When rekeying phase2 use phase1 used to negotiate phase2 as a hint to

select the phase1 for rekeying the new phase2.
2009-09-03 09:29:07 +00:00 · 2009-09-03 09:29:07 +00:00 · 63bcd231eb
commit 63bcd231eb
parent e36a465d74
6 changed files with 174 additions and 145 deletions
--- a/crypto/dist/ipsec-tools/src/racoon/admin.c
+++ b/crypto/dist/ipsec-tools/src/racoon/admin.c
@ -1,11 +1,11 @@
-/*	$NetBSD: admin.c,v 1.31 2009/07/03 06:41:46 tteras Exp $	*/
+/*	$NetBSD: admin.c,v 1.32 2009/09/03 09:29:07 tteras Exp $	*/
 /* Id: admin.c,v 1.25 2006/04/06 14:31:04 manubsd Exp */
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
- * 
+ *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@ -17,7 +17,7 @@
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
- * 
+ *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@ -341,7 +341,7 @@ admin_process(so2, combuf)
 		user[len] = 0;
 		found = purgeph1bylogin(user);
-		plog(LLV_INFO, LOCATION, NULL, 
+		plog(LLV_INFO, LOCATION, NULL,
 		    "deleted %d SA for user \"%s\"\n", found, user);
 		break;
@ -360,7 +360,7 @@ admin_process(so2, combuf)
 		rem = racoon_strdup(saddrwop2str(dst));
 		STRDUP_FATAL(rem);
-		plog(LLV_INFO, LOCATION, NULL, 
+		plog(LLV_INFO, LOCATION, NULL,
 		    "Flushing all SAs for peer %s\n", rem);
 		while ((iph1 = getph1bydstaddr(dst)) != NULL) {
@ -373,7 +373,7 @@ admin_process(so2, combuf)
 			racoon_free(loc);
 		}
-		
+
 		racoon_free(rem);
 		break;
 	}
@ -383,14 +383,14 @@ admin_process(so2, combuf)
 		char *data;
 		acp = (struct admin_com_psk *)
-		    ((char *)com + sizeof(*com) + 
+		    ((char *)com + sizeof(*com) +
 		    sizeof(struct admin_com_indexes));
 		idtype = acp->id_type;
 		if ((id = vmalloc(acp->id_len)) == NULL) {
 			plog(LLV_ERROR, LOCATION, NULL,
-			    "cannot allocate memory: %s\n", 
+			    "cannot allocate memory: %s\n",
 			    strerror(errno));
 			break;
 		}
@ -399,7 +399,7 @@ admin_process(so2, combuf)
 		if ((key = vmalloc(acp->key_len)) == NULL) {
 			plog(LLV_ERROR, LOCATION, NULL,
-			    "cannot allocate memory: %s\n", 
+			    "cannot allocate memory: %s\n",
 			    strerror(errno));
 			vfree(id);
 			id = NULL;
@ -474,7 +474,7 @@ admin_process(so2, combuf)
 				rmconf->xauth->pass = key;
 			}
 #endif
- 
+
 			plog(LLV_INFO, LOCATION, NULL,
 				"accept a request to establish IKE-SA: "
 				"%s\n", saddrwop2str(dst));
@ -577,7 +577,7 @@ admin_process(so2, combuf)
 			}
 			insph2(iph2);
-			if (isakmp_post_acquire(iph2) < 0) {
+			if (isakmp_post_acquire(iph2, NULL) < 0) {
 				remph2(iph2);
 				delph2(iph2);
 				break;
@ -710,17 +710,17 @@ admin_init()
 	}
 	if (chown(sunaddr.sun_path, adminsock_owner, adminsock_group) != 0) {
-		plog(LLV_ERROR, LOCATION, NULL, 
+		plog(LLV_ERROR, LOCATION, NULL,
-		    "chown(%s, %d, %d): %s\n", 
+		    "chown(%s, %d, %d): %s\n",
-		    sunaddr.sun_path, adminsock_owner, 
+		    sunaddr.sun_path, adminsock_owner,
 		    adminsock_group, strerror(errno));
 		(void)close(lcconf->sock_admin);
 		return -1;
 	}
 	if (chmod(sunaddr.sun_path, adminsock_mode) != 0) {
-		plog(LLV_ERROR, LOCATION, NULL, 
+		plog(LLV_ERROR, LOCATION, NULL,
-		    "chmod(%s, 0%03o): %s\n", 
+		    "chmod(%s, 0%03o): %s\n",
 		    sunaddr.sun_path, adminsock_mode, strerror(errno));
 		(void)close(lcconf->sock_admin);
 		return -1;
--- a/crypto/dist/ipsec-tools/src/racoon/handler.c
+++ b/crypto/dist/ipsec-tools/src/racoon/handler.c
@ -1,11 +1,11 @@
-/*	$NetBSD: handler.c,v 1.29 2009/07/03 06:41:46 tteras Exp $	*/
+/*	$NetBSD: handler.c,v 1.30 2009/09/03 09:29:07 tteras Exp $	*/
 /* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
- * 
+ *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@ -17,7 +17,7 @@
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
- * 
+ *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@ -64,7 +64,7 @@
 #include "evt.h"
 #include "isakmp.h"
 #ifdef ENABLE_HYBRID
-#include "isakmp_xauth.h"  
+#include "isakmp_xauth.h"
 #include "isakmp_cfg.h"
 #endif
 #include "isakmp_inf.h"
@ -177,8 +177,8 @@ getph1byindex0(index)
 * with phase 2's destinaion.
