tteras
11e30c248c
From Wolfgang Schmieder <wolfgang@die-schmieders.de>: Fix default NAT-T
...
port for listen { isakmp_natt } config directive.
2012-01-01 16:14:11 +00:00
tteras
40d768bf75
From Wolfgang Schmieder <wolfgang@die-schmieders.de>: Fix various typos in
...
comments and log messages. Fix default port used in copy_ph1addresses().
2012-01-01 15:57:31 +00:00
tteras
dbe8969919
Fix myaddr_getsport() to return -1 if no suitable address is found. This is
...
used in pfkey.c:pk_recvacquire() to check if IKE negotiation should be
started or not.
2012-01-01 15:54:51 +00:00
tteras
838cfe4724
Fix the previous commit.
2012-01-01 15:44:06 +00:00
tteras
b448c51c51
From Wolfgang Schmieder <wolfgang@die-schmieders.de>: Fix memory leaks from
...
configuration reading code, and clean up error handling.
2012-01-01 15:29:28 +00:00
vanhu
0a7daa593d
fixed some crashes in LIST_FOREACH where current element could be removed during the loop
2011-11-17 14:41:55 +00:00
wiz
3efedf2ce7
Bump date for new tls option.
2011-11-15 19:15:58 +00:00
tteras
c7d190f034
From Vincent Bernat <bernat@luffy.cx>: TLS support for LDAP
2011-11-15 13:51:23 +00:00
tteras
84d53e8c5d
From Marcelo Leitner <mleitner@redhat.com>: do not shrink pfkey socket
...
buffers (if system default is larger than what we want as minimum)
2011-11-14 13:24:04 +00:00
tteras
a09a6d0cd5
From Rainer Weikusat <rweikusat@mobileactivedefense.com>: Release unused
...
phase2 of passive remotes after acquire.
2011-10-11 14:50:15 +00:00
tteras
4c2f40f96a
From Wolfgang Schmieder <wolfgang.schmieder@honeywell.com>: setup phase1
...
port properly.
2011-10-11 14:37:17 +00:00
tteras
cbb586e05f
Allow inherited remote blocks without additional remote statements to
...
be specified in a simpler way. patch by Roman Hoog Antink <rha@open.ch>
2011-08-19 05:36:47 +00:00
tteras
cd00f2949d
Have privilege separation child process exit if the parent exits.
2011-08-12 05:21:50 +00:00
drochner
b9e08c16fb
replace questionable pointer games which could cause reads of
...
uninitialized memory, from Wolfgang Stukenbrock per PR bin/44951
2011-05-27 18:00:21 +00:00
drochner
0a8dabda40
pull in AES-GCM/GMAC support from OpenBSD
...
This is still somewhat experimental. Tested between 2 similar boxes
so far. There is much potential for performance improvement. For now,
I've changed the gmac code to accept any data alignment, as the "char *"
pointer suggests. As the code is practically used, 32-bit alignment
can be assumed, at the cost of data copies. I don't know whether
bytewise access or copies are worse performance-wise. For efficient
implementations using SSE2 instructions on x86, even stricter
alignment requirements might arise.
2011-05-26 21:50:02 +00:00
wiz
e20f01d499
Bump date for previous.
2011-05-24 08:54:40 +00:00
drochner
fed8f3aa3c
update draft-ipsec-* -> RFC
...
clarify a sentence
2011-05-23 16:00:07 +00:00
christos
45d5b08c5f
fix prototype.
2011-05-15 17:13:23 +00:00
vanhu
2337f22d7b
fixed a memory leak in oakley_append_rmconf_cr() while generating plist. patch by Roman Hoog Antink <rha@open.ch>
2011-03-17 14:42:58 +00:00
vanhu
949304356c
free name later, to avoid a memory use after free in oakley_check_certid(). also give iph1->remote to some plog() calls. patch by Roman Hoog Antink <rha@open.ch>
2011-03-17 14:39:06 +00:00
vanhu
ebfca0c74d
fixed a memory leak in oakley_check_certid(). patch by Roman Hoog Antink <rha@open.ch>
2011-03-17 14:35:24 +00:00
vanhu
5279815e7c
directly call isakmp_ph1delete() instead of scheduling isakmp_ph1delete_stub(), as it is useless an can lead to memory access after free
2011-03-15 13:20:14 +00:00
tteras
4e499ee605
Explicitly compare return value of cmpsaddr() against a return value
...
define to make it more obvious what is the intended action. One more
return value is also added, to fix comparison of security policy
descriptors. Namely, getsp() should not allow wildcard matching (as the
comment says, it does exact matching) - otherwise we get problems when
kernel has generic policy with no ports, and a second similar policy with
ports.
