Commit Graph

80 Commits

Author SHA1 Message Date
jmc
06b42f5e66 Redo previous rework to generate yacc/lex output again and remove generated
copies from the import as they don't compile clean across all archs.
2005-12-16 16:25:07 +00:00
jmc
a2899ef21e Don't yacc/lex here as dist includes generated copies already and depending
on timestamps it's possible for gcc2 on vax to get confused on which .h
to use.
2005-12-15 04:27:32 +00:00
manu
a5b1c92448 Add NAT ports to SAD in setkey so that NAT SAD entries generated by
racoon can be removed by hand.
2005-12-04 20:46:40 +00:00
manu
c263eb3142 Merge ipsec-tools 0.6.3 import 2005-11-21 14:20:28 +00:00
manu
acea74a800 Update ipsec-tools version 2005-10-14 13:30:10 +00:00
manu
0b97cbeb71 Update to ipsec-tools 0.6.1 2005-08-20 00:57:06 +00:00
manu
6f554afd12 Update config.h and package_version.h to match the upcoming import
of ipsec-tools 0.6.1rc1
2005-08-07 08:36:28 +00:00
christos
5223acf25d Ignore lint argument promotion warnings (for now). 2005-06-28 16:01:59 +00:00
manu
8612e62aa3 Bump version number 2005-05-20 00:58:58 +00:00
manu
6add206c2f - Fix a double free
- For acquire messages, when NAT-T is in use, consider null port as a
  wildcard and use IKE port
2005-05-13 14:09:44 +00:00
manu
a5a80e2b4d Update sample config file to higher security settings 2005-05-10 10:22:03 +00:00
manu
873e8e21a9 More NAT-T fixes for the situation where racoon acts as a VPN client
Flush SA and generated SP on DPD timeout and deletion payloads
2005-05-08 08:57:26 +00:00
manu
8bf053b3f3 on phase 2 acquire, lookup phase 2 by (src, dst, policy id) so that
multiple SA can be used in transport mode

While I'm there, patch ipsec-tools ChangeLog to reflect the changes we
took from ipsec-tools-0_6-branch
2005-05-03 21:08:47 +00:00
manu
10802677c9 Bug fixes from the ipsec-tools 0.6 branch:
- Fix NAT-T problems that prevented multiple peers behind the same NAT
  to talk to the same machine outside the NAT. This also require kernel
  fixes (already committed eralier)
- Fix a LP64 bug
- Fix NAT-T RFC conformance bugs (missing non ESP marker in packets)
- Add a -p option to setkey to display ports that could be used for ESP
  over UDP when printing policies
2005-04-27 05:19:49 +00:00
manu
5a6c417352 Resurrect TCP-MD5 support. This fixes bin/29915 2005-04-10 21:20:55 +00:00
manu
ec81f7eda5 update ipsec-tools version 2005-03-16 23:52:56 +00:00
manu
b586aa59be update ipsec-tools version 2005-03-14 08:15:28 +00:00
manu
34ec7ca0bb update ipsec-tools version 2005-02-24 20:56:19 +00:00
manu
be15b99c92 Define SADB_X_EALG_AESCBC=SADB_X_EALG_AES, as we define SADB_X_EALG_AES
in <net/pfkeyv2.h> while ipsec-tools uses SADB_X_EALG_AESCBC in the code.
2005-02-24 13:45:08 +00:00
manu
da4d1abb40 bump ipsec-tools package version 2005-02-23 15:27:09 +00:00
thorpej
05597c360c Enable building the lint library. 2005-02-19 22:03:49 +00:00
thorpej
01db58f7e8 Bump shlib version to 2.1 as was intended with ipsec-tools integration. 2005-02-19 21:44:35 +00:00
thorpej
c5aea678b7 Additional cleanup pass. 2005-02-19 16:58:26 +00:00
thorpej
354f2a1004 Switch to ipsec-tools for libipsec, setkey, and racoon. From
Emmanuel Dreyfus, with some small changes by me.
2005-02-19 16:55:02 +00:00
lukem
7157011597 Only compile in IPv6 support if ${USE_INET6} != "no"
MKINET6 is for providing IPv6 infrastructure.
USE_INET6 is for compiling IPv6 support into the programs (needs MKINET6).
2005-01-10 02:58:58 +00:00
itojun
da88342476 NI_WITHSCOPEID was not picked up by IETF standardization process 2004-11-16 06:04:12 +00:00
abs
ea19f3b80d I'm not sure what the comment is trying to say, but it can say it with
'making' at least as well as 'makeing'.
2004-10-13 23:46:46 +00:00
jonathan
887b782b0b Initial commit of a port of the FreeBSD implementation of RFC 2385
(MD5 signatures for TCP, as used with BGP).  Credit for original
FreeBSD code goes to Bruce M. Simpson, with FreeBSD sponsorship
credited to sentex.net.  Shortening of the setsockopt() name
attributed to Vincent Jardin.

