349228b78c
Quiet a gcc warning when strict-aliasing checks are enabled. Reported by
...
Stephen Clark.
2011-03-06 08:28:10 +00:00
65023b30e4
flush sainfo list when closing session. patch by Roman Hoog Antink <rha@open.ch>
2011-03-02 15:09:16 +00:00
7e1e999bc0
free rsa structures when deleting a struct rmconf. patch by Roman Hoog Antink <rha@open.ch>
2011-03-02 15:04:01 +00:00
78c9c4b8d1
free spspec when deleting a rmconf struct. patch by Roman Hoog Antink <rha@open.ch>
2011-03-02 14:58:27 +00:00
82409028c9
fixed some memory leaks in remoteconf. patch by Roman Hoog Antink <rha@open.ch>
2011-03-02 14:52:32 +00:00
ff2e315ab3
fixed some memory leaks during configuration parsing. patch by Roman Hoog Antink <rha@open.ch>
2011-03-02 14:49:21 +00:00
acd79fcecf
plog text fixes, patch from M E Andersson <debian@gisladisker.se>
2011-03-01 14:33:58 +00:00
3b9e5ba27f
reset yyerrorcount before doing parse stuff. patch by Roman Hoog Antink <rha@open.ch>
2011-03-01 14:14:50 +00:00
004dc7976f
From Roman Hoog Antink <rha@open.ch>: Fix memory leak when using plain RSA
...
key authentication.
2011-02-20 17:32:02 +00:00
093488593b
From Mats E Andersson <debian@gisladisker.se>: Fix fprintf format specifier
...
usage from previous patch.
2011-02-11 10:07:19 +00:00
1f21513187
From Mats Erik Andersson <debian@gisladisker.se>: Implement importing of
...
RSA keys from PEM files.
2011-02-10 11:20:08 +00:00
6615d57c07
From M E Andersson <debian@gisladisker.se>: Fix parsing of restricted RSA
...
key addresses.
2011-02-10 11:17:17 +00:00
bfe163c1a3
store ph1id in an u_int32_t instead of a (signed)int. Patch from Christophe Carre
2011-02-02 15:21:34 +00:00
2ee6d137de
From Roman Hoog Antink <rha@open.ch>: Clean up sainfo reloading: rename
...
the functions, and remove unneeded global variable.
2011-01-28 13:02:34 +00:00
5d9b9d50e9
From Roman Hoog Antink <rha@open.ch>: Clean up rmconf reloading: rename
...
the functions, and remove unneeded global variable.
2011-01-28 13:00:14 +00:00
c54595ebf5
From Roman Hoog Antink <rha@open.ch>: Log remote IP address if available
...
(slightly modified by tteras)
2011-01-28 12:51:40 +00:00
79764be6dd
From Roman Hoog Antink <rha@open.ch>: Fixes a null pointer dereference
...
that might occur after removing peers from the config and then reloading.
2011-01-22 07:38:51 +00:00
4d9d52d8fa
fixed a typo, it will now compile when KMADDRESS is defined. reported by Roman Hoog Antink (rha (at) open.ch)
2011-01-20 16:08:35 +00:00
785cabdaf2
From Roman Hoog Antink <rha@open.ch>: Fix config reload to not delete
...
too many phase 2 handles, because wrong chain field is used when
enumerating the handles.
2010-12-28 06:00:18 +00:00
f1cf9a1e3b
When encountering a certificate where "ID mismatched with ASN1
...
SubjectName", and verify_identifier is off, don't raise an error.
This makes the behavior match the man page.
Patch sent for review long ago:
http://mail-index.netbsd.org/tech-security/2006/03/24/0000.html
with no negative feedback received to date.
2010-12-16 16:59:05 +00:00
566286569e
From Roman Hoog Antink <rha@open.ch>: Fix possible null derefence.
2010-12-14 17:57:31 +00:00
0303048b1e
Use separate SA addresses for phase2's created by admin command. The
...
phase2 startup overwrites src/dst with ISAKMP ports if they are zero
and we don't want that to happen for the SA ports.
