#
1.26 |
|
24-Jan-2017 |
christos |
PR/51682: Avoid DoS with fragment out of order insertion; keep fragments sorted in the list.
|
Revision tags: netbsd-7-nhusb-base-20170116 bouyer-socketcan-base pgoyette-localcount-20170107 netbsd-7-1-RC1 pgoyette-localcount-20161104 netbsd-7-0-2-RELEASE localcount-20160914 netbsd-7-nhusb-base pgoyette-localcount-20160806 pgoyette-localcount-20160726 pgoyette-localcount-base netbsd-7-0-1-RELEASE netbsd-7-0-RELEASE netbsd-7-0-RC3 netbsd-7-0-RC2 netbsd-7-0-RC1 netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-7-base yamt-pagecache-base9 yamt-pagecache-tag8 netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 ipsec-tools-0_8_2 netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 agc-symver-base netbsd-6-1-RC2 netbsd-6-1-RC1 yamt-pagecache-base8 ipsec-tools-0_8_1 netbsd-6-0-1-RELEASE yamt-pagecache-base7 matt-nb6-plus-nbase yamt-pagecache-base6 netbsd-6-0-RELEASE netbsd-6-0-RC2 tls-maxphys-base matt-nb6-plus-base netbsd-6-0-RC1 yamt-pagecache-base5 yamt-pagecache-base4 netbsd-6-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base cherry-xenmp-base ipsec-tools-0_8_0 bouyer-quota2-nbase bouyer-quota2-base matt-mips64-premerge-20101231
|
#
1.25 |
|
17-Nov-2010 |
tteras |
Fix my previous patch to not call purge_remote() twice. Change the place where purge_remote() is called. This fixes also a possible crash from the same patch since ph1->remote can be NULL (when we are responder and config is not yet selected).
|
#
1.24 |
|
12-Nov-2010 |
tteras |
Improve DPD sequence checks to allow any reply within valid sequence window to be proof of liveliness. This can improve things if there are random packet delays, or if racoon is not getting enough CPU time.
|
#
1.23 |
|
21-Oct-2010 |
tteras |
Remove initial-contact entry when all ISAKMP-SA are purged via adminport. This will avoid stale security associations if some of the delete notifications happen to get lost.
|
Revision tags: matt-premerge-20091211
|
#
1.22 |
|
03-Sep-2009 |
tteras |
When rekeying phase2 use phase1 used to negotiate phase2 as a hint to select the phase1 for rekeying the new phase2.
|
#
1.21 |
|
03-Jul-2009 |
tteras |
Get rid of the evil CMPSADDR macro. Trac #295.
|
Revision tags: jym-xensuspend-nbase jym-xensuspend-base
|
#
1.20 |
|
12-Mar-2009 |
tteras |
Support multiple anonymous remotes and decide remoteconf based on identity, received certificates and other information. General code clean up.
|
#
1.19 |
|
23-Jan-2009 |
tteras |
branches: 1.19.2; Detect if monotonic system clock is available, and use it for relative time measurements to avoid complete hang if time jumps backwards.
|
#
1.18 |
|
23-Jan-2009 |
tteras |
Introduce vendorid bitmask that can be used otherwhere to detect peer capabilities.
|
#
1.17 |
|
05-Dec-2008 |
tteras |
From Arnaud Ebalard: Improved Mobile IPv6 support per draft-ebalard-mext-pfkey-enhanced-migrate.
|
Revision tags: netbsd-5-0-RC1 netbsd-5-base matt-mips64-base2
|
#
1.16 |
|
19-Sep-2008 |
tteras |
branches: 1.16.4; Implement ISAKMP SA rekeying configurable with rekey {on|off|force} option in remote conf.
|
#
1.15 |
|
19-Sep-2008 |
tteras |
Change struct sched to be allocated by the caller to avoid some memory allocations. Optimize scheduling algorithm to not scan all entries in the main loop.
|
Revision tags: wrstuden-revivesa-base-3 wrstuden-revivesa-base-2
|
#
1.14 |
|
14-Jul-2008 |
tteras |
Handle RESPONDER-LIFETIME notification in quick mode.
|
#
1.13 |
|
14-Jul-2008 |
tteras |
Clean up notification payload handling. Handle INITIAL-CONTACT notification in last main mode exchange (delayed) and during quick mode exchanges.
