Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/crypto/dist/ipsec-tools/src/racoon Explicitly compare return...
details: https://anonhg.NetBSD.org/src/rev/53b58977eefa
branches: trunk
changeset: 763238:53b58977eefa
user: tteras <tteras%NetBSD.org@localhost>
date: Mon Mar 14 17:18:12 2011 +0000
description:
Explicitly compare return value of cmpsaddr() against a return value
define to make it more obvious what is the intended action. One more
return value is also added, to fix comparison of security policy
descriptors. Namely, getsp() should not allow wildcard matching (as the
comment says, it does exact matching) - otherwise we get problems when
kernel has generic policy with no ports, and a second similar policy with
ports.
diffstat:
crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c | 12 ++++----
crypto/dist/ipsec-tools/src/racoon/handler.c | 28 +++++++++++-----------
crypto/dist/ipsec-tools/src/racoon/isakmp.c | 18 +++++++-------
crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c | 12 ++++----
crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c | 8 +++---
crypto/dist/ipsec-tools/src/racoon/nattraversal.c | 10 ++++----
crypto/dist/ipsec-tools/src/racoon/pfkey.c | 18 +++++++-------
crypto/dist/ipsec-tools/src/racoon/policy.c | 14 +++++-----
crypto/dist/ipsec-tools/src/racoon/sockmisc.c | 12 +++++----
crypto/dist/ipsec-tools/src/racoon/sockmisc.h | 7 +++--
crypto/dist/ipsec-tools/src/racoon/throttle.c | 4 +-
11 files changed, 73 insertions(+), 70 deletions(-)
diffs (truncated from 479 to 300 lines):
diff -r b330fc028b78 -r 53b58977eefa crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
--- a/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c Mon Mar 14 15:56:40 2011 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c Mon Mar 14 17:18:12 2011 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: grabmyaddr.c,v 1.27 2010/12/03 09:46:24 tteras Exp $ */
+/* $NetBSD: grabmyaddr.c,v 1.28 2011/03/14 17:18:12 tteras Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* Copyright (C) 2008 Timo Teras <timo.teras%iki.fi@localhost>.
@@ -100,7 +100,7 @@
return TRUE;
LIST_FOREACH(cfg, &configured, chain) {
- if (cmpsaddr(addr, (struct sockaddr *) &cfg->addr) == 0)
+ if (cmpsaddr(addr, (struct sockaddr *) &cfg->addr) <= CMPSADDR_WILDPORT_MATCH)
return TRUE;
}
@@ -116,7 +116,7 @@
/* Already open? */
LIST_FOREACH(my, &opened, chain) {
- if (cmpsaddr(addr, (struct sockaddr *) &my->addr) == 0)
+ if (cmpsaddr(addr, (struct sockaddr *) &my->addr) <= CMPSADDR_WILDPORT_MATCH)
return TRUE;
}
@@ -156,7 +156,7 @@
LIST_FOREACH(cfg, &configured, chain) {
if (addr != NULL &&
- cmpsaddr(addr, (struct sockaddr *) &cfg->addr) != 0)
+ cmpsaddr(addr, (struct sockaddr *) &cfg->addr) > CMPSADDR_WILDPORT_MATCH)
continue;
if (!myaddr_open((struct sockaddr *) &cfg->addr, cfg->udp_encap))
return FALSE;
@@ -262,7 +262,7 @@
struct myaddr *my;
LIST_FOREACH(my, &opened, chain) {
- if (cmpsaddr((struct sockaddr *) &my->addr, addr) == 0)
