tteras
f273c7c2bb
Orignally from Bin Li: Fix possible memory corruption in binsanitize().
2009-04-20 13:23:54 +00:00
tteras
a2f9e36ab3
From Stephen Bevan: Fix a x509 signature verification memory leak.
2009-04-20 13:22:41 +00:00
tteras
b1fd61f62f
Originally from Bin Li: Fix a crash with racoonctl logout user.
2009-04-20 13:22:00 +00:00
tteras
8759a6c72c
Fix a memory leak in nat-t keepalive code.
2009-04-20 13:17:35 +00:00
tteras
8c22b469e0
From Paul Moore: Phase2 message id's should be unique wrt phase1, not
...
globally.
2009-04-20 13:16:52 +00:00
tteras
0c68acc1de
From Arnaud Ebalard: Fix couple of problems with previous commit.
2009-03-13 04:49:16 +00:00
he
976380d183
When casting to/from a pointer to an integral type (a bad practice,
...
if you ask me), you need to cast via intptr_t for portability.
2009-03-12 23:05:27 +00:00
wiz
2df943f931
New sentence, new line. Avoid marking up punctuation.
2009-03-12 15:18:57 +00:00
wiz
0d4480d10a
Bump date for previous. Sort options to establish-sa.
...
Stop using Xo/Xc.
2009-03-12 14:01:09 +00:00
tteras
983cc8fecf
Support multiple anonymous remotes and decide remoteconf based on identity,
...
received certificates and other information. General code clean up.
2009-03-12 10:57:26 +00:00
tteras
e3372d2f8f
setkey: fix deleteall in Linux
...
Linux requires SADB_DELETE message to have SPI. So send
a SADB_DELETE message for each matching SA. Trac #284 .
From: Gabriel Somlo <somlo@cmu.edu>
2009-03-06 11:45:03 +00:00
tteras
b1ab726a1a
From Paul Moore: Fix a heap corruption bug (yacc return non-null terminated
...
buffer and sprintf writes over bounds).
2009-02-16 18:36:21 +00:00
vanhu
3723c0b8cf
trac#301: fixed IPsec SAs flush in purge_remote() when NAT-T enabled but no NAT-T on tunnel
2009-02-11 15:18:59 +00:00
tteras
ee2923bc73
From: Phil Sutter. Fix script environment variables with IPv6 addresses.
2009-02-03 20:21:45 +00:00
tteras
98b638ac57
Argument parsing needs lcconf initialized.
2009-01-26 18:13:06 +00:00
wiz
58b2161948
Sort options in usage.
2009-01-24 10:43:47 +00:00
wiz
a8e14ecee0
Sort options. New sentence, new line.
2009-01-24 10:43:38 +00:00
wiz
86a90d6c4e
Sort options.
2009-01-24 10:42:31 +00:00
tteras
e9d216a40d
Update usage and manpage for racoonctl.
2009-01-23 11:44:08 +00:00
tteras
c6d64c37e0
Racoon -v to print version and compilation information. Update usage
...
message.
2009-01-23 11:28:27 +00:00
tteras
1f949d3b6c
Update NEWS with major changes since 0.7 release.
2009-01-23 09:40:56 +00:00
tteras
731a29e03b
Fix monotonic scheduler change, to not refresh 'now' before exit. Otherwise
...
we can return negative timeout after spending time handling other events.
2009-01-23 09:10:13 +00:00
tteras
7bc9f9e4ee
From Arnaud Ebalard:
...
Handle reception of MIGRATE message during Phase 1 and Phase 2 negotiation.
Also corrects some debugging statements.
2009-01-23 08:32:58 +00:00
tteras
b9ba86c968
From Arnaud Ebalard:
...
On the responder (for instance), there is a need to not only migrate local
and remote addresses of Phase 1 that match previous addresses but also
the local and remote addresses of a Phase 1 *associated* with a migrated
Phase 2. For instance, we have that need when receiving the first
MIGRATE/KMADDRESS message because the old addresses are still the HoA and
the address of the HA (while the peer has contacted us using the CoA and
we have negotiated this address as src attribute in Phase 2). The patch
fixes that by having migrate_ph1_ike_addresses() called from
migrate_ph2_ike_addresses() callback.
2009-01-23 08:29:34 +00:00
tteras
54bcc916f5
From Arnaud Ebalard: Set phase2 spid when acting as responder.
2009-01-23 08:27:24 +00:00
tteras
5d5e4e2fa3
Detect if monotonic system clock is available, and use it for relative
...
time measurements to avoid complite hang if time jumps backwards.
2009-01-23 08:25:06 +00:00
tteras
49c6438a45
Fix authentication method ambiguity by internally using unique ID and
...
setting/interpreting the wire format based on received vendor ID:s. Fixes
trac #280 .
2009-01-23 08:23:51 +00:00
tteras
69697b4655
Introduce vendorid bitmask that can be used otherwhere to detect peer
...
capabilities.
2009-01-23 08:06:56 +00:00
tteras
2b7d4cd554
Remove "fastquit" configure option and make it the default behaviour. The
...
previous normal behaviour is buggy, as after flush kernel can immediately
create larval SA:s which would prevent exit.
2009-01-23 08:05:58 +00:00
tteras
2b68c3a06a
Autogenerate ChangeLog from NetBSD CVS. Put sourceforge.net changes to
...
ChangeLog.old.
2009-01-20 14:36:07 +00:00
wiz
67cbe60826
Make ready for HTML output.
...
Use proper escape for backslash ('\e').
2009-01-10 21:58:38 +00:00
tteras
f7557f766d
From Cyrus Rahman:
...
Accept RFC2253 compliant escaped special characters for asn1dn identifier.