 */
 struct ph1handle *
-getph1(rmconf, local, remote, flags)
+getph1(ph1hint, local, remote, flags)
-	struct remoteconf *rmconf;
+	struct ph1handle *ph1hint;
 	struct sockaddr *local, *remote;
 	int flags;
 {
@ -202,12 +202,30 @@ getph1(rmconf, local, remote, flags)
 			continue;
 		}
-		if (local != NULL && cmpsaddr(local, p->local) != 0)
+		if (local != NULL && cmpsaddr(local, p->local) == CMPSADDR_MISMATCH)
 			continue;
-		if (remote != NULL && cmpsaddr(remote, p->remote) != 0)
+		if (remote != NULL && cmpsaddr(remote, p->remote) == CMPSADDR_MISMATCH)
 			continue;
 		if (ph1hint != NULL) {
 			if (ph1hint->id && ph1hint->id->l && p->id && p->id->l &&
 			    (ph1hint->id->l != p->id->l ||
 			     memcmp(ph1hint->id->v, p->id->v, p->id->l) != 0)) {
 				plog(LLV_DEBUG2, LOCATION, NULL,
 				     "local identity does match hint\n");
 				continue;
 			}
 			if (ph1hint->id_p && ph1hint->id_p->l &&
 			    p->id_p && p->id_p->l &&
 			    (ph1hint->id_p->l != p->id_p->l ||
 			     memcmp(ph1hint->id_p->v, p->id_p->v, p->id_p->l) != 0)) {
 				plog(LLV_DEBUG2, LOCATION, NULL,
 				     "remote identity does match hint\n");
 				continue;
 			}
 		}
 		plog(LLV_DEBUG2, LOCATION, NULL, "matched\n");
 		return p;
 	}
@ -1155,7 +1173,7 @@ init_recvdpkt()
 }
 #ifdef ENABLE_HYBRID
-/* 
+/*
 * Retruns 0 if the address was obtained by ISAKMP mode config, 1 otherwise
 * This should be in isakmp_cfg.c but ph1tree being private, it must be there
 */
@ -1182,7 +1200,7 @@ exclude_cfg_addr(addr)
-/* 
+/*
 * Reload conf code
 */
 static int revalidate_ph2(struct ph2handle *iph2){
@ -1192,11 +1210,11 @@ static int revalidate_ph2(struct ph2handle *iph2){
 	struct saprop *approval;
 	struct ph1handle *iph1;
-	/* 
+	/*
 	 * Get the new sainfo using values of the old one
 	 */
 	if (iph2->sainfo != NULL) {
-		iph2->sainfo = getsainfo(iph2->sainfo->idsrc, 
+		iph2->sainfo = getsainfo(iph2->sainfo->idsrc,
 					  iph2->sainfo->iddst, iph2->sainfo->id_i,
 					  NULL, iph2->sainfo->remoteid);
 	}
@ -1204,7 +1222,7 @@ static int revalidate_ph2(struct ph2handle *iph2){
 	sainfo = iph2->sainfo;
 	if (sainfo == NULL) {
-		/* 
+		/*
 		 * Sainfo has been removed
 		 */
 		plog(LLV_DEBUG, LOCATION, NULL,
@ -1219,7 +1237,7 @@ static int revalidate_ph2(struct ph2handle *iph2){
 		plog(LLV_DEBUG, LOCATION, NULL,
 			 "No approval found !\n");
 		return 0;
-	}	
+	}
 	/*
 	 * Don't care about proposals, should we do something ?
