tteras
7d13a088be
Support GRE key as upper layer protocol specifier (will be supported in
...
Linux kernel 2.6.38).
2010-12-03 14:32:52 +00:00
tteras
3a9671366f
Netlink deletion notification does not guarentee actual address deletion:
...
it might still exist on some other interface. Make sure we do not unbind
unless the address is really gone.
2010-12-03 09:46:24 +00:00
tteras
6a6cffd67e
Fix my previous patch to not call purge_remote() twice. Change the place
...
where purge_remote() is called. This fixes also a possible crash from the
same patch since ph1->remote can be NULL (when we are responder and config
is not yet selected).
2010-11-17 10:40:41 +00:00
tteras
939a5bdbb6
isakmp_post_acquire is now called from admin commands too, add a flag so
...
admin commands can be used to establish even passive links on demand.
2010-11-12 10:36:37 +00:00
tteras
fafea48525
Purge all IPsec-SA's if the last main ISAKMP-SA for the node is deleted
...
by remote request and the phase1 rekeying is enabled (this will also
trigger the new phase1_dead script hook).
2010-11-12 09:11:37 +00:00
tteras
3d7d638a63
Improve DPD sequence checks to allow any reply within valid sequence window
...
to be proof of livelyness. This can improves things if there's random
packet delays, or if racoon is not getting enough CPU time.
2010-11-12 09:09:47 +00:00
tteras
731159f704
Extern admin protocol to allow reply packets to exceed 64kb. E.g SA dumps
...
with many established SAs can be easily over the limit.
2010-11-12 09:08:26 +00:00
tteras
0a922db186
Change Linux Netlink address monitoring to monitor local route changes.
...
This works around a kernel bug, and slightly improves behaviour on some
special cases.
2010-10-22 06:26:26 +00:00
tteras
84874398b5
Introduce priorities for file descriptor polling mechanism and give
...
priority to admin port. If admin port is used by ISAKMP-SA hook scripts
they should be preferred, other wise heavy traffic can delay admin port
requests considerably. This in turn may cause renegotiation loop for
ISAKMP-SA. This is mostly useful for OpenNHRP setup, but can benefit
other setups too.
2010-10-21 06:15:28 +00:00
tteras
af50f9e5f9
Remove initial-contact entry when all ISAKMP-SA are purged via adminport.
...
This will avoid stale security associations if some of the delete
notifications happens to get lost.
2010-10-21 06:04:33 +00:00
tteras
976b63b0c6
Use high-level openssl EVP and HMAC functions when possible: this allows
...
openssl to perform hardware acceleration if available.
2010-10-20 13:40:02 +00:00
tteras
fa4803bf0a
Various improvements to error log messages and a few additional error log
...
messages to improve diagnosing an error condition.
2010-10-20 13:37:37 +00:00
tteras
49a8dd9d23
Fix address comparison so we actually close sockets which were bound to
...
IP-address that got deconfigured.
2010-10-20 10:56:39 +00:00
vanhu
fe1c6ea2f2
report a higher encryption key length in approval for OBEY / CLAIM / STRICT modes
2010-10-11 14:16:30 +00:00
vanhu
45f0ad8281
fixed some typos in logs (reported by fazaeli (at) sepehrs.com)
2010-09-27 11:57:59 +00:00
vanhu
1da0e31bfc
fixed a fd leak, patch by getlaser (at) gmail.com
2010-09-24 15:09:29 +00:00
vanhu
23e038ba26
get the correct length of username when processing ADMIN_LOGOUT_USER, patch by rweikusat (at) mssgmbh.com
2010-09-22 13:37:35 +00:00
vanhu
40e858e050
fixed a typo in macros, reported by marisp (at) mt.lv
2010-09-22 07:34:51 +00:00
vanhu
a4e6ec9d93
moved from utmp.h to utmpx.h (patch provided by marcin.cieslak (at) gmail.com)
2010-09-21 13:14:17 +00:00
vanhu
71f4bdc1a9
fixed remoteconf selection when no ID specified in configuration, and added some debug to remoteconf selection
2010-09-08 12:18:35 +00:00
vanhu
12865805af
fix by Sergio.Gelato (at) astro.su.se: duplicate some dynamic values in duprmconf()
2010-08-26 13:31:55 +00:00
reed
75d9fdeb7e
Add copyright and license.
...