2010-12-08 07:38:35 +00:00
0d0af5032c
ANSIfy
2010-12-08 01:55:12 +00:00
1246e1db41
Fix spacing and improve wording in some log messages.
2010-12-07 14:28:12 +00:00
b3dca9dae4
Recognize direction for Linux per-socket policies.
2010-12-03 15:01:11 +00:00
7d13a088be
Support GRE key as upper layer protocol specifier (will be supported in
...
Linux kernel 2.6.38).
2010-12-03 14:32:52 +00:00
3a9671366f
Netlink deletion notification does not guarentee actual address deletion:
...
it might still exist on some other interface. Make sure we do not unbind
unless the address is really gone.
2010-12-03 09:46:24 +00:00
6a6cffd67e
Fix my previous patch to not call purge_remote() twice. Change the place
...
where purge_remote() is called. This fixes also a possible crash from the
same patch since ph1->remote can be NULL (when we are responder and config
is not yet selected).
2010-11-17 10:40:41 +00:00
939a5bdbb6
isakmp_post_acquire is now called from admin commands too, add a flag so
...
admin commands can be used to establish even passive links on demand.
2010-11-12 10:36:37 +00:00
fafea48525
Purge all IPsec-SA's if the last main ISAKMP-SA for the node is deleted
...
by remote request and the phase1 rekeying is enabled (this will also
trigger the new phase1_dead script hook).
2010-11-12 09:11:37 +00:00
3d7d638a63
Improve DPD sequence checks to allow any reply within valid sequence window
...
to be proof of livelyness. This can improves things if there's random
packet delays, or if racoon is not getting enough CPU time.
2010-11-12 09:09:47 +00:00
731159f704
Extern admin protocol to allow reply packets to exceed 64kb. E.g SA dumps
...
with many established SAs can be easily over the limit.
2010-11-12 09:08:26 +00:00
0a922db186
Change Linux Netlink address monitoring to monitor local route changes.
...
This works around a kernel bug, and slightly improves behaviour on some
special cases.
2010-10-22 06:26:26 +00:00
84874398b5
Introduce priorities for file descriptor polling mechanism and give
...
priority to admin port. If admin port is used by ISAKMP-SA hook scripts
they should be preferred, other wise heavy traffic can delay admin port
requests considerably. This in turn may cause renegotiation loop for
ISAKMP-SA. This is mostly useful for OpenNHRP setup, but can benefit
other setups too.
2010-10-21 06:15:28 +00:00
af50f9e5f9
Remove initial-contact entry when all ISAKMP-SA are purged via adminport.
...
This will avoid stale security associations if some of the delete
notifications happens to get lost.
2010-10-21 06:04:33 +00:00
976b63b0c6
Use high-level openssl EVP and HMAC functions when possible: this allows
...
openssl to perform hardware acceleration if available.
2010-10-20 13:40:02 +00:00
fa4803bf0a
Various improvements to error log messages and a few additional error log
...
messages to improve diagnosing an error condition.
2010-10-20 13:37:37 +00:00
49a8dd9d23
Fix address comparison so we actually close sockets which were bound to
...
IP-address that got deconfigured.
2010-10-20 10:56:39 +00:00
fe1c6ea2f2
report a higher encryption key length in approval for OBEY / CLAIM / STRICT modes
2010-10-11 14:16:30 +00:00
45f0ad8281
fixed some typos in logs (reported by fazaeli (at) sepehrs.com)
2010-09-27 11:57:59 +00:00
1da0e31bfc
fixed a fd leak, patch by getlaser (at) gmail.com
2010-09-24 15:09:29 +00:00
23e038ba26
get the correct length of username when processing ADMIN_LOGOUT_USER, patch by rweikusat (at) mssgmbh.com
2010-09-22 13:37:35 +00:00
40e858e050
fixed a typo in macros, reported by marisp (at) mt.lv
2010-09-22 07:34:51 +00:00
a4e6ec9d93
moved from utmp.h to utmpx.h (patch provided by marcin.cieslak (at) gmail.com)
2010-09-21 13:14:17 +00:00
71f4bdc1a9
fixed remoteconf selection when no ID specified in configuration, and added some debug to remoteconf selection
2010-09-08 12:18:35 +00:00
12865805af
fix by Sergio.Gelato (at) astro.su.se: duplicate some dynamic values in duprmconf()
2010-08-26 13:31:55 +00:00
4020e47561
fixed answer for IP4_SUBNET request
2010-08-04 09:16:58 +00:00
62c45492f0
updated link to NetBSD's documentation
2010-07-30 14:50:47 +00:00
432f682f2f
Bump date for previous.
