fa4803bf0a
Various improvements to error log messages and a few additional error log
...
messages to improve diagnosing an error condition.
2010-10-20 13:37:37 +00:00
49a8dd9d23
Fix address comparison so we actually close sockets which were bound to
...
IP-address that got deconfigured.
2010-10-20 10:56:39 +00:00
fe1c6ea2f2
report a higher encryption key length in approval for OBEY / CLAIM / STRICT modes
2010-10-11 14:16:30 +00:00
45f0ad8281
fixed some typos in logs (reported by fazaeli (at) sepehrs.com)
2010-09-27 11:57:59 +00:00
1da0e31bfc
fixed a fd leak, patch by getlaser (at) gmail.com
2010-09-24 15:09:29 +00:00
23e038ba26
get the correct length of username when processing ADMIN_LOGOUT_USER, patch by rweikusat (at) mssgmbh.com
2010-09-22 13:37:35 +00:00
40e858e050
fixed a typo in macros, reported by marisp (at) mt.lv
2010-09-22 07:34:51 +00:00
a4e6ec9d93
moved from utmp.h to utmpx.h (patch provided by marcin.cieslak (at) gmail.com)
2010-09-21 13:14:17 +00:00
71f4bdc1a9
fixed remoteconf selection when no ID specified in configuration, and added some debug to remoteconf selection
2010-09-08 12:18:35 +00:00
12865805af
fix by Sergio.Gelato (at) astro.su.se: duplicate some dynamic values in duprmconf()
2010-08-26 13:31:55 +00:00
4020e47561
fixed answer for IP4_SUBNET request
2010-08-04 09:16:58 +00:00
62c45492f0
updated link to NetBSD's documentation
2010-07-30 14:50:47 +00:00
432f682f2f
Bump date for previous.
2010-06-22 20:51:04 +00:00
9049130b27
added a specific script hook when a dead peer is detected
2010-06-22 09:41:33 +00:00
ee938d1113
New sentence, new line. Bump date for previous.
2010-06-04 21:53:36 +00:00
a0bdaf1b16
Added support for spdupdate command in setkey
2010-06-04 13:06:03 +00:00
ba30b496b8
by Eric Preston: fixed a typo
2010-04-07 14:53:52 +00:00
bd7ae6bd09
handle ctime returning NULL.
2010-04-02 15:13:26 +00:00
fcbd1014fb
PR/42363: Yasuoka Masahiko: Second part of the patch: iterate only on the
...
phase2 handles that are bound by the given phase1 handle.
2010-03-11 15:44:48 +00:00
e3413574b5
From Stefan Bauer: Fix multiple typoes and manpage formatting errors.
2010-03-05 06:47:58 +00:00
709abc828e
From Pierre POMES: fixed admin port initialization
2010-03-04 15:13:53 +00:00
ccaf1e96be
Fight the ever-increasing size of src checkouts by spelling "useful"
...
without an extra l.
2010-02-28 15:52:16 +00:00
8e35c759e7
Fix typo in comment.
2010-02-09 23:05:16 +00:00
e15635055f
Free strdeupped string after using it. Found by cppcheck.
2010-01-17 23:03:01 +00:00
44e3b1fff7
Close file handles after using them. Found by cppcheck.
2010-01-17 23:02:48 +00:00
0e901e0c61
Use .%U instead of .%O for URLs.
2010-01-15 19:18:51 +00:00
119e5ecd44
From Paul Wernau: vmbuf.h was defined twice in the headers. Remove the
...
redundant entry so new install tool does not complain about overwriting
just installed file.
2009-12-11 09:04:04 +00:00
aabb31871d
PR/42363: Yasuoka Masahiko:
...
racoon uses a wrong IPsec-SA handle that is for other peer in case it
receives a ISAKMP message for IPsec-SA that has the same message-id as
the message-id that is received before.
racoon uses message-id to find the handle of IPsec-SA. The message-id
is a unique number for each peer, but different peers may use the same
value.