2009-01-10 19:08:40 +00:00
tteras
a0b1dc6be0
Fix a CPPLAGS typo to CPPFLAGS which was intended
2009-01-09 06:31:38 +00:00
tteras
9df0ec5c7e
Fix a CPPLAGS type to CPPFLAGS which was intended
2009-01-09 06:31:37 +00:00
tteras
b264308e87
Remove obsolete configuration options, fix radius configuration block and
...
add GRE as recognized protocol.
2009-01-05 06:03:58 +00:00
tteras
328859aef7
Do not use counting in signal handling as it was unsafe by not using
...
atomic functions (post increment is not necessarily atomic).
Instead reap all children on SIGCHLD as that was the only signal needing
signal counting.
2009-01-05 06:00:27 +00:00
tteras
a3c1a92d23
schedular() call can now modify fd mask so make the working copy just
...
before calling select(); otherwise it can contain bad file descriptors
2008-12-30 15:50:24 +00:00
mlelstv
e5b90a2fc2
support icmp codes. Fixes PR 39056.
2008-12-29 12:54:33 +00:00
christos
aa3382cd31
remove sin{6,}_len linux does not have it. From Timo Teras.
2008-12-24 20:20:52 +00:00
christos
6c532322d2
I was wrong. addr is actually set.
2008-12-24 19:05:48 +00:00
christos
16b17fbeab
- make this compile by zeroing out the whole structure not just bogus fields.
...
- set length field of sockets appropriately.
- mark bogus no-op code (I don't understand what the author intended here).
2008-12-24 15:25:44 +00:00
wiz
c1e7a459ca
Bump date for identity configuration option removal.
2008-12-23 19:28:18 +00:00
tteras
535280aca9
Remove the obsoleted global identity configuration option.
2008-12-23 14:04:42 +00:00
tteras
bd378f6dda
rewrite local address detection
...
make some functions static that arr not needed globally
rework how fd_set is construction for the main loop select()
2008-12-23 14:03:12 +00:00
tteras
182f0b93be
From Arnaud Ebalard:
...
Delete larval ph2handles when expire with hard lifetime received
2008-12-18 07:20:25 +00:00
tteras
50a2f2e6d0
Update README
2008-12-16 06:48:38 +00:00
tteras
b2b7434a10
Fix transport mode address selection in acquire handling.
...
Some earlier fixes got lost on 2008-12-05 commit.
2008-12-16 06:08:46 +00:00
vanhu
a75f34b133
Fixed compilation on FreeBSD (RTM_IFINFO and RTM_OIFINFO stuff)
2008-12-11 15:45:24 +00:00
vanhu
cffd15164d
Fixed compilation when DPD support is disabled
2008-12-11 15:33:59 +00:00
bad
f140528153
Document my fix to src/racoon/privsep.c for the SIG_IGN typo on 2008-12-04.
2008-12-09 23:28:08 +00:00
tteras
dae665ff27
Do not cache pfkey sockets: it might cause to not handle some pfkey events
...
when select() has marked pfkey socket readable, but a timer callback first
calls pfkey_dump_sadb().
2008-12-08 06:00:53 +00:00
tteras
02f2a72861
From Arnaud Ebalard:
...
Improved Mobile IPv6 support per draft-ebalard-mext-pfkey-enhanced-migrate.
2008-12-05 06:02:20 +00:00
bad
3ef91ecea8
Fix typo in previous and use SIG_IGN as I intended.
2008-12-04 22:30:26 +00:00
tteras
22b0737f30
Explicitly ignore SIGPIPE. Default action on Linux is terminate.
2008-12-02 07:41:43 +00:00
wiz
659c30f2ba
Remove empty line. Fix typo. New sentence, new line.
2008-11-28 22:37:44 +00:00
vanhu
0b0a39b9f9
ModeConfig fixes
2008-11-27 15:04:34 +00:00
vanhu
3a74e20575
Set up a default value for Mode Config Pool size if pool address specified but pool size not specified
2008-11-27 15:04:21 +00:00
vanhu
054e0e851d
Fixed pool resizing
2008-11-27 15:04:16 +00:00
tteras
f863fa40c3
From Arnaud Ebalard:
...
Remove MAXNESTEDSA weirdness. It's probably meant for bundle support which
is not done. When someone actually writes bundle support, the nested SA
stuff would probably be reworked too anyway.
2008-11-27 11:08:48 +00:00
tteras
1c6c2a3356
From: Matthew Krenzer
...
Ability to set pfkey socket buffer size via configuration file directive.
(Indentation and minor fixes by me.)
2008-11-27 10:53:48 +00:00
bad
e564489300
Document my changes from 2008-11-08 and today.
2008-11-25 22:39:20 +00:00
bad
f798cbf18b
Avoid using MSG_NOSIGNAL as it is not available everywhere.
...
Ignore SIGPIPE instead.
2008-11-25 22:38:31 +00:00
bad
d9c51cbeae
Ignore unspecified and looback addresses. Ignoring unspecified addresses
...
prevents racoon from trying to bind to the wildcard address and specific
addresses simultaneously after e.g. dhclient has changed an interface's
address to 0.0.0.0.
2008-11-25 22:00:15 +00:00
bad
e7c2314bc8
RTM_DELETE and RTM_IFINFO don't carry info for added or deleted addresses.
...
Ignore them silently.
2008-11-25 21:54:05 +00:00
bad
6db1040de3
Ignoring an unsuitable address is not an error. Therefore log it as
...
informational.
Make it clear from the log message that a route message is not interesting.
2008-11-25 21:50:47 +00:00
bad
220cbdde75
Use insmyaddr() instead of open coding it.
2008-11-25 21:46:12 +00:00
bad
b8d42d186b
Do not return erroneously from isakmp_open() when setting IPV6_USE_MIN_MTU
...
fails.
2008-11-25 21:42:36 +00:00
bad
667107700d
Keep myaddr.sock at -1 when no socket is opened.