2010-06-22 20:51:04 +00:00
9049130b27
added a specific script hook when a dead peer is detected
2010-06-22 09:41:33 +00:00
ee938d1113
New sentence, new line. Bump date for previous.
2010-06-04 21:53:36 +00:00
a0bdaf1b16
Added support for spdupdate command in setkey
2010-06-04 13:06:03 +00:00
ba30b496b8
by Eric Preston: fixed a typo
2010-04-07 14:53:52 +00:00
bd7ae6bd09
handle ctime returning NULL.
2010-04-02 15:13:26 +00:00
fcbd1014fb
PR/42363: Yasuoka Masahiko: Second part of the patch: iterate only on the
...
phase2 handles that are bound by the given phase1 handle.
2010-03-11 15:44:48 +00:00
e3413574b5
From Stefan Bauer: Fix multiple typoes and manpage formatting errors.
2010-03-05 06:47:58 +00:00
709abc828e
From Pierre POMES: fixed admin port initialization
2010-03-04 15:13:53 +00:00
ccaf1e96be
Fight the ever-increasing size of src checkouts by spelling "useful"
...
without an extra l.
2010-02-28 15:52:16 +00:00
8e35c759e7
Fix typo in comment.
2010-02-09 23:05:16 +00:00
e15635055f
Free strdeupped string after using it. Found by cppcheck.
2010-01-17 23:03:01 +00:00
44e3b1fff7
Close file handles after using them. Found by cppcheck.
2010-01-17 23:02:48 +00:00
0e901e0c61
Use .%U instead of .%O for URLs.
2010-01-15 19:18:51 +00:00
119e5ecd44
From Paul Wernau: vmbuf.h was defined twice in the headers. Remove the
...
redundant entry so new install tool does not complain about overwriting
just installed file.
2009-12-11 09:04:04 +00:00
aabb31871d
PR/42363: Yasuoka Masahiko:
...
racoon uses a wrong IPsec-SA handle that is for other peer in case it
receives a ISAKMP message for IPsec-SA that has the same message-id as
the message-id that is received before.
racoon uses message-id to find the handle of IPsec-SA. The message-id
is a unique number for each peer, but different peers may use the same
value.
Different Windows Vista or Windows 7 peers seem to use the same
message-id. racoon can handle the first Windows's Phase-2, but it
cannot handle the second Windows. Because racoon misunderstands the
message for the second Windows as the message for the first Windows.
>Category: bin
>Synopsis: racoon uses a wrong IPsec-SA that is for different peer
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Nov 22 18:25:00 +0000 2009
>Originator: yasuoka@iij.ad.jp
2009-11-22 19:34:55 +00:00
792f03d2b0
use %option noinput nounput
2009-10-29 14:34:27 +00:00
cd2a002a7a
no unput
2009-10-28 20:59:46 +00:00
4467064d5b
Do not use .Xo/.Xc to workaround ancient groff limits.
2009-10-14 23:36:55 +00:00
a453670196
Do not use .Xo/.Xc to work around ancient groff limits.
...
Fix markup.
2009-10-14 18:34:14 +00:00
0639ebde24
Don't use .Xo/.Xc to work around ancient groff limits.
...
Set only one list type.
2009-10-14 18:22:04 +00:00
ff2c7b7d5c
From Tomas Mraz: Fix gssapi error checking.
2009-09-18 10:31:11 +00:00
63bcd231eb
When rekeying phase2 use phase1 used to negotiate phase2 as a hint to
...
select the phase1 for rekeying the new phase2.
2009-09-03 09:29:07 +00:00
ae0beb16dc
Check nat_traversal configuration from remote configuration candidates
...
when acting as responder. Enable NAT-T if any of the remote candidates
have NAT-T enabled.