Different Windows Vista or Windows 7 peers seem to use the same
message-id. racoon can handle the first Windows's Phase-2, but it
cannot handle the second Windows. Because racoon misunderstands the
message for the second Windows as the message for the first Windows.
>Category: bin
>Synopsis: racoon uses a wrong IPsec-SA that is for different peer
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Nov 22 18:25:00 +0000 2009
>Originator: yasuoka@iij.ad.jp
2009-11-22 19:34:55 +00:00
792f03d2b0
use %option noinput nounput
2009-10-29 14:34:27 +00:00
cd2a002a7a
no unput
2009-10-28 20:59:46 +00:00
4467064d5b
Do not use .Xo/.Xc to workaround ancient groff limits.
2009-10-14 23:36:55 +00:00
a453670196
Do not use .Xo/.Xc to work around ancient groff limits.
...
Fix markup.
2009-10-14 18:34:14 +00:00
0639ebde24
Don't use .Xo/.Xc to work around ancient groff limits.
...
Set only one list type.
2009-10-14 18:22:04 +00:00
ff2c7b7d5c
From Tomas Mraz: Fix gssapi error checking.
2009-09-18 10:31:11 +00:00
63bcd231eb
When rekeying phase2 use phase1 used to negotiate phase2 as a hint to
...
select the phase1 for rekeying the new phase2.
2009-09-03 09:29:07 +00:00
ae0beb16dc
Check nat_traversal configuration from remote configuration candidates
...
when acting as responder. Enable NAT-T if any of the remote candidates
have NAT-T enabled.
2009-09-01 12:22:09 +00:00
5e74d5d98f
Change remote conf matching level to matching score. This way one can
...
override anonymous certificate block config with more exact "inhereted"
IP specific block.
2009-09-01 09:49:59 +00:00
43e6802298
From Maik Broemme: export ISAKMP SA identity as REMOTE_ID for phase1 up
...
script (trac #313 ).
2009-09-01 09:24:21 +00:00
b7f72d1283
fixed typo: algoriym -> algorithm
2009-08-24 09:33:03 +00:00
a3d9e80f96
fixed address check in rmconf_match_type(), just check address with wildcard port
2009-08-19 13:54:07 +00:00
95f3bd08bb
Have an enum for rmconf_match_type() return values to make the code a bit
...
more readable.
2009-08-19 12:20:02 +00:00
e2ffc89458
typo: algoritym -> algorithm
2009-08-18 08:21:12 +00:00
eb15fbb554
do not use SADB_X_NAT_T_NEW_MAPPING to check system support for NAT-T, as at least FreeBSD doesn't have this define anymore
2009-08-17 13:52:14 +00:00
82dd0659f2
include stddef.h so we have a chance to get the system offsetof if present
2009-08-17 12:00:53 +00:00
c2c64af1e8
removed a self include
2009-08-17 11:59:10 +00:00
0667dd70bd
fixed a potential DoS in oakley_do_decrypt(), reported by Orange Labs
2009-08-13 09:18:28 +00:00
ea830abf58
Don't print EAGAIN error from pfkey_handler(), it can occur normally
...
under some code paths and is not a hard error in any case.
2009-08-10 08:22:13 +00:00
c2919dd501
From Paul Wenau: Check fgets return value in setkey to make gcc happy.
2009-08-06 04:44:43 +00:00
4180506456
From Paul Wernau: Fix transport mode per-port security associations that
...
got broke during NAT-T fixes.
2009-08-05 13:16:01 +00:00
aab4a00722
From Arnaud Ebalard: Fix possible usage of uninitialized local variable
...
(not sure if any code path triggers this, but this makes compiler happy).
2009-07-07 12:25:22 +00:00
3d0db58d61
Get rid of the evil CMPSADDR macro. Trac #295 .
2009-07-03 06:41:46 +00:00
edd4f79009
From Yvan Vanhullebus: Use SADB_X_EXT_NAT_T_* consistently for passing the
...
NAT-T port information. This might break compatibility with some kernels,
but as discussed this is the proper way to pass NAT-T ports and the broken
kernels need to be fixed.
