Annotation of embedaddon/ipsec-tools/ChangeLog, revision 1.1

1.1     ! misho       1: 2011-03-17  Yvan Vanhullebus <vanhu@netasq.com>
        !             2: 
        !             3:        * src/racoon/oakley.c: fixed a memory leak in
        !             4:          oakley_append_rmconf_cr() while generating plist. patch by Roman
        !             5:          Hoog Antink <rha@open.ch>
        !             6: 
        !             7:        * src/racoon/oakley.c: free name later, to avoid a memory use after
        !             8:          free in oakley_check_certid(). also give iph1->remote to some plog()
        !             9:          calls. patch by Roman Hoog Antink <rha@open.ch>
        !            10: 
        !            11:        * src/racoon/oakley.c: fixed a memory leak in
        !            12:          oakley_check_certid(). patch by Roman Hoog Antink <rha@open.ch>
        !            13: 
        !            14: 2011-03-15  Yvan Vanhullebus <vanhu@netasq.com>
        !            15: 
        !            16:        * src/racoon/: isakmp.c, isakmp_inf.c, pfkey.c: directly call
        !            17:          isakmp_ph1delete() instead of scheduling isakmp_ph1delete_stub(), as
        !            18:          it is useless and can lead to memory access after free
        !            19: 
        !            20: 2011-03-14  Timo Teras <timo.teras@iki.fi>
        !            21: 
        !            22:        * src/racoon/: grabmyaddr.c, handler.c, isakmp.c, isakmp_inf.c,
        !            23:          isakmp_quick.c, nattraversal.c, pfkey.c, policy.c, sockmisc.c,
        !            24:          sockmisc.h, throttle.c: Explicitly compare return value of
        !            25:          cmpsaddr() against a return value define to make it more obvious
        !            26:          what is the intended action. One more return value is also added, to
        !            27:          fix comparison of security policy descriptors. Namely, getsp()
        !            28:          should not allow wildcard matching (as the comment says, it does
        !            29:          exact matching) - otherwise we get problems when kernel has generic
        !            30:          policy with no ports, and a second similar policy with ports.
        !            31: 
        !            32: 2011-03-14  Yvan Vanhullebus <vanhu@netasq.com>
        !            33: 
        !            34:        * src/racoon/: cfparse.y, isakmp_xauth.c, isakmp_xauth.h,
        !            35:          remoteconf.c, remoteconf.h, rsalist.c, rsalist.h: avoid some
        !            36:          memory leaks / free memory access when reloading conf and have
        !            37:          inherited config. patch from Roman Hoog Antink <rha@open.ch>
        !            38: 
        !            39:        * src/racoon/handler.c: removed a useless comment
        !            40: 
        !            41:        * src/racoon/handler.c: check if we got RMCONF_ERR_MULTIPLE from
        !            42:          getrmconf_by_ph1() in revalidate_ph1tree_rmconf()
        !            43: 
        !            44: 2011-03-11  Yvan Vanhullebus <vanhu@netasq.com>
        !            45: 
        !            46:        * src/racoon/: handler.c, isakmp.c: directly delete a ph1 in
        !            47:          remove_ph1() instead of scheduling it, to avoid (completely ?) a
        !            48:          race condition when reloading configuration
        !            49: 
        !            50: 2011-03-06  Timo Teras <timo.teras@iki.fi>
        !            51: 
        !            52:        * src/racoon/privsep.c: Quiet a gcc warning when strict-aliasing
        !            53:          checks are enabled. Reported by Stephen Clark.
        !            54: 
        !            55: 2011-03-02  Yvan Vanhullebus <vanhu@netasq.com>
        !            56: 
        !            57:        * src/racoon/session.c: flush sainfo list when closing session.
