From: ms
Date: Thu, 10 May 2007 21:36:03 +0000 (+0000)
Subject: IPSec/OpenSWAN-Update
X-Git-Tag: v2.3-beta1~710
X-Git-Url: http://git.ipfire.org/?p=people%2Fpmueller%2Fipfire-2.x.git;a=commitdiff_plain;h=224bbb4e8ef8e2e0e2496dd2eadadeea68d79092

IPSec/OpenSWAN-Update

UTF8-Patch im Kernel.

git-svn-id: http://svn.ipfire.org/svn/ipfire/trunk@549 ea5c0bd1-69bd-2848-81d8-4f18e57aeed8
---
diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot
index a6a496382e..1fe86d103d 100644
--- a/config/rootfiles/common/configroot
+++ b/config/rootfiles/common/configroot
@@ -143,7 +143,7 @@ var/ipfire/vpn
 #var/ipfire/vpn/settings
 var/ipfire/wakeonlan
 #var/ipfire/wakeonlan/clients.conf
-#var/ipfire/wireless
+var/ipfire/wireless
 #var/ipfire/wireless/config
 #var/ipfire/wireless/settings
 var/ipfire/xtaccess
diff --git a/doc/packages-list.txt b/doc/packages-list.txt
index 3720425041..8a8601ca3f 100644
--- a/doc/packages-list.txt
+++ b/doc/packages-list.txt
@@ -188,6 +188,7 @@
 * openssh-4.3p2
 * openssl-0.9.8d
 * openswan-2.4.8rc1
+* openswan-2.5.13
 * openvpn-2.0.9
 * pam_mysql-0.7RC1
 * patch-2.5.4
diff --git a/lfs/linux b/lfs/linux
index c8eb679dd7..1efdc28048 100644
--- a/lfs/linux
+++ b/lfs/linux
@@ -53,7 +53,8 @@ objects =$(DL_FILE) \
 	iptables-1.3.5.tar.bz2 \
 	patch-o-matic-ng-20061210.tar.bz2 \
 	netfilter-layer7-v2.9.tar.gz \
-	patch-2.6.16-nath323-1.3.bz2
+	patch-2.6.16-nath323-1.3.bz2 \
+	openswan-2.5.13.tar.gz
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 patch-o-matic-ng-20061210.tar.bz2 = $(URL_IPFIRE)/patch-o-matic-ng-20061210.tar.bz2
@@ -62,6 +63,7 @@ netfilter-layer7-v2.9.tar.gz = $(URL_IPFIRE)/netfilter-layer7-v2.9.tar.gz
 patch-2.6.16-nath323-1.3.bz2 = $(URL_IPFIRE)/patch-2.6.16-nath323-1.3.bz2
 squashfs3.2-r2.tar.gz = $(URL_IPFIRE)/squashfs3.2-r2.tar.gz
 mISDN-CVS-2007-01-26.tar.bz2 = $(URL_IPFIRE)/mISDN-CVS-2007-01-26.tar.bz2
+openswan-2.5.13.tar.gz = $(URL_IPFIRE)/openswan-2.5.13.tar.gz
 
 $(DL_FILE)_MD5 = cc2106c6188675187d636aa518b04958
 patch-o-matic-ng-20061210.tar.bz2_MD5 = 76edac76301b45f89e467b41c8cf4393
@@ -70,6 +72,7 @@ netfilter-layer7-v2.9.tar.gz_MD5 = ebf9043a5352ebe6dbd721989ef83dee
 patch-2.6.16-nath323-1.3.bz2_MD5 = f926409ff703a307baf54b57ab75d138
 squashfs3.2-r2.tar.gz_MD5 = bf360b92eba9e6d5610196ce2e02fcd1
 mISDN-CVS-2007-01-26.tar.bz2_MD5 = 844c70dc851faffcae7549fd738c7b49
+openswan-2.5.13.tar.gz_MD5 = b83a42ea00ee24ed34413bc122cada51
 
 install : $(TARGET)
 
@@ -101,14 +104,15 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@rm -rf $(DIR_APP) $(DIR_SRC)/linux && cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE)
 	ln -s linux-$(VER) /usr/src/linux
 
+	# An UTF8 patch from LFS
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux-2.6.16.27-utf8_input-1.patch
+
 	# Openswan 2
 	cd $(DIR_SRC) && rm -rf openswan-*
-	cd $(DIR_SRC) && tar xfvz $(DIR_DL)/openswan-2.4.8rc1.tar.gz
-	#cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openswan26_netkey.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openswan-2.4.8rc1.kernel-2.6-natt.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openswan-2.4.8rc1.kernel-2.6-klips.patch
-
-
+	cd $(DIR_SRC) && tar xfz $(DIR_DL)/openswan-2.5.13.tar.gz
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openswan-2.5.13.kernel-2.6-klips.patch
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openswan-2.5.13.kernel-2.6-natt.patch
+	cd $(DIR_SRC)/openswan-* && sed -i -e 's/INC_USRLOCAL=\/usr\/local/INC_USRLOCAL=\/usr/' Makefile.inc
 
 	# H323 conntrack
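Review bot: The added `openswan-2.5.13.tar.gz_MD5` line is the only integrity check on a tarball that the previous hunk fetches from `$(URL_IPFIRE)`, i.e. the project mirror rather than upstream, and MD5 is no longer collision-resistant, so the digest only pins whatever was on the mirror when it was computed. The same digest is declared again in lfs/openswan (`$(DL_FILE)_MD5 = b83a42ea...`); if one file is bumped without the other, the KLIPS module and the userland get built from different openswan sources and, assuming the lfs framework only compares each file's own `_MD5`, nothing will complain. A comment stating the provenance would make both problems reviewable later, e.g. `# keep in sync with lfs/openswan; digest checked against upstream's openswan-2.5.13.tar.gz.md5`.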
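Review bot: The new recipe line applies `$(DIR_SRC)/src/patches/linux-2.6.16.27-utf8_input-1.patch`, but that file is not added anywhere in this diff, so unless it was committed separately `patch` fails on a missing input and the whole kernel build aborts at this line. The two openswan patches are also now applied in the opposite order to before (klips, then natt); if that is deliberate for 2.5.13 a one-line comment would stop the next person from "fixing" it back, e.g. `# order matters: klips patch must be applied before the natt patch`. The final `cd $(DIR_SRC)/openswan-* && sed ...` relies on the glob matching exactly one directory, which the earlier `rm -rf openswan-*` guarantees only if nothing else drops an `openswan-*` directory into `$(DIR_SRC)`; the `$(TARGET)` recipe continues past the end of this hunk.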
@@ -179,7 +183,7 @@ ifeq "$(SMP)" "1"
 	ln -sf vmlinuz-$(VER)-ipfire-smp /boot/vmlinuz-ipfire-smp
 	cd $(DIR_APP) && make CC="$(KGCC)" $(MAKETUNING) modules
 	cd $(DIR_APP) && make CC="$(KGCC)" $(MAKETUNING) modules_install
-	mkdir -p /usr/src/openswan-2.4.8rc1/modobj26/null
+	mkdir -p /usr/src/openswan-2.5.13/modobj26/null
 	cd $(DIR_SRC)/openswan-* && make KERNELSRC=/usr/src/$(THISAPP) CC=$(CC) module
 	cd $(DIR_SRC)/openswan-* && make KERNELSRC=/usr/src/$(THISAPP) CC=$(CC) minstall
 else
@@ -192,7 +196,7 @@ else
 	ln -sf System.map-$(VER)-ipfire /boot/System.map-ipfire
 	cd $(DIR_APP) && make CC="$(KGCC)" $(MAKETUNING) modules
 	cd $(DIR_APP) && make CC="$(KGCC)" $(MAKETUNING) modules_install
-	mkdir -p /usr/src/openswan-2.4.8rc1/modobj26/null
+	mkdir -p /usr/src/openswan-2.5.13/modobj26/null
 	cd $(DIR_SRC)/openswan-* && make KERNELSRC=/usr/src/$(THISAPP) CC=$(CC) module
 	cd $(DIR_SRC)/openswan-* && make KERNELSRC=/usr/src/$(THISAPP) CC=$(CC) minstall
 endif
diff --git a/lfs/openswan b/lfs/openswan
index 7904426aed..0d2401ca0a 100644
--- a/lfs/openswan
+++ b/lfs/openswan
@@ -26,7 +26,7 @@ include Config
 
-VER = 2.4.8rc1
+VER = 2.5.13
 
 THISAPP = openswan-$(VER)
 DL_FILE = $(THISAPP).tar.gz
@@ -42,7 +42,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = 873613c7e691e1fd8cedfeb6dc71a729
+$(DL_FILE)_MD5 = b83a42ea00ee24ed34413bc122cada51
 
 install : $(TARGET)
 
@@ -76,6 +76,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 		-e 's%^INC_USRLOCAL.*$$%INC_USRLOCAL=/usr%' \
 		-e 's%^USERCOMPILE.*$$%USERCOMPILE=$(CFLAGS)%' \
 		-e 's%^KLIPSCOMPILE.*$$%KLIPSCOMPILE=$(CFLAGS)%' Makefile.inc
+	cd $(DIR_APP) && sed -i -e 's/CWARNINGS = -Werror/CWARNINGS =/' \
+		lib/liblwres/Makefile
 	cd $(DIR_APP) && make programs
 	cd $(DIR_APP) && make install
 	#mv -f /etc/rc.d/init.d/ipsec /etc/rc.d/
diff --git a/make.sh b/make.sh
index d0680400af..d2332b54cd 100644
--- a/make.sh
+++ b/make.sh
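Review bot: `mkdir -p /usr/src/openswan-2.5.13/modobj26/null` hard-codes the version while the two lines after it find the tree with `$(DIR_SRC)/openswan-*`, so if the tarball name in `objects` is bumped without this line, `mkdir -p` silently creates an unrelated directory and the module build runs against a tree that lacks `modobj26/null`, failing later with a less obvious error or building without it (presumably `$(DIR_SRC)` is `/usr/src`, otherwise the two already refer to different places). The identical line recurs in the non-SMP branch in the next hunk, and the version string now appears literally in the tarball, URL, MD5, `tar`, `patch` and `mkdir` lines of this file; defining it once, e.g. `OPENSWAN_VER = 2.5.13` next to `objects`, and using `$(DIR_SRC)/openswan-$(OPENSWAN_VER)` here and in the `cd` lines of both branches would remove the mismatch. The `ifeq "$(SMP)" "1"` block starts before this hunk.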
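Review bot: The added `sed` strips `-Werror` from `lib/liblwres/Makefile` without saying which warning it works around, and `sed -i` exits 0 whether or not the pattern matched, so a later upstream rename of that line turns this into a silent no-op and the build breaks again with no pointer back here. liblwres is presumably the resolver code pluto links for DNS lookups, so the warnings being hidden may sit in code that parses untrusted network data and deserve a look rather than blanket suppression. A comment naming the warning and the toolchain it appears with would let the workaround be retired, e.g. `# liblwres does not build with -Werror under our gcc; drop the flag (see warning in build log) instead of patching the sources`, and a `grep -q 'CWARNINGS = -Werror' lib/liblwres/Makefile &&` in front of the `sed` would make the recipe fail loudly when the pattern is gone.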
@@ -385,7 +385,6 @@ buildipfire() {
   ipfiremake capi4k-utils
   ipfiremake cdrtools
   ipfiremake dnsmasq
-  ipfiremake libaal
   ipfiremake dosfstools
   ipfiremake reiserfsprogs
   ipfiremake squashfstools
diff --git a/src/patches/openswan-2.4.8rc1.kernel-2.6-klips.patch b/src/patches/openswan-2.5.13.kernel-2.6-klips.patch
similarity index 94%
rename from src/patches/openswan-2.4.8rc1.kernel-2.6-klips.patch
rename to src/patches/openswan-2.5.13.kernel-2.6-klips.patch
index 613c474633..a7cd127642 100644
--- a/src/patches/openswan-2.4.8rc1.kernel-2.6-klips.patch
+++ b/src/patches/openswan-2.5.13.kernel-2.6-klips.patch
@@ -115,83 +115,6 @@ packaging/utils/kernelpatch 2.6
 +*
 +*
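Review bot: Dropping `ipfiremake libaal` is unrelated to the IPSec/OpenSWAN subject and is not mentioned in the commit message, so a reader has no way to tell whether the package was retired or removed by accident. If anything later in `buildipfire()` still depends on it (reiser4progs, I believe, is what libaal exists for), that only surfaces as a build failure well after this line. Either add a sentence to the message or move this removal into its own commit; `buildipfire()` continues outside the hunk.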
--- /dev/null Tue Mar 11 13:02:56 2003 -+++ linux/crypto/ciphers/aes/test_main.c Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,41 @@ -+#include -+#include -+#include -+#include "aes_cbc.h" -+#define AES_BLOCK_SIZE 16 -+#define KEY_SIZE 128 /* bits */ -+#define KEY "1234567890123456" -+#define STR "hola guaso como estaisss ... 012" -+#define STRSZ (sizeof(STR)-1) -+ -+#define EMT_AESCBC_BLKLEN AES_BLOCK_SIZE -+#define AES_CONTEXT_T aes_context -+#define EMT_ESPAES_KEY_SZ 16 -+int pretty_print(const unsigned char *buf, int count) { -+ int i=0; -+ for (;i -+#include -+#include -+#include "aes.h" -+#include "aes_xcbc_mac.h" -+#define STR "Hola guasssso c|mo estais ...012" -+void print_hash(const __u8 *hash) { -+ printf("%08x %08x %08x %08x\n", -+ *(__u32*)(&hash[0]), -+ *(__u32*)(&hash[4]), -+ *(__u32*)(&hash[8]), -+ *(__u32*)(&hash[12])); -+} -+int main(int argc, char *argv[]) { -+ aes_block key= { 0xdeadbeef, 0xceedcaca, 0xcafebabe, 0xff010204 }; -+ __u8 hash[16]; -+ char *str = argv[1]; -+ aes_context_mac ctx; -+ if (str==NULL) { -+ fprintf(stderr, "pasame el str\n"); -+ return 255; -+ } -+ AES_xcbc_mac_set_key(&ctx, (__u8 *)&key, sizeof(key)); -+ AES_xcbc_mac_hash(&ctx, str, strlen(str), hash); -+ print_hash(hash); -+ str[2]='x'; -+ AES_xcbc_mac_hash(&ctx, str, strlen(str), hash); -+ print_hash(hash); -+ return 0; -+} ---- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/include/crypto/aes.h Mon Feb 9 13:51:03 2004 @@ -0,0 +1,97 @@ +// I retain copyright in this code but I encourage its free use provided @@ -428,7 +351,7 @@ packaging/utils/kernelpatch 2.6 +#endif /* _CBC_GENERIC_H */ --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/include/crypto/des.h Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,298 @@ +@@ -0,0 +1,286 @@ +/* crypto/des/des.org */ +/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com) + * All rights reserved. 
@@ -617,19 +540,7 @@ packaging/utils/kernelpatch 2.6 +int des_enc_write(int fd,char *buf,int len,des_key_schedule sched, + des_cblock *iv); +char *des_fcrypt(const char *buf,const char *salt, char *ret); -+#ifdef PERL5 -+char *des_crypt(const char *buf,const char *salt); -+#else -+/* some stupid compilers complain because I have declared char instead -+ * of const char */ -+#ifndef __KERNEL__ -+#ifdef HEADER_DES_LOCL_H -+char *crypt(const char *buf,const char *salt); -+#else /* HEADER_DES_LOCL_H */ -+char *crypt(void); -+#endif /* HEADER_DES_LOCL_H */ -+#endif /* __KERNEL__ */ -+#endif /* PERL5 */ ++ +void des_ofb_encrypt(unsigned char *in,unsigned char *out, + int numbits,long length,des_key_schedule schedule,des_cblock *ivec); +void des_pcbc_encrypt(des_cblock *input,des_cblock *output,long length, @@ -728,8 +639,74 @@ packaging/utils/kernelpatch 2.6 + +#endif 
--- /dev/null Tue Mar 11 13:02:56 2003 ++++ linux/include/crypto/ocf_assist.h Mon Feb 9 13:51:03 2004 +@@ -0,0 +1,63 @@ ++#ifndef _OCF_ASSIST_H ++#define _OCF_ASSIST_H 1 ++/****************************************************************************/ ++/* The various hw_assist functions return these bits */ ++ ++#define OCF_PROVIDES_AES 0x0001 ++#define OCF_PROVIDES_DES_3DES 0x0002 ++ ++/****************************************************************************/ ++#if !defined(OCF_ASSIST) ++/****************************************************************************/ ++/* ++ * stub it all out just in case ++ */ ++ ++#define ocf_aes_assist() (0) ++#define ocf_aes_set_key(a1,a2,a3,a4) ++#define ocf_aes_cbc_encrypt(a1,a2,a3,a4,a5,a6) ++ ++#define ocf_des_assist() (0) ++#define ocf_des_set_key(a, b) ++#define ocf_des_cbc_encrypt(a1,a2,a3,a4,a5,a6) ++#define ocf_des_encrypt(a1,a2,a3) ++#define ocf_des_ede3_cbc_encrypt(a1,a2,a3,a4,a5,a6,a7,a8) ++#define ocf_des_ncbc_encrypt(a1,a2,a3,a4,a5,a6) ++#define ocf_des_ecb_encrypt(a1,a2,a3,a4) ++ ++/****************************************************************************/ ++#else ++/****************************************************************************/ ++ ++#include ++#include "aes.h" ++#include "des.h" ++ ++extern int ocf_aes_assist(void); ++extern void ocf_aes_set_key(aes_context *cx, const unsigned char in_key[], ++ int n_bytes, const int f); ++extern int ocf_aes_cbc_encrypt(aes_context *ctx, u8 *input, ++ u8 *output, ++ long length, ++ u8 *ivec, int enc); ++ ++extern int ocf_des_assist(void); ++extern int ocf_des_set_key(des_cblock *key, des_key_schedule schedule); ++extern void ocf_des_cbc_encrypt(des_cblock *input, des_cblock *output, ++ long length, des_key_schedule schedule, ++ des_cblock *ivec, int enc); ++extern void ocf_des_encrypt(DES_LONG *data, des_key_schedule ks, int enc); ++extern void ocf_des_ede3_cbc_encrypt(des_cblock *input, des_cblock *output, ++ long length, des_key_schedule ks1, ++ 
des_key_schedule ks2, des_key_schedule ks3, ++ des_cblock *ivec, int enc); ++extern void ocf_des_ncbc_encrypt(des_cblock *input, des_cblock *output, ++ long length, des_key_schedule schedule, ++ des_cblock *ivec, int enc); ++extern void ocf_des_ecb_encrypt(des_cblock *input, des_cblock *output, ++ des_key_schedule ks, int enc); ++ ++/****************************************************************************/ ++#endif /* !defined(OCF_ASSIST) */ ++/****************************************************************************/ ++#endif /* _OCF_ASSIST_H */ +--- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/include/des/des_locl.h Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,515 @@ +@@ -0,0 +1,506 @@ +/* crypto/des/des_locl.org */ +/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com) + * All rights reserved. @@ -918,11 +895,6 @@ packaging/utils/kernelpatch 2.6 +#undef NOPROTO +#endif + -+#ifdef RAND -+#define srandom(s) srand(s) -+#define random rand -+#endif -+ +#define ITERATIONS 16 +#define HALF_ITERATIONS 8 + @@ -985,11 +957,7 @@ packaging/utils/kernelpatch 2.6 + } \ + } + -+#if defined(WIN32) -+#define ROTATE(a,n) (_lrotr(a,n)) -+#else +#define ROTATE(a,n) (((a)>>(n))+((a)<<(32-(n)))) -+#endif + +/* Don't worry about the LOAD_DATA() stuff, that is used by + * fcrypt() to add it's little bit to the front */ @@ -1838,7 +1806,7 @@ packaging/utils/kernelpatch 2.6 + --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/include/openswan.h Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,518 @@ +@@ -0,0 +1,559 @@ +#ifndef _OPENSWAN_H +/* + * header file for FreeS/WAN library functions @@ -1855,7 +1823,7 @@ packaging/utils/kernelpatch 2.6 + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public + * License for more details. + * -+ * RCSID $Id: openswan.h,v 1.93 2005/04/14 20:21:51 mcr Exp $ ++ * RCSID $Id: openswan.h,v 1.95 2005/08/25 01:24:40 paul Exp $ + */ +#define _OPENSWAN_H /* seen it, no need to see it again */ + 
@@ -1875,10 +1843,12 @@ packaging/utils/kernelpatch 2.6 + * where we get them depends on whether we're in userland or not. + */ +/* things that need to come from one place or the other, depending */ -+#ifdef __KERNEL__ ++#if defined(linux) ++#if defined(__KERNEL__) +#include +#include +#include ++#include +#include +#include +#define user_assert(foo) /*nothing*/ 
@@ -1897,28 +1867,72 @@ packaging/utils/kernelpatch 2.6 +# define uint64_t u_int64_t + + -+# define DEBUG_NO_STATIC static + -+#endif ++#endif /* __KERNEL__ */ + ++#define DEBUG_NO_STATIC static ++#include +#include ++#endif /* linux */ + ++/* ++ * Yes Virginia, we have started a windows port. ++ */ ++#if defined(__CYGWIN32__) ++#if !defined(WIN32_KERNEL) ++/* get windows equivalents */ ++#include ++#include ++#include ++#include ++#include ++#include ++#define user_assert(foo) assert(foo) ++#endif /* _KERNEL */ ++#endif /* WIN32 */ + +/* -+ * Grab the kernel version to see if we have NET_21, and therefore -+ * IPv6. Some of this is repeated from ipsec_kversions.h. Of course, -+ * we aren't really testing if the kernel has IPv6, but rather if the -+ * the include files do. ++ * Kovacs? A macosx port? + */ -+#include -+#ifndef KERNEL_VERSION -+#define KERNEL_VERSION(x,y,z) (((x)<<16)+((y)<<8)+(z)) ++#if defined(macintosh) || (defined(__MACH__) && defined(__APPLE__)) ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#define user_assert(foo) assert(foo) ++#define __u32 unsigned int ++#define __u8 unsigned char ++#define s6_addr16 __u6_addr.__u6_addr16 ++#define DEBUG_NO_STATIC static +#endif + -+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,1,0) -+#define NET_21 ++/* ++ * FreeBSD ++ */ ++#if defined(__FreeBSD__) ++# define DEBUG_NO_STATIC static ++#include ++#include ++#include ++#include ++#include ++#include ++#define user_assert(foo) assert(foo) ++/* apparently this way to deal with an IPv6 address is not standard. */ ++#define s6_addr16 __u6_addr.__u6_addr16 +#endif + ++ +#ifndef IPPROTO_COMP +# define IPPROTO_COMP 108 +#endif /* !IPPROTO_COMP */ 
@@ -1927,16 +1941,6 @@ packaging/utils/kernelpatch 2.6 +# define IPPROTO_INT 61 +#endif /* !IPPROTO_INT */ + -+#ifdef CONFIG_KLIPS_DEBUG -+#ifndef DEBUG_NO_STATIC -+# define DEBUG_NO_STATIC -+#endif -+#else /* CONFIG_KLIPS_DEBUG */ -+#ifndef DEBUG_NO_STATIC -+# define DEBUG_NO_STATIC static -+#endif -+#endif /* CONFIG_KLIPS_DEBUG */ -+ +#if !defined(ESPINUDP_WITH_NON_IKE) +#define ESPINUDP_WITH_NON_IKE 1 /* draft-ietf-ipsec-nat-t-ike-00/01 */ +#define ESPINUDP_WITH_NON_ESP 2 /* draft-ietf-ipsec-nat-t-ike-02 */ @@ -1949,13 +1953,13 @@ packaging/utils/kernelpatch 2.6 + */ + +/* first, some quick fakes in case we're on an old system with no IPv6 */ -+#ifndef s6_addr16 ++#if !defined(s6_addr16) && defined(__CYGWIN32__) +struct in6_addr { + union + { -+ __u8 u6_addr8[16]; -+ __u16 u6_addr16[8]; -+ __u32 u6_addr32[4]; ++ u_int8_t u6_addr8[16]; ++ u_int16_t u6_addr16[8]; ++ u_int32_t u6_addr32[4]; + } in6_u; +#define s6_addr in6_u.u6_addr8 +#define s6_addr16 in6_u.u6_addr16 @@ -2019,12 +2023,20 @@ packaging/utils/kernelpatch 2.6 + */ +typedef uint32_t IPsecSAref_t; + -+#define IPSEC_SA_REF_FIELD_WIDTH (8 * sizeof(IPsecSAref_t)) ++/* Translation to/from nfmark. ++ * ++ * use bits 16-31. Leave bit 32 as a indicate that IPsec processing ++ * has already been done. ++ */ ++#define IPSEC_SA_REF_TABLE_IDX_WIDTH 15 ++#define IPSEC_SA_REF_TABLE_OFFSET 16 ++#define IPSEC_SA_REF_MAASK ((1<> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_TABLE_IDX_WIDTH)) ++#define IPsecSAref2NFmark(x) (((x)&IPSEC_SA_REF_MASK) << IPSEC_SA_REF_TABLE_OFFSET) ++#define NFmark2IPsecSAref(x) (((x) >> IPSEC_SA_REF_TABLE_OFFSET)&IPSEC_SA_REF_MASK) + -+#define IPSEC_SAREF_NULL (~((IPsecSAref_t)0)) ++#define IPSEC_SAREF_NULL ((IPsecSAref_t)0) ++#define IPSEC_SAREF_NA ((IPsecSAref_t)0xffff0001) + +/* GCC magic for use in function definitions! */ +#ifdef GCC_LINT 
@@ -2040,6 +2052,11 @@ packaging/utils/kernelpatch 2.6 +#endif + + ++/* ++ * function to log stuff from libraries that may be used in multiple ++ * places. ++ */ ++typedef int (*openswan_keying_debug_func_t)(const char *message, ...); + + + @@ -2051,7 +2068,13 @@ packaging/utils/kernelpatch 2.6 +err_t ttoul(const char *src, size_t srclen, int format, unsigned long *dst); +size_t ultot(unsigned long src, int format, char *buf, size_t buflen); +#define ULTOT_BUF (22+1) /* holds 64 bits in octal */ ++ ++/* looks up names in DNS */ +err_t ttoaddr(const char *src, size_t srclen, int af, ip_address *dst); ++ ++/* does not look up names in DNS */ ++err_t ttoaddr_num(const char *src, size_t srclen, int af, ip_address *dst); ++ +err_t tnatoaddr(const char *src, size_t srclen, int af, ip_address *dst); +size_t addrtot(const ip_address *src, int format, char *buf, size_t buflen); +/* RFC 1886 old IPv6 reverse-lookup format is the bulkiest */ @@ -2073,8 +2096,8 @@ packaging/utils/kernelpatch 2.6 +#define TTODATAV_IGNORESPACE (1<<1) /* ignore spaces in base64 encodings*/ +#define TTODATAV_SPACECOUNTS 0 /* do not ignore spaces in base64 */ + -+size_t datatot(const char *src, size_t srclen, int format, char *buf, -+ size_t buflen); ++size_t datatot(const unsigned char *src, size_t srclen, int format ++ , char *buf, size_t buflen); +size_t keyblobtoid(const unsigned char *src, size_t srclen, char *dst, + size_t dstlen); +size_t splitkeytoid(const unsigned char *e, size_t elen, const unsigned char *m, @@ -2113,6 +2136,7 @@ packaging/utils/kernelpatch 2.6 +int samesaid(const ip_said *a, const ip_said *b); +int sameaddrtype(const ip_address *a, const ip_address *b); +int samesubnettype(const ip_subnet *a, const ip_subnet *b); ++int isvalidsubnet(const ip_subnet *a); +int isanyaddr(const ip_address *src); +int isunspecaddr(const ip_address *src); +int isloopbackaddr(const ip_address *src); 
@@ -2226,7 +2250,7 @@ packaging/utils/kernelpatch 2.6 +); +size_t /* 0 failure, else true size */ +bytestoa( -+ const char *src, ++ const unsigned char *src, + size_t srclen, + int format, /* character; 0 means default */ + char *dst, @@ -2243,7 +2267,7 @@ packaging/utils/kernelpatch 2.6 +); +size_t /* 0 failure, else true size */ +datatoa( -+ const char *src, ++ const unsigned char *src, + size_t srclen, + int format, /* character; 0 means default */ + char *dst, @@ -2284,21 +2308,6 @@ packaging/utils/kernelpatch 2.6 + + +/* -+ * general utilities -+ */ -+ -+#ifndef __KERNEL__ -+/* option pickup from files (userland only because of use of FILE) */ -+const char *optionsfrom(const char *filename, int *argcp, char ***argvp, -+ int optind, FILE *errorreport); -+ -+/* sanitize a string */ -+extern size_t sanitize_string(char *buf, size_t size); -+ -+#endif -+ -+ -+/* + * ENUM of klips debugging values. Not currently used in klips. + * debug flag is actually 32 -bits, but only one bit is ever used, + * so we can actually pack it all into a single 32-bit word. @@ -2423,7 +2432,7 @@ packaging/utils/kernelpatch 2.6 +#endif /* _IPCOMP_H */ --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/include/openswan/ipsec_ah.h Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,200 @@ +@@ -0,0 +1,202 @@ +/* + * Authentication Header declarations + * Copyright (C) 1996, 1997 John Ioannidis. @@ -2453,7 +2462,9 @@ packaging/utils/kernelpatch 2.6 + +#ifdef __KERNEL__ + ++#ifndef CONFIG_XFRM_ALTERNATE_STACK +extern struct inet_protocol ah_protocol; ++#endif /* CONFIG_XFRM_ALTERNATE_STACK */ + +struct options; + @@ -2666,7 +2677,7 @@ packaging/utils/kernelpatch 2.6 +#include +#include +#include -+#include ++#include + +/* + * The following structs are used via pointers in ipsec_alg object to @@ -3318,7 +3329,7 @@ packaging/utils/kernelpatch 2.6 + */ 
--- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/include/openswan/ipsec_esp.h Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,157 @@ +@@ -0,0 +1,159 @@ +/* + * Copyright (C) 1996, 1997 John Ioannidis. + * Copyright (C) 1998, 1999, 2000, 2001 Richard Guy Briggs. @@ -3373,7 +3384,9 @@ packaging/utils/kernelpatch 2.6 + des_key_schedule ks; +}; + ++#ifndef CONFIG_XFRM_ALTERNATE_STACK +extern struct inet_protocol esp_protocol; ++#endif /* CONFIG_XFRM_ALTERNATE_STACK */ + +struct options; + @@ -3478,7 +3491,7 @@ packaging/utils/kernelpatch 2.6 + */ --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/include/openswan/ipsec_ipcomp.h Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,94 @@ +@@ -0,0 +1,97 @@ +/* + * IP compression header declations + * @@ -3521,7 +3534,10 @@ packaging/utils/kernelpatch 2.6 + __u16 ipcomp_cpi; /* Compression Parameter Index */ +}; + ++#ifndef CONFIG_XFRM_ALTERNATE_STACK +extern struct inet_protocol comp_protocol; ++#endif /* CONFIG_XFRM_ALTERNATE_STACK */ ++ +extern int sysctl_ipsec_debug_ipcomp; + +#define IPCOMP_UNCOMPRESSABLE 0x000000001 @@ -3694,7 +3710,7 @@ packaging/utils/kernelpatch 2.6 + */ --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/include/openswan/ipsec_kern24.h Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,61 @@ +@@ -0,0 +1,152 @@ +/* + * @(#) routines to makes kernel 2.4 compatible with 2.6 usage. + * 
@@ -3710,204 +3726,11 @@ packaging/utils/kernelpatch 2.6 + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * -+ * RCSID $Id: ipsec_kern24.h,v 1.4 2005/05/20 03:19:18 mcr Exp $ ++ * RCSID $Id: ipsec_kern24.h,v 1.5 2005/08/05 08:48:38 mcr Exp $ + */ + +#ifndef _IPSEC_KERN24_H + -+#ifndef NET_26 -+#define sk_receive_queue receive_queue -+#define sk_destruct destruct -+#define sk_reuse reuse -+#define sk_zapped zapped -+#define sk_family family -+#define sk_protocol protocol -+#define sk_protinfo protinfo -+#define sk_sleep sleep -+#define sk_state_change state_change -+#define sk_shutdown shutdown -+#define sk_err err -+#define sk_stamp stamp -+#define sk_socket socket -+#define sk_sndbuf sndbuf -+#define sock_flag(sk, flag) sk->dead -+#define sk_for_each(sk, node, plist) for(sk=*plist; sk!=NULL; sk = sk->next) -+#endif -+ -+/* deal with 2.4 vs 2.6 issues with module counts */ -+ -+/* in 2.6, all refcounts are maintained *outside* of the -+ * module to deal with race conditions. -+ */ -+ -+#ifdef NET_26 -+#define KLIPS_INC_USE /* nothing */ -+#define KLIPS_DEC_USE /* nothing */ -+ -+#else -+#define KLIPS_INC_USE MOD_INC_USE_COUNT -+#define KLIPS_DEC_USE MOD_DEC_USE_COUNT -+#endif -+ -+extern int printk_ratelimit(void); -+ -+ -+#define _IPSEC_KERN24_H 1 -+ -+#endif /* _IPSEC_KERN24_H */ -+ ---- /dev/null Tue Mar 11 13:02:56 2003 -+++ linux/include/openswan/ipsec_kversion.h Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,352 @@ -+#ifndef _OPENSWAN_KVERSIONS_H -+/* -+ * header file for FreeS/WAN library functions -+ * Copyright (C) 1998, 1999, 2000 Henry Spencer. -+ * Copyright (C) 1999, 2000, 2001 Richard Guy Briggs -+ * -+ * This library is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU Library General Public License as published by -+ * the Free Software Foundation; either version 2 of the License, or (at your -+ * option) any later version. See . 
-+ * -+ * This library is distributed in the hope that it will be useful, but -+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public -+ * License for more details. -+ * -+ * RCSID $Id: ipsec_kversion.h,v 1.15.2.11 2007/02/20 03:53:16 paul Exp $ -+ */ -+#define _OPENSWAN_KVERSIONS_H /* seen it, no need to see it again */ -+ -+/* -+ * this file contains a series of atomic defines that depend upon -+ * kernel version numbers. The kernel versions are arranged -+ * in version-order number (which is often not chronological) -+ * and each clause enables or disables a feature. -+ */ -+ -+/* -+ * First, assorted kernel-version-dependent trickery. -+ */ -+#include -+#ifndef KERNEL_VERSION -+#define KERNEL_VERSION(x,y,z) (((x)<<16)+((y)<<8)+(z)) -+#endif -+ -+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,1,0) -+#define HEADER_CACHE_BIND_21 -+#error "KLIPS is no longer supported on Linux 2.0. Sorry" -+#endif -+ -+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,1,0) -+#define SPINLOCK -+#define PROC_FS_21 -+#define NETLINK_SOCK -+#define NET_21 -+#endif -+ -+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,1,19) -+#define net_device_stats enet_statistics -+#endif -+ -+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,0) -+#define SPINLOCK_23 -+#define NETDEV_23 -+# ifndef CONFIG_IP_ALIAS -+# define CONFIG_IP_ALIAS -+# endif -+#include -+#include -+#include -+# ifdef NETLINK_XFRM -+# define NETDEV_25 -+# endif -+#endif -+ -+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,25) -+#define PROC_FS_2325 -+#undef PROC_FS_21 -+#endif -+ -+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,30) -+#define PROC_NO_DUMMY -+#endif -+ -+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,35) -+#define SKB_COPY_EXPAND -+#endif -+ -+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,37) -+#define IP_SELECT_IDENT -+#endif -+ -+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,50)) && defined(CONFIG_NETFILTER) -+#define SKB_RESET_NFCT -+#endif 
-+ -+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,2) -+#define IP_SELECT_IDENT_NEW -+#endif -+ -+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,4) -+#define IPH_is_SKB_PULLED -+#define SKB_COW_NEW -+#define PROTO_HANDLER_SINGLE_PARM -+#define IP_FRAGMENT_LINEARIZE 1 -+#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,4) */ -+# ifdef REDHAT_BOGOSITY -+# define IP_SELECT_IDENT_NEW -+# define IPH_is_SKB_PULLED -+# define SKB_COW_NEW -+# define PROTO_HANDLER_SINGLE_PARM -+# endif /* REDHAT_BOGOSITY */ -+#endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,4) */ -+ -+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,9) -+#define MALLOC_SLAB -+#define LINUX_KERNEL_HAS_SNPRINTF -+#endif -+ -+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) -+#define HAVE_NETDEV_PRINTK 1 -+#define NET_26 -+#endif -+ -+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,8) -+#define NEED_INET_PROTOCOL -+#endif -+ -+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,12) -+#define HAVE_SOCK_ZAPPED -+#define NET_26_12_SKALLOC -+#endif -+ -+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,13) -+#define HAVE_SOCK_SECURITY -+/* skb->nf_debug disappared completely in 2.6.13 */ -+#define HAVE_SKB_NF_DEBUG -+#endif -+ -+#define SYSCTL_IPSEC_DEFAULT_TTL sysctl_ip_default_ttl -+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,14) -+/* skb->stamp changed to skb->tstamp in 2.6.14 */ -+#define HAVE_TSTAMP -+#define HAVE_INET_SK_SPORT -+#undef SYSCTL_IPSEC_DEFAULT_TTL -+#define SYSCTL_IPSEC_DEFAULT_TTL IPSEC_DEFAULT_TTL -+#else -+#define HAVE_SKB_LIST -+#endif -+ -+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,18) -+#define HAVE_NEW_SKB_LINEARIZE -+#endif -+ -+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,20) -+/* skb->nfmark changed to skb->mark in 2.6.20 */ -+#define nfmark mark -+#endif -+ +#ifdef NET_21 +# include +#else 
@@ -3999,6 +3822,207 @@ packaging/utils/kernelpatch 2.6 + printk(sevlevel "%s: " format , netdev->name , ## arg) +#endif + ++#ifndef NET_26 ++#define sk_receive_queue receive_queue ++#define sk_destruct destruct ++#define sk_reuse reuse ++#define sk_zapped zapped ++#define sk_family family ++#define sk_protocol protocol ++#define sk_protinfo protinfo ++#define sk_sleep sleep ++#define sk_state_change state_change ++#define sk_shutdown shutdown ++#define sk_err err ++#define sk_stamp stamp ++#define sk_socket socket ++#define sk_sndbuf sndbuf ++#define sock_flag(sk, flag) sk->dead ++#define sk_for_each(sk, node, plist) for(sk=*plist; sk!=NULL; sk = sk->next) ++#endif ++ ++/* deal with 2.4 vs 2.6 issues with module counts */ ++ ++/* in 2.6, all refcounts are maintained *outside* of the ++ * module to deal with race conditions. ++ */ ++ ++#ifdef NET_26 ++#define KLIPS_INC_USE /* nothing */ ++#define KLIPS_DEC_USE /* nothing */ ++ ++#else ++#define KLIPS_INC_USE MOD_INC_USE_COUNT ++#define KLIPS_DEC_USE MOD_DEC_USE_COUNT ++#endif ++ ++extern int printk_ratelimit(void); ++ ++ ++#define _IPSEC_KERN24_H 1 ++ ++#endif /* _IPSEC_KERN24_H */ ++ +--- /dev/null Tue Mar 11 13:02:56 2003 ++++ linux/include/openswan/ipsec_kversion.h Mon Feb 9 13:51:03 2004 +@@ -0,0 +1,260 @@ ++#ifndef _OPENSWAN_KVERSIONS_H ++/* ++ * header file for FreeS/WAN library functions ++ * Copyright (C) 1998, 1999, 2000 Henry Spencer. ++ * Copyright (C) 1999, 2000, 2001 Richard Guy Briggs ++ * ++ * This library is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU Library General Public License as published by ++ * the Free Software Foundation; either version 2 of the License, or (at your ++ * option) any later version. See . ++ * ++ * This library is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ++ * or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU Library General Public ++ * License for more details. ++ * ++ * RCSID $Id: ipsec_kversion.h,v 1.23 2005/11/13 15:24:07 ken Exp $ ++ */ ++#define _OPENSWAN_KVERSIONS_H /* seen it, no need to see it again */ ++ ++/* ++ * this file contains a series of atomic defines that depend upon ++ * kernel version numbers. The kernel versions are arranged ++ * in version-order number (which is often not chronological) ++ * and each clause enables or disables a feature. ++ */ ++ ++/* ++ * First, assorted kernel-version-dependent trickery. ++ */ ++#include ++#ifndef KERNEL_VERSION ++#define KERNEL_VERSION(x,y,z) (((x)<<16)+((y)<<8)+(z)) ++#endif ++ ++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,1,0) ++#define HEADER_CACHE_BIND_21 ++#error "KLIPS is no longer supported on Linux 2.0. Sorry" ++#endif ++ ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,1,0) ++#define SPINLOCK ++#define PROC_FS_21 ++#define NETLINK_SOCK ++#define NET_21 ++#endif ++ ++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,1,19) ++#define net_device_stats enet_statistics ++#endif ++ ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,0) ++#define SPINLOCK_23 ++#define NETDEV_23 ++# ifndef CONFIG_IP_ALIAS ++# define CONFIG_IP_ALIAS ++# endif ++#endif ++ ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,25) ++#define PROC_FS_2325 ++#undef PROC_FS_21 ++#endif ++ ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,30) ++#define PROC_NO_DUMMY ++#endif ++ ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,35) ++#define SKB_COPY_EXPAND ++#endif ++ ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,37) ++#define IP_SELECT_IDENT ++#endif ++ ++#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,50)) && defined(CONFIG_NETFILTER) ++#define SKB_RESET_NFCT ++#endif ++ ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,2) ++#define IP_SELECT_IDENT_NEW ++#endif ++ ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,4) ++#define IPH_is_SKB_PULLED ++#define SKB_COW_NEW ++#define PROTO_HANDLER_SINGLE_PARM ++#define IP_FRAGMENT_LINEARIZE 1 ++#else /* 
LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,4) */ ++# ifdef REDHAT_BOGOSITY ++# define IP_SELECT_IDENT_NEW ++# define IPH_is_SKB_PULLED ++# define SKB_COW_NEW ++# define PROTO_HANDLER_SINGLE_PARM ++# endif /* REDHAT_BOGOSITY */ ++#endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,4) */ ++ ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,9) ++#define MALLOC_SLAB ++#define LINUX_KERNEL_HAS_SNPRINTF ++#endif ++ ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) ++#define HAVE_NETDEV_PRINTK 1 ++#define NET_26 ++#define NETDEV_25 ++#endif ++ ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,8) ++#define NEED_INET_PROTOCOL ++#endif ++ ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,12) ++#define HAVE_SOCK_ZAPPED ++#define NET_26_12_SKALLOC ++#endif ++ ++/* see */ ++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,13) ++#define HAVE_SOCK_SECURITY ++/* skb->nf_debug disappared completely in 2.6.13 */ ++#define HAVE_SKB_NF_DEBUG ++#endif ++ ++/* skb->stamp changed to skb->tstamp in 2.6.14 */ ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,14) ++#define HAVE_TSTAMP ++#define HAVE_INET_SK_SPORT ++#else ++#define HAVE_SKB_LIST ++#endif ++ ++#define SYSCTL_IPSEC_DEFAULT_TTL sysctl_ip_default_ttl ++/* it seems 2.6.14 accidentally removed sysctl_ip_default_ttl */ ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,14) ++#undef SYSCTL_IPSEC_DEFAULT_TTL ++#define SYSCTL_IPSEC_DEFAULT_TTL IPSEC_DEFAULT_TTL ++#endif ++ ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,18) ++#define HAVE_NEW_SKB_LINEARIZE ++#endif ++ ++/* this is the best we can do to detect XEN, which makes ++ * patches to linux/skbuff.h, making it look like 2.6.18 version ++ */ ++#ifdef CONFIG_XEN ++#define HAVE_NEW_SKB_LINEARIZE ++#endif ++ ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,20) ++/* skb->nfmark changed to skb->mark in 2.6.20 */ ++#define nfmark mark ++#endif ++ ++#if __KERNEL__ +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,0) +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,0) +#include "openswan/ipsec_kern24.h" 
@@ -4006,37 +4030,31 @@ packaging/utils/kernelpatch 2.6 +#error "kernels before 2.4 are not supported at this time" +#endif +#endif -+ ++#endif + +#endif /* _OPENSWAN_KVERSIONS_H */ + +/* + * $Log: ipsec_kversion.h,v $ -+ * Revision 1.15.2.11 2007/02/20 03:53:16 paul -+ * Added comment, made layout consistent with other checks. -+ * -+ * Revision 1.15.2.10 2007/02/16 19:08:12 paul -+ * Fix for compiling on 2.6.20 (nfmark is now called mark in sk_buff) ++ * Revision 1.23 2005/11/13 15:24:07 ken ++ * sysctl_ip_default_ttl is missing in 2.6.14.2, and might be for awhile + * -+ * Revision 1.15.2.9 2006/07/29 05:00:40 paul -+ * Added HAVE_NEW_SKB_LINEARIZE for 2.6.18+ kernels where skb_linearize -+ * only takes 1 argument. ++ * Revision 1.22 2005/11/11 05:01:28 paul ++ * Added HAVE_SKB_LIST for 2.6.14 that no longer has skb->list + * -+ * Revision 1.15.2.8 2006/05/01 14:31:52 mcr -+ * FREESWAN->OPENSWAN in #ifdef. ++ * Revision 1.21 2005/11/11 04:42:02 paul ++ * Added define for HAVE_INET_SK_SPORT for 2.6.14 and up + * -+ * Revision 1.15.2.7 2006/01/11 02:02:59 mcr -+ * updated patches and DEFAULT_TTL code to work ++ * Revision 1.20 2005/11/11 03:58:34 paul ++ * Added a define for 2.6.14 that is not exporting sysctl_ip_default_ttl ++ * by accident. + * -+ * Revision 1.15.2.6 2006/01/03 19:25:02 ken -+ * Remove duplicated #ifdef for TTL fix - bad patch ++ * Revision 1.19 2005/11/11 03:16:22 paul ++ * Added HAVE_TSTAMP define for 2.6.14 kernels ++ * (skb->stamp changed to skb->tstamp) + * -+ * Revision 1.15.2.5 2006/01/03 18:06:33 ken -+ * Fix for missing sysctl default ttl -+ * -+ * Revision 1.15.2.4 2005/11/27 21:40:14 paul -+ * Pull down TTL fixes from head. this fixes "Unknown symbol sysctl_ip_default_ttl" -+ * in for klips as module. ++ * Revision 1.18 2005/08/31 23:26:11 mcr ++ * fixes for 2.6.13 + * + * Revision 1.15.2.3 2005/11/22 04:11:52 ken + * Backport fixes for 2.6.14 kernels from HEAD 
@@ -4044,16 +4062,13 @@ packaging/utils/kernelpatch 2.6 + * Revision 1.15.2.2 2005/09/01 01:57:19 paul + * michael's fixes for 2.6.13 from head + * -+ * Revision 1.15.2.1 2005/08/27 23:13:48 paul -+ * Fix for: -+ * 7 weeks ago: [NET]: Remove unused security member in sk_buff -+ * changeset 4280: 328ea53f5fee -+ * parent 4279: beb0afb0e3f8 -+ * author: Thomas Graf -+ * date: Tue Jul 5 21:12:44 2005 -+ * files: include/linux/skbuff.h include/linux/tc_ematch/tc_em_meta.h net/core/skbuff.c net/ipv4/ip_output.c net/ipv6/ip6_output.c net/sched/em_meta.c ++ * Revision 1.17 2005/08/27 23:07:21 paul ++ * Somewhere between 2.6.12 and 2.6.13rc7 the unused security memnber in sk_buff ++ * has been removed. This patch should fix compilation for both cases. + * -+ * This should fix compilation on 2.6.13(rc) kernels ++ * Revision 1.16 2005/08/05 08:48:38 mcr ++ * many compat definitions moved to kern24.h because ++ * ipsec_kversion.h may be needed by openswan.h. + * + * Revision 1.15 2005/07/19 20:02:15 mcr + * sk_alloc() interface change. @@ -4374,7 +4389,7 @@ packaging/utils/kernelpatch 2.6 + */ --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/include/openswan/ipsec_param.h Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,387 @@ +@@ -0,0 +1,389 @@ +/* + * @(#) Openswan tunable paramaters + * @@ -4392,7 +4407,7 @@ packaging/utils/kernelpatch 2.6 + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * -+ * RCSID $Id: ipsec_param.h,v 1.29.6.3 2006/05/01 14:32:31 mcr Exp $ ++ * RCSID $Id: ipsec_param.h,v 1.31 2005/08/12 15:01:38 mcr Exp $ + * + */ + 
@@ -4407,13 +4422,23 @@ packaging/utils/kernelpatch 2.6 +#ifndef _IPSEC_PARAM_H_ + +#ifdef __KERNEL__ -+#include "ipsec_kversion.h" ++ ++#include "openswan/ipsec_kversion.h" + +/* Set number of ipsecX virtual devices here. */ +/* This must be < exp(field width of IPSEC_DEV_FORMAT) */ +/* It must also be reasonable so as not to overload the memory and CPU */ +/* constraints of the host. */ -+#define IPSEC_NUM_IF 4 ++#ifdef CONFIG_KLIPS_IF_MAX ++#define IPSEC_NUM_IFMAX CONFIG_KLIPS_IF_MAX ++#endif ++#ifndef IPSEC_NUM_IFMAX ++#define IPSEC_NUM_IFMAX 64 ++#endif ++ ++/* default number of ipsecX devices to create */ ++#define IPSEC_NUM_IF 2 ++ +/* The field width must be < IF_NAM_SIZ - strlen("ipsec") - 1. */ +/* With "ipsec" being 5 characters, that means 10 is the max field width */ +/* but machine memory and CPU constraints are not likely to tollerate */ @@ -4422,6 +4447,8 @@ packaging/utils/kernelpatch 2.6 +/* for now, no "0"-padding should be used (which would have been helpful */ +/* to make text-searches work */ +#define IPSEC_DEV_FORMAT "ipsec%d" ++#define MAST_DEV_FORMAT "mast%d" ++ +/* For, say, 500 virtual ipsec devices, I would recommend: */ +/* #define IPSEC_NUM_IF 500 */ +/* #define IPSEC_DEV_FORMAT "ipsec%03d" */ @@ -4438,6 +4465,7 @@ packaging/utils/kernelpatch 2.6 +#else /* CONFIG_KLIPS_BIGGATE */ +# define SADB_HASHMOD 257 +#endif /* CONFIG_KLIPS_BIGGATE */ ++ +#endif /* __KERNEL__ */ + +/* 
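Review bot: Nothing ties the new `IPSEC_NUM_IF` default to the new `IPSEC_NUM_IFMAX` cap: `CONFIG_KLIPS_IF_MAX` is taken as-is, so a config value of 1 leaves the default device count (2) above the maximum with no diagnostic. A compile-time guard after the two definitions would catch that: `#if IPSEC_NUM_IF > IPSEC_NUM_IFMAX`, `# error "IPSEC_NUM_IF exceeds IPSEC_NUM_IFMAX"`, `#endif`. The comment block above ("Set number of ipsecX virtual devices here ... must be < exp(field width ...)") still describes the single old constant and should now say which of the two it applies to, and the retained example in the next hunk (`/* #define IPSEC_NUM_IF 500 */`) contradicts the 64 cap unless `CONFIG_KLIPS_IF_MAX` is raised too.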
@@ -4445,14 +4473,10 @@ packaging/utils/kernelpatch 2.6 + * maximum number of SAs that KLIPS can concurrently deal with, plus enough + * space for keeping expired SAs around. + * -+ * TABLE_MAX_WIDTH is the number of bits that we will use. ++ * TABLE_IDX_WIDTH is the number of bits that we will use. + * MAIN_TABLE_WIDTH is the number of bits used for the primary index table. + * + */ -+#ifndef IPSEC_SA_REF_TABLE_IDX_WIDTH -+# define IPSEC_SA_REF_TABLE_IDX_WIDTH 16 -+#endif -+ +#ifndef IPSEC_SA_REF_MAINTABLE_IDX_WIDTH +# define IPSEC_SA_REF_MAINTABLE_IDX_WIDTH 4 +#endif @@ -4536,14 +4560,12 @@ packaging/utils/kernelpatch 2.6 +#ifndef KLIPS_PFKEY_ACQUIRE_LOSSAGE +# ifdef CONFIG_KLIPS_PFKEY_ACQUIRE_LOSSAGE +# define KLIPS_PFKEY_ACQUIRE_LOSSAGE 100 ++# else /* CONFIG_KLIPS_PFKEY_ACQUIRE_LOSSAGE */ ++/* not by default! */ ++# define KLIPS_PFKEY_ACQUIRE_LOSSAGE 0 +# endif /* CONFIG_KLIPS_PFKEY_ACQUIRE_LOSSAGE */ -+#else -+#define KLIPS_PFKEY_ACQUIRE_LOSSAGE 0 +#endif /* KLIPS_PFKEY_ACQUIRE_LOSSAGE */ + -+#else /* CONFIG_KLIPS_REGRESS */ -+#define KLIPS_PFKEY_ACQUIRE_LOSSAGE 0 -+ +#endif /* CONFIG_KLIPS_REGRESS */ + + @@ -4552,8 +4574,6 @@ packaging/utils/kernelpatch 2.6 + */ +#define KLIPS_ERROR(flag, format, args...) if(printk_ratelimit() || flag) printk(KERN_ERR "KLIPS " format, ## args) +#ifdef CONFIG_KLIPS_DEBUG -+extern void ipsec_print_ip(struct iphdr *ip); -+ + #define KLIPS_PRINT(flag, format, args...) \ + ((flag) ? printk(KERN_INFO format , ## args) : 0) + #define KLIPS_PRINTMORE(flag, format, args...) \ 
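Review bot: The `#ifndef IPSEC_SA_REF_TABLE_IDX_WIDTH` default (16) is dropped from ipsec_param.h, but the macro is still used by the mask definitions in ipsec_sa.h at `@@ -5681,9 +5692,11 @@` (`IPSEC_SA_REF_MASK`), and nothing in this chunk defines it. Presumably the 2.5.13 tree now defines it in a header that is outside this view; if not, the mask expressions fail to preprocess. The reworded comment (`TABLE_IDX_WIDTH is the number of bits that we will use`) would be clearer if it named the full macro `IPSEC_SA_REF_TABLE_IDX_WIDTH` and where it is now defined.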
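Review bot: Removing the `#else /* CONFIG_KLIPS_REGRESS */` / `#define KLIPS_PFKEY_ACQUIRE_LOSSAGE 0` branch leaves `KLIPS_PFKEY_ACQUIRE_LOSSAGE` undefined in every build without `CONFIG_KLIPS_REGRESS`, whereas before it was 0; a `#if` use would silently read as 0, but any use in C code no longer compiles. The `#ifdef CONFIG_KLIPS_REGRESS` that encloses this block starts outside the hunk. Either restore the two removed lines before the closing `#endif /* CONFIG_KLIPS_REGRESS */`, or move the whole `#ifndef KLIPS_PFKEY_ACQUIRE_LOSSAGE` block outside the regress conditional so the default applies everywhere.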
@@ -4631,15 +4651,12 @@ packaging/utils/kernelpatch 2.6 + +/* + * $Log: ipsec_param.h,v $ -+ * Revision 1.29.6.3 2006/05/01 14:32:31 mcr -+ * added KLIPS_ERROR and make sure that things work without CONFIG_KLIPS_REGRESS. ++ * Revision 1.31 2005/08/12 15:01:38 mcr ++ * attempt to #undef CONFIG_IPSEC_NAT_TRAVERSAL if it is =0. + * -+ * Revision 1.29.6.2 2005/11/27 21:40:14 paul -+ * Pull down TTL fixes from head. this fixes "Unknown symbol sysctl_ip_default_ttl" -+ * in for klips as module. -+ * -+ * Revision 1.29.6.1 2005/08/12 16:24:18 ken -+ * Pull in NAT-T compile logic from HEAD ++ * Revision 1.30 2005/08/05 08:50:45 mcr ++ * move #include of skbuff.h to a place where ++ * we know it will be kernel only code. + * + * Revision 1.29 2005/01/26 00:50:35 mcr + * adjustment of confusion of CONFIG_IPSEC_NAT vs CONFIG_KLIPS_NAT, @@ -4780,7 +4797,7 @@ packaging/utils/kernelpatch 2.6 + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public + * License for more details. + * -+ * RCSID $Id: ipsec_policy.h,v 1.7.6.1 2005/07/26 01:53:07 ken Exp $ ++ * RCSID $Id: ipsec_policy.h,v 1.8 2005/07/26 01:12:38 mcr Exp $ + */ +#define _IPSEC_POLICY_H /* seen it, no need to see it again */ + @@ -4984,7 +5001,7 @@ packaging/utils/kernelpatch 2.6 +#endif /* _IPSEC_POLICY_H */ --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/include/openswan/ipsec_proto.h Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,199 @@ +@@ -0,0 +1,195 @@ +/* + * @(#) prototypes for FreeSWAN functions + * @@ -5038,13 +5055,9 @@ packaging/utils/kernelpatch 2.6 + + +extern struct ipsec_sa *ipsec_sa_getbyid(ip_said *); -+extern int ipsec_sa_put(struct ipsec_sa *); -+extern /* void */ int ipsec_sa_del(struct ipsec_sa *); -+extern /* void */ int ipsec_sa_delchain(struct ipsec_sa *); +extern /* void */ int ipsec_sa_add(struct ipsec_sa *); + +extern int ipsec_sa_init(struct ipsec_sa *ipsp); -+extern int ipsec_sa_wipe(struct ipsec_sa *ipsp); + +/* debug declarations */ + 
@@ -5368,7 +5381,7 @@ packaging/utils/kernelpatch 2.6 + */ --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/include/openswan/ipsec_rcv.h Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,199 @@ +@@ -0,0 +1,197 @@ +/* + * + * Copyright (C) 1996, 1997 John Ioannidis. @@ -5384,7 +5397,7 @@ packaging/utils/kernelpatch 2.6 + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * -+ * RCSID $Id: ipsec_rcv.h,v 1.28.2.2 2006/10/06 21:39:26 paul Exp $ ++ * RCSID $Id: ipsec_rcv.h,v 1.28.2.1 2006/07/10 15:52:20 paul Exp $ + */ + +#ifndef IPSEC_RCV_H @@ -5409,8 +5422,8 @@ packaging/utils/kernelpatch 2.6 + +#define __NO_VERSION__ +#ifndef AUTOCONF_INCLUDED -+#include /* for CONFIG_IP_FORWARD */ -+#endif ++#include ++#endif /* for CONFIG_IP_FORWARD */ +#ifdef CONFIG_MODULES +#include +#endif @@ -5510,16 +5523,14 @@ packaging/utils/kernelpatch 2.6 + +extern int klips26_rcv_encap(struct sk_buff *skb, __u16 encap_type); + ++// manage ipsec rcv state objects ++extern int ipsec_rcv_state_cache_init (void); ++extern void ipsec_rcv_state_cache_cleanup (void); + +#endif /* IPSEC_RCV_H */ + +/* + * $Log: ipsec_rcv.h,v $ -+ * Revision 1.28.2.2 2006/10/06 21:39:26 paul -+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not -+ * set. This is defined through autoconf.h which is included through the -+ * linux kernel build macros. -+ * + * Revision 1.28.2.1 2006/07/10 15:52:20 paul + * Fix for bug #642 by Bart Trojanowski + * @@ -5570,7 +5581,7 @@ packaging/utils/kernelpatch 2.6 + --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/include/openswan/ipsec_sa.h Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,355 @@ +@@ -0,0 +1,279 @@ +/* + * @(#) Definitions of IPsec Security Association (ipsec_sa) + * @@ -5616,7 +5627,7 @@ packaging/utils/kernelpatch 2.6 +#endif /* __KERNEL__ */ +#include "openswan/ipsec_param.h" + -+#include "pfkeyv2.h" ++#include "openswan/pfkeyv2.h" + + +/* SAs are held in a table. 
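Review bot: The trailing comment now sits on the `#endif` as `#endif /* for CONFIG_IP_FORWARD */`, where by the file's own convention the comment names the condition being closed; here that is `#endif /* AUTOCONF_INCLUDED */`. The explanation of why the header is pulled in belongs on the `#include` line itself (the include's target is not legible in this rendering, so I cannot confirm it is still the right header for the 2.6.18+ case). The removal of the `Revision 1.28.2.2` log entry in the next hunk also drops the only text explaining why the `AUTOCONF_INCLUDED` guard exists, while the guard itself is kept.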
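Review bot: The new declarations use `//` comments and a space before the parameter list (`ipsec_rcv_state_cache_init (void)`), which does not match the `/* */` and `name(void)` style used everywhere else in this header; `/* manage ipsec rcv state objects */` and `extern int ipsec_rcv_state_cache_init(void);` would fit. The same applies to the `ipsec_xmit_state_cache_init`/`ipsec_xmit_state_cache_cleanup` block added to ipsec_tunnel.h at `@@ -6220,6 +6142,9 @@`, which is additionally inserted directly above the `$Log` comment without a separating blank line. A one-line comment on the pair stating that `_init` must succeed before any receive path runs and that `_cleanup` is only safe after no state objects remain would document the contract these names imply.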
@@ -5681,9 +5692,11 @@ packaging/utils/kernelpatch 2.6 +#define IPSEC_SA_REF_HOST_FIELD_WIDTH (8 * sizeof(IPSEC_SA_REF_HOST_FIELD_TYPE)) +#define IPSEC_SA_REF_FIELD_WIDTH (8 * sizeof(IPsecSAref_t)) + -+#define IPSEC_SA_REF_MASK (IPSEC_SAREF_NULL >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_TABLE_IDX_WIDTH)) -+#define IPSEC_SA_REF_TABLE_MASK ((IPSEC_SAREF_NULL >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_MAINTABLE_IDX_WIDTH)) << IPSEC_SA_REF_SUBTABLE_IDX_WIDTH) -+#define IPSEC_SA_REF_ENTRY_MASK (IPSEC_SAREF_NULL >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_SUBTABLE_IDX_WIDTH)) ++#define IPSEC_SA_REF_MAX (~IPSEC_SAREF_NULL) ++#define IPSEC_SAREF_FIRST 1 ++#define IPSEC_SA_REF_MASK (IPSEC_SA_REF_MAX >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_TABLE_IDX_WIDTH)) ++#define IPSEC_SA_REF_TABLE_MASK ((IPSEC_SA_REF_MAX >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_MAINTABLE_IDX_WIDTH)) << IPSEC_SA_REF_SUBTABLE_IDX_WIDTH) ++#define IPSEC_SA_REF_ENTRY_MASK (IPSEC_SA_REF_MAX >> (IPSEC_SA_REF_FIELD_WIDTH - IPSEC_SA_REF_SUBTABLE_IDX_WIDTH)) + +#define IPsecSAref2table(x) (((x) & IPSEC_SA_REF_TABLE_MASK) >> IPSEC_SA_REF_SUBTABLE_IDX_WIDTH) +#define IPsecSAref2entry(x) ((x) & IPSEC_SA_REF_ENTRY_MASK) 
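Review bot: `IPSEC_SA_REF_MAX` is built as `(~IPSEC_SAREF_NULL)` and then right-shifted in all three masks, so its correctness depends on the type of `IPSEC_SAREF_NULL`, which is not visible here: if it is a plain integer constant such as `0`, `~0` is a negative `int` and `>>` on it is implementation-defined, and the masks no longer match the all-ones value the old `IPSEC_SAREF_NULL >> ...` form relied on. Pinning the type in the macro, `#define IPSEC_SA_REF_MAX ((IPsecSAref_t)~IPSEC_SAREF_NULL)`, makes the shifts well-defined regardless of how the null value is spelled. The new `IPSEC_SAREF_FIRST 1` also deserves a comment stating that 0 is reserved as the null ref, since that is what makes the two constants consistent.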
@@ -5697,14 +5710,25 @@ packaging/utils/kernelpatch 2.6 +/* 'struct ipsec_sa' should be 64bit aligned when allocated. */ +struct ipsec_sa +{ -+ IPsecSAref_t ips_ref; /* reference table entry number */ -+ atomic_t ips_refcount; /* reference count for this struct */ ++ atomic_t ips_refcount; /* reference count for this struct */ ++ int ips_marked_deleted; /* used with reference counting */ ++ IPsecSAref_t ips_ref; /* reference table entry number */ ++ IPsecSAref_t ips_refhim; /* ref of paired SA, if any */ ++ struct ipsec_sa *ips_next; /* pointer to next xform */ ++ + struct ipsec_sa *ips_hnext; /* next in hash chain */ + struct ipsec_sa *ips_inext; /* pointer to next xform */ + struct ipsec_sa *ips_onext; /* pointer to prev xform */ + + struct ifnet *ips_rcvif; /* related rcv encap interface */ + ++ struct xform_functions *ips_xformfuncs; /* pointer to routines to process this SA */ ++ ++ struct net_device *ips_out; /* what interface to emerge on */ ++ __u8 ips_transport_direct; /* if true, punt directly to ++ * the protocol layer */ ++ struct socket *ips_sock; /* cache of transport socket */ ++ + ip_said ips_said; /* SA ID */ + + __u32 ips_seq; /* seq num of msg that initiated this SA */ @@ -5780,7 +5804,7 @@ packaging/utils/kernelpatch 2.6 +#endif + struct ipsec_alg_enc *ips_alg_enc; + struct ipsec_alg_auth *ips_alg_auth; -+ IPsecSAref_t ips_ref_rel; ++//IPsecSAref_t ips_ref_rel; +}; + +struct IPsecSArefSubTable 
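Review bot: `ips_marked_deleted` is a plain `int` described only as "used with reference counting", next to an `atomic_t ips_refcount`; the comment should say which lock or ordering protects the flag relative to the refcount and who is allowed to set it, since a reader cannot tell whether a racing `ipsec_sa_put` may observe it unsynchronized (I cannot see the locking from this hunk). The new `ips_next` carries the same comment as the existing `ips_inext` (`pointer to next xform`), so the two fields are indistinguishable from the documentation; give `ips_next` a comment that states which list it threads. `ips_transport_direct` is a `__u8` used as a boolean and would read better with an explicit note that only 0/1 are meaningful.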
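Review bot: `//IPsecSAref_t ips_ref_rel;` is commented-out code left inside the struct definition rather than removed; the field is no longer part of the layout, so the line should be deleted (the `$Log` entries record history if it is needed later). If it is intentionally kept as a reminder, a `/* */` comment saying why would match the file's style and make the intent visible.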
@@ -5807,13 +5831,20 @@ packaging/utils/kernelpatch 2.6 +extern struct ipsec_sa *ipsec_sa_alloc(int*error); /* pass in error var by pointer */ +extern IPsecSAref_t ipsec_SAref_alloc(int*erorr); /* pass in error var by pointer */ +extern int ipsec_sa_free(struct ipsec_sa* ips); -+extern int ipsec_sa_put(struct ipsec_sa *ips); ++ ++#define ipsec_sa_get(ips) __ipsec_sa_get(ips, __FUNCTION__, __LINE__) ++extern struct ipsec_sa * __ipsec_sa_get(struct ipsec_sa *ips, const char *func, int line); ++ ++#define ipsec_sa_put(ips) __ipsec_sa_put(ips, __FUNCTION__, __LINE__) ++extern void __ipsec_sa_put(struct ipsec_sa *ips, const char *func, int line); +extern int ipsec_sa_add(struct ipsec_sa *ips); -+extern int ipsec_sa_del(struct ipsec_sa *ips); -+extern int ipsec_sa_delchain(struct ipsec_sa *ips); ++extern void ipsec_sa_rm(struct ipsec_sa *ips); +extern int ipsec_sadb_cleanup(__u8 proto); +extern int ipsec_sadb_free(void); -+extern int ipsec_sa_wipe(struct ipsec_sa *ips); ++extern int ipsec_sa_intern(struct ipsec_sa *ips); ++extern void ipsec_sa_untern(struct ipsec_sa *ips); ++extern struct ipsec_sa *ipsec_sa_getbyref(IPsecSAref_t ref); ++ +#endif /* __KERNEL__ */ + +enum ipsec_direction { 
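Review bot: `ipsec_sa_put` changes from `extern int ipsec_sa_put(struct ipsec_sa *ips)` to a macro over `void __ipsec_sa_put(...)`, so any caller that tested its return value or took its address now fails to compile, and a caller that merely ignored the return keeps working silently; the callers are outside this chunk, so this is worth a grep before merging. The macros also use `__FUNCTION__`, a GNU extension, where the C99 `__func__` gives the same value. A short comment on the `ipsec_sa_get`/`ipsec_sa_put` pair documenting that the caller site is passed only for debug output, and that `ipsec_sa_get` returns its argument so the call can be nested, would make the new reference-counting API usable without reading ipsec_sa.c.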
@@ -5825,102 +5856,6 @@ packaging/utils/kernelpatch 2.6 +#endif /* _IPSEC_SA_H_ */ + +/* -+ * $Log: ipsec_sa.h,v $ -+ * Revision 1.23 2005/05/11 01:18:59 mcr -+ * do not change structure based upon options, to avoid -+ * too many #ifdef. -+ * -+ * Revision 1.22 2005/04/14 01:17:09 mcr -+ * change sadb_state to an enum. -+ * -+ * Revision 1.21 2004/08/20 21:45:37 mcr -+ * CONFIG_KLIPS_NAT_TRAVERSAL is not used in an attempt to -+ * be 26sec compatible. But, some defines where changed. -+ * -+ * Revision 1.20 2004/07/10 19:08:41 mcr -+ * CONFIG_IPSEC -> CONFIG_KLIPS. -+ * -+ * Revision 1.19 2004/04/05 19:55:06 mcr -+ * Moved from linux/include/freeswan/ipsec_sa.h,v -+ * -+ * Revision 1.18 2004/04/05 19:41:05 mcr -+ * merged alg-branch code. -+ * -+ * Revision 1.17.2.1 2003/12/22 15:25:52 jjo -+ * . Merged algo-0.8.1-rc11-test1 into alg-branch -+ * -+ * Revision 1.17 2003/12/10 01:20:06 mcr -+ * NAT-traversal patches to KLIPS. -+ * -+ * Revision 1.16 2003/10/31 02:27:05 mcr -+ * pulled up port-selector patches and sa_id elimination. -+ * -+ * Revision 1.15.4.1 2003/10/29 01:10:19 mcr -+ * elimited "struct sa_id" -+ * -+ * Revision 1.15 2003/05/11 00:53:09 mcr -+ * IPsecSAref_t and macros were moved to freeswan.h. -+ * -+ * Revision 1.14 2003/02/12 19:31:55 rgb -+ * Fixed bug in "file seen" machinery. -+ * Updated copyright year. -+ * -+ * Revision 1.13 2003/01/30 02:31:52 rgb -+ * -+ * Re-wrote comments describing SAref system for accuracy. -+ * Rename SAref table macro names for clarity. -+ * Convert IPsecSAref_t from signed to unsigned to fix apparent SAref exhaustion bug. -+ * Transmit error code through to caller from callee for better diagnosis of problems. -+ * Enclose all macro arguments in parens to avoid any possible obscrure bugs. -+ * -+ * Revision 1.12 2002/10/07 18:31:19 rgb -+ * Change comment to reflect the flexible nature of the main and sub-table widths. -+ * Added a counter for the number of unused entries in each subtable. 
-+ * Further break up host field type macro to host field. -+ * Move field width sanity checks to ipsec_sa.c -+ * Define a mask for an entire saref. -+ * -+ * Revision 1.11 2002/09/20 15:40:33 rgb -+ * Re-write most of the SAref macros and types to eliminate any pointer references to Entrys. -+ * Fixed SAref/nfmark macros. -+ * Rework saref freeslist. -+ * Place all ipsec sadb globals into one struct. -+ * Restrict some bits to kernel context for use to klips utils. -+ * -+ * Revision 1.10 2002/09/20 05:00:34 rgb -+ * Update copyright date. -+ * -+ * Revision 1.9 2002/09/17 17:19:29 mcr -+ * make it compile even if there is no netfilter - we lost -+ * functionality, but it works, especially on 2.2. -+ * -+ * Revision 1.8 2002/07/28 22:59:53 mcr -+ * clarified/expanded one comment. -+ * -+ * Revision 1.7 2002/07/26 08:48:31 rgb -+ * Added SA ref table code. -+ * -+ * Revision 1.6 2002/05/31 17:27:48 rgb -+ * Comment fix. -+ * -+ * Revision 1.5 2002/05/27 18:55:03 rgb -+ * Remove final vistiges of tdb references via IPSEC_KLIPS1_COMPAT. -+ * -+ * Revision 1.4 2002/05/23 07:13:36 rgb -+ * Convert "usecount" to "refcount" to remove ambiguity. -+ * -+ * Revision 1.3 2002/04/24 07:36:47 mcr -+ * Moved from ./klips/net/ipsec/ipsec_sa.h,v -+ * -+ * Revision 1.2 2001/11/26 09:16:15 rgb -+ * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes. -+ * -+ * Revision 1.1.2.1 2001/09/25 02:24:58 mcr -+ * struct tdb -> struct ipsec_sa. -+ * sa(tdb) manipulation functions renamed and moved to ipsec_sa.c -+ * ipsec_xform.c removed. header file still contains useful things. -+ * -+ * + * Local variables: + * c-file-style: "linux" + * End: @@ -6089,7 +6024,7 @@ packaging/utils/kernelpatch 2.6 + */ --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/include/openswan/ipsec_tunnel.h Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,280 @@ +@@ -0,0 +1,270 @@ +/* + * IPSEC tunneling code + * Copyright (C) 1996, 1997 John Ioannidis. 
@@ -6109,7 +6044,6 @@ packaging/utils/kernelpatch 2.6 + */ + + -+#ifdef NET_21 +# define DEV_QUEUE_XMIT(skb, device, pri) {\ + skb->dev = device; \ + neigh_compat_output(skb); \ @@ -6119,22 +6053,9 @@ packaging/utils/kernelpatch 2.6 + icmp_send(skb_in, type, code, htonl(info)) +# define IP_SEND(skb, dev) \ + ip_send(skb); -+#else /* NET_21 */ -+# define DEV_QUEUE_XMIT(skb, device, pri) {\ -+ dev_queue_xmit(skb, device, pri); \ -+ } -+# define ICMP_SEND(skb_in, type, code, info, dev) \ -+ icmp_send(skb_in, type, code, info, dev) -+# define IP_SEND(skb, dev) \ -+ if(ntohs(iph->tot_len) > physmtu) { \ -+ ip_fragment(NULL, skb, dev, 0); \ -+ ipsec_kfree_skb(skb); \ -+ } else { \ -+ dev_queue_xmit(skb, dev, SOPRI_NORMAL); \ -+ } -+#endif /* NET_21 */ + + ++#if defined(KLIPS) +/* + * Heavily based on drivers/net/new_tunnel.c. Lots + * of ideas also taken from the 2.1.x version of drivers/net/shaper.c @@ -6153,6 +6074,7 @@ packaging/utils/kernelpatch 2.6 +#define IPSEC_SET_DEV (SIOCDEVPRIVATE) +#define IPSEC_DEL_DEV (SIOCDEVPRIVATE + 1) +#define IPSEC_CLR_DEV (SIOCDEVPRIVATE + 2) ++#endif + +#ifdef __KERNEL__ +#include @@ -6220,6 +6142,9 @@ packaging/utils/kernelpatch 2.6 +#define DB_TN_ENCAP 0x0200 +#endif /* CONFIG_KLIPS_DEBUG */ + ++// manage ipsec xmit state objects ++extern int ipsec_xmit_state_cache_init (void); ++extern void ipsec_xmit_state_cache_cleanup (void); +/* + * $Log: ipsec_tunnel.h,v $ + * Revision 1.33 2005/06/04 16:06:05 mcr @@ -6372,7 +6297,7 @@ packaging/utils/kernelpatch 2.6 + */ --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/include/openswan/ipsec_xform.h Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,257 @@ +@@ -0,0 +1,263 @@ +/* + * Definitions relevant to IPSEC transformations + * Copyright (C) 1996, 1997 John Ioannidis. 
@@ -6389,7 +6314,7 @@ packaging/utils/kernelpatch 2.6 + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * -+ * RCSID $Id: ipsec_xform.h,v 1.41 2004/07/10 19:08:41 mcr Exp $ ++ * RCSID $Id: ipsec_xform.h,v 1.42 2005/08/05 08:50:45 mcr Exp $ + */ + +#ifndef _IPSEC_XFORM_H_ @@ -6499,6 +6424,8 @@ packaging/utils/kernelpatch 2.6 + auth_name_id(x->ips_authalg) /* "_UNKNOWN_auth" */ \ + +#ifdef __KERNEL__ ++#include ++ +struct ipsec_rcv_state; +struct ipsec_xmit_state; + @@ -6541,6 +6468,10 @@ packaging/utils/kernelpatch 2.6 + +/* + * $Log: ipsec_xform.h,v $ ++ * Revision 1.42 2005/08/05 08:50:45 mcr ++ * move #include of skbuff.h to a place where ++ * we know it will be kernel only code. ++ * + * Revision 1.41 2004/07/10 19:08:41 mcr + * CONFIG_IPSEC -> CONFIG_KLIPS. + * @@ -6875,10 +6806,10 @@ packaging/utils/kernelpatch 2.6 + (*openswan_passert_fail)("impossible", __FILE__, __LINE__); \ + }} while(0) + -+extern void switch_fail(int n ++extern void openswan_switch_fail(int n + , const char *file_str, unsigned long line_no) NEVER_RETURNS; + -+# define bad_case(n) switch_fail((int) n, __FILE__, __LINE__) ++# define bad_case(n) openswan_switch_fail((int) n, __FILE__, __LINE__) + +# define passert(pred) do { \ + if (!(pred)) \ @@ -6910,348 +6841,8 @@ packaging/utils/kernelpatch 2.6 + +#endif /* _OPENSWAN_PASSERT_H */ 
--- /dev/null Tue Mar 11 13:02:56 2003 -+++ linux/include/openswan/pfkey_debug.h Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,54 @@ -+/* -+ * sanitize a string into a printable format. -+ * -+ * Copyright (C) 1998-2002 D. Hugh Redelmeier. -+ * Copyright (C) 2003 Michael Richardson -+ * -+ * This library is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU Library General Public License as published by -+ * the Free Software Foundation; either version 2 of the License, or (at your -+ * option) any later version. See . -+ * -+ * This library is distributed in the hope that it will be useful, but -+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public -+ * License for more details. -+ * -+ * RCSID $Id: pfkey_debug.h,v 1.3 2004/04/05 19:55:07 mcr Exp $ -+ */ -+ -+#ifndef _FREESWAN_PFKEY_DEBUG_H -+#define _FREESWAN_PFKEY_DEBUG_H -+ -+#ifdef __KERNEL__ -+ -+/* note, kernel version ignores pfkey levels */ -+# define DEBUGGING(level,args...) \ -+ KLIPS_PRINT(debug_pfkey, "klips_debug:" args) -+ -+# define ERROR(args...) printk(KERN_ERR "klips:" args) -+ -+#else -+ -+extern unsigned int pfkey_lib_debug; -+ -+extern void (*pfkey_debug_func)(const char *message, ...) PRINTF_LIKE(1); -+extern void (*pfkey_error_func)(const char *message, ...) PRINTF_LIKE(1); -+ -+#define DEBUGGING(level,args...) if(pfkey_lib_debug & level) { \ -+ if(pfkey_debug_func != NULL) { \ -+ (*pfkey_debug_func)("pfkey_lib_debug:" args); \ -+ } else { \ -+ printf("pfkey_lib_debug:" args); \ -+ } } -+ -+#define ERROR(args...) 
if(pfkey_error_func != NULL) { \ -+ (*pfkey_error_func)("pfkey_lib_debug:" args); \ -+ } -+ -+# define MALLOC(size) malloc(size) -+# define FREE(obj) free(obj) -+ -+#endif -+ -+#endif ---- /dev/null Tue Mar 11 13:02:56 2003 -+++ linux/include/openswan/radij.h Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,280 @@ -+/* -+ * RCSID $Id: radij.h,v 1.13 2004/04/05 19:55:08 mcr Exp $ -+ */ -+ -+/* -+ * This file is defived from ${SRC}/sys/net/radix.h of BSD 4.4lite -+ * -+ * Variable and procedure names have been modified so that they don't -+ * conflict with the original BSD code, as a small number of modifications -+ * have been introduced and we may want to reuse this code in BSD. -+ * -+ * The `j' in `radij' is pronounced as a voiceless guttural (like a Greek -+ * chi or a German ch sound (as `doch', not as in `milch'), or even a -+ * spanish j as in Juan. It is not as far back in the throat like -+ * the corresponding Hebrew sound, nor is it a soft breath like the English h. -+ * It has nothing to do with the Dutch ij sound. -+ * -+ * Here is the appropriate copyright notice: -+ */ -+ -+/* -+ * Copyright (c) 1988, 1989, 1993 -+ * The Regents of the University of California. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. All advertising materials mentioning features or use of this software -+ * must display the following acknowledgement: -+ * This product includes software developed by the University of -+ * California, Berkeley and its contributors. -+ * 4. 
Neither the name of the University nor the names of its contributors -+ * may be used to endorse or promote products derived from this software -+ * without specific prior written permission. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND -+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE -+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -+ * SUCH DAMAGE. -+ * -+ * @(#)radix.h 8.1 (Berkeley) 6/10/93 -+ */ -+ -+#ifndef _RADIJ_H_ -+#define _RADIJ_H_ -+ -+/* -+#define RJ_DEBUG -+*/ -+ -+#ifdef __KERNEL__ -+ -+#ifndef __P -+#ifdef __STDC__ -+#define __P(x) x -+#else -+#define __P(x) () -+#endif -+#endif -+ -+/* -+ * Radix search tree node layout. 
-+ */ -+ -+struct radij_node -+{ -+ struct radij_mask *rj_mklist; /* list of masks contained in subtree */ -+ struct radij_node *rj_p; /* parent */ -+ short rj_b; /* bit offset; -1-index(netmask) */ -+ char rj_bmask; /* node: mask for bit test*/ -+ u_char rj_flags; /* enumerated next */ -+#define RJF_NORMAL 1 /* leaf contains normal route */ -+#define RJF_ROOT 2 /* leaf is root leaf for tree */ -+#define RJF_ACTIVE 4 /* This node is alive (for rtfree) */ -+ union { -+ struct { /* leaf only data: */ -+ caddr_t rj_Key; /* object of search */ -+ caddr_t rj_Mask; /* netmask, if present */ -+ struct radij_node *rj_Dupedkey; -+ } rj_leaf; -+ struct { /* node only data: */ -+ int rj_Off; /* where to start compare */ -+ struct radij_node *rj_L;/* progeny */ -+ struct radij_node *rj_R;/* progeny */ -+ }rj_node; -+ } rj_u; -+#ifdef RJ_DEBUG -+ int rj_info; -+ struct radij_node *rj_twin; -+ struct radij_node *rj_ybro; -+#endif -+}; -+ -+#define rj_dupedkey rj_u.rj_leaf.rj_Dupedkey -+#define rj_key rj_u.rj_leaf.rj_Key -+#define rj_mask rj_u.rj_leaf.rj_Mask -+#define rj_off rj_u.rj_node.rj_Off -+#define rj_l rj_u.rj_node.rj_L -+#define rj_r rj_u.rj_node.rj_R -+ -+/* -+ * Annotations to tree concerning potential routes applying to subtrees. -+ */ -+ -+extern struct radij_mask { -+ short rm_b; /* bit offset; -1-index(netmask) */ -+ char rm_unused; /* cf. rj_bmask */ -+ u_char rm_flags; /* cf. 
rj_flags */ -+ struct radij_mask *rm_mklist; /* more masks to try */ -+ caddr_t rm_mask; /* the mask */ -+ int rm_refs; /* # of references to this struct */ -+} *rj_mkfreelist; -+ -+#define MKGet(m) {\ -+ if (rj_mkfreelist) {\ -+ m = rj_mkfreelist; \ -+ rj_mkfreelist = (m)->rm_mklist; \ -+ } else \ -+ R_Malloc(m, struct radij_mask *, sizeof (*(m))); }\ -+ -+#define MKFree(m) { (m)->rm_mklist = rj_mkfreelist; rj_mkfreelist = (m);} -+ -+struct radij_node_head { -+ struct radij_node *rnh_treetop; -+ int rnh_addrsize; /* permit, but not require fixed keys */ -+ int rnh_pktsize; /* permit, but not require fixed keys */ -+#if 0 -+ struct radij_node *(*rnh_addaddr) /* add based on sockaddr */ -+ __P((void *v, void *mask, -+ struct radij_node_head *head, struct radij_node nodes[])); -+#endif -+ int (*rnh_addaddr) /* add based on sockaddr */ -+ __P((void *v, void *mask, -+ struct radij_node_head *head, struct radij_node nodes[])); -+ struct radij_node *(*rnh_addpkt) /* add based on packet hdr */ -+ __P((void *v, void *mask, -+ struct radij_node_head *head, struct radij_node nodes[])); -+#if 0 -+ struct radij_node *(*rnh_deladdr) /* remove based on sockaddr */ -+ __P((void *v, void *mask, struct radij_node_head *head)); -+#endif -+ int (*rnh_deladdr) /* remove based on sockaddr */ -+ __P((void *v, void *mask, struct radij_node_head *head, struct radij_node **node)); -+ struct radij_node *(*rnh_delpkt) /* remove based on packet hdr */ -+ __P((void *v, void *mask, struct radij_node_head *head)); -+ struct radij_node *(*rnh_matchaddr) /* locate based on sockaddr */ -+ __P((void *v, struct radij_node_head *head)); -+ struct radij_node *(*rnh_matchpkt) /* locate based on packet hdr */ -+ __P((void *v, struct radij_node_head *head)); -+ int (*rnh_walktree) /* traverse tree */ -+ __P((struct radij_node_head *head, int (*f)(struct radij_node *rn, void *w), void *w)); -+ struct radij_node rnh_nodes[3]; /* empty tree for common case */ -+}; -+ -+ -+#define Bcmp(a, b, n) 
memcmp(((caddr_t)(b)), ((caddr_t)(a)), (unsigned)(n)) -+#define Bcopy(a, b, n) memmove(((caddr_t)(b)), ((caddr_t)(a)), (unsigned)(n)) -+#define Bzero(p, n) memset((caddr_t)(p), 0, (unsigned)(n)) -+#define R_Malloc(p, t, n) ((p = (t) kmalloc((size_t)(n), GFP_ATOMIC)), Bzero((p),(n))) -+#define Free(p) kfree((caddr_t)p); -+ -+void rj_init __P((void)); -+int rj_inithead __P((void **, int)); -+int rj_refines __P((void *, void *)); -+int rj_walktree __P((struct radij_node_head *head, int (*f)(struct radij_node *rn, void *w), void *w)); -+struct radij_node -+ *rj_addmask __P((void *, int, int)) /* , rgb */ ; -+int /* * */ rj_addroute __P((void *, void *, struct radij_node_head *, -+ struct radij_node [2])) /* , rgb */ ; -+int /* * */ rj_delete __P((void *, void *, struct radij_node_head *, struct radij_node **)) /* , rgb */ ; -+struct radij_node /* rgb */ -+ *rj_insert __P((void *, struct radij_node_head *, int *, -+ struct radij_node [2])), -+ *rj_match __P((void *, struct radij_node_head *)), -+ *rj_newpair __P((void *, int, struct radij_node[2])), -+ *rj_search __P((void *, struct radij_node *)), -+ *rj_search_m __P((void *, struct radij_node *, void *)); -+ -+void rj_deltree(struct radij_node_head *); -+void rj_delnodes(struct radij_node *); -+void rj_free_mkfreelist(void); -+int radijcleartree(void); -+int radijcleanup(void); -+ -+extern struct radij_node_head *mask_rjhead; -+extern int maj_keylen; -+#endif /* __KERNEL__ */ -+ -+#endif /* _RADIJ_H_ */ -+ -+ -+/* -+ * $Log: radij.h,v $ -+ * Revision 1.13 2004/04/05 19:55:08 mcr -+ * Moved from linux/include/freeswan/radij.h,v -+ * -+ * Revision 1.12 2002/04/24 07:36:48 mcr -+ * Moved from ./klips/net/ipsec/radij.h,v -+ * -+ * Revision 1.11 2001/09/20 15:33:00 rgb -+ * Min/max cleanup. -+ * -+ * Revision 1.10 1999/11/18 04:09:20 rgb -+ * Replaced all kernel version macros to shorter, readable form. -+ * -+ * Revision 1.9 1999/05/05 22:02:33 rgb -+ * Add a quick and dirty port to 2.2 kernels by Marc Boucher . 
-+ * -+ * Revision 1.8 1999/04/29 15:24:58 rgb -+ * Add check for existence of macros min/max. -+ * -+ * Revision 1.7 1999/04/11 00:29:02 henry -+ * GPL boilerplate -+ * -+ * Revision 1.6 1999/04/06 04:54:29 rgb -+ * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes -+ * patch shell fixes. -+ * -+ * Revision 1.5 1999/01/22 06:30:32 rgb -+ * 64-bit clean-up. -+ * -+ * Revision 1.4 1998/11/30 13:22:55 rgb -+ * Rationalised all the klips kernel file headers. They are much shorter -+ * now and won't conflict under RH5.2. -+ * -+ * Revision 1.3 1998/10/25 02:43:27 rgb -+ * Change return type on rj_addroute and rj_delete and add and argument -+ * to the latter to be able to transmit more infomation about errors. -+ * -+ * Revision 1.2 1998/07/14 18:09:51 rgb -+ * Add a routine to clear eroute table. -+ * Added #ifdef __KERNEL__ directives to restrict scope of header. -+ * -+ * Revision 1.1 1998/06/18 21:30:22 henry -+ * move sources from klips/src to klips/net/ipsec to keep stupid kernel -+ * build scripts happier about symlinks -+ * -+ * Revision 1.4 1998/05/25 20:34:16 rgb -+ * Remove temporary ipsec_walk, rj_deltree and rj_delnodes functions. -+ * -+ * Rename ipsec_rj_walker (ipsec_walk) to ipsec_rj_walker_procprint and -+ * add ipsec_rj_walker_delete. -+ * -+ * Recover memory for eroute table on unload of module. -+ * -+ * Revision 1.3 1998/04/22 16:51:37 rgb -+ * Tidy up radij debug code from recent rash of modifications to debug code. -+ * -+ * Revision 1.2 1998/04/14 17:30:38 rgb -+ * Fix up compiling errors for radij tree memory reclamation. -+ * -+ * Revision 1.1 1998/04/09 03:06:16 henry -+ * sources moved up from linux/net/ipsec -+ * -+ * Revision 1.1.1.1 1998/04/08 05:35:04 henry -+ * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8 -+ * -+ * Revision 0.4 1997/01/15 01:28:15 ji -+ * No changes. -+ * -+ * Revision 0.3 1996/11/20 14:44:45 ji -+ * Release update only. -+ * -+ * Revision 0.2 1996/11/02 00:18:33 ji -+ * First limited release. 
-+ * -+ * -+ */ ---- /dev/null Tue Mar 11 13:02:56 2003 -+++ linux/include/pfkey.h Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,529 @@ ++++ linux/include/openswan/pfkey.h Mon Feb 9 13:51:03 2004 +@@ -0,0 +1,344 @@ +/* + * FreeS/WAN specific PF_KEY headers + * Copyright (C) 1999, 2000, 2001 Richard Guy Briggs. @@ -7266,7 +6857,7 @@ packaging/utils/kernelpatch 2.6 + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * -+ * RCSID $Id: pfkey.h,v 1.49 2005/05/11 00:57:29 mcr Exp $ ++ * RCSID $Id: pfkey.h,v 1.52 2005/11/09 00:30:37 mcr Exp $ + */ + +#ifndef __NET_IPSEC_PF_KEY_H @@ -7386,8 +6977,8 @@ packaging/utils/kernelpatch 2.6 +extern int pfkey_acquire(struct ipsec_sa *); +#else /* ! __KERNEL__ */ + -+extern void (*pfkey_debug_func)(const char *message, ...); -+extern void (*pfkey_error_func)(const char *message, ...); ++extern openswan_keying_debug_func_t pfkey_debug_func; ++extern openswan_keying_debug_func_t pfkey_error_func; +extern void pfkey_print(struct sadb_msg *msg, FILE *out); + + @@ -7502,7 +7093,7 @@ packaging/utils/kernelpatch 2.6 +pfkey_key_build(struct sadb_ext** pfkey_ext, + uint16_t exttype, + uint16_t key_bits, -+ char* key); ++ unsigned char *key); + +int +pfkey_ident_build(struct sadb_ext** pfkey_ext, 
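Review bot: This hunk drops the whole `linux/include/openswan/radij.h` file from the kernel patch and nothing in this chunk adds it back; pfkey_debug.h is re-added later (after pfkey.h) and pfkey.h only moves to `linux/include/openswan/pfkey.h`, but radij.h has no visible replacement. If KLIPS in 2.5.13 still uses the radij tree this would break the kernel build, so the new patch should be checked for the file at a different position (outside this view) before the update is merged. The moved pfkey.h also shrinks from 529 to 344 lines; the visible part of that is the `$Log` removal, which is fine.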
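Review bot: `pfkey_debug_func` and `pfkey_error_func` are now declared through `openswan_keying_debug_func_t`, a typedef that is not declared anywhere in this chunk, so the userland (`! __KERNEL__`) branch depends on an include that must precede it. The old pfkey_debug.h declared the same two symbols as `void (*)(const char *message, ...) PRINTF_LIKE(1)`; the re-added pfkey_debug.h is cut off at the end of this view, so confirm that it either uses the same typedef or no longer declares them, otherwise the two headers give conflicting declarations for the same objects.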
@@ -7590,200 +7181,72 @@ packaging/utils/kernelpatch 2.6 +const char * +pfkey_v2_sadb_type_string(int sadb_type); + ++extern int ++pfkey_outif_build(struct sadb_ext **pfkey_ext, ++ uint16_t outif); + +#endif /* __NET_IPSEC_PF_KEY_H */ + +--- /dev/null Tue Mar 11 13:02:56 2003 ++++ linux/include/openswan/pfkey_debug.h Mon Feb 9 13:51:03 2004 +@@ -0,0 +1,54 @@ +/* -+ * $Log: pfkey.h,v $ -+ * Revision 1.49 2005/05/11 00:57:29 mcr -+ * rename struct supported -> struct ipsec_alg_supported. -+ * make pfkey.h more standalone. -+ * -+ * Revision 1.48 2005/05/01 03:12:50 mcr -+ * include name of algorithm in datastructure. -+ * -+ * Revision 1.47 2004/08/21 00:44:14 mcr -+ * simplify definition of nat_t related prototypes. -+ * -+ * Revision 1.46 2004/08/04 16:27:22 mcr -+ * 2.6 sk_ options. -+ * -+ * Revision 1.45 2004/04/06 02:49:00 mcr -+ * pullup of algo code from alg-branch. -+ * -+ * Revision 1.44 2003/12/10 01:20:01 mcr -+ * NAT-traversal patches to KLIPS. -+ * -+ * Revision 1.43 2003/10/31 02:26:44 mcr -+ * pulled up port-selector patches. -+ * -+ * Revision 1.42.2.2 2003/10/29 01:09:32 mcr -+ * added debugging for pfkey library. -+ * -+ * Revision 1.42.2.1 2003/09/21 13:59:34 mcr -+ * pre-liminary X.509 patch - does not yet pass tests. -+ * -+ * Revision 1.42 2003/08/25 22:08:19 mcr -+ * removed pfkey_proto_init() from pfkey.h for 2.6 support. -+ * -+ * Revision 1.41 2003/05/07 17:28:57 mcr -+ * new function pfkey_debug_func added for us in debugging from -+ -+ * pfkey library. -+ * -+ * Revision 1.40 2003/01/30 02:31:34 rgb -+ * -+ * Convert IPsecSAref_t from signed to unsigned to fix apparent SAref exhaustion bug. -+ * -+ * Revision 1.39 2002/09/20 15:40:21 rgb -+ * Switch from pfkey_alloc_ipsec_sa() to ipsec_sa_alloc(). -+ * Added ref parameter to pfkey_sa_build(). -+ * Cleaned out unused cruft. -+ * -+ * Revision 1.38 2002/05/14 02:37:24 rgb -+ * Change all references to tdb, TDB or Tunnel Descriptor Block to ips, -+ * ipsec_sa or ipsec_sa. 
-+ * Added function prototypes for the functions moved to -+ * pfkey_v2_ext_process.c. -+ * -+ * Revision 1.37 2002/04/24 07:36:49 mcr -+ * Moved from ./lib/pfkey.h,v -+ * -+ * Revision 1.36 2002/01/20 20:34:49 mcr -+ * added pfkey_v2_sadb_type_string to decode sadb_type to string. -+ * -+ * Revision 1.35 2001/11/27 05:27:47 mcr -+ * pfkey parses are now maintained by a structure -+ * that includes their name for debug purposes. -+ * -+ * Revision 1.34 2001/11/26 09:23:53 rgb -+ * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes. -+ * -+ * Revision 1.33 2001/11/06 19:47:47 rgb -+ * Added packet parameter to lifetime and comb structures. -+ * -+ * Revision 1.32 2001/09/08 21:13:34 rgb -+ * Added pfkey ident extension support for ISAKMPd. (NetCelo) -+ * -+ * Revision 1.31 2001/06/14 19:35:16 rgb -+ * Update copyright date. -+ * -+ * Revision 1.30 2001/02/27 07:04:52 rgb -+ * Added satype2name prototype. -+ * -+ * Revision 1.29 2001/02/26 19:59:33 rgb -+ * Ditch unused sadb_satype2proto[], replaced by satype2proto(). -+ * -+ * Revision 1.28 2000/10/10 20:10:19 rgb -+ * Added support for debug_ipcomp and debug_verbose to klipsdebug. -+ * -+ * Revision 1.27 2000/09/21 04:20:45 rgb -+ * Fixed array size off-by-one error. (Thanks Svenning!) -+ * -+ * Revision 1.26 2000/09/12 03:26:05 rgb -+ * Added pfkey_acquire prototype. -+ * -+ * Revision 1.25 2000/09/08 19:21:28 rgb -+ * Fix pfkey_prop_build() parameter to be only single indirection. -+ * -+ * Revision 1.24 2000/09/01 18:46:42 rgb -+ * Added a supported algorithms array lists, one per satype and registered -+ * existing algorithms. -+ * Fixed pfkey_list_{insert,remove}_{socket,support}() to allow change to -+ * list. -+ * -+ * Revision 1.23 2000/08/27 01:55:26 rgb -+ * Define OCTETBITS and PFKEYBITS to avoid using 'magic' numbers in code. -+ * -+ * Revision 1.22 2000/08/20 21:39:23 rgb -+ * Added kernel prototypes for kernel funcitions pfkey_upmsg() and -+ * pfkey_expire(). 
-+ * -+ * Revision 1.21 2000/08/15 17:29:23 rgb -+ * Fixes from SZI to untested pfkey_prop_build(). -+ * -+ * Revision 1.20 2000/05/10 20:14:19 rgb -+ * Fleshed out sensitivity, proposal and supported extensions. -+ * -+ * Revision 1.19 2000/03/16 14:07:23 rgb -+ * Renamed ALIGN macro to avoid fighting with others in kernel. -+ * -+ * Revision 1.18 2000/01/22 23:24:06 rgb -+ * Added prototypes for proto2satype(), satype2proto() and proto2name(). -+ * -+ * Revision 1.17 2000/01/21 06:26:59 rgb -+ * Converted from double tdb arguments to one structure (extr) -+ * containing pointers to all temporary information structures. -+ * Added klipsdebug switching capability. -+ * Dropped unused argument to pfkey_x_satype_build(). -+ * -+ * Revision 1.16 1999/12/29 21:17:41 rgb -+ * Changed pfkey_msg_build() I/F to include a struct sadb_msg** -+ * parameter for cleaner manipulation of extensions[] and to guard -+ * against potential memory leaks. -+ * Changed the I/F to pfkey_msg_free() for the same reason. -+ * -+ * Revision 1.15 1999/12/09 23:12:54 rgb -+ * Added macro for BITS_PER_OCTET. -+ * Added argument to pfkey_sa_build() to do eroutes. -+ * -+ * Revision 1.14 1999/12/08 20:33:25 rgb -+ * Changed sa_family_t to uint16_t for 2.0.xx compatibility. -+ * -+ * Revision 1.13 1999/12/07 19:53:40 rgb -+ * Removed unused first argument from extension parsers. -+ * Changed __u* types to uint* to avoid use of asm/types.h and -+ * sys/types.h in userspace code. -+ * Added function prototypes for pfkey message and extensions -+ * initialisation and cleanup. -+ * -+ * Revision 1.12 1999/12/01 22:19:38 rgb -+ * Change pfkey_sa_build to accept an SPI in network byte order. -+ * -+ * Revision 1.11 1999/11/27 11:55:26 rgb -+ * Added extern sadb_satype2proto to enable moving protocol lookup table -+ * to lib/pfkey_v2_parse.c. -+ * Delete unused, moved typedefs. -+ * Add argument to pfkey_msg_parse() for direction. -+ * Consolidated the 4 1-d extension bitmap arrays into one 4-d array. 
-+ * -+ * Revision 1.10 1999/11/23 22:29:21 rgb -+ * This file has been moved in the distribution from klips/net/ipsec to -+ * lib. -+ * Add macros for dealing with alignment and rounding up more opaquely. -+ * The uint_t type defines have been moved to freeswan.h to avoid -+ * chicken-and-egg problems. -+ * Add macros for dealing with alignment and rounding up more opaque. -+ * Added prototypes for using extention header bitmaps. -+ * Added prototypes of all the build functions. -+ * -+ * Revision 1.9 1999/11/20 21:59:48 rgb -+ * Moved socketlist type declarations and prototypes for shared use. -+ * Slightly modified scope of sockaddr_key declaration. -+ * -+ * Revision 1.8 1999/11/17 14:34:25 rgb -+ * Protect sa_family_t from being used in userspace with GLIBC<2. -+ * -+ * Revision 1.7 1999/10/27 19:40:35 rgb -+ * Add a maximum PFKEY packet size macro. -+ * -+ * Revision 1.6 1999/10/26 16:58:58 rgb -+ * Created a sockaddr_key and key_opt socket extension structures. -+ * -+ * Revision 1.5 1999/06/10 05:24:41 rgb -+ * Renamed variables to reduce confusion. -+ * -+ * Revision 1.4 1999/04/29 15:21:11 rgb -+ * Add pfkey support to debugging. -+ * Add return values to init and cleanup functions. ++ * sanitize a string into a printable format. + * -+ * Revision 1.3 1999/04/15 17:58:07 rgb -+ * Add RCSID labels. ++ * Copyright (C) 1998-2002 D. Hugh Redelmeier. ++ * Copyright (C) 2003 Michael Richardson ++ * ++ * This library is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU Library General Public License as published by ++ * the Free Software Foundation; either version 2 of the License, or (at your ++ * option) any later version. See . ++ * ++ * This library is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ++ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public ++ * License for more details. 
+ *
++ * RCSID $Id: pfkey_debug.h,v 1.3 2004/04/05 19:55:07 mcr Exp $
+ */
++
++#ifndef _FREESWAN_PFKEY_DEBUG_H
++#define _FREESWAN_PFKEY_DEBUG_H
++
++#ifdef __KERNEL__
++
++/* note, kernel version ignores pfkey levels */
++# define DEBUGGING(level,args...) \
++ KLIPS_PRINT(debug_pfkey, "klips_debug:" args)
++
++# define ERROR(args...) printk(KERN_ERR "klips:" args)
++
++#else
++
++extern unsigned int pfkey_lib_debug;
++
++extern int (*pfkey_debug_func)(const char *message, ...) PRINTF_LIKE(1);
++extern int (*pfkey_error_func)(const char *message, ...) PRINTF_LIKE(1);
++
++#define DEBUGGING(level,args...) if(pfkey_lib_debug & level) { \
++ if(pfkey_debug_func != NULL) { \
++ (*pfkey_debug_func)("pfkey_lib_debug:" args); \
++ } else { \
++ printf("pfkey_lib_debug:" args); \
++ } }
++
++#define ERROR(args...) if(pfkey_error_func != NULL) { \
++ (*pfkey_error_func)("pfkey_lib_debug:" args); \
++ }
++
++# define MALLOC(size) malloc(size)
++# define FREE(obj) free(obj)
++
++#endif
++
++#endif
 --- /dev/null Tue Mar 11 13:02:56 2003
-+++ linux/include/pfkeyv2.h Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,472 @@
++++ linux/include/openswan/pfkeyv2.h Mon Feb 9 13:51:03 2004
+@@ -0,0 +1,505 @@
 +/*
 + * RCSID $Id: pfkeyv2.h,v 1.31 2005/04/14 01:14:54 mcr Exp $
 + */
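Review bot: The userland `DEBUGGING` and `ERROR` macros in the new pfkey_debug.h expand to a bare `if` statement, so `if (cond) ERROR("..."); else ...` binds the `else` to the macro's own `if`, and `DEBUGGING(...)` cannot be used where a single statement is expected without a trailing-semicolon surprise. Wrapping both bodies in `do { ... } while (0)` makes them statement-safe; the kernel-side variants are single expressions and are fine as written, though the shape of `KLIPS_PRINT` is not visible here. Names as generic as `ERROR`, `DEBUGGING`, `MALLOC` and `FREE` in a header included by the kernel patch are also prone to collide with other headers, which is the same problem the `DEBUG` to `AES_DEBUG` rename later in this diff works around; a `PFKEY_` prefix would avoid repeating it.
```c
#define DEBUGGING(level,args...) do { \
	if (pfkey_lib_debug & (level)) { \
		if (pfkey_debug_func != NULL) { \
			(*pfkey_debug_func)("pfkey_lib_debug:" args); \
		} else { \
			printf("pfkey_lib_debug:" args); \
		} \
	} \
} while (0)

#define ERROR(args...) do { \
	if (pfkey_error_func != NULL) { \
		(*pfkey_error_func)("pfkey_lib_debug:" args); \
	} \
} while (0)
/* … unchanged: MALLOC/FREE definitions and include guards … */
```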
@@ -7818,13 +7281,41 @@ packaging/utils/kernelpatch 2.6
 +#define SADB_DUMP 10
 +#define SADB_X_PROMISC 11
 +#define SADB_X_PCHANGE 12
-+#define SADB_X_GRPSA 13
-+#define SADB_X_ADDFLOW 14
-+#define SADB_X_DELFLOW 15
-+#define SADB_X_DEBUG 16
 +#define SADB_X_NAT_T_NEW_MAPPING 17
 +#define SADB_MAX 17
 +
++enum sadb_msg_t {
++ K_SADB_RESERVED=SADB_RESERVED,
++ K_SADB_GETSPI=SADB_GETSPI,
++ K_SADB_UPDATE=SADB_UPDATE,
++ K_SADB_ADD=SADB_ADD,
++ K_SADB_DELETE=SADB_DELETE,
++ K_SADB_GET=SADB_GET,
++ K_SADB_ACQUIRE=SADB_ACQUIRE,
++ K_SADB_REGISTER=SADB_REGISTER,
++ K_SADB_EXPIRE=SADB_EXPIRE,
++ K_SADB_FLUSH=SADB_FLUSH,
++ K_SADB_DUMP=SADB_DUMP,
++ K_SADB_X_PROMISC=SADB_X_PROMISC,
++ K_SADB_X_PCHANGE=SADB_X_PCHANGE,
++ K_SADB_X_GRPSA=13,
++ K_SADB_X_ADDFLOW=14,
++ K_SADB_X_DELFLOW=15,
++ K_SADB_X_DEBUG=16,
++ K_SADB_X_NAT_T_NEW_MAPPING=17,
++ K_SADB_X_PLUMBIF=18,
++ K_SADB_X_UNPLUMBIF=19,
++ K_SADB_MAX=19
++};
++
++#define SADB_X_GRPSA K_SADB_X_GRPSA
++#define SADB_X_ADDFLOW K_SADB_X_ADDFLOW
++#define SADB_X_DELFLOW K_SADB_X_DELFLOW
++#define SADB_X_DEBUG K_SADB_X_DEBUG
++#define SADB_X_PLUMBIF K_SADB_X_PLUMBIF
++#define SADB_X_UNPLUMBIF K_SADB_X_UNPLUMBIF
++
++
 +struct sadb_msg {
 + uint8_t sadb_msg_version;
 + uint8_t sadb_msg_type;
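Review bot: `SADB_MAX` is left at 17 while the new enum ends at `K_SADB_MAX=19` and `SADB_X_PLUMBIF`/`SADB_X_UNPLUMBIF` are exported as 18 and 19, so the two ceilings now disagree. Any table sized from `SADB_MAX` and indexed by `sadb_msg_type` (message parsers and per-type extension bitmaps are the usual suspects, none visible in this hunk) would be indexed two past its end by a PLUMBIF or UNPLUMBIF message. Either align the define with the enum, `#define SADB_MAX K_SADB_MAX`, or, if 17 must stay for RFC 2367 compatibility, add a comment saying so and make sure every kernel-side bound uses `K_SADB_MAX`. The enum values themselves match the literal defines they replace.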
@@ -8015,6 +7506,33 @@ packaging/utils/kernelpatch 2.6
 +};
 +
 +/*
++ * a plumbif extension can appear in
++ * - a plumbif message to create the interface.
++ * - a unplumbif message to delete the interface.
++ * - a sadb add/replace to indicate which interface
++ * a decrypted packet should emerge on.
++ *
++ * the create/delete part could/should be replaced with netlink equivalents,
++ * or better yet, FORCES versions of same.
++ *
++ */
++struct sadb_x_plumbif {
++ uint16_t sadb_x_outif_len;
++ uint16_t sadb_x_outif_exttype;
++ uint16_t sadb_x_outif_ifnum;
++} __attribute__((packed));
++
++/*
++ * the ifnum describes a device that you wish to create refer to.
++ *
++ * devices 0-40959 are mastXXX devices.
++ * devices 40960-49141 are mastXXX devices with transport set.
++ * devices 49152-65536 are deprecated ipsecXXX devices.
++ */
++#define IPSECDEV_OFFSET (48*1024)
++#define MASTTRANSPORT_OFFSET (40*1024)
++
++/*
 + * A protocol structure for passing through the transport level
 + * protocol. It contains more fields than are actually used/needed
 + * but it is this way to be compatible with the structure used in
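Review bot: The ranges in the new comment do not match the constants under it: `MASTTRANSPORT_OFFSET` is 40960 and `IPSECDEV_OFFSET` is 49152, so the second range should read `* devices 40960-49151 are mastXXX devices with transport set.`, and because `sadb_x_outif_ifnum` is a `uint16_t` the last should be `* devices 49152-65535 are deprecated ipsecXXX devices.`; the first line also reads `create refer to` where `create or refer to` is presumably meant. Separately, `struct sadb_x_plumbif` is 6 bytes packed while PF_KEYv2 extension lengths are counted in 8-byte units, so whatever fills `sadb_x_outif_len` (presumably `pfkey_outif_build`, declared in an earlier hunk but not defined in this diff) has to pad the extension to 8 bytes or a parser stepping by `sadb_ext_len * 8` misaligns on the next extension. A one-line comment on the struct stating that padding contract would help the next reader.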
@@ -8047,30 +7565,74 @@ packaging/utils/kernelpatch 2.6 +#define SADB_EXT_SUPPORTED_ENCRYPT 15 +#define SADB_EXT_SPIRANGE 16 +#define SADB_X_EXT_KMPRIVATE 17 -+#define SADB_X_EXT_SATYPE2 18 -+#ifdef KERNEL26_HAS_KAME_DUPLICATES +#define SADB_X_EXT_POLICY 18 -+#endif +#define SADB_X_EXT_SA2 19 -+#define SADB_X_EXT_ADDRESS_DST2 20 -+#define SADB_X_EXT_ADDRESS_SRC_FLOW 21 -+#define SADB_X_EXT_ADDRESS_DST_FLOW 22 -+#define SADB_X_EXT_ADDRESS_SRC_MASK 23 -+#define SADB_X_EXT_ADDRESS_DST_MASK 24 -+#define SADB_X_EXT_DEBUG 25 -+#define SADB_X_EXT_PROTOCOL 26 +#define SADB_X_EXT_NAT_T_TYPE 27 +#define SADB_X_EXT_NAT_T_SPORT 28 +#define SADB_X_EXT_NAT_T_DPORT 29 +#define SADB_X_EXT_NAT_T_OA 30 +#define SADB_EXT_MAX 30 + -+/* SADB_X_DELFLOW required over and above SADB_X_SAFLAGS_CLEARFLOW */ -+#define SADB_X_EXT_ADDRESS_DELFLOW \ -+ ( (1<rm_mklist; \ ++ } else \ ++ R_Malloc(m, struct radij_mask *, sizeof (*(m))); }\ ++ ++#define MKFree(m) { (m)->rm_mklist = rj_mkfreelist; rj_mkfreelist = (m);} ++ ++struct radij_node_head { ++ struct radij_node *rnh_treetop; ++ int rnh_addrsize; /* permit, but not require fixed keys */ ++ int rnh_pktsize; /* permit, but not require fixed keys */ ++#if 0 ++ struct radij_node *(*rnh_addaddr) /* add based on sockaddr */ ++ __P((void *v, void *mask, ++ struct radij_node_head *head, struct radij_node nodes[])); ++#endif ++ int (*rnh_addaddr) /* add based on sockaddr */ ++ __P((void *v, void *mask, ++ struct radij_node_head *head, struct radij_node nodes[])); ++ struct radij_node *(*rnh_addpkt) /* add based on packet hdr */ ++ __P((void *v, void *mask, ++ struct radij_node_head *head, struct radij_node nodes[])); ++#if 0 ++ struct radij_node *(*rnh_deladdr) /* remove based on sockaddr */ ++ __P((void *v, void *mask, struct radij_node_head *head)); ++#endif ++ int (*rnh_deladdr) /* remove based on sockaddr */ ++ __P((void *v, void *mask, struct radij_node_head *head, struct radij_node **node)); ++ struct radij_node *(*rnh_delpkt) /* remove based on 
packet hdr */ ++ __P((void *v, void *mask, struct radij_node_head *head)); ++ struct radij_node *(*rnh_matchaddr) /* locate based on sockaddr */ ++ __P((void *v, struct radij_node_head *head)); ++ struct radij_node *(*rnh_matchpkt) /* locate based on packet hdr */ ++ __P((void *v, struct radij_node_head *head)); ++ int (*rnh_walktree) /* traverse tree */ ++ __P((struct radij_node_head *head, int (*f)(struct radij_node *rn, void *w), void *w)); ++ struct radij_node rnh_nodes[3]; /* empty tree for common case */ ++}; ++ ++ ++#define Bcmp(a, b, n) memcmp(((caddr_t)(b)), ((caddr_t)(a)), (unsigned)(n)) ++#define Bcopy(a, b, n) memmove(((caddr_t)(b)), ((caddr_t)(a)), (unsigned)(n)) ++#define Bzero(p, n) memset((caddr_t)(p), 0, (unsigned)(n)) ++#define R_Malloc(p, t, n) ((p = (t) kmalloc((size_t)(n), GFP_ATOMIC)), Bzero((p),(n))) ++#define Free(p) kfree((caddr_t)p); ++ ++void rj_init __P((void)); ++int rj_inithead __P((void **, int)); ++int rj_refines __P((void *, void *)); ++int rj_walktree __P((struct radij_node_head *head, int (*f)(struct radij_node *rn, void *w), void *w)); ++struct radij_node ++ *rj_addmask __P((void *, int, int)) /* , rgb */ ; ++int /* * */ rj_addroute __P((void *, void *, struct radij_node_head *, ++ struct radij_node [2])) /* , rgb */ ; ++int /* * */ rj_delete __P((void *, void *, struct radij_node_head *, struct radij_node **)) /* , rgb */ ; ++struct radij_node /* rgb */ ++ *rj_insert __P((void *, struct radij_node_head *, int *, ++ struct radij_node [2])), ++ *rj_match __P((void *, struct radij_node_head *)), ++ *rj_newpair __P((void *, int, struct radij_node[2])), ++ *rj_search __P((void *, struct radij_node *)), ++ *rj_search_m __P((void *, struct radij_node *, void *)); ++ ++void rj_deltree(struct radij_node_head *); ++void rj_delnodes(struct radij_node *); ++void rj_free_mkfreelist(void); ++int radijcleartree(void); ++int radijcleanup(void); ++ ++extern struct radij_node_head *mask_rjhead; ++extern int maj_keylen; ++#endif /* __KERNEL__ */ 
++ ++#endif /* _RADIJ_H_ */ ++ ++ ++/* ++ * $Log: radij.h,v $ ++ * Revision 1.13 2004/04/05 19:55:08 mcr ++ * Moved from linux/include/freeswan/radij.h,v + * -+ * Revision 1.24 2003/07/31 22:55:27 mcr -+ * added some definitions to keep pfkeyv2.h files in sync. ++ * Revision 1.12 2002/04/24 07:36:48 mcr ++ * Moved from ./klips/net/ipsec/radij.h,v + * -+ * Revision 1.23 2003/05/11 00:43:48 mcr -+ * added comment about origin of values used ++ * Revision 1.11 2001/09/20 15:33:00 rgb ++ * Min/max cleanup. + * -+ * Revision 1.22 2003/01/30 02:31:34 rgb ++ * Revision 1.10 1999/11/18 04:09:20 rgb ++ * Replaced all kernel version macros to shorter, readable form. + * -+ * Convert IPsecSAref_t from signed to unsigned to fix apparent SAref exhaustion bug. ++ * Revision 1.9 1999/05/05 22:02:33 rgb ++ * Add a quick and dirty port to 2.2 kernels by Marc Boucher . + * -+ * Revision 1.21 2002/12/16 19:26:49 mcr -+ * added definition of FS 1.xx sadb structure ++ * Revision 1.8 1999/04/29 15:24:58 rgb ++ * Add check for existence of macros min/max. + * -+ * Revision 1.20 2002/09/20 15:40:25 rgb -+ * Added sadb_x_sa_ref to struct sadb_sa. ++ * Revision 1.7 1999/04/11 00:29:02 henry ++ * GPL boilerplate + * -+ * Revision 1.19 2002/04/24 07:36:49 mcr -+ * Moved from ./lib/pfkeyv2.h,v ++ * Revision 1.6 1999/04/06 04:54:29 rgb ++ * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes ++ * patch shell fixes. + * -+ * Revision 1.18 2001/11/06 19:47:47 rgb -+ * Added packet parameter to lifetime and comb structures. ++ * Revision 1.5 1999/01/22 06:30:32 rgb ++ * 64-bit clean-up. + * -+ * Revision 1.17 2001/09/08 21:13:35 rgb -+ * Added pfkey ident extension support for ISAKMPd. (NetCelo) ++ * Revision 1.4 1998/11/30 13:22:55 rgb ++ * Rationalised all the klips kernel file headers. They are much shorter ++ * now and won't conflict under RH5.2. + * -+ * Revision 1.16 2001/07/06 19:49:46 rgb -+ * Added SADB_X_SAFLAGS_INFLOW for supporting incoming policy checks. 
++ * Revision 1.3 1998/10/25 02:43:27 rgb ++ * Change return type on rj_addroute and rj_delete and add and argument ++ * to the latter to be able to transmit more infomation about errors. + * -+ * Revision 1.15 2001/02/26 20:00:43 rgb -+ * Added internal IP protocol 61 for magic SAs. ++ * Revision 1.2 1998/07/14 18:09:51 rgb ++ * Add a routine to clear eroute table. ++ * Added #ifdef __KERNEL__ directives to restrict scope of header. + * -+ * Revision 1.14 2001/02/08 18:51:05 rgb -+ * Include RFC document title and appendix subsection title. ++ * Revision 1.1 1998/06/18 21:30:22 henry ++ * move sources from klips/src to klips/net/ipsec to keep stupid kernel ++ * build scripts happier about symlinks + * -+ * Revision 1.13 2000/10/10 20:10:20 rgb -+ * Added support for debug_ipcomp and debug_verbose to klipsdebug. ++ * Revision 1.4 1998/05/25 20:34:16 rgb ++ * Remove temporary ipsec_walk, rj_deltree and rj_delnodes functions. + * -+ * Revision 1.12 2000/09/15 06:41:50 rgb -+ * Added V42BIS constant. ++ * Rename ipsec_rj_walker (ipsec_walk) to ipsec_rj_walker_procprint and ++ * add ipsec_rj_walker_delete. + * -+ * Revision 1.11 2000/09/12 22:35:37 rgb -+ * Restructured to remove unused extensions from CLEARFLOW messages. ++ * Recover memory for eroute table on unload of module. + * -+ * Revision 1.10 2000/09/12 18:50:09 rgb -+ * Added IPIP tunnel types as algo support. ++ * Revision 1.3 1998/04/22 16:51:37 rgb ++ * Tidy up radij debug code from recent rash of modifications to debug code. + * -+ * Revision 1.9 2000/08/21 16:47:19 rgb -+ * Added SADB_X_CALG_* macros for IPCOMP. ++ * Revision 1.2 1998/04/14 17:30:38 rgb ++ * Fix up compiling errors for radij tree memory reclamation. + * -+ * Revision 1.8 2000/08/09 20:43:34 rgb -+ * Fixed bitmask value for SADB_X_SAFLAGS_CLEAREROUTE. ++ * Revision 1.1 1998/04/09 03:06:16 henry ++ * sources moved up from linux/net/ipsec + * -+ * Revision 1.7 2000/01/21 06:28:37 rgb -+ * Added flow add/delete message type macros. 
-+ * Added flow address extension type macros. -+ * Tidied up spacing. -+ * Added klipsdebug switching capability. ++ * Revision 1.1.1.1 1998/04/08 05:35:04 henry ++ * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8 + * -+ * Revision 1.6 1999/11/27 11:56:08 rgb -+ * Add SADB_X_SATYPE_COMP for compression, eventually. ++ * Revision 0.4 1997/01/15 01:28:15 ji ++ * No changes. + * -+ * Revision 1.5 1999/11/23 22:23:16 rgb -+ * This file has been moved in the distribution from klips/net/ipsec to -+ * lib. ++ * Revision 0.3 1996/11/20 14:44:45 ji ++ * Release update only. + * -+ * Revision 1.4 1999/04/29 15:23:29 rgb -+ * Add GRPSA support. -+ * Add support for a second SATYPE, SA and DST_ADDRESS. -+ * Add IPPROTO_IPIP support. ++ * Revision 0.2 1996/11/02 00:18:33 ji ++ * First limited release. + * -+ * Revision 1.3 1999/04/15 17:58:08 rgb -+ * Add RCSID labels. + * + */ --- /dev/null Tue Mar 11 13:02:56 2003 
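Review bot: `R_Malloc` dereferences a failed allocation: `((p = (t) kmalloc((size_t)(n), GFP_ATOMIC)), Bzero((p),(n)))` runs `memset` on `p` unconditionally, and GFP_ATOMIC allocations do fail under memory pressure, so `MKGet` and every other caller turns an allocation failure into a kernel NULL dereference instead of an error return. Leave the zeroing conditional and the NULL check to the caller, e.g. `#define R_Malloc(p, t, n) ((p) = (t) kmalloc((size_t)(n), GFP_ATOMIC), ((p) != NULL ? (Bzero((p),(n)), 1) : 0))`, or use `kzalloc` where the target kernel provides it, with callers testing `p`. Two smaller points in the same header: `#define Free(p) kfree((caddr_t)p);` carries a trailing semicolon that breaks `if (...) Free(p); else ...`, and the page lost text between `(1<` and `rm_mklist;` (the `SADB_X_EXT_ADDRESS_DELFLOW` mask and the head of radij.h), so that part of the hunk could not be reviewed.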
@@ -9692,181 +9471,6 @@ packaging/utils/kernelpatch 2.6 +#define TRY_FREE(s, p) {if (p) ZFREE(s, p);} + +#endif /* _Z_UTIL_H */ ---- /dev/null Tue Mar 11 13:02:56 2003 -+++ linux/lib/libfreeswan/Makefile.objs Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,21 @@ -+obj-y += satot.o -+obj-y += addrtot.o -+obj-y += ultot.o -+obj-y += addrtypeof.o -+obj-y += anyaddr.o -+obj-y += initaddr.o -+obj-y += ultoa.o -+obj-y += addrtoa.o -+obj-y += subnettoa.o -+obj-y += subnetof.o -+obj-y += goodmask.o -+obj-y += datatot.o -+obj-y += rangetoa.o -+obj-y += prng.o -+obj-y += pfkey_v2_parse.o -+obj-y += pfkey_v2_build.o -+obj-y += pfkey_v2_debug.o -+obj-y += pfkey_v2_ext_bits.o -+ -+#version.c: ${LIBFREESWANDIR}/version.in.c ${OPENSWANSRCDIR}/Makefile.ver -+# sed '/"/s/xxx/$(IPSECVERSION)/' ${LIBFREESWANDIR}/version.in.c >$@ ---- /dev/null Tue Mar 11 13:02:56 2003 -+++ linux/lib/zlib/Makefile Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,118 @@ -+# (kernel) Makefile for IPCOMP zlib deflate code -+# Copyright (C) 1998, 1999, 2000, 2001 Richard Guy Briggs. -+# Copyright (C) 2000 Svenning Soerensen -+# -+# This program is free software; you can redistribute it and/or modify it -+# under the terms of the GNU General Public License as published by the -+# Free Software Foundation; either version 2 of the License, or (at your -+# option) any later version. See . -+# -+# This program is distributed in the hope that it will be useful, but -+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+# for more details. 
-+# -+# RCSID $Id: Makefile,v 1.9 2002/04/24 07:55:32 mcr Exp $ -+# -+ -+ -+ -+include ../Makefile.inc -+ -+ -+ -+ifndef TOPDIR -+TOPDIR := /usr/src/linux -+endif -+ -+ -+L_TARGET := zlib.a -+ -+obj-y := -+ -+include Makefile.objs -+ -+EXTRA_CFLAGS += $(KLIPSCOMPILE) -+ -+EXTRA_CFLAGS += -Wall -+#EXTRA_CFLAGS += -Wconversion -+#EXTRA_CFLAGS += -Wmissing-prototypes -+EXTRA_CFLAGS += -Wpointer-arith -+#EXTRA_CFLAGS += -Wcast-qual -+#EXTRA_CFLAGS += -Wmissing-declarations -+EXTRA_CFLAGS += -Wstrict-prototypes -+#EXTRA_CFLAGS += -pedantic -+#EXTRA_CFLAGS += -W -+#EXTRA_CFLAGS += -Wwrite-strings -+EXTRA_CFLAGS += -Wbad-function-cast -+EXTRA_CFLAGS += -DIPCOMP_PREFIX -+ -+.S.o: -+ $(CC) -D__ASSEMBLY__ -DNO_UNDERLINE -traditional -c $< -o $*.o -+ -+asm-obj-$(CONFIG_M586) += match586.o -+asm-obj-$(CONFIG_M586TSC) += match586.o -+asm-obj-$(CONFIG_M586MMX) += match586.o -+asm-obj-$(CONFIG_M686) += match686.o -+asm-obj-$(CONFIG_MPENTIUMIII) += match686.o -+asm-obj-$(CONFIG_MPENTIUM4) += match686.o -+asm-obj-$(CONFIG_MK6) += match586.o -+asm-obj-$(CONFIG_MK7) += match686.o -+asm-obj-$(CONFIG_MCRUSOE) += match586.o -+asm-obj-$(CONFIG_MWINCHIPC6) += match586.o -+asm-obj-$(CONFIG_MWINCHIP2) += match686.o -+asm-obj-$(CONFIG_MWINCHIP3D) += match686.o -+ -+obj-y += $(asm-obj-y) -+ifneq ($(strip $(asm-obj-y)),) -+ EXTRA_CFLAGS += -DASMV -+endif -+ -+active-objs := $(sort $(obj-y) $(obj-m)) -+L_OBJS := $(obj-y) -+M_OBJS := $(obj-m) -+MIX_OBJS := $(filter $(export-objs), $(active-objs)) -+ -+include $(TOPDIR)/Rules.make -+ -+$(obj-y) : $(TOPDIR)/include/linux/config.h $(TOPDIR)/include/linux/autoconf.h -+ -+ -+clean: -+ -rm -f *.o *.a -+ -+checkprograms: -+programs: $(L_TARGET) -+ -+# -+# $Log: Makefile,v $ -+# Revision 1.9 2002/04/24 07:55:32 mcr -+# #include patches and Makefiles for post-reorg compilation. 
-+# -+# Revision 1.8 2002/04/24 07:36:44 mcr -+# Moved from ./zlib/Makefile,v -+# -+# Revision 1.7 2002/03/27 23:34:35 mcr -+# added programs: target -+# -+# Revision 1.6 2001/12/05 20:19:08 henry -+# use new compile-control variable -+# -+# Revision 1.5 2001/11/27 16:38:08 mcr -+# added new "checkprograms" target to deal with programs that -+# are required for "make check", but that may not be ready to -+# build for every user due to external dependancies. -+# -+# Revision 1.4 2001/10/24 14:46:24 henry -+# Makefile.inc -+# -+# Revision 1.3 2001/04/21 23:05:24 rgb -+# Update asm directives for 2.4 style makefiles. -+# -+# Revision 1.2 2001/01/29 22:22:00 rgb -+# Convert to 2.4 new style with back compat. -+# -+# Revision 1.1.1.1 2000/09/29 18:51:33 rgb -+# zlib_beginnings -+# -+# ---- /dev/null Tue Mar 11 13:02:56 2003 -+++ linux/lib/zlib/Makefile.objs Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,27 @@ -+obj-$(CONFIG_IPSEC_IPCOMP) += adler32.o -+obj-$(CONFIG_IPSEC_IPCOMP) += deflate.o -+obj-$(CONFIG_IPSEC_IPCOMP) += infblock.o -+obj-$(CONFIG_IPSEC_IPCOMP) += infcodes.o -+obj-$(CONFIG_IPSEC_IPCOMP) += inffast.o -+obj-$(CONFIG_IPSEC_IPCOMP) += inflate.o -+obj-$(CONFIG_IPSEC_IPCOMP) += inftrees.o -+obj-$(CONFIG_IPSEC_IPCOMP) += infutil.o -+obj-$(CONFIG_IPSEC_IPCOMP) += trees.o -+obj-$(CONFIG_IPSEC_IPCOMP) += zutil.o -+ -+asm-obj-$(CONFIG_M586) += ${LIBZLIBSRCDIR}/match586.o -+asm-obj-$(CONFIG_M586TSC) += ${LIBZLIBSRCDIR}/match586.o -+asm-obj-$(CONFIG_M586MMX) += ${LIBZLIBSRCDIR}/match586.o -+asm-obj-$(CONFIG_M686) += ${LIBZLIBSRCDIR}/match686.o -+asm-obj-$(CONFIG_MPENTIUMIII) += ${LIBZLIBSRCDIR}/match686.o -+asm-obj-$(CONFIG_MPENTIUM4) += ${LIBZLIBSRCDIR}/match686.o -+asm-obj-$(CONFIG_MK6) += ${LIBZLIBSRCDIR}/match586.o -+asm-obj-$(CONFIG_MK7) += ${LIBZLIBSRCDIR}/match686.o -+asm-obj-$(CONFIG_MCRUSOE) += ${LIBZLIBSRCDIR}/match586.o -+asm-obj-$(CONFIG_MWINCHIPC6) += ${LIBZLIBSRCDIR}/match586.o -+asm-obj-$(CONFIG_MWINCHIP2) += ${LIBZLIBSRCDIR}/match686.o 
-+asm-obj-$(CONFIG_MWINCHIP3D) += ${LIBZLIBSRCDIR}/match686.o -+ -+EXTRA_CFLAGS += -DIPCOMP_PREFIX -+ -+ --- swan26/net/Kconfig.preipsec 2005-09-01 18:15:19.000000000 -0400 +++ swan26/net/Kconfig 2005-09-03 16:51:17.000000000 -0400 @@ -215,2 +215,6 @@ @@ -9887,7 +9491,7 @@ packaging/utils/kernelpatch 2.6 + --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/net/ipsec/Kconfig Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,161 @@ +@@ -0,0 +1,150 @@ +# +# IPSEC configuration +# Copyright (C) 2004 Michael Richardson @@ -9902,7 +9506,7 @@ packaging/utils/kernelpatch 2.6 +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# -+# RCSID $Id: Kconfig,v 1.6.2.2 2006/10/11 18:14:33 paul Exp $ ++# RCSID $Id: Kconfig,v 1.6.2.1 2006/04/20 16:33:06 mcr Exp $ + +config KLIPS + tristate "Openswan IPsec (KLIPS26)" @@ -9982,13 +9586,6 @@ packaging/utils/kernelpatch 2.6 + AES the NIST replacement for DES. AES is being widely analyzed, + and is very fast. + -+config KLIPS_ENC_NULL -+ bool 'NULL NON-encryption algorithm' -+ default n -+ help -+ NON encryption algo , maybe useful for ESP auth only scenarios -+ (eg: with NAT-T), see RFC 2410. -+ +config KLIPS_IPCOMP + bool 'IP compression' + default y @@ -10011,10 +9608,6 @@ packaging/utils/kernelpatch 2.6 +# +# +# $Log: Kconfig,v $ -+# Revision 1.6.2.2 2006/10/11 18:14:33 paul -+# Add JuanJo Ciarlante's ESP_NULL patches for KLIPS, but leave it disabled -+# per default. -+# +# Revision 1.6.2.1 2006/04/20 16:33:06 mcr +# remove all of CONFIG_KLIPS_ALG --- one can no longer build without it. +# Fix in-kernel module compilation. Sub-makefiles do not work. @@ -10051,7 +9644,7 @@ packaging/utils/kernelpatch 2.6 + --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/net/ipsec/Makefile Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,195 @@ +@@ -0,0 +1,189 @@ +# Makefile for KLIPS kernel code as a module for 2.6 kernels +# +# Makefile for KLIPS kernel code as a module 
@@ -10068,7 +9661,7 @@ packaging/utils/kernelpatch 2.6 +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# -+# RCSID $Id: Makefile.fs2_6,v 1.8.2.2 2006/10/11 18:14:33 paul Exp $ ++# RCSID $Id: Makefile.fs2_6,v 1.8.2.1 2006/04/20 16:33:06 mcr Exp $ +# +# Note! Dependencies are done automagically by 'make dep', which also +# removes any old dependencies. DON'T put your own dependencies here @@ -10160,8 +9753,6 @@ packaging/utils/kernelpatch 2.6 +crypto-$(CONFIG_KLIPS_ENC_AES) += aes/aes.o +endif + -+crypto-$(CONFIG_KLIPS_ENC_NULL) += null/ipsec_alg_null.o -+ +ipsec-y += ${crypto-y} + +ipsec-$(CONFIG_KLIPS_ENC_CRYPTOAPI) += ipsec_alg_cryptoapi.o @@ -10194,14 +9785,10 @@ packaging/utils/kernelpatch 2.6 + +ipsec-$(CONFIG_KLIPS_IPCOMP) += ${base-ipcomp-objs} + -+EXTRA_CFLAGS += -DIPCOMP_PREFIX ++EXTRA_CFLAGS += -DIPCOMP_PREFIX -DKLIPS + +# +# $Log: Makefile.fs2_6,v $ -+# Revision 1.8.2.2 2006/10/11 18:14:33 paul -+# Add JuanJo Ciarlante's ESP_NULL patches for KLIPS, but leave it disabled -+# per default. -+# +# Revision 1.8.2.1 2006/04/20 16:33:06 mcr +# remove all of CONFIG_KLIPS_ALG --- one can no longer build without it. +# Fix in-kernel module compilation. Sub-makefiles do not work. @@ -10485,7 +10072,7 @@ packaging/utils/kernelpatch 2.6 +} --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/net/ipsec/addrtot.c Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,423 @@ +@@ -0,0 +1,387 @@ +/* + * addresses to text + * Copyright (C) 2000 Henry Spencer. @@ -10500,7 +10087,7 @@ packaging/utils/kernelpatch 2.6 + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public + * License for more details. + * -+ * RCSID $Id: addrtot.c,v 1.22.2.1 2005/11/17 22:30:49 paul Exp $ ++ * RCSID $Id: addrtot.c,v 1.24 2005/11/11 06:59:40 mcr Exp $ + */ + +#if defined(__KERNEL__) && defined(__HAVE_ARCH_STRSTR) 
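Review bot: `-DKLIPS` is added to `EXTRA_CFLAGS` without a note on what it gates, and this Makefile's `$Id` steps backwards (`1.8.2.2` to `1.8.2.1`), as does the Kconfig one in hunk `@@ -9902,7 +9506,7 @@`; together with the removal of `crypto-$(CONFIG_KLIPS_ENC_NULL)` (hunk `@@ -10160,8 +9753,6 @@`) and of the `KLIPS_ENC_NULL` option (hunk `@@ -9982,13 +9586,6 @@`), the openswan-2.5.13 kernelpatch appears to be built from an older branch snapshot than the 2.4.8rc1 one for these files. It is worth confirming that no existing tunnel configuration relies on ESP-NULL (auth-only ESP, RFC 2410, typically used with NAT-T) before this ships, and recording the outcome in the commit message. A comment on the flag, along the lines of `# -DKLIPS: <what the shared libopenswan sources change when built for the kernel>`, would also help, since this diff does not show what the define selects.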
@@ -10525,9 +10112,7 @@ packaging/utils/kernelpatch 2.6 + * Find the first occurrence of find in s. + * (from NetBSD 1.6's /src/lib/libc/string/strstr.c) + */ -+static char * -+strstr(s, find) -+ const char *s, *find; ++static char *ipsec_strstr(const char *s, const char *find) +{ + char c, sc; + size_t len; @@ -10742,6 +10327,7 @@ packaging/utils/kernelpatch 2.6 +#ifdef ADDRTOT_MAIN + +#include ++#include +#include +#include +#include @@ -10827,6 +10413,13 @@ packaging/utils/kernelpatch 2.6 + +/* + * $Log: addrtot.c,v $ ++ * Revision 1.24 2005/11/11 06:59:40 mcr ++ * try this code to avoid static/extern conflict with newer ++ * kernels. ++ * ++ * Revision 1.23 2005/11/11 03:09:53 paul ++ * Fix by Toby for newer kernels that have strstr() ++ * + * Revision 1.22.2.1 2005/11/17 22:30:49 paul + * pull up strstr fix from head. + * 
@@ -10865,48 +10458,6 @@ packaging/utils/kernelpatch 2.6 + * if the address type is invalid, then return length of + * string! + * -+ * Revision 1.12 2003/12/30 06:42:48 mcr -+ * added $Log: addrtot.c,v $ -+ * added Revision 1.22.2.1 2005/11/17 22:30:49 paul -+ * added pull up strstr fix from head. -+ * added -+ * added Revision 1.22 2005/05/20 16:47:40 mcr -+ * added make strstr static if we need it. -+ * added -+ * added Revision 1.21 2005/03/21 00:35:12 mcr -+ * added test for strstr properly -+ * added -+ * added Revision 1.20 2004/11/09 22:52:20 mcr -+ * added until we figure out which kernels have strsep and which -+ * added do not (UML does not under certain circumstances), then -+ * added let's just provide our own. -+ * added -+ * added Revision 1.19 2004/10/08 16:30:33 mcr -+ * added pull-up of initial crypto-offload work. -+ * added -+ * added Revision 1.18 2004/09/18 19:33:08 mcr -+ * added use an appropriate kernel happy ifdef for strstr. -+ * added -+ * added Revision 1.17 2004/09/15 21:49:02 mcr -+ * added use local copy of strstr() if this is going in the kernel. -+ * added Not clear why this worked before, or why this shows up -+ * added for modules only. -+ * added -+ * added Revision 1.16 2004/07/10 07:43:47 mcr -+ * added Moved from linux/lib/libfreeswan/addrtot.c,v -+ * added -+ * added Revision 1.15 2004/04/11 17:39:25 mcr -+ * added removed internal.h requirements. -+ * added -+ * added Revision 1.14 2004/03/08 01:59:08 ken -+ * added freeswan.h -> openswan.h -+ * added -+ * added Revision 1.13 2004/01/05 23:21:05 mcr -+ * added if the address type is invalid, then return length of -+ * added string! -+ * added -+ * -+ * + */ + --- /dev/null Tue Mar 11 13:02:56 2003 @@ -11059,7 +10610,7 @@ packaging/utils/kernelpatch 2.6 +} 
--- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/net/ipsec/aes/Makefile Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,59 @@ +@@ -0,0 +1,56 @@ +# Makefile for KLIPS 3DES kernel code as a module for 2.6 kernels +# +# Makefile for KLIPS kernel code as a module @@ -11075,7 +10626,7 @@ packaging/utils/kernelpatch 2.6 +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# -+# RCSID $Id: Makefile.fs2_6,v 1.1.10.1 2005/08/12 16:10:05 ken Exp $ ++# RCSID $Id: Makefile.fs2_6,v 1.2 2005/08/12 14:13:58 mcr Exp $ +# +# Note! Dependencies are done automagically by 'make dep', which also +# removes any old dependencies. DON'T put your own dependencies here @@ -11103,9 +10654,6 @@ packaging/utils/kernelpatch 2.6 + +# +# $Log: Makefile.fs2_6,v $ -+# Revision 1.1.10.1 2005/08/12 16:10:05 ken -+# do not use assembly code with there are no frame pointers -+# +# Revision 1.2 2005/08/12 14:13:58 mcr +# do not use assembly code with there are no frame pointers, +# as it does not have the right linkages. @@ -13487,11 +13035,11 @@ packaging/utils/kernelpatch 2.6 +#ifdef __KERNEL__ +#include +#include -+#define DEBUG(x) ++#define AES_DEBUG(x) +#else +#include +#include -+#define DEBUG(x) x ++#define AES_DEBUG(x) x +#endif + +#include "crypto/aes.h" @@ -13518,7 +13066,7 @@ packaging/utils/kernelpatch 2.6 + if (pos <= len) + *out ^= *in; + if (pos > len) { -+ DEBUG(printf("put 0x80 at pos=%d\n", pos)); ++ AES_DEBUG(printf("put 0x80 at pos=%d\n", pos)); + *out ^= 0x80; + break; + } @@ -13540,12 +13088,12 @@ packaging/utils/kernelpatch 2.6 + } + do_pad_xor((u_int8_t *)&out, in, ilen); + if (ilen==16) { -+ DEBUG(printf("using k3\n")); ++ AES_DEBUG(printf("using k3\n")); + xor_block(out, ctxm->k3); + } + else + { -+ DEBUG(printf("using k2\n")); ++ AES_DEBUG(printf("using k2\n")); + xor_block(out, ctxm->k2); + } + aes_encrypt(&ctxm->ctx_k1, (u_int8_t *)out, hash); @@ -13553,7 +13101,7 @@ packaging/utils/kernelpatch 2.6 +} 
--- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/net/ipsec/aes/ipsec_alg_aes.c Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,296 @@ +@@ -0,0 +1,299 @@ +/* + * ipsec_alg AES cipher stubs + * @@ -13618,11 +13166,11 @@ packaging/utils/kernelpatch 2.6 +#if defined(CONFIG_KLIPS_ENC_AES_MODULE) +MODULE_AUTHOR("JuanJo Ciarlante "); +#ifdef module_param -+module_param(debug_aes,int,0600) -+module_param(test_aes,int,0600) -+module_param(excl_aes,int,0600) -+module_param(keyminbits,int,0600) -+module_param(keymaxbits,int,0600) ++module_param(debug_aes,int,0664); ++module_param(test_aes,int,0664); ++module_param(excl_aes,int,0664); ++module_param(keyminbits,int,0664); ++module_param(keymaxbits,int,0664); +#else +MODULE_PARM(debug_aes, "i"); +MODULE_PARM(test_aes, "i"); @@ -13645,10 +13193,12 @@ packaging/utils/kernelpatch 2.6 +#else +static int auth_id=9; +#endif -+#ifdef module_param -+module_param(auth_id, int, 0600); -+#else ++#if 0 ++#ifdef MODULE_PARM +MODULE_PARM(auth_id, "i"); ++#else ++module_param(auth_id,int,0664); ++#endif +#endif +#endif + @@ -13731,6 +13281,7 @@ packaging/utils/kernelpatch 2.6 + ixt_blocksize: ESP_AES_CBC_BLK_LEN, + ixt_support: { + ias_exttype: IPSEC_ALG_TYPE_ENCRYPT, ++ //ias_ivlen: 128, + ias_id: ESP_AES, + ias_keyminbits: ESP_AES_KEY_SZ_MIN*8, + ias_keymaxbits: ESP_AES_KEY_SZ_MAX*8, @@ -13872,121 +13423,6 @@ packaging/utils/kernelpatch 2.6 +source net/ipsec/alg/Config.alg_aes.in +source net/ipsec/alg/Config.alg_cryptoapi.in 
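Review bot: Widening the parameter mode from 0600 to 0664 on `module_param(debug_aes,int,0664);` through `module_param(keymaxbits,int,0664);` makes these sysfs parameters world-readable and group-writable; `keyminbits`/`keymaxbits` bound the key sizes the AES module accepts, so a mode such as `0644` (or the previous 0600) keeps runtime changes to the owner. The same widening appears in the alg parameters hunk (`module_param(debug, int, 0664);` and friends), the 3DES hunk and the cryptoapi hunk further down. The `#if 0` placed around the `auth_id` parameter in the next hunk also leaves dead code that reads as if the parameter were still settable; either drop it or state why it is disabled, e.g. `/* auth_id is not configurable at load time in this build */`.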
--- /dev/null Tue Mar 11 13:02:56 2003 -+++ linux/net/ipsec/alg/Makefile Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,112 @@ -+# Makefile,v 1.1.2.1 2003/11/21 18:12:23 jjo Exp -+ifeq ($(strip $(KLIPSMODULE)),) -+FREESWANSRCDIR=. -+else -+FREESWANSRCDIR=../../../.. -+endif -+ifeq ($(strip $(KLIPS_TOP)),) -+KLIPS_TOP=../../.. -+override EXTRA_CFLAGS += -I$(KLIPS_TOP)/include -+endif -+ -+ifeq ($(CONFIG_IPSEC_DEBUG),y) -+override EXTRA_CFLAGS += -g -+endif -+ -+# LIBCRYPTO normally comes as an argument from "parent" Makefile -+# (this applies both to FS' "make module" and eg. Linux' "make modules" -+# But make dep doest follow same evaluations, so we need this default: -+LIBCRYPTO=$(TOPDIR)/lib/libcrypto -+ -+override EXTRA_CFLAGS += -I$(LIBCRYPTO)/include -+override EXTRA_CFLAGS += -Wall -Wpointer-arith -Wstrict-prototypes -+ -+MOD_LIST_NAME := NET_MISC_MODULES -+ -+#O_TARGET := static_init.o -+ -+subdir- := -+subdir-n := -+subdir-y := -+subdir-m := -+ -+obj-y := static_init.o -+ -+ARCH_ASM-y := -+ARCH_ASM-$(CONFIG_M586) := i586 -+ARCH_ASM-$(CONFIG_M586TSC) := i586 -+ARCH_ASM-$(CONFIG_M586MMX) := i586 -+ARCH_ASM-$(CONFIG_MK6) := i586 -+ARCH_ASM-$(CONFIG_M686) := i686 -+ARCH_ASM-$(CONFIG_MPENTIUMIII) := i686 -+ARCH_ASM-$(CONFIG_MPENTIUM4) := i686 -+ARCH_ASM-$(CONFIG_MK7) := i686 -+ARCH_ASM-$(CONFIG_MCRUSOE) := i586 -+ARCH_ASM-$(CONFIG_MWINCHIPC6) := i586 -+ARCH_ASM-$(CONFIG_MWINCHIP2) := i586 -+ARCH_ASM-$(CONFIG_MWINCHIP3D) := i586 -+ARCH_ASM-$(CONFIG_USERMODE) := i586 -+ -+ARCH_ASM :=$(ARCH_ASM-y) -+ifdef NO_ASM -+ARCH_ASM := -+endif -+ -+# The algorithm makefiles may put dependences, short-circuit them -+null: -+ -+makefiles=$(filter-out %.preipsec, $(wildcard Makefile.alg_*)) -+ifneq ($(makefiles),) -+#include Makefile.alg_aes -+#include Makefile.alg_aes-opt -+include $(makefiles) -+endif -+ -+# These rules translate from new to old makefile rules -+# Translate to Rules.make lists. 
-+multi-used := $(filter $(list-multi), $(obj-y) $(obj-m)) -+multi-objs := $(foreach m, $(multi-used), $($(basename $(m))-objs)) -+active-objs := $(sort $(multi-objs) $(obj-y) $(obj-m)) -+O_OBJS := $(obj-y) -+M_OBJS := $(obj-m) -+MIX_OBJS := $(filter $(export-objs), $(active-objs)) -+#OX_OBJS := $(export-objs) -+SUB_DIRS := $(subdir-y) -+ALL_SUB_DIRS := $(subdir-y) $(subdir-m) -+MOD_SUB_DIRS := $(subdir-m) -+ -+ -+static_init_mod.o: $(obj-y) -+ rm -f $@ -+ $(LD) $(LD_EXTRAFLAGS) $(obj-y) -r -o $@ -+ -+perlasm: ../../../crypto/ciphers/des/asm/perlasm -+ ln -sf $? $@ -+ -+$(obj-y) $(obj-m): $(TOPDIR)/include/linux/config.h $(TOPDIR)/include/linux/autoconf.h $(KLIPS_TOP)/include/freeswan/ipsec_alg.h -+$(alg_obj-y) $(alg_obj-m): perlasm $(TOPDIR)/include/linux/config.h $(TOPDIR)/include/linux/autoconf.h $(KLIPS_TOP)/include/freeswan/ipsec_alg.h -+ -+ -+all_alg_modules: perlasm $(ALG_MODULES) -+ @echo "ALG_MODULES=$(ALG_MODULES)" -+ -+ -+# -+# Construct alg. init. function: call ipsec_ALGO_init() for every static algo -+# Needed when there are static algos (with static or modular ipsec.o) -+# -+static_init.c: $(TOPDIR)/include/linux/autoconf.h Makefile $(makefiles) scripts/mk-static_init.c.sh -+ @echo "Re-creating $@" -+ $(SHELL) scripts/mk-static_init.c.sh $(static_init-func-y) > $@ -+ -+clean: -+ @for i in $(ALG_SUBDIRS);do test -d $$i && make -C $$i clean;done;exit 0 -+ @find . -type l -exec rm -f {} \; -+ -rm -f perlasm -+ -rm -rf $(ALG_SUBDIRS) -+ -rm -f *.o static_init.c -+ -+ifdef TOPDIR -+include $(TOPDIR)/Rules.make -+endif -+ ---- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/net/ipsec/alg/Makefile.alg_aes Mon Feb 9 13:51:03 2004 @@ -0,0 +1,18 @@ +MOD_AES := ipsec_aes.o 
@@ -14132,7 +13568,23 @@ packaging/utils/kernelpatch 2.6 +static int debug=0; +static int test=0; +static int excl=0; ++#ifdef module_param ++module_param(debug, int, 0664); ++module_param(test, int, 0664); ++module_param(excl, int, 0664); ++#else ++MODULE_PARM(debug, "i"); ++MODULE_PARM(test, "i"); ++MODULE_PARM(excl, "i"); ++#endif ++ +static int noauto = 0; ++#ifdef module_param ++module_param(noauto,int, 0664); ++#else ++MODULE_PARM(noauto,"i"); ++#endif ++MODULE_PARM_DESC(noauto, "Dont try all known algos, just setup enabled ones"); + +static int des_ede3[] = {-1, -1}; +static int aes[] = {-1, -1}; @@ -14141,27 +13593,14 @@ packaging/utils/kernelpatch 2.6 +static int serpent[] = {-1, -1}; +static int twofish[] = {-1, -1}; + -+#ifdef module_param -+module_param(debug,int,0600); -+module_param(test,int,0600); -+module_param(ebug,int,0600); -+ -+module_param(noauto,int,0600); -+module_param(ebug,int,0600); -+ ++#ifdef module_param_array +module_param_array(des_ede3,int,NULL,0); -+module_param(aes,int,NULL,0); -+module_param(blowfish,int,NULL,0); -+module_param(cast,int,NULL,0); -+module_param(serpent,int,NULL,0); -+module_param(twofish,int,NULL,0); ++module_param_array(aes,int,NULL,0); ++module_param_array(blowfish,int,NULL,0); ++module_param_array(cast,int,NULL,0); ++module_param_array(serpent,int,NULL,0); ++module_param_array(twofish,int,NULL,0); +#else -+MODULE_PARM(debug, "i"); -+MODULE_PARM(test, "i"); -+MODULE_PARM(excl, "i"); -+ -+MODULE_PARM(noauto,"i"); -+ +MODULE_PARM(des_ede3,"1-2i"); +MODULE_PARM(aes,"1-2i"); +MODULE_PARM(blowfish,"1-2i"); 
@@ -14169,9 +13608,6 @@ packaging/utils/kernelpatch 2.6 +MODULE_PARM(serpent,"1-2i"); +MODULE_PARM(twofish,"1-2i"); +#endif -+ -+MODULE_PARM_DESC(noauto, "Dont try all known algos, just setup enabled ones"); -+ +MODULE_PARM_DESC(des_ede3, "0: disable | 1: force_enable | min,max: dontuse"); +MODULE_PARM_DESC(aes, "0: disable | 1: force_enable | min,max: keybitlens"); +MODULE_PARM_DESC(blowfish, "0: disable | 1: force_enable | min,max: keybitlens"); @@ -14492,7 +13928,7 @@ packaging/utils/kernelpatch 2.6 +EOF --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/net/ipsec/anyaddr.c Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,148 @@ +@@ -0,0 +1,150 @@ +/* + * special addresses + * Copyright (C) 2000 Henry Spencer. @@ -14507,7 +13943,7 @@ packaging/utils/kernelpatch 2.6 + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public + * License for more details. + * -+ * RCSID $Id: anyaddr.c,v 1.10.10.1 2006/11/24 05:55:46 paul Exp $ ++ * RCSID $Id: anyaddr.c,v 1.10 2004/07/10 07:43:47 mcr Exp $ + */ +#include "openswan.h" + @@ -14596,9 +14032,11 @@ packaging/utils/kernelpatch 2.6 + case AF_INET6: + cmp = memcmp(&src->u.v6.sin6_addr, &v6any, sizeof(v6any)); + break; ++ + case 0: + /* a zeroed structure is considered any address */ + return 1; ++ + default: + return 0; + break; @@ -14658,7 +14096,7 @@ packaging/utils/kernelpatch 2.6 + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public + * License for more details. + * -+ * RCSID $Id: datatot.c,v 1.7 2005/04/14 20:48:43 mcr Exp $ ++ * RCSID $Id: datatot.c,v 1.9 2005/08/30 21:15:26 mcr Exp $ + */ +#include "openswan.h" + @@ -14669,7 +14107,7 @@ packaging/utils/kernelpatch 2.6 + */ +size_t /* true length (with NUL) for success */ +datatot(src, srclen, format, dst, dstlen) -+const char *src; ++const unsigned char *src; +size_t srclen; +int format; /* character indicating what format */ +char *dst; /* need not be valid if dstlen is 0 */ 
@@ -14680,7 +14118,7 @@ packaging/utils/kernelpatch 2.6 + size_t breakevery; /* add a _ every this many (0 means don't) */ + size_t sincebreak; /* output bytes since last _ */ + char breakchar; /* character used to break between groups */ -+ char inblock[10]; /* enough for any format */ ++ unsigned char inblock[10]; /* enough for any format */ + char outblock[10]; /* enough for any format */ + char fake[1]; /* fake output area for dstlen == 0 */ + size_t needed; /* return value */ @@ -14769,7 +14207,7 @@ packaging/utils/kernelpatch 2.6 + nreal = inblocksize; + out = (outblocksize > stop - dst) ? outblock : dst; + -+ convert(src, nreal, format, out); ++ convert((const char *)src, nreal, format, out); + needed += outblocksize; + sincebreak += outblocksize; + if (dst < stop) { @@ -14855,7 +14293,7 @@ packaging/utils/kernelpatch 2.6 + */ +size_t /* true length (with NUL) for success */ +datatoa(src, srclen, format, dst, dstlen) -+const char *src; ++const unsigned char *src; +size_t srclen; +int format; /* character indicating what format */ +char *dst; /* need not be valid if dstlen is 0 */ @@ -14870,7 +14308,7 @@ packaging/utils/kernelpatch 2.6 + */ +size_t /* true length (with NUL) for success */ +bytestoa(src, srclen, format, dst, dstlen) -+const char *src; ++const unsigned char *src; +size_t srclen; +int format; /* character indicating what format */ +char *dst; /* need not be valid if dstlen is 0 */ @@ -14880,14 +14318,14 @@ packaging/utils/kernelpatch 2.6 +} --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/net/ipsec/defconfig Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,148 @@ +@@ -0,0 +1,147 @@ + +# -+# RCSID $Id: defconfig,v 1.28.2.1 2006/10/11 18:14:33 paul Exp $ ++# RCSID $Id: defconfig,v 1.30 2005/09/15 02:31:12 paul Exp $ +# + +# -+# FreeS/WAN IPSec implementation, KLIPS kernel config defaults ++# Openswan IPSec implementation, KLIPS kernel config defaults +# + +# 
@@ -14931,7 +14369,6 @@ packaging/utils/kernelpatch 2.6 +# Encryption algorithm(s): +CONFIG_KLIPS_ENC_3DES=y +CONFIG_KLIPS_ENC_AES=y -+# CONFIG_KLIPS_ENC_NULL=y + +# Use CryptoAPI for ALG? - by default, no. +CONFIG_KLIPS_ENC_CRYPTOAPI=n @@ -14942,15 +14379,15 @@ packaging/utils/kernelpatch 2.6 +# To enable userspace-switchable KLIPS debugging, say 'y'. +CONFIG_KLIPS_DEBUG=y + -+# NAT Traversal -+CONFIG_IPSEC_NAT_TRAVERSAL=y -+ +# +# +# $Log: defconfig,v $ -+# Revision 1.28.2.1 2006/10/11 18:14:33 paul -+# Add JuanJo Ciarlante's ESP_NULL patches for KLIPS, but leave it disabled -+# per default. ++# Revision 1.30 2005/09/15 02:31:12 paul ++# Changed a FreeS/WAN occurance to Openswan ++# ++# Revision 1.29 2005/08/24 22:10:05 mcr ++# do not list NAT_TRAVERSAL as a default for KLIPS, ++# let it live in the packaging "MODULE_DEF_CONFIG" files. +# +# Revision 1.28 2005/05/11 03:15:42 mcr +# adjusted makefiles to sanely build modules properly. @@ -16831,7 +16268,7 @@ packaging/utils/kernelpatch 2.6 +'x*0.9' the speed. --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/net/ipsec/des/Makefile Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,63 @@ +@@ -0,0 +1,60 @@ +# Makefile for KLIPS kernel code as a module for 2.6 kernels +# +# Makefile for KLIPS kernel code as a module @@ -16848,7 +16285,7 @@ packaging/utils/kernelpatch 2.6 +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# -+# RCSID $Id: Makefile.fs2_6,v 1.2.2.1 2005/08/12 16:10:57 ken Exp $ ++# RCSID $Id: Makefile.fs2_6,v 1.3 2005/08/12 14:13:59 mcr Exp $ +# +# Note! Dependencies are done automagically by 'make dep', which also +# removes any old dependencies. DON'T put your own dependencies here 
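Review bot: Dropping `CONFIG_IPSEC_NAT_TRAVERSAL=y` from the KLIPS defconfig means NAT-T is no longer enabled by default, and the changelog entry added in the same hunk says the setting now lives in the packaging MODULE_DEF_CONFIG files, which this patch does not carry. The ipsec_init.c hunks further down guard the ESP-UDP handler registration with `defined(CONFIG_IPSEC_NAT_TRAVERSAL)`, so if nothing else in the build defines the symbol, NAT-T support compiles out silently instead of failing. It would be worth confirming where the symbol is now set, or keeping the line here.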
@@ -16876,9 +16313,6 @@ packaging/utils/kernelpatch 2.6 + +# +# $Log: Makefile.fs2_6,v $ -+# Revision 1.2.2.1 2005/08/12 16:10:57 ken -+# do not use assembly code with there are no frame pointers -+# +# Revision 1.3 2005/08/12 14:13:59 mcr +# do not use assembly code with there are no frame pointers, +# as it does not have the right linkages. @@ -23170,7 +22604,7 @@ packaging/utils/kernelpatch 2.6 + --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/net/ipsec/des/ipsec_alg_3des.c Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,181 @@ +@@ -0,0 +1,182 @@ +/* + * ipsec_alg 3DES cipher stubs + * @@ -23226,9 +22660,9 @@ packaging/utils/kernelpatch 2.6 +#if defined(CONFIG_KLIPS_ENC_3DES_MODULE) +MODULE_AUTHOR("Michael Richardson "); +#ifdef module_param -+module_param(debug_3des,int,0600) -+module_param(test_des,int,0600) -+module_param(excl_des,int,0600) ++module_param(debug_3des, int, 0664); ++module_param(test_des, int, 0664); ++module_param(excl_des, int, 0664); +#else +MODULE_PARM(debug_3des, "i"); +MODULE_PARM(test_des, "i"); @@ -23295,6 +22729,7 @@ packaging/utils/kernelpatch 2.6 + ixt_support: { + ias_exttype: IPSEC_ALG_TYPE_ENCRYPT, + ias_id: ESP_3DES, ++ //ias_ivlen: 64, + ias_keyminbits: ESP_3DES_KEY_SZ*8, + ias_keymaxbits: ESP_3DES_KEY_SZ*8, + }, @@ -25945,9 +25380,11 @@ packaging/utils/kernelpatch 2.6 +} --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/net/ipsec/ipcomp.c Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,701 @@ +@@ -0,0 +1,704 @@ +/* + * IPCOMP zlib interface code. ++ * implementation of RFC 3173. ++ * + * Copyright (C) 2000 Svenning Soerensen + * Copyright (C) 2000, 2001 Richard Guy Briggs + * @@ -25962,7 +25399,7 @@ packaging/utils/kernelpatch 2.6 + * for more details. + */ + -+char ipcomp_c_version[] = "RCSID $Id: ipcomp.c,v 1.41.2.5 2006/10/06 21:39:26 paul Exp $"; ++char ipcomp_c_version[] = "RCSID $Id: ipcomp.c,v 1.41.2.3 2006/04/20 15:46:58 mcr Exp $"; + +/* SSS */ + 
@@ -25999,6 +25436,7 @@ packaging/utils/kernelpatch 2.6 + +#include + ++#include "openswan/ipsec_kern24.h" +#include "openswan/radij.h" +#include "openswan/ipsec_encap.h" +#include "openswan/ipsec_sa.h" @@ -26011,7 +25449,7 @@ packaging/utils/kernelpatch 2.6 +#include "zlib/zlib.h" +#include "zlib/zutil.h" + -+#include /* SADB_X_CALG_DEFLATE */ ++#include /* SADB_X_CALG_DEFLATE */ + +#ifdef CONFIG_KLIPS_DEBUG +int sysctl_ipsec_debug_ipcomp = 0; @@ -26631,7 +26069,7 @@ packaging/utils/kernelpatch 2.6 +#endif /* NETDEV_23 */ + n->ip_summed=0; +#ifdef HAVE_TSTAMP -+ n->tstamp = skb->tstamp; ++ n->tstamp = skb->tstamp; +#else + n->stamp=skb->stamp; +#endif @@ -26649,7 +26087,7 @@ packaging/utils/kernelpatch 2.6 +} --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/net/ipsec/ipsec_ah.c Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,407 @@ +@@ -0,0 +1,404 @@ +/* + * processing code for AH + * Copyright (C) 2003-2004 Michael Richardson @@ -26665,7 +26103,7 @@ packaging/utils/kernelpatch 2.6 + * for more details. + */ + -+char ipsec_ah_c_version[] = "RCSID $Id: ipsec_ah.c,v 1.12.2.2 2006/10/06 21:39:26 paul Exp $"; ++char ipsec_ah_c_version[] = "RCSID $Id: ipsec_ah.c,v 1.12.2.1 2006/02/15 05:35:14 paul Exp $"; +#ifndef AUTOCONF_INCLUDED +#include +#endif @@ -26979,6 +26417,7 @@ packaging/utils/kernelpatch 2.6 +}; + + ++#ifndef CONFIG_XFRM_ALTERNATE_STACK +#ifdef NET_26 +struct inet_protocol ah_protocol = { + .handler = ipsec_rcv, @@ -27000,14 +26439,10 @@ packaging/utils/kernelpatch 2.6 +#endif +}; +#endif /* NET_26 */ ++#endif /* CONFIG_XFRM_ALTERNATE_STACK */ + +/* + * $Log: ipsec_ah.c,v $ -+ * Revision 1.12.2.2 2006/10/06 21:39:26 paul -+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not -+ * set. This is defined through autoconf.h which is included through the -+ * linux kernel build macros. -+ * + * Revision 1.12.2.1 2006/02/15 05:35:14 paul + * Patch by David McCullough + * If you setup a tunnel without ESP it doesn't work. It used to work in 
@@ -27059,7 +26494,7 @@ packaging/utils/kernelpatch 2.6 + */ --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/net/ipsec/ipsec_alg.c Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,1057 @@ +@@ -0,0 +1,1044 @@ +/* + * Modular extensions service and registration functions + * @@ -27125,8 +26560,8 @@ packaging/utils/kernelpatch 2.6 +# include "openswan/ipcomp.h" +#endif /* CONFIG_KLIPS_COMP */ + -+#include -+#include ++#include ++#include + +#include "openswan/ipsec_alg.h" +#include "openswan/ipsec_proto.h" @@ -27331,11 +26766,9 @@ packaging/utils/kernelpatch 2.6 + "entering with encalg=%d, ixt_e=%p\n", + sa_p->ips_encalg, ixt_e); + if (ixt_e == NULL) { -+#ifdef CONFIG_KLIPS_DEBUG + KLIPS_ERROR(debug_flag, + "klips_debug:ipsec_alg_esp_encrypt: " + "NULL ipsec_alg_enc object\n"); -+#endif + return -1; + } + KLIPS_PRINT(debug_flag, @@ -27922,17 +27355,6 @@ packaging/utils/kernelpatch 2.6 + ipsec_3des_init(); + } +#endif -+#if defined(CONFIG_KLIPS_ENC_NULL) && CONFIG_KLIPS_ENC_NULL && !defined(CONFIG_KLIPS_ENC_NULL_MODULE) -+#if defined(CONFIG_KLIPS_ENC_CRYPTOAPI) && CONFIG_KLIPS_ENC_CRYPTOAPI -+#warning "Using built-in null cipher rather than CryptoAPI null cipher" -+#endif -+#warning "Building with null cipher (ESP_NULL), blame on you :-)" -+ { -+ extern int ipsec_null_init(void); -+ ipsec_null_init(); -+ } -+#endif -+ + + /* If we are doing CryptoAPI, then init */ +#if defined(CONFIG_KLIPS_ENC_CRYPTOAPI) && CONFIG_KLIPS_ENC_CRYPTOAPI && !defined(CONFIG_KLIPS_ENC_CRYPTOAPI_MODULE) @@ -28119,7 +27541,7 @@ packaging/utils/kernelpatch 2.6 +#endif --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/net/ipsec/ipsec_alg_cryptoapi.c Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,455 @@ +@@ -0,0 +1,450 @@ +/* + * ipsec_alg to linux cryptoapi GLUE + * 
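Review bot: Removing the `#ifdef CONFIG_KLIPS_DEBUG` guard around the `KLIPS_ERROR(debug_flag, ...)` call in ipsec_alg_esp_encrypt makes that call unconditional; if `KLIPS_ERROR` is only defined when CONFIG_KLIPS_DEBUG is set, a non-debug build breaks. The ipsec_esp.c hunks below remove the same guard around a `KLIPS_ERROR(debug_rcv, ...)` call, and the changelog entry dropped there cites exactly such a break ("Compile fixes for when CONFIG_KLIPS_DEBUG is not set", bug #642), so this looks like a regression against that fix. Either keep the guards or make sure `KLIPS_ERROR` has a no-debug definition; the enclosing function continues outside the hunk.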
@@ -28158,7 +27580,7 @@ packaging/utils/kernelpatch 2.6 + * special case: ipsec core modular with this static algo inside: + * must avoid MODULE magic for this file + */ -+#if defined(CONFIG_KLIPS_MODULE) && defined(CONFIG_KLIPS_ENC_CRYPTOAPI) ++#if CONFIG_KLIPS_MODULE && CONFIG_KLIPS_ENC_CRYPTOAPI +#undef MODULE +#endif + @@ -28222,22 +27644,18 @@ packaging/utils/kernelpatch 2.6 +static int debug_crypto=0; +static int test_crypto=0; +static int excl_crypto=0; -+ -+static int noauto = 0; -+ +#ifdef module_param -+module_param(debug_crypto,int,0600) -+module_param(test_crypto,int,0600) -+module_param(excl_crypto,int,0600) -+ -+module_param(noauto,int,0600) ++module_param(debug_crypto, int, 0664); ++module_param(test_crypto, int, 0664); ++module_param(excl_crypto, int, 0664); +#else +MODULE_PARM(debug_crypto, "i"); +MODULE_PARM(test_crypto, "i"); +MODULE_PARM(excl_crypto, "i"); ++#endif + ++static int noauto = 0; +MODULE_PARM(noauto,"i"); -+#endif +MODULE_PARM_DESC(noauto, "Dont try all known algos, just setup enabled ones"); + +#ifdef CONFIG_KLIPS_ENC_1DES 
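Review bot: `#if CONFIG_KLIPS_MODULE && CONFIG_KLIPS_ENC_CRYPTOAPI` relies on undefined macros evaluating to 0, which is silent under the default warning set but is rejected when either symbol is defined with an empty value and is flagged by -Wundef; the `#if defined(...) && defined(...)` form it replaces only tests presence, which is the safer spelling for Kconfig-style symbols. Keep the old line unless the numeric value is deliberately being tested, and if so say so in a comment, e.g. `/* both must be set to a non-zero value, not merely defined */`.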
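Review bot: The new `MODULE_PARM(noauto,"i");` is placed after the `#endif`, so it is compiled even when `module_param` is available, unlike `debug_crypto`/`test_crypto`/`excl_crypto` just above, which are declared under `#ifdef module_param`; on kernels that have dropped MODULE_PARM this line fails to build. Declare `noauto` the way the earlier alg hunk does for its own `noauto`, inside the same `#ifdef module_param` / `#else` / `#endif` block as the three parameters above, with `module_param(noauto, int, 0664);` on the first branch.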
@@ -28250,21 +27668,20 @@ packaging/utils/kernelpatch 2.6 +static int serpent[] = {-1, -1}; +static int twofish[] = {-1, -1}; + ++#ifdef module_param_array +#ifdef CONFIG_KLIPS_ENC_1DES -+#ifdef module_param -+module_param_array(des_ede1,int,NULL,0) ++module_param_array(des_ede1,int,NULL,0); ++#endif ++module_param_array(des_ede3,int,NULL,0); ++module_param_array(aes,int,NULL,0); ++module_param_array(blowfish,int,NULL,0); ++module_param_array(cast,int,NULL,0); ++module_param_array(serpent,int,NULL,0); ++module_param_array(twofish,int,NULL,0); +#else ++#ifdef CONFIG_KLIPS_ENC_1DES +MODULE_PARM(des_ede1,"1-2i"); +#endif -+#endif -+#ifdef module_param -+module_param_array(des_ede3,int,NULL,0) -+module_param_array(aes,int,NULL,0) -+module_param_array(blowfish,int,NULL,0) -+module_param_array(cast,int,NULL,0) -+module_param_array(serpent,int,NULL,0) -+module_param_array(twofish,int,NULL,0) -+#else +MODULE_PARM(des_ede3,"1-2i"); +MODULE_PARM(aes,"1-2i"); +MODULE_PARM(blowfish,"1-2i"); @@ -28577,7 +27994,7 @@ packaging/utils/kernelpatch 2.6 +#endif /* NO_CRYPTOAPI_SUPPORT */ --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/net/ipsec/ipsec_esp.c Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,607 @@ +@@ -0,0 +1,599 @@ +/* + * processing code for ESP + * Copyright (C) 2003 Michael Richardson @@ -28593,7 +28010,7 @@ packaging/utils/kernelpatch 2.6 + * for more details. + */ + -+char ipsec_esp_c_version[] = "RCSID $Id: ipsec_esp.c,v 1.13.2.6 2006/10/06 21:39:26 paul Exp $"; ++char ipsec_esp_c_version[] = "RCSID $Id: ipsec_esp.c,v 1.13.2.4 2006/05/06 03:07:38 ken Exp $"; +#ifndef AUTOCONF_INCLUDED +#include +#endif @@ -28818,7 +28235,6 @@ packaging/utils/kernelpatch 2.6 + if (ipsec_alg_esp_encrypt(ipsp, + idat, irs->ilen, espp->esp_iv, + IPSEC_ALG_DECRYPT) <= 0) { -+#ifdef CONFIG_KLIPS_DEBUG + KLIPS_ERROR(debug_rcv, "klips_error:ipsec_rcv: " + "got packet with esplen = %d " + "from %s -- should be on " 
@@ -28827,7 +28243,6 @@ packaging/utils/kernelpatch 2.6 + irs->ilen, + irs->ipsaddr_txt, + ipsp->ips_encalg); -+#endif + if(irs->stats) { + irs->stats->rx_errors++; + } @@ -29094,6 +28509,7 @@ packaging/utils/kernelpatch 2.6 + }, +}; + ++#ifndef CONFIG_XFRM_ALTERNATE_STACK +#ifdef NET_26 +struct inet_protocol esp_protocol = { + .handler = ipsec_rcv, @@ -29115,20 +28531,13 @@ packaging/utils/kernelpatch 2.6 +#endif +}; +#endif /* NET_26 */ ++#endif /* CONFIG_XFRM_ALTERNATE_STACK */ + +#endif /* !CONFIG_KLIPS_ESP */ + + +/* + * $Log: ipsec_esp.c,v $ -+ * Revision 1.13.2.6 2006/10/06 21:39:26 paul -+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not -+ * set. This is defined through autoconf.h which is included through the -+ * linux kernel build macros. -+ * -+ * Revision 1.13.2.5 2006/08/24 03:02:01 paul -+ * Compile fixes for when CONFIG_KLIPS_DEBUG is not set. (bug #642) -+ * + * Revision 1.13.2.4 2006/05/06 03:07:38 ken + * Pull in proper padsize->tailroom fix from #public + * Need to do correct math on padlen since padsize is not equal to tailroom @@ -29187,7 +28596,7 @@ packaging/utils/kernelpatch 2.6 + */ --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/net/ipsec/ipsec_init.c Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,614 @@ +@@ -0,0 +1,683 @@ +/* + * @(#) Initialization code. + * Copyright (C) 1996, 1997 John Ioannidis. @@ -29208,7 +28617,7 @@ packaging/utils/kernelpatch 2.6 + * + */ + -+char ipsec_init_c_version[] = "RCSID $Id: ipsec_init.c,v 1.104.2.4 2006/10/06 21:39:26 paul Exp $"; ++char ipsec_init_c_version[] = "RCSID $Id: ipsec_init.c,v 1.104.2.2 2006/04/20 16:33:06 mcr Exp $"; + +#ifndef AUTOCONF_INCLUDED +#include @@ -29280,8 +28689,8 @@ packaging/utils/kernelpatch 2.6 +#include "openswan/ipsec_proto.h" +#include "openswan/ipsec_alg.h" + -+#include -+#include ++#include ++#include + +#if defined(NET_26) && defined(CONFIG_IPSEC_NAT_TRAVERSAL) +#include 
@@ -29334,7 +28743,7 @@ packaging/utils/kernelpatch 2.6 +extern void ipsec_sysctl_unregister(void); +#endif + -+#if defined(NET_26) || defined(IPSKB_XFRM_TUNNEL_SIZE) ++#ifdef NET_26 +static inline int +openswan_inet_add_protocol(struct inet_protocol *prot, unsigned protocol) +{ @@ -29381,7 +28790,17 @@ packaging/utils/kernelpatch 2.6 + "KLIPS startup, Openswan KLIPS IPsec stack version: %s\n", + ipsec_version_code()); + ++ error = ipsec_xmit_state_cache_init (); ++ if (error) ++ goto error_xmit_state_cache; ++ ++ error = ipsec_rcv_state_cache_init (); ++ if (error) ++ goto error_rcv_state_cache; ++ + error |= ipsec_proc_init(); ++ if (error) ++ goto error_proc_init; + +#ifdef SPINLOCK + ipsec_sadb.sadb_lock = SPIN_LOCK_UNLOCKED; @@ -29395,11 +28814,27 @@ packaging/utils/kernelpatch 2.6 +#endif /* !SPINLOCK */ + + error |= ipsec_sadb_init(); ++ if (error) ++ goto error_sadb_init; ++ + error |= ipsec_radijinit(); ++ if (error) ++ goto error_radijinit; + + error |= pfkey_init(); ++ if (error) ++ goto error_pfkey_init; + + error |= register_netdevice_notifier(&ipsec_dev_notifier); ++ if (error) ++ goto error_netdev_notifier; ++ ++#ifdef CONFIG_XFRM_ALTERNATE_STACK ++ error = xfrm_register_alternate_rcv (ipsec_rcv); ++ if (error) ++ goto error_xfrm_register; ++ ++#else // CONFIG_XFRM_ALTERNATE_STACK + +#ifdef CONFIG_KLIPS_ESP + openswan_inet_add_protocol(&esp_protocol, IPPROTO_ESP); @@ -29416,7 +28851,11 @@ packaging/utils/kernelpatch 2.6 +#endif /* CONFIG_KLIPS_IPCOMP */ +#endif + ++#endif // CONFIG_XFRM_ALTERNATE_STACK ++ + error |= ipsec_tunnel_init_devices(); ++ if (error) ++ goto error_tunnel_init_devices; + +#if defined(NET_26) && defined(CONFIG_IPSEC_NAT_TRAVERSAL) + /* register our ESP-UDP handler */ @@ -29429,6 +28868,8 @@ packaging/utils/kernelpatch 2.6 + +#ifdef CONFIG_SYSCTL + error |= ipsec_sysctl_register(); ++ if (error) ++ goto error_sysctl_register; +#endif + + ipsec_alg_init(); 
@@ -29437,6 +28878,33 @@ packaging/utils/kernelpatch 2.6 + prng_init(&ipsec_prng, seed, sizeof(seed)); + + return error; ++ ++ // undo ipsec_sysctl_register ++error_sysctl_register: ++ ipsec_tunnel_cleanup_devices(); ++error_tunnel_init_devices: ++#ifdef CONFIG_XFRM_ALTERNATE_STACK ++ xfrm_deregister_alternate_rcv(ipsec_rcv); ++error_xfrm_register: ++#endif // CONFIG_XFRM_ALTERNATE_STACK ++ unregister_netdevice_notifier(&ipsec_dev_notifier); ++error_netdev_notifier: ++ pfkey_cleanup(); ++error_pfkey_init: ++ ipsec_radijcleanup(); ++error_radijinit: ++ ipsec_sadb_cleanup(0); ++ ipsec_sadb_free(); ++error_sadb_init: ++error_proc_init: ++ // ipsec_proc_init() does not cleanup after itself, so we have to do it here ++ // TODO: ipsec_proc_init() should roll back what it chaned on failure ++ ipsec_proc_cleanup(); ++ ipsec_rcv_state_cache_cleanup (); ++error_rcv_state_cache: ++ ipsec_xmit_state_cache_cleanup (); ++error_xmit_state_cache: ++ return error; +} + + @@ -29462,6 +28930,12 @@ packaging/utils/kernelpatch 2.6 + + KLIPS_PRINT(debug_netlink, "called ipsec_tunnel_cleanup_devices"); + ++#ifdef CONFIG_XFRM_ALTERNATE_STACK ++ ++ xfrm_deregister_alternate_rcv(ipsec_rcv); ++ ++#else // CONFIG_XFRM_ALTERNATE_STACK ++ +/* we never actually link IPCOMP to the stack */ +#ifdef IPCOMP_USED_ALONE +#ifdef CONFIG_KLIPS_IPCOMP @@ -29483,6 +28957,8 @@ packaging/utils/kernelpatch 2.6 + "esp close: can't remove protocol\n"); +#endif /* CONFIG_KLIPS_ESP */ + ++#endif // CONFIG_XFRM_ALTERNATE_STACK ++ + error |= unregister_netdevice_notifier(&ipsec_dev_notifier); + + KLIPS_PRINT(debug_netlink, /* debug_tunnel & DB_TN_INIT, */ @@ -29501,6 +28977,12 @@ packaging/utils/kernelpatch 2.6 + "calling pfkey_cleanup.\n"); + error |= pfkey_cleanup(); + ++ ipsec_rcv_state_cache_cleanup (); ++ ipsec_xmit_state_cache_cleanup (); ++ ++ ipsec_rcv_state_cache_cleanup (); ++ ipsec_xmit_state_cache_cleanup (); ++ + ipsec_proc_cleanup(); + + prng_final(&ipsec_prng); 
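Review bot: The unwind chain starting at `error_tunnel_init_devices:` only deregisters the alternate-stack receiver; in the `#else` (default) build the ESP/AH handlers installed with `openswan_inet_add_protocol` in the previous hunk are not removed, so a failure in `ipsec_tunnel_init_devices()` or `ipsec_sysctl_register()` returns an error with `ipsec_rcv` still registered for IPPROTO_ESP and IPPROTO_AH. Once the module is unloaded after the failed init, the next ESP or AH packet dispatches into freed code. Add an `#else` branch to that `#ifdef CONFIG_XFRM_ALTERNATE_STACK` block that removes the protocols the way `ipsec_cleanup()` already does (including IPCOMP under IPCOMP_USED_ALONE), and if the ESP-UDP handler registered under CONFIG_IPSEC_NAT_TRAVERSAL between the hunks needs undoing, cover it at `error_sysctl_register:` as well. The add_protocol calls themselves remain unchecked, so the chain also cannot tell whether registration succeeded.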
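Review bot: `ipsec_rcv_state_cache_cleanup ();` and `ipsec_xmit_state_cache_cleanup ();` are added twice in a row in ipsec_cleanup(); unless those functions are idempotent, the second pair tears down an already-destroyed cache, which in the kernel amounts to a double free. Delete the second pair so each cache is cleaned up exactly once, mirroring the single init calls in ipsec_init(). ipsec_cleanup() starts in an earlier hunk.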
@@ -29519,6 +29001,7 @@ packaging/utils/kernelpatch 2.6 + return error; +} + ++#ifndef NET_26 +void +cleanup_module(void) +{ @@ -29531,19 +29014,14 @@ packaging/utils/kernelpatch 2.6 + KLIPS_PRINT(1, "klips_info:cleanup_module: " + "ipsec module unloaded.\n"); +} ++#endif +#endif /* MODULE */ + +/* + * $Log: ipsec_init.c,v $ -+ * Revision 1.104.2.4 2006/10/06 21:39:26 paul -+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not -+ * set. This is defined through autoconf.h which is included through the -+ * linux kernel build macros. -+ * -+ * Revision 1.104.2.3 2006/07/31 15:25:20 paul -+ * Check for NETKEY backport in Debian using IPSKB_XFRM_TUNNEL_SIZE to -+ * determine wether inet_add_protocol needs the protocol argument. -+ * ++ * Revision 1.106 2005/09/14 14:22:55 mcr ++ * remove module unload on 2.6. --- it just won't work, so ++ * don't let people try. + * Revision 1.104.2.2 2006/04/20 16:33:06 mcr + * remove all of CONFIG_KLIPS_ALG --- one can no longer build without it. + * Fix in-kernel module compilation. Sub-makefiles do not work. @@ -29804,7 +29282,7 @@ packaging/utils/kernelpatch 2.6 + */ --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/net/ipsec/ipsec_ipcomp.c Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,256 @@ +@@ -0,0 +1,258 @@ +/* + * processing code for IPCOMP + * Copyright (C) 2003 Michael Richardson @@ -29820,7 +29298,7 @@ packaging/utils/kernelpatch 2.6 + * for more details. + */ + -+char ipsec_ipcomp_c_version[] = "RCSID $Id: ipsec_ipcomp.c,v 1.5.2.2 2006/10/06 21:39:26 paul Exp $"; ++char ipsec_ipcomp_c_version[] = "RCSID $Id: ipsec_ipcomp.c,v 1.5.2.1 2006/07/07 16:39:58 paul Exp $"; +#ifndef AUTOCONF_INCLUDED +#include +#endif 
@@ -30042,6 +29520,7 @@ packaging/utils/kernelpatch 2.6 +/* We probably don't want to install a pure IPCOMP protocol handler, but + only want to handle IPCOMP if it is encapsulated inside an ESP payload + (which is already handled) */ ++#ifndef CONFIG_XFRM_ALTERNATE_STACK +#ifdef CONFIG_KLIPS_IPCOMP +struct inet_protocol comp_protocol = +{ @@ -30058,6 +29537,7 @@ packaging/utils/kernelpatch 2.6 +#endif +}; +#endif /* CONFIG_KLIPS_IPCOMP */ ++#endif /* CONFIG_XFRM_ALTERNATE_STACK */ +#endif + +#endif /* CONFIG_KLIPS_IPCOMP */ @@ -30079,7 +29559,7 @@ packaging/utils/kernelpatch 2.6 + * for more details. + */ + -+char ipsec_ipip_c_version[] = "RCSID $Id: ipsec_ipip.c,v 1.3.2.3 2006/10/06 21:39:26 paul Exp $"; ++char ipsec_ipip_c_version[] = "RCSID $Id: ipsec_ipip.c,v 1.5 2005/11/11 06:36:41 paul Exp $"; +#ifndef AUTOCONF_INCLUDED +#include +#endif @@ -30265,7 +29745,7 @@ packaging/utils/kernelpatch 2.6 +} --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/net/ipsec/ipsec_life.c Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,273 @@ +@@ -0,0 +1,268 @@ +/* + * @(#) lifetime structure utilities + * @@ -30282,7 +29762,7 @@ packaging/utils/kernelpatch 2.6 + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * -+ * RCSID $Id: ipsec_life.c,v 1.13.10.1 2006/10/06 21:39:26 paul Exp $ ++ * RCSID $Id: ipsec_life.c,v 1.13 2004/07/10 19:11:18 mcr Exp $ + * + */ + @@ -30329,8 +29809,8 @@ packaging/utils/kernelpatch 2.6 +#include "openswan/ipcomp.h" +#endif /* CONFIG_KLIPS_IPCOMP */ + -+#include -+#include ++#include ++#include + +#include "openswan/ipsec_proto.h" + @@ -30389,10 +29869,10 @@ packaging/utils/kernelpatch 2.6 + saname, + dir); + -+ if(ips->ips_state != SADB_SASTATE_DYING) { ++ if(ips->ips_state != K_SADB_SASTATE_DYING) { + pfkey_expire(ips, 0); + } -+ ips->ips_state = SADB_SASTATE_DYING; ++ ips->ips_state = K_SADB_SASTATE_DYING; + + return ipsec_life_softdied; + } 
@@ -30482,11 +29962,6 @@ packaging/utils/kernelpatch 2.6 + +/* + * $Log: ipsec_life.c,v $ -+ * Revision 1.13.10.1 2006/10/06 21:39:26 paul -+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not -+ * set. This is defined through autoconf.h which is included through the -+ * linux kernel build macros. -+ * + * Revision 1.13 2004/07/10 19:11:18 mcr + * CONFIG_IPSEC -> CONFIG_KLIPS. + * @@ -30541,7 +30016,7 @@ packaging/utils/kernelpatch 2.6 + */ --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/net/ipsec/ipsec_mast.c Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,1099 @@ +@@ -0,0 +1,1094 @@ +/* + * IPSEC MAST code. + * Copyright (C) 1996, 1997 John Ioannidis. @@ -30558,7 +30033,7 @@ packaging/utils/kernelpatch 2.6 + * for more details. + */ + -+char ipsec_mast_c_version[] = "RCSID $Id: ipsec_mast.c,v 1.7.2.1 2006/10/06 21:39:26 paul Exp $"; ++char ipsec_mast_c_version[] = "RCSID $Id: ipsec_mast.c,v 1.7 2005/04/29 05:10:22 mcr Exp $"; + +#define __NO_VERSION__ +#include @@ -30610,8 +30085,8 @@ packaging/utils/kernelpatch 2.6 +#include "freeswan/ipsec_ah.h" +#include "freeswan/ipsec_esp.h" + -+#include -+#include ++#include ++#include + +#include "freeswan/ipsec_proto.h" + @@ -31609,11 +31084,6 @@ packaging/utils/kernelpatch 2.6 + +/* + * $Log: ipsec_mast.c,v $ -+ * Revision 1.7.2.1 2006/10/06 21:39:26 paul -+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not -+ * set. This is defined through autoconf.h which is included through the -+ * linux kernel build macros. -+ * + * Revision 1.7 2005/04/29 05:10:22 mcr + * removed from extraenous includes to make unit testing easier. + * @@ -32099,7 +31569,7 @@ packaging/utils/kernelpatch 2.6 + */ --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/net/ipsec/ipsec_proc.c Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,1186 @@ +@@ -0,0 +1,1172 @@ +/* + * @(#) /proc file system interface code. + * 
@@ -32120,7 +31590,7 @@ packaging/utils/kernelpatch 2.6 + * Split out from ipsec_init.c version 1.70. + */ + -+char ipsec_proc_c_version[] = "RCSID $Id: ipsec_proc.c,v 1.39.2.4 2006/11/15 22:21:39 paul Exp $"; ++char ipsec_proc_c_version[] = "RCSID $Id: ipsec_proc.c,v 1.41 2005/11/11 04:04:03 paul Exp $"; + + +#ifndef AUTOCONF_INCLUDED @@ -32191,8 +31661,8 @@ packaging/utils/kernelpatch 2.6 + +#include "openswan/ipsec_proto.h" + -+#include -+#include ++#include ++#include + +#ifdef CONFIG_PROC_FS + @@ -32218,7 +31688,6 @@ packaging/utils/kernelpatch 2.6 +extern int ipsec_xform_get_info(char *buffer, char **start, + off_t offset, int length IPSEC_PROC_LAST_ARG); + -+ +IPSEC_PROCFS_DEBUG_NO_STATIC +int +ipsec_eroute_get_info(char *buffer, @@ -32713,37 +32182,30 @@ packaging/utils/kernelpatch 2.6 + return len; +} + -+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL -+unsigned int natt_available = 1; -+#else -+unsigned int natt_available = 0; -+#endif -+module_param(natt_available, int, 0444); -+ +IPSEC_PROCFS_DEBUG_NO_STATIC +int +ipsec_natt_get_info(char *buffer, -+ char **start, -+ off_t offset, -+ int length IPSEC_PROC_LAST_ARG) ++ char **start, ++ off_t offset, ++ int length IPSEC_PROC_LAST_ARG) +{ -+ int len = 0; -+ off_t begin = 0; ++ int len = 0; ++ off_t begin = 0; + -+ len += ipsec_snprintf(buffer + len, -+ length-len, "%d\n", ++ len += ipsec_snprintf(buffer + len, ++ length-len, "%d\n", +#ifdef CONFIG_IPSEC_NAT_TRAVERSAL -+ 1 ++ 1 +#else -+ 0 ++ 0 +#endif -+ ); ++ ); + -+ *start = buffer + (offset - begin); /* Start of wanted data */ -+ len -= (offset - begin); /* Start slop */ -+ if (len > length) -+ len = length; -+ return len; ++ *start = buffer + (offset - begin); /* Start of wanted data */ ++ len -= (offset - begin); /* Start slop */ ++ if (len > length) ++ len = length; ++ return len; +} + +IPSEC_PROCFS_DEBUG_NO_STATIC 
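Review bot: In the rewritten `ipsec_natt_get_info` (hunk `@@ -32713`) `len -= (offset - begin);` has no lower bound, so a read at an offset past the two-byte output returns a negative length to the procfs caller; the clamp only covers the upper side. The old get_info idiom guards both ends, so add `if (len < 0) len = 0;` before `if (len > length)`. The same hunk also drops the `natt_available` module parameter that was visible under /sys/module, moving the capability probe to the `/proc/net/ipsec/natt` entry added later in this patch; that interface change is worth a line in the commit message since userland scripts may key on it.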
@@ -32957,6 +32419,7 @@ packaging/utils/kernelpatch 2.6 + {"stats", &proc_net_ipsec_dir, &proc_stats_dir, NULL, NULL, NULL}, + {"trap_count", &proc_stats_dir, NULL, ipsec_stats_get_int_info, NULL, &ipsec_xmit_trap_count}, + {"trap_sendcount", &proc_stats_dir, NULL, ipsec_stats_get_int_info, NULL, &ipsec_xmit_trap_sendcount}, ++ {"natt", &proc_net_ipsec_dir, NULL, ipsec_natt_get_info, NULL, NULL}, + {"version", &proc_net_ipsec_dir, NULL, ipsec_version_get_info, NULL, NULL}, + {NULL, NULL, NULL, NULL, NULL, NULL} +}; @@ -33117,19 +32580,12 @@ packaging/utils/kernelpatch 2.6 + +/* + * $Log: ipsec_proc.c,v $ -+ * Revision 1.39.2.4 2006/11/15 22:21:39 paul -+ * backport of creating a /sys/ file to test for nat-t capability in kernel. -+ * -+ * Revision 1.39.2.3 2006/10/06 21:39:26 paul -+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not -+ * set. This is defined through autoconf.h which is included through the -+ * linux kernel build macros. ++ * Revision 1.41 2005/11/11 04:04:03 paul ++ * Fix for compiling without CONFIG_KLIPS_ALG by Toby + * -+ * Revision 1.39.2.2 2006/02/13 18:48:12 paul -+ * Fix by Ankit Desai for module unloading. -+ * -+ * Revision 1.39.2.1 2005/09/07 00:45:59 paul -+ * pull up of mcr's nat-t klips detection patch from head ++ * Revision 1.40 2005/08/26 20:02:24 mcr ++ * added /proc/net/ipsec/natt file to indicate if NAT-T was compiled ++ * into KLIPS. + * + * Revision 1.39 2005/05/20 03:19:18 mcr + * modifications for use on 2.4.30 kernel, with backported @@ -33288,7 +32744,7 @@ packaging/utils/kernelpatch 2.6 + */ --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/net/ipsec/ipsec_radij.c Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,889 @@ +@@ -0,0 +1,884 @@ +/* + * Interface between the IPSEC code and the radix (radij) tree code + * Copyright (C) 1996, 1997 John Ioannidis. 
@@ -33304,7 +32760,7 @@ packaging/utils/kernelpatch 2.6 + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * -+ * RCSID $Id: ipsec_radij.c,v 1.73.2.1 2006/10/06 21:39:26 paul Exp $ ++ * RCSID $Id: ipsec_radij.c,v 1.73 2005/04/29 05:10:22 mcr Exp $ + */ + +#ifndef AUTOCONF_INCLUDED @@ -33350,8 +32806,8 @@ packaging/utils/kernelpatch 2.6 +#include "openswan/ipsec_tunnel.h" /* struct ipsecpriv */ +#include "openswan/ipsec_xform.h" + -+#include -+#include ++#include ++#include + +#include "openswan/ipsec_proto.h" + @@ -33381,7 +32837,7 @@ packaging/utils/kernelpatch 2.6 +int +ipsec_radijcleanup(void) +{ -+ int error; ++ int error = 0; + + spin_lock_bh(&eroute_lock); + @@ -33843,11 +33299,6 @@ packaging/utils/kernelpatch 2.6 + +/* + * $Log: ipsec_radij.c,v $ -+ * Revision 1.73.2.1 2006/10/06 21:39:26 paul -+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not -+ * set. This is defined through autoconf.h which is included through the -+ * linux kernel build macros. -+ * + * Revision 1.73 2005/04/29 05:10:22 mcr + * removed from extraenous includes to make unit testing easier. + * @@ -34180,7 +33631,7 @@ packaging/utils/kernelpatch 2.6 + */ --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/net/ipsec/ipsec_rcv.c Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,2304 @@ +@@ -0,0 +1,2395 @@ +/* + * receive code + * Copyright (C) 1996, 1997 John Ioannidis. @@ -34198,7 +33649,7 @@ packaging/utils/kernelpatch 2.6 + * for more details. + */ + -+char ipsec_rcv_c_version[] = "RCSID $Id: ipsec_rcv.c,v 1.171.2.10 2006/10/06 21:39:26 paul Exp $"; ++char ipsec_rcv_c_version[] = "RCSID $Id: ipsec_rcv.c,v 1.178 2005/10/21 02:19:34 mcr Exp $"; + +#ifndef AUTOCONF_INCLUDED +#include @@ -34260,8 +33711,8 @@ packaging/utils/kernelpatch 2.6 +#include "openswan/ipsec_ipcomp.h" +#endif /* CONFIG_KLIPS_COMP */ + -+#include -+#include ++#include ++#include + +#include "openswan/ipsec_proto.h" +#include "openswan/ipsec_alg.h" 
@@ -34473,7 +33924,7 @@ packaging/utils/kernelpatch 2.6 + /* ipsec_sa_put(irs->ipsp);*/ /* incomplete */ + + /* If it is in larval state, drop the packet, we cannot process yet. */ -+ if(newipsp->ips_state == SADB_SASTATE_LARVAL) { ++ if(newipsp->ips_state == K_SADB_SASTATE_LARVAL) { + KLIPS_PRINT(debug_rcv, + "klips_debug:ipsec_rcv: " + "ipsec_sa in larval state, cannot be used yet, dropping packet.\n"); @@ -34484,7 +33935,7 @@ packaging/utils/kernelpatch 2.6 + return IPSEC_RCV_SAIDNOTLIVE; + } + -+ if(newipsp->ips_state == SADB_SASTATE_DEAD) { ++ if(newipsp->ips_state == K_SADB_SASTATE_DEAD) { + KLIPS_PRINT(debug_rcv, + "klips_debug:ipsec_rcv: " + "ipsec_sa in dead state, cannot be used any more, dropping packet.\n"); @@ -34546,25 +33997,26 @@ packaging/utils/kernelpatch 2.6 + + + ++ +#ifdef CONFIG_IPSEC_NAT_TRAVERSAL -+ if (proto == IPPROTO_ESP) { -+ KLIPS_PRINT(debug_rcv, -+ "klips_debug:ipsec_rcv: " -+ "natt_type=%u tdbp->ips_natt_type=%u : %s\n", -+ irs->natt_type, newipsp->ips_natt_type, -+ (irs->natt_type==newipsp->ips_natt_type)?"ok":"bad"); -+ if (irs->natt_type != newipsp->ips_natt_type) { -+ KLIPS_PRINT(debug_rcv, -+ "klips_debug:ipsec_rcv: " -+ "SA:%s does not agree with expected NAT-T policy.\n", -+ irs->sa_len ? irs->sa : " (error)"); -+ if(irs->stats) { -+ irs->stats->rx_dropped++; -+ } -+ ipsec_sa_put(newipsp); -+ return IPSEC_RCV_FAILEDINBOUND; -+ } -+ } ++ if (proto == IPPROTO_ESP) { ++ KLIPS_PRINT(debug_rcv, ++ "klips_debug:ipsec_rcv: " ++ "natt_type=%u tdbp->ips_natt_type=%u : %s\n", ++ irs->natt_type, newipsp->ips_natt_type, ++ (irs->natt_type==newipsp->ips_natt_type)?"ok":"bad"); ++ if (irs->natt_type != newipsp->ips_natt_type) { ++ KLIPS_PRINT(debug_rcv, ++ "klips_debug:ipsec_rcv: " ++ "SA:%s does not agree with expected NAT-T policy.\n", ++ irs->sa_len ? irs->sa : " (error)"); ++ if(irs->stats) { ++ irs->stats->rx_dropped++; ++ } ++ ipsec_sa_put(newipsp); ++ return IPSEC_RCV_FAILEDINBOUND; ++ } ++ } +#endif + } + 
@@ -34592,7 +34044,12 @@ packaging/utils/kernelpatch 2.6 + ipsec_lifetime_check(&irs->ipsp->ips_life.ipl_packets, "packets", + irs->sa, ipsec_life_countbased, ipsec_incoming, + irs->ipsp) == ipsec_life_harddied) { -+ ipsec_sa_delchain(irs->ipsp); ++ ++ /* ++ * disconnect SA from the hash table, so it can not be ++ * found again. ++ */ ++ ipsec_sa_rm(irs->ipsp); + if(irs->stats) { + irs->stats->rx_dropped++; + } @@ -34807,7 +34264,10 @@ packaging/utils/kernelpatch 2.6 + + /* If the sequence number == 0, expire SA, it had rolled */ + if(irs->ipsp->ips_replaywin && !replay /* !irs->ipsp->ips_replaywin_lastseq */) { -+ ipsec_sa_delchain(irs->ipsp); ++ ++ /* we need to remove it from the sadb hash, so that it can't be found again */ ++ ipsec_sa_rm(irs->ipsp); ++ + KLIPS_PRINT(debug_rcv, + "klips_debug:ipsec_rcv: " + "replay window counter rolled, expiring SA.\n"); @@ -35378,7 +34838,6 @@ packaging/utils/kernelpatch 2.6 + ipsec_kfree_skb(skb); + } + -+ /* KLIPS_DEC_USE; Artifact from refactor? bug # 454 */ + return(0); +} + @@ -35513,6 +34972,9 @@ packaging/utils/kernelpatch 2.6 +} +#endif + ++/* management of buffers */ ++static struct ipsec_rcv_state * ipsec_rcv_state_new (void); ++static void ipsec_rcv_state_delete (struct ipsec_rcv_state *irs); + +int +ipsec_rcv(struct sk_buff *skb @@ -35528,7 +34990,7 @@ packaging/utils/kernelpatch 2.6 + struct net_device_stats *stats = NULL; /* This device's statistics */ + struct net_device *ipsecdev = NULL, *prvdev; + struct ipsecpriv *prv; -+ struct ipsec_rcv_state nirs, *irs = &nirs; ++ struct ipsec_rcv_state *irs = NULL; + struct iphdr *ipp; + char name[9]; + int i; 
@@ -35536,22 +34998,28 @@ packaging/utils/kernelpatch 2.6 + /* Don't unlink in the middle of a turnaround */ + KLIPS_INC_USE; + -+ memset(&nirs, 0, sizeof(struct ipsec_rcv_state)); -+ + if (skb == NULL) { + KLIPS_PRINT(debug_rcv, + "klips_debug:ipsec_rcv: " + "NULL skb passed in.\n"); -+ goto rcvleave; ++ goto error_no_skb; + } + + if (skb->data == NULL) { + KLIPS_PRINT(debug_rcv, + "klips_debug:ipsec_rcv: " + "NULL skb->data passed in, packet is bogus, dropping.\n"); -+ goto rcvleave; ++ goto error_bad_skb; + } + ++ irs = ipsec_rcv_state_new (); ++ if (unlikely (! irs)) { ++ KLIPS_PRINT(debug_rcv, ++ "klips_debug:ipsec_rcv: " ++ "failled to allocate a rcv state object\n"); ++ goto error_alloc; ++ } ++ +#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) && !defined(NET_26) + { + /* NET_26 NAT-T is handled by seperate function */ @@ -35764,14 +35232,20 @@ packaging/utils/kernelpatch 2.6 + irs->authfuncs=NULL; + irs->skb = skb; + -+ ipsec_rcv_decap(irs); -+ KLIPS_DEC_USE; ++ (void)ipsec_rcv_decap(irs); ++ ++ ipsec_rcv_state_delete (irs); ++ KLIPS_DEC_USE; + return(0); + -+ rcvleave: -+ if(skb) { -+ ipsec_kfree_skb(skb); -+ } ++rcvleave: ++ ipsec_rcv_state_delete (irs); ++ ++error_alloc: ++error_bad_skb: ++ ipsec_kfree_skb(skb); ++error_no_skb: ++ + KLIPS_DEC_USE; + return(0); + @@ -35792,13 +35266,19 @@ packaging/utils/kernelpatch 2.6 + */ +int klips26_rcv_encap(struct sk_buff *skb, __u16 encap_type) +{ -+ struct ipsec_rcv_state nirs, *irs = &nirs; ++ struct ipsec_rcv_state *irs = NULL; + struct iphdr *ipp; + + /* Don't unlink in the middle of a turnaround */ + KLIPS_INC_USE; + -+ memset(irs, 0, sizeof(*irs)); ++ irs = ipsec_rcv_state_new (); ++ if (unlikely (! irs)) { ++ KLIPS_PRINT(debug_rcv, ++ "klips_debug:ipsec_rcv: " ++ "failled to allocate a rcv state object\n"); ++ goto error_alloc; ++ } + + /* XXX fudge it so that all nat-t stuff comes from ipsec0 */ + /* eventually, the SA itself will determine which device 
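Review bot: The new allocation-failure message in `ipsec_rcv` (and the identical one added to `klips26_rcv_encap` in hunk `@@ -35792`) misspells "failed" as `"failled to allocate a rcv state object\n"`; since this is the only trace an operator gets when the GFP_ATOMIC allocation fails under load, it should be greppable and spelled correctly. The drop itself is otherwise silent, which is acceptable here only because `stats` has not been resolved yet at this point of the function.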
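Review bot: The `rcvleave:` exit of `ipsec_rcv` (hunk `@@ -35764`) now calls `ipsec_kfree_skb(skb)` unconditionally, where the old code guarded it with `if(skb)`; every `goto rcvleave` in the body between these two hunks is outside my view, so if any of them jumps after the skb has been handed off or nulled this becomes a NULL or double free. Unless each jump site has been audited, restore the guard: `if(skb) { ipsec_kfree_skb(skb); }`. Note that `ipsec_rcv_state_delete(irs)` itself is safe on the failure paths, since it returns on a NULL argument.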
@@ -35876,39 +35356,101 @@ packaging/utils/kernelpatch 2.6 + +#endif + ipsec_rcv_decap(irs); ++ + KLIPS_DEC_USE; ++ ipsec_rcv_state_delete (irs); + return 0; + +rcvleave: + if(skb) { + ipsec_kfree_skb(skb); + } ++ ipsec_rcv_state_delete (irs); ++error_alloc: + KLIPS_DEC_USE; + return 0; +} +#endif + ++// ------------------------------------------------------------------------ ++// this handles creating and managing state for recv path ++ ++static spinlock_t irs_cache_lock = SPIN_LOCK_UNLOCKED; ++static kmem_cache_t *irs_cache_allocator = NULL; ++static unsigned irs_cache_allocated_count = 0; ++ ++int ++ipsec_rcv_state_cache_init (void) ++{ ++ if (irs_cache_allocator) ++ return -EBUSY; ++ ++ spin_lock_init(&irs_cache_lock); ++ ++ irs_cache_allocator = kmem_cache_create ("ipsec_irs", ++ sizeof (struct ipsec_rcv_state), 0, ++ 0, NULL, NULL); ++ if (! irs_cache_allocator) ++ return -ENOMEM; ++ ++ return 0; ++} ++ ++void ++ipsec_rcv_state_cache_cleanup (void) ++{ ++ if (unlikely (irs_cache_allocated_count)) ++ printk ("ipsec: deleting ipsec_irs kmem_cache while in use\n"); ++ ++ if (irs_cache_allocator) { ++ kmem_cache_destroy (irs_cache_allocator); ++ irs_cache_allocator = NULL; ++ } ++ irs_cache_allocated_count = 0; ++} ++ ++static struct ipsec_rcv_state * ++ipsec_rcv_state_new (void) ++{ ++ struct ipsec_rcv_state *irs; ++ ++ spin_lock_bh (&irs_cache_lock); ++ ++ irs = kmem_cache_alloc (irs_cache_allocator, GFP_ATOMIC); ++ ++ if (likely (irs != NULL)) ++ irs_cache_allocated_count++; ++ ++ spin_unlock_bh (&irs_cache_lock); ++ ++ if (unlikely (NULL == irs)) ++ goto bail; ++ ++ // initialize the object ++ memset((caddr_t)irs, 0, sizeof(*irs)); ++ ++bail: ++ return irs; ++} ++ ++static void ++ipsec_rcv_state_delete (struct ipsec_rcv_state *irs) ++{ ++ if (unlikely (! 
irs)) ++ return; ++ ++ spin_lock_bh (&irs_cache_lock); ++ ++ irs_cache_allocated_count--; ++ kmem_cache_free (irs_cache_allocator, irs); ++ ++ spin_unlock_bh (&irs_cache_lock); ++} + +/* + * $Log: ipsec_rcv.c,v $ -+ * Revision 1.171.2.10 2006/10/06 21:39:26 paul -+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not -+ * set. This is defined through autoconf.h which is included through the -+ * linux kernel build macros. -+ * -+ * Revision 1.171.2.9 2006/07/30 02:09:33 paul -+ * Author: Bart Trojanowski -+ * This fixes a NATT+ESP bug in rcv path. -+ * -+ * We only want to test NATT policy on the ESP packet. Doing so on the -+ * bundled SA breaks because the next layer does not know anything about -+ * NATT. -+ * -+ * Fix just puts an if(proto == IPPROTO_ESP) around the NATT policy check. -+ * -+ * Revision 1.171.2.8 2006/07/29 05:03:04 paul -+ * Added check for new version of skb_linearize that only takes 1 argument, -+ * for 2.6.18+ kernels. ++ * Revision 1.178 2005/10/21 02:19:34 mcr ++ * on 2.4 systems, we have to fix up the length as well. + * + * Revision 1.171.2.7 2006/04/20 16:33:07 mcr + * remove all of CONFIG_KLIPS_ALG --- one can no longer build without it. @@ -36487,7 +36029,7 @@ packaging/utils/kernelpatch 2.6 + */ --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/net/ipsec/ipsec_sa.c Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,1870 @@ +@@ -0,0 +1,1501 @@ +/* + * Common routines for IPsec SA maintenance routines. + * @@ -36504,7 +36046,7 @@ packaging/utils/kernelpatch 2.6 + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * -+ * RCSID $Id: ipsec_sa.c,v 1.30.2.2 2006/10/06 21:39:26 paul Exp $ ++ * RCSID $Id: ipsec_sa.c,v 1.31 2005/11/11 04:38:56 paul Exp $ + * + * This is the file formerly known as "ipsec_xform.h" + * 
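Review bot: In `klips26_rcv_encap` the `error_alloc:` label is placed after the `if(skb) { ipsec_kfree_skb(skb); }` block, so when `ipsec_rcv_state_new()` fails (the `goto error_alloc` added in hunk `@@ -35792`) the function returns 0 without freeing the packet, while every other exit frees it before returning 0; under memory pressure that is an skb leak per NAT-T packet. Because `ipsec_rcv_state_delete()` already returns on a NULL argument, the one-line fix is to make that jump `goto rcvleave;` and drop the `error_alloc:` label from this function. Separately, `ipsec_rcv_state_cache_cleanup()` destroys the kmem_cache even when `irs_cache_allocated_count` is non-zero, after only a `printk` with no KERN_ level; objects still in flight then point into a destroyed cache, so either refuse the teardown or make the message an error-level one. The enclosing function begins in the previous hunk.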
@@ -36556,9 +36098,13 @@ packaging/utils/kernelpatch 2.6 +#include "openswan/ipsec_ipe4.h" +#include "openswan/ipsec_ah.h" +#include "openswan/ipsec_esp.h" ++#include "openswan/ipsec_ipip.h" ++#ifdef CONFIG_KLIPS_IPCOMP ++#include "openswan/ipsec_ipcomp.h" ++#endif /* CONFIG_KLIPS_COMP */ + -+#include -+#include ++#include ++#include + +#include "openswan/ipsec_proto.h" +#include "openswan/ipsec_alg.h" @@ -36579,8 +36125,6 @@ packaging/utils/kernelpatch 2.6 + +struct ipsec_sadb ipsec_sadb; + -+#if IPSEC_SA_REF_CODE -+ +/* the sub table must be narrower (or equal) in bits than the variable type + in the main table to count the number of unused entries in it. */ +typedef struct { 
@@ -36599,57 +36143,24 @@ packaging/utils/kernelpatch 2.6 + +#define IPS_HASH(said) (((said)->spi + (said)->dst.u.v4.sin_addr.s_addr + (said)->proto) % SADB_HASHMOD) + -+ -+void -+ipsec_SAtest(void) -+{ -+ IPsecSAref_t SAref = 258; -+ struct ipsec_sa ips; -+ ips.ips_ref = 772; -+ -+ printk("klips_debug:ipsec_SAtest: " -+ "IPSEC_SA_REF_SUBTABLE_IDX_WIDTH=%u\n" -+ "IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES=%u\n" -+ "IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES=%u\n" -+ "IPSEC_SA_REF_HOST_FIELD_WIDTH=%lu\n" -+ "IPSEC_SA_REF_TABLE_MASK=%x\n" -+ "IPSEC_SA_REF_ENTRY_MASK=%x\n" -+ "IPsecSAref2table(%d)=%u\n" -+ "IPsecSAref2entry(%d)=%u\n" -+ "IPsecSAref2NFmark(%d)=%u\n" -+ "IPsecSAref2SA(%d)=%p\n" -+ "IPsecSA2SAref(%p)=%d\n" -+ , -+ IPSEC_SA_REF_SUBTABLE_IDX_WIDTH, -+ IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES, -+ IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES, -+ (unsigned long) IPSEC_SA_REF_HOST_FIELD_WIDTH, -+ IPSEC_SA_REF_TABLE_MASK, -+ IPSEC_SA_REF_ENTRY_MASK, -+ SAref, IPsecSAref2table(SAref), -+ SAref, IPsecSAref2entry(SAref), -+ SAref, IPsecSAref2NFmark(SAref), -+ SAref, IPsecSAref2SA(SAref), -+ (&ips), IPsecSA2SAref((&ips)) -+ ); -+ return; -+} ++// private functions for reference counting ++static int ipsec_sa_wipe(struct ipsec_sa *ips); + +int +ipsec_SAref_recycle(void) +{ -+ int table; -+ int entry; ++ int table, i; + int error = 0; ++ int addone; + -+ ipsec_sadb.refFreeListHead = -1; -+ ipsec_sadb.refFreeListTail = -1; ++ ipsec_sadb.refFreeListHead = IPSEC_SAREF_NULL; ++ ipsec_sadb.refFreeListTail = IPSEC_SAREF_NULL; + + if(ipsec_sadb.refFreeListCont == IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES * IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES) { + KLIPS_PRINT(debug_xform, + "klips_debug:ipsec_SAref_recycle: " + "end of table reached, continuing at start..\n"); -+ ipsec_sadb.refFreeListCont = 0; ++ ipsec_sadb.refFreeListCont = IPSEC_SAREF_FIRST; + } + + KLIPS_PRINT(debug_xform, 
@@ -36660,33 +36171,32 @@ packaging/utils/kernelpatch 2.6 + IPsecSAref2table(ipsec_sadb.refFreeListCont), + IPsecSAref2entry(ipsec_sadb.refFreeListCont)); + -+ for(table = IPsecSAref2table(ipsec_sadb.refFreeListCont); -+ table < IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES; -+ table++) { -+ if(ipsec_sadb.refTable[table] == NULL) { ++ /* add one additional table entry */ ++ addone = 0; ++ ++ ipsec_sadb.refFreeListHead = IPSEC_SAREF_FIRST; ++ for(i = 0; i < IPSEC_SA_REF_FREELIST_NUM_ENTRIES; i++) { ++ table = IPsecSAref2table(ipsec_sadb.refFreeListCont); ++ if(addone == 0 && ipsec_sadb.refTable[table] == NULL) { ++ addone = 1; + error = ipsec_SArefSubTable_alloc(table); + if(error) { + return error; + } + } -+ for(entry = IPsecSAref2entry(ipsec_sadb.refFreeListCont); -+ entry < IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES; -+ entry++) { -+ if(ipsec_sadb.refTable[table]->entry[entry] == NULL) { -+ ipsec_sadb.refFreeList[++ipsec_sadb.refFreeListTail] = IPsecSArefBuild(table, entry); -+ if(ipsec_sadb.refFreeListTail == (IPSEC_SA_REF_FREELIST_NUM_ENTRIES - 1)) { -+ ipsec_sadb.refFreeListHead = 0; -+ ipsec_sadb.refFreeListCont = ipsec_sadb.refFreeList[ipsec_sadb.refFreeListTail] + 1; -+ KLIPS_PRINT(debug_xform, -+ "klips_debug:ipsec_SAref_recycle: " -+ "SArefFreeList refilled.\n"); -+ return 0; -+ } -+ } ++ if(ipsec_sadb.refTable[table] == NULL) { ++ /* we failed to add a second table, so just stop */ ++ break; ++ } ++ ++ if(IPsecSAref2SA(ipsec_sadb.refFreeListCont) == NULL) { ++ ipsec_sadb.refFreeList[i] = ipsec_sadb.refFreeListCont; + } ++ ipsec_sadb.refFreeListCont++; ++ ipsec_sadb.refFreeListTail=i; + } + -+ if(ipsec_sadb.refFreeListTail == -1) { ++ if(ipsec_sadb.refFreeListTail == IPSEC_SAREF_NULL) { + KLIPS_PRINT(debug_xform, + "klips_debug:ipsec_SAref_recycle: " + "out of room in the SArefTable.\n"); 
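Review bot: The rewritten scan in `ipsec_SAref_recycle` only writes `ipsec_sadb.refFreeList[i]` when the ref at `refFreeListCont` is unused, yet it advances `refFreeListTail = i` on every iteration, so slots that correspond to in-use refs keep whatever they held before — `IPSEC_SAREF_NULL` from `ipsec_saref_freelist_init()` or a stale ref from an earlier pass. `ipsec_SAref_alloc` then either fails with `-ESPIPE` on the NULL entries or, worse, hands out a ref that is already bound to a live SA. The free list needs its own write index so that only free refs are appended and the tail reflects what was actually stored; `ipsec_sadb.refFreeListHead = IPSEC_SAREF_FIRST` before the loop also looks like it mixes a ref value with a list index (the old code reset the head to 0) — worth confirming what `IPSEC_SAREF_FIRST` is. Declare `nfree` alongside `addone` at the top of the function.
```c
	/* nfree is the next free-list slot to fill; refFreeListCont is the ref being scanned */
	nfree = 0;
	for(i = 0; i < IPSEC_SA_REF_FREELIST_NUM_ENTRIES; i++) {
		table = IPsecSAref2table(ipsec_sadb.refFreeListCont);
		/* … unchanged: one-time sub-table allocation, break if refTable[table] is still NULL … */
		if(IPsecSAref2SA(ipsec_sadb.refFreeListCont) == NULL) {
			ipsec_sadb.refFreeList[nfree++] = ipsec_sadb.refFreeListCont;
		}
		ipsec_sadb.refFreeListCont++;
	}
	ipsec_sadb.refFreeListTail = (nfree == 0) ? IPSEC_SAREF_NULL : nfree - 1;
```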
@@ -36694,8 +36204,6 @@ packaging/utils/kernelpatch 2.6 + return(-ENOSPC); + } + -+ ipsec_sadb.refFreeListHead = 0; -+ ipsec_sadb.refFreeListCont = ipsec_sadb.refFreeList[ipsec_sadb.refFreeListTail] + 1; + KLIPS_PRINT(debug_xform, + "klips_debug:ipsec_SAref_recycle: " + "SArefFreeList partly refilled to %d of %d.\n", @@ -36744,7 +36252,19 @@ packaging/utils/kernelpatch 2.6 + + return 0; +} -+#endif /* IPSEC_SA_REF_CODE */ ++ ++int ++ipsec_saref_verify_slot(IPsecSAref_t ref) ++{ ++ int ref_table=IPsecSAref2table(ref); ++ ++ if(ipsec_sadb.refTable[ref_table] == NULL) { ++ int ret; ++ ret = ipsec_SArefSubTable_alloc(ref_table); ++ } ++ ++ return 0; ++} + +int +ipsec_saref_freelist_init(void) @@ -36759,9 +36279,9 @@ packaging/utils/kernelpatch 2.6 + for(i = 0; i < IPSEC_SA_REF_FREELIST_NUM_ENTRIES; i++) { + ipsec_sadb.refFreeList[i] = IPSEC_SAREF_NULL; + } -+ ipsec_sadb.refFreeListHead = -1; -+ ipsec_sadb.refFreeListCont = 0; -+ ipsec_sadb.refFreeListTail = -1; ++ ipsec_sadb.refFreeListHead = IPSEC_SAREF_NULL; ++ ipsec_sadb.refFreeListCont = IPSEC_SAREF_FIRST+1; ++ ipsec_sadb.refFreeListTail = IPSEC_SAREF_NULL; + + return 0; +} @@ -36778,7 +36298,6 @@ packaging/utils/kernelpatch 2.6 + /* parts above are for the old style SADB hash table */ + + -+#if IPSEC_SA_REF_CODE + /* initialise SA reference table */ + + /* initialise the main table */ 
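Review bot: `ipsec_saref_verify_slot` stores the result of `ipsec_SArefSubTable_alloc(ref_table)` in `ret` and then ignores it, always returning 0, so its callers (`ipsec_sa_intern` and `ipsec_sa_untern` later in this patch) go on to dereference `IPsecSAref2SA(ref)` through a sub-table that may never have been allocated under GFP_ATOMIC pressure. Both callers already check the return value, so the function should simply propagate it: `return ipsec_SArefSubTable_alloc(ref_table);` inside the `if`, and drop the unused `ret`.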
@@ -36801,27 +36320,25 @@ packaging/utils/kernelpatch 2.6 + } + + error = ipsec_saref_freelist_init(); -+#endif /* IPSEC_SA_REF_CODE */ + return error; +} + -+#if IPSEC_SA_REF_CODE +IPsecSAref_t +ipsec_SAref_alloc(int*error) /* pass in error var by pointer */ +{ + IPsecSAref_t SAref; + + KLIPS_PRINT(debug_xform, -+ "klips_debug:ipsec_SAref_alloc: " ++ "ipsec_SAref_alloc: " + "SAref requested... head=%d, cont=%d, tail=%d, listsize=%d.\n", + ipsec_sadb.refFreeListHead, + ipsec_sadb.refFreeListCont, + ipsec_sadb.refFreeListTail, + IPSEC_SA_REF_FREELIST_NUM_ENTRIES); + -+ if(ipsec_sadb.refFreeListHead == -1) { ++ if(ipsec_sadb.refFreeListHead == IPSEC_SAREF_NULL) { + KLIPS_PRINT(debug_xform, -+ "klips_debug:ipsec_SAref_alloc: " ++ "ipsec_SAref_alloc: " + "FreeList empty, recycling...\n"); + *error = ipsec_SAref_recycle(); + if(*error) { @@ -36831,16 +36348,16 @@ packaging/utils/kernelpatch 2.6 + + SAref = ipsec_sadb.refFreeList[ipsec_sadb.refFreeListHead]; + if(SAref == IPSEC_SAREF_NULL) { -+ KLIPS_PRINT(debug_xform, -+ "klips_debug:ipsec_SAref_alloc: " ++ KLIPS_ERROR(debug_xform, ++ "ipsec_SAref_alloc: " + "unexpected error, refFreeListHead = %d points to invalid entry.\n", + ipsec_sadb.refFreeListHead); -+ *error = -ESPIPE; -+ return IPSEC_SAREF_NULL; ++ *error = -ESPIPE; ++ return IPSEC_SAREF_NULL; + } + + KLIPS_PRINT(debug_xform, -+ "klips_debug:ipsec_SAref_alloc: " ++ "ipsec_SAref_alloc: " + "allocating SAref=%d, table=%u, entry=%u of %u.\n", + SAref, + IPsecSAref2table(SAref), 
@@ -36851,14 +36368,13 @@ packaging/utils/kernelpatch 2.6 + ipsec_sadb.refFreeListHead++; + if(ipsec_sadb.refFreeListHead > ipsec_sadb.refFreeListTail) { + KLIPS_PRINT(debug_xform, -+ "klips_debug:ipsec_SAref_alloc: " ++ "ipsec_SAref_alloc: " + "last FreeList entry allocated, resetting list head to empty.\n"); -+ ipsec_sadb.refFreeListHead = -1; ++ ipsec_sadb.refFreeListHead = IPSEC_SAREF_NULL; + } + + return SAref; +} -+#endif /* IPSEC_SA_REF_CODE */ + +int +ipsec_sa_print(struct ipsec_sa *ips) @@ -36876,11 +36392,8 @@ packaging/utils/kernelpatch 2.6 + if(ips->ips_hnext != NULL) { + printk(" hnext=0p%p", ips->ips_hnext); + } -+ if(ips->ips_inext != NULL) { -+ printk(" inext=0p%p", ips->ips_inext); -+ } -+ if(ips->ips_onext != NULL) { -+ printk(" onext=0p%p", ips->ips_onext); ++ if(ips->ips_next != NULL) { ++ printk(" next=0p%p", ips->ips_next); + } + sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa)); + printk(" said=%s", sa_len ? sa : " (error)"); 
@@ -36939,42 +36452,95 @@ packaging/utils/kernelpatch 2.6 + + if((ips = kmalloc(sizeof(*ips), GFP_ATOMIC) ) == NULL) { + KLIPS_PRINT(debug_xform, -+ "klips_debug:ipsec_sa_alloc: " ++ "ipsec_sa_alloc: " + "memory allocation error\n"); + *error = -ENOMEM; + return NULL; + } + memset((caddr_t)ips, 0, sizeof(*ips)); -+#if IPSEC_SA_REF_CODE -+ ips->ips_ref = ipsec_SAref_alloc(error); /* pass in error return by pointer */ -+ KLIPS_PRINT(debug_xform, -+ "klips_debug:ipsec_sa_alloc: " -+ "allocated %lu bytes for ipsec_sa struct=0p%p ref=%d.\n", -+ (unsigned long) sizeof(*ips), -+ ips, -+ ips->ips_ref); -+ if(ips->ips_ref == IPSEC_SAREF_NULL) { -+ kfree(ips); -+ KLIPS_PRINT(debug_xform, -+ "klips_debug:ipsec_sa_alloc: " -+ "SAref allocation error\n"); -+ return NULL; -+ } + -+ atomic_inc(&ips->ips_refcount); -+ IPsecSAref2SA(ips->ips_ref) = ips; -+#endif /* IPSEC_SA_REF_CODE */ ++ /* return with at least counter = 1 */ ++ ipsec_sa_get(ips); + + *error = 0; + return(ips); +} + ++void ++ipsec_sa_untern(struct ipsec_sa *ips) ++{ ++ IPsecSAref_t ref = ips->ips_ref; ++ int error; ++ ++ /* verify that we are removing correct item! 
*/ ++ error = ipsec_saref_verify_slot(ref); ++ if(error) { ++ return; ++ } ++ ++ if(IPsecSAref2SA(ref) == ips) { ++ IPsecSAref2SA(ref) = NULL; ++ ipsec_sa_put(ips); ++ } else { ++ KLIPS_PRINT(debug_xform, ++ "ipsec_sa_untern: " ++ "ref=%u -> %p but untern'ing %p\n", ref, ++ IPsecSAref2SA(ref), ips); ++ } ++ ++} ++ +int -+ipsec_sa_free(struct ipsec_sa* ips) ++ipsec_sa_intern(struct ipsec_sa *ips) +{ -+ return ipsec_sa_wipe(ips); ++ int error; ++ IPsecSAref_t ref = ips->ips_ref; ++ ++ if(ref == IPSEC_SAREF_NULL) { ++ ref = ipsec_SAref_alloc(&error); /* pass in error return by pointer */ ++ KLIPS_PRINT(debug_xform, ++ "ipsec_sa_intern: " ++ "allocated ref=%u for sa %p\n", ref, ips); ++ ++ if(ref == IPSEC_SAREF_NULL) { ++ KLIPS_PRINT(debug_xform, ++ "ipsec_sa_intern: " ++ "SAref allocation error\n"); ++ return error; ++ } ++ ++ ips->ips_ref = ref; ++ } ++ ++ error = ipsec_saref_verify_slot(ref); ++ if(error) { ++ return error; ++ } ++ ++ ipsec_sa_get(ips); ++ /* ++ * if there is an existing SA at this reference, then free it ++ * note, that nsa might == ips!. That's okay, we just incremented ++ * the reference count above. ++ */ ++ { ++ struct ipsec_sa *nsa = IPsecSAref2SA(ref); ++ if(nsa) { ++ ipsec_sa_put(nsa); ++ } ++ } ++ ++ KLIPS_PRINT(debug_xform, ++ "ipsec_sa_alloc: " ++ "SAref[%d]=%p\n", ++ ips->ips_ref, ips); ++ IPsecSAref2SA(ips->ips_ref) = ips; ++ ++ /* return OK */ ++ return 0; +} + ++ +struct ipsec_sa * +ipsec_sa_getbyid(ip_said *said) +{ @@ -36985,7 +36551,7 @@ packaging/utils/kernelpatch 2.6 + + if(said == NULL) { + KLIPS_PRINT(debug_xform, -+ "klips_error:ipsec_sa_getbyid: " ++ "ipsec_sa_getbyid: " + "null pointer passed in!\n"); + return NULL; + } 
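Review bot: `ipsec_sa_intern` discards the return value of `ipsec_sa_get(ips)`, but per `__ipsec_sa_get` later in this patch that call returns NULL — and drops the reference it just took — when `ips_marked_deleted` is set, so a deleted SA can still be installed into `IPsecSAref2SA(ips->ips_ref)` without any reference backing the table slot. Check the result, e.g. `if(ipsec_sa_get(ips) == NULL) { return -EINVAL; }` (or whatever error the callers expect), before the old occupant is put. The debug line in the same function is also mislabelled `"ipsec_sa_alloc: "` rather than `ipsec_sa_intern`, which will mislead anyone reading klips debug output.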
@@ -36995,14 +36561,14 @@ packaging/utils/kernelpatch 2.6 + hashval = IPS_HASH(said); + + KLIPS_PRINT(debug_xform, -+ "klips_debug:ipsec_sa_getbyid: " ++ "ipsec_sa_getbyid: " + "linked entry in ipsec_sa table for hash=%d of SA:%s requested.\n", + hashval, + sa_len ? sa : " (error)"); + + if((ips = ipsec_sadb_hash[hashval]) == NULL) { + KLIPS_PRINT(debug_xform, -+ "klips_debug:ipsec_sa_getbyid: " ++ "ipsec_sa_getbyid: " + "no entries in ipsec_sa table for hash=%d of SA:%s.\n", + hashval, + sa_len ? sa : " (error)"); 
@@ -37013,45 +36579,109 @@ packaging/utils/kernelpatch 2.6 + if ((ips->ips_said.spi == said->spi) && + (ips->ips_said.dst.u.v4.sin_addr.s_addr == said->dst.u.v4.sin_addr.s_addr) && + (ips->ips_said.proto == said->proto)) { -+ atomic_inc(&ips->ips_refcount); ++ ipsec_sa_get(ips); + return ips; + } + } + + KLIPS_PRINT(debug_xform, -+ "klips_debug:ipsec_sa_getbyid: " ++ "ipsec_sa_getbyid: " + "no entry in linked list for hash=%d of SA:%s.\n", + hashval, + sa_len ? sa : " (error)"); + return NULL; +} + -+int -+ipsec_sa_put(struct ipsec_sa *ips) ++struct ipsec_sa * ++ipsec_sa_getbyref(IPsecSAref_t ref) ++{ ++ struct ipsec_sa *ips; ++ struct IPsecSArefSubTable *st = ipsec_sadb.refTable[IPsecSAref2table(ref)]; ++ ++ if(st == NULL) { ++ return NULL; ++ } ++ ++ ips = st->entry[IPsecSAref2entry(ref)]; ++ if(ips) { ++ ipsec_sa_get(ips); ++ } ++ return ips; ++} ++ ++ ++void ++__ipsec_sa_put(struct ipsec_sa *ips, const char *func, int line) +{ + char sa[SATOT_BUF]; + size_t sa_len; + + if(ips == NULL) { + KLIPS_PRINT(debug_xform, -+ "klips_error:ipsec_sa_put: " ++ "ipsec_sa_put: " + "null pointer passed in!\n"); -+ return -1; ++ return; + } + -+ sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa)); ++ if(debug_xform) { ++ sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa)); + -+ KLIPS_PRINT(debug_xform, -+ "klips_debug:ipsec_sa_put: " -+ "ipsec_sa SA:%s, ref:%d reference count decremented.\n", -+ sa_len ? sa : " (error)", -+ ips->ips_ref); ++ KLIPS_PRINT(debug_xform, ++ "ipsec_sa_put: " ++ "ipsec_sa %p SA:%s, ref:%d reference count (%d--) decremented by %s:%d.\n", ++ ips, ++ sa_len ? 
sa : " (error)", ++ ips->ips_ref, ++ atomic_read(&ips->ips_refcount), ++ func, line); ++ } + -+ atomic_dec(&ips->ips_refcount); ++ if(atomic_dec_and_test(&ips->ips_refcount)) { ++ KLIPS_PRINT(debug_xform, ++ "ipsec_sa_put: freeing %p\n", ++ ips); ++ /* it was zero */ ++ ipsec_sa_wipe(ips); ++ } + -+ return 0; ++ return; +} + ++struct ipsec_sa * ++__ipsec_sa_get(struct ipsec_sa *ips, const char *func, int line) ++{ ++ char sa[SATOT_BUF]; ++ size_t sa_len; ++ ++ if (ips == NULL) ++ return NULL; ++ ++ if(debug_xform) { ++ sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa)); ++ ++ KLIPS_PRINT(debug_xform, ++ "ipsec_sa_get: " ++ "ipsec_sa %p SA:%s, ref:%d reference count (%d++) incremented by %s:%d.\n", ++ ips, ++ sa_len ? sa : " (error)", ++ ips->ips_ref, ++ atomic_read(&ips->ips_refcount), ++ func, line); ++ } ++ ++ atomic_inc(&ips->ips_refcount); ++ ++ // check to make sure we were not deleted ++ if (ips->ips_marked_deleted) { ++ // we cannot use this reference ++ ipsec_sa_put (ips); ++ ips = NULL; ++ } ++ ++ return ips; ++} ++ ++ +/* + The ipsec_sa table better *NOT* be locked before it is handed in, or SMP locks will happen +*/ @@ -37061,6 +36691,8 @@ packaging/utils/kernelpatch 2.6 + int error = 0; + unsigned int hashval; + ++ ips = ipsec_sa_get(ips); ++ + if(ips == NULL) { + KLIPS_PRINT(debug_xform, + "klips_error:ipsec_sa_add: " @@ -37069,7 +36701,6 @@ packaging/utils/kernelpatch 2.6 + } + hashval = IPS_HASH(&ips->ips_said); + -+ atomic_inc(&ips->ips_refcount); + spin_lock_bh(&tdb_lock); + + ips->ips_hnext = ipsec_sadb_hash[hashval]; 
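Review bot: `ipsec_sa_getbyref` indexes `ipsec_sadb.refTable[IPsecSAref2table(ref)]` with no check that `ref` is not `IPSEC_SAREF_NULL` or otherwise out of range; unless `IPsecSAref2table` masks its argument down to the table width (not visible here), a bad ref from the caller reads past the main table. A guard `if(ref == IPSEC_SAREF_NULL) return NULL;` at the top costs nothing and matches how the rest of this patch treats the NULL ref. In `__ipsec_sa_get` the `ips_marked_deleted` test is done after the increment without any lock, so a concurrent delete can still race the check; that may be acceptable, but the comment should say which lock, if any, callers are expected to hold.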
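Review bot: In `ipsec_sa_add` (hunk `@@ -37061`) `ips = ipsec_sa_get(ips);` now precedes the NULL check, so an SA that `__ipsec_sa_get` rejects as marked deleted is reported with the same `"null pointer passed in!"` message and error as a genuine NULL argument, which hides the more interesting failure from whoever reads the log. Keep the NULL test on the original pointer and report the deleted case separately, e.g. `if(ipsec_sa_get(ips) == NULL) { /* marked deleted */ return -ENOENT; }` after it. The function's body continues outside the hunk.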
@@ -37081,9 +36712,71 @@ packaging/utils/kernelpatch 2.6 +} + +/* -+ The ipsec_sa table better be locked before it is handed in, or races might happen -+*/ -+int ++ * remove it from the hash chain, decrementing hash count ++ */ ++void ipsec_sa_rm(struct ipsec_sa *ips) ++{ ++ unsigned int hashval; ++ char sa[SATOT_BUF]; ++ size_t sa_len; ++ ++ ++ if(ips == NULL) { ++ return; ++ } ++ ++ sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa)); ++ ++ hashval = IPS_HASH(&ips->ips_said); ++ ++ KLIPS_PRINT(debug_xform, ++ "klips_debug:ipsec_sa_del: " ++ "unhashing SA:%s (ref=%u), hashval=%d.\n", ++ sa_len ? sa : " (error)", ++ ips->ips_ref, ++ hashval); ++ ++ if(ipsec_sadb_hash[hashval] == NULL) { ++ return; ++ } ++ ++ if (ips == ipsec_sadb_hash[hashval]) { ++ ipsec_sadb_hash[hashval] = ipsec_sadb_hash[hashval]->ips_hnext; ++ ips->ips_hnext = NULL; ++ ipsec_sa_put(ips); ++ KLIPS_PRINT(debug_xform, ++ "klips_debug:ipsec_sa_del: " ++ "successfully unhashed first ipsec_sa in chain.\n"); ++ return; ++ } else { ++ struct ipsec_sa *ipstp; ++ ++ for (ipstp = ipsec_sadb_hash[hashval]; ++ ipstp; ++ ipstp = ipstp->ips_hnext) { ++ if (ipstp->ips_hnext == ips) { ++ ipstp->ips_hnext = ips->ips_hnext; ++ ips->ips_hnext = NULL; ++ ipsec_sa_put(ips); ++ KLIPS_PRINT(debug_xform, ++ "klips_debug:ipsec_sa_del: " ++ "successfully unhashed link in ipsec_sa chain.\n"); ++ return; ++ } ++ } ++ } ++} ++ ++ ++#if 0 ++/* ++ * The ipsec_sa table better be locked before it is handed in, ++ * or races might happen. ++ * ++ * this routine assumes the SA has a refcount==0, and we free it. ++ * we also assume that the pointers are already cleaned up. ++ */ ++static int +ipsec_sa_del(struct ipsec_sa *ips) +{ + unsigned int hashval; 
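Review bot: ipsec_sa_rm walks and rewrites ipsec_sadb_hash[hashval] without taking tdb_lock, and the "table better be locked" precondition that the old ipsec_sa_del comment carried has been dropped rather than moved, so the locking contract of the new function is undocumented; add above it `/* caller must hold tdb_lock: unlinks ips from its hash chain and drops the chain's reference */`. Its three KLIPS_PRINT strings are still tagged `klips_debug:ipsec_sa_del:` although the function is ipsec_sa_rm, which will mislead anyone tracing SA teardown from debug logs; rename them to `klips_debug:ipsec_sa_rm:`. Note also that an ips not found in its chain returns silently with no reference dropped, which is correct only if no caller relies on ipsec_sa_rm to release a reference for an SA that was never hashed. The `#if 0` block opened at the end of the hunk closes outside it.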
@@ -37092,33 +36785,38 @@ packaging/utils/kernelpatch 2.6 + size_t sa_len; + + if(ips == NULL) { -+ KLIPS_PRINT(debug_xform, ++ KLIPS_ERROR(debug_xform, + "klips_error:ipsec_sa_del: " + "null pointer passed in!\n"); + return -ENODATA; + } -+ -+ sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa)); -+ if(ips->ips_inext || ips->ips_onext) { -+ KLIPS_PRINT(debug_xform, -+ "klips_error:ipsec_sa_del: " -+ "SA:%s still linked!\n", -+ sa_len ? sa : " (error)"); -+ return -EMLINK; ++ ++ if(ips->ips_next) { ++ struct ipsec_sa *in = ips->ips_next; ++ ++ ips->ips_next=NULL; ++ ipsec_sa_put(in); + } + ++ sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa)); + hashval = IPS_HASH(&ips->ips_said); + + KLIPS_PRINT(debug_xform, + "klips_debug:ipsec_sa_del: " -+ "deleting SA:%s, hashval=%d.\n", ++ "deleting SA:%s (ref=%u), hashval=%d.\n", + sa_len ? sa : " (error)", ++ ips->ips_ref, + hashval); ++ + if(ipsec_sadb_hash[hashval] == NULL) { ++ /* if this is NULL, then we can be sure that the SA was never ++ * added to the SADB, so we just free it. ++ */ + KLIPS_PRINT(debug_xform, + "klips_debug:ipsec_sa_del: " -+ "no entries in ipsec_sa table for hash=%d of SA:%s.\n", ++ "no entries in ipsec_sa table for hash=%d (ref=%u) of SA:%s.\n", + hashval, ++ ips->ips_ref, + sa_len ? sa : " (error)"); + return -ENOENT; + } @@ -37126,7 +36824,8 @@ packaging/utils/kernelpatch 2.6 + if (ips == ipsec_sadb_hash[hashval]) { + ipsec_sadb_hash[hashval] = ipsec_sadb_hash[hashval]->ips_hnext; + ips->ips_hnext = NULL; -+ atomic_dec(&ips->ips_refcount); ++ ++ ipsec_sa_put(ips); + KLIPS_PRINT(debug_xform, + "klips_debug:ipsec_sa_del: " + "successfully deleted first ipsec_sa in chain.\n"); @@ -37138,7 +36837,7 @@ packaging/utils/kernelpatch 2.6 + if (ipstp->ips_hnext == ips) { + ipstp->ips_hnext = ips->ips_hnext; + ips->ips_hnext = NULL; -+ atomic_dec(&ips->ips_refcount); ++ ipsec_sa_put(ips); + KLIPS_PRINT(debug_xform, + "klips_debug:ipsec_sa_del: " + "successfully deleted link in ipsec_sa chain.\n"); 
@@ -37154,80 +36853,17 @@ packaging/utils/kernelpatch 2.6 + sa_len ? sa : " (error)"); + return -ENOENT; +} -+ -+/* -+ The ipsec_sa table better be locked before it is handed in, or races -+ might happen -+*/ -+int -+ipsec_sa_delchain(struct ipsec_sa *ips) -+{ -+ struct ipsec_sa *ipsdel; -+ int error = 0; -+ char sa[SATOT_BUF]; -+ size_t sa_len; -+ -+ if(ips == NULL) { -+ KLIPS_PRINT(debug_xform, -+ "klips_error:ipsec_sa_delchain: " -+ "null pointer passed in!\n"); -+ return -ENODATA; -+ } -+ -+ sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa)); -+ KLIPS_PRINT(debug_xform, -+ "klips_debug:ipsec_sa_delchain: " -+ "passed SA:%s\n", -+ sa_len ? sa : " (error)"); -+ while(ips->ips_onext != NULL) { -+ ips = ips->ips_onext; -+ } -+ -+ while(ips) { -+ /* XXX send a pfkey message up to advise of deleted ipsec_sa */ -+ sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa)); -+ KLIPS_PRINT(debug_xform, -+ "klips_debug:ipsec_sa_delchain: " -+ "unlinking and delting SA:%s", -+ sa_len ? sa : " (error)"); -+ ipsdel = ips; -+ ips = ips->ips_inext; -+ if(ips != NULL) { -+ sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa)); -+ KLIPS_PRINT(debug_xform, -+ ", inext=%s", -+ sa_len ? 
sa : " (error)"); -+ atomic_dec(&ipsdel->ips_refcount); -+ ipsdel->ips_inext = NULL; -+ atomic_dec(&ips->ips_refcount); -+ ips->ips_onext = NULL; -+ } -+ KLIPS_PRINT(debug_xform, -+ ".\n"); -+ if((error = ipsec_sa_del(ipsdel))) { -+ KLIPS_PRINT(debug_xform, -+ "klips_debug:ipsec_sa_delchain: " -+ "ipsec_sa_del returned error %d.\n", -error); -+ return error; -+ } -+ if((error = ipsec_sa_wipe(ipsdel))) { -+ KLIPS_PRINT(debug_xform, -+ "klips_debug:ipsec_sa_delchain: " -+ "ipsec_sa_wipe returned error %d.\n", -error); -+ return error; -+ } -+ } -+ return error; -+} ++#endif + +int +ipsec_sadb_cleanup(__u8 proto) +{ + unsigned i; + int error = 0; -+ struct ipsec_sa *ips, **ipsprev, *ipsdel; -+ char sa[SATOT_BUF]; -+ size_t sa_len; ++ struct ipsec_sa *ips; ++ //struct ipsec_sa *ipsnext, **ipsprev; ++ //char sa[SATOT_BUF]; ++ //size_t sa_len; + + KLIPS_PRINT(debug_xform, + "klips_debug:ipsec_sadb_cleanup: " 
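Review bot: The commented-out declarations `//struct ipsec_sa *ipsnext, **ipsprev;`, `//char sa[SATOT_BUF];` and `//size_t sa_len;` at the top of ipsec_sadb_cleanup are dead text and should be deleted rather than parked behind `//`; the rewritten loop no longer references any of them. The function body continues into the next hunk, where the matching `//errlab:` label remnant should go the same way.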
@@ -37237,88 +36873,18 @@ packaging/utils/kernelpatch 2.6 + spin_lock_bh(&tdb_lock); + + for (i = 0; i < SADB_HASHMOD; i++) { -+ ipsprev = &(ipsec_sadb_hash[i]); + ips = ipsec_sadb_hash[i]; -+ if(ips != NULL) { -+ atomic_inc(&ips->ips_refcount); -+ } -+ for(; ips != NULL;) { -+ sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa)); -+ KLIPS_PRINT(debug_xform, -+ "klips_debug:ipsec_sadb_cleanup: " -+ "checking SA:%s, hash=%d, ref=%d", -+ sa_len ? sa : " (error)", -+ i, -+ ips->ips_ref); -+ ipsdel = ips; -+ ips = ipsdel->ips_hnext; -+ if(ips != NULL) { -+ atomic_inc(&ips->ips_refcount); -+ sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa)); -+ KLIPS_PRINT(debug_xform, -+ ", hnext=%s", -+ sa_len ? sa : " (error)"); -+ } -+ if(*ipsprev != NULL) { -+ sa_len = satot(&(*ipsprev)->ips_said, 0, sa, sizeof(sa)); -+ KLIPS_PRINT(debug_xform, -+ ", *ipsprev=%s", -+ sa_len ? sa : " (error)"); -+ if((*ipsprev)->ips_hnext) { -+ sa_len = satot(&(*ipsprev)->ips_hnext->ips_said, 0, sa, sizeof(sa)); -+ KLIPS_PRINT(debug_xform, -+ ", *ipsprev->ips_hnext=%s", -+ sa_len ? sa : " (error)"); -+ } -+ } -+ KLIPS_PRINT(debug_xform, -+ ".\n"); -+ if(proto == 0 || (proto == ipsdel->ips_said.proto)) { -+ sa_len = satot(&ipsdel->ips_said, 0, sa, sizeof(sa)); -+ KLIPS_PRINT(debug_xform, -+ "klips_debug:ipsec_sadb_cleanup: " -+ "deleting SA chain:%s.\n", -+ sa_len ? sa : " (error)"); -+ if((error = ipsec_sa_delchain(ipsdel))) { -+ SENDERR(-error); -+ } -+ ipsprev = &(ipsec_sadb_hash[i]); -+ ips = ipsec_sadb_hash[i]; ++ ++ while(ips) { ++ ipsec_sadb_hash[i]=ips->ips_hnext; ++ ips->ips_hnext=NULL; ++ ipsec_sa_put(ips); + -+ KLIPS_PRINT(debug_xform, -+ "klips_debug:ipsec_sadb_cleanup: " -+ "deleted SA chain:%s", -+ sa_len ? sa : " (error)"); -+ if(ips != NULL) { -+ sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa)); -+ KLIPS_PRINT(debug_xform, -+ ", ipsec_sadb_hash[%d]=%s", -+ i, -+ sa_len ? 
sa : " (error)"); -+ } -+ if(*ipsprev != NULL) { -+ sa_len = satot(&(*ipsprev)->ips_said, 0, sa, sizeof(sa)); -+ KLIPS_PRINT(debug_xform, -+ ", *ipsprev=%s", -+ sa_len ? sa : " (error)"); -+ if((*ipsprev)->ips_hnext != NULL) { -+ sa_len = satot(&(*ipsprev)->ips_hnext->ips_said, 0, sa, sizeof(sa)); -+ KLIPS_PRINT(debug_xform, -+ ", *ipsprev->ips_hnext=%s", -+ sa_len ? sa : " (error)"); -+ } -+ } -+ KLIPS_PRINT(debug_xform, -+ ".\n"); -+ } else { -+ ipsprev = &ipsdel; -+ } -+ if(ipsdel != NULL) { -+ ipsec_sa_put(ipsdel); -+ } ++ ips = ipsec_sadb_hash[i]; + } + } -+ errlab: ++ ++//errlab: + + spin_unlock_bh(&tdb_lock); + @@ -37347,7 +36913,8 @@ packaging/utils/kernelpatch 2.6 + } + for(entry = 0; entry < IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES; entry++) { + if(ipsec_sadb.refTable[table]->entry[entry] != NULL) { -+ ipsec_sa_delchain(ipsec_sadb.refTable[table]->entry[entry]); ++ struct ipsec_sa *sa1 = ipsec_sadb.refTable[table]->entry[entry]; ++ ipsec_sa_put(sa1); + ipsec_sadb.refTable[table]->entry[entry] = NULL; + } + } @@ -37390,7 +36957,10 @@ packaging/utils/kernelpatch 2.6 + } + for(entry = 0; entry < IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES; entry++) { + if(ipsec_sadb.refTable[table]->entry[entry] != NULL) { -+ ipsec_sa_delchain(ipsec_sadb.refTable[table]->entry[entry]); ++ struct ipsec_sa *sa1 = ipsec_sadb.refTable[table]->entry[entry]; ++ ++ BUG_ON(atomic_read(&sa1->ips_refcount) == 1); ++ ipsec_sa_put(sa1); + ipsec_sadb.refTable[table]->entry[entry] = NULL; + } + } 
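Review bot: The rewritten loop in ipsec_sadb_cleanup ignores the proto parameter: the old code unhashed only SAs satisfying `proto == 0 || proto == ipsdel->ips_said.proto`, whereas the new while loop unhashes and puts every SA in every bucket, so a caller asking to flush one protocol now flushes the whole SADB. Unless every caller passes 0 (not visible here), the selective behaviour should be restored with a prev-pointer walk, as below. Each ipsec_sa_put here may run ipsec_sa_wipe and kfree while spin_lock_bh(&tdb_lock) is held, which is acceptable only as long as ipsec_sa_wipe does nothing that can sleep; a comment stating that constraint would help. The `//errlab:` label remnant should be removed, and the function's start lies in the previous hunk.
```c
	for (i = 0; i < SADB_HASHMOD; i++) {
		struct ipsec_sa **prev = &ipsec_sadb_hash[i];

		ips = *prev;
		while(ips) {
			if(proto != 0 && proto != ips->ips_said.proto) {
				/* keep this SA; advance past it */
				prev = &ips->ips_hnext;
				ips = *prev;
				continue;
			}
			*prev = ips->ips_hnext;
			ips->ips_hnext = NULL;
			ipsec_sa_put(ips);
			ips = *prev;
		}
	}
	/* … unchanged: spin_unlock_bh(&tdb_lock) and return … */
```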
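Review bot: `BUG_ON(atomic_read(&sa1->ips_refcount) == 1)` immediately before `ipsec_sa_put(sa1)` panics the kernel whenever the SAref table holds the last reference to an SA — exactly the state in which this put would be the one to free it — and the hunk gives no reason why that state cannot occur here. A refcount inconsistency during cleanup is a log-and-continue situation, not a crash-the-firewall one: prefer `WARN_ON` (or a KLIPS_ERROR) and proceed, and document the invariant the check is meant to enforce in a comment above it. The enclosing function begins and ends outside the hunk, so I cannot see whether this path only runs at module unload.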
@@ -37402,42 +36972,13 @@ packaging/utils/kernelpatch 2.6 + return(error); +} + -+int ++static int +ipsec_sa_wipe(struct ipsec_sa *ips) +{ + if(ips == NULL) { + return -ENODATA; + } + -+ /* if(atomic_dec_and_test(ips)) { -+ }; */ -+ -+#if IPSEC_SA_REF_CODE -+ /* remove me from the SArefTable */ -+ { -+ char sa[SATOT_BUF]; -+ size_t sa_len; -+ sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa)); -+ KLIPS_PRINT(debug_xform, -+ "klips_debug:ipsec_sa_wipe: " -+ "removing SA=%s(0p%p), SAref=%d, table=%d(0p%p), entry=%d from the refTable.\n", -+ sa_len ? sa : " (error)", -+ ips, -+ ips->ips_ref, -+ IPsecSAref2table(IPsecSA2SAref(ips)), -+ ipsec_sadb.refTable[IPsecSAref2table(IPsecSA2SAref(ips))], -+ IPsecSAref2entry(IPsecSA2SAref(ips))); -+ } -+ if(ips->ips_ref == IPSEC_SAREF_NULL) { -+ KLIPS_PRINT(debug_xform, -+ "klips_debug:ipsec_sa_wipe: " -+ "why does this SA not have a valid SAref?.\n"); -+ } -+ ipsec_sadb.refTable[IPsecSAref2table(IPsecSA2SAref(ips))]->entry[IPsecSAref2entry(IPsecSA2SAref(ips))] = NULL; -+ ips->ips_ref = IPSEC_SAREF_NULL; -+ ipsec_sa_put(ips); -+#endif /* IPSEC_SA_REF_CODE */ -+ + /* paranoid clean up */ + if(ips->ips_addr_s != NULL) { + memset((caddr_t)(ips->ips_addr_s), 0, ips->ips_addr_s_size); @@ -37511,6 +37052,8 @@ packaging/utils/kernelpatch 2.6 + ipsec_alg_sa_wipe(ips); + } + ++ BUG_ON(atomic_read(&ips->ips_refcount) != 0); ++ + memset((caddr_t)ips, 0, sizeof(*ips)); + kfree(ips); + ips = NULL; @@ -37554,9 +37097,9 @@ packaging/utils/kernelpatch 2.6 + IPS_XFORM_NAME(ipsp)); + + switch(ipsp->ips_said.proto) { -+ +#ifdef CONFIG_KLIPS_IPIP + case IPPROTO_IPIP: { ++ ipsp->ips_xformfuncs = ipip_xform_funcs; + addrtoa(((struct sockaddr_in*)(ipsp->ips_addr_s))->sin_addr, + 0, + ipaddr_txt, sizeof(ipaddr_txt)); @@ -37574,6 +37117,8 @@ packaging/utils/kernelpatch 2.6 + +#ifdef CONFIG_KLIPS_AH + case IPPROTO_AH: ++ ipsp->ips_xformfuncs = ah_xform_funcs; ++ + switch(ipsp->ips_authalg) { +# ifdef CONFIG_KLIPS_AUTH_HMAC_MD5 + case AH_MD5: { 
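Review bot: ipsec_sa_wipe no longer clears `ipsec_sadb.refTable[...]->entry[...]` or resets `ips_ref`, which the removed `#if IPSEC_SA_REF_CODE` block used to do before dropping the table's reference. Unless the caller of the final ipsec_sa_put now clears the SAref slot itself (not visible in this chunk), the slot keeps a pointer to memory that is memset and kfree'd a few lines further down, and ipsec_sa_getbyref would hand that freed memory back on the next lookup of the same SAref. If the slot is cleared elsewhere, a one-line comment at the top of ipsec_sa_wipe stating that the caller owns the refTable entry and that refcount must already be 0 (as the added BUG_ON asserts) would make the new ownership rule explicit. ipsec_sa_wipe is now static, so the build will flag any remaining external caller; the function's end lies outside the hunk.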
@@ -37748,6 +37293,7 @@ packaging/utils/kernelpatch 2.6 + +#ifdef CONFIG_KLIPS_ESP + case IPPROTO_ESP: ++ ipsp->ips_xformfuncs = esp_xform_funcs; + { +#if defined (CONFIG_KLIPS_AUTH_HMAC_MD5) || defined (CONFIG_KLIPS_AUTH_HMAC_SHA1) + unsigned char *akp; @@ -37759,7 +37305,7 @@ packaging/utils/kernelpatch 2.6 + + if (ixt_e == NULL) { + if(printk_ratelimit()) { -+ printk(KERN_INFO ++ printk(KERN_ERR + "ipsec_sa_init: " + "encalg=%d support not available in the kernel", + ipsp->ips_encalg); @@ -37959,6 +37505,7 @@ packaging/utils/kernelpatch 2.6 +#endif /* !CONFIG_KLIPS_ESP */ +#ifdef CONFIG_KLIPS_IPCOMP + case IPPROTO_COMP: ++ ipsp->ips_xformfuncs = ipcomp_xform_funcs; + ipsp->ips_comp_adapt_tries = 0; + ipsp->ips_comp_adapt_skip = 0; + ipsp->ips_comp_ratio_cbytes = 0; 
@@ -37976,388 +37523,14 @@ packaging/utils/kernelpatch 2.6 + return(error); +} + -+ -+ +/* -+ * $Log: ipsec_sa.c,v $ -+ * Revision 1.30.2.2 2006/10/06 21:39:26 paul -+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not -+ * set. This is defined through autoconf.h which is included through the -+ * linux kernel build macros. -+ * -+ * Revision 1.30.2.1 2006/04/20 16:33:07 mcr -+ * remove all of CONFIG_KLIPS_ALG --- one can no longer build without it. -+ * Fix in-kernel module compilation. Sub-makefiles do not work. -+ * -+ * Revision 1.30 2005/05/24 01:02:35 mcr -+ * some refactoring/simplification of situation where alg -+ * is not found. -+ * -+ * Revision 1.29 2005/05/18 19:13:28 mcr -+ * rename debug messages. make sure that algo not found is not -+ * a debug message. -+ * -+ * Revision 1.28 2005/05/11 01:30:20 mcr -+ * removed "poor-man"s OOP in favour of proper C structures. -+ * -+ * Revision 1.27 2005/04/29 05:10:22 mcr -+ * removed from extraenous includes to make unit testing easier. -+ * -+ * Revision 1.26 2005/04/14 20:56:24 mcr -+ * moved (pfkey_)ipsec_sa_init to ipsec_sa.c. -+ * -+ * Revision 1.25 2004/08/22 20:12:16 mcr -+ * one more KLIPS_NAT->IPSEC_NAT. -+ * -+ * Revision 1.24 2004/07/10 19:11:18 mcr -+ * CONFIG_IPSEC -> CONFIG_KLIPS. -+ * -+ * Revision 1.23 2004/04/06 02:49:26 mcr -+ * pullup of algo code from alg-branch. -+ * -+ * Revision 1.22.2.1 2003/12/22 15:25:52 jjo -+ * . Merged algo-0.8.1-rc11-test1 into alg-branch -+ * -+ * Revision 1.22 2003/12/10 01:14:27 mcr -+ * NAT-traversal patches to KLIPS. -+ * -+ * Revision 1.21 2003/10/31 02:27:55 mcr -+ * pulled up port-selector patches and sa_id elimination. -+ * -+ * Revision 1.20.4.1 2003/10/29 01:30:41 mcr -+ * elimited "struct sa_id". -+ * -+ * Revision 1.20 2003/02/06 01:50:34 rgb -+ * Fixed initialisation bug for first sadb hash bucket that would only manifest itself on platforms where NULL != 0. 
-+ * -+ * Revision 1.19 2003/01/30 02:32:22 rgb -+ * -+ * Rename SAref table macro names for clarity. -+ * Transmit error code through to caller from callee for better diagnosis of problems. -+ * Convert IPsecSAref_t from signed to unsigned to fix apparent SAref exhaustion bug. -+ * -+ * Revision 1.18 2002/10/12 23:11:53 dhr -+ * -+ * [KenB + DHR] more 64-bit cleanup -+ * -+ * Revision 1.17 2002/10/07 18:31:43 rgb -+ * Move field width sanity checks to ipsec_sa.c -+ * -+ * Revision 1.16 2002/09/20 15:41:02 rgb -+ * Re-wrote most of the SAref code to eliminate Entry pointers. -+ * Added SAref code compiler directive switch. -+ * Added a saref test function for testing macros. -+ * Switch from pfkey_alloc_ipsec_sa() to ipsec_sa_alloc(). -+ * Split ipsec_sadb_cleanup from new funciton ipsec_sadb_free to avoid problem -+ * of freeing newly created structures when clearing the reftable upon startup -+ * to start from a known state. -+ * Place all ipsec sadb globals into one struct. -+ * Rework saref freelist. -+ * Added memory allocation debugging. -+ * -+ * Revision 1.15 2002/09/20 05:01:44 rgb -+ * Update copyright date. -+ * -+ * Revision 1.14 2002/08/13 19:01:25 mcr -+ * patches from kenb to permit compilation of FreeSWAN on ia64. -+ * des library patched to use proper DES_LONG type for ia64. -+ * -+ * Revision 1.13 2002/07/29 03:06:20 mcr -+ * get rid of variable not used warnings. -+ * -+ * Revision 1.12 2002/07/26 08:48:31 rgb -+ * Added SA ref table code. -+ * -+ * Revision 1.11 2002/06/04 16:48:49 rgb -+ * Tidied up pointer code for processor independance. -+ * -+ * Revision 1.10 2002/05/23 07:16:17 rgb -+ * Added ipsec_sa_put() for releasing an ipsec_sa refcount. -+ * Pointer clean-up. -+ * Added refcount code. -+ * Convert "usecount" to "refcount" to remove ambiguity. -+ * -+ * Revision 1.9 2002/05/14 02:34:49 rgb -+ * Converted reference from ipsec_sa_put to ipsec_sa_add to avoid confusion -+ * with "put" usage in the kernel. 
-+ * Change all references to tdb, TDB or Tunnel Descriptor Block to ips, -+ * ipsec_sa or ipsec_sa. -+ * Added some preliminary refcount code. -+ * -+ * Revision 1.8 2002/04/24 07:55:32 mcr -+ * #include patches and Makefiles for post-reorg compilation. -+ * -+ * Revision 1.7 2002/04/24 07:36:30 mcr -+ * Moved from ./klips/net/ipsec/ipsec_sa.c,v -+ * -+ * Revision 1.6 2002/04/20 00:12:25 rgb -+ * Added esp IV CBC attack fix, disabled. -+ * -+ * Revision 1.5 2002/01/29 17:17:56 mcr -+ * moved include of ipsec_param.h to after include of linux/kernel.h -+ * otherwise, it seems that some option that is set in ipsec_param.h -+ * screws up something subtle in the include path to kernel.h, and -+ * it complains on the snprintf() prototype. -+ * -+ * Revision 1.4 2002/01/29 04:00:52 mcr -+ * more excise of kversions.h header. -+ * -+ * Revision 1.3 2002/01/29 02:13:18 mcr -+ * introduction of ipsec_kversion.h means that include of -+ * ipsec_param.h must preceed any decisions about what files to -+ * include to deal with differences in kernel source. -+ * -+ * Revision 1.2 2001/11/26 09:16:15 rgb -+ * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes. -+ * -+ * Revision 1.1.2.2 2001/10/22 21:05:41 mcr -+ * removed phony prototype for des_set_key. -+ * -+ * Revision 1.1.2.1 2001/09/25 02:24:57 mcr -+ * struct tdb -> struct ipsec_sa. -+ * sa(tdb) manipulation functions renamed and moved to ipsec_sa.c -+ * ipsec_xform.c removed. header file still contains useful things. -+ * -+ * -+ * -+ * CLONED from ipsec_xform.c: -+ * Revision 1.53 2001/09/08 21:13:34 rgb -+ * Added pfkey ident extension support for ISAKMPd. (NetCelo) -+ * -+ * Revision 1.52 2001/06/14 19:35:11 rgb -+ * Update copyright date. -+ * -+ * Revision 1.51 2001/05/30 08:14:03 rgb -+ * Removed vestiges of esp-null transforms. -+ * -+ * Revision 1.50 2001/05/03 19:43:18 rgb -+ * Initialise error return variable. -+ * Update SENDERR macro. -+ * Fix sign of error return code for ipsec_tdbcleanup(). 
-+ * Use more appropriate return code for ipsec_tdbwipe(). -+ * -+ * Revision 1.49 2001/04/19 18:56:17 rgb -+ * Fixed tdb table locking comments. -+ * -+ * Revision 1.48 2001/02/27 22:24:55 rgb -+ * Re-formatting debug output (line-splitting, joining, 1arg/line). -+ * Check for satoa() return codes. -+ * -+ * Revision 1.47 2000/11/06 04:32:08 rgb -+ * Ditched spin_lock_irqsave in favour of spin_lock_bh. -+ * -+ * Revision 1.46 2000/09/20 16:21:57 rgb -+ * Cleaned up ident string alloc/free. -+ * -+ * Revision 1.45 2000/09/08 19:16:51 rgb -+ * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG. -+ * Removed all references to CONFIG_IPSEC_PFKEYv2. -+ * -+ * Revision 1.44 2000/08/30 05:29:04 rgb -+ * Compiler-define out no longer used tdb_init() in ipsec_xform.c. -+ * -+ * Revision 1.43 2000/08/18 21:30:41 rgb -+ * Purged all tdb_spi, tdb_proto and tdb_dst macros. They are unclear. -+ * -+ * Revision 1.42 2000/08/01 14:51:51 rgb -+ * Removed _all_ remaining traces of DES. -+ * -+ * Revision 1.41 2000/07/28 14:58:31 rgb -+ * Changed kfree_s to kfree, eliminating extra arg to fix 2.4.0-test5. -+ * -+ * Revision 1.40 2000/06/28 05:50:11 rgb -+ * Actually set iv_bits. -+ * -+ * Revision 1.39 2000/05/10 23:11:09 rgb -+ * Added netlink debugging output. -+ * Added a cast to quiet down the ntohl bug. -+ * -+ * Revision 1.38 2000/05/10 19:18:42 rgb -+ * Cast output of ntohl so that the broken prototype doesn't make our -+ * compile noisy. -+ * -+ * Revision 1.37 2000/03/16 14:04:59 rgb -+ * Hardwired CONFIG_IPSEC_PFKEYv2 on. -+ * -+ * Revision 1.36 2000/01/26 10:11:28 rgb -+ * Fixed spacing in error text causing run-in words. -+ * -+ * Revision 1.35 2000/01/21 06:17:16 rgb -+ * Tidied up compiler directive indentation for readability. -+ * Added ictx,octx vars for simplification.(kravietz) -+ * Added macros for HMAC padding magic numbers.(kravietz) -+ * Fixed missing key length reporting bug. -+ * Fixed bug in tdbwipe to return immediately on NULL tdbp passed in. 
-+ * -+ * Revision 1.34 1999/12/08 00:04:19 rgb -+ * Fixed SA direction overwriting bug for netlink users. -+ * -+ * Revision 1.33 1999/12/01 22:16:44 rgb -+ * Minor formatting changes in ESP MD5 initialisation. -+ * -+ * Revision 1.32 1999/11/25 09:06:36 rgb -+ * Fixed error return messages, should be returning negative numbers. -+ * Implemented SENDERR macro for propagating error codes. -+ * Added debug message and separate error code for algorithms not compiled -+ * in. -+ * -+ * Revision 1.31 1999/11/23 23:06:26 rgb -+ * Sort out pfkey and freeswan headers, putting them in a library path. -+ * -+ * Revision 1.30 1999/11/18 04:09:20 rgb -+ * Replaced all kernel version macros to shorter, readable form. -+ * -+ * Revision 1.29 1999/11/17 15:53:40 rgb -+ * Changed all occurrences of #include "../../../lib/freeswan.h" -+ * to #include which works due to -Ilibfreeswan in the -+ * klips/net/ipsec/Makefile. -+ * -+ * Revision 1.28 1999/10/18 20:04:01 rgb -+ * Clean-out unused cruft. -+ * -+ * Revision 1.27 1999/10/03 19:01:03 rgb -+ * Spinlock support for 2.3.xx and 2.0.xx kernels. -+ * -+ * Revision 1.26 1999/10/01 16:22:24 rgb -+ * Switch from assignment init. to functional init. of spinlocks. -+ * -+ * Revision 1.25 1999/10/01 15:44:54 rgb -+ * Move spinlock header include to 2.1> scope. -+ * -+ * Revision 1.24 1999/10/01 00:03:46 rgb -+ * Added tdb structure locking. -+ * Minor formatting changes. -+ * Add function to initialize tdb hash table. -+ * -+ * Revision 1.23 1999/05/25 22:42:12 rgb -+ * Add deltdbchain() debugging. -+ * -+ * Revision 1.22 1999/05/25 21:24:31 rgb -+ * Add debugging statements to deltdbchain(). -+ * -+ * Revision 1.21 1999/05/25 03:51:48 rgb -+ * Refix error return code. -+ * -+ * Revision 1.20 1999/05/25 03:34:07 rgb -+ * Fix error return for flush. -+ * -+ * Revision 1.19 1999/05/09 03:25:37 rgb -+ * Fix bug introduced by 2.2 quick-and-dirty patch. 
-+ * -+ * Revision 1.18 1999/05/05 22:02:32 rgb -+ * Add a quick and dirty port to 2.2 kernels by Marc Boucher . -+ * -+ * Revision 1.17 1999/04/29 15:20:16 rgb -+ * Change gettdb parameter to a pointer to reduce stack loading and -+ * facilitate parameter sanity checking. -+ * Add sanity checking for null pointer arguments. -+ * Add debugging instrumentation. -+ * Add function deltdbchain() which will take care of unlinking, -+ * zeroing and deleting a chain of tdbs. -+ * Add a parameter to tdbcleanup to be able to delete a class of SAs. -+ * tdbwipe now actually zeroes the tdb as well as any of its pointed -+ * structures. -+ * -+ * Revision 1.16 1999/04/16 15:36:29 rgb -+ * Fix cut-and-paste error causing a memory leak in IPIP TDB freeing. -+ * -+ * Revision 1.15 1999/04/11 00:29:01 henry -+ * GPL boilerplate -+ * -+ * Revision 1.14 1999/04/06 04:54:28 rgb -+ * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes -+ * patch shell fixes. -+ * -+ * Revision 1.13 1999/02/19 18:23:01 rgb -+ * Nix debug off compile warning. -+ * -+ * Revision 1.12 1999/02/17 16:52:16 rgb -+ * Consolidate satoa()s for space and speed efficiency. -+ * Convert DEBUG_IPSEC to KLIPS_PRINT -+ * Clean out unused cruft. -+ * Ditch NET_IPIP dependancy. -+ * Loop for 3des key setting. -+ * -+ * Revision 1.11 1999/01/26 02:09:05 rgb -+ * Remove ah/esp/IPIP switching on include files. -+ * Removed CONFIG_IPSEC_ALGO_SWITCH macro. -+ * Removed dead code. -+ * Clean up debug code when switched off. -+ * Remove references to INET_GET_PROTOCOL. -+ * Added code exclusion macros to reduce code from unused algorithms. -+ * -+ * Revision 1.10 1999/01/22 06:28:55 rgb -+ * Cruft clean-out. -+ * Put random IV generation in kernel. -+ * Added algorithm switch code. -+ * Enhanced debugging. -+ * 64-bit clean-up. -+ * -+ * Revision 1.9 1998/11/30 13:22:55 rgb -+ * Rationalised all the klips kernel file headers. They are much shorter -+ * now and won't conflict under RH5.2. 
-+ * -+ * Revision 1.8 1998/11/25 04:59:06 rgb -+ * Add conditionals for no IPIP tunnel code. -+ * Delete commented out code. -+ * -+ * Revision 1.7 1998/10/31 06:50:41 rgb -+ * Convert xform ASCII names to no spaces. -+ * Fixed up comments in #endif directives. -+ * -+ * Revision 1.6 1998/10/19 14:44:28 rgb -+ * Added inclusion of freeswan.h. -+ * sa_id structure implemented and used: now includes protocol. -+ * -+ * Revision 1.5 1998/10/09 04:32:19 rgb -+ * Added 'klips_debug' prefix to all klips printk debug statements. -+ * -+ * Revision 1.4 1998/08/12 00:11:31 rgb -+ * Added new xform functions to the xform table. -+ * Fixed minor debug output spelling error. -+ * -+ * Revision 1.3 1998/07/09 17:45:31 rgb -+ * Clarify algorithm not available message. -+ * -+ * Revision 1.2 1998/06/23 03:00:51 rgb -+ * Check for presence of IPIP protocol if it is setup one way (we don't -+ * know what has been set up the other way and can only assume it will be -+ * symmetrical with the exception of keys). -+ * -+ * Revision 1.1 1998/06/18 21:27:51 henry -+ * move sources from klips/src to klips/net/ipsec, to keep stupid -+ * kernel-build scripts happier in the presence of symlinks -+ * -+ * Revision 1.3 1998/06/11 05:54:59 rgb -+ * Added transform version string pointer to xformsw initialisations. -+ * -+ * Revision 1.2 1998/04/21 21:28:57 rgb -+ * Rearrange debug switches to change on the fly debug output from user -+ * space. Only kernel changes checked in at this time. radij.c was also -+ * changed to temporarily remove buggy debugging code in rj_delete causing -+ * an OOPS and hence, netlink device open errors. -+ * -+ * Revision 1.1 1998/04/09 03:06:13 henry -+ * sources moved up from linux/net/ipsec -+ * -+ * Revision 1.1.1.1 1998/04/08 05:35:02 henry -+ * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8 -+ * -+ * Revision 0.5 1997/06/03 04:24:48 ji -+ * Added ESP-3DES-MD5-96 -+ * -+ * Revision 0.4 1997/01/15 01:28:15 ji -+ * Added new transforms. 
-+ * -+ * Revision 0.3 1996/11/20 14:39:04 ji -+ * Minor cleanups. -+ * Rationalized debugging code. -+ * -+ * Revision 0.2 1996/11/02 00:18:33 ji -+ * First limited release. + * ++ * Local Variables: ++ * c-file-style: "linux" ++ * End: + * + */ ++ --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/net/ipsec/ipsec_sha1.c Mon Feb 9 13:51:03 2004 @@ -0,0 +1,219 @@ @@ -38582,7 +37755,7 @@ packaging/utils/kernelpatch 2.6 + */ --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/net/ipsec/ipsec_snprintf.c Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,135 @@ +@@ -0,0 +1,130 @@ +/* + * @(#) ipsec_snprintf() function + * @@ -38639,8 +37812,8 @@ packaging/utils/kernelpatch 2.6 + +#include "openswan/ipsec_proto.h" + -+#include -+#include ++#include ++#include + +/* ipsec_snprintf: like snprintf except + * - size is signed and a negative value is treated as if it were 0 @@ -38700,11 +37873,6 @@ packaging/utils/kernelpatch 2.6 +/* + * + * $Log: ipsec_snprintf.c,v $ -+ * Revision 1.3.2.1 2006/10/06 21:39:26 paul -+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not -+ * set. This is defined through autoconf.h which is included through the -+ * linux kernel build macros. -+ * + * Revision 1.3 2005/04/29 05:10:22 mcr + * removed from extraenous includes to make unit testing easier. + * @@ -38720,7 +37888,7 @@ packaging/utils/kernelpatch 2.6 + --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/net/ipsec/ipsec_tunnel.c Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,2878 @@ +@@ -0,0 +1,2938 @@ +/* + * IPSEC Tunneling code. Heavily based on drivers/net/new_tunnel.c + * Copyright (C) 1996, 1997 John Ioannidis. @@ -38737,7 +37905,7 @@ packaging/utils/kernelpatch 2.6 + * for more details. + */ + -+char ipsec_tunnel_c_version[] = "RCSID $Id: ipsec_tunnel.c,v 1.232.2.5 2006/10/06 21:39:26 paul Exp $"; ++char ipsec_tunnel_c_version[] = "RCSID $Id: ipsec_tunnel.c,v 1.234 2005/11/11 04:46:38 paul Exp $"; + +#define __NO_VERSION__ +#include 
@@ -38803,8 +37971,8 @@ packaging/utils/kernelpatch 2.6 +#include "openswan/ipsec_esp.h" +#include "openswan/ipsec_kern24.h" + -+#include -+#include ++#include ++#include + +#include "openswan/ipsec_proto.h" +#ifdef CONFIG_IPSEC_NAT_TRAVERSAL @@ -38845,16 +38013,15 @@ packaging/utils/kernelpatch 2.6 + return 0; +} + -+#ifdef NETDEV_23 +static inline int ipsec_tunnel_xmit2(struct sk_buff *skb) +{ ++ +#ifdef NETDEV_25 /* 2.6 kernels */ + return dst_output(skb); +#else + return ip_send(skb); +#endif +} -+#endif /* NETDEV_23 */ + +enum ipsec_xmit_value +ipsec_tunnel_strip_hard_header(struct ipsec_xmit_state *ixs) @@ -38958,12 +38125,17 @@ packaging/utils/kernelpatch 2.6 + + if(ixs->skb->sk) { +#ifdef NET_26 ++#ifdef HAVE_INET_SK_SPORT ++ ixs->sport = ntohs(inet_sk(ixs->skb->sk)->sport); ++ ixs->dport = ntohs(inet_sk(ixs->skb->sk)->dport); ++#else + struct udp_sock *us; + + us = (struct udp_sock *)ixs->skb->sk; + + ixs->sport = ntohs(us->inet.sport); + ixs->dport = ntohs(us->inet.dport); ++#endif +#else + ixs->sport = ntohs(ixs->skb->sk->sport); + ixs->dport = ntohs(ixs->skb->sk->dport); @@ -39002,12 +38174,11 @@ packaging/utils/kernelpatch 2.6 + ixs->sport = ntohs(inet_sk(ixs->skb->sk)->sport); + ixs->dport = ntohs(inet_sk(ixs->skb->sk)->dport); +#else -+ struct tcp_tw_bucket *tw; -+ -+ tw = (struct tcp_tw_bucket *)ixs->skb->sk; -+ -+ ixs->sport = ntohs(tw->tw_sport); -+ ixs->dport = ntohs(tw->tw_dport); ++ struct tcp_tw_bucket *tw; ++ ++ tw = (struct tcp_tw_bucket *)ixs->skb->sk; ++ ixs->sport = ntohs(tw->tw_sport); ++ ixs->dport = ntohs(tw->tw_dport); +#endif +#else + ixs->sport = ntohs(ixs->skb->sk->sport); 
@@ -39283,15 +38454,14 @@ packaging/utils/kernelpatch 2.6 +enum ipsec_xmit_value +ipsec_tunnel_send(struct ipsec_xmit_state*ixs) +{ ++ int err; +#ifdef NETDEV_25 + struct flowi fl; +#endif + -+#ifdef NET_21 /* 2.2 and 2.4 kernels */ + /* new route/dst cache code from James Morris */ + ixs->skb->dev = ixs->physdev; +#ifdef NETDEV_25 -+ memset (&fl, 0x0, sizeof (struct flowi)); + fl.oif = ixs->physdev->iflink; + fl.nl_u.ip4_u.daddr = ixs->skb->nh.iph->daddr; + fl.nl_u.ip4_u.saddr = ixs->pass ? 0 : ixs->skb->nh.iph->saddr; @@ -39315,6 +38485,7 @@ packaging/utils/kernelpatch 2.6 + ixs->route->u.dst.dev->name); + return IPSEC_XMIT_ROUTEERR; + } ++ + if(ixs->dev == ixs->route->u.dst.dev) { + ip_rt_put(ixs->route); + /* This is recursion, drop it. */ @@ -39327,6 +38498,7 @@ packaging/utils/kernelpatch 2.6 + } + dst_release(ixs->skb->dst); + ixs->skb->dst = &ixs->route->u.dst; ++ + ixs->stats->tx_bytes += ixs->skb->len; + if(ixs->skb->len < ixs->skb->nh.raw - ixs->skb->data) { + ixs->stats->tx_errors++; @@ -39340,8 +38512,8 @@ packaging/utils/kernelpatch 2.6 + __skb_pull(ixs->skb, ixs->skb->nh.raw - ixs->skb->data); +#ifdef SKB_RESET_NFCT + if(!ixs->pass) { -+ nf_conntrack_put(ixs->skb->nfct); -+ ixs->skb->nfct = NULL; ++ nf_conntrack_put(ixs->skb->nfct); ++ ixs->skb->nfct = NULL; + } +#if defined(CONFIG_NETFILTER_DEBUG) && defined(HAVE_SKB_NF_DEBUG) + ixs->skb->nf_debug = 0; 
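Review bot: The `memset (&fl, 0x0, sizeof (struct flowi));` removed from ipsec_tunnel_send leaves `struct flowi fl` with only oif, daddr and saddr assigned; every other member (tos, proto, flags, fwmark and the port union, depending on kernel version) is uninitialized stack data when the route lookup runs. Unless all remaining fields are assigned in the lines between this hunk and the next (not visible here), the route chosen for every outgoing IPsec packet depends on whatever was left on the stack, which breaks policy routing by tos/mark and makes routing non-deterministic. Re-add `memset(&fl, 0, sizeof(fl));` directly after `ixs->skb->dev = ixs->physdev;`, or declare it as `struct flowi fl = { .oif = ixs->physdev->iflink };` and drop the separate oif assignment. The route lookup and the remainder of the function lie outside the hunk.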
@@ -39352,36 +38524,26 @@ packaging/utils/kernelpatch 2.6 + "...done, calling ip_send() on device:%s\n", + ixs->skb->dev ? ixs->skb->dev->name : "NULL"); + KLIPS_IP_PRINT(debug_tunnel & DB_TN_XMIT, ixs->skb->nh.iph); -+#ifdef NETDEV_23 /* 2.4 kernels */ -+ { -+ int err; + -+ err = NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, ixs->skb, NULL, ixs->route->u.dst.dev, -+ ipsec_tunnel_xmit2); -+ if(err != NET_XMIT_SUCCESS && err != NET_XMIT_CN) { -+ if(net_ratelimit()) -+ printk(KERN_ERR -+ "klips_error:ipsec_xmit_send: " -+ "ip_send() failed, err=%d\n", -+ -err); -+ ixs->stats->tx_errors++; -+ ixs->stats->tx_aborted_errors++; -+ ixs->skb = NULL; -+ return IPSEC_XMIT_IPSENDFAILURE; -+ } ++ if(ixs->pass) { ++ err = ipsec_tunnel_xmit2(ixs->skb); ++ } else { ++ err = NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, ++ ixs->skb, NULL, ixs->route->u.dst.dev, ++ ipsec_tunnel_xmit2); ++ } ++ if(err != NET_XMIT_SUCCESS && err != NET_XMIT_CN) { ++ if(net_ratelimit()) ++ printk(KERN_ERR ++ "klips_error:ipsec_xmit_send: " ++ "ip_send() failed, err=%d\n", ++ -err); ++ ixs->stats->tx_errors++; ++ ixs->stats->tx_aborted_errors++; ++ ixs->skb = NULL; ++ return IPSEC_XMIT_IPSENDFAILURE; + } -+#else /* NETDEV_23 */ /* 2.2 kernels */ -+ ip_send(ixs->skb); -+#endif /* NETDEV_23 */ -+#else /* NET_21 */ /* 2.0 kernels */ -+ ixs->skb->arp = 1; -+ /* ISDN/ASYNC PPP from Matjaz Godec. */ -+ /* skb->protocol = htons(ETH_P_IP); */ -+ KLIPS_PRINT(debug_tunnel & DB_TN_XMIT, -+ "klips_debug:ipsec_xmit_send: " -+ "...done, calling dev_queue_xmit() or ip_fragment().\n"); -+ IP_SEND(ixs->skb, ixs->physdev); -+#endif /* NET_21 */ ++ + ixs->stats->tx_packets++; + + ixs->skb = NULL; 
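Review bot: The new `if(ixs->pass)` branch sends passthrough packets straight to ipsec_tunnel_xmit2() instead of through `NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, ...)`, so iptables OUTPUT rules and anything else registered on LOCAL_OUT never see traffic the ipsec device forwards unencrypted. On a firewall that is a policy bypass unless it is deliberate; the nfct retained for pass packets in the previous hunk suggests the intent is to avoid re-running the hook on packets that already traversed it, but nothing in the code says so. Add a comment at the branch, e.g. `/* pass: packet already traversed LOCAL_OUT before reaching us; do not run the hook twice */`, or route both cases through NF_HOOK if that assumption does not hold. The `ip_send() failed` error text now also covers the pass branch, which calls dst_output()/ip_send() directly. The function ends outside the hunk.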
@@ -39414,6 +38576,11 @@ packaging/utils/kernelpatch 2.6 + } +} + ++/* management of buffers */ ++static struct ipsec_xmit_state * ipsec_xmit_state_new (void); ++static void ipsec_xmit_state_delete (struct ipsec_xmit_state *ixs); ++ ++ +/* + * This function assumes it is being called from dev_queue_xmit() + * and that skb is filled properly by that function. @@ -39421,20 +38588,15 @@ packaging/utils/kernelpatch 2.6 +int +ipsec_tunnel_start_xmit(struct sk_buff *skb, struct net_device *dev) +{ -+ struct ipsec_xmit_state ixs_mem; -+ struct ipsec_xmit_state *ixs = &ixs_mem; ++ struct ipsec_xmit_state *ixs = NULL; + enum ipsec_xmit_value stat; + -+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL -+ ixs->natt_type = 0, ixs->natt_head = 0; -+ ixs->natt_sport = 0, ixs->natt_dport = 0; -+#endif ++ stat = IPSEC_XMIT_ERRMEMALLOC; ++ ixs = ipsec_xmit_state_new (); ++ if (! ixs) { ++ goto alloc_error; ++ } + -+ memset((caddr_t)ixs, 0, sizeof(*ixs)); -+ ixs->oskb = NULL; -+ ixs->saved_header = NULL; /* saved copy of the hard header */ -+ ixs->route = NULL; -+ memset((caddr_t)&(ixs->ips), 0, sizeof(ixs->ips)); + ixs->dev = dev; + ixs->skb = skb; + @@ -39515,6 +38677,8 @@ packaging/utils/kernelpatch 2.6 + cleanup: + ipsec_tunnel_cleanup(ixs); + ++ ipsec_xmit_state_delete (ixs); ++alloc_error: + return 0; +} + 
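Review bot: In `@@ -39515,6 +38677,8 @@` the new `alloc_error:` label returns 0 without releasing `skb`; a zero return from a net_device start_xmit tells dev_queue_xmit() the buffer was consumed, so every failed `ipsec_xmit_state_new ()` in `@@ -39421,20 +38588,15 @@` now leaks the skb, a path the old stack-allocated `ixs_mem` never had. Add `dev_kfree_skb(skb);` before the `return 0;` on that path, and note that `stat = IPSEC_XMIT_ERRMEMALLOC` is assigned but nothing visible in either hunk consumes it when the allocation fails, so the drop is also not counted in the device statistics. The body of ipsec_tunnel_start_xmit between the two hunks is outside this view.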
@@ -40569,24 +39733,88 @@ packaging/utils/kernelpatch 2.6 + return error; +} + ++// ------------------------------------------------------------------------ ++// this handles creating and managing state for xmit path ++ ++static spinlock_t ixs_cache_lock = SPIN_LOCK_UNLOCKED; ++static kmem_cache_t *ixs_cache_allocator = NULL; ++static unsigned ixs_cache_allocated_count = 0; ++ ++int ++ipsec_xmit_state_cache_init (void) ++{ ++ if (ixs_cache_allocator) ++ return -EBUSY; ++ ++ spin_lock_init(&ixs_cache_lock); ++ ++ ixs_cache_allocator = kmem_cache_create ("ipsec_ixs", ++ sizeof (struct ipsec_xmit_state), 0, ++ 0, NULL, NULL); ++ if (! ixs_cache_allocator) ++ return -ENOMEM; ++ ++ return 0; ++} ++ ++void ++ipsec_xmit_state_cache_cleanup (void) ++{ ++ if (unlikely (ixs_cache_allocated_count)) ++ printk ("ipsec: deleting ipsec_ixs kmem_cache while in use\n"); ++ ++ if (ixs_cache_allocator) { ++ kmem_cache_destroy (ixs_cache_allocator); ++ ixs_cache_allocator = NULL; ++ } ++ ixs_cache_allocated_count = 0; ++} ++ ++static struct ipsec_xmit_state * ++ipsec_xmit_state_new (void) ++{ ++ struct ipsec_xmit_state *ixs; ++ ++ spin_lock_bh (&ixs_cache_lock); ++ ++ ixs = kmem_cache_alloc (ixs_cache_allocator, GFP_ATOMIC); ++ ++ if (likely (ixs != NULL)) ++ ixs_cache_allocated_count++; ++ ++ spin_unlock_bh (&ixs_cache_lock); ++ ++ if (unlikely (NULL == ixs)) ++ goto bail; ++ ++ // initialize the object ++ memset((caddr_t)ixs, 0, sizeof(*ixs)); ++ ++bail: ++ return ixs; ++} ++ ++static void ++ipsec_xmit_state_delete (struct ipsec_xmit_state *ixs) ++{ ++ if (unlikely (! ixs)) ++ return; ++ ++ spin_lock_bh (&ixs_cache_lock); ++ ++ ixs_cache_allocated_count--; ++ kmem_cache_free (ixs_cache_allocator, ixs); ++ ++ spin_unlock_bh (&ixs_cache_lock); ++} ++ +/* + * $Log: ipsec_tunnel.c,v $ -+ * Revision 1.232.2.5 2006/10/06 21:39:26 paul -+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not -+ * set. 
This is defined through autoconf.h which is included through the -+ * linux kernel build macros. -+ * -+ * Revision 1.232.2.4 2006/03/28 20:58:19 ken -+ * Fix for KLIPS on 2.6.16 - need to include now -+ * -+ * Revision 1.232.2.3 2006/02/15 05:14:12 paul -+ * 568: uninitialized struct in ipsec_tunnel.c coud break routing under 2.6 kernels -+ * ipsec_tunnel_send() calls the entry point function of routing subsystem -+ * (ip_route_output_key()) using a not fully initialized struct of type -+ * struct flowi. -+ * This will cause a failure in routing packets through an ipsec interface -+ * when patches for multipath routing from http://www.ssi.bg/~ja/ -+ * are applied. ++ * Revision 1.234 2005/11/11 04:46:38 paul ++ * Patch for 2.6.14 by David McCullough ++ * ++ * Revision 1.233 2005/08/31 23:26:11 mcr ++ * fixes for 2.6.13 + * + * Revision 1.232.2.2 2005/11/22 04:11:52 ken + * Backport fixes for 2.6.14 kernels from HEAD @@ -41601,7 +40829,7 @@ packaging/utils/kernelpatch 2.6 + */ --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/net/ipsec/ipsec_xform.c Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,360 @@ +@@ -0,0 +1,355 @@ +/* + * Common routines for IPSEC transformations. + * Copyright (C) 1996, 1997 John Ioannidis. @@ -41617,7 +40845,7 @@ packaging/utils/kernelpatch 2.6 + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * -+ * RCSID $Id: ipsec_xform.c,v 1.65.2.1 2006/10/06 21:39:26 paul Exp $ ++ * RCSID $Id: ipsec_xform.c,v 1.65 2005/04/29 05:10:22 mcr Exp $ + */ + +#ifndef AUTOCONF_INCLUDED @@ -41661,8 +40889,8 @@ packaging/utils/kernelpatch 2.6 +#include "freeswan/ipsec_ah.h" +#include "freeswan/ipsec_esp.h" + -+#include -+#include ++#include ++#include + +#ifdef CONFIG_KLIPS_DEBUG +int debug_xform = 0; 
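Review bot: `ipsec_xmit_state_new ()` in `@@ -40569,24 +39733,88 @@` calls `kmem_cache_alloc (ixs_cache_allocator, GFP_ATOMIC)` without checking that the cache exists, so a transmit issued before `ipsec_xmit_state_cache_init ()` has run, or after `ipsec_xmit_state_cache_cleanup ()` has reset the pointer to NULL, passes a NULL cache into the allocator from the packet path; a guard such as `if (unlikely (!ixs_cache_allocator)) return NULL;` ahead of the lock turns that into a dropped packet instead. The spinlock taken in both `ipsec_xmit_state_new ()` and `ipsec_xmit_state_delete ()` only protects `ixs_cache_allocated_count` (the slab calls are already safe to use concurrently), so an `atomic_t` counter would remove a global lock from every transmitted packet. The `printk` in the cleanup routine also lacks a `KERN_*` level prefix, and `spin_lock_init` on a lock already initialized with `SPIN_LOCK_UNLOCKED` is redundant.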
@@ -41676,11 +40904,6 @@ packaging/utils/kernelpatch 2.6 + +/* + * $Log: ipsec_xform.c,v $ -+ * Revision 1.65.2.1 2006/10/06 21:39:26 paul -+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not -+ * set. This is defined through autoconf.h which is included through the -+ * linux kernel build macros. -+ * + * Revision 1.65 2005/04/29 05:10:22 mcr + * removed from extraenous includes to make unit testing easier. + * @@ -41964,7 +41187,7 @@ packaging/utils/kernelpatch 2.6 + */ --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/net/ipsec/ipsec_xmit.c Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,1850 @@ +@@ -0,0 +1,1845 @@ +/* + * IPSEC Transmit code. + * Copyright (C) 1996, 1997 John Ioannidis. @@ -41982,7 +41205,7 @@ packaging/utils/kernelpatch 2.6 + * for more details. + */ + -+char ipsec_xmit_c_version[] = "RCSID $Id: ipsec_xmit.c,v 1.20.2.8 2006/10/06 21:39:26 paul Exp $"; ++char ipsec_xmit_c_version[] = "RCSID $Id: ipsec_xmit.c,v 1.20.2.6 2006/07/07 22:09:49 paul Exp $"; + +#define __NO_VERSION__ +#include @@ -42030,6 +41253,7 @@ packaging/utils/kernelpatch 2.6 +# include /* TCP options */ +#endif /* MSS_HACK */ + ++#include "openswan/ipsec_kern24.h" +#include "openswan/radij.h" +#include "openswan/ipsec_life.h" +#include "openswan/ipsec_xform.h" @@ -42047,8 +41271,8 @@ packaging/utils/kernelpatch 2.6 +#include "openswan/ipcomp.h" +#endif /* CONFIG_KLIPS_IPCOMP */ + -+#include -+#include ++#include ++#include + +#include "openswan/ipsec_proto.h" +#include "openswan/ipsec_alg.h" @@ -42613,11 +41837,10 @@ packaging/utils/kernelpatch 2.6 + + dat[len - authlen - 1] = ixs->iph->protocol; + ixs->iph->protocol = IPPROTO_ESP; -+#ifdef CONFIG_KLIPS_DEBUG ++ + if(debug_tunnel & DB_TN_ENCAP) { + dmp("pre-encrypt", dat, len); + } -+#endif + + /* + * Do all operations here: 
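Review bot: In `@@ -42613,11 +41837,10 @@` the `#ifdef CONFIG_KLIPS_DEBUG` guard around `if(debug_tunnel & DB_TN_ENCAP) { dmp("pre-encrypt", dat, len); }` is removed, so `debug_tunnel` and `dmp()` are referenced even when CONFIG_KLIPS_DEBUG is off; the changelog entry for revision 1.20.2.7 ("Compile fixes for when CONFIG_KLIPS_DEBUG is not set", bug #642) that a later hunk of this file deletes suggests this is the build break that entry had fixed. Unless ipsec_xmit.c now defines these names unconditionally outside the hunk, the guard should stay. Keeping it also confines the dump of the not-yet-encrypted ESP payload to debug builds rather than to a runtime flag alone. The enclosing function starts outside this hunk.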
@@ -43029,6 +42252,7 @@ packaging/utils/kernelpatch 2.6 + struct ipsec_alg_auth *ixt_a = NULL; + int blocksize = 8; + enum ipsec_xmit_value bundle_stat = IPSEC_XMIT_OK; ++ struct ipsec_sa *saved_ipsp; + + ixs->newdst = ixs->orgdst = ixs->iph->daddr; + ixs->newsrc = ixs->orgsrc = ixs->iph->saddr; @@ -43208,7 +42432,7 @@ packaging/utils/kernelpatch 2.6 + * How much headroom do we need to be able to apply + * all the grouped transforms? + */ -+ ixs->ipsq = ixs->ipsp; /* save the head of the ipsec_sa chain */ ++ saved_ipsp = ixs->ipsp; /* save the head of the ipsec_sa chain */ + while (ixs->ipsp) { + ixs->sa_len = satot(&ixs->ipsp->ips_said, 0, ixs->sa_txt, sizeof(ixs->sa_txt)); + if(ixs->sa_len == 0) { @@ -43216,7 +42440,7 @@ packaging/utils/kernelpatch 2.6 + } + + /* If it is in larval state, drop the packet, we cannot process yet. */ -+ if(ixs->ipsp->ips_state == SADB_SASTATE_LARVAL) { ++ if(ixs->ipsp->ips_state == K_SADB_SASTATE_LARVAL) { + KLIPS_PRINT(debug_tunnel & DB_TN_XMIT, + "klips_debug:ipsec_xmit_encap_bundle: " + "ipsec_sa in larval state for SA:<%s%s%s> %s, cannot be used yet, dropping packet.\n", @@ -43229,7 +42453,7 @@ packaging/utils/kernelpatch 2.6 + goto cleanup; + } + -+ if(ixs->ipsp->ips_state == SADB_SASTATE_DEAD) { ++ if(ixs->ipsp->ips_state == K_SADB_SASTATE_DEAD) { + KLIPS_PRINT(debug_tunnel & DB_TN_XMIT, + "klips_debug:ipsec_xmit_encap_bundle: " + "ipsec_sa in dead state for SA:<%s%s%s> %s, can no longer be used, dropping packet.\n", @@ -43248,7 +42472,7 @@ packaging/utils/kernelpatch 2.6 + "replay window counter rolled for SA:<%s%s%s> %s, packet dropped, expiring SA.\n", + IPS_XFORM_NAME(ixs->ipsp), + ixs->sa_len ? ixs->sa_txt : " (error)"); -+ ipsec_sa_delchain(ixs->ipsp); ++ ipsec_sa_rm(ixs->ipsp); + ixs->stats->tx_errors++; + bundle_stat = IPSEC_XMIT_REPLAYROLLED; + goto cleanup; 
@@ -43276,7 +42500,7 @@ packaging/utils/kernelpatch 2.6 + ipsec_lifetime_check(&ixs->ipsp->ips_life.ipl_packets, "packets",ixs->sa_txt, + ipsec_life_countbased, ipsec_outgoing, ixs->ipsp) == ipsec_life_harddied) { + -+ ipsec_sa_delchain(ixs->ipsp); ++ ipsec_sa_rm(ixs->ipsp); + ixs->stats->tx_errors++; + bundle_stat = IPSEC_XMIT_LIFETIMEFAILED; + goto cleanup; @@ -43396,7 +42620,7 @@ packaging/utils/kernelpatch 2.6 + ixs->max_tailroom += ixs->tailroom; + ixs->pyldsz += (ixs->headroom + ixs->tailroom); + } -+ ixs->ipsp = ixs->ipsq; /* restore the head of the ipsec_sa chain */ ++ ixs->ipsp = saved_ipsp; /* restore the head of the ipsec_sa chain */ + + KLIPS_PRINT(debug_tunnel & DB_TN_CROUT, + "klips_debug:ipsec_xmit_encap_bundle: " @@ -43664,7 +42888,8 @@ packaging/utils/kernelpatch 2.6 + "head,tailroom: %d,%d after allocation\n", + skb_headroom(ixs->skb), skb_tailroom(ixs->skb)); + } -+#ifdef CONFIG_KLIPS_DEBUG ++ ++#ifdef CONFIG_KLIPS_DEBUG + if(debug_tunnel & DB_TN_ENCAP) { + ipsec_print_ip(ixs->iph); + } @@ -43677,6 +42902,7 @@ packaging/utils/kernelpatch 2.6 + enum ipsec_xmit_value encap_stat = IPSEC_XMIT_OK; + + encap_stat = ipsec_xmit_encap_once(ixs); ++ +#ifdef CONFIG_KLIPS_DEBUG + if(debug_tunnel & DB_TN_ENCAP) { + ipsec_print_ip(ixs->iph); @@ -43704,14 +42930,6 @@ packaging/utils/kernelpatch 2.6 + +/* + * $Log: ipsec_xmit.c,v $ -+ * Revision 1.20.2.8 2006/10/06 21:39:26 paul -+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not -+ * set. This is defined through autoconf.h which is included through the -+ * linux kernel build macros. -+ * -+ * Revision 1.20.2.7 2006/08/24 03:02:01 paul -+ * Compile fixes for when CONFIG_KLIPS_DEBUG is not set. (bug #642) -+ * + * Revision 1.20.2.6 2006/07/07 22:09:49 paul + * From: Bart Trojanowski + * Removing a left over '#else' that split another '#if/#endif' block in two. @@ -44509,156 +43727,8 @@ packaging/utils/kernelpatch 2.6 + popl %ebp +match_init: ret 
--- /dev/null Tue Mar 11 13:02:56 2003 -+++ linux/net/ipsec/null/ipsec_alg_null.c Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,145 @@ -+/* -+ * ipsec_alg NULL cipher stubs -+ * -+ * Author: JuanJo Ciarlante -+ * -+ * $Id: ipsec_alg_null.c,v 1.1.2.1 2006/10/11 18:14:33 paul Exp $ -+ * -+ * This program is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License as published by the -+ * Free Software Foundation; either version 2 of the License, or (at your -+ * option) any later version. See . -+ * -+ * This program is distributed in the hope that it will be useful, but -+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * for more details. -+ * -+ */ -+#include -+#include -+ -+/* -+ * special case: ipsec core modular with this static algo inside: -+ * must avoid MODULE magic for this file -+ */ -+#if defined(CONFIG_KLIPS_MODULE) && defined(CONFIG_KLIPS_ENC_NULL) -+#undef MODULE -+#endif -+ -+#include -+#include -+ -+#include /* printk() */ -+#include /* error codes */ -+#include /* size_t */ -+#include -+ -+/* Check if __exit is defined, if not null it */ -+#ifndef __exit -+#define __exit -+#endif -+ -+/* Low freeswan header coupling */ -+#include "openswan/ipsec_alg.h" -+ -+#define ESP_NULL 11 /* from ipsec drafts */ -+#define ESP_NULL_BLK_LEN 1 -+ -+MODULE_AUTHOR("JuanJo Ciarlante "); -+static int debug_null=0; -+static int test_null=0; -+#ifdef module_param -+module_param(debug_null, int, 0600); -+module_param(test_null, int, 0600); -+#else -+MODULE_PARM(debug_null, "i"); -+MODULE_PARM(test_null, "i"); -+#endif -+ -+typedef int null_context; -+ -+struct null_eks{ -+ null_context null_ctx; -+}; -+static int _null_set_key(struct ipsec_alg_enc *alg, -+ __u8 * key_e, const __u8 * key, -+ size_t keysize) { -+ null_context *ctx=&((struct null_eks*)key_e)->null_ctx; -+ if (debug_null > 0) -+ printk(KERN_DEBUG 
"klips_debug:_null_set_key:" -+ "key_e=%p key=%p keysize=%d\n", -+ key_e, key, keysize); -+ *ctx = 1; -+ return 0; -+} -+static int _null_cbc_encrypt(struct ipsec_alg_enc *alg, -+ __u8 * key_e, __u8 * in, int ilen, const __u8 * iv, -+ int encrypt) { -+ null_context *ctx=&((struct null_eks*)key_e)->null_ctx; -+ if (debug_null > 0) -+ printk(KERN_DEBUG "klips_debug:_null_cbc_encrypt:" -+ "key_e=%p in=%p ilen=%d iv=%p encrypt=%d\n", -+ key_e, in, ilen, iv, encrypt); -+ (*ctx)++; -+ return ilen; -+} -+static struct ipsec_alg_enc ipsec_alg_NULL = { -+ ixt_common: { ixt_version: IPSEC_ALG_VERSION, -+ ixt_refcnt: ATOMIC_INIT(0), -+ ixt_name: "null", -+ ixt_blocksize: ESP_NULL_BLK_LEN, -+ ixt_support: { -+ ias_exttype: IPSEC_ALG_TYPE_ENCRYPT, -+ ias_id: ESP_NULL, -+ ias_ivlen: 0, -+ ias_keyminbits: 0, -+ ias_keymaxbits: 0, -+ }, -+ }, -+#if defined(CONFIG_KLIPS_ENC_NULL_MODULE) -+ ixt_module: THIS_MODULE, -+#endif -+ ixt_e_keylen: 0, -+ ixt_e_ctx_size: sizeof(null_context), -+ ixt_e_set_key: _null_set_key, -+ ixt_e_cbc_encrypt:_null_cbc_encrypt, -+}; -+ -+#if defined(CONFIG_KLIPS_ENC_NULL_MODULE) -+IPSEC_ALG_MODULE_INIT_MOD( ipsec_null_init ) -+#else -+IPSEC_ALG_MODULE_INIT_STATIC( ipsec_null_init ) -+#endif -+{ -+ int ret, test_ret; -+ ret=register_ipsec_alg_enc(&ipsec_alg_NULL); -+ printk("ipsec_null_init(alg_type=%d alg_id=%d name=%s): ret=%d\n", -+ ipsec_alg_NULL.ixt_common.ixt_support.ias_exttype, -+ ipsec_alg_NULL.ixt_common.ixt_support.ias_id, -+ ipsec_alg_NULL.ixt_common.ixt_name, -+ ret); -+ if (ret==0 && test_null) { -+ test_ret=ipsec_alg_test( -+ ipsec_alg_NULL.ixt_common.ixt_support.ias_exttype, -+ ipsec_alg_NULL.ixt_common.ixt_support.ias_id, -+ test_null); -+ printk("ipsec_null_init(alg_type=%d alg_id=%d): test_ret=%d\n", -+ ipsec_alg_NULL.ixt_common.ixt_support.ias_exttype, -+ ipsec_alg_NULL.ixt_common.ixt_support.ias_id, -+ test_ret); -+ } -+ return ret; -+} -+#if defined(CONFIG_KLIPS_ENC_NULL_MODULE) -+IPSEC_ALG_MODULE_EXIT_MOD( ipsec_null_fini ) -+#else 
-+IPSEC_ALG_MODULE_EXIT_STATIC( ipsec_null_fini ) -+#endif -+{ -+ unregister_ipsec_alg_enc(&ipsec_alg_NULL); -+ return; -+} -+#ifdef MODULE_LICENSE -+MODULE_LICENSE("GPL"); -+#endif ---- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/net/ipsec/pfkey_v2.c Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,2022 @@ +@@ -0,0 +1,1996 @@ +/* + * @(#) RFC2367 PF_KEYv2 Key management API domain socket I/F + * Copyright (C) 1999, 2000, 2001 Richard Guy Briggs. @@ -44673,7 +43743,7 @@ packaging/utils/kernelpatch 2.6 + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * -+ * RCSID $Id: pfkey_v2.c,v 1.97.2.12 2006/11/24 05:43:29 paul Exp $ ++ * RCSID $Id: pfkey_v2.c,v 1.97.2.8 2006/07/10 15:56:11 paul Exp $ + */ + +/* @@ -44730,8 +43800,8 @@ packaging/utils/kernelpatch 2.6 +#include "openswan/ipsec_encap.h" +#include "openswan/ipsec_sa.h" + -+#include -+#include ++#include ++#include + +#include "openswan/ipsec_proto.h" +#include "openswan/ipsec_kern24.h" @@ -44777,24 +43847,13 @@ packaging/utils/kernelpatch 2.6 +#endif + +struct net_proto_family pfkey_family_ops = { -+#ifdef NETDEV_23 -+ .family = PF_KEY, -+ .create = pfkey_create, -+#ifdef NET_26 -+ .owner = THIS_MODULE, -+#endif -+#else + PF_KEY, + pfkey_create -+#endif +}; + +struct proto_ops SOCKOPS_WRAPPED(pfkey_ops) = { +#ifdef NETDEV_23 + family: PF_KEY, -+#ifdef NET_26 -+ owner: THIS_MODULE, -+#endif + release: pfkey_release, + bind: sock_no_bind, + connect: sock_no_connect, 
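Review bot: `@@ -44777,24 +43847,13 @@` replaces the designated initializer of `pfkey_family_ops` with positional `PF_KEY, pfkey_create` and drops `owner: THIS_MODULE` from `pfkey_ops`, so on 2.6 kernels neither structure records the owning module; the changelog entry for revision 1.97.2.10 ("Add family/create/owner for pfkey_family_ops. This fixes bug #671") removed in the next hunk indicates that was a deliberate earlier fix. Without an owner the socket layer cannot pin the module while PF_KEY sockets are open, so unloading it with a socket still open leaves the kernel calling through freed ops. Restore `.family = PF_KEY, .create = pfkey_create,` plus `.owner = THIS_MODULE` under `NET_26`, and `owner: THIS_MODULE` in `pfkey_ops`.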
@@ -46107,11 +45166,11 @@ packaging/utils/kernelpatch 2.6 +#endif /* CONFIG_KLIPS_ENC_3DES */ + }; + static struct ipsec_alg_supported supported_init_ipip[] = { -+ {SADB_EXT_SUPPORTED_ENCRYPT, SADB_X_TALG_IPv4_in_IPv4, 0, 32, 32} ++ {SADB_EXT_SUPPORTED_ENCRYPT, K_SADB_X_TALG_IPv4_in_IPv4, 0, 32, 32} +#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) -+ , {SADB_EXT_SUPPORTED_ENCRYPT, SADB_X_TALG_IPv6_in_IPv4, 0, 128, 32} -+ , {SADB_EXT_SUPPORTED_ENCRYPT, SADB_X_TALG_IPv4_in_IPv6, 0, 32, 128} -+ , {SADB_EXT_SUPPORTED_ENCRYPT, SADB_X_TALG_IPv6_in_IPv6, 0, 128, 128} ++ , {SADB_EXT_SUPPORTED_ENCRYPT, K_SADB_X_TALG_IPv6_in_IPv4, 0, 128, 32} ++ , {SADB_EXT_SUPPORTED_ENCRYPT, K_SADB_X_TALG_IPv4_in_IPv6, 0, 32, 128} ++ , {SADB_EXT_SUPPORTED_ENCRYPT, K_SADB_X_TALG_IPv6_in_IPv6, 0, 128, 128} +#endif /* defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) */ + }; +#ifdef CONFIG_KLIPS_IPCOMP @@ -46224,21 +45283,6 @@ packaging/utils/kernelpatch 2.6 + +/* + * $Log: pfkey_v2.c,v $ -+ * Revision 1.97.2.12 2006/11/24 05:43:29 paul -+ * kernels after 2.6.18 do not return a code from unregister_socket() -+ * backport from git 41e54a2684dc809d7952e816860ea646a3194a72 -+ * -+ * Revision 1.97.2.11 2006/11/15 16:05:57 paul -+ * fix for compiling on 2.4. kernels by Matthias Haas. -+ * -+ * Revision 1.97.2.10 2006/10/10 20:43:28 paul -+ * Add family/create/owner for pfkey_family_ops. This fixes bug #671 -+ * -+ * Revision 1.97.2.9 2006/10/06 21:39:26 paul -+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not -+ * set. This is defined through autoconf.h which is included through the -+ * linux kernel build macros. -+ * + * Revision 1.97.2.8 2006/07/10 15:56:11 paul + * Fix for bug #642 by Bart. + * @@ -46683,7 +45727,7 @@ packaging/utils/kernelpatch 2.6 + */ 
--- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/net/ipsec/pfkey_v2_build.c Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,1581 @@ +@@ -0,0 +1,1642 @@ +/* + * RFC2367 PF_KEYv2 Key management API message parser + * Copyright (C) 1999, 2000, 2001 Richard Guy Briggs. @@ -46698,21 +45742,21 @@ packaging/utils/kernelpatch 2.6 + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * -+ * RCSID $Id: pfkey_v2_build.c,v 1.51.8.1 2006/05/01 14:36:39 mcr Exp $ ++ * RCSID $Id: pfkey_v2_build.c,v 1.53 2005/11/09 00:30:37 mcr Exp $ + */ + +/* + * Template from klips/net/ipsec/ipsec/ipsec_parser.c. + */ + -+char pfkey_v2_build_c_version[] = "$Id: pfkey_v2_build.c,v 1.51.8.1 2006/05/01 14:36:39 mcr Exp $"; ++char pfkey_v2_build_c_version[] = "$Id: pfkey_v2_build.c,v 1.53 2005/11/09 00:30:37 mcr Exp $"; + +/* + * Some ugly stuff to allow consistent debugging code for use in the + * kernel and in user space +*/ + -+#ifdef __KERNEL__ ++#if defined(__KERNEL__) && defined(linux) + +# include /* for printk */ + @@ -46739,17 +45783,18 @@ packaging/utils/kernelpatch 2.6 +#else /* __KERNEL__ */ + +# include -+# include -+# include -+# include ++# include ++# include ++# include ++# include +# include /* memset */ + +# include + +#endif /* __KERNEL__ */ + -+#include -+#include ++#include ++#include + +#ifdef __KERNEL__ +#include "openswan/radij.h" /* rd_nodes */ @@ -46958,21 +46003,21 @@ packaging/utils/kernelpatch 2.6 + } +#endif + -+ if(sa_state > SADB_SASTATE_MAX) { ++ if(sa_state > K_SADB_SASTATE_MAX) { + DEBUGGING(PF_KEY_DEBUG_BUILD, + "pfkey_sa_build: " + "sa_state=%d exceeds MAX=%d.\n", + sa_state, -+ SADB_SASTATE_MAX); ++ K_SADB_SASTATE_MAX); + SENDERR(EINVAL); + } + -+ if(sa_state == SADB_SASTATE_DEAD) { ++ if(sa_state == K_SADB_SASTATE_DEAD) { + DEBUGGING(PF_KEY_DEBUG_BUILD, + "pfkey_sa_build: " + "sa_state=%d is DEAD=%d is not allowed.\n", + sa_state, -+ SADB_SASTATE_DEAD); ++ K_SADB_SASTATE_DEAD); + SENDERR(EINVAL); + } + 
@@ -47227,7 +46272,7 @@ packaging/utils/kernelpatch 2.6 +pfkey_key_build(struct sadb_ext** pfkey_ext, + uint16_t exttype, + uint16_t key_bits, -+ char* key) ++ unsigned char * key) +{ + int error = 0; + struct sadb_key *pfkey_key = (struct sadb_key *)*pfkey_ext; @@ -47943,6 +46988,60 @@ packaging/utils/kernelpatch 2.6 + return error; +} + ++int pfkey_outif_build(struct sadb_ext **pfkey_ext, ++ uint16_t outif) ++{ ++ int error = 0; ++ struct sadb_x_plumbif * p = (struct sadb_x_plumbif *)*pfkey_ext; ++ ++ if ((p = (struct sadb_x_plumbif*)MALLOC(sizeof(*p))) == 0) { ++ ERROR("pfkey_build: memory allocation failed\n"); ++ SENDERR(ENOMEM); ++ } ++ *pfkey_ext = (struct sadb_ext *)p; ++ ++ p->sadb_x_outif_len = IPSEC_PFKEYv2_WORDS(sizeof(*p)); ++ p->sadb_x_outif_exttype = K_SADB_X_EXT_PLUMBIF; ++ p->sadb_x_outif_ifnum = outif; ++ ++ errlab: ++ return error; ++} ++ ++ ++#if defined(I_DONT_THINK_THIS_WILL_BE_USEFUL) && I_DONT_THINK_THIS_WILL_BE_USEFUL ++int (*ext_default_builders[SADB_EXT_MAX +1])(struct sadb_msg*, struct sadb_ext*) ++ = ++{ ++ NULL, /* pfkey_msg_build, */ ++ pfkey_sa_build, ++ pfkey_lifetime_build, ++ pfkey_lifetime_build, ++ pfkey_lifetime_build, ++ pfkey_address_build, ++ pfkey_address_build, ++ pfkey_address_build, ++ pfkey_key_build, ++ pfkey_key_build, ++ pfkey_ident_build, ++ pfkey_ident_build, ++ pfkey_sens_build, ++ pfkey_prop_build, ++ pfkey_supported_build, ++ pfkey_supported_build, ++ pfkey_spirange_build, ++ pfkey_x_kmprivate_build, ++ pfkey_x_satype_build, ++ pfkey_sa_build, ++ pfkey_address_build, ++ pfkey_address_build, ++ pfkey_address_build, ++ pfkey_address_build, ++ pfkey_address_build, ++ pfkey_x_ext_debug_build ++}; ++#endif ++ +int +pfkey_msg_build(struct sadb_msg **pfkey_msg, struct sadb_ext *extensions[], int dir) +{ 
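Review bot: In `pfkey_outif_build()` (`@@ -47943,6 +46988,60 @@`) the initializer `struct sadb_x_plumbif * p = (struct sadb_x_plumbif *)*pfkey_ext;` is dead because `p` is immediately reassigned from `MALLOC`, and there is no visible check that `*pfkey_ext` is still empty, so an already built extension would be silently replaced and leaked; the new allocation is also never zeroed, so any reserved or padding bytes in `struct sadb_x_plumbif` go into the message uninitialized. Suggested: declare `struct sadb_x_plumbif *p;`, allocate with `if ((p = MALLOC(sizeof(*p))) == NULL) { ... }`, then `memset(p, 0, sizeof(*p));` before the three field assignments. The `#if defined(I_DONT_THINK_THIS_WILL_BE_USEFUL)` table is dead code and should be dropped rather than committed.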
@@ -48004,8 +47103,9 @@ packaging/utils/kernelpatch 2.6 + if(!(extensions_bitmaps[dir][EXT_BITS_PERM][(*pfkey_msg)->sadb_msg_type] & + 1<sadb_msg_type, + extensions_bitmaps[dir][EXT_BITS_PERM][(*pfkey_msg)->sadb_msg_type], + 1<sadb_msg_type], + extensions_seen, + extensions_bitmaps[dir][EXT_BITS_REQ][(*pfkey_msg)->sadb_msg_type]); -+ ++ ++#if 0 + if((extensions_seen & + extensions_bitmaps[dir][EXT_BITS_REQ][(*pfkey_msg)->sadb_msg_type]) != + extensions_bitmaps[dir][EXT_BITS_REQ][(*pfkey_msg)->sadb_msg_type]) { -+ DEBUGGING(PF_KEY_DEBUG_BUILD, ++ ERROR(PF_KEY_DEBUG_BUILD, + "pfkey_msg_build: " + "required extensions missing:%08x.\n", + extensions_bitmaps[dir][EXT_BITS_REQ][(*pfkey_msg)->sadb_msg_type] - @@ -48052,6 +47153,7 @@ packaging/utils/kernelpatch 2.6 + extensions_bitmaps[dir][EXT_BITS_REQ][(*pfkey_msg)->sadb_msg_type]) ); + SENDERR(EINVAL); + } ++#endif + +#ifndef __KERNEL__ +/* @@ -48074,8 +47176,11 @@ packaging/utils/kernelpatch 2.6 + +/* + * $Log: pfkey_v2_build.c,v $ -+ * Revision 1.51.8.1 2006/05/01 14:36:39 mcr -+ * get rid of dead code. ++ * Revision 1.53 2005/11/09 00:30:37 mcr ++ * adjusted signed-ness and look.in ++ * ++ * Revision 1.52 2005/08/14 21:41:15 mcr ++ * augment error message when an extension is not permitted. + * + * Revision 1.51 2004/10/03 01:26:36 mcr + * fixes for gcc 3.4 compilation. @@ -48267,7 +47372,7 @@ packaging/utils/kernelpatch 2.6 + */ --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/net/ipsec/pfkey_v2_debug.c Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,181 @@ +@@ -0,0 +1,185 @@ +/* + * @(#) pfkey version 2 debugging messages + * 
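Review bot: In `@@ -48052,6 +47153,7 @@` and the hunk that opens the block before it, the required-extensions check in `pfkey_msg_build` is wrapped in `#if 0 ... #endif`, so a message whose `extensions_seen` lacks an extension listed in `extensions_bitmaps[dir][EXT_BITS_REQ]` is now built instead of failing with EINVAL; if that is intended (a key manager that must emit partial messages), a comment saying so should replace the bare `#if 0`. Inside the disabled block `DEBUGGING(PF_KEY_DEBUG_BUILD, ...)` became `ERROR(PF_KEY_DEBUG_BUILD, ...)`, which passes the debug-level constant where the other `ERROR()` call in this file passes the format string first (`ERROR("pfkey_build: memory allocation failed\n")`), so re-enabling the block would not compile as written. pfkey_msg_build's body extends beyond these hunks.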
@@ -48308,15 +47413,19 @@ packaging/utils/kernelpatch 2.6 + +#else /* __KERNEL__ */ + ++#if defined(macintosh) || (defined(__MACH__) && defined(__APPLE__)) ++# include ++#else +# include +# include +# include ++#endif + +#endif /* __KERNEL__ */ + +#include "openswan.h" -+#include "pfkeyv2.h" -+#include "pfkey.h" ++#include "openswan/pfkeyv2.h" ++#include "openswan/pfkey.h" + +/* + * This file provides ASCII translations of PF_KEY magic numbers. @@ -48480,7 +47589,7 @@ packaging/utils/kernelpatch 2.6 + * kernel and in user space +*/ + -+#ifdef __KERNEL__ ++#if defined(__KERNEL__) && defined(linux) + +# include /* for printk */ + @@ -48504,13 +47613,13 @@ packaging/utils/kernelpatch 2.6 +#else /* __KERNEL__ */ + +# include -+# include -+# include ++# include ++# include +#endif + +#include -+#include -+#include ++#include ++#include + +unsigned int extensions_bitmaps[2/*in/out*/][2/*perm/req*/][SADB_EXTENSIONS_MAX] = { + @@ -49268,11 +48377,11 @@ packaging/utils/kernelpatch 2.6 + */ --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/net/ipsec/pfkey_v2_ext_process.c Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,951 @@ +@@ -0,0 +1,865 @@ +/* + * @(#) RFC2367 PF_KEYv2 Key management API message parser + * Copyright (C) 1998-2003 Richard Guy Briggs. -+ * Copyright (C) 2004 Michael Richardson ++ * Copyright (C) 2004-2006 Michael Richardson + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the 
@@ -49284,14 +48393,14 @@ packaging/utils/kernelpatch 2.6 + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * -+ * RCSID $Id: pfkey_v2_ext_process.c,v 1.20.2.2 2006/10/06 21:39:26 paul Exp $ ++ * RCSID $Id: pfkey_v2_ext_process.c,v 1.20 2005/04/29 05:10:22 mcr Exp $ + */ + +/* + * Template from klips/net/ipsec/ipsec/ipsec_netlink.c. + */ + -+char pfkey_v2_ext_process_c_version[] = "$Id: pfkey_v2_ext_process.c,v 1.20.2.2 2006/10/06 21:39:26 paul Exp $"; ++char pfkey_v2_ext_process_c_version[] = "$Id: pfkey_v2_ext_process.c,v 1.20 2005/04/29 05:10:22 mcr Exp $"; + +#ifndef AUTOCONF_INCLUDED +#include @@ -49353,14 +48462,15 @@ packaging/utils/kernelpatch 2.6 +#include "openswan/ipsec_rcv.h" +#include "openswan/ipcomp.h" + -+#include -+#include ++#include ++#include + +#include "openswan/ipsec_proto.h" +#include "openswan/ipsec_alg.h" + +#define SENDERR(_x) do { error = -(_x); goto errlab; } while (0) + ++/* returns 0 on success */ +int +pfkey_sa_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr) +{ @@ -49404,7 +48514,7 @@ packaging/utils/kernelpatch 2.6 + ipsp->ips_state = pfkey_sa->sadb_sa_state; + ipsp->ips_flags = pfkey_sa->sadb_sa_flags; + ipsp->ips_replaywin_lastseq = ipsp->ips_replaywin_bitmap = 0; -+ ipsp->ips_ref_rel = pfkey_sa->sadb_x_sa_ref; ++ ipsp->ips_ref = pfkey_sa->sadb_x_sa_ref; + + switch(ipsp->ips_said.proto) { + case IPPROTO_AH: @@ -49939,11 +49049,11 @@ packaging/utils/kernelpatch 2.6 + struct sadb_x_satype *pfkey_x_satype = (struct sadb_x_satype *)pfkey_ext; + + KLIPS_PRINT(debug_pfkey, -+ "klips_debug:pfkey_x_satype_process: .\n"); ++ "pfkey_x_satype_process: .\n"); + + if(!extr || !extr->ips) { + KLIPS_PRINT(debug_pfkey, -+ "klips_debug:pfkey_x_satype_process: " ++ "pfkey_x_satype_process: " + "extr or extr->ips is NULL, fatal\n"); + SENDERR(EINVAL); + } 
@@ -49955,14 +49065,14 @@ packaging/utils/kernelpatch 2.6 + SENDERR(-error); + } + if(!(extr->ips2->ips_said.proto = satype2proto(pfkey_x_satype->sadb_x_satype_satype))) { -+ KLIPS_PRINT(debug_pfkey, -+ "klips_debug:pfkey_x_satype_process: " ++ KLIPS_ERROR(debug_pfkey, ++ "pfkey_x_satype_process: " + "proto lookup from satype=%d failed.\n", + pfkey_x_satype->sadb_x_satype_satype); + SENDERR(EINVAL); + } + KLIPS_PRINT(debug_pfkey, -+ "klips_debug:pfkey_x_satype_process: " ++ "pfkey_x_satype_process: " + "protocol==%d decoded from satype==%d(%s).\n", + extr->ips2->ips_said.proto, + pfkey_x_satype->sadb_x_satype_satype, 
@@ -50128,93 +49238,6 @@ packaging/utils/kernelpatch 2.6 +} + +/* -+ * $Log: pfkey_v2_ext_process.c,v $ -+ * Revision 1.20.2.2 2006/10/06 21:39:26 paul -+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not -+ * set. This is defined through autoconf.h which is included through the -+ * linux kernel build macros. -+ * -+ * Revision 1.20.2.1 2006/04/20 16:33:07 mcr -+ * remove all of CONFIG_KLIPS_ALG --- one can no longer build without it. -+ * Fix in-kernel module compilation. Sub-makefiles do not work. -+ * -+ * Revision 1.20 2005/04/29 05:10:22 mcr -+ * removed from extraenous includes to make unit testing easier. -+ * -+ * Revision 1.19 2004/12/04 07:14:18 mcr -+ * resolution to gcc3-ism was wrong. fixed to assign correct -+ * variable. -+ * -+ * Revision 1.18 2004/12/03 21:25:57 mcr -+ * compile time fixes for running on 2.6. -+ * still experimental. -+ * -+ * Revision 1.17 2004/08/21 00:45:04 mcr -+ * CONFIG_KLIPS_NAT was wrong, also need to include udp.h. -+ * -+ * Revision 1.16 2004/07/10 19:11:18 mcr -+ * CONFIG_IPSEC -> CONFIG_KLIPS. -+ * -+ * Revision 1.15 2004/04/06 02:49:26 mcr -+ * pullup of algo code from alg-branch. -+ * -+ * Revision 1.14 2004/02/03 03:13:59 mcr -+ * no longer #ifdef out NON_ESP mode. That was a mistake. -+ * -+ * Revision 1.13 2003/12/15 18:13:12 mcr -+ * when compiling with NAT traversal, don't assume that the -+ * kernel has been patched, unless CONFIG_IPSEC_NAT_NON_ESP -+ * is set. -+ * -+ * Revision 1.12.2.1 2003/12/22 15:25:52 jjo -+ * Merged algo-0.8.1-rc11-test1 into alg-branch -+ * -+ * Revision 1.12 2003/12/10 01:14:27 mcr -+ * NAT-traversal patches to KLIPS. -+ * -+ * Revision 1.11 2003/10/31 02:27:55 mcr -+ * pulled up port-selector patches and sa_id elimination. -+ * -+ * Revision 1.10.4.2 2003/10/29 01:30:41 mcr -+ * elimited "struct sa_id". -+ * -+ * Revision 1.10.4.1 2003/09/21 13:59:56 mcr -+ * pre-liminary X.509 patch - does not yet pass tests. 
-+ * -+ * Revision 1.10 2003/02/06 01:51:41 rgb -+ * Removed no longer relevant comment -+ * -+ * Revision 1.9 2003/01/30 02:32:44 rgb -+ * -+ * Transmit error code through to caller from callee for better diagnosis of problems. -+ * -+ * Revision 1.8 2002/12/13 22:42:22 mcr -+ * restored sa_ref code -+ * -+ * Revision 1.7 2002/12/13 22:40:48 mcr -+ * temporarily removed sadb_x_sa_ref reference for 2.xx -+ * -+ * Revision 1.6 2002/10/05 05:02:58 dhr -+ * -+ * C labels go on statements -+ * -+ * Revision 1.5 2002/09/20 15:41:08 rgb -+ * Switch from pfkey_alloc_ipsec_sa() to ipsec_sa_alloc(). -+ * Added sadb_x_sa_ref to struct sadb_sa. -+ * -+ * Revision 1.4 2002/09/20 05:02:02 rgb -+ * Added memory allocation debugging. -+ * -+ * Revision 1.3 2002/07/24 18:44:54 rgb -+ * Type fiddling to tame ia64 compiler. -+ * -+ * Revision 1.2 2002/05/27 18:55:03 rgb -+ * Remove final vistiges of tdb references via IPSEC_KLIPS1_COMPAT. -+ * -+ * Revision 1.1 2002/05/14 02:33:51 rgb -+ * Moved all the extension processing functions to pfkey_v2_ext_process.c. -+ * -+ * + * Local variables: + * c-file-style: "linux" + * End: @@ -50222,7 +49245,7 @@ packaging/utils/kernelpatch 2.6 + */ --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/net/ipsec/pfkey_v2_parse.c Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,1846 @@ +@@ -0,0 +1,1564 @@ +/* + * RFC2367 PF_KEYv2 Key management API message parser + * Copyright (C) 1999, 2000, 2001 Richard Guy Briggs. @@ -50281,18 +49304,17 @@ packaging/utils/kernelpatch 2.6 +#else /* __KERNEL__ */ + +# include -+# include -+# include ++# include ++# include + +# include +# include "constants.h" -+# include "programs/pluto/defs.h" /* for PRINTF_LIKE */ + +#endif /* __KERNEL__ */ + + -+#include -+#include ++#include ++#include + +#include "openswan/ipsec_sa.h" /* IPSEC_SAREF_NULL, IPSEC_SA_REF_TABLE_IDX_WIDTH */ + 
@@ -50302,8 +49324,8 @@ packaging/utils/kernelpatch 2.6 +#include + +unsigned int pfkey_lib_debug = PF_KEY_DEBUG_PARSE_NONE; -+void (*pfkey_debug_func)(const char *message, ...) PRINTF_LIKE(1); -+void (*pfkey_error_func)(const char *message, ...) PRINTF_LIKE(1); ++int (*pfkey_debug_func)(const char *message, ...) PRINTF_LIKE(1); ++int (*pfkey_error_func)(const char *message, ...) PRINTF_LIKE(1); + + +#define SENDERR(_x) do { error = -(_x); goto errlab; } while (0) @@ -50393,21 +49415,6 @@ packaging/utils/kernelpatch 2.6 + SENDERR(EINVAL); + } + -+#if 0 -+ /* check if this structure is short, and if so, fix it up. -+ * XXX this is NOT the way to do things. -+ */ -+ if(pfkey_sa->sadb_sa_len == sizeof(struct sadb_sa_v1)/IPSEC_PFKEYv2_ALIGN) { -+ -+ /* yes, so clear out a temporary structure, and copy first */ -+ memset(&sav2, 0, sizeof(sav2)); -+ memcpy(&sav2, pfkey_sa, sizeof(struct sadb_sa_v1)); -+ sav2.sadb_x_sa_ref=-1; -+ sav2.sadb_sa_len = sizeof(struct sadb_sa) / IPSEC_PFKEYv2_ALIGN; -+ -+ pfkey_sa = &sav2; -+ } -+#endif + + + if(pfkey_sa->sadb_sa_len != sizeof(struct sadb_sa) / IPSEC_PFKEYv2_ALIGN) { @@ -50441,23 +49448,23 @@ packaging/utils/kernelpatch 2.6 + } +#endif + -+#if SADB_SASTATE_MAX < 255 -+ if(pfkey_sa->sadb_sa_state > SADB_SASTATE_MAX) { ++#if K_SADB_SASTATE_MAX < 255 ++ if(pfkey_sa->sadb_sa_state > K_SADB_SASTATE_MAX) { + ERROR( + "pfkey_sa_parse: " + "state=%d exceeds MAX=%d.\n", + pfkey_sa->sadb_sa_state, -+ SADB_SASTATE_MAX); ++ K_SADB_SASTATE_MAX); + SENDERR(EINVAL); + } +#endif + -+ if(pfkey_sa->sadb_sa_state == SADB_SASTATE_DEAD) { ++ if(pfkey_sa->sadb_sa_state == K_SADB_SASTATE_DEAD) { + ERROR( + "pfkey_sa_parse: " + "state=%d is DEAD=%d.\n", + pfkey_sa->sadb_sa_state, -+ SADB_SASTATE_DEAD); ++ K_SADB_SASTATE_DEAD); + SENDERR(EINVAL); + } + 
@@ -50547,14 +49554,13 @@ packaging/utils/kernelpatch 2.6 + + DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT, + "pfkey_lifetime_parse: " -+ "life_type=%d(%s) alloc=%u bytes=%u add=%u use=%u pkts=%u.\n", ++ "life_type=%d(%s) alloc=%u bytes=%u add=%u use=%u.\n", + pfkey_lifetime->sadb_lifetime_exttype, + pfkey_v2_sadb_ext_string(pfkey_lifetime->sadb_lifetime_exttype), + pfkey_lifetime->sadb_lifetime_allocations, + (unsigned)pfkey_lifetime->sadb_lifetime_bytes, + (unsigned)pfkey_lifetime->sadb_lifetime_addtime, -+ (unsigned)pfkey_lifetime->sadb_lifetime_usetime, -+ pfkey_lifetime->sadb_x_lifetime_packets); ++ (unsigned)pfkey_lifetime->sadb_lifetime_usetime); +errlab: + return error; +} @@ -50612,7 +49618,7 @@ packaging/utils/kernelpatch 2.6 + "pfkey_address_parse: " + "unexpected ext_type=%d.\n", + pfkey_address->sadb_address_exttype); -+ SENDERR(ENOPKG); ++ SENDERR(ENODEV); + } + + switch(s->sa_family) { @@ -51047,14 +50053,6 @@ packaging/utils/kernelpatch 2.6 + SENDERR(EINVAL); + } + -+ if(pfkey_comb->sadb_comb_reserved) { -+ DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, -+ "pfkey_prop_parse: " -+ "comb[%d].res=%d, must be zero.\n", -+ i, -+ pfkey_comb->sadb_comb_reserved); -+ SENDERR(EINVAL); -+ } + pfkey_comb++; + } + @@ -51435,13 +50433,14 @@ packaging/utils/kernelpatch 2.6 + &pfkey_address_parse_def, + &pfkey_address_parse_def, + &pfkey_x_ext_debug_parse_def, -+ &pfkey_x_ext_protocol_parse_def ++ &pfkey_x_ext_protocol_parse_def, +#ifdef NAT_TRAVERSAL -+ , + &pfkey_x_ext_nat_t_type_parse_def, + &pfkey_x_ext_nat_t_port_parse_def, + &pfkey_x_ext_nat_t_port_parse_def, -+ &pfkey_address_parse_def ++ &pfkey_address_parse_def, ++#else ++ NULL,NULL,NULL,NULL, +#endif +}; + @@ -51454,7 +50453,7 @@ packaging/utils/kernelpatch 2.6 + int error = 0; + int remain; + struct sadb_ext *pfkey_ext; -+ int extensions_seen = 0; ++ unsigned int extensions_seen = 0; + + DEBUGGING(PF_KEY_DEBUG_PARSE_STRUCT, + "pfkey_msg_parse: " 
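Review bot: The `sadb_comb_reserved` must-be-zero check in pfkey_prop_parse is dropped, so a proposal combination whose reserved field carries garbage is now accepted while the rest of this parser still rejects malformed fields with EINVAL. PF_KEY messages are untrusted input to this function, so if the removal is a compatibility concession for senders that leave the field uninitialised it deserves a comment such as `/* sadb_comb_reserved is deliberately not validated: some senders leave it uninitialised */`; otherwise the check should stay. pfkey_prop_parse starts and ends outside the hunk.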
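Review bot: The `#else NULL,NULL,NULL,NULL,` entries added to `ext_parsers` make the table indexable by the NAT-T extension types in non-NAT_TRAVERSAL builds, but the only use visible on this page, `(*ext_parsers[pfkey_ext->sadb_ext_type]->parser)(pfkey_ext)` in the `@@ -51643` hunk at L139, dereferences the entry with no NULL check. Unless the `SADB_EXT_MAX` bound or the permission bitmaps tested earlier in pfkey_msg_parse exclude those types in such a build (both outside the visible hunks), a message carrying one of them would dereference a null pointer in the kernel; the commit adds exactly this guard for the sibling `ext_processors` table in pfkey_msg_interp at L155, so the parser should get the same treatment. A guard of the form `if(ext_parsers[pfkey_ext->sadb_ext_type] == NULL) { ERROR("pfkey_msg_parse: " "no parser for ext type %d.\n", pfkey_ext->sadb_ext_type); SENDERR(EINVAL); }` placed before the parser call closes the gap. pfkey_msg_parse starts and ends outside these hunks.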
@@ -51572,8 +50571,7 @@ packaging/utils/kernelpatch 2.6 + while( (remain * IPSEC_PFKEYv2_ALIGN) >= sizeof(struct sadb_ext) ) { + /* Is there enough message left to support another extension header? */ + if(remain < pfkey_ext->sadb_ext_len) { -+ DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, -+ "pfkey_msg_parse: " ++ ERROR("pfkey_msg_parse: " + "remain %d less than ext len %d.\n", + remain, pfkey_ext->sadb_ext_len); + SENDERR(EINVAL); @@ -51588,8 +50586,7 @@ packaging/utils/kernelpatch 2.6 + + /* Is the extension header type valid? */ + if((pfkey_ext->sadb_ext_type > SADB_EXT_MAX) || (!pfkey_ext->sadb_ext_type)) { -+ DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, -+ "pfkey_msg_parse: " ++ ERROR("pfkey_msg_parse: " + "ext type %d(%s) invalid, SADB_EXT_MAX=%d.\n", + pfkey_ext->sadb_ext_type, + pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type), @@ -51600,8 +50597,7 @@ packaging/utils/kernelpatch 2.6 + /* Have we already seen this type of extension? */ + if((extensions_seen & ( 1 << pfkey_ext->sadb_ext_type )) != 0) + { -+ DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, -+ "pfkey_msg_parse: " ++ ERROR("pfkey_msg_parse: " + "ext type %d(%s) already seen.\n", + pfkey_ext->sadb_ext_type, + pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type)); @@ -51620,8 +50616,7 @@ packaging/utils/kernelpatch 2.6 + /* Is this type of extension permitted for this type of message? */ + if(!(extensions_bitmaps[dir][EXT_BITS_PERM][pfkey_msg->sadb_msg_type] & + 1<sadb_ext_type)) { -+ DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, -+ "pfkey_msg_parse: " ++ ERROR("pfkey_msg_parse: " + "ext type %d(%s) not permitted, exts_perm_in=%08x, 1<sadb_ext_type, + pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type), 
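Review bot: Every malformed-message rejection in pfkey_msg_parse now goes through `ERROR(...)` instead of `DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, ...)`, and the same substitution is made in the hunks at L139, L140 and L141. These branches are driven entirely by what arrives on the PF_KEY socket, so a buggy or misbehaving sender can now produce an unbounded stream of log lines where before the output was presumably gated by `pfkey_lib_debug`; the removed $Log entry for revision 1.65 later on this page already notes that this "should be rate limited". Since `ERROR` appears to dispatch through the `pfkey_error_func` pointer declared at the top of this file, the least invasive fix is to rate-limit in the function installed there (on the kernel side something of the form `if (net_ratelimit()) ...`), or to keep `DEBUGGING` for the purely malformed-input cases and reserve `ERROR` for internal failures. The enclosing loop of pfkey_msg_parse starts and ends outside these hunks.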
@@ -51643,8 +50638,7 @@ packaging/utils/kernelpatch 2.6 + /* Parse the extension */ + if((error = + (*ext_parsers[pfkey_ext->sadb_ext_type]->parser)(pfkey_ext))) { -+ DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, -+ "pfkey_msg_parse: " ++ ERROR("pfkey_msg_parse: " + "extension parsing for type %d(%s) failed with error %d.\n", + pfkey_ext->sadb_ext_type, + pfkey_v2_sadb_ext_string(pfkey_ext->sadb_ext_type), @@ -51699,8 +50693,7 @@ packaging/utils/kernelpatch 2.6 + if((extensions_seen & + extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]) != + extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type]) { -+ DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, -+ "pfkey_msg_parse: " ++ ERROR("pfkey_msg_parse: " + "required extensions missing:%08x.\n", + extensions_bitmaps[dir][EXT_BITS_REQ][pfkey_msg->sadb_msg_type] - + (extensions_seen & @@ -51709,8 +50702,8 @@ packaging/utils/kernelpatch 2.6 + } + + if((dir == EXT_BITS_IN) && (pfkey_msg->sadb_msg_type == SADB_X_DELFLOW) -+ && ((extensions_seen & SADB_X_EXT_ADDRESS_DELFLOW) -+ != SADB_X_EXT_ADDRESS_DELFLOW) ++ && ((extensions_seen & K_SADB_X_EXT_ADDRESS_DELFLOW) ++ != K_SADB_X_EXT_ADDRESS_DELFLOW) + && (((extensions_seen & (1<sadb_sa_flags + & SADB_X_SAFLAGS_CLEARFLOW) @@ -51718,8 +50711,8 @@ packaging/utils/kernelpatch 2.6 + DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, + "pfkey_msg_parse: " + "required SADB_X_DELFLOW extensions missing: either %08x must be present or %08x must be present with SADB_X_SAFLAGS_CLEARFLOW set.\n", -+ SADB_X_EXT_ADDRESS_DELFLOW -+ - (extensions_seen & SADB_X_EXT_ADDRESS_DELFLOW), ++ K_SADB_X_EXT_ADDRESS_DELFLOW ++ - (extensions_seen & K_SADB_X_EXT_ADDRESS_DELFLOW), + (1<sadb_sa_state != -+ SADB_SASTATE_MATURE) { ++ K_SADB_SASTATE_MATURE) { + DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, + "pfkey_msg_parse: " + "state=%d for add or update should be MATURE=%d.\n", + ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state, -+ SADB_SASTATE_MATURE); ++ K_SADB_SASTATE_MATURE); + SENDERR(EINVAL); + } + 
@@ -51744,15 +50737,13 @@ packaging/utils/kernelpatch 2.6 + if(!(((struct sadb_sa*)extensions[SADB_EXT_SA]) && + ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_auth != + SADB_AALG_NONE)) { -+ DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, -+ "pfkey_msg_parse: " ++ ERROR("pfkey_msg_parse: " + "auth alg is zero, must be non-zero for AH SAs.\n"); + SENDERR(EINVAL); + } + if(((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_encrypt != + SADB_EALG_NONE) { -+ DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, -+ "pfkey_msg_parse: " ++ ERROR("pfkey_msg_parse: " + "AH handed encalg=%d, must be zero.\n", + ((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_encrypt); + SENDERR(EINVAL); @@ -51762,8 +50753,7 @@ packaging/utils/kernelpatch 2.6 + if(!(((struct sadb_sa*)extensions[SADB_EXT_SA]) && + ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt != + SADB_EALG_NONE)) { -+ DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, -+ "pfkey_msg_parse: " ++ ERROR("pfkey_msg_parse: " + "encrypt alg=%d is zero, must be non-zero for ESP=%d SAs.\n", + ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt, + ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype); @@ -51773,8 +50763,7 @@ packaging/utils/kernelpatch 2.6 + SADB_EALG_NULL) && + (((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_auth == + SADB_AALG_NONE) ) { -+ DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, -+ "pfkey_msg_parse: " ++ ERROR("pfkey_msg_parse: " + "ESP handed encNULL+authNONE, illegal combination.\n"); + SENDERR(EINVAL); + } @@ -51783,8 +50772,7 @@ packaging/utils/kernelpatch 2.6 + if(!(((struct sadb_sa*)extensions[SADB_EXT_SA]) && + ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt != + SADB_EALG_NONE)) { -+ DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, -+ "pfkey_msg_parse: " ++ ERROR("pfkey_msg_parse: " + "encrypt alg=%d is zero, must be non-zero for COMP=%d SAs.\n", + ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_encrypt, + ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype); 
@@ -51792,8 +50780,7 @@ packaging/utils/kernelpatch 2.6 + } + if(((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_auth != + SADB_AALG_NONE) { -+ DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, -+ "pfkey_msg_parse: " ++ ERROR("pfkey_msg_parse: " + "COMP handed auth=%d, must be zero.\n", + ((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_auth); + SENDERR(EINVAL); @@ -51802,9 +50789,9 @@ packaging/utils/kernelpatch 2.6 + default: + break; + } ++ + if(ntohl(((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_spi) <= 255) { -+ DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM, -+ "pfkey_msg_parse: " ++ ERROR("pfkey_msg_parse: " + "spi=%08x must be > 255.\n", + ntohl(((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_sa_spi)); + SENDERR(EINVAL); 
@@ -51812,258 +50799,12 @@ packaging/utils/kernelpatch 2.6 + default: + break; + } -+errlab: + ++errlab: + return error; +} + +/* -+ * $Log: pfkey_v2_parse.c,v $ -+ * Revision 1.65 2005/04/06 17:46:05 mcr -+ * failure to recognize an extension is considered an error. -+ * This could be a problem in the future, but we need some kind -+ * of logging. This should be rate limited, probably. -+ * -+ * Revision 1.64 2005/01/26 00:50:35 mcr -+ * adjustment of confusion of CONFIG_IPSEC_NAT vs CONFIG_KLIPS_NAT, -+ * and make sure that NAT_TRAVERSAL is set as well to match -+ * userspace compiles of code. -+ * -+ * Revision 1.63 2004/10/28 22:54:10 mcr -+ * results from valgrind, thanks to: Harald Hoyer -+ * -+ * Revision 1.62 2004/10/03 01:26:36 mcr -+ * fixes for gcc 3.4 compilation. -+ * -+ * Revision 1.61 2004/07/10 19:11:18 mcr -+ * CONFIG_IPSEC -> CONFIG_KLIPS. -+ * -+ * Revision 1.59 2004/04/18 03:03:49 mcr -+ * renamed common include files from pluto directory. -+ * -+ * Revision 1.58 2004/03/08 01:59:08 ken -+ * freeswan.h -> openswan.h -+ * -+ * Revision 1.57 2003/12/10 01:20:19 mcr -+ * NAT-traversal patches to KLIPS. -+ * -+ * Revision 1.56 2003/12/04 23:01:12 mcr -+ * removed ipsec_netlink.h -+ * -+ * Revision 1.55 2003/11/07 01:30:37 ken -+ * Cast sizeof() to int to keep things 64bit clean -+ * -+ * Revision 1.54 2003/10/31 02:27:12 mcr -+ * pulled up port-selector patches and sa_id elimination. -+ * -+ * Revision 1.53.20.2 2003/10/29 01:11:32 mcr -+ * added debugging for pfkey library. -+ * -+ * Revision 1.53.20.1 2003/09/21 13:59:44 mcr -+ * pre-liminary X.509 patch - does not yet pass tests. -+ * -+ * Revision 1.53 2003/01/30 02:32:09 rgb -+ * -+ * Rename SAref table macro names for clarity. -+ * Convert IPsecSAref_t from signed to unsigned to fix apparent SAref exhaustion bug. -+ * -+ * Revision 1.52 2002/12/30 06:53:07 mcr -+ * deal with short SA structures... #if 0 out for now. Probably -+ * not quite the right way. 
-+ * -+ * Revision 1.51 2002/12/13 18:16:02 mcr -+ * restored sa_ref code -+ * -+ * Revision 1.50 2002/12/13 18:06:52 mcr -+ * temporarily removed sadb_x_sa_ref reference for 2.xx -+ * -+ * Revision 1.49 2002/10/05 05:02:58 dhr -+ * -+ * C labels go on statements -+ * -+ * Revision 1.48 2002/09/20 15:40:45 rgb -+ * Added sadb_x_sa_ref to struct sadb_sa. -+ * -+ * Revision 1.47 2002/09/20 05:01:31 rgb -+ * Fixed usage of pfkey_lib_debug. -+ * Format for function declaration style consistency. -+ * Added text labels to elucidate numeric values presented. -+ * Re-organised debug output to reduce noise in output. -+ * -+ * Revision 1.46 2002/07/24 18:44:54 rgb -+ * Type fiddling to tame ia64 compiler. -+ * -+ * Revision 1.45 2002/05/23 07:14:11 rgb -+ * Cleaned up %p variants to 0p%p for test suite cleanup. -+ * -+ * Revision 1.44 2002/04/24 07:55:32 mcr -+ * #include patches and Makefiles for post-reorg compilation. -+ * -+ * Revision 1.43 2002/04/24 07:36:40 mcr -+ * Moved from ./lib/pfkey_v2_parse.c,v -+ * -+ * Revision 1.42 2002/01/29 22:25:36 rgb -+ * Re-add ipsec_kversion.h to keep MALLOC happy. -+ * -+ * Revision 1.41 2002/01/29 01:59:10 mcr -+ * removal of kversions.h - sources that needed it now use ipsec_param.h. -+ * updating of IPv6 structures to match latest in6.h version. -+ * removed dead code from openswan.h that also duplicated kversions.h -+ * code. -+ * -+ * Revision 1.40 2002/01/20 20:34:50 mcr -+ * added pfkey_v2_sadb_type_string to decode sadb_type to string. -+ * -+ * Revision 1.39 2001/11/27 05:29:22 mcr -+ * pfkey parses are now maintained by a structure -+ * that includes their name for debug purposes. -+ * DEBUGGING() macro changed so that it takes a debug -+ * level so that pf_key() can use this to decode the -+ * structures without innundanting humans. -+ * Also uses pfkey_v2_sadb_ext_string() in messages. -+ * -+ * Revision 1.38 2001/11/06 19:47:47 rgb -+ * Added packet parameter to lifetime and comb structures. 
-+ * -+ * Revision 1.37 2001/10/18 04:45:24 rgb -+ * 2.4.9 kernel deprecates linux/malloc.h in favour of linux/slab.h, -+ * lib/openswan.h version macros moved to lib/kversions.h. -+ * Other compiler directive cleanups. -+ * -+ * Revision 1.36 2001/06/14 19:35:16 rgb -+ * Update copyright date. -+ * -+ * Revision 1.35 2001/05/03 19:44:51 rgb -+ * Standardise on SENDERR() macro. -+ * -+ * Revision 1.34 2001/03/16 07:41:51 rgb -+ * Put openswan.h include before pluto includes. -+ * -+ * Revision 1.33 2001/02/27 07:13:51 rgb -+ * Added satype2name() function. -+ * Added text to default satype_tbl entry. -+ * Added satype2name() conversions for most satype debug output. -+ * -+ * Revision 1.32 2001/02/26 20:01:09 rgb -+ * Added internal IP protocol 61 for magic SAs. -+ * Ditch unused sadb_satype2proto[], replaced by satype2proto(). -+ * Re-formatted debug output (split lines, consistent spacing). -+ * Removed acquire, register and expire requirements for a known satype. -+ * Changed message type checking to a switch structure. -+ * Verify expected NULL auth for IPCOMP. -+ * Enforced spi > 0x100 requirement, now that pass uses a magic SA for -+ * appropriate message types. -+ * -+ * Revision 1.31 2000/12/01 07:09:00 rgb -+ * Added ipcomp sanity check to require encalgo is set. -+ * -+ * Revision 1.30 2000/11/17 18:10:30 rgb -+ * Fixed bugs mostly relating to spirange, to treat all spi variables as -+ * network byte order since this is the way PF_KEYv2 stored spis. -+ * -+ * Revision 1.29 2000/10/12 00:02:39 rgb -+ * Removed 'format, ##' nonsense from debug macros for RH7.0. -+ * -+ * Revision 1.28 2000/09/20 16:23:04 rgb -+ * Remove over-paranoid extension check in the presence of sadb_msg_errno. -+ * -+ * Revision 1.27 2000/09/20 04:04:21 rgb -+ * Changed static functions to DEBUG_NO_STATIC to reveal function names in -+ * oopsen. -+ * -+ * Revision 1.26 2000/09/15 11:37:02 rgb -+ * Merge in heavily modified Svenning Soerensen's -+ * IPCOMP zlib deflate code. 
-+ * -+ * Revision 1.25 2000/09/12 22:35:37 rgb -+ * Restructured to remove unused extensions from CLEARFLOW messages. -+ * -+ * Revision 1.24 2000/09/12 18:59:54 rgb -+ * Added Gerhard's IPv6 support to pfkey parts of libopenswan. -+ * -+ * Revision 1.23 2000/09/12 03:27:00 rgb -+ * Moved DEBUGGING definition to compile kernel with debug off. -+ * -+ * Revision 1.22 2000/09/09 06:39:27 rgb -+ * Restrict pfkey errno check to downward messages only. -+ * -+ * Revision 1.21 2000/09/08 19:22:34 rgb -+ * Enabled pfkey_sens_parse(). -+ * Added check for errno on downward acquire messages only. -+ * -+ * Revision 1.20 2000/09/01 18:48:23 rgb -+ * Fixed reserved check bug and added debug output in -+ * pfkey_supported_parse(). -+ * Fixed debug output label bug in pfkey_ident_parse(). -+ * -+ * Revision 1.19 2000/08/27 01:55:26 rgb -+ * Define OCTETBITS and PFKEYBITS to avoid using 'magic' numbers in code. -+ * -+ * Revision 1.18 2000/08/24 17:00:36 rgb -+ * Ignore unknown extensions instead of failing. -+ * -+ * Revision 1.17 2000/06/02 22:54:14 rgb -+ * Added Gerhard Gessler's struct sockaddr_storage mods for IPv6 support. -+ * -+ * Revision 1.16 2000/05/10 19:25:11 rgb -+ * Fleshed out proposal and supported extensions. -+ * -+ * Revision 1.15 2000/01/24 21:15:31 rgb -+ * Added disabled pluto pfkey lib debug flag. -+ * Added algo debugging reporting. -+ * -+ * Revision 1.14 2000/01/22 23:24:29 rgb -+ * Added new functions proto2satype() and satype2proto() and lookup -+ * table satype_tbl. Also added proto2name() since it was easy. -+ * -+ * Revision 1.13 2000/01/21 09:43:59 rgb -+ * Cast ntohl(spi) as (unsigned long int) to shut up compiler. -+ * -+ * Revision 1.12 2000/01/21 06:28:19 rgb -+ * Added address cases for eroute flows. -+ * Indented compiler directives for readability. -+ * Added klipsdebug switching capability. -+ * -+ * Revision 1.11 1999/12/29 21:14:59 rgb -+ * Fixed debug text cut and paste typo. 
-+ * -+ * Revision 1.10 1999/12/10 17:45:24 rgb -+ * Added address debugging. -+ * -+ * Revision 1.9 1999/12/09 23:11:42 rgb -+ * Ditched include since we no longer use memset(). -+ * Use new pfkey_extensions_init() instead of memset(). -+ * Added check for SATYPE in pfkey_msg_build(). -+ * Tidy up comments and debugging comments. -+ * -+ * Revision 1.8 1999/12/07 19:55:26 rgb -+ * Removed unused first argument from extension parsers. -+ * Removed static pluto debug flag. -+ * Moved message type and state checking to pfkey_msg_parse(). -+ * Changed print[fk] type from lx to x to quiet compiler. -+ * Removed redundant remain check. -+ * Changed __u* types to uint* to avoid use of asm/types.h and -+ * sys/types.h in userspace code. -+ * -+ * Revision 1.7 1999/12/01 22:20:51 rgb -+ * Moved pfkey_lib_debug variable into the library. -+ * Added pfkey version check into header parsing. -+ * Added check for SATYPE only for those extensions that require a -+ * non-zero value. -+ * -+ * Revision 1.6 1999/11/27 11:58:05 rgb -+ * Added ipv6 headers. -+ * Moved sadb_satype2proto protocol lookup table from -+ * klips/net/ipsec/pfkey_v2_parser.c. -+ * Enable lifetime_current checking. -+ * Debugging error messages added. -+ * Add argument to pfkey_msg_parse() for direction. -+ * Consolidated the 4 1-d extension bitmap arrays into one 4-d array. -+ * Add CVS log entry to bottom of file. -+ * Moved auth and enc alg check to pfkey_msg_parse(). -+ * Enable accidentally disabled spirange parsing. -+ * Moved protocol/algorithm checks from klips/net/ipsec/pfkey_v2_parser.c -+ * + * Local variables: + * c-file-style: "linux" + * End: @@ -52071,7 +50812,7 @@ packaging/utils/kernelpatch 2.6 + */ --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/net/ipsec/pfkey_v2_parser.c Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,3520 @@ +@@ -0,0 +1,3543 @@ +/* + * @(#) RFC2367 PF_KEYv2 Key management API message parser + * Copyright (C) 1999, 2000, 2001 Richard Guy Briggs 
@@ -52086,14 +50827,14 @@ packaging/utils/kernelpatch 2.6 + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * -+ * RCSID $Id: pfkey_v2_parser.c,v 1.134.2.2 2006/10/06 21:39:26 paul Exp $ ++ * RCSID $Id: pfkey_v2_parser.c,v 1.134 2005/05/11 01:48:20 mcr Exp $ + */ + +/* + * Template from klips/net/ipsec/ipsec/ipsec_netlink.c. + */ + -+char pfkey_v2_parser_c_version[] = "$Id: pfkey_v2_parser.c,v 1.134.2.2 2006/10/06 21:39:26 paul Exp $"; ++char pfkey_v2_parser_c_version[] = "$Id: pfkey_v2_parser.c,v 1.134 2005/05/11 01:48:20 mcr Exp $"; + +#ifndef AUTOCONF_INCLUDED +#include @@ -52128,9 +50869,12 @@ packaging/utils/kernelpatch 2.6 +# include /* *lock* */ +# endif /* SPINLOCK_23 */ +#endif /* SPINLOCK */ -+ -+#include -+#include ++#ifdef NET_21 ++# include /* inet_addr_type */ ++# include ++# define ip_chk_addr inet_addr_type ++# define IS_MYADDR RTN_LOCAL ++#endif + +#include +#ifdef NETLINK_SOCK @@ -52153,8 +50897,8 @@ packaging/utils/kernelpatch 2.6 +#include "openswan/ipsec_rcv.h" +#include "openswan/ipcomp.h" + -+#include -+#include ++#include ++#include + +#include "openswan/ipsec_proto.h" +#include "openswan/ipsec_alg.h" @@ -52258,8 +51002,10 @@ packaging/utils/kernelpatch 2.6 +DEBUG_NO_STATIC int +pfkey_ipsec_sa_init(struct ipsec_sa *ipsp) +{ -+ -+ return ipsec_sa_init(ipsp); ++ int rc; ++ KLIPS_PRINT(debug_pfkey, "Calling SA_INIT\n"); ++ rc = ipsec_sa_init(ipsp); ++ return rc; +} + +int @@ -52360,7 +51106,7 @@ packaging/utils/kernelpatch 2.6 + SENDERR(EEXIST); + } + -+ if(inet_addr_type((unsigned long)extr->ips->ips_said.dst.u.v4.sin_addr.s_addr) == RTN_LOCAL) { ++ if(ip_chk_addr((unsigned long)extr->ips->ips_said.dst.u.v4.sin_addr.s_addr) == IS_MYADDR) { + extr->ips->ips_flags |= EMT_INBOUND; + } + 
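Review bot: The new `#ifdef NET_21` block reintroduces `ip_chk_addr`/`IS_MYADDR` as macros over `inet_addr_type`/`RTN_LOCAL`, and the call sites in the `@@ -52360` hunk here and in the hunks at L148 and L150 are rewritten back to the old names; the removed $Log entry for 1.134.2.1 on this page says the direct names were adopted "for more direct 2.4/2.6 support", so this reads as a regression that also leaves the calls undefined when NET_21 is not set. Using `inet_addr_type(...) == RTN_LOCAL` directly at the three call sites, as the superseded patch did, avoids the indirection. The `(unsigned long)` cast on a 32-bit address also looks unnecessary if inet_addr_type takes a 32-bit argument in the kernel headers in use — worth confirming.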
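Review bot: The trace added to pfkey_ipsec_sa_init, `KLIPS_PRINT(debug_pfkey, "Calling SA_INIT\n");`, omits the `klips_debug:<function>: ` prefix that every other KLIPS_PRINT on this page carries, which makes it the one line that cannot be grepped back to its origin. `KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_ipsec_sa_init: calling ipsec_sa_init.\n");` matches the house style; the `rc` temporary is fine but adds nothing over `return ipsec_sa_init(ipsp);`.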
@@ -52374,7 +51120,7 @@ packaging/utils/kernelpatch 2.6 + extr->ips->ips_rcvif = NULL; + extr->ips->ips_life.ipl_addtime.ipl_count = jiffies/HZ; + -+ extr->ips->ips_state = SADB_SASTATE_LARVAL; ++ extr->ips->ips_state = K_SADB_SASTATE_LARVAL; + + if(!extr->ips->ips_life.ipl_allocations.ipl_count) { + extr->ips->ips_life.ipl_allocations.ipl_count += 1; @@ -52391,7 +51137,7 @@ packaging/utils/kernelpatch 2.6 + SADB_EXT_SA, + extr->ips->ips_said.spi, + 0, -+ SADB_SASTATE_LARVAL, ++ K_SADB_SASTATE_LARVAL, + 0, + 0, + 0, @@ -52479,12 +51225,12 @@ packaging/utils/kernelpatch 2.6 + + pfkey_extensions_init(extensions_reply); + -+ if(((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state != SADB_SASTATE_MATURE) { ++ if(((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state != K_SADB_SASTATE_MATURE) { + KLIPS_PRINT(debug_pfkey, + "klips_debug:pfkey_update_parse: " + "error, sa_state=%d must be MATURE=%d\n", + ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state, -+ SADB_SASTATE_MATURE); ++ K_SADB_SASTATE_MATURE); + SENDERR(EINVAL); + } + @@ -52509,7 +51255,7 @@ packaging/utils/kernelpatch 2.6 + SENDERR(ENOENT); + } + -+ if(inet_addr_type((unsigned long)extr->ips->ips_said.dst.u.v4.sin_addr.s_addr) == RTN_LOCAL) { ++ if(ip_chk_addr((unsigned long)extr->ips->ips_said.dst.u.v4.sin_addr.s_addr) == IS_MYADDR) { + extr->ips->ips_flags |= EMT_INBOUND; + } + 
@@ -52544,35 +51290,27 @@ packaging/utils/kernelpatch 2.6 + nat_t_ips_saved = extr->ips; + extr->ips = ipsq; + } -+ else { ++ else +#endif ++ { + -+ /* XXX extr->ips->ips_rcvif = &(enc_softc[em->em_if].enc_if);*/ -+ extr->ips->ips_rcvif = NULL; -+ if ((error = pfkey_ipsec_sa_init(extr->ips))) { -+ ipsec_sa_put(ipsq); -+ spin_unlock_bh(&tdb_lock); -+ KLIPS_PRINT(debug_pfkey, -+ "klips_debug:pfkey_update_parse: " -+ "not successful for SA: %s, deleting.\n", -+ sa_len ? sa : " (error)"); -+ SENDERR(-error); -+ } ++ /* XXX extr->ips->ips_rcvif = &(enc_softc[em->em_if].enc_if);*/ ++ extr->ips->ips_rcvif = NULL; ++ if ((error = pfkey_ipsec_sa_init(extr->ips))) { ++ ipsec_sa_put(ipsq); ++ spin_unlock_bh(&tdb_lock); ++ KLIPS_PRINT(debug_pfkey, ++ "klips_debug:pfkey_update_parse: " ++ "not successful for SA: %s, deleting.\n", ++ sa_len ? sa : " (error)"); ++ SENDERR(-error); ++ } + -+ extr->ips->ips_life.ipl_addtime.ipl_count = ipsq->ips_life.ipl_addtime.ipl_count; -+ ipsec_sa_put(ipsq); -+ if((error = ipsec_sa_delchain(ipsq))) { -+ spin_unlock_bh(&tdb_lock); -+ KLIPS_PRINT(debug_pfkey, -+ "klips_debug:pfkey_update_parse: " -+ "error=%d, trouble deleting intermediate ipsec_sa for SA=%s.\n", -+ error, -+ sa_len ? sa : " (error)"); -+ SENDERR(-error); -+ } -+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL ++ extr->ips->ips_life.ipl_addtime.ipl_count = ipsq->ips_life.ipl_addtime.ipl_count; ++ ++ /* this will call delchain-equivalent if refcount=>0 */ ++ ipsec_sa_put(ipsq); + } -+#endif + + spin_unlock_bh(&tdb_lock); + 
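Review bot: Splitting `else` and its `{` across the `#endif` in pfkey_update_parse makes the NAT-T and non-NAT-T shapes of the function hard to read, and any statement later inserted between them will compile differently per configuration. A local flag set in the NAT-T branch and tested by a plain `if` afterwards keeps each configuration's control flow visible on its own; the new comment `/* this will call delchain-equivalent if refcount=>0 */` should also read `-> 0`, as the matching comment in pfkey_delete_parse does. The function starts and ends outside the hunk.
```c
	/* … unchanged: NAT-T rekey branch … */
		nat_t_ips_saved = extr->ips;
		extr->ips = ipsq;
		nat_t_handled = 1;	/* declared as 'int nat_t_handled = 0;' with the other locals */
	}
#endif
	if (!nat_t_handled) {
		/* … unchanged: pfkey_ipsec_sa_init, lifetime copy, ipsec_sa_put(ipsq) … */
	}
```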
@@ -52758,12 +51496,12 @@ packaging/utils/kernelpatch 2.6 + + pfkey_extensions_init(extensions_reply); + -+ if(((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state != SADB_SASTATE_MATURE) { ++ if(((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state != K_SADB_SASTATE_MATURE) { + KLIPS_PRINT(debug_pfkey, + "klips_debug:pfkey_add_parse: " + "error, sa_state=%d must be MATURE=%d\n", + ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state, -+ SADB_SASTATE_MATURE); ++ K_SADB_SASTATE_MATURE); + SENDERR(EINVAL); + } + @@ -52786,7 +51524,7 @@ packaging/utils/kernelpatch 2.6 + SENDERR(EEXIST); + } + -+ if(inet_addr_type((unsigned long)extr->ips->ips_said.dst.u.v4.sin_addr.s_addr) == RTN_LOCAL) { ++ if(ip_chk_addr((unsigned long)extr->ips->ips_said.dst.u.v4.sin_addr.s_addr) == IS_MYADDR) { + extr->ips->ips_flags |= EMT_INBOUND; + } + @@ -52807,6 +51545,28 @@ packaging/utils/kernelpatch 2.6 + SENDERR(-error); + } + ++#if 0 ++ /* extensions would provide this information, but not in this branch */ ++ if(extr->sarefme!=IPSEC_SAREF_NULL ++ && extr->ips->ips_ref==IPSEC_SAREF_NULL) { ++ extr->ips->ips_ref=extr->sarefme; ++ } ++ ++ if(extr->sarefhim!=IPSEC_SAREF_NULL ++ && extr->ips->ips_refhim==IPSEC_SAREF_NULL) { ++ extr->ips->ips_refhim=extr->sarefhim; ++ } ++#endif ++ ++ /* attach it to the SAref table */ ++ if((error = ipsec_sa_intern(extr->ips)) != 0) { ++ KLIPS_ERROR(debug_pfkey, ++ "pfkey_add_parse: " ++ "failed to intern SA as SAref#%lu\n" ++ , (unsigned long)extr->ips->ips_ref); ++ SENDERR(-error); ++ } ++ + extr->ips->ips_life.ipl_addtime.ipl_count = jiffies / HZ; + if(!extr->ips->ips_life.ipl_allocations.ipl_count) { + extr->ips->ips_life.ipl_allocations.ipl_count += 1; @@ -52927,6 +51687,7 @@ packaging/utils/kernelpatch 2.6 + error); + SENDERR(-error); + } ++ ipsec_sa_put(extr->ips); + extr->ips = NULL; + + KLIPS_PRINT(debug_pfkey, 
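Review bot: The freshly added `#if 0 … #endif` block in pfkey_add_parse is dead code the commit introduces rather than removes; its own comment says the `sarefme`/`sarefhim` extensions are "not in this branch", so the block should go and, if the intent must be recorded, shrink to `/* SAref hints from extensions are not wired up in this branch */`. In the `KLIPS_ERROR` call that follows, the argument comma sits at the start of the continuation line (`, (unsigned long)extr->ips->ips_ref);`), which no other call on this page does. pfkey_add_parse starts and ends outside the hunk.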
@@ -52953,6 +51714,7 @@ packaging/utils/kernelpatch 2.6 + struct sadb_msg *pfkey_reply = NULL; + struct socket_list *pfkey_socketsp; + uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype; ++ IPsecSAref_t ref; + + KLIPS_PRINT(debug_pfkey, + "klips_debug:pfkey_delete_parse: .\n"); @@ -52980,16 +51742,14 @@ packaging/utils/kernelpatch 2.6 + SENDERR(ESRCH); + } + ++ /* remove it from SAref tables */ ++ ref = ipsp->ips_ref; ++ ipsec_sa_untern(ipsp); ++ ipsec_sa_rm(ipsp); ++ ++ /* this will call delchain-equivalent if refcount -> 0 ++ * noting that get() above, added to ref count */ + ipsec_sa_put(ipsp); -+ if((error = ipsec_sa_delchain(ipsp))) { -+ spin_unlock_bh(&tdb_lock); -+ KLIPS_PRINT(debug_pfkey, -+ "klips_debug:pfkey_delete_parse: " -+ "error=%d returned trying to delete ipsec_sa for SA:%s.\n", -+ error, -+ sa_len ? sa : " (error)"); -+ SENDERR(-error); -+ } + spin_unlock_bh(&tdb_lock); + + if(!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions_reply[0], @@ -53007,7 +51767,7 @@ packaging/utils/kernelpatch 2.6 + 0, + 0, + 0, -+ extr->ips->ips_ref), ++ ref), + extensions_reply) + && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_SRC], + SADB_EXT_ADDRESS_SRC, @@ -53914,8 +52674,8 @@ packaging/utils/kernelpatch 2.6 + buf1, buf2); + } +#endif /* CONFIG_KLIPS_DEBUG */ -+ + if(extr->ips->ips_flags & SADB_X_SAFLAGS_INFLOW) { ++/* if(ip_chk_addr((unsigned long)extr->ips->ips_said.dst.u.v4.sin_addr.s_addr) == IS_MYADDR) */ + struct ipsec_sa *ipsp, *ipsq; + char sa[SATOT_BUF]; + size_t sa_len; 
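Review bot: The delete path now calls `ipsec_sa_untern(ipsp)` and `ipsec_sa_rm(ipsp)` without looking at their results, where the replaced code checked `ipsec_sa_delchain` and reported `SENDERR(-error)`; if either helper can fail, the SADB_DELETE reply is now sent as a success regardless. If they are void or cannot fail, a one-line comment saying so, e.g. `/* untern/rm cannot fail once the SA was found under tdb_lock */`, would stop the next reader from re-adding a check. pfkey_delete_parse starts and ends outside the hunk.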
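Review bot: The new line `/* if(ip_chk_addr((unsigned long)extr->ips->ips_said.dst.u.v4.sin_addr.s_addr) == IS_MYADDR) */` inside pfkey_x_addflow_parse is commented-out code placed next to the `SADB_X_SAFLAGS_INFLOW` test it apparently replaced. It should be removed, or if the point is that the INFLOW flag is now the authority rather than a local-address lookup, stated as `/* inbound is decided by SADB_X_SAFLAGS_INFLOW, not by the destination being a local address */`. The function starts and ends outside the hunk.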
@@ -54002,14 +52762,14 @@ packaging/utils/kernelpatch 2.6 + "klips_debug:pfkey_x_addflow_parse: " + "first=0p%p HOLD packet re-injected.\n", + first); -+ DEV_QUEUE_XMIT(first, first->dev, SOPRI_NORMAL); ++ dst_output(first); + } + if(last != NULL) { + KLIPS_PRINT(debug_eroute, + "klips_debug:pfkey_x_addflow_parse: " + "last=0p%p HOLD packet re-injected.\n", + last); -+ DEV_QUEUE_XMIT(last, last->dev, SOPRI_NORMAL); ++ dst_output(last); + } + } + @@ -54150,11 +52910,12 @@ packaging/utils/kernelpatch 2.6 + KLIPS_PRINT(debug_pfkey, + "klips_debug:pfkey_x_delflow_parse: " + "CLEARFLOW flag set, calling cleareroutes.\n"); -+ if ((error = ipsec_cleareroutes())) ++ if ((error = ipsec_cleareroutes())) { + KLIPS_PRINT(debug_pfkey, + "klips_debug:pfkey_x_delflow_parse: " + "cleareroutes returned %d.\n", error); + SENDERR(-error); ++ } + } else { + struct sk_buff *first = NULL, *last = NULL; + 
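Review bot: `dst_output(first)` and `dst_output(last)` replace the `DEV_QUEUE_XMIT` re-injection of HOLD packets, which makes this path depend on `skb->dst` still being attached to skbs that were parked on the HOLD eroute; `dst_output` dereferences it unconditionally, so an skb queued without a route would oops here. Worth confirming at the point where HOLD packets are queued (outside this hunk), and guarding with `if (first->dst) dst_output(first); else kfree_skb(first);` if it cannot be guaranteed. The return value is discarded as before, which is consistent with the previous macro. pfkey_x_addflow_parse starts and ends outside the hunk.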
@@ -54208,48 +52969,59 @@ packaging/utils/kernelpatch 2.6 + } + } + -+ if(!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions_reply[0], -+ SADB_X_DELFLOW, -+ satype, -+ 0, -+ ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_seq, -+ ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid), -+ extensions_reply) -+ && pfkey_safe_build(error = pfkey_sa_ref_build(&extensions_reply[SADB_EXT_SA], -+ SADB_EXT_SA, -+ extr->ips->ips_said.spi, -+ extr->ips->ips_replaywin, -+ extr->ips->ips_state, -+ extr->ips->ips_authalg, -+ extr->ips->ips_encalg, -+ extr->ips->ips_flags, -+ extr->ips->ips_ref), -+ extensions_reply) -+ && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_SRC_FLOW], -+ SADB_X_EXT_ADDRESS_SRC_FLOW, -+ 0, /*extr->ips->ips_said.proto,*/ -+ 0, -+ (struct sockaddr*)&srcflow), -+ extensions_reply) -+ && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_DST_FLOW], -+ SADB_X_EXT_ADDRESS_DST_FLOW, -+ 0, /*extr->ips->ips_said.proto,*/ -+ 0, -+ (struct sockaddr*)&dstflow), -+ extensions_reply) -+ && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_SRC_MASK], -+ SADB_X_EXT_ADDRESS_SRC_MASK, -+ 0, /*extr->ips->ips_said.proto,*/ -+ 0, -+ (struct sockaddr*)&srcmask), -+ extensions_reply) -+ && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_DST_MASK], -+ SADB_X_EXT_ADDRESS_DST_MASK, -+ 0, /*extr->ips->ips_said.proto,*/ -+ 0, -+ (struct sockaddr*)&dstmask), -+ extensions_reply) -+ )) { ++ error = pfkey_msg_hdr_build(&extensions_reply[0], ++ SADB_X_DELFLOW, ++ satype, 0, ++ ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_seq, ++ ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid); ++ ++ if(pfkey_safe_build(error, extensions_reply)) { ++ error = pfkey_sa_ref_build(&extensions_reply[SADB_EXT_SA], ++ SADB_EXT_SA, ++ extr->ips->ips_said.spi, ++ extr->ips->ips_replaywin, ++ extr->ips->ips_state, ++ 
extr->ips->ips_authalg, ++ extr->ips->ips_encalg, ++ extr->ips->ips_flags, ++ extr->ips->ips_ref); ++ } ++ ++ if(!(extr->ips->ips_flags & SADB_X_SAFLAGS_CLEARFLOW)) { ++ if(pfkey_safe_build(error, extensions_reply)) { ++ error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_SRC_FLOW], ++ SADB_X_EXT_ADDRESS_SRC_FLOW, ++ 0, /*extr->ips->ips_said.proto,*/ ++ 0, ++ (struct sockaddr*)&srcflow); ++ } ++ ++ if(pfkey_safe_build(error, extensions_reply)) { ++ error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_DST_FLOW], ++ SADB_X_EXT_ADDRESS_DST_FLOW, ++ 0, /*extr->ips->ips_said.proto,*/ ++ 0, ++ (struct sockaddr*)&dstflow); ++ } ++ ++ if(pfkey_safe_build(error, extensions_reply)) { ++ error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_SRC_MASK], ++ SADB_X_EXT_ADDRESS_SRC_MASK, ++ 0, /*extr->ips->ips_said.proto,*/ ++ 0, ++ (struct sockaddr*)&srcmask); ++ } ++ ++ if(pfkey_safe_build(error, extensions_reply)) { ++ error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_DST_MASK], ++ SADB_X_EXT_ADDRESS_DST_MASK, ++ 0, /*extr->ips->ips_said.proto,*/ ++ 0, ++ (struct sockaddr*)&dstmask); ++ } ++ } ++ ++ if(!pfkey_safe_build(error, extensions_reply)) { + KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_delflow_parse: " + "failed to build the x_delflow reply message extensions\n"); + SENDERR(-error); @@ -54545,7 +53317,7 @@ packaging/utils/kernelpatch 2.6 + SENDERR(-error); + } + -+#if KLIPS_PFKEY_ACQUIRE_LOSSAGE > 0 ++#if defined(KLIPS_PFKEY_ACQUIRE_LOSSAGE) && KLIPS_PFKEY_ACQUIRE_LOSSAGE > 0 + if(sysctl_ipsec_regress_pfkey_lossage) { + return(0); + } @@ -54762,7 +53534,7 @@ packaging/utils/kernelpatch 2.6 + if (!extr || !extr->ips) { + KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_build_reply: " + "bad ipsec_sa passed\n"); -+ return EINVAL; ++ return EINVAL; // TODO: should this not be negative? + } + error = pfkey_safe_build(pfkey_msg_hdr_build(&extensions[0], + msg_type, 
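Review bot: `return EINVAL; // TODO: should this not be negative?` leaves an open question about the sign convention in committed code, in a file whose other comments are all `/* */`. If pfkey_v2_parser.c's SENDERR matches the one in pfkey_v2_parse.c (`error = -(_x)`), then callers wrapping a helper as `SENDERR(-error)` — as pfkey_add_parse does with `ipsec_sa_intern` on this page — propagate the helper's value unchanged, so a positive return from pfkey_build_reply would leave a positive errno where every direct `SENDERR(EINVAL)` yields a negative one. `return -EINVAL;` is then the consistent choice; if the callers differ, resolve the TODO in a `/* */` comment that states the convention instead of leaving the question in the tree. pfkey_build_reply starts and ends outside the hunk.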
@@ -54913,7 +53685,7 @@ packaging/utils/kernelpatch 2.6 + + /* Process the extensions */ + for(i=1; i <= SADB_EXT_MAX;i++) { -+ if(extensions[i] != NULL) { ++ if(extensions[i] != NULL && ext_processors[i]!=NULL) { + KLIPS_PRINT(debug_pfkey, + "klips_debug:pfkey_msg_interp: " + "processing ext %d 0p%p with processor 0p%p.\n", @@ -54954,10 +53726,10 @@ packaging/utils/kernelpatch 2.6 +#endif + errlab: + if(extr.ips != NULL) { -+ ipsec_sa_wipe(extr.ips); ++ ipsec_sa_put(extr.ips); + } + if(extr.ips2 != NULL) { -+ ipsec_sa_wipe(extr.ips2); ++ ipsec_sa_put(extr.ips2); + } + if (extr.eroute != NULL) { + kfree(extr.eroute); @@ -54967,14 +53739,6 @@ packaging/utils/kernelpatch 2.6 + +/* + * $Log: pfkey_v2_parser.c,v $ -+ * Revision 1.134.2.2 2006/10/06 21:39:26 paul -+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not -+ * set. This is defined through autoconf.h which is included through the -+ * linux kernel build macros. -+ * -+ * Revision 1.134.2.1 2006/05/01 14:37:25 mcr -+ * ip_chk_addr -> inet_addr_type for more direct 2.4/2.6 support. -+ * + * Revision 1.134 2005/05/11 01:48:20 mcr + * removed "poor-man"s OOP in favour of proper C structures. + * @@ -55594,7 +54358,7 @@ packaging/utils/kernelpatch 2.6 + */ --- /dev/null Tue Mar 11 13:02:56 2003 +++ linux/net/ipsec/prng.c Mon Feb 9 13:51:03 2004 -@@ -0,0 +1,201 @@ +@@ -0,0 +1,202 @@ +/* + * crypto-class pseudorandom number generator + * currently uses same algorithm as RC4(TM), from Schneier 2nd ed p397 @@ -55610,7 +54374,7 @@ packaging/utils/kernelpatch 2.6 + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public + * License for more details. + * -+ * RCSID $Id: prng.c,v 1.7 2004/07/10 07:48:36 mcr Exp $ ++ * RCSID $Id: prng.c,v 1.8 2005/08/25 01:20:21 paul Exp $ + */ +#include "openswan.h" + 
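Review bot: With the new `ext_processors[i]!=NULL` guard, an extension that the parser accepted but that has no processor in this build is dropped without any trace, which is exactly the NAT-T-disabled case the `NULL` table entries are there for. An `else if(extensions[i] != NULL)` branch with `KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_msg_interp: no processor for ext %d, ignored.\n", i);` keeps that case diagnosable. The loop body continues past the hunk.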
@@ -55662,7 +54426,7 @@ packaging/utils/kernelpatch 2.6
+ int i, j, t;
+ unsigned char *p = dst;
+ size_t remain = dstlen;
-+# define MAX 4000000000ul
++# define MAXCOUNT 4000000000ul
+
+ while (remain > 0) {
+ i = (prng->i + 1) & 0xff;
@@ -55676,10 +54440,10 @@ packaging/utils/kernelpatch 2.6
+ *p++ = prng->sbox[t];
+ remain--;
+ }
-+ if (prng->count < MAX - dstlen)
++ if (prng->count < MAXCOUNT - dstlen)
+ prng->count += dstlen;
+ else
-+ prng->count = MAX;
++ prng->count = MAXCOUNT;
+}
+
+/*
@@ -55713,6 +54477,7 @@ packaging/utils/kernelpatch 2.6
+#ifdef PRNG_MAIN
+
+#include
++#include
+
+void regress();
+
@@ -55798,8 +54563,8 @@ packaging/utils/kernelpatch 2.6
+#endif /* PRNG_MAIN */
 --- /dev/null Tue Mar 11 13:02:56 2003
 +++ linux/net/ipsec/radij.c Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,1237 @@
-+char radij_c_version[] = "RCSID $Id: radij.c,v 1.48.2.1 2006/10/06 21:39:27 paul Exp $";
+@@ -0,0 +1,1232 @@
++char radij_c_version[] = "RCSID $Id: radij.c,v 1.48 2005/04/29 05:10:22 mcr Exp $";
+
+/*
+ * This file is defived from ${SRC}/sys/net/radix.c of BSD 4.4lite
@@ -56807,11 +55572,6 @@ packaging/utils/kernelpatch 2.6
+
+/*
+ * $Log: radij.c,v $
-+ * Revision 1.48.2.1 2006/10/06 21:39:27 paul
-+ * Fix for 2.6.18+ only include linux/config.h if AUTOCONF_INCLUDED is not
-+ * set. This is defined through autoconf.h which is included through the
-+ * linux kernel build macros.
-+ *
+ * Revision 1.48 2005/04/29 05:10:22 mcr
+ * removed from extraenous includes to make unit testing easier.
+ *
@@ -57101,7 +55861,7 @@ packaging/utils/kernelpatch 2.6
+}
 --- /dev/null Tue Mar 11 13:02:56 2003
 +++ linux/net/ipsec/satot.c Mon Feb 9 13:51:03 2004
-@@ -0,0 +1,133 @@
+@@ -0,0 +1,134 @@
+/*
+ * convert from binary form of SA ID to text
+ * Copyright (C) 2000, 2001 Henry Spencer.
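Review bot: `# define MAXCOUNT 4000000000ul` sits inside the function body in prng.c, but the preprocessor has no block scope, so the macro stays defined for the rest of the translation unit, including the PRNG_MAIN test code further down; renaming it from MAX presumably sidesteps a clash with an existing macro of that name, but it does not limit its reach. Either add `#undef MAXCOUNT` right after the closing `+}` in the next hunk, or move the definition to file scope with the other constants and document there that it is the output byte count at which `prng->count` saturates. The enclosing function begins before this hunk.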
@@ -57198,6 +55958,7 @@ packaging/utils/kernelpatch 2.6
+ }
+
+ if (sa->proto == SA_INT) {
++ char intunk[10];
+ switch (ntohl(sa->spi)) {
+ case SPI_PASS: p = "%pass"; break;
+ case SPI_DROP: p = "%drop"; break;
@@ -57205,7 +55966,7 @@ packaging/utils/kernelpatch 2.6
+ case SPI_HOLD: p = "%hold"; break;
+ case SPI_TRAP: p = "%trap"; break;
+ case SPI_TRAPSUBNET: p = "%trapsubnet"; break;
-+ default: p = NULL; break;
++ default: snprintf(intunk, 10, "%%unk-%d", ntohl(sa->spi)); p = intunk; break;
+ }
+ if (p != NULL) {
+ strcpy(buf, p);
@@ -59091,7 +57852,7 @@ packaging/utils/kernelpatch 2.6
+
+#include "openswan.h"
+
-+#define V "2.4.8rc1" /* substituted in by Makefile */
++#define V "2.5.13" /* substituted in by Makefile */
+static const char openswan_number[] = V;
+static const char openswan_string[] = "Openswan " V;
+
@@ -59366,4 +58127,4 @@ packaging/utils/kernelpatch 2.6
 --- /dev/null Fri May 10 13:59:54 2002
 +++ linux/net/ipsec/Makefile.ver Sun Jul 28 22:10:40 2002
 @@ -0,0 +1 @@
-+IPSECVERSION=2.4.8rc1
++IPSECVERSION='2.5.13'
diff --git a/src/patches/openswan-2.4.8rc1.kernel-2.6-natt.patch b/src/patches/openswan-2.5.13.kernel-2.6-natt.patch
similarity index 98%
rename from src/patches/openswan-2.4.8rc1.kernel-2.6-natt.patch
rename to src/patches/openswan-2.5.13.kernel-2.6-natt.patch
index 9fdab418e4..d367edc04d 100644
--- a/src/patches/openswan-2.4.8rc1.kernel-2.6-natt.patch
+++ b/src/patches/openswan-2.5.13.kernel-2.6-natt.patch
@@ -68,7 +68,7 @@ packaging/utils/nattpatch 2.6
+ xfrm4_rcv_encap_func = NULL;
+ return 0;
+}
-+#endif /* CONFIG_XFRM || defined(CONFIG_IPSEC_NAT_TRAVERSAL)*/
++#endif /* CONFIG_XFRM_MODULE || CONFIG_IPSEC_NAT_TRAVERSAL */
+
+ /* return:
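Review bot: The new default branch in satot.c formats `"%%unk-%d"` with `ntohl(sa->spi)` into `char intunk[10]`, but `%unk-` followed by a 32-bit value needs up to 16 bytes (`%unk-4294967295`), so any SPI with more than four decimal digits is silently truncated, and `%d` is the wrong conversion for the unsigned result of ntohl (values with the top bit set print as negative). Declare `char intunk[sizeof "%unk-4294967295"];` in the first hunk and write `snprintf(intunk, sizeof intunk, "%%unk-%u", (unsigned)ntohl(sa->spi));` so the size and the format stay tied to the buffer. The text is copied to `buf` by the `strcpy(buf, p)` that follows, so the caller's buffer must also allow for the longer string; the enclosing function starts outside the hunk and I cannot see how `buf` is sized.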
