Aren/NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
200,874 Commits 606 Branches 0 Tags 3.1 GiB
52e90f00f1
Commit Graph

552 Commits

Author SHA1 Message Date
christos
45d5b08c5f fix prototype. 2011-05-15 17:13:23 +00:00
vanhu
2337f22d7b fixed a memory leak in oakley_append_rmconf_cr() while generating plist. patch by Roman Hoog Antink <rha@open.ch> 2011-03-17 14:42:58 +00:00
vanhu
949304356c free name later, to avoid a memory use after free in oakley_check_certid(). also give iph1->remote to some plog() calls. patch by Roman Hoog Antink <rha@open.ch> 2011-03-17 14:39:06 +00:00
vanhu
ebfca0c74d fixed a memory leak in oakley_check_certid(). patch by Roman Hoog Antink <rha@open.ch> 2011-03-17 14:35:24 +00:00
vanhu
5279815e7c directly call isakmp_ph1delete() instead of scheduling isakmp_ph1delete_stub(), as it is useless an can lead to memory access after free 2011-03-15 13:20:14 +00:00
tteras
4e499ee605 Explicitly compare return value of cmpsaddr() against a return value 
define to make it more obvious what is the intended action. One more
return value is also added, to fix comparison of security policy
descriptors. Namely, getsp() should not allow wildcard matching (as the
comment says, it does exact matching) - otherwise we get problems when
kernel has generic policy with no ports, and a second similar policy with
ports.
 2011-03-14 17:18:12 +00:00
vanhu
fd67cc6416 avoid some memory leaks / free memory access when reloading conf and have inherited config. patch from Roman Hoog Antink <rha@open.ch> 2011-03-14 15:50:36 +00:00
vanhu
ba228a2812 removed an useless comment 2011-03-14 14:54:07 +00:00
vanhu
7683f452c1 check if we got RMCONF_ERR_MULTIPLE from getrmconf_by_ph1() in revalidate_ph1tree_rmconf() 2011-03-14 09:19:23 +00:00
vanhu
ffa3b61f55 directly delete a ph1 in remove_ph1-) instead of scheduling it, to avoid (completely ?) a race condition when reloading configuration 2011-03-11 14:30:07 +00:00
tteras
349228b78c Quiet a gcc warning when strict-aliasing checks are enabled. Reported by 
Stephen Clark.
 2011-03-06 08:28:10 +00:00
vanhu
65023b30e4 flush sainfo list when closing session. patch by Roman Hoog Antink <rha@open.ch> 2011-03-02 15:09:16 +00:00
vanhu
7e1e999bc0 free rsa structures when deleting a struct rmconf. patch by Roman Hoog Antink <rha@open.ch> 2011-03-02 15:04:01 +00:00
vanhu
78c9c4b8d1 free spspec when deleting a rmconf struct. patch by Roman Hoog Antink <rha@open.ch> 2011-03-02 14:58:27 +00:00
vanhu
82409028c9 fixed some memory leaks in remoteconf. patch by Roman Hoog Antink <rha@open.ch> 2011-03-02 14:52:32 +00:00
vanhu
ff2e315ab3 fixed some memory leaks during configuration parsing. patch by Roman Hoog Antink <rha@open.ch> 2011-03-02 14:49:21 +00:00
vanhu
acd79fcecf plog text fixes, patch from M E Andersson <debian@gisladisker.se> 2011-03-01 14:33:58 +00:00
vanhu
3b9e5ba27f reset yyerrorcount before doing parse stuff. patch by Roman Hoog Antink <rha@open.ch> 2011-03-01 14:14:50 +00:00
tteras
004dc7976f From Roman Hoog Antink <rha@open.ch>: Fix memory leak when using plain RSA 
key authentication.
 2011-02-20 17:32:02 +00:00
tteras
093488593b From Mats E Andersson <debian@gisladisker.se>: Fix fprintf format specifier 
usage from previous patch.
 2011-02-11 10:07:19 +00:00
tteras
1f21513187 From Mats Erik Andersson <debian@gisladisker.se>: Implement importing of 
RSA keys from PEM files.
 2011-02-10 11:20:08 +00:00
tteras
6615d57c07 From M E Andersson <debian@gisladisker.se>: Fix parsing of restricted RSA 
key addresses.
 2011-02-10 11:17:17 +00:00
vanhu
bfe163c1a3 store ph1id in an u_int32_t instead of a (signed)int. Patch from Christophe Carre 2011-02-02 15:21:34 +00:00
tteras
2ee6d137de From Roman Hoog Antink <rha@open.ch>: Clean up sainfo reloading: rename 
the functions, and remove unneeded global variable.
 2011-01-28 13:02:34 +00:00
tteras
5d9b9d50e9 From Roman Hoog Antink <rha@open.ch>: Clean up rmconf reloading: rename 
the functions, and remove unneeded global variable.
 2011-01-28 13:00:14 +00:00
tteras
c54595ebf5 From Roman Hoog Antink <rha@open.ch>: Log remote IP address if available 
(slightly modified by tteras)
 2011-01-28 12:51:40 +00:00
tteras
79764be6dd From Roman Hoog Antink <rha@open.ch>: Fixes a null pointer dereference 
that might occur after removing peers from the config and then reloading.
 2011-01-22 07:38:51 +00:00
vanhu
4d9d52d8fa fixed a typo, it will now compile when KMADDRESS is defined. reported by Roman Hoog Antink (rha (at) open.ch) 2011-01-20 16:08:35 +00:00
tteras
785cabdaf2 From Roman Hoog Antink <rha@open.ch>: Fix config reload to not delete 
too many phase 2 handles, because wrong chain field is used when
enumerating the handles.
 2010-12-28 06:00:18 +00:00
gdt
f1cf9a1e3b When encountering a certificate where "ID mismatched with ASN1 
SubjectName", and verify_identifier is off, don't raise an error.
This makes the behavior match the man page.