2011-03-14 17:18:12 +00:00
vanhu
fd67cc6416
avoid some memory leaks / free memory access when reloading conf and have inherited config. patch from Roman Hoog Antink <rha@open.ch>
2011-03-14 15:50:36 +00:00
vanhu
ba228a2812
removed an useless comment
2011-03-14 14:54:07 +00:00
vanhu
7683f452c1
check if we got RMCONF_ERR_MULTIPLE from getrmconf_by_ph1() in revalidate_ph1tree_rmconf()
2011-03-14 09:19:23 +00:00
vanhu
ffa3b61f55
directly delete a ph1 in remove_ph1-) instead of scheduling it, to avoid (completely ?) a race condition when reloading configuration
2011-03-11 14:30:07 +00:00
tteras
349228b78c
Quiet a gcc warning when strict-aliasing checks are enabled. Reported by
...
Stephen Clark.
2011-03-06 08:28:10 +00:00
vanhu
65023b30e4
flush sainfo list when closing session. patch by Roman Hoog Antink <rha@open.ch>
2011-03-02 15:09:16 +00:00
vanhu
7e1e999bc0
free rsa structures when deleting a struct rmconf. patch by Roman Hoog Antink <rha@open.ch>
2011-03-02 15:04:01 +00:00
vanhu
78c9c4b8d1
free spspec when deleting a rmconf struct. patch by Roman Hoog Antink <rha@open.ch>
2011-03-02 14:58:27 +00:00
vanhu
82409028c9
fixed some memory leaks in remoteconf. patch by Roman Hoog Antink <rha@open.ch>
2011-03-02 14:52:32 +00:00
vanhu
ff2e315ab3
fixed some memory leaks during configuration parsing. patch by Roman Hoog Antink <rha@open.ch>
2011-03-02 14:49:21 +00:00
vanhu
acd79fcecf
plog text fixes, patch from M E Andersson <debian@gisladisker.se>
2011-03-01 14:33:58 +00:00
vanhu
3b9e5ba27f
reset yyerrorcount before doing parse stuff. patch by Roman Hoog Antink <rha@open.ch>
2011-03-01 14:14:50 +00:00
tteras
004dc7976f
From Roman Hoog Antink <rha@open.ch>: Fix memory leak when using plain RSA
...
key authentication.
2011-02-20 17:32:02 +00:00
tteras
093488593b
From Mats E Andersson <debian@gisladisker.se>: Fix fprintf format specifier
...
usage from previous patch.
2011-02-11 10:07:19 +00:00
tteras
1f21513187
From Mats Erik Andersson <debian@gisladisker.se>: Implement importing of
...
RSA keys from PEM files.
2011-02-10 11:20:08 +00:00
tteras
6615d57c07
From M E Andersson <debian@gisladisker.se>: Fix parsing of restricted RSA
...
key addresses.
2011-02-10 11:17:17 +00:00
vanhu
bfe163c1a3
store ph1id in an u_int32_t instead of a (signed)int. Patch from Christophe Carre
2011-02-02 15:21:34 +00:00
tteras
2ee6d137de
From Roman Hoog Antink <rha@open.ch>: Clean up sainfo reloading: rename
...
the functions, and remove unneeded global variable.
2011-01-28 13:02:34 +00:00
tteras
5d9b9d50e9
From Roman Hoog Antink <rha@open.ch>: Clean up rmconf reloading: rename
...
the functions, and remove unneeded global variable.
2011-01-28 13:00:14 +00:00
tteras
c54595ebf5
From Roman Hoog Antink <rha@open.ch>: Log remote IP address if available
...
(slightly modified by tteras)
2011-01-28 12:51:40 +00:00
tteras
79764be6dd
From Roman Hoog Antink <rha@open.ch>: Fixes a null pointer dereference
...
that might occur after removing peers from the config and then reloading.
2011-01-22 07:38:51 +00:00
vanhu
4d9d52d8fa
fixed a typo, it will now compile when KMADDRESS is defined. reported by Roman Hoog Antink (rha (at) open.ch)
2011-01-20 16:08:35 +00:00
tteras
785cabdaf2
From Roman Hoog Antink <rha@open.ch>: Fix config reload to not delete
...
too many phase 2 handles, because wrong chain field is used when
enumerating the handles.
2010-12-28 06:00:18 +00:00
gdt
f1cf9a1e3b
When encountering a certificate where "ID mismatched with ASN1
...
SubjectName", and verify_identifier is off, don't raise an error.
This makes the behavior match the man page.
Patch sent for review long ago:
http://mail-index.netbsd.org/tech-security/2006/03/24/0000.html
with no negative feedback received to date.
2010-12-16 16:59:05 +00:00
tteras
566286569e
From Roman Hoog Antink <rha@open.ch>: Fix possible null derefence.
