Commit Graph

689 Commits

Author SHA1 Message Date
rillig be4c6171de ipsec-tools: in lint mode, keep keyword 'inline'
This avoids hundreds of lint warnings for OpenSSL's stack definitions:

openssl/x509.h(75): warning:
    static function sk_X509_NAME_ENTRY_num unused [236]
2022-04-21 19:14:46 +00:00
christos 582ad8c19f PR/56658: Juraj Hercek: Plain RSA keys are not loaded by racoon IKE daemon 2022-01-23 14:55:28 +00:00
christos f0fde9902f PR/56657: Juraj Hercek: Add plainrsa-gen utility mentioned in racoon.conf(5)
and fix it for OpenSSL 1.1
2022-01-23 14:35:44 +00:00
msaitoh 777518dc50 s/implemenation/implementation/ in comment. 2022-01-01 08:34:34 +00:00
msaitoh 7332b28d50 s/vlaue/value/ 2021-12-05 08:19:57 +00:00
msaitoh 4ad66e23e4 s/stauts/status/ 2021-12-05 07:56:10 +00:00
msaitoh 18dd566a90 s/preceed/preced/ 2021-12-05 07:11:56 +00:00
msaitoh 8a3fe07864 s/from from/from/ in comment. 2021-12-05 04:54:20 +00:00
msaitoh 7ab0e6836e s/accomodate/accommodate/ 2021-12-05 03:45:03 +00:00
msaitoh 1e6ab25125 as/aggresive/aggressive/ in comment. 2021-12-05 03:43:50 +00:00
msaitoh b3477762ae s/accomodate/accommodate/ in comment. 2021-12-05 03:42:01 +00:00
msaitoh 409537651d s/mutiple/multiple/ in comment. 2021-12-05 03:13:50 +00:00
msaitoh 55b0b41821 s/funtion/function/ in comment. 2021-12-05 02:59:50 +00:00
rillig 7bb94a4c9b ipsectools: fix lint error
Returning a value from a void function is a GNU extension, but even in
GNU mode, lint does not allow these.

No functional change.
2021-09-14 21:49:31 +00:00
rillig 7d31390f35 libipsec: fix undefined behavior when calling isprint 2021-09-06 17:19:52 +00:00
andvar d7fca1ab3d fix typos in asymmetry, asymmetric(al), symmetrical. 2021-08-09 19:57:57 +00:00
andvar 7991f5a7b8 Fix all remaining typos, mainly in comments but also in few definitions and log messages, reported by me in PR kern/54889.
Also fixed some additional typos in comments, found on review of same files or typos.
2021-07-24 21:31:31 +00:00
bouyer 82797af728 Add ldap parameters debug and timeout.
Fix bug when using URI (use correct len for malloc)
document ldap parameters uri, debug and timeout.
2020-11-25 18:11:00 +00:00
bouyer 346b151099 Add an option to pass a ldap uri, instead of just server and port.
uri takes precedence.
2020-11-25 16:42:53 +00:00
bouyer b611e603fe Fix ldap: ldap_sasl_bind_s() doens't like a NULL struct berval *, pass
a pointer to a zero'd struct instead.
While there use LDAP_SASL_SIMPLE instead of NULL for mechanism,
and check return of ldap_set_option().
2020-11-25 16:41:39 +00:00
christos 1f569f5e9e Reduce previous 2020-11-25 14:15:41 +00:00
kardel d2c7ed0706 Fix address advancing for i386 and other 32-bit platforms.
Makes racoon grok IPv6 addresses again on these platforms.
2020-11-25 10:57:11 +00:00
christos 481219a259 fix wrong size addition (Andrew Cagney)
XXX: This file is nearly identical with /usr/src/sys/netipsec/key_debug.c
and should be merged.
2020-06-05 15:19:08 +00:00
msaitoh 8012ca3f0e Remove extra semicolon. 2020-05-14 08:34:17 +00:00
christos cb15ac971c - in script mode always output errors to stderr prefixed by the program name.
- in command mode always output errors to stdout not prefixed " " "
- perror(3) -> warn(3)
2020-05-12 16:17:58 +00:00
christos b11fb1d040 Keep track of the filename to print in error messages.
Change quoting of error string from [] to `'.
2020-05-12 14:29:06 +00:00
christos 95c1f4af32 prefix errors with the program name and use stderr. 2020-05-10 19:54:49 +00:00
wiz 8e1346dbb3 Remove superfluous Li; rename section to match standards. 2019-07-23 14:28:24 +00:00
ozaki-r f9e037adf1 setkey: document getspi and update 2019-07-23 04:32:06 +00:00
ozaki-r 8e5aa2c9b8 setkey: enable to use the getspi API
If a specified SPI is not zero, tell the kernel to use the SPI by using
SADB_EXT_SPIRANGE.  Otherwise, the kernel picks a random SPI.