2009-07-03 06:40:10 +00:00
a8d702d9b1
Fix a call to null pointer: in some cases, the unmonitor_fd can be called
...
from another fd's callback. That could lead to still have callback pending
after unmonitoring the fd resulting in a call to null pointer.
This is fixed by making unmonitor_fd now clear the pending fd_set too.
Bug was introduced by my commit in 2008-12-23.
2009-06-24 11:28:48 +00:00
f61fedc250
typo
2009-05-20 07:54:50 +00:00
68ab535bfd
From Jukka Salmi: Fix couple of typos from previous commit.
2009-05-19 09:34:52 +00:00
0ab43f031c
From Tomas Mraz: Introduce union sockaddr_any and use it to make code
...
more readable. Related to trac #293 .
2009-05-18 17:40:38 +00:00
ef94861331
From Tomas Mraz: Remove variable that is not really used; only referenced
...
while uninitialized causing valgrind error.
2009-05-18 17:07:15 +00:00
5e83df8c82
From Tomas Mraz: Fix natt_flags check.
2009-05-18 17:00:42 +00:00
decd684ac0
Remove superfluous spaces around parentheses.
2009-05-04 22:28:30 +00:00
ec20a1edf8
From Ross Meng: Fix a memory leak in X509 certificate validation.
2009-04-29 10:50:01 +00:00
8bcee86f68
Reset nat_oa variables too when reusing phase two handler. Otherwise
...
phase2 rekeying might fail in some scenarios.
2009-04-28 13:54:07 +00:00
95b420bbeb
From Neil Kettle: Fix a possible null pointer dereference in fragmentation
...
code.
2009-04-22 11:24:20 +00:00
fab62310e7
Fix strict_address to work again. The lists needs to be initialized
...
before configuration is read, which happens before my_addr_init() call.
2009-04-21 18:38:31 +00:00
7019ec4077
Fix a memory leak in certificate request generation.
2009-04-20 13:24:36 +00:00
f273c7c2bb
Orignally from Bin Li: Fix possible memory corruption in binsanitize().
2009-04-20 13:23:54 +00:00
a2f9e36ab3
From Stephen Bevan: Fix a x509 signature verification memory leak.
2009-04-20 13:22:41 +00:00
b1fd61f62f
Originally from Bin Li: Fix a crash with racoonctl logout user.
2009-04-20 13:22:00 +00:00
8759a6c72c
Fix a memory leak in nat-t keepalive code.
2009-04-20 13:17:35 +00:00
8c22b469e0
From Paul Moore: Phase2 message id's should be unique wrt phase1, not
...
globally.
2009-04-20 13:16:52 +00:00
0c68acc1de
From Arnaud Ebalard: Fix couple of problems with previous commit.
2009-03-13 04:49:16 +00:00
976380d183
When casting to/from a pointer to an integral type (a bad practice,
...
if you ask me), you need to cast via intptr_t for portability.
2009-03-12 23:05:27 +00:00
2df943f931
New sentence, new line. Avoid marking up punctuation.
2009-03-12 15:18:57 +00:00
0d4480d10a
Bump date for previous. Sort options to establish-sa.
...
Stop using Xo/Xc.
2009-03-12 14:01:09 +00:00
983cc8fecf
Support multiple anonymous remotes and decide remoteconf based on identity,
...
received certificates and other information. General code clean up.
2009-03-12 10:57:26 +00:00
e3372d2f8f
setkey: fix deleteall in Linux
...
Linux requires SADB_DELETE message to have SPI. So send
a SADB_DELETE message for each matching SA. Trac #284 .
From: Gabriel Somlo <somlo@cmu.edu>
2009-03-06 11:45:03 +00:00
b1ab726a1a
From Paul Moore: Fix a heap corruption bug (yacc return non-null terminated
...
buffer and sprintf writes over bounds).
2009-02-16 18:36:21 +00:00
3723c0b8cf
trac#301: fixed IPsec SAs flush in purge_remote() when NAT-T enabled but no NAT-T on tunnel
2009-02-11 15:18:59 +00:00
ee2923bc73
From: Phil Sutter. Fix script environment variables with IPv6 addresses.