|
Revision tags: wrstuden-revivesa-base-1 yamt-pf42-base4 yamt-pf42-base3 hpcarm-cleanup-nbase yamt-pf42-baseX yamt-pf42-base2 wrstuden-revivesa-base yamt-pf42-base keiichi-mipv6-base matt-armv6-nbase
|
#
1.12 |
|
06-Mar-2008 |
mgrooms |
branches: 1.12.4; Refactor admin socket event protocol to be less error prone. Backwards compatibility is provided. Submitted by Timo Teras.
|
Revision tags: hpcarm-cleanup-base
|
#
1.11 |
|
11-Jan-2008 |
vanhu |
branches: 1.11.2; added an 'established' arg to getph1byaddr()
|
Revision tags: matt-armv6-base
|
#
1.10 |
|
12-Dec-2007 |
mgrooms |
Add support for nat-t oa payload handling. Submitted by Timo Teras.
|
Revision tags: matt-armv6-prevmlocking wrstuden-fixsa-base-1 netbsd-4-0-RELEASE cube-autoconf-base netbsd-4-0-RC5 netbsd-4-0-RC4 netbsd-4-0-RC3 netbsd-4-0-RC2 netbsd-4-0-RC1 ipsec-tools-0_7 matt-mips64-base ipsec-tools-0_7-rc1 ipsec-tools-0_7-RC1 ipsec-tools-0_7-beta3 ipsec-tools-0_7-beta2 ipsec-tools-0_7-beta1 ipsec-tools-0_7-base netbsd-4-base
|
#
1.9 |
|
09-Sep-2006 |
manu |
branches: 1.9.2; 1.9.4; 1.9.6; 1.9.10; 1.9.14; Migration of ipsec-tools to NetBSD CVS part 2: resolving the import conflicts. Since we previously had a release branch and we import here the HEAD of CVS, let's assume all local changes are to be dumped. Local patches should have been propagated upstream, anyway.
|
Revision tags: abandoned-netbsd-4-base
|
#
1.8 |
|
21-Nov-2005 |
manu |
Merge ipsec-tools 0.6.3 import
|
#
1.7 |
|
20-Aug-2005 |
manu |
Update to ipsec-tools 0.6.1
|
#
1.6 |
|
07-Aug-2005 |
manu |
Resolve conflicts caused by recent ipsec-tools-0.6.1rc1 import by preferring the newer software. Some useful local change might have been overwritten, we'll take care of this soon.
|
#
1.5 |
|
08-May-2005 |
he |
Add a prototype for getph2bysaddr(), fixes build problem for isakmp.c.
|
#
1.4 |
|
08-May-2005 |
manu |
More NAT-T fixes for the situation where racoon acts as a VPN client.
Flush SA and generated SP on DPD timeout and deletion payloads.
|
#
1.3 |
|
03-May-2005 |
manu |
on phase 2 acquire, lookup phase 2 by (src, dst, policy id) so that multiple SA can be used in transport mode
While I'm there, patch ipsec-tools ChangeLog to reflect the changes we took from ipsec-tools-0_6-branch
|
#
1.2 |
|
19-Apr-2005 |
manu |
Fix simple DES support (security problems for racoon to racoon setups).
Fix broken generated policies flush.
|
#
1.1 |
|
12-Feb-2005 |
manu |
branches: 1.1.1; Initial revision
|
#
1.25 |
|
17-Nov-2010 |
tteras |
Fix my previous patch to not call purge_remote() twice. Change the place where purge_remote() is called. This fixes also a possible crash from the same patch since ph1->remote can be NULL (when we are responder and config is not yet selected).
|
#
1.24 |
|
12-Nov-2010 |
tteras |
Improve DPD sequence checks to allow any reply within valid sequence window to be proof of liveliness. This can improve things if there are random packet delays, or if racoon is not getting enough CPU time.
|
#
1.23 |
|
21-Oct-2010 |
tteras |
Remove initial-contact entry when all ISAKMP-SA are purged via adminport. This will avoid stale security associations if some of the delete notifications happen to get lost.
|
#
1.22 |
|
03-Sep-2009 |
tteras |
When rekeying phase2 use phase1 used to negotiate phase2 as a hint to select the phase1 for rekeying the new phase2.
|
#
1.21 |
|
03-Jul-2009 |
tteras |
Get rid of the evil CMPSADDR macro. Trac #295.
|
#
1.20 |
|
12-Mar-2009 |
tteras |
Support multiple anonymous remotes and decide remoteconf based on identity, received certificates and other information. General code clean up.