It enables to mimic racoon.
2019-07-23 04:30:32 +00:00
mrg cf075e4cab mark promisc() __dead - it never returns. 2019-02-03 10:23:42 +00:00
ozaki-r 16fc099a65 Use Cm instead of Li or Ar for fixed command strings 2018-11-19 04:54:37 +00:00
maxv f1c81f6829 Remove dead files that have never been built, and likely can't build since
they are not correct C files.
2018-10-14 08:36:09 +00:00
maxv 0fe8cb7566 Clean up setkey: remove dead wood, KNF, localify, and slightly improve. 2018-10-14 08:27:39 +00:00
maxv 7666e47285 Fix SF#24: incorrect authentication algorithms, copy-pasto. 2018-10-13 15:38:28 +00:00
maxv 2be45af163 Fix ticket SF#91: pass the correct size for tbuf. 2018-10-13 15:17:45 +00:00
maxv 05d534bebd Reduce the diff against the latest release. Also remove netbsd-import.sh,
since we are upstream now.
2018-10-13 15:08:51 +00:00
christos 52b4b66650 From Thomas Reim:
Current racoon code cannot detect duplicate last fragments as it uses
the fragment flag instead of the fragment number.

The code does not consider that the IKE payload fragments might not be
received in the correct order. In this case, packet complete detection
will again fail and VPN clients abandoned from VPN service.
Nevertheless, clients still can add fragments to the fragment queue and
fill it up to the possible 255 fragments. Only duplicates are detected,
but not the fragments with a number greater than the last fragment
number.

The last fragment number is kept in the Phase 1 handler
after fragment queue deletion, which may lead to error notifications
after succesful reassembly of the IKE phase 1 message.

In general, the 2017's CVE fix added laconic and difficult to understand
failure notifications, which do not much help for analysis, why a VPN
client was blocked by racoon server.

This patch fixes the code and aligns it to Microsoft/Cisco IKE
fragmentation specification. It provides error logging which is in line
with above specification and adds some debug info to the logs to better
support analysis VPN client blackballing.

XXX: pullup-8
2018-10-05 20:12:37 +00:00
christos 451f4db714 PR/53646: Thomas Reim: Incorrect detection of the packet complete code in
fragment list check.

While the fix in https://launchpad.net/~rdratlos/+archive/ubuntu/racoon

	- if (i > last_frag) /* It is complete */
	+ if (i >= last_frag) /* It is complete */

has the correct behavior, it violates the test for successful
completion of the invariant of the loop:

    for (i = 1; i <= last_frag; i++) {
	if (!check_fragment_index())
	    break;
    }
    if (i > last_frag)
	return ok;

It is better to move the check for NULL in the loop earlier, so that
the final iteration is done and the test is kept the same. It makes
the code easier to understand and preserves the original intent.

XXX: pullup-8
2018-10-02 18:49:24 +00:00
maxv c1cd5851ce Remove dead references to netinet6/ipsec.h. 2018-09-06 09:54:36 +00:00
maxv 6890048b2b sync with reality 2018-09-06 09:38:05 +00:00
christos 85196978fc fix memory leaks: https://github.com/NetBSD/src/issues/6 2018-08-28 09:10:28 +00:00
maxv 9cc33dc2c2 drop __P, suggested by sevan 2018-05-28 20:45:38 +00:00
maxv 02ed4ce0ae drop __P, suggested by sevan 2018-05-28 20:34:45 +00:00
maxv d5ded68d11 fix -Wold-style-definition 2018-05-28 19:52:18 +00:00
maxv a8c2f61e83 Remove ipsec_bindump, there is no prototype, so the function can't be used. 2018-05-28 19:39:21 +00:00
maxv ff1d84b094 fix -Wdiscarded-qualifiers 2018-05-28 19:36:42 +00:00
maxv abcef802a2 fix -Wunused and -Wold-style-definition 2018-05-28 19:22:40 +00:00
maxv df9d65850f Add a note about FreeBSD. 2018-05-20 09:14:18 +00:00
maxv dc0ca504c7 Update, after ten years. Importantly, add a "History" section, to explain
what's going on.

We have now become "upstream", and most of the ipsec-tools development is
done in NetBSD's CVS. However, many distributions still take their
tarballs from SourceForge (which is defunct, and not maintained).
2018-05-20 08:55:25 +00:00