Up to [cvs.NetBSD.org] / src / crypto / dist / ipsec-tools / src / racoon
Default branch: MAIN
Current tag: MAIN
Revision 1.10, Fri Oct 5 20:12:37 2018 UTC (4 years, 5 months ago) by christos
Branch: MAIN
CVS Tags: phil-wifi-20200421,
phil-wifi-20200411,
phil-wifi-20200406,
phil-wifi-20191119,
phil-wifi-20190609,
pgoyette-compat-20190127,
pgoyette-compat-20190118,
pgoyette-compat-1226,
pgoyette-compat-1126,
pgoyette-compat-1020,
netbsd-9-base,
netbsd-9-3-RELEASE,
netbsd-9-2-RELEASE,
netbsd-9-1-RELEASE,
netbsd-9-0-RELEASE,
netbsd-9-0-RC2,
netbsd-9-0-RC1,
netbsd-9,
netbsd-10-base,
netbsd-10,
is-mlppp-base,
is-mlppp,
cjep_sun2x-base1,
cjep_sun2x-base,
cjep_sun2x,
cjep_staticlib_x-base1,
cjep_staticlib_x-base,
cjep_staticlib_x,
HEAD
Changes since 1.9: +51 -26 lines
From Thomas Reim: Current racoon code cannot detect duplicate last fragments as it uses the fragment flag instead of the fragment number. The code does not consider that the IKE payload fragments might not be received in the correct order. In this case, packet complete detection will again fail and VPN clients are abandoned from VPN service. Nevertheless, clients can still add fragments to the fragment queue and fill it up to the possible 255 fragments. Only duplicates are detected, but not the fragments with a number greater than the last fragment number. The last fragment number is kept in the Phase 1 handler after fragment queue deletion, which may lead to error notifications after successful reassembly of the IKE phase 1 message. In general, the 2017 CVE fix added laconic and difficult to understand failure notifications, which do not help much in analysing why a VPN client was blocked by the racoon server. This patch fixes the code and aligns it to the Microsoft/Cisco IKE fragmentation specification. It provides error logging which is in line with the above specification and adds some debug info to the logs to better support analysis of VPN client blackballing. XXX: pullup-8
Revision 1.9, Tue Oct 2 18:49:24 2018 UTC (4 years, 5 months ago) by christos
Branch: MAIN
Changes since 1.8: +3 -3 lines
PR/53646: Thomas Reim: Incorrect detection of the packet complete code in fragment list check. While the fix in
    https://launchpad.net/~rdratlos/+archive/ubuntu/racoon

- if (i > last_frag) /* It is complete */
+ if (i >= last_frag) /* It is complete */

has the correct behavior, it violates the test for successful completion of the invariant of the loop:

    for (i = 1; i <= last_frag; i++) {
        if (!check_fragment_index())
            break;
    }
    if (i > last_frag)
        return ok;

It is better to move the check for NULL in the loop earlier, so that the final iteration is done and the test is kept the same. It makes the code easier to understand and preserves the original intent.

XXX: pullup-8
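Review bot: on the + line, i >= last_frag is also true when the loop shown in this message breaks at i == last_frag, so with that loop a failed index check on the final fragment is indistinguishable from normal completion. Keep if (i > last_frag) and move the NULL check earlier in the loop so the last iteration runs, and add a comment on the loop stating that i == last_frag + 1 is the only completion condition.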
Revision 1.8, Sat May 19 19:32:16 2018 UTC (4 years, 10 months ago) by maxv
Branch: MAIN
CVS Tags: phil-wifi-base,
pgoyette-compat-0930,
pgoyette-compat-0906,
pgoyette-compat-0728,
pgoyette-compat-0625,
pgoyette-compat-0521
Branch point for: phil-wifi
Changes since 1.7: +1 -2 lines
More unused variables.
Revision 1.7, Sun Jul 23 05:40:27 2017 UTC (5 years, 8 months ago) by christos
Branch: MAIN
CVS Tags: pgoyette-compat-base,
pgoyette-compat-0502,
pgoyette-compat-0422,
pgoyette-compat-0415,
pgoyette-compat-0407,
pgoyette-compat-0330,
pgoyette-compat-0322,
pgoyette-compat-0315
Branch point for: pgoyette-compat
Changes since 1.6: +10 -5 lines
PR/51682: Antoine Beaupré: Simplify and comment previous patch. XXX: pullup-8
Revision 1.6, Tue Jan 24 19:23:31 2017 UTC (6 years, 2 months ago) by christos
Branch: MAIN
CVS Tags: prg-localcount2-base3,
prg-localcount2-base2,
prg-localcount2-base1,
prg-localcount2-base,
prg-localcount2,
pgoyette-localcount-20170426,
pgoyette-localcount-20170320,
perseant-stdc-iso10646-base,
perseant-stdc-iso10646,
netbsd-8-base,
bouyer-socketcan-base1
Branch point for: netbsd-8
Changes since 1.5: +63 -32 lines
PR/51682: Avoid DoS with fragment out of order insertion; keep fragments sorted in the list.
Revision 1.5, Wed Apr 22 11:24:20 2009 UTC (13 years, 11 months ago) by tteras
Branch: MAIN
CVS Tags: yamt-pagecache-tag8,
yamt-pagecache-base9,
yamt-pagecache-base8,
yamt-pagecache-base7,
yamt-pagecache-base6,
yamt-pagecache-base5,
yamt-pagecache-base4,
yamt-pagecache-base3,
yamt-pagecache-base2,
yamt-pagecache-base,
yamt-pagecache,
tls-maxphys-base,
tls-maxphys,
tls-earlyentropy-base,
tls-earlyentropy,
riastradh-xf86-video-intel-2-7-1-pre-2-21-15,
riastradh-drm2-base3,
riastradh-drm2-base2,
riastradh-drm2-base1,
riastradh-drm2-base,
riastradh-drm2,
pgoyette-localcount-base,
pgoyette-localcount-20170107,
pgoyette-localcount-20161104,
pgoyette-localcount-20160806,
pgoyette-localcount-20160726,
netbsd-7-nhusb-base-20170116,
netbsd-7-nhusb-base,
netbsd-7-nhusb,
netbsd-7-base,
netbsd-7-2-RELEASE,
netbsd-7-1-RELEASE,
netbsd-7-1-RC2,
netbsd-7-1-RC1,
netbsd-7-1-2-RELEASE,
netbsd-7-1-1-RELEASE,
netbsd-7-1,
netbsd-7-0-RELEASE,
netbsd-7-0-RC3,
netbsd-7-0-RC2,
netbsd-7-0-RC1,
netbsd-7-0-2-RELEASE,
netbsd-7-0-1-RELEASE,
netbsd-7-0,
netbsd-7,
netbsd-6-base,
netbsd-6-1-RELEASE,
netbsd-6-1-RC4,
netbsd-6-1-RC3,
netbsd-6-1-RC2,
netbsd-6-1-RC1,
netbsd-6-1-5-RELEASE,
netbsd-6-1-4-RELEASE,
netbsd-6-1-3-RELEASE,
netbsd-6-1-2-RELEASE,
netbsd-6-1-1-RELEASE,
netbsd-6-1,
netbsd-6-0-RELEASE,
netbsd-6-0-RC2,
netbsd-6-0-RC1,
netbsd-6-0-6-RELEASE,
netbsd-6-0-5-RELEASE,
netbsd-6-0-4-RELEASE,
netbsd-6-0-3-RELEASE,
netbsd-6-0-2-RELEASE,
netbsd-6-0-1-RELEASE,
netbsd-6-0,
netbsd-6,
matt-premerge-20091211,
matt-nb6-plus-nbase,
matt-nb6-plus-base,
matt-nb6-plus,
matt-mips64-premerge-20101231,
localcount-20160914,
khorben-n900,
jym-xensuspend-nbase,
jym-xensuspend-base,
ipsec-tools-0_8_2,
ipsec-tools-0_8_1,
ipsec-tools-0_8_0,
ipsec-tools-0_8-branch,
cherry-xenmp-base,
cherry-xenmp,
bouyer-socketcan-base,
bouyer-quota2-nbase,
bouyer-quota2-base,
bouyer-quota2,
agc-symver-base,
agc-symver
Branch point for: pgoyette-localcount,
bouyer-socketcan
Changes since 1.4: +3 -2 lines
From Neil Kettle: Fix a possible null pointer dereference in fragmentation code.
Revision 1.4, Sat Sep 9 16:22:09 2006 UTC (16 years, 6 months ago) by manu
Branch: MAIN
CVS Tags: yamt-pf42-baseX,
yamt-pf42-base4,
yamt-pf42-base3,
yamt-pf42-base2,
yamt-pf42-base,
yamt-pf42,
wrstuden-revivesa-base-3,
wrstuden-revivesa-base-2,
wrstuden-revivesa-base-1,
wrstuden-revivesa-base,
wrstuden-revivesa,
wrstuden-fixsa-newbase,
wrstuden-fixsa-base-1,
wrstuden-fixsa-base,
wrstuden-fixsa,
netbsd-5-base,
netbsd-5-2-RELEASE,
netbsd-5-2-RC1,
netbsd-5-2-3-RELEASE,
netbsd-5-2-2-RELEASE,
netbsd-5-2-1-RELEASE,
netbsd-5-2,
netbsd-5-1-RELEASE,
netbsd-5-1-RC4,
netbsd-5-1-RC3,
netbsd-5-1-RC2,
netbsd-5-1-RC1,
netbsd-5-1-5-RELEASE,
netbsd-5-1-4-RELEASE,
netbsd-5-1-3-RELEASE,
netbsd-5-1-2-RELEASE,
netbsd-5-1-1-RELEASE,
netbsd-5-1,
netbsd-5-0-RELEASE,
netbsd-5-0-RC4,
netbsd-5-0-RC3,
netbsd-5-0-RC2,
netbsd-5-0-RC1,
netbsd-5-0-2-RELEASE,
netbsd-5-0-1-RELEASE,
netbsd-5-0,
netbsd-5,
netbsd-4-base,
netbsd-4-0-RELEASE,
netbsd-4-0-RC5,
netbsd-4-0-RC4,
netbsd-4-0-RC3,
netbsd-4-0-RC2,
netbsd-4-0-RC1,
netbsd-4-0-1-RELEASE,
netbsd-4-0,
netbsd-4,
mjf-devfs2-base,
mjf-devfs2,
matt-nb5-pq3-base,
matt-nb5-pq3,
matt-nb5-mips64-u2-k2-k4-k7-k8-k9,
matt-nb5-mips64-u1-k1-k5,
matt-nb5-mips64-premerge-20101231,
matt-nb5-mips64-premerge-20091211,
matt-nb5-mips64-k15,
matt-nb5-mips64,
matt-nb4-mips64-k7-u2a-k9b,
matt-mips64-base2,
matt-mips64-base,
matt-mips64,
matt-armv6-prevmlocking,
matt-armv6-nbase,
matt-armv6-base,
matt-armv6,
keiichi-mipv6-base,
keiichi-mipv6,
ipsec-tools-0_7_1,
ipsec-tools-0_7-rc1,
ipsec-tools-0_7-beta3,
ipsec-tools-0_7-beta2,
ipsec-tools-0_7-beta1,
ipsec-tools-0_7-base,
ipsec-tools-0_7-RC1,
ipsec-tools-0_7,
hpcarm-cleanup-nbase,
hpcarm-cleanup-base,
hpcarm-cleanup,
cube-autoconf-base,
cube-autoconf
Branch point for: jym-xensuspend,
ipsec-tools-0_7-branch
Changes since 1.3: +0 -0 lines
Migration of ipsec-tools to NetBSD CVS part 2: resolving the import conflicts. Since we previously had a release branch and we import here the HEAD of CVS, let's assume all local changes are to be dumped. Local patches should have been propagated upstream, anyway.
Revision 1.3, Mon Nov 21 14:20:29 2005 UTC (17 years, 4 months ago) by manu
Branch: MAIN
CVS Tags: abandoned-netbsd-4-base,
abandoned-netbsd-4
Changes since 1.2: +0 -0 lines
Merge ipsec-tools 0.6.3 import
Revision 1.2, Sat Aug 20 00:57:06 2005 UTC (17 years, 7 months ago) by manu
Branch: MAIN
Changes since 1.1: +3 -1 lines
Update to ipsec-tools 0.6.1
Revision 1.1, Sat Feb 12 11:12:20 2005 UTC (18 years, 1 month ago) by manu
Branch: MAIN
Initial revision