« back to all changes in this revision
Viewing changes to ChangeLog
- browse files at revision 26
- compare with another revision
- download diff
- download tarball
- view history from revision 26
- Committer: Bazaar Package Importer
- Author(s): Chuck Short
- Date: 2010-05-05 02:26:50 UTC
- mfrom: (1.1.10 upstream) (3.1.8 sid)
- Revision ID: james.westby@ubuntu.com-20100505022650-z3tsr2uxt3npckr1
Tags: 1:0.7.3-6ubuntu1
* Merge from debian unstable. Remaining changes:
+ debian/control:
- Set Ubuntu maintainer address
- Depend on lsb-base
+ debian/ipsec-tools.setket.init: LSB init script.
+ debian/{control,rules}: add and enable hardening build for PIE
(Debian bug 542731)
+ src/racoon/ipsec_doi.c: Patched to fix segfault when using
ipv6 addresses in sainfo section of racoon.conf. Thanks to
Fredrik Ljunggren. (LP: #374185)
+ src/racoon/isakmp.c: Fix address already in use. (LP: #332606)
+ debian/control:
- Set Ubuntu maintainer address
- Depend on lsb-base
+ debian/ipsec-tools.setket.init: LSB init script.
+ debian/{control,rules}: add and enable hardening build for PIE
(Debian bug 542731)
+ src/racoon/ipsec_doi.c: Patched to fix segfault when using
ipv6 addresses in sainfo section of racoon.conf. Thanks to
Fredrik Ljunggren. (LP: #374185)
+ src/racoon/isakmp.c: Fix address already in use. (LP: #332606)
- files added:
- ChangeLog.old
- debian/patches
- debian/source
- files removed:
- debian/racoon.prerm
- files modified:
- ChangeLog
added
removed
ChangeLog
1
---------------------------------------------
2
3
0.7.1 released
4
5
6
2008-07-23 Timo Teras <timo.teras@iki.fi>
7
* src/libipsec/Makefile.am
8
src/racoon/Makefile.am
9
src/setkey/Makefile.am : do not remove flex/bison generated files
10
in distclean, also add the generated header file as BUILT_SOURCES
11
and use the standard autotools rule for generating them
12
* src/racoon/Makefile.am : do not use GNU make specific extension
13
14
2008-07-22 Yvan Vanhullebus <vanhu@netasq.com>
15
From Kohki Ohhira <ohhira@src.ricoh.co.jp>:
16
* src/racoon/proposal.c: fixed some memory leaks, when malloc
17
fails or when peer sends invalid proposals.
18
19
2008-07-21 Timo Teras <timo.teras@iki.fi>
20
* src/racoon/cfparse.y : do not set default gss id if xauth is used
21
22
2008-07-14 Matthew Grooms
23
* src/racoon/isakmp_cfg.c : fix hybrid enabled builds
24
25
2008-07-14 Matthew Grooms
26
* src/racoon/crypto_openssl.c
27
src/racoon/eaytest.c
28
src/racoon/misc.c
29
src/racoon/misc.h
30
src/racoon/racoonctl.c : fix conflict with freebsd8 hexdump()
31
32
2008-07-11 Timo Teras <timo.teras@iki.fi>
33
Track:259, original patch from Atis Elsts <the.kfx@gmail.com>:
34
* src/racoon/isakmp.c, src/racoon/isakmp_inf.c: fix double memfree
35
by changing copy_ph1addresses() to not free ph1 on failure
36
and remove misplaced remph1() calls causing memory corruption
37
38
2008-07-09 Timo Teras <timo.teras@iki.fi>
39
Track:269, from Chong Peng <chongpeng@gmail.com>:
40
* src/racoon/cfparse.y: remove parser initialization causing
41
fd leak from cfreparse() since cfparse() initializes it anyway
42
43
2008-07-02 Yvan Vanhullebus <vanhu@netasq.com>
44
Track:266, from Timo Teras <timo.teras@iki.fi>:
45
* src/racoon/isakmp_inf.c: fixed some %d to %zu (size_t values)
46
47
2008-06-18 Matthew Grooms
48
From Timo Teras <timo.teras@iki.fi>:
49
* src/racoon/grabmyaddr.c
50
src/racoon/ipsec_doi.c
51
src/racoon/isakmp.c
52
src/racoon/isakmp_cfg.c
53
src/racoon/isakmp_inf.c
54
src/racoon/remoteconf.c
55
src/racoon/admin.c : network port value manipulation cleanup
56
57
2008-04-25 Yvan Vanhullebus <vanhu@netasq.com>
58
Track:4, from Timo Teras:
59
* src/racoon/isakmp_inf.c: extract ports information from
60
SADB_X_EXT_NAT_T_[SD]PORT if present in purge_ipsec_spi()
61
62
2008-03-06 Yvan Vanhullebus <vanhu@netasq.com>
1
2009-08-13 tag ipsec-tools-0_7_3
2
3
2009-08-13 Yvan Vanhullebus <vanhu@netasq.com>
4
5
* NEWS, configure.ac: 0.7.3 release
6
7
* src/racoon/oakley.c: fixed a potential DoS in
8
oakley_do_decrypt(), reported by Orange Labs
9
10
2009-08-06 Timo Teras <timo.teras@iki.fi>
11
12
* src/setkey/setkey.c: From Paul Wenau: Check fgets return value in
13
setkey to make gcc happy.
14
15
2009-06-19 Timo Teras <timo.teras@iki.fi>
16
17
* src/racoon/ipsec_doi.c: Backport S.P.Zeidler's fix to IPv6
18
address related stack smashing in ipsecdoi_id2str() from CVS HEAD.
19
20
2009-05-18 Timo Teras <timo.teras@iki.fi>
21
22
* src/racoon/isakmp_inf.c: From Tomas Mraz: Remove variable that is
23
not really used; only referenced while uninitialized causing
24
valgrind error.
25
26
* src/racoon/nattraversal.c: From Tomas Mraz: Fix natt_flags check.
27
28
2009-04-29 Timo Teras <timo.teras@iki.fi>
29
30
* src/racoon/crypto_openssl.c: From Ross Meng: Fix a memory leak in
31
X509 certificate validation.
32
33
2009-04-22 tag ipsec-tools-0_7_2
34
35
2009-04-22 Timo Teras <timo.teras@iki.fi>
36
37
* NEWS, configure.ac: Updates for 0.7.2 release
38
39
* src/racoon/isakmp_frag.c: From Neil Kettle: Fix a possible null
40
pointer dereference in fragmentation code.
41
42
2009-04-20 Timo Teras <timo.teras@iki.fi>
43
44
* src/racoon/: isakmp_inf.c, isakmp_xauth.c, plog.c: Orignally from
45
Bin Li: Fix possible memory corruption in binsanitize().
46
47
* src/racoon/crypto_openssl.c: From Stephen Bevan: Fix a x509
48
signature verification memory leak.
49
50
* src/racoon/: admin.c, racoonctl.c: Originally from Bin Li: Fix a
51
crash with racoonctl logout user.
52
53
* src/racoon/nattraversal.c: Fix a memory leak in nat-t keepalive
54
code.
55
56
* src/racoon/handler.c: From Paul Moore: Phase2 message id's should
57
be unique wrt phase1, not globally.
58
59
2009-02-16 Timo Teras <timo.teras@iki.fi>
60
61
* src/libipsec/policy_parse.y: From Paul Moore: Fix a heap
62
corruption bug (yacc return non-null terminated buffer and sprintf
63
writes over bounds).
64
65
2009-01-20 Timo Teras <timo.teras@iki.fi>
66
67
* configure.ac: Fix a CPPLAGS typo to CPPFLAGS which was intended
68
69
* misc/cvs2cl.pl, misc/cvsusermap, Makefile.am: Autogenerate
70
ChangeLog from NetBSD CVS. Put sourceforge.net changes to
71
ChangeLog.old.
72
73
* misc/cvs2cl.pl: file cvs2cl.pl was added on branch
74
ipsec-tools-0_7-branch on 2009-01-20 14:36:32 +0000
75
76
* misc/cvsusermap: file cvsusermap was added on branch
77
ipsec-tools-0_7-branch on 2009-01-20 14:36:32 +0000
78
79
2008-11-27 Yvan Vanhullebus <vanhu@netasq.com>
80
81
* src/racoon/main.c: Set up a default value for Mode Config Pool
82
size if pool address specified but pool size not specified
83
84
* src/racoon/isakmp_cfg.c: Fixed pool resizing
85
86
2008-09-25 Yvan Vanhullebus <vanhu@netasq.com>
87
88
* src/racoon/isakmp.c: Fixed resending mechanism to have non-ESP
89
marker for retransmitted packets
90
91
2008-09-17 Yvan Vanhullebus <vanhu@netasq.com>
92
93
* src/racoon/isakmp_inf.c: Fixed port match in purge_ipsec_spi()
94
when NAT-T enabled and trying to purge non NAT-T SAs
95
96
2008-08-12 Yvan Vanhullebus <vanhu@netasq.com>
97
98
* src/racoon/isakmp.c: From Krzysztof Oledzki: Remove ph1handler if
99
we received an invalid first exchange from initiator.
100
101
2008-07-23 tag ipsec-tools-0_7_1
102
103
2008-07-23 Yvan Vanhullebus <vanhu@netasq.com>
104
105
* NEWS: NEWS for 0.7.1 release
106
107
2008-07-23 Timo Teras <timo.teras@iki.fi>
108
109
* src/racoon/Makefile.am: Do not use GNU make specific extension.
110
111
* src/: libipsec/Makefile.am, racoon/Makefile.am,
112
setkey/Makefile.am: Do flex/bison invocation in a more standard
113
way, and keep the generated files in the dist tarball.
114
115
2008-07-22 Yvan Vanhullebus <vanhu@netasq.com>
116
117
* configure.ac: 0.7.1 coming !
118
119
* src/racoon/proposal.c: From Kohki Ohhira: fix some memory leaks,
120
when malloc fails or when peer sends invalid proposal.
121
122
2008-07-21 Timo Teras <timo.teras@iki.fi>
123
124
* src/racoon/cfparse.y: Correct typo to fix the build.
125
126
* src/racoon/cfparse.y: Do not set default gss id if xauth is used.
127
128
2008-07-15 Matthew Grooms <mgrooms@shrew.net>
129
130
* src/racoon/isakmp_cfg.c: Fix an a typo that prevented racoon from
131
building with hybrid enabled.
132
133
* src/racoon/: crypto_openssl.c, eaytest.c, misc.c, misc.h,
134
racoonctl.c: Fix a conflict with the FreeBSD 8 system hexdump
135
function.
136
137
2008-07-11 Timo Teras <timo.teras@iki.fi>
138
139
* src/racoon/: isakmp.c, isakmp_inf.c: Original patch from Atis
140
Elsts: Fix a double memory free and a memory corruption
141
(LIST_REMOVE() on an uninserted node) in some error handling paths.
142
143
2008-07-09 Timo Teras <timo.teras@iki.fi>
144
145
* src/racoon/cfparse.y: From Chong Peng: fix a file descriptor and
146
memory leak on configuration file reread
147
148
2008-07-02 Yvan Vanhullebus <vanhu@netasq.com>
149
150
* src/racoon/isakmp_inf.c: From Timo Teras: fixed some %d to %zu
151
(size_t values).
152
153
2008-06-18 Matthew Grooms <mgrooms@shrew.net>
154
155
* src/racoon/: grabmyaddr.c, admin.c, ipsec_doi.c, isakmp.c,
156
isakmp_cfg.c, isakmp_inf.c, remoteconf.c: Use utility functions
157
to evaluate and manipulate network port values. No functional
158
changes. Submitted by Timo Teras.
159
160
2008-04-25 Yvan Vanhullebus <vanhu@netasq.com>
161
162
* src/racoon/isakmp_inf.c: From Timo Teras: extract port numbers
163
from SADB_X_EXT_NAT_T[SD]PORT if present in purge_ipsec_spi().
164
165
2008-03-06 Yvan Vanhullebus <vanhu@netasq.com>
166
63
167
* src/racoon/oakley.c: Generates a log if cert validation has been
64
disabled by configuration.
65
66
2008-03-05 Matthew Grooms
67
* src/racoon/cfparse.y: properly initialize the unity network struct
68
69
2008-03-05 Matthew Grooms
70
From Timo Teras <timo.teras@iki.fi>:
71
* src/racoon/pfkey.c: better handling for pfkey socket read errors
168
disabled by configuration
169
170
2008-03-05 Matthew Grooms <mgrooms@shrew.net>
171
172
* src/racoon/cfparse.y: Properly initialize the unity network
173
struct to prevent erroneous protocol and port info from being
174
transmitted.
175
176
* src/racoon/pfkey.c: Provide better handling for pfkey socket read
177
errors. Submitted by Timo Teras.
72
178
73
179
2008-02-25 Emmanuel Dreyfus <manu@netbsd.org>
74
From Brian Haley <brian.haley@hp.com>
75
* src/racoon/ipsec_doi.c: Do check SPI size (it was not due to a typo)
180
181
* src/racoon/ipsec_doi.c: From Brian Haley <brian.haley@hp.com>:
182
There's a cut/paste error in cmp_aproppair_i(), it's supposed to be
183
checking spi_size but it's not. I'm not sure this patch is correct,
184
but what's there isn't either.
185
186
Add fogotten entry in ChangeLog
76
187
77
188
2008-02-22 Emmanuel Dreyfus <manu@netbsd.org>
78
From Brian Haley <brian.haley@hp.com>
79
* src/racoon/isakmp.c: Fix address length
80
81
2008-01-11 Yvan Vanhullebus <vanhu@netasq.com>
82
* src/racoon/handler.[ch]: added an 'established' arg to getph1byaddr()
83
From Krzysztof Oledzki <olel@ans.pl>:
84
* src/racoon/isakmp.c: Only search for established ph1 handles in
85
DPD (also reported new getph1byaddr() arg)
86
* src/racoon/isakmp_inf.c: added some details to some logs (also
87
reported new getph1byaddr() arg)
88
* src/racoon/crypto_openssl.c: fixed compilation with idea and
89
recent gcc
90
From Timo Teras <timo.teras@iki.fi>:
91
* src/racoon/isakmp_inf.c: reset iph1->dpd_r_u in the scheduler's
92
callback, to avoid some access to freed memory
93
94
2007-11-29 Yvan Vanhullebus <vanhu@netasq.com>
95
From Natanael Copa <natanael.copa@gmail.com>:
96
* src/racoon/Makefile.am: fixed a race condition when building
97
yacc stuff.
98
99
2007-11-06 Yvan Vanhullebus <vanhu@netasq.com>
100
From Scott Lamb <slamb@slamb.org>
101
* src/racoon/plog.[ch]: new plog macro
102
* src/racoon/kmpstat.c: plog changed to _plog to work with new plog macro
103
* src/racoon/crypto_openssl.c: includes plog.h to work with the
104
new plog macro
105
106
2007-10-15 Yvan Vanhullebus <vanhu@netasq.com>
189
190
* src/racoon/isakmp.c: Fix bad address length computation, from
191
Brian Haley.
192
193
2008-01-11 Yvan Vanhullebus <vanhu@netasq.com>
194
195
* src/racoon/isakmp_inf.c: From Timo Teras: reset iph1->dpd_r_u in
196
the scheduler's callback, to avoid access to freed memory.
197
198
* src/racoon/crypto_openssl.c: From Krzysztof Oledzki: Fix
199
compilation with IDEA and recent gcc.
200
201
* src/racoon/isakmp_inf.c: From Krzysztof Oledzki: added some
202
details to some logs (also reported new getph1byaddr() arg).
203
204
* src/racoon/isakmp.c: From Krzysztof Oledzki: Only search for
205
established ph1 handles in DPD (also reported new getph1byaddr()
206
arg).
207
208
* src/racoon/: handler.c, handler.h: added an 'established' arg to
209
getph1byaddr()
210
211
2007-11-29 Yvan Vanhullebus <vanhu@netasq.com>
212
213
* src/racoon/Makefile.am: From Natanael Copa: fixed a race
214
condition when building yacc stuff.
215
216
2007-11-06 Yvan Vanhullebus <vanhu@netasq.com>
217
218
* src/racoon/crypto_openssl.c: From Scott Lamb: include plog.h to
219
work with the new plog macro.
220
221
* src/racoon/kmpstat.c: From Scott Lamb: plog changed to _plog to
222
work with new plog macro
223
224
* src/racoon/: plog.c, plog.h: From Scott Lamb: new plog macro.
225
226
2007-10-15 Yvan Vanhullebus <vanhu@netasq.com>
227
107
228
* src/libipsec/pfkey.c: Try to increase the buffer size of the
108
pfkey socket, this may help things when we have a huge SPD.
229
pfkey socket, this may help things when we have a huge SPD
109
230
110
231
2007-09-19 Matthew Grooms <mgrooms@shrew.net>
111
From Joy Latten <latten@austin.ibm.com>
112
* configure.ac: Fix autoconf check for selinux support.
232
233
* configure.ac: Fix autoconf check for selinux support. Submitted
234
by Joy Latten.
113
235
114
236
2007-09-03 Matthew Grooms <mgrooms@shrew.net>
115
* src/racoon/racoon.conf.5: Correct wins4 and nbns4 modecfg option syntax.
116
* src/racoon/cftoken.l: Add nbns4 as an alias for wins4.
117
118
---------------------------------------------
119
120
0.7 released
121
122
2007-08-07 Emmanuel Dreyfus <manu@netbsd.org>
237
238
* src/racoon/: cftoken.l, racoon.conf.5: Correct the syntax for
239
wins4 in the man page and add nbns4 as an alias. Pointed out by
240
Claas Langbehn.
241
242
2007-08-09 tag ipsec-tools-0_7
243
244
2007-08-09 Matthew Grooms <mgrooms@shrew.net>
245
246
* NEWS, configure.ac: Prepare for 0.7 release tag.
247
248
2007-08-07 Emmanuel Dreyfus <manu@netbsd.org>
249
123
250
* src/racoon/isakmp_xauth.c: Don't mix up RADIUS authentication and
124
251
authorization ports. Allow interoperability with freeradius
125
252
126
2007-08-01 Yvan Vanhullebus <vanhu@netasq.com>
127
* configure.ac
128
src/libipsec/ipsec_dump_policy.c
129
src/libipsec/ipsec_get_policylen.c
130
src/libipsec/ipsec_strerror.c
131
src/libipsec/key_debug.c
132
src/libipsec/libpfkey.h
133
src/libipsec/pfkey.c
134
src/libipsec/pfkey_dump.c
135
src/libipsec/policy_parse.y
136
src/libipsec/policy_token.l
137
src/libipsec/test-policy-priority.c
138
src/racoon/admin.c
139
src/racoon/backupsa.c
140
src/racoon/cfparse.y
141
src/racoon/cftoken.l
142
src/racoon/ipsec_doi.c
143
src/racoon/isakmp.c
144
src/racoon/isakmp_inf.c
145
src/racoon/isakmp_quick.c
146
src/racoon/pfkey.c
147
src/racoon/policy.c
148
src/racoon/proposal.c
149
src/racoon/remoteconf.c
150
src/racoon/sainfo.c
151
src/racoon/session.c
152
src/racoon/sockmisc.c
153
src/racoon/strnames.c
154
src/setkey/parse.y
155
src/setkey/setkey.c
156
src/setkey/token.l:
157
use a single PATH_IPSEC_H to fix some path_to_ipsec.h issues.
158
159
2007-07-18 Matthew Grooms <mgrooms@shrew.net>
160
* src/racoon/racoon.conf.5: various man page updates
161
162
2007-07-16 Yvan Vanhullebus <vanhu@netasq.com>
163
* src/racoon/grabmyaddr.c: fixed a socket leak.
164
165
---------------------------------------------
166
167
0.7.rc1 released
253
2007-08-01 Yvan Vanhullebus <vanhu@netasq.com>
254
255
* configure.ac, src/libipsec/ipsec_dump_policy.c,
256
src/libipsec/ipsec_get_policylen.c,
257
src/libipsec/ipsec_strerror.c, src/libipsec/key_debug.c,
258
src/libipsec/libpfkey.h, src/libipsec/pfkey.c,
259
src/libipsec/pfkey_dump.c, src/libipsec/policy_parse.y,
260
src/libipsec/policy_token.l, src/libipsec/test-policy-priority.c,
261
src/racoon/admin.c, src/racoon/backupsa.c, src/racoon/cfparse.y,
262
src/racoon/cftoken.l, src/racoon/ipsec_doi.c,
263
src/racoon/isakmp.c, src/racoon/isakmp_inf.c,
264
src/racoon/isakmp_quick.c, src/racoon/pfkey.c,
265
src/racoon/policy.c, src/racoon/proposal.c,
266
src/racoon/remoteconf.c, src/racoon/sainfo.c,
267
src/racoon/session.c, src/racoon/sockmisc.c,
268
src/racoon/strnames.c, src/setkey/parse.y, src/setkey/setkey.c,
269
src/setkey/token.l: use a single PATH_IPSEC_H to fix some
270
path_to_ipsec.h issues
271
272
2007-07-24 Matthew Grooms <mgrooms@shrew.net>
273
274
* NEWS: Update NEWS file with additional 0.7 improvements.
275
276
2007-07-18 Matthew Grooms <mgrooms@shrew.net>
277
278
* src/racoon/racoon.conf.5: Various racoon configuration manpage
279
updates.
280
281
2007-07-16 Yvan Vanhullebus <vanhu@netasq.com>
282
283
* src/racoon/grabmyaddr.c: fixed a socket leak
284
285
2007-06-12 tag ipsec-tools-0_7-RC1
286
287
2007-06-12 tag ipsec-tools-0_7-rc1
288
289
2007-06-12 Emmanuel Dreyfus <manu@netbsd.org>
290
291
* configure.ac: ipsec-tools used to use tags in lower case
292
293
2007-06-12 Yvan Vanhullebus <vanhu@netasq.com>
294
295
* configure.ac: 0.7-RC1
168
296
169
297
2007-06-07 Emmanuel Dreyfus <manu@netbsd.org>
170
From Paul Winder <Paul.Winder@tadpole.com>:
171
* src/racoon/isakmp_cfg.c: Fix ignored INTERNAL_DNS4_LIST
172
173
2007-06-06 Yvan Vanhullebus <vanhu@netasq.com>
298
299
* src/racoon/: main.c, policy.h, security.c: From Joy Latten
300
<latten@austin.ibm.com> Fix file descriptor shortage when using
301
labeled IPsec.
302
303
* src/racoon/isakmp_cfg.c: From Paul Winder
304
<Paul.Winder@tadpole.com> Fix ignored INTERNAL_DNS4_LIST
305
306
2007-06-06 Yvan Vanhullebus <vanhu@netasq.com>
307
308
* src/racoon/: eaytest.c, var.h: From Rong-En Fan: fix compilation
309
with gcc 4.2
310
311
2007-06-06 Emmanuel Dreyfus <manu@netbsd.org>
312
313
* src/racoon/kmpstat.c: From Jianli Liu <jlliu@nortel.com>: Use the
314
specified socket path instead of the default location
315
316
2007-06-06 Yvan Vanhullebus <vanhu@netasq.com>
317
318
* src/racoon/session.c: From Jianli Liu: speed up interfaces update
319
when they change.
320
174
321
* src/racoon/handler.c: ignore obsolete lifebyte when validating
175
reloaded configuration.
176
From Jianli Liu <jlliu@nortel.com>:
177
* src/racoon/session.c: speeds up interfaces update when they changed.
178
From Rong-En Fan <rafan@freebsd.org>
179
* src/racoon/{var.h|eaytest.c}: fixed compilation with gcc 4.2
180
181
2007-05-31 Emmanuel Dreyfus <manu@netbsd.org>
182
From Joy Latten <latten@austin.ibm.com>
183
* src/racoon/{main.c|policy.h|security.c}: Fix file descriptor
184
shortage when using labeled IPsec.
185
186
2007-05-30 Emmanuel Dreyfus <manu@netbsd.org>
187
From Jianli Liu <jlliu@nortel.com>:
188
* src/racoon/kmpstat.c: Use the specified socket path instead of
189
the default location
190
191
2007-05-04 Yvan Vanhullebus <vanhu@netasq.com>
192
* src/racoon/pfkey.c: Force the update of ph2 in pk_recvupdate()
193
if NAT_T support, to solve some port match problems with the
194
first IPSec SAs negociated as initiator.
195
* src/racoon/isakmp_inf.c: added some debug for DELETE_SA process.