        !            58:          patch by Roman Hoog Antink <rha@open.ch>
        !            59: 
        !            60:        * src/racoon/: remoteconf.c, rsalist.c, rsalist.h: free rsa
        !            61:          structures when deleting a struct rmconf. patch by Roman Hoog Antink
        !            62:          <rha@open.ch>
        !            63: 
        !            64:        * src/racoon/: cfparse.y, remoteconf.c, remoteconf.h: free spspec
        !            65:          when deleting a rmconf struct. patch by Roman Hoog Antink
        !            66:          <rha@open.ch>
        !            67: 
        !            68:        * src/racoon/: remoteconf.c, session.c: fixed some memory leaks in
        !            69:          remoteconf. patch by Roman Hoog Antink <rha@open.ch>
        !            70: 
        !            71:        * src/racoon/: cfparse.y, prsa_par.y: fixed some memory leaks
        !            72:          during configuration parsing. patch by Roman Hoog Antink
        !            73:          <rha@open.ch>
        !            74: 
        !            75: 2011-03-01  Yvan Vanhullebus <vanhu@netasq.com>
        !            76: 
        !            77:        * src/racoon/: isakmp.c, pfkey.c: plog text fixes, patch from M E
        !            78:          Andersson <debian@gisladisker.se>
        !            79: 
        !            80:        * src/racoon/cfparse.y: reset yyerrorcount before doing parse
        !            81:          stuff. patch by Roman Hoog Antink <rha@open.ch>
        !            82: 
        !            83: 2011-02-20  Timo Teras <timo.teras@iki.fi>
        !            84: 
        !            85:        * src/racoon/oakley.c: From Roman Hoog Antink <rha@open.ch>: Fix
        !            86:          memory leak when using plain RSA key authentication.
        !            87: 
        !            88: 2011-02-11  Timo Teras <timo.teras@iki.fi>
        !            89: 
        !            90:        * src/racoon/plainrsa-gen.c: From Mats E Andersson
        !            91:          <debian@gisladisker.se>: Fix fprintf format specifier usage from
        !            92:          previous patch.
        !            93: 
        !            94: 2011-02-10  Timo Teras <timo.teras@iki.fi>
        !            95: 
        !            96:        * src/racoon/plainrsa-gen.c: From Mats Erik Andersson
        !            97:          <debian@gisladisker.se>: Implement importing of RSA keys from PEM
        !            98:          files.
        !            99: 
        !           100:        * src/racoon/prsa_par.y: From M E Andersson
        !           101:          <debian@gisladisker.se>: Fix parsing of restricted RSA key
        !           102:          addresses.
        !           103: 
        !           104: 2011-02-02  Yvan Vanhullebus <vanhu@netasq.com>
        !           105: 
        !           106:        * src/racoon/: cftoken.l, isakmp.c, remoteconf.h, sainfo.c,
        !           107:          sainfo.h: store ph1id in an u_int32_t instead of a (signed)int.
        !           108:          Patch from Christophe Carre
        !           109: 
        !           110: 2011-01-28  Timo Teras <timo.teras@iki.fi>
        !           111: 
        !           112:        * src/racoon/: sainfo.c, sainfo.h, session.c: From Roman Hoog
        !           113:          Antink <rha@open.ch>: Clean up sainfo reloading: rename the
        !           114:          functions, and remove unneeded global variable.
        !           115: 
        !           116:        * src/racoon/: remoteconf.c, remoteconf.h, session.c: From Roman
        !           117:          Hoog Antink <rha@open.ch>: Clean up rmconf reloading: rename the
        !           118:          functions, and remove unneeded global variable.
        !           119: 
        !           120:        * src/racoon/plog.c: From Roman Hoog Antink <rha@open.ch>: Log
        !           121:          remote IP address if available (slightly modified by tteras)
        !           122: 
        !           123: 2011-01-22  Timo Teras <timo.teras@iki.fi>
        !           124: 
        !           125:        * src/racoon/isakmp_inf.c: From Roman Hoog Antink <rha@open.ch>:
        !           126:          Fixes a null pointer dereference that might occur after removing
        !           127:          peers from the config and then reloading.
