CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2020-11-25 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Wed Nov 25 18:11:00 UTC 2020

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y cftoken.l
isakmp_xauth.c isakmp_xauth.h racoon.conf.5

Log Message:
Add ldap parameters debug and timeout.
Fix bug when using URI (use correct len for malloc)
document ldap parameters uri, debug and timeout.


To generate a diff of this commit:
cvs rdiff -u -r1.52 -r1.53 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
cvs rdiff -u -r1.28 -r1.29 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
cvs rdiff -u -r1.32 -r1.33 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
cvs rdiff -u -r1.9 -r1.10 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h
cvs rdiff -u -r1.68 -r1.69 \
src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.52 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.53
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.52	Wed Nov 25 16:42:53 2020
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Wed Nov 25 18:11:00 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.52 2020/11/25 16:42:53 bouyer Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.53 2020/11/25 18:11:00 bouyer Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -296,7 +296,7 @@ static const char error_message_dpd_not_
 	/* listen */
 %token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED
 	/* ldap config */
-%token LDAPCFG LDAP_URI LDAP_HOST LDAP_PORT LDAP_TLS LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
+%token LDAPCFG LDAP_URI LDAP_HOST LDAP_PORT LDAP_TLS LDAP_PVER LDAP_DEBUG LDAP_TIMEOUT LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
 %token LDAP_ATTR_USER LDAP_ATTR_ADDR LDAP_ATTR_MASK LDAP_ATTR_GROUP LDAP_ATTR_MEMBER
 	/* radius config */
 %token RADCFG RAD_AUTH RAD_ACCT RAD_TIMEOUT RAD_RETRIES
@@ -773,6 +773,24 @@ ldapcfg_stmt
 #endif
 		}
 		EOS
+	|	LDAP_DEBUG NUMBER
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+			xauth_ldap_config.debug = $2;
+#endif
+#endif
+		}
+		EOS
+	|	LDAP_TIMEOUT NUMBER
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+			xauth_ldap_config.timeout = $2;
+#endif
+#endif
+		}
+		EOS
 	|	LDAP_URI QUOTEDSTRING
 		{
 #ifdef ENABLE_HYBRID
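Review bot: The `LDAP_DEBUG NUMBER` and `LDAP_TIMEOUT NUMBER` actions store `$2` into `xauth_ldap_config` with no range check, so a negative or oversized value from racoon.conf reaches libldap unchanged, and nothing in the grammar says what unit `timeout` is in or what the `-1` that `xauth_ldap_init_conf` assigns means. Suggested comment above `xauth_ldap_config.timeout = $2;`: `/* network timeout; units per racoon.conf.5 (seconds?) — -1 from init_conf presumably means "not configured" */`. Rejecting negative values with `yyerror` in the action would be cheap and keeps bad input out of the runtime path. The ldapcfg_stmt rule continues outside the hunk.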

Index: src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
diff -u src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.28 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.29
--- src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.28	Wed Nov 25 16:42:53 2020
+++ src/crypto/dist/ipsec-tools/src/racoon/cftoken.l	Wed Nov 25 18:11:00 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: cftoken.l,v 1.28 2020/11/25 16:42:53 bouyer Exp $	*/
+/*	$NetBSD: cftoken.l,v 1.29 2020/11/25 18:11:00 bouyer Exp $	*/
 
 /* Id: cftoken.l,v 1.53 2006/08/22 18:17:17 manubsd Exp */
 
@@ -224,6 +224,8 @@ hexstring	0x{hexdigit}+
 ldapcfg		{ BEGIN S_LDAP; YYDB; return(LDAPCFG); }
 {bcl}		{ return(BOC); }
 version		{ YYD; return(LDAP_PVER); }
+debug		{ YYD; return(LDAP_DEBUG); }
+timeout		{ YYD; return(LDAP_TIMEOUT); }
 uri		{ YYD; return(LDAP_URI); }
 host		{ YYD; return(LDAP_HOST); }
 port		{ YYD; return(LDAP_PORT); }

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.32 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.33
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.32	Wed Nov 25 16:42:53 2020
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Wed Nov 25 18:11:00 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.32 2020/11/25 16:42:53 bouyer Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.33 2020/11/25 18:11:00 bouyer Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -803,6 +803,8 @@ xauth_ldap_init_conf(void)
 	int error = -1;
 
 	xauth_ldap_config.pver = 3;
+	xauth_ldap_config.debug = 0;
+	xauth_ldap_config.timeout = -1;
 	xauth_ldap_config.uri = NULL;
 	xauth_ldap_config.host = NULL;
 	xauth_ldap_config.port = LDAP_PORT;
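Review bot: `xauth_ldap_config.timeout = -1;` introduces a sentinel without a comment, and the code that consumes it is not in this diff, so a reader cannot tell whether -1 means "no timeout", "library default" or "invalid". Suggest `xauth_ldap_config.timeout = -1;	/* not configured; consumer falls back to the libldap default — confirm */` so the convention is stated where the value is born. xauth_ldap_init_conf starts outside the hunk.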
@@ -896,7 +898,7 @@ xauth_login_ldap(iph1, usr, pwd)
 	atlist[2] = NULL;
 
 	if (xauth_ldap_config.uri != NULL) {
-		tmplen = strlen(xauth_ldap_config.host->v);
+		tmplen = strlen(xauth_ldap_config.uri->v);
 		init = racoon_malloc(tmplen);
 		if (init == NULL) {
 			plog(LLV_ERROR, LOCATION, NULL,
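Review bot: `tmplen = strlen(xauth_ldap_config.uri->v);` still leaves no room for the terminating NUL: `racoon_malloc(tmplen)` on the next line gets exactly strlen bytes, and the `sprintf(init, "%s", xauth_ldap_config.uri->v)` that follows (visible in the 1.32 diff below, right after the same allocation) writes strlen+1 bytes, a one-byte heap overflow on every URI-configured login. Change the line to `tmplen = strlen(xauth_ldap_config.uri->v) + 1;` — the host/port branch hides its slack in the `+ 17`, this branch has none. Since the copy is now a plain string duplicate, `snprintf(init, tmplen, "%s", xauth_ldap_config.uri->v)` would also make the bound explicit. xauth_login_ldap continues on both sides of the hunk.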
@@ -918,6 +920,9 @@ xauth_login_ldap(iph1, usr, pwd)
 			xauth_ldap_config.host->v,
 			xauth_ldap_config.port );
 	}
+	/* initialize the debug level */
+	ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, _ldap_config.debug);
+	ber_set_option(NULL, LBER_OPT_DEBUG_LEVEL, _ldap_config.debug);
 
 	plog(LLV_DEBUG, LOCATION, NULL, "ldap URI: %s\n", init);
 	/* initialize the ldap handle */
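Review bot: The two new `ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, ...)` and `ber_set_option(NULL, LBER_OPT_DEBUG_LEVEL, ...)` calls ignore their return values, while the `LDAP_OPT_PROTOCOL_VERSION` call in this same function (1.31 diff below) was just changed to test for `LDAP_OPT_SUCCESS` and log `ldap_err2string(res)`; the two should agree. They also set process-global options (NULL handle) on every XAUTH login, so a one-time call from `xauth_ldap_init_conf` would be the natural place, and because a non-zero libldap debug level can trace full protocol traffic, bind credentials included, the setting deserves a warning comment: `/* process-global libldap/liblber trace level; non-zero can log bind credentials — keep 0 outside debugging */`. The argument appears here as `_ldap_config.debug`, presumably an extraction artefact for `&xauth_ldap_config.debug`.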
@@ -933,12 +938,26 @@ xauth_login_ldap(iph1, usr, pwd)
 	if ((res = ldap_set_option(ld, 

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2020-11-25 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Wed Nov 25 16:42:53 UTC 2020

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y cftoken.l
isakmp_xauth.c isakmp_xauth.h

Log Message:
Add an option to pass a ldap uri, instead of just server and port.
uri takes precedence.


To generate a diff of this commit:
cvs rdiff -u -r1.51 -r1.52 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
cvs rdiff -u -r1.27 -r1.28 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
cvs rdiff -u -r1.31 -r1.32 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
cvs rdiff -u -r1.8 -r1.9 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.51 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.52
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.51	Sat May 19 20:14:56 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Wed Nov 25 16:42:53 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.51 2018/05/19 20:14:56 maxv Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.52 2020/11/25 16:42:53 bouyer Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -296,7 +296,7 @@ static const char error_message_dpd_not_
 	/* listen */
 %token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED
 	/* ldap config */
-%token LDAPCFG LDAP_HOST LDAP_PORT LDAP_TLS LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
+%token LDAPCFG LDAP_URI LDAP_HOST LDAP_PORT LDAP_TLS LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
 %token LDAP_ATTR_USER LDAP_ATTR_ADDR LDAP_ATTR_MASK LDAP_ATTR_GROUP LDAP_ATTR_MEMBER
 	/* radius config */
 %token RADCFG RAD_AUTH RAD_ACCT RAD_TIMEOUT RAD_RETRIES
@@ -773,6 +773,19 @@ ldapcfg_stmt
 #endif
 		}
 		EOS
+	|	LDAP_URI QUOTEDSTRING
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+			if (xauth_ldap_config.uri != NULL)
+vfree(xauth_ldap_config.uri);
+
+			xauth_ldap_config.uri = vdup($2);
+#endif
+#endif
+			vfree($2);
+		}
+		EOS
 	|	LDAP_HOST QUOTEDSTRING
 		{
 #ifdef ENABLE_HYBRID
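Review bot: `xauth_ldap_config.uri = vdup($2);` is never checked; if vdup fails, `uri` stays NULL and `xauth_login_ldap` silently falls back to the host/port form (it only tests `xauth_ldap_config.uri != NULL`), so a configured URI can be dropped without any diagnostic. Suggest `if (xauth_ldap_config.uri == NULL) { yyerror("vdup of ldap uri failed"); return -1; }` after the assignment, inside the same `#ifdef` pair. The indentation of the `vfree(xauth_ldap_config.uri);` line appears to have been lost in extraction. The ldapcfg_stmt rule continues outside the hunk.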

Index: src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
diff -u src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.27 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.28
--- src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.27	Thu Nov 29 15:31:24 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/cftoken.l	Wed Nov 25 16:42:53 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: cftoken.l,v 1.27 2012/11/29 15:31:24 vanhu Exp $	*/
+/*	$NetBSD: cftoken.l,v 1.28 2020/11/25 16:42:53 bouyer Exp $	*/
 
 /* Id: cftoken.l,v 1.53 2006/08/22 18:17:17 manubsd Exp */
 
@@ -224,6 +224,7 @@ hexstring	0x{hexdigit}+
 ldapcfg		{ BEGIN S_LDAP; YYDB; return(LDAPCFG); }
 {bcl}		{ return(BOC); }
 version		{ YYD; return(LDAP_PVER); }
+uri		{ YYD; return(LDAP_URI); }
 host		{ YYD; return(LDAP_HOST); }
 port		{ YYD; return(LDAP_PORT); }
 tls		{ YYD; return(LDAP_TLS); }

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.31 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.32
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.31	Wed Nov 25 16:41:39 2020
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Wed Nov 25 16:42:53 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.31 2020/11/25 16:41:39 bouyer Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.32 2020/11/25 16:42:53 bouyer Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -803,6 +803,7 @@ xauth_ldap_init_conf(void)
 	int error = -1;
 
 	xauth_ldap_config.pver = 3;
+	xauth_ldap_config.uri = NULL;
 	xauth_ldap_config.host = NULL;
 	xauth_ldap_config.port = LDAP_PORT;
 	xauth_ldap_config.tls = 0;
@@ -894,19 +895,31 @@ xauth_login_ldap(iph1, usr, pwd)
 	atlist[1] = NULL;
 	atlist[2] = NULL;
 
-	/* build our initialization url */
-	tmplen = strlen("ldap://:;) + 17;
-	tmplen += strlen(xauth_ldap_config.host->v);
-	init = racoon_malloc(tmplen);
-	if (init == NULL) {
-		plog(LLV_ERROR, LOCATION, NULL,
-			"unable to alloc ldap init url\n");
-		goto ldap_end;
+	if (xauth_ldap_config.uri != NULL) {
+		tmplen = strlen(xauth_ldap_config.host->v);
+		init = racoon_malloc(tmplen);
+		if (init == NULL) {
+			plog(LLV_ERROR, LOCATION, NULL,
+"unable to alloc ldap init url\n");
+			goto ldap_end;
+		}
+		sprintf(init,"%s", xauth_ldap_config.uri->v);
+	} else {
+		/* build our initialization url */
+		tmplen = strlen("ldap://:;) + 17;
+		tmplen += strlen(xauth_ldap_config.host->v);
+		init = racoon_malloc(tmplen);
+		if (init == NULL) {
+			plog(LLV_ERROR, LOCATION, NULL,
+"unable to alloc ldap init url\n");
+			goto ldap_end;
+		}
+		sprintf(init,"ldap://%s:%d;,
+			xauth_ldap_config.host->v,
+			xauth_ldap_config.port );
 	}
-	sprintf(init,"ldap://%s:%d;,
-		

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2020-11-25 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Wed Nov 25 16:41:39 UTC 2020

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_xauth.c

Log Message:
Fix ldap: ldap_sasl_bind_s() doesn't like a NULL struct berval *, pass
a pointer to a zero'd struct instead.
While there use LDAP_SASL_SIMPLE instead of NULL for mechanism,
and check return of ldap_set_option().


To generate a diff of this commit:
cvs rdiff -u -r1.30 -r1.31 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.30 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.31
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.30	Sat May 19 20:14:56 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Wed Nov 25 16:41:39 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.30 2018/05/19 20:14:56 maxv Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.31 2020/11/25 16:41:39 bouyer Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -917,9 +917,15 @@ xauth_login_ldap(iph1, usr, pwd)
 	}
 
 	/* initialize the protocol version */
-	ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
-		_ldap_config.pver);
-
+	if ((res = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
+		_ldap_config.pver)) != LDAP_OPT_SUCCESS) {
+		plog(LLV_ERROR, LOCATION, NULL,
+			"LDAP_OPT_PROTOCOL_VERSION %s failed: %s\n",
+			xauth_ldap_config.pver,
+			ldap_err2string(res));
+		goto ldap_end;
+	}
+		
 	/* Enable TLS */
 	if (xauth_ldap_config.tls) {
 		res = ldap_start_tls_s(ld, NULL, NULL);
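Review bot: The new error message passes `xauth_ldap_config.pver` to a `%s` conversion, but `pver` is an int (`xauth_ldap_config.pver = 3` in `xauth_ldap_init_conf`), so the failure path dereferences the integer as a `char *` — undefined behaviour that turns a recoverable option error into a crash. Change the format to `"LDAP_OPT_PROTOCOL_VERSION %d failed: %s\n"`. The whitespace-only line added after the closing brace can be dropped. xauth_login_ldap continues on both sides of the hunk.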
@@ -943,13 +949,15 @@ xauth_login_ldap(iph1, usr, pwd)
 		cred.bv_val = xauth_ldap_config.bind_pw->v;
 		cred.bv_len = strlen( cred.bv_val );
 		res = ldap_sasl_bind_s(ld,
-			xauth_ldap_config.bind_dn->v, NULL, ,
+			xauth_ldap_config.bind_dn->v, LDAP_SASL_SIMPLE, ,
 			NULL, NULL, NULL);
 	}
 	else
 	{
+		cred.bv_val = NULL;
+		cred.bv_len = 0;
 		res = ldap_sasl_bind_s(ld,
-			NULL, NULL, NULL,
+			NULL, LDAP_SASL_SIMPLE, ,
 			NULL, NULL, NULL);
 	}
 	
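Review bot: In the `bind_dn` branch `cred.bv_len = strlen(cred.bv_val)` means an empty `bind_pw` string yields a non-empty DN with zero-length credentials, which RFC 4513 §5.1.2 defines as an unauthenticated bind and which many servers answer with LDAP_SUCCESS; the code would then continue believing the service bind was authenticated. Unless the config parser already rejects an empty `bind_pw` (not visible here), guard it: `if (cred.bv_len == 0) { plog(LLV_ERROR, LOCATION, NULL, "empty ldap bind_pw\n"); goto ldap_end; }`. If the user's XAUTH password is bound the same way later in this function (outside the hunk), the same zero-length check is what prevents an empty password from authenticating. The `&cred` argument appears blank on two lines here, presumably lost in extraction.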



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2020-11-25 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Nov 25 14:15:41 UTC 2020

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c

Log Message:
Reduce previous


To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.39 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.38 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.39
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.38	Wed Nov 25 05:57:11 2020
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Wed Nov 25 09:15:41 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.38 2020/11/25 10:57:11 kardel Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.39 2020/11/25 14:15:41 christos Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras .
@@ -683,13 +683,11 @@ kernel_sync()
 
 #elif defined(USE_ROUTE)
 
-#ifdef RT_ROUNDUP
-#define SAROUNDUP(X)   RT_ROUNDUP(((struct sockaddr *)(X))->sa_len)
-#else
-#define ROUNDUP(a) \
+#ifndef RT_ROUNDUP
+#define RT_ROUNDUP(a) \
   ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
-#define SAROUNDUP(X)   ROUNDUP(((struct sockaddr *)(X))->sa_len)
 #endif
+#define SAROUNDUP(X)   RT_ROUNDUP(((struct sockaddr *)(X))->sa_len)
 
 
 static size_t
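Review bot: The fallback `RT_ROUNDUP` rounds to `sizeof(long)`, which is evidently the 32-bit mismatch the preceding 1.38 commit worked around, so a reader should know the fallback is only meant for systems whose `<net/route.h>` lacks the kernel's definition and that it may not match the kernel's sockaddr alignment. Suggest `/* fallback only: the kernel's sockaddr alignment can differ from sizeof(long) (see the i386 fix in 1.38); prefer the system RT_ROUNDUP */` above `#ifndef RT_ROUNDUP`. The `#elif defined(USE_ROUTE)` section continues outside the hunk.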



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2020-11-25 Thread Frank Kardel
Module Name:src
Committed By:   kardel
Date:   Wed Nov 25 10:57:11 UTC 2020

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c

Log Message:
Fix address advancing for i386 and other 32-bit platforms.
Makes racoon grok IPv6 addresses again on these platforms.


To generate a diff of this commit:
cvs rdiff -u -r1.37 -r1.38 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.37 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.38
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.37	Sat May 19 20:14:56 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Wed Nov 25 10:57:11 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.37 2018/05/19 20:14:56 maxv Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.38 2020/11/25 10:57:11 kardel Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras .
@@ -683,10 +683,14 @@ kernel_sync()
 
 #elif defined(USE_ROUTE)
 
+#ifdef RT_ROUNDUP
+#define SAROUNDUP(X)   RT_ROUNDUP(((struct sockaddr *)(X))->sa_len)
+#else
 #define ROUNDUP(a) \
   ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
-
 #define SAROUNDUP(X)   ROUNDUP(((struct sockaddr *)(X))->sa_len)
+#endif
+
 
 static size_t
 parse_address(caddr_t start, caddr_t end, struct sockaddr_storage *dest)



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-10-13 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat Oct 13 15:38:28 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: racoon.conf.5

Log Message:
Fix SF#24: incorrect authentication algorithms, copy-pasto.


To generate a diff of this commit:
cvs rdiff -u -r1.67 -r1.68 \
src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
diff -u src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.67 src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.68
--- src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.67	Thu Jun 20 15:41:18 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5	Sat Oct 13 15:38:28 2018
@@ -1,4 +1,4 @@
-.\"	$NetBSD: racoon.conf.5,v 1.67 2013/06/20 15:41:18 christos Exp $
+.\"	$NetBSD: racoon.conf.5,v 1.68 2018/10/13 15:38:28 maxv Exp $
 .\"
 .\"	Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
 .\"
@@ -29,7 +29,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd June 17, 2013
+.Dd October 13, 2018
 .Dt RACOON.CONF 5
 .Os
 .\"
@@ -1106,7 +1106,6 @@ Note that the kernel may not support the
 .Pq used with ESP
 .\"
 .It Ic authentication_algorithm Ar algorithms ;
-.Ic des , 3des , des_iv64 , des_iv32 ,
 .Ic hmac_md5 , hmac_sha1 , hmac_sha256, hmac_sha384, hmac_sha512, non_auth
 .Pq used with ESP authentication and AH
 .\"



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-10-13 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat Oct 13 15:17:45 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: logger.c

Log Message:
Fix ticket SF#91: pass the correct size for tbuf.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/crypto/dist/ipsec-tools/src/racoon/logger.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/logger.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/logger.c:1.4 src/crypto/dist/ipsec-tools/src/racoon/logger.c:1.5
--- src/crypto/dist/ipsec-tools/src/racoon/logger.c:1.4	Sat Sep  9 16:22:09 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/logger.c	Sat Oct 13 15:17:45 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: logger.c,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
+/*	$NetBSD: logger.c,v 1.5 2018/10/13 15:17:45 maxv Exp $	*/
 
 /*	$KAME: logger.c,v 1.9 2002/09/03 14:37:03 itojun Exp $	*/
 
@@ -79,13 +79,13 @@ log_open(siz, fname)
 	}
 	memset(p->buf, 0, sizeof(char *) * siz);
 
-	p->tbuf = (time_t *)racoon_malloc(sizeof(time_t *) * siz);
+	p->tbuf = (time_t *)racoon_malloc(sizeof(time_t) * siz);
 	if (p->tbuf == NULL) {
 		racoon_free(p->buf);
 		racoon_free(p);
 		return NULL;
 	}
-	memset(p->tbuf, 0, sizeof(time_t *) * siz);
+	memset(p->tbuf, 0, sizeof(time_t) * siz);
 
 	p->siz = siz;
 	if (fname)
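Review bot: `racoon_malloc(sizeof(time_t) * siz)` (and the `sizeof(char *) * siz` allocation above it) multiplies an unchecked size; if `siz` can be large the product wraps and the `memset` that follows writes past a short buffer. If the gcmalloc wrapper offers `racoon_calloc`, `p->tbuf = racoon_calloc(siz, sizeof(time_t));` checks the multiplication and zero-fills in one step, replacing the malloc+memset pair; otherwise a `siz > SIZE_MAX / sizeof(time_t)` guard is needed. The cast on the malloc return is unnecessary in C. log_open starts outside the hunk.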



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-10-05 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Fri Oct  5 20:12:37 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_frag.c

Log Message:
>From Thomas Reim:

Current racoon code cannot detect duplicate last fragments as it uses
the fragment flag instead of the fragment number.

The code does not consider that the IKE payload fragments might not be
received in the correct order. In this case, packet complete detection
will again fail and VPN clients abandoned from VPN service.
Nevertheless, clients still can add fragments to the fragment queue and
fill it up to the possible 255 fragments. Only duplicates are detected,
but not the fragments with a number greater than the last fragment
number.

The last fragment number is kept in the Phase 1 handler
after fragment queue deletion, which may lead to error notifications
after successful reassembly of the IKE phase 1 message.

In general, the 2017 CVE fix added laconic and difficult to understand
failure notifications, which do not help much in analysing why a VPN
client was blocked by the racoon server.

This patch fixes the code and aligns it to the Microsoft/Cisco IKE
fragmentation specification. It provides error logging which is in line
with the above specification and adds some debug info to the logs to better
support analysis of VPN client blackballing.

XXX: pullup-8


To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.9 src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.10
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.9	Tue Oct  2 14:49:24 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c	Fri Oct  5 16:12:37 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_frag.c,v 1.9 2018/10/02 18:49:24 christos Exp $	*/
+/*	$NetBSD: isakmp_frag.c,v 1.10 2018/10/05 20:12:37 christos Exp $	*/
 
 /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
 
@@ -219,10 +219,15 @@ isakmp_frag_extract(iph1, msg)
 	struct isakmp_frag *frag;
 	struct isakmp_frag_item *item;
 	vchar_t *buf;
-	int last_frag = 0;
+	const char *m;
 	char *data;
 	int i;
 
+ 	if (iph1->frag_chain == NULL) {
+		plog(LLV_DEBUG, LOCATION, NULL,
+		 "fragmented IKE phase 1 message payload detected\n");
+	}
+
 	if (msg->l < sizeof(*isakmp) + sizeof(*frag)) {
 		plog(LLV_ERROR, LOCATION, NULL, "Message too short\n");
 		return -1;
@@ -260,47 +265,66 @@ isakmp_frag_extract(iph1, msg)
 	item->frag_next = NULL;
 	item->frag_packet = buf;
 
-	/* Check for the last frag before inserting the new item in the chain */
-	if (item->frag_last) {
-		/* if we have the last fragment, indices must match */
-		if (iph1->frag_last_index != 0 &&
-		item->frag_last != iph1->frag_last_index) {
-			plog(LLV_ERROR, LOCATION, NULL,
-			 "Repeated last fragment index mismatch\n");
-			racoon_free(item);
-			vfree(buf);
-			return -1;
+
+	/* Perform required last frag checks before inserting the new item in
+	   the chain */
+	if (iph1->frag_last_index != 0) {
+		/* Only one fragment payload allowed with last frag flag set */
+		if (item->frag_last) {
+			m = "Message has multiple tail fragments\n";
+			goto out;
 		}
 
-		last_frag = iph1->frag_last_index = item->frag_num;
+		/* Fragment payload with fragment number greater than the
+		   fragment number of the last fragment is not allowed*/
+		if (item->frag_num > iph1->frag_last_index) {
+			m = "Fragment number greater than tail fragment number\n";
+			goto out;
+		}
 	}
 
 	/* insert fragment into chain */
 	if (isakmp_frag_insert(iph1, item) == -1) {
-		plog(LLV_ERROR, LOCATION, NULL,
-		"Repeated fragment index mismatch\n");
-		racoon_free(item);
-		vfree(buf);
-		return -1;
+		m = "Duplicate fragment number\n";
+		goto out;
 	}
 
+	plog(LLV_DEBUG, LOCATION, NULL,
+	 "fragment payload #%d queued\n", item->frag_num);
+
+	/* remember last frag after insertion into fragment chain */
+	if (item->frag_last)
+		iph1->frag_last_index = item->frag_num;
+
 	/* If we saw the last frag, check if the chain is complete
 	 * we have a sorted list now, so just walk through */
-	if (last_frag != 0) {
+ 	if (iph1->frag_last_index != 0) {
 		item = iph1->frag_chain;
-		for (i = 1; i <= last_frag; i++) {
-			if (item == NULL) /* Not found */
-break;
-			if (item->frag_num != i)
-break;
+		for (i = 1; i <= iph1->frag_last_index; i++) {
+			if (item == NULL ||
+			item->frag_num != i) {
+plog(LLV_DEBUG, LOCATION, NULL,
+ "fragment payload #%d still missing\n",
+ i);
+ break;
+			}
 			item = item->frag_next;
 		}
 
-		if (i > last_frag) /* It is complete */
-			return 1;
+		if (i > iph1->frag_last_index) {/* It is complete */
+			plog(LLV_DEBUG, LOCATION, NULL,
+			 

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-10-02 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Tue Oct  2 18:49:24 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_frag.c

Log Message:
PR/53646: Thomas Reim: Incorrect detection of the packet complete code in
fragment list check.

While the fix in https://launchpad.net/~rdratlos/+archive/ubuntu/racoon

- if (i > last_frag) /* It is complete */
+ if (i >= last_frag) /* It is complete */

has the correct behavior, it violates the test for successful
completion of the invariant of the loop:

for (i = 1; i <= last_frag; i++) {
if (!check_fragment_index())
break;
}
if (i > last_frag)
return ok;

It is better to move the check for NULL in the loop earlier, so that
the final iteration is done and the test is kept the same. It makes
the code easier to understand and preserves the original intent.

XXX: pullup-8


To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.8 src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.9
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.8	Sat May 19 15:32:16 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c	Tue Oct  2 14:49:24 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_frag.c,v 1.8 2018/05/19 19:32:16 maxv Exp $	*/
+/*	$NetBSD: isakmp_frag.c,v 1.9 2018/10/02 18:49:24 christos Exp $	*/
 
 /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
 
@@ -289,11 +289,11 @@ isakmp_frag_extract(iph1, msg)
 	if (last_frag != 0) {
 		item = iph1->frag_chain;
 		for (i = 1; i <= last_frag; i++) {
+			if (item == NULL) /* Not found */
+break;
 			if (item->frag_num != i)
 break;
 			item = item->frag_next;
-			if (item == NULL) /* Not found */
-break;
 		}
 
 		if (i > last_frag) /* It is complete */



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-08-28 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Tue Aug 28 09:10:28 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: privsep.c

Log Message:
fix memory leaks: https://github.com/NetBSD/src/issues/6


To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.25 src/crypto/dist/ipsec-tools/src/racoon/privsep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/privsep.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.24 src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.25
--- src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.24	Sat May 19 15:23:15 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/privsep.c	Tue Aug 28 05:10:28 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: privsep.c,v 1.24 2018/05/19 19:23:15 maxv Exp $	*/
+/*	$NetBSD: privsep.c,v 1.25 2018/08/28 09:10:28 christos Exp $	*/
 
 /* Id: privsep.c,v 1.15 2005/08/08 11:23:44 vanhu Exp */
 
@@ -917,7 +917,7 @@ privsep_eay_get_pkcs1privkey(path) 
 	memcpy(msg + 1, path, msg->bufs.buflen[0]);
 
 	if (privsep_send(privsep_sock[1], msg, len) != 0)
-		return NULL;
+		goto out;
 
 	if (privsep_recv(privsep_sock[1], , ) != 0)
 		return NULL;
@@ -1034,13 +1034,14 @@ privsep_script_exec(script, name, envp)
 	 * And send it!
 	 */
 	if (privsep_send(privsep_sock[1], msg, msg->hdr.ac_len) != 0)
-		return -1;
+		goto out;
 
 	if (privsep_recv(privsep_sock[1], , ) != 0)
 		return -1;
 
 	if (msg->hdr.ac_errno != 0) {
 		errno = msg->hdr.ac_errno;
+out:
 		racoon_free(msg);
 		return -1;
 	}
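Review bot: The new `out:` label sits inside the `if (msg->hdr.ac_errno != 0) {` body, so `goto out` jumps into a conditional block; that is legal C but easy to misread and fragile if the block ever gains declarations. The `@@ -1354` hunk in privsep_xauth_login_system uses the same layout. Keeping the cleanup as a separate label after the function's success path — `out: racoon_free(msg); return -1;` — with the ac_errno branch doing `errno = msg->hdr.ac_errno; goto out;` keeps the control flow linear. privsep_script_exec continues outside the hunk.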
@@ -1081,7 +1082,7 @@ privsep_getpsk(str, keylen)
 	memcpy(data, , sizeof(keylen));
 
 	if (privsep_send(privsep_sock[1], msg, len) != 0)
-		return NULL;
+		goto out;
 
 	if (privsep_recv(privsep_sock[1], , ) != 0)
 		return NULL;
@@ -1354,12 +1355,13 @@ privsep_xauth_login_system(usr, pwd)
 	
 	/* frees msg */
 	if (privsep_send(privsep_sock[1], msg, len) != 0)
-		return -1;
+		goto out;
 
 	if (privsep_recv(privsep_sock[1], , ) != 0)
 		return -1;
 
 	if (msg->hdr.ac_errno != 0) {
+out:
 		racoon_free(msg);
 		return -1;
 	}
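Review bot: The `/* frees msg */` comment above `privsep_send(...)` now sits two lines from a `goto out` that frees `msg`, which reads as a double free; presumably privsep_send frees the buffer only on success (otherwise this commit would introduce one), and the comment should say so. Suggest replacing it with `/* privsep_send frees msg on success; on failure it is still ours to free */`. The same comment/goto pairing appears in the `@@ -1416`, `@@ -1664`, `@@ -1734` and `@@ -1786` hunks. privsep_xauth_login_system continues outside the hunk.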
@@ -1416,7 +1418,7 @@ privsep_accounting_system(port, raddr, u
 
 	/* frees msg */
 	if (privsep_send(privsep_sock[1], msg, len) != 0)
-		return -1;
+		goto out;
 
 	if (privsep_recv(privsep_sock[1], , ) != 0)
 		return -1;
@@ -1664,7 +1666,7 @@ privsep_accounting_pam(port, inout)
 
 	/* frees msg */
 	if (privsep_send(privsep_sock[1], msg, len) != 0)
-		return -1;
+		goto out;
 
 	if (privsep_recv(privsep_sock[1], , ) != 0)
 		return -1;
@@ -1734,7 +1736,7 @@ privsep_xauth_login_pam(port, raddr, usr
 
 	/* frees msg */
 	if (privsep_send(privsep_sock[1], msg, len) != 0)
-		return -1;
+		goto out;
 
 	if (privsep_recv(privsep_sock[1], , ) != 0)
 		return -1;
@@ -1786,7 +1788,7 @@ privsep_cleanup_pam(port)
 
 	/* frees msg */
 	if (privsep_send(privsep_sock[1], msg, len) != 0)
-		return;
+		goto out;
 
 	if (privsep_recv(privsep_sock[1], , ) != 0)
 		return;
@@ -1794,6 +1796,7 @@ privsep_cleanup_pam(port)
 	if (msg->hdr.ac_errno != 0)
 		errno = msg->hdr.ac_errno;
 
+out:
 	racoon_free(msg);
 	return;
 }



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-05-20 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sun May 20 06:15:45 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: vmbuf.c vmbuf.h

Log Message:
Style.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/crypto/dist/ipsec-tools/src/racoon/vmbuf.c \
src/crypto/dist/ipsec-tools/src/racoon/vmbuf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/vmbuf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/vmbuf.c:1.4 src/crypto/dist/ipsec-tools/src/racoon/vmbuf.c:1.5
--- src/crypto/dist/ipsec-tools/src/racoon/vmbuf.c:1.4	Sat Sep  9 16:22:10 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/vmbuf.c	Sun May 20 06:15:45 2018
@@ -1,11 +1,11 @@
-/*	$NetBSD: vmbuf.c,v 1.4 2006/09/09 16:22:10 manu Exp $	*/
+/*	$NetBSD: vmbuf.c,v 1.5 2018/05/20 06:15:45 maxv Exp $	*/
 
 /*	$KAME: vmbuf.c,v 1.11 2001/11/26 16:54:29 sakane Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -17,7 +17,7 @@
  * 3. Neither the name of the project nor the names of its contributors
  *may be used to endorse or promote products derived from this software
  *without specific prior written permission.
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -50,8 +50,7 @@
 #include "gcmalloc.h"
 
 vchar_t *
-vmalloc(size)
-	size_t size;
+vmalloc(size_t size)
 {
 	vchar_t *var;
 
@@ -73,12 +72,10 @@ vmalloc(size)
 }
 
 vchar_t *
-vrealloc(ptr, size)
-	vchar_t *ptr;
-	size_t size;
+vrealloc(vchar_t *ptr, size_t size)
 {
 	caddr_t v;
-	
+
 	if (ptr != NULL) {
 		if (ptr->l == 0) {
 			(void)vfree(ptr);
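Review bot: The definitions are converted to ANSI prototypes here (and in the vmalloc, vfree and vdup hunks), but the matching declarations in vmbuf.h still use the `__P((...))` wrappers — `extern vchar_t *vmalloc __P((size_t));` is visible in that file's hunk; since this is a style pass, dropping `__P` there (`extern vchar_t *vmalloc(size_t);`) keeps header and implementation in one style. vrealloc continues outside the hunk.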
@@ -103,8 +100,7 @@ vrealloc(ptr, size)
 }
 
 void
-vfree(var)
-	vchar_t *var;
+vfree(vchar_t *var)
 {
 	if (var == NULL)
 		return;
@@ -118,8 +114,7 @@ vfree(var)
 }
 
 vchar_t *
-vdup(src)
-	vchar_t *src;
+vdup(vchar_t *src)
 {
 	vchar_t *new;
 
Index: src/crypto/dist/ipsec-tools/src/racoon/vmbuf.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/vmbuf.h:1.4 src/crypto/dist/ipsec-tools/src/racoon/vmbuf.h:1.5
--- src/crypto/dist/ipsec-tools/src/racoon/vmbuf.h:1.4	Sat Sep  9 16:22:10 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/vmbuf.h	Sun May 20 06:15:45 2018
@@ -1,11 +1,11 @@
-/*	$NetBSD: vmbuf.h,v 1.4 2006/09/09 16:22:10 manu Exp $	*/
+/*	$NetBSD: vmbuf.h,v 1.5 2018/05/20 06:15:45 maxv Exp $	*/
 
 /* Id: vmbuf.h,v 1.4 2005/10/30 10:28:44 vanhu Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -17,7 +17,7 @@
  * 3. Neither the name of the project nor the names of its contributors
  *may be used to endorse or promote products derived from this software
  *without specific prior written permission.
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -62,7 +62,7 @@ do { \
 
 #if defined(__APPLE__) && defined(__MACH__)
 /* vfree is already defined in Apple's system libraries */
-#define vfree   vmbuf_free
+#define vfree	vmbuf_free
 #endif
 
 extern vchar_t *vmalloc __P((size_t));



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-05-19 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat May 19 20:40:40 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: misc.c

Log Message:
Remove dead code, and style.


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/crypto/dist/ipsec-tools/src/racoon/misc.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/misc.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/misc.c:1.6 src/crypto/dist/ipsec-tools/src/racoon/misc.c:1.7
--- src/crypto/dist/ipsec-tools/src/racoon/misc.c:1.6	Tue Jul 15 00:47:09 2008
+++ src/crypto/dist/ipsec-tools/src/racoon/misc.c	Sat May 19 20:40:40 2018
@@ -1,11 +1,11 @@
-/*	$NetBSD: misc.c,v 1.6 2008/07/15 00:47:09 mgrooms Exp $	*/
+/*	$NetBSD: misc.c,v 1.7 2018/05/19 20:40:40 maxv Exp $	*/
 
 /*	$KAME: misc.c,v 1.23 2001/08/16 14:37:29 itojun Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -17,7 +17,7 @@
  * 3. Neither the name of the project nor the names of its contributors
  *may be used to endorse or promote products derived from this software
  *without specific prior written permission.
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -50,33 +50,8 @@
 #include "misc.h"
 #include "debug.h"
 
-#if 0
-static int bindump __P((void *, size_t));
-
-static int
-bindump(buf0, len)
-void *buf0;
-size_t len;
-{
-	unsigned char *buf = (unsigned char *)buf0;
-	size_t i;
-
-	for (i = 0; i < len; i++) {
-		if ((buf[i] & 0x80) || !isprint(buf[i]))
-			printf("\\x%x", buf[i]);
-		else
-			printf("%c", buf[i]);
-	}
-	printf("\n");
-
-	return 0;
-}
-#endif
-
 int
-racoon_hexdump(buf0, len)
-	void *buf0;
-	size_t len;
+racoon_hexdump(void *buf0, size_t len)
 {
 	caddr_t buf = (caddr_t)buf0;
 	size_t i;
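Review bot: `racoon_hexdump(void *buf0, size_t len)` is given a strict prototype but no `const`, although a dump routine presumably only reads the buffer; `racoon_hexdump(const void *buf0, size_t len)` with a matching `const char *buf = buf0;` would let callers pass received packet data without casting away qualifiers. The same applies to `getfsize(char *path)` in the hunk at +114, which only passes path to stat(), and to `timedelta(struct timeval *t1, struct timeval *t2)` at +139, where the visible lines only read through t1 and t2. racoon_hexdump's body continues outside the hunk, so the local's type may need to follow the change.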
@@ -94,8 +69,7 @@ racoon_hexdump(buf0, len)
 }
 
 char *
-bit2str(n, bl)
-	int n, bl;
+bit2str(int n, int bl)
 {
 #define MAXBITLEN 128
 	static char b[MAXBITLEN + 1];
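Review bot: `bit2str` hands back a pointer into `static char b[MAXBITLEN + 1]`, and nothing in the hunk tells a caller that the result is overwritten by the next call; a header comment such as `/* Returns a pointer to a static buffer reused on every call; not reentrant. */` would make the contract visible. The same applies to `debug_location` in the hunk at +89, which returns from `static char buf[1024]`. Both function bodies continue outside the hunk.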
@@ -115,10 +89,7 @@ bit2str(n, bl)
 }
 
 const char *
-debug_location(file, line, func)
-	const char *file;
-	int line;
-	const char *func;
+debug_location(const char *file, int line, const char *func)
 {
 	static char buf[1024];
 	const char *p;
@@ -143,23 +114,21 @@ debug_location(file, line, func)
  * -1: error occured.
  */
 int
-getfsize(path)
-	char *path;
+getfsize(char *path)
 {
-struct stat st;
+	struct stat st;
 
-if (stat(path, ) != 0)
-return -1;
-else
-return st.st_size;
+	if (stat(path, ) != 0)
+		return -1;
+	else
+		return st.st_size;
 }
 
 /*
  * set the close-on-exec flag for file descriptor fd.
  */
 void
-close_on_exec(fd)
-	int fd;
+close_on_exec(int fd)
 {
 	fcntl(fd, F_SETFD, FD_CLOEXEC);
 }
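Review bot: `getfsize` returns `st.st_size`, an off_t, through an `int`, so a file larger than INT_MAX is silently truncated and can even come back negative, colliding with the -1 error value documented just above the function; returning `off_t` (keeping -1 as the sentinel) would fix this, at the cost of adjusting callers outside the hunk. In the same hunk, `close_on_exec` discards the result of `fcntl(fd, F_SETFD, FD_CLOEXEC)`, so a descriptor that failed to get the flag is silently left inheritable across exec; checking the return and logging the errno, e.g. `if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) plog(LLV_ERROR, LOCATION, NULL, "fcntl(F_SETFD): %s\n", strerror(errno));`, would surface it.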
@@ -170,8 +139,7 @@ close_on_exec(fd)
  * t2: end
  */
 double
-timedelta(t1, t2)
-	struct timeval *t1, *t2;
+timedelta(struct timeval *t1, struct timeval *t2)
 {
 	if (t2->tv_usec >= t1->tv_usec)
 		return t2->tv_sec - t1->tv_sec +



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-05-19 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat May 19 20:21:23 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: oakley.c

Log Message:
Remove unused 'error' variables; it's obvious they should have no use.


To generate a diff of this commit:
cvs rdiff -u -r1.26 -r1.27 src/crypto/dist/ipsec-tools/src/racoon/oakley.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/oakley.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.26 src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.27
--- src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.26	Sat May 19 20:14:56 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/oakley.c	Sat May 19 20:21:23 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: oakley.c,v 1.26 2018/05/19 20:14:56 maxv Exp $	*/
+/*	$NetBSD: oakley.c,v 1.27 2018/05/19 20:21:23 maxv Exp $	*/
 
 /* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */
 
@@ -786,7 +786,6 @@ oakley_compute_hash3(iph1, msgid, body)
 {
 	vchar_t *buf = 0, *res = 0;
 	int len;
-	int error = -1;
 
 	/* create buffer */
 	len = 1 + sizeof(u_int32_t) + body->l;
@@ -811,8 +810,6 @@ oakley_compute_hash3(iph1, msgid, body)
 	if (res == NULL)
 		goto end;
 
-	error = 0;
-
 	plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n");
 	plogdump(LLV_DEBUG, res->v, res->l);
 
@@ -841,7 +838,6 @@ oakley_compute_hash1(iph1, msgid, body)
 	vchar_t *buf = NULL, *res = NULL;
 	char *p;
 	int len;
-	int error = -1;
 
 	/* create buffer */
 	len = sizeof(u_int32_t) + body->l;
@@ -867,8 +863,6 @@ oakley_compute_hash1(iph1, msgid, body)
 	if (res == NULL)
 		goto end;
 
-	error = 0;
-
 	plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n");
 	plogdump(LLV_DEBUG, res->v, res->l);
 
@@ -893,7 +887,6 @@ oakley_ph1hash_common(iph1, sw)
 	vchar_t *buf = NULL, *res = NULL, *bp;
 	char *p, *bp2;
 	int len, bl;
-	int error = -1;
 #ifdef HAVE_GSSAPI
 	vchar_t *gsstokens = NULL;
 #endif
@@ -986,8 +979,6 @@ oakley_ph1hash_common(iph1, sw)
 	if (res == NULL)
 		goto end;
 
-	error = 0;
-
 	plog(LLV_DEBUG, LOCATION, NULL, "HASH (%s) computed:\n",
 		iph1->side == INITIATOR ? "init" : "resp");
 	plogdump(LLV_DEBUG, res->v, res->l);
@@ -1019,7 +1010,6 @@ oakley_ph1hash_base_i(iph1, sw)
 	vchar_t *hash = NULL;	/* for signature mode */
 	char *p;
 	int len;
-	int error = -1;
 
 	/* sanity check */
 	if (iph1->etype != ISAKMP_ETYPE_BASE) {
@@ -1133,8 +1123,6 @@ oakley_ph1hash_base_i(iph1, sw)
 	if (res == NULL)
 		goto end;
 
-	error = 0;
-
 	plog(LLV_DEBUG, LOCATION, NULL, "HASH_I computed:\n");
 	plogdump(LLV_DEBUG, res->v, res->l);
 
@@ -1160,7 +1148,6 @@ oakley_ph1hash_base_r(iph1, sw)
 	vchar_t *hash = NULL;
 	char *p;
 	int len;
-	int error = -1;
 
 	/* sanity check */
 	if (iph1->etype != ISAKMP_ETYPE_BASE) {
@@ -1259,8 +1246,6 @@ oakley_ph1hash_base_r(iph1, sw)
 	if (res == NULL)
 		goto end;
 
-	error = 0;
-
 	plog(LLV_DEBUG, LOCATION, NULL, "HASH_R computed:\n");
 	plogdump(LLV_DEBUG, res->v, res->l);
 



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-05-19 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat May 19 20:14:56 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: admin.c cfparse.y evt.c
grabmyaddr.c handler.c ipsec_doi.c isakmp.c isakmp_var.h
isakmp_xauth.c localconf.c oakley.c pfkey.c remoteconf.c sainfo.c
session.c

Log Message:
Use strict prototypes, when they don't introduce more warnings than they fix.
Also localify a few functions.


To generate a diff of this commit:
cvs rdiff -u -r1.40 -r1.41 src/crypto/dist/ipsec-tools/src/racoon/admin.c
cvs rdiff -u -r1.50 -r1.51 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y \
src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
cvs rdiff -u -r1.10 -r1.11 src/crypto/dist/ipsec-tools/src/racoon/evt.c
cvs rdiff -u -r1.36 -r1.37 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
cvs rdiff -u -r1.41 -r1.42 src/crypto/dist/ipsec-tools/src/racoon/handler.c
cvs rdiff -u -r1.77 -r1.78 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.17 -r1.18 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_var.h
cvs rdiff -u -r1.29 -r1.30 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
cvs rdiff -u -r1.9 -r1.10 src/crypto/dist/ipsec-tools/src/racoon/localconf.c
cvs rdiff -u -r1.25 -r1.26 src/crypto/dist/ipsec-tools/src/racoon/oakley.c
cvs rdiff -u -r1.60 -r1.61 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c
cvs rdiff -u -r1.15 -r1.16 src/crypto/dist/ipsec-tools/src/racoon/sainfo.c
cvs rdiff -u -r1.34 -r1.35 src/crypto/dist/ipsec-tools/src/racoon/session.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/admin.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.40 src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.41
--- src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.40	Sat May 19 19:23:15 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/admin.c	Sat May 19 20:14:56 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: admin.c,v 1.40 2018/05/19 19:23:15 maxv Exp $	*/
+/*	$NetBSD: admin.c,v 1.41 2018/05/19 20:14:56 maxv Exp $	*/
 
 /* Id: admin.c,v 1.25 2006/04/06 14:31:04 manubsd Exp */
 
@@ -97,9 +97,7 @@ static int admin_process __P((int, char 
 static int admin_reply __P((int, struct admin_com *, int, vchar_t *));
 
 static int
-admin_handler(ctx, fd)
-	void *ctx;
-	int fd;
+admin_handler(void *ctx, int fd)
 {
 	int so2;
 	struct sockaddr_storage from;

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.50 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.51
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.50	Sat May 19 19:32:16 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Sat May 19 20:14:56 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.50 2018/05/19 19:32:16 maxv Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.51 2018/05/19 20:14:56 maxv Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -172,7 +172,7 @@ static int load_x509(const char *file, c
 	return 0;
 }
 
-static int process_rmconf()
+static int process_rmconf(void)
 {
 
 	/* check a exchange mode */
@@ -2611,8 +2611,7 @@ insspspec(rmconf, spspec)
 }
 
 static struct secprotospec *
-dupspspec(spspec)
-	struct secprotospec *spspec;
+dupspspec(struct secprotospec *spspec)
 {
 	struct secprotospec *new;
 
Index: src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.50 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.51
--- src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.50	Sat May 19 19:23:15 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c	Sat May 19 20:14:56 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_doi.c,v 1.50 2018/05/19 19:23:15 maxv Exp $	*/
+/*	$NetBSD: ipsec_doi.c,v 1.51 2018/05/19 20:14:56 maxv Exp $	*/
 
 /* Id: ipsec_doi.c,v 1.55 2006/08/17 09:20:41 vanhu Exp */
 
@@ -197,9 +197,7 @@ ipsecdoi_checkph1proposal(sa, iph1)
 }
 
 static void
-print_ph1proposal(pair, s)
-	struct prop_pair *pair;
-	struct isakmpsa *s;
+print_ph1proposal(struct prop_pair *pair, struct isakmpsa *s)
 {
 	struct isakmp_pl_p *prop = pair->prop;
 	struct isakmp_pl_t *trns = pair->trns;
@@ -3302,9 +3300,7 @@ doi2ipproto(proto)
  */
 
 int
-ipsecdoi_subnetisaddr_v4( subnet, address )
-	const vchar_t *subnet;
-	const vchar_t *address;
+ipsecdoi_subnetisaddr_v4(const vchar_t *subnet, const vchar_t *address)
 {
 	struct in_addr *mask;
 
@@ -3325,9 +3321,7 @@ ipsecdoi_subnetisaddr_v4( subnet, addres
 #ifdef INET6
 
 int
-ipsecdoi_subnetisaddr_v6( subnet, address )
-	const vchar_t *subnet;
-	const vchar_t *address;
+ipsecdoi_subnetisaddr_v6(const vchar_t *subnet, const vchar_t *address)
 {
 	struct in6_addr *mask;
 	int i;

Index: src/crypto/dist/ipsec-tools/src/racoon/evt.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/evt.c:1.10 

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-05-19 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat May 19 19:47:47 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: backupsa.c isakmp_cfg.c
isakmp_inf.c session.c

Log Message:
Remove unused labels, functions, and function prototypes.


To generate a diff of this commit:
cvs rdiff -u -r1.10 -r1.11 src/crypto/dist/ipsec-tools/src/racoon/backupsa.c
cvs rdiff -u -r1.27 -r1.28 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
cvs rdiff -u -r1.52 -r1.53 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
cvs rdiff -u -r1.33 -r1.34 src/crypto/dist/ipsec-tools/src/racoon/session.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/backupsa.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/backupsa.c:1.10 src/crypto/dist/ipsec-tools/src/racoon/backupsa.c:1.11
--- src/crypto/dist/ipsec-tools/src/racoon/backupsa.c:1.10	Fri Apr  2 15:15:00 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/backupsa.c	Sat May 19 19:47:47 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: backupsa.c,v 1.10 2010/04/02 15:15:00 christos Exp $	*/
+/*	$NetBSD: backupsa.c,v 1.11 2018/05/19 19:47:47 maxv Exp $	*/
 
 /*	$KAME: backupsa.c,v 1.16 2001/12/31 20:13:40 thorpej Exp $	*/
 
@@ -228,7 +228,6 @@ backupsa_from_file()
 		memset(, 0, sizeof(tm));
 		p = str2tmx(buf, );
 		if (*p != '%') {
-	err:
 			plog(LLV_ERROR, LOCATION, NULL,
 "illegal format line#%d in %s: %s\n",
 line, lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], 

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.27 src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.28
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.27	Sat May 19 19:32:16 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c	Sat May 19 19:47:47 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_cfg.c,v 1.27 2018/05/19 19:32:16 maxv Exp $	*/
+/*	$NetBSD: isakmp_cfg.c,v 1.28 2018/05/19 19:47:47 maxv Exp $	*/
 
 /* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */
 
@@ -740,7 +740,7 @@ isakmp_cfg_set(iph1, attrpl)
 		delph1(iph1);
 		iph1 = NULL;
 	}
-end:
+
 	vfree(payload);
 
 	/* 

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.52 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.53
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.52	Sat May 19 19:23:15 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Sat May 19 19:47:47 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.c,v 1.52 2018/05/19 19:23:15 maxv Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.53 2018/05/19 19:47:47 maxv Exp $	*/
 
 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
 
@@ -110,8 +110,6 @@ static int isakmp_info_recv_r_u_ack __P(
 static void isakmp_info_send_r_u __P((struct sched *));
 #endif
 
-static void purge_isakmp_spi __P((int, isakmp_index *, size_t));
-
 /* %%%
  * Information Exchange
  */
@@ -1072,32 +1070,6 @@ isakmp_add_pl_n(buf0, np_p, type, pr, da
 	return buf;
 }
 
-static void
-purge_isakmp_spi(proto, spi, n)
-	int proto;
-	isakmp_index *spi;	/*network byteorder*/
-	size_t n;
-{
-	struct ph1handle *iph1;
-	size_t i;
-
-	for (i = 0; i < n; i++) {
-		iph1 = getph1byindex([i]);
-		if (!iph1)
-			continue;
-
-		plog(LLV_INFO, LOCATION, NULL,
-			"purged ISAKMP-SA proto_id=%s spi=%s.\n",
-			s_ipsecdoi_proto(proto),
-			isakmp_pindex([i], 0));
-
-		iph1->status = PHASE1ST_EXPIRED;
-		isakmp_ph1delete(iph1);
-	}
-}
-
-
-
 void
 purge_ipsec_spi(dst0, proto, spi, n)
 	struct sockaddr *dst0;

Index: src/crypto/dist/ipsec-tools/src/racoon/session.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/session.c:1.33 src/crypto/dist/ipsec-tools/src/racoon/session.c:1.34
--- src/crypto/dist/ipsec-tools/src/racoon/session.c:1.33	Sat May 19 19:23:15 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/session.c	Sat May 19 19:47:47 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: session.c,v 1.33 2018/05/19 19:23:15 maxv Exp $	*/
+/*	$NetBSD: session.c,v 1.34 2018/05/19 19:47:47 maxv Exp $	*/
 
 /*	$KAME: session.c,v 1.32 2003/09/24 02:01:17 jinmei Exp $	*/
 
@@ -111,11 +111,9 @@ struct fd_monitor {
 #define NUM_PRIORITIES 2
 
 static void close_session __P((void));
-static void initfds __P((void));
 static void init_signal __P((void));
 static int set_signal __P((int sig, RETSIGTYPE (*func) __P((int;
 static void check_sigreq __P((void));
-static void check_flushsa __P((void));
 static int close_sockets __P((void));
 
 static fd_set preset_mask, active_mask;



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-05-19 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat May 19 19:32:16 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y isakmp_cfg.c
isakmp_frag.c isakmp_xauth.c

Log Message:
More unused variables.


To generate a diff of this commit:
cvs rdiff -u -r1.49 -r1.50 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
cvs rdiff -u -r1.26 -r1.27 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
cvs rdiff -u -r1.7 -r1.8 src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c
cvs rdiff -u -r1.28 -r1.29 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.49 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.50
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.49	Wed Feb 17 20:11:17 2016
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Sat May 19 19:32:16 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.49 2016/02/17 20:11:17 christos Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.50 2018/05/19 19:32:16 maxv Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -1543,7 +1543,6 @@ sainfo_id
 		{
 			char portbuf[10];
 			struct sockaddr *laddr = NULL, *haddr = NULL;
-			char *cur = NULL;
 
 			if (($6 == IPPROTO_ICMP || $6 == IPPROTO_ICMPV6)
 			 && ($5 != IPSEC_PORT_ANY || $5 != IPSEC_PORT_ANY)) {
@@ -2013,7 +2012,6 @@ remote_spec
 	|	PEERS_CERTFILE CERT_PLAINRSA QUOTEDSTRING
 		{
 			char path[MAXPATHLEN];
-			int ret = 0;
 
 			if (cur_rmconf->peerscert != NULL) {
 yyerror("peers_certfile already defined\n");
@@ -2365,7 +2363,6 @@ cert_spec
 	|	CERT_PLAINRSA QUOTEDSTRING
 		{
 			char path[MAXPATHLEN];
-			int ret = 0;
 
 			if (cur_rmconf->mycert != NULL) {
 yyerror("certificate_type already defined\n");

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.26 src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.27
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.26	Wed Mar  9 22:27:17 2016
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c	Sat May 19 19:32:16 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_cfg.c,v 1.26 2016/03/09 22:27:17 christos Exp $	*/
+/*	$NetBSD: isakmp_cfg.c,v 1.27 2018/05/19 19:32:16 maxv Exp $	*/
 
 /* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */
 
@@ -322,7 +322,6 @@ isakmp_cfg_reply(iph1, attrpl)
 	size_t alen;
 	char *npp;
 	int type;
-	struct sockaddr_in *sin;
 	int error;
 
 	tlen = ntohs(attrpl->h.len);
@@ -782,7 +781,6 @@ isakmp_cfg_net(iph1, attr)
 {
 	int type;
 	int confsource;
-	in_addr_t addr4;
 
 	type = ntohs(attr->type);
 
@@ -1665,7 +1663,6 @@ isakmp_cfg_accounting_system(port, raddr
 	char *usr;
 	int inout;
 {
-	int error = 0;
 	struct utmpx ut;
 	char addr[NI_MAXHOST];
 	
@@ -1880,8 +1877,6 @@ isakmp_cfg_setenv(iph1, envp, envc)
 	char defdom[MAXPATHLEN + 1];
 	int cidr, tmp;
 	char cidrstr[4];
-	int i, p;
-	int test;
 
 	plog(LLV_DEBUG, LOCATION, NULL, "Starting a script.\n");
 
@@ -2134,7 +2129,6 @@ isakmp_cfg_init(cold) 
 	int cold;
 {
 	int i;
-	int error;
 
 	isakmp_cfg_config.network4 = (in_addr_t)0x;
 	isakmp_cfg_config.netmask4 = (in_addr_t)0x;
@@ -2184,6 +2178,7 @@ isakmp_cfg_init(cold) 
 	isakmp_cfg_config.splitdns_len = 0;
 
 #if 0
+	int error;
 	if (cold == ISAKMP_CFG_INIT_COLD) {
 		if ((error = isakmp_cfg_resize_pool(ISAKMP_CFG_MAX_CNX)) != 0)
 			return error;
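Review bot: Moving `int error;` into the `#if 0` block keeps a never-compiled block "tidy" rather than removing it, and the declaration now sits after executable statements, so it only stays valid as a C99 mixed declaration if the block is ever re-enabled. If the cold-init pool resizing is not coming back, deleting the whole `#if 0` region would be cleaner than maintaining it; if it is, a one-line comment saying why it is disabled would help the next reader. isakmp_cfg_init continues outside the hunk.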

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.7 src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.8
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.7	Sun Jul 23 05:40:27 2017
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c	Sat May 19 19:32:16 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_frag.c,v 1.7 2017/07/23 05:40:27 christos Exp $	*/
+/*	$NetBSD: isakmp_frag.c,v 1.8 2018/05/19 19:32:16 maxv Exp $	*/
 
 /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
 
@@ -219,7 +219,6 @@ isakmp_frag_extract(iph1, msg)
 	struct isakmp_frag *frag;
 	struct isakmp_frag_item *item;
 	vchar_t *buf;
-	size_t len;
 	int last_frag = 0;
 	char *data;
 	int i;

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.28 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.29
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.28	Wed Mar  9 15:58:25 2016
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Sat May 19 19:32:16 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.28 2016/03/09 15:58:25 christos Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.29 2018/05/19 19:32:16 maxv Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -655,7 +655,6 @@ PAM_conv(msg_count, 

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-05-19 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat May 19 19:23:15 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: admin.c grabmyaddr.c
ipsec_doi.c isakmp.c isakmp_agg.c isakmp_base.c isakmp_ident.c
isakmp_inf.c main.c oakley.c privsep.c remoteconf.c session.c
vendorid.c

Log Message:
Remove unused variables.


To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.40 src/crypto/dist/ipsec-tools/src/racoon/admin.c
cvs rdiff -u -r1.35 -r1.36 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
cvs rdiff -u -r1.49 -r1.50 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
cvs rdiff -u -r1.76 -r1.77 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.16 -r1.17 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_agg.c
cvs rdiff -u -r1.12 -r1.13 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_base.c
cvs rdiff -u -r1.15 -r1.16 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c
cvs rdiff -u -r1.51 -r1.52 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
cvs rdiff -u -r1.14 -r1.15 src/crypto/dist/ipsec-tools/src/racoon/main.c
cvs rdiff -u -r1.24 -r1.25 src/crypto/dist/ipsec-tools/src/racoon/oakley.c
cvs rdiff -u -r1.23 -r1.24 src/crypto/dist/ipsec-tools/src/racoon/privsep.c
cvs rdiff -u -r1.28 -r1.29 \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
cvs rdiff -u -r1.32 -r1.33 src/crypto/dist/ipsec-tools/src/racoon/session.c
cvs rdiff -u -r1.8 -r1.9 src/crypto/dist/ipsec-tools/src/racoon/vendorid.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/admin.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.39 src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.40
--- src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.39	Mon Jun  3 05:49:31 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/admin.c	Sat May 19 19:23:15 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: admin.c,v 1.39 2013/06/03 05:49:31 tteras Exp $	*/
+/*	$NetBSD: admin.c,v 1.40 2018/05/19 19:23:15 maxv Exp $	*/
 
 /* Id: admin.c,v 1.25 2006/04/06 14:31:04 manubsd Exp */
 
@@ -327,7 +327,6 @@ admin_process(so2, combuf)
 
 #ifdef ENABLE_HYBRID
 	case ADMIN_LOGOUT_USER: {
-		struct ph1handle *iph1;
 		char user[LOGINLEN+1];
 		int found = 0, len = com->ac_len - sizeof(*com);
 
@@ -427,7 +426,6 @@ admin_process(so2, combuf)
 		case ADMIN_PROTO_ISAKMP: {
 			struct ph1handle *ph1;
 			struct remoteconf *rmconf;
-			u_int16_t port;
 
 			l_ac_errno = -1;
 

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.35 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.36
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.35	Wed Apr 12 16:47:39 2017
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Sat May 19 19:23:15 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.35 2017/04/12 16:47:39 roy Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.36 2018/05/19 19:23:15 maxv Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras .
@@ -140,7 +140,7 @@ myaddr_open_all_configured(addr)
 	struct sockaddr *addr;
 {
 	/* create all configured, not already opened addresses */
-	struct myaddr *cfg, *my;
+	struct myaddr *cfg;
 
 	if (addr != NULL) {
 		switch (addr->sa_family) {
@@ -859,7 +859,6 @@ kernel_sync()
 	caddr_t ref, buf, end;
 	size_t bufsiz;
 	struct if_msghdr *ifm;
-	struct interface *ifp;
 
 #define MIBSIZ 6
 	int mib[MIBSIZ] = {

Index: src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.49 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.50
--- src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.49	Tue Jun 18 05:39:50 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c	Sat May 19 19:23:15 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_doi.c,v 1.49 2013/06/18 05:39:50 tteras Exp $	*/
+/*	$NetBSD: ipsec_doi.c,v 1.50 2018/05/19 19:23:15 maxv Exp $	*/
 
 /* Id: ipsec_doi.c,v 1.55 2006/08/17 09:20:41 vanhu Exp */
 
@@ -264,8 +264,6 @@ get_ph1approval(iph1, doitype, sittype, 
 		for (s = pair[i]; s; s = s->next) {
 			/* compare proposal and select one */
 			for (p = s; p; p = p->tnext) {
-struct isakmp_pl_p *prop = p->prop;
-
 sa = newisakmpsa();
 ctx.p = p;
 ctx.sa = sa;
@@ -3894,7 +3892,7 @@ set_identifier_qual(vpp, type, value, qu
 		if (loglevel >= LLV_DEBUG) {
 			X509_NAME *xn;
 			BIO *bio;
-			unsigned char *ptr = (unsigned char *) new->v, *buf;
+			unsigned char *ptr = (unsigned char *) new->v;
 			size_t len;
 			char save;
 

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.76 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.77
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.76	Tue Jan 24 19:23:56 2017
+++ 

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-05-19 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat May 19 18:51:59 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: main.c nattraversal.c
nattraversal.h

Log Message:
Style, a little...


To generate a diff of this commit:
cvs rdiff -u -r1.13 -r1.14 src/crypto/dist/ipsec-tools/src/racoon/main.c
cvs rdiff -u -r1.14 -r1.15 \
src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c
cvs rdiff -u -r1.7 -r1.8 \
src/crypto/dist/ipsec-tools/src/racoon/nattraversal.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/main.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/main.c:1.13 src/crypto/dist/ipsec-tools/src/racoon/main.c:1.14
--- src/crypto/dist/ipsec-tools/src/racoon/main.c:1.13	Fri Jul 12 13:11:50 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/main.c	Sat May 19 18:51:59 2018
@@ -1,11 +1,11 @@
-/*	$NetBSD: main.c,v 1.13 2013/07/12 13:11:50 tteras Exp $	*/
+/*	$NetBSD: main.c,v 1.14 2018/05/19 18:51:59 maxv Exp $	*/
 
 /* Id: main.c,v 1.25 2006/06/20 20:31:34 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -17,7 +17,7 @@
  * 3. Neither the name of the project nor the names of its contributors
  *may be used to endorse or promote products derived from this software
  *without specific prior written permission.
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -85,9 +85,9 @@ static int loading_sa = 0;	/* install sa
 
 #ifdef TOP_PACKAGE
 static char version[] = "@(#)" TOP_PACKAGE_STRING " (" TOP_PACKAGE_URL ")";
-#else /* TOP_PACKAGE */
+#else
 static char version[] = "@(#) racoon / IPsec-tools";
-#endif /* TOP_PACKAGE */
+#endif
 
 static void
 print_version()
@@ -162,9 +162,7 @@ usage()
 }
 
 static void
-parse(ac, av)
-	int ac;
-	char **av;
+parse(int ac, char **av)
 {
 	extern char *optarg;
 	extern int optind;
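Review bot: `parse` still declares `extern char *optarg;` and `extern int optind;` at block scope; with the prototype cleanup this is the moment to drop those two lines and rely on the declarations from `<unistd.h>`, which getopt() use already requires and which keeps the types in sync with the libc header. This assumes main.c includes <unistd.h>, which is not visible in the hunk. parse's body continues outside the hunk.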
@@ -264,9 +262,7 @@ parse(ac, av)
 }
 
 int
-main(ac, av)
-	int ac;
-	char **av;
+main(int ac, char **av)
 {
 	int error;
 
@@ -308,7 +304,7 @@ main(ac, av)
 	plog(LLV_INFO, LOCATION, NULL, "@(#)"
 	"This product linked %s (http://www.openssl.org/)"
 	"\n", eay_version());
-	plog(LLV_INFO, LOCATION, NULL, "Reading configuration from \"%s\"\n", 
+	plog(LLV_INFO, LOCATION, NULL, "Reading configuration from \"%s\"\n",
 	lcconf->racoon_conf);
 
 	/*
@@ -346,4 +342,3 @@ main(ac, av)
 
 	return 0;
 }
-

Index: src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c:1.14 src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c:1.15
--- src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c:1.14	Mon Mar 14 17:18:13 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c	Sat May 19 18:51:59 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: nattraversal.c,v 1.14 2011/03/14 17:18:13 tteras Exp $	*/
+/*	$NetBSD: nattraversal.c,v 1.15 2018/05/19 18:51:59 maxv Exp $	*/
 
 /*
  * Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
@@ -230,118 +230,117 @@ natt_udp_encap (int encmode)
 }
 
 int
-natt_fill_options (struct ph1natt_options *opts, int version)
+natt_fill_options(struct ph1natt_options *opts, int version)
 {
-  if (! opts)
-return -1;
+	if (!opts)
+		return -1;
 
-  opts->version = version;
+	opts->version = version;
 
-  switch (version) {
-case VENDORID_NATT_00:
-case VENDORID_NATT_01:
-  opts->float_port = 0; /* No port floating for those drafts */
-  opts->payload_nat_d = ISAKMP_NPTYPE_NATD_DRAFT;
-  opts->payload_nat_oa = ISAKMP_NPTYPE_NATOA_DRAFT;
-  opts->mode_udp_tunnel = IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT;
-  opts->mode_udp_transport = IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT;
-  opts->encaps_type = UDP_ENCAP_ESPINUDP_NON_IKE;
+	switch (version) {
+	case VENDORID_NATT_00:
+	case VENDORID_NATT_01:
+		opts->float_port = 0; /* No port floating for those drafts */
+		opts->payload_nat_d = ISAKMP_NPTYPE_NATD_DRAFT;
+		opts->payload_nat_oa = ISAKMP_NPTYPE_NATOA_DRAFT;
+		opts->mode_udp_tunnel = IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT;
+		opts->mode_udp_transport = IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT;
+		opts->encaps_type = UDP_ENCAP_ESPINUDP_NON_IKE;
+		break;
+	case VENDORID_NATT_02:
+	case VENDORID_NATT_02_N:
+	case VENDORID_NATT_03:
+		opts->float_port = lcconf->port_isakmp_natt;
+		opts->payload_nat_d = ISAKMP_NPTYPE_NATD_DRAFT;
+		opts->payload_nat_oa = ISAKMP_NPTYPE_NATOA_DRAFT;
+		opts->mode_udp_tunnel = IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT;
+		opts->mode_udp_transport = IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT;

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-04-01 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sun Apr  1 22:59:58 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: crypto_openssl.c

Log Message:
Avoid double frees (thanks asan)


To generate a diff of this commit:
cvs rdiff -u -r1.27 -r1.28 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.27 src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.28
--- src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.27	Tue Feb  6 22:59:03 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c	Sun Apr  1 18:59:57 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.c,v 1.27 2018/02/07 03:59:03 christos Exp $	*/
+/*	$NetBSD: crypto_openssl.c,v 1.28 2018/04/01 22:59:57 christos Exp $	*/
 
 /* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
 
@@ -2331,6 +2331,7 @@ eay_dh_generate(prime, ig, publen, pub, 
 		goto end;
 	if (!DH_set0_pqg(dh, p, NULL, g))
 		goto end;
+	p = g = NULL;
 
 	if (publen != 0)
 		DH_set_length(dh, publen);
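Review bot: The new `p = g = NULL;` fixes the double free but says nothing about why, and the `end:` cleanup that frees `p` and `g` is outside this hunk, so a later reader will not see that a successful `DH_set0_pqg` transfers those BIGNUMs to `dh`; annotate the line as `p = g = NULL; /* owned by dh now; end: must not BN_free them */`. The placement after the `goto end` is right: a failed `DH_set0_pqg` leaves ownership with the caller, so the error path still frees them. eay_dh_generate begins and ends outside the hunk.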
@@ -2395,9 +2396,11 @@ eay_dh_compute(prime, ig, pub, priv, pub
 
 	if (!DH_set0_pqg(dh, p, NULL, g))
 		goto end;
+	p = g = NULL;
 
 	if (!DH_set0_key(dh, pub_key, priv_key))
 		goto end;
+	pub_key = priv_key = NULL;
 
 	if ((v = racoon_calloc(prime->l, sizeof(u_char))) == NULL)
 		goto end;
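Review bot: Both nulling lines are correct but silent about the ownership hand-off they encode; since the `end:` label that releases `p`, `g`, `pub_key` and `priv_key` is outside the hunk, comment each as `/* owned by dh from here on */`. The ordering also deserves a sentence in that comment: if `DH_set0_key` fails, `p` and `g` are already NULL (presumably released together with `dh`) while the two keys are still the caller's to free, which is exactly what assigning NULL only after each successful setter gives. eay_dh_compute starts and ends outside the hunk.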
@@ -2565,7 +2568,6 @@ binbuf_pubkey2rsa(vchar_t *binbuf)
 	return rsa_pub;
 out:
 	BN_free(exp);
-	BN_free(exp);
 	RSA_free(rsa_pub);
 	return NULL;
 }
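Review bot: Deleting the duplicated `BN_free(exp)` at `out:` may trade a double free for a leak: a function that builds an RSA public key from a blob very likely also creates a modulus BIGNUM, and the second call was probably a copy-paste slip for `BN_free(mod)` (or whatever that variable is named) rather than a stray line. If such a BIGNUM exists and `rsa_pub` does not own it yet at that point, the error path should free it; and if `RSA_set0_key` can have succeeded before a later failure, the pointers must be nulled after the hand-off, as the DH hunks above now do. The body of binbuf_pubkey2rsa starts outside the hunk, so this needs checking against the full function.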



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-04-01 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sun Apr  1 22:35:22 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: debugrm.c debugrm.h

Log Message:
make debugrm compile again.


To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 src/crypto/dist/ipsec-tools/src/racoon/debugrm.c
cvs rdiff -u -r1.4 -r1.5 src/crypto/dist/ipsec-tools/src/racoon/debugrm.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/debugrm.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/debugrm.c:1.3 src/crypto/dist/ipsec-tools/src/racoon/debugrm.c:1.4
--- src/crypto/dist/ipsec-tools/src/racoon/debugrm.c:1.3	Sat Sep  9 12:22:09 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/debugrm.c	Sun Apr  1 18:35:22 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: debugrm.c,v 1.3 2006/09/09 16:22:09 manu Exp $	*/
+/*	$NetBSD: debugrm.c,v 1.4 2018/04/01 22:35:22 christos Exp $	*/
 
 /*	$KAME: debugrm.c,v 1.6 2001/12/13 16:07:46 sakane Exp $	*/
 
@@ -51,37 +51,38 @@
 #define DRMLISTSIZE 1024
 
 struct drm_list_t {
-	void *ptr;
+	const void *ptr;
 	char msg[100];
 };
 static struct drm_list_t drmlist[DRMLISTSIZE];
 
 static int drm_unknown;
 
-static void DRM_add __P((void *, char *));
-static void DRM_del __P((void *));
-static void DRM_setmsg __P((char *, int, void *, int, char *, int, char *));
+static void DRM_add(const void *, const char *);
+static void DRM_del(const void *);
+static void DRM_setmsg(char *, size_t, const void *, size_t, const char *,
+size_t, const char *);
 
 void 
-DRM_init()
+DRM_init(void)
 {
-	int i;
+	size_t i;
 	drm_unknown = 0;
-	for (i = 0; i < sizeof(drmlist)/sizeof(drmlist[0]); i++)
+	for (i = 0; i < __arraycount(drmlist); i++)
 		drmlist[i].ptr = 0;
 }
 
 void
-DRM_dump()
+DRM_dump(void)
 {
 	FILE *fp;
-	int i;
+	size_t i;
 
 	fp = fopen(DRMDUMPFILE, "w");
 	if (fp == NULL)
 		err(1, "fopen");	/*XXX*/
 	fprintf(fp, "drm_unknown=%d\n", drm_unknown);
-	for (i = 0; i < sizeof(drmlist)/sizeof(drmlist[0]); i++) {
+	for (i = 0; i < __arraycount(drmlist); i++) {
 		if (drmlist[i].ptr)
 			fprintf(fp, "%s\n", drmlist[i].msg);
 	}
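Review bot: `struct drm_list_t` gained a `const` but still has no comment, and the convention that `ptr == 0` marks a free slot is only implied by DRM_init and DRM_add; a one-liner on the struct, `/* one tracked allocation; ptr == NULL marks a free slot */`, plus `#define DRMLISTSIZE 1024 /* max live allocations tracked */` would make the dump self-describing. In DRM_dump, `err(1, "fopen")` terminates the whole process when the dump file cannot be created; that is acceptable for a debug build but the bare `/*XXX*/` should say so, e.g. `/* XXX debug-only: abort rather than lose the leak report */`.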
@@ -89,12 +90,10 @@ DRM_dump()
 }
 
 static void 
-DRM_add(p, msg)
-	void *p;
-	char *msg;
+DRM_add(const void *p, const char *msg)
 {
-	int i;
-	for (i = 0; i < sizeof(drmlist)/sizeof(drmlist[0]); i++) {
+	size_t i;
+	for (i = 0; i < __arraycount(drmlist); i++) {
 		if (!drmlist[i].ptr) {
 			drmlist[i].ptr = p;
 			strlcpy(drmlist[i].msg, msg, sizeof(drmlist[i].msg));
@@ -104,15 +103,14 @@ DRM_add(p, msg)
 }
 
 static void
-DRM_del(p)
-	void *p;
+DRM_del(const void *p)
 {
-	int i;
+	size_t i;
 
 	if (!p)
 		return;
 
-	for (i = 0; i < sizeof(drmlist)/sizeof(drmlist[0]); i++) {
+	for (i = 0; i < __arraycount(drmlist); i++) {
 		if (drmlist[i].ptr == p) {
 			drmlist[i].ptr = 0;
 			return;
@@ -122,10 +120,8 @@ DRM_del(p)
 }
 
 static void
-DRM_setmsg(buf, buflen, ptr, size, file, line, func)
-	char *buf, *file, *func;
-	int buflen, size, line;
-	void *ptr;
+DRM_setmsg(char *buf, size_t buflen, const void *ptr, size_t size,
+const char *file, size_t line, const char *func)
 {
 	time_t t;
 	struct tm *tm;
@@ -136,14 +132,11 @@ DRM_setmsg(buf, buflen, ptr, size, file,
 	len = strftime(buf, buflen, "%Y/%m/%d:%T ", tm);
 
 	snprintf(buf + len, buflen - len, "%p %6d %s:%d:%s",
-		ptr, size, file , line, func);
+		ptr, size, file, line, func);
 }
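Review bot: The format string on the `snprintf` line no longer matches its arguments: `size` and `line` became `size_t` in the new DRM_setmsg prototype two hunks up, but are still printed with `%6d` and `%d`, which is undefined behaviour and prints garbage on LP64 targets where `size_t` is 64-bit. Change the call to `snprintf(buf + len, buflen - len, "%p %6zu %s:%zu:%s", ptr, size, file, line, func);`. DRM_setmsg begins outside the hunk.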
 
 void *
-DRM_malloc(file, line, func, size)
-	char *file, *func;
-	int line;
-	size_t size;
+DRM_malloc(const char *file, size_t line, const char *func, size_t size)
 {
 	void *p;
 
@@ -158,10 +151,8 @@ DRM_malloc(file, line, func, size)
 }
 
 void *
-DRM_calloc(file, line, func, number, size)
-	char *file, *func;
-	int line;
-	size_t number, size;
+DRM_calloc(const char *file, size_t line, const char *func, size_t number,
+size_t size)
 {
 	void *p;
 
@@ -175,11 +166,8 @@ DRM_calloc(file, line, func, number, siz
 }
 
 void *
-DRM_realloc(file, line, func, ptr, size)
-	char *file, *func;
-	int line;
-	void *ptr;
-	size_t size;
+DRM_realloc(const char *file, size_t line, const char *func, void *ptr,
+size_t size)
 {
 	void *p;
 
@@ -197,20 +185,14 @@ DRM_realloc(file, line, func, ptr, size)
 }
 
 void
-DRM_free(file, line, func, ptr)
-	char *file, *func;
-	int line;
-	void *ptr;
+DRM_free(const char *file, size_t line, const char *func, void *ptr)
 {
 	DRM_del(ptr);
 	free(ptr);
 }
 
 char *
-DRM_strdup(file, line, func, str)
-	char *file, *func;
-	int line;
-	const char *str;
+DRM_strdup(const char *file, size_t line, const char *func, const char *str)
 {
 	char *p;
 
@@ -218,7 +200,7 @@ DRM_strdup(file, line, func, str)
 
 	if (p) {
 		char buf[1024];
-		DRM_setmsg(buf, sizeof(buf), p, size, file, line, func);
+		DRM_setmsg(buf, sizeof(buf), p, strlen(p), file, line, func);
 		DRM_add(p, buf);
 	}
 
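Review bot: `strlen(p)` records one byte less than strdup actually allocated; `strlen(p) + 1` would make the size column consistent with what DRM_malloc logs for its own `size` argument. Whether the dump is meant to show bytes allocated or string length is a choice, but a short comment on the line should state it either way. DRM_strdup starts outside this hunk.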
@@ -229,10 +211,7 @@ DRM_strdup(file, line, func, str)
  * mask vmbuf.c functions.
  */
 

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2018-02-06 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Feb  7 03:59:03 UTC 2018

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: crypto_openssl.c
crypto_openssl.h prsa_par.y rsalist.c

Log Message:
Welcome to the 21st century Buck Rogers: OpenSSL-1.1


To generate a diff of this commit:
cvs rdiff -u -r1.26 -r1.27 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
cvs rdiff -u -r1.8 -r1.9 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h
cvs rdiff -u -r1.6 -r1.7 src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y \
src/crypto/dist/ipsec-tools/src/racoon/rsalist.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.26 src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.27
--- src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.26	Sun Jun 11 18:12:56 2017
+++ src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c	Tue Feb  6 22:59:03 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.c,v 1.26 2017/06/11 22:12:56 christos Exp $	*/
+/*	$NetBSD: crypto_openssl.c,v 1.27 2018/02/07 03:59:03 christos Exp $	*/
 
 /* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
 
@@ -109,11 +109,11 @@
  * necessary for SSLeay/OpenSSL portability.  It sucks.
  */
 
-static int cb_check_cert_local __P((int, X509_STORE_CTX *));
-static int cb_check_cert_remote __P((int, X509_STORE_CTX *));
-static X509 *mem2x509 __P((vchar_t *));
+static int cb_check_cert_local(int, X509_STORE_CTX *);
+static int cb_check_cert_remote(int, X509_STORE_CTX *);
+static X509 *mem2x509(vchar_t *);
 
-static caddr_t eay_hmac_init __P((vchar_t *, const EVP_MD *));
+static caddr_t eay_hmac_init(vchar_t *, const EVP_MD *);
 
 /* X509 Certificate */
 /*
@@ -312,13 +312,19 @@ eay_cmp_asn1dn(n1, n2)
 	for(idx = 0; idx < X509_NAME_entry_count(a); idx++) {
 		X509_NAME_ENTRY *ea = X509_NAME_get_entry(a, idx);
 		X509_NAME_ENTRY *eb = X509_NAME_get_entry(b, idx);
+		ASN1_STRING *eda, *edb;
 		if (!eb) {	/* reached end of eb while still entries in ea, can not be equal... */
 			i = idx+1;
 			goto end;
 		}
-		if ((ea->value->length == 1 && ea->value->data[0] == '*') ||
-		(eb->value->length == 1 && eb->value->data[0] == '*')) {
-			if (OBJ_cmp(ea->object,eb->object)) {
+		eda = X509_NAME_ENTRY_get_data(ea);
+		edb = X509_NAME_ENTRY_get_data(eb);
+		if ((eda->length == 1 && eda->data[0] == '*') ||
+		(edb->length == 1 && edb->data[0] == '*')) {
+			ASN1_OBJECT *eoa, *eob;
+			eoa = X509_NAME_ENTRY_get_object(ea);
+			eob = X509_NAME_ENTRY_get_object(eb);
+			if (OBJ_cmp(eoa, eob)) {
 i = idx+1;
 goto end;
 			}
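Review bot: The rewrite still reaches into the ASN1_STRING returned by `X509_NAME_ENTRY_get_data` through `->length` and `->data`; OpenSSL 1.1 provides `ASN1_STRING_length()` and `ASN1_STRING_get0_data()` for this, and using them finishes the accessor migration the commit is doing for X509_NAME_ENTRY, e.g. `ASN1_STRING_length(eda) == 1 && ASN1_STRING_get0_data(eda)[0] == '*'`. Note also that the wildcard is honoured on whichever side carries it, so if either `n1` or `n2` can come from the peer, a certificate whose RDN value is a bare `*` matches any configured value for that attribute type; that predates this commit, but a comment on the `*` test should state which side is permitted to wildcard. eay_cmp_asn1dn begins outside this hunk.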
@@ -426,19 +432,17 @@ cb_check_cert_local(ok, ctx)
 	X509_STORE_CTX *ctx;
 {
 	char buf[256];
-	int log_tag;
+	int log_tag, error;
 
 	if (!ok) {
-		X509_NAME_oneline(
-X509_get_subject_name(ctx->current_cert),
-buf,
-256);
+		X509_NAME_oneline(X509_get_subject_name(
+		X509_STORE_CTX_get_current_cert(ctx)), buf, 256);
 		/*
 		 * since we are just checking the certificates, it is
 		 * ok if they are self signed. But we should still warn
 		 * the user.
  		 */
-		switch (ctx->error) {
+		switch (error = X509_STORE_CTX_get_error(ctx)) {
 		case X509_V_ERR_CERT_HAS_EXPIRED:
 		case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
 		case X509_V_ERR_INVALID_CA:
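Review bot: `X509_STORE_CTX_get_current_cert(ctx)` can return NULL (OpenSSL documents it as NULL when no certificate is relevant to the error), and the new call feeds that straight into `X509_get_subject_name`, which dereferences it; the old `ctx->current_cert` had the same exposure, but the accessor rewrite is the moment to guard it: `X509 *cur = X509_STORE_CTX_get_current_cert(ctx);` then `if (cur != NULL) X509_NAME_oneline(X509_get_subject_name(cur), buf, sizeof(buf)); else buf[0] = '\0';`. Replacing the literal `256` with `sizeof(buf)` also ties the bound to the declaration in this hunk. cb_check_cert_local continues in the next hunk.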
@@ -453,9 +457,8 @@ cb_check_cert_local(ok, ctx)
 		}
 		plog(log_tag, LOCATION, NULL,
 			"%s(%d) at depth:%d SubjectName:%s\n",
-			X509_verify_cert_error_string(ctx->error),
-			ctx->error,
-			ctx->error_depth,
+			X509_verify_cert_error_string(error), error,
+			X509_STORE_CTX_get_error_depth(ctx),
 			buf);
 	}
 	ERR_clear_error();
@@ -473,14 +476,12 @@ cb_check_cert_remote(ok, ctx)
 	X509_STORE_CTX *ctx;
 {
 	char buf[256];
-	int log_tag;
+	int log_tag, error;
 
 	if (!ok) {
-		X509_NAME_oneline(
-X509_get_subject_name(ctx->current_cert),
-buf,
-256);
-		switch (ctx->error) {
+		X509_NAME_oneline(X509_get_subject_name(
+		X509_STORE_CTX_get_current_cert(ctx)), buf, 256);
+		switch (error = X509_STORE_CTX_get_error(ctx)) {
 		case X509_V_ERR_UNABLE_TO_GET_CRL:
 			ok = 1;
 			log_tag = LLV_WARNING;
@@ -490,9 +491,9 @@ cb_check_cert_remote(ok, ctx)
 		}
 		plog(log_tag, LOCATION, NULL,
 			"%s(%d) at depth:%d SubjectName:%s\n",
-			X509_verify_cert_error_string(ctx->error),
-			ctx->error,
-			ctx->error_depth,
+			X509_verify_cert_error_string(error),
+			error,
+			X509_STORE_CTX_get_error_depth(ctx),
 			buf);
 	}
 	ERR_clear_error();
@@ -508,6 +509,7 @@ eay_get_x509asn1subjectname(cert)
 	vchar_t *cert;
 {
 	X509 *x509 = NULL;
+	X509_NAME *xname;
 	u_char *bp;
 	vchar_t *name = NULL;
 	int len;
@@ -517,13 +519,14 @@ eay_get_x509asn1subjectname(cert)
 		goto error;
 
 	/* get the length of the name */
-	len = i2d_X509_NAME(x509->cert_info->subject, NULL);

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2017-11-09 Thread Kengo NAKAHARA
Module Name:src
Committed By:   knakahara
Date:   Thu Nov  9 08:34:50 UTC 2017

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: pfkey.c

Log Message:
fix typo. (does not affect actual operation, but confuses reader...)

The function is called when racoon receives SADB_X_MIGRATE pfkey message,
however the message is not used now. It was compatible code for KAME.


To generate a diff of this commit:
cvs rdiff -u -r1.59 -r1.60 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/pfkey.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.59 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.60
--- src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.59	Thu Nov 29 15:31:25 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/pfkey.c	Thu Nov  9 08:34:50 2017
@@ -1,6 +1,6 @@
-/*	$NetBSD: pfkey.c,v 1.59 2012/11/29 15:31:25 vanhu Exp $	*/
+/*	$NetBSD: pfkey.c,v 1.60 2017/11/09 08:34:50 knakahara Exp $	*/
 
-/* $Id: pfkey.c,v 1.59 2012/11/29 15:31:25 vanhu Exp $ */
+/* $Id: pfkey.c,v 1.60 2017/11/09 08:34:50 knakahara Exp $ */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -3177,8 +3177,8 @@ migrate_ph2_one_isr(spid, isr_cur, xisr_
 
 	/* Then, verify reqid if necessary */
 	if (isr_cur->saidx.reqid &&
-	(xisr_old->sadb_x_ipsecrequest_reqid != IPSEC_LEVEL_UNIQUE ||
-	 xisr_new->sadb_x_ipsecrequest_reqid != IPSEC_LEVEL_UNIQUE ||
+	(xisr_old->sadb_x_ipsecrequest_level != IPSEC_LEVEL_UNIQUE ||
+	 xisr_new->sadb_x_ipsecrequest_level != IPSEC_LEVEL_UNIQUE ||
 	 isr_cur->saidx.reqid != xisr_old->sadb_x_ipsecrequest_reqid ||
 	 isr_cur->saidx.reqid != xisr_new->sadb_x_ipsecrequest_reqid))
 		return -1;



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2017-07-22 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sun Jul 23 05:40:28 UTC 2017

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_frag.c

Log Message:
PR/51682: Antoine Beaupré: Simplify and comment previous patch.
XXX: pullup-8


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.6 src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.7
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.6	Tue Jan 24 14:23:31 2017
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c	Sun Jul 23 01:40:27 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_frag.c,v 1.6 2017/01/24 19:23:31 christos Exp $	*/
+/*	$NetBSD: isakmp_frag.c,v 1.7 2017/07/23 05:40:27 christos Exp $	*/
 
 /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
 
@@ -179,20 +179,26 @@ isakmp_frag_insert(struct ph1handle *iph
 	struct isakmp_frag_item *pitem = NULL;
 	struct isakmp_frag_item *citem = iph1->frag_chain;
 
+	/* no frag yet, just insert at beginning of list */
 	if (iph1->frag_chain == NULL) {
 		iph1->frag_chain = item;
 		return 0;
 	}
 
 	do {
+		/* duplicate fragment number, abort (CVE-2016-10396) */
 		if (citem->frag_num == item->frag_num)
 			return -1;
 
+		/* need to insert before current item */
 		if (citem->frag_num > item->frag_num) {
-			if (pitem)
+			if (pitem != NULL)
 pitem->frag_next = item;
+			else
+/* insert at the beginning of the list  */
+iph1->frag_chain = item;
 			item->frag_next = citem;
-			break;
+			return 0;
 		}
 
 		pitem = citem;
@@ -200,8 +206,7 @@ isakmp_frag_insert(struct ph1handle *iph
 	} while (citem != NULL);
 
 	/* we reached the end of the list, insert */
-	if (citem == NULL)
-	  pitem->frag_next = item;
+	pitem->frag_next = item;
 	return 0;
 }
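Review bot: isakmp_frag_insert now has three exits and takes ownership of `item` only on the two that return 0, which the caller relies on when it frees `item` after a -1; state that in a header comment: `/* Insert item into iph1->frag_chain, keeping the chain sorted by frag_num. Returns 0 and takes ownership of item, or -1 (item untouched) if a fragment with the same number is already chained. */`. The logic itself reads correctly: the head-insertion case that the previous revision dropped now updates `iph1->frag_chain`, and the loop can only fall out with `citem == NULL`, so the unconditional tail append is sound.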
 



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2017-06-11 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sun Jun 11 22:12:56 UTC 2017

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: crypto_openssl.c

Log Message:
PR/52292: Shinichi Doyashiki: Fix reversed comments.


To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.26 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.25 src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.26
--- src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.25	Thu Feb 27 03:37:58 2014
+++ src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c	Sun Jun 11 18:12:56 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.c,v 1.25 2014/02/27 08:37:58 tteras Exp $	*/
+/*	$NetBSD: crypto_openssl.c,v 1.26 2017/06/11 22:12:56 christos Exp $	*/
 
 /* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
 
@@ -1268,7 +1268,7 @@ eay_idea_encrypt(data, key, iv)
 	if ((res = vmalloc(data->l)) == NULL)
 		return NULL;
 
-	/* decryption data */
+	/* encrypt data */
 	idea_cbc_encrypt((unsigned char *)data->v, (unsigned char *)res->v, data->l,
 			, (unsigned char *)iv->v, IDEA_ENCRYPT);
 
@@ -1366,7 +1366,7 @@ eay_rc5_encrypt(data, key, iv)
 	if ((res = vmalloc(data->l)) == NULL)
 		return NULL;
 
-	/* decryption data */
+	/* encrypt data */
 	RC5_32_cbc_encrypt((unsigned char *)data->v, (unsigned char *)res->v, data->l,
 		, (unsigned char *)iv->v, RC5_ENCRYPT);
 



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2017-04-12 Thread Roy Marples
Module Name:src
Committed By:   roy
Date:   Wed Apr 12 16:47:40 UTC 2017

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c

Log Message:
Use RO_MSGFILTER.


To generate a diff of this commit:
cvs rdiff -u -r1.34 -r1.35 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.34 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.35
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.34	Sat Jun 14 22:39:36 2014
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Wed Apr 12 16:47:39 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.34 2014/06/14 22:39:36 christos Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.35 2017/04/12 16:47:39 roy Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras .
@@ -827,6 +827,9 @@ static int
 kernel_open_socket()
 {
 	int fd;
+#ifdef RO_MSGFILTER
+	unsigned char msgfilter[] = { RTM_NEWADDR, RTM_DELADDR };
+#endif
 
 	fd = socket(PF_ROUTE, SOCK_RAW, 0);
 	if (fd < 0) {
@@ -835,6 +838,13 @@ kernel_open_socket()
 			strerror(errno));
 		return -1;
 	}
+#ifdef RO_MSGFILTER
+	if (setsockopt(fd, PF_ROUTE, RO_MSGFILTER,
+	, sizeof(msgfilter)) < 0)
+		plog(LLV_WARNING, LOCATION, NULL,
+		 "setsockopt(RO_MSGFILER) failed: %s",
+		 strerror(errno));
+#endif
 	close_on_exec(fd);
 	if (fcntl(fd, F_SETFL, O_NONBLOCK) == -1)
 		plog(LLV_WARNING, LOCATION, NULL,



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2017-01-24 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Tue Jan 24 19:23:56 UTC 2017

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: handler.h isakmp.c isakmp_inf.c

Log Message:
PR/51682: Avoid DoS with fragment out of order insertion; keep fragments
sorted in the list.


To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.26 src/crypto/dist/ipsec-tools/src/racoon/handler.h
cvs rdiff -u -r1.75 -r1.76 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.50 -r1.51 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/handler.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.h:1.25 src/crypto/dist/ipsec-tools/src/racoon/handler.h:1.26
--- src/crypto/dist/ipsec-tools/src/racoon/handler.h:1.25	Wed Nov 17 05:40:41 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.h	Tue Jan 24 14:23:56 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.h,v 1.25 2010/11/17 10:40:41 tteras Exp $	*/
+/*	$NetBSD: handler.h,v 1.26 2017/01/24 19:23:56 christos Exp $	*/
 
 /* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
 
@@ -141,6 +141,7 @@ struct ph1handle {
 #endif
 #ifdef ENABLE_FRAG
 	int frag;			/* IKE phase 1 fragmentation */
+	int frag_last_index;
 	struct isakmp_frag_item *frag_chain;	/* Received fragments */
 #endif
 
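Review bot: The new `frag_last_index` field has no comment while its neighbours do; from the way isakmp_frag.c uses it (set to the `frag_num` of the fragment flagged as last, 0 until one is seen) the line should read `int frag_last_index;	/* frag_num of the LAST fragment, 0 until seen */`. Since every ph1handle creation site now has to zero it (three places in this commit), zeroing it where the handle is allocated would be less fragile if that allocator is calloc-style — that code is outside this diff.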

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.75 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.76
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.75	Wed Mar  9 17:27:17 2016
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Tue Jan 24 14:23:56 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.c,v 1.75 2016/03/09 22:27:17 christos Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.76 2017/01/24 19:23:56 christos Exp $	*/
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
@@ -1077,6 +1077,7 @@ isakmp_ph1begin_i(rmconf, remote, local)
 		iph1->frag = 1;
 	else
 		iph1->frag = 0;
+	iph1->frag_last_index = 0;
 	iph1->frag_chain = NULL;
 #endif
 	iph1->approval = NULL;
@@ -1181,6 +1182,7 @@ isakmp_ph1begin_r(msg, remote, local, et
 #endif
 #ifdef ENABLE_FRAG
 	iph1->frag = 0;
+	iph1->frag_last_index = 0;
 	iph1->frag_chain = NULL;
 #endif
 	iph1->approval = NULL;

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.50 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.51
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.50	Fri Apr 12 05:53:10 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Tue Jan 24 14:23:56 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.c,v 1.50 2013/04/12 09:53:10 tteras Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.51 2017/01/24 19:23:56 christos Exp $	*/
 
 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
 
@@ -720,6 +720,7 @@ isakmp_info_send_nx(isakmp, remote, loca
 #endif
 #ifdef ENABLE_FRAG
 	iph1->frag = 0;
+	iph1->frag_last_index = 0;
 	iph1->frag_chain = NULL;
 #endif
 



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2017-01-24 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Tue Jan 24 19:23:31 UTC 2017

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_frag.c

Log Message:
PR/51682: Avoid DoS with fragment out of order insertion; keep fragments
sorted in the list.


To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.5 src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.6
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c:1.5	Wed Apr 22 07:24:20 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c	Tue Jan 24 14:23:31 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_frag.c,v 1.5 2009/04/22 11:24:20 tteras Exp $	*/
+/*	$NetBSD: isakmp_frag.c,v 1.6 2017/01/24 19:23:31 christos Exp $	*/
 
 /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
 
@@ -173,6 +173,38 @@ vendorid_frag_cap(gen)
 	return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]);
 }
 
+static int 
+isakmp_frag_insert(struct ph1handle *iph1, struct isakmp_frag_item *item)
+{
+	struct isakmp_frag_item *pitem = NULL;
+	struct isakmp_frag_item *citem = iph1->frag_chain;
+
+	if (iph1->frag_chain == NULL) {
+		iph1->frag_chain = item;
+		return 0;
+	}
+
+	do {
+		if (citem->frag_num == item->frag_num)
+			return -1;
+
+		if (citem->frag_num > item->frag_num) {
+			if (pitem)
+pitem->frag_next = item;
+			item->frag_next = citem;
+			break;
+		}
+
+		pitem = citem;
+		citem = citem->frag_next;
+	} while (citem != NULL);
+
+	/* we reached the end of the list, insert */
+	if (citem == NULL)
+	  pitem->frag_next = item;
+	return 0;
+}
+
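Review bot: When the new fragment sorts before the current head (`pitem == NULL` and `citem->frag_num > item->frag_num`), the branch sets `item->frag_next = citem` but never updates `iph1->frag_chain`, so that fragment is silently dropped from the chain (and leaked when the chain is freed) and the message can never be completed. Add `else iph1->frag_chain = item;` after the `if (pitem)` assignment. The trailing `if (citem == NULL)` test is redundant, since the loop only exits normally with `citem == NULL` and the `break` path has already linked the item.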
 int 
 isakmp_frag_extract(iph1, msg)
 	struct ph1handle *iph1;
@@ -224,39 +256,43 @@ isakmp_frag_extract(iph1, msg)
 	item->frag_next = NULL;
 	item->frag_packet = buf;
 
-	/* Look for the last frag while inserting the new item in the chain */
-	if (item->frag_last)
-		last_frag = item->frag_num;
+	/* Check for the last frag before inserting the new item in the chain */
+	if (item->frag_last) {
+		/* if we have the last fragment, indices must match */
+		if (iph1->frag_last_index != 0 &&
+		item->frag_last != iph1->frag_last_index) {
+			plog(LLV_ERROR, LOCATION, NULL,
+			 "Repeated last fragment index mismatch\n");
+			racoon_free(item);
+			vfree(buf);
+			return -1;
+		}
 
-	if (iph1->frag_chain == NULL) {
-		iph1->frag_chain = item;
-	} else {
-		struct isakmp_frag_item *current;
+		last_frag = iph1->frag_last_index = item->frag_num;
+	}
 
-		current = iph1->frag_chain;
-		while (current->frag_next) {
-			if (current->frag_last)
-last_frag = item->frag_num;
-			current = current->frag_next;
-		}
-		current->frag_next = item;
+	/* insert fragment into chain */
+	if (isakmp_frag_insert(iph1, item) == -1) {
+		plog(LLV_ERROR, LOCATION, NULL,
+		"Repeated fragment index mismatch\n");
+		racoon_free(item);
+		vfree(buf);
+		return -1;
 	}
 
-	/* If we saw the last frag, check if the chain is complete */
+	/* If we saw the last frag, check if the chain is complete
+	 * we have a sorted list now, so just walk through */
 	if (last_frag != 0) {
+		item = iph1->frag_chain;
 		for (i = 1; i <= last_frag; i++) {
-			item = iph1->frag_chain;
-			do {
-if (item->frag_num == i)
-	break;
-item = item->frag_next;
-			} while (item != NULL);
-
+			if (item->frag_num != i)
+break;
+			item = item->frag_next;
 			if (item == NULL) /* Not found */
 break;
 		}
 
-		if (item != NULL) /* It is complete */
+		if (i > last_frag) /* It is complete */
 			return 1;
 	}
 		
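Review bot: The completeness walk can never report success: on the final iteration (`i == last_frag`) it advances `item` to the next node, which is NULL for the highest-numbered fragment of a sorted chain, and breaks before the `i++`, so the loop always ends with `i == last_frag` and `i > last_frag` is false. Put the NULL test first and drop the trailing one, making `if (item == NULL || item->frag_num != i) break; item = item->frag_next;` the whole loop body, so a full chain leaves the loop with `i == last_frag + 1`. Separately, `item->frag_last != iph1->frag_last_index` compares what the enclosing `if` treats as a boolean flag against a fragment number; if `frag_last` is indeed the LAST flag, the intended test is `item->frag_num != iph1->frag_last_index`. The duplicate-fragment message "Repeated fragment index mismatch" also describes a duplicate, not a mismatch. isakmp_frag_extract starts before this hunk.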
@@ -291,15 +327,9 @@ isakmp_frag_reassembly(iph1)
 	}
 	data = buf->v;
 
+	item = iph1->frag_chain;
 	for (i = 1; i <= frag_count; i++) {
-		item = iph1->frag_chain;
-		do {
-			if (item->frag_num == i)
-break;
-			item = item->frag_next;
-		} while (item != NULL);
-
-		if (item == NULL) {
+		if (item->frag_num != i) {
 			plog(LLV_ERROR, LOCATION, NULL, 
 			"Missing fragment #%d\n", i);
 			vfree(buf);
@@ -308,6 +338,7 @@ isakmp_frag_reassembly(iph1)
 		}
 		memcpy(data, item->frag_packet->v, item->frag_packet->l);
 		data += item->frag_packet->l;
+		item = item->frag_next;
 	}
 
 out:
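Review bot: The rewritten loop dereferences `item` before checking it, so a chain shorter than `frag_count` now faults on `item->frag_num` instead of reaching the existing "Missing fragment" error; write the test as `if (item == NULL || item->frag_num != i) {`. That preserves the previous revision's behaviour, where a missing fragment was reported rather than crashing, and costs nothing on the normal path. `frag_count` is computed outside the hunk.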



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2016-03-19 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Mar 16 21:09:39 UTC 2016

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_ident.c

Log Message:
CID 1356385: Add fallthrough comment


To generate a diff of this commit:
cvs rdiff -u -r1.14 -r1.15 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c:1.14 src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c:1.15
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c:1.14	Wed Mar  9 17:27:17 2016
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c	Wed Mar 16 17:09:39 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_ident.c,v 1.14 2016/03/09 22:27:17 christos Exp $	*/
+/*	$NetBSD: isakmp_ident.c,v 1.15 2016/03/16 21:09:39 christos Exp $	*/
 
 /* Id: isakmp_ident.c,v 1.21 2006/04/06 16:46:08 manubsd Exp */
 
@@ -171,7 +171,7 @@ ident_i1send(iph1, msg)
 		else
 			plist = isakmp_plist_append(plist,
 			vid_xauth, ISAKMP_NPTYPE_VID);
-
+		/*FALLTHROUGH*/
 	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
 		if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
 			plog(LLV_ERROR, LOCATION, NULL,



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2016-03-11 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Fri Mar 11 18:28:43 UTC 2016

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: privsep.c

Log Message:
PR/50943: David Binderman: Fix misplaced parenthesis.


To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 src/crypto/dist/ipsec-tools/src/racoon/privsep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/privsep.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.22 src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.23
--- src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.22	Fri Aug 12 01:21:50 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/privsep.c	Fri Mar 11 13:28:43 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: privsep.c,v 1.22 2011/08/12 05:21:50 tteras Exp $	*/
+/*	$NetBSD: privsep.c,v 1.23 2016/03/11 18:28:43 christos Exp $	*/
 
 /* Id: privsep.c,v 1.15 2005/08/08 11:23:44 vanhu Exp */
 
@@ -1261,7 +1261,7 @@ privsep_setsockopt(s, level, optname, op
 	struct sockopt_args sockopt_args;
 	int err, saved_errno = 0;
 
-	if ((err = setsockopt(s, level, optname, optval, optlen) == 0) || 
+	if ((err = setsockopt(s, level, optname, optval, optlen)) == 0 || 
 	(saved_errno = errno) != EACCES ||
 	geteuid() == 0) {
 		if (saved_errno)



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2016-03-09 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Mar  9 22:27:17 UTC 2016

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp.c isakmp_cfg.c
isakmp_ident.c

Log Message:
From Frank Wille:
Request "IKE mode config" in "rsasig" (certificates on both sides only)
authentication mode, if "mode_cfg" is configured to "on".
Tested with a Lancom router, using the following configuration:

path include "/etc/racoon";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";

remote "wpsd"
{
remote_address 1.2.3.4;
exchange_mode main,base;

my_identifier asn1dn;
certificate_type x509 "vpnclient15.crt" "vpnclient15.key";
ca_type x509 "ca.crt";

mode_cfg on;
dpd_delay 20;
nat_traversal on;
lifetime time 8 hour;
script "phase1-up.sh" phase1_up;
script "phase1-down.sh" phase1_down;

proposal {
encryption_algorithm aes;
hash_algorithm md5;
authentication_method rsasig;
dh_group 2;
}
proposal_check obey;
}

sainfo anonymous
{
pfs_group 2;
lifetime time 8 hour;
encryption_algorithm aes;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}


To generate a diff of this commit:
cvs rdiff -u -r1.74 -r1.75 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.25 -r1.26 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
cvs rdiff -u -r1.13 -r1.14 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.74 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.75
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.74	Sun Jan  1 10:57:31 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Wed Mar  9 17:27:17 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.c,v 1.74 2012/01/01 15:57:31 tteras Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.75 2016/03/09 22:27:17 christos Exp $	*/
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
@@ -890,6 +890,10 @@ ph1_main(iph1, msg)
 /* XXX Don't process INITIAL_CONTACT */
 iph1->rmconf->ini_contact = 0;
 break;
+			case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
+if (iph1->rmconf->mode_cfg)
+	error = isakmp_cfg_getconfig(iph1);
+break;
 			default:
 break;
 			}
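Review bot: The new `case OAKLEY_ATTR_AUTH_METHOD_RSASIG:` assigns `error` from `isakmp_cfg_getconfig` and then breaks; whether that value is acted on depends on the code after the switch, which is outside this hunk, and the sibling hunk below in the same function returns a literal 0 right after the same assignment. If ph1_main does not inspect `error` after the switch, a failed mode-config request on the rsasig path is silently ignored; either propagate it or add a comment stating that mode-config failure is deliberately non-fatal here.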
@@ -945,6 +949,10 @@ ph1_main(iph1, msg)
 break;
 			}
 		}
+		if ((iph1->rmconf->mode_cfg) &&
+		!(iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH)) {
+			error = isakmp_cfg_getconfig(iph1);
+		}
 	}
 
 	return 0;
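Review bot: The value assigned to `error` by `isakmp_cfg_getconfig` in the new block is never examined: the function returns the literal `0` two lines later, so a failed mode-config request on the rsasig responder path is silently ignored. Either propagate it with `if (error) return error;` (after checking that callers of ph1_main can cope with a non-zero return at this point) or drop the assignment and log the failure explicitly. Also confirm that `iph1->mode_cfg` is always allocated whenever `rmconf->mode_cfg` is set, since the new condition dereferences it before the XAUTH flag test. ph1_main starts before the hunk.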

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.25 src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.26
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.25	Fri Apr 12 06:03:45 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c	Wed Mar  9 17:27:17 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_cfg.c,v 1.25 2013/04/12 10:03:45 tteras Exp $	*/
+/*	$NetBSD: isakmp_cfg.c,v 1.26 2016/03/09 22:27:17 christos Exp $	*/
 
 /* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */
 
@@ -457,6 +457,7 @@ isakmp_cfg_reply(iph1, attrpl)
 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 
 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 
+		case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
 			script_hook(iph1, SCRIPT_PHASE1_UP);
 			break;
 		default:
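Review bot: The new `OAKLEY_ATTR_AUTH_METHOD_RSASIG` label is the only one in this group without an `_I`/`_R` direction suffix and carries no comment, so a reader cannot tell why a non-XAUTH method now fires the phase-1-up script from the mode-cfg reply path. A one-line comment above the label, such as `/* plain RSASIG with mode_cfg (no XAUTH) reaches this hook too */`, would record the intent; the same label is added to isakmp_cfg_request below and deserves the same note. The switch in isakmp_cfg_reply starts before this hunk.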
@@ -639,6 +640,7 @@ isakmp_cfg_request(iph1, attrpl)
 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 
 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 
+		case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
 			script_hook(iph1, SCRIPT_PHASE1_UP);
 			break;
 		default:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c:1.13 src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c:1.14
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c:1.13	Fri Sep 18 06:31:11 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c	Wed Mar  9 17:27:17 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_ident.c,v 1.13 2009/09/18 10:31:11 tteras Exp $	*/
+/*	$NetBSD: isakmp_ident.c,v 1.14 2016/03/09 22:27:17 christos Exp $	*/
 
 /* Id: isakmp_ident.c,v 1.21 2006/04/06 16:46:08 manubsd Exp */
 
@@ -172,6 +172,7 @@ ident_i1send(iph1, msg)
 			plist = isakmp_plist_append(plist,
 			vid_xauth, ISAKMP_NPTYPE_VID);
 
+	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
 		if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
 			plog(LLV_ERROR, LOCATION, NULL,
 			 "Unity vendor ID generation failed\n");
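Review bot: The new `case OAKLEY_ATTR_AUTH_METHOD_RSASIG:` label is placed so that the preceding XAUTH case, which appends vid_xauth on the lines just above it, falls through into the Unity vendor-ID code; that looks intended but is unmarked, so add `/* FALLTHROUGH */` on the line before the new label to document it and keep -Wimplicit-fallthrough quiet. As far as the hunk shows, this also makes the initiator advertise the Unity vendor ID to every plain-RSASIG peer whether or not mode_cfg is configured for that remote; if that is not wanted, the label's body needs a guard on the rmconf mode_cfg flag. The switch in ident_i1send starts before this hunk.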



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2016-03-09 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Mar  9 15:58:25 UTC 2016

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_xauth.c

Log Message:
PR/50918: David Binderman: Fix memory leak


To generate a diff of this commit:
cvs rdiff -u -r1.27 -r1.28 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.27 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.28
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.27	Tue Mar 18 14:20:35 2014
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Wed Mar  9 10:58:25 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.27 2014/03/18 18:20:35 riastradh Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.28 2016/03/09 15:58:25 christos Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -1803,7 +1803,7 @@ xauth_rmconf_dup(xauth_rmconf)
 		new = racoon_malloc(sizeof(*new));
 		if (new == NULL) {
 			plog(LLV_ERROR, LOCATION, NULL, 
-			"xauth_rmconf_dup: malloc failed\n");
+			"%s: malloc failed\n", __func__);
 			return NULL;
 		}
 
@@ -1813,16 +1813,16 @@ xauth_rmconf_dup(xauth_rmconf)
 			new->login = vdup(xauth_rmconf->login);
 			if (new->login == NULL) {
 plog(LLV_ERROR, LOCATION, NULL, 
-"xauth_rmconf_dup: malloc failed (login)\n");
-return NULL;
+"%s: malloc failed (login)\n", __func__);
+goto out;
 			}
 		}
 		if (xauth_rmconf->pass != NULL) {
 			new->pass = vdup(xauth_rmconf->pass);
 			if (new->pass == NULL) {
 plog(LLV_ERROR, LOCATION, NULL, 
-"xauth_rmconf_dup: malloc failed (password)\n");
-return NULL;
+"%s: malloc failed (password)\n", __func__);
+goto out;
 			}
 		}
 
@@ -1830,4 +1830,8 @@ xauth_rmconf_dup(xauth_rmconf)
 	}
 
 	return NULL;
+out:
+	vfree(new->login);
+	racoon_free(new);
+	return NULL;
 }
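Review bot: The `out:` path frees `new->login` unconditionally, which is only safe if vfree() tolerates NULL and `new->login` holds either NULL or an owned copy on every jump; `new` comes from racoon_malloc() (not calloc) in the first hunk, so this relies on the lines between the hunks initializing the struct. On the login-failure jump vdup() has just stored NULL into `new->login`, so the free is a no-op; on the password-failure jump it releases the duplicated login, and `new->pass` is NULL by then. A short comment at the label, `/* new->login is NULL or a private copy here; pass is NULL on failure */`, would make that invariant visible to the next editor. xauth_rmconf_dup starts before these hunks.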



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2016-02-17 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Feb 17 20:11:17 UTC 2016

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y

Log Message:
PR/50815: David Binderman: Remove dup test


To generate a diff of this commit:
cvs rdiff -u -r1.48 -r1.49 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.48 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.49
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.48	Thu Nov 29 10:31:24 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Wed Feb 17 15:11:17 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.48 2012/11/29 15:31:24 vanhu Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.49 2016/02/17 20:11:17 christos Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -1490,10 +1490,15 @@ sainfo_id
 			char portbuf[10];
 			struct sockaddr *saddr;
 
-			if (($5 == IPPROTO_ICMP || $5 == IPPROTO_ICMPV6)
-			 && ($4 != IPSEC_PORT_ANY || $4 != IPSEC_PORT_ANY)) {
-yyerror("port number must be \"any\".");
+			switch ($5) {
+			case IPPROTO_ICMP:
+			case IPPROTO_ICMPV6:
+if ($4 == IPSEC_PORT_ANY)
+	break;
+yyerror("port must be \"any\" for icmp{,6}.");
 return -1;
+			default:
+break;
 			}
 
 			snprintf(portbuf, sizeof(portbuf), "%lu", $4);



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2015-05-19 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Tue May 19 15:14:26 UTC 2015

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: gssapi.c

Log Message:
Protect against a NULL pointer dereference described in:

https://www.altsci.com/ipsec/

XXX: pullup-7


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/crypto/dist/ipsec-tools/src/racoon/gssapi.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/gssapi.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/gssapi.c:1.4 src/crypto/dist/ipsec-tools/src/racoon/gssapi.c:1.5
--- src/crypto/dist/ipsec-tools/src/racoon/gssapi.c:1.4	Sat Sep  9 12:22:09 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/gssapi.c	Tue May 19 11:14:25 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: gssapi.c,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
+/*	$NetBSD: gssapi.c,v 1.5 2015/05/19 15:14:25 christos Exp $	*/
 
 /*	$KAME: gssapi.c,v 1.19 2001/04/03 15:51:55 thorpej Exp $	*/
 
@@ -202,6 +202,10 @@ gssapi_init(struct ph1handle *iph1)
 
 	gssapi_set_state(iph1, gps);
 
+	if (iph1-rmconf == NULL) {
+		plog(LLV_ERROR, LOCATION, NULL, no remote config\n);
+		return -1;
+	}
 	if (iph1-rmconf-proposal-gssid != NULL) {
 		id_token.length = iph1-rmconf-proposal-gssid-l;
 		id_token.value = iph1-rmconf-proposal-gssid-v;



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2015-05-19 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Tue May 19 15:16:01 UTC 2015

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: gssapi.c

Log Message:
Detect error earlier to avoid memory leak.

XXX: pullup-7


To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/crypto/dist/ipsec-tools/src/racoon/gssapi.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/gssapi.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/gssapi.c:1.5 src/crypto/dist/ipsec-tools/src/racoon/gssapi.c:1.6
--- src/crypto/dist/ipsec-tools/src/racoon/gssapi.c:1.5	Tue May 19 11:14:25 2015
+++ src/crypto/dist/ipsec-tools/src/racoon/gssapi.c	Tue May 19 11:16:00 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: gssapi.c,v 1.5 2015/05/19 15:14:25 christos Exp $	*/
+/*	$NetBSD: gssapi.c,v 1.6 2015/05/19 15:16:00 christos Exp $	*/
 
 /*	$KAME: gssapi.c,v 1.19 2001/04/03 15:51:55 thorpej Exp $	*/
 
@@ -192,6 +192,11 @@ gssapi_init(struct ph1handle *iph1)
 	gss_name_t princ, canon_princ;
 	OM_uint32 maj_stat, min_stat;
 
+	if (iph1-rmconf == NULL) {
+		plog(LLV_ERROR, LOCATION, NULL, no remote config\n);
+		return -1;
+	}
+
 	gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state));
 	if (gps == NULL) {
 		plog(LLV_ERROR, LOCATION, NULL, racoon_calloc failed\n);
@@ -202,10 +207,6 @@ gssapi_init(struct ph1handle *iph1)
 
 	gssapi_set_state(iph1, gps);
 
-	if (iph1-rmconf == NULL) {
-		plog(LLV_ERROR, LOCATION, NULL, no remote config\n);
-		return -1;
-	}
 	if (iph1-rmconf-proposal-gssid != NULL) {
 		id_token.length = iph1-rmconf-proposal-gssid-l;
 		id_token.value = iph1-rmconf-proposal-gssid-v;
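Review bot: The early return guards only `iph1->rmconf`, yet the first use after the state is attached dereferences `iph1->rmconf->proposal->gssid` without checking `proposal`; if a remote block can reach gssapi_init() with no proposal selected, the same class of NULL dereference this and the previous commit address remains. Extending the guard to `if (iph1->rmconf == NULL || iph1->rmconf->proposal == NULL)` costs nothing and keeps the no-leak ordering this commit establishes. Whether proposal can be NULL here is not visible in the hunk, so confirm against the callers. gssapi_init continues past this hunk.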



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2014-06-14 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sat Jun 14 22:39:36 UTC 2014

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c

Log Message:
don't warn for 80211 messages


To generate a diff of this commit:
cvs rdiff -u -r1.33 -r1.34 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.33 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.34
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.33	Tue Mar 18 14:20:35 2014
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Sat Jun 14 18:39:36 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.33 2014/03/18 18:20:35 riastradh Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.34 2014/06/14 22:39:36 christos Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras timo.te...@iki.fi.
@@ -783,6 +783,9 @@ kernel_handle_message(msg)
 #ifdef RTM_IFANNOUNCE
 	case RTM_IFANNOUNCE:
 #endif
+#ifdef RTM_IEEE80211
+	case RTM_IEEE80211:
+#endif
 		break;
 	default:
 		plog(LLV_WARNING, LOCATION, NULL,



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2014-02-27 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Thu Feb 27 08:37:59 UTC 2014

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: crypto_openssl.c

Log Message:
From Adam Majer ad...@zombino.com: Support IPv6 in X509 subjectAltName


To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.25 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.24 src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.25
--- src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.24	Mon Dec 24 14:50:04 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c	Thu Feb 27 08:37:58 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.c,v 1.24 2012/12/24 14:50:04 tteras Exp $	*/
+/*	$NetBSD: crypto_openssl.c,v 1.25 2014/02/27 08:37:58 tteras Exp $	*/
 
 /* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
 
@@ -601,26 +601,47 @@ eay_get_x509subjectaltname(cert, altname
 	/* read IP address */
 	else if (gen-type == GEN_IPADD)
 	{
-		unsigned char p[5], *ip;
-		ip = p;
-		
-		/* only support IPv4 */
-		if (gen-d.ip-length != 4)
-			goto end;
-		
-		/* convert Octet String to String
-		 * XXX ???
-		 */
-		/*i2d_ASN1_OCTET_STRING(gen-d.ip,ip);*/
-		ip = gen-d.ip-data;
+		switch (gen-d.iPAddress-length) {
+		case 4: /* IPv4 */
+			*altname = racoon_malloc(4*3 + 3 + 1); /* digits + decimals + null */
+			if (!*altname)
+goto end;
 
-		/* XXX Magic, enough for an IPv4 address
-		 */
-		*altname = racoon_malloc(20);
-		if (!*altname)
+			snprintf(*altname, 12+3+1, %u.%u.%u.%u,
+			 (unsigned)gen-d.iPAddress-data[0],
+			 (unsigned)gen-d.iPAddress-data[1],
+			 (unsigned)gen-d.iPAddress-data[2],
+			 (unsigned)gen-d.iPAddress-data[3]);
+			break;
+		case 16: { /* IPv6 */
+			int i;
+
+			*altname = racoon_malloc(16*2 + 7 + 1); /* digits + colons + null */
+			if (!*altname)
+goto end;
+
+			/* Make NULL terminated IPv6 address */
+			for (i=0; i16; ++i) {
+int pos = i*2 + i/2;
+
+if (i0  i%2==0)
+	(*altname)[pos-1] = ':';
+
+snprintf(*altname + pos, 3, %02x,
+ (unsigned)gen-d.iPAddress-data[i]);
+
+			}
+			plog(LLV_INFO, LOCATION, NULL,
+			 Remote X509 IPv6 addr: %s, *altname);
+			break;
+		}
+		default:
+			plog(LLV_ERROR, LOCATION, NULL,
+			 Unknown IP address length: %u octects.,
+			 gen-d.iPAddress-length);
 			goto end;
-		
-		sprintf(*altname, %u.%u.%u.%u, ip[0], ip[1], ip[2], ip[3]);
+		}
+
 		*type = gen-type;
 		error = 0;
 	}
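Review bot: Both new plog() calls omit the trailing `\n` that racoon's log messages carry elsewhere (a later commit on this page fixes exactly that omission in grabmyaddr.c), and the error text misspells the unit: use `"Remote X509 IPv6 addr: %s\n"` and `"Unknown IP address length: %u octets.\n"`. The IPv6 branch also emits the fully expanded form (`2001:0db8:0000:...`), so any later textual comparison against an identifier written in the usual compressed form will fail; `inet_ntop(AF_INET6, gen->d.iPAddress->data, *altname, INET6_ADDRSTRLEN)` would give the canonical form without the hand-rolled indexing, if <arpa/inet.h> is acceptable in this file. The buffer sizes as written are consistent (16 bytes for IPv4, 40 for IPv6). eay_get_x509subjectaltname starts before this hunk.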



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-07-19 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Jul 19 10:54:52 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_xauth.c

Log Message:
From Rainer Weikusat rweiku...@mobileactivedefense.com: Export the phase 1
remote address as the RADIUS Calling-Station-Id attribute.


To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.26 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.25 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.26
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.25	Tue Feb  5 06:22:29 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Fri Jul 19 10:54:52 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.25 2013/02/05 06:22:29 tteras Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.26 2013/07/19 10:54:52 tteras Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -592,6 +592,10 @@ xauth_login_radius(iph1, usr, pwd)
 		return -1;
 	}
 
+	if (rad_put_string(radius_auth_state, RAD_CALLING_STATION_ID,
+			   saddr2str(iph1-remote)) != 0)
+		return -1;
+
 	if (isakmp_cfg_radius_common(radius_auth_state, iph1-mode_cfg-port) != 0)
 		return -1;
 



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-07-18 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Thu Jul 18 17:02:58 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c

Log Message:
add RTM_LOSING, RTM_REDIRECT


To generate a diff of this commit:
cvs rdiff -u -r1.31 -r1.32 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.31 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.32
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.31	Fri Apr 12 05:53:10 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Thu Jul 18 13:02:58 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.31 2013/04/12 09:53:10 tteras Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.32 2013/07/18 17:02:58 christos Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras timo.te...@iki.fi.
@@ -766,6 +766,12 @@ kernel_handle_message(msg)
 	case RTM_CHANGE:
 	case RTM_GET:
 	case RTM_MISS:
+#ifdef RTM_LOSING
+	case RTM_LOSING:
+#endif
+#ifdef RTM_REDIRECT
+	case RTM_REDIRECT:
+#endif
 	case RTM_IFINFO:
 #ifdef RTM_OIFINFO
 	case RTM_OIFINFO:



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-07-12 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Jul 12 13:11:50 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: main.c

Log Message:
From Sven Vermeulen sven.vermeu...@siphos.be: Moves ploginit() up,
allowing logging events from init_avc() to show up as well.


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 src/crypto/dist/ipsec-tools/src/racoon/main.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/main.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/main.c:1.12 src/crypto/dist/ipsec-tools/src/racoon/main.c:1.13
--- src/crypto/dist/ipsec-tools/src/racoon/main.c:1.12	Mon Jan 26 18:13:06 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/main.c	Fri Jul 12 13:11:50 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: main.c,v 1.12 2009/01/26 18:13:06 tteras Exp $	*/
+/*	$NetBSD: main.c,v 1.13 2013/07/12 13:11:50 tteras Exp $	*/
 
 /* Id: main.c,v 1.25 2006/06/20 20:31:34 manubsd Exp */
 
@@ -290,6 +290,8 @@ main(ac, av)
 		/* NOTREACHED*/
 	}
 
+	ploginit();
+
 #ifdef DEBUG_RECORD_MALLOCATION
 	DRM_init();
 #endif
@@ -302,8 +304,6 @@ main(ac, av)
 	oakley_dhinit();
 	compute_vendorids();
 
-	ploginit();
-
 	plog(LLV_INFO, LOCATION, NULL, %s\n, version);
 	plog(LLV_INFO, LOCATION, NULL, @(#)
 	This product linked %s (http://www.openssl.org/)



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-06-17 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Jun 18 05:39:50 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: ipsec_doi.c

Log Message:
From Paul Barker: Remove redundant memset after calloc that caused compile
failures with gcc 4.8 due to error: argument to 'sizeof' in 'memset' call
is the same expression as the destination; did you mean to dereference.


To generate a diff of this commit:
cvs rdiff -u -r1.48 -r1.49 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.48 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.49
--- src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.48	Thu Nov 29 15:31:25 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c	Tue Jun 18 05:39:50 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_doi.c,v 1.48 2012/11/29 15:31:25 vanhu Exp $	*/
+/*	$NetBSD: ipsec_doi.c,v 1.49 2013/06/18 05:39:50 tteras Exp $	*/
 
 /* Id: ipsec_doi.c,v 1.55 2006/08/17 09:20:41 vanhu Exp */
 
@@ -1183,7 +1183,6 @@ get_proppair_and_doi_sit(sa, mode, doity
 			failed to get buffer.\n);
 		goto bad;
 	}
-	memset(pair, 0, sizeof(pair));
 
 	bp = (caddr_t)(sab + 1);
 	tlen = sa-l - sizeof(*sab);



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-06-02 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Mon Jun  3 05:49:32 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: admin.c

Log Message:
From Alexander Sbitnev alexander.sbit...@gmail.com: fix admin port
establish-sa for tunnel mode SAs.


To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.39 src/crypto/dist/ipsec-tools/src/racoon/admin.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/admin.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.38 src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.39
--- src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.38	Wed Dec  8 07:38:35 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/admin.c	Mon Jun  3 05:49:31 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: admin.c,v 1.38 2010/12/08 07:38:35 tteras Exp $	*/
+/*	$NetBSD: admin.c,v 1.39 2013/06/03 05:49:31 tteras Exp $	*/
 
 /* Id: admin.c,v 1.25 2006/04/06 14:31:04 manubsd Exp */
 
@@ -563,18 +563,30 @@ admin_process(so2, combuf)
 			iph2-seq = pk_getseq();
 			iph2-status = PHASE2ST_STATUS2;
 
-			/* set end addresses of SA */
-			iph2-sa_dst = dupsaddr(dst);
-			iph2-sa_src = dupsaddr(src);
-			iph2-dst = dupsaddr(dst);
-			iph2-src = dupsaddr(src);
-			if (iph2-sa_src == NULL || iph2-sa_dst == NULL ||
-			iph2-dst == NULL || iph2-src == NULL) {
-delph2(iph2);
-break;
-			}
-			set_port(iph2-dst, 0);
-			set_port(iph2-src, 0);
+if (sp_out-local  sp_out-remote) {
+/* hints available, let's use them */
+iph2-sa_dst = dupsaddr(dst);
+iph2-sa_src = dupsaddr(src);
+iph2-src = dupsaddr((struct sockaddr *)sp_out-local);
+iph2-dst = dupsaddr((struct sockaddr *)sp_out-remote);
+} else if (sp_out-req  sp_out-req-saidx.mode == IPSEC_MODE_TUNNEL) {
+/* Tunnel mode and no hint, use endpoints */
+iph2-src = dupsaddr((struct sockaddr *)sp_out-req-saidx.src);
+iph2-dst = dupsaddr((struct sockaddr *)sp_out-req-saidx.dst);
+} else {
+/* default, use selectors as fallback */
+iph2-sa_dst = dupsaddr(dst);
+iph2-sa_src = dupsaddr(src);
+iph2-dst = dupsaddr(dst);
+iph2-src = dupsaddr(src);
+}
+
+if (iph2-dst == NULL || iph2-src == NULL) {
+delph2(iph2);
+break;
+}
+set_port(iph2-dst, 0);
+set_port(iph2-src, 0);
 
 			if (isakmp_get_sainfo(iph2, sp_out, sp_in)  0) {
 delph2(iph2);



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-05-08 Thread Marc Balmer
Module Name:src
Committed By:   mbalmer
Date:   Wed May  8 20:03:02 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: racoon.8

Log Message:
racoon default config is in /etc/racoon/racoon.conf


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 src/crypto/dist/ipsec-tools/src/racoon/racoon.8

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/racoon.8
diff -u src/crypto/dist/ipsec-tools/src/racoon/racoon.8:1.12 src/crypto/dist/ipsec-tools/src/racoon/racoon.8:1.13
--- src/crypto/dist/ipsec-tools/src/racoon/racoon.8:1.12	Sat Jan 24 10:42:31 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/racoon.8	Wed May  8 20:03:02 2013
@@ -1,4 +1,4 @@
-.\	$NetBSD: racoon.8,v 1.12 2009/01/24 10:42:31 wiz Exp $
+.\	$NetBSD: racoon.8,v 1.13 2013/05/08 20:03:02 mbalmer Exp $
 .\
 .\ Id: racoon.8,v 1.4 2005/04/18 11:07:55 manubsd Exp
 .\
@@ -133,7 +133,7 @@ The command exits with 0 on success, and
 .\
 .Sh FILES
 .Bl -tag -width /etc/racoon.conf -compact
-.It Pa /etc/racoon.conf
+.It Pa /etc/racoon/racoon.conf
 default configuration file.
 .El
 .\



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-04-12 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Apr 12 09:53:11 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c isakmp_inf.c

Log Message:
Some logging improvements.


To generate a diff of this commit:
cvs rdiff -u -r1.30 -r1.31 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
cvs rdiff -u -r1.49 -r1.50 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.30 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.31
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.30	Tue Feb  5 11:36:17 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Fri Apr 12 09:53:10 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.30 2013/02/05 11:36:17 tteras Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.31 2013/04/12 09:53:10 tteras Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras timo.te...@iki.fi.
@@ -764,6 +764,7 @@ kernel_handle_message(msg)
 	case RTM_ADD:
 	case RTM_DELETE:
 	case RTM_CHANGE:
+	case RTM_GET:
 	case RTM_MISS:
 	case RTM_IFINFO:
 #ifdef RTM_OIFINFO
@@ -779,7 +780,7 @@ kernel_handle_message(msg)
 		break;
 	default:
 		plog(LLV_WARNING, LOCATION, NULL,
-		 unrecognized route message with rtm_type: %d,
+		 unrecognized route message with rtm_type: %d\n,
 		 rtm-rtm_type);
 		break;
 	}

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.49 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.50
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.49	Thu Jan 24 06:47:50 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Fri Apr 12 09:53:10 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.c,v 1.49 2013/01/24 06:47:50 tteras Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.50 2013/04/12 09:53:10 tteras Exp $	*/
 
 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
 
@@ -1116,6 +1116,7 @@ purge_ipsec_spi(dst0, proto, spi, n)
 	u_int64_t created;
 	size_t i;
 	caddr_t mhp[SADB_EXT_MAX + 1];
+	unsigned num_purged = 0;
 
 	plog(LLV_DEBUG2, LOCATION, NULL,
 		 purge_ipsec_spi:\n);
@@ -1172,6 +1173,7 @@ purge_ipsec_spi(dst0, proto, spi, n)
 
 		plog(LLV_DEBUG2, LOCATION, NULL, src: %s\n, saddr2str(src));
 		plog(LLV_DEBUG2, LOCATION, NULL, dst: %s\n, saddr2str(dst));
+		plog(LLV_DEBUG2, LOCATION, NULL, spi: %u\n, ntohl(sa-sadb_sa_spi));
 
 		/* XXX n^2 algorithm, inefficient */
 
@@ -1210,6 +1212,7 @@ purge_ipsec_spi(dst0, proto, spi, n)
 purged IPsec-SA proto_id=%s spi=%u.\n,
 s_ipsecdoi_proto(proto),
 ntohl(spi[i]));
+			num_purged++;
 		}
 
 		msg = next;
@@ -1217,6 +1220,8 @@ purge_ipsec_spi(dst0, proto, spi, n)
 
 	if (buf)
 		vfree(buf);
+
+	plog(LLV_DEBUG, LOCATION, NULL, purged %u SAs.\n, num_purged);
 }
 
 /*



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-04-12 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Apr 12 10:03:46 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_cfg.c

Log Message:
From Rainer Weikusat rweiku...@mobileactivedefense.com: Do not send out
illegal zero length MODE_CFG attributes.


To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.25 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.24 src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.25
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.24	Tue Sep 21 13:14:17 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c	Fri Apr 12 10:03:45 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_cfg.c,v 1.24 2010/09/21 13:14:17 vanhu Exp $	*/
+/*	$NetBSD: isakmp_cfg.c,v 1.25 2013/04/12 10:03:45 tteras Exp $	*/
 
 /* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */
 
@@ -1000,6 +1000,9 @@ isakmp_cfg_varlen(iph1, attr, string, le
 	struct isakmp_data *new;
 	char *data;
 
+	if (!len)
+		return NULL;
+
 	if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) {
 		plog(LLV_ERROR, LOCATION, NULL, Cannot allocate memory\n);
 		return NULL;
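Review bot: Returning NULL for `len == 0` makes an empty attribute indistinguishable from a vmalloc() failure for callers of isakmp_cfg_varlen(); any caller that treats NULL as fatal will now abort the whole MODE_CFG reply when a configured string happens to be empty, and nothing is logged in either case. If skipping is the intent, a `plog(LLV_DEBUG, LOCATION, NULL, "skipping zero-length attribute\n");` here and a call-site check that tolerates NULL for zero-length input would make that explicit. How the callers handle NULL is not visible in this hunk. isakmp_cfg_varlen's body continues beyond it.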



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-02-05 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Feb  5 11:36:18 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c

Log Message:
Fix source port selection


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.30 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.29 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.30
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.29	Sun Jan  1 15:54:51 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Tue Feb  5 11:36:17 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.29 2012/01/01 15:54:51 tteras Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.30 2013/02/05 11:36:17 tteras Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras timo.te...@iki.fi.
@@ -274,13 +274,24 @@ myaddr_getsport(addr)
 	struct sockaddr *addr;
 {
 	struct myaddr *my;
+	int port = 0, wport;
 
 	LIST_FOREACH(my, opened, chain) {
-		if (cmpsaddr((struct sockaddr *) my-addr, addr) = CMPSADDR_WILDPORT_MATCH)
+		switch (cmpsaddr((struct sockaddr *) my-addr, addr)) {
+		case CMPSADDR_MATCH:
 			return extract_port((struct sockaddr *) my-addr);
+		case CMPSADDR_WILDPORT_MATCH:
+			wport = extract_port((struct sockaddr *) my-addr);
+			if (port == 0 || wport  port)
+port = wport;
+			break;
+		}
 	}
 
-	return -1;
+	if (port == 0)
+		port = PORT_ISAKMP;
+
+	return port;
 }
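Review bot: The switch on cmpsaddr() has no `default:` arm, so any other result is silently skipped — correct here, but `-Wswitch` on an enum return will warn and a reader cannot tell the case was considered; add `default: break;`. The function also now returns PORT_ISAKMP instead of -1 when no opened address matches, which changes the contract for any caller that still tests for -1 to detect "no listener", so those callers should be checked. A one-line comment above the fallback, `/* no bound address matches: fall back to the default ISAKMP port */`, would document the new behaviour.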
 
 void



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-02-04 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Feb  5 06:22:29 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_xauth.c

Log Message:
From Ian West i...@niw.com.au: Fix double free of the radius info on
config reload.


To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.25 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.24 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.25
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.24	Tue Nov 15 13:51:23 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Tue Feb  5 06:22:29 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.24 2011/11/15 13:51:23 tteras Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.25 2013/02/05 06:22:29 tteras Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -458,10 +458,14 @@ xauth_radius_init_conf(int free)
 			vfree(xauth_rad_config.acct_server_list[i].host);
 			vfree(xauth_rad_config.acct_server_list[i].secret);
 		}
-		if (radius_auth_state != NULL)
+		if (radius_auth_state != NULL) {
 			rad_close(radius_auth_state);
-		if (radius_acct_state != NULL)
+			radius_auth_state = NULL;
+		}
+		if (radius_acct_state != NULL) {
 			rad_close(radius_acct_state);
+			radius_acct_state = NULL;
+		}
 	}
 
 	/* initialize radius config */
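Review bot: Nulling `radius_auth_state`/`radius_acct_state` after rad_close() fixes the double close, but the loop above releases each server's `secret` buffer with a plain vfree(); as far as the hunk shows nothing wipes the shared secret before the memory is returned, so it can linger in freed heap across every config reload. If vfree() does not zeroize, clear it first with `explicit_bzero(secret->v, secret->l)` (a plain memset before free may be optimized away). Whether the server-list counts are reset after the loop is not visible here. xauth_radius_init_conf continues beyond this hunk.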



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2013-01-23 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Thu Jan 24 06:47:51 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_inf.c

Log Message:
Fix handling of deletion notification.


To generate a diff of this commit:
cvs rdiff -u -r1.48 -r1.49 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.48 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.49
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.48	Wed Aug 29 12:01:30 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Thu Jan 24 06:47:50 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.c,v 1.48 2012/08/29 12:01:30 tteras Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.49 2013/01/24 06:47:50 tteras Exp $	*/
 
 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
 
@@ -492,7 +492,7 @@ isakmp_info_recv_d(iph1, delete, msgid, 
 		delete payload for protocol %s\n,
 		s_ipsecdoi_proto(delete-proto_id));
 
-	if(!iph1-rmconf-weak_phase1_check  !encrypted) {
+	if((iph1 == NULL || !iph1-rmconf-weak_phase1_check)  !encrypted) {
 		plog(LLV_WARNING, LOCATION, iph1-remote,
 			Ignoring unencrypted delete payload 
 			(check the weak_phase1_check option)\n);
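Review bot: The new condition admits `iph1 == NULL`, but the plog() inside the branch passes `iph1->remote`, so the very case this commit sets out to handle now dereferences a NULL handle on the next line. Pass `iph1 != NULL ? iph1->remote : NULL` (plog is called with a NULL address elsewhere in this code base) or give the NULL-handle case its own branch and message. isakmp_info_recv_d continues outside this hunk.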



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2012-12-24 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Mon Dec 24 14:50:04 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: crypto_openssl.c

Log Message:
From Götz Babin-Ebell g.babin-eb...@novamedia.de: Smarter X.509 subject
name compare.


To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.24 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.23 src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.24
--- src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.23	Mon Dec 24 08:46:27 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c	Mon Dec 24 14:50:04 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.c,v 1.23 2012/12/24 08:46:27 tteras Exp $	*/
+/*	$NetBSD: crypto_openssl.c,v 1.24 2012/12/24 14:50:04 tteras Exp $	*/
 
 /* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
 
@@ -280,145 +280,6 @@ out:
 }
 
 /*
- * The following are derived from code in crypto/x509/x509_cmp.c
- * in OpenSSL0.9.7c:
- * X509_NAME_wildcmp() adds wildcard matching to the original
- * X509_NAME_cmp(), nocase_cmp() and nocase_spacenorm_cmp() are as is.
- */
-#include ctype.h
-/* Case insensitive string comparision */
-static int nocase_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
-{
-	int i;
-
-	if (a-length != b-length)
-		return (a-length - b-length);
-
-	for (i=0; ia-length; i++)
-	{
-		int ca, cb;
-
-		ca = tolower(a-data[i]);
-		cb = tolower(b-data[i]);
-
-		if (ca != cb)
-			return(ca-cb);
-	}
-	return 0;
-}
-
-/* Case insensitive string comparision with space normalization 
- * Space normalization - ignore leading, trailing spaces, 
- *   multiple spaces between characters are replaced by single space  
- */
-static int nocase_spacenorm_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
-{
-	unsigned char *pa = NULL, *pb = NULL;
-	int la, lb;
-	
-	la = a-length;
-	lb = b-length;
-	pa = a-data;
-	pb = b-data;
-
-	/* skip leading spaces */
-	while (la  0  isspace(*pa))
-	{
-		la--;
-		pa++;
-	}
-	while (lb  0  isspace(*pb))
-	{
-		lb--;
-		pb++;
-	}
-
-	/* skip trailing spaces */
-	while (la  0  isspace(pa[la-1]))
-		la--;
-	while (lb  0  isspace(pb[lb-1]))
-		lb--;
-
-	/* compare strings with space normalization */
-	while (la  0  lb  0)
-	{
-		int ca, cb;
-
-		/* compare character */
-		ca = tolower(*pa);
-		cb = tolower(*pb);
-		if (ca != cb)
-			return (ca - cb);
-
-		pa++; pb++;
-		la--; lb--;
-
-		if (la = 0 || lb = 0)
-			break;
-
-		/* is white space next character ? */
-		if (isspace(*pa)  isspace(*pb))
-		{
-			/* skip remaining white spaces */
-			while (la  0  isspace(*pa))
-			{
-la--;
-pa++;
-			}
-			while (lb  0  isspace(*pb))
-			{
-lb--;
-pb++;
-			}
-		}
-	}
-	if (la  0 || lb  0)
-		return la - lb;
-
-	return 0;
-}
-
-static int X509_NAME_wildcmp(const X509_NAME *a, const X509_NAME *b)
-{
-int i,j;
-X509_NAME_ENTRY *na,*nb;
-
-if (sk_X509_NAME_ENTRY_num(a-entries)
-	!= sk_X509_NAME_ENTRY_num(b-entries))
-	return sk_X509_NAME_ENTRY_num(a-entries)
-	  -sk_X509_NAME_ENTRY_num(b-entries);
-for (i=sk_X509_NAME_ENTRY_num(a-entries)-1; i=0; i--)
-{
-	na=sk_X509_NAME_ENTRY_value(a-entries,i);
-	nb=sk_X509_NAME_ENTRY_value(b-entries,i);
-	j=OBJ_cmp(na-object,nb-object);
-	if (j) return(j);
-	if ((na-value-length == 1  na-value-data[0] == '*')
-	 || (nb-value-length == 1  nb-value-data[0] == '*'))
-		continue;
-	j=na-value-type-nb-value-type;
-	if (j) return(j);
-	if (na-value-type == V_ASN1_PRINTABLESTRING)
-		j=nocase_spacenorm_cmp(na-value, nb-value);
-	else if (na-value-type == V_ASN1_IA5STRING
-		 OBJ_obj2nid(na-object) == NID_pkcs9_emailAddress)
-		j=nocase_cmp(na-value, nb-value);
-	else
-		{
-		j=na-value-length-nb-value-length;
-		if (j) return(j);
-		j=memcmp(na-value-data,nb-value-data,
-			na-value-length);
-		}
-	if (j) return(j);
-	j=na-set-nb-set;
-	if (j) return(j);
-}
-
-return(0);
-}
-
-/*
  * compare two subjectNames.
  * OUT:0: equal
  *	positive:
@@ -430,16 +291,49 @@ eay_cmp_asn1dn(n1, n2)
 {
 	X509_NAME *a = NULL, *b = NULL;
 	caddr_t p;
+	char oneLine[512];
 	int i = -1;
+	int idx;
 
 	p = n1-v;
-	if (!d2i_X509_NAME(a, (void *)p, n1-l))
+	if (!d2i_X509_NAME(a, (void *)p, n1-l)) {
+		plog(LLV_ERROR, LOCATION, NULL, eay_cmp_asn1dn: first dn not a dn);
 		goto end;
+	}
+	plog(LLV_DEBUG, LOCATION, NULL, 1st name: %s\n, X509_NAME_oneline(a, oneLine, sizeof(oneLine)));
 	p = n2-v;
-	if (!d2i_X509_NAME(b, (void *)p, n2-l))
+	if (!d2i_X509_NAME(b, (void *)p, n2-l)) {
+		plog(LLV_ERROR, LOCATION, NULL, eay_cmp_asn1dn: second dn not a dn);
 		goto end;
+	}
+	plog(LLV_DEBUG, LOCATION, NULL, 2nd name: %s\n, 

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2012-11-30 Thread Thomas Klausner
Module Name:src
Committed By:   wiz
Date:   Fri Nov 30 08:19:01 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: racoon.conf.5

Log Message:
Bump date for previous.


To generate a diff of this commit:
cvs rdiff -u -r1.65 -r1.66 \
src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
diff -u src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.65 src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.66
--- src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.65	Thu Nov 29 15:31:25 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5	Fri Nov 30 08:19:01 2012
@@ -1,4 +1,4 @@
-.\	$NetBSD: racoon.conf.5,v 1.65 2012/11/29 15:31:25 vanhu Exp $
+.\	$NetBSD: racoon.conf.5,v 1.66 2012/11/30 08:19:01 wiz Exp $
 .\
 .\	Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
 .\
@@ -29,7 +29,7 @@
 .\ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\ SUCH DAMAGE.
 .\
-.Dd November 15, 2011
+.Dd November 29, 2012
 .Dt RACOON.CONF 5
 .Os
 .\



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2012-08-29 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Wed Aug 29 11:24:12 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: oakley.c

Log Message:
From Roman Hoog Antink r...@open.ch: do not print unnecessary warning
about non-verified certificate when using raw plain-rsa.


To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 src/crypto/dist/ipsec-tools/src/racoon/oakley.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/oakley.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.22 src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.23
--- src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.22	Thu Mar 17 14:42:58 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/oakley.c	Wed Aug 29 11:24:11 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: oakley.c,v 1.22 2011/03/17 14:42:58 vanhu Exp $	*/
+/*	$NetBSD: oakley.c,v 1.23 2012/08/29 11:24:11 tteras Exp $	*/
 
 /* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */
 
@@ -1288,6 +1288,7 @@ oakley_validate_auth(iph1)
 {
 	vchar_t *my_hash = NULL;
 	int result;
+	int no_verify_needed = -1;
 #ifdef HAVE_GSSAPI
 	vchar_t *gsshash = NULL;
 #endif
@@ -1361,8 +1362,6 @@ oakley_validate_auth(iph1)
 		plog(LLV_DEBUG, LOCATION, NULL, HASH for PSK validated.\n);
 	}
 		break;
-	case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
-	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
 #ifdef ENABLE_HYBRID
 	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
 	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
@@ -1370,7 +1369,10 @@ oakley_validate_auth(iph1)
 	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
 	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
 	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
+		no_verify_needed = 0;
 #endif
+	case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
+	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
 	{
 		int error = 0;
 		int certtype;
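Review bot: The relocated `#ifdef ENABLE_HYBRID` case group sets `no_verify_needed = 0;` and then falls through into `case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:` — that fallthrough is the whole mechanism of the change, but it is unmarked and `-Wimplicit-fallthrough` will flag it. Put `/* FALLTHROUGH */` after the assignment, inside the #ifdef, and give the tri-state a meaning at its declaration (earlier hunk): `int no_verify_needed = -1; /* -1 undecided, 0 hybrid auth: cert must be checked, 1 plain RSA: no cert to check */`. oakley_validate_auth starts outside the hunk.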
@@ -1454,6 +1456,9 @@ oakley_validate_auth(iph1)
 		case ISAKMP_CERT_PLAINRSA:
 			if (get_plainrsa_fromlocal(iph1, 0))
 return ISAKMP_INTERNAL_ERROR;
+			/* suppress CERT validation warning, unless hybrid mode in use */
+			if (no_verify_needed == -1)
+no_verify_needed = 1;
 			break;
 		case ISAKMP_CERT_DNS:
 			/* don't use received cert */
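Review bot: The comment on the new assignment says what is suppressed but not why, and the why is what a later reader needs: the peer key comes from the local configuration (`get_plainrsa_fromlocal` on the line above), so there is no X.509 chain for `verify_cert` to act on and the warning would be noise. I would write `/* plain RSA: the peer key is pinned in local config and there is no certificate chain to verify, so skip the "validation disabled" warning unless hybrid auth (which does carry a cert) already claimed the flag */`. oakley_validate_auth continues outside the hunk.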
@@ -1480,12 +1485,12 @@ oakley_validate_auth(iph1)
 		if ((error = oakley_check_certid(iph1)) != 0)
 			return error;
 
-		/* Generate a warning if verify_cert */
+		/* Generate a warning unless verify_cert */
 		if (iph1-rmconf-verify_cert) {
-			plog(LLV_DEBUG, LOCATION, NULL,
+			plog(LLV_DEBUG, LOCATION, iph1-remote,
 			 CERT validated\n);
-		} else {
-			plog(LLV_WARNING, LOCATION, NULL,
+		} else if (no_verify_needed != 1) {
+			plog(LLV_WARNING, LOCATION, iph1-remote,
 			 CERT validation disabled by configuration\n);
 		}
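Review bot: When `no_verify_needed == 1` the new `else if` logs nothing at all, so an operator auditing the log cannot distinguish "verify_cert off, deliberately not warned (plain RSA)" from a missing line. Keep the decision visible at debug level with a trailing branch: `} else { plog(LLV_DEBUG, LOCATION, iph1->remote, "CERT validation not applicable (plain RSA key)\n"); }`. Note also that `verify_cert on` with a plain-RSA peer still prints `CERT validated` although no X.509 chain was involved — pre-existing wording, but now the only message on that path. oakley_validate_auth continues outside the hunk.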
 



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2012-08-29 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Wed Aug 29 11:34:37 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: oakley.c

Log Message:
From Roman Hoog Antink r...@open.ch: add remote's IP address to the
certificate not verified error message.


To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.24 src/crypto/dist/ipsec-tools/src/racoon/oakley.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/oakley.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.23 src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.24
--- src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.23	Wed Aug 29 11:24:11 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/oakley.c	Wed Aug 29 11:34:37 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: oakley.c,v 1.23 2012/08/29 11:24:11 tteras Exp $	*/
+/*	$NetBSD: oakley.c,v 1.24 2012/08/29 11:34:37 tteras Exp $	*/
 
 /* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */
 
@@ -1434,7 +1434,7 @@ oakley_validate_auth(iph1)
 			}
 
 			if (error != 0) {
-plog(LLV_ERROR, LOCATION, NULL,
+plog(LLV_ERROR, LOCATION, iph1-remote,
  the peer's certificate is not verified.\n);
 return ISAKMP_NTYPE_INVALID_CERT_AUTHORITY;
 			}



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2012-08-29 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Wed Aug 29 12:01:30 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_inf.c

Log Message:
From Roman Hoog Antink r...@open.ch: Accept DPD messages with cookies
also in reversed order for compatibility. At least Cisco 836 running
IOS 12.3(8)T does this.


To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.48 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.47 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.48
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.47	Tue Mar 15 13:20:14 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Wed Aug 29 12:01:30 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.c,v 1.47 2011/03/15 13:20:14 vanhu Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.48 2012/08/29 12:01:30 tteras Exp $	*/
 
 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
 
@@ -1465,8 +1465,11 @@ isakmp_info_recv_r_u_ack (iph1, ru, msgi
 		return 0;
 	}
 
-	if (memcmp(ru-i_ck, iph1-index.i_ck, sizeof(cookie_t)) ||
-	memcmp(ru-r_ck, iph1-index.r_ck, sizeof(cookie_t))) {
+	/* accept cookies in original or reversed order */
+	if ((memcmp(ru-i_ck, iph1-index.i_ck, sizeof(cookie_t)) ||
+	 memcmp(ru-r_ck, iph1-index.r_ck, sizeof(cookie_t))) 
+	(memcmp(ru-r_ck, iph1-index.i_ck, sizeof(cookie_t)) ||
+	 memcmp(ru-i_ck, iph1-index.r_ck, sizeof(cookie_t {
 		plog(LLV_ERROR, LOCATION, iph1-remote,
 			 Cookie mismatch in DPD ACK!.\n);
 		return 0;
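Review bot: Accepting the swapped cookie pair does not weaken the check much — both cookies must still match this SA — but the reversed case is accepted silently, so the interop workaround leaves no trace and a peer that mis-orders cookies cannot be identified from the logs. Before the existing `sched_cancel`, log it: `if (memcmp(ru->i_ck, iph1->index.r_ck, sizeof(cookie_t)) == 0) plog(LLV_DEBUG, LOCATION, iph1->remote, "DPD ACK with reversed cookies accepted\n");`. The four-way memcmp condition is also hard to read (and the `&&` are lost in this rendering); a small static helper returning match / reversed / none would make both the check and the log trivial. The R-U-THERE receive path (not in this hunk) presumably performs the same cookie comparison and would need the same leniency if the Cisco peer reverses them there too — worth confirming. isakmp_info_recv_r_u_ack continues outside the hunk.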
@@ -1477,7 +1480,7 @@ isakmp_info_recv_r_u_ack (iph1, ru, msgi
 	sched_cancel(iph1-dpd_r_u);
 	isakmp_sched_r_u(iph1, 0);
 
-	plog(LLV_DEBUG, LOCATION, NULL, received an R-U-THERE-ACK\n);
+	plog(LLV_DEBUG, LOCATION, iph1-remote, received an R-U-THERE-ACK\n);
 
 	return 0;
 }



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2012-08-15 Thread Emmanuel Dreyfus
Module Name:src
Committed By:   manu
Date:   Wed Aug 15 14:51:30 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: crypto_openssl.c

Log Message:
Fix make test on powermac G5. Patch from Nakano Takaharu


To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.21 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.20 src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.21
--- src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.20	Wed Oct 20 13:40:02 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c	Wed Aug 15 14:51:30 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.c,v 1.20 2010/10/20 13:40:02 tteras Exp $	*/
+/*	$NetBSD: crypto_openssl.c,v 1.21 2012/08/15 14:51:30 manu Exp $	*/
 
 /* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
 
@@ -2501,7 +2501,7 @@ eay_bn2v(var, bn)
 	vchar_t **var;
 	BIGNUM *bn;
 {
-	*var = vmalloc(bn-top * BN_BYTES);
+	*var = vmalloc(BN_num_bytes(bn));
 	if (*var == NULL)
 		return(-1);
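Review bot: `BN_num_bytes(bn)` is the right size for what BN_bn2bin() writes, but it makes two properties explicit that `bn->top * BN_BYTES` hid: a zero-valued bn now yields `vmalloc(0)` (whose behaviour is outside the hunk), and the result carries no leading zero bytes, so the vector length varies with the value. For IKE that matters — RFC 2409 §5 requires the DH public value in a KE payload to be exactly the group length, zero-prepended — so any caller that routes DH values through eay_bn2v (the DH helpers are not visible here) must pad to the modulus length itself; worth confirming they do. A comment at the allocation would pin this: `/* result is BN_num_bytes(bn) long with no leading zeros; callers needing fixed-width (DH) output must pad */`. eay_bn2v continues outside the hunk.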
 



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2012-01-01 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Sun Jan  1 15:29:28 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y cftoken.l
cftoken_proto.h ipsec_doi.c ipsec_doi.h localconf.c localconf.h
remoteconf.c sainfo.c

Log Message:
From Wolfgang Schmieder wolfg...@die-schmieders.de: Fix memory leaks from
configuration reading code, and clean up error handling.


To generate a diff of this commit:
cvs rdiff -u -r1.44 -r1.45 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
cvs rdiff -u -r1.25 -r1.26 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
cvs rdiff -u -r1.4 -r1.5 \
src/crypto/dist/ipsec-tools/src/racoon/cftoken_proto.h
cvs rdiff -u -r1.46 -r1.47 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
cvs rdiff -u -r1.12 -r1.13 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.h
cvs rdiff -u -r1.7 -r1.8 src/crypto/dist/ipsec-tools/src/racoon/localconf.c \
src/crypto/dist/ipsec-tools/src/racoon/localconf.h
cvs rdiff -u -r1.26 -r1.27 \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
cvs rdiff -u -r1.14 -r1.15 src/crypto/dist/ipsec-tools/src/racoon/sainfo.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.44 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.45
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.44	Tue Nov 15 13:51:23 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Sun Jan  1 15:29:28 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.44 2011/11/15 13:51:23 tteras Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.45 2012/01/01 15:29:28 tteras Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -137,10 +137,10 @@ static int num2dhgroup[] = {
 	OAKLEY_ATTR_GRP_DESC_MODP8192
 };
 
-static struct remoteconf *cur_rmconf;
-static int tmpalgtype[MAXALGCLASS];
-static struct sainfo *cur_sainfo;
-static int cur_algclass;
+static struct remoteconf *cur_rmconf = NULL;
+static int tmpalgtype[MAXALGCLASS] = {0};
+static struct sainfo *cur_sainfo = NULL;
+static int cur_algclass = 0;
 static int oldloglevel = LLV_BASE;
 
 static struct secprotospec *newspspec __P((void));
@@ -238,10 +238,39 @@ static int process_rmconf()
 	}
 
 	insrmconf(cur_rmconf);
+	cur_rmconf = NULL; 
 
 	return 0;
 }
 
+/* some frequently used warning texts */
+static const char error_message_hybrid_config_not_configured[] = racoon not configured with --enable-hybrid\n;
+static const char error_message_ldap_config_not_configured[]   = racoon not configured with --with-libldap\n;
+static const char error_message_admin_port_not_compiled_in[] = admin port support not compiled in\n;
+static const char error_message_natt_not_compiled_in[] = NAT-T support not compiled in\n;
+static const char error_message_dpd_not_compiled_in[] = DPD support not compiled in\n;
+
+/* macros for aborting the parsing with freeing up allocated memory */
+#define ABORT_CLEANUP {delrmconf(cur_rmconf); delsainfo(cur_sainfo); YYABORT;}
+#define ABORT() ABORT_CLEANUP
+
+#define ABORT_AND_VFREE(val0) {\
+	vfree(val0); val0 = NULL;\
+	ABORT_CLEANUP}
+	
+#define ABORT_AND_RACOON_FREE(val0) {\
+	racoon_free(val0); val0 = NULL;\
+	ABORT_CLEANUP}
+
+#define ABORT_AND_VFREE2(val0, val1) {\
+	vfree(val0); val0 = NULL;\
+	vfree(val1); val1 = NULL;\
+	ABORT_CLEANUP}
+
+#define ABORT_AND_RACOON_FREE2(val0, val1) {\
+	racoon_free(val0); val0 = NULL;\
+	racoon_free(val1); val1 = NULL;\
+	ABORT_CLEANUP}
 %}
 
 %union {
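Review bot: `ABORT_CLEANUP` and the `ABORT_AND_*` macros expand to a bare `{ ... }` block, so `ABORT();` becomes `{...};` — harmless inside braces, but `if (x) ABORT(); else ...` will not compile and an unbraced `if` changes meaning silently; the conventional `do { ... } while (0)` wrapper avoids both. The macros also hand `cur_rmconf`/`cur_sainfo` to delrmconf()/delsainfo() when they may be NULL (process_rmconf() now resets cur_rmconf to NULL), which is only safe if both accept NULL — worth stating in a comment on `ABORT_CLEANUP`. Separately, the callers visible further down (privsep_stmt) call `vfree($2)` and then `yyerror("unknown user \"%s\"", $2->v)` before ABORT(), which reads freed memory; the vfree must move after the yyerror. The hunk is the parser prologue; the grammar using these macros follows outside it.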
@@ -366,47 +395,55 @@ privsep_stmts
 privsep_stmt
 	:	USER QUOTEDSTRING
 		{
-			struct passwd *pw;
+			struct passwd *pw = getpwnam($2-v);
+			vfree($2);
 
-			if ((pw = getpwnam($2-v)) == NULL) {
+			if (pw == NULL) {
 yyerror(unknown user \%s\, $2-v);
-return -1;
+ABORT();
 			}
+			
 			lcconf-uid = pw-pw_uid;
 		} 
 		EOS
 	|	USER NUMBER { lcconf-uid = $2; } EOS
 	|	GROUP QUOTEDSTRING
 		{
-			struct group *gr;
+			struct group *gr = getgrnam($2-v);
+			vfree($2);
 
-			if ((gr = getgrnam($2-v)) == NULL) {
+			if (gr == NULL) {
 yyerror(unknown group \%s\, $2-v);
-return -1;
+ABORT();
 			}
+
 			lcconf-gid = gr-gr_gid;
 		}
 		EOS
 	|	GROUP NUMBER { lcconf-gid = $2; } EOS
-	|	CHROOT QUOTEDSTRING { lcconf-chroot = $2-v; } EOS
+	|	CHROOT QUOTEDSTRING 
+		{ 
+			lcconf_setchroot(racoon_strdup($2-v));
+			vfree($2);	
+		} EOS
 	;
 
 	/* path */
 path_statement
 	:	PATH PATHTYPE QUOTEDSTRING
 		{
-			if ($2 = LC_PATHTYPE_MAX) {
+			char * path = racoon_strdup($3-v);
+
+			if (path == NULL) {
+yyerror(copy string fatal error: %s, $3-v);
+ABORT_AND_VFREE($3);
+			}
+			
+			if (lcconf_setpath(path, $2)  0) {
 yyerror(invalid path type %d, $2);
-return -1;
+ABORT_AND_VFREE($3);
 			}
 
-			/* free old pathinfo */
-			if (lcconf-pathinfo[$2])
-racoon_free(lcconf-pathinfo[$2]);
-
-			/* set new pathinfo */
-			

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2012-01-01 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Sun Jan  1 15:44:06 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y

Log Message:
Fix the previous commit.


To generate a diff of this commit:
cvs rdiff -u -r1.45 -r1.46 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.45 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.46
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.45	Sun Jan  1 15:29:28 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Sun Jan  1 15:44:06 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.45 2012/01/01 15:29:28 tteras Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.46 2012/01/01 15:44:06 tteras Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -1267,7 +1267,7 @@ authgroup
 			groupname = racoon_malloc($1-l+1);
 			if (groupname == NULL) {
 yyerror(unable to allocate auth group name);
-ABORT_AND_VFREE, $1);
+ABORT_AND_VFREE($1);
 			}
 
 			memcpy(groupname,$1-v,$1-l);



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2012-01-01 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Sun Jan  1 15:54:51 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c

Log Message:
Fix myaddr_getsport() to return -1 if no suitable address is found. This is
used in pfkey.c:pk_recvacquire() to check if IKE negotiation should be
started or not.


To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.29 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.28 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.29
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.28	Mon Mar 14 17:18:12 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Sun Jan  1 15:54:51 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.28 2011/03/14 17:18:12 tteras Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.29 2012/01/01 15:54:51 tteras Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras timo.te...@iki.fi.
@@ -280,7 +280,7 @@ myaddr_getsport(addr)
 			return extract_port((struct sockaddr *) my-addr);
 	}
 
-	return PORT_ISAKMP;
+	return -1;
 }
 
 void
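Review bot: Returning -1 is only an error signal if myaddr_getsport()'s declared return type is signed (its signature is above the hunk); if it is `u_int16_t` or `in_port_t`, the caller gets 65535, not an error. Every caller other than pk_recvacquire() that previously got PORT_ISAKMP as a fallback now receives -1, so any of them that hands the result straight to set_port() would now use port 65535 — each call site needs a `< 0` test. A comment on the function would pin the new contract: `/* returns the local ISAKMP port for addr, or -1 if no listening address matches */`. The function starts outside the hunk.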



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2012-01-01 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Sun Jan  1 15:57:31 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: handler.c isakmp.c pfkey.c
remoteconf.c

Log Message:
From Wolfgang Schmieder wolfg...@die-schmieders.de: Fix various typos in
comments and log messages. Fix default port used in copy_ph1addresses().


To generate a diff of this commit:
cvs rdiff -u -r1.40 -r1.41 src/crypto/dist/ipsec-tools/src/racoon/handler.c
cvs rdiff -u -r1.73 -r1.74 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.57 -r1.58 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c
cvs rdiff -u -r1.27 -r1.28 \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/handler.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.40 src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.41
--- src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.40	Thu Nov 17 14:41:55 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.c	Sun Jan  1 15:57:31 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.c,v 1.40 2011/11/17 14:41:55 vanhu Exp $	*/
+/*	$NetBSD: handler.c,v 1.41 2012/01/01 15:57:31 tteras Exp $	*/
 
 /* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */
 
@@ -213,7 +213,7 @@ getph1(ph1hint, local, remote, flags)
 			(ph1hint-id-l != p-id-l ||
 			 memcmp(ph1hint-id-v, p-id-v, p-id-l) != 0)) {
 plog(LLV_DEBUG2, LOCATION, NULL,
- local identity does match hint\n);
+ local identity does not match hint\n);
 continue;
 			}
 			if (ph1hint-id_p  ph1hint-id_p-l 
@@ -221,7 +221,7 @@ getph1(ph1hint, local, remote, flags)
 			(ph1hint-id_p-l != p-id_p-l ||
 			 memcmp(ph1hint-id_p-v, p-id_p-v, p-id_p-l) != 0)) {
 plog(LLV_DEBUG2, LOCATION, NULL,
- remote identity does match hint\n);
+ remote identity does not match hint\n);
 continue;
 			}
 		}

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.73 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.74
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.73	Tue Oct 11 14:50:15 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Sun Jan  1 15:57:31 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.c,v 1.73 2011/10/11 14:50:15 tteras Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.74 2012/01/01 15:57:31 tteras Exp $	*/
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
@@ -624,7 +624,7 @@ isakmp_main(msg, remote, local)
 		/*
 		 * iph1 must be present for Information message.
 		 * if iph1 is null then trying to get the phase1 status
-		 * as the packet from responder againt initiator's 1st
+		 * as the packet from responder again initiator's 1st
 		 * exchange in phase 1.
 		 * NOTE: We think such informational exchange should be ignored.
 		 */
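Review bot: The typo fix on the fourth line of the comment turned "againt" into "again", but the sentence reads "the packet from responder *against* initiator's 1st exchange" — "again" makes it ungrammatical. Suggest `* as the packet from responder against initiator's 1st`. isakmp_main continues outside the hunk.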
@@ -2358,7 +2358,7 @@ isakmp_chkph1there(iph2)
 		plog(LLV_ERROR, LOCATION, iph2-dst,
 			phase2 negotiation failed 
 			due to time up waiting for phase1. %s\n,
-			sadbsecas2str(iph2-dst, iph2-src,
+			sadbsecas2str(iph2-src, iph2-dst,
 iph2-satype, 0, 0));
 		plog(LLV_INFO, LOCATION, NULL,
 			delete phase 2 handler.\n);
@@ -2909,7 +2909,7 @@ copy_ph1addresses(iph1, rmconf, remote, 
 	struct remoteconf *rmconf;
 	struct sockaddr *remote, *local;
 {
-	u_int16_t port;
+	u_int16_t port = 0;
 
 	/* address portion must be grabbed from real remote address remote */
 	iph1-remote = dupsaddr(remote);
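Review bot: The `= 0` initializer is more than cosmetic: with `rmconf == NULL` the old code skipped the assignment and then evaluated `if (port == 0)` on an uninitialized `port` (visible in the last hunk of this file), so the fallback port was chosen on garbage; the commit message only mentions the default-port change. Worth a comment on the declaration so nobody "simplifies" it away: `u_int16_t port = 0;	/* 0 = not set; selects the default below when rmconf is NULL or carries no port */`. copy_ph1addresses continues past the hunk.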
@@ -2919,7 +2919,7 @@ copy_ph1addresses(iph1, rmconf, remote, 
 	/*
 	 * if remote has no port # (in case of initiator - from ACQUIRE msg)
 	 * - if remote.conf specifies port #, use that
-	 * - if remote.conf does not, use 500
+	 * - if remote.conf does not, use lcconf-port_isakmp
 	 * if remote has port # (in case of responder - from recvfrom(2))
 	 * respect content of remote.
 	 */
@@ -2928,7 +2928,7 @@ copy_ph1addresses(iph1, rmconf, remote, 
 		if (rmconf != NULL)
 			port = extract_port(rmconf-remote);
 		if (port == 0)
-			port = PORT_ISAKMP;
+			port = lcconf-port_isakmp;
 		set_port(iph1-remote, port);
 	}
 

Index: src/crypto/dist/ipsec-tools/src/racoon/pfkey.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.57 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.58
--- src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.57	Tue Mar 15 13:20:14 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/pfkey.c	Sun Jan  1 15:57:31 2012
@@ -1,6 +1,6 @@
-/*	$NetBSD: pfkey.c,v 1.57 2011/03/15 13:20:14 vanhu Exp $	*/
+/*	$NetBSD: pfkey.c,v 1.58 2012/01/01 15:57:31 tteras Exp $	*/
 
-/* $Id: pfkey.c,v 1.57 2011/03/15 13:20:14 vanhu Exp $ */
+/* $Id: pfkey.c,v 1.58 2012/01/01 15:57:31 tteras Exp $ */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -1853,8 +1853,8 @@ pk_recvacquire(mhp)
 	 *   should ignore such a acquire message because the phase 2
 	 *   is just negotiating.
 	 

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2012-01-01 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Sun Jan  1 16:14:11 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y

Log Message:
From Wolfgang Schmieder wolfg...@die-schmieders.de: Fix default NAT-T
port for listen { isakmp_natt } config directive.


To generate a diff of this commit:
cvs rdiff -u -r1.46 -r1.47 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.46 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.47
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.46	Sun Jan  1 15:44:06 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Sun Jan  1 16:14:11 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.46 2012/01/01 15:44:06 tteras Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.47 2012/01/01 16:14:11 tteras Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -359,6 +359,8 @@ static const char error_message_dpd_not_
 %type val identifierstring
 %type saddr remote_index ike_addrinfo_port
 %type alg algorithm
+%type saddr ike_addrinfo_port_natt
+%type num ike_port_natt
 
 %%
 
@@ -536,7 +538,7 @@ listen_stmt
 			racoon_free($2);
 		}
 		EOS
-	|	X_ISAKMP_NATT ike_addrinfo_port
+	|	X_ISAKMP_NATT ike_addrinfo_port_natt
 		{
 #ifdef ENABLE_NATT
 			myaddr_listen($2, TRUE);
@@ -591,11 +593,36 @@ ike_addrinfo_port
 ABORT();
 		}
 	;
+ike_addrinfo_port_natt
+	:	ADDRSTRING ike_port_natt
+		{
+			char portbuf[10];
+
+			snprintf(portbuf, sizeof(portbuf), %ld, $2);
+			$$ = str2saddr($1-v, portbuf);
+			
+			vfree($1);
+			if (!$$)
+ABORT();
+		}
+	;
 ike_port
 	:	/* nothing */	{	$$ = lcconf-port_isakmp; }
 	|	PORT		{ $$ = $1; } 
 	;
-
+ike_port_natt
+	:	/* nothing */ 
+		{ 
+			$$ = lcconf-port_isakmp_natt;  
+		}
+	|	PORT 
+		{ 
+			$$ = $1; 
+#ifndef ENABLE_NATT
+			yywarn(error_message_natt_not_compiled_in);
+#endif			 
+		}
+	;
 	/* radius configuration */
 radcfg_statement
 	:	RADCFG {
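Review bot: `ike_addrinfo_port_natt` hands the parsed number to str2saddr() via `snprintf("%ld", $2)` with no range check, so a port above 65535 in `isakmp_natt` becomes whatever getaddrinfo() makes of the string (or a silently truncated 10-byte `portbuf`) instead of a configuration error. Before the snprintf: `if ($2 < 1 || $2 > 65535) { yyerror("invalid port %ld", $2); ABORT_AND_VFREE($1); }`. The same gap presumably exists in the pre-existing ike_addrinfo_port rule this was copied from (only its tail is in the hunk); the two rules differ only in the default, so a shared action taking the default as a parameter would keep the check in one place. The `%ld` should also match the %union type of num, which is outside the hunk.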



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-11-17 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Thu Nov 17 14:41:55 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: handler.c

Log Message:
Fixed some crashes in LIST_FOREACH loops where the current element could be removed
during the loop.


To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.40 src/crypto/dist/ipsec-tools/src/racoon/handler.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/handler.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.39 src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.40
--- src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.39	Mon Mar 14 17:18:12 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.c	Thu Nov 17 14:41:55 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.c,v 1.39 2011/03/14 17:18:12 tteras Exp $	*/
+/*	$NetBSD: handler.c,v 1.40 2011/11/17 14:41:55 vanhu Exp $	*/
 
 /* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */
 
@@ -611,9 +611,11 @@ getph2byid(src, dst, spid)
 	struct sockaddr *src, *dst;
 	u_int32_t spid;
 {
-	struct ph2handle *p;
+	struct ph2handle *p, *next;
+
+	for (p = LIST_FIRST(ph2tree); p; p = next) {
+		next = LIST_NEXT(p, chain);
 
-	LIST_FOREACH(p, ph2tree, chain) {
 		if (spid == p-spid 
 		cmpsaddr(src, p-src) = CMPSADDR_WILDPORT_MATCH 
 		cmpsaddr(dst, p-dst) = CMPSADDR_WILDPORT_MATCH){
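Review bot: The hand-rolled loop is correct only under the assumption that the body unlinks at most the element `p` it is examining; if whatever the body calls can also purge other handlers (a routine walking ph2tree, or a callback that deletes `next`), the saved `next` dangles just the same. The reason for abandoning LIST_FOREACH should be stated at the loop: `/* not LIST_FOREACH: the body may unlink and free p, so fetch next first */`, and if this tree's queue.h offers LIST_FOREACH_SAFE, that macro expresses the same thing without the manual bookkeeping. The bodies of all three rewritten loops lie outside their hunks, so which call actually frees the element is not visible here.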
@@ -985,9 +987,11 @@ void
 remcontacted(remote)
 	struct sockaddr *remote;
 {
-	struct contacted *p;
+	struct contacted *p, *next;
+
+	for (p = LIST_FIRST(ctdtree); p; p = next) {
+		next = LIST_NEXT(p, chain);
 
-	LIST_FOREACH(p, ctdtree, chain) {
 		if (cmpsaddr(remote, p-remote) = CMPSADDR_WILDPORT_MATCH) {
 			LIST_REMOVE(p, chain);
 			racoon_free(p-remote);
@@ -1555,10 +1559,12 @@ int
 purgeph1bylogin(login)
 	char *login;
 {
-	struct ph1handle *p;
+	struct ph1handle *p, *next;
 	int found = 0;
 
-	LIST_FOREACH(p, ph1tree, chain) {
+	for (p = LIST_FIRST(ph1tree); p; p = next) {
+		next = LIST_NEXT(p, chain);
+
 		if (p-mode_cfg == NULL)
 			continue;
 		if (strncmp(p-mode_cfg-login, login, LOGINLEN) == 0) {



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-11-15 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Nov 15 13:51:24 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y cftoken.l
isakmp_xauth.c isakmp_xauth.h racoon.conf.5

Log Message:
From Vincent Bernat ber...@luffy.cx: TLS support for LDAP


To generate a diff of this commit:
cvs rdiff -u -r1.43 -r1.44 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
cvs rdiff -u -r1.24 -r1.25 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
cvs rdiff -u -r1.23 -r1.24 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
cvs rdiff -u -r1.7 -r1.8 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h
cvs rdiff -u -r1.62 -r1.63 \
src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.43 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.44
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.43	Fri Aug 19 05:36:47 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Tue Nov 15 13:51:23 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.43 2011/08/19 05:36:47 tteras Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.44 2011/11/15 13:51:23 tteras Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -267,7 +267,7 @@ static int process_rmconf()
 	/* listen */
 %token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED
 	/* ldap config */
-%token LDAPCFG LDAP_HOST LDAP_PORT LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
+%token LDAPCFG LDAP_HOST LDAP_PORT LDAP_TLS LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
 %token LDAP_ATTR_USER LDAP_ATTR_ADDR LDAP_ATTR_MASK LDAP_ATTR_GROUP LDAP_ATTR_MEMBER
 	/* radius config */
 %token RADCFG RAD_AUTH RAD_ACCT RAD_TIMEOUT RAD_RETRIES
@@ -720,6 +720,15 @@ ldapcfg_stmt
 #endif
 		}
 		EOS
+	|	LDAP_TLS SWITCH
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+			xauth_ldap_config.tls = $2;
+#endif
+#endif
+		}
+		EOS
 	|	LDAP_BASE QUOTEDSTRING
 		{
 #ifdef ENABLE_HYBRID

Index: src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
diff -u src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.24 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.25
--- src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.24	Fri Aug 19 05:36:47 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/cftoken.l	Tue Nov 15 13:51:23 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: cftoken.l,v 1.24 2011/08/19 05:36:47 tteras Exp $	*/
+/*	$NetBSD: cftoken.l,v 1.25 2011/11/15 13:51:23 tteras Exp $	*/
 
 /* Id: cftoken.l,v 1.53 2006/08/22 18:17:17 manubsd Exp */
 
@@ -226,6 +226,7 @@ hexstring	0x{hexdigit}+
 S_LDAPversion		{ YYD; return(LDAP_PVER); }
 S_LDAPhost		{ YYD; return(LDAP_HOST); }
 S_LDAPport		{ YYD; return(LDAP_PORT); }
+S_LDAPtls		{ YYD; return(LDAP_TLS); }
 S_LDAPbase		{ YYD; return(LDAP_BASE); }
 S_LDAPsubtree		{ YYD; return(LDAP_SUBTREE); }
 S_LDAPbind_dn		{ YYD; return(LDAP_BIND_DN); }

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.23 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.24
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.23	Sun May 15 17:13:23 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Tue Nov 15 13:51:23 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.23 2011/05/15 17:13:23 christos Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.24 2011/11/15 13:51:23 tteras Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -802,6 +802,7 @@ xauth_ldap_init_conf(void)
 	xauth_ldap_config.pver = 3;
 	xauth_ldap_config.host = NULL;
 	xauth_ldap_config.port = LDAP_PORT;
+	xauth_ldap_config.tls = 0;
 	xauth_ldap_config.base = NULL;
 	xauth_ldap_config.subtree = 0;
 	xauth_ldap_config.bind_dn = NULL;
@@ -916,6 +917,17 @@ xauth_login_ldap(iph1, usr, pwd)
 	ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
 		xauth_ldap_config.pver);
 
+	/* Enable TLS */
+	if (xauth_ldap_config.tls) {
+		res = ldap_start_tls_s(ld, NULL, NULL);
+		if (res != LDAP_SUCCESS) {
+			plog(LLV_ERROR, LOCATION, NULL,
+			 ldap_start_tls_s failed: %s\n,
+			 ldap_err2string(res));
+			goto ldap_end;
+		}
+	}
+
 	/*
 	 * attempt to bind to the ldap server.
  * default to anonymous bind unless a
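Review bot: `ldap_start_tls_s(ld, NULL, NULL)` upgrades the connection but does not by itself decide whether the server certificate is verified; with OpenLDAP that is governed by LDAP_OPT_X_TLS_REQUIRE_CERT, which this code neither sets nor checks, so the effective policy is whatever the library default or the system ldap.conf (TLS_REQCERT) says. The bind password and the user's XAUTH credentials travel over this connection, so a lax system setting would silently leave them open to an active attacker even with `tls on`. Consider setting the requirement explicitly before the handle is created, e.g. `int reqcert = LDAP_OPT_X_TLS_DEMAND; ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert);` (a global option in OpenLDAP), or at least document in racoon.conf.5 that verification depends on ldap.conf. The error path itself is right: a failed handshake jumps to ldap_end and the bind is skipped, so it fails closed. xauth_login_ldap's body starts before this hunk.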
@@ -1144,6 +1156,17 @@ xauth_group_ldap(udn, grp)
 	ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
 		xauth_ldap_config.pver);
 
+	/* Enable TLS */
+	if (xauth_ldap_config.tls) {
+		res = ldap_start_tls_s(ld, NULL, NULL);
+		if (res != LDAP_SUCCESS) {
+			plog(LLV_ERROR, LOCATION, NULL,
+			 ldap_start_tls_s failed: %s\n,
+			 ldap_err2string(res));
+			goto ldap_group_end;
+		}
+	}
+
 	/*
 	 * attempt to bind to the ldap server.
  * default to anonymous bind unless a
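Review bot: This StartTLS block is a verbatim copy of the one added to xauth_login_ldap above, including the log text; any later fix to the handshake (certificate policy, timeouts, error mapping) now has to be made twice. Factor it into one helper, e.g. `static int xauth_ldap_start_tls(LDAP *ld)` returning the ldap result code, and call it from both functions, each keeping its own `goto` target. The `res` variable this hunk assigns must already be a local of xauth_group_ldap, whose body starts before the hunk.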

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h
diff -u 

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-11-15 Thread Thomas Klausner
Module Name:src
Committed By:   wiz
Date:   Tue Nov 15 19:15:58 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: racoon.conf.5

Log Message:
Bump date for new tls option.


To generate a diff of this commit:
cvs rdiff -u -r1.63 -r1.64 \
src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
diff -u src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.63 src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.64
--- src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.63	Tue Nov 15 13:51:23 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5	Tue Nov 15 19:15:58 2011
@@ -1,4 +1,4 @@
-.\	$NetBSD: racoon.conf.5,v 1.63 2011/11/15 13:51:23 tteras Exp $
+.\	$NetBSD: racoon.conf.5,v 1.64 2011/11/15 19:15:58 wiz Exp $
 .\
 .\	Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
 .\
@@ -29,7 +29,7 @@
 .\ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\ SUCH DAMAGE.
 .\
-.Dd June 22, 2010
+.Dd November 15, 2011
 .Dt RACOON.CONF 5
 .Os
 .\



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-10-11 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Oct 11 14:37:17 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp.c

Log Message:
From Wolfgang Schmieder wolfgang.schmie...@honeywell.com: setup phase1
port properly.


To generate a diff of this commit:
cvs rdiff -u -r1.71 -r1.72 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.71 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.72
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.71	Tue Mar 15 13:20:14 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Tue Oct 11 14:37:17 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.c,v 1.71 2011/03/15 13:20:14 vanhu Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.72 2011/10/11 14:37:17 tteras Exp $	*/
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
@@ -2943,7 +2943,7 @@ copy_ph1addresses(iph1, rmconf, remote, 
 		port = myaddr_getsport(iph1-local);
 		if (port == 0)
 			port = PORT_ISAKMP;
-		set_port(iph1-local, PORT_ISAKMP);
+		set_port(iph1-local, port);
 	}
 
 #ifdef ENABLE_NATT



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-10-11 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Oct 11 14:50:15 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp.c

Log Message:
From Rainer Weikusat rweiku...@mobileactivedefense.com: Release unused
phase2 of passive remotes after acquire.


To generate a diff of this commit:
cvs rdiff -u -r1.72 -r1.73 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.72 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.73
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.72	Tue Oct 11 14:37:17 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Tue Oct 11 14:50:15 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.c,v 1.72 2011/10/11 14:37:17 tteras Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.73 2011/10/11 14:50:15 tteras Exp $	*/
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
@@ -2186,7 +2186,7 @@ isakmp_post_acquire(iph2, iph1hint, nopa
 			because of passive mode, 
 			ignore the acquire message for %s.\n,
 			saddrwop2str(iph2-dst));
-		return 0;
+		return -1;
 	}
 
 	/*



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-08-18 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Aug 19 05:36:48 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y cftoken.l
racoon.conf.5

Log Message:
Allow inherited remote blocks without additional remote statements to
be specified in a simpler way. patch by Roman Hoog Antink r...@open.ch


To generate a diff of this commit:
cvs rdiff -u -r1.42 -r1.43 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
cvs rdiff -u -r1.23 -r1.24 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
cvs rdiff -u -r1.61 -r1.62 \
src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.42 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.43
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.42	Mon Mar 14 15:50:36 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Fri Aug 19 05:36:47 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.42 2011/03/14 15:50:36 vanhu Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.43 2011/08/19 05:36:47 tteras Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -172,6 +172,76 @@
 	return 0;
 }
 
+static int process_rmconf()
+{
+
+	/* check a exchange mode */
+	if (cur_rmconf-etypes == NULL) {
+		yyerror(no exchange mode specified.\n);
+		return -1;
+	}
+
+	if (cur_rmconf-idvtype == IDTYPE_UNDEFINED)
+		cur_rmconf-idvtype = IDTYPE_ADDRESS;
+
+	if (cur_rmconf-idvtype == IDTYPE_ASN1DN) {
+		if (cur_rmconf-mycertfile) {
+			if (cur_rmconf-idv)
+yywarn(Both CERT and ASN1 ID 
+   are set. Hope this is OK.\n);
+			/* TODO: Preparse the DN here */
+		} else if (cur_rmconf-idv) {
+			/* OK, using asn1dn without X.509. */
+		} else {
+			yyerror(ASN1 ID not specified 
+and no CERT defined!\n);
+			return -1;
+		}
+	}
+
+	if (duprmconf_finish(cur_rmconf))
+		return -1;
+
+	if (set_isakmp_proposal(cur_rmconf) != 0)
+		return -1;
+
+	/* DH group settting if aggressive mode is there. */
+	if (check_etypeok(cur_rmconf, (void*) ISAKMP_ETYPE_AGG)) {
+		struct isakmpsa *p;
+		int b = 0;
+
+		/* DH group */
+		for (p = cur_rmconf-proposal; p; p = p-next) {
+			if (b == 0 || (b  b == p-dh_group)) {
+b = p-dh_group;
+continue;
+			}
+			yyerror(DH group must be equal 
+in all proposals 
+when aggressive mode is 
+used.\n);
+			return -1;
+		}
+		cur_rmconf-dh_group = b;
+
+		if (cur_rmconf-dh_group == 0) {
+			yyerror(DH group must be set in the proposal.\n);
+			return -1;
+		}
+
+		/* DH group settting if PFS is required. */
+		if (oakley_setdhgroup(cur_rmconf-dh_group,
+cur_rmconf-dhgrp)  0) {
+			yyerror(failed to set DH value.\n);
+			return -1;
+		}
+	}
+
+	insrmconf(cur_rmconf);
+
+	return 0;
+}
+
 %}
 
 %union {
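Review bot: `static int process_rmconf()` is new code and should use the prototype form `static int process_rmconf(void)`; an empty parameter list in C declares nothing about the arguments and disables the compiler's call checking. It is now the single place where a remote block is validated and installed, so it deserves a header comment along the lines of `/* Validate cur_rmconf (exchange mode, ID type vs. certificate, equal DH group across proposals when aggressive mode is allowed), finish inheritance and insert it into the remote list. Returns 0, or -1 after yyerror(). */`. On every -1 path cur_rmconf is left allocated and not inserted; that matches the removed inline code this was lifted from, but a one-line note that the parser aborts on -1 would make the leak-by-design explicit.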
@@ -1643,7 +1713,7 @@
 			vfree($2);
 			vfree($4);
 		}
-		remote_specs_block
+		remote_specs_inherit_block
 	| REMOTE QUOTEDSTRING
 		{
 			struct remoteconf *new;
@@ -1686,7 +1756,7 @@
 			new-remote = $2;
 			cur_rmconf = new;
 		}
-		remote_specs_block
+		remote_specs_inherit_block
 	|	REMOTE remote_index
 		{
 			struct remoteconf *new;
@@ -1703,81 +1773,20 @@
 		remote_specs_block
 	;
 
-remote_specs_block
-	:	BOC remote_specs EOC
+remote_specs_inherit_block
+	:	remote_specs_block
+	|	EOS /* inheritance without overriding any settings */
 		{
-			/* check a exchange mode */
-			if (cur_rmconf-etypes == NULL) {
-yyerror(no exchange mode specified.\n);
-return -1;
-			}
-
-			if (cur_rmconf-idvtype == IDTYPE_UNDEFINED)
-cur_rmconf-idvtype = IDTYPE_ADDRESS;
-
-			if (cur_rmconf-idvtype == IDTYPE_ASN1DN) {
-if (cur_rmconf-mycertfile) {
-	if (cur_rmconf-idv)
-		yywarn(Both CERT and ASN1 ID 
-		   are set. Hope this is OK.\n);
-	/* TODO: Preparse the DN here */
-} else if (cur_rmconf-idv) {
-	/* OK, using asn1dn without X.509. */
-} else {
-	yyerror(ASN1 ID not specified 
-		and no CERT defined!\n);
-	return -1;
-}
-			}
-
-			if (duprmconf_finish(cur_rmconf))
+			if (process_rmconf() != 0)
 return -1;
+		}
+	;
 
-#if 0
-			/* this pointer copy will never happen, because duprmconf_shallow
-			 * already copied all pointers.
-			 */
-			if (cur_rmconf-spspec == NULL 
-			cur_rmconf-inherited_from != NULL) {
-cur_rmconf-spspec = cur_rmconf-inherited_from-spspec;
-			}
-#endif
-			if (set_isakmp_proposal(cur_rmconf) != 0)
+remote_specs_block
+	:	BOC remote_specs EOC
+		{
+			if (process_rmconf() != 0)
 return -1;
-
-			/* DH group settting if aggressive mode is there. */
-			if (check_etypeok(cur_rmconf, (void*) ISAKMP_ETYPE_AGG)) {
-struct isakmpsa *p;
-int b = 0;
-
-/* DH group */
-for (p = cur_rmconf-proposal; p; p = p-next) {
-	if (b == 0 || (b  b == p-dh_group)) {
-		b = p-dh_group;
-		continue;
-	}
-	yyerror(DH group must be 

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-08-11 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Aug 12 05:21:50 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: privsep.c

Log Message:
Have privilege separation child process exit if the parent exits.


To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.22 src/crypto/dist/ipsec-tools/src/racoon/privsep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/privsep.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.21 src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.22
--- src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.21	Sun Mar  6 08:28:10 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/privsep.c	Fri Aug 12 05:21:50 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: privsep.c,v 1.21 2011/03/06 08:28:10 tteras Exp $	*/
+/*	$NetBSD: privsep.c,v 1.22 2011/08/12 05:21:50 tteras Exp $	*/
 
 /* Id: privsep.c,v 1.15 2005/08/08 11:23:44 vanhu Exp */
 
@@ -67,6 +67,7 @@
 #include admin.h
 #include sockmisc.h
 #include privsep.h
+#include session.h
 
 static int privsep_sock[2] = { -1, -1 };
 
@@ -193,6 +194,13 @@
 	return 0;
 }
 
+static int
+privsep_do_exit(void *ctx, int fd)
+{
+	kill(getpid(), SIGTERM);
+	return 0;
+}
+
 int
 privsep_init(void)
 {
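Review bot: privsep_do_exit() sends SIGTERM to the child on any readability event for privsep_sock[1], not specifically on end-of-file, so if a reply from the privileged parent is ever pending on that socket when control returns to the event loop the child would terminate itself on legitimate data. That cannot happen if every request function reads its reply synchronously before returning, but the callback should encode the intent and check for the parent's disappearance explicitly; peeking one byte distinguishes EOF from data, and `ctx` should be marked unused. The rewritten callback is below; everything else in the hunk is unchanged.
```c
static int
privsep_do_exit(void *ctx, int fd)
{
	char c;
	ssize_t n;

	(void)ctx;
	/* Only the parent going away (EOF) terminates us; replies are
	 * consumed synchronously by the request functions. */
	n = recv(fd, &c, 1, MSG_PEEK);
	if (n == 0 || (n < 0 && errno != EAGAIN && errno != EINTR)) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "privileged parent exited, terminating\n");
		kill(getpid(), SIGTERM);
	}
	return 0;
}
```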
@@ -273,6 +281,7 @@
 			strerror(errno));
 			return -1;
 		}
+		monitor_fd(privsep_sock[1], privsep_do_exit, NULL, 0);
 
 		return 0;
 		break;



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-05-15 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sun May 15 17:13:23 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_xauth.c

Log Message:
fix prototype.


To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.22 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.23
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.22	Mon Mar 14 11:50:36 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Sun May 15 13:13:23 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.22 2011/03/14 15:50:36 vanhu Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.23 2011/05/15 17:13:23 christos Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -372,10 +372,7 @@
 }
 
 int
-xauth_reply(iph1, port, id, res)
-	struct ph1handle *iph1;
-	int port;
-	int id;
+xauth_reply(struct ph1handle *iph1, int port, int id, int res)
 {
 	struct xauth_state *xst = iph1-mode_cfg-xauth;
 	char *usr = xst-authdata.generic.usr;



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-03-17 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Thu Mar 17 14:35:24 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: oakley.c

Log Message:
fixed a memory leak in oakley_check_certid(). patch by Roman Hoog Antink 
r...@open.ch


To generate a diff of this commit:
cvs rdiff -u -r1.19 -r1.20 src/crypto/dist/ipsec-tools/src/racoon/oakley.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/oakley.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.19 src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.20
--- src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.19	Sun Feb 20 17:32:02 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/oakley.c	Thu Mar 17 14:35:24 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: oakley.c,v 1.19 2011/02/20 17:32:02 tteras Exp $	*/
+/*	$NetBSD: oakley.c,v 1.20 2011/03/17 14:35:24 vanhu Exp $	*/
 
 /* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */
 
@@ -1862,10 +1862,11 @@
 		hints.ai_socktype = SOCK_RAW;
 		hints.ai_flags = AI_NUMERICHOST;
 		error = getaddrinfo(altname, NULL, hints, res);
+		racoon_free(altname);
+		altname = NULL;
 		if (error != 0) {
 			plog(LLV_ERROR, LOCATION, NULL,
 no proper subjectAltName.\n);
-			racoon_free(altname);
 			return ISAKMP_NTYPE_INVALID_CERTIFICATE;
 		}
 		switch (res-ai_family) {
@@ -1880,7 +1881,6 @@
 		default:
 			plog(LLV_ERROR, LOCATION, NULL,
 family not supported: %d.\n, res-ai_family);
-			racoon_free(altname);
 			freeaddrinfo(res);
 			return ISAKMP_NTYPE_INVALID_CERTIFICATE;
 		}



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-03-17 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Thu Mar 17 14:39:07 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: oakley.c

Log Message:
free name later, to avoid a memory use after free in oakley_check_certid(). 
also give iph1-remote to some plog() calls. patch by Roman Hoog Antink 
r...@open.ch


To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.21 src/crypto/dist/ipsec-tools/src/racoon/oakley.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/oakley.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.20 src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.21
--- src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.20	Thu Mar 17 14:35:24 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/oakley.c	Thu Mar 17 14:39:06 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: oakley.c,v 1.20 2011/03/17 14:35:24 vanhu Exp $	*/
+/*	$NetBSD: oakley.c,v 1.21 2011/03/17 14:39:06 vanhu Exp $	*/
 
 /* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */
 
@@ -1791,7 +1791,7 @@
 		return 0;
 
 	if (iph1-id_p == NULL || iph1-cert_p == NULL) {
-		plog(LLV_ERROR, LOCATION, NULL, no ID nor CERT found.\n);
+		plog(LLV_ERROR, LOCATION, iph1-remote, no ID nor CERT found.\n);
 		return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
 	}
 
@@ -1802,26 +1802,28 @@
 	case IPSECDOI_ID_DER_ASN1_DN:
 		name = eay_get_x509asn1subjectname(iph1-cert_p);
 		if (!name) {
-			plog(LLV_ERROR, LOCATION, NULL,
+			plog(LLV_ERROR, LOCATION, iph1-remote,
 failed to get subjectName\n);
 			return ISAKMP_NTYPE_INVALID_CERTIFICATE;
 		}
 		if (idlen != name-l) {
-			plog(LLV_ERROR, LOCATION, NULL,
+			plog(LLV_ERROR, LOCATION, iph1-remote,
 Invalid ID length in phase 1.\n);
 			vfree(name);
 			return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
 		}
 		error = memcmp(id_b + 1, name-v, idlen);
-		vfree(name);
 		if (error != 0) {
-			plog(LLV_ERROR, LOCATION, NULL,
+			plog(LLV_ERROR, LOCATION, iph1-remote,
 ID mismatched with ASN1 SubjectName.\n);
 			plogdump(LLV_DEBUG, id_b + 1, idlen);
 			plogdump(LLV_DEBUG, name-v, idlen);
-			if (iph1-rmconf-verify_identifier)
+			if (iph1-rmconf-verify_identifier) {
+vfree(name);
 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
+			}
 		}
+		vfree(name);
 		return 0;
 	case IPSECDOI_ID_IPV4_ADDR:
 	case IPSECDOI_ID_IPV6_ADDR:
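Review bot: When `verify_identifier` is off, the ID/SubjectName mismatch is still logged at LLV_ERROR and then the function returns 0, so the log reads like a rejection while the peer was in fact accepted with an identity that does not match its certificate. The accepted case should say so, e.g. `plog(LLV_WARNING, LOCATION, iph1->remote, "ID mismatched with ASN1 SubjectName, ignored (verify_identifier off).\n");`, keeping LLV_ERROR for the branch that returns INVALID_ID_INFORMATION. The fix itself — moving `vfree(name)` after the plogdump that reads `name->v` — is correct and closes the use-after-free. oakley_check_certid continues outside the hunk.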



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-03-17 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Thu Mar 17 14:42:58 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: oakley.c

Log Message:
fixed a memory leak in oakley_append_rmconf_cr() while generating plist. patch 
by Roman Hoog Antink r...@open.ch


To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.22 src/crypto/dist/ipsec-tools/src/racoon/oakley.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/oakley.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.21 src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.22
--- src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.21	Thu Mar 17 14:39:06 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/oakley.c	Thu Mar 17 14:42:58 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: oakley.c,v 1.21 2011/03/17 14:39:06 vanhu Exp $	*/
+/*	$NetBSD: oakley.c,v 1.22 2011/03/17 14:42:58 vanhu Exp $	*/
 
 /* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */
 
@@ -2288,7 +2288,7 @@
 	 s_isakmp_certtype(buf-v[0]));
 	plogdump(LLV_DEBUG, buf-v, buf-l);
 
-	actx-plist = isakmp_plist_append(actx-plist, buf, ISAKMP_NPTYPE_CR);
+	actx-plist = isakmp_plist_append_full(actx-plist, buf, ISAKMP_NPTYPE_CR, 1);
 
 err:
 	vfree(asn1dn);
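Review bot: The trailing `1` passed to isakmp_plist_append_full is an unexplained literal; from the commit message it presumably makes the payload list take ownership of `buf` and free it, which is what closes the leak, but nothing at the call site says so. Add `/* plist takes ownership of buf and frees it with the list */` on that line, and if the file has more such calls a named constant would be clearer than a bare 1. oakley_append_rmconf_cr continues outside the hunk; nothing after this line should touch `buf` once the list owns it.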



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-03-15 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Tue Mar 15 13:20:14 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp.c isakmp_inf.c pfkey.c

Log Message:
directly call isakmp_ph1delete() instead of scheduling isakmp_ph1delete_stub(), 
as the deferral is unnecessary and can lead to a use-after-free


To generate a diff of this commit:
cvs rdiff -u -r1.70 -r1.71 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.46 -r1.47 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
cvs rdiff -u -r1.56 -r1.57 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.70 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.71
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.70	Mon Mar 14 17:18:12 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Tue Mar 15 13:20:14 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.c,v 1.70 2011/03/14 17:18:12 tteras Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.71 2011/03/15 13:20:14 vanhu Exp $	*/
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
@@ -2018,7 +2018,7 @@
 		iph1-status = PHASE1ST_EXPIRED;
 	}
 
-	sched_schedule(iph1-sce, 1, isakmp_ph1delete_stub);
+	isakmp_ph1delete(iph1);
 }
 
 /* called from scheduler */
@@ -2046,20 +2046,16 @@
 	/* Discard any left phase2s */
 	for (p = LIST_FIRST(iph1-ph2tree); p; p = next) {
 		next = LIST_NEXT(p, ph1bind);
-		if (p-status = PHASE2ST_ESTABLISHED)
-			unbindph12(p);
-		/* Should we also remove non established ph2
-		 * handles, as we just invalidated ph1handle ?
+		if (p-status == PHASE2ST_ESTABLISHED)
+			isakmp_info_send_d2(p);
+		/* remove all ph2 handles,
+		 * as ph1handle will be expired soon
 		 */
+		delete_spd(p, 1);
+		remph2(p);
+		delph2(p);
 	}
 
-	if (LIST_FIRST(iph1-ph2tree) != NULL) {
-		sched_schedule(iph1-sce, 1, isakmp_ph1delete_stub);
-		return;
-	}
-
-	/* don't re-negosiation when the phase 1 SA expires. */
-
 	src = racoon_strdup(saddr2str(iph1-local));
 	dst = racoon_strdup(saddr2str(iph1-remote));
 	STRDUP_FATAL(src);
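Review bot: The test for sending the DELETE notification was tightened from what appears (after extraction garbling) to have been `>= PHASE2ST_ESTABLISHED` on the removed line to `== PHASE2ST_ESTABLISHED`; if the phase2 status enum has states past ESTABLISHED (an expiring/expired state), those SAs are now torn down locally via delete_spd/remph2/delph2 without telling the peer, leaving stale SAs on the other side. Unless silence for those states is intended, keep the wider test: `if (p->status >= PHASE2ST_ESTABLISHED) isakmp_info_send_d2(p);`. Saving `next` before delph2(p) frees the handle is correct, but the loop now also deletes phase2s that were still negotiating, so delete_spd/remph2 must tolerate a handle without an approved proposal. isakmp_ph1delete continues outside the hunk.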
@@ -3397,7 +3393,7 @@
 		 purged ISAKMP-SA spi=%s.\n,
 		 isakmp_pindex((iph1-index), iph1-msgid));
 
-	sched_schedule(iph1-sce, 1, isakmp_ph1delete_stub);
+	isakmp_ph1delete(iph1);
 }
 
 void

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.46 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.47
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.46	Mon Mar 14 17:18:13 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Tue Mar 15 13:20:14 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.c,v 1.46 2011/03/14 17:18:13 tteras Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.47 2011/03/15 13:20:14 vanhu Exp $	*/
 
 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
 
@@ -1094,7 +1094,7 @@
 			isakmp_pindex(spi[i], 0));
 
 		iph1-status = PHASE1ST_EXPIRED;
-		sched_schedule(iph1-sce, 1, isakmp_ph1delete_stub);
+		isakmp_ph1delete(iph1);
 	}
 }
 

Index: src/crypto/dist/ipsec-tools/src/racoon/pfkey.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.56 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.57
--- src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.56	Mon Mar 14 17:18:13 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/pfkey.c	Tue Mar 15 13:20:14 2011
@@ -1,6 +1,6 @@
-/*	$NetBSD: pfkey.c,v 1.56 2011/03/14 17:18:13 tteras Exp $	*/
+/*	$NetBSD: pfkey.c,v 1.57 2011/03/15 13:20:14 vanhu Exp $	*/
 
-/* $Id: pfkey.c,v 1.56 2011/03/14 17:18:13 tteras Exp $ */
+/* $Id: pfkey.c,v 1.57 2011/03/15 13:20:14 vanhu Exp $ */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -2901,7 +2901,7 @@
 		rmconf = getrmconf(ma-remote, 0);
 		if (rmconf == NULL || !rmconf-passive) {
 			iph1-status = PHASE1ST_EXPIRED;
-			sched_schedule(iph1-sce, 1, isakmp_ph1delete_stub);
+			isakmp_ph1delete(iph1);
 
 			/* This is unlikely, but let's just check if a Phase 1
 			 * for the new addresses already exist */
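Review bot: `isakmp_ph1delete(iph1)` now runs immediately where the old code only scheduled the deletion, so if it frees the handle, the code that follows ("check if a Phase 1 for the new addresses already exist", outside the hunk) must not touch `iph1` again — a reference that was harmless with the deferred stub is a use-after-free now. The same applies to the isakmp_inf.c hunk, where the call sits inside a loop. If the following lines only use `ma` and `rmconf`, pin the invariant with `/* iph1 is freed here; do not use it below */` after the call.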



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-03-14 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Mon Mar 14 09:19:24 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: handler.c

Log Message:
check if we got RMCONF_ERR_MULTIPLE from getrmconf_by_ph1() in 
revalidate_ph1tree_rmconf()


To generate a diff of this commit:
cvs rdiff -u -r1.36 -r1.37 src/crypto/dist/ipsec-tools/src/racoon/handler.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/handler.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.36 src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.37
--- src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.36	Fri Mar 11 14:30:07 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.c	Mon Mar 14 09:19:23 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.c,v 1.36 2011/03/11 14:30:07 vanhu Exp $	*/
+/*	$NetBSD: handler.c,v 1.37 2011/03/14 09:19:23 vanhu Exp $	*/
 
 /* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */
 
@@ -1486,6 +1486,7 @@
 static int revalidate_ph1tree_rmconf(void)
 {
 	struct ph1handle *p, *next;
+	struct remoteconf *rmconf;
 
 	for (p = LIST_FIRST(ph1tree); p; p = next) {
 		next = LIST_NEXT(p, chain);
@@ -1495,9 +1496,11 @@
 		if (p-rmconf == NULL)
 			continue;
 
-		p-rmconf = getrmconf_by_ph1(p);
-		if (p-rmconf == NULL || p-rmconf == RMCONF_ERR_MULTIPLE)
+		rmconf = getrmconf_by_ph1(p);
+		if (rmconf == NULL || rmconf == RMCONF_ERR_MULTIPLE)
 			remove_ph1(p);
+		else
+			p-rmconf = rmconf;
 	}
 
 	return 1;
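Review bot: The fix is right — the old code stored the lookup result into `p->rmconf` before testing it, so the RMCONF_ERR_MULTIPLE sentinel (not a valid pointer) could sit in a handle that remove_ph1 then worked on — but nothing records why the temporary is needed, and a later cleanup could fold it back. Add on the assignment: `/* may return the RMCONF_ERR_MULTIPLE sentinel; never store it in p->rmconf */`. Removing the phase1 on an ambiguous match as well as on no match is the conservative choice after a reload. The function still returns 1 unconditionally, which presumably no caller inspects.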



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-03-14 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Mon Mar 14 14:54:07 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: handler.c

Log Message:
removed a useless comment


To generate a diff of this commit:
cvs rdiff -u -r1.37 -r1.38 src/crypto/dist/ipsec-tools/src/racoon/handler.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/handler.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.37 src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.38
--- src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.37	Mon Mar 14 09:19:23 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.c	Mon Mar 14 14:54:07 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.c,v 1.37 2011/03/14 09:19:23 vanhu Exp $	*/
+/*	$NetBSD: handler.c,v 1.38 2011/03/14 14:54:07 vanhu Exp $	*/
 
 /* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */
 
@@ -1447,7 +1447,6 @@
 		 * - delete SPIs in kernel
 		 * - delete generated SPD
 		 * - unbind / rem / del ph2
-		 * - XXX shoudld also send a delete-sa !?
 		 */
 		purge_ipsec_spi(iph2-dst, iph2-approval-head-proto_id,
 		spis, 2);



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-03-14 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Mon Mar 14 15:50:37 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y isakmp_xauth.c
isakmp_xauth.h remoteconf.c remoteconf.h rsalist.c rsalist.h

Log Message:
avoid some memory leaks and accesses to freed memory when reloading the 
configuration with inherited remote blocks. patch from Roman Hoog Antink r...@open.ch


To generate a diff of this commit:
cvs rdiff -u -r1.41 -r1.42 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
cvs rdiff -u -r1.21 -r1.22 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
cvs rdiff -u -r1.6 -r1.7 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h
cvs rdiff -u -r1.25 -r1.26 \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
cvs rdiff -u -r1.15 -r1.16 \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h
cvs rdiff -u -r1.5 -r1.6 src/crypto/dist/ipsec-tools/src/racoon/rsalist.c \
src/crypto/dist/ipsec-tools/src/racoon/rsalist.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.41 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.42
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.41	Wed Mar  2 14:58:27 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Mon Mar 14 15:50:36 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.41 2011/03/02 14:58:27 vanhu Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.42 2011/03/14 15:50:36 vanhu Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -145,6 +145,7 @@
 
 static struct secprotospec *newspspec __P((void));
 static void insspspec __P((struct remoteconf *, struct secprotospec *));
+void dupspspec_list __P((struct remoteconf *dst, struct remoteconf *src));
 void flushspspec __P((struct remoteconf *));
 static void adminsock_conf __P((vchar_t *, vchar_t *, vchar_t *, int));
 
@@ -1629,7 +1630,7 @@
 return -1;
 			}
 
-			new = duprmconf(from);
+			new = duprmconf_shallow(from);
 			if (new == NULL) {
 yyerror(failed to duplicate remoteconf from \%s\.,
 	$4-v);
@@ -1674,13 +1675,14 @@
 return -1;
 			}
 
-			new = duprmconf(from);
+			new = duprmconf_shallow(from);
 			if (new == NULL) {
 yyerror(failed to duplicate remoteconf from %s.,
 	saddr2str($4));
 return -1;
 			}
 
+			racoon_free($4);
 			new-remote = $2;
 			cur_rmconf = new;
 		}
@@ -1727,11 +1729,19 @@
 	return -1;
 }
 			}
-			
+
+			if (duprmconf_finish(cur_rmconf))
+return -1;
+
+#if 0
+			/* this pointer copy will never happen, because duprmconf_shallow
+			 * already copied all pointers.
+			 */
 			if (cur_rmconf-spspec == NULL 
 			cur_rmconf-inherited_from != NULL) {
 cur_rmconf-spspec = cur_rmconf-inherited_from-spspec;
 			}
+#endif
 			if (set_isakmp_proposal(cur_rmconf) != 0)
 return -1;
 
@@ -2415,6 +2425,62 @@
 	rmconf-spspec = spspec;
 }
 
+static struct secprotospec *
+dupspspec(spspec)
+	struct secprotospec *spspec;
+{
+	struct secprotospec *new;
+
+	new = newspspec();
+	if (new == NULL) {
+		plog(LLV_ERROR, LOCATION, NULL, 
+		dupspspec: malloc failed\n);
+		return NULL;
+	}
+	memcpy(new, spspec, sizeof(*new));
+
+	if (spspec-gssid) {
+		new-gssid = racoon_strdup(spspec-gssid);
+		STRDUP_FATAL(new-gssid);
+	}
+	if (spspec-remote) {
+		new-remote = racoon_malloc(sizeof(*new-remote));
+		if (new-remote == NULL) {
+			plog(LLV_ERROR, LOCATION, NULL, 
+			dupspspec: malloc failed (remote)\n);
+			return NULL;
+		}
+		memcpy(new-remote, spspec-remote, sizeof(*new-remote));
+	}
+
+	return new;
+}
+
+/*
+ * copy the whole list
+ */
+void
+dupspspec_list(dst, src)
+	struct remoteconf *dst, *src;
+{
+	struct secprotospec *p, *new, *last;
+
+	for(p = src-spspec, last = NULL; p; p = p-next, last = new) {
+		new = dupspspec(p);
+		if (new == NULL)
+			exit(1);
+
+		new-prev = last;
+		new-next = NULL; /* not necessary but clean */
+
+		if (last)
+			last-next = new;
+		else /* first element */
+			dst-spspec = new;
+
+	}
+}
+
 /*
  * delete the whole list
  */
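Review bot: In dupspspec(), the error return after the failed racoon_malloc for `new->remote` leaks `new` together with the gssid string just duplicated into it (after the memcpy, `new->gssid` is either NULL or the fresh strdup, since STRDUP_FATAL exits on failure). Release both before bailing: `if (new->gssid) racoon_free(new->gssid);` `racoon_free(new);` ahead of `return NULL;`. In practice dupspspec_list() calls `exit(1)` on NULL so nothing outlives the failure, but exiting the daemon from a list copy during config parsing is heavy-handed next to the surrounding parser code, which reports -1 and lets the reload fail. The memcpy also copies the source's `next`/`prev` pointers, which is harmless only because dupspspec_list() overwrites them — worth a comment.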
@@ -2430,8 +2496,13 @@
 		if (p-next != NULL)
 			p-next-prev = NULL; /* not necessary but clean */
 
-		racoon_free(p);		  
+		if (p-gssid)
+			racoon_free(p-gssid);
+		if (p-remote)
+			racoon_free(p-remote);
+		racoon_free(p);
 	}
+	rmconf-spspec = NULL;
 }
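Review bot: flushspspec() now frees each entry's `gssid` and `remote` and resets the list head, which is only safe on a remoteconf that owns its spspec list — i.e. one whose list came from dupspspec_list() in duprmconf_finish. A remoteconf that is still the shallow copy from duprmconf_shallow shares its parent's entries, and flushing it would free the parent's list and set up a double free. Document the precondition above the function: `/* Frees the whole spspec list; the rmconf must own it (after duprmconf_finish), never a shallow copy sharing its parent's entries. */`.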
 
 /* set final acceptable proposal */

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.21 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.22
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.21	Mon Sep 27 11:57:59 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Mon Mar 14 15:50:36 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.21 2010/09/27 11:57:59 vanhu Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.22 2011/03/14 15:50:36 vanhu Exp $	*/
 
 /* Id: isakmp_xauth.c,v 

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-03-14 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Mon Mar 14 17:18:13 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c handler.c isakmp.c
isakmp_inf.c isakmp_quick.c nattraversal.c pfkey.c policy.c
sockmisc.c sockmisc.h throttle.c

Log Message:
Explicitly compare return value of cmpsaddr() against a return value
define to make it more obvious what is the intended action. One more
return value is also added, to fix comparison of security policy
descriptors. Namely, getsp() should not allow wildcard matching (as the
comment says, it does exact matching) - otherwise we get problems when
kernel has generic policy with no ports, and a second similar policy with
ports.


To generate a diff of this commit:
cvs rdiff -u -r1.27 -r1.28 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
cvs rdiff -u -r1.38 -r1.39 src/crypto/dist/ipsec-tools/src/racoon/handler.c
cvs rdiff -u -r1.69 -r1.70 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.45 -r1.46 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
cvs rdiff -u -r1.28 -r1.29 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c
cvs rdiff -u -r1.13 -r1.14 \
src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c
cvs rdiff -u -r1.55 -r1.56 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c
cvs rdiff -u -r1.11 -r1.12 src/crypto/dist/ipsec-tools/src/racoon/policy.c
cvs rdiff -u -r1.18 -r1.19 src/crypto/dist/ipsec-tools/src/racoon/sockmisc.c
cvs rdiff -u -r1.12 -r1.13 src/crypto/dist/ipsec-tools/src/racoon/sockmisc.h
cvs rdiff -u -r1.6 -r1.7 src/crypto/dist/ipsec-tools/src/racoon/throttle.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.27 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.28
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.27	Fri Dec  3 09:46:24 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Mon Mar 14 17:18:12 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.27 2010/12/03 09:46:24 tteras Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.28 2011/03/14 17:18:12 tteras Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras timo.te...@iki.fi.
@@ -100,7 +100,7 @@
 		return TRUE;
 
 	LIST_FOREACH(cfg, configured, chain) {
-		if (cmpsaddr(addr, (struct sockaddr *) cfg-addr) == 0)
+		if (cmpsaddr(addr, (struct sockaddr *) cfg-addr) = CMPSADDR_WILDPORT_MATCH)
 			return TRUE;
 	}
 
@@ -116,7 +116,7 @@
 
 	/* Already open? */
 	LIST_FOREACH(my, opened, chain) {
-		if (cmpsaddr(addr, (struct sockaddr *) my-addr) == 0)
+		if (cmpsaddr(addr, (struct sockaddr *) my-addr) = CMPSADDR_WILDPORT_MATCH)
 			return TRUE;
 	}
 
@@ -156,7 +156,7 @@
 
 	LIST_FOREACH(cfg, configured, chain) {
 		if (addr != NULL 
-		cmpsaddr(addr, (struct sockaddr *) cfg-addr) != 0)
+		cmpsaddr(addr, (struct sockaddr *) cfg-addr)  CMPSADDR_WILDPORT_MATCH)
 			continue;
 		if (!myaddr_open((struct sockaddr *) cfg-addr, cfg-udp_encap))
 			return FALSE;
@@ -262,7 +262,7 @@
 	struct myaddr *my;
 
 	LIST_FOREACH(my, opened, chain) {
-		if (cmpsaddr((struct sockaddr *) my-addr, addr) == 0)
+		if (cmpsaddr((struct sockaddr *) my-addr, addr) = CMPSADDR_WILDPORT_MATCH)
 			return my-fd;
 	}
 
@@ -276,7 +276,7 @@
 	struct myaddr *my;
 
 	LIST_FOREACH(my, opened, chain) {
-		if (cmpsaddr((struct sockaddr *) my-addr, addr) == 0)
+		if (cmpsaddr((struct sockaddr *) my-addr, addr) = CMPSADDR_WILDPORT_MATCH)
 			return extract_port((struct sockaddr *) my-addr);
 	}
 

Index: src/crypto/dist/ipsec-tools/src/racoon/handler.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.38 src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.39
--- src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.38	Mon Mar 14 14:54:07 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.c	Mon Mar 14 17:18:12 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.c,v 1.38 2011/03/14 14:54:07 vanhu Exp $	*/
+/*	$NetBSD: handler.c,v 1.39 2011/03/14 17:18:12 tteras Exp $	*/
 
 /* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */
 
@@ -120,11 +120,11 @@
 	LIST_FOREACH(p, ph1tree, chain) {
 		if (sel != NULL) {
 			if (sel-local != NULL 
-			cmpsaddr(sel-local, p-local) != 0)
+			cmpsaddr(sel-local, p-local)  CMPSADDR_WILDPORT_MATCH)
 continue;
 
 			if (sel-remote != NULL 
-			cmpsaddr(sel-remote, p-remote) != 0)
+			cmpsaddr(sel-remote, p-remote)  CMPSADDR_WILDPORT_MATCH)
 continue;
 		}
 
@@ -300,8 +300,8 @@
 		if (p-status  PHASE1ST_DYING)
 			continue;
 
-		if (cmpsaddr(iph1-local, p-local) == 0
-		  cmpsaddr(iph1-remote, p-remote) == 0)
+		if (cmpsaddr(iph1-local, p-local) == CMPSADDR_MATCH
+		  cmpsaddr(iph1-remote, p-remote) == CMPSADDR_MATCH)
 			migrate_ph12(p, iph1);
 	}
 }
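Review bot: This hunk compares against `CMPSADDR_MATCH` exactly while the getph1 hunk above and every grabmyaddr.c hunk use a relational comparison with `CMPSADDR_WILDPORT_MATCH`, so correctness now depends on the numeric ordering of the CMPSADDR_* codes defined in sockmisc.h (outside this diff); that ordering is not documented anywhere visible here. Suggest a comment at the define site along the lines of `/* ordered by match strength: CMPSADDR_MATCH < CMPSADDR_WILDPORT_MATCH < ...; callers compare with <= */`, and the same note applies to the grabmyaddr.c and getph1 hunks. The relational operators appear to have been dropped in this rendering, so readers should check the actual diff before judging the direction of each comparison.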
@@ -547,11 +547,11 @@
 continue;
 
 			if (sel-src 

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-03-11 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Fri Mar 11 14:30:07 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: handler.c isakmp.c

Log Message:
directly delete a ph1 in remove_ph1-) instead of scheduling it, to avoid 
(completely ?) a race condition when reloading configuration


To generate a diff of this commit:
cvs rdiff -u -r1.35 -r1.36 src/crypto/dist/ipsec-tools/src/racoon/handler.c
cvs rdiff -u -r1.68 -r1.69 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/handler.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.35 src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.36
--- src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.35	Tue Dec 28 06:00:18 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.c	Fri Mar 11 14:30:07 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.c,v 1.35 2010/12/28 06:00:18 tteras Exp $	*/
+/*	$NetBSD: handler.c,v 1.36 2011/03/11 14:30:07 vanhu Exp $	*/
 
 /* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */
 
@@ -1447,6 +1447,7 @@
 		 * - delete SPIs in kernel
 		 * - delete generated SPD
 		 * - unbind / rem / del ph2
+		 * - XXX shoudld also send a delete-sa !?
 		 */
 		purge_ipsec_spi(iph2-dst, iph2-approval-head-proto_id,
 		spis, 2);
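Review bot: The new comment line has a typo, "shoudld"; since it is an XXX marker that future maintainers will grep for, fix it as `* - XXX should also send a delete-sa !?`. The enclosing function starts and ends outside this hunk.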
@@ -1474,7 +1475,11 @@
 		isakmp_info_send_d1(iph1);
 	}
 	iph1-status = PHASE1ST_EXPIRED;
-	sched_schedule(iph1-sce, 1, isakmp_ph1delete_stub);
+	/* directly call isakmp_ph1delete to avoid as possible a race
+	 * condition where we'll try to access iph1-rmconf after it has
+	 * freed
+	 */
+	isakmp_ph1delete(iph1);
 }
 
 
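Review bot: Calling isakmp_ph1delete(iph1) synchronously here means iph1 is freed on return, so every caller of this function (all outside the hunk) must not touch iph1 afterwards; the previous sched_schedule deferred the free out of the callers' stack, and this change removes that safety margin, so the contract should be stated on the function: `/* iph1 is freed before this returns; callers must not dereference it afterwards. */`. The added comment also reads "after it has freed"; "after it has been freed" is the intended meaning. Whether any caller currently uses iph1 after remove_ph1 cannot be judged from this hunk and deserves a check.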

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.68 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.69
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.68	Tue Mar  1 14:33:58 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Fri Mar 11 14:30:07 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.c,v 1.68 2011/03/01 14:33:58 vanhu Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.69 2011/03/11 14:30:07 vanhu Exp $	*/
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
@@ -2048,6 +2048,9 @@
 		next = LIST_NEXT(p, ph1bind);
 		if (p-status = PHASE2ST_ESTABLISHED)
 			unbindph12(p);
+		/* Should we also remove non established ph2
+		 * handles, as we just invalidated ph1handle ?
+		 */
 	}
 
 	if (LIST_FIRST(iph1-ph2tree) != NULL) {



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-03-06 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Sun Mar  6 08:28:11 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: privsep.c

Log Message:
Quiet a gcc warning when strict-aliasing checks are enabled. Reported by
Stephen Clark.


To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.21 src/crypto/dist/ipsec-tools/src/racoon/privsep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/privsep.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.20 src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.21
--- src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.20	Fri Mar  5 06:47:58 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/privsep.c	Sun Mar  6 08:28:10 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: privsep.c,v 1.20 2010/03/05 06:47:58 tteras Exp $	*/
+/*	$NetBSD: privsep.c,v 1.21 2011/03/06 08:28:10 tteras Exp $	*/
 
 /* Id: privsep.c,v 1.15 2005/08/08 11:23:44 vanhu Exp */
 
@@ -1544,6 +1544,7 @@
 {
 	struct msghdr msg;
 	struct cmsghdr *cmsg;
+	int *fdptr;
 	int fd;
 	char cmsbuf[1024];
 	struct iovec iov;
@@ -1569,7 +1570,8 @@
 		return -1;
 
 	cmsg = CMSG_FIRSTHDR(msg);
-	return *(int *)CMSG_DATA(cmsg);
+	fdptr = (int *) CMSG_DATA(cmsg);
+	return fdptr[0];
 }
 
 /* Send the file descriptor fd through the argument socket s */
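Review bot: Going through an `int *` variable silences the warning but does not remove the strict-aliasing and alignment concern, because the access is still an int-typed read into the `char cmsbuf[]` buffer; copying with memcpy is the portable fix and applies equally to the send side hunk below (`memcpy(CMSG_DATA(cmsg), &fd, sizeof(fd));`). More importantly for a privilege-separated channel, the received control message is dereferenced without checking that CMSG_FIRSTHDR returned non-NULL or that it carries `SOL_SOCKET`/`SCM_RIGHTS` with the expected length, unless the recvmsg check above the hunk already does so (it should also reject `MSG_CTRUNC` in `msg.msg_flags`). The function's opening lines are outside this hunk.
```c
	cmsg = CMSG_FIRSTHDR(&msg);
	if (cmsg == NULL || cmsg->cmsg_level != SOL_SOCKET ||
	    cmsg->cmsg_type != SCM_RIGHTS ||
	    cmsg->cmsg_len != CMSG_LEN(sizeof(fd)))
		return -1;
	/* byte copy: no int-typed access into the char control buffer */
	memcpy(&fd, CMSG_DATA(cmsg), sizeof(fd));
	return fd;
```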
@@ -1582,6 +1584,7 @@
 	struct cmsghdr *cmsg;
 	char cmsbuf[1024];
 	struct iovec iov;
+	int *fdptr;
 
 	iov.iov_base =  ;
 	iov.iov_len = 1;
@@ -1604,7 +1607,8 @@
 	cmsg-cmsg_level = SOL_SOCKET;
 	cmsg-cmsg_type = SCM_RIGHTS;
 	cmsg-cmsg_len = CMSG_LEN(sizeof(fd));
-	*(int *)CMSG_DATA(cmsg) = fd;
+	fdptr = (int *)CMSG_DATA(cmsg);
+	fdptr[0] = fd;
 	msg.msg_controllen = cmsg-cmsg_len;
 
 	if (sendmsg(s, msg, 0) == -1)



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-03-02 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Wed Mar  2 14:49:21 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y prsa_par.y

Log Message:
fixed some memory leaks during configuration parsing. patch by Roman Hoog 
Antink r...@open.ch


To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.40 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
cvs rdiff -u -r1.5 -r1.6 src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.39 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.40
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.39	Tue Mar  1 14:14:50 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Wed Mar  2 14:49:21 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.39 2011/03/01 14:14:50 vanhu Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.40 2011/03/02 14:49:21 vanhu Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -423,13 +423,16 @@
 	:	X_ISAKMP ike_addrinfo_port
 		{
 			myaddr_listen($2, FALSE);
+			racoon_free($2);
 		}
 		EOS
 	|	X_ISAKMP_NATT ike_addrinfo_port
 		{
 #ifdef ENABLE_NATT
 			myaddr_listen($2, TRUE);
+			racoon_free($2);
 #else
+			racoon_free($2);
 			yyerror(NAT-T support not compiled in.);
 #endif
 		}
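Review bot: The `racoon_free($2);` is now written three times across the `#ifdef ENABLE_NATT` branches; placing a single call after `#endif` keeps one release point and makes the ownership rule obvious (`myaddr_listen($2, TRUE);` and the `yyerror` stay inside the conditional). Freeing $2 right after myaddr_listen() assumes that function copies the address rather than keeping the pointer; that is not visible here and is worth confirming, with a one-line comment such as `/* myaddr_listen() copies the address; we own $2 */` once confirmed.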

Index: src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y:1.5 src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y:1.6
--- src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y:1.5	Thu Feb 10 11:17:17 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y	Wed Mar  2 14:49:21 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: prsa_par.y,v 1.5 2011/02/10 11:17:17 tteras Exp $	*/
+/*	$NetBSD: prsa_par.y,v 1.6 2011/03/02 14:49:21 vanhu Exp $	*/
 
 /* Id: prsa_par.y,v 1.3 2004/11/08 12:04:23 ludvigm Exp */
 
@@ -211,6 +211,7 @@
 			YYABORT;
 		}
 		$$ = base64_pubkey2rsa($2);
+		free($2);
 	}
 	| TAG_PUB HEX
 	{
@@ -256,6 +257,7 @@
 		}
 		memcpy(sap, res-ai_addr, res-ai_addrlen);
 		freeaddrinfo(res);
+		free($1);
 	}
 	;
 
@@ -284,6 +286,7 @@
 		}
 		memcpy(sap, res-ai_addr, res-ai_addrlen);
 		freeaddrinfo(res);
+		free($1);
 	}
 	;
 



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-03-02 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Wed Mar  2 14:52:32 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: remoteconf.c session.c

Log Message:
fixed some memory leaks in remoteconf. patch by Roman Hoog Antink r...@open.ch


To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
cvs rdiff -u -r1.30 -r1.31 src/crypto/dist/ipsec-tools/src/racoon/session.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.22 src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.23
--- src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.22	Fri Jan 28 13:00:14 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c	Wed Mar  2 14:52:32 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: remoteconf.c,v 1.22 2011/01/28 13:00:14 tteras Exp $	*/
+/*	$NetBSD: remoteconf.c,v 1.23 2011/03/02 14:52:32 vanhu Exp $	*/
 
 /* Id: remoteconf.c,v 1.38 2006/05/06 15:52:44 manubsd Exp */
 
@@ -652,6 +652,8 @@
 		racoon_free(rmconf-cacertfile);
 	if (rmconf-name)
 		racoon_free(rmconf-name);
+	if (rmconf-remote)
+		racoon_free(rmconf-remote);
 	racoon_free(rmconf);
 }
 

Index: src/crypto/dist/ipsec-tools/src/racoon/session.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/session.c:1.30 src/crypto/dist/ipsec-tools/src/racoon/session.c:1.31
--- src/crypto/dist/ipsec-tools/src/racoon/session.c:1.30	Fri Jan 28 13:02:34 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/session.c	Wed Mar  2 14:52:32 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: session.c,v 1.30 2011/01/28 13:02:34 tteras Exp $	*/
+/*	$NetBSD: session.c,v 1.31 2011/03/02 14:52:32 vanhu Exp $	*/
 
 /*	$KAME: session.c,v 1.32 2003/09/24 02:01:17 jinmei Exp $	*/
 
@@ -343,6 +343,7 @@
 	pfkey_send_flush(lcconf-sock_pfkey, SADB_SATYPE_UNSPEC);
 	flushph2();
 	flushph1();
+	flushrmconf();
 	close_sockets();
 	backupsa_clean();
 
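Review bot: The position of the new `flushrmconf();` matters: ph1 handles hold pointers into their remoteconf (the handler.c hunk elsewhere on this page mentions accessing `iph1->rmconf` after it has been freed), so flushrmconf must stay after flushph1() and flushph2(). Since the ordering is load-bearing but invisible, add `/* after flushph1(): ph1 handles reference rmconf */` on that line so a later reordering does not reintroduce a use-after-free.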



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-03-02 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Wed Mar  2 14:58:27 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y remoteconf.c
remoteconf.h

Log Message:
free spspec when deleting a rmconf struct. patch by Roman Hoog Antink 
r...@open.ch


To generate a diff of this commit:
cvs rdiff -u -r1.40 -r1.41 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
cvs rdiff -u -r1.23 -r1.24 \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
cvs rdiff -u -r1.14 -r1.15 \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.40 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.41
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.40	Wed Mar  2 14:49:21 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Wed Mar  2 14:58:27 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.40 2011/03/02 14:49:21 vanhu Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.41 2011/03/02 14:58:27 vanhu Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -145,6 +145,7 @@
 
 static struct secprotospec *newspspec __P((void));
 static void insspspec __P((struct remoteconf *, struct secprotospec *));
+void flushspspec __P((struct remoteconf *));
 static void adminsock_conf __P((vchar_t *, vchar_t *, vchar_t *, int));
 
 static int set_isakmp_proposal __P((struct remoteconf *));
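Review bot: `flushspspec` is now declared twice, here in cfparse.y and as `extern` in remoteconf.h in the same commit (the remoteconf.h hunk below); a second hand-written prototype can drift from the header and defeats the purpose of exporting it. Drop this line and rely on the header, assuming cfparse.y already includes remoteconf.h, which the hunk does not show.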
@@ -2414,6 +2415,25 @@
 	rmconf-spspec = spspec;
 }
 
+/*
+ * delete the whole list
+ */
+void
+flushspspec(rmconf)
+	struct remoteconf *rmconf;
+{
+	struct secprotospec *p;
+
+	while(rmconf-spspec != NULL) {
+		p = rmconf-spspec;
+		rmconf-spspec = p-next;
+		if (p-next != NULL)
+			p-next-prev = NULL; /* not necessary but clean */
+
+		racoon_free(p);		  
+	}
+}
+
 /* set final acceptable proposal */
 static int
 set_isakmp_proposal(rmconf)

Index: src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.23 src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.24
--- src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.23	Wed Mar  2 14:52:32 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c	Wed Mar  2 14:58:27 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: remoteconf.c,v 1.23 2011/03/02 14:52:32 vanhu Exp $	*/
+/*	$NetBSD: remoteconf.c,v 1.24 2011/03/02 14:58:27 vanhu Exp $	*/
 
 /* Id: remoteconf.c,v 1.38 2006/05/06 15:52:44 manubsd Exp */
 
@@ -654,6 +654,7 @@
 		racoon_free(rmconf-name);
 	if (rmconf-remote)
 		racoon_free(rmconf-remote);
+	flushspspec(rmconf);
 	racoon_free(rmconf);
 }
 

Index: src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h:1.14 src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h:1.15
--- src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h:1.14	Wed Feb  2 15:21:34 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.h	Wed Mar  2 14:58:27 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: remoteconf.h,v 1.14 2011/02/02 15:21:34 vanhu Exp $	*/
+/*	$NetBSD: remoteconf.h,v 1.15 2011/03/02 14:58:27 vanhu Exp $	*/
 
 /* Id: remoteconf.h,v 1.26 2006/05/06 15:52:44 manubsd Exp */
 
@@ -208,6 +208,7 @@
 extern void insrmconf __P((struct remoteconf *));
 extern void remrmconf __P((struct remoteconf *));
 extern void flushrmconf __P((void));
+extern void flushspspec __P((struct remoteconf *));
 extern void initrmconf __P((void));
 extern void rmconf_start_reload __P((void));
 extern void rmconf_finish_reload __P((void));



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-03-02 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Wed Mar  2 15:04:01 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: remoteconf.c rsalist.c
rsalist.h

Log Message:
free rsa structures when deleting a struct rmconf. patch by Roman Hoog Antink 
r...@open.ch


To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.25 \
src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
cvs rdiff -u -r1.4 -r1.5 src/crypto/dist/ipsec-tools/src/racoon/rsalist.c \
src/crypto/dist/ipsec-tools/src/racoon/rsalist.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.24 src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.25
--- src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c:1.24	Wed Mar  2 14:58:27 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/remoteconf.c	Wed Mar  2 15:04:01 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: remoteconf.c,v 1.24 2011/03/02 14:58:27 vanhu Exp $	*/
+/*	$NetBSD: remoteconf.c,v 1.25 2011/03/02 15:04:01 vanhu Exp $	*/
 
 /* Id: remoteconf.c,v 1.38 2006/05/06 15:52:44 manubsd Exp */
 
@@ -78,6 +78,7 @@
 #include isakmp_frag.h
 #include handler.h
 #include genlist.h
+#include rsalist.h
 
 typedef TAILQ_HEAD(_rmtree, remoteconf) remoteconf_tailq_head_t;
 static remoteconf_tailq_head_t rmtree, rmtree_save;
@@ -650,6 +651,10 @@
 		vfree(rmconf-cacert);
 	if (rmconf-cacertfile)
 		racoon_free(rmconf-cacertfile);
+	if (rmconf-rsa_private)
+		genlist_free(rmconf-rsa_private, rsa_key_free);
+	if (rmconf-rsa_public)
+		genlist_free(rmconf-rsa_public, rsa_key_free);
 	if (rmconf-name)
 		racoon_free(rmconf-name);
 	if (rmconf-remote)
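Review bot: Freeing `rsa_private` and `rsa_public` with `rsa_key_free` is only safe if each remoteconf exclusively owns its key lists; if a remoteconf can share or inherit these lists from another config (the `inherited_from` handling visible elsewhere on this page suggests such pointer sharing exists in later revisions), this becomes a double free on reload. The enclosing delete function starts outside the hunk, so the ownership rule should be stated at the struct fields or here: `/* rsa_private/rsa_public are owned by this rmconf; never shared */`. The oakley.c hunk on this page frees `rsa_candidates` with a NULL callback, which is consistent with the entries being owned here.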

Index: src/crypto/dist/ipsec-tools/src/racoon/rsalist.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/rsalist.c:1.4 src/crypto/dist/ipsec-tools/src/racoon/rsalist.c:1.5
--- src/crypto/dist/ipsec-tools/src/racoon/rsalist.c:1.4	Sat Sep  9 16:22:10 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/rsalist.c	Wed Mar  2 15:04:01 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: rsalist.c,v 1.4 2006/09/09 16:22:10 manu Exp $	*/
+/*	$NetBSD: rsalist.c,v 1.5 2011/03/02 15:04:01 vanhu Exp $	*/
 
 /* Id: rsalist.c,v 1.3 2004/11/08 12:04:23 ludvigm Exp */
 
@@ -88,6 +88,23 @@
 	return 0;
 }
 
+void
+rsa_key_free(void *data)
+{
+	struct rsa_key *rsa_key;
+
+	
+	rsa_key = (struct rsa_key *)data;
+	if (rsa_key-src)
+		free(rsa_key-src);
+	if (rsa_key-dst)
+		free(rsa_key-dst);
+	if (rsa_key-rsa)
+		RSA_free(rsa_key-rsa);
+
+	free(rsa_key);
+}
+
 static void *
 rsa_key_dump_one(void *entry, void *arg)
 {
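Review bot: The three `if (...)` guards in rsa_key_free are unnecessary, because `free(NULL)` is a no-op and OpenSSL's RSA_free likewise accepts NULL; the function body reduces to `free(rsa_key->src); free(rsa_key->dst); RSA_free(rsa_key->rsa); free(rsa_key);`. The blank line after the declaration carries trailing whitespace and the `data` parameter is dereferenced unconditionally, which is fine for a genlist_free callback as long as the list never stores NULL entries; a short header comment such as `/* genlist_free() callback: releases one struct rsa_key and its members */` would document that contract. Using plain free() here is consistent with the calloc() allocations seen in prsa_par.y on this page, whereas the rest of racoon uses racoon_free(); worth a comment if the mixture is intentional.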
Index: src/crypto/dist/ipsec-tools/src/racoon/rsalist.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/rsalist.h:1.4 src/crypto/dist/ipsec-tools/src/racoon/rsalist.h:1.5
--- src/crypto/dist/ipsec-tools/src/racoon/rsalist.h:1.4	Sat Sep  9 16:22:10 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/rsalist.h	Wed Mar  2 15:04:01 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: rsalist.h,v 1.4 2006/09/09 16:22:10 manu Exp $	*/
+/*	$NetBSD: rsalist.h,v 1.5 2011/03/02 15:04:01 vanhu Exp $	*/
 
 /* Id: rsalist.h,v 1.2 2004/07/12 20:43:51 ludvigm Exp */
 /*
@@ -53,6 +53,7 @@
 };
 
 int rsa_key_insert(struct genlist *list, struct netaddr *src, struct netaddr *dst, RSA *rsa);
+void rsa_key_free(void *data);
 void rsa_key_dump(struct genlist *list);
 
 struct genlist *rsa_lookup_keys(struct ph1handle *iph1, int my);



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-03-02 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Wed Mar  2 15:09:16 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: session.c

Log Message:
flush sainfo list when closing session. patch by Roman Hoog Antink 
r...@open.ch


To generate a diff of this commit:
cvs rdiff -u -r1.31 -r1.32 src/crypto/dist/ipsec-tools/src/racoon/session.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/session.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/session.c:1.31 src/crypto/dist/ipsec-tools/src/racoon/session.c:1.32
--- src/crypto/dist/ipsec-tools/src/racoon/session.c:1.31	Wed Mar  2 14:52:32 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/session.c	Wed Mar  2 15:09:16 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: session.c,v 1.31 2011/03/02 14:52:32 vanhu Exp $	*/
+/*	$NetBSD: session.c,v 1.32 2011/03/02 15:09:16 vanhu Exp $	*/
 
 /*	$KAME: session.c,v 1.32 2003/09/24 02:01:17 jinmei Exp $	*/
 
@@ -344,6 +344,7 @@
 	flushph2();
 	flushph1();
 	flushrmconf();
+	flushsainfo();
 	close_sockets();
 	backupsa_clean();
 



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-03-01 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Tue Mar  1 14:14:50 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y

Log Message:
reset yyerrorcount before doing parse stuff. patch by M E Andersson 
deb...@gisladisker.se


To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.39 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.38 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.39
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.38	Tue Jun 22 09:41:33 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Tue Mar  1 14:14:50 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.38 2010/06/22 09:41:33 vanhu Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.39 2011/03/01 14:14:50 vanhu Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -2617,6 +2617,7 @@
 {
 	int error;
 
+	yyerrorcount = 0;
 	yycf_init_buffer();
 
 	if (yycf_switch_buffer(lcconf-racoon_conf) != 0) {



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-03-01 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Tue Mar  1 14:33:58 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp.c pfkey.c

Log Message:
plog text fixes, patch from M E Andersson deb...@gisladisker.se


To generate a diff of this commit:
cvs rdiff -u -r1.67 -r1.68 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.54 -r1.55 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.67 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.68
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.67	Wed Feb  2 15:21:34 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Tue Mar  1 14:33:58 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.c,v 1.67 2011/02/02 15:21:34 vanhu Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.68 2011/03/01 14:33:58 vanhu Exp $	*/
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
@@ -3422,7 +3422,7 @@
 	dst = iph2-dst;
 
 	plog(LLV_INFO, LOCATION, NULL,
-		 generated policy, deleting it.\n);
+		 deleting a generated policy.\n);
 
 	memset(spidx, 0, sizeof(spidx));
 	iph2-spidx_gen = (caddr_t )spidx;

Index: src/crypto/dist/ipsec-tools/src/racoon/pfkey.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.54 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.55
--- src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.54	Fri Nov 12 10:36:37 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/pfkey.c	Tue Mar  1 14:33:58 2011
@@ -1,6 +1,6 @@
-/*	$NetBSD: pfkey.c,v 1.54 2010/11/12 10:36:37 tteras Exp $	*/
+/*	$NetBSD: pfkey.c,v 1.55 2011/03/01 14:33:58 vanhu Exp $	*/
 
-/* $Id: pfkey.c,v 1.54 2010/11/12 10:36:37 tteras Exp $ */
+/* $Id: pfkey.c,v 1.55 2011/03/01 14:33:58 vanhu Exp $ */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -231,7 +231,7 @@
 		}
 	}
 
-	plog(LLV_DEBUG, LOCATION, NULL, get pfkey %s message\n,
+	plog(LLV_DEBUG, LOCATION, NULL, got pfkey %s message\n,
 		s_pfkey_type(msg-sadb_msg_type));
 	plogdump(LLV_DEBUG2, msg, msg-sadb_msg_len  3);
 
@@ -2344,8 +2344,8 @@
 
 	sp = getsp(spidx);
 	if (sp == NULL) {
-		plog(LLV_ERROR, LOCATION, NULL,
-			such policy does not already exist: \%s\\n,
+		plog(LLV_DEBUG, LOCATION, NULL,
+			this policy did not exist for removal: \%s\\n,
 			spidx2str(spidx));
 	} else {
 		/* preserve hints before deleting the SP */
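Review bot: Downgrading this message from `LLV_ERROR` to `LLV_DEBUG` removes an operator-visible signal: a delete request for a policy that is not in racoon's table can be a benign race with the kernel, but it can also indicate policy state divergence, and at debug level it will not appear in normal logs. If the situation is known to be routine, a comment saying so would justify the level, e.g. `/* expected when the kernel already expired the SP; not an error */`; otherwise `LLV_INFO` keeps it visible without alarming. The enclosing function starts and ends outside this hunk.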
@@ -3611,8 +3611,8 @@
 		break;
 	case IPSECDOI_PROTO_IPCOMP:
 		plog(LLV_DEBUG, LOCATION, NULL,
-			compression algorithm can not be checked 
-			because sadb message doesn't support it.\n);
+			no check of compression algorithm; 
+			not supported in sadb message.\n);
 		return 0;
 	default:
 		plog(LLV_ERROR, LOCATION, NULL,



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-02-20 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Sun Feb 20 17:32:02 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: oakley.c

Log Message:
From Roman Hoog Antink r...@open.ch: Fix memory leak when using plain RSA
key authentication.


To generate a diff of this commit:
cvs rdiff -u -r1.18 -r1.19 src/crypto/dist/ipsec-tools/src/racoon/oakley.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/oakley.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.18 src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.19
--- src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.18	Thu Dec 16 16:59:05 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/oakley.c	Sun Feb 20 17:32:02 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: oakley.c,v 1.18 2010/12/16 16:59:05 gdt Exp $	*/
+/*	$NetBSD: oakley.c,v 1.19 2011/02/20 17:32:02 tteras Exp $	*/
 
 /* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */
 
@@ -1524,6 +1524,8 @@
 			iph1-rsa_p = rsa_try_check_rsasign(my_hash,
 	iph1-sig_p, iph1-rsa_candidates);
 			error = iph1-rsa_p ? 0 : -1;
+			genlist_free(iph1-rsa_candidates, NULL);
+			iph1-rsa_candidates = NULL;
 			break;
 		default:
 			plog(LLV_ERROR, LOCATION, NULL,
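Review bot: The candidate list is released only inside this switch arm, after the signature check, so if a phase 1 handle is destroyed before reaching this point (negotiation aborted or timed out after `rsa_candidates` was populated) the list still leaks unless the ph1 destructor also frees it; that destructor is outside this hunk and should be checked. `iph1->rsa_p` presumably points at an entry that outlives the list, which the NULL callback passed to genlist_free relies on; a comment such as `/* entries are owned by the rmconf key lists, free only the list nodes */` would record that.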



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-02-11 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Feb 11 10:07:20 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: plainrsa-gen.c

Log Message:
From Mats E Andersson deb...@gisladisker.se: Fix fprintf format specifier
usage from previous patch.


To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 \
src/crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.c:1.5 src/crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.c:1.6
--- src/crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.c:1.5	Thu Feb 10 11:20:08 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.c	Fri Feb 11 10:07:19 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: plainrsa-gen.c,v 1.5 2011/02/10 11:20:08 tteras Exp $	*/
+/*	$NetBSD: plainrsa-gen.c,v 1.6 2011/02/11 10:07:19 tteras Exp $	*/
 
 /* Id: plainrsa-gen.c,v 1.6 2005/04/21 09:08:40 monas Exp */
 /*
@@ -131,7 +131,7 @@
 	
 	fprintf(fp, # : PUB 0s%s\n, pubkey64-v);
 	fprintf(fp, : RSA\t{\n);
-	fprintf(fp, \t# RSA %zu bits\n, BN_num_bits(key-n));
+	fprintf(fp, \t# RSA %d bits\n, BN_num_bits(key-n));
 	fprintf(fp, \t# pubkey=0s%s\n, pubkey64-v);
 	fprintf(fp, \tModulus: 0x%s\n, lowercase(BN_bn2hex(key-n)));
 	fprintf(fp, \tPublicExponent: 0x%s\n, lowercase(BN_bn2hex(key-e)));



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-02-10 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Thu Feb 10 11:17:17 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: prsa_par.y

Log Message:
From M E Andersson deb...@gisladisker.se: Fix parsing of restricted RSA
key addresses.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y:1.4 src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y:1.5
--- src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y:1.4	Sat Sep  9 16:22:10 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/prsa_par.y	Thu Feb 10 11:17:17 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: prsa_par.y,v 1.4 2006/09/09 16:22:10 manu Exp $	*/
+/*	$NetBSD: prsa_par.y,v 1.5 2011/02/10 11:17:17 tteras Exp $	*/
 
 /* Id: prsa_par.y,v 1.3 2004/11/08 12:04:23 ludvigm Exp */
 
@@ -236,6 +236,7 @@
 	{
 		int err;
 		struct sockaddr_in *sap;
+		struct addrinfo hints, *res;
 		
 		if ($2 == -1) $2 = 32;
 		if ($2  0 || $2  32) {
@@ -245,12 +246,16 @@
 		$$ = calloc (sizeof(struct netaddr), 1);
 		$$-prefix = $2;
 		sap = (struct sockaddr_in *)($$-sa);
-		sap-sin_family = AF_INET;
-		err = inet_pton(AF_INET, $1, (struct in_addr*)(sap-sin_addr));
-		if (err = 0) {
-			prsaerror(inet_pton(%s): %s\n, $1, strerror(errno));
+		memset(hints, 0, sizeof(hints));
+		hints.ai_family = AF_INET;
+		hints.ai_flags = AI_NUMERICHOST;
+		err = getaddrinfo($1, NULL, hints, res);
+		if (err  0) {
+			prsaerror(getaddrinfo(%s): %s\n, $1, gai_strerror(err));
 			YYABORT;
 		}
+		memcpy(sap, res-ai_addr, res-ai_addrlen);
+		freeaddrinfo(res);
 	}
 	;
 
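Review bot: On the `YYABORT` path after a failed getaddrinfo() the `$$` just allocated with `calloc` is leaked, and `$1` is not released either (the later memory-leak commit on this page adds `free($1)` only on the success path); add `free($$);` and `free($1);` before `YYABORT;`, and the same applies to the IPv6 hunk below. The `calloc (sizeof(struct netaddr), 1)` result is also not checked for NULL before `$$->prefix` is written, and the argument order is idiomatically `calloc(1, sizeof(struct netaddr))`. Copying `res->ai_addrlen` bytes into `$$->sa` is safe only because the `AF_INET` hint bounds the result to a sockaddr_in; a comment noting that would help.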
@@ -259,6 +264,7 @@
 	{
 		int err;
 		struct sockaddr_in6 *sap;
+		struct addrinfo hints, *res;
 		
 		if ($2 == -1) $2 = 128;
 		if ($2  0 || $2  128) {
@@ -268,12 +274,16 @@
 		$$ = calloc (sizeof(struct netaddr), 1);
 		$$-prefix = $2;
 		sap = (struct sockaddr_in6 *)($$-sa);
-		sap-sin6_family = AF_INET6;
-		err = inet_pton(AF_INET6, $1, (struct in6_addr*)(sap-sin6_addr));
-		if (err = 0) {
-			prsaerror(inet_pton(%s): %s\n, $1, strerror(errno));
+		memset(hints, 0, sizeof(hints));
+		hints.ai_family = AF_INET6;
+		hints.ai_flags = AI_NUMERICHOST;
+		err = getaddrinfo($1, NULL, hints, res);
+		if (err  0) {
+			prsaerror(getaddrinfo(%s): %s\n, $1, gai_strerror(err));
 			YYABORT;
 		}
+		memcpy(sap, res-ai_addr, res-ai_addrlen);
+		freeaddrinfo(res);
 	}
 	;
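Review bot: The IPv6 branch uses the same sign-based check `if (err ? 0)` (operator lost in extraction), and getaddrinfo() failure codes are positive on the BSDs but negative on glibc, so on one of the two platforms a rejected address reaches `memcpy(sap, res->ai_addr, res->ai_addrlen)` with `res` uninitialized; `if (err != 0)` is the portable form. One behavioural difference deserves a comment if it is intended: unlike inet_pton(), getaddrinfo() with `AI_NUMERICHOST` accepts a scope suffix such as `fe80::1%em0` and fills `sin6_scope_id`, e.g. `/* getaddrinfo() also accepts link-local scope ids, which inet_pton() did not */`. The grammar action starts before the hunk.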
 



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-02-10 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Thu Feb 10 11:20:08 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: plainrsa-gen.c

Log Message:
From Mats Erik Andersson deb...@gisladisker.se: Implement importing of
RSA keys from PEM files.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 \
src/crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.c:1.4 src/crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.c:1.5
--- src/crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.c:1.4	Sat Sep  9 16:22:10 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.c	Thu Feb 10 11:20:08 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: plainrsa-gen.c,v 1.4 2006/09/09 16:22:10 manu Exp $	*/
+/*	$NetBSD: plainrsa-gen.c,v 1.5 2011/02/10 11:20:08 tteras Exp $	*/
 
 /* Id: plainrsa-gen.c,v 1.6 2005/04/21 09:08:40 monas Exp */
 /*
@@ -43,11 +43,13 @@
 #include sys/stat.h
 #include sys/socket.h
 #include unistd.h
+#include fcntl.h
 
 #include openssl/bio.h
 #include openssl/bn.h
 #include openssl/err.h
 #include openssl/objects.h
+#include openssl/pem.h
 #include openssl/rsa.h
 #include openssl/evp.h
 #ifdef HAVE_OPENSSL_ENGINE_H
@@ -72,6 +74,7 @@
 	fprintf(stderr,   -b bits   Generate bits long RSA key (default=1024)\n);
 	fprintf(stderr,   -e pubexp Public exponent to use (default=0x3)\n);
 	fprintf(stderr,   -f filename   Filename to store the key to (default=stdout)\n);
+	fprintf(stderr,   -i filename   Input source for format conversion\n);
 	fprintf(stderr,   -hHelp\n);
 	fprintf(stderr, \n);
 	fprintf(stderr, Report bugs to ipsec-tools-de...@lists.sourceforge.net\n);
@@ -82,7 +85,7 @@
  * See RFC 2065, section 3.5 for details about the output format.
  */
 vchar_t *
-mix_b64_pubkey(RSA *key)
+mix_b64_pubkey(const RSA *key)
 {
 	char *binbuf;
 	long binlen, ret;
@@ -116,17 +119,10 @@
 }
 
 int
-gen_rsa_key(FILE *fp, size_t bits, unsigned long exp)
+print_rsa_key(FILE *fp, const RSA *key)
 {
-	RSA *key;
 	vchar_t *pubkey64 = NULL;
 
-	key = RSA_generate_key(bits, exp, NULL, NULL);
-	if (!key) {
-		fprintf(stderr, RSA_generate_key(): %s\n, eay_strerror());
-		return -1;
-	}
-	
 	pubkey64 = mix_b64_pubkey(key);
 	if (!pubkey64) {
 		fprintf(stderr, mix_b64_pubkey(): %s\n, eay_strerror());
@@ -135,7 +131,7 @@
 	
 	fprintf(fp, # : PUB 0s%s\n, pubkey64-v);
 	fprintf(fp, : RSA\t{\n);
-	fprintf(fp, \t# RSA %zu bits\n, bits);
+	fprintf(fp, \t# RSA %zu bits\n, BN_num_bits(key-n));
 	fprintf(fp, \t# pubkey=0s%s\n, pubkey64-v);
 	fprintf(fp, \tModulus: 0x%s\n, lowercase(BN_bn2hex(key-n)));
 	fprintf(fp, \tPublicExponent: 0x%s\n, lowercase(BN_bn2hex(key-e)));
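Review bot: `fprintf(fp, "\t# RSA %zu bits\n", BN_num_bits(key->n))` passes an `int` to a `%zu` conversion; that is undefined behaviour and on LP64 targets reads eight bytes where four were passed, so the printed bit count can be garbage. Use the conversion that matches BN_num_bits()'s return type: `fprintf(fp, "\t# RSA %d bits\n", BN_num_bits(key->n));`. The `lowercase(BN_bn2hex(...))` strings on the following lines are never freed, but that is pre-existing and not part of this change. `print_rsa_key()` starts and ends outside the hunk.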
@@ -148,23 +144,92 @@
 	fprintf(fp,   }\n);
 
 	vfree(pubkey64);
+	return 0;
+}
+
+int
+print_public_rsa_key(FILE *fp, const RSA *key)
+{
+	vchar_t *pubkey64 = NULL;
 
+	pubkey64 = mix_b64_pubkey(key);
+	if (!pubkey64) {
+		fprintf(stderr, mix_b64_pubkey(): %s\n, eay_strerror());
+		return -1;
+	}
+	
+	fprintf(fp, : PUB 0s%s\n, pubkey64-v);
+
+	vfree(pubkey64);
 	return 0;
 }
 
 int
+convert_rsa_key(FILE *fpout, FILE *fpin)
+{
+	int ret;
+	RSA *key = NULL;
+
+	key = PEM_read_RSAPrivateKey(fpin, NULL, NULL, NULL);
+	if (key) {
+		ret = print_rsa_key(fpout, key);
+		RSA_free(key);
+
+		return ret;
+	}
+	
+	rewind(fpin);
+
+	key = PEM_read_RSA_PUBKEY(fpin, NULL, NULL, NULL);
+	if (key) {
+		ret = print_public_rsa_key(fpout, key);
+		RSA_free(key);
+
+		return ret;
+	}
+
+	/* Implement parsing of input stream containing
+	 * private or public plainrsa formatted text.
+	 * Convert the result to PEM formatted output.
+	 *
+	 * This seemingly needs manual use of prsaparse().
+	 * An expert ought to do this. */
+
+	fprintf(stderr, convert_rsa_key: %s\n, Only conversion from PEM at this time);
+	return -1;
+}
+
+int
+gen_rsa_key(FILE *fp, size_t bits, unsigned long exp)
+{
+	int ret;
+	RSA *key;
+
+	key = RSA_generate_key(bits, exp, NULL, NULL);
+	if (!key) {
+		fprintf(stderr, RSA_generate_key(): %s\n, eay_strerror());
+		return -1;
+	}
+	
+	ret = print_rsa_key(fp, key);
+	RSA_free(key);
+
+	return ret;
+}
+
+int
 main (int argc, char *argv[])
 {
-	FILE *fp = stdout;
+	FILE *fp = stdout, *fpin = NULL;
 	size_t bits = 1024;
 	unsigned int pubexp = 0x3;
 	struct stat st;
 	extern char *optarg;
 	extern int optind;
-	int c;
-	char *fname = NULL;
+	int c, fd = -1, fdin = -1;
+	char *fname = NULL, *finput = NULL;
 
-	while ((c = getopt(argc, argv, e:b:f:h)) != -1)
+	while ((c = getopt(argc, argv, e:b:f:i:h)) != -1)
 		switch (c) {
 			case 'e':
 if (strncmp(optarg, 0x, 2) == 0)
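Review bot: `convert_rsa_key()` falls back to `PEM_read_RSA_PUBKEY()` after a bare `rewind(fpin)`, which cannot report failure; when `-i` names a pipe or FIFO the rewind silently does nothing, the second parse sees only the remainder of the stream, and the user gets the misleading 'Only conversion from PEM at this time'. Replace it with `if (fseek(fpin, 0L, SEEK_SET) != 0) { perror("fseek"); return -1; }` so non-seekable input is reported as such. The OpenSSL error queue still holds the private-key parse failure when the public-key attempt runs, so an `ERR_clear_error()` before it keeps later eay_strerror() output meaningful (assuming eay_strerror() reads that queue, which is not visible here). The explanatory comment should be a `TODO:` marker rather than 'An expert ought to do this'. `main()` starts in this hunk and continues past it.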
@@ -178,31 +243,65 @@
 			case 'f':
 fname = optarg;
 break;
+			case 'i':
+finput = optarg;
+break;
 			case 'h':
 			default:
 usage(argv[0]);
 		}
 
 	if (fname) {
-		if (stat(fname, st) = 0) 

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-01-28 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Jan 28 12:51:40 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: plog.c

Log Message:
From Roman Hoog Antink r...@open.ch: Log remote IP address if available
(slightly modified by tteras)


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/crypto/dist/ipsec-tools/src/racoon/plog.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/plog.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/plog.c:1.6 src/crypto/dist/ipsec-tools/src/racoon/plog.c:1.7
--- src/crypto/dist/ipsec-tools/src/racoon/plog.c:1.6	Mon Apr 20 13:23:55 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/plog.c	Fri Jan 28 12:51:40 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: plog.c,v 1.6 2009/04/20 13:23:55 tteras Exp $	*/
+/*	$NetBSD: plog.c,v 1.7 2011/01/28 12:51:40 tteras Exp $	*/
 
 /* Id: plog.c,v 1.11 2006/06/20 09:57:31 vanhu Exp */
 
@@ -36,6 +36,7 @@
 #include sys/types.h
 #include sys/param.h
 
+#include arpa/inet.h
 #include stdlib.h
 #include stdio.h
 #include string.h
@@ -78,7 +79,7 @@
 static struct log *logp = NULL;
 static char *logfile = NULL;
 
-static char *plog_common __P((int, const char *, const char *));
+static char *plog_common __P((int, const char *, const char *, struct sockaddr *));
 
 static struct plogtags {
 	char *name;
@@ -94,11 +95,13 @@
 };
 
 static char *
-plog_common(pri, fmt, func)
+plog_common(pri, fmt, func, sa)
 	int pri;
 	const char *fmt, *func;
+	struct sockaddr *sa;
 {
 	static char buf[800];	/* XXX shoule be allocated every time ? */
+	void *addr;
 	char *p;
 	int reslen, len;
 
@@ -116,19 +119,43 @@
 		reslen -= len;
 	}
 
+	if (sa  reslen  3) {
+		addr = NULL;
+		switch (sa-sa_family) {
+		case AF_INET:
+			addr = ((struct sockaddr_in*)sa)-sin_addr;
+			break;
+		case AF_INET6:
+			addr = ((struct sockaddr_in6*)sa)-sin6_addr;
+			break;
+		}
+		if (inet_ntop(sa-sa_family, addr, p + 1, reslen - 3) != NULL) {
+			*p++ = '[';
+			len = strlen(p);
+			p += len;
+			*p++ = ']';
+			*p++ = ' ';
+			reslen -= len + 3;
+		}
+	}
+
 	if (pri  ARRAYLEN(ptab)) {
 		len = snprintf(p, reslen, %s: , ptab[pri].name);
-		if (len = 0  len  reslen) {
-			p += len;
-			reslen -= len;
-		} else
-			*p = '\0';
+		p += len;
+		reslen -= len;
 	}
 
 	if (print_location)
-		snprintf(p, reslen, %s: %s, func, fmt);
+		len = snprintf(p, reslen, %s: %s, func, fmt);
 	else
-		snprintf(p, reslen, %s, fmt);
+		len = snprintf(p, reslen, %s, fmt);
+	p += len;
+	reslen -= len;
+
+	/* Force nul termination */
+	if (reslen == 0)
+		p[-1] = 0;
+
 #ifdef BROKEN_PRINTF
 	while ((p = strstr(buf,%z)) != NULL)
 		p[1] = 'l';
@@ -157,7 +184,7 @@
 	if (pri  loglevel)
 		return;
 
-	newfmt = plog_common(pri, fmt, func);
+	newfmt = plog_common(pri, fmt, func, sa);
 
 	VA_COPY(ap_bak, ap);
 	



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-01-28 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Jan 28 13:02:34 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: sainfo.c sainfo.h session.c

Log Message:
From Roman Hoog Antink r...@open.ch: Clean up sainfo reloading: rename
the functions, and remove unneeded global variable.


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 src/crypto/dist/ipsec-tools/src/racoon/sainfo.c
cvs rdiff -u -r1.6 -r1.7 src/crypto/dist/ipsec-tools/src/racoon/sainfo.h
cvs rdiff -u -r1.29 -r1.30 src/crypto/dist/ipsec-tools/src/racoon/session.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/sainfo.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/sainfo.c:1.12 src/crypto/dist/ipsec-tools/src/racoon/sainfo.c:1.13
--- src/crypto/dist/ipsec-tools/src/racoon/sainfo.c:1.12	Sun Jan 17 23:03:01 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/sainfo.c	Fri Jan 28 13:02:34 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: sainfo.c,v 1.12 2010/01/17 23:03:01 wiz Exp $	*/
+/*	$NetBSD: sainfo.c,v 1.13 2011/01/28 13:02:34 tteras Exp $	*/
 
 /*	$KAME: sainfo.c,v 1.16 2003/06/27 07:32:39 sakane Exp $	*/
 
@@ -64,7 +64,8 @@
 #include sainfo.h
 #include gcmalloc.h
 
-static LIST_HEAD(_sitree, sainfo) sitree, sitree_save, sitree_tmp;
+typedef LIST_HEAD(_sitree, sainfo) sainfo_tailq_head_t;
+static sainfo_tailq_head_t sitree, sitree_save;
 
 /* %%%
  * modules for ipsec sa info
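Review bot: `sainfo_tailq_head_t` is a typedef of `LIST_HEAD(_sitree, sainfo)`, so the name promises a TAILQ that the type is not; `typedef LIST_HEAD(_sitree, sainfo) sainfo_list_head_t;` keeps the next reader from reaching for TAILQ_* macros on it. The rename to `sainfo_start_reload`/`sainfo_finish_reload` also leaves `save_sainfotree_restore` declared in sainfo.h under the old naming scheme, which is worth either renaming alongside or marking as intentional.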
@@ -392,12 +393,14 @@
 return buf;
 }
 
-void save_sainfotree(void){
+void sainfo_start_reload(void){
 	sitree_save=sitree;
 	initsainfo();
 }
 
-void save_sainfotree_flush(void){
+void sainfo_finish_reload(void){
+	sainfo_tailq_head_t sitree_tmp;
+
 	sitree_tmp=sitree;
 	sitree=sitree_save;
 	flushsainfo();

Index: src/crypto/dist/ipsec-tools/src/racoon/sainfo.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/sainfo.h:1.6 src/crypto/dist/ipsec-tools/src/racoon/sainfo.h:1.7
--- src/crypto/dist/ipsec-tools/src/racoon/sainfo.h:1.6	Wed Sep 12 23:39:51 2007
+++ src/crypto/dist/ipsec-tools/src/racoon/sainfo.h	Fri Jan 28 13:02:34 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: sainfo.h,v 1.6 2007/09/12 23:39:51 mgrooms Exp $	*/
+/*	$NetBSD: sainfo.h,v 1.7 2011/01/28 13:02:34 tteras Exp $	*/
 
 /* Id: sainfo.h,v 1.5 2006/07/09 17:19:38 manubsd Exp */
 
@@ -85,8 +85,8 @@
 extern void inssainfoalg __P((struct sainfoalg **, struct sainfoalg *));
 extern const char * sainfo2str __P((const struct sainfo *));
 
-extern void save_sainfotree __P((void));
-extern void save_sainfotree_flush __P((void));
+extern void sainfo_start_reload __P((void));
+extern void sainfo_finish_reload __P((void));
 extern void save_sainfotree_restore __P((void));
 
 #endif /* _SAINFO_H */

Index: src/crypto/dist/ipsec-tools/src/racoon/session.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/session.c:1.29 src/crypto/dist/ipsec-tools/src/racoon/session.c:1.30
--- src/crypto/dist/ipsec-tools/src/racoon/session.c:1.29	Fri Jan 28 13:00:14 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/session.c	Fri Jan 28 13:02:34 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: session.c,v 1.29 2011/01/28 13:00:14 tteras Exp $	*/
+/*	$NetBSD: session.c,v 1.30 2011/01/28 13:02:34 tteras Exp $	*/
 
 /*	$KAME: session.c,v 1.32 2003/09/24 02:01:17 jinmei Exp $	*/
 
@@ -387,7 +387,7 @@
 	}
 #endif
 
-	save_sainfotree();
+	sainfo_start_reload();
 
 	/* TODO: save / restore / flush old lcconf (?) / rmtree
 	 */
@@ -429,7 +429,7 @@
 	/* Update ctdtree ?
 	 */
 
-	save_sainfotree_flush();
+	sainfo_finish_reload();
 	rmconf_finish_reload();
 }
 



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2011-01-21 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Sat Jan 22 07:38:52 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_inf.c

Log Message:
From Roman Hoog Antink r...@open.ch: Fixes a null pointer dereference
that might occur after removing peers from the config and then reloading.


To generate a diff of this commit:
cvs rdiff -u -r1.44 -r1.45 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.44 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.45
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.44	Wed Nov 17 10:40:41 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Sat Jan 22 07:38:51 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.c,v 1.44 2010/11/17 10:40:41 tteras Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.45 2011/01/22 07:38:51 tteras Exp $	*/
 
 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
 
@@ -1502,6 +1502,15 @@
 
 	plog(LLV_DEBUG, LOCATION, iph1-remote, DPD monitoring\n);
 
+	if (iph1-status == PHASE1ST_EXPIRED) {
+		/* This can happen after removing tunnels from the
+		 * config file and then reloading.
+		 * Such iph1 have rmconf=NULL, so return before the if
+		 * block below.
+		 */
+		return;
+	}
+
 	if (iph1-dpd_fails = iph1-rmconf-dpd_maxfails) {
 
 		plog(LLV_INFO, LOCATION, iph1-remote,
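Review bot: The guard tests `iph1->status == PHASE1ST_EXPIRED` while the dereference it protects is `iph1->rmconf->dpd_maxfails`; the crash condition named in the comment is `rmconf == NULL`, so checking the pointer directly, `if (iph1->status == PHASE1ST_EXPIRED || iph1->rmconf == NULL) return;`, also covers any other path that leaves a phase1 without a config. `ph1_rekey_enabled()` in handler.c already uses the `rmconf == NULL` form, so this keeps the two DPD/rekey checks consistent. The comment's 'the if block below' should name what is protected: `/* ... such iph1 have rmconf == NULL, so do not touch dpd_maxfails. */`. The enclosing DPD timer function starts and ends outside the hunk.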



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2010-12-27 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Dec 28 06:00:18 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: handler.c

Log Message:
From Roman Hoog Antink r...@open.ch: Fix config reload to not delete
too many phase 2 handles, because wrong chain field is used when
enumerating the handles.


To generate a diff of this commit:
cvs rdiff -u -r1.34 -r1.35 src/crypto/dist/ipsec-tools/src/racoon/handler.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/handler.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.34 src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.35
--- src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.34	Wed Nov 17 10:40:41 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.c	Tue Dec 28 06:00:18 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.c,v 1.34 2010/11/17 10:40:41 tteras Exp $	*/
+/*	$NetBSD: handler.c,v 1.35 2010/12/28 06:00:18 tteras Exp $	*/
 
 /* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */
 
@@ -1468,7 +1468,7 @@
 	if (iph1-status == PHASE1ST_ESTABLISHED ||
 	iph1-status == PHASE1ST_DYING) {
 		for (iph2 = LIST_FIRST(iph1-ph2tree); iph2; iph2 = iph2_next) {
-			iph2_next = LIST_NEXT(iph2, chain);
+			iph2_next = LIST_NEXT(iph2, ph1bind);
 			remove_ph2(iph2);
 		}
 		isakmp_info_send_d1(iph1);



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2010-12-16 Thread Greg Troxel
Module Name:src
Committed By:   gdt
Date:   Thu Dec 16 16:59:05 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: oakley.c

Log Message:
When encountering a certificate where ID mismatched with ASN1
SubjectName, and verify_identifier is off, don't raise an error.
This makes the behavior match the man page.

Patch sent for review long ago:
  http://mail-index.netbsd.org/tech-security/2006/03/24/.html
with no negative feedback received to date.


To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.18 src/crypto/dist/ipsec-tools/src/racoon/oakley.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/oakley.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.17 src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.18
--- src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.17	Mon Aug 24 09:33:03 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/oakley.c	Thu Dec 16 16:59:05 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: oakley.c,v 1.17 2009/08/24 09:33:03 vanhu Exp $	*/
+/*	$NetBSD: oakley.c,v 1.18 2010/12/16 16:59:05 gdt Exp $	*/
 
 /* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */
 
@@ -1817,7 +1817,8 @@
 ID mismatched with ASN1 SubjectName.\n);
 			plogdump(LLV_DEBUG, id_b + 1, idlen);
 			plogdump(LLV_DEBUG, name-v, idlen);
-			return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
+			if (iph1-rmconf-verify_identifier)
+return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
 		}
 		return 0;
 	case IPSECDOI_ID_IPV4_ADDR:
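Review bot: With `verify_identifier` off an ID that does not match the certificate's SubjectName is now accepted via `return 0`, yet the only trace is the plog()/plogdump() group above: the plog() call starts outside the hunk so its level is not visible, and the dumps are LLV_DEBUG, so a peer can present any certificate the CA chain accepts under any ID and policy selection keyed on that ID trusts the peer's claim without an operator-visible record. Add an `else` branch to the new `if`: `plog(LLV_WARNING, LOCATION, NULL, "ID mismatched with ASN1 SubjectName, accepted because verify_identifier is off\n");`. A short comment such as `/* verify_identifier off: the ID is not bound to the certificate; the mismatch is only logged */` records the security consequence at the point of the decision. The enclosing ID check function starts before the hunk.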
@@ -1889,7 +1890,8 @@
 ID mismatched with subjectAltName.\n);
 			plogdump(LLV_DEBUG, id_b + 1, idlen);
 			plogdump(LLV_DEBUG, a, idlen);
-			return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
+			if (iph1-rmconf-verify_identifier)
+return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
 		}
 		return 0;
 	}
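Review bot: The subjectAltName branch now falls through to `return 0` when `verify_identifier` is off with the mismatch recorded only by the debug dumps above; since this is the path that binds a DNS, e-mail or address ID to the certificate, an accepted mismatch deserves an `else` on the new `if`: `plog(LLV_WARNING, LOCATION, NULL, "ID mismatched with subjectAltName, accepted because verify_identifier is off\n");`. A matching one-line comment that the ID is no longer tied to the certificate when the option is off would make the intent clear to whoever audits this later. The enclosing function begins before the hunk.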



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2010-12-14 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Dec 14 17:57:32 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: ipsec_doi.c

Log Message:
From Roman Hoog Antink r...@open.ch: Fix possible null dereference.


To generate a diff of this commit:
cvs rdiff -u -r1.45 -r1.46 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.45 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.46
--- src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.45	Mon Oct 11 14:16:30 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c	Tue Dec 14 17:57:31 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_doi.c,v 1.45 2010/10/11 14:16:30 vanhu Exp $	*/
+/*	$NetBSD: ipsec_doi.c,v 1.46 2010/12/14 17:57:31 tteras Exp $	*/
 
 /* Id: ipsec_doi.c,v 1.55 2006/08/17 09:20:41 vanhu Exp */
 
@@ -4166,9 +4166,14 @@
 	u_int8_t *prefixlen;
 	u_int16_t *ul_proto;
 {
-	struct ipsecdoi_id_b *id_b = (struct ipsecdoi_id_b *)buf-v;
+	struct ipsecdoi_id_b *id_b = NULL;
 	u_int plen = 0;
 
+	if (buf == NULL)
+		return ISAKMP_INTERNAL_ERROR;
+
+	id_b = (struct ipsecdoi_id_b *)buf-v;
+
 	/*
 	 * When a ID payload of subnet type with a IP address of full bit
 	 * masked, it has to be processed as host address.
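Review bot: The new NULL test guards the pointer, but the cast on the next line still assumes `buf->l >= sizeof(struct ipsecdoi_id_b)`; unless the part of the function below the hunk compares `buf->l` with the header size, a short ID payload from the peer is read past the end of the vchar. Extending the check, `if (buf == NULL || buf->l < sizeof(*id_b)) return ISAKMP_INTERNAL_ERROR;`, closes that without changing the calling convention. The function starts before the hunk and continues after it.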



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2010-12-07 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Dec  7 14:28:12 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp_quick.c

Log Message:
Fix spacing and improve wording in some log messages.


To generate a diff of this commit:
cvs rdiff -u -r1.27 -r1.28 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c:1.27 src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c:1.28
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c:1.27	Wed Oct 20 13:37:37 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c	Tue Dec  7 14:28:12 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_quick.c,v 1.27 2010/10/20 13:37:37 tteras Exp $	*/
+/*	$NetBSD: isakmp_quick.c,v 1.28 2010/12/07 14:28:12 tteras Exp $	*/
 
 /* Id: isakmp_quick.c,v 1.29 2006/08/22 18:17:17 manubsd Exp */
 
@@ -2383,9 +2383,9 @@
 			}
 		} else {
 			plog(LLV_DEBUG, LOCATION, NULL,
-			 Either family (%d - %d), types (%d - %d) of ID
-			 from initiator differ or matching sainfo has
-			 has no id_i defined for the peer. Not filling
+			 Either family (%d - %d), types (%d - %d) of ID 
+			 from initiator differ or matching sainfo 
+			 has no id_i defined for the peer. Not filling 
 			 iph2-sa_src and iph2-sa_dst.\n,
 			 spidx.src.ss_family, spidx.dst.ss_family,
 			 _XIDT(iph2-id_p),idi2type);
@@ -2416,7 +2416,7 @@
 #undef _XIDT
 
 	plog(LLV_DEBUG, LOCATION, NULL,
-		get a src address from ID payload 
+		get src address from ID payload 
 		%s prefixlen=%u ul_proto=%u\n,
 		saddr2str((struct sockaddr *)spidx.src),
 		spidx.prefs, spidx.ul_proto);



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2010-12-07 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Wed Dec  8 07:38:35 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: admin.c

Log Message:
Use separate SA addresses for phase2's created by admin command. The
phase2 startup overwrites src/dst with ISAKMP ports if they are zero
and we don't want that to happen for the SA ports.


To generate a diff of this commit:
cvs rdiff -u -r1.37 -r1.38 src/crypto/dist/ipsec-tools/src/racoon/admin.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/admin.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.37 src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.38
--- src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.37	Fri Nov 12 10:36:37 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/admin.c	Wed Dec  8 07:38:35 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: admin.c,v 1.37 2010/11/12 10:36:37 tteras Exp $	*/
+/*	$NetBSD: admin.c,v 1.38 2010/12/08 07:38:35 tteras Exp $	*/
 
 /* Id: admin.c,v 1.25 2006/04/06 14:31:04 manubsd Exp */
 
@@ -564,12 +564,17 @@
 			iph2-status = PHASE2ST_STATUS2;
 
 			/* set end addresses of SA */
+			iph2-sa_dst = dupsaddr(dst);
+			iph2-sa_src = dupsaddr(src);
 			iph2-dst = dupsaddr(dst);
 			iph2-src = dupsaddr(src);
-			if (iph2-dst == NULL || iph2-src == NULL) {
+			if (iph2-sa_src == NULL || iph2-sa_dst == NULL ||
+			iph2-dst == NULL || iph2-src == NULL) {
 delph2(iph2);
 break;
 			}
+			set_port(iph2-dst, 0);
+			set_port(iph2-src, 0);
 
 			if (isakmp_get_sainfo(iph2, sp_out, sp_in)  0) {
 delph2(iph2);



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2010-12-03 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Dec  3 09:46:24 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: grabmyaddr.c

Log Message:
Netlink deletion notification does not guarantee actual address deletion:
it might still exist on some other interface. Make sure we do not unbind
unless the address is really gone.


To generate a diff of this commit:
cvs rdiff -u -r1.26 -r1.27 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.26 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.27
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.26	Fri Oct 22 06:26:26 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Fri Dec  3 09:46:24 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.26 2010/10/22 06:26:26 tteras Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.27 2010/12/03 09:46:24 tteras Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras timo.te...@iki.fi.
@@ -319,6 +319,11 @@
 
 #if defined(USE_NETLINK)
 
+static int netlink_fd = -1;
+
+#define NLMSG_TAIL(nmsg) \
+	((struct rtattr *) (((void *) (nmsg)) + NLMSG_ALIGN((nmsg)-nlmsg_len)))
+
 static void
 parse_rtattr(struct rtattr *tb[], int max, struct rtattr *rta, int len)
 {
@@ -331,6 +336,24 @@
 }
 
 static int
+netlink_add_rtattr_l(struct nlmsghdr *n, int maxlen, int type,
+		 const void *data, int alen)
+{
+	int len = RTA_LENGTH(alen);
+	struct rtattr *rta;
+
+	if (NLMSG_ALIGN(n-nlmsg_len) + RTA_ALIGN(len)  maxlen)
+		return FALSE;
+
+	rta = NLMSG_TAIL(n);
+	rta-rta_type = type;
+	rta-rta_len = len;
+	memcpy(RTA_DATA(rta), data, alen);
+	n-nlmsg_len = NLMSG_ALIGN(n-nlmsg_len) + RTA_ALIGN(len);
+	return TRUE;
+}
+
+static int
 netlink_enumerate(fd, family, type)
 	int fd;
 	int family;
@@ -410,6 +433,42 @@
 #endif
 
 static int
+netlink_route_is_local(int family, const unsigned char *addr, size_t addr_len)
+{
+	struct {
+		struct nlmsghdr n;
+		struct rtmsgr;
+		charbuf[1024];
+	} req;
+	struct rtmsg *r = NLMSG_DATA(req.n);
+	struct rtattr *rta[RTA_MAX+1];
+	struct sockaddr_nl nladdr;
+	ssize_t rlen;
+
+	memset(req, 0, sizeof(req));
+	req.n.nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
+	req.n.nlmsg_flags = NLM_F_REQUEST;
+	req.n.nlmsg_type = RTM_GETROUTE;
+	req.r.rtm_family = family;
+	netlink_add_rtattr_l(req.n, sizeof(req), RTA_DST,
+			 addr, addr_len);
+	req.r.rtm_dst_len = addr_len * 8;
+
+	memset(nladdr, 0, sizeof(nladdr));
+	nladdr.nl_family = AF_NETLINK;
+
+	if (sendto(netlink_fd, req, sizeof(req), 0,
+		   (struct sockaddr *) nladdr, sizeof(nladdr))  0)
+		return 0;
+	rlen = recv(netlink_fd, req, sizeof(req), 0);
+	if (rlen  0)
+		return 0;
+
+	return  req.n.nlmsg_type == RTM_NEWROUTE 
+		req.r.rtm_type == RTN_LOCAL;
+}
+
+static int
 netlink_process_route(struct nlmsghdr *h)
 {
 	struct sockaddr_storage addr;
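Review bot: `netlink_route_is_local()` reads `req.n.nlmsg_type` and `req.r.rtm_type` from whatever `recv()` returned without checking that `rlen` covers a netlink header plus `struct rtmsg`; a short or NLMSG_ERROR reply (the kernel's answer when the lookup fails) is then examined as if it were route data, and nothing matches seq/pid to tie the reply to this request. The request is also sent as `sizeof(req)`, the whole 1024-byte scratch area, rather than `req.n.nlmsg_len`, and `r`, `rta[]` and the return value of `netlink_add_rtattr_l()` are unused. `netlink_fd` comes from `netlink_open_socket()`, which puts the socket in non-blocking mode, so if the reply is not queued when `recv()` runs the function answers 'not local' and the address is unbound anyway; the kernel normally queues the route reply during `sendto()`, but that should be stated in a comment if it is being relied on.
```c
	/* … unchanged: request construction … */
	if (sendto(netlink_fd, &req, req.n.nlmsg_len, 0,
		   (struct sockaddr *) &nladdr, sizeof(nladdr)) < 0)
		return 0;
	rlen = recv(netlink_fd, &req, sizeof(req), 0);
	if (rlen < 0 || !NLMSG_OK(&req.n, rlen) ||
	    req.n.nlmsg_len < NLMSG_LENGTH(sizeof(struct rtmsg)) ||
	    req.n.nlmsg_type != RTM_NEWROUTE)
		return 0;
	return req.r.rtm_type == RTN_LOCAL;
```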
@@ -455,6 +514,18 @@
 		return 0;
 	}
 
+	/* If local route was deleted, check if there is still local
+	 * route for the same IP on another interface */
+	if (h-nlmsg_type == RTM_DELROUTE 
+	netlink_route_is_local(rtm-rtm_family,
+   RTA_DATA(rta[RTA_DST]),
+   RTA_PAYLOAD(rta[RTA_DST]))) {
+		plog(LLV_DEBUG, LOCATION, NULL,
+			Netlink: not deleting %s yet, it exists still\n,
+			saddrwop2str((struct sockaddr *) addr));
+		return 0;
+	}
+
 	netlink_add_del_address(h-nlmsg_type == RTM_NEWROUTE,
 (struct sockaddr *) addr);
 	return 0;
@@ -518,9 +589,8 @@
 }
 
 static int
-kernel_open_socket()
+netlink_open_socket()
 {
-	struct sockaddr_nl nl;
 	int fd;
 
 	fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
@@ -535,6 +605,25 @@
 		plog(LLV_WARNING, LOCATION, NULL,
 		 failed to put socket in non-blocking mode\n);
 
+	return fd;
+}
+
+static int
+kernel_open_socket()
+{
+	struct sockaddr_nl nl;
+	int fd;
+
+	if (netlink_fd  0) {
+		netlink_fd = netlink_open_socket();
+		if (netlink_fd  0)
+			return -1;
+	}
+
+	fd = netlink_open_socket();
+	if (fd  0)
+		return fd;
+
 	/* We monitor IPv4 addresses using RTMGRP_IPV4_ROUTE group
 	 * the get the RTN_LOCAL routes which are automatically added
 	 * by kernel. This is because:



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2010-11-17 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Wed Nov 17 10:40:41 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: handler.c handler.h isakmp.c
isakmp_inf.c

Log Message:
Fix my previous patch to not call purge_remote() twice. Change the place
where purge_remote() is called. This fixes also a possible crash from the
same patch since ph1-remote can be NULL (when we are responder and config
is not yet selected).


To generate a diff of this commit:
cvs rdiff -u -r1.33 -r1.34 src/crypto/dist/ipsec-tools/src/racoon/handler.c
cvs rdiff -u -r1.24 -r1.25 src/crypto/dist/ipsec-tools/src/racoon/handler.h
cvs rdiff -u -r1.65 -r1.66 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.43 -r1.44 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/handler.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.33 src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.34
--- src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.33	Thu Oct 21 06:04:33 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.c	Wed Nov 17 10:40:41 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.c,v 1.33 2010/10/21 06:04:33 tteras Exp $	*/
+/*	$NetBSD: handler.c,v 1.34 2010/11/17 10:40:41 tteras Exp $	*/
 
 /* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */
 
@@ -514,6 +514,22 @@
 	LIST_INIT(ph1tree);
 }
 
+int
+ph1_rekey_enabled(iph1)
+	struct ph1handle *iph1;
+{
+	if (iph1-rmconf == NULL)
+		return 0;
+	if (iph1-rmconf-rekey == REKEY_FORCE)
+		return 1;
+#ifdef ENABLE_DPD
+	if (iph1-rmconf-rekey == REKEY_ON  iph1-dpd_support 
+	iph1-rmconf-dpd_interval)
+		return 1;
+#endif
+	return 0;
+}
+
 /* %%% management phase 2 handler */
 
 int
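Review bot: `ph1_rekey_enabled()` is now an exported helper but carries no comment on what it decides or why `rmconf` may be NULL; the commit message attributes the crash to `ph1->remote`, while the guard added here is on `iph1->rmconf`, which matches the message's own 'config is not yet selected' explanation, so the comment should name the field the code actually checks. Suggested header, judging by the callers in this commit: `/* Return 1 if a dead phase1 should also take its IPsec SAs down and run the dead hook: rekey forced, or rekey on with DPD active. rmconf is NULL for a responder that has not selected a remote config yet; treat that as "no rekey". */`. The callers in isakmp.c and isakmp_inf.c are part of this commit, but the isakmp_inf.c hunk is cut off here.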

Index: src/crypto/dist/ipsec-tools/src/racoon/handler.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.h:1.24 src/crypto/dist/ipsec-tools/src/racoon/handler.h:1.25
--- src/crypto/dist/ipsec-tools/src/racoon/handler.h:1.24	Fri Nov 12 09:09:47 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.h	Wed Nov 17 10:40:41 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.h,v 1.24 2010/11/12 09:09:47 tteras Exp $	*/
+/*	$NetBSD: handler.h,v 1.25 2010/11/17 10:40:41 tteras Exp $	*/
 
 /* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
 
@@ -493,6 +493,7 @@
 extern int resolveph1rmconf __P((struct ph1handle *));
 extern void flushph1 __P((void));
 extern void initph1tree __P((void));
+extern int ph1_rekey_enabled __P((struct ph1handle *));
 
 extern int enumph2 __P((struct ph2selector *ph2sel,
 			int (* enum_func)(struct ph2handle *iph2, void *arg),

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.65 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.66
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.65	Fri Nov 12 10:36:37 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Wed Nov 17 10:40:41 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.c,v 1.65 2010/11/12 10:36:37 tteras Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.66 2010/11/17 10:40:41 tteras Exp $	*/
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
@@ -766,20 +766,6 @@
 	return 0;
 }
 
-static int
-ph1_rekey_enabled(iph1)
-	struct ph1handle *iph1;
-{
-	if (iph1-rmconf-rekey == REKEY_FORCE)
-		return 1;
-#ifdef ENABLE_DPD
-	if (iph1-rmconf-rekey == REKEY_ON  iph1-dpd_support 
-	iph1-rmconf-dpd_interval)
-		return 1;
-#endif
-	return 0;
-}
-
 /*
  * main function of phase 1.
  */
@@ -2081,11 +2067,9 @@
 		src, dst, isakmp_pindex(iph1-index, 0));
 
 	evt_phase1(iph1, EVT_PHASE1_DOWN, NULL);
-
-	if (new_iph1 == NULL  ph1_rekey_enabled(iph1)) {
-		purge_remote(iph1);
+	if (new_iph1 == NULL  ph1_rekey_enabled(iph1))
 		script_hook(iph1, SCRIPT_PHASE1_DEAD);
-	}
+
 	racoon_free(src);
 	racoon_free(dst);
 
@@ -3521,7 +3505,7 @@
 		}
 	}
 
-	/* make source address in spidx */
+		/* make source address in spidx */
 	if (iph2-id_p != NULL
 		 (_XIDT(iph2-id_p) == IPSECDOI_ID_IPV4_ADDR
 			|| _XIDT(iph2-id_p) == IPSECDOI_ID_IPV6_ADDR

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.43 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.44
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.43	Fri Nov 12 09:09:47 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Wed Nov 17 10:40:41 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.c,v 1.43 2010/11/12 09:09:47 tteras Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.44 2010/11/17 10:40:41 tteras Exp $	*/
 
 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
 
@@ -516,10 +516,12 @@
 			sched_cancel(del_ph1-scr);
 
 			/*
-			 * Do not delete IPsec SAs when receiving an IKE delete notification.
-			 * Just delete the IKE SA.
+			 * Delete also IPsec-SAs if rekeying is enabled.
 			 */
-			

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2010-11-12 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Nov 12 09:08:26 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: admin.c admin.h kmpstat.c
racoonctl.c

Log Message:
Extend the admin protocol to allow reply packets to exceed 64kb. E.g. SA dumps
with many established SAs can easily exceed the limit.


To generate a diff of this commit:
cvs rdiff -u -r1.35 -r1.36 src/crypto/dist/ipsec-tools/src/racoon/admin.c
cvs rdiff -u -r1.7 -r1.8 src/crypto/dist/ipsec-tools/src/racoon/admin.h
cvs rdiff -u -r1.6 -r1.7 src/crypto/dist/ipsec-tools/src/racoon/kmpstat.c
cvs rdiff -u -r1.17 -r1.18 src/crypto/dist/ipsec-tools/src/racoon/racoonctl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/admin.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.35 src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.36
--- src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.35	Thu Oct 21 06:15:28 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/admin.c	Fri Nov 12 09:08:26 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: admin.c,v 1.35 2010/10/21 06:15:28 tteras Exp $	*/
+/*	$NetBSD: admin.c,v 1.36 2010/11/12 09:08:26 tteras Exp $	*/
 
 /* Id: admin.c,v 1.25 2006/04/06 14:31:04 manubsd Exp */
 
@@ -638,9 +638,15 @@
 	}
 
 	combuf = (struct admin_com *) retbuf;
-	combuf-ac_len = tlen;
+	combuf-ac_len = (u_int16_t) tlen;
 	combuf-ac_cmd = req-ac_cmd  ~ADMIN_FLAG_VERSION;
-	combuf-ac_errno = l_ac_errno;
+	if (tlen != (u_int32_t) combuf-ac_len 
+	l_ac_errno == 0) {
+		combuf-ac_len_high = tlen  16;
+		combuf-ac_cmd |= ADMIN_FLAG_LONG_REPLY;
+	} else {
+		combuf-ac_errno = l_ac_errno;
+	}
 	combuf-ac_proto = req-ac_proto;
 
 	if (buf != NULL)
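Review bot: The error branch on the new side sends a truncated length: `combuf->ac_len = (u_int16_t) tlen;` is assigned before the `if`, so when `tlen` exceeds 16 bits but `l_ac_errno` is non-zero, neither `ac_len_high` nor `ADMIN_FLAG_LONG_REPLY` is set and the receiver sees only the low 16 bits. The receiver in the kmpstat.c hunk bails on `ac_errno` before reading the body, so this is probably harmless, but the constraint deserves a comment because `ac_len_high` overlays `ac_errno` in the union: `/* ac_len_high overlays ac_errno: a reply >64KB can only be flagged long when there is no error to report. */`. The enclosing function starts and ends outside the hunk.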

Index: src/crypto/dist/ipsec-tools/src/racoon/admin.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/admin.h:1.7 src/crypto/dist/ipsec-tools/src/racoon/admin.h:1.8
--- src/crypto/dist/ipsec-tools/src/racoon/admin.h:1.7	Fri Aug 29 00:30:15 2008
+++ src/crypto/dist/ipsec-tools/src/racoon/admin.h	Fri Nov 12 09:08:26 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: admin.h,v 1.7 2008/08/29 00:30:15 gmcgarry Exp $	*/
+/*	$NetBSD: admin.h,v 1.8 2010/11/12 09:08:26 tteras Exp $	*/
 
 /* Id: admin.h,v 1.11 2005/06/19 22:37:47 manubsd Exp */
 
@@ -49,16 +49,19 @@
 	union {
 		int16_t ac_un_errno;
 		uint16_t ac_un_version;
+		uint16_t ac_un_len_high;
 	} u;
 	u_int16_t ac_proto;
 };
 #define ac_errno u.ac_un_errno
 #define ac_version u.ac_un_version
+#define ac_len_high u.ac_un_len_high
 
 /*
  * Version field in request is valid.
  */
 #define ADMIN_FLAG_VERSION	0x8000
+#define ADMIN_FLAG_LONG_REPLY	0x8000
 
 /*
  * No data follows as the data.
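Review bot: `ADMIN_FLAG_LONG_REPLY` is defined with the same value as `ADMIN_FLAG_VERSION` (0x8000) and no comment, and the existing comment above ("Version field in request is valid.") now describes only half of what that bit means. Add a comment on the new define stating the direction it applies to, e.g. `/* In a reply: ac_len_high holds bits 16-31 of the length (reuses the VERSION bit, which is only meaningful in requests). */`. The same overlay applies to `ac_un_len_high`, which shares the union with `ac_un_errno`, so a long reply cannot also carry an errno; a one-line comment on that member would save the next reader a trip to admin.c.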

Index: src/crypto/dist/ipsec-tools/src/racoon/kmpstat.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/kmpstat.c:1.6 src/crypto/dist/ipsec-tools/src/racoon/kmpstat.c:1.7
--- src/crypto/dist/ipsec-tools/src/racoon/kmpstat.c:1.6	Tue Oct  2 09:47:45 2007
+++ src/crypto/dist/ipsec-tools/src/racoon/kmpstat.c	Fri Nov 12 09:08:26 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: kmpstat.c,v 1.6 2007/10/02 09:47:45 vanhu Exp $	*/
+/*	$NetBSD: kmpstat.c,v 1.7 2010/11/12 09:08:26 tteras Exp $	*/
 
 /*	$KAME: kmpstat.c,v 1.33 2004/08/16 08:20:28 itojun Exp $	*/
 
@@ -138,7 +138,7 @@
 {
 	struct admin_com h, *com;
 	caddr_t buf;
-	int len;
+	int len, rlen;
 	int l = 0;
 	caddr_t p;
 
@@ -153,19 +153,25 @@
 	if (len  sizeof(h))
 		goto bad1;
 
-	if (h.ac_errno) {
+	if (h.ac_errno  !(h.ac_cmd  ADMIN_FLAG_LONG_REPLY)) {
 		errno = h.ac_errno;
 		goto bad1;
 	}
 
+	/* real length */
+	if (h.ac_cmd  ADMIN_FLAG_LONG_REPLY)
+		rlen = ((u_int32_t)h.ac_len) + (((u_int32_t)h.ac_len_high)  16);
+	else
+		rlen = h.ac_len;
+
 	/* allocate buffer */
-	if ((*combufp = vmalloc(h.ac_len)) == NULL)
+	if ((*combufp = vmalloc(rlen)) == NULL)
 		goto bad1;
 
 	/* read real message */
 	p = (*combufp)-v;
-	while (l  len) {
-		if ((len = recv(so, p, h.ac_len, 0))  0) {
+	while (l  rlen) {
+		if ((len = recv(so, p, rlen - l, 0))  0) {
 			perror(recv);
 			goto bad2;
 		}
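Review bot: `rlen` is declared `int` (hunk @@ -138 above) but now receives a 32-bit length assembled from `ac_len` and `ac_len_high`; values of 2^31 or more become negative, `while (l < rlen)` never runs, and `vmalloc(rlen)` is handed a negative value converted to a huge size. Declare it `u_int32_t rlen;` (matching the casts in the expression) and, since the header is counted in the length (the racoonctl.c hunk subtracts `sizeof(*com)` from it), reject a malformed reply with `if (rlen < sizeof(h)) goto bad1;` before allocating. Whether the daemon side ever produces such a length is not visible here, but the bound is cheap and the length is peer-supplied. The enclosing function starts and ends outside the hunk.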

Index: src/crypto/dist/ipsec-tools/src/racoon/racoonctl.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/racoonctl.c:1.17 src/crypto/dist/ipsec-tools/src/racoon/racoonctl.c:1.18
--- src/crypto/dist/ipsec-tools/src/racoon/racoonctl.c:1.17	Mon Apr 20 13:22:00 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/racoonctl.c	Fri Nov 12 09:08:26 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: racoonctl.c,v 1.17 2009/04/20 13:22:00 tteras Exp $	*/
+/*	$NetBSD: racoonctl.c,v 1.18 2010/11/12 09:08:26 tteras Exp $	*/
 
 /*	Id: racoonctl.c,v 1.11 2006/04/06 17:06:25 manubsd Exp */
 
@@ -1426,10 +1426,14 @@
 int len;
 
 	com = (struct admin_com *)combuf-v;
-	len = com-ac_len - sizeof(*com);
+	if (com-ac_cmd  ADMIN_FLAG_LONG_REPLY)
+		len = ((u_int32_t)com-ac_len) + (((u_int32_t)com-ac_len_high)  16);
+	else
+		len = com-ac_len;
+	len -= sizeof(*com);
 	buf = combuf-v + sizeof(*com);
 
-	switch (com-ac_cmd) {
+	switch 

CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2010-11-12 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Nov 12 09:09:48 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: handler.h isakmp_inf.c

Log Message:
Improve DPD sequence checks to allow any reply within the valid sequence window
to be proof of liveness. This can improve things if there are random
packet delays, or if racoon is not getting enough CPU time.


To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.24 src/crypto/dist/ipsec-tools/src/racoon/handler.h
cvs rdiff -u -r1.42 -r1.43 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/handler.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.h:1.23 src/crypto/dist/ipsec-tools/src/racoon/handler.h:1.24
--- src/crypto/dist/ipsec-tools/src/racoon/handler.h:1.23	Thu Oct 21 06:04:33 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.h	Fri Nov 12 09:09:47 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.h,v 1.23 2010/10/21 06:04:33 tteras Exp $	*/
+/*	$NetBSD: handler.h,v 1.24 2010/11/12 09:09:47 tteras Exp $	*/
 
 /* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
 
@@ -202,7 +202,8 @@
 
 #ifdef ENABLE_DPD
 	int		dpd_support;	/* Does remote supports DPD ? */
-	u_int16_t	dpd_seq;		/* DPD seq number to receive */
+	u_int32_t	dpd_last_ack;
+	u_int32_t	dpd_seq;		/* DPD seq number to receive */
 	u_int8_t	dpd_fails;		/* number of failures */
 	struct sched	dpd_r_u;
 #endif
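Review bot: The new `dpd_last_ack` field is the only DPD member without a trailing comment, and its relationship to `dpd_seq` (the acceptance window checked in isakmp_inf.c) is not obvious from the name. Suggest `u_int32_t	dpd_last_ack;	/* last R-U-There seq acked by the peer */` so the window (dpd_last_ack, dpd_seq] is readable from the struct. Widening `dpd_seq` to 32 bits is fine, but any code that still formats it with `%d` should move to `%u`.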

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.42 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.43
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.42	Tue Jun 22 09:41:33 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Fri Nov 12 09:09:47 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.c,v 1.42 2010/06/22 09:41:33 vanhu Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.43 2010/11/12 09:09:47 tteras Exp $	*/
 
 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
 
@@ -1450,17 +1450,16 @@
 	struct isakmp_pl_ru *ru;
 	u_int32_t msgid;
 {
+	u_int32_t seq;
 
 	plog(LLV_DEBUG, LOCATION, iph1-remote,
 		 DPD R-U-There-Ack received\n);
 
-	/* XXX Maintain window of acceptable sequence numbers ?
-	 * = ru-data = iph2-dpd_seq 
-	 *ru-data = iph2-dpd_seq - iph2-dpd_fails ? */
-	if (ntohl(ru-data) != iph1-dpd_seq-1) {
+	seq = ntohl(ru-data);
+	if (seq = iph1-dpd_last_ack || seq  iph1-dpd_seq) {
 		plog(LLV_ERROR, LOCATION, iph1-remote,
-			 Wrong DPD sequence number (%d, %d expected).\n, 
-			 ntohl(ru-data), iph1-dpd_seq-1);
+			 Wrong DPD sequence number (%d; last_ack=%d, seq=%d).\n, 
+			 seq, iph1-dpd_last_ack, iph1-dpd_seq);
 		return 0;
 	}
 
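Review bot: The new plog call formats `seq`, `iph1->dpd_last_ack` and `iph1->dpd_seq`, all `u_int32_t` after the handler.h change, with `%d`; values above INT_MAX print negative and the mismatch is what -Wformat flags. Use `"Wrong DPD sequence number (%u; last_ack=%u, seq=%u).\n"`. Assuming the comparisons are `seq <= dpd_last_ack || seq > dpd_seq` as the message suggests (the operators are lost in this rendering), accepting only seq in (dpd_last_ack, dpd_seq] and then raising dpd_last_ack in the following hunk makes a replayed ack for an already-acked seq fail the check, which is the right property. The enclosing function starts above the hunk.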
@@ -1472,6 +1471,7 @@
 	}
 
 	iph1-dpd_fails = 0;
+	iph1-dpd_last_ack = seq;
 	sched_cancel(iph1-dpd_r_u);
 	isakmp_sched_r_u(iph1, 0);
 
@@ -1536,12 +1536,13 @@
 	memcpy(ru-i_ck, iph1-index.i_ck, sizeof(cookie_t));
 	memcpy(ru-r_ck, iph1-index.r_ck, sizeof(cookie_t));
 
-	if (iph1-dpd_seq == 0){
+	if (iph1-dpd_seq == 0) {
 		/* generate a random seq which is not too big */
-		srand(time(NULL));
-		iph1-dpd_seq = rand()  0x0fff;
+		iph1-dpd_seq = iph1-dpd_last_ack = rand()  0x0fff;
 	}
 
+	iph1-dpd_seq++;
+	iph1-dpd_fails++;
 	ru-data = htonl(iph1-dpd_seq);
 
 	error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, 0);
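Review bot: The `srand(time(NULL))` call is dropped but the initial sequence is still drawn from `rand()`, so unless the PRNG is seeded elsewhere in the daemon (not visible here) every process starts its DPD sequence from the same value. Re-seeding from the clock on each first probe was not good either; racoon already has the OpenSSL-backed `eay_random()`, so `iph1->dpd_seq = iph1->dpd_last_ack = eay_random() & 0x0fff;` gives an unpredictable start without touching libc state. Moving `dpd_seq++`/`dpd_fails++` before the send means the value on the wire is now dpd_seq itself rather than the pre-increment value, which matches the new ack window; a one-line comment saying so above `ru->data = htonl(iph1->dpd_seq);` would help. The enclosing function starts and ends outside the hunk.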
@@ -1550,12 +1551,6 @@
 	plog(LLV_DEBUG, LOCATION, iph1-remote,
 		 DPD R-U-There sent (%d)\n, error);
 
-	/* will be decreased if ACK received... */
-	iph1-dpd_fails++;
-
-	/* XXX should be increased only when ACKed ? */
-	iph1-dpd_seq++;
-
 	/* Reschedule the r_u_there with a short delay,
 	 * will be deleted/rescheduled if ACK received before */
 	isakmp_sched_r_u(iph1, 1);



CVS commit: src/crypto/dist/ipsec-tools/src/racoon

2010-11-12 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Nov 12 09:11:37 UTC 2010

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: isakmp.c

Log Message:
Purge all IPsec-SA's if the last main ISAKMP-SA for the node is deleted
by remote request and the phase1 rekeying is enabled (this will also
trigger the new phase1_dead script hook).


To generate a diff of this commit:
cvs rdiff -u -r1.63 -r1.64 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.63 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.64
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.63	Thu Oct 21 06:15:28 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Fri Nov 12 09:11:37 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.c,v 1.63 2010/10/21 06:15:28 tteras Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.64 2010/11/12 09:11:37 tteras Exp $	*/
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
@@ -766,6 +766,20 @@
 	return 0;
 }
 
+static int
+ph1_rekey_enabled(iph1)
+	struct ph1handle *iph1;
+{
+	if (iph1-rmconf-rekey == REKEY_FORCE)
+		return 1;
+#ifdef ENABLE_DPD
+	if (iph1-rmconf-rekey == REKEY_ON  iph1-dpd_support 
+	iph1-rmconf-dpd_interval)
+		return 1;
+#endif
+	return 0;
+}
+
 /*
  * main function of phase 1.
  */
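Review bot: `ph1_rekey_enabled` has no header comment, while the neighbouring function just below carries one (`main function of phase 1.`). Suggest adding above the definition `/* Is phase-1 rekeying in effect for this SA: forced, or on-demand with DPD negotiated and a DPD interval configured? */`. It dereferences `iph1->rmconf` unconditionally, which is fine if callers guarantee a remote config is attached — both call sites in this commit appear to meet that, but the precondition is worth stating in the comment.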
@@ -866,13 +880,7 @@
 		migrate_dying_ph12(iph1);
 
 		/* add to the schedule to expire, and seve back pointer. */
-		if ((iph1-rmconf-rekey == REKEY_FORCE)
-#ifdef ENABLE_DPD
-			||
-		(iph1-rmconf-rekey == REKEY_ON  iph1-dpd_support 
-		 iph1-rmconf-dpd_interval)
-#endif
-			) {
+		if (ph1_rekey_enabled(iph1)) {
 			sched_schedule(iph1-sce,
    iph1-approval-lifetime *
    PFKEY_SOFT_LIFETIME_RATE / 100,
@@ -2071,7 +2079,13 @@
 	plog(LLV_INFO, LOCATION, NULL,
 		ISAKMP-SA deleted %s-%s spi:%s\n,
 		src, dst, isakmp_pindex(iph1-index, 0));
+
 	evt_phase1(iph1, EVT_PHASE1_DOWN, NULL);
+
+	if (new_iph1 == NULL  ph1_rekey_enabled(iph1)) {
+		purge_remote(iph1);
+		script_hook(iph1, SCRIPT_PHASE1_DEAD);
+	}
 	racoon_free(src);
 	racoon_free(dst);
 
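Review bot: `purge_remote(iph1)` is called whenever `new_iph1 == NULL` and rekeying is enabled, but nothing in the hunk ties this to the remote-initiated delete the log message describes; if the enclosing function (which starts above the hunk) is also reached on local expiry or an error path, this tears down every IPsec-SA for the peer on a routine phase-1 deletion. Either confirm the caller only reaches this point for remote deletes, or move the purge next to the delete-notification handling in isakmp_inf.c and keep only `script_hook(iph1, SCRIPT_PHASE1_DEAD)` here. A comment above the block stating why the purge is safe at this point would help either way.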


