Aren
/
NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
203,243 Commits 606 Branches 0 Tags 3.1 GiB
Commit Graph

1512 Commits

Author SHA1 Message Date
tteras 7d13a088be Support GRE key as upper layer protocol specifier (will be supported in 
Linux kernel 2.6.38).
 2010-12-03 14:32:52 +00:00
tteras 3a9671366f Netlink deletion notification does not guarentee actual address deletion: 
it might still exist on some other interface. Make sure we do not unbind
unless the address is really gone.
 2010-12-03 09:46:24 +00:00
tteras 6a6cffd67e Fix my previous patch to not call purge_remote() twice. Change the place 
where purge_remote() is called. This fixes also a possible crash from the
same patch since ph1->remote can be NULL (when we are responder and config
is not yet selected).
 2010-11-17 10:40:41 +00:00
tteras 939a5bdbb6 isakmp_post_acquire is now called from admin commands too, add a flag so 
admin commands can be used to establish even passive links on demand.
 2010-11-12 10:36:37 +00:00
tteras fafea48525 Purge all IPsec-SA's if the last main ISAKMP-SA for the node is deleted 
by remote request and the phase1 rekeying is enabled (this will also
trigger the new phase1_dead script hook).
 2010-11-12 09:11:37 +00:00
tteras 3d7d638a63 Improve DPD sequence checks to allow any reply within valid sequence window 
to be proof of livelyness. This can improves things if there's random
packet delays, or if racoon is not getting enough CPU time.
 2010-11-12 09:09:47 +00:00
tteras 731159f704 Extern admin protocol to allow reply packets to exceed 64kb. E.g SA dumps 
with many established SAs can be easily over the limit.
 2010-11-12 09:08:26 +00:00
tteras 0a922db186 Change Linux Netlink address monitoring to monitor local route changes. 
This works around a kernel bug, and slightly improves behaviour on some
special cases.
 2010-10-22 06:26:26 +00:00
tteras 84874398b5 Introduce priorities for file descriptor polling mechanism and give 
priority to admin port. If admin port is used by ISAKMP-SA hook scripts
they should be preferred, other wise heavy traffic can delay admin port
requests considerably. This in turn may cause renegotiation loop for
ISAKMP-SA. This is mostly useful for OpenNHRP setup, but can benefit
other setups too.
 2010-10-21 06:15:28 +00:00
tteras af50f9e5f9 Remove initial-contact entry when all ISAKMP-SA are purged via adminport. 
This will avoid stale security associations if some of the delete
notifications happens to get lost.
 2010-10-21 06:04:33 +00:00
tteras 976b63b0c6 Use high-level openssl EVP and HMAC functions when possible: this allows 
openssl to perform hardware acceleration if available.
 2010-10-20 13:40:02 +00:00
tteras fa4803bf0a Various improvements to error log messages and a few additional error log 
messages to improve diagnosing an error condition.
 2010-10-20 13:37:37 +00:00
tteras 49a8dd9d23 Fix address comparison so we actually close sockets which were bound to 
IP-address that got deconfigured.
 2010-10-20 10:56:39 +00:00
vanhu fe1c6ea2f2 report a higher encryption key length in approval for OBEY / CLAIM / STRICT modes 2010-10-11 14:16:30 +00:00
vanhu 45f0ad8281 fixed some typos in logs (reported by fazaeli (at) sepehrs.com) 2010-09-27 11:57:59 +00:00
vanhu 1da0e31bfc fixed a fd leak, patch by getlaser (at) gmail.com 2010-09-24 15:09:29 +00:00
