Revision tags: pgoyette-compat-20190127 pgoyette-compat-20190118 pgoyette-compat-1226 pgoyette-compat-1126 pgoyette-compat-1020 pgoyette-compat-0930 pgoyette-compat-0906 pgoyette-compat-0728 phil-wifi-base pgoyette-compat-0625 pgoyette-compat-0521

1.53   19-May-2018   maxv
  Remove unused labels, functions, and function prototypes.

1.52   19-May-2018   maxv
  Remove unused variables.

Revision tags: netbsd-8-0-RELEASE netbsd-8-0-RC2 pgoyette-compat-0502 pgoyette-compat-0422 netbsd-8-0-RC1 pgoyette-compat-0415 pgoyette-compat-0407 pgoyette-compat-0330 pgoyette-compat-0322 pgoyette-compat-0315 pgoyette-compat-base matt-nb8-mediatek-base perseant-stdc-iso10646-base netbsd-8-base prg-localcount2-base3 prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1 pgoyette-localcount-20170320

1.51   24-Jan-2017   christos
  branches: 1.51.10;
  PR/51682: Avoid DoS with fragment out of order insertion; keep fragments sorted in the list.

Revision tags: netbsd-7-2-RELEASE netbsd-7-1-2-RELEASE netbsd-7-1-1-RELEASE netbsd-7-1-RELEASE netbsd-7-1-RC2 netbsd-7-nhusb-base-20170116 bouyer-socketcan-base pgoyette-localcount-20170107 netbsd-7-1-RC1 pgoyette-localcount-20161104 netbsd-7-0-2-RELEASE localcount-20160914 netbsd-7-nhusb-base pgoyette-localcount-20160806 pgoyette-localcount-20160726 pgoyette-localcount-base netbsd-7-0-1-RELEASE netbsd-7-0-RELEASE netbsd-7-0-RC3 netbsd-7-0-RC2 netbsd-7-0-RC1 netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base tls-maxphys-base

1.50   12-Apr-2013   tteras
  branches: 1.50.12; 1.50.16;
  Some logging improvements.

Revision tags: agc-symver-base

1.49   24-Jan-2013   tteras
  Fix handling of deletion notification.

Revision tags: yamt-pagecache-base8 yamt-pagecache-base7 yamt-pagecache-base6

1.48   29-Aug-2012   tteras
  branches: 1.48.2;
  From Roman Hoog Antink <rha@open.ch>: Accept DPD messages with cookies also in reversed order for compatibility. At least Cisco 836 running IOS 12.3(8)T does this.

Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 netbsd-6-1-RC2 netbsd-6-1-RC1 netbsd-6-0-1-RELEASE matt-nb6-plus-nbase netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 yamt-pagecache-base5 yamt-pagecache-base4 netbsd-6-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base cherry-xenmp-base ipsec-tools-0_8_0

1.47   15-Mar-2011   vanhu
  branches: 1.47.2; 1.47.6;
  Directly call isakmp_ph1delete() instead of scheduling isakmp_ph1delete_stub(), as it is useless and can lead to memory access after free.

1.46   14-Mar-2011   tteras
  Explicitly compare the return value of cmpsaddr() against a return value define to make it more obvious what the intended action is. One more return value is also added, to fix comparison of security policy descriptors. Namely, getsp() should not allow wildcard matching (as the comment says, it does exact matching); otherwise we get problems when the kernel has a generic policy with no ports, and a second similar policy with ports.

Revision tags: bouyer-quota2-nbase bouyer-quota2-base

1.45   22-Jan-2011   tteras
  From Roman Hoog Antink <rha@open.ch>: Fixes a null pointer dereference that might occur after removing peers from the config and then reloading.

Revision tags: matt-mips64-premerge-20101231

1.44   17-Nov-2010   tteras
  branches: 1.44.2;
  Fix my previous patch to not call purge_remote() twice. Change the place where purge_remote() is called. This also fixes a possible crash from the same patch, since ph1->remote can be NULL (when we are responder and config is not yet selected).

