Aren
/
NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
306,427 Commits 606 Branches 0 Tags 3.1 GiB
Commit Graph

692 Commits

Author SHA1 Message Date
tteras f273c7c2bb Orignally from Bin Li: Fix possible memory corruption in binsanitize(). 2009-04-20 13:23:54 +00:00
tteras a2f9e36ab3 From Stephen Bevan: Fix a x509 signature verification memory leak. 2009-04-20 13:22:41 +00:00
tteras b1fd61f62f Originally from Bin Li: Fix a crash with racoonctl logout user. 2009-04-20 13:22:00 +00:00
tteras 8759a6c72c Fix a memory leak in nat-t keepalive code. 2009-04-20 13:17:35 +00:00
tteras 8c22b469e0 From Paul Moore: Phase2 message id's should be unique wrt phase1, not 
globally.
 2009-04-20 13:16:52 +00:00
tteras 0c68acc1de From Arnaud Ebalard: Fix couple of problems with previous commit. 2009-03-13 04:49:16 +00:00
he 976380d183 When casting to/from a pointer to an integral type (a bad practice, 
if you ask me), you need to cast via intptr_t for portability.
 2009-03-12 23:05:27 +00:00
wiz 2df943f931 New sentence, new line. Avoid marking up punctuation. 2009-03-12 15:18:57 +00:00
wiz 0d4480d10a Bump date for previous. Sort options to establish-sa. 
Stop using Xo/Xc.
 2009-03-12 14:01:09 +00:00
tteras 983cc8fecf Support multiple anonymous remotes and decide remoteconf based on identity, 
received certificates and other information. General code clean up.
 2009-03-12 10:57:26 +00:00
tteras e3372d2f8f setkey: fix deleteall in Linux 
Linux requires SADB_DELETE message to have SPI. So send
a SADB_DELETE message for each matching SA. Trac #284.

From: Gabriel Somlo <somlo@cmu.edu>
 2009-03-06 11:45:03 +00:00
tteras b1ab726a1a From Paul Moore: Fix a heap corruption bug (yacc return non-null terminated 
buffer and sprintf writes over bounds).
 2009-02-16 18:36:21 +00:00
vanhu 3723c0b8cf trac#301: fixed IPsec SAs flush in purge_remote() when NAT-T enabled but no NAT-T on tunnel 2009-02-11 15:18:59 +00:00
tteras ee2923bc73 From: Phil Sutter. Fix script environment variables with IPv6 addresses. 2009-02-03 20:21:45 +00:00
tteras 98b638ac57 Argument parsing needs lcconf initialized. 2009-01-26 18:13:06 +00:00
wiz 58b2161948 Sort options in usage. 2009-01-24 10:43:47 +00:00
wiz a8e14ecee0 Sort options. New sentence, new line. 2009-01-24 10:43:38 +00:00
wiz 86a90d6c4e Sort options. 2009-01-24 10:42:31 +00:00
tteras e9d216a40d Update usage and manpage for racoonctl. 2009-01-23 11:44:08 +00:00
tteras c6d64c37e0 Racoon -v to print version and compilation information. Update usage 
message.
 2009-01-23 11:28:27 +00:00
tteras 1f949d3b6c Update NEWS with major changes since 0.7 release. 2009-01-23 09:40:56 +00:00
tteras 731a29e03b Fix monotonic scheduler change, to not refresh 'now' before exit. Otherwise 
we can return negative timeout after spending time handling other events.
 2009-01-23 09:10:13 +00:00
tteras 7bc9f9e4ee From Arnaud Ebalard: 
Handle reception of MIGRATE message during Phase 1 and Phase 2 negotiation.
Also corrects some debugging statements.
 2009-01-23 08:32:58 +00:00
tteras b9ba86c968 From Arnaud Ebalard: 
On the responder (for instance), there is a need to not only migrate local
and remote addresses of Phase 1 that match previous addresses but also
the local and remote addresses of a Phase 1 *associated* with a migrated
Phase 2. For instance, we have that need when receiving the first
MIGRATE/KMADDRESS message because the old addresses are still the HoA and
the address of the HA (while the peer has contacted us using the CoA and
we have negotiated this address as src attribute in Phase 2). The patch
fixes that by having migrate_ph1_ike_addresses() called from
migrate_ph2_ike_addresses() callback.
 2009-01-23 08:29:34 +00:00
tteras 54bcc916f5 From Arnaud Ebalard: Set phase2 spid when acting as responder. 2009-01-23 08:27:24 +00:00
tteras 5d5e4e2fa3 Detect if monotonic system clock is available, and use it for relative 
time measurements to avoid complite hang if time jumps backwards.
 2009-01-23 08:25:06 +00:00
tteras 49c6438a45 Fix authentication method ambiguity by internally using unique ID and 
setting/interpreting the wire format based on received vendor ID:s. Fixes
trac #280.
 2009-01-23 08:23:51 +00:00
tteras 69697b4655 Introduce vendorid bitmask that can be used otherwhere to detect peer 
capabilities.
 2009-01-23 08:06:56 +00:00
tteras 2b7d4cd554 Remove "fastquit" configure option and make it the default behaviour. The 
previous normal behaviour is buggy, as after flush kernel can immediately
create larval SA:s which would prevent exit.
 2009-01-23 08:05:58 +00:00
tteras 2b68c3a06a Autogenerate ChangeLog from NetBSD CVS. Put sourceforge.net changes to 
ChangeLog.old.
 2009-01-20 14:36:07 +00:00
wiz 67cbe60826 Make ready for HTML output. 
Use proper escape for backslash ('\e').
 2009-01-10 21:58:38 +00:00
tteras f7557f766d From Cyrus Rahman: 
Accept RFC2253 compliant escaped special characters for asn1dn identifier.
