Module Name: src
Committed By: tteras
Date: Mon Mar 14 17:18:13 UTC 2011
Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c handler.c isakmp.c
isakmp_inf.c isakmp_quick.c nattraversal.c pfkey.c policy.c
sockmisc.c sockmisc.h throttle.c
Log Message:
Explicitly compare return value of cmpsaddr() against a return value
define to make it more obvious what is the intended action. One more
return value is also added, to fix comparison of security policy
descriptors. Namely, getsp() should not allow wildcard matching (as the
comment says, it does exact matching) - otherwise we get problems when
kernel has generic policy with no ports, and a second similar policy with
ports.
To generate a diff of this commit:
cvs rdiff -u -r1.27 -r1.28 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
cvs rdiff -u -r1.38 -r1.39 src/crypto/dist/ipsec-tools/src/racoon/handler.c
cvs rdiff -u -r1.69 -r1.70 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.45 -r1.46 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
cvs rdiff -u -r1.28 -r1.29 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c
cvs rdiff -u -r1.13 -r1.14 \
src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c
cvs rdiff -u -r1.55 -r1.56 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c
cvs rdiff -u -r1.11 -r1.12 src/crypto/dist/ipsec-tools/src/racoon/policy.c
cvs rdiff -u -r1.18 -r1.19 src/crypto/dist/ipsec-tools/src/racoon/sockmisc.c
cvs rdiff -u -r1.12 -r1.13 src/crypto/dist/ipsec-tools/src/racoon/sockmisc.h
cvs rdiff -u -r1.6 -r1.7 src/crypto/dist/ipsec-tools/src/racoon/throttle.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.27 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.28
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.27 Fri Dec 3 09:46:24 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c Mon Mar 14 17:18:12 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: grabmyaddr.c,v 1.27 2010/12/03 09:46:24 tteras Exp $ */
+/* $NetBSD: grabmyaddr.c,v 1.28 2011/03/14 17:18:12 tteras Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* Copyright (C) 2008 Timo Teras <[email protected]>.
@@ -100,7 +100,7 @@
return TRUE;
LIST_FOREACH(cfg, &configured, chain) {
- if (cmpsaddr(addr, (struct sockaddr *) &cfg->addr) == 0)
+ if (cmpsaddr(addr, (struct sockaddr *) &cfg->addr) <= CMPSADDR_WILDPORT_MATCH)
return TRUE;
}
@@ -116,7 +116,7 @@
/* Already open? */
LIST_FOREACH(my, &opened, chain) {
- if (cmpsaddr(addr, (struct sockaddr *) &my->addr) == 0)
+ if (cmpsaddr(addr, (struct sockaddr *) &my->addr) <= CMPSADDR_WILDPORT_MATCH)
return TRUE;
}
@@ -156,7 +156,7 @@
LIST_FOREACH(cfg, &configured, chain) {
if (addr != NULL &&
- cmpsaddr(addr, (struct sockaddr *) &cfg->addr) != 0)
+ cmpsaddr(addr, (struct sockaddr *) &cfg->addr) > CMPSADDR_WILDPORT_MATCH)
continue;
if (!myaddr_open((struct sockaddr *) &cfg->addr, cfg->udp_encap))
return FALSE;
@@ -262,7 +262,7 @@
struct myaddr *my;
LIST_FOREACH(my, &opened, chain) {
- if (cmpsaddr((struct sockaddr *) &my->addr, addr) == 0)