2009-09-01 12:22:09 +00:00
5e74d5d98f
Change remote conf matching level to matching score. This way one can
...
override anonymous certificate block config with more exact "inhereted"
IP specific block.
2009-09-01 09:49:59 +00:00
43e6802298
From Maik Broemme: export ISAKMP SA identity as REMOTE_ID for phase1 up
...
script (trac #313 ).
2009-09-01 09:24:21 +00:00
b7f72d1283
fixed typo: algoriym -> algorithm
2009-08-24 09:33:03 +00:00
a3d9e80f96
fixed address check in rmconf_match_type(), just check address with wildcard port
2009-08-19 13:54:07 +00:00
95f3bd08bb
Have an enum for rmconf_match_type() return values to make the code a bit
...
more readable.
2009-08-19 12:20:02 +00:00
e2ffc89458
typo: algoritym -> algorithm
2009-08-18 08:21:12 +00:00
eb15fbb554
do not use SADB_X_NAT_T_NEW_MAPPING to check system support for NAT-T, as at least FreeBSD doesn't have this define anymore
2009-08-17 13:52:14 +00:00
82dd0659f2
include stddef.h so we have a chance to get the system offsetof if present
2009-08-17 12:00:53 +00:00
c2c64af1e8
removed a self include
2009-08-17 11:59:10 +00:00
0667dd70bd
fixed a potential DoS in oakley_do_decrypt(), reported by Orange Labs
2009-08-13 09:18:28 +00:00
ea830abf58
Don't print EAGAIN error from pfkey_handler(), it can occur normally
...
under some code paths and is not a hard error in any case.
2009-08-10 08:22:13 +00:00
c2919dd501
From Paul Wenau: Check fgets return value in setkey to make gcc happy.
2009-08-06 04:44:43 +00:00
4180506456
From Paul Wernau: Fix transport mode per-port security associations that
...
got broke during NAT-T fixes.
2009-08-05 13:16:01 +00:00
aab4a00722
From Arnaud Ebalard: Fix possible usage of uninitialized local variable
...
(not sure if any code path triggers this, but this makes compiler happy).
2009-07-07 12:25:22 +00:00
3d0db58d61
Get rid of the evil CMPSADDR macro. Trac #295 .
2009-07-03 06:41:46 +00:00
edd4f79009
From Yvan Vanhullebus: Use SADB_X_EXT_NAT_T_* consistently for passing the
...
NAT-T port information. This might break compatibility with some kernels,
but as discussed this is the proper way to pass NAT-T ports and the broken
kernels need to be fixed.
2009-07-03 06:40:10 +00:00
a8d702d9b1
Fix a call to null pointer: in some cases, the unmonitor_fd can be called
...
from another fd's callback. That could lead to still have callback pending
after unmonitoring the fd resulting in a call to null pointer.
This is fixed by making unmonitor_fd now clear the pending fd_set too.
Bug was introduced by my commit in 2008-12-23.
2009-06-24 11:28:48 +00:00
f61fedc250
typo
2009-05-20 07:54:50 +00:00
68ab535bfd
From Jukka Salmi: Fix couple of typos from previous commit.
2009-05-19 09:34:52 +00:00
0ab43f031c
From Tomas Mraz: Introduce union sockaddr_any and use it to make code
...
more readable. Related to trac #293 .
2009-05-18 17:40:38 +00:00
ef94861331
From Tomas Mraz: Remove variable that is not really used; only referenced
...
while uninitialized causing valgrind error.
2009-05-18 17:07:15 +00:00
5e83df8c82
From Tomas Mraz: Fix natt_flags check.
2009-05-18 17:00:42 +00:00
decd684ac0
Remove superfluous spaces around parentheses.
2009-05-04 22:28:30 +00:00
ec20a1edf8
From Ross Meng: Fix a memory leak in X509 certificate validation.
2009-04-29 10:50:01 +00:00
8bcee86f68
Reset nat_oa variables too when reusing phase two handler. Otherwise
...
phase2 rekeying might fail in some scenarios.
2009-04-28 13:54:07 +00:00
95b420bbeb
From Neil Kettle: Fix a possible null pointer dereference in fragmentation
...
code.