@ -1318,7 +1336,7 @@ static int revalidate_ph2(struct ph2handle *iph2){
 	}
 	found = 0;
-	for (alg = sainfo->algs[algclass_ipsec_enc]; 
+	for (alg = sainfo->algs[algclass_ipsec_enc];
 	    (found == 0 && alg != NULL); alg = alg->next) {
 		plog(LLV_DEBUG, LOCATION, NULL,
 			 "Reload: next ph2 enc alg...\n");
@ -1351,7 +1369,7 @@ static int revalidate_ph2(struct ph2handle *iph2){
 			break;
 		default:
-			plog(LLV_ERROR, LOCATION, NULL, 
+			plog(LLV_ERROR, LOCATION, NULL,
 			    "unexpected check_level\n");
 			continue;
 			break;
@ -1375,7 +1393,7 @@ static int revalidate_ph2(struct ph2handle *iph2){
 }
-static void 
+static void
 remove_ph2(struct ph2handle *iph2)
 {
 	u_int32_t spis[2];
@ -1467,7 +1485,7 @@ static int revalidate_ph2tree(void){
 	return 1;
 }
-int 
+int
 revalidate_ph12(void)
 {
--- a/crypto/dist/ipsec-tools/src/racoon/handler.h
+++ b/crypto/dist/ipsec-tools/src/racoon/handler.h
@ -1,11 +1,11 @@
-/*	$NetBSD: handler.h,v 1.21 2009/07/03 06:41:46 tteras Exp $	*/
+/*	$NetBSD: handler.h,v 1.22 2009/09/03 09:29:07 tteras Exp $	*/
 /* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
- * 
+ *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@ -17,7 +17,7 @@
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
- * 
+ *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@ -214,7 +214,7 @@ struct ph1handle {
 	LIST_ENTRY(ph1handle) chain;
 #ifdef ENABLE_HYBRID
 	struct isakmp_cfg_state *mode_cfg;	/* ISAKMP mode config state */
-#endif       
+#endif
 	EVT_LISTENER_LIST(evt_listeners);
 };
@ -449,7 +449,7 @@ struct ph1dump {
 	struct sockaddr_storage remote;
 	struct sockaddr_storage local;
 	u_int8_t version;
-	u_int8_t etype;	
+	u_int8_t etype;
 	time_t created;
 	int ph2cnt;
 };
@ -468,7 +468,7 @@ extern int enumph1 __P((struct ph1selector *ph1sel,
 #define GETPH1_F_ESTABLISHED		0x0001
-extern struct ph1handle *getph1 __P((struct remoteconf *rmconf,
+extern struct ph1handle *getph1 __P((struct ph1handle *ph1hint,
 				     struct sockaddr *local,
 				     struct sockaddr *remote,
 				     int flags));
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp.c
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp.c
@ -1,11 +1,11 @@
-/*	$NetBSD: isakmp.c,v 1.59 2009/09/01 09:24:21 tteras Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.60 2009/09/03 09:29:07 tteras Exp $	*/
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
- * 
+ *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@ -17,7 +17,7 @@
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
- * 
+ *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@ -176,7 +176,7 @@ static int (*ph2exchange[][2][PHASE2ST_MAX])
 };
 static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */
- 
+
 static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *));
 static int ph1_main __P((struct ph1handle *, vchar_t *));
 static int quick_main __P((struct ph2handle *, vchar_t *));
@ -190,7 +190,7 @@ static int isakmp_ph1resend __P((struct ph1handle *));
 static int isakmp_ph2resend __P((struct ph2handle *));
 #ifdef ENABLE_FRAG
-static int frag_handler(struct ph1handle *, 
+static int frag_handler(struct ph1handle *,
    vchar_t *, struct sockaddr *, struct sockaddr *);
 #endif
@ -259,16 +259,16 @@ isakmp_handler(ctx, so_isakmp)
 			extralen += sizeof(x.lbuf.udp) + x.lbuf.ip.ip_hl;
 		}
 #endif
-	}	
+	}
 #ifdef ENABLE_NATT
-	/* we don't know about portchange yet, 
+	/* we don't know about portchange yet,
 	   look for non-esp marker instead */
 	if (x.non_esp[0] == 0 && x.non_esp[1] != 0)
 		extralen = NON_ESP_MARKER_LEN;
 #endif
-	/* now we know if there is an extra non-esp 
+	/* now we know if there is an extra non-esp
 	   marker at the beginning or not */
 	memcpy ((char *)&isakmp, x.buf + extralen, sizeof (isakmp));
@ -309,7 +309,7 @@ isakmp_handler(ctx, so_isakmp)
 		if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
 			    0, (struct sockaddr *)&remote, &remote_len)) < 0) {
 			plog(LLV_ERROR, LOCATION, NULL,
-				"failed to receive isakmp packet: %s\n", 
+				"failed to receive isakmp packet: %s\n",
 				strerror (errno));
 		}
 		goto end;
@ -332,11 +332,11 @@ isakmp_handler(ctx, so_isakmp)
 			(len - extralen));
 		goto end;
 	}
-	
+
 	memcpy (buf->v, tmpbuf->v + extralen, buf->l);
 	len -= extralen;
-	
+
 	if (len != buf->l) {
 		plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
 			"received invalid length (%d != %zu), why ?\n",
@ -347,7 +347,7 @@ isakmp_handler(ctx, so_isakmp)
 	plog(LLV_DEBUG, LOCATION, NULL, "===\n");
 	plog(LLV_DEBUG, LOCATION, NULL,
 		"%d bytes message received %s\n",
-		len, saddr2str_fromto("from %s to %s", 
+		len, saddr2str_fromto("from %s to %s",
 			(struct sockaddr *)&remote,
 			(struct sockaddr *)&local));
 	plogdump(LLV_DEBUG, buf->v, buf->l);
@ -496,12 +496,12 @@ isakmp_main(msg, remote, local)
 			}
 			/* set the flag to prevent further port floating
-			   (FIXME: should we allow it? E.g. when the NAT gw 
+			   (FIXME: should we allow it? E.g. when the NAT gw
 			    is rebooted?) */
 			iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER;
-			
+
 			/* print some neat info */
-			plog (LLV_INFO, LOCATION, NULL, 
+			plog (LLV_INFO, LOCATION, NULL,
 			      "NAT-T: ports changed to: %s\n",
 			      saddr2str_fromto ("%s<->%s", iph1->remote, iph1->local));
@ -668,7 +668,7 @@ isakmp_main(msg, remote, local)
 			return -1;
 		}
 #ifdef ENABLE_HYBRID
-		/* Reinit the IVM if it's still there */		
+		/* Reinit the IVM if it's still there */
 		if (iph1->mode_cfg && iph1->mode_cfg->ivm) {
 			oakley_delivm(iph1->mode_cfg->ivm);
 			iph1->mode_cfg->ivm = NULL;
@ -753,7 +753,7 @@ isakmp_main(msg, remote, local)
 		isakmp_cfg_r(iph1, msg);
 		break;
-#endif	 
+#endif
 	case ISAKMP_ETYPE_NONE:
 	default:
@ -822,7 +822,7 @@ ph1_main(iph1, msg)
 	/* free resend buffer */
 	if (iph1->sendbuf == NULL) {
 		plog(LLV_ERROR, LOCATION, NULL,
-			"no buffer found as sendbuf\n"); 
+			"no buffer found as sendbuf\n");
 		return -1;
 	}
 #endif
@ -925,13 +925,13 @@ ph1_main(iph1, msg)
 		log_ph1established(iph1);
 		plog(LLV_DEBUG, LOCATION, NULL, "===\n");
-		/* 
+		/*
 		 * SA up shell script hook: do it now,except if
 		 * ISAKMP mode config was requested. In the later
 		 * case it is done when we receive the configuration.