+ if (cmpsaddr((struct sockaddr *) &my->addr, addr) <= CMPSADDR_WILDPORT_MATCH)
return my->fd;
}
@@ -276,7 +276,7 @@
struct myaddr *my;
LIST_FOREACH(my, &opened, chain) {
- if (cmpsaddr((struct sockaddr *) &my->addr, addr) == 0)
+ if (cmpsaddr((struct sockaddr *) &my->addr, addr) <= CMPSADDR_WILDPORT_MATCH)
return extract_port((struct sockaddr *) &my->addr);
}
Index: src/crypto/dist/ipsec-tools/src/racoon/handler.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.38 src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.39
--- src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.38 Mon Mar 14 14:54:07 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.c Mon Mar 14 17:18:12 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: handler.c,v 1.38 2011/03/14 14:54:07 vanhu Exp $ */
+/* $NetBSD: handler.c,v 1.39 2011/03/14 17:18:12 tteras Exp $ */
/* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */
@@ -120,11 +120,11 @@
LIST_FOREACH(p, &ph1tree, chain) {
if (sel != NULL) {
if (sel->local != NULL &&
- cmpsaddr(sel->local, p->local) != 0)
+ cmpsaddr(sel->local, p->local) > CMPSADDR_WILDPORT_MATCH)
continue;
if (sel->remote != NULL &&
- cmpsaddr(sel->remote, p->remote) != 0)
+ cmpsaddr(sel->remote, p->remote) > CMPSADDR_WILDPORT_MATCH)
continue;
}
@@ -300,8 +300,8 @@
if (p->status < PHASE1ST_DYING)
continue;
- if (cmpsaddr(iph1->local, p->local) == 0
- && cmpsaddr(iph1->remote, p->remote) == 0)
+ if (cmpsaddr(iph1->local, p->local) == CMPSADDR_MATCH
+ && cmpsaddr(iph1->remote, p->remote) == CMPSADDR_MATCH)
migrate_ph12(p, iph1);
}
}
@@ -547,11 +547,11 @@
continue;
if (sel->src != NULL &&
- cmpsaddr(sel->src, p->src) != 0)
+ cmpsaddr(sel->src, p->src) != CMPSADDR_MATCH)
continue;
if (sel->dst != NULL &&
- cmpsaddr(sel->dst, p->dst) != 0)
+ cmpsaddr(sel->dst, p->dst) != CMPSADDR_MATCH)
continue;
}
@@ -615,8 +615,8 @@
LIST_FOREACH(p, &ph2tree, chain) {
if (spid == p->spid &&
- cmpsaddr(src, p->src) == 0 &&
- cmpsaddr(dst, p->dst) == 0){
+ cmpsaddr(src, p->src) <= CMPSADDR_WILDPORT_MATCH &&
+ cmpsaddr(dst, p->dst) <= CMPSADDR_WILDPORT_MATCH){
/* Sanity check to detect zombie handlers
* XXX Sould be done "somewhere" more interesting,
* because we have lots of getph2byxxxx(), but this one
@@ -643,8 +643,8 @@
struct ph2handle *p;
LIST_FOREACH(p, &ph2tree, chain) {
- if (cmpsaddr(src, p->src) == 0 &&
- cmpsaddr(dst, p->dst) == 0)
+ if (cmpsaddr(src, p->src) <= CMPSADDR_WILDPORT_MATCH &&
+ cmpsaddr(dst, p->dst) <= CMPSADDR_WILDPORT_MATCH)
return p;
}
@@ -947,7 +947,7 @@
struct contacted *p;
LIST_FOREACH(p, &ctdtree, chain) {
- if (cmpsaddr(remote, p->remote) == 0)
+ if (cmpsaddr(remote, p->remote) <= CMPSADDR_WILDPORT_MATCH)
return p;
}
@@ -988,7 +988,7 @@
struct contacted *p;
LIST_FOREACH(p, &ctdtree, chain) {
- if (cmpsaddr(remote, p->remote) == 0) {
+ if (cmpsaddr(remote, p->remote) <= CMPSADDR_WILDPORT_MATCH) {
LIST_REMOVE(p, chain);
racoon_free(p->remote);
racoon_free(p);
@@ -1042,7 +1042,7 @@
/*
* the packet was processed before, but the remote address mismatches.
