CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools

2014-02-27 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Thu Feb 27 08:52:34 UTC 2014

Modified Files:
src/crypto/dist/ipsec-tools [ipsec-tools-0_8-branch]: NEWS configure.ac

Log Message:
ipsec-tools-0.8.2


To generate a diff of this commit:
cvs rdiff -u -r1.4.6.2 -r1.4.6.3 src/crypto/dist/ipsec-tools/NEWS
cvs rdiff -u -r1.10.6.4 -r1.10.6.5 src/crypto/dist/ipsec-tools/configure.ac

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/NEWS
diff -u src/crypto/dist/ipsec-tools/NEWS:1.4.6.2 src/crypto/dist/ipsec-tools/NEWS:1.4.6.3
--- src/crypto/dist/ipsec-tools/NEWS:1.4.6.2	Tue Jan  8 12:44:22 2013
+++ src/crypto/dist/ipsec-tools/NEWS	Thu Feb 27 08:52:34 2014
@@ -1,5 +1,11 @@
 Version history:
 
+0.8.2	- 27 February 2014
+	o Fix admin port establish-sa for tunnel mode SAs (Alexander Sbitnev)
+	o Fix source port selection regression from version 0.8.1
+	o Various logging improvements
+	o Additional compliance and build fixes
+
 0.8.1	- 08 January 2013
 	o Improved X.509 subject name comparation (Götz Babin-Ebell)
 	o Relax DPD cookie check for Cisco IOS compatibility (Roman Antink)

Index: src/crypto/dist/ipsec-tools/configure.ac
diff -u src/crypto/dist/ipsec-tools/configure.ac:1.10.6.4 src/crypto/dist/ipsec-tools/configure.ac:1.10.6.5
--- src/crypto/dist/ipsec-tools/configure.ac:1.10.6.4	Tue Jan  8 12:44:22 2013
+++ src/crypto/dist/ipsec-tools/configure.ac	Thu Feb 27 08:52:34 2014
@@ -2,7 +2,7 @@ dnl -*- mode: m4 -*-
 dnl Id: configure.ac,v 1.77 2006/07/20 19:19:27 manubsd Exp
 
 AC_PREREQ(2.52)
-AC_INIT(ipsec-tools, 0.8.1)
+AC_INIT(ipsec-tools, 0.8.2)
 AC_CONFIG_SRCDIR([configure.ac])
 AC_CONFIG_HEADERS(config.h)
 



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2014-02-27 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Thu Feb 27 08:37:59 UTC 2014

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: crypto_openssl.c

Log Message:
From Adam Majer: Support IPv6 in X509 subjectAltName


To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.25 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.24 src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.25
--- src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.24	Mon Dec 24 14:50:04 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c	Thu Feb 27 08:37:58 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.c,v 1.24 2012/12/24 14:50:04 tteras Exp $	*/
+/*	$NetBSD: crypto_openssl.c,v 1.25 2014/02/27 08:37:58 tteras Exp $	*/
 
 /* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
 
@@ -601,26 +601,47 @@ eay_get_x509subjectaltname(cert, altname
 	/* read IP address */
 	else if (gen->type == GEN_IPADD)
 	{
-		unsigned char p[5], *ip;
-		ip = p;
-		
-		/* only support IPv4 */
-		if (gen->d.ip->length != 4)
-			goto end;
-		
-		/* convert Octet String to String
-		 * XXX ???
-		 */
-		/*i2d_ASN1_OCTET_STRING(gen->d.ip,&ip);*/
-		ip = gen->d.ip->data;
+		switch (gen->d.iPAddress->length) {
+		case 4: /* IPv4 */
+			*altname = racoon_malloc(4*3 + 3 + 1); /* digits + decimals + null */
+			if (!*altname)
+goto end;
 
-		/* XXX Magic, enough for an IPv4 address
-		 */
-		*altname = racoon_malloc(20);
-		if (!*altname)
+			snprintf(*altname, 12+3+1, "%u.%u.%u.%u",
+			 (unsigned)gen->d.iPAddress->data[0],
+			 (unsigned)gen->d.iPAddress->data[1],
+			 (unsigned)gen->d.iPAddress->data[2],
+			 (unsigned)gen->d.iPAddress->data[3]);
+			break;
+		case 16: { /* IPv6 */
+			int i;
+
+			*altname = racoon_malloc(16*2 + 7 + 1); /* digits + colons + null */
+			if (!*altname)
+goto end;
+
+			/* Make NULL terminated IPv6 address */
+			for (i=0; i<16; ++i) {
+int pos = i*2 + i/2;
+
+if (i>0 && i%2==0)
+	(*altname)[pos-1] = ':';
+
+snprintf(*altname + pos, 3, "%02x",
+ (unsigned)gen->d.iPAddress->data[i]);
+
+			}
+			plog(LLV_INFO, LOCATION, NULL,
+			 "Remote X509 IPv6 addr: %s", *altname);
+			break;
+		}
+		default:
+			plog(LLV_ERROR, LOCATION, NULL,
+			 "Unknown IP address length: %u octects.",
+			 gen->d.iPAddress->length);
 			goto end;
-		
-		sprintf(*altname, "%u.%u.%u.%u", ip[0], ip[1], ip[2], ip[3]);
+		}
+
 		*type = gen->type;
 		error = 0;
 	}
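Review bot: The two plog() calls added in the IPv6 and default arms omit the trailing newline that plog format strings in this tree carry (the same omission is corrected for the rtm_type message in grabmyaddr.c later in this series), and the error text misspells "octets"; I would change them to `"Remote X509 IPv6 addr: %s\n"` and `"Unknown IP address length: %d octets.\n"`, using `%d` because the length field of an ASN1_STRING is an int. The IPv4 arm sizes the buffer as `4*3 + 3 + 1` but passes `12+3+1` to snprintf; one named constant used in both places would keep them from drifting apart. The IPv6 text is rendered as eight uncompressed lowercase groups with no `::` compression, so if the caller later compares `*altname` as a plain string against a peer identifier configured in the usual compressed form the match fails (closed, but surprising); a comment stating the canonical form, or normalising through inet_ntop(), would avoid that. Logging every IPv6 altname at LLV_INFO is also noisier than the IPv4 arm, which logs nothing on success. eay_get_x509subjectaltname begins and ends outside this hunk.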



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-07-19 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Jul 19 10:54:52 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_xauth.c

Log Message:
From Rainer Weikusat: Export phase1
remote address as Radius Calling-Station-Id.


To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.26 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.25 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.26
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.25	Tue Feb  5 06:22:29 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Fri Jul 19 10:54:52 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.25 2013/02/05 06:22:29 tteras Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.26 2013/07/19 10:54:52 tteras Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -592,6 +592,10 @@ xauth_login_radius(iph1, usr, pwd)
 		return -1;
 	}
 
+	if (rad_put_string(radius_auth_state, RAD_CALLING_STATION_ID,
+			   saddr2str(iph1->remote)) != 0)
+		return -1;
+
 	if (isakmp_cfg_radius_common(radius_auth_state, iph1->mode_cfg->port) != 0)
 		return -1;
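Review bot: The new rad_put_string() failure path returns -1 without logging anything, so a RADIUS library error while adding Calling-Station-Id surfaces only as an unexplained XAuth rejection; a plog(LLV_ERROR, ...) naming the attribute before the return would make it diagnosable. saddr2str() produces racoon's log rendering of an address, and if that includes the port in brackets as the daemon's other log lines do, the RADIUS server receives something like `addr[port]` rather than the bare peer address Calling-Station-Id normally carries, and the port part changes under NAT-T; confirm what the server side expects, or use the port-less formatter saddrwop2str() if that is the intent. A one-line comment such as `/* export the phase1 peer address so the RADIUS server can apply per-station policy */` would record why the attribute is sent. xauth_login_radius continues on both sides of the hunk.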
 



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2013-07-12 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Jul 12 13:12:24 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]: main.c

Log Message:
From Sven Vermeulen: Moves ploginit() up,
allowing logging events from init_avc() to show up as well.


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.12.6.1 src/crypto/dist/ipsec-tools/src/racoon/main.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/main.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/main.c:1.12 src/crypto/dist/ipsec-tools/src/racoon/main.c:1.12.6.1
--- src/crypto/dist/ipsec-tools/src/racoon/main.c:1.12	Mon Jan 26 18:13:06 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/main.c	Fri Jul 12 13:12:24 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: main.c,v 1.12 2009/01/26 18:13:06 tteras Exp $	*/
+/*	$NetBSD: main.c,v 1.12.6.1 2013/07/12 13:12:24 tteras Exp $	*/
 
 /* Id: main.c,v 1.25 2006/06/20 20:31:34 manubsd Exp */
 
@@ -290,6 +290,8 @@ main(ac, av)
 		/* NOTREACHED*/
 	}
 
+	ploginit();
+
 #ifdef DEBUG_RECORD_MALLOCATION
 	DRM_init();
 #endif
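Review bot: ploginit() now runs before the DEBUG_RECORD_MALLOCATION block calls DRM_init(), so any allocation ploginit() makes through the tracked allocator happens before malloc recording is initialised and will be missed or, depending on how DRM_init() treats pre-existing blocks, misreported. Whether ploginit() allocates at all cannot be confirmed from this hunk, so it is worth checking, and if it does, placing the call just after the `#endif` keeps the log-early intent without the ordering hazard. The trunk commit of main.c 1.13 below carries the identical reordering. main() begins and ends outside this hunk.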
@@ -302,8 +304,6 @@ main(ac, av)
 	oakley_dhinit();
 	compute_vendorids();
 
-	ploginit();
-
 	plog(LLV_INFO, LOCATION, NULL, "%s\n", version);
 	plog(LLV_INFO, LOCATION, NULL, "@(#)"
 	"This product linked %s (http://www.openssl.org/)"



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-07-12 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Jul 12 13:11:50 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: main.c

Log Message:
From Sven Vermeulen: Moves ploginit() up,
allowing logging events from init_avc() to show up as well.


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 src/crypto/dist/ipsec-tools/src/racoon/main.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/main.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/main.c:1.12 src/crypto/dist/ipsec-tools/src/racoon/main.c:1.13
--- src/crypto/dist/ipsec-tools/src/racoon/main.c:1.12	Mon Jan 26 18:13:06 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/main.c	Fri Jul 12 13:11:50 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: main.c,v 1.12 2009/01/26 18:13:06 tteras Exp $	*/
+/*	$NetBSD: main.c,v 1.13 2013/07/12 13:11:50 tteras Exp $	*/
 
 /* Id: main.c,v 1.25 2006/06/20 20:31:34 manubsd Exp */
 
@@ -290,6 +290,8 @@ main(ac, av)
 		/* NOTREACHED*/
 	}
 
+	ploginit();
+
 #ifdef DEBUG_RECORD_MALLOCATION
 	DRM_init();
 #endif
@@ -302,8 +304,6 @@ main(ac, av)
 	oakley_dhinit();
 	compute_vendorids();
 
-	ploginit();
-
 	plog(LLV_INFO, LOCATION, NULL, "%s\n", version);
 	plog(LLV_INFO, LOCATION, NULL, "@(#)"
 	"This product linked %s (http://www.openssl.org/)"



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2013-06-17 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Jun 18 05:40:36 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
ipsec_doi.c

Log Message:
From Paul Barker: Remove redundant memset after calloc that caused compile
failures with gcc 4.8 due to error: argument to 'sizeof' in 'memset' call
is the same expression as the destination; did you mean to dereference.


To generate a diff of this commit:
cvs rdiff -u -r1.46 -r1.46.4.1 \
src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.46 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.46.4.1
--- src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.46	Tue Dec 14 17:57:31 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c	Tue Jun 18 05:40:36 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_doi.c,v 1.46 2010/12/14 17:57:31 tteras Exp $	*/
+/*	$NetBSD: ipsec_doi.c,v 1.46.4.1 2013/06/18 05:40:36 tteras Exp $	*/
 
 /* Id: ipsec_doi.c,v 1.55 2006/08/17 09:20:41 vanhu Exp */
 
@@ -1183,7 +1183,6 @@ get_proppair_and_doi_sit(sa, mode, doity
 			"failed to get buffer.\n");
 		goto bad;
 	}
-	memset(pair, 0, sizeof(pair));
 
 	bp = (caddr_t)(sab + 1);
 	tlen = sa->l - sizeof(*sab);



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-06-17 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Jun 18 05:39:50 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: ipsec_doi.c

Log Message:
From Paul Barker: Remove redundant memset after calloc that caused compile
failures with gcc 4.8 due to error: argument to 'sizeof' in 'memset' call
is the same expression as the destination; did you mean to dereference.


To generate a diff of this commit:
cvs rdiff -u -r1.48 -r1.49 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.48 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.49
--- src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.48	Thu Nov 29 15:31:25 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c	Tue Jun 18 05:39:50 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_doi.c,v 1.48 2012/11/29 15:31:25 vanhu Exp $	*/
+/*	$NetBSD: ipsec_doi.c,v 1.49 2013/06/18 05:39:50 tteras Exp $	*/
 
 /* Id: ipsec_doi.c,v 1.55 2006/08/17 09:20:41 vanhu Exp */
 
@@ -1183,7 +1183,6 @@ get_proppair_and_doi_sit(sa, mode, doity
 			"failed to get buffer.\n");
 		goto bad;
 	}
-	memset(pair, 0, sizeof(pair));
 
 	bp = (caddr_t)(sab + 1);
 	tlen = sa->l - sizeof(*sab);



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-06-02 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Mon Jun  3 05:49:32 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: admin.c

Log Message:
From Alexander Sbitnev: fix admin port
establish-sa for tunnel mode SAs.


To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.39 src/crypto/dist/ipsec-tools/src/racoon/admin.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/admin.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.38 src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.39
--- src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.38	Wed Dec  8 07:38:35 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/admin.c	Mon Jun  3 05:49:31 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: admin.c,v 1.38 2010/12/08 07:38:35 tteras Exp $	*/
+/*	$NetBSD: admin.c,v 1.39 2013/06/03 05:49:31 tteras Exp $	*/
 
 /* Id: admin.c,v 1.25 2006/04/06 14:31:04 manubsd Exp */
 
@@ -563,18 +563,30 @@ admin_process(so2, combuf)
 			iph2->seq = pk_getseq();
 			iph2->status = PHASE2ST_STATUS2;
 
-			/* set end addresses of SA */
-			iph2->sa_dst = dupsaddr(dst);
-			iph2->sa_src = dupsaddr(src);
-			iph2->dst = dupsaddr(dst);
-			iph2->src = dupsaddr(src);
-			if (iph2->sa_src == NULL || iph2->sa_dst == NULL ||
-			iph2->dst == NULL || iph2->src == NULL) {
-delph2(iph2);
-break;
-			}
-			set_port(iph2->dst, 0);
-			set_port(iph2->src, 0);
+if (sp_out->local && sp_out->remote) {
+/* hints available, let's use them */
+iph2->sa_dst = dupsaddr(dst);
+iph2->sa_src = dupsaddr(src);
+iph2->src = dupsaddr((struct sockaddr *)sp_out->local);
+iph2->dst = dupsaddr((struct sockaddr *)sp_out->remote);
+} else if (sp_out->req && sp_out->req->saidx.mode == IPSEC_MODE_TUNNEL) {
+/* Tunnel mode and no hint, use endpoints */
+iph2->src = dupsaddr((struct sockaddr *)&sp_out->req->saidx.src);
+iph2->dst = dupsaddr((struct sockaddr *)&sp_out->req->saidx.dst);
+} else {
+/* default, use selectors as fallback */
+iph2->sa_dst = dupsaddr(dst);
+iph2->sa_src = dupsaddr(src);
+iph2->dst = dupsaddr(dst);
+iph2->src = dupsaddr(src);
+}
+
+if (iph2->dst == NULL || iph2->src == NULL) {
+delph2(iph2);
+break;
+}
+set_port(iph2->dst, 0);
+set_port(iph2->src, 0);
 
 			if (isakmp_get_sainfo(iph2, sp_out, sp_in) < 0) {
 delph2(iph2);
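Review bot: The NULL test after the new if/else chain checks only iph2->dst and iph2->src, whereas the removed code checked all four pointers; in the first and third branches iph2->sa_dst and iph2->sa_src are still produced by dupsaddr(), so a failed duplication there now goes unnoticed until something dereferences the NULL pointer. I would keep the check for those two branches, e.g. after their dupsaddr() calls add `if (iph2->sa_dst == NULL || iph2->sa_src == NULL) { delph2(iph2); break; }`, and leave the tunnel-mode branch, which deliberately sets neither, to the two-pointer test. Whether isakmp_get_sainfo() and the later phase 2 code tolerate NULL sa_src/sa_dst in the tunnel-mode case cannot be seen from here and should be confirmed, ideally with a comment on that branch saying so. The identical change appears in the 0_8-branch hunk of admin.c 1.38.4.1 below. admin_process continues on both sides of the hunk.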



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2013-06-02 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Mon Jun  3 05:49:59 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
admin.c

Log Message:
From Alexander Sbitnev: fix admin port
establish-sa for tunnel mode SAs.


To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.38.4.1 src/crypto/dist/ipsec-tools/src/racoon/admin.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/admin.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.38 src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.38.4.1
--- src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.38	Wed Dec  8 07:38:35 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/admin.c	Mon Jun  3 05:49:59 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: admin.c,v 1.38 2010/12/08 07:38:35 tteras Exp $	*/
+/*	$NetBSD: admin.c,v 1.38.4.1 2013/06/03 05:49:59 tteras Exp $	*/
 
 /* Id: admin.c,v 1.25 2006/04/06 14:31:04 manubsd Exp */
 
@@ -563,18 +563,30 @@ admin_process(so2, combuf)
 			iph2->seq = pk_getseq();
 			iph2->status = PHASE2ST_STATUS2;
 
-			/* set end addresses of SA */
-			iph2->sa_dst = dupsaddr(dst);
-			iph2->sa_src = dupsaddr(src);
-			iph2->dst = dupsaddr(dst);
-			iph2->src = dupsaddr(src);
-			if (iph2->sa_src == NULL || iph2->sa_dst == NULL ||
-			iph2->dst == NULL || iph2->src == NULL) {
-delph2(iph2);
-break;
-			}
-			set_port(iph2->dst, 0);
-			set_port(iph2->src, 0);
+if (sp_out->local && sp_out->remote) {
+/* hints available, let's use them */
+iph2->sa_dst = dupsaddr(dst);
+iph2->sa_src = dupsaddr(src);
+iph2->src = dupsaddr((struct sockaddr *)sp_out->local);
+iph2->dst = dupsaddr((struct sockaddr *)sp_out->remote);
+} else if (sp_out->req && sp_out->req->saidx.mode == IPSEC_MODE_TUNNEL) {
+/* Tunnel mode and no hint, use endpoints */
+iph2->src = dupsaddr((struct sockaddr *)&sp_out->req->saidx.src);
+iph2->dst = dupsaddr((struct sockaddr *)&sp_out->req->saidx.dst);
+} else {
+/* default, use selectors as fallback */
+iph2->sa_dst = dupsaddr(dst);
+iph2->sa_src = dupsaddr(src);
+iph2->dst = dupsaddr(dst);
+iph2->src = dupsaddr(src);
+}
+
+if (iph2->dst == NULL || iph2->src == NULL) {
+delph2(iph2);
+break;
+}
+set_port(iph2->dst, 0);
+set_port(iph2->src, 0);
 
 			if (isakmp_get_sainfo(iph2, sp_out, sp_in) < 0) {
 delph2(iph2);



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/include-glibc/net

2013-05-22 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Thu May 23 05:44:29 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/include-glibc/net 
[ipsec-tools-0_8-branch]:
pfkeyv2.h

Log Message:
From Rainer Weikusat: Fix
SADB_X_EALG_CASTCBC definition to use system definition (which
differs at least on Linux).


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.4.40.1 \
src/crypto/dist/ipsec-tools/src/include-glibc/net/pfkeyv2.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/include-glibc/net/pfkeyv2.h
diff -u src/crypto/dist/ipsec-tools/src/include-glibc/net/pfkeyv2.h:1.4 src/crypto/dist/ipsec-tools/src/include-glibc/net/pfkeyv2.h:1.4.40.1
--- src/crypto/dist/ipsec-tools/src/include-glibc/net/pfkeyv2.h:1.4	Sat Sep  9 16:22:08 2006
+++ src/crypto/dist/ipsec-tools/src/include-glibc/net/pfkeyv2.h	Thu May 23 05:44:28 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: pfkeyv2.h,v 1.4 2006/09/09 16:22:08 manu Exp $	*/
+/*	$NetBSD: pfkeyv2.h,v 1.4.40.1 2013/05/23 05:44:28 tteras Exp $	*/
 
 #ifndef __NET_PFKEYV2_H_
 #define __NET_PFKEYV2_H_ 1
@@ -18,7 +18,11 @@
 #define SADB_X_AALG_SHA  250
 
 /* private allocations - based on RFC2407/IANA assignment */
-#define SADB_X_EALG_CAST128CBC	5	/* SADB_X_EALG_CASTCBC? == 6 */
+#ifdef SADB_X_EALG_CASTCBC
+#define SADB_X_EALG_CAST128CBC		SADB_X_EALG_CASTCBC
+#else
+#define SADB_X_EALG_CAST128CBC		5
+#endif
 #define SADB_X_EALG_RIJNDAELCBC		SADB_X_EALG_AESCBC
 #define SADB_X_EALG_AES			SADB_X_EALG_AESCBC
 
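Review bot: The new `#ifdef SADB_X_EALG_CASTCBC` only picks up the system value if the platform pfkeyv2 header has already been included above this point, and nothing in the hunk shows that include; if this wrapper is included first, the fallback of 5 silently wins even on Linux, where the commit message says the system value differs, and an SA negotiated as CAST would be installed under the wrong algorithm identifier. A comment above the block, such as `/* the system <linux/pfkeyv2.h> must be included before this point for the override to take effect */`, would record the dependency, or a `#error` when the expected system header guard is absent would enforce it. The removed comment's hint that the system value is 6 was the only written record of the discrepancy; keeping it on the fallback line preserves that knowledge. The trunk commit of pfkeyv2.h 1.5 below carries the identical hunk.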



CVS commit: src/crypto/dist/ipsec-tools/src/include-glibc/net

2013-05-22 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Thu May 23 05:42:29 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/include-glibc/net: pfkeyv2.h

Log Message:
From Rainer Weikusat: Fix
SADB_X_EALG_CASTCBC definition to use system definition (which
differs at least on Linux).



To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 \
src/crypto/dist/ipsec-tools/src/include-glibc/net/pfkeyv2.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/include-glibc/net/pfkeyv2.h
diff -u src/crypto/dist/ipsec-tools/src/include-glibc/net/pfkeyv2.h:1.4 src/crypto/dist/ipsec-tools/src/include-glibc/net/pfkeyv2.h:1.5
--- src/crypto/dist/ipsec-tools/src/include-glibc/net/pfkeyv2.h:1.4	Sat Sep  9 16:22:08 2006
+++ src/crypto/dist/ipsec-tools/src/include-glibc/net/pfkeyv2.h	Thu May 23 05:42:29 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: pfkeyv2.h,v 1.4 2006/09/09 16:22:08 manu Exp $	*/
+/*	$NetBSD: pfkeyv2.h,v 1.5 2013/05/23 05:42:29 tteras Exp $	*/
 
 #ifndef __NET_PFKEYV2_H_
 #define __NET_PFKEYV2_H_ 1
@@ -18,7 +18,11 @@
 #define SADB_X_AALG_SHA  250
 
 /* private allocations - based on RFC2407/IANA assignment */
-#define SADB_X_EALG_CAST128CBC	5	/* SADB_X_EALG_CASTCBC? == 6 */
+#ifdef SADB_X_EALG_CASTCBC
+#define SADB_X_EALG_CAST128CBC		SADB_X_EALG_CASTCBC
+#else
+#define SADB_X_EALG_CAST128CBC		5
+#endif
 #define SADB_X_EALG_RIJNDAELCBC		SADB_X_EALG_AESCBC
 #define SADB_X_EALG_AES			SADB_X_EALG_AESCBC
 



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-04-12 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Apr 12 10:03:46 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_cfg.c

Log Message:
From Rainer Weikusat: Do not send out
illegal zero length MODE_CFG attributes.


To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.25 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.24 src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.25
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.24	Tue Sep 21 13:14:17 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c	Fri Apr 12 10:03:45 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_cfg.c,v 1.24 2010/09/21 13:14:17 vanhu Exp $	*/
+/*	$NetBSD: isakmp_cfg.c,v 1.25 2013/04/12 10:03:45 tteras Exp $	*/
 
 /* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */
 
@@ -1000,6 +1000,9 @@ isakmp_cfg_varlen(iph1, attr, string, le
 	struct isakmp_data *new;
 	char *data;
 
+	if (!len)
+		return NULL;
+
 	if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) {
 		plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
 		return NULL;
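Review bot: The early `return NULL` for len == 0 shares its return value with the allocation-failure path a few lines below, which logs "Cannot allocate memory"; a caller that treats NULL as an error will now treat an intentionally skipped empty attribute as a failure, and a caller that ignores NULL will silently drop it, and which of the two happens cannot be seen from this hunk. A short comment at the guard, `/* a zero-length MODE_CFG attribute is illegal on the wire; skip it instead of sending it */`, would make the intent explicit, and if callers need to tell the cases apart the function should signal them differently. isakmp_cfg_varlen begins above the hunk and continues below it. The same guard is added in the 0_8-branch commit of isakmp_cfg.c 1.24.4.1 below.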



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2013-04-12 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Apr 12 10:04:22 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
isakmp_cfg.c

Log Message:
From Rainer Weikusat: Do not send out
illegal zero length MODE_CFG attributes.


To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.24.4.1 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.24 src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.24.4.1
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.24	Tue Sep 21 13:14:17 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c	Fri Apr 12 10:04:21 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_cfg.c,v 1.24 2010/09/21 13:14:17 vanhu Exp $	*/
+/*	$NetBSD: isakmp_cfg.c,v 1.24.4.1 2013/04/12 10:04:21 tteras Exp $	*/
 
 /* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */
 
@@ -1000,6 +1000,9 @@ isakmp_cfg_varlen(iph1, attr, string, le
 	struct isakmp_data *new;
 	char *data;
 
+	if (!len)
+		return NULL;
+
 	if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) {
 		plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
 		return NULL;



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-04-12 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Apr 12 09:53:11 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c isakmp_inf.c

Log Message:
Some logging improvements.


To generate a diff of this commit:
cvs rdiff -u -r1.30 -r1.31 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
cvs rdiff -u -r1.49 -r1.50 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.30 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.31
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.30	Tue Feb  5 11:36:17 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Fri Apr 12 09:53:10 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.30 2013/02/05 11:36:17 tteras Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.31 2013/04/12 09:53:10 tteras Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras .
@@ -764,6 +764,7 @@ kernel_handle_message(msg)
 	case RTM_ADD:
 	case RTM_DELETE:
 	case RTM_CHANGE:
+	case RTM_GET:
 	case RTM_MISS:
 	case RTM_IFINFO:
 #ifdef RTM_OIFINFO
@@ -779,7 +780,7 @@ kernel_handle_message(msg)
 		break;
 	default:
 		plog(LLV_WARNING, LOCATION, NULL,
-		 "unrecognized route message with rtm_type: %d",
+		 "unrecognized route message with rtm_type: %d\n",
 		 rtm->rtm_type);
 		break;
 	}

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.49 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.50
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.49	Thu Jan 24 06:47:50 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Fri Apr 12 09:53:10 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.c,v 1.49 2013/01/24 06:47:50 tteras Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.50 2013/04/12 09:53:10 tteras Exp $	*/
 
 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
 
@@ -1116,6 +1116,7 @@ purge_ipsec_spi(dst0, proto, spi, n)
 	u_int64_t created;
 	size_t i;
 	caddr_t mhp[SADB_EXT_MAX + 1];
+	unsigned num_purged = 0;
 
 	plog(LLV_DEBUG2, LOCATION, NULL,
 		 "purge_ipsec_spi:\n");
@@ -1172,6 +1173,7 @@ purge_ipsec_spi(dst0, proto, spi, n)
 
 		plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(src));
 		plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(dst));
+		plog(LLV_DEBUG2, LOCATION, NULL, "spi: %u\n", ntohl(sa->sadb_sa_spi));
 
 		/* XXX n^2 algorithm, inefficient */
 
@@ -1210,6 +1212,7 @@ purge_ipsec_spi(dst0, proto, spi, n)
 "purged IPsec-SA proto_id=%s spi=%u.\n",
 s_ipsecdoi_proto(proto),
 ntohl(spi[i]));
+			num_purged++;
 		}
 
 		msg = next;
@@ -1217,6 +1220,8 @@ purge_ipsec_spi(dst0, proto, spi, n)
 
 	if (buf)
 		vfree(buf);
+
+	plog(LLV_DEBUG, LOCATION, NULL, "purged %u SAs.\n", num_purged);
 }
 
 /*



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2013-04-12 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Apr 12 09:53:52 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
grabmyaddr.c isakmp_inf.c

Log Message:
Some logging improvements.


To generate a diff of this commit:
cvs rdiff -u -r1.28.2.1 -r1.28.2.2 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
cvs rdiff -u -r1.47.2.2 -r1.47.2.3 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.28.2.1 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.28.2.2
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.28.2.1	Tue Feb  5 11:36:41 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Fri Apr 12 09:53:52 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.28.2.1 2013/02/05 11:36:41 tteras Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.28.2.2 2013/04/12 09:53:52 tteras Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras .
@@ -764,6 +764,7 @@ kernel_handle_message(msg)
 	case RTM_ADD:
 	case RTM_DELETE:
 	case RTM_CHANGE:
+	case RTM_GET:
 	case RTM_MISS:
 	case RTM_IFINFO:
 #ifdef RTM_OIFINFO
@@ -779,7 +780,7 @@ kernel_handle_message(msg)
 		break;
 	default:
 		plog(LLV_WARNING, LOCATION, NULL,
-		 "unrecognized route message with rtm_type: %d",
+		 "unrecognized route message with rtm_type: %d\n",
 		 rtm->rtm_type);
 		break;
 	}

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.47.2.2 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.47.2.3
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.47.2.2	Thu Jan 24 06:48:27 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Fri Apr 12 09:53:52 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.c,v 1.47.2.2 2013/01/24 06:48:27 tteras Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.47.2.3 2013/04/12 09:53:52 tteras Exp $	*/
 
 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
 
@@ -1116,6 +1116,7 @@ purge_ipsec_spi(dst0, proto, spi, n)
 	u_int64_t created;
 	size_t i;
 	caddr_t mhp[SADB_EXT_MAX + 1];
+	unsigned num_purged = 0;
 
 	plog(LLV_DEBUG2, LOCATION, NULL,
 		 "purge_ipsec_spi:\n");
@@ -1172,6 +1173,7 @@ purge_ipsec_spi(dst0, proto, spi, n)
 
 		plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(src));
 		plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(dst));
+		plog(LLV_DEBUG2, LOCATION, NULL, "spi: %u\n", ntohl(sa->sadb_sa_spi));
 
 		/* XXX n^2 algorithm, inefficient */
 
@@ -1210,6 +1212,7 @@ purge_ipsec_spi(dst0, proto, spi, n)
 "purged IPsec-SA proto_id=%s spi=%u.\n",
 s_ipsecdoi_proto(proto),
 ntohl(spi[i]));
+			num_purged++;
 		}
 
 		msg = next;
@@ -1217,6 +1220,8 @@ purge_ipsec_spi(dst0, proto, spi, n)
 
 	if (buf)
 		vfree(buf);
+
+	plog(LLV_DEBUG, LOCATION, NULL, "purged %u SAs.\n", num_purged);
 }
 
 /*



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2013-02-05 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Feb  5 11:36:41 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
grabmyaddr.c

Log Message:
Fix source port selection


To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.28.2.1 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.28 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.28.2.1
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.28	Mon Mar 14 17:18:12 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Tue Feb  5 11:36:41 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.28 2011/03/14 17:18:12 tteras Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.28.2.1 2013/02/05 11:36:41 tteras Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras .
@@ -274,13 +274,24 @@ myaddr_getsport(addr)
 	struct sockaddr *addr;
 {
 	struct myaddr *my;
+	int port = 0, wport;
 
 	LIST_FOREACH(my, &opened, chain) {
-		if (cmpsaddr((struct sockaddr *) &my->addr, addr) <= CMPSADDR_WILDPORT_MATCH)
+		switch (cmpsaddr((struct sockaddr *) &my->addr, addr)) {
+		case CMPSADDR_MATCH:
 			return extract_port((struct sockaddr *) &my->addr);
+		case CMPSADDR_WILDPORT_MATCH:
+			wport = extract_port((struct sockaddr *) &my->addr);
+			if (port == 0 || wport < port)
+port = wport;
+			break;
+		}
 	}
+	
+	if (port == 0)
+		port = PORT_ISAKMP;
 
-	return PORT_ISAKMP;
+	return port;
 }
 
 void
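Review bot: The new switch on cmpsaddr() has no default arm, so the other CMPSADDR_* results are dropped silently and, if the return type is an enum, compilers warning on unhandled values will complain; adding `default: break;` makes the intent explicit. The rule that the lowest wildcard-port match wins is the substance of the fix but is not written down; a comment such as `/* several wildcard-port sockets may match (e.g. ISAKMP and NAT-T): prefer the lowest port */` above the CMPSADDR_WILDPORT_MATCH arm would do, with the NAT-T example confirmed against the callers. The `port == 0` sentinel also means a socket bound to port 0 is indistinguishable from "nothing found", which is probably harmless but worth a word in that comment. The trunk commit of grabmyaddr.c 1.30 below makes the same change and additionally alters the fallback return value.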



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-02-05 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Feb  5 11:36:18 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c

Log Message:
Fix source port selection


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.30 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.29 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.30
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.29	Sun Jan  1 15:54:51 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Tue Feb  5 11:36:17 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.29 2012/01/01 15:54:51 tteras Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.30 2013/02/05 11:36:17 tteras Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras .
@@ -274,13 +274,24 @@ myaddr_getsport(addr)
 	struct sockaddr *addr;
 {
 	struct myaddr *my;
+	int port = 0, wport;
 
 	LIST_FOREACH(my, &opened, chain) {
-		if (cmpsaddr((struct sockaddr *) &my->addr, addr) <= CMPSADDR_WILDPORT_MATCH)
+		switch (cmpsaddr((struct sockaddr *) &my->addr, addr)) {
+		case CMPSADDR_MATCH:
 			return extract_port((struct sockaddr *) &my->addr);
+		case CMPSADDR_WILDPORT_MATCH:
+			wport = extract_port((struct sockaddr *) &my->addr);
+			if (port == 0 || wport < port)
+port = wport;
+			break;
+		}
 	}
 
-	return -1;
+	if (port == 0)
+		port = PORT_ISAKMP;
+
+	return port;
 }
 
 void
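Review bot: The removed `return -1;` was the only way this function reported that no opened socket matched `addr`; the new fallback returns `PORT_ISAKMP` instead, so a caller that tested for a negative result now silently gets the default port. No caller is visible here, so if none relies on -1 a comment at the fallback would document the new contract: `/* no opened socket matched: default to the ISAKMP port */`. The missing `default:` in the `switch` is noted on the branch hunk above. myaddr_getsport's signature line is outside the hunk.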



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2013-02-04 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Feb  5 06:23:43 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
isakmp_xauth.c

Log Message:
>From Ian West : Fix double free of the radius info on
config reload.


To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.22.2.1 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.22 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.22.2.1
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.22	Mon Mar 14 15:50:36 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Tue Feb  5 06:23:42 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.22 2011/03/14 15:50:36 vanhu Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.22.2.1 2013/02/05 06:23:42 tteras Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -461,10 +461,14 @@ xauth_radius_init_conf(int free)
 			vfree(xauth_rad_config.acct_server_list[i].host);
 			vfree(xauth_rad_config.acct_server_list[i].secret);
 		}
-		if (radius_auth_state != NULL)
+		if (radius_auth_state != NULL) {
 			rad_close(radius_auth_state);
-		if (radius_acct_state != NULL)
+			radius_auth_state = NULL;
+		}
+		if (radius_acct_state != NULL) {
 			rad_close(radius_acct_state);
+			radius_acct_state = NULL;
+		}
 	}
 
 	/* initialize radius config */
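Review bot: The `= NULL` assignments after each `rad_close()` are the actual double-free fix, but nothing in the hunk says why they are there, and a later cleanup could easily drop a "redundant" store. Suggest a comment above the first `if`: `/* this runs again on config reload: clear the handles so a freed one is never rad_close()d twice */`. The same hunk appears in the trunk commit (1.24→1.25) below. xauth_radius_init_conf's body continues on both sides of the hunk.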



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-02-04 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Feb  5 06:22:29 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_xauth.c

Log Message:
>From Ian West : Fix double free of the radius info on
config reload.


To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.25 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.24 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.25
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.24	Tue Nov 15 13:51:23 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Tue Feb  5 06:22:29 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.24 2011/11/15 13:51:23 tteras Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.25 2013/02/05 06:22:29 tteras Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -458,10 +458,14 @@ xauth_radius_init_conf(int free)
 			vfree(xauth_rad_config.acct_server_list[i].host);
 			vfree(xauth_rad_config.acct_server_list[i].secret);
 		}
-		if (radius_auth_state != NULL)
+		if (radius_auth_state != NULL) {
 			rad_close(radius_auth_state);
-		if (radius_acct_state != NULL)
+			radius_auth_state = NULL;
+		}
+		if (radius_acct_state != NULL) {
 			rad_close(radius_acct_state);
+			radius_acct_state = NULL;
+		}
 	}
 
 	/* initialize radius config */



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2013-01-23 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Thu Jan 24 06:48:27 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
isakmp_inf.c

Log Message:
Fix handling of deletion notification.


To generate a diff of this commit:
cvs rdiff -u -r1.47.2.1 -r1.47.2.2 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.47.2.1 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.47.2.2
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.47.2.1	Wed Aug 29 12:01:56 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Thu Jan 24 06:48:27 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.c,v 1.47.2.1 2012/08/29 12:01:56 tteras Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.47.2.2 2013/01/24 06:48:27 tteras Exp $	*/
 
 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
 
@@ -492,7 +492,7 @@ isakmp_info_recv_d(iph1, delete, msgid, 
 		"delete payload for protocol %s\n",
 		s_ipsecdoi_proto(delete->proto_id));
 
-	if(!iph1->rmconf->weak_phase1_check && !encrypted) {
+	if((iph1 == NULL || !iph1->rmconf->weak_phase1_check) && !encrypted) {
 		plog(LLV_WARNING, LOCATION, iph1->remote,
 			"Ignoring unencrypted delete payload "
 			"(check the weak_phase1_check option)\n");
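Review bot: The new condition deliberately admits `iph1 == NULL`, but the `plog()` call in its body still dereferences it through `iph1->remote`, so an unencrypted delete payload that arrives without a phase-1 handle now reaches a NULL dereference there instead of the old one on `iph1->rmconf`; change the third argument to `plog(LLV_WARNING, LOCATION, iph1 ? iph1->remote : NULL,`. Whether earlier code in the function already rejects a NULL `iph1` is not visible in the hunk; if it does, the added `iph1 == NULL ||` is dead and should be dropped instead. The same change is in the trunk commit (1.48→1.49) below. isakmp_info_recv_d's body continues on both sides of the hunk.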



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-01-23 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Thu Jan 24 06:47:51 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_inf.c

Log Message:
Fix handling of deletion notification.


To generate a diff of this commit:
cvs rdiff -u -r1.48 -r1.49 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.48 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.49
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.48	Wed Aug 29 12:01:30 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Thu Jan 24 06:47:50 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.c,v 1.48 2012/08/29 12:01:30 tteras Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.49 2013/01/24 06:47:50 tteras Exp $	*/
 
 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
 
@@ -492,7 +492,7 @@ isakmp_info_recv_d(iph1, delete, msgid, 
 		"delete payload for protocol %s\n",
 		s_ipsecdoi_proto(delete->proto_id));
 
-	if(!iph1->rmconf->weak_phase1_check && !encrypted) {
+	if((iph1 == NULL || !iph1->rmconf->weak_phase1_check) && !encrypted) {
 		plog(LLV_WARNING, LOCATION, iph1->remote,
 			"Ignoring unencrypted delete payload "
 			"(check the weak_phase1_check option)\n");



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools

2013-01-08 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Jan  8 12:44:22 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools [ipsec-tools-0_8-branch]: NEWS configure.ac

Log Message:
ipsec-tools-0.8.1


To generate a diff of this commit:
cvs rdiff -u -r1.4.6.1 -r1.4.6.2 src/crypto/dist/ipsec-tools/NEWS
cvs rdiff -u -r1.10.6.3 -r1.10.6.4 src/crypto/dist/ipsec-tools/configure.ac

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/NEWS
diff -u src/crypto/dist/ipsec-tools/NEWS:1.4.6.1 src/crypto/dist/ipsec-tools/NEWS:1.4.6.2
--- src/crypto/dist/ipsec-tools/NEWS:1.4.6.1	Fri Mar 18 13:20:27 2011
+++ src/crypto/dist/ipsec-tools/NEWS	Tue Jan  8 12:44:22 2013
@@ -1,5 +1,13 @@
 Version history:
 
+0.8.1	- 08 January 2013
+	o Improved X.509 subject name comparation (Götz Babin-Ebell)
+	o Relax DPD cookie check for Cisco IOS compatibility (Roman Antink)
+	o Allow simplified syntax for inherited remote blocks (Roman Antink)
+	o Never shring pfkey socket buffer (Marcelo Leitner)
+	o Privilege separation child process exit fix
+	o Multiple memory allocation and use-after-free fixes
+
 0.8	- 18 March 2011
 	o Fix authentication method ambiguity with kerberos and xauth
 	o RFC2253 compliant escaping of asn1dn identifiers (Cyrus Rahman)

Index: src/crypto/dist/ipsec-tools/configure.ac
diff -u src/crypto/dist/ipsec-tools/configure.ac:1.10.6.3 src/crypto/dist/ipsec-tools/configure.ac:1.10.6.4
--- src/crypto/dist/ipsec-tools/configure.ac:1.10.6.3	Tue Jan  8 12:43:07 2013
+++ src/crypto/dist/ipsec-tools/configure.ac	Tue Jan  8 12:44:22 2013
@@ -2,7 +2,7 @@ dnl -*- mode: m4 -*-
 dnl Id: configure.ac,v 1.77 2006/07/20 19:19:27 manubsd Exp
 
 AC_PREREQ(2.52)
-AC_INIT(ipsec-tools, 0.8.0)
+AC_INIT(ipsec-tools, 0.8.1)
 AC_CONFIG_SRCDIR([configure.ac])
 AC_CONFIG_HEADERS(config.h)
 



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools

2013-01-08 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Jan  8 12:43:07 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools [ipsec-tools-0_8-branch]: configure.ac

Log Message:
Fix errors from automake 1.13


To generate a diff of this commit:
cvs rdiff -u -r1.10.6.2 -r1.10.6.3 src/crypto/dist/ipsec-tools/configure.ac

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/configure.ac
diff -u src/crypto/dist/ipsec-tools/configure.ac:1.10.6.2 src/crypto/dist/ipsec-tools/configure.ac:1.10.6.3
--- src/crypto/dist/ipsec-tools/configure.ac:1.10.6.2	Mon Dec 24 08:48:08 2012
+++ src/crypto/dist/ipsec-tools/configure.ac	Tue Jan  8 12:43:07 2013
@@ -4,14 +4,13 @@ dnl Id: configure.ac,v 1.77 2006/07/20 1
 AC_PREREQ(2.52)
 AC_INIT(ipsec-tools, 0.8.0)
 AC_CONFIG_SRCDIR([configure.ac])
-AM_CONFIG_HEADER(config.h)
+AC_CONFIG_HEADERS(config.h)
 
 AM_INIT_AUTOMAKE(dist-bzip2)
 
 AC_ENABLE_SHARED(no)
 
 AC_PROG_CC
-AM_PROG_CC_STDC
 AC_HEADER_STDC
 AC_PROG_LIBTOOL
 AC_PROG_YACC



CVS commit: src/crypto/dist/ipsec-tools

2013-01-08 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Jan  8 12:42:32 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools: configure.ac

Log Message:
Fix errors from automake 1.13


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 src/crypto/dist/ipsec-tools/configure.ac

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/configure.ac
diff -u src/crypto/dist/ipsec-tools/configure.ac:1.12 src/crypto/dist/ipsec-tools/configure.ac:1.13
--- src/crypto/dist/ipsec-tools/configure.ac:1.12	Mon Dec 24 08:46:27 2012
+++ src/crypto/dist/ipsec-tools/configure.ac	Tue Jan  8 12:42:31 2013
@@ -4,14 +4,13 @@ dnl Id: configure.ac,v 1.77 2006/07/20 1
 AC_PREREQ(2.52)
 AC_INIT(ipsec-tools, CVS)
 AC_CONFIG_SRCDIR([configure.ac])
-AM_CONFIG_HEADER(config.h)
+AC_CONFIG_HEADERS(config.h)
 
 AM_INIT_AUTOMAKE(dist-bzip2)
 
 AC_ENABLE_SHARED(no)
 
 AC_PROG_CC
-AM_PROG_CC_STDC
 AC_HEADER_STDC
 AC_PROG_LIBTOOL
 AC_PROG_YACC



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/include-glibc

2013-01-08 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Jan  8 12:38:54 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/include-glibc [ipsec-tools-0_8-branch]:
Makefile.am

Log Message:
Don't dereference the directory symlink which we might be recreating.


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.48.1 \
src/crypto/dist/ipsec-tools/src/include-glibc/Makefile.am

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/include-glibc/Makefile.am
diff -u src/crypto/dist/ipsec-tools/src/include-glibc/Makefile.am:1.1.1.1 src/crypto/dist/ipsec-tools/src/include-glibc/Makefile.am:1.1.1.1.48.1
--- src/crypto/dist/ipsec-tools/src/include-glibc/Makefile.am:1.1.1.1	Sat Feb 12 11:11:22 2005
+++ src/crypto/dist/ipsec-tools/src/include-glibc/Makefile.am	Tue Jan  8 12:38:54 2013
@@ -1,6 +1,6 @@
 
 .includes: ${top_builddir}/config.status
-	ln -sf $(KERNEL_INCLUDE)/linux
+	ln -snf $(KERNEL_INCLUDE)/linux
 	touch .includes
 
 all: .includes
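Review bot: `ln -n` (treat an existing symlink-to-directory as the link to replace rather than descending into it) is a GNU and BSD extension, not POSIX, so the recipe now depends on a non-portable `ln`; that is probably acceptable in a glibc-only directory, but a recipe comment such as `# -n: replace an existing 'linux' symlink instead of creating the link inside it (GNU/BSD ln)` would record why `-sf` alone was not enough. The commit message indicates the old form followed the existing `linux` symlink when the rule re-ran, which is exactly the case `-n` closes. The same change is in the trunk commit (1.1.1.1→1.2) below.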



CVS commit: src/crypto/dist/ipsec-tools/src/include-glibc

2013-01-08 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Jan  8 12:38:40 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/include-glibc: Makefile.am

Log Message:
Don't dereference the directory symlink which we might be recreating.


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1 -r1.2 \
src/crypto/dist/ipsec-tools/src/include-glibc/Makefile.am

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/include-glibc/Makefile.am
diff -u src/crypto/dist/ipsec-tools/src/include-glibc/Makefile.am:1.1.1.1 src/crypto/dist/ipsec-tools/src/include-glibc/Makefile.am:1.2
--- src/crypto/dist/ipsec-tools/src/include-glibc/Makefile.am:1.1.1.1	Sat Feb 12 11:11:22 2005
+++ src/crypto/dist/ipsec-tools/src/include-glibc/Makefile.am	Tue Jan  8 12:38:40 2013
@@ -1,6 +1,6 @@
 
 .includes: ${top_builddir}/config.status
-	ln -sf $(KERNEL_INCLUDE)/linux
+	ln -snf $(KERNEL_INCLUDE)/linux
 	touch .includes
 
 all: .includes



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2012-12-24 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Mon Dec 24 14:50:39 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
crypto_openssl.c

Log Message:
>From Götz Babin-Ebell : Smarter X.509 subject
name compare.


To generate a diff of this commit:
cvs rdiff -u -r1.20.4.2 -r1.20.4.3 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.20.4.2 src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.20.4.3
--- src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.20.4.2	Mon Dec 24 08:48:08 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c	Mon Dec 24 14:50:39 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.c,v 1.20.4.2 2012/12/24 08:48:08 tteras Exp $	*/
+/*	$NetBSD: crypto_openssl.c,v 1.20.4.3 2012/12/24 14:50:39 tteras Exp $	*/
 
 /* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
 
@@ -280,145 +280,6 @@ out:
 }
 
 /*
- * The following are derived from code in crypto/x509/x509_cmp.c
- * in OpenSSL0.9.7c:
- * X509_NAME_wildcmp() adds wildcard matching to the original
- * X509_NAME_cmp(), nocase_cmp() and nocase_spacenorm_cmp() are as is.
- */
-#include 
-/* Case insensitive string comparision */
-static int nocase_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
-{
-	int i;
-
-	if (a->length != b->length)
-		return (a->length - b->length);
-
-	for (i=0; ilength; i++)
-	{
-		int ca, cb;
-
-		ca = tolower(a->data[i]);
-		cb = tolower(b->data[i]);
-
-		if (ca != cb)
-			return(ca-cb);
-	}
-	return 0;
-}
-
-/* Case insensitive string comparision with space normalization 
- * Space normalization - ignore leading, trailing spaces, 
- *   multiple spaces between characters are replaced by single space  
- */
-static int nocase_spacenorm_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
-{
-	unsigned char *pa = NULL, *pb = NULL;
-	int la, lb;
-	
-	la = a->length;
-	lb = b->length;
-	pa = a->data;
-	pb = b->data;
-
-	/* skip leading spaces */
-	while (la > 0 && isspace(*pa))
-	{
-		la--;
-		pa++;
-	}
-	while (lb > 0 && isspace(*pb))
-	{
-		lb--;
-		pb++;
-	}
-
-	/* skip trailing spaces */
-	while (la > 0 && isspace(pa[la-1]))
-		la--;
-	while (lb > 0 && isspace(pb[lb-1]))
-		lb--;
-
-	/* compare strings with space normalization */
-	while (la > 0 && lb > 0)
-	{
-		int ca, cb;
-
-		/* compare character */
-		ca = tolower(*pa);
-		cb = tolower(*pb);
-		if (ca != cb)
-			return (ca - cb);
-
-		pa++; pb++;
-		la--; lb--;
-
-		if (la <= 0 || lb <= 0)
-			break;
-
-		/* is white space next character ? */
-		if (isspace(*pa) && isspace(*pb))
-		{
-			/* skip remaining white spaces */
-			while (la > 0 && isspace(*pa))
-			{
-la--;
-pa++;
-			}
-			while (lb > 0 && isspace(*pb))
-			{
-lb--;
-pb++;
-			}
-		}
-	}
-	if (la > 0 || lb > 0)
-		return la - lb;
-
-	return 0;
-}
-
-static int X509_NAME_wildcmp(const X509_NAME *a, const X509_NAME *b)
-{
-int i,j;
-X509_NAME_ENTRY *na,*nb;
-
-if (sk_X509_NAME_ENTRY_num(a->entries)
-	!= sk_X509_NAME_ENTRY_num(b->entries))
-	return sk_X509_NAME_ENTRY_num(a->entries)
-	  -sk_X509_NAME_ENTRY_num(b->entries);
-for (i=sk_X509_NAME_ENTRY_num(a->entries)-1; i>=0; i--)
-{
-	na=sk_X509_NAME_ENTRY_value(a->entries,i);
-	nb=sk_X509_NAME_ENTRY_value(b->entries,i);
-	j=OBJ_cmp(na->object,nb->object);
-	if (j) return(j);
-	if ((na->value->length == 1 && na->value->data[0] == '*')
-	 || (nb->value->length == 1 && nb->value->data[0] == '*'))
-		continue;
-	j=na->value->type-nb->value->type;
-	if (j) return(j);
-	if (na->value->type == V_ASN1_PRINTABLESTRING)
-		j=nocase_spacenorm_cmp(na->value, nb->value);
-	else if (na->value->type == V_ASN1_IA5STRING
-		&& OBJ_obj2nid(na->object) == NID_pkcs9_emailAddress)
-		j=nocase_cmp(na->value, nb->value);
-	else
-		{
-		j=na->value->length-nb->value->length;
-		if (j) return(j);
-		j=memcmp(na->value->data,nb->value->data,
-			na->value->length);
-		}
-	if (j) return(j);
-	j=na->set-nb->set;
-	if (j) return(j);
-}
-
-return(0);
-}
-
-/*
  * compare two subjectNames.
  * OUT:0: equal
  *	positive:
@@ -430,16 +291,49 @@ eay_cmp_asn1dn(n1, n2)
 {
 	X509_NAME *a = NULL, *b = NULL;
 	caddr_t p;
+	char oneLine[512];
 	int i = -1;
+	int idx;
 
 	p = n1->v;
-	if (!d2i_X509_NAME(&a, (void *)&p, n1->l))
+	if (!d2i_X509_NAME(&a, (void *)&p, n1->l)) {
+		plog(LLV_ERROR, LOCATION, NULL, "eay_cmp_asn1dn: first dn not a dn");
 		goto end;
+	}
+	plog(LLV_DEBUG, LOCATION, NULL, "1st name: %s\n", X509_NAME_oneline(a, oneLine, sizeof(oneLine)));
 	p = n2->v;
-	if (!d2i_X509_NAME(&b, (void *)&p, n2->l))
+	if (!d2i_X509_NAME(&b, (void *)&p, n2->l)) {
+		plog(

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2012-12-24 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Mon Dec 24 14:50:04 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: crypto_openssl.c

Log Message:
>From Götz Babin-Ebell : Smarter X.509 subject
name compare.


To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.24 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.23 src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.24
--- src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.23	Mon Dec 24 08:46:27 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c	Mon Dec 24 14:50:04 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.c,v 1.23 2012/12/24 08:46:27 tteras Exp $	*/
+/*	$NetBSD: crypto_openssl.c,v 1.24 2012/12/24 14:50:04 tteras Exp $	*/
 
 /* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
 
@@ -280,145 +280,6 @@ out:
 }
 
 /*
- * The following are derived from code in crypto/x509/x509_cmp.c
- * in OpenSSL0.9.7c:
- * X509_NAME_wildcmp() adds wildcard matching to the original
- * X509_NAME_cmp(), nocase_cmp() and nocase_spacenorm_cmp() are as is.
- */
-#include 
-/* Case insensitive string comparision */
-static int nocase_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
-{
-	int i;
-
-	if (a->length != b->length)
-		return (a->length - b->length);
-
-	for (i=0; ilength; i++)
-	{
-		int ca, cb;
-
-		ca = tolower(a->data[i]);
-		cb = tolower(b->data[i]);
-
-		if (ca != cb)
-			return(ca-cb);
-	}
-	return 0;
-}
-
-/* Case insensitive string comparision with space normalization 
- * Space normalization - ignore leading, trailing spaces, 
- *   multiple spaces between characters are replaced by single space  
- */
-static int nocase_spacenorm_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
-{
-	unsigned char *pa = NULL, *pb = NULL;
-	int la, lb;
-	
-	la = a->length;
-	lb = b->length;
-	pa = a->data;
-	pb = b->data;
-
-	/* skip leading spaces */
-	while (la > 0 && isspace(*pa))
-	{
-		la--;
-		pa++;
-	}
-	while (lb > 0 && isspace(*pb))
-	{
-		lb--;
-		pb++;
-	}
-
-	/* skip trailing spaces */
-	while (la > 0 && isspace(pa[la-1]))
-		la--;
-	while (lb > 0 && isspace(pb[lb-1]))
-		lb--;
-
-	/* compare strings with space normalization */
-	while (la > 0 && lb > 0)
-	{
-		int ca, cb;
-
-		/* compare character */
-		ca = tolower(*pa);
-		cb = tolower(*pb);
-		if (ca != cb)
-			return (ca - cb);
-
-		pa++; pb++;
-		la--; lb--;
-
-		if (la <= 0 || lb <= 0)
-			break;
-
-		/* is white space next character ? */
-		if (isspace(*pa) && isspace(*pb))
-		{
-			/* skip remaining white spaces */
-			while (la > 0 && isspace(*pa))
-			{
-la--;
-pa++;
-			}
-			while (lb > 0 && isspace(*pb))
-			{
-lb--;
-pb++;
-			}
-		}
-	}
-	if (la > 0 || lb > 0)
-		return la - lb;
-
-	return 0;
-}
-
-static int X509_NAME_wildcmp(const X509_NAME *a, const X509_NAME *b)
-{
-int i,j;
-X509_NAME_ENTRY *na,*nb;
-
-if (sk_X509_NAME_ENTRY_num(a->entries)
-	!= sk_X509_NAME_ENTRY_num(b->entries))
-	return sk_X509_NAME_ENTRY_num(a->entries)
-	  -sk_X509_NAME_ENTRY_num(b->entries);
-for (i=sk_X509_NAME_ENTRY_num(a->entries)-1; i>=0; i--)
-{
-	na=sk_X509_NAME_ENTRY_value(a->entries,i);
-	nb=sk_X509_NAME_ENTRY_value(b->entries,i);
-	j=OBJ_cmp(na->object,nb->object);
-	if (j) return(j);
-	if ((na->value->length == 1 && na->value->data[0] == '*')
-	 || (nb->value->length == 1 && nb->value->data[0] == '*'))
-		continue;
-	j=na->value->type-nb->value->type;
-	if (j) return(j);
-	if (na->value->type == V_ASN1_PRINTABLESTRING)
-		j=nocase_spacenorm_cmp(na->value, nb->value);
-	else if (na->value->type == V_ASN1_IA5STRING
-		&& OBJ_obj2nid(na->object) == NID_pkcs9_emailAddress)
-		j=nocase_cmp(na->value, nb->value);
-	else
-		{
-		j=na->value->length-nb->value->length;
-		if (j) return(j);
-		j=memcmp(na->value->data,nb->value->data,
-			na->value->length);
-		}
-	if (j) return(j);
-	j=na->set-nb->set;
-	if (j) return(j);
-}
-
-return(0);
-}
-
-/*
  * compare two subjectNames.
  * OUT:0: equal
  *	positive:
@@ -430,16 +291,49 @@ eay_cmp_asn1dn(n1, n2)
 {
 	X509_NAME *a = NULL, *b = NULL;
 	caddr_t p;
+	char oneLine[512];
 	int i = -1;
+	int idx;
 
 	p = n1->v;
-	if (!d2i_X509_NAME(&a, (void *)&p, n1->l))
+	if (!d2i_X509_NAME(&a, (void *)&p, n1->l)) {
+		plog(LLV_ERROR, LOCATION, NULL, "eay_cmp_asn1dn: first dn not a dn");
 		goto end;
+	}
+	plog(LLV_DEBUG, LOCATION, NULL, "1st name: %s\n", X509_NAME_oneline(a, oneLine, sizeof(oneLine)));
 	p = n2->v;
-	if (!d2i_X509_NAME(&b, (void *)&p, n2->l))
+	if (!d2i_X509_NAME(&b, (void *)&p, n2->l)) {
+		plog(LLV_ERROR, LOCATION, NULL, "eay_cmp_asn1dn: second dn not a dn");

CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools

2012-12-24 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Mon Dec 24 08:48:09 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools [ipsec-tools-0_8-branch]: configure.ac
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
crypto_openssl.c
src/crypto/dist/ipsec-tools/src/racoon/missing/crypto/sha2 
[ipsec-tools-0_8-branch]:
sha2.c

Log Message:
>From Götz Babin-Ebell :
Require OpenSSL 0.9.8s or higher


To generate a diff of this commit:
cvs rdiff -u -r1.10.6.1 -r1.10.6.2 src/crypto/dist/ipsec-tools/configure.ac
cvs rdiff -u -r1.20.4.1 -r1.20.4.2 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
cvs rdiff -u -r1.4 -r1.4.40.1 \
src/crypto/dist/ipsec-tools/src/racoon/missing/crypto/sha2/sha2.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/configure.ac
diff -u src/crypto/dist/ipsec-tools/configure.ac:1.10.6.1 src/crypto/dist/ipsec-tools/configure.ac:1.10.6.2
--- src/crypto/dist/ipsec-tools/configure.ac:1.10.6.1	Fri Mar 18 13:25:12 2011
+++ src/crypto/dist/ipsec-tools/configure.ac	Mon Dec 24 08:48:08 2012
@@ -207,12 +207,12 @@ AC_MSG_CHECKING(openssl version)
 AC_TRY_COMPILE(
 [#include 
 ],
-[#if OPENSSL_VERSION_NUMBER < 0x0090602fL
+[#if OPENSSL_VERSION_NUMBER < 0x0090813fL
 #error OpenSSL version is too old ...
 #endif],
 [AC_MSG_RESULT([ok])],
 [AC_MSG_RESULT(too old)
-AC_MSG_ERROR([OpenSSL version must be 0.9.6 or higher. Aborting.])
+AC_MSG_ERROR([OpenSSL version must be 0.9.8s or higher. Aborting.])
 ])
 
 AC_CHECK_HEADERS(openssl/engine.h)

Index: src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.20.4.1 src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.20.4.2
--- src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.20.4.1	Thu Aug 23 11:46:06 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c	Mon Dec 24 08:48:08 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.c,v 1.20.4.1 2012/08/23 11:46:06 tteras Exp $	*/
+/*	$NetBSD: crypto_openssl.c,v 1.20.4.2 2012/12/24 08:48:08 tteras Exp $	*/
 
 /* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
 
@@ -44,8 +44,8 @@
 /* get openssl/ssleay version number */
 #include 
 
-#if !defined(OPENSSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x0090602fL)
-#error OpenSSL version 0.9.6 or later required.
+#if !defined(OPENSSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x0090813fL)
+#error OpenSSL version 0.9.8s or later required.
 #endif
 
 #include 
@@ -91,12 +91,7 @@
 #endif
 #include "plog.h"
 
-/* 0.9.7 stuff? */
-#if OPENSSL_VERSION_NUMBER < 0x0090700fL
-typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES;
-#else
 #define USE_NEW_DES_API
-#endif
 
 #define OpenSSL_BUG()	do { plog(LLV_ERROR, LOCATION, NULL, "OpenSSL function failed\n"); } while(0)
 
@@ -505,10 +500,8 @@ eay_check_x509cert(cert, CApath, CAfile,
 	if (csc == NULL)
 		goto end;
 	X509_STORE_CTX_init(csc, cert_ctx, x509, NULL);
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
 	X509_STORE_CTX_set_flags (csc, X509_V_FLAG_CRL_CHECK);
 	X509_STORE_CTX_set_flags (csc, X509_V_FLAG_CRL_CHECK_ALL);
-#endif
 	error = X509_verify_cert(csc);
 	X509_STORE_CTX_free(csc);
 

Index: src/crypto/dist/ipsec-tools/src/racoon/missing/crypto/sha2/sha2.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/missing/crypto/sha2/sha2.c:1.4 src/crypto/dist/ipsec-tools/src/racoon/missing/crypto/sha2/sha2.c:1.4.40.1
--- src/crypto/dist/ipsec-tools/src/racoon/missing/crypto/sha2/sha2.c:1.4	Sat Sep  9 16:22:36 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/missing/crypto/sha2/sha2.c	Mon Dec 24 08:48:08 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: sha2.c,v 1.4 2006/09/09 16:22:36 manu Exp $	*/
+/*	$NetBSD: sha2.c,v 1.4.40.1 2012/12/24 08:48:08 tteras Exp $	*/
 
 /* Id: sha2.c,v 1.6 2004/09/21 14:35:25 ludvigm Exp */
 
@@ -56,9 +56,7 @@
 #define bzero(a, b) memset((a), 0, (b))
 #define panic(a) err(1, (a))
 
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
 #define HAVE_EVP_097
-#endif
 
 /*
  * ASSERT NOTE:



CVS commit: src/crypto/dist/ipsec-tools

2012-12-24 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Mon Dec 24 08:46:27 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools: configure.ac
src/crypto/dist/ipsec-tools/src/racoon: crypto_openssl.c
src/crypto/dist/ipsec-tools/src/racoon/missing/crypto/sha2: sha2.c

Log Message:
>From Götz Babin-Ebell Modified files:

Index: src/crypto/dist/ipsec-tools/configure.ac
diff -u src/crypto/dist/ipsec-tools/configure.ac:1.11 src/crypto/dist/ipsec-tools/configure.ac:1.12
--- src/crypto/dist/ipsec-tools/configure.ac:1.11	Tue Jan 10 12:07:30 2012
+++ src/crypto/dist/ipsec-tools/configure.ac	Mon Dec 24 08:46:27 2012
@@ -207,12 +207,12 @@ AC_MSG_CHECKING(openssl version)
 AC_TRY_COMPILE(
 [#include 
 ],
-[#if OPENSSL_VERSION_NUMBER < 0x0090602fL
+[#if OPENSSL_VERSION_NUMBER < 0x0090813fL
 #error OpenSSL version is too old ...
 #endif],
 [AC_MSG_RESULT([ok])],
 [AC_MSG_RESULT(too old)
-AC_MSG_ERROR([OpenSSL version must be 0.9.6 or higher. Aborting.])
+AC_MSG_ERROR([OpenSSL version must be 0.9.8s or higher. Aborting.])
 ])
 
 AC_CHECK_HEADERS(openssl/engine.h)

Index: src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.22 src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.23
--- src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.22	Thu Nov 29 15:31:24 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c	Mon Dec 24 08:46:27 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.c,v 1.22 2012/11/29 15:31:24 vanhu Exp $	*/
+/*	$NetBSD: crypto_openssl.c,v 1.23 2012/12/24 08:46:27 tteras Exp $	*/
 
 /* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
 
@@ -44,8 +44,8 @@
 /* get openssl/ssleay version number */
 #include 
 
-#if !defined(OPENSSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x0090602fL)
-#error OpenSSL version 0.9.6 or later required.
+#if !defined(OPENSSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x0090813fL)
+#error OpenSSL version 0.9.8s or later required.
 #endif
 
 #include 
@@ -91,12 +91,7 @@
 #endif
 #include "plog.h"
 
-/* 0.9.7 stuff? */
-#if OPENSSL_VERSION_NUMBER < 0x0090700fL
-typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES;
-#else
 #define USE_NEW_DES_API
-#endif
 
 #define OpenSSL_BUG()	do { plog(LLV_ERROR, LOCATION, NULL, "OpenSSL function failed\n"); } while(0)
 
@@ -505,10 +500,8 @@ eay_check_x509cert(cert, CApath, CAfile,
 	if (csc == NULL)
 		goto end;
 	X509_STORE_CTX_init(csc, cert_ctx, x509, NULL);
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
 	X509_STORE_CTX_set_flags (csc, X509_V_FLAG_CRL_CHECK);
 	X509_STORE_CTX_set_flags (csc, X509_V_FLAG_CRL_CHECK_ALL);
-#endif
 	error = X509_verify_cert(csc);
 	X509_STORE_CTX_free(csc);
 

Index: src/crypto/dist/ipsec-tools/src/racoon/missing/crypto/sha2/sha2.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/missing/crypto/sha2/sha2.c:1.4 src/crypto/dist/ipsec-tools/src/racoon/missing/crypto/sha2/sha2.c:1.5
--- src/crypto/dist/ipsec-tools/src/racoon/missing/crypto/sha2/sha2.c:1.4	Sat Sep  9 16:22:36 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/missing/crypto/sha2/sha2.c	Mon Dec 24 08:46:27 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: sha2.c,v 1.4 2006/09/09 16:22:36 manu Exp $	*/
+/*	$NetBSD: sha2.c,v 1.5 2012/12/24 08:46:27 tteras Exp $	*/
 
 /* Id: sha2.c,v 1.6 2004/09/21 14:35:25 ludvigm Exp */
 
@@ -56,9 +56,7 @@
 #define bzero(a, b) memset((a), 0, (b))
 #define panic(a) err(1, (a))
 
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
 #define HAVE_EVP_097
-#endif
 
 /*
  * ASSERT NOTE:



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2012-08-29 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Wed Aug 29 12:01:56 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
isakmp_inf.c

Log Message:
>From Roman Hoog Antink : Accept DPD messages with cookies
also in reversed order for compatibility. At least Cisco 836 running
IOS 12.3(8)T does this.


To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.47.2.1 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.47 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.47.2.1
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.47	Tue Mar 15 13:20:14 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Wed Aug 29 12:01:56 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.c,v 1.47 2011/03/15 13:20:14 vanhu Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.47.2.1 2012/08/29 12:01:56 tteras Exp $	*/
 
 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
 
@@ -1465,8 +1465,11 @@ isakmp_info_recv_r_u_ack (iph1, ru, msgi
 		return 0;
 	}
 
-	if (memcmp(ru->i_ck, iph1->index.i_ck, sizeof(cookie_t)) ||
-	memcmp(ru->r_ck, iph1->index.r_ck, sizeof(cookie_t))) {
+	/* accept cookies in original or reversed order */
+	if ((memcmp(ru->i_ck, iph1->index.i_ck, sizeof(cookie_t)) ||
+	 memcmp(ru->r_ck, iph1->index.r_ck, sizeof(cookie_t))) &&
+	(memcmp(ru->r_ck, iph1->index.i_ck, sizeof(cookie_t)) ||
+	 memcmp(ru->i_ck, iph1->index.r_ck, sizeof(cookie_t {
 		plog(LLV_ERROR, LOCATION, iph1->remote,
 			 "Cookie mismatch in DPD ACK!.\n");
 		return 0;
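Review bot: The relaxed check accepts an R-U-THERE-ACK whose cookies match the phase 1 handle in either order, which widens what counts as a valid ACK, and the added comment only says that it does so, not why it is acceptable; something like `/* accept cookies in original or reversed order: some peers (Cisco IOS 12.3(8)T) swap them; both cookies must still match this handle's pair */` would document the reasoning. The line `sizeof(cookie_t {` appears truncated in this listing (the closing parentheses are missing), which looks like an extraction artefact rather than committed text, but is worth confirming against the repository. The identical hunk in the trunk commit of isakmp_inf.c (1.47 to 1.48) further down carries the same point. The enclosing function isakmp_info_recv_r_u_ack starts outside the hunk.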
@@ -1477,7 +1480,7 @@ isakmp_info_recv_r_u_ack (iph1, ru, msgi
 	sched_cancel(&iph1->dpd_r_u);
 	isakmp_sched_r_u(iph1, 0);
 
-	plog(LLV_DEBUG, LOCATION, NULL, "received an R-U-THERE-ACK\n");
+	plog(LLV_DEBUG, LOCATION, iph1->remote, "received an R-U-THERE-ACK\n");
 
 	return 0;
 }



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2012-08-29 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Wed Aug 29 12:01:30 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_inf.c

Log Message:
>From Roman Hoog Antink : Accept DPD messages with cookies
also in reversed order for compatibility. At least Cisco 836 running
IOS 12.3(8)T does this.


To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.48 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.47 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.48
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.47	Tue Mar 15 13:20:14 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Wed Aug 29 12:01:30 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.c,v 1.47 2011/03/15 13:20:14 vanhu Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.48 2012/08/29 12:01:30 tteras Exp $	*/
 
 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
 
@@ -1465,8 +1465,11 @@ isakmp_info_recv_r_u_ack (iph1, ru, msgi
 		return 0;
 	}
 
-	if (memcmp(ru->i_ck, iph1->index.i_ck, sizeof(cookie_t)) ||
-	memcmp(ru->r_ck, iph1->index.r_ck, sizeof(cookie_t))) {
+	/* accept cookies in original or reversed order */
+	if ((memcmp(ru->i_ck, iph1->index.i_ck, sizeof(cookie_t)) ||
+	 memcmp(ru->r_ck, iph1->index.r_ck, sizeof(cookie_t))) &&
+	(memcmp(ru->r_ck, iph1->index.i_ck, sizeof(cookie_t)) ||
+	 memcmp(ru->i_ck, iph1->index.r_ck, sizeof(cookie_t {
 		plog(LLV_ERROR, LOCATION, iph1->remote,
 			 "Cookie mismatch in DPD ACK!.\n");
 		return 0;
@@ -1477,7 +1480,7 @@ isakmp_info_recv_r_u_ack (iph1, ru, msgi
 	sched_cancel(&iph1->dpd_r_u);
 	isakmp_sched_r_u(iph1, 0);
 
-	plog(LLV_DEBUG, LOCATION, NULL, "received an R-U-THERE-ACK\n");
+	plog(LLV_DEBUG, LOCATION, iph1->remote, "received an R-U-THERE-ACK\n");
 
 	return 0;
 }



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2012-08-29 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Wed Aug 29 11:35:09 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
oakley.c

Log Message:
>From Roman Hoog Antink : add remote's IP address to the
"certificate not verified" error message.


To generate a diff of this commit:
cvs rdiff -u -r1.22.2.1 -r1.22.2.2 \
src/crypto/dist/ipsec-tools/src/racoon/oakley.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/oakley.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.22.2.1 src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.22.2.2
--- src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.22.2.1	Wed Aug 29 11:24:28 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/oakley.c	Wed Aug 29 11:35:09 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: oakley.c,v 1.22.2.1 2012/08/29 11:24:28 tteras Exp $	*/
+/*	$NetBSD: oakley.c,v 1.22.2.2 2012/08/29 11:35:09 tteras Exp $	*/
 
 /* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */
 
@@ -1434,7 +1434,7 @@ oakley_validate_auth(iph1)
 			}
 
 			if (error != 0) {
-plog(LLV_ERROR, LOCATION, NULL,
+plog(LLV_ERROR, LOCATION, iph1->remote,
  "the peer's certificate is not verified.\n");
 return ISAKMP_NTYPE_INVALID_CERT_AUTHORITY;
 			}



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2012-08-29 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Wed Aug 29 11:34:37 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: oakley.c

Log Message:
>From Roman Hoog Antink : add remote's IP address to the
"certificate not verified" error message.


To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.24 src/crypto/dist/ipsec-tools/src/racoon/oakley.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/oakley.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.23 src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.24
--- src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.23	Wed Aug 29 11:24:11 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/oakley.c	Wed Aug 29 11:34:37 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: oakley.c,v 1.23 2012/08/29 11:24:11 tteras Exp $	*/
+/*	$NetBSD: oakley.c,v 1.24 2012/08/29 11:34:37 tteras Exp $	*/
 
 /* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */
 
@@ -1434,7 +1434,7 @@ oakley_validate_auth(iph1)
 			}
 
 			if (error != 0) {
-plog(LLV_ERROR, LOCATION, NULL,
+plog(LLV_ERROR, LOCATION, iph1->remote,
  "the peer's certificate is not verified.\n");
 return ISAKMP_NTYPE_INVALID_CERT_AUTHORITY;
 			}



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2012-08-29 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Wed Aug 29 11:24:28 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
oakley.c

Log Message:
>From Roman Hoog Antink : do not print unnecessary warning
about non-verified certificate when using raw plain-rsa.


To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.22.2.1 \
src/crypto/dist/ipsec-tools/src/racoon/oakley.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/oakley.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.22 src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.22.2.1
--- src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.22	Thu Mar 17 14:42:58 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/oakley.c	Wed Aug 29 11:24:28 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: oakley.c,v 1.22 2011/03/17 14:42:58 vanhu Exp $	*/
+/*	$NetBSD: oakley.c,v 1.22.2.1 2012/08/29 11:24:28 tteras Exp $	*/
 
 /* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */
 
@@ -1288,6 +1288,7 @@ oakley_validate_auth(iph1)
 {
 	vchar_t *my_hash = NULL;
 	int result;
+	int no_verify_needed = -1;
 #ifdef HAVE_GSSAPI
 	vchar_t *gsshash = NULL;
 #endif
@@ -1361,8 +1362,6 @@ oakley_validate_auth(iph1)
 		plog(LLV_DEBUG, LOCATION, NULL, "HASH for PSK validated.\n");
 	}
 		break;
-	case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
-	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
 #ifdef ENABLE_HYBRID
 	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
 	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
@@ -1370,7 +1369,10 @@ oakley_validate_auth(iph1)
 	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
 	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
 	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
+		no_verify_needed = 0;
 #endif
+	case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
+	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
 	{
 		int error = 0;
 		int certtype;
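Review bot: `no_verify_needed = 0;` is now the last statement under the `#ifdef ENABLE_HYBRID` case labels and falls through into the `OAKLEY_ATTR_AUTH_METHOD_DSSSIG`/`OAKLEY_ATTR_AUTH_METHOD_RSASIG` labels below it without a marker; before the change those were bare adjacent labels, but with a statement in between `-Wimplicit-fallthrough` will flag it and a reader may take it for a missing `break`. Add `/* FALLTHROUGH */` after the assignment, inside the `#ifdef`. The meaning of the three values of the variable is only recoverable by reading all of the hunks; a comment at its declaration in the first hunk, `int no_verify_needed = -1; /* -1: undecided, 0: hybrid/xauth mode, keep the warning, 1: plain RSA key, suppress it */`, would make that explicit. The trunk commit of oakley.c (1.22 to 1.23) below carries the same hunks and the same point.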
@@ -1454,6 +1456,9 @@ oakley_validate_auth(iph1)
 		case ISAKMP_CERT_PLAINRSA:
 			if (get_plainrsa_fromlocal(iph1, 0))
 return ISAKMP_INTERNAL_ERROR;
+			/* suppress CERT validation warning, unless hybrid mode in use */
+			if (no_verify_needed == -1)
+no_verify_needed = 1;
 			break;
 		case ISAKMP_CERT_DNS:
 			/* don't use received cert */
@@ -1480,12 +1485,12 @@ oakley_validate_auth(iph1)
 		if ((error = oakley_check_certid(iph1)) != 0)
 			return error;
 
-		/* Generate a warning if verify_cert */
+		/* Generate a warning unless verify_cert */
 		if (iph1->rmconf->verify_cert) {
-			plog(LLV_DEBUG, LOCATION, NULL,
+			plog(LLV_DEBUG, LOCATION, iph1->remote,
 			 "CERT validated\n");
-		} else {
-			plog(LLV_WARNING, LOCATION, NULL,
+		} else if (no_verify_needed != 1) {
+			plog(LLV_WARNING, LOCATION, iph1->remote,
 			 "CERT validation disabled by configuration\n");
 		}
 



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2012-08-29 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Wed Aug 29 11:24:12 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: oakley.c

Log Message:
>From Roman Hoog Antink : do not print unnecessary warning
about non-verified certificate when using raw plain-rsa.


To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 src/crypto/dist/ipsec-tools/src/racoon/oakley.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/oakley.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.22 src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.23
--- src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.22	Thu Mar 17 14:42:58 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/oakley.c	Wed Aug 29 11:24:11 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: oakley.c,v 1.22 2011/03/17 14:42:58 vanhu Exp $	*/
+/*	$NetBSD: oakley.c,v 1.23 2012/08/29 11:24:11 tteras Exp $	*/
 
 /* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */
 
@@ -1288,6 +1288,7 @@ oakley_validate_auth(iph1)
 {
 	vchar_t *my_hash = NULL;
 	int result;
+	int no_verify_needed = -1;
 #ifdef HAVE_GSSAPI
 	vchar_t *gsshash = NULL;
 #endif
@@ -1361,8 +1362,6 @@ oakley_validate_auth(iph1)
 		plog(LLV_DEBUG, LOCATION, NULL, "HASH for PSK validated.\n");
 	}
 		break;
-	case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
-	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
 #ifdef ENABLE_HYBRID
 	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
 	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
@@ -1370,7 +1369,10 @@ oakley_validate_auth(iph1)
 	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
 	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
 	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
+		no_verify_needed = 0;
 #endif
+	case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
+	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
 	{
 		int error = 0;
 		int certtype;
@@ -1454,6 +1456,9 @@ oakley_validate_auth(iph1)
 		case ISAKMP_CERT_PLAINRSA:
 			if (get_plainrsa_fromlocal(iph1, 0))
 return ISAKMP_INTERNAL_ERROR;
+			/* suppress CERT validation warning, unless hybrid mode in use */
+			if (no_verify_needed == -1)
+no_verify_needed = 1;
 			break;
 		case ISAKMP_CERT_DNS:
 			/* don't use received cert */
@@ -1480,12 +1485,12 @@ oakley_validate_auth(iph1)
 		if ((error = oakley_check_certid(iph1)) != 0)
 			return error;
 
-		/* Generate a warning if verify_cert */
+		/* Generate a warning unless verify_cert */
 		if (iph1->rmconf->verify_cert) {
-			plog(LLV_DEBUG, LOCATION, NULL,
+			plog(LLV_DEBUG, LOCATION, iph1->remote,
 			 "CERT validated\n");
-		} else {
-			plog(LLV_WARNING, LOCATION, NULL,
+		} else if (no_verify_needed != 1) {
+			plog(LLV_WARNING, LOCATION, iph1->remote,
 			 "CERT validation disabled by configuration\n");
 		}
 



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2012-08-29 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Wed Aug 29 08:55:27 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
isakmp.c

Log Message:
>From Rainer Weikusat : Release unused
phase2 of passive remotes after acquire.


To generate a diff of this commit:
cvs rdiff -u -r1.71.2.1 -r1.71.2.2 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.71.2.1 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.71.2.2
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.71.2.1	Wed Aug 29 08:54:00 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Wed Aug 29 08:55:26 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.c,v 1.71.2.1 2012/08/29 08:54:00 tteras Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.71.2.2 2012/08/29 08:55:26 tteras Exp $	*/
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
@@ -2186,7 +2186,7 @@ isakmp_post_acquire(iph2, iph1hint, nopa
 			"because of passive mode, "
 			"ignore the acquire message for %s.\n",
 			saddrwop2str(iph2->dst));
-		return 0;
+		return -1;
 	}
 
 	/*
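Review bot: Changing the passive-mode path to `return -1` turns a deliberately ignored acquire into the failure return, so every caller of isakmp_post_acquire now takes its error branch for this case; the log message says the intent is that the caller releases the unused phase 2 handle, but the callers are outside this hunk and should be checked so none of them also reports it as an error or retries. The plog text on the lines above still says "ignore the acquire message", which now reads oddly next to an error return, so a comment such as `/* not a failure: the caller drops the unused phase2 handle */` next to the return would document the new contract. The enclosing function continues outside the hunk.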



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2012-08-29 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Wed Aug 29 08:54:00 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
isakmp.c

Log Message:
>From Wolfgang Schmieder : setup phase1
port properly.


To generate a diff of this commit:
cvs rdiff -u -r1.71 -r1.71.2.1 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.71 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.71.2.1
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.71	Tue Mar 15 13:20:14 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Wed Aug 29 08:54:00 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.c,v 1.71 2011/03/15 13:20:14 vanhu Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.71.2.1 2012/08/29 08:54:00 tteras Exp $	*/
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
@@ -2943,7 +2943,7 @@ copy_ph1addresses(iph1, rmconf, remote, 
 		port = myaddr_getsport(iph1->local);
 		if (port == 0)
 			port = PORT_ISAKMP;
-		set_port(iph1->local, PORT_ISAKMP);
+		set_port(iph1->local, port);
 	}
 
 #ifdef ENABLE_NATT
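Review bot: The fix applies the computed `port`, but the fallback on the line above it still uses the `PORT_ISAKMP` constant, whereas the trunk change to copy_ph1addresses in this same file (isakmp.c 1.73 to 1.74, further down this page) falls back to `lcconf->port_isakmp` for the remote side; if a non-default ISAKMP port is configured, the local and remote defaults can disagree. If the branch has that field, `port = lcconf->port_isakmp;` would keep both sides consistent. The rest of copy_ph1addresses lies outside the hunk.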



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2012-08-29 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Wed Aug 29 08:42:25 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
cfparse.y cftoken.l racoon.conf.5

Log Message:
Allow inherited remote blocks without additional remote statements to be
specified in a simpler way. patch by Roman Hoog Antink 


To generate a diff of this commit:
cvs rdiff -u -r1.42 -r1.42.2.1 \
src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
cvs rdiff -u -r1.23 -r1.23.2.1 \
src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
cvs rdiff -u -r1.61 -r1.61.4.1 \
src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.42 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.42.2.1
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.42	Mon Mar 14 15:50:36 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Wed Aug 29 08:42:24 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.42 2011/03/14 15:50:36 vanhu Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.42.2.1 2012/08/29 08:42:24 tteras Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -172,6 +172,76 @@ static int load_x509(const char *file, c
 	return 0;
 }
 
+static int process_rmconf()
+{
+
+	/* check a exchange mode */
+	if (cur_rmconf->etypes == NULL) {
+		yyerror("no exchange mode specified.\n");
+		return -1;
+	}
+
+	if (cur_rmconf->idvtype == IDTYPE_UNDEFINED)
+		cur_rmconf->idvtype = IDTYPE_ADDRESS;
+
+	if (cur_rmconf->idvtype == IDTYPE_ASN1DN) {
+		if (cur_rmconf->mycertfile) {
+			if (cur_rmconf->idv)
+yywarn("Both CERT and ASN1 ID "
+   "are set. Hope this is OK.\n");
+			/* TODO: Preparse the DN here */
+		} else if (cur_rmconf->idv) {
+			/* OK, using asn1dn without X.509. */
+		} else {
+			yyerror("ASN1 ID not specified "
+"and no CERT defined!\n");
+			return -1;
+		}
+	}
+
+	if (duprmconf_finish(cur_rmconf))
+		return -1;
+
+	if (set_isakmp_proposal(cur_rmconf) != 0)
+		return -1;
+
+	/* DH group settting if aggressive mode is there. */
+	if (check_etypeok(cur_rmconf, (void*) ISAKMP_ETYPE_AGG)) {
+		struct isakmpsa *p;
+		int b = 0;
+
+		/* DH group */
+		for (p = cur_rmconf->proposal; p; p = p->next) {
+			if (b == 0 || (b && b == p->dh_group)) {
+b = p->dh_group;
+continue;
+			}
+			yyerror("DH group must be equal "
+"in all proposals "
+"when aggressive mode is "
+"used.\n");
+			return -1;
+		}
+		cur_rmconf->dh_group = b;
+
+		if (cur_rmconf->dh_group == 0) {
+			yyerror("DH group must be set in the proposal.\n");
+			return -1;
+		}
+
+		/* DH group settting if PFS is required. */
+		if (oakley_setdhgroup(cur_rmconf->dh_group,
+&cur_rmconf->dhgrp) < 0) {
+			yyerror("failed to set DH value.\n");
+			return -1;
+		}
+	}
+
+	insrmconf(cur_rmconf);
+
+	return 0;
+}
+
 %}
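Review bot: `static int process_rmconf()` is declared with empty parentheses, which in C is an old-style declaration with unspecified arguments; since the body is being moved anyway, `static int process_rmconf(void)` is the correct prototype. In the aggressive-mode DH loop, `b && b == p->dh_group` is equivalent to `b == p->dh_group` once `b == 0` has been tested first, so the condition can read `if (b == 0 || b == p->dh_group)`. Both points concern moved rather than new code, so a separate cleanup commit would also be fine. On any failure the function returns -1 without releasing `cur_rmconf`; whether the grammar actions that call it free the handle is not visible here.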
 
 %union {
@@ -1643,7 +1713,7 @@ remote_statement
 			vfree($2);
 			vfree($4);
 		}
-		remote_specs_block
+		remote_specs_inherit_block
 	| REMOTE QUOTEDSTRING
 		{
 			struct remoteconf *new;
@@ -1686,7 +1756,7 @@ remote_statement
 			new->remote = $2;
 			cur_rmconf = new;
 		}
-		remote_specs_block
+		remote_specs_inherit_block
 	|	REMOTE remote_index
 		{
 			struct remoteconf *new;
@@ -1703,81 +1773,20 @@ remote_statement
 		remote_specs_block
 	;
 
-remote_specs_block
-	:	BOC remote_specs EOC
+remote_specs_inherit_block
+	:	remote_specs_block
+	|	EOS /* inheritance without overriding any settings */
 		{
-			/* check a exchange mode */
-			if (cur_rmconf->etypes == NULL) {
-yyerror("no exchange mode specified.\n");
-return -1;
-			}
-
-			if (cur_rmconf->idvtype == IDTYPE_UNDEFINED)
-cur_rmconf->idvtype = IDTYPE_ADDRESS;
-
-			if (cur_rmconf->idvtype == IDTYPE_ASN1DN) {
-if (cur_rmconf->mycertfile) {
-	if (cur_rmconf->idv)
-		yywarn("Both CERT and ASN1 ID "
-		   "are set. Hope this is OK.\n");
-	/* TODO: Preparse the DN here */
-} else if (cur_rmconf->idv) {
-	/* OK, using asn1dn without X.509. */
-} else {
-	yyerror("ASN1 ID not specified "
-		"and no CERT defined!\n");
-	return -1;
-}
-			}
-
-			if (duprmconf_finish(cur_rmconf))
+			if (process_rmconf() != 0)
 return -1;
+		}
+	;
 
-#if 0
-			/* this pointer copy will never happen, because duprmconf_shallow
-			 * already copied all pointers.
-			 */
-			if (cur_rmconf->spspec == NULL &&
-			cur_rmconf->inherited_from != NULL) {
-cur_rmconf->spspec = cur_rmconf->inherited_from->spspec;
-			}
-#endif
-			if (set_isakmp_proposal(cur_rmconf) != 0)
+remote_specs_block
+	:	BOC remote_specs EOC
+		{
+			if (process_rmconf() != 0)
 return -1;
-
-			/* DH group settting if aggressive mode is there. */
-			if (check_etypeok(cur_rmconf, (void*) ISAKMP_ETYPE_AGG)) {
-struct isakmpsa *p;
-int b = 0;

CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2012-08-23 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Thu Aug 23 11:46:06 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
crypto_openssl.c

Log Message:
>From Nakano Takaharu: Fix bignum memory allocation.


To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.20.4.1 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.20 src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.20.4.1
--- src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.20	Wed Oct 20 13:40:02 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c	Thu Aug 23 11:46:06 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.c,v 1.20 2010/10/20 13:40:02 tteras Exp $	*/
+/*	$NetBSD: crypto_openssl.c,v 1.20.4.1 2012/08/23 11:46:06 tteras Exp $	*/
 
 /* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
 
@@ -2501,7 +2501,7 @@ eay_bn2v(var, bn)
 	vchar_t **var;
 	BIGNUM *bn;
 {
-	*var = vmalloc(bn->top * BN_BYTES);
+	*var = vmalloc(BN_num_bytes(bn));
 	if (*var == NULL)
 		return(-1);
 
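Review bot: With the buffer now sized to exactly `BN_num_bytes(bn)`, a zero-valued `bn` gives a size of 0, and whether `vmalloc(0)` returns an empty vchar_t or NULL decides whether the next line reports it as an allocation failure; if zero is a possible input here, handle it explicitly before the allocation, e.g. `if (BN_is_zero(bn)) { /* empty result */ }`. The copy that follows (outside the hunk, presumably BN_bn2bin) writes exactly that many bytes, so the size now matches the data, whereas `bn->top * BN_BYTES` was only guaranteed to be at least as large. The rest of eay_bn2v is outside the hunk.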



CVS commit: src/crypto/dist/ipsec-tools

2012-01-10 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Jan 10 12:07:30 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools: configure.ac
src/crypto/dist/ipsec-tools/src/racoon: isakmp_unity.c

Log Message:
>From Rainer Weikusat : Enhance splitnet
environment variable string value generation.


To generate a diff of this commit:
cvs rdiff -u -r1.10 -r1.11 src/crypto/dist/ipsec-tools/configure.ac
cvs rdiff -u -r1.10 -r1.11 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/configure.ac
diff -u src/crypto/dist/ipsec-tools/configure.ac:1.10 src/crypto/dist/ipsec-tools/configure.ac:1.11
--- src/crypto/dist/ipsec-tools/configure.ac:1.10	Fri Jan 23 08:25:06 2009
+++ src/crypto/dist/ipsec-tools/configure.ac	Tue Jan 10 12:07:30 2012
@@ -112,7 +112,7 @@ esac
 AC_HEADER_STDC
 AC_HEADER_SYS_WAIT
 AC_CHECK_HEADERS(limits.h sys/time.h unistd.h stdarg.h varargs.h)
-AC_CHECK_HEADERS(shadow.h)
+AC_CHECK_HEADERS(shadow.h strings.h)
 
 # Checks for typedefs, structures, and compiler characteristics.
 AC_C_CONST

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c:1.10 src/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c:1.11
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c:1.10	Sun Jan  1 17:31:42 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c	Tue Jan 10 12:07:30 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_unity.c,v 1.10 2012/01/01 17:31:42 tteras Exp $	*/
+/*	$NetBSD: isakmp_unity.c,v 1.11 2012/01/10 12:07:30 tteras Exp $	*/
 
 /* Id: isakmp_unity.c,v 1.10 2006/07/31 04:49:23 manubsd Exp */
 
@@ -62,6 +62,9 @@
 #endif
 #include 
 #include 
+#ifdef HAVE_STRINGS_H
+#include 
+#endif
 
 #include "var.h"
 #include "misc.h"
@@ -399,16 +402,17 @@ char * splitnet_list_2str(list, splitnet
 	while (netentry != NULL) {
 
 		inet_ntop(AF_INET, &netentry->network.addr4, tmp1, 40);
-		inet_ntop(AF_INET, &netentry->network.mask4, tmp2, 40);
 		if (splitnet_ipaddr == CIDR) {
 			uint32_t tmp3;
 			int cidrmask;
 
 			tmp3 = ntohl(netentry->network.mask4.s_addr);
-			for (cidrmask = 0; tmp3 != 0; cidrmask++)
-tmp3 <<= 1;
+			cidrmask = 33 - ffs(tmp3);
+			if (cidrmask == 33) cidrmask = 0;
+			
 			len += sprintf(str+len, "%s/%d ", tmp1, cidrmask);
 		} else {
+			inet_ntop(AF_INET, &netentry->network.mask4, tmp2, 40);
 			len += sprintf(str+len, "%s/%s ", tmp1, tmp2);
 		}
 
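Review bot: `cidrmask = 33 - ffs(tmp3)` assumes the mask is contiguous; for a mask with a hole (255.0.255.0, say) `ffs` finds the lowest set bit and the entry is silently rendered as a prefix length that does not describe the mask, a limitation the old shift loop shared. If these entries originate from the peer, a contiguity check before the conversion, `if ((tmp3 | (tmp3 - 1)) != 0xffffffffU) plog(LLV_WARNING, LOCATION, NULL, "non-contiguous split network mask\n");` followed by a fall back to the dotted form, would stop a malformed mask from reaching the script as a wrong route. `ffs` takes an `int`; passing the uint32_t relies on an implementation-defined conversion that preserves the bit pattern on common targets, and `ffs((int)tmp3)` would make that explicit. The enclosing function splitnet_list_2str starts before the hunk.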



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2012-01-01 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Sun Jan  1 17:32:04 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
isakmp_unity.c

Log Message:
>From Rainer Weikusat : Fix one byte too
short memory allocation in isakmp_unity.c:splitnet_list_2str().


To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.9.18.1 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c:1.9 src/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c:1.9.18.1
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c:1.9	Fri Oct 19 03:37:19 2007
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c	Sun Jan  1 17:32:04 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_unity.c,v 1.9 2007/10/19 03:37:19 manu Exp $	*/
+/*	$NetBSD: isakmp_unity.c,v 1.9.18.1 2012/01/01 17:32:04 tteras Exp $	*/
 
 /* Id: isakmp_unity.c,v 1.10 2006/07/31 04:49:23 manubsd Exp */
 
@@ -387,8 +387,9 @@ char * splitnet_list_2str(list, splitnet
 		netentry = netentry->next;
 	}
 
-	/* allocate network list string */
-	str = racoon_malloc(len);
+	/* allocate network list string; we need the extra byte temporarily
+	 * as sprintf() will write trailing 0-byte after the space. */
+	str = racoon_malloc(len + 1);
 	if (str == NULL)
 		return NULL;
 
@@ -414,6 +415,7 @@ char * splitnet_list_2str(list, splitnet
 		netentry = netentry->next;
 	}
 
+	/* trim the string to not have trailing spaces */
 	str[len-1]=0;
 
 	return str;
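Review bot: `str[len-1]=0` trims the trailing space by overwriting it, which is only valid when at least one entry was formatted; if the list can be empty and `len` is then 0 (its initial value is set outside the hunk), the write lands before the buffer. A guard `if (len > 0) str[len-1] = 0; else str[0] = 0;` covers that case, and the `len + 1` allocation from the first hunk guarantees the byte for the empty case. The same hunks appear in the trunk commit of isakmp_unity.c (1.9 to 1.10) below.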



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2012-01-01 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Sun Jan  1 17:31:42 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_unity.c

Log Message:
>From Rainer Weikusat : Fix one byte too
short memory allocation in isakmp_unity.c:splitnet_list_2str().


To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c:1.9 src/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c:1.10
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c:1.9	Fri Oct 19 03:37:19 2007
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c	Sun Jan  1 17:31:42 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_unity.c,v 1.9 2007/10/19 03:37:19 manu Exp $	*/
+/*	$NetBSD: isakmp_unity.c,v 1.10 2012/01/01 17:31:42 tteras Exp $	*/
 
 /* Id: isakmp_unity.c,v 1.10 2006/07/31 04:49:23 manubsd Exp */
 
@@ -387,8 +387,9 @@ char * splitnet_list_2str(list, splitnet
 		netentry = netentry->next;
 	}
 
-	/* allocate network list string */
-	str = racoon_malloc(len);
+	/* allocate network list string; we need the extra byte temporarily
+	 * as sprintf() will write trailing 0-byte after the space. */
+	str = racoon_malloc(len + 1);
 	if (str == NULL)
 		return NULL;
 
@@ -414,6 +415,7 @@ char * splitnet_list_2str(list, splitnet
 		netentry = netentry->next;
 	}
 
+	/* trim the string to not have trailing spaces */
 	str[len-1]=0;
 
 	return str;



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2012-01-01 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Sun Jan  1 16:14:11 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y

Log Message:
>From Wolfgang Schmieder : Fix default NAT-T
port for listen { isakmp_natt } config directive.


To generate a diff of this commit:
cvs rdiff -u -r1.46 -r1.47 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.46 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.47
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.46	Sun Jan  1 15:44:06 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Sun Jan  1 16:14:11 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.46 2012/01/01 15:44:06 tteras Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.47 2012/01/01 16:14:11 tteras Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -359,6 +359,8 @@ static const char error_message_dpd_not_
 %type  identifierstring
 %type  remote_index ike_addrinfo_port
 %type  algorithm
+%type  ike_addrinfo_port_natt
+%type  ike_port_natt
 
 %%
 
@@ -536,7 +538,7 @@ listen_stmt
 			racoon_free($2);
 		}
 		EOS
-	|	X_ISAKMP_NATT ike_addrinfo_port
+	|	X_ISAKMP_NATT ike_addrinfo_port_natt
 		{
 #ifdef ENABLE_NATT
 			myaddr_listen($2, TRUE);
@@ -591,11 +593,36 @@ ike_addrinfo_port
 ABORT();
 		}
 	;
+ike_addrinfo_port_natt
+	:	ADDRSTRING ike_port_natt
+		{
+			char portbuf[10];
+
+			snprintf(portbuf, sizeof(portbuf), "%ld", $2);
+			$$ = str2saddr($1->v, portbuf);
+			
+			vfree($1);
+			if (!$$)
+ABORT();
+		}
+	;
 ike_port
 	:	/* nothing */	{	$$ = lcconf->port_isakmp; }
 	|	PORT		{ $$ = $1; } 
 	;
-
+ike_port_natt
+	:	/* nothing */ 
+		{ 
+			$$ = lcconf->port_isakmp_natt;  
+		}
+	|	PORT 
+		{ 
+			$$ = $1; 
+#ifndef ENABLE_NATT
+			yywarn(error_message_natt_not_compiled_in);
+#endif			 
+		}
+	;
 	/* radius configuration */
 radcfg_statement
 	:	RADCFG {



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2012-01-01 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Sun Jan  1 15:57:31 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: handler.c isakmp.c pfkey.c
remoteconf.c

Log Message:
>From Wolfgang Schmieder : Fix various typos in
comments and log messages. Fix default port used in copy_ph1addresses().


To generate a diff of this commit:
cvs rdiff -u -r1.40 -r1.41 src/crypto/dist/ipsec-tools/src/racoon/handler.c
cvs rdiff -u -r1.73 -r1.74 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.57 -r1.58 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c
cvs rdiff -u -r1.27 -r1.28 \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/handler.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.40 src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.41
--- src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.40	Thu Nov 17 14:41:55 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.c	Sun Jan  1 15:57:31 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.c,v 1.40 2011/11/17 14:41:55 vanhu Exp $	*/
+/*	$NetBSD: handler.c,v 1.41 2012/01/01 15:57:31 tteras Exp $	*/
 
 /* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */
 
@@ -213,7 +213,7 @@ getph1(ph1hint, local, remote, flags)
 			(ph1hint->id->l != p->id->l ||
 			 memcmp(ph1hint->id->v, p->id->v, p->id->l) != 0)) {
 plog(LLV_DEBUG2, LOCATION, NULL,
- "local identity does match hint\n");
+ "local identity does not match hint\n");
 continue;
 			}
 			if (ph1hint->id_p && ph1hint->id_p->l &&
@@ -221,7 +221,7 @@ getph1(ph1hint, local, remote, flags)
 			(ph1hint->id_p->l != p->id_p->l ||
 			 memcmp(ph1hint->id_p->v, p->id_p->v, p->id_p->l) != 0)) {
 plog(LLV_DEBUG2, LOCATION, NULL,
- "remote identity does match hint\n");
+ "remote identity does not match hint\n");
 continue;
 			}
 		}

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.73 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.74
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.73	Tue Oct 11 14:50:15 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Sun Jan  1 15:57:31 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.c,v 1.73 2011/10/11 14:50:15 tteras Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.74 2012/01/01 15:57:31 tteras Exp $	*/
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
@@ -624,7 +624,7 @@ isakmp_main(msg, remote, local)
 		/*
 		 * iph1 must be present for Information message.
 		 * if iph1 is null then trying to get the phase1 status
-		 * as the packet from responder againt initiator's 1st
+		 * as the packet from responder again initiator's 1st
 		 * exchange in phase 1.
 		 * NOTE: We think such informational exchange should be ignored.
 		 */
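Review bot: The comment fix on the `againt` line now reads `as the packet from responder again initiator's 1st exchange`, which does not parse; the intended word is most likely `against`, i.e. `* as the packet from responder against initiator's 1st`. Worth correcting while the typo pass is open. The enclosing function isakmp_main starts outside the hunk.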
@@ -2358,7 +2358,7 @@ isakmp_chkph1there(iph2)
 		plog(LLV_ERROR, LOCATION, iph2->dst,
 			"phase2 negotiation failed "
 			"due to time up waiting for phase1. %s\n",
-			sadbsecas2str(iph2->dst, iph2->src,
+			sadbsecas2str(iph2->src, iph2->dst,
 iph2->satype, 0, 0));
 		plog(LLV_INFO, LOCATION, NULL,
 			"delete phase 2 handler.\n");
@@ -2909,7 +2909,7 @@ copy_ph1addresses(iph1, rmconf, remote, 
 	struct remoteconf *rmconf;
 	struct sockaddr *remote, *local;
 {
-	u_int16_t port;
+	u_int16_t port = 0;
 
 	/* address portion must be grabbed from real remote address "remote" */
 	iph1->remote = dupsaddr(remote);
@@ -2919,7 +2919,7 @@ copy_ph1addresses(iph1, rmconf, remote, 
 	/*
 	 * if remote has no port # (in case of initiator - from ACQUIRE msg)
 	 * - if remote.conf specifies port #, use that
-	 * - if remote.conf does not, use 500
+	 * - if remote.conf does not, use lcconf->port_isakmp
 	 * if remote has port # (in case of responder - from recvfrom(2))
 	 * respect content of "remote".
 	 */
@@ -2928,7 +2928,7 @@ copy_ph1addresses(iph1, rmconf, remote, 
 		if (rmconf != NULL)
 			port = extract_port(rmconf->remote);
 		if (port == 0)
-			port = PORT_ISAKMP;
+			port = lcconf->port_isakmp;
 		set_port(iph1->remote, port);
 	}
 
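Review bot: The fallback for a remote address with no port now uses `lcconf->port_isakmp`, i.e. the local listen port, as the peer's port; that is right for symmetrically configured peers but is a behaviour change for anyone running a non-default local `isakmp` port against a peer that still listens on 500, and nothing on the line records the assumption. A why-comment would help: `/* no port known for the peer: assume it listens on the same port we do */`. The `port = 0` initialisation in the earlier hunk is what makes the `port == 0` test safe when `rmconf` is NULL, which is worth stating in the commit log. copy_ph1addresses starts and ends outside this hunk.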

Index: src/crypto/dist/ipsec-tools/src/racoon/pfkey.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.57 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.58
--- src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.57	Tue Mar 15 13:20:14 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/pfkey.c	Sun Jan  1 15:57:31 2012
@@ -1,6 +1,6 @@
-/*	$NetBSD: pfkey.c,v 1.57 2011/03/15 13:20:14 vanhu Exp $	*/
+/*	$NetBSD: pfkey.c,v 1.58 2012/01/01 15:57:31 tteras Exp $	*/
 
-/* $Id: pfkey.c,v 1.57 2011/03/15 13:20:14 vanhu Exp $ */
+/* $Id: pfkey.c,v 1.58 2012/01/01 15:57:31 tteras Exp $ */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -1853,8 +1853,8 @@ pk_recvacquire(mhp)
 	 *   should ignore such a acquire message because the phase 2
 	 *

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2012-01-01 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Sun Jan  1 15:54:51 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c

Log Message:
Fix myaddr_getsport() to return -1 if no suitable address is found. This is
used in pfkey.c:pk_recvacquire() to check if IKE negotiation should be
started or not.


To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.29 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.28 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.29
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.28	Mon Mar 14 17:18:12 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Sun Jan  1 15:54:51 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.28 2011/03/14 17:18:12 tteras Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.29 2012/01/01 15:54:51 tteras Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras .
@@ -280,7 +280,7 @@ myaddr_getsport(addr)
 			return extract_port((struct sockaddr *) &my->addr);
 	}
 
-	return PORT_ISAKMP;
+	return -1;
 }
 
 void
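Review bot: Returning -1 from myaddr_getsport only works for callers that keep the result in a signed type; copy_ph1addresses in isakmp.c stores it in `u_int16_t port` and then tests `if (port == 0)` (see the 2011-10-11 hunk further down), so there -1 becomes 65535, passes the zero check, and would be handed to `set_port(iph1->local, port)` — unless that caller was updated in the same batch, which the 2012-01-01 isakmp.c hunks shown here do not cover (they touch only the remote-port branch). Either audit every caller for `< 0` handling, e.g. `int port = myaddr_getsport(iph1->local); if (port <= 0) port = lcconf->port_isakmp;`, or keep an in-band sentinel the existing `== 0` tests already catch. A one-line comment above the return, `/* -1: no matching local address; callers must test for < 0, not == 0 */`, would make the new contract visible.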



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2012-01-01 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Sun Jan  1 15:44:06 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y

Log Message:
Fix the previous commit.


To generate a diff of this commit:
cvs rdiff -u -r1.45 -r1.46 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.45 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.46
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.45	Sun Jan  1 15:29:28 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Sun Jan  1 15:44:06 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.45 2012/01/01 15:29:28 tteras Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.46 2012/01/01 15:44:06 tteras Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -1267,7 +1267,7 @@ authgroup
 			groupname = racoon_malloc($1->l+1);
 			if (groupname == NULL) {
 yyerror("unable to allocate auth group name");
-ABORT_AND_VFREE, $1);
+ABORT_AND_VFREE($1);
 			}
 
 			memcpy(groupname,$1->v,$1->l);



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2012-01-01 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Sun Jan  1 15:29:28 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y cftoken.l
cftoken_proto.h ipsec_doi.c ipsec_doi.h localconf.c localconf.h
remoteconf.c sainfo.c

Log Message:
From Wolfgang Schmieder: Fix memory leaks from
configuration reading code, and clean up error handling.


To generate a diff of this commit:
cvs rdiff -u -r1.44 -r1.45 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
cvs rdiff -u -r1.25 -r1.26 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
cvs rdiff -u -r1.4 -r1.5 \
src/crypto/dist/ipsec-tools/src/racoon/cftoken_proto.h
cvs rdiff -u -r1.46 -r1.47 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
cvs rdiff -u -r1.12 -r1.13 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.h
cvs rdiff -u -r1.7 -r1.8 src/crypto/dist/ipsec-tools/src/racoon/localconf.c \
src/crypto/dist/ipsec-tools/src/racoon/localconf.h
cvs rdiff -u -r1.26 -r1.27 \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
cvs rdiff -u -r1.14 -r1.15 src/crypto/dist/ipsec-tools/src/racoon/sainfo.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.44 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.45
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.44	Tue Nov 15 13:51:23 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Sun Jan  1 15:29:28 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.44 2011/11/15 13:51:23 tteras Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.45 2012/01/01 15:29:28 tteras Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -137,10 +137,10 @@ static int num2dhgroup[] = {
 	OAKLEY_ATTR_GRP_DESC_MODP8192
 };
 
-static struct remoteconf *cur_rmconf;
-static int tmpalgtype[MAXALGCLASS];
-static struct sainfo *cur_sainfo;
-static int cur_algclass;
+static struct remoteconf *cur_rmconf = NULL;
+static int tmpalgtype[MAXALGCLASS] = {0};
+static struct sainfo *cur_sainfo = NULL;
+static int cur_algclass = 0;
 static int oldloglevel = LLV_BASE;
 
 static struct secprotospec *newspspec __P((void));
@@ -238,10 +238,39 @@ static int process_rmconf()
 	}
 
 	insrmconf(cur_rmconf);
+	cur_rmconf = NULL; 
 
 	return 0;
 }
 
+/* some frequently used warning texts */
+static const char error_message_hybrid_config_not_configured[] = "racoon not configured with --enable-hybrid\n";
+static const char error_message_ldap_config_not_configured[]   = "racoon not configured with --with-libldap\n";
+static const char error_message_admin_port_not_compiled_in[] = "admin port support not compiled in\n";
+static const char error_message_natt_not_compiled_in[] = "NAT-T support not compiled in\n";
+static const char error_message_dpd_not_compiled_in[] = "DPD support not compiled in\n";
+
+/* macros for aborting the parsing with freeing up allocated memory */
+#define ABORT_CLEANUP {delrmconf(cur_rmconf); delsainfo(cur_sainfo); YYABORT;}
+#define ABORT() ABORT_CLEANUP
+
+#define ABORT_AND_VFREE(val0) {\
+	vfree(val0); val0 = NULL;\
+	ABORT_CLEANUP}
+	
+#define ABORT_AND_RACOON_FREE(val0) {\
+	racoon_free(val0); val0 = NULL;\
+	ABORT_CLEANUP}
+
+#define ABORT_AND_VFREE2(val0, val1) {\
+	vfree(val0); val0 = NULL;\
+	vfree(val1); val1 = NULL;\
+	ABORT_CLEANUP}
+
+#define ABORT_AND_RACOON_FREE2(val0, val1) {\
+	racoon_free(val0); val0 = NULL;\
+	racoon_free(val1); val1 = NULL;\
+	ABORT_CLEANUP}
 %}
 
 %union {
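Review bot: ABORT_CLEANUP expands to a bare `{ ... }` block rather than `do { ... } while (0)`, so `if (x) ABORT(); else ...` would not parse, and the `val0 = NULL` assignments in the ABORT_AND_* variants are dead because YYABORT jumps out immediately afterwards. More importantly, after `delrmconf(cur_rmconf); delsainfo(cur_sainfo);` the two static pointers keep their freed values; if the parser is re-entered later (racoon re-reads its configuration on reload) the next error path would free them again. Suggest `#define ABORT_CLEANUP do { delrmconf(cur_rmconf); cur_rmconf = NULL; delsainfo(cur_sainfo); cur_sainfo = NULL; YYABORT; } while (0)`, which assumes delrmconf/delsainfo tolerate NULL — the macro as written already relies on that, since cur_sainfo is NULL while a remote block is being parsed.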
@@ -366,47 +395,55 @@ privsep_stmts
 privsep_stmt
 	:	USER QUOTEDSTRING
 		{
-			struct passwd *pw;
+			struct passwd *pw = getpwnam($2->v);
+			vfree($2);
 
-			if ((pw = getpwnam($2->v)) == NULL) {
+			if (pw == NULL) {
 yyerror("unknown user \"%s\"", $2->v);
-return -1;
+ABORT();
 			}
+			
 			lcconf->uid = pw->pw_uid;
 		} 
 		EOS
 	|	USER NUMBER { lcconf->uid = $2; } EOS
 	|	GROUP QUOTEDSTRING
 		{
-			struct group *gr;
+			struct group *gr = getgrnam($2->v);
+			vfree($2);
 
-			if ((gr = getgrnam($2->v)) == NULL) {
+			if (gr == NULL) {
 yyerror("unknown group \"%s\"", $2->v);
-return -1;
+ABORT();
 			}
+
 			lcconf->gid = gr->gr_gid;
 		}
 		EOS
 	|	GROUP NUMBER { lcconf->gid = $2; } EOS
-	|	CHROOT QUOTEDSTRING { lcconf->chroot = $2->v; } EOS
+	|	CHROOT QUOTEDSTRING 
+		{ 
+			lcconf_setchroot(racoon_strdup($2->v));
+			vfree($2);	
+		} EOS
 	;
 
 	/* path */
 path_statement
 	:	PATH PATHTYPE QUOTEDSTRING
 		{
-			if ($2 >= LC_PATHTYPE_MAX) {
+			char * path = racoon_strdup($3->v);
+
+			if (path == NULL) {
+yyerror("copy string fatal error: %s", $3->v);
+ABORT_AND_VFREE($3);
+			}
+			
+			if (lcconf_setpath(path, $2) < 0) {
 yyerror("invalid path type %d", $2);
-return -1;
+ABORT_AND_VFREE($3);
 			}
 
-			/* free old pathinfo */
-			if (lcconf->pathinfo[$2])
-racoon_free(lcconf->pathinfo[$2]);
-
-			/* set new pathinfo */
-
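Review bot: In the USER QUOTEDSTRING action `vfree($2)` now runs before `yyerror("unknown user \"%s\"", $2->v)`, so the error message reads `$2->v` from freed memory; the GROUP QUOTEDSTRING action has the same ordering. Free the token only once it is no longer needed, e.g. `if (pw == NULL) { yyerror("unknown user \"%s\"", $2->v); ABORT_AND_VFREE($2); } vfree($2);`, and likewise for `gr`. In path_statement the `racoon_strdup` result `path` is not released when `lcconf_setpath` fails, unless lcconf_setpath takes ownership even on error — worth confirming against localconf.c. This hunk is truncated in the listing, so the remainder of path_statement is not visible.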

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-11-15 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Nov 15 13:51:24 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y cftoken.l
isakmp_xauth.c isakmp_xauth.h racoon.conf.5

Log Message:
From Vincent Bernat: TLS support for LDAP


To generate a diff of this commit:
cvs rdiff -u -r1.43 -r1.44 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
cvs rdiff -u -r1.24 -r1.25 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
cvs rdiff -u -r1.23 -r1.24 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
cvs rdiff -u -r1.7 -r1.8 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h
cvs rdiff -u -r1.62 -r1.63 \
src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.43 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.44
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.43	Fri Aug 19 05:36:47 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Tue Nov 15 13:51:23 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.43 2011/08/19 05:36:47 tteras Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.44 2011/11/15 13:51:23 tteras Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -267,7 +267,7 @@ static int process_rmconf()
 	/* listen */
 %token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED
 	/* ldap config */
-%token LDAPCFG LDAP_HOST LDAP_PORT LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
+%token LDAPCFG LDAP_HOST LDAP_PORT LDAP_TLS LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
 %token LDAP_ATTR_USER LDAP_ATTR_ADDR LDAP_ATTR_MASK LDAP_ATTR_GROUP LDAP_ATTR_MEMBER
 	/* radius config */
 %token RADCFG RAD_AUTH RAD_ACCT RAD_TIMEOUT RAD_RETRIES
@@ -720,6 +720,15 @@ ldapcfg_stmt
 #endif
 		}
 		EOS
+	|	LDAP_TLS SWITCH
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+			xauth_ldap_config.tls = $2;
+#endif
+#endif
+		}
+		EOS
 	|	LDAP_BASE QUOTEDSTRING
 		{
 #ifdef ENABLE_HYBRID

Index: src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
diff -u src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.24 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.25
--- src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.24	Fri Aug 19 05:36:47 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/cftoken.l	Tue Nov 15 13:51:23 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: cftoken.l,v 1.24 2011/08/19 05:36:47 tteras Exp $	*/
+/*	$NetBSD: cftoken.l,v 1.25 2011/11/15 13:51:23 tteras Exp $	*/
 
 /* Id: cftoken.l,v 1.53 2006/08/22 18:17:17 manubsd Exp */
 
@@ -226,6 +226,7 @@ hexstring	0x{hexdigit}+
 version		{ YYD; return(LDAP_PVER); }
 host		{ YYD; return(LDAP_HOST); }
 port		{ YYD; return(LDAP_PORT); }
+tls		{ YYD; return(LDAP_TLS); }
 base		{ YYD; return(LDAP_BASE); }
 subtree		{ YYD; return(LDAP_SUBTREE); }
 bind_dn		{ YYD; return(LDAP_BIND_DN); }

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.23 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.24
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.23	Sun May 15 17:13:23 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Tue Nov 15 13:51:23 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.23 2011/05/15 17:13:23 christos Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.24 2011/11/15 13:51:23 tteras Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -802,6 +802,7 @@ xauth_ldap_init_conf(void)
 	xauth_ldap_config.pver = 3;
 	xauth_ldap_config.host = NULL;
 	xauth_ldap_config.port = LDAP_PORT;
+	xauth_ldap_config.tls = 0;
 	xauth_ldap_config.base = NULL;
 	xauth_ldap_config.subtree = 0;
 	xauth_ldap_config.bind_dn = NULL;
@@ -916,6 +917,17 @@ xauth_login_ldap(iph1, usr, pwd)
 	ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
 		&xauth_ldap_config.pver);
 
+	/* Enable TLS */
+	if (xauth_ldap_config.tls) {
+		res = ldap_start_tls_s(ld, NULL, NULL);
+		if (res != LDAP_SUCCESS) {
+			plog(LLV_ERROR, LOCATION, NULL,
+			 "ldap_start_tls_s failed: %s\n",
+			 ldap_err2string(res));
+			goto ldap_end;
+		}
+	}
+
 	/*
 	 * attempt to bind to the ldap server.
  * default to anonymous bind unless a
@@ -1144,6 +1156,17 @@ xauth_group_ldap(udn, grp)
 	ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
 		&xauth_ldap_config.pver);
 
+	/* Enable TLS */
+	if (xauth_ldap_config.tls) {
+		res = ldap_start_tls_s(ld, NULL, NULL);
+		if (res != LDAP_SUCCESS) {
+			plog(LLV_ERROR, LOCATION, NULL,
+			 "ldap_start_tls_s failed: %s\n",
+			 ldap_err2string(res));
+			goto ldap_group_end;
+		}
+	}
+
 	/*
 	 * attempt to bind to the ldap server.
  * default to anonymous bind unless a
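Review bot: This TLS block is a verbatim copy of the one added to xauth_login_ldap, differing only in the `goto` label; factoring it into a small static helper that returns the LDAP result code keeps the two sites from drifting when, for example, a certificate-verification policy is added later. The helper holds the existing ldap_start_tls_s call and plog, and each caller reduces to a single `if`. xauth_group_ldap starts and ends outside this hunk.
```c
/* Upgrade the LDAP connection to TLS before binding; returns an LDAP result code. */
static int
xauth_ldap_start_tls(LDAP *ld)
{
	int res = ldap_start_tls_s(ld, NULL, NULL);

	if (res != LDAP_SUCCESS)
		plog(LLV_ERROR, LOCATION, NULL,
		    "ldap_start_tls_s failed: %s\n", ldap_err2string(res));
	return res;
}

/* … in xauth_group_ldap, replacing the inline block … */
	if (xauth_ldap_config.tls &&
	    xauth_ldap_start_tls(ld) != LDAP_SUCCESS)
		goto ldap_group_end;
```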

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h:1.7 sr

CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/libipsec

2011-11-14 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Mon Nov 14 13:25:06 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/libipsec [ipsec-tools-0_8-branch]:
pfkey.c

Log Message:
From Marcelo Leitner: do not shrink pfkey socket
buffers (if system default is larger than what we want as minimum)


To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.21.2.1 \
src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c
diff -u src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c:1.21 src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c:1.21.2.1
--- src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c:1.21	Thu Jan 20 16:08:35 2011
+++ src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c	Mon Nov 14 13:25:06 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: pfkey.c,v 1.21 2011/01/20 16:08:35 vanhu Exp $	*/
+/*	$NetBSD: pfkey.c,v 1.21.2.1 2011/11/14 13:25:06 tteras Exp $	*/
 
 /*	$KAME: pfkey.c,v 1.47 2003/10/02 19:52:12 itojun Exp $	*/
 
@@ -1783,7 +1783,9 @@ int
 pfkey_open(void)
 {
 	int so;
-	int bufsiz = 128 * 1024;	/*is 128K enough?*/
+	int bufsiz_current, bufsiz_wanted;
+	int ret;
+	socklen_t len;
 
 	if ((so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) {
 		__ipsec_set_strerror(strerror(errno));
@@ -1794,14 +1796,29 @@ pfkey_open(void)
 	 * This is a temporary workaround for KAME PR 154.
 	 * Don't really care even if it fails.
 	 */
-	(void)setsockopt(so, SOL_SOCKET, SO_SNDBUF, &bufsiz, sizeof(bufsiz));
-	(void)setsockopt(so, SOL_SOCKET, SO_RCVBUF, &bufsiz, sizeof(bufsiz));
-	bufsiz = 256 * 1024;
-	(void)setsockopt(so, SOL_SOCKET, SO_RCVBUF, &bufsiz, sizeof(bufsiz));
-	bufsiz = 512 * 1024;
-	(void)setsockopt(so, SOL_SOCKET, SO_RCVBUF, &bufsiz, sizeof(bufsiz));
-	bufsiz = 1024 * 1024;
-	(void)setsockopt(so, SOL_SOCKET, SO_RCVBUF, &bufsiz, sizeof(bufsiz));
+	/* Try to have 128k. If we have more, do not lower it. */
+	bufsiz_wanted = 128 * 1024;
+	len = sizeof(bufsiz_current);
+	ret = getsockopt(so, SOL_SOCKET, SO_SNDBUF,
+		&bufsiz_current, &len);
+	if ((ret < 0) || (bufsiz_current < bufsiz_wanted))
+		(void)setsockopt(so, SOL_SOCKET, SO_SNDBUF,
+			&bufsiz_wanted, sizeof(bufsiz_wanted));
+
+	/* Try to have have at least 2MB. If we have more, do not lower it. */
+	bufsiz_wanted = 2 * 1024 * 1024;
+	len = sizeof(bufsiz_current);
+	ret = getsockopt(so, SOL_SOCKET, SO_RCVBUF,
+		&bufsiz_current, &len);
+	if (ret < 0)
+		bufsiz_current = 128 * 1024;
+
+	for (; bufsiz_wanted > bufsiz_current; bufsiz_wanted /= 2) {
+		if (setsockopt(so, SOL_SOCKET, SO_RCVBUF,
+&bufsiz_wanted, sizeof(bufsiz_wanted)) == 0)
+			break;
+	}
+
 	__ipsec_errcode = EIPSEC_NO_ERROR;
 	return so;
 }
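Review bot: The guard `bufsiz_current < bufsiz_wanted` compares a value read back with getsockopt against the value about to be requested, and on Linux the kernel reports SO_SNDBUF/SO_RCVBUF doubled relative to what was set (socket(7)), so the "do not lower it" logic and the halving loop's exit condition are conservative by a factor of two there — harmless, but worth stating since the loop's termination depends on it. The comment on the receive block also reads "Try to have have at least 2MB". Suggested wording: `/* Try to have at least 2MB; never lower an already larger buffer. Linux reports the doubled value via getsockopt. */`. The preceding "temporary workaround for KAME PR 154 ... Don't really care even if it fails" comment still describes the old fixed sizes and could be refreshed in the same change.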



CVS commit: src/crypto/dist/ipsec-tools/src/libipsec

2011-11-14 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Mon Nov 14 13:24:05 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/libipsec: pfkey.c

Log Message:
From Marcelo Leitner: do not shrink pfkey socket
buffers (if system default is larger than what we want as minimum)


To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.22 src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c
diff -u src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c:1.21 src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c:1.22
--- src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c:1.21	Thu Jan 20 16:08:35 2011
+++ src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c	Mon Nov 14 13:24:04 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: pfkey.c,v 1.21 2011/01/20 16:08:35 vanhu Exp $	*/
+/*	$NetBSD: pfkey.c,v 1.22 2011/11/14 13:24:04 tteras Exp $	*/
 
 /*	$KAME: pfkey.c,v 1.47 2003/10/02 19:52:12 itojun Exp $	*/
 
@@ -1783,7 +1783,9 @@ int
 pfkey_open(void)
 {
 	int so;
-	int bufsiz = 128 * 1024;	/*is 128K enough?*/
+	int bufsiz_current, bufsiz_wanted;
+	int ret;
+	socklen_t len;
 
 	if ((so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) {
 		__ipsec_set_strerror(strerror(errno));
@@ -1794,14 +1796,29 @@ pfkey_open(void)
 	 * This is a temporary workaround for KAME PR 154.
 	 * Don't really care even if it fails.
 	 */
-	(void)setsockopt(so, SOL_SOCKET, SO_SNDBUF, &bufsiz, sizeof(bufsiz));
-	(void)setsockopt(so, SOL_SOCKET, SO_RCVBUF, &bufsiz, sizeof(bufsiz));
-	bufsiz = 256 * 1024;
-	(void)setsockopt(so, SOL_SOCKET, SO_RCVBUF, &bufsiz, sizeof(bufsiz));
-	bufsiz = 512 * 1024;
-	(void)setsockopt(so, SOL_SOCKET, SO_RCVBUF, &bufsiz, sizeof(bufsiz));
-	bufsiz = 1024 * 1024;
-	(void)setsockopt(so, SOL_SOCKET, SO_RCVBUF, &bufsiz, sizeof(bufsiz));
+	/* Try to have 128k. If we have more, do not lower it. */
+	bufsiz_wanted = 128 * 1024;
+	len = sizeof(bufsiz_current);
+	ret = getsockopt(so, SOL_SOCKET, SO_SNDBUF,
+		&bufsiz_current, &len);
+	if ((ret < 0) || (bufsiz_current < bufsiz_wanted))
+		(void)setsockopt(so, SOL_SOCKET, SO_SNDBUF,
+			&bufsiz_wanted, sizeof(bufsiz_wanted));
+
+	/* Try to have have at least 2MB. If we have more, do not lower it. */
+	bufsiz_wanted = 2 * 1024 * 1024;
+	len = sizeof(bufsiz_current);
+	ret = getsockopt(so, SOL_SOCKET, SO_RCVBUF,
+		&bufsiz_current, &len);
+	if (ret < 0)
+		bufsiz_current = 128 * 1024;
+
+	for (; bufsiz_wanted > bufsiz_current; bufsiz_wanted /= 2) {
+		if (setsockopt(so, SOL_SOCKET, SO_RCVBUF,
+&bufsiz_wanted, sizeof(bufsiz_wanted)) == 0)
+			break;
+	}
+
 	__ipsec_errcode = EIPSEC_NO_ERROR;
 	return so;
 }
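Review bot: Same remark as for the branch version: "Try to have have at least 2MB" has a doubled word, and the comparison of the getsockopt reading with the requested size is off by the kernel's doubling on Linux (socket(7)), which silently makes the "do not lower" guard and the halving loop more conservative than intended. A comment such as `/* Try to have at least 2MB; never lower an already larger buffer. Linux reports the doubled value via getsockopt. */` would document both. Ignoring the final setsockopt failures matches the existing "Don't really care even if it fails" policy, but the old comment above still talks about the removed fixed sizes.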



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-10-11 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Oct 11 14:50:15 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp.c

Log Message:
From Rainer Weikusat: Release unused
phase2 of passive remotes after acquire.


To generate a diff of this commit:
cvs rdiff -u -r1.72 -r1.73 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.72 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.73
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.72	Tue Oct 11 14:37:17 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Tue Oct 11 14:50:15 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.c,v 1.72 2011/10/11 14:37:17 tteras Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.73 2011/10/11 14:50:15 tteras Exp $	*/
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
@@ -2186,7 +2186,7 @@ isakmp_post_acquire(iph2, iph1hint, nopa
 			"because of passive mode, "
 			"ignore the acquire message for %s.\n",
 			saddrwop2str(iph2->dst));
-		return 0;
+		return -1;
 	}
 
 	/*
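Review bot: Changing the passive-mode return to -1 makes "ignored on purpose" indistinguishable from a genuine failure for every caller of isakmp_post_acquire, so each caller — pk_recvacquire per the log message, plus any admin-port path — needs to react to -1 only by releasing the phase 2 handler and not by logging an error or counting a failed negotiation; that cannot be confirmed from the hunk. A comment on the return would tie the value to the intent in the commit log: `return -1;	/* let the caller release the unused phase2 handler */`. The plog level of the message just above is outside the hunk; if it is LLV_ERROR it now pairs with an error return for a normal event. isakmp_post_acquire starts and ends outside this hunk.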



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-10-11 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Oct 11 14:37:17 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp.c

Log Message:
From Wolfgang Schmieder: set up phase 1
port properly.


To generate a diff of this commit:
cvs rdiff -u -r1.71 -r1.72 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.71 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.72
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.71	Tue Mar 15 13:20:14 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Tue Oct 11 14:37:17 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.c,v 1.71 2011/03/15 13:20:14 vanhu Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.72 2011/10/11 14:37:17 tteras Exp $	*/
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
@@ -2943,7 +2943,7 @@ copy_ph1addresses(iph1, rmconf, remote, 
 		port = myaddr_getsport(iph1->local);
 		if (port == 0)
 			port = PORT_ISAKMP;
-		set_port(iph1->local, PORT_ISAKMP);
+		set_port(iph1->local, port);
 	}
 
 #ifdef ENABLE_NATT



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-08-18 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Aug 19 05:36:48 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y cftoken.l
racoon.conf.5

Log Message:
Allow inherited remote blocks without additional remote statements to
be specified in a simpler way. patch by Roman Hoog Antink 


To generate a diff of this commit:
cvs rdiff -u -r1.42 -r1.43 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
cvs rdiff -u -r1.23 -r1.24 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
cvs rdiff -u -r1.61 -r1.62 \
src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.42 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.43
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.42	Mon Mar 14 15:50:36 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Fri Aug 19 05:36:47 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.42 2011/03/14 15:50:36 vanhu Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.43 2011/08/19 05:36:47 tteras Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -172,6 +172,76 @@
 	return 0;
 }
 
+static int process_rmconf()
+{
+
+	/* check a exchange mode */
+	if (cur_rmconf->etypes == NULL) {
+		yyerror("no exchange mode specified.\n");
+		return -1;
+	}
+
+	if (cur_rmconf->idvtype == IDTYPE_UNDEFINED)
+		cur_rmconf->idvtype = IDTYPE_ADDRESS;
+
+	if (cur_rmconf->idvtype == IDTYPE_ASN1DN) {
+		if (cur_rmconf->mycertfile) {
+			if (cur_rmconf->idv)
+yywarn("Both CERT and ASN1 ID "
+   "are set. Hope this is OK.\n");
+			/* TODO: Preparse the DN here */
+		} else if (cur_rmconf->idv) {
+			/* OK, using asn1dn without X.509. */
+		} else {
+			yyerror("ASN1 ID not specified "
+"and no CERT defined!\n");
+			return -1;
+		}
+	}
+
+	if (duprmconf_finish(cur_rmconf))
+		return -1;
+
+	if (set_isakmp_proposal(cur_rmconf) != 0)
+		return -1;
+
+	/* DH group settting if aggressive mode is there. */
+	if (check_etypeok(cur_rmconf, (void*) ISAKMP_ETYPE_AGG)) {
+		struct isakmpsa *p;
+		int b = 0;
+
+		/* DH group */
+		for (p = cur_rmconf->proposal; p; p = p->next) {
+			if (b == 0 || (b && b == p->dh_group)) {
+b = p->dh_group;
+continue;
+			}
+			yyerror("DH group must be equal "
+"in all proposals "
+"when aggressive mode is "
+"used.\n");
+			return -1;
+		}
+		cur_rmconf->dh_group = b;
+
+		if (cur_rmconf->dh_group == 0) {
+			yyerror("DH group must be set in the proposal.\n");
+			return -1;
+		}
+
+		/* DH group settting if PFS is required. */
+		if (oakley_setdhgroup(cur_rmconf->dh_group,
+&cur_rmconf->dhgrp) < 0) {
+			yyerror("failed to set DH value.\n");
+			return -1;
+		}
+	}
+
+	insrmconf(cur_rmconf);
+
+	return 0;
+}
+
 %}
 
 %union {
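Review bot: `static int process_rmconf()` is declared with empty parentheses while the surrounding file uses explicit `(void)` prototypes (the `newspspec __P((void))` declaration just above), so it should read `static int process_rmconf(void)`; the DH-group loop condition `b == 0 || (b && b == p->dh_group)` also carries a redundant `b &&`, since the right-hand side is only reached when `b != 0`. The function has no header comment; suggest `/* Validate the remote block just parsed (exchange mode, ID type, proposals, aggressive-mode DH group) and insert it into the remote list; returns 0, or -1 after reporting via yyerror(). */`. The moved code still spells "settting" in two comments, which this move would have been the moment to fix.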
@@ -1643,7 +1713,7 @@
 			vfree($2);
 			vfree($4);
 		}
-		remote_specs_block
+		remote_specs_inherit_block
 	| REMOTE QUOTEDSTRING
 		{
 			struct remoteconf *new;
@@ -1686,7 +1756,7 @@
 			new->remote = $2;
 			cur_rmconf = new;
 		}
-		remote_specs_block
+		remote_specs_inherit_block
 	|	REMOTE remote_index
 		{
 			struct remoteconf *new;
@@ -1703,81 +1773,20 @@
 		remote_specs_block
 	;
 
-remote_specs_block
-	:	BOC remote_specs EOC
+remote_specs_inherit_block
+	:	remote_specs_block
+	|	EOS /* inheritance without overriding any settings */
 		{
-			/* check a exchange mode */
-			if (cur_rmconf->etypes == NULL) {
-yyerror("no exchange mode specified.\n");
-return -1;
-			}
-
-			if (cur_rmconf->idvtype == IDTYPE_UNDEFINED)
-cur_rmconf->idvtype = IDTYPE_ADDRESS;
-
-			if (cur_rmconf->idvtype == IDTYPE_ASN1DN) {
-if (cur_rmconf->mycertfile) {
-	if (cur_rmconf->idv)
-		yywarn("Both CERT and ASN1 ID "
-		   "are set. Hope this is OK.\n");
-	/* TODO: Preparse the DN here */
-} else if (cur_rmconf->idv) {
-	/* OK, using asn1dn without X.509. */
-} else {
-	yyerror("ASN1 ID not specified "
-		"and no CERT defined!\n");
-	return -1;
-}
-			}
-
-			if (duprmconf_finish(cur_rmconf))
+			if (process_rmconf() != 0)
 return -1;
+		}
+	;
 
-#if 0
-			/* this pointer copy will never happen, because duprmconf_shallow
-			 * already copied all pointers.
-			 */
-			if (cur_rmconf->spspec == NULL &&
-			cur_rmconf->inherited_from != NULL) {
-cur_rmconf->spspec = cur_rmconf->inherited_from->spspec;
-			}
-#endif
-			if (set_isakmp_proposal(cur_rmconf) != 0)
+remote_specs_block
+	:	BOC remote_specs EOC
+		{
+			if (process_rmconf() != 0)
 return -1;
-
-			/* DH group settting if aggressive mode is there. */
-			if (check_etypeok(cur_rmconf, (void*) ISAKMP_ETYPE_AGG)) {
-struct isakmpsa *p;
-int b = 0;
-
-/* DH group */
-for (p = cur_rmconf->proposal; p; p = p->next) {
-	if (b == 0 || (b && b == p->dh_group)) {
-		b = p->dh_group;
-

CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2011-08-11 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Aug 12 05:46:06 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
privsep.c

Log Message:
Have privilege separation child process exit if the parent exits.


To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.21.2.1 \
src/crypto/dist/ipsec-tools/src/racoon/privsep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/privsep.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.21 src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.21.2.1
--- src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.21	Sun Mar  6 08:28:10 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/privsep.c	Fri Aug 12 05:46:06 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: privsep.c,v 1.21 2011/03/06 08:28:10 tteras Exp $	*/
+/*	$NetBSD: privsep.c,v 1.21.2.1 2011/08/12 05:46:06 tteras Exp $	*/
 
 /* Id: privsep.c,v 1.15 2005/08/08 11:23:44 vanhu Exp */
 
@@ -67,6 +67,7 @@
 #include "admin.h"
 #include "sockmisc.h"
 #include "privsep.h"
+#include "session.h"
 
 static int privsep_sock[2] = { -1, -1 };
 
@@ -193,6 +194,13 @@
 	return 0;
 }
 
+static int
+privsep_do_exit(void *ctx, int fd)
+{
+	kill(getpid(), SIGTERM);
+	return 0;
+}
+
 int
 privsep_init(void)
 {
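Review bot: `privsep_do_exit` terminates the child on any readability of the privsep socket without checking that it actually reached EOF, and `kill(getpid(), SIGTERM)` is more directly written as `raise(SIGTERM)`. Because the callback returns 0 and the descriptor stays readable until the signal is handled, confirm that monitor_fd (registered in the next hunk) does not spin on it in the meantime; peeking first, `char c; if (recv(fd, &c, 1, MSG_PEEK) > 0) return 0; raise(SIGTERM);`, would make the "parent went away" intent explicit and avoid reacting to stray data. A comment on the function, `/* Parent closed its end of the privsep socket: shut down with it. */`, would help, and the `0` last argument to monitor_fd is unexplained here.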
@@ -273,6 +281,7 @@
 			strerror(errno));
 			return -1;
 		}
+		monitor_fd(privsep_sock[1], privsep_do_exit, NULL, 0);
 
 		return 0;
 		break;



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools

2011-08-11 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Aug 12 05:42:16 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools [ipsec-tools-0_8-branch]: Makefile.am

Log Message:
Create ChangeLog for proper CVS branch.


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.2.6.1 src/crypto/dist/ipsec-tools/Makefile.am

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/Makefile.am
diff -u src/crypto/dist/ipsec-tools/Makefile.am:1.2 src/crypto/dist/ipsec-tools/Makefile.am:1.2.6.1
--- src/crypto/dist/ipsec-tools/Makefile.am:1.2	Tue Jan 20 14:36:08 2009
+++ src/crypto/dist/ipsec-tools/Makefile.am	Fri Aug 12 05:42:16 2011
@@ -8,7 +8,7 @@
 
 $(srcdir)/ChangeLog:
 	@if test -d "$(srcdir)/CVS"; then \
-	  $(srcdir)/misc/cvs2cl.pl --follow-only TRUNK -I ChangeLog --utc -U $(srcdir)/misc/cvsusermap --group-by-author --fsf -T -l "-d2006-09-10 $@ ; \
+	  $(srcdir)/misc/cvs2cl.pl --follow-only ipsec-tools-0_8-branch -I ChangeLog --utc -U $(srcdir)/misc/cvsusermap --group-by-author --fsf -T -l "-d2006-09-10 $@ ; \
 	  echo "For older changes see ChangeLog.old" >> $@ ; \
 	else \
 	  echo "A CVS checkout and perl is required to generate ChangeLog" ; \



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-08-11 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Aug 12 05:21:50 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: privsep.c

Log Message:
Have privilege separation child process exit if the parent exits.


To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.22 src/crypto/dist/ipsec-tools/src/racoon/privsep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/privsep.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.21 src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.22
--- src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.21	Sun Mar  6 08:28:10 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/privsep.c	Fri Aug 12 05:21:50 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: privsep.c,v 1.21 2011/03/06 08:28:10 tteras Exp $	*/
+/*	$NetBSD: privsep.c,v 1.22 2011/08/12 05:21:50 tteras Exp $	*/
 
 /* Id: privsep.c,v 1.15 2005/08/08 11:23:44 vanhu Exp */
 
@@ -67,6 +67,7 @@
 #include "admin.h"
 #include "sockmisc.h"
 #include "privsep.h"
+#include "session.h"
 
 static int privsep_sock[2] = { -1, -1 };
 
@@ -193,6 +194,13 @@
 	return 0;
 }
 
+static int
+privsep_do_exit(void *ctx, int fd)
+{
+	kill(getpid(), SIGTERM);
+	return 0;
+}
+
 int
 privsep_init(void)
 {
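Review bot: `privsep_do_exit` is invoked for any readiness on `privsep_sock[1]` (the `monitor_fd()` registration is in the next hunk), and it sends SIGTERM before reading anything, so it cannot distinguish the parent's hangup from data the parent wrote to the socket; if the parent ever writes to this end while the child is in its event loop, the child terminates itself. A peek makes the intent explicit and limits the kill to EOF/hangup: `char c; if (recv(fd, &c, 1, MSG_PEEK) > 0) return 0;` ahead of the `kill()`. Whether the parent does write unsolicited data on this socket is not visible in this chunk, so the observation is hedged; `raise(SIGTERM)` would also express "terminate myself" more directly than `kill(getpid(), SIGTERM)`.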
@@ -273,6 +281,7 @@
 			strerror(errno));
 			return -1;
 		}
+		monitor_fd(privsep_sock[1], privsep_do_exit, NULL, 0);
 
 		return 0;
 		break;



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-03-14 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Mon Mar 14 17:18:13 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c handler.c isakmp.c
isakmp_inf.c isakmp_quick.c nattraversal.c pfkey.c policy.c
sockmisc.c sockmisc.h throttle.c

Log Message:
Explicitly compare the return value of cmpsaddr() against a return-value
define to make the intended action more obvious. One more return value is
also added, to fix the comparison of security policy descriptors. Namely,
getsp() should not allow wildcard matching (as the comment says, it does
exact matching) - otherwise we get problems when the kernel has a generic
policy with no ports, and a second similar policy with ports.


To generate a diff of this commit:
cvs rdiff -u -r1.27 -r1.28 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
cvs rdiff -u -r1.38 -r1.39 src/crypto/dist/ipsec-tools/src/racoon/handler.c
cvs rdiff -u -r1.69 -r1.70 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.45 -r1.46 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
cvs rdiff -u -r1.28 -r1.29 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c
cvs rdiff -u -r1.13 -r1.14 \
src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c
cvs rdiff -u -r1.55 -r1.56 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c
cvs rdiff -u -r1.11 -r1.12 src/crypto/dist/ipsec-tools/src/racoon/policy.c
cvs rdiff -u -r1.18 -r1.19 src/crypto/dist/ipsec-tools/src/racoon/sockmisc.c
cvs rdiff -u -r1.12 -r1.13 src/crypto/dist/ipsec-tools/src/racoon/sockmisc.h
cvs rdiff -u -r1.6 -r1.7 src/crypto/dist/ipsec-tools/src/racoon/throttle.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.27 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.28
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.27	Fri Dec  3 09:46:24 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Mon Mar 14 17:18:12 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.27 2010/12/03 09:46:24 tteras Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.28 2011/03/14 17:18:12 tteras Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras .
@@ -100,7 +100,7 @@
 		return TRUE;
 
 	LIST_FOREACH(cfg, &configured, chain) {
-		if (cmpsaddr(addr, (struct sockaddr *) &cfg->addr) == 0)
+		if (cmpsaddr(addr, (struct sockaddr *) &cfg->addr) <= CMPSADDR_WILDPORT_MATCH)
 			return TRUE;
 	}
 
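Review bot: The `<= CMPSADDR_WILDPORT_MATCH` test (and the `>` form in the later grabmyaddr.c hunks and the first handler.c hunk) makes the numeric ordering of the `CMPSADDR_*` values part of the call-site contract, but nothing at these sites says so. sockmisc.h is not in this chunk, so the ordering cannot be confirmed here; a comment at the definitions such as `/* ordered from strictest to loosest match: callers compare with <= / > */` would keep a later insertion or reordering of a value from silently changing which addresses match. A tiny inline helper (e.g. `cmpsaddr_match_wildport(a, b)`) would make the intent readable at each site without the reader needing the enum.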
@@ -116,7 +116,7 @@
 
 	/* Already open? */
 	LIST_FOREACH(my, &opened, chain) {
-		if (cmpsaddr(addr, (struct sockaddr *) &my->addr) == 0)
+		if (cmpsaddr(addr, (struct sockaddr *) &my->addr) <= CMPSADDR_WILDPORT_MATCH)
 			return TRUE;
 	}
 
@@ -156,7 +156,7 @@
 
 	LIST_FOREACH(cfg, &configured, chain) {
 		if (addr != NULL &&
-		cmpsaddr(addr, (struct sockaddr *) &cfg->addr) != 0)
+		cmpsaddr(addr, (struct sockaddr *) &cfg->addr) > CMPSADDR_WILDPORT_MATCH)
 			continue;
 		if (!myaddr_open((struct sockaddr *) &cfg->addr, cfg->udp_encap))
 			return FALSE;
@@ -262,7 +262,7 @@
 	struct myaddr *my;
 
 	LIST_FOREACH(my, &opened, chain) {
-		if (cmpsaddr((struct sockaddr *) &my->addr, addr) == 0)
+		if (cmpsaddr((struct sockaddr *) &my->addr, addr) <= CMPSADDR_WILDPORT_MATCH)
 			return my->fd;
 	}
 
@@ -276,7 +276,7 @@
 	struct myaddr *my;
 
 	LIST_FOREACH(my, &opened, chain) {
-		if (cmpsaddr((struct sockaddr *) &my->addr, addr) == 0)
+		if (cmpsaddr((struct sockaddr *) &my->addr, addr) <= CMPSADDR_WILDPORT_MATCH)
 			return extract_port((struct sockaddr *) &my->addr);
 	}
 

Index: src/crypto/dist/ipsec-tools/src/racoon/handler.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.38 src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.39
--- src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.38	Mon Mar 14 14:54:07 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.c	Mon Mar 14 17:18:12 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.c,v 1.38 2011/03/14 14:54:07 vanhu Exp $	*/
+/*	$NetBSD: handler.c,v 1.39 2011/03/14 17:18:12 tteras Exp $	*/
 
 /* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */
 
@@ -120,11 +120,11 @@
 	LIST_FOREACH(p, &ph1tree, chain) {
 		if (sel != NULL) {
 			if (sel->local != NULL &&
-			cmpsaddr(sel->local, p->local) != 0)
+			cmpsaddr(sel->local, p->local) > CMPSADDR_WILDPORT_MATCH)
 continue;
 
 			if (sel->remote != NULL &&
-			cmpsaddr(sel->remote, p->remote) != 0)
+			cmpsaddr(sel->remote, p->remote) > CMPSADDR_WILDPORT_MATCH)
 continue;
 		}
 
@@ -300,8 +300,8 @@
 		if (p->status < PHASE1ST_DYING)
 			continue;
 
-		if (cmpsaddr(iph1->local, p->local) == 0
-		 && cmpsaddr(iph1->remote, p->remote) == 0)
+		if (cmpsaddr(iph1->local, p->local) == CMPSADDR_MATCH
+		 && cmpsaddr(iph1->remote, p->remote) == CMPSADDR_MATCH)
 			migrate_ph12(p, iph1);
 	}
 }
@@ -5

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-03-06 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Sun Mar  6 08:28:11 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: privsep.c

Log Message:
Quiet a gcc warning when strict-aliasing checks are enabled. Reported by
Stephen Clark.


To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.21 src/crypto/dist/ipsec-tools/src/racoon/privsep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/privsep.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.20 src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.21
--- src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.20	Fri Mar  5 06:47:58 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/privsep.c	Sun Mar  6 08:28:10 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: privsep.c,v 1.20 2010/03/05 06:47:58 tteras Exp $	*/
+/*	$NetBSD: privsep.c,v 1.21 2011/03/06 08:28:10 tteras Exp $	*/
 
 /* Id: privsep.c,v 1.15 2005/08/08 11:23:44 vanhu Exp */
 
@@ -1544,6 +1544,7 @@
 {
 	struct msghdr msg;
 	struct cmsghdr *cmsg;
+	int *fdptr;
 	int fd;
 	char cmsbuf[1024];
 	struct iovec iov;
@@ -1569,7 +1570,8 @@
 		return -1;
 
 	cmsg = CMSG_FIRSTHDR(&msg);
-	return *(int *)CMSG_DATA(cmsg);
+	fdptr = (int *) CMSG_DATA(cmsg);
+	return fdptr[0];
 }
 
 /* Send the file descriptor fd through the argument socket s */
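Review bot: `cmsg` from `CMSG_FIRSTHDR(&msg)` is dereferenced without checking that it is non-NULL or that it actually carries `SOL_SOCKET`/`SCM_RIGHTS` with a `cmsg_len` of at least `CMSG_LEN(sizeof(int))`; a reply with no control header or a different one makes `fdptr[0]` return whatever happens to be in `cmsbuf`. The `int *` cast also still assumes `CMSG_DATA` is suitably aligned; copying out is simpler and sidesteps both the aliasing and alignment questions: `if (cmsg == NULL || cmsg->cmsg_level != SOL_SOCKET || cmsg->cmsg_type != SCM_RIGHTS) return -1;` followed by `memcpy(&fd, CMSG_DATA(cmsg), sizeof fd); return fd;`. The `recvmsg()` call and any `MSG_CTRUNC` handling sit earlier in the function, outside this hunk, so that part is not assessed here.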
@@ -1582,6 +1584,7 @@
 	struct cmsghdr *cmsg;
 	char cmsbuf[1024];
 	struct iovec iov;
+	int *fdptr;
 
 	iov.iov_base = " ";
 	iov.iov_len = 1;
@@ -1604,7 +1607,8 @@
 	cmsg->cmsg_level = SOL_SOCKET;
 	cmsg->cmsg_type = SCM_RIGHTS;
 	cmsg->cmsg_len = CMSG_LEN(sizeof(fd));
-	*(int *)CMSG_DATA(cmsg) = fd;
+	fdptr = (int *)CMSG_DATA(cmsg);
+	fdptr[0] = fd;
 	msg.msg_controllen = cmsg->cmsg_len;
 
 	if (sendmsg(s, &msg, 0) == -1)



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-02-20 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Sun Feb 20 17:32:02 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: oakley.c

Log Message:
From Roman Hoog Antink: Fix a memory leak when using plain RSA
key authentication.


To generate a diff of this commit:
cvs rdiff -u -r1.18 -r1.19 src/crypto/dist/ipsec-tools/src/racoon/oakley.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/oakley.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.18 src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.19
--- src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.18	Thu Dec 16 16:59:05 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/oakley.c	Sun Feb 20 17:32:02 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: oakley.c,v 1.18 2010/12/16 16:59:05 gdt Exp $	*/
+/*	$NetBSD: oakley.c,v 1.19 2011/02/20 17:32:02 tteras Exp $	*/
 
 /* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */
 
@@ -1524,6 +1524,8 @@
 			iph1->rsa_p = rsa_try_check_rsasign(my_hash,
 	iph1->sig_p, iph1->rsa_candidates);
 			error = iph1->rsa_p ? 0 : -1;
+			genlist_free(iph1->rsa_candidates, NULL);
+			iph1->rsa_candidates = NULL;
 			break;
 		default:
 			plog(LLV_ERROR, LOCATION, NULL,
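Review bot: `genlist_free(iph1->rsa_candidates, NULL)` releases only the list nodes, because the free callback is NULL, so the RSA objects are presumably owned elsewhere (the remote configuration, by the look of it); a reader can easily take this "leak fix" as freeing the keys. A one-line comment above the call, `/* the candidates list only references keys owned by the rmconf; free the nodes only */`, would pin that down. Whether other exits from this function can leave `rsa_candidates` allocated is not visible in this hunk.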



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-02-11 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Feb 11 10:07:20 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: plainrsa-gen.c

Log Message:
From Mats E Andersson: Fix the fprintf format specifier
usage from the previous patch.


To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 \
src/crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.c:1.5 src/crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.c:1.6
--- src/crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.c:1.5	Thu Feb 10 11:20:08 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.c	Fri Feb 11 10:07:19 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: plainrsa-gen.c,v 1.5 2011/02/10 11:20:08 tteras Exp $	*/
+/*	$NetBSD: plainrsa-gen.c,v 1.6 2011/02/11 10:07:19 tteras Exp $	*/
 
 /* Id: plainrsa-gen.c,v 1.6 2005/04/21 09:08:40 monas Exp */
 /*
@@ -131,7 +131,7 @@
 	
 	fprintf(fp, "# : PUB 0s%s\n", pubkey64->v);
 	fprintf(fp, ": RSA\t{\n");
-	fprintf(fp, "\t# RSA %zu bits\n", BN_num_bits(key->n));
+	fprintf(fp, "\t# RSA %d bits\n", BN_num_bits(key->n));
 	fprintf(fp, "\t# pubkey=0s%s\n", pubkey64->v);
 	fprintf(fp, "\tModulus: 0x%s\n", lowercase(BN_bn2hex(key->n)));
 	fprintf(fp, "\tPublicExponent: 0x%s\n", lowercase(BN_bn2hex(key->e)));
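Review bot: The format specifier fix is correct (`BN_num_bits()` returns `int`), but the two context lines below it pass `BN_bn2hex()` straight to `lowercase()`; `BN_bn2hex()` returns a heap string the caller must release with `OPENSSL_free()`, so unless `lowercase()` takes ownership (its definition is not in this chunk) each of these lines leaks its hex buffer. For a one-shot key-generation tool this is benign, but either holding the pointer and freeing it after the `fprintf`, or a short comment stating that the leak is accepted, would make it deliberate.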



CVS commit: [ipsec-tools-0_7-branch] src/crypto/dist/ipsec-tools/src/racoon

2011-02-10 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Thu Feb 10 11:21:55 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_7-branch]:
prsa_par.y

Log Message:
From Mats Erik Andersson: Fix address
initialization of restricted RSA keys to work on non-Linux platforms.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.4.6.1 \
src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y:1.4 src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y:1.4.6.1
--- src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y:1.4	Sat Sep  9 16:22:10 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y	Thu Feb 10 11:21:55 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: prsa_par.y,v 1.4 2006/09/09 16:22:10 manu Exp $	*/
+/*	$NetBSD: prsa_par.y,v 1.4.6.1 2011/02/10 11:21:55 tteras Exp $	*/
 
 /* Id: prsa_par.y,v 1.3 2004/11/08 12:04:23 ludvigm Exp */
 
@@ -246,6 +246,9 @@
 		$$->prefix = $2;
 		sap = (struct sockaddr_in *)(&$$->sa);
 		sap->sin_family = AF_INET;
+#ifndef __linux__
+		sap->sin_len = sizeof(*sap);
+#endif
 		err = inet_pton(AF_INET, $1, (struct in_addr*)(&sap->sin_addr));
 		if (err <= 0) {
 			prsaerror("inet_pton(%s): %s\n", $1, strerror(errno));
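Review bot: Guarding the `sin_len` assignment with `#ifndef __linux__` assumes that every non-Linux platform has a length member in its socket address structures, which is not the case (Solaris, for one, has no `sa_len`), so the build breaks there instead of on Linux. A configure-time check for the member, exposed as a config.h feature macro like the ones this code base already uses, would be the robust test. The same guard is repeated for `sin6_len` in the next hunk.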
@@ -269,6 +272,9 @@
 		$$->prefix = $2;
 		sap = (struct sockaddr_in6 *)(&$$->sa);
 		sap->sin6_family = AF_INET6;
+#ifndef __linux__
+		sap->sin6_len = sizeof(*sap);
+#endif
 		err = inet_pton(AF_INET6, $1, (struct in6_addr*)(&sap->sin6_addr));
 		if (err <= 0) {
 			prsaerror("inet_pton(%s): %s\n", $1, strerror(errno));



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-02-10 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Thu Feb 10 11:20:08 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: plainrsa-gen.c

Log Message:
From Mats Erik Andersson: Implement importing of
RSA keys from PEM files.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 \
src/crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.c:1.4 src/crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.c:1.5
--- src/crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.c:1.4	Sat Sep  9 16:22:10 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.c	Thu Feb 10 11:20:08 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: plainrsa-gen.c,v 1.4 2006/09/09 16:22:10 manu Exp $	*/
+/*	$NetBSD: plainrsa-gen.c,v 1.5 2011/02/10 11:20:08 tteras Exp $	*/
 
 /* Id: plainrsa-gen.c,v 1.6 2005/04/21 09:08:40 monas Exp */
 /*
@@ -43,11 +43,13 @@
 #include 
 #include 
 #include 
+#include 
 
 #include 
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #ifdef HAVE_OPENSSL_ENGINE_H
@@ -72,6 +74,7 @@
 	fprintf(stderr, "  -b bits   Generate  long RSA key (default=1024)\n");
 	fprintf(stderr, "  -e pubexp Public exponent to use (default=0x3)\n");
 	fprintf(stderr, "  -f filename   Filename to store the key to (default=stdout)\n");
+	fprintf(stderr, "  -i filename   Input source for format conversion\n");
 	fprintf(stderr, "  -hHelp\n");
 	fprintf(stderr, "\n");
 	fprintf(stderr, "Report bugs to \n");
@@ -82,7 +85,7 @@
  * See RFC 2065, section 3.5 for details about the output format.
  */
 vchar_t *
-mix_b64_pubkey(RSA *key)
+mix_b64_pubkey(const RSA *key)
 {
 	char *binbuf;
 	long binlen, ret;
@@ -116,17 +119,10 @@
 }
 
 int
-gen_rsa_key(FILE *fp, size_t bits, unsigned long exp)
+print_rsa_key(FILE *fp, const RSA *key)
 {
-	RSA *key;
 	vchar_t *pubkey64 = NULL;
 
-	key = RSA_generate_key(bits, exp, NULL, NULL);
-	if (!key) {
-		fprintf(stderr, "RSA_generate_key(): %s\n", eay_strerror());
-		return -1;
-	}
-	
 	pubkey64 = mix_b64_pubkey(key);
 	if (!pubkey64) {
 		fprintf(stderr, "mix_b64_pubkey(): %s\n", eay_strerror());
@@ -135,7 +131,7 @@
 	
 	fprintf(fp, "# : PUB 0s%s\n", pubkey64->v);
 	fprintf(fp, ": RSA\t{\n");
-	fprintf(fp, "\t# RSA %zu bits\n", bits);
+	fprintf(fp, "\t# RSA %zu bits\n", BN_num_bits(key->n));
 	fprintf(fp, "\t# pubkey=0s%s\n", pubkey64->v);
 	fprintf(fp, "\tModulus: 0x%s\n", lowercase(BN_bn2hex(key->n)));
 	fprintf(fp, "\tPublicExponent: 0x%s\n", lowercase(BN_bn2hex(key->e)));
@@ -148,23 +144,92 @@
 	fprintf(fp, "  }\n");
 
 	vfree(pubkey64);
+	return 0;
+}
+
+int
+print_public_rsa_key(FILE *fp, const RSA *key)
+{
+	vchar_t *pubkey64 = NULL;
 
+	pubkey64 = mix_b64_pubkey(key);
+	if (!pubkey64) {
+		fprintf(stderr, "mix_b64_pubkey(): %s\n", eay_strerror());
+		return -1;
+	}
+	
+	fprintf(fp, ": PUB 0s%s\n", pubkey64->v);
+
+	vfree(pubkey64);
 	return 0;
 }
 
 int
+convert_rsa_key(FILE *fpout, FILE *fpin)
+{
+	int ret;
+	RSA *key = NULL;
+
+	key = PEM_read_RSAPrivateKey(fpin, NULL, NULL, NULL);
+	if (key) {
+		ret = print_rsa_key(fpout, key);
+		RSA_free(key);
+
+		return ret;
+	}
+	
+	rewind(fpin);
+
+	key = PEM_read_RSA_PUBKEY(fpin, NULL, NULL, NULL);
+	if (key) {
+		ret = print_public_rsa_key(fpout, key);
+		RSA_free(key);
+
+		return ret;
+	}
+
+	/* Implement parsing of input stream containing
+	 * private or public "plainrsa" formatted text.
+	 * Convert the result to PEM formatted output.
+	 *
+	 * This seemingly needs manual use of prsaparse().
+	 * An expert ought to do this. */
+
+	fprintf(stderr, "convert_rsa_key: %s\n", "Only conversion from PEM at this time");
+	return -1;
+}
+
+int
+gen_rsa_key(FILE *fp, size_t bits, unsigned long exp)
+{
+	int ret;
+	RSA *key;
+
+	key = RSA_generate_key(bits, exp, NULL, NULL);
+	if (!key) {
+		fprintf(stderr, "RSA_generate_key(): %s\n", eay_strerror());
+		return -1;
+	}
+	
+	ret = print_rsa_key(fp, key);
+	RSA_free(key);
+
+	return ret;
+}
+
+int
 main (int argc, char *argv[])
 {
-	FILE *fp = stdout;
+	FILE *fp = stdout, *fpin = NULL;
 	size_t bits = 1024;
 	unsigned int pubexp = 0x3;
 	struct stat st;
 	extern char *optarg;
 	extern int optind;
-	int c;
-	char *fname = NULL;
+	int c, fd = -1, fdin = -1;
+	char *fname = NULL, *finput = NULL;
 
-	while ((c = getopt(argc, argv, "e:b:f:h")) != -1)
+	while ((c = getopt(argc, argv, "e:b:f:i:h")) != -1)
 		switch (c) {
 			case 'e':
 if (strncmp(optarg, "0x", 2) == 0)
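Review bot: In `convert_rsa_key`, a failed `PEM_read_RSAPrivateKey()` leaves its errors on the OpenSSL error queue, so when the public-key attempt fails too the message eventually produced from `eay_strerror()` describes the wrong failure; `ERR_clear_error();` just before the retry keeps the diagnostics accurate. `rewind(fpin)` also cannot report failure, so if `-i` is ever a pipe the second parse silently starts wherever the first one stopped; `if (fseek(fpin, 0, SEEK_SET) != 0) { perror("fseek"); return -1; }` makes that an explicit error. Passing NULL callbacks to both PEM readers means an encrypted private key makes OpenSSL prompt on the terminal for a passphrase, which is worth a comment if intended. `main` continues past the end of this hunk.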
@@ -178,31 +243,65 @@
 			case 'f':
 fname = optarg;
 break;
+			case 'i':
+finput = optarg;
+break;
 			case 'h':
 			default:
 usage(argv[0]);
 		}
 
 	if (fname) {
-		if (stat(fname, &st) >= 0) {
-			fprintf(stderr, "%s: file exists! Please use a different name.\n", fname);
+		umask(0077);
+		/* Restrictive access due to priva

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-02-10 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Thu Feb 10 11:17:17 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: prsa_par.y

Log Message:
From M E Andersson: Fix parsing of restricted RSA
key addresses.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y:1.4 src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y:1.5
--- src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y:1.4	Sat Sep  9 16:22:10 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y	Thu Feb 10 11:17:17 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: prsa_par.y,v 1.4 2006/09/09 16:22:10 manu Exp $	*/
+/*	$NetBSD: prsa_par.y,v 1.5 2011/02/10 11:17:17 tteras Exp $	*/
 
 /* Id: prsa_par.y,v 1.3 2004/11/08 12:04:23 ludvigm Exp */
 
@@ -236,6 +236,7 @@
 	{
 		int err;
 		struct sockaddr_in *sap;
+		struct addrinfo hints, *res;
 		
 		if ($2 == -1) $2 = 32;
 		if ($2 < 0 || $2 > 32) {
@@ -245,12 +246,16 @@
 		$$ = calloc (sizeof(struct netaddr), 1);
 		$$->prefix = $2;
 		sap = (struct sockaddr_in *)(&$$->sa);
-		sap->sin_family = AF_INET;
-		err = inet_pton(AF_INET, $1, (struct in_addr*)(&sap->sin_addr));
-		if (err <= 0) {
-			prsaerror("inet_pton(%s): %s\n", $1, strerror(errno));
+		memset(&hints, 0, sizeof(hints));
+		hints.ai_family = AF_INET;
+		hints.ai_flags = AI_NUMERICHOST;
+		err = getaddrinfo($1, NULL, &hints, &res);
+		if (err < 0) {
+			prsaerror("getaddrinfo(%s): %s\n", $1, gai_strerror(err));
 			YYABORT;
 		}
+		memcpy(sap, res->ai_addr, res->ai_addrlen);
+		freeaddrinfo(res);
 	}
 	;
 
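Review bot: `getaddrinfo()` signals failure with a nonzero return whose `EAI_*` codes are positive on BSD-derived libcs (glibc is the one that defines them negative), so `if (err < 0)` misses failures on those platforms and the following `memcpy()` then reads `res` uninitialized; the test should be `if (err != 0)`. The `memcpy()` also copies `res->ai_addrlen` bytes into `$$->sa` without checking that it fits; the type of `sa` is not visible here, so a guard such as `if (res->ai_addrlen > sizeof($$->sa)) { freeaddrinfo(res); YYABORT; }` is cheap insurance. The IPv6 hunk below has the identical pattern.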
@@ -259,6 +264,7 @@
 	{
 		int err;
 		struct sockaddr_in6 *sap;
+		struct addrinfo hints, *res;
 		
 		if ($2 == -1) $2 = 128;
 		if ($2 < 0 || $2 > 128) {
@@ -268,12 +274,16 @@
 		$$ = calloc (sizeof(struct netaddr), 1);
 		$$->prefix = $2;
 		sap = (struct sockaddr_in6 *)(&$$->sa);
-		sap->sin6_family = AF_INET6;
-		err = inet_pton(AF_INET6, $1, (struct in6_addr*)(&sap->sin6_addr));
-		if (err <= 0) {
-			prsaerror("inet_pton(%s): %s\n", $1, strerror(errno));
+		memset(&hints, 0, sizeof(hints));
+		hints.ai_family = AF_INET6;
+		hints.ai_flags = AI_NUMERICHOST;
+		err = getaddrinfo($1, NULL, &hints, &res);
+		if (err < 0) {
+			prsaerror("getaddrinfo(%s): %s\n", $1, gai_strerror(err));
 			YYABORT;
 		}
+		memcpy(sap, res->ai_addr, res->ai_addrlen);
+		freeaddrinfo(res);
 	}
 	;
 



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-01-28 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Jan 28 13:02:34 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: sainfo.c sainfo.h session.c

Log Message:
From Roman Hoog Antink: Clean up sainfo reloading: rename
the functions, and remove an unneeded global variable.


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 src/crypto/dist/ipsec-tools/src/racoon/sainfo.c
cvs rdiff -u -r1.6 -r1.7 src/crypto/dist/ipsec-tools/src/racoon/sainfo.h
cvs rdiff -u -r1.29 -r1.30 src/crypto/dist/ipsec-tools/src/racoon/session.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/sainfo.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/sainfo.c:1.12 src/crypto/dist/ipsec-tools/src/racoon/sainfo.c:1.13
--- src/crypto/dist/ipsec-tools/src/racoon/sainfo.c:1.12	Sun Jan 17 23:03:01 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/sainfo.c	Fri Jan 28 13:02:34 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: sainfo.c,v 1.12 2010/01/17 23:03:01 wiz Exp $	*/
+/*	$NetBSD: sainfo.c,v 1.13 2011/01/28 13:02:34 tteras Exp $	*/
 
 /*	$KAME: sainfo.c,v 1.16 2003/06/27 07:32:39 sakane Exp $	*/
 
@@ -64,7 +64,8 @@
 #include "sainfo.h"
 #include "gcmalloc.h"
 
-static LIST_HEAD(_sitree, sainfo) sitree, sitree_save, sitree_tmp;
+typedef LIST_HEAD(_sitree, sainfo) sainfo_tailq_head_t;
+static sainfo_tailq_head_t sitree, sitree_save;
 
 /* %%%
  * modules for ipsec sa info
@@ -392,12 +393,14 @@
 return buf;
 }
 
-void save_sainfotree(void){
+void sainfo_start_reload(void){
 	sitree_save=sitree;
 	initsainfo();
 }
 
-void save_sainfotree_flush(void){
+void sainfo_finish_reload(void){
+	sainfo_tailq_head_t sitree_tmp;
+
 	sitree_tmp=sitree;
 	sitree=sitree_save;
 	flushsainfo();
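Review bot: `sitree_save=sitree` and the swap in `sainfo_finish_reload` copy a `LIST_HEAD` by struct assignment, which does not update the first element's `le_prev` back-pointer (it keeps pointing at `sitree.lh_first`); a `LIST_REMOVE` performed while the list is parked in `sitree_save` would therefore write into the wrong head. This works only because every removal, including the one in `flushsainfo()`, presumably runs after the list has been copied back into `sitree`, and that invariant deserves a comment, e.g. `/* head is copied by value: the list must be back in sitree before any LIST_REMOVE */`. The `rmconf_start_reload`/`rmconf_finish_reload` hunk in remoteconf.c further down this page has the same property with a `TAILQ_HEAD`, where an empty queue's `tqh_last` additionally points into the old head.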

Index: src/crypto/dist/ipsec-tools/src/racoon/sainfo.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/sainfo.h:1.6 src/crypto/dist/ipsec-tools/src/racoon/sainfo.h:1.7
--- src/crypto/dist/ipsec-tools/src/racoon/sainfo.h:1.6	Wed Sep 12 23:39:51 2007
+++ src/crypto/dist/ipsec-tools/src/racoon/sainfo.h	Fri Jan 28 13:02:34 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: sainfo.h,v 1.6 2007/09/12 23:39:51 mgrooms Exp $	*/
+/*	$NetBSD: sainfo.h,v 1.7 2011/01/28 13:02:34 tteras Exp $	*/
 
 /* Id: sainfo.h,v 1.5 2006/07/09 17:19:38 manubsd Exp */
 
@@ -85,8 +85,8 @@
 extern void inssainfoalg __P((struct sainfoalg **, struct sainfoalg *));
 extern const char * sainfo2str __P((const struct sainfo *));
 
-extern void save_sainfotree __P((void));
-extern void save_sainfotree_flush __P((void));
+extern void sainfo_start_reload __P((void));
+extern void sainfo_finish_reload __P((void));
 extern void save_sainfotree_restore __P((void));
 
 #endif /* _SAINFO_H */

Index: src/crypto/dist/ipsec-tools/src/racoon/session.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/session.c:1.29 src/crypto/dist/ipsec-tools/src/racoon/session.c:1.30
--- src/crypto/dist/ipsec-tools/src/racoon/session.c:1.29	Fri Jan 28 13:00:14 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/session.c	Fri Jan 28 13:02:34 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: session.c,v 1.29 2011/01/28 13:00:14 tteras Exp $	*/
+/*	$NetBSD: session.c,v 1.30 2011/01/28 13:02:34 tteras Exp $	*/
 
 /*	$KAME: session.c,v 1.32 2003/09/24 02:01:17 jinmei Exp $	*/
 
@@ -387,7 +387,7 @@
 	}
 #endif
 
-	save_sainfotree();
+	sainfo_start_reload();
 
 	/* TODO: save / restore / flush old lcconf (?) / rmtree
 	 */
@@ -429,7 +429,7 @@
 	/* Update ctdtree ?
 	 */
 
-	save_sainfotree_flush();
+	sainfo_finish_reload();
 	rmconf_finish_reload();
 }
 



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-01-28 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Jan 28 13:00:14 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: remoteconf.c remoteconf.h
session.c

Log Message:
From Roman Hoog Antink: Clean up rmconf reloading: rename
the functions, and remove an unneeded global variable.


To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.22 \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
cvs rdiff -u -r1.12 -r1.13 \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h
cvs rdiff -u -r1.28 -r1.29 src/crypto/dist/ipsec-tools/src/racoon/session.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.21 src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.22
--- src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.21	Wed Sep  8 12:18:35 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c	Fri Jan 28 13:00:14 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: remoteconf.c,v 1.21 2010/09/08 12:18:35 vanhu Exp $	*/
+/*	$NetBSD: remoteconf.c,v 1.22 2011/01/28 13:00:14 tteras Exp $	*/
 
 /* Id: remoteconf.c,v 1.38 2006/05/06 15:52:44 manubsd Exp */
 
@@ -79,7 +79,8 @@
 #include "handler.h"
 #include "genlist.h"
 
-static TAILQ_HEAD(_rmtree, remoteconf) rmtree, rmtree_save, rmtree_tmp;
+typedef TAILQ_HEAD(_rmtree, remoteconf) remoteconf_tailq_head_t;
+static remoteconf_tailq_head_t rmtree, rmtree_save;
 
 /*
  * Script hook names and script hook paths
@@ -744,15 +745,17 @@
 }
 
 void
-save_rmconf()
+rmconf_start_reload()
 {
 	rmtree_save=rmtree;
 	initrmconf();
 }
 
 void
-save_rmconf_flush()
+rmconf_finish_reload()
 {
+	remoteconf_tailq_head_t rmtree_tmp;
+
 	rmtree_tmp=rmtree;
 	rmtree=rmtree_save;
 	flushrmconf();

Index: src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h:1.12 src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h:1.13
--- src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h:1.12	Tue Jun 22 09:41:33 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h	Fri Jan 28 13:00:14 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: remoteconf.h,v 1.12 2010/06/22 09:41:33 vanhu Exp $	*/
+/*	$NetBSD: remoteconf.h,v 1.13 2011/01/28 13:00:14 tteras Exp $	*/
 
 /* Id: remoteconf.h,v 1.26 2006/05/06 15:52:44 manubsd Exp */
 
@@ -209,8 +209,8 @@
 extern void remrmconf __P((struct remoteconf *));
 extern void flushrmconf __P((void));
 extern void initrmconf __P((void));
-extern void save_rmconf __P((void));
-extern void save_rmconf_flush __P((void));
+extern void rmconf_start_reload __P((void));
+extern void rmconf_finish_reload __P((void));
 
 extern int check_etypeok __P((struct remoteconf *, void *));
 

Index: src/crypto/dist/ipsec-tools/src/racoon/session.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/session.c:1.28 src/crypto/dist/ipsec-tools/src/racoon/session.c:1.29
--- src/crypto/dist/ipsec-tools/src/racoon/session.c:1.28	Thu Oct 21 06:15:28 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/session.c	Fri Jan 28 13:00:14 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: session.c,v 1.28 2010/10/21 06:15:28 tteras Exp $	*/
+/*	$NetBSD: session.c,v 1.29 2011/01/28 13:00:14 tteras Exp $	*/
 
 /*	$KAME: session.c,v 1.32 2003/09/24 02:01:17 jinmei Exp $	*/
 
@@ -391,8 +391,7 @@
 
 	/* TODO: save / restore / flush old lcconf (?) / rmtree
 	 */
-	save_rmconf();
-	initrmconf();
+	rmconf_start_reload();
 
 #ifdef HAVE_LIBRADIUS
 	/* free and init radius configuration */
@@ -431,7 +430,7 @@
 	 */
 
 	save_sainfotree_flush();
-	save_rmconf_flush();
+	rmconf_finish_reload();
 }
 
 static void



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-01-28 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Jan 28 12:51:40 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: plog.c

Log Message:
From Roman Hoog Antink: Log the remote IP address if available
(slightly modified by tteras)


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/crypto/dist/ipsec-tools/src/racoon/plog.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/plog.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/plog.c:1.6 src/crypto/dist/ipsec-tools/src/racoon/plog.c:1.7
--- src/crypto/dist/ipsec-tools/src/racoon/plog.c:1.6	Mon Apr 20 13:23:55 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/plog.c	Fri Jan 28 12:51:40 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: plog.c,v 1.6 2009/04/20 13:23:55 tteras Exp $	*/
+/*	$NetBSD: plog.c,v 1.7 2011/01/28 12:51:40 tteras Exp $	*/
 
 /* Id: plog.c,v 1.11 2006/06/20 09:57:31 vanhu Exp */
 
@@ -36,6 +36,7 @@
 #include 
 #include 
 
+#include 
 #include 
 #include 
 #include 
@@ -78,7 +79,7 @@
 static struct log *logp = NULL;
 static char *logfile = NULL;
 
-static char *plog_common __P((int, const char *, const char *));
+static char *plog_common __P((int, const char *, const char *, struct sockaddr *));
 
 static struct plogtags {
 	char *name;
@@ -94,11 +95,13 @@
 };
 
 static char *
-plog_common(pri, fmt, func)
+plog_common(pri, fmt, func, sa)
 	int pri;
 	const char *fmt, *func;
+	struct sockaddr *sa;
 {
 	static char buf[800];	/* XXX shoule be allocated every time ? */
+	void *addr;
 	char *p;
 	int reslen, len;
 
@@ -116,19 +119,43 @@
 		reslen -= len;
 	}
 
+	if (sa && reslen > 3) {
+		addr = NULL;
+		switch (sa->sa_family) {
+		case AF_INET:
+			addr = &((struct sockaddr_in*)sa)->sin_addr;
+			break;
+		case AF_INET6:
+			addr = &((struct sockaddr_in6*)sa)->sin6_addr;
+			break;
+		}
+		if (inet_ntop(sa->sa_family, addr, p + 1, reslen - 3) != NULL) {
+			*p++ = '[';
+			len = strlen(p);
+			p += len;
+			*p++ = ']';
+			*p++ = ' ';
+			reslen -= len + 3;
+		}
+	}
+
 	if (pri < ARRAYLEN(ptab)) {
 		len = snprintf(p, reslen, "%s: ", ptab[pri].name);
-		if (len >= 0 && len < reslen) {
-			p += len;
-			reslen -= len;
-		} else
-			*p = '\0';
+		p += len;
+		reslen -= len;
 	}
 
 	if (print_location)
-		snprintf(p, reslen, "%s: %s", func, fmt);
+		len = snprintf(p, reslen, "%s: %s", func, fmt);
 	else
-		snprintf(p, reslen, "%s", fmt);
+		len = snprintf(p, reslen, "%s", fmt);
+	p += len;
+	reslen -= len;
+
+	/* Force nul termination */
+	if (reslen == 0)
+		p[-1] = 0;
+
 #ifdef BROKEN_PRINTF
 	while ((p = strstr(buf,"%z")) != NULL)
 		p[1] = 'l';
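Review bot: Dropping the `len < reslen` check after the priority `snprintf`, and adding none after the message `snprintf`, lets a truncated write advance `p` past the end of the static `buf` and drive `reslen` negative; the next `snprintf` then receives that negative `int` converted to a huge `size_t`, and the `reslen == 0` fix-up only handles the exact-zero case. The new `[addr] ` prefix makes truncation of long messages in an 800-byte buffer more likely, not less. Clamping `len` to `reslen - 1` on truncation keeps `p` on the terminating NUL (the preceding address block leaves `reslen` at least 1) and makes the forced-NUL block unnecessary, since `snprintf` terminates whenever its size is at least 1. Since the caller uses the returned buffer as a format string, a comment that the inserted `inet_ntop()` text contains no `%` would also help the next reader.
```c
	if (pri < ARRAYLEN(ptab)) {
		len = snprintf(p, reslen, "%s: ", ptab[pri].name);
		if (len < 0 || len >= reslen)
			len = reslen - 1;	/* truncated: park p on the final NUL */
		p += len;
		reslen -= len;
	}

	if (print_location)
		len = snprintf(p, reslen, "%s: %s", func, fmt);
	else
		len = snprintf(p, reslen, "%s", fmt);
	if (len < 0 || len >= reslen)
		len = reslen - 1;	/* same clamp; the "Force nul termination" block is then redundant */
	p += len;
	reslen -= len;
	/* … unchanged: BROKEN_PRINTF rewrite and return … */
```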
@@ -157,7 +184,7 @@
 	if (pri > loglevel)
 		return;
 
-	newfmt = plog_common(pri, fmt, func);
+	newfmt = plog_common(pri, fmt, func, sa);
 
 	VA_COPY(ap_bak, ap);
 	



CVS commit: [ipsec-tools-0_7-branch] src/crypto/dist/ipsec-tools/src/racoon

2011-01-21 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Sat Jan 22 07:44:39 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_7-branch]:
isakmp_inf.c

Log Message:
From Roman Hoog Antink: Fix a null pointer dereference
that might occur after removing peers from the config and then reloading.


To generate a diff of this commit:
cvs rdiff -u -r1.14.4.17 -r1.14.4.18 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.14.4.17 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.14.4.18
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.14.4.17	Mon May 18 17:07:46 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Sat Jan 22 07:44:39 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.c,v 1.14.4.17 2009/05/18 17:07:46 tteras Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.14.4.18 2011/01/22 07:44:39 tteras Exp $	*/
 
 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
 
@@ -1624,6 +1624,15 @@
 
 	iph1->dpd_r_u=NULL;
 
+	if (iph1->status == PHASE1ST_EXPIRED) {
+		/* This can happen after removing tunnels from the
+		 * config file and then reloading.
+		 * Such iph1 have rmconf=NULL, so return before the if
+		 * block below.
+		 */
+		return;
+	}
+
 	if (iph1->dpd_fails >= iph1->rmconf->dpd_maxfails) {
 
 		plog(LLV_INFO, LOCATION, iph1->remote,
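Review bot: The guard keys on `iph1->status == PHASE1ST_EXPIRED` as a proxy for the condition that actually matters, `iph1->rmconf == NULL`, which the comment itself names; testing the pointer directly, `if (iph1->status == PHASE1ST_EXPIRED || iph1->rmconf == NULL) return;`, also covers any other path that clears `rmconf` without moving the handle to EXPIRED. Whether such a path exists is not visible here, so this is defensive rather than a known defect. The enclosing DPD callback starts before this hunk, and the trunk commit further down this page makes the identical change.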



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-01-21 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Sat Jan 22 07:38:52 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_inf.c

Log Message:
From Roman Hoog Antink: Fix a null pointer dereference
that might occur after removing peers from the config and then reloading.


To generate a diff of this commit:
cvs rdiff -u -r1.44 -r1.45 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.44 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.45
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.44	Wed Nov 17 10:40:41 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Sat Jan 22 07:38:51 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.c,v 1.44 2010/11/17 10:40:41 tteras Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.45 2011/01/22 07:38:51 tteras Exp $	*/
 
 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
 
@@ -1502,6 +1502,15 @@
 
 	plog(LLV_DEBUG, LOCATION, iph1->remote, "DPD monitoring\n");
 
+	if (iph1->status == PHASE1ST_EXPIRED) {
+		/* This can happen after removing tunnels from the
+		 * config file and then reloading.
+		 * Such iph1 have rmconf=NULL, so return before the if
+		 * block below.
+		 */
+		return;
+	}
+
 	if (iph1->dpd_fails >= iph1->rmconf->dpd_maxfails) {
 
 		plog(LLV_INFO, LOCATION, iph1->remote,



CVS commit: [ipsec-tools-0_7-branch] src/crypto/dist/ipsec-tools/src/racoon

2010-12-27 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Dec 28 06:02:45 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_7-branch]:
handler.c

Log Message:
From Roman Hoog Antink: Fix config reload to not delete too
many phase 2 handles, because wrong chain field is used when enumerating
the handles.


To generate a diff of this commit:
cvs rdiff -u -r1.9.6.8 -r1.9.6.9 \
src/crypto/dist/ipsec-tools/src/racoon/handler.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/handler.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.9.6.8 src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.9.6.9
--- src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.9.6.8	Mon Apr 20 13:25:27 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.c	Tue Dec 28 06:02:45 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.c,v 1.9.6.8 2009/04/20 13:25:27 tteras Exp $	*/
+/*	$NetBSD: handler.c,v 1.9.6.9 2010/12/28 06:02:45 tteras Exp $	*/
 
 /* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */
 
@@ -1306,7 +1306,7 @@
 
 	if (iph1->status == PHASE1ST_ESTABLISHED){
 		for (iph2 = LIST_FIRST(&iph1->ph2tree); iph2; iph2 = iph2_next) {
-			iph2_next = LIST_NEXT(iph2, chain);
+			iph2_next = LIST_NEXT(iph2, ph1bind);
 			remove_ph2(iph2);
 		}
 		isakmp_info_send_d1(iph1);
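Review bot: The field swap fixes the traversal, but nothing in the loop says why `ph1bind` is the right link, which is how `chain` got in there in the first place; a comment on the `for` line would prevent a repeat, e.g. `/* ph2tree is threaded through ph1bind; chain is a different list */` (the exact role of `chain` is inferred from the fix, confirm against handler.h). The same change lands on HEAD in the next commit (handler.c 1.34 to 1.35), where the surrounding `if` also covers `PHASE1ST_DYING` while this branch only checks `PHASE1ST_ESTABLISHED` — worth checking whether the branch needs that condition too. The enclosing function continues outside the hunk.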



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2010-12-27 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Dec 28 06:00:18 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: handler.c

Log Message:
From Roman Hoog Antink: Fix config reload to not delete
too many phase 2 handles, because wrong chain field is used when
enumerating the handles.


To generate a diff of this commit:
cvs rdiff -u -r1.34 -r1.35 src/crypto/dist/ipsec-tools/src/racoon/handler.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/handler.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.34 src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.35
--- src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.34	Wed Nov 17 10:40:41 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.c	Tue Dec 28 06:00:18 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.c,v 1.34 2010/11/17 10:40:41 tteras Exp $	*/
+/*	$NetBSD: handler.c,v 1.35 2010/12/28 06:00:18 tteras Exp $	*/
 
 /* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */
 
@@ -1468,7 +1468,7 @@
 	if (iph1->status == PHASE1ST_ESTABLISHED ||
 	iph1->status == PHASE1ST_DYING) {
 		for (iph2 = LIST_FIRST(&iph1->ph2tree); iph2; iph2 = iph2_next) {
-			iph2_next = LIST_NEXT(iph2, chain);
+			iph2_next = LIST_NEXT(iph2, ph1bind);
 			remove_ph2(iph2);
 		}
 		isakmp_info_send_d1(iph1);



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2010-12-14 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Dec 14 17:57:32 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: ipsec_doi.c

Log Message:
From Roman Hoog Antink: Fix a possible null dereference.


To generate a diff of this commit:
cvs rdiff -u -r1.45 -r1.46 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.45 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.46
--- src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.45	Mon Oct 11 14:16:30 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c	Tue Dec 14 17:57:31 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_doi.c,v 1.45 2010/10/11 14:16:30 vanhu Exp $	*/
+/*	$NetBSD: ipsec_doi.c,v 1.46 2010/12/14 17:57:31 tteras Exp $	*/
 
 /* Id: ipsec_doi.c,v 1.55 2006/08/17 09:20:41 vanhu Exp */
 
@@ -4166,9 +4166,14 @@
 	u_int8_t *prefixlen;
 	u_int16_t *ul_proto;
 {
-	struct ipsecdoi_id_b *id_b = (struct ipsecdoi_id_b *)buf->v;
+	struct ipsecdoi_id_b *id_b = NULL;
 	u_int plen = 0;
 
+	if (buf == NULL)
+		return ISAKMP_INTERNAL_ERROR;
+
+	id_b = (struct ipsecdoi_id_b *)buf->v;
+
 	/*
 	 * When a ID payload of subnet type with a IP address of full bit
 	 * masked, it has to be processed as host address.
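Review bot: The new NULL check covers `buf`, but `buf->v` is still cast to `struct ipsecdoi_id_b *` without confirming that `buf->l` is at least `sizeof(*id_b)`, so a short ID payload from the peer would be read past its end when the `id_b` fields are used further down; unless the caller guarantees the length, add `if (buf->l < sizeof(*id_b)) return ISAKMP_INTERNAL_ERROR;` right after the cast. The function's signature and the rest of its body are outside the hunk, so the length may already be validated earlier — confirm before adding. Returning `ISAKMP_INTERNAL_ERROR` also reports a missing payload as a local fault; if this return value is mapped to a notify type, a payload-malformed code would describe the situation better.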



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2010-12-07 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Wed Dec  8 07:38:35 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: admin.c

Log Message:
Use separate SA addresses for phase2's created by admin command. The
phase2 startup overwrites src/dst with ISAKMP ports if they are zero
and we don't want that to happen for the SA ports.


To generate a diff of this commit:
cvs rdiff -u -r1.37 -r1.38 src/crypto/dist/ipsec-tools/src/racoon/admin.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/admin.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.37 src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.38
--- src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.37	Fri Nov 12 10:36:37 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/admin.c	Wed Dec  8 07:38:35 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: admin.c,v 1.37 2010/11/12 10:36:37 tteras Exp $	*/
+/*	$NetBSD: admin.c,v 1.38 2010/12/08 07:38:35 tteras Exp $	*/
 
 /* Id: admin.c,v 1.25 2006/04/06 14:31:04 manubsd Exp */
 
@@ -564,12 +564,17 @@
 			iph2->status = PHASE2ST_STATUS2;
 
 			/* set end addresses of SA */
+			iph2->sa_dst = dupsaddr(dst);
+			iph2->sa_src = dupsaddr(src);
 			iph2->dst = dupsaddr(dst);
 			iph2->src = dupsaddr(src);
-			if (iph2->dst == NULL || iph2->src == NULL) {
+			if (iph2->sa_src == NULL || iph2->sa_dst == NULL ||
+			iph2->dst == NULL || iph2->src == NULL) {
 delph2(iph2);
 break;
 			}
+			set_port(iph2->dst, 0);
+			set_port(iph2->src, 0);
 
 			if (isakmp_get_sainfo(iph2, sp_out, sp_in) < 0) {
 delph2(iph2);
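Review bot: The comment `/* set end addresses of SA */` now heads four assignments with two different meanings, and the reason the ISAKMP endpoints get their ports cleared lives only in the commit message; put it in the code: `/* sa_src/sa_dst keep the policy ports; src/dst are the ISAKMP endpoints and phase2 startup fills in their ports, so clear them here */`. The combined NULL check relies on `delph2()` releasing whichever of the four `dupsaddr()` results succeeded — presumably it frees non-NULL members, but that is outside the hunk. The enclosing loop/switch body starts and ends outside the hunk.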



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2010-12-07 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Dec  7 14:28:12 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_quick.c

Log Message:
Fix spacing and improve wording in some log messages.


To generate a diff of this commit:
cvs rdiff -u -r1.27 -r1.28 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c:1.27 src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c:1.28
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c:1.27	Wed Oct 20 13:37:37 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c	Tue Dec  7 14:28:12 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_quick.c,v 1.27 2010/10/20 13:37:37 tteras Exp $	*/
+/*	$NetBSD: isakmp_quick.c,v 1.28 2010/12/07 14:28:12 tteras Exp $	*/
 
 /* Id: isakmp_quick.c,v 1.29 2006/08/22 18:17:17 manubsd Exp */
 
@@ -2383,9 +2383,9 @@
 			}
 		} else {
 			plog(LLV_DEBUG, LOCATION, NULL,
-			 "Either family (%d - %d), types (%d - %d) of ID"
-			 "from initiator differ or matching sainfo has"
-			 "has no id_i defined for the peer. Not filling"
+			 "Either family (%d - %d), types (%d - %d) of ID "
+			 "from initiator differ or matching sainfo "
+			 "has no id_i defined for the peer. Not filling "
 			 "iph2->sa_src and iph2->sa_dst.\n",
 			 spidx.src.ss_family, spidx.dst.ss_family,
 			 _XIDT(iph2->id_p),idi2type);
@@ -2416,7 +2416,7 @@
 #undef _XIDT
 
 	plog(LLV_DEBUG, LOCATION, NULL,
-		"get a src address from ID payload "
+		"get src address from ID payload "
 		"%s prefixlen=%u ul_proto=%u\n",
 		saddr2str((struct sockaddr *)&spidx.src),
 		spidx.prefs, spidx.ul_proto);



CVS commit: src/crypto/dist/ipsec-tools/src/libipsec

2010-12-03 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Dec  3 15:01:11 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/libipsec: ipsec_dump_policy.c

Log Message:
Recognize direction for Linux per-socket policies.


To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 \
src/crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c
diff -u src/crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c:1.8 src/crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c:1.9
--- src/crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c:1.8	Wed Jul 18 12:07:50 2007
+++ src/crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c	Fri Dec  3 15:01:11 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_dump_policy.c,v 1.8 2007/07/18 12:07:50 vanhu Exp $	*/
+/*	$NetBSD: ipsec_dump_policy.c,v 1.9 2010/12/03 15:01:11 tteras Exp $	*/
 
 /* Id: ipsec_dump_policy.c,v 1.10 2005/06/29 09:12:37 manubsd Exp */
 
@@ -53,7 +53,10 @@
 #include "libpfkey.h"
 
 static const char *ipsp_dir_strs[] = {
-	"any", "in", "out", "fwd"
+	"any", "in", "out", "fwd",
+#ifdef __linux__
+	"in(socket)", "out(socket)"
+#endif
 };
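Review bot: The two new entries in `ipsp_dir_strs` are added under `#ifdef __linux__`, while the matching `case IPSEC_DIR_FWD + 1:` and `case IPSEC_DIR_FWD + 2:` labels in the next hunk are under `#ifdef HAVE_POLICY_FWD`; on a non-Linux build that defines `HAVE_POLICY_FWD`, the switch accepts direction values 4 and 5 that the four-entry table does not have, which is an out-of-bounds read if the direction is used as an index into the table later in the function (that indexing is outside the hunk — confirm). Guarding the case labels with the same `__linux__` condition as the table, and giving the two values named constants next to the table instead of `IPSEC_DIR_FWD + 1`, keeps the two places in sync.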
 
 static const char *ipsp_policy_strs[] = {
@@ -165,6 +168,8 @@
 	case IPSEC_DIR_OUTBOUND:
 #ifdef HAVE_POLICY_FWD
 	case IPSEC_DIR_FWD:
+	case IPSEC_DIR_FWD + 1:
+	case IPSEC_DIR_FWD + 2:
 #endif
 		break;
 	default:



CVS commit: src/crypto/dist/ipsec-tools/src

2010-12-03 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Dec  3 14:32:53 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/libipsec: libpfkey.h pfkey_dump.c
src/crypto/dist/ipsec-tools/src/setkey: parse.y setkey.8

Log Message:
Support GRE key as upper layer protocol specifier (will be supported in
Linux kernel 2.6.38).


To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.18 \
src/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h \
src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c
cvs rdiff -u -r1.13 -r1.14 src/crypto/dist/ipsec-tools/src/setkey/parse.y
cvs rdiff -u -r1.25 -r1.26 src/crypto/dist/ipsec-tools/src/setkey/setkey.8

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h
diff -u src/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h:1.17 src/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h:1.18
--- src/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h:1.17	Mon Aug 17 13:52:14 2009
+++ src/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h	Fri Dec  3 14:32:52 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: libpfkey.h,v 1.17 2009/08/17 13:52:14 vanhu Exp $	*/
+/*	$NetBSD: libpfkey.h,v 1.18 2010/12/03 14:32:52 tteras Exp $	*/
 
 /* Id: libpfkey.h,v 1.13 2005/12/04 20:26:43 manubsd Exp */
 
@@ -210,6 +210,10 @@
 #define IPPROTO_IPCOMP IPPROTO_COMP
 #endif
 
+#ifndef IPPROTO_MH
+#define IPPROTO_MH		135
+#endif
+
 static __inline u_int8_t
 sysdep_sa_len (const struct sockaddr *sa)
 {
Index: src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c
diff -u src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c:1.17 src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c:1.18
--- src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c:1.17	Fri Apr  2 15:13:26 2010
+++ src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c	Fri Dec  3 14:32:52 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: pfkey_dump.c,v 1.17 2010/04/02 15:13:26 christos Exp $	*/
+/*	$NetBSD: pfkey_dump.c,v 1.18 2010/12/03 14:32:52 tteras Exp $	*/
 
 /*	$KAME: pfkey_dump.c,v 1.45 2003/09/08 10:14:56 itojun Exp $	*/
 
@@ -716,13 +716,19 @@
 	else
 		snprintf(prefbuf, sizeof(prefbuf), "/%u", pref);
 
-	if (ulp == IPPROTO_ICMPV6)
+	switch (ulp) {
+	case IPPROTO_ICMP:
+	case IPPROTO_ICMPV6:
+	case IPPROTO_MH:
+	case IPPROTO_GRE:
 		memset(portbuf, 0, sizeof(portbuf));
-	else {
+		break;
+	default:
 		if (port == IPSEC_PORT_ANY)
-			snprintf(portbuf, sizeof(portbuf), "[%s]", "any");
+			strcpy(portbuf, "[any]");
 		else
 			snprintf(portbuf, sizeof(portbuf), "[%u]", port);
+		break;
 	}
 
 	snprintf(buf, sizeof(buf), "%s%s", prefbuf, portbuf);
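Review bot: `strcpy(portbuf, "[any]")` replaces a bounded `snprintf` and becomes the only unbounded write into `portbuf` in this function; it is safe only as long as `sizeof(portbuf)` (declared outside the hunk) stays at least 6, and it is inconsistent with the `snprintf` two lines below. Keep the bounded form: `snprintf(portbuf, sizeof(portbuf), "[any]");`.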
@@ -734,29 +740,26 @@
 str_upperspec(ulp, p1, p2)
 	u_int ulp, p1, p2;
 {
-	if (ulp == IPSEC_ULPROTO_ANY)
-		printf("any");
-	else if (ulp == IPPROTO_ICMPV6) {
-		printf("icmp6");
-		if (!(p1 == IPSEC_PORT_ANY && p2 == IPSEC_PORT_ANY))
-			printf(" %u,%u", p1, p2);
-	} else {
-		struct protoent *ent;
+	struct protoent *ent;
 
-		switch (ulp) {
-		case IPPROTO_IPV4:
-			printf("ip4");
-			break;
-		default:
-			ent = getprotobynumber((int)ulp);
-			if (ent)
-printf("%s", ent->p_name);
-			else
-printf("%u", ulp);
+	ent = getprotobynumber((int)ulp);
+	if (ent)
+		printf("%s", ent->p_name);
+	else
+		printf("%u", ulp);
 
-			endprotoent();
-			break;
-		}
+	if (p1 == IPSEC_PORT_ANY && p2 == IPSEC_PORT_ANY)
+		return;
+
+	switch (ulp) {
+	case IPPROTO_ICMP:
+	case IPPROTO_ICMPV6:
+	case IPPROTO_MH:
+		printf(" %u,%u", p1, p2);
+		break;
+	case IPPROTO_GRE:
+		printf(" %u", (p1 << 16) + p2);
+		break;
 	}
 }
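Review bot: The rewrite drops the `endprotoent()` that the old `default:` branch called after `getprotobynumber()`; whether the lookup leaves the protocols database open depends on the libc, so restoring the call after the `printf` is the conservative choice. It also removes the explicit `IPSEC_ULPROTO_ANY` to `"any"` and `IPPROTO_IPV4` to `"ip4"` mappings, so unless the callers now handle those values, `getprotobynumber()` on a system whose protocols file lacks the entry prints the raw number where `any` used to appear — confirm against the callers. The trailing `switch (ulp)` has no `default:`, so for every other protocol non-wildcard ports are silently dropped from the output; an explicit `default: break; /* ports only meaningful for the cases above */` documents that this is intended.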
 

Index: src/crypto/dist/ipsec-tools/src/setkey/parse.y
diff -u src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.13 src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.14
--- src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.13	Fri Jun  4 13:06:03 2010
+++ src/crypto/dist/ipsec-tools/src/setkey/parse.y	Fri Dec  3 14:32:52 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: parse.y,v 1.13 2010/06/04 13:06:03 vanhu Exp $	*/
+/*	$NetBSD: parse.y,v 1.14 2010/12/03 14:32:52 tteras Exp $	*/
 
 /*	$KAME: parse.y,v 1.81 2003/07/01 04:01:48 itojun Exp $	*/
 
@@ -57,10 +57,6 @@
 #include "vchar.h"
 #include "extern.h"
 
-#ifndef IPPROTO_MH
-#define IPPROTO_MH		135
-#endif
-
 #define DEFAULT_NATT_PORT	4500
 
 #ifndef UDP_ENCAP_ESPINUDP
@@ -95,7 +91,7 @@
 static int p_aiflags = 0, p_aifamily = PF_UNSPEC;
 
 static struct addrinfo *parse_addr __P((char *, char *));
-static int fix_portstr __P((vchar_t *, vchar_t *, vchar_t *));
+static int fix_portstr __P((int, vchar_t *, vchar_t *, vchar_t *));
 static int setvarbuf __P((char *, int *, struct sadb_ext *, int, 
 const void *, int));
 void parse_init __P((void));
@@ -584,16 +580,8 @@
 #endif
 
 			/* fixed port fields if ulp is icmp */
-			if ($10.buf != NULL) {
-if (($9 != IPPROTO_ICMPV6) &&
-	($9 != IPPROTO_ICMP) &&
-	($9 != IPPROTO_MH))
-	return -1;
-free($5.buf);
-free($8.buf);
-if (fix_portstr(&$10, &$5, &$8))
-	

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2010-12-03 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Dec  3 09:46:24 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c

Log Message:
Netlink deletion notification does not guarantee actual address deletion:
it might still exist on some other interface. Make sure we do not unbind
unless the address is really gone.


To generate a diff of this commit:
cvs rdiff -u -r1.26 -r1.27 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.26 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.27
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.26	Fri Oct 22 06:26:26 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Fri Dec  3 09:46:24 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.26 2010/10/22 06:26:26 tteras Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.27 2010/12/03 09:46:24 tteras Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras .
@@ -319,6 +319,11 @@
 
 #if defined(USE_NETLINK)
 
+static int netlink_fd = -1;
+
+#define NLMSG_TAIL(nmsg) \
+	((struct rtattr *) (((void *) (nmsg)) + NLMSG_ALIGN((nmsg)->nlmsg_len)))
+
 static void
 parse_rtattr(struct rtattr *tb[], int max, struct rtattr *rta, int len)
 {
@@ -331,6 +336,24 @@
 }
 
 static int
+netlink_add_rtattr_l(struct nlmsghdr *n, int maxlen, int type,
+		 const void *data, int alen)
+{
+	int len = RTA_LENGTH(alen);
+	struct rtattr *rta;
+
+	if (NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len) > maxlen)
+		return FALSE;
+
+	rta = NLMSG_TAIL(n);
+	rta->rta_type = type;
+	rta->rta_len = len;
+	memcpy(RTA_DATA(rta), data, alen);
+	n->nlmsg_len = NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len);
+	return TRUE;
+}
+
+static int
 netlink_enumerate(fd, family, type)
 	int fd;
 	int family;
@@ -410,6 +433,42 @@
 #endif
 
 static int
+netlink_route_is_local(int family, const unsigned char *addr, size_t addr_len)
+{
+	struct {
+		struct nlmsghdr n;
+		struct rtmsgr;
+		charbuf[1024];
+	} req;
+	struct rtmsg *r = NLMSG_DATA(&req.n);
+	struct rtattr *rta[RTA_MAX+1];
+	struct sockaddr_nl nladdr;
+	ssize_t rlen;
+
+	memset(&req, 0, sizeof(req));
+	req.n.nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
+	req.n.nlmsg_flags = NLM_F_REQUEST;
+	req.n.nlmsg_type = RTM_GETROUTE;
+	req.r.rtm_family = family;
+	netlink_add_rtattr_l(&req.n, sizeof(req), RTA_DST,
+			 addr, addr_len);
+	req.r.rtm_dst_len = addr_len * 8;
+
+	memset(&nladdr, 0, sizeof(nladdr));
+	nladdr.nl_family = AF_NETLINK;
+
+	if (sendto(netlink_fd, &req, sizeof(req), 0,
+		   (struct sockaddr *) &nladdr, sizeof(nladdr)) < 0)
+		return 0;
+	rlen = recv(netlink_fd, &req, sizeof(req), 0);
+	if (rlen < 0)
+		return 0;
+
+	return  req.n.nlmsg_type == RTM_NEWROUTE &&
+		req.r.rtm_type == RTN_LOCAL;
+}
+
+static int
 netlink_process_route(struct nlmsghdr *h)
 {
 	struct sockaddr_storage addr;
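Review bot: The reply read by `recv(netlink_fd, ...)` in `netlink_route_is_local()` is not validated before `req.n.nlmsg_type` and `req.r.rtm_type` are inspected: `rlen` is only checked for `< 0` rather than with `NLMSG_OK()`, the request carries no `nlmsg_seq`, so a stale or unrelated message on the socket is taken as the answer, and the return value of `netlink_add_rtattr_l()` is ignored. If `netlink_open_socket()` leaves the socket non-blocking, as the "failed to put socket in non-blocking mode" text in a later hunk of this commit suggests, `recv()` can also fail with `EAGAIN` before the kernel replies, and the function then reports "not local" and unbinds an address that still exists. Tag the request with a sequence number, accept only a well-formed reply with that sequence, and either use a blocking socket for this request or wait for readability first; the only caller is in the next hunk (`netlink_process_route`).
```c
	/* … unchanged: request construction … */
	req.n.nlmsg_seq = ++netlink_seq;	/* netlink_seq: constructed name, a static counter declared next to netlink_fd */
	if (!netlink_add_rtattr_l(&req.n, sizeof(req), RTA_DST, addr, addr_len))
		return 0;
	/* … unchanged: nladdr setup and sendto … */
	rlen = recv(netlink_fd, &req, sizeof(req), 0);
	if (rlen < 0 || !NLMSG_OK(&req.n, (size_t) rlen) ||
	    req.n.nlmsg_seq != netlink_seq)
		return 0;

	return  req.n.nlmsg_type == RTM_NEWROUTE &&
		req.r.rtm_type == RTN_LOCAL;
```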
@@ -455,6 +514,18 @@
 		return 0;
 	}
 
+	/* If local route was deleted, check if there is still local
+	 * route for the same IP on another interface */
+	if (h->nlmsg_type == RTM_DELROUTE &&
+	netlink_route_is_local(rtm->rtm_family,
+   RTA_DATA(rta[RTA_DST]),
+   RTA_PAYLOAD(rta[RTA_DST]))) {
+		plog(LLV_DEBUG, LOCATION, NULL,
+			"Netlink: not deleting %s yet, it exists still\n",
+			saddrwop2str((struct sockaddr *) &addr));
+		return 0;
+	}
+
 	netlink_add_del_address(h->nlmsg_type == RTM_NEWROUTE,
 (struct sockaddr *) &addr);
 	return 0;
@@ -518,9 +589,8 @@
 }
 
 static int
-kernel_open_socket()
+netlink_open_socket()
 {
-	struct sockaddr_nl nl;
 	int fd;
 
 	fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
@@ -535,6 +605,25 @@
 		plog(LLV_WARNING, LOCATION, NULL,
 		 "failed to put socket in non-blocking mode\n");
 
+	return fd;
+}
+
+static int
+kernel_open_socket()
+{
+	struct sockaddr_nl nl;
+	int fd;
+
+	if (netlink_fd < 0) {
+		netlink_fd = netlink_open_socket();
+		if (netlink_fd < 0)
+			return -1;
+	}
+
+	fd = netlink_open_socket();
+	if (fd < 0)
+		return fd;
+
 	/* We monitor IPv4 addresses using RTMGRP_IPV4_ROUTE group
 	 * the get the RTN_LOCAL routes which are automatically added
 	 * by kernel. This is because:



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2010-11-17 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Wed Nov 17 10:40:41 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: handler.c handler.h isakmp.c
isakmp_inf.c

Log Message:
Fix my previous patch to not call purge_remote() twice. Change the place
where purge_remote() is called. This fixes also a possible crash from the
same patch since ph1->remote can be NULL (when we are responder and config
is not yet selected).


To generate a diff of this commit:
cvs rdiff -u -r1.33 -r1.34 src/crypto/dist/ipsec-tools/src/racoon/handler.c
cvs rdiff -u -r1.24 -r1.25 src/crypto/dist/ipsec-tools/src/racoon/handler.h
cvs rdiff -u -r1.65 -r1.66 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.43 -r1.44 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/handler.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.33 src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.34
--- src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.33	Thu Oct 21 06:04:33 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.c	Wed Nov 17 10:40:41 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.c,v 1.33 2010/10/21 06:04:33 tteras Exp $	*/
+/*	$NetBSD: handler.c,v 1.34 2010/11/17 10:40:41 tteras Exp $	*/
 
 /* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */
 
@@ -514,6 +514,22 @@
 	LIST_INIT(&ph1tree);
 }
 
+int
+ph1_rekey_enabled(iph1)
+	struct ph1handle *iph1;
+{
+	if (iph1->rmconf == NULL)
+		return 0;
+	if (iph1->rmconf->rekey == REKEY_FORCE)
+		return 1;
+#ifdef ENABLE_DPD
+	if (iph1->rmconf->rekey == REKEY_ON && iph1->dpd_support &&
+	iph1->rmconf->dpd_interval)
+		return 1;
+#endif
+	return 0;
+}
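Review bot: `ph1_rekey_enabled()` is now an exported function with a prototype in handler.h, but it carries no header comment, and the `rmconf == NULL` guard that distinguishes it from the static version it replaces is exactly the case a caller needs to know about. Add above the definition: `/* Return non-zero if phase1 rekeying is enabled for iph1. Safe to call with iph1->rmconf == NULL (responder before a config is selected); returns 0 in that case. */`.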
+
 /* %%% management phase 2 handler */
 
 int

Index: src/crypto/dist/ipsec-tools/src/racoon/handler.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.h:1.24 src/crypto/dist/ipsec-tools/src/racoon/handler.h:1.25
--- src/crypto/dist/ipsec-tools/src/racoon/handler.h:1.24	Fri Nov 12 09:09:47 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.h	Wed Nov 17 10:40:41 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.h,v 1.24 2010/11/12 09:09:47 tteras Exp $	*/
+/*	$NetBSD: handler.h,v 1.25 2010/11/17 10:40:41 tteras Exp $	*/
 
 /* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
 
@@ -493,6 +493,7 @@
 extern int resolveph1rmconf __P((struct ph1handle *));
 extern void flushph1 __P((void));
 extern void initph1tree __P((void));
+extern int ph1_rekey_enabled __P((struct ph1handle *));
 
 extern int enumph2 __P((struct ph2selector *ph2sel,
 			int (* enum_func)(struct ph2handle *iph2, void *arg),

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.65 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.66
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.65	Fri Nov 12 10:36:37 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Wed Nov 17 10:40:41 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.c,v 1.65 2010/11/12 10:36:37 tteras Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.66 2010/11/17 10:40:41 tteras Exp $	*/
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
@@ -766,20 +766,6 @@
 	return 0;
 }
 
-static int
-ph1_rekey_enabled(iph1)
-	struct ph1handle *iph1;
-{
-	if (iph1->rmconf->rekey == REKEY_FORCE)
-		return 1;
-#ifdef ENABLE_DPD
-	if (iph1->rmconf->rekey == REKEY_ON && iph1->dpd_support &&
-	iph1->rmconf->dpd_interval)
-		return 1;
-#endif
-	return 0;
-}
-
 /*
  * main function of phase 1.
  */
@@ -2081,11 +2067,9 @@
 		src, dst, isakmp_pindex(&iph1->index, 0));
 
 	evt_phase1(iph1, EVT_PHASE1_DOWN, NULL);
-
-	if (new_iph1 == NULL && ph1_rekey_enabled(iph1)) {
-		purge_remote(iph1);
+	if (new_iph1 == NULL && ph1_rekey_enabled(iph1))
 		script_hook(iph1, SCRIPT_PHASE1_DEAD);
-	}
+
 	racoon_free(src);
 	racoon_free(dst);
 
@@ -3521,7 +3505,7 @@
 		}
 	}
 
-	/* make source address in spidx */
+		/* make source address in spidx */
 	if (iph2->id_p != NULL
 		&& (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR
 			|| _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR
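Review bot: The only change in this hunk indents `/* make source address in spidx */` one tab deeper than the `if` it introduces, which looks like an accidental whitespace edit unrelated to the purge_remote() rework; restore `\t/* make source address in spidx */` so the comment lines up with the statement below it. The enclosing function starts and ends outside the hunk.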

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.43 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.44
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.43	Fri Nov 12 09:09:47 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Wed Nov 17 10:40:41 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.c,v 1.43 2010/11/12 09:09:47 tteras Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.44 2010/11/17 10:40:41 tteras Exp $	*/
 
 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
 
@@ -516,10 +516,12 @@
 			sched_cancel(&del_ph1->scr);
 
 			/*
-			 * Do not delete IPsec SAs when receiving an IKE delete notification.
-			 * Just delete the IKE SA.
+			 * Delete also IPsec-SAs if rekeying is enabl

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2010-11-12 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Nov 12 10:36:37 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: admin.c isakmp.c isakmp_var.h
pfkey.c

Log Message:
isakmp_post_acquire is now called from admin commands too, add a flag so
admin commands can be used to establish even passive links on demand.


To generate a diff of this commit:
cvs rdiff -u -r1.36 -r1.37 src/crypto/dist/ipsec-tools/src/racoon/admin.c
cvs rdiff -u -r1.64 -r1.65 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.16 -r1.17 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h
cvs rdiff -u -r1.53 -r1.54 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/admin.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.36 src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.37
--- src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.36	Fri Nov 12 09:08:26 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/admin.c	Fri Nov 12 10:36:37 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: admin.c,v 1.36 2010/11/12 09:08:26 tteras Exp $	*/
+/*	$NetBSD: admin.c,v 1.37 2010/11/12 10:36:37 tteras Exp $	*/
 
 /* Id: admin.c,v 1.25 2006/04/06 14:31:04 manubsd Exp */
 
@@ -577,7 +577,7 @@
 			}
 
 			insph2(iph2);
-			if (isakmp_post_acquire(iph2, NULL) < 0) {
+			if (isakmp_post_acquire(iph2, NULL, FALSE) < 0) {
 remph2(iph2);
 delph2(iph2);
 break;
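Review bot: Both visible callers of the new three-argument `isakmp_post_acquire()` pass `FALSE` — this admin.c call and the kernel-acquire path in pfkey.c (the last hunk of this commit, which is cut off) — so with the isakmp.c change `nopassive ? GETRMCONF_F_NO_PASSIVE : 0` and `if (nopassive && rmconf->passive)`, the passive check is now skipped on the pfkey acquire path as well. That contradicts the log message, which only wants admin commands to be able to establish passive links; presumably the pfkey.c call should pass `TRUE`. A one-line comment at the parameter, `/* nopassive: ignore acquires for passive remotes (kernel path); FALSE for admin-initiated SAs */`, would make the intended polarity hard to get wrong.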

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.64 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.65
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.64	Fri Nov 12 09:11:37 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Fri Nov 12 10:36:37 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.c,v 1.64 2010/11/12 09:11:37 tteras Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.65 2010/11/12 10:36:37 tteras Exp $	*/
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
@@ -2166,9 +2166,10 @@
  * if phase1 has been finished, begin phase2.
  */
 int
-isakmp_post_acquire(iph2, iph1hint)
+isakmp_post_acquire(iph2, iph1hint, nopassive)
 	struct ph2handle *iph2;
 	struct ph1handle *iph1hint;
+	int nopassive;
 {
 	struct remoteconf *rmconf;
 	struct ph1handle *iph1 = NULL;
@@ -2185,7 +2186,7 @@
 	 * so no need to bother yet. --arno */
 
 	if (iph1hint == NULL || iph1hint->rmconf == NULL) {
-		rmconf = getrmconf(iph2->dst, GETRMCONF_F_NO_PASSIVE);
+		rmconf = getrmconf(iph2->dst, nopassive ? GETRMCONF_F_NO_PASSIVE : 0);
 		if (rmconf == NULL) {
 			plog(LLV_ERROR, LOCATION, NULL,
 "no configuration found for %s.\n",
@@ -2197,7 +2198,7 @@
 	}
 
 	/* if passive mode, ignore the acquire message */
-	if (rmconf->passive) {
+	if (nopassive && rmconf->passive) {
 		plog(LLV_DEBUG, LOCATION, NULL,
 			"because of passive mode, "
 			"ignore the acquire message for %s.\n",

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h:1.16 src/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h:1.17
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h:1.16	Thu Sep  3 09:29:07 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h	Fri Nov 12 10:36:37 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_var.h,v 1.16 2009/09/03 09:29:07 tteras Exp $	*/
+/*	$NetBSD: isakmp_var.h,v 1.17 2010/11/12 10:36:37 tteras Exp $	*/
 
 /* Id: isakmp_var.h,v 1.12 2005/05/07 14:45:31 manubsd Exp */
 
@@ -87,7 +87,7 @@
 extern void isakmp_ph2delete __P((struct ph2handle *));
 
 extern int isakmp_get_sainfo __P((struct ph2handle *, struct secpolicy *, struct secpolicy *));
-extern int isakmp_post_acquire __P((struct ph2handle *, struct ph1handle *));
+extern int isakmp_post_acquire __P((struct ph2handle *, struct ph1handle *, int));
 extern int isakmp_post_getspi __P((struct ph2handle *));
 extern void isakmp_chkph1there_stub __P((struct sched *));
 extern void isakmp_chkph1there __P((struct ph2handle *));

Index: src/crypto/dist/ipsec-tools/src/racoon/pfkey.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.53 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.54
--- src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.53	Thu Oct 21 06:15:28 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/pfkey.c	Fri Nov 12 10:36:37 2010
@@ -1,6 +1,6 @@
-/*	$NetBSD: pfkey.c,v 1.53 2010/10/21 06:15:28 tteras Exp $	*/
+/*	$NetBSD: pfkey.c,v 1.54 2010/11/12 10:36:37 tteras Exp $	*/
 
-/* $Id: pfkey.c,v 1.53 2010/10/21 06:15:28 tteras Exp $ */
+/* $Id: pfkey.c,v 1.54 2010/11/12 10:36:37 tteras Exp $ */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -1686,7 +1686,7 @@
 		iph2->status = PHASE2ST_STATUS2;
 
 		/* start quick exchange */
-		if (isakmp_post_acquire(iph2, iph1hint) < 0) {
+		if (isakmp_post_acquire(iph2, iph1hint, FALSE) < 0) {
 			plog(LLV_ERROR, LOCATION, iph2->dst,
 "failed 

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2010-11-12 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Nov 12 09:11:37 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp.c

Log Message:
Purge all IPsec-SA's if the last main ISAKMP-SA for the node is deleted
by remote request and the phase1 rekeying is enabled (this will also
trigger the new phase1_dead script hook).


To generate a diff of this commit:
cvs rdiff -u -r1.63 -r1.64 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.63 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.64
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.63	Thu Oct 21 06:15:28 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Fri Nov 12 09:11:37 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.c,v 1.63 2010/10/21 06:15:28 tteras Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.64 2010/11/12 09:11:37 tteras Exp $	*/
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
@@ -766,6 +766,20 @@
 	return 0;
 }
 
+static int
+ph1_rekey_enabled(iph1)
+	struct ph1handle *iph1;
+{
+	if (iph1->rmconf->rekey == REKEY_FORCE)
+		return 1;
+#ifdef ENABLE_DPD
+	if (iph1->rmconf->rekey == REKEY_ON && iph1->dpd_support &&
+	iph1->rmconf->dpd_interval)
+		return 1;
+#endif
+	return 0;
+}
+
 /*
  * main function of phase 1.
  */
@@ -866,13 +880,7 @@
 		migrate_dying_ph12(iph1);
 
 		/* add to the schedule to expire, and seve back pointer. */
-		if ((iph1->rmconf->rekey == REKEY_FORCE)
-#ifdef ENABLE_DPD
-			||
-		(iph1->rmconf->rekey == REKEY_ON && iph1->dpd_support &&
-		 iph1->rmconf->dpd_interval)
-#endif
-			) {
+		if (ph1_rekey_enabled(iph1)) {
 			sched_schedule(&iph1->sce,
    iph1->approval->lifetime *
    PFKEY_SOFT_LIFETIME_RATE / 100,
@@ -2071,7 +2079,13 @@
 	plog(LLV_INFO, LOCATION, NULL,
 		"ISAKMP-SA deleted %s-%s spi:%s\n",
 		src, dst, isakmp_pindex(&iph1->index, 0));
+
 	evt_phase1(iph1, EVT_PHASE1_DOWN, NULL);
+
+	if (new_iph1 == NULL && ph1_rekey_enabled(iph1)) {
+		purge_remote(iph1);
+		script_hook(iph1, SCRIPT_PHASE1_DEAD);
+	}
 	racoon_free(src);
 	racoon_free(dst);
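Review bot: The new guard `if (new_iph1 == NULL && ph1_rekey_enabled(iph1))` at L6495 carries no comment explaining why purging is tied to the rekey setting, and the enclosing function starts outside the hunk. Suggest `/* Last ISAKMP-SA to this peer is gone and we would have re-keyed it: drop its IPsec-SAs and run the phase1_dead hook. */` above it. It is not visible here whether purge_remote() can release or reschedule iph1 itself; if it can, the following script_hook(iph1, ...) would act on stale state, so that ordering is worth confirming.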
 



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2010-11-12 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Nov 12 09:09:48 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: handler.h isakmp_inf.c

Log Message:
Improve DPD sequence checks to allow any reply within the valid sequence window
to be proof of liveness. This can improve things if there are random
packet delays, or if racoon is not getting enough CPU time.


To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.24 src/crypto/dist/ipsec-tools/src/racoon/handler.h
cvs rdiff -u -r1.42 -r1.43 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/handler.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.h:1.23 src/crypto/dist/ipsec-tools/src/racoon/handler.h:1.24
--- src/crypto/dist/ipsec-tools/src/racoon/handler.h:1.23	Thu Oct 21 06:04:33 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.h	Fri Nov 12 09:09:47 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.h,v 1.23 2010/10/21 06:04:33 tteras Exp $	*/
+/*	$NetBSD: handler.h,v 1.24 2010/11/12 09:09:47 tteras Exp $	*/
 
 /* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
 
@@ -202,7 +202,8 @@
 
 #ifdef ENABLE_DPD
 	int		dpd_support;	/* Does remote supports DPD ? */
-	u_int16_t	dpd_seq;		/* DPD seq number to receive */
+	u_int32_t	dpd_last_ack;
+	u_int32_t	dpd_seq;		/* DPD seq number to receive */
 	u_int8_t	dpd_fails;		/* number of failures */
 	struct sched	dpd_r_u;
 #endif
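Review bot: The new field `dpd_last_ack` at L6546 is the only DPD member of this struct without a trailing comment, while its neighbours document their meaning. Given how isakmp_inf.c uses it in this commit, suggest `u_int32_t	dpd_last_ack;	/* highest R-U-There seq acked; a reply is valid in (dpd_last_ack, dpd_seq] */`. A note on the same line that dpd_seq was widened to u_int32_t because the peer echoes the full 32-bit value would also record why the type changed.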

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.42 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.43
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.42	Tue Jun 22 09:41:33 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Fri Nov 12 09:09:47 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.c,v 1.42 2010/06/22 09:41:33 vanhu Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.43 2010/11/12 09:09:47 tteras Exp $	*/
 
 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
 
@@ -1450,17 +1450,16 @@
 	struct isakmp_pl_ru *ru;
 	u_int32_t msgid;
 {
+	u_int32_t seq;
 
 	plog(LLV_DEBUG, LOCATION, iph1->remote,
 		 "DPD R-U-There-Ack received\n");
 
-	/* XXX Maintain window of acceptable sequence numbers ?
-	 * => ru->data <= iph2->dpd_seq &&
-	 *ru->data >= iph2->dpd_seq - iph2->dpd_fails ? */
-	if (ntohl(ru->data) != iph1->dpd_seq-1) {
+	seq = ntohl(ru->data);
+	if (seq <= iph1->dpd_last_ack || seq > iph1->dpd_seq) {
 		plog(LLV_ERROR, LOCATION, iph1->remote,
-			 "Wrong DPD sequence number (%d, %d expected).\n", 
-			 ntohl(ru->data), iph1->dpd_seq-1);
+			 "Wrong DPD sequence number (%d; last_ack=%d, seq=%d).\n", 
+			 seq, iph1->dpd_last_ack, iph1->dpd_seq);
 		return 0;
 	}
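Review bot: The log call at L6580-L6581 prints three u_int32_t values with `%d`; with the widened types from this commit the specifiers should be `%u`, e.g. `"Wrong DPD sequence number (%u; last_ack=%u, seq=%u).\n",`. The window check at L6576 only holds while the counter does not wrap, which at one increment per R-U-There is not a practical concern, but a short comment such as `/* accept any seq we actually sent and have not seen acked yet */` would state the intent. The enclosing function starts outside the hunk.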
 
@@ -1472,6 +1471,7 @@
 	}
 
 	iph1->dpd_fails = 0;
+	iph1->dpd_last_ack = seq;
 	sched_cancel(&iph1->dpd_r_u);
 	isakmp_sched_r_u(iph1, 0);
 
@@ -1536,12 +1536,13 @@
 	memcpy(ru->i_ck, iph1->index.i_ck, sizeof(cookie_t));
 	memcpy(ru->r_ck, iph1->index.r_ck, sizeof(cookie_t));
 
-	if (iph1->dpd_seq == 0){
+	if (iph1->dpd_seq == 0) {
 		/* generate a random seq which is not too big */
-		srand(time(NULL));
-		iph1->dpd_seq = rand() & 0x0fff;
+		iph1->dpd_seq = iph1->dpd_last_ack = rand() & 0x0fff;
 	}
 
+	iph1->dpd_seq++;
+	iph1->dpd_fails++;
 	ru->data = htonl(iph1->dpd_seq);
 
 	error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, 0);
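Review bot: Dropping `srand(time(NULL))` at L6600 leaves the `rand() & 0x0fff` start value at L6602 dependent on whatever seeding the process does elsewhere, which is not visible in this hunk; if nothing seeds it, every racoon start would begin DPD from the same sequence number. A comment saying where seeding happens, or using the daemon's own random source if it has one, would make the intent clear. Note also that L6605-L6606 now bump dpd_seq and dpd_fails before isakmp_info_send_common(), so a failed send still counts as a miss; that matches the old behaviour, but the explanatory comment the old code had at L6614 was lost and is worth keeping.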
@@ -1550,12 +1551,6 @@
 	plog(LLV_DEBUG, LOCATION, iph1->remote,
 		 "DPD R-U-There sent (%d)\n", error);
 
-	/* will be decreased if ACK received... */
-	iph1->dpd_fails++;
-
-	/* XXX should be increased only when ACKed ? */
-	iph1->dpd_seq++;
-
 	/* Reschedule the r_u_there with a short delay,
 	 * will be deleted/rescheduled if ACK received before */
 	isakmp_sched_r_u(iph1, 1);



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2010-11-12 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Nov 12 09:08:26 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: admin.c admin.h kmpstat.c
racoonctl.c

Log Message:
Extend the admin protocol to allow reply packets to exceed 64kb. E.g. SA dumps
with many established SAs can easily be over the limit.


To generate a diff of this commit:
cvs rdiff -u -r1.35 -r1.36 src/crypto/dist/ipsec-tools/src/racoon/admin.c
cvs rdiff -u -r1.7 -r1.8 src/crypto/dist/ipsec-tools/src/racoon/admin.h
cvs rdiff -u -r1.6 -r1.7 src/crypto/dist/ipsec-tools/src/racoon/kmpstat.c
cvs rdiff -u -r1.17 -r1.18 src/crypto/dist/ipsec-tools/src/racoon/racoonctl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/admin.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.35 src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.36
--- src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.35	Thu Oct 21 06:15:28 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/admin.c	Fri Nov 12 09:08:26 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: admin.c,v 1.35 2010/10/21 06:15:28 tteras Exp $	*/
+/*	$NetBSD: admin.c,v 1.36 2010/11/12 09:08:26 tteras Exp $	*/
 
 /* Id: admin.c,v 1.25 2006/04/06 14:31:04 manubsd Exp */
 
@@ -638,9 +638,15 @@
 	}
 
 	combuf = (struct admin_com *) retbuf;
-	combuf->ac_len = tlen;
+	combuf->ac_len = (u_int16_t) tlen;
 	combuf->ac_cmd = req->ac_cmd & ~ADMIN_FLAG_VERSION;
-	combuf->ac_errno = l_ac_errno;
+	if (tlen != (u_int32_t) combuf->ac_len &&
+	l_ac_errno == 0) {
+		combuf->ac_len_high = tlen >> 16;
+		combuf->ac_cmd |= ADMIN_FLAG_LONG_REPLY;
+	} else {
+		combuf->ac_errno = l_ac_errno;
+	}
 	combuf->ac_proto = req->ac_proto;
 
 	if (buf != NULL)
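Review bot: The reply header now encodes lengths above 65535 by splitting tlen across ac_len and ac_len_high (L6668, L6673), but because ac_len_high shares the union with ac_errno, an error reply (l_ac_errno != 0) with tlen > 0xffff would be sent with a truncated ac_len and desynchronise the client. Whether the error path can ever produce such a tlen is not visible in this hunk; if it cannot, a comment on the else branch such as `/* error replies carry ac_errno in the union, so they must fit in 16 bits */` records the invariant, and if it can, the length should be clamped or the reply rejected. The value stored at L6673 is also only meaningful while tlen fits in 32 bits, which depends on tlen's type declared outside the hunk.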

Index: src/crypto/dist/ipsec-tools/src/racoon/admin.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/admin.h:1.7 src/crypto/dist/ipsec-tools/src/racoon/admin.h:1.8
--- src/crypto/dist/ipsec-tools/src/racoon/admin.h:1.7	Fri Aug 29 00:30:15 2008
+++ src/crypto/dist/ipsec-tools/src/racoon/admin.h	Fri Nov 12 09:08:26 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: admin.h,v 1.7 2008/08/29 00:30:15 gmcgarry Exp $	*/
+/*	$NetBSD: admin.h,v 1.8 2010/11/12 09:08:26 tteras Exp $	*/
 
 /* Id: admin.h,v 1.11 2005/06/19 22:37:47 manubsd Exp */
 
@@ -49,16 +49,19 @@
 	union {
 		int16_t ac_un_errno;
 		uint16_t ac_un_version;
+		uint16_t ac_un_len_high;
 	} u;
 	u_int16_t ac_proto;
 };
 #define ac_errno u.ac_un_errno
 #define ac_version u.ac_un_version
+#define ac_len_high u.ac_un_len_high
 
 /*
  * Version field in request is valid.
  */
 #define ADMIN_FLAG_VERSION	0x8000
+#define ADMIN_FLAG_LONG_REPLY	0x8000
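Review bot: `ADMIN_FLAG_LONG_REPLY` at L6708 reuses the value 0x8000 of `ADMIN_FLAG_VERSION`, and nothing says that the bit means one thing in requests and another in replies. Suggest a comment above the new define, e.g. `/* Reply flag (same bit as ADMIN_FLAG_VERSION, which only applies to requests): ac_len_high holds bits 16..31 of the length. */`. A similar note next to `ac_un_len_high` at L6696 would document that it is only valid when this flag is set, since it aliases ac_errno.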
 
 /*
  * No data follows as the data.

Index: src/crypto/dist/ipsec-tools/src/racoon/kmpstat.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/kmpstat.c:1.6 src/crypto/dist/ipsec-tools/src/racoon/kmpstat.c:1.7
--- src/crypto/dist/ipsec-tools/src/racoon/kmpstat.c:1.6	Tue Oct  2 09:47:45 2007
+++ src/crypto/dist/ipsec-tools/src/racoon/kmpstat.c	Fri Nov 12 09:08:26 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: kmpstat.c,v 1.6 2007/10/02 09:47:45 vanhu Exp $	*/
+/*	$NetBSD: kmpstat.c,v 1.7 2010/11/12 09:08:26 tteras Exp $	*/
 
 /*	$KAME: kmpstat.c,v 1.33 2004/08/16 08:20:28 itojun Exp $	*/
 
@@ -138,7 +138,7 @@
 {
 	struct admin_com h, *com;
 	caddr_t buf;
-	int len;
+	int len, rlen;
 	int l = 0;
 	caddr_t p;
 
@@ -153,19 +153,25 @@
 	if (len < sizeof(h))
 		goto bad1;
 
-	if (h.ac_errno) {
+	if (h.ac_errno && !(h.ac_cmd & ADMIN_FLAG_LONG_REPLY)) {
 		errno = h.ac_errno;
 		goto bad1;
 	}
 
+	/* real length */
+	if (h.ac_cmd & ADMIN_FLAG_LONG_REPLY)
+		rlen = ((u_int32_t)h.ac_len) + (((u_int32_t)h.ac_len_high) << 16);
+	else
+		rlen = h.ac_len;
+
 	/* allocate buffer */
-	if ((*combufp = vmalloc(h.ac_len)) == NULL)
+	if ((*combufp = vmalloc(rlen)) == NULL)
 		goto bad1;
 
 	/* read real message */
 	p = (*combufp)->v;
-	while (l < len) {
-		if ((len = recv(so, p, h.ac_len, 0)) < 0) {
+	while (l < rlen) {
+		if ((len = recv(so, p, rlen - l, 0)) < 0) {
 			perror("recv");
 			goto bad2;
 		}

Index: src/crypto/dist/ipsec-tools/src/racoon/racoonctl.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/racoonctl.c:1.17 src/crypto/dist/ipsec-tools/src/racoon/racoonctl.c:1.18
--- src/crypto/dist/ipsec-tools/src/racoon/racoonctl.c:1.17	Mon Apr 20 13:22:00 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/racoonctl.c	Fri Nov 12 09:08:26 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: racoonctl.c,v 1.17 2009/04/20 13:22:00 tteras Exp $	*/
+/*	$NetBSD: racoonctl.c,v 1.18 2010/11/12 09:08:26 tteras Exp $	*/
 
 /*	Id: racoonctl.c,v 1.11 2006/04/06 17:06:25 manubsd Exp */
 
@@ -1426,10 +1426,14 @@
 int len;
 
 	com = (struct admin_com *)combuf->v;
-	len = com->ac_len - sizeof(*com);
+	if (com->ac_cmd & ADMIN_FLAG_LONG_REPLY)
+		len = ((u_int32_t)com->ac_len) + (((u_int32_t)com->ac_len_high) << 16);
+	else
+		len = com->ac_len;
+	len -= sizeof(*com);
 	buf = combuf->v + sizeof(*com);
 
-	sw

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2010-10-21 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Oct 22 06:26:26 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c

Log Message:
Change Linux Netlink address monitoring to monitor local route changes.
This works around a kernel bug, and slightly improves behaviour on some
special cases.


To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.26 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.25 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.26
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.25	Thu Oct 21 06:15:28 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Fri Oct 22 06:26:26 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.25 2010/10/21 06:15:28 tteras Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.26 2010/10/22 06:26:26 tteras Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras .
@@ -358,65 +358,121 @@
 		  (struct sockaddr *) &addr, sizeof(addr)) >= 0;
 }
 
+static void
+netlink_add_del_address(int add, struct sockaddr *saddr)
+{
+	plog(LLV_DEBUG, LOCATION, NULL,
+	 "Netlink: address %s %s\n",
+	 saddrwop2str((struct sockaddr *) saddr),
+	 add ? "added" : "deleted");
+
+	if (add)
+		myaddr_open_all_configured(saddr);
+	else
+		myaddr_close_all_open(saddr);
+}
+
+#ifdef INET6
 static int
-netlink_process(struct nlmsghdr *h)
+netlink_process_addr(struct nlmsghdr *h)
 {
 	struct sockaddr_storage addr;
 	struct ifaddrmsg *ifa;
 	struct rtattr *rta[IFA_MAX+1];
-	struct sockaddr_in *sin;
-#ifdef INET6
 	struct sockaddr_in6 *sin6;
-#endif
-
-	/* is this message interesting? */
-	if (h->nlmsg_type != RTM_NEWADDR &&
-	h->nlmsg_type != RTM_DELADDR)
-		return 0;
 
 	ifa = NLMSG_DATA(h);
 	parse_rtattr(rta, IFA_MAX, IFA_RTA(ifa), IFA_PAYLOAD(h));
 
+	if (ifa->ifa_family != AF_INET6)
+		return 0;
 	if (ifa->ifa_flags & IFA_F_TENTATIVE)
 		return 0;
-
 	if (rta[IFA_LOCAL] == NULL)
 		rta[IFA_LOCAL] = rta[IFA_ADDRESS];
 	if (rta[IFA_LOCAL] == NULL)
 		return 0;
 
-	/* setup the socket address */
 	memset(&addr, 0, sizeof(addr));
 	addr.ss_family = ifa->ifa_family;
-	switch (ifa->ifa_family) {
+	sin6 = (struct sockaddr_in6 *) &addr;
+	memcpy(&sin6->sin6_addr, RTA_DATA(rta[IFA_LOCAL]),
+		sizeof(sin6->sin6_addr));
+	if (!IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))
+		return 0;
+	sin6->sin6_scope_id = ifa->ifa_index;
+
+	netlink_add_del_address(h->nlmsg_type == RTM_NEWADDR,
+(struct sockaddr *) &addr);
+
+	return 0;
+}
+#endif
+
+static int
+netlink_process_route(struct nlmsghdr *h)
+{
+	struct sockaddr_storage addr;
+	struct rtmsg *rtm;
+	struct rtattr *rta[RTA_MAX+1];
+	struct sockaddr_in *sin;
+#ifdef INET6
+	struct sockaddr_in6 *sin6;
+#endif
+
+	rtm = NLMSG_DATA(h);
+
+	/* local IP addresses get local route in the local table */
+	if (rtm->rtm_type != RTN_LOCAL ||
+	rtm->rtm_table != RT_TABLE_LOCAL)
+		return 0;
+
+	parse_rtattr(rta, IFA_MAX, RTM_RTA(rtm), IFA_PAYLOAD(h));
+	if (rta[RTA_DST] == NULL)
+ 		return 0;
+
+	/* setup the socket address */
+	memset(&addr, 0, sizeof(addr));
+	addr.ss_family = rtm->rtm_family;
+	switch (rtm->rtm_family) {
 	case AF_INET:
 		sin = (struct sockaddr_in *) &addr;
-		memcpy(&sin->sin_addr, RTA_DATA(rta[IFA_LOCAL]),
+		memcpy(&sin->sin_addr, RTA_DATA(rta[RTA_DST]),
 			sizeof(sin->sin_addr));
 		break;
 #ifdef INET6
 	case AF_INET6:
 		sin6 = (struct sockaddr_in6 *) &addr;
-		memcpy(&sin6->sin6_addr, RTA_DATA(rta[IFA_LOCAL]),
+		memcpy(&sin6->sin6_addr, RTA_DATA(rta[RTA_DST]),
 			sizeof(sin6->sin6_addr));
+		/* Link-local addresses are handled with RTM_NEWADDR
+		 * notifications */
 		if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))
-			sin6->sin6_scope_id = ifa->ifa_index;
+			return 0;
 		break;
 #endif
 	default:
 		return 0;
 	}
 
-	plog(LLV_DEBUG, LOCATION, NULL,
-	 "Netlink: address %s %s\n",
-	 saddrwop2str((struct sockaddr *) &addr),
-	 h->nlmsg_type == RTM_NEWADDR ? "added" : "deleted");
-
-	if (h->nlmsg_type == RTM_NEWADDR)
-		myaddr_open_all_configured((struct sockaddr *) &addr);
-	else
-		myaddr_close_all_open((struct sockaddr *) &addr);
+	netlink_add_del_address(h->nlmsg_type == RTM_NEWROUTE,
+(struct sockaddr *) &addr);
+	return 0;
+}
 
+static int
+netlink_process(struct nlmsghdr *h)
+{
+	switch (h->nlmsg_type) {
+#ifdef INET6
+	case RTM_NEWADDR:
+	case RTM_DELADDR:
+		return netlink_process_addr(h);
+#endif
+	case RTM_NEWROUTE:
+	case RTM_DELROUTE:
+		return netlink_process_route(h);
+	}
 	return 0;
 }
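Review bot: `parse_rtattr(rta, IFA_MAX, RTM_RTA(rtm), IFA_PAYLOAD(h))` at L6907 applies the ifaddrmsg macros to a route message: the attribute area of an rtmsg begins after `struct rtmsg`, so the length should be `RTM_PAYLOAD(h)`, and the bound should match the array declared `rta[RTA_MAX+1]` at L6894. With IFA_PAYLOAD the parser is told the payload is larger than it is by the difference between the two header sizes, so it can read past the end of the message, and attribute types above IFA_MAX are presumably ignored. Suggest `parse_rtattr(rta, RTA_MAX, RTM_RTA(rtm), RTM_PAYLOAD(h));`. Separately, L6918 and L6925 memcpy sizeof(sin_addr)/sizeof(sin6_addr) from RTA_DATA(rta[RTA_DST]) without comparing RTA_PAYLOAD against that size; whether the socket only ever sees kernel-originated messages is not visible here, so a length check is cheap insurance.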
 
@@ -479,9 +535,26 @@
 		plog(LLV_WARNING, LOCATION, NULL,
 		 "failed to put socket in non-blocking mode\n");
 
+	/* We monitor IPv4 addresses using RTMGRP_IPV4_ROUTE group
+	 * the get the RTN_LOCAL routes which are automatically a

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2010-10-20 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Thu Oct 21 06:15:29 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: admin.c evt.c grabmyaddr.c
isakmp.c pfkey.c session.c session.h

Log Message:
Introduce priorities for the file descriptor polling mechanism and give
priority to the admin port. If the admin port is used by ISAKMP-SA hook scripts
they should be preferred, otherwise heavy traffic can delay admin port
requests considerably. This in turn may cause a renegotiation loop for the
ISAKMP-SA. This is mostly useful for OpenNHRP setups, but can benefit
other setups too.


To generate a diff of this commit:
cvs rdiff -u -r1.34 -r1.35 src/crypto/dist/ipsec-tools/src/racoon/admin.c
cvs rdiff -u -r1.9 -r1.10 src/crypto/dist/ipsec-tools/src/racoon/evt.c
cvs rdiff -u -r1.24 -r1.25 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
cvs rdiff -u -r1.62 -r1.63 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.52 -r1.53 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c
cvs rdiff -u -r1.27 -r1.28 src/crypto/dist/ipsec-tools/src/racoon/session.c
cvs rdiff -u -r1.8 -r1.9 src/crypto/dist/ipsec-tools/src/racoon/session.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/admin.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.34 src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.35
--- src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.34	Thu Oct 21 06:04:33 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/admin.c	Thu Oct 21 06:15:28 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: admin.c,v 1.34 2010/10/21 06:04:33 tteras Exp $	*/
+/*	$NetBSD: admin.c,v 1.35 2010/10/21 06:15:28 tteras Exp $	*/
 
 /* Id: admin.c,v 1.25 2006/04/06 14:31:04 manubsd Exp */
 
@@ -734,7 +734,7 @@
 		return -1;
 	}
 
-	monitor_fd(lcconf->sock_admin, admin_handler, NULL);
+	monitor_fd(lcconf->sock_admin, admin_handler, NULL, 0);
 	plog(LLV_DEBUG, LOCATION, NULL,
 	 "open %s as racoon management.\n", sunaddr.sun_path);
 

Index: src/crypto/dist/ipsec-tools/src/racoon/evt.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/evt.c:1.9 src/crypto/dist/ipsec-tools/src/racoon/evt.c:1.10
--- src/crypto/dist/ipsec-tools/src/racoon/evt.c:1.9	Fri Jan 23 08:05:58 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/evt.c	Thu Oct 21 06:15:28 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: evt.c,v 1.9 2009/01/23 08:05:58 tteras Exp $	*/
+/*	$NetBSD: evt.c,v 1.10 2010/10/21 06:15:28 tteras Exp $	*/
 
 /* Id: evt.c,v 1.5 2006/06/22 20:11:35 manubsd Exp */
 
@@ -373,7 +373,7 @@
 
 	LIST_INSERT_HEAD(list, l, ll_chain);
 	l->fd = fd;
-	monitor_fd(l->fd, evt_unsubscribe_cb, l);
+	monitor_fd(l->fd, evt_unsubscribe_cb, l, 0);
 
 	plog(LLV_DEBUG, LOCATION, NULL,
 	 "[%d] admin connection is polling events\n", fd);

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.24 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.25
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.24	Wed Oct 20 10:56:39 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Thu Oct 21 06:15:28 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.24 2010/10/20 10:56:39 tteras Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.25 2010/10/21 06:15:28 tteras Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras .
@@ -297,7 +297,7 @@
 		lcconf->rtsock = kernel_open_socket();
 		if (lcconf->rtsock < 0)
 			return -1;
-		monitor_fd(lcconf->rtsock, kernel_receive, NULL);
+		monitor_fd(lcconf->rtsock, kernel_receive, NULL, 0);
 	} else {
 		lcconf->rtsock = -1;
 		if (!myaddr_open_all_configured(NULL))

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.62 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.63
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.62	Wed Oct 20 13:37:37 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Thu Oct 21 06:15:28 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.c,v 1.62 2010/10/20 13:37:37 tteras Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.63 2010/10/21 06:15:28 tteras Exp $	*/
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
@@ -1727,7 +1727,7 @@
 	 "%s used as isakmp port (fd=%d)\n",
 	 saddr2str(addr), fd);
 
-	monitor_fd(fd, isakmp_handler, NULL);
+	monitor_fd(fd, isakmp_handler, NULL, 1);
 	return fd;
 
 err:

Index: src/crypto/dist/ipsec-tools/src/racoon/pfkey.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.52 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.53
--- src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.52	Tue Feb  9 23:05:16 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/pfkey.c	Thu Oct 21 06:15:28 2010
@@ -1,6 +1,6 @@
-/*	$NetBSD: pfkey.c,v 1.52 2010/02/09 23:05:16 wiz Exp $	*/
+/*	$NetBSD: pfkey.c,v 1.53 2010/10/21 06:15:28 tteras Exp $	*/
 
-/* $Id: pfkey.c,v 1.52 2010/02/09 23:05:16 wiz

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2010-10-20 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Thu Oct 21 06:04:33 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: admin.c handler.c handler.h

Log Message:
Remove the initial-contact entry when all ISAKMP-SAs are purged via the admin port.
This will avoid stale security associations if some of the delete
notifications happen to get lost.


To generate a diff of this commit:
cvs rdiff -u -r1.33 -r1.34 src/crypto/dist/ipsec-tools/src/racoon/admin.c
cvs rdiff -u -r1.32 -r1.33 src/crypto/dist/ipsec-tools/src/racoon/handler.c
cvs rdiff -u -r1.22 -r1.23 src/crypto/dist/ipsec-tools/src/racoon/handler.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/admin.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.33 src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.34
--- src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.33	Wed Sep 22 13:37:35 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/admin.c	Thu Oct 21 06:04:33 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: admin.c,v 1.33 2010/09/22 13:37:35 vanhu Exp $	*/
+/*	$NetBSD: admin.c,v 1.34 2010/10/21 06:04:33 tteras Exp $	*/
 
 /* Id: admin.c,v 1.25 2006/04/06 14:31:04 manubsd Exp */
 
@@ -299,9 +299,8 @@
 		break;
 
 	case ADMIN_DELETE_SA: {
-		struct ph1handle *iph1;
-		struct ph1selector sel;
 		char *loc, *rem;
+		struct ph1selector sel;
 
 		memset(&sel, 0, sizeof(sel));
 		sel.local = (struct sockaddr *)
@@ -319,6 +318,7 @@
 		plog(LLV_INFO, LOCATION, NULL,
 		 "admin delete-sa %s %s\n", loc, rem);
 		enumph1(&sel, admin_ph1_delete_sa, NULL);
+		remcontacted(sel.remote);
 
 		racoon_free(loc);
 		racoon_free(rem);
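Review bot: `remcontacted(sel.remote)` at L7151 is called unconditionally after enumph1(); if the request can leave sel.remote NULL (its assignment is outside the hunk), the new function passes NULL into cmpsaddr(), and whether that is tolerated is not visible here. Suggest either `if (sel.remote != NULL) remcontacted(sel.remote);` or a comment recording that ADMIN_DELETE_SA always carries a remote address. A one-line comment on why the contacted entry is dropped here (the commit message's reason: lost delete notifications leaving stale SAs) would also help the next reader.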

Index: src/crypto/dist/ipsec-tools/src/racoon/handler.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.32 src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.33
--- src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.32	Thu Mar 11 15:44:48 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.c	Thu Oct 21 06:04:33 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.c,v 1.32 2010/03/11 15:44:48 christos Exp $	*/
+/*	$NetBSD: handler.c,v 1.33 2010/10/21 06:04:33 tteras Exp $	*/
 
 /* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */
 
@@ -966,6 +966,22 @@
 }
 
 void
+remcontacted(remote)
+	struct sockaddr *remote;
+{
+	struct contacted *p;
+
+	LIST_FOREACH(p, &ctdtree, chain) {
+		if (cmpsaddr(remote, p->remote) == 0) {
+			LIST_REMOVE(p, chain);
+			racoon_free(p->remote);
+			racoon_free(p);
+			break;
+		}
+	}	
+}
+
+void
 initctdtree()
 {
 	LIST_INIT(&ctdtree);
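Review bot: remcontacted() at L7170 has no comment, unlike the purpose its caller in admin.c implies. Suggest a header comment such as `/* Drop the "contacted" record for remote, if any, so a later negotiation with this peer is presumably handled as a first contact again. */`. The loop removes only the first match and breaks, which is fine if inscontacted() keeps one entry per address but is worth stating; there is also trailing whitespace after the closing brace at L7182.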

Index: src/crypto/dist/ipsec-tools/src/racoon/handler.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.h:1.22 src/crypto/dist/ipsec-tools/src/racoon/handler.h:1.23
--- src/crypto/dist/ipsec-tools/src/racoon/handler.h:1.22	Thu Sep  3 09:29:07 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.h	Thu Oct 21 06:04:33 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.h,v 1.22 2009/09/03 09:29:07 tteras Exp $	*/
+/*	$NetBSD: handler.h,v 1.23 2010/10/21 06:04:33 tteras Exp $	*/
 
 /* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
 
@@ -518,6 +518,7 @@
 
 extern struct contacted *getcontacted __P((struct sockaddr *));
 extern int inscontacted __P((struct sockaddr *));
+extern void remcontacted __P((struct sockaddr *));
 extern void initctdtree __P((void));
 
 extern int check_recvdpkt __P((struct sockaddr *,



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2010-10-20 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Wed Oct 20 13:40:02 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: crypto_openssl.c

Log Message:
Use high-level openssl EVP and HMAC functions when possible: this allows
openssl to perform hardware acceleration if available.


To generate a diff of this commit:
cvs rdiff -u -r1.19 -r1.20 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.19 src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.20
--- src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.19	Wed Apr 29 10:50:01 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c	Wed Oct 20 13:40:02 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.c,v 1.19 2009/04/29 10:50:01 tteras Exp $	*/
+/*	$NetBSD: crypto_openssl.c,v 1.20 2010/10/20 13:40:02 tteras Exp $	*/
 
 /* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
 
@@ -1800,6 +1800,42 @@
 	return (caddr_t)c;
 }
 
+static vchar_t *eay_hmac_one(key, data, type)
+	vchar_t *key, *data;
+	const EVP_MD *type;
+{
+	vchar_t *res;
+
+	if ((res = vmalloc(EVP_MD_size(type))) == 0)
+		return NULL;
+
+	if (!HMAC(type, (void *) key->v, key->l,
+		  (void *) data->v, data->l, (void *) res->v, NULL)) {
+		vfree(res);
+		return NULL;
+	}
+
+	return res;
+}
+
+static vchar_t *eay_digest_one(data, type)
+	vchar_t *data;
+	const EVP_MD *type;
+{
+	vchar_t *res;
+
+	if ((res = vmalloc(EVP_MD_size(type))) == 0)
+		return NULL;
+
+	if (!EVP_Digest((void *) data->v, data->l,
+			(void *) res->v, NULL, type, NULL)) {
+		vfree(res);
+		return NULL;
+	}
+
+	return res;
+}
+
 #ifdef WITH_SHA2
 /*
  * HMAC SHA2-512
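Review bot: `vmalloc(EVP_MD_size(type)) == 0` at L7255 and L7273 compares a pointer against 0; use `== NULL` as the rest of the file's allocation checks presumably do. key->l and data->l are handed to HMAC() and EVP_Digest(), whose length parameters are int and size_t respectively; if vchar_t's length field is wider than int (its type is outside this hunk), values above INT_MAX would be silently narrowed, so an explicit cast or a comment stating the assumption would make that visible. Neither helper has a comment; suggest `/* One-shot HMAC of data under key with digest type; returns a new vchar_t the caller frees, or NULL on failure. */` and the analogous line for eay_digest_one.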
@@ -1808,14 +1844,7 @@
 eay_hmacsha2_512_one(key, data)
 	vchar_t *key, *data;
 {
-	vchar_t *res;
-	caddr_t ctx;
-
-	ctx = eay_hmacsha2_512_init(key);
-	eay_hmacsha2_512_update(ctx, data);
-	res = eay_hmacsha2_512_final(ctx);
-
-	return(res);
+	return eay_hmac_one(key, data, EVP_sha2_512());
 }
 
 caddr_t
@@ -1865,14 +1894,7 @@
 eay_hmacsha2_384_one(key, data)
 	vchar_t *key, *data;
 {
-	vchar_t *res;
-	caddr_t ctx;
-
-	ctx = eay_hmacsha2_384_init(key);
-	eay_hmacsha2_384_update(ctx, data);
-	res = eay_hmacsha2_384_final(ctx);
-
-	return(res);
+	return eay_hmac_one(key, data, EVP_sha2_384());
 }
 
 caddr_t
@@ -1922,14 +1944,7 @@
 eay_hmacsha2_256_one(key, data)
 	vchar_t *key, *data;
 {
-	vchar_t *res;
-	caddr_t ctx;
-
-	ctx = eay_hmacsha2_256_init(key);
-	eay_hmacsha2_256_update(ctx, data);
-	res = eay_hmacsha2_256_final(ctx);
-
-	return(res);
+	return eay_hmac_one(key, data, EVP_sha2_256());
 }
 
 caddr_t
@@ -1980,14 +1995,7 @@
 eay_hmacsha1_one(key, data)
 	vchar_t *key, *data;
 {
-	vchar_t *res;
-	caddr_t ctx;
-
-	ctx = eay_hmacsha1_init(key);
-	eay_hmacsha1_update(ctx, data);
-	res = eay_hmacsha1_final(ctx);
-
-	return(res);
+	return eay_hmac_one(key, data, EVP_sha1());
 }
 
 caddr_t
@@ -2037,14 +2045,7 @@
 eay_hmacmd5_one(key, data)
 	vchar_t *key, *data;
 {
-	vchar_t *res;
-	caddr_t ctx;
-
-	ctx = eay_hmacmd5_init(key);
-	eay_hmacmd5_update(ctx, data);
-	res = eay_hmacmd5_final(ctx);
-
-	return(res);
+	return eay_hmac_one(key, data, EVP_md5());
 }
 
 caddr_t
@@ -2130,14 +2131,7 @@
 eay_sha2_512_one(data)
 	vchar_t *data;
 {
-	caddr_t ctx;
-	vchar_t *res;
-
-	ctx = eay_sha2_512_init();
-	eay_sha2_512_update(ctx, data);
-	res = eay_sha2_512_final(ctx);
-
-	return(res);
+	return eay_digest_one(data, EVP_sha512());
 }
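Review bot: `EVP_sha512()` at L7380 names the same digest that L7300 calls `EVP_sha2_512()`, while L7396 and L7412 use the `EVP_sha2_*` spelling for the other sizes. Whichever name this tree actually provides (any compatibility macros are outside the hunk), the HMAC and plain-digest paths should agree so that a build with only one spelling available does not fail in just one of them. Suggest one spelling throughout, e.g. `return eay_digest_one(data, EVP_sha2_512());` to match L7300.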
 
 int
@@ -2190,14 +2184,7 @@
 eay_sha2_384_one(data)
 	vchar_t *data;
 {
-	caddr_t ctx;
-	vchar_t *res;
-
-	ctx = eay_sha2_384_init();
-	eay_sha2_384_update(ctx, data);
-	res = eay_sha2_384_final(ctx);
-
-	return(res);
+	return eay_digest_one(data, EVP_sha2_384());
 }
 
 int
@@ -2250,14 +2237,7 @@
 eay_sha2_256_one(data)
 	vchar_t *data;
 {
-	caddr_t ctx;
-	vchar_t *res;
-
-	ctx = eay_sha2_256_init();
-	eay_sha2_256_update(ctx, data);
-	res = eay_sha2_256_final(ctx);
-
-	return(res);
+	return eay_digest_one(data, EVP_sha2_256());
 }
 
 int
@@ -2309,14 +2289,7 @@
 eay_sha1_one(data)
 	vchar_t *data;
 {
-	caddr_t ctx;
-	vchar_t *res;
-
-	ctx = eay_sha1_init();
-	eay_sha1_update(ctx, data);
-	res = eay_sha1_final(ctx);
-
-	return(res);
+	return eay_digest_one(data, EVP_sha1());
 }
 
 int
@@ -2367,14 +2340,7 @@
 eay_md5_one(data)
 	vchar_t *data;
 {
-	caddr_t ctx;
-	vchar_t *res;
-
-	ctx = eay_md5_init();
-	eay_md5_update(ctx, data);
-	res = eay_md5_final(ctx);
-
-	return(res);
+	return eay_digest_one(data, EVP_md5());
 }
 
 int



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2010-10-20 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Wed Oct 20 13:37:37 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp.c isakmp_quick.c

Log Message:
Various improvements to error log messages, and a few additional error log
messages, to make error conditions easier to diagnose.


To generate a diff of this commit:
cvs rdiff -u -r1.61 -r1.62 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.26 -r1.27 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.61 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.62
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.61	Tue Jun 22 09:41:33 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Wed Oct 20 13:37:37 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.c,v 1.61 2010/06/22 09:41:33 vanhu Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.62 2010/10/20 13:37:37 tteras Exp $	*/
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
@@ -810,7 +810,8 @@
 
 		if (iph1->side == RESPONDER && iph1->status == PHASE1ST_START) {
 			plog(LLV_ERROR, LOCATION, iph1->remote,
-"failed to pre-process packet.\n");
+"failed to pre-process ph1 packet (side: %d, status %d).\n",
+iph1->side, iph1->status);
 			return -1;
 		} else {
 			/* ignore the error and keep phase 1 handler */
@@ -838,7 +839,8 @@
 			[iph1->side]
 			[iph1->status])(iph1, msg) != 0) {
 		plog(LLV_ERROR, LOCATION, iph1->remote,
-			"failed to process packet.\n");
+			"failed to process ph1 packet (side: %d, status: %d).\n",
+			iph1->side, iph1->status);
 		return -1;
 	}
 
@@ -990,7 +992,8 @@
 			[iph2->status])(iph2, msg);
 	if (error != 0) {
 		plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
-			"failed to pre-process packet.\n");
+			"failed to pre-process ph2 packet (side: %d, status %d).\n",
+			iph2->side, iph2->status);
 		if (error == ISAKMP_INTERNAL_ERROR)
 			return 0;
 		isakmp_info_send_n1(iph2->ph1, error, NULL);
@@ -1018,7 +1021,8 @@
 			[iph2->side]
 			[iph2->status])(iph2, msg) != 0) {
 		plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
-			"failed to process packet.\n");
+			"failed to process ph2 packet (side: %d, status: %d).\n",
+			iph2->side, iph2->status);
 		return -1;
 	}
 
@@ -1226,7 +1230,8 @@
 			[iph1->side]
 			[iph1->status])(iph1, msg) < 0) {
 		plog(LLV_ERROR, LOCATION, remote,
-			"failed to process packet.\n");
+			"failed to process ph1 packet (side: %d, status: %d).\n",
+			iph1->side, iph1->status);
 		remph1(iph1);
 		delph1(iph1);
 		return -1;
@@ -1379,7 +1384,8 @@
 	   [iph2->status])(iph2, msg);
 	if (error != 0) {
 		plog(LLV_ERROR, LOCATION, iph1->remote,
-			"failed to pre-process packet.\n");
+			"failed to pre-process ph2 packet (side: %d, status: %d).\n",
+			iph2->side, iph2->status);
 		if (error != ISAKMP_INTERNAL_ERROR)
 			isakmp_info_send_n1(iph2->ph1, error, NULL);
 		/*
@@ -1397,7 +1403,8 @@
 			[iph2->side]
 			[iph2->status])(iph2, msg) < 0) {
 		plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
-			"failed to process packet.\n");
+			"failed to process ph2 packet (side: %d, status: %d).\n",
+			iph2->side, iph2->status);
 		/* don't release handler */
 		return -1;
 	}

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c:1.26 src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c:1.27
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c:1.26	Fri Jul  3 06:41:46 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c	Wed Oct 20 13:37:37 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_quick.c,v 1.26 2009/07/03 06:41:46 tteras Exp $	*/
+/*	$NetBSD: isakmp_quick.c,v 1.27 2010/10/20 13:37:37 tteras Exp $	*/
 
 /* Id: isakmp_quick.c,v 1.29 2006/08/22 18:17:17 manubsd Exp */
 
@@ -495,18 +495,27 @@
 	"isn't supported.\n");
 break;
 			}
-			if (isakmp_p2ph(&iph2->sa_ret, pa->ptr) < 0)
+			if (isakmp_p2ph(&iph2->sa_ret, pa->ptr) < 0) {
+plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+	"duplicate ISAKMP_NPTYPE_SA.\n");
 goto end;
+			}
 			break;
 
 		case ISAKMP_NPTYPE_NONCE:
-			if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0)
+			if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) {
+plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+	"duplicate ISAKMP_NPTYPE_NONCE.\n");
 goto end;
+			}
 			break;
 
 		case ISAKMP_NPTYPE_KE:
-			if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0)
+			if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) {
+plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+	"duplicate ISAKMP_NPTYPE_KE.\n");
 goto end;
+			}
 			break;
 
 		case ISAKMP_NPTYPE_ID:
@@ -517,6 +526,8 @@
 if (isakmp_p2ph(&idcr, pa->ptr) < 0)
 	goto end;
 			} else {
+plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+	"too many ISAKMP_NPTYPE_ID payloads.\n");

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2010-10-20 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Wed Oct 20 10:56:40 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c

Log Message:
Fix the address comparison so we actually close sockets that were bound to
an IP address that got deconfigured.


To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.24 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.23 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.24
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.23	Fri Jul  3 06:41:46 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Wed Oct 20 10:56:39 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.23 2009/07/03 06:41:46 tteras Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.24 2010/10/20 10:56:39 tteras Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras .
@@ -187,8 +187,9 @@
 	for (my = LIST_FIRST(&opened); my; my = next) {
 		next = LIST_NEXT(my, chain);
 
-		if (!cmpsaddr((struct sockaddr *) &addr,
-			  (struct sockaddr *) &my->addr))
+		if (cmpsaddr((struct sockaddr *) addr,
+			 (struct sockaddr *) &my->addr)
+		<= CMPSADDR_WOP_MATCH)
 			myaddr_delete(my);
 	}
 }
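Review bot: The new condition `<= CMPSADDR_WOP_MATCH` needs a one-line comment, because a reader has to know the ordering of cmpsaddr()'s return values to see that it closes every socket bound to the address regardless of port; suggest `/* port is irrelevant: every socket bound to the removed address must go */` above the if. The cast also changed from `&addr` to `addr`, so addr is presumably now a pointer; if its declared type is already `struct sockaddr *` the cast is redundant and would hide a future type mismatch, but the function's signature is outside the hunk. Taking `next` before myaddr_delete(my) keeps the list walk safe, and the change preserves that.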