 		 */
 		if ((iph1->status == PHASE1ST_ESTABLISHED) &&
-		    !iph1->rmconf->mode_cfg) { 
+		    !iph1->rmconf->mode_cfg) {
 			switch (iph1->approval->authmethod) {
 #ifdef ENABLE_HYBRID
 			case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
@ -1004,7 +1004,7 @@ quick_main(iph2, msg)
 	/* free resend buffer */
 	if (iph2->sendbuf == NULL) {
 		plog(LLV_ERROR, LOCATION, NULL,
-			"no buffer found as sendbuf\n"); 
+			"no buffer found as sendbuf\n");
 		return -1;
 	}
 	VPTRINIT(iph2->sendbuf);
@ -1754,23 +1754,23 @@ isakmp_send(iph1, sbuf)
 		extralen = 0;
 #ifdef ENABLE_FRAG
-	/* 
+	/*
 	 * Do not add the non ESP marker for a packet that will
-	 * be fragmented. The non ESP marker should appear in 
+	 * be fragmented. The non ESP marker should appear in
 	 * all fragment's packets, but not in the fragmented packet
 	 */
-	if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) 
+	if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN)
 		extralen = 0;
 #endif
 	if (extralen)
 		plog (LLV_DEBUG, LOCATION, NULL, "Adding NON-ESP marker\n");
-	/* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker) 
+	/* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker)
-	   must added just before the packet itself. For this we must 
+	   must added just before the packet itself. For this we must
 	   allocate a new buffer and release it at the end. */
 	if (extralen) {
 		if ((vbuf = vmalloc (sbuf->l + extralen)) == NULL) {
-			plog(LLV_ERROR, LOCATION, NULL, 
+			plog(LLV_ERROR, LOCATION, NULL,
 			    "vbuf allocation failed\n");
 			return -1;
 		}
@ -1791,17 +1791,17 @@ isakmp_send(iph1, sbuf)
 	if (s == -1)
 		return -1;
-	plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l, 
+	plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l,
 	      saddr2str_fromto("from %s to %s", iph1->local, iph1->remote));
 #ifdef ENABLE_FRAG
 	if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) {
 		if (isakmp_sendfrags(iph1, sbuf) == -1) {
-			plog(LLV_ERROR, LOCATION, NULL, 
+			plog(LLV_ERROR, LOCATION, NULL,
 			    "isakmp_sendfrags failed\n");
 			return -1;
 		}
-	} else 
+	} else
 #endif
 	{
 		len = sendfromto(s, sbuf->v, sbuf->l,
@ -1812,7 +1812,7 @@ isakmp_send(iph1, sbuf)
 			return -1;
 		}
 	}
-	
+
 	return 0;
 }
@ -1959,7 +1959,7 @@ isakmp_ph1dying(iph1)
 	iph1->status = PHASE1ST_DYING;
 	/* Any fresh phase1s? */
-	new_iph1 = getph1(iph1->rmconf, iph1->local, iph1->remote, 1);
+	new_iph1 = getph1(iph1, iph1->local, iph1->remote, 1);
 	if (new_iph1 == NULL) {
 		LIST_FOREACH(p, &iph1->ph2tree, ph1bind) {
 			if (p->status != PHASE2ST_ESTABLISHED)
@ -2036,7 +2036,7 @@ isakmp_ph1delete(iph1)
 	char *src, *dst;
 	/* Migrate established phase2s. Any fresh phase1s? */
-	new_iph1 = getph1byaddr(iph1->local, iph1->remote, 1);
+	new_iph1 = getph1(iph1, iph1->local, iph1->remote, 1);
 	if (new_iph1 != NULL)
 		migrate_ph12(iph1, new_iph1);
@ -2143,12 +2143,13 @@ isakmp_ph2delete(iph2)
 * if phase1 has been finished, begin phase2.
