CVS commit: src/crypto/dist/ipsec-tools/src

2012-11-29 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Thu Nov 29 15:31:25 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: algorithm.c algorithm.h
cfparse.y cftoken.l crypto_openssl.c crypto_openssl.h ipsec_doi.c
ipsec_doi.h pfkey.c racoon.conf.5 strnames.c
src/crypto/dist/ipsec-tools/src/setkey: token.l

Log Message:
Added support for AES GCM 16 in phase2 negotiations. Code from Christophe Carre 
/ NETASQ


To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 src/crypto/dist/ipsec-tools/src/racoon/algorithm.c
cvs rdiff -u -r1.5 -r1.6 src/crypto/dist/ipsec-tools/src/racoon/algorithm.h
cvs rdiff -u -r1.47 -r1.48 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y \
src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
cvs rdiff -u -r1.26 -r1.27 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
cvs rdiff -u -r1.21 -r1.22 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
cvs rdiff -u -r1.7 -r1.8 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h
cvs rdiff -u -r1.13 -r1.14 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.h
cvs rdiff -u -r1.58 -r1.59 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c
cvs rdiff -u -r1.64 -r1.65 \
src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
cvs rdiff -u -r1.9 -r1.10 src/crypto/dist/ipsec-tools/src/racoon/strnames.c
cvs rdiff -u -r1.17 -r1.18 src/crypto/dist/ipsec-tools/src/setkey/token.l

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/algorithm.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/algorithm.c:1.8 src/crypto/dist/ipsec-tools/src/racoon/algorithm.c:1.9
--- src/crypto/dist/ipsec-tools/src/racoon/algorithm.c:1.8	Fri Oct  6 12:02:27 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/algorithm.c	Thu Nov 29 15:31:24 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: algorithm.c,v 1.8 2006/10/06 12:02:27 manu Exp $	*/
+/*	$NetBSD: algorithm.c,v 1.9 2012/11/29 15:31:24 vanhu Exp $	*/
 
 /* Id: algorithm.c,v 1.15 2006/05/23 20:23:09 manubsd Exp */
 
@@ -165,6 +165,9 @@ static struct enc_algorithm ipsec_encdef
 { aes,	algtype_aes,		IPSECDOI_ESP_AES,		16,
 		NULL,			NULL,
 		NULL,			eay_aes_keylen, },
+{ aes_gcm_16,	algtype_aesgcm16,		IPSECDOI_ESP_AESGCM16,		16,
+		NULL,			NULL,
+		NULL,			eay_aesgcm_keylen, },
 { twofish,	algtype_twofish,	IPSECDOI_ESP_TWOFISH,		16,
 		NULL,			NULL,
 		NULL,			eay_twofish_keylen, },
@@ -798,6 +801,7 @@ default_keylen(class, type)
 	case algtype_rc5:
 	case algtype_cast128:
 	case algtype_aes:
+	case algtype_aesgcm16:
 	case algtype_twofish:
 	case algtype_camellia:
 		return 128;
@@ -834,6 +838,7 @@ check_keylen(class, type, len)
 	case algtype_rc5:
 	case algtype_cast128:
 	case algtype_aes:
+	case algtype_aesgcm16:
 	case algtype_twofish:
 	case algtype_camellia:
 		if (len % 8 != 0) {
@@ -863,6 +868,10 @@ check_keylen(class, type, len)
 		if (!(len == 128 || len == 192 || len == 256))
 			badrange++;
 		break;
+	case algtype_aesgcm16:
+		if (!(len == 128 || len == 192 || len == 256))
+			badrange++;
+		break;
 	case algtype_twofish:
 		if (len  40 || 256  len)
 			badrange++;
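Review bot: The `algtype_aesgcm16` case added here repeats the `algtype_aes` body directly above it (same 128/192/256 test, same `badrange++`), so the two labels can share one body: `case algtype_aes:` followed by `case algtype_aesgcm16:` and then the existing `if (!(len == 128 || len == 192 || len == 256)) badrange++; break;`. The cfparse.y comment in this same commit explains that the kernel keymat for aes_gcm_16 is 32 bits longer than the configured key, so a one-line comment at this case saying that `len` is the configured key size and not the keymat size would spare the next reader a trip to cfparse.y. check_keylen continues outside the hunk.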

Index: src/crypto/dist/ipsec-tools/src/racoon/algorithm.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/algorithm.h:1.5 src/crypto/dist/ipsec-tools/src/racoon/algorithm.h:1.6
--- src/crypto/dist/ipsec-tools/src/racoon/algorithm.h:1.5	Fri Oct  6 12:02:27 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/algorithm.h	Thu Nov 29 15:31:24 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: algorithm.h,v 1.5 2006/10/06 12:02:27 manu Exp $	*/
+/*	$NetBSD: algorithm.h,v 1.6 2012/11/29 15:31:24 vanhu Exp $	*/
 
 /* Id: algorithm.h,v 1.10 2005/04/09 16:25:23 manubsd Exp */
 
@@ -69,6 +69,7 @@ enum algtype {
 	algtype_rc4,
 	algtype_null_enc,
 	algtype_aes,
+	algtype_aesgcm16,
 	algtype_twofish,
 	algtype_camellia,
 

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.47 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.48
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.47	Sun Jan  1 16:14:11 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Thu Nov 29 15:31:24 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.47 2012/01/01 16:14:11 tteras Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.48 2012/11/29 15:31:24 vanhu Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -1722,6 +1722,7 @@ algorithm
 	:	ALGORITHMTYPE keylength
 		{
 			int defklen;
+			int encklen_tmp;
 
 			$$ = newsainfoalg();
 			if ($$ == NULL) {
@@ -1754,9 +1755,35 @@ algorithm
 			else
 $$-encklen = defklen;
 
+			/* Check keymat size instead of human key size
+			 * because kernel store keymat size instead of human key size.
+			 * For example, the keymat size of aes_gcm_16 128 is 160 bits
+			 * (128 bits + 4 bytes) instead of 128 bits.
+			 *
+			 * Currently, it is only useful for aes_gcm_16 (ipsec_enc).
+			 */
+			if (cur_algclass 

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-11-17 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Thu Nov 17 14:41:55 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: handler.c

Log Message:
fixed some crashes in LIST_FOREACH where the current element could be removed 
during the loop


To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.40 src/crypto/dist/ipsec-tools/src/racoon/handler.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/handler.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.39 src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.40
--- src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.39	Mon Mar 14 17:18:12 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.c	Thu Nov 17 14:41:55 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.c,v 1.39 2011/03/14 17:18:12 tteras Exp $	*/
+/*	$NetBSD: handler.c,v 1.40 2011/11/17 14:41:55 vanhu Exp $	*/
 
 /* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */
 
@@ -611,9 +611,11 @@ getph2byid(src, dst, spid)
 	struct sockaddr *src, *dst;
 	u_int32_t spid;
 {
-	struct ph2handle *p;
+	struct ph2handle *p, *next;
+
+	for (p = LIST_FIRST(ph2tree); p; p = next) {
+		next = LIST_NEXT(p, chain);
 
-	LIST_FOREACH(p, ph2tree, chain) {
 		if (spid == p-spid 
 		cmpsaddr(src, p-src) = CMPSADDR_WILDPORT_MATCH 
 		cmpsaddr(dst, p-dst) = CMPSADDR_WILDPORT_MATCH){
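Review bot: Saving `next` before the loop body, as done here in getph2byid and in the remcontacted and purgeph1bylogin hunks below (and again in the identical ipsec-tools-0_8-branch commit further down the page), only covers removal of the current element `p`; if the body, which for getph2byid and purgeph1bylogin lies outside the hunk, can unlink and free another handle, the saved `next` may already be dangling when the loop advances. A one-line comment above each loop stating that invariant, `/* body may remove p but never another element: next is saved first */`, makes the contract explicit for the next change. In remcontacted the visible body removes and frees only `p`'s own data, so that loop is fine as written.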
@@ -985,9 +987,11 @@ void
 remcontacted(remote)
 	struct sockaddr *remote;
 {
-	struct contacted *p;
+	struct contacted *p, *next;
+
+	for (p = LIST_FIRST(ctdtree); p; p = next) {
+		next = LIST_NEXT(p, chain);
 
-	LIST_FOREACH(p, ctdtree, chain) {
 		if (cmpsaddr(remote, p-remote) = CMPSADDR_WILDPORT_MATCH) {
 			LIST_REMOVE(p, chain);
 			racoon_free(p-remote);
@@ -1555,10 +1559,12 @@ int
 purgeph1bylogin(login)
 	char *login;
 {
-	struct ph1handle *p;
+	struct ph1handle *p, *next;
 	int found = 0;
 
-	LIST_FOREACH(p, ph1tree, chain) {
+	for (p = LIST_FIRST(ph1tree); p; p = next) {
+		next = LIST_NEXT(p, chain);
+
 		if (p-mode_cfg == NULL)
 			continue;
 		if (strncmp(p-mode_cfg-login, login, LOGINLEN) == 0) {



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2011-11-17 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Thu Nov 17 14:46:31 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
handler.c

Log Message:
fixed some crashes in LIST_FOREACH where the current element could be removed 
during the loop


To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.39.2.1 \
src/crypto/dist/ipsec-tools/src/racoon/handler.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/handler.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.39 src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.39.2.1
--- src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.39	Mon Mar 14 17:18:12 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.c	Thu Nov 17 14:46:31 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.c,v 1.39 2011/03/14 17:18:12 tteras Exp $	*/
+/*	$NetBSD: handler.c,v 1.39.2.1 2011/11/17 14:46:31 vanhu Exp $	*/
 
 /* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */
 
@@ -611,9 +611,11 @@ getph2byid(src, dst, spid)
 	struct sockaddr *src, *dst;
 	u_int32_t spid;
 {
-	struct ph2handle *p;
+	struct ph2handle *p, *next;
+
+	for (p = LIST_FIRST(ph2tree); p; p = next) {
+		next = LIST_NEXT(p, chain);
 
-	LIST_FOREACH(p, ph2tree, chain) {
 		if (spid == p-spid 
 		cmpsaddr(src, p-src) = CMPSADDR_WILDPORT_MATCH 
 		cmpsaddr(dst, p-dst) = CMPSADDR_WILDPORT_MATCH){
@@ -985,9 +987,11 @@ void
 remcontacted(remote)
 	struct sockaddr *remote;
 {
-	struct contacted *p;
+	struct contacted *p, *next;
+
+	for (p = LIST_FIRST(ctdtree); p; p = next) {
+		next = LIST_NEXT(p, chain);
 
-	LIST_FOREACH(p, ctdtree, chain) {
 		if (cmpsaddr(remote, p-remote) = CMPSADDR_WILDPORT_MATCH) {
 			LIST_REMOVE(p, chain);
 			racoon_free(p-remote);
@@ -1555,10 +1559,12 @@ int
 purgeph1bylogin(login)
 	char *login;
 {
-	struct ph1handle *p;
+	struct ph1handle *p, *next;
 	int found = 0;
 
-	LIST_FOREACH(p, ph1tree, chain) {
+	for (p = LIST_FIRST(ph1tree); p; p = next) {
+		next = LIST_NEXT(p, chain);
+
 		if (p-mode_cfg == NULL)
 			continue;
 		if (strncmp(p-mode_cfg-login, login, LOGINLEN) == 0) {



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools

2011-03-18 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Fri Mar 18 13:20:27 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools [ipsec-tools-0_8-branch]: NEWS

Log Message:
updated News for 0.8 branch


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.4.6.1 src/crypto/dist/ipsec-tools/NEWS

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/NEWS
diff -u src/crypto/dist/ipsec-tools/NEWS:1.4 src/crypto/dist/ipsec-tools/NEWS:1.4.6.1
--- src/crypto/dist/ipsec-tools/NEWS:1.4	Fri Jan 23 09:40:56 2009
+++ src/crypto/dist/ipsec-tools/NEWS	Fri Mar 18 13:20:27 2011
@@ -1,6 +1,6 @@
 Version history:
 
-0.8 CVS (no official release yet)
+0.8	- 18 March 2011
 	o Fix authentication method ambiguity with kerberos and xauth
 	o RFC2253 compliant escaping of asn1dn identifiers (Cyrus Rahman)
 	o Local address code rewrite to speed things up
@@ -12,6 +12,8 @@
 	o Rewritten event handling framework for admin port
 	o Ability to initiate IPsec SA through admin port
 	o NAT-T Original Address handling (transport mode NAT-T support)
+	o clean NAT-T - PFkey support
+	o support for multiple anonymous remoteconfs
 	o Remove various obsolete configuration options
 	o A lot of other bug fixes, performance improvements and clean ups
 



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools

2011-03-18 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Fri Mar 18 13:25:12 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools [ipsec-tools-0_8-branch]: configure.ac

Log Message:
Yes: 0.8.0 is out !!!


To generate a diff of this commit:
cvs rdiff -u -r1.10 -r1.10.6.1 src/crypto/dist/ipsec-tools/configure.ac

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/configure.ac
diff -u src/crypto/dist/ipsec-tools/configure.ac:1.10 src/crypto/dist/ipsec-tools/configure.ac:1.10.6.1
--- src/crypto/dist/ipsec-tools/configure.ac:1.10	Fri Jan 23 08:25:06 2009
+++ src/crypto/dist/ipsec-tools/configure.ac	Fri Mar 18 13:25:12 2011
@@ -2,7 +2,7 @@
 dnl Id: configure.ac,v 1.77 2006/07/20 19:19:27 manubsd Exp
 
 AC_PREREQ(2.52)
-AC_INIT(ipsec-tools, CVS)
+AC_INIT(ipsec-tools, 0.8.0)
 AC_CONFIG_SRCDIR([configure.ac])
 AM_CONFIG_HEADER(config.h)
 



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-03-17 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Thu Mar 17 14:35:24 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: oakley.c

Log Message:
fixed a memory leak in oakley_check_certid(). patch by Roman Hoog Antink 
r...@open.ch


To generate a diff of this commit:
cvs rdiff -u -r1.19 -r1.20 src/crypto/dist/ipsec-tools/src/racoon/oakley.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/oakley.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.19 src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.20
--- src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.19	Sun Feb 20 17:32:02 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/oakley.c	Thu Mar 17 14:35:24 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: oakley.c,v 1.19 2011/02/20 17:32:02 tteras Exp $	*/
+/*	$NetBSD: oakley.c,v 1.20 2011/03/17 14:35:24 vanhu Exp $	*/
 
 /* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */
 
@@ -1862,10 +1862,11 @@
 		hints.ai_socktype = SOCK_RAW;
 		hints.ai_flags = AI_NUMERICHOST;
 		error = getaddrinfo(altname, NULL, hints, res);
+		racoon_free(altname);
+		altname = NULL;
 		if (error != 0) {
 			plog(LLV_ERROR, LOCATION, NULL,
 no proper subjectAltName.\n);
-			racoon_free(altname);
 			return ISAKMP_NTYPE_INVALID_CERTIFICATE;
 		}
 		switch (res-ai_family) {
@@ -1880,7 +1881,6 @@
 		default:
 			plog(LLV_ERROR, LOCATION, NULL,
 family not supported: %d.\n, res-ai_family);
-			racoon_free(altname);
 			freeaddrinfo(res);
 			return ISAKMP_NTYPE_INVALID_CERTIFICATE;
 		}



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-03-17 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Thu Mar 17 14:39:07 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: oakley.c

Log Message:
free name later, to avoid a memory use after free in oakley_check_certid(). 
also give iph1->remote to some plog() calls. patch by Roman Hoog Antink 
r...@open.ch


To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.21 src/crypto/dist/ipsec-tools/src/racoon/oakley.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/oakley.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.20 src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.21
--- src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.20	Thu Mar 17 14:35:24 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/oakley.c	Thu Mar 17 14:39:06 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: oakley.c,v 1.20 2011/03/17 14:35:24 vanhu Exp $	*/
+/*	$NetBSD: oakley.c,v 1.21 2011/03/17 14:39:06 vanhu Exp $	*/
 
 /* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */
 
@@ -1791,7 +1791,7 @@
 		return 0;
 
 	if (iph1-id_p == NULL || iph1-cert_p == NULL) {
-		plog(LLV_ERROR, LOCATION, NULL, no ID nor CERT found.\n);
+		plog(LLV_ERROR, LOCATION, iph1-remote, no ID nor CERT found.\n);
 		return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
 	}
 
@@ -1802,26 +1802,28 @@
 	case IPSECDOI_ID_DER_ASN1_DN:
 		name = eay_get_x509asn1subjectname(iph1-cert_p);
 		if (!name) {
-			plog(LLV_ERROR, LOCATION, NULL,
+			plog(LLV_ERROR, LOCATION, iph1-remote,
 failed to get subjectName\n);
 			return ISAKMP_NTYPE_INVALID_CERTIFICATE;
 		}
 		if (idlen != name-l) {
-			plog(LLV_ERROR, LOCATION, NULL,
+			plog(LLV_ERROR, LOCATION, iph1-remote,
 Invalid ID length in phase 1.\n);
 			vfree(name);
 			return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
 		}
 		error = memcmp(id_b + 1, name-v, idlen);
-		vfree(name);
 		if (error != 0) {
-			plog(LLV_ERROR, LOCATION, NULL,
+			plog(LLV_ERROR, LOCATION, iph1-remote,
 ID mismatched with ASN1 SubjectName.\n);
 			plogdump(LLV_DEBUG, id_b + 1, idlen);
 			plogdump(LLV_DEBUG, name-v, idlen);
-			if (iph1-rmconf-verify_identifier)
+			if (iph1-rmconf-verify_identifier) {
+vfree(name);
 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
+			}
 		}
+		vfree(name);
 		return 0;
 	case IPSECDOI_ID_IPV4_ADDR:
 	case IPSECDOI_ID_IPV6_ADDR:
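Review bot: With `vfree(name)` now deferred past the `plogdump` calls the use-after-free is gone, but the mismatch path still logs at LLV_ERROR and then returns 0 when `verify_identifier` is off, so an operator reading the log sees an error for a peer that was in fact accepted. A line after the `if (iph1->rmconf->verify_identifier) { ... }` block, `plog(LLV_WARNING, LOCATION, iph1->remote, "ID mismatch ignored because verify_identifier is off.\n");`, would record the accept-despite-mismatch decision where it is made. oakley_check_certid continues outside the hunk.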



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-03-17 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Thu Mar 17 14:42:58 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: oakley.c

Log Message:
fixed a memory leak in oakley_append_rmconf_cr() while generating plist. patch 
by Roman Hoog Antink r...@open.ch


To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.22 src/crypto/dist/ipsec-tools/src/racoon/oakley.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/oakley.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.21 src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.22
--- src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.21	Thu Mar 17 14:39:06 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/oakley.c	Thu Mar 17 14:42:58 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: oakley.c,v 1.21 2011/03/17 14:39:06 vanhu Exp $	*/
+/*	$NetBSD: oakley.c,v 1.22 2011/03/17 14:42:58 vanhu Exp $	*/
 
 /* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */
 
@@ -2288,7 +2288,7 @@
 	 s_isakmp_certtype(buf-v[0]));
 	plogdump(LLV_DEBUG, buf-v, buf-l);
 
-	actx-plist = isakmp_plist_append(actx-plist, buf, ISAKMP_NPTYPE_CR);
+	actx-plist = isakmp_plist_append_full(actx-plist, buf, ISAKMP_NPTYPE_CR, 1);
 
 err:
 	vfree(asn1dn);



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-03-15 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Tue Mar 15 13:20:14 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp.c isakmp_inf.c pfkey.c

Log Message:
directly call isakmp_ph1delete() instead of scheduling isakmp_ph1delete_stub(), 
as it is useless and can lead to memory access after free


To generate a diff of this commit:
cvs rdiff -u -r1.70 -r1.71 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.46 -r1.47 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
cvs rdiff -u -r1.56 -r1.57 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.70 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.71
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.70	Mon Mar 14 17:18:12 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Tue Mar 15 13:20:14 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.c,v 1.70 2011/03/14 17:18:12 tteras Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.71 2011/03/15 13:20:14 vanhu Exp $	*/
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
@@ -2018,7 +2018,7 @@
 		iph1-status = PHASE1ST_EXPIRED;
 	}
 
-	sched_schedule(iph1-sce, 1, isakmp_ph1delete_stub);
+	isakmp_ph1delete(iph1);
 }
 
 /* called from scheduler */
@@ -2046,20 +2046,16 @@
 	/* Discard any left phase2s */
 	for (p = LIST_FIRST(iph1-ph2tree); p; p = next) {
 		next = LIST_NEXT(p, ph1bind);
-		if (p-status = PHASE2ST_ESTABLISHED)
-			unbindph12(p);
-		/* Should we also remove non established ph2
-		 * handles, as we just invalidated ph1handle ?
+		if (p-status == PHASE2ST_ESTABLISHED)
+			isakmp_info_send_d2(p);
+		/* remove all ph2 handles,
+		 * as ph1handle will be expired soon
 		 */
+		delete_spd(p, 1);
+		remph2(p);
+		delph2(p);
 	}
 
-	if (LIST_FIRST(iph1-ph2tree) != NULL) {
-		sched_schedule(iph1-sce, 1, isakmp_ph1delete_stub);
-		return;
-	}
-
-	/* don't re-negosiation when the phase 1 SA expires. */
-
 	src = racoon_strdup(saddr2str(iph1-local));
 	dst = racoon_strdup(saddr2str(iph1-remote));
 	STRDUP_FATAL(src);
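Review bot: The delete notification is now sent only when `p->status == PHASE2ST_ESTABLISHED`, whereas the removed line appears to have tested with `>=` (the operator is garbled on this page); if any phase-2 state is ordered after PHASE2ST_ESTABLISHED, those handles are now torn down by `delete_spd`/`remph2`/`delph2` without a delete payload going to the peer, so either confirm the narrowing is intended or keep the original comparison. The replacement comment could also spell out the rule, `/* every ph2 is deleted here; only established ones get a DELETE notify first */`. isakmp_ph1delete continues outside the hunk.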
@@ -3397,7 +3393,7 @@
 		 purged ISAKMP-SA spi=%s.\n,
 		 isakmp_pindex((iph1-index), iph1-msgid));
 
-	sched_schedule(iph1-sce, 1, isakmp_ph1delete_stub);
+	isakmp_ph1delete(iph1);
 }
 
 void

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.46 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.47
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.46	Mon Mar 14 17:18:13 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Tue Mar 15 13:20:14 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.c,v 1.46 2011/03/14 17:18:13 tteras Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.47 2011/03/15 13:20:14 vanhu Exp $	*/
 
 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
 
@@ -1094,7 +1094,7 @@
 			isakmp_pindex(spi[i], 0));
 
 		iph1-status = PHASE1ST_EXPIRED;
-		sched_schedule(iph1-sce, 1, isakmp_ph1delete_stub);
+		isakmp_ph1delete(iph1);
 	}
 }
 

Index: src/crypto/dist/ipsec-tools/src/racoon/pfkey.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.56 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.57
--- src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.56	Mon Mar 14 17:18:13 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/pfkey.c	Tue Mar 15 13:20:14 2011
@@ -1,6 +1,6 @@
-/*	$NetBSD: pfkey.c,v 1.56 2011/03/14 17:18:13 tteras Exp $	*/
+/*	$NetBSD: pfkey.c,v 1.57 2011/03/15 13:20:14 vanhu Exp $	*/
 
-/* $Id: pfkey.c,v 1.56 2011/03/14 17:18:13 tteras Exp $ */
+/* $Id: pfkey.c,v 1.57 2011/03/15 13:20:14 vanhu Exp $ */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -2901,7 +2901,7 @@
 		rmconf = getrmconf(ma-remote, 0);
 		if (rmconf == NULL || !rmconf-passive) {
 			iph1-status = PHASE1ST_EXPIRED;
-			sched_schedule(iph1-sce, 1, isakmp_ph1delete_stub);
+			isakmp_ph1delete(iph1);
 
 			/* This is unlikely, but let's just check if a Phase 1
 			 * for the new addresses already exist */
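Review bot: `isakmp_ph1delete(iph1)` now runs synchronously where the old code only scheduled the deletion, and the check that follows ("check if a Phase 1 for the new addresses already exist") lies outside the hunk; if isakmp_ph1delete releases the handle, as the commit message's "memory access after free" motivation suggests, any later read of `iph1` in this function is now an immediate use-after-free rather than a deferred one. Either verify that `iph1` is not touched again below, or add `iph1 = NULL;` right after the call so a stray dereference fails loudly. The isakmp.c hunks above end at the enclosing function's closing brace; the isakmp_inf.c one closes a loop body, so check there whether `iph1` is re-derived on the next iteration.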



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-03-14 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Mon Mar 14 09:19:24 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: handler.c

Log Message:
check if we got RMCONF_ERR_MULTIPLE from getrmconf_by_ph1() in 
revalidate_ph1tree_rmconf()


To generate a diff of this commit:
cvs rdiff -u -r1.36 -r1.37 src/crypto/dist/ipsec-tools/src/racoon/handler.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/handler.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.36 src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.37
--- src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.36	Fri Mar 11 14:30:07 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.c	Mon Mar 14 09:19:23 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.c,v 1.36 2011/03/11 14:30:07 vanhu Exp $	*/
+/*	$NetBSD: handler.c,v 1.37 2011/03/14 09:19:23 vanhu Exp $	*/
 
 /* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */
 
@@ -1486,6 +1486,7 @@
 static int revalidate_ph1tree_rmconf(void)
 {
 	struct ph1handle *p, *next;
+	struct remoteconf *rmconf;
 
 	for (p = LIST_FIRST(ph1tree); p; p = next) {
 		next = LIST_NEXT(p, chain);
@@ -1495,9 +1496,11 @@
 		if (p-rmconf == NULL)
 			continue;
 
-		p-rmconf = getrmconf_by_ph1(p);
-		if (p-rmconf == NULL || p-rmconf == RMCONF_ERR_MULTIPLE)
+		rmconf = getrmconf_by_ph1(p);
+		if (rmconf == NULL || rmconf == RMCONF_ERR_MULTIPLE)
 			remove_ph1(p);
+		else
+			p-rmconf = rmconf;
 	}
 
 	return 1;
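Review bot: Both failure outcomes of `getrmconf_by_ph1`, no match and `RMCONF_ERR_MULTIPLE`, lead to `remove_ph1(p)` without any message at this level, so after a configuration reload an operator cannot tell from the log whether a phase-1 SA vanished because its remote block was deleted or because it became ambiguous, unless remove_ph1 logs that itself. A single line before the removal, `plog(LLV_INFO, LOCATION, p->remote, "remote conf %s after reload, removing ph1\n", rmconf == NULL ? "not found" : "ambiguous");`, distinguishes the two. Keeping the sentinel out of `p->rmconf` is the right fix for the actual bug.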



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-03-14 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Mon Mar 14 14:54:07 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: handler.c

Log Message:
removed a useless comment


To generate a diff of this commit:
cvs rdiff -u -r1.37 -r1.38 src/crypto/dist/ipsec-tools/src/racoon/handler.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/handler.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.37 src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.38
--- src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.37	Mon Mar 14 09:19:23 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.c	Mon Mar 14 14:54:07 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.c,v 1.37 2011/03/14 09:19:23 vanhu Exp $	*/
+/*	$NetBSD: handler.c,v 1.38 2011/03/14 14:54:07 vanhu Exp $	*/
 
 /* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */
 
@@ -1447,7 +1447,6 @@
 		 * - delete SPIs in kernel
 		 * - delete generated SPD
 		 * - unbind / rem / del ph2
-		 * - XXX shoudld also send a delete-sa !?
 		 */
 		purge_ipsec_spi(iph2-dst, iph2-approval-head-proto_id,
 		spis, 2);



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-03-14 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Mon Mar 14 15:50:37 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y isakmp_xauth.c
isakmp_xauth.h remoteconf.c remoteconf.h rsalist.c rsalist.h

Log Message:
avoid some memory leaks / freed memory accesses when reloading conf with 
inherited config. patch from Roman Hoog Antink r...@open.ch


To generate a diff of this commit:
cvs rdiff -u -r1.41 -r1.42 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
cvs rdiff -u -r1.21 -r1.22 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
cvs rdiff -u -r1.6 -r1.7 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h
cvs rdiff -u -r1.25 -r1.26 \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
cvs rdiff -u -r1.15 -r1.16 \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h
cvs rdiff -u -r1.5 -r1.6 src/crypto/dist/ipsec-tools/src/racoon/rsalist.c \
src/crypto/dist/ipsec-tools/src/racoon/rsalist.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.41 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.42
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.41	Wed Mar  2 14:58:27 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Mon Mar 14 15:50:36 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.41 2011/03/02 14:58:27 vanhu Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.42 2011/03/14 15:50:36 vanhu Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -145,6 +145,7 @@
 
 static struct secprotospec *newspspec __P((void));
 static void insspspec __P((struct remoteconf *, struct secprotospec *));
+void dupspspec_list __P((struct remoteconf *dst, struct remoteconf *src));
 void flushspspec __P((struct remoteconf *));
 static void adminsock_conf __P((vchar_t *, vchar_t *, vchar_t *, int));
 
@@ -1629,7 +1630,7 @@
 return -1;
 			}
 
-			new = duprmconf(from);
+			new = duprmconf_shallow(from);
 			if (new == NULL) {
 yyerror(failed to duplicate remoteconf from \%s\.,
 	$4-v);
@@ -1674,13 +1675,14 @@
 return -1;
 			}
 
-			new = duprmconf(from);
+			new = duprmconf_shallow(from);
 			if (new == NULL) {
 yyerror(failed to duplicate remoteconf from %s.,
 	saddr2str($4));
 return -1;
 			}
 
+			racoon_free($4);
 			new-remote = $2;
 			cur_rmconf = new;
 		}
@@ -1727,11 +1729,19 @@
 	return -1;
 }
 			}
-			
+
+			if (duprmconf_finish(cur_rmconf))
+return -1;
+
+#if 0
+			/* this pointer copy will never happen, because duprmconf_shallow
+			 * already copied all pointers.
+			 */
 			if (cur_rmconf-spspec == NULL 
 			cur_rmconf-inherited_from != NULL) {
 cur_rmconf-spspec = cur_rmconf-inherited_from-spspec;
 			}
+#endif
 			if (set_isakmp_proposal(cur_rmconf) != 0)
 return -1;
 
@@ -2415,6 +2425,62 @@
 	rmconf-spspec = spspec;
 }
 
+static struct secprotospec *
+dupspspec(spspec)
+	struct secprotospec *spspec;
+{
+	struct secprotospec *new;
+
+	new = newspspec();
+	if (new == NULL) {
+		plog(LLV_ERROR, LOCATION, NULL, 
+		dupspspec: malloc failed\n);
+		return NULL;
+	}
+	memcpy(new, spspec, sizeof(*new));
+
+	if (spspec-gssid) {
+		new-gssid = racoon_strdup(spspec-gssid);
+		STRDUP_FATAL(new-gssid);
+	}
+	if (spspec-remote) {
+		new-remote = racoon_malloc(sizeof(*new-remote));
+		if (new-remote == NULL) {
+			plog(LLV_ERROR, LOCATION, NULL, 
+			dupspspec: malloc failed (remote)\n);
+			return NULL;
+		}
+		memcpy(new-remote, spspec-remote, sizeof(*new-remote));
+	}
+
+	return new;
+}
+
+/*
+ * copy the whole list
+ */
+void
+dupspspec_list(dst, src)
+	struct remoteconf *dst, *src;
+{
+	struct secprotospec *p, *new, *last;
+
+	for(p = src-spspec, last = NULL; p; p = p-next, last = new) {
+		new = dupspspec(p);
+		if (new == NULL)
+			exit(1);
+
+		new-prev = last;
+		new-next = NULL; /* not necessary but clean */
+
+		if (last)
+			last-next = new;
+		else /* first element */
+			dst-spspec = new;
+
+	}
+}
+
 /*
  * delete the whole list
  */
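Review bot: `dupspspec` leaks on its second failure path: when `racoon_malloc` for `new->remote` fails it returns NULL, but `new` (from `newspspec`) and the freshly duplicated `new->gssid` are never released, and the leak is only moot because `dupspspec_list` then calls `exit(1)`. Either free before returning, `if (new->gssid) racoon_free(new->gssid); racoon_free(new); return NULL;`, or treat it like the `gssid` copy a few lines earlier, which aborts through `STRDUP_FATAL`; mixing a fatal and a soft failure in one short function is the real inconsistency here. A header comment on `dupspspec` saying the caller owns the returned copy, which `flushspspec` in the next hunk now frees field by field, would also help.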
@@ -2430,8 +2496,13 @@
 		if (p-next != NULL)
 			p-next-prev = NULL; /* not necessary but clean */
 
-		racoon_free(p);		  
+		if (p-gssid)
+			racoon_free(p-gssid);
+		if (p-remote)
+			racoon_free(p-remote);
+		racoon_free(p);
 	}
+	rmconf-spspec = NULL;
 }
 
 /* set final acceptable proposal */

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.21 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.22
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.21	Mon Sep 27 11:57:59 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Mon Mar 14 15:50:36 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.21 2010/09/27 11:57:59 vanhu Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.22 2011/03/14 15:50:36 vanhu Exp $	*/
 
 /* Id: isakmp_xauth.c,v 

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-03-11 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Fri Mar 11 14:30:07 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: handler.c isakmp.c

Log Message:
directly delete a ph1 in remove_ph1() instead of scheduling it, to avoid 
(completely ?) a race condition when reloading configuration


To generate a diff of this commit:
cvs rdiff -u -r1.35 -r1.36 src/crypto/dist/ipsec-tools/src/racoon/handler.c
cvs rdiff -u -r1.68 -r1.69 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/handler.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.35 src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.36
--- src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.35	Tue Dec 28 06:00:18 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.c	Fri Mar 11 14:30:07 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.c,v 1.35 2010/12/28 06:00:18 tteras Exp $	*/
+/*	$NetBSD: handler.c,v 1.36 2011/03/11 14:30:07 vanhu Exp $	*/
 
 /* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */
 
@@ -1447,6 +1447,7 @@
 		 * - delete SPIs in kernel
 		 * - delete generated SPD
 		 * - unbind / rem / del ph2
+		 * - XXX shoudld also send a delete-sa !?
 		 */
 		purge_ipsec_spi(iph2-dst, iph2-approval-head-proto_id,
 		spis, 2);
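Review bot: The comment added here has a typo, `shoudld`, and the comment in the next hunk of this file says `after it has freed` where `after it has been freed` is meant; as these are the only documentation of the new direct-deletion behaviour they are worth getting right. Suggested wording for the second: `/* call isakmp_ph1delete directly rather than scheduling it, so iph1->rmconf is not read after it has been freed */`. The enclosing function starts outside this hunk.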
@@ -1474,7 +1475,11 @@
 		isakmp_info_send_d1(iph1);
 	}
 	iph1-status = PHASE1ST_EXPIRED;
-	sched_schedule(iph1-sce, 1, isakmp_ph1delete_stub);
+	/* directly call isakmp_ph1delete to avoid as possible a race
+	 * condition where we'll try to access iph1-rmconf after it has
+	 * freed
+	 */
+	isakmp_ph1delete(iph1);
 }
 
 

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.68 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.69
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.68	Tue Mar  1 14:33:58 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Fri Mar 11 14:30:07 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.c,v 1.68 2011/03/01 14:33:58 vanhu Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.69 2011/03/11 14:30:07 vanhu Exp $	*/
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
@@ -2048,6 +2048,9 @@
 		next = LIST_NEXT(p, ph1bind);
 		if (p-status = PHASE2ST_ESTABLISHED)
 			unbindph12(p);
+		/* Should we also remove non established ph2
+		 * handles, as we just invalidated ph1handle ?
+		 */
 	}
 
 	if (LIST_FIRST(iph1-ph2tree) != NULL) {
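Review bot: The question left in the new comment is a real dangling-pointer risk, not a cosmetic one: ph2 handles below PHASE2ST_ESTABLISHED stay bound to this ph1 while the loop unbinds only established ones, so once the handle is freed they still carry a pointer to it. Since the loop already saves `next` before touching `p`, it is safe to act on every entry here; at minimum unbind unconditionally by dropping the status test, `unbindph12(p);`, and decide separately whether a non-established ph2 should be torn down. The enclosing function starts and ends outside the hunk, so I cannot see whether a later pass handles these entries.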



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-03-02 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Wed Mar  2 14:49:21 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y prsa_par.y

Log Message:
fixed some memory leaks during configuration parsing. patch by Roman Hoog 
Antink r...@open.ch


To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.40 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
cvs rdiff -u -r1.5 -r1.6 src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.39 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.40
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.39	Tue Mar  1 14:14:50 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Wed Mar  2 14:49:21 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.39 2011/03/01 14:14:50 vanhu Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.40 2011/03/02 14:49:21 vanhu Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -423,13 +423,16 @@
 	:	X_ISAKMP ike_addrinfo_port
 		{
 			myaddr_listen($2, FALSE);
+			racoon_free($2);
 		}
 		EOS
 	|	X_ISAKMP_NATT ike_addrinfo_port
 		{
 #ifdef ENABLE_NATT
 			myaddr_listen($2, TRUE);
+			racoon_free($2);
 #else
+			racoon_free($2);
 			yyerror(NAT-T support not compiled in.);
 #endif
 		}
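Review bot: The added `racoon_free($2)` after `myaddr_listen($2, FALSE)` is correct only if myaddr_listen copies the address instead of keeping the pointer in its listen list; that helper is not visible here, so please confirm and record it, e.g. `/* myaddr_listen() copies the sockaddr, so $2 is ours to free */`. In the NAT-T action the free is duplicated on both sides of the `#ifdef`; a single `racoon_free($2);` placed after the `#endif` keeps the two paths from drifting apart.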

Index: src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y:1.5 src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y:1.6
--- src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y:1.5	Thu Feb 10 11:17:17 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y	Wed Mar  2 14:49:21 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: prsa_par.y,v 1.5 2011/02/10 11:17:17 tteras Exp $	*/
+/*	$NetBSD: prsa_par.y,v 1.6 2011/03/02 14:49:21 vanhu Exp $	*/
 
 /* Id: prsa_par.y,v 1.3 2004/11/08 12:04:23 ludvigm Exp */
 
@@ -211,6 +211,7 @@
 			YYABORT;
 		}
 		$$ = base64_pubkey2rsa($2);
+		free($2);
 	}
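Review bot: `free($2)` is added after `base64_pubkey2rsa($2)` but the action still never checks the result; if that conversion can fail, `$$` is NULL and parsing continues with a missing RSA key, which for an authentication key list is a silent weakening rather than just a leak. Reject it in the same action with an error and `YYABORT`, as the branch a few lines above already does. Note also that this file frees with plain `free()` while cfparse.y in the same commit uses `racoon_free()`; whichever allocator the lexer uses for these strings is the one that must be paired here — the lexer is not visible from this hunk.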
 	| TAG_PUB HEX
 	{
@@ -256,6 +257,7 @@
 		}
 		memcpy(sap, res-ai_addr, res-ai_addrlen);
 		freeaddrinfo(res);
+		free($1);
 	}
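Review bot: `free($1)` sits at the end of the success path, after `freeaddrinfo(res)`, so the address string still leaks on the error branch that exits the action just above (its body is cut off at the top of the hunk, so I am inferring that it leaves early). Freeing `$1` immediately after the lookup call, before the result is examined, covers both paths; the same applies to the identical hunk below.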
 	;
 
@@ -284,6 +286,7 @@
 		}
 		memcpy(sap, res-ai_addr, res-ai_addrlen);
 		freeaddrinfo(res);
+		free($1);
 	}
 	;
 



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-03-02 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Wed Mar  2 14:52:32 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: remoteconf.c session.c

Log Message:
fixed some memory leaks in remoteconf. patch by Roman Hoog Antink r...@open.ch


To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
cvs rdiff -u -r1.30 -r1.31 src/crypto/dist/ipsec-tools/src/racoon/session.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.22 src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.23
--- src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.22	Fri Jan 28 13:00:14 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c	Wed Mar  2 14:52:32 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: remoteconf.c,v 1.22 2011/01/28 13:00:14 tteras Exp $	*/
+/*	$NetBSD: remoteconf.c,v 1.23 2011/03/02 14:52:32 vanhu Exp $	*/
 
 /* Id: remoteconf.c,v 1.38 2006/05/06 15:52:44 manubsd Exp */
 
@@ -652,6 +652,8 @@
 		racoon_free(rmconf-cacertfile);
 	if (rmconf-name)
 		racoon_free(rmconf-name);
+	if (rmconf-remote)
+		racoon_free(rmconf-remote);
 	racoon_free(rmconf);
 }
 
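Review bot: The `if (rmconf->remote)` guard before `racoon_free` is redundant if racoon_free is a thin wrapper over free(), which accepts NULL; it matches the surrounding style, so keep it only for consistency. The more important point is that this function now releases more of the struct while, per the 2011-03-11 commit earlier in this digest, live ph1 handles can still hold `iph1->rmconf` across a configuration reload; a one-line comment making the ownership rule explicit would help, e.g. `/* caller guarantees no ph1 handle still references rmconf */`. The enclosing function starts outside the hunk.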

Index: src/crypto/dist/ipsec-tools/src/racoon/session.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/session.c:1.30 src/crypto/dist/ipsec-tools/src/racoon/session.c:1.31
--- src/crypto/dist/ipsec-tools/src/racoon/session.c:1.30	Fri Jan 28 13:02:34 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/session.c	Wed Mar  2 14:52:32 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: session.c,v 1.30 2011/01/28 13:02:34 tteras Exp $	*/
+/*	$NetBSD: session.c,v 1.31 2011/03/02 14:52:32 vanhu Exp $	*/
 
 /*	$KAME: session.c,v 1.32 2003/09/24 02:01:17 jinmei Exp $	*/
 
@@ -343,6 +343,7 @@
 	pfkey_send_flush(lcconf-sock_pfkey, SADB_SATYPE_UNSPEC);
 	flushph2();
 	flushph1();
+	flushrmconf();
 	close_sockets();
 	backupsa_clean();
 
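Review bot: `flushrmconf()` is placed after `flushph1()`, which is the right order because ph1 handles point at their rmconf, but nothing says so and a later reshuffle would reintroduce a use-after-free. A short comment on the new line would pin it down, e.g. `/* order matters: ph2, then ph1, then rmconf — handles reference their rmconf */`. The enclosing function starts outside the hunk.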



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-03-02 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Wed Mar  2 14:58:27 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y remoteconf.c
remoteconf.h

Log Message:
free spspec when deleting a rmconf struct. patch by Roman Hoog Antink 
r...@open.ch


To generate a diff of this commit:
cvs rdiff -u -r1.40 -r1.41 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
cvs rdiff -u -r1.23 -r1.24 \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
cvs rdiff -u -r1.14 -r1.15 \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.40 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.41
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.40	Wed Mar  2 14:49:21 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Wed Mar  2 14:58:27 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.40 2011/03/02 14:49:21 vanhu Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.41 2011/03/02 14:58:27 vanhu Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -145,6 +145,7 @@
 
 static struct secprotospec *newspspec __P((void));
 static void insspspec __P((struct remoteconf *, struct secprotospec *));
+void flushspspec __P((struct remoteconf *));
 static void adminsock_conf __P((vchar_t *, vchar_t *, vchar_t *, int));
 
 static int set_isakmp_proposal __P((struct remoteconf *));
@@ -2414,6 +2415,25 @@
 	rmconf-spspec = spspec;
 }
 
+/*
+ * delete the whole list
+ */
+void
+flushspspec(rmconf)
+	struct remoteconf *rmconf;
+{
+	struct secprotospec *p;
+
+	while(rmconf-spspec != NULL) {
+		p = rmconf-spspec;
+		rmconf-spspec = p-next;
+		if (p-next != NULL)
+			p-next-prev = NULL; /* not necessary but clean */
+
+		racoon_free(p);		  
+	}
+}
+
 /* set final acceptable proposal */
 static int
 set_isakmp_proposal(rmconf)
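Review bot: flushspspec releases each `struct secprotospec` node with a single `racoon_free(p)`, so anything the node itself owns leaks; the struct definition is not visible here, and if it holds allocated strings or vchar_t members they need to be freed first, otherwise the header comment should state that a node owns no heap data. The function is also declared three times in this commit: the prototype added near the top of cfparse.y, the definition here, and the `extern` in remoteconf.h — the local prototype should go, with cfparse.y relying on remoteconf.h (which it presumably already includes since it builds `struct remoteconf`). Minor: `while(` lacks the space used elsewhere in the file and `racoon_free(p);` carries trailing whitespace.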

Index: src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.23 src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.24
--- src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.23	Wed Mar  2 14:52:32 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c	Wed Mar  2 14:58:27 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: remoteconf.c,v 1.23 2011/03/02 14:52:32 vanhu Exp $	*/
+/*	$NetBSD: remoteconf.c,v 1.24 2011/03/02 14:58:27 vanhu Exp $	*/
 
 /* Id: remoteconf.c,v 1.38 2006/05/06 15:52:44 manubsd Exp */
 
@@ -654,6 +654,7 @@
 		racoon_free(rmconf-name);
 	if (rmconf-remote)
 		racoon_free(rmconf-remote);
+	flushspspec(rmconf);
 	racoon_free(rmconf);
 }
 

Index: src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h:1.14 src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h:1.15
--- src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h:1.14	Wed Feb  2 15:21:34 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h	Wed Mar  2 14:58:27 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: remoteconf.h,v 1.14 2011/02/02 15:21:34 vanhu Exp $	*/
+/*	$NetBSD: remoteconf.h,v 1.15 2011/03/02 14:58:27 vanhu Exp $	*/
 
 /* Id: remoteconf.h,v 1.26 2006/05/06 15:52:44 manubsd Exp */
 
@@ -208,6 +208,7 @@
 extern void insrmconf __P((struct remoteconf *));
 extern void remrmconf __P((struct remoteconf *));
 extern void flushrmconf __P((void));
+extern void flushspspec __P((struct remoteconf *));
 extern void initrmconf __P((void));
 extern void rmconf_start_reload __P((void));
 extern void rmconf_finish_reload __P((void));



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-03-02 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Wed Mar  2 15:04:01 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: remoteconf.c rsalist.c
rsalist.h

Log Message:
free rsa structures when deleting a struct rmconf. patch by Roman Hoog Antink 
r...@open.ch


To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.25 \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
cvs rdiff -u -r1.4 -r1.5 src/crypto/dist/ipsec-tools/src/racoon/rsalist.c \
src/crypto/dist/ipsec-tools/src/racoon/rsalist.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.24 src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.25
--- src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.24	Wed Mar  2 14:58:27 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c	Wed Mar  2 15:04:01 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: remoteconf.c,v 1.24 2011/03/02 14:58:27 vanhu Exp $	*/
+/*	$NetBSD: remoteconf.c,v 1.25 2011/03/02 15:04:01 vanhu Exp $	*/
 
 /* Id: remoteconf.c,v 1.38 2006/05/06 15:52:44 manubsd Exp */
 
@@ -78,6 +78,7 @@
 #include isakmp_frag.h
 #include handler.h
 #include genlist.h
+#include rsalist.h
 
 typedef TAILQ_HEAD(_rmtree, remoteconf) remoteconf_tailq_head_t;
 static remoteconf_tailq_head_t rmtree, rmtree_save;
@@ -650,6 +651,10 @@
 		vfree(rmconf-cacert);
 	if (rmconf-cacertfile)
 		racoon_free(rmconf-cacertfile);
+	if (rmconf-rsa_private)
+		genlist_free(rmconf-rsa_private, rsa_key_free);
+	if (rmconf-rsa_public)
+		genlist_free(rmconf-rsa_public, rsa_key_free);
 	if (rmconf-name)
 		racoon_free(rmconf-name);
 	if (rmconf-remote)

Index: src/crypto/dist/ipsec-tools/src/racoon/rsalist.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/rsalist.c:1.4 src/crypto/dist/ipsec-tools/src/racoon/rsalist.c:1.5
--- src/crypto/dist/ipsec-tools/src/racoon/rsalist.c:1.4	Sat Sep  9 16:22:10 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/rsalist.c	Wed Mar  2 15:04:01 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: rsalist.c,v 1.4 2006/09/09 16:22:10 manu Exp $	*/
+/*	$NetBSD: rsalist.c,v 1.5 2011/03/02 15:04:01 vanhu Exp $	*/
 
 /* Id: rsalist.c,v 1.3 2004/11/08 12:04:23 ludvigm Exp */
 
@@ -88,6 +88,23 @@
 	return 0;
 }
 
+void
+rsa_key_free(void *data)
+{
+	struct rsa_key *rsa_key;
+
+	
+	rsa_key = (struct rsa_key *)data;
+	if (rsa_key-src)
+		free(rsa_key-src);
+	if (rsa_key-dst)
+		free(rsa_key-dst);
+	if (rsa_key-rsa)
+		RSA_free(rsa_key-rsa);
+
+	free(rsa_key);
+}
+
 static void *
 rsa_key_dump_one(void *entry, void *arg)
 {
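Review bot: `rsa_key_free` releases `src`, `dst` and the node with plain `free()` while the caller added in remoteconf.c by this same commit, and the rest of racoon, pairs allocations with `racoon_free()`; unless rsa_key_insert (not visible here) uses plain malloc, the allocators do not match. The three `if (x) free(x)` guards are redundant since free(NULL) is a no-op, and `RSA_free` accepts NULL too. A header comment would help, e.g. `/* genlist_free() callback: releases one struct rsa_key, including the RSA object */`, and the two blank lines after the declaration carry trailing whitespace.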
Index: src/crypto/dist/ipsec-tools/src/racoon/rsalist.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/rsalist.h:1.4 src/crypto/dist/ipsec-tools/src/racoon/rsalist.h:1.5
--- src/crypto/dist/ipsec-tools/src/racoon/rsalist.h:1.4	Sat Sep  9 16:22:10 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/rsalist.h	Wed Mar  2 15:04:01 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: rsalist.h,v 1.4 2006/09/09 16:22:10 manu Exp $	*/
+/*	$NetBSD: rsalist.h,v 1.5 2011/03/02 15:04:01 vanhu Exp $	*/
 
 /* Id: rsalist.h,v 1.2 2004/07/12 20:43:51 ludvigm Exp */
 /*
@@ -53,6 +53,7 @@
 };
 
 int rsa_key_insert(struct genlist *list, struct netaddr *src, struct netaddr *dst, RSA *rsa);
+void rsa_key_free(void *data);
 void rsa_key_dump(struct genlist *list);
 
 struct genlist *rsa_lookup_keys(struct ph1handle *iph1, int my);



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-03-02 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Wed Mar  2 15:09:16 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: session.c

Log Message:
flush sainfo list when closing session. patch by Roman Hoog Antink 
r...@open.ch


To generate a diff of this commit:
cvs rdiff -u -r1.31 -r1.32 src/crypto/dist/ipsec-tools/src/racoon/session.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/session.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/session.c:1.31 src/crypto/dist/ipsec-tools/src/racoon/session.c:1.32
--- src/crypto/dist/ipsec-tools/src/racoon/session.c:1.31	Wed Mar  2 14:52:32 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/session.c	Wed Mar  2 15:09:16 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: session.c,v 1.31 2011/03/02 14:52:32 vanhu Exp $	*/
+/*	$NetBSD: session.c,v 1.32 2011/03/02 15:09:16 vanhu Exp $	*/
 
 /*	$KAME: session.c,v 1.32 2003/09/24 02:01:17 jinmei Exp $	*/
 
@@ -344,6 +344,7 @@
 	flushph2();
 	flushph1();
 	flushrmconf();
+	flushsainfo();
 	close_sockets();
 	backupsa_clean();
 



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-03-01 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Tue Mar  1 14:14:50 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y

Log Message:
reset yyerrorcount before doing parse stuff. patch by M E Andersson 
deb...@gisladisker.se


To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.39 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.38 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.39
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.38	Tue Jun 22 09:41:33 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Tue Mar  1 14:14:50 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.38 2010/06/22 09:41:33 vanhu Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.39 2011/03/01 14:14:50 vanhu Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -2617,6 +2617,7 @@
 {
 	int error;
 
+	yyerrorcount = 0;
 	yycf_init_buffer();
 
 	if (yycf_switch_buffer(lcconf-racoon_conf) != 0) {



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-03-01 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Tue Mar  1 14:33:58 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp.c pfkey.c

Log Message:
plog text fixes, patch from M E Andersson deb...@gisladisker.se


To generate a diff of this commit:
cvs rdiff -u -r1.67 -r1.68 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.54 -r1.55 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.67 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.68
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.67	Wed Feb  2 15:21:34 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Tue Mar  1 14:33:58 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.c,v 1.67 2011/02/02 15:21:34 vanhu Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.68 2011/03/01 14:33:58 vanhu Exp $	*/
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
@@ -3422,7 +3422,7 @@
 	dst = iph2-dst;
 
 	plog(LLV_INFO, LOCATION, NULL,
-		 generated policy, deleting it.\n);
+		 deleting a generated policy.\n);
 
 	memset(spidx, 0, sizeof(spidx));
 	iph2-spidx_gen = (caddr_t )spidx;

Index: src/crypto/dist/ipsec-tools/src/racoon/pfkey.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.54 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.55
--- src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.54	Fri Nov 12 10:36:37 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/pfkey.c	Tue Mar  1 14:33:58 2011
@@ -1,6 +1,6 @@
-/*	$NetBSD: pfkey.c,v 1.54 2010/11/12 10:36:37 tteras Exp $	*/
+/*	$NetBSD: pfkey.c,v 1.55 2011/03/01 14:33:58 vanhu Exp $	*/
 
-/* $Id: pfkey.c,v 1.54 2010/11/12 10:36:37 tteras Exp $ */
+/* $Id: pfkey.c,v 1.55 2011/03/01 14:33:58 vanhu Exp $ */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -231,7 +231,7 @@
 		}
 	}
 
-	plog(LLV_DEBUG, LOCATION, NULL, get pfkey %s message\n,
+	plog(LLV_DEBUG, LOCATION, NULL, got pfkey %s message\n,
 		s_pfkey_type(msg-sadb_msg_type));
 	plogdump(LLV_DEBUG2, msg, msg-sadb_msg_len  3);
 
@@ -2344,8 +2344,8 @@
 
 	sp = getsp(spidx);
 	if (sp == NULL) {
-		plog(LLV_ERROR, LOCATION, NULL,
-			such policy does not already exist: \%s\\n,
+		plog(LLV_DEBUG, LOCATION, NULL,
+			this policy did not exist for removal: \%s\\n,
 			spidx2str(spidx));
 	} else {
 		/* preserve hints before deleting the SP */
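Review bot: Lowering the "policy does not exist" message from LLV_ERROR to LLV_DEBUG hides a case an operator would want to see: racoon asked to delete an SP it believes it installed and no such policy was found, which can mean the policy was removed behind its back or that its SP bookkeeping has diverged from the kernel. Rewording the text is fine, but keep the level at LLV_INFO at least, unless this path is known to fire routinely on every rekey — the enclosing function starts outside the hunk so I cannot tell.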
@@ -3611,8 +3611,8 @@
 		break;
 	case IPSECDOI_PROTO_IPCOMP:
 		plog(LLV_DEBUG, LOCATION, NULL,
-			compression algorithm can not be checked 
-			because sadb message doesn't support it.\n);
+			no check of compression algorithm; 
+			not supported in sadb message.\n);
 		return 0;
 	default:
 		plog(LLV_ERROR, LOCATION, NULL,



CVS commit: src/crypto/dist/ipsec-tools/src/libipsec

2011-01-20 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Thu Jan 20 16:08:35 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/libipsec: pfkey.c

Log Message:
fixed a typo, it will now compile when KMADDRESS is defined. reported by Roman 
Hoog Antink (rha (at) open.ch)


To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.21 src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c
diff -u src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c:1.20 src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c:1.21
--- src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c:1.20	Wed Dec  8 01:55:12 2010
+++ src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c	Thu Jan 20 16:08:35 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: pfkey.c,v 1.20 2010/12/08 01:55:12 joerg Exp $	*/
+/*	$NetBSD: pfkey.c,v 1.21 2011/01/20 16:08:35 vanhu Exp $	*/
 
 /*	$KAME: pfkey.c,v 1.47 2003/10/02 19:52:12 itojun Exp $	*/
 
@@ -2282,7 +2282,7 @@
  * `buf' must has been allocated sufficiently.
  */
 static caddr_t
-pfkey_setsadbkmaddr(caddr_t buf, caddr_T lim, struct sockaddr *local,
+pfkey_setsadbkmaddr(caddr_t buf, caddr_t lim, struct sockaddr *local,
 struct sockaddr *remote)
 {
 	struct sadb_x_kmaddress *p;



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2010-10-11 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Mon Oct 11 14:16:31 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: ipsec_doi.c

Log Message:
report a higher encryption key length in approval for OBEY / CLAIM / STRICT 
modes


To generate a diff of this commit:
cvs rdiff -u -r1.44 -r1.45 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.44 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.45
--- src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.44	Sun Jan 17 23:02:48 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c	Mon Oct 11 14:16:30 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_doi.c,v 1.44 2010/01/17 23:02:48 wiz Exp $	*/
+/*	$NetBSD: ipsec_doi.c,v 1.45 2010/10/11 14:16:30 vanhu Exp $	*/
 
 /* Id: ipsec_doi.c,v 1.55 2006/08/17 09:20:41 vanhu Exp */
 
@@ -370,12 +370,16 @@
 	case PROP_CHECK_OBEY:
 		sa-lifetime = pctx-sa-lifetime;
 		sa-lifebyte = pctx-sa-lifebyte;
+		sa-encklen = pctx-sa-encklen;
 		break;
 	case PROP_CHECK_CLAIM:
+	case PROP_CHECK_STRICT:
 		if (pctx-sa-lifetime  sa-lifetime)
 			sa-lifetime = pctx-sa-lifetime;
 		if (pctx-sa-lifebyte  sa-lifebyte)
 			sa-lifebyte = pctx-sa-lifebyte;
+		if (pctx-sa-encklen  sa-encklen)
+			sa-encklen = pctx-sa-encklen;
 		break;
 	default:
 		break;
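Review bot: In the PROP_CHECK_OBEY case the peer's `encklen` is copied unconditionally, so an absent key-length attribute (which would presumably leave `pctx->sa->encklen` at zero, depending on how the parser initialises it) overwrites the configured length with 0; guard it the way the lifetime fields are effectively guarded in the CLAIM/STRICT branch, `if (pctx->sa->encklen) sa->encklen = pctx->sa->encklen;`. For PROP_CHECK_STRICT, adopting a larger key length than configured is a deliberate loosening of "strict" and deserves a comment, since the approved SA will then differ from racoon.conf. Neither branch checks the resulting length against what the algorithm supports; that check may live elsewhere, but the function begins outside this hunk so I cannot confirm it.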



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2010-09-27 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Mon Sep 27 11:57:59 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_xauth.c

Log Message:
fixed some typos in logs (reported by fazaeli (at) sepehrs.com)


To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.21 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.20 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.21
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.20	Mon Apr 20 13:23:55 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Mon Sep 27 11:57:59 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.20 2009/04/20 13:23:55 tteras Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.21 2010/09/27 11:57:59 vanhu Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -507,7 +507,7 @@
 		if (!auth_added) {
 			if (rad_config(radius_auth_state, NULL) != 0) {
 plog(LLV_ERROR, LOCATION, NULL, 
-Cannot open librarius config file: %s\n, 
+Cannot open libradius config file: %s\n, 
 rad_strerror(radius_auth_state));
 rad_close(radius_auth_state);
 radius_auth_state = NULL;
@@ -547,7 +547,7 @@
 		if (!acct_added) {
 			if (rad_config(radius_acct_state, NULL) != 0) {
 plog(LLV_ERROR, LOCATION, NULL, 
-Cannot open librarius config file: %s\n, 
+Cannot open libradius config file: %s\n, 
 rad_strerror(radius_acct_state));
 rad_close(radius_acct_state);
 radius_acct_state = NULL;



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2010-09-24 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Fri Sep 24 15:09:29 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cftoken.l

Log Message:
fixed a fd leak, patch by getlaser (at) gmail.com


To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.22 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
diff -u src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.21 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.22
--- src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.21	Tue Jun 22 09:41:33 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/cftoken.l	Fri Sep 24 15:09:29 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: cftoken.l,v 1.21 2010/06/22 09:41:33 vanhu Exp $	*/
+/*	$NetBSD: cftoken.l,v 1.22 2010/09/24 15:09:29 vanhu Exp $	*/
 
 /* Id: cftoken.l,v 1.53 2006/08/22 18:17:17 manubsd Exp */
 
@@ -638,6 +638,10 @@
 
 EOF		{
 			yy_delete_buffer(YY_CURRENT_BUFFER);
+			fclose (incstack[incstackp].fp);
+			incstack[incstackp].fp = NULL;
+			racoon_free(incstack[incstackp].path);
+			incstack[incstackp].path = NULL;
 			incstackp--;
 nextfile:
 			if (incstack[incstackp].matchon 
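Review bot: The EOF rule now closes `incstack[incstackp].fp` and frees `.path` with `racoon_free`, which is right only if the include push (outside this hunk) opened the file with fopen and allocated the path with the allocator that pairs with racoon_free rather than plain strdup; please confirm. The rule also presumably never runs with `incstackp == 0`, or the following decrement would go negative and the top-level configuration file would be closed here; a comment such as `/* only reached for included files; the top-level file is closed by the caller */` would record that invariant.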



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2010-09-22 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Wed Sep 22 07:34:51 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: nattraversal.h

Log Message:
fixed a typo in macros, reported by marisp (at) mt.lv


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 \
src/crypto/dist/ipsec-tools/src/racoon/nattraversal.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/nattraversal.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/nattraversal.h:1.6 src/crypto/dist/ipsec-tools/src/racoon/nattraversal.h:1.7
--- src/crypto/dist/ipsec-tools/src/racoon/nattraversal.h:1.6	Sat Sep  9 16:22:09 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/nattraversal.h	Wed Sep 22 07:34:51 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: nattraversal.h,v 1.6 2006/09/09 16:22:09 manu Exp $	*/
+/*	$NetBSD: nattraversal.h,v 1.7 2010/09/22 07:34:51 vanhu Exp $	*/
 
 /*
  * Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
@@ -42,12 +42,12 @@
 #define	NAT_KA_QUEUED		(1L4)
 #define	NAT_ADD_NON_ESP_MARKER	(1L5)
 
-#define	NATT_AVAILABLE(ph1)	((iph1)-natt_flags  NAT_ANNOUNCED)
+#define	NATT_AVAILABLE(_ph1)	((_ph1)-natt_flags  NAT_ANNOUNCED)
 
 #define	NAT_DETECTED	(NAT_DETECTED_ME | NAT_DETECTED_PEER)
 
 #define	NON_ESP_MARKER_LEN	sizeof(u_int32_t)
-#define	NON_ESP_MARKER_USE(iph1)	((iph1)-natt_flags  NAT_ADD_NON_ESP_MARKER)
+#define	NON_ESP_MARKER_USE(_ph1)	((_ph1)-natt_flags  NAT_ADD_NON_ESP_MARKER)
 
 /* These are the values from parsing remote {} 
block of the config file. */



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2010-09-22 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Wed Sep 22 13:37:35 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: admin.c

Log Message:
get the correct length of username when processing ADMIN_LOGOUT_USER, patch by 
rweikusat (at) mssgmbh.com


To generate a diff of this commit:
cvs rdiff -u -r1.32 -r1.33 src/crypto/dist/ipsec-tools/src/racoon/admin.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/admin.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.32 src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.33
--- src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.32	Thu Sep  3 09:29:07 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/admin.c	Wed Sep 22 13:37:35 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: admin.c,v 1.32 2009/09/03 09:29:07 tteras Exp $	*/
+/*	$NetBSD: admin.c,v 1.33 2010/09/22 13:37:35 vanhu Exp $	*/
 
 /* Id: admin.c,v 1.25 2006/04/06 14:31:04 manubsd Exp */
 
@@ -329,7 +329,7 @@
 	case ADMIN_LOGOUT_USER: {
 		struct ph1handle *iph1;
 		char user[LOGINLEN+1];
-		int found = 0, len = com-ac_len - sizeof(com);
+		int found = 0, len = com-ac_len - sizeof(*com);
 
 		if (len  LOGINLEN) {
 			plog(LLV_ERROR, LOCATION, NULL,
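Review bot: `len = com->ac_len - sizeof(*com)` now uses the right size, but the subtraction is done in size_t and stored in an `int`, so a message whose `ac_len` is smaller than the header produces a huge unsigned value that becomes a negative `len`; the following `len > LOGINLEN` check does not reject a negative value, and whatever later copies `len` bytes into `user[LOGINLEN+1]` (outside the hunk) would be handed a bogus length. Check `if (com->ac_len < sizeof(*com))` before computing `len` and reject on the same error path the existing length check uses. The admin socket is local and privileged, but this is still a length read from a socket; the enclosing switch case continues past the hunk.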



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2010-09-08 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Wed Sep  8 12:18:35 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: remoteconf.c

Log Message:
fixed remoteconf selection when no ID specified in configuration, and added 
some debug to remoteconf selection


To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.21 \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.20 src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.21
--- src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.20	Thu Aug 26 13:31:55 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c	Wed Sep  8 12:18:35 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: remoteconf.c,v 1.20 2010/08/26 13:31:55 vanhu Exp $	*/
+/*	$NetBSD: remoteconf.c,v 1.21 2010/09/08 12:18:35 vanhu Exp $	*/
 
 /* Id: remoteconf.c,v 1.38 2006/05/06 15:52:44 manubsd Exp */
 
@@ -106,11 +106,13 @@
 		return 0;
 
 	for (id = genlist_next(rmconf-idvl_p, gpb); id; id = genlist_next(0, gpb)) {
+		/* No ID specified in configuration, so it is ok */
+		if (id-id == 0)
+			return 0;
+
 		/* check the type of both IDs */
 		if (id-idtype != doi2idtype(id_b-type))
 			continue;  /* ID type mismatch */
-		if (id-id == 0)
-			return 0;
 
 		/* compare defined ID with the ID sent by peer. */
 		switch (id-idtype) {
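Review bot: Moving the `id->id == 0` test ahead of the type comparison changes the matching semantics, not only the reported bug: previously an entry with no ID value matched only a peer ID of the configured type, now it matches any peer ID of any type, so a remote block meant to accept, say, FQDN identities without pinning a value will also accept address or keyid identities. If "no ID specified = match everything" is the intent, the comment should say so explicitly and the racoon.conf.5 description of identifier matching should agree; if not, the early return belongs after the type check. The enclosing function starts outside the hunk.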
@@ -197,23 +199,32 @@
 	struct rmconfselector *rmsel;
 	struct remoteconf *rmconf;
 {
-	int ret = MATCH_NONE;
+	int ret = MATCH_NONE, tmp;
 
 	/* No match at all: unwanted anonymous */
 	if ((rmsel-flags  GETRMCONF_F_NO_ANONYMOUS) 
-	rmconf-remote-sa_family == AF_UNSPEC)
+	rmconf-remote-sa_family == AF_UNSPEC){
+		plog(LLV_DEBUG2, LOCATION, rmsel-remote,
+		 Not matched: Anonymous conf.\n);
 		return MATCH_NONE;
+	}
 
-	if ((rmsel-flags  GETRMCONF_F_NO_PASSIVE)  rmconf-passive)
+	if ((rmsel-flags  GETRMCONF_F_NO_PASSIVE)  rmconf-passive){
+		plog(LLV_DEBUG2, LOCATION, rmsel-remote,
+		 Not matched: passive conf.\n);
 		return MATCH_NONE;
+	}
 
 	ret |= MATCH_BASIC;
 
 	/* Check address */
 	if (rmsel-remote != NULL) {
 		if (rmconf-remote-sa_family != AF_UNSPEC) {
-			if (cmpsaddr(rmsel-remote, rmconf-remote) == CMPSADDR_MISMATCH)
+			if (cmpsaddr(rmsel-remote, rmconf-remote) == CMPSADDR_MISMATCH){
+plog(LLV_DEBUG2, LOCATION, rmsel-remote,
+ Not matched: address mismatch.\n);
 return MATCH_NONE;
+			}
 
 			/* Address matched */
 			ret |= MATCH_ADDRESS;
@@ -222,24 +233,34 @@
 
 	/* Check etype and approval */
 	if (rmsel-etype != ISAKMP_ETYPE_NONE) {
-		if (rmconf_match_etype_and_approval(rmconf, rmsel-etype,
-		rmsel-approval) != 0)
+		tmp=rmconf_match_etype_and_approval(rmconf, rmsel-etype,
+		rmsel-approval);
+		if (tmp != 0){
+			plog(LLV_DEBUG2, LOCATION, rmsel-remote,
+			 Not matched: etype (%d)/approval mismatch (%d).\n, rmsel-etype, tmp);
 			return MATCH_NONE;
+		}
 		ret |= MATCH_SA;
 	}
 
 	/* Check identity */
 	if (rmsel-identity != NULL  rmconf-verify_identifier) {
-		if (rmconf_match_identity(rmconf, rmsel-identity) != 0)
+		if (rmconf_match_identity(rmconf, rmsel-identity) != 0){
+			plog(LLV_DEBUG2, LOCATION, rmsel-remote,
+			 Not matched: identity mismatch.\n);
 			return MATCH_NONE;
+		}
 		ret |= MATCH_IDENTITY;
 	}
 
 	/* Check certificate request */
 	if (rmsel-certificate_request != NULL) {
 		if (oakley_get_certtype(rmsel-certificate_request) !=
-		oakley_get_certtype(rmconf-mycert))
+		oakley_get_certtype(rmconf-mycert)){
+			plog(LLV_DEBUG2, LOCATION, rmsel-remote,
+			 Not matched: cert type mismatch.\n);
 			return MATCH_NONE;
+		}
 
 		if (rmsel-certificate_request-l  1) {
 			vchar_t *issuer;
@@ -249,12 +270,17 @@
 			memcmp(rmsel-certificate_request-v + 1,
    issuer-v, issuer-l) != 0) {
 vfree(issuer);
+plog(LLV_DEBUG2, LOCATION, rmsel-remote,
+ Not matched: cert issuer mismatch.\n);
 return MATCH_NONE;
 			}
 			vfree(issuer);
 		} else {
-			if (!rmconf-match_empty_cr)
+			if (!rmconf-match_empty_cr){
+plog(LLV_DEBUG2, LOCATION, rmsel-remote,
+ Not matched: empty certificate request.\n);
 return MATCH_NONE;
+			}
 		}
 
 		ret |= MATCH_AUTH_IDENTITY;
@@ -286,9 +312,17 @@
 	int ret = 0;
 
 	RACOON_TAILQ_FOREACH_REVERSE(p, rmtree, _rmtree, chain) {
+		plog(LLV_DEBUG2, LOCATION, rmsel-remote,
+		 Checking remote conf \%s\ %s.\n, p-name,
+		 p-remote-sa_family == AF_UNSPEC ?
+		 anonymous : saddr2str(p-remote));
+
 		if (rmsel != NULL) {
-			if (rmconf_match_type(rmsel, p) == MATCH_NONE)
+			if (rmconf_match_type(rmsel, p) == MATCH_NONE){
+plog(LLV_DEBUG2, LOCATION, rmsel-remote,
+ Not matched.\n);
 continue;
+			}
 		}
 
 		plog(LLV_DEBUG2, LOCATION, NULL,
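Review bot: The new debug plog evaluates `saddr2str(p->remote)` for every candidate on every lookup regardless of whether LLV_DEBUG2 is enabled, since the argument is built before plog can check the level, and this loop runs on every rmconf lookup. If saddr2str is non-trivial or returns a static buffer, guard the call with a log-level check or drop the address from this line and rely on the per-check messages, which already pass `rmsel->remote`. Also, `p->name` is handed to `%s`; the `if (rmconf->name)` guard in delrmconf elsewhere in this digest suggests it can be NULL, so either confirm it is always set for a live entry or print a placeholder when it is not.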
@@ -740,6 +774,8 @@
 	for (e = rmconf-etypes; e != NULL; e = 

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2010-08-04 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Wed Aug  4 09:16:58 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_cfg.c

Log Message:
fixed answer for IP4_SUBNET request


To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.22 src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.23
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.22	Fri Jul  3 06:41:46 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c	Wed Aug  4 09:16:58 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_cfg.c,v 1.22 2009/07/03 06:41:46 tteras Exp $	*/
+/*	$NetBSD: isakmp_cfg.c,v 1.23 2010/08/04 09:16:58 vanhu Exp $	*/
 
 /* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */
 
@@ -114,6 +114,8 @@
 #endif
 static vchar_t *isakmp_cfg_addr4(struct ph1handle *, 
  struct isakmp_data *, in_addr_t *);
+static vchar_t *isakmp_cfg_addrnet4(struct ph1handle *, 
+ struct isakmp_data *, in_addr_t *, in_addr_t *);
 static void isakmp_cfg_getaddr4(struct isakmp_data *, struct in_addr *);
 static vchar_t *isakmp_cfg_addr4_list(struct ph1handle *,
   struct isakmp_data *, in_addr_t *, int);
@@ -901,8 +903,15 @@
 		break;
 
 	case INTERNAL_IP4_SUBNET:
-		return isakmp_cfg_addr4(iph1, 
-		attr, isakmp_cfg_config.network4);
+		if(isakmp_cfg_config.splitnet_count  0){
+			return isakmp_cfg_addrnet4(iph1, attr,
+		isakmp_cfg_config.splitnet_list-network.addr4.s_addr,
+		isakmp_cfg_config.splitnet_list-network.mask4.s_addr);
+		}else{
+			plog(LLV_INFO, LOCATION, NULL,
+			 %s requested but no splitnet in configuration\n,
+			 s_isakmp_cfg_type(type));
+		}
 		break;
 
 	default:
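Review bot: Only the head entry of `splitnet_list` is answered; if `splitnet_count` can exceed one (a counter suggests it can), every further configured split network is silently left out of the INTERNAL_IP4_SUBNET reply and nothing is logged about it. At minimum add `/* XXX only the first configured split network is returned */` above the isakmp_cfg_addrnet4() call, or build the attribute from all entries, analogous to isakmp_cfg_addr4_list() whose prototype appears earlier in this file. The identical hunk in the 0.7-branch copy of isakmp_cfg.c (`@@ -901,8 +903,15 @@` there) has the same limitation.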
@@ -1042,6 +1051,36 @@
 }
 
 static vchar_t *
+isakmp_cfg_addrnet4(iph1, attr, addr, mask)
+	struct ph1handle *iph1;
+	struct isakmp_data *attr;
+	in_addr_t *addr;
+	in_addr_t *mask;
+{
+	vchar_t *buffer;
+	struct isakmp_data *new;
+	size_t len;
+	in_addr_t netbuff[2];
+
+	len = sizeof(netbuff);
+	if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) {
+		plog(LLV_ERROR, LOCATION, NULL, Cannot allocate memory\n);
+		return NULL;
+	}
+
+	new = (struct isakmp_data *)buffer-v;
+
+	new-type = attr-type;
+	new-lorv = htons(len);
+	netbuff[0]=*addr;
+	netbuff[1]=*mask;
+	memcpy(new + 1, netbuff, len);
+	
+	return buffer;
+}
+
+
+static vchar_t *
 isakmp_cfg_addr4_list(iph1, attr, addr, nbr)
 	struct ph1handle *iph1;
 	struct isakmp_data *attr;



CVS commit: [ipsec-tools-0_7-branch] src/crypto/dist/ipsec-tools/src/racoon

2010-08-04 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Wed Aug  4 09:23:53 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_7-branch]:
isakmp_cfg.c

Log Message:
fixed answer for IP4_SUBNET request


To generate a diff of this commit:
cvs rdiff -u -r1.12.6.4 -r1.12.6.5 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.12.6.4 src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.12.6.5
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.12.6.4	Thu Nov 27 15:25:20 2008
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c	Wed Aug  4 09:23:53 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_cfg.c,v 1.12.6.4 2008/11/27 15:25:20 vanhu Exp $	*/
+/*	$NetBSD: isakmp_cfg.c,v 1.12.6.5 2010/08/04 09:23:53 vanhu Exp $	*/
 
 /* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */
 
@@ -114,6 +114,8 @@
 #endif
 static vchar_t *isakmp_cfg_addr4(struct ph1handle *, 
  struct isakmp_data *, in_addr_t *);
+static vchar_t *isakmp_cfg_addrnet4(struct ph1handle *, 
+ struct isakmp_data *, in_addr_t *, in_addr_t *);
 static void isakmp_cfg_getaddr4(struct isakmp_data *, struct in_addr *);
 static vchar_t *isakmp_cfg_addr4_list(struct ph1handle *,
   struct isakmp_data *, in_addr_t *, int);
@@ -901,8 +903,15 @@
 		break;
 
 	case INTERNAL_IP4_SUBNET:
-		return isakmp_cfg_addr4(iph1, 
-		attr, isakmp_cfg_config.network4);
+		if(isakmp_cfg_config.splitnet_count  0){
+			return isakmp_cfg_addrnet4(iph1, attr,
+		isakmp_cfg_config.splitnet_list-network.addr4.s_addr,
+		isakmp_cfg_config.splitnet_list-network.mask4.s_addr);
+		}else{
+			plog(LLV_INFO, LOCATION, NULL,
+			 %s requested but no splitnet in configuration\n,
+			 s_isakmp_cfg_type(type));
+		}
 		break;
 
 	default:
@@ -1042,6 +1051,36 @@
 }
 
 static vchar_t *
+isakmp_cfg_addrnet4(iph1, attr, addr, mask)
+	struct ph1handle *iph1;
+	struct isakmp_data *attr;
+	in_addr_t *addr;
+	in_addr_t *mask;
+{
+	vchar_t *buffer;
+	struct isakmp_data *new;
+	size_t len;
+	in_addr_t netbuff[2];
+
+	len = sizeof(netbuff);
+	if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) {
+		plog(LLV_ERROR, LOCATION, NULL, Cannot allocate memory\n);
+		return NULL;
+	}
+
+	new = (struct isakmp_data *)buffer-v;
+
+	new-type = attr-type;
+	new-lorv = htons(len);
+	netbuff[0]=*addr;
+	netbuff[1]=*mask;
+	memcpy(new + 1, netbuff, len);
+	
+	return buffer;
+}
+
+
+static vchar_t *
 isakmp_cfg_addr4_list(iph1, attr, addr, nbr)
 	struct ph1handle *iph1;
 	struct isakmp_data *attr;



CVS commit: src/crypto/dist/ipsec-tools/src/racoon/doc

2010-07-30 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Fri Jul 30 14:50:48 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon/doc: FAQ

Log Message:
updated link to NetBSD's documentation


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 src/crypto/dist/ipsec-tools/src/racoon/doc/FAQ

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/doc/FAQ
diff -u src/crypto/dist/ipsec-tools/src/racoon/doc/FAQ:1.2 src/crypto/dist/ipsec-tools/src/racoon/doc/FAQ:1.3
--- src/crypto/dist/ipsec-tools/src/racoon/doc/FAQ:1.2	Fri Mar  5 06:47:58 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/doc/FAQ	Fri Jul 30 14:50:47 2010
@@ -109,6 +109,6 @@
 Q: Other documents to look at?
 
 A:
-	http://www.netbsd.org/Documentation/network/ipsec/
+	http://www.NetBSD.org/docs/network/ipsec/
 	http://www.kame.net/
 	http://www.kame.net/newsletter/



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2010-06-22 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Tue Jun 22 09:41:34 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y cftoken.l isakmp.c
isakmp_inf.c racoon.conf.5 remoteconf.c remoteconf.h

Log Message:
added a specific script hook when a dead peer is detected


To generate a diff of this commit:
cvs rdiff -u -r1.37 -r1.38 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
cvs rdiff -u -r1.20 -r1.21 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
cvs rdiff -u -r1.60 -r1.61 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.41 -r1.42 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
cvs rdiff -u -r1.59 -r1.60 \
src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
cvs rdiff -u -r1.18 -r1.19 \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
cvs rdiff -u -r1.11 -r1.12 \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.37 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.38
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.37	Thu Mar 12 10:57:26 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Tue Jun 22 09:41:33 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.37 2009/03/12 10:57:26 tteras Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.38 2010/06/22 09:41:33 vanhu Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -237,7 +237,7 @@
 %token PREFIX PORT PORTANY UL_PROTO ANY IKE_FRAG ESP_FRAG MODE_CFG
 %token PFS_GROUP LIFETIME LIFETYPE_TIME LIFETYPE_BYTE STRENGTH REMOTEID
 
-%token SCRIPT PHASE1_UP PHASE1_DOWN
+%token SCRIPT PHASE1_UP PHASE1_DOWN PHASE1_DEAD
 
 %token NUMBER SWITCH BOOLEAN
 %token HEXSTRING QUOTEDSTRING ADDRSTRING ADDRRANGE
@@ -2010,6 +2010,13 @@
 			cur_rmconf-script[SCRIPT_PHASE1_DOWN] = 
 			script_path_add(vdup($2));
 		} EOS
+	|	SCRIPT QUOTEDSTRING PHASE1_DEAD { 
+			if (cur_rmconf-script[SCRIPT_PHASE1_DEAD] != NULL)
+vfree(cur_rmconf-script[SCRIPT_PHASE1_DEAD]);
+
+			cur_rmconf-script[SCRIPT_PHASE1_DEAD] = 
+			script_path_add(vdup($2));
+		} EOS
 	|	MODE_CFG SWITCH { cur_rmconf-mode_cfg = $2; } EOS
 	|	WEAK_PHASE1_CHECK SWITCH {
 			cur_rmconf-weak_phase1_check = $2;

Index: src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
diff -u src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.20 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.21
--- src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.20	Thu Mar 12 10:57:26 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/cftoken.l	Tue Jun 22 09:41:33 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: cftoken.l,v 1.20 2009/03/12 10:57:26 tteras Exp $	*/
+/*	$NetBSD: cftoken.l,v 1.21 2010/06/22 09:41:33 vanhu Exp $	*/
 
 /* Id: cftoken.l,v 1.53 2006/08/22 18:17:17 manubsd Exp */
 
@@ -365,6 +365,7 @@
 S_RMTSscript		{ YYD; return(SCRIPT); }
 S_RMTSphase1_up	{ YYD; return(PHASE1_UP); }
 S_RMTSphase1_down	{ YYD; return(PHASE1_DOWN); }
+S_RMTSphase1_dead	{ YYD; return(PHASE1_DEAD); }
 S_RMTSmode_cfg	{ YYD; return(MODE_CFG); }
 S_RMTSweak_phase1_check { YYD; return(WEAK_PHASE1_CHECK); }
 S_RMTSrekey		{ YYD; return(REKEY); }

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.60 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.61
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.60	Thu Sep  3 09:29:07 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Tue Jun 22 09:41:33 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.c,v 1.60 2009/09/03 09:29:07 tteras Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.61 2010/06/22 09:41:33 vanhu Exp $	*/
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
@@ -1839,6 +1839,8 @@
 		plog(LLV_ERROR, LOCATION, NULL,
 			phase1 negotiation failed due to time up. %s\n,
 			isakmp_pindex(iph1-index, iph1-msgid));
+		/* XXX is the peer really dead here ??? */
+		script_hook(iph1, SCRIPT_PHASE1_DEAD);
 		evt_phase1(iph1, EVT_PHASE1_NO_RESPONSE, NULL);
 
 		return -1;
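Review bot: The hook is placed on the phase-1 retransmit-timeout path, which the surrounding message describes as a negotiation that failed "due to time up" and which raises EVT_PHASE1_NO_RESPONSE, so a configured phase1_dead script will also run for a peer that never answered an initial exchange, not only for a DPD-detected death (the isakmp_inf.c hunk). The XXX comment records that doubt without resolving it; either replace it with `/* phase1_dead also fires on initial-negotiation timeout, not only on DPD */` and state the same in racoon.conf.5, or restrict the hook to the DPD path. The enclosing function begins and ends outside the hunk.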

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.41 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.42
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.41	Fri Jul  3 06:41:46 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Tue Jun 22 09:41:33 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.c,v 1.41 2009/07/03 06:41:46 tteras Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.42 2010/06/22 09:41:33 vanhu Exp $	*/
 
 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
 
@@ -1506,6 +1506,7 @@
 			DPD: remote (ISAKMP-SA spi=%s) seems to be dead.\n,
 			isakmp_pindex(iph1-index, 0));
 
+		script_hook(iph1, SCRIPT_PHASE1_DEAD);
 		evt_phase1(iph1, EVT_PHASE1_DPD_TIMEOUT, NULL);
 		purge_remote(iph1);
 

Index: 

CVS commit: src/crypto/dist/ipsec-tools/src/setkey

2010-06-04 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Fri Jun  4 13:06:03 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/setkey: parse.y setkey.8 token.l

Log Message:
Added support for spdupdate command in setkey


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 src/crypto/dist/ipsec-tools/src/setkey/parse.y
cvs rdiff -u -r1.23 -r1.24 src/crypto/dist/ipsec-tools/src/setkey/setkey.8
cvs rdiff -u -r1.14 -r1.15 src/crypto/dist/ipsec-tools/src/setkey/token.l

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/setkey/parse.y
diff -u src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.12 src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.13
--- src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.12	Fri Mar  6 11:45:03 2009
+++ src/crypto/dist/ipsec-tools/src/setkey/parse.y	Fri Jun  4 13:06:03 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: parse.y,v 1.12 2009/03/06 11:45:03 tteras Exp $	*/
+/*	$NetBSD: parse.y,v 1.13 2010/06/04 13:06:03 vanhu Exp $	*/
 
 /*	$KAME: parse.y,v 1.81 2003/07/01 04:01:48 itojun Exp $	*/
 
@@ -131,7 +131,7 @@
 %token F_LIFEBYTE_HARD F_LIFEBYTE_SOFT
 %token DECSTRING QUOTEDSTRING HEXSTRING STRING ANY
 	/* SPD management */
-%token SPDADD SPDDELETE SPDDUMP SPDFLUSH
+%token SPDADD SPDUPDATE SPDDELETE SPDDUMP SPDFLUSH
 %token F_POLICY PL_REQUESTS
 %token F_AIFLAGS
 %token TAGGED
@@ -170,6 +170,7 @@
 	|	dump_command
 	|	exit_command
 	|	spdadd_command
+	|	spdupdate_command
 	|	spddelete_command
 	|	spddump_command
 	|	spdflush_command
@@ -572,6 +573,7 @@
 	/* definition about command for SPD management */
 	/* spdadd */
 spdadd_command
+	/* XXX merge with spdupdate ??? */
 	:	SPDADD ipaddropts STRING prefix portstr STRING prefix portstr upper_spec upper_misc_spec context_spec policy_spec EOT
 		{
 			int status;
@@ -624,6 +626,60 @@
 		}
 	;
 
+spdupdate_command
+	/* XXX merge with spdadd ??? */
+	:	SPDUPDATE ipaddropts STRING prefix portstr STRING prefix portstr upper_spec upper_misc_spec context_spec policy_spec EOT
+		{
+			int status;
+			struct addrinfo *src, *dst;
+
+#ifdef HAVE_PFKEY_POLICY_PRIORITY
+			last_msg_type = SADB_X_SPDUPDATE;
+#endif
+
+			/* fixed port fields if ulp is icmp */
+			if ($10.buf != NULL) {
+if (($9 != IPPROTO_ICMPV6) 
+	($9 != IPPROTO_ICMP) 
+	($9 != IPPROTO_MH))
+	return -1;
+free($5.buf);
+free($8.buf);
+if (fix_portstr($10, $5, $8))
+	return -1;
+			}
+
+			src = parse_addr($3.buf, $5.buf);
+			dst = parse_addr($6.buf, $8.buf);
+			if (!src || !dst) {
+/* yyerror is already called */
+return -1;
+			}
+			if (src-ai_next || dst-ai_next) {
+yyerror(multiple address specified);
+freeaddrinfo(src);
+freeaddrinfo(dst);
+return -1;
+			}
+
+			status = setkeymsg_spdaddr(SADB_X_SPDUPDATE, $9, $12,
+			src, $4, dst, $7);
+			freeaddrinfo(src);
+			freeaddrinfo(dst);
+			if (status  0)
+return -1;
+		}
+	|	SPDUPDATE TAGGED QUOTEDSTRING policy_spec EOT
+		{
+			int status;
+
+			status = setkeymsg_spdaddr_tag(SADB_X_SPDUPDATE,
+			$3.buf, $4);
+			if (status  0)
+return -1;
+		}
+	;
+
 spddelete_command
 	:	SPDDELETE ipaddropts STRING prefix portstr STRING prefix portstr upper_spec upper_misc_spec context_spec policy_spec EOT
 		{
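Review bot: spdupdate_command is a verbatim copy of spdadd_command's two alternatives with only the SADB message type changed, which the two `XXX merge` comments (this hunk and the one at `@@ -572,6 +573,7 @@`) already admit; any later fix to the port fix-up or address handling now has to be made twice. A nonterminal yielding the message type removes the duplication: both rules collapse into one whose actions use `$1` where they now hard-code SADB_X_SPDUPDATE / SADB_X_SPDADD, including the `last_msg_type` assignment under HAVE_PFKEY_POLICY_PRIORITY. The nonterminal needs a `%type` declaration matching whatever integer semantic-value member this grammar already uses, which is outside the hunk.

```yacc
spd_cmd
	:	SPDADD		{ $$ = SADB_X_SPDADD; }
	|	SPDUPDATE	{ $$ = SADB_X_SPDUPDATE; }
	;

spdadd_command
	:	spd_cmd ipaddropts STRING prefix portstr STRING prefix portstr upper_spec upper_misc_spec context_spec policy_spec EOT
		{
			/* … unchanged: last_msg_type (now = $1), port fix-up, parse_addr … */
			status = setkeymsg_spdaddr($1, $9, $12,
			    src, $4, dst, $7);
			/* … unchanged: freeaddrinfo and status check … */
		}
	|	spd_cmd TAGGED QUOTEDSTRING policy_spec EOT
		{
			/* … unchanged … */
			status = setkeymsg_spdaddr_tag($1, $3.buf, $4);
			/* … unchanged … */
		}
	;
```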

Index: src/crypto/dist/ipsec-tools/src/setkey/setkey.8
diff -u src/crypto/dist/ipsec-tools/src/setkey/setkey.8:1.23 src/crypto/dist/ipsec-tools/src/setkey/setkey.8:1.24
--- src/crypto/dist/ipsec-tools/src/setkey/setkey.8:1.23	Fri Mar  5 06:47:58 2010
+++ src/crypto/dist/ipsec-tools/src/setkey/setkey.8	Fri Jun  4 13:06:03 2010
@@ -1,4 +1,4 @@
-.\	$NetBSD: setkey.8,v 1.23 2010/03/05 06:47:58 tteras Exp $
+.\	$NetBSD: setkey.8,v 1.24 2010/06/04 13:06:03 vanhu Exp $
 .\
 .\ Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
 .\ All rights reserved.
@@ -195,6 +195,15 @@
 .Ar tag
 must be a string surrounded by double quotes.
 .\
+.It Li spdupdate Oo Fl 46n Oc Ar src_range Ar dst_range Ar upperspec \
+Ar label Ar policy Li ;
+Updates an SPD entry.
+.\
+.It Li spdupdate tagged Ar tag Ar policy Li ;
+Update an SPD entry based on a PF tag.
+.Ar tag
+must be a string surrounded by double quotes.
+.\
 .It Li spddelete Oo Fl 46n Oc Ar src_range Ar dst_range Ar upperspec \
 Fl P Ar direction Li ;
 Delete an SPD entry.

Index: src/crypto/dist/ipsec-tools/src/setkey/token.l
diff -u src/crypto/dist/ipsec-tools/src/setkey/token.l:1.14 src/crypto/dist/ipsec-tools/src/setkey/token.l:1.15
--- src/crypto/dist/ipsec-tools/src/setkey/token.l:1.14	Thu Oct 29 14:34:27 2009
+++ src/crypto/dist/ipsec-tools/src/setkey/token.l	Fri Jun  4 13:06:03 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: token.l,v 1.14 2009/10/29 14:34:27 christos Exp $	*/
+/*	$NetBSD: token.l,v 1.15 2010/06/04 13:06:03 vanhu Exp $	*/
 
 /*	$KAME: token.l,v 1.44 2003/10/21 07:20:58 itojun Exp $	*/
 
@@ -127,6 +127,7 @@
 
 	/* for management SPD */
 spdadd		{ return(SPDADD); }
+spdupdate	{ 

CVS commit: src/crypto/dist/ipsec-tools/src/libipsec

2010-04-07 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Wed Apr  7 14:53:52 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/libipsec: ipsec_strerror.c

Log Message:
by Eric Preston: fixed a typo


To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 \
src/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.c
diff -u src/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.c:1.5 src/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.c:1.6
--- src/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.c:1.5	Wed Jul 18 12:07:50 2007
+++ src/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.c	Wed Apr  7 14:53:52 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_strerror.c,v 1.5 2007/07/18 12:07:50 vanhu Exp $	*/
+/*	$NetBSD: ipsec_strerror.c,v 1.6 2010/04/07 14:53:52 vanhu Exp $	*/
 
 /*	$KAME: ipsec_strerror.c,v 1.7 2000/07/30 00:45:12 itojun Exp $	*/
 
@@ -63,7 +63,7 @@
 Invalid key length,/*EIPSEC_INVAL_KEYLEN*/
 Invalid address family,			/*EIPSEC_INVAL_FAMILY*/
 Invalid prefix length,			/*EIPSEC_INVAL_PREFIXLEN*/
-Invalid direciton,/*EIPSEC_INVAL_DIR*/
+Invalid direction,/*EIPSEC_INVAL_DIR*/
 SPI range violation,/*EIPSEC_INVAL_SPI*/
 No protocol specified,			/*EIPSEC_NO_PROTO*/
 No algorithm specified,			/*EIPSEC_NO_ALGS*/



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2009-08-19 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Wed Aug 19 13:54:07 UTC 2009

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: remoteconf.c

Log Message:
fixed address check in rmconf_match_type(), just check address with wildcard 
port


To generate a diff of this commit:
cvs rdiff -u -r1.16 -r1.17 \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.16 src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.17
--- src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.16	Wed Aug 19 12:20:02 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c	Wed Aug 19 13:54:07 2009
@@ -1,4 +1,4 @@
-/*	$NetBSD: remoteconf.c,v 1.16 2009/08/19 12:20:02 tteras Exp $	*/
+/*	$NetBSD: remoteconf.c,v 1.17 2009/08/19 13:54:07 vanhu Exp $	*/
 
 /* Id: remoteconf.c,v 1.38 2006/05/06 15:52:44 manubsd Exp */
 
@@ -209,7 +209,7 @@
 	/* Check address */
 	if (rmsel-remote != NULL) {
 		if (rmconf-remote-sa_family != AF_UNSPEC) {
-			if (cmpsaddr(rmsel-remote, rmconf-remote) != 0)
+			if (cmpsaddr(rmsel-remote, rmconf-remote) == CMPSADDR_MISMATCH)
 return MATCH_NONE;
 
 			/* Address matched */
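Review bot: The changed comparison accepts every cmpsaddr() result other than CMPSADDR_MISMATCH, so a selector whose port differs from the section's address presumably now matches — the intent stated in the commit message, but not visible at the call site. Add `/* only an address mismatch rejects; a port-only difference (wildcard port) still matches */` above the `if`. rmconf_match_type() starts and ends outside the hunk, so whether a later check compares ports could not be confirmed.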



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2009-08-18 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Tue Aug 18 08:21:13 UTC 2009

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: oakley.c

Log Message:
typo: algoritym - algorithm


To generate a diff of this commit:
cvs rdiff -u -r1.15 -r1.16 src/crypto/dist/ipsec-tools/src/racoon/oakley.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/oakley.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.15 src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.16
--- src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.15	Thu Aug 13 09:18:28 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/oakley.c	Tue Aug 18 08:21:12 2009
@@ -1,4 +1,4 @@
-/*	$NetBSD: oakley.c,v 1.15 2009/08/13 09:18:28 vanhu Exp $	*/
+/*	$NetBSD: oakley.c,v 1.16 2009/08/18 08:21:12 vanhu Exp $	*/
 
 /* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */
 
@@ -2648,7 +2648,7 @@
 	iph1-approval-encklen);
 	if (keylen == -1) {
 		plog(LLV_ERROR, LOCATION, NULL,
-			invalid encryption algoritym %d, 
+			invalid encryption algorithm %d, 
 			or invalid key length %d.\n,
 			iph1-approval-enctype,
 			iph1-approval-encklen);
@@ -2752,7 +2752,7 @@
 	if (iph1-approval-enctype  ARRAYLEN(oakley_encdef)
 	 || oakley_encdef[iph1-approval-enctype].weakkey == NULL) {
 		plog(LLV_ERROR, LOCATION, NULL,
-			encryption algoritym %d isn't supported.\n,
+			encryption algorithm %d isn't supported.\n,
 			iph1-approval-enctype);
 		goto end;
 	}



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2009-08-17 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Mon Aug 17 11:59:10 UTC 2009

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: crypto_openssl.h

Log Message:
removed a self include


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h:1.6 src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h:1.7
--- src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h:1.6	Thu Mar 12 10:57:26 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h	Mon Aug 17 11:59:10 2009
@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.h,v 1.6 2009/03/12 10:57:26 tteras Exp $	*/
+/*	$NetBSD: crypto_openssl.h,v 1.7 2009/08/17 11:59:10 vanhu Exp $	*/
 
 /* Id: crypto_openssl.h,v 1.11 2004/11/13 11:28:01 manubsd Exp */
 
@@ -34,8 +34,6 @@
 #ifndef _CRYPTO_OPENSSL_H
 #define _CRYPTO_OPENSSL_H
 
-#include crypto_openssl.h
-
 #include openssl/x509v3.h
 #include openssl/rsa.h
 



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2009-08-17 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Mon Aug 17 12:00:53 UTC 2009

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: schedule.h

Log Message:
include stddef.h so we have a chance to get the system offsetof if present


To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 src/crypto/dist/ipsec-tools/src/racoon/schedule.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/schedule.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/schedule.h:1.7 src/crypto/dist/ipsec-tools/src/racoon/schedule.h:1.8
--- src/crypto/dist/ipsec-tools/src/racoon/schedule.h:1.7	Fri Jan 23 08:25:07 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/schedule.h	Mon Aug 17 12:00:53 2009
@@ -1,4 +1,4 @@
-/*	$NetBSD: schedule.h,v 1.7 2009/01/23 08:25:07 tteras Exp $	*/
+/*	$NetBSD: schedule.h,v 1.8 2009/08/17 12:00:53 vanhu Exp $	*/
 
 /* Id: schedule.h,v 1.5 2006/05/03 21:53:42 vanhu Exp */
 
@@ -35,6 +35,8 @@
 #ifndef _SCHEDULE_H
 #define _SCHEDULE_H
 
+#include stddef.h
+
 #include sys/queue.h
 #if TIME_WITH_SYS_TIME
 # include sys/time.h



CVS commit: src/crypto/dist/ipsec-tools/src/libipsec

2009-08-17 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Mon Aug 17 13:52:14 UTC 2009

Modified Files:
src/crypto/dist/ipsec-tools/src/libipsec: libpfkey.h

Log Message:
do not use SADB_X_NAT_T_NEW_MAPPING to check system support for NAT-T, as at 
least FreeBSD doesn't have this define anymore


To generate a diff of this commit:
cvs rdiff -u -r1.16 -r1.17 \
src/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h
diff -u src/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h:1.16 src/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h:1.17
--- src/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h:1.16	Fri Jul  3 06:40:10 2009
+++ src/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h	Mon Aug 17 13:52:14 2009
@@ -1,4 +1,4 @@
-/*	$NetBSD: libpfkey.h,v 1.16 2009/07/03 06:40:10 tteras Exp $	*/
+/*	$NetBSD: libpfkey.h,v 1.17 2009/08/17 13:52:14 vanhu Exp $	*/
 
 /* Id: libpfkey.h,v 1.13 2005/12/04 20:26:43 manubsd Exp */
 
@@ -161,7 +161,7 @@
 
 /* XXX should be somewhere else !!!
  */
-#ifdef SADB_X_NAT_T_NEW_MAPPING
+#ifdef SADB_X_EXT_NAT_T_TYPE
 #define PFKEY_ADDR_X_PORT(ext) (ntohs(((struct sadb_x_nat_t_port *)ext)-sadb_x_nat_t_port_port))
 #define PFKEY_ADDR_X_NATTYPE(ext) ( ext != NULL  ((struct sadb_x_nat_t_type *)ext)-sadb_x_nat_t_type_type )
 #endif



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2009-08-13 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Thu Aug 13 09:18:28 UTC 2009

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: oakley.c

Log Message:
fixed a potential DoS in oakley_do_decrypt(), reported by Orange Labs


To generate a diff of this commit:
cvs rdiff -u -r1.14 -r1.15 src/crypto/dist/ipsec-tools/src/racoon/oakley.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/oakley.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.14 src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.15
--- src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.14	Thu Mar 12 10:57:26 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/oakley.c	Thu Aug 13 09:18:28 2009
@@ -1,4 +1,4 @@
-/*	$NetBSD: oakley.c,v 1.14 2009/03/12 10:57:26 tteras Exp $	*/
+/*	$NetBSD: oakley.c,v 1.15 2009/08/13 09:18:28 vanhu Exp $	*/
 
 /* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */
 
@@ -3001,7 +3001,7 @@
 	/* do decrypt */
 	new = alg_oakley_encdef_decrypt(iph1-approval-enctype,
 	buf, iph1-key, ivdp);
-	if (new == NULL) {
+	if (new == NULL || new-v == NULL || new-l == 0) {
 		plog(LLV_ERROR, LOCATION, NULL,
 			decryption %d failed.\n, iph1-approval-enctype);
 		goto end;
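Review bot: The two added reject conditions (`new->v == NULL`, `new->l == 0`) jump to `end` with `new` still pointing at an allocated vchar, which the previous `new == NULL` case never did; unless the `end:` label (outside the hunk) already frees a non-NULL `new`, those paths leak the buffer returned by alg_oakley_encdef_decrypt(). If it does not, release it before the jump: `if (new != NULL) { vfree(new); new = NULL; }`. The same hunk appears in the 0.7-branch copy of oakley.c at `@@ -3116,7 +3116,7 @@`. oakley_do_decrypt() begins and ends outside the hunk.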



CVS commit: [ipsec-tools-0_7-branch] src/crypto/dist/ipsec-tools/src/racoon

2009-08-13 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Thu Aug 13 09:18:45 UTC 2009

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_7-branch]:
oakley.c

Log Message:
fixed a potential DoS in oakley_do_decrypt(), reported by Orange Labs


To generate a diff of this commit:
cvs rdiff -u -r1.9.6.3 -r1.9.6.4 \
src/crypto/dist/ipsec-tools/src/racoon/oakley.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/oakley.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.9.6.3 src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.9.6.4
--- src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.9.6.3	Thu Mar  6 17:00:25 2008
+++ src/crypto/dist/ipsec-tools/src/racoon/oakley.c	Thu Aug 13 09:18:45 2009
@@ -1,4 +1,4 @@
-/*	$NetBSD: oakley.c,v 1.9.6.3 2008/03/06 17:00:25 vanhu Exp $	*/
+/*	$NetBSD: oakley.c,v 1.9.6.4 2009/08/13 09:18:45 vanhu Exp $	*/
 
 /* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */
 
@@ -3116,7 +3116,7 @@
 	/* do decrypt */
 	new = alg_oakley_encdef_decrypt(iph1-approval-enctype,
 	buf, iph1-key, ivdp);
-	if (new == NULL) {
+	if (new == NULL || new-v == NULL || new-l == 0) {
 		plog(LLV_ERROR, LOCATION, NULL,
 			decryption %d failed.\n, iph1-approval-enctype);
 		goto end;



CVS commit: [ipsec-tools-0_7-branch] src/crypto/dist/ipsec-tools

2009-08-13 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Thu Aug 13 09:19:22 UTC 2009

Modified Files:
src/crypto/dist/ipsec-tools [ipsec-tools-0_7-branch]: NEWS configure.ac

Log Message:
0.7.3 release


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.6.6.4 -r1.1.1.6.6.5 src/crypto/dist/ipsec-tools/NEWS
cvs rdiff -u -r1.3.4.12 -r1.3.4.13 src/crypto/dist/ipsec-tools/configure.ac

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/NEWS
diff -u src/crypto/dist/ipsec-tools/NEWS:1.1.1.6.6.4 src/crypto/dist/ipsec-tools/NEWS:1.1.1.6.6.5
--- src/crypto/dist/ipsec-tools/NEWS:1.1.1.6.6.4	Wed Apr 22 11:26:50 2009
+++ src/crypto/dist/ipsec-tools/NEWS	Thu Aug 13 09:19:22 2009
@@ -1,6 +1,11 @@
 Version history:
 
 
+0.7.3 - 23 August 2009
+	o Fix a remote crash and a memory leak
+	o Fixed a NAT-T flag check
+	o Some code cleanups/compilation fixes with recent gcc
+
 0.7.2 - 22 April 2009
 	o Fix a remote crash in fragmentation code
 	o Phase2 message identities are phase1 specific (Vista compatibility=

Index: src/crypto/dist/ipsec-tools/configure.ac
diff -u src/crypto/dist/ipsec-tools/configure.ac:1.3.4.12 src/crypto/dist/ipsec-tools/configure.ac:1.3.4.13
--- src/crypto/dist/ipsec-tools/configure.ac:1.3.4.12	Wed Apr 22 11:26:50 2009
+++ src/crypto/dist/ipsec-tools/configure.ac	Thu Aug 13 09:19:22 2009
@@ -2,7 +2,7 @@
 dnl Id: configure.ac,v 1.77 2006/07/20 19:19:27 manubsd Exp
 
 AC_PREREQ(2.52)
-AC_INIT(ipsec-tools, 0.7.2)
+AC_INIT(ipsec-tools, 0.7.3)
 AC_CONFIG_SRCDIR([configure.ac])
 AM_CONFIG_HEADER(config.h)