1.43   12-Nov-2010   tteras
  Improve DPD sequence checks to allow any reply within the valid sequence window to be proof of liveness. This can improve things if there are random packet delays, or if racoon is not getting enough CPU time.

1.42   22-Jun-2010   vanhu
  Added a specific script hook when a dead peer is detected.

Revision tags: matt-premerge-20091211

1.41   03-Jul-2009   tteras
  Get rid of the evil CMPSADDR macro. Trac #295.

1.40   03-Jul-2009   tteras
  From Yvan Vanhullebus: Use SADB_X_EXT_NAT_T_* consistently for passing the NAT-T port information. This might break compatibility with some kernels, but as discussed this is the proper way to pass NAT-T ports and the broken kernels need to be fixed.
1.39   18-May-2009   tteras
  From Tomas Mraz: Remove a variable that is not really used; it is only referenced while uninitialized, causing a valgrind error.

Revision tags: jym-xensuspend-nbase jym-xensuspend-base

1.38   20-Apr-2009   tteras
  Originally from Bin Li: Fix possible memory corruption in binsanitize().

1.37   12-Mar-2009   tteras
  Support multiple anonymous remotes and decide remoteconf based on identity, received certificates and other information. General code clean up.

1.36   23-Jan-2009   tteras
  branches: 1.36.2;
  Detect if a monotonic system clock is available, and use it for relative time measurements to avoid a complete hang if time jumps backwards.

1.35   23-Dec-2008   tteras
  Rewrite local address detection. Make some functions static that are not needed globally. Rework how the fd_set is constructed for the main loop select().

Revision tags: netbsd-5-0-RC1 netbsd-5-base matt-mips64-base2

1.34   19-Sep-2008   tteras
  branches: 1.34.4;
  Implement ISAKMP SA rekeying, configurable with the rekey {on|off|force} option in remote conf.

1.33   19-Sep-2008   tteras
  Change struct sched to be allocated by the caller to avoid some memory allocations. Optimize the scheduling algorithm to not scan all entries in the main loop.

Revision tags: wrstuden-revivesa-base-3

1.32   17-Sep-2008   vanhu
  Fixed port match in purge_ipsec_spi() when NAT-T is enabled and trying to purge non-NAT-T SAs.

Revision tags: wrstuden-revivesa-base-2

1.31   14-Jul-2008   tteras
  Clean up notification payload handling. Handle INITIAL-CONTACT notification in the last main mode exchange (delayed) and during quick mode exchanges.

1.30   11-Jul-2008   tteras
  Original patch from Atis Elsts: Fix a double memory free and a memory corruption (LIST_REMOVE() on an uninserted node) in some error handling paths.

1.29   02-Jul-2008   vanhu
  From Timo Teras: fix some %d to %zu (size_t values).

Revision tags: wrstuden-revivesa-base-1 wrstuden-revivesa-base

1.28   18-Jun-2008   mgrooms
  Use utility functions to evaluate and manipulate network port values. No functional changes. Submitted by Timo Teras.

Revision tags: yamt-pf42-base4 yamt-pf42-base3 hpcarm-cleanup-nbase yamt-pf42-base2

1.27   25-Apr-2008   vanhu
  branches: 1.27.2;
  From Timo Teras: extract port numbers from SADB_X_EXT_NAT_T[SD]PORT if present in purge_ipsec_spi().

Revision tags: yamt-pf42-baseX yamt-pf42-base

1.26   28-Mar-2008   manu
  branches: 1.26.2;
  From Cyrus Rahman: Allow interface reconfiguration when running in privilege separation mode; document privilege separation.

Revision tags: keiichi-mipv6-base matt-armv6-nbase

1.25   06-Mar-2008   mgrooms
  Refactor the admin socket event protocol to be less error prone. Backwards compatibility is provided. Submitted by Timo Teras.