I reported this in October 2009 and it was fixed upstream.
http://github.com/heimdal/heimdal/commits/master/kpasswd/kpasswdd.8
2010-08-25 15:08:22 +00:00
vanhu
4020e47561
fixed answer for IP4_SUBNET request
2010-08-04 09:16:58 +00:00
vanhu
62c45492f0
updated link to NetBSD's documentation
2010-07-30 14:50:47 +00:00
wiz
432f682f2f
Bump date for previous.
2010-06-22 20:51:04 +00:00
vanhu
9049130b27
added a specific script hook when a dead peer is detected
2010-06-22 09:41:33 +00:00
wiz
ee938d1113
New sentence, new line. Bump date for previous.
2010-06-04 21:53:36 +00:00
vanhu
a0bdaf1b16
Added support for spdupdate command in setkey
2010-06-04 13:06:03 +00:00
vanhu
ba30b496b8
by Eric Preston: fixed a typo
2010-04-07 14:53:52 +00:00
christos
ec03fa3be9
handle ctime returning NULL.
2010-04-02 15:26:17 +00:00
christos
467b66f1cd
make it obvious to grep that ctime is being checked.
2010-04-02 15:25:04 +00:00
christos
ef20b5e868
handle ctime returning NULL.
2010-04-02 15:23:17 +00:00
christos
53ab8e0b3c
make it obvious what ctime is used for.
2010-04-02 15:19:02 +00:00
christos
bd7ae6bd09
handle ctime returning NULL.
2010-04-02 15:13:26 +00:00
christos
fcbd1014fb
PR/42363: Yasuoka Masahiko: Second part of the patch: iterate only on the
...
phase2 handles that are bound by the given phase1 handle.
2010-03-11 15:44:48 +00:00
tteras
e3413574b5
From Stefan Bauer: Fix multiple typoes and manpage formatting errors.
2010-03-05 06:47:58 +00:00
vanhu
709abc828e
From Pierre POMES: fixed admin port initialization
2010-03-04 15:13:53 +00:00
snj
ccaf1e96be
Fight the ever-increasing size of src checkouts by spelling "useful"
...
without an extra l.
2010-02-28 15:52:16 +00:00
wiz
8e35c759e7
Fix typo in comment.
2010-02-09 23:05:16 +00:00
christos
6439b76ce2
make the window size function return the lines and columns variables separately
...
instead of depending on the existance of struct winsize. Technically I should
bump the library version or version the symbol, but nothing seems to use this
outside the library!
2010-01-24 16:45:57 +00:00
christos
6e3a01841c
don't expose struct winsize needlessly.
2010-01-24 16:42:12 +00:00
tsutsui
9357df271a
Backout previous.
2010-01-20 19:54:07 +00:00
tsutsui
64cc3f120f
Backout previous which breaks build on NetBSD. Pointed out by wiz@.
...
Probably we have to add a check for HAVE_STRUCT_WINSIZE
in src/tools/configure as src/crypto/dist/heimdal/configure does.
2010-01-20 15:03:50 +00:00
tsutsui
ad30688c11
Don't include src/include heimdal/roken.h on tools build because
...
it's "an OS dependent, generated file" configured for the target NetBSD
as noted in itself. Instead, include <roken-common.h>
(which is included from generated <roken.h> and required
for TRUE and fALSE definitions) and "nbtool_config.h" on tools build.
Fixes PR toolchain/41435 and makes cross build on Cygwin-1.7 work.
No particular comments in the PR.
2010-01-20 12:54:17 +00:00
wiz
e15635055f
Free strdeupped string after using it. Found by cppcheck.
2010-01-17 23:03:01 +00:00
wiz
44e3b1fff7
Close file handles after using them. Found by cppcheck.
2010-01-17 23:02:48 +00:00
joerg
0e901e0c61
Use .%U instead of .%O for URLs.
2010-01-15 19:18:51 +00:00
tteras
119e5ecd44
From Paul Wernau: vmbuf.h was defined twice in the headers. Remove the
...
redundant entry so new install tool does not complain about overwriting
just installed file.
2009-12-11 09:04:04 +00:00
christos
aabb31871d
PR/42363: Yasuoka Masahiko:
...
racoon uses a wrong IPsec-SA handle that is for other peer in case it
receives a ISAKMP message for IPsec-SA that has the same message-id as
the message-id that is received before.
racoon uses message-id to find the handle of IPsec-SA. The message-id
is a unique number for each peer, but different peers may use the same
value.