|
#
1.19 |
|
23-Jan-2009 |
tteras |
branches: 1.19.2; Detect if monotonic system clock is available, and use it for relative time measurements to avoid complete hang if time jumps backwards.
|
#
1.18 |
|
23-Jan-2009 |
tteras |
Introduce vendorid bitmask that can be used otherwhere to detect peer capabilities.
|
#
1.17 |
|
04-Dec-2008 |
tteras |
From Arnaud Ebalard: Improved Mobile IPv6 support per draft-ebalard-mext-pfkey-enhanced-migrate.
|
#
1.16 |
|
19-Sep-2008 |
tteras |
branches: 1.16.4; Implement ISAKMP SA rekeying configurable with rekey {on|off|force} option in remote conf.
|
#
1.15 |
|
19-Sep-2008 |
tteras |
Change struct sched to be allocated by the caller to avoid some memory allocations. Optimize scheduling algorithm to not scan all entries in the main loop.
|
#
1.14 |
|
13-Jul-2008 |
tteras |
Handle RESPONDER-LIFETIME notification in quick mode.
|
#
1.13 |
|
13-Jul-2008 |
tteras |
Clean up notification payload handling. Handle INITIAL-CONTACT notification in last main mode exchange (delayed) and during quick mode exchanges.
|
#
1.12 |
|
05-Mar-2008 |
mgrooms |
branches: 1.12.4; Refactor admin socket event protocol to be less error prone. Backwards compatibility is provided. Submitted by Timo Teras.
|
#
1.11 |
|
11-Jan-2008 |
vanhu |
branches: 1.11.2; added an 'established' arg to getph1byaddr()
|
#
1.10 |
|
11-Dec-2007 |
mgrooms |
Add support for nat-t oa payload handling. Submitted by Timo Teras.
|
#
1.9 |
|
08-Sep-2006 |
manu |
branches: 1.9.2; 1.9.4; 1.9.6; 1.9.10; 1.9.14; Migration of ipsec-tools to NetBSD CVS part 2: resolving the import conflicts. Since we previously had a release branch and we import here the HEAD of CVS, let's assume all local changes are to be dumped. Local patches should have been propagated upstream, anyway.
|
#
1.8 |
|
21-Nov-2005 |
manu |
Merge ipsec-tools 0.6.3 import
|
#
1.7 |
|
19-Aug-2005 |
manu |
Update to ipsec-tools 0.6.1
|
#
1.6 |
|
07-Aug-2005 |
manu |
Resolve conflicts caused by recent ipsec-tools-0.6.1rc1 import by preferring the newer software. Some useful local change might have been overwritten, we'll take care of this soon.
|
#
1.5 |
|
08-May-2005 |
he |
Add a prototype for getph2bysaddr(), fixes build problem for isakmp.c.
|
#
1.4 |
|
08-May-2005 |
manu |
More NAT-T fixes for the situation where racoon acts as a VPN client.
Flush SA and generated SP on DPD timeout and deletion payloads.
|
#
1.3 |
|
03-May-2005 |
manu |
on phase 2 acquire, lookup phase 2 by (src, dst, policy id) so that multiple SA can be used in transport mode
While I'm there, patch ipsec-tools ChangeLog to reflect the changes we took from ipsec-tools-0_6-branch
|
#
1.2 |
|
19-Apr-2005 |
manu |
Fix simple DES support (security problems for racoon to racoon setups).
Fix broken generated policies flush.
|
#
1.1 |
|
12-Feb-2005 |
manu |
branches: 1.1.1; Initial revision
|
#
1.1.1.4 |
|
08-Sep-2006 |
manu |
Migrate ipsec-tools CVS to cvs.netbsd.org
|
#
1.1.1.3 |
|
07-Aug-2005 |
manu |
Update ipsec-tools to 0.6.1rc1.
Most of the changes since 0.6b4 have already been committed to the NetBSD tree. This upgrade fixes some IPcomp and NAT-T related problems that were left unaddressed in the NetBSD tree.
|
#
1.1.1.2 |
|
23-Feb-2005 |
manu |
branches: 1.1.1.2.2; Import ipsec-tools 0.6 branch as of 2005/02/23. News from last imported version according to ipsec-tools' ChangeLog:
2005-02-23 Emmanuel Dreyfus <manu@netbsd.org>
  * configure.ac, src/racoon/{Makefile.am|crypto_openssl.c}: optional support for patented algorithms: IDEA and RC5.