 */
 int
-isakmp_post_acquire(iph2)
+isakmp_post_acquire(iph2, iph1hint)
 	struct ph2handle *iph2;
 	struct ph1handle *iph1hint;
 {
 	struct remoteconf *rmconf;
 	struct ph1handle *iph1 = NULL;
-	
+
 	plog(LLV_DEBUG, LOCATION, NULL, "in post_acquire\n");
 	/* Search appropriate configuration with masking port. Note that
@ -2159,12 +2160,17 @@ isakmp_post_acquire(iph2)
 	 * address of a mobile node (not a CoA provided by MIGRATE/KMADDRESS
 	 * as iph2->dst hint). This scenario would require additional changes,
 	 * so no need to bother yet. --arno */
-	rmconf = getrmconf(iph2->dst, GETRMCONF_F_NO_PASSIVE);
+
-	if (rmconf == NULL) {
+	if (iph1hint == NULL || iph1hint->rmconf == NULL) {
-		plog(LLV_ERROR, LOCATION, NULL,
+		rmconf = getrmconf(iph2->dst, GETRMCONF_F_NO_PASSIVE);
-			"no configuration found for %s.\n",
+		if (rmconf == NULL) {
-			saddrwop2str(iph2->dst));
+			plog(LLV_ERROR, LOCATION, NULL,
-		return -1;
+				"no configuration found for %s.\n",
 				saddrwop2str(iph2->dst));
 			return -1;
 		}
 	} else {
 		rmconf = iph1hint->rmconf;
 	}
 	/* if passive mode, ignore the acquire message */
@ -2181,7 +2187,7 @@ isakmp_post_acquire(iph2)
 	 * some cases, we should use the ISAKMP identity to search
 	 * matching ISAKMP.
 	 */
-	iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
+	iph1 = getph1(iph1hint, iph2->src, iph2->dst, 0);
 	/* no ISAKMP-SA found. */
 	if (iph1 == NULL) {
@ -2978,7 +2984,7 @@ log_ph1established(iph1)
 		"ISAKMP-SA established %s-%s spi:%s\n",
 		src, dst,
 		isakmp_pindex(&iph1->index, 0));
-	
+
 	evt_phase1(iph1, EVT_PHASE1_UP, NULL);
 	if(!iph1->rmconf->mode_cfg)
 		evt_phase1(iph1, EVT_PHASE1_MODE_CFG, NULL);
@ -3011,7 +3017,7 @@ isakmp_plist_append_full (struct payload_list *plist, vchar_t *payload,
 	return plist;
 }
-vchar_t * 
+vchar_t *
 isakmp_plist_set_all (struct payload_list **plist, struct ph1handle *iph1)
 {
 	struct payload_list *ptr = *plist, *first;
@ -3022,7 +3028,7 @@ isakmp_plist_set_all (struct payload_list **plist, struct ph1handle *iph1)
 	/* Seek to the first item.  */
 	while (ptr->prev) ptr = ptr->prev;
 	first = ptr;
-	
+
 	/* Compute the whole length.  */
 	while (ptr) {
 		tlen += ptr->payload->l + sizeof (struct isakmp_gen);
@ -3064,7 +3070,7 @@ end:
 }
 #ifdef ENABLE_FRAG
-int 
+int
 frag_handler(iph1, msg, remote, local)
 	struct ph1handle *iph1;
 	vchar_t *msg;
@ -3075,7 +3081,7 @@ frag_handler(iph1, msg, remote, local)
 	if (isakmp_frag_extract(iph1, msg) == 1) {
 		if ((newmsg = isakmp_frag_reassembly(iph1)) == NULL) {
-			plog(LLV_ERROR, LOCATION, remote, 
+			plog(LLV_ERROR, LOCATION, remote,
 			    "Packet reassembly failed\n");
 			return -1;
 		}
@ -3212,7 +3218,7 @@ script_exec(script, name, envp)
 	argv[1] = script_names[name];
 	argv[2] = NULL;
-	switch (fork()) { 
+	switch (fork()) {
 	case 0:
 		execve(argv[0], argv, envp);
 		plog(LLV_ERROR, LOCATION, NULL,
@ -3227,7 +3233,7 @@ script_exec(script, name, envp)
 		break;
 	default:
 		break;
-	}	
+	}
 	return 0;
 }
@ -3253,7 +3259,7 @@ purge_remote(iph1)
 	iph1->status = PHASE1ST_EXPIRED;
 	/* Check if we have another, still valid, phase1 SA. */
-	new_iph1 = getph1byaddr(iph1->local, iph1->remote, 1);
+	new_iph1 = getph1(iph1, iph1->local, iph1->remote, GETPH1_F_ESTABLISHED);
 	/*
 	 * Delete all orphaned or binded to the deleting ph1handle phase2 SAs.
