Merge ipsec-tools 0.6.2 import.

manu 2005-10-14 14:01:34 +00:00
parent acea74a800
commit 982fc9c517
14 changed files with 127 additions and 46 deletions

@ -1,15 +1,69 @@
---------------------------------------------
0.6.2 released
2005-10-14 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/ipsec_doi.c: don't allow NULL or empty FQDNs or
USER_FQDNs (problem reported by Bernhard Suttner).
---------------------------------------------
0.6.2.beta3 released
2005-09-05 Emmanuel Dreyfus <manu@netbsd.org>
From Andreas Hasenack <ahasenack@terra.com.br>
* configure.ac: More build fixes for Linux
---------------------------------------------
0.6.2.beta2 released
2005-09-04 Emmanuel Dreyfus <manu@netbsd.org>
From Wilfried Weissmann
* src/libipsec/policy_parse.y src/racoon/{ipsec_doi.c|oakley.c}
src/racoon/{sockmisc.c|sockmisc.h}: build fixes
---------------------------------------------
0.6.2.beta1 released
2005-09-03 Emmanuel Dreyfus <manu@netbsd.org>
From Francis Dupont <Francis.Dupont@enst-bretagne.fr>
* src/libipsec/pfkey.c src/racoon/pfkey.c: Cope with extensions
2005-08-26 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/cfparse.y: handle xauth_login correctly
* src/racoon/isakmp.c: catch internal error
* src/raccon/isakmp_agg.c: fix racoon as Xauth client
* src/raccon/{isakmp_agg.c|isakmp_base.c}: Proposal safety checks
* src/racoon/evt.c: Fix memory leak when event queue overflows
2005-08-23 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{isakmp_agg.c|isakmp_ident.c|isakmp_base.c}: Correctly
initialize NAT-T VID to avoid freeing unallocated stuff.
2005-08-21 Emmanuel Dreyfus <manu@netbsd.org>
From Matthias Scheler <matthias.scheler@tadpole.com>
* src/racoon/{isakmp_cfg.c|racoon.conf.5}: enable the use of
ISAKMP mode config without Xauth.
2005-09-16 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/policy.c: Do not parse all sptree in inssp() if we
don't use Policies priority.
2005-08-15 Emmanuel Dreyfus <manu@netbsd.org>
From: Thomas Klausner <wiz@netbsd.org>
src/setkey/setkey.8: Drop trailing spaces
---------------------------------------------
0.6.1 released

@ -1,4 +1,4 @@
/* $NetBSD: pfkey.c,v 1.7 2005/09/24 14:40:39 christos Exp $ */
/* $NetBSD: pfkey.c,v 1.8 2005/10/14 14:01:34 manu Exp $ */
/* $KAME: pfkey.c,v 1.47 2003/10/02 19:52:12 itojun Exp $ */
@ -1968,6 +1968,10 @@ pfkey_align(msg, mhp)
#ifdef SADB_X_EXT_TAG
case SADB_X_EXT_TAG:
#endif
#ifdef SADB_X_EXT_PACKET
case SADB_X_EXT_PACKET:
#endif
mhp[ext->sadb_ext_type] = (void *)ext;
break;
default:

@ -1,4 +1,4 @@
/* $NetBSD: pfkey_dump.c,v 1.9 2005/08/20 00:57:06 manu Exp $ */
/* $NetBSD: pfkey_dump.c,v 1.10 2005/10/14 14:01:34 manu Exp $ */
/* $KAME: pfkey_dump.c,v 1.45 2003/09/08 10:14:56 itojun Exp $ */
@ -271,7 +271,6 @@ pfkey_sadump(m)
if (natt_type && natt_type->sadb_x_nat_t_type_type)
use_natt = 1;
#endif
/* source address */
if (m_saddr == NULL) {
printf("no ADDRESS_SRC extension.\n");

@ -1,4 +1,4 @@
/* $NetBSD: policy_parse.y,v 1.6 2005/08/20 00:57:06 manu Exp $ */
/* $NetBSD: policy_parse.y,v 1.7 2005/10/14 14:01:34 manu Exp $ */
/* $KAME: policy_parse.y,v 1.21 2003/12/12 08:01:26 itojun Exp $ */
@ -536,7 +536,7 @@ set_x_request(src, dst)
{
struct sadb_x_ipsecrequest *p;
int reqlen;
caddr_t n;
u_int8_t *n;
reqlen = sizeof(*p)
+ (src ? sysdep_sa_len(src) : 0)

@ -1,4 +1,4 @@
/* $NetBSD: cfparse.y,v 1.8 2005/09/26 16:24:57 manu Exp $ */
/* $NetBSD: cfparse.y,v 1.9 2005/10/14 14:01:34 manu Exp $ */
/* Id: cfparse.y,v 1.37.2.4 2005/05/10 09:45:45 manubsd Exp */
@ -280,12 +280,10 @@ privsep_stmts
privsep_stmt
: USER QUOTEDSTRING
{
struct passwd *pw, pwres;
char buf[1024];
struct passwd *pw;
(void)getpwnam_r($2->v, &pwres, buf, sizeof(buf), &pw);
if (pw == NULL) {
yyerror("Unknown user `%s'", $2->v);
if ((pw = getpwnam($2->v)) == NULL) {
yyerror("unkown user \"%s\"", $2->v);
return -1;
}
lcconf->uid = pw->pw_uid;
@ -294,12 +292,10 @@ privsep_stmt
| USER NUMBER { lcconf->uid = $2; } EOS
| GROUP QUOTEDSTRING
{
struct group *gr, grres;
char buf[1024];
struct group *gr;
(void)getgrnam_r($2->v, &grres, buf, sizeof(buf), &gr);
if (gr == NULL) {
yyerror("Unknown group `%s'", $2->v);
if ((gr = getgrnam($2->v)) == NULL) {
yyerror("unkown group \"%s\"", $2->v);
return -1;
}
lcconf->gid = gr->gr_gid;
@ -1988,13 +1984,12 @@ adminsock_conf(path, owner, group, mode_dec)
vchar_t *group;
int mode_dec;
{
struct passwd *pw = NULL, pwres;
struct group *gr = NULL, grres;
struct passwd *pw = NULL;
struct group *gr = NULL;
mode_t mode = 0;
uid_t uid;
gid_t gid;
int isnum;
char buf[1024];
adminsock_path = path->v;
@ -2004,8 +1999,7 @@ adminsock_conf(path, owner, group, mode_dec)
errno = 0;
uid = atoi(owner->v);
isnum = !errno;
(void)getpwnam_r(owner->v, &pwres, buf, sizeof(buf), &pw);
if ((pw == NULL) && !isnum)
if (((pw = getpwnam(owner->v)) == NULL) && !isnum)
yyerror("User \"%s\" does not exist", owner->v);
if (pw)
@ -2019,8 +2013,7 @@ adminsock_conf(path, owner, group, mode_dec)
errno = 0;
gid = atoi(group->v);
isnum = !errno;
(void)getgrnam_r(group->v, &grres, buf, sizeof(buf), &gr);
if ((gr == NULL) && !isnum)
if (((gr = getgrnam(group->v)) == NULL) && !isnum)
yyerror("Group \"%s\" does not exist", group->v);
if (gr)
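Review bot: If the `if ((pw = getpwnam($2->v)) == NULL)`, `if ((gr = getgrnam($2->v)) == NULL)`, `getpwnam(owner->v)` and `getgrnam(group->v)` lines are the new side — which the ChangeLog's Linux build-fix entries suggest — the merge trades the re-entrant `getpwnam_r`/`getgrnam_r` lookups for calls that return pointers into static storage that the next lookup may overwrite; the same swap appears in `xauth_login_system` in isakmp_xauth.c. In a single-threaded config parser that is harmless only while each `pw`/`gr` result is fully consumed before the next lookup, and nothing in the hunks states that assumption, so a comment at each call site such as `/* non-reentrant lookup: pw is consumed before any further getpw*() call */` would pin it down. The new error strings also reintroduce a typo; they should read `yyerror("unknown user \"%s\"", $2->v);` and `yyerror("unknown group \"%s\"", $2->v);`. Both privsep_stmt actions and adminsock_conf continue outside the hunks.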

@ -1,4 +1,4 @@
/* $NetBSD: evt.c,v 1.2 2005/08/20 00:57:06 manu Exp $ */
/* $NetBSD: evt.c,v 1.3 2005/10/14 14:01:34 manu Exp $ */
/* Id: evt.c,v 1.2 2004/11/29 23:30:39 manubsd Exp */
@ -63,6 +63,23 @@ evt_push(src, dst, type, optdata)
struct evt *evt;
size_t len;
/* If we are above the limit, don't record anything */
if (evtlist_len > EVTLIST_MAX) {
plog(LLV_DEBUG, LOCATION, NULL,
"Cannot record event: event queue overflowed\n");
return;
}
/* If we hit the limit, record an overflow event instead */
if (evtlist_len == EVTLIST_MAX) {
plog(LLV_ERROR, LOCATION, NULL,
"Cannot record event: event queue overflow\n");
src = NULL;
dst = NULL;
type = EVTT_OVERFLOW;
optdata = NULL;
}
len = sizeof(*evtdump);
if (optdata)
len += optdata->l;
@ -94,8 +111,7 @@ evt_push(src, dst, type, optdata)
evt->dump = evtdump;
TAILQ_INSERT_TAIL(&evtlist, evt, next);
if (evtlist_len++ == EVTLIST_MAX)
evt_push(NULL, NULL, EVTT_OVERFLOW, NULL);
evtlist_len++;
return;
}
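Review bot: The two checks added at the top of evt_push let the queue hold EVTLIST_MAX+1 entries — EVTLIST_MAX ordinary events plus the overflow marker — but the comments "above the limit" and "hit the limit" do not make that explicit; a comment such as `/* The list holds EVTLIST_MAX events plus one EVTT_OVERFLOW marker; past that, new events are dropped */` before the first `if` would spare the next reader the arithmetic. On the marker path the caller's `optdata` is replaced by NULL and never touched again; if evt_push is expected to consume (free) `optdata`, that would leak here — the visible lines do not show the ownership rule, so confirm against the callers. Reassigning the parameters in place to forge the marker event works but is easy to misread; a short `/* record an overflow marker in place of the event we were asked to record */` would help. evt_push's signature sits above the first hunk.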

@ -1,4 +1,4 @@
/* $NetBSD: ipsec_doi.c,v 1.10 2005/08/20 00:57:06 manu Exp $ */
/* $NetBSD: ipsec_doi.c,v 1.11 2005/10/14 14:01:34 manu Exp $ */
/* Id: ipsec_doi.c,v 1.26.2.12 2005/07/12 11:50:15 manubsd Exp */
@ -782,7 +782,7 @@ t2isakmpsa(trns, sa)
sa->gssid = vmalloc(len / 2);
src = (const char *)(d + 1);
src = (__iconv_const char *)(d + 1);
srcleft = len;
dst = sa->gssid->v;
@ -3563,12 +3563,23 @@ set_identifier(vpp, type, value)
vchar_t *new = NULL;
/* simply return if value is null. */
if (!value)
if (!value){
if( type == IDTYPE_FQDN || type == IDTYPE_USERFQDN){
plog(LLV_ERROR, LOCATION, NULL,
"No %s\n", type == IDTYPE_FQDN ? "fqdn":"user fqdn");
return -1;
}
return 0;
}
switch (type) {
case IDTYPE_FQDN:
case IDTYPE_USERFQDN:
if(value->l <= 1){
plog(LLV_ERROR, LOCATION, NULL,
"Empty %s\n", type == IDTYPE_FQDN ? "fqdn":"user fqdn");
return -1;
}
#ifdef ENABLE_HYBRID
case IDTYPE_LOGIN:
#endif
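Review bot: The new `if(value->l <= 1)` block under `case IDTYPE_FQDN: case IDTYPE_USERFQDN:` falls through into the `#ifdef ENABLE_HYBRID` `case IDTYPE_LOGIN:` label without a marker; the fallthrough looks intended, so add `/* FALLTHROUGH */` after the closing brace so the shared tail is not mistaken for a missing `break`. The `<= 1` bound rejects a one-byte identifier, which is right only if `value->l` counts a trailing NUL — not visible here — so once confirmed a comment such as `/* l includes the terminating NUL: a real FQDN needs l > 1 */` would justify the constant. The added lines also use `if (!value){` and `if( type == ...` spacing, unlike the `switch (type) {` context line; `if (!value) {` and `if (type == IDTYPE_FQDN || type == IDTYPE_USERFQDN) {` would match the file. set_identifier continues outside the hunk.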

@ -1,4 +1,4 @@
/* $NetBSD: isakmp_xauth.c,v 1.6 2005/09/24 17:34:17 christos Exp $ */
/* $NetBSD: isakmp_xauth.c,v 1.7 2005/10/14 14:01:34 manu Exp $ */
/* Id: isakmp_xauth.c,v 1.17.2.5 2005/05/20 07:31:09 manubsd Exp */
@ -690,10 +690,9 @@ xauth_login_system(usr, pwd)
char *usr;
char *pwd;
{
struct passwd *pw, pwres;
struct passwd *pw;
char *cryptpwd;
char *syscryptpwd;
char buf[1024];
#ifdef HAVE_SHADOW_H
struct spwd *spw;
@ -703,8 +702,7 @@ xauth_login_system(usr, pwd)
syscryptpwd = spw->sp_pwdp;
#endif
(void)getpwnam_r(usr, &pwres, buf, sizeof(buf), &pw);
if (pw == NULL)
if ((pw = getpwnam(usr)) == NULL)
return -1;
#ifndef HAVE_SHADOW_H

@ -1,4 +1,4 @@
/* $NetBSD: oakley.c,v 1.5 2005/08/20 00:57:06 manu Exp $ */
/* $NetBSD: oakley.c,v 1.6 2005/10/14 14:01:34 manu Exp $ */
/* Id: oakley.c,v 1.17.2.4 2005/07/12 11:50:15 manubsd Exp */
@ -2261,7 +2261,7 @@ save_certx509(cert)
new = NULL;
return NULL;
}
bp = new->pl->v;
bp = (u_char *) new->pl->v;
len = i2d_X509(cert, &bp);
new->type = ISAKMP_CERT_X509SIGN;
new->cert.v = new->pl->v;
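Review bot: `len = i2d_X509(cert, &bp);` directly after the new cast takes its result with no check in view; i2d_X509 returns a negative value on encoding failure, so the lines below the hunk should reject `len < 0` before that length is stored in the new certificate — if such a check already exists there, ignore this. The cast only changes the pointer type handed to OpenSSL, and a comment on that line, `/* i2d_X509 wants unsigned char ** */`, would explain the otherwise odd-looking conversion. save_certx509 continues on both sides of the hunk.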

@ -1,4 +1,4 @@
/* $NetBSD: pfkey.c,v 1.9 2005/08/20 00:57:06 manu Exp $ */
/* $NetBSD: pfkey.c,v 1.10 2005/10/14 14:01:34 manu Exp $ */
/* Id: pfkey.c,v 1.31.2.9 2005/07/28 05:05:52 manubsd Exp */
@ -156,6 +156,10 @@ NULL, /* SADB_X_SPDSETIDX */
pk_recvspdexpire,
NULL, /* SADB_X_SPDDELETE2 */
NULL, /* SADB_X_NAT_T_NEW_MAPPING */
NULL, /* SADB_X_MIGRATE */
#if (SADB_MAX > 24)
#error "SADB extra message?"
#endif
};
static int addnewsp __P((caddr_t *));
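Review bot: The guard `#if (SADB_MAX > 24)` hard-codes the table length that the new `NULL, /* SADB_X_MIGRATE */` entry brings it to, with nothing tying the two together; a comment above it such as `/* keep in sync with the last entry above (SADB_X_MIGRATE) */` would make the next addition less error-prone, and the `#error` text could say what to do, e.g. `#error "SADB_MAX grew: add a handler slot to this table"`. The table's declaration and the code that indexes it are outside the hunk, so whether it really has one slot per message type up to SADB_MAX cannot be confirmed from here.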

@ -1,4 +1,4 @@
/* $NetBSD: policy.c,v 1.2 2005/08/20 00:57:06 manu Exp $ */
/* $NetBSD: policy.c,v 1.3 2005/10/14 14:01:34 manu Exp $ */
/* $KAME: policy.c,v 1.46 2001/11/16 04:08:10 sakane Exp $ */
@ -373,6 +373,7 @@ void
inssp(new)
struct secpolicy *new;
{
#ifdef HAVE_PFKEY_POLICY_PRIORITY
struct secpolicy *p;
TAILQ_FOREACH(p, &sptree, chain) {
@ -382,6 +383,7 @@ inssp(new)
}
}
if (p == NULL)
#endif
TAILQ_INSERT_TAIL(&sptree, new, chain);
return;
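Review bot: The new `#endif` sits between `if (p == NULL)` and the `TAILQ_INSERT_TAIL(&sptree, new, chain);` it controls, so in a build without HAVE_PFKEY_POLICY_PRIORITY the insertion is unconditional yet reads as the body of an `if` that no longer exists; putting the insertion into each preprocessor branch makes both paths explicit. The rewrite below changes only the preprocessor structure, not the behaviour of either build. inssp's closing brace is outside the hunk.
```c
#ifdef HAVE_PFKEY_POLICY_PRIORITY
	/* … unchanged: priority scan over sptree that sets p … */
	if (p == NULL)
		TAILQ_INSERT_TAIL(&sptree, new, chain);
#else
	TAILQ_INSERT_TAIL(&sptree, new, chain);
#endif
	return;
```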

@ -1,4 +1,4 @@
.\" $NetBSD: racoon.conf.5,v 1.22 2005/09/23 19:58:28 wiz Exp $
.\" $NetBSD: racoon.conf.5,v 1.23 2005/10/14 14:01:34 manu Exp $
.\"
.\" Id: racoon.conf.5,v 1.41 2005/09/21 14:35:16 manubsd Exp
.\"
@ -936,12 +936,12 @@ The default is off.
Defines the information to return for remote hosts' ISAKMP mode config
requests.
Also defines the authentication source for remote peers
authenticating through Xauth.
authenticating through hybrid auth.
.Pp
The following are valid statements:
.Bl -tag -width Ds -compact
.It Ic auth_source (system \(ba radius \(ba pam) ;
Specify the source for authentication of users through Xauth.
Specify the source for authentication of users through hybrid auth.
.Ar system
means to use the Unix user database.
This is the default.
@ -958,7 +958,7 @@ It works only if
was built with libpam support.
.It Ic conf_source (local \(ba radius) ;
Specify the source for IP addresses and netmask allocated through ISAKMP
mode config.
mode config.
.Ar local
means to use the local IP pool defined by the
.Ic network4

@ -1,4 +1,4 @@
/* $NetBSD: sockmisc.c,v 1.2 2005/08/20 00:57:06 manu Exp $ */
/* $NetBSD: sockmisc.c,v 1.3 2005/10/14 14:01:34 manu Exp $ */
/* Id: sockmisc.c,v 1.17.4.3 2005/06/29 13:01:29 manubsd Exp */
@ -314,7 +314,7 @@ recvfromto(s, buf, buflen, flags, from, fromlen, to, tolen)
size_t buflen;
int flags;
struct sockaddr *from;
int *fromlen;
socklen_t *fromlen;
struct sockaddr *to;
u_int *tolen;
{
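Review bot: `fromlen` becomes `socklen_t *` but `tolen` on the next line stays `u_int *`, so recvfromto now mixes two types for the same kind of sockaddr length; `socklen_t *tolen;` would make the signature consistent, with the matching change in the sockmisc.h prototype (`struct sockaddr *, socklen_t *, struct sockaddr *, socklen_t *`). Whether `tolen` is passed to a socket call that expects socklen_t is not visible in the hunk, so check the body before widening the change. recvfromto's body starts after the hunk.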

@ -1,4 +1,4 @@
/* $NetBSD: sockmisc.h,v 1.4 2005/08/20 00:57:06 manu Exp $ */
/* $NetBSD: sockmisc.h,v 1.5 2005/10/14 14:01:34 manu Exp $ */
/* Id: sockmisc.h,v 1.5.10.3 2005/06/29 13:01:29 manubsd Exp */
@ -58,7 +58,7 @@ extern int cmpsaddrstrict __P((const struct sockaddr *, const struct sockaddr *)
extern struct sockaddr *getlocaladdr __P((struct sockaddr *));
extern int recvfromto __P((int, void *, size_t, int,
struct sockaddr *, int *, struct sockaddr *, unsigned int *));
struct sockaddr *, socklen_t *, struct sockaddr *, unsigned int *));
extern int sendfromto __P((int, const void *, size_t,
struct sockaddr *, struct sockaddr *, int));