Revision tags: hpcarm-cleanup-base

1.24   11-Jan-2008   vanhu
  branches: 1.24.2;
  From Timo Teras: reset iph1->dpd_r_u in the scheduler's callback, to avoid access to freed memory.

1.23   11-Jan-2008   vanhu
  From Krzysztof Oledzki: added some details to some logs (also reported new getph1byaddr() arg).

Revision tags: matt-armv6-prevmlocking cube-autoconf-base matt-armv6-base matt-mips64-base
1.22   18-Jul-2007   vanhu
  branches: 1.22.4; 1.22.8;
  Use a single PATH_IPSEC_H to fix some path_to_ipsec.h issues.

1.21   04-May-2007   vanhu
  Added some debug for the DELETE_SA process.

1.20   26-Mar-2007   vanhu
  Store the DPD main scheduler in the ph1 handler, to be able to cancel it when removing the handler, and some minor cleanups in DPD code.

1.19   21-Mar-2007   vanhu
  NULL sched check is now done in SCHED_KILL.

1.18   20-Feb-2007   vanhu
  Removed a debug printf.

1.17   20-Feb-2007   vanhu
  Fills creation date of generated SPDs.

1.16   15-Feb-2007   vanhu
  From "Uncle Pedro" on sf.net: Just expire a ph1 handle when receiving a DELETE-SA instead of calling purge_remote().

1.15   01-Feb-2007   vanhu
  From "Uncle Pedro" on sf.net: When receiving an ISAKMP DELETE_SA, get the cookie of the SA to be deleted from the payload instead of just deleting the ISAKMP SA used to protect the informational exchange.

Revision tags: ipsec-tools-0_7-base

1.14   09-Dec-2006   manu
  branches: 1.14.4;
  From Joy Latten: Add support for SELinux security contexts. Also clean up the libipsec interface for adding and updating security associations.

Revision tags: netbsd-4-base

1.13   02-Oct-2006   manu
  branches: 1.13.2;
  Check for NULL pointer (Coverity 4175).

1.12   18-Sep-2006   manu
  From Matthew Grooms: ike_frag force option to force the use of IKE on first packet exchange (prior to peer consent).

1.11   09-Sep-2006   manu
  Migration of ipsec-tools to NetBSD CVS, part 2: resolving the import conflicts. Since we previously had a release branch and we import here the HEAD of CVS, let's assume all local changes are to be dumped. Local patches should have been propagated upstream, anyway.

Revision tags: abandoned-netbsd-4-base

1.10   21-Nov-2005   manu
  Merge ipsec-tools 0.6.3 import.

1.9   20-Aug-2005   manu
  Update to ipsec-tools 0.6.1.

1.8   07-Aug-2005   manu
  Resolve conflicts caused by the recent ipsec-tools-0.6.1rc1 import by preferring the newer software. Some useful local change might have been overwritten; we'll take care of this soon.

1.7   12-Jul-2005   manu
  Add safety checks for informational messages.

1.6   12-Jul-2005   tron
  Backout botched patch, approved by Emmanuel Dreyfus.

1.5   12-Jul-2005   manu
  Safety checks on informational messages.

1.4   08-May-2005   manu
  More NAT-T fixes for the situation where racoon acts as a VPN client. Flush SA and generated SP on DPD timeout and deletion payloads.

1.3   27-Apr-2005   manu
  Bug fixes from the ipsec-tools 0.6 branch:
  - Fix NAT-T problems that prevented multiple peers behind the same NAT from talking to the same machine outside the NAT. This also requires kernel fixes (already committed earlier).
  - Fix an LP64 bug.
  - Fix NAT-T RFC conformance bugs (missing non-ESP marker in packets).
  - Add a -p option to setkey to display ports that could be used for ESP over UDP when printing policies.

1.2   19-Apr-2005   manu
  Fix simple DES support (security problems for racoon to racoon setups). Fix broken generated policies flush.