        !           128: 
        !           129: 2011-01-20  Yvan Vanhullebus <vanhu@netasq.com>
        !           130: 
        !           131:        * src/libipsec/pfkey.c: fixed a typo, it will now compile when
        !           132:          KMADDRESS is defined. reported by Roman Hoog Antink (rha (at)
        !           133:          open.ch)
        !           134: 
        !           135: 2010-12-28  Timo Teras <timo.teras@iki.fi>
        !           136: 
        !           137:        * src/racoon/handler.c: From Roman Hoog Antink <rha@open.ch>: Fix
        !           138:          config reload to not delete too many phase 2 handles, because wrong
        !           139:          chain field is used when enumerating the handles.
        !           140: 
        !           141: 2010-12-16  gdt
        !           142: 
        !           143:        * src/racoon/oakley.c: When encountering a certificate where "ID
        !           144:          mismatched with ASN1 SubjectName", and verify_identifier is off,
        !           145:          don't raise an error.  This makes the behavior match the man page.
        !           146: 
        !           147:          Patch sent for review long ago:
        !           148:            http://mail-index.netbsd.org/tech-security/2006/03/24/0000.html
        !           149:          with no negative feedback received to date.
        !           150: 
        !           151: 2010-12-14  Timo Teras <timo.teras@iki.fi>
        !           152: 
        !           153:        * src/racoon/ipsec_doi.c: From Roman Hoog Antink <rha@open.ch>: Fix
        !           154:          possible null dereference.
        !           155: 
        !           156: 2010-12-08  Timo Teras <timo.teras@iki.fi>
        !           157: 
        !           158:        * src/racoon/admin.c: Use separate SA addresses for phase2's
        !           159:          created by admin command. The phase2 startup overwrites src/dst with
        !           160:          ISAKMP ports if they are zero and we don't want that to happen for
        !           161:          the SA ports.
        !           162: 
        !           163: 2010-12-08  joerg
        !           164: 
        !           165:        * src/libipsec/pfkey.c: ANSIfy
        !           166: 
        !           167: 2010-12-07  Timo Teras <timo.teras@iki.fi>
        !           168: 
        !           169:        * src/racoon/isakmp_quick.c: Fix spacing and improve wording in
        !           170:          some log messages.
        !           171: 
        !           172: 2010-12-03  Timo Teras <timo.teras@iki.fi>
        !           173: 
        !           174:        * src/libipsec/ipsec_dump_policy.c: Recognize direction for Linux
        !           175:          per-socket policies.
        !           176: 
        !           177:        * src/: libipsec/libpfkey.h, libipsec/pfkey_dump.c, setkey/parse.y,
        !           178:          setkey/setkey.8: Support GRE key as upper layer protocol
        !           179:          specifier (will be supported in Linux kernel 2.6.38).
        !           180: 
        !           181:        * src/racoon/grabmyaddr.c: Netlink deletion notification does not
        !           182:          guarantee actual address deletion: it might still exist on some
        !           183:          other interface. Make sure we do not unbind unless the address is
        !           184:          really gone.
        !           185: 
        !           186: 2010-11-17  Timo Teras <timo.teras@iki.fi>
        !           187: 
        !           188:        * src/racoon/: handler.c, handler.h, isakmp.c, isakmp_inf.c: Fix my
        !           189:          previous patch to not call purge_remote() twice. Change the place
        !           190:          where purge_remote() is called. This fixes also a possible crash
        !           191:          from the same patch since ph1->remote can be NULL (when we are
        !           192:          responder and config is not yet selected).
        !           193: 
        !           194: 2010-11-12  Timo Teras <timo.teras@iki.fi>
        !           195: 
        !           196:        * src/racoon/: admin.c, isakmp.c, isakmp_var.h, pfkey.c:
        !           197:          isakmp_post_acquire is now called from admin commands too, add a
        !           198:          flag so admin commands can be used to establish even passive links
        !           199:          on demand.
        !           200: 
        !           201:        * src/racoon/isakmp.c: Purge all IPsec-SA's if the last main
        !           202:          ISAKMP-SA for the node is deleted by remote request and the phase1
        !           203:          rekeying is enabled (this will also trigger the new phase1_dead
        !           204:          script hook).