2010-12-14 17:57:31 +00:00
tteras
0303048b1e
Use separate SA addresses for phase2's created by admin command. The
...
phase2 startup overwrites src/dst with ISAKMP ports if they are zero
and we don't want that to happen for the SA ports.
2010-12-08 07:38:35 +00:00
joerg
0d0af5032c
ANSIfy
2010-12-08 01:55:12 +00:00
tteras
1246e1db41
Fix spacing and improve wording in some log messages.
2010-12-07 14:28:12 +00:00
tteras
b3dca9dae4
Recognize direction for Linux per-socket policies.
2010-12-03 15:01:11 +00:00
tteras
7d13a088be
Support GRE key as upper layer protocol specifier (will be supported in
...
Linux kernel 2.6.38).
2010-12-03 14:32:52 +00:00
tteras
3a9671366f
Netlink deletion notification does not guarentee actual address deletion:
...
it might still exist on some other interface. Make sure we do not unbind
unless the address is really gone.
2010-12-03 09:46:24 +00:00
tteras
6a6cffd67e
Fix my previous patch to not call purge_remote() twice. Change the place
...
where purge_remote() is called. This fixes also a possible crash from the
same patch since ph1->remote can be NULL (when we are responder and config
is not yet selected).
2010-11-17 10:40:41 +00:00
tteras
939a5bdbb6
isakmp_post_acquire is now called from admin commands too, add a flag so
...
admin commands can be used to establish even passive links on demand.
2010-11-12 10:36:37 +00:00
tteras
fafea48525
Purge all IPsec-SA's if the last main ISAKMP-SA for the node is deleted
...
by remote request and the phase1 rekeying is enabled (this will also
trigger the new phase1_dead script hook).
2010-11-12 09:11:37 +00:00
tteras
3d7d638a63
Improve DPD sequence checks to allow any reply within valid sequence window
...
to be proof of livelyness. This can improves things if there's random
packet delays, or if racoon is not getting enough CPU time.
2010-11-12 09:09:47 +00:00
tteras
731159f704
Extern admin protocol to allow reply packets to exceed 64kb. E.g SA dumps
...
with many established SAs can be easily over the limit.
2010-11-12 09:08:26 +00:00
tteras
0a922db186
Change Linux Netlink address monitoring to monitor local route changes.
...
This works around a kernel bug, and slightly improves behaviour on some
special cases.
2010-10-22 06:26:26 +00:00
tteras
84874398b5
Introduce priorities for file descriptor polling mechanism and give
...
priority to admin port. If admin port is used by ISAKMP-SA hook scripts
they should be preferred, other wise heavy traffic can delay admin port
requests considerably. This in turn may cause renegotiation loop for
ISAKMP-SA. This is mostly useful for OpenNHRP setup, but can benefit
other setups too.
2010-10-21 06:15:28 +00:00
tteras
af50f9e5f9
Remove initial-contact entry when all ISAKMP-SA are purged via adminport.
...
This will avoid stale security associations if some of the delete
notifications happens to get lost.
2010-10-21 06:04:33 +00:00
tteras
976b63b0c6
Use high-level openssl EVP and HMAC functions when possible: this allows
...
openssl to perform hardware acceleration if available.
2010-10-20 13:40:02 +00:00
tteras
fa4803bf0a
Various improvements to error log messages and a few additional error log
...
messages to improve diagnosing an error condition.
2010-10-20 13:37:37 +00:00
tteras
49a8dd9d23
Fix address comparison so we actually close sockets which were bound to
...
IP-address that got deconfigured.
2010-10-20 10:56:39 +00:00
vanhu
fe1c6ea2f2
report a higher encryption key length in approval for OBEY / CLAIM / STRICT modes
2010-10-11 14:16:30 +00:00
vanhu
45f0ad8281
fixed some typos in logs (reported by fazaeli (at) sepehrs.com)
2010-09-27 11:57:59 +00:00
vanhu
1da0e31bfc
fixed a fd leak, patch by getlaser (at) gmail.com
2010-09-24 15:09:29 +00:00
vanhu
23e038ba26
get the correct length of username when processing ADMIN_LOGOUT_USER, patch by rweikusat (at) mssgmbh.com
2010-09-22 13:37:35 +00:00
vanhu
40e858e050
fixed a typo in macros, reported by marisp (at) mt.lv
2010-09-22 07:34:51 +00:00
vanhu
a4e6ec9d93
moved from utmp.h to utmpx.h (patch provided by marcin.cieslak (at) gmail.com)
2010-09-21 13:14:17 +00:00
vanhu
71f4bdc1a9
fixed remoteconf selection when no ID specified in configuration, and added some debug to remoteconf selection
2010-09-08 12:18:35 +00:00
vanhu
12865805af
fix by Sergio.Gelato (at) astro.su.se: duplicate some dynamic values in duprmconf()
2010-08-26 13:31:55 +00:00
vanhu
4020e47561
fixed answer for IP4_SUBNET request
2010-08-04 09:16:58 +00:00
vanhu
62c45492f0
updated link to NetBSD's documentation
2010-07-30 14:50:47 +00:00
wiz
432f682f2f
Bump date for previous.