Different Windows Vista or Windows 7 peers seem to use the same
message-id. racoon can handle the first Windows's Phase-2, but it
cannot handle the second Windows. Because racoon misunderstands the
message for the second Windows as the message for the first Windows.
>Category: bin
>Synopsis: racoon uses a wrong IPsec-SA that is for different peer
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Nov 22 18:25:00 +0000 2009
>Originator: yasuoka@iij.ad.jp
2009-11-22 19:34:55 +00:00
christos
2853bbf4b7
use %option instead of #define YY_NO_...
2009-10-29 14:49:02 +00:00
christos
792f03d2b0
use %option noinput nounput
2009-10-29 14:34:27 +00:00
christos
cd2a002a7a
no unput
2009-10-28 20:59:46 +00:00
wiz
02d06f301f
Remove .Os argument.
...
Remove ending dot in SEE ALSO.
Use Fl Fl for long options.
New sentence, new line.
Remove trailing whitespace.
2009-10-25 10:30:47 +00:00
reed
06921da813
Fix section number for a man page reference.
...
While here put the man pages in the SEE ALSO in order too.
(This was shared and now fixed upstream too.)
2009-10-25 01:52:04 +00:00
reed
fa923fa9a7
Fix Nm macro usage.
...
Fixed upstream in April:
9747de8132
2009-10-24 11:12:56 +00:00
reed
638b376411
Fix Document Title.
...
(I already report and it is fixed upstream.)
2009-10-24 11:09:31 +00:00
joerg
d935d602c7
Fix redundancy.
2009-10-15 00:07:45 +00:00
joerg
addb345ac7
Do not work around ancient groff limits with .Xo/.Xc.
2009-10-14 23:37:33 +00:00
joerg
4467064d5b
Do not use .Xo/.Xc to workaround ancient groff limits.
2009-10-14 23:36:55 +00:00
joerg
a453670196
Do not use .Xo/.Xc to work around ancient groff limits.
...
Fix markup.
2009-10-14 18:34:14 +00:00
joerg
0639ebde24
Don't use .Xo/.Xc to work around ancient groff limits.
...
Set only one list type.
2009-10-14 18:22:04 +00:00
joerg
2644011d38
Use proper markup.
2009-10-14 17:33:56 +00:00
joerg
68d56b9fdf
Fix markup.
2009-10-13 22:49:34 +00:00
joerg
37aea36c2a
Use sane logical markup and actual cross references.
2009-10-13 22:47:55 +00:00
joerg
951207a2a8
Fix markup.
2009-10-13 22:47:31 +00:00
tteras
ff2c7b7d5c
From Tomas Mraz: Fix gssapi error checking.
2009-09-18 10:31:11 +00:00
tteras
63bcd231eb
When rekeying phase2 use phase1 used to negotiate phase2 as a hint to
...
select the phase1 for rekeying the new phase2.
2009-09-03 09:29:07 +00:00
tteras
ae0beb16dc
Check nat_traversal configuration from remote configuration candidates
...
when acting as responder. Enable NAT-T if any of the remote candidates
have NAT-T enabled.
2009-09-01 12:22:09 +00:00
tteras
5e74d5d98f
Change remote conf matching level to matching score. This way one can
...
override anonymous certificate block config with more exact "inhereted"
IP specific block.
2009-09-01 09:49:59 +00:00
tteras
43e6802298
From Maik Broemme: export ISAKMP SA identity as REMOTE_ID for phase1 up
...
script (trac #313 ).
2009-09-01 09:24:21 +00:00
vanhu
b7f72d1283
fixed typo: algoriym -> algorithm
2009-08-24 09:33:03 +00:00
vanhu
a3d9e80f96
fixed address check in rmconf_match_type(), just check address with wildcard port
2009-08-19 13:54:07 +00:00
tteras
95f3bd08bb
Have an enum for rmconf_match_type() return values to make the code a bit
...
more readable.
2009-08-19 12:20:02 +00:00
vanhu
e2ffc89458
typo: algoritym -> algorithm
2009-08-18 08:21:12 +00:00
vanhu
eb15fbb554
do not use SADB_X_NAT_T_NEW_MAPPING to check system support for NAT-T, as at least FreeBSD doesn't have this define anymore
2009-08-17 13:52:14 +00:00
vanhu
82dd0659f2
include stddef.h so we have a chance to get the system offsetof if present
2009-08-17 12:00:53 +00:00
vanhu
c2c64af1e8
removed a self include
2009-08-17 11:59:10 +00:00
vanhu
0667dd70bd
fixed a potential DoS in oakley_do_decrypt(), reported by Orange Labs
2009-08-13 09:18:28 +00:00
tteras
ea830abf58
Don't print EAGAIN error from pfkey_handler(), it can occur normally
...
under some code paths and is not a hard error in any case.
