tteras
fa4803bf0a
Various improvements to error log messages and a few additional error log
...
messages to improve diagnosing an error condition.
2010-10-20 13:37:37 +00:00
tteras
49a8dd9d23
Fix address comparison so we actually close sockets which were bound to
...
IP-address that got deconfigured.
2010-10-20 10:56:39 +00:00
vanhu
fe1c6ea2f2
report a higher encryption key length in approval for OBEY / CLAIM / STRICT modes
2010-10-11 14:16:30 +00:00
vanhu
45f0ad8281
fixed some typos in logs (reported by fazaeli (at) sepehrs.com)
2010-09-27 11:57:59 +00:00
vanhu
1da0e31bfc
fixed a fd leak, patch by getlaser (at) gmail.com
2010-09-24 15:09:29 +00:00
vanhu
23e038ba26
get the correct length of username when processing ADMIN_LOGOUT_USER, patch by rweikusat (at) mssgmbh.com
2010-09-22 13:37:35 +00:00
vanhu
40e858e050
fixed a typo in macros, reported by marisp (at) mt.lv
2010-09-22 07:34:51 +00:00
vanhu
a4e6ec9d93
moved from utmp.h to utmpx.h (patch provided by marcin.cieslak (at) gmail.com)
2010-09-21 13:14:17 +00:00
vanhu
71f4bdc1a9
fixed remoteconf selection when no ID specified in configuration, and added some debug to remoteconf selection
2010-09-08 12:18:35 +00:00
vanhu
12865805af
fix by Sergio.Gelato (at) astro.su.se: duplicate some dynamic values in duprmconf()
2010-08-26 13:31:55 +00:00
vanhu
4020e47561
fixed answer for IP4_SUBNET request
2010-08-04 09:16:58 +00:00
vanhu
62c45492f0
updated link to NetBSD's documentation
2010-07-30 14:50:47 +00:00
wiz
432f682f2f
Bump date for previous.
2010-06-22 20:51:04 +00:00
vanhu
9049130b27
added a specific script hook when a dead peer is detected
2010-06-22 09:41:33 +00:00
wiz
ee938d1113
New sentence, new line. Bump date for previous.
2010-06-04 21:53:36 +00:00
vanhu
a0bdaf1b16
Added support for spdupdate command in setkey
2010-06-04 13:06:03 +00:00
vanhu
ba30b496b8
by Eric Preston: fixed a typo
2010-04-07 14:53:52 +00:00
christos
bd7ae6bd09
handle ctime returning NULL.
2010-04-02 15:13:26 +00:00
christos
fcbd1014fb
PR/42363: Yasuoka Masahiko: Second part of the patch: iterate only on the
...
phase2 handles that are bound by the given phase1 handle.
2010-03-11 15:44:48 +00:00
tteras
e3413574b5
From Stefan Bauer: Fix multiple typoes and manpage formatting errors.
2010-03-05 06:47:58 +00:00
vanhu
709abc828e
From Pierre POMES: fixed admin port initialization
2010-03-04 15:13:53 +00:00
snj
ccaf1e96be
Fight the ever-increasing size of src checkouts by spelling "useful"
...
without an extra l.
2010-02-28 15:52:16 +00:00
wiz
8e35c759e7
Fix typo in comment.
2010-02-09 23:05:16 +00:00
wiz
e15635055f
Free strdeupped string after using it. Found by cppcheck.
2010-01-17 23:03:01 +00:00
wiz
44e3b1fff7
Close file handles after using them. Found by cppcheck.
2010-01-17 23:02:48 +00:00
joerg
0e901e0c61
Use .%U instead of .%O for URLs.
2010-01-15 19:18:51 +00:00
tteras
119e5ecd44
From Paul Wernau: vmbuf.h was defined twice in the headers. Remove the
...
redundant entry so new install tool does not complain about overwriting
just installed file.
2009-12-11 09:04:04 +00:00
christos
aabb31871d
PR/42363: Yasuoka Masahiko:
...
racoon uses a wrong IPsec-SA handle that is for other peer in case it
receives a ISAKMP message for IPsec-SA that has the same message-id as
the message-id that is received before.
racoon uses message-id to find the handle of IPsec-SA. The message-id
is a unique number for each peer, but different peers may use the same
value.