vanhu 23e038ba26 get the correct length of username when processing ADMIN_LOGOUT_USER, patch by rweikusat (at) mssgmbh.com 2010-09-22 13:37:35 +00:00
vanhu 40e858e050 fixed a typo in macros, reported by marisp (at) mt.lv 2010-09-22 07:34:51 +00:00
vanhu a4e6ec9d93 moved from utmp.h to utmpx.h (patch provided by marcin.cieslak (at) gmail.com) 2010-09-21 13:14:17 +00:00
vanhu 71f4bdc1a9 fixed remoteconf selection when no ID specified in configuration, and added some debug to remoteconf selection 2010-09-08 12:18:35 +00:00
vanhu 12865805af fix by Sergio.Gelato (at) astro.su.se: duplicate some dynamic values in duprmconf() 2010-08-26 13:31:55 +00:00
reed 75d9fdeb7e Add copyright and license. 
I reported this in October 2009 and it was fixed upstream.
http://github.com/heimdal/heimdal/commits/master/kpasswd/kpasswdd.8
 2010-08-25 15:08:22 +00:00
vanhu 4020e47561 fixed answer for IP4_SUBNET request 2010-08-04 09:16:58 +00:00
vanhu 62c45492f0 updated link to NetBSD's documentation 2010-07-30 14:50:47 +00:00
wiz 432f682f2f Bump date for previous. 2010-06-22 20:51:04 +00:00
vanhu 9049130b27 added a specific script hook when a dead peer is detected 2010-06-22 09:41:33 +00:00
wiz ee938d1113 New sentence, new line. Bump date for previous. 2010-06-04 21:53:36 +00:00
vanhu a0bdaf1b16 Added support for spdupdate command in setkey 2010-06-04 13:06:03 +00:00
vanhu ba30b496b8 by Eric Preston: fixed a typo 2010-04-07 14:53:52 +00:00
christos ec03fa3be9 handle ctime returning NULL. 2010-04-02 15:26:17 +00:00
christos 467b66f1cd make it obvious to grep that ctime is being checked. 2010-04-02 15:25:04 +00:00
christos ef20b5e868 handle ctime returning NULL. 2010-04-02 15:23:17 +00:00
christos 53ab8e0b3c make it obvious what ctime is used for. 2010-04-02 15:19:02 +00:00
christos bd7ae6bd09 handle ctime returning NULL. 2010-04-02 15:13:26 +00:00
christos fcbd1014fb PR/42363: Yasuoka Masahiko: Second part of the patch: iterate only on the 
phase2 handles that are bound by the given phase1 handle.
 2010-03-11 15:44:48 +00:00
tteras e3413574b5 From Stefan Bauer: Fix multiple typoes and manpage formatting errors. 2010-03-05 06:47:58 +00:00
vanhu 709abc828e From Pierre POMES: fixed admin port initialization 2010-03-04 15:13:53 +00:00
snj ccaf1e96be Fight the ever-increasing size of src checkouts by spelling "useful" 
without an extra l.
 2010-02-28 15:52:16 +00:00
wiz 8e35c759e7 Fix typo in comment. 2010-02-09 23:05:16 +00:00
christos 6439b76ce2 make the window size function return the lines and columns variables separately 
instead of depending on the existance of struct winsize. Technically I should
bump the library version or version the symbol, but nothing seems to use this
outside the library!
 2010-01-24 16:45:57 +00:00
christos 6e3a01841c don't expose struct winsize needlessly. 2010-01-24 16:42:12 +00:00
tsutsui 9357df271a Backout previous. 2010-01-20 19:54:07 +00:00
tsutsui 64cc3f120f Backout previous which breaks build on NetBSD. Pointed out by wiz@. 
Probably we have to add a check for HAVE_STRUCT_WINSIZE
in src/tools/configure as src/crypto/dist/heimdal/configure does.
 2010-01-20 15:03:50 +00:00
tsutsui ad30688c11 Don't include src/include heimdal/roken.h on tools build because 
it's "an OS dependent, generated file" configured for the target NetBSD
as noted in itself.  Instead, include <roken-common.h>
(which is included from generated <roken.h> and required
for TRUE and fALSE definitions) and "nbtool_config.h" on tools build.