2009-04-22 11:24:20 +00:00
fab62310e7
Fix strict_address to work again. The lists needs to be initialized
...
before configuration is read, which happens before my_addr_init() call.
2009-04-21 18:38:31 +00:00
7019ec4077
Fix a memory leak in certificate request generation.
2009-04-20 13:24:36 +00:00
f273c7c2bb
Orignally from Bin Li: Fix possible memory corruption in binsanitize().
2009-04-20 13:23:54 +00:00
a2f9e36ab3
From Stephen Bevan: Fix a x509 signature verification memory leak.
2009-04-20 13:22:41 +00:00
b1fd61f62f
Originally from Bin Li: Fix a crash with racoonctl logout user.
2009-04-20 13:22:00 +00:00
8759a6c72c
Fix a memory leak in nat-t keepalive code.
2009-04-20 13:17:35 +00:00
8c22b469e0
From Paul Moore: Phase2 message id's should be unique wrt phase1, not
...
globally.
2009-04-20 13:16:52 +00:00
0c68acc1de
From Arnaud Ebalard: Fix couple of problems with previous commit.
2009-03-13 04:49:16 +00:00
976380d183
When casting to/from a pointer to an integral type (a bad practice,
...
if you ask me), you need to cast via intptr_t for portability.
2009-03-12 23:05:27 +00:00
2df943f931
New sentence, new line. Avoid marking up punctuation.
2009-03-12 15:18:57 +00:00
0d4480d10a
Bump date for previous. Sort options to establish-sa.
...
Stop using Xo/Xc.
2009-03-12 14:01:09 +00:00
983cc8fecf
Support multiple anonymous remotes and decide remoteconf based on identity,
...
received certificates and other information. General code clean up.
2009-03-12 10:57:26 +00:00
e3372d2f8f
setkey: fix deleteall in Linux
...
Linux requires SADB_DELETE message to have SPI. So send
a SADB_DELETE message for each matching SA. Trac #284 .
From: Gabriel Somlo <somlo@cmu.edu>
2009-03-06 11:45:03 +00:00
b1ab726a1a
From Paul Moore: Fix a heap corruption bug (yacc return non-null terminated
...
buffer and sprintf writes over bounds).
2009-02-16 18:36:21 +00:00
3723c0b8cf
trac#301: fixed IPsec SAs flush in purge_remote() when NAT-T enabled but no NAT-T on tunnel
2009-02-11 15:18:59 +00:00
ee2923bc73
From: Phil Sutter. Fix script environment variables with IPv6 addresses.
2009-02-03 20:21:45 +00:00
98b638ac57
Argument parsing needs lcconf initialized.
2009-01-26 18:13:06 +00:00
58b2161948
Sort options in usage.
2009-01-24 10:43:47 +00:00
a8e14ecee0
Sort options. New sentence, new line.
2009-01-24 10:43:38 +00:00
86a90d6c4e
Sort options.
2009-01-24 10:42:31 +00:00
e9d216a40d
Update usage and manpage for racoonctl.
2009-01-23 11:44:08 +00:00
c6d64c37e0
Racoon -v to print version and compilation information. Update usage
...
message.
2009-01-23 11:28:27 +00:00
1f949d3b6c
Update NEWS with major changes since 0.7 release.
2009-01-23 09:40:56 +00:00
731a29e03b
Fix monotonic scheduler change, to not refresh 'now' before exit. Otherwise
...
we can return negative timeout after spending time handling other events.
2009-01-23 09:10:13 +00:00
7bc9f9e4ee
From Arnaud Ebalard:
...
Handle reception of MIGRATE message during Phase 1 and Phase 2 negotiation.
Also corrects some debugging statements.
2009-01-23 08:32:58 +00:00
b9ba86c968
From Arnaud Ebalard:
...
On the responder (for instance), there is a need to not only migrate local
and remote addresses of Phase 1 that match previous addresses but also
the local and remote addresses of a Phase 1 *associated* with a migrated
Phase 2. For instance, we have that need when receiving the first
MIGRATE/KMADDRESS message because the old addresses are still the HoA and
the address of the HA (while the peer has contacted us using the CoA and
we have negotiated this address as src attribute in Phase 2). The patch
fixes that by having migrate_ph1_ike_addresses() called from
migrate_ph2_ike_addresses() callback.
