Module Name:    src
Committed By:   snj
Date:           Fri Apr 15 07:52:15 UTC 2016

Modified Files:
        src/crypto/dist/ipsec-tools/src/racoon [netbsd-7]: isakmp.c
            isakmp_cfg.c isakmp_ident.c isakmp_xauth.c

Log Message:
Pull up following revision(s) (requested by phx in ticket #1145):
        crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c: revision 1.26
        crypto/dist/ipsec-tools/src/racoon/isakmp.c: revision 1.75
        crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c: revision 1.28
        crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c: revision 1.14
PR/50918: David Binderman: Fix memory leak
--
From Frank Wille:
Request "IKE mode config" in "rsasig" (certificates on both sides only)
authentication mode if "mode_cfg" is set to "on".
Tested with a Lancom router, using the following configuration:
path include "/etc/racoon";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";
remote "wpsd"
{
    remote_address 1.2.3.4;
    exchange_mode main,base;
    my_identifier asn1dn;
    certificate_type x509 "vpnclient15.crt" "vpnclient15.key";
    ca_type x509 "ca.crt";
    mode_cfg on;
    dpd_delay 20;
    nat_traversal on;
    lifetime time 8 hour;
    script "phase1-up.sh" phase1_up;
    script "phase1-down.sh" phase1_down;
    proposal {
        encryption_algorithm aes;
        hash_algorithm md5;
        authentication_method rsasig;
        dh_group 2;
    }
    proposal_check obey;
}
sainfo anonymous
{
    pfs_group 2;
    lifetime time 8 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}


To generate a diff of this commit:
cvs rdiff -u -r1.74 -r1.74.20.1 \
    src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
cvs rdiff -u -r1.25 -r1.25.8.1 \
    src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
cvs rdiff -u -r1.13 -r1.13.28.1 \
    src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c
cvs rdiff -u -r1.27 -r1.27.4.1 \
    src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.74 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.74.20.1
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.74	Sun Jan  1 15:57:31 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Fri Apr 15 07:52:15 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.c,v 1.74 2012/01/01 15:57:31 tteras Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.74.20.1 2016/04/15 07:52:15 snj Exp $	*/
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
@@ -890,6 +890,10 @@ ph1_main(iph1, msg)
 				/* XXX Don't process INITIAL_CONTACT */
 				iph1->rmconf->ini_contact = 0;
 				break;
+			case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
+				if (iph1->rmconf->mode_cfg)
+					error = isakmp_cfg_getconfig(iph1);
+				break;
 			default:
 				break;
 			}
@@ -945,6 +949,10 @@ ph1_main(iph1, msg)
 				break;
 			}
 		}
+		if ((iph1->rmconf->mode_cfg) &&
+		    !(iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH)) {
+			error = isakmp_cfg_getconfig(iph1);
+		}
 	}
 
 	return 0;
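Review bot: The new block before `return 0;` tests only `iph1->rmconf->mode_cfg` and the absence of the XAUTH vendor ID, not the negotiated authentication method, so as written it issues a mode-config request for any established phase 1 that has mode_cfg on and no XAUTH vendor ID, while the commit message scopes the feature to rsasig and the @@ -890 hunk restricts its call to `OAKLEY_ATTR_AUTH_METHOD_RSASIG`. If the enclosing `if` (which opens outside the hunk) does not already narrow the authentication method, add the same RSASIG test here so that pre-shared-key peers keep their previous behaviour, and check that a rsasig peer that does present the XAUTH vendor ID is not served by both hunks in one pass. `iph1->mode_cfg->flags` is also dereferenced with no null check on `iph1->mode_cfg`; that is only safe if the mode-config state is allocated unconditionally when the phase 1 handle is created, which the hunk does not show.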

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.25 src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.25.8.1
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.25	Fri Apr 12 10:03:45 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c	Fri Apr 15 07:52:15 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_cfg.c,v 1.25 2013/04/12 10:03:45 tteras Exp $	*/
+/*	$NetBSD: isakmp_cfg.c,v 1.25.8.1 2016/04/15 07:52:15 snj Exp $	*/
 
 /* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */
 
@@ -457,6 +457,7 @@ isakmp_cfg_reply(iph1, attrpl)
 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 
 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 
+		case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
 			script_hook(iph1, SCRIPT_PHASE1_UP);
 			break;
 		default:
@@ -639,6 +640,7 @@ isakmp_cfg_request(iph1, attrpl)
 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 
 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 
+		case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
 			script_hook(iph1, SCRIPT_PHASE1_UP);
 			break;
 		default:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c:1.13 src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c:1.13.28.1
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c:1.13	Fri Sep 18 10:31:11 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c	Fri Apr 15 07:52:15 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_ident.c,v 1.13 2009/09/18 10:31:11 tteras Exp $	*/
+/*	$NetBSD: isakmp_ident.c,v 1.13.28.1 2016/04/15 07:52:15 snj Exp $	*/
 
 /* Id: isakmp_ident.c,v 1.21 2006/04/06 16:46:08 manubsd Exp */
 
@@ -172,6 +172,7 @@ ident_i1send(iph1, msg)
 			plist = isakmp_plist_append(plist,
 			    vid_xauth, ISAKMP_NPTYPE_VID);
 
+	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
 		if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
 			plog(LLV_ERROR, LOCATION, NULL,
 			     "Unity vendor ID generation failed\n");
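Review bot: The new `case OAKLEY_ATTR_AUTH_METHOD_RSASIG:` label is inserted into the preceding XAUTH case's statement list with no `break` before it, so that case now falls through into the Unity vendor-ID append by design, but nothing marks the fall-through as intentional; add `/* FALLTHROUGH */` on the line above the new label so lint and later readers do not take it for a bug. The label is also unconditional: as far as the hunk shows, every rsasig initiator now advertises the Unity vendor ID, not only those configured with `mode_cfg on`, which changes the wire behaviour for peers that never asked for mode config. ident_i1send's switch opens outside the hunk, so if it is not already inside a `mode_cfg` guard, the RSASIG path should get one without disturbing the XAUTH fall-through.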

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.27 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.27.4.1
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.27	Tue Mar 18 18:20:35 2014
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Fri Apr 15 07:52:15 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.27 2014/03/18 18:20:35 riastradh Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.27.4.1 2016/04/15 07:52:15 snj Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -1803,7 +1803,7 @@ xauth_rmconf_dup(xauth_rmconf)
 		new = racoon_malloc(sizeof(*new));
 		if (new == NULL) {
 			plog(LLV_ERROR, LOCATION, NULL, 
-			    "xauth_rmconf_dup: malloc failed\n");
+			    "%s: malloc failed\n", __func__);
 			return NULL;
 		}
 
@@ -1813,16 +1813,16 @@ xauth_rmconf_dup(xauth_rmconf)
 			new->login = vdup(xauth_rmconf->login);
 			if (new->login == NULL) {
 				plog(LLV_ERROR, LOCATION, NULL, 
-				    "xauth_rmconf_dup: malloc failed (login)\n");
-				return NULL;
+				    "%s: malloc failed (login)\n", __func__);
+				goto out;
 			}
 		}
 		if (xauth_rmconf->pass != NULL) {
 			new->pass = vdup(xauth_rmconf->pass);
 			if (new->pass == NULL) {
 				plog(LLV_ERROR, LOCATION, NULL, 
-				    "xauth_rmconf_dup: malloc failed (password)\n");
-				return NULL;
+				    "%s: malloc failed (password)\n", __func__);
+				goto out;
 			}
 		}
 
@@ -1830,4 +1830,8 @@ xauth_rmconf_dup(xauth_rmconf)
 	}
 
 	return NULL;
+out:
+	vfree(new->login);
+	racoon_free(new);
+	return NULL;
 }
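Review bot: The new `out:` label frees `new->login` unconditionally, and on the login-failure jump at @@ -1813 that field is NULL (it was just assigned the failed vdup() result), so the fix is only correct if vfree() tolerates a NULL argument the way free() does; that should be confirmed rather than assumed, or the call guarded with `if (new->login != NULL)`. On the password-failure jump `new->login` holds the copied buffer, which the label frees, and `new->pass` is NULL, which it does not touch, so the label is consistent with both jumps. The code that initialises the two fields between `racoon_malloc` and the first `vdup` lies outside the hunk; a one-line comment on the label, `/* only reached with new->pass == NULL; new->login is NULL or ours */`, would record the invariant the cleanup relies on.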