Fixes PR toolchain/41435 and makes cross build on Cygwin-1.7 work.
No particular comments in the PR.
 2010-01-20 12:54:17 +00:00
wiz e15635055f Free strdeupped string after using it. Found by cppcheck. 2010-01-17 23:03:01 +00:00
wiz 44e3b1fff7 Close file handles after using them. Found by cppcheck. 2010-01-17 23:02:48 +00:00
joerg 0e901e0c61 Use .%U instead of .%O for URLs. 2010-01-15 19:18:51 +00:00
tteras 119e5ecd44 From Paul Wernau: vmbuf.h was defined twice in the headers. Remove the 
redundant entry so new install tool does not complain about overwriting
just installed file.
 2009-12-11 09:04:04 +00:00
christos aabb31871d PR/42363: Yasuoka Masahiko: 
racoon uses a wrong IPsec-SA handle that is for other peer in case it
receives a ISAKMP message for IPsec-SA that has the same message-id as
the message-id that is received before.

racoon uses message-id to find the handle of IPsec-SA.  The message-id
is a unique number for each peer, but different peers may use the same
value.

Different Windows Vista or Windows 7 peers seem to use the same
message-id.  racoon can handle the first Windows's Phase-2, but it
cannot handle the second Windows.  Because racoon misunderstands the
message for the second Windows as the message for the first Windows.

>Category:       bin
>Synopsis:       racoon uses a wrong IPsec-SA that is for different peer
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Nov 22 18:25:00 +0000 2009
>Originator:     yasuoka@iij.ad.jp
 2009-11-22 19:34:55 +00:00
christos 2853bbf4b7 use %option instead of #define YY_NO_... 2009-10-29 14:49:02 +00:00
christos 792f03d2b0 use %option noinput nounput 2009-10-29 14:34:27 +00:00
christos cd2a002a7a no unput 2009-10-28 20:59:46 +00:00
wiz 02d06f301f Remove .Os argument. 
Remove ending dot in SEE ALSO.
Use Fl Fl for long options.
New sentence, new line.
Remove trailing whitespace.
 2009-10-25 10:30:47 +00:00
reed 06921da813 Fix section number for a man page reference. 
While here put the man pages in the SEE ALSO in order too.
(This was shared and now fixed upstream too.)
 2009-10-25 01:52:04 +00:00
reed fa923fa9a7 Fix Nm macro usage. 
Fixed upstream in April:
9747de8132
 2009-10-24 11:12:56 +00:00
reed 638b376411 Fix Document Title. 
(I already report and it is fixed upstream.)
 2009-10-24 11:09:31 +00:00
joerg d935d602c7 Fix redundancy. 2009-10-15 00:07:45 +00:00
joerg addb345ac7 Do not work around ancient groff limits with .Xo/.Xc. 2009-10-14 23:37:33 +00:00
joerg 4467064d5b Do not use .Xo/.Xc to workaround ancient groff limits. 2009-10-14 23:36:55 +00:00
joerg a453670196 Do not use .Xo/.Xc to work around ancient groff limits. 
Fix markup.
 2009-10-14 18:34:14 +00:00
joerg 0639ebde24 Don't use .Xo/.Xc to work around ancient groff limits. 
Set only one list type.
 2009-10-14 18:22:04 +00:00
joerg 2644011d38 Use proper markup. 2009-10-14 17:33:56 +00:00
joerg 68d56b9fdf Fix markup. 2009-10-13 22:49:34 +00:00
joerg 37aea36c2a Use sane logical markup and actual cross references. 2009-10-13 22:47:55 +00:00
joerg 951207a2a8 Fix markup. 2009-10-13 22:47:31 +00:00
tteras ff2c7b7d5c From Tomas Mraz: Fix gssapi error checking. 2009-09-18 10:31:11 +00:00
tteras 63bcd231eb When rekeying phase2 use phase1 used to negotiate phase2 as a hint to 
select the phase1 for rekeying the new phase2.
 2009-09-03 09:29:07 +00:00
tteras ae0beb16dc Check nat_traversal configuration from remote configuration candidates 
when acting as responder. Enable NAT-T if any of the remote candidates
have NAT-T enabled.
 2009-09-01 12:22:09 +00:00
tteras 5e74d5d98f Change remote conf matching level to matching score. This way one can 
override anonymous certificate block config with more exact "inhereted"
IP specific block.
 2009-09-01 09:49:59 +00:00
tteras 43e6802298 From Maik Broemme: export ISAKMP SA identity as REMOTE_ID for phase1 up 
script (trac #313).
 2009-09-01 09:24:21 +00:00
vanhu b7f72d1283 fixed typo: algoriym -> algorithm 2009-08-24 09:33:03 +00:00
vanhu a3d9e80f96 fixed address check in rmconf_match_type(), just check address with wildcard port 2009-08-19 13:54:07 +00:00
tteras 95f3bd08bb Have an enum for rmconf_match_type() return values to make the code a bit 
more readable.
 2009-08-19 12:20:02 +00:00
vanhu e2ffc89458 typo: algoritym -> algorithm 2009-08-18 08:21:12 +00:00
vanhu eb15fbb554 do not use SADB_X_NAT_T_NEW_MAPPING to check system support for NAT-T, as at least FreeBSD doesn't have this define anymore 2009-08-17 13:52:14 +00:00
vanhu 82dd0659f2 include stddef.h so we have a chance to get the system offsetof if present 2009-08-17 12:00:53 +00:00
vanhu c2c64af1e8 removed a self include 2009-08-17 11:59:10 +00:00
vanhu 0667dd70bd fixed a potential DoS in oakley_do_decrypt(), reported by Orange Labs 2009-08-13 09:18:28 +00:00
tteras ea830abf58 Don't print EAGAIN error from pfkey_handler(), it can occur normally 
under some code paths and is not a hard error in any case.
 2009-08-10 08:22:13 +00:00
tteras c2919dd501 From Paul Wenau: Check fgets return value in setkey to make gcc happy. 2009-08-06 04:44:43 +00:00
tteras 4180506456 From Paul Wernau: Fix transport mode per-port security associations that 
got broke during NAT-T fixes.
 2009-08-05 13:16:01 +00:00
christos e97383ebc1 Don't lets this linger around forever. Causes hidden bugs. 2009-07-20 22:55:47 +00:00
christos 71cfba1556 ssh has moved (a long time ago) 2009-07-20 17:39:01 +00:00
apb 87c0c2be33 Add missing va_start before varargs processing. 
Part of PR 41255 from Kurt Lidl.
 2009-07-14 20:54:25 +00:00
tteras aab4a00722 From Arnaud Ebalard: Fix possible usage of uninitialized local variable 
(not sure if any code path triggers this, but this makes compiler happy).
 2009-07-07 12:25:22 +00:00
spz 1513d3badc fix break for non-64bit systems due to non-applying macro resp variable 
having crept in with the last patch.
ok martin, compile tested mbalmer and martin
 2009-07-05 11:35:53 +00:00
tonnerre a75354f443 Fix various vulnerabilities in OpenSSL which have not previously been 
addressed: CVE-2009-1377, CVE-2009-1378, CVE-2009-1379, CVE-2009-1386
and CVE-2009-1387.