322
reloaded configuration
323
324
2007-05-04 Yvan Vanhullebus <vanhu@netasq.com>
325
326
* src/racoon/handler.c: search a ph1 by address if iph2->ph1 is
327
NULL when validating the new config
328
329
* src/racoon/handler.c: added some debug in getph1byaddr() to track
330
some port matching problems with NAT-T
331
196
332
* src/racoon/isakmp.c: added some debug in isakmp_chkph1there() to
197
track some port matching problems with NAT-T.
198
* src/racoon/handler.c: added some debug in getph1byaddr() to
199
track some port matching problems with NAT-T.
200
* src/racoon/handler.c: search a ph1 by address if iph2->ph1 is
201
NULL when validating the new config.
202
203
2007-04-04 Yvan Vanhullebus <vanhu@netasq.com>
333
track some port matching problems with NAT-T
334
335
* src/racoon/isakmp_inf.c: added some debug for DELETE_SA process
336
337
* src/racoon/pfkey.c: Force the update of ph2 in pk_recvupdate() if
338
NAT_T support, to solve some port match problems with the first
339
IPSec SAs negociated as initiator
340
341
2007-04-04 Yvan Vanhullebus <vanhu@netasq.com>
342
343
* src/racoon/ipsec_doi.c: checks proto_id in ipsecdoi_chkcmpids()
344
204
345
* src/racoon/oakley.c: dumps peer's ID and peer's certificate
205
subject /subjectaltname if they don't match.
206
* src/racoon/ipsec_doi.c: checks proto_id in ipsecdoi_chkcmpids().
207
208
---------------------------------------------
209
210
0.7.beta3 released
211
212
2007-03-26 Yvan Vanhullebus <vanhu@netasq.com>
346
subject /subjectaltname if they don't match
347
348
2007-03-29 tag ipsec-tools-0_7-beta3
349
350
2007-03-29 Emmanuel Dreyfus <manu@netbsd.org>
351
352
* configure.ac: Bump to 0.7beta3
353
354
2007-03-26 Yvan Vanhullebus <vanhu@netasq.com>
355
213
356
* src/racoon/isakmp_inf.c: Store the DPD main scheduler in ph1
214
handler, to be able to cancel it when removing the handler, and
215
some minor cleanups in DPD code.
216
217
2007-03-23 Yvan Vanhullebus <vanhu@netasq.com>
218
* src/racoon/{oakley.c|racoon.conf.5}: give more details about
219
what is checked when using certificates to authenticate. Patch
220
by Cyrus Rahman.
357
handler, to be able to cancel it when removing the handler, and some
358
minor cleanups in DPD code
359
360
2007-03-23 Yvan Vanhullebus <vanhu@netasq.com>
361
362
* src/racoon/: ipsec_doi.c, security.c: From Joy Latten: fix a
363
segfault when using security labels between 32bit and 64bit host.
364
221
365
* src/racoon/handler.c: expire zombie handlers in getph2byid(), to
222
avoid situations where we'll never negociate a phase2
223
again. Would be better to find out why do we have such zombies !!
224
* src/racoon/{ipsec_doi.c|security.c}: fixed a segfault when using
225
security labels between a 32bit and a 64bit host. Patch by
226
Joy Latten.
227
228
2007-03-22 Yvan Vanhullebus <vanhu@netasq.com>
229
* src/racoon/{ipsec_doi.c|cfparse.y}: fixed subnet check to
230
generate IPV4_ADDRESS when needed in sockaddr2id().
231
232
2007-03-21 Yvan Vanhullebus <vanhu@netasq.com>
233
* src/racoon/schedule.h: checks if arg is NULL in SCHED_KILL.
234
* src/racoon/{handler.c|isakmp.c|isakmp_inf.c|pfkey.c}: NULL sched
235
check is now done in SCHED_KILL.
236
237
2007-03-15 Yvan Vanhullebus <vanhu@netasq.com>
366
avoid situations where we'll never negociate a phase2 again
367
368
* src/racoon/: oakley.c, racoon.conf.5: From Cyrus Rahman: give
369
more details about what is checked when using certificates to
370
authenticate
371
372
2007-03-22 Yvan Vanhullebus <vanhu@netasq.com>
373
374
* src/racoon/: cfparse.y, ipsec_doi.c: fixed subnet check to
375
generate IPV4_ADDRESS when needed in sockaddr2id()
376
377
2007-03-21 Yvan Vanhullebus <vanhu@netasq.com>
378
379
* src/racoon/: handler.c, isakmp.c, isakmp_inf.c, pfkey.c: NULL
380
sched check is now done in SCHED_KILL
381
382
* src/racoon/schedule.h: checks if arg is NULL in SCHED_KILL
383
384
2007-03-15 Yvan Vanhullebus <vanhu@netasq.com>
385
386
* src/racoon/grabmyaddr.c: From Yves-Alexis Perez: enable
387
monitoring of ipv6 address changes on Linux.
388
238
389
* src/racoon/isakmp.c: Consider a negociation timeout when
239
retry_counter is <=0 instead of < 0.
240
* src/racoon/grabmyaddr.c: enable monitoring of ipv6 addresse
241
changes on linux. Patch by Yves-Alexis Perez.
242
243
---------------------------------------------
244
245
0.7.beta2 released
246
247
2007-02-27 Matthew Grooms <mgrooms@shrew.net>
248
* src/racoon/ipsec_doi.c: add logic to match ip address ids to
249
ip subnet ids when appropriate. reported by Yvan.
250
251
2007-02-21 Yvan Vanhullebus <vanhu@netasq.com>
252
* src/racoon/ipsec_doi.c: block variable declaration before code
253
in ipsecdoi_id2str().
254
255
2007-02-20 Yvan Vanhullebus <vanhu@netasq.com>
256
* src/racoon/{handler.c|isakmp_var.h}: updated delete_spd() calls.
257
* src/racoon/isakmp.c: Only delete a generated SPD if it's
258
creation date matches the creation date of the SA we are
259
currently deleting.
260
* src/racoon/{pfkey.c|isakmp_inf.c}: fills creation date of
261
generated SPDs.
262
* src/racoon/policy.h: added 'created' var.
390
retry_counter is <=0 instead of < 0
391
392
2007-03-06 tag ipsec-tools-0_7-beta2
393
394
2007-03-06 Emmanuel Dreyfus <manu@netbsd.org>
395
396
* configure.ac: Bump to 0.7beta2
397
398
2007-03-01 Matthew Grooms <mgrooms@shrew.net>
399
400
* src/racoon/ipsec_doi.c: Add logic to allow ip address ids to be
401
matched to ip subnet ids when appropriate.
402
403
2007-02-21 Yvan Vanhullebus <vanhu@netasq.com>
404
405
* src/racoon/ipsec_doi.c: block variable declaration before code in
406
ipsecdoi_id2str()
407
408
2007-02-20 Yvan Vanhullebus <vanhu@netasq.com>
409
263
410
* src/racoon/isakmp_inf.c: Removed a debug printf....
264
411
265
2007-02-19 Yvan Vanhullebus <vanhu@netasq.com>
412
* src/racoon/isakmp.c: Only delete a generated SPD if it's creation
413
date matches the creation date of the SA we are currently deleting
414
415
* src/racoon/: handler.c, isakmp_var.h: updated delete_spd() calls
416
417
* src/racoon/: isakmp_inf.c, pfkey.c: fills creation date of
418
generated SPDs
419
420
* src/racoon/policy.h: added 'created' var
421
422
2007-02-19 Yvan Vanhullebus <vanhu@netasq.com>
423
266
424
* src/racoon/isakmp.c: Removed a debug printf....
267
425
268
2007-02-16 Yvan Vanhullebus <vanhu@netasq.com>
269
* src/racoon/ipsec_doi.c: Fixed a %zu in a printf. Reported by
270
Olivier Warin.
271
272
---------------------------------------------
273
274
0.7.beta1 released
275
276
2007-02-15 Emmanuel Dreyfus <manu@netbsd.org>
277
* configure.ac: fix typo in SELinux option
278
* src/racoon/security.c: missing file from Joy Latten
279
280
2007-02-15 Yvan Vanhullebus <vanhu@netasq.com>
426
2007-02-16 tag ipsec-tools-0_7-beta1
427
428
2007-02-16 Emmanuel Dreyfus <manu@netbsd.org>
429
430
* configure.ac: Bump to 0.7beta1
431
432
2007-02-16 Yvan Vanhullebus <vanhu@netasq.com>
433
434
* src/racoon/ipsec_doi.c: From Olivier Warin: Fix a %zu in a
435
printf.
436
437
2007-02-15 Emmanuel Dreyfus <manu@netbsd.org>
438
439
* src/racoon/security.c: Missing file for SELinux
440
441
* configure.ac: Missing stuff for SELinux
442
443
2007-02-15 Yvan Vanhullebus <vanhu@netasq.com>
444
445
* src/racoon/isakmp_inf.c: From "Uncle Pedro" on sf.net: Just
446
expire a ph1 handle when receiving a DELETE-SA instead of calling
447
purge_remote().
448
281
449
* src/racoon/isakmp.c: Fixed the way phase1/2 messages are
282
sent/resent, to avoid zombie handles and acces to freed memory.
283
* src/racoon/isakmp_inf.c: Just expire a ph1 handle when receiving
284
a DELETE-SA instead of calling purge_remote(). Reported by
285
"Uncle Pedro" on Sourceforge's bugtracker.
286
287
2007-02-02 Yvan Vanhullebus <vanhu@netasq.com>
288
* src/racoon/cfparse.y: Fixed a check of NAT-T support in libipsec.
289
290
2007-02-01 Yvan Vanhullebus <vanhu@netasq.com>
291
* src/racoon/isakmp_inf.c: When receiving an Isakmp DELETE_SA,
292
gets the cookie of the SA to be deleted from payload instead of
293
just deleting the Isakmp SA used to protect the informational.
294
Problem reported by "unclepedro" on Sourceforge's bugtracker.
295
296
2006-12-18 Yvan Vanhullebus <vanhu@netasq.com>
297
From Joy Latten <latten@austin.ibm.com>
298
* src/racoon/crypto_openssl.c: fixed a memory leak
299
300
---------------------------------------------
301
302
Branch for 0.7 created (ipsec-tools-0_7-branch)
303
304
2006-12-11 Emmanuel Dreyfus <manu@netbsd.org>
305
* src/libipsec/{Makefile.am|libpfkey.h|pfkey.c}
306
src/racoon/{backupsa.c|pfkey.c}: Bring back API and ABI backward
307
compatibility with previous libipsec interface change. Bump
308
libipsec minor version. Remove ifdefs in struct pfkey_send_sa_args
309
to avoid ABI compatibility lossage.
310
* src/libipsec/{libpfkey.h|pfkey.c} src/racoon/cfparse.y: add
311
capability flags to detect missing optional feature in libipsec
312
313
2006-12-10 Emmanuel Dreyfus <manu@netbsd.org>
314
From Joy Latten <latten@austin.ibm.com>
315
* src/racoon/Makefile.am
316
src/racoon/doc/README.plainrsa: new file documenting plain RSA auth
317
318
2006-12-09 Emmanuel Dreyfus <manu@netbsd.org>
319
From Joy Latten <latten@austin.ibm.com>
320
* configure.ac src/libipsec/{libpfkey.h|pfkey.c}
321
src/racoon/{Makefile.am|backupsa.c|backupsa.h|cftoken.l|ipsec_doi.c}
322
src/racoon/{ipsec_doi.h|isakmp_inf.c|isakmp_quick.c|pfkey.c|policy.c}
323
src/racoon/{policy.h|proposal.c|proposal.h|remoteconf.c}: Add support for SELinux security contexts. Also cleanup the libipsec
324
interface for adding and updating security associations.
325
326
From Simon Chang <simonychang@gmail.com>
327
* src/racoon/racoon.conf.5: More hints about plain RSA authentication
328
329
2006-12-05 Yvan Vanhullebus <vanhu@netasq.com>
330
* src/racoon/proposal.[ch]: Check keys length regarding
331
pcheck_level in cmpsatrns().
332
* src/racoon/racoon.conf.5: updated man page about what is
333
impacted by proposal_check level.
334
335
2006-11-12 Matthew Grooms <mgrooms@shrew.net>
336
* src/racoon/sainfo.c: fix anonymous sainfo selection.
337
338
2006-10-22 Yvan Vanhullebus <vanhu@netasq.com>
339
From Michal Ruzicka <michal.ruzicka@comstar.cz>:
340
* src/racoon/{backupsa.c|cfparse.y}: fixed typos.
341
342
2006-10-19 Yvan Vanhullebus <vanhu@netasq.com>
343
From Matthew Grooms:
344
* src/racoon/ipsec_doi.[ch]: Added ipsecdoi_chkcmpids() function
345
* src/racoon/sainfo.c: uses ipsecdoi_chkcmpids() and changed
346
src/dst to loc/rmt in getsainfo().
347
348
2006-10-09 Emmanuel Dreyfus <manu@netbsd.org>
349
* src/racoon/isakmp_unity.c: correctly check read() return (Coverity)
350
* src/racoon/proposal.c: Fix memory leak (Coverity)
351
352
2006-10-06 Emmanuel Dreyfus <manu@netbsd.org>
353
From Tomoyuki Okazaki <okazaki@kick.gr.jp>
354
* configure.ac src/libipsec/pfkey_dump.c
355
src/racoon/{algorithm.c|algorithm.h|cftoken.l|crypto_openssl.c}
356
src/racoon/{crypto_openssl.h|eaytest.c|ipsec_doi.c|ipsec_doi.h}
357
src/racoon/{oakley.h|pfkey.c|racoon.conf.5|strnames.c}
358
src/setkey/{setkey.8|test-pfkey.c|token.l}: Camelia cipher
359
support (RFC 4312)
360
361
2006-10-03 Emmanuel Dreyfus <manu@netbsd.org>
450
sent/resent, to avoid zombie handles and acces to freed memory
451
452
2007-02-02 Yvan Vanhullebus <vanhu@netasq.com>
453
454
* src/racoon/cfparse.y: Fixed a check of NAT-T support in libipsec
455
456
2007-02-01 Yvan Vanhullebus <vanhu@netasq.com>
457
458
* src/racoon/isakmp_inf.c: From "Uncle Pedro" on sf.net: When
459
receiving an ISAKMP DELETE_SA, get the cookie of the SA to be
460
deleted from payload instead of just deleting the ISAKMP SA used to
461
protect the informational exchange.
462
463
2006-12-18 Yvan Vanhullebus <vanhu@netasq.com>
464
465
* src/racoon/crypto_openssl.c: From Joy Latten: fix a memory leak
466
467
2006-12-10 tag ipsec-tools-0_7-base
468
469
2006-12-10 Emmanuel Dreyfus <manu@netbsd.org>
470
471
* src/: libipsec/Makefile.am, libipsec/libpfkey.h,
472
libipsec/pfkey.c, racoon/backupsa.c, racoon/cfparse.y,
473
racoon/pfkey.c: Bring back API and ABI backward compatibility
474
with previous libipsec before recent interface change. Bump libipsec
475
minor version. Remove ifdefs in struct pfkey_send_sa_args to avoid
476
ABI compatibility lossage. Add a capability flags to detect missing
477
optional feature in libipsec
478
479
* src/racoon/: Makefile.am, doc/README.plainrsa: From Joy Latten:
480
README.plainrsa documenting plain RSA auth
481
482
2006-12-09 Emmanuel Dreyfus <manu@netbsd.org>
483
484
* configure.ac, src/libipsec/libpfkey.h, src/libipsec/pfkey.c,
485
src/racoon/Makefile.am, src/racoon/backupsa.c,
486
src/racoon/backupsa.h, src/racoon/cftoken.l,
487
src/racoon/ipsec_doi.c, src/racoon/ipsec_doi.h,
488
src/racoon/isakmp_inf.c, src/racoon/isakmp_quick.c,
489
src/racoon/pfkey.c, src/racoon/policy.c, src/racoon/policy.h,
490
src/racoon/proposal.c, src/racoon/proposal.h,
491
src/racoon/remoteconf.c: From Joy Latten: Add support for SELinux
492
security contexts. Also cleanup the libipsec interface for adding
493
and updating security associations.
494
495
* src/racoon/racoon.conf.5: From Simon Chang: More hints about
496
plain RSA authentication
497
498
2006-12-05 Yvan Vanhullebus <vanhu@netasq.com>
499
500
* src/racoon/: proposal.c, proposal.h, racoon.conf.5: Check keys
501
length regarding proposal_check level
502
503
2006-11-16 Matthew Grooms <mgrooms@shrew.net>
504
505
* src/racoon/sainfo.c: Correct issues associated with anonymous
506
sainfo selection in racoon.
507
508
2006-11-09 Christos Zoulas <christos@netbsd.org>
509
510
* src/racoon/crypto_openssl.c: eliminate the only variable stack
511
array allocation.
512
513
2006-10-31 Christian Biere <cbiere@netbsd.org>
514
515
* src/racoon/sockmisc.c: Don't define the deprecated
516
IPV6_RECVDSTADDR if the "advanced IPv6 API" is used because
517
IPV6_RECVPKTINFO and IPV6_PKTINFO are used to prevent potential bugs
518
in the future just in case that the numeric value of the socket
519
option is ever recycled.
520
521
2006-10-22 Yvan Vanhullebus <vanhu@netasq.com>
522
523
* src/racoon/: backupsa.c, cfparse.y: From Michal Ruzicka: fix
524
typos
525
526
2006-10-19 Yvan Vanhullebus <vanhu@netasq.com>
527
528
* src/racoon/sainfo.c: From Matthew Grooms: use
529
ipsecdoi_chkcmpids() and changed src/dst to loc/rmt in getsainfo().
530
531
* src/racoon/: ipsec_doi.c, ipsec_doi.h: From Matthew Grooms: Added
532
ipsecdoi_chkcmpids() function.
533
534
2006-10-09 Emmanuel Dreyfus <manu@netbsd.org>
535
536
* src/racoon/proposal.c: Fix memory leak (Coverity 3438 and 3437)
537
538
* src/racoon/isakmp_unity.c: Correctly check read() return value:
539
it's signed (Coverity 1251)
540
541
2006-10-06 Emmanuel Dreyfus <manu@netbsd.org>
542
543
* configure.ac, src/libipsec/pfkey_dump.c, src/racoon/algorithm.c,
544
src/racoon/algorithm.h, src/racoon/cftoken.l,
545
src/racoon/crypto_openssl.c, src/racoon/crypto_openssl.h,
546
src/racoon/eaytest.c, src/racoon/ipsec_doi.c,
547
src/racoon/ipsec_doi.h, src/racoon/oakley.h, src/racoon/pfkey.c,
548
src/racoon/racoon.conf.5, src/racoon/strnames.c,
549
src/setkey/setkey.8, src/setkey/test-pfkey.c, src/setkey/token.l:
550
Camelia cipher support as in RFC 4312, from Tomoyuki Okazaki
551
<okazaki@kick.gr.jp>
552
553
2006-10-03 Emmanuel Dreyfus <manu@netbsd.org>
554
362
555
* src/racoon/admin.c: fix endianness issue introduced yesterday
363
556
364
2006-10-03 Yvan Vanhullebus <vanhu@netasq.com>
365
* src/racoon/{remoteconf.h|sainfo.h}: Added remoteid/ph1id values.
366
* src/racoon/{handler.c|isakmp_quick.c|pfkey.c|sainfo.c}: Uses
367
remoteid/ph1id values.
368
* src/racoon/{cfparse.y|cftoken.l}: Parses remoteid/ph1id values.
369
* src/racoon/racoon.conf.5: Added remoteid/ph1id syntax.
370
371
2006-10-02 Emmanuel Dreyfus <manu@netbsd.org>
372
* src/racoon/socketmisc.c: don't use NULL pointer (Coverity)
373
* src/racoon/racoonctl.c: don't use NULL pointer (Coverity)
374
* src/racoon/proposal.c: don't use NULL pointer (Coverity)
375
* src/racoon/pfkey.c: don't use NULL pointer (Coverity)
376
* src/racoon/ipsec_doi.c: don't use NULL pointer (Coverity)
377
* src/racoon/isakmp.c: don't use NULL pointer (Coverity)
378
* src/racoon/oakley.c: don't use NULL pointer (Coverity)
379
* src/racoon/admin.c: avoid reusing free'd pointer (Coverity)
380
* src/racoon/{admin.c|sockmisc.c}: Fix memory leak (Coverity), refactor
381
the code to use port get/set function
382
* src/racoon/admin.c: fix memory leak (Coverity)
383
* src/racoon/algorithm.c: fix array overrun (Coverity)
384
* src/racoon/isakmp_ident.c: Remove dead code (Coverity)
385
* src/racoon/isakmp_inf.c: Check for NULL pointer (Coverity)
386
* src/racoon/isakmp_base.c: avoid reusing free'd pointer (Coverity)
387
388
2006-10-01 Emmanuel Dreyfus <manu@netbsd.org>
389
* src/racoon/isakmp.c: Avoid using NULL pointer (Coverity)
390
* src/racoon/ipsec_doi.c: FIx memory leak (Coverity)
391
392
2006-09-30 Emmanuel Dreyfus <manu@netbsd.org>
393
* src/racoon/isakmp_agg.c: Remove dead code (Coverity)
394
* src/racoon/isakmp_cfg.c: Fix memory leak (Coverity)
395
* src/racoon/samples/roadwarrior/client/{phase1-up.sh|phase1-down.sh}:
396
update the scripts for wrorking around routing problems on NetBSD
397
* src/racoon/admin.c: Do not free id and key, as they are used later
398
* src/racoon/session.c: Reuse existing code for closing IKE sockets,
399
and avoid screwing things by setting p->sock = -1, which is not
400
expected (Coverity).
401
402
2006-09-29 Emmanuel Dreyfus <manu@netbsd.org>
403
* src/racoon/racoonctl.c: Fix the previous fix
404
405
2006-09-28 Emmanuel Dreyfus <manu@netbsd.org>
406
* src/racoon/racoonctl.c: Fix access after free (Coverity)
407
* src/racoon/isakmp_xauth.c: Fix unchecked mallocs (Coverity)
408
409
2006-09-26 Emmanuel Dreyfus <manu@netbsd.org>
410
* src/racoon/admin.c: Fix memory leaks in racoonctl (Coverity)
557
2006-10-03 Yvan Vanhullebus <vanhu@netasq.com>
558
559
* src/racoon/racoon.conf.5: Added remoteid/ph1id syntax
560
561
* src/racoon/: cfparse.y, cftoken.l: Parses remoteid/ph1id values
562
563
* src/racoon/: handler.c, isakmp_quick.c, pfkey.c, sainfo.c: Uses
564
remoteid/ph1id values
565
566
* src/racoon/: remoteconf.h, sainfo.h: Added remoteid/ph1id values
567
568
2006-10-02 Emmanuel Dreyfus <manu@netbsd.org>
569
570
* src/racoon/isakmp_base.c:
571
avoid reusing free'd pointer (Coverity 2613)
572
573
* src/racoon/isakmp_inf.c: Check for NULL pointer (COverity 4175)
574
575
* src/racoon/isakmp_ident.c: Remove dead code (Coverity 3451)
576
577
* src/racoon/algorithm.c: Fix array overrun (Coverity 4172)
578
579
* src/racoon/admin.c: Fix memory leak (Coverity 2002)
580
581
* src/racoon/: admin.c, isakmp.c, sockmisc.c: Fix memory leak
582
(Coverity 2001), refactor the code to use port get/set functions
583
584
* src/racoon/admin.c: Avoid reusing free'd pointer (Coverity 4200)
585
586
* src/racoon/oakley.c: Don't use NULL pointer (Coverity 3443),
587
reformat to 80 char/line
588
589
2006-10-02 Tom Spindler <dogcow@netbsd.org>
590
591
* src/racoon/ipsec_doi.c: If you're going to initialize a pointer,
592
you have to init it with a pointer type, not an int.
