CVS commit: src/crypto/dist/ipsec-tools/src
Module Name:src Committed By: vanhu Date: Thu Nov 29 15:31:25 UTC 2012 Modified Files: src/crypto/dist/ipsec-tools/src/racoon: algorithm.c algorithm.h cfparse.y cftoken.l crypto_openssl.c crypto_openssl.h ipsec_doi.c ipsec_doi.h pfkey.c racoon.conf.5 strnames.c src/crypto/dist/ipsec-tools/src/setkey: token.l Log Message: Added support for AES GCM 16 in phase2 negociations. Code from Christophe Carre / NETASQ To generate a diff of this commit: cvs rdiff -u -r1.8 -r1.9 src/crypto/dist/ipsec-tools/src/racoon/algorithm.c cvs rdiff -u -r1.5 -r1.6 src/crypto/dist/ipsec-tools/src/racoon/algorithm.h cvs rdiff -u -r1.47 -r1.48 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y \ src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c cvs rdiff -u -r1.26 -r1.27 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l cvs rdiff -u -r1.21 -r1.22 \ src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c cvs rdiff -u -r1.7 -r1.8 \ src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h cvs rdiff -u -r1.13 -r1.14 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.h cvs rdiff -u -r1.58 -r1.59 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c cvs rdiff -u -r1.64 -r1.65 \ src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 cvs rdiff -u -r1.9 -r1.10 src/crypto/dist/ipsec-tools/src/racoon/strnames.c cvs rdiff -u -r1.17 -r1.18 src/crypto/dist/ipsec-tools/src/setkey/token.l Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/src/racoon/algorithm.c diff -u src/crypto/dist/ipsec-tools/src/racoon/algorithm.c:1.8 src/crypto/dist/ipsec-tools/src/racoon/algorithm.c:1.9 --- src/crypto/dist/ipsec-tools/src/racoon/algorithm.c:1.8 Fri Oct 6 12:02:27 2006 +++ src/crypto/dist/ipsec-tools/src/racoon/algorithm.c Thu Nov 29 15:31:24 2012 
@@ -1,4 +1,4 @@ -/* $NetBSD: algorithm.c,v 1.8 2006/10/06 12:02:27 manu Exp $ */ +/* $NetBSD: algorithm.c,v 1.9 2012/11/29 15:31:24 vanhu Exp $ */ /* Id: algorithm.c,v 1.15 2006/05/23 20:23:09 manubsd Exp */ @@ -165,6 +165,9 @@ static struct enc_algorithm ipsec_encdef { aes, algtype_aes, IPSECDOI_ESP_AES, 16, NULL, NULL, NULL, eay_aes_keylen, }, +{ aes_gcm_16, algtype_aesgcm16, IPSECDOI_ESP_AESGCM16, 16, + NULL, NULL, + NULL, eay_aesgcm_keylen, }, { twofish, algtype_twofish, IPSECDOI_ESP_TWOFISH, 16, NULL, NULL, NULL, eay_twofish_keylen, }, @@ -798,6 +801,7 @@ default_keylen(class, type) case algtype_rc5: case algtype_cast128: case algtype_aes: + case algtype_aesgcm16: case algtype_twofish: case algtype_camellia: return 128; @@ -834,6 +838,7 @@ check_keylen(class, type, len) case algtype_rc5: case algtype_cast128: case algtype_aes: + case algtype_aesgcm16: case algtype_twofish: case algtype_camellia: if (len % 8 != 0) { @@ -863,6 +868,10 @@ check_keylen(class, type, len) if (!(len == 128 || len == 192 || len == 256)) badrange++; break; + case algtype_aesgcm16: + if (!(len == 128 || len == 192 || len == 256)) + badrange++; + break; case algtype_twofish: if (len 40 || 256 len) badrange++; Index: src/crypto/dist/ipsec-tools/src/racoon/algorithm.h diff -u src/crypto/dist/ipsec-tools/src/racoon/algorithm.h:1.5 src/crypto/dist/ipsec-tools/src/racoon/algorithm.h:1.6 --- src/crypto/dist/ipsec-tools/src/racoon/algorithm.h:1.5 Fri Oct 6 12:02:27 2006 +++ src/crypto/dist/ipsec-tools/src/racoon/algorithm.h Thu Nov 29 15:31:24 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: algorithm.h,v 1.5 2006/10/06 12:02:27 manu Exp $ */ +/* $NetBSD: algorithm.h,v 1.6 2012/11/29 15:31:24 vanhu Exp $ */ /* Id: algorithm.h,v 1.10 2005/04/09 16:25:23 manubsd Exp */ 
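Review bot: The new `case algtype_aesgcm16:` added to check_keylen() at @@ -863 repeats the `algtype_aes` body line for line (`if (!(len == 128 || len == 192 || len == 256)) badrange++;`), so the two labels should share one body: place `case algtype_aesgcm16:` directly under `case algtype_aes:` and drop the copied block, as the commit already does for default_keylen() and the `len % 8` check. The ipsec_encdef entry at @@ -165 registers no encrypt/decrypt callbacks, which is only correct as long as racoon merely negotiates this cipher for the kernel and never runs it itself; a one-line comment on the entry saying so would stop the NULLs from being read as an omission. Note also that `len` in check_keylen() is the configured key size, not the keymat length handed to the kernel (the cfparse.y hunk in this commit says GCM keymat carries 4 extra salt bytes), and a comment on the aes_gcm_16 case making that distinction explicit would help the next reader. The switch bodies of default_keylen() and check_keylen() extend beyond these hunks.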
@@ -69,6 +69,7 @@ enum algtype { algtype_rc4, algtype_null_enc, algtype_aes, + algtype_aesgcm16, algtype_twofish, algtype_camellia, Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.47 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.48 --- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.47 Sun Jan 1 16:14:11 2012 +++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y Thu Nov 29 15:31:24 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: cfparse.y,v 1.47 2012/01/01 16:14:11 tteras Exp $ */ +/* $NetBSD: cfparse.y,v 1.48 2012/11/29 15:31:24 vanhu Exp $ */ /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */ @@ -1722,6 +1722,7 @@ algorithm : ALGORITHMTYPE keylength { int defklen; + int encklen_tmp; $$ = newsainfoalg(); if ($$ == NULL) { @@ -1754,9 +1755,35 @@ algorithm else $$-encklen = defklen; + /* Check keymat size instead of human key size + * because kernel store keymat size instead of human key size. + * For example, the keymat size of aes_gcm_16 128 is 160 bits + * (128 bits + 4 bytes) instead of 128 bits. + * + * Currently, it is only useful for aes_gcm_16 (ipsec_enc). + */ + if (cur_algclass
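Review bot: `algtype_aesgcm16` is inserted in the middle of `enum algtype`, which renumbers `algtype_twofish`, `algtype_camellia` and every member after them. Inside a single racoon binary that is harmless, but if any of these values is ever written out or compared against a value produced by another build (persisted state, the admin-port protocol, a script matching the numeric value) the old numbering silently changes; appending the new member at the end of the encryption group, or adding a comment stating that the enum is never serialized, settles the question. I cannot see from this hunk whether the values leave the process, so treat this as something to confirm rather than a known bug.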
CVS commit: src/crypto/dist/ipsec-tools/src/racoon
Module Name:src Committed By: vanhu Date: Thu Nov 17 14:41:55 UTC 2011 Modified Files: src/crypto/dist/ipsec-tools/src/racoon: handler.c Log Message: fixed some crashes in LIST_FOREACH where current element could be removed during the loop To generate a diff of this commit: cvs rdiff -u -r1.39 -r1.40 src/crypto/dist/ipsec-tools/src/racoon/handler.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/src/racoon/handler.c diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.39 src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.40 --- src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.39 Mon Mar 14 17:18:12 2011 +++ src/crypto/dist/ipsec-tools/src/racoon/handler.c Thu Nov 17 14:41:55 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: handler.c,v 1.39 2011/03/14 17:18:12 tteras Exp $ */ +/* $NetBSD: handler.c,v 1.40 2011/11/17 14:41:55 vanhu Exp $ */ /* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */ @@ -611,9 +611,11 @@ getph2byid(src, dst, spid) struct sockaddr *src, *dst; u_int32_t spid; { - struct ph2handle *p; + struct ph2handle *p, *next; + + for (p = LIST_FIRST(ph2tree); p; p = next) { + next = LIST_NEXT(p, chain); - LIST_FOREACH(p, ph2tree, chain) { if (spid == p-spid cmpsaddr(src, p-src) = CMPSADDR_WILDPORT_MATCH cmpsaddr(dst, p-dst) = CMPSADDR_WILDPORT_MATCH){ @@ -985,9 +987,11 @@ void remcontacted(remote) struct sockaddr *remote; { - struct contacted *p; + struct contacted *p, *next; + + for (p = LIST_FIRST(ctdtree); p; p = next) { + next = LIST_NEXT(p, chain); - LIST_FOREACH(p, ctdtree, chain) { if (cmpsaddr(remote, p-remote) = CMPSADDR_WILDPORT_MATCH) { LIST_REMOVE(p, chain); racoon_free(p-remote); 
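Review bot: The rewritten walk in getph2byid() (and in remcontacted() below it) is safe only when the loop body removes the current element and nothing else: `next` is captured before the body runs, so if whatever the body calls on a match (the rest of the function lies outside this hunk) can also tear down a second handle, `next` is already dangling when the loop continues. If that can happen, the robust shape is to restart from the list head after a removal, or to return right after the single removal, rather than continue with a saved pointer. A comment on the loop, `/* the body may free p, so next is fetched before it runs */`, would record the assumption for the next maintainer.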
@@ -1555,10 +1559,12 @@ int purgeph1bylogin(login) char *login; { - struct ph1handle *p; + struct ph1handle *p, *next; int found = 0; - LIST_FOREACH(p, ph1tree, chain) { + for (p = LIST_FIRST(ph1tree); p; p = next) { + next = LIST_NEXT(p, chain); + if (p-mode_cfg == NULL) continue; if (strncmp(p-mode_cfg-login, login, LOGINLEN) == 0) {
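Review bot: This is the third site in the commit that hand-rolls the same save-next loop (`for (p = LIST_FIRST(...); p; p = next) { next = LIST_NEXT(p, chain); ...`); a single `LIST_FOREACH_SAFE(p, &ph1tree, chain, next)` macro, taken from a newer sys/queue.h or defined once in a local header for platforms that lack it, would make the intent obvious and keep the three copies from drifting apart. In purgeph1bylogin() the code that actually removes the handle lies past the hunk, so whether it deletes exactly one element per match is something I cannot confirm from here.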
CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon
Module Name:src Committed By: vanhu Date: Thu Nov 17 14:46:31 UTC 2011 Modified Files: src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]: handler.c Log Message: fixed some crashes in LIST_FOREACH where current element could be removed during the loop To generate a diff of this commit: cvs rdiff -u -r1.39 -r1.39.2.1 \ src/crypto/dist/ipsec-tools/src/racoon/handler.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/src/racoon/handler.c diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.39 src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.39.2.1 --- src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.39 Mon Mar 14 17:18:12 2011 +++ src/crypto/dist/ipsec-tools/src/racoon/handler.c Thu Nov 17 14:46:31 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: handler.c,v 1.39 2011/03/14 17:18:12 tteras Exp $ */ +/* $NetBSD: handler.c,v 1.39.2.1 2011/11/17 14:46:31 vanhu Exp $ */ /* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */ @@ -611,9 +611,11 @@ getph2byid(src, dst, spid) struct sockaddr *src, *dst; u_int32_t spid; { - struct ph2handle *p; + struct ph2handle *p, *next; + + for (p = LIST_FIRST(ph2tree); p; p = next) { + next = LIST_NEXT(p, chain); - LIST_FOREACH(p, ph2tree, chain) { if (spid == p-spid cmpsaddr(src, p-src) = CMPSADDR_WILDPORT_MATCH cmpsaddr(dst, p-dst) = CMPSADDR_WILDPORT_MATCH){ @@ -985,9 +987,11 @@ void remcontacted(remote) struct sockaddr *remote; { - struct contacted *p; + struct contacted *p, *next; + + for (p = LIST_FIRST(ctdtree); p; p = next) { + next = LIST_NEXT(p, chain); - LIST_FOREACH(p, ctdtree, chain) { if (cmpsaddr(remote, p-remote) = CMPSADDR_WILDPORT_MATCH) { LIST_REMOVE(p, chain); racoon_free(p-remote); 
@@ -1555,10 +1559,12 @@ int purgeph1bylogin(login) char *login; { - struct ph1handle *p; + struct ph1handle *p, *next; int found = 0; - LIST_FOREACH(p, ph1tree, chain) { + for (p = LIST_FIRST(ph1tree); p; p = next) { + next = LIST_NEXT(p, chain); + if (p-mode_cfg == NULL) continue; if (strncmp(p-mode_cfg-login, login, LOGINLEN) == 0) {
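Review bot: This branch backport mirrors r1.40 on HEAD, and the one thing I would still add here is a comment above each converted loop recording why LIST_FOREACH cannot be used: `/* the body may free p: fetch next before it runs */`. Without it, the next cleanup pass on the branch is likely to fold these loops back into LIST_FOREACH and reintroduce the crash. The removal code in each loop body lies outside the hunks, so the fix assumes the body frees only the current element.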
CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools
Module Name:src Committed By: vanhu Date: Fri Mar 18 13:20:27 UTC 2011 Modified Files: src/crypto/dist/ipsec-tools [ipsec-tools-0_8-branch]: NEWS Log Message: updated News for 0.8 branch To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.4.6.1 src/crypto/dist/ipsec-tools/NEWS Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/NEWS diff -u src/crypto/dist/ipsec-tools/NEWS:1.4 src/crypto/dist/ipsec-tools/NEWS:1.4.6.1 --- src/crypto/dist/ipsec-tools/NEWS:1.4 Fri Jan 23 09:40:56 2009 +++ src/crypto/dist/ipsec-tools/NEWS Fri Mar 18 13:20:27 2011 @@ -1,6 +1,6 @@ Version history: -0.8 CVS (no official release yet) +0.8 - 18 March 2011 o Fix authentication method ambiguity with kerberos and xauth o RFC2253 compliant escaping of asn1dn identifiers (Cyrus Rahman) o Local address code rewrite to speed things up @@ -12,6 +12,8 @@ o Rewritten event handling framework for admin port o Ability to initiate IPsec SA through admin port o NAT-T Original Address handling (transport mode NAT-T support) + o clean NAT-T - PFkey support + o support for multiple anonymous remoteconfs o Remove various obsolete configuration options o A lot of other bug fixes, performance improvements and clean ups
CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools
Module Name:src Committed By: vanhu Date: Fri Mar 18 13:25:12 UTC 2011 Modified Files: src/crypto/dist/ipsec-tools [ipsec-tools-0_8-branch]: configure.ac Log Message: Yes: 0.8.0 is out !!! To generate a diff of this commit: cvs rdiff -u -r1.10 -r1.10.6.1 src/crypto/dist/ipsec-tools/configure.ac Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/configure.ac diff -u src/crypto/dist/ipsec-tools/configure.ac:1.10 src/crypto/dist/ipsec-tools/configure.ac:1.10.6.1 --- src/crypto/dist/ipsec-tools/configure.ac:1.10 Fri Jan 23 08:25:06 2009 +++ src/crypto/dist/ipsec-tools/configure.ac Fri Mar 18 13:25:12 2011 @@ -2,7 +2,7 @@ dnl Id: configure.ac,v 1.77 2006/07/20 19:19:27 manubsd Exp AC_PREREQ(2.52) -AC_INIT(ipsec-tools, CVS) +AC_INIT(ipsec-tools, 0.8.0) AC_CONFIG_SRCDIR([configure.ac]) AM_CONFIG_HEADER(config.h)
CVS commit: src/crypto/dist/ipsec-tools/src/racoon
Module Name:src Committed By: vanhu Date: Thu Mar 17 14:35:24 UTC 2011 Modified Files: src/crypto/dist/ipsec-tools/src/racoon: oakley.c Log Message: fixed a memory leak in oakley_check_certid(). patch by Roman Hoog Antink r...@open.ch To generate a diff of this commit: cvs rdiff -u -r1.19 -r1.20 src/crypto/dist/ipsec-tools/src/racoon/oakley.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/crypto/dist/ipsec-tools/src/racoon/oakley.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.19 src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.20
--- src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.19 Sun Feb 20 17:32:02 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/oakley.c Thu Mar 17 14:35:24 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: oakley.c,v 1.19 2011/02/20 17:32:02 tteras Exp $ */
+/* $NetBSD: oakley.c,v 1.20 2011/03/17 14:35:24 vanhu Exp $ */
/* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */
@@ -1862,10 +1862,11 @@
hints.ai_socktype = SOCK_RAW;
hints.ai_flags = AI_NUMERICHOST;
error = getaddrinfo(altname, NULL, hints, res);
+ racoon_free(altname);
+ altname = NULL;
if (error != 0) {
plog(LLV_ERROR, LOCATION, NULL,
no proper subjectAltName.\n);
- racoon_free(altname);
return ISAKMP_NTYPE_INVALID_CERTIFICATE;
}
switch (res-ai_family) {
@@ -1880,7 +1881,6 @@
default:
plog(LLV_ERROR, LOCATION, NULL,
family not supported: %d.\n, res-ai_family);
- racoon_free(altname);
freeaddrinfo(res);
return ISAKMP_NTYPE_INVALID_CERTIFICATE;
}
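Review bot: With `altname` now freed and NULLed immediately after getaddrinfo(), the remainder of oakley_check_certid() (outside the hunk, after the switch) must not reference it any more; the `altname = NULL` turns any leftover use into a NULL dereference instead of a use-after-free, which is the right trade, but a grep of the rest of the function for `altname` is warranted before this is considered complete. A comment on the free, `/* altname is only needed as getaddrinfo() input */`, would make the early release look intentional rather than misplaced. `AI_NUMERICHOST` is already set, so this path performs no DNS lookups on certificate-supplied text, a property worth keeping.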
CVS commit: src/crypto/dist/ipsec-tools/src/racoon
Module Name:src Committed By: vanhu Date: Thu Mar 17 14:39:07 UTC 2011 Modified Files: src/crypto/dist/ipsec-tools/src/racoon: oakley.c Log Message: free name later, to avoid a memory use after free in oakley_check_certid(). also give iph1-remote to some plog() calls. patch by Roman Hoog Antink r...@open.ch To generate a diff of this commit: cvs rdiff -u -r1.20 -r1.21 src/crypto/dist/ipsec-tools/src/racoon/oakley.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/src/racoon/oakley.c diff -u src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.20 src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.21 --- src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.20 Thu Mar 17 14:35:24 2011 +++ src/crypto/dist/ipsec-tools/src/racoon/oakley.c Thu Mar 17 14:39:06 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: oakley.c,v 1.20 2011/03/17 14:35:24 vanhu Exp $ */ +/* $NetBSD: oakley.c,v 1.21 2011/03/17 14:39:06 vanhu Exp $ */ /* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */ @@ -1791,7 +1791,7 @@ return 0; if (iph1-id_p == NULL || iph1-cert_p == NULL) { - plog(LLV_ERROR, LOCATION, NULL, no ID nor CERT found.\n); + plog(LLV_ERROR, LOCATION, iph1-remote, no ID nor CERT found.\n); return ISAKMP_NTYPE_INVALID_ID_INFORMATION; } 
@@ -1802,26 +1802,28 @@ case IPSECDOI_ID_DER_ASN1_DN: name = eay_get_x509asn1subjectname(iph1-cert_p); if (!name) { - plog(LLV_ERROR, LOCATION, NULL, + plog(LLV_ERROR, LOCATION, iph1-remote, failed to get subjectName\n); return ISAKMP_NTYPE_INVALID_CERTIFICATE; } if (idlen != name-l) { - plog(LLV_ERROR, LOCATION, NULL, + plog(LLV_ERROR, LOCATION, iph1-remote, Invalid ID length in phase 1.\n); vfree(name); return ISAKMP_NTYPE_INVALID_ID_INFORMATION; } error = memcmp(id_b + 1, name-v, idlen); - vfree(name); if (error != 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(LLV_ERROR, LOCATION, iph1-remote, ID mismatched with ASN1 SubjectName.\n); plogdump(LLV_DEBUG, id_b + 1, idlen); plogdump(LLV_DEBUG, name-v, idlen); - if (iph1-rmconf-verify_identifier) + if (iph1-rmconf-verify_identifier) { +vfree(name); return ISAKMP_NTYPE_INVALID_ID_INFORMATION; + } } + vfree(name); return 0; case IPSECDOI_ID_IPV4_ADDR: case IPSECDOI_ID_IPV6_ADDR:
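Review bot: The fix leaves two `vfree(name)` calls and an asymmetric exit: on a mismatch with `verify_identifier` off the code now falls through to `vfree(name); return 0;`, meaning the peer's ID is accepted although it does not match the certificate subject, and only the log line records it. That behaviour is pre-existing and policy-driven, but it deserves an explicit comment such as `/* verify_identifier off: log the mismatch but accept the peer */` before the fall-through so the `return 0` is not mistaken for a bug later. A single exit would also remove the duplicate free: inside the mismatch branch set `error = iph1->rmconf->verify_identifier ? ISAKMP_NTYPE_INVALID_ID_INFORMATION : 0;` and then finish with `vfree(name); return error;` once. The `plogdump(LLV_DEBUG, name->v, idlen)` that the old code read after the free is safe now because `idlen == name->l` was checked above.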
CVS commit: src/crypto/dist/ipsec-tools/src/racoon
Module Name:src Committed By: vanhu Date: Thu Mar 17 14:42:58 UTC 2011 Modified Files: src/crypto/dist/ipsec-tools/src/racoon: oakley.c Log Message: fixed a memory leak in oakley_append_rmconf_cr() while generating plist. patch by Roman Hoog Antink r...@open.ch To generate a diff of this commit: cvs rdiff -u -r1.21 -r1.22 src/crypto/dist/ipsec-tools/src/racoon/oakley.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/crypto/dist/ipsec-tools/src/racoon/oakley.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.21 src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.22
--- src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.21 Thu Mar 17 14:39:06 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/oakley.c Thu Mar 17 14:42:58 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: oakley.c,v 1.21 2011/03/17 14:39:06 vanhu Exp $ */
+/* $NetBSD: oakley.c,v 1.22 2011/03/17 14:42:58 vanhu Exp $ */
/* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */
@@ -2288,7 +2288,7 @@
s_isakmp_certtype(buf-v[0]));
plogdump(LLV_DEBUG, buf-v, buf-l);
- actx-plist = isakmp_plist_append(actx-plist, buf, ISAKMP_NPTYPE_CR);
+ actx-plist = isakmp_plist_append_full(actx-plist, buf, ISAKMP_NPTYPE_CR, 1);
err:
vfree(asn1dn);
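Review bot: The trailing `1` passed to isakmp_plist_append_full() is unexplained at the call site; if it means the payload list now owns `buf` and frees it together with the list, say so in a comment, `/* plist takes ownership of buf */`, and confirm that no path reaching `err:` also frees `buf`, otherwise this leak fix becomes a double free. The visible `err:` label frees only `asn1dn`, which is consistent with that reading, but the rest of oakley_append_rmconf_cr() lies outside the hunk.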
CVS commit: src/crypto/dist/ipsec-tools/src/racoon
Module Name:src Committed By: vanhu Date: Tue Mar 15 13:20:14 UTC 2011 Modified Files: src/crypto/dist/ipsec-tools/src/racoon: isakmp.c isakmp_inf.c pfkey.c Log Message: directly call isakmp_ph1delete() instead of scheduling isakmp_ph1delete_stub(), as it is useless an can lead to memory access after free To generate a diff of this commit: cvs rdiff -u -r1.70 -r1.71 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c cvs rdiff -u -r1.46 -r1.47 \ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c cvs rdiff -u -r1.56 -r1.57 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.70 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.71 --- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.70 Mon Mar 14 17:18:12 2011 +++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c Tue Mar 15 13:20:14 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: isakmp.c,v 1.70 2011/03/14 17:18:12 tteras Exp $ */ +/* $NetBSD: isakmp.c,v 1.71 2011/03/15 13:20:14 vanhu Exp $ */ /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */ @@ -2018,7 +2018,7 @@ iph1-status = PHASE1ST_EXPIRED; } - sched_schedule(iph1-sce, 1, isakmp_ph1delete_stub); + isakmp_ph1delete(iph1); } /* called from scheduler */ 
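Review bot: isakmp_ph1delete() now frees `iph1` synchronously inside isakmp_ph1expire(), so the function must not touch `iph1` after the call; in this hunk nothing follows it, which is fine, but the same substitution is made at three more call sites in this commit and each needs the same check. Adding `/* iph1 is freed here; do not use it afterwards */` above the call would keep later edits to the function from appending code that dereferences a dead handle.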
@@ -2046,20 +2046,16 @@ /* Discard any left phase2s */ for (p = LIST_FIRST(iph1-ph2tree); p; p = next) { next = LIST_NEXT(p, ph1bind); - if (p-status = PHASE2ST_ESTABLISHED) - unbindph12(p); - /* Should we also remove non established ph2 - * handles, as we just invalidated ph1handle ? + if (p-status == PHASE2ST_ESTABLISHED) + isakmp_info_send_d2(p); + /* remove all ph2 handles, + * as ph1handle will be expired soon */ + delete_spd(p, 1); + remph2(p); + delph2(p); } - if (LIST_FIRST(iph1-ph2tree) != NULL) { - sched_schedule(iph1-sce, 1, isakmp_ph1delete_stub); - return; - } - - /* don't re-negosiation when the phase 1 SA expires. */ - src = racoon_strdup(saddr2str(iph1-local)); dst = racoon_strdup(saddr2str(iph1-remote)); STRDUP_FATAL(src); @@ -3397,7 +3393,7 @@ purged ISAKMP-SA spi=%s.\n, isakmp_pindex((iph1-index), iph1-msgid)); - sched_schedule(iph1-sce, 1, isakmp_ph1delete_stub); + isakmp_ph1delete(iph1); } void Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.46 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.47 --- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.46 Mon Mar 14 17:18:13 2011 +++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c Tue Mar 15 13:20:14 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: isakmp_inf.c,v 1.46 2011/03/14 17:18:13 tteras Exp $ */ +/* $NetBSD: isakmp_inf.c,v 1.47 2011/03/15 13:20:14 vanhu Exp $ */ /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */ @@ -1094,7 +1094,7 @@ isakmp_pindex(spi[i], 0)); iph1-status = PHASE1ST_EXPIRED; - sched_schedule(iph1-sce, 1, isakmp_ph1delete_stub); + isakmp_ph1delete(iph1); } } Index: src/crypto/dist/ipsec-tools/src/racoon/pfkey.c diff -u src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.56 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.57 --- src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.56 Mon Mar 14 17:18:13 2011 +++ src/crypto/dist/ipsec-tools/src/racoon/pfkey.c Tue Mar 15 13:20:14 2011 
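Review bot: The rewritten cleanup loop in isakmp_ph1delete() sends a phase-2 delete for established handles and then removes every ph2 bound to the ph1, which is the right behaviour, but `delete_spd(p, 1)` hides what the `1` means and the loop deserves a comment explaining the ordering: notify the peer first, while the ph1 can still be used to send, then tear down the SPD entry and the handle. Since most callers mark the ph1 `PHASE1ST_EXPIRED` before calling this, confirm that isakmp_info_send_d2() still transmits under an expired ph1; if it silently drops, the peer keeps the dead SAs until its own lifetime runs out. `next` is read before each body, so the removals inside the loop are safe, and the function continues beyond the hunk.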
@@ -1,6 +1,6 @@ -/* $NetBSD: pfkey.c,v 1.56 2011/03/14 17:18:13 tteras Exp $ */ +/* $NetBSD: pfkey.c,v 1.57 2011/03/15 13:20:14 vanhu Exp $ */ -/* $Id: pfkey.c,v 1.56 2011/03/14 17:18:13 tteras Exp $ */ +/* $Id: pfkey.c,v 1.57 2011/03/15 13:20:14 vanhu Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -2901,7 +2901,7 @@ rmconf = getrmconf(ma-remote, 0); if (rmconf == NULL || !rmconf-passive) { iph1-status = PHASE1ST_EXPIRED; - sched_schedule(iph1-sce, 1, isakmp_ph1delete_stub); + isakmp_ph1delete(iph1); /* This is unlikely, but let's just check if a Phase 1 * for the new addresses already exist */
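Review bot: After the direct `isakmp_ph1delete(iph1);` in pfkey.c the comment says the code goes on to check whether a phase 1 for the new addresses already exists; that code is past the hunk, and if it still reads `iph1` (the old `sched_schedule` form left the handle alive until the next scheduler tick, so such a read used to work) it is now a use-after-free. Either reassign `iph1` from the lookup before any further use or add `iph1 = NULL;` immediately after the delete so a stale reference fails loudly rather than reading freed memory.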
CVS commit: src/crypto/dist/ipsec-tools/src/racoon
Module Name:src Committed By: vanhu Date: Mon Mar 14 09:19:24 UTC 2011 Modified Files: src/crypto/dist/ipsec-tools/src/racoon: handler.c Log Message: check if we got RMCONF_ERR_MULTIPLE from getrmconf_by_ph1() in revalidate_ph1tree_rmconf() To generate a diff of this commit: cvs rdiff -u -r1.36 -r1.37 src/crypto/dist/ipsec-tools/src/racoon/handler.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/crypto/dist/ipsec-tools/src/racoon/handler.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.36 src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.37
--- src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.36 Fri Mar 11 14:30:07 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.c Mon Mar 14 09:19:23 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: handler.c,v 1.36 2011/03/11 14:30:07 vanhu Exp $ */
+/* $NetBSD: handler.c,v 1.37 2011/03/14 09:19:23 vanhu Exp $ */
/* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */
@@ -1486,6 +1486,7 @@ static int revalidate_ph1tree_rmconf(void)
{
struct ph1handle *p, *next;
+ struct remoteconf *rmconf;
for (p = LIST_FIRST(ph1tree); p; p = next) {
next = LIST_NEXT(p, chain);
@@ -1495,9 +1496,11 @@
if (p-rmconf == NULL)
continue;
- p-rmconf = getrmconf_by_ph1(p);
- if (p-rmconf == NULL || p-rmconf == RMCONF_ERR_MULTIPLE)
+ rmconf = getrmconf_by_ph1(p);
+ if (rmconf == NULL || rmconf == RMCONF_ERR_MULTIPLE)
remove_ph1(p);
+ else
+ p-rmconf = rmconf;
}
return 1;
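Review bot: Keeping the lookup result in a local before deciding is the right fix, but remove_ph1(p) still runs with `p->rmconf` pointing at the configuration that was current before the reload; if the old remoteconf list has already been released by the time this revalidation runs, remove_ph1() (which sends a delete and then calls isakmp_ph1delete() directly, per r1.36 in this series) reads freed memory through that pointer. Worth confirming the order of flushrmconf() and this revalidation on reload, and, if the callee tolerates it, clearing `p->rmconf = NULL;` before `remove_ph1(p);`. A comment on the `RMCONF_ERR_MULTIPLE` branch saying that an ambiguous match after reload is treated like no match would also help.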
CVS commit: src/crypto/dist/ipsec-tools/src/racoon
Module Name:src Committed By: vanhu Date: Mon Mar 14 14:54:07 UTC 2011 Modified Files: src/crypto/dist/ipsec-tools/src/racoon: handler.c Log Message: removed an useless comment To generate a diff of this commit: cvs rdiff -u -r1.37 -r1.38 src/crypto/dist/ipsec-tools/src/racoon/handler.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/src/racoon/handler.c diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.37 src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.38 --- src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.37 Mon Mar 14 09:19:23 2011 +++ src/crypto/dist/ipsec-tools/src/racoon/handler.c Mon Mar 14 14:54:07 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: handler.c,v 1.37 2011/03/14 09:19:23 vanhu Exp $ */ +/* $NetBSD: handler.c,v 1.38 2011/03/14 14:54:07 vanhu Exp $ */ /* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */ @@ -1447,7 +1447,6 @@ * - delete SPIs in kernel * - delete generated SPD * - unbind / rem / del ph2 - * - XXX shoudld also send a delete-sa !? */ purge_ipsec_spi(iph2-dst, iph2-approval-head-proto_id, spis, 2);
CVS commit: src/crypto/dist/ipsec-tools/src/racoon
Module Name:src Committed By: vanhu Date: Mon Mar 14 15:50:37 UTC 2011 Modified Files: src/crypto/dist/ipsec-tools/src/racoon: cfparse.y isakmp_xauth.c isakmp_xauth.h remoteconf.c remoteconf.h rsalist.c rsalist.h Log Message: avoid some memory leaks / free memory access when reloading conf and have inherited config. patch from Roman Hoog Antink r...@open.ch To generate a diff of this commit: cvs rdiff -u -r1.41 -r1.42 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y cvs rdiff -u -r1.21 -r1.22 \ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c cvs rdiff -u -r1.6 -r1.7 \ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h cvs rdiff -u -r1.25 -r1.26 \ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c cvs rdiff -u -r1.15 -r1.16 \ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h cvs rdiff -u -r1.5 -r1.6 src/crypto/dist/ipsec-tools/src/racoon/rsalist.c \ src/crypto/dist/ipsec-tools/src/racoon/rsalist.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.41 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.42 --- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.41 Wed Mar 2 14:58:27 2011 +++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y Mon Mar 14 15:50:36 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: cfparse.y,v 1.41 2011/03/02 14:58:27 vanhu Exp $ */ +/* $NetBSD: cfparse.y,v 1.42 2011/03/14 15:50:36 vanhu Exp $ */ /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */ @@ -145,6 +145,7 @@ static struct secprotospec *newspspec __P((void)); static void insspspec __P((struct remoteconf *, struct secprotospec *)); +void dupspspec_list __P((struct remoteconf *dst, struct remoteconf *src)); void flushspspec __P((struct remoteconf *)); static void adminsock_conf __P((vchar_t *, vchar_t *, vchar_t *, int)); 
@@ -1629,7 +1630,7 @@ return -1; } - new = duprmconf(from); + new = duprmconf_shallow(from); if (new == NULL) { yyerror(failed to duplicate remoteconf from \%s\., $4-v); @@ -1674,13 +1675,14 @@ return -1; } - new = duprmconf(from); + new = duprmconf_shallow(from); if (new == NULL) { yyerror(failed to duplicate remoteconf from %s., saddr2str($4)); return -1; } + racoon_free($4); new-remote = $2; cur_rmconf = new; } @@ -1727,11 +1729,19 @@ return -1; } } - + + if (duprmconf_finish(cur_rmconf)) +return -1; + +#if 0 + /* this pointer copy will never happen, because duprmconf_shallow + * already copied all pointers. + */ if (cur_rmconf-spspec == NULL cur_rmconf-inherited_from != NULL) { cur_rmconf-spspec = cur_rmconf-inherited_from-spspec; } +#endif if (set_isakmp_proposal(cur_rmconf) != 0) return -1; @@ -2415,6 +2425,62 @@ rmconf-spspec = spspec; } +static struct secprotospec * +dupspspec(spspec) + struct secprotospec *spspec; +{ + struct secprotospec *new; + + new = newspspec(); + if (new == NULL) { + plog(LLV_ERROR, LOCATION, NULL, + dupspspec: malloc failed\n); + return NULL; + } + memcpy(new, spspec, sizeof(*new)); + + if (spspec-gssid) { + new-gssid = racoon_strdup(spspec-gssid); + STRDUP_FATAL(new-gssid); + } + if (spspec-remote) { + new-remote = racoon_malloc(sizeof(*new-remote)); + if (new-remote == NULL) { + plog(LLV_ERROR, LOCATION, NULL, + dupspspec: malloc failed (remote)\n); + return NULL; + } + memcpy(new-remote, spspec-remote, sizeof(*new-remote)); + } + + return new; +} + +/* + * copy the whole list + */ +void +dupspspec_list(dst, src) + struct remoteconf *dst, *src; +{ + struct secprotospec *p, *new, *last; + + for(p = src-spspec, last = NULL; p; p = p-next, last = new) { + new = dupspspec(p); + if (new == NULL) + exit(1); + + new-prev = last; + new-next = NULL; /* not necessary but clean */ + + if (last) + last-next = new; + else /* first element */ + dst-spspec = new; + + } +} + /* * delete the whole list */ 
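Review bot: The `#if 0` block kept in the inherit rule (the `spspec == NULL && inherited_from != NULL` pointer copy) is dead code with a comment explaining why it can never run; delete it rather than disabling it, since the explanation belongs next to duprmconf_shallow() and `#if 0` blocks tend to be resurrected by the next merge. The `duprmconf_finish(cur_rmconf)` call that replaces it has its error return checked, which is good; the surrounding grammar action extends beyond the hunk.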
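Review bot: dupspspec() leaks on its second failure path: when `racoon_malloc()` for `new->remote` fails it returns NULL with `new` and the `new->gssid` duplicate just above still allocated. Release them before returning, `racoon_free(new->gssid); racoon_free(new); return NULL;`. The function also relies on `memcpy(new, spspec, sizeof(*new))` copying the `prev`/`next` links, which dupspspec_list() then overwrites; a comment, `/* list links are fixed up by dupspspec_list() */`, makes that safe to read. Separately, dupspspec_list() calls `exit(1)` on allocation failure during a configuration reload, which takes the whole IKE daemon down; racoon already applies that policy through STRDUP_FATAL, but if it is deliberate here a comment should say so.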
@@ -2430,8 +2496,13 @@ if (p-next != NULL) p-next-prev = NULL; /* not necessary but clean */ - racoon_free(p); + if (p-gssid) + racoon_free(p-gssid); + if (p-remote) + racoon_free(p-remote); + racoon_free(p); } + rmconf-spspec = NULL; } /* set final acceptable proposal */ Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.21 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.22 --- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.21 Mon Sep 27 11:57:59 2010 +++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c Mon Mar 14 15:50:36 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: isakmp_xauth.c,v 1.21 2010/09/27 11:57:59 vanhu Exp $ */ +/* $NetBSD: isakmp_xauth.c,v 1.22 2011/03/14 15:50:36 vanhu Exp $ */ /* Id: isakmp_xauth.c,v
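Review bot: flushspspec() now releases `gssid` and `remote` and resets `rmconf->spspec`, which closes the leak and prevents a dangling list head, but the `if (p->gssid)` / `if (p->remote)` guards are redundant if racoon_free() is a plain free() wrapper, since freeing NULL is a no-op; `racoon_free(p->gssid); racoon_free(p->remote); racoon_free(p);` reads cleaner. If racoon_free() does something beyond free() on a NULL argument, keep the guards and add a comment saying why. The loop head of this function lies outside the hunk.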
CVS commit: src/crypto/dist/ipsec-tools/src/racoon
Module Name:src Committed By: vanhu Date: Fri Mar 11 14:30:07 UTC 2011 Modified Files: src/crypto/dist/ipsec-tools/src/racoon: handler.c isakmp.c Log Message: directly delete a ph1 in remove_ph1-) instead of scheduling it, to avoid (completely ?) a race condition when reloading configuration To generate a diff of this commit: cvs rdiff -u -r1.35 -r1.36 src/crypto/dist/ipsec-tools/src/racoon/handler.c cvs rdiff -u -r1.68 -r1.69 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/src/racoon/handler.c diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.35 src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.36 --- src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.35 Tue Dec 28 06:00:18 2010 +++ src/crypto/dist/ipsec-tools/src/racoon/handler.c Fri Mar 11 14:30:07 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: handler.c,v 1.35 2010/12/28 06:00:18 tteras Exp $ */ +/* $NetBSD: handler.c,v 1.36 2011/03/11 14:30:07 vanhu Exp $ */ /* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */ @@ -1447,6 +1447,7 @@ * - delete SPIs in kernel * - delete generated SPD * - unbind / rem / del ph2 + * - XXX shoudld also send a delete-sa !? */ purge_ipsec_spi(iph2-dst, iph2-approval-head-proto_id, spis, 2); @@ -1474,7 +1475,11 @@ isakmp_info_send_d1(iph1); } iph1-status = PHASE1ST_EXPIRED; - sched_schedule(iph1-sce, 1, isakmp_ph1delete_stub); + /* directly call isakmp_ph1delete to avoid as possible a race + * condition where we'll try to access iph1-rmconf after it has + * freed + */ + isakmp_ph1delete(iph1); } Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.68 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.69 --- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.68 Tue Mar 1 14:33:58 2011 +++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c Fri Mar 11 14:30:07 2011 
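Review bot: The new comment above `isakmp_ph1delete(iph1);` in remove_ph1() is hard to parse (`to avoid as possible a race condition where we'll try to access iph1->rmconf after it has freed`); rewrite it as `/* Delete synchronously: a scheduled delete could run after a config reload has freed iph1->rmconf. */`. Because the call now frees `iph1` inside remove_ph1(), every caller that loops over ph1tree must fetch the next element before calling this function; a note on remove_ph1() itself, `/* iph1 is freed on return */`, makes that contract explicit. The `XXX shoudld also send a delete-sa !?` comment added at @@ -1447 has a typo (`should`) and is removed again in r1.38 in this series.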
@@ -1,4 +1,4 @@ -/* $NetBSD: isakmp.c,v 1.68 2011/03/01 14:33:58 vanhu Exp $ */ +/* $NetBSD: isakmp.c,v 1.69 2011/03/11 14:30:07 vanhu Exp $ */ /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */ @@ -2048,6 +2048,9 @@ next = LIST_NEXT(p, ph1bind); if (p-status = PHASE2ST_ESTABLISHED) unbindph12(p); + /* Should we also remove non established ph2 + * handles, as we just invalidated ph1handle ? + */ } if (LIST_FIRST(iph1-ph2tree) != NULL) {
CVS commit: src/crypto/dist/ipsec-tools/src/racoon
Module Name:src Committed By: vanhu Date: Wed Mar 2 14:49:21 UTC 2011 Modified Files: src/crypto/dist/ipsec-tools/src/racoon: cfparse.y prsa_par.y Log Message: fixed some memory leaks during configuration parsing. patch by Roman Hoog Antink r...@open.ch To generate a diff of this commit: cvs rdiff -u -r1.39 -r1.40 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y cvs rdiff -u -r1.5 -r1.6 src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.39 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.40 --- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.39 Tue Mar 1 14:14:50 2011 +++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y Wed Mar 2 14:49:21 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: cfparse.y,v 1.39 2011/03/01 14:14:50 vanhu Exp $ */ +/* $NetBSD: cfparse.y,v 1.40 2011/03/02 14:49:21 vanhu Exp $ */ /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */ @@ -423,13 +423,16 @@ : X_ISAKMP ike_addrinfo_port { myaddr_listen($2, FALSE); + racoon_free($2); } EOS | X_ISAKMP_NATT ike_addrinfo_port { #ifdef ENABLE_NATT myaddr_listen($2, TRUE); + racoon_free($2); #else + racoon_free($2); yyerror(NAT-T support not compiled in.); #endif } Index: src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y diff -u src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y:1.5 src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y:1.6 --- src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y:1.5 Thu Feb 10 11:17:17 2011 +++ src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y Wed Mar 2 14:49:21 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: prsa_par.y,v 1.5 2011/02/10 11:17:17 tteras Exp $ */ +/* $NetBSD: prsa_par.y,v 1.6 2011/03/02 14:49:21 vanhu Exp $ */ /* Id: prsa_par.y,v 1.3 2004/11/08 12:04:23 ludvigm Exp */ 
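Review bot: The `racoon_free($2)` after myaddr_listen() assumes myaddr_listen() copies the address rather than keeping the pointer; that is not visible here, so if it stores `$2` on its listen list this trades a leak for a use-after-free, and should be confirmed before merging. Once confirmed, the free is written twice inside the `#ifdef ENABLE_NATT`/`#else` branches of the X_ISAKMP_NATT rule; moving a single `racoon_free($2);` after `#endif` removes the duplication, provided yyerror() merely records the error and does not unwind.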
@@ -211,6 +211,7 @@ YYABORT; } $$ = base64_pubkey2rsa($2); + free($2); } | TAG_PUB HEX { @@ -256,6 +257,7 @@ } memcpy(sap, res-ai_addr, res-ai_addrlen); freeaddrinfo(res); + free($1); } ; @@ -284,6 +286,7 @@ } memcpy(sap, res-ai_addr, res-ai_addrlen); freeaddrinfo(res); + free($1); } ;
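Review bot: `free($2)` is reached only on the path that calls `base64_pubkey2rsa($2)`; the `YYABORT;` just above it (its condition is outside the hunk) leaves the action without releasing `$2`, so that branch still leaks unless the abort path frees it, which I cannot see from here. The `free($1)` additions in the hunks at 256 and 284 follow the successful `memcpy`/`freeaddrinfo` path in the same way and not the error branches that close before it; freeing the token as soon as it has been consumed, or at a single cleanup label at the end of each action, would cover both paths. Separately, the companion cfparse.y change on this page uses `racoon_free()` for the same kind of lexer token while this file uses plain `free()`; that is only right if the lexer allocates with `strdup()`/`malloc()`, and a one-line comment naming the allocator would make the pairing checkable.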
CVS commit: src/crypto/dist/ipsec-tools/src/racoon
Module Name:src Committed By: vanhu Date: Wed Mar 2 14:52:32 UTC 2011 Modified Files: src/crypto/dist/ipsec-tools/src/racoon: remoteconf.c session.c Log Message: fixed some memory leaks in remoteconf. patch by Roman Hoog Antink r...@open.ch To generate a diff of this commit: cvs rdiff -u -r1.22 -r1.23 \ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c cvs rdiff -u -r1.30 -r1.31 src/crypto/dist/ipsec-tools/src/racoon/session.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c diff -u src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.22 src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.23 --- src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.22 Fri Jan 28 13:00:14 2011 +++ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c Wed Mar 2 14:52:32 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: remoteconf.c,v 1.22 2011/01/28 13:00:14 tteras Exp $ */ +/* $NetBSD: remoteconf.c,v 1.23 2011/03/02 14:52:32 vanhu Exp $ */ /* Id: remoteconf.c,v 1.38 2006/05/06 15:52:44 manubsd Exp */ @@ -652,6 +652,8 @@ racoon_free(rmconf-cacertfile); if (rmconf-name) racoon_free(rmconf-name); + if (rmconf-remote) + racoon_free(rmconf-remote); racoon_free(rmconf); } Index: src/crypto/dist/ipsec-tools/src/racoon/session.c diff -u src/crypto/dist/ipsec-tools/src/racoon/session.c:1.30 src/crypto/dist/ipsec-tools/src/racoon/session.c:1.31 --- src/crypto/dist/ipsec-tools/src/racoon/session.c:1.30 Fri Jan 28 13:02:34 2011 +++ src/crypto/dist/ipsec-tools/src/racoon/session.c Wed Mar 2 14:52:32 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: session.c,v 1.30 2011/01/28 13:02:34 tteras Exp $ */ +/* $NetBSD: session.c,v 1.31 2011/03/02 14:52:32 vanhu Exp $ */ /* $KAME: session.c,v 1.32 2003/09/24 02:01:17 jinmei Exp $ */ @@ -343,6 +343,7 @@ pfkey_send_flush(lcconf-sock_pfkey, SADB_SATYPE_UNSPEC); flushph2(); flushph1(); + flushrmconf(); close_sockets(); backupsa_clean();
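Review bot: The new `if (rmconf->remote) racoon_free(rmconf->remote);` repeats the guard-then-free pattern used for `cacertfile` and `name` just above it; if `racoon_free()` forwards to `free()`, which accepts NULL, the guards are redundant and the calls can be unconditional, and if it does not, a comment on racoon_free() saying so is what justifies them. The function that owns these frees starts outside the hunk, so I cannot see whether the remaining pointer members of struct remoteconf are released; the later commits on this page that add spspec and the rsa lists suggest the list was completed incrementally, and a comment at the top of the function enumerating the owned members would make the next omission visible.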
CVS commit: src/crypto/dist/ipsec-tools/src/racoon
Module Name:src Committed By: vanhu Date: Wed Mar 2 14:58:27 UTC 2011 Modified Files: src/crypto/dist/ipsec-tools/src/racoon: cfparse.y remoteconf.c remoteconf.h Log Message: free spspec when deleting a rmconf struct. patch by Roman Hoog Antink r...@open.ch To generate a diff of this commit: cvs rdiff -u -r1.40 -r1.41 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y cvs rdiff -u -r1.23 -r1.24 \ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c cvs rdiff -u -r1.14 -r1.15 \ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.40 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.41 --- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.40 Wed Mar 2 14:49:21 2011 +++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y Wed Mar 2 14:58:27 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: cfparse.y,v 1.40 2011/03/02 14:49:21 vanhu Exp $ */ +/* $NetBSD: cfparse.y,v 1.41 2011/03/02 14:58:27 vanhu Exp $ */ /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */ @@ -145,6 +145,7 @@ static struct secprotospec *newspspec __P((void)); static void insspspec __P((struct remoteconf *, struct secprotospec *)); +void flushspspec __P((struct remoteconf *)); static void adminsock_conf __P((vchar_t *, vchar_t *, vchar_t *, int)); static int set_isakmp_proposal __P((struct remoteconf *)); 
@@ -2414,6 +2415,25 @@ rmconf-spspec = spspec; } +/* + * delete the whole list + */ +void +flushspspec(rmconf) + struct remoteconf *rmconf; +{ + struct secprotospec *p; + + while(rmconf-spspec != NULL) { + p = rmconf-spspec; + rmconf-spspec = p-next; + if (p-next != NULL) + p-next-prev = NULL; /* not necessary but clean */ + + racoon_free(p); + } +} + /* set final acceptable proposal */ static int set_isakmp_proposal(rmconf) Index: src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c diff -u src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.23 src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.24 --- src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.23 Wed Mar 2 14:52:32 2011 +++ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c Wed Mar 2 14:58:27 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: remoteconf.c,v 1.23 2011/03/02 14:52:32 vanhu Exp $ */ +/* $NetBSD: remoteconf.c,v 1.24 2011/03/02 14:58:27 vanhu Exp $ */ /* Id: remoteconf.c,v 1.38 2006/05/06 15:52:44 manubsd Exp */ @@ -654,6 +654,7 @@ racoon_free(rmconf-name); if (rmconf-remote) racoon_free(rmconf-remote); + flushspspec(rmconf); racoon_free(rmconf); } Index: src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h diff -u src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h:1.14 src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h:1.15 --- src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h:1.14 Wed Feb 2 15:21:34 2011 +++ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h Wed Mar 2 14:58:27 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: remoteconf.h,v 1.14 2011/02/02 15:21:34 vanhu Exp $ */ +/* $NetBSD: remoteconf.h,v 1.15 2011/03/02 14:58:27 vanhu Exp $ */ /* Id: remoteconf.h,v 1.26 2006/05/06 15:52:44 manubsd Exp */ 
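Review bot: `flushspspec()` is defined in cfparse.y but exported through remoteconf.h and called from the remoteconf.c teardown hunk at 654, and the non-static prototype added at 145 in cfparse.y duplicates the `extern` declaration remoteconf.h gains in the same commit; keeping only the header declaration avoids the two drifting, and defining the function next to its caller in remoteconf.c would keep list teardown in one file. The loop frees only the `struct secprotospec` nodes; if that struct owns heap members (its definition is not visible here) they still leak, so either free them or state it, e.g. `/* nodes only: secprotospec has no separately allocated members */`. The `p->next->prev = NULL` write is harmless but, as its own comment admits, unnecessary when the whole list is going away.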
@@ -208,6 +208,7 @@ extern void insrmconf __P((struct remoteconf *)); extern void remrmconf __P((struct remoteconf *)); extern void flushrmconf __P((void)); +extern void flushspspec __P((struct remoteconf *)); extern void initrmconf __P((void)); extern void rmconf_start_reload __P((void)); extern void rmconf_finish_reload __P((void));
CVS commit: src/crypto/dist/ipsec-tools/src/racoon
Module Name:src Committed By: vanhu Date: Wed Mar 2 15:04:01 UTC 2011 Modified Files: src/crypto/dist/ipsec-tools/src/racoon: remoteconf.c rsalist.c rsalist.h Log Message: free rsa structures when deleting a struct rmconf. patch by Roman Hoog Antink r...@open.ch To generate a diff of this commit: cvs rdiff -u -r1.24 -r1.25 \ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c cvs rdiff -u -r1.4 -r1.5 src/crypto/dist/ipsec-tools/src/racoon/rsalist.c \ src/crypto/dist/ipsec-tools/src/racoon/rsalist.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c diff -u src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.24 src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.25 --- src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.24 Wed Mar 2 14:58:27 2011 +++ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c Wed Mar 2 15:04:01 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: remoteconf.c,v 1.24 2011/03/02 14:58:27 vanhu Exp $ */ +/* $NetBSD: remoteconf.c,v 1.25 2011/03/02 15:04:01 vanhu Exp $ */ /* Id: remoteconf.c,v 1.38 2006/05/06 15:52:44 manubsd Exp */ @@ -78,6 +78,7 @@ #include isakmp_frag.h #include handler.h #include genlist.h +#include rsalist.h typedef TAILQ_HEAD(_rmtree, remoteconf) remoteconf_tailq_head_t; static remoteconf_tailq_head_t rmtree, rmtree_save; 
@@ -650,6 +651,10 @@ vfree(rmconf-cacert); if (rmconf-cacertfile) racoon_free(rmconf-cacertfile); + if (rmconf-rsa_private) + genlist_free(rmconf-rsa_private, rsa_key_free); + if (rmconf-rsa_public) + genlist_free(rmconf-rsa_public, rsa_key_free); if (rmconf-name) racoon_free(rmconf-name); if (rmconf-remote) Index: src/crypto/dist/ipsec-tools/src/racoon/rsalist.c diff -u src/crypto/dist/ipsec-tools/src/racoon/rsalist.c:1.4 src/crypto/dist/ipsec-tools/src/racoon/rsalist.c:1.5 --- src/crypto/dist/ipsec-tools/src/racoon/rsalist.c:1.4 Sat Sep 9 16:22:10 2006 +++ src/crypto/dist/ipsec-tools/src/racoon/rsalist.c Wed Mar 2 15:04:01 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: rsalist.c,v 1.4 2006/09/09 16:22:10 manu Exp $ */ +/* $NetBSD: rsalist.c,v 1.5 2011/03/02 15:04:01 vanhu Exp $ */ /* Id: rsalist.c,v 1.3 2004/11/08 12:04:23 ludvigm Exp */ @@ -88,6 +88,23 @@ return 0; } +void +rsa_key_free(void *data) +{ + struct rsa_key *rsa_key; + + + rsa_key = (struct rsa_key *)data; + if (rsa_key-src) + free(rsa_key-src); + if (rsa_key-dst) + free(rsa_key-dst); + if (rsa_key-rsa) + RSA_free(rsa_key-rsa); + + free(rsa_key); +} + static void * rsa_key_dump_one(void *entry, void *arg) { Index: src/crypto/dist/ipsec-tools/src/racoon/rsalist.h diff -u src/crypto/dist/ipsec-tools/src/racoon/rsalist.h:1.4 src/crypto/dist/ipsec-tools/src/racoon/rsalist.h:1.5 --- src/crypto/dist/ipsec-tools/src/racoon/rsalist.h:1.4 Sat Sep 9 16:22:10 2006 +++ src/crypto/dist/ipsec-tools/src/racoon/rsalist.h Wed Mar 2 15:04:01 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: rsalist.h,v 1.4 2006/09/09 16:22:10 manu Exp $ */ +/* $NetBSD: rsalist.h,v 1.5 2011/03/02 15:04:01 vanhu Exp $ */ /* Id: rsalist.h,v 1.2 2004/07/12 20:43:51 ludvigm Exp */ /* @@ -53,6 +53,7 @@ }; int rsa_key_insert(struct genlist *list, struct netaddr *src, struct netaddr *dst, RSA *rsa); +void rsa_key_free(void *data); void rsa_key_dump(struct genlist *list); struct genlist *rsa_lookup_keys(struct ph1handle *iph1, int my);
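Review bot: `rsa_key_free()` assumes `src`, `dst` and `rsa` are owned exclusively by the list entry, i.e. that `rsa_key_insert()` stored the pointers it was given rather than copies and that no other list or rmconf shares them; if a reload path duplicates remoteconf structures by shallow copy, the `genlist_free(..., rsa_key_free)` calls in the remoteconf.c hunk would release keys still referenced elsewhere. A one-line ownership statement on `rsa_key_insert()` in rsalist.h, e.g. `/* takes ownership of src, dst and rsa; released by rsa_key_free() */`, would make the contract explicit. On style, the `if (x) free(x)` guards are redundant since `free(NULL)` and OpenSSL's `RSA_free(NULL)` are no-ops, the double blank line after the local declaration is stray, and plain `free()` here versus `racoon_free()` in remoteconf.c should match whichever allocator produced `src`/`dst`.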
CVS commit: src/crypto/dist/ipsec-tools/src/racoon
Module Name:src Committed By: vanhu Date: Wed Mar 2 15:09:16 UTC 2011 Modified Files: src/crypto/dist/ipsec-tools/src/racoon: session.c Log Message: flush sainfo list when closing session. patch by Roman Hoog Antink r...@open.ch To generate a diff of this commit: cvs rdiff -u -r1.31 -r1.32 src/crypto/dist/ipsec-tools/src/racoon/session.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/src/racoon/session.c diff -u src/crypto/dist/ipsec-tools/src/racoon/session.c:1.31 src/crypto/dist/ipsec-tools/src/racoon/session.c:1.32 --- src/crypto/dist/ipsec-tools/src/racoon/session.c:1.31 Wed Mar 2 14:52:32 2011 +++ src/crypto/dist/ipsec-tools/src/racoon/session.c Wed Mar 2 15:09:16 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: session.c,v 1.31 2011/03/02 14:52:32 vanhu Exp $ */ +/* $NetBSD: session.c,v 1.32 2011/03/02 15:09:16 vanhu Exp $ */ /* $KAME: session.c,v 1.32 2003/09/24 02:01:17 jinmei Exp $ */ @@ -344,6 +344,7 @@ flushph2(); flushph1(); flushrmconf(); + flushsainfo(); close_sockets(); backupsa_clean();
CVS commit: src/crypto/dist/ipsec-tools/src/racoon
Module Name:src Committed By: vanhu Date: Tue Mar 1 14:14:50 UTC 2011 Modified Files: src/crypto/dist/ipsec-tools/src/racoon: cfparse.y Log Message: reset yyerrorcount before doing parse stuff. patch by M E Andersson deb...@gisladisker.se To generate a diff of this commit: cvs rdiff -u -r1.38 -r1.39 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.38 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.39 --- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.38 Tue Jun 22 09:41:33 2010 +++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y Tue Mar 1 14:14:50 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: cfparse.y,v 1.38 2010/06/22 09:41:33 vanhu Exp $ */ +/* $NetBSD: cfparse.y,v 1.39 2011/03/01 14:14:50 vanhu Exp $ */ /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */ @@ -2617,6 +2617,7 @@ { int error; + yyerrorcount = 0; yycf_init_buffer(); if (yycf_switch_buffer(lcconf-racoon_conf) != 0) {
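Review bot: `yyerrorcount = 0;` resets a file-scope counter at the start of the parse with no comment on why it is needed; presumably a previous failed parse would otherwise leave the count non-zero and make a later clean parse (e.g. on reload) report failure, and a comment such as `/* clear errors left by a previous failed parse, e.g. before a reload */` would record that intent. If yyerrorcount is also incremented by the lexer or by yyerror(), it is worth confirming that nothing bumps it between this reset and the yyparse() call, which is outside the hunk.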
CVS commit: src/crypto/dist/ipsec-tools/src/racoon
Module Name:src Committed By: vanhu Date: Tue Mar 1 14:33:58 UTC 2011 Modified Files: src/crypto/dist/ipsec-tools/src/racoon: isakmp.c pfkey.c Log Message: plog text fixes, patch from M E Andersson deb...@gisladisker.se To generate a diff of this commit: cvs rdiff -u -r1.67 -r1.68 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c cvs rdiff -u -r1.54 -r1.55 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.67 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.68 --- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.67 Wed Feb 2 15:21:34 2011 +++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c Tue Mar 1 14:33:58 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: isakmp.c,v 1.67 2011/02/02 15:21:34 vanhu Exp $ */ +/* $NetBSD: isakmp.c,v 1.68 2011/03/01 14:33:58 vanhu Exp $ */ /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */ @@ -3422,7 +3422,7 @@ dst = iph2-dst; plog(LLV_INFO, LOCATION, NULL, - generated policy, deleting it.\n); + deleting a generated policy.\n); memset(spidx, 0, sizeof(spidx)); iph2-spidx_gen = (caddr_t )spidx; Index: src/crypto/dist/ipsec-tools/src/racoon/pfkey.c diff -u src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.54 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.55 --- src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.54 Fri Nov 12 10:36:37 2010 +++ src/crypto/dist/ipsec-tools/src/racoon/pfkey.c Tue Mar 1 14:33:58 2011 @@ -1,6 +1,6 @@ -/* $NetBSD: pfkey.c,v 1.54 2010/11/12 10:36:37 tteras Exp $ */ +/* $NetBSD: pfkey.c,v 1.55 2011/03/01 14:33:58 vanhu Exp $ */ -/* $Id: pfkey.c,v 1.54 2010/11/12 10:36:37 tteras Exp $ */ +/* $Id: pfkey.c,v 1.55 2011/03/01 14:33:58 vanhu Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 
@@ -231,7 +231,7 @@ } } - plog(LLV_DEBUG, LOCATION, NULL, get pfkey %s message\n, + plog(LLV_DEBUG, LOCATION, NULL, got pfkey %s message\n, s_pfkey_type(msg-sadb_msg_type)); plogdump(LLV_DEBUG2, msg, msg-sadb_msg_len 3); @@ -2344,8 +2344,8 @@ sp = getsp(spidx); if (sp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - such policy does not already exist: \%s\\n, + plog(LLV_DEBUG, LOCATION, NULL, + this policy did not exist for removal: \%s\\n, spidx2str(spidx)); } else { /* preserve hints before deleting the SP */ @@ -3611,8 +3611,8 @@ break; case IPSECDOI_PROTO_IPCOMP: plog(LLV_DEBUG, LOCATION, NULL, - compression algorithm can not be checked - because sadb message doesn't support it.\n); + no check of compression algorithm; + not supported in sadb message.\n); return 0; default: plog(LLV_ERROR, LOCATION, NULL,
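Review bot: Lowering the `getsp()` miss in the policy-delete path from `LLV_ERROR` to `LLV_DEBUG` hides a mismatch between racoon's policy table and the kernel at default log levels; the reworded message is clearer, but a delete for a policy racoon does not know about is something an operator correlating SPD changes would want to see, so `LLV_WARNING` (or `LLV_INFO`) seems the better fit unless this case is hit routinely, for instance on every SADB flush. If it is routine, a comment beside the plog saying so would justify the level. The other two hunks on this line are wording-only changes.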
CVS commit: src/crypto/dist/ipsec-tools/src/libipsec
Module Name:src Committed By: vanhu Date: Thu Jan 20 16:08:35 UTC 2011 Modified Files: src/crypto/dist/ipsec-tools/src/libipsec: pfkey.c Log Message: fixed a typo, it will now compile when KMADDRESS is defined. reported by Roman Hoog Antink (rha (at) open.ch) To generate a diff of this commit: cvs rdiff -u -r1.20 -r1.21 src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c diff -u src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c:1.20 src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c:1.21 --- src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c:1.20 Wed Dec 8 01:55:12 2010 +++ src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c Thu Jan 20 16:08:35 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: pfkey.c,v 1.20 2010/12/08 01:55:12 joerg Exp $ */ +/* $NetBSD: pfkey.c,v 1.21 2011/01/20 16:08:35 vanhu Exp $ */ /* $KAME: pfkey.c,v 1.47 2003/10/02 19:52:12 itojun Exp $ */ @@ -2282,7 +2282,7 @@ * `buf' must has been allocated sufficiently. */ static caddr_t -pfkey_setsadbkmaddr(caddr_t buf, caddr_T lim, struct sockaddr *local, +pfkey_setsadbkmaddr(caddr_t buf, caddr_t lim, struct sockaddr *local, struct sockaddr *remote) { struct sadb_x_kmaddress *p;
CVS commit: src/crypto/dist/ipsec-tools/src/racoon
Module Name:src Committed By: vanhu Date: Mon Oct 11 14:16:31 UTC 2010 Modified Files: src/crypto/dist/ipsec-tools/src/racoon: ipsec_doi.c Log Message: report a higher encryption key length in approval for OBEY / CLAIM / STRICT modes To generate a diff of this commit: cvs rdiff -u -r1.44 -r1.45 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c diff -u src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.44 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.45 --- src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.44 Sun Jan 17 23:02:48 2010 +++ src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c Mon Oct 11 14:16:30 2010 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_doi.c,v 1.44 2010/01/17 23:02:48 wiz Exp $ */ +/* $NetBSD: ipsec_doi.c,v 1.45 2010/10/11 14:16:30 vanhu Exp $ */ /* Id: ipsec_doi.c,v 1.55 2006/08/17 09:20:41 vanhu Exp */ @@ -370,12 +370,16 @@ case PROP_CHECK_OBEY: sa-lifetime = pctx-sa-lifetime; sa-lifebyte = pctx-sa-lifebyte; + sa-encklen = pctx-sa-encklen; break; case PROP_CHECK_CLAIM: + case PROP_CHECK_STRICT: if (pctx-sa-lifetime sa-lifetime) sa-lifetime = pctx-sa-lifetime; if (pctx-sa-lifebyte sa-lifebyte) sa-lifebyte = pctx-sa-lifebyte; + if (pctx-sa-encklen sa-encklen) + sa-encklen = pctx-sa-encklen; break; default: break;
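Review bot: Adding `case PROP_CHECK_STRICT:` to the `PROP_CHECK_CLAIM` branch does more than the log message says: besides adopting a larger peer `encklen`, STRICT now also takes over the peer's smaller `lifetime`/`lifebyte`, which previously applied only to CLAIM. If the strict comparison earlier in this function already rejects proposals whose lifetimes differ, those two assignments are no-ops under STRICT and a comment like `/* under STRICT the lifetimes already match; only encklen may differ upward */` would document it; otherwise STRICT needs its own case containing only the encklen line. The adopted `encklen` is copied straight into the SA that will be installed, so it should already have been range-checked against the algorithm (check_keylen()) when the peer's proposal was parsed; that code is outside the hunk and worth confirming.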
CVS commit: src/crypto/dist/ipsec-tools/src/racoon
Module Name:src Committed By: vanhu Date: Mon Sep 27 11:57:59 UTC 2010 Modified Files: src/crypto/dist/ipsec-tools/src/racoon: isakmp_xauth.c Log Message: fixed some typos in logs (reported by fazaeli (at) sepehrs.com) To generate a diff of this commit: cvs rdiff -u -r1.20 -r1.21 \ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.20 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.21 --- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.20 Mon Apr 20 13:23:55 2009 +++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c Mon Sep 27 11:57:59 2010 @@ -1,4 +1,4 @@ -/* $NetBSD: isakmp_xauth.c,v 1.20 2009/04/20 13:23:55 tteras Exp $ */ +/* $NetBSD: isakmp_xauth.c,v 1.21 2010/09/27 11:57:59 vanhu Exp $ */ /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */ @@ -507,7 +507,7 @@ if (!auth_added) { if (rad_config(radius_auth_state, NULL) != 0) { plog(LLV_ERROR, LOCATION, NULL, -Cannot open librarius config file: %s\n, +Cannot open libradius config file: %s\n, rad_strerror(radius_auth_state)); rad_close(radius_auth_state); radius_auth_state = NULL; @@ -547,7 +547,7 @@ if (!acct_added) { if (rad_config(radius_acct_state, NULL) != 0) { plog(LLV_ERROR, LOCATION, NULL, -Cannot open librarius config file: %s\n, +Cannot open libradius config file: %s\n, rad_strerror(radius_acct_state)); rad_close(radius_acct_state); radius_acct_state = NULL;
CVS commit: src/crypto/dist/ipsec-tools/src/racoon
Module Name:src Committed By: vanhu Date: Fri Sep 24 15:09:29 UTC 2010 Modified Files: src/crypto/dist/ipsec-tools/src/racoon: cftoken.l Log Message: fixed a fd leak, patch by getlaser (at) gmail.com To generate a diff of this commit: cvs rdiff -u -r1.21 -r1.22 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/src/racoon/cftoken.l diff -u src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.21 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.22 --- src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.21 Tue Jun 22 09:41:33 2010 +++ src/crypto/dist/ipsec-tools/src/racoon/cftoken.l Fri Sep 24 15:09:29 2010 @@ -1,4 +1,4 @@ -/* $NetBSD: cftoken.l,v 1.21 2010/06/22 09:41:33 vanhu Exp $ */ +/* $NetBSD: cftoken.l,v 1.22 2010/09/24 15:09:29 vanhu Exp $ */ /* Id: cftoken.l,v 1.53 2006/08/22 18:17:17 manubsd Exp */ @@ -638,6 +638,10 @@ EOF { yy_delete_buffer(YY_CURRENT_BUFFER); + fclose (incstack[incstackp].fp); + incstack[incstackp].fp = NULL; + racoon_free(incstack[incstackp].path); + incstack[incstackp].path = NULL; incstackp--; nextfile: if (incstack[incstackp].matchon
CVS commit: src/crypto/dist/ipsec-tools/src/racoon
Module Name:src Committed By: vanhu Date: Wed Sep 22 07:34:51 UTC 2010 Modified Files: src/crypto/dist/ipsec-tools/src/racoon: nattraversal.h Log Message: fixed a typo in macros, reported by marisp (at) mt.lv To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 \ src/crypto/dist/ipsec-tools/src/racoon/nattraversal.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/src/racoon/nattraversal.h diff -u src/crypto/dist/ipsec-tools/src/racoon/nattraversal.h:1.6 src/crypto/dist/ipsec-tools/src/racoon/nattraversal.h:1.7 --- src/crypto/dist/ipsec-tools/src/racoon/nattraversal.h:1.6 Sat Sep 9 16:22:09 2006 +++ src/crypto/dist/ipsec-tools/src/racoon/nattraversal.h Wed Sep 22 07:34:51 2010 @@ -1,4 +1,4 @@ -/* $NetBSD: nattraversal.h,v 1.6 2006/09/09 16:22:09 manu Exp $ */ +/* $NetBSD: nattraversal.h,v 1.7 2010/09/22 07:34:51 vanhu Exp $ */ /* * Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany. @@ -42,12 +42,12 @@ #define NAT_KA_QUEUED (1L4) #define NAT_ADD_NON_ESP_MARKER (1L5) -#define NATT_AVAILABLE(ph1) ((iph1)-natt_flags NAT_ANNOUNCED) +#define NATT_AVAILABLE(_ph1) ((_ph1)-natt_flags NAT_ANNOUNCED) #define NAT_DETECTED (NAT_DETECTED_ME | NAT_DETECTED_PEER) #define NON_ESP_MARKER_LEN sizeof(u_int32_t) -#define NON_ESP_MARKER_USE(iph1) ((iph1)-natt_flags NAT_ADD_NON_ESP_MARKER) +#define NON_ESP_MARKER_USE(_ph1) ((_ph1)-natt_flags NAT_ADD_NON_ESP_MARKER) /* These are the values from parsing remote {} block of the config file. */
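Review bot: Both macros only worked when the caller's variable happened to be named `iph1`, so any other invocation would silently have bound to an unrelated or undeclared identifier; the rename to `_ph1` fixes that, and it is worth grepping the remaining racoon headers for the same parameter/body mismatch, since this one went unnoticed from the 2006 revision until now. A leading underscore on a macro parameter is not reserved in this position, but the header's other macros would read the same with a plain `ph1`.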
CVS commit: src/crypto/dist/ipsec-tools/src/racoon
Module Name:src Committed By: vanhu Date: Wed Sep 22 13:37:35 UTC 2010 Modified Files: src/crypto/dist/ipsec-tools/src/racoon: admin.c Log Message: get the correct length of username when processing ADMIN_LOGOUT_USER, patch by rweikusat (at) mssgmbh.com To generate a diff of this commit: cvs rdiff -u -r1.32 -r1.33 src/crypto/dist/ipsec-tools/src/racoon/admin.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/src/racoon/admin.c diff -u src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.32 src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.33 --- src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.32 Thu Sep 3 09:29:07 2009 +++ src/crypto/dist/ipsec-tools/src/racoon/admin.c Wed Sep 22 13:37:35 2010 @@ -1,4 +1,4 @@ -/* $NetBSD: admin.c,v 1.32 2009/09/03 09:29:07 tteras Exp $ */ +/* $NetBSD: admin.c,v 1.33 2010/09/22 13:37:35 vanhu Exp $ */ /* Id: admin.c,v 1.25 2006/04/06 14:31:04 manubsd Exp */ @@ -329,7 +329,7 @@ case ADMIN_LOGOUT_USER: { struct ph1handle *iph1; char user[LOGINLEN+1]; - int found = 0, len = com-ac_len - sizeof(com); + int found = 0, len = com-ac_len - sizeof(*com); if (len LOGINLEN) { plog(LLV_ERROR, LOCATION, NULL,
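Review bot: `len` is still computed as `com->ac_len - sizeof(*com)` into an `int` with no check that `ac_len` is at least the header size; if the admin socket delivers a message with a shorter `ac_len`, the unsigned subtraction wraps, the converted negative `len` passes the `len > LOGINLEN` test, and the subsequent copy into `user[LOGINLEN+1]` (below the hunk) would use a bogus length. Unless the caller already validates `ac_len >= sizeof(*com)` before the switch, which I cannot see from here, guard it here: `if (com->ac_len < sizeof(*com) || com->ac_len - sizeof(*com) > LOGINLEN) {` and keep `len` as a `size_t`. The enclosing switch continues outside the hunk.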
CVS commit: src/crypto/dist/ipsec-tools/src/racoon
Module Name:src Committed By: vanhu Date: Wed Sep 8 12:18:35 UTC 2010 Modified Files: src/crypto/dist/ipsec-tools/src/racoon: remoteconf.c Log Message: fixed remoteconf selection when no ID specified in configuration, and added some debug to remoteconf selection To generate a diff of this commit: cvs rdiff -u -r1.20 -r1.21 \ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c diff -u src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.20 src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.21 --- src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.20 Thu Aug 26 13:31:55 2010 +++ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c Wed Sep 8 12:18:35 2010 @@ -1,4 +1,4 @@ -/* $NetBSD: remoteconf.c,v 1.20 2010/08/26 13:31:55 vanhu Exp $ */ +/* $NetBSD: remoteconf.c,v 1.21 2010/09/08 12:18:35 vanhu Exp $ */ /* Id: remoteconf.c,v 1.38 2006/05/06 15:52:44 manubsd Exp */ @@ -106,11 +106,13 @@ return 0; for (id = genlist_next(rmconf-idvl_p, gpb); id; id = genlist_next(0, gpb)) { + /* No ID specified in configuration, so it is ok */ + if (id-id == 0) + return 0; + /* check the type of both IDs */ if (id-idtype != doi2idtype(id_b-type)) continue; /* ID type mismatch */ - if (id-id == 0) - return 0; /* compare defined ID with the ID sent by peer. */ switch (id-idtype) { 
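Review bot: Moving `if (id->id == 0) return 0;` ahead of the type comparison changes the rule from "an entry of the peer's ID type with no value matches" to "any entry with no value matches regardless of type"; that is presumably what "no ID specified in configuration" means, but the added comment should say so explicitly, e.g. `/* An entry without a value means "accept any peer ID": the type is not compared */`. With `verify_identifier` enabled this is the branch that accepts the peer unconditionally, so the comment should also name where such an entry comes from (an identifier left unset in the remote block, I assume); the function header is outside the hunk.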
@@ -197,23 +199,32 @@ struct rmconfselector *rmsel; struct remoteconf *rmconf; { - int ret = MATCH_NONE; + int ret = MATCH_NONE, tmp; /* No match at all: unwanted anonymous */ if ((rmsel-flags GETRMCONF_F_NO_ANONYMOUS) - rmconf-remote-sa_family == AF_UNSPEC) + rmconf-remote-sa_family == AF_UNSPEC){ + plog(LLV_DEBUG2, LOCATION, rmsel-remote, + Not matched: Anonymous conf.\n); return MATCH_NONE; + } - if ((rmsel-flags GETRMCONF_F_NO_PASSIVE) rmconf-passive) + if ((rmsel-flags GETRMCONF_F_NO_PASSIVE) rmconf-passive){ + plog(LLV_DEBUG2, LOCATION, rmsel-remote, + Not matched: passive conf.\n); return MATCH_NONE; + } ret |= MATCH_BASIC; /* Check address */ if (rmsel-remote != NULL) { if (rmconf-remote-sa_family != AF_UNSPEC) { - if (cmpsaddr(rmsel-remote, rmconf-remote) == CMPSADDR_MISMATCH) + if (cmpsaddr(rmsel-remote, rmconf-remote) == CMPSADDR_MISMATCH){ +plog(LLV_DEBUG2, LOCATION, rmsel-remote, + Not matched: address mismatch.\n); return MATCH_NONE; + } /* Address matched */ ret |= MATCH_ADDRESS; 
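Review bot: The added `plog()` calls are indented inconsistently: the address-mismatch one in this hunk starts at column 0 while its siblings are aligned under the `if`, and the same happens for the cert-issuer and empty-CR messages in the `@@ -249,12` hunk and the "Not matched." message in the `@@ -286,9` hunk; the new `){` spellings also drop the space before the brace that the surrounding code uses. Since every branch now emits "Not matched: <reason>" before `return MATCH_NONE;`, a small helper or macro taking the reason string would remove the repeated blocks, but at minimum the indentation should be fixed so the debug lines are not mistaken for labels.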
@@ -222,24 +233,34 @@ /* Check etype and approval */ if (rmsel-etype != ISAKMP_ETYPE_NONE) { - if (rmconf_match_etype_and_approval(rmconf, rmsel-etype, - rmsel-approval) != 0) + tmp=rmconf_match_etype_and_approval(rmconf, rmsel-etype, + rmsel-approval); + if (tmp != 0){ + plog(LLV_DEBUG2, LOCATION, rmsel-remote, + Not matched: etype (%d)/approval mismatch (%d).\n, rmsel-etype, tmp); return MATCH_NONE; + } ret |= MATCH_SA; } /* Check identity */ if (rmsel-identity != NULL rmconf-verify_identifier) { - if (rmconf_match_identity(rmconf, rmsel-identity) != 0) + if (rmconf_match_identity(rmconf, rmsel-identity) != 0){ + plog(LLV_DEBUG2, LOCATION, rmsel-remote, + Not matched: identity mismatch.\n); return MATCH_NONE; + } ret |= MATCH_IDENTITY; } /* Check certificate request */ if (rmsel-certificate_request != NULL) { if (oakley_get_certtype(rmsel-certificate_request) != - oakley_get_certtype(rmconf-mycert)) + oakley_get_certtype(rmconf-mycert)){ + plog(LLV_DEBUG2, LOCATION, rmsel-remote, + Not matched: cert type mismatch.\n); return MATCH_NONE; + } if (rmsel-certificate_request-l 1) { vchar_t *issuer; @@ -249,12 +270,17 @@ memcmp(rmsel-certificate_request-v + 1, issuer-v, issuer-l) != 0) { vfree(issuer); +plog(LLV_DEBUG2, LOCATION, rmsel-remote, + Not matched: cert issuer mismatch.\n); return MATCH_NONE; } vfree(issuer); } else { - if (!rmconf-match_empty_cr) + if (!rmconf-match_empty_cr){ +plog(LLV_DEBUG2, LOCATION, rmsel-remote, + Not matched: empty certificate request.\n); return MATCH_NONE; + } } ret |= MATCH_AUTH_IDENTITY; 
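Review bot: `tmp` (declared in the previous hunk as `int ret = MATCH_NONE, tmp;`) exists only to print the result of `rmconf_match_etype_and_approval()`, and the message "Not matched: etype (%d)/approval mismatch (%d)" prints that return value without saying what it is; a name like `approval_rc` and a message such as `Not matched: etype %d / approval mismatch (rc=%d)` would make the log readable without the source. Declaring it inside the `if (rmsel->etype != ISAKMP_ETYPE_NONE)` block, next to the call, also keeps it out of function-wide scope.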
@@ -286,9 +312,17 @@ int ret = 0; RACOON_TAILQ_FOREACH_REVERSE(p, rmtree, _rmtree, chain) { + plog(LLV_DEBUG2, LOCATION, rmsel-remote, + Checking remote conf \%s\ %s.\n, p-name, + p-remote-sa_family == AF_UNSPEC ? + anonymous : saddr2str(p-remote)); + if (rmsel != NULL) { - if (rmconf_match_type(rmsel, p) == MATCH_NONE) + if (rmconf_match_type(rmsel, p) == MATCH_NONE){ +plog(LLV_DEBUG2, LOCATION, rmsel-remote, + Not matched.\n); continue; + } } plog(LLV_DEBUG2, LOCATION, NULL, @@ -740,6 +774,8 @@ for (e = rmconf-etypes; e != NULL; e =
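Review bot: The new "Checking remote conf" `plog()` dereferences `rmsel->remote` before the `if (rmsel != NULL)` test that immediately follows it, so a caller passing a NULL selector, which that test shows is allowed, now crashes inside a debug log statement. Pass `rmsel ? rmsel->remote : NULL` as the address argument, or move the plog inside the NULL check. The same message formats `p->name` with `%s`; if an unnamed remote block can carry a NULL name that is undefined behaviour on most libcs, and `p->name ? p->name : "(unnamed)"` is cheap insurance. The second hunk on this line is cut off, so I have not reviewed it.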
CVS commit: src/crypto/dist/ipsec-tools/src/racoon
Module Name:src Committed By: vanhu Date: Wed Aug 4 09:16:58 UTC 2010 Modified Files: src/crypto/dist/ipsec-tools/src/racoon: isakmp_cfg.c Log Message: fixed answer for IP4_SUBNET request To generate a diff of this commit: cvs rdiff -u -r1.22 -r1.23 \ src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.22 src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.23 --- src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.22 Fri Jul 3 06:41:46 2009 +++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c Wed Aug 4 09:16:58 2010 @@ -1,4 +1,4 @@ -/* $NetBSD: isakmp_cfg.c,v 1.22 2009/07/03 06:41:46 tteras Exp $ */ +/* $NetBSD: isakmp_cfg.c,v 1.23 2010/08/04 09:16:58 vanhu Exp $ */ /* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */ @@ -114,6 +114,8 @@ #endif static vchar_t *isakmp_cfg_addr4(struct ph1handle *, struct isakmp_data *, in_addr_t *); +static vchar_t *isakmp_cfg_addrnet4(struct ph1handle *, + struct isakmp_data *, in_addr_t *, in_addr_t *); static void isakmp_cfg_getaddr4(struct isakmp_data *, struct in_addr *); static vchar_t *isakmp_cfg_addr4_list(struct ph1handle *, struct isakmp_data *, in_addr_t *, int); @@ -901,8 +903,15 @@ break; case INTERNAL_IP4_SUBNET: - return isakmp_cfg_addr4(iph1, - attr, isakmp_cfg_config.network4); + if(isakmp_cfg_config.splitnet_count 0){ + return isakmp_cfg_addrnet4(iph1, attr, + isakmp_cfg_config.splitnet_list-network.addr4.s_addr, + isakmp_cfg_config.splitnet_list-network.mask4.s_addr); + }else{ + plog(LLV_INFO, LOCATION, NULL, + %s requested but no splitnet in configuration\n, + s_isakmp_cfg_type(type)); + } break; default: 
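Review bot: `INTERNAL_IP4_SUBNET` now answers only from the first entry of `isakmp_cfg_config.splitnet_list` and no longer consults `network4` at all, so a configuration that sets `network4` but no split network goes from receiving a subnet attribute to receiving nothing plus an LLV_INFO line; if that is intended, racoon.conf.5 and a comment above the `case` should say so, and when several split networks are configured the remaining ones are silently dropped here. The `if(...){` / `}else{` spellings also diverge from the spacing used elsewhere in this switch. The branch commit further down this page (isakmp_cfg.c 1.12.6.5) carries the identical hunk and the same remarks apply.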
@@ -1042,6 +1051,36 @@ } static vchar_t * +isakmp_cfg_addrnet4(iph1, attr, addr, mask) + struct ph1handle *iph1; + struct isakmp_data *attr; + in_addr_t *addr; + in_addr_t *mask; +{ + vchar_t *buffer; + struct isakmp_data *new; + size_t len; + in_addr_t netbuff[2]; + + len = sizeof(netbuff); + if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) { + plog(LLV_ERROR, LOCATION, NULL, Cannot allocate memory\n); + return NULL; + } + + new = (struct isakmp_data *)buffer-v; + + new-type = attr-type; + new-lorv = htons(len); + netbuff[0]=*addr; + netbuff[1]=*mask; + memcpy(new + 1, netbuff, len); + + return buffer; +} + + +static vchar_t * isakmp_cfg_addr4_list(iph1, attr, addr, nbr) struct ph1handle *iph1; struct isakmp_data *attr;
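Review bot: `isakmp_cfg_addrnet4()` takes `iph1` but never uses it, and takes `addr`/`mask` as pointers only to copy the two `in_addr_t` values into a local array; passing them by value and dropping the unused parameter, or keeping it for symmetry with isakmp_cfg_addr4() under a `/* iph1 unused, kept for API symmetry */` note, would make the contract clearer. `len` is the constant `sizeof(netbuff)` and could be folded into the `vmalloc`/`htons` calls; `htons(len)` also narrows a `size_t` to 16 bits, harmless for 8 but reading as a silent truncation. A short header comment stating that the reply carries the network address followed by its mask, both as received in `s_addr` byte order, would document the wire layout being built. The same function appears in the branch commit below (isakmp_cfg.c 1.12.6.5).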
CVS commit: [ipsec-tools-0_7-branch] src/crypto/dist/ipsec-tools/src/racoon
Module Name:src Committed By: vanhu Date: Wed Aug 4 09:23:53 UTC 2010 Modified Files: src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_7-branch]: isakmp_cfg.c Log Message: fixed answer for IP4_SUBNET request To generate a diff of this commit: cvs rdiff -u -r1.12.6.4 -r1.12.6.5 \ src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.12.6.4 src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.12.6.5 --- src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.12.6.4 Thu Nov 27 15:25:20 2008 +++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c Wed Aug 4 09:23:53 2010 @@ -1,4 +1,4 @@ -/* $NetBSD: isakmp_cfg.c,v 1.12.6.4 2008/11/27 15:25:20 vanhu Exp $ */ +/* $NetBSD: isakmp_cfg.c,v 1.12.6.5 2010/08/04 09:23:53 vanhu Exp $ */ /* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */ @@ -114,6 +114,8 @@ #endif static vchar_t *isakmp_cfg_addr4(struct ph1handle *, struct isakmp_data *, in_addr_t *); +static vchar_t *isakmp_cfg_addrnet4(struct ph1handle *, + struct isakmp_data *, in_addr_t *, in_addr_t *); static void isakmp_cfg_getaddr4(struct isakmp_data *, struct in_addr *); static vchar_t *isakmp_cfg_addr4_list(struct ph1handle *, struct isakmp_data *, in_addr_t *, int); @@ -901,8 +903,15 @@ break; case INTERNAL_IP4_SUBNET: - return isakmp_cfg_addr4(iph1, - attr, isakmp_cfg_config.network4); + if(isakmp_cfg_config.splitnet_count 0){ + return isakmp_cfg_addrnet4(iph1, attr, + isakmp_cfg_config.splitnet_list-network.addr4.s_addr, + isakmp_cfg_config.splitnet_list-network.mask4.s_addr); + }else{ + plog(LLV_INFO, LOCATION, NULL, + %s requested but no splitnet in configuration\n, + s_isakmp_cfg_type(type)); + } break; default: 
@@ -1042,6 +1051,36 @@ } static vchar_t * +isakmp_cfg_addrnet4(iph1, attr, addr, mask) + struct ph1handle *iph1; + struct isakmp_data *attr; + in_addr_t *addr; + in_addr_t *mask; +{ + vchar_t *buffer; + struct isakmp_data *new; + size_t len; + in_addr_t netbuff[2]; + + len = sizeof(netbuff); + if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) { + plog(LLV_ERROR, LOCATION, NULL, Cannot allocate memory\n); + return NULL; + } + + new = (struct isakmp_data *)buffer-v; + + new-type = attr-type; + new-lorv = htons(len); + netbuff[0]=*addr; + netbuff[1]=*mask; + memcpy(new + 1, netbuff, len); + + return buffer; +} + + +static vchar_t * isakmp_cfg_addr4_list(iph1, attr, addr, nbr) struct ph1handle *iph1; struct isakmp_data *attr;
CVS commit: src/crypto/dist/ipsec-tools/src/racoon/doc
Module Name:src Committed By: vanhu Date: Fri Jul 30 14:50:48 UTC 2010 Modified Files: src/crypto/dist/ipsec-tools/src/racoon/doc: FAQ Log Message: updated link to NetBSD's documentation To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/crypto/dist/ipsec-tools/src/racoon/doc/FAQ Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/src/racoon/doc/FAQ diff -u src/crypto/dist/ipsec-tools/src/racoon/doc/FAQ:1.2 src/crypto/dist/ipsec-tools/src/racoon/doc/FAQ:1.3 --- src/crypto/dist/ipsec-tools/src/racoon/doc/FAQ:1.2 Fri Mar 5 06:47:58 2010 +++ src/crypto/dist/ipsec-tools/src/racoon/doc/FAQ Fri Jul 30 14:50:47 2010 @@ -109,6 +109,6 @@ Q: Other documents to look at? A: - http://www.netbsd.org/Documentation/network/ipsec/ + http://www.NetBSD.org/docs/network/ipsec/ http://www.kame.net/ http://www.kame.net/newsletter/
CVS commit: src/crypto/dist/ipsec-tools/src/racoon
Module Name:src Committed By: vanhu Date: Tue Jun 22 09:41:34 UTC 2010 Modified Files: src/crypto/dist/ipsec-tools/src/racoon: cfparse.y cftoken.l isakmp.c isakmp_inf.c racoon.conf.5 remoteconf.c remoteconf.h Log Message: added a specific script hook when a dead peer is detected To generate a diff of this commit: cvs rdiff -u -r1.37 -r1.38 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y cvs rdiff -u -r1.20 -r1.21 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l cvs rdiff -u -r1.60 -r1.61 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c cvs rdiff -u -r1.41 -r1.42 \ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c cvs rdiff -u -r1.59 -r1.60 \ src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 cvs rdiff -u -r1.18 -r1.19 \ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c cvs rdiff -u -r1.11 -r1.12 \ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.37 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.38 --- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.37 Thu Mar 12 10:57:26 2009 +++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y Tue Jun 22 09:41:33 2010 @@ -1,4 +1,4 @@ -/* $NetBSD: cfparse.y,v 1.37 2009/03/12 10:57:26 tteras Exp $ */ +/* $NetBSD: cfparse.y,v 1.38 2010/06/22 09:41:33 vanhu Exp $ */ /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */ @@ -237,7 +237,7 @@ %token PREFIX PORT PORTANY UL_PROTO ANY IKE_FRAG ESP_FRAG MODE_CFG %token PFS_GROUP LIFETIME LIFETYPE_TIME LIFETYPE_BYTE STRENGTH REMOTEID -%token SCRIPT PHASE1_UP PHASE1_DOWN +%token SCRIPT PHASE1_UP PHASE1_DOWN PHASE1_DEAD %token NUMBER SWITCH BOOLEAN %token HEXSTRING QUOTEDSTRING ADDRSTRING ADDRRANGE 
@@ -2010,6 +2010,13 @@ cur_rmconf-script[SCRIPT_PHASE1_DOWN] = script_path_add(vdup($2)); } EOS + | SCRIPT QUOTEDSTRING PHASE1_DEAD { + if (cur_rmconf-script[SCRIPT_PHASE1_DEAD] != NULL) +vfree(cur_rmconf-script[SCRIPT_PHASE1_DEAD]); + + cur_rmconf-script[SCRIPT_PHASE1_DEAD] = + script_path_add(vdup($2)); + } EOS | MODE_CFG SWITCH { cur_rmconf-mode_cfg = $2; } EOS | WEAK_PHASE1_CHECK SWITCH { cur_rmconf-weak_phase1_check = $2; Index: src/crypto/dist/ipsec-tools/src/racoon/cftoken.l diff -u src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.20 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.21 --- src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.20 Thu Mar 12 10:57:26 2009 +++ src/crypto/dist/ipsec-tools/src/racoon/cftoken.l Tue Jun 22 09:41:33 2010 @@ -1,4 +1,4 @@ -/* $NetBSD: cftoken.l,v 1.20 2009/03/12 10:57:26 tteras Exp $ */ +/* $NetBSD: cftoken.l,v 1.21 2010/06/22 09:41:33 vanhu Exp $ */ /* Id: cftoken.l,v 1.53 2006/08/22 18:17:17 manubsd Exp */ @@ -365,6 +365,7 @@ S_RMTSscript { YYD; return(SCRIPT); } S_RMTSphase1_up { YYD; return(PHASE1_UP); } S_RMTSphase1_down { YYD; return(PHASE1_DOWN); } +S_RMTSphase1_dead { YYD; return(PHASE1_DEAD); } S_RMTSmode_cfg { YYD; return(MODE_CFG); } S_RMTSweak_phase1_check { YYD; return(WEAK_PHASE1_CHECK); } S_RMTSrekey { YYD; return(REKEY); } Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.60 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.61 --- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.60 Thu Sep 3 09:29:07 2009 +++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c Tue Jun 22 09:41:33 2010 @@ -1,4 +1,4 @@ -/* $NetBSD: isakmp.c,v 1.60 2009/09/03 09:29:07 tteras Exp $ */ +/* $NetBSD: isakmp.c,v 1.61 2010/06/22 09:41:33 vanhu Exp $ */ /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */ 
@@ -1839,6 +1839,8 @@ plog(LLV_ERROR, LOCATION, NULL, phase1 negotiation failed due to time up. %s\n, isakmp_pindex(iph1-index, iph1-msgid)); + /* XXX is the peer really dead here ??? */ + script_hook(iph1, SCRIPT_PHASE1_DEAD); evt_phase1(iph1, EVT_PHASE1_NO_RESPONSE, NULL); return -1; Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.41 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.42 --- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.41 Fri Jul 3 06:41:46 2009 +++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c Tue Jun 22 09:41:33 2010 @@ -1,4 +1,4 @@ -/* $NetBSD: isakmp_inf.c,v 1.41 2009/07/03 06:41:46 tteras Exp $ */ +/* $NetBSD: isakmp_inf.c,v 1.42 2010/06/22 09:41:33 vanhu Exp $ */ /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */ @@ -1506,6 +1506,7 @@ DPD: remote (ISAKMP-SA spi=%s) seems to be dead.\n, isakmp_pindex(iph1-index, 0)); + script_hook(iph1, SCRIPT_PHASE1_DEAD); evt_phase1(iph1, EVT_PHASE1_DPD_TIMEOUT, NULL); purge_remote(iph1); Index:
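Review bot: `script_hook(iph1, SCRIPT_PHASE1_DEAD)` runs on every phase-1 negotiation timeout, and the `XXX` comment placed above it already doubts that the peer is dead there: on the responder side this path is reached for a peer that never authenticated, so a script configured as phase1_dead can be triggered by any unauthenticated sender that opens an exchange and stops answering. The DPD call added in the isakmp_inf.c hunk on this same line fires only for an established ISAKMP SA, which is what readers of racoon.conf.5 will expect "dead peer" to mean. Either gate this call on the phase 1 having been established, if the handle records that, or document in the man page that the hook also fires for failed negotiations so scripts are written to tolerate spurious invocations. The enclosing function continues outside the hunk.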
CVS commit: src/crypto/dist/ipsec-tools/src/setkey
Module Name:src Committed By: vanhu Date: Fri Jun 4 13:06:03 UTC 2010 Modified Files: src/crypto/dist/ipsec-tools/src/setkey: parse.y setkey.8 token.l Log Message: Added support for spdupdate command in setkey To generate a diff of this commit: cvs rdiff -u -r1.12 -r1.13 src/crypto/dist/ipsec-tools/src/setkey/parse.y cvs rdiff -u -r1.23 -r1.24 src/crypto/dist/ipsec-tools/src/setkey/setkey.8 cvs rdiff -u -r1.14 -r1.15 src/crypto/dist/ipsec-tools/src/setkey/token.l Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/src/setkey/parse.y diff -u src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.12 src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.13 --- src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.12 Fri Mar 6 11:45:03 2009 +++ src/crypto/dist/ipsec-tools/src/setkey/parse.y Fri Jun 4 13:06:03 2010 @@ -1,4 +1,4 @@ -/* $NetBSD: parse.y,v 1.12 2009/03/06 11:45:03 tteras Exp $ */ +/* $NetBSD: parse.y,v 1.13 2010/06/04 13:06:03 vanhu Exp $ */ /* $KAME: parse.y,v 1.81 2003/07/01 04:01:48 itojun Exp $ */ @@ -131,7 +131,7 @@ %token F_LIFEBYTE_HARD F_LIFEBYTE_SOFT %token DECSTRING QUOTEDSTRING HEXSTRING STRING ANY /* SPD management */ -%token SPDADD SPDDELETE SPDDUMP SPDFLUSH +%token SPDADD SPDUPDATE SPDDELETE SPDDUMP SPDFLUSH %token F_POLICY PL_REQUESTS %token F_AIFLAGS %token TAGGED @@ -170,6 +170,7 @@ | dump_command | exit_command | spdadd_command + | spdupdate_command | spddelete_command | spddump_command | spdflush_command @@ -572,6 +573,7 @@ /* definition about command for SPD management */ /* spdadd */ spdadd_command + /* XXX merge with spdupdate ??? */ : SPDADD ipaddropts STRING prefix portstr STRING prefix portstr upper_spec upper_misc_spec context_spec policy_spec EOT { int status; 
@@ -624,6 +626,60 @@ } ; +spdupdate_command + /* XXX merge with spdadd ??? */ + : SPDUPDATE ipaddropts STRING prefix portstr STRING prefix portstr upper_spec upper_misc_spec context_spec policy_spec EOT + { + int status; + struct addrinfo *src, *dst; + +#ifdef HAVE_PFKEY_POLICY_PRIORITY + last_msg_type = SADB_X_SPDUPDATE; +#endif + + /* fixed port fields if ulp is icmp */ + if ($10.buf != NULL) { +if (($9 != IPPROTO_ICMPV6) + ($9 != IPPROTO_ICMP) + ($9 != IPPROTO_MH)) + return -1; +free($5.buf); +free($8.buf); +if (fix_portstr($10, $5, $8)) + return -1; + } + + src = parse_addr($3.buf, $5.buf); + dst = parse_addr($6.buf, $8.buf); + if (!src || !dst) { +/* yyerror is already called */ +return -1; + } + if (src-ai_next || dst-ai_next) { +yyerror(multiple address specified); +freeaddrinfo(src); +freeaddrinfo(dst); +return -1; + } + + status = setkeymsg_spdaddr(SADB_X_SPDUPDATE, $9, $12, + src, $4, dst, $7); + freeaddrinfo(src); + freeaddrinfo(dst); + if (status 0) +return -1; + } + | SPDUPDATE TAGGED QUOTEDSTRING policy_spec EOT + { + int status; + + status = setkeymsg_spdaddr_tag(SADB_X_SPDUPDATE, + $3.buf, $4); + if (status 0) +return -1; + } + ; + spddelete_command : SPDDELETE ipaddropts STRING prefix portstr STRING prefix portstr upper_spec upper_misc_spec context_spec policy_spec EOT { Index: src/crypto/dist/ipsec-tools/src/setkey/setkey.8 diff -u src/crypto/dist/ipsec-tools/src/setkey/setkey.8:1.23 src/crypto/dist/ipsec-tools/src/setkey/setkey.8:1.24 --- src/crypto/dist/ipsec-tools/src/setkey/setkey.8:1.23 Fri Mar 5 06:47:58 2010 +++ src/crypto/dist/ipsec-tools/src/setkey/setkey.8 Fri Jun 4 13:06:03 2010 @@ -1,4 +1,4 @@ -.\ $NetBSD: setkey.8,v 1.23 2010/03/05 06:47:58 tteras Exp $ +.\ $NetBSD: setkey.8,v 1.24 2010/06/04 13:06:03 vanhu Exp $ .\ .\ Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. .\ All rights reserved. 
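Review bot: spdupdate_command is a line-for-line copy of spdadd_command with only the SADB_X_SPDUPDATE constants changed, as the `XXX merge` comments on both rules concede, so the ICMP port fix-up, address parsing and freeaddrinfo cleanup now live in two places and any future fix has to be applied twice. A small prefix rule such as `spd_addcmd : SPDADD { $$ = SADB_X_SPDADD; } | SPDUPDATE { $$ = SADB_X_SPDUPDATE; } ;` in front of one shared body, or a C helper taking the message type, would remove the duplicate before it drifts. Until then a comment on the new rule pointing at spdadd_command as the reference copy would at least tell maintainers where the twin is.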
@@ -195,6 +195,15 @@ .Ar tag must be a string surrounded by double quotes. .\ +.It Li spdupdate Oo Fl 46n Oc Ar src_range Ar dst_range Ar upperspec \ +Ar label Ar policy Li ; +Updates an SPD entry. +.\ +.It Li spdupdate tagged Ar tag Ar policy Li ; +Update an SPD entry based on a PF tag. +.Ar tag +must be a string surrounded by double quotes. +.\ .It Li spddelete Oo Fl 46n Oc Ar src_range Ar dst_range Ar upperspec \ Fl P Ar direction Li ; Delete an SPD entry. Index: src/crypto/dist/ipsec-tools/src/setkey/token.l diff -u src/crypto/dist/ipsec-tools/src/setkey/token.l:1.14 src/crypto/dist/ipsec-tools/src/setkey/token.l:1.15 --- src/crypto/dist/ipsec-tools/src/setkey/token.l:1.14 Thu Oct 29 14:34:27 2009 +++ src/crypto/dist/ipsec-tools/src/setkey/token.l Fri Jun 4 13:06:03 2010 @@ -1,4 +1,4 @@ -/* $NetBSD: token.l,v 1.14 2009/10/29 14:34:27 christos Exp $ */ +/* $NetBSD: token.l,v 1.15 2010/06/04 13:06:03 vanhu Exp $ */ /* $KAME: token.l,v 1.44 2003/10/21 07:20:58 itojun Exp $ */ @@ -127,6 +127,7 @@ /* for management SPD */ spdadd { return(SPDADD); } +spdupdate {
CVS commit: src/crypto/dist/ipsec-tools/src/libipsec
Module Name:src Committed By: vanhu Date: Wed Apr 7 14:53:52 UTC 2010 Modified Files: src/crypto/dist/ipsec-tools/src/libipsec: ipsec_strerror.c Log Message: by Eric Preston: fixed a typo To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 \ src/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.c diff -u src/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.c:1.5 src/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.c:1.6 --- src/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.c:1.5 Wed Jul 18 12:07:50 2007 +++ src/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.c Wed Apr 7 14:53:52 2010 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_strerror.c,v 1.5 2007/07/18 12:07:50 vanhu Exp $ */ +/* $NetBSD: ipsec_strerror.c,v 1.6 2010/04/07 14:53:52 vanhu Exp $ */ /* $KAME: ipsec_strerror.c,v 1.7 2000/07/30 00:45:12 itojun Exp $ */ @@ -63,7 +63,7 @@ Invalid key length,/*EIPSEC_INVAL_KEYLEN*/ Invalid address family, /*EIPSEC_INVAL_FAMILY*/ Invalid prefix length, /*EIPSEC_INVAL_PREFIXLEN*/ -Invalid direciton,/*EIPSEC_INVAL_DIR*/ +Invalid direction,/*EIPSEC_INVAL_DIR*/ SPI range violation,/*EIPSEC_INVAL_SPI*/ No protocol specified, /*EIPSEC_NO_PROTO*/ No algorithm specified, /*EIPSEC_NO_ALGS*/
CVS commit: src/crypto/dist/ipsec-tools/src/racoon
Module Name:src Committed By: vanhu Date: Wed Aug 19 13:54:07 UTC 2009 Modified Files: src/crypto/dist/ipsec-tools/src/racoon: remoteconf.c Log Message: fixed address check in rmconf_match_type(), just check address with wildcard port To generate a diff of this commit: cvs rdiff -u -r1.16 -r1.17 \ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c diff -u src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.16 src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.17 --- src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.16 Wed Aug 19 12:20:02 2009 +++ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c Wed Aug 19 13:54:07 2009 @@ -1,4 +1,4 @@ -/* $NetBSD: remoteconf.c,v 1.16 2009/08/19 12:20:02 tteras Exp $ */ +/* $NetBSD: remoteconf.c,v 1.17 2009/08/19 13:54:07 vanhu Exp $ */ /* Id: remoteconf.c,v 1.38 2006/05/06 15:52:44 manubsd Exp */ @@ -209,7 +209,7 @@ /* Check address */ if (rmsel-remote != NULL) { if (rmconf-remote-sa_family != AF_UNSPEC) { - if (cmpsaddr(rmsel-remote, rmconf-remote) != 0) + if (cmpsaddr(rmsel-remote, rmconf-remote) == CMPSADDR_MISMATCH) return MATCH_NONE; /* Address matched */
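Review bot: The changed comparison now accepts every cmpsaddr result other than CMPSADDR_MISMATCH as an address match, which the commit message says is deliberate (ports are ignored), but nothing in the code records that; a comment on the line, `/* port intentionally not compared: only the address has to match here */`, keeps the next reader from restoring `!= 0`. If cmpsaddr can also report a distinct non-MISMATCH value for an address-family or length mismatch, that case should be named explicitly instead of falling into the matched branch. rmconf_match_type begins and ends outside the hunk.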
CVS commit: src/crypto/dist/ipsec-tools/src/racoon
Module Name:src Committed By: vanhu Date: Tue Aug 18 08:21:13 UTC 2009 Modified Files: src/crypto/dist/ipsec-tools/src/racoon: oakley.c Log Message: typo: algoritym - algorithm To generate a diff of this commit: cvs rdiff -u -r1.15 -r1.16 src/crypto/dist/ipsec-tools/src/racoon/oakley.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/src/racoon/oakley.c diff -u src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.15 src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.16 --- src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.15 Thu Aug 13 09:18:28 2009 +++ src/crypto/dist/ipsec-tools/src/racoon/oakley.c Tue Aug 18 08:21:12 2009 @@ -1,4 +1,4 @@ -/* $NetBSD: oakley.c,v 1.15 2009/08/13 09:18:28 vanhu Exp $ */ +/* $NetBSD: oakley.c,v 1.16 2009/08/18 08:21:12 vanhu Exp $ */ /* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */ @@ -2648,7 +2648,7 @@ iph1-approval-encklen); if (keylen == -1) { plog(LLV_ERROR, LOCATION, NULL, - invalid encryption algoritym %d, + invalid encryption algorithm %d, or invalid key length %d.\n, iph1-approval-enctype, iph1-approval-encklen); @@ -2752,7 +2752,7 @@ if (iph1-approval-enctype ARRAYLEN(oakley_encdef) || oakley_encdef[iph1-approval-enctype].weakkey == NULL) { plog(LLV_ERROR, LOCATION, NULL, - encryption algoritym %d isn't supported.\n, + encryption algorithm %d isn't supported.\n, iph1-approval-enctype); goto end; }
CVS commit: src/crypto/dist/ipsec-tools/src/racoon
Module Name:src Committed By: vanhu Date: Mon Aug 17 11:59:10 UTC 2009 Modified Files: src/crypto/dist/ipsec-tools/src/racoon: crypto_openssl.h Log Message: removed a self include To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 \ src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h diff -u src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h:1.6 src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h:1.7 --- src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h:1.6 Thu Mar 12 10:57:26 2009 +++ src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h Mon Aug 17 11:59:10 2009 @@ -1,4 +1,4 @@ -/* $NetBSD: crypto_openssl.h,v 1.6 2009/03/12 10:57:26 tteras Exp $ */ +/* $NetBSD: crypto_openssl.h,v 1.7 2009/08/17 11:59:10 vanhu Exp $ */ /* Id: crypto_openssl.h,v 1.11 2004/11/13 11:28:01 manubsd Exp */ @@ -34,8 +34,6 @@ #ifndef _CRYPTO_OPENSSL_H #define _CRYPTO_OPENSSL_H -#include crypto_openssl.h - #include openssl/x509v3.h #include openssl/rsa.h
CVS commit: src/crypto/dist/ipsec-tools/src/racoon
Module Name:src Committed By: vanhu Date: Mon Aug 17 12:00:53 UTC 2009 Modified Files: src/crypto/dist/ipsec-tools/src/racoon: schedule.h Log Message: include stddef.h so we have a chance to get the system offsetof if present To generate a diff of this commit: cvs rdiff -u -r1.7 -r1.8 src/crypto/dist/ipsec-tools/src/racoon/schedule.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/src/racoon/schedule.h diff -u src/crypto/dist/ipsec-tools/src/racoon/schedule.h:1.7 src/crypto/dist/ipsec-tools/src/racoon/schedule.h:1.8 --- src/crypto/dist/ipsec-tools/src/racoon/schedule.h:1.7 Fri Jan 23 08:25:07 2009 +++ src/crypto/dist/ipsec-tools/src/racoon/schedule.h Mon Aug 17 12:00:53 2009 @@ -1,4 +1,4 @@ -/* $NetBSD: schedule.h,v 1.7 2009/01/23 08:25:07 tteras Exp $ */ +/* $NetBSD: schedule.h,v 1.8 2009/08/17 12:00:53 vanhu Exp $ */ /* Id: schedule.h,v 1.5 2006/05/03 21:53:42 vanhu Exp */ @@ -35,6 +35,8 @@ #ifndef _SCHEDULE_H #define _SCHEDULE_H +#include stddef.h + #include sys/queue.h #if TIME_WITH_SYS_TIME # include sys/time.h
CVS commit: src/crypto/dist/ipsec-tools/src/libipsec
Module Name:src Committed By: vanhu Date: Mon Aug 17 13:52:14 UTC 2009 Modified Files: src/crypto/dist/ipsec-tools/src/libipsec: libpfkey.h Log Message: do not use SADB_X_NAT_T_NEW_MAPPING to check system support for NAT-T, as at least FreeBSD doesn't have this define anymore To generate a diff of this commit: cvs rdiff -u -r1.16 -r1.17 \ src/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h diff -u src/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h:1.16 src/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h:1.17 --- src/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h:1.16 Fri Jul 3 06:40:10 2009 +++ src/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h Mon Aug 17 13:52:14 2009 @@ -1,4 +1,4 @@ -/* $NetBSD: libpfkey.h,v 1.16 2009/07/03 06:40:10 tteras Exp $ */ +/* $NetBSD: libpfkey.h,v 1.17 2009/08/17 13:52:14 vanhu Exp $ */ /* Id: libpfkey.h,v 1.13 2005/12/04 20:26:43 manubsd Exp */ @@ -161,7 +161,7 @@ /* XXX should be somewhere else !!! */ -#ifdef SADB_X_NAT_T_NEW_MAPPING +#ifdef SADB_X_EXT_NAT_T_TYPE #define PFKEY_ADDR_X_PORT(ext) (ntohs(((struct sadb_x_nat_t_port *)ext)-sadb_x_nat_t_port_port)) #define PFKEY_ADDR_X_NATTYPE(ext) ( ext != NULL ((struct sadb_x_nat_t_type *)ext)-sadb_x_nat_t_type_type ) #endif
CVS commit: src/crypto/dist/ipsec-tools/src/racoon
Module Name:src Committed By: vanhu Date: Thu Aug 13 09:18:28 UTC 2009 Modified Files: src/crypto/dist/ipsec-tools/src/racoon: oakley.c Log Message: fixed a potential DoS in oakley_do_decrypt(), reported by Orange Labs To generate a diff of this commit: cvs rdiff -u -r1.14 -r1.15 src/crypto/dist/ipsec-tools/src/racoon/oakley.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/src/racoon/oakley.c diff -u src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.14 src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.15 --- src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.14 Thu Mar 12 10:57:26 2009 +++ src/crypto/dist/ipsec-tools/src/racoon/oakley.c Thu Aug 13 09:18:28 2009 @@ -1,4 +1,4 @@ -/* $NetBSD: oakley.c,v 1.14 2009/03/12 10:57:26 tteras Exp $ */ +/* $NetBSD: oakley.c,v 1.15 2009/08/13 09:18:28 vanhu Exp $ */ /* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */ @@ -3001,7 +3001,7 @@ /* do decrypt */ new = alg_oakley_encdef_decrypt(iph1-approval-enctype, buf, iph1-key, ivdp); - if (new == NULL) { + if (new == NULL || new-v == NULL || new-l == 0) { plog(LLV_ERROR, LOCATION, NULL, decryption %d failed.\n, iph1-approval-enctype); goto end;
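Review bot: With the widened condition a non-NULL `new` whose `v` is NULL or whose `l` is zero now jumps to `end`, so the cleanup behind the `end:` label (outside this hunk) must release that buffer too, otherwise every malformed packet that takes the hardened path leaks the rejected result. A why-comment would also help future readers, e.g. `/* an empty decryption result is dereferenced below; reject it here (reported as a DoS) */`. The same change is applied to the ipsec-tools-0_7-branch in the commit below.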
CVS commit: [ipsec-tools-0_7-branch] src/crypto/dist/ipsec-tools/src/racoon
Module Name:src Committed By: vanhu Date: Thu Aug 13 09:18:45 UTC 2009 Modified Files: src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_7-branch]: oakley.c Log Message: fixed a potential DoS in oakley_do_decrypt(), reported by Orange Labs To generate a diff of this commit: cvs rdiff -u -r1.9.6.3 -r1.9.6.4 \ src/crypto/dist/ipsec-tools/src/racoon/oakley.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/src/racoon/oakley.c diff -u src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.9.6.3 src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.9.6.4 --- src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.9.6.3 Thu Mar 6 17:00:25 2008 +++ src/crypto/dist/ipsec-tools/src/racoon/oakley.c Thu Aug 13 09:18:45 2009 @@ -1,4 +1,4 @@ -/* $NetBSD: oakley.c,v 1.9.6.3 2008/03/06 17:00:25 vanhu Exp $ */ +/* $NetBSD: oakley.c,v 1.9.6.4 2009/08/13 09:18:45 vanhu Exp $ */ /* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */ @@ -3116,7 +3116,7 @@ /* do decrypt */ new = alg_oakley_encdef_decrypt(iph1-approval-enctype, buf, iph1-key, ivdp); - if (new == NULL) { + if (new == NULL || new-v == NULL || new-l == 0) { plog(LLV_ERROR, LOCATION, NULL, decryption %d failed.\n, iph1-approval-enctype); goto end;
CVS commit: [ipsec-tools-0_7-branch] src/crypto/dist/ipsec-tools
Module Name:src Committed By: vanhu Date: Thu Aug 13 09:19:22 UTC 2009 Modified Files: src/crypto/dist/ipsec-tools [ipsec-tools-0_7-branch]: NEWS configure.ac Log Message: 0.7.3 release To generate a diff of this commit: cvs rdiff -u -r1.1.1.6.6.4 -r1.1.1.6.6.5 src/crypto/dist/ipsec-tools/NEWS cvs rdiff -u -r1.3.4.12 -r1.3.4.13 src/crypto/dist/ipsec-tools/configure.ac Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/ipsec-tools/NEWS diff -u src/crypto/dist/ipsec-tools/NEWS:1.1.1.6.6.4 src/crypto/dist/ipsec-tools/NEWS:1.1.1.6.6.5 --- src/crypto/dist/ipsec-tools/NEWS:1.1.1.6.6.4 Wed Apr 22 11:26:50 2009 +++ src/crypto/dist/ipsec-tools/NEWS Thu Aug 13 09:19:22 2009 @@ -1,6 +1,11 @@ Version history: +0.7.3 - 23 August 2009 + o Fix a remote crash and a memory leak + o Fixed a NAT-T flag check + o Some code cleanups/compilation fixes with recent gcc + 0.7.2 - 22 April 2009 o Fix a remote crash in fragmentation code o Phase2 message identities are phase1 specific (Vista compatibility= Index: src/crypto/dist/ipsec-tools/configure.ac diff -u src/crypto/dist/ipsec-tools/configure.ac:1.3.4.12 src/crypto/dist/ipsec-tools/configure.ac:1.3.4.13 --- src/crypto/dist/ipsec-tools/configure.ac:1.3.4.12 Wed Apr 22 11:26:50 2009 +++ src/crypto/dist/ipsec-tools/configure.ac Thu Aug 13 09:19:22 2009 @@ -2,7 +2,7 @@ dnl Id: configure.ac,v 1.77 2006/07/20 19:19:27 manubsd Exp AC_PREREQ(2.52) -AC_INIT(ipsec-tools, 0.7.2) +AC_INIT(ipsec-tools, 0.7.3) AC_CONFIG_SRCDIR([configure.ac]) AM_CONFIG_HEADER(config.h)