1.1   12-Feb-2005   manu
  branches: 1.1.1;
  Initial revision.
#
1.1.1.6 |
|
08-Sep-2006 |
manu |
Migrate ipsec-tools CVS to cvs.netbsd.org
|
#
1.1.1.5 |
|
19-Aug-2005 |
manu |
Import ipsec-tools 0.6.1
|
#
1.1.1.4 |
|
07-Aug-2005 |
manu |
Update ipsec-tools to 0.6.1rc1 Most of the changes since 0.6b4 have already been committed to the NetBSD tree. This upgrade fixes some IPcomp and NAT-T related problems that were left unadressed in the NetBSD tree.
|
#
1.1.1.3 |
|
14-Mar-2005 |
manu |
branches: 1.1.1.3.2; Import ipsec-tools ipsec-tools-0_6-20050314
|
#
1.1.1.2 |
|
23-Feb-2005 |
manu |
Import ipsec-tools 0.6 branch as of 2005/02/23. News from last imported version according to ipsec-tools' ChangeLog:
2005-02-23 Emmanuel Dreyfus <manu@netbsd.org>
* configure.ac, src/racoon/{Makefile.am|crypto_openssl.c}: optionnal support for patented algorithms: IDEA and RC5. * src/racoon/{isakmp_xauth.c|main.c}: don't initialize RADIUS if it is not required in the configuration * src/racoon/isakmp.c: do not reject addresses for which kernel refused UDP encapsulation, they can still be used for non NAT-T traffic (eg: NAT-T enabled racoon on non NAT-T enabled kernel)
2005-02-18 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{main.c|eaytest.c|plairsa-gen.c} src/setkey/setkey.c: don't use fuzzy paths for package_version.h
2005-02-18 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp_inf.c: Purge generated SPDs when getting a related DELETE_SA * src/racoon/pfkey.c: do NOT unbindph12() when SA acquire
2005-02-17 Emmanuel Dreyfus <manu@netbsd.org>
From Fred Senault <fred.letter@lacave.net> * src/racoon/remoteconf.c: Fix a bug in script init
2005-02-17 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/ipsec_doi.c: Workaround for phase1 lifetime checks
2005-02-15 Michal Ludvig <michal@logix.cz>
* configure.ac: Changed --enable-natt_NN to --enable-natt-versions=NN,NN
|
#
1.1.1.1 |
|
12-Feb-2005 |
manu |
Import ipsec-tools (tag ipsec-tools-0_6-base in ipsec-tools CVS) ipsec-tools is a fork from KAME racoon/libipsec/setkey, with many enhancements.
|
#
1.1.1.3.2.8 |
|
13-Apr-2007 |
ghen |
Apply patch (requested by adrianp in ticket #1763): crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c Fix a denial of service vulnerability (CVE-2007-1841) which could allow an attacker to disrupt a connection between IPSec peers.
|
#
1.1.1.3.2.7 |
|
21-Nov-2005 |
tron |
branches: 1.1.1.3.2.7.2; 1.1.1.3.2.7.4; Apply patch (requested by manu in ticket #981): Update ipsec-tools to version 0.6.3.
|
#
1.1.1.3.2.6 |
|
03-Sep-2005 |
snj |
Apply patch (requested by tron in ticket #741): Update ipsec-tools to version 0.6.1.
|
#
1.1.1.3.2.5 |
|
12-Jul-2005 |
tron |
Backout ticket 579 because it causes build failures.
|
#
1.1.1.3.2.4 |
|
12-Jul-2005 |
tron |
Pull up revision 1.5 (requested by manu in ticket #579): Safety checks on informational messages
|
#
1.1.1.3.2.3 |
|
11-May-2005 |
tron |
Pull up revision 1.4 (requested by manu in ticket #277): More NAT-T fixes for the situation where racoon acts as a VPN client.