593
594
2006-10-02 Emmanuel Dreyfus <manu@netbsd.org>
595
596
* src/racoon/isakmp.c: Don't use NULL pointer (coverity 3439)
597
598
* src/racoon/ipsec_doi.c: Don't use NULL pointer (Coverity 1334)
599
600
* src/racoon/pfkey.c: Don't use NULL pointer (Coverity 944)
601
602
* src/racoon/proposal.c: Don't use NULL pointer (Coverity 941)
603
604
* src/racoon/racoonctl.c: Don't use NULL pointer (Coverity 942)
605
606
* src/racoon/sockmisc.c: Don't use null pointer (Coverity 863)
607
608
2006-10-01 Emmanuel Dreyfus <manu@netbsd.org>
609
610
* src/racoon/ipsec_doi.c: FIx memory leak (Coverity 4181)
611
612
* src/racoon/isakmp.c: Check that iph1->remote is not NULL before
613
using it (Coverity 3436)
614
615
2006-09-30 Emmanuel Dreyfus <manu@netbsd.org>
616
617
* src/racoon/isakmp_agg.c: emove dead code (Coverity 4165)
618
619
* src/racoon/isakmp_cfg.c: Fix memory leak (Coverity 4179)
620
621
* src/racoon/samples/roadwarrior/client/: phase1-down.sh,
622
phase1-up.sh: update the scripts for wrorking around routing
623
problems on NetBSD
624
625
* src/racoon/session.c: Reuse existing code for closing IKE
626
sockets, and avoid screwing things by setting p->sock = -1, which is
627
not expected (Coverity 4173).
628
629
* src/racoon/admin.c: Do not free id and key, as they are used
630
later
631
632
2006-09-29 Emmanuel Dreyfus <manu@netbsd.org>
633
634
* src/racoon/racoonctl.c: Fix the fix: handle_recv closes the
635
socket, so we must call com_init before sending any data.
636
637
2006-09-28 Emmanuel Dreyfus <manu@netbsd.org>
638
639
* src/racoon/isakmp_xauth.c: Fix unchecked mallocs (Coverity 4176,
640
4174)
641
642
* src/racoon/racoonctl.c: Fix access after free (Coverity 4178)
643
644
2006-09-26 Emmanuel Dreyfus <manu@netbsd.org>
645
646
* src/racoon/cfparse.y: Fix memory leak (Coverity)
647
648
* src/racoon/backupsa.c: Fix memory leak (Coverity)
649
411
650
* src/racoon/admin.c: Remove dead code (Coverity)
412
* src/racoon/backupsa.c: Fix memory leak (Coverity)
413
* src/racoon/cfparse.y: Fix memory leak (Coverity)
414
415
From Jeff Bailey:
416
* src/racoon/{pfkey.c|proposal.c}: fix SA bundle (e.g.: ESP+IPcomp)
417
418
From Matthew Grooms:
419
* src/racoon/ipsec_doi.c: fix buffer overflow
420
421
2006-09-25 Yvan Vanhullebus <vanhu@NetBSD.org>
422
Reported by Yves-Alexis Perez:
423
* src/racoon/isakmp.c: struct ip -> struct iphdr for Linux.
424
425
2006-09-15 Emmanuel Dreyfus <manu@netbsd.org>
426
From Matthew Grooms:
427
* src/racoon/ipsec_doi.c: fix double free
428
429
2006-09-21 Yvan Vanhullebus <vanhu@NetBSD.org>
430
Reported by Yves-Alexis Perez:
651
652
* src/racoon/admin.c: Fix memory leak (Coverity)
653
654
* src/racoon/admin.c: One more memory leak
655
656
* src/racoon/admin.c: Fix memory leak in racoonctl (coverity)
657
658
* src/racoon/ipsec_doi.c: Fix buffer overflow Also fix credits: SA
659
bundle fix was contributed by Jeff Bailey, not Matthew Grooms.
660
Matthew updated the patch for current code, though.
661
662
* src/racoon/: pfkey.c, proposal.c: fix SA bundle (e.g.: for
663
negotiating ESP+IPcomp)
664
665
2006-09-25 Yvan Vanhullebus <vanhu@netasq.com>
666
667
* src/racoon/isakmp.c: From Yves-Alexis Perez: struct ip -> struct
668
iphdr for Linux
669
670
2006-09-25 Emmanuel Dreyfus <manu@netbsd.org>
671
672
* src/racoon/isakmp.c: style (mostly for testing
673
ipsec-tools-commits@netbsd.org)
674
675
* src/racoon/ipsec_doi.c: Fix double free, from Matthew Grooms
676
677
2006-09-21 Yvan Vanhullebus <vanhu@netasq.com>
678
431
679
* src/libipsec/pfkey.c: use sysdep_sa_len to make it compile on
432
Linux.
433
434
2006-09-19 Yvan Vanhullebus <vanhu@NetBSD.org>
680
Linux
681
682
2006-09-19 Thomas Klausner <wiz@netbsd.org>
683
684
* src/racoon/racoon.conf.5: Bump date for ike_frag force.
685
686
* src/racoon/: plainrsa-gen.8, racoon.conf.5: New sentence, new
687
line.
688
689
* src/racoon/: racoon.conf.5, plainrsa-gen.8: Remove trailing
690
whitespace.
691
692
2006-09-19 Yvan Vanhullebus <vanhu@netasq.com>
693
694
* src/racoon/proposal.c: From Yves-Alexis Perez: fixes default
695
value for encmodesv in set_proposal_from_policy()
696
435
697
* src/racoon/isakmp.c: always include some headers, as they are
436
required even without NAT-T.
437
From Larry Baird:
438
* src/libipsec/pfkey_dump.c, src/setkey/token.l: define
439
SADB_X_EALG_AESCBC as SADB_X_EALG_AES if needed.
440
* src/racoon/crypto_openssl.c: some printf() -> plog().
441
From Yves-Alexis Perez:
442
* src/racoon/proposal.c: fixed default value for encmodesv in
443
set_proposal_from_policy().
444
445
2006-09-18 Emmanuel Dreyfus <manu@netbsd.org>
446
447
From Matthew Grooms:
448
* src/racoon/{cfparse.y|cftoken.l|isakmp.c|isakmp_frag.h}
449
src/racoon/{racoon.conf.5|remoteconf.c}: ike_frag force option to
450
force the use of IKE on first packet exchange (prior to peer consent)
451
452
2006-09-18 Yvan Vanhullebus <vanhu@NetBSD.org>
453
* src/racoon/{cfparse.c|cftoken.c|prsa_par.c|prsa_tok.c}
454
rpm/suse/ipsec-tools.spec: removed those files from the CVS,
455
as they are generated during the build.
456
457
2006-09-18 Emmanuel Dreyfus <manu@netbsd.org>
458
459
From Matthew Grooms:
460
* src/racoon/isakmp.c: handle IKE frag used in the first packet.
461
462
2006-09-16 Emmanuel Dreyfus <manu@netbsd.org>
463
464
From Matthew Grooms:
465
* src/racoon/ipsec_doi.c: Trivial bugfix in RFC2407 4.6.2 conformance
466
467
2006-09-15 Emmanuel Dreyfus <manu@netbsd.org>
468
* src/racoon/ipsec_doi.c: fix build on Linux
469
470
---------------------------------------------
471
472
Migration to cvs.netbsd.org
473
474
2006-08-22 Emmanuel Dreyfus <manu@netbsd.org>
475
476
From Matthew Grooms:
477
* src/racoon{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h}
478
src/racoon{isdakmp_quick.c|isakmp_xauth.c|isakmp_xauth.h}
479
src/racoon/racoon.conf.5: Add a group check option
480
481
2006-08-17 Yvan Vanhullebus <vanhu@netasq.com>
482
483
Patch from Matthew Grooms:
484
* src/racoon/ipsec_doi.c: fixed an ASN1 size in
485
ipsecdoi_checkid1()
486
487
2006-08-11 Yvan Vanhullebus <vanhu@netasq.com>
488
489
Patch from Matthew Grooms:
490
* src/racoon/ipsec_doi.[ch]: fixed and public ipsecdoi_id2str()
491
* src/racoon/isakmp_quick.c: text fix
492
* src/racoon/pfkey.c: sainfo debug
493
* src/racoon/sainfo.c: sainfo debug
494
495
2006-07-17 Yvan Vanhullebus <vanhu@netasq.com>
496
497
Reported by Matthew Grooms:
498
* src/racoon/isakmp_quick.c: Fixed iph2->id / id_p checks in
499
get_sainfo_r().
500
* src/racoon/racoon.conf.5: updated man page for sainfo logic.
501
502
2006-07-31 Emmanuel Dreyfus <manu@netbsd.org>
503
From Matthew Grooms <mgrooms@shrew.net>
504
* src/racoon/{cfparse.y|isakmp_cfg.c|isakmp_cfg.h}
505
src/racoon/{isakmp_unity.c|isakmp_unity.h}: splinet support
506
becomes dynamic, bugfixes
507
508
2006-07-19 Emmanuel Dreyfus <manu@netbsd.org>
509
From Peter Eisch <peter@boku.net>
510
* src/racoon/samples/roadwarrior/client/phase1-up.sh: add missing
511
netmask in network interface configuration
512
513
From Matthew Grooms <mgrooms@shrew.net>
514
* configure.ac src/racoon/isakmp_xauth.c: update the LDAP API usage
515
516
From Matthew Grooms <mgrooms@shrew.net>
517
* src/racoon/{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h}
518
src/racoon/{isakmp_cfg.c|isakmp_unity.c|racoon.conf.5}: Split DNS
519
support (server side)
520
521
2006-07-17 Yvan Vanhullebus <vanhu@netasq.com>
522
523
* src/libipsec/pfkey.c: Fixed SADB_X_EXT_SEC_CTX support in pfkey_align().
524
Break reported by Matthew Grooms.
525
526
2006-07-13 Frederic Senault <fred@lacave.net>
527
528
* src/racoon/isakmp_cfg.c: fix a typo that rendered DNS4 / WINS4
529
unoperable on 64bit architectures ; add a packetdump of MODE_CFG
530
exchange in debug mode.
531
532
2006-07-09 Emmanuel Dreyfus <manu@netbsd.org>
533
From Matthew Grooms <mgrooms@shrew.net>
534
* src/racoon{cfparse.y|cftoken.l|isakmp_quick.c|isakmp_xauth.c}
535
src/racoon{isakmp_xauth.h|racoon.conf.5|sainfo.c|sainfo.h}:
536
Group authentication for Xauth. Supports system groups and LDAP.
537
538
2006-07-04 Yvan Vanhullebus <vanhu@netasq.com>
539
540
* src/racoon/nattraversal.c: fixed a malloc check in
541
natt_keepalive_add(). Patch from Bruno Wagenseil.
542
543
2006-06-30 Emmanuel Dreyfus <manu@netbsd.org>
544
545
* src/racoon/{cfparse.l|cftoken.l}: meaningful error message when
546
we cannot find the configuration file.
547
548
2006-06-24 Emmanuel Dreyfus <manu@netbsd.org>
549
From Matthew Grooms <mgrooms@shrew.net>
550
* src/racoon{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h}
551
src/racoon/{isakmp_xauth.c|isakmp_xauth.h|racoon.conf.5}: network
552
configuration obtained from LDAP directory
553
554
2006-06-23 Emmanuel Dreyfus <manu@netbsd.org>
555
From Matthew Grooms <mgrooms@shrew.net>
556
* configure.ac: build fixes
557
558
2006-06-22 Emmanuel Dreyfus <manu@netbsd.org>
559
* src/racoon/evt.c: build fix
560
From Matthew Grooms <mgrooms@shrew.net>
561
* configure.ac: build fixes around libldap and libiconv search
562
563
2006-06-21 Emmanuel Dreyfus <manu@netbsd.org>
564
* src/racoon/evt.c: Do not record events if admin socket is
565
disabled.
566
567
2006-06-20 Emmanuel Dreyfus <manu@netbsd.org>
568
569
* configure.ac: Check for conflicts between system libiconv
570
and newer libiconv header
571
From Matthew Grooms <mgrooms@shrew.net>
572
* configure.ac src/racoon/{cfparse.y|cftoken.l}
573
src/racoon/{isakmp_cfg.h|isakmp_xauth.c|isakmp_xauth.h}
574
src/racoon/{main.c|racoon.conf.5}: Use LDAP for Xauth
575
576
2006-06-20 Yvan Vanhullebus <vanhu@netasq.com>
577
578
* configure.ac: fixed SHA256 detection on some systems. Patch by
579
Dmitry Andrianov.
580
* src/racoon/{cfparse.y|cftoken.l|plog.[ch]|racoon.conf.5}:
581
changed logging levels. Patch by Michal Ruzicka.
582
583
2006-06-15 Emmanuel Dreyfus <manu@netbsd.org>
584
From Matthew Grooms <mgrooms@shrew.net>
585
* src/racoon/main.c: make sure RADIUS is correctly initialized
586
587
2006-06-14 Yvan Vanhullebus <vanhu@netasq.com>
588
589
* Makefile.am, src/Makefile.am: fixed make dist on *BSD
590
591
2006-06-07 Emmanuel Dreyfus <manu@netbsd.org>
592
* src/racoon/isakmp_cfg.c: Fix build.
593
594
2006-05-26 Emmanuel Dreyfus <manu@netbsd.org>
595
From Pawel Jakub Dawidek <pjd@FreeBSD.org>
596
* src/racoon/handler.c: Fix a crash caused by a NULL pointer
597
* src/racoon/oakley.c: Typos
598
* src/racoon/isakmp_base.c: Fix uninitialized buffer
599
* src/racoon/isakmp_base.c: Do send DPD VID in resp case (base mode)
600
601
2006-05-23 Emmanuel Dreyfus <manu@netbsd.org>
602
* src/racoon/isakmp_cfg.c: Mode cfg can be used without Xauth, so
603
do not assume Xauth when preparing a hook script environement.
604
From chunkeey@web.de
605
* src/racoon/{algorithm.c|oakley.c|gssapi.c|ipsec_doi.c}: Fix amd64
606
build warnings
607
* src/racoon/ipsec_doi.c: Don't free a referenced buffer
608
From Matthew Grooms <mgrooms@shrew.net>
609
* src/racoon/isakmp_cfg.c: Fix for unity local_lan support
610
611
2006-05-07 Emmanuel Dreyfus <manu@netbsd.org>
612
* src/racoon/{isakmp.c|session.c|sockmisc.c|racoon.conf.5}: Do
613
not reconfigure interface sockets when running in privilege
614
separation as it will not work. Add debug for setsockopt().
615
* src/racoon/racoonctl.8: Do not tell config reload is completely
616
broken (it's only somewhat broken).
617
618
2006-05-06 Emmanuel Dreyfus <manu@netbsd.org>
619
620
* src/racoon/{remoteconf.c|remoteconf.h|isakmp.c|cfparse.y}: Fix
621
memory leak (Coverity)
622
* src/racoon/pfkey.c: Fix memory leak (Coverity)
623
* src/racoon/ipsec_doi.c: Fix memory leak (Coverity)
624
* src/racoon/isakmp.c: Fix memory leak (Coverity)
625
* src/racoon/dnssec.c: Fix memory leak (Coverity)
626
* src/racoon/backupsa.c: Fix memory leak (Coverity)
627
* src/racoon/{nattraversal.c|isakmp.c|cfparse.y}: Check for non NULL
628
allocation (Coverity)
629
* src/racoon/isakmp_quick.c: Remove dead code (Coverity)
630
* src/racoon/oakley.c: Remove dead code (Coverity)
631
* src/racoon/crypto_openssl.c: Remove dead code (Coverity)
632
633
2006-05-05 Yvan Vanhullebus <vanhu@netasq.com>
634
635
* src/racoon/pfkey.c: Sets NAT-T ports to 0 if no NAT
636
encapsulation in pk_sendgetspi().
637
638
2006-05-04 Yvan Vanhullebus <vanhu@netasq.com>
639
From Preggna S (spreggna@novell.com)
640
* src/racoon/schedule.h: fixed gnuc.h include.
641
* src/racoon/{cfparse.y|cftoken.l}: Address range sainfos support.
642
* src/racoon/ipsec_doi.[ch]: ipsecdoi_sockrange2id() function.
643
644
2006-05-03 Yvan Vanhullebus <vanhu@netasq.com>
645
From Joy Latten <latten@austin.ibm.com>
646
* configure.ac: security context support check
647
* src/libipsec/{pfkey.c|pfkey_dump.c}:
648
SADB_X_EXT_PACKET / SADB_X_EXT_SEC_CTX support
649
* src/setkey/{parse.ytoken.l}: parses optionnal security context
650
* src/setkey/setkey.8: security context syntax
651
652
2006-04-27 Emmanuel Dreyfus <manu@netbsd.org>
653
654
* src/racoon/{remoteconf.c|proposal.c}: fix memory leak (Coverity)
655
656
2006-04-24 Yvan Vanhullebus <vanhu@netasq.com>
657
658
* src/racoon/isakmp.c: style cleanup in delete_spd()
659
660
2006-04-13 Yvan Vanhullebus <vanhu@netasq.com>
661
662
* src/racoon/pfkey.c: Sets NAT-T ports to 0 if no NAT
663
encapsulation in pk_sendupdate().
664
665
2006-04-12 Emmanuel Dreyfus <manu@netbsd.org>
666
667
* src/racoon/ipsec_doi.c: fix memory leaks (Coverity)
668
669
2006-04-06 Emmanuel Dreyfus <manu@netbsd.org>
670
671
* src/racoon/{admin.c|cfparse.y|cftoken.l|debugrm.c|debugrm.h}
672
src/racoon/{gcmalloc.h|isakmp.c|isakmp_inf.c|isakmp_xauth.c}
673
src/racoon/{logger.c|misc.h|plog.c|racoonctl.c|sockmisc.c}: Add
674
strdup in the malloc debugging framework, check for strdup failures
675
(found by Coverity)
676
* src/racoon/admin.c: Do not use an unallocated pointer (Coverity)
677
* src/racoon/schedule.c: Check for NULL pointer
678
* src/racoon/{grabmyaddr.c|handler.c|isakmp.c|isakmp_cfg.c}
679
src/racoon/{isakmp_inf.c|isakmp_quick.c|nattraversal.c}: Check
680
that dupsaddr returns non NULL pointers (Coverity)
681
* src/racoon/isakmp_quick.c: Ignore multiple notifications in the
682
same message, and do not leak memory (Coverity)
683
* src/racoon/{isakmp_agg.c|isakmp_ident.c}: Fix memory leak in
684
GSSAPI code (Coverity)
685
* src/racoon/racoonctl.c: fix minor memory leak (Coverity)
686
* src/racoon/isakmp.c: fix memory leak (Coverity)
687
* src/racoon{isakmp.c|isakmp_inf.c}: fix phase 1 handler leak (Coverity)
688
689
2006-04-05 Emmanuel Dreyfus <manu@netbsd.org>
690
691
* src/racoon/isakmp_xauth.c: fix unitialized variable, found by
692
Coverity
693
* src/racoon/{isakmp_cfg.c|isakmp_xauth.h|isakmp_xauth.c}: Do not
694
use deleted phase 1 handler after errors, found by coverity
695
* src/racoon/main.c: tell which config file we use
696
* src/racoon/isakmp_cfg.c: Do not use deleted phase 1 handler, found
697
by Coverity
698
* src/racoon/{isakmp_agg.c|isakmp_ident.c}: Do not use deleted phase 1
699
handler, found by Coverity
700
* src/racoon/dnssec.c: do not return a free'ed certificate, found by
701
Coverity
702
* src/racoon/oakley.c: fix stale pointer alias, found by Coverity
703
* src/racoon/throttle.c: do not free current item while walking a
704
chained list, found by Coverity
705
* src/racoon/vmbuf.c: handle NULL argument for vdup, found by Coverity
706
707
2006-03-18 Emmanuel Dreyfus <manu@netbsd.org>
708
709
From John Nemeth <jnemeth@victoria.tc.ca> and a Coverity scan
710
* src/racoon/isakmp_xauth.c: fix memory leak
711
712
2006-02-25 Emmanuel Dreyfus <manu@netbsd.org>
713
714
From Thomas Klausner <wiz@NetBSD.org>
715
* src/racoon/{cfparse.y|handler.h}: typos
716
717
2006-02-23 Emmanuel Dreyfus <manu@netbsd.org>
718
719
* src/racoon/main.c: do not reset isakmp_cfg structure after
720
config reload.
721
722
2006-02-22 Yvan Vanhullebus <vanhu@netasq.com>
723
724
* src/racoon/vendorid.c: Fixed Vendor IDs order (well, should not
725
be really necessary) and DPD VId hash generation
726
727
2006-02-17 Yvan Vanhullebus <vanhu@netasq.com>
728
729
* src/racoon/{cfparse.y|sainfo.c}: Support for "semi anonymous"
730
sainfos.
731
* src/racoon/racoon.conf.5: updated sainfos syntax
732
* src/racoon/vendorid.[ch]: IPSec-Tools Vendor ID
733
734
2006-02-15 Yvan Vanhullebus <vanhu@netasq.com>
735
736
* src/racoon/{cfparse.y|cftoken.l}: Parse new generate_policy
737
levels
738
* src/racoon/remoteconf.h: defines for REQUIRE/UNIQUE/NONE
739
generate policy levels
740
* src/racoon/proposal.c: Sets optionnal reqid for generated
741
policies
742
* src/racoon/pfkey.c: sends UNIQUE policies to kernel if reqid
743
specified
744
* src/racoon/racoon.conf.5: updated generate_policy syntax
745
746
2006-02-02 Yvan Vanhullebus <vanhu@netasq.com>
747
748
* src/racoon/isakmp.c: Fixed zombie PH1 handler when isakmp_send()
749
fails in isakmp_ph1resend()
750
751
2006-01-17 Frederic Senault <fred@lacave.net>
752
753
* src/racoon/cfparse.y: Add the keyid [ (tag|file) ] semantics to the
754
peers_identifier keyword.
755
756
* src/racoon/{evt.h|isakmp.c|racoonctl.c}: Send a message to the
757
adminsock to allow for racoonctl to stop looping when the
758
vpn-connect command is used and there is no mode config exchange.
759
760
2006-01-08 Emmanuel Dreyfus <manu@netbsd.org>
761
762
* src/racoon/isakmp_cfg.c: make software behave as the documentation
763
advertise for INTERNAL_NETMASK4. Keep the old INTERNAL_MASK4 to
764
avoid breaking backward compatibility.
765
766
2005-12-19 Yvan Vanhullebus <vanhu@netasq.com>
767
768
* src/racoon/session.c: Fixed / cleaned up signal handling.
769
770
2005-12-13 Yvan Vanhullebus <vanhu@netasq.com>
771
772
* src/libipsec/samples/*: replaced "obey" mode by "strict" mode.
773
774
2005-12-07 Yvan Vanhullebus <vanhu@netasq.com>
775
776
* src/libipsec/pfkey_dump.c: fixed compilation when NAT_T
777
disabled (Fred has still some CVS problems).
778
* src/racoon/session.c: Calls isakmp_cfg_init() only if
779
ENABLE_HYBRID in reload_conf().
780
781
2005-12-04 Frederic Senault <fred@lacave.net>
782
783
* src/libipsec/{libpfkey.h|pfkey_dump.c}: add a sadump_withports
784
function to display SAD entries with their associated ports.
785
* src/setkey/{parse.y|setkey.c|setkey.8}: allow to use setkey -p flag
786
in conjunction with -D to show SADs with the port, allow both get and
787
delete commands to use bracketed ports if needed.
788
789
2005-11-26 Emmanuel Dreyfus <manu@netbsd.org>
790
791
* src/racoon/session.c: fix possible race conditions in signal handlers
792
* src/racoon/{isakmp_cfg.c|isakmp_cfg.h|main.c|session.c}: when
793
reloading configuration, do not new add mode_cfg config to the
794
existign one, overwrite it instead.
795
796
2005-11-25 Emmanuel Dreyfus <manu@netbsd.org>
797
798
From Thomas Klausner <wiz@netbsd.org>
799
* src/racoon/racoon.conf.5: Style changes
800
801
2005-11-21 Yvan Vanhullebus <vanhu@netasq.com>
802
803
* src/racoon/isakmp_[ident|agg].c: Check if natt is available when
804
receiving a NAT_D payload from initiator. It saves a crash,
805
reported by Dave Huang to NetBSD.
