authorPatrick Williams <patrick@stwcx.xyz>2016-08-17 15:04:38 -0500
committerPatrick Williams <patrick@stwcx.xyz>2016-08-22 16:43:32 +0000
commitb48b7b4109868a8c0ddda090992e936e821c7ea6 (patch)
tree696be8ea782f2548c0f63bb0188f4c8d3eeed681 /import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools
parentd849ec78de728ef9a2d383b92ccfeabf40f8f1d0 (diff)
Squashed 'import-layers/meta-openembedded/' content from commit 247b126
Change-Id: I40827e9ce5fba63f1cca2a0be44976ae8383b4c0 git-subtree-dir: import-layers/meta-openembedded git-subtree-split: 247b1267bbe95719cd4877d2d3cfbaf2a2f4865a Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Diffstat (limited to 'import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools')
-rw-r--r--import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-racoon-pfkey-avoid-potential-null-pointer-dereferenc.patch33
-rw-r--r--import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0002-Don-t-link-against-libfl.patch87
-rw-r--r--import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/configure.patch13
-rw-r--r--import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/fix-CVE-2015-4047.patch36
-rw-r--r--import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/glibc-2.20.patch23
-rw-r--r--import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-Resend-UPDATE-message-when-received-EINTR-message.patch220
-rw-r--r--import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-ivm.patch26
-rw-r--r--import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-pointers.patch61
-rw-r--r--import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.conf8
-rw-r--r--import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.conf.sample40
-rw-r--r--import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.service11
-rw-r--r--import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools_0.8.2.bb92
12 files changed, 650 insertions, 0 deletions
diff --git a/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-racoon-pfkey-avoid-potential-null-pointer-dereferenc.patch b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-racoon-pfkey-avoid-potential-null-pointer-dereferenc.patch
new file mode 100644
index 000000000..d5602c03d
--- /dev/null
+++ b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-racoon-pfkey-avoid-potential-null-pointer-dereferenc.patch
@@ -0,0 +1,33 @@
+From 738a9857be9c92ad2f70be88ccee238e3154a936 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe.macdonald@windriver.com>
+Date: Wed, 2 Oct 2013 14:20:37 -0400
+Subject: [PATCH] racoon/pfkey: avoid potential null-pointer dereference
+
+Building with -Werror=maybe-uninitialized revealed that 'remote' from
+pk_recvmigrate() could be used with uninitialized data in
+migrate_sp_ike_addresses(). Ensure it is always at a minimum assigned
+NULL.
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
+---
+ src/racoon/pfkey.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/racoon/pfkey.c b/src/racoon/pfkey.c
+index d00b166..e0dc1db 100644
+--- a/src/racoon/pfkey.c
++++ b/src/racoon/pfkey.c
+@@ -3352,7 +3352,7 @@ pk_recvmigrate(mhp)
+ struct sockaddr *old_saddr, *new_saddr;
+ struct sockaddr *old_daddr, *new_daddr;
+ struct sockaddr *old_local, *old_remote;
+- struct sockaddr *local, *remote;
++ struct sockaddr *local, *remote = NULL;
+ struct sadb_x_kmaddress *kmaddr;
+ struct sadb_x_policy *xpl;
+ struct sadb_x_ipsecrequest *xisr_list;
+--
+1.7.9.5
+
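Review bot: Initialising `remote` to NULL in pk_recvmigrate() silences -Werror=maybe-uninitialized but only trades an indeterminate pointer for a NULL one; the subject line promises that a dereference is avoided, and that holds only if migrate_sp_ike_addresses() checks for NULL, which this hunk does not show. `local` shares the declaration and stays uninitialised, so if it is assigned on the same paths as `remote` it deserves the same treatment: `struct sockaddr *local = NULL, *remote = NULL;`. A short comment on that line naming the path on which `remote` is never assigned would let a later reader confirm the callee copes with NULL. The function body continues outside the hunk.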
diff --git a/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0002-Don-t-link-against-libfl.patch b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0002-Don-t-link-against-libfl.patch
new file mode 100644
index 000000000..13e9d73fc
--- /dev/null
+++ b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0002-Don-t-link-against-libfl.patch
@@ -0,0 +1,87 @@
+From e48b9097dce7bc2bfbb9e9c542124d3b5cebab39 Mon Sep 17 00:00:00 2001
+From: Paul Barker <paul@paulbarker.me.uk>
+Date: Wed, 5 Mar 2014 13:39:14 +0000
+Subject: [PATCH] Don't link against libfl
+
+We can remove all references to yywrap by adding "%option noyywrap" statements
+to each flex source file that doesn't override yywrap. After this, we no longer
+need to link against libfl and so no longer get errors about undefined
+references to yylex.
+
+Signed-off-by: Paul Barker <paul@paulbarker.me.uk>
+Upstream-status: Submitted 2014-03-11
+ see http://sourceforge.net/p/ipsec-tools/mailman/ipsec-tools-devel/thread/CANyK_8ewmxGA3vBVJW6s1APXPmxPR%2BDFWZ61EL8pCt288aKQ6w%40mail.gmail.com/#msg32088797
+---
+ src/libipsec/Makefile.am | 1 -
+ src/racoon/Makefile.am | 2 +-
+ src/racoon/cftoken.l | 2 ++
+ src/setkey/Makefile.am | 1 -
+ src/setkey/token.l | 2 ++
+ 5 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/libipsec/Makefile.am b/src/libipsec/Makefile.am
+index 6a4e3b3..df1e106 100644
+--- a/src/libipsec/Makefile.am
++++ b/src/libipsec/Makefile.am
+@@ -26,7 +26,6 @@ libipsec_la_SOURCES = \
+ # version is current:revision:age.
+ # See: http://www.gnu.org/manual/libtool-1.4.2/html_chapter/libtool_6.html#SEC32
+ libipsec_la_LDFLAGS = -version-info 0:1:0
+-libipsec_la_LIBADD = $(LEXLIB)
+
+ noinst_HEADERS = ipsec_strerror.h
+
+diff --git a/src/racoon/Makefile.am b/src/racoon/Makefile.am
+index dbaded9..0662957 100644
+--- a/src/racoon/Makefile.am
++++ b/src/racoon/Makefile.am
+@@ -38,7 +38,7 @@ racoon_SOURCES = \
+ cftoken.l cfparse.y prsa_tok.l prsa_par.y
+ EXTRA_racoon_SOURCES = isakmp_xauth.c isakmp_cfg.c isakmp_unity.c throttle.c \
+ isakmp_frag.c nattraversal.c security.c $(MISSING_ALGOS)
+-racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(LEXLIB) \
++racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) \
+ $(SECCTX_OBJS) vmbuf.o sockmisc.o misc.o ../libipsec/libipsec.la
+ racoon_DEPENDENCIES = \
+ $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(SECCTX_OBJS) \
+diff --git a/src/racoon/cftoken.l b/src/racoon/cftoken.l
+index 490242c..1701922 100644
+--- a/src/racoon/cftoken.l
++++ b/src/racoon/cftoken.l
+@@ -106,6 +106,8 @@ static int incstackp = 0;
+ static int yy_first_time = 1;
+ %}
+
++%option noyywrap
++
+ /* common seciton */
+ nl \n
+ ws [ \t]+
+diff --git a/src/setkey/Makefile.am b/src/setkey/Makefile.am
+index 746c1f1..389e6cf 100644
+--- a/src/setkey/Makefile.am
++++ b/src/setkey/Makefile.am
+@@ -13,7 +13,6 @@ setkey_SOURCES = \
+
+ setkey_LDFLAGS = ../libipsec/libipsec.la
+ setkey_DEPENDENCIES = ../libipsec/libipsec.la
+-setkey_LDADD = $(LEXLIB)
+
+ noinst_HEADERS = vchar.h extern.h
+ man8_MANS = setkey.8
+diff --git a/src/setkey/token.l b/src/setkey/token.l
+index ad3d843..eb23b76 100644
+--- a/src/setkey/token.l
++++ b/src/setkey/token.l
+@@ -88,6 +88,8 @@
+ #endif
+ %}
+
++%option noyywrap
++
+ /* common section */
+ nl \n
+ ws [ \t]+
+--
+1.9.0
+
diff --git a/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/configure.patch b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/configure.patch
new file mode 100644
index 000000000..8d270a62b
--- /dev/null
+++ b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/configure.patch
@@ -0,0 +1,13 @@
+Index: ipsec-tools-0.8.1/configure.ac
+===================================================================
+--- ipsec-tools-0.8.1.orig/configure.ac 2013-01-08 12:43:29.000000000 +0000
++++ ipsec-tools-0.8.1/configure.ac 2014-07-18 07:51:30.045555880 +0000
+@@ -6,7 +6,7 @@
+ AC_CONFIG_SRCDIR([configure.ac])
+ AC_CONFIG_HEADERS(config.h)
+
+-AM_INIT_AUTOMAKE(dist-bzip2)
++AM_INIT_AUTOMAKE([foreign dist-bzip2])
+
+ AC_ENABLE_SHARED(no)
+
diff --git a/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/fix-CVE-2015-4047.patch b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/fix-CVE-2015-4047.patch
new file mode 100644
index 000000000..5286376ac
--- /dev/null
+++ b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/fix-CVE-2015-4047.patch
@@ -0,0 +1,36 @@
+[PATCH] fix CVE-2015-4047
+
+Upstream-Status: Backport
+
+http://www.openwall.com/lists/oss-security/2015/05/20/1
+
+racoon/gssapi.c in IPsec-Tools 0.8.2 allows remote attackers to cause
+a denial of service (NULL pointer dereference and IKE daemon crash) via
+a series of crafted UDP requests.
+
+https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4047
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+---
+ src/racoon/gssapi.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/racoon/gssapi.c b/src/racoon/gssapi.c
+index e64b201..1ad3b42 100644
+--- a/src/racoon/gssapi.c
++++ b/src/racoon/gssapi.c
+@@ -192,6 +192,11 @@ gssapi_init(struct ph1handle *iph1)
+ gss_name_t princ, canon_princ;
+ OM_uint32 maj_stat, min_stat;
+
++ if (iph1->rmconf == NULL) {
++ plog(LLV_ERROR, LOCATION, NULL, "no remote config\n");
++ return -1;
++ }
++
+ gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state));
+ if (gps == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n");
+--
+1.9.1
+
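Review bot: The new guard in gssapi_init() logs `"no remote config\n"` with a NULL address argument, so the one log line that marks a CVE-2015-4047-style request cannot be tied to the peer that sent it. If the phase 1 handle carries the peer address at this point (racoon keeps it in `iph1->remote`; not visible in this hunk), passing it gives operators something to alert and rate-limit on: `plog(LLV_ERROR, LOCATION, iph1->remote, "no remote config\n");`. The same applies to the NULL-address error logs added to isakmp_cfg.c by racoon-check-invalid-ivm.patch and racoon-check-invalid-pointers.patch. The early return sits before the racoon_calloc() call, so nothing is leaked on this path.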
diff --git a/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/glibc-2.20.patch b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/glibc-2.20.patch
new file mode 100644
index 000000000..36efc4917
--- /dev/null
+++ b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/glibc-2.20.patch
@@ -0,0 +1,23 @@
+squahes below warning
+ warning: #warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use _DEFAULT_SOURCE"
+
+Seen with glibc 2.20
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Upstream-Status: Pending
+Index: ipsec-tools-0.8.2/src/include-glibc/glibc-bugs.h
+===================================================================
+--- ipsec-tools-0.8.2.orig/src/include-glibc/glibc-bugs.h 2006-09-09 09:22:08.000000000 -0700
++++ ipsec-tools-0.8.2/src/include-glibc/glibc-bugs.h 2014-09-03 22:27:22.551563888 -0700
+@@ -4,7 +4,11 @@
+ #define __GLIBC_BUGS_H__ 1
+
+ #define _XOPEN_SOURCE 500
++/* Legacy feature macro.*/
+ #define _BSD_SOURCE
++/* New feature macro that provides everything _BSD_SOURCE and
++ * _SVID_SOURCE provided and possibly more. */
++#define _DEFAULT_SOURCE
+
+ #include <features.h>
+ #include <sys/types.h>
diff --git a/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-Resend-UPDATE-message-when-received-EINTR-message.patch b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-Resend-UPDATE-message-when-received-EINTR-message.patch
new file mode 100644
index 000000000..e82db087c
--- /dev/null
+++ b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-Resend-UPDATE-message-when-received-EINTR-message.patch
@@ -0,0 +1,220 @@
+racoon: Resend UPDATE message when received EINTR message
+
+Upstream-Status: Pending
+
+While kernel is processing the UPDATE message which is sent from racoon,
+it maybe interrupted by system signal and if this case happens,
+kernel responds with an EINTR message to racoon and kernel fails to
+establish the corresponding SA.
+Fix this problem by resend the UPDATE message when EINTR(Interrupted
+system call) error happens.
+
+Signed-off-by: Xufeng Zhang <xufeng.zhang@windriver.com>
+---
+--- a/src/libipsec/libpfkey.h
++++ b/src/libipsec/libpfkey.h
+@@ -92,6 +92,12 @@
+ u_int16_t ctxstrlen; /* length of security context string */
+ };
+
++struct update_msg_info {
++ struct sadb_msg *update_msg;
++ int so;
++ int len;
++};
++
+ /* The options built into libipsec */
+ extern int libipsec_opt;
+ #define LIBIPSEC_OPT_NATT 0x01
+--- a/src/libipsec/pfkey.c
++++ b/src/libipsec/pfkey.c
+@@ -1219,7 +1219,8 @@
+ }
+ #endif
+
+-
++struct update_msg_info update_msg_send = {NULL, 0, 0};
++
+ /* sending SADB_ADD or SADB_UPDATE message to the kernel */
+ static int
+ pfkey_send_x1(struct pfkey_send_sa_args *sa_parms)
+@@ -1483,10 +1484,24 @@
+
+ /* send message */
+ len = pfkey_send(sa_parms->so, newmsg, len);
+- free(newmsg);
+
+- if (len < 0)
+- return -1;
++ if (newmsg->sadb_msg_type == SADB_UPDATE) {
++ if (update_msg_send.update_msg)
++ free(update_msg_send.update_msg);
++ update_msg_send.update_msg = newmsg;
++ update_msg_send.so = sa_parms->so;
++ update_msg_send.len = len;
++
++ if (len < 0) {
++ free(update_msg_send.update_msg);
++ update_msg_send.update_msg = NULL;
++ return -1;
++ }
++ } else {
++ free(newmsg);
++ if (len < 0)
++ return -1;
++ }
+
+ __ipsec_errcode = EIPSEC_NO_ERROR;
+ return len;
+--- a/src/racoon/session.c
++++ b/src/racoon/session.c
+@@ -100,6 +100,8 @@
+
+ #include "sainfo.h"
+
++extern struct update_msg_info update_msg_send;
++
+ struct fd_monitor {
+ int (*callback)(void *ctx, int fd);
+ void *ctx;
+@@ -348,6 +350,11 @@
+ close_sockets();
+ backupsa_clean();
+
++ if (update_msg_send.update_msg) {
++ free(update_msg_send.update_msg);
++ update_msg_send.update_msg = NULL;
++ }
++
+ plog(LLV_INFO, LOCATION, NULL, "racoon process %d shutdown\n", getpid());
+
+ exit(0);
+--- a/src/racoon/pfkey.c
++++ b/src/racoon/pfkey.c
+@@ -103,10 +103,12 @@
+ #include "crypto_openssl.h"
+ #include "grabmyaddr.h"
++#include "../libipsec/libpfkey.h"
+
+ #if defined(SADB_X_EALG_RIJNDAELCBC) && !defined(SADB_X_EALG_AESCBC)
+ #define SADB_X_EALG_AESCBC SADB_X_EALG_RIJNDAELCBC
+ #endif
+
++extern struct update_msg_info update_msg_send;
+ /* prototype */
+ static u_int ipsecdoi2pfkey_aalg __P((u_int));
+ static u_int ipsecdoi2pfkey_ealg __P((u_int));
+@@ -253,6 +255,13 @@
+ s_pfkey_type(msg->sadb_msg_type),
+ strerror(msg->sadb_msg_errno));
+
++ if (msg->sadb_msg_errno == EINTR &&
++ update_msg_send.update_msg) {
++ plog(LLV_DEBUG, LOCATION, NULL,
++ "pfkey update resend\n");
++ send(update_msg_send.so, (void *)update_msg_send.update_msg, (socklen_t)update_msg_send.len, 0);
++ }
++
+ goto end;
+ }
+
+@@ -498,6 +507,11 @@
+ {
+ flushsp();
+
++ if (update_msg_send.update_msg) {
++ free(update_msg_send.update_msg);
++ update_msg_send.update_msg = NULL;
++ }
++
+ if (pfkey_send_spddump(lcconf->sock_pfkey) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "libipsec sending spddump failed: %s\n",
+@@ -1295,6 +1309,8 @@
+ return 0;
+ }
+
++int update_received = 0;
++
+ static int
+ pk_recvupdate(mhp)
+ caddr_t *mhp;
+@@ -1307,6 +1323,13 @@
+ int incomplete = 0;
+ struct saproto *pr;
+
++ update_received = 1;
++
++ if (update_msg_send.update_msg) {
++ free(update_msg_send.update_msg);
++ update_msg_send.update_msg = NULL;
++ }
++
+ /* ignore this message because of local test mode. */
+ if (f_local)
+ return 0;
+@@ -4163,3 +4186,8 @@
+
+ return buf;
+ }
++
++int receive_from_isakmp()
++{
++ return pfkey_handler(NULL, lcconf->sock_pfkey);
++}
+--- a/src/racoon/pfkey.h
++++ b/src/racoon/pfkey.h
+@@ -71,5 +71,6 @@
+ extern u_int32_t pk_getseq __P((void));
+ extern const char *sadbsecas2str
+ __P((struct sockaddr *, struct sockaddr *, int, u_int32_t, int));
++extern int receive_from_isakmp __P((void));
+
+ #endif /* _PFKEY_H */
+--- a/src/racoon/isakmp_quick.c
++++ b/src/racoon/isakmp_quick.c
+@@ -774,6 +774,8 @@
+ return error;
+ }
+
++extern int update_received;
++
+ /*
+ * send to responder
+ * HDR*, HASH(3)
+@@ -892,6 +894,11 @@
+ }
+ plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
+
++ while (!update_received)
++ receive_from_isakmp();
++
++ update_received = 0;
++
+ /* Do ADD for responder */
+ if (pk_sendadd(iph2) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
+@@ -1035,6 +1042,11 @@
+ }
+ plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
+
++ while (!update_received)
++ receive_from_isakmp();
++
++ update_received = 0;
++
+ /* Do ADD for responder */
+ if (pk_sendadd(iph2) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
+@@ -1989,6 +2001,11 @@
+ }
+ plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
+
++ while (!update_received)
++ receive_from_isakmp();
++
++ update_received = 0;
++
+ /* Do ADD for responder */
+ if (pk_sendadd(iph2) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
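Review bot: The three `while (!update_received) receive_from_isakmp();` loops added to isakmp_quick.c can only end when pk_recvupdate() runs, so the IKE daemon stops serving every other peer until the kernel acknowledges this one UPDATE. In the pfkey.c error branch only EINTR is handled and control then reaches `goto end`, so any other kernel error on the UPDATE, or a failed resend (the `send()` result is discarded), appears to leave `update_received` at 0 and the wait never returns; the branch's enclosing function is outside the hunk, so this is inferred. The flag is also a bare global with no link to the message sequence number, so an acknowledgement for a different SA would release the wait. I would make the error branch release the waiter with a failure value and have each loop test it, as sketched below. `update_received` then has to be declared above the error branch rather than next to pk_recvupdate().

```c
/* src/racoon/pfkey.c: error branch that currently handles only EINTR */
		if (msg->sadb_msg_errno == EINTR &&
		    update_msg_send.update_msg) {
			/* … unchanged: "pfkey update resend" debug log … */
			if (send(update_msg_send.so, (void *)update_msg_send.update_msg,
			    (socklen_t)update_msg_send.len, 0) < 0)
				update_received = -1;	/* resend failed: release the waiter */
		} else if (msg->sadb_msg_type == SADB_UPDATE) {
			update_received = -1;		/* kernel rejected the UPDATE */
		}

/* src/racoon/isakmp_quick.c: each of the three wait loops */
	while (update_received == 0)
		receive_from_isakmp();

	if (update_received < 0) {
		update_received = 0;
		plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n");
		/* … leave through the same error path as the pk_sendadd() failure below … */
	}
	update_received = 0;
```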
diff --git a/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-ivm.patch b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-ivm.patch
new file mode 100644
index 000000000..e272bc20f
--- /dev/null
+++ b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-ivm.patch
@@ -0,0 +1,26 @@
+Subject: [PATCH] ipsec-tools: racoon: check several invalid ivm
+
+Upstream-Status: Pending
+
+Add checking for invalid ivm, or it will crash racoon.
+
+Signed-off-by: Ming Liu <ming.liu@windriver.com>
+---
+ isakmp_cfg.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff -urpN a/src/racoon/isakmp_cfg.c b/src/racoon/isakmp_cfg.c
+--- a/src/racoon/isakmp_cfg.c
++++ b/src/racoon/isakmp_cfg.c
+@@ -171,6 +171,11 @@ isakmp_cfg_r(iph1, msg)
+ iph1->mode_cfg->last_msgid != packet->msgid )
+ iph1->mode_cfg->ivm =
+ isakmp_cfg_newiv(iph1, packet->msgid);
++ if(iph1->mode_cfg->ivm == NULL) {
++ plog(LLV_ERROR, LOCATION, NULL,
++ "failed to create new IV\n");
++ return;
++ }
+ ivm = iph1->mode_cfg->ivm;
+
+ dmsg = oakley_do_decrypt(iph1, msg, ivm->iv, ivm->ive);
diff --git a/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-pointers.patch b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-pointers.patch
new file mode 100644
index 000000000..de1bdb407
--- /dev/null
+++ b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-pointers.patch
@@ -0,0 +1,61 @@
+Subject: [PATCH] ipsec-tools: racoon: check several invalid pointers
+
+Upstream-Status: Pending
+
+Add checking for invalid pointers, or it will crash racoon.
+
+Signed-off-by: Ming Liu <ming.liu@windriver.com>
+---
+ ipsec_doi.c | 5 +++--
+ isakmp_cfg.c | 7 +++++++
+ isakmp_quick.c | 6 ++++--
+ 3 files changed, 14 insertions(+), 4 deletions(-)
+
+diff -urpN a/src/racoon/ipsec_doi.c b/src/racoon/ipsec_doi.c
+--- a/src/racoon/ipsec_doi.c
++++ b/src/racoon/ipsec_doi.c
+@@ -3374,8 +3374,9 @@ ipsecdoi_chkcmpids( idt, ids, exact )
+
+ /* handle wildcard IDs */
+
+- if (idt == NULL || ids == NULL)
+- {
++ if (idt == NULL || ids == NULL ||
++ idt->v == NULL || idt->l == 0 ||
++ ids->v == NULL || ids->l == 0) {
+ if( !exact )
+ {
+ plog(LLV_DEBUG, LOCATION, NULL,
+diff -urpN a/src/racoon/isakmp_cfg.c b/src/racoon/isakmp_cfg.c
+--- a/src/racoon/isakmp_cfg.c
++++ b/src/racoon/isakmp_cfg.c
+@@ -1138,6 +1138,13 @@ isakmp_cfg_newiv(iph1, msgid)
+ return NULL;
+ }
+
++ if (iph1->ivm == NULL || iph1->ivm->iv == NULL ||
++ iph1->ivm->iv->v == NULL || iph1->ivm->iv->l == 0) {
++ plog(LLV_ERROR, LOCATION, NULL,
++ "isakmp_cfg_newiv called with invalid IV management\n");
++ return NULL;
++ }
++
+ if (ics->ivm != NULL)
+ oakley_delivm(ics->ivm);
+
+diff -urpN a/src/racoon/isakmp_quick.c b/src/racoon/isakmp_quick.c
+--- a/src/racoon/isakmp_quick.c
++++ b/src/racoon/isakmp_quick.c
+@@ -2243,8 +2243,10 @@ get_proposal_r(iph2)
+ int error = ISAKMP_INTERNAL_ERROR;
+
+ /* check the existence of ID payload */
+- if ((iph2->id_p != NULL && iph2->id == NULL)
+- || (iph2->id_p == NULL && iph2->id != NULL)) {
++ if ((iph2->id_p != NULL &&
++ (iph2->id == NULL || iph2->id->v == NULL || iph2->id->l == 0)) ||
++ (iph2->id != NULL &&
++ (iph2->id_p == NULL || iph2->id_p->v == NULL || iph2->id_p->l == 0))) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "Both IDs wasn't found in payload.\n");
+ return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
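Review bot: In ipsecdoi_chkcmpids() the widened condition sends an ID whose buffer is NULL or zero-length into the branch commented `/* handle wildcard IDs */`, so a malformed ID is now treated like an absent one. The rest of that branch is outside the hunk, but if the `!exact` path reports a match, an empty ID from the peer would be accepted as a wildcard instead of being rejected, which is a policy change on top of the crash fix. I would keep `if (idt == NULL || ids == NULL)` for the wildcard case and reject the malformed case separately before it, returning the function's mismatch value and logging at LLV_ERROR. A comment such as `/* present but empty ID: malformed, never a wildcard */` on the new check would record the distinction.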
diff --git a/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.conf b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.conf
new file mode 100644
index 000000000..6b507508b
--- /dev/null
+++ b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.conf
@@ -0,0 +1,8 @@
+# Defaults for racoon service
+# sourced by racoon.service
+# installed at /etc/default/racoon by the maintainer scripts
+#
+# This is a POSIX shell fragment
+#
+# Arguments to pass to racoon
+RACOON_ARGS=""
diff --git a/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.conf.sample b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.conf.sample
new file mode 100644
index 000000000..2948a4a35
--- /dev/null
+++ b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.conf.sample
@@ -0,0 +1,40 @@
+#
+# NOTE: This file will not be used if you use racoon-tool(8) to manage your
+# IPsec connections. racoon-tool will process racoon-tool.conf(5) and
+# generate a configuration (/var/lib/racoon/racoon.conf) and use it, instead
+# of this file.
+#
+# Simple racoon.conf
+#
+#
+# Please look in /usr/share/doc/racoon/examples for
+# examples that come with the source.
+#
+# Please read racoon.conf(5) for details, and alsoread setkey(8).
+#
+#
+# Also read the Linux IPSEC Howto up at
+# http://www.ipsec-howto.org/t1.html
+#
+log notify;
+path pre_shared_key "/etc/racoon/psk.txt";
+path certificate "/etc/racoon/certs";
+
+#remote 172.31.1.1 {
+# exchange_mode main,aggressive;
+# proposal {
+# encryption_algorithm 3des;
+# hash_algorithm sha1;
+# authentication_method pre_shared_key;
+# dh_group modp1024;
+# }
+# generate_policy off;
+#}
+#
+#sainfo address 192.168.203.10[any] any address 192.168.22.0/24[any] any {
+# pfs_group modp768;
+# encryption_algorithm 3des;
+# authentication_algorithm hmac_md5;
+# compression_algorithm deflate;
+#}
+
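Review bot: The commented `remote` and `sainfo` examples advertise `exchange_mode main,aggressive` with `pre_shared_key`, `3des`, `sha1`, `hmac_md5`, `modp1024` and `pfs_group modp768`, and the recipe in this commit installs this file as the live racoon.conf, so uncommenting them is the obvious first step for a user. Aggressive mode exposes the pre-shared-key hash to offline guessing, and 768/1024-bit groups and MD5 are below current guidance. I would either update the examples (`encryption_algorithm aes;`, `hash_algorithm sha256;`, `dh_group modp2048;`, `exchange_mode main;`) or add a comment above them: `# Legacy example values, do not deploy as-is; choose algorithms per racoon.conf(5).` The header note about racoon-tool(8) describes Debian packaging; whether it applies to this image is not shown.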
diff --git a/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.service b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.service
new file mode 100644
index 000000000..a10e77027
--- /dev/null
+++ b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Racoon IKEv1 key management daemon for IPSEC
+After=syslog.target network.target
+
+[Service]
+Type=forking
+EnvironmentFile=-@SYSCONFDIR@/default/racoon
+ExecStart=@SBINDIR@/racoon $RACOON_ARGS
+
+[Install]
+WantedBy=multi-user.target
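Review bot: The unit sets `Type=forking` without a `PIDFile=`, so systemd has to guess the main process, and there is no `Restart=` policy even though several patches in this commit exist because malformed peer input can crash racoon. Adding `Restart=on-failure` keeps tunnels from staying down after a crash, and `PIDFile=` should point at wherever this build writes its pid file (path not shown here). `After=syslog.target` is obsolete on current systemd and can be dropped. The comment in the defaults file calls it a POSIX shell fragment, but `EnvironmentFile=` does not run a shell, so `RACOON_ARGS` must be a plain `KEY=value` assignment.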
diff --git a/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools_0.8.2.bb b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools_0.8.2.bb
new file mode 100644
index 000000000..d9f121273
--- /dev/null
+++ b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools_0.8.2.bb
@@ -0,0 +1,92 @@
+DESCRIPTION = "IPsec-Tools is a port of KAME's IPsec utilities to the \
+Linux-2.6 IPsec implementation."
+HOMEPAGE = "http://ipsec-tools.sourceforge.net/"
+SECTION = "net"
+LICENSE = "BSD"
+LIC_FILES_CHKSUM = "file://src/libipsec/pfkey.c;beginline=6;endline=31;md5=bc9b7ff40beff19fe6bc6aef26bd2b24"
+
+DEPENDS = "virtual/kernel openssl readline flex-native bison-native"
+
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+SRC_URI = "ftp://ftp.netbsd.org/pub/NetBSD/misc/ipsec-tools/0.8/ipsec-tools-${PV}.tar.bz2 \
+ file://0002-Don-t-link-against-libfl.patch \
+ file://configure.patch \
+ file://0001-racoon-pfkey-avoid-potential-null-pointer-dereferenc.patch \
+ file://racoon-check-invalid-pointers.patch \
+ file://racoon-check-invalid-ivm.patch \
+ file://glibc-2.20.patch \
+ file://racoon-Resend-UPDATE-message-when-received-EINTR-message.patch \
+ file://racoon.conf.sample \
+ file://racoon.conf \
+ file://racoon.service \
+ file://fix-CVE-2015-4047.patch \
+ "
+SRC_URI[md5sum] = "d53ec14a0a3ece64e09e5e34b3350b41"
+SRC_URI[sha256sum] = "8eb6b38716e2f3a8a72f1f549c9444c2bc28d52c9536792690564c74fe722f2d"
+
+inherit autotools systemd
+
+# Options:
+# --enable-adminport enable admin port
+# --enable-rc5 enable RC5 encryption (patented)
+# --enable-idea enable IDEA encryption (patented)
+# --enable-gssapi enable GSS-API authentication
+# --enable-hybrid enable hybrid, both mode-cfg and xauth support
+# --enable-frag enable IKE fragmentation payload support
+# --enable-stats enable statistics logging function
+# --enable-dpd enable dead peer detection
+# --enable-samode-unspec enable to use unspecified a mode of SA
+# --disable-ipv6 disable ipv6 support
+# --enable-natt enable NAT-Traversal (yes/no/kernel)
+# --enable-natt-versions=list list of supported NAT-T versions delimited by coma.
+# --with-kernel-headers=/lib/modules/<uname>/build/include
+# where your Linux Kernel headers are installed
+# --with-readline support readline input (yes by default)
+# --with-flex use directiory (default: no)
+# --with-flexlib=<LIB> specify flex library.
+# --with-openssl=DIR specify OpenSSL directory
+# --with-libradius=DIR specify libradius path (like/usr/pkg)
+# --with-libpam=DIR specify libpam path (like/usr/pkg)
+#
+# Note: if you give it the actual kernel headers it won't build, it actually
+# needs to point at the linux-libc-headers version of the kernel headers.
+#
+EXTRA_OECONF = "--with-kernel-headers=${STAGING_INCDIR} \
+ --with-readline \
+ --with-openssl=${STAGING_LIBDIR}/.. \
+ --without-libradius \
+ --disable-security-context \
+ --enable-shared \
+ --enable-dpd \
+ --enable-natt=yes \
+ --sysconfdir=${sysconfdir}/racoon \
+ ${@base_contains('DISTRO_FEATURES', 'ipv6', '--enable-ipv6=yes', '', d)}"
+
+# See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530527
+CFLAGS += "-fno-strict-aliasing"
+
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[pam] = "--with-libpam,--without-libpam,libpam,"
+PACKAGECONFIG[selinux] = "--enable-security-context,--disable-security-context,libselinux,"
+
+SYSTEMD_SERVICE_${PN} = "racoon.service"
+
+do_install_append() {
+ install -d ${D}${sysconfdir}/racoon
+ install -m 0644 ${WORKDIR}/racoon.conf.sample ${D}${sysconfdir}/racoon/racoon.conf
+
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ install -d ${D}${systemd_unitdir}/system
+ install -m 0644 ${WORKDIR}/racoon.service ${D}${systemd_unitdir}/system
+
+ sed -i -e 's#@SYSCONFDIR@#${sysconfdir}#g' ${D}${systemd_unitdir}/system/racoon.service
+ sed -i -e 's#@SBINDIR@#${sbindir}#g' ${D}${systemd_unitdir}/system/racoon.service
+
+ install -d ${D}${sysconfdir}/default/
+ install -m 0644 ${WORKDIR}/racoon.conf ${D}${sysconfdir}/default/racoon
+ fi
+}
+
+FILES_${PN} += "${sysconfdir}/racoon/racoon.conf \
+ ${sysconfdir}/default/racoon"
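Review bot: `EXTRA_OECONF` hard-codes `--disable-security-context` while `PACKAGECONFIG[selinux]` already supplies `--enable-security-context` or `--disable-security-context`, so enabling the selinux option passes both flags to configure and the result depends on argument order. Dropping the `--disable-security-context \` line from `EXTRA_OECONF` leaves the choice to PACKAGECONFIG alone; `--without-libradius` could become a PACKAGECONFIG entry the same way. The ipv6 line still uses `base_contains` where do_install_append uses `bb.utils.contains`; `${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', '--enable-ipv6=yes', '', d)}` would make the file consistent. The tarball is fetched over ftp://, so the `SRC_URI[sha256sum]` value is the only integrity control and should be kept if the md5sum is ever dropped.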