initial commit for Enea Linux 5.0 arm

Signed-off-by: Tudor Florea <tudor.florea@enea.com>
author: Tudor Florea <tudor.florea@enea.com> 2015-10-08 22:51:41 +0200
committer: Tudor Florea <tudor.florea@enea.com> 2015-10-08 22:51:41 +0200
commit: 1219bf8a90a7bf8cd3a5363551ef635d51e8fc8e (patch)
tree: a21a5fc103bb3bd65ecd85ed22be5228fc54e447 /meta-networking/recipes-support/ipsec-tools/ipsec-tools
download: meta-openembedded-1219bf8a90a7bf8cd3a5363551ef635d51e8fc8e.tar.gz
9 files changed, 526 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-racoon-pfkey-avoid-potential-null-pointer-dereferenc.patch b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-racoon-pfkey-avoid-potential-null-pointer-dereferenc.patch
new file mode 100644
index 000000000..d5602c03d
--- /dev/null
+++ b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-racoon-pfkey-avoid-potential-null-pointer-dereferenc.patch
@@ -0,0 +1,33 @@
+From 738a9857be9c92ad2f70be88ccee238e3154a936 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe.macdonald@windriver.com>
+Date: Wed, 2 Oct 2013 14:20:37 -0400
+Subject: [PATCH] racoon/pfkey: avoid potential null-pointer dereference
+Building with -Werror=maybe-uninitialized revealed that 'remote' from
+pk_recvmigrate() could be used with uninitialized data in
+migrate_sp_ike_addresses().  Ensure it is always at a minimum assigned
+NULL.
+Upstream-Status: Pending
+Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
+---
+ src/racoon/pfkey.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/racoon/pfkey.c b/src/racoon/pfkey.c
+index d00b166..e0dc1db 100644
+--- a/src/racoon/pfkey.c
+++ b/src/racoon/pfkey.c
+@@ -3352,7 +3352,7 @@ pk_recvmigrate(mhp)
+        struct sockaddr *old_saddr, *new_saddr;
+        struct sockaddr *old_daddr, *new_daddr;
+        struct sockaddr *old_local, *old_remote;
+-       struct sockaddr *local, *remote;
+       struct sockaddr *local, *remote = NULL;
+        struct sadb_x_kmaddress *kmaddr;
+        struct sadb_x_policy *xpl;
+        struct sadb_x_ipsecrequest *xisr_list;
+-- 
+1.7.9.5
diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0002-Don-t-link-against-libfl.patch b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0002-Don-t-link-against-libfl.patch
new file mode 100644
index 000000000..13e9d73fc
--- /dev/null
+++ b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0002-Don-t-link-against-libfl.patch
@@ -0,0 +1,87 @@
+From e48b9097dce7bc2bfbb9e9c542124d3b5cebab39 Mon Sep 17 00:00:00 2001
+From: Paul Barker <paul@paulbarker.me.uk>
+Date: Wed, 5 Mar 2014 13:39:14 +0000
+Subject: [PATCH] Don't link against libfl
+We can remove all references to yywrap by adding "%option noyywrap" statements
+to each flex source file that doesn't override yywrap. After this, we no longer
+need to link against libfl and so no longer get errors about undefined
+references to yylex.
+Signed-off-by: Paul Barker <paul@paulbarker.me.uk>
+Upstream-status: Submitted 2014-03-11
+    see http://sourceforge.net/p/ipsec-tools/mailman/ipsec-tools-devel/thread/CANyK_8ewmxGA3vBVJW6s1APXPmxPR%2BDFWZ61EL8pCt288aKQ6w%40mail.gmail.com/#msg32088797
+---
+ src/libipsec/Makefile.am | 1 -
+ src/racoon/Makefile.am   | 2 +-
+ src/racoon/cftoken.l     | 2 ++
+ src/setkey/Makefile.am   | 1 -
+ src/setkey/token.l       | 2 ++
+ 5 files changed, 5 insertions(+), 3 deletions(-)
+diff --git a/src/libipsec/Makefile.am b/src/libipsec/Makefile.am
+index 6a4e3b3..df1e106 100644
+--- a/src/libipsec/Makefile.am
+++ b/src/libipsec/Makefile.am
+@@ -26,7 +26,6 @@ libipsec_la_SOURCES = \
+ # version is current:revision:age.
+ # See: http://www.gnu.org/manual/libtool-1.4.2/html_chapter/libtool_6.html#SEC32
+ libipsec_la_LDFLAGS = -version-info 0:1:0
+-libipsec_la_LIBADD = $(LEXLIB)
+ 
+ noinst_HEADERS = ipsec_strerror.h
+ 
+diff --git a/src/racoon/Makefile.am b/src/racoon/Makefile.am
+index dbaded9..0662957 100644
+--- a/src/racoon/Makefile.am
+++ b/src/racoon/Makefile.am
+@@ -38,7 +38,7 @@ racoon_SOURCES = \
+        cftoken.l cfparse.y prsa_tok.l prsa_par.y 
+ EXTRA_racoon_SOURCES = isakmp_xauth.c isakmp_cfg.c isakmp_unity.c throttle.c \
+        isakmp_frag.c nattraversal.c security.c $(MISSING_ALGOS)
+-racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(LEXLIB) \
+racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) \
+         $(SECCTX_OBJS) vmbuf.o sockmisc.o misc.o ../libipsec/libipsec.la
+ racoon_DEPENDENCIES = \
+        $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(SECCTX_OBJS) \
+diff --git a/src/racoon/cftoken.l b/src/racoon/cftoken.l
+index 490242c..1701922 100644
+--- a/src/racoon/cftoken.l
+++ b/src/racoon/cftoken.l
+@@ -106,6 +106,8 @@ static int incstackp = 0;
+ static int yy_first_time = 1;
+ %}
+ 
+%option noyywrap
+
+ /* common seciton */
+ nl             \n
+ ws             [ \t]+
+diff --git a/src/setkey/Makefile.am b/src/setkey/Makefile.am
+index 746c1f1..389e6cf 100644
+--- a/src/setkey/Makefile.am
+++ b/src/setkey/Makefile.am
+@@ -13,7 +13,6 @@ setkey_SOURCES = \
+ 
+ setkey_LDFLAGS = ../libipsec/libipsec.la
+ setkey_DEPENDENCIES = ../libipsec/libipsec.la
+-setkey_LDADD = $(LEXLIB)
+ 
+ noinst_HEADERS = vchar.h extern.h
+ man8_MANS = setkey.8
