NetBSD Problem Report #54020

From  Tue Feb 26 21:38:11 2019
Date: Tue, 26 Feb 2019 21:38:10 +0000 (UTC)
Subject: three patches for ipsec-tools
X-Send-Pr-Version: www-1.0

>Number:         54020
>Category:       misc
>Synopsis:       three patches for ipsec-tools
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    misc-bug-people
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Tue Feb 26 21:40:00 +0000 2019
>Originator:     Maciej S. Szmigiero
I am attaching three patches for ipsec-tools (crypto/dist/ipsec-tools),
since NetBSD is now this package's upstream.

The first one fixes freeing an uninitialized pointer in binbuf_pubkey2rsa()
on an error path.

If we take the first error path (the one where the decoded string doesn't
make sense) in binbuf_pubkey2rsa(), we call BN_free() on "exp", so we have
to make sure that we NULL-initialize it.

The second one fixes the ipsec-tools Linux build, a configuration that some
recent code changes have broken.

The third one makes racoon use CLOCK_BOOTTIME for measuring time, if
this clock is available.

The difference between CLOCK_BOOTTIME and CLOCK_MONOTONIC is that
CLOCK_MONOTONIC stops when the machine is sleeping.

The Linux kernel uses CLOCK_BOOTTIME for measuring things like SA expiry times.
We should do likewise, so we don't get a different view than the kernel and
our peers of when exactly our SAs expire when the machine gets suspended and
then resumed.


The three patches are available at:
