The NetBSD Project

CVS log for src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c



Default branch: MAIN


Revision 1.8.2.2, Tue Apr 21 18:41:28 2020 UTC (12 months ago) by martin
Branch: phil-wifi
Changes since 1.8.2.1: +1 -1 lines
FILE REMOVED

Sync with HEAD

Revision 1.8.2.1, Mon Jun 10 21:41:08 2019 UTC (22 months, 1 week ago) by christos
Branch: phil-wifi
Changes since 1.8: +51 -26 lines

Sync with HEAD

Revision 1.7.2.2, Sat Oct 20 06:58:16 2018 UTC (2 years, 6 months ago) by pgoyette
Branch: pgoyette-compat
CVS Tags: pgoyette-compat-merge-20190127
Changes since 1.7.2.1: +51 -26 lines

Sync with head

Revision 1.10, Fri Oct 5 20:12:37 2018 UTC (2 years, 6 months ago) by christos
Branch: MAIN
CVS Tags: phil-wifi-20200421, phil-wifi-20200411, phil-wifi-20200406, phil-wifi-20191119, phil-wifi-20190609, pgoyette-compat-20190127, pgoyette-compat-20190118, pgoyette-compat-1226, pgoyette-compat-1126, pgoyette-compat-1020, netbsd-9-base, netbsd-9-1-RELEASE, netbsd-9-0-RELEASE, netbsd-9-0-RC2, netbsd-9-0-RC1, netbsd-9, is-mlppp-base, is-mlppp, HEAD
Changes since 1.9: +51 -26 lines

From Thomas Reim:

Current racoon code cannot detect duplicate last fragments as it uses
the fragment flag instead of the fragment number.

The code does not consider that the IKE payload fragments might not be
received in the correct order. In this case, packet complete detection
will again fail and VPN clients are abandoned by the VPN service.
Nevertheless, clients still can add fragments to the fragment queue and
fill it up to the possible 255 fragments. Only duplicates are detected,
but not the fragments with a number greater than the last fragment
number.

The last fragment number is kept in the Phase 1 handler
after fragment queue deletion, which may lead to error notifications
after successful reassembly of the IKE phase 1 message.

In general, the 2017 CVE fix added laconic and difficult-to-understand
failure notifications, which do not help much in analysing why a VPN
client was blocked by the racoon server.

This patch fixes the code and aligns it to the Microsoft/Cisco IKE
fragmentation specification. It provides error logging which is in line
with the above specification and adds some debug info to the logs to better
support analysis of VPN client blackballing.

XXX: pullup-8

Revision 1.9, Tue Oct 2 18:49:24 2018 UTC (2 years, 6 months ago) by christos
Branch: MAIN
Changes since 1.8: +3 -3 lines

PR/53646: Thomas Reim: Incorrect detection of the packet complete code in
fragment list check.

While the fix in https://launchpad.net/~rdratlos/+archive/ubuntu/racoon

	- if (i > last_frag) /* It is complete */
	+ if (i >= last_frag) /* It is complete */

has the correct behavior, it violates the test for successful
completion of the invariant of the loop:

    for (i = 1; i <= last_frag; i++) {
        if (!check_fragment_index())
            break;
    }
    if (i > last_frag)
        return ok;

It is better to move the check for NULL in the loop earlier, so that
the final iteration is done and the test is kept the same. It makes
the code easier to understand and preserves the original intent.

XXX: pullup-8
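The fragment-list handling discussed in the 1.10 and 1.9 messages above, as an added example in C that is not racoon's code: an assumed, simplified fragment queue (every struct, enum and function name here is this example's own, not one from isakmp_frag.c) that detects duplicates by fragment number rather than by the "last" flag, rejects indices beyond the known last fragment, keeps the NULL check inside the completeness loop so that "i > last_frag" stays the loop's own exit condition, and resets the last fragment number when the queue is released.

```c
#include <stdlib.h>

/* Assumed, simplified model of an IKE fragment queue; the names below are
 * this example's own, not racoon's. Only the fragment index is tracked,
 * and the queue stays sorted by index as revision 1.6 describes. */
#define FRAG_MAX 255

struct frag {
    int index;              /* fragment number, 1-based */
    struct frag *next;
};

struct frag_queue {
    struct frag *head;      /* sorted ascending by index */
    int last_frag;          /* index of the fragment flagged "last", 0 until seen */
};

enum {
    FRAG_OK = 0,
    FRAG_BAD_INDEX = -1,    /* index outside 1..FRAG_MAX */
    FRAG_DUPLICATE = -2,    /* this index is already queued */
    FRAG_BEYOND_LAST = -3,  /* index larger than the known last fragment number */
    FRAG_LAST_CONFLICT = -4,/* "last" flag contradicts what is already queued */
    FRAG_NOMEM = -5
};

/* Insert one fragment, keeping the queue sorted. Duplicates, including a
 * duplicate last fragment, are detected by index rather than by the flag. */
int frag_queue_add(struct frag_queue *q, int index, int is_last)
{
    struct frag **pp, *f;
    if (index < 1 || index > FRAG_MAX)
        return FRAG_BAD_INDEX;
    if (q->last_frag != 0 && index > q->last_frag)
        return FRAG_BEYOND_LAST;
    if (is_last && q->last_frag != 0 && q->last_frag != index)
        return FRAG_LAST_CONFLICT;
    for (pp = &q->head; *pp != NULL && (*pp)->index < index; pp = &(*pp)->next)
        ;
    if (*pp != NULL && (*pp)->index == index)
        return FRAG_DUPLICATE;
    if (is_last && *pp != NULL)     /* a higher index is already queued */
        return FRAG_LAST_CONFLICT;
    if ((f = malloc(sizeof *f)) == NULL)
        return FRAG_NOMEM;
    f->index = index;
    f->next = *pp;
    *pp = f;
    if (is_last)
        q->last_frag = index;       /* recorded only once the fragment is queued */
    return FRAG_OK;
}

/* Completeness test in the shape the revision 1.9 message defends: the NULL
 * check lives inside the loop, so the loop runs to the end exactly when
 * indices 1..last_frag are all present and "i > last_frag" is its own exit
 * condition. 'i' is an int on purpose: a uint8_t counter could never exceed
 * 255 and would loop forever when last_frag == 255. */
int frag_queue_complete(const struct frag_queue *q)
{
    const struct frag *f = q->head;
    int i;
    if (q->last_frag == 0)
        return 0;
    for (i = 1; i <= q->last_frag; i++) {
        if (f == NULL || f->index != i)
            break;
        f = f->next;
    }
    return i > q->last_frag;
}

/* Drop the queue and reset last_frag, so a stale last fragment number cannot
 * raise error notifications after a successful reassembly. */
void frag_queue_free(struct frag_queue *q)
{
    struct frag *f, *next;
    for (f = q->head; f != NULL; f = next) {
        next = f->next;
        free(f);
    }
    q->head = NULL;
    q->last_frag = 0;
}

/* Constructed scenario: fragments 3 (last), 1, 2 arrive out of order; a
 * conflicting "last", a duplicate last fragment and an index beyond the last
 * are rejected on the way. Returns 1 if every step behaved as described. */
int frag_demo(void)
{
    struct frag_queue q = { NULL, 0 };
    int ok = 1;
    ok &= frag_queue_add(&q, 3, 1) == FRAG_OK;
    ok &= frag_queue_complete(&q) == 0;
    ok &= frag_queue_add(&q, 1, 0) == FRAG_OK;
    ok &= frag_queue_add(&q, 2, 1) == FRAG_LAST_CONFLICT;
    ok &= frag_queue_add(&q, 3, 1) == FRAG_DUPLICATE;
    ok &= frag_queue_add(&q, 4, 0) == FRAG_BEYOND_LAST;
    ok &= frag_queue_complete(&q) == 0;
    ok &= frag_queue_add(&q, 2, 0) == FRAG_OK;
    ok &= frag_queue_complete(&q) == 1;
    frag_queue_free(&q);
    ok &= q.last_frag == 0 && frag_queue_complete(&q) == 0;
    return ok;
}
```

The sorted insert is what makes both checks cheap: a duplicate is found at the insertion point, and a "last" marker with anything queued after it is spotted without a separate scan. Note the queue is bounded by construction once the last fragment number is known, which is the point of rejecting indices above it instead of letting the list grow to 255 entries.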

Revision 1.7.2.1, Mon May 21 04:35:49 2018 UTC (2 years, 11 months ago) by pgoyette
Branch: pgoyette-compat
Changes since 1.7: +1 -2 lines

Sync with HEAD

Revision 1.8, Sat May 19 19:32:16 2018 UTC (2 years, 11 months ago) by maxv
Branch: MAIN
CVS Tags: phil-wifi-base, pgoyette-compat-0930, pgoyette-compat-0906, pgoyette-compat-0728, pgoyette-compat-0625, pgoyette-compat-0521
Branch point for: phil-wifi
Changes since 1.7: +1 -2 lines

More unused variables.

Revision 1.6.4.1, Thu Aug 31 08:50:57 2017 UTC (3 years, 7 months ago) by bouyer
Branch: netbsd-8
CVS Tags: netbsd-8-2-RELEASE, netbsd-8-1-RELEASE, netbsd-8-1-RC1, netbsd-8-0-RELEASE, netbsd-8-0-RC2, netbsd-8-0-RC1, matt-nb8-mediatek-base, matt-nb8-mediatek
Changes since 1.6: +10 -5 lines

Pull up following revision(s) (requested by christos in ticket #233):
	crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c: revision 1.7
PR/51682: Antoine Beaupré: Simplify and comment previous patch.
XXX: pullup-8

Revision 1.7, Sun Jul 23 05:40:27 2017 UTC (3 years, 9 months ago) by christos
Branch: MAIN
CVS Tags: pgoyette-compat-base, pgoyette-compat-0502, pgoyette-compat-0422, pgoyette-compat-0415, pgoyette-compat-0407, pgoyette-compat-0330, pgoyette-compat-0322, pgoyette-compat-0315
Branch point for: pgoyette-compat
Changes since 1.6: +10 -5 lines

PR/51682: Antoine Beaupré: Simplify and comment previous patch.
XXX: pullup-8

Revision 1.5.36.1, Fri Apr 21 16:50:42 2017 UTC (4 years ago) by bouyer
Branch: bouyer-socketcan
Changes since 1.5: +63 -32 lines

Sync with HEAD

Revision 1.5.32.1, Mon Mar 20 06:51:38 2017 UTC (4 years, 1 month ago) by pgoyette
Branch: pgoyette-localcount
Changes since 1.5: +63 -32 lines

Sync with HEAD

Revision 1.6, Tue Jan 24 19:23:31 2017 UTC (4 years, 2 months ago) by christos
Branch: MAIN
CVS Tags: prg-localcount2-base3, prg-localcount2-base2, prg-localcount2-base1, prg-localcount2-base, prg-localcount2, pgoyette-localcount-20170426, pgoyette-localcount-20170320, perseant-stdc-iso10646-base, perseant-stdc-iso10646, netbsd-8-base, bouyer-socketcan-base1
Branch point for: netbsd-8
Changes since 1.5: +63 -32 lines

PR/51682: Avoid DoS with fragment out of order insertion; keep fragments
sorted in the list.

Revision 1.4.28.1, Wed May 13 19:15:54 2009 UTC (11 years, 11 months ago) by jym
Branch: jym-xensuspend
Changes since 1.4: +3 -2 lines

Sync with HEAD.

Third (and last) commit. See http://mail-index.netbsd.org/source-changes/2009/05/13/msg221222.html

Revision 1.4.6.1, Wed Apr 22 11:25:35 2009 UTC (12 years ago) by tteras
Branch: ipsec-tools-0_7-branch
CVS Tags: ipsec-tools-0_7_3, ipsec-tools-0_7_2
Changes since 1.4: +3 -2 lines

From Neil Kettle: Fix a possible null pointer dereference in fragmentation
code.

Revision 1.5, Wed Apr 22 11:24:20 2009 UTC (12 years ago) by tteras
Branch: MAIN
CVS Tags: yamt-pagecache-tag8, yamt-pagecache-base9, yamt-pagecache-base8, yamt-pagecache-base7, yamt-pagecache-base6, yamt-pagecache-base5, yamt-pagecache-base4, yamt-pagecache-base3, yamt-pagecache-base2, yamt-pagecache-base, yamt-pagecache, tls-maxphys-base, tls-maxphys, tls-earlyentropy-base, tls-earlyentropy, riastradh-xf86-video-intel-2-7-1-pre-2-21-15, riastradh-drm2-base3, riastradh-drm2-base2, riastradh-drm2-base1, riastradh-drm2-base, riastradh-drm2, pgoyette-localcount-base, pgoyette-localcount-20170107, pgoyette-localcount-20161104, pgoyette-localcount-20160806, pgoyette-localcount-20160726, netbsd-7-nhusb-base-20170116, netbsd-7-nhusb-base, netbsd-7-nhusb, netbsd-7-base, netbsd-7-2-RELEASE, netbsd-7-1-RELEASE, netbsd-7-1-RC2, netbsd-7-1-RC1, netbsd-7-1-2-RELEASE, netbsd-7-1-1-RELEASE, netbsd-7-1, netbsd-7-0-RELEASE, netbsd-7-0-RC3, netbsd-7-0-RC2, netbsd-7-0-RC1, netbsd-7-0-2-RELEASE, netbsd-7-0-1-RELEASE, netbsd-7-0, netbsd-7, netbsd-6-base, netbsd-6-1-RELEASE, netbsd-6-1-RC4, netbsd-6-1-RC3, netbsd-6-1-RC2, netbsd-6-1-RC1, netbsd-6-1-5-RELEASE, netbsd-6-1-4-RELEASE, netbsd-6-1-3-RELEASE, netbsd-6-1-2-RELEASE, netbsd-6-1-1-RELEASE, netbsd-6-1, netbsd-6-0-RELEASE, netbsd-6-0-RC2, netbsd-6-0-RC1, netbsd-6-0-6-RELEASE, netbsd-6-0-5-RELEASE, netbsd-6-0-4-RELEASE, netbsd-6-0-3-RELEASE, netbsd-6-0-2-RELEASE, netbsd-6-0-1-RELEASE, netbsd-6-0, netbsd-6, matt-premerge-20091211, matt-nb6-plus-nbase, matt-nb6-plus-base, matt-nb6-plus, matt-mips64-premerge-20101231, localcount-20160914, khorben-n900, jym-xensuspend-nbase, jym-xensuspend-base, ipsec-tools-0_8_2, ipsec-tools-0_8_1, ipsec-tools-0_8_0, ipsec-tools-0_8-branch, cherry-xenmp-base, cherry-xenmp, bouyer-socketcan-base, bouyer-quota2-nbase, bouyer-quota2-base, bouyer-quota2, agc-symver-base, agc-symver
Branch point for: pgoyette-localcount, bouyer-socketcan
Changes since 1.4: +3 -2 lines

From Neil Kettle: Fix a possible null pointer dereference in fragmentation
code.

Revision 1.4, Sat Sep 9 16:22:09 2006 UTC (14 years, 7 months ago) by manu
Branch: MAIN
CVS Tags: yamt-pf42-baseX, yamt-pf42-base4, yamt-pf42-base3, yamt-pf42-base2, yamt-pf42-base, yamt-pf42, wrstuden-revivesa-base-3, wrstuden-revivesa-base-2, wrstuden-revivesa-base-1, wrstuden-revivesa-base, wrstuden-revivesa, wrstuden-fixsa-newbase, wrstuden-fixsa-base-1, wrstuden-fixsa-base, wrstuden-fixsa, netbsd-5-base, netbsd-5-2-RELEASE, netbsd-5-2-RC1, netbsd-5-2-3-RELEASE, netbsd-5-2-2-RELEASE, netbsd-5-2-1-RELEASE, netbsd-5-2, netbsd-5-1-RELEASE, netbsd-5-1-RC4, netbsd-5-1-RC3, netbsd-5-1-RC2, netbsd-5-1-RC1, netbsd-5-1-5-RELEASE, netbsd-5-1-4-RELEASE, netbsd-5-1-3-RELEASE, netbsd-5-1-2-RELEASE, netbsd-5-1-1-RELEASE, netbsd-5-1, netbsd-5-0-RELEASE, netbsd-5-0-RC4, netbsd-5-0-RC3, netbsd-5-0-RC2, netbsd-5-0-RC1, netbsd-5-0-2-RELEASE, netbsd-5-0-1-RELEASE, netbsd-5-0, netbsd-5, netbsd-4-base, netbsd-4-0-RELEASE, netbsd-4-0-RC5, netbsd-4-0-RC4, netbsd-4-0-RC3, netbsd-4-0-RC2, netbsd-4-0-RC1, netbsd-4-0-1-RELEASE, netbsd-4-0, netbsd-4, mjf-devfs2-base, mjf-devfs2, matt-nb5-pq3-base, matt-nb5-pq3, matt-nb5-mips64-u2-k2-k4-k7-k8-k9, matt-nb5-mips64-u1-k1-k5, matt-nb5-mips64-premerge-20101231, matt-nb5-mips64-premerge-20091211, matt-nb5-mips64-k15, matt-nb5-mips64, matt-nb4-mips64-k7-u2a-k9b, matt-mips64-base2, matt-mips64-base, matt-mips64, matt-armv6-prevmlocking, matt-armv6-nbase, matt-armv6-base, matt-armv6, keiichi-mipv6-base, keiichi-mipv6, ipsec-tools-0_7_1, ipsec-tools-0_7-rc1, ipsec-tools-0_7-beta3, ipsec-tools-0_7-beta2, ipsec-tools-0_7-beta1, ipsec-tools-0_7-base, ipsec-tools-0_7-RC1, ipsec-tools-0_7, hpcarm-cleanup-nbase, hpcarm-cleanup-base, hpcarm-cleanup, cube-autoconf-base, cube-autoconf
Branch point for: jym-xensuspend, ipsec-tools-0_7-branch
Changes since 1.3: +0 -0 lines

Migration of ipsec-tools to NetBSD CVS part 2: resolving the import conflicts.
Since we previously had a release branch and we import here the HEAD of CVS,
let's assume all local changes are to be dumped. Local patches should have
been propagated upstream, anyway.

Revision 1.1.1.2.2.2, Mon Nov 21 21:12:30 2005 UTC (15 years, 5 months ago) by tron
Branch: netbsd-3
CVS Tags: netbsd-3-1-RELEASE, netbsd-3-1-RC4, netbsd-3-1-RC3, netbsd-3-1-RC2, netbsd-3-1-RC1, netbsd-3-1-1-RELEASE, netbsd-3-1, netbsd-3-0-RELEASE, netbsd-3-0-RC6, netbsd-3-0-RC5, netbsd-3-0-RC4, netbsd-3-0-RC3, netbsd-3-0-RC2, netbsd-3-0-3-RELEASE, netbsd-3-0-2-RELEASE, netbsd-3-0-1-RELEASE, netbsd-3-0
Changes since 1.1.1.2.2.1: +1 -1 lines

Apply patch (requested by manu in ticket #981):
Update ipsec-tools to version 0.6.3.

Revision 1.3, Mon Nov 21 14:20:29 2005 UTC (15 years, 5 months ago) by manu
Branch: MAIN
CVS Tags: abandoned-netbsd-4-base, abandoned-netbsd-4
Changes since 1.2: +0 -0 lines

Merge ipsec-tools 0.6.3 import

Revision 1.1.1.2.2.1, Sat Sep 3 07:03:49 2005 UTC (15 years, 7 months ago) by snj
Branch: netbsd-3
CVS Tags: netbsd-3-0-RC1
Changes since 1.1.1.2: +1 -1 lines

Apply patch (requested by tron in ticket #741):
Update ipsec-tools to version 0.6.1.

Revision 1.2, Sat Aug 20 00:57:06 2005 UTC (15 years, 8 months ago) by manu
Branch: MAIN
Changes since 1.1: +3 -1 lines

Update to ipsec-tools 0.6.1

Revision 1.1.1.2 (vendor branch), Wed Feb 23 14:54:19 2005 UTC (16 years, 2 months ago) by manu
Branch: IPSEC_TOOLS
CVS Tags: netbsd-3-base, ipsec-tools-base, ipsec-tools-0_6_3, ipsec-tools-0_6_2, ipsec-tools-0_6_1-rc1, ipsec-tools-0_6_1, ipsec-tools-0_6-20050317, ipsec-tools-0_6-20050314, ipsec-tools-0_6-20050224, ipsec-tools-0_6-20050223
Branch point for: netbsd-3
Changes since 1.1.1.1: +3 -1 lines

Import ipsec-tools 0.6 branch as of 2005/02/23. News from last imported version
according to ipsec-tools' ChangeLog:

2005-02-23  Emmanuel Dreyfus <manu@netbsd.org>

        * configure.ac, src/racoon/{Makefile.am|crypto_openssl.c}: optional
          support for patented algorithms: IDEA and RC5.
        * src/racoon/{isakmp_xauth.c|main.c}: don't initialize RADIUS if it
          is not required in the configuration
        * src/racoon/isakmp.c: do not reject addresses for which kernel
          refused UDP encapsulation, they can still be used for non NAT-T
          traffic (eg: NAT-T enabled racoon on non NAT-T enabled kernel)

2005-02-18  Emmanuel Dreyfus <manu@netbsd.org>

        * src/racoon/{main.c|eaytest.c|plairsa-gen.c}
          src/setkey/setkey.c: don't use fuzzy paths for package_version.h

2005-02-18  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/isakmp_inf.c: Purge generated SPDs when getting a
          related DELETE_SA
        * src/racoon/pfkey.c: do NOT unbindph12() when SA acquire

2005-02-17  Emmanuel Dreyfus <manu@netbsd.org>

        From Fred Senault <fred.letter@lacave.net>
        * src/racoon/remoteconf.c: Fix a bug in script init

2005-02-17  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/ipsec_doi.c: Workaround for phase1 lifetime checks

2005-02-15  Michal Ludvig  <michal@logix.cz>

        * configure.ac: Changed --enable-natt_NN to --enable-natt-versions=NN,NN

Revision 1.1.1.1 (vendor branch), Sat Feb 12 11:12:20 2005 UTC (16 years, 2 months ago) by manu
Branch: IPSEC_TOOLS
CVS Tags: ipsec-tools-0_6-base
Changes since 1.1: +0 -0 lines

Import ipsec-tools (tag ipsec-tools-0_6-base in ipsec-tools CVS)
ipsec-tools is a fork from KAME racoon/libipsec/setkey, with many
enhancements.

Revision 1.1, Sat Feb 12 11:12:20 2005 UTC (16 years, 2 months ago) by manu
Branch: MAIN

Initial revision





CVSweb <webmaster@jp.NetBSD.org>