@ -3329,7 +3335,7 @@ purge_remote(iph1)
 					ntohl(sa->sadb_sa_spi));
 			}else{
-				/* 
+				/*
 				 * If we have a new ph1, do not purge IPsec-SAs binded
 				 *  to a different ISAKMP-SA
 				 */
@ -3341,7 +3347,7 @@ purge_remote(iph1)
 				/* If the ph2handle is established, do not purge IPsec-SA */
 				if (iph2->status == PHASE2ST_ESTABLISHED ||
 					iph2->status == PHASE2ST_EXPIRED) {
-					
+
 					plog(LLV_INFO, LOCATION, NULL,
 						 "keeping IPsec-SA spi=%u - found valid ISAKMP-SA spi=%s.\n",
 						 ntohl(sa->sadb_sa_spi),
@ -3352,7 +3358,7 @@ purge_remote(iph1)
 			}
 		}
-		
+
 		pfkey_send_delete(lcconf->sock_pfkey,
 				  msg->sadb_msg_satype,
 				  IPSEC_MODE_ANY,
@ -3383,7 +3389,7 @@ purge_remote(iph1)
 	sched_schedule(&iph1->sce, 1, isakmp_ph1delete_stub);
 }
-void 
+void
 delete_spd(iph2, created)
 	struct ph2handle *iph2;
 	u_int64_t created;
@ -3409,22 +3415,22 @@ delete_spd(iph2, created)
 	plog(LLV_INFO, LOCATION, NULL,
 		 "generated policy, deleting it.\n");
-		
+
 	memset(&spidx, 0, sizeof(spidx));
 	iph2->spidx_gen = (caddr_t )&spidx;
-		
+
 	/* make inbound policy */
 	iph2->src = dst;
 	iph2->dst = src;
 	spidx.dir = IPSEC_DIR_INBOUND;
 	spidx.ul_proto = 0;
-		
+
-	/* 
+	/*
 	 * Note: code from get_proposal_r
 	 */
-		
+
 #define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type
-		
+
 	/*
 	 * make destination address in spidx from either ID payload
 	 * or phase 1 address into a address in spidx.
@ -3440,48 +3446,48 @@ delete_spd(iph2, created)
 									 &spidx.prefd, &spidx.ul_proto);
 		if (error)
 			goto purge;
-			
+
 #ifdef INET6
 		/*
 		 * get scopeid from the SA address.
 		 * note that the phase 1 source address is used as
-		 * a destination address to search for a inbound 
+		 * a destination address to search for a inbound
 		 * policy entry because rcoon is responder.
 		 */
 		if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
-			if ((error = 
+			if ((error =
 				 setscopeid((struct sockaddr *)&spidx.dst,
 							iph2->src)) != 0)
 				goto purge;
 		}
 #endif
-			
+
 		if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
 			|| _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR)
 			idi2type = _XIDT(iph2->id);
-			
+
 	} else {
-			
+
 		plog(LLV_DEBUG, LOCATION, NULL,
 			 "get a destination address of SP index "
 			 "from phase1 address "
 			 "due to no ID payloads found "
 			 "OR because ID type is not address.\n");
-			
+
 		/*
-		 * copy the SOURCE address of IKE into the 
+		 * copy the SOURCE address of IKE into the
-		 * DESTINATION address of the key to search the 
+		 * DESTINATION address of the key to search the
 		 * SPD because the direction of policy is inbound.
 		 */
 		memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src));
 		switch (spidx.dst.ss_family) {
 		case AF_INET:
-			spidx.prefd = 
+			spidx.prefd =
 				sizeof(struct in_addr) << 3;
 			break;
 #ifdef INET6
 		case AF_INET6:
-			spidx.prefd = 
+			spidx.prefd =
 				sizeof(struct in6_addr) << 3;
 			break;
 #endif
@ -3490,7 +3496,7 @@ delete_spd(iph2, created)
 			break;
 		}
 	}
-					
+
 	/* make source address in spidx */
 	if (iph2->id_p != NULL
 		&& (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR
@ -3510,7 +3516,7 @@ delete_spd(iph2, created)
 		 * for more detail, see above of this function.
 		 */
 		if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
-			error = 
+			error =
 				setscopeid((struct sockaddr *)&spidx.src,
 						   iph2->dst);
 			if (error)
@ -3548,12 +3554,12 @@ delete_spd(iph2, created)
 		memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst));
 		switch (spidx.src.ss_family) {
 		case AF_INET:
-			spidx.prefs = 
+			spidx.prefs =
 				sizeof(struct in_addr) << 3;
 			break;
 #ifdef INET6
 		case AF_INET6:
-			spidx.prefs = 
+			spidx.prefs =
 				sizeof(struct in6_addr) << 3;
 			break;
 #endif
@ -3584,14 +3590,14 @@ delete_spd(iph2, created)
 		spidx.ul_proto = IPSEC_ULPROTO_ANY;
 #undef _XIDT
-	
+
 	/* Check if the generated SPD has the same timestamp as the SA.
 	 * If timestamps are different, this means that the SPD entry has been
 	 * refreshed by another SA, and should NOT be deleted with the current SA.