806
807
2005-11-20 Yvan Vanhullebus <vanhu@netasq.com>
808
809
* src/racoon/isakmp_agg.c: Check that we got some needed payloads
810
from peer (could cause a DoS). Crash reported by Adrian Portelli
811
using IKE test suite from
812
http://www.ee.oulu.fi/research/ouspg/protos/testing/c09/isakmp/
813
814
2005-11-10 Yvan Vanhullebus <vanhu@free.fr>
815
816
Patches from Francis Dupont
817
* src/libipsec/key_debug.c: SADB_X_EXT_PACKET support
818
* src/libipsec/{libpfkey.h|pfkey.c}: pfkey_send_migrate() function
819
* src/setkey/parse.y: IPPROTO_MH support
820
* src/racoon/pfkey.c: fixed some logs
821
* src/racoon/strnames.c: fixed a typo for SADB_X_PROMISC,
822
appropriate define for SADB_X_NAT_T_NEW_MAPPING, added
823
SADB_X_MIGRATE
824
825
2005-11-06 Aidas Kasparas <a.kasparas@gmc.lt>
826
827
* src/racoon/main.c, src/racoon/session.c: moved .pid file writing
828
just before main loop. Thanks Stephen Thorne
829
* src/racoon/localconf.h, src/racoon/cftoken.l: introduced
830
path pidfile directive
831
* src/racoon/racoon.conf.5: documented above
832
* configure.ac: OpenSSL 0.9.8 compilation fix. Thank Ganesan
833
Rajagopal
834
* configure.ac: added check for strlcat function
835
* src/racoon/misc.h: define strlcat function for systems without one
836
* src/racoon/remoteconf.c: strncat -> strlcat
837
838
2005-11-01 Aidas Kasparas <a.kasparas@gmc.lt>
839
840
* src/racoon/isakmp_inf.c: repeated gcc-4.0 build fix. Thanks
841
Andreas Tobler
842
843
2005-10-30 Yvan Vanhullebus <vanhu@netasq.com>
844
845
Patches from Christoph Nadig for compilation on MacOS X
846
* configure.ac: no lcrypt for darwin
847
* src/libipsec/key_debug.c: include stdint.h if HAVE_STDINT_H
848
* src/racoon/isakmp_cfg.c: some includes and some %zu
849
* src/racoon/isakmp_unity.c: fixed a %zu
850
* src/racoon/vmbuf.h: vfree already defined for Apple
851
852
2005-10-17 Aidas Kasparas <a.kasparas@gmc.lt>
853
854
Introduced subnet sainfo type.
855
* src/racoon/cftoken.l: new token "subnet"
856
* src/racoon/cfparse.y: added address/subnet diferentiation logic
857
* src/racoon/ipsec-doi.h: new constant
858
* src/racoon/ipsec-doi.c: adopted to above
859
* src/racoon/racoon.conf.5: documented above
860
861
2005-09-14 Emmanuel Dreyfus <manu@netbsd.org>
862
863
* src/libipsec/pfkey.c: One forgotten cast caddr_t -> void *
864
865
2005-10-14 Yvan Vanhullebus <vanhu@netasq.com>
866
867
* src/racoon/ipsec_doi.c: don't allow NULL or empty FQDNs or
868
USER_FQDNs (problem reported by Bernhard Suttner).
869
870
2005-09-10 Emmanuel Dreyfus <manu@netbsd.org>
871
872
* src/racoon[isakmp.c|isakmp_cfg.c|isakmp_inf.c}
873
src/racoon/doc/FAQ configure.ac: Add --enable-broken-natt for
874
kernel implementing NAT-T but unable to cope with IKE ports in
875
SAD and SPD.
876
877
2005-09-05 Emmanuel Dreyfus <manu@netbsd.org>
878
879
From Wilfried Weissmann:
880
* src/libipsec/policy_parse.y src/racoon/oakley.c
881
src/racoon/{sockmisc.c|sockmisc.h}: build fixes
882
883
884
2005-09-03 Emmanuel Dreyfus <manu@netbsd.org>
885
886
From Francis Dupont <Francis.Dupont@enst-bretagne.fr>
887
* src/libipsec/pfkey.c src/racoon/pfkey.c: Cope with extensions
888
889
2005-08-26 Emmanuel Dreyfus <manu@netbsd.org>
890
891
* src/racoon/evt.c: Fix memory leak when event queue overflows
892
893
2005-08-23 Emmanuel Dreyfus <manu@netbsd.org>
894
895
* src/racoon/{isakmp_agg.c|isakmp_ident.c|isakmp_base.c}: Correctly
896
initialize NAT-T VID to avoid freeing unallocated stuff.
897
898
2005-08-21 Emmanuel Dreyfus <manu@netbsd.org>
899
900
From Matthias Scheler <matthias.scheler@tadpole.com>
901
* src/racoon/{isakmp_cfg.c|racoon.conf.5}: enable the use of
902
ISAKMP mode config without Xauth.
903
904
2005-08-16 Emmanuel Dreyfus <manu@netbsd.org>
905
906
From Thomas Klausner <wiz@netbsd.org>
907
* src/setkey/setkey.8: remove trailing whitespaces
908
909
2005-09-09 Yvan Vanhullebus <vanhu@free.fr>
910
911
* src/racoon/policy.c: Do not parse all sptree in inssp() if we
912
don't use Policies priority.
913
914
2005-08-20 Yvan Vanhullebus <vanhu@free.fr>
915
916
* src/racoon/handler.c: Fixed a possible crash in
917
remove_ph2(). Reported by Dietmar Eggemann.
918
919
2005-08-14 Emmanuel Dreyfus <manu@netbsd.org>
920
921
From Francis Dupont <Francis.Dupont@enst-bretagne.fr>
922
* src/racoon/dnssec.c: fix bogus test on function result
923
924
2005-08-11 Yvan Vanhullebus <vanhu@free.fr>
925
926
* src/racoon/isakmp.c: Improved in/out SA addresses check in
927
purge_remote(). Reported by Patrick Ma.
928
929
2005-08-08 Emmanuel Dreyfus <manu@netbsd.org>
930
931
* src/libipsec/{key_debug.c|pfkey.c|pfkey_dump.c}: de-lint, warnings
932
933
2005-08-08 Yvan Vanhullebus <vanhu@free.fr>
934
935
* src/racoon/privsep.c: Fixed a %d -> %zu in
936
port_check() (reported by Matthias Scheler).
937
938
2005-08-04 Emmanuel Dreyfus <manu@netbsd.org>
939
940
* configure.ac: correctly quote RACOON_PATH_LIBS arguments
941
942
2005-08-02 Yvan Vanhullebus <vanhu@free.fr>
943
944
* src/racoon/isakmp_inf.c: First fix to
945
info_recv_initialcontact(): do a basic IP check when no NAT-T.
946
947
2005-07-26 Yvan Vanhullebus <vanhu@free.fr>
948
949
* src/racoon/isakmp.c: Fixed purge_remote()
950
951
2005-07-25 Yvan Vanhullebus <vanhu@free.fr>
952
953
* src/racoon/isakmp.c: Do not purge IPSec SAs in purge_remote() if
954
a new ph1handle exists (patch by Krzysztof Oledzki)
955
956
2005-07-20 Aidas Kasparas <a.kasparas@gmc.lt>
957
958
* configure.ac: disabled --enable-samode-unspec under linux
959
960
2005-07-20 Yvan Vanhullebus <vanhu@free.fr>
961
962
* src/racoon/isakmp_quick.c: Ignore NATOA payloads in
963
quick_r1recv() as it is done in quick_i2recv().
964
* configure.ac: new --enable-fastquit option
965
* src/racoon/session.c: new code optional code when flushing SAs,
966
which is faster and should have no deadlocks. configure
967
--enable-fastquit option to enable it.
968
969
2005-07-19 Yvan Vanhullebus <vanhu@free.fr>
970
971
* src/racoon/isakmp.c: Checks in isakmp_ph1begin_r() if we got the
972
packet from NAT-T port, and set up the NAT_PORTS_CHANGED in that
973
case (RFC 3947, sect 4, we MUST allow new phase1 negociations on
974
NAT-T floated port), to correctly generate the reply.
975
976
2005-07-16 Aidas Kasparas <a.kasparas@gmc.lt>
977
978
* src/racoon/grabmyaddr.c: fixed file descriptor leak. Thanks to
979
Patrice Fournier
980
* src/racoon/setkey.c: disabled readline's filename completion
981
(bug 1179281 fix)
982
* src/racoon/proposal.c: fixed mode selection for SAs with
983
complex_bundle on behind NAT
984
985
2005-07-14 Yvan Vanhullebus <vanhu@free.fr>
986
987
* src/racoon/handler.c: - Clears the DPD schedule in delph1()
988
- Cleared up sanity checks in delph1()
989
- Sets p->rmconf to NULL if no new
990
remoteconf in revalidate_ph1tree_rmconf()
991
* src/racoon/isakmp.c: Added sanity checks in script_hook()
992
* src/racoon/oakley.c: Sanity check in save_certbuf()
993
994
995
2005-07-13 Emmanuel Dreyfus <manu@netbsd.org>
996
997
* src/setkey/Makefile.am: missing file in distribution
998
999
2005-07-12 Yvan Vanhullebus <vanhu@free.fr>
1000
1001
* src/racoon/isakmp.c: Fixed a mem leak in isakmp_send().
1002
1003
2005-07-12 Emmanuel Dreyfus <manu@netbsd.org>
1004
1005
* src/racoon/pfkey.c: Set IKE ports to 0 in the SA when NAT-T is not
1006
used.
1007
* src/racoon/{crypto_openssl.c|ipsec_doi.c|oakley.c} configure.ac
1008
src/racoon/missing/crypto/sha2/sha2.h: Support OpenSSL-0.9.8
1009
* src/racoon/{admin.c|session.c}: Don't use the adminport if it is
1010
disabled
1011
* src/racoon/samples/roadwarrior/client/{pahse1-up.sh|phase1-down.sh}:
1012
Add comments for using the scripts without NAT-T
1013
1014
2005-07-11 Emmanuel Dreyfus <manu@netbsd.org>
1015
1016
* src/racoon/ipsec_doi.c configure.ac: More build fixes on Linux.
1017
Accomodate various libiconv versions
1018
1019
2005-07-10 Emmanuel Dreyfus <manu@netbsd.org>
1020
1021
* src/racoon/ipsec_doi.c configure.ac: build fixes on Linux.
1022
Accomodate various libiconv versions
1023
1024
2005-07-09 Yvan Vanhullebus <vanhu@free.fr>
1025
1026
* src/racoon/crypto_openssl.c: Fixed evp_crypt when using crypto
1027
algorithms with variable key size but not OpenSSL default key
1028
size.
1029
1030
2005-07-07 Emmanuel Dreyfus <manu@netbsd.org>
1031
1032
From Mathias Scheler <tron@netbsd.org>
1033
* src/racoon/raccon.conf.5: Document that aes can be used in
1034
racoon.conf
1035
1036
2005-07-06 Frederic Senault <fred@lacave.net>
1037
1038
* src/setkey/setkey.c: fix compilation with readline.
1039
* src/racoon/oakley.c: move declarations to fix compilation issues
1040
with gcc 2.95.4/FreeBSD4, re-indentation and style cleanup of the
1041
pkcs7 patch.
1042
1043
2005-07-04 Emmanuel Dreyfus <manu@netbsd.org>
1044
1045
* src/racoon/isakmp_inf.c: safety checks on informational messages
1046
* src/racoon/{pfkey.c|proposal.c}: IPcomp fixes
1047
1048
2005-07-01 Emmanuel Dreyfus <manu@netbsd.org>
1049
1050
From Uri Blumenthal <urimobile@optonline.net>:
1051
* src/racoon/{ipsec_doi.c|Makefile.am}: Linux build fixes
1052
* src/racoon/oakley.c: pkcs7 support
1053
1054
2005-06-29 Emmanuel Dreyfus <manu@netbsd.org>
1055
1056
From Christos Zoulas <christos@zoulas.com>
1057
* configure.ac src/setkey/{parse.y|setkey.c|token.l}
1058
src/libipsec/{ipsec_dump_policy.c|ipsec_get_policylen.c|key_debug.c}
1059
src/libipsec/{libpfkey.h|pfkey_dump.c|policy_parse.y}: de-lint,
1060
using void * instead of caddr_t and adding const where appropriate.
1061
* src/setkey/extern.h: new file
1062
* src/libipsec/{pfkey.c|pfkey_dump.c|policy_parse.y}
1063
src/racoon/{sockmisc.c|sockmisc.h}: de-lint signed/unsigned,
1064
size_t/int and lint constants
1065
1066
2005-06-24 Yvan Vanhullebus <vanhu@free.fr>
1067
1068
* src/racoon/handler.c: Fixed phase2 enc algo check when reloading
1069
conf (could flush a phase2 handler when not needed).
1070
1071
2005-06-19 Emmanuel Dreyfus <manu@netbsd.org>
1072
1073
* src/racoon/{admin.c|handler.c|handler.h|racoonctl.c|racoonctl.h}
1074
src/racoon/racoonctl.8:
1075
Add a logout-user command to racoonctl to kick out all SA for a
1076
given Xauth user
1077
1078
From Ludo Stellingwerff <ludo@protactive.nl>:
1079
* src/racoon/isakmp.c: NAT-T fix: We treat null ports in SPD as
1080
wildcard so that IKE ports are used instead. This was done on
1081
phase 2 initiation from the kernel (acquire message), but not
1082
on phase 2 initiation retries when the phase 2 had been queued
1083
for a phase 1.
1084
1085
From Uri Blumenthal <urimobile@optonline.net>
1086
and Larry Baird <lab@gta.com>:
1087
* src/libipsec/pfkey_dump.c src/setkey/test-pfkey.c
1088
src/racoon/{algorithm.c|cftoken.l|eaytest.c|ipsec_doi.c}
1089
src/racoon/{ipsec_doi.h|pfkey.c|strnames.c}: Add SHA2 support
1090
* src/setkey/setkey.8 src/racoon/racoon.conf.5: update doc for SHA2
1091
* src/setkey/token.l: Add aliases shaxxx for sha2_xxx
1092
1093
2005-06-07 Emmanuel Dreyfus <manu@netbsd.org>
1094
1095
From Larry Baird <lab@gta.com>
1096
* src/racoon/isakmp.c: consume NAT keepalive data already seen
1097
with MSG_PEEK
1098
1099
2005-06-07 Frederic Senault <fred@lacave.net>
1100
1101
* configure.ac src/racoon/{cfparse.y|isakmp_cfg.h|isakmp_cfg.c}
1102
src/racoon/{handler.c|privsep.c|privsep.h|racoon.conf.5}: Add
1103
support for system accounting into the utmp files, with the
1104
"accounting system" directive.
1105
1106
* src/privsep.c: Bug fixes in the xauth password handling code.
1107
1108
2005-06-06 Emmanuel Dreyfus <manu@netbsd.org>
1109
1110
* src/racoon/isakmp_quick.c: endianness bug fix
1111
1112
2005-06-05 Emmanuel Dreyfus <manu@netbsd.org>
1113
1114
From Thomas Klausner <wiz@netbsd.org>
1115
* src/setkey/setkey.8 src/racoon/racoon.conf.5: remove trailing
1116
spaces, grammar fix
1117
1118
2005-05-31 Aidas Kasparas <a.kasparas@gmc.lt>
1119
1120
* src/racoon/ipsec_doi.c: Inserted missing 0th element of
1121
rm_idtype2doi array. Bug #1199700 fix.
1122
1123
2005-05-30 Frederic Senault <fred@lacave.net>
1124
1125
* src/racoon/oakley.h: Fix a typo in the RMAUTHMETHOD macro
1126
definition.
1127
1128
* src/racoon/isakmp_cfg.c: Fix the switch so that the phase1 script
1129
is executed at the end of the mode cfg exchange ; add a debug
1130
message at the script startup.
1131
1132
2005-05-23 Emmanuel Dreyfus <manu@netbsd.org>
1133
1134
* src/racoon/admin.c: build fix
1135
1136
2005-05-20 Emmanuel Dreyfus <manu@netbsd.org>
1137
1138
From Mike Robinson <sundialservices@users.sourceforge.net>
1139
* src/racoon/isakmp_xauth.c: really delete phase 1 on Xauth failure
1140
1141
* src/libipsec/pfkey.c src/racoon/ipsec_doi.c: Fix NAT-T + IPcomp
1142
1143
From hgates <hgates.lists@gmail.com>
1144
* src/racoon/proposal.c: fix SPI size test for IPcomp
1145
1146
From Larry Baird <lab@gta.com>
1147
* src/racoon/{handler.c|ipsec_doi.c}: When altering lifetime,
1148
duplicate the proposal instead of modifying the configured one.
1149
1150
2005-05-19 Frederic Senault <fred@lacave.net>
1151
1152
* configure.ac src/racoon/plog.c: Fix the logging functions to work
1153
around the lack of support of printf %zu in FreeBSD 4 (at least).
1154
1155
* src/racoon/{isakmp.c|pfkey.c}: Put sockets in non-blocking mode to
1156
fix a hangup with FreeBSD 4.
1157
1158
* src/racoon/{isakmp_inf.c|isakmp_unity.h|strnames.c}: Recognize a
1159
unity-specific heartbeat message.
1160
* src/racoon/isakmp_inf.c: Reorganize switch statement in
1161
isakmp_check_notify.
1162
1163
2005-05-17 Yvan Vanhullebus <vanhu@free.fr>
1164
1165
* src/racoon/handler.c: Fixed exchange type check in
1166
revalidate_ph1().
1167
* src/racoon/pfkey.c: changed includes order to fix compilation.
1168
1169
2005-05-14 Emmanuel Dreyfus <manu@netbsd.org>
1170
1171
* src/libipsec/policy_parse.y: Fix parse problem
1172
1173
2005-05-14 Aidas Kasparas <a.kasparas@gmc.lt>
1174
1175
* src/racoon/sockmisc.c: Debug message said it will send to
1176
source address insted of destination.
1177
1178
2005-05-13 Emmanuel Dreyfus <manu@netbsd.org>
1179
1180
* src/racoon/isakmp_inf.c: fix build problem
1181
1182
2005-05-13 Yvan Vanhullebus <vanhu@free.fr>
1183
1184
* src/racoon/isakmp.c: Fixed a double ph2handler free in
1185
isakmp_ph2begin_i().
1186
1187
2005-05-12 Emmanuel Dreyfus <manu@netbsd.org>
1188
1189
* src/racoon/isakmp_quick.c: fix build problem on some platforms
1190
1191
* src/racoon/isakmp.c: For acquire messages, when NAT-T is in use,
1192
consider null port as a wildcard and use IKE ports.
1193
1194
2005-05-10 Emmanuel Dreyfus <manu@netbsd.org>
1195
1196
* src/racoon/samples/roadwarrior/server/{racoon.conf|racoon.conf-radius}
1197
src/racoon/samples/roadwarrior/server/phase1-down.sh: removed file
1198
src/racoon/samples/roadwarrior/client/racoon.conf: update config
1199
files to higher security settings. Remove now useless phase 1 down
1200
script on server side.
1201
* Update README to reflect server/phase1-down.sh removal
1202
1203
2005-05-09 Emmanuel Dreyfus <manu@netbsd.org>
1204
1205
* src/racoon/{cftoken.l|cfparse.y|isakmp_cfg.c|isakmp_cfg.h}
1206
src/racoon/{isakmp_unity.c|racoon.conf.5}: Add PFS group and
1207
save password extensions from Cisco in ISAKMP mode config.
1208
1209
2005-05-08 Emmanuel Dreyfus <manu@netbsd.org>
1210
1211
* src/racoon/{handler.c|ipsec_doi.c|proposal.c}: check for lifebyte
1212
in proposals
1213
* src/racoon/ipsec_doi.c: fix a bug in proposal_check claim for phase 1
1214
* src/racoon/handler.c: style
1215
1216
* src/racoon/isakmp_xauth.c: fix build with shadow passwords
1217
1218
2005-05-07 Emmanuel Dreyfus <manu@netbsd.org>
1219
1220
* configure.ac src/racoon/isakmp_xauth.c: support shadow passwords
1221
* src/racoon/{isakmp_inf.c|isakmp_inf.h}: missing prototype
1222
* src/racoon/{handler.h|isakmp_inf.c|isakmp_quick.c|isakmp_var.h}
1223
src/racoon/pfkey.c: Move purge_remote() and delete_spd() prototypes
1224
to the right header file
1225
1226
2005-05-06 Emmanuel Dreyfus <manu@netbsd.org>
1227
1228
* src/racoon/{admin.c|isakmp.c|isakmp_inf.c}: factor various
1229
ISAKMP SA termination (for DPD timeouts and delete message) to
1230
use purge_remote() so that SA and generated SPD get correctly flushed
1231
* src/racoon/{handler.c|handler.h}: Introduce getph1byaddrwop() and
1232
getph2bysaddr()
1233
* src/racoon/{isakmp.c|isakmp_var.h|isakmp_inf.c|isakmp_inf.h}: make
1234
purge_remote(), setcopeid() and delete_spd() public
1235
* src/racoon/isakmp_quick.c: remove duplicated setscopeid()
1236
* src/racoon/{sockmisc.c|sockmisc.h} introduce a CMPSADDR() macro
1237
to compare with ports when ENABLE_NATT and without otherwise
1238
1239
2005-05-06 Frederic Senault <fred@lacave.net>
1240
1241
* src/racoon/isakmp_inf.c: Only print the contents of an informative
1242
message if the payload indicates an error ; transmit the return
1243
values from the DPD functions.
1244
1245
2005-05-06 Emmanuel Dreyfus <manu@netbsd.org>
1246
1247
* src/racoon/isakmp_inf.c: Fix a bug causing informational message
1248
payloads to be ignored
1249
1250
2005-05-05 Yvan Vanhullebus <vanhu@free.fr>
1251
1252
* src/racoon/isakmp_inf.c: Fixed some potential crashes in
1253
purge_remote() and purge_ipsec_spi().
1254
1255
2005-05-05 Emmanuel Dreyfus <manu@netbsd.org>
1256
1257
* src/libipsec/{policy_parse.y|policy_token.l}
1258
src/setkey/{setkey.8|token.l}: Allow ports to be supplied in SP
1259
endpoints, for accurate ESP over UDP matching
1260
* src/racoon/{isakmp.c|racoon.conf.5}: Send IKE local and remote
1261
ports to the hook scripts
1262
* src/racoon/remoteconf.c: do not honour ports when looking up
1263
a remote config, as our remote config have no port information
1264
* src/racoon/samples/roadwarrior/client/{phase1-up.sh|phase1-down.sh}:
1265
use the IKE ports supplied by racoon to set up acurate endpoints
1266
ports in SP endpoints
1267
1268
2005-05-04 Yvan Vanhullebus <vanhu@free.fr>
1269
1270
* src/racoon/isakmp_inf.c: code cleanup for SPD remove, generated
1271
policies are now also removed when DPD purge.
1272
1273
2005-05-04 Emmanuel Dreyfus <manu@netbsd.org>
1274
1275
From Manisha Malla <mmanisha@novell.com>
1276
* src/racoon/isakmp_cfg.c: fix unsigned int checked for being negative
1277
1278
From Ludo Stellingwerff <ludo@protactive.nl>
1279
* src/setkey/{parse.y|token.l}: build on system that do not have
1280
TCP-MD5 support
1281
1282
2005-05-04 Michal Ludvig <michal@logix.cz>
1283
1284
* configure.ac: Revert GLIBC_BUGS change from 2005-04-15
1285
1286
2005-05-03 Frederic Senault <fred@lacave.net>
1287
1288
* src/racoon/{cfparse.y|cftoken.l|isakmp_inf.c|racoon.conf.5}
1289
src/racoon/{remoteconf.c|remoteconf.h}: Add a weak_phase1_check
1290
option to enable the handling of unencrypted delete payloads.
1291
1292
* src/racoon/plog.c: Use of isgraph in binsanitize.
1293
1294
* src/racoon/rfc/rfc3706.txt: new file: Dead Peer Detection RFC.
1295
1296
* src/racoon/isakmp_inf.c: Unused code cleanup.
1297
1298
2005-04-26 Emmanuel Dreyfus <manu@netbsd.org>
1299
1300
* bootstrap: Darwin support
1301
1302
From Larry Baird <lab@gta.com>
1303
* src/racoon/nattraversal.c: Fix NAT-T for initiator
1304
1305
From Andreas Tobler <toa@pop.agri.ch>:
1306
* src/racoon/{misc.h|throttle.c|remoteconf.c|sockmisc.c|privsep.c}
1307
src/racoon/{pfkey.c|isakmp.c|grabmyaddr.c|getcertsbyname.c}
1308
src/racoon/configure.ac src/libipsec/policy_token.l
1309
src/setkey/token.l: Build on Darwin
1310
1311
2005-04-25 Emmanuel Dreyfus <manu@netbsd.org>
1312
1313
* src/racoon/handler.h: ifdef DPD and NAT-T data in data structures
1314
1315
* src/libipsec/{ipsec_dump_policy.c|pfkey_dump.c|libpfkey.h}
1316
src/setkey/{setkey.8|setkey.c}: add a -p option to setkey to
1317
enable the display of ESP over UDP ports in policies.