        !           205: 
        !           206:        * src/racoon/: handler.h, isakmp_inf.c: Improve DPD sequence checks
        !           207:          to allow any reply within valid sequence window to be proof of
        !           208:          liveliness. This can improve things if there are random packet
        !           209:          delays, or if racoon is not getting enough CPU time.
        !           210: 
        !           211:        * src/racoon/: admin.c, admin.h, kmpstat.c, racoonctl.c: Extend
        !           212:          admin protocol to allow reply packets to exceed 64kb. E.g. SA dumps
        !           213:          with many established SAs can be easily over the limit.
        !           214: 
        !           215: 2010-10-22  Timo Teras <timo.teras@iki.fi>
        !           216: 
        !           217:        * src/racoon/grabmyaddr.c: Change Linux Netlink address monitoring
        !           218:          to monitor local route changes.  This works around a kernel bug, and
        !           219:          slightly improves behaviour on some special cases.
        !           220: 
        !           221: 2010-10-21  Timo Teras <timo.teras@iki.fi>
        !           222: 
        !           223:        * src/racoon/: admin.c, evt.c, grabmyaddr.c, isakmp.c, pfkey.c,
        !           224:          session.c, session.h: Introduce priorities for file descriptor
        !           225:          polling mechanism and give priority to admin port. If admin port is
        !           226:          used by ISAKMP-SA hook scripts they should be preferred, otherwise
        !           227:          heavy traffic can delay admin port requests considerably. This in
        !           228:          turn may cause renegotiation loop for ISAKMP-SA. This is mostly
        !           229:          useful for OpenNHRP setup, but can benefit other setups too.
        !           230: 
        !           231:        * src/racoon/: admin.c, handler.c, handler.h: Remove
        !           232:          initial-contact entry when all ISAKMP-SA are purged via adminport.
        !           233:          This will avoid stale security associations if some of the delete
        !           234:          notifications happens to get lost.
        !           235: 
        !           236: 2010-10-20  Timo Teras <timo.teras@iki.fi>
        !           237: 
        !           238:        * src/racoon/crypto_openssl.c: Use high-level openssl EVP and HMAC
        !           239:          functions when possible: this allows openssl to perform hardware
        !           240:          acceleration if available.
        !           241: 
        !           242:        * src/racoon/: isakmp.c, isakmp_quick.c: Various improvements to
        !           243:          error log messages and a few additional error log messages to
        !           244:          improve diagnosing an error condition.
        !           245: 
        !           246:        * src/racoon/grabmyaddr.c: Fix address comparison so we actually
        !           247:          close sockets which were bound to IP-address that got deconfigured.
        !           248: 
        !           249: 2010-10-11  Yvan Vanhullebus <vanhu@netasq.com>
        !           250: 
        !           251:        * src/racoon/ipsec_doi.c: report a higher encryption key length in
        !           252:          approval for OBEY / CLAIM / STRICT modes
        !           253: 
        !           254: 2010-09-27  Yvan Vanhullebus <vanhu@netasq.com>
        !           255: 
        !           256:        * src/racoon/isakmp_xauth.c: fixed some typos in logs (reported by
        !           257:          fazaeli (at) sepehrs.com)
        !           258: 
        !           259: 2010-09-24  Yvan Vanhullebus <vanhu@netasq.com>
        !           260: 
        !           261:        * src/racoon/cftoken.l: fixed a fd leak, patch by getlaser (at)
        !           262:          gmail.com
        !           263: 
        !           264: 2010-09-22  Yvan Vanhullebus <vanhu@netasq.com>
        !           265: 
        !           266:        * src/racoon/admin.c: get the correct length of username when
        !           267:          processing ADMIN_LOGOUT_USER, patch by rweikusat (at) mssgmbh.com
        !           268: 
        !           269:        * src/racoon/nattraversal.h: fixed a typo in macros, reported by
        !           270:          marisp (at) mt.lv
