- version bump (not yet tested..)

package/openswan/linux-2.6.21.5-openswan-2.4.8.kernel-2.6-fixup.patch

@@ -0,0 +1,156 @@
+diff -rduNp linux-2.6.21.5.openswan28/net/ipsec/ipsec_alg_cryptoapi.c linux-2.6.21.5/net/ipsec/ipsec_alg_cryptoapi.c
+--- linux-2.6.21.5.openswan28/net/ipsec/ipsec_alg_cryptoapi.c	2007-06-21 10:44:07.000000000 +0200
++++ linux-2.6.21.5/net/ipsec/ipsec_alg_cryptoapi.c	2007-06-21 23:34:05.000000000 +0200
+@@ -197,7 +197,7 @@ static struct ipsec_alg_capi_cipher alg_
+  */
+ int setup_cipher(const char *ciphername)
+ {
+-	return crypto_alg_available(ciphername, 0);
++	return crypto_has_alg(ciphername, 0, CRYPTO_ALG_ASYNC);
+ }
+ 
+ /*
+@@ -272,7 +272,7 @@ static __u8 *
+ _capi_new_key (struct ipsec_alg_enc *alg, const __u8 *key, size_t keylen)
+ {
+ 	struct ipsec_alg_capi_cipher *cptr;
+-	struct crypto_tfm *tfm=NULL;
++	struct crypto_cipher *tfm=NULL;
+ 
+ 	cptr = alg->ixt_common.ixt_data;
+ 	if (!cptr) {
+@@ -289,7 +289,7 @@ _capi_new_key (struct ipsec_alg_enc *alg
+ 	/*	
+ 	 *	alloc tfm
+ 	 */
+-	tfm = crypto_alloc_tfm(cptr->ciphername, CRYPTO_TFM_MODE_CBC);
++	tfm = crypto_alloc_cipher(cptr->ciphername, 0, CRYPTO_ALG_ASYNC);
+ 	if (!tfm) {
+ 		printk(KERN_ERR "_capi_new_key(): "
+ 				"NULL tfm for \"%s\" cryptoapi (\"%s\") algo\n" 
+@@ -300,7 +300,7 @@ _capi_new_key (struct ipsec_alg_enc *alg
+ 		printk(KERN_ERR "_capi_new_key(): "
+ 				"failed new_key() for \"%s\" cryptoapi algo (keylen=%d)\n" 
+ 			, alg->ixt_common.ixt_name, keylen);
+-		crypto_free_tfm(tfm);
++		crypto_free_cipher(tfm);
+ 		tfm=NULL;
+ 	}
+ err:
+@@ -317,23 +317,26 @@ err:
+ static int 
+ _capi_cbc_encrypt(struct ipsec_alg_enc *alg, __u8 * key_e, __u8 * in, int ilen, const __u8 * iv, int encrypt) {
+ 	int error =0;
+-	struct crypto_tfm *tfm=(struct crypto_tfm *)key_e;
++	struct crypto_blkcipher *tfm=(struct crypto_blkcipher *)key_e;
++	struct blkcipher_desc desc;
+ 	struct scatterlist sg = { 
+ 		.page = virt_to_page(in),
+ 		.offset = (unsigned long)(in) % PAGE_SIZE,
+ 		.length=ilen,
+ 	};
++	desc.tfm = tfm;
++	desc.flags = 0;
+ 	if (debug_crypto > 1)
+ 		printk(KERN_DEBUG "klips_debug:_capi_cbc_encrypt:"
+ 				"key_e=%p "
+ 				"in=%p out=%p ilen=%d iv=%p encrypt=%d\n"
+ 				, key_e
+ 				, in, in, ilen, iv, encrypt);
+-	crypto_cipher_set_iv(tfm, iv, crypto_tfm_alg_ivsize(tfm));
++	crypto_blkcipher_set_iv(tfm, iv, crypto_blkcipher_ivsize(tfm));
+ 	if (encrypt)
+-		error = crypto_cipher_encrypt (tfm, &sg, &sg, ilen);
++		error = crypto_blkcipher_encrypt (&desc, &sg, &sg, ilen);
+ 	else
+-		error = crypto_cipher_decrypt (tfm, &sg, &sg, ilen);
++		error = crypto_blkcipher_decrypt (&desc, &sg, &sg, ilen);
+ 	if (debug_crypto > 1)
+ 		printk(KERN_DEBUG "klips_debug:_capi_cbc_encrypt:"
+ 				"error=%d\n"
+@@ -370,8 +373,9 @@ setup_cipher_list (struct ipsec_alg_capi
+ 		 * 	use a local ci to avoid touching cptr->ci,
+ 		 * 	if register ipsec_alg success then bind cipher
+ 		 */
+-		if(cptr->alg.ixt_common.ixt_support.ias_name == NULL) {
+-		  cptr->alg.ixt_common.ixt_support.ias_name = cptr->ciphername;
++		if (cptr->alg.ixt_common.ixt_support.ias_name == NULL) {
++printk(KERN_DEBUG "klips_debug: ias_name was nil\n");
++//		  cptr->alg.ixt_common.ixt_support.ias_name = cptr->ciphername;
+ 		}
+ 
+ 		if( setup_cipher(cptr->ciphername) ) {
