mcr
-+ * moved (pfkey_)ipsec_sa_init to ipsec_sa.c.
-+ *
-+ * Revision 1.25 2004/08/22 20:12:16 mcr
-+ * one more KLIPS_NAT->IPSEC_NAT.
-+ *
-+ * Revision 1.24 2004/07/10 19:11:18 mcr
-+ * CONFIG_IPSEC -> CONFIG_KLIPS.
-+ *
-+ * Revision 1.23 2004/04/06 02:49:26 mcr
-+ * pullup of algo code from alg-branch.
-+ *
-+ * Revision 1.22.2.1 2003/12/22 15:25:52 jjo
-+ * . Merged algo-0.8.1-rc11-test1 into alg-branch
-+ *
-+ * Revision 1.22 2003/12/10 01:14:27 mcr
-+ * NAT-traversal patches to KLIPS.
-+ *
-+ * Revision 1.21 2003/10/31 02:27:55 mcr
-+ * pulled up port-selector patches and sa_id elimination.
-+ *
-+ * Revision 1.20.4.1 2003/10/29 01:30:41 mcr
-+ * elimited "struct sa_id".
-+ *
-+ * Revision 1.20 2003/02/06 01:50:34 rgb
-+ * Fixed initialisation bug for first sadb hash bucket that would only manifest itself on platforms where NULL != 0.
-+ *
-+ * Revision 1.19 2003/01/30 02:32:22 rgb
-+ *
-+ * Rename SAref table macro names for clarity.
-+ * Transmit error code through to caller from callee for better diagnosis of problems.
-+ * Convert IPsecSAref_t from signed to unsigned to fix apparent SAref exhaustion bug.
-+ *
-+ * Revision 1.18 2002/10/12 23:11:53 dhr
-+ *
-+ * [KenB + DHR] more 64-bit cleanup
-+ *
-+ * Revision 1.17 2002/10/07 18:31:43 rgb
-+ * Move field width sanity checks to ipsec_sa.c
-+ *
-+ * Revision 1.16 2002/09/20 15:41:02 rgb
-+ * Re-wrote most of the SAref code to eliminate Entry pointers.
-+ * Added SAref code compiler directive switch.
-+ * Added a saref test function for testing macros.
-+ * Switch from pfkey_alloc_ipsec_sa() to ipsec_sa_alloc().
-+ * Split ipsec_sadb_cleanup from new funciton ipsec_sadb_free to avoid problem
-+ * of freeing newly created structures when clearing the reftable upon startup
-+ * to start from a known state.
-+ * Place all ipsec sadb globals into one struct.
-+ * Rework saref freelist.
-+ * Added memory allocation debugging.
-+ *
-+ * Revision 1.15 2002/09/20 05:01:44 rgb
-+ * Update copyright date.
-+ *
-+ * Revision 1.14 2002/08/13 19:01:25 mcr
-+ * patches from kenb to permit compilation of FreeSWAN on ia64.
-+ * des library patched to use proper DES_LONG type for ia64.
-+ *
-+ * Revision 1.13 2002/07/29 03:06:20 mcr
-+ * get rid of variable not used warnings.
-+ *
-+ * Revision 1.12 2002/07/26 08:48:31 rgb
-+ * Added SA ref table code.
-+ *
-+ * Revision 1.11 2002/06/04 16:48:49 rgb
-+ * Tidied up pointer code for processor independance.
-+ *
-+ * Revision 1.10 2002/05/23 07:16:17 rgb
-+ * Added ipsec_sa_put() for releasing an ipsec_sa refcount.
-+ * Pointer clean-up.
-+ * Added refcount code.
-+ * Convert "usecount" to "refcount" to remove ambiguity.
-+ *
-+ * Revision 1.9 2002/05/14 02:34:49 rgb
-+ * Converted reference from ipsec_sa_put to ipsec_sa_add to avoid confusion
-+ * with "put" usage in the kernel.
-+ * Change all references to tdb, TDB or Tunnel Descriptor Block to ips,
-+ * ipsec_sa or ipsec_sa.
-+ * Added some preliminary refcount code.
-+ *
-+ * Revision 1.8 2002/04/24 07:55:32 mcr
-+ * #include patches and Makefiles for post-reorg compilation.
-+ *
-+ * Revision 1.7 2002/04/24 07:36:30 mcr
-+ * Moved from ./klips/net/ipsec/ipsec_sa.c,v
-+ *
-+ * Revision 1.6 2002/04/20 00:12:25 rgb
-+ * Added esp IV CBC attack fix, disabled.
-+ *
-+ * Revision 1.5 2002/01/29 17:17:56 mcr
-+ * moved include of ipsec_param.h to after include of linux/kernel.h
-+ * otherwise, it seems that some option that is set in ipsec_param.h
-+ * screws up something subtle in the include path to kernel.h, and
-+ * it complains on the snprintf() prototype.
-+ *
-+ * Revision 1.4 2002/01/29 04:00:52 mcr
-+ * more excise of kversions.h header.
-+ *
-+ * Revision 1.3 2002/01/29 02:13:18 mcr
-+ * introduction of ipsec_kversion.h means that include of
-+ * ipsec_param.h must preceed any decisions about what files to
-+ * include to deal with differences in kernel source.
-+ *
-+ * Revision 1.2 2001/11/26 09:16:15 rgb
-+ * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
-+ *
-+ * Revision 1.1.2.2 2001/10/22 21:05:41 mcr
-+ * removed phony prototype for des_set_key.
-+ *
-+ * Revision 1.1.2.1 2001/09/25 02:24:57 mcr
-+ * struct tdb -> struct ipsec_sa.
-+ * sa(tdb) manipulation functions renamed and moved to ipsec_sa.c
-+ * ipsec_xform.c removed. header file still contains useful things.
-+ *
-+ *
-+ *
-+ * CLONED from ipsec_xform.c:
-+ * Revision 1.53 2001/09/08 21:13:34 rgb
-+ * Added pfkey ident extension support for ISAKMPd. (NetCelo)
-+ *
-+ * Revision 1.52 2001/06/14 19:35:11 rgb
-+ * Update copyright date.
-+ *
-+ * Revision 1.51 2001/05/30 08:14:03 rgb
-+ * Removed vestiges of esp-null transforms.
-+ *
-+ * Revision 1.50 2001/05/03 19:43:18 rgb
-+ * Initialise error return variable.
-+ * Update SENDERR macro.
-+ * Fix sign of error return code for ipsec_tdbcleanup().
-+ * Use more appropriate return code for ipsec_tdbwipe().
-+ *
-+ * Revision 1.49 2001/04/19 18:56:17 rgb
-+ * Fixed tdb table locking comments.
-+ *
-+ * Revision 1.48 2001/02/27 22:24:55 rgb
-+ * Re-formatting debug output (line-splitting, joining, 1arg/line).
-+ * Check for satoa() return codes.
-+ *
-+ * Revision 1.47 2000/11/06 04:32:08 rgb
-+ * Ditched spin_lock_irqsave in favour of spin_lock_bh.
-+ *
-+ * Revision 1.46 2000/09/20 16:21:57 rgb
-+ * Cleaned up ident string alloc/free.
-+ *
-+ * Revision 1.45 2000/09/08 19:16:51 rgb
-+ * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
-+ * Removed all references to CONFIG_IPSEC_PFKEYv2.
-+ *
-+ * Revision 1.44 2000/08/30 05:29:04 rgb
-+ * Compiler-define out no longer used tdb_init() in ipsec_xform.c.
-+ *
-+ * Revision 1.43 2000/08/18 21:30:41 rgb
-+ * Purged all tdb_spi, tdb_proto and tdb_dst macros. They are unclear.
-+ *
-+ * Revision 1.42 2000/08/01 14:51:51 rgb
-+ * Removed _all_ remaining traces of DES.
-+ *
-+ * Revision 1.41 2000/07/28 14:58:31 rgb
-+ * Changed kfree_s to kfree, eliminating extra arg to fix 2.4.0-test5.
-+ *
-+ * Revision 1.40 2000/06/28 05:50:11 rgb
-+ * Actually set iv_bits.
-+ *
-+ * Revision 1.39 2000/05/10 23:11:09 rgb
-+ * Added netlink debugging output.
-+ * Added a cast to quiet down the ntohl bug.
-+ *
-+ * Revision 1.38 2000/05/10 19:18:42 rgb
-+ * Cast output of ntohl so that the broken prototype doesn't make our
-+ * compile noisy.
-+ *
-+ * Revision 1.37 2000/03/16 14:04:59 rgb
-+ * Hardwired CONFIG_IPSEC_PFKEYv2 on.
-+ *
-+ * Revision 1.36 2000/01/26 10:11:28 rgb
-+ * Fixed spacing in error text causing run-in words.
-+ *
-+ * Revision 1.35 2000/01/21 06:17:16 rgb
-+ * Tidied up compiler directive indentation for readability.
-+ * Added ictx,octx vars for simplification.(kravietz)
-+ * Added macros for HMAC padding magic numbers.(kravietz)
-+ * Fixed missing key length reporting bug.
-+ * Fixed bug in tdbwipe to return immediately on NULL tdbp passed in.
-+ *
-+ * Revision 1.34 1999/12/08 00:04:19 rgb
-+ * Fixed SA direction overwriting bug for netlink users.
-+ *
-+ * Revision 1.33 1999/12/01 22:16:44 rgb
-+ * Minor formatting changes in ESP MD5 initialisation.
-+ *
-+ * Revision 1.32 1999/11/25 09:06:36 rgb
-+ * Fixed error return messages, should be returning negative numbers.
-+ * Implemented SENDERR macro for propagating error codes.
-+ * Added debug message and separate error code for algorithms not compiled
-+ * in.
-+ *
-+ * Revision 1.31 1999/11/23 23:06:26 rgb
-+ * Sort out pfkey and freeswan headers, putting them in a library path.
-+ *
-+ * Revision 1.30 1999/11/18 04:09:20 rgb
-+ * Replaced all kernel version macros to shorter, readable form.
-+ *
-+ * Revision 1.29 1999/11/17 15:53:40 rgb
-+ * Changed all occurrences of #include "../../../lib/freeswan.h"
-+ * to #include <freeswan.h> which works due to -Ilibfreeswan in the
-+ * klips/net/ipsec/Makefile.
-+ *
-+ * Revision 1.28 1999/10/18 20:04:01 rgb
-+ * Clean-out unused cruft.
-+ *
-+ * Revision 1.27 1999/10/03 19:01:03 rgb
-+ * Spinlock support for 2.3.xx and 2.0.xx kernels.
-+ *
-+ * Revision 1.26 1999/10/01 16:22:24 rgb
-+ * Switch from assignment init. to functional init. of spinlocks.
-+ *
-+ * Revision 1.25 1999/10/01 15:44:54 rgb
-+ * Move spinlock header include to 2.1> scope.
-+ *
-+ * Revision 1.24 1999/10/01 00:03:46 rgb
-+ * Added tdb structure locking.
-+ * Minor formatting changes.
-+ * Add function to initialize tdb hash table.
-+ *
-+ * Revision 1.23 1999/05/25 22:42:12 rgb
-+ * Add deltdbchain() debugging.
-+ *
-+ * Revision 1.22 1999/05/25 21:24:31 rgb
-+ * Add debugging statements to deltdbchain().
-+ *
-+ * Revision 1.21 1999/05/25 03:51:48 rgb
-+ * Refix error return code.
-+ *
-+ * Revision 1.20 1999/05/25 03:34:07 rgb
-+ * Fix error return for flush.
-+ *
-+ * Revision 1.19 1999/05/09 03:25:37 rgb
-+ * Fix bug introduced by 2.2 quick-and-dirty patch.
-+ *
-+ * Revision 1.18 1999/05/05 22:02:32 rgb
-+ * Add a quick and dirty port to 2.2 kernels by Marc Boucher <marc@mbsi.ca>.
-+ *
-+ * Revision 1.17 1999/04/29 15:20:16 rgb
-+ * Change gettdb parameter to a pointer to reduce stack loading and
-+ * facilitate parameter sanity checking.
-+ * Add sanity checking for null pointer arguments.
-+ * Add debugging instrumentation.
-+ * Add function deltdbchain() which will take care of unlinking,
-+ * zeroing and deleting a chain of tdbs.
-+ * Add a parameter to tdbcleanup to be able to delete a class of SAs.
-+ * tdbwipe now actually zeroes the tdb as well as any of its pointed
-+ * structures.
-+ *
-+ * Revision 1.16 1999/04/16 15:36:29 rgb
-+ * Fix cut-and-paste error causing a memory leak in IPIP TDB freeing.
-+ *
-+ * Revision 1.15 1999/04/11 00:29:01 henry
-+ * GPL boilerplate
-+ *
-+ * Revision 1.14 1999/04/06 04:54:28 rgb
-+ * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
-+ * patch shell fixes.
-+ *
-+ * Revision 1.13 1999/02/19 18:23:01 rgb
-+ * Nix debug off compile warning.
-+ *
-+ * Revision 1.12 1999/02/17 16:52:16 rgb
-+ * Consolidate satoa()s for space and speed efficiency.
-+ * Convert DEBUG_IPSEC to KLIPS_PRINT
-+ * Clean out unused cruft.
-+ * Ditch NET_IPIP dependancy.
-+ * Loop for 3des key setting.
-+ *
-+ * Revision 1.11 1999/01/26 02:09:05 rgb
-+ * Remove ah/esp/IPIP switching on include files.
-+ * Removed CONFIG_IPSEC_ALGO_SWITCH macro.
-+ * Removed dead code.
-+ * Clean up debug code when switched off.
-+ * Remove references to INET_GET_PROTOCOL.
-+ * Added code exclusion macros to reduce code from unused algorithms.
-+ *
-+ * Revision 1.10 1999/01/22 06:28:55 rgb
-+ * Cruft clean-out.
-+ * Put random IV generation in kernel.
-+ * Added algorithm switch code.
-+ * Enhanced debugging.
-+ * 64-bit clean-up.
-+ *
-+ * Revision 1.9 1998/11/30 13:22:55 rgb
-+ * Rationalised all the klips kernel file headers. They are much shorter
-+ * now and won't conflict under RH5.2.
-+ *
-+ * Revision 1.8 1998/11/25 04:59:06 rgb
-+ * Add conditionals for no IPIP tunnel code.
-+ * Delete commented out code.
-+ *
-+ * Revision 1.7 1998/10/31 06:50:41 rgb
-+ * Convert xform ASCII names to no spaces.
-+ * Fixed up comments in #endif directives.
-+ *
-+ * Revision 1.6 1998/10/19 14:44:28 rgb
-+ * Added inclusion of freeswan.h.
-+ * sa_id structure implemented and used: now includes protocol.
-+ *
-+ * Revision 1.5 1998/10/09 04:32:19 rgb
-+ * Added 'klips_debug' prefix to all klips printk debug statements.
-+ *
-+ * Revision 1.4 1998/08/12 00:11:31 rgb
-+ * Added new xform functions to the xform table.
-+ * Fixed minor debug output spelling error.
-+ *
-+ * Revision 1.3 1998/07/09 17:45:31 rgb
-+ * Clarify algorithm not available message.
-+ *
-+ * Revision 1.2 1998/06/23 03:00:51 rgb
-+ * Check for presence of IPIP protocol if it is setup one way (we don't
-+ * know what has been set up the other way and can only assume it will be
-+ * symmetrical with the exception of keys).
-+ *
-+ * Revision 1.1 1998/06/18 21:27:51 henry
-+ * move sources from klips/src to klips/net/ipsec, to keep stupid
-+ * kernel-build scripts happier in the presence of symlinks
-+ *
-+ * Revision 1.3 1998/06/11 05:54:59 rgb
-+ * Added transform version string pointer to xformsw initialisations.
-+ *
-+ * Revision 1.2 1998/04/21 21:28:57 rgb
-+ * Rearrange debug switches to change on the fly debug output from user
-+ * space. Only kernel changes checked in at this time. radij.c was also
-+ * changed to temporarily remove buggy debugging code in rj_delete causing
-+ * an OOPS and hence, netlink device open errors.
-+ *
-+ * Revision 1.1 1998/04/09 03:06:13 henry
-+ * sources moved up from linux/net/ipsec
-+ *
-+ * Revision 1.1.1.1 1998/04/08 05:35:02 henry
-+ * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
-+ *
-+ * Revision 0.5 1997/06/03 04:24:48 ji
-+ * Added ESP-3DES-MD5-96
-+ *
-+ * Revision 0.4 1997/01/15 01:28:15 ji
-+ * Added new transforms.
-+ *
-+ * Revision 0.3 1996/11/20 14:39:04 ji
-+ * Minor cleanups.
-+ * Rationalized debugging code.
-+ *
-+ * Revision 0.2 1996/11/02 00:18:33 ji
-+ * First limited release.
+ *
++ * Local Variables:
++ * c-file-style: "linux"
++ * End:
+ *
+ */
++
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_sha1.c Mon Feb 9 13:51:03 2004
@@ -0,0 +1,219 @@
+ */
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_snprintf.c Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,135 @@
+@@ -0,0 +1,130 @@
+/*
+ * @(#) ipsec_snprintf() function
+ *
+
+#include "openswan/ipsec_proto.h"
+
-+#include <pfkeyv2.h>
-+#include <pfkey.h>
++#include <openswan/pfkeyv2.h>
++#include <openswan/pfkey.h>
+
+/* ipsec_snprintf: like snprintf except
+ * - size is signed and a negative value is treated as if it were 0
+/*
+ *
+ * $Log: ipsec_snprintf.c,v $
-+ * Revision 1.3.2.1 2006/10/06 21:39:26 paul
-+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
-+ * set. This is defined through autoconf.h which is included through the
-+ * linux kernel build macros.
-+ *
+ * Revision 1.3 2005/04/29 05:10:22 mcr
+ * removed from extraenous includes to make unit testing easier.
+ *
+
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_tunnel.c Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,2878 @@
+@@ -0,0 +1,2938 @@
+/*
+ * IPSEC Tunneling code. Heavily based on drivers/net/new_tunnel.c
+ * Copyright (C) 1996, 1997 John Ioannidis.
+ * for more details.
+ */
+
-+char ipsec_tunnel_c_version[] = "RCSID $Id: ipsec_tunnel.c,v 1.232.2.5 2006/10/06 21:39:26 paul Exp $";
++char ipsec_tunnel_c_version[] = "RCSID $Id: ipsec_tunnel.c,v 1.234 2005/11/11 04:46:38 paul Exp $";
+
+#define __NO_VERSION__
+#include <linux/module.h>
+#include "openswan/ipsec_esp.h"
+#include "openswan/ipsec_kern24.h"
+
-+#include <pfkeyv2.h>
-+#include <pfkey.h>
++#include <openswan/pfkeyv2.h>
++#include <openswan/pfkey.h>
+
+#include "openswan/ipsec_proto.h"
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+ return 0;
+}
+
-+#ifdef NETDEV_23
+static inline int ipsec_tunnel_xmit2(struct sk_buff *skb)
+{
++
+#ifdef NETDEV_25 /* 2.6 kernels */
+ return dst_output(skb);
+#else
+ return ip_send(skb);
+#endif
+}
-+#endif /* NETDEV_23 */
+
+enum ipsec_xmit_value
+ipsec_tunnel_strip_hard_header(struct ipsec_xmit_state *ixs)
+
+ if(ixs->skb->sk) {
+#ifdef NET_26
++#ifdef HAVE_INET_SK_SPORT
++ ixs->sport = ntohs(inet_sk(ixs->skb->sk)->sport);
++ ixs->dport = ntohs(inet_sk(ixs->skb->sk)->dport);
++#else
+ struct udp_sock *us;
+
+ us = (struct udp_sock *)ixs->skb->sk;
+
+ ixs->sport = ntohs(us->inet.sport);
+ ixs->dport = ntohs(us->inet.dport);
++#endif
+#else
+ ixs->sport = ntohs(ixs->skb->sk->sport);
+ ixs->dport = ntohs(ixs->skb->sk->dport);
+ ixs->sport = ntohs(inet_sk(ixs->skb->sk)->sport);
+ ixs->dport = ntohs(inet_sk(ixs->skb->sk)->dport);
+#else
-+ struct tcp_tw_bucket *tw;
-+
-+ tw = (struct tcp_tw_bucket *)ixs->skb->sk;
-+
-+ ixs->sport = ntohs(tw->tw_sport);
-+ ixs->dport = ntohs(tw->tw_dport);
++ struct tcp_tw_bucket *tw;
++
++ tw = (struct tcp_tw_bucket *)ixs->skb->sk;
++ ixs->sport = ntohs(tw->tw_sport);
++ ixs->dport = ntohs(tw->tw_dport);
+#endif
+#else
+ ixs->sport = ntohs(ixs->skb->sk->sport);
+enum ipsec_xmit_value
+ipsec_tunnel_send(struct ipsec_xmit_state*ixs)
+{
++ int err;
+#ifdef NETDEV_25
+ struct flowi fl;
+#endif
+
-+#ifdef NET_21 /* 2.2 and 2.4 kernels */
+ /* new route/dst cache code from James Morris */
+ ixs->skb->dev = ixs->physdev;
+#ifdef NETDEV_25
-+ memset (&fl, 0x0, sizeof (struct flowi));
+ fl.oif = ixs->physdev->iflink;
+ fl.nl_u.ip4_u.daddr = ixs->skb->nh.iph->daddr;
+ fl.nl_u.ip4_u.saddr = ixs->pass ? 0 : ixs->skb->nh.iph->saddr;
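Review bot: Removing `memset (&fl, 0x0, sizeof (struct flowi));` leaves every field of `fl` except `oif`, `daddr` and `saddr` holding uninitialised stack contents when it is handed to the route lookup later in `ipsec_tunnel_send()` (outside this hunk), so the route chosen for tunnelled packets can depend on garbage in whatever other selectors `struct flowi` carries. The changelog entry this same diff deletes further down (revision 1.232.2.3, bug 568) describes exactly that failure and the memset was its fix, so restore `memset(&fl, 0, sizeof(fl));` directly under the `#ifdef NETDEV_25`. If the omission is deliberate, use a designated initialiser or leave a comment so the line is not treated as dead code again.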
+ ixs->route->u.dst.dev->name);
+ return IPSEC_XMIT_ROUTEERR;
+ }
++
+ if(ixs->dev == ixs->route->u.dst.dev) {
+ ip_rt_put(ixs->route);
+ /* This is recursion, drop it. */
+ }
+ dst_release(ixs->skb->dst);
+ ixs->skb->dst = &ixs->route->u.dst;
++
+ ixs->stats->tx_bytes += ixs->skb->len;
+ if(ixs->skb->len < ixs->skb->nh.raw - ixs->skb->data) {
+ ixs->stats->tx_errors++;
+ __skb_pull(ixs->skb, ixs->skb->nh.raw - ixs->skb->data);
+#ifdef SKB_RESET_NFCT
+ if(!ixs->pass) {
-+ nf_conntrack_put(ixs->skb->nfct);
-+ ixs->skb->nfct = NULL;
++ nf_conntrack_put(ixs->skb->nfct);
++ ixs->skb->nfct = NULL;
+ }
+#if defined(CONFIG_NETFILTER_DEBUG) && defined(HAVE_SKB_NF_DEBUG)
+ ixs->skb->nf_debug = 0;
+ "...done, calling ip_send() on device:%s\n",
+ ixs->skb->dev ? ixs->skb->dev->name : "NULL");
+ KLIPS_IP_PRINT(debug_tunnel & DB_TN_XMIT, ixs->skb->nh.iph);
-+#ifdef NETDEV_23 /* 2.4 kernels */
-+ {
-+ int err;
+
-+ err = NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, ixs->skb, NULL, ixs->route->u.dst.dev,
-+ ipsec_tunnel_xmit2);
-+ if(err != NET_XMIT_SUCCESS && err != NET_XMIT_CN) {
-+ if(net_ratelimit())
-+ printk(KERN_ERR
-+ "klips_error:ipsec_xmit_send: "
-+ "ip_send() failed, err=%d\n",
-+ -err);
-+ ixs->stats->tx_errors++;
-+ ixs->stats->tx_aborted_errors++;
-+ ixs->skb = NULL;
-+ return IPSEC_XMIT_IPSENDFAILURE;
-+ }
++ if(ixs->pass) {
++ err = ipsec_tunnel_xmit2(ixs->skb);
++ } else {
++ err = NF_HOOK(PF_INET, NF_IP_LOCAL_OUT,
++ ixs->skb, NULL, ixs->route->u.dst.dev,
++ ipsec_tunnel_xmit2);
++ }
++ if(err != NET_XMIT_SUCCESS && err != NET_XMIT_CN) {
++ if(net_ratelimit())
++ printk(KERN_ERR
++ "klips_error:ipsec_xmit_send: "
++ "ip_send() failed, err=%d\n",
++ -err);
++ ixs->stats->tx_errors++;
++ ixs->stats->tx_aborted_errors++;
++ ixs->skb = NULL;
++ return IPSEC_XMIT_IPSENDFAILURE;
+ }
-+#else /* NETDEV_23 */ /* 2.2 kernels */
-+ ip_send(ixs->skb);
-+#endif /* NETDEV_23 */
-+#else /* NET_21 */ /* 2.0 kernels */
-+ ixs->skb->arp = 1;
-+ /* ISDN/ASYNC PPP from Matjaz Godec. */
-+ /* skb->protocol = htons(ETH_P_IP); */
-+ KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
-+ "klips_debug:ipsec_xmit_send: "
-+ "...done, calling dev_queue_xmit() or ip_fragment().\n");
-+ IP_SEND(ixs->skb, ixs->physdev);
-+#endif /* NET_21 */
++
+ ixs->stats->tx_packets++;
+
+ ixs->skb = NULL;
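Review bot: Packets with `ixs->pass` set now go straight to `ipsec_tunnel_xmit2()` and skip the `NF_IP_LOCAL_OUT` hook that the old code ran every packet through, so netfilter OUTPUT rules no longer see passthrough traffic leaving the ipsec device; if that is intended (for instance because such packets already traversed the hook before reaching the tunnel device) the branch needs a comment saying so, e.g. `/* passthrough packets already went through LOCAL_OUT; do not run the hook twice */`, otherwise it is a firewall bypass for whatever `pass` covers. The failure message still says `ip_send() failed` although on 2.6 the call is `dst_output()` and on the pass path no hook is involved at all; `"xmit failed, err=%d\n"` would be accurate for both. ipsec_tunnel_send continues past the end of this hunk.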
+ }
+}
+
++/* management of buffers */
++static struct ipsec_xmit_state * ipsec_xmit_state_new (void);
++static void ipsec_xmit_state_delete (struct ipsec_xmit_state *ixs);
++
++
+/*
+ * This function assumes it is being called from dev_queue_xmit()
+ * and that skb is filled properly by that function.
+int
+ipsec_tunnel_start_xmit(struct sk_buff *skb, struct net_device *dev)
+{
-+ struct ipsec_xmit_state ixs_mem;
-+ struct ipsec_xmit_state *ixs = &ixs_mem;
++ struct ipsec_xmit_state *ixs = NULL;
+ enum ipsec_xmit_value stat;
+
-+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
-+ ixs->natt_type = 0, ixs->natt_head = 0;
-+ ixs->natt_sport = 0, ixs->natt_dport = 0;
-+#endif
++ stat = IPSEC_XMIT_ERRMEMALLOC;
++ ixs = ipsec_xmit_state_new ();
++ if (! ixs) {
++ goto alloc_error;
++ }
+
-+ memset((caddr_t)ixs, 0, sizeof(*ixs));
-+ ixs->oskb = NULL;
-+ ixs->saved_header = NULL; /* saved copy of the hard header */
-+ ixs->route = NULL;
-+ memset((caddr_t)&(ixs->ips), 0, sizeof(ixs->ips));
+ ixs->dev = dev;
+ ixs->skb = skb;
+
+ cleanup:
+ ipsec_tunnel_cleanup(ixs);
+
++ ipsec_xmit_state_delete (ixs);
++alloc_error:
+ return 0;
+}
+
+ return error;
+}
+
++// ------------------------------------------------------------------------
++// this handles creating and managing state for xmit path
++
++static spinlock_t ixs_cache_lock = SPIN_LOCK_UNLOCKED;
++static kmem_cache_t *ixs_cache_allocator = NULL;
++static unsigned ixs_cache_allocated_count = 0;
++
++int
++ipsec_xmit_state_cache_init (void)
++{
++ if (ixs_cache_allocator)
++ return -EBUSY;
++
++ spin_lock_init(&ixs_cache_lock);
++
++ ixs_cache_allocator = kmem_cache_create ("ipsec_ixs",
++ sizeof (struct ipsec_xmit_state), 0,
++ 0, NULL, NULL);
++ if (! ixs_cache_allocator)
++ return -ENOMEM;
++
++ return 0;
++}
++
++void
++ipsec_xmit_state_cache_cleanup (void)
++{
++ if (unlikely (ixs_cache_allocated_count))
++ printk ("ipsec: deleting ipsec_ixs kmem_cache while in use\n");
++
++ if (ixs_cache_allocator) {
++ kmem_cache_destroy (ixs_cache_allocator);
++ ixs_cache_allocator = NULL;
++ }
++ ixs_cache_allocated_count = 0;
++}
++
++static struct ipsec_xmit_state *
++ipsec_xmit_state_new (void)
++{
++ struct ipsec_xmit_state *ixs;
++
++ spin_lock_bh (&ixs_cache_lock);
++
++ ixs = kmem_cache_alloc (ixs_cache_allocator, GFP_ATOMIC);
++
++ if (likely (ixs != NULL))
++ ixs_cache_allocated_count++;
++
++ spin_unlock_bh (&ixs_cache_lock);
++
++ if (unlikely (NULL == ixs))
++ goto bail;
++
++ // initialize the object
++ memset((caddr_t)ixs, 0, sizeof(*ixs));
++
++bail:
++ return ixs;
++}
++
++static void
++ipsec_xmit_state_delete (struct ipsec_xmit_state *ixs)
++{
++ if (unlikely (! ixs))
++ return;
++
++ spin_lock_bh (&ixs_cache_lock);
++
++ ixs_cache_allocated_count--;
++ kmem_cache_free (ixs_cache_allocator, ixs);
++
++ spin_unlock_bh (&ixs_cache_lock);
++}
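Review bot: `ipsec_xmit_state_cache_cleanup` proceeds to `kmem_cache_destroy` even when `ixs_cache_allocated_count` is non-zero, so any state still held by an in-flight transmit would then point into a destroyed slab, and the count is read and reset outside `ixs_cache_lock`. Take the lock around the count and document the precondition above the function, e.g. `/* caller must have stopped the xmit path: no ipsec_xmit_state may be outstanding */`. `ipsec_xmit_state_new` also hands `ixs_cache_allocator` to `kmem_cache_alloc` without checking that `ipsec_xmit_state_cache_init` ever ran; `if (unlikely(!ixs_cache_allocator)) return NULL;` before the lock turns that into an ordinary allocation failure. On the `alloc_error:` exit near the top of this hunk the function returns 0 without visibly releasing `skb` or counting the drop, so unless `ipsec_tunnel_cleanup` or the caller handles it (both outside this hunk) the buffer leaks on every allocation failure. The enclosing transmit function starts outside the hunk.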
++
+/*
+ * $Log: ipsec_tunnel.c,v $
-+ * Revision 1.232.2.5 2006/10/06 21:39:26 paul
-+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
-+ * set. This is defined through autoconf.h which is included through the
-+ * linux kernel build macros.
-+ *
-+ * Revision 1.232.2.4 2006/03/28 20:58:19 ken
-+ * Fix for KLIPS on 2.6.16 - need to include <net/arp.h> now
-+ *
-+ * Revision 1.232.2.3 2006/02/15 05:14:12 paul
-+ * 568: uninitialized struct in ipsec_tunnel.c coud break routing under 2.6 kernels
-+ * ipsec_tunnel_send() calls the entry point function of routing subsystem
-+ * (ip_route_output_key()) using a not fully initialized struct of type
-+ * struct flowi.
-+ * This will cause a failure in routing packets through an ipsec interface
-+ * when patches for multipath routing from http://www.ssi.bg/~ja/
-+ * are applied.
++ * Revision 1.234 2005/11/11 04:46:38 paul
++ * Patch for 2.6.14 by David McCullough
++ *
++ * Revision 1.233 2005/08/31 23:26:11 mcr
++ * fixes for 2.6.13
+ *
+ * Revision 1.232.2.2 2005/11/22 04:11:52 ken
+ * Backport fixes for 2.6.14 kernels from HEAD
+ */
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_xform.c Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,360 @@
+@@ -0,0 +1,355 @@
+/*
+ * Common routines for IPSEC transformations.
+ * Copyright (C) 1996, 1997 John Ioannidis.
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
-+ * RCSID $Id: ipsec_xform.c,v 1.65.2.1 2006/10/06 21:39:26 paul Exp $
++ * RCSID $Id: ipsec_xform.c,v 1.65 2005/04/29 05:10:22 mcr Exp $
+ */
+
+#ifndef AUTOCONF_INCLUDED
+#include "freeswan/ipsec_ah.h"
+#include "freeswan/ipsec_esp.h"
+
-+#include <pfkeyv2.h>
-+#include <pfkey.h>
++#include <openswan/pfkeyv2.h>
++#include <openswan/pfkey.h>
+
+#ifdef CONFIG_KLIPS_DEBUG
+int debug_xform = 0;
+
+/*
+ * $Log: ipsec_xform.c,v $
-+ * Revision 1.65.2.1 2006/10/06 21:39:26 paul
-+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
-+ * set. This is defined through autoconf.h which is included through the
-+ * linux kernel build macros.
-+ *
+ * Revision 1.65 2005/04/29 05:10:22 mcr
+ * removed from extraenous includes to make unit testing easier.
+ *
+ */
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/ipsec_xmit.c Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,1850 @@
+@@ -0,0 +1,1845 @@
+/*
+ * IPSEC Transmit code.
+ * Copyright (C) 1996, 1997 John Ioannidis.
+ * for more details.
+ */
+
-+char ipsec_xmit_c_version[] = "RCSID $Id: ipsec_xmit.c,v 1.20.2.8 2006/10/06 21:39:26 paul Exp $";
++char ipsec_xmit_c_version[] = "RCSID $Id: ipsec_xmit.c,v 1.20.2.6 2006/07/07 22:09:49 paul Exp $";
+
+#define __NO_VERSION__
+#include <linux/module.h>
+# include <net/tcp.h> /* TCP options */
+#endif /* MSS_HACK */
+
++#include "openswan/ipsec_kern24.h"
+#include "openswan/radij.h"
+#include "openswan/ipsec_life.h"
+#include "openswan/ipsec_xform.h"
+#include "openswan/ipcomp.h"
+#endif /* CONFIG_KLIPS_IPCOMP */
+
-+#include <pfkeyv2.h>
-+#include <pfkey.h>
++#include <openswan/pfkeyv2.h>
++#include <openswan/pfkey.h>
+
+#include "openswan/ipsec_proto.h"
+#include "openswan/ipsec_alg.h"
+
+ dat[len - authlen - 1] = ixs->iph->protocol;
+ ixs->iph->protocol = IPPROTO_ESP;
-+#ifdef CONFIG_KLIPS_DEBUG
++
+ if(debug_tunnel & DB_TN_ENCAP) {
+ dmp("pre-encrypt", dat, len);
+ }
-+#endif
+
+ /*
+ * Do all operations here:
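Review bot: Dropping the `#ifdef CONFIG_KLIPS_DEBUG` around the `debug_tunnel & DB_TN_ENCAP` test leaves `debug_tunnel` and `dmp()` referenced unconditionally; if those are only declared under CONFIG_KLIPS_DEBUG, a build without it stops compiling, and the `$Log` entry this patch removes (1.20.2.7, bug #642) describes exactly such a fix. The two later `ipsec_print_ip` blocks in this file keep their guard, so this one looks like an oversight rather than a policy change. Restore `#ifdef CONFIG_KLIPS_DEBUG` / `#endif` around the three lines, or confirm that `debug_tunnel` and `dmp` exist in every configuration. The enclosing function starts and ends outside the hunk.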
+ struct ipsec_alg_auth *ixt_a = NULL;
+ int blocksize = 8;
+ enum ipsec_xmit_value bundle_stat = IPSEC_XMIT_OK;
++ struct ipsec_sa *saved_ipsp;
+
+ ixs->newdst = ixs->orgdst = ixs->iph->daddr;
+ ixs->newsrc = ixs->orgsrc = ixs->iph->saddr;
+ * How much headroom do we need to be able to apply
+ * all the grouped transforms?
+ */
-+ ixs->ipsq = ixs->ipsp; /* save the head of the ipsec_sa chain */
++ saved_ipsp = ixs->ipsp; /* save the head of the ipsec_sa chain */
+ while (ixs->ipsp) {
+ ixs->sa_len = satot(&ixs->ipsp->ips_said, 0, ixs->sa_txt, sizeof(ixs->sa_txt));
+ if(ixs->sa_len == 0) {
+ }
+
+ /* If it is in larval state, drop the packet, we cannot process yet. */
-+ if(ixs->ipsp->ips_state == SADB_SASTATE_LARVAL) {
++ if(ixs->ipsp->ips_state == K_SADB_SASTATE_LARVAL) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+ "klips_debug:ipsec_xmit_encap_bundle: "
+ "ipsec_sa in larval state for SA:<%s%s%s> %s, cannot be used yet, dropping packet.\n",
+ goto cleanup;
+ }
+
-+ if(ixs->ipsp->ips_state == SADB_SASTATE_DEAD) {
++ if(ixs->ipsp->ips_state == K_SADB_SASTATE_DEAD) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+ "klips_debug:ipsec_xmit_encap_bundle: "
+ "ipsec_sa in dead state for SA:<%s%s%s> %s, can no longer be used, dropping packet.\n",
+ "replay window counter rolled for SA:<%s%s%s> %s, packet dropped, expiring SA.\n",
+ IPS_XFORM_NAME(ixs->ipsp),
+ ixs->sa_len ? ixs->sa_txt : " (error)");
-+ ipsec_sa_delchain(ixs->ipsp);
++ ipsec_sa_rm(ixs->ipsp);
+ ixs->stats->tx_errors++;
+ bundle_stat = IPSEC_XMIT_REPLAYROLLED;
+ goto cleanup;
+ ipsec_lifetime_check(&ixs->ipsp->ips_life.ipl_packets, "packets",ixs->sa_txt,
+ ipsec_life_countbased, ipsec_outgoing, ixs->ipsp) == ipsec_life_harddied) {
+
-+ ipsec_sa_delchain(ixs->ipsp);
++ ipsec_sa_rm(ixs->ipsp);
+ ixs->stats->tx_errors++;
+ bundle_stat = IPSEC_XMIT_LIFETIMEFAILED;
+ goto cleanup;
+ ixs->max_tailroom += ixs->tailroom;
+ ixs->pyldsz += (ixs->headroom + ixs->tailroom);
+ }
-+ ixs->ipsp = ixs->ipsq; /* restore the head of the ipsec_sa chain */
++ ixs->ipsp = saved_ipsp; /* restore the head of the ipsec_sa chain */
+
+ KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
+ "klips_debug:ipsec_xmit_encap_bundle: "
+ "head,tailroom: %d,%d after allocation\n",
+ skb_headroom(ixs->skb), skb_tailroom(ixs->skb));
+ }
-+#ifdef CONFIG_KLIPS_DEBUG
++
++#ifdef CONFIG_KLIPS_DEBUG
+ if(debug_tunnel & DB_TN_ENCAP) {
+ ipsec_print_ip(ixs->iph);
+ }
+ enum ipsec_xmit_value encap_stat = IPSEC_XMIT_OK;
+
+ encap_stat = ipsec_xmit_encap_once(ixs);
++
+#ifdef CONFIG_KLIPS_DEBUG
+ if(debug_tunnel & DB_TN_ENCAP) {
+ ipsec_print_ip(ixs->iph);
+
+/*
+ * $Log: ipsec_xmit.c,v $
-+ * Revision 1.20.2.8 2006/10/06 21:39:26 paul
-+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
-+ * set. This is defined through autoconf.h which is included through the
-+ * linux kernel build macros.
-+ *
-+ * Revision 1.20.2.7 2006/08/24 03:02:01 paul
-+ * Compile fixes for when CONFIG_KLIPS_DEBUG is not set. (bug #642)
-+ *
+ * Revision 1.20.2.6 2006/07/07 22:09:49 paul
+ * From: Bart Trojanowski <bart@xelerance.com>
+ * Removing a left over '#else' that split another '#if/#endif' block in two.
+ popl %ebp
+match_init: ret
--- /dev/null Tue Mar 11 13:02:56 2003
-+++ linux/net/ipsec/null/ipsec_alg_null.c Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,145 @@
-+/*
-+ * ipsec_alg NULL cipher stubs
-+ *
-+ * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
-+ *
-+ * $Id: ipsec_alg_null.c,v 1.1.2.1 2006/10/11 18:14:33 paul Exp $
-+ *
-+ * This program is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License as published by the
-+ * Free Software Foundation; either version 2 of the License, or (at your
-+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-+ *
-+ * This program is distributed in the hope that it will be useful, but
-+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * for more details.
-+ *
-+ */
-+#include <linux/config.h>
-+#include <linux/version.h>
-+
-+/*
-+ * special case: ipsec core modular with this static algo inside:
-+ * must avoid MODULE magic for this file
-+ */
-+#if defined(CONFIG_KLIPS_MODULE) && defined(CONFIG_KLIPS_ENC_NULL)
-+#undef MODULE
-+#endif
-+
-+#include <linux/module.h>
-+#include <linux/init.h>
-+
-+#include <linux/kernel.h> /* printk() */
-+#include <linux/errno.h> /* error codes */
-+#include <linux/types.h> /* size_t */
-+#include <linux/string.h>
-+
-+/* Check if __exit is defined, if not null it */
-+#ifndef __exit
-+#define __exit
-+#endif
-+
-+/* Low freeswan header coupling */
-+#include "openswan/ipsec_alg.h"
-+
-+#define ESP_NULL 11 /* from ipsec drafts */
-+#define ESP_NULL_BLK_LEN 1
-+
-+MODULE_AUTHOR("JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>");
-+static int debug_null=0;
-+static int test_null=0;
-+#ifdef module_param
-+module_param(debug_null, int, 0600);
-+module_param(test_null, int, 0600);
-+#else
-+MODULE_PARM(debug_null, "i");
-+MODULE_PARM(test_null, "i");
-+#endif
-+
-+typedef int null_context;
-+
-+struct null_eks{
-+ null_context null_ctx;
-+};
-+static int _null_set_key(struct ipsec_alg_enc *alg,
-+ __u8 * key_e, const __u8 * key,
-+ size_t keysize) {
-+ null_context *ctx=&((struct null_eks*)key_e)->null_ctx;
-+ if (debug_null > 0)
-+ printk(KERN_DEBUG "klips_debug:_null_set_key:"
-+ "key_e=%p key=%p keysize=%d\n",
-+ key_e, key, keysize);
-+ *ctx = 1;
-+ return 0;
-+}
-+static int _null_cbc_encrypt(struct ipsec_alg_enc *alg,
-+ __u8 * key_e, __u8 * in, int ilen, const __u8 * iv,
-+ int encrypt) {
-+ null_context *ctx=&((struct null_eks*)key_e)->null_ctx;
-+ if (debug_null > 0)
-+ printk(KERN_DEBUG "klips_debug:_null_cbc_encrypt:"
-+ "key_e=%p in=%p ilen=%d iv=%p encrypt=%d\n",
-+ key_e, in, ilen, iv, encrypt);
-+ (*ctx)++;
-+ return ilen;
-+}
-+static struct ipsec_alg_enc ipsec_alg_NULL = {
-+ ixt_common: { ixt_version: IPSEC_ALG_VERSION,
-+ ixt_refcnt: ATOMIC_INIT(0),
-+ ixt_name: "null",
-+ ixt_blocksize: ESP_NULL_BLK_LEN,
-+ ixt_support: {
-+ ias_exttype: IPSEC_ALG_TYPE_ENCRYPT,
-+ ias_id: ESP_NULL,
-+ ias_ivlen: 0,
-+ ias_keyminbits: 0,
-+ ias_keymaxbits: 0,
-+ },
-+ },
-+#if defined(CONFIG_KLIPS_ENC_NULL_MODULE)
-+ ixt_module: THIS_MODULE,
-+#endif
-+ ixt_e_keylen: 0,
-+ ixt_e_ctx_size: sizeof(null_context),
-+ ixt_e_set_key: _null_set_key,
-+ ixt_e_cbc_encrypt:_null_cbc_encrypt,
-+};
-+
-+#if defined(CONFIG_KLIPS_ENC_NULL_MODULE)
-+IPSEC_ALG_MODULE_INIT_MOD( ipsec_null_init )
-+#else
-+IPSEC_ALG_MODULE_INIT_STATIC( ipsec_null_init )
-+#endif
-+{
-+ int ret, test_ret;
-+ ret=register_ipsec_alg_enc(&ipsec_alg_NULL);
-+ printk("ipsec_null_init(alg_type=%d alg_id=%d name=%s): ret=%d\n",
-+ ipsec_alg_NULL.ixt_common.ixt_support.ias_exttype,
-+ ipsec_alg_NULL.ixt_common.ixt_support.ias_id,
-+ ipsec_alg_NULL.ixt_common.ixt_name,
-+ ret);
-+ if (ret==0 && test_null) {
-+ test_ret=ipsec_alg_test(
-+ ipsec_alg_NULL.ixt_common.ixt_support.ias_exttype,
-+ ipsec_alg_NULL.ixt_common.ixt_support.ias_id,
-+ test_null);
-+ printk("ipsec_null_init(alg_type=%d alg_id=%d): test_ret=%d\n",
-+ ipsec_alg_NULL.ixt_common.ixt_support.ias_exttype,
-+ ipsec_alg_NULL.ixt_common.ixt_support.ias_id,
-+ test_ret);
-+ }
-+ return ret;
-+}
-+#if defined(CONFIG_KLIPS_ENC_NULL_MODULE)
-+IPSEC_ALG_MODULE_EXIT_MOD( ipsec_null_fini )
-+#else
-+IPSEC_ALG_MODULE_EXIT_STATIC( ipsec_null_fini )
-+#endif
-+{
-+ unregister_ipsec_alg_enc(&ipsec_alg_NULL);
-+ return;
-+}
-+#ifdef MODULE_LICENSE
-+MODULE_LICENSE("GPL");
-+#endif
---- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/pfkey_v2.c Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,2022 @@
+@@ -0,0 +1,1996 @@
+/*
+ * @(#) RFC2367 PF_KEYv2 Key management API domain socket I/F
+ * Copyright (C) 1999, 2000, 2001 Richard Guy Briggs.
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
-+ * RCSID $Id: pfkey_v2.c,v 1.97.2.12 2006/11/24 05:43:29 paul Exp $
++ * RCSID $Id: pfkey_v2.c,v 1.97.2.8 2006/07/10 15:56:11 paul Exp $
+ */
+
+/*
+#include "openswan/ipsec_encap.h"
+#include "openswan/ipsec_sa.h"
+
-+#include <pfkeyv2.h>
-+#include <pfkey.h>
++#include <openswan/pfkeyv2.h>
++#include <openswan/pfkey.h>
+
+#include "openswan/ipsec_proto.h"
+#include "openswan/ipsec_kern24.h"
+#endif
+
+struct net_proto_family pfkey_family_ops = {
-+#ifdef NETDEV_23
-+ .family = PF_KEY,
-+ .create = pfkey_create,
-+#ifdef NET_26
-+ .owner = THIS_MODULE,
-+#endif
-+#else
+ PF_KEY,
+ pfkey_create
-+#endif
+};
+
+struct proto_ops SOCKOPS_WRAPPED(pfkey_ops) = {
+#ifdef NETDEV_23
+ family: PF_KEY,
-+#ifdef NET_26
-+ owner: THIS_MODULE,
-+#endif
+ release: pfkey_release,
+ bind: sock_no_bind,
+ connect: sock_no_connect,
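Review bot: Neither `pfkey_family_ops` nor `pfkey_ops` sets `owner = THIS_MODULE` on the new side, so on NET_26 kernels an open PF_KEY socket would no longer hold a reference on the module; the removed `$Log` entry 1.97.2.10 (bug #671) says the designated-initializer form was added for that reason. If KLIPS is built as a module on such kernels, unloading it while a key-management daemon still has its socket open would leave that socket's ops pointing at unloaded code. Keeping the `.family` / `.create` / `.owner` initializers under `NETDEV_23` / `NET_26`, as the removed lines had them, avoids the regression; the positional `PF_KEY, pfkey_create` form is only correct where those are the first two members of `struct net_proto_family`.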
+#endif /* CONFIG_KLIPS_ENC_3DES */
+ };
+ static struct ipsec_alg_supported supported_init_ipip[] = {
-+ {SADB_EXT_SUPPORTED_ENCRYPT, SADB_X_TALG_IPv4_in_IPv4, 0, 32, 32}
++ {SADB_EXT_SUPPORTED_ENCRYPT, K_SADB_X_TALG_IPv4_in_IPv4, 0, 32, 32}
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-+ , {SADB_EXT_SUPPORTED_ENCRYPT, SADB_X_TALG_IPv6_in_IPv4, 0, 128, 32}
-+ , {SADB_EXT_SUPPORTED_ENCRYPT, SADB_X_TALG_IPv4_in_IPv6, 0, 32, 128}
-+ , {SADB_EXT_SUPPORTED_ENCRYPT, SADB_X_TALG_IPv6_in_IPv6, 0, 128, 128}
++ , {SADB_EXT_SUPPORTED_ENCRYPT, K_SADB_X_TALG_IPv6_in_IPv4, 0, 128, 32}
++ , {SADB_EXT_SUPPORTED_ENCRYPT, K_SADB_X_TALG_IPv4_in_IPv6, 0, 32, 128}
++ , {SADB_EXT_SUPPORTED_ENCRYPT, K_SADB_X_TALG_IPv6_in_IPv6, 0, 128, 128}
+#endif /* defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) */
+ };
+#ifdef CONFIG_KLIPS_IPCOMP
+
+/*
+ * $Log: pfkey_v2.c,v $
-+ * Revision 1.97.2.12 2006/11/24 05:43:29 paul
-+ * kernels after 2.6.18 do not return a code from unregister_socket()
-+ * backport from git 41e54a2684dc809d7952e816860ea646a3194a72
-+ *
-+ * Revision 1.97.2.11 2006/11/15 16:05:57 paul
-+ * fix for compiling on 2.4. kernels by Matthias Haas.
-+ *
-+ * Revision 1.97.2.10 2006/10/10 20:43:28 paul
-+ * Add family/create/owner for pfkey_family_ops. This fixes bug #671
-+ *
-+ * Revision 1.97.2.9 2006/10/06 21:39:26 paul
-+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
-+ * set. This is defined through autoconf.h which is included through the
-+ * linux kernel build macros.
-+ *
+ * Revision 1.97.2.8 2006/07/10 15:56:11 paul
+ * Fix for bug #642 by Bart.
+ *
+ */
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/pfkey_v2_build.c Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,1581 @@
+@@ -0,0 +1,1642 @@
+/*
+ * RFC2367 PF_KEYv2 Key management API message parser
+ * Copyright (C) 1999, 2000, 2001 Richard Guy Briggs.
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
-+ * RCSID $Id: pfkey_v2_build.c,v 1.51.8.1 2006/05/01 14:36:39 mcr Exp $
++ * RCSID $Id: pfkey_v2_build.c,v 1.53 2005/11/09 00:30:37 mcr Exp $
+ */
+
+/*
+ * Template from klips/net/ipsec/ipsec/ipsec_parser.c.
+ */
+
-+char pfkey_v2_build_c_version[] = "$Id: pfkey_v2_build.c,v 1.51.8.1 2006/05/01 14:36:39 mcr Exp $";
++char pfkey_v2_build_c_version[] = "$Id: pfkey_v2_build.c,v 1.53 2005/11/09 00:30:37 mcr Exp $";
+
+/*
+ * Some ugly stuff to allow consistent debugging code for use in the
+ * kernel and in user space
+*/
+
-+#ifdef __KERNEL__
++#if defined(__KERNEL__) && defined(linux)
+
+# include <linux/kernel.h> /* for printk */
+
+#else /* __KERNEL__ */
+
+# include <sys/types.h>
-+# include <linux/types.h>
-+# include <linux/errno.h>
-+# include <malloc.h>
++# include <sys/errno.h>
++# include <netinet/in.h>
++# include <stdlib.h>
++# include <stdio.h>
+# include <string.h> /* memset */
+
+# include <openswan.h>
+
+#endif /* __KERNEL__ */
+
-+#include <pfkeyv2.h>
-+#include <pfkey.h>
++#include <openswan/pfkeyv2.h>
++#include <openswan/pfkey.h>
+
+#ifdef __KERNEL__
+#include "openswan/radij.h" /* rd_nodes */
+ }
+#endif
+
-+ if(sa_state > SADB_SASTATE_MAX) {
++ if(sa_state > K_SADB_SASTATE_MAX) {
+ DEBUGGING(PF_KEY_DEBUG_BUILD,
+ "pfkey_sa_build: "
+ "sa_state=%d exceeds MAX=%d.\n",
+ sa_state,
-+ SADB_SASTATE_MAX);
++ K_SADB_SASTATE_MAX);
+ SENDERR(EINVAL);
+ }
+
-+ if(sa_state == SADB_SASTATE_DEAD) {
++ if(sa_state == K_SADB_SASTATE_DEAD) {
+ DEBUGGING(PF_KEY_DEBUG_BUILD,
+ "pfkey_sa_build: "
+ "sa_state=%d is DEAD=%d is not allowed.\n",
+ sa_state,
-+ SADB_SASTATE_DEAD);
++ K_SADB_SASTATE_DEAD);
+ SENDERR(EINVAL);
+ }
+
+pfkey_key_build(struct sadb_ext** pfkey_ext,
+ uint16_t exttype,
+ uint16_t key_bits,
-+ char* key)
++ unsigned char * key)
+{
+ int error = 0;
+ struct sadb_key *pfkey_key = (struct sadb_key *)*pfkey_ext;
+ return error;
+}
+
++int pfkey_outif_build(struct sadb_ext **pfkey_ext,
++ uint16_t outif)
++{
++ int error = 0;
++ struct sadb_x_plumbif * p = (struct sadb_x_plumbif *)*pfkey_ext;
++
++ if ((p = (struct sadb_x_plumbif*)MALLOC(sizeof(*p))) == 0) {
++ ERROR("pfkey_build: memory allocation failed\n");
++ SENDERR(ENOMEM);
++ }
++ *pfkey_ext = (struct sadb_ext *)p;
++
++ p->sadb_x_outif_len = IPSEC_PFKEYv2_WORDS(sizeof(*p));
++ p->sadb_x_outif_exttype = K_SADB_X_EXT_PLUMBIF;
++ p->sadb_x_outif_ifnum = outif;
++
++ errlab:
++ return error;
++}
++
++
++#if defined(I_DONT_THINK_THIS_WILL_BE_USEFUL) && I_DONT_THINK_THIS_WILL_BE_USEFUL
++int (*ext_default_builders[SADB_EXT_MAX +1])(struct sadb_msg*, struct sadb_ext*)
++ =
++{
++ NULL, /* pfkey_msg_build, */
++ pfkey_sa_build,
++ pfkey_lifetime_build,
++ pfkey_lifetime_build,
++ pfkey_lifetime_build,
++ pfkey_address_build,
++ pfkey_address_build,
++ pfkey_address_build,
++ pfkey_key_build,
++ pfkey_key_build,
++ pfkey_ident_build,
++ pfkey_ident_build,
++ pfkey_sens_build,
++ pfkey_prop_build,
++ pfkey_supported_build,
++ pfkey_supported_build,
++ pfkey_spirange_build,
++ pfkey_x_kmprivate_build,
++ pfkey_x_satype_build,
++ pfkey_sa_build,
++ pfkey_address_build,
++ pfkey_address_build,
++ pfkey_address_build,
++ pfkey_address_build,
++ pfkey_address_build,
++ pfkey_x_ext_debug_build
++};
++#endif
++
+int
+pfkey_msg_build(struct sadb_msg **pfkey_msg, struct sadb_ext *extensions[], int dir)
+{
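Review bot: In `pfkey_outif_build` the initializer `p = (struct sadb_x_plumbif *)*pfkey_ext` is overwritten by the `MALLOC` two lines later, so an extension already stored at `*pfkey_ext` is never detected and its memory is lost; the initialization reads as if a check was intended. Replace it with an explicit guard before allocating, `if (*pfkey_ext) { ERROR("pfkey_outif_build: extension already present\n"); SENDERR(EEXIST); }`, and declare `p` without the cast. `MALLOC` is not visibly zeroing the object, so any reserved or padding bytes in `struct sadb_x_plumbif` would go out uninitialized; `memset(p, 0, sizeof(*p));` after the allocation check keeps stray memory contents out of the message unless the other builders already rely on a zeroing `MALLOC`. The failure message says `pfkey_build:` rather than `pfkey_outif_build:`, which makes an allocation failure here hard to attribute.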
+ if(!(extensions_bitmaps[dir][EXT_BITS_PERM][(*pfkey_msg)->sadb_msg_type] &
+ 1<<ext)) {
+ ERROR("pfkey_msg_build: "
-+ "ext type %d not permitted, exts_perm=%08x, 1<<type=%08x\n",
-+ ext,
++ "ext type %d not permitted for %d/%d/%d, exts_perm=%08x, 1<<type=%08x\n",
++ ext,
++ dir,EXT_BITS_PERM,(*pfkey_msg)->sadb_msg_type,
+ extensions_bitmaps[dir][EXT_BITS_PERM][(*pfkey_msg)->sadb_msg_type],
+ 1<<ext);
+ SENDERR(EINVAL);
+ extensions_bitmaps[dir][EXT_BITS_PERM][(*pfkey_msg)->sadb_msg_type],
+ extensions_seen,
+ extensions_bitmaps[dir][EXT_BITS_REQ][(*pfkey_msg)->sadb_msg_type]);
-+
++
++#if 0
+ if((extensions_seen &
+ extensions_bitmaps[dir][EXT_BITS_REQ][(*pfkey_msg)->sadb_msg_type]) !=
+ extensions_bitmaps[dir][EXT_BITS_REQ][(*pfkey_msg)->sadb_msg_type]) {
-+ DEBUGGING(PF_KEY_DEBUG_BUILD,
++ ERROR(PF_KEY_DEBUG_BUILD,
+ "pfkey_msg_build: "
+ "required extensions missing:%08x.\n",
+ extensions_bitmaps[dir][EXT_BITS_REQ][(*pfkey_msg)->sadb_msg_type] -
+ extensions_bitmaps[dir][EXT_BITS_REQ][(*pfkey_msg)->sadb_msg_type]) );
+ SENDERR(EINVAL);
+ }
++#endif
+
+#ifndef __KERNEL__
+/*
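Review bot: The block disabled with `#if 0` was also changed from `DEBUGGING(PF_KEY_DEBUG_BUILD, ...)` to `ERROR(PF_KEY_DEBUG_BUILD, ...)`, yet `ERROR` elsewhere in this file takes the format string as its first argument (`ERROR("pfkey_msg_build: " ...)`), so the text would not compile if the `#if 0` were ever lifted. With the check off, `pfkey_msg_build` no longer rejects messages that lack required extensions; the matching check in `pfkey_msg_parse` still runs on the parse side, so such messages are caught there, but nothing in the hunk records why the builder-side check was dropped. A comment above the `#if 0` such as `/* required-extension check disabled here; pfkey_msg_parse() enforces it. The ERROR() call below needs its first argument removed before re-enabling. */` would keep the next reader from re-enabling a broken block.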
+
+/*
+ * $Log: pfkey_v2_build.c,v $
-+ * Revision 1.51.8.1 2006/05/01 14:36:39 mcr
-+ * get rid of dead code.
++ * Revision 1.53 2005/11/09 00:30:37 mcr
++ * adjusted signed-ness and look.in
++ *
++ * Revision 1.52 2005/08/14 21:41:15 mcr
++ * augment error message when an extension is not permitted.
+ *
+ * Revision 1.51 2004/10/03 01:26:36 mcr
+ * fixes for gcc 3.4 compilation.
+ */
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/pfkey_v2_debug.c Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,181 @@
+@@ -0,0 +1,185 @@
+/*
+ * @(#) pfkey version 2 debugging messages
+ *
+
+#else /* __KERNEL__ */
+
++#if defined(macintosh) || (defined(__MACH__) && defined(__APPLE__))
++# include <sys/types.h>
++#else
+# include <sys/types.h>
+# include <linux/types.h>
+# include <linux/errno.h>
++#endif
+
+#endif /* __KERNEL__ */
+
+#include "openswan.h"
-+#include "pfkeyv2.h"
-+#include "pfkey.h"
++#include "openswan/pfkeyv2.h"
++#include "openswan/pfkey.h"
+
+/*
+ * This file provides ASCII translations of PF_KEY magic numbers.
+ * kernel and in user space
+*/
+
-+#ifdef __KERNEL__
++#if defined(__KERNEL__) && defined(linux)
+
+# include <linux/kernel.h> /* for printk */
+
+#else /* __KERNEL__ */
+
+# include <sys/types.h>
-+# include <linux/types.h>
-+# include <linux/errno.h>
++# include <sys/errno.h>
++# include <stdio.h>
+#endif
+
+#include <openswan.h>
-+#include <pfkeyv2.h>
-+#include <pfkey.h>
++#include <openswan/pfkeyv2.h>
++#include <openswan/pfkey.h>
+
+unsigned int extensions_bitmaps[2/*in/out*/][2/*perm/req*/][SADB_EXTENSIONS_MAX] = {
+
+ */
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/pfkey_v2_ext_process.c Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,951 @@
+@@ -0,0 +1,865 @@
+/*
+ * @(#) RFC2367 PF_KEYv2 Key management API message parser
+ * Copyright (C) 1998-2003 Richard Guy Briggs.
-+ * Copyright (C) 2004 Michael Richardson <mcr@xelerance.com>
++ * Copyright (C) 2004-2006 Michael Richardson <mcr@xelerance.com>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
-+ * RCSID $Id: pfkey_v2_ext_process.c,v 1.20.2.2 2006/10/06 21:39:26 paul Exp $
++ * RCSID $Id: pfkey_v2_ext_process.c,v 1.20 2005/04/29 05:10:22 mcr Exp $
+ */
+
+/*
+ * Template from klips/net/ipsec/ipsec/ipsec_netlink.c.
+ */
+
-+char pfkey_v2_ext_process_c_version[] = "$Id: pfkey_v2_ext_process.c,v 1.20.2.2 2006/10/06 21:39:26 paul Exp $";
++char pfkey_v2_ext_process_c_version[] = "$Id: pfkey_v2_ext_process.c,v 1.20 2005/04/29 05:10:22 mcr Exp $";
+
+#ifndef AUTOCONF_INCLUDED
+#include <linux/config.h>
+#include "openswan/ipsec_rcv.h"
+#include "openswan/ipcomp.h"
+
-+#include <pfkeyv2.h>
-+#include <pfkey.h>
++#include <openswan/pfkeyv2.h>
++#include <openswan/pfkey.h>
+
+#include "openswan/ipsec_proto.h"
+#include "openswan/ipsec_alg.h"
+
+#define SENDERR(_x) do { error = -(_x); goto errlab; } while (0)
+
++/* returns 0 on success */
+int
+pfkey_sa_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr)
+{
+ ipsp->ips_state = pfkey_sa->sadb_sa_state;
+ ipsp->ips_flags = pfkey_sa->sadb_sa_flags;
+ ipsp->ips_replaywin_lastseq = ipsp->ips_replaywin_bitmap = 0;
-+ ipsp->ips_ref_rel = pfkey_sa->sadb_x_sa_ref;
++ ipsp->ips_ref = pfkey_sa->sadb_x_sa_ref;
+
+ switch(ipsp->ips_said.proto) {
+ case IPPROTO_AH:
+ struct sadb_x_satype *pfkey_x_satype = (struct sadb_x_satype *)pfkey_ext;
+
+ KLIPS_PRINT(debug_pfkey,
-+ "klips_debug:pfkey_x_satype_process: .\n");
++ "pfkey_x_satype_process: .\n");
+
+ if(!extr || !extr->ips) {
+ KLIPS_PRINT(debug_pfkey,
-+ "klips_debug:pfkey_x_satype_process: "
++ "pfkey_x_satype_process: "
+ "extr or extr->ips is NULL, fatal\n");
+ SENDERR(EINVAL);
+ }
+ SENDERR(-error);
+ }
+ if(!(extr->ips2->ips_said.proto = satype2proto(pfkey_x_satype->sadb_x_satype_satype))) {
-+ KLIPS_PRINT(debug_pfkey,
-+ "klips_debug:pfkey_x_satype_process: "
++ KLIPS_ERROR(debug_pfkey,
++ "pfkey_x_satype_process: "
+ "proto lookup from satype=%d failed.\n",
+ pfkey_x_satype->sadb_x_satype_satype);
+ SENDERR(EINVAL);
+ }
+ KLIPS_PRINT(debug_pfkey,
-+ "klips_debug:pfkey_x_satype_process: "
++ "pfkey_x_satype_process: "
+ "protocol==%d decoded from satype==%d(%s).\n",
+ extr->ips2->ips_said.proto,
+ pfkey_x_satype->sadb_x_satype_satype,
+}
+
+/*
-+ * $Log: pfkey_v2_ext_process.c,v $
-+ * Revision 1.20.2.2 2006/10/06 21:39:26 paul
-+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
-+ * set. This is defined through autoconf.h which is included through the
-+ * linux kernel build macros.
-+ *
-+ * Revision 1.20.2.1 2006/04/20 16:33:07 mcr
-+ * remove all of CONFIG_KLIPS_ALG --- one can no longer build without it.
-+ * Fix in-kernel module compilation. Sub-makefiles do not work.
-+ *
-+ * Revision 1.20 2005/04/29 05:10:22 mcr
-+ * removed from extraenous includes to make unit testing easier.
-+ *
-+ * Revision 1.19 2004/12/04 07:14:18 mcr
-+ * resolution to gcc3-ism was wrong. fixed to assign correct
-+ * variable.
-+ *
-+ * Revision 1.18 2004/12/03 21:25:57 mcr
-+ * compile time fixes for running on 2.6.
-+ * still experimental.
-+ *
-+ * Revision 1.17 2004/08/21 00:45:04 mcr
-+ * CONFIG_KLIPS_NAT was wrong, also need to include udp.h.
-+ *
-+ * Revision 1.16 2004/07/10 19:11:18 mcr
-+ * CONFIG_IPSEC -> CONFIG_KLIPS.
-+ *
-+ * Revision 1.15 2004/04/06 02:49:26 mcr
-+ * pullup of algo code from alg-branch.
-+ *
-+ * Revision 1.14 2004/02/03 03:13:59 mcr
-+ * no longer #ifdef out NON_ESP mode. That was a mistake.
-+ *
-+ * Revision 1.13 2003/12/15 18:13:12 mcr
-+ * when compiling with NAT traversal, don't assume that the
-+ * kernel has been patched, unless CONFIG_IPSEC_NAT_NON_ESP
-+ * is set.
-+ *
-+ * Revision 1.12.2.1 2003/12/22 15:25:52 jjo
-+ * Merged algo-0.8.1-rc11-test1 into alg-branch
-+ *
-+ * Revision 1.12 2003/12/10 01:14:27 mcr
-+ * NAT-traversal patches to KLIPS.
-+ *
-+ * Revision 1.11 2003/10/31 02:27:55 mcr
-+ * pulled up port-selector patches and sa_id elimination.
-+ *
-+ * Revision 1.10.4.2 2003/10/29 01:30:41 mcr
-+ * elimited "struct sa_id".
-+ *
-+ * Revision 1.10.4.1 2003/09/21 13:59:56 mcr
-+ * pre-liminary X.509 patch - does not yet pass tests.
-+ *
-+ * Revision 1.10 2003/02/06 01:51:41 rgb
-+ * Removed no longer relevant comment
-+ *
-+ * Revision 1.9 2003/01/30 02:32:44 rgb
-+ *
-+ * Transmit error code through to caller from callee for better diagnosis of problems.
-+ *
-+ * Revision 1.8 2002/12/13 22:42:22 mcr
-+ * restored sa_ref code
-+ *
-+ * Revision 1.7 2002/12/13 22:40:48 mcr
-+ * temporarily removed sadb_x_sa_ref reference for 2.xx
-+ *
-+ * Revision 1.6 2002/10/05 05:02:58 dhr
-+ *
-+ * C labels go on statements
-+ *
-+ * Revision 1.5 2002/09/20 15:41:08 rgb
-+ * Switch from pfkey_alloc_ipsec_sa() to ipsec_sa_alloc().
-+ * Added sadb_x_sa_ref to struct sadb_sa.
-+ *
-+ * Revision 1.4 2002/09/20 05:02:02 rgb
-+ * Added memory allocation debugging.
-+ *
-+ * Revision 1.3 2002/07/24 18:44:54 rgb
-+ * Type fiddling to tame ia64 compiler.
-+ *
-+ * Revision 1.2 2002/05/27 18:55:03 rgb
-+ * Remove final vistiges of tdb references via IPSEC_KLIPS1_COMPAT.
-+ *
-+ * Revision 1.1 2002/05/14 02:33:51 rgb
-+ * Moved all the extension processing functions to pfkey_v2_ext_process.c.
-+ *
-+ *
+ * Local variables:
+ * c-file-style: "linux"
+ * End:
+ */
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/pfkey_v2_parse.c Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,1846 @@
+@@ -0,0 +1,1564 @@
+/*
+ * RFC2367 PF_KEYv2 Key management API message parser
+ * Copyright (C) 1999, 2000, 2001 Richard Guy Briggs.
+#else /* __KERNEL__ */
+
+# include <sys/types.h>
-+# include <linux/types.h>
-+# include <linux/errno.h>
++# include <sys/errno.h>
++# include <stdio.h>
+
+# include <openswan.h>
+# include "constants.h"
-+# include "programs/pluto/defs.h" /* for PRINTF_LIKE */
+
+#endif /* __KERNEL__ */
+
+
-+#include <pfkeyv2.h>
-+#include <pfkey.h>
++#include <openswan/pfkeyv2.h>
++#include <openswan/pfkey.h>
+
+#include "openswan/ipsec_sa.h" /* IPSEC_SAREF_NULL, IPSEC_SA_REF_TABLE_IDX_WIDTH */
+
+#include <openswan/pfkey_debug.h>
+
+unsigned int pfkey_lib_debug = PF_KEY_DEBUG_PARSE_NONE;
-+void (*pfkey_debug_func)(const char *message, ...) PRINTF_LIKE(1);
-+void (*pfkey_error_func)(const char *message, ...) PRINTF_LIKE(1);
++int (*pfkey_debug_func)(const char *message, ...) PRINTF_LIKE(1);
++int (*pfkey_error_func)(const char *message, ...) PRINTF_LIKE(1);
+
+
+#define SENDERR(_x) do { error = -(_x); goto errlab; } while (0)
+ SENDERR(EINVAL);
+ }
+
-+#if 0
-+ /* check if this structure is short, and if so, fix it up.
-+ * XXX this is NOT the way to do things.
-+ */
-+ if(pfkey_sa->sadb_sa_len == sizeof(struct sadb_sa_v1)/IPSEC_PFKEYv2_ALIGN) {
-+
-+ /* yes, so clear out a temporary structure, and copy first */
-+ memset(&sav2, 0, sizeof(sav2));
-+ memcpy(&sav2, pfkey_sa, sizeof(struct sadb_sa_v1));
-+ sav2.sadb_x_sa_ref=-1;
-+ sav2.sadb_sa_len = sizeof(struct sadb_sa) / IPSEC_PFKEYv2_ALIGN;
-+
-+ pfkey_sa = &sav2;
-+ }
-+#endif
+
+
+ if(pfkey_sa->sadb_sa_len != sizeof(struct sadb_sa) / IPSEC_PFKEYv2_ALIGN) {
+ }
+#endif
+
-+#if SADB_SASTATE_MAX < 255
-+ if(pfkey_sa->sadb_sa_state > SADB_SASTATE_MAX) {
++#if K_SADB_SASTATE_MAX < 255
++ if(pfkey_sa->sadb_sa_state > K_SADB_SASTATE_MAX) {
+ ERROR(
+ "pfkey_sa_parse: "
+ "state=%d exceeds MAX=%d.\n",
+ pfkey_sa->sadb_sa_state,
-+ SADB_SASTATE_MAX);
++ K_SADB_SASTATE_MAX);
+ SENDERR(EINVAL);
+ }
+#endif
+
-+ if(pfkey_sa->sadb_sa_state == SADB_SASTATE_DEAD) {
++ if(pfkey_sa->sadb_sa_state == K_SADB_SASTATE_DEAD) {
+ ERROR(
+ "pfkey_sa_parse: "
+ "state=%d is DEAD=%d.\n",
+ pfkey_sa->sadb_sa_state,
-+ SADB_SASTATE_DEAD);
++ K_SADB_SASTATE_DEAD);
+ SENDERR(EINVAL);
+ }
+
+
+ DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
+ "pfkey_lifetime_parse: "
-+ "life_type=%d(%s) alloc=%u bytes=%u add=%u use=%u pkts=%u.\n",
++ "life_type=%d(%s) alloc=%u bytes=%u add=%u use=%u.\n",
+ pfkey_lifetime->sadb_lifetime_exttype,
+ pfkey_v2_sadb_ext_string(pfkey_lifetime->sadb_lifetime_exttype),
+ pfkey_lifetime->sadb_lifetime_allocations,
+ (unsigned)pfkey_lifetime->sadb_lifetime_bytes,
+ (unsigned)pfkey_lifetime->sadb_lifetime_addtime,
-+ (unsigned)pfkey_lifetime->sadb_lifetime_usetime,
-+ pfkey_lifetime->sadb_x_lifetime_packets);
++ (unsigned)pfkey_lifetime->sadb_lifetime_usetime);
+errlab:
+ return error;
+}
+ "pfkey_address_parse: "
+ "unexpected ext_type=%d.\n",
+ pfkey_address->sadb_address_exttype);
-+ SENDERR(ENOPKG);
++ SENDERR(ENODEV);
+ }
+
+ switch(s->sa_family) {
+ SENDERR(EINVAL);
+ }
+
-+ if(pfkey_comb->sadb_comb_reserved) {
-+ DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-+ "pfkey_prop_parse: "
-+ "comb[%d].res=%d, must be zero.\n",
-+ i,
-+ pfkey_comb->sadb_comb_reserved);
-+ SENDERR(EINVAL);
-+ }
+ pfkey_comb++;
+ }
+
+ &pfkey_address_parse_def,
+ &pfkey_address_parse_def,
+ &pfkey_x_ext_debug_parse_def,
-+ &pfkey_x_ext_protocol_parse_def
++ &pfkey_x_ext_protocol_parse_def,
+#ifdef NAT_TRAVERSAL
-+ ,
+ &pfkey_x_ext_nat_t_type_parse_def,
+ &pfkey_x_ext_nat_t_port_parse_def,
+ &pfkey_x_ext_nat_t_port_parse_def,
-+ &pfkey_address_parse_def
++ &pfkey_address_parse_def,
++#else
++ NULL,NULL,NULL,NULL,
+#endif
+};
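Review bot: The `#else` branch now fills the four NAT-T slots of `ext_parsers` with `NULL`, but the dispatch in `pfkey_msg_parse` calls `(*ext_parsers[pfkey_ext->sadb_ext_type]->parser)(pfkey_ext)` after checking only `sadb_ext_type > SADB_EXT_MAX` and the permitted-extension bitmap; if `SADB_EXT_MAX` covers those types and some message type's bitmap admits them, a message carrying one of them would dereference NULL in a build without NAT_TRAVERSAL. A guard before the call, `if (ext_parsers[pfkey_ext->sadb_ext_type] == NULL) { ERROR("pfkey_msg_parse: no parser for ext type %d\n", pfkey_ext->sadb_ext_type); SENDERR(EINVAL); }`, makes the NULL table entries safe regardless of how the bitmaps are configured. The dispatch loop sits in a later hunk of this file.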
+
+ int error = 0;
+ int remain;
+ struct sadb_ext *pfkey_ext;
-+ int extensions_seen = 0;
++ unsigned int extensions_seen = 0;
+
+ DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT,
+ "pfkey_msg_parse: "
+ while( (remain * IPSEC_PFKEYv2_ALIGN) >= sizeof(struct sadb_ext) ) {
+ /* Is there enough message left to support another extension header? */
+ if(remain < pfkey_ext->sadb_ext_len) {
-+ DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-+ "pfkey_msg_parse: "
++ ERROR("pfkey_msg_parse: "
+ "remain %d less than ext len %d.\n",
+ remain, pfkey_ext->sadb_ext_len);
+ SENDERR(EINVAL);
+
+ /* Is the extension header type valid? */
+ if((pfkey_ext->sadb_ext_type > SADB_EXT_MAX) || (!pfkey_ext->sadb_ext_type)) {
-+ DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-+ "pfkey_msg_parse: "
++ ERROR("pfkey_msg_parse: "
+ "ext type %d(%s) invalid, SADB_EXT_MAX=%d.\n",
+ pfkey_ext->sadb_ext_type,
+ pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
+ /* Have we already seen this type of extension? */
+ if((extensions_seen & ( 1 << pfkey_ext->sadb_ext_type )) != 0)
+ {
-+ DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-+ "pfkey_msg_parse: "
++ ERROR("pfkey_msg_parse: "
+ "ext type %d(%s) already seen.\n",
+ pfkey_ext->sadb_ext_type,
+ pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type));
+ /* Is this type of extension permitted for this type of message? */
+ if(!(extensions_bitmaps[dir][EXT_BITS_PERM][pfkey_msg->sadb_msg_type] &
+ 1<<pfkey_ext->sadb_ext_type)) {
-+ DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-+ "pfkey_msg_parse: "
++ ERROR("pfkey_msg_parse: "
+ "ext type %d(%s) not permitted, exts_perm_in=%08x, 1<<type=%08x\n",
+ pfkey_ext->sadb_ext_type,
+ pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
+ /* Parse the extension */
+ if((error =
+ (*ext_parsers[pfkey_ext->sadb_ext_type]->parser)(pfkey_ext))) {
-+ DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-+ "pfkey_msg_parse: "
++ ERROR("pfkey_msg_parse: "
+ "extension parsing for type %d(%s) failed with error %d.\n",
+ pfkey_ext->sadb_ext_type,
+ pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type),
+ if((extensions_seen &
+ extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]) !=
+ extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]) {
-+ DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-+ "pfkey_msg_parse: "
++ ERROR("pfkey_msg_parse: "
+ "required extensions missing:%08x.\n",
+ extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type] -
+ (extensions_seen &
+ }
+
+ if((dir == EXT_BITS_IN) && (pfkey_msg->sadb_msg_type == SADB_X_DELFLOW)
-+ && ((extensions_seen & SADB_X_EXT_ADDRESS_DELFLOW)
-+ != SADB_X_EXT_ADDRESS_DELFLOW)
++ && ((extensions_seen & K_SADB_X_EXT_ADDRESS_DELFLOW)
++ != K_SADB_X_EXT_ADDRESS_DELFLOW)
+ && (((extensions_seen & (1<<SADB_EXT_SA)) != (1<<SADB_EXT_SA))
+ || ((((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_flags
+ & SADB_X_SAFLAGS_CLEARFLOW)
+ DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+ "pfkey_msg_parse: "
+ "required SADB_X_DELFLOW extensions missing: either %08x must be present or %08x must be present with SADB_X_SAFLAGS_CLEARFLOW set.\n",
-+ SADB_X_EXT_ADDRESS_DELFLOW
-+ - (extensions_seen & SADB_X_EXT_ADDRESS_DELFLOW),
++ K_SADB_X_EXT_ADDRESS_DELFLOW
++ - (extensions_seen & K_SADB_X_EXT_ADDRESS_DELFLOW),
+ (1<<SADB_EXT_SA) - (extensions_seen & (1<<SADB_EXT_SA)));
+ SENDERR(EINVAL);
+ }
+ case SADB_UPDATE:
+ /* check maturity */
+ if(((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state !=
-+ SADB_SASTATE_MATURE) {
++ K_SADB_SASTATE_MATURE) {
+ DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
+ "pfkey_msg_parse: "
+ "state=%d for add or update should be MATURE=%d.\n",
+ ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state,
-+ SADB_SASTATE_MATURE);
++ K_SADB_SASTATE_MATURE);
+ SENDERR(EINVAL);
+ }
+
+ if(!(((struct sadb_sa*)extensions[SADB_EXT_SA]) &&
+ ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_auth !=
+ SADB_AALG_NONE)) {
-+ DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-+ "pfkey_msg_parse: "
++ ERROR("pfkey_msg_parse: "
+ "auth alg is zero, must be non-zero for AH SAs.\n");
+ SENDERR(EINVAL);
+ }
+ if(((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_encrypt !=
+ SADB_EALG_NONE) {
-+ DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-+ "pfkey_msg_parse: "
++ ERROR("pfkey_msg_parse: "
+ "AH handed encalg=%d, must be zero.\n",
+ ((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_encrypt);
+ SENDERR(EINVAL);
+ if(!(((struct sadb_sa*)extensions[SADB_EXT_SA]) &&
+ ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt !=
+ SADB_EALG_NONE)) {
-+ DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-+ "pfkey_msg_parse: "
++ ERROR("pfkey_msg_parse: "
+ "encrypt alg=%d is zero, must be non-zero for ESP=%d SAs.\n",
+ ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt,
+ ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype);
+ SADB_EALG_NULL) &&
+ (((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_auth ==
+ SADB_AALG_NONE) ) {
-+ DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-+ "pfkey_msg_parse: "
++ ERROR("pfkey_msg_parse: "
+ "ESP handed encNULL+authNONE, illegal combination.\n");
+ SENDERR(EINVAL);
+ }
+ if(!(((struct sadb_sa*)extensions[SADB_EXT_SA]) &&
+ ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt !=
+ SADB_EALG_NONE)) {
-+ DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-+ "pfkey_msg_parse: "
++ ERROR("pfkey_msg_parse: "
+ "encrypt alg=%d is zero, must be non-zero for COMP=%d SAs.\n",
+ ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt,
+ ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype);
+ }
+ if(((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_auth !=
+ SADB_AALG_NONE) {
-+ DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-+ "pfkey_msg_parse: "
++ ERROR("pfkey_msg_parse: "
+ "COMP handed auth=%d, must be zero.\n",
+ ((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_auth);
+ SENDERR(EINVAL);
+ default:
+ break;
+ }
++
+ if(ntohl(((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_spi) <= 255) {
-+ DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
-+ "pfkey_msg_parse: "
++ ERROR("pfkey_msg_parse: "
+ "spi=%08x must be > 255.\n",
+ ntohl(((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_spi));
+ SENDERR(EINVAL);
+ default:
+ break;
+ }
-+errlab:
+
++errlab:
+ return error;
+}
+
+/*
-+ * $Log: pfkey_v2_parse.c,v $
-+ * Revision 1.65 2005/04/06 17:46:05 mcr
-+ * failure to recognize an extension is considered an error.
-+ * This could be a problem in the future, but we need some kind
-+ * of logging. This should be rate limited, probably.
-+ *
-+ * Revision 1.64 2005/01/26 00:50:35 mcr
-+ * adjustment of confusion of CONFIG_IPSEC_NAT vs CONFIG_KLIPS_NAT,
-+ * and make sure that NAT_TRAVERSAL is set as well to match
-+ * userspace compiles of code.
-+ *
-+ * Revision 1.63 2004/10/28 22:54:10 mcr
-+ * results from valgrind, thanks to: Harald Hoyer <harald@redhat.com>
-+ *
-+ * Revision 1.62 2004/10/03 01:26:36 mcr
-+ * fixes for gcc 3.4 compilation.
-+ *
-+ * Revision 1.61 2004/07/10 19:11:18 mcr
-+ * CONFIG_IPSEC -> CONFIG_KLIPS.
-+ *
-+ * Revision 1.59 2004/04/18 03:03:49 mcr
-+ * renamed common include files from pluto directory.
-+ *
-+ * Revision 1.58 2004/03/08 01:59:08 ken
-+ * freeswan.h -> openswan.h
-+ *
-+ * Revision 1.57 2003/12/10 01:20:19 mcr
-+ * NAT-traversal patches to KLIPS.
-+ *
-+ * Revision 1.56 2003/12/04 23:01:12 mcr
-+ * removed ipsec_netlink.h
-+ *
-+ * Revision 1.55 2003/11/07 01:30:37 ken
-+ * Cast sizeof() to int to keep things 64bit clean
-+ *
-+ * Revision 1.54 2003/10/31 02:27:12 mcr
-+ * pulled up port-selector patches and sa_id elimination.
-+ *
-+ * Revision 1.53.20.2 2003/10/29 01:11:32 mcr
-+ * added debugging for pfkey library.
-+ *
-+ * Revision 1.53.20.1 2003/09/21 13:59:44 mcr
-+ * pre-liminary X.509 patch - does not yet pass tests.
-+ *
-+ * Revision 1.53 2003/01/30 02:32:09 rgb
-+ *
-+ * Rename SAref table macro names for clarity.
-+ * Convert IPsecSAref_t from signed to unsigned to fix apparent SAref exhaustion bug.
-+ *
-+ * Revision 1.52 2002/12/30 06:53:07 mcr
-+ * deal with short SA structures... #if 0 out for now. Probably
-+ * not quite the right way.
-+ *
-+ * Revision 1.51 2002/12/13 18:16:02 mcr
-+ * restored sa_ref code
-+ *
-+ * Revision 1.50 2002/12/13 18:06:52 mcr
-+ * temporarily removed sadb_x_sa_ref reference for 2.xx
-+ *
-+ * Revision 1.49 2002/10/05 05:02:58 dhr
-+ *
-+ * C labels go on statements
-+ *
-+ * Revision 1.48 2002/09/20 15:40:45 rgb
-+ * Added sadb_x_sa_ref to struct sadb_sa.
-+ *
-+ * Revision 1.47 2002/09/20 05:01:31 rgb
-+ * Fixed usage of pfkey_lib_debug.
-+ * Format for function declaration style consistency.
-+ * Added text labels to elucidate numeric values presented.
-+ * Re-organised debug output to reduce noise in output.
-+ *
-+ * Revision 1.46 2002/07/24 18:44:54 rgb
-+ * Type fiddling to tame ia64 compiler.
-+ *
-+ * Revision 1.45 2002/05/23 07:14:11 rgb
-+ * Cleaned up %p variants to 0p%p for test suite cleanup.
-+ *
-+ * Revision 1.44 2002/04/24 07:55:32 mcr
-+ * #include patches and Makefiles for post-reorg compilation.
-+ *
-+ * Revision 1.43 2002/04/24 07:36:40 mcr
-+ * Moved from ./lib/pfkey_v2_parse.c,v
-+ *
-+ * Revision 1.42 2002/01/29 22:25:36 rgb
-+ * Re-add ipsec_kversion.h to keep MALLOC happy.
-+ *
-+ * Revision 1.41 2002/01/29 01:59:10 mcr
-+ * removal of kversions.h - sources that needed it now use ipsec_param.h.
-+ * updating of IPv6 structures to match latest in6.h version.
-+ * removed dead code from openswan.h that also duplicated kversions.h
-+ * code.
-+ *
-+ * Revision 1.40 2002/01/20 20:34:50 mcr
-+ * added pfkey_v2_sadb_type_string to decode sadb_type to string.
-+ *
-+ * Revision 1.39 2001/11/27 05:29:22 mcr
-+ * pfkey parses are now maintained by a structure
-+ * that includes their name for debug purposes.
-+ * DEBUGGING() macro changed so that it takes a debug
-+ * level so that pf_key() can use this to decode the
-+ * structures without innundanting humans.
-+ * Also uses pfkey_v2_sadb_ext_string() in messages.
-+ *
-+ * Revision 1.38 2001/11/06 19:47:47 rgb
-+ * Added packet parameter to lifetime and comb structures.
-+ *
-+ * Revision 1.37 2001/10/18 04:45:24 rgb
-+ * 2.4.9 kernel deprecates linux/malloc.h in favour of linux/slab.h,
-+ * lib/openswan.h version macros moved to lib/kversions.h.
-+ * Other compiler directive cleanups.
-+ *
-+ * Revision 1.36 2001/06/14 19:35:16 rgb
-+ * Update copyright date.
-+ *
-+ * Revision 1.35 2001/05/03 19:44:51 rgb
-+ * Standardise on SENDERR() macro.
-+ *
-+ * Revision 1.34 2001/03/16 07:41:51 rgb
-+ * Put openswan.h include before pluto includes.
-+ *
-+ * Revision 1.33 2001/02/27 07:13:51 rgb
-+ * Added satype2name() function.
-+ * Added text to default satype_tbl entry.
-+ * Added satype2name() conversions for most satype debug output.
-+ *
-+ * Revision 1.32 2001/02/26 20:01:09 rgb
-+ * Added internal IP protocol 61 for magic SAs.
-+ * Ditch unused sadb_satype2proto[], replaced by satype2proto().
-+ * Re-formatted debug output (split lines, consistent spacing).
-+ * Removed acquire, register and expire requirements for a known satype.
-+ * Changed message type checking to a switch structure.
-+ * Verify expected NULL auth for IPCOMP.
-+ * Enforced spi > 0x100 requirement, now that pass uses a magic SA for
-+ * appropriate message types.
-+ *
-+ * Revision 1.31 2000/12/01 07:09:00 rgb
-+ * Added ipcomp sanity check to require encalgo is set.
-+ *
-+ * Revision 1.30 2000/11/17 18:10:30 rgb
-+ * Fixed bugs mostly relating to spirange, to treat all spi variables as
-+ * network byte order since this is the way PF_KEYv2 stored spis.
-+ *
-+ * Revision 1.29 2000/10/12 00:02:39 rgb
-+ * Removed 'format, ##' nonsense from debug macros for RH7.0.
-+ *
-+ * Revision 1.28 2000/09/20 16:23:04 rgb
-+ * Remove over-paranoid extension check in the presence of sadb_msg_errno.
-+ *
-+ * Revision 1.27 2000/09/20 04:04:21 rgb
-+ * Changed static functions to DEBUG_NO_STATIC to reveal function names in
-+ * oopsen.
-+ *
-+ * Revision 1.26 2000/09/15 11:37:02 rgb
-+ * Merge in heavily modified Svenning Soerensen's <svenning@post5.tele.dk>
-+ * IPCOMP zlib deflate code.
-+ *
-+ * Revision 1.25 2000/09/12 22:35:37 rgb
-+ * Restructured to remove unused extensions from CLEARFLOW messages.
-+ *
-+ * Revision 1.24 2000/09/12 18:59:54 rgb
-+ * Added Gerhard's IPv6 support to pfkey parts of libopenswan.
-+ *
-+ * Revision 1.23 2000/09/12 03:27:00 rgb
-+ * Moved DEBUGGING definition to compile kernel with debug off.
-+ *
-+ * Revision 1.22 2000/09/09 06:39:27 rgb
-+ * Restrict pfkey errno check to downward messages only.
-+ *
-+ * Revision 1.21 2000/09/08 19:22:34 rgb
-+ * Enabled pfkey_sens_parse().
-+ * Added check for errno on downward acquire messages only.
-+ *
-+ * Revision 1.20 2000/09/01 18:48:23 rgb
-+ * Fixed reserved check bug and added debug output in
-+ * pfkey_supported_parse().
-+ * Fixed debug output label bug in pfkey_ident_parse().
-+ *
-+ * Revision 1.19 2000/08/27 01:55:26 rgb
-+ * Define OCTETBITS and PFKEYBITS to avoid using 'magic' numbers in code.
-+ *
-+ * Revision 1.18 2000/08/24 17:00:36 rgb
-+ * Ignore unknown extensions instead of failing.
-+ *
-+ * Revision 1.17 2000/06/02 22:54:14 rgb
-+ * Added Gerhard Gessler's struct sockaddr_storage mods for IPv6 support.
-+ *
-+ * Revision 1.16 2000/05/10 19:25:11 rgb
-+ * Fleshed out proposal and supported extensions.
-+ *
-+ * Revision 1.15 2000/01/24 21:15:31 rgb
-+ * Added disabled pluto pfkey lib debug flag.
-+ * Added algo debugging reporting.
-+ *
-+ * Revision 1.14 2000/01/22 23:24:29 rgb
-+ * Added new functions proto2satype() and satype2proto() and lookup
-+ * table satype_tbl. Also added proto2name() since it was easy.
-+ *
-+ * Revision 1.13 2000/01/21 09:43:59 rgb
-+ * Cast ntohl(spi) as (unsigned long int) to shut up compiler.
-+ *
-+ * Revision 1.12 2000/01/21 06:28:19 rgb
-+ * Added address cases for eroute flows.
-+ * Indented compiler directives for readability.
-+ * Added klipsdebug switching capability.
-+ *
-+ * Revision 1.11 1999/12/29 21:14:59 rgb
-+ * Fixed debug text cut and paste typo.
-+ *
-+ * Revision 1.10 1999/12/10 17:45:24 rgb
-+ * Added address debugging.
-+ *
-+ * Revision 1.9 1999/12/09 23:11:42 rgb
-+ * Ditched <string.h> include since we no longer use memset().
-+ * Use new pfkey_extensions_init() instead of memset().
-+ * Added check for SATYPE in pfkey_msg_build().
-+ * Tidy up comments and debugging comments.
-+ *
-+ * Revision 1.8 1999/12/07 19:55:26 rgb
-+ * Removed unused first argument from extension parsers.
-+ * Removed static pluto debug flag.
-+ * Moved message type and state checking to pfkey_msg_parse().
-+ * Changed print[fk] type from lx to x to quiet compiler.
-+ * Removed redundant remain check.
-+ * Changed __u* types to uint* to avoid use of asm/types.h and
-+ * sys/types.h in userspace code.
-+ *
-+ * Revision 1.7 1999/12/01 22:20:51 rgb
-+ * Moved pfkey_lib_debug variable into the library.
-+ * Added pfkey version check into header parsing.
-+ * Added check for SATYPE only for those extensions that require a
-+ * non-zero value.
-+ *
-+ * Revision 1.6 1999/11/27 11:58:05 rgb
-+ * Added ipv6 headers.
-+ * Moved sadb_satype2proto protocol lookup table from
-+ * klips/net/ipsec/pfkey_v2_parser.c.
-+ * Enable lifetime_current checking.
-+ * Debugging error messages added.
-+ * Add argument to pfkey_msg_parse() for direction.
-+ * Consolidated the 4 1-d extension bitmap arrays into one 4-d array.
-+ * Add CVS log entry to bottom of file.
-+ * Moved auth and enc alg check to pfkey_msg_parse().
-+ * Enable accidentally disabled spirange parsing.
-+ * Moved protocol/algorithm checks from klips/net/ipsec/pfkey_v2_parser.c
-+ *
+ * Local variables:
+ * c-file-style: "linux"
+ * End:
+ */
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/pfkey_v2_parser.c Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,3520 @@
+@@ -0,0 +1,3543 @@
+/*
+ * @(#) RFC2367 PF_KEYv2 Key management API message parser
+ * Copyright (C) 1999, 2000, 2001 Richard Guy Briggs <rgb@freeswan.org>
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
-+ * RCSID $Id: pfkey_v2_parser.c,v 1.134.2.2 2006/10/06 21:39:26 paul Exp $
++ * RCSID $Id: pfkey_v2_parser.c,v 1.134 2005/05/11 01:48:20 mcr Exp $
+ */
+
+/*
+ * Template from klips/net/ipsec/ipsec/ipsec_netlink.c.
+ */
+
-+char pfkey_v2_parser_c_version[] = "$Id: pfkey_v2_parser.c,v 1.134.2.2 2006/10/06 21:39:26 paul Exp $";
++char pfkey_v2_parser_c_version[] = "$Id: pfkey_v2_parser.c,v 1.134 2005/05/11 01:48:20 mcr Exp $";
+
+#ifndef AUTOCONF_INCLUDED
+#include <linux/config.h>
+# include <asm/spinlock.h> /* *lock* */
+# endif /* SPINLOCK_23 */
+#endif /* SPINLOCK */
-+
-+#include <linux/in6.h>
-+#include <net/route.h>
++#ifdef NET_21
++# include <net/route.h> /* inet_addr_type */
++# include <linux/in6.h>
++# define ip_chk_addr inet_addr_type
++# define IS_MYADDR RTN_LOCAL
++#endif
+
+#include <net/ip.h>
+#ifdef NETLINK_SOCK
+#include "openswan/ipsec_rcv.h"
+#include "openswan/ipcomp.h"
+
-+#include <pfkeyv2.h>
-+#include <pfkey.h>
++#include <openswan/pfkeyv2.h>
++#include <openswan/pfkey.h>
+
+#include "openswan/ipsec_proto.h"
+#include "openswan/ipsec_alg.h"
+DEBUG_NO_STATIC int
+pfkey_ipsec_sa_init(struct ipsec_sa *ipsp)
+{
-+
-+ return ipsec_sa_init(ipsp);
++ int rc;
++ KLIPS_PRINT(debug_pfkey, "Calling SA_INIT\n");
++ rc = ipsec_sa_init(ipsp);
++ return rc;
+}
+
+int
+ SENDERR(EEXIST);
+ }
+
-+ if(inet_addr_type((unsigned long)extr->ips->ips_said.dst.u.v4.sin_addr.s_addr) == RTN_LOCAL) {
++ if(ip_chk_addr((unsigned long)extr->ips->ips_said.dst.u.v4.sin_addr.s_addr) == IS_MYADDR) {
+ extr->ips->ips_flags |= EMT_INBOUND;
+ }
+
+ extr->ips->ips_rcvif = NULL;
+ extr->ips->ips_life.ipl_addtime.ipl_count = jiffies/HZ;
+
-+ extr->ips->ips_state = SADB_SASTATE_LARVAL;
++ extr->ips->ips_state = K_SADB_SASTATE_LARVAL;
+
+ if(!extr->ips->ips_life.ipl_allocations.ipl_count) {
+ extr->ips->ips_life.ipl_allocations.ipl_count += 1;
+ SADB_EXT_SA,
+ extr->ips->ips_said.spi,
+ 0,
-+ SADB_SASTATE_LARVAL,
++ K_SADB_SASTATE_LARVAL,
+ 0,
+ 0,
+ 0,
+
+ pfkey_extensions_init(extensions_reply);
+
-+ if(((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state != SADB_SASTATE_MATURE) {
++ if(((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state != K_SADB_SASTATE_MATURE) {
+ KLIPS_PRINT(debug_pfkey,
+ "klips_debug:pfkey_update_parse: "
+ "error, sa_state=%d must be MATURE=%d\n",
+ ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state,
-+ SADB_SASTATE_MATURE);
++ K_SADB_SASTATE_MATURE);
+ SENDERR(EINVAL);
+ }
+
+ SENDERR(ENOENT);
+ }
+
-+ if(inet_addr_type((unsigned long)extr->ips->ips_said.dst.u.v4.sin_addr.s_addr) == RTN_LOCAL) {
++ if(ip_chk_addr((unsigned long)extr->ips->ips_said.dst.u.v4.sin_addr.s_addr) == IS_MYADDR) {
+ extr->ips->ips_flags |= EMT_INBOUND;
+ }
+
+ nat_t_ips_saved = extr->ips;
+ extr->ips = ipsq;
+ }
-+ else {
++ else
+#endif
++ {
+
-+ /* XXX extr->ips->ips_rcvif = &(enc_softc[em->em_if].enc_if);*/
-+ extr->ips->ips_rcvif = NULL;
-+ if ((error = pfkey_ipsec_sa_init(extr->ips))) {
-+ ipsec_sa_put(ipsq);
-+ spin_unlock_bh(&tdb_lock);
-+ KLIPS_PRINT(debug_pfkey,
-+ "klips_debug:pfkey_update_parse: "
-+ "not successful for SA: %s, deleting.\n",
-+ sa_len ? sa : " (error)");
-+ SENDERR(-error);
-+ }
++ /* XXX extr->ips->ips_rcvif = &(enc_softc[em->em_if].enc_if);*/
++ extr->ips->ips_rcvif = NULL;
++ if ((error = pfkey_ipsec_sa_init(extr->ips))) {
++ ipsec_sa_put(ipsq);
++ spin_unlock_bh(&tdb_lock);
++ KLIPS_PRINT(debug_pfkey,
++ "klips_debug:pfkey_update_parse: "
++ "not successful for SA: %s, deleting.\n",
++ sa_len ? sa : " (error)");
++ SENDERR(-error);
++ }
+
-+ extr->ips->ips_life.ipl_addtime.ipl_count = ipsq->ips_life.ipl_addtime.ipl_count;
-+ ipsec_sa_put(ipsq);
-+ if((error = ipsec_sa_delchain(ipsq))) {
-+ spin_unlock_bh(&tdb_lock);
-+ KLIPS_PRINT(debug_pfkey,
-+ "klips_debug:pfkey_update_parse: "
-+ "error=%d, trouble deleting intermediate ipsec_sa for SA=%s.\n",
-+ error,
-+ sa_len ? sa : " (error)");
-+ SENDERR(-error);
-+ }
-+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
++ extr->ips->ips_life.ipl_addtime.ipl_count = ipsq->ips_life.ipl_addtime.ipl_count;
++
++ /* this will call delchain-equivalent if refcount=>0 */
++ ipsec_sa_put(ipsq);
+ }
-+#endif
+
+ spin_unlock_bh(&tdb_lock);
+
+
+ pfkey_extensions_init(extensions_reply);
+
-+ if(((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state != SADB_SASTATE_MATURE) {
++ if(((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state != K_SADB_SASTATE_MATURE) {
+ KLIPS_PRINT(debug_pfkey,
+ "klips_debug:pfkey_add_parse: "
+ "error, sa_state=%d must be MATURE=%d\n",
+ ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state,
-+ SADB_SASTATE_MATURE);
++ K_SADB_SASTATE_MATURE);
+ SENDERR(EINVAL);
+ }
+
+ SENDERR(EEXIST);
+ }
+
-+ if(inet_addr_type((unsigned long)extr->ips->ips_said.dst.u.v4.sin_addr.s_addr) == RTN_LOCAL) {
++ if(ip_chk_addr((unsigned long)extr->ips->ips_said.dst.u.v4.sin_addr.s_addr) == IS_MYADDR) {
+ extr->ips->ips_flags |= EMT_INBOUND;
+ }
+
+ SENDERR(-error);
+ }
+
++#if 0
++ /* extensions would provide this information, but not in this branch */
++ if(extr->sarefme!=IPSEC_SAREF_NULL
++ && extr->ips->ips_ref==IPSEC_SAREF_NULL) {
++ extr->ips->ips_ref=extr->sarefme;
++ }
++
++ if(extr->sarefhim!=IPSEC_SAREF_NULL
++ && extr->ips->ips_refhim==IPSEC_SAREF_NULL) {
++ extr->ips->ips_refhim=extr->sarefhim;
++ }
++#endif
++
++ /* attach it to the SAref table */
++ if((error = ipsec_sa_intern(extr->ips)) != 0) {
++ KLIPS_ERROR(debug_pfkey,
++ "pfkey_add_parse: "
++ "failed to intern SA as SAref#%lu\n"
++ , (unsigned long)extr->ips->ips_ref);
++ SENDERR(-error);
++ }
++
+ extr->ips->ips_life.ipl_addtime.ipl_count = jiffies / HZ;
+ if(!extr->ips->ips_life.ipl_allocations.ipl_count) {
+ extr->ips->ips_life.ipl_allocations.ipl_count += 1;
+ error);
+ SENDERR(-error);
+ }
++ ipsec_sa_put(extr->ips);
+ extr->ips = NULL;
+
+ KLIPS_PRINT(debug_pfkey,
+ struct sadb_msg *pfkey_reply = NULL;
+ struct socket_list *pfkey_socketsp;
+ uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
++ IPsecSAref_t ref;
+
+ KLIPS_PRINT(debug_pfkey,
+ "klips_debug:pfkey_delete_parse: .\n");
+ SENDERR(ESRCH);
+ }
+
++ /* remove it from SAref tables */
++ ref = ipsp->ips_ref;
++ ipsec_sa_untern(ipsp);
++ ipsec_sa_rm(ipsp);
++
++ /* this will call delchain-equivalent if refcount -> 0
++ * noting that get() above, added to ref count */
+ ipsec_sa_put(ipsp);
-+ if((error = ipsec_sa_delchain(ipsp))) {
-+ spin_unlock_bh(&tdb_lock);
-+ KLIPS_PRINT(debug_pfkey,
-+ "klips_debug:pfkey_delete_parse: "
-+ "error=%d returned trying to delete ipsec_sa for SA:%s.\n",
-+ error,
-+ sa_len ? sa : " (error)");
-+ SENDERR(-error);
-+ }
+ spin_unlock_bh(&tdb_lock);
+
+ if(!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions_reply[0],
+ 0,
+ 0,
+ 0,
-+ extr->ips->ips_ref),
++ ref),
+ extensions_reply)
+ && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_SRC],
+ SADB_EXT_ADDRESS_SRC,
+ buf1, buf2);
+ }
+#endif /* CONFIG_KLIPS_DEBUG */
-+
+ if(extr->ips->ips_flags & SADB_X_SAFLAGS_INFLOW) {
++/* if(ip_chk_addr((unsigned long)extr->ips->ips_said.dst.u.v4.sin_addr.s_addr) == IS_MYADDR) */
+ struct ipsec_sa *ipsp, *ipsq;
+ char sa[SATOT_BUF];
+ size_t sa_len;
+ "klips_debug:pfkey_x_addflow_parse: "
+ "first=0p%p HOLD packet re-injected.\n",
+ first);
-+ DEV_QUEUE_XMIT(first, first->dev, SOPRI_NORMAL);
++ dst_output(first);
+ }
+ if(last != NULL) {
+ KLIPS_PRINT(debug_eroute,
+ "klips_debug:pfkey_x_addflow_parse: "
+ "last=0p%p HOLD packet re-injected.\n",
+ last);
-+ DEV_QUEUE_XMIT(last, last->dev, SOPRI_NORMAL);
++ dst_output(last);
+ }
+ }
+
+ KLIPS_PRINT(debug_pfkey,
+ "klips_debug:pfkey_x_delflow_parse: "
+ "CLEARFLOW flag set, calling cleareroutes.\n");
-+ if ((error = ipsec_cleareroutes()))
++ if ((error = ipsec_cleareroutes())) {
+ KLIPS_PRINT(debug_pfkey,
+ "klips_debug:pfkey_x_delflow_parse: "
+ "cleareroutes returned %d.\n", error);
+ SENDERR(-error);
++ }
+ } else {
+ struct sk_buff *first = NULL, *last = NULL;
+
+ }
+ }
+
-+ if(!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions_reply[0],
-+ SADB_X_DELFLOW,
-+ satype,
-+ 0,
-+ ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_seq,
-+ ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid),
-+ extensions_reply)
-+ && pfkey_safe_build(error = pfkey_sa_ref_build(&extensions_reply[SADB_EXT_SA],
-+ SADB_EXT_SA,
-+ extr->ips->ips_said.spi,
-+ extr->ips->ips_replaywin,
-+ extr->ips->ips_state,
-+ extr->ips->ips_authalg,
-+ extr->ips->ips_encalg,
-+ extr->ips->ips_flags,
-+ extr->ips->ips_ref),
-+ extensions_reply)
-+ && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_SRC_FLOW],
-+ SADB_X_EXT_ADDRESS_SRC_FLOW,
-+ 0, /*extr->ips->ips_said.proto,*/
-+ 0,
-+ (struct sockaddr*)&srcflow),
-+ extensions_reply)
-+ && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_DST_FLOW],
-+ SADB_X_EXT_ADDRESS_DST_FLOW,
-+ 0, /*extr->ips->ips_said.proto,*/
-+ 0,
-+ (struct sockaddr*)&dstflow),
-+ extensions_reply)
-+ && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_SRC_MASK],
-+ SADB_X_EXT_ADDRESS_SRC_MASK,
-+ 0, /*extr->ips->ips_said.proto,*/
-+ 0,
-+ (struct sockaddr*)&srcmask),
-+ extensions_reply)
-+ && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_DST_MASK],
-+ SADB_X_EXT_ADDRESS_DST_MASK,
-+ 0, /*extr->ips->ips_said.proto,*/
-+ 0,
-+ (struct sockaddr*)&dstmask),
-+ extensions_reply)
-+ )) {
++ error = pfkey_msg_hdr_build(&extensions_reply[0],
++ SADB_X_DELFLOW,
++ satype, 0,
++ ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_seq,
++ ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid);
++
++ if(pfkey_safe_build(error, extensions_reply)) {
++ error = pfkey_sa_ref_build(&extensions_reply[SADB_EXT_SA],
++ SADB_EXT_SA,
++ extr->ips->ips_said.spi,
++ extr->ips->ips_replaywin,
++ extr->ips->ips_state,
++ extr->ips->ips_authalg,
++ extr->ips->ips_encalg,
++ extr->ips->ips_flags,
++ extr->ips->ips_ref);
++ }
++
++ if(!(extr->ips->ips_flags & SADB_X_SAFLAGS_CLEARFLOW)) {
++ if(pfkey_safe_build(error, extensions_reply)) {
++ error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_SRC_FLOW],
++ SADB_X_EXT_ADDRESS_SRC_FLOW,
++ 0, /*extr->ips->ips_said.proto,*/
++ 0,
++ (struct sockaddr*)&srcflow);
++ }
++
++ if(pfkey_safe_build(error, extensions_reply)) {
++ error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_DST_FLOW],
++ SADB_X_EXT_ADDRESS_DST_FLOW,
++ 0, /*extr->ips->ips_said.proto,*/
++ 0,
++ (struct sockaddr*)&dstflow);
++ }
++
++ if(pfkey_safe_build(error, extensions_reply)) {
++ error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_SRC_MASK],
++ SADB_X_EXT_ADDRESS_SRC_MASK,
++ 0, /*extr->ips->ips_said.proto,*/
++ 0,
++ (struct sockaddr*)&srcmask);
++ }
++
++ if(pfkey_safe_build(error, extensions_reply)) {
++ error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_DST_MASK],
++ SADB_X_EXT_ADDRESS_DST_MASK,
++ 0, /*extr->ips->ips_said.proto,*/
++ 0,
++ (struct sockaddr*)&dstmask);
++ }
++ }
++
++ if(!pfkey_safe_build(error, extensions_reply)) {
+ KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_delflow_parse: "
+ "failed to build the x_delflow reply message extensions\n");
+ SENDERR(-error);
+ SENDERR(-error);
+ }
+
-+#if KLIPS_PFKEY_ACQUIRE_LOSSAGE > 0
++#if defined(KLIPS_PFKEY_ACQUIRE_LOSSAGE) && KLIPS_PFKEY_ACQUIRE_LOSSAGE > 0
+ if(sysctl_ipsec_regress_pfkey_lossage) {
+ return(0);
+ }
+ if (!extr || !extr->ips) {
+ KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_build_reply: "
+ "bad ipsec_sa passed\n");
-+ return EINVAL;
++ return EINVAL; // TODO: should this not be negative?
+ }
+ error = pfkey_safe_build(pfkey_msg_hdr_build(&extensions[0],
+ msg_type,
+
+ /* Process the extensions */
+ for(i=1; i <= SADB_EXT_MAX;i++) {
-+ if(extensions[i] != NULL) {
++ if(extensions[i] != NULL && ext_processors[i]!=NULL) {
+ KLIPS_PRINT(debug_pfkey,
+ "klips_debug:pfkey_msg_interp: "
+ "processing ext %d 0p%p with processor 0p%p.\n",
+#endif
+ errlab:
+ if(extr.ips != NULL) {
-+ ipsec_sa_wipe(extr.ips);
++ ipsec_sa_put(extr.ips);
+ }
+ if(extr.ips2 != NULL) {
-+ ipsec_sa_wipe(extr.ips2);
++ ipsec_sa_put(extr.ips2);
+ }
+ if (extr.eroute != NULL) {
+ kfree(extr.eroute);
+
+/*
+ * $Log: pfkey_v2_parser.c,v $
-+ * Revision 1.134.2.2 2006/10/06 21:39:26 paul
-+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
-+ * set. This is defined through autoconf.h which is included through the
-+ * linux kernel build macros.
-+ *
-+ * Revision 1.134.2.1 2006/05/01 14:37:25 mcr
-+ * ip_chk_addr -> inet_addr_type for more direct 2.4/2.6 support.
-+ *
+ * Revision 1.134 2005/05/11 01:48:20 mcr
+ * removed "poor-man"s OOP in favour of proper C structures.
+ *
+ */
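Review bot: The `return EINVAL; // TODO: should this not be negative?` added in pfkey_build_reply leaves the sign convention of this function's error return as an open question in committed code; the surrounding new code treats callee errors as negative values and flips them with `SENDERR(-error)` (see the added `ipsec_sa_intern` check in pfkey_add_parse), so if pfkey_build_reply's callers follow the same pattern a positive EINVAL would come back inverted. Its callers are outside this chunk, so confirm against them and either return `-EINVAL` or replace the question with a statement of the convention, e.g. `return EINVAL; /* positive errno: callers pass it through unchanged */`; the `//` comment is also the only one of its kind in a file otherwise written with `/* */` comments. Separately, the new `#if 0 … #endif` block in pfkey_add_parse and the commented-out `ip_chk_addr` line beside the `SADB_X_SAFLAGS_INFLOW` check are dead code that should either carry a one-line reason for being kept or be dropped. The enclosing functions start and end outside their hunks.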
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/prng.c Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,201 @@
+@@ -0,0 +1,202 @@
+/*
+ * crypto-class pseudorandom number generator
+ * currently uses same algorithm as RC4(TM), from Schneier 2nd ed p397
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
+ * License for more details.
+ *
-+ * RCSID $Id: prng.c,v 1.7 2004/07/10 07:48:36 mcr Exp $
++ * RCSID $Id: prng.c,v 1.8 2005/08/25 01:20:21 paul Exp $
+ */
+#include "openswan.h"
+
+ int i, j, t;
+ unsigned char *p = dst;
+ size_t remain = dstlen;
-+# define MAX 4000000000ul
++# define MAXCOUNT 4000000000ul
+
+ while (remain > 0) {
+ i = (prng->i + 1) & 0xff;
+ *p++ = prng->sbox[t];
+ remain--;
+ }
-+ if (prng->count < MAX - dstlen)
++ if (prng->count < MAXCOUNT - dstlen)
+ prng->count += dstlen;
+ else
-+ prng->count = MAX;
++ prng->count = MAXCOUNT;
+}
+
+/*
+#ifdef PRNG_MAIN
+
+#include <stdio.h>
++#include <stdlib.h>
+
+void regress();
+
+#endif /* PRNG_MAIN */
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/radij.c Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,1237 @@
-+char radij_c_version[] = "RCSID $Id: radij.c,v 1.48.2.1 2006/10/06 21:39:27 paul Exp $";
+@@ -0,0 +1,1232 @@
++char radij_c_version[] = "RCSID $Id: radij.c,v 1.48 2005/04/29 05:10:22 mcr Exp $";
+
+/*
+ * This file is defived from ${SRC}/sys/net/radix.c of BSD 4.4lite
+
+/*
+ * $Log: radij.c,v $
-+ * Revision 1.48.2.1 2006/10/06 21:39:27 paul
-+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
-+ * set. This is defined through autoconf.h which is included through the
-+ * linux kernel build macros.
-+ *
+ * Revision 1.48 2005/04/29 05:10:22 mcr
+ * removed from extraenous includes to make unit testing easier.
+ *
+}
--- /dev/null Tue Mar 11 13:02:56 2003
+++ linux/net/ipsec/satot.c Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,133 @@
+@@ -0,0 +1,134 @@
+/*
+ * convert from binary form of SA ID to text
+ * Copyright (C) 2000, 2001 Henry Spencer.
+ }
+
+ if (sa->proto == SA_INT) {
++ char intunk[10];
+ switch (ntohl(sa->spi)) {
+ case SPI_PASS: p = "%pass"; break;
+ case SPI_DROP: p = "%drop"; break;
+ case SPI_HOLD: p = "%hold"; break;
+ case SPI_TRAP: p = "%trap"; break;
+ case SPI_TRAPSUBNET: p = "%trapsubnet"; break;
-+ default: p = NULL; break;
++ default: snprintf(intunk, 10, "%%unk-%d", ntohl(sa->spi)); p = intunk; break;
+ }
+ if (p != NULL) {
+ strcpy(buf, p);
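Review bot: The new default arm `snprintf(intunk, 10, "%%unk-%d", ntohl(sa->spi))` passes an unsigned 32-bit value to `%d`, so SPIs with the top bit set print as negative numbers, and `intunk[10]` holds `%unk-` plus only four digits, so any larger value is silently truncated by snprintf. Size the buffer for the full value and use an unsigned conversion: `char intunk[sizeof("%unk-") + 10];` and `snprintf(intunk, sizeof intunk, "%%unk-%u", (unsigned)ntohl(sa->spi));`. With the default arm now always setting `p`, the following `if (p != NULL)` test is always true on this path; if an unknown SPI was previously meant to fall through to the generic formatting further down, that behaviour is lost and the check should be removed or the intent documented. The enclosing function starts and ends outside the hunk.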
+
+#include "openswan.h"
+
-+#define V "2.4.8rc1" /* substituted in by Makefile */
++#define V "2.5.13" /* substituted in by Makefile */
+static const char openswan_number[] = V;
+static const char openswan_string[] = "Openswan " V;
+
--- /dev/null Fri May 10 13:59:54 2002
+++ linux/net/ipsec/Makefile.ver Sun Jul 28 22:10:40 2002
@@ -0,0 +1 @@
-+IPSECVERSION=2.4.8rc1
++IPSECVERSION='2.5.13'