CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2012-12-24 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Mon Dec 24 14:50:39 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
crypto_openssl.c

Log Message:
From Götz Babin-Ebell: Smarter X.509 subject
name compare.


To generate a diff of this commit:
cvs rdiff -u -r1.20.4.2 -r1.20.4.3 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.20.4.2 src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.20.4.3
--- src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.20.4.2	Mon Dec 24 08:48:08 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c	Mon Dec 24 14:50:39 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.c,v 1.20.4.2 2012/12/24 08:48:08 tteras Exp $	*/
+/*	$NetBSD: crypto_openssl.c,v 1.20.4.3 2012/12/24 14:50:39 tteras Exp $	*/
 
 /* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
 
@@ -280,145 +280,6 @@ out:
 }
 
 /*
- * The following are derived from code in crypto/x509/x509_cmp.c
- * in OpenSSL0.9.7c:
- * X509_NAME_wildcmp() adds wildcard matching to the original
- * X509_NAME_cmp(), nocase_cmp() and nocase_spacenorm_cmp() are as is.
- */
-#include 
-/* Case insensitive string comparision */
-static int nocase_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
-{
-	int i;
-
-	if (a->length != b->length)
-		return (a->length - b->length);
-
-	for (i=0; ilength; i++)
-	{
-		int ca, cb;
-
-		ca = tolower(a->data[i]);
-		cb = tolower(b->data[i]);
-
-		if (ca != cb)
-			return(ca-cb);
-	}
-	return 0;
-}
-
-/* Case insensitive string comparision with space normalization 
- * Space normalization - ignore leading, trailing spaces, 
- *   multiple spaces between characters are replaced by single space  
- */
-static int nocase_spacenorm_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
-{
-	unsigned char *pa = NULL, *pb = NULL;
-	int la, lb;
-	
-	la = a->length;
-	lb = b->length;
-	pa = a->data;
-	pb = b->data;
-
-	/* skip leading spaces */
-	while (la > 0 && isspace(*pa))
-	{
-		la--;
-		pa++;
-	}
-	while (lb > 0 && isspace(*pb))
-	{
-		lb--;
-		pb++;
-	}
-
-	/* skip trailing spaces */
-	while (la > 0 && isspace(pa[la-1]))
-		la--;
-	while (lb > 0 && isspace(pb[lb-1]))
-		lb--;
-
-	/* compare strings with space normalization */
-	while (la > 0 && lb > 0)
-	{
-		int ca, cb;
-
-		/* compare character */
-		ca = tolower(*pa);
-		cb = tolower(*pb);
-		if (ca != cb)
-			return (ca - cb);
-
-		pa++; pb++;
-		la--; lb--;
-
-		if (la <= 0 || lb <= 0)
-			break;
-
-		/* is white space next character ? */
-		if (isspace(*pa) && isspace(*pb))
-		{
-			/* skip remaining white spaces */
-			while (la > 0 && isspace(*pa))
-			{
-la--;
-pa++;
-			}
-			while (lb > 0 && isspace(*pb))
-			{
-lb--;
-pb++;
-			}
-		}
-	}
-	if (la > 0 || lb > 0)
-		return la - lb;
-
-	return 0;
-}
-
-static int X509_NAME_wildcmp(const X509_NAME *a, const X509_NAME *b)
-{
-int i,j;
-X509_NAME_ENTRY *na,*nb;
-
-if (sk_X509_NAME_ENTRY_num(a->entries)
-	!= sk_X509_NAME_ENTRY_num(b->entries))
-	return sk_X509_NAME_ENTRY_num(a->entries)
-	  -sk_X509_NAME_ENTRY_num(b->entries);
-for (i=sk_X509_NAME_ENTRY_num(a->entries)-1; i>=0; i--)
-{
-	na=sk_X509_NAME_ENTRY_value(a->entries,i);
-	nb=sk_X509_NAME_ENTRY_value(b->entries,i);
-	j=OBJ_cmp(na->object,nb->object);
-	if (j) return(j);
-	if ((na->value->length == 1 && na->value->data[0] == '*')
-	 || (nb->value->length == 1 && nb->value->data[0] == '*'))
-		continue;
-	j=na->value->type-nb->value->type;
-	if (j) return(j);
-	if (na->value->type == V_ASN1_PRINTABLESTRING)
-		j=nocase_spacenorm_cmp(na->value, nb->value);
-	else if (na->value->type == V_ASN1_IA5STRING
-		&& OBJ_obj2nid(na->object) == NID_pkcs9_emailAddress)
-		j=nocase_cmp(na->value, nb->value);
-	else
-		{
-		j=na->value->length-nb->value->length;
-		if (j) return(j);
-		j=memcmp(na->value->data,nb->value->data,
-			na->value->length);
-		}
-	if (j) return(j);
-	j=na->set-nb->set;
-	if (j) return(j);
-}
-
-return(0);
-}
-
-/*
  * compare two subjectNames.
  * OUT:0: equal
  *	positive:
@@ -430,16 +291,49 @@ eay_cmp_asn1dn(n1, n2)
 {
 	X509_NAME *a = NULL, *b = NULL;
 	caddr_t p;
+	char oneLine[512];
 	int i = -1;
+	int idx;
 
 	p = n1->v;
-	if (!d2i_X509_NAME(&a, (void *)&p, n1->l))
+	if (!d2i_X509_NAME(&a, (void *)&p, n1->l)) {
+		plog(LLV_ERROR, LOCATION, NULL, "eay_cmp_asn1dn: first dn not a dn");
 		goto end;
+	}
+	plog(LLV_DEBUG, LOCATION, NULL, "1st name: %s\n", X509_NAME_oneline(a, oneLine, sizeof(oneLine)));
 	p = n2->v;
-	if (!d2i_X509_NAME(&b, (void *)&p, n2->l))
+	if (!d2i_X509_NAME(&b, (void *)&p, n2->l)) {
+		plog(

CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2013-01-23 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Thu Jan 24 06:48:27 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
isakmp_inf.c

Log Message:
Fix handling of deletion notification.


To generate a diff of this commit:
cvs rdiff -u -r1.47.2.1 -r1.47.2.2 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.47.2.1 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.47.2.2
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.47.2.1	Wed Aug 29 12:01:56 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Thu Jan 24 06:48:27 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.c,v 1.47.2.1 2012/08/29 12:01:56 tteras Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.47.2.2 2013/01/24 06:48:27 tteras Exp $	*/
 
 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
 
@@ -492,7 +492,7 @@ isakmp_info_recv_d(iph1, delete, msgid, 
 		"delete payload for protocol %s\n",
 		s_ipsecdoi_proto(delete->proto_id));
 
-	if(!iph1->rmconf->weak_phase1_check && !encrypted) {
+	if((iph1 == NULL || !iph1->rmconf->weak_phase1_check) && !encrypted) {
 		plog(LLV_WARNING, LOCATION, iph1->remote,
 			"Ignoring unencrypted delete payload "
 			"(check the weak_phase1_check option)\n");
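Review bot: The new NULL guard on `iph1` is immediately undone by the warning on the next line, which passes `iph1->remote` to plog; when `iph1` is NULL and the payload is unencrypted this is a NULL dereference on an attacker-reachable path (an unauthenticated, unencrypted delete). Use `plog(LLV_WARNING, LOCATION, iph1 ? iph1->remote : NULL,` instead. The condition also deserves a one-line comment, e.g. `/* no phase1 handle: never trust an unencrypted delete */`, because rejecting the NULL case is a policy decision rather than just a crash guard. The rest of isakmp_info_recv_d lies outside the hunk, so whether later code dereferences `iph1` again cannot be confirmed here.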



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2013-02-04 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Feb  5 06:23:43 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
isakmp_xauth.c

Log Message:
From Ian West: Fix double free of the radius info on
config reload.


To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.22.2.1 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.22 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.22.2.1
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.22	Mon Mar 14 15:50:36 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Tue Feb  5 06:23:42 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.22 2011/03/14 15:50:36 vanhu Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.22.2.1 2013/02/05 06:23:42 tteras Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -461,10 +461,14 @@ xauth_radius_init_conf(int free)
 			vfree(xauth_rad_config.acct_server_list[i].host);
 			vfree(xauth_rad_config.acct_server_list[i].secret);
 		}
-		if (radius_auth_state != NULL)
+		if (radius_auth_state != NULL) {
 			rad_close(radius_auth_state);
-		if (radius_acct_state != NULL)
+			radius_auth_state = NULL;
+		}
+		if (radius_acct_state != NULL) {
 			rad_close(radius_acct_state);
+			radius_acct_state = NULL;
+		}
 	}
 
 	/* initialize radius config */
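Review bot: The dangling-pointer pattern this commit fixes for `radius_auth_state` and `radius_acct_state` still applies to the `host` and `secret` entries vfree'd in the loop just above: they are freed but not reset, so they are only safe if the re-initialisation that follows overwrites them unconditionally (presumably it does, but that code is below the hunk). Either set them to NULL after `vfree`, or state the invariant in a comment at the top of the free branch, e.g. `/* freed list entries are overwritten by the unconditional re-init below */`. xauth_radius_init_conf starts and ends outside this hunk.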



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2013-02-05 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Feb  5 11:36:41 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
grabmyaddr.c

Log Message:
Fix source port selection


To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.28.2.1 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.28 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.28.2.1
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.28	Mon Mar 14 17:18:12 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Tue Feb  5 11:36:41 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.28 2011/03/14 17:18:12 tteras Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.28.2.1 2013/02/05 11:36:41 tteras Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras .
@@ -274,13 +274,24 @@ myaddr_getsport(addr)
 	struct sockaddr *addr;
 {
 	struct myaddr *my;
+	int port = 0, wport;
 
 	LIST_FOREACH(my, &opened, chain) {
-		if (cmpsaddr((struct sockaddr *) &my->addr, addr) <= CMPSADDR_WILDPORT_MATCH)
+		switch (cmpsaddr((struct sockaddr *) &my->addr, addr)) {
+		case CMPSADDR_MATCH:
 			return extract_port((struct sockaddr *) &my->addr);
+		case CMPSADDR_WILDPORT_MATCH:
+			wport = extract_port((struct sockaddr *) &my->addr);
+			if (port == 0 || wport < port)
+port = wport;
+			break;
+		}
 	}
+	
+	if (port == 0)
+		port = PORT_ISAKMP;
 
-	return PORT_ISAKMP;
+	return port;
 }
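Review bot: The new `switch` on cmpsaddr() has no `default:` and the "lowest wildcard-matching port wins" rule has no comment, so the selection policy is invisible to the next reader; add `default: break;` and a note such as `/* exact match wins; among wildcard-port matches take the lowest port, presumably so PORT_ISAKMP is preferred over the NAT-T port */` (the rationale is inferred, please confirm). The blank line before the `if (port == 0)` fallback also carries trailing whitespace. The function signature begins just above the hunk; the body itself is complete here.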
 
 void



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2011-11-17 Thread VANHULLEBUS Yvan
Module Name:src
Committed By:   vanhu
Date:   Thu Nov 17 14:46:31 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
handler.c

Log Message:
fixed some crashes in LIST_FOREACH where current element could be removed 
during the loop


To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.39.2.1 \
src/crypto/dist/ipsec-tools/src/racoon/handler.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/handler.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.39 src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.39.2.1
--- src/crypto/dist/ipsec-tools/src/racoon/handler.c:1.39	Mon Mar 14 17:18:12 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.c	Thu Nov 17 14:46:31 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.c,v 1.39 2011/03/14 17:18:12 tteras Exp $	*/
+/*	$NetBSD: handler.c,v 1.39.2.1 2011/11/17 14:46:31 vanhu Exp $	*/
 
 /* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */
 
@@ -611,9 +611,11 @@ getph2byid(src, dst, spid)
 	struct sockaddr *src, *dst;
 	u_int32_t spid;
 {
-	struct ph2handle *p;
+	struct ph2handle *p, *next;
+
+	for (p = LIST_FIRST(&ph2tree); p; p = next) {
+		next = LIST_NEXT(p, chain);
 
-	LIST_FOREACH(p, &ph2tree, chain) {
 		if (spid == p->spid &&
 		cmpsaddr(src, p->src) <= CMPSADDR_WILDPORT_MATCH &&
 		cmpsaddr(dst, p->dst) <= CMPSADDR_WILDPORT_MATCH){
@@ -985,9 +987,11 @@ void
 remcontacted(remote)
 	struct sockaddr *remote;
 {
-	struct contacted *p;
+	struct contacted *p, *next;
+
+	for (p = LIST_FIRST(&ctdtree); p; p = next) {
+		next = LIST_NEXT(p, chain);
 
-	LIST_FOREACH(p, &ctdtree, chain) {
 		if (cmpsaddr(remote, p->remote) <= CMPSADDR_WILDPORT_MATCH) {
 			LIST_REMOVE(p, chain);
 			racoon_free(p->remote);
@@ -1555,10 +1559,12 @@ int
 purgeph1bylogin(login)
 	char *login;
 {
-	struct ph1handle *p;
+	struct ph1handle *p, *next;
 	int found = 0;
 
-	LIST_FOREACH(p, &ph1tree, chain) {
+	for (p = LIST_FIRST(&ph1tree); p; p = next) {
+		next = LIST_NEXT(p, chain);
+
 		if (p->mode_cfg == NULL)
 			continue;
 		if (strncmp(p->mode_cfg->login, login, LOGINLEN) == 0) {
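Review bot: Caching `next` before the loop body protects only against removal of `p` itself; if the removal path below the hunk can also tear down other phase-1 handles (for instance through the phase-2 or remote cleanup a purge typically triggers), `next` may already be freed when the loop continues. The constraint should be written down next to the loop, e.g. `/* body may free p, but must not free any other ph1 handle */`, so later changes do not silently break it. The same caveat applies to the getph2byid and remcontacted loops in this commit, and none of the three bodies is fully visible here.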



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2011-08-11 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Aug 12 05:46:06 UTC 2011

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
privsep.c

Log Message:
Have privilege separation child process exit if the parent exits.


To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.21.2.1 \
src/crypto/dist/ipsec-tools/src/racoon/privsep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/privsep.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.21 src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.21.2.1
--- src/crypto/dist/ipsec-tools/src/racoon/privsep.c:1.21	Sun Mar  6 08:28:10 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/privsep.c	Fri Aug 12 05:46:06 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: privsep.c,v 1.21 2011/03/06 08:28:10 tteras Exp $	*/
+/*	$NetBSD: privsep.c,v 1.21.2.1 2011/08/12 05:46:06 tteras Exp $	*/
 
 /* Id: privsep.c,v 1.15 2005/08/08 11:23:44 vanhu Exp */
 
@@ -67,6 +67,7 @@
 #include "admin.h"
 #include "sockmisc.h"
 #include "privsep.h"
+#include "session.h"
 
 static int privsep_sock[2] = { -1, -1 };
 
@@ -193,6 +194,13 @@
 	return 0;
 }
 
+static int
+privsep_do_exit(void *ctx, int fd)
+{
+	kill(getpid(), SIGTERM);
+	return 0;
+}
+
 int
 privsep_init(void)
 {
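Review bot: `privsep_do_exit` terminates the child on any readiness of `privsep_sock[1]`, and nothing in the handler checks for end-of-file or that the parent is actually gone; that is correct only if the child never leaves unread data on this socket when the event loop polls it (it presumably reads its replies synchronously, but that is not visible here). Record the assumption above the function, e.g. `/* Event-loop callback for the child's end of the privsep socket. Replies are consumed synchronously, so readiness here means the parent closed its end: exit too. */`. Since `ctx` and `fd` are unused, `raise(SIGTERM)` also reads more clearly than `kill(getpid(), SIGTERM)`. privsep_init's body continues outside the hunk.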
@@ -273,6 +281,7 @@
 			strerror(errno));
 			return -1;
 		}
+		monitor_fd(privsep_sock[1], privsep_do_exit, NULL, 0);
 
 		return 0;
 		break;



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2012-01-01 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Sun Jan  1 17:32:04 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
isakmp_unity.c

Log Message:
From Rainer Weikusat: Fix one byte too
short memory allocation in isakmp_unity.c:splitnet_list_2str().


To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.9.18.1 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c:1.9 src/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c:1.9.18.1
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c:1.9	Fri Oct 19 03:37:19 2007
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c	Sun Jan  1 17:32:04 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_unity.c,v 1.9 2007/10/19 03:37:19 manu Exp $	*/
+/*	$NetBSD: isakmp_unity.c,v 1.9.18.1 2012/01/01 17:32:04 tteras Exp $	*/
 
 /* Id: isakmp_unity.c,v 1.10 2006/07/31 04:49:23 manubsd Exp */
 
@@ -387,8 +387,9 @@ char * splitnet_list_2str(list, splitnet
 		netentry = netentry->next;
 	}
 
-	/* allocate network list string */
-	str = racoon_malloc(len);
+	/* allocate network list string; we need the extra byte temporarily
+	 * as sprintf() will write trailing 0-byte after the space. */
+	str = racoon_malloc(len + 1);
 	if (str == NULL)
 		return NULL;
 
@@ -414,6 +415,7 @@ char * splitnet_list_2str(list, splitnet
 		netentry = netentry->next;
 	}
 
+	/* trim the string to not have trailing spaces */
 	str[len-1]=0;
 
 	return str;
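Review bot: `str[len-1]=0` writes one byte before the allocation when `len` is 0, i.e. when the length loop above the hunk produced no entries; unless the caller guarantees a non-empty list (not visible here), guard it, e.g. `str[len ? len - 1 : 0] = 0;`, which still yields an empty string from the `len + 1` byte buffer. Over-allocating one byte for sprintf's terminator papers over the real issue: the writes should be bounded with `snprintf` on the remaining length so the terminator can never land past the buffer. Both the length computation and the sprintf call sit outside the hunk.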



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2012-08-23 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Thu Aug 23 11:46:06 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
crypto_openssl.c

Log Message:
From Nakano Takaharu: Fix bignum memory allocation.


To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.20.4.1 \
src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.20 src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.20.4.1
--- src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.20	Wed Oct 20 13:40:02 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c	Thu Aug 23 11:46:06 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.c,v 1.20 2010/10/20 13:40:02 tteras Exp $	*/
+/*	$NetBSD: crypto_openssl.c,v 1.20.4.1 2012/08/23 11:46:06 tteras Exp $	*/
 
 /* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
 
@@ -2501,7 +2501,7 @@ eay_bn2v(var, bn)
 	vchar_t **var;
 	BIGNUM *bn;
 {
-	*var = vmalloc(bn->top * BN_BYTES);
+	*var = vmalloc(BN_num_bytes(bn));
 	if (*var == NULL)
 		return(-1);
 
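Review bot: `BN_num_bytes()` is 0 for a zero-valued BIGNUM, so `vmalloc(0)` is now reachable here; if racoon's vmalloc treats a zero length as failure, or if consumers of the resulting vchar do not expect `l == 0`, the function reports -1 for a legitimate value. This needs confirming against vmalloc and the callers, neither of which is visible; a one-line comment on the allocation, e.g. `/* exact size of the big-endian encoding; 0 for a zero BIGNUM */`, would at least flag the case. The BN_bn2bin call that fills the buffer is below the hunk.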



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2012-08-29 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Wed Aug 29 08:42:25 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
cfparse.y cftoken.l racoon.conf.5

Log Message:
Allow inherited remote blocks without additional remote statements to be
specified in a simpler way. patch by Roman Hoog Antink 


To generate a diff of this commit:
cvs rdiff -u -r1.42 -r1.42.2.1 \
src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
cvs rdiff -u -r1.23 -r1.23.2.1 \
src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
cvs rdiff -u -r1.61 -r1.61.4.1 \
src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.42 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.42.2.1
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.42	Mon Mar 14 15:50:36 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Wed Aug 29 08:42:24 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.42 2011/03/14 15:50:36 vanhu Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.42.2.1 2012/08/29 08:42:24 tteras Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -172,6 +172,76 @@ static int load_x509(const char *file, c
 	return 0;
 }
 
+static int process_rmconf()
+{
+
+	/* check a exchange mode */
+	if (cur_rmconf->etypes == NULL) {
+		yyerror("no exchange mode specified.\n");
+		return -1;
+	}
+
+	if (cur_rmconf->idvtype == IDTYPE_UNDEFINED)
+		cur_rmconf->idvtype = IDTYPE_ADDRESS;
+
+	if (cur_rmconf->idvtype == IDTYPE_ASN1DN) {
+		if (cur_rmconf->mycertfile) {
+			if (cur_rmconf->idv)
+yywarn("Both CERT and ASN1 ID "
+   "are set. Hope this is OK.\n");
+			/* TODO: Preparse the DN here */
+		} else if (cur_rmconf->idv) {
+			/* OK, using asn1dn without X.509. */
+		} else {
+			yyerror("ASN1 ID not specified "
+"and no CERT defined!\n");
+			return -1;
+		}
+	}
+
+	if (duprmconf_finish(cur_rmconf))
+		return -1;
+
+	if (set_isakmp_proposal(cur_rmconf) != 0)
+		return -1;
+
+	/* DH group settting if aggressive mode is there. */
+	if (check_etypeok(cur_rmconf, (void*) ISAKMP_ETYPE_AGG)) {
+		struct isakmpsa *p;
+		int b = 0;
+
+		/* DH group */
+		for (p = cur_rmconf->proposal; p; p = p->next) {
+			if (b == 0 || (b && b == p->dh_group)) {
+b = p->dh_group;
+continue;
+			}
+			yyerror("DH group must be equal "
+"in all proposals "
+"when aggressive mode is "
+"used.\n");
+			return -1;
+		}
+		cur_rmconf->dh_group = b;
+
+		if (cur_rmconf->dh_group == 0) {
+			yyerror("DH group must be set in the proposal.\n");
+			return -1;
+		}
+
+		/* DH group settting if PFS is required. */
+		if (oakley_setdhgroup(cur_rmconf->dh_group,
+&cur_rmconf->dhgrp) < 0) {
+			yyerror("failed to set DH value.\n");
+			return -1;
+		}
+	}
+
+	insrmconf(cur_rmconf);
+
+	return 0;
+}
+
 %}
 
 %union {
@@ -1643,7 +1713,7 @@ remote_statement
 			vfree($2);
 			vfree($4);
 		}
-		remote_specs_block
+		remote_specs_inherit_block
 	| REMOTE QUOTEDSTRING
 		{
 			struct remoteconf *new;
@@ -1686,7 +1756,7 @@ remote_statement
 			new->remote = $2;
 			cur_rmconf = new;
 		}
-		remote_specs_block
+		remote_specs_inherit_block
 	|	REMOTE remote_index
 		{
 			struct remoteconf *new;
@@ -1703,81 +1773,20 @@ remote_statement
 		remote_specs_block
 	;
 
-remote_specs_block
-	:	BOC remote_specs EOC
+remote_specs_inherit_block
+	:	remote_specs_block
+	|	EOS /* inheritance without overriding any settings */
 		{
-			/* check a exchange mode */
-			if (cur_rmconf->etypes == NULL) {
-yyerror("no exchange mode specified.\n");
-return -1;
-			}
-
-			if (cur_rmconf->idvtype == IDTYPE_UNDEFINED)
-cur_rmconf->idvtype = IDTYPE_ADDRESS;
-
-			if (cur_rmconf->idvtype == IDTYPE_ASN1DN) {
-if (cur_rmconf->mycertfile) {
-	if (cur_rmconf->idv)
-		yywarn("Both CERT and ASN1 ID "
-		   "are set. Hope this is OK.\n");
-	/* TODO: Preparse the DN here */
-} else if (cur_rmconf->idv) {
-	/* OK, using asn1dn without X.509. */
-} else {
-	yyerror("ASN1 ID not specified "
-		"and no CERT defined!\n");
-	return -1;
-}
-			}
-
-			if (duprmconf_finish(cur_rmconf))
+			if (process_rmconf() != 0)
 return -1;
+		}
+	;
 
-#if 0
-			/* this pointer copy will never happen, because duprmconf_shallow
-			 * already copied all pointers.
-			 */
-			if (cur_rmconf->spspec == NULL &&
-			cur_rmconf->inherited_from != NULL) {
-cur_rmconf->spspec = cur_rmconf->inherited_from->spspec;
-			}
-#endif
-			if (set_isakmp_proposal(cur_rmconf) != 0)
+remote_specs_block
+	:	BOC remote_specs EOC
+		{
+			if (process_rmconf() != 0)
 return -1;
-
-			/* DH group settting if aggressive mode is there. */
-			if (check_etypeok(cur_rmconf, (void*) ISAKMP_ETYPE_AGG)) {
-struct isakmpsa *p;
-int b = 0;

CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2012-08-29 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Wed Aug 29 08:54:00 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
isakmp.c

Log Message:
From Wolfgang Schmieder: setup phase1
port properly.


To generate a diff of this commit:
cvs rdiff -u -r1.71 -r1.71.2.1 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.71 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.71.2.1
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.71	Tue Mar 15 13:20:14 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Wed Aug 29 08:54:00 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.c,v 1.71 2011/03/15 13:20:14 vanhu Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.71.2.1 2012/08/29 08:54:00 tteras Exp $	*/
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
@@ -2943,7 +2943,7 @@ copy_ph1addresses(iph1, rmconf, remote, 
 		port = myaddr_getsport(iph1->local);
 		if (port == 0)
 			port = PORT_ISAKMP;
-		set_port(iph1->local, PORT_ISAKMP);
+		set_port(iph1->local, port);
 	}
 
 #ifdef ENABLE_NATT



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2012-08-29 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Wed Aug 29 08:55:27 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
isakmp.c

Log Message:
From Rainer Weikusat: Release unused
phase2 of passive remotes after acquire.


To generate a diff of this commit:
cvs rdiff -u -r1.71.2.1 -r1.71.2.2 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.71.2.1 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.71.2.2
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.71.2.1	Wed Aug 29 08:54:00 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c	Wed Aug 29 08:55:26 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp.c,v 1.71.2.1 2012/08/29 08:54:00 tteras Exp $	*/
+/*	$NetBSD: isakmp.c,v 1.71.2.2 2012/08/29 08:55:26 tteras Exp $	*/
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
@@ -2186,7 +2186,7 @@ isakmp_post_acquire(iph2, iph1hint, nopa
 			"because of passive mode, "
 			"ignore the acquire message for %s.\n",
 			saddrwop2str(iph2->dst));
-		return 0;
+		return -1;
 	}
 
 	/*
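Review bot: Returning -1 from the passive-mode branch makes a deliberate "ignore" indistinguishable from an internal failure for every caller of isakmp_post_acquire, which must now free the unused phase-2 handle and must not log or count this as an error; the callers are outside the hunk, so that needs confirming. A comment on the return would pin the contract, e.g. `/* -1: caller releases iph2; passive remotes never initiate */`.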



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2012-08-29 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Wed Aug 29 11:24:28 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
oakley.c

Log Message:
From Roman Hoog Antink: do not print unnecessary warning
about non-verified certificate when using raw plain-rsa.


To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.22.2.1 \
src/crypto/dist/ipsec-tools/src/racoon/oakley.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/oakley.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.22 src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.22.2.1
--- src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.22	Thu Mar 17 14:42:58 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/oakley.c	Wed Aug 29 11:24:28 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: oakley.c,v 1.22 2011/03/17 14:42:58 vanhu Exp $	*/
+/*	$NetBSD: oakley.c,v 1.22.2.1 2012/08/29 11:24:28 tteras Exp $	*/
 
 /* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */
 
@@ -1288,6 +1288,7 @@ oakley_validate_auth(iph1)
 {
 	vchar_t *my_hash = NULL;
 	int result;
+	int no_verify_needed = -1;
 #ifdef HAVE_GSSAPI
 	vchar_t *gsshash = NULL;
 #endif
@@ -1361,8 +1362,6 @@ oakley_validate_auth(iph1)
 		plog(LLV_DEBUG, LOCATION, NULL, "HASH for PSK validated.\n");
 	}
 		break;
-	case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
-	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
 #ifdef ENABLE_HYBRID
 	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
 	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
@@ -1370,7 +1369,10 @@ oakley_validate_auth(iph1)
 	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
 	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
 	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
+		no_verify_needed = 0;
 #endif
+	case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
+	case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
 	{
 		int error = 0;
 		int certtype;
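Review bot: The `no_verify_needed = 0;` assignment under `#ifdef ENABLE_HYBRID` relies on falling through into the DSSSIG/RSASIG labels, and nothing marks that as intentional; add `/* FALLTHROUGH */` after it so readers and -Wimplicit-fallthrough do not flag it. The three states of `no_verify_needed` (-1 undecided, 0 hybrid so always warn, 1 plain RSA so there is no certificate to verify) can only be reconstructed by reading all four hunks; a comment at the declaration such as `/* -1: undecided, 0: hybrid (always warn), 1: plain RSA (no cert, no warning) */` would make the warning-suppression policy auditable.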
@@ -1454,6 +1456,9 @@ oakley_validate_auth(iph1)
 		case ISAKMP_CERT_PLAINRSA:
 			if (get_plainrsa_fromlocal(iph1, 0))
 return ISAKMP_INTERNAL_ERROR;
+			/* suppress CERT validation warning, unless hybrid mode in use */
+			if (no_verify_needed == -1)
+no_verify_needed = 1;
 			break;
 		case ISAKMP_CERT_DNS:
 			/* don't use received cert */
@@ -1480,12 +1485,12 @@ oakley_validate_auth(iph1)
 		if ((error = oakley_check_certid(iph1)) != 0)
 			return error;
 
-		/* Generate a warning if verify_cert */
+		/* Generate a warning unless verify_cert */
 		if (iph1->rmconf->verify_cert) {
-			plog(LLV_DEBUG, LOCATION, NULL,
+			plog(LLV_DEBUG, LOCATION, iph1->remote,
 			 "CERT validated\n");
-		} else {
-			plog(LLV_WARNING, LOCATION, NULL,
+		} else if (no_verify_needed != 1) {
+			plog(LLV_WARNING, LOCATION, iph1->remote,
 			 "CERT validation disabled by configuration\n");
 		}
 



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2012-08-29 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Wed Aug 29 11:35:09 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
oakley.c

Log Message:
From Roman Hoog Antink: add remote's IP address to the
"certificate not verified" error message.


To generate a diff of this commit:
cvs rdiff -u -r1.22.2.1 -r1.22.2.2 \
src/crypto/dist/ipsec-tools/src/racoon/oakley.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/oakley.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.22.2.1 src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.22.2.2
--- src/crypto/dist/ipsec-tools/src/racoon/oakley.c:1.22.2.1	Wed Aug 29 11:24:28 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/oakley.c	Wed Aug 29 11:35:09 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: oakley.c,v 1.22.2.1 2012/08/29 11:24:28 tteras Exp $	*/
+/*	$NetBSD: oakley.c,v 1.22.2.2 2012/08/29 11:35:09 tteras Exp $	*/
 
 /* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */
 
@@ -1434,7 +1434,7 @@ oakley_validate_auth(iph1)
 			}
 
 			if (error != 0) {
-plog(LLV_ERROR, LOCATION, NULL,
+plog(LLV_ERROR, LOCATION, iph1->remote,
  "the peer's certificate is not verified.\n");
 return ISAKMP_NTYPE_INVALID_CERT_AUTHORITY;
 			}



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2012-08-29 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Wed Aug 29 12:01:56 UTC 2012

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
isakmp_inf.c

Log Message:
From Roman Hoog Antink: Accept DPD messages with cookies
also in reversed order for compatibility. At least Cisco 836 running
IOS 12.3(8)T does this.


To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.47.2.1 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.47 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.47.2.1
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.47	Tue Mar 15 13:20:14 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Wed Aug 29 12:01:56 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.c,v 1.47 2011/03/15 13:20:14 vanhu Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.47.2.1 2012/08/29 12:01:56 tteras Exp $	*/
 
 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
 
@@ -1465,8 +1465,11 @@ isakmp_info_recv_r_u_ack (iph1, ru, msgi
 		return 0;
 	}
 
-	if (memcmp(ru->i_ck, iph1->index.i_ck, sizeof(cookie_t)) ||
-	memcmp(ru->r_ck, iph1->index.r_ck, sizeof(cookie_t))) {
+	/* accept cookies in original or reversed order */
+	if ((memcmp(ru->i_ck, iph1->index.i_ck, sizeof(cookie_t)) ||
+	 memcmp(ru->r_ck, iph1->index.r_ck, sizeof(cookie_t))) &&
+	(memcmp(ru->r_ck, iph1->index.i_ck, sizeof(cookie_t)) ||
+	 memcmp(ru->i_ck, iph1->index.r_ck, sizeof(cookie_t {
 		plog(LLV_ERROR, LOCATION, iph1->remote,
 			 "Cookie mismatch in DPD ACK!.\n");
 		return 0;
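Review bot: Accepting the swapped cookie pair only relaxes the match between the two cookies of the already-selected `iph1`, so it does not let another SA's ACK through, but the four-way memcmp is hard to audit and, as printed, the last clause (`sizeof(cookie_t {`) looks truncated — worth confirming the committed line closes all three parentheses. Splitting the condition into two named booleans, `straight` and `swapped`, or a small static helper that checks one ordering and is called twice, would make the intent obvious. The rest of isakmp_info_recv_r_u_ack is outside this hunk.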
@@ -1477,7 +1480,7 @@ isakmp_info_recv_r_u_ack (iph1, ru, msgi
 	sched_cancel(&iph1->dpd_r_u);
 	isakmp_sched_r_u(iph1, 0);
 
-	plog(LLV_DEBUG, LOCATION, NULL, "received an R-U-THERE-ACK\n");
+	plog(LLV_DEBUG, LOCATION, iph1->remote, "received an R-U-THERE-ACK\n");
 
 	return 0;
 }



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2013-04-12 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Apr 12 09:53:52 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
grabmyaddr.c isakmp_inf.c

Log Message:
Some logging improvements.


To generate a diff of this commit:
cvs rdiff -u -r1.28.2.1 -r1.28.2.2 \
src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
cvs rdiff -u -r1.47.2.2 -r1.47.2.3 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.28.2.1 src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.28.2.2
--- src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c:1.28.2.1	Tue Feb  5 11:36:41 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c	Fri Apr 12 09:53:52 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: grabmyaddr.c,v 1.28.2.1 2013/02/05 11:36:41 tteras Exp $	*/
+/*	$NetBSD: grabmyaddr.c,v 1.28.2.2 2013/04/12 09:53:52 tteras Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * Copyright (C) 2008 Timo Teras .
@@ -764,6 +764,7 @@ kernel_handle_message(msg)
 	case RTM_ADD:
 	case RTM_DELETE:
 	case RTM_CHANGE:
+	case RTM_GET:
 	case RTM_MISS:
 	case RTM_IFINFO:
 #ifdef RTM_OIFINFO
@@ -779,7 +780,7 @@ kernel_handle_message(msg)
 		break;
 	default:
 		plog(LLV_WARNING, LOCATION, NULL,
-		 "unrecognized route message with rtm_type: %d",
+		 "unrecognized route message with rtm_type: %d\n",
 		 rtm->rtm_type);
 		break;
 	}

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.47.2.2 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.47.2.3
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c:1.47.2.2	Thu Jan 24 06:48:27 2013
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c	Fri Apr 12 09:53:52 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_inf.c,v 1.47.2.2 2013/01/24 06:48:27 tteras Exp $	*/
+/*	$NetBSD: isakmp_inf.c,v 1.47.2.3 2013/04/12 09:53:52 tteras Exp $	*/
 
 /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
 
@@ -1116,6 +1116,7 @@ purge_ipsec_spi(dst0, proto, spi, n)
 	u_int64_t created;
 	size_t i;
 	caddr_t mhp[SADB_EXT_MAX + 1];
+	unsigned num_purged = 0;
 
 	plog(LLV_DEBUG2, LOCATION, NULL,
 		 "purge_ipsec_spi:\n");
@@ -1172,6 +1173,7 @@ purge_ipsec_spi(dst0, proto, spi, n)
 
 		plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(src));
 		plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(dst));
+		plog(LLV_DEBUG2, LOCATION, NULL, "spi: %u\n", ntohl(sa->sadb_sa_spi));
 
 		/* XXX n^2 algorithm, inefficient */
 
@@ -1210,6 +1212,7 @@ purge_ipsec_spi(dst0, proto, spi, n)
 "purged IPsec-SA proto_id=%s spi=%u.\n",
 s_ipsecdoi_proto(proto),
 ntohl(spi[i]));
+			num_purged++;
 		}
 
 		msg = next;
@@ -1217,6 +1220,8 @@ purge_ipsec_spi(dst0, proto, spi, n)
 
 	if (buf)
 		vfree(buf);
+
+	plog(LLV_DEBUG, LOCATION, NULL, "purged %u SAs.\n", num_purged);
 }
 
 /*



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2013-04-12 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Apr 12 10:04:22 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
isakmp_cfg.c

Log Message:
From Rainer Weikusat: Do not send out
illegal zero length MODE_CFG attributes.


To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.24.4.1 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.24 src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.24.4.1
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c:1.24	Tue Sep 21 13:14:17 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c	Fri Apr 12 10:04:21 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_cfg.c,v 1.24 2010/09/21 13:14:17 vanhu Exp $	*/
+/*	$NetBSD: isakmp_cfg.c,v 1.24.4.1 2013/04/12 10:04:21 tteras Exp $	*/
 
 /* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */
 
@@ -1000,6 +1000,9 @@ isakmp_cfg_varlen(iph1, attr, string, le
 	struct isakmp_data *new;
 	char *data;
 
+	if (!len)
+		return NULL;
+
 	if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) {
 		plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
 		return NULL;
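Review bot: The new zero-length guard returns NULL, the same value the function returns on allocation failure a few lines below, so a caller cannot distinguish "illegal empty attribute, omit it" from "out of memory, abort the reply"; the callers are outside this hunk, so whether any of them treats NULL as fatal cannot be confirmed here. Unlike the allocation path, the skipped attribute is also not logged, which will make a missing attribute hard to diagnose. Suggest a debug plog before the return and a comment documenting the contract: `/* A zero-length MODE_CFG attribute is illegal; return NULL so the caller omits it (NULL is also the allocation-failure result). */`. isakmp_cfg_varlen's signature and the rest of its body are outside the hunk.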



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2013-06-02 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Mon Jun  3 05:49:59 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
admin.c

Log Message:
From Alexander Sbitnev: fix admin port
establish-sa for tunnel mode SAs.


To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.38.4.1 src/crypto/dist/ipsec-tools/src/racoon/admin.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/admin.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.38 src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.38.4.1
--- src/crypto/dist/ipsec-tools/src/racoon/admin.c:1.38	Wed Dec  8 07:38:35 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/admin.c	Mon Jun  3 05:49:59 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: admin.c,v 1.38 2010/12/08 07:38:35 tteras Exp $	*/
+/*	$NetBSD: admin.c,v 1.38.4.1 2013/06/03 05:49:59 tteras Exp $	*/
 
 /* Id: admin.c,v 1.25 2006/04/06 14:31:04 manubsd Exp */
 
@@ -563,18 +563,30 @@ admin_process(so2, combuf)
 			iph2->seq = pk_getseq();
 			iph2->status = PHASE2ST_STATUS2;
 
-			/* set end addresses of SA */
-			iph2->sa_dst = dupsaddr(dst);
-			iph2->sa_src = dupsaddr(src);
-			iph2->dst = dupsaddr(dst);
-			iph2->src = dupsaddr(src);
-			if (iph2->sa_src == NULL || iph2->sa_dst == NULL ||
-			iph2->dst == NULL || iph2->src == NULL) {
-delph2(iph2);
-break;
-			}
-			set_port(iph2->dst, 0);
-			set_port(iph2->src, 0);
+if (sp_out->local && sp_out->remote) {
+/* hints available, let's use them */
+iph2->sa_dst = dupsaddr(dst);
+iph2->sa_src = dupsaddr(src);
+iph2->src = dupsaddr((struct sockaddr *)sp_out->local);
+iph2->dst = dupsaddr((struct sockaddr *)sp_out->remote);
+} else if (sp_out->req && sp_out->req->saidx.mode == IPSEC_MODE_TUNNEL) {
+/* Tunnel mode and no hint, use endpoints */
+iph2->src = dupsaddr((struct sockaddr *)&sp_out->req->saidx.src);
+iph2->dst = dupsaddr((struct sockaddr *)&sp_out->req->saidx.dst);
+} else {
+/* default, use selectors as fallback */
+iph2->sa_dst = dupsaddr(dst);
+iph2->sa_src = dupsaddr(src);
+iph2->dst = dupsaddr(dst);
+iph2->src = dupsaddr(src);
+}
+
+if (iph2->dst == NULL || iph2->src == NULL) {
+delph2(iph2);
+break;
+}
+set_port(iph2->dst, 0);
+set_port(iph2->src, 0);
 
 			if (isakmp_get_sainfo(iph2, sp_out, sp_in) < 0) {
 delph2(iph2);
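Review bot: The consolidated NULL check only tests iph2->dst and iph2->src, whereas the replaced code also tested iph2->sa_dst and iph2->sa_src; in the hint branch and the fallback branch those two dupsaddr() results are now unchecked, so an allocation failure leaves a NULL sa_src/sa_dst in a phase-2 handle that goes on to isakmp_get_sainfo(). The tunnel-mode branch deliberately leaves sa_src/sa_dst unset, so the check has to depend on the branch taken; a flag set by the branch and folded into the existing check does that (below; the declaration belongs at the top of the enclosing block if the file sticks to C89 declaration placement). The new lines also appear indented differently from their neighbours; if that is not a rendering artifact they should use the surrounding tab depth. The enclosing admin_process() case starts and ends outside the hunk.

```c
			int need_sa = 1;	/* sa_src/sa_dst expected to be set */

			if (sp_out->local && sp_out->remote) {
				/* … unchanged: hint branch … */
			} else if (sp_out->req && sp_out->req->saidx.mode == IPSEC_MODE_TUNNEL) {
				need_sa = 0;	/* tunnel mode: only the endpoints are set */
				/* … unchanged: tunnel-mode branch … */
			} else {
				/* … unchanged: selector fallback … */
			}

			if (iph2->dst == NULL || iph2->src == NULL ||
			    (need_sa && (iph2->sa_dst == NULL || iph2->sa_src == NULL))) {
				delph2(iph2);
				break;
			}
```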



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2013-06-17 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Tue Jun 18 05:40:36 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]:
ipsec_doi.c

Log Message:
From Paul Barker: Remove redundant memset after calloc that caused compile
failures with gcc 4.8 due to error: argument to 'sizeof' in 'memset' call
is the same expression as the destination; did you mean to dereference.


To generate a diff of this commit:
cvs rdiff -u -r1.46 -r1.46.4.1 \
src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.46 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.46.4.1
--- src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.46	Tue Dec 14 17:57:31 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c	Tue Jun 18 05:40:36 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_doi.c,v 1.46 2010/12/14 17:57:31 tteras Exp $	*/
+/*	$NetBSD: ipsec_doi.c,v 1.46.4.1 2013/06/18 05:40:36 tteras Exp $	*/
 
 /* Id: ipsec_doi.c,v 1.55 2006/08/17 09:20:41 vanhu Exp */
 
@@ -1183,7 +1183,6 @@ get_proppair_and_doi_sit(sa, mode, doity
 			"failed to get buffer.\n");
 		goto bad;
 	}
-	memset(pair, 0, sizeof(pair));
 
 	bp = (caddr_t)(sab + 1);
 	tlen = sa->l - sizeof(*sab);



CVS commit: [ipsec-tools-0_8-branch] src/crypto/dist/ipsec-tools/src/racoon

2013-07-12 Thread Timo Teräs
Module Name:src
Committed By:   tteras
Date:   Fri Jul 12 13:12:24 UTC 2013

Modified Files:
src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]: main.c

Log Message:
From Sven Vermeulen: Moves ploginit() up,
allowing logging events from init_avc() to show up as well.


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.12.6.1 src/crypto/dist/ipsec-tools/src/racoon/main.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/main.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/main.c:1.12 src/crypto/dist/ipsec-tools/src/racoon/main.c:1.12.6.1
--- src/crypto/dist/ipsec-tools/src/racoon/main.c:1.12	Mon Jan 26 18:13:06 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/main.c	Fri Jul 12 13:12:24 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: main.c,v 1.12 2009/01/26 18:13:06 tteras Exp $	*/
+/*	$NetBSD: main.c,v 1.12.6.1 2013/07/12 13:12:24 tteras Exp $	*/
 
 /* Id: main.c,v 1.25 2006/06/20 20:31:34 manubsd Exp */
 
@@ -290,6 +290,8 @@ main(ac, av)
 		/* NOTREACHED*/
 	}
 
+	ploginit();
+
 #ifdef DEBUG_RECORD_MALLOCATION
 	DRM_init();
 #endif
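Review bot: Nothing at the new ploginit() call records why it has to come this early, so the motivation given in the commit message (messages from init_avc()) will be lost on the next reorder of main(); the call now also precedes DRM_init() and everything else between the old and new positions. Suggest `/* Initialise logging before DRM_init()/init_avc() so their messages are not lost; keep it after option parsing, which presumably selects the log destination. */`, where the second clause is an assumption about ploginit() to confirm. If DRM_init() instruments allocations, any allocation ploginit() now makes beforehand is presumably unrecorded, which is worth a note as well. main() begins and ends outside the hunk.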
@@ -302,8 +304,6 @@ main(ac, av)
 	oakley_dhinit();
 	compute_vendorids();
 
-	ploginit();
-
 	plog(LLV_INFO, LOCATION, NULL, "%s\n", version);
 	plog(LLV_INFO, LOCATION, NULL, "@(#)"
 	"This product linked %s (http://www.openssl.org/)"