*/
- if (cmpsaddr(remote, r->remote) != 0)
+ if (cmpsaddr(remote, r->remote) != CMPSADDR_MATCH)
return 2;
/*
Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.69 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.70
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.69 Fri Mar 11 14:30:07 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c Mon Mar 14 17:18:12 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: isakmp.c,v 1.69 2011/03/11 14:30:07 vanhu Exp $ */
+/* $NetBSD: isakmp.c,v 1.70 2011/03/14 17:18:12 tteras Exp $ */
/* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
@@ -468,8 +468,8 @@
/* Floating ports for NAT-T */
if (NATT_AVAILABLE(iph1) &&
! (iph1->natt_flags & NAT_PORTS_CHANGED) &&
- ((cmpsaddr(iph1->remote, remote) != 0) ||
- (cmpsaddr(iph1->local, local) != 0)))
+ ((cmpsaddr(iph1->remote, remote) != CMPSADDR_MATCH) ||
+ (cmpsaddr(iph1->local, local) != CMPSADDR_MATCH)))
{
/* prevent memory leak */
racoon_free(iph1->remote);
@@ -510,7 +510,7 @@
#endif
/* must be same addresses in one stream of a phase at least. */
- if (cmpsaddr(iph1->remote, remote) != 0) {
+ if (cmpsaddr(iph1->remote, remote) != CMPSADDR_MATCH) {
char *saddr_db, *saddr_act;
saddr_db = racoon_strdup(saddr2str(iph1->remote));
@@ -636,7 +636,7 @@
"exchange received.\n");
return -1;
}
- if (cmpsaddr(iph1->remote, remote) != 0) {
+ if (cmpsaddr(iph1->remote, remote) != CMPSADDR_MATCH) {
plog(LLV_WARNING, LOCATION, remote,
"remote address mismatched. "
"db=%s\n",
@@ -3325,10 +3325,10 @@
* Select only SAs where src == local and dst == remote (outgoing)
* or src == remote and dst == local (incoming).
*/
- if ((cmpsaddr(iph1->local, src) ||
- cmpsaddr(iph1->remote, dst)) &&
- (cmpsaddr(iph1->local, dst) ||
- cmpsaddr(iph1->remote, src))) {
+ if ((cmpsaddr(iph1->local, src) != CMPSADDR_MATCH ||
+ cmpsaddr(iph1->remote, dst) != CMPSADDR_MATCH) &&
+ (cmpsaddr(iph1->local, dst) != CMPSADDR_MATCH ||
+ cmpsaddr(iph1->remote, src) != CMPSADDR_MATCH)) {
msg = next;
continue;
}
Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.45 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.46
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.45 Sat Jan 22 07:38:51 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c Mon Mar 14 17:18:13 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: isakmp_inf.c,v 1.45 2011/01/22 07:38:51 tteras Exp $ */
+/* $NetBSD: isakmp_inf.c,v 1.46 2011/03/14 17:18:13 tteras Exp $ */
/* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
@@ -1177,7 +1177,7 @@
/* don't delete inbound SAs at the moment */
/* XXX should we remove SAs with opposite direction as well? */
- if (cmpsaddr(dst0, dst)) {
+ if (cmpsaddr(dst0, dst) != CMPSADDR_MATCH) {
msg = next;
continue;
}
@@ -1355,10 +1355,10 @@
* ports. Correct thing to do is delete all entries with
* same identity. -TT
*/
- if ((cmpsaddr(iph1->local, src) != 0 ||
- cmpsaddr(iph1->remote, dst) != 0) &&
- (cmpsaddr(iph1->local, dst) != 0 ||
- cmpsaddr(iph1->remote, src) != 0))
+ if ((cmpsaddr(iph1->local, src) != CMPSADDR_MATCH ||
+ cmpsaddr(iph1->remote, dst) != CMPSADDR_MATCH) &&