        !           271: 
        !           272: 2010-09-21  Yvan Vanhullebus <vanhu@netasq.com>
        !           273: 
        !           274:        * src/racoon/isakmp_cfg.c: moved from utmp.h to utmpx.h (patch
        !           275:          provided by marcin.cieslak (at) gmail.com)
        !           276: 
        !           277: 2010-09-08  Yvan Vanhullebus <vanhu@netasq.com>
        !           278: 
        !           279:        * src/racoon/remoteconf.c: fixed remoteconf selection when no ID
        !           280:          specified in configuration, and added some debug to remoteconf
        !           281:          selection
        !           282: 
        !           283: 2010-08-26  Yvan Vanhullebus <vanhu@netasq.com>
        !           284: 
        !           285:        * src/racoon/remoteconf.c: fix by Sergio.Gelato (at) astro.su.se:
        !           286:          duplicate some dynamic values in duprmconf()
        !           287: 
        !           288: 2010-08-04  Yvan Vanhullebus <vanhu@netasq.com>
        !           289: 
        !           290:        * src/racoon/isakmp_cfg.c: fixed answer for IP4_SUBNET request
        !           291: 
        !           292: 2010-07-30  Yvan Vanhullebus <vanhu@netasq.com>
        !           293: 
        !           294:        * src/racoon/doc/FAQ: updated link to NetBSD's documentation
        !           295: 
        !           296: 2010-06-22  Thomas Klausner <wiz@netbsd.org>
        !           297: 
        !           298:        * src/racoon/racoon.conf.5: Bump date for previous.
        !           299: 
        !           300: 2010-06-22  Yvan Vanhullebus <vanhu@netasq.com>
        !           301: 
        !           302:        * src/racoon/: cfparse.y, cftoken.l, isakmp.c, isakmp_inf.c,
        !           303:          racoon.conf.5, remoteconf.c, remoteconf.h: added a specific
        !           304:          script hook when a dead peer is detected
        !           305: 
        !           306: 2010-06-04  Thomas Klausner <wiz@netbsd.org>
        !           307: 
        !           308:        * src/setkey/setkey.8: New sentence, new line. Bump date for
        !           309:          previous.
        !           310: 
        !           311: 2010-06-04  Yvan Vanhullebus <vanhu@netasq.com>
        !           312: 
        !           313:        * src/setkey/: parse.y, setkey.8, token.l: Added support for
        !           314:          spdupdate command in setkey
        !           315: 
        !           316: 2010-04-07  Yvan Vanhullebus <vanhu@netasq.com>
        !           317: 
        !           318:        * src/libipsec/ipsec_strerror.c: by Eric Preston: fixed a typo
        !           319: 
        !           320: 2010-04-02  Christos Zoulas <christos@netbsd.org>
        !           321: 
        !           322:        * src/: libipsec/pfkey_dump.c, racoon/backupsa.c: handle ctime
        !           323:          returning NULL.
        !           324: 
        !           325: 2010-03-11  Christos Zoulas <christos@netbsd.org>
        !           326: 
        !           327:        * src/racoon/handler.c: PR/42363: Yasuoka Masahiko: Second part of
        !           328:          the patch: iterate only on the phase2 handles that are bound by the
        !           329:          given phase1 handle.
        !           330: 
        !           331: 2010-03-05  Timo Teras <timo.teras@iki.fi>
        !           332: 
        !           333:        * src/: libipsec/ipsec_set_policy.3, racoon/privsep.c,
        !           334:          racoon/doc/FAQ, setkey/setkey.8: From Stefan Bauer: Fix multiple
        !           335:          typos and manpage formatting errors.
        !           336: 
        !           337: 2010-03-04  Yvan Vanhullebus <vanhu@netasq.com>
        !           338: 
        !           339:        * src/racoon/session.c: From Pierre POMES: fixed admin port
        !           340:          initialization
        !           341: 
        !           342: 2010-02-28  snj
        !           343: 
        !           344:        * src/racoon/: sockmisc.c, sockmisc.h: Fight the ever-increasing
        !           345:          size of src checkouts by spelling "useful" without an extra l.
        !           346: 
        !           347: 2010-02-09  Thomas Klausner <wiz@netbsd.org>
        !           348: 
        !           349:        * src/racoon/: pfkey.c, proposal.h: Fix typo in comment.