 2009-01-10 19:08:40 +00:00
tteras a0b1dc6be0 Fix a CPPLAGS typo to CPPFLAGS which was intended 2009-01-09 06:31:38 +00:00
tteras 9df0ec5c7e Fix a CPPLAGS type to CPPFLAGS which was intended 2009-01-09 06:31:37 +00:00
tteras b264308e87 Remove obsolete configuration options, fix radius configuration block and 
add GRE as recognized protocol.
 2009-01-05 06:03:58 +00:00
tteras 328859aef7 Do not use counting in signal handling as it was unsafe by not using 
atomic functions (post increment is not necessarily atomic).
Instead reap all children on SIGCHLD as that was the only signal needing
signal counting.
 2009-01-05 06:00:27 +00:00
tteras a3c1a92d23 schedular() call can now modify fd mask so make the working copy just 
before calling select(); otherwise it can contain bad file descriptors
 2008-12-30 15:50:24 +00:00
mlelstv e5b90a2fc2 support icmp codes. Fixes PR 39056. 2008-12-29 12:54:33 +00:00
christos aa3382cd31 remove sin{6,}_len linux does not have it. From Timo Teras. 2008-12-24 20:20:52 +00:00
christos 6c532322d2 I was wrong. addr is actually set. 2008-12-24 19:05:48 +00:00
christos 16b17fbeab - make this compile by zeroing out the whole structure not just bogus fields. 
- set length field of sockets appropriately.
- mark bogus no-op code (I don't understand what the author intended here).
 2008-12-24 15:25:44 +00:00
wiz c1e7a459ca Bump date for identity configuration option removal. 2008-12-23 19:28:18 +00:00
tteras 535280aca9 Remove the obsoleted global identity configuration option. 2008-12-23 14:04:42 +00:00
tteras bd378f6dda rewrite local address detection 
make some functions static that arr not needed globally
rework how fd_set is construction for the main loop select()
 2008-12-23 14:03:12 +00:00
tteras 182f0b93be From Arnaud Ebalard: 
Delete larval ph2handles when expire with hard lifetime received
 2008-12-18 07:20:25 +00:00
tteras 50a2f2e6d0 Update README 2008-12-16 06:48:38 +00:00
tteras b2b7434a10 Fix transport mode address selection in acquire handling. 
Some earlier fixes got lost on 2008-12-05 commit.
 2008-12-16 06:08:46 +00:00
vanhu a75f34b133 Fixed compilation on FreeBSD (RTM_IFINFO and RTM_OIFINFO stuff) 2008-12-11 15:45:24 +00:00
vanhu cffd15164d Fixed compilation when DPD support is disabled 2008-12-11 15:33:59 +00:00
bad f140528153 Document my fix to src/racoon/privsep.c for the SIG_IGN typo on 2008-12-04. 2008-12-09 23:28:08 +00:00
tteras dae665ff27 Do not cache pfkey sockets: it might cause to not handle some pfkey events 
when select() has marked pfkey socket readable, but a timer callback first
calls pfkey_dump_sadb().
 2008-12-08 06:00:53 +00:00
tteras 02f2a72861 From Arnaud Ebalard: 
Improved Mobile IPv6 support per draft-ebalard-mext-pfkey-enhanced-migrate.
 2008-12-05 06:02:20 +00:00
bad 3ef91ecea8 Fix typo in previous and use SIG_IGN as I intended. 2008-12-04 22:30:26 +00:00
tteras 22b0737f30 Explicitly ignore SIGPIPE. Default action on Linux is terminate. 2008-12-02 07:41:43 +00:00
wiz 659c30f2ba Remove empty line. Fix typo. New sentence, new line. 2008-11-28 22:37:44 +00:00
vanhu 0b0a39b9f9 ModeConfig fixes 2008-11-27 15:04:34 +00:00
vanhu 3a74e20575 Set up a default value for Mode Config Pool size if pool address specified but pool size not specified 2008-11-27 15:04:21 +00:00
vanhu 054e0e851d Fixed pool resizing 2008-11-27 15:04:16 +00:00
tteras f863fa40c3 From Arnaud Ebalard: 
Remove MAXNESTEDSA weirdness. It's probably meant for bundle support which
is not done. When someone actually writes bundle support, the nested SA
stuff would probably be reworked too anyway.
 2008-11-27 11:08:48 +00:00
tteras 1c6c2a3356 From: Matthew Krenzer 
Ability to set pfkey socket buffer size via configuration file directive.
(Indentation and minor fixes by me.)
 2008-11-27 10:53:48 +00:00
bad e564489300 Document my changes from 2008-11-08 and today. 2008-11-25 22:39:20 +00:00
bad f798cbf18b Avoid using MSG_NOSIGNAL as it is not available everywhere. 
Ignore SIGPIPE instead.
 2008-11-25 22:38:31 +00:00
bad d9c51cbeae Ignore unspecified and looback addresses. Ignoring unspecified addresses 
prevents racoon from trying to bind to the wildcard address and specific
addresses simultaneously after e.g. dhclient has changed an interface's
address to 0.0.0.0.
 2008-11-25 22:00:15 +00:00
bad e7c2314bc8 RTM_DELETE and RTM_IFINFO don't carry info for added or deleted addresses. 
Ignore them silently.
 2008-11-25 21:54:05 +00:00
bad 6db1040de3 Ignoring an unsuitable address is not an error. Therefore log it as 
informational.
Make it clear from the log message that a route message is not interesting.
 2008-11-25 21:50:47 +00:00
bad 220cbdde75 Use insmyaddr() instead of open coding it. 2008-11-25 21:46:12 +00:00
bad b8d42d186b Do not return erroneously from isakmp_open() when setting IPV6_USE_MIN_MTU 
fails.