2008-11-25 21:37:11 +00:00
bad
96020e15cb
Preserve owner and permissions of original /etc/resolv.conf.
...
Ensure that new /etc/resolv.conf isn't group or world writable.
2008-11-08 13:41:09 +00:00
bad
447613dc6a
Print and check INTERNAL_NETMASK4.
2008-11-08 13:38:46 +00:00
bad
aabe06ab2f
Make the handling of NAT-T SPD entries automatic.
2008-11-08 13:36:35 +00:00
bad
5a8370eefd
Ensure that the determination of the default gateway and the corresponding
...
interface don't get confused by multiple, possibly non-IPv4 default routes.
Bring the NetBSD case of deleting the VPN routes and address in line with
the Linux case and delete the address after deleting the VPN routes.
2008-11-08 13:31:23 +00:00
vanhu
33dafe234f
fixed delsainfo() to avoid a crash when iddst's value is SAINFO_CLIENTADDR
2008-11-06 14:12:28 +00:00
tteras
66f152db75
Add ChangeLog entry about S.P.Zeidler's commit. Fix my name in one place.
2008-11-01 06:55:10 +00:00
spz
334414e667
Changes to ipsecdoi_id2str():
...
struct sockaddr -> struct sockaddr_storage fixes a stack overflow
For non-linklocal addresses the value in 'scope' is garbage and gets
set to zero instead.
2008-10-29 18:49:45 +00:00
tteras
0c1f013cc5
Fix commit dates to reflect reality.
2008-10-28 19:03:27 +00:00
tteras
ed890caaae
From Arnaud Ebalard:
...
Add missing return to error path
2008-10-27 06:27:05 +00:00
tteras
3ff331469e
From Francis Dupont (sent by Arnaud Ebalard):
...
recognize RTM_IFANNOUNCE
2008-10-27 06:24:27 +00:00
tteras
a06fc42a2e
From Arnaud Ebalard:
...
Fix indentation issues for readability
2008-10-27 06:21:29 +00:00
tteras
b186d55b63
From Arnaud Ebalard:
...
initfds() needs to be called only if monitored file descriptor numbers
have changed
2008-10-27 06:18:08 +00:00
tteras
38962f77a8
From Arnaud Ebalard:
...
Remove duplicate declaration
2008-10-27 06:14:04 +00:00
tteras
ede27c75ad
From Krzysztof Piotr Oledzki <olel@ans.pl>:
...
Revert parts of 2008-08-06 commit; the problem those changes address are
already handled in a sensible way by Cyrus Rahman's patch from 2008-03-06.
2008-10-23 10:56:10 +00:00
tteras
ab610e81be
Fix a spelling mistake in changelog
2008-10-09 16:44:31 +00:00
tteras
52d4b7db25
From Arnaud Ebalard: remove unnecessary unbindph12() call which is now done in remph2()
2008-10-09 15:53:12 +00:00
tteras
c724d51982
From Arnoud Ebalard <arno@natisbad.org>:
...
remove unnecessary unbindph12() call which is now done also in remph2()
2008-10-09 15:53:11 +00:00
vanhu
105e5049b7
Fixed resending mechanism to have non-ESP marker for retransmitted packets
2008-09-25 09:34:13 +00:00
wiz
e829b0a440
New sentence, new line.
2008-09-19 17:33:24 +00:00
tteras
d1a09d5477
Implement ISAKMP SA rekeying configurable with rekey {on|off|force} option
...
in remote conf.
2008-09-19 11:14:49 +00:00
tteras
fbf62026bb
Change struct sched to be allocated be the caller to avoid some memory
...
allocations. Optimize scheduling algorithm to not scan all entries in
the main loop.
2008-09-19 11:01:08 +00:00
vanhu
b383a5b3e4
Fixed port match in purge_ipsec_spi() when NAT-T enabled and trying to purge non NAT-T SAs
2008-09-17 12:39:07 +00:00
vanhu
954f7757c0
Some calls to set_port() were not correctly updated in the previous commit
2008-09-09 11:50:42 +00:00
vanhu
a20b313ea8
From Tomas Mraz: Duplicate addresses in pk_sendxxx functions, as they may be altered for NAT-T stuff.
2008-09-03 16:08:26 +00:00
vanhu
4ead39ef24
Duplicate addresses in pk_sendxxx functions, as they may be altered for NAT-T stuff
2008-09-03 16:08:25 +00:00
tteras
dbd3f137ba
- Fix reloading of SPD (Linux satype check, handling of SPD dump responses)
...
- Remove some spurious error log message from extract_port()
2008-09-03 09:57:28 +00:00
gmcgarry
dc1f2ff2f9
Eliminate gcc-specific feature of empty structures.
2008-08-29 00:31:37 +00:00
gmcgarry
f3a85cb801
Eliminate superfluous semicolon.
2008-08-29 00:31:00 +00:00
gmcgarry
b4e2d1afdf
Eliminate gcc-specific feature of unnamed structures added recently.
2008-08-29 00:30:15 +00:00
vanhu
163d7169c0
From Krzysztof Piotr Oledzki: Remove ph1handler if we received an invalid first exchange from initiator.
2008-08-12 12:45:55 +00:00
vanhu
32468f64a1
Remove ph1handler if we received an invalid first exchange from initiator
2008-08-12 12:45:54 +00:00
tteras
191869cf2a
From Krzysztof Piotr Oledzki:
...
Make privileged process exit if unprivileged process is terminated and
some spelling fixes.
2008-08-06 19:14:28 +00:00
mgrooms
9ef0a25aeb
Add some missing ifdefs required for non-radius enabled builds.
2008-07-23 17:36:00 +00:00
tteras
4521811287
Do not use GNU make specific extension.
2008-07-23 13:53:08 +00:00
tteras
28aa26f3de
Do flex/bison invocation in a more standard way, and keep the generated
...
files in the dist tarball.