1318
1319
* src/racoon/ipsec_doi.c: fix LP64 bug
1320
1321
From Ludo Stellingwerff <ludo@protactive.nl>:
1322
* src/racoon/isakmp.c: build without NAT-T
1323
1324
From F. Senault <fred.letter@lacave.net>
1325
* src/racoon/{evt.h|isakmp.h|isakmp_inf.c|plog.c|plog.h|racoonctl.c}
1326
src/racoon/isakmp_xauth.c: Take into account payloads bundled after
1327
an ISAKMP informationnal message.
1328
1329
From Patrick McHardy <kaber@trash.net>
1330
* src/racoon/{handler.c|handler.h|pfkey.c}: When handling acquire
1331
message, lookup phase 2 by (src, dst, id) instead of only id.
1332
1333
2005-04-23 Emmanuel Dreyfus <manu@netbsd.org>
1334
1335
* src/libipsec/ipsec_dump_policy.c: display port numbers in policies
1336
* src/racoon/{isakmp.c|isakmp_cfg.c|isakmp_inf.c|pfkey.c}: don't
1337
forget port numbers so that mutiple clients behind the same NAT
1338
can work.
1339
1340
From Larry Baird <lab@gta.com>
1341
* src/racoon/{isakmp.c|nattraversal.c|isakmp_quick.c|nattraversal.h}:
1342
NAT-T fixes for interoperability with greenbow VPN client.
1343
1344
2005-04-21 Aidas Kasparas <a.kasparas@gmc.lt>
1345
1346
* src/libipsec/policy.parse.y, src/racoon/cfparse.y,
1347
src/libipsec/policy_parse.y, src/racoon/cfparse.y,
1348
src/racoon/cftoken.l, src/racoon/crypto_openssl.c,
1349
src/racoon/getcertsbyname.c, src/racoon/grabmyaddr.c,
1350
src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
1351
src/racoon/isakmp_inf.c, src/racoon/pfkey.c,
1352
src/racoon/plainrsa-gen.c, src/racoon/sockmisc.c,
1353
src/racoon/sockmisc.h, src/racoon/racoonctl.c: made compile
1354
with gcc-4.0 (20050410 prerelease)
1355
1356
2005-04-20 Aidas Kasparas <a.kasparas@gmc.lt>
1357
1358
From: Ganesan Rajagopal <rganesan@users.sourceforge.net>
1359
* configure.ac: fix --enable-ipv6 logic
1360
1361
2005-04-19 Yvan Vanhullebus <vanhu@free.fr>
1362
1363
* src/racoon/remoteconf.c: fixed dupisakmpsa() and dhgroup.
1364
1365
2005-04-18 Aidas Kasparas <a.kasparas@gmc.lt>
1366
1367
* src/racoon/crypto_openssl.c: fixed single DES support;
1368
* NEWS: noted fix
1369
1370
2005-04-18 Emmanuel Dreyfus <manu@netbsd.org>
1371
1372
* src/racoon/isakmp_base.c: DPD support, fix memory leak
1373
1374
From Thomas Klausner <wiz@NetBSD.org>
1375
* src/libipsec/{ipsec_set_policy.3|ipsec_strerror.3}
1376
src/racoon/{admin.c|plainrsa-gen.8|racoon.8|racoon.conf.5|racoonctl.8}
1377
src/racoon/samples/{racoon.conf.in|racoon.conf.sample}
1378
src/racoon/samples/racoon.conf.sample-gssapi
1379
src/racoon/samples/racoon.conf.sample-inherit
1380
src/racoon/samples/racoon.conf.sample-natt
1381
src/racoon/samples/racoon.conf.sample-plainrsa
1382
src/racoon/samples/roadwarrior/README
1383
src/racoon/samples/roadwarrior/server/phase1-down.sh
1384
src/setkey/setkey.8: docmumentation fixes
1385
1386
From KAME
1387
* src/racoon/ipsec_doi.c: wrong check on SA lifebyte
1388
1389
From Fred Senault <fred.letter@lacave.net>
1390
* src/racoon/{cfparse.y|cftoken.l} drop split_net_type directive,
1391
which is now incoprated into split_net_tunnels
1392
* src/raccon/{isakmp.c|isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c}
1393
src/racoon/isakmp_xauth.h: support login and password sent
1394
in different packets during the Xauth exchange. This makes racoon
1395
interoperable with SecureComputing's sidewinder
1396
* src/racoon/{strnames.c|strnames.h}: more debug strings for Xauth
1397
1398
2005-04-17 Yvan Vanhullebus <vanhu@free.fr>
1399
1400
* src/racoon/handler.c: Configuration reload validation code
1401
* src/racoon/handler.h:revalidate_ph12() function
1402
* src/racoon/ipsec_doi.c: duplicates iph1->approval in
1403
get_ph1approval(), some fields sets to NULL when needed
1404
* src/racoon/isakmp_inf.[ch]: purge_ipsec_spi() is now public
1405
* src/racoon/localconf.[ch]: save/restore_params() functions
1406
* src/racoon/main.c: moved restore_params functions to localconf
1407
* src/racoon/remoteconf.c: save_rmconf() functions, dupisakmpsa()
1408
function, some values set to NULL when needed
1409
* src/racoon/remoteconf.h: save_rmconf() functions, dupisakmpsa()
1410
function
1411
* src/racoon/sainfo.[ch]: save_sainfotree() functions
1412
* src/racoon/session.c: Reloads conf on a SIGHUP without loosing
1413
existing tunnels
1414
1415
2005-04-15 Aidas Kasparas <a.kasparas@gmc.lt>
1416
1417
From Zilvinas Valinskas <zilvinas@gemtek.lt>:
1418
* configure.ac:
1419
- cross-compile type fix (patch 1);
1420
- --enable-{frag|hybrid}=no fixes (patches 6,7);
1421
- support for --with-flex, --with-flexlib (patch 11);
1422
- GLIBC_BUGS assignment correction (patch 14 with mods).
1423
* src/racoon/isakmp.c: fix compilation when hybrid disabled.
1424
1425
2005-04-11 Emmanuel Dreyfus <manu@netbsd.org>
1426
1427
* src/racoon/rfc/{rfc2407.txt|rfc2408.txt: new files
1428
RFC for IPsec DOI and ISAKMP
1429
1430
2005-04-10 Emmanuel Dreyfus <manu@netbsd.org>
1431
1432
* src/racoon/isakmp_base.c: resurect RSASIG support
1433
* src/racoon/isakmp_ident.c: missing support for hybrid auth
1434
* src/racoon/{isakmp_base.c|oakley.c}: missing bits for hybrid/base mode
1435
1436
2005-04-09 Emmanuel Dreyfus <manu@netbsd.org>
1437
1438
* src/racoon/{algorithm.c|algorithm.h|cftoken.l|ipsec_doi.c}
1439
src/racoon/{isakmp.c|isakmp_agg.c|isakmp_ident.c|isakmp_base.c}
1440
src/racoon/{isakmp_frag.h|isakmp_xauth.c|oakley.c|racoon.conf.5}:
1441
Add Xauth + RSASIG, for client and server. Add all Xauth and
1442
IKE fragmentation logic to base and ident mode.
1443
* src/libipsec/{pfkey.c|pfkey_dump.c}
1444
src/setkey/parse.y: more missing TCP_MD5 bits from KAME
1445
1446
2005-04-08 Emmanuel Dreyfus <manu@netbsd.org>
1447
1448
* src/racoon/cfparse.y: a list of network can be specified for split
1449
tunnelling
1450
* src/racoon/{isakmp_cfg.c|racoon.conf.5}: add INTERNAL_CIDR4, the
1451
netmask in CIDR notation, to the hook script environement.
1452
* src/setkey/{token.l|parse.y|setkey.8}: KAME backport of missing
1453
bits for TCP_MD5 support.
1454
1455
From Fred Senault <fred.letter@lacave.net>
1456
* src/racoon/{cfparse.y|cftoken.l|ipsec_doi.c|ipsec_doi.h}
1457
src/racoon/racoon.conf.5: KEYID identifier can be taken from
1458
a file or from a quoted string
1459
1460
2005-04-05 Emmanuel Dreyfus <manu@netbsd.org>
1461
1462
From Fred Senault <fred.letter@lacave.net>
1463
* src/racoon/admin.c: fix the admin interface that was left behind
1464
after recent Xauth changes
1465
* src/racoon/{cfparse.y|isakmp_xauth.c|isakmp_xauth.h|oakley.c}
1466
src/racoon/{remoteconf.c|remoteconf.h}: factor Xauth info in
1467
remote conf within a single structure.
1468
* src/racoon/{isakmp.c|isakmp_cfg.c}: on client side, do not run
1469
phase1-up script before ISAKMP mode config is done
1470
* src/racoon/isakmp_inf.c: log a buggy condition
1471
* src/racoon/{isakmp.c|isakmp_agg.c|isakmp_base.c|isakmp_ident.c}
1472
src/racoon/{oakley.c|oakley.h}: Use the AUTHMETHOD macro to
1473
distinguish between XAUTH PSK and Kerberos authentications
1474
* src/racoon/{oakley.c|remoteconf.c}: set a default for certificate
1475
requests
1476
* src/racoon/isakmp_xauth.c: Fix serious security bug introduced
1477
on 2005-03-09: Xauth validation was required for phase 2 on the
1478
client (thus blocking phase 2), but not on the server (thus
1479
making it open regardless of Xauth exchange).
1480
* src/racoon/vendorid.c: dump unknown VIDs
1481
1482
1483
2005-04-06 Yvan Vanhullebus <vanhu@free.fr>
1484
1485
* src/racoon/crypto_openssl.c: Disable OpenSSL padding in
1486
evp_crypt(), because it may cause some interoperability problems.
1487
Solution reported by Ganesan Rajagopal.
1488
1489
2005-04-05 Emmanuel Dreyfus <manu@netbsd.org>
1490
1491
* src/racoon/main.c: build with hybrid but without libradius
1492
1493
2005-04-05 Yvan Vanhullebus <vanhu@free.fr>
1494
1495
* src/racoon/handler.h: added a flag to identify generated policies
1496
* src/racoon/isakmp.c: changed logging in isakmp_ph1expire()
1497
* src/racoon/isakmp_inf.c: use iph2->generated_spidx to check if
1498
policy have been generated in purge_remote_spi()
1499
* src/racoon/isakmp_quick.c: sets iph2->generated_spidx for
1500
generated policies
1501
* src/racoon/pfkey.c: reactivated the unbindph12() in pk_recvupdate()
1502
1503
2005-04-04 Emmanuel Dreyfus <manu@netbsd.org>
1504
1505
* src/racoon/isakmp_cfg.c: fix a buffer overrun in mode config SET
1506
1507
2005-03-30 Michal Ludvig <michal@logix.cz>
1508
1509
* configure.ac: Don't compile with NAT-T by default (according to
1510
documentation, finally :-)
1511
1512
2005-03-27 Michal Ludvig <michal@logix.cz>
1513
1514
From Zilvinas Valinskas <zilvinas@gemtek.lt>:
1515
* configure.ac:
1516
- Use AC_CHECK_HEADER for kernel headers instead of AC_CHECK_FILE.
1517
- Fix OpenSSL check for cross-compilation.
1518
* acracoon.m4(RACOON_CHECK_VA_COPY): Allow cross-compilation.
1519
(RACOON_CHECK_BUGGY_GETADDRINFO): Ditto.
1520
1521
2005-03-16 Emmanuel Dreyfus <manu@netbsd.org>
1522
1523
* src/racoon/privsep.c: check for NULL path in unsafe_path()
1524
* src/racoon/privsep.c: missing space
1525
1526
2005-03-15 Emmanuel Dreyfus <manu@netbsd.org>
1527
1528
* src/racoon/{cfparse.y|cftoken.l|isakmp.c|isakmp_cfg.c|isakmp_cfg.h}
1529
src/racoon/{isakmp_var.h|isakmp_xauth.c|localconf.h|privsep.c}
1530
src/racoon/{privsep.h|racoon.conf.5|remoteconf.c|remoteconf.h}
1531
src/racoon/main.c: Remove most of config dependency from
1532
privilegied instance for upcoming config reload patch.
1533
* src/racoon/isakmp_cfg.h: fix the application version for Xauth
1534
* src/racoon/isakmp_cfg.c: only call cleanup_pam when PAM is used
1535
1536
2005-03-14 Emmanuel Dreyfus <manu@netbsd.org>
1537
1538
* configure.ac: handle correctly dynamic libradius
1539
* src/racoon/cfparse.y: correctly initialize address pool
1540
1541
2005-03-13 Yvan Vanhullebus <vanhu@free.fr>
1542
1543
* src/racoon/isakmp.c: Fixed a buffer underrun (CAN-2005-0398)
1544
1545
2005-03-09 Emmanuel Dreyfus <manu@netbsd.org>
1546
1547
From Fred Senault <fred.letter@lacave.net>
1548
* src/racoon/cfparse.y: endainness bugfix
1549
* src/racoon/isakmp_xauth.c: off by one bugs in strings
1550
* src/racoon/oakley.h: missing parenthesis causing bugs
1551
1552
2005-03-09 Emmanuel Dreyfus <manu@netbsd.org>
1553
1554
* src/racoon/isakmp_xauth.c: fix a crash when using RADIUS auth
1555
1556
2005-03-07 Emmanuel Dreyfus <manu@netbsd.org>
1557
1558
From Fred Senault <fred.letter@lacave.net>
1559
* src/racoon/{algorithm.c|algorithm.h|cfparse.y|cftoken.l}
1560
src/racoon/{handler.c|ipsec_doi.c|ipsec_doi.h|isakmp.c}
1561
src/racoon/{isakmp_agg.c|isakmp_base.c|isakmp_cfg.c|isakmp_cfg.h}
1562
src/racoon/{isakmp_ident.c|isakmp_inf.c|isakmp_quick.c}
1563
src/racoon/{isakmp_unity.c|isakmp_xauth.c|kmpstat.c|oakley.c}
1564
src/racoon/{oakley.h|plainrsa-gen.8|privsep.c|racoon.conf.5}
1565
src/racoon/{racoonctl.c|remoteconf.c|remoteconf.h|strnames.c}
1566
src/racoon/{strnames.h|throttle.c}: Support plain Xauth, split
1567
tunnelling, multiple DNS & WINS in ISAKMP mode config.
1568
1569
2005-03-02 Yvan Vanhullebus <vanhu@free.fr>
1570
1571
* src/racoon/isakmp_quick.c: tunnel_mode_prop() is now public
1572
* src/racoon/isakmp_inf.c: fixed compilation if HAVE_POLICY_FWD.
1573
1574
2005-03-01 Yvan Vanhullebus <vanhu@free.fr>
1575
1576
* src/racoon/oakley.c: fixed oakley_newiv2() when errors
1577
1578
2005-02-24 Emmanuel Dreyfus <manu@netbsd.org>
1579
1580
* src/racoon/privsep.c: safety check port numbers given by the
1581
unprivilegied instance.
1582
* src/racoon/racoonctl.8: display fixes in racoonctl(8)
1583
1584
2005-02-23 Emmanuel Dreyfus <manu@netbsd.org>
1585
1586
* configure.ac, src/racoon/{Makefile.am|crypto_openssl.c}: optionnal
1587
support for patented algorithms: IDEA and RC5.
1588
* src/racoon/{isakmp_xauth.c|main.c}: don't initialize RADIUS if it
1589
is not required in the configuration
1590
* src/racoon/isakmp.c: do not reject addresses for which kernel
1591
refused UDP encapsulation, they can still be used for non NAT-T
1592
traffic (eg: NAT-T enabled racoon on non NAT-T enabled kernel)
1593
* src/libipsec/libpfkey.h: prefer __inline to inline
1594
* src/racoon/{cfparse.y|cftoken.l|localconf.c|localconf.h|privsep.c}
1595
src/racoon/racoon.conf.5: Add chroot capability
1596
1597
2005-02-18 Emmanuel Dreyfus <manu@netbsd.org>
1598
1599
* src/racoon/{main.c|eaytest.c|plairsa-gen.c}
1600
src/setkey/setkey.c: don't use fuzzy paths for package_version.h
1601
1602
2005-02-18 Michal Ludvig <michal@logix.cz>
1603
1604
* configure.ac, rpm/suse/ipsec-tools.spec.in,
1605
rpm/suse/Makefile.am: Distribute .spec file with
1606
resolved version string.
1607
* src/racoon/Makefile.am: Allow parallel cluster build.
1608
1609
2005-02-17 Emmanuel Dreyfus <manu@netbsd.org>
1610
1611
From Fred Senault <fred.letter@lacave.net>
1612
* src/racoon/remoteconf.c: Fix a bug in script init
1613
1614
2005-02-17 Yvan Vanhullebus <vanhu@free.fr>
1615
1616
* src/racoon/ipsec_doi.c: Workaround for phase1 lifetime checks
1617
1618
2005-02-16 Yvan Vanhullebus <vanhu@free.fr>
1619
1620
* src/racoon/isakmp_inf.c: Purge generated SPDs when getting a
1621
related DELETE_SA
1622
* src/racoon/pfkey.c: do NOT unbindph12() when SA acquire
1623
1624
2005-02-15 Michal Ludvig <michal@logix.cz>
1625
1626
* configure.ac: Changed --enable-natt_NN to --enable-natt-versions=NN,NN
1627
1628
---------------------------------------------
1629
1630
Branch for 0.6 created (ipsec-tools-0_6-branch)
1631
1632
2005-02-11 Emmanuel Dreyfus <manu@netbsd.org>
1633
1634
From Jason Thorpe <thorpej@netbsd.org>
1635
* src/raccon/samples/racoon.conf.sample-gssapi
1636
src/racoon/{cfparse.y|cftoken.l|gssapi.c|gssapi.h|ipsec_doi.c}
1637
src/racoon/{localconf.c|localconf.h|racoon.conf.5}
1638
configure.ac: Multiple GSSAPI fixes to get interoperability
1639
with Microsoft IKE.
1640
1641
2005-02-09 Emmanuel Dreyfus <manu@netbsd.org>
1642
1643
* src/racoon/{cfparse.y|isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c}
1644
src/racoon/{isakmp_xauth.h|main.c|privsep.c|privsep.h}
1645
src/racoon/racoon.conf.5: Make PAM work with privilege separation
1646
1647
2005-02-07 Michal Ludvig <michal@logix.cz>
1648
1649
From Krisztian Kovacs:
1650
* src/racoon/cfparse.y: Allocate correct space for "struct sockaddr".
1651
1652
2005-01-30 Yvan Vanhullebus <vanhu@free.fr>
1653
1654
* src/racoon/vmbuf.c: bugfix in vrealloc()
1655
* src/racoon/oakley.c: mem leak fix in INITDHVAL()
1656
* src/racoon/session.c: mem leak fix in check_flushsa()
1657
1658
2005-01-29 Yvan Vanhullebus <vanhu@free.fr>
1659
1660
* src/racoon/isakmp_{ident|agg}.c: NAT-T cleanup
1661
* src/racoon/pfkey.c: Uses NATT encaps_type in pk_sendupdate()
1662
* src/racoon/vendorid.[ch]: NAT-T cleanup, NATT_01 VID
1663
* src/racoon/nattraversal.[ch]: NATT cleanup, support for all
1664
drafts (disabled by default) / RFC.
1665
* src/racoon/isakmp.h: NATT cleanup for NATT RFC support
1666
* src/racoon/ipsec_doi.h: updated comments about NATT
1667
* configure.ac: enable-natt_XX options
1668
* src/racoon/isakmp.c: set UDP_ENCAPS_ESPINUDP_NON_IKE option when needed
1669
1670
1671
2005-01-29 Emmanuel Dreyfus <manu@netbsd.org>
1672
1673
From Fred Senault <fred@lacave.net>
1674
* src/racoon/pfkey.c: Update SAD even if NAT-T is disabled, so that
1675
phase2 can start.
1676
1677
2005-01-23 Emmanuel Dreyfus <manu@netbsd.org>
1678
1679
* src/setkey/{sekkey.8|setkey.c|token.l|parse.y}: implement NetBSD's
1680
SADB_X_AALG_TCP_MD5. Resurrect setkey -h meaning on NetBSD.
1681
1682
2005-01-22 Emmanuel Dreyfus <manu@netbsd.org>
1683
1684
From Fred Senault <fred@lacave.net>
1685
* src/racoon/{cftoken.l|cfparse.y|raccon.conf.5}
1686
src/racoon/samples/roadwarrior/README: change "my_identifier login"
1687
into "xauth_login" in the config file so that we can introduce Xauth
1688
with a pre-shared key later.
1689
1690
2005-01-21 Emmanuel Dreyfus <manu@netbsd.org>
1691
1692
* src/racoon/samples/roadwarrior/client/{phase1-up.sh|phase1-down.sh}:
1693
workaround Linux problems. This needs a better fix.
1694
1695
2005-01-18 Emmanuel Dreyfus <manu@netbsd.org>
1696
1697
* src/racoon/privsep.c: build without ENABLE_HYBRID
1698
1699
2005-01-14 Emmanuel Dreyfus <manu@netbsd.org>
1700
1701
* src/raccon/rfc/{rfc3947.txt|rfc3948.txt}: new files (NAT-T)
1702
1703
2005-01-13 Yvan Vanhullebus <vanhu@free.fr>
1704
1705
* src/racoon/ipsec_doi.c: Uses proposal_check value to check phase
1706
1 lifetime.
1707
* src/racoon/racoon.conf.5: Updated racoon man page for phase 1
1708
lifetime check / proposal_check.
1709
1710
2005-01-11 Emmanuel Dreyfus <manu@netbsd.org>
1711
1712
* src/racoon/isakjmp_quick.c: endianness bugfix from KAME
1713
1714
2005-01-07 Emmanuel Dreyfus <manu@netbsd.org>
1715
1716
* src/racoon/{cfparse.y|cftoken.l|nattraversal.h|pfkey.c}
1717
src/racoon/{racoon.conf.5|remoteconf.c|remoteconf.h}
1718
src/libipsec/{libpfkey.h|pfkey.c}: ESP fragmentation size is
1719
now configurable (supported only on NetBSD so far).
1720
1721
2005-01-05 Emmanuel Dreyfus <manu@netbsd.org>
1722
1723
* src/racoon/privsep.c: Build again on Linux with privsep
1724
1725
2005-01-03 Emmanuel Dreyfus <manu@netbsd.org>
1726
1727
* src/racoon/{isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c|isakmp_xauth.h}
1728
src/racoon/{cfparse.y|cftoken.l|racoon.conf.5}
1729
src/racoon/doc/FAQ
1730
configure.ac: PAM support for authentication and accounting in
1731
hybrid auth
1732
1733
2005-01-02 Emmanuel Dreyfus <manu@netbsd.org>
1734
1735
* src/racoon/admin.c: never fork, it buys nothing an break on some
1736
operations
1737
1738
2004-12-30 Emmanuel Dreyfus <manu@netbsd.org>
1739
1740
* src/racoon/{Makefile.am|admin.h|cfparse.y|cftoken.l|isakmp.c}
1741
src/racoon/{isakmp_cfg.c|isakmp_cfg.h|isakmp_var.h| isakmp_xauth.c}
1742
src/racoon/{localconf.c|localconf.h|main.c|oakley.c|pfkey.c}
1743
src/racoon/{racoon.conf.5|remoteconf.c|remoteconf.h|session.c}
1744
src/racoon/{privsep.c|privsep.h}: new files
1745
Privilege separation
1746
1747
* src/racoon/{Makefile.am|admin.h|admin_var.h|kmpstat.c}
1748
src/racoon/{racoonctl.c|racoonctl.h}: new files
1749
configure.ac: publically export the adminport interface so that
1750
external program can control racoon
1751
1752
* src/racoon/{racoonctl.c|racoonctl.h|kmpstat.c}: Add interface
1753
versionning
1754
1755
* src/racoon/admin.h: make sure no / will be missing in adminsock path
1756
1757
---------------------------------------------
1758
1759
Branch for 0.5 created (ipsec-tools-0_5-branch)
1760
1761
2004-12-23 Yvan Vanhullebus <vanhu@free.fr>
1762
1763
* src/racoon/crypto_openssl.c: Indentation
1764
1765
2004-12-28 Yvan Vanhullebus <vanhu@free.fr>
1766
1767
* src/racoon/crypto_openssl.c: Fixed eay_get_x509subjectaltname()
1768
when getting an IP (Bug # 1092095)
1769
1770
1771
2004-12-26 Emmanuel Dreyfus <manu@netbsd.org>
1772
1773
* src/racoon/session.c: remove outdated comment
1774
1775
---------------------------------------------
1776
1777
0.5.beta2 released
1778
1779
2004-12-21 Michal Ludvig <michal@logix.cz>
1780
1781
* src/racoon/pfkey.c: Fix AES vs Rijndael defines.