 2008-11-25 21:42:36 +00:00
bad 667107700d Keep myaddr.sock at -1 when no socket is opened. 2008-11-25 21:37:11 +00:00
bad 96020e15cb Preserve owner and permissions of original /etc/resolv.conf. 
Ensure that new /etc/resolv.conf isn't group or world writable.
 2008-11-08 13:41:09 +00:00
bad 447613dc6a Print and check INTERNAL_NETMASK4. 2008-11-08 13:38:46 +00:00
bad aabe06ab2f Make the handling of NAT-T SPD entries automatic. 2008-11-08 13:36:35 +00:00
bad 5a8370eefd Ensure that the determination of the default gateway and the corresponding 
interface don't get confused by multiple, possibly non-IPv4  default routes.
Bring the NetBSD case of deleting the VPN routes and address in line with
the Linux case and delete the address after deleting the VPN routes.
 2008-11-08 13:31:23 +00:00
vanhu 33dafe234f fixed delsainfo() to avoid a crash when iddst's value is SAINFO_CLIENTADDR 2008-11-06 14:12:28 +00:00
tteras 66f152db75 Add ChangeLog entry about S.P.Zeidler's commit. Fix my name in one place. 2008-11-01 06:55:10 +00:00
spz 334414e667 Changes to ipsecdoi_id2str(): 
struct sockaddr -> struct sockaddr_storage fixes a stack overflow

For non-linklocal addresses the value in 'scope' is garbage and gets
set to zero instead.
 2008-10-29 18:49:45 +00:00
tteras 0c1f013cc5 Fix commit dates to reflect reality. 2008-10-28 19:03:27 +00:00
tteras ed890caaae From Arnaud Ebalard: 
Add missing return to error path
 2008-10-27 06:27:05 +00:00
tteras 3ff331469e From Francis Dupont (sent by Arnaud Ebalard): 
recognize RTM_IFANNOUNCE
 2008-10-27 06:24:27 +00:00
tteras a06fc42a2e From Arnaud Ebalard: 
Fix indentation issues for readability
 2008-10-27 06:21:29 +00:00
tteras b186d55b63 From Arnaud Ebalard: 
initfds() needs to be called only if monitored file descriptor numbers
have changed
 2008-10-27 06:18:08 +00:00
tteras 38962f77a8 From Arnaud Ebalard: 
Remove duplicate declaration
 2008-10-27 06:14:04 +00:00
tteras ede27c75ad From Krzysztof Piotr Oledzki <olel@ans.pl>: 
Revert parts of 2008-08-06 commit; the problem those changes address are
already handled in a sensible way by Cyrus Rahman's patch from 2008-03-06.
 2008-10-23 10:56:10 +00:00
tteras ab610e81be Fix a spelling mistake in changelog 2008-10-09 16:44:31 +00:00
tteras 52d4b7db25 From Arnaud Ebalard: remove unnecessary unbindph12() call which is now done in remph2() 2008-10-09 15:53:12 +00:00
tteras c724d51982 From Arnoud Ebalard <arno@natisbad.org>: 
remove unnecessary unbindph12() call which is now done also in remph2()
 2008-10-09 15:53:11 +00:00
vanhu 105e5049b7 Fixed resending mechanism to have non-ESP marker for retransmitted packets 2008-09-25 09:34:13 +00:00
wiz e829b0a440 New sentence, new line. 2008-09-19 17:33:24 +00:00
tteras d1a09d5477 Implement ISAKMP SA rekeying configurable with rekey {on|off|force} option 
in remote conf.
 2008-09-19 11:14:49 +00:00
tteras fbf62026bb Change struct sched to be allocated be the caller to avoid some memory 
allocations. Optimize scheduling algorithm to not scan all entries in
the main loop.
 2008-09-19 11:01:08 +00:00
vanhu b383a5b3e4 Fixed port match in purge_ipsec_spi() when NAT-T enabled and trying to purge non NAT-T SAs 2008-09-17 12:39:07 +00:00
vanhu 954f7757c0 Some calls to set_port() were not correctly updated in the previous commit 2008-09-09 11:50:42 +00:00
vanhu a20b313ea8 From Tomas Mraz: Duplicate addresses in pk_sendxxx functions, as they may be altered for NAT-T stuff. 2008-09-03 16:08:26 +00:00
vanhu 4ead39ef24 Duplicate addresses in pk_sendxxx functions, as they may be altered for NAT-T stuff 2008-09-03 16:08:25 +00:00
tteras dbd3f137ba - Fix reloading of SPD (Linux satype check, handling of SPD dump responses) 
- Remove some spurious error log message from extract_port()
 2008-09-03 09:57:28 +00:00
gmcgarry dc1f2ff2f9 Eliminate gcc-specific feature of empty structures. 2008-08-29 00:31:37 +00:00
gmcgarry f3a85cb801 Eliminate superfluous semicolon. 2008-08-29 00:31:00 +00:00
gmcgarry b4e2d1afdf Eliminate gcc-specific feature of unnamed structures added recently. 2008-08-29 00:30:15 +00:00
vanhu 163d7169c0 From Krzysztof Piotr Oledzki: Remove ph1handler if we received an invalid first exchange from initiator. 2008-08-12 12:45:55 +00:00
vanhu 32468f64a1 Remove ph1handler if we received an invalid first exchange from initiator 2008-08-12 12:45:54 +00:00
tteras 191869cf2a From Krzysztof Piotr Oledzki: 
Make privileged process exit if unprivileged process is terminated and
some spelling fixes.
 2008-08-06 19:14:28 +00:00
mgrooms 9ef0a25aeb Add some missing ifdefs required for non-radius enabled builds. 2008-07-23 17:36:00 +00:00
tteras 4521811287 Do not use GNU make specific extension. 2008-07-23 13:53:08 +00:00
tteras 28aa26f3de Do flex/bison invocation in a more standard way, and keep the generated 
files in the dist tarball.