2008-07-23 09:06:51 +00:00
vanhu
826c52702d
From Kohki Ohhira: fix some memory leaks, when malloc fails or when peer sends invalid proposal.
2008-07-22 13:25:18 +00:00
vanhu
754d7776f7
fixed some memory leaks, when malloc fails or when peer sends invalid proposals
2008-07-22 13:25:17 +00:00
mgrooms
fd9755072f
Add an optional radius configuration section to the racoon.conf file. This
...
is similar to the the LDAP configuration section and overrides settings in
the system radius configuration file.
2008-07-22 01:30:02 +00:00
tron
0cc0bec23e
Correct typo to fix the build.
2008-07-21 09:43:03 +00:00
tteras
ca3b7c5a9f
Separate generic vendor id handling to a new function and use it.
2008-07-21 06:26:06 +00:00
tteras
7a1c3cb1b8
Do not set default gss id if xauth is used, otherwise gss-id attribute
...
might be sent even if it was not requested.
2008-07-21 06:24:29 +00:00
mgrooms
879eeb1025
Fix an a typo that prevented racoon from building with hybrid enabled.
2008-07-15 02:16:58 +00:00
mgrooms
6353d50296
Update changelog which was missed in my previous commit.
2008-07-15 00:53:36 +00:00
mgrooms
8f0b3482bc
Fix a conflict with the FreeBSD 8 system hexdump function.
2008-07-15 00:47:09 +00:00
tteras
56a42db6a6
Handle RESPONDER-LIFETIME notification in quick mode.
2008-07-14 05:45:15 +00:00
tteras
583275a951
Clean up notification payload handling. Handle INITIAL-CONTACT notification
...
in last main mode exchange (delayed) and during quick mode exchanges.
2008-07-14 05:40:13 +00:00
tteras
75bc4bd6cd
Original patch from Atis Elsts:
...
Fix a double memory free and a memory corruption (LIST_REMOVE() on
an uninserted node) in some error handling paths.
2008-07-11 08:02:06 +00:00
tteras
7f51b6fe42
From Chong Peng:
...
fix a file descriptor and memory leak on configuration file reread
2008-07-09 12:16:50 +00:00
vanhu
d20c6ed916
From Timo Teras: fix some %d to %zu (size_t values)
2008-07-02 14:46:27 +00:00
vanhu
874968c865
fixed some %d to %zu (size_t values)
2008-07-02 14:46:26 +00:00
wiz
bf3ddb193b
Bump date for previous.
2008-06-18 07:40:16 +00:00
mgrooms
93c1205f96
Add an admin port command to retrieve the peer certificate. Submitted by Timo Teras.
2008-06-18 07:12:04 +00:00
mgrooms
c47cb1615c
Add an admin port command to retrieve the peer certificate. Submitted by
...
Timmo Teras.
2008-06-18 07:12:03 +00:00
mgrooms
01e8cc1e5d
Set sockets to be closed on exec to avoid potential file descriptor inheritance issues. Submitted by Timo Teras.
2008-06-18 07:04:23 +00:00
mgrooms
5d397c5ba5
Set sockets to be closed on exec to avoid potential file descriptor
...
inheritance issues. Submitted by Timmo Teras.
2008-06-18 07:04:22 +00:00
mgrooms
7598372e37
Use utility functions to evaluate and manipulate network port values. No functional changes. Submitted by Timo Teras.
2008-06-18 06:47:25 +00:00
mgrooms
2c40396f3a
Use utility functions to evaluate or manipulate network port values. No
...
functional changes. Submitted by Timmo Teras.
2008-06-18 06:47:24 +00:00
mgrooms
7dac642960
Admin port code cleanup. No functional changes. Submitted by Timo Teras.
2008-06-18 06:27:49 +00:00
mgrooms
18fc645e9a
Admin port code cleanup. No functional changes. Submitted by Timmo Teras.
2008-06-18 06:27:48 +00:00
mgrooms
9345b05cc4
Correct a phase2 status event. Submitted by Timo Teras.
2008-06-18 06:11:38 +00:00
mgrooms
b163716d45
Correct a phase2 status event. Submitted by Timmo Teras.
2008-06-18 06:11:37 +00:00
christos
aa3b40a116
Coverity CID 5018: Fix double frees.
2008-05-24 18:39:40 +00:00
manu
2a499f37b6
From Christian Hohnstaedt: allow out of tree building
2008-05-08 12:24:50 +00:00
martin
11a6dbe728
Convert TNF licenses to new 2 clause variant
2008-04-30 13:10:46 +00:00
vanhu
ed9bfcd9c2
From Timo Teras: extract port numbers from SADB_X_EXT_NAT_T[SD]PORT if present in purge_ipsec_spi().
2008-04-25 14:41:18 +00:00
vanhu
c6898eabf6
extract ports information from SADB_X_EXT_NAT_T_[SD]PORT if present in purge_ipsec_spi()
2008-04-25 14:41:17 +00:00
christos
57a7ea54be
for symmetry set controllen the same way we set it on the receiving side.
2008-04-13 21:45:19 +00:00
manu
1c3bd4b930
fix Linux build
2008-04-02 19:02:50 +00:00
christos
5ae92982aa
properly fix the variable stack allocation code.
2008-03-28 21:18:45 +00:00
manu
fe6642740b
Still from Cyrus Rahman: fix file descriptor leak introduced by previous
...
commit.
2008-03-28 20:28:14 +00:00
manu
1d223a6207
From Cyrus Rahman: Allow interface reconfiguration when running in privilege separation mode, document privilege separation
2008-03-28 04:18:52 +00:00
manu
182dbe8881
From Cyrus Rahman <crahman@gmail.com>
...