1782
1783
2004-12-20 Yvan Vanhullebus <vanhu@free.fr>
1784
1785
* configure.ac, src/racoon/isakmp.c, src/racoon/pfkey.c:
1786
Some FreeBSD / NATT support.
1787
1788
2004-12-17 Emmanuel Dreyfus <manu@netbsd.org>
1789
1790
* src/racoon/isakmp.c: only IPv4 NAT-T is supported, so skip IPv6 here.
1791
* src/racoon/pfkey.c: Restore AES support on NetBSD.
1792
1793
2004-12-17 Yvan Vanhullebus <vanhu@free.fr>
1794
1795
* src/racoon/crypto_openssl.c: Uses sprintf() instead of
1796
asprintf() in eay_get_x509subjectaltname(), because of some
1797
compilation problems reported with asprintf() on some platforms.
1798
* src/racoon/oakley.c: just take the first cert in
1799
oakley_savecert() if cert ID check is disabled.
1800
1801
2004-12-16 Emmanuel Dreyfus <manu@netbsd.org>
1802
1803
* src/racoon/crypto_openssl.c: Build again on NetBSD
1804
* src/racoon/samples/roadwarrior/server/racoon
1805
src/racoon/samples/roadwarrior/server/racoon.conf-radius
1806
src/racoon/samples/roadwarrior/README: Use DPD in sample files.
1807
1808
2004-12-16 Yvan Vanhullebus <vanhu@free.fr>
1809
1810
* src/racoon/crypto_openssl.c: Fixed eay_get_x509subjectaltname()
1811
when SubjectAltName contains an IP. OpenSSL code from Ludovic
1812
Flament (ludovic.flament@free.fr).
1813
1814
---------------------------------------------
1815
1816
0.5.beta1 released
1817
1818
2004-12-13 Michal Ludvig <mludvig@suse.cz>
1819
1820
From Ganesan R <rganesan@users.sourceforge.net>:
1821
* src/racoon/Makefile.am, src/setkey/Makefile.am: Fix compilation
1822
with shared libraries.
1823
1824
2004-12-10 Yvan Vanhullebus <vanhu@free.fr>
1825
1826
* src/racoon/oakley.c: takes the first certificate which matches
1827
the Identity, instead of just taking the first certificate.
1828
1829
2004-12-07 Yvan Vanhullebus <vanhu@free.fr>
1830
1831
* src/racoon/isakmp_inf.c: Set spi_size for R-U-THERE/R-U-THERE-ACK.
1832
1833
2004-12-04 Aidas Kasparas <a.kasparas@gmc.lt>
1834
1835
* src/libipsec/pfkey_dump.c: distinguish per-socket policies from
1836
general ones (Linux case);
1837
* src/racoon/pfkey.c: dito, do not negotiate policies if racoon
1838
do not listen on out tunnel's source address.
1839
1840
2004-12-01 Yvan Vanhullebus <vanhu@free.fr>
1841
1842
* src/racoon/isakmp_agg.c: code cleanup in NATT / DPD VIDs
1843
generation in r1send()
1844
1845
2004-12-01 Yvan Vanhullebus <vanhu@free.fr>
1846
1847
* src/racoon/remoteconf.{c|h}: DPD support option (enabled by default)
1848
* src/racoon/{cfparse.y|cftoken.l}: DPD token, yyerror if DPD
1849
parameters but compiled without ENABLE_DPD
1850
* src/racoon/isakmp_{agg|ident}.c: Send DPD VID only if DPD
1851
support activated in configuration
1852
1853
2004-11-30 Emmanuel Dreyfus <manu@netbsd.org>
1854
1855
* src/racoon{evt.c|evt.h|admin.c}: init event queue at compile time,
1856
to avoid garbage pointer if admin port is disabled.
1857
* src/racoon/{throttle.c|throttle.h}: new files
1858
src/racoon/{Makefile.am|isakmp_cfg.c|isakmp_xauth.c|racoon.conf.5}
1859
configure.ac: Add a per-host throttling count. When throttling,
1860
don't sleep, schedule the answer for later instead.
1861
* src/racoon/kmpstat.c: default with no hexdump of the packet
1862
* src/racoon/admin.c: don't remove admin socket after first request,
1863
on the other hand remove on startup stale sockets left by
1864
crashed racoon.
1865
* src/racoon/samples/roadwarrior/README
1866
src/racoon/kmpstat.c: fix option parsing problem on Linux
1867
1868
2004-11-29 Yvan Vanhullebus <vanhu@free.fr>
1869
1870
* src/racoon/session.c: Only listen on pfkey socket when received
1871
shutdown signal
1872
1873
2004-11-28 Emmanuel Dreyfus <manu@netbsd.org>
1874
1875
* src/racoon/{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h}
1876
src/racoon/{isakmp_xauth.c|racoon.conf.5}: Add a one second throttle
1877
on each Xauth authentication to avoid brute force attacks
1878
1879
2004-11-24 Emmanuel Dreyfus <manu@netbsd.org>
1880
1881
* src/racoon/samples/roadwarrior/README
1882
src/racoon/samples/roadwarrior/client{phase1-up.sh|phase1-down.sh}
1883
src/racoon/samples/roadwarrior/client/{racoon.conf|racoon.conf-radius}
1884
src/racoon/samples/roadwarrior/server/{racoon.conf|phase1-down.sh}:
1885
Fill Linux gaps for hybrid auth client, Replace public IP by
1886
private and example IP in the sample config files.
1887
1888
2004-11-24 Emmanuel Dreyfus <manu@netbsd.org>
1889
1890
DPD patch from Yvan Vanhullebus <vanhu@free.fr>
1891
* src/racoon/cfparse.y: missing bits for DPD support
1892
1893
2004-11-23 Aidas Kasparas <a.kasparas@gmc.lt>
1894
1895
* src/setkey/parse.y: generate require fwd policies for unique in
1896
policies.
1897
* src/setkey/setkey.c: made -r/-k options awailable only when
1898
system has FWD policies.
1899
* src/setkey/setkey.8: updated docs about change above.
1900
1901
2004-11-22 Michal Ludvig <mludvig@suse.cz>
1902
1903
* src/racoon/{admin.c,pfkey.c}: Wrap adminport-parts to
1904
#ifdef ENABLE_ADMINPORT/#endif.
1905
1906
2004-11-22 Michal Ludvig <mludvig@suse.cz>
1907
1908
Revert these changes (ludvigm, 2004-11-18):
1909
* src/racoon/Makefile.am: install sample racoon.conf and psk.txt.
1910
* src/setkey/Makefile.am: Install setkey.conf.
1911
1912
2004-11-22 Emmanuel Dreyfus <manu@netbsd.org>
1913
1914
* src/raccon/{isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c}: defer phase 1
1915
removal so that it's not used after been deleted.
1916
* src/racoon/{evt.h|isakmp.c|isakmp_agg.c|isakmp_base.c|session.c}
1917
src/racoon/{isakmp_ident.c|isakmp_inf.c|kmpstat.c}: report more
1918
errors to racoonctl
1919
1920
2004-11-21 Emmanuel Dreyfus <manu@netbsd.org>
1921
1922
* src/racoon/doc/FAQ: NAT-T kernel patch for NetBSD is now on
1923
the ipsec-tools web site
1924
* src/racoon/{kmpstat.c|racoonctl.8}: New racoonctl command to
1925
display all events reported by racoon: show-event
1926
* src/racoon/isakmp_cfg.c: don't send ISAKMP mode config message
1927
with immature or dying phase 1
1928
* src/racoon/kmpstat.c: racoonctl vd awaits phase 1 to get down
1929
1930
2004-11-20 Emmanuel Dreyfus <manu@netbsd.org>
1931
1932
* src/racoon/isakmp_agg.c: for hybrid auth client, advertise ourself
1933
as Unity compliant.
1934
* src/racoon/{evt.c|evt.h}: new files
1935
src/racoon/{Makefile.am|admin.c|admin.h|isakmp.c|isakmp_cfg.c}
1936
src/racoon/{isakmp_xauth.c|kmpstat.c|pfkey.c}: framework for
1937
event reporting from racoon to racoonctl
1938
1939
2004-11-20 Aidas Kasparas <a.kasparas@gmc.lt>
1940
1941
* src/racoon/grabmyaddr.c: Prevent doubling addresses and error messages
1942
when racoon is compiled with INET6 support and kernel is not.
1943
Fixed with help of Zilvinas Valinskas.
1944
* src/racoon/{var.h|sockmisc.c}: Fixed compilation with gcc-3.4.2+
1945
problem.
1946
1947
2004-11-19 Emmanuel Dreyfus <manu@netbsd.org>
1948
1949
* src/racoon/doc/FAQ: more options and warn about software patents.
1950
1951
2004-11-18 Emmanuel Dreyfus <manu@netbsd.org>
1952
1953
* src/racoon/vmbuf.c: don't allocate zero-length buffer
1954
* src/racoon/samples/roadwarrior/client/phase1-down.sh
1955
src/racoon/samples/roadwarrior/server/phase1-down.sh: Also
1956
flush SAD when disconnecting.
1957
* src/racoon/admin.c: Send a notification when deleting ISAKMP SA
1958
* src/racoon/samples/roadwarrior/README: accomodate the recent
1959
sysconfdir change
1960
1961
2004-11-18 Michal Ludvig <mludvig@suse.cz>
1962
1963
* src/racoon/Makefile.am: Fix adminsocket dir, install sample
1964
racoon.conf and psk.txt.
1965
* src/racoon/localconf.h: Look for racoon.conf in $(SYSCONFDIR),
1966
not $(SYSCONFDIR)/racoon.
1967
* src/racoon/algorithm.h, src/racoon/eaytest.c,
1968
src/racoon/schedule.h, src/racoon/gnuc.h: Build fixes for really
1969
strict environments.
1970
* src/setkey/setkey.conf: Yet another sample config file.
1971
* src/setkey/Makefile.am: Install setkey.conf.
1972
* rpm/suse/{ipsec-tools.spec.in,sysconfig.racoon,racoon.init}: New
1973
files.
1974
* rpm/suse/{Makefile.am,.cvsignore}: New files.
1975
* configure.ac, rpm/Makefile.am: Build in rpm/suse.
1976
1977
2004-11-17 Aidas Kasparas <a.kasparas@gmc.lt>
1978
1979
* configure.ac: paste bugfix by Zilvinas Valinskas
1980
* src/racon/{isakmp_quick.c|policy.c|strnames.c}: fwd policy support
1981
for generated policies. Path by Patrick McHardy.
1982
1983
2004-11-16 Emmanuel Dreyfus <manu@netbsd.org>
1984
1985
* src/racoon/racoonctl.8: racoonctl man page (new file)
1986
1987
2004-11-16 Emmanuel Dreyfus <manu@netbsd.org>
1988
1989
From Ganesan <rganesan@users.sourceforge.net>
1990
* src/racoon/ipsec_doi.c: fix free'd memory access
1991
1992
2004-11-16 Michal Ludvig <mludvig@suse.cz>
1993
1994
DPD patch from Yvan Vanhullebus <vanhu@free.fr>
1995
* configure.ac, src/racoon/cfparse.y, src/racoon/cftoken.l,
1996
src/racoon/handler.c, src/racoon/handler.h,
1997
src/racoon/isakmp.c, src/racoon/isakmp.h,
1998
src/racoon/isakmp_agg.c, src/racoon/isakmp_ident.c,
1999
src/racoon/isakmp_inf.c, src/racoon/isakmp_inf.h,
2000
src/racoon/racoon.conf.5 src/racoon/remoteconf.c,
2001
src/racoon/remoteconf.h, src/racoon/vendorid.c,
2002
src/racoon/vendorid.h: Dead Peer Detection (DPD) support.
2003
2004
2004-11-16 Michal Ludvig <mludvig@suse.cz>
2005
2006
* configure.ac: Remove a bash-specific construction, take II.
2007
* src/racoon/grabmyaddr.c: FreeBSD fix for headers.
2008
2009
2004-11-15 Michal Ludvig <mludvig@suse.cz>
2010
2011
* configure.ac: Use correct include paths during ./configure run.
2012
* src/racoon/Makefile.am: Compile cftoken.l from $(srcdir),
2013
remove samples/racoon.conf.sample-cvpn, added samples/roadwarrior
2014
(hint, hint, manu :-))
2015
2016
2004-11-15 Emmanuel Dreyfus <manu@netbsd.org>
2017
2018
* README: update the docs
2019
* src/racoon/doc/FAQ: update the docs
2020
* configure.ac: Remove a bash-specific construction
2021
2022
2004-11-14 Aidas Kasparas <a.kasparas@gmc.lt>
2023
2024
* src/racoon/cfparse.y: ensure that returns from rules are
2025
initialized even on erroneous config file.
2026
* src/racoon/admin_var.h: changed management socket location
2027
* src/racoon/Makefile.am: ditto, added rule to install directory
2028
for management socket.
2029
* src/setkey/{setkey.c|parse.y}: introduced rfc/kernel modes,
2030
added generation of fwd policies for every in policy spdadd'ed.
2031
* src/setkey/setkey.8,src/libipsec/ipsec_set_policy.3: updated docs
2032
* src/setkey/policy_token.l: return something reasonable when
2033
fwd direction is parsed on systems with no forward policy
2034
support.
2035
2036
2004-11-14 Emmanuel Dreyfus <manu@netbsd.org>
2037
2038
* src/racoon/isakmp.c: avoid a double free when using IKE fragmentation
2039
* src/racoon/{backupsa.c|ipsec_doi.c|localconf.c|str2val.c}
2040
src/{libipsec/key_debug.c|setkey/parse.y}: fix build warnings
2041
* configure.ac src/racoon/{admin.c|admin_var.h}
2042
src/racoon/racoon.conf.5 src/racoon/samples/roadwarrior/README
2043
src/racoon/samples/roadwarrior/client/racoon.conf: make the default
2044
mode for the admin socket more secure.
2045
2046
2004-11-13 Emmanuel Dreyfus <manu@netbsd.org>
2047
2048
* src/racoon/{cfparse.y|remoteconf.c|crypto_openssl.c|crypto_openssl.h}
2049
src/racoon/{eaytest.c|oakley.c|racoon.conf.5|cftoken.l|remoteconf.h}
2050
src/racoon/samples/roadwarrior/README
2051
src/racoon/samples/roadwarrior/client/racoon.conf: Make the root
2052
certificate authority location per-peer and configurable.
2053
* src/racoon/isakmp_frag.c: fix unallocated memory access
2054
* src/racoon/isakmp_agg.c: fix incorrect queue deallocation
2055
* src/racoon/remoteconf.c: fix uninitialized data
2056
* src/racoon/{admin.c|isakmp_xauth.c}: fix free'ed memory access
2057
2058
2004-11-12 Emmanuel Dreyfus <manu@netbsd.org>
2059
2060
* src/racoon/{Makefile.am|kmpstat.c}: Make racoonctl vc and vd
2061
commands IPv6 friendly.
2062
* src/racoon/{admin.c|admin.h|handler.c|handler.h|kmpstat.c}:
2063
Add an admin message to flush all the SA for a given peer.
2064
Convert racoonctl vd to use it.
2065
* src/racoon/{admin.c|kmpstat.c|cftoken.l|cfparse.y}
2066
src/racoon/{admin_var.h|admin.h|raccon.conf.5}: Enable the
2067
administrator to choose the admin socket path, ownership and mode.
2068
* src/racoon/sample/roadwarrior: complete config files for
2069
road warriors using hybrid authentication.
2070
2071
2004-11-12 Michal Ludvig <mludvig@suse.cz>
2072
2073
* configure.ac: Config option --enable-natt=kernel
2074
* src/racoon/Makefile.am: Distribute only yacc/lex source files,
2075
not the preprocessed .c files.
2076
2077
2004-11-11 Emmanuel Dreyfus <manu@netbsd.org>
2078
2079
* src/racoon/samples/racoon.conf.sample-cvpn: more complete setup
2080
and comments in the VPN concentrator setup for the Cisco VPN client
2081
* src/racoon/racoon.conf.5: fix documentation
2082
* src/racoon/isakmp_cfg.c: get the internal IPv4 address in script
2083
hooks event if we are a server.
2084
2085
2004-11-10 Emmanuel Dreyfus <manu@netbsd.org>
2086
2087
* src/racoon/{ipsec_doi.c|remoteconf.c}: fix LP64 problems
2088
2089
2004-11-09 Michal Ludvig <mludvig@suse.cz>
2090
2091
* Makefile.am: Remove aclocal-related lines.
2092
* src/racoon/Makefile.am: Add isakmp_frag.h into noints_HEADERS
2093
* configure.ac: Cleanup, define INET6 if IPv6 shoud be supported,
2094
better handling of KRB5 and NAT-T.
2095
* src/racoon/{isakmp_cfg.c,isakmp_frag.c,isakmp_unity.c}: Make
2096
FreeBSD happy with includes (Arrgh...&^#$^@!!!)
2097
2098
2004-11-08 Michal Ludvig <mludvig@suse.cz>
2099
2100
* src/libipsec/policy_parse.y: Define INT32_MAX/INT32_MIN.
2101
* src/libipsec/policy_token.l, src/racoon/kmpstat.c,
2102
src/racoon/{pfkey.c,prsa_par.y,rsalist.c,token.l}: Small
2103
fixes to support FreeBSD (tested with 4.10).
2104
2105
2004-11-05 Michal Ludvig <mludvig@suse.cz>
2106
2107
* configure.ac: Add --with-readline switch.
2108
* src/setkey/setkey.c(stdin_loop): Fix newlines and comments
2109
when compiled without readline.
2110
2111
2004-11-01 Aidas Kasparas <a.kasparas@gmc.lt>
2112
2113
* src/racoon/isakmp_quick.c: generated policy refresh patch
2114
by Yvan Vanhullebus
2115
2116
2004-10-29 Michal Ludvig <mludvig@suse.cz>
2117
2118
* configure.ac: Check for IPSEC_DIR_FWD and eventually define
2119
HAVE_POLICY_FWD.
2120
* src/libipsec/{ipsec_dump_policy.c,policy_token.l}: Use
2121
HAVE_POLICY_FWD in ifdefs.
2122
* NEWS: Mention the fix.
2123
* src/racoon/kmpstat.c: Fix compilation on Linux.
2124
* src/racoon/ipsec_doi.h: Ditto.
2125
* src/racoon/Makefile.am, src/setkey/Makefile.am: Update
2126
explicit dependencies.
2127
2128
2004-10-29 Emmanuel Dreyfus <manu@netbsd.org>
2129
2130
* src/racoon/{isakmp_cfg.h,grabmyaddr.c,handler.c,handler.h}:
2131
do not reconfigure internal addresses obtained through ISAKMP
2132
mode config.
2133
* src/racoon/{isakmp.c,isakmp_cfg.c,isakmp_xauth.c}: On authentication
2134
failure, kill the phase 1 and log the failure. Do not run the sa_up
2135
script in this case.
2136
* src/racoon/{admin.c,admin.h,isakmp_xauth.c,kmpstat.c,remoteconf.h}:
2137
Add -u user to racoonctl establish-sa, prompt for the PSK from
2138
the terminal, and add a vpn-connect target with simplified syntax
2139
for establishing a SA in the road warrior case.
2140
* src/racoon/{admin.c,kmpstat.c}: implement delete-sa and
2141
vpn-disconnect commands of racoonctl
2142
* src/racoon/{cfparse.y,cftoken.l,handler.c,isakmp.c,isakmp_cfg.c}
2143
src/racoon/{isakmp_var.h,racoon.conf.5,remoteconf.c,remoteconf.h}:
2144
Remove sa_up and sa_down and replace them by a more general
2145
script hook framework.
2146
2147
2004-10-27 Emmanuel Dreyfus <manu@netbsd.org>
2148
2149
* src/racoon/nattraversal.c: Use macros instead of magic numbers
2150
* src/racoon/kmpstat.c: pull up fixes from KAME so that racoonctl
2151
can actually establish a SA
2152
* src/racoon/{cfparse.y,cftoken.l,handler.c,isakmp.c,isakmp_cfg.c}
2153
src/racoon/{isakmp_var.h,racoon.conf.5,remoteconf.c,remoteconf.h}:
2154
Shell script hooks for ISAKMP SA creation and removal
2155
2156
2004-10-26 Emmanuel Dreyfus <manu@netbsd.org>
2157
2158
* src/racoon/rfc/draft-ietf-ipsec-isakmp-hybrid-auth-05.txt: removed
2159
src/racoon/rfc/draft-ietf-ipsec-isakmp-mode-cfg-04.txt: removed
2160
src/racoon/rfc/draft-beaulieu-ike-xauth-02.txt: new file
2161
src/racoon/rfc/draft-dukes-ike-mode-cfg-02.txt: new file
2162
Update to the latest drafts
2163
2164
2004-10-25 Emmanuel Dreyfus <manu@netbsd.org>
2165
2166
* src/racoon/rfc/draft-ietf-ipsec-isakmp-hybrid-auth-05.txt: new file
2167
src/racoon/rfc/draft-ietf-ipsec-isakmp-mode-cfg-04.txt: new file
2168
src/racoon/rfc/draft-ietf-ipsec-isakmp-xauth-07.txt: new file
2169
drafts documenting ISAKMP mode config, Xauth and hybrid auth
2170
* src/racoon/cftoken.l: fix build problem, add an error message
2171
when using hybrid auth options while hybrid auth is not built
2172
* src/racoon/isakmp_cfg.c: build without RADIUS support too
2173
2174
2004-10-24 Emmanuel Dreyfus <manu@netbsd.org>
2175
2176
* src/racoon/{algorithm.c,algorithm.h,cfparse.y,cftoken.l}
2177
src/racoon/{ipsec_doi.c,ipsec_doi.h,isakmp.c,isakmp_agg.c}
2178
src/racoon/{isakmp_cfg.c,isakmp_cfg.h,isakmp_xauth.c,isakmp_xauth.h}
2179
src/racoon/{oakley.c,oakley.h,racoon.conf.5}
2180
src/racoon/{remoteconf.c,remoteconf.h,strnames.c}: Client side
2181
of hybrid auth and ISAKMP mode config
2182
2183
2004-10-24 Emmanuel Dreyfus <manu@netbsd.org>
2184
2185
* src/racoon/{cfparse.y,cftoken.l,handler.h,isakmp.c}
2186
src/racoon/{isakmp_agg.c,isakmp_base.c,isakmp_frag.c,isakmp_frag.h}
2187
src/racoon/{isakmp_inf.c,racoon.conf.5,remoteconf.c,remoteconf.h}:
2188
Receiver-side of IKE fragmentation
2189
2190
2004-10-24 Emmanuel Dreyfus <manu@netbsd.org>
2191
2192
* src/racoon/isakmp_cfg.c: Fix read buffer overflow
2193
* src/racoon/isakmp_xauth.c: Fix weak authentication
2194
* src/racoon/{oakley.c,oakley.h}: Fix weak authentication
2195
2196
2004-10-21 Michal Ludvig <mludvig@suse.cz>
2197
2198
From Emmanuel Dreyfus:
2199
* src/racoon/{isakmp_frag.c,isakmp_frag.h}: New files.
2200
* src/racoon/isakmp_cfg.c: Fix endianness.
2201
2202
2004-10-20 Michal Ludvig <mludvig@suse.cz>
2203
2204
From Emmanuel Dreyfus:
2205
* src/racoon/{cfparse.y,cftoken.l,handler.c},
2206
src/racoon/{isakmp_cfg.c,isakmp_cfg.h,isakmp_xauth.c},
2207
src/racoon/racoon.conf.5: RADIUS IP addresses allocation
2208
and RADIUS accounting.
2209
* configure.ac,
2210
src/racoon/{Makefile.am,handler.h,isakmp.c,isakmp.h},
2211
src/racoon/{isakmp_agg.c,isakmp_base.c,isakmp_inf.c},
2212
src/racoon/{vendorid.c,vendorid.h}: IKE Fragmentation patch.
