From 939a5bdbb6af2989cb36d9fd86c09fca9cb2797f Mon Sep 17 00:00:00 2001
From: tteras
Date: Fri, 12 Nov 2010 10:36:37 +0000
Subject: [PATCH] isakmp_post_acquire is now called from admin commands too, add a flag so admin commands can be used to establish even passive links on demand.
---
 crypto/dist/ipsec-tools/src/racoon/admin.c | 4 ++--
 crypto/dist/ipsec-tools/src/racoon/isakmp.c | 9 +++++----
 crypto/dist/ipsec-tools/src/racoon/isakmp_var.h | 4 ++--
 crypto/dist/ipsec-tools/src/racoon/pfkey.c | 10 +++++-----
 4 files changed, 14 insertions(+), 13 deletions(-)
diff --git a/crypto/dist/ipsec-tools/src/racoon/admin.c b/crypto/dist/ipsec-tools/src/racoon/admin.c
index 537febb554f7..c7b53ab9873c 100644
--- a/crypto/dist/ipsec-tools/src/racoon/admin.c
+++ b/crypto/dist/ipsec-tools/src/racoon/admin.c
@@ -1,4 +1,4 @@
-/* $NetBSD: admin.c,v 1.36 2010/11/12 09:08:26 tteras Exp $ */
+/* $NetBSD: admin.c,v 1.37 2010/11/12 10:36:37 tteras Exp $ */
 /* Id: admin.c,v 1.25 2006/04/06 14:31:04 manubsd Exp */
@@ -577,7 +577,7 @@ admin_process(so2, combuf)
 }
 insph2(iph2);
- if (isakmp_post_acquire(iph2, NULL) < 0) {
+ if (isakmp_post_acquire(iph2, NULL, FALSE) < 0) {
 remph2(iph2);
 delph2(iph2);
 break;
diff --git a/crypto/dist/ipsec-tools/src/racoon/isakmp.c b/crypto/dist/ipsec-tools/src/racoon/isakmp.c
index 508f614a10f5..690b76b5e2c7 100644
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp.c
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp.c
@@ -1,4 +1,4 @@
-/* $NetBSD: isakmp.c,v 1.64 2010/11/12 09:11:37 tteras Exp $ */
+/* $NetBSD: isakmp.c,v 1.65 2010/11/12 10:36:37 tteras Exp $ */
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
@@ -2166,9 +2166,10 @@ isakmp_ph2delete(iph2)
 * if phase1 has been finished, begin phase2. */
 int
-isakmp_post_acquire(iph2, iph1hint)
+isakmp_post_acquire(iph2, iph1hint, nopassive)
 struct ph2handle *iph2;
 struct ph1handle *iph1hint;
+ int nopassive;
 {
 struct remoteconf *rmconf;
 struct ph1handle *iph1 = NULL;
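Review bot: In the admin.c hunk inside `admin_process`, the new third argument is a bare `FALSE`, which gives the reader no hint that this is the call that lets an admin request start negotiation toward a remote configured as passive. A short comment at the call, e.g. `/* nopassive = FALSE: admin request may initiate even if the remote is passive */`, would make the policy override visible at the place where it is granted. The same unexplained literal appears at the three pfkey.c call sites (`pk_recvexpire`, `pk_recvacquire`, `migrate_ph2_sa_addresses`). The enclosing case in `admin_process` starts and ends outside the hunk.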
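Review bot: The part of the header comment above `isakmp_post_acquire` that is visible in the isakmp.c hunk at -2166 is left unchanged and says nothing about the new `nopassive` argument, whose sense is easy to invert because a zero value is what permits initiation to passive remotes. I would add a line to that comment such as `nopassive: non-zero = skip and ignore remotes marked passive (kernel ACQUIRE); zero = caller may initiate to a passive remote`. The start of the comment and the rest of the function body lie outside the hunk.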
@@ -2185,7 +2186,7 @@ isakmp_post_acquire(iph2, iph1hint)
 * so no need to bother yet. --arno */
 if (iph1hint == NULL || iph1hint->rmconf == NULL) {
- rmconf = getrmconf(iph2->dst, GETRMCONF_F_NO_PASSIVE);
+ rmconf = getrmconf(iph2->dst, nopassive ? GETRMCONF_F_NO_PASSIVE : 0);
 if (rmconf == NULL) {
 plog(LLV_ERROR, LOCATION, NULL,
 "no configuration found for %s.\n",
@@ -2197,7 +2198,7 @@ isakmp_post_acquire(iph2, iph1hint)
 }
 /* if passive mode, ignore the acquire message */
- if (rmconf->passive) {
+ if (nopassive && rmconf->passive) {
 plog(LLV_DEBUG, LOCATION, NULL,
 "because of passive mode, "
 "ignore the acquire message for %s.\n",
diff --git a/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h b/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h
index 9bc68560c69b..09e4e7f2e053 100644
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h
@@ -1,4 +1,4 @@
-/* $NetBSD: isakmp_var.h,v 1.16 2009/09/03 09:29:07 tteras Exp $ */
+/* $NetBSD: isakmp_var.h,v 1.17 2010/11/12 10:36:37 tteras Exp $ */
 /* Id: isakmp_var.h,v 1.12 2005/05/07 14:45:31 manubsd Exp */
@@ -87,7 +87,7 @@ extern void isakmp_ph2delete_stub __P((struct sched *));
 extern void isakmp_ph2delete __P((struct ph2handle *));
 extern int isakmp_get_sainfo __P((struct ph2handle *, struct secpolicy *, struct secpolicy *));
-extern int isakmp_post_acquire __P((struct ph2handle *, struct ph1handle *));
+extern int isakmp_post_acquire __P((struct ph2handle *, struct ph1handle *, int));
 extern int isakmp_post_getspi __P((struct ph2handle *));
 extern void isakmp_chkph1there_stub __P((struct sched *));
 extern void isakmp_chkph1there __P((struct ph2handle *));
diff --git a/crypto/dist/ipsec-tools/src/racoon/pfkey.c b/crypto/dist/ipsec-tools/src/racoon/pfkey.c
index 7824cdc5dcea..d457f612740b 100644
--- a/crypto/dist/ipsec-tools/src/racoon/pfkey.c
+++ b/crypto/dist/ipsec-tools/src/racoon/pfkey.c
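Review bot: With `if (nopassive && rmconf->passive)` in the isakmp.c hunk at -2197, a call with `nopassive` zero proceeds against a remote marked passive without leaving any trace, while the refused case is logged. Because this overrides a configured policy, a log line on the override path would help when auditing why the daemon initiated to such a peer, for example `else if (rmconf->passive) plog(LLV_INFO, LOCATION, NULL, "initiating to passive remote on explicit request.\n");` following the existing block. The hunk at -2185 feeds the same flag into `getrmconf`, so passive configurations also become selectable there. The body of the `if` and the rest of the function are outside the hunk, so the exact placement needs checking against the full file.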
@@ -1,6 +1,6 @@
-/* $NetBSD: pfkey.c,v 1.53 2010/10/21 06:15:28 tteras Exp $ */
+/* $NetBSD: pfkey.c,v 1.54 2010/11/12 10:36:37 tteras Exp $ */
-/* $Id: pfkey.c,v 1.53 2010/10/21 06:15:28 tteras Exp $ */
+/* $Id: pfkey.c,v 1.54 2010/11/12 10:36:37 tteras Exp $ */
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -1686,7 +1686,7 @@ pk_recvexpire(mhp)
 iph2->status = PHASE2ST_STATUS2;
 /* start quick exchange */
- if (isakmp_post_acquire(iph2, iph1hint) < 0) {
+ if (isakmp_post_acquire(iph2, iph1hint, FALSE) < 0) {
 plog(LLV_ERROR, LOCATION, iph2->dst,
 "failed to begin ipsec sa "
 "re-negotication.\n");
@@ -1962,7 +1962,7 @@ pk_recvacquire(mhp)
 /* start isakmp initiation by using ident exchange */
 /* XXX should be looped if there are multiple phase 2 handler. */
- if (isakmp_post_acquire(iph2, NULL) < 0) {
+ if (isakmp_post_acquire(iph2, NULL, TRUE) < 0) {
 plog(LLV_ERROR, LOCATION, NULL,
 "failed to begin ipsec sa negotication.\n");
 remph2(iph2);
@@ -3088,7 +3088,7 @@ migrate_ph2_sa_addresses(iph2, args)
 iph2->status = PHASE2ST_STATUS2;
 /* and start a new negotiation */
- if (isakmp_post_acquire(iph2, iph1hint) < 0) {
+ if (isakmp_post_acquire(iph2, iph1hint, FALSE) < 0) {
 plog(LLV_ERROR, LOCATION, iph2->dst, "failed "
 "to begin IPsec SA renegotiation after "
 "MIGRATE reception.\n");
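Review bot: `pk_recvexpire` (pfkey.c hunk at -1686) and `migrate_ph2_sa_addresses` (hunk at -3088) pass `FALSE`, so re-negotiation on SA expiry and after MIGRATE is no longer skipped for remotes marked passive, although the commit message motivates the flag only by admin commands. If that is intended because an SA with the peer already exists, a comment such as `/* renegotiation of an existing SA: passive setting does not apply */` at both calls would record the decision; otherwise these two calls should pass `TRUE` as `pk_recvacquire` does. Whether the passive check was reached on these paths before this change depends on code outside the hunks, so this should be confirmed against the full functions.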