+diff -rduNp linux-2.6.21.5.openswan28/net/ipsec/sysctl_net_ipsec.c linux-2.6.21.5/net/ipsec/sysctl_net_ipsec.c
+--- linux-2.6.21.5.openswan28/net/ipsec/sysctl_net_ipsec.c	2007-06-21 10:44:07.000000000 +0200
++++ linux-2.6.21.5/net/ipsec/sysctl_net_ipsec.c	2007-06-21 22:33:51.000000000 +0200
+@@ -74,45 +74,45 @@ enum {
+ static ctl_table ipsec_table[] = {
+ #ifdef CONFIG_KLIPS_DEBUG
+ 	{ NET_IPSEC_DEBUG_AH, "debug_ah", &debug_ah,
+-	  sizeof(int), 0644, NULL, &proc_dointvec},    
++	  sizeof(int), 0644,  &proc_dointvec},
+ 	{ NET_IPSEC_DEBUG_ESP, "debug_esp", &debug_esp,
+-	  sizeof(int), 0644, NULL, &proc_dointvec},    
++	  sizeof(int), 0644,  &proc_dointvec},
+ 	{ NET_IPSEC_DEBUG_TUNNEL, "debug_tunnel", &debug_tunnel,
+-	  sizeof(int), 0644, NULL, &proc_dointvec},    
++	  sizeof(int), 0644,  &proc_dointvec},
+ 	{ NET_IPSEC_DEBUG_EROUTE, "debug_eroute", &debug_eroute,
+-	  sizeof(int), 0644, NULL, &proc_dointvec},    
++	  sizeof(int), 0644,  &proc_dointvec},
+ 	{ NET_IPSEC_DEBUG_SPI, "debug_spi", &debug_spi,
+-	  sizeof(int), 0644, NULL, &proc_dointvec},    
++	  sizeof(int), 0644,  &proc_dointvec},
+ 	{ NET_IPSEC_DEBUG_RADIJ, "debug_radij", &debug_radij,
+-	  sizeof(int), 0644, NULL, &proc_dointvec},    
++	  sizeof(int), 0644,  &proc_dointvec},
+ 	{ NET_IPSEC_DEBUG_NETLINK, "debug_netlink", &debug_netlink,
+-	  sizeof(int), 0644, NULL, &proc_dointvec},    
++	  sizeof(int), 0644,  &proc_dointvec},
+ 	{ NET_IPSEC_DEBUG_XFORM, "debug_xform", &debug_xform,
+-	  sizeof(int), 0644, NULL, &proc_dointvec},    
++	  sizeof(int), 0644,  &proc_dointvec},
+ 	{ NET_IPSEC_DEBUG_RCV, "debug_rcv", &debug_rcv,
+-	  sizeof(int), 0644, NULL, &proc_dointvec},    
++	  sizeof(int), 0644,  &proc_dointvec},
+ 	{ NET_IPSEC_DEBUG_PFKEY, "debug_pfkey", &debug_pfkey,
+-	  sizeof(int), 0644, NULL, &proc_dointvec},    
++	  sizeof(int), 0644,  &proc_dointvec},
+ 	{ NET_IPSEC_DEBUG_VERBOSE, "debug_verbose",&sysctl_ipsec_debug_verbose,
+-	  sizeof(int), 0644, NULL, &proc_dointvec},    
++	  sizeof(int), 0644,  &proc_dointvec},
+ #ifdef CONFIG_KLIPS_IPCOMP
+ 	{ NET_IPSEC_DEBUG_IPCOMP, "debug_ipcomp", &sysctl_ipsec_debug_ipcomp,
+-	  sizeof(int), 0644, NULL, &proc_dointvec},    
++	  sizeof(int), 0644,  &proc_dointvec},
+ #endif /* CONFIG_KLIPS_IPCOMP */
+ 
+ #ifdef CONFIG_KLIPS_REGRESS
+ 	{ NET_IPSEC_REGRESS_PFKEY_LOSSAGE, "pfkey_lossage",
+ 	  &sysctl_ipsec_regress_pfkey_lossage,
+-	  sizeof(int), 0644, NULL, &proc_dointvec},
++	  sizeof(int), 0644,  &proc_dointvec},
+ #endif /* CONFIG_KLIPS_REGRESS */
+ 
+ #endif /* CONFIG_KLIPS_DEBUG */
+ 	{ NET_IPSEC_ICMP, "icmp", &sysctl_ipsec_icmp,
+-	  sizeof(int), 0644, NULL, &proc_dointvec},    
++	  sizeof(int), 0644,  &proc_dointvec},
+ 	{ NET_IPSEC_INBOUND_POLICY_CHECK, "inbound_policy_check", &sysctl_ipsec_inbound_policy_check,
+-	  sizeof(int), 0644, NULL, &proc_dointvec},    
++	  sizeof(int), 0644,  &proc_dointvec},
+ 	{ NET_IPSEC_TOS, "tos", &sysctl_ipsec_tos,
+-	  sizeof(int), 0644, NULL, &proc_dointvec},    
++	  sizeof(int), 0644, &proc_dointvec},
+ 	{0}
+ };
+ 
+@@ -130,7 +130,7 @@ static struct ctl_table_header *ipsec_ta
+ 
+ int ipsec_sysctl_register(void)
+ {
+-        ipsec_table_header = register_sysctl_table(ipsec_root_table, 0);
++        ipsec_table_header = register_sysctl_table(ipsec_root_table);
+         if (!ipsec_table_header) {
+                 return -ENOMEM;
+ 	}