 2008-07-23 09:06:51 +00:00
vanhu 826c52702d From Kohki Ohhira: fix some memory leaks, when malloc fails or when peer sends invalid proposal. 2008-07-22 13:25:18 +00:00
vanhu 754d7776f7 fixed some memory leaks, when malloc fails or when peer sends invalid proposals 2008-07-22 13:25:17 +00:00
mgrooms fd9755072f Add an optional radius configuration section to the racoon.conf file. This 
is similar to the the LDAP configuration section and overrides settings in
the system radius configuration file.
 2008-07-22 01:30:02 +00:00
tron 0cc0bec23e Correct typo to fix the build. 2008-07-21 09:43:03 +00:00
tteras ca3b7c5a9f Separate generic vendor id handling to a new function and use it. 2008-07-21 06:26:06 +00:00
tteras 7a1c3cb1b8 Do not set default gss id if xauth is used, otherwise gss-id attribute 
might be sent even if it was not requested.
 2008-07-21 06:24:29 +00:00
mgrooms 879eeb1025 Fix an a typo that prevented racoon from building with hybrid enabled. 2008-07-15 02:16:58 +00:00
mgrooms 6353d50296 Update changelog which was missed in my previous commit. 2008-07-15 00:53:36 +00:00
mgrooms 8f0b3482bc Fix a conflict with the FreeBSD 8 system hexdump function. 2008-07-15 00:47:09 +00:00
tteras 56a42db6a6 Handle RESPONDER-LIFETIME notification in quick mode. 2008-07-14 05:45:15 +00:00
tteras 583275a951 Clean up notification payload handling. Handle INITIAL-CONTACT notification 
in last main mode exchange (delayed) and during quick mode exchanges.
 2008-07-14 05:40:13 +00:00
tteras 75bc4bd6cd Original patch from Atis Elsts: 
Fix a double memory free and a memory corruption (LIST_REMOVE() on
an uninserted node) in some error handling paths.
 2008-07-11 08:02:06 +00:00
tteras 7f51b6fe42 From Chong Peng: 
fix a file descriptor and memory leak on configuration file reread
 2008-07-09 12:16:50 +00:00
vanhu d20c6ed916 From Timo Teras: fix some %d to %zu (size_t values) 2008-07-02 14:46:27 +00:00
vanhu 874968c865 fixed some %d to %zu (size_t values) 2008-07-02 14:46:26 +00:00
wiz bf3ddb193b Bump date for previous. 2008-06-18 07:40:16 +00:00
mgrooms 93c1205f96 Add an admin port command to retrieve the peer certificate. Submitted by Timo Teras. 2008-06-18 07:12:04 +00:00
mgrooms c47cb1615c Add an admin port command to retrieve the peer certificate. Submitted by 
Timmo Teras.
 2008-06-18 07:12:03 +00:00
mgrooms 01e8cc1e5d Set sockets to be closed on exec to avoid potential file descriptor inheritance issues. Submitted by Timo Teras. 2008-06-18 07:04:23 +00:00
mgrooms 5d397c5ba5 Set sockets to be closed on exec to avoid potential file descriptor 
inheritance issues. Submitted by Timmo Teras.
 2008-06-18 07:04:22 +00:00
mgrooms 7598372e37 Use utility functions to evaluate and manipulate network port values. No functional changes. Submitted by Timo Teras. 2008-06-18 06:47:25 +00:00
mgrooms 2c40396f3a Use utility functions to evaluate or manipulate network port values. No 
functional changes. Submitted by Timmo Teras.
 2008-06-18 06:47:24 +00:00
mgrooms 7dac642960 Admin port code cleanup. No functional changes. Submitted by Timo Teras. 2008-06-18 06:27:49 +00:00
mgrooms 18fc645e9a Admin port code cleanup. No functional changes. Submitted by Timmo Teras. 2008-06-18 06:27:48 +00:00
mgrooms 9345b05cc4 Correct a phase2 status event. Submitted by Timo Teras. 2008-06-18 06:11:38 +00:00
mgrooms b163716d45 Correct a phase2 status event. Submitted by Timmo Teras. 2008-06-18 06:11:37 +00:00
christos aa3b40a116 Coverity CID 5018: Fix double frees. 2008-05-24 18:39:40 +00:00
manu 2a499f37b6 From Christian Hohnstaedt: allow out of tree building 2008-05-08 12:24:50 +00:00
martin 11a6dbe728 Convert TNF licenses to new 2 clause variant 2008-04-30 13:10:46 +00:00
vanhu ed9bfcd9c2 From Timo Teras: extract port numbers from SADB_X_EXT_NAT_T[SD]PORT if present in purge_ipsec_spi(). 2008-04-25 14:41:18 +00:00
vanhu c6898eabf6 extract ports information from SADB_X_EXT_NAT_T_[SD]PORT if present in purge_ipsec_spi() 2008-04-25 14:41:17 +00:00
christos 57a7ea54be for symmetry set controllen the same way we set it on the receiving side. 2008-04-13 21:45:19 +00:00
manu 1c3bd4b930 fix Linux build 2008-04-02 19:02:50 +00:00
christos 5ae92982aa properly fix the variable stack allocation code. 2008-03-28 21:18:45 +00:00
manu fe6642740b Still from Cyrus Rahman: fix file descriptor leak introduced by previous 
commit.