Flush SA and generated SP on DPD timeout and deletion payloads.
|
#
1.1.1.3.2.2 |
|
01-May-2005 |
tron |
Pull up revision 1.3 (requested by manu in ticket #215): Bug fixes from the ipsec-tools 0.6 branch:
- Fix NAT-T problems that prevented multiple peers behind the same NAT from talking to the same machine outside the NAT. This also requires kernel fixes (already committed earlier)
- Fix a LP64 bug
- Fix NAT-T RFC conformance bugs (missing non ESP marker in packets)
- Add a -p option to setkey to display ports that could be used for ESP over UDP when printing policies
|
#
1.1.1.3.2.1 |
|
20-Apr-2005 |
tron |
Pull up revision 1.2 (requested by manu in ticket #179): Fix simple DES support (security problems for racoon to racoon setups).
Fix broken generated policies flush.
|
#
1.1.1.3.2.7.4.1 |
|
13-Apr-2007 |
ghen |
Apply patch (requested by adrianp in ticket #1763): crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c Fix a denial of service vulnerability (CVE-2007-1841) which could allow an attacker to disrupt a connection between IPSec peers.
|
#
1.1.1.3.2.7.2.1 |
|
13-Apr-2007 |
ghen |
Apply patch (requested by adrianp in ticket #1763): crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c Fix a denial of service vulnerability (CVE-2007-1841) which could allow an attacker to disrupt a connection between IPSec peers.
|
#
1.13.2.3 |
|
18-Aug-2008 |
jdc |
Upgrade ipsec-tools to release 0.7.1 (requested by manu in ticket #1183).
|
#
1.13.2.2 |
|
28-Aug-2007 |
liamjfoy |
branches: 1.13.2.2.2; Pull up following revision(s) (requested by manu in ticket #830):
Import ipsec-tools 0.7
|
#
1.13.2.1 |
|
13-May-2007 |
jdc |
branches: 1.13.2.1.2; Upgrade ipsec-tools to 0.7-beta3 (Requested by manu in ticket #634).
|
#
1.13.2.2.2.1 |
|
18-Aug-2008 |
jdc |
Upgrade ipsec-tools to release 0.7.1 (requested by manu in ticket #1183).
|
#
1.13.2.1.2.2 |
|
04-Sep-2008 |
skrll |
Sync with netbsd-4.
|
#
1.13.2.1.2.1 |
|
03-Sep-2007 |
wrstuden |
Sync w/ NetBSD-4-RC_1
|
#
1.14.4.18 |
|
22-Jan-2011 |
tteras |
From Roman Hoog Antink <rha@open.ch>: Fixes a null pointer dereference that might occur after removing peers from the config and then reloading.
|
#
1.14.4.17 |
|
18-May-2009 |
tteras |
From Tomas Mraz: Remove variable that is not really used; only referenced while uninitialized causing valgrind error.
|
#
1.14.4.16 |
|
20-Apr-2009 |
tteras |
Originally from Bin Li: Fix possible memory corruption in binsanitize().
|
#
1.14.4.15 |
|
17-Sep-2008 |
vanhu |
Fixed port match in purge_ipsec_spi() when NAT-T enabled and trying to purge non NAT-T SAs
|
#
1.14.4.14 |
|
11-Jul-2008 |
tteras |
Original patch from Atis Elsts: Fix a double memory free and a memory corruption (LIST_REMOVE() on an uninserted node) in some error handling paths.
|
#
1.14.4.13 |
|
02-Jul-2008 |
vanhu |
From Timo Teras: fixed some %d to %zu (size_t values).
|
#
1.14.4.12 |
|
18-Jun-2008 |
mgrooms |
Use utility functions to evaluate and manipulate network port values. No functional changes. Submitted by Timo Teras.
|
#
1.14.4.11 |
|
25-Apr-2008 |
vanhu |
