$OpenBSD: BUGS,v 1.15 2006/06/02 19:35:55 hshoexer Exp $ $EOM: BUGS,v 1.38 2000/02/18 08:47:35 niklas Exp $ Until we have a bug-tracking system setup, we might just add bugs to this file: ------------------------------------------------------------------------------ * message_drop frees the message, this is sometimes wrong and can cause duplicate frees, for example when a proposal does not get chosen. [fixed] * Notifications should be their own exchanges, otherwise the IV gets disturbed. [fixed] * We need a death timeout on half-ready SAs just like exchanges. At the moment we leak SAs. * When we establish a phase 2 exchange we seem to get the wrong IV set, according to SSH's logs. [fixed] * If a phase 1 SA negotiation terminates with a cause that is to be sent in a NOTIFY to the peer, we get multiple free calls on the cleanup of the informational exchange. [fixed] * IKE mandates that a HASH should be added to informational exchanges in phase 2. [fixed] * Message_send requires an exchange to exist, and potentially it tries to encrypt a message multiple times when retransmitting. [fixed] * Multiple protocol proposals seems to fail. [fixed] * The initiator fails to match the responders choice of protocol suite with the correct one of its own when several are offered. [fixed] * Duplicate specified sections is not detected. [fixed] * Quick mode establishments via UI using -P bind-addr gets "Address already in use". * Not chosen proposals should be deleted from the protos list in the sa structure. [fixed] * Setting SPIs generates "Invalid argument" errors due to one tunnel endpoint being INADDR_ANY. [fixed] * ipsec_proto structs are never allocated. [fixed] * Remove SPIs of unused proposals. [fixed] * If the first proposal is turned down, the initiator gets confused. * Renegotiation after a failed phase 1 fails. * Phase 1 rekey event removal seems to be done twice. [fixed] * PF_ENCAP expirations does not find the proper phase 2 SA to remove. [fixed] * ISAKMP SA expirations should have a soft/hard timeout just like IPsec ones. The soft one should put a watchdog on the SA, and start a renegotiation as soon as something used the SA. Hard ones should just clean it up, no renegotiation at all. [fixed] * ISAKMP SAs does not get removed after rekeying. [fixed] * On-demand PF_ENCAP SAs does not get reestablished. [fixed] * Rekeying is now done automatically on expirations, it should not. The SAs should be brought up on-demand just like the first time. * Notifications regarding exchange errors seems to not have the right SPI, at least not in phase 1, in NO_PROPOSAL_CHOSEN. * Outgoing informational exchanges when we use INVALID_PAYLOAD_TYPE cause a DOI error. * In Linux select(2) of named pipes seems broken as they will return as readable even when nothing is there after one read has succeeded. * I have seen INITIAL-CONTACT sent on the second Main Mode. * When ID mismatches occur, coredumps may follow, investigate! * ESP+AH does not work properly * Looping QM seen (due to lost sendpackets from other participant?) * Teardown from UI does not remove exchanges. * Wrong error message when policy check fails. * Retransmit of QM (packet 1) after INFO/PAYLOAD_MALFORMED was received. * SIGSEGV after sa_enter: sa added to sa list, trigged by DELETE notify (Linux) * Passive connections, undefined local&remote IDs will cause IKE peer IDs to be used. * host route support in KLIPS does not work properly * When not having compiled in support for a certain crypto algorithm and the config file still tells us to propose it, we segfault.