Allow interface reconfiguration when running in privilege separation mode,
document privilege separation
2008-03-28 04:18:51 +00:00
vanhu
b5ae261d16
Generates a log if cert validation has been disabled by configuration
2008-03-06 17:00:03 +00:00
manu
b6b6316484
From Cyrus Rahman <crahman@gmail.com>
...
privilegied instance exit when unprivilegied one terminates. Save PID in real root, not in chroot
2008-03-06 04:29:20 +00:00
mgrooms
1e1f81eb1d
Add the ability to initiate IPsec SA negotiations using the admin socket.
...
Submitted by Timo Teras.
2008-03-06 00:46:04 +00:00
mgrooms
3fd729ad89
Refactor admin socket event protocol to be less error prone. Backwards compatibility is provided. Submitted by Timo Teras.
2008-03-06 00:34:11 +00:00
mgrooms
089a95fdcd
Refactor admin socket event protocol to be less error prone. Backwards
...
compatibility is provided. Submitted by Timmo Teras.
2008-03-06 00:34:10 +00:00
mgrooms
5e5c5d5011
Properly initialize the unity network struct to prevent erroneous protocol
...
and port info from being transmitted.
2008-03-05 22:27:50 +00:00
mgrooms
f771df75b3
Reload SPD on SIGHUP or adminport reload. Also provide better handling for
...
pfkey socket read errors. Submitted by Timo Teras.
2008-03-05 22:09:44 +00:00
manu
5ae99b01fd
Missing entries for last changes
2008-02-25 20:14:05 +00:00
manu
6ee9ace370
From Brian Haley <brian.haley@hp.com>
...
There's a cut/paste error in cmp_aproppair_i(), it's supposed to be
checking spi_size but it's not. I'm not sure this patch is correct, but
what's there isn't either.
2008-02-25 20:06:55 +00:00
manu
ebc590d76a
Fix address length, from Brian Haley
2008-02-22 18:50:03 +00:00
spz
a91c432416
closes PR bin/37644
...
did not meet violent opposition ( :) ) on ipsec-tools-devel
2008-02-10 12:11:08 +00:00
vanhu
4aacbd15e1
From Timo Teras: reset iph1->dpd_r_u in the scheduler's callback, to avoid access to freed memory.
2008-01-11 14:27:34 +00:00
vanhu
ca6b517233
reset iph1->dpd_r_u in the scheduler's callback, to avoid some access to freed memory
2008-01-11 14:27:33 +00:00
vanhu
e0b7c2f9ec
reported somes fixes from Krzysztof Oledzki
2008-01-11 14:09:50 +00:00
vanhu
90cd29a77c
From Krzysztof Oledzki: Fix compilation with IDEA and recent gcc.
2008-01-11 14:09:05 +00:00
vanhu
5e3ace1c19
From Krzysztof Oledzki: added some details to some logs (also reported new getph1byaddr() arg).
2008-01-11 14:08:29 +00:00
vanhu
e8714f7763
From Krzysztof Oledzki: Only search for established ph1 handles in DPD (also reported new getph1byaddr() arg).
2008-01-11 14:07:39 +00:00
vanhu
223c4f34ce
added an 'established' arg to getph1byaddr()
2008-01-11 14:06:56 +00:00
mgrooms
c825a8ee5f
Add GRE protocol number to racoonctl. Correct id wildcard matching for transport mode. Submitted by Timo Teras.
2007-12-31 01:42:07 +00:00
mgrooms
e2eda5513a
Add GRE protocol number to racoonctl. Correct id wildcard matching for transport mode. Submitted by Timmo Teras.
2007-12-31 01:42:06 +00:00
mgrooms
3a210f56fc
Add corrections submitted in a follow up patch for the nat-t oa support.
2007-12-12 05:08:28 +00:00
mgrooms
892304dffa
Add support for nat-t oa payload handling. Submitted by Timo Teras.
2007-12-12 04:45:59 +00:00
mgrooms
4454243c5b
Add changelog entries missed in the last commit.
2007-12-04 19:54:24 +00:00
mgrooms
2ada148e80
Modify ipsecdoi_sockaddr2id() to obtain an id without specifying the exact prefix length. Correct a memory leak in phase2. Both submitted by Timo Teras.
2007-12-04 19:52:30 +00:00
wiz
e5326240e8
Fix typos. New sentence, new line.
2007-12-01 19:24:47 +00:00
vanhu
3139da7ed3
From Natanael Copa: fixed a race condition when building yacc stuff.
2007-11-29 16:22:08 +00:00
vanhu
45ebb13627
fixed a race condition when building yacc stuff
2007-11-29 16:22:07 +00:00
vanhu
e76e80b28b
From Arnaud Ebalard: some sanity checks, debug, and a better matching of SPD entries in getsp_r()
2007-11-09 16:28:14 +00:00
vanhu
faf3c4a53b
From Arnaud Ebalard: Some sanity checking in pk_recv()
2007-11-09 16:27:58 +00:00
vanhu
70597b6cab
From Arnaud Ebalard: Better matching of SPD entries in getsp_r().
2007-11-09 16:27:47 +00:00
vanhu
cd8d63d79e
From Arnaud Ebalard: Added some debug in get_proposal_r().
2007-11-09 16:27:42 +00:00
manu
57c0ea0775
Add SPLITNET_{INCLUDR_LOCAL}_CIDR to hook scripts
2007-10-19 03:37:18 +00:00
vanhu
702eac21e5
Try to increase the buffer size of the pfkey socket, this may help things when we have a huge SPD
2007-10-15 16:05:01 +00:00
vanhu
657e6e5324
new plog macro
2007-10-02 09:48:08 +00:00
vanhu
4e4df07d61
From Scott Lamb: include plog.h to work with the new plog macro.