From Timo Teras: extract port numbers from SADB_X_EXT_NAT_T[SD]PORT if present in purge_ipsec_spi().
|
#
1.14.4.10 |
|
11-Jan-2008 |
vanhu |
From Timo Teras: reset iph1->dpd_r_u in the scheduler's callback, to avoid access to freed memory.
|
#
1.14.4.9 |
|
11-Jan-2008 |
vanhu |
From Krzysztof Oledzki: added some details to some logs (also reported new getph1byaddr() arg).
|
#
1.14.4.8 |
|
01-Aug-2007 |
vanhu |
use a single PATH_IPSEC_H to fix some path_to_ipsec.h issues
|
#
1.14.4.7 |
|
04-May-2007 |
vanhu |
added some debug for DELETE_SA process
|
#
1.14.4.6 |
|
26-Mar-2007 |
vanhu |
Store the DPD main scheduler in ph1 handler, to be able to cancel it when removing the handler, and some minor cleanups in DPD code
|
#
1.14.4.5 |
|
21-Mar-2007 |
vanhu |
NULL sched check is now done in SCHED_KILL
|
#
1.14.4.4 |
|
20-Feb-2007 |
vanhu |
Removed a debug printf....
|
#
1.14.4.3 |
|
20-Feb-2007 |
vanhu |
fills creation date of generated SPDs
|
#
1.14.4.2 |
|
15-Feb-2007 |
vanhu |
From "Uncle Pedro" on sf.net: Just expire a ph1 handle when receiving a DELETE-SA instead of calling purge_remote().
|
#
1.14.4.1 |
|
01-Feb-2007 |
vanhu |
From "Uncle Pedro" on sf.net: When receiving an ISAKMP DELETE_SA, get the cookie of the SA to be deleted from payload instead of just deleting the ISAKMP SA used to protect the informational exchange.
|
#
1.22.8.2 |
|
18-Jul-2007 |
vanhu |
use a single PATH_IPSEC_H to fix some path_to_ipsec.h issues
|
#
1.22.8.1 |
|
18-Jul-2007 |
vanhu |
file isakmp_inf.c was added on branch matt-mips64 on 2007-07-18 12:07:52 +0000
|
#
1.22.4.1 |
|
22-Mar-2008 |
matt |
sync with HEAD
|
#
1.24.2.1 |
|
24-Mar-2008 |
keiichi |
sync with head.
|
#
1.26.2.1 |
|
18-May-2008 |
yamt |
sync with head.
|
#
1.27.2.3 |
|
23-Sep-2008 |
wrstuden |
Merge in changes between wrstuden-revivesa-base-2 and wrstuden-revivesa-base-3.
|
#
1.27.2.2 |
|
17-Sep-2008 |
wrstuden |
Sync with wrstuden-revivesa-base-2.
|
#
1.27.2.1 |
|
22-Jun-2008 |
wrstuden |
Sync w/ -current. 34 merge conflicts to follow.
|
#
1.34.4.1 |
|
08-Feb-2009 |
snj |
Apply patch (requested by manu/spz in #378): Downgrade ipsec-tools to 0.7.1nb1.
|
#
1.36.2.1 |
|
13-May-2009 |
jym |
Sync with HEAD.
Third (and last) commit. See http://mail-index.netbsd.org/source-changes/2009/05/13/msg221222.html
|
#
1.44.2.1 |
|
08-Feb-2011 |
bouyer |
Sync with HEAD
|
#
1.47.6.2 |
|
22-May-2014 |
yamt |
sync with head.
for a reference, the tree before this commit was tagged as yamt-pagecache-tag8.
this commit was split into small chunks to avoid a limitation of cvs. ("Protocol error: too many arguments")
|
#
1.47.6.1 |
|
30-Oct-2012 |
yamt |
sync with head
|
#
1.47.2.3 |
|
12-Apr-2013 |
tteras |
Some logging improvements.
|
#
1.47.2.2 |
|
23-Jan-2013 |
tteras |
Fix handling of deletion notification.
|
#
1.47.2.1 |
|
29-Aug-2012 |
tteras |
From Roman Hoog Antink <rha@open.ch>: Accept DPD messages with cookies also in reversed order for compatibility. At least Cisco 836 running IOS 12.3(8)T does this.
|
#
1.48.2.2 |
|
23-Jun-2013 |
tls |
resync from head
|
#
1.48.2.1 |
|
24-Feb-2013 |
tls |
resync with head
|