on phase 2 acquire, lookup phase 2 by (src, dst, policy id) so that

multiple SA can be used in transport mode

While I'm there, patch ipsec-tools ChangeLog to reflect the changes we
took from ipsec-tools-0_6-branch

crypto/dist/ipsec-tools/ChangeLog

@@ -1,3 +1,77 @@
+2005-05-03  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	From Patrick McHardy <kaber@trash.net>
+	* src/racoon/{pfkey.c|handler.h|hendler.c}: on phase 2 acquire,
+	  lookup phase 2 by (src, dst, policy id) so that multiple SA can
+	  be used in transport mode
+
+2005-04-26  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	From Larry Baird <lab@gta.com>
+	* src/racoon/nattraversal.c: Fix NAT-T initiator problem
+
+2005-04-25  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	* src/libipsec/{ipsec_dump_policy.c|pfkey_dump.c|libpfkey.h}:
+	  src/setkey/{setkey.8|setkey.c}: add a -p option to setkey to
+	  enable the display of ESP over UDP ports in policies.
+
+	* src/racoon/{isakmp.c|isakmp_cfg.c|isakmp_inf.c|pfkey.c}: don't
+	  forget port numbers so that mutiple clients behind the same NAT
+	  can work.
+
+	* src/racoon/ipsec_doi.c: fix LP64 bug
+
+	From Larry Baird <lab@gta.com>
+	* src/racoon/{isakmp.c|nattraversal.c|isakmp_quick.c|nattraversal.h}:
+	  NAT-T fixes for interoperability with greenbow VPN client.
+
+2005-04-19  Yvan Vanhullebus  <vanhu@free.fr>
+
+	* src/racoon/handler.h: added a flag to identify generated policies
+	* src/racoon/isakmp.c: changed logging in isakmp_ph1expire()
+	* src/racoon/isakmp_inf.c: use iph2->generated_spidx to check if
+	  policy have been generated in purge_remote_spi()
+	* src/racoon/isakmp_quick.c: sets iph2->generated_spidx for
+	  generated policies
+	* src/racoon/pfkey.c: reactivated the unbindph12() in pk_recvupdate()
+
+2005-04-18  Aidas Kasparas  <a.kasparas@gmc.lt>
+
+	* src/racoon/crypto_openssl.c: fixed single DES support;
+
+2005-04-18  Emmanuel Dreyfus  <manu@netbsd.org>
+
+	From Thomas Klausner <wiz@NetBSD.org>
+	* src/libipsec/{ipsec_set_policy.3|ipsec_strerror.3}
+	  src/racoon/{admin.c|plainrsa-gen.8|racoon.8|racoon.conf.5|racoonctl.8}
+	  src/racoon/samples/{racoon.conf.in|racoon.conf.sample}
+	  src/racoon/samples/racoon.conf.sample-gssapi
+	  src/racoon/samples/racoon.conf.sample-inherit
+	  src/racoon/samples/racoon.conf.sample-natt
+	  src/racoon/samples/racoon.conf.sample-plainrsa
+	  src/racoon/samples/roadwarrior/README
+	  src/racoon/samples/roadwarrior/server/phase1-down.sh
+	  src/setkey/setkey.8: docmumentation fixes
+
+	From KAME
+	* src/racoon/ipsec_doi.c: wrong check on SA lifebyte
+
+2005-04-10  Emmanuel Dreyfus <manu@netbsd.org>
+
+	* src/racoon/isakmp_agg.c: fix a memory leak when using hybrid auth
+	* src/libipsec/{pfkey.c|pfkey_dump.c}
+	  src/setkey/{token.l|parse.y|setkey.8}: missing bits for TCP_MD5
+	  support, from KAME
+
+2005-04-04  Emmanuel Dreyfus <manu@netbsd.org>
+
+	* src/racoon/isakmp_cfg.c: fix a buffer overrun in mode config SET
+
+---------------------------------------------
+
+	0.6b1 released
+
 2005-03-16  Emmanuel Dreyfus <manu@netbsd.org>
 
 	* src/racoon/{cftoken.l|localconf.h|privsep.c|racoon.conf.5}

crypto/dist/ipsec-tools/src/racoon/handler.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.c,v 1.1.1.2 2005/02/23 14:54:15 manu Exp $	*/
+/*	$NetBSD: handler.c,v 1.2 2005/05/03 21:08:47 manu Exp $	*/
 