+diff --git a/src/setkey/token.l b/src/setkey/token.l
+index ad3d843..eb23b76 100644
+--- a/src/setkey/token.l
+++ b/src/setkey/token.l
+@@ -88,6 +88,8 @@
+ #endif
+ %}
+ 
+%option noyywrap
+
+ /* common section */
+ nl             \n
+ ws             [ \t]+
+-- 
+1.9.0
diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/configure.patch b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/configure.patch
new file mode 100644
index 000000000..8d270a62b
--- /dev/null
+++ b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/configure.patch
@@ -0,0 +1,13 @@
+Index: ipsec-tools-0.8.1/configure.ac
+===================================================================
+--- ipsec-tools-0.8.1.orig/configure.ac 2013-01-08 12:43:29.000000000 +0000
+++ ipsec-tools-0.8.1/configure.ac      2014-07-18 07:51:30.045555880 +0000
+@@ -6,7 +6,7 @@
+ AC_CONFIG_SRCDIR([configure.ac])
+ AC_CONFIG_HEADERS(config.h)
+ 
+-AM_INIT_AUTOMAKE(dist-bzip2)
+AM_INIT_AUTOMAKE([foreign dist-bzip2])
+ 
+ AC_ENABLE_SHARED(no)
+ 
diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/glibc-2.20.patch b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/glibc-2.20.patch
new file mode 100644
index 000000000..36efc4917
--- /dev/null
+++ b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/glibc-2.20.patch
@@ -0,0 +1,23 @@
+squahes below warning
+  warning: #warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use _DEFAULT_SOURCE"
+Seen with glibc 2.20
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Upstream-Status: Pending
+Index: ipsec-tools-0.8.2/src/include-glibc/glibc-bugs.h
+===================================================================
+--- ipsec-tools-0.8.2.orig/src/include-glibc/glibc-bugs.h       2006-09-09 09:22:08.000000000 -0700
+++ ipsec-tools-0.8.2/src/include-glibc/glibc-bugs.h    2014-09-03 22:27:22.551563888 -0700
+@@ -4,7 +4,11 @@
+ #define __GLIBC_BUGS_H__ 1
+ 
+ #define _XOPEN_SOURCE 500
+/* Legacy feature macro.*/
+ #define _BSD_SOURCE
+/* New feature macro that provides everything _BSD_SOURCE and
+ * _SVID_SOURCE provided and possibly more.  */
+#define _DEFAULT_SOURCE
+ 
+ #include <features.h>
+ #include <sys/types.h>
diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-Resend-UPDATE-message-when-received-EINTR-message.patch b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-Resend-UPDATE-message-when-received-EINTR-message.patch
new file mode 100644
index 000000000..e82db087c
--- /dev/null
+++ b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-Resend-UPDATE-message-when-received-EINTR-message.patch
@@ -0,0 +1,220 @@
+racoon: Resend UPDATE message when received EINTR message
+Upstream-Status: Pending
+While kernel is processing the UPDATE message which is sent from racoon,
+it maybe interrupted by system signal and if this case happens,
+kernel responds with an EINTR message to racoon and kernel fails to
+establish the corresponding SA.
+Fix this problem by resend the UPDATE message when EINTR(Interrupted
+system call) error happens.
+Signed-off-by: Xufeng Zhang <xufeng.zhang@windriver.com>
+---
+--- a/src/libipsec/libpfkey.h
+++ b/src/libipsec/libpfkey.h
+@@ -92,6 +92,12 @@
+        u_int16_t ctxstrlen;            /* length of security context string */
+ };
+ 
+struct update_msg_info {
+        struct sadb_msg *update_msg;
+        int so;
+        int len;
+};
+
+ /* The options built into libipsec */
+ extern int libipsec_opt;
+ #define LIBIPSEC_OPT_NATT              0x01
+--- a/src/libipsec/pfkey.c
+++ b/src/libipsec/pfkey.c
+@@ -1219,7 +1219,8 @@
+ }
+ #endif
+ 
+-
+struct update_msg_info update_msg_send = {NULL, 0, 0};
+
+ /* sending SADB_ADD or SADB_UPDATE message to the kernel */
+ static int
+ pfkey_send_x1(struct pfkey_send_sa_args *sa_parms)
+@@ -1483,10 +1484,24 @@
+ 
+        /* send message */
+        len = pfkey_send(sa_parms->so, newmsg, len);
+-       free(newmsg);
+ 
+-       if (len < 0)
+-               return -1;
+       if (newmsg->sadb_msg_type == SADB_UPDATE) {
+               if (update_msg_send.update_msg)
+                       free(update_msg_send.update_msg);
+               update_msg_send.update_msg = newmsg;
+               update_msg_send.so = sa_parms->so;
+               update_msg_send.len = len;
+
+               if (len < 0) {
+                       free(update_msg_send.update_msg);
+                       update_msg_send.update_msg = NULL;
+                       return -1;
+               }
+       } else {
+               free(newmsg);
+               if (len < 0)
+                       return -1;
+       }
+ 
+        __ipsec_errcode = EIPSEC_NO_ERROR;
+        return len;
+--- a/src/racoon/session.c
+++ b/src/racoon/session.c
+@@ -100,6 +100,8 @@
+ 
+ #include "sainfo.h"
+ 
+extern struct update_msg_info update_msg_send;
+
+ struct fd_monitor {
+        int (*callback)(void *ctx, int fd);
+        void *ctx;
+@@ -348,6 +350,11 @@
+        close_sockets();
+        backupsa_clean();
+ 
+       if (update_msg_send.update_msg) {
+               free(update_msg_send.update_msg);
+               update_msg_send.update_msg = NULL;
+       }
+
+        plog(LLV_INFO, LOCATION, NULL, "racoon process %d shutdown\n", getpid());