2007-10-02 09:47:55 +00:00
vanhu
400c6ca5a9
From Scott Lamb: plog changed to _plog to work with new plog macro
2007-10-02 09:47:45 +00:00
vanhu
c12d0d481a
From Scott Lamb: new plog macro.
2007-10-02 09:47:40 +00:00
mgrooms
26182f1f5d
Set REUSE option on sockets to prevent failures associated with closing and immediately re-opening. Submitted by Gabriel Somlo.
2007-09-19 19:29:36 +00:00
mgrooms
33e6656ef9
Prevent duplicate entries in splitnet list. Submitted by Gabriel Somlo.
2007-09-19 19:20:25 +00:00
mgrooms
8293a09746
Fix autoconf check for selinux support. Submitted by Joy Latten.
2007-09-13 00:26:14 +00:00
mgrooms
aca8e1eed2
Implement clientaddr sainfo remote id option and refine the sainfo man page syntax.
2007-09-12 23:39:49 +00:00
mgrooms
324a68d0b7
Sort sainfo sections on insert and improve matching logic.
2007-09-05 06:55:44 +00:00
mgrooms
edac7dae7c
Correct the syntax for wins4 in the man page and add nbns4 as an alias. Pointed out by Claas Langbehn.
2007-09-03 18:08:42 +00:00
manu
1c79bc103b
src/racoon/isakmp_xauth.c: Don't mix up RADIUS authentication and
...
authorization ports. Allow interoperability with freeradius
2007-08-07 04:35:01 +00:00
mgrooms
8628a88239
Update NEWS file with additional 0.7 improvements.
2007-07-24 04:29:23 +00:00
mgrooms
9b7e05e155
Various racoon configuration manpage updates.
2007-07-18 22:50:47 +00:00
vanhu
c3bc7fe364
use a single PATH_IPSEC_H to fix some path_to_ipsec.h issues
2007-07-18 12:07:49 +00:00
vanhu
9f7ae421ea
fixed a socket leak
2007-07-16 15:05:10 +00:00
vanhu
0fd2ceaf72
indentation
2007-07-16 15:03:13 +00:00
manu
72fe4c3a84
From Paul Winder <Paul.Winder@tadpole.com>:
...
Fix ignored INTERNAL_DNS4_LIST
2007-06-07 20:04:26 +00:00
vanhu
6ae0ffb7d9
From Rong-En Fan: fix compilation with gcc 4.2
2007-06-06 15:37:15 +00:00
vanhu
cc41629a4c
fixed compilation with gcc 4.2
2007-06-06 15:37:14 +00:00
vanhu
6817ea28d9
speeds up interfaces update when they changed
2007-06-06 09:47:30 +00:00
vanhu
1ed22670fa
From Jianli Liu: speed up interfaces update when they change.
2007-06-06 09:47:29 +00:00
vanhu
7c53bfe0b6
ignore obsolete lifebyte when validating reloaded configuration
2007-06-06 09:18:16 +00:00
manu
a16fcccee0
From Joy Latten <latten@austin.ibm.com>
...
Fix file descriptor shortage when using labeled IPsec.
2007-05-31 19:54:54 +00:00
manu
23326f5b62
From Jianli Liu <jlliu@nortel.com>:
...
In racoonctl, use the specified socket path instead of the default location
2007-05-30 21:02:39 +00:00
christos
538010e358
coverity CID 4168: yyerror() does not return, so we proceed to de-reference
...
NULL. Make it return -1 instead like in other places.
2007-05-16 21:00:40 +00:00
christos
dc073934fe
coverity CID 4170: yyerror() does not return, so we proceed to de-reference
...
NULL. Make it return -1 instead like in other places.
2007-05-16 20:59:04 +00:00
vanhu
5e29f1f1bb
search a ph1 by address if iph2->ph1 is NULL when validating the new config
2007-05-04 14:33:38 +00:00
vanhu
79dfa780cb
...
2007-05-04 09:10:07 +00:00
vanhu
0f20ab497d
added some debug in getph1byaddr() to track some port matching problems with NAT-T
2007-05-04 09:09:54 +00:00
vanhu
e91f01072a
added some debug in isakmp_chkph1there() to track some port matching problems with NAT-T
2007-05-04 09:09:47 +00:00
vanhu
ff0f36d165
added some debug for DELETE_SA process
2007-05-04 09:09:35 +00:00
vanhu
ae24f5b259
Force the update of ph2 in pk_recvupdate() if NAT_T support, to solve some port match problems with the first IPSec SAs negociated as initiator
2007-05-04 09:09:26 +00:00
vanhu
ace683e685
checks proto_id in ipsecdoi_chkcmpids()
2007-04-04 13:09:36 +00:00
vanhu
f31c3aee8e
dumps peer's ID and peer's certificate subject /subjectaltname if they don't match
2007-04-04 13:07:31 +00:00
vanhu
52c7a2891e
Store the DPD main scheduler in ph1 handler, to be able to cancel it when removing the handler, and some minor cleanups in DPD code
2007-03-26 15:58:07 +00:00
christos
8f6921b522
PR/36069: Huang Yushuo: racoon can't work with pam_group
...
Set RUSER.
2007-03-24 02:07:42 +00:00
vanhu
2af4eed892
From Joy Latten: fix a segfault when using security labels between 32bit and 64bit host.