2009-01-23 08:29:34 +00:00
54bcc916f5
From Arnaud Ebalard: Set phase2 spid when acting as responder.
2009-01-23 08:27:24 +00:00
5d5e4e2fa3
Detect if monotonic system clock is available, and use it for relative
...
time measurements to avoid complite hang if time jumps backwards.
2009-01-23 08:25:06 +00:00
49c6438a45
Fix authentication method ambiguity by internally using unique ID and
...
setting/interpreting the wire format based on received vendor ID:s. Fixes
trac #280 .
2009-01-23 08:23:51 +00:00
69697b4655
Introduce vendorid bitmask that can be used otherwhere to detect peer
...
capabilities.
2009-01-23 08:06:56 +00:00
2b7d4cd554
Remove "fastquit" configure option and make it the default behaviour. The
...
previous normal behaviour is buggy, as after flush kernel can immediately
create larval SA:s which would prevent exit.
2009-01-23 08:05:58 +00:00
2b68c3a06a
Autogenerate ChangeLog from NetBSD CVS. Put sourceforge.net changes to
...
ChangeLog.old.
2009-01-20 14:36:07 +00:00
67cbe60826
Make ready for HTML output.
...
Use proper escape for backslash ('\e').
2009-01-10 21:58:38 +00:00
f7557f766d
From Cyrus Rahman:
...
Accept RFC2253 compliant escaped special characters for asn1dn identifier.
2009-01-10 19:08:40 +00:00
a0b1dc6be0
Fix a CPPLAGS typo to CPPFLAGS which was intended
2009-01-09 06:31:38 +00:00
9df0ec5c7e
Fix a CPPLAGS type to CPPFLAGS which was intended
2009-01-09 06:31:37 +00:00
b264308e87
Remove obsolete configuration options, fix radius configuration block and
...
add GRE as recognized protocol.
2009-01-05 06:03:58 +00:00
328859aef7
Do not use counting in signal handling as it was unsafe by not using
...
atomic functions (post increment is not necessarily atomic).
Instead reap all children on SIGCHLD as that was the only signal needing
signal counting.
2009-01-05 06:00:27 +00:00
a3c1a92d23
schedular() call can now modify fd mask so make the working copy just
...
before calling select(); otherwise it can contain bad file descriptors
2008-12-30 15:50:24 +00:00
e5b90a2fc2
support icmp codes. Fixes PR 39056.
2008-12-29 12:54:33 +00:00
aa3382cd31
remove sin{6,}_len linux does not have it. From Timo Teras.
2008-12-24 20:20:52 +00:00
6c532322d2
I was wrong. addr is actually set.
2008-12-24 19:05:48 +00:00
16b17fbeab
- make this compile by zeroing out the whole structure not just bogus fields.
...
- set length field of sockets appropriately.
- mark bogus no-op code (I don't understand what the author intended here).
2008-12-24 15:25:44 +00:00
c1e7a459ca
Bump date for identity configuration option removal.
2008-12-23 19:28:18 +00:00
535280aca9
Remove the obsoleted global identity configuration option.
2008-12-23 14:04:42 +00:00
bd378f6dda
rewrite local address detection
...
make some functions static that arr not needed globally
rework how fd_set is construction for the main loop select()
2008-12-23 14:03:12 +00:00
182f0b93be
From Arnaud Ebalard:
...
Delete larval ph2handles when expire with hard lifetime received
2008-12-18 07:20:25 +00:00
50a2f2e6d0
Update README
2008-12-16 06:48:38 +00:00
b2b7434a10
Fix transport mode address selection in acquire handling.
...
Some earlier fixes got lost on 2008-12-05 commit.
2008-12-16 06:08:46 +00:00
a75f34b133
Fixed compilation on FreeBSD (RTM_IFINFO and RTM_OIFINFO stuff)
2008-12-11 15:45:24 +00:00
cffd15164d
Fixed compilation when DPD support is disabled
2008-12-11 15:33:59 +00:00
f140528153
Document my fix to src/racoon/privsep.c for the SIG_IGN typo on 2008-12-04.