2213
2214
2004-10-08 Michal Ludvig <mludvig@suse.cz>
2215
2216
* src/racoon/isakmp_cfg.c: Fixes from Emmanuel Dreyfus.
2217
2218
2004-10-06 Aidas Kasparas <a.kasparas@gmc.lt>
2219
2220
* src/racoon/remoteconf.c: dupidvl(), dupetypes() - new functions
2221
to duplicate dynamically allocatd structures; duprmconf() - call
2222
these functions to produce private copy of inherited id and etype
2223
structures.
2224
* src/racoon/remoteconf.c: declaration for dupetypes().
2225
2226
2004-10-04 Aidas Kasparas <a.kasparas@gmc.lt>
2227
2228
* src/racoon/cfparse.y: check inherited_from dereferencing
2229
* src/racoon/crypto_openssl.c: prevent crash on incorect DNs
2230
2231
2004-09-27 Michal Ludvig <mludvig@suse.cz>
2232
2233
From KOVACS Krisztian <hidden@balabit.hu>:
2234
* src/racoon/sockmisc.c(sendfromto): Set src address.
2235
2236
2004-09-24 Aidas Kasparas <a.kasparas@gmc.lt>
2237
2238
* configure.ac: added check for linux-gnu, as my box reports
2239
* src/racoon/grabmyaddr.c: added missing <linux/types.h> include
2240
2241
2004-09-21 Michal Ludvig <mludvig@suse.cz>
2242
2243
Merged 'autoconf' branch to mainline:
2244
* .cvsignore, ChangeLog, Makefile.am, bootstrap, configure.ac,
2245
src/racoon/.cvsignore, src/racoon/cfparse.y,
2246
src/racoon/crypto_openssl.c, src/racoon/crypto_openssl.h,
2247
src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
2248
src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
2249
src/racoon/isakmp_cfg.c, src/racoon/isakmp_ident.c,
2250
src/racoon/isakmp_unity.c, src/racoon/main.c,
2251
src/racoon/nattraversal.c, src/racoon/oakley.c,
2252
src/racoon/oakley.h, src/racoon/sockmisc.c,
2253
src/racoon/missing/crypto/sha2/sha2.c: Modified (see ChangeLog
2254
in 'autoconf' branch for details).
2255
* acracoon.m4, src/racoon/Makefile.am: New files.
2256
* src/racoon/Makefile.in, src/racoon/aclocal.m4,
2257
src/racoon/client-puzzle.c, src/racoon/config.guess,
2258
src/racoon/config.sub, src/racoon/configure.in,
2259
src/racoon/install-sh, src/racoon/doc/SantaBarbara-result.jp,
2260
src/racoon/doc/helsinki-result.jp, src/racoon/doc/ibm-result.jp,
2261
src/racoon/doc/pattern, src/racoon/doc/question,
2262
src/racoon/doc/racoonquestion.sh, src/racoon/doc/redmond.txt,
2263
src/racoon/doc/rules.jp, src/racoon/doc/sandiego-result.en,
2264
src/racoon/doc/sandiego-result.jp,
2265
src/racoon/doc/sandiego0009-result.en,
2266
src/racoon/missing/addrinfo.h, src/racoon/missing/getaddrinfo.c,
2267
src/racoon/missing/getnameinfo.c, src/racoon/samples/Makefile,
2268
src/racoon/samples/sandiego.pl: Removed.
2269
2270
2004-09-17 Michal Ludvig <mludvig@suse.cz>
2271
2272
* src/racoon/vendorid.[ch]: Rewrote the VendorID handling.
2273
We don't use the array with fixed offsets anymore, instead
2274
a generally unordered structure with ID, string and
2275
precomputed MD5 hashes.
2276
* src/racoon/{isakmp_agg.c,isakmp_base.c,isakmp_ident.c},
2277
src/racoon/nattraversal.c: Updated to the new VID model.
2278
* src/racoon/main.c(main): Precompute VendorIDs.
2279
* src/racoon/arc4random.h, src/racoon/missing/arc4random.c:
2280
Files removed. Function arc4random() renamed to eay_random()
2281
and moved to crypto_openssl.c.
2282
* src/racoon/pfkey.c, src/racoon/oakley.c, src/racoon/main.c,
2283
src/racoon/isakmp.c: Updated to the above change.
2284
* src/racoon/Makefile.in, src/racoon/configure.in: Remove
2285
arc4random() from building.
2286
* src/racoon/crypto_openssl.[ch](eay_random): New function.
2287
* src/racoon/isakmp_cfg.c, src/racoon/isakmp_unity.c,
2288
src/racoon/isakmp_xauth.c: Cleaned up headers.
2289
2290
2004-09-16 Michal Ludvig <mludvig@suse.cz>
2291
2292
* src/racoon/crypto_openssl.c (base64_encode): Terminate
2293
the result with '\0'.
2294
2295
2004-09-15 Michal Ludvig <mludvig@suse.cz>
2296
2297
* configure.ac: How about calling the next version 0.5?
2298
* src/include-glibc/glibc-bugs.h: Define _XOPEN_SOURCE
2299
_BSD_SOURCE and don't require <linux/types.h>
2300
* src/racoon/isakmp_cfg.c, src/racoon/isakmp_unity.c,
2301
src/racoon/isakmp_xauth.c: Don't include <netkey/key_var.h>
2302
* src/racoon/Makefile.in: Add new files to distribution.
2303
* src/racoon/configure.in: Fix linux kernel NATT detection.
2304
* src/setkey/parse.y: Fix types.
2305
* src/racoon/backupsa.c, src/racoon/ipsec_doi.c,
2306
src/racoon/isakmp_inf.c, src/racoon/isakmp_quick.c,
2307
src/racoon/pfkey.c, src/racoon/remoteconf.c,
2308
src/racoon/session.c, src/racoon/sockmisc.c: Fix headers
2309
ordering, use HAVE_NETINET6_IPSEC.
2310
* src/racoon/isakmp_cfg.c: Use %z for size_t.
2311
* src/racoon/configure.in: Clean up IPv6 stack check.
2312
2313
2004-09-15 Michal Ludvig <mludvig@suse.cz>
2314
2315
Merged "Hybrid XAUTH" support from Emmanuel Dreyfus:
2316
* src/racoon/isakmp_cfg.h, src/racoon/isakmp_cfg.c,
2317
src/racoon/isakmp_unity.c, src/racoon/isakmp_unity.h,
2318
src/racoon/isakmp_xauth.c, src/racoon/isakmp_xauth.h,
2319
src/racoon/samples/racoon.conf.sample-cvpn: New files.
2320
* src/racoon/algorithm.c, src/racoon/algorithm.h,
2321
src/racoon/cfparse.y, src/racoon/cftoken.l,
2322
src/racoon/handler.c, src/racoon/handler.h,
2323
src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
2324
src/racoon/isakmp.h, src/racoon/isakmp_agg.c,
2325
src/racoon/isakmp_inf.c, src/racoon/oakley.c,
2326
src/racoon/oakley.h, src/racoon/strnames.c,
2327
src/racoon/vendorid.c, src/racoon/vendorid.h: Added
2328
code for XAUTH support.
2329
* src/racoon/racoon.conf.5: Documentation for XAUTH.
2330
* src/racoon/isakmp_base.c, src/racoon/isakmp_ident.c,
2331
src/racoon/nattraversal.c: Added NATT VID "02\n"
2332
* src/racoon/configure.in: New config option --enable-hybrid
2333
2334
2004-09-14 Michal Ludvig <mludvig@suse.cz>
2335
2336
* configure.ac: Preset CFLAGS
2337
* src/racoon/configure.in: Preset LDFLAGS instead of CFLAGS on NetBSD,
2338
Check if printf() accepts "%z" modifiers.
2339
* src/racoon/isakmp_agg.c(agg_i1send): Place #endif correctly.
2340
* src/setkey/parse.y(fix_portstr): Init 'p2'.
2341
* src/setkey/setkey.c: Add required prototypes.
2342
2343
2004-09-14 Aidas Kasparas <a.kasparas@gmc.lt>
2344
2345
* src/racoon/gssapi.c: sa_len -> sysdep_sa_len. Patch by Andreas.
2346
2347
2004-09-14 Michal Ludvig <mludvig@suse.cz>
2348
2349
* src/racoon/configure.in: Check for NetBSD NAT-T kernel support.
2350
2351
2004-09-13 Michal Ludvig <mludvig@suse.cz>
2352
2353
* src/racoon/configure.in: Check for <openssl/engine.h>
2354
* src/racoon/crypto_openssl.c: Only use OpenSSL engines if available.
2355
* src/racoon/plainrsa-gen.c: Ditto.
2356
2357
2004-09-13 Michal Ludvig <mludvig@suse.cz>
2358
2359
NetBSD fixes from Emmanuel Dreyfus <manu@netbsd.org>:
2360
* Makefile.am: build in rpm/ only on Linux
2361
* configure.ac: Check for netinet6/ipsec.h instead of netinet/ipsec.h
2362
* src/Makefile.am: Build include-glibc only on Linux
2363
* src/libipsec/{ipsec_dump_policy.c,ipsec_get_policylen.c,
2364
ipsec_strerror.c,key_debug.c,pfkey.c,pfkey_dump.c,
2365
policy_parse.y,policy_token.l,test-policy-priority.c},
2366
src/racoon/{cfparse.y,cftoken.l,grabmyaddr.c,isakmp.c,
2367
nattraversal.c,pfkey.c,plainrsa-gen.c,policy.c,
2368
proposal.c,sainfo.c,schedule.c,strnames.c},
2369
src/setkey/{parse.y,setkey.c,token.l}: Fix headers and some
2370
ifdefs.
2371
* src/racoon/sockmisc.c(sendfromto): Wrap for Linux only.
2372
* src/racoon/configure.in: Check for kernel NAT-T support,
2373
fix libipsec.a linkage path.
2374
* src/racoon/eaytest.c(certtest): Use %z for size_t.
2375
2376
2004-09-12 Aidas Kasparas <a.kasparas@gmc.lt>
2377
2378
* src/racoon/grabmyaddr.c: improoved socket selection algorithm for
2379
case when link-local addresses comes w/o sin6_scope_id set.
2380
2381
2004-09-07 Aidas Kasparas <a.kasparas@gmc.lt>
2382
2383
* src/racoon/session.c: fix for SIGHUP handler for case when config
2384
file contains listen directives.
2385
2386
2004-09-01 Aidas Kasparas <a.kasparas@gmc.lt>
2387
2388
* src/racoon/grabmyaddr.c: added scope id handling for link-local
2389
IPv6 addresses. Now racoon will not err on such addresses.
2390
2391
2004-08-19 Aidas Kasparas <a.kasparas@gmc.lt>
2392
2393
* src/racoon/crypto_openssl.c: hmac memory leak fix by R. Ganesan
2394
* src/racoon/eaytest.c: eay_init_error() -> eay_init() due to
2395
2004-06-01 changes in src/racoon/crypto_openssl.c
2396
2397
2004-08-15 Aidas Kasparas <a.kasparas@gmc.lt>
2398
2399
* src/racoon/cfparse.y src/racoon/crypto_openssl.c
2400
src/racoon/eaytest.c src/racoon/genlist.h src/racoon/ipsec_doi.c
2401
src/racoon/racoon.conf.5 src/racoon/remoteconf.c
2402
src/racoon/remoteconf.h: peers_identifier wildcard and
2403
list patch by James Matheson
2404
2405
---------------------------------------------
2406
2407
0.4rc1 released
2408
2409
2004-08-09 Michal Ludvig <mludvig@suse.cz>
2410
2411
* NEWS: Notes for release 0.4rc1
2412
* configure.ac: Bump up version to 0.4rc1
2413
2414
2004-07-12 Michal Ludvig <mludvig@suse.cz>
2415
2416
PlainRSA support.
2417
See ChangeLog.prsa from the 'plainrsa' branch for details.
2418
* src/racoon/stringlist.c src/racoon/stringlist.h: Removed.
2419
* src/racoon/genlist.c src/racoon/genlist.h
2420
src/racoon/plainrsa-gen.8 src/racoon/plainrsa-gen.c
2421
src/racoon/prsa_par.y src/racoon/prsa_tok.l
2422
src/racoon/rsalist.c src/racoon/rsalist.h
2423
src/racoon/samples/racoon.conf.sample-plainrsa: New files.
2424
* src/racoon/Makefile.in src/racoon/configure.in
2425
src/racoon/cfparse.y src/racoon/cftoken.l
2426
src/racoon/crypto_openssl.c src/racoon/crypto_openssl.h
2427
src/racoon/handler.h src/racoon/ipsec_doi.c
2428
src/racoon/ipsec_doi.h src/racoon/isakmp.h src/racoon/main.c
2429
src/racoon/oakley.c src/racoon/plog.c src/racoon/remoteconf.c
2430
src/racoon/remoteconf.h src/racoon/sockmisc.c
2431
src/racoon/sockmisc.h src/racoon/eaytest.c: Updated.
2432
2433
2004-07-12 Michal Ludvig <mludvig@suse.cz>
2434
2435
* src/racoon/main.c, src/racoon/eaytest.c, src/racoon/plog.c: Move
2436
f_foreground to plog.c.
2437
* src/racoon/proposal.c (cmpsaprop_alloc): Fix printing of encmode
2438
adjusting.
2439
* src/racoon/ipsec_doi.c, src/racoon/isakmp.c, src/racoon/isakmp_quick.c,
2440
src/racoon/oakley.c: Fix typos, newlines and printf() format strings.
2441
2442
2004-06-16 Aidas Kasparas <a.kasparas@gmc.lt>
2443
2444
* src/racoon/crypto_openssl.c (eay_get_x509cert): small memory
2445
leak fix. Noticed B.Buesker, patch L.Stellingwerff
2446
* src/racoon/crypto_openssl.c (eay_aes_{en|de}crypt, evp_crypt):
2447
small memory leaks fixed.
2448
2449
2004-06-15 Aidas Kasparas <a.kasparas@gmc.lt>
2450
2451
SECURITY
2452
* src/racoon/crypto_openssl.[ch] (cb_check_cert_local,
2453
cb_check_cert_remote): split cb_check_cert() due to stricter
2454
requirements for certificates received from network.
2455
* src/racoon/crypto_openssl.[ch] (eay_check_x509cert): new parameter
2456
local to specify how strict cert check should be
2457
* src/racoon/oakley.c, src/racoon/eaytest.c: adjust to use above
2458
2459
2004-06-11 Michal Ludvig <mludvig@suse.cz>
2460
2461
* src/racoon/nattraversal.c (natt_vendorid, natt_fill_options): Support
2462
for all known NAT-T versions.
2463
* vendorid.h: Ditto.
2464
2465
2004-06-08 Michal Ludvig <mludvig@suse.cz>
2466
2467
* src/racoon/stringlist.c, src/racoon/stringlist.h: New files.
2468
* src/racoon/Makefile.in: Compile stringlist.o.
2469
2470
2004-06-07 Michal Ludvig <mludvig@suse.cz>
2471
2472
* configure.ac: Set version to 'cvs'.
2473
* src/{racoon,setkey,libipsec}/*.h: Wrap headers between
2474
#ifndef/#define/#endif to allow multiple inclusions of the
2475
same file.
2476
* plog.h (plog): Attribute __printf__ for automatic checking
2477
of the parameters' validity.
2478
* cftoken.l, crypto_openssl.c, grabmyaddr.c, ipsec_doi.c,
2479
isakmp.c, isakmp_quick.c, oakley.c, pfkey.c, proposal.c,
2480
sockmisc.c: Fix warnings/errors in the plog() parameters with
2481
the above change.
2482
2483
2004-06-05 Aidas Kasparas <a.kasparas@gmc.lt>
2484
2485
* src/setkey/setkey.c: -n (no action) support.
2486
Thanks Thomas Habets.
2487
* src/setkey/setkey.8: Documentation for above.
2488
* src/racoon/doc/README.certificate: updated link to more recent
2489
version of document. Debian bug #252513 by Jose Luis Domingo Lopez
2490
2491
2004-06-01 Michal Ludvig <mludvig@suse.cz>
2492
2493
* src/racoon/algorithm.c: Enable compilation without SHA2 support.
2494
* src/racoon/crypto_openssl.c: Ditto.
2495
2496
2004-06-01 Michal Ludvig <mludvig@suse.cz>
2497
2498
* src/racoon/crypto_openssl.c: Remove unneeded workarounds for older
2499
OpenSSLs.
2500
(eay_init): New function.
2501
(eay_init_error, eay_check_pkcs7sign): Removed.
2502
* src/racoon/crypto_openssl.h: Reflect the above changes.
2503
* src/racoon/main.c: Call eay_init() instead of eay_init_error().
2504
2505
2004-05-27 Michal Ludvig <mludvig@suse.cz>
2506
2507
Support for inheritance of 'remote' statements:
2508
* src/racoon/cftoken.l: New keyword 'inherit'.
2509
* src/racoon/cfparse.y: Support for 'inherit', remove
2510
global 'prhead', use cur_rmconf->prhead instead.
2511
* src/racoon/remoteconf.c (rmtree): Changed from
2512
LIST queue to TAILQ queue.
2513
(getrmconf): Renamed to getrmconf_strict().
2514
(copyrmconf, duprmconf)
2515
(dump_rmconf_single, dumprmconf): New functions.
2516
(rm2str): Deleted.
2517
* src/racoon/remoteconf.h: Prototypes for the above.
2518
(struct remoteconf): New fields 'inherited_from' and 'prhead'.
2519
* src/racoon/sockmisc.c (saddr2str): Can print anonymous entries.
2520
* src/racoon/algorithm.c (alg_oakley_encdef_name)
2521
(alg_oakley_hashdef_name, alg_oakley_dhdef_name)
2522
(alg_oakley_authdef_name): New functions.
2523
* src/racoon/algorithm.h: Prototpes for the above.
2524
* src/racoon/strnames.c (num2str): Make extern.
2525
(s_doi, s_etype, s_idtype, s_switch): New functions.
2526
* src/racoon/strnames.h: Prototpes for the above.
2527
* src/racoon/main.c: New parameter -C for dumping the parsed config.
2528
* src/racoon/racoon.conf.5: Document inheritance.
2529
* src/racoon/samples/racoon.conf.sample-inherit: Sample config file.
2530
* src/racoon/Makefile.in: Distribute racoon.conf.sample-inherit
2531
2532
2004-05-24 Michal Ludvig <mludvig@suse.cz>
2533
2534
* configure.in, backupsa.c, ipsec_doi.c, isakmp_inf.c,
2535
isakmp_quick.c, pfkey.c, remoteconf.c, session.c,
2536
sockmisc.c: Allow compilation with --disable-ipv6
2537
2538
2004-05-21 Michal Ludvig <mludvig@suse.cz>
2539
2540
* src/racoon/crypto_openssl.[ch]: Use EVP_*() instead of
2541
algorithm specific functions.
2542
2543
2004-05-20 Aidas Kasparas <a.kasparas@gmc.lt>
2544
2545
Manual page updates. Thanks Brian
2546
* src/libipsec/ipsec_set_policy.3
2547
* src/setkey/setkey.8
2548
* src/libipsec/test-policy-priority.c: new file from policy
2549
priority patch, which I forgot to add
2550
2551
2004-05-18 Aidas Kasparas <a.kasparas@gmc.lt>
2552
2553
Policy priority integer handling fixes by Brian Buesker.
2554
* src/libipsec/ipsec_strerror.c
2555
* src/libipsec/ipsec_strerror.h
2556
* src/libipsec/libpfkey.h
2557
* src/libipsec/policy_parse.y
2558
* src/libipsec/test-policy-priority.c
2559
Manual page corrections by me
2560
* src/libipsec/ipsec_set_policy.3
2561
* src/setkey/setkey.8
2562
2563
2004-05-15 Aidas Kasparas <a.kasparas@gmc.lt>
2564
2565
Policy priority support patch from Brian Buesker. Applied as is
2566
except src/libipsec/Makefile.am is modified instead of
2567
src/libipsec/Makefile.in as found in the patch.
2568
2569
2004-05-10 Michal Ludvig <mludvig@suse.cz>
2570
2571
From Heiko Hund, approved by the copyright holder:
2572
* src/racoon/gssapi.[ch]: Update to 3-clause BSD license.
2573
2574
2004-04-27 Michal Ludvig <mludvig@suse.cz>
2575
2576
From Heiko Hund:
2577
* src/include-glibc/sys/queue.h: Update to 3-clause BSD license.
2578
2579
2004-04-26 Aidas Kasparas <a.kasparas@gmc.lt>
2580
2581
* src/racoon/grabmyaddr.c (update_myaddrs): Only trust kernel to
2582
send notifications about changed interfaces.
2583
2584
2004-04-24 Aidas Kasparas <a.kasparas@gmc.lt>
2585
2586
* src/racoon/grabmyaddr.c (recvaddrs): Only trust kernel to send
2587
information about interfaces. Thanks Steve Grubb and Bill
2588
Nottingham. Affects users with glibc w/o getifaddrs(). Users
2589
with glibc earlier than 2003-11-14 should upgrade their glibc.
2590
2591
2004-04-19 Michal Ludvig <mludvig@suse.cz>
2592
2593
* src/racoon/isakmp.c (isakmp_handler): Reject too big
2594
packets (CAN-2004-0403).
2595
2596
---------------------------------------------
2597
2598
0.3 released
2599
2600
2004-04-14 Michal Ludvig <mludvig@suse.cz>
2601
2602
* NEWS: Notes for release 0.3
2603
* configure.ac: Bump up version to 0.3
2604
* src/racoon/Makefile.in: Use install-sh instead of mkinstalldirs.
2605
* src/racoon/remoteconf.c (foreachrmconf): Avoid warning about
2606
uninitialised variable.
2607
* src/racoon/samples/racoon.conf.in: Cleaned up to work with Linux
2608
and FreeSWAN.
2609
2610
2004-04-13 Michal Ludvig <mludvig@suse.cz>
2611
2612
* src/racoon/grabmyaddr.c (suitable_ifaddr6): Anycast addresses are
2613
not suitable.
2614
2615
2004-04-09 Michal Ludvig <mludvig@suse.cz>
2616
2617
* src/racoon/crypto_openssl.c (cb_check_cert): Warn if no CRL is found.
2618
* src/racoon/isakmp_ident.c (ident_r2recv): Removed debug plog().
2619
* src/racoon/proposal.c (cmpsatrns): Downgrade severity of trns_id
2620
mismatch to LLV_WARNING.
2621
* src/libipsec/pfkey_dump.c, src/racoon/algorithm.c
2622
src/racoon/algorithm.h src/racoon/cftoken.l
2623
src/racoon/ipsec_doi.c src/racoon/ipsec_doi.h
2624
src/racoon/oakley.h src/racoon/pfkey.c src/racoon/strnames.c
2625
src/setkey/token.l: Renamed Rijndael to AES.
2626
* src/setkey/token.l: Recognize exit/quit/bye tokens.
2627
* src/setkey/parse.y (exit_command): New.
2628
* src/setkey/setkey.c (stdin_loop): Exit when exit_now is set
2629
in exit_command.
2630
2631
2004-04-08 Michal Ludvig <mludvig@suse.cz>
2632
2633
* src/setkey/setkey.c (main): Call get_supported() in interactive mode.
2634
(stdin_loop): Concat multiline input into a single line before parsing.
2635
2636
2004-04-07 Michal Ludvig <mludvig@suse.cz>
2637
2638
* src/racoon/nattraversal.c (natt_keepalive_send): Log sending KA
2639
with level DEBUG. Having it with level INFO only pollutes logfiles.
2640
2641
2004-04-06 Michal Ludvig <mludvig@suse.cz>
2642
2643
* src/racoon/Makefile.in: eaytest now links plog.o
2644
* src/racoon/crypto_openssl.c: Remove all #ifdef EAYDEBUG/#endif
2645
surrounding plog().
2646
* src/racoon/eaytest.c (rsatest): Enabled RSA tests again, now
2647
verifying both good and bad signatures.
2648
2649
---------------------------------------------
2650
2651
0.3rc5 released
2652
2653
2004-04-05 Michal Ludvig <mludvig@suse.cz>
2654
2655
* NEWS: Notes for release 0.3rc5
2656
* configure.ac: Bump up version to 0.3rc5
2657
2658
2004-04-05 Michal Ludvig <mludvig@suse.cz>
2659
2660
Fix for a security bug found by Ralf Spenneberg:
2661
* src/racoon/crypto_openssl.c (eay_check_x509sign): Directly generate
2662
'evp' instead of 'pubkey'.