+ (cmpsaddr(iph1->local, dst) != CMPSADDR_MATCH ||
+ cmpsaddr(iph1->remote, src) != CMPSADDR_MATCH))
continue;
/*
Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c:1.28 src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c:1.29
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c:1.28 Tue Dec 7 14:28:12 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c Mon Mar 14 17:18:13 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: isakmp_quick.c,v 1.28 2010/12/07 14:28:12 tteras Exp $ */
+/* $NetBSD: isakmp_quick.c,v 1.29 2011/03/14 17:18:13 tteras Exp $ */
/* Id: isakmp_quick.c,v 1.29 2006/08/22 18:17:17 manubsd Exp */
@@ -629,7 +629,7 @@
#endif
if (cmpsaddr((struct sockaddr *) &proposed_addr,
- (struct sockaddr *) &got_addr) == 0) {
+ (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) {
plog(LLV_DEBUG, LOCATION, NULL,
"IDci matches proposal.\n");
#ifdef ENABLE_NATT
@@ -677,13 +677,13 @@
#endif
if (cmpsaddr((struct sockaddr *) &proposed_addr,
- (struct sockaddr *) &got_addr) == 0) {
+ (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) {
plog(LLV_DEBUG, LOCATION, NULL,
"IDcr matches proposal.\n");
#ifdef ENABLE_NATT
} else if (iph2->natoa_dst != NULL
&& cmpsaddr(iph2->natoa_dst,
- (struct sockaddr *) &got_addr) == 0) {
+ (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) {
plog(LLV_DEBUG, LOCATION, NULL,
"IDcr matches NAT-OAr.\n");
#endif
Index: src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c:1.13 src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c:1.14
--- src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c:1.13 Tue Sep 1 12:22:09 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c Mon Mar 14 17:18:13 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: nattraversal.c,v 1.13 2009/09/01 12:22:09 tteras Exp $ */
+/* $NetBSD: nattraversal.c,v 1.14 2011/03/14 17:18:13 tteras Exp $ */
/*
* Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
@@ -398,8 +398,8 @@
struct natt_ka_addrs *ka = NULL, *new_addr;
TAILQ_FOREACH (ka, &ka_tree, chain) {
- if (cmpsaddr(ka->src, src) == 0 &&
- cmpsaddr(ka->dst, dst) == 0) {
+ if (cmpsaddr(ka->src, src) == CMPSADDR_MATCH &&
+ cmpsaddr(ka->dst, dst) == CMPSADDR_MATCH) {
ka->in_use++;
plog (LLV_INFO, LOCATION, NULL, "KA found: %s (in_use=%u)\n",
saddr2str_fromto("%s->%s", src, dst), ka->in_use);
@@ -462,8 +462,8 @@
plog (LLV_DEBUG, LOCATION, NULL, "KA tree dump: %s (in_use=%u)\n",
saddr2str_fromto("%s->%s", src, dst), ka->in_use);
- if (cmpsaddr(ka->src, src) == 0 &&
- cmpsaddr(ka->dst, dst) == 0 &&
+ if (cmpsaddr(ka->src, src) == CMPSADDR_MATCH &&
+ cmpsaddr(ka->dst, dst) == CMPSADDR_MATCH &&
-- ka->in_use <= 0) {
plog (LLV_DEBUG, LOCATION, NULL, "KA removing this one...\n");
Index: src/crypto/dist/ipsec-tools/src/racoon/pfkey.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.55 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.56
--- src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.55 Tue Mar 1 14:33:58 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/pfkey.c Mon Mar 14 17:18:13 2011
@@ -1,6 +1,6 @@
-/* $NetBSD: pfkey.c,v 1.55 2011/03/01 14:33:58 vanhu Exp $ */