+ if (cmpsaddr((struct sockaddr *) &my->addr, addr) <= CMPSADDR_WILDPORT_MATCH)
return my->fd;
}
@@ -276,7 +276,7 @@
struct myaddr *my;
LIST_FOREACH(my, &opened, chain) {
- if (cmpsaddr((struct sockaddr *) &my->addr, addr) == 0)
+ if (cmpsaddr((struct sockaddr *) &my->addr, addr) <= CMPSADDR_WILDPORT_MATCH)
return extract_port((struct sockaddr *) &my->addr);
}
diff -r b330fc028b78 -r 53b58977eefa crypto/dist/ipsec-tools/src/racoon/handler.c
--- a/crypto/dist/ipsec-tools/src/racoon/handler.c Mon Mar 14 15:56:40 2011 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/handler.c Mon Mar 14 17:18:12 2011 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: handler.c,v 1.38 2011/03/14 14:54:07 vanhu Exp $ */
+/* $NetBSD: handler.c,v 1.39 2011/03/14 17:18:12 tteras Exp $ */
/* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */
@@ -120,11 +120,11 @@
LIST_FOREACH(p, &ph1tree, chain) {
if (sel != NULL) {
if (sel->local != NULL &&
- cmpsaddr(sel->local, p->local) != 0)
+ cmpsaddr(sel->local, p->local) > CMPSADDR_WILDPORT_MATCH)
continue;
if (sel->remote != NULL &&
- cmpsaddr(sel->remote, p->remote) != 0)
+ cmpsaddr(sel->remote, p->remote) > CMPSADDR_WILDPORT_MATCH)
continue;
}
@@ -300,8 +300,8 @@
if (p->status < PHASE1ST_DYING)
continue;
- if (cmpsaddr(iph1->local, p->local) == 0
- && cmpsaddr(iph1->remote, p->remote) == 0)
+ if (cmpsaddr(iph1->local, p->local) == CMPSADDR_MATCH
+ && cmpsaddr(iph1->remote, p->remote) == CMPSADDR_MATCH)
migrate_ph12(p, iph1);
}
}
@@ -547,11 +547,11 @@
continue;
if (sel->src != NULL &&
- cmpsaddr(sel->src, p->src) != 0)
+ cmpsaddr(sel->src, p->src) != CMPSADDR_MATCH)
continue;
if (sel->dst != NULL &&
- cmpsaddr(sel->dst, p->dst) != 0)
+ cmpsaddr(sel->dst, p->dst) != CMPSADDR_MATCH)
continue;
}
@@ -615,8 +615,8 @@
LIST_FOREACH(p, &ph2tree, chain) {
if (spid == p->spid &&
- cmpsaddr(src, p->src) == 0 &&
- cmpsaddr(dst, p->dst) == 0){
+ cmpsaddr(src, p->src) <= CMPSADDR_WILDPORT_MATCH &&
+ cmpsaddr(dst, p->dst) <= CMPSADDR_WILDPORT_MATCH){
/* Sanity check to detect zombie handlers
* XXX Sould be done "somewhere" more interesting,
* because we have lots of getph2byxxxx(), but this one
@@ -643,8 +643,8 @@
struct ph2handle *p;
LIST_FOREACH(p, &ph2tree, chain) {
- if (cmpsaddr(src, p->src) == 0 &&
- cmpsaddr(dst, p->dst) == 0)
+ if (cmpsaddr(src, p->src) <= CMPSADDR_WILDPORT_MATCH &&
+ cmpsaddr(dst, p->dst) <= CMPSADDR_WILDPORT_MATCH)
return p;
}
@@ -947,7 +947,7 @@
struct contacted *p;
LIST_FOREACH(p, &ctdtree, chain) {
- if (cmpsaddr(remote, p->remote) == 0)
+ if (cmpsaddr(remote, p->remote) <= CMPSADDR_WILDPORT_MATCH)
return p;
}
@@ -988,7 +988,7 @@
struct contacted *p;
LIST_FOREACH(p, &ctdtree, chain) {
- if (cmpsaddr(remote, p->remote) == 0) {
+ if (cmpsaddr(remote, p->remote) <= CMPSADDR_WILDPORT_MATCH) {
LIST_REMOVE(p, chain);
racoon_free(p->remote);
racoon_free(p);
@@ -1042,7 +1042,7 @@
/*
* the packet was processed before, but the remote address mismatches.