2007-03-23 15:43:19 +00:00
vanhu
38a126966c
fixed a segfault when using security labels between a 32bit and a 64bit host
2007-03-23 15:43:18 +00:00
vanhu
27934310cd
expire zombie handlers in getph2byid(), to avoid situations where we'll never negociate a phase2 again
2007-03-23 15:34:31 +00:00
vanhu
1046a9e619
From Cyrus Rahman: give more details about what is checked when using certificates to authenticate
2007-03-23 09:57:29 +00:00
vanhu
a1d41ca41d
give more details about what is checked when using certificates to authenticate
2007-03-23 09:57:28 +00:00
vanhu
27187d08ab
fixed subnet check to generate IPV4_ADDRESS when needed in sockaddr2id()
2007-03-22 10:26:19 +00:00
vanhu
002f3b4723
checks if arg is NULL in SCHED_KILL
2007-03-21 14:37:58 +00:00
vanhu
452cfb7edf
NULL sched check is now done in SCHED_KILL
2007-03-21 14:29:22 +00:00
vanhu
43c152a498
checks if arg is NULL in SCHED_KILL
2007-03-21 14:28:59 +00:00
vanhu
a270a7afb9
From Yves-Alexis Perez: enable monitoring of ipv6 address changes on Linux.
2007-03-15 14:12:12 +00:00
vanhu
7a26f531db
enable monitoring of ipv6 addresse changes on linux
2007-03-15 14:12:11 +00:00
vanhu
0fca99dc2f
Consider a negociation timeout when retry_counter is <=0 instead of < 0
2007-03-15 10:37:44 +00:00
mgrooms
adf474a143
Add logic to allow ip address ids to be matched to ip subnet ids when
...
appropriate.
2007-02-28 05:36:45 +00:00
vanhu
f1c1e37275
block variable declaration before code in ipsecdoi_id2str()
2007-02-21 11:01:06 +00:00
vanhu
740b198715
Removed a debug printf....
2007-02-20 16:32:28 +00:00
vanhu
bd81981229
Only delete a generated SPD if it's creation date matches the creation date of the SA we are currently deleting
2007-02-20 09:11:30 +00:00
vanhu
1cb0c229b8
updated delete_spd() calls
2007-02-20 09:11:14 +00:00
vanhu
19df9f5fcc
fills creation date of generated SPDs
2007-02-20 09:11:03 +00:00
vanhu
57d8173408
added 'created' var
2007-02-20 09:10:47 +00:00
vanhu
3c99a9f776
Removed a debug printf....
2007-02-19 13:08:47 +00:00
vanhu
496e74bcde
From Olivier Warin: Fix a %zu in a printf.
2007-02-16 11:01:35 +00:00
vanhu
834d2e72c5
Fixed a %zu in a printf
2007-02-16 11:01:34 +00:00
manu
eac241862b
Missing SELinux file
2007-02-15 16:31:38 +00:00
manu
1b2a464d38
Missing stuff for SELinux
2007-02-15 16:23:40 +00:00
vanhu
6c4dc9e4c6
From "Uncle Pedro" on sf.net: Just expire a ph1 handle when receiving a DELETE-SA instead of calling purge_remote().
2007-02-15 13:01:26 +00:00
vanhu
5f4b4e0b21
Just expire a ph1 handle when receiving a DELETE-SA instead of calling purge_remote()
2007-02-15 13:01:25 +00:00
vanhu
6ced6eb0cd
Fixed the way phase1/2 messages are sent/resent, to avoid zombie handles and acces to freed memory
2007-02-15 10:19:24 +00:00
vanhu
5374d6ac89
Fixed a check of NAT-T support in libipsec
2007-02-02 13:42:28 +00:00
vanhu
1634f1d295
From "Uncle Pedro" on sf.net: When receiving an ISAKMP DELETE_SA, get the cookie of the SA to be deleted from payload instead of just deleting the ISAKMP SA used to protect the informational exchange.
2007-02-01 08:48:32 +00:00
vanhu
e25ad0ee61
When receiving an Isakmp DELETE_SA, gets the cookie of the SA to be deleted from payload instead of just deleting the Isakmp SA used to protect the informational
2007-02-01 08:48:31 +00:00
alc
bdf6fc4f47
CID-4167: check for 'iph1->approval != NULL'
2006-12-26 00:04:00 +00:00
wiz
9e2cc05c4b
Use even more macros.
2006-12-23 09:29:53 +00:00
wiz
710cf70831
Use more macros.
2006-12-23 09:29:01 +00:00
wiz
fc51d9d324
Serial comma, and bump date for previous.
2006-12-23 09:22:52 +00:00
vanhu
1a38b96eff
From Joy Latten: fix a memory leak
2006-12-18 10:15:30 +00:00
vanhu
591299b29f
fixed a memory leak in crypto_openssl
2006-12-18 10:15:29 +00:00
manu
fcdf5459d0
branch 0.7 created
2006-12-10 22:36:06 +00:00
manu
7c683c0b23
Bring back API and ABI backward compatibility with previous libipsec before
...
recent interface change. Bump libipsec minor version. Remove ifdefs in
struct pfkey_send_sa_args to avoid ABI compatibility lossage.
Add a capability flags to detect missing optional feature in libipsec
2006-12-10 18:46:39 +00:00
manu
78f5cfece3
From Joy Latten: README.plainrsa documenting plain RSA auth
2006-12-10 05:51:14 +00:00
manu
99a403e274
From Joy Latten: Add support for SELinux security contexts. Also cleanup the
...
libipsec interface for adding and updating security associations.
2006-12-09 05:52:57 +00:00
manu
10cadc281e
From Simon Chang: More hints about plain RSA authentication
2006-12-09 05:44:34 +00:00
vanhu
3db7f7800e
Check keys length regarding proposal_check level
2006-12-05 13:38:40 +00:00
mgrooms
8ceadc3208
Correct issues associated with anonymous sainfo selection in racoon.
2006-11-16 00:30:55 +00:00
christos
9f3fa7dc87
eliminate the only variable stack array allocation.
2006-11-09 20:22:18 +00:00
cbiere
577883a31d
Don't define the deprecated IPV6_RECVDSTADDR if the "advanced IPv6 API" is
...
used because IPV6_RECVPKTINFO and IPV6_PKTINFO are used to prevent
potential bugs in the future just in case that the numeric value of the
socket option is ever recycled.