2008-12-09 23:28:08 +00:00
dae665ff27
Do not cache pfkey sockets: it might cause to not handle some pfkey events
...
when select() has marked pfkey socket readable, but a timer callback first
calls pfkey_dump_sadb().
2008-12-08 06:00:53 +00:00
02f2a72861
From Arnaud Ebalard:
...
Improved Mobile IPv6 support per draft-ebalard-mext-pfkey-enhanced-migrate.
2008-12-05 06:02:20 +00:00
3ef91ecea8
Fix typo in previous and use SIG_IGN as I intended.
2008-12-04 22:30:26 +00:00
22b0737f30
Explicitly ignore SIGPIPE. Default action on Linux is terminate.
2008-12-02 07:41:43 +00:00
659c30f2ba
Remove empty line. Fix typo. New sentence, new line.
2008-11-28 22:37:44 +00:00
0b0a39b9f9
ModeConfig fixes
2008-11-27 15:04:34 +00:00
3a74e20575
Set up a default value for Mode Config Pool size if pool address specified but pool size not specified
2008-11-27 15:04:21 +00:00
054e0e851d
Fixed pool resizing
2008-11-27 15:04:16 +00:00
f863fa40c3
From Arnaud Ebalard:
...
Remove MAXNESTEDSA weirdness. It's probably meant for bundle support which
is not done. When someone actually writes bundle support, the nested SA
stuff would probably be reworked too anyway.
2008-11-27 11:08:48 +00:00
1c6c2a3356
From: Matthew Krenzer
...
Ability to set pfkey socket buffer size via configuration file directive.
(Indentation and minor fixes by me.)
2008-11-27 10:53:48 +00:00
e564489300
Document my changes from 2008-11-08 and today.
2008-11-25 22:39:20 +00:00
f798cbf18b
Avoid using MSG_NOSIGNAL as it is not available everywhere.
...
Ignore SIGPIPE instead.
2008-11-25 22:38:31 +00:00
d9c51cbeae
Ignore unspecified and looback addresses. Ignoring unspecified addresses
...
prevents racoon from trying to bind to the wildcard address and specific
addresses simultaneously after e.g. dhclient has changed an interface's
address to 0.0.0.0.
2008-11-25 22:00:15 +00:00
e7c2314bc8
RTM_DELETE and RTM_IFINFO don't carry info for added or deleted addresses.
...
Ignore them silently.
2008-11-25 21:54:05 +00:00
6db1040de3
Ignoring an unsuitable address is not an error. Therefore log it as
...
informational.
Make it clear from the log message that a route message is not interesting.
2008-11-25 21:50:47 +00:00
220cbdde75
Use insmyaddr() instead of open coding it.
2008-11-25 21:46:12 +00:00
b8d42d186b
Do not return erroneously from isakmp_open() when setting IPV6_USE_MIN_MTU
...
fails.
2008-11-25 21:42:36 +00:00
667107700d
Keep myaddr.sock at -1 when no socket is opened.
2008-11-25 21:37:11 +00:00
96020e15cb
Preserve owner and permissions of original /etc/resolv.conf.
...
Ensure that new /etc/resolv.conf isn't group or world writable.
2008-11-08 13:41:09 +00:00
447613dc6a
Print and check INTERNAL_NETMASK4.
2008-11-08 13:38:46 +00:00
aabe06ab2f
Make the handling of NAT-T SPD entries automatic.
2008-11-08 13:36:35 +00:00
5a8370eefd
Ensure that the determination of the default gateway and the corresponding
...
interface don't get confused by multiple, possibly non-IPv4 default routes.
Bring the NetBSD case of deleting the VPN routes and address in line with
the Linux case and delete the address after deleting the VPN routes.
2008-11-08 13:31:23 +00:00
33dafe234f
fixed delsainfo() to avoid a crash when iddst's value is SAINFO_CLIENTADDR
2008-11-06 14:12:28 +00:00
66f152db75
Add ChangeLog entry about S.P.Zeidler's commit. Fix my name in one place.