*/
- if (cmpsaddr(remote, r->remote) != 0)
+ if (cmpsaddr(remote, r->remote) != CMPSADDR_MATCH)
return 2;
/*
diff -r b330fc028b78 -r 53b58977eefa crypto/dist/ipsec-tools/src/racoon/isakmp.c
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp.c Mon Mar 14 15:56:40 2011 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp.c Mon Mar 14 17:18:12 2011 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: isakmp.c,v 1.69 2011/03/11 14:30:07 vanhu Exp $ */
+/* $NetBSD: isakmp.c,v 1.70 2011/03/14 17:18:12 tteras Exp $ */
/* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
@@ -468,8 +468,8 @@
/* Floating ports for NAT-T */
if (NATT_AVAILABLE(iph1) &&
! (iph1->natt_flags & NAT_PORTS_CHANGED) &&
- ((cmpsaddr(iph1->remote, remote) != 0) ||
- (cmpsaddr(iph1->local, local) != 0)))
+ ((cmpsaddr(iph1->remote, remote) != CMPSADDR_MATCH) ||
+ (cmpsaddr(iph1->local, local) != CMPSADDR_MATCH)))
{
/* prevent memory leak */
racoon_free(iph1->remote);
@@ -510,7 +510,7 @@
#endif
/* must be same addresses in one stream of a phase at least. */
- if (cmpsaddr(iph1->remote, remote) != 0) {
+ if (cmpsaddr(iph1->remote, remote) != CMPSADDR_MATCH) {
char *saddr_db, *saddr_act;
saddr_db = racoon_strdup(saddr2str(iph1->remote));
@@ -636,7 +636,7 @@
"exchange received.\n");
return -1;
}
- if (cmpsaddr(iph1->remote, remote) != 0) {
+ if (cmpsaddr(iph1->remote, remote) != CMPSADDR_MATCH) {
plog(LLV_WARNING, LOCATION, remote,
"remote address mismatched. "
"db=%s\n",
@@ -3325,10 +3325,10 @@
* Select only SAs where src == local and dst == remote (outgoing)
* or src == remote and dst == local (incoming).
*/
- if ((cmpsaddr(iph1->local, src) ||
- cmpsaddr(iph1->remote, dst)) &&
- (cmpsaddr(iph1->local, dst) ||
- cmpsaddr(iph1->remote, src))) {
+ if ((cmpsaddr(iph1->local, src) != CMPSADDR_MATCH ||
+ cmpsaddr(iph1->remote, dst) != CMPSADDR_MATCH) &&
+ (cmpsaddr(iph1->local, dst) != CMPSADDR_MATCH ||
+ cmpsaddr(iph1->remote, src) != CMPSADDR_MATCH)) {
msg = next;
continue;
}
diff -r b330fc028b78 -r 53b58977eefa crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c Mon Mar 14 15:56:40 2011 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c Mon Mar 14 17:18:12 2011 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: isakmp_inf.c,v 1.45 2011/01/22 07:38:51 tteras Exp $ */
+/* $NetBSD: isakmp_inf.c,v 1.46 2011/03/14 17:18:13 tteras Exp $ */
/* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
@@ -1177,7 +1177,7 @@
/* don't delete inbound SAs at the moment */
/* XXX should we remove SAs with opposite direction as well? */
- if (cmpsaddr(dst0, dst)) {
+ if (cmpsaddr(dst0, dst) != CMPSADDR_MATCH) {
msg = next;
continue;
}
@@ -1355,10 +1355,10 @@
* ports. Correct thing to do is delete all entries with
* same identity. -TT
*/
- if ((cmpsaddr(iph1->local, src) != 0 ||