+ 
+        exit(0);
+--- a/src/racoon/pfkey.c
+++ b/src/racoon/pfkey.c
+@@ -103,10 +103,12 @@
+ #include "crypto_openssl.h"
+ #include "grabmyaddr.h"
+#include "../libipsec/libpfkey.h"
+ 
+ #if defined(SADB_X_EALG_RIJNDAELCBC) && !defined(SADB_X_EALG_AESCBC)
+ #define SADB_X_EALG_AESCBC  SADB_X_EALG_RIJNDAELCBC
+ #endif
+ 
+extern struct update_msg_info update_msg_send;
+ /* prototype */
+ static u_int ipsecdoi2pfkey_aalg __P((u_int));
+ static u_int ipsecdoi2pfkey_ealg __P((u_int));
+@@ -253,6 +255,13 @@
+                        s_pfkey_type(msg->sadb_msg_type),
+                        strerror(msg->sadb_msg_errno));
+ 
+               if (msg->sadb_msg_errno == EINTR &&
+                       update_msg_send.update_msg) {
+                       plog(LLV_DEBUG, LOCATION, NULL,
+                       "pfkey update resend\n");
+                       send(update_msg_send.so, (void *)update_msg_send.update_msg, (socklen_t)update_msg_send.len, 0);
+               }
+
+                goto end;
+        }
+ 
+@@ -498,6 +507,11 @@
+ {
+        flushsp();
+ 
+       if (update_msg_send.update_msg) {
+               free(update_msg_send.update_msg);
+               update_msg_send.update_msg = NULL;
+       }
+
+        if (pfkey_send_spddump(lcconf->sock_pfkey) < 0) {
+                plog(LLV_ERROR, LOCATION, NULL,
+                        "libipsec sending spddump failed: %s\n",
+@@ -1295,6 +1309,8 @@
+        return 0;
+ }
+ 
+int update_received = 0;
+
+ static int
+ pk_recvupdate(mhp)
+        caddr_t *mhp;
+@@ -1307,6 +1323,13 @@
+        int incomplete = 0;
+        struct saproto *pr;
+ 
+       update_received = 1;
+
+       if (update_msg_send.update_msg) {
+                free(update_msg_send.update_msg);
+                update_msg_send.update_msg = NULL;
+        }
+
+        /* ignore this message because of local test mode. */
+        if (f_local)
+                return 0;
+@@ -4163,3 +4186,8 @@
+ 
+        return buf;
+ }
+
+int receive_from_isakmp()
+{
+       return pfkey_handler(NULL, lcconf->sock_pfkey);
+}
+--- a/src/racoon/pfkey.h
+++ b/src/racoon/pfkey.h
+@@ -71,5 +71,6 @@
+ extern u_int32_t pk_getseq __P((void));
+ extern const char *sadbsecas2str
+        __P((struct sockaddr *, struct sockaddr *, int, u_int32_t, int));
+extern int receive_from_isakmp __P((void));
+ 
+ #endif /* _PFKEY_H */
+--- a/src/racoon/isakmp_quick.c
+++ b/src/racoon/isakmp_quick.c
+@@ -774,6 +774,8 @@
+        return error;
+ }
+ 
+extern int update_received;
+
+ /*
+  * send to responder
+  *     HDR*, HASH(3)
+@@ -892,6 +894,11 @@
+        }
+        plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
+ 
+       while (!update_received)
+               receive_from_isakmp();
+
+       update_received = 0;
+
+        /* Do ADD for responder */
+        if (pk_sendadd(iph2) < 0) {
+                plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
+@@ -1035,6 +1042,11 @@
+        }
+        plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
+ 
+       while (!update_received)
+               receive_from_isakmp();
+
+       update_received = 0;
+
+        /* Do ADD for responder */
+        if (pk_sendadd(iph2) < 0) {
+                plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
+@@ -1989,6 +2001,11 @@
+        }
+        plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
+ 
+       while (!update_received)
+               receive_from_isakmp();
+
+       update_received = 0;
+
+        /* Do ADD for responder */
+        if (pk_sendadd(iph2) < 0) {
+                plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-ivm.patch b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-ivm.patch
new file mode 100644
index 000000000..e272bc20f
--- /dev/null
+++ b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-ivm.patch
@@ -0,0 +1,26 @@
+Subject: [PATCH] ipsec-tools: racoon: check several invalid ivm
+Upstream-Status: Pending
+Add checking for invalid ivm, or it will crash racoon.
+Signed-off-by: Ming Liu <ming.liu@windriver.com>
+---
+ isakmp_cfg.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+diff -urpN a/src/racoon/isakmp_cfg.c b/src/racoon/isakmp_cfg.c
+--- a/src/racoon/isakmp_cfg.c
+++ b/src/racoon/isakmp_cfg.c
+@@ -171,6 +171,11 @@ isakmp_cfg_r(iph1, msg)
+            iph1->mode_cfg->last_msgid != packet->msgid )
+                iph1->mode_cfg->ivm = 
+                    isakmp_cfg_newiv(iph1, packet->msgid);
+       if(iph1->mode_cfg->ivm == NULL) {
+               plog(LLV_ERROR, LOCATION, NULL, 
+                   "failed to create new IV\n");
+               return;
+       }
+        ivm = iph1->mode_cfg->ivm;
+ 
+        dmsg = oakley_do_decrypt(iph1, msg, ivm->iv, ivm->ive);
diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-pointers.patch b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-pointers.patch
new file mode 100644
index 000000000..de1bdb407
--- /dev/null
+++ b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-pointers.patch
@@ -0,0 +1,61 @@
+Subject: [PATCH] ipsec-tools: racoon: check several invalid pointers
+Upstream-Status: Pending
+Add checking for invalid pointers, or it will crash racoon.