2009-08-10 08:22:13 +00:00
tteras
c2919dd501
From Paul Wenau: Check fgets return value in setkey to make gcc happy.
2009-08-06 04:44:43 +00:00
tteras
4180506456
From Paul Wernau: Fix transport mode per-port security associations that
...
got broke during NAT-T fixes.
2009-08-05 13:16:01 +00:00
christos
e97383ebc1
Don't lets this linger around forever. Causes hidden bugs.
2009-07-20 22:55:47 +00:00
christos
71cfba1556
ssh has moved (a long time ago)
2009-07-20 17:39:01 +00:00
apb
87c0c2be33
Add missing va_start before varargs processing.
...
Part of PR 41255 from Kurt Lidl.
2009-07-14 20:54:25 +00:00
tteras
aab4a00722
From Arnaud Ebalard: Fix possible usage of uninitialized local variable
...
(not sure if any code path triggers this, but this makes compiler happy).
2009-07-07 12:25:22 +00:00
spz
1513d3badc
fix break for non-64bit systems due to non-applying macro resp variable
...
having crept in with the last patch.
ok martin, compile tested mbalmer and martin
2009-07-05 11:35:53 +00:00
tonnerre
a75354f443
Fix various vulnerabilities in OpenSSL which have not previously been
...
addressed: CVE-2009-1377, CVE-2009-1378, CVE-2009-1379, CVE-2009-1386
and CVE-2009-1387.
Changes deal mostly with size checking of various elements and fixes
to various error paths.
2009-07-04 19:52:10 +00:00
tteras
3d0db58d61
Get rid of the evil CMPSADDR macro. Trac #295 .
2009-07-03 06:41:46 +00:00
tteras
edd4f79009
From Yvan Vanhullebus: Use SADB_X_EXT_NAT_T_* consistently for passing the
...
NAT-T port information. This might break compatibility with some kernels,
but as discussed this is the proper way to pass NAT-T ports and the broken
kernels need to be fixed.
2009-07-03 06:40:10 +00:00
tonnerre
f7384c4a6a
Add special handling for CBC cipher modes to make them appear less favorable
...
than CTR modes. Also, in order to avoid creating oracles unnecessarily,
change behavior in various situations from "Drop connection" to "Ignore
packets up to 256kB". This affects CBC mode ciphers only.
Patch from OpenBSD.
2009-06-29 22:52:13 +00:00
tteras
a8d702d9b1
Fix a call to null pointer: in some cases, the unmonitor_fd can be called
...
from another fd's callback. That could lead to still have callback pending
after unmonitoring the fd resulting in a call to null pointer.
This is fixed by making unmonitor_fd now clear the pending fd_set too.
Bug was introduced by my commit in 2008-12-23.
2009-06-24 11:28:48 +00:00
christos
f48c7833ea
PR/41628: Jukka Salmi: OpenSSL's c_rehash can't find openssl binary
2009-06-23 14:08:02 +00:00
martin
14c9b3749d
Actually use the new (non-shortcut) functions for SHA224
2009-06-16 11:15:29 +00:00
joerg
a44a031cb3
Don't take short cuts and use the SHA224 functions to compute SHA224.
...
At least for Final it makes a difference in some situation.
2009-06-14 14:18:35 +00:00
stacktic
9cdc17cae0
Fixed strvisx usage (ok Christos@)
2009-05-23 14:43:36 +00:00
vanhu
f61fedc250
typo
2009-05-20 07:54:50 +00:00
tteras
68ab535bfd
From Jukka Salmi: Fix couple of typos from previous commit.
2009-05-19 09:34:52 +00:00
tteras
0ab43f031c
From Tomas Mraz: Introduce union sockaddr_any and use it to make code
...
more readable. Related to trac #293 .
2009-05-18 17:40:38 +00:00
tteras
ef94861331
From Tomas Mraz: Remove variable that is not really used; only referenced
...
while uninitialized causing valgrind error.
2009-05-18 17:07:15 +00:00
tteras
5e83df8c82
From Tomas Mraz: Fix natt_flags check.
2009-05-18 17:00:42 +00:00