 2008-03-28 20:28:14 +00:00
manu 1d223a6207 From Cyrus Rahman: Allow interface reconfiguration when running in privilege separation mode, document privilege separation 2008-03-28 04:18:52 +00:00
manu 182dbe8881 From Cyrus Rahman <crahman@gmail.com> 
Allow interface reconfiguration when running in privilege separation mode,
document privilege separation
 2008-03-28 04:18:51 +00:00
vanhu b5ae261d16 Generates a log if cert validation has been disabled by configuration 2008-03-06 17:00:03 +00:00
manu b6b6316484 From Cyrus Rahman <crahman@gmail.com> 
privilegied instance exit when unprivilegied one terminates. Save PID in real root, not in chroot
 2008-03-06 04:29:20 +00:00
mgrooms 1e1f81eb1d Add the ability to initiate IPsec SA negotiations using the admin socket. 
Submitted by Timo Teras.
 2008-03-06 00:46:04 +00:00
mgrooms 3fd729ad89 Refactor admin socket event protocol to be less error prone. Backwards compatibility is provided. Submitted by Timo Teras. 2008-03-06 00:34:11 +00:00
mgrooms 089a95fdcd Refactor admin socket event protocol to be less error prone. Backwards 
compatibility is provided. Submitted by Timmo Teras.
 2008-03-06 00:34:10 +00:00
mgrooms 5e5c5d5011 Properly initialize the unity network struct to prevent erroneous protocol 
and port info from being transmitted.
 2008-03-05 22:27:50 +00:00
mgrooms f771df75b3 Reload SPD on SIGHUP or adminport reload. Also provide better handling for 
pfkey socket read errors. Submitted by Timo Teras.
 2008-03-05 22:09:44 +00:00
manu 5ae99b01fd Missing entries for last changes 2008-02-25 20:14:05 +00:00
manu 6ee9ace370 From Brian Haley <brian.haley@hp.com> 
There's a cut/paste error in cmp_aproppair_i(), it's supposed to be
checking spi_size but it's not.  I'm not sure this patch is correct, but
what's there isn't either.
 2008-02-25 20:06:55 +00:00
manu ebc590d76a Fix address length, from Brian Haley 2008-02-22 18:50:03 +00:00
spz a91c432416 closes PR bin/37644 
did not meet violent opposition ( :) ) on ipsec-tools-devel
 2008-02-10 12:11:08 +00:00
vanhu 4aacbd15e1 From Timo Teras: reset iph1->dpd_r_u in the scheduler's callback, to avoid access to freed memory. 2008-01-11 14:27:34 +00:00
vanhu ca6b517233 reset iph1->dpd_r_u in the scheduler's callback, to avoid some access to freed memory 2008-01-11 14:27:33 +00:00
vanhu e0b7c2f9ec reported somes fixes from Krzysztof Oledzki 2008-01-11 14:09:50 +00:00
vanhu 90cd29a77c From Krzysztof Oledzki: Fix compilation with IDEA and recent gcc. 2008-01-11 14:09:05 +00:00
vanhu 5e3ace1c19 From Krzysztof Oledzki: added some details to some logs (also reported new getph1byaddr() arg). 2008-01-11 14:08:29 +00:00
vanhu e8714f7763 From Krzysztof Oledzki: Only search for established ph1 handles in DPD (also reported new getph1byaddr() arg). 2008-01-11 14:07:39 +00:00
vanhu 223c4f34ce added an 'established' arg to getph1byaddr() 2008-01-11 14:06:56 +00:00
mgrooms c825a8ee5f Add GRE protocol number to racoonctl. Correct id wildcard matching for transport mode. Submitted by Timo Teras. 2007-12-31 01:42:07 +00:00
mgrooms e2eda5513a Add GRE protocol number to racoonctl. Correct id wildcard matching for transport mode. Submitted by Timmo Teras. 2007-12-31 01:42:06 +00:00
mgrooms 3a210f56fc Add corrections submitted in a follow up patch for the nat-t oa support. 2007-12-12 05:08:28 +00:00
mgrooms 892304dffa Add support for nat-t oa payload handling. Submitted by Timo Teras. 2007-12-12 04:45:59 +00:00
mgrooms 4454243c5b Add changelog entries missed in the last commit. 2007-12-04 19:54:24 +00:00
mgrooms 2ada148e80 Modify ipsecdoi_sockaddr2id() to obtain an id without specifying the exact prefix length. Correct a memory leak in phase2. Both submitted by Timo Teras. 2007-12-04 19:52:30 +00:00
wiz e5326240e8 Fix typos. New sentence, new line. 2007-12-01 19:24:47 +00:00
vanhu 3139da7ed3 From Natanael Copa: fixed a race condition when building yacc stuff. 2007-11-29 16:22:08 +00:00
vanhu 45ebb13627 fixed a race condition when building yacc stuff 2007-11-29 16:22:07 +00:00
vanhu e76e80b28b From Arnaud Ebalard: some sanity checks, debug, and a better matching of SPD entries in getsp_r() 2007-11-09 16:28:14 +00:00
vanhu faf3c4a53b From Arnaud Ebalard: Some sanity checking in pk_recv() 2007-11-09 16:27:58 +00:00
vanhu 70597b6cab From Arnaud Ebalard: Better matching of SPD entries in getsp_r(). 2007-11-09 16:27:47 +00:00
vanhu cd8d63d79e From Arnaud Ebalard: Added some debug in get_proposal_r(). 2007-11-09 16:27:42 +00:00