+Signed-off-by: Ming Liu <ming.liu@windriver.com>
+---
+ ipsec_doi.c    |    5 +++--
+ isakmp_cfg.c   |    7 +++++++
+ isakmp_quick.c |    6 ++++--
+ 3 files changed, 14 insertions(+), 4 deletions(-)
+diff -urpN a/src/racoon/ipsec_doi.c b/src/racoon/ipsec_doi.c
+--- a/src/racoon/ipsec_doi.c
+++ b/src/racoon/ipsec_doi.c
+@@ -3374,8 +3374,9 @@ ipsecdoi_chkcmpids( idt, ids, exact )
+ 
+        /* handle wildcard IDs */
+ 
+-       if (idt == NULL || ids == NULL)
+-       {
+       if (idt == NULL || ids == NULL ||
+           idt->v == NULL || idt->l == 0 ||
+           ids->v == NULL || ids->l == 0) {
+                if( !exact )
+                {
+                        plog(LLV_DEBUG, LOCATION, NULL,
+diff -urpN a/src/racoon/isakmp_cfg.c b/src/racoon/isakmp_cfg.c
+--- a/src/racoon/isakmp_cfg.c
+++ b/src/racoon/isakmp_cfg.c
+@@ -1138,6 +1138,13 @@ isakmp_cfg_newiv(iph1, msgid)
+                return NULL;
+        }
+ 
+       if (iph1->ivm == NULL || iph1->ivm->iv == NULL ||
+           iph1->ivm->iv->v == NULL || iph1->ivm->iv->l == 0) {
+               plog(LLV_ERROR, LOCATION, NULL,
+                   "isakmp_cfg_newiv called with invalid IV management\n");
+               return NULL;
+       }
+
+        if (ics->ivm != NULL)
+                oakley_delivm(ics->ivm);
+ 
+diff -urpN a/src/racoon/isakmp_quick.c b/src/racoon/isakmp_quick.c
+--- a/src/racoon/isakmp_quick.c
+++ b/src/racoon/isakmp_quick.c
+@@ -2243,8 +2243,10 @@ get_proposal_r(iph2)
+        int error = ISAKMP_INTERNAL_ERROR;
+ 
+        /* check the existence of ID payload */
+-       if ((iph2->id_p != NULL && iph2->id == NULL)
+-        || (iph2->id_p == NULL && iph2->id != NULL)) {
+       if ((iph2->id_p != NULL &&
+           (iph2->id == NULL || iph2->id->v == NULL || iph2->id->l == 0)) ||
+           (iph2->id != NULL &&
+           (iph2->id_p == NULL || iph2->id_p->v == NULL || iph2->id_p->l == 0))) {
+                plog(LLV_ERROR, LOCATION, NULL,
+                        "Both IDs wasn't found in payload.\n");
+                return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoonctl-build-fix.patch b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoonctl-build-fix.patch
new file mode 100644
index 000000000..f77fa8638
--- /dev/null
+++ b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoonctl-build-fix.patch
@@ -0,0 +1,49 @@
+Subject: [PATCH] ipsec-tools: racoonctl buildfix
+Upstream-Status: Pending
+building ipsec-tools failed building/linking racoonctl with some errors:
+ - missing "yylex" error
+ - some linking errors for variables defined in racoon but not racoonctl
+ - some symbols from nattraversal.c where not found as it wasn't linked
+    when building with NAT support.
+Signed-off-by: Liviu Gheorghisan <liviu.gheorghisan@enea.com>
+Signed-off-by: Daniel BORNAZ <daniel.bornaz@enea.com>
+---
+diff -rupN a/src/racoon/Makefile.am b/src/racoon/Makefile.am
+--- a/src/racoon/Makefile.am    2014-03-05 12:16:52.907101044 +0100
+++ b/src/racoon/Makefile.am    2014-03-05 12:17:10.946320064 +0100
+@@ -44,7 +44,17 @@ racoon_DEPENDENCIES = \
+        $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(SECCTX_OBJS) \
+        vmbuf.o sockmisc.o misc.o
+ 
+-racoonctl_SOURCES = racoonctl.c str2val.c 
+racoonctl_SOURCES = \
+       session.c isakmp.c handler.c \
+       isakmp_ident.c isakmp_agg.c isakmp_base.c \
+       isakmp_quick.c isakmp_inf.c isakmp_newg.c \
+       gssapi.c dnssec.c getcertsbyname.c privsep.c \
+       pfkey.c admin.c evt.c ipsec_doi.c oakley.c grabmyaddr.c vendorid.c \
+       policy.c localconf.c remoteconf.c crypto_openssl.c algorithm.c \
+       proposal.c sainfo.c strnames.c nattraversal.c \
+       plog.c logger.c schedule.c str2val.c \
+       safefile.c backupsa.c genlist.c rsalist.c \
+       cftoken.l cfparse.y prsa_tok.l prsa_par.y racoonctl.c
+ racoonctl_LDADD = libracoon.la ../libipsec/libipsec.la 
+ 
+ libracoon_la_SOURCES = kmpstat.c vmbuf.c sockmisc.c misc.c
+diff -rupN a/src/racoon/racoonctl.c b/src/racoon/racoonctl.c
+--- a/src/racoon/racoonctl.c    2014-03-05 12:16:52.915100698 +0100
+++ b/src/racoon/racoonctl.c    2014-03-05 12:17:17.906018754 +0100
+@@ -247,6 +247,9 @@ usage()
+ #error "Incompatible racoonctl interface"
+ #endif
+ 
+int f_local = 0;       /* local test mode.  behave like a wall. */
+int dump_config =0;
+
+ int
+ main(ac, av)
+        int ac;
diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/with-flexdir.patch b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/with-flexdir.patch
new file mode 100644
index 000000000..da1169218
--- /dev/null
+++ b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/with-flexdir.patch
@@ -0,0 +1,14 @@
+--- ipsec-tools-0.8.1.old/configure.ac  2014-03-04 16:24:57.431207664 +0100
+++ ipsec-tools-0.8.1/configure.ac      2014-03-04 16:26:00.372461304 +0100
+@@ -171,9 +171,9 @@ if test $with_readline != "no"; then
+ fi
+ 
+ 
+-AC_MSG_CHECKING(if --with-flex option is specified)
+AC_MSG_CHECKING(if --with-flexdir option is specified)
+ AC_ARG_WITH(flexdir,
+-       [AC_HELP_STRING([--with-flex], [use directiory (default: no)])],
+       [AC_HELP_STRING([--with-flexdir], [use directory (default: no)])],
+        [flexdir="$withval"])
+ AC_MSG_RESULT(${flexdir-dirdefault})
+
author	Tudor Florea <tudor.florea@enea.com>	2015-10-08 22:51:41 +0200
committer	Tudor Florea <tudor.florea@enea.com>	2015-10-08 22:51:41 +0200
commit	1219bf8a90a7bf8cd3a5363551ef635d51e8fc8e (patch)
tree	a21a5fc103bb3bd65ecd85ed22be5228fc54e447 /meta-networking/recipes-support/ipsec-tools/ipsec-tools
download	meta-openembedded-1219bf8a90a7bf8cd3a5363551ef635d51e8fc8e.tar.gz

diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-racoon-pfkey-avoid-potential-null-pointer-dereferenc.patch b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-racoon-pfkey-avoid-potential-null-pointer-dereferenc.patch new file mode 100644 index 000000000..d5602c03d --- /dev/null +++ b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-racoon-pfkey-avoid-potential-null-pointer-dereferenc.patch