  * src/racoon/{isakmp_xauth.c|main.c}: don't initialize RADIUS if it is not required in the configuration
  * src/racoon/isakmp.c: do not reject addresses for which kernel refused UDP encapsulation, they can still be used for non NAT-T traffic (eg: NAT-T enabled racoon on non NAT-T enabled kernel)
2005-02-18 Emmanuel Dreyfus <manu@netbsd.org>
  * src/racoon/{main.c|eaytest.c|plairsa-gen.c} src/setkey/setkey.c: don't use fuzzy paths for package_version.h
2005-02-18 Yvan Vanhullebus <vanhu@free.fr>
  * src/racoon/isakmp_inf.c: Purge generated SPDs when getting a related DELETE_SA
  * src/racoon/pfkey.c: do NOT unbindph12() when SA acquire
2005-02-17 Emmanuel Dreyfus <manu@netbsd.org>
  From Fred Senault <fred.letter@lacave.net>
  * src/racoon/remoteconf.c: Fix a bug in script init
2005-02-17 Yvan Vanhullebus <vanhu@free.fr>
  * src/racoon/ipsec_doi.c: Workaround for phase1 lifetime checks
2005-02-15 Michal Ludvig <michal@logix.cz>
  * configure.ac: Changed --enable-natt_NN to --enable-natt-versions=NN,NN
|
#
1.1.1.1 |
|
12-Feb-2005 |
manu |
Import ipsec-tools (tag ipsec-tools-0_6-base in ipsec-tools CVS).
ipsec-tools is a fork from KAME racoon/libipsec/setkey, with many enhancements.
|
#
1.1.1.2.2.6 |
|
21-Nov-2005 |
tron |
Apply patch (requested by manu in ticket #981): Update ipsec-tools to version 0.6.3.
|
#
1.1.1.2.2.5 |
|
03-Sep-2005 |
snj |
Apply patch (requested by tron in ticket #741): Update ipsec-tools to version 0.6.1.
|
#
1.1.1.2.2.4 |
|
11-May-2005 |
tron |
Pull up revision 1.5 (requested by manu in ticket #278): Add a prototype for getph2bysaddr(), fixes build problem for isakmp.c.
|
#
1.1.1.2.2.3 |
|
11-May-2005 |
tron |
Pull up revision 1.4 (requested by manu in ticket #277):
More NAT-T fixes for the situation where racoon acts as a VPN client.
Flush SA and generated SP on DPD timeout and deletion payloads.
|
#
1.1.1.2.2.2 |
|
09-May-2005 |
tron |
Pull up revision 1.3 (requested by manu in ticket #274):
on phase 2 acquire, lookup phase 2 by (src, dst, policy id) so that multiple SA can be used in transport mode
While I'm there, patch ipsec-tools ChangeLog to reflect the changes we took from ipsec-tools-0_6-branch
|
#
1.1.1.2.2.1 |
|
20-Apr-2005 |
tron |
Pull up revision 1.2 (requested by manu in ticket #179):
Fix simple DES support (security problems for racoon to racoon setups).
Fix broken generated policies flush.
|
#
1.9.14.1 |
|
18-Aug-2008 |
jdc |
Upgrade ipsec-tools to release 0.7.1 (requested by manu in ticket #1183).
|
#
1.9.10.2 |
|
22-Mar-2008 |
matt |
sync with HEAD
|
#
1.9.10.1 |
|
08-Jan-2008 |
matt |
sync with HEAD
|
#
1.9.6.1 |
|
11-Jan-2008 |
vanhu |
added an 'established' arg to getph1byaddr()
|
#
1.9.4.1 |
|
04-Sep-2008 |
skrll |
Sync with netbsd-4.
|
#
1.9.2.1 |
|
18-Aug-2008 |
jdc |
Upgrade ipsec-tools to release 0.7.1 (requested by manu in ticket #1183).
|
#
1.11.2.1 |
|
24-Mar-2008 |
keiichi |
sync with head.
|
#
1.12.4.1 |
|
17-Sep-2008 |
wrstuden |
Sync with wrstuden-revivesa-base-2.
|
#
1.16.4.1 |
|
08-Feb-2009 |
snj |
Apply patch (requested by manu/spz in #378): Downgrade ipsec-tools to 0.7.1nb1.
|
#
1.19.2.1 |
|
13-May-2009 |
jym |
Sync with HEAD.
Third (and last) commit. See http://mail-index.netbsd.org/source-changes/2009/05/13/msg221222.html
|