This commit is a minimal, working version of the FreeBSD code, as
MFC'ed to FreeBSD-4. It has received minimal testing with a ttcp
modified to set the TCP-MD5 option; BMS's additions to tcpdump-current
(tcpdump -M) confirm that the MD5 signatures are correct.  Committed
as-is for further testing between a NetBSD BGP speaker (e.g., quagga)
and industry-standard BGP speakers (e.g., Cisco, Juniper).


NOTE: This version has two potential flaws. First, I do see any code
that verifies recieved TCP-MD5 signatures.  Second, the TCP-MD5
options are internally padded and assumed to be 32-bit aligned. A more
space-efficient scheme is to pack all TCP options densely (and
possibly unaligned) into the TCP header ; then do one final padding to
a 4-byte boundary.  Pre-existing comments note that accounting for
TCP-option space when we add SACK is yet to be done. For now, I'm
punting on that; we can solve it properly, in a way that will handle
SACK blocks, as a separate exercise.

In case a pullup to NetBSD-2 is requested, this adds sys/netipsec/xform_tcp.c
,and modifies:

sys/net/pfkeyv2.h,v 1.15
sys/netinet/files.netinet,v 1.5
sys/netinet/ip.h,v 1.25
sys/netinet/tcp.h,v 1.15
sys/netinet/tcp_input.c,v 1.200
sys/netinet/tcp_output.c,v 1.109
sys/netinet/tcp_subr.c,v 1.165
sys/netinet/tcp_usrreq.c,v 1.89
sys/netinet/tcp_var.h,v 1.109
sys/netipsec/files.netipsec,v 1.3
sys/netipsec/ipsec.c,v 1.11
sys/netipsec/ipsec.h,v 1.7
sys/netipsec/key.c,v 1.11
share/man/man4/tcp.4,v 1.16
lib/libipsec/pfkey.c,v 1.20
lib/libipsec/pfkey_dump.c,v 1.17
lib/libipsec/policy_token.l,v 1.8
sbin/setkey/parse.y,v 1.14
sbin/setkey/setkey.8,v 1.27
sbin/setkey/token.l,v 1.15

Note that the preceding two revisions to tcp.4 will be
required to cleanly apply this diff.
2004-04-25 22:25:03 +00:00
wiz
f05e6f1a3a occured -> occurred. From Peter Postma. 2004-02-24 15:12:51 +00:00
itojun
2a85abd333 avoid memory leak. hint from Andrew Lunn 2003-11-23 08:33:13 +00:00
itojun
5451f8a14e do not malloc(0). Andrew Lunn 2003-11-23 08:23:02 +00:00
itojun
ffe9fe35e1 realloc error check failure; Greg Troxel, sync w/ kame 2003-10-03 21:53:08 +00:00
itojun
27ed6671c7 correct unsafe use of realloc(). 2003-10-02 19:38:59 +00:00
wiz
cff5e477ad Process has only one c. From miod@openbsd. 2003-09-26 22:23:58 +00:00
itojun
ce87a439ff deal with policy without selector. sync w/ kame 2003-09-08 10:16:31 +00:00
itojun
e4b5e8fb10 protect SADB_X_EXT_TAG with #ifdef 2003-08-26 03:49:05 +00:00
itojun
1bb4de9b71 typo 2003-08-26 03:37:25 +00:00
itojun
182a98314c support new algorithms 2003-07-25 10:06:09 +00:00
itojun
0ee6664ebd support hmac-sha2 2003-07-22 03:33:10 +00:00
itojun
26585fc6b8 don't explicitly clear "reserved" field. instead clear "id" field. 2003-07-22 03:32:58 +00:00
itojun
24389b0290 plug memory leak 2003-07-22 03:32:17 +00:00
itojun
536967658d cosmetic 2003-07-22 03:31:44 +00:00
itojun
7a580d5968 clear malloc'ed memory. sync w/kame 2003-06-27 03:40:44 +00:00
wiz
472351e13d Use
.In header.h
instead of
.Fd #include \*[Lt]header.h\*[Gt]
Much easier to read and write, and supported by groff for ages.
Okayed by ross.
2003-04-16 13:34:34 +00:00
lukem
8bf240ccae use __RCSID() 2003-03-09 01:03:54 +00:00
christos
aa229efdc3 Avoid memory leak. Pointed out by Patrick Latifi <patrickl at secureops dot com> 2003-03-04 18:30:58 +00:00
lukem
ec5dbc56b8 Explicitly move setting of NOxxx and USE_SHLIBDIR to the top of the
Makefile (before including <bsd.own.mk>)
2002-08-19 14:55:14 +00:00
lukem
ebb6fc9eb8 Use ${NETBSDSRCDIR}/some/path instead of ${.CURDIR}/../../some/path (etc).
(Reduces make output by ~ 20%)
2002-08-19 09:41:27 +00:00
itojun
2cd481ef73 plug memory leak. from ebisawa@iij, sync w/kame 2002-07-31 07:00:22 +00:00
itojun
2169d69bcf correct %d/%u mismatch. sync w/kame 2002-06-27 14:39:45 +00:00