@@ -0,0 +1,33 @@
	1	From 738a9857be9c92ad2f70be88ccee238e3154a936 Mon Sep 17 00:00:00 2001
	2	From: Joe MacDonald <joe.macdonald@windriver.com>
	3	Date: Wed, 2 Oct 2013 14:20:37 -0400
	4	Subject: [PATCH] racoon/pfkey: avoid potential null-pointer dereference
	5
	6	Building with -Werror=maybe-uninitialized revealed that 'remote' from
	7	pk_recvmigrate() could be used with uninitialized data in
	8	migrate_sp_ike_addresses(). Ensure it is always at a minimum assigned
	9	NULL.
	10
	11	Upstream-Status: Pending
	12
	13	Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
	14	---
	15	src/racoon/pfkey.c \| 2 +-
	16	1 file changed, 1 insertion(+), 1 deletion(-)
	17
	18	diff --git a/src/racoon/pfkey.c b/src/racoon/pfkey.c
	19	index d00b166..e0dc1db 100644
	20	--- a/src/racoon/pfkey.c
	21	+++ b/src/racoon/pfkey.c
	22	@@ -3352,7 +3352,7 @@ pk_recvmigrate(mhp)
	23	struct sockaddr old_saddr, new_saddr;
	24	struct sockaddr old_daddr, new_daddr;
	25	struct sockaddr old_local, old_remote;
	26	- struct sockaddr local, remote;
	27	+ struct sockaddr local, remote = NULL;
	28	struct sadb_x_kmaddress *kmaddr;
	29	struct sadb_x_policy *xpl;
	30	struct sadb_x_ipsecrequest *xisr_list;
	31	--
	32	1.7.9.5
	33


diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0002-Don-t-link-against-libfl.patch b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0002-Don-t-link-against-libfl.patch new file mode 100644 index 000000000..13e9d73fc --- /dev/null +++ b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0002-Don-t-link-against-libfl.patch
@@ -0,0 +1,87 @@
	1	From e48b9097dce7bc2bfbb9e9c542124d3b5cebab39 Mon Sep 17 00:00:00 2001
	2	From: Paul Barker <paul@paulbarker.me.uk>
	3	Date: Wed, 5 Mar 2014 13:39:14 +0000
	4	Subject: [PATCH] Don't link against libfl
	5
	6	We can remove all references to yywrap by adding "%option noyywrap" statements
	7	to each flex source file that doesn't override yywrap. After this, we no longer
	8	need to link against libfl and so no longer get errors about undefined
	9	references to yylex.
	10
	11	Signed-off-by: Paul Barker <paul@paulbarker.me.uk>
	12	Upstream-status: Submitted 2014-03-11
	13	see http://sourceforge.net/p/ipsec-tools/mailman/ipsec-tools-devel/thread/CANyK_8ewmxGA3vBVJW6s1APXPmxPR%2BDFWZ61EL8pCt288aKQ6w%40mail.gmail.com/#msg32088797
	14	---
	15	src/libipsec/Makefile.am \| 1 -
	16	src/racoon/Makefile.am \| 2 +-
	17	src/racoon/cftoken.l \| 2 ++
	18	src/setkey/Makefile.am \| 1 -
	19	src/setkey/token.l \| 2 ++
	20	5 files changed, 5 insertions(+), 3 deletions(-)
	21
	22	diff --git a/src/libipsec/Makefile.am b/src/libipsec/Makefile.am
	23	index 6a4e3b3..df1e106 100644
	24	--- a/src/libipsec/Makefile.am
	25	+++ b/src/libipsec/Makefile.am
	26	@@ -26,7 +26,6 @@ libipsec_la_SOURCES = \
	27	# version is current:revision:age.
	28	# See: http://www.gnu.org/manual/libtool-1.4.2/html_chapter/libtool_6.html#SEC32
	29	libipsec_la_LDFLAGS = -version-info 0:1:0
	30	-libipsec_la_LIBADD = $(LEXLIB)
	31
	32	noinst_HEADERS = ipsec_strerror.h
	33
	34	diff --git a/src/racoon/Makefile.am b/src/racoon/Makefile.am
	35	index dbaded9..0662957 100644
	36	--- a/src/racoon/Makefile.am
	37	+++ b/src/racoon/Makefile.am
	38	@@ -38,7 +38,7 @@ racoon_SOURCES = \
	39	cftoken.l cfparse.y prsa_tok.l prsa_par.y
	40	EXTRA_racoon_SOURCES = isakmp_xauth.c isakmp_cfg.c isakmp_unity.c throttle.c \
	41	isakmp_frag.c nattraversal.c security.c $(MISSING_ALGOS)
	42	-racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(LEXLIB) \
	43	+racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) \
	44	$(SECCTX_OBJS) vmbuf.o sockmisc.o misc.o ../libipsec/libipsec.la
	45	racoon_DEPENDENCIES = \
	46	$(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(SECCTX_OBJS) \
	47	diff --git a/src/racoon/cftoken.l b/src/racoon/cftoken.l
	48	index 490242c..1701922 100644
	49	--- a/src/racoon/cftoken.l
	50	+++ b/src/racoon/cftoken.l
	51	@@ -106,6 +106,8 @@ static int incstackp = 0;
	52	static int yy_first_time = 1;
	53	%}
	54
	55	+%option noyywrap
	56	+
	57	/* common seciton */
	58	nl \n
	59	ws [ \t]+
	60	diff --git a/src/setkey/Makefile.am b/src/setkey/Makefile.am
	61	index 746c1f1..389e6cf 100644
	62	--- a/src/setkey/Makefile.am
	63	+++ b/src/setkey/Makefile.am
	64	@@ -13,7 +13,6 @@ setkey_SOURCES = \
	65
	66	setkey_LDFLAGS = ../libipsec/libipsec.la
	67	setkey_DEPENDENCIES = ../libipsec/libipsec.la
	68	-setkey_LDADD = $(LEXLIB)
	69
	70	noinst_HEADERS = vchar.h extern.h
	71	man8_MANS = setkey.8
	72	diff --git a/src/setkey/token.l b/src/setkey/token.l
	73	index ad3d843..eb23b76 100644
	74	--- a/src/setkey/token.l
	75	+++ b/src/setkey/token.l
	76	@@ -88,6 +88,8 @@
	77	#endif
	78	%}
	79
	80	+%option noyywrap
	81	+
	82	/* common section */
	83	nl \n
	84	ws [ \t]+
	85	--
	86	1.9.0
	87


diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/configure.patch b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/configure.patch new file mode 100644 index 000000000..8d270a62b --- /dev/null +++ b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/configure.patch
@@ -0,0 +1,13 @@
	1	Index: ipsec-tools-0.8.1/configure.ac
	2	===================================================================
	3	--- ipsec-tools-0.8.1.orig/configure.ac 2013-01-08 12:43:29.000000000 +0000
	4	+++ ipsec-tools-0.8.1/configure.ac 2014-07-18 07:51:30.045555880 +0000
	5	@@ -6,7 +6,7 @@
	6	AC_CONFIG_SRCDIR([configure.ac])
	7	AC_CONFIG_HEADERS(config.h)
	8
	9	-AM_INIT_AUTOMAKE(dist-bzip2)
	10	+AM_INIT_AUTOMAKE([foreign dist-bzip2])
	11
	12	AC_ENABLE_SHARED(no)
	13


diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/glibc-2.20.patch b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/glibc-2.20.patch new file mode 100644 index 000000000..36efc4917 --- /dev/null +++ b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/glibc-2.20.patch
@@ -0,0 +1,23 @@
	1	squahes below warning
	2	warning: #warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use _DEFAULT_SOURCE"
	3
	4	Seen with glibc 2.20
	5
	6	Signed-off-by: Khem Raj <raj.khem@gmail.com>
	7	Upstream-Status: Pending
	8	Index: ipsec-tools-0.8.2/src/include-glibc/glibc-bugs.h
	9	===================================================================
	10	--- ipsec-tools-0.8.2.orig/src/include-glibc/glibc-bugs.h 2006-09-09 09:22:08.000000000 -0700
	11	+++ ipsec-tools-0.8.2/src/include-glibc/glibc-bugs.h 2014-09-03 22:27:22.551563888 -0700
	12	@@ -4,7 +4,11 @@
	13	#define __GLIBC_BUGS_H__ 1
	14
	15	#define _XOPEN_SOURCE 500
	16	+/* Legacy feature macro.*/
	17	#define _BSD_SOURCE
	18	+/* New feature macro that provides everything _BSD_SOURCE and
	19	+ * _SVID_SOURCE provided and possibly more. */
	20	+#define _DEFAULT_SOURCE
	21
	22	#include <features.h>
	23	#include <sys/types.h>


diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-Resend-UPDATE-message-when-received-EINTR-message.patch b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-Resend-UPDATE-message-when-received-EINTR-message.patch new file mode 100644 index 000000000..e82db087c --- /dev/null +++ b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-Resend-UPDATE-message-when-received-EINTR-message.patch
@@ -0,0 +1,220 @@
	1	racoon: Resend UPDATE message when received EINTR message
	2
	3	Upstream-Status: Pending
	4
	5	While kernel is processing the UPDATE message which is sent from racoon,
	6	it maybe interrupted by system signal and if this case happens,
	7	kernel responds with an EINTR message to racoon and kernel fails to
	8	establish the corresponding SA.
	9	Fix this problem by resend the UPDATE message when EINTR(Interrupted
	10	system call) error happens.
	11
	12	Signed-off-by: Xufeng Zhang <xufeng.zhang@windriver.com>
	13	---
	14	--- a/src/libipsec/libpfkey.h
	15	+++ b/src/libipsec/libpfkey.h
	16	@@ -92,6 +92,12 @@
	17	u_int16_t ctxstrlen; /* length of security context string */
	18	};
	19
	20	+struct update_msg_info {
	21	+ struct sadb_msg *update_msg;
	22	+ int so;
	23	+ int len;
	24	+};
	25	+
	26	/* The options built into libipsec */
	27	extern int libipsec_opt;
	28	#define LIBIPSEC_OPT_NATT 0x01
	29	--- a/src/libipsec/pfkey.c
	30	+++ b/src/libipsec/pfkey.c
	31	@@ -1219,7 +1219,8 @@
	32	}
	33	#endif
	34
	35	-
	36	+struct update_msg_info update_msg_send = {NULL, 0, 0};
	37	+
	38	/* sending SADB_ADD or SADB_UPDATE message to the kernel */
	39	static int
	40	pfkey_send_x1(struct pfkey_send_sa_args *sa_parms)
	41	@@ -1483,10 +1484,24 @@
	42
	43	/* send message */
	44	len = pfkey_send(sa_parms->so, newmsg, len);
	45	- free(newmsg);
	46
	47	- if (len < 0)
	48	- return -1;
	49	+ if (newmsg->sadb_msg_type == SADB_UPDATE) {
	50	+ if (update_msg_send.update_msg)
	51	+ free(update_msg_send.update_msg);
	52	+ update_msg_send.update_msg = newmsg;
	53	+ update_msg_send.so = sa_parms->so;
	54	+ update_msg_send.len = len;
	55	+
	56	+ if (len < 0) {
	57	+ free(update_msg_send.update_msg);
	58	+ update_msg_send.update_msg = NULL;
	59	+ return -1;
	60	+ }
	61	+ } else {
	62	+ free(newmsg);
	63	+ if (len < 0)
	64	+ return -1;
	65	+ }
	66
	67	__ipsec_errcode = EIPSEC_NO_ERROR;
	68	return len;
	69	--- a/src/racoon/session.c
	70	+++ b/src/racoon/session.c
	71	@@ -100,6 +100,8 @@
	72
	73	#include "sainfo.h"
	74
	75	+extern struct update_msg_info update_msg_send;
	76	+
	77	struct fd_monitor {
	78	int (callback)(void ctx, int fd);
	79	void *ctx;
	80	@@ -348,6 +350,11 @@
	81	close_sockets();
	82	backupsa_clean();
	83
	84	+ if (update_msg_send.update_msg) {
	85	+ free(update_msg_send.update_msg);
	86	+ update_msg_send.update_msg = NULL;
	87	+ }
	88	+
	89	plog(LLV_INFO, LOCATION, NULL, "racoon process %d shutdown\n", getpid());
	90
	91	exit(0);
	92	--- a/src/racoon/pfkey.c