Changes deal mostly with size checking of various elements and fixes
to various error paths.
 2009-07-04 19:52:10 +00:00
tteras 3d0db58d61 Get rid of the evil CMPSADDR macro. Trac #295. 2009-07-03 06:41:46 +00:00
tteras edd4f79009 From Yvan Vanhullebus: Use SADB_X_EXT_NAT_T_* consistently for passing the 
NAT-T port information. This might break compatibility with some kernels,
but as discussed this is the proper way to pass NAT-T ports and the broken
kernels need to be fixed.
 2009-07-03 06:40:10 +00:00
tonnerre f7384c4a6a Add special handling for CBC cipher modes to make them appear less favorable 
than CTR modes. Also, in order to avoid creating oracles unnecessarily,
change behavior in various situations from "Drop connection" to "Ignore
packets up to 256kB". This affects CBC mode ciphers only.

Patch from OpenBSD.
 2009-06-29 22:52:13 +00:00
tteras a8d702d9b1 Fix a call to null pointer: in some cases, the unmonitor_fd can be called 
from another fd's callback. That could lead to still have callback pending
after unmonitoring the fd resulting in a call to null pointer.
This is fixed by making unmonitor_fd now clear the pending fd_set too.
Bug was introduced by my commit in 2008-12-23.
 2009-06-24 11:28:48 +00:00
christos f48c7833ea PR/41628: Jukka Salmi: OpenSSL's c_rehash can't find openssl binary 2009-06-23 14:08:02 +00:00
martin 14c9b3749d Actually use the new (non-shortcut) functions for SHA224 2009-06-16 11:15:29 +00:00
joerg a44a031cb3 Don't take short cuts and use the SHA224 functions to compute SHA224. 
At least for Final it makes a difference in some situation.
 2009-06-14 14:18:35 +00:00
stacktic 9cdc17cae0 Fixed strvisx usage (ok Christos@) 2009-05-23 14:43:36 +00:00
vanhu f61fedc250 typo 2009-05-20 07:54:50 +00:00
tteras 68ab535bfd From Jukka Salmi: Fix couple of typos from previous commit. 2009-05-19 09:34:52 +00:00
tteras 0ab43f031c From Tomas Mraz: Introduce union sockaddr_any and use it to make code 
more readable. Related to trac #293.
 2009-05-18 17:40:38 +00:00
tteras ef94861331 From Tomas Mraz: Remove variable that is not really used; only referenced 
while uninitialized causing valgrind error.
 2009-05-18 17:07:15 +00:00
tteras 5e83df8c82 From Tomas Mraz: Fix natt_flags check. 2009-05-18 17:00:42 +00:00