manu 57c0ea0775 Add SPLITNET_{INCLUDR_LOCAL}_CIDR to hook scripts 2007-10-19 03:37:18 +00:00
vanhu 702eac21e5 Try to increase the buffer size of the pfkey socket, this may help things when we have a huge SPD 2007-10-15 16:05:01 +00:00
vanhu 657e6e5324 new plog macro 2007-10-02 09:48:08 +00:00
vanhu 4e4df07d61 From Scott Lamb: include plog.h to work with the new plog macro. 2007-10-02 09:47:55 +00:00
vanhu 400c6ca5a9 From Scott Lamb: plog changed to _plog to work with new plog macro 2007-10-02 09:47:45 +00:00
vanhu c12d0d481a From Scott Lamb: new plog macro. 2007-10-02 09:47:40 +00:00
mgrooms 26182f1f5d Set REUSE option on sockets to prevent failures associated with closing and immediately re-opening. Submitted by Gabriel Somlo. 2007-09-19 19:29:36 +00:00
mgrooms 33e6656ef9 Prevent duplicate entries in splitnet list. Submitted by Gabriel Somlo. 2007-09-19 19:20:25 +00:00
mgrooms 8293a09746 Fix autoconf check for selinux support. Submitted by Joy Latten. 2007-09-13 00:26:14 +00:00
mgrooms aca8e1eed2 Implement clientaddr sainfo remote id option and refine the sainfo man page syntax. 2007-09-12 23:39:49 +00:00
mgrooms 324a68d0b7 Sort sainfo sections on insert and improve matching logic. 2007-09-05 06:55:44 +00:00
mgrooms edac7dae7c Correct the syntax for wins4 in the man page and add nbns4 as an alias. Pointed out by Claas Langbehn. 2007-09-03 18:08:42 +00:00
manu 1c79bc103b src/racoon/isakmp_xauth.c: Don't mix up RADIUS authentication and 
authorization ports. Allow interoperability with freeradius
 2007-08-07 04:35:01 +00:00
mgrooms 8628a88239 Update NEWS file with additional 0.7 improvements. 2007-07-24 04:29:23 +00:00
mgrooms 9b7e05e155 Various racoon configuration manpage updates. 2007-07-18 22:50:47 +00:00
vanhu c3bc7fe364 use a single PATH_IPSEC_H to fix some path_to_ipsec.h issues 2007-07-18 12:07:49 +00:00
vanhu 9f7ae421ea fixed a socket leak 2007-07-16 15:05:10 +00:00
vanhu 0fd2ceaf72 indentation 2007-07-16 15:03:13 +00:00
manu 72fe4c3a84 From Paul Winder <Paul.Winder@tadpole.com>: 
Fix ignored INTERNAL_DNS4_LIST
 2007-06-07 20:04:26 +00:00
vanhu 6ae0ffb7d9 From Rong-En Fan: fix compilation with gcc 4.2 2007-06-06 15:37:15 +00:00
vanhu cc41629a4c fixed compilation with gcc 4.2 2007-06-06 15:37:14 +00:00
vanhu 6817ea28d9 speeds up interfaces update when they changed 2007-06-06 09:47:30 +00:00
vanhu 1ed22670fa From Jianli Liu: speed up interfaces update when they change. 2007-06-06 09:47:29 +00:00
vanhu 7c53bfe0b6 ignore obsolete lifebyte when validating reloaded configuration 2007-06-06 09:18:16 +00:00
manu a16fcccee0 From Joy Latten <latten@austin.ibm.com> 
Fix file descriptor shortage when using labeled IPsec.
 2007-05-31 19:54:54 +00:00
manu 23326f5b62 From Jianli Liu <jlliu@nortel.com>: 
In racoonctl, use the specified socket path instead of the default location
 2007-05-30 21:02:39 +00:00
christos 538010e358 coverity CID 4168: yyerror() does not return, so we proceed to de-reference 
NULL. Make it return -1 instead like in other places.
 2007-05-16 21:00:40 +00:00
christos dc073934fe coverity CID 4170: yyerror() does not return, so we proceed to de-reference 
NULL. Make it return -1 instead like in other places.
 2007-05-16 20:59:04 +00:00
vanhu 5e29f1f1bb search a ph1 by address if iph2->ph1 is NULL when validating the new config 2007-05-04 14:33:38 +00:00
vanhu 79dfa780cb ... 2007-05-04 09:10:07 +00:00
vanhu 0f20ab497d added some debug in getph1byaddr() to track some port matching problems with NAT-T 2007-05-04 09:09:54 +00:00
vanhu e91f01072a added some debug in isakmp_chkph1there() to track some port matching problems with NAT-T 2007-05-04 09:09:47 +00:00
vanhu ff0f36d165 added some debug for DELETE_SA process 2007-05-04 09:09:35 +00:00
vanhu ae24f5b259 Force the update of ph2 in pk_recvupdate() if NAT_T support, to solve some port match problems with the first IPSec SAs negociated as initiator 2007-05-04 09:09:26 +00:00
vanhu ace683e685 checks proto_id in ipsecdoi_chkcmpids() 2007-04-04 13:09:36 +00:00
vanhu f31c3aee8e dumps peer's ID and peer's certificate subject /subjectaltname if they don't match 2007-04-04 13:07:31 +00:00
vanhu 52c7a2891e Store the DPD main scheduler in ph1 handler, to be able to cancel it when removing the handler, and some minor cleanups in DPD code 2007-03-26 15:58:07 +00:00
christos 8f6921b522 PR/36069: Huang Yushuo: racoon can't work with pam_group 
Set RUSER.