+/* $NetBSD: pfkey.c,v 1.56 2011/03/14 17:18:13 tteras Exp $ */
-/* $Id: pfkey.c,v 1.55 2011/03/01 14:33:58 vanhu Exp $ */
+/* $Id: pfkey.c,v 1.56 2011/03/14 17:18:13 tteras Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -2882,8 +2882,8 @@
u_int16_t port;
/* Already up-to-date? */
- if (cmpsaddr(iph1->local, ma->local) == 0 &&
- cmpsaddr(iph1->remote, ma->remote) == 0)
+ if (cmpsaddr(iph1->local, ma->local) == CMPSADDR_MATCH &&
+ cmpsaddr(iph1->remote, ma->remote) == CMPSADDR_MATCH)
return 0;
if (iph1->status < PHASE1ST_ESTABLISHED) {
@@ -2983,8 +2983,8 @@
migrate_ph1_ike_addresses(iph2->ph1, arg);
/* Already up-to-date? */
- if (cmpsaddr(iph2->src, ma->local) == 0 &&
- cmpsaddr(iph2->dst, ma->remote) == 0)
+ if (cmpsaddr(iph2->src, ma->local) == CMPSADDR_MATCH &&
+ cmpsaddr(iph2->dst, ma->remote) == CMPSADDR_MATCH)
return 0;
/* save src/dst as sa_src/sa_dst before rewriting */
@@ -3207,8 +3207,8 @@
"changing address families (%d to %d) for endpoints.\n",
osaddr->sa_family, nsaddr->sa_family);
- if (cmpsaddr(osaddr, (struct sockaddr *) &saidx->src) ||
- cmpsaddr(odaddr, (struct sockaddr *) &saidx->dst)) {
+ if (cmpsaddr(osaddr, (struct sockaddr *) &saidx->src) != CMPSADDR_MATCH ||
+ cmpsaddr(odaddr, (struct sockaddr *) &saidx->dst) != CMPSADDR_MATCH) {
plog(LLV_DEBUG, LOCATION, NULL, "SADB_X_MIGRATE: "
"mismatch of addresses in saidx and xisr.\n");
return -1;
Index: src/crypto/dist/ipsec-tools/src/racoon/policy.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/policy.c:1.11 src/crypto/dist/ipsec-tools/src/racoon/policy.c:1.12
--- src/crypto/dist/ipsec-tools/src/racoon/policy.c:1.11 Fri Jul 3 06:41:46 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/policy.c Mon Mar 14 17:18:13 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: policy.c,v 1.11 2009/07/03 06:41:46 tteras Exp $ */
+/* $NetBSD: policy.c,v 1.12 2011/03/14 17:18:13 tteras Exp $ */
/* $KAME: policy.c,v 1.46 2001/11/16 04:08:10 sakane Exp $ */
@@ -142,7 +142,7 @@
plog(LLV_DEBUG, LOCATION, NULL, "src2: %s\n",
saddr2str((struct sockaddr *)&spidx->src));
- if (cmpsaddr(iph2->src, (struct sockaddr *) &spidx->src) ||
+ if (cmpsaddr(iph2->src, (struct sockaddr *) &spidx->src) != CMPSADDR_MATCH ||
spidx->prefs != prefixlen)
return NULL;
@@ -151,7 +151,7 @@
plog(LLV_DEBUG, LOCATION, NULL, "dst2: %s\n",
saddr2str((struct sockaddr *)&spidx->dst));
- if (cmpsaddr(iph2->dst, (struct sockaddr *) &spidx->dst) ||
+ if (cmpsaddr(iph2->dst, (struct sockaddr *) &spidx->dst) != CMPSADDR_MATCH ||
spidx->prefd != prefixlen)
return NULL;
@@ -201,10 +201,10 @@
return 1;
if (cmpsaddr((struct sockaddr *) &a->src,
- (struct sockaddr *) &b->src))
+ (struct sockaddr *) &b->src) != CMPSADDR_MATCH)
return 1;
if (cmpsaddr((struct sockaddr *) &a->dst,
- (struct sockaddr *) &b->dst))
+ (struct sockaddr *) &b->dst) != CMPSADDR_MATCH)
return 1;
#ifdef HAVE_SECCTX
@@ -261,7 +261,7 @@
a, b->prefs, saddr2str((struct sockaddr *)&sa1));
plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
b, b->prefs, saddr2str((struct sockaddr *)&sa2));
- if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
+ if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2) > CMPSADDR_WILDPORT_MATCH)