 	 */
 	if( created ){
 		struct secpolicy *p;
-		
+
 		p = getsp(&spidx);
 		if(p != NULL){
 			/* just do no test if p is NULL, because this probably just means
@ -3656,7 +3662,7 @@ setscopeid(sp_addr0, sa_addr0)
 	struct sockaddr *sp_addr0, *sa_addr0;
 {
 	struct sockaddr_in6 *sp_addr, *sa_addr;
-    
+
 	sp_addr = (struct sockaddr_in6 *)sp_addr0;
 	sa_addr = (struct sockaddr_in6 *)sa_addr0;
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h
@ -1,11 +1,11 @@
-/*	$NetBSD: isakmp_var.h,v 1.15 2009/04/20 13:24:36 tteras Exp $	*/
+/*	$NetBSD: isakmp_var.h,v 1.16 2009/09/03 09:29:07 tteras Exp $	*/
 /* Id: isakmp_var.h,v 1.12 2005/05/07 14:45:31 manubsd Exp */
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
- * 
+ *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@ -17,7 +17,7 @@
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
- * 
+ *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@ -87,7 +87,7 @@ extern void isakmp_ph2delete_stub __P((struct sched *));
 extern void isakmp_ph2delete __P((struct ph2handle *));
 extern int isakmp_get_sainfo __P((struct ph2handle *, struct secpolicy *, struct secpolicy *));
-extern int isakmp_post_acquire __P((struct ph2handle *));
+extern int isakmp_post_acquire __P((struct ph2handle *, struct ph1handle *));
 extern int isakmp_post_getspi __P((struct ph2handle *));
 extern void isakmp_chkph1there_stub __P((struct sched *));
 extern void isakmp_chkph1there __P((struct ph2handle *));
@ -131,7 +131,7 @@ extern int copy_ph1addresses __P(( struct ph1handle *,
 	struct remoteconf *, struct sockaddr *, struct sockaddr *));
 extern void log_ph1established __P((const struct ph1handle *));
-extern void script_hook __P((struct ph1handle *, int)); 
+extern void script_hook __P((struct ph1handle *, int));
 extern int script_env_append __P((char ***, int *, char *, char *));
 extern int script_exec __P((char *, int, char * const *));
--- a/crypto/dist/ipsec-tools/src/racoon/pfkey.c
+++ b/crypto/dist/ipsec-tools/src/racoon/pfkey.c
@ -1,11 +1,11 @@
-/*	$NetBSD: pfkey.c,v 1.50 2009/08/10 08:22:13 tteras Exp $	*/
+/*	$NetBSD: pfkey.c,v 1.51 2009/09/03 09:29:07 tteras Exp $	*/
-/* $Id: pfkey.c,v 1.50 2009/08/10 08:22:13 tteras Exp $ */
+/* $Id: pfkey.c,v 1.51 2009/09/03 09:29:07 tteras Exp $ */
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
- * 
+ *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@ -17,7 +17,7 @@
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
- * 
+ *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@ -173,7 +173,7 @@ static int addnewsp __P((caddr_t *, struct sockaddr *, struct sockaddr *));
 /* cope with old kame headers - ugly */
 #ifndef SADB_X_AALG_MD5
-#define SADB_X_AALG_MD5		SADB_AALG_MD5	
+#define SADB_X_AALG_MD5		SADB_AALG_MD5
 #endif
 #ifndef SADB_X_AALG_SHA
 #define SADB_X_AALG_SHA		SADB_AALG_SHA
@ -353,7 +353,7 @@ pfkey_dump_sadb(satype)
 			 "type %i, pid %i\n", msg->sadb_msg_type, msg->sadb_msg_pid);
 		    continue;
 		}
-		
+
 		ml = msg->sadb_msg_len << 3;
 		bl = buf ? buf->l : 0;
@ -839,7 +839,7 @@ pfkey_convertfromipsecdoi(proto_id, t_id, hashtype,
 			goto bad;
 		*a_keylen >>= 3;
-		if (t_id == IPSECDOI_ATTR_AUTH_HMAC_MD5 
+		if (t_id == IPSECDOI_ATTR_AUTH_HMAC_MD5
 		 && hashtype == IPSECDOI_ATTR_AUTH_KPDK) {
 			/* AH_MD5 + Auth(KPDK) = RFC1826 keyed-MD5 */
 			*a_type = SADB_X_AALG_MD5;
@ -919,7 +919,7 @@ pk_sendgetspi(iph2)
 		racoon_free(dst);
 		return -1;
 	}
-	
+
 	for (pr = pp->head; pr != NULL; pr = pr->next) {
 		/* validity check */
@ -991,7 +991,7 @@ pk_sendgetspi(iph2)
 * receive GETSPI from kernel.
 */
 static int
-pk_recvgetspi(mhp) 
+pk_recvgetspi(mhp)
 	caddr_t *mhp;
 {
 	struct sadb_msg *msg;
@ -1111,7 +1111,7 @@ pk_sendupdate(iph2)
 		sa_args.l_addtime = iph2->lifetime_secs;
 	else
 		sa_args.l_addtime = iph2->approval->lifetime;
-	sa_args.seq = iph2->seq; 
+	sa_args.seq = iph2->seq;
 	sa_args.wsize = 4;
 	if (iph2->sa_src && iph2->sa_dst) {
@ -1163,7 +1163,7 @@ pk_sendupdate(iph2)
 				pr->head->trns_id,
 				pr->head->authtype,
 				&sa_args.e_type, &sa_args.e_keylen,
-				&sa_args.a_type, &sa_args.a_keylen, 
+				&sa_args.a_type, &sa_args.a_keylen,
 				&sa_args.flags) < 0){
 			racoon_free(sa_args.src);
 			racoon_free(sa_args.dst);
@ -1221,11 +1221,11 @@ pk_sendupdate(iph2)
 		 * But it is impossible because there is not key in the
 		 * information from the kernel.