 2007-03-24 02:07:42 +00:00
vanhu 2af4eed892 From Joy Latten: fix a segfault when using security labels between 32bit and 64bit host. 2007-03-23 15:43:19 +00:00
vanhu 38a126966c fixed a segfault when using security labels between a 32bit and a 64bit host 2007-03-23 15:43:18 +00:00
vanhu 27934310cd expire zombie handlers in getph2byid(), to avoid situations where we'll never negociate a phase2 again 2007-03-23 15:34:31 +00:00
vanhu 1046a9e619 From Cyrus Rahman: give more details about what is checked when using certificates to authenticate 2007-03-23 09:57:29 +00:00
vanhu a1d41ca41d give more details about what is checked when using certificates to authenticate 2007-03-23 09:57:28 +00:00
vanhu 27187d08ab fixed subnet check to generate IPV4_ADDRESS when needed in sockaddr2id() 2007-03-22 10:26:19 +00:00
vanhu 002f3b4723 checks if arg is NULL in SCHED_KILL 2007-03-21 14:37:58 +00:00
vanhu 452cfb7edf NULL sched check is now done in SCHED_KILL 2007-03-21 14:29:22 +00:00
vanhu 43c152a498 checks if arg is NULL in SCHED_KILL 2007-03-21 14:28:59 +00:00
vanhu a270a7afb9 From Yves-Alexis Perez: enable monitoring of ipv6 address changes on Linux. 2007-03-15 14:12:12 +00:00
vanhu 7a26f531db enable monitoring of ipv6 addresse changes on linux 2007-03-15 14:12:11 +00:00
vanhu 0fca99dc2f Consider a negociation timeout when retry_counter is <=0 instead of < 0 2007-03-15 10:37:44 +00:00
mgrooms adf474a143 Add logic to allow ip address ids to be matched to ip subnet ids when 
appropriate.
 2007-02-28 05:36:45 +00:00
vanhu f1c1e37275 block variable declaration before code in ipsecdoi_id2str() 2007-02-21 11:01:06 +00:00
vanhu 740b198715 Removed a debug printf.... 2007-02-20 16:32:28 +00:00
vanhu bd81981229 Only delete a generated SPD if it's creation date matches the creation date of the SA we are currently deleting 2007-02-20 09:11:30 +00:00
vanhu 1cb0c229b8 updated delete_spd() calls 2007-02-20 09:11:14 +00:00
vanhu 19df9f5fcc fills creation date of generated SPDs 2007-02-20 09:11:03 +00:00
vanhu 57d8173408 added 'created' var 2007-02-20 09:10:47 +00:00
vanhu 3c99a9f776 Removed a debug printf.... 2007-02-19 13:08:47 +00:00
vanhu 496e74bcde From Olivier Warin: Fix a %zu in a printf. 2007-02-16 11:01:35 +00:00
vanhu 834d2e72c5 Fixed a %zu in a printf 2007-02-16 11:01:34 +00:00
manu eac241862b Missing SELinux file 2007-02-15 16:31:38 +00:00
manu 1b2a464d38 Missing stuff for SELinux 2007-02-15 16:23:40 +00:00
vanhu 6c4dc9e4c6 From "Uncle Pedro" on sf.net: Just expire a ph1 handle when receiving a DELETE-SA instead of calling purge_remote(). 2007-02-15 13:01:26 +00:00
vanhu 5f4b4e0b21 Just expire a ph1 handle when receiving a DELETE-SA instead of calling purge_remote() 2007-02-15 13:01:25 +00:00
vanhu 6ced6eb0cd Fixed the way phase1/2 messages are sent/resent, to avoid zombie handles and acces to freed memory 2007-02-15 10:19:24 +00:00
vanhu 5374d6ac89 Fixed a check of NAT-T support in libipsec 2007-02-02 13:42:28 +00:00
vanhu 1634f1d295 From "Uncle Pedro" on sf.net: When receiving an ISAKMP DELETE_SA, get the cookie of the SA to be deleted from payload instead of just deleting the ISAKMP SA used to protect the informational exchange. 2007-02-01 08:48:32 +00:00
vanhu e25ad0ee61 When receiving an Isakmp DELETE_SA, gets the cookie of the SA to be deleted from payload instead of just deleting the Isakmp SA used to protect the informational 2007-02-01 08:48:31 +00:00
alc bdf6fc4f47 CID-4167: check for 'iph1->approval != NULL' 2006-12-26 00:04:00 +00:00
wiz 9e2cc05c4b Use even more macros. 2006-12-23 09:29:53 +00:00
wiz 710cf70831 Use more macros. 2006-12-23 09:29:01 +00:00
wiz fc51d9d324 Serial comma, and bump date for previous. 2006-12-23 09:22:52 +00:00
vanhu 1a38b96eff From Joy Latten: fix a memory leak 2006-12-18 10:15:30 +00:00
vanhu 591299b29f fixed a memory leak in crypto_openssl 2006-12-18 10:15:29 +00:00
manu fcdf5459d0 branch 0.7 created 2006-12-10 22:36:06 +00:00
manu 7c683c0b23 Bring back API and ABI backward compatibility with previous libipsec before 
recent interface change. Bump libipsec minor version. Remove ifdefs in
struct pfkey_send_sa_args to avoid ABI compatibility lossage.
Add a capability flags to detect missing optional feature in libipsec
 2006-12-10 18:46:39 +00:00
manu 78f5cfece3 From Joy Latten: README.plainrsa documenting plain RSA auth 2006-12-10 05:51:14 +00:00
manu 99a403e274 From Joy Latten: Add support for SELinux security contexts. Also cleanup the 
libipsec interface for adding and updating security associations.
 2006-12-09 05:52:57 +00:00
manu 10cadc281e From Simon Chang: More hints about plain RSA authentication 2006-12-09 05:44:34 +00:00
vanhu 3db7f7800e Check keys length regarding proposal_check level 2006-12-05 13:38:40 +00:00
mgrooms 8ceadc3208 Correct issues associated with anonymous sainfo selection in racoon. 2006-11-16 00:30:55 +00:00
christos 9f3fa7dc87 eliminate the only variable stack array allocation. 2006-11-09 20:22:18 +00:00
cbiere 577883a31d Don't define the deprecated IPV6_RECVDSTADDR if the "advanced IPv6 API" is 
used because IPV6_RECVPKTINFO and IPV6_PKTINFO are used to prevent
potential bugs in the future just in case that the numeric value of the
socket option is ever recycled.