 /* Id: handler.c,v 1.13 2004/11/21 19:36:26 manubsd Exp */
 
@@ -433,6 +433,23 @@ getph2bymsgid(iph1, msgid)
 	return NULL;
 }
 
+struct ph2handle *
+getph2byid(src, dst, spid)
+	struct sockaddr *src, *dst;
+	u_int32_t spid;
+{
+	struct ph2handle *p;
+
+	LIST_FOREACH(p, &ph2tree, chain) {
+		if (spid == p->spid &&
+		    cmpsaddrwop(src, p->src) == 0 &&
+		    cmpsaddrwop(dst, p->dst) == 0)
+			return p;
+	}
+
+	return NULL;
+}
+
 /*
  * call by pk_recvexpire().
  */

crypto/dist/ipsec-tools/src/racoon/handler.h

@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.h,v 1.2 2005/04/19 19:42:09 manu Exp $	*/
+/*	$NetBSD: handler.h,v 1.3 2005/05/03 21:08:47 manu Exp $	*/
 
 /* Id: handler.h,v 1.11 2004/11/16 15:44:46 ludvigm Exp */
 
@@ -436,6 +436,8 @@ extern struct ph2handle *getph2byspidx __P((struct policyindex *));
 extern struct ph2handle *getph2byspid __P((u_int32_t));
 extern struct ph2handle *getph2byseq __P((u_int32_t));
 extern struct ph2handle *getph2bymsgid __P((struct ph1handle *, u_int32_t));
+extern struct ph2handle *getph2byid __P((struct sockaddr *,
+	struct sockaddr *, u_int32_t));
 extern struct ph2handle *getph2bysaidx __P((struct sockaddr *,
 	struct sockaddr *, u_int, u_int32_t));
 extern struct ph2handle *newph2 __P((void));

crypto/dist/ipsec-tools/src/racoon/pfkey.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: pfkey.c,v 1.3 2005/04/27 05:19:50 manu Exp $	*/
+/*	$NetBSD: pfkey.c,v 1.4 2005/05/03 21:08:47 manu Exp $	*/
 
 /* Id: pfkey.c,v 1.31.2.1 2005/02/18 10:01:40 vanhu Exp */
 
@@ -1613,6 +1613,7 @@ pk_recvacquire(mhp)
 	struct secpolicy *sp_out = NULL, *sp_in = NULL;
 #define MAXNESTEDSA	5	/* XXX */
 	struct ph2handle *iph2[MAXNESTEDSA];
+	struct sockaddr *src, *dst;
 	int n;	/* # of phase 2 handler */
 
 	/* ignore this message because of local test mode. */
@@ -1630,6 +1631,8 @@ pk_recvacquire(mhp)
 	}
 	msg = (struct sadb_msg *)mhp[0];
 	xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
+	src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
+	dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
 
 	/* ignore if type is not IPSEC_POLICY_IPSEC */
 	if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
@@ -1694,7 +1697,7 @@ pk_recvacquire(mhp)
 	 *       has to prcesss such a acquire message because racoon may
 	 *       lost the expire message.
 	 */
-	iph2[0] = getph2byspid(xpl->sadb_x_policy_id);
+	iph2[0] = getph2byid(src, dst, xpl->sadb_x_policy_id);
 	if (iph2[0] != NULL) {
 		if (iph2[0]->status < PHASE2ST_ESTABLISHED) {
 			plog(LLV_DEBUG, LOCATION, NULL,

lib/libipsec/package_version.h

@@ -1,5 +1,5 @@
 #define TOP_PACKAGE "ipsec-tools"
 #define TOP_PACKAGE_NAME "ipsec-tools"
-#define TOP_PACKAGE_VERSION  "0.6-nb20050426"
-#define TOP_PACKAGE_STRING  "ipsec-tools 0.6-nb20050426"
+#define TOP_PACKAGE_VERSION  "0.6-nb200500503"
+#define TOP_PACKAGE_STRING  "ipsec-tools 0.6-nb20050503"
 #define TOP_PACKAGE_URL "http://ipsec-tools.sourceforge.net"