1
---------------------------------------------
6
2008-07-23 Timo Teras <timo.teras@iki.fi>
7
* src/libipsec/Makefile.am
9
src/setkey/Makefile.am : do not remove flex/bison generated files
10
in distclean, also add the generated header file as BUILT_SOURCES
11
and use the standard autotools rule for generating them
12
* src/racoon/Makefile.am : do not use GNU make specific extension
14
2008-07-22 Yvan Vanhullebus <vanhu@netasq.com>
15
From Kohki Ohhira <ohhira@src.ricoh.co.jp>:
16
* src/racoon/proposal.c: fixed some memory leaks, when malloc
17
fails or when peer sends invalid proposals.
19
2008-07-21 Timo Teras <timo.teras@iki.fi>
20
* src/racoon/cfparse.y : do not set default gss id if xauth is used
22
2008-07-14 Matthew Grooms
23
* src/racoon/isakmp_cfg.c : fix hybrid enabled builds
25
2008-07-14 Matthew Grooms
26
* src/racoon/crypto_openssl.c
30
src/racoon/racoonctl.c : fix conflict with freebsd8 hexdump()
32
2008-07-11 Timo Teras <timo.teras@iki.fi>
33
Track:259, original patch from Atis Elsts <the.kfx@gmail.com>:
34
* src/racoon/isakmp.c, src/racoon/isakmp_inf.c: fix double memfree
35
by changing copy_ph1addresses() to not free ph1 on failure
36
and remove misplaced remph1() calls causing memory corruption
38
2008-07-09 Timo Teras <timo.teras@iki.fi>
39
Track:269, from Chong Peng <chongpeng@gmail.com>:
40
* src/racoon/cfparse.y: remove parser initialization causing
41
fd leak from cfreparse() since cfparse() initializes it anyway
43
2008-07-02 Yvan Vanhullebus <vanhu@netasq.com>
44
Track:266, from Timo Teras <timo.teras@iki.fi>:
45
* src/racoon/isakmp_inf.c: fixed some %d to %zu (size_t values)
47
2008-06-18 Matthew Grooms
48
From Timo Teras <timo.teras@iki.fi>:
49
* src/racoon/grabmyaddr.c
50
src/racoon/ipsec_doi.c
52
src/racoon/isakmp_cfg.c
53
src/racoon/isakmp_inf.c
54
src/racoon/remoteconf.c
55
src/racoon/admin.c : network port value manipulation cleanup
57
2008-04-25 Yvan Vanhullebus <vanhu@netasq.com>
58
Track:4, from Timo Teras:
59
* src/racoon/isakmp_inf.c: extract ports information from
60
SADB_X_EXT_NAT_T_[SD]PORT if present in purge_ipsec_spi()
62
2008-03-06 Yvan Vanhullebus <vanhu@netasq.com>
1
2009-08-13 tag ipsec-tools-0_7_3
3
2009-08-13 Yvan Vanhullebus <vanhu@netasq.com>
5
* NEWS, configure.ac: 0.7.3 release
7
* src/racoon/oakley.c: fixed a potential DoS in
8
oakley_do_decrypt(), reported by Orange Labs
10
2009-08-06 Timo Teras <timo.teras@iki.fi>
12
* src/setkey/setkey.c: From Paul Wenau: Check fgets return value in
13
setkey to make gcc happy.
15
2009-06-19 Timo Teras <timo.teras@iki.fi>
17
* src/racoon/ipsec_doi.c: Backport S.P.Zeidler's fix to IPv6
18
address related stack smashing in ipsecdoi_id2str() from CVS HEAD.
20
2009-05-18 Timo Teras <timo.teras@iki.fi>
22
* src/racoon/isakmp_inf.c: From Tomas Mraz: Remove variable that is
23
not really used; only referenced while uninitialized causing
26
* src/racoon/nattraversal.c: From Tomas Mraz: Fix natt_flags check.
28
2009-04-29 Timo Teras <timo.teras@iki.fi>
30
* src/racoon/crypto_openssl.c: From Ross Meng: Fix a memory leak in
31
X509 certificate validation.
33
2009-04-22 tag ipsec-tools-0_7_2
35
2009-04-22 Timo Teras <timo.teras@iki.fi>
37
* NEWS, configure.ac: Updates for 0.7.2 release
39
* src/racoon/isakmp_frag.c: From Neil Kettle: Fix a possible null
40
pointer dereference in fragmentation code.
42
2009-04-20 Timo Teras <timo.teras@iki.fi>
44
* src/racoon/: isakmp_inf.c, isakmp_xauth.c, plog.c: Orignally from
45
Bin Li: Fix possible memory corruption in binsanitize().
47
* src/racoon/crypto_openssl.c: From Stephen Bevan: Fix a x509
48
signature verification memory leak.
50
* src/racoon/: admin.c, racoonctl.c: Originally from Bin Li: Fix a
51
crash with racoonctl logout user.
53
* src/racoon/nattraversal.c: Fix a memory leak in nat-t keepalive
56
* src/racoon/handler.c: From Paul Moore: Phase2 message id's should
57
be unique wrt phase1, not globally.
59
2009-02-16 Timo Teras <timo.teras@iki.fi>
61
* src/libipsec/policy_parse.y: From Paul Moore: Fix a heap
62
corruption bug (yacc return non-null terminated buffer and sprintf
65
2009-01-20 Timo Teras <timo.teras@iki.fi>
67
* configure.ac: Fix a CPPLAGS typo to CPPFLAGS which was intended
69
* misc/cvs2cl.pl, misc/cvsusermap, Makefile.am: Autogenerate
70
ChangeLog from NetBSD CVS. Put sourceforge.net changes to
73
* misc/cvs2cl.pl: file cvs2cl.pl was added on branch
74
ipsec-tools-0_7-branch on 2009-01-20 14:36:32 +0000
76
* misc/cvsusermap: file cvsusermap was added on branch
77
ipsec-tools-0_7-branch on 2009-01-20 14:36:32 +0000
79
2008-11-27 Yvan Vanhullebus <vanhu@netasq.com>
81
* src/racoon/main.c: Set up a default value for Mode Config Pool
82
size if pool address specified but pool size not specified
84
* src/racoon/isakmp_cfg.c: Fixed pool resizing
86
2008-09-25 Yvan Vanhullebus <vanhu@netasq.com>
88
* src/racoon/isakmp.c: Fixed resending mechanism to have non-ESP
89
marker for retransmitted packets
91
2008-09-17 Yvan Vanhullebus <vanhu@netasq.com>
93
* src/racoon/isakmp_inf.c: Fixed port match in purge_ipsec_spi()
94
when NAT-T enabled and trying to purge non NAT-T SAs
96
2008-08-12 Yvan Vanhullebus <vanhu@netasq.com>
98
* src/racoon/isakmp.c: From Krzysztof Oledzki: Remove ph1handler if
99
we received an invalid first exchange from initiator.
101
2008-07-23 tag ipsec-tools-0_7_1
103
2008-07-23 Yvan Vanhullebus <vanhu@netasq.com>
105
* NEWS: NEWS for 0.7.1 release
107
2008-07-23 Timo Teras <timo.teras@iki.fi>
109
* src/racoon/Makefile.am: Do not use GNU make specific extension.
111
* src/: libipsec/Makefile.am, racoon/Makefile.am,
112
setkey/Makefile.am: Do flex/bison invocation in a more standard
113
way, and keep the generated files in the dist tarball.
115
2008-07-22 Yvan Vanhullebus <vanhu@netasq.com>
117
* configure.ac: 0.7.1 coming !
119
* src/racoon/proposal.c: From Kohki Ohhira: fix some memory leaks,
120
when malloc fails or when peer sends invalid proposal.
122
2008-07-21 Timo Teras <timo.teras@iki.fi>
124
* src/racoon/cfparse.y: Correct typo to fix the build.
126
* src/racoon/cfparse.y: Do not set default gss id if xauth is used.
128
2008-07-15 Matthew Grooms <mgrooms@shrew.net>
130
* src/racoon/isakmp_cfg.c: Fix an a typo that prevented racoon from
131
building with hybrid enabled.
133
* src/racoon/: crypto_openssl.c, eaytest.c, misc.c, misc.h,
134
racoonctl.c: Fix a conflict with the FreeBSD 8 system hexdump
137
2008-07-11 Timo Teras <timo.teras@iki.fi>
139
* src/racoon/: isakmp.c, isakmp_inf.c: Original patch from Atis
140
Elsts: Fix a double memory free and a memory corruption
141
(LIST_REMOVE() on an uninserted node) in some error handling paths.
143
2008-07-09 Timo Teras <timo.teras@iki.fi>
145
* src/racoon/cfparse.y: From Chong Peng: fix a file descriptor and
146
memory leak on configuration file reread
148
2008-07-02 Yvan Vanhullebus <vanhu@netasq.com>
150
* src/racoon/isakmp_inf.c: From Timo Teras: fixed some %d to %zu
153
2008-06-18 Matthew Grooms <mgrooms@shrew.net>
155
* src/racoon/: grabmyaddr.c, admin.c, ipsec_doi.c, isakmp.c,
156
isakmp_cfg.c, isakmp_inf.c, remoteconf.c: Use utility functions
157
to evaluate and manipulate network port values. No functional
158
changes. Submitted by Timo Teras.
160
2008-04-25 Yvan Vanhullebus <vanhu@netasq.com>
162
* src/racoon/isakmp_inf.c: From Timo Teras: extract port numbers
163
from SADB_X_EXT_NAT_T[SD]PORT if present in purge_ipsec_spi().
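Review bot: The regenerated entries at new lines 139-163 lose the tracker references the old entries carried: Track:259 on the double free fix (old line 33), Track:269 on the cfreparse() fd leak (old line 39), Track:266 on the %zu change (old line 44) and Track:4 on purge_ipsec_spi() (old line 58). A reader can no longer map these ChangeLog lines back to their tickets. New lines 69-70 say the ChangeLog is now autogenerated from NetBSD CVS, so the reference would have to live in the commit message itself, for example "Track:259, original patch from Atis Elsts: Fix a double memory free ...".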
165
2008-03-06 Yvan Vanhullebus <vanhu@netasq.com>
63
167
* src/racoon/oakley.c: Generates a log if cert validation has been
64
disabled by configuration.
66
2008-03-05 Matthew Grooms
67
* src/racoon/cfparse.y: properly initialize the unity network struct
69
2008-03-05 Matthew Grooms
70
From Timo Teras <timo.teras@iki.fi>:
71
* src/racoon/pfkey.c: better handling for pfkey socket read errors
168
disabled by configuration
170
2008-03-05 Matthew Grooms <mgrooms@shrew.net>
172
* src/racoon/cfparse.y: Properly initialize the unity network
173
struct to prevent erroneous protocol and port info from being
176
* src/racoon/pfkey.c: Provide better handling for pfkey socket read
177
errors. Submitted by Timo Teras.
73
179
2008-02-25 Emmanuel Dreyfus <manu@netbsd.org>
74
From Brian Haley <brian.haley@hp.com>
75
* src/racoon/ipsec_doi.c: Do check SPI size (it was not due to a typo)
181
* src/racoon/ipsec_doi.c: From Brian Haley <brian.haley@hp.com>:
182
There's a cut/paste error in cmp_aproppair_i(), it's supposed to be
183
checking spi_size but it's not. I'm not sure this patch is correct,
184
but what's there isn't either.
186
Add fogotten entry in ChangeLog
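Review bot: The new ipsec_doi.c entry at new lines 181-184 records the submitter's doubt ("I'm not sure this patch is correct, but what's there isn't either") rather than what the change does, and new line 186 ("Add fogotten entry in ChangeLog") is a leftover commit remark with a typo. Old line 75, "Do check SPI size (it was not due to a typo)", told the reader that the spi_size check is now performed. Suggest keeping a statement of that form for cmp_aproppair_i() and dropping line 186.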
77
188
2008-02-22 Emmanuel Dreyfus <manu@netbsd.org>
78
From Brian Haley <brian.haley@hp.com>
79
* src/racoon/isakmp.c: Fix address length
81
2008-01-11 Yvan Vanhullebus <vanhu@netasq.com>
82
* src/racoon/handler.[ch]: added an 'established' arg to getph1byaddr()
83
From Krzysztof Oledzki <olel@ans.pl>:
84
* src/racoon/isakmp.c: Only search for established ph1 handles in
85
DPD (also reported new getph1byaddr() arg)
86
* src/racoon/isakmp_inf.c: added some details to some logs (also
87
reported new getph1byaddr() arg)
88
* src/racoon/crypto_openssl.c: fixed compilation with idea and
90
From Timo Teras <timo.teras@iki.fi>:
91
* src/racoon/isakmp_inf.c: reset iph1->dpd_r_u in the scheduler's
92
callback, to avoid some access to freed memory
94
2007-11-29 Yvan Vanhullebus <vanhu@netasq.com>
95
From Natanael Copa <natanael.copa@gmail.com>:
96
* src/racoon/Makefile.am: fixed a race condition when building
99
2007-11-06 Yvan Vanhullebus <vanhu@netasq.com>
100
From Scott Lamb <slamb@slamb.org>
101
* src/racoon/plog.[ch]: new plog macro
102
* src/racoon/kmpstat.c: plog changed to _plog to work with new plog macro
103
* src/racoon/crypto_openssl.c: includes plog.h to work with the
106
2007-10-15 Yvan Vanhullebus <vanhu@netasq.com>
190
* src/racoon/isakmp.c: Fix bad address length computation, from
193
2008-01-11 Yvan Vanhullebus <vanhu@netasq.com>
195
* src/racoon/isakmp_inf.c: From Timo Teras: reset iph1->dpd_r_u in
196
the scheduler's callback, to avoid access to freed memory.
198
* src/racoon/crypto_openssl.c: From Krzysztof Oledzki: Fix
199
compilation with IDEA and recent gcc.
201
* src/racoon/isakmp_inf.c: From Krzysztof Oledzki: added some
202
details to some logs (also reported new getph1byaddr() arg).
204
* src/racoon/isakmp.c: From Krzysztof Oledzki: Only search for
205
established ph1 handles in DPD (also reported new getph1byaddr()
208
* src/racoon/: handler.c, handler.h: added an 'established' arg to
211
2007-11-29 Yvan Vanhullebus <vanhu@netasq.com>
213
* src/racoon/Makefile.am: From Natanael Copa: fixed a race
214
condition when building yacc stuff.
216
2007-11-06 Yvan Vanhullebus <vanhu@netasq.com>
218
* src/racoon/crypto_openssl.c: From Scott Lamb: include plog.h to
219
work with the new plog macro.
221
* src/racoon/kmpstat.c: From Scott Lamb: plog changed to _plog to
222
work with new plog macro
224
* src/racoon/: plog.c, plog.h: From Scott Lamb: new plog macro.
226
2007-10-15 Yvan Vanhullebus <vanhu@netasq.com>
107
228
* src/libipsec/pfkey.c: Try to increase the buffer size of the
108
pfkey socket, this may help things when we have a huge SPD.
229
pfkey socket, this may help things when we have a huge SPD
110
231
2007-09-19 Matthew Grooms <mgrooms@shrew.net>
111
From Joy Latten <latten@austin.ibm.com>
112
* configure.ac: Fix autoconf check for selinux support.
233
* configure.ac: Fix autoconf check for selinux support. Submitted
114
236
2007-09-03 Matthew Grooms <mgrooms@shrew.net>
115
* src/racoon/racoon.conf.5: Correct wins4 and nbns4 modecfg option syntax.
116
* src/racoon/cftoken.l: Add nbns4 as an alias for wins4.
118
---------------------------------------------
122
2007-08-07 Emmanuel Dreyfus <manu@netbsd.org>
238
* src/racoon/: cftoken.l, racoon.conf.5: Correct the syntax for
239
wins4 in the man page and add nbns4 as an alias. Pointed out by
242
2007-08-09 tag ipsec-tools-0_7
244
2007-08-09 Matthew Grooms <mgrooms@shrew.net>
246
* NEWS, configure.ac: Prepare for 0.7 release tag.
248
2007-08-07 Emmanuel Dreyfus <manu@netbsd.org>
123
250
* src/racoon/isakmp_xauth.c: Don't mix up RADIUS authentication and
124
251
authorization ports. Allow interoperability with freeradius
126
2007-08-01 Yvan Vanhullebus <vanhu@netasq.com>
128
src/libipsec/ipsec_dump_policy.c
129
src/libipsec/ipsec_get_policylen.c
130
src/libipsec/ipsec_strerror.c
131
src/libipsec/key_debug.c
132
src/libipsec/libpfkey.h
134
src/libipsec/pfkey_dump.c
135
src/libipsec/policy_parse.y
136
src/libipsec/policy_token.l
137
src/libipsec/test-policy-priority.c
139
src/racoon/backupsa.c
142
src/racoon/ipsec_doi.c
144
src/racoon/isakmp_inf.c
145
src/racoon/isakmp_quick.c
148
src/racoon/proposal.c
149
src/racoon/remoteconf.c
152
src/racoon/sockmisc.c
153
src/racoon/strnames.c
157
use a single PATH_IPSEC_H to fix some path_to_ipsec.h issues.
159
2007-07-18 Matthew Grooms <mgrooms@shrew.net>
160
* src/racoon/racoon.conf.5: various man page updates
162
2007-07-16 Yvan Vanhullebus <vanhu@netasq.com>
163
* src/racoon/grabmyaddr.c: fixed a socket leak.
165
---------------------------------------------
253
2007-08-01 Yvan Vanhullebus <vanhu@netasq.com>
255
* configure.ac, src/libipsec/ipsec_dump_policy.c,
256
src/libipsec/ipsec_get_policylen.c,
257
src/libipsec/ipsec_strerror.c, src/libipsec/key_debug.c,
258
src/libipsec/libpfkey.h, src/libipsec/pfkey.c,
259
src/libipsec/pfkey_dump.c, src/libipsec/policy_parse.y,
260
src/libipsec/policy_token.l, src/libipsec/test-policy-priority.c,
261
src/racoon/admin.c, src/racoon/backupsa.c, src/racoon/cfparse.y,
262
src/racoon/cftoken.l, src/racoon/ipsec_doi.c,
263
src/racoon/isakmp.c, src/racoon/isakmp_inf.c,
264
src/racoon/isakmp_quick.c, src/racoon/pfkey.c,
265
src/racoon/policy.c, src/racoon/proposal.c,
266
src/racoon/remoteconf.c, src/racoon/sainfo.c,
267
src/racoon/session.c, src/racoon/sockmisc.c,
268
src/racoon/strnames.c, src/setkey/parse.y, src/setkey/setkey.c,
269
src/setkey/token.l: use a single PATH_IPSEC_H to fix some
270
path_to_ipsec.h issues
272
2007-07-24 Matthew Grooms <mgrooms@shrew.net>
274
* NEWS: Update NEWS file with additional 0.7 improvements.
276
2007-07-18 Matthew Grooms <mgrooms@shrew.net>
278
* src/racoon/racoon.conf.5: Various racoon configuration manpage
281
2007-07-16 Yvan Vanhullebus <vanhu@netasq.com>
283
* src/racoon/grabmyaddr.c: fixed a socket leak
285
2007-06-12 tag ipsec-tools-0_7-RC1
287
2007-06-12 tag ipsec-tools-0_7-rc1
289
2007-06-12 Emmanuel Dreyfus <manu@netbsd.org>
291
* configure.ac: ipsec-tools used to use tags in lower case
293
2007-06-12 Yvan Vanhullebus <vanhu@netasq.com>
295
* configure.ac: 0.7-RC1
169
297
2007-06-07 Emmanuel Dreyfus <manu@netbsd.org>
170
From Paul Winder <Paul.Winder@tadpole.com>:
171
* src/racoon/isakmp_cfg.c: Fix ignored INTERNAL_DNS4_LIST
173
2007-06-06 Yvan Vanhullebus <vanhu@netasq.com>
299
* src/racoon/: main.c, policy.h, security.c: From Joy Latten
300
<latten@austin.ibm.com> Fix file descriptor shortage when using
303
* src/racoon/isakmp_cfg.c: From Paul Winder
304
<Paul.Winder@tadpole.com> Fix ignored INTERNAL_DNS4_LIST
306
2007-06-06 Yvan Vanhullebus <vanhu@netasq.com>
308
* src/racoon/: eaytest.c, var.h: From Rong-En Fan: fix compilation
311
2007-06-06 Emmanuel Dreyfus <manu@netbsd.org>
313
* src/racoon/kmpstat.c: From Jianli Liu <jlliu@nortel.com>: Use the
314
specified socket path instead of the default location
316
2007-06-06 Yvan Vanhullebus <vanhu@netasq.com>
318
* src/racoon/session.c: From Jianli Liu: speed up interfaces update
174
321
* src/racoon/handler.c: ignore obsolete lifebyte when validating
175
reloaded configuration.
176
From Jianli Liu <jlliu@nortel.com>:
177
* src/racoon/session.c: speeds up interfaces update when they changed.
178
From Rong-En Fan <rafan@freebsd.org>
179
* src/racoon/{var.h|eaytest.c}: fixed compilation with gcc 4.2
181
2007-05-31 Emmanuel Dreyfus <manu@netbsd.org>
182
From Joy Latten <latten@austin.ibm.com>
183
* src/racoon/{main.c|policy.h|security.c}: Fix file descriptor
184
shortage when using labeled IPsec.
186
2007-05-30 Emmanuel Dreyfus <manu@netbsd.org>
187
From Jianli Liu <jlliu@nortel.com>:
188
* src/racoon/kmpstat.c: Use the specified socket path instead of
191
2007-05-04 Yvan Vanhullebus <vanhu@netasq.com>
192
* src/racoon/pfkey.c: Force the update of ph2 in pk_recvupdate()
193
if NAT_T support, to solve some port match problems with the
194
first IPSec SAs negociated as initiator.
195
* src/racoon/isakmp_inf.c: added some debug for DELETE_SA process.
322
reloaded configuration
324
2007-05-04 Yvan Vanhullebus <vanhu@netasq.com>
326
* src/racoon/handler.c: search a ph1 by address if iph2->ph1 is
327
NULL when validating the new config
329
* src/racoon/handler.c: added some debug in getph1byaddr() to track
330
some port matching problems with NAT-T
196
332
* src/racoon/isakmp.c: added some debug in isakmp_chkph1there() to
197
track some port matching problems with NAT-T.
198
* src/racoon/handler.c: added some debug in getph1byaddr() to
199
track some port matching problems with NAT-T.
200
* src/racoon/handler.c: search a ph1 by address if iph2->ph1 is
201
NULL when validating the new config.
203
2007-04-04 Yvan Vanhullebus <vanhu@netasq.com>
333
track some port matching problems with NAT-T
335
* src/racoon/isakmp_inf.c: added some debug for DELETE_SA process
337
* src/racoon/pfkey.c: Force the update of ph2 in pk_recvupdate() if
338
NAT_T support, to solve some port match problems with the first
339
IPSec SAs negociated as initiator
341
2007-04-04 Yvan Vanhullebus <vanhu@netasq.com>
343
* src/racoon/ipsec_doi.c: checks proto_id in ipsecdoi_chkcmpids()
204
345
* src/racoon/oakley.c: dumps peer's ID and peer's certificate
205
subject /subjectaltname if they don't match.
206
* src/racoon/ipsec_doi.c: checks proto_id in ipsecdoi_chkcmpids().
208
---------------------------------------------
212
2007-03-26 Yvan Vanhullebus <vanhu@netasq.com>
346
subject /subjectaltname if they don't match
348
2007-03-29 tag ipsec-tools-0_7-beta3
350
2007-03-29 Emmanuel Dreyfus <manu@netbsd.org>
352
* configure.ac: Bump to 0.7beta3
354
2007-03-26 Yvan Vanhullebus <vanhu@netasq.com>
213
356
* src/racoon/isakmp_inf.c: Store the DPD main scheduler in ph1
214
handler, to be able to cancel it when removing the handler, and
215
some minor cleanups in DPD code.
217
2007-03-23 Yvan Vanhullebus <vanhu@netasq.com>
218
* src/racoon/{oakley.c|racoon.conf.5}: give more details about
219
what is checked when using certificates to authenticate. Patch
357
handler, to be able to cancel it when removing the handler, and some
358
minor cleanups in DPD code
360
2007-03-23 Yvan Vanhullebus <vanhu@netasq.com>
362
* src/racoon/: ipsec_doi.c, security.c: From Joy Latten: fix a
363
segfault when using security labels between 32bit and 64bit host.
221
365
* src/racoon/handler.c: expire zombie handlers in getph2byid(), to
222
avoid situations where we'll never negociate a phase2
223
again. Would be better to find out why do we have such zombies !!
224
* src/racoon/{ipsec_doi.c|security.c}: fixed a segfault when using
225
security labels between a 32bit and a 64bit host. Patch by
228
2007-03-22 Yvan Vanhullebus <vanhu@netasq.com>
229
* src/racoon/{ipsec_doi.c|cfparse.y}: fixed subnet check to
230
generate IPV4_ADDRESS when needed in sockaddr2id().
232
2007-03-21 Yvan Vanhullebus <vanhu@netasq.com>
233
* src/racoon/schedule.h: checks if arg is NULL in SCHED_KILL.
234
* src/racoon/{handler.c|isakmp.c|isakmp_inf.c|pfkey.c}: NULL sched
235
check is now done in SCHED_KILL.
237
2007-03-15 Yvan Vanhullebus <vanhu@netasq.com>
366
avoid situations where we'll never negociate a phase2 again
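Review bot: Old line 223 marked the handler.c change as a workaround ("Would be better to find out why do we have such zombies !!"), and new lines 365-366 keep only the expiry in getph2byid() without that open question. Suggest keeping a one-line remark or a tracker reference next to the entry so the unexplained zombie handlers stay visible alongside the workaround.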
368
* src/racoon/: oakley.c, racoon.conf.5: From Cyrus Rahman: give
369
more details about what is checked when using certificates to
372
2007-03-22 Yvan Vanhullebus <vanhu@netasq.com>
374
* src/racoon/: cfparse.y, ipsec_doi.c: fixed subnet check to
375
generate IPV4_ADDRESS when needed in sockaddr2id()
377
2007-03-21 Yvan Vanhullebus <vanhu@netasq.com>
379
* src/racoon/: handler.c, isakmp.c, isakmp_inf.c, pfkey.c: NULL
380
sched check is now done in SCHED_KILL
382
* src/racoon/schedule.h: checks if arg is NULL in SCHED_KILL
384
2007-03-15 Yvan Vanhullebus <vanhu@netasq.com>
386
* src/racoon/grabmyaddr.c: From Yves-Alexis Perez: enable
387
monitoring of ipv6 address changes on Linux.
238
389
* src/racoon/isakmp.c: Consider a negociation timeout when
239
retry_counter is <=0 instead of < 0.
240
* src/racoon/grabmyaddr.c: enable monitoring of ipv6 addresse
241
changes on linux. Patch by Yves-Alexis Perez.
243
---------------------------------------------
247
2007-02-27 Matthew Grooms <mgrooms@shrew.net>
248
* src/racoon/ipsec_doi.c: add logic to match ip address ids to
249
ip subnet ids when appropriate. reported by Yvan.
251
2007-02-21 Yvan Vanhullebus <vanhu@netasq.com>
252
* src/racoon/ipsec_doi.c: block variable declaration before code
253
in ipsecdoi_id2str().
255
2007-02-20 Yvan Vanhullebus <vanhu@netasq.com>
256
* src/racoon/{handler.c|isakmp_var.h}: updated delete_spd() calls.
257
* src/racoon/isakmp.c: Only delete a generated SPD if it's
258
creation date matches the creation date of the SA we are
260
* src/racoon/{pfkey.c|isakmp_inf.c}: fills creation date of
262
* src/racoon/policy.h: added 'created' var.
390
retry_counter is <=0 instead of < 0
392
2007-03-06 tag ipsec-tools-0_7-beta2
394
2007-03-06 Emmanuel Dreyfus <manu@netbsd.org>
396
* configure.ac: Bump to 0.7beta2
398
2007-03-01 Matthew Grooms <mgrooms@shrew.net>
400
* src/racoon/ipsec_doi.c: Add logic to allow ip address ids to be
401
matched to ip subnet ids when appropriate.
403
2007-02-21 Yvan Vanhullebus <vanhu@netasq.com>
405
* src/racoon/ipsec_doi.c: block variable declaration before code in
408
2007-02-20 Yvan Vanhullebus <vanhu@netasq.com>
263
410
* src/racoon/isakmp_inf.c: Removed a debug printf....
265
2007-02-19 Yvan Vanhullebus <vanhu@netasq.com>
412
* src/racoon/isakmp.c: Only delete a generated SPD if it's creation
413
date matches the creation date of the SA we are currently deleting
415
* src/racoon/: handler.c, isakmp_var.h: updated delete_spd() calls
417
* src/racoon/: isakmp_inf.c, pfkey.c: fills creation date of
420
* src/racoon/policy.h: added 'created' var
422
2007-02-19 Yvan Vanhullebus <vanhu@netasq.com>
266
424
* src/racoon/isakmp.c: Removed a debug printf....
268
2007-02-16 Yvan Vanhullebus <vanhu@netasq.com>
269
* src/racoon/ipsec_doi.c: Fixed a %zu in a printf. Reported by
272
---------------------------------------------
276
2007-02-15 Emmanuel Dreyfus <manu@netbsd.org>
277
* configure.ac: fix typo in SELinux option
278
* src/racoon/security.c: missing file from Joy Latten
280
2007-02-15 Yvan Vanhullebus <vanhu@netasq.com>
426
2007-02-16 tag ipsec-tools-0_7-beta1
428
2007-02-16 Emmanuel Dreyfus <manu@netbsd.org>
430
* configure.ac: Bump to 0.7beta1
432
2007-02-16 Yvan Vanhullebus <vanhu@netasq.com>
434
* src/racoon/ipsec_doi.c: From Olivier Warin: Fix a %zu in a
437
2007-02-15 Emmanuel Dreyfus <manu@netbsd.org>
439
* src/racoon/security.c: Missing file for SELinux
441
* configure.ac: Missing stuff for SELinux
443
2007-02-15 Yvan Vanhullebus <vanhu@netasq.com>
445
* src/racoon/isakmp_inf.c: From "Uncle Pedro" on sf.net: Just
446
expire a ph1 handle when receiving a DELETE-SA instead of calling
281
449
* src/racoon/isakmp.c: Fixed the way phase1/2 messages are
282
sent/resent, to avoid zombie handles and acces to freed memory.
283
* src/racoon/isakmp_inf.c: Just expire a ph1 handle when receiving
284
a DELETE-SA instead of calling purge_remote(). Reported by
285
"Uncle Pedro" on Sourceforge's bugtracker.
287
2007-02-02 Yvan Vanhullebus <vanhu@netasq.com>
288
* src/racoon/cfparse.y: Fixed a check of NAT-T support in libipsec.
290
2007-02-01 Yvan Vanhullebus <vanhu@netasq.com>
291
* src/racoon/isakmp_inf.c: When receiving an Isakmp DELETE_SA,
292
gets the cookie of the SA to be deleted from payload instead of
293
just deleting the Isakmp SA used to protect the informational.
294
Problem reported by "unclepedro" on Sourceforge's bugtracker.
296
2006-12-18 Yvan Vanhullebus <vanhu@netasq.com>
297
From Joy Latten <latten@austin.ibm.com>
298
* src/racoon/crypto_openssl.c: fixed a memory leak
300
---------------------------------------------
302
Branch for 0.7 created (ipsec-tools-0_7-branch)
304
2006-12-11 Emmanuel Dreyfus <manu@netbsd.org>
305
* src/libipsec/{Makefile.am|libpfkey.h|pfkey.c}
306
src/racoon/{backupsa.c|pfkey.c}: Bring back API and ABI backward
307
compatibility with previous libipsec interface change. Bump
308
libipsec minor version. Remove ifdefs in struct pfkey_send_sa_args
309
to avoid ABI compatibility lossage.
310
* src/libipsec/{libpfkey.h|pfkey.c} src/racoon/cfparse.y: add
311
capability flags to detect missing optional feature in libipsec
313
2006-12-10 Emmanuel Dreyfus <manu@netbsd.org>
314
From Joy Latten <latten@austin.ibm.com>
315
* src/racoon/Makefile.am
316
src/racoon/doc/README.plainrsa: new file documenting plain RSA auth
318
2006-12-09 Emmanuel Dreyfus <manu@netbsd.org>
319
From Joy Latten <latten@austin.ibm.com>
320
* configure.ac src/libipsec/{libpfkey.h|pfkey.c}
321
src/racoon/{Makefile.am|backupsa.c|backupsa.h|cftoken.l|ipsec_doi.c}
322
src/racoon/{ipsec_doi.h|isakmp_inf.c|isakmp_quick.c|pfkey.c|policy.c}
323
src/racoon/{policy.h|proposal.c|proposal.h|remoteconf.c}: Add support for SELinux security contexts. Also cleanup the libipsec
324
interface for adding and updating security associations.
326
From Simon Chang <simonychang@gmail.com>
327
* src/racoon/racoon.conf.5: More hints about plain RSA authentication
329
2006-12-05 Yvan Vanhullebus <vanhu@netasq.com>
330
* src/racoon/proposal.[ch]: Check keys length regarding
331
pcheck_level in cmpsatrns().
332
* src/racoon/racoon.conf.5: updated man page about what is
333
impacted by proposal_check level.
335
2006-11-12 Matthew Grooms <mgrooms@shrew.net>
336
* src/racoon/sainfo.c: fix anonymous sainfo selection.
338
2006-10-22 Yvan Vanhullebus <vanhu@netasq.com>
339
From Michal Ruzicka <michal.ruzicka@comstar.cz>:
340
* src/racoon/{backupsa.c|cfparse.y}: fixed typos.
342
2006-10-19 Yvan Vanhullebus <vanhu@netasq.com>
344
* src/racoon/ipsec_doi.[ch]: Added ipsecdoi_chkcmpids() function
345
* src/racoon/sainfo.c: uses ipsecdoi_chkcmpids() and changed
346
src/dst to loc/rmt in getsainfo().
348
2006-10-09 Emmanuel Dreyfus <manu@netbsd.org>
349
* src/racoon/isakmp_unity.c: correctly check read() return (Coverity)
350
* src/racoon/proposal.c: Fix memory leak (Coverity)
352
2006-10-06 Emmanuel Dreyfus <manu@netbsd.org>
353
From Tomoyuki Okazaki <okazaki@kick.gr.jp>
354
* configure.ac src/libipsec/pfkey_dump.c
355
src/racoon/{algorithm.c|algorithm.h|cftoken.l|crypto_openssl.c}
356
src/racoon/{crypto_openssl.h|eaytest.c|ipsec_doi.c|ipsec_doi.h}
357
src/racoon/{oakley.h|pfkey.c|racoon.conf.5|strnames.c}
358
src/setkey/{setkey.8|test-pfkey.c|token.l}: Camelia cipher
361
2006-10-03 Emmanuel Dreyfus <manu@netbsd.org>
450
sent/resent, to avoid zombie handles and acces to freed memory
452
2007-02-02 Yvan Vanhullebus <vanhu@netasq.com>
454
* src/racoon/cfparse.y: Fixed a check of NAT-T support in libipsec
456
2007-02-01 Yvan Vanhullebus <vanhu@netasq.com>
458
* src/racoon/isakmp_inf.c: From "Uncle Pedro" on sf.net: When
459
receiving an ISAKMP DELETE_SA, get the cookie of the SA to be
460
deleted from payload instead of just deleting the ISAKMP SA used to
461
protect the informational exchange.
463
2006-12-18 Yvan Vanhullebus <vanhu@netasq.com>
465
* src/racoon/crypto_openssl.c: From Joy Latten: fix a memory leak
467
2006-12-10 tag ipsec-tools-0_7-base
469
2006-12-10 Emmanuel Dreyfus <manu@netbsd.org>
471
* src/: libipsec/Makefile.am, libipsec/libpfkey.h,
472
libipsec/pfkey.c, racoon/backupsa.c, racoon/cfparse.y,
473
racoon/pfkey.c: Bring back API and ABI backward compatibility
474
with previous libipsec before recent interface change. Bump libipsec
475
minor version. Remove ifdefs in struct pfkey_send_sa_args to avoid
476
ABI compatibility lossage. Add a capability flags to detect missing
477
optional feature in libipsec
479
* src/racoon/: Makefile.am, doc/README.plainrsa: From Joy Latten:
480
README.plainrsa documenting plain RSA auth
482
2006-12-09 Emmanuel Dreyfus <manu@netbsd.org>
484
* configure.ac, src/libipsec/libpfkey.h, src/libipsec/pfkey.c,
485
src/racoon/Makefile.am, src/racoon/backupsa.c,
486
src/racoon/backupsa.h, src/racoon/cftoken.l,
487
src/racoon/ipsec_doi.c, src/racoon/ipsec_doi.h,
488
src/racoon/isakmp_inf.c, src/racoon/isakmp_quick.c,
489
src/racoon/pfkey.c, src/racoon/policy.c, src/racoon/policy.h,
490
src/racoon/proposal.c, src/racoon/proposal.h,
491
src/racoon/remoteconf.c: From Joy Latten: Add support for SELinux
492
security contexts. Also cleanup the libipsec interface for adding
493
and updating security associations.
495
* src/racoon/racoon.conf.5: From Simon Chang: More hints about
496
plain RSA authentication
498
2006-12-05 Yvan Vanhullebus <vanhu@netasq.com>
500
* src/racoon/: proposal.c, proposal.h, racoon.conf.5: Check keys
501
length regarding proposal_check level
503
2006-11-16 Matthew Grooms <mgrooms@shrew.net>
505
* src/racoon/sainfo.c: Correct issues associated with anonymous
506
sainfo selection in racoon.
508
2006-11-09 Christos Zoulas <christos@netbsd.org>
510
* src/racoon/crypto_openssl.c: eliminate the only variable stack
513
2006-10-31 Christian Biere <cbiere@netbsd.org>
515
* src/racoon/sockmisc.c: Don't define the deprecated
516
IPV6_RECVDSTADDR if the "advanced IPv6 API" is used because
517
IPV6_RECVPKTINFO and IPV6_PKTINFO are used to prevent potential bugs
518
in the future just in case that the numeric value of the socket
519
option is ever recycled.
521
2006-10-22 Yvan Vanhullebus <vanhu@netasq.com>
523
* src/racoon/: backupsa.c, cfparse.y: From Michal Ruzicka: fix
526
2006-10-19 Yvan Vanhullebus <vanhu@netasq.com>
528
* src/racoon/sainfo.c: From Matthew Grooms: use
529
ipsecdoi_chkcmpids() and changed src/dst to loc/rmt in getsainfo().
531
* src/racoon/: ipsec_doi.c, ipsec_doi.h: From Matthew Grooms: Added
532
ipsecdoi_chkcmpids() function.
534
2006-10-09 Emmanuel Dreyfus <manu@netbsd.org>
536
* src/racoon/proposal.c: Fix memory leak (Coverity 3438 and 3437)
538
* src/racoon/isakmp_unity.c: Correctly check read() return value:
539
it's signed (Coverity 1251)
541
2006-10-06 Emmanuel Dreyfus <manu@netbsd.org>
543
* configure.ac, src/libipsec/pfkey_dump.c, src/racoon/algorithm.c,
544
src/racoon/algorithm.h, src/racoon/cftoken.l,
545
src/racoon/crypto_openssl.c, src/racoon/crypto_openssl.h,
546
src/racoon/eaytest.c, src/racoon/ipsec_doi.c,
547
src/racoon/ipsec_doi.h, src/racoon/oakley.h, src/racoon/pfkey.c,
548
src/racoon/racoon.conf.5, src/racoon/strnames.c,
549
src/setkey/setkey.8, src/setkey/test-pfkey.c, src/setkey/token.l:
550
Camelia cipher support as in RFC 4312, from Tomoyuki Okazaki
553
2006-10-03 Emmanuel Dreyfus <manu@netbsd.org>
362
555
* src/racoon/admin.c: fix endianness issue introduced yesterday
364
2006-10-03 Yvan Vanhullebus <vanhu@netasq.com>
365
* src/racoon/{remoteconf.h|sainfo.h}: Added remoteid/ph1id values.
366
* src/racoon/{handler.c|isakmp_quick.c|pfkey.c|sainfo.c}: Uses
367
remoteid/ph1id values.
368
* src/racoon/{cfparse.y|cftoken.l}: Parses remoteid/ph1id values.
369
* src/racoon/racoon.conf.5: Added remoteid/ph1id syntax.

2006-10-02 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/socketmisc.c: don't use NULL pointer (Coverity)
* src/racoon/racoonctl.c: don't use NULL pointer (Coverity)
* src/racoon/proposal.c: don't use NULL pointer (Coverity)
* src/racoon/pfkey.c: don't use NULL pointer (Coverity)
* src/racoon/ipsec_doi.c: don't use NULL pointer (Coverity)
* src/racoon/isakmp.c: don't use NULL pointer (Coverity)
* src/racoon/oakley.c: don't use NULL pointer (Coverity)
* src/racoon/admin.c: avoid reusing free'd pointer (Coverity)
* src/racoon/{admin.c|sockmisc.c}: Fix memory leak (Coverity), refactor
the code to use port get/set function
* src/racoon/admin.c: fix memory leak (Coverity)
* src/racoon/algorithm.c: fix array overrun (Coverity)
* src/racoon/isakmp_ident.c: Remove dead code (Coverity)
* src/racoon/isakmp_inf.c: Check for NULL pointer (Coverity)
* src/racoon/isakmp_base.c: avoid reusing free'd pointer (Coverity)

2006-10-01 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp.c: Avoid using NULL pointer (Coverity)
* src/racoon/ipsec_doi.c: Fix memory leak (Coverity)

2006-09-30 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp_agg.c: Remove dead code (Coverity)
* src/racoon/isakmp_cfg.c: Fix memory leak (Coverity)
* src/racoon/samples/roadwarrior/client/{phase1-up.sh|phase1-down.sh}:
update the scripts for working around routing problems on NetBSD
* src/racoon/admin.c: Do not free id and key, as they are used later
* src/racoon/session.c: Reuse existing code for closing IKE sockets,
and avoid screwing things by setting p->sock = -1, which is not

2006-09-29 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/racoonctl.c: Fix the previous fix

2006-09-28 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/racoonctl.c: Fix access after free (Coverity)
* src/racoon/isakmp_xauth.c: Fix unchecked mallocs (Coverity)

2006-09-26 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/admin.c: Fix memory leaks in racoonctl (Coverity)

2006-10-03 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/racoon.conf.5: Added remoteid/ph1id syntax
* src/racoon/: cfparse.y, cftoken.l: Parses remoteid/ph1id values
* src/racoon/: handler.c, isakmp_quick.c, pfkey.c, sainfo.c: Uses
remoteid/ph1id values
* src/racoon/: remoteconf.h, sainfo.h: Added remoteid/ph1id values

2006-10-02 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp_base.c:
avoid reusing free'd pointer (Coverity 2613)
* src/racoon/isakmp_inf.c: Check for NULL pointer (Coverity 4175)
* src/racoon/isakmp_ident.c: Remove dead code (Coverity 3451)
* src/racoon/algorithm.c: Fix array overrun (Coverity 4172)
* src/racoon/admin.c: Fix memory leak (Coverity 2002)
* src/racoon/: admin.c, isakmp.c, sockmisc.c: Fix memory leak
(Coverity 2001), refactor the code to use port get/set functions
* src/racoon/admin.c: Avoid reusing free'd pointer (Coverity 4200)
* src/racoon/oakley.c: Don't use NULL pointer (Coverity 3443),
reformat to 80 char/line

2006-10-02 Tom Spindler <dogcow@netbsd.org>
* src/racoon/ipsec_doi.c: If you're going to initialize a pointer,
you have to init it with a pointer type, not an int.

2006-10-02 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp.c: Don't use NULL pointer (coverity 3439)
* src/racoon/ipsec_doi.c: Don't use NULL pointer (Coverity 1334)
* src/racoon/pfkey.c: Don't use NULL pointer (Coverity 944)
* src/racoon/proposal.c: Don't use NULL pointer (Coverity 941)
* src/racoon/racoonctl.c: Don't use NULL pointer (Coverity 942)
* src/racoon/sockmisc.c: Don't use null pointer (Coverity 863)

2006-10-01 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/ipsec_doi.c: Fix memory leak (Coverity 4181)
* src/racoon/isakmp.c: Check that iph1->remote is not NULL before
using it (Coverity 3436)

2006-09-30 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp_agg.c: Remove dead code (Coverity 4165)
* src/racoon/isakmp_cfg.c: Fix memory leak (Coverity 4179)
* src/racoon/samples/roadwarrior/client/: phase1-down.sh,
phase1-up.sh: update the scripts for working around routing
* src/racoon/session.c: Reuse existing code for closing IKE
sockets, and avoid screwing things by setting p->sock = -1, which is
not expected (Coverity 4173).
* src/racoon/admin.c: Do not free id and key, as they are used

2006-09-29 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/racoonctl.c: Fix the fix: handle_recv closes the
socket, so we must call com_init before sending any data.

2006-09-28 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp_xauth.c: Fix unchecked mallocs (Coverity 4176,
* src/racoon/racoonctl.c: Fix access after free (Coverity 4178)

2006-09-26 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/cfparse.y: Fix memory leak (Coverity)
* src/racoon/backupsa.c: Fix memory leak (Coverity)
* src/racoon/admin.c: Remove dead code (Coverity)

* src/racoon/backupsa.c: Fix memory leak (Coverity)
* src/racoon/cfparse.y: Fix memory leak (Coverity)
* src/racoon/{pfkey.c|proposal.c}: fix SA bundle (e.g.: ESP+IPcomp)
* src/racoon/ipsec_doi.c: fix buffer overflow

2006-09-25 Yvan Vanhullebus <vanhu@NetBSD.org>
Reported by Yves-Alexis Perez:
* src/racoon/isakmp.c: struct ip -> struct iphdr for Linux.

2006-09-15 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/ipsec_doi.c: fix double free

2006-09-21 Yvan Vanhullebus <vanhu@NetBSD.org>
Reported by Yves-Alexis Perez:

* src/racoon/admin.c: Fix memory leak (Coverity)
* src/racoon/admin.c: One more memory leak
* src/racoon/admin.c: Fix memory leak in racoonctl (coverity)
* src/racoon/ipsec_doi.c: Fix buffer overflow. Also fix credits: SA
bundle fix was contributed by Jeff Bailey, not Matthew Grooms.
Matthew updated the patch for current code, though.
* src/racoon/: pfkey.c, proposal.c: fix SA bundle (e.g.: for
negotiating ESP+IPcomp)

2006-09-25 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/isakmp.c: From Yves-Alexis Perez: struct ip -> struct

2006-09-25 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp.c: style (mostly for testing
ipsec-tools-commits@netbsd.org)
* src/racoon/ipsec_doi.c: Fix double free, from Matthew Grooms

2006-09-21 Yvan Vanhullebus <vanhu@netasq.com>
* src/libipsec/pfkey.c: use sysdep_sa_len to make it compile on

2006-09-19 Yvan Vanhullebus <vanhu@NetBSD.org>

2006-09-19 Thomas Klausner <wiz@netbsd.org>
* src/racoon/racoon.conf.5: Bump date for ike_frag force.
* src/racoon/: plainrsa-gen.8, racoon.conf.5: New sentence, new
* src/racoon/: racoon.conf.5, plainrsa-gen.8: Remove trailing

2006-09-19 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/proposal.c: From Yves-Alexis Perez: fixes default
value for encmodesv in set_proposal_from_policy()
* src/racoon/isakmp.c: always include some headers, as they are
required even without NAT-T.
* src/libipsec/pfkey_dump.c, src/setkey/token.l: define
SADB_X_EALG_AESCBC as SADB_X_EALG_AES if needed.
* src/racoon/crypto_openssl.c: some printf() -> plog().
From Yves-Alexis Perez:
* src/racoon/proposal.c: fixed default value for encmodesv in
set_proposal_from_policy().

2006-09-18 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{cfparse.y|cftoken.l|isakmp.c|isakmp_frag.h}
src/racoon/{racoon.conf.5|remoteconf.c}: ike_frag force option to
force the use of IKE on first packet exchange (prior to peer consent)

2006-09-18 Yvan Vanhullebus <vanhu@NetBSD.org>
* src/racoon/{cfparse.c|cftoken.c|prsa_par.c|prsa_tok.c}
rpm/suse/ipsec-tools.spec: removed those files from the CVS,
as they are generated during the build.

2006-09-18 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp.c: handle IKE frag used in the first packet.

2006-09-16 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/ipsec_doi.c: Trivial bugfix in RFC2407 4.6.2 conformance

2006-09-15 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/ipsec_doi.c: fix build on Linux

---------------------------------------------
Migration to cvs.netbsd.org

2006-08-22 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h}
src/racoon{isdakmp_quick.c|isakmp_xauth.c|isakmp_xauth.h}
src/racoon/racoon.conf.5: Add a group check option

2006-08-17 Yvan Vanhullebus <vanhu@netasq.com>
Patch from Matthew Grooms:
* src/racoon/ipsec_doi.c: fixed an ASN1 size in

2006-08-11 Yvan Vanhullebus <vanhu@netasq.com>
Patch from Matthew Grooms:
* src/racoon/ipsec_doi.[ch]: fixed and public ipsecdoi_id2str()
* src/racoon/isakmp_quick.c: text fix
* src/racoon/pfkey.c: sainfo debug
* src/racoon/sainfo.c: sainfo debug

2006-07-17 Yvan Vanhullebus <vanhu@netasq.com>
Reported by Matthew Grooms:
* src/racoon/isakmp_quick.c: Fixed iph2->id / id_p checks in

* src/racoon/racoon.conf.5: updated man page for sainfo logic.

2006-07-31 Emmanuel Dreyfus <manu@netbsd.org>
From Matthew Grooms <mgrooms@shrew.net>
* src/racoon/{cfparse.y|isakmp_cfg.c|isakmp_cfg.h}
src/racoon/{isakmp_unity.c|isakmp_unity.h}: splinet support
becomes dynamic, bugfixes

2006-07-19 Emmanuel Dreyfus <manu@netbsd.org>
From Peter Eisch <peter@boku.net>
* src/racoon/samples/roadwarrior/client/phase1-up.sh: add missing
netmask in network interface configuration

From Matthew Grooms <mgrooms@shrew.net>
* configure.ac src/racoon/isakmp_xauth.c: update the LDAP API usage

From Matthew Grooms <mgrooms@shrew.net>
* src/racoon/{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h}
src/racoon/{isakmp_cfg.c|isakmp_unity.c|racoon.conf.5}: Split DNS
support (server side)

2006-07-17 Yvan Vanhullebus <vanhu@netasq.com>
* src/libipsec/pfkey.c: Fixed SADB_X_EXT_SEC_CTX support in pfkey_align().
Break reported by Matthew Grooms.

2006-07-13 Frederic Senault <fred@lacave.net>
* src/racoon/isakmp_cfg.c: fix a typo that rendered DNS4 / WINS4
inoperable on 64bit architectures ; add a packetdump of MODE_CFG
exchange in debug mode.

2006-07-09 Emmanuel Dreyfus <manu@netbsd.org>
From Matthew Grooms <mgrooms@shrew.net>
* src/racoon{cfparse.y|cftoken.l|isakmp_quick.c|isakmp_xauth.c}
src/racoon{isakmp_xauth.h|racoon.conf.5|sainfo.c|sainfo.h}:
Group authentication for Xauth. Supports system groups and LDAP.

2006-07-04 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/nattraversal.c: fixed a malloc check in
natt_keepalive_add(). Patch from Bruno Wagenseil.

2006-06-30 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{cfparse.l|cftoken.l}: meaningful error message when
we cannot find the configuration file.

2006-06-24 Emmanuel Dreyfus <manu@netbsd.org>
From Matthew Grooms <mgrooms@shrew.net>
* src/racoon{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h}
src/racoon/{isakmp_xauth.c|isakmp_xauth.h|racoon.conf.5}: network
configuration obtained from LDAP directory

2006-06-23 Emmanuel Dreyfus <manu@netbsd.org>
From Matthew Grooms <mgrooms@shrew.net>
* configure.ac: build fixes

2006-06-22 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/evt.c: build fix
From Matthew Grooms <mgrooms@shrew.net>
* configure.ac: build fixes around libldap and libiconv search

2006-06-21 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/evt.c: Do not record events if admin socket is

2006-06-20 Emmanuel Dreyfus <manu@netbsd.org>
* configure.ac: Check for conflicts between system libiconv
and newer libiconv header
From Matthew Grooms <mgrooms@shrew.net>
* configure.ac src/racoon/{cfparse.y|cftoken.l}
src/racoon/{isakmp_cfg.h|isakmp_xauth.c|isakmp_xauth.h}
src/racoon/{main.c|racoon.conf.5}: Use LDAP for Xauth

2006-06-20 Yvan Vanhullebus <vanhu@netasq.com>
* configure.ac: fixed SHA256 detection on some systems. Patch by
* src/racoon/{cfparse.y|cftoken.l|plog.[ch]|racoon.conf.5}:
changed logging levels. Patch by Michal Ruzicka.

2006-06-15 Emmanuel Dreyfus <manu@netbsd.org>
From Matthew Grooms <mgrooms@shrew.net>
* src/racoon/main.c: make sure RADIUS is correctly initialized

2006-06-14 Yvan Vanhullebus <vanhu@netasq.com>
* Makefile.am, src/Makefile.am: fixed make dist on *BSD

2006-06-07 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp_cfg.c: Fix build.

2006-05-26 Emmanuel Dreyfus <manu@netbsd.org>
From Pawel Jakub Dawidek <pjd@FreeBSD.org>
* src/racoon/handler.c: Fix a crash caused by a NULL pointer
* src/racoon/oakley.c: Typos
* src/racoon/isakmp_base.c: Fix uninitialized buffer
* src/racoon/isakmp_base.c: Do send DPD VID in resp case (base mode)

2006-05-23 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp_cfg.c: Mode cfg can be used without Xauth, so
do not assume Xauth when preparing a hook script environment.
* src/racoon/{algorithm.c|oakley.c|gssapi.c|ipsec_doi.c}: Fix amd64
* src/racoon/ipsec_doi.c: Don't free a referenced buffer
From Matthew Grooms <mgrooms@shrew.net>
* src/racoon/isakmp_cfg.c: Fix for unity local_lan support

2006-05-07 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{isakmp.c|session.c|sockmisc.c|racoon.conf.5}: Do
not reconfigure interface sockets when running in privilege
separation as it will not work. Add debug for setsockopt().
* src/racoon/racoonctl.8: Do not tell config reload is completely
broken (it's only somewhat broken).

2006-05-06 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{remoteconf.c|remoteconf.h|isakmp.c|cfparse.y}: Fix
memory leak (Coverity)
* src/racoon/pfkey.c: Fix memory leak (Coverity)
* src/racoon/ipsec_doi.c: Fix memory leak (Coverity)
* src/racoon/isakmp.c: Fix memory leak (Coverity)
* src/racoon/dnssec.c: Fix memory leak (Coverity)
* src/racoon/backupsa.c: Fix memory leak (Coverity)
* src/racoon/{nattraversal.c|isakmp.c|cfparse.y}: Check for non NULL
allocation (Coverity)
* src/racoon/isakmp_quick.c: Remove dead code (Coverity)
* src/racoon/oakley.c: Remove dead code (Coverity)
* src/racoon/crypto_openssl.c: Remove dead code (Coverity)

2006-05-05 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/pfkey.c: Sets NAT-T ports to 0 if no NAT
encapsulation in pk_sendgetspi().

2006-05-04 Yvan Vanhullebus <vanhu@netasq.com>
From Preggna S (spreggna@novell.com)
* src/racoon/schedule.h: fixed gnuc.h include.
* src/racoon/{cfparse.y|cftoken.l}: Address range sainfos support.
* src/racoon/ipsec_doi.[ch]: ipsecdoi_sockrange2id() function.

2006-05-03 Yvan Vanhullebus <vanhu@netasq.com>
From Joy Latten <latten@austin.ibm.com>
* configure.ac: security context support check
* src/libipsec/{pfkey.c|pfkey_dump.c}:
SADB_X_EXT_PACKET / SADB_X_EXT_SEC_CTX support
* src/setkey/{parse.ytoken.l}: parses optional security context
* src/setkey/setkey.8: security context syntax

2006-04-27 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{remoteconf.c|proposal.c}: fix memory leak (Coverity)

2006-04-24 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/isakmp.c: style cleanup in delete_spd()

2006-04-13 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/pfkey.c: Sets NAT-T ports to 0 if no NAT
encapsulation in pk_sendupdate().

2006-04-12 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/ipsec_doi.c: fix memory leaks (Coverity)

2006-04-06 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{admin.c|cfparse.y|cftoken.l|debugrm.c|debugrm.h}
src/racoon/{gcmalloc.h|isakmp.c|isakmp_inf.c|isakmp_xauth.c}
src/racoon/{logger.c|misc.h|plog.c|racoonctl.c|sockmisc.c}: Add
strdup in the malloc debugging framework, check for strdup failures
* src/racoon/admin.c: Do not use an unallocated pointer (Coverity)
* src/racoon/schedule.c: Check for NULL pointer
* src/racoon/{grabmyaddr.c|handler.c|isakmp.c|isakmp_cfg.c}
src/racoon/{isakmp_inf.c|isakmp_quick.c|nattraversal.c}: Check
that dupsaddr returns non NULL pointers (Coverity)
* src/racoon/isakmp_quick.c: Ignore multiple notifications in the
same message, and do not leak memory (Coverity)
* src/racoon/{isakmp_agg.c|isakmp_ident.c}: Fix memory leak in
GSSAPI code (Coverity)
* src/racoon/racoonctl.c: fix minor memory leak (Coverity)
* src/racoon/isakmp.c: fix memory leak (Coverity)
* src/racoon{isakmp.c|isakmp_inf.c}: fix phase 1 handler leak (Coverity)

2006-04-05 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp_xauth.c: fix uninitialized variable, found by
* src/racoon/{isakmp_cfg.c|isakmp_xauth.h|isakmp_xauth.c}: Do not
use deleted phase 1 handler after errors, found by coverity
* src/racoon/main.c: tell which config file we use
* src/racoon/isakmp_cfg.c: Do not use deleted phase 1 handler, found
* src/racoon/{isakmp_agg.c|isakmp_ident.c}: Do not use deleted phase 1
handler, found by Coverity
* src/racoon/dnssec.c: do not return a free'ed certificate, found by
* src/racoon/oakley.c: fix stale pointer alias, found by Coverity
* src/racoon/throttle.c: do not free current item while walking a
chained list, found by Coverity
* src/racoon/vmbuf.c: handle NULL argument for vdup, found by Coverity

2006-03-18 Emmanuel Dreyfus <manu@netbsd.org>
From John Nemeth <jnemeth@victoria.tc.ca> and a Coverity scan
* src/racoon/isakmp_xauth.c: fix memory leak

2006-02-25 Emmanuel Dreyfus <manu@netbsd.org>
From Thomas Klausner <wiz@NetBSD.org>
* src/racoon/{cfparse.y|handler.h}: typos

2006-02-23 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/main.c: do not reset isakmp_cfg structure after

2006-02-22 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/vendorid.c: Fixed Vendor IDs order (well, should not
be really necessary) and DPD VId hash generation

2006-02-17 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/{cfparse.y|sainfo.c}: Support for "semi anonymous"
* src/racoon/racoon.conf.5: updated sainfos syntax
* src/racoon/vendorid.[ch]: IPSec-Tools Vendor ID

2006-02-15 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/{cfparse.y|cftoken.l}: Parse new generate_policy
* src/racoon/remoteconf.h: defines for REQUIRE/UNIQUE/NONE
generate policy levels
* src/racoon/proposal.c: Sets optional reqid for generated
* src/racoon/pfkey.c: sends UNIQUE policies to kernel if reqid
* src/racoon/racoon.conf.5: updated generate_policy syntax

2006-02-02 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/isakmp.c: Fixed zombie PH1 handler when isakmp_send()
fails in isakmp_ph1resend()

2006-01-17 Frederic Senault <fred@lacave.net>
* src/racoon/cfparse.y: Add the keyid [ (tag|file) ] semantics to the
peers_identifier keyword.
* src/racoon/{evt.h|isakmp.c|racoonctl.c}: Send a message to the
adminsock to allow for racoonctl to stop looping when the
vpn-connect command is used and there is no mode config exchange.

2006-01-08 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp_cfg.c: make software behave as the documentation
advertises for INTERNAL_NETMASK4. Keep the old INTERNAL_MASK4 to
avoid breaking backward compatibility.

2005-12-19 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/session.c: Fixed / cleaned up signal handling.

2005-12-13 Yvan Vanhullebus <vanhu@netasq.com>
* src/libipsec/samples/*: replaced "obey" mode by "strict" mode.

2005-12-07 Yvan Vanhullebus <vanhu@netasq.com>
* src/libipsec/pfkey_dump.c: fixed compilation when NAT_T
disabled (Fred has still some CVS problems).
* src/racoon/session.c: Calls isakmp_cfg_init() only if
ENABLE_HYBRID in reload_conf().

2005-12-04 Frederic Senault <fred@lacave.net>
* src/libipsec/{libpfkey.h|pfkey_dump.c}: add a sadump_withports
function to display SAD entries with their associated ports.
* src/setkey/{parse.y|setkey.c|setkey.8}: allow to use setkey -p flag
in conjunction with -D to show SADs with the port, allow both get and
delete commands to use bracketed ports if needed.

2005-11-26 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/session.c: fix possible race conditions in signal handlers
* src/racoon/{isakmp_cfg.c|isakmp_cfg.h|main.c|session.c}: when
reloading configuration, do not add new mode_cfg config to the
existing one, overwrite it instead.

2005-11-25 Emmanuel Dreyfus <manu@netbsd.org>
From Thomas Klausner <wiz@netbsd.org>
* src/racoon/racoon.conf.5: Style changes

2005-11-21 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/isakmp_[ident|agg].c: Check if natt is available when
receiving a NAT_D payload from initiator. It saves a crash,
reported by Dave Huang to NetBSD.

2005-11-20 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/isakmp_agg.c: Check that we got some needed payloads
from peer (could cause a DoS). Crash reported by Adrian Portelli
using IKE test suite from
http://www.ee.oulu.fi/research/ouspg/protos/testing/c09/isakmp/

2005-11-10 Yvan Vanhullebus <vanhu@free.fr>
Patches from Francis Dupont
* src/libipsec/key_debug.c: SADB_X_EXT_PACKET support
* src/libipsec/{libpfkey.h|pfkey.c}: pfkey_send_migrate() function
* src/setkey/parse.y: IPPROTO_MH support
* src/racoon/pfkey.c: fixed some logs
* src/racoon/strnames.c: fixed a typo for SADB_X_PROMISC,
appropriate define for SADB_X_NAT_T_NEW_MAPPING, added

2005-11-06 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/main.c, src/racoon/session.c: moved .pid file writing
just before main loop. Thanks Stephen Thorne
* src/racoon/localconf.h, src/racoon/cftoken.l: introduced
path pidfile directive
* src/racoon/racoon.conf.5: documented above
* configure.ac: OpenSSL 0.9.8 compilation fix. Thank Ganesan
* configure.ac: added check for strlcat function
* src/racoon/misc.h: define strlcat function for systems without one
* src/racoon/remoteconf.c: strncat -> strlcat

2005-11-01 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/isakmp_inf.c: repeated gcc-4.0 build fix. Thanks

2005-10-30 Yvan Vanhullebus <vanhu@netasq.com>
Patches from Christoph Nadig for compilation on MacOS X
* configure.ac: no lcrypt for darwin
* src/libipsec/key_debug.c: include stdint.h if HAVE_STDINT_H
* src/racoon/isakmp_cfg.c: some includes and some %zu
* src/racoon/isakmp_unity.c: fixed a %zu
* src/racoon/vmbuf.h: vfree already defined for Apple

2005-10-17 Aidas Kasparas <a.kasparas@gmc.lt>
Introduced subnet sainfo type.
* src/racoon/cftoken.l: new token "subnet"
* src/racoon/cfparse.y: added address/subnet differentiation logic
* src/racoon/ipsec-doi.h: new constant
* src/racoon/ipsec-doi.c: adopted to above
* src/racoon/racoon.conf.5: documented above

2005-09-14 Emmanuel Dreyfus <manu@netbsd.org>
* src/libipsec/pfkey.c: One forgotten cast caddr_t -> void *

2005-10-14 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/ipsec_doi.c: don't allow NULL or empty FQDNs or
USER_FQDNs (problem reported by Bernhard Suttner).

2005-09-10 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon[isakmp.c|isakmp_cfg.c|isakmp_inf.c}
src/racoon/doc/FAQ configure.ac: Add --enable-broken-natt for
kernel implementing NAT-T but unable to cope with IKE ports in

2005-09-05 Emmanuel Dreyfus <manu@netbsd.org>
From Wilfried Weissmann:
* src/libipsec/policy_parse.y src/racoon/oakley.c
src/racoon/{sockmisc.c|sockmisc.h}: build fixes

2005-09-03 Emmanuel Dreyfus <manu@netbsd.org>
From Francis Dupont <Francis.Dupont@enst-bretagne.fr>
* src/libipsec/pfkey.c src/racoon/pfkey.c: Cope with extensions

2005-08-26 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/evt.c: Fix memory leak when event queue overflows

2005-08-23 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{isakmp_agg.c|isakmp_ident.c|isakmp_base.c}: Correctly
initialize NAT-T VID to avoid freeing unallocated stuff.

2005-08-21 Emmanuel Dreyfus <manu@netbsd.org>
From Matthias Scheler <matthias.scheler@tadpole.com>
* src/racoon/{isakmp_cfg.c|racoon.conf.5}: enable the use of
ISAKMP mode config without Xauth.

2005-08-16 Emmanuel Dreyfus <manu@netbsd.org>
From Thomas Klausner <wiz@netbsd.org>
* src/setkey/setkey.8: remove trailing whitespaces

2005-09-09 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/policy.c: Do not parse all sptree in inssp() if we
don't use Policies priority.

2005-08-20 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/handler.c: Fixed a possible crash in
remove_ph2(). Reported by Dietmar Eggemann.

2005-08-14 Emmanuel Dreyfus <manu@netbsd.org>
From Francis Dupont <Francis.Dupont@enst-bretagne.fr>
* src/racoon/dnssec.c: fix bogus test on function result

2005-08-11 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp.c: Improved in/out SA addresses check in
purge_remote(). Reported by Patrick Ma.

2005-08-08 Emmanuel Dreyfus <manu@netbsd.org>
* src/libipsec/{key_debug.c|pfkey.c|pfkey_dump.c}: de-lint, warnings

2005-08-08 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/privsep.c: Fixed a %d -> %zu in
port_check() (reported by Matthias Scheler).

2005-08-04 Emmanuel Dreyfus <manu@netbsd.org>
* configure.ac: correctly quote RACOON_PATH_LIBS arguments

2005-08-02 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp_inf.c: First fix to
info_recv_initialcontact(): do a basic IP check when no NAT-T.

2005-07-26 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp.c: Fixed purge_remote()

2005-07-25 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp.c: Do not purge IPSec SAs in purge_remote() if
a new ph1handle exists (patch by Krzysztof Oledzki)

2005-07-20 Aidas Kasparas <a.kasparas@gmc.lt>
* configure.ac: disabled --enable-samode-unspec under linux

2005-07-20 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp_quick.c: Ignore NATOA payloads in
quick_r1recv() as it is done in quick_i2recv().
* configure.ac: new --enable-fastquit option
* src/racoon/session.c: new optional code when flushing SAs,
which is faster and should have no deadlocks. configure
--enable-fastquit option to enable it.

2005-07-19 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp.c: Checks in isakmp_ph1begin_r() if we got the
packet from NAT-T port, and set up the NAT_PORTS_CHANGED in that
case (RFC 3947, sect 4, we MUST allow new phase1 negotiations on
NAT-T floated port), to correctly generate the reply.

2005-07-16 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/grabmyaddr.c: fixed file descriptor leak. Thanks to
* src/racoon/setkey.c: disabled readline's filename completion
* src/racoon/proposal.c: fixed mode selection for SAs with
complex_bundle on behind NAT

2005-07-14 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/handler.c: - Clears the DPD schedule in delph1()
- Cleared up sanity checks in delph1()
- Sets p->rmconf to NULL if no new
remoteconf in revalidate_ph1tree_rmconf()
* src/racoon/isakmp.c: Added sanity checks in script_hook()
* src/racoon/oakley.c: Sanity check in save_certbuf()

2005-07-13 Emmanuel Dreyfus <manu@netbsd.org>
* src/setkey/Makefile.am: missing file in distribution

2005-07-12 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp.c: Fixed a mem leak in isakmp_send().

2005-07-12 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/pfkey.c: Set IKE ports to 0 in the SA when NAT-T is not
* src/racoon/{crypto_openssl.c|ipsec_doi.c|oakley.c} configure.ac
src/racoon/missing/crypto/sha2/sha2.h: Support OpenSSL-0.9.8
* src/racoon/{admin.c|session.c}: Don't use the adminport if it is
* src/racoon/samples/roadwarrior/client/{pahse1-up.sh|phase1-down.sh}:
Add comments for using the scripts without NAT-T

2005-07-11 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/ipsec_doi.c configure.ac: More build fixes on Linux.
Accommodate various libiconv versions

2005-07-10 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/ipsec_doi.c configure.ac: build fixes on Linux.
Accommodate various libiconv versions

2005-07-09 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/crypto_openssl.c: Fixed evp_crypt when using crypto
algorithms with variable key size but not OpenSSL default key

2005-07-07 Emmanuel Dreyfus <manu@netbsd.org>
From Mathias Scheler <tron@netbsd.org>
* src/racoon/raccon.conf.5: Document that aes can be used in

2005-07-06 Frederic Senault <fred@lacave.net>
* src/setkey/setkey.c: fix compilation with readline.
* src/racoon/oakley.c: move declarations to fix compilation issues
with gcc 2.95.4/FreeBSD4, re-indentation and style cleanup of the

2005-07-04 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp_inf.c: safety checks on informational messages
* src/racoon/{pfkey.c|proposal.c}: IPcomp fixes

2005-07-01 Emmanuel Dreyfus <manu@netbsd.org>
From Uri Blumenthal <urimobile@optonline.net>:
* src/racoon/{ipsec_doi.c|Makefile.am}: Linux build fixes
* src/racoon/oakley.c: pkcs7 support

2005-06-29 Emmanuel Dreyfus <manu@netbsd.org>
From Christos Zoulas <christos@zoulas.com>
* configure.ac src/setkey/{parse.y|setkey.c|token.l}
src/libipsec/{ipsec_dump_policy.c|ipsec_get_policylen.c|key_debug.c}
src/libipsec/{libpfkey.h|pfkey_dump.c|policy_parse.y}: de-lint,
using void * instead of caddr_t and adding const where appropriate.
* src/setkey/extern.h: new file
* src/libipsec/{pfkey.c|pfkey_dump.c|policy_parse.y}
src/racoon/{sockmisc.c|sockmisc.h}: de-lint signed/unsigned,
size_t/int and lint constants

2005-06-24 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/handler.c: Fixed phase2 enc algo check when reloading
conf (could flush a phase2 handler when not needed).

2005-06-19 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{admin.c|handler.c|handler.h|racoonctl.c|racoonctl.h}
src/racoon/racoonctl.8:
Add a logout-user command to racoonctl to kick out all SA for a

From Ludo Stellingwerff <ludo@protactive.nl>:
* src/racoon/isakmp.c: NAT-T fix: We treat null ports in SPD as
wildcard so that IKE ports are used instead. This was done on
phase 2 initiation from the kernel (acquire message), but not
on phase 2 initiation retries when the phase 2 had been queued

From Uri Blumenthal <urimobile@optonline.net>
and Larry Baird <lab@gta.com>:
* src/libipsec/pfkey_dump.c src/setkey/test-pfkey.c
src/racoon/{algorithm.c|cftoken.l|eaytest.c|ipsec_doi.c}
src/racoon/{ipsec_doi.h|pfkey.c|strnames.c}: Add SHA2 support
* src/setkey/setkey.8 src/racoon/racoon.conf.5: update doc for SHA2
* src/setkey/token.l: Add aliases shaxxx for sha2_xxx

2005-06-07 Emmanuel Dreyfus <manu@netbsd.org>
From Larry Baird <lab@gta.com>
* src/racoon/isakmp.c: consume NAT keepalive data already seen

2005-06-07 Frederic Senault <fred@lacave.net>
* configure.ac src/racoon/{cfparse.y|isakmp_cfg.h|isakmp_cfg.c}
src/racoon/{handler.c|privsep.c|privsep.h|racoon.conf.5}: Add
support for system accounting into the utmp files, with the
"accounting system" directive.
* src/privsep.c: Bug fixes in the xauth password handling code.

2005-06-06 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp_quick.c: endianness bug fix

2005-06-05 Emmanuel Dreyfus <manu@netbsd.org>
From Thomas Klausner <wiz@netbsd.org>
* src/setkey/setkey.8 src/racoon/racoon.conf.5: remove trailing

2005-05-31 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/ipsec_doi.c: Inserted missing 0th element of
rm_idtype2doi array. Bug #1199700 fix.

2005-05-30 Frederic Senault <fred@lacave.net>
* src/racoon/oakley.h: Fix a typo in the RMAUTHMETHOD macro
* src/racoon/isakmp_cfg.c: Fix the switch so that the phase1 script
is executed at the end of the mode cfg exchange ; add a debug
message at the script startup.
2005-05-23 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/admin.c: build fix
2005-05-20 Emmanuel Dreyfus <manu@netbsd.org>
From Mike Robinson <sundialservices@users.sourceforge.net>
* src/racoon/isakmp_xauth.c: really delete phase 1 on Xauth failure
* src/libipsec/pfkey.c src/racoon/ipsec_doi.c: Fix NAT-T + IPcomp
From hgates <hgates.lists@gmail.com>
* src/racoon/proposal.c: fix SPI size test for IPcomp
From Larry Baird <lab@gta.com>
* src/racoon/{handler.c|ipsec_doi.c}: When altering lifetime,
duplicate the proposal instead of modifying the configured one.
2005-05-19 Frederic Senault <fred@lacave.net>
* configure.ac src/racoon/plog.c: Fix the logging functions to work
around the lack of support of printf %zu in FreeBSD 4 (at least).
* src/racoon/{isakmp.c|pfkey.c}: Put sockets in non-blocking mode to
fix a hangup with FreeBSD 4.
* src/racoon/{isakmp_inf.c|isakmp_unity.h|strnames.c}: Recognize a
unity-specific heartbeat message.
* src/racoon/isakmp_inf.c: Reorganize switch statement in
isakmp_check_notify.
2005-05-17 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/handler.c: Fixed exchange type check in
* src/racoon/pfkey.c: changed includes order to fix compilation.
2005-05-14 Emmanuel Dreyfus <manu@netbsd.org>
* src/libipsec/policy_parse.y: Fix parse problem
2005-05-14 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/sockmisc.c: Debug message said it will send to
source address instead of destination.
2005-05-13 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp_inf.c: fix build problem
2005-05-13 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp.c: Fixed a double ph2handler free in
isakmp_ph2begin_i().
2005-05-12 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp_quick.c: fix build problem on some platforms
* src/racoon/isakmp.c: For acquire messages, when NAT-T is in use,
consider null port as a wildcard and use IKE ports.
2005-05-10 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/samples/roadwarrior/server/{racoon.conf|racoon.conf-radius}
src/racoon/samples/roadwarrior/server/phase1-down.sh: removed file
src/racoon/samples/roadwarrior/client/racoon.conf: update config
files to higher security settings. Remove now useless phase 1 down
script on server side.
* Update README to reflect server/phase1-down.sh removal
2005-05-09 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{cftoken.l|cfparse.y|isakmp_cfg.c|isakmp_cfg.h}
src/racoon/{isakmp_unity.c|racoon.conf.5}: Add PFS group and
save password extensions from Cisco in ISAKMP mode config.
2005-05-08 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{handler.c|ipsec_doi.c|proposal.c}: check for lifebyte
* src/racoon/ipsec_doi.c: fix a bug in proposal_check claim for phase 1
* src/racoon/handler.c: style
* src/racoon/isakmp_xauth.c: fix build with shadow passwords
2005-05-07 Emmanuel Dreyfus <manu@netbsd.org>
* configure.ac src/racoon/isakmp_xauth.c: support shadow passwords
* src/racoon/{isakmp_inf.c|isakmp_inf.h}: missing prototype
* src/racoon/{handler.h|isakmp_inf.c|isakmp_quick.c|isakmp_var.h}
src/racoon/pfkey.c: Move purge_remote() and delete_spd() prototypes
to the right header file
2005-05-06 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{admin.c|isakmp.c|isakmp_inf.c}: factor various
ISAKMP SA termination (for DPD timeouts and delete message) to
use purge_remote() so that SA and generated SPD get correctly flushed
* src/racoon/{handler.c|handler.h}: Introduce getph1byaddrwop() and
* src/racoon/{isakmp.c|isakmp_var.h|isakmp_inf.c|isakmp_inf.h}: make
purge_remote(), setcopeid() and delete_spd() public
* src/racoon/isakmp_quick.c: remove duplicated setscopeid()
* src/racoon/{sockmisc.c|sockmisc.h} introduce a CMPSADDR() macro
to compare with ports when ENABLE_NATT and without otherwise
2005-05-06 Frederic Senault <fred@lacave.net>
* src/racoon/isakmp_inf.c: Only print the contents of an informative
message if the payload indicates an error ; transmit the return
values from the DPD functions.
2005-05-06 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp_inf.c: Fix a bug causing informational message
payloads to be ignored
2005-05-05 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp_inf.c: Fixed some potential crashes in
purge_remote() and purge_ipsec_spi().
2005-05-05 Emmanuel Dreyfus <manu@netbsd.org>
* src/libipsec/{policy_parse.y|policy_token.l}
src/setkey/{setkey.8|token.l}: Allow ports to be supplied in SP
endpoints, for accurate ESP over UDP matching
* src/racoon/{isakmp.c|racoon.conf.5}: Send IKE local and remote
ports to the hook scripts
* src/racoon/remoteconf.c: do not honour ports when looking up
a remote config, as our remote config have no port information
* src/racoon/samples/roadwarrior/client/{phase1-up.sh|phase1-down.sh}:
use the IKE ports supplied by racoon to set up accurate endpoints
ports in SP endpoints
2005-05-04 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp_inf.c: code cleanup for SPD remove, generated
policies are now also removed when DPD purge.
2005-05-04 Emmanuel Dreyfus <manu@netbsd.org>
From Manisha Malla <mmanisha@novell.com>
* src/racoon/isakmp_cfg.c: fix unsigned int checked for being negative
From Ludo Stellingwerff <ludo@protactive.nl>
* src/setkey/{parse.y|token.l}: build on system that do not have
2005-05-04 Michal Ludvig <michal@logix.cz>
* configure.ac: Revert GLIBC_BUGS change from 2005-04-15
2005-05-03 Frederic Senault <fred@lacave.net>
* src/racoon/{cfparse.y|cftoken.l|isakmp_inf.c|racoon.conf.5}
src/racoon/{remoteconf.c|remoteconf.h}: Add a weak_phase1_check
option to enable the handling of unencrypted delete payloads.
* src/racoon/plog.c: Use of isgraph in binsanitize.
* src/racoon/rfc/rfc3706.txt: new file: Dead Peer Detection RFC.
* src/racoon/isakmp_inf.c: Unused code cleanup.
2005-04-26 Emmanuel Dreyfus <manu@netbsd.org>
* bootstrap: Darwin support
From Larry Baird <lab@gta.com>
* src/racoon/nattraversal.c: Fix NAT-T for initiator
From Andreas Tobler <toa@pop.agri.ch>:
* src/racoon/{misc.h|throttle.c|remoteconf.c|sockmisc.c|privsep.c}
src/racoon/{pfkey.c|isakmp.c|grabmyaddr.c|getcertsbyname.c}
src/racoon/configure.ac src/libipsec/policy_token.l
src/setkey/token.l: Build on Darwin
2005-04-25 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/handler.h: ifdef DPD and NAT-T data in data structures
* src/libipsec/{ipsec_dump_policy.c|pfkey_dump.c|libpfkey.h}
src/setkey/{setkey.8|setkey.c}: add a -p option to setkey to
enable the display of ESP over UDP ports in policies.
* src/racoon/ipsec_doi.c: fix LP64 bug
From Ludo Stellingwerff <ludo@protactive.nl>:
* src/racoon/isakmp.c: build without NAT-T
From F. Senault <fred.letter@lacave.net>
* src/racoon/{evt.h|isakmp.h|isakmp_inf.c|plog.c|plog.h|racoonctl.c}
src/racoon/isakmp_xauth.c: Take into account payloads bundled after
an ISAKMP informational message.
From Patrick McHardy <kaber@trash.net>
* src/racoon/{handler.c|handler.h|pfkey.c}: When handling acquire
message, lookup phase 2 by (src, dst, id) instead of only id.
2005-04-23 Emmanuel Dreyfus <manu@netbsd.org>
* src/libipsec/ipsec_dump_policy.c: display port numbers in policies
* src/racoon/{isakmp.c|isakmp_cfg.c|isakmp_inf.c|pfkey.c}: don't
forget port numbers so that multiple clients behind the same NAT
From Larry Baird <lab@gta.com>
* src/racoon/{isakmp.c|nattraversal.c|isakmp_quick.c|nattraversal.h}:
NAT-T fixes for interoperability with greenbow VPN client.
2005-04-21 Aidas Kasparas <a.kasparas@gmc.lt>
* src/libipsec/policy.parse.y, src/racoon/cfparse.y,
src/libipsec/policy_parse.y, src/racoon/cfparse.y,
src/racoon/cftoken.l, src/racoon/crypto_openssl.c,
src/racoon/getcertsbyname.c, src/racoon/grabmyaddr.c,
src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
src/racoon/isakmp_inf.c, src/racoon/pfkey.c,
src/racoon/plainrsa-gen.c, src/racoon/sockmisc.c,
src/racoon/sockmisc.h, src/racoon/racoonctl.c: made compile
with gcc-4.0 (20050410 prerelease)
2005-04-20 Aidas Kasparas <a.kasparas@gmc.lt>
From: Ganesan Rajagopal <rganesan@users.sourceforge.net>
* configure.ac: fix --enable-ipv6 logic
2005-04-19 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/remoteconf.c: fixed dupisakmpsa() and dhgroup.
2005-04-18 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/crypto_openssl.c: fixed single DES support;
2005-04-18 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp_base.c: DPD support, fix memory leak
From Thomas Klausner <wiz@NetBSD.org>
* src/libipsec/{ipsec_set_policy.3|ipsec_strerror.3}
src/racoon/{admin.c|plainrsa-gen.8|racoon.8|racoon.conf.5|racoonctl.8}
src/racoon/samples/{racoon.conf.in|racoon.conf.sample}
src/racoon/samples/racoon.conf.sample-gssapi
src/racoon/samples/racoon.conf.sample-inherit
src/racoon/samples/racoon.conf.sample-natt
src/racoon/samples/racoon.conf.sample-plainrsa
src/racoon/samples/roadwarrior/README
src/racoon/samples/roadwarrior/server/phase1-down.sh
src/setkey/setkey.8: documentation fixes
* src/racoon/ipsec_doi.c: wrong check on SA lifebyte
From Fred Senault <fred.letter@lacave.net>
* src/racoon/{cfparse.y|cftoken.l} drop split_net_type directive,
which is now incorporated into split_net_tunnels
* src/raccon/{isakmp.c|isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c}
src/racoon/isakmp_xauth.h: support login and password sent
in different packets during the Xauth exchange. This makes racoon
interoperable with SecureComputing's sidewinder
* src/racoon/{strnames.c|strnames.h}: more debug strings for Xauth
2005-04-17 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/handler.c: Configuration reload validation code
* src/racoon/handler.h: revalidate_ph12() function
* src/racoon/ipsec_doi.c: duplicates iph1->approval in
get_ph1approval(), some fields set to NULL when needed
* src/racoon/isakmp_inf.[ch]: purge_ipsec_spi() is now public
* src/racoon/localconf.[ch]: save/restore_params() functions
* src/racoon/main.c: moved restore_params functions to localconf
* src/racoon/remoteconf.c: save_rmconf() functions, dupisakmpsa()
function, some values set to NULL when needed
* src/racoon/remoteconf.h: save_rmconf() functions, dupisakmpsa()
* src/racoon/sainfo.[ch]: save_sainfotree() functions
* src/racoon/session.c: Reloads conf on a SIGHUP without losing
2005-04-15 Aidas Kasparas <a.kasparas@gmc.lt>
From Zilvinas Valinskas <zilvinas@gemtek.lt>:
- cross-compile type fix (patch 1);
- --enable-{frag|hybrid}=no fixes (patches 6,7);
- support for --with-flex, --with-flexlib (patch 11);
- GLIBC_BUGS assignment correction (patch 14 with mods).
* src/racoon/isakmp.c: fix compilation when hybrid disabled.
2005-04-11 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/rfc/{rfc2407.txt|rfc2408.txt}: new files
RFC for IPsec DOI and ISAKMP
2005-04-10 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp_base.c: resurrect RSASIG support
* src/racoon/isakmp_ident.c: missing support for hybrid auth
* src/racoon/{isakmp_base.c|oakley.c}: missing bits for hybrid/base mode
2005-04-09 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{algorithm.c|algorithm.h|cftoken.l|ipsec_doi.c}
src/racoon/{isakmp.c|isakmp_agg.c|isakmp_ident.c|isakmp_base.c}
src/racoon/{isakmp_frag.h|isakmp_xauth.c|oakley.c|racoon.conf.5}:
Add Xauth + RSASIG, for client and server. Add all Xauth and
IKE fragmentation logic to base and ident mode.
* src/libipsec/{pfkey.c|pfkey_dump.c}
src/setkey/parse.y: more missing TCP_MD5 bits from KAME
2005-04-08 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/cfparse.y: a list of network can be specified for split
* src/racoon/{isakmp_cfg.c|racoon.conf.5}: add INTERNAL_CIDR4, the
netmask in CIDR notation, to the hook script environment.
* src/setkey/{token.l|parse.y|setkey.8}: KAME backport of missing
bits for TCP_MD5 support.
From Fred Senault <fred.letter@lacave.net>
* src/racoon/{cfparse.y|cftoken.l|ipsec_doi.c|ipsec_doi.h}
src/racoon/racoon.conf.5: KEYID identifier can be taken from
a file or from a quoted string
2005-04-05 Emmanuel Dreyfus <manu@netbsd.org>
From Fred Senault <fred.letter@lacave.net>
* src/racoon/admin.c: fix the admin interface that was left behind
after recent Xauth changes
* src/racoon/{cfparse.y|isakmp_xauth.c|isakmp_xauth.h|oakley.c}
src/racoon/{remoteconf.c|remoteconf.h}: factor Xauth info in
remote conf within a single structure.
* src/racoon/{isakmp.c|isakmp_cfg.c}: on client side, do not run
phase1-up script before ISAKMP mode config is done
* src/racoon/isakmp_inf.c: log a buggy condition
* src/racoon/{isakmp.c|isakmp_agg.c|isakmp_base.c|isakmp_ident.c}
src/racoon/{oakley.c|oakley.h}: Use the AUTHMETHOD macro to
distinguish between XAUTH PSK and Kerberos authentications
* src/racoon/{oakley.c|remoteconf.c}: set a default for certificate
* src/racoon/isakmp_xauth.c: Fix serious security bug introduced
on 2005-03-09: Xauth validation was required for phase 2 on the
client (thus blocking phase 2), but not on the server (thus
making it open regardless of Xauth exchange).
* src/racoon/vendorid.c: dump unknown VIDs
2005-04-06 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/crypto_openssl.c: Disable OpenSSL padding in
evp_crypt(), because it may cause some interoperability problems.
Solution reported by Ganesan Rajagopal.
2005-04-05 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/main.c: build with hybrid but without libradius
2005-04-05 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/handler.h: added a flag to identify generated policies
* src/racoon/isakmp.c: changed logging in isakmp_ph1expire()
* src/racoon/isakmp_inf.c: use iph2->generated_spidx to check if
policy has been generated in purge_remote_spi()
* src/racoon/isakmp_quick.c: sets iph2->generated_spidx for
* src/racoon/pfkey.c: reactivated the unbindph12() in pk_recvupdate()
2005-04-04 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp_cfg.c: fix a buffer overrun in mode config SET
2005-03-30 Michal Ludvig <michal@logix.cz>
* configure.ac: Don't compile with NAT-T by default (according to
documentation, finally :-)
2005-03-27 Michal Ludvig <michal@logix.cz>
From Zilvinas Valinskas <zilvinas@gemtek.lt>:
- Use AC_CHECK_HEADER for kernel headers instead of AC_CHECK_FILE.
- Fix OpenSSL check for cross-compilation.
* acracoon.m4(RACOON_CHECK_VA_COPY): Allow cross-compilation.
(RACOON_CHECK_BUGGY_GETADDRINFO): Ditto.
2005-03-16 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/privsep.c: check for NULL path in unsafe_path()
* src/racoon/privsep.c: missing space
2005-03-15 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{cfparse.y|cftoken.l|isakmp.c|isakmp_cfg.c|isakmp_cfg.h}
src/racoon/{isakmp_var.h|isakmp_xauth.c|localconf.h|privsep.c}
src/racoon/{privsep.h|racoon.conf.5|remoteconf.c|remoteconf.h}
src/racoon/main.c: Remove most of config dependency from
privileged instance for upcoming config reload patch.
* src/racoon/isakmp_cfg.h: fix the application version for Xauth
* src/racoon/isakmp_cfg.c: only call cleanup_pam when PAM is used
2005-03-14 Emmanuel Dreyfus <manu@netbsd.org>
* configure.ac: handle correctly dynamic libradius
* src/racoon/cfparse.y: correctly initialize address pool
2005-03-13 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp.c: Fixed a buffer underrun (CAN-2005-0398)
2005-03-09 Emmanuel Dreyfus <manu@netbsd.org>
From Fred Senault <fred.letter@lacave.net>
* src/racoon/cfparse.y: endianness bugfix
* src/racoon/isakmp_xauth.c: off by one bugs in strings
* src/racoon/oakley.h: missing parenthesis causing bugs
2005-03-09 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp_xauth.c: fix a crash when using RADIUS auth
2005-03-07 Emmanuel Dreyfus <manu@netbsd.org>
From Fred Senault <fred.letter@lacave.net>
* src/racoon/{algorithm.c|algorithm.h|cfparse.y|cftoken.l}
src/racoon/{handler.c|ipsec_doi.c|ipsec_doi.h|isakmp.c}
src/racoon/{isakmp_agg.c|isakmp_base.c|isakmp_cfg.c|isakmp_cfg.h}
src/racoon/{isakmp_ident.c|isakmp_inf.c|isakmp_quick.c}
src/racoon/{isakmp_unity.c|isakmp_xauth.c|kmpstat.c|oakley.c}
src/racoon/{oakley.h|plainrsa-gen.8|privsep.c|racoon.conf.5}
src/racoon/{racoonctl.c|remoteconf.c|remoteconf.h|strnames.c}
src/racoon/{strnames.h|throttle.c}: Support plain Xauth, split
tunnelling, multiple DNS & WINS in ISAKMP mode config.
2005-03-02 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp_quick.c: tunnel_mode_prop() is now public
* src/racoon/isakmp_inf.c: fixed compilation if HAVE_POLICY_FWD.
2005-03-01 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/oakley.c: fixed oakley_newiv2() when errors
2005-02-24 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/privsep.c: safety check port numbers given by the
unprivileged instance.
* src/racoon/racoonctl.8: display fixes in racoonctl(8)
2005-02-23 Emmanuel Dreyfus <manu@netbsd.org>
* configure.ac, src/racoon/{Makefile.am|crypto_openssl.c}: optional
support for patented algorithms: IDEA and RC5.
* src/racoon/{isakmp_xauth.c|main.c}: don't initialize RADIUS if it
is not required in the configuration
* src/racoon/isakmp.c: do not reject addresses for which kernel
refused UDP encapsulation, they can still be used for non NAT-T
traffic (eg: NAT-T enabled racoon on non NAT-T enabled kernel)
* src/libipsec/libpfkey.h: prefer __inline to inline
* src/racoon/{cfparse.y|cftoken.l|localconf.c|localconf.h|privsep.c}
src/racoon/racoon.conf.5: Add chroot capability
2005-02-18 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{main.c|eaytest.c|plairsa-gen.c}
src/setkey/setkey.c: don't use fuzzy paths for package_version.h
2005-02-18 Michal Ludvig <michal@logix.cz>
* configure.ac, rpm/suse/ipsec-tools.spec.in,
rpm/suse/Makefile.am: Distribute .spec file with
resolved version string.
* src/racoon/Makefile.am: Allow parallel cluster build.
2005-02-17 Emmanuel Dreyfus <manu@netbsd.org>
From Fred Senault <fred.letter@lacave.net>
* src/racoon/remoteconf.c: Fix a bug in script init
2005-02-17 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/ipsec_doi.c: Workaround for phase1 lifetime checks
2005-02-16 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp_inf.c: Purge generated SPDs when getting a
* src/racoon/pfkey.c: do NOT unbindph12() when SA acquire
2005-02-15 Michal Ludvig <michal@logix.cz>
* configure.ac: Changed --enable-natt_NN to --enable-natt-versions=NN,NN
---------------------------------------------
Branch for 0.6 created (ipsec-tools-0_6-branch)
2005-02-11 Emmanuel Dreyfus <manu@netbsd.org>
From Jason Thorpe <thorpej@netbsd.org>
* src/raccon/samples/racoon.conf.sample-gssapi
src/racoon/{cfparse.y|cftoken.l|gssapi.c|gssapi.h|ipsec_doi.c}
src/racoon/{localconf.c|localconf.h|racoon.conf.5}
configure.ac: Multiple GSSAPI fixes to get interoperability
2005-02-09 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{cfparse.y|isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c}
src/racoon/{isakmp_xauth.h|main.c|privsep.c|privsep.h}
src/racoon/racoon.conf.5: Make PAM work with privilege separation
2005-02-07 Michal Ludvig <michal@logix.cz>
From Krisztian Kovacs:
* src/racoon/cfparse.y: Allocate correct space for "struct sockaddr".
2005-01-30 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/vmbuf.c: bugfix in vrealloc()
* src/racoon/oakley.c: mem leak fix in INITDHVAL()
* src/racoon/session.c: mem leak fix in check_flushsa()
2005-01-29 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp_{ident|agg}.c: NAT-T cleanup
* src/racoon/pfkey.c: Uses NATT encaps_type in pk_sendupdate()
* src/racoon/vendorid.[ch]: NAT-T cleanup, NATT_01 VID
* src/racoon/nattraversal.[ch]: NATT cleanup, support for all
drafts (disabled by default) / RFC.
* src/racoon/isakmp.h: NATT cleanup for NATT RFC support
* src/racoon/ipsec_doi.h: updated comments about NATT
* configure.ac: enable-natt_XX options
* src/racoon/isakmp.c: set UDP_ENCAPS_ESPINUDP_NON_IKE option when needed
2005-01-29 Emmanuel Dreyfus <manu@netbsd.org>
From Fred Senault <fred@lacave.net>
* src/racoon/pfkey.c: Update SAD even if NAT-T is disabled, so that
2005-01-23 Emmanuel Dreyfus <manu@netbsd.org>
* src/setkey/{sekkey.8|setkey.c|token.l|parse.y}: implement NetBSD's
SADB_X_AALG_TCP_MD5. Resurrect setkey -h meaning on NetBSD.
2005-01-22 Emmanuel Dreyfus <manu@netbsd.org>
From Fred Senault <fred@lacave.net>
* src/racoon/{cftoken.l|cfparse.y|raccon.conf.5}
src/racoon/samples/roadwarrior/README: change "my_identifier login"
into "xauth_login" in the config file so that we can introduce Xauth
with a pre-shared key later.
2005-01-21 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/samples/roadwarrior/client/{phase1-up.sh|phase1-down.sh}:
workaround Linux problems. This needs a better fix.
2005-01-18 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/privsep.c: build without ENABLE_HYBRID
2005-01-14 Emmanuel Dreyfus <manu@netbsd.org>
* src/raccon/rfc/{rfc3947.txt|rfc3948.txt}: new files (NAT-T)
2005-01-13 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/ipsec_doi.c: Uses proposal_check value to check phase
* src/racoon/racoon.conf.5: Updated racoon man page for phase 1
lifetime check / proposal_check.
2005-01-11 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakjmp_quick.c: endianness bugfix from KAME
2005-01-07 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{cfparse.y|cftoken.l|nattraversal.h|pfkey.c}
src/racoon/{racoon.conf.5|remoteconf.c|remoteconf.h}
src/libipsec/{libpfkey.h|pfkey.c}: ESP fragmentation size is
now configurable (supported only on NetBSD so far).
2005-01-05 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/privsep.c: Build again on Linux with privsep
2005-01-03 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c|isakmp_xauth.h}
src/racoon/{cfparse.y|cftoken.l|racoon.conf.5}
configure.ac: PAM support for authentication and accounting in
2005-01-02 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/admin.c: never fork, it buys nothing and breaks on some
2004-12-30 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{Makefile.am|admin.h|cfparse.y|cftoken.l|isakmp.c}
src/racoon/{isakmp_cfg.c|isakmp_cfg.h|isakmp_var.h|isakmp_xauth.c}
src/racoon/{localconf.c|localconf.h|main.c|oakley.c|pfkey.c}
src/racoon/{racoon.conf.5|remoteconf.c|remoteconf.h|session.c}
src/racoon/{privsep.c|privsep.h}: new files
Privilege separation
* src/racoon/{Makefile.am|admin.h|admin_var.h|kmpstat.c}
src/racoon/{racoonctl.c|racoonctl.h}: new files
configure.ac: publicly export the adminport interface so that
external program can control racoon
* src/racoon/{racoonctl.c|racoonctl.h|kmpstat.c}: Add interface
* src/racoon/admin.h: make sure no / will be missing in adminsock path
---------------------------------------------
Branch for 0.5 created (ipsec-tools-0_5-branch)
2004-12-23 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/crypto_openssl.c: Indentation
2004-12-28 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/crypto_openssl.c: Fixed eay_get_x509subjectaltname()
when getting an IP (Bug # 1092095)
2004-12-26 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/session.c: remove outdated comment
---------------------------------------------
2004-12-21 Michal Ludvig <michal@logix.cz>
* src/racoon/pfkey.c: Fix AES vs Rijndael defines.
2004-12-20 Yvan Vanhullebus <vanhu@free.fr>
* configure.ac, src/racoon/isakmp.c, src/racoon/pfkey.c:
Some FreeBSD / NATT support.
2004-12-17 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp.c: only IPv4 NAT-T is supported, so skip IPv6 here.
* src/racoon/pfkey.c: Restore AES support on NetBSD.
2004-12-17 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/crypto_openssl.c: Uses sprintf() instead of
asprintf() in eay_get_x509subjectaltname(), because of some
compilation problems reported with asprintf() on some platforms.
* src/racoon/oakley.c: just take the first cert in
oakley_savecert() if cert ID check is disabled.
2004-12-16 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/crypto_openssl.c: Build again on NetBSD
* src/racoon/samples/roadwarrior/server/racoon
src/racoon/samples/roadwarrior/server/racoon.conf-radius
src/racoon/samples/roadwarrior/README: Use DPD in sample files.
2004-12-16 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/crypto_openssl.c: Fixed eay_get_x509subjectaltname()
when SubjectAltName contains an IP. OpenSSL code from Ludovic
Flament (ludovic.flament@free.fr).
---------------------------------------------
2004-12-13 Michal Ludvig <mludvig@suse.cz>
From Ganesan R <rganesan@users.sourceforge.net>:
* src/racoon/Makefile.am, src/setkey/Makefile.am: Fix compilation
with shared libraries.
2004-12-10 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/oakley.c: takes the first certificate which matches
the Identity, instead of just taking the first certificate.
2004-12-07 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp_inf.c: Set spi_size for R-U-THERE/R-U-THERE-ACK.
2004-12-04 Aidas Kasparas <a.kasparas@gmc.lt>
* src/libipsec/pfkey_dump.c: distinguish per-socket policies from
general ones (Linux case);
* src/racoon/pfkey.c: ditto, do not negotiate policies if racoon
does not listen on out tunnel's source address.
2004-12-01 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp_agg.c: code cleanup in NATT / DPD VIDs
generation in r1send()
2004-12-01 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/remoteconf.{c|h}: DPD support option (enabled by default)
* src/racoon/{cfparse.y|cftoken.l}: DPD token, yyerror if DPD
parameters but compiled without ENABLE_DPD
* src/racoon/isakmp_{agg|ident}.c: Send DPD VID only if DPD
support activated in configuration
2004-11-30 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon{evt.c|evt.h|admin.c}: init event queue at compile time,
to avoid garbage pointer if admin port is disabled.
* src/racoon/{throttle.c|throttle.h}: new files
src/racoon/{Makefile.am|isakmp_cfg.c|isakmp_xauth.c|racoon.conf.5}
configure.ac: Add a per-host throttling count. When throttling,
don't sleep, schedule the answer for later instead.
* src/racoon/kmpstat.c: default with no hexdump of the packet
* src/racoon/admin.c: don't remove admin socket after first request,
on the other hand remove on startup stale sockets left by
* src/racoon/samples/roadwarrior/README
src/racoon/kmpstat.c: fix option parsing problem on Linux
2004-11-29 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/session.c: Only listen on pfkey socket when received
2004-11-28 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h}
src/racoon/{isakmp_xauth.c|racoon.conf.5}: Add a one second throttle
on each Xauth authentication to avoid brute force attacks
2004-11-24 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/samples/roadwarrior/README
src/racoon/samples/roadwarrior/client{phase1-up.sh|phase1-down.sh}
src/racoon/samples/roadwarrior/client/{racoon.conf|racoon.conf-radius}
src/racoon/samples/roadwarrior/server/{racoon.conf|phase1-down.sh}:
Fill Linux gaps for hybrid auth client, Replace public IP by
private and example IP in the sample config files.
2004-11-24 Emmanuel Dreyfus <manu@netbsd.org>
DPD patch from Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/cfparse.y: missing bits for DPD support
2004-11-23 Aidas Kasparas <a.kasparas@gmc.lt>
* src/setkey/parse.y: generate require fwd policies for unique in
* src/setkey/setkey.c: made -r/-k options available only when
system has FWD policies.
* src/setkey/setkey.8: updated docs about change above.
2004-11-22 Michal Ludvig <mludvig@suse.cz>
* src/racoon/{admin.c,pfkey.c}: Wrap adminport-parts to
#ifdef ENABLE_ADMINPORT/#endif.
2004-11-22 Michal Ludvig <mludvig@suse.cz>
Revert these changes (ludvigm, 2004-11-18):
* src/racoon/Makefile.am: install sample racoon.conf and psk.txt.
* src/setkey/Makefile.am: Install setkey.conf.
2004-11-22 Emmanuel Dreyfus <manu@netbsd.org>
* src/raccon/{isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c}: defer phase 1
removal so that it's not used after being deleted.
* src/racoon/{evt.h|isakmp.c|isakmp_agg.c|isakmp_base.c|session.c}
src/racoon/{isakmp_ident.c|isakmp_inf.c|kmpstat.c}: report more
2004-11-21 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/doc/FAQ: NAT-T kernel patch for NetBSD is now on
the ipsec-tools web site
* src/racoon/{kmpstat.c|racoonctl.8}: New racoonctl command to
display all events reported by racoon: show-event
* src/racoon/isakmp_cfg.c: don't send ISAKMP mode config message
with immature or dying phase 1
* src/racoon/kmpstat.c: racoonctl vd awaits phase 1 to get down
2004-11-20 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp_agg.c: for hybrid auth client, advertise ourself
* src/racoon/{evt.c|evt.h}: new files
src/racoon/{Makefile.am|admin.c|admin.h|isakmp.c|isakmp_cfg.c}
src/racoon/{isakmp_xauth.c|kmpstat.c|pfkey.c}: framework for
event reporting from racoon to racoonctl
2004-11-20 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/grabmyaddr.c: Prevent doubling addresses and error messages
when racoon is compiled with INET6 support and kernel is not.
Fixed with help of Zilvinas Valinskas.
* src/racoon/{var.h|sockmisc.c}: Fixed compilation with gcc-3.4.2+
2004-11-19 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/doc/FAQ: more options and warn about software patents.
2004-11-18 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/vmbuf.c: don't allocate zero-length buffer
* src/racoon/samples/roadwarrior/client/phase1-down.sh
src/racoon/samples/roadwarrior/server/phase1-down.sh: Also
flush SAD when disconnecting.
* src/racoon/admin.c: Send a notification when deleting ISAKMP SA
* src/racoon/samples/roadwarrior/README: accommodate the recent
2004-11-18 Michal Ludvig <mludvig@suse.cz>
* src/racoon/Makefile.am: Fix adminsocket dir, install sample
racoon.conf and psk.txt.
* src/racoon/localconf.h: Look for racoon.conf in $(SYSCONFDIR),
not $(SYSCONFDIR)/racoon.
* src/racoon/algorithm.h, src/racoon/eaytest.c,
src/racoon/schedule.h, src/racoon/gnuc.h: Build fixes for really
strict environments.
* src/setkey/setkey.conf: Yet another sample config file.
* src/setkey/Makefile.am: Install setkey.conf.
* rpm/suse/{ipsec-tools.spec.in,sysconfig.racoon,racoon.init}: New
* rpm/suse/{Makefile.am,.cvsignore}: New files.
* configure.ac, rpm/Makefile.am: Build in rpm/suse.
2004-11-17 Aidas Kasparas <a.kasparas@gmc.lt>
* configure.ac: paste bugfix by Zilvinas Valinskas
* src/racon/{isakmp_quick.c|policy.c|strnames.c}: fwd policy support
for generated policies. Patch by Patrick McHardy.
2004-11-16 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/racoonctl.8: racoonctl man page (new file)
2004-11-16 Emmanuel Dreyfus <manu@netbsd.org>
From Ganesan <rganesan@users.sourceforge.net>
* src/racoon/ipsec_doi.c: fix free'd memory access
2004-11-16 Michal Ludvig <mludvig@suse.cz>
DPD patch from Yvan Vanhullebus <vanhu@free.fr>
* configure.ac, src/racoon/cfparse.y, src/racoon/cftoken.l,
src/racoon/handler.c, src/racoon/handler.h,
src/racoon/isakmp.c, src/racoon/isakmp.h,
src/racoon/isakmp_agg.c, src/racoon/isakmp_ident.c,
src/racoon/isakmp_inf.c, src/racoon/isakmp_inf.h,
src/racoon/racoon.conf.5 src/racoon/remoteconf.c,
src/racoon/remoteconf.h, src/racoon/vendorid.c,
src/racoon/vendorid.h: Dead Peer Detection (DPD) support.
2004-11-16 Michal Ludvig <mludvig@suse.cz>
* configure.ac: Remove a bash-specific construction, take II.
* src/racoon/grabmyaddr.c: FreeBSD fix for headers.
2004-11-15 Michal Ludvig <mludvig@suse.cz>
* configure.ac: Use correct include paths during ./configure run.
* src/racoon/Makefile.am: Compile cftoken.l from $(srcdir),
remove samples/racoon.conf.sample-cvpn, added samples/roadwarrior
(hint, hint, manu :-))
2004-11-15 Emmanuel Dreyfus <manu@netbsd.org>
* README: update the docs
* src/racoon/doc/FAQ: update the docs
* configure.ac: Remove a bash-specific construction
2004-11-14 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/cfparse.y: ensure that returns from rules are
initialized even on erroneous config file.
* src/racoon/admin_var.h: changed management socket location
* src/racoon/Makefile.am: ditto, added rule to install directory
for management socket.
* src/setkey/{setkey.c|parse.y}: introduced rfc/kernel modes,
added generation of fwd policies for every in policy spdadd'ed.
* src/setkey/setkey.8,src/libipsec/ipsec_set_policy.3: updated docs
* src/setkey/policy_token.l: return something reasonable when
fwd direction is parsed on systems with no forward policy
2004-11-14 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp.c: avoid a double free when using IKE fragmentation
* src/racoon/{backupsa.c|ipsec_doi.c|localconf.c|str2val.c}
src/{libipsec/key_debug.c|setkey/parse.y}: fix build warnings
* configure.ac src/racoon/{admin.c|admin_var.h}
src/racoon/racoon.conf.5 src/racoon/samples/roadwarrior/README
src/racoon/samples/roadwarrior/client/racoon.conf: make the default
mode for the admin socket more secure.
2004-11-13 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{cfparse.y|remoteconf.c|crypto_openssl.c|crypto_openssl.h}
src/racoon/{eaytest.c|oakley.c|racoon.conf.5|cftoken.l|remoteconf.h}
src/racoon/samples/roadwarrior/README
src/racoon/samples/roadwarrior/client/racoon.conf: Make the root
certificate authority location per-peer and configurable.
* src/racoon/isakmp_frag.c: fix unallocated memory access
* src/racoon/isakmp_agg.c: fix incorrect queue deallocation
* src/racoon/remoteconf.c: fix uninitialized data
* src/racoon/{admin.c|isakmp_xauth.c}: fix free'ed memory access
2004-11-12 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{Makefile.am|kmpstat.c}: Make racoonctl vc and vd
commands IPv6 friendly.
* src/racoon/{admin.c|admin.h|handler.c|handler.h|kmpstat.c}:
Add an admin message to flush all the SA for a given peer.
Convert racoonctl vd to use it.
* src/racoon/{admin.c|kmpstat.c|cftoken.l|cfparse.y}
src/racoon/{admin_var.h|admin.h|raccon.conf.5}: Enable the
administrator to choose the admin socket path, ownership and mode.
* src/racoon/sample/roadwarrior: complete config files for
road warriors using hybrid authentication.
2004-11-12 Michal Ludvig <mludvig@suse.cz>
* configure.ac: Config option --enable-natt=kernel
* src/racoon/Makefile.am: Distribute only yacc/lex source files,
not the preprocessed .c files.
2004-11-11 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/samples/racoon.conf.sample-cvpn: more complete setup
and comments in the VPN concentrator setup for the Cisco VPN client
* src/racoon/racoon.conf.5: fix documentation
* src/racoon/isakmp_cfg.c: get the internal IPv4 address in script
hooks even if we are a server.
2004-11-10 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{ipsec_doi.c|remoteconf.c}: fix LP64 problems
2004-11-09 Michal Ludvig <mludvig@suse.cz>
* Makefile.am: Remove aclocal-related lines.
* src/racoon/Makefile.am: Add isakmp_frag.h into noints_HEADERS
* configure.ac: Cleanup, define INET6 if IPv6 should be supported,
better handling of KRB5 and NAT-T.
* src/racoon/{isakmp_cfg.c,isakmp_frag.c,isakmp_unity.c}: Make
FreeBSD happy with includes (Arrgh...&^#$^@!!!)
2004-11-08 Michal Ludvig <mludvig@suse.cz>
* src/libipsec/policy_parse.y: Define INT32_MAX/INT32_MIN.
* src/libipsec/policy_token.l, src/racoon/kmpstat.c,
src/racoon/{pfkey.c,prsa_par.y,rsalist.c,token.l}: Small
fixes to support FreeBSD (tested with 4.10).
2004-11-05 Michal Ludvig <mludvig@suse.cz>
* configure.ac: Add --with-readline switch.
* src/setkey/setkey.c(stdin_loop): Fix newlines and comments
when compiled without readline.
2004-11-01 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/isakmp_quick.c: generated policy refresh patch
2004-10-29 Michal Ludvig <mludvig@suse.cz>
* configure.ac: Check for IPSEC_DIR_FWD and eventually define
* src/libipsec/{ipsec_dump_policy.c,policy_token.l}: Use
HAVE_POLICY_FWD in ifdefs.
* NEWS: Mention the fix.
* src/racoon/kmpstat.c: Fix compilation on Linux.
* src/racoon/ipsec_doi.h: Ditto.
* src/racoon/Makefile.am, src/setkey/Makefile.am: Update
explicit dependencies.
2004-10-29 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{isakmp_cfg.h,grabmyaddr.c,handler.c,handler.h}:
do not reconfigure internal addresses obtained through ISAKMP
* src/racoon/{isakmp.c,isakmp_cfg.c,isakmp_xauth.c}: On authentication
failure, kill the phase 1 and log the failure. Do not run the sa_up
script in this case.
* src/racoon/{admin.c,admin.h,isakmp_xauth.c,kmpstat.c,remoteconf.h}:
Add -u user to racoonctl establish-sa, prompt for the PSK from
the terminal, and add a vpn-connect target with simplified syntax
for establishing a SA in the road warrior case.
* src/racoon/{admin.c,kmpstat.c}: implement delete-sa and
vpn-disconnect commands of racoonctl
* src/racoon/{cfparse.y,cftoken.l,handler.c,isakmp.c,isakmp_cfg.c}
src/racoon/{isakmp_var.h,racoon.conf.5,remoteconf.c,remoteconf.h}:
Remove sa_up and sa_down and replace them by a more general
script hook framework.
2004-10-27 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/nattraversal.c: Use macros instead of magic numbers
* src/racoon/kmpstat.c: pull up fixes from KAME so that racoonctl
can actually establish a SA
* src/racoon/{cfparse.y,cftoken.l,handler.c,isakmp.c,isakmp_cfg.c}
src/racoon/{isakmp_var.h,racoon.conf.5,remoteconf.c,remoteconf.h}:
Shell script hooks for ISAKMP SA creation and removal
2004-10-26 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/rfc/draft-ietf-ipsec-isakmp-hybrid-auth-05.txt: removed
src/racoon/rfc/draft-ietf-ipsec-isakmp-mode-cfg-04.txt: removed
src/racoon/rfc/draft-beaulieu-ike-xauth-02.txt: new file
src/racoon/rfc/draft-dukes-ike-mode-cfg-02.txt: new file
Update to the latest drafts
2004-10-25 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/rfc/draft-ietf-ipsec-isakmp-hybrid-auth-05.txt: new file
src/racoon/rfc/draft-ietf-ipsec-isakmp-mode-cfg-04.txt: new file
src/racoon/rfc/draft-ietf-ipsec-isakmp-xauth-07.txt: new file
drafts documenting ISAKMP mode config, Xauth and hybrid auth
* src/racoon/cftoken.l: fix build problem, add an error message
when using hybrid auth options while hybrid auth is not built
* src/racoon/isakmp_cfg.c: build without RADIUS support too
2004-10-24 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{algorithm.c,algorithm.h,cfparse.y,cftoken.l}
src/racoon/{ipsec_doi.c,ipsec_doi.h,isakmp.c,isakmp_agg.c}
src/racoon/{isakmp_cfg.c,isakmp_cfg.h,isakmp_xauth.c,isakmp_xauth.h}
src/racoon/{oakley.c,oakley.h,racoon.conf.5}
src/racoon/{remoteconf.c,remoteconf.h,strnames.c}: Client side
of hybrid auth and ISAKMP mode config
2004-10-24 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{cfparse.y,cftoken.l,handler.h,isakmp.c}
src/racoon/{isakmp_agg.c,isakmp_base.c,isakmp_frag.c,isakmp_frag.h}
src/racoon/{isakmp_inf.c,racoon.conf.5,remoteconf.c,remoteconf.h}:
Receiver-side of IKE fragmentation
2004-10-24 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp_cfg.c: Fix read buffer overflow
* src/racoon/isakmp_xauth.c: Fix weak authentication
* src/racoon/{oakley.c,oakley.h}: Fix weak authentication
2004-10-21 Michal Ludvig <mludvig@suse.cz>
From Emmanuel Dreyfus:
* src/racoon/{isakmp_frag.c,isakmp_frag.h}: New files.
* src/racoon/isakmp_cfg.c: Fix endianness.
2004-10-20 Michal Ludvig <mludvig@suse.cz>
From Emmanuel Dreyfus:
* src/racoon/{cfparse.y,cftoken.l,handler.c},
src/racoon/{isakmp_cfg.c,isakmp_cfg.h,isakmp_xauth.c},
src/racoon/racoon.conf.5: RADIUS IP addresses allocation
and RADIUS accounting.
src/racoon/{Makefile.am,handler.h,isakmp.c,isakmp.h},
src/racoon/{isakmp_agg.c,isakmp_base.c,isakmp_inf.c},
src/racoon/{vendorid.c,vendorid.h}: IKE Fragmentation patch.
2004-10-08 Michal Ludvig <mludvig@suse.cz>
* src/racoon/isakmp_cfg.c: Fixes from Emmanuel Dreyfus.
2004-10-06 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/remoteconf.c: dupidvl(), dupetypes() - new functions
to duplicate dynamically allocated structures; duprmconf() - call
these functions to produce private copy of inherited id and etype
* src/racoon/remoteconf.c: declaration for dupetypes().
2004-10-04 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/cfparse.y: check inherited_from dereferencing
* src/racoon/crypto_openssl.c: prevent crash on incorrect DNs
2004-09-27 Michal Ludvig <mludvig@suse.cz>
From KOVACS Krisztian <hidden@balabit.hu>:
* src/racoon/sockmisc.c(sendfromto): Set src address.
2004-09-24 Aidas Kasparas <a.kasparas@gmc.lt>
* configure.ac: added check for linux-gnu, as my box reports
* src/racoon/grabmyaddr.c: added missing <linux/types.h> include
2004-09-21 Michal Ludvig <mludvig@suse.cz>
Merged 'autoconf' branch to mainline:
* .cvsignore, ChangeLog, Makefile.am, bootstrap, configure.ac,
src/racoon/.cvsignore, src/racoon/cfparse.y,
src/racoon/crypto_openssl.c, src/racoon/crypto_openssl.h,
src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
src/racoon/isakmp_cfg.c, src/racoon/isakmp_ident.c,
src/racoon/isakmp_unity.c, src/racoon/main.c,
src/racoon/nattraversal.c, src/racoon/oakley.c,
src/racoon/oakley.h, src/racoon/sockmisc.c,
src/racoon/missing/crypto/sha2/sha2.c: Modified (see ChangeLog
in 'autoconf' branch for details).
* acracoon.m4, src/racoon/Makefile.am: New files.
* src/racoon/Makefile.in, src/racoon/aclocal.m4,
src/racoon/client-puzzle.c, src/racoon/config.guess,
src/racoon/config.sub, src/racoon/configure.in,
src/racoon/install-sh, src/racoon/doc/SantaBarbara-result.jp,
src/racoon/doc/helsinki-result.jp, src/racoon/doc/ibm-result.jp,
src/racoon/doc/pattern, src/racoon/doc/question,
src/racoon/doc/racoonquestion.sh, src/racoon/doc/redmond.txt,
src/racoon/doc/rules.jp, src/racoon/doc/sandiego-result.en,
src/racoon/doc/sandiego-result.jp,
src/racoon/doc/sandiego0009-result.en,
src/racoon/missing/addrinfo.h, src/racoon/missing/getaddrinfo.c,
src/racoon/missing/getnameinfo.c, src/racoon/samples/Makefile,
src/racoon/samples/sandiego.pl: Removed.
2004-09-17 Michal Ludvig <mludvig@suse.cz>
* src/racoon/vendorid.[ch]: Rewrote the VendorID handling.
We don't use the array with fixed offsets anymore, instead
a generally unordered structure with ID, string and
precomputed MD5 hashes.
* src/racoon/{isakmp_agg.c,isakmp_base.c,isakmp_ident.c},
src/racoon/nattraversal.c: Updated to the new VID model.
* src/racoon/main.c(main): Precompute VendorIDs.
* src/racoon/arc4random.h, src/racoon/missing/arc4random.c:
Files removed. Function arc4random() renamed to eay_random()
and moved to crypto_openssl.c.
* src/racoon/pfkey.c, src/racoon/oakley.c, src/racoon/main.c,
src/racoon/isakmp.c: Updated to the above change.
* src/racoon/Makefile.in, src/racoon/configure.in: Remove
arc4random() from building.
* src/racoon/crypto_openssl.[ch](eay_random): New function.
* src/racoon/isakmp_cfg.c, src/racoon/isakmp_unity.c,
src/racoon/isakmp_xauth.c: Cleaned up headers.
2004-09-16 Michal Ludvig <mludvig@suse.cz>
* src/racoon/crypto_openssl.c (base64_encode): Terminate
the result with '\0'.
2004-09-15 Michal Ludvig <mludvig@suse.cz>
* configure.ac: How about calling the next version 0.5?
* src/include-glibc/glibc-bugs.h: Define _XOPEN_SOURCE
_BSD_SOURCE and don't require <linux/types.h>
* src/racoon/isakmp_cfg.c, src/racoon/isakmp_unity.c,
src/racoon/isakmp_xauth.c: Don't include <netkey/key_var.h>
* src/racoon/Makefile.in: Add new files to distribution.
* src/racoon/configure.in: Fix linux kernel NATT detection.
* src/setkey/parse.y: Fix types.
* src/racoon/backupsa.c, src/racoon/ipsec_doi.c,
src/racoon/isakmp_inf.c, src/racoon/isakmp_quick.c,
src/racoon/pfkey.c, src/racoon/remoteconf.c,
src/racoon/session.c, src/racoon/sockmisc.c: Fix headers
ordering, use HAVE_NETINET6_IPSEC.
* src/racoon/isakmp_cfg.c: Use %z for size_t.
* src/racoon/configure.in: Clean up IPv6 stack check.
2004-09-15 Michal Ludvig <mludvig@suse.cz>
Merged "Hybrid XAUTH" support from Emmanuel Dreyfus:
* src/racoon/isakmp_cfg.h, src/racoon/isakmp_cfg.c,
src/racoon/isakmp_unity.c, src/racoon/isakmp_unity.h,
src/racoon/isakmp_xauth.c, src/racoon/isakmp_xauth.h,
src/racoon/samples/racoon.conf.sample-cvpn: New files.
* src/racoon/algorithm.c, src/racoon/algorithm.h,
src/racoon/cfparse.y, src/racoon/cftoken.l,
src/racoon/handler.c, src/racoon/handler.h,
src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
src/racoon/isakmp.h, src/racoon/isakmp_agg.c,
src/racoon/isakmp_inf.c, src/racoon/oakley.c,
src/racoon/oakley.h, src/racoon/strnames.c,
src/racoon/vendorid.c, src/racoon/vendorid.h: Added
code for XAUTH support.
* src/racoon/racoon.conf.5: Documentation for XAUTH.
* src/racoon/isakmp_base.c, src/racoon/isakmp_ident.c,
src/racoon/nattraversal.c: Added NATT VID "02\n"
* src/racoon/configure.in: New config option --enable-hybrid
2004-09-14 Michal Ludvig <mludvig@suse.cz>
* configure.ac: Preset CFLAGS
* src/racoon/configure.in: Preset LDFLAGS instead of CFLAGS on NetBSD,
Check if printf() accepts "%z" modifiers.
* src/racoon/isakmp_agg.c(agg_i1send): Place #endif correctly.
* src/setkey/parse.y(fix_portstr): Init 'p2'.
* src/setkey/setkey.c: Add required prototypes.
2004-09-14 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/gssapi.c: sa_len -> sysdep_sa_len. Patch by Andreas.
2004-09-14 Michal Ludvig <mludvig@suse.cz>
* src/racoon/configure.in: Check for NetBSD NAT-T kernel support.
2004-09-13 Michal Ludvig <mludvig@suse.cz>
* src/racoon/configure.in: Check for <openssl/engine.h>
* src/racoon/crypto_openssl.c: Only use OpenSSL engines if available.
* src/racoon/plainrsa-gen.c: Ditto.
2004-09-13 Michal Ludvig <mludvig@suse.cz>
NetBSD fixes from Emmanuel Dreyfus <manu@netbsd.org>:
* Makefile.am: build in rpm/ only on Linux
* configure.ac: Check for netinet6/ipsec.h instead of netinet/ipsec.h
* src/Makefile.am: Build include-glibc only on Linux
* src/libipsec/{ipsec_dump_policy.c,ipsec_get_policylen.c,
ipsec_strerror.c,key_debug.c,pfkey.c,pfkey_dump.c,
policy_parse.y,policy_token.l,test-policy-priority.c},
src/racoon/{cfparse.y,cftoken.l,grabmyaddr.c,isakmp.c,
nattraversal.c,pfkey.c,plainrsa-gen.c,policy.c,
proposal.c,sainfo.c,schedule.c,strnames.c},
src/setkey/{parse.y,setkey.c,token.l}: Fix headers and some
* src/racoon/sockmisc.c(sendfromto): Wrap for Linux only.
* src/racoon/configure.in: Check for kernel NAT-T support,
fix libipsec.a linkage path.
* src/racoon/eaytest.c(certtest): Use %z for size_t.
2004-09-12 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/grabmyaddr.c: improved socket selection algorithm for
case when link-local addresses come w/o sin6_scope_id set.
2004-09-07 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/session.c: fix for SIGHUP handler for case when config
file contains listen directives.
2004-09-01 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/grabmyaddr.c: added scope id handling for link-local
IPv6 addresses. Now racoon will not err on such addresses.
2004-08-19 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/crypto_openssl.c: hmac memory leak fix by R. Ganesan
* src/racoon/eaytest.c: eay_init_error() -> eay_init() due to
2004-06-01 changes in src/racoon/crypto_openssl.c
2004-08-15 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/cfparse.y src/racoon/crypto_openssl.c
src/racoon/eaytest.c src/racoon/genlist.h src/racoon/ipsec_doi.c
src/racoon/racoon.conf.5 src/racoon/remoteconf.c
src/racoon/remoteconf.h: peers_identifier wildcard and
list patch by James Matheson
---------------------------------------------
2004-08-09 Michal Ludvig <mludvig@suse.cz>
* NEWS: Notes for release 0.4rc1
* configure.ac: Bump up version to 0.4rc1
2004-07-12 Michal Ludvig <mludvig@suse.cz>
See ChangeLog.prsa from the 'plainrsa' branch for details.
* src/racoon/stringlist.c src/racoon/stringlist.h: Removed.
* src/racoon/genlist.c src/racoon/genlist.h
src/racoon/plainrsa-gen.8 src/racoon/plainrsa-gen.c
src/racoon/prsa_par.y src/racoon/prsa_tok.l
src/racoon/rsalist.c src/racoon/rsalist.h
src/racoon/samples/racoon.conf.sample-plainrsa: New files.
* src/racoon/Makefile.in src/racoon/configure.in
src/racoon/cfparse.y src/racoon/cftoken.l
src/racoon/crypto_openssl.c src/racoon/crypto_openssl.h
src/racoon/handler.h src/racoon/ipsec_doi.c
src/racoon/ipsec_doi.h src/racoon/isakmp.h src/racoon/main.c
src/racoon/oakley.c src/racoon/plog.c src/racoon/remoteconf.c
src/racoon/remoteconf.h src/racoon/sockmisc.c
src/racoon/sockmisc.h src/racoon/eaytest.c: Updated.
2004-07-12 Michal Ludvig <mludvig@suse.cz>
* src/racoon/main.c, src/racoon/eaytest.c, src/racoon/plog.c: Move
f_foreground to plog.c.
* src/racoon/proposal.c (cmpsaprop_alloc): Fix printing of encmode
* src/racoon/ipsec_doi.c, src/racoon/isakmp.c, src/racoon/isakmp_quick.c,
src/racoon/oakley.c: Fix typos, newlines and printf() format strings.
2004-06-16 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/crypto_openssl.c (eay_get_x509cert): small memory
leak fix. Noticed B.Buesker, patch L.Stellingwerff
* src/racoon/crypto_openssl.c (eay_aes_{en|de}crypt, evp_crypt):
small memory leaks fixed.
2004-06-15 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/crypto_openssl.[ch] (cb_check_cert_local,
cb_check_cert_remote): split cb_check_cert() due to stricter
requirements for certificates received from network.
* src/racoon/crypto_openssl.[ch] (eay_check_x509cert): new parameter
local to specify how strict cert check should be
* src/racoon/oakley.c, src/racoon/eaytest.c: adjust to use above
2004-06-11 Michal Ludvig <mludvig@suse.cz>
* src/racoon/nattraversal.c (natt_vendorid, natt_fill_options): Support
for all known NAT-T versions.
* vendorid.h: Ditto.
2004-06-08 Michal Ludvig <mludvig@suse.cz>
* src/racoon/stringlist.c, src/racoon/stringlist.h: New files.
* src/racoon/Makefile.in: Compile stringlist.o.
2004-06-07 Michal Ludvig <mludvig@suse.cz>
* configure.ac: Set version to 'cvs'.
* src/{racoon,setkey,libipsec}/*.h: Wrap headers between
#ifndef/#define/#endif to allow multiple inclusions of the
* plog.h (plog): Attribute __printf__ for automatic checking
of the parameters' validity.
* cftoken.l, crypto_openssl.c, grabmyaddr.c, ipsec_doi.c,
isakmp.c, isakmp_quick.c, oakley.c, pfkey.c, proposal.c,
sockmisc.c: Fix warnings/errors in the plog() parameters with
2004-06-05 Aidas Kasparas <a.kasparas@gmc.lt>
* src/setkey/setkey.c: -n (no action) support.
Thanks Thomas Habets.
* src/setkey/setkey.8: Documentation for above.
* src/racoon/doc/README.certificate: updated link to more recent
version of document. Debian bug #252513 by Jose Luis Domingo Lopez
2004-06-01 Michal Ludvig <mludvig@suse.cz>
* src/racoon/algorithm.c: Enable compilation without SHA2 support.
* src/racoon/crypto_openssl.c: Ditto.
2004-06-01 Michal Ludvig <mludvig@suse.cz>
* src/racoon/crypto_openssl.c: Remove unneeded workarounds for older
(eay_init): New function.
(eay_init_error, eay_check_pkcs7sign): Removed.
* src/racoon/crypto_openssl.h: Reflect the above changes.
* src/racoon/main.c: Call eay_init() instead of eay_init_error().
2004-05-27 Michal Ludvig <mludvig@suse.cz>
Support for inheritance of 'remote' statements:
* src/racoon/cftoken.l: New keyword 'inherit'.
* src/racoon/cfparse.y: Support for 'inherit', remove
global 'prhead', use cur_rmconf->prhead instead.
* src/racoon/remoteconf.c (rmtree): Changed from
LIST queue to TAILQ queue.
(getrmconf): Renamed to getrmconf_strict().
(copyrmconf, duprmconf)
(dump_rmconf_single, dumprmconf): New functions.
* src/racoon/remoteconf.h: Prototypes for the above.
(struct remoteconf): New fields 'inherited_from' and 'prhead'.
* src/racoon/sockmisc.c (saddr2str): Can print anonymous entries.
* src/racoon/algorithm.c (alg_oakley_encdef_name)
(alg_oakley_hashdef_name, alg_oakley_dhdef_name)
(alg_oakley_authdef_name): New functions.
* src/racoon/algorithm.h: Prototypes for the above.
* src/racoon/strnames.c (num2str): Make extern.
(s_doi, s_etype, s_idtype, s_switch): New functions.
* src/racoon/strnames.h: Prototypes for the above.
* src/racoon/main.c: New parameter -C for dumping the parsed config.
* src/racoon/racoon.conf.5: Document inheritance.
* src/racoon/samples/racoon.conf.sample-inherit: Sample config file.
* src/racoon/Makefile.in: Distribute racoon.conf.sample-inherit
2004-05-24 Michal Ludvig <mludvig@suse.cz>
* configure.in, backupsa.c, ipsec_doi.c, isakmp_inf.c,
isakmp_quick.c, pfkey.c, remoteconf.c, session.c,
sockmisc.c: Allow compilation with --disable-ipv6
2004-05-21 Michal Ludvig <mludvig@suse.cz>
* src/racoon/crypto_openssl.[ch]: Use EVP_*() instead of
algorithm specific functions.
2004-05-20 Aidas Kasparas <a.kasparas@gmc.lt>
Manual page updates. Thanks Brian
* src/libipsec/ipsec_set_policy.3
* src/setkey/setkey.8
* src/libipsec/test-policy-priority.c: new file from policy
priority patch, which I forgot to add
2004-05-18 Aidas Kasparas <a.kasparas@gmc.lt>
Policy priority integer handling fixes by Brian Buesker.
* src/libipsec/ipsec_strerror.c
* src/libipsec/ipsec_strerror.h
* src/libipsec/libpfkey.h
* src/libipsec/policy_parse.y
* src/libipsec/test-policy-priority.c
Manual page corrections by me
* src/libipsec/ipsec_set_policy.3
* src/setkey/setkey.8
2004-05-15 Aidas Kasparas <a.kasparas@gmc.lt>
Policy priority support patch from Brian Buesker. Applied as is
except src/libipsec/Makefile.am is modified instead of
src/libipsec/Makefile.in as found in the patch.
2004-05-10 Michal Ludvig <mludvig@suse.cz>
From Heiko Hund, approved by the copyright holder:
* src/racoon/gssapi.[ch]: Update to 3-clause BSD license.
2004-04-27 Michal Ludvig <mludvig@suse.cz>
* src/include-glibc/sys/queue.h: Update to 3-clause BSD license.
2004-04-26 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/grabmyaddr.c (update_myaddrs): Only trust kernel to
send notifications about changed interfaces.
2004-04-24 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/grabmyaddr.c (recvaddrs): Only trust kernel to send
information about interfaces. Thanks Steve Grubb and Bill
Nottingham. Affects users with glibc w/o getifaddrs(). Users
with glibc earlier than 2003-11-14 should upgrade their glibc.
2004-04-19 Michal Ludvig <mludvig@suse.cz>
* src/racoon/isakmp.c (isakmp_handler): Reject too big
packets (CAN-2004-0403).
---------------------------------------------
2004-04-14 Michal Ludvig <mludvig@suse.cz>
* NEWS: Notes for release 0.3
* configure.ac: Bump up version to 0.3
* src/racoon/Makefile.in: Use install-sh instead of mkinstalldirs.
* src/racoon/remoteconf.c (foreachrmconf): Avoid warning about
uninitialised variable.
* src/racoon/samples/racoon.conf.in: Cleaned up to work with Linux
2004-04-13 Michal Ludvig <mludvig@suse.cz>
* src/racoon/grabmyaddr.c (suitable_ifaddr6): Anycast addresses are
2004-04-09 Michal Ludvig <mludvig@suse.cz>
* src/racoon/crypto_openssl.c (cb_check_cert): Warn if no CRL is found.
* src/racoon/isakmp_ident.c (ident_r2recv): Removed debug plog().
* src/racoon/proposal.c (cmpsatrns): Downgrade severity of trns_id
mismatch to LLV_WARNING.
* src/libipsec/pfkey_dump.c, src/racoon/algorithm.c
src/racoon/algorithm.h src/racoon/cftoken.l
src/racoon/ipsec_doi.c src/racoon/ipsec_doi.h
src/racoon/oakley.h src/racoon/pfkey.c src/racoon/strnames.c
src/setkey/token.l: Renamed Rijndael to AES.
* src/setkey/token.l: Recognize exit/quit/bye tokens.
* src/setkey/parse.y (exit_command): New.
* src/setkey/setkey.c (stdin_loop): Exit when exit_now is set
2004-04-08 Michal Ludvig <mludvig@suse.cz>
* src/setkey/setkey.c (main): Call get_supported() in interactive mode.
(stdin_loop): Concat multiline input into a single line before parsing.
2004-04-07 Michal Ludvig <mludvig@suse.cz>
* src/racoon/nattraversal.c (natt_keepalive_send): Log sending KA
with level DEBUG. Having it with level INFO only pollutes logfiles.
2004-04-06 Michal Ludvig <mludvig@suse.cz>
* src/racoon/Makefile.in: eaytest now links plog.o
* src/racoon/crypto_openssl.c: Remove all #ifdef EAYDEBUG/#endif
* src/racoon/eaytest.c (rsatest): Enabled RSA tests again, now
verifying both good and bad signatures.
---------------------------------------------
2004-04-05 Michal Ludvig <mludvig@suse.cz>
* NEWS: Notes for release 0.3rc5
* configure.ac: Bump up version to 0.3rc5
2004-04-05 Michal Ludvig <mludvig@suse.cz>
Fix for a security bug found by Ralf Spenneberg:
* src/racoon/crypto_openssl.c (eay_check_x509sign): Directly generate
'evp' instead of 'pubkey'.
(eay_rsa_sign): Use the above.
* src/racoon/crypto_openssl.h: Update prototypes for the above.
* src/racoon/eaytest.c: Disabled RSA tests because of the API change.
2004-04-05 Michal Ludvig <mludvig@suse.cz>
* src/racoon/pfkey.c (pfkey_handler): Safety check before accessing
the array (thx to Ren.J.Y for report).
(pkrecvf): Added entry for SADB_X_NAT_T_NEW_MAPPING (NULL for now).
* src/racoon/strnames.c (name_pfkey_type): Ditto.
2004-04-02 Michal Ludvig <mludvig@suse.cz>
* src/racoon/eaytest.c (ciphertest_1): Correct padlen.
2004-04-01 Michal Ludvig <mludvig@suse.cz>
* src/racoon/ipsec_doi.c (setph2proposal0): Move proposal encmode
update from here ...
(ipsecdoi_setph2proposal): ... to here. Hopefully this is a
better place to do the update.
2004-03-30 Michal Ludvig <mludvig@suse.cz>
* src/racoon/crypto_openssl.c (eay_3des_expand_key): New function.
(eay_3des_encrypt, eay_3des_decrypt): Expand key if necessary.
* src/racoon/eaytest.c (ciphertest_1): New function.
(ciphertest): Simplified to simple calls of ciphertest_1().
2004-03-29 Michal Ludvig <mludvig@suse.cz>
* README: Rewritten. Mentioned where to report bugs.
2004-03-26 Michal Ludvig <mludvig@suse.cz>
* configure.ac: Check for readline.h and libreadline.
* src/setkey/setkey.c: Call stdin_loop() when '-c' was given.
(stdin_loop): Read user input and parse it line-by-line.
* src/setkey/token.l (parse_string): New function.
---------------------------------------------
2004-03-25 Michal Ludvig <mludvig@suse.cz>
* configure.ac: Bump up version to 0.3rc4
* NEWS: Notes for release 0.3rc4
* src/racoon/cfparse.y (algorithm): Hint about missing module.
* src/racoon/crypto_openssl.c (eay_3des_*): Check for strict key
length only with old API.
(eay_des_encrypt): Ditto.
* src/racoon/eaytest.c: Make the testsuite useful, i.e. exit with
non-zero error code if any of the tests fail.
(main): Print banner with version.
* src/racoon/Makefile.in: Run eaytest in 'make check'.
2004-03-23 Michal Ludvig <mludvig@suse.cz>
* src/racoon/isakmp_agg.c (agg_i2recv): Copy remote cookie before
comparing NAT-D payloads. (thx to Gaurav Kansal for report).
* src/racoon/crypto_openssl.c: Avoid type-punned warnings.
* src/racoon/eaytest.c: Disable 'cert' tests.
* src/racoon/crypto_openssl.c (eay_des_encrypt): No need to check
(eay_aes_encrypt): Keylength is in bits, not bytes.
2004-03-22 Michal Ludvig <mludvig@suse.cz>
* src/setkey/parse.y (ALG_ENC_NOKEY, ALG_ENC_OLD): Use "" for key
instead of NULL and check for availability.
---------------------------------------------
2004-03-19 Michal Ludvig <mludvig@suse.cz>
* configure.ac: Bump up version to 0.3rc3
* NEWS: Notes for release 0.3rc3
* src/racoon/cftoken.l: Add 'null' as an alias for 'null_enc'.
* src/racoon/proposal.c (cmpsatrns): New parameter proto_id,
better diagnostic output when trns_id don't match.
* src/racoon/proposal.h (cmpsatrns): Update prototype.
* src/setkey/setkey.c: Change option -h to -H (for hexdump), new
options -h (help) and -V (version).
* src/setkey/setkey.8: Document the above changes.
* src/racoon/rfc/*: Many standards related to IPsec/IKE/NAT-T/...
2004-03-15 Michal Ludvig <mludvig@suse.cz>
* src/racoon/configure.in: Prevent compilation error with
---------------------------------------------
2004-03-11 Michal Ludvig <mludvig@suse.cz>
* configure.ac: Bump up version to 0.3rc2
* NEWS: Notes for release 0.3rc2
* src/racoon/aclocal.m4 (RACOON_CHECK_VA_COPY): New test.
* src/racoon/configure.in: Call RACOON_CHECK_VA_COPY
* src/racoon/plog.c (plogv): Replace va_copy() with VA_COPY.
* src/racoon/racoon.conf.5: Note that NAT-T support is a compile
2004-03-10 Michal Ludvig <mludvig@suse.cz>
* src/racoon/racoon.conf.5: Document nat_traversal option.
* src/racoon/racoon.8: Document new options (-L and -P).
2776
2004-03-09 Michal Ludvig <mludvig@suse.cz>
* src/racoon/grabmyaddr.c (autoconf_myaddrsport): Prepare addrs for
UDP-Encap ports if NAT-T is enabled.
(dupmyaddr): New function.
* src/racoon/grabmyaddr.h: Prototype for dupmyaddr().
* src/racoon/isakmp.c (isakmp_open): Complain if NAT-T is enabled, but
no port for UDP-Encap was open.
* src/racoon/isakmp_var.h (PORT_ISAKMP_NATT): New define.
* src/racoon/localconf.c, src/racoon/localconf.h: Define and setup
lcconf->port_isakmp_natt.
* src/racoon/main.c (main): Print nicer banner,
(usage): Document new options (-L and -P).
(parse): Recognise the above.
* src/racoon/nattraversal.c (natt_fill_options): Don't use hardcoded
constants for float_port.
(natt_enabled_in_rmconf, natt_enabled_in_rmconf_stub): New functions.
* src/racoon/nattraversal.h: Prototype for natt_enabled_in_rmconf().
* src/racoon/plog.c: Don't print source:line:function by default.
* src/racoon/remoteconf.c (foreachrmconf): New helper function.
* src/racoon/remoteconf.h: Prototype for the above.
* package_version.h: Define strings for use in banners.
* configure.ac: Fill up the above header.
2004-03-09 Michal Ludvig <mludvig@suse.cz>
* src/racoon/configure.in: Don't put -O into OPTFLAGS,
add new option --disable-natt.
* src/racoon/cfparse.y, src/racoon/handler.c,
src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
src/racoon/isakmp_ident.c, src/racoon/pfkey.c,
src/racoon/proposal.c, src/racoon/session.c: Replace WITH_NATT
* src/racoon/crypto_openssl.c: Replace %d with %zd for size_t arguments.
2004-03-06 Aidas Kasparas <a.kasparas@gmc.lt>
* configure.ac: Refuse to continue if lexer library (yywrap()
function) is missing. Should prevent bugs like #892067, #908758
* src/racoon/configure.in: renamed --with-ssleay to --with-openssl.
Users should not be given false idea that they require both OpenSSL
and SSLeay to compile racoon. (See bug #902197)
---------------------------------------------
2004-03-04 Michal Ludvig <mludvig@suse.cz>
* configure.ac: Bump up version to 0.3rc1
* NEWS: Mention release 0.3rc1 (and copy 0.2.3 and 0.2.4 notes
* src/racoon/samples/racoon.conf.sample-natt: New sample config file.
* src/racoon/Makefile.in: Tweak file lists to make 'distcheck' happy,
enabled NATT by default (will become a config option later).
2004-03-04 Michal Ludvig <mludvig@suse.cz>
Merge with 'nat-t_branch' to bring NAT-T (NAT traversal) support
* src/racoon/Makefile.in, src/racoon/cfparse.y,
src/racoon/cftoken.l, src/racoon/grabmyaddr.c,
src/racoon/grabmyaddr.h, src/racoon/handler.c,
src/racoon/handler.h, src/racoon/ipsec_doi.c,
src/racoon/ipsec_doi.h, src/racoon/isakmp.c, src/racoon/isakmp.h,
src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
src/racoon/isakmp_ident.c, src/racoon/isakmp_quick.c,
src/racoon/localconf.c, src/racoon/localconf.h,
src/racoon/pfkey.c, src/racoon/proposal.c, src/racoon/proposal.h,
src/racoon/racoon.conf.5, src/racoon/remoteconf.c,
src/racoon/remoteconf.h, src/racoon/session.c,
src/racoon/strnames.c, src/racoon/vendorid.h
src/libipsec/pfkey.c,
src/racoon/nattraversal.c, src/racoon/nattraversal.h,
src/racoon/sockmisc.c: Affected files.
2004-02-27 Michal Ludvig <mludvig@suse.cz>
* src/racoon/isakmp.c (set_isakmp_header1): Renamed from
set_isakmp_header().
(set_isakmp_header): New function common for set_isakmp_header1()
and set_isakmp_header2().
(copy_ph1addresses): Obey original port.
(isakmp_plist_append, isakmp_plist_set_all): New helper functions.
* src/racoon/isakmp_var.h: Prototypes for the above.
* src/racoon/isakmp.h (struct payload_list): New structure.
* src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
src/racoon/isakmp_ident.c: Use isakmp_plist_* functions.
2004-02-03 Michal Ludvig <mludvig@suse.cz>
* src/racoon/Makefile.in: Fix install to $(sbindir)
* src/setkey/parse.y: Avoid GCC 3.3 warning (type-punned pointer).
2004-01-19 Michal Ludvig <mludvig@suse.cz>
* rpm/ipsec-tools.FC1: Startup script for Fedora Core 1
(thanks to Kimmo Koivisto <kimmo.koivisto@surfeu.fi>)
2004-01-17 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/isakmp_inf.c: endian mismatch fix. From iij seil team
2004-01-15 Michal Ludvig <mludvig@suse.cz>
* src/racoon/isakmp_inf.c: Prevent unauthorized deletion of SA
(reported on bugtraq, fixed by iij seil team).
* src/racoon/isakmp.c: Don't try to bind to IPv6 multicast addresses.
2004-01-14 Michal Ludvig <mludvig@suse.cz>
* src/racoon/plog.c: Fix segfault on AMD64 (va_list can be used
* configure.ac: Don't build shared libipsec by default (can be
enabled by --enable-shared).
* bootstrap: Don't run automake for racoon.
2004-01-12 Michal Ludvig <mludvig@suse.cz>
* src/racoon/configure.in: Fix AC_DEFINEs to make autoheader happy,
use config.h for defines instead of -DHAVE_* gcc options,
fix CRYPTOBJS to include missing rijndael libraries only once,
checking for AES support in OpenSSL now (hopefully) finally
works on both OpenSSL 0.9.6 and 0.9.7.
* src/racoon/*.[cyl]: Include autogenerated "config.h"
* src/racoon/missing/crypto/*/*.c: Ditto.
* src/racoon/.cvsignore: Add config.h, config.h.in
2004-01-09 Michal Ludvig <mludvig@suse.cz>
* src/racoon/.cvsignore: Add "autom4te.cache" and "configure".
2004-01-09 Aidas Kasparas <a.kasparas@gmc.lt>
Sync with KAME 2004-01-07
* src/libipsec/pfkey.c: memory leak fix; comment typo fixes
* src/libipsec/{pfkey.c,pfkey_dump.c}: allow compilation even
no SADB_X_EXT_TAG defined
* src/libipsec/pfkey_dump.c: information about algorithms
ripemd160, aes-xcbc, aes-ctr; bigger buffers; <tag> support
* src/libipsec/policy_parse.y: memory leak
* src/libipsec/policy_token.l: memory leak
* src/libipsec/test-policy.c: unneeded \n removed
* src/racoon/Makefile.in: $(sbindir) support
* src/racoon/admin.c: interface changes due to proxy support
* src/racoon/algorithm.c: SHA2 #ifdefs
* src/racoon/{cfparse.y,cftoken.l}: license text added
* src/racoon/cfparse.y: mip6 obsoleted by proxy support
* src/racoon/cfparse.y: from directive support; new algorithms
* src/racoon/cftoken.l: support for globbing of include files
* src/racoon/configure.in: more verbose information about problems
* src/racoon/crypto_openssl.c: use new DES API if supported; algorithm
* src/racoon/eaytest.c: SHA2 #ifdefs; keysize len check
* src/racoon/ipsec_doi.c: use VPTRINIT; ESP parameter validity checks;
* src/racoon/isakmp.c: use VPTRINIT; interface changes due to
* src/racoon/isakmp_inf.c: use VPTRINIT
* src/racoon/isakmp_quick.c: mip6->proxy
* src/racoon/kmpstat.c: not used variables removed
* src/racoon/pfkey.c: mip6->proxy; schedule leak
* src/racoon/proposal.c: style
* src/racoon/remoteconf.c: mip6->proxy
* src/racoon/sainfo.c: from directive support
* src/racoon/sockmisc.c: side correction; addrinfo leak
* src/racoon/strnames.c: typo in descriptions; wrong upper bound check
* src/racoon/missing/crypto/sha2/sha2.c: wrong size
* src/setkey/parse.y: extra algorithms; tagged; not needed periods
removed; memory shortage checks
* src/setkey/setkey.8: typos; tagged; new algorithms
* src/setkey/setkey.c: standard argument names for main(); hexdump
support; info in file support
* src/setkey/token.l: new algorithms; memory shortage checks
Parts not taken from KAME:
2004-01-08 Michal Ludvig <mludvig@suse.cz>
* src/racoon/config.{sub,guess}: Update from automake 1.7.
2004-01-08 Michal Ludvig <mludvig@suse.cz>
Patch from Kostadin Karaivanov <larry@minfin.bg>:
* src/racoon/configure.in: Check for openssl/aes.h.
* src/racoon/crypto_openssl.c: Use OpenSSL AES functions if available.
2004-01-08 Michal Ludvig <mludvig@suse.cz>
* src/racoon/configure: Remove, should be regenerated by bootstrap.
2004-01-02 Michal Ludvig <michal@logix.cz>
* src/racoon/crypto_openssl.c: Update to work with OpenSSL 0.9.7
(by Brian Buesker <bbuesker@qualcomm.com>
and Christophe Saout <christophe@saout.de>)
* src/racoon/proposal.c: Be more verbose. (Michal Ludvig)
* src/libipsec/ipsec_dump_policy.c: Dump FWD policies correctly
* src/setkey/token.l, src/setkey/parse.y: Add support for lifetime
specified in bytes (by Michal Ludvig).
* src/setkey/setkey.8: Document -bh/-bs options for the above feature.
* src/libipsec/pfkey.c: Don't include 'sadb_key' in SADB_UPDATE
message for IPcomp SA. (by Brian Buesker <bbuesker@qualcomm.com>)
* src/racoon/cfparse.y: Flush SA on SIGHUP
(by Brian Buesker <bbuesker@qualcomm.com>)
* src/racoon/pfkey.c: IPcomp fixes
(by Brian Buesker <bbuesker@qualcomm.com>)
* src/racoon/proposal.c: Fix typo lifebyte -> lifetime.
* src/racoon/grabmyaddr.c: Prevent segfault if getifaddrs() returns
an entry with NULL ifa_addr (Michal Ludvig).
* configure.ac: Change path to kernel headers
from /usr/src/devel-2.5/devel to /usr/src/linux
* bootstrap: Use default tools, reconfigure src/racoon
* src/racoon/configure.in: Change LIBOBJS -> AC_LIBOBJ,
changed comments from 'dnl' to '#'.
2003-06-20 Derek Atkins <derek@ihtfp.com>
* src/racoon/aclocal.m4:
* src/racoon/configure:
Don't execute "for i in $3" if "$3" doesn't exist.
2003-03-31 Derek Atkins <derek@ihtfp.com>
* src/setkey/parse.y: change the NAT-T Type to use UDP_ENCAP_ESPINUDP
(which is value '2')
2003-03-27 Derek Atkins <derek@ihtfp.com>
* src/libipsec/key_debug.c: use ntohs() before printing port
* src/libipsec/pfkey.c: convert port# to network byte order
* src/libipsec/pfkey_dump.c: use ntohs() before printing ports
* src/setkey/parse.y: convert port#'s to network byte order
2003-03-24 Derek Atkins <derek@ihtfp.com>
* src/libipsec/pfkey.c: Don't switch off NAT-T extensions
if they don't exist in the kernel.
* src/racoon/sockmisc.c: use '34' for IPV6_IPSEC_POLICY,
as per Tom Lendacky <toml@us.ibm.com>. Also move the
setting of IPV6_IPSEC_POLICY to the top of the file.
2003-03-13 Derek Atkins <derek@ihtfp.com>
Add initial support for NAT-T PFKey Extensions:
* src/libipsec/key_debug.c: add support to print information
about NAT-T extension packets.
* src/libipsec/libpfkey.h: add two new APIs to support NAT-T
for add and update as part of the SADB.
* src/libipsec/pfkey.c:
- Implement extended APIs to support NAT-T for add and update
- Add APIs to fill a buffer with NAT-T packet types
* src/libipsec/pfkey_dump.c: Extend the SADB output to include
PFKey packets. Put port numbers with the source and dest
addresses, add an 'esp-udp' SA-type, and add a printout for
* src/setkey/parse.y:
- Extend setkey to create an ESP-UDP SA.
- default UDP port is 4500
- extend 'add' to allow <ip-addr>[<portnum>] for source and dest
(the portnum specification requires the [] characters)
- add an ESPUDP "protocol" from the lexer. This will use
ESP and allow an optional Original Address setting.
- add a function to get a udp port from a struct sockaddr *
- pass the NAT-T extensions into PFKey
* src/setkey/token.l: add "esp-udp" token
* rpm/ipsec-tools.spec.in: Bill Nottingham's SPEC-file patch:
This switches it to use %{_lib} (for /lib64 systems such as
x86-64 and s390x), and has it own the /etc/racoon directory in
the package as well.
---------------------------------------------
2003-03-13 Derek Atkins <derek@ihtfp.com>
* configure.am, NEWS:
Update for 0.2.2 release
* Makefile.am: distribute depcomp
2003-03-10 Derek Atkins <derek@ihtfp.com>
* src/racoon/Makefile.in: add @LEXLIB@ to the LIBS line to make
sure we link against the lexer library when necessary.
2003-03-07 Derek Atkins <derek@ihtfp.com>
* rpm/ipsec-tools.spec.in:
Added RPM SPEC to CVS
---------------------------------------------
2003-03-07 Derek Atkins <derek@ihtfp.com>
* src/racoon/configure.in: change "CFLAGS" to "CPPFLAGS" for
ssl include directory, to make sure the other tests work properly.
2003-03-06 Derek Atkins <derek@ihtfp.com>
* src/racoon/kmpstat.c: fix gcc-3.2.2 compiler warning
* src/racoon/configure.in: look for krb5-config and don't
use it if it's not found. Fixes a configure-time warning.
--------------------------------------------
required even without NAT-T
* src/: libipsec/pfkey_dump.c, setkey/token.l: From Larry Baird:
define SADB_X_EALG_AESCBC as SADB_X_EALG_AES if needed
* src/racoon/crypto_openssl.c: From Larry Baird: some printf() ->
2006-09-18 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/: cfparse.y, cftoken.l, isakmp.c, isakmp_frag.h,
isakmp_inf.c, racoon.conf.5, remoteconf.c: From Matthew Grooms:
ike_frag force option to force the use of IKE on first packet
exchange (prior to peer consent)
2006-09-18 Yvan Vanhullebus <vanhu@netasq.com>
* rpm/suse/ipsec-tools.spec, src/racoon/prsa_tok.c: removed
generated files from the CVS
* src/racoon/prsa_par.c: removed generated files from the CVS
* src/racoon/: cfparse.c, cftoken.c: removed generated files from
2006-09-18 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp.c: From Matthew Grooms: handle IKE frag used in
the first packet. That should not normally happen, as the initiator
does not know yet if the responder can handle IKE frag. However, in
some setups, the first packet is too big to get through, and
assuming the peer supports IKE frag is the only way to go.
racoon should have a setting in the remote section to do that
(something like ike_frag force)
2006-09-16 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/ipsec_doi.c: Trivial bugfix in RFC2407 4.6.2
conformance, from Matthew Grooms
2006-09-15 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/ipsec_doi.c: Fix build on Linux
For older changes see ChangeLog.old