History log of /src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c
Revision  Date  Author  Comments
 1.12  08-Mar-2025  christos more cleanups (const related, format strings)
 1.11  07-Mar-2025  christos modernize, prototypes, int -> ssize_t/size_t in simple cases, remove dead
code, pass some lint.
 1.10  05-Oct-2018  christos branches: 1.10.12;
From Thomas Reim:

Current racoon code cannot detect duplicate last fragments as it uses
the fragment flag instead of the fragment number.

The code does not consider that the IKE payload fragments might not be
received in the correct order. In this case, packet complete detection
will again fail and VPN clients are abandoned from VPN service.
Nevertheless, clients still can add fragments to the fragment queue and
fill it up to the possible 255 fragments. Only duplicates are detected,
but not the fragments with a number greater than the last fragment
number.

The last fragment number is kept in the Phase 1 handler
after fragment queue deletion, which may lead to error notifications
after successful reassembly of the IKE phase 1 message.

In general, the 2017's CVE fix added laconic and difficult to understand
failure notifications, which do not much help for analysis, why a VPN
client was blocked by racoon server.

This patch fixes the code and aligns it to Microsoft/Cisco IKE
fragmentation specification. It provides error logging which is in line
with above specification and adds some debug info to the logs to better
support analysis of VPN client blackballing.

XXX: pullup-8
 1.9  02-Oct-2018  christos PR/53646: Thomas Reim: Incorrect detection of the packet complete code in
fragment list check.

While the fix in https://launchpad.net/~rdratlos/+archive/ubuntu/racoon

- if (i > last_frag) /* It is complete */
+ if (i >= last_frag) /* It is complete */

has the correct behavior, it violates the test for successful
completion of the invariant of the loop:

for (i = 1; i <= last_frag; i++) {
if (!check_fragment_index())
break;
}
if (i > last_frag)
return ok;

It is better to move the check for NULL in the loop earlier, so that
the final iteration is done and the test is kept the same. It makes
the code easier to understand and preserves the original intent.

XXX: pullup-8
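
The loop-invariant argument of revision 1.9, as an added example that is not racoon's code: `struct frag` and both function names are hypothetical, and the "late" variant is an assumed reconstruction of the pre-fix ordering based only on the commit message above.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for an item of the sorted fragment chain. */
struct frag {
	int num;            /* fragment number, counted from 1 */
	struct frag *next;  /* next item, or NULL at the end of the chain */
};

/* Assumed pre-fix order: the NULL test follows the advance, so it also
 * fires right after the last fragment matched and leaves i == last_frag. */
static int complete_late_null(const struct frag *it, int last_frag)
{
	int i;
	for (i = 1; i <= last_frag; i++) {
		if (it->num != i)   /* gap in the chain */
			break;
		it = it->next;
		if (it == NULL)     /* end of chain */
			break;
	}
	return i > last_frag;
}

/* NULL test moved first: the final iteration completes, every break means
 * "not complete", and the post-loop test stays i > last_frag. */
static int complete_early_null(const struct frag *it, int last_frag)
{
	int i;
	for (i = 1; i <= last_frag; i++) {
		if (it == NULL)     /* not all fragments seen yet */
			break;
		if (it->num != i)   /* gap in the chain */
			break;
		it = it->next;
	}
	return i > last_frag;
}

int main(void)
{
	/* Constructed chain 1 -> 2 -> 3, with fragment 3 flagged as last. */
	struct frag c = {3, NULL}, b = {2, &c}, a = {1, &b};

	printf("late NULL test:  %d\n", complete_late_null(&a, 3));
	printf("early NULL test: %d\n", complete_early_null(&a, 3));
	return 0;
}
```

With the early NULL test, a complete chain is the only way to leave the loop with `i > last_frag`, so the completion test needs no change.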
 1.8  19-May-2018  maxv branches: 1.8.2;
More unused variables.
 1.7  23-Jul-2017  christos branches: 1.7.2;
PR/51682: Antoine Beaupré: Simplify and comment previous patch.
XXX: pullup-8
 1.6  24-Jan-2017  christos branches: 1.6.4;
PR/51682: Avoid DoS with fragment out of order insertion; keep fragments
sorted in the list.
 1.5  22-Apr-2009  tteras branches: 1.5.32; 1.5.36;
From Neil Kettle: Fix a possible null pointer dereference in fragmentation
code.
 1.4  09-Sep-2006  manu branches: 1.4.6; 1.4.28;
Migration of ipsec-tools to NetBSD CVS part 2: resolving the import conflicts.
Since we previously had a release branch and we import here the HEAD of CVS,
let's assume all local changes are to be dumped. Local patches should have
been propagated upstream, anyway.
 1.3  21-Nov-2005  manu Merge ipsec-tools 0.6.3 import
 1.2  20-Aug-2005  manu Update to ipsec-tools 0.6.1
 1.1  12-Feb-2005  manu branches: 1.1.1;
Initial revision
 1.1.1.2  23-Feb-2005  manu branches: 1.1.1.2.2;
Import ipsec-tools 0.6 branch as of 2005/02/23. News from last imported version
according to ipsec-tools' ChangeLog:

2005-02-23 Emmanuel Dreyfus <manu@netbsd.org>

* configure.ac, src/racoon/{Makefile.am|crypto_openssl.c}: optional
support for patented algorithms: IDEA and RC5.
* src/racoon/{isakmp_xauth.c|main.c}: don't initialize RADIUS if it
is not required in the configuration
* src/racoon/isakmp.c: do not reject addresses for which kernel
refused UDP encapsulation, they can still be used for non NAT-T
traffic (eg: NAT-T enabled racoon on non NAT-T enabled kernel)

2005-02-18 Emmanuel Dreyfus <manu@netbsd.org>

* src/racoon/{main.c|eaytest.c|plairsa-gen.c}
src/setkey/setkey.c: don't use fuzzy paths for package_version.h

2005-02-18 Yvan Vanhullebus <vanhu@free.fr>

* src/racoon/isakmp_inf.c: Purge generated SPDs when getting a
related DELETE_SA
* src/racoon/pfkey.c: do NOT unbindph12() when SA acquire

2005-02-17 Emmanuel Dreyfus <manu@netbsd.org>

From Fred Senault <fred.letter@lacave.net>
* src/racoon/remoteconf.c: Fix a bug in script init

2005-02-17 Yvan Vanhullebus <vanhu@free.fr>

* src/racoon/ipsec_doi.c: Workaround for phase1 lifetime checks

2005-02-15 Michal Ludvig <michal@logix.cz>

* configure.ac: Changed --enable-natt_NN to --enable-natt-versions=NN,NN
 1.1.1.1  12-Feb-2005  manu Import ipsec-tools (tag ipsec-tools-0_6-base in ipsec-tools CVS)
ipsec-tools is a fork from KAME racoon/libipsec/setkey, with many
enhancements.
 1.1.1.2.2.2  21-Nov-2005  tron Apply patch (requested by manu in ticket #981):
Update ipsec-tools to version 0.6.3.
 1.1.1.2.2.1  03-Sep-2005  snj Apply patch (requested by tron in ticket #741):
Update ipsec-tools to version 0.6.1.
 1.4.28.1  13-May-2009  jym Sync with HEAD.

Third (and last) commit. See http://mail-index.netbsd.org/source-changes/2009/05/13/msg221222.html
 1.4.6.1  22-Apr-2009  tteras From Neil Kettle: Fix a possible null pointer dereference in fragmentation
code.
 1.5.36.1  21-Apr-2017  bouyer Sync with HEAD
 1.5.32.1  20-Mar-2017  pgoyette Sync with HEAD
 1.6.4.1  31-Aug-2017  bouyer Pull up following revision(s) (requested by christos in ticket #233):
crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c: revision 1.7
PR/51682: Antoine Beaupré: Simplify and comment previous patch.
XXX: pullup-8
 1.7.2.2  20-Oct-2018  pgoyette Sync with head
 1.7.2.1  21-May-2018  pgoyette Sync with HEAD
 1.8.2.2  21-Apr-2020  martin Sync with HEAD
 1.8.2.1  10-Jun-2019  christos Sync with HEAD
 1.10.12.1  02-Aug-2025  perseant Sync with HEAD