package/openswan/linux-2.6.21.5-openswan-2.4.8.kernel-2.6-natt.patch

@@ -0,0 +1,126 @@
+diff -rduNp linux-2.6.21.5.orig/include/net/xfrmudp.h linux-2.6.21.5/include/net/xfrmudp.h
+--- linux-2.6.21.5.orig/include/net/xfrmudp.h	1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.21.5/include/net/xfrmudp.h	2007-06-21 10:53:38.000000000 +0200
+@@ -0,0 +1,10 @@
++/*
++ * pointer to function for type that xfrm4_input wants, to permit
++ * decoupling of XFRM from udp.c
++ */
++#define HAVE_XFRM4_UDP_REGISTER
++
++typedef int (*xfrm4_rcv_encap_t)(struct sk_buff *skb, __u16 encap_type);
++extern int udp4_register_esp_rcvencap(xfrm4_rcv_encap_t func
++				      , xfrm4_rcv_encap_t *oldfunc);
++extern int udp4_unregister_esp_rcvencap(xfrm4_rcv_encap_t func);
+diff -rduNp linux-2.6.21.5.orig/net/ipv4/Kconfig linux-2.6.21.5/net/ipv4/Kconfig
+--- linux-2.6.21.5.orig/net/ipv4/Kconfig	2007-06-11 20:37:06.000000000 +0200
++++ linux-2.6.21.5/net/ipv4/Kconfig	2007-06-21 10:53:38.000000000 +0200
+@@ -349,6 +349,12 @@ config SYN_COOKIES
+ 	  be taken as absolute truth.
+ 
+ 	  SYN cookies may prevent correct error reporting on clients when the
++config IPSEC_NAT_TRAVERSAL
++	bool "IPSEC NAT-Traversal (KLIPS compatible)"
++	depends on INET
++	---help---
++          Includes support for RFC3947/RFC3948 NAT-Traversal of ESP over UDP.
++
+ 	  server is really overloaded. If this happens frequently better turn
+ 	  them off.
+ 
+diff -rduNp linux-2.6.21.5.orig/net/ipv4/udp.c linux-2.6.21.5/net/ipv4/udp.c
+--- linux-2.6.21.5.orig/net/ipv4/udp.c	2007-06-11 20:37:06.000000000 +0200
++++ linux-2.6.21.5/net/ipv4/udp.c	2007-06-21 10:56:18.000000000 +0200
+@@ -108,6 +108,7 @@
+  */
+ 
+ DEFINE_SNMP_STAT(struct udp_mib, udp_statistics) __read_mostly;
++#include <net/xfrmudp.h>
+ 
+ struct hlist_head udp_hash[UDP_HTABLE_SIZE];
+ DEFINE_RWLOCK(udp_hash_lock);
+@@ -915,6 +916,44 @@ int udp_disconnect(struct sock *sk, int 
+ 	return 0;
+ }
+ 
++#if defined(CONFIG_XFRM) || defined(CONFIG_IPSEC_NAT_TRAVERSAL)
++
++/* if XFRM isn't a module, then register it directly. */
++#if !defined(CONFIG_XFRM_MODULE) 
++static xfrm4_rcv_encap_t xfrm4_rcv_encap_func = xfrm4_rcv_encap;
++#else
++static xfrm4_rcv_encap_t xfrm4_rcv_encap_func = NULL;
++#endif
++
++static xfrm4_rcv_encap_t xfrm4_rcv_encap_func;
++
++int udp4_register_esp_rcvencap(xfrm4_rcv_encap_t func
++			       , xfrm4_rcv_encap_t *oldfunc)
++{
++  if(oldfunc != NULL) {
++    *oldfunc = xfrm4_rcv_encap_func;
++  }
++
++#if 0
++  if(xfrm4_rcv_encap_func != NULL)
++    return -1;
++#endif
++
++  xfrm4_rcv_encap_func = func;
++  return 0;
++}
++
++int udp4_unregister_esp_rcvencap(xfrm4_rcv_encap_t func)
++{
++  if(xfrm4_rcv_encap_func != func)
++    return -1;
++
++  xfrm4_rcv_encap_func = NULL;
++  return 0;
++}
++#endif /* CONFIG_XFRM || defined(CONFIG_IPSEC_NAT_TRAVERSAL)*/
++
++
+ /* return:
+  * 	1  if the the UDP system should process it
+  *	0  if we should drop this packet
+@@ -922,9 +961,9 @@ int udp_disconnect(struct sock *sk, int 
+  */
+ static int udp_encap_rcv(struct sock * sk, struct sk_buff *skb)
+ {
+-#ifndef CONFIG_XFRM
++#if !defined(CONFIG_XFRM) && !defined(CONFIG_IPSEC_NAT_TRAVERSAL)
+ 	return 1;
+-#else
++#else /* either CONFIG_XFRM or CONFIG_IPSEC_NAT_TRAVERSAL */
+ 	struct udp_sock *up = udp_sk(sk);
+ 	struct udphdr *uh;
+ 	struct iphdr *iph;
+@@ -1052,9 +1091,14 @@ int udp_queue_rcv_skb(struct sock * sk, 
+ 		}
+ 		if (ret < 0) {
+ 			/* process the ESP packet */
+-			ret = xfrm4_rcv_encap(skb, up->encap_type);
+-			UDP_INC_STATS_BH(UDP_MIB_INDATAGRAMS, up->pcflag);
+-			return -ret;
++			if (xfrm4_rcv_encap_func != NULL) {
++				ret = (*xfrm4_rcv_encap_func)(skb, up->encap_type);
++				UDP_INC_STATS_BH(UDP_MIB_INDATAGRAMS, up->pcflag);
++			} else {
++				UDP_INC_STATS_BH(UDP_MIB_INERRORS, up->pcflag);
++				ret = 1;
++			}
++			return ret;
+ 		}
+ 		/* FALLTHROUGH -- it's a UDP Packet */
+ 	}
+@@ -1733,3 +1777,9 @@ EXPORT_SYMBOL(udp_poll);
+ EXPORT_SYMBOL(udp_proc_register);
+ EXPORT_SYMBOL(udp_proc_unregister);
+ #endif
++
++#if defined(CONFIG_IPSEC_NAT_TRAVERSAL)
++EXPORT_SYMBOL(udp4_register_esp_rcvencap);
++EXPORT_SYMBOL(udp4_unregister_esp_rcvencap);
++#endif
++

