


Revision 220061 - (show annotations) (download)
Tue Mar 6 10:05:03 2012 UTC (12 years, 1 month ago) by tmb
File size: 13149 byte(s)
- rediff patches: P0, P1, P3, P103, P104, P111
- drop merged patches: P2, P105, P106, P109, P110, P113


1 diff -Nurp ipsec-tools-0.8.0-p103/configure.ac ipsec-tools-0.8.0-p104/configure.ac
2 --- ipsec-tools-0.8.0-p103/configure.ac 2011-03-18 15:25:12.000000000 +0200
3 +++ ipsec-tools-0.8.0-p104/configure.ac 2012-03-06 11:42:51.125378167 +0200
4 @@ -794,6 +794,27 @@ AC_TRY_COMPILE(
5 AC_MSG_RESULT(yes)],
6 [AC_MSG_RESULT(no)])
7
8 +AC_MSG_CHECKING(whether to support Auditing)
9 +AC_ARG_ENABLE(audit,
10 + [ --enable-audit build audit daemon support for SELinux],
11 + enable_audit=$enableval,enable_audit=auto)
12 +
13 +AC_MSG_RESULT($enable_audit)
14 +
15 +# libaudit detection
16 +if test x$enable_audit = xno ; then
17 + have_libaudit=no;
18 +else
19 + AC_CHECK_LIB(audit, audit_log_user_avc_message,
20 + have_libaudit=yes, have_libaudit=no)
21 +fi
22 +AM_CONDITIONAL(HAVE_LIBAUDIT, test x$have_libaudit = xyes)
23 +if test x$have_libaudit = xyes ; then
24 + AUDIT_LIBS="-laudit"
25 + AC_DEFINE(HAVE_LIBAUDIT,1,[audit daemon SELinux support])
26 +fi
27 +AC_SUBST(AUDIT_LIBS)
28 +
29 CFLAGS="$CFLAGS $CFLAGS_ADD"
30 CPPFLAGS="$CPPFLAGS $CPPFLAGS_ADD"
31
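Review bot: An explicit `--enable-audit` that finds no libaudit is silently downgraded to a build without audit, because the `AC_CHECK_LIB(audit, audit_log_user_avc_message, ...)` result is only folded into `have_libaudit` and never compared back against `enable_audit`; add `if test x$enable_audit = xyes -a x$have_libaudit != xyes; then AC_MSG_ERROR([libaudit requested but not found]); fi` after the `AM_CONDITIONAL`. `AC_CHECK_LIB` also only proves the symbol links, while the security.c hunk includes `libaudit.h`, so an `AC_CHECK_HEADERS([libaudit.h])` would turn a missing-header compile failure into a configure-time message. The `auto` default behaviour is fine as written.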
32 diff -Nurp ipsec-tools-0.8.0-p103/src/racoon/handler.h ipsec-tools-0.8.0-p104/src/racoon/handler.h
33 --- ipsec-tools-0.8.0-p103/src/racoon/handler.h 2012-03-06 11:39:48.485129025 +0200
34 +++ ipsec-tools-0.8.0-p104/src/racoon/handler.h 2012-03-06 11:42:51.125378167 +0200
35 @@ -318,6 +318,7 @@ struct ph2handle {
36 u_int32_t msgid; /* msgid for phase 2 */
37
38 u_int32_t sa_count; /* num of SAs sent in SADB_ADD */
39 + u_int8_t loopback;
40
41 struct sainfo *sainfo; /* place holder of sainfo */
42 struct saprop *proposal; /* SA(s) proposal. */
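Review bot: The new `loopback` field is the only member in this hunk without a trailing comment, and nothing in the header says who sets it or what the value means, while its neighbours document themselves inline. Suggest `u_int8_t loopback; /* 1 when this phase 2 was created for a same-host (src == dst) ACQUIRE and is keyed via PF_KEY without ISAKMP */`. Whether a freshly allocated `ph2handle` starts with this field zeroed depends on the allocator in newph2(), which is outside the hunk; worth confirming, since pk_recvgetspi() and pk_recvupdate() branch on `loopback == 1`.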
43 diff -Nurp ipsec-tools-0.8.0-p103/src/racoon/isakmp_quick.c ipsec-tools-0.8.0-p104/src/racoon/isakmp_quick.c
44 --- ipsec-tools-0.8.0-p103/src/racoon/isakmp_quick.c 2011-03-14 19:18:13.000000000 +0200
45 +++ ipsec-tools-0.8.0-p104/src/racoon/isakmp_quick.c 2012-03-06 11:42:51.126378088 +0200
46 @@ -99,11 +99,10 @@ static vchar_t *quick_ir1mx __P((struct
47 static int get_sainfo_r __P((struct ph2handle *));
48 static int get_proposal_r __P((struct ph2handle *));
49 static int ph2_recv_n __P((struct ph2handle *, struct isakmp_gen *));
50 -static void quick_timeover_stub __P((struct sched *));
51 static void quick_timeover __P((struct ph2handle *));
52
53 /* called from scheduler */
54 -static void
55 +void
56 quick_timeover_stub(p)
57 struct sched *p;
58 {
59 diff -Nurp ipsec-tools-0.8.0-p103/src/racoon/isakmp_quick.h ipsec-tools-0.8.0-p104/src/racoon/isakmp_quick.h
60 --- ipsec-tools-0.8.0-p103/src/racoon/isakmp_quick.h 2006-09-09 19:22:09.000000000 +0300
61 +++ ipsec-tools-0.8.0-p104/src/racoon/isakmp_quick.h 2012-03-06 11:42:51.126378088 +0200
62 @@ -47,4 +47,5 @@ extern int quick_r3recv __P((struct ph2h
63 extern int quick_r3send __P((struct ph2handle *, vchar_t *));
64 extern int quick_r3prep __P((struct ph2handle *, vchar_t *));
65
66 +extern void quick_timeover_stub __P((struct sched *));
67 #endif /* _ISAKMP_QUICK_H */
68 diff -Nurp ipsec-tools-0.8.0-p103/src/racoon/main.c ipsec-tools-0.8.0-p104/src/racoon/main.c
69 --- ipsec-tools-0.8.0-p103/src/racoon/main.c 2009-01-26 20:13:06.000000000 +0200
70 +++ ipsec-tools-0.8.0-p104/src/racoon/main.c 2012-03-06 11:42:51.126378088 +0200
71 @@ -297,6 +297,9 @@ main(ac, av)
72 #ifdef HAVE_SECCTX
73 init_avc();
74 #endif
75 +#ifdef HAVE_LIBAUDIT
76 + audit_init();
77 +#endif
78 eay_init();
79 initrmconf();
80 oakley_dhinit();
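Review bot: `audit_init()` is called whenever `HAVE_LIBAUDIT` is defined, but its definition lives in security.c, which the Makefile.am hunk only links in through `$(SECCTX_OBJS)`; a build configured with audit but without security-context support would then fail at link time with an undefined reference (inferred from the Makefile.am and security.c hunks, not verified against the full build). Either guard this call and the policy.h declaration with `#if defined(HAVE_LIBAUDIT) && defined(HAVE_SECCTX)`, or have configure.ac force `have_libaudit=no` unless security contexts are enabled. main() continues on both sides of the hunk.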
81 diff -Nurp ipsec-tools-0.8.0-p103/src/racoon/Makefile.am ipsec-tools-0.8.0-p104/src/racoon/Makefile.am
82 --- ipsec-tools-0.8.0-p103/src/racoon/Makefile.am 2012-03-06 10:41:03.975025746 +0200
83 +++ ipsec-tools-0.8.0-p104/src/racoon/Makefile.am 2012-03-06 11:42:51.126378088 +0200
84 @@ -39,7 +39,7 @@ racoon_SOURCES = \
85 EXTRA_racoon_SOURCES = isakmp_xauth.c isakmp_cfg.c isakmp_unity.c throttle.c \
86 isakmp_frag.c nattraversal.c security.c $(MISSING_ALGOS)
87 racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(LEXLIB) \
88 - $(SECCTX_OBJS) vmbuf.o sockmisc.o misc.o ../libipsec/libipsec.la
89 + $(SECCTX_OBJS) vmbuf.o sockmisc.o misc.o ../libipsec/libipsec.la @AUDIT_LIBS@
90 racoon_DEPENDENCIES = \
91 $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(SECCTX_OBJS) \
92 vmbuf.o sockmisc.o misc.o
93 diff -Nurp ipsec-tools-0.8.0-p103/src/racoon/pfkey.c ipsec-tools-0.8.0-p104/src/racoon/pfkey.c
94 --- ipsec-tools-0.8.0-p103/src/racoon/pfkey.c 2012-03-06 11:39:48.486129111 +0200
95 +++ ipsec-tools-0.8.0-p104/src/racoon/pfkey.c 2012-03-06 11:42:51.127378011 +0200
96 @@ -87,6 +87,7 @@
97 #include "isakmp_var.h"
98 #include "isakmp.h"
99 #include "isakmp_inf.h"
100 +#include "isakmp_quick.h"
101 #include "ipsec_doi.h"
102 #include "oakley.h"
103 #include "pfkey.h"
104 @@ -101,6 +102,7 @@
105 #include "nattraversal.h"
106 #include "crypto_openssl.h"
107 #include "grabmyaddr.h"
108 +#include "sockmisc.h"
109
110 #if defined(SADB_X_EALG_RIJNDAELCBC) && !defined(SADB_X_EALG_AESCBC)
111 #define SADB_X_EALG_AESCBC SADB_X_EALG_RIJNDAELCBC
112 @@ -1043,6 +1045,56 @@ pk_recvgetspi(mhp)
113 return -1;
114 }
115
116 +#ifdef HAVE_SECCTX
117 + if (iph2->loopback == 1) {
118 + u_int satype, reqid;
119 + struct sockaddr *src;
120 +
121 + src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
122 + if (cmpsaddr(src, dst) != CMPSADDR_MISMATCH) {
123 + struct pfkey_send_sa_args sa_args;
124 + /* yep, this is loopback. install SA */
125 + satype = ipsecdoi2pfkey_proto(iph2->proposal->head->proto_id);
126 + if (satype == ~0) {
127 + plog(LLV_ERROR, LOCATION, NULL,
128 + "invalid proto_id %d\n",
129 + iph2->proposal->head->proto_id);
130 + return -1;
131 + }
132 +
133 + reqid = iph2->proposal->head->reqid_in;
134 +
135 + iph2->status = PHASE2ST_ADDSA;
136 +
137 + memset (&sa_args, 0, sizeof (sa_args));
138 + sa_args.so = lcconf->sock_pfkey;
139 + sa_args.satype = satype;
140 + sa_args.mode = IPSEC_MODE_TRANSPORT;
141 + sa_args.src = src;
142 + sa_args.dst = dst;
143 + sa_args.spi = sa->sadb_sa_spi;
144 + sa_args.reqid = reqid;
145 + sa_args.e_type = SADB_EALG_NULL;
146 + sa_args.a_type = SADB_AALG_NONE;
147 + sa_args.l_addtime = iph2->proposal->lifetime;
148 + sa_args.seq = iph2->seq;
149 + sa_args.ctxdoi = iph2->proposal->sctx.ctx_doi;
150 + sa_args.ctxalg = iph2->proposal->sctx.ctx_alg;
151 + sa_args.ctxstr = iph2->proposal->sctx.ctx_str;
152 + sa_args.ctxstrlen = iph2->proposal->sctx.ctx_strlen;
153 + if (pfkey_send_update2(&sa_args) < 0) {
154 + plog(LLV_ERROR, LOCATION, NULL,
155 + "failed to update loopback SA: %s\n",
156 + ipsec_strerror());
157 + remph2(iph2);
158 + delph2(iph2);
159 + return -1;
160 + }
161 + }
162 + return 0;
163 + }
164 +#endif /* HAVE SECCTX */
165 +
166 /* set SPI, and check to get all spi whether or not */
167 allspiok = 1;
168 notfound = 1;
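Review bot: The two error paths in the new loopback branch clean up differently: a bad `proto_id` returns -1 leaving the handler in the tree with its GETSPI timer still scheduled, while a failed `pfkey_send_update2()` does `remph2(iph2); delph2(iph2);` first; the first path should do the same, or carry a comment saying why the pending `quick_timeover()` is expected to reap it. The local named `src` is read from `SADB_EXT_ADDRESS_DST`, mirroring the swapped `dst, src` order of the GETSPI sent from pk_recvacquire(); a one-line comment there, `/* GETSPI was sent with dst/src swapped, so the reply's DST is our src */`, would save the next reader a trip. It is also worth stating next to `sa_args.e_type = SADB_EALG_NULL` that this SA carries only the security label and provides no confidentiality or integrity protection, which is acceptable only because the loopback condition above guarantees the traffic never leaves the host. pk_recvgetspi() starts outside the hunk.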
169 @@ -1304,6 +1356,26 @@ pk_recvupdate(mhp)
170 return -1;
171 }
172
173 +#ifdef HAVE_SECCTX
174 + /* get update for loopback here */
175 + if (iph2->loopback == 1 && (cmpsaddr(src, dst) != CMPSADDR_MISMATCH)) {
176 + plog(LLV_INFO, LOCATION, NULL,
177 + "IPsec-SA established without ISAKMP: %s\n",
178 + sadbsecas2str(iph2->dst, iph2->src,
179 + msg->sadb_msg_satype, sa->sadb_sa_spi,
180 + IPSEC_MODE_TRANSPORT));
181 +
182 + /* turn off the timer for calling quick_timeover() */
183 + sched_cancel(&iph2->sce);
184 +
185 + sched_schedule(&iph2->sce, iph2->proposal->lifetime,
186 + isakmp_ph2expire_stub);
187 +
188 + iph2->status = PHASE2ST_ESTABLISHED;
189 + return 0;
190 + }
191 +#endif
192 +
193 /* check to complete all keys ? */
194 for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
195 proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
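Review bot: When `iph2->loopback == 1` but the UPDATE's addresses do not match, the new branch is skipped and control falls into the `for (pr = iph2->approval->head; ...)` loop below; the loopback handler built in pk_recvacquire() only ever sets `iph2->proposal`, so unless `approval` is filled in somewhere outside this hunk that is a NULL dereference. Suggest making the loopback case exclusive: `if (iph2->loopback == 1) { if (cmpsaddr(src, dst) == CMPSADDR_MISMATCH) { plog(LLV_ERROR, LOCATION, NULL, "loopback SA: UPDATE address mismatch\n"); return -1; } ... }` so a stray UPDATE is visible in the logs rather than silently misprocessed. The reschedule replaces the quick_timeover timer with `isakmp_ph2expire_stub` at `proposal->lifetime` seconds, which is fine, but note that this lifetime is the default assigned in pk_recvacquire(), not anything negotiated. pk_recvupdate() starts, and its `src`/`dst` locals are defined, outside the hunk.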
196 @@ -1343,7 +1415,7 @@ pk_recvupdate(mhp)
197 if (incomplete)
198 return 0;
199
200 - /* turn off the timer for calling pfkey_timeover() */
201 + /* turn off the timer for calling quick_timeover() */
202 sched_cancel(&iph2->sce);
203
204 /* update status */
205 @@ -1768,6 +1840,12 @@ pk_recvacquire(mhp)
206 m_sec_ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
207
208 if (m_sec_ctx != NULL) {
209 + if (m_sec_ctx->sadb_x_ctx_len > MAX_CTXSTR_SIZE) {
210 + plog(LLV_ERROR, LOCATION, NULL,
211 + "ignoring ACQUIRE: security context is greater than MAX, %d.\n",
212 + MAX_CTXSTR_SIZE);
213 + return -1;
214 + }
215 plog(LLV_INFO, LOCATION, NULL, "security context doi: %u\n",
216 m_sec_ctx->sadb_x_ctx_doi);
217 plog(LLV_INFO, LOCATION, NULL,
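Review bot: The new length check on `sadb_x_ctx_len` is the right guard against an oversized context arriving from the kernel, but the message logs only the limit and not the length that was rejected, which is what an operator needs when tracing the policy that produced it; suggest `"ignoring ACQUIRE: security context length %u exceeds MAX_CTXSTR_SIZE (%d).\n", (unsigned)m_sec_ctx->sadb_x_ctx_len, MAX_CTXSTR_SIZE`. Whether `>` or `>=` is the right comparison depends on whether the buffer that later receives `ctx_str` reserves room for a terminating NUL, which is outside this hunk and worth checking at the copy site. pk_recvacquire() continues on both sides of the hunk.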
218 @@ -1974,6 +2052,73 @@ pk_recvacquire(mhp)
219 iph2->sa_dst = dupsaddr(sa_dst);
220 }
221
222 +#ifdef HAVE_SECCTX
223 + /*
224 + * If the src address in the ACQUIRE is one we listen on and
225 + * the src and dst addresses are the same, then assume this
226 + * packet arrived over loopback and just get an SPI and
227 + * install the SA.
228 + */
229 + if (m_sec_ctx && (cmpsaddr(src, dst) != CMPSADDR_MISMATCH)) {
230 + struct saprop *newpp;
231 + struct saproto *newpr;
232 + iph2->loopback = 1;
233 + newpp = newsaprop();
234 + if (newpp == NULL) {
235 + plog(LLV_ERROR, LOCATION, NULL,
236 + "failed to allocate saprop.\n");
237 + delph2(iph2);
238 + return -1;
239 + }
240 + /* allocate to hold reqid */
241 + newpr = newsaproto();
242 + if (newpr == NULL) {
243 + plog(LLV_ERROR, LOCATION, NULL,
244 + "failed to allocate saproto.\n");
245 + delph2(iph2);
246 + return -1;
247 + }
248 +
249 + newpr->reqid_out = sp_out->req->saidx.reqid;
250 + newpr->reqid_in = sp_in->req->saidx.reqid;
251 + newpr->proto_id = ipproto2doi(sp_out->req->saidx.proto);
252 +
253 + inssaprotorev(newpp, newpr);
254 + iph2->proposal = newpp;
255 + printsaprop0(LLV_DEBUG, newpp);
256 +
257 + set_secctx_in_proposal(iph2, spidx);
258 + iph2->proposal->lifetime = IPSECDOI_ATTR_SA_LD_SEC_DEFAULT;
259 +
260 + insph2(iph2);
261 +
262 + iph2->status = PHASE2ST_GETSPISENT;
263 + plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_getspi\n");
264 + if (pfkey_send_getspi(
265 + lcconf->sock_pfkey,
266 + iph2->satype,
267 + IPSEC_MODE_TRANSPORT,
268 + dst, /* src of SA */
269 + src, /* dst of SA */
270 + 0, 0,
271 + newpr->reqid_in, iph2->seq) < 0) {
272 + plog(LLV_ERROR, LOCATION, NULL,
273 + "ipseclib failed send getspi (%s)\n",
274 + ipsec_strerror());
275 + delph2(iph2);
276 + return -1;
277 + }
278 + sched_schedule(&iph2->sce, lcconf->wait_ph2complete,
279 + quick_timeover_stub);
280 +
281 + plog(LLV_DEBUG, LOCATION, NULL,
282 + "pfkey GETSPI sent: %s\n",
283 + sadbsecas2str(dst, src, iph2->satype, 0,
284 + IPSEC_MODE_TRANSPORT));
285 + return 0;
286 + }
287 +#endif /* HAVE_SECCTX */
288 +
289 if (isakmp_get_sainfo(iph2, sp_out, sp_in) < 0) {
290 delph2(iph2);
291 return -1;
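Review bot: The `pfkey_send_getspi()` failure path calls `delph2(iph2)` after `insph2(iph2)` has already linked the handler, with no matching `remph2(iph2)`; the equivalent path in pk_recvgetspi() does `remph2(iph2); delph2(iph2);`, so unless delph2() unlinks on its own this leaves a freed handler in the tree. The `newsaproto()` failure also leaks `newpp`, which has been allocated but not yet attached to `iph2->proposal`; release it (racoon's saprop free helper, flushsaprop() in proposal.c if I have the name right) before returning. The block comment promises a check that the ACQUIRE's src is an address we listen on, but the condition only tests `m_sec_ctx && src == dst`; either add that check or reword the comment to `/* src == dst with a security context: treat as loopback, get an SPI and install the SA without ISAKMP */`. pk_recvacquire() continues outside the hunk, so where `iph2->satype` and `spidx` are set is not visible here.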
292 diff -Nurp ipsec-tools-0.8.0-p103/src/racoon/policy.h ipsec-tools-0.8.0-p104/src/racoon/policy.h
293 --- ipsec-tools-0.8.0-p103/src/racoon/policy.h 2008-12-05 08:02:20.000000000 +0200
294 +++ ipsec-tools-0.8.0-p104/src/racoon/policy.h 2012-03-06 11:42:51.127378011 +0200
295 @@ -38,7 +38,12 @@
296
297
298 #ifdef HAVE_SECCTX
299 -#define MAX_CTXSTR_SIZE 50
300 +
301 +/* Current LSPP policy is 1024 compartments, 5 chars each 'c1024'. SE Linux
302 + * will attempt to combine so, worst case is all odd or even numbers. The
303 + * context size of SE Linux types is max'ed around 256. We allow 16 for
304 + * sensitivity */
305 +#define MAX_CTXSTR_SIZE 3344 /* (6 * 512) + 256 + 16 */
306 struct security_ctx {
307 u_int8_t ctx_doi; /* Security Context DOI */
308 u_int8_t ctx_alg; /* Security Context Algorithm */
309 @@ -158,6 +163,9 @@ extern void initsp __P((void));
310 extern struct ipsecrequest *newipsecreq __P((void));
311
312 extern const char *spidx2str __P((const struct policyindex *));
313 +#ifdef HAVE_LIBAUDIT
314 +extern void audit_init __P((void));
315 +#endif
316 #ifdef HAVE_SECCTX
317 #include <selinux/selinux.h>
318 extern int get_security_context __P((vchar_t *, struct policyindex *));
319 diff -Nurp ipsec-tools-0.8.0-p103/src/racoon/security.c ipsec-tools-0.8.0-p104/src/racoon/security.c
320 --- ipsec-tools-0.8.0-p103/src/racoon/security.c 2007-05-31 22:54:55.000000000 +0300
321 +++ ipsec-tools-0.8.0-p104/src/racoon/security.c 2012-03-06 11:42:51.128377935 +0200
322 @@ -55,6 +55,61 @@
323 #include "proposal.h"
324 #include "strnames.h"
325 #include "handler.h"
326 +#ifdef HAVE_LIBAUDIT
327 +#include <unistd.h>
328 +#include <sys/param.h>
329 +#include "libaudit.h"
330 +#endif
331 +
332 +static void log_callback (const char *fmt, ...);
333 +
334 +static const struct avc_log_callback log_cb =
335 +{
336 + .func_log = log_callback,
337 + .func_audit = NULL
338 +};
339 +
340 +#ifdef HAVE_LIBAUDIT
341 +static int audit_fd = -1;
342 +void
343 +audit_init(void)
344 +{
345 + audit_fd = audit_open();
346 + if (audit_fd < 0) {
347 + /* If kernel doesn't support audit, bail out */
348 + if (errno == EINVAL || errno == EPROTONOSUPPORT ||
349 + errno == EAFNOSUPPORT)
350 + return;
351 + /* If unprivileged, bail out */
352 + if (errno == EPERM && getuid() != 0)
353 + return;
354 + plog (LLV_ERROR, LOCATION, NULL,
355 + "Failed opening connection to the audit subsystem");
356 + }
357 +}
358 +#endif /* HAVE_LIBAUDIT */
359 +
360 +static void
361 +log_callback (const char *fmt, ...)
362 +{
363 + va_list ap;
364 + va_start(ap, fmt);
365 +#ifdef HAVE_LIBAUDIT
366 + if (audit_fd >= 0) {
367 + char buf[PATH_MAX*2];
368 +
369 + /* FIXME: need to change this to show real user */
370 + vsnprintf(buf, sizeof(buf), fmt, ap);
371 + audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC,
372 + buf, NULL, NULL, NULL, -1);
373 + return;
374 + } else
375 +#endif /* HAVE_LIBAUDIT */
376 + {
377 + vsyslog (LOG_INFO, fmt, ap);
378 + va_end(ap);
379 + }
380 +}
381
382 /*
383 * Get the security context information from SA.
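Review bot: In `log_callback()` the audit branch returns before `va_end(ap)`; the only `va_end` sits in the syslog branch, so every audited message leaves a `va_start` unmatched, which is undefined behaviour. Call `va_end(ap);` immediately after the `vsnprintf()` and keep the one after `vsyslog()`, or restructure so both paths fall through to a single `va_end(ap);` before the closing brace. `audit_init()` logs the open failure without the reason and without the trailing newline the other plog() calls use; `"Failed opening connection to the audit subsystem: %s\n", strerror(errno)` (with errno saved before the plog call) tells the operator why AVC denials will only reach syslog. `audit_fd` is opened once and never closed; if racoon has an orderly shutdown path an `audit_close()` there would be tidy, though the kernel reclaims it at exit.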