2010-06-22 20:51:04 +00:00
vanhu
9049130b27
added a specific script hook when a dead peer is detected
2010-06-22 09:41:33 +00:00
wiz
ee938d1113
New sentence, new line. Bump date for previous.
2010-06-04 21:53:36 +00:00
vanhu
a0bdaf1b16
Added support for spdupdate command in setkey
2010-06-04 13:06:03 +00:00
vanhu
ba30b496b8
by Eric Preston: fixed a typo
2010-04-07 14:53:52 +00:00
christos
bd7ae6bd09
handle ctime returning NULL.
2010-04-02 15:13:26 +00:00
christos
fcbd1014fb
PR/42363: Yasuoka Masahiko: Second part of the patch: iterate only on the
...
phase2 handles that are bound by the given phase1 handle.
2010-03-11 15:44:48 +00:00
tteras
e3413574b5
From Stefan Bauer: Fix multiple typoes and manpage formatting errors.
2010-03-05 06:47:58 +00:00
vanhu
709abc828e
From Pierre POMES: fixed admin port initialization
2010-03-04 15:13:53 +00:00
snj
ccaf1e96be
Fight the ever-increasing size of src checkouts by spelling "useful"
...
without an extra l.
2010-02-28 15:52:16 +00:00
wiz
8e35c759e7
Fix typo in comment.
2010-02-09 23:05:16 +00:00
wiz
e15635055f
Free strdeupped string after using it. Found by cppcheck.
2010-01-17 23:03:01 +00:00
wiz
44e3b1fff7
Close file handles after using them. Found by cppcheck.
2010-01-17 23:02:48 +00:00
joerg
0e901e0c61
Use .%U instead of .%O for URLs.
2010-01-15 19:18:51 +00:00
tteras
119e5ecd44
From Paul Wernau: vmbuf.h was defined twice in the headers. Remove the
...
redundant entry so new install tool does not complain about overwriting
just installed file.
2009-12-11 09:04:04 +00:00
christos
aabb31871d
PR/42363: Yasuoka Masahiko:
...
racoon uses a wrong IPsec-SA handle that is for other peer in case it
receives a ISAKMP message for IPsec-SA that has the same message-id as
the message-id that is received before.
racoon uses message-id to find the handle of IPsec-SA. The message-id
is a unique number for each peer, but different peers may use the same
value.
Different Windows Vista or Windows 7 peers seem to use the same
message-id. racoon can handle the first Windows's Phase-2, but it
cannot handle the second Windows. Because racoon misunderstands the
message for the second Windows as the message for the first Windows.
>Category: bin
>Synopsis: racoon uses a wrong IPsec-SA that is for different peer
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Nov 22 18:25:00 +0000 2009
>Originator: yasuoka@iij.ad.jp
2009-11-22 19:34:55 +00:00
christos
792f03d2b0
use %option noinput nounput
2009-10-29 14:34:27 +00:00
christos
cd2a002a7a
no unput
2009-10-28 20:59:46 +00:00
joerg
4467064d5b
Do not use .Xo/.Xc to workaround ancient groff limits.
2009-10-14 23:36:55 +00:00
joerg
a453670196
Do not use .Xo/.Xc to work around ancient groff limits.
...
Fix markup.
2009-10-14 18:34:14 +00:00
joerg
0639ebde24
Don't use .Xo/.Xc to work around ancient groff limits.
...
Set only one list type.
2009-10-14 18:22:04 +00:00
tteras
ff2c7b7d5c
From Tomas Mraz: Fix gssapi error checking.
2009-09-18 10:31:11 +00:00
tteras
63bcd231eb
When rekeying phase2 use phase1 used to negotiate phase2 as a hint to
...
select the phase1 for rekeying the new phase2.
2009-09-03 09:29:07 +00:00
tteras
ae0beb16dc
Check nat_traversal configuration from remote configuration candidates
...
when acting as responder. Enable NAT-T if any of the remote candidates
have NAT-T enabled.
2009-09-01 12:22:09 +00:00
tteras
5e74d5d98f
Change remote conf matching level to matching score. This way one can
...
override anonymous certificate block config with more exact "inhereted"
IP specific block.
2009-09-01 09:49:59 +00:00