From 55a85124f73c8c5218c87af874b2d1c2eacfd88a Mon Sep 17 00:00:00 2001
From: Paul Wouters
Date: Tue, 9 Sep 2014 12:58:42 -0400
Subject: [PATCH] added 3 patches for libreswan-3.10
---
 libreswan-3.10-autoroute.patch | 80 +++++++++++++++++++++++++++++++++
 libreswan-3.10-coverity.patch | 81 ++++++++++++++++++++++++++++++++++
 libreswan-3.10-snprintf.patch | 21 +++++++++
 3 files changed, 182 insertions(+)
 create mode 100644 libreswan-3.10-autoroute.patch
 create mode 100644 libreswan-3.10-coverity.patch
 create mode 100644 libreswan-3.10-snprintf.patch
diff --git a/libreswan-3.10-autoroute.patch b/libreswan-3.10-autoroute.patch
new file mode 100644
index 0000000..298a385
--- /dev/null
+++ b/libreswan-3.10-autoroute.patch
@@ -0,0 +1,80 @@
+commit dded96917330dc7726d2520ef74deff710ed7673
+Author: Paul Wouters
+Date: Mon Sep 8 20:38:32 2014 -0400
+
+ addconn: routing should happen after listen (bug introduced in 3.10)
+
+ This caused auto=route (auto=ondemand) connections to not load properly,
+ because pluto wasn't listening yet so these connections could not orient.
+
+diff --git a/programs/addconn/addconn.c b/programs/addconn/addconn.c
+index 5961a14..4c605a7 100644
+--- a/programs/addconn/addconn.c
++++ b/programs/addconn/addconn.c
+@@ -1,8 +1,9 @@
+ /*
+ * A program to read the configuration file and load a single conn
+ * Copyright (C) 2005 Michael Richardson
+- * Copyright (C) 2012 Paul Wouters
+- * Copyright (C) 2012 Kim B. Heino
++ * Copyright (C) 2012-2014 Paul Wouters
++ * Copyright (C) 2014 D. Hugh Redelmeier
++ * Copyright (C) 2012-2013 Kim B. Heino
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+@@ -725,19 +726,37 @@ int main(int argc, char *argv[])
+ conn->desired_state == STARTUP_START) {
+ if (verbose)
+ printf(" %s", conn->name);
+- resolve_defaultroute(conn);
+ starter_whack_add_conn(cfg, conn);
+ }
+- if (conn->desired_state == STARTUP_ONDEMAND)
+- starter_whack_route_conn(cfg, conn);
+ }
+
+- /* We added all connections, let pluto listen, then startup our conns */
++ /*
++ * We loaded all connections. Now tell pluto to listen,
++ * then route the conns and resolve default route.
++ */
+ starter_whack_listen(cfg);
+
+ if (verbose)
+- printf(" Pass #2: Initiating auto=start connections\n");
++ printf(" Pass #2: Routing auto=route and auto=start connections\n");
+
++ for (conn = cfg->conns.tqh_first;
++ conn != NULL;
++ conn = conn->link.tqe_next) {
++ if (conn->desired_state == STARTUP_ADD ||
++ conn->desired_state == STARTUP_ONDEMAND ||
++ conn->desired_state == STARTUP_START) {
++ if (verbose)
++ printf(" %s", conn->name);
++ resolve_defaultroute(conn);
++ if (conn->desired_state == STARTUP_ONDEMAND ||
++ conn->desired_state == STARTUP_START) {
++ starter_whack_route_conn(cfg, conn);
++ }
++ }
++ }
++
++ if (verbose)
++ printf(" Pass #3: Initiating auto=start connections\n");
+
+ for (conn = cfg->conns.tqh_first;
+ conn != NULL;
+ conn = conn->link.tqe_next) {
+@@ -745,10 +764,10 @@ int main(int argc, char *argv[])
+ if (conn->desired_state == STARTUP_START) {
+ if (verbose)
+ printf(" %s", conn->name);
+- resolve_defaultroute(conn);
+ starter_whack_initiate_conn(cfg, conn);
+ }
+ }
++
+ if (verbose)
+ printf("\n");
+ } else {
diff --git a/libreswan-3.10-coverity.patch b/libreswan-3.10-coverity.patch
new file mode 100644
index 0000000..9380d31
--- /dev/null
+++ b/libreswan-3.10-coverity.patch
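Review bot: In the new Pass #2 loop, `resolve_defaultroute(conn);` now runs only after `starter_whack_add_conn(cfg, conn)` has already sent the conn to pluto in Pass #1, whereas before this change it ran in front of add_conn. If resolve_defaultroute rewrites the endpoint fields that add_conn serializes (a `%defaultroute` left/right address, say), pluto receives the unresolved values and only the later route/initiate messages see the resolved ones; that should be confirmed against starter_whack_add_conn, or the call moved back in front of add_conn in Pass #1 with Pass #2 left to routing only. The new pass also calls `starter_whack_route_conn` for STARTUP_START conns, which were not routed before; if pluto's initiate path already installs the route this is merely redundant, but it is a behaviour change the commit message does not mention. main() begins and ends outside the hunk.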
@@ -0,0 +1,81 @@
+diff --git a/programs/pluto/ikev2_crypto.c b/programs/pluto/ikev2_crypto.c
+index 58c62c8..4a305c7 100644
+--- a/programs/pluto/ikev2_crypto.c
++++ b/programs/pluto/ikev2_crypto.c
+@@ -65,8 +65,8 @@ void ikev2_derive_child_keys(struct state *st, enum phase1_role role)
+ st->st_ah.present? &st->st_ah :
+ NULL;
+
+- assert(ipi != NULL); /* ESP or AH must be present */
+- assert(st->st_esp.present != st->st_ah.present); /* only one */
++ passert(ipi != NULL); /* ESP or AH must be present */
++ passert(st->st_esp.present != st->st_ah.present); /* only one */
+
+ /* ??? there is no kernel_alg_ah_info */
+ ipi->attrs.transattrs.ei = kernel_alg_esp_info(
+@@ -142,14 +142,6 @@ void ikev2_derive_child_keys(struct state *st, enum phase1_role role)
+ v2genbytes(&rkeymat, ipi->keymat_len,
+ "responder keys", &childsacalc);
+
+- /* This should really be role == O_INITIATOR, but then our keys are
+- * installed reversed. This is a workaround until we locate the
+- * real problem. It's better not to release copies of our code
+- * that will be incompatible with everything else, including our
+- * own updated version
+- * Found by Herbert Xu
+- * if(role == O_INITIATOR) {
+- */
+ if (role != O_INITIATOR) {
+ DBG(DBG_CRYPT, {
+ DBG_dump_chunk("our keymat", ikeymat);
+@@ -167,4 +159,3 @@ void ikev2_derive_child_keys(struct state *st, enum phase1_role role)
+ }
+
+ }
+-
+diff --git a/programs/pluto/pluto_crypt.c b/programs/pluto/pluto_crypt.c
+index 7bf3a2a..080d2a0 100644
+--- a/programs/pluto/pluto_crypt.c
++++ b/programs/pluto/pluto_crypt.c
+@@ -657,7 +657,7 @@ static void kill_helper(struct pluto_crypto_worker *w)
+ }
+
+ void log_crypto_workers(void) {
+- bool first_time = TRUE;
++ static bool first_time = TRUE;
+ int i;
+
+ if (!first_time)
+diff --git a/programs/pluto/rcv_whack.c b/programs/pluto/rcv_whack.c
+index 483f34c..9c6fb11 100644
+--- a/programs/pluto/rcv_whack.c
++++ b/programs/pluto/rcv_whack.c
+@@ -690,7 +690,7 @@ bool whack_prompt_for(int whackfd,
+ return FALSE;
+ }
+
+- if (strlen(ansbuf) == 0) {
++ if (n == 0) {
+ whack_log(RC_LOG_SERIOUS, "no %s entered, aborted", prompt2);
+ return FALSE;
+ }
+diff --git a/programs/rsasigkey/rsasigkey.c b/programs/rsasigkey/rsasigkey.c
+index f3f0194..d853365 100644
+--- a/programs/rsasigkey/rsasigkey.c
++++ b/programs/rsasigkey/rsasigkey.c
+@@ -321,7 +321,14 @@ int main(int argc, char *argv[])
+ device = optarg;
+ break;
+ case 'H': /* set hostname for output */
+- strcpy(outputhostname, optarg);
++ {
++ size_t full_len = strlen(optarg);
++ bool oflow = sizeof(outputhostname) - 1 < full_len;
++ size_t copy_len = oflow ? sizeof(outputhostname) - 1 : full_len;
++
++ memcpy(outputhostname, optarg, copy_len);
++ outputhostname[copy_len] = '\0';
++ }
+ break;
+ case 'h': /* help */
+ printf("Usage:\t%s\n", usage);
diff --git a/libreswan-3.10-snprintf.patch b/libreswan-3.10-snprintf.patch
new file mode 100644
index 0000000..55bae52
--- /dev/null
+++ b/libreswan-3.10-snprintf.patch
@@ -0,0 +1,21 @@
+diff -Naur libreswan-3.10-orig/programs/pluto/kernel.c libreswan-3.10/programs/pluto/kernel.c
+--- libreswan-3.10-orig/programs/pluto/kernel.c 2014-09-01 17:44:22.000000000 -0400
++++ libreswan-3.10/programs/pluto/kernel.c 2014-09-08 09:10:29.173718430 -0400
+@@ -441,7 +441,7 @@
+ "PLUTO_STACK='%s' "
+ "%s" /* optional metric */
+ "%s" /* optional mtu */
+- "PLUTO_ADDTIME='%lu' "
++ "PLUTO_ADDTIME='%" PRIu64 "' "
+ "PLUTO_CONN_POLICY='%s' "
+ "PLUTO_CONN_ADDRFAMILY='ipv%d' "
+ "XAUTH_FAILED=%d "
+@@ -479,7 +479,7 @@
+ kernel_ops->kern_name,
+ metric_str,
+ connmtu_str,
+- st == NULL ? 0 : st->st_esp.add_time,
++ (u_int64_t)(st == NULL ? 0U : st->st_esp.add_time),
+ prettypolicy(c->policy),
+ (c->addr_family == AF_INET) ? 4 : 6,
+ (st && st->st_xauth_soft) ? 1 : 0,
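Review bot: The new `-H` handler in rsasigkey.c truncates an over-long hostname silently: `oflow` is computed but only used to clamp `copy_len`, so a hostname longer than `sizeof(outputhostname) - 1` ends up in the generated key output with its tail cut off and no diagnostic. The operator chose that value deliberately, so rejecting it is safer than emitting a key labelled with a different name; the check below does that and keeps the copy bounded, with `exit(1)` standing in for whatever the file's other option errors do, which is outside the hunk. The `if (n == 0)` replacement in whack_prompt_for likewise depends on how `n` is assigned above the hunk, which is not visible here; it is only equivalent to the old `strlen(ansbuf) == 0` if `n` counts the bytes actually stored in `ansbuf`.
```c
		case 'H':	/* set hostname for output */
			if (strlen(optarg) >= sizeof(outputhostname)) {
				fprintf(stderr, "%s: -H hostname too long (max %zu characters)\n",
					argv[0], sizeof(outputhostname) - 1);
				exit(1);
			}
			strcpy(outputhostname, optarg);	/* bounded by the check above */
			break;
```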
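Review bot: The cast added for PLUTO_ADDTIME uses `u_int64_t`, a BSD/glibc `<sys/types.h>` typedef, while `PRIu64` is defined in terms of C99 `uint64_t`; on glibc the two coincide, but the portable spelling that actually matches the macro is `(uint64_t)(st == NULL ? 0U : st->st_esp.add_time)`. `PRIu64` also needs `<inttypes.h>`, which is outside the hunk, so it is worth checking that kernel.c includes it directly rather than via a transitive header. The format string and the argument list belong to a single call whose start and end lie outside both hunks.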