	93	+++ b/src/racoon/pfkey.c
	94	@@ -103,10 +103,12 @@
	95	#include "crypto_openssl.h"
	96	#include "grabmyaddr.h"
	97	+#include "../libipsec/libpfkey.h"
	98
	99	#if defined(SADB_X_EALG_RIJNDAELCBC) && !defined(SADB_X_EALG_AESCBC)
	100	#define SADB_X_EALG_AESCBC SADB_X_EALG_RIJNDAELCBC
	101	#endif
	102
	103	+extern struct update_msg_info update_msg_send;
	104	/* prototype */
	105	static u_int ipsecdoi2pfkey_aalg __P((u_int));
	106	static u_int ipsecdoi2pfkey_ealg __P((u_int));
	107	@@ -253,6 +255,13 @@
	108	s_pfkey_type(msg->sadb_msg_type),
	109	strerror(msg->sadb_msg_errno));
	110
	111	+ if (msg->sadb_msg_errno == EINTR &&
	112	+ update_msg_send.update_msg) {
	113	+ plog(LLV_DEBUG, LOCATION, NULL,
	114	+ "pfkey update resend\n");
	115	+ send(update_msg_send.so, (void *)update_msg_send.update_msg, (socklen_t)update_msg_send.len, 0);
	116	+ }
	117	+
	118	goto end;
	119	}
	120
	121	@@ -498,6 +507,11 @@
	122	{
	123	flushsp();
	124
	125	+ if (update_msg_send.update_msg) {
	126	+ free(update_msg_send.update_msg);
	127	+ update_msg_send.update_msg = NULL;
	128	+ }
	129	+
	130	if (pfkey_send_spddump(lcconf->sock_pfkey) < 0) {
	131	plog(LLV_ERROR, LOCATION, NULL,
	132	"libipsec sending spddump failed: %s\n",
	133	@@ -1295,6 +1309,8 @@
	134	return 0;
	135	}
	136
	137	+int update_received = 0;
	138	+
	139	static int
	140	pk_recvupdate(mhp)
	141	caddr_t *mhp;
	142	@@ -1307,6 +1323,13 @@
	143	int incomplete = 0;
	144	struct saproto *pr;
	145
	146	+ update_received = 1;
	147	+
	148	+ if (update_msg_send.update_msg) {
	149	+ free(update_msg_send.update_msg);
	150	+ update_msg_send.update_msg = NULL;
	151	+ }
	152	+
	153	/* ignore this message because of local test mode. */
	154	if (f_local)
	155	return 0;
	156	@@ -4163,3 +4186,8 @@
	157
	158	return buf;
	159	}
	160	+
	161	+int receive_from_isakmp()
	162	+{
	163	+ return pfkey_handler(NULL, lcconf->sock_pfkey);
	164	+}
	165	--- a/src/racoon/pfkey.h
	166	+++ b/src/racoon/pfkey.h
	167	@@ -71,5 +71,6 @@
	168	extern u_int32_t pk_getseq __P((void));
	169	extern const char *sadbsecas2str
	170	__P((struct sockaddr , struct sockaddr , int, u_int32_t, int));
	171	+extern int receive_from_isakmp __P((void));
	172
	173	#endif /* _PFKEY_H */
	174	--- a/src/racoon/isakmp_quick.c
	175	+++ b/src/racoon/isakmp_quick.c
	176	@@ -774,6 +774,8 @@
	177	return error;
	178	}
	179
	180	+extern int update_received;
	181	+
	182	/*
	183	* send to responder
	184	* HDR*, HASH(3)
	185	@@ -892,6 +894,11 @@
	186	}
	187	plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
	188
	189	+ while (!update_received)
	190	+ receive_from_isakmp();
	191	+
	192	+ update_received = 0;
	193	+
	194	/* Do ADD for responder */
	195	if (pk_sendadd(iph2) < 0) {
	196	plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
	197	@@ -1035,6 +1042,11 @@
	198	}
	199	plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
	200
	201	+ while (!update_received)
	202	+ receive_from_isakmp();
	203	+
	204	+ update_received = 0;
	205	+
	206	/* Do ADD for responder */
	207	if (pk_sendadd(iph2) < 0) {
	208	plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
	209	@@ -1989,6 +2001,11 @@
	210	}
	211	plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
	212
	213	+ while (!update_received)
	214	+ receive_from_isakmp();
	215	+
	216	+ update_received = 0;
	217	+
	218	/* Do ADD for responder */
	219	if (pk_sendadd(iph2) < 0) {
	220	plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");


diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-ivm.patch b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-ivm.patch new file mode 100644 index 000000000..e272bc20f --- /dev/null +++ b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-ivm.patch
@@ -0,0 +1,26 @@
	1	Subject: [PATCH] ipsec-tools: racoon: check several invalid ivm
	2
	3	Upstream-Status: Pending
	4
	5	Add checking for invalid ivm, or it will crash racoon.
	6
	7	Signed-off-by: Ming Liu <ming.liu@windriver.com>
	8	---
	9	isakmp_cfg.c \| 5 +++++
	10	1 file changed, 5 insertions(+)
	11
	12	diff -urpN a/src/racoon/isakmp_cfg.c b/src/racoon/isakmp_cfg.c
	13	--- a/src/racoon/isakmp_cfg.c
	14	+++ b/src/racoon/isakmp_cfg.c
	15	@@ -171,6 +171,11 @@ isakmp_cfg_r(iph1, msg)
	16	iph1->mode_cfg->last_msgid != packet->msgid )
	17	iph1->mode_cfg->ivm =
	18	isakmp_cfg_newiv(iph1, packet->msgid);
	19	+ if(iph1->mode_cfg->ivm == NULL) {
	20	+ plog(LLV_ERROR, LOCATION, NULL,
	21	+ "failed to create new IV\n");
	22	+ return;
	23	+ }
	24	ivm = iph1->mode_cfg->ivm;
	25
	26	dmsg = oakley_do_decrypt(iph1, msg, ivm->iv, ivm->ive);


diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-pointers.patch b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-pointers.patch new file mode 100644 index 000000000..de1bdb407 --- /dev/null +++ b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-pointers.patch