Different Windows Vista or Windows 7 peers seem to use the same
message-id. racoon can handle the first Windows's Phase-2, but it
cannot handle the second Windows. Because racoon misunderstands the
message for the second Windows as the message for the first Windows.
>Category: bin
>Synopsis: racoon uses a wrong IPsec-SA that is for different peer
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Nov 22 18:25:00 +0000 2009
>Originator: yasuoka@iij.ad.jp
2009-11-22 19:34:55 +00:00
christos
792f03d2b0
use %option noinput nounput
2009-10-29 14:34:27 +00:00
christos
cd2a002a7a
no unput
2009-10-28 20:59:46 +00:00
joerg
4467064d5b
Do not use .Xo/.Xc to workaround ancient groff limits.
2009-10-14 23:36:55 +00:00
joerg
a453670196
Do not use .Xo/.Xc to work around ancient groff limits.
...
Fix markup.
2009-10-14 18:34:14 +00:00
joerg
0639ebde24
Don't use .Xo/.Xc to work around ancient groff limits.
...
Set only one list type.
2009-10-14 18:22:04 +00:00
tteras
ff2c7b7d5c
From Tomas Mraz: Fix gssapi error checking.
2009-09-18 10:31:11 +00:00
tteras
63bcd231eb
When rekeying phase2 use phase1 used to negotiate phase2 as a hint to
...
select the phase1 for rekeying the new phase2.
2009-09-03 09:29:07 +00:00
tteras
ae0beb16dc
Check nat_traversal configuration from remote configuration candidates
...
when acting as responder. Enable NAT-T if any of the remote candidates
have NAT-T enabled.
2009-09-01 12:22:09 +00:00
tteras
5e74d5d98f
Change remote conf matching level to matching score. This way one can
...
override anonymous certificate block config with more exact "inhereted"
IP specific block.
2009-09-01 09:49:59 +00:00
tteras
43e6802298
From Maik Broemme: export ISAKMP SA identity as REMOTE_ID for phase1 up
...
script (trac #313 ).
2009-09-01 09:24:21 +00:00
vanhu
b7f72d1283
fixed typo: algoriym -> algorithm
2009-08-24 09:33:03 +00:00
vanhu
a3d9e80f96
fixed address check in rmconf_match_type(), just check address with wildcard port
2009-08-19 13:54:07 +00:00
tteras
95f3bd08bb
Have an enum for rmconf_match_type() return values to make the code a bit
...
more readable.
2009-08-19 12:20:02 +00:00
vanhu
e2ffc89458
typo: algoritym -> algorithm
2009-08-18 08:21:12 +00:00
vanhu
eb15fbb554
do not use SADB_X_NAT_T_NEW_MAPPING to check system support for NAT-T, as at least FreeBSD doesn't have this define anymore
2009-08-17 13:52:14 +00:00
vanhu
82dd0659f2
include stddef.h so we have a chance to get the system offsetof if present
2009-08-17 12:00:53 +00:00
vanhu
c2c64af1e8
removed a self include
2009-08-17 11:59:10 +00:00
vanhu
0667dd70bd
fixed a potential DoS in oakley_do_decrypt(), reported by Orange Labs
2009-08-13 09:18:28 +00:00
tteras
ea830abf58
Don't print EAGAIN error from pfkey_handler(), it can occur normally
...
under some code paths and is not a hard error in any case.
2009-08-10 08:22:13 +00:00
tteras
c2919dd501
From Paul Wenau: Check fgets return value in setkey to make gcc happy.
2009-08-06 04:44:43 +00:00
tteras
4180506456
From Paul Wernau: Fix transport mode per-port security associations that
...
got broke during NAT-T fixes.
2009-08-05 13:16:01 +00:00
tteras
aab4a00722
From Arnaud Ebalard: Fix possible usage of uninitialized local variable
...
(not sure if any code path triggers this, but this makes compiler happy).
2009-07-07 12:25:22 +00:00
tteras
3d0db58d61
Get rid of the evil CMPSADDR macro. Trac #295 .
2009-07-03 06:41:46 +00:00
tteras
edd4f79009
From Yvan Vanhullebus: Use SADB_X_EXT_NAT_T_* consistently for passing the
...
NAT-T port information. This might break compatibility with some kernels,
but as discussed this is the proper way to pass NAT-T ports and the broken
kernels need to be fixed.