2008-11-01 06:55:10 +00:00
334414e667
Changes to ipsecdoi_id2str():
...
struct sockaddr -> struct sockaddr_storage fixes a stack overflow
For non-linklocal addresses the value in 'scope' is garbage and gets
set to zero instead.
2008-10-29 18:49:45 +00:00
0c1f013cc5
Fix commit dates to reflect reality.
2008-10-28 19:03:27 +00:00
ed890caaae
From Arnaud Ebalard:
...
Add missing return to error path
2008-10-27 06:27:05 +00:00
3ff331469e
From Francis Dupont (sent by Arnaud Ebalard):
...
recognize RTM_IFANNOUNCE
2008-10-27 06:24:27 +00:00
a06fc42a2e
From Arnaud Ebalard:
...
Fix indentation issues for readability
2008-10-27 06:21:29 +00:00
b186d55b63
From Arnaud Ebalard:
...
initfds() needs to be called only if monitored file descriptor numbers
have changed
2008-10-27 06:18:08 +00:00
38962f77a8
From Arnaud Ebalard:
...
Remove duplicate declaration
2008-10-27 06:14:04 +00:00
ede27c75ad
From Krzysztof Piotr Oledzki <olel@ans.pl>:
...
Revert parts of 2008-08-06 commit; the problem those changes address are
already handled in a sensible way by Cyrus Rahman's patch from 2008-03-06.
2008-10-23 10:56:10 +00:00
ab610e81be
Fix a spelling mistake in changelog
2008-10-09 16:44:31 +00:00
52d4b7db25
From Arnaud Ebalard: remove unnecessary unbindph12() call which is now done in remph2()
2008-10-09 15:53:12 +00:00
c724d51982
From Arnoud Ebalard <arno@natisbad.org>:
...
remove unnecessary unbindph12() call which is now done also in remph2()
2008-10-09 15:53:11 +00:00
105e5049b7
Fixed resending mechanism to have non-ESP marker for retransmitted packets
2008-09-25 09:34:13 +00:00
e829b0a440
New sentence, new line.
2008-09-19 17:33:24 +00:00
d1a09d5477
Implement ISAKMP SA rekeying configurable with rekey {on|off|force} option
...
in remote conf.
2008-09-19 11:14:49 +00:00
fbf62026bb
Change struct sched to be allocated be the caller to avoid some memory
...
allocations. Optimize scheduling algorithm to not scan all entries in
the main loop.
2008-09-19 11:01:08 +00:00
b383a5b3e4
Fixed port match in purge_ipsec_spi() when NAT-T enabled and trying to purge non NAT-T SAs
2008-09-17 12:39:07 +00:00
954f7757c0
Some calls to set_port() were not correctly updated in the previous commit
2008-09-09 11:50:42 +00:00
a20b313ea8
From Tomas Mraz: Duplicate addresses in pk_sendxxx functions, as they may be altered for NAT-T stuff.
2008-09-03 16:08:26 +00:00
4ead39ef24
Duplicate addresses in pk_sendxxx functions, as they may be altered for NAT-T stuff
2008-09-03 16:08:25 +00:00
dbd3f137ba
- Fix reloading of SPD (Linux satype check, handling of SPD dump responses)
...
- Remove some spurious error log message from extract_port()
2008-09-03 09:57:28 +00:00
dc1f2ff2f9
Eliminate gcc-specific feature of empty structures.
2008-08-29 00:31:37 +00:00
f3a85cb801
Eliminate superfluous semicolon.
2008-08-29 00:31:00 +00:00
b4e2d1afdf
Eliminate gcc-specific feature of unnamed structures added recently.
2008-08-29 00:30:15 +00:00
163d7169c0
From Krzysztof Piotr Oledzki: Remove ph1handler if we received an invalid first exchange from initiator.
2008-08-12 12:45:55 +00:00
32468f64a1
Remove ph1handler if we received an invalid first exchange from initiator
2008-08-12 12:45:54 +00:00
191869cf2a
From Krzysztof Piotr Oledzki:
...
Make privileged process exit if unprivileged process is terminated and
some spelling fixes.
2008-08-06 19:14:28 +00:00
tteras