return 1;
#ifndef __linux__
@@ -279,7 +279,7 @@
a, b->prefd, saddr2str((struct sockaddr *)&sa1));
plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
b, b->prefd, saddr2str((struct sockaddr *)&sa2));
- if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
+ if (cmpsaddr((struct sockaddr *)&sa1, (struct sockaddr *)&sa2) > CMPSADDR_WILDPORT_MATCH)
return 1;
#ifdef HAVE_SECCTX
Index: src/crypto/dist/ipsec-tools/src/racoon/sockmisc.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/sockmisc.c:1.18 src/crypto/dist/ipsec-tools/src/racoon/sockmisc.c:1.19
--- src/crypto/dist/ipsec-tools/src/racoon/sockmisc.c:1.18 Sun Feb 28 15:52:16 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/sockmisc.c Mon Mar 14 17:18:13 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: sockmisc.c,v 1.18 2010/02/28 15:52:16 snj Exp $ */
+/* $NetBSD: sockmisc.c,v 1.19 2011/03/14 17:18:13 tteras Exp $ */
/* Id: sockmisc.c,v 1.24 2006/05/07 21:32:59 manubsd Exp */
@@ -132,11 +132,13 @@
return CMPSADDR_MISMATCH;
}
- if (port1 == port2 ||
- port1 == IPSEC_PORT_ANY ||
- port2 == IPSEC_PORT_ANY)
+ if (port1 == port2)
return CMPSADDR_MATCH;
+ if (port1 == IPSEC_PORT_ANY ||
+ port2 == IPSEC_PORT_ANY)
+ return CMPSADDR_WILDPORT_MATCH;
+
return CMPSADDR_WOP_MATCH;
}
@@ -934,7 +936,7 @@
free(a2);
free(a3);
}
- if (cmpsaddr(&sa, &naddr->sa.sa) == 0)
+ if (cmpsaddr(&sa, &naddr->sa.sa) <= CMPSADDR_WOP_MATCH)
return naddr->prefix + port_score;
return -1;
Index: src/crypto/dist/ipsec-tools/src/racoon/sockmisc.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/sockmisc.h:1.12 src/crypto/dist/ipsec-tools/src/racoon/sockmisc.h:1.13
--- src/crypto/dist/ipsec-tools/src/racoon/sockmisc.h:1.12 Sun Feb 28 15:52:16 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/sockmisc.h Mon Mar 14 17:18:13 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: sockmisc.h,v 1.12 2010/02/28 15:52:16 snj Exp $ */
+/* $NetBSD: sockmisc.h,v 1.13 2011/03/14 17:18:13 tteras Exp $ */
/* Id: sockmisc.h,v 1.9 2005/10/05 16:55:41 manubsd Exp */
@@ -57,8 +57,9 @@
extern const int niflags;
#define CMPSADDR_MATCH 0
-#define CMPSADDR_WOP_MATCH 1
-#define CMPSADDR_MISMATCH 2
+#define CMPSADDR_WILDPORT_MATCH 1
+#define CMPSADDR_WOP_MATCH 2
+#define CMPSADDR_MISMATCH 3
extern int cmpsaddr __P((const struct sockaddr *, const struct sockaddr *));
Index: src/crypto/dist/ipsec-tools/src/racoon/throttle.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/throttle.c:1.6 src/crypto/dist/ipsec-tools/src/racoon/throttle.c:1.7
--- src/crypto/dist/ipsec-tools/src/racoon/throttle.c:1.6 Fri Jul 3 06:41:47 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/throttle.c Mon Mar 14 17:18:13 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: throttle.c,v 1.6 2009/07/03 06:41:47 tteras Exp $ */
+/* $NetBSD: throttle.c,v 1.7 2011/03/14 17:18:13 tteras Exp $ */
/* Id: throttle.c,v 1.5 2006/04/05 20:54:50 manubsd Exp */
@@ -104,7 +104,7 @@
goto restart;
}
- if (cmpsaddr(addr, (struct sockaddr *) &te->host) == 0) {
+ if (cmpsaddr(addr, (struct sockaddr *) &te->host) <= CMPSADDR_WOP_MATCH) {
found = 1;
break;
}