        !           350: 
        !           351: 2010-01-17  Thomas Klausner <wiz@netbsd.org>
        !           352: 
        !           353:        * src/racoon/sainfo.c: Free strdupped string after using it. Found
        !           354:          by cppcheck.
        !           355: 
        !           356:        * src/racoon/: eaytest.c, ipsec_doi.c: Close file handles after
        !           357:          using them. Found by cppcheck.
        !           358: 
        !           359: 2010-01-15  joerg
        !           360: 
        !           361:        * src/setkey/setkey.8: Use .%U instead of .%O for URLs.
        !           362: 
        !           363: 2009-12-11  Timo Teras <timo.teras@iki.fi>
        !           364: 
        !           365:        * src/racoon/Makefile.am: From Paul Wernau: vmbuf.h was defined
        !           366:          twice in the headers. Remove the redundant entry so new install tool
        !           367:          does not complain about overwriting just installed file.
        !           368: 
        !           369: 2009-11-22  Christos Zoulas <christos@netbsd.org>
        !           370: 
        !           371:        * src/racoon/handler.c: PR/42363: Yasuoka Masahiko:
        !           372: 
        !           373:          racoon uses a wrong IPsec-SA handle that is for other peer in case
        !           374:          it receives an ISAKMP message for IPsec-SA that has the same
        !           375:          message-id as the message-id that is received before.
        !           376: 
        !           377:          racoon uses message-id to find the handle of IPsec-SA.  The
        !           378:          message-id is a unique number for each peer, but different peers may
        !           379:          use the same value.
        !           380: 
        !           381:          Different Windows Vista or Windows 7 peers seem to use the same
        !           382:          message-id.  racoon can handle the first Windows's Phase-2, but it
        !           383:          cannot handle the second Windows.  Because racoon misunderstands the
        !           384:          message for the second Windows as the message for the first Windows.
        !           385: 
        !           386:          >Category:       bin >Synopsis:       racoon uses a wrong IPsec-SA
        !           387:          that is for different peer >Confidential:   no >Severity:
        !           388:          serious >Priority:       medium >Responsible:    bin-bug-people
        !           389:          >State:          open >Class:          sw-bug >Submitter-Id:   net
        !           390:          >Arrival-Date:   Sun Nov 22 18:25:00 +0000 2009 >Originator:
        !           391:          yasuoka@iij.ad.jp
        !           392: 
        !           393: 2009-10-29  Christos Zoulas <christos@netbsd.org>
        !           394: 
        !           395:        * src/setkey/token.l: use %option noinput nounput
        !           396: 
        !           397: 2009-10-28  Christos Zoulas <christos@netbsd.org>
        !           398: 
        !           399:        * src/setkey/token.l: no unput
        !           400: 
        !           401: 2009-10-14  joerg
        !           402: 
        !           403:        * src/libipsec/ipsec_set_policy.3: Do not use .Xo/.Xc to workaround
        !           404:          ancient groff limits.
        !           405: 
        !           406:        * src/setkey/setkey.8: Do not use .Xo/.Xc to work around ancient
        !           407:          groff limits.  Fix markup.
        !           408: 
        !           409:        * src/racoon/racoon.conf.5: Don't use .Xo/.Xc to work around
        !           410:          ancient groff limits.  Set only one list type.
        !           411: 
        !           412: 2009-09-18  Timo Teras <timo.teras@iki.fi>
        !           413: 
        !           414:        * src/racoon/: isakmp_agg.c, isakmp_ident.c: From Tomas Mraz: Fix
        !           415:          gssapi error checking.
        !           416: 
        !           417: 2009-09-03  Timo Teras <timo.teras@iki.fi>
        !           418: 
        !           419:        * src/racoon/: admin.c, handler.c, handler.h, isakmp.c,
        !           420:          isakmp_var.h, pfkey.c: When rekeying phase2 use phase1 used to
        !           421:          negotiate phase2 as a hint to select the phase1 for rekeying the new
        !           422:          phase2.
