CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2020-11-25 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Wed Nov 25 18:11:00 UTC 2020

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y cftoken.l
isakmp_xauth.c isakmp_xauth.h racoon.conf.5

Log Message:
Add ldap parameters debug and timeout.
Fix bug when using URI (use correct len for malloc)
document ldap parameters uri, debug and timeout.


To generate a diff of this commit:
cvs rdiff -u -r1.52 -r1.53 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
cvs rdiff -u -r1.28 -r1.29 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
cvs rdiff -u -r1.32 -r1.33 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
cvs rdiff -u -r1.9 -r1.10 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h
cvs rdiff -u -r1.68 -r1.69 \
src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.52 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.53
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.52	Wed Nov 25 16:42:53 2020
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Wed Nov 25 18:11:00 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.52 2020/11/25 16:42:53 bouyer Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.53 2020/11/25 18:11:00 bouyer Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -296,7 +296,7 @@ static const char error_message_dpd_not_
 	/* listen */
 %token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED
 	/* ldap config */
-%token LDAPCFG LDAP_URI LDAP_HOST LDAP_PORT LDAP_TLS LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
+%token LDAPCFG LDAP_URI LDAP_HOST LDAP_PORT LDAP_TLS LDAP_PVER LDAP_DEBUG LDAP_TIMEOUT LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
 %token LDAP_ATTR_USER LDAP_ATTR_ADDR LDAP_ATTR_MASK LDAP_ATTR_GROUP LDAP_ATTR_MEMBER
 	/* radius config */
 %token RADCFG RAD_AUTH RAD_ACCT RAD_TIMEOUT RAD_RETRIES
@@ -773,6 +773,24 @@ ldapcfg_stmt
 #endif
 		}
 		EOS
+	|	LDAP_DEBUG NUMBER
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+			xauth_ldap_config.debug = $2;
+#endif
+#endif
+		}
+		EOS
+	|	LDAP_TIMEOUT NUMBER
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+			xauth_ldap_config.timeout = $2;
+#endif
+#endif
+		}
+		EOS
 	|	LDAP_URI QUOTEDSTRING
 		{
 #ifdef ENABLE_HYBRID
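Review bot: The two new LDAP_DEBUG and LDAP_TIMEOUT actions store `$2` into `xauth_ldap_config.debug` and `xauth_ldap_config.timeout` without any range check, so a negative or oversized NUMBER from racoon.conf is accepted silently. This commit's init code uses -1 as the timeout's default, so a user-written negative timeout becomes indistinguishable from "not configured"; rejecting `$2 < 0` with a parse error in the LDAP_TIMEOUT action keeps the two apart, and a one-line comment on each action saying what unit the value is in (seconds for timeout, libldap level for debug, if that is what the consumer expects — confirm) would help the next reader. The ldapcfg_stmt rule continues outside the hunk.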

Index: src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
diff -u src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.28 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.29
--- src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.28	Wed Nov 25 16:42:53 2020
+++ src/crypto/dist/ipsec-tools/src/racoon/cftoken.l	Wed Nov 25 18:11:00 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: cftoken.l,v 1.28 2020/11/25 16:42:53 bouyer Exp $	*/
+/*	$NetBSD: cftoken.l,v 1.29 2020/11/25 18:11:00 bouyer Exp $	*/
 
 /* Id: cftoken.l,v 1.53 2006/08/22 18:17:17 manubsd Exp */
 
@@ -224,6 +224,8 @@ hexstring	0x{hexdigit}+
 ldapcfg		{ BEGIN S_LDAP; YYDB; return(LDAPCFG); }
 {bcl}		{ return(BOC); }
 version		{ YYD; return(LDAP_PVER); }
+debug		{ YYD; return(LDAP_DEBUG); }
+timeout		{ YYD; return(LDAP_TIMEOUT); }
 uri		{ YYD; return(LDAP_URI); }
 host		{ YYD; return(LDAP_HOST); }
 port		{ YYD; return(LDAP_PORT); }

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.32 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.33
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.32	Wed Nov 25 16:42:53 2020
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Wed Nov 25 18:11:00 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.32 2020/11/25 16:42:53 bouyer Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.33 2020/11/25 18:11:00 bouyer Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -803,6 +803,8 @@ xauth_ldap_init_conf(void)
 	int error = -1;
 
 	xauth_ldap_config.pver = 3;
+	xauth_ldap_config.debug = 0;
+	xauth_ldap_config.timeout = -1;
 	xauth_ldap_config.uri = NULL;
 	xauth_ldap_config.host = NULL;
 	xauth_ldap_config.port = LDAP_PORT;
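Review bot: `xauth_ldap_config.timeout = -1;` introduces a sentinel without saying what it denotes, and the code that consumes the timeout is not in this commit, so the meaning is not recoverable from here. A short comment on that line, presumably `/* -1: no timeout configured, library default applies */` if that is indeed how the consumer treats it, would document the contract at its origin. xauth_ldap_init_conf starts and ends outside the hunk.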
@@ -896,7 +898,7 @@ xauth_login_ldap(iph1, usr, pwd)
 	atlist[2] = NULL;
 
 	if (xauth_ldap_config.uri != NULL) {
-		tmplen = strlen(xauth_ldap_config.host->v);
+		tmplen = strlen(xauth_ldap_config.uri->v);
 		init = racoon_malloc(tmplen);
 		if (init == NULL) {
 			plog(LLV_ERROR, LOCATION, NULL,
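Review bot: `tmplen = strlen(xauth_ldap_config.uri->v)` reserves no byte for the terminating NUL, so the `sprintf(init, "%s", xauth_ldap_config.uri->v)` that follows this hunk (added in revision 1.32) writes one byte past the `racoon_malloc(tmplen)` allocation — a heap overflow driven by a value from racoon.conf. The host/port branch below sizes its buffer with 17 bytes of slack, which is why the same pattern did not bite there. Change the line to `tmplen = strlen(xauth_ldap_config.uri->v) + 1;` and prefer `snprintf(init, tmplen, "%s", xauth_ldap_config.uri->v);` so the bound is explicit rather than implied. xauth_login_ldap starts and ends outside the hunk.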
@@ -918,6 +920,9 @@ xauth_login_ldap(iph1, usr, pwd)
 			xauth_ldap_config.host->v,
 			xauth_ldap_config.port );
 	}
+	/* initialize the debug level */
+	ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, _ldap_config.debug);
+	ber_set_option(NULL, LBER_OPT_DEBUG_LEVEL, _ldap_config.debug);
 
 	plog(LLV_DEBUG, LOCATION, NULL, "ldap URI: %s\n", init);
 	/* initialize the ldap handle */
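Review bot: The new `ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, …)` and `ber_set_option(NULL, LBER_OPT_DEBUG_LEVEL, …)` calls discard their return values, whereas revision 1.31 of this same function made the LDAP_OPT_PROTOCOL_VERSION call check `!= LDAP_OPT_SUCCESS` and log via plog; the two new calls should get the same treatment, at least as an LLV_WARNING. Passing NULL as the handle makes the level process-wide rather than per-connection, which the comment should say: `/* process-wide libldap/liblber debug level (NULL handle), not per-connection */`. xauth_login_ldap starts and ends outside the hunk.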
@@ -933,12 +938,26 @@ xauth_login_ldap(iph1, usr, pwd)
 	if ((res = ldap_set_option(ld, 

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2020-11-25 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Wed Nov 25 16:42:53 UTC 2020

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y cftoken.l
isakmp_xauth.c isakmp_xauth.h

Log Message:
Add an option to pass an ldap uri, instead of just server and port.
uri takes precedence.


To generate a diff of this commit:
cvs rdiff -u -r1.51 -r1.52 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
cvs rdiff -u -r1.27 -r1.28 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
cvs rdiff -u -r1.31 -r1.32 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
cvs rdiff -u -r1.8 -r1.9 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.51 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.52
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.51	Sat May 19 20:14:56 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Wed Nov 25 16:42:53 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.51 2018/05/19 20:14:56 maxv Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.52 2020/11/25 16:42:53 bouyer Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -296,7 +296,7 @@ static const char error_message_dpd_not_
 	/* listen */
 %token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED
 	/* ldap config */
-%token LDAPCFG LDAP_HOST LDAP_PORT LDAP_TLS LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
+%token LDAPCFG LDAP_URI LDAP_HOST LDAP_PORT LDAP_TLS LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
 %token LDAP_ATTR_USER LDAP_ATTR_ADDR LDAP_ATTR_MASK LDAP_ATTR_GROUP LDAP_ATTR_MEMBER
 	/* radius config */
 %token RADCFG RAD_AUTH RAD_ACCT RAD_TIMEOUT RAD_RETRIES
@@ -773,6 +773,19 @@ ldapcfg_stmt
 #endif
 		}
 		EOS
+	|	LDAP_URI QUOTEDSTRING
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+			if (xauth_ldap_config.uri != NULL)
+vfree(xauth_ldap_config.uri);
+
+			xauth_ldap_config.uri = vdup($2);
+#endif
+#endif
+			vfree($2);
+		}
+		EOS
 	|	LDAP_HOST QUOTEDSTRING
 		{
 #ifdef ENABLE_HYBRID
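Review bot: `xauth_ldap_config.uri = vdup($2);` is not checked, so if vdup can fail the configuration silently degrades to the host/port path (the `if (xauth_ldap_config.uri != NULL)` test in isakmp_xauth.c) instead of reporting an error — the reverse of the "uri takes precedence" intent in the log message. If vdup returns NULL on allocation failure, fail the parse here rather than continuing; a comment such as `/* uri, when set, overrides host/port at connect time */` would also record the precedence rule next to the data it governs. The quoted string is not validated as a URI here, which is presumably left to the library at connect time — confirm that its failure is logged. The ldapcfg_stmt rule continues outside the hunk.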

Index: src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
diff -u src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.27 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.28
--- src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.27	Thu Nov 29 15:31:24 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/cftoken.l	Wed Nov 25 16:42:53 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: cftoken.l,v 1.27 2012/11/29 15:31:24 vanhu Exp $	*/
+/*	$NetBSD: cftoken.l,v 1.28 2020/11/25 16:42:53 bouyer Exp $	*/
 
 /* Id: cftoken.l,v 1.53 2006/08/22 18:17:17 manubsd Exp */
 
@@ -224,6 +224,7 @@ hexstring	0x{hexdigit}+
 ldapcfg		{ BEGIN S_LDAP; YYDB; return(LDAPCFG); }
 {bcl}		{ return(BOC); }
 version		{ YYD; return(LDAP_PVER); }
+uri		{ YYD; return(LDAP_URI); }
 host		{ YYD; return(LDAP_HOST); }
 port		{ YYD; return(LDAP_PORT); }
 tls		{ YYD; return(LDAP_TLS); }

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.31 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.32
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.31	Wed Nov 25 16:41:39 2020
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Wed Nov 25 16:42:53 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.31 2020/11/25 16:41:39 bouyer Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.32 2020/11/25 16:42:53 bouyer Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -803,6 +803,7 @@ xauth_ldap_init_conf(void)
 	int error = -1;
 
 	xauth_ldap_config.pver = 3;
+	xauth_ldap_config.uri = NULL;
 	xauth_ldap_config.host = NULL;
 	xauth_ldap_config.port = LDAP_PORT;
 	xauth_ldap_config.tls = 0;
@@ -894,19 +895,31 @@ xauth_login_ldap(iph1, usr, pwd)
 	atlist[1] = NULL;
 	atlist[2] = NULL;
 
-	/* build our initialization url */
-	tmplen = strlen("ldap://:;) + 17;
-	tmplen += strlen(xauth_ldap_config.host->v);
-	init = racoon_malloc(tmplen);
-	if (init == NULL) {
-		plog(LLV_ERROR, LOCATION, NULL,
-			"unable to alloc ldap init url\n");
-		goto ldap_end;
+	if (xauth_ldap_config.uri != NULL) {
+		tmplen = strlen(xauth_ldap_config.host->v);
+		init = racoon_malloc(tmplen);
+		if (init == NULL) {
+			plog(LLV_ERROR, LOCATION, NULL,
+"unable to alloc ldap init url\n");
+			goto ldap_end;
+		}
+		sprintf(init,"%s", xauth_ldap_config.uri->v);
+	} else {
+		/* build our initialization url */
+		tmplen = strlen("ldap://:;) + 17;
+		tmplen += strlen(xauth_ldap_config.host->v);
+		init = racoon_malloc(tmplen);
+		if (init == NULL) {
+			plog(LLV_ERROR, LOCATION, NULL,
+"unable to alloc ldap init url\n");
+			goto ldap_end;
+		}
+		sprintf(init,"ldap://%s:%d;,
+			xauth_ldap_config.host->v,
+			xauth_ldap_config.port );
 	}
-	sprintf(init,"ldap://%s:%d;,
-		

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2020-11-25 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Wed Nov 25 16:41:39 UTC 2020

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_xauth.c

Log Message:
Fix ldap: ldap_sasl_bind_s() doesn't like a NULL struct berval *, pass
a pointer to a zero'd struct instead.
While there use LDAP_SASL_SIMPLE instead of NULL for mechanism,
and check return of ldap_set_option().


To generate a diff of this commit:
cvs rdiff -u -r1.30 -r1.31 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.30 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.31
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.30	Sat May 19 20:14:56 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Wed Nov 25 16:41:39 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.30 2018/05/19 20:14:56 maxv Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.31 2020/11/25 16:41:39 bouyer Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -917,9 +917,15 @@ xauth_login_ldap(iph1, usr, pwd)
 	}
 
 	/* initialize the protocol version */
-	ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
-		_ldap_config.pver);
-
+	if ((res = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
+		_ldap_config.pver)) != LDAP_OPT_SUCCESS) {
+		plog(LLV_ERROR, LOCATION, NULL,
+			"LDAP_OPT_PROTOCOL_VERSION %s failed: %s\n",
+			xauth_ldap_config.pver,
+			ldap_err2string(res));
+		goto ldap_end;
+	}
+		
 	/* Enable TLS */
 	if (xauth_ldap_config.tls) {
 		res = ldap_start_tls_s(ld, NULL, NULL);
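Review bot: The new error message passes `xauth_ldap_config.pver` — an int, initialised to 3 in xauth_ldap_init_conf — to a `%s` conversion, which is undefined behaviour and in practice a crash on exactly the error path this hunk sets out to report cleanly. Use `"LDAP_OPT_PROTOCOL_VERSION %d failed: %s\n",` for that plog. The otherwise-blank line after the closing brace also carries trailing whitespace. xauth_login_ldap starts and ends outside the hunk.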
@@ -943,13 +949,15 @@ xauth_login_ldap(iph1, usr, pwd)
 		cred.bv_val = xauth_ldap_config.bind_pw->v;
 		cred.bv_len = strlen( cred.bv_val );
 		res = ldap_sasl_bind_s(ld,
-			xauth_ldap_config.bind_dn->v, NULL, ,
+			xauth_ldap_config.bind_dn->v, LDAP_SASL_SIMPLE, ,
 			NULL, NULL, NULL);
 	}
 	else
 	{
+		cred.bv_val = NULL;
+		cred.bv_len = 0;
 		res = ldap_sasl_bind_s(ld,
-			NULL, NULL, NULL,
+			NULL, LDAP_SASL_SIMPLE, ,
 			NULL, NULL, NULL);
 	}
 	
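Review bot: Both bind calls now name LDAP_SASL_SIMPLE explicitly, which transmits `xauth_ldap_config.bind_pw` in clear text whenever `xauth_ldap_config.tls` is unset — the `if (xauth_ldap_config.tls)` guard earlier in this function makes TLS optional. The zeroed berval is the right fix for the NULL argument, but a comment at the first bind, `/* simple bind: the password travels in clear unless TLS was started above */`, makes the deployment risk visible to whoever reads this next, and racoon.conf.5 could say the same beside the tls option. Whether the result of ldap_sasl_bind_s is checked is outside the hunk.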



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2020-11-25 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Nov 25 14:15:41 UTC 2020

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c

Log Message:
Reduce previous


To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.39 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.38 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.39
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.38	Wed Nov 25 05:57:11 2020
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Wed Nov 25 09:15:41 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.38 2020/11/25 10:57:11 kardel Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.39 2020/11/25 14:15:41 christos Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras .
@@ -683,13 +683,11 @@ kernel_sync()
 
 #elif defined(USE_ROUTE)
 
-#ifdef RT_ROUNDUP
-#define SAROUNDUP(X)   RT_ROUNDUP(((struct sockaddr *)(X))->sa_len)
-#else
-#define ROUNDUP(a) \
+#ifndef RT_ROUNDUP
+#define RT_ROUNDUP(a) \
   ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
-#define SAROUNDUP(X)   ROUNDUP(((struct sockaddr *)(X))->sa_len)
 #endif
+#define SAROUNDUP(X)   RT_ROUNDUP(((struct sockaddr *)(X))->sa_len)
 
 
 static size_t
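Review bot: The `#ifndef RT_ROUNDUP` fallback now carries no comment saying when it applies, and it still rounds to `sizeof(long)` — the very rounding that revision 1.38's log message says mis-advanced addresses on i386 — so a host that lacks the platform macro keeps the old behaviour silently. A comment above the fallback would make that visible: `/* Fallback for hosts whose <net/route.h> has no RT_ROUNDUP; it must match the kernel's sockaddr alignment or parse_address() mis-steps on 32-bit hosts. */`. The surrounding kernel_sync/parse_address code is outside the hunk.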



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2020-11-25 Thread Frank Kardel
Module Name:src
Committed By:   kardel
Date:   Wed Nov 25 10:57:11 UTC 2020

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c

Log Message:
Fix address advancing for i386 and other 32-bit platforms.
Makes racoon grok IPv6 addresses again on these platforms.


To generate a diff of this commit:
cvs rdiff -u -r1.37 -r1.38 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.37 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.38
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.37	Sat May 19 20:14:56 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Wed Nov 25 10:57:11 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.37 2018/05/19 20:14:56 maxv Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.38 2020/11/25 10:57:11 kardel Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras .
@@ -683,10 +683,14 @@ kernel_sync()
 
 #elif defined(USE_ROUTE)
 
+#ifdef RT_ROUNDUP
+#define SAROUNDUP(X)   RT_ROUNDUP(((struct sockaddr *)(X))->sa_len)
+#else
 #define ROUNDUP(a) \
   ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
-
 #define SAROUNDUP(X)   ROUNDUP(((struct sockaddr *)(X))->sa_len)
+#endif
+
 
 static size_t
 parse_address(caddr_t start, caddr_t end, struct sockaddr_storage *dest)



CVS commit: src/crypto/dist/ipsec-tools/src/libipsec

2020-06-05 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Fri Jun  5 15:19:08 UTC 2020

Modified Files:
src/crypto/dist/ipsec-tools/src/libipsec: key_debug.c

Log Message:
fix wrong size addition (Andrew Cagney)
XXX: This file is nearly identical with /usr/src/sys/netipsec/key_debug.c
and should be merged.


To generate a diff of this commit:
cvs rdiff -u -r1.14 -r1.15 \
src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c
diff -u src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c:1.14 src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c:1.15
--- src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c:1.14	Mon May 28 16:45:38 2018
+++ src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c	Fri Jun  5 11:19:08 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: key_debug.c,v 1.14 2018/05/28 20:45:38 maxv Exp $	*/
+/*	$NetBSD: key_debug.c,v 1.15 2020/06/05 15:19:08 christos Exp $	*/
 
 /*	$KAME: key_debug.c,v 1.29 2001/08/16 14:25:41 itojun Exp $	*/
 
@@ -418,7 +418,7 @@ kdebug_sadb_key(struct sadb_ext *ext)
 			(long)PFKEY_UNUNIT64(key->sadb_key_len) - sizeof(struct sadb_key));
 	}
 
-	ipsec_hexdump(key + sizeof(struct sadb_key),
+	ipsec_hexdump(key + 1,
 	  (int)((uint32_t)key->sadb_key_bits >> 3));
 	printf(" }\n");
 	return;
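Review bot: `key + 1` fixes the pointer arithmetic, but the dump length `key->sadb_key_bits >> 3` is still taken straight from the message without being bounded by the extension's own length, `PFKEY_UNUNIT64(key->sadb_key_len) - sizeof(struct sadb_key)`, which the preceding lines appear only to print in a diagnostic; if that earlier check does not return, an oversized sadb_key_bits makes ipsec_hexdump read past the extension. Clamping is three lines: `size_t avail = PFKEY_UNUNIT64(key->sadb_key_len) - sizeof(struct sadb_key);`, `size_t want = key->sadb_key_bits >> 3;`, `ipsec_hexdump(key + 1, (int)(want < avail ? want : avail));`. The start of kdebug_sadb_key is outside the hunk.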



CVS commit: src/crypto/dist/ipsec-tools/src/setkey

2020-05-12 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Tue May 12 16:17:58 UTC 2020

Modified Files:
src/crypto/dist/ipsec-tools/src/setkey: extern.h setkey.c token.l

Log Message:
- in script mode always output errors to stderr prefixed by the program name.
- in command mode always output errors to stdout not prefixed " " "
- perror(3) -> warn(3)


To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 src/crypto/dist/ipsec-tools/src/setkey/extern.h
cvs rdiff -u -r1.21 -r1.22 src/crypto/dist/ipsec-tools/src/setkey/setkey.c
cvs rdiff -u -r1.25 -r1.26 src/crypto/dist/ipsec-tools/src/setkey/token.l

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/setkey/extern.h
diff -u src/crypto/dist/ipsec-tools/src/setkey/extern.h:1.8 src/crypto/dist/ipsec-tools/src/setkey/extern.h:1.9
--- src/crypto/dist/ipsec-tools/src/setkey/extern.h:1.8	Tue May 12 10:29:06 2020
+++ src/crypto/dist/ipsec-tools/src/setkey/extern.h	Tue May 12 12:17:58 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: extern.h,v 1.8 2020/05/12 14:29:06 christos Exp $	*/
+/*	$NetBSD: extern.h,v 1.9 2020/05/12 16:17:58 christos Exp $	*/
 
 /*
  * Copyright (c) 2018 The NetBSD Foundation, Inc.
@@ -46,6 +46,7 @@ void yyerror(const char *);
 #ifdef HAVE_POLICY_FWD
 extern int f_rfcmode;
 #endif
+extern int f_mode;
 extern const char *filename;
 extern int lineno;
 extern int exit_now;
@@ -53,3 +54,10 @@ extern int exit_now;
 extern int last_msg_type;
 extern uint32_t last_priority;
 #endif
+
+#define MODE_SCRIPT	1
+#define MODE_CMDDUMP	2
+#define MODE_CMDFLUSH	3
+#define MODE_PROMISC	4
+#define MODE_STDIN	5
+
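Review bot: The five MODE_* values moved into this header are a closed set of related integer constants, so `enum { MODE_SCRIPT = 1, MODE_CMDDUMP, MODE_CMDFLUSH, MODE_PROMISC, MODE_STDIN };` would give them block scope and debugger visibility with identical values, and `f_mode` could then be declared with that enum type. The extra blank line added at the very end of the header is stray whitespace.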

Index: src/crypto/dist/ipsec-tools/src/setkey/setkey.c
diff -u src/crypto/dist/ipsec-tools/src/setkey/setkey.c:1.21 src/crypto/dist/ipsec-tools/src/setkey/setkey.c:1.22
--- src/crypto/dist/ipsec-tools/src/setkey/setkey.c:1.21	Tue May 12 10:29:06 2020
+++ src/crypto/dist/ipsec-tools/src/setkey/setkey.c	Tue May 12 12:17:58 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: setkey.c,v 1.21 2020/05/12 14:29:06 christos Exp $	*/
+/*	$NetBSD: setkey.c,v 1.22 2020/05/12 16:17:58 christos Exp $	*/
 /*	$KAME: setkey.c,v 1.36 2003/09/24 23:52:51 itojun Exp $	*/
 
 /*
@@ -110,12 +110,6 @@ static void printdate(void);
 static int32_t gmt2local(time_t);
 static void stdin_loop(void);
 
-#define MODE_SCRIPT	1
-#define MODE_CMDDUMP	2
-#define MODE_CMDFLUSH	3
-#define MODE_PROMISC	4
-#define MODE_STDIN	5
-
 int so;
 
 int f_forever = 0;
@@ -275,8 +269,7 @@ main(int argc, char **argv)
 
 	so = pfkey_open();
 	if (so < 0) {
-		perror("pfkey_open");
-		exit(1);
+		err(1, "pfkey_open");
 	}
 
 	switch (f_mode) {
@@ -497,7 +490,7 @@ sendkeymsg_spigrep(unsigned int satype, 
 	tv.tv_sec = 1;
 	tv.tv_usec = 0;
 	if (setsockopt(so, SOL_SOCKET, SO_RCVTIMEO, , sizeof(tv)) < 0) {
-		perror("setsockopt");
+		warn("setsockopt");
 		return NULL;
 	}
 }
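Review bot: `warn("setsockopt")` always writes to stderr, so in command mode these socket failures no longer follow the "errors to stdout" rule stated in the log message; the same holds for the `warn("send")` and `warn("recv")` replacements in the next three hunks of this file. If that is deliberate — a syscall failure is a program-level error, not the result of a config line — a comment at the first one settles it: `/* socket errors are program failures: always stderr, regardless of f_mode */`. sendkeymsg_spigrep starts and ends outside the hunk.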
@@ -531,14 +524,14 @@ sendkeymsg_spigrep(unsigned int satype, 
 	}
 
 	if ((l = send(so, buf, len, 0)) < 0) {
-		perror("send");
+		warn("send");
 		return NULL;
 	}
 
 	m = (struct sadb_msg *)rbuf;
 	do {
 		if ((l = recv(so, rbuf, sizeof(rbuf), 0)) < 0) {
-			perror("recv");
+			warn("recv");
 			fail = 1;
 			break;
 		}
@@ -638,7 +631,7 @@ sendkeymsg(char *buf, size_t len)
 	tv.tv_sec = 1;
 	tv.tv_usec = 0;
 	if (setsockopt(so, SOL_SOCKET, SO_RCVTIMEO, , sizeof(tv)) < 0) {
-		perror("setsockopt");
+		warn("setsockopt");
 		goto end;
 	}
 }
@@ -664,14 +657,14 @@ again:
 	}
 
 	if ((l = send(so, buf, len, 0)) < 0) {
-		perror("send");
+		warn("send");
 		goto end;
 	}
 
 	msg = (struct sadb_msg *)rbuf;
 	do {
 		if ((l = recv(so, rbuf, sizeof(rbuf), 0)) < 0) {
-			perror("recv");
+			warn("recv");
 			goto end;
 		}
 
@@ -706,15 +699,8 @@ postproc(struct sadb_msg *msg, int len)
 #endif
 
 	if (msg->sadb_msg_errno != 0) {
-		char inf[80];
 		const char *errmsg = NULL;
 
-		if (f_mode == MODE_SCRIPT)
-			snprintf(inf, sizeof(inf), "The result of line %d: ",
-			lineno);
-		else
-			inf[0] = '\0';
-
 		switch (msg->sadb_msg_errno) {
 		case ENOENT:
 			switch (msg->sadb_msg_type) {
@@ -734,7 +720,10 @@ postproc(struct sadb_msg *msg, int len)
 		default:
 			errmsg = strerror(msg->sadb_msg_errno);
 		}
-		printf("%s%s.\n", inf, errmsg);
+		if (f_mode == MODE_SCRIPT)
+			warnx("%s,%d: %s", filename, lineno, errmsg);
+		else
+			printf("%s.\n", errmsg);
 		return -1;
 	}
 
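Review bot: The `if (f_mode == MODE_SCRIPT) warnx(…); else printf(…);` pair introduced here is repeated twice more in the following verifypriority hunk, and the copies disagree: this one prefixes the script-mode message with `filename, lineno` and ends the command-mode message with a period, while the verifypriority copies do neither. A small `static` helper that takes the message and dispatches on `f_mode` would keep the sink selection and the format in one place and remove the inconsistency. If `errmsg` can still be NULL after the switch (the ENOENT inner switch is outside the hunk), both sinks pass NULL to `%s`, which is undefined — worth confirming. postproc starts and ends outside the hunk.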
@@ -806,18 +795,27 @@ verifypriority(struct sadb_msg *m)
 
 	/* check pfkey message. */
 	if (pfkey_align(m, mhp)) {
-		printf("(%s\n", ipsec_strerror());
+		if (f_mode == MODE_SCRIPT)
+			warnx("%s", ipsec_strerror());
+		else
+			printf("%s\n", ipsec_strerror());
 		return 0;
 	}
 	if (pfkey_check(mhp)) {
-		printf("%s\n", ipsec_strerror());
+		if (f_mode == MODE_SCRIPT)
+			warnx("%s", ipsec_strerror());
+		else
+			printf("%s\n", ipsec_strerror());
 		return 0;
 	}
 
 	xpl = (struct sadb_x_policy *) mhp[SADB_X_EXT_POLICY];
 
 	if (xpl == NULL) {
-		

CVS commit: src/crypto/dist/ipsec-tools/src/setkey

2020-05-12 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Tue May 12 14:29:06 UTC 2020

Modified Files:
src/crypto/dist/ipsec-tools/src/setkey: extern.h setkey.c token.l

Log Message:
Keep track of the filename to print in error messages.
Change quoting of error string from [] to `'.


To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 src/crypto/dist/ipsec-tools/src/setkey/extern.h
cvs rdiff -u -r1.20 -r1.21 src/crypto/dist/ipsec-tools/src/setkey/setkey.c
cvs rdiff -u -r1.24 -r1.25 src/crypto/dist/ipsec-tools/src/setkey/token.l

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/setkey/extern.h
diff -u src/crypto/dist/ipsec-tools/src/setkey/extern.h:1.7 src/crypto/dist/ipsec-tools/src/setkey/extern.h:1.8
--- src/crypto/dist/ipsec-tools/src/setkey/extern.h:1.7	Sun Oct 14 04:27:39 2018
+++ src/crypto/dist/ipsec-tools/src/setkey/extern.h	Tue May 12 10:29:06 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: extern.h,v 1.7 2018/10/14 08:27:39 maxv Exp $	*/
+/*	$NetBSD: extern.h,v 1.8 2020/05/12 14:29:06 christos Exp $	*/
 
 /*
  * Copyright (c) 2018 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
 void parse_init(void);
 
 /* token.l */
-int parse(FILE **);
+int parse(const char *, FILE *);
 int parse_string(char *);
 
 /* setkey.c */
@@ -46,6 +46,7 @@ void yyerror(const char *);
 #ifdef HAVE_POLICY_FWD
 extern int f_rfcmode;
 #endif
+extern const char *filename;
 extern int lineno;
 extern int exit_now;
 #ifdef HAVE_PFKEY_POLICY_PRIORITY

Index: src/crypto/dist/ipsec-tools/src/setkey/setkey.c
diff -u src/crypto/dist/ipsec-tools/src/setkey/setkey.c:1.20 src/crypto/dist/ipsec-tools/src/setkey/setkey.c:1.21
--- src/crypto/dist/ipsec-tools/src/setkey/setkey.c:1.20	Sun Feb  3 05:23:42 2019
+++ src/crypto/dist/ipsec-tools/src/setkey/setkey.c	Tue May 12 10:29:06 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: setkey.c,v 1.20 2019/02/03 10:23:42 mrg Exp $	*/
+/*	$NetBSD: setkey.c,v 1.21 2020/05/12 14:29:06 christos Exp $	*/
 /*	$KAME: setkey.c,v 1.36 2003/09/24 23:52:51 itojun Exp $	*/
 
 /*
@@ -149,6 +149,7 @@ rkwarn(void)
 #endif
 
 int lineno;
+const char *filename;
 int exit_now;
 static time_t thiszone;
 
@@ -172,6 +173,7 @@ int
 main(int argc, char **argv)
 {
 	FILE *fp = stdin;
+	const char *fname = "";
 	int c;
 
 	if (argc == 1) {
@@ -193,9 +195,11 @@ main(int argc, char **argv)
 			f_mode = MODE_SCRIPT;
 			if (strcmp(optarg, "-") == 0) {
 fp = stdin;
+fname = "";
 			} else if ((fp = fopen(optarg, "r")) == NULL) {
 err(1, "Can't open `%s'", optarg);
 			}
+			fname = optarg;
 			break;
 		case 'D':
 			f_mode = MODE_CMDDUMP;
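Review bot: The `fname = …` assignment added in the `-` branch is dead: the unconditional `fname = optarg;` after the if/else chain overwrites it, so stdin is reported as `-` rather than the placeholder intended here (the literal appears truncated in this rendering). Drop the unconditional line and append `else fname = optarg;` to the chain so only a real file name reaches `filename`. main starts and ends outside the hunk.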
@@ -286,7 +290,7 @@ main(int argc, char **argv)
 		if (get_supported() < 0) {
 			errx(1, "%s", ipsec_strerror());
 		}
-		if (parse())
+		if (parse(fname, fp))
 			exit(1);
 		break;
 	case MODE_STDIN:
@@ -826,7 +830,7 @@ verifypriority(struct sadb_msg *m)
 #endif
 
 static int
-fileproc(const char *filename)
+fileproc(const char *fname)
 {
 	int fd;
 	ssize_t len, l;
@@ -834,7 +838,7 @@ fileproc(const char *filename)
 	struct sadb_msg *msg;
 	u_char rbuf[1024 * 32];	/* XXX: Enough ? Should I do MSG_PEEK ? */
 
-	fd = open(filename, O_RDONLY);
+	fd = open(fname, O_RDONLY);
 	if (fd < 0)
 		return -1;
 

Index: src/crypto/dist/ipsec-tools/src/setkey/token.l
diff -u src/crypto/dist/ipsec-tools/src/setkey/token.l:1.24 src/crypto/dist/ipsec-tools/src/setkey/token.l:1.25
--- src/crypto/dist/ipsec-tools/src/setkey/token.l:1.24	Sun May 10 15:54:49 2020
+++ src/crypto/dist/ipsec-tools/src/setkey/token.l	Tue May 12 10:29:06 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: token.l,v 1.24 2020/05/10 19:54:49 christos Exp $	*/
+/*	$NetBSD: token.l,v 1.25 2020/05/12 14:29:06 christos Exp $	*/
 /*	$KAME: token.l,v 1.44 2003/10/21 07:20:58 itojun Exp $	*/
 
 /*
@@ -336,23 +336,23 @@ yyfatal(const char *s)
 void
 yyerror(const char *s)
 {
-	warnx("line %d: %s at [%s]", lineno, s, yytext);
+	warnx("%s,%d: %s at `%s'", filename, lineno, s, yytext);
 }
 
 int
-parse(FILE **fp)
+parse(const char *fname, FILE *fp)
 {
-	yyin = *fp;
-
+	yyin = fp;
+	filename = fname;
 	lineno = 1;
 	parse_init();
 
 	if (yyparse()) {
-		warnx("line %d: parse failed", lineno);
-		return(-1);
+		warnx("%s,%d: parse failed", filename, lineno);
+		return -1;
 	}
 
-	return(0);
+	return 0;
 }
 
 int
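Review bot: `yyerror` now prints the global `filename` with `%s`, but `filename` is only assigned inside `parse()`; if `yyparse` is also reached through `parse_string()` (declared in extern.h next to parse) without passing through parse(), `filename` is still NULL and `warnx` on a NULL `%s` argument is undefined behaviour. Either give the global an initializer where it is defined in setkey.c or pass `filename ? filename : "-"` in place of `filename` in both warnx calls here. The `file,line:` shape also differs from the `file:line:` form most editors and tools recognise; worth deciding deliberately. yyerror and parse are complete within the hunk.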



CVS commit: src/crypto/dist/ipsec-tools/src/setkey

2020-05-10 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sun May 10 19:54:49 UTC 2020

Modified Files:
src/crypto/dist/ipsec-tools/src/setkey: token.l

Log Message:
prefix errors with the program name and use stderr.


To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.24 src/crypto/dist/ipsec-tools/src/setkey/token.l

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/setkey/token.l
diff -u src/crypto/dist/ipsec-tools/src/setkey/token.l:1.23 src/crypto/dist/ipsec-tools/src/setkey/token.l:1.24
--- src/crypto/dist/ipsec-tools/src/setkey/token.l:1.23	Tue Jul 23 00:30:32 2019
+++ src/crypto/dist/ipsec-tools/src/setkey/token.l	Sun May 10 15:54:49 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: token.l,v 1.23 2019/07/23 04:30:32 ozaki-r Exp $	*/
+/*	$NetBSD: token.l,v 1.24 2020/05/10 19:54:49 christos Exp $	*/
 /*	$KAME: token.l,v 1.44 2003/10/21 07:20:58 itojun Exp $	*/
 
 /*
@@ -49,6 +49,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include "vchar.h"
 #if defined(__NetBSD__) || defined(__FreeBSD__) || defined(__linux__) || \
@@ -335,7 +336,7 @@ yyfatal(const char *s)
 void
 yyerror(const char *s)
 {
-	printf("line %d: %s at [%s]\n", lineno, s, yytext);
+	warnx("line %d: %s at [%s]", lineno, s, yytext);
 }
 
 int
@@ -347,7 +348,7 @@ parse(FILE **fp)
 	parse_init();
 
 	if (yyparse()) {
-		printf("parse failed, line %d.\n", lineno);
+		warnx("line %d: parse failed", lineno);
 		return(-1);
 	}
 



CVS commit: src/crypto/dist/ipsec-tools/src/setkey

2019-02-03 Thread matthew green
Module Name:src
Committed By:   mrg
Date:   Sun Feb  3 10:23:42 UTC 2019

Modified Files:
src/crypto/dist/ipsec-tools/src/setkey: setkey.c

Log Message:
mark promisc() __dead - it never returns.


To generate a diff of this commit:
cvs rdiff -u -r1.19 -r1.20 src/crypto/dist/ipsec-tools/src/setkey/setkey.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/setkey/setkey.c
diff -u src/crypto/dist/ipsec-tools/src/setkey/setkey.c:1.19 src/crypto/dist/ipsec-tools/src/setkey/setkey.c:1.20
--- src/crypto/dist/ipsec-tools/src/setkey/setkey.c:1.19	Sun Oct 14 08:27:39 2018
+++ src/crypto/dist/ipsec-tools/src/setkey/setkey.c	Sun Feb  3 10:23:42 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: setkey.c,v 1.19 2018/10/14 08:27:39 maxv Exp $	*/
+/*	$NetBSD: setkey.c,v 1.20 2019/02/03 10:23:42 mrg Exp $	*/
 /*	$KAME: setkey.c,v 1.36 2003/09/24 23:52:51 itojun Exp $	*/
 
 /*
@@ -396,7 +396,7 @@ sendkeyshort(u_int type)
 	sendkeymsg((char *), sizeof(msg));
 }
 
-static void
+static void __dead
 promisc(void)
 {
 	struct sadb_msg msg;



CVS commit: src/crypto/dist/ipsec-tools/src/setkey

2018-11-18 Thread Ryota Ozaki
Module Name:src
Committed By:   ozaki-r
Date:   Mon Nov 19 04:54:37 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/setkey: setkey.8

Log Message:
Use Cm instead of Li or Ar for fixed command strings


To generate a diff of this commit:
cvs rdiff -u -r1.34 -r1.35 src/crypto/dist/ipsec-tools/src/setkey/setkey.8

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/setkey/setkey.8
diff -u src/crypto/dist/ipsec-tools/src/setkey/setkey.8:1.34 src/crypto/dist/ipsec-tools/src/setkey/setkey.8:1.35
--- src/crypto/dist/ipsec-tools/src/setkey/setkey.8:1.34	Sat Feb 18 13:51:29 2012
+++ src/crypto/dist/ipsec-tools/src/setkey/setkey.8	Mon Nov 19 04:54:37 2018
@@ -1,4 +1,4 @@
-.\"	$NetBSD: setkey.8,v 1.34 2012/02/18 13:51:29 wiz Exp $
+.\"	$NetBSD: setkey.8,v 1.35 2018/11/19 04:54:37 ozaki-r Exp $
 .\"
 .\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd February 18, 2012
+.Dd November 19, 2018
 .Dt SETKEY 8
 .Os
 .\"
@@ -160,60 +160,60 @@ Lines starting with hash signs
 .Pq Sq #
 are treated as comment lines.
 .Bl -tag -width Ds
-.It Li add Oo Fl 46n Oc Ar src Ar dst Ar protocol Ar spi \
+.It Cm add Oo Fl 46n Oc Ar src Ar dst Ar protocol Ar spi \
 Oo Ar extensions Oc Ar algorithm ... Li ;
 Add an SAD entry.
-.Li add
+.Cm add
 can fail for multiple reasons, including when the key length does
 not match the specified algorithm.
 .\"
-.It Li get Oo Fl 46n Oc Ar src Ar dst Ar protocol Ar spi Li ;
+.It Cm get Oo Fl 46n Oc Ar src Ar dst Ar protocol Ar spi Li ;
 Show an SAD entry.
 .\"
-.It Li delete Oo Fl 46n Oc Ar src Ar dst Ar protocol Ar spi Li ;
+.It Cm delete Oo Fl 46n Oc Ar src Ar dst Ar protocol Ar spi Li ;
 Remove an SAD entry.
 .\"
-.It Li deleteall Oo Fl 46n Oc Ar src Ar dst Ar protocol Li ;
+.It Cm deleteall Oo Fl 46n Oc Ar src Ar dst Ar protocol Li ;
 Remove all SAD entries that match the specification.
 .\"
-.It Li flush Oo Ar protocol Oc Li ;
+.It Cm flush Oo Ar protocol Oc Li ;
 Clear all SAD entries matched by the options.
 .Fl F
 on the command line achieves the same functionality.
 .\"
-.It Li dump Oo Ar protocol Oc Li ;
+.It Cm dump Oo Ar protocol Oc Li ;
 Dumps all SAD entries matched by the options.
 .Fl D
 on the command line achieves the same functionality.
 .\"
-.It Li spdadd Oo Fl 46n Oc Ar src_range Ar dst_range Ar upperspec \
+.It Cm spdadd Oo Fl 46n Oc Ar src_range Ar dst_range Ar upperspec \
 Ar label Ar policy Li ;
 Add an SPD entry.
 .\"
-.It Li spdadd tagged Ar tag Ar policy Li ;
+.It Cm spdadd tagged Ar tag Ar policy Li ;
 Add an SPD entry based on a PF tag.
 .Ar tag
 must be a string surrounded by double quotes.
 .\"
-.It Li spdupdate Oo Fl 46n Oc Ar src_range Ar dst_range Ar upperspec \
+.It Cm spdupdate Oo Fl 46n Oc Ar src_range Ar dst_range Ar upperspec \
 Ar label Ar policy Li ;
 Updates an SPD entry.
 .\"
-.It Li spdupdate tagged Ar tag Ar policy Li ;
+.It Cm spdupdate tagged Ar tag Ar policy Li ;
 Update an SPD entry based on a PF tag.
 .Ar tag
 must be a string surrounded by double quotes.
 .\"
-.It Li spddelete Oo Fl 46n Oc Ar src_range Ar dst_range Ar upperspec \
+.It Cm spddelete Oo Fl 46n Oc Ar src_range Ar dst_range Ar upperspec \
 Fl P Ar direction Li ;
 Delete an SPD entry.
 .\"
-.It Li spdflush Li ;
+.It Cm spdflush Li ;
 Clear all SPD entries.
 .Fl FP
 on the command line achieves the same functionality.
 .\"
-.It Li spddump Li ;
+.It Cm spddump Li ;
 Dumps all SPD entries.
 .Fl DP
 on the command line achieves the same functionality.
@@ -251,19 +251,19 @@ avoids FQDN resolution and requires addr
 .Ar protocol
 is one of following:
 .Bl -tag -width Fl -compact
-.It Li esp
+.It Cm esp
 ESP based on rfc2406
-.It Li esp-old
+.It Cm esp-old
 ESP based on rfc1827
-.It Li esp-udp
+.It Cm esp-udp
 UDP encapsulated ESP for NAT traversal (rfc3948)
-.It Li ah
+.It Cm ah
 AH based on rfc2402
-.It Li ah-old
+.It Cm ah-old
 AH based on rfc1826
-.It Li ipcomp
+.It Cm ipcomp
 IPComp
-.It Li tcp
+.It Cm tcp
 TCP-MD5 based on rfc2385
 .El
 .\"
@@ -290,11 +290,11 @@ take some of the following:
 Specify a security protocol mode for use.
 .Ar mode
 is one of following:
-.Li transport , tunnel ,
+.Cm transport , tunnel ,
 or
-.Li any .
+.Cm any .
 The default value is
-.Li any .
+.Cm any .
 .\"
 .It Fl r Ar size
 Specify window size of bytes for replay prevention.
@@ -314,11 +314,11 @@ defines the content of the ESP padding.
 .Ar pad_option
 is one of following:
 .Bl -tag -width random-pad -compact
-.It Li zero-pad
+.It Cm zero-pad
 All the paddings are zero.
-.It Li random-pad
+.It Cm random-pad
 A series of randomized values are used.
-.It Li seq-pad
+.It Cm seq-pad
 A series of sequential increasing numbers started from 1 are used.
 .El
 .\"
@@ -433,12 +433,12 @@ You can use one of the words 

CVS commit: src/crypto/dist/ipsec-tools/src/libipsec

2018-10-14 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sun Oct 14 08:36:09 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/libipsec: Makefile.am
Removed Files:
src/crypto/dist/ipsec-tools/src/libipsec: test-policy-priority.c
test-policy.c

Log Message:
Remove dead files that have never been built, and likely can't build since
they are not correct C files.


To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 src/crypto/dist/ipsec-tools/src/libipsec/Makefile.am
cvs rdiff -u -r1.4 -r0 \
src/crypto/dist/ipsec-tools/src/libipsec/test-policy-priority.c \
src/crypto/dist/ipsec-tools/src/libipsec/test-policy.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/libipsec/Makefile.am
diff -u src/crypto/dist/ipsec-tools/src/libipsec/Makefile.am:1.3 src/crypto/dist/ipsec-tools/src/libipsec/Makefile.am:1.4
--- src/crypto/dist/ipsec-tools/src/libipsec/Makefile.am:1.3	Wed Jul 23 09:06:51 2008
+++ src/crypto/dist/ipsec-tools/src/libipsec/Makefile.am	Sun Oct 14 08:36:09 2018
@@ -1,5 +1,4 @@
 
-#bin_PROGRAMS = test-policy test-policy-priority
 lib_LTLIBRARIES = libipsec.la
 
 libipsecdir = $(includedir)/libipsec
@@ -30,10 +29,4 @@ libipsec_la_LIBADD = $(LEXLIB)
 
 noinst_HEADERS = ipsec_strerror.h
 
-#test_policy_SOURCES = test-policy.c
-#test_policy_LDFLAGS = libipsec.la
-
-#test_policy_priority_SOURCES = test-policy-priority.c
-#test_policy_priority_LDFLAGS = libipsec.la
-
-EXTRA_DIST = ${man3_MANS} test-policy.c
+EXTRA_DIST = ${man3_MANS}



CVS commit: src/crypto/dist/ipsec-tools/src/setkey

2018-10-14 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sun Oct 14 08:27:39 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/setkey: Makefile.am extern.h parse.y
setkey.c token.l
Removed Files:
src/crypto/dist/ipsec-tools/src/setkey: scriptdump.pl test-pfkey.c

Log Message:
Clean up setkey: remove dead wood, KNF, localify, and slightly improve.


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 src/crypto/dist/ipsec-tools/src/setkey/Makefile.am
cvs rdiff -u -r1.6 -r1.7 src/crypto/dist/ipsec-tools/src/setkey/extern.h
cvs rdiff -u -r1.21 -r1.22 src/crypto/dist/ipsec-tools/src/setkey/parse.y \
src/crypto/dist/ipsec-tools/src/setkey/token.l
cvs rdiff -u -r1.1.1.1 -r0 \
src/crypto/dist/ipsec-tools/src/setkey/scriptdump.pl
cvs rdiff -u -r1.18 -r1.19 src/crypto/dist/ipsec-tools/src/setkey/setkey.c
cvs rdiff -u -r1.7 -r0 src/crypto/dist/ipsec-tools/src/setkey/test-pfkey.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/setkey/Makefile.am
diff -u src/crypto/dist/ipsec-tools/src/setkey/Makefile.am:1.2 src/crypto/dist/ipsec-tools/src/setkey/Makefile.am:1.3
--- src/crypto/dist/ipsec-tools/src/setkey/Makefile.am:1.2	Wed Jul 23 09:06:51 2008
+++ src/crypto/dist/ipsec-tools/src/setkey/Makefile.am	Sun Oct 14 08:27:39 2018
@@ -18,5 +18,4 @@ setkey_LDADD = $(LEXLIB)
 noinst_HEADERS = vchar.h extern.h
 man8_MANS = setkey.8
 
-EXTRA_DIST = ${man8_MANS} sample-policy01.cf sample-policy02.cf sample.cf \
-	scriptdump.pl test-pfkey.c
+EXTRA_DIST = ${man8_MANS} sample-policy01.cf sample-policy02.cf sample.cf

Index: src/crypto/dist/ipsec-tools/src/setkey/extern.h
diff -u src/crypto/dist/ipsec-tools/src/setkey/extern.h:1.6 src/crypto/dist/ipsec-tools/src/setkey/extern.h:1.7
--- src/crypto/dist/ipsec-tools/src/setkey/extern.h:1.6	Mon May 28 20:34:45 2018
+++ src/crypto/dist/ipsec-tools/src/setkey/extern.h	Sun Oct 14 08:27:39 2018
@@ -1,33 +1,54 @@
-/*	$NetBSD: extern.h,v 1.6 2018/05/28 20:34:45 maxv Exp $	*/
-
+/*	$NetBSD: extern.h,v 1.7 2018/10/14 08:27:39 maxv Exp $	*/
 
+/*
+ * Copyright (c) 2018 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *notice, this list of conditions and the following disclaimer in the
+ *documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
 
+/* parse.y */
 void parse_init(void);
+
+/* token.l */
 int parse(FILE **);
 int parse_string(char *);
 
-int setkeymsg(char *, size_t *);
+/* setkey.c */
 int sendkeymsg(char *, size_t);
+uint32_t *sendkeymsg_spigrep(unsigned int, struct addrinfo *,
+struct addrinfo *, int *);
 
 int yylex(void);
 int yyparse(void);
 void yyfatal(const char *);
 void yyerror(const char *);
 
-u_int32_t *sendkeymsg_spigrep(unsigned int, struct addrinfo *,
-   struct addrinfo *, int *);
-
+#ifdef HAVE_POLICY_FWD
 extern int f_rfcmode;
+#endif
 extern int lineno;
-extern int last_msg_type;
-extern u_int32_t last_priority;
 extern int exit_now;
-
-extern u_char m_buf[BUFSIZ];
-extern u_int m_len;
-extern int f_debug;
-
 #ifdef HAVE_PFKEY_POLICY_PRIORITY
 extern int last_msg_type;
-extern u_int32_t last_priority;
+extern uint32_t last_priority;
 #endif
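Review bot: extern.h contains no `#include` of its own, so the prototypes it now carries depend on every including file having already pulled in `<stdio.h>` (`FILE`, `size_t`), `<netdb.h>` (`struct addrinfo`) and, after the `u_int32_t` → `uint32_t` switch in this hunk, `<stdint.h>` rather than `<sys/types.h>`. Adding `#include <stdint.h>`, `#include <stdio.h>` and `#include <netdb.h>` under the new licence block would make the header self-contained and the include order in parse.y, token.l and setkey.c irrelevant. The hunk spans the whole file, so this is not hidden elsewhere in extern.h.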

Index: src/crypto/dist/ipsec-tools/src/setkey/parse.y
diff -u src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.21 src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.22
--- src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.21	Mon May 28 20:34:45 2018
+++ src/crypto/dist/ipsec-tools/src/setkey/parse.y	Sun Oct 14 08:27:39 2018
@@ -1,5 +1,4 @@
-/*	$NetBSD: parse.y,v 1.21 2018/05/28 20:34:45 maxv Exp $	*/
-
+/*	$NetBSD: parse.y,v 1.22 2018/10/14 08:27:39 maxv Exp $	*/
 /*	$KAME: parse.y,v 1.81 2003/07/01 04:01:48 itojun Exp $	*/
 
 /*
@@ -92,7 +91,7 @@ static int 

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-10-13 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat Oct 13 15:38:28 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: racoon.conf.5

Log Message:
Fix SF#24: incorrect authentication algorithms, copy-pasto.


To generate a diff of this commit:
cvs rdiff -u -r1.67 -r1.68 \
src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
diff -u src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.67 src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.68
--- src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.67	Thu Jun 20 15:41:18 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5	Sat Oct 13 15:38:28 2018
@@ -1,4 +1,4 @@
-.\"	$NetBSD: racoon.conf.5,v 1.67 2013/06/20 15:41:18 christos Exp $
+.\"	$NetBSD: racoon.conf.5,v 1.68 2018/10/13 15:38:28 maxv Exp $
 .\"
 .\"	Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
 .\"
@@ -29,7 +29,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd June 17, 2013
+.Dd October 13, 2018
 .Dt RACOON.CONF 5
 .Os
 .\"
@@ -1106,7 +1106,6 @@ Note that the kernel may not support the
 .Pq used with ESP
 .\"
 .It Ic authentication_algorithm Ar algorithms ;
-.Ic des , 3des , des_iv64 , des_iv32 ,
 .Ic hmac_md5 , hmac_sha1 , hmac_sha256, hmac_sha384, hmac_sha512, non_auth
 .Pq used with ESP authentication and AH
 .\"



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-10-13 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat Oct 13 15:17:45 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: logger.c

Log Message:
Fix ticket SF#91: pass the correct size for tbuf.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/crypto/dist/ipsec-tools/src/racoon/logger.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/logger.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/logger.c:1.4 src/crypto/dist/ipsec-tools/src/racoon/logger.c:1.5
--- src/crypto/dist/ipsec-tools/src/racoon/logger.c:1.4	Sat Sep  9 16:22:09 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/logger.c	Sat Oct 13 15:17:45 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: logger.c,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
+/*	$NetBSD: logger.c,v 1.5 2018/10/13 15:17:45 maxv Exp $	*/
 
 /*	$KAME: logger.c,v 1.9 2002/09/03 14:37:03 itojun Exp $	*/
 
@@ -79,13 +79,13 @@ log_open(siz, fname)
 	}
 	memset(p->buf, 0, sizeof(char *) * siz);
 
-	p->tbuf = (time_t *)racoon_malloc(sizeof(time_t *) * siz);
+	p->tbuf = (time_t *)racoon_malloc(sizeof(time_t) * siz);
 	if (p->tbuf == NULL) {
 		racoon_free(p->buf);
 		racoon_free(p);
 		return NULL;
 	}
-	memset(p->tbuf, 0, sizeof(time_t *) * siz);
+	memset(p->tbuf, 0, sizeof(time_t) * siz);
 
 	p->siz = siz;
 	if (fname)
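Review bot: The corrected allocation and memset still spell the element size as a type name, which is exactly how the `sizeof(time_t *)` slip got in; `p->tbuf = racoon_malloc(sizeof *p->tbuf * siz);` and `memset(p->tbuf, 0, sizeof *p->tbuf * siz);` tie the size to the pointee so the two cannot drift apart again, and the `(time_t *)` cast is unnecessary in C. The `memset(p->buf, 0, sizeof(char *) * siz)` just above would benefit from the same `sizeof *p->buf` form. For the pullup note: on targets where `sizeof(time_t) > sizeof(time_t *)` (32-bit with a 64-bit time_t) the old size under-allocated `tbuf`, so any store past the midpoint of the buffer would have landed outside the heap block. log_open's parameter list is outside this hunk, so whether `siz * sizeof` is range-checked for large `siz` is not visible here.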



CVS commit: src/crypto/dist/ipsec-tools

2018-10-13 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat Oct 13 15:08:51 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools: NEWS README
Removed Files:
src/crypto/dist/ipsec-tools: netbsd-import.sh

Log Message:
Reduce the diff against the latest release. Also remove netbsd-import.sh,
since we are upstream now.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/crypto/dist/ipsec-tools/NEWS \
src/crypto/dist/ipsec-tools/README
cvs rdiff -u -r1.3 -r0 src/crypto/dist/ipsec-tools/netbsd-import.sh

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/NEWS
diff -u src/crypto/dist/ipsec-tools/NEWS:1.4 src/crypto/dist/ipsec-tools/NEWS:1.5
--- src/crypto/dist/ipsec-tools/NEWS:1.4	Fri Jan 23 09:40:56 2009
+++ src/crypto/dist/ipsec-tools/NEWS	Sat Oct 13 15:08:51 2018
@@ -1,6 +1,24 @@
 Version history:
 
-0.8 CVS (no official release yet)
+0.8.x CVS (no official release yet)
+	o A lot of code cleanup
+	o XXX TODO
+
+0.8.2	- 27 February 2014
+	o Fix admin port establish-sa for tunnel mode SAs (Alexander Sbitnev)
+	o Fix source port selection regression from version 0.8.1
+	o Various logging improvements
+	o Additional compliance and build fixes
+
+0.8.1	- 08 January 2013
+	o Improved X.509 subject name comparation (Götz Babin-Ebell)
+	o Relax DPD cookie check for Cisco IOS compatibility (Roman Antink)
+	o Allow simplified syntax for inherited remote blocks (Roman Antink)
+	o Never shring pfkey socket buffer (Marcelo Leitner)
+	o Privilege separation child process exit fix
+	o Multiple memory allocation and use-after-free fixes
+
+0.8	- 18 March 2011
 	o Fix authentication method ambiguity with kerberos and xauth
 	o RFC2253 compliant escaping of asn1dn identifiers (Cyrus Rahman)
 	o Local address code rewrite to speed things up
Index: src/crypto/dist/ipsec-tools/README
diff -u src/crypto/dist/ipsec-tools/README:1.4 src/crypto/dist/ipsec-tools/README:1.5
--- src/crypto/dist/ipsec-tools/README:1.4	Sun May 20 09:14:18 2018
+++ src/crypto/dist/ipsec-tools/README	Sat Oct 13 15:08:51 2018
@@ -56,5 +56,6 @@ The mailing lists from SourceForge still
 
 	ipsec-tools-de...@lists.sourceforge.net
 	ipsec-tools-us...@lists.sourceforge.net
-	http://sf.net/mailarchive/forum.php?forum_name=ipsec-tools-devel
 
+You can also browse the list archive:
+	http://sf.net/mailarchive/forum.php?forum_name=ipsec-tools-devel



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-10-05 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Fri Oct  5 20:12:37 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_frag.c

Log Message:
>From Thomas Reim:

Current racoon code cannot detect duplicate last fragments as it uses
the fragment flag instead of the fragment number.

The code does not consider that the IKE payload fragments might not be
received in the correct order. In this case, packet complete detection
will again fail and VPN clients abandoned from VPN service.
Nevertheless, clients still can add fragments to the fragment queue and
fill it up to the possible 255 fragments. Only duplicates are detected,
but not the fragments with a number greater than the last fragment
number.

The last fragment number is kept in the Phase 1 handler
after fragment queue deletion, which may lead to error notifications
after successful reassembly of the IKE phase 1 message.

In general, the 2017's CVE fix added laconic and difficult to understand
failure notifications, which do not much help for analysis, why a VPN
client was blocked by racoon server.

This patch fixes the code and aligns it to Microsoft/Cisco IKE
fragmentation specification. It provides error logging which is in line
with above specification and adds some debug info to the logs to better
support analysis VPN client blackballing.

XXX: pullup-8


To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.9 src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.10
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.9	Tue Oct  2 14:49:24 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c	Fri Oct  5 16:12:37 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_frag.c,v 1.9 2018/10/02 18:49:24 christos Exp $	*/
+/*	$NetBSD: isakmp_frag.c,v 1.10 2018/10/05 20:12:37 christos Exp $	*/
 
 /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
 
@@ -219,10 +219,15 @@ isakmp_frag_extract(iph1, msg)
 	struct isakmp_frag *frag;
 	struct isakmp_frag_item *item;
 	vchar_t *buf;
-	int last_frag = 0;
+	const char *m;
 	char *data;
 	int i;
 
+ 	if (iph1->frag_chain == NULL) {
+		plog(LLV_DEBUG, LOCATION, NULL,
+		 "fragmented IKE phase 1 message payload detected\n");
+	}
+
 	if (msg->l < sizeof(*isakmp) + sizeof(*frag)) {
 		plog(LLV_ERROR, LOCATION, NULL, "Message too short\n");
 		return -1;
@@ -260,47 +265,66 @@ isakmp_frag_extract(iph1, msg)
 	item->frag_next = NULL;
 	item->frag_packet = buf;
 
-	/* Check for the last frag before inserting the new item in the chain */
-	if (item->frag_last) {
-		/* if we have the last fragment, indices must match */
-		if (iph1->frag_last_index != 0 &&
-		item->frag_last != iph1->frag_last_index) {
-			plog(LLV_ERROR, LOCATION, NULL,
-			 "Repeated last fragment index mismatch\n");
-			racoon_free(item);
-			vfree(buf);
-			return -1;
+
+	/* Perform required last frag checks before inserting the new item in
+	   the chain */
+	if (iph1->frag_last_index != 0) {
+		/* Only one fragment payload allowed with last frag flag set */
+		if (item->frag_last) {
+			m = "Message has multiple tail fragments\n";
+			goto out;
 		}
 
-		last_frag = iph1->frag_last_index = item->frag_num;
+		/* Fragment payload with fragment number greater than the
+		   fragment number of the last fragment is not allowed*/
+		if (item->frag_num > iph1->frag_last_index) {
+			m = "Fragment number greater than tail fragment number\n";
+			goto out;
+		}
 	}
 
 	/* insert fragment into chain */
 	if (isakmp_frag_insert(iph1, item) == -1) {
-		plog(LLV_ERROR, LOCATION, NULL,
-		"Repeated fragment index mismatch\n");
-		racoon_free(item);
-		vfree(buf);
-		return -1;
+		m = "Duplicate fragment number\n";
+		goto out;
 	}
 
+	plog(LLV_DEBUG, LOCATION, NULL,
+	 "fragment payload #%d queued\n", item->frag_num);
+
+	/* remember last frag after insertion into fragment chain */
+	if (item->frag_last)
+		iph1->frag_last_index = item->frag_num;
+
 	/* If we saw the last frag, check if the chain is complete
 	 * we have a sorted list now, so just walk through */
-	if (last_frag != 0) {
+ 	if (iph1->frag_last_index != 0) {
 		item = iph1->frag_chain;
-		for (i = 1; i <= last_frag; i++) {
-			if (item == NULL) /* Not found */
-break;
-			if (item->frag_num != i)
-break;
+		for (i = 1; i <= iph1->frag_last_index; i++) {
+			if (item == NULL ||
+			item->frag_num != i) {
+plog(LLV_DEBUG, LOCATION, NULL,
+ "fragment payload #%d still missing\n",
+ i);
+ break;
+			}
 			item = item->frag_next;
 		}
 
-		if (i > last_frag) /* It is complete */
-			return 1;
+		if (i > iph1->frag_last_index) {/* It is complete */
+			plog(LLV_DEBUG, LOCATION, NULL,
+			 

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-10-02 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Tue Oct  2 18:49:24 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_frag.c

Log Message:
PR/53646: Thomas Reim: Incorrect detection of the packet complete code in
fragment list check.

While the fix in https://launchpad.net/~rdratlos/+archive/ubuntu/racoon

- if (i > last_frag) /* It is complete */
+ if (i >= last_frag) /* It is complete */

has the correct behavior, it violates the test for successful
completion of the invariant of the loop:

for (i = 1; i <= last_frag; i++) {
if (!check_fragment_index())
break;
}
if (i > last_frag)
return ok;

It is better to move the check for NULL in the loop earlier, so that
the final iteration is done and the test is kept the same. It makes
the code easier to understand and preserves the original intent.

XXX: pullup-8


To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.8 src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.9
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.8	Sat May 19 15:32:16 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c	Tue Oct  2 14:49:24 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_frag.c,v 1.8 2018/05/19 19:32:16 maxv Exp $	*/
+/*	$NetBSD: isakmp_frag.c,v 1.9 2018/10/02 18:49:24 christos Exp $	*/
 
 /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
 
@@ -289,11 +289,11 @@ isakmp_frag_extract(iph1, msg)
 	if (last_frag != 0) {
 		item = iph1->frag_chain;
 		for (i = 1; i <= last_frag; i++) {
+			if (item == NULL) /* Not found */
+break;
 			if (item->frag_num != i)
 break;
 			item = item->frag_next;
-			if (item == NULL) /* Not found */
-break;
 		}
 
 		if (i > last_frag) /* It is complete */



CVS commit: src/crypto/dist/ipsec-tools/src/libipsec

2018-09-06 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Thu Sep  6 09:38:05 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/libipsec: ipsec_strerror.3

Log Message:
sync with reality


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 \
src/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.3

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.3
diff -u src/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.3:1.12 src/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.3:1.13
--- src/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.3:1.12	Wed Jan  4 16:30:50 2012
+++ src/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.3	Thu Sep  6 09:38:05 2018
@@ -1,4 +1,4 @@
-.\"	$NetBSD: ipsec_strerror.3,v 1.12 2012/01/04 16:30:50 wiz Exp $
+.\"	$NetBSD: ipsec_strerror.3,v 1.13 2018/09/06 09:38:05 maxv Exp $
 .\"
 .\"	$KAME: ipsec_strerror.3,v 1.9 2001/08/17 07:21:36 itojun Exp $
 .\"
@@ -29,7 +29,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd January 4, 2012
+.Dd September 6, 2018
 .Dt IPSEC_STRERROR 3
 .Os
 .\"
@@ -45,17 +45,9 @@
 .Fn ipsec_strerror void
 .\"
 .Sh DESCRIPTION
-.Pa netinet6/ipsec.h
-declares
-.Pp
-.Dl extern int ipsec_errcode ;
-.Pp
-which is used to pass an error code from the IPsec policy manipulation
-library to a program.
 .Fn ipsec_strerror
 can be used to obtain the error message string for the error code.
 .Pp
-The array pointed to is not to be modified by the calling program.
 Since
 .Fn ipsec_strerror
 uses



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-08-28 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Tue Aug 28 09:10:28 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: privsep.c

Log Message:
fix memory leaks: https://github.com/NetBSD/src/issues/6


To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.25 src/crypto/dist/ipsec-tools/src/racoon/privsep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/privsep.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.24 src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.25
--- src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.24	Sat May 19 15:23:15 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/privsep.c	Tue Aug 28 05:10:28 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: privsep.c,v 1.24 2018/05/19 19:23:15 maxv Exp $	*/
+/*	$NetBSD: privsep.c,v 1.25 2018/08/28 09:10:28 christos Exp $	*/
 
 /* Id: privsep.c,v 1.15 2005/08/08 11:23:44 vanhu Exp */
 
@@ -917,7 +917,7 @@ privsep_eay_get_pkcs1privkey(path) 
 	memcpy(msg + 1, path, msg->bufs.buflen[0]);
 
 	if (privsep_send(privsep_sock[1], msg, len) != 0)
-		return NULL;
+		goto out;
 
 	if (privsep_recv(privsep_sock[1], , ) != 0)
 		return NULL;
@@ -1034,13 +1034,14 @@ privsep_script_exec(script, name, envp)
 	 * And send it!
 	 */
 	if (privsep_send(privsep_sock[1], msg, msg->hdr.ac_len) != 0)
-		return -1;
+		goto out;
 
 	if (privsep_recv(privsep_sock[1], , ) != 0)
 		return -1;
 
 	if (msg->hdr.ac_errno != 0) {
 		errno = msg->hdr.ac_errno;
+out:
 		racoon_free(msg);
 		return -1;
 	}
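Review bot: The new `out:` label sits inside the `if (msg->hdr.ac_errno != 0) {` body, so the `goto out` on a failed send jumps into a conditional block and bypasses the `errno = msg->hdr.ac_errno;` line above it; that is valid C and keeps the errno left by the send, but a label inside an if body is easy to misread as part of the error-status branch. privsep_xauth_login_system further down uses the same shape, whereas the privsep_cleanup_pam hunk at the end of this commit places `out:` at the function tail, which reads more clearly; a one-line comment such as `/* send failure lands here: msg still owned by us */` on the label would at least make the jump target explicit. The rest of privsep_script_exec is outside this hunk.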
@@ -1081,7 +1082,7 @@ privsep_getpsk(str, keylen)
 	memcpy(data, , sizeof(keylen));
 
 	if (privsep_send(privsep_sock[1], msg, len) != 0)
-		return NULL;
+		goto out;
 
 	if (privsep_recv(privsep_sock[1], , ) != 0)
 		return NULL;
@@ -1354,12 +1355,13 @@ privsep_xauth_login_system(usr, pwd)
 	
 	/* frees msg */
 	if (privsep_send(privsep_sock[1], msg, len) != 0)
-		return -1;
+		goto out;
 
 	if (privsep_recv(privsep_sock[1], , ) != 0)
 		return -1;
 
 	if (msg->hdr.ac_errno != 0) {
+out:
 		racoon_free(msg);
 		return -1;
 	}
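Review bot: The `/* frees msg */` comment above the `privsep_send()` call reads as if the callee always releases msg, yet the new `goto out` frees it after a failed send; the two are consistent only if privsep_send frees its buffer on success alone, which is not visible in this hunk. Tightening the comment to `/* frees msg on success; on failure msg is still ours */` records the contract the fix relies on, since a later change making privsep_send free on every path would turn this `out:` into a double free. The same comment precedes the new `goto out` in privsep_accounting_system, privsep_accounting_pam, privsep_xauth_login_pam and privsep_cleanup_pam below.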
@@ -1416,7 +1418,7 @@ privsep_accounting_system(port, raddr, u
 
 	/* frees msg */
 	if (privsep_send(privsep_sock[1], msg, len) != 0)
-		return -1;
+		goto out;
 
 	if (privsep_recv(privsep_sock[1], , ) != 0)
 		return -1;
@@ -1664,7 +1666,7 @@ privsep_accounting_pam(port, inout)
 
 	/* frees msg */
 	if (privsep_send(privsep_sock[1], msg, len) != 0)
-		return -1;
+		goto out;
 
 	if (privsep_recv(privsep_sock[1], , ) != 0)
 		return -1;
@@ -1734,7 +1736,7 @@ privsep_xauth_login_pam(port, raddr, usr
 
 	/* frees msg */
 	if (privsep_send(privsep_sock[1], msg, len) != 0)
-		return -1;
+		goto out;
 
 	if (privsep_recv(privsep_sock[1], , ) != 0)
 		return -1;
@@ -1786,7 +1788,7 @@ privsep_cleanup_pam(port)
 
 	/* frees msg */
 	if (privsep_send(privsep_sock[1], msg, len) != 0)
-		return;
+		goto out;
 
 	if (privsep_recv(privsep_sock[1], , ) != 0)
 		return;
@@ -1794,6 +1796,7 @@ privsep_cleanup_pam(port)
 	if (msg->hdr.ac_errno != 0)
 		errno = msg->hdr.ac_errno;
 
+out:
 	racoon_free(msg);
 	return;
 }



CVS commit: src/crypto/dist/ipsec-tools/src/libipsec

2018-05-28 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Mon May 28 19:39:21 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/libipsec: key_debug.c

Log Message:
Remove ipsec_bindump, there is no prototype, so the function can't be used.


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 \
src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c
diff -u src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c:1.12 src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c:1.13
--- src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c:1.12	Mon May 28 19:22:40 2018
+++ src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c	Mon May 28 19:39:21 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: key_debug.c,v 1.12 2018/05/28 19:22:40 maxv Exp $	*/
+/*	$NetBSD: key_debug.c,v 1.13 2018/05/28 19:39:21 maxv Exp $	*/
 
 /*	$KAME: key_debug.c,v 1.29 2001/08/16 14:25:41 itojun Exp $	*/
 
@@ -868,18 +868,6 @@ kdebug_sockaddr(struct sockaddr *addr)
 }
 
 void
-ipsec_bindump(caddr_t buf, int len)
-{
-	int i;
-
-	for (i = 0; i < len; i++)
-		printf("%c", (unsigned char)buf[i]);
-
-	return;
-}
-
-
-void
 ipsec_hexdump(const void *buf, int len)
 {
 	int i;



CVS commit: src/crypto/dist/ipsec-tools/src/libipsec

2018-05-28 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Mon May 28 20:45:38 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/libipsec: ipsec_dump_policy.c
ipsec_strerror.h key_debug.c libpfkey.h pfkey.c pfkey_dump.c
policy_parse.y policy_token.l

Log Message:
drop __P, suggested by sevan


To generate a diff of this commit:
cvs rdiff -u -r1.10 -r1.11 \
src/crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c
cvs rdiff -u -r1.4 -r1.5 \
src/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.h
cvs rdiff -u -r1.13 -r1.14 \
src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c \
src/crypto/dist/ipsec-tools/src/libipsec/policy_parse.y
cvs rdiff -u -r1.19 -r1.20 \
src/crypto/dist/ipsec-tools/src/libipsec/libpfkey.h
cvs rdiff -u -r1.25 -r1.26 src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c
cvs rdiff -u -r1.23 -r1.24 \
src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c
cvs rdiff -u -r1.9 -r1.10 \
src/crypto/dist/ipsec-tools/src/libipsec/policy_token.l

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c
diff -u src/crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c:1.10 src/crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c:1.11
--- src/crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c:1.10	Mon May 28 19:22:40 2018
+++ src/crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c	Mon May 28 20:45:38 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_dump_policy.c,v 1.10 2018/05/28 19:22:40 maxv Exp $	*/
+/*	$NetBSD: ipsec_dump_policy.c,v 1.11 2018/05/28 20:45:38 maxv Exp $	*/
 
 /* Id: ipsec_dump_policy.c,v 1.10 2005/06/29 09:12:37 manubsd Exp */
 
@@ -63,12 +63,12 @@ static const char *ipsp_policy_strs[] = 
 	"discard", "none", "ipsec", "entrust", "bypass",
 };
 
-static char *ipsec_dump_ipsecrequest __P((char *, size_t,
-	struct sadb_x_ipsecrequest *, size_t, int));
-static char *ipsec_dump_policy1 __P((void *, const char *, int));
-static int set_addresses __P((char *, size_t, struct sockaddr *,
-	struct sockaddr *, int));
-static char *set_address __P((char *, size_t, struct sockaddr *, int));
+static char *ipsec_dump_ipsecrequest(char *, size_t,
+	struct sadb_x_ipsecrequest *, size_t, int);
+static char *ipsec_dump_policy1(void *, const char *, int);
+static int set_addresses(char *, size_t, struct sockaddr *,
+	struct sockaddr *, int);
+static char *set_address(char *, size_t, struct sockaddr *, int);
 
 /*
  * policy is sadb_x_policy buffer.

Index: src/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.h
diff -u src/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.h:1.4 src/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.h:1.5
--- src/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.h:1.4	Sat Sep  9 16:22:09 2006
+++ src/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.h	Mon May 28 20:45:38 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_strerror.h,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
+/*	$NetBSD: ipsec_strerror.h,v 1.5 2018/05/28 20:45:38 maxv Exp $	*/
 
 /* Id: ipsec_strerror.h,v 1.4 2004/06/07 09:18:46 ludvigm Exp */
 
@@ -35,7 +35,7 @@
 #define _IPSEC_STRERROR_H
 
 extern int __ipsec_errcode;
-extern void __ipsec_set_strerror __P((const char *));
+extern void __ipsec_set_strerror(const char *);
 
 #define EIPSEC_NO_ERROR		0	/*success*/
 #define EIPSEC_NOT_SUPPORTED	1	/*not supported*/

Index: src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c
diff -u src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c:1.13 src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c:1.14
--- src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c:1.13	Mon May 28 19:39:21 2018
+++ src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c	Mon May 28 20:45:38 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: key_debug.c,v 1.13 2018/05/28 19:39:21 maxv Exp $	*/
+/*	$NetBSD: key_debug.c,v 1.14 2018/05/28 20:45:38 maxv Exp $	*/
 
 /*	$KAME: key_debug.c,v 1.29 2001/08/16 14:25:41 itojun Exp $	*/
 
@@ -71,35 +71,35 @@
 #include "config.h"
 #include "libpfkey.h"
 
-static void kdebug_sadb_prop __P((struct sadb_ext *));
-static void kdebug_sadb_identity __P((struct sadb_ext *));
-static void kdebug_sadb_supported __P((struct sadb_ext *));
-static void kdebug_sadb_lifetime __P((struct sadb_ext *));
-static void kdebug_sadb_sa __P((struct sadb_ext *));
-static void kdebug_sadb_address __P((struct sadb_ext *));
-static void kdebug_sadb_key __P((struct sadb_ext *));
-static void kdebug_sadb_x_sa2 __P((struct sadb_ext *));
-static void kdebug_sadb_x_policy __P((struct sadb_ext *ext));
-static void kdebug_sockaddr __P((struct sockaddr *addr));
+static void kdebug_sadb_prop(struct sadb_ext *);
+static void kdebug_sadb_identity(struct sadb_ext *);
+static void kdebug_sadb_supported(struct sadb_ext *);
+static void kdebug_sadb_lifetime(struct sadb_ext *);
+static void kdebug_sadb_sa(struct sadb_ext *);
+static void 

CVS commit: src/crypto/dist/ipsec-tools/src/setkey

2018-05-28 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Mon May 28 19:52:19 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/setkey: parse.y setkey.c token.l

Log Message:
fix -Wold-style-definition


To generate a diff of this commit:
cvs rdiff -u -r1.19 -r1.20 src/crypto/dist/ipsec-tools/src/setkey/parse.y
cvs rdiff -u -r1.16 -r1.17 src/crypto/dist/ipsec-tools/src/setkey/setkey.c
cvs rdiff -u -r1.20 -r1.21 src/crypto/dist/ipsec-tools/src/setkey/token.l

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/setkey/parse.y
diff -u src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.19 src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.20
--- src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.19	Wed Jul  5 01:22:40 2017
+++ src/crypto/dist/ipsec-tools/src/setkey/parse.y	Mon May 28 19:52:18 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: parse.y,v 1.19 2017/07/05 01:22:40 ozaki-r Exp $	*/
+/*	$NetBSD: parse.y,v 1.20 2018/05/28 19:52:18 maxv Exp $	*/
 
 /*	$KAME: parse.y,v 1.81 2003/07/01 04:01:48 itojun Exp $	*/
 
@@ -939,11 +939,8 @@ exit_command
 %%
 
 int
-setkeymsg0(msg, type, satype, l)
-	struct sadb_msg *msg;
-	unsigned int type;
-	unsigned int satype;
-	size_t l;
+setkeymsg0(struct sadb_msg *msg, unsigned int type, unsigned int satype,
+size_t l)
 {
 
 	msg->sadb_msg_version = PF_KEY_V2;
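Review bot: The continuation line `size_t l)` of the new setkeymsg0 definition sits at column 0, the same column as the function name, which makes the signature hard to scan and departs from the tab-indented continuations the file's own prototype list uses. The same layout appears in the later hunks of this file at `struct addrinfo *dsts, int dplen)`, `struct addrinfo *dsts, int no_spi)`, `struct addrinfo *dsts)` and `const void *vbuf, int vlen)`. Indenting each wrapped parameter line, e.g. `    size_t l)`, keeps the definitions readable. setkeymsg0's body continues beyond the hunk.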
@@ -959,14 +956,8 @@ setkeymsg0(msg, type, satype, l)
 
 /* XXX NO BUFFER OVERRUN CHECK! BAD BAD! */
 static int
-setkeymsg_spdaddr(type, upper, policy, srcs, splen, dsts, dplen)
-	unsigned int type;
-	unsigned int upper;
-	vchar_t *policy;
-	struct addrinfo *srcs;
-	int splen;
-	struct addrinfo *dsts;
-	int dplen;
+setkeymsg_spdaddr(unsigned int type, unsigned int upper, vchar_t *policy,
+struct addrinfo *srcs, int splen, struct addrinfo *dsts, int dplen)
 {
 	struct sadb_msg *msg;
 	char buf[BUFSIZ];
@@ -1108,10 +1099,7 @@ setkeymsg_spdaddr(type, upper, policy, s
 }
 
 static int
-setkeymsg_spdaddr_tag(type, tag, policy)
-	unsigned int type;
-	char *tag;
-	vchar_t *policy;
+setkeymsg_spdaddr_tag(unsigned int type, char *tag, vchar_t *policy)
 {
 	struct sadb_msg *msg;
 	char buf[BUFSIZ];
@@ -1149,12 +1137,8 @@ setkeymsg_spdaddr_tag(type, tag, policy)
 
 /* XXX NO BUFFER OVERRUN CHECK! BAD BAD! */
 static int
-setkeymsg_addr(type, satype, srcs, dsts, no_spi)
-	unsigned int type;
-	unsigned int satype;
-	struct addrinfo *srcs;
-	struct addrinfo *dsts;
-	int no_spi;
+setkeymsg_addr(unsigned int type, unsigned int satype, struct addrinfo *srcs,
+struct addrinfo *dsts, int no_spi)
 {
 	struct sadb_msg *msg;
 	char buf[BUFSIZ];
@@ -1295,11 +1279,8 @@ static u_int16_t get_port (struct addrin
 
 /* XXX NO BUFFER OVERRUN CHECK! BAD BAD! */
 static int
-setkeymsg_add(type, satype, srcs, dsts)
-	unsigned int type;
-	unsigned int satype;
-	struct addrinfo *srcs;
-	struct addrinfo *dsts;
+setkeymsg_add(unsigned int type, unsigned int satype, struct addrinfo *srcs,
+struct addrinfo *dsts)
 {
 	struct sadb_msg *msg;
 	char buf[BUFSIZ];
@@ -1577,9 +1558,7 @@ setkeymsg_add(type, satype, srcs, dsts)
 }
 
 static struct addrinfo *
-parse_addr(host, port)
-	char *host;
-	char *port;
+parse_addr(char *host, char *port)
 {
 	struct addrinfo hints, *res = NULL;
 	int error;
@@ -1598,9 +1577,7 @@ parse_addr(host, port)
 }
 
 static int
-fix_portstr(ulproto, spec, sport, dport)
-	int ulproto;
-	vchar_t *spec, *sport, *dport;
+fix_portstr(int ulproto, vchar_t *spec, vchar_t *sport, vchar_t *dport)
 {
 	char sp[16], dp[16];
 	int a, b, c, d;
@@ -1657,13 +1634,8 @@ fix_portstr(ulproto, spec, sport, dport)
 }
 
 static int
-setvarbuf(buf, off, ebuf, elen, vbuf, vlen)
-	char *buf;
-	int *off;
-	struct sadb_ext *ebuf;
-	int elen;
-	const void *vbuf;
-	int vlen;
+setvarbuf(char *buf, int *off, struct sadb_ext *ebuf, int elen,
+const void *vbuf, int vlen)
 {
 	memset(buf + *off, 0, PFKEY_UNUNIT64(ebuf->sadb_ext_len));
 	memcpy(buf + *off, (caddr_t)ebuf, elen);
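Review bot: After the prototype rewrite setvarbuf still has no way to learn the capacity of `buf`: it zeroes `PFKEY_UNUNIT64(ebuf->sadb_ext_len)` bytes and then copies `elen` bytes at `buf + *off` with no bound, and `*off`, `elen` and `vlen` stay plain `int` where `size_t` is the natural type for offsets and lengths. Every caller in this file builds into a fixed `char buf[BUFSIZ]`, and the file's own `XXX NO BUFFER OVERRUN CHECK! BAD BAD!` comments already flag the gap. Since the signature is being rewritten anyway, this is the moment to add a `size_t buflen` parameter and fail when `*off` plus the two lengths would exceed it; the cast in `(caddr_t)ebuf` is also unnecessary for memcpy. The function's body continues outside the hunk.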
@@ -1674,7 +1646,7 @@ setvarbuf(buf, off, ebuf, elen, vbuf, vl
 }
 
 void
-parse_init()
+parse_init(void)
 {
 	p_spi = 0;
 
@@ -1705,7 +1677,7 @@ parse_init()
 }
 
 void
-free_buffer()
+free_buffer(void)
 {
 	/* we got tons of memory leaks in the parser anyways, leave them */
 

Index: src/crypto/dist/ipsec-tools/src/setkey/setkey.c
diff -u src/crypto/dist/ipsec-tools/src/setkey/setkey.c:1.16 src/crypto/dist/ipsec-tools/src/setkey/setkey.c:1.17
--- src/crypto/dist/ipsec-tools/src/setkey/setkey.c:1.16	Fri Jun 14 16:29:14 2013
+++ src/crypto/dist/ipsec-tools/src/setkey/setkey.c	Mon May 28 19:52:18 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: setkey.c,v 1.16 2013/06/14 16:29:14 christos Exp $	*/
+/*	$NetBSD: setkey.c,v 1.17 2018/05/28 19:52:18 maxv Exp $	*/
 
 /*	$KAME: setkey.c,v 1.36 2003/09/24 23:52:51 itojun Exp $	*/
 
@@ -140,9 +140,7 @@ usage(int only_version)
 }
 
 int
-main(argc, argv)
-	int argc;
-	char **argv;
+main(int argc, char **argv)
 {
 	FILE *fp = stdin;
 	int 

CVS commit: src/crypto/dist/ipsec-tools/src/setkey

2018-05-28 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Mon May 28 20:34:45 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/setkey: extern.h parse.y setkey.c

Log Message:
drop __P, suggested by sevan


To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/crypto/dist/ipsec-tools/src/setkey/extern.h
cvs rdiff -u -r1.20 -r1.21 src/crypto/dist/ipsec-tools/src/setkey/parse.y
cvs rdiff -u -r1.17 -r1.18 src/crypto/dist/ipsec-tools/src/setkey/setkey.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/setkey/extern.h
diff -u src/crypto/dist/ipsec-tools/src/setkey/extern.h:1.5 src/crypto/dist/ipsec-tools/src/setkey/extern.h:1.6
--- src/crypto/dist/ipsec-tools/src/setkey/extern.h:1.5	Fri Mar  6 11:45:03 2009
+++ src/crypto/dist/ipsec-tools/src/setkey/extern.h	Mon May 28 20:34:45 2018
@@ -1,21 +1,21 @@
-/*	$NetBSD: extern.h,v 1.5 2009/03/06 11:45:03 tteras Exp $	*/
+/*	$NetBSD: extern.h,v 1.6 2018/05/28 20:34:45 maxv Exp $	*/
 
 
 
-void parse_init __P((void));
-int parse __P((FILE **));
-int parse_string __P((char *));
+void parse_init(void);
+int parse(FILE **);
+int parse_string(char *);
 
-int setkeymsg __P((char *, size_t *));
-int sendkeymsg __P((char *, size_t));
+int setkeymsg(char *, size_t *);
+int sendkeymsg(char *, size_t);
 
-int yylex __P((void));
-int yyparse __P((void));
-void yyfatal __P((const char *));
-void yyerror __P((const char *));
+int yylex(void);
+int yyparse(void);
+void yyfatal(const char *);
+void yyerror(const char *);
 
-u_int32_t *sendkeymsg_spigrep __P((unsigned int, struct addrinfo *,
-   struct addrinfo *, int *));
+u_int32_t *sendkeymsg_spigrep(unsigned int, struct addrinfo *,
+   struct addrinfo *, int *);
 
 extern int f_rfcmode;
 extern int lineno;

Index: src/crypto/dist/ipsec-tools/src/setkey/parse.y
diff -u src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.20 src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.21
--- src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.20	Mon May 28 19:52:18 2018
+++ src/crypto/dist/ipsec-tools/src/setkey/parse.y	Mon May 28 20:34:45 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: parse.y,v 1.20 2018/05/28 19:52:18 maxv Exp $	*/
+/*	$NetBSD: parse.y,v 1.21 2018/05/28 20:34:45 maxv Exp $	*/
 
 /*	$KAME: parse.y,v 1.81 2003/07/01 04:01:48 itojun Exp $	*/
 
@@ -90,21 +90,21 @@ static struct addrinfo * p_natt_oa = NUL
 
 static int p_aiflags = 0, p_aifamily = PF_UNSPEC;
 
-static struct addrinfo *parse_addr __P((char *, char *));
-static int fix_portstr __P((int, vchar_t *, vchar_t *, vchar_t *));
-static int setvarbuf __P((char *, int *, struct sadb_ext *, int, 
-const void *, int));
-void parse_init __P((void));
-void free_buffer __P((void));
-
-int setkeymsg0 __P((struct sadb_msg *, unsigned int, unsigned int, size_t));
-static int setkeymsg_spdaddr __P((unsigned int, unsigned int, vchar_t *,
-	struct addrinfo *, int, struct addrinfo *, int));
-static int setkeymsg_spdaddr_tag __P((unsigned int, char *, vchar_t *));
-static int setkeymsg_addr __P((unsigned int, unsigned int,
-	struct addrinfo *, struct addrinfo *, int));
-static int setkeymsg_add __P((unsigned int, unsigned int,
-	struct addrinfo *, struct addrinfo *));
+static struct addrinfo *parse_addr(char *, char *);
+static int fix_portstr(int, vchar_t *, vchar_t *, vchar_t *);
+static int setvarbuf(char *, int *, struct sadb_ext *, int, 
+const void *, int);
+void parse_init(void);
+void free_buffer(void);
+
+int setkeymsg0(struct sadb_msg *, unsigned int, unsigned int, size_t);
+static int setkeymsg_spdaddr(unsigned int, unsigned int, vchar_t *,
+	struct addrinfo *, int, struct addrinfo *, int);
+static int setkeymsg_spdaddr_tag(unsigned int, char *, vchar_t *);
+static int setkeymsg_addr(unsigned int, unsigned int,
+	struct addrinfo *, struct addrinfo *, int);
+static int setkeymsg_add(unsigned int, unsigned int,
+	struct addrinfo *, struct addrinfo *);
 %}
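Review bot: The new `static int setvarbuf(char *, int *, struct sadb_ext *, int, ` line carries a trailing space, and its continuation `const void *, int);` is at column 0 while the other wrapped prototypes in this hunk (`setkeymsg_spdaddr`, `setkeymsg_addr`, `setkeymsg_add`) indent theirs with a tab. Since the commit rewrites every one of these lines, either joining the two into `static int setvarbuf(char *, int *, struct sadb_ext *, int, const void *, int);` or indenting the continuation like its neighbours would make the block consistent.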
 
 %union {

Index: src/crypto/dist/ipsec-tools/src/setkey/setkey.c
diff -u src/crypto/dist/ipsec-tools/src/setkey/setkey.c:1.17 src/crypto/dist/ipsec-tools/src/setkey/setkey.c:1.18
--- src/crypto/dist/ipsec-tools/src/setkey/setkey.c:1.17	Mon May 28 19:52:18 2018
+++ src/crypto/dist/ipsec-tools/src/setkey/setkey.c	Mon May 28 20:34:45 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: setkey.c,v 1.17 2018/05/28 19:52:18 maxv Exp $	*/
+/*	$NetBSD: setkey.c,v 1.18 2018/05/28 20:34:45 maxv Exp $	*/
 
 /*	$KAME: setkey.c,v 1.36 2003/09/24 23:52:51 itojun Exp $	*/
 
@@ -71,20 +71,20 @@
 
 #define strlcpy(d,s,l) (strncpy(d,s,l), (d)[(l)-1] = '\0')
 
-void usage __P((int));
-int main __P((int, char **));
-int get_supported __P((void));
-void sendkeyshort __P((u_int));
-void promisc __P((void));
-int postproc __P((struct sadb_msg *, int));
-int verifypriority __P((struct sadb_msg *m));
-int fileproc __P((const char *));
-const char *numstr __P((int));
-void shortdump_hdr __P((void));
-void shortdump __P((struct 

CVS commit: src/crypto/dist/ipsec-tools/src/libipsec

2018-05-28 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Mon May 28 19:36:42 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/libipsec: pfkey_dump.c policy_parse.y

Log Message:
fix -Wdiscarded-qualifiers


To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 \
src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c
cvs rdiff -u -r1.12 -r1.13 \
src/crypto/dist/ipsec-tools/src/libipsec/policy_parse.y

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c
diff -u src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c:1.22 src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c:1.23
--- src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c:1.22	Mon May 28 19:22:40 2018
+++ src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c	Mon May 28 19:36:42 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: pfkey_dump.c,v 1.22 2018/05/28 19:22:40 maxv Exp $	*/
+/*	$NetBSD: pfkey_dump.c,v 1.23 2018/05/28 19:36:42 maxv Exp $	*/
 
 /*	$KAME: pfkey_dump.c,v 1.45 2003/09/08 10:14:56 itojun Exp $	*/
 
@@ -105,12 +105,12 @@ do { \
 		printf("%u ", (num)); \
 } while (/*CONSTCOND*/0)
 
-static char *str_ipaddr __P((struct sockaddr *));
-static char *str_ipport __P((struct sockaddr *));
-static char *str_prefport __P((u_int, u_int, u_int, u_int));
+static const char *str_ipaddr __P((struct sockaddr *));
+static const char *str_ipport __P((struct sockaddr *));
+static const char *str_prefport __P((u_int, u_int, u_int, u_int));
 static void str_upperspec __P((u_int, u_int, u_int));
 static char *str_time __P((time_t));
-static void str_lifetime_byte __P((struct sadb_lifetime *, char *));
+static void str_lifetime_byte __P((struct sadb_lifetime *, const char *));
 static void pfkey_sadump1(struct sadb_msg *, int);
 static void pfkey_spdump1(struct sadb_msg *, int);
 
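Review bot: `static char *str_time __P((time_t));` is the one formatter prototype left returning a non-const pointer while `str_ipaddr`, `str_ipport` and `str_prefport` were changed to `const char *`. If str_time also formats into a static buffer like its siblings (its body is not in this diff), `static const char *str_time __P((time_t));` would complete the -Wdiscarded-qualifiers cleanup and stop callers from writing through the returned pointer.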
@@ -122,7 +122,7 @@ struct val2str {
 /*
  * Must to be re-written about following strings.
  */
-static char *str_satype[] = {
+static const char *str_satype[] = {
 	"unspec",
 	"unknown",
 	"ah",
@@ -137,13 +137,13 @@ static char *str_satype[] = {
 	"tcp",
 };
 
-static char *str_mode[] = {
+static const char *str_mode[] = {
 	"any",
 	"transport",
 	"tunnel",
 };
 
-static char *str_state[] = {
+static const char *str_state[] = {
 	"larval",
 	"mature",
 	"dying",
@@ -661,7 +661,7 @@ pfkey_spdump1(struct sadb_msg *m, int wi
 /*
  * set "ipaddress" to buffer.
  */
-static char *
+static const char *
 str_ipaddr(struct sockaddr *sa)
 {
 	static char buf[NI_MAXHOST];
@@ -679,7 +679,7 @@ str_ipaddr(struct sockaddr *sa)
 /*
  * set "port" to buffer.
  */
-static char *
+static const char *
 str_ipport(struct sockaddr *sa)
 {
 	static char buf[NI_MAXHOST];
@@ -698,7 +698,7 @@ str_ipport(struct sockaddr *sa)
 /*
  * set "/prefix[port number]" to buffer.
  */
-static char *
+static const char *
 str_prefport(u_int family, u_int pref, u_int port, u_int ulp)
 {
 	static char buf[128];
@@ -793,10 +793,10 @@ str_time(time_t t)
 }
 
 static void
-str_lifetime_byte(struct sadb_lifetime *x, char *str)
+str_lifetime_byte(struct sadb_lifetime *x, const char *str)
 {
 	double y;
-	char *unit;
+	const char *unit;
 	int w;
 
 	if (x == NULL) {

Index: src/crypto/dist/ipsec-tools/src/libipsec/policy_parse.y
diff -u src/crypto/dist/ipsec-tools/src/libipsec/policy_parse.y:1.12 src/crypto/dist/ipsec-tools/src/libipsec/policy_parse.y:1.13
--- src/crypto/dist/ipsec-tools/src/libipsec/policy_parse.y:1.12	Mon May 28 19:22:40 2018
+++ src/crypto/dist/ipsec-tools/src/libipsec/policy_parse.y	Mon May 28 19:36:42 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: policy_parse.y,v 1.12 2018/05/28 19:22:40 maxv Exp $	*/
+/*	$NetBSD: policy_parse.y,v 1.13 2018/05/28 19:36:42 maxv Exp $	*/
 
 /*	$KAME: policy_parse.y,v 1.21 2003/12/12 08:01:26 itojun Exp $	*/
 
@@ -107,7 +107,7 @@ static struct sockaddr *p_src = NULL;
 static struct sockaddr *p_dst = NULL;
 
 struct _val;
-extern void yyerror __P((char *msg));
+extern void yyerror __P((const char *msg));
 static struct sockaddr *parse_sockaddr __P((struct _val *addrbuf,
 struct _val *portbuf));
 static int rule_check __P((void));
@@ -362,7 +362,7 @@ addresses
 %%
 
 void
-yyerror(char *msg)
+yyerror(const char *msg)
 {
 	fprintf(stderr, "libipsec: %s while parsing \"%s\"\n",
 		msg, __libipsectext);



CVS commit: src/crypto/dist/ipsec-tools/src/libipsec

2018-05-28 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Mon May 28 19:22:40 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/libipsec: ipsec_dump_policy.c
ipsec_get_policylen.c key_debug.c pfkey.c pfkey_dump.c
policy_parse.y policy_token.l

Log Message:
fix -Wunused and -Wold-style-definition


To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 \
src/crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c
cvs rdiff -u -r1.7 -r1.8 \
src/crypto/dist/ipsec-tools/src/libipsec/ipsec_get_policylen.c
cvs rdiff -u -r1.11 -r1.12 \
src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c \
src/crypto/dist/ipsec-tools/src/libipsec/policy_parse.y
cvs rdiff -u -r1.24 -r1.25 src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c
cvs rdiff -u -r1.21 -r1.22 \
src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c
cvs rdiff -u -r1.8 -r1.9 \
src/crypto/dist/ipsec-tools/src/libipsec/policy_token.l

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c
diff -u src/crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c:1.9 src/crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c:1.10
--- src/crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c:1.9	Fri Dec  3 15:01:11 2010
+++ src/crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c	Mon May 28 19:22:40 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_dump_policy.c,v 1.9 2010/12/03 15:01:11 tteras Exp $	*/
+/*	$NetBSD: ipsec_dump_policy.c,v 1.10 2018/05/28 19:22:40 maxv Exp $	*/
 
 /* Id: ipsec_dump_policy.c,v 1.10 2005/06/29 09:12:37 manubsd Exp */
 
@@ -76,26 +76,19 @@ static char *set_address __P((char *, si
  * When delimiter == NULL, alternatively ' '(space) is applied.
  */
 char *
-ipsec_dump_policy(policy, delimiter)
-	ipsec_policy_t policy;
-	__ipsec_const char *delimiter;
+ipsec_dump_policy(ipsec_policy_t policy, __ipsec_const char *delimiter)
 {
 	return ipsec_dump_policy1(policy, delimiter, 0);
 }
 
 char *
-ipsec_dump_policy_withports(policy, delimiter)
-	void *policy;
-	const char *delimiter;
+ipsec_dump_policy_withports(void *policy, const char *delimiter)
 {
 	return ipsec_dump_policy1(policy, delimiter, 1);
 }
 
 static char *
-ipsec_dump_policy1(policy, delimiter, withports)
-	void *policy;
-	const char *delimiter;
-	int withports;
+ipsec_dump_policy1(void *policy, const char *delimiter, int withports)
 {
 	struct sadb_x_policy *xpl = policy;
 	struct sadb_x_ipsecrequest *xisr;
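Review bot: The two public entry points now spell the delimiter qualifier differently: `ipsec_dump_policy(ipsec_policy_t policy, __ipsec_const char *delimiter)` uses the `__ipsec_const` macro while `ipsec_dump_policy_withports(void *policy, const char *delimiter)` uses plain `const`. Both forward to `ipsec_dump_policy1(void *policy, const char *delimiter, int withports)`, so one spelling for both definitions, matching whatever the public header declares (presumably the macro exists for that header's sake), avoids a qualifier mismatch that a later -Wdiscarded-qualifiers pass would flag. ipsec_dump_policy1's body continues outside the hunk.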
@@ -276,12 +269,8 @@ ipsec_dump_policy1(policy, delimiter, wi
 }
 
 static char *
-ipsec_dump_ipsecrequest(buf, len, xisr, bound, withports)
-	char *buf;
-	size_t len;
-	struct sadb_x_ipsecrequest *xisr;
-	size_t bound;	/* boundary */
-	int withports;
+ipsec_dump_ipsecrequest(char *buf, size_t len, struct sadb_x_ipsecrequest *xisr,
+size_t bound /* boundary */, int withports)
 {
 	const char *proto, *mode, *level;
 	char abuf[NI_MAXHOST * 2 + 2];
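Review bot: The new definition keeps a comment inside the parameter list, `size_t bound /* boundary */, int withports)`, and wraps the continuation to column 0, as does `int withports)` under set_addresses in the next hunk. Moving `/* boundary */` to a comment line above the definition and indenting the wrapped parameters by four spaces keeps the signature in the style of the rest of the file. The body continues outside the hunk.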
@@ -376,12 +365,8 @@ ipsec_dump_ipsecrequest(buf, len, xisr, 
 }
 
 static int
-set_addresses(buf, len, sa1, sa2, withports)
-	char *buf;
-	size_t len;
-	struct sockaddr *sa1;
-	struct sockaddr *sa2;
-	int withports;
+set_addresses(char *buf, size_t len, struct sockaddr *sa1, struct sockaddr *sa2,
+int withports)
 {
 	char tmp1[NI_MAXHOST], tmp2[NI_MAXHOST];
 
@@ -395,11 +380,7 @@ set_addresses(buf, len, sa1, sa2, withpo
 }
 
 static char *
-set_address(buf, len, sa, withports)
-	char *buf;
-	size_t len;
-	struct sockaddr *sa;
-	int withports;
+set_address(char *buf, size_t len, struct sockaddr *sa, int withports)
 {
 	const int niflags = NI_NUMERICHOST | NI_NUMERICSERV;
 	char host[NI_MAXHOST];

Index: src/crypto/dist/ipsec-tools/src/libipsec/ipsec_get_policylen.c
diff -u src/crypto/dist/ipsec-tools/src/libipsec/ipsec_get_policylen.c:1.7 src/crypto/dist/ipsec-tools/src/libipsec/ipsec_get_policylen.c:1.8
--- src/crypto/dist/ipsec-tools/src/libipsec/ipsec_get_policylen.c:1.7	Wed Jul 18 12:07:50 2007
+++ src/crypto/dist/ipsec-tools/src/libipsec/ipsec_get_policylen.c	Mon May 28 19:22:40 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_get_policylen.c,v 1.7 2007/07/18 12:07:50 vanhu Exp $	*/
+/*	$NetBSD: ipsec_get_policylen.c,v 1.8 2018/05/28 19:22:40 maxv Exp $	*/
 
 /*	$KAME: ipsec_get_policylen.c,v 1.5 2000/05/07 05:25:03 itojun Exp $	*/
 
@@ -47,8 +47,7 @@
 #include "ipsec_strerror.h"
 
 int
-ipsec_get_policylen(policy)
-	ipsec_policy_t policy;
+ipsec_get_policylen(ipsec_policy_t policy)
 {
 	return policy ? PFKEY_EXTLEN(policy) : -1;
 }

Index: src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c
diff -u src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c:1.11 src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c:1.12
--- src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c:1.11	Wed Apr 26 03:16:06 2017
+++ src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c	Mon May 28 19:22:40 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: key_debug.c,v 1.11 

CVS commit: src/crypto/dist/ipsec-tools

2018-05-20 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sun May 20 09:14:18 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools: README

Log Message:
Add a note about FreeBSD.


To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 src/crypto/dist/ipsec-tools/README

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/README
diff -u src/crypto/dist/ipsec-tools/README:1.3 src/crypto/dist/ipsec-tools/README:1.4
--- src/crypto/dist/ipsec-tools/README:1.3	Sun May 20 08:55:25 2018
+++ src/crypto/dist/ipsec-tools/README	Sun May 20 09:14:18 2018
@@ -41,6 +41,11 @@ source code was moved into NetBSD's CVS 
 However, many distributions still take their tarballs from SourceForge, and
 each distribution maintains local patches.
 
+FreeBSD maintains its own libipsec and setkey tools, in:
+
+	head/lib/libipsec/
+	head/sbin/setkey/
+
 A Trac used to exist, at the following address:
 
 	https://trac.ipsec-tools.net/



CVS commit: src/crypto/dist/ipsec-tools

2018-05-20 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sun May 20 08:55:25 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools: README

Log Message:
Update, after ten years. Importantly, add a "History" section, to explain
what's going on.

We have now become "upstream", and most of the ipsec-tools development is
done in NetBSD's CVS. However, many distributions still take their
tarballs from SourceForge (which is defunct, and not maintained).


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 src/crypto/dist/ipsec-tools/README

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/README
diff -u src/crypto/dist/ipsec-tools/README:1.2 src/crypto/dist/ipsec-tools/README:1.3
--- src/crypto/dist/ipsec-tools/README:1.2	Tue Dec 16 06:48:38 2008
+++ src/crypto/dist/ipsec-tools/README	Sun May 20 08:55:25 2018
@@ -9,30 +9,47 @@ in the Linux 2.6+ kernel. It works as we
 	- racoon, an IKEv1 keying daemon
 
 IPsec-tools were ported to Linux from the KAME project 
-(http://www.kame.net) by Derek Atkins  .
+(http://www.kame.net) by Derek Atkins .
+
+Authors
+===
+
+The ipsec-tools code has been maintained and developed by: 
 
-Currently the package is actively maintained and developed by: 
 	Emmanuel Dreyfus 
 	VANHULLEBUS Yvan 
 	Matthew Grooms 
 	Timo Teräs 
+	IHTFP Consulting 
+	SUSE Linux AG 
+
+Under the NetBSD CVS repository, several other people maintain it.
+
+History
+===
+
+Ipsec-tools was originally developed by the KAME project. It was then moved
+on SourfeForge, at the following address:
 
-Sources can be found at the IPsec-Tools home page at:
 	http://ipsec-tools.sourceforge.net/
 
-And CVS repository is hosted at NetBSD tree:
-	cvs -danon...@anoncvs.netbsd.org:/cvsroot co ipsec-tools
+Due to too restricted commit accesses, the development stalled, and the
+source code was moved into NetBSD's CVS repository, in:
+
+	src/crypto/dist/ipsec-tools
+
+However, many distributions still take their tarballs from SourceForge, and
+each distribution maintains local patches.
+
+A Trac used to exist, at the following address:
 
-Bug reports and project wiki is located at:
 	https://trac.ipsec-tools.net/
 
-Please report any problems to the mailing list:
+but the domain expired and was not renewed.
+
+The mailing lists from SourceForge still exist:
+
 	ipsec-tools-de...@lists.sourceforge.net
 	ipsec-tools-us...@lists.sourceforge.net
-
-You can also browse the list archive:
 	http://sf.net/mailarchive/forum.php?forum_name=ipsec-tools-devel
 
-Credits:
-	IHTFP Consulting, see http://www.ihtfp.com/
-	SUSE Linux AG, see http://www.suse.com/



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-05-20 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sun May 20 06:15:45 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: vmbuf.c vmbuf.h

Log Message:
Style.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/crypto/dist/ipsec-tools/src/racoon/vmbuf.c \
src/crypto/dist/ipsec-tools/src/racoon/vmbuf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/vmbuf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/vmbuf.c:1.4 src/crypto/dist/ipsec-tools/src/racoon/vmbuf.c:1.5
--- src/crypto/dist/ipsec-tools/src/racoon/vmbuf.c:1.4	Sat Sep  9 16:22:10 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/vmbuf.c	Sun May 20 06:15:45 2018
@@ -1,11 +1,11 @@
-/*	$NetBSD: vmbuf.c,v 1.4 2006/09/09 16:22:10 manu Exp $	*/
+/*	$NetBSD: vmbuf.c,v 1.5 2018/05/20 06:15:45 maxv Exp $	*/
 
 /*	$KAME: vmbuf.c,v 1.11 2001/11/26 16:54:29 sakane Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -17,7 +17,7 @@
  * 3. Neither the name of the project nor the names of its contributors
  *may be used to endorse or promote products derived from this software
  *without specific prior written permission.
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -50,8 +50,7 @@
 #include "gcmalloc.h"
 
 vchar_t *
-vmalloc(size)
-	size_t size;
+vmalloc(size_t size)
 {
 	vchar_t *var;
 
@@ -73,12 +72,10 @@ vmalloc(size)
 }
 
 vchar_t *
-vrealloc(ptr, size)
-	vchar_t *ptr;
-	size_t size;
+vrealloc(vchar_t *ptr, size_t size)
 {
 	caddr_t v;
-	
+
 	if (ptr != NULL) {
 		if (ptr->l == 0) {
 			(void)vfree(ptr);
@@ -103,8 +100,7 @@ vrealloc(ptr, size)
 }
 
 void
-vfree(var)
-	vchar_t *var;
+vfree(vchar_t *var)
 {
 	if (var == NULL)
 		return;
@@ -118,8 +114,7 @@ vfree(var)
 }
 
 vchar_t *
-vdup(src)
-	vchar_t *src;
+vdup(vchar_t *src)
 {
 	vchar_t *new;
 
Index: src/crypto/dist/ipsec-tools/src/racoon/vmbuf.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/vmbuf.h:1.4 src/crypto/dist/ipsec-tools/src/racoon/vmbuf.h:1.5
--- src/crypto/dist/ipsec-tools/src/racoon/vmbuf.h:1.4	Sat Sep  9 16:22:10 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/vmbuf.h	Sun May 20 06:15:45 2018
@@ -1,11 +1,11 @@
-/*	$NetBSD: vmbuf.h,v 1.4 2006/09/09 16:22:10 manu Exp $	*/
+/*	$NetBSD: vmbuf.h,v 1.5 2018/05/20 06:15:45 maxv Exp $	*/
 
 /* Id: vmbuf.h,v 1.4 2005/10/30 10:28:44 vanhu Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -17,7 +17,7 @@
  * 3. Neither the name of the project nor the names of its contributors
  *may be used to endorse or promote products derived from this software
  *without specific prior written permission.
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -62,7 +62,7 @@ do { \
 
 #if defined(__APPLE__) && defined(__MACH__)
 /* vfree is already defined in Apple's system libraries */
-#define vfree   vmbuf_free
+#define vfree	vmbuf_free
 #endif
 
 extern vchar_t *vmalloc __P((size_t));



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-05-19 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat May 19 20:40:40 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: misc.c

Log Message:
Remove dead code, and style.


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/crypto/dist/ipsec-tools/src/racoon/misc.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/misc.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/misc.c:1.6 src/crypto/dist/ipsec-tools/src/racoon/misc.c:1.7
--- src/crypto/dist/ipsec-tools/src/racoon/misc.c:1.6	Tue Jul 15 00:47:09 2008
+++ src/crypto/dist/ipsec-tools/src/racoon/misc.c	Sat May 19 20:40:40 2018
@@ -1,11 +1,11 @@
-/*	$NetBSD: misc.c,v 1.6 2008/07/15 00:47:09 mgrooms Exp $	*/
+/*	$NetBSD: misc.c,v 1.7 2018/05/19 20:40:40 maxv Exp $	*/
 
 /*	$KAME: misc.c,v 1.23 2001/08/16 14:37:29 itojun Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -17,7 +17,7 @@
  * 3. Neither the name of the project nor the names of its contributors
  *may be used to endorse or promote products derived from this software
  *without specific prior written permission.
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -50,33 +50,8 @@
 #include "misc.h"
 #include "debug.h"
 
-#if 0
-static int bindump __P((void *, size_t));
-
-static int
-bindump(buf0, len)
-void *buf0;
-size_t len;
-{
-	unsigned char *buf = (unsigned char *)buf0;
-	size_t i;
-
-	for (i = 0; i < len; i++) {
-		if ((buf[i] & 0x80) || !isprint(buf[i]))
-			printf("\\x%x", buf[i]);
-		else
-			printf("%c", buf[i]);
-	}
-	printf("\n");
-
-	return 0;
-}
-#endif
-
 int
-racoon_hexdump(buf0, len)
-	void *buf0;
-	size_t len;
+racoon_hexdump(void *buf0, size_t len)
 {
 	caddr_t buf = (caddr_t)buf0;
 	size_t i;
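Review bot: `caddr_t buf = (caddr_t)buf0;` reads the dumped bytes through a plain `char`, whose signedness is implementation-defined; if the body (outside this hunk) prints `buf[i]` with a `%x`-style conversion, bytes at or above 0x80 sign-extend on platforms with signed `char` and print as `ffffff..`. The `bindump` helper this commit deletes used `unsigned char *buf = (unsigned char *)buf0;` for exactly this reason; the same declaration here, together with `const void *buf0` if the function only reads the buffer, would be the safer form.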
@@ -94,8 +69,7 @@ racoon_hexdump(buf0, len)
 }
 
 char *
-bit2str(n, bl)
-	int n, bl;
+bit2str(int n, int bl)
 {
 #define MAXBITLEN 128
 	static char b[MAXBITLEN + 1];
@@ -115,10 +89,7 @@ bit2str(n, bl)
 }
 
 const char *
-debug_location(file, line, func)
-	const char *file;
-	int line;
-	const char *func;
+debug_location(const char *file, int line, const char *func)
 {
 	static char buf[1024];
 	const char *p;
@@ -143,23 +114,21 @@ debug_location(file, line, func)
  * -1: error occured.
  */
 int
-getfsize(path)
-	char *path;
+getfsize(char *path)
 {
-struct stat st;
+	struct stat st;
 
-if (stat(path, ) != 0)
-return -1;
-else
-return st.st_size;
+	if (stat(path, ) != 0)
+		return -1;
+	else
+		return st.st_size;
 }
 
 /*
  * set the close-on-exec flag for file descriptor fd.
  */
 void
-close_on_exec(fd)
-	int fd;
+close_on_exec(int fd)
 {
 	fcntl(fd, F_SETFD, FD_CLOEXEC);
 }
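Review bot: `return st.st_size;` narrows `off_t` to getfsize's `int` return, so for a file of 2 GiB or more the value wraps and can even coincide with the `-1` error value the comment above promises; since `stat()` is the only source here, widening the return to `off_t` or rejecting `st.st_size > INT_MAX` with `-1` would close that. `path` is only handed to `stat()`, so `const char *path` is the accurate qualifier. In close_on_exec the result of `fcntl(fd, F_SETFD, FD_CLOEXEC)` is discarded; a failure there silently leaves the descriptor inheritable across exec and is worth at least logging.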
@@ -170,8 +139,7 @@ close_on_exec(fd)
  * t2: end
  */
 double
-timedelta(t1, t2)
-	struct timeval *t1, *t2;
+timedelta(struct timeval *t1, struct timeval *t2)
 {
 	if (t2->tv_usec >= t1->tv_usec)
 		return t2->tv_sec - t1->tv_sec +



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-05-19 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat May 19 20:21:23 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: oakley.c

Log Message:
Remove unused 'error' variables; it's obvious they should have no use.


To generate a diff of this commit:
cvs rdiff -u -r1.26 -r1.27 src/crypto/dist/ipsec-tools/src/racoon/oakley.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/oakley.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.26 src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.27
--- src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.26	Sat May 19 20:14:56 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/oakley.c	Sat May 19 20:21:23 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: oakley.c,v 1.26 2018/05/19 20:14:56 maxv Exp $	*/
+/*	$NetBSD: oakley.c,v 1.27 2018/05/19 20:21:23 maxv Exp $	*/
 
 /* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */
 
@@ -786,7 +786,6 @@ oakley_compute_hash3(iph1, msgid, body)
 {
 	vchar_t *buf = 0, *res = 0;
 	int len;
-	int error = -1;
 
 	/* create buffer */
 	len = 1 + sizeof(u_int32_t) + body->l;
@@ -811,8 +810,6 @@ oakley_compute_hash3(iph1, msgid, body)
 	if (res == NULL)
 		goto end;
 
-	error = 0;
-
 	plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n");
 	plogdump(LLV_DEBUG, res->v, res->l);
 
@@ -841,7 +838,6 @@ oakley_compute_hash1(iph1, msgid, body)
 	vchar_t *buf = NULL, *res = NULL;
 	char *p;
 	int len;
-	int error = -1;
 
 	/* create buffer */
 	len = sizeof(u_int32_t) + body->l;
@@ -867,8 +863,6 @@ oakley_compute_hash1(iph1, msgid, body)
 	if (res == NULL)
 		goto end;
 
-	error = 0;
-
 	plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n");
 	plogdump(LLV_DEBUG, res->v, res->l);
 
@@ -893,7 +887,6 @@ oakley_ph1hash_common(iph1, sw)
 	vchar_t *buf = NULL, *res = NULL, *bp;
 	char *p, *bp2;
 	int len, bl;
-	int error = -1;
 #ifdef HAVE_GSSAPI
 	vchar_t *gsstokens = NULL;
 #endif
@@ -986,8 +979,6 @@ oakley_ph1hash_common(iph1, sw)
 	if (res == NULL)
 		goto end;
 
-	error = 0;
-
 	plog(LLV_DEBUG, LOCATION, NULL, "HASH (%s) computed:\n",
 		iph1->side == INITIATOR ? "init" : "resp");
 	plogdump(LLV_DEBUG, res->v, res->l);
@@ -1019,7 +1010,6 @@ oakley_ph1hash_base_i(iph1, sw)
 	vchar_t *hash = NULL;	/* for signature mode */
 	char *p;
 	int len;
-	int error = -1;
 
 	/* sanity check */
 	if (iph1->etype != ISAKMP_ETYPE_BASE) {
@@ -1133,8 +1123,6 @@ oakley_ph1hash_base_i(iph1, sw)
 	if (res == NULL)
 		goto end;
 
-	error = 0;
-
 	plog(LLV_DEBUG, LOCATION, NULL, "HASH_I computed:\n");
 	plogdump(LLV_DEBUG, res->v, res->l);
 
@@ -1160,7 +1148,6 @@ oakley_ph1hash_base_r(iph1, sw)
 	vchar_t *hash = NULL;
 	char *p;
 	int len;
-	int error = -1;
 
 	/* sanity check */
 	if (iph1->etype != ISAKMP_ETYPE_BASE) {
@@ -1259,8 +1246,6 @@ oakley_ph1hash_base_r(iph1, sw)
 	if (res == NULL)
 		goto end;
 
-	error = 0;
-
 	plog(LLV_DEBUG, LOCATION, NULL, "HASH_R computed:\n");
 	plogdump(LLV_DEBUG, res->v, res->l);
 



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-05-19 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat May 19 20:14:56 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: admin.c cfparse.y evt.c
grabmyaddr.c handler.c ipsec_doi.c isakmp.c isakmp_var.h
isakmp_xauth.c localconf.c oakley.c pfkey.c remoteconf.c sainfo.c
session.c

Log Message:
Use strict prototypes, when they don't introduce more warnings than they fix.
Also localify a few functions.


To generate a diff of this commit:
cvs rdiff -u -r1.40 -r1.41 src/crypto/dist/ipsec-tools/src/racoon/admin.c
cvs rdiff -u -r1.50 -r1.51 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y \
src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
cvs rdiff -u -r1.10 -r1.11 src/crypto/dist/ipsec-tools/src/racoon/evt.c
cvs rdiff -u -r1.36 -r1.37 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
cvs rdiff -u -r1.41 -r1.42 src/crypto/dist/ipsec-tools/src/racoon/handler.c
cvs rdiff -u -r1.77 -r1.78 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.17 -r1.18 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h
cvs rdiff -u -r1.29 -r1.30 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
cvs rdiff -u -r1.9 -r1.10 src/crypto/dist/ipsec-tools/src/racoon/localconf.c
cvs rdiff -u -r1.25 -r1.26 src/crypto/dist/ipsec-tools/src/racoon/oakley.c
cvs rdiff -u -r1.60 -r1.61 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c
cvs rdiff -u -r1.15 -r1.16 src/crypto/dist/ipsec-tools/src/racoon/sainfo.c
cvs rdiff -u -r1.34 -r1.35 src/crypto/dist/ipsec-tools/src/racoon/session.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/admin.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.40 src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.41
--- src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.40	Sat May 19 19:23:15 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/admin.c	Sat May 19 20:14:56 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: admin.c,v 1.40 2018/05/19 19:23:15 maxv Exp $	*/
+/*	$NetBSD: admin.c,v 1.41 2018/05/19 20:14:56 maxv Exp $	*/
 
 /* Id: admin.c,v 1.25 2006/04/06 14:31:04 manubsd Exp */
 
@@ -97,9 +97,7 @@ static int admin_process __P((int, char 
 static int admin_reply __P((int, struct admin_com *, int, vchar_t *));
 
 static int
-admin_handler(ctx, fd)
-	void *ctx;
-	int fd;
+admin_handler(void *ctx, int fd)
 {
 	int so2;
 	struct sockaddr_storage from;

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.50 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.51
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.50	Sat May 19 19:32:16 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Sat May 19 20:14:56 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.50 2018/05/19 19:32:16 maxv Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.51 2018/05/19 20:14:56 maxv Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -172,7 +172,7 @@ static int load_x509(const char *file, c
 	return 0;
 }
 
-static int process_rmconf()
+static int process_rmconf(void)
 {
 
 	/* check a exchange mode */
@@ -2611,8 +2611,7 @@ insspspec(rmconf, spspec)
 }
 
 static struct secprotospec *
-dupspspec(spspec)
-	struct secprotospec *spspec;
+dupspspec(struct secprotospec *spspec)
 {
 	struct secprotospec *new;
 
Index: src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.50 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.51
--- src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.50	Sat May 19 19:23:15 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c	Sat May 19 20:14:56 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_doi.c,v 1.50 2018/05/19 19:23:15 maxv Exp $	*/
+/*	$NetBSD: ipsec_doi.c,v 1.51 2018/05/19 20:14:56 maxv Exp $	*/
 
 /* Id: ipsec_doi.c,v 1.55 2006/08/17 09:20:41 vanhu Exp */
 
@@ -197,9 +197,7 @@ ipsecdoi_checkph1proposal(sa, iph1)
 }
 
 static void
-print_ph1proposal(pair, s)
-	struct prop_pair *pair;
-	struct isakmpsa *s;
+print_ph1proposal(struct prop_pair *pair, struct isakmpsa *s)
 {
 	struct isakmp_pl_p *prop = pair->prop;
 	struct isakmp_pl_t *trns = pair->trns;
@@ -3302,9 +3300,7 @@ doi2ipproto(proto)
  */
 
 int
-ipsecdoi_subnetisaddr_v4( subnet, address )
-	const vchar_t *subnet;
-	const vchar_t *address;
+ipsecdoi_subnetisaddr_v4(const vchar_t *subnet, const vchar_t *address)
 {
 	struct in_addr *mask;
 
@@ -3325,9 +3321,7 @@ ipsecdoi_subnetisaddr_v4( subnet, addres
 #ifdef INET6
 
 int
-ipsecdoi_subnetisaddr_v6( subnet, address )
-	const vchar_t *subnet;
-	const vchar_t *address;
+ipsecdoi_subnetisaddr_v6(const vchar_t *subnet, const vchar_t *address)
 {
 	struct in6_addr *mask;
 	int i;

Index: src/crypto/dist/ipsec-tools/src/racoon/evt.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/evt.c:1.10 

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-05-19 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat May 19 19:47:47 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: backupsa.c isakmp_cfg.c
isakmp_inf.c session.c

Log Message:
Remove unused labels, functions, and function prototypes.


To generate a diff of this commit:
cvs rdiff -u -r1.10 -r1.11 src/crypto/dist/ipsec-tools/src/racoon/backupsa.c
cvs rdiff -u -r1.27 -r1.28 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
cvs rdiff -u -r1.52 -r1.53 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
cvs rdiff -u -r1.33 -r1.34 src/crypto/dist/ipsec-tools/src/racoon/session.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/backupsa.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/backupsa.c:1.10 src/crypto/dist/ipsec-tools/src/racoon/backupsa.c:1.11
--- src/crypto/dist/ipsec-tools/src/racoon/backupsa.c:1.10	Fri Apr  2 15:15:00 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/backupsa.c	Sat May 19 19:47:47 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: backupsa.c,v 1.10 2010/04/02 15:15:00 christos Exp $	*/
+/*	$NetBSD: backupsa.c,v 1.11 2018/05/19 19:47:47 maxv Exp $	*/
 
 /*	$KAME: backupsa.c,v 1.16 2001/12/31 20:13:40 thorpej Exp $	*/
 
@@ -228,7 +228,6 @@ backupsa_from_file()
 		memset(, 0, sizeof(tm));
 		p = str2tmx(buf, );
 		if (*p != '%') {
-	err:
 			plog(LLV_ERROR, LOCATION, NULL,
 "illegal format line#%d in %s: %s\n",
 line, lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], 

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.27 src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.28
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.27	Sat May 19 19:32:16 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c	Sat May 19 19:47:47 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_cfg.c,v 1.27 2018/05/19 19:32:16 maxv Exp $	*/
+/*	$NetBSD: isakmp_cfg.c,v 1.28 2018/05/19 19:47:47 maxv Exp $	*/
 
 /* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */
 
@@ -740,7 +740,7 @@ isakmp_cfg_set(iph1, attrpl)
 		delph1(iph1);
 		iph1 = NULL;
 	}
-end:
+
 	vfree(payload);
 
 	/* 

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.52 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.53
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.52	Sat May 19 19:23:15 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Sat May 19 19:47:47 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.c,v 1.52 2018/05/19 19:23:15 maxv Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.53 2018/05/19 19:47:47 maxv Exp $	*/
 
 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
 
@@ -110,8 +110,6 @@ static int isakmp_info_recv_r_u_ack __P(
 static void isakmp_info_send_r_u __P((struct sched *));
 #endif
 
-static void purge_isakmp_spi __P((int, isakmp_index *, size_t));
-
 /* %%%
  * Information Exchange
  */
@@ -1072,32 +1070,6 @@ isakmp_add_pl_n(buf0, np_p, type, pr, da
 	return buf;
 }
 
-static void
-purge_isakmp_spi(proto, spi, n)
-	int proto;
-	isakmp_index *spi;	/*network byteorder*/
-	size_t n;
-{
-	struct ph1handle *iph1;
-	size_t i;
-
-	for (i = 0; i < n; i++) {
-		iph1 = getph1byindex([i]);
-		if (!iph1)
-			continue;
-
-		plog(LLV_INFO, LOCATION, NULL,
-			"purged ISAKMP-SA proto_id=%s spi=%s.\n",
-			s_ipsecdoi_proto(proto),
-			isakmp_pindex([i], 0));
-
-		iph1->status = PHASE1ST_EXPIRED;
-		isakmp_ph1delete(iph1);
-	}
-}
-
-
-
 void
 purge_ipsec_spi(dst0, proto, spi, n)
 	struct sockaddr *dst0;

Index: src/crypto/dist/ipsec-tools/src/racoon/session.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/session.c:1.33 src/crypto/dist/ipsec-tools/src/racoon/session.c:1.34
--- src/crypto/dist/ipsec-tools/src/racoon/session.c:1.33	Sat May 19 19:23:15 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/session.c	Sat May 19 19:47:47 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: session.c,v 1.33 2018/05/19 19:23:15 maxv Exp $	*/
+/*	$NetBSD: session.c,v 1.34 2018/05/19 19:47:47 maxv Exp $	*/
 
 /*	$KAME: session.c,v 1.32 2003/09/24 02:01:17 jinmei Exp $	*/
 
@@ -111,11 +111,9 @@ struct fd_monitor {
 #define NUM_PRIORITIES 2
 
 static void close_session __P((void));
-static void initfds __P((void));
 static void init_signal __P((void));
 static int set_signal __P((int sig, RETSIGTYPE (*func) __P((int;
 static void check_sigreq __P((void));
-static void check_flushsa __P((void));
 static int close_sockets __P((void));
 
 static fd_set preset_mask, active_mask;



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-05-19 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat May 19 19:32:16 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y isakmp_cfg.c
isakmp_frag.c isakmp_xauth.c

Log Message:
More unused variables.


To generate a diff of this commit:
cvs rdiff -u -r1.49 -r1.50 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
cvs rdiff -u -r1.26 -r1.27 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
cvs rdiff -u -r1.7 -r1.8 src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c
cvs rdiff -u -r1.28 -r1.29 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.49 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.50
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.49	Wed Feb 17 20:11:17 2016
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Sat May 19 19:32:16 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.49 2016/02/17 20:11:17 christos Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.50 2018/05/19 19:32:16 maxv Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -1543,7 +1543,6 @@ sainfo_id
 		{
 			char portbuf[10];
 			struct sockaddr *laddr = NULL, *haddr = NULL;
-			char *cur = NULL;
 
 			if (($6 == IPPROTO_ICMP || $6 == IPPROTO_ICMPV6)
 			 && ($5 != IPSEC_PORT_ANY || $5 != IPSEC_PORT_ANY)) {
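Review bot: The retained condition `($5 != IPSEC_PORT_ANY || $5 != IPSEC_PORT_ANY)` tests the same operand twice and therefore reduces to `$5 != IPSEC_PORT_ANY`; it looks like the second term was meant to examine a different port value of this rule (confirm which `$N` carries it), otherwise that other port is never checked for ICMP. The commit only drops the unused `cur`, so the check is left as it was. The enclosing `sainfo_id` action starts and ends outside the hunk.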
@@ -2013,7 +2012,6 @@ remote_spec
 	|	PEERS_CERTFILE CERT_PLAINRSA QUOTEDSTRING
 		{
 			char path[MAXPATHLEN];
-			int ret = 0;
 
 			if (cur_rmconf->peerscert != NULL) {
 yyerror("peers_certfile already defined\n");
@@ -2365,7 +2363,6 @@ cert_spec
 	|	CERT_PLAINRSA QUOTEDSTRING
 		{
 			char path[MAXPATHLEN];
-			int ret = 0;
 
 			if (cur_rmconf->mycert != NULL) {
 yyerror("certificate_type already defined\n");

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.26 src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.27
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.26	Wed Mar  9 22:27:17 2016
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c	Sat May 19 19:32:16 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_cfg.c,v 1.26 2016/03/09 22:27:17 christos Exp $	*/
+/*	$NetBSD: isakmp_cfg.c,v 1.27 2018/05/19 19:32:16 maxv Exp $	*/
 
 /* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */
 
@@ -322,7 +322,6 @@ isakmp_cfg_reply(iph1, attrpl)
 	size_t alen;
 	char *npp;
 	int type;
-	struct sockaddr_in *sin;
 	int error;
 
 	tlen = ntohs(attrpl->h.len);
@@ -782,7 +781,6 @@ isakmp_cfg_net(iph1, attr)
 {
 	int type;
 	int confsource;
-	in_addr_t addr4;
 
 	type = ntohs(attr->type);
 
@@ -1665,7 +1663,6 @@ isakmp_cfg_accounting_system(port, raddr
 	char *usr;
 	int inout;
 {
-	int error = 0;
 	struct utmpx ut;
 	char addr[NI_MAXHOST];
 	
@@ -1880,8 +1877,6 @@ isakmp_cfg_setenv(iph1, envp, envc)
 	char defdom[MAXPATHLEN + 1];
 	int cidr, tmp;
 	char cidrstr[4];
-	int i, p;
-	int test;
 
 	plog(LLV_DEBUG, LOCATION, NULL, "Starting a script.\n");
 
@@ -2134,7 +2129,6 @@ isakmp_cfg_init(cold) 
 	int cold;
 {
 	int i;
-	int error;
 
 	isakmp_cfg_config.network4 = (in_addr_t)0x;
 	isakmp_cfg_config.netmask4 = (in_addr_t)0x;
@@ -2184,6 +2178,7 @@ isakmp_cfg_init(cold) 
 	isakmp_cfg_config.splitdns_len = 0;
 
 #if 0
+	int error;
 	if (cold == ISAKMP_CFG_INIT_COLD) {
 		if ((error = isakmp_cfg_resize_pool(ISAKMP_CFG_MAX_CNX)) != 0)
 			return error;
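Review bot: Moving `int error;` under the `#if 0` block at the end of `isakmp_cfg_init` keeps dead code compiling rather than removing it; a declaration that exists only to serve a disabled block is a sign the block itself should go. If the cold-init pool resize is expected to return, a short comment on the `#if 0` line stating why it is disabled would be more useful than carrying a declaration for it. isakmp_cfg_init's body continues beyond the hunk.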

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.7 src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.8
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.7	Sun Jul 23 05:40:27 2017
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c	Sat May 19 19:32:16 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_frag.c,v 1.7 2017/07/23 05:40:27 christos Exp $	*/
+/*	$NetBSD: isakmp_frag.c,v 1.8 2018/05/19 19:32:16 maxv Exp $	*/
 
 /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
 
@@ -219,7 +219,6 @@ isakmp_frag_extract(iph1, msg)
 	struct isakmp_frag *frag;
 	struct isakmp_frag_item *item;
 	vchar_t *buf;
-	size_t len;
 	int last_frag = 0;
 	char *data;
 	int i;

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.28 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.29
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.28	Wed Mar  9 15:58:25 2016
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Sat May 19 19:32:16 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.28 2016/03/09 15:58:25 christos Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.29 2018/05/19 19:32:16 maxv Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -655,7 +655,6 @@ PAM_conv(msg_count, 

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-05-19 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat May 19 19:23:15 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: admin.c grabmyaddr.c
ipsec_doi.c isakmp.c isakmp_agg.c isakmp_base.c isakmp_ident.c
isakmp_inf.c main.c oakley.c privsep.c remoteconf.c session.c
vendorid.c

Log Message:
Remove unused variables.


To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.40 src/crypto/dist/ipsec-tools/src/racoon/admin.c
cvs rdiff -u -r1.35 -r1.36 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
cvs rdiff -u -r1.49 -r1.50 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
cvs rdiff -u -r1.76 -r1.77 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.16 -r1.17 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_agg.c
cvs rdiff -u -r1.12 -r1.13 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_base.c
cvs rdiff -u -r1.15 -r1.16 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c
cvs rdiff -u -r1.51 -r1.52 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
cvs rdiff -u -r1.14 -r1.15 src/crypto/dist/ipsec-tools/src/racoon/main.c
cvs rdiff -u -r1.24 -r1.25 src/crypto/dist/ipsec-tools/src/racoon/oakley.c
cvs rdiff -u -r1.23 -r1.24 src/crypto/dist/ipsec-tools/src/racoon/privsep.c
cvs rdiff -u -r1.28 -r1.29 \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
cvs rdiff -u -r1.32 -r1.33 src/crypto/dist/ipsec-tools/src/racoon/session.c
cvs rdiff -u -r1.8 -r1.9 src/crypto/dist/ipsec-tools/src/racoon/vendorid.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/admin.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.39 src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.40
--- src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.39	Mon Jun  3 05:49:31 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/admin.c	Sat May 19 19:23:15 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: admin.c,v 1.39 2013/06/03 05:49:31 tteras Exp $	*/
+/*	$NetBSD: admin.c,v 1.40 2018/05/19 19:23:15 maxv Exp $	*/
 
 /* Id: admin.c,v 1.25 2006/04/06 14:31:04 manubsd Exp */
 
@@ -327,7 +327,6 @@ admin_process(so2, combuf)
 
 #ifdef ENABLE_HYBRID
 	case ADMIN_LOGOUT_USER: {
-		struct ph1handle *iph1;
 		char user[LOGINLEN+1];
 		int found = 0, len = com->ac_len - sizeof(*com);
 
@@ -427,7 +426,6 @@ admin_process(so2, combuf)
 		case ADMIN_PROTO_ISAKMP: {
 			struct ph1handle *ph1;
 			struct remoteconf *rmconf;
-			u_int16_t port;
 
 			l_ac_errno = -1;
 

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.35 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.36
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.35	Wed Apr 12 16:47:39 2017
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Sat May 19 19:23:15 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.35 2017/04/12 16:47:39 roy Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.36 2018/05/19 19:23:15 maxv Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras .
@@ -140,7 +140,7 @@ myaddr_open_all_configured(addr)
 	struct sockaddr *addr;
 {
 	/* create all configured, not already opened addresses */
-	struct myaddr *cfg, *my;
+	struct myaddr *cfg;
 
 	if (addr != NULL) {
 		switch (addr->sa_family) {
@@ -859,7 +859,6 @@ kernel_sync()
 	caddr_t ref, buf, end;
 	size_t bufsiz;
 	struct if_msghdr *ifm;
-	struct interface *ifp;
 
 #define MIBSIZ 6
 	int mib[MIBSIZ] = {

Index: src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.49 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.50
--- src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.49	Tue Jun 18 05:39:50 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c	Sat May 19 19:23:15 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_doi.c,v 1.49 2013/06/18 05:39:50 tteras Exp $	*/
+/*	$NetBSD: ipsec_doi.c,v 1.50 2018/05/19 19:23:15 maxv Exp $	*/
 
 /* Id: ipsec_doi.c,v 1.55 2006/08/17 09:20:41 vanhu Exp */
 
@@ -264,8 +264,6 @@ get_ph1approval(iph1, doitype, sittype, 
 		for (s = pair[i]; s; s = s->next) {
 			/* compare proposal and select one */
 			for (p = s; p; p = p->tnext) {
-struct isakmp_pl_p *prop = p->prop;
-
 sa = newisakmpsa();
 ctx.p = p;
 ctx.sa = sa;
@@ -3894,7 +3892,7 @@ set_identifier_qual(vpp, type, value, qu
 		if (loglevel >= LLV_DEBUG) {
 			X509_NAME *xn;
 			BIO *bio;
-			unsigned char *ptr = (unsigned char *) new->v, *buf;
+			unsigned char *ptr = (unsigned char *) new->v;
 			size_t len;
 			char save;
 

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.76 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.77
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.76	Tue Jan 24 19:23:56 2017
+++ 

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-05-19 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat May 19 18:51:59 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: main.c nattraversal.c
nattraversal.h

Log Message:
Style, a little...


To generate a diff of this commit:
cvs rdiff -u -r1.13 -r1.14 src/crypto/dist/ipsec-tools/src/racoon/main.c
cvs rdiff -u -r1.14 -r1.15 \
src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c
cvs rdiff -u -r1.7 -r1.8 \
src/crypto/dist/ipsec-tools/src/racoon/nattraversal.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/main.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/main.c:1.13 src/crypto/dist/ipsec-tools/src/racoon/main.c:1.14
--- src/crypto/dist/ipsec-tools/src/racoon/main.c:1.13	Fri Jul 12 13:11:50 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/main.c	Sat May 19 18:51:59 2018
@@ -1,11 +1,11 @@
-/*	$NetBSD: main.c,v 1.13 2013/07/12 13:11:50 tteras Exp $	*/
+/*	$NetBSD: main.c,v 1.14 2018/05/19 18:51:59 maxv Exp $	*/
 
 /* Id: main.c,v 1.25 2006/06/20 20:31:34 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -17,7 +17,7 @@
  * 3. Neither the name of the project nor the names of its contributors
  *may be used to endorse or promote products derived from this software
  *without specific prior written permission.
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -85,9 +85,9 @@ static int loading_sa = 0;	/* install sa
 
 #ifdef TOP_PACKAGE
 static char version[] = "@(#)" TOP_PACKAGE_STRING " (" TOP_PACKAGE_URL ")";
-#else /* TOP_PACKAGE */
+#else
 static char version[] = "@(#) racoon / IPsec-tools";
-#endif /* TOP_PACKAGE */
+#endif
 
 static void
 print_version()
@@ -162,9 +162,7 @@ usage()
 }
 
 static void
-parse(ac, av)
-	int ac;
-	char **av;
+parse(int ac, char **av)
 {
 	extern char *optarg;
 	extern int optind;
@@ -264,9 +262,7 @@ parse(ac, av)
 }
 
 int
-main(ac, av)
-	int ac;
-	char **av;
+main(int ac, char **av)
 {
 	int error;
 
@@ -308,7 +304,7 @@ main(ac, av)
 	plog(LLV_INFO, LOCATION, NULL, "@(#)"
 	"This product linked %s (http://www.openssl.org/)"
 	"\n", eay_version());
-	plog(LLV_INFO, LOCATION, NULL, "Reading configuration from \"%s\"\n", 
+	plog(LLV_INFO, LOCATION, NULL, "Reading configuration from \"%s\"\n",
 	lcconf->racoon_conf);
 
 	/*
@@ -346,4 +342,3 @@ main(ac, av)
 
 	return 0;
 }
-

Index: src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c:1.14 src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c:1.15
--- src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c:1.14	Mon Mar 14 17:18:13 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c	Sat May 19 18:51:59 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: nattraversal.c,v 1.14 2011/03/14 17:18:13 tteras Exp $	*/
+/*	$NetBSD: nattraversal.c,v 1.15 2018/05/19 18:51:59 maxv Exp $	*/
 
 /*
  * Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
@@ -230,118 +230,117 @@ natt_udp_encap (int encmode)
 }
 
 int
-natt_fill_options (struct ph1natt_options *opts, int version)
+natt_fill_options(struct ph1natt_options *opts, int version)
 {
-  if (! opts)
-return -1;
+	if (!opts)
+		return -1;
 
-  opts->version = version;
+	opts->version = version;
 
-  switch (version) {
-case VENDORID_NATT_00:
-case VENDORID_NATT_01:
-  opts->float_port = 0; /* No port floating for those drafts */
-  opts->payload_nat_d = ISAKMP_NPTYPE_NATD_DRAFT;
-  opts->payload_nat_oa = ISAKMP_NPTYPE_NATOA_DRAFT;
-  opts->mode_udp_tunnel = IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT;
-  opts->mode_udp_transport = IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT;
-  opts->encaps_type = UDP_ENCAP_ESPINUDP_NON_IKE;
+	switch (version) {
+	case VENDORID_NATT_00:
+	case VENDORID_NATT_01:
+		opts->float_port = 0; /* No port floating for those drafts */
+		opts->payload_nat_d = ISAKMP_NPTYPE_NATD_DRAFT;
+		opts->payload_nat_oa = ISAKMP_NPTYPE_NATOA_DRAFT;
+		opts->mode_udp_tunnel = IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT;
+		opts->mode_udp_transport = IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT;
+		opts->encaps_type = UDP_ENCAP_ESPINUDP_NON_IKE;
+		break;
+	case VENDORID_NATT_02:
+	case VENDORID_NATT_02_N:
+	case VENDORID_NATT_03:
+		opts->float_port = lcconf->port_isakmp_natt;
+		opts->payload_nat_d = ISAKMP_NPTYPE_NATD_DRAFT;
+		opts->payload_nat_oa = ISAKMP_NPTYPE_NATOA_DRAFT;
+		opts->mode_udp_tunnel = IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT;
+		opts->mode_udp_transport = IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT;

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-04-01 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sun Apr  1 22:59:58 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: crypto_openssl.c

Log Message:
Avoid double frees (thanks asan)


To generate a diff of this commit:
cvs rdiff -u -r1.27 -r1.28 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.27 src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.28
--- src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.27	Tue Feb  6 22:59:03 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c	Sun Apr  1 18:59:57 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.c,v 1.27 2018/02/07 03:59:03 christos Exp $	*/
+/*	$NetBSD: crypto_openssl.c,v 1.28 2018/04/01 22:59:57 christos Exp $	*/
 
 /* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
 
@@ -2331,6 +2331,7 @@ eay_dh_generate(prime, ig, publen, pub, 
 		goto end;
 	if (!DH_set0_pqg(dh, p, NULL, g))
 		goto end;
+	p = g = NULL;
 
 	if (publen != 0)
 		DH_set_length(dh, publen);
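Review bot: The new `p = g = NULL;` relies on the reader knowing that `DH_set0_pqg` presumably takes ownership of its arguments only on success and that the `end:` cleanup frees whatever is still non-NULL, neither of which is visible at the assignment; a one-line comment would make the invariant explicit, e.g. `/* dh now owns p and g; end: must not free them */`. The same applies to the `p = g = NULL;` and `pub_key = priv_key = NULL;` lines added in eay_dh_compute below. Both functions' bodies and their `end:` labels lie outside the hunks.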
@@ -2395,9 +2396,11 @@ eay_dh_compute(prime, ig, pub, priv, pub
 
 	if (!DH_set0_pqg(dh, p, NULL, g))
 		goto end;
+	p = g = NULL;
 
 	if (!DH_set0_key(dh, pub_key, priv_key))
 		goto end;
+	pub_key = priv_key = NULL;
 
 	if ((v = racoon_calloc(prime->l, sizeof(u_char))) == NULL)
 		goto end;
@@ -2565,7 +2568,6 @@ binbuf_pubkey2rsa(vchar_t *binbuf)
 	return rsa_pub;
 out:
 	BN_free(exp);
-	BN_free(exp);
 	RSA_free(rsa_pub);
 	return NULL;
 }



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-04-01 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sun Apr  1 22:35:22 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: debugrm.c debugrm.h

Log Message:
make debugrm compile again.


To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 src/crypto/dist/ipsec-tools/src/racoon/debugrm.c
cvs rdiff -u -r1.4 -r1.5 src/crypto/dist/ipsec-tools/src/racoon/debugrm.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/debugrm.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/debugrm.c:1.3 src/crypto/dist/ipsec-tools/src/racoon/debugrm.c:1.4
--- src/crypto/dist/ipsec-tools/src/racoon/debugrm.c:1.3	Sat Sep  9 12:22:09 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/debugrm.c	Sun Apr  1 18:35:22 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: debugrm.c,v 1.3 2006/09/09 16:22:09 manu Exp $	*/
+/*	$NetBSD: debugrm.c,v 1.4 2018/04/01 22:35:22 christos Exp $	*/
 
 /*	$KAME: debugrm.c,v 1.6 2001/12/13 16:07:46 sakane Exp $	*/
 
@@ -51,37 +51,38 @@
 #define DRMLISTSIZE 1024
 
 struct drm_list_t {
-	void *ptr;
+	const void *ptr;
 	char msg[100];
 };
 static struct drm_list_t drmlist[DRMLISTSIZE];
 
 static int drm_unknown;
 
-static void DRM_add __P((void *, char *));
-static void DRM_del __P((void *));
-static void DRM_setmsg __P((char *, int, void *, int, char *, int, char *));
+static void DRM_add(const void *, const char *);
+static void DRM_del(const void *);
+static void DRM_setmsg(char *, size_t, const void *, size_t, const char *,
+size_t, const char *);
 
 void 
-DRM_init()
+DRM_init(void)
 {
-	int i;
+	size_t i;
 	drm_unknown = 0;
-	for (i = 0; i < sizeof(drmlist)/sizeof(drmlist[0]); i++)
+	for (i = 0; i < __arraycount(drmlist); i++)
 		drmlist[i].ptr = 0;
 }
 
 void
-DRM_dump()
+DRM_dump(void)
 {
 	FILE *fp;
-	int i;
+	size_t i;
 
 	fp = fopen(DRMDUMPFILE, "w");
 	if (fp == NULL)
 		err(1, "fopen");	/*XXX*/
 	fprintf(fp, "drm_unknown=%d\n", drm_unknown);
-	for (i = 0; i < sizeof(drmlist)/sizeof(drmlist[0]); i++) {
+	for (i = 0; i < __arraycount(drmlist); i++) {
 		if (drmlist[i].ptr)
 			fprintf(fp, "%s\n", drmlist[i].msg);
 	}
@@ -89,12 +90,10 @@ DRM_dump()
 }
 
 static void 
-DRM_add(p, msg)
-	void *p;
-	char *msg;
+DRM_add(const void *p, const char *msg)
 {
-	int i;
-	for (i = 0; i < sizeof(drmlist)/sizeof(drmlist[0]); i++) {
+	size_t i;
+	for (i = 0; i < __arraycount(drmlist); i++) {
 		if (!drmlist[i].ptr) {
 			drmlist[i].ptr = p;
 			strlcpy(drmlist[i].msg, msg, sizeof(drmlist[i].msg));
@@ -104,15 +103,14 @@ DRM_add(p, msg)
 }
 
 static void
-DRM_del(p)
-	void *p;
+DRM_del(const void *p)
 {
-	int i;
+	size_t i;
 
 	if (!p)
 		return;
 
-	for (i = 0; i < sizeof(drmlist)/sizeof(drmlist[0]); i++) {
+	for (i = 0; i < __arraycount(drmlist); i++) {
 		if (drmlist[i].ptr == p) {
 			drmlist[i].ptr = 0;
 			return;
@@ -122,10 +120,8 @@ DRM_del(p)
 }
 
 static void
-DRM_setmsg(buf, buflen, ptr, size, file, line, func)
-	char *buf, *file, *func;
-	int buflen, size, line;
-	void *ptr;
+DRM_setmsg(char *buf, size_t buflen, const void *ptr, size_t size,
+const char *file, size_t line, const char *func)
 {
 	time_t t;
 	struct tm *tm;
@@ -136,14 +132,11 @@ DRM_setmsg(buf, buflen, ptr, size, file,
 	len = strftime(buf, buflen, "%Y/%m/%d:%T ", tm);
 
 	snprintf(buf + len, buflen - len, "%p %6d %s:%d:%s",
-		ptr, size, file , line, func);
+		ptr, size, file, line, func);
 }
 
 void *
-DRM_malloc(file, line, func, size)
-	char *file, *func;
-	int line;
-	size_t size;
+DRM_malloc(const char *file, size_t line, const char *func, size_t size)
 {
 	void *p;
 
@@ -158,10 +151,8 @@ DRM_malloc(file, line, func, size)
 }
 
 void *
-DRM_calloc(file, line, func, number, size)
-	char *file, *func;
-	int line;
-	size_t number, size;
+DRM_calloc(const char *file, size_t line, const char *func, size_t number,
+size_t size)
 {
 	void *p;
 
@@ -175,11 +166,8 @@ DRM_calloc(file, line, func, number, siz
 }
 
 void *
-DRM_realloc(file, line, func, ptr, size)
-	char *file, *func;
-	int line;
-	void *ptr;
-	size_t size;
+DRM_realloc(const char *file, size_t line, const char *func, void *ptr,
+size_t size)
 {
 	void *p;
 
@@ -197,20 +185,14 @@ DRM_realloc(file, line, func, ptr, size)
 }
 
 void
-DRM_free(file, line, func, ptr)
-	char *file, *func;
-	int line;
-	void *ptr;
+DRM_free(const char *file, size_t line, const char *func, void *ptr)
 {
 	DRM_del(ptr);
 	free(ptr);
 }
 
 char *
-DRM_strdup(file, line, func, str)
-	char *file, *func;
-	int line;
-	const char *str;
+DRM_strdup(const char *file, size_t line, const char *func, const char *str)
 {
 	char *p;
 
@@ -218,7 +200,7 @@ DRM_strdup(file, line, func, str)
 
 	if (p) {
 		char buf[1024];
-		DRM_setmsg(buf, sizeof(buf), p, size, file, line, func);
+		DRM_setmsg(buf, sizeof(buf), p, strlen(p), file, line, func);
 		DRM_add(p, buf);
 	}
 
@@ -229,10 +211,7 @@ DRM_strdup(file, line, func, str)
  * mask vmbuf.c functions.
  */
 

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-02-06 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Feb  7 03:59:03 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: crypto_openssl.c
crypto_openssl.h prsa_par.y rsalist.c

Log Message:
Welcome to the 21st century Buck Rogers: OpenSSL-1.1


To generate a diff of this commit:
cvs rdiff -u -r1.26 -r1.27 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
cvs rdiff -u -r1.8 -r1.9 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h
cvs rdiff -u -r1.6 -r1.7 src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y \
src/crypto/dist/ipsec-tools/src/racoon/rsalist.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.26 src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.27
--- src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.26	Sun Jun 11 18:12:56 2017
+++ src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c	Tue Feb  6 22:59:03 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.c,v 1.26 2017/06/11 22:12:56 christos Exp $	*/
+/*	$NetBSD: crypto_openssl.c,v 1.27 2018/02/07 03:59:03 christos Exp $	*/
 
 /* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
 
@@ -109,11 +109,11 @@
  * necessary for SSLeay/OpenSSL portability.  It sucks.
  */
 
-static int cb_check_cert_local __P((int, X509_STORE_CTX *));
-static int cb_check_cert_remote __P((int, X509_STORE_CTX *));
-static X509 *mem2x509 __P((vchar_t *));
+static int cb_check_cert_local(int, X509_STORE_CTX *);
+static int cb_check_cert_remote(int, X509_STORE_CTX *);
+static X509 *mem2x509(vchar_t *);
 
-static caddr_t eay_hmac_init __P((vchar_t *, const EVP_MD *));
+static caddr_t eay_hmac_init(vchar_t *, const EVP_MD *);
 
 /* X509 Certificate */
 /*
@@ -312,13 +312,19 @@ eay_cmp_asn1dn(n1, n2)
 	for(idx = 0; idx < X509_NAME_entry_count(a); idx++) {
 		X509_NAME_ENTRY *ea = X509_NAME_get_entry(a, idx);
 		X509_NAME_ENTRY *eb = X509_NAME_get_entry(b, idx);
+		ASN1_STRING *eda, *edb;
 		if (!eb) {	/* reached end of eb while still entries in ea, can not be equal... */
 			i = idx+1;
 			goto end;
 		}
-		if ((ea->value->length == 1 && ea->value->data[0] == '*') ||
-		(eb->value->length == 1 && eb->value->data[0] == '*')) {
-			if (OBJ_cmp(ea->object,eb->object)) {
+		eda = X509_NAME_ENTRY_get_data(ea);
+		edb = X509_NAME_ENTRY_get_data(eb);
+		if ((eda->length == 1 && eda->data[0] == '*') ||
+		(edb->length == 1 && edb->data[0] == '*')) {
+			ASN1_OBJECT *eoa, *eob;
+			eoa = X509_NAME_ENTRY_get_object(ea);
+			eob = X509_NAME_ENTRY_get_object(eb);
+			if (OBJ_cmp(eoa, eob)) {
 i = idx+1;
 goto end;
 			}
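Review bot: The new code reads `eda->length` and `eda->data` directly on the ASN1_STRING returned by X509_NAME_ENTRY_get_data(), while the rest of this commit moves to accessor functions for the structures OpenSSL 1.1 made opaque; ASN1_STRING still appears to be a public struct in 1.1, so this compiles, but `ASN1_STRING_length()` and `ASN1_STRING_get0_data()` are the documented interface and keep this loop from breaking if the struct is hidden later. With them the wildcard test reads `if ((ASN1_STRING_length(eda) == 1 && ASN1_STRING_get0_data(eda)[0] == '*') || (ASN1_STRING_length(edb) == 1 && ASN1_STRING_get0_data(edb)[0] == '*'))`. eay_cmp_asn1dn starts and ends outside this hunk.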
@@ -426,19 +432,17 @@ cb_check_cert_local(ok, ctx)
 	X509_STORE_CTX *ctx;
 {
 	char buf[256];
-	int log_tag;
+	int log_tag, error;
 
 	if (!ok) {
-		X509_NAME_oneline(
-X509_get_subject_name(ctx->current_cert),
-buf,
-256);
+		X509_NAME_oneline(X509_get_subject_name(
+		X509_STORE_CTX_get_current_cert(ctx)), buf, 256);
 		/*
 		 * since we are just checking the certificates, it is
 		 * ok if they are self signed. But we should still warn
 		 * the user.
  		 */
-		switch (ctx->error) {
+		switch (error = X509_STORE_CTX_get_error(ctx)) {
 		case X509_V_ERR_CERT_HAS_EXPIRED:
 		case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
 		case X509_V_ERR_INVALID_CA:
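Review bot: The rewritten X509_NAME_oneline() call still passes the literal 256 as the buffer length, duplicating the size of `char buf[256]` declared a few lines above; `sizeof(buf)` ties the two together so a later resize of buf cannot silently desynchronise them: `X509_STORE_CTX_get_current_cert(ctx)), buf, sizeof(buf));`. The same literal is repeated in the cb_check_cert_remote hunk below. As a point of style, `switch (error = X509_STORE_CTX_get_error(ctx))` is legal but reads more clearly as `error = X509_STORE_CTX_get_error(ctx);` followed by `switch (error) {`. cb_check_cert_local starts and ends outside this hunk.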
@@ -453,9 +457,8 @@ cb_check_cert_local(ok, ctx)
 		}
 		plog(log_tag, LOCATION, NULL,
 			"%s(%d) at depth:%d SubjectName:%s\n",
-			X509_verify_cert_error_string(ctx->error),
-			ctx->error,
-			ctx->error_depth,
+			X509_verify_cert_error_string(error), error,
+			X509_STORE_CTX_get_error_depth(ctx),
 			buf);
 	}
 	ERR_clear_error();
@@ -473,14 +476,12 @@ cb_check_cert_remote(ok, ctx)
 	X509_STORE_CTX *ctx;
 {
 	char buf[256];
-	int log_tag;
+	int log_tag, error;
 
 	if (!ok) {
-		X509_NAME_oneline(
-X509_get_subject_name(ctx->current_cert),
-buf,
-256);
-		switch (ctx->error) {
+		X509_NAME_oneline(X509_get_subject_name(
+		X509_STORE_CTX_get_current_cert(ctx)), buf, 256);
+		switch (error = X509_STORE_CTX_get_error(ctx)) {
 		case X509_V_ERR_UNABLE_TO_GET_CRL:
 			ok = 1;
 			log_tag = LLV_WARNING;
@@ -490,9 +491,9 @@ cb_check_cert_remote(ok, ctx)
 		}
 		plog(log_tag, LOCATION, NULL,
 			"%s(%d) at depth:%d SubjectName:%s\n",
-			X509_verify_cert_error_string(ctx->error),
-			ctx->error,
-			ctx->error_depth,
+			X509_verify_cert_error_string(error),
+			error,
+			X509_STORE_CTX_get_error_depth(ctx),
 			buf);
 	}
 	ERR_clear_error();
@@ -508,6 +509,7 @@ eay_get_x509asn1subjectname(cert)
 	vchar_t *cert;
 {
 	X509 *x509 = NULL;
+	X509_NAME *xname;
 	u_char *bp;
 	vchar_t *name = NULL;
 	int len;
@@ -517,13 +519,14 @@ eay_get_x509asn1subjectname(cert)
 		goto error;
 
 	/* get the length of the name */
-	len = i2d_X509_NAME(x509->cert_info->subject, NULL);

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2017-11-09 Thread Kengo NAKAHARA
Module Name:src
Committed By:   knakahara
Date:   Thu Nov  9 08:34:50 UTC 2017

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: pfkey.c

Log Message:
fix typo. (does not affect actual operation, but confuses reader...)

The function is called when racoon receives SADB_X_MIGRATE pfkey message,
however the message is not used now. It was compatibility code for KAME.


To generate a diff of this commit:
cvs rdiff -u -r1.59 -r1.60 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/pfkey.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.59 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.60
--- src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.59	Thu Nov 29 15:31:25 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/pfkey.c	Thu Nov  9 08:34:50 2017
@@ -1,6 +1,6 @@
-/*	$NetBSD: pfkey.c,v 1.59 2012/11/29 15:31:25 vanhu Exp $	*/
+/*	$NetBSD: pfkey.c,v 1.60 2017/11/09 08:34:50 knakahara Exp $	*/
 
-/* $Id: pfkey.c,v 1.59 2012/11/29 15:31:25 vanhu Exp $ */
+/* $Id: pfkey.c,v 1.60 2017/11/09 08:34:50 knakahara Exp $ */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -3177,8 +3177,8 @@ migrate_ph2_one_isr(spid, isr_cur, xisr_
 
 	/* Then, verify reqid if necessary */
 	if (isr_cur->saidx.reqid &&
-	(xisr_old->sadb_x_ipsecrequest_reqid != IPSEC_LEVEL_UNIQUE ||
-	 xisr_new->sadb_x_ipsecrequest_reqid != IPSEC_LEVEL_UNIQUE ||
+	(xisr_old->sadb_x_ipsecrequest_level != IPSEC_LEVEL_UNIQUE ||
+	 xisr_new->sadb_x_ipsecrequest_level != IPSEC_LEVEL_UNIQUE ||
 	 isr_cur->saidx.reqid != xisr_old->sadb_x_ipsecrequest_reqid ||
 	 isr_cur->saidx.reqid != xisr_new->sadb_x_ipsecrequest_reqid))
 		return -1;



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2017-07-22 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sun Jul 23 05:40:28 UTC 2017

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_frag.c

Log Message:
PR/51682: Antoine Beaupré: Simplify and comment previous patch.
XXX: pullup-8


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.6 src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.7
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.6	Tue Jan 24 14:23:31 2017
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c	Sun Jul 23 01:40:27 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_frag.c,v 1.6 2017/01/24 19:23:31 christos Exp $	*/
+/*	$NetBSD: isakmp_frag.c,v 1.7 2017/07/23 05:40:27 christos Exp $	*/
 
 /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
 
@@ -179,20 +179,26 @@ isakmp_frag_insert(struct ph1handle *iph
 	struct isakmp_frag_item *pitem = NULL;
 	struct isakmp_frag_item *citem = iph1->frag_chain;
 
+	/* no frag yet, just insert at beginning of list */
 	if (iph1->frag_chain == NULL) {
 		iph1->frag_chain = item;
 		return 0;
 	}
 
 	do {
+		/* duplicate fragment number, abort (CVE-2016-10396) */
 		if (citem->frag_num == item->frag_num)
 			return -1;
 
+		/* need to insert before current item */
 		if (citem->frag_num > item->frag_num) {
-			if (pitem)
+			if (pitem != NULL)
 pitem->frag_next = item;
+			else
+/* insert at the beginning of the list  */
+iph1->frag_chain = item;
 			item->frag_next = citem;
-			break;
+			return 0;
 		}
 
 		pitem = citem;
@@ -200,8 +206,7 @@ isakmp_frag_insert(struct ph1handle *iph
 	} while (citem != NULL);
 
 	/* we reached the end of the list, insert */
-	if (citem == NULL)
-	  pitem->frag_next = item;
+	pitem->frag_next = item;
 	return 0;
 }
 



CVS commit: src/crypto/dist/ipsec-tools/src/setkey

2017-07-04 Thread Ryota Ozaki
Module Name:src
Committed By:   ozaki-r
Date:   Wed Jul  5 01:22:40 UTC 2017

Modified Files:
src/crypto/dist/ipsec-tools/src/setkey: parse.y token.l

Log Message:
Add update command for testing

Updating an SA (SADB_UPDATE) requires that the process issuing
SADB_UPDATE be the same process that issued SADB_ADD (or SADB_GETSPI).
This means that update command must be used with add command in a
configuration of setkey. This usage is normally meaningless but
useful for testing (and debugging) purposes.


To generate a diff of this commit:
cvs rdiff -u -r1.18 -r1.19 src/crypto/dist/ipsec-tools/src/setkey/parse.y
cvs rdiff -u -r1.19 -r1.20 src/crypto/dist/ipsec-tools/src/setkey/token.l

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/setkey/parse.y
diff -u src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.18 src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.19
--- src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.18	Thu Apr 13 01:19:17 2017
+++ src/crypto/dist/ipsec-tools/src/setkey/parse.y	Wed Jul  5 01:22:40 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: parse.y,v 1.18 2017/04/13 01:19:17 ozaki-r Exp $	*/
+/*	$NetBSD: parse.y,v 1.19 2017/07/05 01:22:40 ozaki-r Exp $	*/
 
 /*	$KAME: parse.y,v 1.81 2003/07/01 04:01:48 itojun Exp $	*/
 
@@ -115,7 +115,7 @@ static int setkeymsg_add __P((unsigned i
 }
 
 %token EOT SLASH BLCL ELCL
-%token ADD GET DELETE DELETEALL FLUSH DUMP EXIT
+%token ADD UPDATE GET DELETE DELETEALL FLUSH DUMP EXIT
 %token PR_ESP PR_AH PR_IPCOMP PR_ESPUDP PR_TCP
 %token F_PROTOCOL F_AUTH F_ENC F_REPLAY F_COMP F_RAWCPI
 %token F_MODE MODE F_REQID
@@ -160,6 +160,7 @@ commands
 
 command
 	:	add_command
+	|	update_command
 	|	get_command
 	|	delete_command
 	|	deleteall_command
@@ -186,6 +187,18 @@ add_command
 		}
 	;
 
+	/* update */
+update_command
+	:	UPDATE ipaddropts ipandport ipandport protocol_spec spi extension_spec algorithm_spec EOT
+		{
+			int status;
+
+			status = setkeymsg_add(SADB_UPDATE, $5, $3, $4);
+			if (status < 0)
+return -1;
+		}
+	;
+
 	/* delete */
 delete_command
 	:	DELETE ipaddropts ipandport ipandport protocol_spec spi extension_spec EOT

Index: src/crypto/dist/ipsec-tools/src/setkey/token.l
diff -u src/crypto/dist/ipsec-tools/src/setkey/token.l:1.19 src/crypto/dist/ipsec-tools/src/setkey/token.l:1.20
--- src/crypto/dist/ipsec-tools/src/setkey/token.l:1.19	Wed Sep 10 21:01:33 2014
+++ src/crypto/dist/ipsec-tools/src/setkey/token.l	Wed Jul  5 01:22:40 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: token.l,v 1.19 2014/09/10 21:01:33 christos Exp $	*/
+/*	$NetBSD: token.l,v 1.20 2017/07/05 01:22:40 ozaki-r Exp $	*/
 
 /*	$KAME: token.l,v 1.44 2003/10/21 07:20:58 itojun Exp $	*/
 
@@ -116,6 +116,7 @@ hostname	{name}(({dot}{name})+{dot}?)?
 
 
 add		{ return(ADD); }
+update		{ return(UPDATE); }
 delete		{ return(DELETE); }
 deleteall	{ return(DELETEALL); }
 get		{ return(GET); }



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2017-06-11 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sun Jun 11 22:12:56 UTC 2017

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: crypto_openssl.c

Log Message:
PR/52292: Shinichi Doyashiki: Fix reversed comments.


To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.26 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.25 src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.26
--- src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.25	Thu Feb 27 03:37:58 2014
+++ src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c	Sun Jun 11 18:12:56 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.c,v 1.25 2014/02/27 08:37:58 tteras Exp $	*/
+/*	$NetBSD: crypto_openssl.c,v 1.26 2017/06/11 22:12:56 christos Exp $	*/
 
 /* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
 
@@ -1268,7 +1268,7 @@ eay_idea_encrypt(data, key, iv)
 	if ((res = vmalloc(data->l)) == NULL)
 		return NULL;
 
-	/* decryption data */
+	/* encrypt data */
 	idea_cbc_encrypt((unsigned char *)data->v, (unsigned char *)res->v, data->l,
 			, (unsigned char *)iv->v, IDEA_ENCRYPT);
 
@@ -1366,7 +1366,7 @@ eay_rc5_encrypt(data, key, iv)
 	if ((res = vmalloc(data->l)) == NULL)
 		return NULL;
 
-	/* decryption data */
+	/* encrypt data */
 	RC5_32_cbc_encrypt((unsigned char *)data->v, (unsigned char *)res->v, data->l,
 		, (unsigned char *)iv->v, RC5_ENCRYPT);
 



CVS commit: src/crypto/dist/ipsec-tools/src/libipsec

2017-04-25 Thread Ryota Ozaki
Module Name:src
Committed By:   ozaki-r
Date:   Wed Apr 26 03:19:49 UTC 2017

Modified Files:
src/crypto/dist/ipsec-tools/src/libipsec: pfkey_dump.c

Log Message:
Print protocol number as well as its name

ex.) before: "reserved" -> after: "255(reserved)"

The original author is hsuenaga@IIJ


To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.21 \
src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c
diff -u src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c:1.20 src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c:1.21
--- src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c:1.20	Mon Jan  9 15:25:13 2012
+++ src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c	Wed Apr 26 03:19:49 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: pfkey_dump.c,v 1.20 2012/01/09 15:25:13 drochner Exp $	*/
+/*	$NetBSD: pfkey_dump.c,v 1.21 2017/04/26 03:19:49 ozaki-r Exp $	*/
 
 /*	$KAME: pfkey_dump.c,v 1.45 2003/09/08 10:14:56 itojun Exp $	*/
 
@@ -761,7 +761,7 @@ str_upperspec(ulp, p1, p2)
 
 	ent = getprotobynumber((int)ulp);
 	if (ent)
-		printf("%s", ent->p_name);
+		printf("%u(%s)", ulp, ent->p_name);
 	else
 		printf("%u", ulp);
 



CVS commit: src/crypto/dist/ipsec-tools/src/setkey

2017-04-12 Thread Ryota Ozaki
Module Name:src
Committed By:   ozaki-r
Date:   Thu Apr 13 01:19:17 UTC 2017

Modified Files:
src/crypto/dist/ipsec-tools/src/setkey: parse.y

Log Message:
Fix parsing ah without a key


To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.18 src/crypto/dist/ipsec-tools/src/setkey/parse.y

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/setkey/parse.y
diff -u src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.17 src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.18
--- src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.17	Wed Sep 10 21:04:08 2014
+++ src/crypto/dist/ipsec-tools/src/setkey/parse.y	Thu Apr 13 01:19:17 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: parse.y,v 1.17 2014/09/10 21:04:08 christos Exp $	*/
+/*	$NetBSD: parse.y,v 1.18 2017/04/13 01:19:17 ozaki-r Exp $	*/
 
 /*	$KAME: parse.y,v 1.81 2003/07/01 04:01:48 itojun Exp $	*/
 
@@ -497,7 +497,13 @@ auth_alg
 			p_alg_auth = $1;
 
 			p_key_auth_len = 0;
-			p_key_auth = NULL;
+			p_key_auth = "";
+			if (ipsec_check_keylen(SADB_EXT_SUPPORTED_AUTH,
+			p_alg_auth,
+			PFKEY_UNUNIT64(p_key_auth_len)) < 0) {
+yyerror(ipsec_strerror());
+return -1;
+			}
 		}
 	;
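Review bot: `p_key_auth = "";` points the key pointer at a string literal rather than at allocated storage, which is only safe if nothing later frees or writes through p_key_auth; this hunk does not show how the variable is released, so that ownership rule should be confirmed before the literal is relied on. If the only purpose is to give ipsec_check_keylen() a zero-length key, passing the length directly, `PFKEY_UNUNIT64(p_key_auth_len)` with p_key_auth_len already 0, does not require the pointer to be non-NULL at all, so `p_key_auth = NULL;` could presumably stay. The enclosing auth_alg action starts outside this hunk.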
 



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2017-04-12 Thread Roy Marples
Module Name:src
Committed By:   roy
Date:   Wed Apr 12 16:47:40 UTC 2017

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c

Log Message:
Use RO_MSGFILTER.


To generate a diff of this commit:
cvs rdiff -u -r1.34 -r1.35 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.34 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.35
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.34	Sat Jun 14 22:39:36 2014
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Wed Apr 12 16:47:39 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.34 2014/06/14 22:39:36 christos Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.35 2017/04/12 16:47:39 roy Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras .
@@ -827,6 +827,9 @@ static int
 kernel_open_socket()
 {
 	int fd;
+#ifdef RO_MSGFILTER
+	unsigned char msgfilter[] = { RTM_NEWADDR, RTM_DELADDR };
+#endif
 
 	fd = socket(PF_ROUTE, SOCK_RAW, 0);
 	if (fd < 0) {
@@ -835,6 +838,13 @@ kernel_open_socket()
 			strerror(errno));
 		return -1;
 	}
+#ifdef RO_MSGFILTER
+	if (setsockopt(fd, PF_ROUTE, RO_MSGFILTER,
+	, sizeof(msgfilter)) < 0)
+		plog(LLV_WARNING, LOCATION, NULL,
+		 "setsockopt(RO_MSGFILER) failed: %s",
+		 strerror(errno));
+#endif
 	close_on_exec(fd);
 	if (fcntl(fd, F_SETFL, O_NONBLOCK) == -1)
 		plog(LLV_WARNING, LOCATION, NULL,
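Review bot: The warning on the new setsockopt failure path misspells the option as `RO_MSGFILER` and, unlike the plog() messages elsewhere on this page, does not end in `\n`; it should read `"setsockopt(RO_MSGFILTER) failed: %s\n",`. The option-value argument before `sizeof(msgfilter)` also appears to have been lost in this listing (an `&msgfilter` presumably eaten by the archive), which is worth checking against the committed file. kernel_open_socket's body continues past this hunk.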



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2017-01-24 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Tue Jan 24 19:23:56 UTC 2017

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: handler.h isakmp.c isakmp_inf.c

Log Message:
PR/51682: Avoid DoS with fragment out of order insertion; keep fragments
sorted in the list.


To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.26 src/crypto/dist/ipsec-tools/src/racoon/handler.h
cvs rdiff -u -r1.75 -r1.76 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.50 -r1.51 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/handler.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.h:1.25 src/crypto/dist/ipsec-tools/src/racoon/handler.h:1.26
--- src/crypto/dist/ipsec-tools/src/racoon/handler.h:1.25	Wed Nov 17 05:40:41 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.h	Tue Jan 24 14:23:56 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.h,v 1.25 2010/11/17 10:40:41 tteras Exp $	*/
+/*	$NetBSD: handler.h,v 1.26 2017/01/24 19:23:56 christos Exp $	*/
 
 /* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
 
@@ -141,6 +141,7 @@ struct ph1handle {
 #endif
 #ifdef ENABLE_FRAG
 	int frag;			/* IKE phase 1 fragmentation */
+	int frag_last_index;
 	struct isakmp_frag_item *frag_chain;	/* Received fragments */
 #endif
 
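Review bot: The new `frag_last_index` member is the only field in this block without a trailing comment, while `frag` and `frag_chain` beside it each have one; its meaning has to be recovered from the companion isakmp_frag.c commit on this page, where it is assigned the frag_num of the fragment carrying the last flag and reset to 0 by the three initialisers in this commit. Suggested: `int frag_last_index;		/* frag_num of the last fragment seen, 0 if none yet */`.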

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.75 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.76
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.75	Wed Mar  9 17:27:17 2016
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Tue Jan 24 14:23:56 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.c,v 1.75 2016/03/09 22:27:17 christos Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.76 2017/01/24 19:23:56 christos Exp $	*/
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
@@ -1077,6 +1077,7 @@ isakmp_ph1begin_i(rmconf, remote, local)
 		iph1->frag = 1;
 	else
 		iph1->frag = 0;
+	iph1->frag_last_index = 0;
 	iph1->frag_chain = NULL;
 #endif
 	iph1->approval = NULL;
@@ -1181,6 +1182,7 @@ isakmp_ph1begin_r(msg, remote, local, et
 #endif
 #ifdef ENABLE_FRAG
 	iph1->frag = 0;
+	iph1->frag_last_index = 0;
 	iph1->frag_chain = NULL;
 #endif
 	iph1->approval = NULL;

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.50 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.51
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.50	Fri Apr 12 05:53:10 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Tue Jan 24 14:23:56 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.c,v 1.50 2013/04/12 09:53:10 tteras Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.51 2017/01/24 19:23:56 christos Exp $	*/
 
 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
 
@@ -720,6 +720,7 @@ isakmp_info_send_nx(isakmp, remote, loca
 #endif
 #ifdef ENABLE_FRAG
 	iph1->frag = 0;
+	iph1->frag_last_index = 0;
 	iph1->frag_chain = NULL;
 #endif
 



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2017-01-24 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Tue Jan 24 19:23:31 UTC 2017

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_frag.c

Log Message:
PR/51682: Avoid DoS with fragment out of order insertion; keep fragments
sorted in the list.


To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.5 src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.6
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.5	Wed Apr 22 07:24:20 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c	Tue Jan 24 14:23:31 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_frag.c,v 1.5 2009/04/22 11:24:20 tteras Exp $	*/
+/*	$NetBSD: isakmp_frag.c,v 1.6 2017/01/24 19:23:31 christos Exp $	*/
 
 /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
 
@@ -173,6 +173,38 @@ vendorid_frag_cap(gen)
 	return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]);
 }
 
+static int 
+isakmp_frag_insert(struct ph1handle *iph1, struct isakmp_frag_item *item)
+{
+	struct isakmp_frag_item *pitem = NULL;
+	struct isakmp_frag_item *citem = iph1->frag_chain;
+
+	if (iph1->frag_chain == NULL) {
+		iph1->frag_chain = item;
+		return 0;
+	}
+
+	do {
+		if (citem->frag_num == item->frag_num)
+			return -1;
+
+		if (citem->frag_num > item->frag_num) {
+			if (pitem)
+pitem->frag_next = item;
+			item->frag_next = citem;
+			break;
+		}
+
+		pitem = citem;
+		citem = citem->frag_next;
+	} while (citem != NULL);
+
+	/* we reached the end of the list, insert */
+	if (citem == NULL)
+	  pitem->frag_next = item;
+	return 0;
+}
+
 int 
 isakmp_frag_extract(iph1, msg)
 	struct ph1handle *iph1;
@@ -224,39 +256,43 @@ isakmp_frag_extract(iph1, msg)
 	item->frag_next = NULL;
 	item->frag_packet = buf;
 
-	/* Look for the last frag while inserting the new item in the chain */
-	if (item->frag_last)
-		last_frag = item->frag_num;
+	/* Check for the last frag before inserting the new item in the chain */
+	if (item->frag_last) {
+		/* if we have the last fragment, indices must match */
+		if (iph1->frag_last_index != 0 &&
+		item->frag_last != iph1->frag_last_index) {
+			plog(LLV_ERROR, LOCATION, NULL,
+			 "Repeated last fragment index mismatch\n");
+			racoon_free(item);
+			vfree(buf);
+			return -1;
+		}
 
-	if (iph1->frag_chain == NULL) {
-		iph1->frag_chain = item;
-	} else {
-		struct isakmp_frag_item *current;
+		last_frag = iph1->frag_last_index = item->frag_num;
+	}
 
-		current = iph1->frag_chain;
-		while (current->frag_next) {
-			if (current->frag_last)
-last_frag = item->frag_num;
-			current = current->frag_next;
-		}
-		current->frag_next = item;
+	/* insert fragment into chain */
+	if (isakmp_frag_insert(iph1, item) == -1) {
+		plog(LLV_ERROR, LOCATION, NULL,
+		"Repeated fragment index mismatch\n");
+		racoon_free(item);
+		vfree(buf);
+		return -1;
 	}
 
-	/* If we saw the last frag, check if the chain is complete */
+	/* If we saw the last frag, check if the chain is complete
+	 * we have a sorted list now, so just walk through */
 	if (last_frag != 0) {
+		item = iph1->frag_chain;
 		for (i = 1; i <= last_frag; i++) {
-			item = iph1->frag_chain;
-			do {
-if (item->frag_num == i)
-	break;
-item = item->frag_next;
-			} while (item != NULL);
-
+			if (item->frag_num != i)
+break;
+			item = item->frag_next;
 			if (item == NULL) /* Not found */
 break;
 		}
 
-		if (item != NULL) /* It is complete */
+		if (i > last_frag) /* It is complete */
 			return 1;
 	}
 		
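Review bot: The completeness walk never reports a chain that holds exactly fragments 1..last_frag: on the final iteration `item` is advanced to NULL, the `if (item == NULL) break;` exits with `i == last_frag`, and `i > last_frag` is therefore false, so the caller is never told to reassemble (only a chain with extra fragments past last_frag passes). Testing before the advance fixes it: `if (item == NULL || item->frag_num != i) break;` followed by `item = item->frag_next;`, with the second NULL test removed. Separately, the repeated-last-fragment guard compares `item->frag_last`, which the surrounding code treats as a flag, against `iph1->frag_last_index`, which is assigned `item->frag_num` a few lines later; if frag_last really is the flag, the comparison should be `item->frag_num != iph1->frag_last_index`. isakmp_frag_extract starts outside this hunk.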
@@ -291,15 +327,9 @@ isakmp_frag_reassembly(iph1)
 	}
 	data = buf->v;
 
+	item = iph1->frag_chain;
 	for (i = 1; i <= frag_count; i++) {
-		item = iph1->frag_chain;
-		do {
-			if (item->frag_num == i)
-break;
-			item = item->frag_next;
-		} while (item != NULL);
-
-		if (item == NULL) {
+		if (item->frag_num != i) {
 			plog(LLV_ERROR, LOCATION, NULL, 
 			"Missing fragment #%d\n", i);
 			vfree(buf);
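Review bot: The reassembly loop dereferences `item->frag_num` before checking for the end of the chain, so a chain shorter than frag_count would fault instead of logging the "Missing fragment" error; that is safe only if every caller has already verified completeness, which this hunk cannot show. A cheap defensive form is `if (item == NULL || item->frag_num != i) {` on the comparison line. isakmp_frag_reassembly starts and ends outside this hunk.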
@@ -308,6 +338,7 @@ isakmp_frag_reassembly(iph1)
 		}
 		memcpy(data, item->frag_packet->v, item->frag_packet->l);
 		data += item->frag_packet->l;
+		item = item->frag_next;
 	}
 
 out:



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2016-03-19 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Mar 16 21:09:39 UTC 2016

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_ident.c

Log Message:
CID 1356385: Add fallthrough comment


To generate a diff of this commit:
cvs rdiff -u -r1.14 -r1.15 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c:1.14 src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c:1.15
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c:1.14	Wed Mar  9 17:27:17 2016
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c	Wed Mar 16 17:09:39 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_ident.c,v 1.14 2016/03/09 22:27:17 christos Exp $	*/
+/*	$NetBSD: isakmp_ident.c,v 1.15 2016/03/16 21:09:39 christos Exp $	*/
 
 /* Id: isakmp_ident.c,v 1.21 2006/04/06 16:46:08 manubsd Exp */
 
@@ -171,7 +171,7 @@ ident_i1send(iph1, msg)
 		else
 			plist = isakmp_plist_append(plist,
 			vid_xauth, ISAKMP_NPTYPE_VID);
-
+		/*FALLTHROUGH*/
 	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
 		if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
 			plog(LLV_ERROR, LOCATION, NULL,



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2016-03-11 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Fri Mar 11 18:28:43 UTC 2016

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: privsep.c

Log Message:
PR/50943: David Binderman: Fix misplaced parenthesis.


To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 src/crypto/dist/ipsec-tools/src/racoon/privsep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/privsep.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.22 src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.23
--- src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.22	Fri Aug 12 01:21:50 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/privsep.c	Fri Mar 11 13:28:43 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: privsep.c,v 1.22 2011/08/12 05:21:50 tteras Exp $	*/
+/*	$NetBSD: privsep.c,v 1.23 2016/03/11 18:28:43 christos Exp $	*/
 
 /* Id: privsep.c,v 1.15 2005/08/08 11:23:44 vanhu Exp */
 
@@ -1261,7 +1261,7 @@ privsep_setsockopt(s, level, optname, op
 	struct sockopt_args sockopt_args;
 	int err, saved_errno = 0;
 
-	if ((err = setsockopt(s, level, optname, optval, optlen) == 0) || 
+	if ((err = setsockopt(s, level, optname, optval, optlen)) == 0 || 
 	(saved_errno = errno) != EACCES ||
 	geteuid() == 0) {
 		if (saved_errno)



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2016-03-09 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Mar  9 22:27:17 UTC 2016

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp.c isakmp_cfg.c
isakmp_ident.c

Log Message:
From Frank Wille:
Request "IKE mode config" in "rsasig" (certificates on both sides only)
authentication mode, if "mode_cfg" is configured to "on".
Tested with a Lancom router, using the following configuration:

path include "/etc/racoon";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";

remote "wpsd"
{
remote_address 1.2.3.4;
exchange_mode main,base;

my_identifier asn1dn;
certificate_type x509 "vpnclient15.crt" "vpnclient15.key";
ca_type x509 "ca.crt";

mode_cfg on;
dpd_delay 20;
nat_traversal on;
lifetime time 8 hour;
script "phase1-up.sh" phase1_up;
script "phase1-down.sh" phase1_down;

proposal {
encryption_algorithm aes;
hash_algorithm md5;
authentication_method rsasig;
dh_group 2;
}
proposal_check obey;
}

sainfo anonymous
{
pfs_group 2;
lifetime time 8 hour;
encryption_algorithm aes;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}


To generate a diff of this commit:
cvs rdiff -u -r1.74 -r1.75 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.25 -r1.26 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
cvs rdiff -u -r1.13 -r1.14 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.74 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.75
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.74	Sun Jan  1 10:57:31 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Wed Mar  9 17:27:17 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.c,v 1.74 2012/01/01 15:57:31 tteras Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.75 2016/03/09 22:27:17 christos Exp $	*/
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
@@ -890,6 +890,10 @@ ph1_main(iph1, msg)
 /* XXX Don't process INITIAL_CONTACT */
 iph1->rmconf->ini_contact = 0;
 break;
+			case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
+if (iph1->rmconf->mode_cfg)
+	error = isakmp_cfg_getconfig(iph1);
+break;
 			default:
 break;
 			}
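Review bot: `error` is assigned from `isakmp_cfg_getconfig()` in the new RSASIG case but nothing in the hunk acts on it, and the second hunk at @@ -945 does the same immediately before an unconditional `return 0;`; if a failed config request is meant to abort phase 1, both call sites need `if (error) return error;` (or whatever ph1_main does with `error` elsewhere, which is outside the hunks). With both hunks applied, an RSASIG peer with `mode_cfg` on and without the XAUTH vendor ID appears to reach both calls, so the config request may be issued twice; the second condition could exclude the RSASIG method if the first hunk already covers it. ph1_main starts and ends outside the hunk.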
@@ -945,6 +949,10 @@ ph1_main(iph1, msg)
 break;
 			}
 		}
+		if ((iph1->rmconf->mode_cfg) &&
+		!(iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH)) {
+			error = isakmp_cfg_getconfig(iph1);
+		}
 	}
 
 	return 0;

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.25 src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.26
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.25	Fri Apr 12 06:03:45 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c	Wed Mar  9 17:27:17 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_cfg.c,v 1.25 2013/04/12 10:03:45 tteras Exp $	*/
+/*	$NetBSD: isakmp_cfg.c,v 1.26 2016/03/09 22:27:17 christos Exp $	*/
 
 /* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */
 
@@ -457,6 +457,7 @@ isakmp_cfg_reply(iph1, attrpl)
 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 
 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 
+		case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
 			script_hook(iph1, SCRIPT_PHASE1_UP);
 			break;
 		default:
@@ -639,6 +640,7 @@ isakmp_cfg_request(iph1, attrpl)
 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 
 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 
+		case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
 			script_hook(iph1, SCRIPT_PHASE1_UP);
 			break;
 		default:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c:1.13 src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c:1.14
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c:1.13	Fri Sep 18 06:31:11 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c	Wed Mar  9 17:27:17 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_ident.c,v 1.13 2009/09/18 10:31:11 tteras Exp $	*/
+/*	$NetBSD: isakmp_ident.c,v 1.14 2016/03/09 22:27:17 christos Exp $	*/
 
 /* Id: isakmp_ident.c,v 1.21 2006/04/06 16:46:08 manubsd Exp */
 
@@ -172,6 +172,7 @@ ident_i1send(iph1, msg)
 			plist = isakmp_plist_append(plist,
 			vid_xauth, ISAKMP_NPTYPE_VID);
 
+	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
 		if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
 			plog(LLV_ERROR, LOCATION, NULL,
 			 "Unity vendor ID generation failed\n");



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2016-03-09 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Mar  9 15:58:25 UTC 2016

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_xauth.c

Log Message:
PR/50918: David Binderman: Fix memory leak


To generate a diff of this commit:
cvs rdiff -u -r1.27 -r1.28 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.27 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.28
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.27	Tue Mar 18 14:20:35 2014
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Wed Mar  9 10:58:25 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.27 2014/03/18 18:20:35 riastradh Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.28 2016/03/09 15:58:25 christos Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -1803,7 +1803,7 @@ xauth_rmconf_dup(xauth_rmconf)
 		new = racoon_malloc(sizeof(*new));
 		if (new == NULL) {
 			plog(LLV_ERROR, LOCATION, NULL, 
-			"xauth_rmconf_dup: malloc failed\n");
+			"%s: malloc failed\n", __func__);
 			return NULL;
 		}
 
@@ -1813,16 +1813,16 @@ xauth_rmconf_dup(xauth_rmconf)
 			new->login = vdup(xauth_rmconf->login);
 			if (new->login == NULL) {
 plog(LLV_ERROR, LOCATION, NULL, 
-"xauth_rmconf_dup: malloc failed (login)\n");
-return NULL;
+"%s: malloc failed (login)\n", __func__);
+goto out;
 			}
 		}
 		if (xauth_rmconf->pass != NULL) {
 			new->pass = vdup(xauth_rmconf->pass);
 			if (new->pass == NULL) {
 plog(LLV_ERROR, LOCATION, NULL, 
-"xauth_rmconf_dup: malloc failed (password)\n");
-return NULL;
+"%s: malloc failed (password)\n", __func__);
+goto out;
 			}
 		}
 
@@ -1830,4 +1830,8 @@ xauth_rmconf_dup(xauth_rmconf)
 	}
 
 	return NULL;
+out:
+	vfree(new->login);
+	racoon_free(new);
+	return NULL;
 }
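Review bot: The new `out:` label calls `vfree(new->login)` on both failure paths, but when `xauth_rmconf->login` is NULL that field is never assigned and `new` comes from `racoon_malloc()` (first hunk), so the vfree reads an uninitialized pointer unless the lines between the two hunks zero the struct; allocating with `racoon_calloc(1, sizeof(*new))` or setting `new->login = NULL; new->pass = NULL;` right after the NULL check makes the cleanup safe either way. The login-failure path also relies on `vfree()` accepting NULL; confirm that, or guard with `if (new->login != NULL)`. The middle of xauth_rmconf_dup is not in the hunks.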



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2016-02-17 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Feb 17 20:11:17 UTC 2016

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y

Log Message:
PR/50815: David Binderman: Remove dup test


To generate a diff of this commit:
cvs rdiff -u -r1.48 -r1.49 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.48 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.49
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.48	Thu Nov 29 10:31:24 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Wed Feb 17 15:11:17 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.48 2012/11/29 15:31:24 vanhu Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.49 2016/02/17 20:11:17 christos Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -1490,10 +1490,15 @@ sainfo_id
 			char portbuf[10];
 			struct sockaddr *saddr;
 
-			if (($5 == IPPROTO_ICMP || $5 == IPPROTO_ICMPV6)
-			 && ($4 != IPSEC_PORT_ANY || $4 != IPSEC_PORT_ANY)) {
-yyerror("port number must be \"any\".");
+			switch ($5) {
+			case IPPROTO_ICMP:
+			case IPPROTO_ICMPV6:
+if ($4 == IPSEC_PORT_ANY)
+	break;
+yyerror("port must be \"any\" for icmp{,6}.");
 return -1;
+			default:
+break;
 			}
 
 			snprintf(portbuf, sizeof(portbuf), "%lu", $4);



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2015-05-19 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Tue May 19 15:14:26 UTC 2015

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: gssapi.c

Log Message:
Protect against a NULL pointer dereference described in:

https://www.altsci.com/ipsec/

XXX: pullup-7


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/crypto/dist/ipsec-tools/src/racoon/gssapi.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/gssapi.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/gssapi.c:1.4 src/crypto/dist/ipsec-tools/src/racoon/gssapi.c:1.5
--- src/crypto/dist/ipsec-tools/src/racoon/gssapi.c:1.4	Sat Sep  9 12:22:09 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/gssapi.c	Tue May 19 11:14:25 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: gssapi.c,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
+/*	$NetBSD: gssapi.c,v 1.5 2015/05/19 15:14:25 christos Exp $	*/
 
 /*	$KAME: gssapi.c,v 1.19 2001/04/03 15:51:55 thorpej Exp $	*/
 
@@ -202,6 +202,10 @@ gssapi_init(struct ph1handle *iph1)
 
 	gssapi_set_state(iph1, gps);
 
+	if (iph1-rmconf == NULL) {
+		plog(LLV_ERROR, LOCATION, NULL, no remote config\n);
+		return -1;
+	}
 	if (iph1-rmconf-proposal-gssid != NULL) {
 		id_token.length = iph1-rmconf-proposal-gssid-l;
 		id_token.value = iph1-rmconf-proposal-gssid-v;



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2015-05-19 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Tue May 19 15:16:01 UTC 2015

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: gssapi.c

Log Message:
Detect error earlier to avoid memory leak.

XXX: pullup-7


To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/crypto/dist/ipsec-tools/src/racoon/gssapi.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/gssapi.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/gssapi.c:1.5 src/crypto/dist/ipsec-tools/src/racoon/gssapi.c:1.6
--- src/crypto/dist/ipsec-tools/src/racoon/gssapi.c:1.5	Tue May 19 11:14:25 2015
+++ src/crypto/dist/ipsec-tools/src/racoon/gssapi.c	Tue May 19 11:16:00 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: gssapi.c,v 1.5 2015/05/19 15:14:25 christos Exp $	*/
+/*	$NetBSD: gssapi.c,v 1.6 2015/05/19 15:16:00 christos Exp $	*/
 
 /*	$KAME: gssapi.c,v 1.19 2001/04/03 15:51:55 thorpej Exp $	*/
 
@@ -192,6 +192,11 @@ gssapi_init(struct ph1handle *iph1)
 	gss_name_t princ, canon_princ;
 	OM_uint32 maj_stat, min_stat;
 
+	if (iph1-rmconf == NULL) {
+		plog(LLV_ERROR, LOCATION, NULL, no remote config\n);
+		return -1;
+	}
+
 	gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state));
 	if (gps == NULL) {
 		plog(LLV_ERROR, LOCATION, NULL, racoon_calloc failed\n);
@@ -202,10 +207,6 @@ gssapi_init(struct ph1handle *iph1)
 
 	gssapi_set_state(iph1, gps);
 
-	if (iph1-rmconf == NULL) {
-		plog(LLV_ERROR, LOCATION, NULL, no remote config\n);
-		return -1;
-	}
 	if (iph1-rmconf-proposal-gssid != NULL) {
 		id_token.length = iph1-rmconf-proposal-gssid-l;
 		id_token.value = iph1-rmconf-proposal-gssid-v;
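Review bot: The moved check guards `iph1->rmconf` but the unchanged line after it dereferences `iph1->rmconf->proposal->gssid` without testing `proposal`; if `proposal` can be NULL for a remote config at this point (not visible here), the guard should read `if (iph1->rmconf == NULL || iph1->rmconf->proposal == NULL)` so the early return covers that case too. gssapi_init continues past the hunk.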



CVS commit: src/crypto/dist/ipsec-tools/src/setkey

2014-09-10 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Sep 10 21:01:33 UTC 2014

Modified Files:
src/crypto/dist/ipsec-tools/src/setkey: token.l

Log Message:
remove dup


To generate a diff of this commit:
cvs rdiff -u -r1.18 -r1.19 src/crypto/dist/ipsec-tools/src/setkey/token.l

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/setkey/token.l
diff -u src/crypto/dist/ipsec-tools/src/setkey/token.l:1.18 src/crypto/dist/ipsec-tools/src/setkey/token.l:1.19
--- src/crypto/dist/ipsec-tools/src/setkey/token.l:1.18	Thu Nov 29 10:31:25 2012
+++ src/crypto/dist/ipsec-tools/src/setkey/token.l	Wed Sep 10 17:01:33 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: token.l,v 1.18 2012/11/29 15:31:25 vanhu Exp $	*/
+/*	$NetBSD: token.l,v 1.19 2014/09/10 21:01:33 christos Exp $	*/
 
 /*	$KAME: token.l,v 1.44 2003/10/21 07:20:58 itojun Exp $	*/
 
@@ -233,16 +233,6 @@ tcp		{ 
 	yylval.num = SADB_X_EALG_AESGMAC; BEGIN INITIAL; return(ALG_ENC);
 #endif
 }
-S_ENCALGaes-gcm-16   {
-#ifdef SADB_X_EALG_AESGCM16
-	yylval.num = SADB_X_EALG_AESGCM16; BEGIN INITIAL; return(ALG_ENC);
-#endif
-}
-S_ENCALGaes-gmac {
-#ifdef SADB_X_EALG_AESGMAC
-	yylval.num = SADB_X_EALG_AESGMAC; BEGIN INITIAL; return(ALG_ENC);
-#endif
-}
 
 	/* compression algorithms */
 {hyphen}C	{ return(F_COMP); }



CVS commit: src/crypto/dist/ipsec-tools/src/setkey

2014-09-10 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Sep 10 21:04:08 UTC 2014

Modified Files:
src/crypto/dist/ipsec-tools/src/setkey: parse.y

Log Message:
fix grammar stupidity: ipandport takes an optional port but has 2 grammar
productions, one with and one without an optional port. make the port
not optional and kill reduce-reduce conflicts.


To generate a diff of this commit:
cvs rdiff -u -r1.16 -r1.17 src/crypto/dist/ipsec-tools/src/setkey/parse.y

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/setkey/parse.y
diff -u src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.16 src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.17
--- src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.16	Sun Oct 20 17:17:28 2013
+++ src/crypto/dist/ipsec-tools/src/setkey/parse.y	Wed Sep 10 17:04:08 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: parse.y,v 1.16 2013/10/20 21:17:28 christos Exp $	*/
+/*	$NetBSD: parse.y,v 1.17 2014/09/10 21:04:08 christos Exp $	*/
 
 /*	$KAME: parse.y,v 1.81 2003/07/01 04:01:48 itojun Exp $	*/
 
@@ -141,7 +141,7 @@ static int setkeymsg_add __P((unsigned i
 %type num PR_ESP PR_AH PR_IPCOMP PR_ESPUDP PR_TCP
 %type num EXTENSION MODE
 %type ulnum DECSTRING
-%type val PL_REQUESTS portstr key_string
+%type val PL_REQUESTS portstr portstr_notempty key_string
 %type val policy_requests
 %type val QUOTEDSTRING HEXSTRING STRING
 %type val F_AIFLAGS
@@ -772,7 +772,7 @@ ipandport
 return -1;
 			}
 		}
-	|	STRING portstr
+	|	STRING portstr_notempty
 		{
 			$$ = parse_addr($1.buf, $2.buf);
 			if ($$ == NULL) {
@@ -797,7 +797,11 @@ portstr
 			}
 			$$.len = strlen($$.buf);
 		}
-	|	BLCL ANY ELCL
+	| portstr_notempty
+	;
+
+portstr_notempty
+	: 	BLCL ANY ELCL
 		{
 			$$.buf = strdup(0);
 			if (!$$.buf) {



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2014-06-14 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sat Jun 14 22:39:36 UTC 2014

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c

Log Message:
don't warn for 80211 messages


To generate a diff of this commit:
cvs rdiff -u -r1.33 -r1.34 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.33 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.34
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.33	Tue Mar 18 14:20:35 2014
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Sat Jun 14 18:39:36 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.33 2014/03/18 18:20:35 riastradh Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.34 2014/06/14 22:39:36 christos Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras timo.te...@iki.fi.
@@ -783,6 +783,9 @@ kernel_handle_message(msg)
 #ifdef RTM_IFANNOUNCE
 	case RTM_IFANNOUNCE:
 #endif
+#ifdef RTM_IEEE80211
+	case RTM_IEEE80211:
+#endif
 		break;
 	default:
 		plog(LLV_WARNING, LOCATION, NULL,



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2014-02-27 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Thu Feb 27 08:37:59 UTC 2014

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: crypto_openssl.c

Log Message:
From Adam Majer ad...@zombino.com: Support IPv6 in X509 subjectAltName


To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.25 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.24 src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.25
--- src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.24	Mon Dec 24 14:50:04 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c	Thu Feb 27 08:37:58 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.c,v 1.24 2012/12/24 14:50:04 tteras Exp $	*/
+/*	$NetBSD: crypto_openssl.c,v 1.25 2014/02/27 08:37:58 tteras Exp $	*/
 
 /* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
 
@@ -601,26 +601,47 @@ eay_get_x509subjectaltname(cert, altname
 	/* read IP address */
 	else if (gen-type == GEN_IPADD)
 	{
-		unsigned char p[5], *ip;
-		ip = p;
-		
-		/* only support IPv4 */
-		if (gen-d.ip-length != 4)
-			goto end;
-		
-		/* convert Octet String to String
-		 * XXX ???
-		 */
-		/*i2d_ASN1_OCTET_STRING(gen-d.ip,ip);*/
-		ip = gen-d.ip-data;
+		switch (gen-d.iPAddress-length) {
+		case 4: /* IPv4 */
+			*altname = racoon_malloc(4*3 + 3 + 1); /* digits + decimals + null */
+			if (!*altname)
+goto end;
 
-		/* XXX Magic, enough for an IPv4 address
-		 */
-		*altname = racoon_malloc(20);
-		if (!*altname)
+			snprintf(*altname, 12+3+1, %u.%u.%u.%u,
+			 (unsigned)gen-d.iPAddress-data[0],
+			 (unsigned)gen-d.iPAddress-data[1],
+			 (unsigned)gen-d.iPAddress-data[2],
+			 (unsigned)gen-d.iPAddress-data[3]);
+			break;
+		case 16: { /* IPv6 */
+			int i;
+
+			*altname = racoon_malloc(16*2 + 7 + 1); /* digits + colons + null */
+			if (!*altname)
+goto end;
+
+			/* Make NULL terminated IPv6 address */
+			for (i=0; i16; ++i) {
+int pos = i*2 + i/2;
+
+if (i0  i%2==0)
+	(*altname)[pos-1] = ':';
+
+snprintf(*altname + pos, 3, %02x,
+ (unsigned)gen-d.iPAddress-data[i]);
+
+			}
+			plog(LLV_INFO, LOCATION, NULL,
+			 Remote X509 IPv6 addr: %s, *altname);
+			break;
+		}
+		default:
+			plog(LLV_ERROR, LOCATION, NULL,
+			 Unknown IP address length: %u octects.,
+			 gen-d.iPAddress-length);
 			goto end;
-		
-		sprintf(*altname, %u.%u.%u.%u, ip[0], ip[1], ip[2], ip[3]);
+		}
+
 		*type = gen-type;
 		error = 0;
 	}
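Review bot: In the `default:` branch `gen->d.iPAddress->length` is printed with `%u` although ASN1_STRING lengths are `int`, the message misspells "octets", and neither that message nor the IPv6 `LLV_INFO` line ends in `\n` as plog calls elsewhere in racoon do; `"Unknown IP address length: %d octets.\n"` fixes the first two. The buffer arithmetic checks out (IPv4: 16 bytes written into 16; IPv6: pos for i=15 is 37 and the 3-byte snprintf ends at byte 40 of the 40-byte buffer), but the hand-rolled loop could be replaced by `inet_ntop()` into an `INET6_ADDRSTRLEN` buffer, which handles both lengths and yields the canonical compressed IPv6 text — whether the consumer of `*altname` expects the uncompressed form written here is not visible, so check before switching. The IPv6 path logs the parsed address at LLV_INFO and the IPv4 path does not; the two should behave alike. eay_get_x509subjectaltname continues before and after the hunk.
```c
	else if (gen->type == GEN_IPADD)
	{
		int af;

		switch (gen->d.iPAddress->length) {
		case 4:
			af = AF_INET;
			break;
		case 16:
			af = AF_INET6;
			break;
		default:
			plog(LLV_ERROR, LOCATION, NULL,
			     "Unknown IP address length: %d octets.\n",
			     gen->d.iPAddress->length);
			goto end;
		}

		*altname = racoon_malloc(INET6_ADDRSTRLEN);
		if (!*altname)
			goto end;
		if (inet_ntop(af, gen->d.iPAddress->data, *altname,
		    INET6_ADDRSTRLEN) == NULL) {
			racoon_free(*altname);
			*altname = NULL;
			goto end;
		}
		plog(LLV_INFO, LOCATION, NULL,
		     "Remote X509 IP addr: %s\n", *altname);
		/* ... unchanged: *type = gen->type; error = 0; ... */
	}
```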



CVS commit: src/crypto/dist/ipsec-tools/src/setkey

2013-10-20 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sun Oct 20 21:17:28 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/setkey: parse.y

Log Message:
remove unused variables


To generate a diff of this commit:
cvs rdiff -u -r1.15 -r1.16 src/crypto/dist/ipsec-tools/src/setkey/parse.y

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/setkey/parse.y
diff -u src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.15 src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.16
--- src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.15	Mon Jan  9 10:25:13 2012
+++ src/crypto/dist/ipsec-tools/src/setkey/parse.y	Sun Oct 20 17:17:28 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: parse.y,v 1.15 2012/01/09 15:25:13 drochner Exp $	*/
+/*	$NetBSD: parse.y,v 1.16 2013/10/20 21:17:28 christos Exp $	*/
 
 /*	$KAME: parse.y,v 1.81 2003/07/01 04:01:48 itojun Exp $	*/
 
@@ -954,7 +954,6 @@ setkeymsg_spdaddr(type, upper, policy, s
 	int plen;
 	struct sockaddr *sa;
 	int salen;
-	struct sadb_x_policy *sp;
 #ifdef HAVE_POLICY_FWD
 	struct sadb_x_ipsecrequest *ps = NULL;
 	int saved_level, saved_id = 0;
@@ -969,7 +968,6 @@ setkeymsg_spdaddr(type, upper, policy, s
 	setkeymsg0(msg, type, SADB_SATYPE_UNSPEC, 0);
 	l = sizeof(struct sadb_msg);
 
-	sp = (struct sadb_x_policy*) (buf + l);
 	memcpy(buf + l, policy-buf, policy-len);
 	l += policy-len;
 
@@ -1094,11 +1092,10 @@ setkeymsg_spdaddr_tag(type, tag, policy)
 {
 	struct sadb_msg *msg;
 	char buf[BUFSIZ];
-	int l, l0;
+	int l;
 #ifdef SADB_X_EXT_TAG
 	struct sadb_x_tag m_tag;
 #endif
-	int n;
 
 	msg = (struct sadb_msg *)buf;
 
@@ -1109,9 +1106,6 @@ setkeymsg_spdaddr_tag(type, tag, policy)
 	memcpy(buf + l, policy-buf, policy-len);
 	l += policy-len;
 
-	l0 = l;
-	n = 0;
-
 #ifdef SADB_X_EXT_TAG
 	memset(m_tag, 0, sizeof(m_tag));
 	m_tag.sadb_x_tag_len = PFKEY_UNIT64(sizeof(m_tag));



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-07-19 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Jul 19 10:54:52 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_xauth.c

Log Message:
From Rainer Weikusat rweiku...@mobileactivedefense.com: Export phase1
remote address as Radius Calling-Station-Id.


To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.26 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.25 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.26
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.25	Tue Feb  5 06:22:29 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Fri Jul 19 10:54:52 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.25 2013/02/05 06:22:29 tteras Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.26 2013/07/19 10:54:52 tteras Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -592,6 +592,10 @@ xauth_login_radius(iph1, usr, pwd)
 		return -1;
 	}
 
+	if (rad_put_string(radius_auth_state, RAD_CALLING_STATION_ID,
+			   saddr2str(iph1-remote)) != 0)
+		return -1;
+
 	if (isakmp_cfg_radius_common(radius_auth_state, iph1-mode_cfg-port) != 0)
 		return -1;
 
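Review bot: The new attribute is built from `saddr2str(iph1->remote)`; elsewhere in racoon that helper renders the address together with the port in the `addr[port]` form, in which case Calling-Station-Id would carry `[500]`/`[4500]` rather than the bare address a RADIUS server matches on — confirm the format, and if so format only the host part (e.g. via `getnameinfo()` with `NI_NUMERICHOST`). The failure path returns -1 like the surrounding `rad_put_*` calls, so handling of `radius_auth_state` stays consistent with what the function already does. xauth_login_radius starts and ends outside the hunk.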



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-07-18 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Thu Jul 18 17:02:58 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c

Log Message:
add RTM_LOSING, RTM_REDIRECT


To generate a diff of this commit:
cvs rdiff -u -r1.31 -r1.32 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.31 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.32
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.31	Fri Apr 12 05:53:10 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Thu Jul 18 13:02:58 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.31 2013/04/12 09:53:10 tteras Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.32 2013/07/18 17:02:58 christos Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras timo.te...@iki.fi.
@@ -766,6 +766,12 @@ kernel_handle_message(msg)
 	case RTM_CHANGE:
 	case RTM_GET:
 	case RTM_MISS:
+#ifdef RTM_LOSING
+	case RTM_LOSING:
+#endif
+#ifdef RTM_REDIRECT
+	case RTM_REDIRECT:
+#endif
 	case RTM_IFINFO:
 #ifdef RTM_OIFINFO
 	case RTM_OIFINFO:



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-07-12 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Jul 12 13:11:50 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: main.c

Log Message:
From Sven Vermeulen sven.vermeu...@siphos.be: Moves ploginit() up,
allowing logging events from init_avc() to show up as well.


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 src/crypto/dist/ipsec-tools/src/racoon/main.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/main.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/main.c:1.12 src/crypto/dist/ipsec-tools/src/racoon/main.c:1.13
--- src/crypto/dist/ipsec-tools/src/racoon/main.c:1.12	Mon Jan 26 18:13:06 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/main.c	Fri Jul 12 13:11:50 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: main.c,v 1.12 2009/01/26 18:13:06 tteras Exp $	*/
+/*	$NetBSD: main.c,v 1.13 2013/07/12 13:11:50 tteras Exp $	*/
 
 /* Id: main.c,v 1.25 2006/06/20 20:31:34 manubsd Exp */
 
@@ -290,6 +290,8 @@ main(ac, av)
 		/* NOTREACHED*/
 	}
 
+	ploginit();
+
 #ifdef DEBUG_RECORD_MALLOCATION
 	DRM_init();
 #endif
@@ -302,8 +304,6 @@ main(ac, av)
 	oakley_dhinit();
 	compute_vendorids();
 
-	ploginit();
-
 	plog(LLV_INFO, LOCATION, NULL, %s\n, version);
 	plog(LLV_INFO, LOCATION, NULL, @(#)
 	This product linked %s (http://www.openssl.org/)



CVS commit: src/crypto/dist/ipsec-tools

2013-06-20 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Thu Jun 20 15:41:18 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools: configure.ac
src/crypto/dist/ipsec-tools/src/racoon: localconf.c racoon.conf.5

Log Message:
Add an option --enable-wildcard-match to enable wildcard matching, and explain
why we might want it and why it is a bad idea in general, which is why it is
not enabled by default. ok tteras@, manu@


To generate a diff of this commit:
cvs rdiff -u -r1.13 -r1.14 src/crypto/dist/ipsec-tools/configure.ac
cvs rdiff -u -r1.8 -r1.9 src/crypto/dist/ipsec-tools/src/racoon/localconf.c
cvs rdiff -u -r1.66 -r1.67 \
src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/configure.ac
diff -u src/crypto/dist/ipsec-tools/configure.ac:1.13 src/crypto/dist/ipsec-tools/configure.ac:1.14
--- src/crypto/dist/ipsec-tools/configure.ac:1.13	Tue Jan  8 07:42:31 2013
+++ src/crypto/dist/ipsec-tools/configure.ac	Thu Jun 20 11:41:18 2013
@@ -105,6 +105,14 @@ case $host_os in
 ;;
 esac
 
+AH_TEMPLATE(ENABLE_WILDCARD_MATCH, [Enable wildcard matching in pre-shared-key file])
+AC_ARG_ENABLE([wildcard-match],
+[--enable-wildcard-match	Enable wildcard matching in pre-shared-key file],
+[case ${enableval} in
+(yes)	AC_DEFINE(ENABLE_WILDCARD_MATCH);;
+(no)	;;
+(*)	AC_MSG_ERROR(bad value ${enableval} for --enable-wildcard-match);;
+esac],[])
 ### Some basic toolchain checks
 
 # Checks for header files.

Index: src/crypto/dist/ipsec-tools/src/racoon/localconf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/localconf.c:1.8 src/crypto/dist/ipsec-tools/src/racoon/localconf.c:1.9
--- src/crypto/dist/ipsec-tools/src/racoon/localconf.c:1.8	Sun Jan  1 10:29:28 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/localconf.c	Thu Jun 20 11:41:18 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: localconf.c,v 1.8 2012/01/01 15:29:28 tteras Exp $	*/
+/*	$NetBSD: localconf.c,v 1.9 2013/06/20 15:41:18 christos Exp $	*/
 
 /*	$KAME: localconf.c,v 1.33 2001/08/09 07:32:19 sakane Exp $	*/
 
@@ -247,7 +247,11 @@ getpsk(str, len)
 		if (*p == '\0')
 			continue;	/* no 2nd parameter */
 		p--;
-		if (strncmp(buf, str, len) == 0  buf[len] == '\0') {
+		if (
+#ifdef ENABLE_WILDCARD_MATCH
+		strncmp(buf, *, 2) == 0 ||
+#endif
+		(strncmp(buf, str, len) == 0  buf[len] == '\0')) {
 			p++;
 			keylen = 0;
 			for (q = p; *q != '\0'  *q != '\n'; q++)
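Review bot: The wildcard test is OR-ed into the per-line match, so a `*` entry matches whatever identity is being looked up at the position it occupies in the file; if getpsk returns on the first match (the rest of the loop is outside the hunk), a `*` line placed above a host-specific line silently shadows that host's key. Either make the wildcard a fallback taken only after the whole file has been scanned without an exact match, or state in racoon.conf.5 that the `*` entry must be the last line. A comment above the `#ifdef`, such as `/* ENABLE_WILDCARD_MATCH: a line whose identifier is "*" matches any peer; see racoon.conf.5 for why this is unsafe with more than one user */`, would also help the next reader.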

Index: src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
diff -u src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.66 src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.67
--- src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.66	Fri Nov 30 03:19:01 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5	Thu Jun 20 11:41:18 2013
@@ -1,4 +1,4 @@
-.\	$NetBSD: racoon.conf.5,v 1.66 2012/11/30 08:19:01 wiz Exp $
+.\	$NetBSD: racoon.conf.5,v 1.67 2013/06/20 15:41:18 christos Exp $
 .\
 .\	Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
 .\
@@ -29,7 +29,7 @@
 .\ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\ SUCH DAMAGE.
 .\
-.Dd November 29, 2012
+.Dd June 17, 2013
 .Dt RACOON.CONF 5
 .Os
 .\
@@ -1468,6 +1468,32 @@ Note that the file must be owned by the 
 .Xr racoon 8
 .Pq usually the privileged user ,
 and must not be accessible by others.
+.Pp
+If configured with
+.Dv ENABLE_WILDCARD_MATCH ,
+this implementation allows a wildcard key
+.Dq * .
+This is allowed for the special case of a single user connecting to
+a gateway using an iPhone.
+On an iPhone, L2TP over IPSEC only supports
+main mode with pre-shared keys (no certificates).
+Unfortunately racoon
+only supports pre-shared-key lookup by address when identity protection
+is used, and since the iPhone does not have a specific IP address, we
+don't know what key to put in the pre-shared key file. 
+.Pp
+Sharing the connection with more than one user is strongly discouraged
+because any user can pretend to be the server since they know the pre-shared
+key.
+This means that any user can steal the traffic of any other user, by
+spoofing DNS which is not trivial but easy.
+Even worse, the malicious user will be able to then steal any other
+authentication data (CHAP/XAUTH etc.) that another user will supply
+to the compromised server, because it assumes that phase 1 is secured
+by the pre-shared key.
+.Pp
+In summary, never use wildcard keys if your gateway is hosting more than
+one user.
 .\
 .Sh EXAMPLES
 The following shows how the remote directive should be configured.



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-06-17 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Jun 18 05:39:50 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: ipsec_doi.c

Log Message:
From Paul Barker: Remove redundant memset after calloc that caused compile
failures with gcc 4.8 due to error: argument to 'sizeof' in 'memset' call
is the same expression as the destination; did you mean to dereference.


To generate a diff of this commit:
cvs rdiff -u -r1.48 -r1.49 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.48 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.49
--- src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.48	Thu Nov 29 15:31:25 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c	Tue Jun 18 05:39:50 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_doi.c,v 1.48 2012/11/29 15:31:25 vanhu Exp $	*/
+/*	$NetBSD: ipsec_doi.c,v 1.49 2013/06/18 05:39:50 tteras Exp $	*/
 
 /* Id: ipsec_doi.c,v 1.55 2006/08/17 09:20:41 vanhu Exp */
 
@@ -1183,7 +1183,6 @@ get_proppair_and_doi_sit(sa, mode, doity
 			failed to get buffer.\n);
 		goto bad;
 	}
-	memset(pair, 0, sizeof(pair));
 
 	bp = (caddr_t)(sab + 1);
 	tlen = sa-l - sizeof(*sab);



CVS commit: src/crypto/dist/ipsec-tools/src/setkey

2013-06-14 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Fri Jun 14 16:29:14 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/setkey: setkey.c

Log Message:
Accept - as stdin
Be nice and let the user know which file it could not open.


To generate a diff of this commit:
cvs rdiff -u -r1.15 -r1.16 src/crypto/dist/ipsec-tools/src/setkey/setkey.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/setkey/setkey.c
diff -u src/crypto/dist/ipsec-tools/src/setkey/setkey.c:1.15 src/crypto/dist/ipsec-tools/src/setkey/setkey.c:1.16
--- src/crypto/dist/ipsec-tools/src/setkey/setkey.c:1.15	Fri May 27 14:00:21 2011
+++ src/crypto/dist/ipsec-tools/src/setkey/setkey.c	Fri Jun 14 12:29:14 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: setkey.c,v 1.15 2011/05/27 18:00:21 drochner Exp $	*/
+/*	$NetBSD: setkey.c,v 1.16 2013/06/14 16:29:14 christos Exp $	*/
 
 /*	$KAME: setkey.c,v 1.36 2003/09/24 23:52:51 itojun Exp $	*/
 
@@ -165,8 +165,10 @@ main(argc, argv)
 			break;
 		case 'f':
 			f_mode = MODE_SCRIPT;
-			if ((fp = fopen(optarg, r)) == NULL) {
-err(1, fopen);
+			if (strcmp(optarg, -) == 0)
+fp = stdin;
+			else if ((fp = fopen(optarg, r)) == NULL) {
+err(1, Can't open `%s', optarg);
 /*NOTREACHED*/
 			}
 			break;
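Review bot: With `-f -` the script is now read from `stdin`, so any later `fclose(fp)` in script mode (outside the hunk) will close the process's standard input; guard it with `if (fp != stdin) fclose(fp);`. The `err()` message naming the file is the useful part of this change; the unbraced `if` next to the braced `else if` could be braced for consistency. main continues past the hunk.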



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-06-02 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Mon Jun  3 05:49:32 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: admin.c

Log Message:
From Alexander Sbitnev alexander.sbit...@gmail.com: fix admin port
establish-sa for tunnel mode SAs.


To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.39 src/crypto/dist/ipsec-tools/src/racoon/admin.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/admin.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.38 src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.39
--- src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.38	Wed Dec  8 07:38:35 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/admin.c	Mon Jun  3 05:49:31 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: admin.c,v 1.38 2010/12/08 07:38:35 tteras Exp $	*/
+/*	$NetBSD: admin.c,v 1.39 2013/06/03 05:49:31 tteras Exp $	*/
 
 /* Id: admin.c,v 1.25 2006/04/06 14:31:04 manubsd Exp */
 
@@ -563,18 +563,30 @@ admin_process(so2, combuf)
 			iph2-seq = pk_getseq();
 			iph2-status = PHASE2ST_STATUS2;
 
-			/* set end addresses of SA */
-			iph2-sa_dst = dupsaddr(dst);
-			iph2-sa_src = dupsaddr(src);
-			iph2-dst = dupsaddr(dst);
-			iph2-src = dupsaddr(src);
-			if (iph2-sa_src == NULL || iph2-sa_dst == NULL ||
-			iph2-dst == NULL || iph2-src == NULL) {
-delph2(iph2);
-break;
-			}
-			set_port(iph2-dst, 0);
-			set_port(iph2-src, 0);
+if (sp_out-local  sp_out-remote) {
+/* hints available, let's use them */
+iph2-sa_dst = dupsaddr(dst);
+iph2-sa_src = dupsaddr(src);
+iph2-src = dupsaddr((struct sockaddr *)sp_out-local);
+iph2-dst = dupsaddr((struct sockaddr *)sp_out-remote);
+} else if (sp_out-req  sp_out-req-saidx.mode == IPSEC_MODE_TUNNEL) {
+/* Tunnel mode and no hint, use endpoints */
+iph2-src = dupsaddr((struct sockaddr *)sp_out-req-saidx.src);
+iph2-dst = dupsaddr((struct sockaddr *)sp_out-req-saidx.dst);
+} else {
+/* default, use selectors as fallback */
+iph2-sa_dst = dupsaddr(dst);
+iph2-sa_src = dupsaddr(src);
+iph2-dst = dupsaddr(dst);
+iph2-src = dupsaddr(src);
+}
+
+if (iph2-dst == NULL || iph2-src == NULL) {
+delph2(iph2);
+break;
+}
+set_port(iph2-dst, 0);
+set_port(iph2-src, 0);
 
 			if (isakmp_get_sainfo(iph2, sp_out, sp_in)  0) {
 delph2(iph2);
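Review bot: The tunnel-mode branch (the `else if` on `sp_out->req->saidx.mode == IPSEC_MODE_TUNNEL`) assigns only `iph2->src`/`iph2->dst` and leaves `iph2->sa_src`/`iph2->sa_dst` untouched, while the other two branches set all four; unless isakmp_get_sainfo() or later code fills them in, which this hunk does not show, that looks like an oversight that yields a phase-2 handle without SA endpoints. The consolidated NULL check after the branches also dropped the `sa_src == NULL || sa_dst == NULL` test the old code had, so a failed dupsaddr() for those two fields now goes unnoticed. I would add `iph2->sa_dst = dupsaddr(dst); iph2->sa_src = dupsaddr(src);` to the tunnel branch and restore the four-way test, `if (iph2->sa_src == NULL || iph2->sa_dst == NULL || iph2->dst == NULL || iph2->src == NULL)`. admin_process() begins and ends outside this hunk.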



CVS commit: src/crypto/dist/ipsec-tools/src/include-glibc/net

2013-05-22 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Thu May 23 05:42:29 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/include-glibc/net: pfkeyv2.h

Log Message:
From Rainer Weikusat rweiku...@mobileactivedefense.com: Fix
SADB_X_EALG_CASTCBC definition to use system definition (which
differs at least on Linux).



To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 \
src/crypto/dist/ipsec-tools/src/include-glibc/net/pfkeyv2.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/include-glibc/net/pfkeyv2.h
diff -u src/crypto/dist/ipsec-tools/src/include-glibc/net/pfkeyv2.h:1.4 src/crypto/dist/ipsec-tools/src/include-glibc/net/pfkeyv2.h:1.5
--- src/crypto/dist/ipsec-tools/src/include-glibc/net/pfkeyv2.h:1.4	Sat Sep  9 16:22:08 2006
+++ src/crypto/dist/ipsec-tools/src/include-glibc/net/pfkeyv2.h	Thu May 23 05:42:29 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: pfkeyv2.h,v 1.4 2006/09/09 16:22:08 manu Exp $	*/
+/*	$NetBSD: pfkeyv2.h,v 1.5 2013/05/23 05:42:29 tteras Exp $	*/
 
 #ifndef __NET_PFKEYV2_H_
 #define __NET_PFKEYV2_H_ 1
@@ -18,7 +18,11 @@
 #define SADB_X_AALG_SHA  250
 
 /* private allocations - based on RFC2407/IANA assignment */
-#define SADB_X_EALG_CAST128CBC	5	/* SADB_X_EALG_CASTCBC? == 6 */
+#ifdef SADB_X_EALG_CASTCBC
+#define SADB_X_EALG_CAST128CBC		SADB_X_EALG_CASTCBC
+#else
+#define SADB_X_EALG_CAST128CBC		5
+#endif
 #define SADB_X_EALG_RIJNDAELCBC		SADB_X_EALG_AESCBC
 #define SADB_X_EALG_AES			SADB_X_EALG_AESCBC
 
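Review bot: The `#else` branch keeps the private value 5 for SADB_X_EALG_CAST128CBC without saying why, and the removed trailing comment was the only hint that the system's SADB_X_EALG_CASTCBC can differ (6, per that old comment). I would put a short comment on the fallback, `/* system header lacks SADB_X_EALG_CASTCBC; keep the historic private value */`, so the next reader knows this is a local allocation rather than the kernel's. The `#ifdef` also presumes the system pfkeyv2.h has already been included above this point, which the hunk does not show.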



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-05-08 Thread Marc Balmer
Module Name:src
Committed By:   mbalmer
Date:   Wed May  8 20:03:02 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: racoon.8

Log Message:
racoon default config is in /etc/racoon/racoon.conf


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 src/crypto/dist/ipsec-tools/src/racoon/racoon.8

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/racoon.8
diff -u src/crypto/dist/ipsec-tools/src/racoon/racoon.8:1.12 src/crypto/dist/ipsec-tools/src/racoon/racoon.8:1.13
--- src/crypto/dist/ipsec-tools/src/racoon/racoon.8:1.12	Sat Jan 24 10:42:31 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/racoon.8	Wed May  8 20:03:02 2013
@@ -1,4 +1,4 @@
-.\	$NetBSD: racoon.8,v 1.12 2009/01/24 10:42:31 wiz Exp $
+.\	$NetBSD: racoon.8,v 1.13 2013/05/08 20:03:02 mbalmer Exp $
 .\
 .\ Id: racoon.8,v 1.4 2005/04/18 11:07:55 manubsd Exp
 .\
@@ -133,7 +133,7 @@ The command exits with 0 on success, and
 .\
 .Sh FILES
 .Bl -tag -width /etc/racoon.conf -compact
-.It Pa /etc/racoon.conf
+.It Pa /etc/racoon/racoon.conf
 default configuration file.
 .El
 .\



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-04-12 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Apr 12 09:53:11 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c isakmp_inf.c

Log Message:
Some logging improvements.


To generate a diff of this commit:
cvs rdiff -u -r1.30 -r1.31 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
cvs rdiff -u -r1.49 -r1.50 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.30 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.31
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.30	Tue Feb  5 11:36:17 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Fri Apr 12 09:53:10 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.30 2013/02/05 11:36:17 tteras Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.31 2013/04/12 09:53:10 tteras Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras timo.te...@iki.fi.
@@ -764,6 +764,7 @@ kernel_handle_message(msg)
 	case RTM_ADD:
 	case RTM_DELETE:
 	case RTM_CHANGE:
+	case RTM_GET:
 	case RTM_MISS:
 	case RTM_IFINFO:
 #ifdef RTM_OIFINFO
@@ -779,7 +780,7 @@ kernel_handle_message(msg)
 		break;
 	default:
 		plog(LLV_WARNING, LOCATION, NULL,
-		 unrecognized route message with rtm_type: %d,
+		 unrecognized route message with rtm_type: %d\n,
 		 rtm-rtm_type);
 		break;
 	}

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.49 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.50
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.49	Thu Jan 24 06:47:50 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Fri Apr 12 09:53:10 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.c,v 1.49 2013/01/24 06:47:50 tteras Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.50 2013/04/12 09:53:10 tteras Exp $	*/
 
 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
 
@@ -1116,6 +1116,7 @@ purge_ipsec_spi(dst0, proto, spi, n)
 	u_int64_t created;
 	size_t i;
 	caddr_t mhp[SADB_EXT_MAX + 1];
+	unsigned num_purged = 0;
 
 	plog(LLV_DEBUG2, LOCATION, NULL,
 		 purge_ipsec_spi:\n);
@@ -1172,6 +1173,7 @@ purge_ipsec_spi(dst0, proto, spi, n)
 
 		plog(LLV_DEBUG2, LOCATION, NULL, src: %s\n, saddr2str(src));
 		plog(LLV_DEBUG2, LOCATION, NULL, dst: %s\n, saddr2str(dst));
+		plog(LLV_DEBUG2, LOCATION, NULL, spi: %u\n, ntohl(sa-sadb_sa_spi));
 
 		/* XXX n^2 algorithm, inefficient */
 
@@ -1210,6 +1212,7 @@ purge_ipsec_spi(dst0, proto, spi, n)
 purged IPsec-SA proto_id=%s spi=%u.\n,
 s_ipsecdoi_proto(proto),
 ntohl(spi[i]));
+			num_purged++;
 		}
 
 		msg = next;
@@ -1217,6 +1220,8 @@ purge_ipsec_spi(dst0, proto, spi, n)
 
 	if (buf)
 		vfree(buf);
+
+	plog(LLV_DEBUG, LOCATION, NULL, purged %u SAs.\n, num_purged);
 }
 
 /*



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-04-12 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Apr 12 10:03:46 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_cfg.c

Log Message:
From Rainer Weikusat rweiku...@mobileactivedefense.com: Do not send out
illegal zero length MODE_CFG attributes.


To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.25 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.24 src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.25
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.24	Tue Sep 21 13:14:17 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c	Fri Apr 12 10:03:45 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_cfg.c,v 1.24 2010/09/21 13:14:17 vanhu Exp $	*/
+/*	$NetBSD: isakmp_cfg.c,v 1.25 2013/04/12 10:03:45 tteras Exp $	*/
 
 /* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */
 
@@ -1000,6 +1000,9 @@ isakmp_cfg_varlen(iph1, attr, string, le
 	struct isakmp_data *new;
 	char *data;
 
+	if (!len)
+		return NULL;
+
 	if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) {
 		plog(LLV_ERROR, LOCATION, NULL, Cannot allocate memory\n);
 		return NULL;
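Review bot: The new `if (!len) return NULL;` reuses the allocation-failure return value, so a caller cannot tell "nothing to send" from "vmalloc failed"; how callers treat a NULL result is outside this hunk. I would at least make the skip visible with a comment, `/* zero-length attributes are not legal on the wire; skip rather than allocate */`, or a LLV_DEBUG plog, so an empty value coming from the configuration is not dropped without a trace. isakmp_cfg_varlen() continues beyond this hunk.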



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-02-05 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Feb  5 11:36:18 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c

Log Message:
Fix source port selection


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.30 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.29 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.30
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.29	Sun Jan  1 15:54:51 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Tue Feb  5 11:36:17 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.29 2012/01/01 15:54:51 tteras Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.30 2013/02/05 11:36:17 tteras Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras timo.te...@iki.fi.
@@ -274,13 +274,24 @@ myaddr_getsport(addr)
 	struct sockaddr *addr;
 {
 	struct myaddr *my;
+	int port = 0, wport;
 
 	LIST_FOREACH(my, opened, chain) {
-		if (cmpsaddr((struct sockaddr *) my-addr, addr) = CMPSADDR_WILDPORT_MATCH)
+		switch (cmpsaddr((struct sockaddr *) my-addr, addr)) {
+		case CMPSADDR_MATCH:
 			return extract_port((struct sockaddr *) my-addr);
+		case CMPSADDR_WILDPORT_MATCH:
+			wport = extract_port((struct sockaddr *) my-addr);
+			if (port == 0 || wport  port)
+port = wport;
+			break;
+		}
 	}
 
-	return -1;
+	if (port == 0)
+		port = PORT_ISAKMP;
+
+	return port;
 }
 
 void
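Review bot: The new `switch` on cmpsaddr() has no `default:` label, so any other result is silently ignored; a `default: break;` makes that intent explicit and keeps -Wswitch quiet if the result is an enum. The function also changes its not-found contract from returning -1 to returning PORT_ISAKMP, which callers that tested for -1 can no longer distinguish from a real match; a one-line comment above the function stating that it now always yields a usable port, falling back to PORT_ISAKMP, would document this. The function header is in this hunk, so the change is self-contained.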



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-02-04 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Feb  5 06:22:29 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_xauth.c

Log Message:
From Ian West i...@niw.com.au: Fix double free of the radius info on
config reload.


To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.25 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.24 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.25
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.24	Tue Nov 15 13:51:23 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Tue Feb  5 06:22:29 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.24 2011/11/15 13:51:23 tteras Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.25 2013/02/05 06:22:29 tteras Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -458,10 +458,14 @@ xauth_radius_init_conf(int free)
 			vfree(xauth_rad_config.acct_server_list[i].host);
 			vfree(xauth_rad_config.acct_server_list[i].secret);
 		}
-		if (radius_auth_state != NULL)
+		if (radius_auth_state != NULL) {
 			rad_close(radius_auth_state);
-		if (radius_acct_state != NULL)
+			radius_auth_state = NULL;
+		}
+		if (radius_acct_state != NULL) {
 			rad_close(radius_acct_state);
+			radius_acct_state = NULL;
+		}
 	}
 
 	/* initialize radius config */
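Review bot: The fix clears `radius_auth_state`/`radius_acct_state` after rad_close() but nothing in the hunk says why, and the `vfree()` calls on the server-list entries just above do not clear their pointers; presumably the config struct is re-initialised right after (the `/* initialize radius config */` comment suggests so), whereas the two state handles are file-scope and survive a reload, which is what produced the double free. A comment on the first `if`, `/* rad_close() frees the handle; clear it so a later reload cannot close it twice */`, would keep the next maintainer from "simplifying" it back. xauth_radius_init_conf() starts before this hunk.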



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-01-23 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Thu Jan 24 06:47:51 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_inf.c

Log Message:
Fix handling of deletion notification.


To generate a diff of this commit:
cvs rdiff -u -r1.48 -r1.49 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.48 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.49
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.48	Wed Aug 29 12:01:30 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Thu Jan 24 06:47:50 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.c,v 1.48 2012/08/29 12:01:30 tteras Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.49 2013/01/24 06:47:50 tteras Exp $	*/
 
 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
 
@@ -492,7 +492,7 @@ isakmp_info_recv_d(iph1, delete, msgid, 
 		delete payload for protocol %s\n,
 		s_ipsecdoi_proto(delete-proto_id));
 
-	if(!iph1-rmconf-weak_phase1_check  !encrypted) {
+	if((iph1 == NULL || !iph1-rmconf-weak_phase1_check)  !encrypted) {
 		plog(LLV_WARNING, LOCATION, iph1-remote,
 			Ignoring unencrypted delete payload 
 			(check the weak_phase1_check option)\n);
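Review bot: The widened condition admits `iph1 == NULL`, but the plog() call inside the branch still passes `iph1->remote` as its address argument, so the exact case the change is meant to handle now dereferences a null pointer; since this is the unencrypted-delete path, that appears reachable by a peer without an established phase 1, turning the intended "ignore" into a crash. Change the call to `plog(LLV_WARNING, LOCATION, iph1 != NULL ? iph1->remote : NULL,`, which matches the NULL-address form the debug plogs elsewhere in this file already use. Whether later code in isakmp_info_recv_d() also dereferences iph1 is outside this hunk.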



CVS commit: src/crypto/dist/ipsec-tools/src/include-glibc

2013-01-08 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Jan  8 12:38:40 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/include-glibc: Makefile.am

Log Message:
Don't dereference the directory symlink which we might be recreating.


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1 -r1.2 \
src/crypto/dist/ipsec-tools/src/include-glibc/Makefile.am

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/include-glibc/Makefile.am
diff -u src/crypto/dist/ipsec-tools/src/include-glibc/Makefile.am:1.1.1.1 src/crypto/dist/ipsec-tools/src/include-glibc/Makefile.am:1.2
--- src/crypto/dist/ipsec-tools/src/include-glibc/Makefile.am:1.1.1.1	Sat Feb 12 11:11:22 2005
+++ src/crypto/dist/ipsec-tools/src/include-glibc/Makefile.am	Tue Jan  8 12:38:40 2013
@@ -1,6 +1,6 @@
 
 .includes: ${top_builddir}/config.status
-	ln -sf $(KERNEL_INCLUDE)/linux
+	ln -snf $(KERNEL_INCLUDE)/linux
 	touch .includes
 
 all: .includes



CVS commit: src/crypto/dist/ipsec-tools

2013-01-08 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Jan  8 12:42:32 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools: configure.ac

Log Message:
Fix errors from automake 1.13


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 src/crypto/dist/ipsec-tools/configure.ac

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/configure.ac
diff -u src/crypto/dist/ipsec-tools/configure.ac:1.12 src/crypto/dist/ipsec-tools/configure.ac:1.13
--- src/crypto/dist/ipsec-tools/configure.ac:1.12	Mon Dec 24 08:46:27 2012
+++ src/crypto/dist/ipsec-tools/configure.ac	Tue Jan  8 12:42:31 2013
@@ -4,14 +4,13 @@ dnl Id: configure.ac,v 1.77 2006/07/20 1
 AC_PREREQ(2.52)
 AC_INIT(ipsec-tools, CVS)
 AC_CONFIG_SRCDIR([configure.ac])
-AM_CONFIG_HEADER(config.h)
+AC_CONFIG_HEADERS(config.h)
 
 AM_INIT_AUTOMAKE(dist-bzip2)
 
 AC_ENABLE_SHARED(no)
 
 AC_PROG_CC
-AM_PROG_CC_STDC
 AC_HEADER_STDC
 AC_PROG_LIBTOOL
 AC_PROG_YACC



CVS commit: src/crypto/dist/ipsec-tools

2012-12-24 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Mon Dec 24 08:46:27 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools: configure.ac
src/crypto/dist/ipsec-tools/src/racoon: crypto_openssl.c
src/crypto/dist/ipsec-tools/src/racoon/missing/crypto/sha2: sha2.c

Log Message:
From Götz Babin-Ebell g.babin-eb...@novamedia.de:
Require OpenSSL 0.9.8s or higher


To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 src/crypto/dist/ipsec-tools/configure.ac
cvs rdiff -u -r1.22 -r1.23 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
cvs rdiff -u -r1.4 -r1.5 \
src/crypto/dist/ipsec-tools/src/racoon/missing/crypto/sha2/sha2.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/configure.ac
diff -u src/crypto/dist/ipsec-tools/configure.ac:1.11 src/crypto/dist/ipsec-tools/configure.ac:1.12
--- src/crypto/dist/ipsec-tools/configure.ac:1.11	Tue Jan 10 12:07:30 2012
+++ src/crypto/dist/ipsec-tools/configure.ac	Mon Dec 24 08:46:27 2012
@@ -207,12 +207,12 @@ AC_MSG_CHECKING(openssl version)
 AC_TRY_COMPILE(
 [#include openssl/opensslv.h
 ],
-[#if OPENSSL_VERSION_NUMBER  0x0090602fL
+[#if OPENSSL_VERSION_NUMBER  0x0090813fL
 #error OpenSSL version is too old ...
 #endif],
 [AC_MSG_RESULT([ok])],
 [AC_MSG_RESULT(too old)
-AC_MSG_ERROR([OpenSSL version must be 0.9.6 or higher. Aborting.])
+AC_MSG_ERROR([OpenSSL version must be 0.9.8s or higher. Aborting.])
 ])
 
 AC_CHECK_HEADERS(openssl/engine.h)

Index: src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.22 src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.23
--- src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.22	Thu Nov 29 15:31:24 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c	Mon Dec 24 08:46:27 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.c,v 1.22 2012/11/29 15:31:24 vanhu Exp $	*/
+/*	$NetBSD: crypto_openssl.c,v 1.23 2012/12/24 08:46:27 tteras Exp $	*/
 
 /* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
 
@@ -44,8 +44,8 @@
 /* get openssl/ssleay version number */
 #include openssl/opensslv.h
 
-#if !defined(OPENSSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER  0x0090602fL)
-#error OpenSSL version 0.9.6 or later required.
+#if !defined(OPENSSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER  0x0090813fL)
+#error OpenSSL version 0.9.8s or later required.
 #endif
 
 #include openssl/pem.h
@@ -91,12 +91,7 @@
 #endif
 #include plog.h
 
-/* 0.9.7 stuff? */
-#if OPENSSL_VERSION_NUMBER  0x0090700fL
-typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES;
-#else
 #define USE_NEW_DES_API
-#endif
 
 #define OpenSSL_BUG()	do { plog(LLV_ERROR, LOCATION, NULL, OpenSSL function failed\n); } while(0)
 
@@ -505,10 +500,8 @@ eay_check_x509cert(cert, CApath, CAfile,
 	if (csc == NULL)
 		goto end;
 	X509_STORE_CTX_init(csc, cert_ctx, x509, NULL);
-#if OPENSSL_VERSION_NUMBER = 0x00907000L
 	X509_STORE_CTX_set_flags (csc, X509_V_FLAG_CRL_CHECK);
 	X509_STORE_CTX_set_flags (csc, X509_V_FLAG_CRL_CHECK_ALL);
-#endif
 	error = X509_verify_cert(csc);
 	X509_STORE_CTX_free(csc);
 

Index: src/crypto/dist/ipsec-tools/src/racoon/missing/crypto/sha2/sha2.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/missing/crypto/sha2/sha2.c:1.4 src/crypto/dist/ipsec-tools/src/racoon/missing/crypto/sha2/sha2.c:1.5
--- src/crypto/dist/ipsec-tools/src/racoon/missing/crypto/sha2/sha2.c:1.4	Sat Sep  9 16:22:36 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/missing/crypto/sha2/sha2.c	Mon Dec 24 08:46:27 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: sha2.c,v 1.4 2006/09/09 16:22:36 manu Exp $	*/
+/*	$NetBSD: sha2.c,v 1.5 2012/12/24 08:46:27 tteras Exp $	*/
 
 /* Id: sha2.c,v 1.6 2004/09/21 14:35:25 ludvigm Exp */
 
@@ -56,9 +56,7 @@
 #define bzero(a, b) memset((a), 0, (b))
 #define panic(a) err(1, (a))
 
-#if OPENSSL_VERSION_NUMBER = 0x00907000L
 #define HAVE_EVP_097
-#endif
 
 /*
  * ASSERT NOTE:



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2012-12-24 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Mon Dec 24 14:50:04 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: crypto_openssl.c

Log Message:
From Götz Babin-Ebell g.babin-eb...@novamedia.de: Smarter X.509 subject
name compare.


To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.24 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.23 src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.24
--- src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.23	Mon Dec 24 08:46:27 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c	Mon Dec 24 14:50:04 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.c,v 1.23 2012/12/24 08:46:27 tteras Exp $	*/
+/*	$NetBSD: crypto_openssl.c,v 1.24 2012/12/24 14:50:04 tteras Exp $	*/
 
 /* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
 
@@ -280,145 +280,6 @@ out:
 }
 
 /*
- * The following are derived from code in crypto/x509/x509_cmp.c
- * in OpenSSL0.9.7c:
- * X509_NAME_wildcmp() adds wildcard matching to the original
- * X509_NAME_cmp(), nocase_cmp() and nocase_spacenorm_cmp() are as is.
- */
-#include ctype.h
-/* Case insensitive string comparision */
-static int nocase_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
-{
-	int i;
-
-	if (a-length != b-length)
-		return (a-length - b-length);
-
-	for (i=0; ia-length; i++)
-	{
-		int ca, cb;
-
-		ca = tolower(a-data[i]);
-		cb = tolower(b-data[i]);
-
-		if (ca != cb)
-			return(ca-cb);
-	}
-	return 0;
-}
-
-/* Case insensitive string comparision with space normalization 
- * Space normalization - ignore leading, trailing spaces, 
- *   multiple spaces between characters are replaced by single space  
- */
-static int nocase_spacenorm_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
-{
-	unsigned char *pa = NULL, *pb = NULL;
-	int la, lb;
-	
-	la = a-length;
-	lb = b-length;
-	pa = a-data;
-	pb = b-data;
-
-	/* skip leading spaces */
-	while (la  0  isspace(*pa))
-	{
-		la--;
-		pa++;
-	}
-	while (lb  0  isspace(*pb))
-	{
-		lb--;
-		pb++;
-	}
-
-	/* skip trailing spaces */
-	while (la  0  isspace(pa[la-1]))
-		la--;
-	while (lb  0  isspace(pb[lb-1]))
-		lb--;
-
-	/* compare strings with space normalization */
-	while (la  0  lb  0)
-	{
-		int ca, cb;
-
-		/* compare character */
-		ca = tolower(*pa);
-		cb = tolower(*pb);
-		if (ca != cb)
-			return (ca - cb);
-
-		pa++; pb++;
-		la--; lb--;
-
-		if (la = 0 || lb = 0)
-			break;
-
-		/* is white space next character ? */
-		if (isspace(*pa)  isspace(*pb))
-		{
-			/* skip remaining white spaces */
-			while (la  0  isspace(*pa))
-			{
-la--;
-pa++;
-			}
-			while (lb  0  isspace(*pb))
-			{
-lb--;
-pb++;
-			}
-		}
-	}
-	if (la  0 || lb  0)
-		return la - lb;
-
-	return 0;
-}
-
-static int X509_NAME_wildcmp(const X509_NAME *a, const X509_NAME *b)
-{
-int i,j;
-X509_NAME_ENTRY *na,*nb;
-
-if (sk_X509_NAME_ENTRY_num(a-entries)
-	!= sk_X509_NAME_ENTRY_num(b-entries))
-	return sk_X509_NAME_ENTRY_num(a-entries)
-	  -sk_X509_NAME_ENTRY_num(b-entries);
-for (i=sk_X509_NAME_ENTRY_num(a-entries)-1; i=0; i--)
-{
-	na=sk_X509_NAME_ENTRY_value(a-entries,i);
-	nb=sk_X509_NAME_ENTRY_value(b-entries,i);
-	j=OBJ_cmp(na-object,nb-object);
-	if (j) return(j);
-	if ((na-value-length == 1  na-value-data[0] == '*')
-	 || (nb-value-length == 1  nb-value-data[0] == '*'))
-		continue;
-	j=na-value-type-nb-value-type;
-	if (j) return(j);
-	if (na-value-type == V_ASN1_PRINTABLESTRING)
-		j=nocase_spacenorm_cmp(na-value, nb-value);
-	else if (na-value-type == V_ASN1_IA5STRING
-		 OBJ_obj2nid(na-object) == NID_pkcs9_emailAddress)
-		j=nocase_cmp(na-value, nb-value);
-	else
-		{
-		j=na-value-length-nb-value-length;
-		if (j) return(j);
-		j=memcmp(na-value-data,nb-value-data,
-			na-value-length);
-		}
-	if (j) return(j);
-	j=na-set-nb-set;
-	if (j) return(j);
-}
-
-return(0);
-}
-
-/*
  * compare two subjectNames.
  * OUT:0: equal
  *	positive:
@@ -430,16 +291,49 @@ eay_cmp_asn1dn(n1, n2)
 {
 	X509_NAME *a = NULL, *b = NULL;
 	caddr_t p;
+	char oneLine[512];
 	int i = -1;
+	int idx;
 
 	p = n1-v;
-	if (!d2i_X509_NAME(a, (void *)p, n1-l))
+	if (!d2i_X509_NAME(a, (void *)p, n1-l)) {
+		plog(LLV_ERROR, LOCATION, NULL, eay_cmp_asn1dn: first dn not a dn);
 		goto end;
+	}
+	plog(LLV_DEBUG, LOCATION, NULL, 1st name: %s\n, X509_NAME_oneline(a, oneLine, sizeof(oneLine)));
 	p = n2-v;
-	if (!d2i_X509_NAME(b, (void *)p, n2-l))
+	if (!d2i_X509_NAME(b, (void *)p, n2-l)) {
+		plog(LLV_ERROR, LOCATION, NULL, eay_cmp_asn1dn: second dn not a dn);
 		goto end;
+	}
+	plog(LLV_DEBUG, LOCATION, NULL, 2nd name: %s\n, 

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2012-11-30 Thread Thomas Klausner
Module Name:src
Committed By:   wiz
Date:   Fri Nov 30 08:19:01 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: racoon.conf.5

Log Message:
Bump date for previous.


To generate a diff of this commit:
cvs rdiff -u -r1.65 -r1.66 \
src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
diff -u src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.65 src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.66
--- src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.65	Thu Nov 29 15:31:25 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5	Fri Nov 30 08:19:01 2012
@@ -1,4 +1,4 @@
-.\	$NetBSD: racoon.conf.5,v 1.65 2012/11/29 15:31:25 vanhu Exp $
+.\	$NetBSD: racoon.conf.5,v 1.66 2012/11/30 08:19:01 wiz Exp $
 .\
 .\	Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
 .\
@@ -29,7 +29,7 @@
 .\ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\ SUCH DAMAGE.
 .\
-.Dd November 15, 2011
+.Dd November 29, 2012
 .Dt RACOON.CONF 5
 .Os
 .\



CVS commit: src/crypto/dist/ipsec-tools/src

2012-11-29 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Thu Nov 29 15:31:25 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: algorithm.c algorithm.h
cfparse.y cftoken.l crypto_openssl.c crypto_openssl.h ipsec_doi.c
ipsec_doi.h pfkey.c racoon.conf.5 strnames.c
src/crypto/dist/ipsec-tools/src/setkey: token.l

Log Message:
Added support for AES GCM 16 in phase2 negotiations. Code from Christophe Carre
/ NETASQ


To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 src/crypto/dist/ipsec-tools/src/racoon/algorithm.c
cvs rdiff -u -r1.5 -r1.6 src/crypto/dist/ipsec-tools/src/racoon/algorithm.h
cvs rdiff -u -r1.47 -r1.48 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y \
src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
cvs rdiff -u -r1.26 -r1.27 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
cvs rdiff -u -r1.21 -r1.22 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
cvs rdiff -u -r1.7 -r1.8 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h
cvs rdiff -u -r1.13 -r1.14 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.h
cvs rdiff -u -r1.58 -r1.59 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c
cvs rdiff -u -r1.64 -r1.65 \
src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
cvs rdiff -u -r1.9 -r1.10 src/crypto/dist/ipsec-tools/src/racoon/strnames.c
cvs rdiff -u -r1.17 -r1.18 src/crypto/dist/ipsec-tools/src/setkey/token.l

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/algorithm.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/algorithm.c:1.8 src/crypto/dist/ipsec-tools/src/racoon/algorithm.c:1.9
--- src/crypto/dist/ipsec-tools/src/racoon/algorithm.c:1.8	Fri Oct  6 12:02:27 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/algorithm.c	Thu Nov 29 15:31:24 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: algorithm.c,v 1.8 2006/10/06 12:02:27 manu Exp $	*/
+/*	$NetBSD: algorithm.c,v 1.9 2012/11/29 15:31:24 vanhu Exp $	*/
 
 /* Id: algorithm.c,v 1.15 2006/05/23 20:23:09 manubsd Exp */
 
@@ -165,6 +165,9 @@ static struct enc_algorithm ipsec_encdef
 { aes,	algtype_aes,		IPSECDOI_ESP_AES,		16,
 		NULL,			NULL,
 		NULL,			eay_aes_keylen, },
+{ aes_gcm_16,	algtype_aesgcm16,		IPSECDOI_ESP_AESGCM16,		16,
+		NULL,			NULL,
+		NULL,			eay_aesgcm_keylen, },
 { twofish,	algtype_twofish,	IPSECDOI_ESP_TWOFISH,		16,
 		NULL,			NULL,
 		NULL,			eay_twofish_keylen, },
@@ -798,6 +801,7 @@ default_keylen(class, type)
 	case algtype_rc5:
 	case algtype_cast128:
 	case algtype_aes:
+	case algtype_aesgcm16:
 	case algtype_twofish:
 	case algtype_camellia:
 		return 128;
@@ -834,6 +838,7 @@ check_keylen(class, type, len)
 	case algtype_rc5:
 	case algtype_cast128:
 	case algtype_aes:
+	case algtype_aesgcm16:
 	case algtype_twofish:
 	case algtype_camellia:
 		if (len % 8 != 0) {
@@ -863,6 +868,10 @@ check_keylen(class, type, len)
 		if (!(len == 128 || len == 192 || len == 256))
 			badrange++;
 		break;
+	case algtype_aesgcm16:
+		if (!(len == 128 || len == 192 || len == 256))
+			badrange++;
+		break;
 	case algtype_twofish:
 		if (len  40 || 256  len)
 			badrange++;
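Review bot: The new `case algtype_aesgcm16:` in the range check duplicates the `algtype_aes` case directly above it (same 128/192/256 test), so the label could simply be added to that case, `case algtype_aes: case algtype_aesgcm16:`, as the commit already does for the `len % 8` group in the earlier hunk. The value validated here is the configured key length, not the keymat length that includes the GCM salt, so a comment on the case would avoid confusion, `/* aes_gcm_16: key length only; keymat is larger (see cfparse.y) */` — the cfparse.y hunk in this commit describes keymat as key + 4 bytes. check_keylen() continues outside this hunk.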

Index: src/crypto/dist/ipsec-tools/src/racoon/algorithm.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/algorithm.h:1.5 src/crypto/dist/ipsec-tools/src/racoon/algorithm.h:1.6
--- src/crypto/dist/ipsec-tools/src/racoon/algorithm.h:1.5	Fri Oct  6 12:02:27 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/algorithm.h	Thu Nov 29 15:31:24 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: algorithm.h,v 1.5 2006/10/06 12:02:27 manu Exp $	*/
+/*	$NetBSD: algorithm.h,v 1.6 2012/11/29 15:31:24 vanhu Exp $	*/
 
 /* Id: algorithm.h,v 1.10 2005/04/09 16:25:23 manubsd Exp */
 
@@ -69,6 +69,7 @@ enum algtype {
 	algtype_rc4,
 	algtype_null_enc,
 	algtype_aes,
+	algtype_aesgcm16,
 	algtype_twofish,
 	algtype_camellia,
 
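Review bot: `algtype_aesgcm16` is inserted in the middle of `enum algtype`, which renumbers `algtype_twofish`, `algtype_camellia` and every constant after them; if these values are ever stored, used to index a table by position, or passed across a binary boundary such as the admin socket, that is a silent incompatibility — nothing in the hunk shows either way. Appending the new member at the end of the enum avoids the shift; if the current placement is deliberate, a comment such as `/* NOTE: value order matters — <reason> */` should say why. The enum body continues outside this hunk.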

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.47 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.48
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.47	Sun Jan  1 16:14:11 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Thu Nov 29 15:31:24 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.47 2012/01/01 16:14:11 tteras Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.48 2012/11/29 15:31:24 vanhu Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -1722,6 +1722,7 @@ algorithm
 	:	ALGORITHMTYPE keylength
 		{
 			int defklen;
+			int encklen_tmp;
 
 			$$ = newsainfoalg();
 			if ($$ == NULL) {
@@ -1754,9 +1755,35 @@ algorithm
 			else
 $$-encklen = defklen;
 
+			/* Check keymat size instead of human key size
+			 * because kernel store keymat size instead of human key size.
+			 * For example, the keymat size of aes_gcm_16 128 is 160 bits
+			 * (128 bits + 4 bytes) instead of 128 bits.
+			 *
+			 * Currently, it is only useful for aes_gcm_16 (ipsec_enc).
+			 */
+			if (cur_algclass 

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2012-08-29 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Wed Aug 29 11:24:12 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: oakley.c

Log Message:
From Roman Hoog Antink r...@open.ch: do not print unnecessary warning
about non-verified certificate when using raw plain-rsa.


To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 src/crypto/dist/ipsec-tools/src/racoon/oakley.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/oakley.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.22 src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.23
--- src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.22	Thu Mar 17 14:42:58 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/oakley.c	Wed Aug 29 11:24:11 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: oakley.c,v 1.22 2011/03/17 14:42:58 vanhu Exp $	*/
+/*	$NetBSD: oakley.c,v 1.23 2012/08/29 11:24:11 tteras Exp $	*/
 
 /* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */
 
@@ -1288,6 +1288,7 @@ oakley_validate_auth(iph1)
 {
 	vchar_t *my_hash = NULL;
 	int result;
+	int no_verify_needed = -1;
 #ifdef HAVE_GSSAPI
 	vchar_t *gsshash = NULL;
 #endif
@@ -1361,8 +1362,6 @@ oakley_validate_auth(iph1)
 		plog(LLV_DEBUG, LOCATION, NULL, HASH for PSK validated.\n);
 	}
 		break;
-	case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
-	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
 #ifdef ENABLE_HYBRID
 	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
 	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
@@ -1370,7 +1369,10 @@ oakley_validate_auth(iph1)
 	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
 	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
 	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
+		no_verify_needed = 0;
 #endif
+	case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
+	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
 	{
 		int error = 0;
 		int certtype;
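Review bot: The new `no_verify_needed = 0;` falls through from the hybrid/XAUTH labels into `OAKLEY_ATTR_AUTH_METHOD_DSSSIG`/`RSASIG` without a marker, which is exactly the shape `-Wimplicit-fallthrough` flags and that a later reader may "fix" by adding a `break`, silently skipping signature validation for those methods. Mark it explicitly right after the assignment: `/* FALLTHROUGH: hybrid/xauth still require the peer's certificate */`. The enclosing `switch` starts before this hunk.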
@@ -1454,6 +1456,9 @@ oakley_validate_auth(iph1)
 		case ISAKMP_CERT_PLAINRSA:
 			if (get_plainrsa_fromlocal(iph1, 0))
 return ISAKMP_INTERNAL_ERROR;
+			/* suppress CERT validation warning, unless hybrid mode in use */
+			if (no_verify_needed == -1)
+no_verify_needed = 1;
 			break;
 		case ISAKMP_CERT_DNS:
 			/* don't use received cert */
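Review bot: `no_verify_needed` is a tri-state whose values are assigned in three different hunks, and nothing at its declaration says what -1, 0 and 1 mean, so the warning-suppression logic later in the function cannot be reviewed locally. Document it where it is declared: `int no_verify_needed = -1; /* -1: not decided, 0: hybrid/xauth (cert must be verified), 1: raw RSA key, nothing to verify */`. The comment added here says "unless hybrid mode in use", but it is really the `#ifdef ENABLE_HYBRID` branch assigning 0 first that makes this `== -1` test work, and a reader of this hunk alone cannot see that. The declaration is in an earlier hunk of this diff, outside this one.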
@@ -1480,12 +1485,12 @@ oakley_validate_auth(iph1)
 		if ((error = oakley_check_certid(iph1)) != 0)
 			return error;
 
-		/* Generate a warning if verify_cert */
+		/* Generate a warning unless verify_cert */
 		if (iph1-rmconf-verify_cert) {
-			plog(LLV_DEBUG, LOCATION, NULL,
+			plog(LLV_DEBUG, LOCATION, iph1-remote,
 			 CERT validated\n);
-		} else {
-			plog(LLV_WARNING, LOCATION, NULL,
+		} else if (no_verify_needed != 1) {
+			plog(LLV_WARNING, LOCATION, iph1-remote,
 			 CERT validation disabled by configuration\n);
 		}
 



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2012-08-29 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Wed Aug 29 11:34:37 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: oakley.c

Log Message:
From Roman Hoog Antink r...@open.ch: add remote's IP address to the
certificate not verified error message.


To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.24 src/crypto/dist/ipsec-tools/src/racoon/oakley.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/oakley.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.23 src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.24
--- src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.23	Wed Aug 29 11:24:11 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/oakley.c	Wed Aug 29 11:34:37 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: oakley.c,v 1.23 2012/08/29 11:24:11 tteras Exp $	*/
+/*	$NetBSD: oakley.c,v 1.24 2012/08/29 11:34:37 tteras Exp $	*/
 
 /* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */
 
@@ -1434,7 +1434,7 @@ oakley_validate_auth(iph1)
 			}
 
 			if (error != 0) {
-plog(LLV_ERROR, LOCATION, NULL,
+plog(LLV_ERROR, LOCATION, iph1-remote,
  the peer's certificate is not verified.\n);
 return ISAKMP_NTYPE_INVALID_CERT_AUTHORITY;
 			}



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2012-08-29 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Wed Aug 29 12:01:30 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_inf.c

Log Message:
From Roman Hoog Antink r...@open.ch: Accept DPD messages with cookies
also in reversed order for compatibility. At least Cisco 836 running
IOS 12.3(8)T does this.


To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.48 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.47 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.48
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.47	Tue Mar 15 13:20:14 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Wed Aug 29 12:01:30 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.c,v 1.47 2011/03/15 13:20:14 vanhu Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.48 2012/08/29 12:01:30 tteras Exp $	*/
 
 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
 
@@ -1465,8 +1465,11 @@ isakmp_info_recv_r_u_ack (iph1, ru, msgi
 		return 0;
 	}
 
-	if (memcmp(ru-i_ck, iph1-index.i_ck, sizeof(cookie_t)) ||
-	memcmp(ru-r_ck, iph1-index.r_ck, sizeof(cookie_t))) {
+	/* accept cookies in original or reversed order */
+	if ((memcmp(ru-i_ck, iph1-index.i_ck, sizeof(cookie_t)) ||
+	 memcmp(ru-r_ck, iph1-index.r_ck, sizeof(cookie_t))) 
+	(memcmp(ru-r_ck, iph1-index.i_ck, sizeof(cookie_t)) ||
+	 memcmp(ru-i_ck, iph1-index.r_ck, sizeof(cookie_t {
 		plog(LLV_ERROR, LOCATION, iph1-remote,
 			 Cookie mismatch in DPD ACK!.\n);
 		return 0;
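Review bot: The new condition accepts the R-U-THERE-ACK cookies in either order but gives a reader no way to tell that this is a deliberate interoperability relaxation rather than a mistake, and two nested memcmp pairs are easy to misread. I would put the rationale next to it: `/* Some peers (Cisco IOS 12.3(8)T) swap i_ck/r_ck in the DPD ACK; accept both orders. This only relaxes a consistency check: the payload is still bound to this phase1 by the HASH check done earlier on the receive path. */`. That HASH check is not in this hunk, so confirm it actually precedes this function before relying on it in the comment. A LLV_DEBUG line when only the swapped form matched would also make such peers visible in logs instead of silently tolerated.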
@@ -1477,7 +1480,7 @@ isakmp_info_recv_r_u_ack (iph1, ru, msgi
 	sched_cancel(iph1-dpd_r_u);
 	isakmp_sched_r_u(iph1, 0);
 
-	plog(LLV_DEBUG, LOCATION, NULL, received an R-U-THERE-ACK\n);
+	plog(LLV_DEBUG, LOCATION, iph1-remote, received an R-U-THERE-ACK\n);
 
 	return 0;
 }



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2012-08-15 Thread Emmanuel Dreyfus
Module Name:src
Committed By:   manu
Date:   Wed Aug 15 14:51:30 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: crypto_openssl.c

Log Message:
Fix make test on powermac G5. Patch from Nakano Takaharu


To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.21 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.20 src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.21
--- src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.20	Wed Oct 20 13:40:02 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c	Wed Aug 15 14:51:30 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.c,v 1.20 2010/10/20 13:40:02 tteras Exp $	*/
+/*	$NetBSD: crypto_openssl.c,v 1.21 2012/08/15 14:51:30 manu Exp $	*/
 
 /* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
 
@@ -2501,7 +2501,7 @@ eay_bn2v(var, bn)
 	vchar_t **var;
 	BIGNUM *bn;
 {
-	*var = vmalloc(bn-top * BN_BYTES);
+	*var = vmalloc(BN_num_bytes(bn));
 	if (*var == NULL)
 		return(-1);
 
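Review bot: `BN_num_bytes(bn)` is the minimal big-endian length, so the allocated vchar now drops leading zero octets and is zero-length for a zero BIGNUM, where `bn->top * BN_BYTES` over-allocated. That is the right size for a `BN_bn2bin` fill, but any caller that needs a fixed-width encoding — Diffie-Hellman public values and shared secrets sized to the group prime are the usual IKE case — must pad on its own and must not infer the length from this buffer; variable-length DH secrets also leak the count of leading zero bytes into key-derivation timing. I would say so above the function: `/* Encodes bn as minimal big-endian bytes (leading zeros stripped, 0 bytes for zero). Callers needing fixed-width output must pad. */`, and make sure the caller tolerates a `vmalloc(0)` result. The rest of `eay_bn2v`, presumably including the `BN_bn2bin` call, is outside this hunk.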



CVS commit: src/crypto/dist/ipsec-tools/src/setkey

2012-02-18 Thread Matthias Drochner
Module Name:src
Committed By:   drochner
Date:   Sat Feb 18 13:42:46 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/setkey: setkey.8

Log Message:
mention esp-udp


To generate a diff of this commit:
cvs rdiff -u -r1.32 -r1.33 src/crypto/dist/ipsec-tools/src/setkey/setkey.8

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/setkey/setkey.8
diff -u src/crypto/dist/ipsec-tools/src/setkey/setkey.8:1.32 src/crypto/dist/ipsec-tools/src/setkey/setkey.8:1.33
--- src/crypto/dist/ipsec-tools/src/setkey/setkey.8:1.32	Thu Jan 26 21:54:26 2012
+++ src/crypto/dist/ipsec-tools/src/setkey/setkey.8	Sat Feb 18 13:42:45 2012
@@ -1,4 +1,4 @@
-.\	$NetBSD: setkey.8,v 1.32 2012/01/26 21:54:26 wiz Exp $
+.\	$NetBSD: setkey.8,v 1.33 2012/02/18 13:42:45 drochner Exp $
 .\
 .\ Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
 .\ All rights reserved.
@@ -255,6 +255,8 @@ is one of following:
 ESP based on rfc2406
 .It Li esp-old
 ESP based on rfc1827
+.It Li esp-udp
+UDP encapsulated ESP for NAT traversal (rfc3948)
 .It Li ah
 AH based on rfc2402
 .It Li ah-old



CVS commit: src/crypto/dist/ipsec-tools/src/setkey

2012-02-18 Thread Thomas Klausner
Module Name:src
Committed By:   wiz
Date:   Sat Feb 18 13:51:29 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/setkey: setkey.8

Log Message:
Bump date for previous.


To generate a diff of this commit:
cvs rdiff -u -r1.33 -r1.34 src/crypto/dist/ipsec-tools/src/setkey/setkey.8

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/setkey/setkey.8
diff -u src/crypto/dist/ipsec-tools/src/setkey/setkey.8:1.33 src/crypto/dist/ipsec-tools/src/setkey/setkey.8:1.34
--- src/crypto/dist/ipsec-tools/src/setkey/setkey.8:1.33	Sat Feb 18 13:42:45 2012
+++ src/crypto/dist/ipsec-tools/src/setkey/setkey.8	Sat Feb 18 13:51:29 2012
@@ -1,4 +1,4 @@
-.\	$NetBSD: setkey.8,v 1.33 2012/02/18 13:42:45 drochner Exp $
+.\	$NetBSD: setkey.8,v 1.34 2012/02/18 13:51:29 wiz Exp $
 .\
 .\ Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
 .\ All rights reserved.
@@ -27,7 +27,7 @@
 .\ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\ SUCH DAMAGE.
 .\
-.Dd January 26, 2012
+.Dd February 18, 2012
 .Dt SETKEY 8
 .Os
 .\



CVS commit: src/crypto/dist/ipsec-tools/src/libipsec

2012-02-13 Thread Thomas Klausner
Module Name:src
Committed By:   wiz
Date:   Mon Feb 13 13:03:06 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/libipsec: pfkey.c

Log Message:
Use the correct constant.
From FreeBSD via Henning Petersen in PR 46005.


To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.24 src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c
diff -u src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c:1.23 src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c:1.24
--- src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c:1.23	Mon Jan  9 15:25:13 2012
+++ src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c	Mon Feb 13 13:03:06 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: pfkey.c,v 1.23 2012/01/09 15:25:13 drochner Exp $	*/
+/*	$NetBSD: pfkey.c,v 1.24 2012/02/13 13:03:06 wiz Exp $	*/
 
 /*	$KAME: pfkey.c,v 1.47 2003/10/02 19:52:12 itojun Exp $	*/
 
@@ -710,7 +710,7 @@ pfkey_send_register(int so, u_int satype
 {
 	int len, algno;
 
-	if (satype == PF_UNSPEC) {
+	if (satype == SADB_SATYPE_UNSPEC) {
 		for (algno = 0;
 		 algno  sizeof(supported_map)/sizeof(supported_map[0]);
 		 algno++) {



CVS commit: src/crypto/dist/ipsec-tools/src/setkey

2012-01-26 Thread Matthias Drochner
Module Name:src
Committed By:   drochner
Date:   Thu Jan 26 21:11:27 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/setkey: setkey.8

Log Message:
also mention the aes-gcm ESP variants


To generate a diff of this commit:
cvs rdiff -u -r1.30 -r1.31 src/crypto/dist/ipsec-tools/src/setkey/setkey.8

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/setkey/setkey.8
diff -u src/crypto/dist/ipsec-tools/src/setkey/setkey.8:1.30 src/crypto/dist/ipsec-tools/src/setkey/setkey.8:1.31
--- src/crypto/dist/ipsec-tools/src/setkey/setkey.8:1.30	Mon Jan  9 15:41:21 2012
+++ src/crypto/dist/ipsec-tools/src/setkey/setkey.8	Thu Jan 26 21:11:27 2012
@@ -1,4 +1,4 @@
-.\	$NetBSD: setkey.8,v 1.30 2012/01/09 15:41:21 wiz Exp $
+.\	$NetBSD: setkey.8,v 1.31 2012/01/26 21:11:27 drochner Exp $
 .\
 .\ Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
 .\ All rights reserved.
@@ -726,11 +726,19 @@ rijndael-cbc	128/192/256	rfc3602
 twofish-cbc	0 to 256	draft-ietf-ipsec-ciph-aes-cbc-01
 aes-ctr		160/224/288	rfc3686
 camellia-cbc	128/192/256	rfc4312
+aes-gcm-16	160/224/288	rfc4106
+aes-gmac	160/224/288	rfc4543
 .Ed
 .Pp
 Note that the first 128/192/256 bits of a key for
-.Li aes-ctr
+.Li aes-ctr ,
+.Li aes-gcm-16
+or
+.Li aes-gmac
 will be used as AES key, and the remaining 32 bits will be used as nonce.
+Also note that
+.Li aes-gmac
+does not encrypt the payload, it only provides authentication.
 .Pp
 These compression algorithms can be used as
 .Ar calgo



CVS commit: src/crypto/dist/ipsec-tools/src/setkey

2012-01-26 Thread Thomas Klausner
Module Name:src
Committed By:   wiz
Date:   Thu Jan 26 21:54:26 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/setkey: setkey.8

Log Message:
Bump date for previous.


To generate a diff of this commit:
cvs rdiff -u -r1.31 -r1.32 src/crypto/dist/ipsec-tools/src/setkey/setkey.8

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/setkey/setkey.8
diff -u src/crypto/dist/ipsec-tools/src/setkey/setkey.8:1.31 src/crypto/dist/ipsec-tools/src/setkey/setkey.8:1.32
--- src/crypto/dist/ipsec-tools/src/setkey/setkey.8:1.31	Thu Jan 26 21:11:27 2012
+++ src/crypto/dist/ipsec-tools/src/setkey/setkey.8	Thu Jan 26 21:54:26 2012
@@ -1,4 +1,4 @@
-.\	$NetBSD: setkey.8,v 1.31 2012/01/26 21:11:27 drochner Exp $
+.\	$NetBSD: setkey.8,v 1.32 2012/01/26 21:54:26 wiz Exp $
 .\
 .\ Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
 .\ All rights reserved.
@@ -27,7 +27,7 @@
 .\ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\ SUCH DAMAGE.
 .\
-.Dd January 9, 2012
+.Dd January 26, 2012
 .Dt SETKEY 8
 .Os
 .\



CVS commit: src/crypto/dist/ipsec-tools

2012-01-10 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Jan 10 12:07:30 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools: configure.ac
src/crypto/dist/ipsec-tools/src/racoon: isakmp_unity.c

Log Message:
From Rainer Weikusat rweiku...@mobileactivedefense.com: Enhance splitnet
environment variable string value generation.


To generate a diff of this commit:
cvs rdiff -u -r1.10 -r1.11 src/crypto/dist/ipsec-tools/configure.ac
cvs rdiff -u -r1.10 -r1.11 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/configure.ac
diff -u src/crypto/dist/ipsec-tools/configure.ac:1.10 src/crypto/dist/ipsec-tools/configure.ac:1.11
--- src/crypto/dist/ipsec-tools/configure.ac:1.10	Fri Jan 23 08:25:06 2009
+++ src/crypto/dist/ipsec-tools/configure.ac	Tue Jan 10 12:07:30 2012
@@ -112,7 +112,7 @@ esac
 AC_HEADER_STDC
 AC_HEADER_SYS_WAIT
 AC_CHECK_HEADERS(limits.h sys/time.h unistd.h stdarg.h varargs.h)
-AC_CHECK_HEADERS(shadow.h)
+AC_CHECK_HEADERS(shadow.h strings.h)
 
 # Checks for typedefs, structures, and compiler characteristics.
 AC_C_CONST

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c:1.10 src/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c:1.11
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c:1.10	Sun Jan  1 17:31:42 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c	Tue Jan 10 12:07:30 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_unity.c,v 1.10 2012/01/01 17:31:42 tteras Exp $	*/
+/*	$NetBSD: isakmp_unity.c,v 1.11 2012/01/10 12:07:30 tteras Exp $	*/
 
 /* Id: isakmp_unity.c,v 1.10 2006/07/31 04:49:23 manubsd Exp */
 
@@ -62,6 +62,9 @@
 #endif
 #include ctype.h
 #include resolv.h
+#ifdef HAVE_STRINGS_H
+#include strings.h
+#endif
 
 #include var.h
 #include misc.h
@@ -399,16 +402,17 @@ char * splitnet_list_2str(list, splitnet
 	while (netentry != NULL) {
 
 		inet_ntop(AF_INET, netentry-network.addr4, tmp1, 40);
-		inet_ntop(AF_INET, netentry-network.mask4, tmp2, 40);
 		if (splitnet_ipaddr == CIDR) {
 			uint32_t tmp3;
 			int cidrmask;
 
 			tmp3 = ntohl(netentry-network.mask4.s_addr);
-			for (cidrmask = 0; tmp3 != 0; cidrmask++)
-tmp3 = 1;
+			cidrmask = 33 - ffs(tmp3);
+			if (cidrmask == 33) cidrmask = 0;
+			
 			len += sprintf(str+len, %s/%d , tmp1, cidrmask);
 		} else {
+			inet_ntop(AF_INET, netentry-network.mask4, tmp2, 40);
 			len += sprintf(str+len, %s/%s , tmp1, tmp2);
 		}
 
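Review bot: `cidrmask = 33 - ffs(tmp3)` derives the prefix length from the lowest set bit alone, so a non-contiguous netmask silently produces a prefix that does not describe it (the loop it replaces had the same blind spot, as far as the garbled line shows). A contiguous mask satisfies `(~tmp3 & (~tmp3 + 1)) == 0`; I would check that before formatting and log the bad mask: `if ((~tmp3 & (~tmp3 + 1)) != 0) plog(LLV_WARNING, LOCATION, NULL, "non-contiguous split network mask\n");`. `ffs()` takes an `int`, so masks with the top bit set go through an implementation-defined conversion — fine on two's-complement targets, but worth a one-line comment. Both `sprintf(str+len, ...)` calls are unbounded and the sizing of `str` is outside this hunk; `snprintf` with the remaining length would keep the invariant local.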



CVS commit: src/crypto/dist/ipsec-tools/src

2012-01-09 Thread Matthias Drochner
Module Name:src
Committed By:   drochner
Date:   Mon Jan  9 15:25:14 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/libipsec: key_debug.c pfkey.c
pfkey_dump.c
src/crypto/dist/ipsec-tools/src/setkey: parse.y setkey.8 token.l

Log Message:
allow setkey(8) to set and display the ESP fragment size in the NAT-T case;
userland part of PR kern/44952 by Wolfgang Stukenbrock. Only the option
name was changed to esp_frag, for consistency with the existing option of
similar effect in racoon(8).


To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 \
src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c
cvs rdiff -u -r1.22 -r1.23 src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c
cvs rdiff -u -r1.19 -r1.20 \
src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c
cvs rdiff -u -r1.14 -r1.15 src/crypto/dist/ipsec-tools/src/setkey/parse.y
cvs rdiff -u -r1.28 -r1.29 src/crypto/dist/ipsec-tools/src/setkey/setkey.8
cvs rdiff -u -r1.16 -r1.17 src/crypto/dist/ipsec-tools/src/setkey/token.l

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c
diff -u src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c:1.9 src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c:1.10
--- src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c:1.9	Fri Dec  5 06:02:20 2008
+++ src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c	Mon Jan  9 15:25:13 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: key_debug.c,v 1.9 2008/12/05 06:02:20 tteras Exp $	*/
+/*	$NetBSD: key_debug.c,v 1.10 2012/01/09 15:25:13 drochner Exp $	*/
 
 /*	$KAME: key_debug.c,v 1.29 2001/08/16 14:25:41 itojun Exp $	*/
 
@@ -85,6 +85,9 @@ static void kdebug_sockaddr __P((struct 
 #ifdef SADB_X_EXT_NAT_T_TYPE
 static void kdebug_sadb_x_nat_t_type __P((struct sadb_ext *ext));
 static void kdebug_sadb_x_nat_t_port __P((struct sadb_ext *ext));
+#ifdef SADB_X_EXT_NAT_T_FRAG
+static void kdebug_sadb_x_nat_t_frag __P((struct sadb_ext *ext));
+#endif
 #endif
 
 #ifdef SADB_X_EXT_PACKET
@@ -192,6 +195,11 @@ kdebug_sadb(base)
 		case SADB_X_EXT_NAT_T_OA:
 			kdebug_sadb_address(ext);
 			break;
+#ifdef SADB_X_EXT_NAT_T_FRAG
+		case SADB_X_EXT_NAT_T_FRAG:
+			kdebug_sadb_x_nat_t_frag(ext);
+			break;
+#endif
 #endif
 #ifdef SADB_X_EXT_PACKET
 		case SADB_X_EXT_PACKET:
@@ -543,6 +551,20 @@ kdebug_sadb_x_nat_t_port(struct sadb_ext
 
 	return;
 }
+#ifdef SADB_X_EXT_NAT_T_FRAG
+static void kdebug_sadb_x_nat_t_frag (struct sadb_ext *ext)
+{
+	struct sadb_x_nat_t_frag *esp_frag = (void *)ext;
+
+	/* sanity check */
+	if (ext == NULL)
+		panic(kdebug_sadb_x_nat_t_frag: NULL pointer was passed.\n);
+
+	printf(sadb_x_nat_t_frag{ esp_frag=%u }\n, esp_frag-sadb_x_nat_t_frag_fraglen);
+
+	return;
+}
+#endif
 #endif
 
 #ifdef SADB_X_EXT_PACKET
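Review bot: `kdebug_sadb_x_nat_t_frag` reads `esp_frag->sadb_x_nat_t_frag_fraglen` without confirming the extension is at least `sizeof(*esp_frag)` long, so a truncated or malformed PF_KEY extension makes the dumper read past it. The NULL sanity check covers only the pointer, not the length; compare the extension's `sadb_ext_len` (in 64-bit units, as for the other PF_KEY extensions) against `sizeof(*esp_frag)` and return after a diagnostic when it is short. The sibling dumpers in this file may share the pattern, but a debug path that trusts a kernel-supplied length it has not checked is still the wrong default. Moving `esp_frag = (void *)ext;` below the sanity check also reads more naturally, though it is harmless as written.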

Index: src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c
diff -u src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c:1.22 src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c:1.23
--- src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c:1.22	Mon Nov 14 13:24:04 2011
+++ src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c	Mon Jan  9 15:25:13 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: pfkey.c,v 1.22 2011/11/14 13:24:04 tteras Exp $	*/
+/*	$NetBSD: pfkey.c,v 1.23 2012/01/09 15:25:13 drochner Exp $	*/
 
 /*	$KAME: pfkey.c,v 1.47 2003/10/02 19:52:12 itojun Exp $	*/
 
@@ -2034,6 +2034,9 @@ pfkey_align(struct sadb_msg *msg, caddr_
 		case SADB_X_EXT_NAT_T_TYPE:
 		case SADB_X_EXT_NAT_T_SPORT:
 		case SADB_X_EXT_NAT_T_DPORT:
+#ifdef SADB_X_EXT_NAT_T_FRAG
+		case SADB_X_EXT_NAT_T_FRAG:
+#endif
 		case SADB_X_EXT_NAT_T_OA:
 #endif
 #ifdef SADB_X_EXT_TAG

Index: src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c
diff -u src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c:1.19 src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c:1.20
--- src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c:1.19	Thu May 26 21:50:02 2011
+++ src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c	Mon Jan  9 15:25:13 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: pfkey_dump.c,v 1.19 2011/05/26 21:50:02 drochner Exp $	*/
+/*	$NetBSD: pfkey_dump.c,v 1.20 2012/01/09 15:25:13 drochner Exp $	*/
 
 /*	$KAME: pfkey_dump.c,v 1.45 2003/09/08 10:14:56 itojun Exp $	*/
 
@@ -260,6 +260,9 @@ pfkey_sadump1(m, withports)
 	struct sadb_x_nat_t_type *natt_type;
 	struct sadb_x_nat_t_port *natt_sport, *natt_dport;
 	struct sadb_address *natt_oa;
+#ifdef SADB_X_EXT_NAT_T_FRAG
+	struct sadb_x_nat_t_frag *esp_frag;
+#endif
 
 	int use_natt = 0;
 #endif
@@ -300,6 +303,9 @@ pfkey_sadump1(m, withports)
 	natt_sport = (void *)mhp[SADB_X_EXT_NAT_T_SPORT];
 	natt_dport = (void *)mhp[SADB_X_EXT_NAT_T_DPORT];
 	natt_oa = (void *)mhp[SADB_X_EXT_NAT_T_OA];
+#ifdef SADB_X_EXT_NAT_T_FRAG
+	esp_frag = (void *)mhp[SADB_X_EXT_NAT_T_FRAG];
+#endif
 
 	if (natt_type  natt_type-sadb_x_nat_t_type_type)
 		use_natt = 1;
@@ -371,6 +377,11 @@ pfkey_sadump1(m, withports)
 	if (use_natt  natt_oa)
 		

CVS commit: src/crypto/dist/ipsec-tools/src/setkey

2012-01-09 Thread Thomas Klausner
Module Name:src
Committed By:   wiz
Date:   Mon Jan  9 15:41:22 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/setkey: setkey.8

Log Message:
Bump date for previous.


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.30 src/crypto/dist/ipsec-tools/src/setkey/setkey.8

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/setkey/setkey.8
diff -u src/crypto/dist/ipsec-tools/src/setkey/setkey.8:1.29 src/crypto/dist/ipsec-tools/src/setkey/setkey.8:1.30
--- src/crypto/dist/ipsec-tools/src/setkey/setkey.8:1.29	Mon Jan  9 15:25:13 2012
+++ src/crypto/dist/ipsec-tools/src/setkey/setkey.8	Mon Jan  9 15:41:21 2012
@@ -1,4 +1,4 @@
-.\	$NetBSD: setkey.8,v 1.29 2012/01/09 15:25:13 drochner Exp $
+.\	$NetBSD: setkey.8,v 1.30 2012/01/09 15:41:21 wiz Exp $
 .\
 .\ Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
 .\ All rights reserved.
@@ -27,7 +27,7 @@
 .\ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\ SUCH DAMAGE.
 .\
-.Dd May 23, 2011
+.Dd January 9, 2012
 .Dt SETKEY 8
 .Os
 .\



CVS commit: src/crypto/dist/ipsec-tools/src/libipsec

2012-01-04 Thread Thomas Klausner
Module Name:src
Committed By:   wiz
Date:   Wed Jan  4 16:30:51 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/libipsec: ipsec_set_policy.3
ipsec_strerror.3

Log Message:
Bump date for previous.


To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.18 \
src/crypto/dist/ipsec-tools/src/libipsec/ipsec_set_policy.3
cvs rdiff -u -r1.11 -r1.12 \
src/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.3

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/libipsec/ipsec_set_policy.3
diff -u src/crypto/dist/ipsec-tools/src/libipsec/ipsec_set_policy.3:1.17 src/crypto/dist/ipsec-tools/src/libipsec/ipsec_set_policy.3:1.18
--- src/crypto/dist/ipsec-tools/src/libipsec/ipsec_set_policy.3:1.17	Wed Jan  4 16:09:40 2012
+++ src/crypto/dist/ipsec-tools/src/libipsec/ipsec_set_policy.3	Wed Jan  4 16:30:50 2012
@@ -1,4 +1,4 @@
-.\	$NetBSD: ipsec_set_policy.3,v 1.17 2012/01/04 16:09:40 drochner Exp $
+.\	$NetBSD: ipsec_set_policy.3,v 1.18 2012/01/04 16:30:50 wiz Exp $
 .\
 .\	$KAME: ipsec_set_policy.3,v 1.16 2003/01/06 21:59:03 sumikawa Exp $
 .\
@@ -29,7 +29,7 @@
 .\ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\ SUCH DAMAGE.
 .\
-.Dd May 5, 1998
+.Dd January 4, 2012
 .Dt IPSEC_SET_POLICY 3
 .Os
 .Sh NAME

Index: src/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.3
diff -u src/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.3:1.11 src/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.3:1.12
--- src/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.3:1.11	Wed Jan  4 16:09:40 2012
+++ src/crypto/dist/ipsec-tools/src/libipsec/ipsec_strerror.3	Wed Jan  4 16:30:50 2012
@@ -1,4 +1,4 @@
-.\	$NetBSD: ipsec_strerror.3,v 1.11 2012/01/04 16:09:40 drochner Exp $
+.\	$NetBSD: ipsec_strerror.3,v 1.12 2012/01/04 16:30:50 wiz Exp $
 .\
 .\	$KAME: ipsec_strerror.3,v 1.9 2001/08/17 07:21:36 itojun Exp $
 .\
@@ -29,7 +29,7 @@
 .\ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\ SUCH DAMAGE.
 .\
-.Dd May 6, 1998
+.Dd January 4, 2012
 .Dt IPSEC_STRERROR 3
 .Os
 .\



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2012-01-01 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Sun Jan  1 15:29:28 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y cftoken.l
cftoken_proto.h ipsec_doi.c ipsec_doi.h localconf.c localconf.h
remoteconf.c sainfo.c

Log Message:
From Wolfgang Schmieder wolfg...@die-schmieders.de: Fix memory leaks from
configuration reading code, and clean up error handling.


To generate a diff of this commit:
cvs rdiff -u -r1.44 -r1.45 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
cvs rdiff -u -r1.25 -r1.26 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
cvs rdiff -u -r1.4 -r1.5 \
src/crypto/dist/ipsec-tools/src/racoon/cftoken_proto.h
cvs rdiff -u -r1.46 -r1.47 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
cvs rdiff -u -r1.12 -r1.13 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.h
cvs rdiff -u -r1.7 -r1.8 src/crypto/dist/ipsec-tools/src/racoon/localconf.c \
src/crypto/dist/ipsec-tools/src/racoon/localconf.h
cvs rdiff -u -r1.26 -r1.27 \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
cvs rdiff -u -r1.14 -r1.15 src/crypto/dist/ipsec-tools/src/racoon/sainfo.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.44 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.45
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.44	Tue Nov 15 13:51:23 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Sun Jan  1 15:29:28 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.44 2011/11/15 13:51:23 tteras Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.45 2012/01/01 15:29:28 tteras Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -137,10 +137,10 @@ static int num2dhgroup[] = {
 	OAKLEY_ATTR_GRP_DESC_MODP8192
 };
 
-static struct remoteconf *cur_rmconf;
-static int tmpalgtype[MAXALGCLASS];
-static struct sainfo *cur_sainfo;
-static int cur_algclass;
+static struct remoteconf *cur_rmconf = NULL;
+static int tmpalgtype[MAXALGCLASS] = {0};
+static struct sainfo *cur_sainfo = NULL;
+static int cur_algclass = 0;
 static int oldloglevel = LLV_BASE;
 
 static struct secprotospec *newspspec __P((void));
@@ -238,10 +238,39 @@ static int process_rmconf()
 	}
 
 	insrmconf(cur_rmconf);
+	cur_rmconf = NULL; 
 
 	return 0;
 }
 
+/* some frequently used warning texts */
+static const char error_message_hybrid_config_not_configured[] = racoon not configured with --enable-hybrid\n;
+static const char error_message_ldap_config_not_configured[]   = racoon not configured with --with-libldap\n;
+static const char error_message_admin_port_not_compiled_in[] = admin port support not compiled in\n;
+static const char error_message_natt_not_compiled_in[] = NAT-T support not compiled in\n;
+static const char error_message_dpd_not_compiled_in[] = DPD support not compiled in\n;
+
+/* macros for aborting the parsing with freeing up allocated memory */
+#define ABORT_CLEANUP {delrmconf(cur_rmconf); delsainfo(cur_sainfo); YYABORT;}
+#define ABORT() ABORT_CLEANUP
+
+#define ABORT_AND_VFREE(val0) {\
+	vfree(val0); val0 = NULL;\
+	ABORT_CLEANUP}
+	
+#define ABORT_AND_RACOON_FREE(val0) {\
+	racoon_free(val0); val0 = NULL;\
+	ABORT_CLEANUP}
+
+#define ABORT_AND_VFREE2(val0, val1) {\
+	vfree(val0); val0 = NULL;\
+	vfree(val1); val1 = NULL;\
+	ABORT_CLEANUP}
+
+#define ABORT_AND_RACOON_FREE2(val0, val1) {\
+	racoon_free(val0); val0 = NULL;\
+	racoon_free(val1); val1 = NULL;\
+	ABORT_CLEANUP}
 %}
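Review bot: `ABORT_CLEANUP` frees `cur_rmconf` and `cur_sainfo` but leaves both static pointers dangling; if `yyparse` runs again (configuration reload) and the next parse aborts before a `remote`/`sainfo` block reassigns them, the freed objects are handed to `delrmconf`/`delsainfo` a second time, unless those helpers are guarded in a way not visible here. Null the pointers in the macro and use the `do { } while (0)` form so the bare `{ ... }` bodies cannot bind to a dangling `else`: `#define ABORT_CLEANUP do { delrmconf(cur_rmconf); cur_rmconf = NULL; delsainfo(cur_sainfo); cur_sainfo = NULL; YYABORT; } while (0)`. `ABORT()` and `ABORT_CLEANUP` are two spellings of the same thing; one is enough. The success path already does `cur_rmconf = NULL;` after `insrmconf`, which is what the abort path should mirror.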
 
 %union {
@@ -366,47 +395,55 @@ privsep_stmts
 privsep_stmt
 	:	USER QUOTEDSTRING
 		{
-			struct passwd *pw;
+			struct passwd *pw = getpwnam($2-v);
+			vfree($2);
 
-			if ((pw = getpwnam($2-v)) == NULL) {
+			if (pw == NULL) {
 yyerror(unknown user \%s\, $2-v);
-return -1;
+ABORT();
 			}
+			
 			lcconf-uid = pw-pw_uid;
 		} 
 		EOS
 	|	USER NUMBER { lcconf-uid = $2; } EOS
 	|	GROUP QUOTEDSTRING
 		{
-			struct group *gr;
+			struct group *gr = getgrnam($2-v);
+			vfree($2);
 
-			if ((gr = getgrnam($2-v)) == NULL) {
+			if (gr == NULL) {
 yyerror(unknown group \%s\, $2-v);
-return -1;
+ABORT();
 			}
+
 			lcconf-gid = gr-gr_gid;
 		}
 		EOS
 	|	GROUP NUMBER { lcconf-gid = $2; } EOS
-	|	CHROOT QUOTEDSTRING { lcconf-chroot = $2-v; } EOS
+	|	CHROOT QUOTEDSTRING 
+		{ 
+			lcconf_setchroot(racoon_strdup($2-v));
+			vfree($2);	
+		} EOS
 	;
 
 	/* path */
 path_statement
 	:	PATH PATHTYPE QUOTEDSTRING
 		{
-			if ($2 = LC_PATHTYPE_MAX) {
+			char * path = racoon_strdup($3-v);
+
+			if (path == NULL) {
+yyerror(copy string fatal error: %s, $3-v);
+ABORT_AND_VFREE($3);
+			}
+			
+			if (lcconf_setpath(path, $2)  0) {
 yyerror(invalid path type %d, $2);
-return -1;
+ABORT_AND_VFREE($3);
 			}
 
-			/* free old pathinfo */
-			if (lcconf-pathinfo[$2])
-racoon_free(lcconf-pathinfo[$2]);
-
-			/* set new pathinfo */
-			

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2012-01-01 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Sun Jan  1 15:44:06 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y

Log Message:
Fix the previous commit.


To generate a diff of this commit:
cvs rdiff -u -r1.45 -r1.46 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.45 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.46
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.45	Sun Jan  1 15:29:28 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Sun Jan  1 15:44:06 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.45 2012/01/01 15:29:28 tteras Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.46 2012/01/01 15:44:06 tteras Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -1267,7 +1267,7 @@ authgroup
 			groupname = racoon_malloc($1-l+1);
 			if (groupname == NULL) {
 yyerror(unable to allocate auth group name);
-ABORT_AND_VFREE, $1);
+ABORT_AND_VFREE($1);
 			}
 
 			memcpy(groupname,$1-v,$1-l);



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2012-01-01 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Sun Jan  1 15:54:51 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c

Log Message:
Fix myaddr_getsport() to return -1 if no suitable address is found. This is
used in pfkey.c:pk_recvacquire() to check if IKE negotiation should be
started or not.


To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.29 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.28 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.29
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.28	Mon Mar 14 17:18:12 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Sun Jan  1 15:54:51 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.28 2011/03/14 17:18:12 tteras Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.29 2012/01/01 15:54:51 tteras Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras timo.te...@iki.fi.
@@ -280,7 +280,7 @@ myaddr_getsport(addr)
 			return extract_port((struct sockaddr *) my-addr);
 	}
 
-	return PORT_ISAKMP;
+	return -1;
 }
 
 void
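Review bot: The new `-1` sentinel is only meaningful if myaddr_getsport's return type is signed and every caller tests for it; the declaration is outside the hunk, and a caller that used to feed the PORT_ISAKMP fallback straight into a port field would now store 65535 after truncation to u_int16_t. The log message names pk_recvacquire as the checking caller, but nothing in the hunk records that contract for the next reader. A one-line comment above the return would: `/* no suitable local address: callers must check for -1 (pk_recvacquire does) */`. The rest of myaddr_getsport's body lies above the hunk.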



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2012-01-01 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Sun Jan  1 15:57:31 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: handler.c isakmp.c pfkey.c
remoteconf.c

Log Message:
From Wolfgang Schmieder wolfg...@die-schmieders.de: Fix various typos in
comments and log messages. Fix default port used in copy_ph1addresses().


To generate a diff of this commit:
cvs rdiff -u -r1.40 -r1.41 src/crypto/dist/ipsec-tools/src/racoon/handler.c
cvs rdiff -u -r1.73 -r1.74 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.57 -r1.58 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c
cvs rdiff -u -r1.27 -r1.28 \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/handler.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.40 src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.41
--- src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.40	Thu Nov 17 14:41:55 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.c	Sun Jan  1 15:57:31 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.c,v 1.40 2011/11/17 14:41:55 vanhu Exp $	*/
+/*	$NetBSD: handler.c,v 1.41 2012/01/01 15:57:31 tteras Exp $	*/
 
 /* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */
 
@@ -213,7 +213,7 @@ getph1(ph1hint, local, remote, flags)
 			(ph1hint-id-l != p-id-l ||
 			 memcmp(ph1hint-id-v, p-id-v, p-id-l) != 0)) {
 plog(LLV_DEBUG2, LOCATION, NULL,
- local identity does match hint\n);
+ local identity does not match hint\n);
 continue;
 			}
 			if (ph1hint-id_p  ph1hint-id_p-l 
@@ -221,7 +221,7 @@ getph1(ph1hint, local, remote, flags)
 			(ph1hint-id_p-l != p-id_p-l ||
 			 memcmp(ph1hint-id_p-v, p-id_p-v, p-id_p-l) != 0)) {
 plog(LLV_DEBUG2, LOCATION, NULL,
- remote identity does match hint\n);
+ remote identity does not match hint\n);
 continue;
 			}
 		}

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.73 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.74
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.73	Tue Oct 11 14:50:15 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Sun Jan  1 15:57:31 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.c,v 1.73 2011/10/11 14:50:15 tteras Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.74 2012/01/01 15:57:31 tteras Exp $	*/
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
@@ -624,7 +624,7 @@ isakmp_main(msg, remote, local)
 		/*
 		 * iph1 must be present for Information message.
 		 * if iph1 is null then trying to get the phase1 status
-		 * as the packet from responder againt initiator's 1st
+		 * as the packet from responder again initiator's 1st
 		 * exchange in phase 1.
 		 * NOTE: We think such informational exchange should be ignored.
 		 */
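Review bot: The replacement wording `as the packet from responder again initiator's 1st` still does not read as a sentence; the original `againt` was almost certainly a typo for `against`, so the line should be `* as the packet from responder against initiator's 1st`. This is a comment-only hunk, so no behaviour is affected, but a typo fix that leaves a different wrong word is worth a second pass before it lands.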
@@ -2358,7 +2358,7 @@ isakmp_chkph1there(iph2)
 		plog(LLV_ERROR, LOCATION, iph2-dst,
 			phase2 negotiation failed 
 			due to time up waiting for phase1. %s\n,
-			sadbsecas2str(iph2-dst, iph2-src,
+			sadbsecas2str(iph2-src, iph2-dst,
 iph2-satype, 0, 0));
 		plog(LLV_INFO, LOCATION, NULL,
 			delete phase 2 handler.\n);
@@ -2909,7 +2909,7 @@ copy_ph1addresses(iph1, rmconf, remote, 
 	struct remoteconf *rmconf;
 	struct sockaddr *remote, *local;
 {
-	u_int16_t port;
+	u_int16_t port = 0;
 
 	/* address portion must be grabbed from real remote address remote */
 	iph1-remote = dupsaddr(remote);
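Review bot: The `= 0` initializer on `port` is load-bearing rather than cosmetic: in the @@ -2928 hunk of this file `port` is tested with `if (port == 0)` after an assignment that only happens when `rmconf != NULL`, so with a NULL rmconf the previous code compared an uninitialized variable, which is undefined behaviour. A why-comment keeps a future cleanup from dropping it: `u_int16_t port = 0;	/* 0 = not yet known; rmconf may be NULL below */`. Whether `lcconf->port_isakmp` always fits in u_int16_t is not visible from these hunks. copy_ph1addresses continues outside both hunks.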
@@ -2919,7 +2919,7 @@ copy_ph1addresses(iph1, rmconf, remote, 
 	/*
 	 * if remote has no port # (in case of initiator - from ACQUIRE msg)
 	 * - if remote.conf specifies port #, use that
-	 * - if remote.conf does not, use 500
+	 * - if remote.conf does not, use lcconf-port_isakmp
 	 * if remote has port # (in case of responder - from recvfrom(2))
 	 * respect content of remote.
 	 */
@@ -2928,7 +2928,7 @@ copy_ph1addresses(iph1, rmconf, remote, 
 		if (rmconf != NULL)
 			port = extract_port(rmconf-remote);
 		if (port == 0)
-			port = PORT_ISAKMP;
+			port = lcconf-port_isakmp;
 		set_port(iph1-remote, port);
 	}
 

Index: src/crypto/dist/ipsec-tools/src/racoon/pfkey.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.57 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.58
--- src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.57	Tue Mar 15 13:20:14 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/pfkey.c	Sun Jan  1 15:57:31 2012
@@ -1,6 +1,6 @@
-/*	$NetBSD: pfkey.c,v 1.57 2011/03/15 13:20:14 vanhu Exp $	*/
+/*	$NetBSD: pfkey.c,v 1.58 2012/01/01 15:57:31 tteras Exp $	*/
 
-/* $Id: pfkey.c,v 1.57 2011/03/15 13:20:14 vanhu Exp $ */
+/* $Id: pfkey.c,v 1.58 2012/01/01 15:57:31 tteras Exp $ */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -1853,8 +1853,8 @@ pk_recvacquire(mhp)
 	 *   should ignore such a acquire message because the phase 2
 	 *   is just negotiating.
 	 

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2012-01-01 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Sun Jan  1 16:14:11 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y

Log Message:
From Wolfgang Schmieder wolfg...@die-schmieders.de: Fix default NAT-T
port for listen { isakmp_natt } config directive.


To generate a diff of this commit:
cvs rdiff -u -r1.46 -r1.47 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.46 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.47
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.46	Sun Jan  1 15:44:06 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Sun Jan  1 16:14:11 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.46 2012/01/01 15:44:06 tteras Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.47 2012/01/01 16:14:11 tteras Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -359,6 +359,8 @@ static const char error_message_dpd_not_
 %type val identifierstring
 %type saddr remote_index ike_addrinfo_port
 %type alg algorithm
+%type saddr ike_addrinfo_port_natt
+%type num ike_port_natt
 
 %%
 
@@ -536,7 +538,7 @@ listen_stmt
 			racoon_free($2);
 		}
 		EOS
-	|	X_ISAKMP_NATT ike_addrinfo_port
+	|	X_ISAKMP_NATT ike_addrinfo_port_natt
 		{
 #ifdef ENABLE_NATT
 			myaddr_listen($2, TRUE);
@@ -591,11 +593,36 @@ ike_addrinfo_port
 ABORT();
 		}
 	;
+ike_addrinfo_port_natt
+	:	ADDRSTRING ike_port_natt
+		{
+			char portbuf[10];
+
+			snprintf(portbuf, sizeof(portbuf), %ld, $2);
+			$$ = str2saddr($1-v, portbuf);
+			
+			vfree($1);
+			if (!$$)
+ABORT();
+		}
+	;
 ike_port
 	:	/* nothing */	{	$$ = lcconf-port_isakmp; }
 	|	PORT		{ $$ = $1; } 
 	;
-
+ike_port_natt
+	:	/* nothing */ 
+		{ 
+			$$ = lcconf-port_isakmp_natt;  
+		}
+	|	PORT 
+		{ 
+			$$ = $1; 
+#ifndef ENABLE_NATT
+			yywarn(error_message_natt_not_compiled_in);
+#endif			 
+		}
+	;
 	/* radius configuration */
 radcfg_statement
 	:	RADCFG {
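Review bot: ike_addrinfo_port_natt repeats the action of ike_addrinfo_port apart from the port nonterminal, so any later fix to the address handling (the portbuf formatting, the str2saddr failure path, the vfree) has to be made twice; adding the NAT-T default as an alternative of a single rule, or moving the shared action into a small static helper called from both, would avoid that. The `yywarn(error_message_natt_not_compiled_in)` in ike_port_natt only fires when a port is given explicitly, so on a build without ENABLE_NATT an `isakmp_natt` directive with the default port is accepted by this rule without comment unless the listen_stmt action (its `#else` branch is outside the hunk) warns instead. Several added lines carry trailing whitespace (the blank action line in ike_addrinfo_port_natt and most lines of ike_port_natt), and the blank separator line between the rules was removed.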



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-11-17 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Thu Nov 17 14:41:55 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: handler.c

Log Message:
fixed some crashes in LIST_FOREACH loops where the current element could be
removed during iteration


To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.40 src/crypto/dist/ipsec-tools/src/racoon/handler.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/handler.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.39 src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.40
--- src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.39	Mon Mar 14 17:18:12 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.c	Thu Nov 17 14:41:55 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.c,v 1.39 2011/03/14 17:18:12 tteras Exp $	*/
+/*	$NetBSD: handler.c,v 1.40 2011/11/17 14:41:55 vanhu Exp $	*/
 
 /* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */
 
@@ -611,9 +611,11 @@ getph2byid(src, dst, spid)
 	struct sockaddr *src, *dst;
 	u_int32_t spid;
 {
-	struct ph2handle *p;
+	struct ph2handle *p, *next;
+
+	for (p = LIST_FIRST(ph2tree); p; p = next) {
+		next = LIST_NEXT(p, chain);
 
-	LIST_FOREACH(p, ph2tree, chain) {
 		if (spid == p-spid 
 		cmpsaddr(src, p-src) = CMPSADDR_WILDPORT_MATCH 
 		cmpsaddr(dst, p-dst) = CMPSADDR_WILDPORT_MATCH){
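Review bot: The open-coded next-pointer loop only protects against unlinking the current element; if anything in the loop body, directly or through a callee, unlinks `next`, the following iteration still dereferences freed memory, and for getph2byid the hunk does not show what removes `p` at all. A comment at the loop header records the invariant the body must keep: `/* fetch next before the body: p may be unlinked/freed below, next must not be */`. NetBSD's <sys/queue.h> provides LIST_FOREACH_SAFE for exactly this pattern, but since racoon also builds against other queue.h variants the open-coded form is defensible if the comment says why. The same applies to the remcontacted (@@ -985) and purgeph1bylogin (@@ -1555) hunks of this file.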
@@ -985,9 +987,11 @@ void
 remcontacted(remote)
 	struct sockaddr *remote;
 {
-	struct contacted *p;
+	struct contacted *p, *next;
+
+	for (p = LIST_FIRST(ctdtree); p; p = next) {
+		next = LIST_NEXT(p, chain);
 
-	LIST_FOREACH(p, ctdtree, chain) {
 		if (cmpsaddr(remote, p-remote) = CMPSADDR_WILDPORT_MATCH) {
 			LIST_REMOVE(p, chain);
 			racoon_free(p-remote);
@@ -1555,10 +1559,12 @@ int
 purgeph1bylogin(login)
 	char *login;
 {
-	struct ph1handle *p;
+	struct ph1handle *p, *next;
 	int found = 0;
 
-	LIST_FOREACH(p, ph1tree, chain) {
+	for (p = LIST_FIRST(ph1tree); p; p = next) {
+		next = LIST_NEXT(p, chain);
+
 		if (p-mode_cfg == NULL)
 			continue;
 		if (strncmp(p-mode_cfg-login, login, LOGINLEN) == 0) {



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-11-15 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Nov 15 13:51:24 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y cftoken.l
isakmp_xauth.c isakmp_xauth.h racoon.conf.5

Log Message:
From Vincent Bernat ber...@luffy.cx: TLS support for LDAP


To generate a diff of this commit:
cvs rdiff -u -r1.43 -r1.44 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
cvs rdiff -u -r1.24 -r1.25 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
cvs rdiff -u -r1.23 -r1.24 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
cvs rdiff -u -r1.7 -r1.8 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h
cvs rdiff -u -r1.62 -r1.63 \
src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.43 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.44
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.43	Fri Aug 19 05:36:47 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Tue Nov 15 13:51:23 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.43 2011/08/19 05:36:47 tteras Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.44 2011/11/15 13:51:23 tteras Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -267,7 +267,7 @@ static int process_rmconf()
 	/* listen */
 %token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED
 	/* ldap config */
-%token LDAPCFG LDAP_HOST LDAP_PORT LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
+%token LDAPCFG LDAP_HOST LDAP_PORT LDAP_TLS LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
 %token LDAP_ATTR_USER LDAP_ATTR_ADDR LDAP_ATTR_MASK LDAP_ATTR_GROUP LDAP_ATTR_MEMBER
 	/* radius config */
 %token RADCFG RAD_AUTH RAD_ACCT RAD_TIMEOUT RAD_RETRIES
@@ -720,6 +720,15 @@ ldapcfg_stmt
 #endif
 		}
 		EOS
+	|	LDAP_TLS SWITCH
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+			xauth_ldap_config.tls = $2;
+#endif
+#endif
+		}
+		EOS
 	|	LDAP_BASE QUOTEDSTRING
 		{
 #ifdef ENABLE_HYBRID

Index: src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
diff -u src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.24 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.25
--- src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.24	Fri Aug 19 05:36:47 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/cftoken.l	Tue Nov 15 13:51:23 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: cftoken.l,v 1.24 2011/08/19 05:36:47 tteras Exp $	*/
+/*	$NetBSD: cftoken.l,v 1.25 2011/11/15 13:51:23 tteras Exp $	*/
 
 /* Id: cftoken.l,v 1.53 2006/08/22 18:17:17 manubsd Exp */
 
@@ -226,6 +226,7 @@ hexstring	0x{hexdigit}+
 S_LDAPversion		{ YYD; return(LDAP_PVER); }
 S_LDAPhost		{ YYD; return(LDAP_HOST); }
 S_LDAPport		{ YYD; return(LDAP_PORT); }
+S_LDAPtls		{ YYD; return(LDAP_TLS); }
 S_LDAPbase		{ YYD; return(LDAP_BASE); }
 S_LDAPsubtree		{ YYD; return(LDAP_SUBTREE); }
 S_LDAPbind_dn		{ YYD; return(LDAP_BIND_DN); }

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.23 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.24
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.23	Sun May 15 17:13:23 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Tue Nov 15 13:51:23 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.23 2011/05/15 17:13:23 christos Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.24 2011/11/15 13:51:23 tteras Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -802,6 +802,7 @@ xauth_ldap_init_conf(void)
 	xauth_ldap_config.pver = 3;
 	xauth_ldap_config.host = NULL;
 	xauth_ldap_config.port = LDAP_PORT;
+	xauth_ldap_config.tls = 0;
 	xauth_ldap_config.base = NULL;
 	xauth_ldap_config.subtree = 0;
 	xauth_ldap_config.bind_dn = NULL;
@@ -916,6 +917,17 @@ xauth_login_ldap(iph1, usr, pwd)
 	ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
 		xauth_ldap_config.pver);
 
+	/* Enable TLS */
+	if (xauth_ldap_config.tls) {
+		res = ldap_start_tls_s(ld, NULL, NULL);
+		if (res != LDAP_SUCCESS) {
+			plog(LLV_ERROR, LOCATION, NULL,
+			 ldap_start_tls_s failed: %s\n,
+			 ldap_err2string(res));
+			goto ldap_end;
+		}
+	}
+
 	/*
 	 * attempt to bind to the ldap server.
  * default to anonymous bind unless a
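Review bot: The TLS upgrade block is pasted verbatim into xauth_login_ldap here and into xauth_group_ldap in the @@ -1144 hunk, so the two will drift the first time one of them is touched; a static helper called from both keeps the fail-closed `goto` at each site while centralising the policy. The hunk correctly aborts rather than falling back to a plaintext simple bind, which matters because the bind that follows carries the user's XAUTH password, but nothing in the commit sets a certificate-verification policy, so what `ldap_start_tls_s` accepts is whatever libldap's defaults (ldap.conf `TLS_REQCERT` on OpenLDAP) provide; that dependency belongs in a comment at the call site and in the racoon.conf.5 text for `ldap_tls`, which is part of this commit but not visible here. A suggested shape, with the call sites reduced to `res = xauth_ldap_start_tls(ld); if (res != LDAP_SUCCESS) goto ldap_end;`:

```c
/*
 * Upgrade an initialised LDAP handle to TLS when ldap_tls is on.
 * Must run before the bind so credentials never travel in clear.
 * Certificate verification policy is libldap's (ldap.conf TLS_REQCERT);
 * on failure the caller must abandon the handle, not bind in clear.
 */
static int
xauth_ldap_start_tls(LDAP *ld)
{
	int res;

	if (!xauth_ldap_config.tls)
		return LDAP_SUCCESS;
	res = ldap_start_tls_s(ld, NULL, NULL);
	if (res != LDAP_SUCCESS)
		plog(LLV_ERROR, LOCATION, NULL,
		    "ldap_start_tls_s failed: %s\n", ldap_err2string(res));
	return res;
}
```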
@@ -1144,6 +1156,17 @@ xauth_group_ldap(udn, grp)
 	ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
 		xauth_ldap_config.pver);
 
+	/* Enable TLS */
+	if (xauth_ldap_config.tls) {
+		res = ldap_start_tls_s(ld, NULL, NULL);
+		if (res != LDAP_SUCCESS) {
+			plog(LLV_ERROR, LOCATION, NULL,
+			 ldap_start_tls_s failed: %s\n,
+			 ldap_err2string(res));
+			goto ldap_group_end;
+		}
+	}
+
 	/*
 	 * attempt to bind to the ldap server.
  * default to anonymous bind unless a

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h
diff -u 
