CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2023-05-08 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Tue May  9 02:31:02 UTC 2023

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: crypto_openssl.c

Log Message:
Deal with OpenSSL-3.x


To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.29 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2023-05-08 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Tue May  9 02:31:02 UTC 2023

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: crypto_openssl.c

Log Message:
Deal with OpenSSL-3.x


To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.29 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.28 src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.29
--- src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.28	Sun Apr  1 18:59:57 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c	Mon May  8 22:31:02 2023
@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.c,v 1.28 2018/04/01 22:59:57 christos Exp $	*/
+/*	$NetBSD: crypto_openssl.c,v 1.29 2023/05/09 02:31:02 christos Exp $	*/
 
 /* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
 
@@ -876,7 +876,7 @@ eay_check_x509sign(source, sig, cert)
 		return -1;
 	}
 
-	res = eay_rsa_verify(source, sig, EVP_PKEY_get0_RSA(evp));
+	res = eay_rsa_verify(source, sig, __UNCONST(EVP_PKEY_get0_RSA(evp)));
 
 	EVP_PKEY_free(evp);
 	X509_free(x509);
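Review bot: `EVP_PKEY_get0_RSA(evp)` returns NULL when the certificate's key is not an RSA key, and the `__UNCONST()` wrapper on the changed line passes that NULL straight into `eay_rsa_verify()`; nothing in this hunk checks the key type, and since the certificate comes from the IKE peer, a cert carrying an EC key reaches this line unless a type check happens earlier in eay_check_x509sign, whose start is outside the hunk. A local guard keeps the cast and rejects the case explicitly: `const RSA *rsa = EVP_PKEY_get0_RSA(evp);` / `if (rsa == NULL) { EVP_PKEY_free(evp); X509_free(x509); return -1; }` / `res = eay_rsa_verify(source, sig, __UNCONST(rsa));`. Whether eay_rsa_verify itself tolerates a NULL key cannot be seen from here, so the check belongs at the call site.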
@@ -1018,7 +1018,7 @@ eay_get_x509sign(src, privkey)
 	if (evp == NULL)
 		return NULL;
 
-	sig = eay_rsa_sign(src, EVP_PKEY_get0_RSA(evp));
+	sig = eay_rsa_sign(src, __UNCONST(EVP_PKEY_get0_RSA(evp)));
 
 	EVP_PKEY_free(evp);
 
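Review bot: `__UNCONST()` is a NetBSD `<sys/cdefs.h>` macro, so the changed line ties this ipsec-tools source to NetBSD and papers over a real qualifier change (OpenSSL 3 hands out `const RSA *` from the get0 accessor) rather than resolving it. The OpenSSL-native alternative needs neither the macro nor a cast: `RSA *rsa = EVP_PKEY_get1_RSA(evp);` then `sig = eay_rsa_sign(src, rsa); RSA_free(rsa);`, with a NULL check on `rsa` for a non-RSA private key. Note that `EVP_PKEY_get1_RSA()` and the rest of the RSA_* API are deprecated in 3.x, so either form warns under -Wdeprecated-declarations unless OPENSSL_API_COMPAT is set; the long-term fix is signing through EVP_DigestSign. eay_get_x509sign starts before this hunk.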



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2023-02-27 Thread Frank Kardel
Module Name:src
Committed By:   kardel
Date:   Mon Feb 27 13:39:09 UTC 2023

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c

Log Message:
cast to the correct message structure (rt_msghdr instead of if_msghdr)


To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.40 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.39 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.40
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.39	Wed Nov 25 14:15:41 2020
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Mon Feb 27 13:39:09 2023
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.39 2020/11/25 14:15:41 christos Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.40 2023/02/27 13:39:09 kardel Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras .
@@ -849,7 +849,7 @@ kernel_sync()
 {
 	caddr_t ref, buf, end;
 	size_t bufsiz;
-	struct if_msghdr *ifm;
+	struct rt_msghdr *rtm;
 
 #define MIBSIZ 6
 	int mib[MIBSIZ] = {
@@ -871,8 +871,10 @@ kernel_sync()
 
 	if (sysctl(mib, MIBSIZ, buf, , NULL, 0) >= 0) {
 		/* Parse both interfaces and addresses. */
-		for (end = buf + bufsiz; buf < end; buf += ifm->ifm_msglen) {
-			ifm = (struct if_msghdr *) buf;
+		for (end = buf + bufsiz; buf < end; buf += rtm->rtm_msglen) {
+			rtm = (struct rt_msghdr *) buf;
+			if (rtm->rtm_version != RTM_VERSION)
+continue;
 			kernel_handle_message(buf);
 		}
 	} else {
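Review bot: The rewritten loop reads `rtm->rtm_version` and `rtm->rtm_msglen` before checking that a full `struct rt_msghdr` is left in the buffer, and a message with `rtm_msglen == 0` would never advance `buf`, so the loop would spin forever. The data comes from the kernel via sysctl, which lowers the likelihood, but the guard is one line after the cast: `if ((size_t)(end - buf) < sizeof(*rtm) || rtm->rtm_msglen == 0) break;`. The `continue` on a version mismatch is fine as written, since it still steps by that message's own length. kernel_sync() starts before this hunk.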



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2023-02-27 Thread Frank Kardel
Module Name:src
Committed By:   kardel
Date:   Mon Feb 27 13:39:09 UTC 2023

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c

Log Message:
cast to the correct message structure (rt_msghdr instead of if_msghdr)


To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.40 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2022-04-21 Thread Roland Illig
Module Name:src
Committed By:   rillig
Date:   Thu Apr 21 19:14:46 UTC 2022

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: gnuc.h

Log Message:
ipsec-tools: in lint mode, keep keyword 'inline'

This avoids hundreds of lint warnings for OpenSSL's stack definitions:

openssl/x509.h(75): warning:
static function sk_X509_NAME_ENTRY_num unused [236]


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/crypto/dist/ipsec-tools/src/racoon/gnuc.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/gnuc.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/gnuc.h:1.4 src/crypto/dist/ipsec-tools/src/racoon/gnuc.h:1.5
--- src/crypto/dist/ipsec-tools/src/racoon/gnuc.h:1.4	Sat Sep  9 16:22:09 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/gnuc.h	Thu Apr 21 19:14:46 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: gnuc.h,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
+/*	$NetBSD: gnuc.h,v 1.5 2022/04/21 19:14:46 rillig Exp $	*/
 
 /* Id: gnuc.h,v 1.4 2004/11/18 15:14:44 ludvigm Exp */
 
@@ -13,7 +13,7 @@
 #endif
 
 /* inline foo */
-#ifdef __GNUC__
+#if defined(__GNUC__) || defined(lint)
 #define inline __inline
 #else
 #define inline



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2022-04-21 Thread Roland Illig
Module Name:src
Committed By:   rillig
Date:   Thu Apr 21 19:14:46 UTC 2022

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: gnuc.h

Log Message:
ipsec-tools: in lint mode, keep keyword 'inline'

This avoids hundreds of lint warnings for OpenSSL's stack definitions:

openssl/x509.h(75): warning:
static function sk_X509_NAME_ENTRY_num unused [236]


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/crypto/dist/ipsec-tools/src/racoon/gnuc.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2022-01-23 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sun Jan 23 14:55:28 UTC 2022

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: prsa_par.y

Log Message:
PR/56658: Juraj Hercek: Plain RSA keys are not loaded by racoon IKE daemon


To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y:1.7 src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y:1.8
--- src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y:1.7	Tue Feb  6 22:59:03 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y	Sun Jan 23 09:55:28 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: prsa_par.y,v 1.7 2018/02/07 03:59:03 christos Exp $	*/
+/*	$NetBSD: prsa_par.y,v 1.8 2022/01/23 14:55:28 christos Exp $	*/
 
 /* Id: prsa_par.y,v 1.3 2004/11/08 12:04:23 ludvigm Exp */
 
@@ -87,6 +87,15 @@ enum rsa_key_type prsa_cur_type = RSA_TY
 
 static RSA *rsa_cur;
 
+static BIGNUM *bn_n = NULL; /* Modulus */
+static BIGNUM *bn_e = NULL; /* Public Exponent */
+static BIGNUM *bn_d = NULL; /* Private Exponent */
+static BIGNUM *bn_p = NULL; /* Prime1 */
+static BIGNUM *bn_q = NULL; /* Prime2 */
+static BIGNUM *bn_dmp1 = NULL; /* Exponent1 */
+static BIGNUM *bn_dmq1 = NULL; /* Exponent2 */
+static BIGNUM *bn_iqmp = NULL; /* Coefficient */
+
 void
 prsaerror(const char *s, ...)
 {
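Review bot: The eight file-scope BIGNUM pointers are never reset in this hunk, and after a successful `RSA_set0_key()`/`RSA_set0_factors()`/`RSA_set0_crt_params()` they are owned by `rsa_cur`; unless the grammar actions outside this hunk clear them before the next `rsa_statement`, a file containing two keys either fails with "already defined" or hands `RSA_set0_key()` pointers the first RSA object already owns, and `RSA_free()` on both objects would then free the same BIGNUMs twice. A one-line reset, `bn_n = bn_e = bn_d = bn_p = bn_q = bn_dmp1 = bn_dmq1 = bn_iqmp = NULL;`, belongs wherever `rsa_cur` is (re)created and at the end of the action that assigns `$$ = rsa_cur`. A comment on the declarations should also state the ownership rule: `/* parsed key parameters; ownership moves to rsa_cur on RSA_set0_*() success, otherwise the parser must free them */`.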
@@ -174,26 +183,35 @@ statement:
 rsa_statement:
 	TAG_RSA OBRACE params EBRACE
 	{
-		const BIGNUM *n, *e, *d;
-		RSA_get0_key(rsa_cur, , , );
 		if (prsa_cur_type == RSA_TYPE_PUBLIC) {
 			prsawarning("Using private key for public key purpose.\n");
-			if (!n || !e) {
-prsaerror("Incomplete key. Mandatory parameters are missing!\n");
+			if (!bn_n || !bn_e) {
+prsaerror("Either of mandatory public key parameters "
+		" - n, d - are missing!\n");
 YYABORT;
-			}
-		}
-		else {
-			const BIGNUM *p, *q, *dmp1, *dmq1, *iqmp;
-			if (!n || !e || !d) {
-prsaerror("Incomplete key. Mandatory parameters are missing!\n");
+			} else if (1 != RSA_set0_key(rsa_cur, bn_n, bn_e, NULL)) {
+prsaerror("Invalid parameters. Public key not set up!\n");
 YYABORT;
 			}
-			RSA_get0_factors(rsa_cur, , );
-			RSA_get0_crt_params(rsa_cur, , , );
-			if (!p || !q || !dmp1 || !dmq1 || !iqmp) {
-RSA_free(rsa_cur);
-rsa_cur = RSA_new();
+		} else {
+			if (!bn_n || !bn_e || !bn_d) {
+prsaerror("Either of mandatory private key parameters "
+		"- n, e, d -- are missing!\n");
+YYABORT;
+			} else if (1 != RSA_set0_key(rsa_cur, bn_n, bn_e, bn_d)) {
+prsaerror("Can not use mandatory private key parameters!\n");
+YYABORT;
+			} else if (!bn_p || !bn_q || !bn_dmp1 || !bn_dmq1 || !bn_iqmp) {
+/* If any of the suplementary parameters is missing, continue
+ * without setting them up.
+ */
+			} else if (1 != RSA_set0_factors(rsa_cur, bn_p, bn_q)) {
+prsaerror("Invalid p or q parameter. Private key not set up!\n");
+YYABORT;
+			} else if (1 != RSA_set0_crt_params(rsa_cur, bn_dmp1, bn_dmq1, bn_iqmp)) {
+prsaerror("Invalid dmp1, dmq1 or iqmp parameters. "
+		"Private key not set up!\n");
+YYABORT;
 			}
 		}
 		$$ = rsa_cur;
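Review bot: The new public-key error text does not match its condition: the check is `!bn_n || !bn_e`, yet the message names `- n, d -`; it should read `"- n, e - are missing!\n"` so an operator fixes the right line of the key file. Per the OpenSSL contract the `RSA_set0_*` calls take ownership only on success, so every `YYABORT` path in this action leaks the BIGNUMs still held in the statics, and the "continue without setting them up" branch silently discards and leaks whichever of p/q/dmp1/dmq1/iqmp were supplied; OpenSSL can still use n, e, d alone, but a typo in one `Prime1:` line then goes unreported, so at least emit `prsawarning("Incomplete CRT parameters, using plain private key\n");` there. Because d, p, q and the CRT values are private key material, the cleanup path should use `BN_clear_free()` rather than `BN_free()`.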
@@ -297,91 +315,75 @@ params:
 param:
 	MODULUS COLON HEX 
 	{ 
-	const BIGNUM *n;
-	RSA_get0_key(rsa_cur, , NULL, NULL);
-	if (!n)
-		RSA_set0_key(rsa_cur, $3, NULL, NULL);
-	else {
-		prsaerror("Modulus already defined\n");
-		YYABORT;
-	}
+		if (bn_n) {
+			prsaerror("Modulus already defined\n");
+			YYABORT;
+		} else {
+			bn_n = $3;
+		}
 	}
 	| PUBLIC_EXPONENT COLON HEX 
 	{ 
-	const BIGNUM *e;
-	RSA_get0_key(rsa_cur, NULL, , NULL);
-	if (!e)
-		RSA_set0_key(rsa_cur, NULL, $3, NULL);
-	else {
-		prsaerror("PublicExponent already defined\n");
-		YYABORT;
-	}
+		if (bn_e) {
+			prsaerror("PublicExponent already defined\n");
+			YYABORT;
+		} else {
+			bn_e = $3;
+		}
 	}
 	| PRIVATE_EXPONENT COLON HEX 
 	{ 
-	const BIGNUM *d;
-	RSA_get0_key(rsa_cur, NULL, NULL, );
-	if (!d)
-		RSA_set0_key(rsa_cur, NULL, NULL, $3);
-	else {
-		prsaerror("PrivateExponent already defined\n");
-		YYABORT;
-	}
+		if (bn_d) {
+			prsaerror("PrivateExponent already defined\n");
+			YYABORT;
+		} else {
+			bn_d = $3;
+		}
 	}
 	| PRIME1 COLON HEX 
 	{ 
-	const BIGNUM *p;
-	RSA_get0_factors(rsa_cur, , NULL);
-	if (!p)
-		RSA_set0_factors(rsa_cur, $3, NULL);
-	else {
-		prsaerror("Prime1 already defined\n");
-		YYABORT;
-	}
+		if (bn_p) {
+			prsaerror("Prime1 already defined\n");
+			YYABORT;
+		} else {
+			bn_p = $3;
+		}
 	}
 	| PRIME2 COLON HEX 
 	{
-	const BIGNUM *q;
-	RSA_get0_factors(rsa_cur, NULL, );
-	if (!q)
-		RSA_set0_factors(rsa_cur, NULL, $3);
-	else {
-		prsaerror("Prime2 already defined\n");
-		YYABORT;
-	}
+		if 

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2022-01-23 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sun Jan 23 14:55:28 UTC 2022

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: prsa_par.y

Log Message:
PR/56658: Juraj Hercek: Plain RSA keys are not loaded by racoon IKE daemon


To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2021-09-14 Thread Roland Illig
Module Name:src
Committed By:   rillig
Date:   Tue Sep 14 21:49:31 UTC 2021

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: privsep.c

Log Message:
ipsectools: fix lint error

Returning a value from a void function is a GNU extension, but even in
GNU mode, lint does not allow these.

No functional change.


To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.26 src/crypto/dist/ipsec-tools/src/racoon/privsep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/privsep.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.25 src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.26
--- src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.25	Tue Aug 28 09:10:28 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/privsep.c	Tue Sep 14 21:49:31 2021
@@ -1,4 +1,4 @@
-/*	$NetBSD: privsep.c,v 1.25 2018/08/28 09:10:28 christos Exp $	*/
+/*	$NetBSD: privsep.c,v 1.26 2021/09/14 21:49:31 rillig Exp $	*/
 
 /* Id: privsep.c,v 1.15 2005/08/08 11:23:44 vanhu Exp */
 
@@ -1762,8 +1762,10 @@ privsep_cleanup_pam(port)
 	size_t len;
 	char *data;
 
-	if (geteuid() == 0)
-		return cleanup_pam(port);
+	if (geteuid() == 0) {
+		cleanup_pam(port);
+		return;
+	}
 
 	len = sizeof(*msg) 
 	+ sizeof(port)



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2021-09-14 Thread Roland Illig
Module Name:src
Committed By:   rillig
Date:   Tue Sep 14 21:49:31 UTC 2021

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: privsep.c

Log Message:
ipsectools: fix lint error

Returning a value from a void function is a GNU extension, but even in
GNU mode, lint does not allow these.

No functional change.


To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.26 src/crypto/dist/ipsec-tools/src/racoon/privsep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2020-11-25 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Wed Nov 25 18:11:00 UTC 2020

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y cftoken.l
isakmp_xauth.c isakmp_xauth.h racoon.conf.5

Log Message:
Add ldap parameters debug and timeout.
Fix bug when using URI (use correct len for malloc)
document ldap parameters uri, debug and timeout.


To generate a diff of this commit:
cvs rdiff -u -r1.52 -r1.53 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
cvs rdiff -u -r1.28 -r1.29 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
cvs rdiff -u -r1.32 -r1.33 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
cvs rdiff -u -r1.9 -r1.10 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h
cvs rdiff -u -r1.68 -r1.69 \
src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.52 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.53
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.52	Wed Nov 25 16:42:53 2020
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Wed Nov 25 18:11:00 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.52 2020/11/25 16:42:53 bouyer Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.53 2020/11/25 18:11:00 bouyer Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -296,7 +296,7 @@ static const char error_message_dpd_not_
 	/* listen */
 %token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED
 	/* ldap config */
-%token LDAPCFG LDAP_URI LDAP_HOST LDAP_PORT LDAP_TLS LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
+%token LDAPCFG LDAP_URI LDAP_HOST LDAP_PORT LDAP_TLS LDAP_PVER LDAP_DEBUG LDAP_TIMEOUT LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
 %token LDAP_ATTR_USER LDAP_ATTR_ADDR LDAP_ATTR_MASK LDAP_ATTR_GROUP LDAP_ATTR_MEMBER
 	/* radius config */
 %token RADCFG RAD_AUTH RAD_ACCT RAD_TIMEOUT RAD_RETRIES
@@ -773,6 +773,24 @@ ldapcfg_stmt
 #endif
 		}
 		EOS
+	|	LDAP_DEBUG NUMBER
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+			xauth_ldap_config.debug = $2;
+#endif
+#endif
+		}
+		EOS
+	|	LDAP_TIMEOUT NUMBER
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+			xauth_ldap_config.timeout = $2;
+#endif
+#endif
+		}
+		EOS
 	|	LDAP_URI QUOTEDSTRING
 		{
 #ifdef ENABLE_HYBRID

Index: src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
diff -u src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.28 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.29
--- src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.28	Wed Nov 25 16:42:53 2020
+++ src/crypto/dist/ipsec-tools/src/racoon/cftoken.l	Wed Nov 25 18:11:00 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: cftoken.l,v 1.28 2020/11/25 16:42:53 bouyer Exp $	*/
+/*	$NetBSD: cftoken.l,v 1.29 2020/11/25 18:11:00 bouyer Exp $	*/
 
 /* Id: cftoken.l,v 1.53 2006/08/22 18:17:17 manubsd Exp */
 
@@ -224,6 +224,8 @@ hexstring	0x{hexdigit}+
 ldapcfg		{ BEGIN S_LDAP; YYDB; return(LDAPCFG); }
 {bcl}		{ return(BOC); }
 version		{ YYD; return(LDAP_PVER); }
+debug		{ YYD; return(LDAP_DEBUG); }
+timeout		{ YYD; return(LDAP_TIMEOUT); }
 uri		{ YYD; return(LDAP_URI); }
 host		{ YYD; return(LDAP_HOST); }
 port		{ YYD; return(LDAP_PORT); }

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.32 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.33
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.32	Wed Nov 25 16:42:53 2020
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Wed Nov 25 18:11:00 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.32 2020/11/25 16:42:53 bouyer Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.33 2020/11/25 18:11:00 bouyer Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -803,6 +803,8 @@ xauth_ldap_init_conf(void)
 	int error = -1;
 
 	xauth_ldap_config.pver = 3;
+	xauth_ldap_config.debug = 0;
+	xauth_ldap_config.timeout = -1;
 	xauth_ldap_config.uri = NULL;
 	xauth_ldap_config.host = NULL;
 	xauth_ldap_config.port = LDAP_PORT;
@@ -896,7 +898,7 @@ xauth_login_ldap(iph1, usr, pwd)
 	atlist[2] = NULL;
 
 	if (xauth_ldap_config.uri != NULL) {
-		tmplen = strlen(xauth_ldap_config.host->v);
+		tmplen = strlen(xauth_ldap_config.uri->v);
 		init = racoon_malloc(tmplen);
 		if (init == NULL) {
 			plog(LLV_ERROR, LOCATION, NULL,
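Review bot: The size on the changed line is still one byte short: `tmplen = strlen(xauth_ldap_config.uri->v)` leaves no room for the terminating NUL, and the `sprintf(init, "%s", xauth_ldap_config.uri->v)` that follows in this function (outside the hunk, visible in the 1.32 diff further down this page) writes `tmplen + 1` bytes into `init`, a one-byte heap overflow; the commit message says the length is now correct, but only the host→uri variable was fixed. Use `tmplen = strlen(xauth_ldap_config.uri->v) + 1;` and bound the copy with `snprintf(init, tmplen, "%s", xauth_ldap_config.uri->v);`. The input is the administrator's configuration file, so this is a local corruption bug rather than a remote one. xauth_login_ldap() starts before this hunk.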
@@ -918,6 +920,9 @@ xauth_login_ldap(iph1, usr, pwd)
 			xauth_ldap_config.host->v,
 			xauth_ldap_config.port );
 	}
+	/* initialize the debug level */
+	ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, _ldap_config.debug);
+	ber_set_option(NULL, LBER_OPT_DEBUG_LEVEL, _ldap_config.debug);
 
 	plog(LLV_DEBUG, LOCATION, NULL, "ldap URI: %s\n", init);
 	/* initialize the ldap handle */
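Review bot: The two `*_set_option(NULL, ..._DEBUG_LEVEL, ...)` calls ignore their return values, whereas the `LDAP_OPT_PROTOCOL_VERSION` call a few lines below was changed in 1.31 to check and log `ldap_err2string(res)`; for consistency do the same here, e.g. `if (ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &xauth_ldap_config.debug) != LDAP_OPT_SUCCESS) plog(LLV_WARNING, LOCATION, NULL, "LDAP_OPT_DEBUG_LEVEL failed\n");`. Setting the option on a NULL handle changes the library-wide default and is repeated on every login, so it would be cheaper once in xauth_ldap_init_conf(). libldap's tracing goes to stderr rather than through plog(), and at high levels it prints protocol contents which, depending on the libldap build, may include the credential being checked in the simple bind, so racoon.conf.5 should warn against leaving `debug` on in production.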
@@ -933,12 +938,26 @@ xauth_login_ldap(iph1, usr, pwd)
 	if ((res = ldap_set_option(ld, 

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2020-11-25 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Wed Nov 25 18:11:00 UTC 2020

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y cftoken.l
isakmp_xauth.c isakmp_xauth.h racoon.conf.5

Log Message:
Add ldap parameters debug and timeout.
Fix bug when using URI (use correct len for malloc)
document ldap parameters uri, debug and timeout.


To generate a diff of this commit:
cvs rdiff -u -r1.52 -r1.53 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
cvs rdiff -u -r1.28 -r1.29 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
cvs rdiff -u -r1.32 -r1.33 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
cvs rdiff -u -r1.9 -r1.10 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h
cvs rdiff -u -r1.68 -r1.69 \
src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2020-11-25 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Wed Nov 25 16:42:53 UTC 2020

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y cftoken.l
isakmp_xauth.c isakmp_xauth.h

Log Message:
Add an option to pass a ldap uri, instead of just server and port.
uri takes precedence.


To generate a diff of this commit:
cvs rdiff -u -r1.51 -r1.52 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
cvs rdiff -u -r1.27 -r1.28 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
cvs rdiff -u -r1.31 -r1.32 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
cvs rdiff -u -r1.8 -r1.9 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.51 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.52
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.51	Sat May 19 20:14:56 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Wed Nov 25 16:42:53 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.51 2018/05/19 20:14:56 maxv Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.52 2020/11/25 16:42:53 bouyer Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -296,7 +296,7 @@ static const char error_message_dpd_not_
 	/* listen */
 %token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED
 	/* ldap config */
-%token LDAPCFG LDAP_HOST LDAP_PORT LDAP_TLS LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
+%token LDAPCFG LDAP_URI LDAP_HOST LDAP_PORT LDAP_TLS LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
 %token LDAP_ATTR_USER LDAP_ATTR_ADDR LDAP_ATTR_MASK LDAP_ATTR_GROUP LDAP_ATTR_MEMBER
 	/* radius config */
 %token RADCFG RAD_AUTH RAD_ACCT RAD_TIMEOUT RAD_RETRIES
@@ -773,6 +773,19 @@ ldapcfg_stmt
 #endif
 		}
 		EOS
+	|	LDAP_URI QUOTEDSTRING
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+			if (xauth_ldap_config.uri != NULL)
+vfree(xauth_ldap_config.uri);
+
+			xauth_ldap_config.uri = vdup($2);
+#endif
+#endif
+			vfree($2);
+		}
+		EOS
 	|	LDAP_HOST QUOTEDSTRING
 		{
 #ifdef ENABLE_HYBRID

Index: src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
diff -u src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.27 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.28
--- src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.27	Thu Nov 29 15:31:24 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/cftoken.l	Wed Nov 25 16:42:53 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: cftoken.l,v 1.27 2012/11/29 15:31:24 vanhu Exp $	*/
+/*	$NetBSD: cftoken.l,v 1.28 2020/11/25 16:42:53 bouyer Exp $	*/
 
 /* Id: cftoken.l,v 1.53 2006/08/22 18:17:17 manubsd Exp */
 
@@ -224,6 +224,7 @@ hexstring	0x{hexdigit}+
 ldapcfg		{ BEGIN S_LDAP; YYDB; return(LDAPCFG); }
 {bcl}		{ return(BOC); }
 version		{ YYD; return(LDAP_PVER); }
+uri		{ YYD; return(LDAP_URI); }
 host		{ YYD; return(LDAP_HOST); }
 port		{ YYD; return(LDAP_PORT); }
 tls		{ YYD; return(LDAP_TLS); }

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.31 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.32
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.31	Wed Nov 25 16:41:39 2020
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Wed Nov 25 16:42:53 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.31 2020/11/25 16:41:39 bouyer Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.32 2020/11/25 16:42:53 bouyer Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -803,6 +803,7 @@ xauth_ldap_init_conf(void)
 	int error = -1;
 
 	xauth_ldap_config.pver = 3;
+	xauth_ldap_config.uri = NULL;
 	xauth_ldap_config.host = NULL;
 	xauth_ldap_config.port = LDAP_PORT;
 	xauth_ldap_config.tls = 0;
@@ -894,19 +895,31 @@ xauth_login_ldap(iph1, usr, pwd)
 	atlist[1] = NULL;
 	atlist[2] = NULL;
 
-	/* build our initialization url */
-	tmplen = strlen("ldap://:;) + 17;
-	tmplen += strlen(xauth_ldap_config.host->v);
-	init = racoon_malloc(tmplen);
-	if (init == NULL) {
-		plog(LLV_ERROR, LOCATION, NULL,
-			"unable to alloc ldap init url\n");
-		goto ldap_end;
+	if (xauth_ldap_config.uri != NULL) {
+		tmplen = strlen(xauth_ldap_config.host->v);
+		init = racoon_malloc(tmplen);
+		if (init == NULL) {
+			plog(LLV_ERROR, LOCATION, NULL,
+"unable to alloc ldap init url\n");
+			goto ldap_end;
+		}
+		sprintf(init,"%s", xauth_ldap_config.uri->v);
+	} else {
+		/* build our initialization url */
+		tmplen = strlen("ldap://:;) + 17;
+		tmplen += strlen(xauth_ldap_config.host->v);
+		init = racoon_malloc(tmplen);
+		if (init == NULL) {
+			plog(LLV_ERROR, LOCATION, NULL,
+"unable to alloc ldap init url\n");
+			goto ldap_end;
+		}
+		sprintf(init,"ldap://%s:%d;,
+			xauth_ldap_config.host->v,
+			xauth_ldap_config.port );
 	}
-	sprintf(init,"ldap://%s:%d;,
-		

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2020-11-25 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Wed Nov 25 16:42:53 UTC 2020

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y cftoken.l
isakmp_xauth.c isakmp_xauth.h

Log Message:
Add an option to pass a ldap uri, instead of just server and port.
uri takes precedence.


To generate a diff of this commit:
cvs rdiff -u -r1.51 -r1.52 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
cvs rdiff -u -r1.27 -r1.28 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
cvs rdiff -u -r1.31 -r1.32 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
cvs rdiff -u -r1.8 -r1.9 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2020-11-25 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Wed Nov 25 16:41:39 UTC 2020

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_xauth.c

Log Message:
Fix ldap: ldap_sasl_bind_s() doesn't like a NULL struct berval *, pass
a pointer to a zero'd struct instead.
While there use LDAP_SASL_SIMPLE instead of NULL for mechanism,
and check return of ldap_set_option().


To generate a diff of this commit:
cvs rdiff -u -r1.30 -r1.31 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.30 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.31
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.30	Sat May 19 20:14:56 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Wed Nov 25 16:41:39 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.30 2018/05/19 20:14:56 maxv Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.31 2020/11/25 16:41:39 bouyer Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -917,9 +917,15 @@ xauth_login_ldap(iph1, usr, pwd)
 	}
 
 	/* initialize the protocol version */
-	ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
-		_ldap_config.pver);
-
+	if ((res = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
+		_ldap_config.pver)) != LDAP_OPT_SUCCESS) {
+		plog(LLV_ERROR, LOCATION, NULL,
+			"LDAP_OPT_PROTOCOL_VERSION %s failed: %s\n",
+			xauth_ldap_config.pver,
+			ldap_err2string(res));
+		goto ldap_end;
+	}
+		
 	/* Enable TLS */
 	if (xauth_ldap_config.tls) {
 		res = ldap_start_tls_s(ld, NULL, NULL);
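Review bot: The new error log passes `xauth_ldap_config.pver` to `%s`, but `pver` is an integer (it is initialised with `xauth_ldap_config.pver = 3;` in xauth_ldap_init_conf(), visible further up this page), so the failure path dereferences 3 as a `char *` and crashes exactly when it should report the problem; use `"LDAP_OPT_PROTOCOL_VERSION %d failed: %s\n"`. The `goto ldap_end` is right provided the label's cleanup, outside this hunk, unbinds `ld`. The added blank line after the block also carries trailing whitespace.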
@@ -943,13 +949,15 @@ xauth_login_ldap(iph1, usr, pwd)
 		cred.bv_val = xauth_ldap_config.bind_pw->v;
 		cred.bv_len = strlen( cred.bv_val );
 		res = ldap_sasl_bind_s(ld,
-			xauth_ldap_config.bind_dn->v, NULL, ,
+			xauth_ldap_config.bind_dn->v, LDAP_SASL_SIMPLE, ,
 			NULL, NULL, NULL);
 	}
 	else
 	{
+		cred.bv_val = NULL;
+		cred.bv_len = 0;
 		res = ldap_sasl_bind_s(ld,
-			NULL, NULL, NULL,
+			NULL, LDAP_SASL_SIMPLE, ,
 			NULL, NULL, NULL);
 	}
 	
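Review bot: The `else` branch now binds with a NULL DN and a zero-length credential, which is the anonymous bind of RFC 4513 §5.1.1 and reasonable for the directory search; the dangerous neighbour is the unauthenticated bind of §5.1.2, a non-empty DN with an empty password, which many servers answer with success. If the per-user bind later in xauth_login_ldap() (outside this hunk) fills `cred` from the XAUTH password the same way, an empty password would authenticate any known user, so it needs `if (pwd == NULL || pwd[0] == '\0') goto ldap_end;` before that bind. The `res` from both calls here should also be checked immediately after the if/else, which the hunk does not show.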



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2020-11-25 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Wed Nov 25 16:41:39 UTC 2020

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_xauth.c

Log Message:
Fix ldap: ldap_sasl_bind_s() doesn't like a NULL struct berval *, pass
a pointer to a zero'd struct instead.
While there use LDAP_SASL_SIMPLE instead of NULL for mechanism,
and check return of ldap_set_option().


To generate a diff of this commit:
cvs rdiff -u -r1.30 -r1.31 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2020-11-25 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Nov 25 14:15:41 UTC 2020

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c

Log Message:
Reduce previous


To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.39 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2020-11-25 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Nov 25 14:15:41 UTC 2020

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c

Log Message:
Reduce previous


To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.39 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.38 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.39
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.38	Wed Nov 25 05:57:11 2020
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Wed Nov 25 09:15:41 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.38 2020/11/25 10:57:11 kardel Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.39 2020/11/25 14:15:41 christos Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras .
@@ -683,13 +683,11 @@ kernel_sync()
 
 #elif defined(USE_ROUTE)
 
-#ifdef RT_ROUNDUP
-#define SAROUNDUP(X)   RT_ROUNDUP(((struct sockaddr *)(X))->sa_len)
-#else
-#define ROUNDUP(a) \
+#ifndef RT_ROUNDUP
+#define RT_ROUNDUP(a) \
   ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
-#define SAROUNDUP(X)   ROUNDUP(((struct sockaddr *)(X))->sa_len)
 #endif
+#define SAROUNDUP(X)   RT_ROUNDUP(((struct sockaddr *)(X))->sa_len)
 
 
 static size_t



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2020-11-25 Thread Frank Kardel
Module Name:src
Committed By:   kardel
Date:   Wed Nov 25 10:57:11 UTC 2020

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c

Log Message:
Fix address advancing for i386 and other 32-bit platforms.
Makes racoon grok IPv6 addresses again on these platforms.


To generate a diff of this commit:
cvs rdiff -u -r1.37 -r1.38 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.37 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.38
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.37	Sat May 19 20:14:56 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Wed Nov 25 10:57:11 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.37 2018/05/19 20:14:56 maxv Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.38 2020/11/25 10:57:11 kardel Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras .
@@ -683,10 +683,14 @@ kernel_sync()
 
 #elif defined(USE_ROUTE)
 
+#ifdef RT_ROUNDUP
+#define SAROUNDUP(X)   RT_ROUNDUP(((struct sockaddr *)(X))->sa_len)
+#else
 #define ROUNDUP(a) \
   ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
-
 #define SAROUNDUP(X)   ROUNDUP(((struct sockaddr *)(X))->sa_len)
+#endif
+
 
 static size_t
 parse_address(caddr_t start, caddr_t end, struct sockaddr_storage *dest)
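Review bot: SAROUNDUP is now spelled twice, once per preprocessor branch, so the two definitions can drift apart; defining only the fallback under `#ifndef RT_ROUNDUP` and then a single `SAROUNDUP` in terms of `RT_ROUNDUP` would remove the duplication without changing either expansion. The `+` blank line added at the end of the hunk also leaves two consecutive empty lines before `static size_t`. parse_address, whose walker consumes these macros, starts on the hunk's last line and continues outside it.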



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2020-11-25 Thread Frank Kardel
Module Name:src
Committed By:   kardel
Date:   Wed Nov 25 10:57:11 UTC 2020

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c

Log Message:
Fix address advancing for i386 and other 32-bit platforms.
Makes racoon grok IPv6 addresses again on these platforms.


To generate a diff of this commit:
cvs rdiff -u -r1.37 -r1.38 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-10-13 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat Oct 13 15:38:28 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: racoon.conf.5

Log Message:
Fix SF#24: incorrect authentication algorithms, copy-pasto.


To generate a diff of this commit:
cvs rdiff -u -r1.67 -r1.68 \
src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
diff -u src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.67 src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.68
--- src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.67	Thu Jun 20 15:41:18 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5	Sat Oct 13 15:38:28 2018
@@ -1,4 +1,4 @@
-.\"	$NetBSD: racoon.conf.5,v 1.67 2013/06/20 15:41:18 christos Exp $
+.\"	$NetBSD: racoon.conf.5,v 1.68 2018/10/13 15:38:28 maxv Exp $
 .\"
 .\"	Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
 .\"
@@ -29,7 +29,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd June 17, 2013
+.Dd October 13, 2018
 .Dt RACOON.CONF 5
 .Os
 .\"
@@ -1106,7 +1106,6 @@ Note that the kernel may not support the
 .Pq used with ESP
 .\"
 .It Ic authentication_algorithm Ar algorithms ;
-.Ic des , 3des , des_iv64 , des_iv32 ,
 .Ic hmac_md5 , hmac_sha1 , hmac_sha256, hmac_sha384, hmac_sha512, non_auth
 .Pq used with ESP authentication and AH
 .\"



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-10-13 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat Oct 13 15:38:28 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: racoon.conf.5

Log Message:
Fix SF#24: incorrect authentication algorithms, copy-pasto.


To generate a diff of this commit:
cvs rdiff -u -r1.67 -r1.68 \
src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-10-13 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat Oct 13 15:17:45 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: logger.c

Log Message:
Fix ticket SF#91: pass the correct size for tbuf.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/crypto/dist/ipsec-tools/src/racoon/logger.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-10-13 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat Oct 13 15:17:45 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: logger.c

Log Message:
Fix ticket SF#91: pass the correct size for tbuf.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/crypto/dist/ipsec-tools/src/racoon/logger.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/logger.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/logger.c:1.4 src/crypto/dist/ipsec-tools/src/racoon/logger.c:1.5
--- src/crypto/dist/ipsec-tools/src/racoon/logger.c:1.4	Sat Sep  9 16:22:09 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/logger.c	Sat Oct 13 15:17:45 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: logger.c,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
+/*	$NetBSD: logger.c,v 1.5 2018/10/13 15:17:45 maxv Exp $	*/
 
 /*	$KAME: logger.c,v 1.9 2002/09/03 14:37:03 itojun Exp $	*/
 
@@ -79,13 +79,13 @@ log_open(siz, fname)
 	}
 	memset(p->buf, 0, sizeof(char *) * siz);
 
-	p->tbuf = (time_t *)racoon_malloc(sizeof(time_t *) * siz);
+	p->tbuf = (time_t *)racoon_malloc(sizeof(time_t) * siz);
 	if (p->tbuf == NULL) {
 		racoon_free(p->buf);
 		racoon_free(p);
 		return NULL;
 	}
-	memset(p->tbuf, 0, sizeof(time_t *) * siz);
+	memset(p->tbuf, 0, sizeof(time_t) * siz);
 
 	p->siz = siz;
 	if (fname)
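Review bot: The corrected size is still written as a type name that can drift from the field again; tying it to the object removes that failure mode: `p->tbuf = racoon_malloc(sizeof(*p->tbuf) * siz);` and `memset(p->tbuf, 0, sizeof(*p->tbuf) * siz);` (the `(time_t *)` cast on the malloc result is unnecessary in C). Worth noting in the log or a comment what the old code did: wherever time_t is wider than a pointer, `sizeof(time_t *) * siz` under-allocated the array and later timestamp writes into tbuf ran past the heap block. The `sizeof(time_t) * siz` product is unchecked for overflow, but siz's type is declared outside the hunk, so I cannot tell whether that matters.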



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-10-05 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Fri Oct  5 20:12:37 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_frag.c

Log Message:
>From Thomas Reim:

Current racoon code cannot detect duplicate last fragments as it uses
the fragment flag instead of the fragment number.

The code does not consider that the IKE payload fragments might not be
received in the correct order. In this case, packet complete detection
will again fail and VPN clients abandoned from VPN service.
Nevertheless, clients still can add fragments to the fragment queue and
fill it up to the possible 255 fragments. Only duplicates are detected,
but not the fragments with a number greater than the last fragment
number.

The last fragment number is kept in the Phase 1 handler
after fragment queue deletion, which may lead to error notifications
after successful reassembly of the IKE phase 1 message.

In general, the 2017's CVE fix added laconic and difficult to understand
failure notifications, which do not much help for analysis, why a VPN
client was blocked by racoon server.

This patch fixes the code and aligns it to Microsoft/Cisco IKE
fragmentation specification. It provides error logging which is in line
with above specification and adds some debug info to the logs to better
support analysis VPN client blackballing.

XXX: pullup-8


To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.9 src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.10
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.9	Tue Oct  2 14:49:24 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c	Fri Oct  5 16:12:37 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_frag.c,v 1.9 2018/10/02 18:49:24 christos Exp $	*/
+/*	$NetBSD: isakmp_frag.c,v 1.10 2018/10/05 20:12:37 christos Exp $	*/
 
 /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
 
@@ -219,10 +219,15 @@ isakmp_frag_extract(iph1, msg)
 	struct isakmp_frag *frag;
 	struct isakmp_frag_item *item;
 	vchar_t *buf;
-	int last_frag = 0;
+	const char *m;
 	char *data;
 	int i;
 
+ 	if (iph1->frag_chain == NULL) {
+		plog(LLV_DEBUG, LOCATION, NULL,
+		 "fragmented IKE phase 1 message payload detected\n");
+	}
+
 	if (msg->l < sizeof(*isakmp) + sizeof(*frag)) {
 		plog(LLV_ERROR, LOCATION, NULL, "Message too short\n");
 		return -1;
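Review bot: The added `if (iph1->frag_chain == NULL) {` line is indented with a space followed by a tab, unlike the surrounding tab-only lines; drop the leading space so it reads ` \tif` → `\tif`. The new `const char *m;` is left uninitialized, which is fine only as long as every `goto out` in the function assigns it first; the `out:` label and the rest of isakmp_frag_extract are outside this hunk.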
@@ -260,47 +265,66 @@ isakmp_frag_extract(iph1, msg)
 	item->frag_next = NULL;
 	item->frag_packet = buf;
 
-	/* Check for the last frag before inserting the new item in the chain */
-	if (item->frag_last) {
-		/* if we have the last fragment, indices must match */
-		if (iph1->frag_last_index != 0 &&
-		item->frag_last != iph1->frag_last_index) {
-			plog(LLV_ERROR, LOCATION, NULL,
-			 "Repeated last fragment index mismatch\n");
-			racoon_free(item);
-			vfree(buf);
-			return -1;
+
+	/* Perform required last frag checks before inserting the new item in
+	   the chain */
+	if (iph1->frag_last_index != 0) {
+		/* Only one fragment payload allowed with last frag flag set */
+		if (item->frag_last) {
+			m = "Message has multiple tail fragments\n";
+			goto out;
 		}
 
-		last_frag = iph1->frag_last_index = item->frag_num;
+		/* Fragment payload with fragment number greater than the
+		   fragment number of the last fragment is not allowed*/
+		if (item->frag_num > iph1->frag_last_index) {
+			m = "Fragment number greater than tail fragment number\n";
+			goto out;
+		}
 	}
 
 	/* insert fragment into chain */
 	if (isakmp_frag_insert(iph1, item) == -1) {
-		plog(LLV_ERROR, LOCATION, NULL,
-		"Repeated fragment index mismatch\n");
-		racoon_free(item);
-		vfree(buf);
-		return -1;
+		m = "Duplicate fragment number\n";
+		goto out;
 	}
 
+	plog(LLV_DEBUG, LOCATION, NULL,
+	 "fragment payload #%d queued\n", item->frag_num);
+
+	/* remember last frag after insertion into fragment chain */
+	if (item->frag_last)
+		iph1->frag_last_index = item->frag_num;
+
 	/* If we saw the last frag, check if the chain is complete
 	 * we have a sorted list now, so just walk through */
-	if (last_frag != 0) {
+ 	if (iph1->frag_last_index != 0) {
 		item = iph1->frag_chain;
-		for (i = 1; i <= last_frag; i++) {
-			if (item == NULL) /* Not found */
-break;
-			if (item->frag_num != i)
-break;
+		for (i = 1; i <= iph1->frag_last_index; i++) {
+			if (item == NULL ||
+			item->frag_num != i) {
+plog(LLV_DEBUG, LOCATION, NULL,
+ "fragment payload #%d still missing\n",
+ i);
+ break;
+			}
 			item = item->frag_next;
 		}
 
-		if (i > last_frag) /* It is complete */
-			return 1;
+		if (i > iph1->frag_last_index) {/* It is complete */
+			plog(LLV_DEBUG, LOCATION, NULL,
+			 

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-10-05 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Fri Oct  5 20:12:37 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_frag.c

Log Message:
>From Thomas Reim:

Current racoon code cannot detect duplicate last fragments as it uses
the fragment flag instead of the fragment number.

The code does not consider that the IKE payload fragments might not be
received in the correct order. In this case, packet complete detection
will again fail and VPN clients abandoned from VPN service.
Nevertheless, clients still can add fragments to the fragment queue and
fill it up to the possible 255 fragments. Only duplicates are detected,
but not the fragments with a number greater than the last fragment
number.

The last fragment number is kept in the Phase 1 handler
after fragment queue deletion, which may lead to error notifications
after successful reassembly of the IKE phase 1 message.

In general, the 2017's CVE fix added laconic and difficult to understand
failure notifications, which do not much help for analysis, why a VPN
client was blocked by racoon server.

This patch fixes the code and aligns it to Microsoft/Cisco IKE
fragmentation specification. It provides error logging which is in line
with above specification and adds some debug info to the logs to better
support analysis VPN client blackballing.

XXX: pullup-8


To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-10-02 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Tue Oct  2 18:49:24 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_frag.c

Log Message:
PR/53646: Thomas Reim: Incorrect detection of the packet complete code in
fragment list check.

While the fix in https://launchpad.net/~rdratlos/+archive/ubuntu/racoon

- if (i > last_frag) /* It is complete */
+ if (i >= last_frag) /* It is complete */

has the correct behavior, it violates the test for successful
completion of the invariant of the loop:

for (i = 1; i <= last_frag; i++) {
if (!check_fragment_index())
break;
}
if (i > last_frag)
return ok;

It is better to move the check for NULL in the loop earlier, so that
the final iteration is done and the test is kept the same. It makes
the code easier to understand and preserves the original intent.

XXX: pullup-8


To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.8 src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.9
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.8	Sat May 19 15:32:16 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c	Tue Oct  2 14:49:24 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_frag.c,v 1.8 2018/05/19 19:32:16 maxv Exp $	*/
+/*	$NetBSD: isakmp_frag.c,v 1.9 2018/10/02 18:49:24 christos Exp $	*/
 
 /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
 
@@ -289,11 +289,11 @@ isakmp_frag_extract(iph1, msg)
 	if (last_frag != 0) {
 		item = iph1->frag_chain;
 		for (i = 1; i <= last_frag; i++) {
+			if (item == NULL) /* Not found */
+break;
 			if (item->frag_num != i)
 break;
 			item = item->frag_next;
-			if (item == NULL) /* Not found */
-break;
 		}
 
 		if (i > last_frag) /* It is complete */
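Review bot: The loop post-condition the commit message argues for is not stated in the code, so the next reader will again be tempted to change `>` to `>=`; a one-line comment above the `for` would pin it: `/* walk the sorted chain; leave with i > last_frag only if fragments 1..last_frag are all present */`. The check relies on isakmp_frag_insert keeping the chain sorted and duplicate-free, which is outside this hunk, and isakmp_frag_extract continues past the hunk's last line.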



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-10-02 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Tue Oct  2 18:49:24 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_frag.c

Log Message:
PR/53646: Thomas Reim: Incorrect detection of the packet complete code in
fragment list check.

While the fix in https://launchpad.net/~rdratlos/+archive/ubuntu/racoon

- if (i > last_frag) /* It is complete */
+ if (i >= last_frag) /* It is complete */

has the correct behavior, it violates the test for successful
completion of the invariant of the loop:

for (i = 1; i <= last_frag; i++) {
if (!check_fragment_index())
break;
}
if (i > last_frag)
return ok;

It is better to move the check for NULL in the loop earlier, so that
the final iteration is done and the test is kept the same. It makes
the code easier to understand and preserves the original intent.

XXX: pullup-8


To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-08-28 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Tue Aug 28 09:10:28 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: privsep.c

Log Message:
fix memory leaks: https://github.com/NetBSD/src/issues/6


To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.25 src/crypto/dist/ipsec-tools/src/racoon/privsep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-08-28 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Tue Aug 28 09:10:28 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: privsep.c

Log Message:
fix memory leaks: https://github.com/NetBSD/src/issues/6


To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.25 src/crypto/dist/ipsec-tools/src/racoon/privsep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/privsep.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.24 src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.25
--- src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.24	Sat May 19 15:23:15 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/privsep.c	Tue Aug 28 05:10:28 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: privsep.c,v 1.24 2018/05/19 19:23:15 maxv Exp $	*/
+/*	$NetBSD: privsep.c,v 1.25 2018/08/28 09:10:28 christos Exp $	*/
 
 /* Id: privsep.c,v 1.15 2005/08/08 11:23:44 vanhu Exp */
 
@@ -917,7 +917,7 @@ privsep_eay_get_pkcs1privkey(path) 
 	memcpy(msg + 1, path, msg->bufs.buflen[0]);
 
 	if (privsep_send(privsep_sock[1], msg, len) != 0)
-		return NULL;
+		goto out;
 
 	if (privsep_recv(privsep_sock[1], , ) != 0)
 		return NULL;
@@ -1034,13 +1034,14 @@ privsep_script_exec(script, name, envp)
 	 * And send it!
 	 */
 	if (privsep_send(privsep_sock[1], msg, msg->hdr.ac_len) != 0)
-		return -1;
+		goto out;
 
 	if (privsep_recv(privsep_sock[1], , ) != 0)
 		return -1;
 
 	if (msg->hdr.ac_errno != 0) {
 		errno = msg->hdr.ac_errno;
+out:
 		racoon_free(msg);
 		return -1;
 	}
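Review bot: The `out:` label is placed inside the body of `if (msg->hdr.ac_errno != 0)`, so the new `goto out` jumps into a conditional block; that is legal C but reads as if the label were reachable only on the errno path. The conventional shape is to set `errno`, `goto out;` from inside the `if`, and put `out: racoon_free(msg); return -1;` after the function's success return, which is outside this hunk. The same layout is used in privsep_xauth_login_system and would benefit from the same treatment.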
@@ -1081,7 +1082,7 @@ privsep_getpsk(str, keylen)
 	memcpy(data, , sizeof(keylen));
 
 	if (privsep_send(privsep_sock[1], msg, len) != 0)
-		return NULL;
+		goto out;
 
 	if (privsep_recv(privsep_sock[1], , ) != 0)
 		return NULL;
@@ -1354,12 +1355,13 @@ privsep_xauth_login_system(usr, pwd)
 	
 	/* frees msg */
 	if (privsep_send(privsep_sock[1], msg, len) != 0)
-		return -1;
+		goto out;
 
 	if (privsep_recv(privsep_sock[1], , ) != 0)
 		return -1;
 
 	if (msg->hdr.ac_errno != 0) {
+out:
 		racoon_free(msg);
 		return -1;
 	}
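Review bot: The `/* frees msg */` comment directly above `privsep_send` contradicts the new `goto out`, which frees `msg` again when the send fails; the change is only correct if privsep_send releases the buffer on success and leaves it to the caller on failure, and privsep_send's body is outside this hunk. If that is the contract, say so where the reader will look: `/* privsep_send() frees msg on success; on failure it is still ours to free */`. If privsep_send also frees on error, the new path is a double free rather than a leak fix.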
@@ -1416,7 +1418,7 @@ privsep_accounting_system(port, raddr, u
 
 	/* frees msg */
 	if (privsep_send(privsep_sock[1], msg, len) != 0)
-		return -1;
+		goto out;
 
 	if (privsep_recv(privsep_sock[1], , ) != 0)
 		return -1;
@@ -1664,7 +1666,7 @@ privsep_accounting_pam(port, inout)
 
 	/* frees msg */
 	if (privsep_send(privsep_sock[1], msg, len) != 0)
-		return -1;
+		goto out;
 
 	if (privsep_recv(privsep_sock[1], , ) != 0)
 		return -1;
@@ -1734,7 +1736,7 @@ privsep_xauth_login_pam(port, raddr, usr
 
 	/* frees msg */
 	if (privsep_send(privsep_sock[1], msg, len) != 0)
-		return -1;
+		goto out;
 
 	if (privsep_recv(privsep_sock[1], , ) != 0)
 		return -1;
@@ -1786,7 +1788,7 @@ privsep_cleanup_pam(port)
 
 	/* frees msg */
 	if (privsep_send(privsep_sock[1], msg, len) != 0)
-		return;
+		goto out;
 
 	if (privsep_recv(privsep_sock[1], , ) != 0)
 		return;
@@ -1794,6 +1796,7 @@ privsep_cleanup_pam(port)
 	if (msg->hdr.ac_errno != 0)
 		errno = msg->hdr.ac_errno;
 
+out:
 	racoon_free(msg);
 	return;
 }



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-05-20 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sun May 20 06:15:45 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: vmbuf.c vmbuf.h

Log Message:
Style.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/crypto/dist/ipsec-tools/src/racoon/vmbuf.c \
src/crypto/dist/ipsec-tools/src/racoon/vmbuf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/vmbuf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/vmbuf.c:1.4 src/crypto/dist/ipsec-tools/src/racoon/vmbuf.c:1.5
--- src/crypto/dist/ipsec-tools/src/racoon/vmbuf.c:1.4	Sat Sep  9 16:22:10 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/vmbuf.c	Sun May 20 06:15:45 2018
@@ -1,11 +1,11 @@
-/*	$NetBSD: vmbuf.c,v 1.4 2006/09/09 16:22:10 manu Exp $	*/
+/*	$NetBSD: vmbuf.c,v 1.5 2018/05/20 06:15:45 maxv Exp $	*/
 
 /*	$KAME: vmbuf.c,v 1.11 2001/11/26 16:54:29 sakane Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -17,7 +17,7 @@
  * 3. Neither the name of the project nor the names of its contributors
  *may be used to endorse or promote products derived from this software
  *without specific prior written permission.
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -50,8 +50,7 @@
 #include "gcmalloc.h"
 
 vchar_t *
-vmalloc(size)
-	size_t size;
+vmalloc(size_t size)
 {
 	vchar_t *var;
 
@@ -73,12 +72,10 @@ vmalloc(size)
 }
 
 vchar_t *
-vrealloc(ptr, size)
-	vchar_t *ptr;
-	size_t size;
+vrealloc(vchar_t *ptr, size_t size)
 {
 	caddr_t v;
-	
+
 	if (ptr != NULL) {
 		if (ptr->l == 0) {
 			(void)vfree(ptr);
@@ -103,8 +100,7 @@ vrealloc(ptr, size)
 }
 
 void
-vfree(var)
-	vchar_t *var;
+vfree(vchar_t *var)
 {
 	if (var == NULL)
 		return;
@@ -118,8 +114,7 @@ vfree(var)
 }
 
 vchar_t *
-vdup(src)
-	vchar_t *src;
+vdup(vchar_t *src)
 {
 	vchar_t *new;
 
Index: src/crypto/dist/ipsec-tools/src/racoon/vmbuf.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/vmbuf.h:1.4 src/crypto/dist/ipsec-tools/src/racoon/vmbuf.h:1.5
--- src/crypto/dist/ipsec-tools/src/racoon/vmbuf.h:1.4	Sat Sep  9 16:22:10 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/vmbuf.h	Sun May 20 06:15:45 2018
@@ -1,11 +1,11 @@
-/*	$NetBSD: vmbuf.h,v 1.4 2006/09/09 16:22:10 manu Exp $	*/
+/*	$NetBSD: vmbuf.h,v 1.5 2018/05/20 06:15:45 maxv Exp $	*/
 
 /* Id: vmbuf.h,v 1.4 2005/10/30 10:28:44 vanhu Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -17,7 +17,7 @@
  * 3. Neither the name of the project nor the names of its contributors
  *may be used to endorse or promote products derived from this software
  *without specific prior written permission.
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -62,7 +62,7 @@ do { \
 
 #if defined(__APPLE__) && defined(__MACH__)
 /* vfree is already defined in Apple's system libraries */
-#define vfree   vmbuf_free
+#define vfree	vmbuf_free
 #endif
 
 extern vchar_t *vmalloc __P((size_t));



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-05-20 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sun May 20 06:15:45 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: vmbuf.c vmbuf.h

Log Message:
Style.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/crypto/dist/ipsec-tools/src/racoon/vmbuf.c \
src/crypto/dist/ipsec-tools/src/racoon/vmbuf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-05-19 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat May 19 20:40:40 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: misc.c

Log Message:
Remove dead code, and style.


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/crypto/dist/ipsec-tools/src/racoon/misc.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/misc.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/misc.c:1.6 src/crypto/dist/ipsec-tools/src/racoon/misc.c:1.7
--- src/crypto/dist/ipsec-tools/src/racoon/misc.c:1.6	Tue Jul 15 00:47:09 2008
+++ src/crypto/dist/ipsec-tools/src/racoon/misc.c	Sat May 19 20:40:40 2018
@@ -1,11 +1,11 @@
-/*	$NetBSD: misc.c,v 1.6 2008/07/15 00:47:09 mgrooms Exp $	*/
+/*	$NetBSD: misc.c,v 1.7 2018/05/19 20:40:40 maxv Exp $	*/
 
 /*	$KAME: misc.c,v 1.23 2001/08/16 14:37:29 itojun Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -17,7 +17,7 @@
  * 3. Neither the name of the project nor the names of its contributors
  *may be used to endorse or promote products derived from this software
  *without specific prior written permission.
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -50,33 +50,8 @@
 #include "misc.h"
 #include "debug.h"
 
-#if 0
-static int bindump __P((void *, size_t));
-
-static int
-bindump(buf0, len)
-void *buf0;
-size_t len;
-{
-	unsigned char *buf = (unsigned char *)buf0;
-	size_t i;
-
-	for (i = 0; i < len; i++) {
-		if ((buf[i] & 0x80) || !isprint(buf[i]))
-			printf("\\x%x", buf[i]);
-		else
-			printf("%c", buf[i]);
-	}
-	printf("\n");
-
-	return 0;
-}
-#endif
-
 int
-racoon_hexdump(buf0, len)
-	void *buf0;
-	size_t len;
+racoon_hexdump(void *buf0, size_t len)
 {
 	caddr_t buf = (caddr_t)buf0;
 	size_t i;
@@ -94,8 +69,7 @@ racoon_hexdump(buf0, len)
 }
 
 char *
-bit2str(n, bl)
-	int n, bl;
+bit2str(int n, int bl)
 {
 #define MAXBITLEN 128
 	static char b[MAXBITLEN + 1];
@@ -115,10 +89,7 @@ bit2str(n, bl)
 }
 
 const char *
-debug_location(file, line, func)
-	const char *file;
-	int line;
-	const char *func;
+debug_location(const char *file, int line, const char *func)
 {
 	static char buf[1024];
 	const char *p;
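Review bot: debug_location formats into `static char buf[1024]` and, presumably, returns it (the return is outside the hunk), so each call overwrites the previous result and the function is not reentrant; nothing in the signature warns a caller about this. A comment above the prototype would do: `/* Returns a pointer to a static buffer that is overwritten by the next call; not reentrant. */`. A `const char *file` parameter also keeps callers from passing string literals through a writable pointer, which the new prototype already does correctly.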
@@ -143,23 +114,21 @@ debug_location(file, line, func)
  * -1: error occured.
  */
 int
-getfsize(path)
-	char *path;
+getfsize(char *path)
 {
-struct stat st;
+	struct stat st;
 
-if (stat(path, ) != 0)
-return -1;
-else
-return st.st_size;
+	if (stat(path, ) != 0)
+		return -1;
+	else
+		return st.st_size;
 }
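Review bot: `return st.st_size;` narrows `off_t` to the function's `int` return, so a file of 2 GiB or more comes back wrapped or negative and can collide with the `-1` error sentinel, which is unpleasant if a caller sizes a buffer from it. Reject the case explicitly: `if (st.st_size > INT_MAX) return -1;` (needs <limits.h>). While touching the prototype, `const char *path` would document that the path is not modified.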
 
 /*
  * set the close-on-exec flag for file descriptor fd.
  */
 void
-close_on_exec(fd)
-	int fd;
+close_on_exec(int fd)
 {
 	fcntl(fd, F_SETFD, FD_CLOEXEC);
 }
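Review bot: The `fcntl` return value is discarded, so a failure to set FD_CLOEXEC goes unnoticed and the descriptor silently stays open across exec, which matters for a daemon that spawns scripts through privsep_script_exec. Report it: `if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) plog(LLV_ERROR, LOCATION, NULL, "fcntl(F_SETFD, FD_CLOEXEC) failed: %s\n", strerror(errno));`. Callers that want to act on it would need the function to return the status, which is an interface change outside the scope of this style commit.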
@@ -170,8 +139,7 @@ close_on_exec(fd)
  * t2: end
  */
 double
-timedelta(t1, t2)
-	struct timeval *t1, *t2;
+timedelta(struct timeval *t1, struct timeval *t2)
 {
 	if (t2->tv_usec >= t1->tv_usec)
 		return t2->tv_sec - t1->tv_sec +



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-05-19 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat May 19 20:40:40 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: misc.c

Log Message:
Remove dead code, and style.


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/crypto/dist/ipsec-tools/src/racoon/misc.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-05-19 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat May 19 20:21:23 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: oakley.c

Log Message:
Remove unused 'error' variables; they are assigned but never read and clearly serve no purpose.


To generate a diff of this commit:
cvs rdiff -u -r1.26 -r1.27 src/crypto/dist/ipsec-tools/src/racoon/oakley.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-05-19 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat May 19 20:21:23 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: oakley.c

Log Message:
Remove unused 'error' variables; they are assigned but never read and clearly serve no purpose.


To generate a diff of this commit:
cvs rdiff -u -r1.26 -r1.27 src/crypto/dist/ipsec-tools/src/racoon/oakley.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/oakley.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.26 src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.27
--- src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.26	Sat May 19 20:14:56 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/oakley.c	Sat May 19 20:21:23 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: oakley.c,v 1.26 2018/05/19 20:14:56 maxv Exp $	*/
+/*	$NetBSD: oakley.c,v 1.27 2018/05/19 20:21:23 maxv Exp $	*/
 
 /* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */
 
@@ -786,7 +786,6 @@ oakley_compute_hash3(iph1, msgid, body)
 {
 	vchar_t *buf = 0, *res = 0;
 	int len;
-	int error = -1;
 
 	/* create buffer */
 	len = 1 + sizeof(u_int32_t) + body->l;
@@ -811,8 +810,6 @@ oakley_compute_hash3(iph1, msgid, body)
 	if (res == NULL)
 		goto end;
 
-	error = 0;
-
 	plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n");
 	plogdump(LLV_DEBUG, res->v, res->l);
 
@@ -841,7 +838,6 @@ oakley_compute_hash1(iph1, msgid, body)
 	vchar_t *buf = NULL, *res = NULL;
 	char *p;
 	int len;
-	int error = -1;
 
 	/* create buffer */
 	len = sizeof(u_int32_t) + body->l;
@@ -867,8 +863,6 @@ oakley_compute_hash1(iph1, msgid, body)
 	if (res == NULL)
 		goto end;
 
-	error = 0;
-
 	plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n");
 	plogdump(LLV_DEBUG, res->v, res->l);
 
@@ -893,7 +887,6 @@ oakley_ph1hash_common(iph1, sw)
 	vchar_t *buf = NULL, *res = NULL, *bp;
 	char *p, *bp2;
 	int len, bl;
-	int error = -1;
 #ifdef HAVE_GSSAPI
 	vchar_t *gsstokens = NULL;
 #endif
@@ -986,8 +979,6 @@ oakley_ph1hash_common(iph1, sw)
 	if (res == NULL)
 		goto end;
 
-	error = 0;
-
 	plog(LLV_DEBUG, LOCATION, NULL, "HASH (%s) computed:\n",
 		iph1->side == INITIATOR ? "init" : "resp");
 	plogdump(LLV_DEBUG, res->v, res->l);
@@ -1019,7 +1010,6 @@ oakley_ph1hash_base_i(iph1, sw)
 	vchar_t *hash = NULL;	/* for signature mode */
 	char *p;
 	int len;
-	int error = -1;
 
 	/* sanity check */
 	if (iph1->etype != ISAKMP_ETYPE_BASE) {
@@ -1133,8 +1123,6 @@ oakley_ph1hash_base_i(iph1, sw)
 	if (res == NULL)
 		goto end;
 
-	error = 0;
-
 	plog(LLV_DEBUG, LOCATION, NULL, "HASH_I computed:\n");
 	plogdump(LLV_DEBUG, res->v, res->l);
 
@@ -1160,7 +1148,6 @@ oakley_ph1hash_base_r(iph1, sw)
 	vchar_t *hash = NULL;
 	char *p;
 	int len;
-	int error = -1;
 
 	/* sanity check */
 	if (iph1->etype != ISAKMP_ETYPE_BASE) {
@@ -1259,8 +1246,6 @@ oakley_ph1hash_base_r(iph1, sw)
 	if (res == NULL)
 		goto end;
 
-	error = 0;
-
 	plog(LLV_DEBUG, LOCATION, NULL, "HASH_R computed:\n");
 	plogdump(LLV_DEBUG, res->v, res->l);
 



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-05-19 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat May 19 20:14:56 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: admin.c cfparse.y evt.c
grabmyaddr.c handler.c ipsec_doi.c isakmp.c isakmp_var.h
isakmp_xauth.c localconf.c oakley.c pfkey.c remoteconf.c sainfo.c
session.c

Log Message:
Use strict prototypes, when they don't introduce more warnings than they fix.
Also localify a few functions.


To generate a diff of this commit:
cvs rdiff -u -r1.40 -r1.41 src/crypto/dist/ipsec-tools/src/racoon/admin.c
cvs rdiff -u -r1.50 -r1.51 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y \
src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
cvs rdiff -u -r1.10 -r1.11 src/crypto/dist/ipsec-tools/src/racoon/evt.c
cvs rdiff -u -r1.36 -r1.37 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
cvs rdiff -u -r1.41 -r1.42 src/crypto/dist/ipsec-tools/src/racoon/handler.c
cvs rdiff -u -r1.77 -r1.78 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.17 -r1.18 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h
cvs rdiff -u -r1.29 -r1.30 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
cvs rdiff -u -r1.9 -r1.10 src/crypto/dist/ipsec-tools/src/racoon/localconf.c
cvs rdiff -u -r1.25 -r1.26 src/crypto/dist/ipsec-tools/src/racoon/oakley.c
cvs rdiff -u -r1.60 -r1.61 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c
cvs rdiff -u -r1.15 -r1.16 src/crypto/dist/ipsec-tools/src/racoon/sainfo.c
cvs rdiff -u -r1.34 -r1.35 src/crypto/dist/ipsec-tools/src/racoon/session.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/admin.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.40 src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.41
--- src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.40	Sat May 19 19:23:15 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/admin.c	Sat May 19 20:14:56 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: admin.c,v 1.40 2018/05/19 19:23:15 maxv Exp $	*/
+/*	$NetBSD: admin.c,v 1.41 2018/05/19 20:14:56 maxv Exp $	*/
 
 /* Id: admin.c,v 1.25 2006/04/06 14:31:04 manubsd Exp */
 
@@ -97,9 +97,7 @@ static int admin_process __P((int, char 
 static int admin_reply __P((int, struct admin_com *, int, vchar_t *));
 
 static int
-admin_handler(ctx, fd)
-	void *ctx;
-	int fd;
+admin_handler(void *ctx, int fd)
 {
 	int so2;
 	struct sockaddr_storage from;

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.50 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.51
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.50	Sat May 19 19:32:16 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Sat May 19 20:14:56 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.50 2018/05/19 19:32:16 maxv Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.51 2018/05/19 20:14:56 maxv Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -172,7 +172,7 @@ static int load_x509(const char *file, c
 	return 0;
 }
 
-static int process_rmconf()
+static int process_rmconf(void)
 {
 
 	/* check a exchange mode */
@@ -2611,8 +2611,7 @@ insspspec(rmconf, spspec)
 }
 
 static struct secprotospec *
-dupspspec(spspec)
-	struct secprotospec *spspec;
+dupspspec(struct secprotospec *spspec)
 {
 	struct secprotospec *new;
 
Index: src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.50 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.51
--- src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.50	Sat May 19 19:23:15 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c	Sat May 19 20:14:56 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_doi.c,v 1.50 2018/05/19 19:23:15 maxv Exp $	*/
+/*	$NetBSD: ipsec_doi.c,v 1.51 2018/05/19 20:14:56 maxv Exp $	*/
 
 /* Id: ipsec_doi.c,v 1.55 2006/08/17 09:20:41 vanhu Exp */
 
@@ -197,9 +197,7 @@ ipsecdoi_checkph1proposal(sa, iph1)
 }
 
 static void
-print_ph1proposal(pair, s)
-	struct prop_pair *pair;
-	struct isakmpsa *s;
+print_ph1proposal(struct prop_pair *pair, struct isakmpsa *s)
 {
 	struct isakmp_pl_p *prop = pair->prop;
 	struct isakmp_pl_t *trns = pair->trns;
@@ -3302,9 +3300,7 @@ doi2ipproto(proto)
  */
 
 int
-ipsecdoi_subnetisaddr_v4( subnet, address )
-	const vchar_t *subnet;
-	const vchar_t *address;
+ipsecdoi_subnetisaddr_v4(const vchar_t *subnet, const vchar_t *address)
 {
 	struct in_addr *mask;
 
@@ -3325,9 +3321,7 @@ ipsecdoi_subnetisaddr_v4( subnet, addres
 #ifdef INET6
 
 int
-ipsecdoi_subnetisaddr_v6( subnet, address )
-	const vchar_t *subnet;
-	const vchar_t *address;
+ipsecdoi_subnetisaddr_v6(const vchar_t *subnet, const vchar_t *address)
 {
 	struct in6_addr *mask;
 	int i;

Index: src/crypto/dist/ipsec-tools/src/racoon/evt.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/evt.c:1.10 

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-05-19 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat May 19 20:14:56 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: admin.c cfparse.y evt.c
grabmyaddr.c handler.c ipsec_doi.c isakmp.c isakmp_var.h
isakmp_xauth.c localconf.c oakley.c pfkey.c remoteconf.c sainfo.c
session.c

Log Message:
Use strict prototypes, when they don't introduce more warnings than they fix.
Also localify a few functions.


To generate a diff of this commit:
cvs rdiff -u -r1.40 -r1.41 src/crypto/dist/ipsec-tools/src/racoon/admin.c
cvs rdiff -u -r1.50 -r1.51 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y \
src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
cvs rdiff -u -r1.10 -r1.11 src/crypto/dist/ipsec-tools/src/racoon/evt.c
cvs rdiff -u -r1.36 -r1.37 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
cvs rdiff -u -r1.41 -r1.42 src/crypto/dist/ipsec-tools/src/racoon/handler.c
cvs rdiff -u -r1.77 -r1.78 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.17 -r1.18 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h
cvs rdiff -u -r1.29 -r1.30 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
cvs rdiff -u -r1.9 -r1.10 src/crypto/dist/ipsec-tools/src/racoon/localconf.c
cvs rdiff -u -r1.25 -r1.26 src/crypto/dist/ipsec-tools/src/racoon/oakley.c
cvs rdiff -u -r1.60 -r1.61 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c
cvs rdiff -u -r1.15 -r1.16 src/crypto/dist/ipsec-tools/src/racoon/sainfo.c
cvs rdiff -u -r1.34 -r1.35 src/crypto/dist/ipsec-tools/src/racoon/session.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-05-19 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat May 19 19:47:47 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: backupsa.c isakmp_cfg.c
isakmp_inf.c session.c

Log Message:
Remove unused labels, functions, and function prototypes.


To generate a diff of this commit:
cvs rdiff -u -r1.10 -r1.11 src/crypto/dist/ipsec-tools/src/racoon/backupsa.c
cvs rdiff -u -r1.27 -r1.28 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
cvs rdiff -u -r1.52 -r1.53 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
cvs rdiff -u -r1.33 -r1.34 src/crypto/dist/ipsec-tools/src/racoon/session.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/backupsa.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/backupsa.c:1.10 src/crypto/dist/ipsec-tools/src/racoon/backupsa.c:1.11
--- src/crypto/dist/ipsec-tools/src/racoon/backupsa.c:1.10	Fri Apr  2 15:15:00 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/backupsa.c	Sat May 19 19:47:47 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: backupsa.c,v 1.10 2010/04/02 15:15:00 christos Exp $	*/
+/*	$NetBSD: backupsa.c,v 1.11 2018/05/19 19:47:47 maxv Exp $	*/
 
 /*	$KAME: backupsa.c,v 1.16 2001/12/31 20:13:40 thorpej Exp $	*/
 
@@ -228,7 +228,6 @@ backupsa_from_file()
 		memset(, 0, sizeof(tm));
 		p = str2tmx(buf, );
 		if (*p != '%') {
-	err:
 			plog(LLV_ERROR, LOCATION, NULL,
 "illegal format line#%d in %s: %s\n",
 line, lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], 

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.27 src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.28
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.27	Sat May 19 19:32:16 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c	Sat May 19 19:47:47 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_cfg.c,v 1.27 2018/05/19 19:32:16 maxv Exp $	*/
+/*	$NetBSD: isakmp_cfg.c,v 1.28 2018/05/19 19:47:47 maxv Exp $	*/
 
 /* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */
 
@@ -740,7 +740,7 @@ isakmp_cfg_set(iph1, attrpl)
 		delph1(iph1);
 		iph1 = NULL;
 	}
-end:
+
 	vfree(payload);
 
 	/* 

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.52 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.53
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.52	Sat May 19 19:23:15 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Sat May 19 19:47:47 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.c,v 1.52 2018/05/19 19:23:15 maxv Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.53 2018/05/19 19:47:47 maxv Exp $	*/
 
 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
 
@@ -110,8 +110,6 @@ static int isakmp_info_recv_r_u_ack __P(
 static void isakmp_info_send_r_u __P((struct sched *));
 #endif
 
-static void purge_isakmp_spi __P((int, isakmp_index *, size_t));
-
 /* %%%
  * Information Exchange
  */
@@ -1072,32 +1070,6 @@ isakmp_add_pl_n(buf0, np_p, type, pr, da
 	return buf;
 }
 
-static void
-purge_isakmp_spi(proto, spi, n)
-	int proto;
-	isakmp_index *spi;	/*network byteorder*/
-	size_t n;
-{
-	struct ph1handle *iph1;
-	size_t i;
-
-	for (i = 0; i < n; i++) {
-		iph1 = getph1byindex([i]);
-		if (!iph1)
-			continue;
-
-		plog(LLV_INFO, LOCATION, NULL,
-			"purged ISAKMP-SA proto_id=%s spi=%s.\n",
-			s_ipsecdoi_proto(proto),
-			isakmp_pindex([i], 0));
-
-		iph1->status = PHASE1ST_EXPIRED;
-		isakmp_ph1delete(iph1);
-	}
-}
-
-
-
 void
 purge_ipsec_spi(dst0, proto, spi, n)
 	struct sockaddr *dst0;

Index: src/crypto/dist/ipsec-tools/src/racoon/session.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/session.c:1.33 src/crypto/dist/ipsec-tools/src/racoon/session.c:1.34
--- src/crypto/dist/ipsec-tools/src/racoon/session.c:1.33	Sat May 19 19:23:15 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/session.c	Sat May 19 19:47:47 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: session.c,v 1.33 2018/05/19 19:23:15 maxv Exp $	*/
+/*	$NetBSD: session.c,v 1.34 2018/05/19 19:47:47 maxv Exp $	*/
 
 /*	$KAME: session.c,v 1.32 2003/09/24 02:01:17 jinmei Exp $	*/
 
@@ -111,11 +111,9 @@ struct fd_monitor {
 #define NUM_PRIORITIES 2
 
 static void close_session __P((void));
-static void initfds __P((void));
 static void init_signal __P((void));
 static int set_signal __P((int sig, RETSIGTYPE (*func) __P((int;
 static void check_sigreq __P((void));
-static void check_flushsa __P((void));
 static int close_sockets __P((void));
 
 static fd_set preset_mask, active_mask;



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-05-19 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat May 19 19:47:47 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: backupsa.c isakmp_cfg.c
isakmp_inf.c session.c

Log Message:
Remove unused labels, functions, and function prototypes.


To generate a diff of this commit:
cvs rdiff -u -r1.10 -r1.11 src/crypto/dist/ipsec-tools/src/racoon/backupsa.c
cvs rdiff -u -r1.27 -r1.28 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
cvs rdiff -u -r1.52 -r1.53 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
cvs rdiff -u -r1.33 -r1.34 src/crypto/dist/ipsec-tools/src/racoon/session.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-05-19 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat May 19 19:32:16 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y isakmp_cfg.c
isakmp_frag.c isakmp_xauth.c

Log Message:
More unused variables.


To generate a diff of this commit:
cvs rdiff -u -r1.49 -r1.50 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
cvs rdiff -u -r1.26 -r1.27 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
cvs rdiff -u -r1.7 -r1.8 src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c
cvs rdiff -u -r1.28 -r1.29 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-05-19 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat May 19 19:32:16 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y isakmp_cfg.c
isakmp_frag.c isakmp_xauth.c

Log Message:
More unused variables.


To generate a diff of this commit:
cvs rdiff -u -r1.49 -r1.50 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
cvs rdiff -u -r1.26 -r1.27 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
cvs rdiff -u -r1.7 -r1.8 src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c
cvs rdiff -u -r1.28 -r1.29 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.49 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.50
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.49	Wed Feb 17 20:11:17 2016
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Sat May 19 19:32:16 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.49 2016/02/17 20:11:17 christos Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.50 2018/05/19 19:32:16 maxv Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -1543,7 +1543,6 @@ sainfo_id
 		{
 			char portbuf[10];
 			struct sockaddr *laddr = NULL, *haddr = NULL;
-			char *cur = NULL;
 
 			if (($6 == IPPROTO_ICMP || $6 == IPPROTO_ICMPV6)
 			 && ($5 != IPSEC_PORT_ANY || $5 != IPSEC_PORT_ANY)) {
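Review bot: The condition kept as context on the last line of this hunk, `($5 != IPSEC_PORT_ANY || $5 != IPSEC_PORT_ANY)`, tests the same operand twice, so it reduces to `$5 != IPSEC_PORT_ANY` and whatever second port the rule meant to validate for ICMP goes unchecked. The intended second operand is not visible in the hunk; it is presumably the other port symbol of the sainfo_id rule, i.e. `($5 != IPSEC_PORT_ANY || $N != IPSEC_PORT_ANY)` with `$N` replaced by that symbol once confirmed against the grammar. The unused-variable removal itself is fine, and the rule's action body starts and ends outside the hunk.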
@@ -2013,7 +2012,6 @@ remote_spec
 	|	PEERS_CERTFILE CERT_PLAINRSA QUOTEDSTRING
 		{
 			char path[MAXPATHLEN];
-			int ret = 0;
 
 			if (cur_rmconf->peerscert != NULL) {
 yyerror("peers_certfile already defined\n");
@@ -2365,7 +2363,6 @@ cert_spec
 	|	CERT_PLAINRSA QUOTEDSTRING
 		{
 			char path[MAXPATHLEN];
-			int ret = 0;
 
 			if (cur_rmconf->mycert != NULL) {
 yyerror("certificate_type already defined\n");

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.26 src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.27
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.26	Wed Mar  9 22:27:17 2016
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c	Sat May 19 19:32:16 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_cfg.c,v 1.26 2016/03/09 22:27:17 christos Exp $	*/
+/*	$NetBSD: isakmp_cfg.c,v 1.27 2018/05/19 19:32:16 maxv Exp $	*/
 
 /* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */
 
@@ -322,7 +322,6 @@ isakmp_cfg_reply(iph1, attrpl)
 	size_t alen;
 	char *npp;
 	int type;
-	struct sockaddr_in *sin;
 	int error;
 
 	tlen = ntohs(attrpl->h.len);
@@ -782,7 +781,6 @@ isakmp_cfg_net(iph1, attr)
 {
 	int type;
 	int confsource;
-	in_addr_t addr4;
 
 	type = ntohs(attr->type);
 
@@ -1665,7 +1663,6 @@ isakmp_cfg_accounting_system(port, raddr
 	char *usr;
 	int inout;
 {
-	int error = 0;
 	struct utmpx ut;
 	char addr[NI_MAXHOST];
 	
@@ -1880,8 +1877,6 @@ isakmp_cfg_setenv(iph1, envp, envc)
 	char defdom[MAXPATHLEN + 1];
 	int cidr, tmp;
 	char cidrstr[4];
-	int i, p;
-	int test;
 
 	plog(LLV_DEBUG, LOCATION, NULL, "Starting a script.\n");
 
@@ -2134,7 +2129,6 @@ isakmp_cfg_init(cold) 
 	int cold;
 {
 	int i;
-	int error;
 
 	isakmp_cfg_config.network4 = (in_addr_t)0x;
 	isakmp_cfg_config.netmask4 = (in_addr_t)0x;
@@ -2184,6 +2178,7 @@ isakmp_cfg_init(cold) 
 	isakmp_cfg_config.splitdns_len = 0;
 
 #if 0
+	int error;
 	if (cold == ISAKMP_CFG_INIT_COLD) {
 		if ((error = isakmp_cfg_resize_pool(ISAKMP_CFG_MAX_CNX)) != 0)
 			return error;
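Review bot: The `int error;` added on the new side lives inside an `#if 0` block, so it declares a local for code the compiler never sees. If the pool-resize call is not coming back, deleting the whole `#if 0` block is cleaner than keeping a declaration alive for it; if it is coming back, the declaration belongs with the other locals at the top of isakmp_cfg_init rather than inside the conditional. The enclosing function starts outside the hunk.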

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.7 src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.8
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.7	Sun Jul 23 05:40:27 2017
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c	Sat May 19 19:32:16 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_frag.c,v 1.7 2017/07/23 05:40:27 christos Exp $	*/
+/*	$NetBSD: isakmp_frag.c,v 1.8 2018/05/19 19:32:16 maxv Exp $	*/
 
 /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
 
@@ -219,7 +219,6 @@ isakmp_frag_extract(iph1, msg)
 	struct isakmp_frag *frag;
 	struct isakmp_frag_item *item;
 	vchar_t *buf;
-	size_t len;
 	int last_frag = 0;
 	char *data;
 	int i;

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.28 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.29
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.28	Wed Mar  9 15:58:25 2016
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Sat May 19 19:32:16 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.28 2016/03/09 15:58:25 christos Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.29 2018/05/19 19:32:16 maxv Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -655,7 +655,6 @@ PAM_conv(msg_count, 

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-05-19 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat May 19 19:23:15 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: admin.c grabmyaddr.c
ipsec_doi.c isakmp.c isakmp_agg.c isakmp_base.c isakmp_ident.c
isakmp_inf.c main.c oakley.c privsep.c remoteconf.c session.c
vendorid.c

Log Message:
Remove unused variables.


To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.40 src/crypto/dist/ipsec-tools/src/racoon/admin.c
cvs rdiff -u -r1.35 -r1.36 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
cvs rdiff -u -r1.49 -r1.50 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
cvs rdiff -u -r1.76 -r1.77 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.16 -r1.17 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_agg.c
cvs rdiff -u -r1.12 -r1.13 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_base.c
cvs rdiff -u -r1.15 -r1.16 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c
cvs rdiff -u -r1.51 -r1.52 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
cvs rdiff -u -r1.14 -r1.15 src/crypto/dist/ipsec-tools/src/racoon/main.c
cvs rdiff -u -r1.24 -r1.25 src/crypto/dist/ipsec-tools/src/racoon/oakley.c
cvs rdiff -u -r1.23 -r1.24 src/crypto/dist/ipsec-tools/src/racoon/privsep.c
cvs rdiff -u -r1.28 -r1.29 \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
cvs rdiff -u -r1.32 -r1.33 src/crypto/dist/ipsec-tools/src/racoon/session.c
cvs rdiff -u -r1.8 -r1.9 src/crypto/dist/ipsec-tools/src/racoon/vendorid.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/admin.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.39 src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.40
--- src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.39	Mon Jun  3 05:49:31 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/admin.c	Sat May 19 19:23:15 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: admin.c,v 1.39 2013/06/03 05:49:31 tteras Exp $	*/
+/*	$NetBSD: admin.c,v 1.40 2018/05/19 19:23:15 maxv Exp $	*/
 
 /* Id: admin.c,v 1.25 2006/04/06 14:31:04 manubsd Exp */
 
@@ -327,7 +327,6 @@ admin_process(so2, combuf)
 
 #ifdef ENABLE_HYBRID
 	case ADMIN_LOGOUT_USER: {
-		struct ph1handle *iph1;
 		char user[LOGINLEN+1];
 		int found = 0, len = com->ac_len - sizeof(*com);
 
@@ -427,7 +426,6 @@ admin_process(so2, combuf)
 		case ADMIN_PROTO_ISAKMP: {
 			struct ph1handle *ph1;
 			struct remoteconf *rmconf;
-			u_int16_t port;
 
 			l_ac_errno = -1;
 

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.35 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.36
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.35	Wed Apr 12 16:47:39 2017
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Sat May 19 19:23:15 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.35 2017/04/12 16:47:39 roy Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.36 2018/05/19 19:23:15 maxv Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras .
@@ -140,7 +140,7 @@ myaddr_open_all_configured(addr)
 	struct sockaddr *addr;
 {
 	/* create all configured, not already opened addresses */
-	struct myaddr *cfg, *my;
+	struct myaddr *cfg;
 
 	if (addr != NULL) {
 		switch (addr->sa_family) {
@@ -859,7 +859,6 @@ kernel_sync()
 	caddr_t ref, buf, end;
 	size_t bufsiz;
 	struct if_msghdr *ifm;
-	struct interface *ifp;
 
 #define MIBSIZ 6
 	int mib[MIBSIZ] = {

Index: src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.49 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.50
--- src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.49	Tue Jun 18 05:39:50 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c	Sat May 19 19:23:15 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_doi.c,v 1.49 2013/06/18 05:39:50 tteras Exp $	*/
+/*	$NetBSD: ipsec_doi.c,v 1.50 2018/05/19 19:23:15 maxv Exp $	*/
 
 /* Id: ipsec_doi.c,v 1.55 2006/08/17 09:20:41 vanhu Exp */
 
@@ -264,8 +264,6 @@ get_ph1approval(iph1, doitype, sittype, 
 		for (s = pair[i]; s; s = s->next) {
 			/* compare proposal and select one */
 			for (p = s; p; p = p->tnext) {
-struct isakmp_pl_p *prop = p->prop;
-
 sa = newisakmpsa();
 ctx.p = p;
 ctx.sa = sa;
@@ -3894,7 +3892,7 @@ set_identifier_qual(vpp, type, value, qu
 		if (loglevel >= LLV_DEBUG) {
 			X509_NAME *xn;
 			BIO *bio;
-			unsigned char *ptr = (unsigned char *) new->v, *buf;
+			unsigned char *ptr = (unsigned char *) new->v;
 			size_t len;
 			char save;
 

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.76 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.77
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.76	Tue Jan 24 19:23:56 2017
+++ 

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-05-19 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat May 19 19:23:15 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: admin.c grabmyaddr.c
ipsec_doi.c isakmp.c isakmp_agg.c isakmp_base.c isakmp_ident.c
isakmp_inf.c main.c oakley.c privsep.c remoteconf.c session.c
vendorid.c

Log Message:
Remove unused variables.


To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.40 src/crypto/dist/ipsec-tools/src/racoon/admin.c
cvs rdiff -u -r1.35 -r1.36 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
cvs rdiff -u -r1.49 -r1.50 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
cvs rdiff -u -r1.76 -r1.77 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.16 -r1.17 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_agg.c
cvs rdiff -u -r1.12 -r1.13 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_base.c
cvs rdiff -u -r1.15 -r1.16 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c
cvs rdiff -u -r1.51 -r1.52 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
cvs rdiff -u -r1.14 -r1.15 src/crypto/dist/ipsec-tools/src/racoon/main.c
cvs rdiff -u -r1.24 -r1.25 src/crypto/dist/ipsec-tools/src/racoon/oakley.c
cvs rdiff -u -r1.23 -r1.24 src/crypto/dist/ipsec-tools/src/racoon/privsep.c
cvs rdiff -u -r1.28 -r1.29 \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
cvs rdiff -u -r1.32 -r1.33 src/crypto/dist/ipsec-tools/src/racoon/session.c
cvs rdiff -u -r1.8 -r1.9 src/crypto/dist/ipsec-tools/src/racoon/vendorid.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-05-19 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat May 19 18:51:59 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: main.c nattraversal.c
nattraversal.h

Log Message:
Style, a little...


To generate a diff of this commit:
cvs rdiff -u -r1.13 -r1.14 src/crypto/dist/ipsec-tools/src/racoon/main.c
cvs rdiff -u -r1.14 -r1.15 \
src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c
cvs rdiff -u -r1.7 -r1.8 \
src/crypto/dist/ipsec-tools/src/racoon/nattraversal.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/main.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/main.c:1.13 src/crypto/dist/ipsec-tools/src/racoon/main.c:1.14
--- src/crypto/dist/ipsec-tools/src/racoon/main.c:1.13	Fri Jul 12 13:11:50 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/main.c	Sat May 19 18:51:59 2018
@@ -1,11 +1,11 @@
-/*	$NetBSD: main.c,v 1.13 2013/07/12 13:11:50 tteras Exp $	*/
+/*	$NetBSD: main.c,v 1.14 2018/05/19 18:51:59 maxv Exp $	*/
 
 /* Id: main.c,v 1.25 2006/06/20 20:31:34 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -17,7 +17,7 @@
  * 3. Neither the name of the project nor the names of its contributors
  *may be used to endorse or promote products derived from this software
  *without specific prior written permission.
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -85,9 +85,9 @@ static int loading_sa = 0;	/* install sa
 
 #ifdef TOP_PACKAGE
 static char version[] = "@(#)" TOP_PACKAGE_STRING " (" TOP_PACKAGE_URL ")";
-#else /* TOP_PACKAGE */
+#else
 static char version[] = "@(#) racoon / IPsec-tools";
-#endif /* TOP_PACKAGE */
+#endif
 
 static void
 print_version()
@@ -162,9 +162,7 @@ usage()
 }
 
 static void
-parse(ac, av)
-	int ac;
-	char **av;
+parse(int ac, char **av)
 {
 	extern char *optarg;
 	extern int optind;
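Review bot: The `extern char *optarg;` and `extern int optind;` declarations kept inside parse duplicate what `<unistd.h>` already provides for getopt, and a local extern can silently disagree with the header's declaration. If main.c includes `<unistd.h>` (the include block is outside the hunk), the two lines can simply be dropped; if it does not, adding that include is the better fix than the local externs. The prototype conversion itself is fine, and parse's body continues outside the hunk.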
@@ -264,9 +262,7 @@ parse(ac, av)
 }
 
 int
-main(ac, av)
-	int ac;
-	char **av;
+main(int ac, char **av)
 {
 	int error;
 
@@ -308,7 +304,7 @@ main(ac, av)
 	plog(LLV_INFO, LOCATION, NULL, "@(#)"
 	"This product linked %s (http://www.openssl.org/)"
 	"\n", eay_version());
-	plog(LLV_INFO, LOCATION, NULL, "Reading configuration from \"%s\"\n", 
+	plog(LLV_INFO, LOCATION, NULL, "Reading configuration from \"%s\"\n",
 	lcconf->racoon_conf);
 
 	/*
@@ -346,4 +342,3 @@ main(ac, av)
 
 	return 0;
 }
-

Index: src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c:1.14 src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c:1.15
--- src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c:1.14	Mon Mar 14 17:18:13 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c	Sat May 19 18:51:59 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: nattraversal.c,v 1.14 2011/03/14 17:18:13 tteras Exp $	*/
+/*	$NetBSD: nattraversal.c,v 1.15 2018/05/19 18:51:59 maxv Exp $	*/
 
 /*
  * Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
@@ -230,118 +230,117 @@ natt_udp_encap (int encmode)
 }
 
 int
-natt_fill_options (struct ph1natt_options *opts, int version)
+natt_fill_options(struct ph1natt_options *opts, int version)
 {
-  if (! opts)
-return -1;
+	if (!opts)
+		return -1;
 
-  opts->version = version;
+	opts->version = version;
 
-  switch (version) {
-case VENDORID_NATT_00:
-case VENDORID_NATT_01:
-  opts->float_port = 0; /* No port floating for those drafts */
-  opts->payload_nat_d = ISAKMP_NPTYPE_NATD_DRAFT;
-  opts->payload_nat_oa = ISAKMP_NPTYPE_NATOA_DRAFT;
-  opts->mode_udp_tunnel = IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT;
-  opts->mode_udp_transport = IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT;
-  opts->encaps_type = UDP_ENCAP_ESPINUDP_NON_IKE;
+	switch (version) {
+	case VENDORID_NATT_00:
+	case VENDORID_NATT_01:
+		opts->float_port = 0; /* No port floating for those drafts */
+		opts->payload_nat_d = ISAKMP_NPTYPE_NATD_DRAFT;
+		opts->payload_nat_oa = ISAKMP_NPTYPE_NATOA_DRAFT;
+		opts->mode_udp_tunnel = IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT;
+		opts->mode_udp_transport = IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT;
+		opts->encaps_type = UDP_ENCAP_ESPINUDP_NON_IKE;
+		break;
+	case VENDORID_NATT_02:
+	case VENDORID_NATT_02_N:
+	case VENDORID_NATT_03:
+		opts->float_port = lcconf->port_isakmp_natt;
+		opts->payload_nat_d = ISAKMP_NPTYPE_NATD_DRAFT;
+		opts->payload_nat_oa = ISAKMP_NPTYPE_NATOA_DRAFT;
+		opts->mode_udp_tunnel = IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT;
+		opts->mode_udp_transport = IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT;

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-05-19 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat May 19 18:51:59 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: main.c nattraversal.c
nattraversal.h

Log Message:
Style, a little...


To generate a diff of this commit:
cvs rdiff -u -r1.13 -r1.14 src/crypto/dist/ipsec-tools/src/racoon/main.c
cvs rdiff -u -r1.14 -r1.15 \
src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c
cvs rdiff -u -r1.7 -r1.8 \
src/crypto/dist/ipsec-tools/src/racoon/nattraversal.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-04-01 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sun Apr  1 22:59:58 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: crypto_openssl.c

Log Message:
Avoid double frees (thanks asan)


To generate a diff of this commit:
cvs rdiff -u -r1.27 -r1.28 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.27 src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.28
--- src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.27	Tue Feb  6 22:59:03 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c	Sun Apr  1 18:59:57 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.c,v 1.27 2018/02/07 03:59:03 christos Exp $	*/
+/*	$NetBSD: crypto_openssl.c,v 1.28 2018/04/01 22:59:57 christos Exp $	*/
 
 /* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
 
@@ -2331,6 +2331,7 @@ eay_dh_generate(prime, ig, publen, pub, 
 		goto end;
 	if (!DH_set0_pqg(dh, p, NULL, g))
 		goto end;
+	p = g = NULL;
 
 	if (publen != 0)
 		DH_set_length(dh, publen);
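Review bot: The added `p = g = NULL;` is correct but undocumented: a reader who sees `p` and `g` still freed at `end` later in the function will not know why they are cleared here. A comment on the new line, `/* dh owns p and g from here on; the end: cleanup must not free them */`, records the ownership transfer DH_set0_pqg performs on success, which is the whole point of the fix. The same comment applies to the `p = g = NULL;` and `pub_key = priv_key = NULL;` lines in the eay_dh_compute hunk below. eay_dh_generate's body continues outside the hunk.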
@@ -2395,9 +2396,11 @@ eay_dh_compute(prime, ig, pub, priv, pub
 
 	if (!DH_set0_pqg(dh, p, NULL, g))
 		goto end;
+	p = g = NULL;
 
 	if (!DH_set0_key(dh, pub_key, priv_key))
 		goto end;
+	pub_key = priv_key = NULL;
 
 	if ((v = racoon_calloc(prime->l, sizeof(u_char))) == NULL)
 		goto end;
@@ -2565,7 +2568,6 @@ binbuf_pubkey2rsa(vchar_t *binbuf)
 	return rsa_pub;
 out:
 	BN_free(exp);
-	BN_free(exp);
 	RSA_free(rsa_pub);
 	return NULL;
 }
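Review bot: Dropping the duplicate `BN_free(exp)` fixes one double free, but the `out:` path still frees `exp` unconditionally and then calls `RSA_free(rsa_pub)`; if an ownership-transferring call such as RSA_set0_key succeeded on `exp` before a later failure jumped to `out`, rsa_pub frees it a second time. The body above the label is outside the hunk, so this is a question rather than a confirmed bug: if such a transfer exists, clear `exp` right after it (`exp = NULL;`) the way the DH hunks above do for `p` and `g`.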



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-04-01 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sun Apr  1 22:59:58 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: crypto_openssl.c

Log Message:
Avoid double frees (thanks asan)


To generate a diff of this commit:
cvs rdiff -u -r1.27 -r1.28 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-04-01 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sun Apr  1 22:35:22 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: debugrm.c debugrm.h

Log Message:
make debugrm compile again.


To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 src/crypto/dist/ipsec-tools/src/racoon/debugrm.c
cvs rdiff -u -r1.4 -r1.5 src/crypto/dist/ipsec-tools/src/racoon/debugrm.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-04-01 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sun Apr  1 22:35:22 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: debugrm.c debugrm.h

Log Message:
make debugrm compile again.


To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 src/crypto/dist/ipsec-tools/src/racoon/debugrm.c
cvs rdiff -u -r1.4 -r1.5 src/crypto/dist/ipsec-tools/src/racoon/debugrm.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/debugrm.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/debugrm.c:1.3 src/crypto/dist/ipsec-tools/src/racoon/debugrm.c:1.4
--- src/crypto/dist/ipsec-tools/src/racoon/debugrm.c:1.3	Sat Sep  9 12:22:09 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/debugrm.c	Sun Apr  1 18:35:22 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: debugrm.c,v 1.3 2006/09/09 16:22:09 manu Exp $	*/
+/*	$NetBSD: debugrm.c,v 1.4 2018/04/01 22:35:22 christos Exp $	*/
 
 /*	$KAME: debugrm.c,v 1.6 2001/12/13 16:07:46 sakane Exp $	*/
 
@@ -51,37 +51,38 @@
 #define DRMLISTSIZE 1024
 
 struct drm_list_t {
-	void *ptr;
+	const void *ptr;
 	char msg[100];
 };
 static struct drm_list_t drmlist[DRMLISTSIZE];
 
 static int drm_unknown;
 
-static void DRM_add __P((void *, char *));
-static void DRM_del __P((void *));
-static void DRM_setmsg __P((char *, int, void *, int, char *, int, char *));
+static void DRM_add(const void *, const char *);
+static void DRM_del(const void *);
+static void DRM_setmsg(char *, size_t, const void *, size_t, const char *,
+size_t, const char *);
 
 void 
-DRM_init()
+DRM_init(void)
 {
-	int i;
+	size_t i;
 	drm_unknown = 0;
-	for (i = 0; i < sizeof(drmlist)/sizeof(drmlist[0]); i++)
+	for (i = 0; i < __arraycount(drmlist); i++)
 		drmlist[i].ptr = 0;
 }
 
 void
-DRM_dump()
+DRM_dump(void)
 {
 	FILE *fp;
-	int i;
+	size_t i;
 
 	fp = fopen(DRMDUMPFILE, "w");
 	if (fp == NULL)
 		err(1, "fopen");	/*XXX*/
 	fprintf(fp, "drm_unknown=%d\n", drm_unknown);
-	for (i = 0; i < sizeof(drmlist)/sizeof(drmlist[0]); i++) {
+	for (i = 0; i < __arraycount(drmlist); i++) {
 		if (drmlist[i].ptr)
 			fprintf(fp, "%s\n", drmlist[i].msg);
 	}
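Review bot: `drmlist[i].ptr = 0;` in DRM_init assigns an integer literal to a member this commit declares as `const void *`; `drmlist[i].ptr = NULL;` states the intent, and the same applies to the reset in the DRM_del hunk further down in this diff. The move to `__arraycount()` and `size_t` indices is fine as is. DRM_dump continues past the end of this hunk.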
@@ -89,12 +90,10 @@ DRM_dump()
 }
 
 static void 
-DRM_add(p, msg)
-	void *p;
-	char *msg;
+DRM_add(const void *p, const char *msg)
 {
-	int i;
-	for (i = 0; i < sizeof(drmlist)/sizeof(drmlist[0]); i++) {
+	size_t i;
+	for (i = 0; i < __arraycount(drmlist); i++) {
 		if (!drmlist[i].ptr) {
 			drmlist[i].ptr = p;
 			strlcpy(drmlist[i].msg, msg, sizeof(drmlist[i].msg));
@@ -104,15 +103,14 @@ DRM_add(p, msg)
 }
 
 static void
-DRM_del(p)
-	void *p;
+DRM_del(const void *p)
 {
-	int i;
+	size_t i;
 
 	if (!p)
 		return;
 
-	for (i = 0; i < sizeof(drmlist)/sizeof(drmlist[0]); i++) {
+	for (i = 0; i < __arraycount(drmlist); i++) {
 		if (drmlist[i].ptr == p) {
 			drmlist[i].ptr = 0;
 			return;
@@ -122,10 +120,8 @@ DRM_del(p)
 }
 
 static void
-DRM_setmsg(buf, buflen, ptr, size, file, line, func)
-	char *buf, *file, *func;
-	int buflen, size, line;
-	void *ptr;
+DRM_setmsg(char *buf, size_t buflen, const void *ptr, size_t size,
+const char *file, size_t line, const char *func)
 {
 	time_t t;
 	struct tm *tm;
@@ -136,14 +132,11 @@ DRM_setmsg(buf, buflen, ptr, size, file,
 	len = strftime(buf, buflen, "%Y/%m/%d:%T ", tm);
 
 	snprintf(buf + len, buflen - len, "%p %6d %s:%d:%s",
-		ptr, size, file , line, func);
+		ptr, size, file, line, func);
 }
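Review bot: The snprintf format two lines up still uses `%6d` and `%d` for `size` and `line`, but this commit changes both parameters to `size_t` in the DRM_setmsg signature, so the conversions no longer match their arguments (undefined behaviour, and -Wformat will warn). The format should read `"%p %6zu %s:%zu:%s"`. The start of DRM_setmsg, including the strftime() setup, is outside this hunk.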
 
 void *
-DRM_malloc(file, line, func, size)
-	char *file, *func;
-	int line;
-	size_t size;
+DRM_malloc(const char *file, size_t line, const char *func, size_t size)
 {
 	void *p;
 
@@ -158,10 +151,8 @@ DRM_malloc(file, line, func, size)
 }
 
 void *
-DRM_calloc(file, line, func, number, size)
-	char *file, *func;
-	int line;
-	size_t number, size;
+DRM_calloc(const char *file, size_t line, const char *func, size_t number,
+size_t size)
 {
 	void *p;
 
@@ -175,11 +166,8 @@ DRM_calloc(file, line, func, number, siz
 }
 
 void *
-DRM_realloc(file, line, func, ptr, size)
-	char *file, *func;
-	int line;
-	void *ptr;
-	size_t size;
+DRM_realloc(const char *file, size_t line, const char *func, void *ptr,
+size_t size)
 {
 	void *p;
 
@@ -197,20 +185,14 @@ DRM_realloc(file, line, func, ptr, size)
 }
 
 void
-DRM_free(file, line, func, ptr)
-	char *file, *func;
-	int line;
-	void *ptr;
+DRM_free(const char *file, size_t line, const char *func, void *ptr)
 {
 	DRM_del(ptr);
 	free(ptr);
 }
 
 char *
-DRM_strdup(file, line, func, str)
-	char *file, *func;
-	int line;
-	const char *str;
+DRM_strdup(const char *file, size_t line, const char *func, const char *str)
 {
 	char *p;
 
@@ -218,7 +200,7 @@ DRM_strdup(file, line, func, str)
 
 	if (p) {
 		char buf[1024];
-		DRM_setmsg(buf, sizeof(buf), p, size, file, line, func);
+		DRM_setmsg(buf, sizeof(buf), p, strlen(p), file, line, func);
 		DRM_add(p, buf);
 	}
 
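Review bot: `strlen(p)` records one byte less than strdup() allocated, since the terminator is not counted; if the size written by DRM_setmsg is meant to reflect the allocation size (as the DRM_malloc/DRM_calloc paths presumably pass their `size` through), `strlen(p) + 1` would keep the dump consistent. Replacing the undeclared `size` is the right compile fix in itself. DRM_strdup's prologue and return are outside this hunk.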
@@ -229,10 +211,7 @@ DRM_strdup(file, line, func, str)
  * mask vmbuf.c functions.
  */
 

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-02-06 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Feb  7 03:59:03 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: crypto_openssl.c
crypto_openssl.h prsa_par.y rsalist.c

Log Message:
Welcome to the 21st century Buck Rogers: OpenSSL-1.1


To generate a diff of this commit:
cvs rdiff -u -r1.26 -r1.27 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
cvs rdiff -u -r1.8 -r1.9 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h
cvs rdiff -u -r1.6 -r1.7 src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y \
src/crypto/dist/ipsec-tools/src/racoon/rsalist.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-02-06 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Feb  7 03:59:03 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: crypto_openssl.c
crypto_openssl.h prsa_par.y rsalist.c

Log Message:
Welcome to the 21st century Buck Rogers: OpenSSL-1.1


To generate a diff of this commit:
cvs rdiff -u -r1.26 -r1.27 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
cvs rdiff -u -r1.8 -r1.9 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h
cvs rdiff -u -r1.6 -r1.7 src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y \
src/crypto/dist/ipsec-tools/src/racoon/rsalist.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.26 src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.27
--- src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.26	Sun Jun 11 18:12:56 2017
+++ src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c	Tue Feb  6 22:59:03 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.c,v 1.26 2017/06/11 22:12:56 christos Exp $	*/
+/*	$NetBSD: crypto_openssl.c,v 1.27 2018/02/07 03:59:03 christos Exp $	*/
 
 /* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
 
@@ -109,11 +109,11 @@
  * necessary for SSLeay/OpenSSL portability.  It sucks.
  */
 
-static int cb_check_cert_local __P((int, X509_STORE_CTX *));
-static int cb_check_cert_remote __P((int, X509_STORE_CTX *));
-static X509 *mem2x509 __P((vchar_t *));
+static int cb_check_cert_local(int, X509_STORE_CTX *);
+static int cb_check_cert_remote(int, X509_STORE_CTX *);
+static X509 *mem2x509(vchar_t *);
 
-static caddr_t eay_hmac_init __P((vchar_t *, const EVP_MD *));
+static caddr_t eay_hmac_init(vchar_t *, const EVP_MD *);
 
 /* X509 Certificate */
 /*
@@ -312,13 +312,19 @@ eay_cmp_asn1dn(n1, n2)
 	for(idx = 0; idx < X509_NAME_entry_count(a); idx++) {
 		X509_NAME_ENTRY *ea = X509_NAME_get_entry(a, idx);
 		X509_NAME_ENTRY *eb = X509_NAME_get_entry(b, idx);
+		ASN1_STRING *eda, *edb;
 		if (!eb) {	/* reached end of eb while still entries in ea, can not be equal... */
 			i = idx+1;
 			goto end;
 		}
-		if ((ea->value->length == 1 && ea->value->data[0] == '*') ||
-		(eb->value->length == 1 && eb->value->data[0] == '*')) {
-			if (OBJ_cmp(ea->object,eb->object)) {
+		eda = X509_NAME_ENTRY_get_data(ea);
+		edb = X509_NAME_ENTRY_get_data(eb);
+		if ((eda->length == 1 && eda->data[0] == '*') ||
+		(edb->length == 1 && edb->data[0] == '*')) {
+			ASN1_OBJECT *eoa, *eob;
+			eoa = X509_NAME_ENTRY_get_object(ea);
+			eob = X509_NAME_ENTRY_get_object(eb);
+			if (OBJ_cmp(eoa, eob)) {
 i = idx+1;
 goto end;
 			}
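Review bot: The new lines still reach into the ASN1_STRING fields with `eda->length` and `eda->data[0]` while the rest of this commit moves to accessor functions; `ASN1_STRING_length(eda) == 1 && ASN1_STRING_get0_data(eda)[0] == '*'` (and likewise for `edb`) keeps eay_cmp_asn1dn independent of the struct layout. The loop's remaining body and the `end:` label are outside this hunk.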
@@ -426,19 +432,17 @@ cb_check_cert_local(ok, ctx)
 	X509_STORE_CTX *ctx;
 {
 	char buf[256];
-	int log_tag;
+	int log_tag, error;
 
 	if (!ok) {
-		X509_NAME_oneline(
-X509_get_subject_name(ctx->current_cert),
-buf,
-256);
+		X509_NAME_oneline(X509_get_subject_name(
+		X509_STORE_CTX_get_current_cert(ctx)), buf, 256);
 		/*
 		 * since we are just checking the certificates, it is
 		 * ok if they are self signed. But we should still warn
 		 * the user.
  		 */
-		switch (ctx->error) {
+		switch (error = X509_STORE_CTX_get_error(ctx)) {
 		case X509_V_ERR_CERT_HAS_EXPIRED:
 		case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
 		case X509_V_ERR_INVALID_CA:
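Review bot: X509_STORE_CTX_get_current_cert() is documented to return NULL when no certificate is relevant to the error, and the new line passes its result straight into X509_get_subject_name(), so a verification failure without a current certificate would dereference NULL inside the callback; the cb_check_cert_remote hunk below has the same pattern. Fetch the certificate first and only format it when present: `X509 *cur = X509_STORE_CTX_get_current_cert(ctx);` then `if (cur != NULL) X509_NAME_oneline(X509_get_subject_name(cur), buf, sizeof(buf)); else strlcpy(buf, "(none)", sizeof(buf));`. Using `sizeof(buf)` also drops the duplicated `256`. The switch and the plog call continue in the next hunk.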
@@ -453,9 +457,8 @@ cb_check_cert_local(ok, ctx)
 		}
 		plog(log_tag, LOCATION, NULL,
 			"%s(%d) at depth:%d SubjectName:%s\n",
-			X509_verify_cert_error_string(ctx->error),
-			ctx->error,
-			ctx->error_depth,
+			X509_verify_cert_error_string(error), error,
+			X509_STORE_CTX_get_error_depth(ctx),
 			buf);
 	}
 	ERR_clear_error();
@@ -473,14 +476,12 @@ cb_check_cert_remote(ok, ctx)
 	X509_STORE_CTX *ctx;
 {
 	char buf[256];
-	int log_tag;
+	int log_tag, error;
 
 	if (!ok) {
-		X509_NAME_oneline(
-X509_get_subject_name(ctx->current_cert),
-buf,
-256);
-		switch (ctx->error) {
+		X509_NAME_oneline(X509_get_subject_name(
+		X509_STORE_CTX_get_current_cert(ctx)), buf, 256);
+		switch (error = X509_STORE_CTX_get_error(ctx)) {
 		case X509_V_ERR_UNABLE_TO_GET_CRL:
 			ok = 1;
 			log_tag = LLV_WARNING;
@@ -490,9 +491,9 @@ cb_check_cert_remote(ok, ctx)
 		}
 		plog(log_tag, LOCATION, NULL,
 			"%s(%d) at depth:%d SubjectName:%s\n",
-			X509_verify_cert_error_string(ctx->error),
-			ctx->error,
-			ctx->error_depth,
+			X509_verify_cert_error_string(error),
+			error,
+			X509_STORE_CTX_get_error_depth(ctx),
 			buf);
 	}
 	ERR_clear_error();
@@ -508,6 +509,7 @@ eay_get_x509asn1subjectname(cert)
 	vchar_t *cert;
 {
 	X509 *x509 = NULL;
+	X509_NAME *xname;
 	u_char *bp;
 	vchar_t *name = NULL;
 	int len;
@@ -517,13 +519,14 @@ eay_get_x509asn1subjectname(cert)
 		goto error;
 
 	/* get the length of the name */
-	len = i2d_X509_NAME(x509->cert_info->subject, NULL);

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2017-11-09 Thread Kengo NAKAHARA
Module Name:src
Committed By:   knakahara
Date:   Thu Nov  9 08:34:50 UTC 2017

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: pfkey.c

Log Message:
fix typo. (does not affect actual operation, but confuses reader...)

The function is called when racoon receives SADB_X_MIGRATE pfkey message,
however the message is not used now. It was compatible code for KAME.


To generate a diff of this commit:
cvs rdiff -u -r1.59 -r1.60 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/pfkey.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.59 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.60
--- src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.59	Thu Nov 29 15:31:25 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/pfkey.c	Thu Nov  9 08:34:50 2017
@@ -1,6 +1,6 @@
-/*	$NetBSD: pfkey.c,v 1.59 2012/11/29 15:31:25 vanhu Exp $	*/
+/*	$NetBSD: pfkey.c,v 1.60 2017/11/09 08:34:50 knakahara Exp $	*/
 
-/* $Id: pfkey.c,v 1.59 2012/11/29 15:31:25 vanhu Exp $ */
+/* $Id: pfkey.c,v 1.60 2017/11/09 08:34:50 knakahara Exp $ */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -3177,8 +3177,8 @@ migrate_ph2_one_isr(spid, isr_cur, xisr_
 
 	/* Then, verify reqid if necessary */
 	if (isr_cur->saidx.reqid &&
-	(xisr_old->sadb_x_ipsecrequest_reqid != IPSEC_LEVEL_UNIQUE ||
-	 xisr_new->sadb_x_ipsecrequest_reqid != IPSEC_LEVEL_UNIQUE ||
+	(xisr_old->sadb_x_ipsecrequest_level != IPSEC_LEVEL_UNIQUE ||
+	 xisr_new->sadb_x_ipsecrequest_level != IPSEC_LEVEL_UNIQUE ||
 	 isr_cur->saidx.reqid != xisr_old->sadb_x_ipsecrequest_reqid ||
 	 isr_cur->saidx.reqid != xisr_new->sadb_x_ipsecrequest_reqid))
 		return -1;



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2017-11-09 Thread Kengo NAKAHARA
Module Name:src
Committed By:   knakahara
Date:   Thu Nov  9 08:34:50 UTC 2017

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: pfkey.c

Log Message:
fix typo. (does not affect actual operation, but confuses reader...)

The function is called when racoon receives SADB_X_MIGRATE pfkey message,
however the message is not used now. It was compatible code for KAME.


To generate a diff of this commit:
cvs rdiff -u -r1.59 -r1.60 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2017-07-22 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sun Jul 23 05:40:28 UTC 2017

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_frag.c

Log Message:
PR/51682: Antoine Beaupré: Simplify and comment previous patch.
XXX: pullup-8


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.6 src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.7
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.6	Tue Jan 24 14:23:31 2017
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c	Sun Jul 23 01:40:27 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_frag.c,v 1.6 2017/01/24 19:23:31 christos Exp $	*/
+/*	$NetBSD: isakmp_frag.c,v 1.7 2017/07/23 05:40:27 christos Exp $	*/
 
 /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
 
@@ -179,20 +179,26 @@ isakmp_frag_insert(struct ph1handle *iph
 	struct isakmp_frag_item *pitem = NULL;
 	struct isakmp_frag_item *citem = iph1->frag_chain;
 
+	/* no frag yet, just insert at beginning of list */
 	if (iph1->frag_chain == NULL) {
 		iph1->frag_chain = item;
 		return 0;
 	}
 
 	do {
+		/* duplicate fragment number, abort (CVE-2016-10396) */
 		if (citem->frag_num == item->frag_num)
 			return -1;
 
+		/* need to insert before current item */
 		if (citem->frag_num > item->frag_num) {
-			if (pitem)
+			if (pitem != NULL)
 pitem->frag_next = item;
+			else
+/* insert at the beginning of the list  */
+iph1->frag_chain = item;
 			item->frag_next = citem;
-			break;
+			return 0;
 		}
 
 		pitem = citem;
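Review bot: isakmp_frag_insert's return contract is still undocumented, and the reader has to find the caller to learn what -1 means for ownership of `item`; a short header comment above the definition would help, e.g. `/* Insert item into iph1->frag_chain, keeping it sorted by frag_num. Returns 0 on success, -1 if a fragment with that number is already present; on -1 the caller keeps ownership of item. */`. The function's tail is in the next hunk.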
@@ -200,8 +206,7 @@ isakmp_frag_insert(struct ph1handle *iph
 	} while (citem != NULL);
 
 	/* we reached the end of the list, insert */
-	if (citem == NULL)
-	  pitem->frag_next = item;
+	pitem->frag_next = item;
 	return 0;
 }
 



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2017-07-22 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sun Jul 23 05:40:28 UTC 2017

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_frag.c

Log Message:
PR/51682: Antoine Beaupré: Simplify and comment previous patch.
XXX: pullup-8


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2017-06-11 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sun Jun 11 22:12:56 UTC 2017

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: crypto_openssl.c

Log Message:
PR/52292: Shinichi Doyashiki: Fix reversed comments.


To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.26 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.25 src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.26
--- src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.25	Thu Feb 27 03:37:58 2014
+++ src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c	Sun Jun 11 18:12:56 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.c,v 1.25 2014/02/27 08:37:58 tteras Exp $	*/
+/*	$NetBSD: crypto_openssl.c,v 1.26 2017/06/11 22:12:56 christos Exp $	*/
 
 /* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
 
@@ -1268,7 +1268,7 @@ eay_idea_encrypt(data, key, iv)
 	if ((res = vmalloc(data->l)) == NULL)
 		return NULL;
 
-	/* decryption data */
+	/* encrypt data */
 	idea_cbc_encrypt((unsigned char *)data->v, (unsigned char *)res->v, data->l,
 			, (unsigned char *)iv->v, IDEA_ENCRYPT);
 
@@ -1366,7 +1366,7 @@ eay_rc5_encrypt(data, key, iv)
 	if ((res = vmalloc(data->l)) == NULL)
 		return NULL;
 
-	/* decryption data */
+	/* encrypt data */
 	RC5_32_cbc_encrypt((unsigned char *)data->v, (unsigned char *)res->v, data->l,
 		, (unsigned char *)iv->v, RC5_ENCRYPT);
 



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2017-06-11 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sun Jun 11 22:12:56 UTC 2017

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: crypto_openssl.c

Log Message:
PR/52292: Shinichi Doyashiki: Fix reversed comments.


To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.26 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2017-04-12 Thread Roy Marples
Module Name:src
Committed By:   roy
Date:   Wed Apr 12 16:47:40 UTC 2017

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c

Log Message:
Use RO_MSGFILTER.


To generate a diff of this commit:
cvs rdiff -u -r1.34 -r1.35 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2017-04-12 Thread Roy Marples
Module Name:src
Committed By:   roy
Date:   Wed Apr 12 16:47:40 UTC 2017

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c

Log Message:
Use RO_MSGFILTER.


To generate a diff of this commit:
cvs rdiff -u -r1.34 -r1.35 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.34 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.35
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.34	Sat Jun 14 22:39:36 2014
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Wed Apr 12 16:47:39 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.34 2014/06/14 22:39:36 christos Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.35 2017/04/12 16:47:39 roy Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras .
@@ -827,6 +827,9 @@ static int
 kernel_open_socket()
 {
 	int fd;
+#ifdef RO_MSGFILTER
+	unsigned char msgfilter[] = { RTM_NEWADDR, RTM_DELADDR };
+#endif
 
 	fd = socket(PF_ROUTE, SOCK_RAW, 0);
 	if (fd < 0) {
@@ -835,6 +838,13 @@ kernel_open_socket()
 			strerror(errno));
 		return -1;
 	}
+#ifdef RO_MSGFILTER
+	if (setsockopt(fd, PF_ROUTE, RO_MSGFILTER,
+	, sizeof(msgfilter)) < 0)
+		plog(LLV_WARNING, LOCATION, NULL,
+		 "setsockopt(RO_MSGFILER) failed: %s",
+		 strerror(errno));
+#endif
 	close_on_exec(fd);
 	if (fcntl(fd, F_SETFL, O_NONBLOCK) == -1)
 		plog(LLV_WARNING, LOCATION, NULL,
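Review bot: The warning string on the new plog line misspells the option as `RO_MSGFILER`; it should be `"setsockopt(RO_MSGFILTER) failed: %s\n"`. The trailing newline is also missing, whereas the other plog formats visible elsewhere on this page end with `\n`, so the message would presumably run into the next log line. Treating the failure as non-fatal is right, since the socket still works without the filter. kernel_open_socket's remaining body is outside this hunk.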



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2017-01-24 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Tue Jan 24 19:23:56 UTC 2017

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: handler.h isakmp.c isakmp_inf.c

Log Message:
PR/51682: Avoid DoS with fragment out of order insertion; keep fragments
sorted in the list.


To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.26 src/crypto/dist/ipsec-tools/src/racoon/handler.h
cvs rdiff -u -r1.75 -r1.76 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.50 -r1.51 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/handler.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.h:1.25 src/crypto/dist/ipsec-tools/src/racoon/handler.h:1.26
--- src/crypto/dist/ipsec-tools/src/racoon/handler.h:1.25	Wed Nov 17 05:40:41 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.h	Tue Jan 24 14:23:56 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.h,v 1.25 2010/11/17 10:40:41 tteras Exp $	*/
+/*	$NetBSD: handler.h,v 1.26 2017/01/24 19:23:56 christos Exp $	*/
 
 /* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
 
@@ -141,6 +141,7 @@ struct ph1handle {
 #endif
 #ifdef ENABLE_FRAG
 	int frag;			/* IKE phase 1 fragmentation */
+	int frag_last_index;
 	struct isakmp_frag_item *frag_chain;	/* Received fragments */
 #endif
 
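Review bot: The new `frag_last_index` member is the only one in this block without a trailing comment, and its meaning is not obvious from the name: the isakmp_frag.c change that uses it stores `item->frag_num` there and treats 0 as "not yet seen". Suggest `int frag_last_index;	/* frag_num of the last fragment, 0 until seen */`. The isakmp.c and isakmp_inf.c hunks only zero it alongside `frag_chain`.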

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.75 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.76
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.75	Wed Mar  9 17:27:17 2016
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Tue Jan 24 14:23:56 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.c,v 1.75 2016/03/09 22:27:17 christos Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.76 2017/01/24 19:23:56 christos Exp $	*/
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
@@ -1077,6 +1077,7 @@ isakmp_ph1begin_i(rmconf, remote, local)
 		iph1->frag = 1;
 	else
 		iph1->frag = 0;
+	iph1->frag_last_index = 0;
 	iph1->frag_chain = NULL;
 #endif
 	iph1->approval = NULL;
@@ -1181,6 +1182,7 @@ isakmp_ph1begin_r(msg, remote, local, et
 #endif
 #ifdef ENABLE_FRAG
 	iph1->frag = 0;
+	iph1->frag_last_index = 0;
 	iph1->frag_chain = NULL;
 #endif
 	iph1->approval = NULL;

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.50 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.51
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.50	Fri Apr 12 05:53:10 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Tue Jan 24 14:23:56 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.c,v 1.50 2013/04/12 09:53:10 tteras Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.51 2017/01/24 19:23:56 christos Exp $	*/
 
 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
 
@@ -720,6 +720,7 @@ isakmp_info_send_nx(isakmp, remote, loca
 #endif
 #ifdef ENABLE_FRAG
 	iph1->frag = 0;
+	iph1->frag_last_index = 0;
 	iph1->frag_chain = NULL;
 #endif
 



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2017-01-24 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Tue Jan 24 19:23:56 UTC 2017

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: handler.h isakmp.c isakmp_inf.c

Log Message:
PR/51682: Avoid DoS with fragment out of order insertion; keep fragments
sorted in the list.


To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.26 src/crypto/dist/ipsec-tools/src/racoon/handler.h
cvs rdiff -u -r1.75 -r1.76 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.50 -r1.51 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2017-01-24 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Tue Jan 24 19:23:31 UTC 2017

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_frag.c

Log Message:
PR/51682: Avoid DoS with fragment out of order insertion; keep fragments
sorted in the list.


To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.5 src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.6
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.5	Wed Apr 22 07:24:20 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c	Tue Jan 24 14:23:31 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_frag.c,v 1.5 2009/04/22 11:24:20 tteras Exp $	*/
+/*	$NetBSD: isakmp_frag.c,v 1.6 2017/01/24 19:23:31 christos Exp $	*/
 
 /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
 
@@ -173,6 +173,38 @@ vendorid_frag_cap(gen)
 	return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]);
 }
 
+static int 
+isakmp_frag_insert(struct ph1handle *iph1, struct isakmp_frag_item *item)
+{
+	struct isakmp_frag_item *pitem = NULL;
+	struct isakmp_frag_item *citem = iph1->frag_chain;
+
+	if (iph1->frag_chain == NULL) {
+		iph1->frag_chain = item;
+		return 0;
+	}
+
+	do {
+		if (citem->frag_num == item->frag_num)
+			return -1;
+
+		if (citem->frag_num > item->frag_num) {
+			if (pitem)
+pitem->frag_next = item;
+			item->frag_next = citem;
+			break;
+		}
+
+		pitem = citem;
+		citem = citem->frag_next;
+	} while (citem != NULL);
+
+	/* we reached the end of the list, insert */
+	if (citem == NULL)
+	  pitem->frag_next = item;
+	return 0;
+}
+
 int 
 isakmp_frag_extract(iph1, msg)
 	struct ph1handle *iph1;
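Review bot: When the new fragment sorts before the current head (`pitem == NULL` on the first iteration), isakmp_frag_insert sets `item->frag_next = citem` but never updates `iph1->frag_chain`, so the fragment is dropped from the chain (and leaked, since the caller treats 0 as ownership transferred) and the list can never become complete. The `if (pitem)` needs an else branch: `else iph1->frag_chain = item;`. With that in place the `if (citem == NULL)` guard after the loop is redundant, since the loop only falls through with citem NULL.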
@@ -224,39 +256,43 @@ isakmp_frag_extract(iph1, msg)
 	item->frag_next = NULL;
 	item->frag_packet = buf;
 
-	/* Look for the last frag while inserting the new item in the chain */
-	if (item->frag_last)
-		last_frag = item->frag_num;
+	/* Check for the last frag before inserting the new item in the chain */
+	if (item->frag_last) {
+		/* if we have the last fragment, indices must match */
+		if (iph1->frag_last_index != 0 &&
+		item->frag_last != iph1->frag_last_index) {
+			plog(LLV_ERROR, LOCATION, NULL,
+			 "Repeated last fragment index mismatch\n");
+			racoon_free(item);
+			vfree(buf);
+			return -1;
+		}
 
-	if (iph1->frag_chain == NULL) {
-		iph1->frag_chain = item;
-	} else {
-		struct isakmp_frag_item *current;
+		last_frag = iph1->frag_last_index = item->frag_num;
+	}
 
-		current = iph1->frag_chain;
-		while (current->frag_next) {
-			if (current->frag_last)
-last_frag = item->frag_num;
-			current = current->frag_next;
-		}
-		current->frag_next = item;
+	/* insert fragment into chain */
+	if (isakmp_frag_insert(iph1, item) == -1) {
+		plog(LLV_ERROR, LOCATION, NULL,
+		"Repeated fragment index mismatch\n");
+		racoon_free(item);
+		vfree(buf);
+		return -1;
 	}
 
-	/* If we saw the last frag, check if the chain is complete */
+	/* If we saw the last frag, check if the chain is complete
+	 * we have a sorted list now, so just walk through */
 	if (last_frag != 0) {
+		item = iph1->frag_chain;
 		for (i = 1; i <= last_frag; i++) {
-			item = iph1->frag_chain;
-			do {
-if (item->frag_num == i)
-	break;
-item = item->frag_next;
-			} while (item != NULL);
-
+			if (item->frag_num != i)
+break;
+			item = item->frag_next;
 			if (item == NULL) /* Not found */
 break;
 		}
 
-		if (item != NULL) /* It is complete */
+		if (i > last_frag) /* It is complete */
 			return 1;
 	}
 		
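Review bot: The completeness walk never reports a complete chain: when the fragment numbered `last_frag` matches, `item` advances to NULL and the `if (item == NULL) break;` fires before the loop increments `i`, so `i == last_frag` and the `i > last_frag` test is false. Checking NULL before the comparison, `if (item == NULL || item->frag_num != i) break;`, and dropping the separate NULL test lets `i` run past `last_frag` on success. Separately, the new mismatch check compares `item->frag_last` with `iph1->frag_last_index`, yet `frag_last_index` is assigned `item->frag_num` a few lines later, so if `frag_last` is the last-fragment flag (as its use in the enclosing `if` suggests) the intended comparison is `item->frag_num != iph1->frag_last_index`. isakmp_frag_extract begins and ends outside this hunk.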
@@ -291,15 +327,9 @@ isakmp_frag_reassembly(iph1)
 	}
 	data = buf->v;
 
+	item = iph1->frag_chain;
 	for (i = 1; i <= frag_count; i++) {
-		item = iph1->frag_chain;
-		do {
-			if (item->frag_num == i)
-break;
-			item = item->frag_next;
-		} while (item != NULL);
-
-		if (item == NULL) {
+		if (item->frag_num != i) {
 			plog(LLV_ERROR, LOCATION, NULL, 
 			"Missing fragment #%d\n", i);
 			vfree(buf);
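Review bot: The rewritten loop dereferences `item->frag_num` without checking `item` for NULL, so if reassembly is ever reached with fewer chain entries than `frag_count` it crashes before the "Missing fragment" path can report it; the old per-iteration search handled that case. `if (item == NULL || item->frag_num != i) {` keeps the existing error handling meaningful at no cost. The function's start and the `out:` cleanup are outside this hunk.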
@@ -308,6 +338,7 @@ isakmp_frag_reassembly(iph1)
 		}
 		memcpy(data, item->frag_packet->v, item->frag_packet->l);
 		data += item->frag_packet->l;
+		item = item->frag_next;
 	}
 
 out:



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2017-01-24 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Tue Jan 24 19:23:31 UTC 2017

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_frag.c

Log Message:
PR/51682: Avoid DoS with fragment out of order insertion; keep fragments
sorted in the list.


To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2016-03-19 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Mar 16 21:09:39 UTC 2016

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_ident.c

Log Message:
CID 1356385: Add fallthrough comment


To generate a diff of this commit:
cvs rdiff -u -r1.14 -r1.15 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c:1.14 src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c:1.15
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c:1.14	Wed Mar  9 17:27:17 2016
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c	Wed Mar 16 17:09:39 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_ident.c,v 1.14 2016/03/09 22:27:17 christos Exp $	*/
+/*	$NetBSD: isakmp_ident.c,v 1.15 2016/03/16 21:09:39 christos Exp $	*/
 
 /* Id: isakmp_ident.c,v 1.21 2006/04/06 16:46:08 manubsd Exp */
 
@@ -171,7 +171,7 @@ ident_i1send(iph1, msg)
 		else
 			plist = isakmp_plist_append(plist,
 			vid_xauth, ISAKMP_NPTYPE_VID);
-
+		/*FALLTHROUGH*/
 	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
 		if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
 			plog(LLV_ERROR, LOCATION, NULL,



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2016-03-19 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Mar 16 21:09:39 UTC 2016

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_ident.c

Log Message:
CID 1356385: Add fallthrough comment


To generate a diff of this commit:
cvs rdiff -u -r1.14 -r1.15 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2016-03-11 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Fri Mar 11 18:28:43 UTC 2016

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: privsep.c

Log Message:
PR/50943: David Binderman: Fix misplaced parenthesis.


To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 src/crypto/dist/ipsec-tools/src/racoon/privsep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/privsep.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.22 src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.23
--- src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.22	Fri Aug 12 01:21:50 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/privsep.c	Fri Mar 11 13:28:43 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: privsep.c,v 1.22 2011/08/12 05:21:50 tteras Exp $	*/
+/*	$NetBSD: privsep.c,v 1.23 2016/03/11 18:28:43 christos Exp $	*/
 
 /* Id: privsep.c,v 1.15 2005/08/08 11:23:44 vanhu Exp */
 
@@ -1261,7 +1261,7 @@ privsep_setsockopt(s, level, optname, op
 	struct sockopt_args sockopt_args;
 	int err, saved_errno = 0;
 
-	if ((err = setsockopt(s, level, optname, optval, optlen) == 0) || 
+	if ((err = setsockopt(s, level, optname, optval, optlen)) == 0 || 
 	(saved_errno = errno) != EACCES ||
 	geteuid() == 0) {
 		if (saved_errno)
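Review bot: With the parenthesis fixed, the condition still performs two assignments (`err =` and `saved_errno =`) inside one boolean chain, which is exactly the shape that let the misplaced parenthesis go unnoticed since 2011; hoisting the call, `err = setsockopt(s, level, optname, optval, optlen);` followed by `if (err == 0 || (saved_errno = errno) != EACCES || geteuid() == 0) {`, keeps the short-circuit order and makes the privilege-fallback test readable. Note that `err` now carries setsockopt's raw 0/-1 rather than the former 1/0 truth value, so whatever the rest of privsep_setsockopt (outside the hunk) returns or tests against `err` should be re-read with that in mind. There is also trailing whitespace after the `||` on the changed line.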



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2016-03-11 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Fri Mar 11 18:28:43 UTC 2016

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: privsep.c

Log Message:
PR/50943: David Binderman: Fix misplaced parenthesis.


To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 src/crypto/dist/ipsec-tools/src/racoon/privsep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2016-03-09 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Mar  9 22:27:17 UTC 2016

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp.c isakmp_cfg.c
isakmp_ident.c

Log Message:
From Frank Wille:
Request "IKE mode config" in "rsasig" (certificates on both sides only)
authentication mode, if "mode_cfg" is configured to "on".
Tested with a Lancom router, using the following configuration:

path include "/etc/racoon";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";

remote "wpsd"
{
remote_address 1.2.3.4;
exchange_mode main,base;

my_identifier asn1dn;
certificate_type x509 "vpnclient15.crt" "vpnclient15.key";
ca_type x509 "ca.crt";

mode_cfg on;
dpd_delay 20;
nat_traversal on;
lifetime time 8 hour;
script "phase1-up.sh" phase1_up;
script "phase1-down.sh" phase1_down;

proposal {
encryption_algorithm aes;
hash_algorithm md5;
authentication_method rsasig;
dh_group 2;
}
proposal_check obey;
}

sainfo anonymous
{
pfs_group 2;
lifetime time 8 hour;
encryption_algorithm aes;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}


To generate a diff of this commit:
cvs rdiff -u -r1.74 -r1.75 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.25 -r1.26 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
cvs rdiff -u -r1.13 -r1.14 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.74 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.75
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.74	Sun Jan  1 10:57:31 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Wed Mar  9 17:27:17 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.c,v 1.74 2012/01/01 15:57:31 tteras Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.75 2016/03/09 22:27:17 christos Exp $	*/
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
@@ -890,6 +890,10 @@ ph1_main(iph1, msg)
 /* XXX Don't process INITIAL_CONTACT */
 iph1->rmconf->ini_contact = 0;
 break;
+			case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
+if (iph1->rmconf->mode_cfg)
+	error = isakmp_cfg_getconfig(iph1);
+break;
 			default:
 break;
 			}
@@ -945,6 +949,10 @@ ph1_main(iph1, msg)
 break;
 			}
 		}
+		if ((iph1->rmconf->mode_cfg) &&
+		!(iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH)) {
+			error = isakmp_cfg_getconfig(iph1);
+		}
 	}
 
 	return 0;
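Review bot: The result of `isakmp_cfg_getconfig(iph1)` is stored in `error` but the function returns 0 unconditionally two lines later, so a failure to build or send the mode-config request is silently dropped; the new RSASIG case in the previous hunk assigns `error` the same way before its `break`, and nothing visible consumes it. If best-effort is intended, say so with a comment such as `/* mode-config request is best effort; failure is not fatal for phase 1 */`, otherwise propagate it with `if (error) return error;` or at least log it at LLV_ERROR. The new condition also dereferences `iph1->mode_cfg->flags`, which assumes the mode-config state is always allocated by this point — presumably true, but worth confirming since the `rmconf->mode_cfg` check alone does not guarantee it. ph1_main starts outside the hunk.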

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.25 src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.26
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.25	Fri Apr 12 06:03:45 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c	Wed Mar  9 17:27:17 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_cfg.c,v 1.25 2013/04/12 10:03:45 tteras Exp $	*/
+/*	$NetBSD: isakmp_cfg.c,v 1.26 2016/03/09 22:27:17 christos Exp $	*/
 
 /* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */
 
@@ -457,6 +457,7 @@ isakmp_cfg_reply(iph1, attrpl)
 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 
 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 
+		case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
 			script_hook(iph1, SCRIPT_PHASE1_UP);
 			break;
 		default:
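Review bot: Unlike the `_I`-suffixed XAUTH methods already listed, `OAKLEY_ATTR_AUTH_METHOD_RSASIG` carries no initiator/responder role, so the PHASE1_UP script now fires from this reply handler for any rsasig phase 1, including on a responder that receives a peer-originated mode-config REPLY it never asked for — assuming nothing above the hunk rejects unsolicited replies (isakmp_cfg_reply starts outside the hunk). The mirror label added to isakmp_cfg_request below has the same role-agnostic shape, so one SA could plausibly run the hook from both handlers. Consider gating the new label on the configured feature, `case OAKLEY_ATTR_AUTH_METHOD_RSASIG: if (!iph1->rmconf->mode_cfg) break;`, and adding a short comment stating from which side the hook is expected to run.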
@@ -639,6 +640,7 @@ isakmp_cfg_request(iph1, attrpl)
 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 
 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 
+		case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
 			script_hook(iph1, SCRIPT_PHASE1_UP);
 			break;
 		default:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c:1.13 src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c:1.14
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c:1.13	Fri Sep 18 06:31:11 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c	Wed Mar  9 17:27:17 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_ident.c,v 1.13 2009/09/18 10:31:11 tteras Exp $	*/
+/*	$NetBSD: isakmp_ident.c,v 1.14 2016/03/09 22:27:17 christos Exp $	*/
 
 /* Id: isakmp_ident.c,v 1.21 2006/04/06 16:46:08 manubsd Exp */
 
@@ -172,6 +172,7 @@ ident_i1send(iph1, msg)
 			plist = isakmp_plist_append(plist,
 			vid_xauth, ISAKMP_NPTYPE_VID);
 
+	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
 		if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
 			plog(LLV_ERROR, LOCATION, NULL,
 			 "Unity vendor ID generation failed\n");



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2016-03-09 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Mar  9 22:27:17 UTC 2016

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp.c isakmp_cfg.c
isakmp_ident.c

Log Message:
From Frank Wille:
Request "IKE mode config" in "rsasig" (certificates on both sides only)
authentication mode, if "mode_cfg" is configured to "on".
Tested with a Lancom router, using the following configuration:

path include "/etc/racoon";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";

remote "wpsd"
{
remote_address 1.2.3.4;
exchange_mode main,base;

my_identifier asn1dn;
certificate_type x509 "vpnclient15.crt" "vpnclient15.key";
ca_type x509 "ca.crt";

mode_cfg on;
dpd_delay 20;
nat_traversal on;
lifetime time 8 hour;
script "phase1-up.sh" phase1_up;
script "phase1-down.sh" phase1_down;

proposal {
encryption_algorithm aes;
hash_algorithm md5;
authentication_method rsasig;
dh_group 2;
}
proposal_check obey;
}

sainfo anonymous
{
pfs_group 2;
lifetime time 8 hour;
encryption_algorithm aes;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}


To generate a diff of this commit:
cvs rdiff -u -r1.74 -r1.75 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.25 -r1.26 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
cvs rdiff -u -r1.13 -r1.14 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2016-03-09 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Mar  9 15:58:25 UTC 2016

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_xauth.c

Log Message:
PR/50918: David Binderman: Fix memory leak


To generate a diff of this commit:
cvs rdiff -u -r1.27 -r1.28 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2016-03-09 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Mar  9 15:58:25 UTC 2016

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_xauth.c

Log Message:
PR/50918: David Binderman: Fix memory leak


To generate a diff of this commit:
cvs rdiff -u -r1.27 -r1.28 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.27 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.28
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.27	Tue Mar 18 14:20:35 2014
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Wed Mar  9 10:58:25 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.27 2014/03/18 18:20:35 riastradh Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.28 2016/03/09 15:58:25 christos Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -1803,7 +1803,7 @@ xauth_rmconf_dup(xauth_rmconf)
 		new = racoon_malloc(sizeof(*new));
 		if (new == NULL) {
 			plog(LLV_ERROR, LOCATION, NULL, 
-			"xauth_rmconf_dup: malloc failed\n");
+			"%s: malloc failed\n", __func__);
 			return NULL;
 		}
 
@@ -1813,16 +1813,16 @@ xauth_rmconf_dup(xauth_rmconf)
 			new->login = vdup(xauth_rmconf->login);
 			if (new->login == NULL) {
 plog(LLV_ERROR, LOCATION, NULL, 
-"xauth_rmconf_dup: malloc failed (login)\n");
-return NULL;
+"%s: malloc failed (login)\n", __func__);
+goto out;
 			}
 		}
 		if (xauth_rmconf->pass != NULL) {
 			new->pass = vdup(xauth_rmconf->pass);
 			if (new->pass == NULL) {
 plog(LLV_ERROR, LOCATION, NULL, 
-"xauth_rmconf_dup: malloc failed (password)\n");
-return NULL;
+"%s: malloc failed (password)\n", __func__);
+goto out;
 			}
 		}
 
@@ -1830,4 +1830,8 @@ xauth_rmconf_dup(xauth_rmconf)
 	}
 
 	return NULL;
+out:
+	vfree(new->login);
+	racoon_free(new);
+	return NULL;
 }
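Review bot: The `out:` cleanup frees `new->login`, but `new` comes from `racoon_malloc()` in the earlier hunk and the three lines between the two hunks are not visible; unless one of them initialises `new->login` (a memcpy from the source struct or an explicit NULL) before the first `goto out`, the path where the source has no `login` and `vdup(pass)` fails hands an indeterminate pointer to `vfree()`. Making the cleanup independent of that hidden line is cheap: `new = racoon_calloc(1, sizeof(*new));` or `new->login = new->pass = NULL;` right after the allocation check. The login-failure path also reaches `vfree(new->login)` with `new->login == NULL` (vdup just returned it), which is only fine if vfree tolerates NULL — a one-line comment at `out:` recording that assumption would save the next reader the lookup.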



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2016-02-17 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Feb 17 20:11:17 UTC 2016

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y

Log Message:
PR/50815: David Binderman: Remove dup test


To generate a diff of this commit:
cvs rdiff -u -r1.48 -r1.49 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2016-02-17 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Feb 17 20:11:17 UTC 2016

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y

Log Message:
PR/50815: David Binderman: Remove dup test


To generate a diff of this commit:
cvs rdiff -u -r1.48 -r1.49 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.48 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.49
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.48	Thu Nov 29 10:31:24 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Wed Feb 17 15:11:17 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.48 2012/11/29 15:31:24 vanhu Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.49 2016/02/17 20:11:17 christos Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -1490,10 +1490,15 @@ sainfo_id
 			char portbuf[10];
 			struct sockaddr *saddr;
 
-			if (($5 == IPPROTO_ICMP || $5 == IPPROTO_ICMPV6)
-			 && ($4 != IPSEC_PORT_ANY || $4 != IPSEC_PORT_ANY)) {
-yyerror("port number must be \"any\".");
+			switch ($5) {
+			case IPPROTO_ICMP:
+			case IPPROTO_ICMPV6:
+if ($4 == IPSEC_PORT_ANY)
+	break;
+yyerror("port must be \"any\" for icmp{,6}.");
 return -1;
+			default:
+break;
 			}
 
 			snprintf(portbuf, sizeof(portbuf), "%lu", $4);



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2015-05-19 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Tue May 19 15:14:26 UTC 2015

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: gssapi.c

Log Message:
Protect against a NULL pointer dereference described in:

https://www.altsci.com/ipsec/

XXX: pullup-7


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/crypto/dist/ipsec-tools/src/racoon/gssapi.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/gssapi.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/gssapi.c:1.4 src/crypto/dist/ipsec-tools/src/racoon/gssapi.c:1.5
--- src/crypto/dist/ipsec-tools/src/racoon/gssapi.c:1.4	Sat Sep  9 12:22:09 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/gssapi.c	Tue May 19 11:14:25 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: gssapi.c,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
+/*	$NetBSD: gssapi.c,v 1.5 2015/05/19 15:14:25 christos Exp $	*/
 
 /*	$KAME: gssapi.c,v 1.19 2001/04/03 15:51:55 thorpej Exp $	*/
 
@@ -202,6 +202,10 @@ gssapi_init(struct ph1handle *iph1)
 
 	gssapi_set_state(iph1, gps);
 
+	if (iph1-rmconf == NULL) {
+		plog(LLV_ERROR, LOCATION, NULL, no remote config\n);
+		return -1;
+	}
 	if (iph1-rmconf-proposal-gssid != NULL) {
 		id_token.length = iph1-rmconf-proposal-gssid-l;
 		id_token.value = iph1-rmconf-proposal-gssid-v;



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2015-05-19 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Tue May 19 15:14:26 UTC 2015

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: gssapi.c

Log Message:
Protect against a NULL pointer dereference described in:

https://www.altsci.com/ipsec/

XXX: pullup-7


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/crypto/dist/ipsec-tools/src/racoon/gssapi.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2015-05-19 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Tue May 19 15:16:01 UTC 2015

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: gssapi.c

Log Message:
Detect error earlier to avoid memory leak.

XXX: pullup-7


To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/crypto/dist/ipsec-tools/src/racoon/gssapi.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/gssapi.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/gssapi.c:1.5 src/crypto/dist/ipsec-tools/src/racoon/gssapi.c:1.6
--- src/crypto/dist/ipsec-tools/src/racoon/gssapi.c:1.5	Tue May 19 11:14:25 2015
+++ src/crypto/dist/ipsec-tools/src/racoon/gssapi.c	Tue May 19 11:16:00 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: gssapi.c,v 1.5 2015/05/19 15:14:25 christos Exp $	*/
+/*	$NetBSD: gssapi.c,v 1.6 2015/05/19 15:16:00 christos Exp $	*/
 
 /*	$KAME: gssapi.c,v 1.19 2001/04/03 15:51:55 thorpej Exp $	*/
 
@@ -192,6 +192,11 @@ gssapi_init(struct ph1handle *iph1)
 	gss_name_t princ, canon_princ;
 	OM_uint32 maj_stat, min_stat;
 
+	if (iph1-rmconf == NULL) {
+		plog(LLV_ERROR, LOCATION, NULL, no remote config\n);
+		return -1;
+	}
+
 	gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state));
 	if (gps == NULL) {
 		plog(LLV_ERROR, LOCATION, NULL, racoon_calloc failed\n);
@@ -202,10 +207,6 @@ gssapi_init(struct ph1handle *iph1)
 
 	gssapi_set_state(iph1, gps);
 
-	if (iph1-rmconf == NULL) {
-		plog(LLV_ERROR, LOCATION, NULL, no remote config\n);
-		return -1;
-	}
 	if (iph1-rmconf-proposal-gssid != NULL) {
 		id_token.length = iph1-rmconf-proposal-gssid-l;
 		id_token.value = iph1-rmconf-proposal-gssid-v;



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2015-05-19 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Tue May 19 15:16:01 UTC 2015

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: gssapi.c

Log Message:
Detect error earlier to avoid memory leak.

XXX: pullup-7


To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/crypto/dist/ipsec-tools/src/racoon/gssapi.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2014-06-14 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sat Jun 14 22:39:36 UTC 2014

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c

Log Message:
don't warn for 80211 messages


To generate a diff of this commit:
cvs rdiff -u -r1.33 -r1.34 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.33 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.34
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.33	Tue Mar 18 14:20:35 2014
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Sat Jun 14 18:39:36 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.33 2014/03/18 18:20:35 riastradh Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.34 2014/06/14 22:39:36 christos Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras timo.te...@iki.fi.
@@ -783,6 +783,9 @@ kernel_handle_message(msg)
 #ifdef RTM_IFANNOUNCE
 	case RTM_IFANNOUNCE:
 #endif
+#ifdef RTM_IEEE80211
+	case RTM_IEEE80211:
+#endif
 		break;
 	default:
 		plog(LLV_WARNING, LOCATION, NULL,



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2014-06-14 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sat Jun 14 22:39:36 UTC 2014

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c

Log Message:
don't warn for 80211 messages


To generate a diff of this commit:
cvs rdiff -u -r1.33 -r1.34 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2014-02-27 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Thu Feb 27 08:37:59 UTC 2014

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: crypto_openssl.c

Log Message:
From Adam Majer ad...@zombino.com: Support IPv6 in X509 subjectAltName


To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.25 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.24 src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.25
--- src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.24	Mon Dec 24 14:50:04 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c	Thu Feb 27 08:37:58 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.c,v 1.24 2012/12/24 14:50:04 tteras Exp $	*/
+/*	$NetBSD: crypto_openssl.c,v 1.25 2014/02/27 08:37:58 tteras Exp $	*/
 
 /* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
 
@@ -601,26 +601,47 @@ eay_get_x509subjectaltname(cert, altname
 	/* read IP address */
 	else if (gen-type == GEN_IPADD)
 	{
-		unsigned char p[5], *ip;
-		ip = p;
-		
-		/* only support IPv4 */
-		if (gen-d.ip-length != 4)
-			goto end;
-		
-		/* convert Octet String to String
-		 * XXX ???
-		 */
-		/*i2d_ASN1_OCTET_STRING(gen-d.ip,ip);*/
-		ip = gen-d.ip-data;
+		switch (gen-d.iPAddress-length) {
+		case 4: /* IPv4 */
+			*altname = racoon_malloc(4*3 + 3 + 1); /* digits + decimals + null */
+			if (!*altname)
+goto end;
 
-		/* XXX Magic, enough for an IPv4 address
-		 */
-		*altname = racoon_malloc(20);
-		if (!*altname)
+			snprintf(*altname, 12+3+1, %u.%u.%u.%u,
+			 (unsigned)gen-d.iPAddress-data[0],
+			 (unsigned)gen-d.iPAddress-data[1],
+			 (unsigned)gen-d.iPAddress-data[2],
+			 (unsigned)gen-d.iPAddress-data[3]);
+			break;
+		case 16: { /* IPv6 */
+			int i;
+
+			*altname = racoon_malloc(16*2 + 7 + 1); /* digits + colons + null */
+			if (!*altname)
+goto end;
+
+			/* Make NULL terminated IPv6 address */
+			for (i=0; i16; ++i) {
+int pos = i*2 + i/2;
+
+if (i0  i%2==0)
+	(*altname)[pos-1] = ':';
+
+snprintf(*altname + pos, 3, %02x,
+ (unsigned)gen-d.iPAddress-data[i]);
+
+			}
+			plog(LLV_INFO, LOCATION, NULL,
+			 Remote X509 IPv6 addr: %s, *altname);
+			break;
+		}
+		default:
+			plog(LLV_ERROR, LOCATION, NULL,
+			 Unknown IP address length: %u octects.,
+			 gen-d.iPAddress-length);
 			goto end;
-		
-		sprintf(*altname, %u.%u.%u.%u, ip[0], ip[1], ip[2], ip[3]);
+		}
+
 		*type = gen-type;
 		error = 0;
 	}
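Review bot: In the `default:` branch `gen->d.iPAddress->length` is an `int` in OpenSSL's ASN1_STRING but is printed with `%u`, and the message misspells "octets"; `"Unknown IP address length: %d octets."` fixes both. The IPv6 formatter is tight but correct — each `snprintf` writes two hex digits plus a NUL that the next iteration overwrites, and the final write lands on bytes 37–39 of the 40-byte buffer (`16*2 + 7 + 1`) — though it emits the uncompressed form and logs at LLV_INFO while the IPv4 path logs nothing. If `inet_ntop()` is available to this file, `inet_ntop(len == 4 ? AF_INET : AF_INET6, gen->d.iPAddress->data, *altname, INET6_ADDRSTRLEN)` would replace both hand-rolled formatters, provided the consumer parses the string numerically (e.g. getaddrinfo with AI_NUMERICHOST) rather than comparing it textually against a configured ID. eay_get_x509subjectaltname starts and ends outside the hunk.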



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2014-02-27 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Thu Feb 27 08:37:59 UTC 2014

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: crypto_openssl.c

Log Message:
From Adam Majer ad...@zombino.com: Support IPv6 in X509 subjectAltName


To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.25 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-07-19 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Jul 19 10:54:52 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_xauth.c

Log Message:
From Rainer Weikusat rweiku...@mobileactivedefense.com: Export phase1
remote address as Radius Calling-Station-Id.


To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.26 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.25 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.26
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.25	Tue Feb  5 06:22:29 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Fri Jul 19 10:54:52 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.25 2013/02/05 06:22:29 tteras Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.26 2013/07/19 10:54:52 tteras Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -592,6 +592,10 @@ xauth_login_radius(iph1, usr, pwd)
 		return -1;
 	}
 
+	if (rad_put_string(radius_auth_state, RAD_CALLING_STATION_ID,
+			   saddr2str(iph1-remote)) != 0)
+		return -1;
+
 	if (isakmp_cfg_radius_common(radius_auth_state, iph1-mode_cfg-port) != 0)
 		return -1;
 
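Review bot: racoon's `saddr2str()` normally renders the address together with the port as `addr[port]`, so — unless this file's helper differs — the Calling-Station-Id sent here will look like `192.0.2.1[500]`, or `[4500]` after NAT-T port float, rather than the bare address RADIUS policies usually match on, and the same client can appear under two identifiers. A port-less formatter (racoon has `saddrwop2str()`) or stripping the bracketed suffix before `rad_put_string()` gives a stable value. The address is still attacker-influenced network input, so the RADIUS side should treat it as informational, not as an authentication factor; a comment to that effect at the call site would help. xauth_login_radius starts outside the hunk.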



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-07-19 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Jul 19 10:54:52 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_xauth.c

Log Message:
From Rainer Weikusat rweiku...@mobileactivedefense.com: Export phase1
remote address as Radius Calling-Station-Id.


To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.26 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-07-18 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Thu Jul 18 17:02:58 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c

Log Message:
add RTM_LOSING, RTM_REDIRECT


To generate a diff of this commit:
cvs rdiff -u -r1.31 -r1.32 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.31 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.32
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.31	Fri Apr 12 05:53:10 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Thu Jul 18 13:02:58 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.31 2013/04/12 09:53:10 tteras Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.32 2013/07/18 17:02:58 christos Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras timo.te...@iki.fi.
@@ -766,6 +766,12 @@ kernel_handle_message(msg)
 	case RTM_CHANGE:
 	case RTM_GET:
 	case RTM_MISS:
+#ifdef RTM_LOSING
+	case RTM_LOSING:
+#endif
+#ifdef RTM_REDIRECT
+	case RTM_REDIRECT:
+#endif
 	case RTM_IFINFO:
 #ifdef RTM_OIFINFO
 	case RTM_OIFINFO:



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-07-12 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Jul 12 13:11:50 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: main.c

Log Message:
From Sven Vermeulen sven.vermeu...@siphos.be: Moves ploginit() up,
allowing logging events from init_avc() to show up as well.


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 src/crypto/dist/ipsec-tools/src/racoon/main.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/main.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/main.c:1.12 src/crypto/dist/ipsec-tools/src/racoon/main.c:1.13
--- src/crypto/dist/ipsec-tools/src/racoon/main.c:1.12	Mon Jan 26 18:13:06 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/main.c	Fri Jul 12 13:11:50 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: main.c,v 1.12 2009/01/26 18:13:06 tteras Exp $	*/
+/*	$NetBSD: main.c,v 1.13 2013/07/12 13:11:50 tteras Exp $	*/
 
 /* Id: main.c,v 1.25 2006/06/20 20:31:34 manubsd Exp */
 
@@ -290,6 +290,8 @@ main(ac, av)
 		/* NOTREACHED*/
 	}
 
+	ploginit();
+
 #ifdef DEBUG_RECORD_MALLOCATION
 	DRM_init();
 #endif
@@ -302,8 +304,6 @@ main(ac, av)
 	oakley_dhinit();
 	compute_vendorids();
 
-	ploginit();
-
 	plog(LLV_INFO, LOCATION, NULL, %s\n, version);
 	plog(LLV_INFO, LOCATION, NULL, @(#)
 	This product linked %s (http://www.openssl.org/)



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-07-12 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Jul 12 13:11:50 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: main.c

Log Message:
From Sven Vermeulen sven.vermeu...@siphos.be: Moves ploginit() up,
allowing logging events from init_avc() to show up as well.


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 src/crypto/dist/ipsec-tools/src/racoon/main.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-06-17 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Jun 18 05:39:50 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: ipsec_doi.c

Log Message:
From Paul Barker: Remove redundant memset after calloc that caused compile
failures with gcc 4.8 due to error: argument to 'sizeof' in 'memset' call
is the same expression as the destination; did you mean to dereference.


To generate a diff of this commit:
cvs rdiff -u -r1.48 -r1.49 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.48 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.49
--- src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.48	Thu Nov 29 15:31:25 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c	Tue Jun 18 05:39:50 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_doi.c,v 1.48 2012/11/29 15:31:25 vanhu Exp $	*/
+/*	$NetBSD: ipsec_doi.c,v 1.49 2013/06/18 05:39:50 tteras Exp $	*/
 
 /* Id: ipsec_doi.c,v 1.55 2006/08/17 09:20:41 vanhu Exp */
 
@@ -1183,7 +1183,6 @@ get_proppair_and_doi_sit(sa, mode, doity
 			failed to get buffer.\n);
 		goto bad;
 	}
-	memset(pair, 0, sizeof(pair));
 
 	bp = (caddr_t)(sab + 1);
 	tlen = sa-l - sizeof(*sab);



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-06-17 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Jun 18 05:39:50 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: ipsec_doi.c

Log Message:
From Paul Barker: Remove redundant memset after calloc that caused compile
failures with gcc 4.8 due to error: argument to 'sizeof' in 'memset' call
is the same expression as the destination; did you mean to dereference.


To generate a diff of this commit:
cvs rdiff -u -r1.48 -r1.49 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-06-02 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Mon Jun  3 05:49:32 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: admin.c

Log Message:
From Alexander Sbitnev alexander.sbit...@gmail.com: fix admin port
establish-sa for tunnel mode SAs.


To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.39 src/crypto/dist/ipsec-tools/src/racoon/admin.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/admin.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.38 src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.39
--- src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.38	Wed Dec  8 07:38:35 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/admin.c	Mon Jun  3 05:49:31 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: admin.c,v 1.38 2010/12/08 07:38:35 tteras Exp $	*/
+/*	$NetBSD: admin.c,v 1.39 2013/06/03 05:49:31 tteras Exp $	*/
 
 /* Id: admin.c,v 1.25 2006/04/06 14:31:04 manubsd Exp */
 
@@ -563,18 +563,30 @@ admin_process(so2, combuf)
 			iph2-seq = pk_getseq();
 			iph2-status = PHASE2ST_STATUS2;
 
-			/* set end addresses of SA */
-			iph2-sa_dst = dupsaddr(dst);
-			iph2-sa_src = dupsaddr(src);
-			iph2-dst = dupsaddr(dst);
-			iph2-src = dupsaddr(src);
-			if (iph2-sa_src == NULL || iph2-sa_dst == NULL ||
-			iph2-dst == NULL || iph2-src == NULL) {
-delph2(iph2);
-break;
-			}
-			set_port(iph2-dst, 0);
-			set_port(iph2-src, 0);
+if (sp_out-local  sp_out-remote) {
+/* hints available, let's use them */
+iph2-sa_dst = dupsaddr(dst);
+iph2-sa_src = dupsaddr(src);
+iph2-src = dupsaddr((struct sockaddr *)sp_out-local);
+iph2-dst = dupsaddr((struct sockaddr *)sp_out-remote);
+} else if (sp_out-req  sp_out-req-saidx.mode == IPSEC_MODE_TUNNEL) {
+/* Tunnel mode and no hint, use endpoints */
+iph2-src = dupsaddr((struct sockaddr *)sp_out-req-saidx.src);
+iph2-dst = dupsaddr((struct sockaddr *)sp_out-req-saidx.dst);
+} else {
+/* default, use selectors as fallback */
+iph2-sa_dst = dupsaddr(dst);
+iph2-sa_src = dupsaddr(src);
+iph2-dst = dupsaddr(dst);
+iph2-src = dupsaddr(src);
+}
+
+if (iph2-dst == NULL || iph2-src == NULL) {
+delph2(iph2);
+break;
+}
+set_port(iph2-dst, 0);
+set_port(iph2-src, 0);
 
 			if (isakmp_get_sainfo(iph2, sp_out, sp_in)  0) {
 delph2(iph2);
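Review bot: The NULL check after the new if/else chain covers only `iph2->dst` and `iph2->src`, whereas the removed check also covered `sa_dst` and `sa_src`; in the first and third branches a failed `dupsaddr()` for either `sa_*` now goes unnoticed and `isakmp_get_sainfo()` runs on a half-initialised handle. The tunnel branch deliberately leaves `sa_src`/`sa_dst` untouched, so the old check cannot simply be restored; a local `int need_sa = 1;` cleared in the tunnel branch and a check of `if (iph2->dst == NULL || iph2->src == NULL || (need_sa && (iph2->sa_dst == NULL || iph2->sa_src == NULL)))` preserves the intent. Whether the tunnel branch may leave `sa_*` unset depends on the handle being zeroed at allocation, which is outside the hunk and worth a comment on that branch. The new block is also indented with spaces while the surrounding code uses tabs; admin_process continues outside the hunk.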



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-06-02 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Mon Jun  3 05:49:32 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: admin.c

Log Message:
From Alexander Sbitnev alexander.sbit...@gmail.com: fix admin port
establish-sa for tunnel mode SAs.


To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.39 src/crypto/dist/ipsec-tools/src/racoon/admin.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-05-08 Thread Marc Balmer
Module Name:src
Committed By:   mbalmer
Date:   Wed May  8 20:03:02 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: racoon.8

Log Message:
racoon default config is in /etc/racoon/racoon.conf


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 src/crypto/dist/ipsec-tools/src/racoon/racoon.8

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/racoon.8
diff -u src/crypto/dist/ipsec-tools/src/racoon/racoon.8:1.12 src/crypto/dist/ipsec-tools/src/racoon/racoon.8:1.13
--- src/crypto/dist/ipsec-tools/src/racoon/racoon.8:1.12	Sat Jan 24 10:42:31 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/racoon.8	Wed May  8 20:03:02 2013
@@ -1,4 +1,4 @@
-.\	$NetBSD: racoon.8,v 1.12 2009/01/24 10:42:31 wiz Exp $
+.\	$NetBSD: racoon.8,v 1.13 2013/05/08 20:03:02 mbalmer Exp $
 .\
 .\ Id: racoon.8,v 1.4 2005/04/18 11:07:55 manubsd Exp
 .\
@@ -133,7 +133,7 @@ The command exits with 0 on success, and
 .\
 .Sh FILES
 .Bl -tag -width /etc/racoon.conf -compact
-.It Pa /etc/racoon.conf
+.It Pa /etc/racoon/racoon.conf
 default configuration file.
 .El
 .\



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-05-08 Thread Marc Balmer
Module Name:src
Committed By:   mbalmer
Date:   Wed May  8 20:03:02 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: racoon.8

Log Message:
racoon default config is in /etc/racoon/racoon.conf


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 src/crypto/dist/ipsec-tools/src/racoon/racoon.8

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-04-12 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Apr 12 09:53:11 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c isakmp_inf.c

Log Message:
Some logging improvements.


To generate a diff of this commit:
cvs rdiff -u -r1.30 -r1.31 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
cvs rdiff -u -r1.49 -r1.50 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.30 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.31
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.30	Tue Feb  5 11:36:17 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Fri Apr 12 09:53:10 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.30 2013/02/05 11:36:17 tteras Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.31 2013/04/12 09:53:10 tteras Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras timo.te...@iki.fi.
@@ -764,6 +764,7 @@ kernel_handle_message(msg)
 	case RTM_ADD:
 	case RTM_DELETE:
 	case RTM_CHANGE:
+	case RTM_GET:
 	case RTM_MISS:
 	case RTM_IFINFO:
 #ifdef RTM_OIFINFO
@@ -779,7 +780,7 @@ kernel_handle_message(msg)
 		break;
 	default:
 		plog(LLV_WARNING, LOCATION, NULL,
-		 unrecognized route message with rtm_type: %d,
+		 unrecognized route message with rtm_type: %d\n,
 		 rtm-rtm_type);
 		break;
 	}

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.49 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.50
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.49	Thu Jan 24 06:47:50 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Fri Apr 12 09:53:10 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.c,v 1.49 2013/01/24 06:47:50 tteras Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.50 2013/04/12 09:53:10 tteras Exp $	*/
 
 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
 
@@ -1116,6 +1116,7 @@ purge_ipsec_spi(dst0, proto, spi, n)
 	u_int64_t created;
 	size_t i;
 	caddr_t mhp[SADB_EXT_MAX + 1];
+	unsigned num_purged = 0;
 
 	plog(LLV_DEBUG2, LOCATION, NULL,
 		 purge_ipsec_spi:\n);
@@ -1172,6 +1173,7 @@ purge_ipsec_spi(dst0, proto, spi, n)
 
 		plog(LLV_DEBUG2, LOCATION, NULL, src: %s\n, saddr2str(src));
 		plog(LLV_DEBUG2, LOCATION, NULL, dst: %s\n, saddr2str(dst));
+		plog(LLV_DEBUG2, LOCATION, NULL, spi: %u\n, ntohl(sa-sadb_sa_spi));
 
 		/* XXX n^2 algorithm, inefficient */
 
@@ -1210,6 +1212,7 @@ purge_ipsec_spi(dst0, proto, spi, n)
 purged IPsec-SA proto_id=%s spi=%u.\n,
 s_ipsecdoi_proto(proto),
 ntohl(spi[i]));
+			num_purged++;
 		}
 
 		msg = next;
@@ -1217,6 +1220,8 @@ purge_ipsec_spi(dst0, proto, spi, n)
 
 	if (buf)
 		vfree(buf);
+
+	plog(LLV_DEBUG, LOCATION, NULL, purged %u SAs.\n, num_purged);
 }
 
 /*



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-04-12 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Apr 12 10:03:46 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_cfg.c

Log Message:
From Rainer Weikusat rweiku...@mobileactivedefense.com: Do not send out
illegal zero length MODE_CFG attributes.


To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.25 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.24 src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.25
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.24	Tue Sep 21 13:14:17 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c	Fri Apr 12 10:03:45 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_cfg.c,v 1.24 2010/09/21 13:14:17 vanhu Exp $	*/
+/*	$NetBSD: isakmp_cfg.c,v 1.25 2013/04/12 10:03:45 tteras Exp $	*/
 
 /* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */
 
@@ -1000,6 +1000,9 @@ isakmp_cfg_varlen(iph1, attr, string, le
 	struct isakmp_data *new;
 	char *data;
 
+	if (!len)
+		return NULL;
+
 	if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) {
 		plog(LLV_ERROR, LOCATION, NULL, Cannot allocate memory\n);
 		return NULL;
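Review bot: The new `if (!len) return NULL;` guard returns the same value as the vmalloc() failure path on the following lines, so a caller that treats NULL as an out-of-memory condition cannot tell an intentionally suppressed empty attribute from an allocation error. If callers are expected to interpret NULL as "skip this attribute", that contract belongs on the guard, e.g. `/* zero-length MODE_CFG attributes are illegal on the wire: suppress them; NULL here is not an allocation failure */`. isakmp_cfg_varlen's body starts outside the hunk, so whether its callers log an error on NULL cannot be confirmed from here.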



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-04-12 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Apr 12 09:53:11 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c isakmp_inf.c

Log Message:
Some logging improvements.


To generate a diff of this commit:
cvs rdiff -u -r1.30 -r1.31 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
cvs rdiff -u -r1.49 -r1.50 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-04-12 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Apr 12 10:03:46 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_cfg.c

Log Message:
From Rainer Weikusat rweiku...@mobileactivedefense.com: Do not send out
illegal zero length MODE_CFG attributes.


To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.25 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-02-05 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Feb  5 11:36:18 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c

Log Message:
Fix source port selection


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.30 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.29 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.30
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.29	Sun Jan  1 15:54:51 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Tue Feb  5 11:36:17 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.29 2012/01/01 15:54:51 tteras Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.30 2013/02/05 11:36:17 tteras Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras timo.te...@iki.fi.
@@ -274,13 +274,24 @@ myaddr_getsport(addr)
 	struct sockaddr *addr;
 {
 	struct myaddr *my;
+	int port = 0, wport;
 
 	LIST_FOREACH(my, opened, chain) {
-		if (cmpsaddr((struct sockaddr *) my-addr, addr) = CMPSADDR_WILDPORT_MATCH)
+		switch (cmpsaddr((struct sockaddr *) my-addr, addr)) {
+		case CMPSADDR_MATCH:
 			return extract_port((struct sockaddr *) my-addr);
+		case CMPSADDR_WILDPORT_MATCH:
+			wport = extract_port((struct sockaddr *) my-addr);
+			if (port == 0 || wport  port)
+port = wport;
+			break;
+		}
 	}
 
-	return -1;
+	if (port == 0)
+		port = PORT_ISAKMP;
+
+	return port;
 }
 
 void
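Review bot: The new `switch (cmpsaddr(...))` has no `default:` label, so any other result (a plain mismatch, or a comparison value added later) silently falls out of the switch; an explicit `default: break;` states that this is intentional and keeps the switch self-documenting. The function also now returns PORT_ISAKMP instead of -1 when nothing in `opened` matches, so any caller that tested for a negative return from myaddr_getsport() is presumably dead code after this change and is worth a look outside this hunk.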



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-02-05 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Feb  5 11:36:18 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c

Log Message:
Fix source port selection


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.30 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-02-04 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Feb  5 06:22:29 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_xauth.c

Log Message:
From Ian West i...@niw.com.au: Fix double free of the radius info on
config reload.


To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.25 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.24 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.25
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.24	Tue Nov 15 13:51:23 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Tue Feb  5 06:22:29 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.24 2011/11/15 13:51:23 tteras Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.25 2013/02/05 06:22:29 tteras Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -458,10 +458,14 @@ xauth_radius_init_conf(int free)
 			vfree(xauth_rad_config.acct_server_list[i].host);
 			vfree(xauth_rad_config.acct_server_list[i].secret);
 		}
-		if (radius_auth_state != NULL)
+		if (radius_auth_state != NULL) {
 			rad_close(radius_auth_state);
-		if (radius_acct_state != NULL)
+			radius_auth_state = NULL;
+		}
+		if (radius_acct_state != NULL) {
 			rad_close(radius_acct_state);
+			radius_acct_state = NULL;
+		}
 	}
 
 	/* initialize radius config */
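Review bot: Clearing radius_auth_state and radius_acct_state after rad_close() fixes the double close, but the vfree() calls on the acct_server_list host/secret entries just above the changed lines are not cleared the same way; unless the server count is reset before the function returns (the body of xauth_radius_init_conf starts outside the hunk, so that cannot be confirmed here), a later reload would vfree() those pointers a second time. Setting `xauth_rad_config.acct_server_list[i].host = NULL;` and the secret likewise after each vfree(), or zeroing the count, would close that gap, and the same applies to the auth_server_list loop if it mirrors this one.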