2006-10-31 00:17:21 +00:00
vanhu
b0d7d1da89
From Michal Ruzicka: fix typos
2006-10-22 15:10:31 +00:00
vanhu
df130f3c13
fixed typos
2006-10-22 15:10:30 +00:00
vanhu
5328e8c78b
Added ipsecdoi_chkcmpids() function
2006-10-19 09:36:22 +00:00
vanhu
3835b0b6a5
From Matthew Grooms: use ipsecdoi_chkcmpids() and changed src/dst to loc/rmt in getsainfo().
2006-10-19 09:35:51 +00:00
vanhu
b0f2fc5ddb
From Matthew Grooms: Added ipsecdoi_chkcmpids() function.
2006-10-19 09:35:44 +00:00
manu
966e3f130f
Fix memory leak (Coverity 3438 and 3437)
2006-10-09 06:32:59 +00:00
manu
331d3b1287
List modified files for last commit
2006-10-09 06:21:11 +00:00
manu
6eca4f09f3
Correctly check read() return value: it's signed (Coverity 1251)
2006-10-09 06:17:20 +00:00
manu
56f4977415
Camelia cipher support as in RFC 4312, from Tomoyuki Okazaki
...
<okazaki@kick.gr.jp>
2006-10-06 12:02:26 +00:00
manu
20d3dfdcfa
fix endianness issue introduced yesterday
2006-10-03 20:43:10 +00:00
vanhu
2b72a4f236
remoteid/ph1id support
2006-10-03 08:04:31 +00:00
vanhu
b45c893ef4
Added remoteid/ph1id syntax
2006-10-03 08:03:59 +00:00
vanhu
7d2c6acefd
Parses remoteid/ph1id values
2006-10-03 08:03:33 +00:00
vanhu
dd3c365568
Uses remoteid/ph1id values
2006-10-03 08:02:51 +00:00
vanhu
80d5a8a518
Added remoteid/ph1id values
2006-10-03 08:01:56 +00:00
manu
9547d0f260
avoid reusing free'd pointer (Coverity 2613)
2006-10-02 21:51:33 +00:00
manu
1966cc3311
Check for NULL pointer (COverity 4175)
2006-10-02 21:47:32 +00:00
manu
e1ade705e1
Remove dead code (Coverity 3451)
2006-10-02 21:41:59 +00:00
manu
520ec462f7
Fix array overrun (Coverity 4172)
2006-10-02 21:33:14 +00:00
manu
e5d24ec446
Fix memory leak (Coverity 2002)
2006-10-02 21:27:08 +00:00
manu
cdb1e64a8c
Fix memory leak (Coverity 2001), refactor the code to use port get/set
...
functions
2006-10-02 21:19:43 +00:00
manu
cd350eaf6d
Avoid reusing free'd pointer (Coverity 4200)
2006-10-02 20:52:17 +00:00
manu
d564be9350
Don't use NULL pointer (Coverity 3443), reformat to 80 char/line
2006-10-02 18:54:46 +00:00
dogcow
f54a9b4797
If you're going to initialize a pointer, you have to init it with a pointer
...
type, not an int.
2006-10-02 12:44:40 +00:00
manu
68e9583818
Don't use NULL pointer (coverity 3439)
2006-10-02 12:04:53 +00:00
manu
5227e9475b
Don't use NULL pointer (Coverity 1334)
2006-10-02 11:59:40 +00:00
manu
41042afaf6
Don't use NULL pointer (Coverity 944)
2006-10-02 07:17:57 +00:00
manu
01d5ad642c
Don't use NULL pointer (Coverity 941)
2006-10-02 07:15:09 +00:00
manu
9a55720f5c
Don't use NULL pointer (Coverity 942)
2006-10-02 07:12:26 +00:00
manu
bfd607cda0
Don't use null pointer (Coverity 863)
2006-10-02 07:08:25 +00:00
manu
626d146a75
FIx memory leak (Coverity 4181)
2006-10-01 22:04:03 +00:00
manu
7be862b0db
Check that iph1->remote is not NULL before using it (Coverity 3436)
2006-10-01 19:23:57 +00:00
manu
c7242e7e9f
emove dead code (Coverity 4165)
2006-09-30 21:49:37 +00:00
manu
07b750b745
Fix memory leak (Coverity 4179)
2006-09-30 21:38:39 +00:00
manu
df69765a89
update the scripts for wrorking around routing problems on NetBSD
2006-09-30 21:22:21 +00:00
manu
172675f3db
Reuse existing code for closing IKE sockets, and avoid screwing things by
...
setting p->sock = -1, which is not expected (Coverity 4173).
2006-09-30 16:14:18 +00:00
manu
d5f44674f8
Do not free id and key, as they are used later
2006-09-30 15:51:42 +00:00
manu
efb59e1b32
Fix the fix: handle_recv closes the socket, so we must call com_init before
...
sending any data.
2006-09-29 21:39:35 +00:00
manu
ca09533497
Fix unchecked mallocs (Coverity 4176, 4174)
2006-09-28 20:30:13 +00:00
manu
87b827ea10
Fix access after free (Coverity 4178)
2006-09-28 20:09:35 +00:00
manu
eb5be25aad
Fix memory leak (Coverity)
2006-09-26 21:42:55 +00:00
manu
8b9e0af1db
Fix memory leak (Coverity)
2006-09-26 21:25:52 +00:00
manu
1d587602b5
Remove dead code (Coverity)
2006-09-26 21:10:55 +00:00
manu
75ada6df8d
Fix memory leak (Coverity)
2006-09-26 21:06:54 +00:00
manu
ab1354320a
One more memory leak
2006-09-26 20:58:03 +00:00
manu
ea585e8293
Fix memory leak in racoonctl (coverity)
2006-09-26 20:51:43 +00:00