2009-07-03 06:40:10 +00:00
tteras
a8d702d9b1
Fix a call to null pointer: in some cases, the unmonitor_fd can be called
...
from another fd's callback. That could lead to still have callback pending
after unmonitoring the fd resulting in a call to null pointer.
This is fixed by making unmonitor_fd now clear the pending fd_set too.
Bug was introduced by my commit in 2008-12-23.
2009-06-24 11:28:48 +00:00
vanhu
f61fedc250
typo
2009-05-20 07:54:50 +00:00
tteras
68ab535bfd
From Jukka Salmi: Fix couple of typos from previous commit.
2009-05-19 09:34:52 +00:00
tteras
0ab43f031c
From Tomas Mraz: Introduce union sockaddr_any and use it to make code
...
more readable. Related to trac #293 .
2009-05-18 17:40:38 +00:00
tteras
ef94861331
From Tomas Mraz: Remove variable that is not really used; only referenced
...
while uninitialized causing valgrind error.
2009-05-18 17:07:15 +00:00
tteras
5e83df8c82
From Tomas Mraz: Fix natt_flags check.
2009-05-18 17:00:42 +00:00
wiz
decd684ac0
Remove superfluous spaces around parentheses.
2009-05-04 22:28:30 +00:00
tteras
ec20a1edf8
From Ross Meng: Fix a memory leak in X509 certificate validation.
2009-04-29 10:50:01 +00:00
tteras
8bcee86f68
Reset nat_oa variables too when reusing phase two handler. Otherwise
...
phase2 rekeying might fail in some scenarios.
2009-04-28 13:54:07 +00:00
tteras
95b420bbeb
From Neil Kettle: Fix a possible null pointer dereference in fragmentation
...
code.
2009-04-22 11:24:20 +00:00
tteras
fab62310e7
Fix strict_address to work again. The lists needs to be initialized
...
before configuration is read, which happens before my_addr_init() call.
2009-04-21 18:38:31 +00:00
tteras
7019ec4077
Fix a memory leak in certificate request generation.
2009-04-20 13:24:36 +00:00
tteras
f273c7c2bb
Orignally from Bin Li: Fix possible memory corruption in binsanitize().
2009-04-20 13:23:54 +00:00
tteras
a2f9e36ab3
From Stephen Bevan: Fix a x509 signature verification memory leak.
2009-04-20 13:22:41 +00:00
tteras
b1fd61f62f
Originally from Bin Li: Fix a crash with racoonctl logout user.
2009-04-20 13:22:00 +00:00
tteras
8759a6c72c
Fix a memory leak in nat-t keepalive code.
2009-04-20 13:17:35 +00:00
tteras
8c22b469e0
From Paul Moore: Phase2 message id's should be unique wrt phase1, not
...
globally.
2009-04-20 13:16:52 +00:00
tteras
0c68acc1de
From Arnaud Ebalard: Fix couple of problems with previous commit.
2009-03-13 04:49:16 +00:00
he
976380d183
When casting to/from a pointer to an integral type (a bad practice,
...
if you ask me), you need to cast via intptr_t for portability.
2009-03-12 23:05:27 +00:00
wiz
2df943f931
New sentence, new line. Avoid marking up punctuation.
2009-03-12 15:18:57 +00:00
wiz
0d4480d10a
Bump date for previous. Sort options to establish-sa.
...
Stop using Xo/Xc.
2009-03-12 14:01:09 +00:00
tteras
983cc8fecf
Support multiple anonymous remotes and decide remoteconf based on identity,
...
received certificates and other information. General code clean up.
2009-03-12 10:57:26 +00:00
tteras
e3372d2f8f
setkey: fix deleteall in Linux
...
Linux requires SADB_DELETE message to have SPI. So send
a SADB_DELETE message for each matching SA. Trac #284 .
From: Gabriel Somlo <somlo@cmu.edu>
2009-03-06 11:45:03 +00:00
tteras
b1ab726a1a
From Paul Moore: Fix a heap corruption bug (yacc return non-null terminated
...
buffer and sprintf writes over bounds).
2009-02-16 18:36:21 +00:00
vanhu
3723c0b8cf
trac#301: fixed IPsec SAs flush in purge_remote() when NAT-T enabled but no NAT-T on tunnel
2009-02-11 15:18:59 +00:00
tteras
ee2923bc73
From: Phil Sutter. Fix script environment variables with IPv6 addresses.