 		 */
-		
+
 		/* change some things before backing up */
 		sa_args.wsize = 4;
 		sa_args.l_bytes = iph2->approval->lifebyte * 1024;
-		
+
 		if (backupsa_to_file(&sa_args) < 0) {
 			plog(LLV_ERROR, LOCATION, NULL,
 				"backuped SA failed: %s\n",
@ -1447,7 +1447,7 @@ pk_sendadd(iph2)
 				pr->head->trns_id,
 				pr->head->authtype,
 				&sa_args.e_type, &sa_args.e_keylen,
-				&sa_args.a_type, &sa_args.a_keylen, 
+				&sa_args.a_type, &sa_args.a_keylen,
 				&sa_args.flags) < 0){
 			racoon_free(sa_args.src);
 			racoon_free(sa_args.dst);
@ -1668,11 +1668,12 @@ pk_recvexpire(mhp)
 		     " being negotiated. Stopping negotiation.\n");
 	}
-	/* turn off the timer for calling isakmp_ph2expire() */ 
+	/* turn off the timer for calling isakmp_ph2expire() */
 	sched_cancel(&iph2->sce);
 	if (iph2->status == PHASE2ST_ESTABLISHED &&
 	    iph2->side == INITIATOR) {
 		struct ph1handle *iph1hint;
 		/*
 		 * Active phase 2 expired and we were initiator.
 		 * Begin new phase 2 exchange, so we can keep on sending
@ -1680,11 +1681,12 @@ pk_recvexpire(mhp)
 		 */
 		/* update status for re-use */
 		iph1hint = iph2->ph1;
 		initph2(iph2);
 		iph2->status = PHASE2ST_STATUS2;
 		/* start quick exchange */
-		if (isakmp_post_acquire(iph2) < 0) {
+		if (isakmp_post_acquire(iph2, iph1hint) < 0) {
 			plog(LLV_ERROR, LOCATION, iph2->dst,
 				"failed to begin ipsec sa "
 				"re-negotication.\n");
@ -1750,7 +1752,7 @@ pk_recvacquire(mhp)
 	if (m_sec_ctx != NULL) {
 		plog(LLV_INFO, LOCATION, NULL, "security context doi: %u\n",
 		     m_sec_ctx->sadb_x_ctx_doi);
-		plog(LLV_INFO, LOCATION, NULL, 
+		plog(LLV_INFO, LOCATION, NULL,
 		     "security context algorithm: %u\n",
 		     m_sec_ctx->sadb_x_ctx_alg);
 		plog(LLV_INFO, LOCATION, NULL, "security context length: %u\n",
@ -1960,7 +1962,7 @@ pk_recvacquire(mhp)
 	/* start isakmp initiation by using ident exchange */
 	/* XXX should be looped if there are multiple phase 2 handler. */
-	if (isakmp_post_acquire(iph2) < 0) {
+	if (isakmp_post_acquire(iph2, NULL) < 0) {
 		plog(LLV_ERROR, LOCATION, NULL,
 			"failed to begin ipsec sa negotication.\n");
 		remph2(iph2);
@ -2145,7 +2147,7 @@ getsadbpolicy(policy0, policylen0, type, iph2)
 		p->sadb_x_ctx_len = spidx->sec_ctx.ctx_strlen;
 		p->sadb_x_ctx_doi = spidx->sec_ctx.ctx_doi;
 		p->sadb_x_ctx_alg = spidx->sec_ctx.ctx_alg;
- 
+
 		memcpy(p + 1,spidx->sec_ctx.ctx_str,spidx->sec_ctx.ctx_strlen);
 		len += ctxlen;
 	}
@ -2184,7 +2186,7 @@ getsadbpolicy(policy0, policylen0, type, iph2)
 			goto err;
 		}
-		/* 
+		/*
 		 * the policy level cannot be unique because the policy
 		 * is defined later than SA, so req_id cannot be bound to SA.
 		 */
@ -2217,7 +2219,7 @@ getsadbpolicy(policy0, policylen0, type, iph2)
 		xisr->sadb_x_ipsecrequest_len = PFKEY_ALIGN8(xisrlen);
 		xisr = (struct sadb_x_ipsecrequest *)p;
-		
+
 	}
 	racoon_free(pr_rlist);
@ -3070,6 +3072,8 @@ migrate_ph2_sa_addresses(iph2, args)
 			rmconf = getrmconf(iph2->dst, 0);
 		if (rmconf && !rmconf->passive) {
 			struct ph1handle *iph1hint;
 			plog(LLV_WARNING, LOCATION, iph2->dst, "MIGRATE received "
 			     "*during* IPsec SA negotiation. As initiator, "
 			     "restarting it.\n");
@ -3079,11 +3083,12 @@ migrate_ph2_sa_addresses(iph2, args)
 			iph2->status = PHASE2ST_EXPIRED;
 			/* ... clean Phase 2 handle ... */
 			iph1hint = iph2->ph1;
 			initph2(iph2);
 			iph2->status = PHASE2ST_STATUS2;
 			/* and start a new negotiation */
-			if (isakmp_post_acquire(iph2) < 0) {
+			if (isakmp_post_acquire(iph2, iph1hint) < 0) {
 				plog(LLV_ERROR, LOCATION, iph2->dst, "failed "
 				     "to begin IPsec SA renegotiation after "
 				     "MIGRATE reception.\n");