2663
(eay_rsa_sign): Use the above.
2664
* src/racoon/crypto_openssl.h: Update prototypes for the above.
2665
* src/racoon/eaytest.c: Disabled RSA tests because of the API change.
2666
2667
2004-04-05 Michal Ludvig <mludvig@suse.cz>
2668
2669
* src/racoon/pfkey.c (pfkey_handler): Safety check before accessing
2670
the array (thx to Ren.J.Y for report).
2671
(pkrecvf): Added entry for SADB_X_NAT_T_NEW_MAPPING (NULL for now).
2672
* src/racoon/strnames.c (name_pfkey_type): Ditto.
2673
2674
2004-04-02 Michal Ludvig <mludvig@suse.cz>
2675
2676
* src/racoon/eaytest.c (ciphertest_1): Correct padlen.
2677
2678
2004-04-01 Michal Ludvig <mludvig@suse.cz>
2679
2680
* src/racoon/ipsec_doi.c (setph2proposal0): Move proposal encmode
2681
update from here ...
2682
(ipsecdoi_setph2proposal): ... to here. Hopefully this is a
2683
better place to do the update.
2684
2685
2004-03-30 Michal Ludvig <mludvig@suse.cz>
2686
2687
* src/racoon/crypto_openssl.c (eay_3des_expand_key): New function.
2688
(eay_3des_encrypt, eay_3des_decrypt): Expand key if necessary.
2689
* src/racoon/eaytest.c (ciphertest_1): New function.
2690
(ciphertest): Simplified to simple calls of ciphertest_1().
2691
2692
2004-03-29 Michal Ludvig <mludvig@suse.cz>
2693
2694
* README: Rewritten. Mentioned where to report bugs.
2695
2696
2004-03-26 Michal Ludvig <mludvig@suse.cz>
2697
2698
* configure.ac: Check for readline.h and libreadline.
2699
* src/setkey/setkey.c: Call stdin_loop() when '-c' was given.
2700
(stdin_loop): Read user input and parse it line-by-line.
2701
* src/setkey/token.l (parse_string): New function.
2702
2703
---------------------------------------------
2704
2705
0.3rc4 released
2706
2707
2004-03-25 Michal Ludvig <mludvig@suse.cz>
2708
2709
* configure.ac: Bump up version to 0.3rc4
2710
* NEWS: Notes for release 0.3rc4
2711
* src/racoon/cfparse.y (algorithm): Hint about missing module.
2712
* src/racoon/crypto_openssl.c (eay_3des_*): Check for strict key
2713
length only with old API.
2714
(eay_des_encrypt): Ditto.
2715
* src/racoon/eaytest.c: Make the testsuite usefull, i.e. exit with
2716
non-zero error code if any of the tests fail.
2717
(main): Print banner with version.
2718
* src/racoon/Makefile.in: Run eaytest in 'make check'.
2719
2720
2004-03-23 Michal Ludvig <mludvig@suse.cz>
2721
2722
* src/racoon/isakmp_agg.c (agg_i2recv): Copy remote cookie before
2723
comparing NAT-D payloads. (thx to Gaurav Kansal for report).
2724
* src/racoon/crypto_openssl.c: Avoid type-punned warnings.
2725
* src/racoon/eaytest.c: Disable 'cert' tests.
2726
* src/racoon/crypto_openssl.c (eay_des_encrypt): No need to check
2727
for strict length.
2728
(eay_aes_encrypt): Keylength is in bits, not bytes.
2729
2730
2004-03-22 Michal Ludvig <mludvig@suse.cz>
2731
2732
* src/setkey/parse.y (ALG_ENC_NOKEY, ALG_ENC_OLD): Use "" for key
2733
instead of NULL and check for availability.
2734
2735
---------------------------------------------
2736
2737
0.3rc3 released
2738
2739
2004-03-19 Michal Ludvig <mludvig@suse.cz>
2740
2741
* configure.ac: Bump up version to 0.3rc3
2742
* NEWS: Notes for release 0.3rc3
2743
* src/racoon/cftoken.l: Add 'null' as an alias for 'null_enc'.
2744
* src/racoon/proposal.c (cmpsatrns): New parameter proto_id,
2745
better diagnostic output when trns_id don't match.
2746
* src/racoon/proposal.h (cmpsatrns): Update prototype.
2747
* src/setkey/setkey.c: Change option -h to -H (for hexdump), new
2748
options -h (help) and -V (version).
2749
* src/setkey/setkey.8: Document the above changes.
2750
* src/racoon/rfc/*: Many standards related to IPsec/IKE/NAT-T/...
2751
2752
2004-03-15 Michal Ludvig <mludvig@suse.cz>
2753
2754
* src/racoon/configure.in: Prevent compilation error with
2755
--enable-yydebug.
2756
2757
---------------------------------------------
2758
2759
0.3rc2 released
2760
2761
2004-03-11 Michal Ludvig <mludvig@suse.cz>
2762
2763
* configure.ac: Bump up version to 0.3rc2
2764
* NEWS: Notes for release 0.3rc2
2765
* src/racoon/aclocal.m4 (RACOON_CHECK_VA_COPY): New test.
2766
* src/racoon/configure.in: Call RACOON_CHECK_VA_COPY
2767
* src/racoon/plog.c (plogv): Replace va_copy() with VA_COPY.
2768
* src/racoon/racoon.conf.5: Note that NAT-T support is a compile
2769
time option.
2770
2771
2004-03-10 Michal Ludvig <mludvig@suse.cz>
2772
2773
* src/racoon/racoon.conf.5: Document nat_traversal option.
2774
* src/racoon/racoon.8: DOcument new options (-L and -P).
2775
2776
2004-03-09 Michal Ludvig <mludvig@suse.cz>
2777
2778
* src/racoon/grabmyaddr.c (autoconf_myaddrsport): Prepare addrs for
2779
UDP-Encap ports if NAT-T is enabled.
2780
(dupmyaddr): New function.
2781
* src/racoon/grabmyaddr.h: Prototype for dupmyaddr().
2782
* src/racoon/isakmp.c (isakmp_open): Complain if NAT-T is enabled, but
2783
no port for UDP-Encap was open.
2784
* src/racoon/isakmp_var.h (PORT_ISAKMP_NATT): New define.
2785
* src/racoon/localconf.c, src/racoon/localconf.h: Define and setup
2786
lcconf->port_isakmp_natt.
2787
* src/racoon/main.c (main): Print nicer banner,
2788
(usage): Document new options (-L and -P).
2789
(parse): Recognise the above.
2790
* src/racoon/nattraversal.c (natt_fill_options): Don't use hardcoded
2791
constants for float_port.
2792
(natt_enabled_in_rmconf, natt_enabled_in_rmconf_stub): New functions.
2793
* src/racoon/nattraversal.h: Prototype for natt_enabled_in_rmconf().
2794
* src/racoon/plog.c: Don't print source:line:function by default.
2795
* src/racoon/remoteconf.c (foreachrmconf): New helper function.
2796
* src/racoon/remoteconf.h: Prototype for the above.
2797
* package_version.h: Define strings for use in banners.
2798
* configure.ac: Fill up the above header.
2799
2800
2004-03-09 Michal Ludvig <mludvig@suse.cz>
2801
2802
* src/racoon/configure.in: Don't put -O into OPTFLAGS,
2803
add new option --disable-natt.
2804
* src/racoon/cfparse.y, src/racoon/handler.c,
2805
src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
2806
src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
2807
src/racoon/isakmp_ident.c, src/racoon/pfkey.c,
2808
src/racoon/proposal.c, src/racoon/session.c: Replace WITH_NATT
2809
with ENABLE_NATT.
2810
* src/racoon/crypto_openssl.c: Replace %d with %zd for size_t arguments.
2811
2812
2004-03-06 Aidas Kasparas <a.kasparas@gmc.lt>
2813
2814
* configure.ac: Refuse to continue if lexer library (yywrap()
2815
function) is missing. Should prevent bugs like #892067, #908758
2816
* src/racoon/configure.in: renamed --with-ssleay to --with-openssl.
2817
Users should not be given false idea that they require both OpenSSL
2818
and SSLeay to compile racoon. (See bug #902197)
2819
2820
---------------------------------------------
2821
2822
0.3rc1 released
2823
2824
2004-03-04 Michal Ludvig <mludvig@suse.cz>
2825
2826
* configure.ac: Bump up version to 0.3rc1
2827
* NEWS: Mention release 0.3rc1 (and copy 0.2.3 and 0.2.4 notes
2828
from 0.2 branch).
2829
* src/racoon/samples/racoon.conf.sample-natt: New sample config file.
2830
* src/racoon/Makefile.in: Tweak file lists to make 'distcheck' happy,
2831
enabled NATT by default (will become a config option later).
2832
2833
2004-03-04 Michal Ludvig <mludvig@suse.cz>
2834
2835
Merge with 'nat-t_branch' to bring NAT-T (NAT traversal) support
2836
to racoon.
2837
* src/racoon/Makefile.in, src/racoon/cfparse.y,
2838
src/racoon/cftoken.l, src/racoon/grabmyaddr.c,
2839
src/racoon/grabmyaddr.h, src/racoon/handler.c,
2840
src/racoon/handler.h, src/racoon/ipsec_doi.c,
2841
src/racoon/ipsec_doi.h, src/racoon/isakmp.c, src/racoon/isakmp.h,
2842
src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
2843
src/racoon/isakmp_ident.c, src/racoon/isakmp_quick.c,
2844
src/racoon/localconf.c, src/racoon/localconf.h,
2845
src/racoon/pfkey.c, src/racoon/proposal.c, src/racoon/proposal.h,
2846
src/racoon/racoon.conf.5, src/racoon/remoteconf.c,
2847
src/racoon/remoteconf.h, src/racoon/session.c,
2848
src/racoon/strnames.c, src/racoon/vendorid.h
2849
src/libipsec/pfkey.c,
2850
src/racoon/nattraversal.c, src/racoon/nattraversal.h,
2851
src/racoon/sockmisc.c: Affected files.
2852
2853
2004-02-27 Michal Ludvig <mludvig@suse.cz>
2854
2855
* src/racoon/isakmp.c (set_isakmp_header1): Renamed from
2856
set_isakmp_header().
2857
(set_isakmp_header): New function common for set_isakmp_header1()
2858
and set_isakmp_header2().
2859
(copy_ph1addresses): Obey original port.
2860
(isakmp_plist_append, isakmp_plist_set_all): New helper functions.
2861
* src/racoon/isakmp_var.h: Prototypes for the above.
2862
* src/racoon/isakmp.h (struct payload_list): New structure.
2863
* src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
2864
src/racoon/isakmp_ident.c: Use isakmp_plist_* functions.
2865
2866
2004-02-03 Michal Ludvig <mludvig@suse.cz>
2867
2868
* src/racoon/Makefile.in: Fix install to $(sbindir)
2869
* src/setkey/parse.y: Avoid GCC 3.3 warning (type-punned pointer).
2870
2871
2004-01-19 Michal Ludvig <mludvig@suse.cz>
2872
2873
* rpm/ipsec-tools.FC1: Startup script for Fedora Core 1
2874
(thanks to Kimmo Koivisto <kimmo.koivisto@surfeu.fi>)
2875
2876
2004-01-17 Aidas Kasparas <a.kasparas@gmc.lt>
2877
2878
* src/racoon/isakmp_inf.c: endian mismatch fix. From iij seil team
2879
2880
2004-01-15 Michal Ludvig <mludvig@suse.cz>
2881
2882
* src/racoon/isakmp_inf.c: Prevent unauthorized deletion of SA
2883
(reported on bugtraq, fixed by iij seil team).
2884
* src/racoon/isakmp.c: Don't try to bind to IPv6 multicast addresses.
2885
2886
2004-01-14 Michal Ludvig <mludvig@suse.cz>
2887
2888
* src/racoon/plog.c: Fix segfault on AMD64 (va_list can be used
2889
only once).
2890
* configure.ac: Don't build shared libipsec by default (can be
2891
enabled by --enable-shared).
2892
* bootstrap: Don't run automake for racoon.
2893
2894
2004-01-12 Michal Ludvig <mludvig@suse.cz>
2895
2896
* src/racoon/configure.in: Fix AC_DEFINEs to make autoheader happy,
2897
use config.h for defines instead of -DHAVE_* gcc options,
2898
fix CRYPTOBJS to include missing rijndael libraries only once,
2899
checking for AES support in OpenSSL now (hopefully) finally
2900
works on both OpenSSL 0.9.6 and 0.9.7.
2901
* src/racoon/*.[cyl]: Include autogenerated "config.h"
2902
* src/racoon/missing/crypto/*/*.c: Ditto.
2903
* src/racoon/.cvsignore: Add config.h, config.h.in
2904
2905
2004-01-09 Michal Ludvig <mludvig@suse.cz>
2906
2907
* src/racoon/.cvsignore: Add "autom4te.cache" and "configure".
2908
2909
2004-01-09 Aidas Kasparas <a.kasparas@gmc.lt>
2910
2911
Sync with KAME 2004-01-07
2912
* src/libipsec/pfkey.c: memory leak fix; comment typo fixes
2913
* src/libipsec/{pfkey.c,pfkey_dump.c}: allow compilation even
2914
no SADB_X_EXT_TAG defined
2915
* src/libipsec/pfkey_dump.c: information about algorithms
2916
ripemd160, aes-xcbc, aes-ctr; bigger buffers; <tag> support
2917
* src/libipsec/policy_parse.y: memory leak
2918
* src/libipsec/policy_token.l: memory leak
2919
* src/libipsec/test-policy.c: unneeded \n removed
2920
* src/racoon/Makefile.in: $(sbindir) support
2921
* src/racoon/admin.c: interface changes due to proxy support
2922
* src/racoon/algorithm.c: SHA2 #ifdefs
2923
* src/racoon/{cfparse.y,cftoken.l}: license text added
2924
* src/racoon/cfparse.y: mip6 obsoleted by proxy support
2925
* src/racoon/cfparse.y: from directive support; new algorithms
2926
* src/racoon/cftoken.l: support for globbing of include files
2927
* src/racoon/configure.in: more verbose information about problems
2928
with SHA2
2929
* src/racoon/crypto_openssl.c: use new DES API if supported; algorithm
2930
key size fixes
2931
* src/racoon/eaytest.c: SHA2 #ifdefs; keysize len check
2932
* src/racoon/ipsec_doi.c: use VPTRINIT; ESP parameter validity checks;
2933
style change
2934
* src/racoon/isakmp.c: use VPTRINIT; interface changes due to
2935
mip6->proxy; typo
2936
* src/racoon/isakmp_inf.c: use VPTRINIT
2937
* src/racoon/isakmp_quick.c: mip6->proxy
2938
* src/racoon/kmpstat.c: not used variables removed
2939
* src/racoon/pfkey.c: mip6->proxy; schedule leak
2940
* src/racoon/proposal.c: style
2941
* src/racoon/remoteconf.c: mip6->proxy
2942
* src/racoon/sainfo.c: from directive support
2943
* src/racoon/sockmisc.c: side correction; addrinfo leak
2944
* src/racoon/strnames.c: typo in descriptions; wrong upper bound check
2945
* src/racoon/missing/crypto/sha2/sha2.c: wrong size
2946
* src/setkey/parse.y: extra algorithms; tagged; not needed periods
2947
removed; memory shortage checks
2948
* src/setkey/setkey.8: typos; tagged; new algorithms
2949
* src/setkey/setkey.c: standard argument names for main(); hexdump
2950
support; info in file support
2951
* src/setkey/token.l: new algorithms; memory shortage checks
2952
Parts not taken from KAME:
2953
* kernelfs stuff;
2954
* sysctl stuff
2955
2956
2004-01-08 Michal Ludvig <mludvig@suse.cz>
2957
2958
* src/racoon/config.{sub,guess}: Update from automake 1.7.
2959
2960
2004-01-08 Michal Ludvig <mludvig@suse.cz>
2961
2962
Patch from Kostadin Karaivanov <larry@minfin.bg>:
2963
* src/racoon/configure.in: Check for openssl/aes.h.
2964
* src/racoon/crypto_openssl.c: Use OpenSSL AES functions if available.
2965
2966
2004-01-08 Michal Ludvig <mludvig@suse.cz>
2967
2968
* src/racoon/configure: Remove, should be regenerated by bootstrap.
2969
2970
2004-01-02 Michal Ludvig <michal@logix.cz>
2971
2972
* src/racoon/crypto_openssl.c: Update to work with OpenSSL 0.9.7
2973
(by Brian Buesker <bbuesker@qualcomm.com>
2974
and Christophe Saout <christophe@saout.de>)
2975
* src/racoon/proposal.c: Be more verbose. (Michal Ludvig)
2976
* src/libipsec/ipsec_dump_policy.c: Dump FWD policies correctly
2977
(by Michal Ludvig).
2978
* src/setkey/token.l, src/setkey/parse.y: Add support for lifetime
2979
specified in bytes (by Michal Ludvig).
2980
* src/setkey/setkey.8: Document -bh/-bs options for the above feature.
2981
* src/libipsec/pfkey.c: Don't include 'sadb_key' in SADB_UPDATE
2982
message for IPcomp SA. (by Brian Buesker <bbuesker@qualcomm.com>)
2983
* src/racoon/cfparse.y: Flush SA on SIGHUP
2984
(by Brian Buesker <bbuesker@qualcomm.com>)
2985
* src/racoon/pfkey.c: IPcomp fixes
2986
(by Brian Buesker <bbuesker@qualcomm.com>)
2987
* src/racoon/proposal.c: Fix typo lifebyte -> lifetime.
2988
* src/racoon/grabmyaddr.c: Prevent segfault if getifaddrs() returns
2989
an entry with NULL ifa_addr (Michal Ludvig).
2990
* configure.ac: Change path to kernel headers
2991
from /usr/src/devel-2.5/devel to /usr/src/linux
2992
* bootstrap: Use default tools, reconfigure src/racoon
2993
* src/racoon/configure.in: Change LIBOBJS -> AC_LIBOBJ,
2994
changed comments from 'dnl' to '#'.
2995
2996
2003-06-20 Derek Atkins <derek@ihtfp.com>
2997
2998
* src/racoon/aclocal.m4:
2999
* src/racoon/configure:
3000
Don't execute "for i in $3" if "$3" doesn't exist.
3001
Fixes bug #721296.
3002
3003
2003-03-31 Derek Atkins <derek@ihtfp.com>
3004
3005
* src/setkey/parse.y: change the NAT-T Type to use UDP_ENCAP_ESPINUDP
3006
(which is value '2')
3007
3008
2003-03-27 Derek Atkins <derek@ihtfp.com>
3009
3010
* src/libipsec/key_debug.c: use ntohs() before printing port
3011
* src/libipsec/pfkey.c: convert port# to network byte order
3012
* src/libipsec/pfkey_dump.c: use ntohs() before printing ports
3013
* src/setkey/parse.y: convert port#'s to network byte order
3014
3015
2003-03-24 Derek Atkins <derek@ihtfp.com>
3016
3017
* src/libipsec/pfkey.c: Don't switch off NAT-T extensions
3018
if they don't exist in the kernel.
3019
3020
* src/racoon/sockmisc.c: use '34' for IPV6_IPSEC_POLICY,
3021
as per Tom Lendacky <toml@us.ibm.com>. Also move the
3022
setting of IPV6_IPSEC_POLICY to the top of the file.
3023
3024
2003-03-13 Derek Atkins <derek@ihtfp.com>
3025
3026
Add initial support for NAT-T PFKey Extensions:
3027
* src/libipsec/key_debug.c: add support to print information
3028
about NAT-T extension packets.
3029
* src/libipsec/libpfkey.h: add two new APIs to support NAT-T
3030
for add and update as part of the SADB.
3031
* src/libipsec/pfkey.c:
3032
- Implement extended APIs to support NAT-T for add and update
3033
of the SADB.
3034
- Add APIs to fill a buffer with NAT-T packet types
3035
* src/libipsec/pfkey_dump.c: Extend the SADB output to include
3036
PFKey packets. Put port numbers with the source and dest
3037
addresses, add an 'esp-udp' SA-type, and add a printout for
3038
the NAT-OA.
3039
* src/setkey/parse.y:
3040
- Extend setkey to create an ESP-UDP SA.
3041
- default UDP port is 4500
3042
- extend 'add' to allow <ip-addr>[<portnum>] for source and dest
3043
(the portnum specification requires the [] characters)
3044
- add an ESPUDP "protocol" from the lexer. This will use
3045
ESP and allow an optional Original Address setting.
3046
- add a function to get a udp port from a struct sockaddr *
3047
- pass the NAT-T extentions into PFKey
3048
* src/setkey/token.l: add "esp-udp" token
3049
3050
* rpm/ipsec-tools.spec.in: Bill Nottingham's SPEC-file patch:
3051
This switches it to use %{_lib} (for /lib64 systems such as
3052
x86-64 and s390x, and has it own the /etc/racoon directory in
3053
the package as well.
3054
3055
---------------------------------------------
3056
3057
0.2.2 released
3058
3059
2003-03-13 Derek Atkins <derek@ihtfp.com>
3060
3061
* configure.am, NEWS:
3062
Update for 0.2.2 release
3063
3064
* Makefile.am: distribute depcomp
3065
3066
2003-03-10 Derek Atkins <derek@ihtfp.com>
3067
3068
* src/racoon/Makefile.in: add @LEXLIB@ to the LIBS line to make
3069
sure we link against the lexer library when necessary.
3070
3071
2003-03-07 Derek Atkins <derek@ihtfp.com>
3072
3073
* configure.am:
3074
* Makefile.am:
3075
* rpm/Makefile.am:
3076
* rpm/ipsec-tools.spec.in:
3077
Added RPM SPEC to CVS
3078
3079
---------------------------------------------
3080
3081
0.2.1 released
3082
3083
2003-03-07 Derek Atkins <derek@ihtfp.com>
3084
3085
* src/racoon/configure.in: change "CFLAGS" to "CPPFLAGS" for
3086
ssl include directory, to make sure the other tests work properly.
3087
3088
2003-03-06 Derek Atkins <derek@ihtfp.com>
3089
3090
* src/racoon/kmpstat.c: fix gcc-3.2.2 compiler warning
3091
3092
* src/racoon/configure.in: look for krb5-config and don't
3093
use it if it's not found. Fixes a configure-time warning.
3094
3095
--------------------------------------------
3096
3097
0.2 Released
698
required even without NAT-T
699
700
* src/: libipsec/pfkey_dump.c, setkey/token.l: From Larry Baird:
701
define SADB_X_EALG_AESCBC as SADB_X_EALG_AES if needed
702
703
* src/racoon/crypto_openssl.c: From Larry Baird: some printf() ->
704
plog()
705
706
2006-09-18 Emmanuel Dreyfus <manu@netbsd.org>
707
708
* src/racoon/: cfparse.y, cftoken.l, isakmp.c, isakmp_frag.h,
709
isakmp_inf.c, racoon.conf.5, remoteconf.c: From Matthew Grooms:
710
ike_frag force option to force the use of IKE on first packet
711
exchange (prior to peer consent)
712
713
2006-09-18 Yvan Vanhullebus <vanhu@netasq.com>
714
715
* rpm/suse/ipsec-tools.spec, src/racoon/prsa_tok.c: removed
716
generated files from the CVS
717
718
* src/racoon/prsa_par.c: removed generated files from the CVS
719
720
* src/racoon/: cfparse.c, cftoken.c: removed generated files from
721
the CVS
722
723
2006-09-18 Emmanuel Dreyfus <manu@netbsd.org>
724
725
* src/racoon/isakmp.c: From Matthew Grooms: handle IKE frag used in
726
the first packet. That should not normally happen, as the initiator
727
does not know yet if the responder can handle IKE frag. However, in
728
some setups, the first packet is too big to get through, and
729
assuming the peer supports IKE frag is the only way to go.
730
731
racoon should have a setting in the remote section to do taht
732
(something like ike_frag force)
733
734
2006-09-16 Emmanuel Dreyfus <manu@netbsd.org>
735
736
* src/racoon/ipsec_doi.c: Trivial bugfix in RFC2407 4.6.2
737
conformance, from Matthew Grooms
738
739
2006-09-15 Emmanuel Dreyfus <manu@netbsd.org>
740
741
* src/racoon/ipsec_doi.c: Fix build on Linux
742
743
For older changes see ChangeLog.old
Loggerhead is a web-based interface for Breezy
Version: 2.0.1