2009-02-03 20:21:45 +00:00
tteras
98b638ac57
Argument parsing needs lcconf initialized.
2009-01-26 18:13:06 +00:00
wiz
58b2161948
Sort options in usage.
2009-01-24 10:43:47 +00:00
wiz
a8e14ecee0
Sort options. New sentence, new line.
2009-01-24 10:43:38 +00:00
wiz
86a90d6c4e
Sort options.
2009-01-24 10:42:31 +00:00
tteras
e9d216a40d
Update usage and manpage for racoonctl.
2009-01-23 11:44:08 +00:00
tteras
c6d64c37e0
Racoon -v to print version and compilation information. Update usage
...
message.
2009-01-23 11:28:27 +00:00
tteras
1f949d3b6c
Update NEWS with major changes since 0.7 release.
2009-01-23 09:40:56 +00:00
tteras
731a29e03b
Fix monotonic scheduler change, to not refresh 'now' before exit. Otherwise
...
we can return negative timeout after spending time handling other events.
2009-01-23 09:10:13 +00:00
tteras
7bc9f9e4ee
From Arnaud Ebalard:
...
Handle reception of MIGRATE message during Phase 1 and Phase 2 negotiation.
Also corrects some debugging statements.
2009-01-23 08:32:58 +00:00
tteras
b9ba86c968
From Arnaud Ebalard:
...
On the responder (for instance), there is a need to not only migrate local
and remote addresses of Phase 1 that match previous addresses but also
the local and remote addresses of a Phase 1 *associated* with a migrated
Phase 2. For instance, we have that need when receiving the first
MIGRATE/KMADDRESS message because the old addresses are still the HoA and
the address of the HA (while the peer has contacted us using the CoA and
we have negotiated this address as src attribute in Phase 2). The patch
fixes that by having migrate_ph1_ike_addresses() called from
migrate_ph2_ike_addresses() callback.
2009-01-23 08:29:34 +00:00
tteras
54bcc916f5
From Arnaud Ebalard: Set phase2 spid when acting as responder.
2009-01-23 08:27:24 +00:00
tteras
5d5e4e2fa3
Detect if monotonic system clock is available, and use it for relative
...
time measurements to avoid complite hang if time jumps backwards.
2009-01-23 08:25:06 +00:00
tteras
49c6438a45
Fix authentication method ambiguity by internally using unique ID and
...
setting/interpreting the wire format based on received vendor ID:s. Fixes
trac #280 .
2009-01-23 08:23:51 +00:00
tteras
69697b4655
Introduce vendorid bitmask that can be used otherwhere to detect peer
...
capabilities.
2009-01-23 08:06:56 +00:00
tteras
2b7d4cd554
Remove "fastquit" configure option and make it the default behaviour. The
...
previous normal behaviour is buggy, as after flush kernel can immediately
create larval SA:s which would prevent exit.
2009-01-23 08:05:58 +00:00
tteras
2b68c3a06a
Autogenerate ChangeLog from NetBSD CVS. Put sourceforge.net changes to
...
ChangeLog.old.
2009-01-20 14:36:07 +00:00
wiz
67cbe60826
Make ready for HTML output.
...
Use proper escape for backslash ('\e').
2009-01-10 21:58:38 +00:00
tteras
f7557f766d
From Cyrus Rahman:
...
Accept RFC2253 compliant escaped special characters for asn1dn identifier.
2009-01-10 19:08:40 +00:00
tteras
a0b1dc6be0
Fix a CPPLAGS typo to CPPFLAGS which was intended
2009-01-09 06:31:38 +00:00
tteras
9df0ec5c7e
Fix a CPPLAGS type to CPPFLAGS which was intended
2009-01-09 06:31:37 +00:00
tteras
b264308e87
Remove obsolete configuration options, fix radius configuration block and
...
add GRE as recognized protocol.
2009-01-05 06:03:58 +00:00
tteras
328859aef7
Do not use counting in signal handling as it was unsafe by not using
...
atomic functions (post increment is not necessarily atomic).
Instead reap all children on SIGCHLD as that was the only signal needing
signal counting.
2009-01-05 06:00:27 +00:00