@@ -0,0 +1,61 @@
	1	Subject: [PATCH] ipsec-tools: racoon: check several invalid pointers
	2
	3	Upstream-Status: Pending
	4
	5	Add checking for invalid pointers, or it will crash racoon.
	6
	7	Signed-off-by: Ming Liu <ming.liu@windriver.com>
	8	---
	9	ipsec_doi.c \| 5 +++--
	10	isakmp_cfg.c \| 7 +++++++
	11	isakmp_quick.c \| 6 ++++--
	12	3 files changed, 14 insertions(+), 4 deletions(-)
	13
	14	diff -urpN a/src/racoon/ipsec_doi.c b/src/racoon/ipsec_doi.c
	15	--- a/src/racoon/ipsec_doi.c
	16	+++ b/src/racoon/ipsec_doi.c
	17	@@ -3374,8 +3374,9 @@ ipsecdoi_chkcmpids( idt, ids, exact )
	18
	19	/* handle wildcard IDs */
	20
	21	- if (idt == NULL \|\| ids == NULL)
	22	- {
	23	+ if (idt == NULL \|\| ids == NULL \|\|
	24	+ idt->v == NULL \|\| idt->l == 0 \|\|
	25	+ ids->v == NULL \|\| ids->l == 0) {
	26	if( !exact )
	27	{
	28	plog(LLV_DEBUG, LOCATION, NULL,
	29	diff -urpN a/src/racoon/isakmp_cfg.c b/src/racoon/isakmp_cfg.c
	30	--- a/src/racoon/isakmp_cfg.c
	31	+++ b/src/racoon/isakmp_cfg.c
	32	@@ -1138,6 +1138,13 @@ isakmp_cfg_newiv(iph1, msgid)
	33	return NULL;
	34	}
	35
	36	+ if (iph1->ivm == NULL \|\| iph1->ivm->iv == NULL \|\|
	37	+ iph1->ivm->iv->v == NULL \|\| iph1->ivm->iv->l == 0) {
	38	+ plog(LLV_ERROR, LOCATION, NULL,
	39	+ "isakmp_cfg_newiv called with invalid IV management\n");
	40	+ return NULL;
	41	+ }
	42	+
	43	if (ics->ivm != NULL)
	44	oakley_delivm(ics->ivm);
	45
	46	diff -urpN a/src/racoon/isakmp_quick.c b/src/racoon/isakmp_quick.c
	47	--- a/src/racoon/isakmp_quick.c
	48	+++ b/src/racoon/isakmp_quick.c
	49	@@ -2243,8 +2243,10 @@ get_proposal_r(iph2)
	50	int error = ISAKMP_INTERNAL_ERROR;
	51
	52	/* check the existence of ID payload */
	53	- if ((iph2->id_p != NULL && iph2->id == NULL)
	54	- \|\| (iph2->id_p == NULL && iph2->id != NULL)) {
	55	+ if ((iph2->id_p != NULL &&
	56	+ (iph2->id == NULL \|\| iph2->id->v == NULL \|\| iph2->id->l == 0)) \|\|
	57	+ (iph2->id != NULL &&
	58	+ (iph2->id_p == NULL \|\| iph2->id_p->v == NULL \|\| iph2->id_p->l == 0))) {
	59	plog(LLV_ERROR, LOCATION, NULL,
	60	"Both IDs wasn't found in payload.\n");
	61	return ISAKMP_NTYPE_INVALID_ID_INFORMATION;


diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoonctl-build-fix.patch b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoonctl-build-fix.patch new file mode 100644 index 000000000..f77fa8638 --- /dev/null +++ b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoonctl-build-fix.patch
@@ -0,0 +1,49 @@
	1	Subject: [PATCH] ipsec-tools: racoonctl buildfix
	2
	3	Upstream-Status: Pending
	4
	5	building ipsec-tools failed building/linking racoonctl with some errors:
	6	- missing "yylex" error
	7	- some linking errors for variables defined in racoon but not racoonctl
	8	- some symbols from nattraversal.c where not found as it wasn't linked
	9	when building with NAT support.
	10
	11	Signed-off-by: Liviu Gheorghisan <liviu.gheorghisan@enea.com>
	12	Signed-off-by: Daniel BORNAZ <daniel.bornaz@enea.com>
	13	---
	14	diff -rupN a/src/racoon/Makefile.am b/src/racoon/Makefile.am
	15	--- a/src/racoon/Makefile.am 2014-03-05 12:16:52.907101044 +0100
	16	+++ b/src/racoon/Makefile.am 2014-03-05 12:17:10.946320064 +0100
	17	@@ -44,7 +44,17 @@ racoon_DEPENDENCIES = \
	18	$(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(SECCTX_OBJS) \
	19	vmbuf.o sockmisc.o misc.o
	20
	21	-racoonctl_SOURCES = racoonctl.c str2val.c
	22	+racoonctl_SOURCES = \
	23	+ session.c isakmp.c handler.c \
	24	+ isakmp_ident.c isakmp_agg.c isakmp_base.c \
	25	+ isakmp_quick.c isakmp_inf.c isakmp_newg.c \
	26	+ gssapi.c dnssec.c getcertsbyname.c privsep.c \
	27	+ pfkey.c admin.c evt.c ipsec_doi.c oakley.c grabmyaddr.c vendorid.c \
	28	+ policy.c localconf.c remoteconf.c crypto_openssl.c algorithm.c \
	29	+ proposal.c sainfo.c strnames.c nattraversal.c \
	30	+ plog.c logger.c schedule.c str2val.c \
	31	+ safefile.c backupsa.c genlist.c rsalist.c \
	32	+ cftoken.l cfparse.y prsa_tok.l prsa_par.y racoonctl.c
	33	racoonctl_LDADD = libracoon.la ../libipsec/libipsec.la
	34
	35	libracoon_la_SOURCES = kmpstat.c vmbuf.c sockmisc.c misc.c
	36
	37	diff -rupN a/src/racoon/racoonctl.c b/src/racoon/racoonctl.c
	38	--- a/src/racoon/racoonctl.c 2014-03-05 12:16:52.915100698 +0100
	39	+++ b/src/racoon/racoonctl.c 2014-03-05 12:17:17.906018754 +0100
	40	@@ -247,6 +247,9 @@ usage()
	41	#error "Incompatible racoonctl interface"
	42	#endif
	43
	44	+int f_local = 0; /* local test mode. behave like a wall. */
	45	+int dump_config =0;
	46	+
	47	int
	48	main(ac, av)
	49	int ac;


diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/with-flexdir.patch b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/with-flexdir.patch new file mode 100644 index 000000000..da1169218 --- /dev/null +++ b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/with-flexdir.patch
@@ -0,0 +1,14 @@
	1	--- ipsec-tools-0.8.1.old/configure.ac 2014-03-04 16:24:57.431207664 +0100
	2	+++ ipsec-tools-0.8.1/configure.ac 2014-03-04 16:26:00.372461304 +0100
	3	@@ -171,9 +171,9 @@ if test $with_readline != "no"; then
	4	fi
	5
	6
	7	-AC_MSG_CHECKING(if --with-flex option is specified)
	8	+AC_MSG_CHECKING(if --with-flexdir option is specified)
	9	AC_ARG_WITH(flexdir,
	10	- [AC_HELP_STRING([--with-flex], [use directiory (default: no)])],
	11	+ [AC_HELP_STRING([--with-flexdir], [use directory (default: no)])],
	12	[flexdir="$withval"])
	13	AC_MSG_RESULT(${flexdir-dirdefault})
	14