2009-02-03 20:21:45 +00:00
98b638ac57
Argument parsing needs lcconf initialized.
2009-01-26 18:13:06 +00:00
58b2161948
Sort options in usage.
2009-01-24 10:43:47 +00:00
a8e14ecee0
Sort options. New sentence, new line.
2009-01-24 10:43:38 +00:00
86a90d6c4e
Sort options.
2009-01-24 10:42:31 +00:00
e9d216a40d
Update usage and manpage for racoonctl.
2009-01-23 11:44:08 +00:00
c6d64c37e0
Racoon -v to print version and compilation information. Update usage
...
message.
2009-01-23 11:28:27 +00:00
1f949d3b6c
Update NEWS with major changes since 0.7 release.
2009-01-23 09:40:56 +00:00
731a29e03b
Fix monotonic scheduler change, to not refresh 'now' before exit. Otherwise
...
we can return negative timeout after spending time handling other events.
2009-01-23 09:10:13 +00:00
7bc9f9e4ee
From Arnaud Ebalard:
...
Handle reception of MIGRATE message during Phase 1 and Phase 2 negotiation.
Also corrects some debugging statements.
2009-01-23 08:32:58 +00:00
b9ba86c968
From Arnaud Ebalard:
...
On the responder (for instance), there is a need to not only migrate local
and remote addresses of Phase 1 that match previous addresses but also
the local and remote addresses of a Phase 1 *associated* with a migrated
Phase 2. For instance, we have that need when receiving the first
MIGRATE/KMADDRESS message because the old addresses are still the HoA and
the address of the HA (while the peer has contacted us using the CoA and
we have negotiated this address as src attribute in Phase 2). The patch
fixes that by having migrate_ph1_ike_addresses() called from
migrate_ph2_ike_addresses() callback.
2009-01-23 08:29:34 +00:00
54bcc916f5
From Arnaud Ebalard: Set phase2 spid when acting as responder.
2009-01-23 08:27:24 +00:00
5d5e4e2fa3
Detect if monotonic system clock is available, and use it for relative
...
time measurements to avoid complite hang if time jumps backwards.
2009-01-23 08:25:06 +00:00
49c6438a45
Fix authentication method ambiguity by internally using unique ID and
...
setting/interpreting the wire format based on received vendor ID:s. Fixes
trac #280 .
2009-01-23 08:23:51 +00:00
69697b4655
Introduce vendorid bitmask that can be used otherwhere to detect peer
...
capabilities.
2009-01-23 08:06:56 +00:00
2b7d4cd554
Remove "fastquit" configure option and make it the default behaviour. The
...
previous normal behaviour is buggy, as after flush kernel can immediately
create larval SA:s which would prevent exit.
2009-01-23 08:05:58 +00:00
2b68c3a06a
Autogenerate ChangeLog from NetBSD CVS. Put sourceforge.net changes to
...
ChangeLog.old.
2009-01-20 14:36:07 +00:00
67cbe60826
Make ready for HTML output.
...
Use proper escape for backslash ('\e').
2009-01-10 21:58:38 +00:00
f7557f766d
From Cyrus Rahman:
...
Accept RFC2253 compliant escaped special characters for asn1dn identifier.
2009-01-10 19:08:40 +00:00
a0b1dc6be0
Fix a CPPLAGS typo to CPPFLAGS which was intended
2009-01-09 06:31:38 +00:00
9df0ec5c7e
Fix a CPPLAGS type to CPPFLAGS which was intended
2009-01-09 06:31:37 +00:00
b264308e87
Remove obsolete configuration options, fix radius configuration block and
...
add GRE as recognized protocol.
2009-01-05 06:03:58 +00:00
328859aef7
Do not use counting in signal handling as it was unsafe by not using
...
atomic functions (post increment is not necessarily atomic).
Instead reap all children on SIGCHLD as that was the only signal needing
signal counting.
2009-01-05 06:00:27 +00:00
tteras