package/openswan/openswan-2.4.7-005-pluto.patch

@@ -31,19 +31,6 @@ diff -urp openswan-2.4.7.orig/programs/pluto/connections.c openswan-2.4.7/progra
      if (isanyaddr(&b->our_client) || isanyaddr(&b->peer_client))
      {
  	cannot_oppo(NULL, b, "impossible IP address");
-@@ -3069,10 +3070,11 @@ initiate_opportunistic_body(struct find_
- 		    }
- #endif
- 		    c->gw_info->key->last_tried_time = now();
-+#ifdef DEBUG
- 		    openswan_log("initiate on demand from %s:%d to %s:%d proto=%d state: %s because: %s"
- 				 , ours, ourport, his, hisport, b->transport_proto
- 				 , oppo_step_name[b->step], b->want);
--
-+#endif
- 		    ipsecdoi_initiate(b->whackfd, c, c->policy, 1
- 				      , SOS_NOBODY, pcim_local_crypto);
- 		    b->whackfd = NULL_FD;	/* protect from close */
 @@ -4465,6 +4467,7 @@ show_connections_status(void)
  		      , c->dpd_delay, c->dpd_timeout);
  	}

package/openswan/openswan.mk

@@ -6,7 +6,7 @@
 # to enable that within busybox
 #
 #############################################################
-OPENSWAN_VERSION:=2.4.7
+OPENSWAN_VERSION:=2.4.8
 OPENSWAN_SOURCE:=openswan-$(OPENSWAN_VERSION).tar.gz
 OPENSWAN_SITE:=http://www.openswan.org/download/
 OPENSWAN_DIR:=$(BUILD_DIR)/openswan-$(OPENSWAN_VERSION)