Patch sent for review long ago:
  http://mail-index.netbsd.org/tech-security/2006/03/24/0000.html
with no negative feedback received to date.
 2010-12-16 16:59:05 +00:00
tteras
566286569e From Roman Hoog Antink <rha@open.ch>: Fix possible null derefence. 2010-12-14 17:57:31 +00:00
tteras
0303048b1e Use separate SA addresses for phase2's created by admin command. The 
phase2 startup overwrites src/dst with ISAKMP ports if they are zero
and we don't want that to happen for the SA ports.
 2010-12-08 07:38:35 +00:00
joerg
0d0af5032c ANSIfy 2010-12-08 01:55:12 +00:00
tteras
1246e1db41 Fix spacing and improve wording in some log messages. 2010-12-07 14:28:12 +00:00
tteras
b3dca9dae4 Recognize direction for Linux per-socket policies. 2010-12-03 15:01:11 +00:00
tteras
7d13a088be Support GRE key as upper layer protocol specifier (will be supported in 
Linux kernel 2.6.38).
 2010-12-03 14:32:52 +00:00
tteras
3a9671366f Netlink deletion notification does not guarentee actual address deletion: 
it might still exist on some other interface. Make sure we do not unbind
unless the address is really gone.
 2010-12-03 09:46:24 +00:00
tteras
6a6cffd67e Fix my previous patch to not call purge_remote() twice. Change the place 
where purge_remote() is called. This fixes also a possible crash from the
same patch since ph1->remote can be NULL (when we are responder and config
is not yet selected).
 2010-11-17 10:40:41 +00:00
tteras
939a5bdbb6 isakmp_post_acquire is now called from admin commands too, add a flag so 
admin commands can be used to establish even passive links on demand.
 2010-11-12 10:36:37 +00:00
tteras
fafea48525 Purge all IPsec-SA's if the last main ISAKMP-SA for the node is deleted 
by remote request and the phase1 rekeying is enabled (this will also
trigger the new phase1_dead script hook).
 2010-11-12 09:11:37 +00:00
tteras
3d7d638a63 Improve DPD sequence checks to allow any reply within valid sequence window 
to be proof of livelyness. This can improves things if there's random
packet delays, or if racoon is not getting enough CPU time.
 2010-11-12 09:09:47 +00:00
tteras
731159f704 Extern admin protocol to allow reply packets to exceed 64kb. E.g SA dumps 
with many established SAs can be easily over the limit.
 2010-11-12 09:08:26 +00:00
tteras
0a922db186 Change Linux Netlink address monitoring to monitor local route changes. 
This works around a kernel bug, and slightly improves behaviour on some
special cases.
 2010-10-22 06:26:26 +00:00
tteras
84874398b5 Introduce priorities for file descriptor polling mechanism and give 
priority to admin port. If admin port is used by ISAKMP-SA hook scripts
they should be preferred, other wise heavy traffic can delay admin port
requests considerably. This in turn may cause renegotiation loop for
ISAKMP-SA. This is mostly useful for OpenNHRP setup, but can benefit
other setups too.
 2010-10-21 06:15:28 +00:00
tteras
af50f9e5f9 Remove initial-contact entry when all ISAKMP-SA are purged via adminport. 
This will avoid stale security associations if some of the delete
notifications happens to get lost.
 2010-10-21 06:04:33 +00:00
tteras
976b63b0c6 Use high-level openssl EVP and HMAC functions when possible: this allows 
openssl to perform hardware acceleration if available.
 2010-10-20 13:40:02 +00:00
tteras
fa4803bf0a Various improvements to error log messages and a few additional error log 
messages to improve diagnosing an error condition.
 2010-10-20 13:37:37 +00:00
tteras
49a8dd9d23 Fix address comparison so we actually close sockets which were bound to 
IP-address that got deconfigured.
 2010-10-20 10:56:39 +00:00
vanhu
fe1c6ea2f2 report a higher encryption key length in approval for OBEY / CLAIM / STRICT modes 2010-10-11 14:16:30 +00:00
vanhu
45f0ad8281 fixed some typos in logs (reported by fazaeli (at) sepehrs.com) 2010-09-27 11:57:59 +00:00