 2006-10-31 00:17:21 +00:00
vanhu b0d7d1da89 From Michal Ruzicka: fix typos 2006-10-22 15:10:31 +00:00
vanhu df130f3c13 fixed typos 2006-10-22 15:10:30 +00:00
vanhu 5328e8c78b Added ipsecdoi_chkcmpids() function 2006-10-19 09:36:22 +00:00
vanhu 3835b0b6a5 From Matthew Grooms: use ipsecdoi_chkcmpids() and changed src/dst to loc/rmt in getsainfo(). 2006-10-19 09:35:51 +00:00
vanhu b0f2fc5ddb From Matthew Grooms: Added ipsecdoi_chkcmpids() function. 2006-10-19 09:35:44 +00:00
manu 966e3f130f Fix memory leak (Coverity 3438 and 3437) 2006-10-09 06:32:59 +00:00
manu 331d3b1287 List modified files for last commit 2006-10-09 06:21:11 +00:00
manu 6eca4f09f3 Correctly check read() return value: it's signed (Coverity 1251) 2006-10-09 06:17:20 +00:00
manu 56f4977415 Camelia cipher support as in RFC 4312, from Tomoyuki Okazaki 
<okazaki@kick.gr.jp>
 2006-10-06 12:02:26 +00:00
manu 20d3dfdcfa fix endianness issue introduced yesterday 2006-10-03 20:43:10 +00:00
vanhu 2b72a4f236 remoteid/ph1id support 2006-10-03 08:04:31 +00:00
vanhu b45c893ef4 Added remoteid/ph1id syntax 2006-10-03 08:03:59 +00:00
vanhu 7d2c6acefd Parses remoteid/ph1id values 2006-10-03 08:03:33 +00:00
vanhu dd3c365568 Uses remoteid/ph1id values 2006-10-03 08:02:51 +00:00
vanhu 80d5a8a518 Added remoteid/ph1id values 2006-10-03 08:01:56 +00:00
manu 9547d0f260 avoid reusing free'd pointer (Coverity 2613) 2006-10-02 21:51:33 +00:00
manu 1966cc3311 Check for NULL pointer (COverity 4175) 2006-10-02 21:47:32 +00:00
manu e1ade705e1 Remove dead code (Coverity 3451) 2006-10-02 21:41:59 +00:00
manu 520ec462f7 Fix array overrun (Coverity 4172) 2006-10-02 21:33:14 +00:00
manu e5d24ec446 Fix memory leak (Coverity 2002) 2006-10-02 21:27:08 +00:00
manu cdb1e64a8c Fix memory leak (Coverity 2001), refactor the code to use port get/set 
functions
 2006-10-02 21:19:43 +00:00
manu cd350eaf6d Avoid reusing free'd pointer (Coverity 4200) 2006-10-02 20:52:17 +00:00
manu d564be9350 Don't use NULL pointer (Coverity 3443), reformat to 80 char/line 2006-10-02 18:54:46 +00:00
dogcow f54a9b4797 If you're going to initialize a pointer, you have to init it with a pointer 
type, not an int.
 2006-10-02 12:44:40 +00:00
manu 68e9583818 Don't use NULL pointer (coverity 3439) 2006-10-02 12:04:53 +00:00
manu 5227e9475b Don't use NULL pointer (Coverity 1334) 2006-10-02 11:59:40 +00:00
manu 41042afaf6 Don't use NULL pointer (Coverity 944) 2006-10-02 07:17:57 +00:00
manu 01d5ad642c Don't use NULL pointer (Coverity 941) 2006-10-02 07:15:09 +00:00
manu 9a55720f5c Don't use NULL pointer (Coverity 942) 2006-10-02 07:12:26 +00:00
manu bfd607cda0 Don't use null pointer (Coverity 863) 2006-10-02 07:08:25 +00:00
manu 626d146a75 FIx memory leak (Coverity 4181) 2006-10-01 22:04:03 +00:00
manu 7be862b0db Check that iph1->remote is not NULL before using it (Coverity 3436) 2006-10-01 19:23:57 +00:00
manu c7242e7e9f emove dead code (Coverity 4165) 2006-09-30 21:49:37 +00:00
manu 07b750b745 Fix memory leak (Coverity 4179) 2006-09-30 21:38:39 +00:00
manu df69765a89 update the scripts for wrorking around routing problems on NetBSD 2006-09-30 21:22:21 +00:00
manu 172675f3db Reuse existing code for closing IKE sockets, and avoid screwing things by 
setting p->sock = -1, which is not expected (Coverity 4173).
 2006-09-30 16:14:18 +00:00
manu d5f44674f8 Do not free id and key, as they are used later 2006-09-30 15:51:42 +00:00
manu efb59e1b32 Fix the fix: handle_recv closes the socket, so we must call com_init before 
sending any data.
 2006-09-29 21:39:35 +00:00
manu ca09533497 Fix unchecked mallocs (Coverity 4176, 4174) 2006-09-28 20:30:13 +00:00
manu 87b827ea10 Fix access after free (Coverity 4178) 2006-09-28 20:09:35 +00:00
manu eb5be25aad Fix memory leak (Coverity) 2006-09-26 21:42:55 +00:00
manu 8b9e0af1db Fix memory leak (Coverity) 2006-09-26 21:25:52 +00:00
manu 1d587602b5 Remove dead code (Coverity) 2006-09-26 21:10:55 +00:00
manu 75ada6df8d Fix memory leak (Coverity) 2006-09-26 21:06:54 +00:00
manu ab1354320a One more memory leak 2006-09-26 20:58:03 +00:00
manu ea585e8293 Fix memory leak in racoonctl (coverity) 2006-09-26 20:51:43 +00:00