- cmpsaddr(iph1->remote, dst) != 0) &&
- (cmpsaddr(iph1->local, dst) != 0 ||
- cmpsaddr(iph1->remote, src) != 0))
+ if ((cmpsaddr(iph1->local, src) != CMPSADDR_MATCH ||
+ cmpsaddr(iph1->remote, dst) != CMPSADDR_MATCH) &&
+ (cmpsaddr(iph1->local, dst) != CMPSADDR_MATCH ||
+ cmpsaddr(iph1->remote, src) != CMPSADDR_MATCH))
continue;
/*
diff -r b330fc028b78 -r 53b58977eefa crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c Mon Mar 14 15:56:40 2011 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c Mon Mar 14 17:18:12 2011 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: isakmp_quick.c,v 1.28 2010/12/07 14:28:12 tteras Exp $ */
+/* $NetBSD: isakmp_quick.c,v 1.29 2011/03/14 17:18:13 tteras Exp $ */
/* Id: isakmp_quick.c,v 1.29 2006/08/22 18:17:17 manubsd Exp */
@@ -629,7 +629,7 @@
#endif
if (cmpsaddr((struct sockaddr *) &proposed_addr,
- (struct sockaddr *) &got_addr) == 0) {
+ (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) {
plog(LLV_DEBUG, LOCATION, NULL,
"IDci matches proposal.\n");
#ifdef ENABLE_NATT
@@ -677,13 +677,13 @@
#endif
if (cmpsaddr((struct sockaddr *) &proposed_addr,
- (struct sockaddr *) &got_addr) == 0) {
+ (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) {
plog(LLV_DEBUG, LOCATION, NULL,
"IDcr matches proposal.\n");
#ifdef ENABLE_NATT
} else if (iph2->natoa_dst != NULL
&& cmpsaddr(iph2->natoa_dst,
- (struct sockaddr *) &got_addr) == 0) {
+ (struct sockaddr *) &got_addr) == CMPSADDR_MATCH) {
plog(LLV_DEBUG, LOCATION, NULL,
"IDcr matches NAT-OAr.\n");
#endif
diff -r b330fc028b78 -r 53b58977eefa crypto/dist/ipsec-tools/src/racoon/nattraversal.c
--- a/crypto/dist/ipsec-tools/src/racoon/nattraversal.c Mon Mar 14 15:56:40 2011 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/nattraversal.c Mon Mar 14 17:18:12 2011 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: nattraversal.c,v 1.13 2009/09/01 12:22:09 tteras Exp $ */
+/* $NetBSD: nattraversal.c,v 1.14 2011/03/14 17:18:13 tteras Exp $ */
/*
* Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
@@ -398,8 +398,8 @@
struct natt_ka_addrs *ka = NULL, *new_addr;
TAILQ_FOREACH (ka, &ka_tree, chain) {
- if (cmpsaddr(ka->src, src) == 0 &&
- cmpsaddr(ka->dst, dst) == 0) {
+ if (cmpsaddr(ka->src, src) == CMPSADDR_MATCH &&
+ cmpsaddr(ka->dst, dst) == CMPSADDR_MATCH) {
ka->in_use++;
plog (LLV_INFO, LOCATION, NULL, "KA found: %s (in_use=%u)\n",
saddr2str_fromto("%s->%s", src, dst), ka->in_use);
@@ -462,8 +462,8 @@
plog (LLV_DEBUG, LOCATION, NULL, "KA tree dump: %s (in_use=%u)\n",
saddr2str_fromto("%s->%s", src, dst), ka->in_use);
- if (cmpsaddr(ka->src, src) == 0 &&
- cmpsaddr(ka->dst, dst) == 0 &&
+ if (cmpsaddr(ka->src, src) == CMPSADDR_MATCH &&
+ cmpsaddr(ka->dst, dst) == CMPSADDR_MATCH &&
-- ka->in_use <= 0) {
Home |
Main Index |
Thread Index |
Old Index