        !           423: 
        !           424: 2009-09-01  Timo Teras <timo.teras@iki.fi>
        !           425: 
        !           426:        * src/racoon/: nattraversal.c, racoon.conf.5, vendorid.c: Check
        !           427:          nat_traversal configuration from remote configuration candidates
        !           428:          when acting as responder. Enable NAT-T if any of the remote
        !           429:          candidates have NAT-T enabled.
        !           430: 
        !           431:        * src/racoon/remoteconf.c: Change remote conf matching level to
        !           432:          matching score. This way one can override anonymous certificate
        !           433:          block config with more exact "inherited" IP specific block.
        !           434: 
        !           435:        * src/racoon/: isakmp.c, racoon.conf.5: From Maik Broemme: export
        !           436:          ISAKMP SA identity as REMOTE_ID for phase1 up script (trac #313).
        !           437: 
        !           438: 2009-08-24  Yvan Vanhullebus <vanhu@netasq.com>
        !           439: 
        !           440:        * src/racoon/oakley.c: fixed typo: algoriym -> algorithm
        !           441: 
        !           442: 2009-08-19  Yvan Vanhullebus <vanhu@netasq.com>
        !           443: 
        !           444:        * src/racoon/remoteconf.c: fixed address check in
        !           445:          rmconf_match_type(), just check address with wildcard port
        !           446: 
        !           447: 2009-08-19  Timo Teras <timo.teras@iki.fi>
        !           448: 
        !           449:        * src/racoon/remoteconf.c: Have an enum for rmconf_match_type()
        !           450:          return values to make the code a bit more readable.
        !           451: 
        !           452: 2009-08-18  Yvan Vanhullebus <vanhu@netasq.com>
        !           453: 
        !           454:        * src/racoon/oakley.c: typo: algoritym -> algorithm
        !           455: 
        !           456: 2009-08-17  Yvan Vanhullebus <vanhu@netasq.com>
        !           457: 
        !           458:        * src/libipsec/libpfkey.h: do not use SADB_X_NAT_T_NEW_MAPPING to
        !           459:          check system support for NAT-T, as at least FreeBSD doesn't have
        !           460:          this define anymore
        !           461: 
        !           462:        * src/racoon/schedule.h: include stddef.h so we have a chance to
        !           463:          get the system offsetof if present
        !           464: 
        !           465:        * src/racoon/crypto_openssl.h: removed a self include
        !           466: 
        !           467: 2009-08-13  Yvan Vanhullebus <vanhu@netasq.com>
        !           468: 
        !           469:        * src/racoon/oakley.c: fixed a potential DoS in
        !           470:          oakley_do_decrypt(), reported by Orange Labs
        !           471: 
        !           472: 2009-08-10  Timo Teras <timo.teras@iki.fi>
        !           473: 
        !           474:        * src/racoon/pfkey.c: Don't print EAGAIN error from
        !           475:          pfkey_handler(), it can occur normally under some code paths and is
        !           476:          not a hard error in any case.
        !           477: 
        !           478: 2009-08-06  Timo Teras <timo.teras@iki.fi>
        !           479: 
        !           480:        * src/setkey/setkey.c: From Paul Wernau: Check fgets return value in
        !           481:          setkey to make gcc happy.
        !           482: 
        !           483: 2009-08-05  Timo Teras <timo.teras@iki.fi>
        !           484: 
        !           485:        * src/racoon/pfkey.c: From Paul Wernau: Fix transport mode per-port
        !           486:          security associations that got broken during NAT-T fixes.
        !           487: 
        !           488: 2009-07-07  Timo Teras <timo.teras@iki.fi>
        !           489: 
        !           490:        * src/racoon/sockmisc.c: From Arnaud Ebalard: Fix possible usage of
        !           491:          uninitialized local variable (not sure if any code path triggers
        !           492:          this, but this makes compiler happy).
        !           493: 
        !           494: 2009-07-03  Timo Teras <timo.teras@iki.fi>
        !           495: 
        !           496:        * src/racoon/: admin.c, grabmyaddr.c, handler.c, handler.h,
        !           497:          isakmp.c, isakmp_cfg.c, isakmp_inf.c, isakmp_quick.c,
        !           498:          nattraversal.c, pfkey.c, policy.c, remoteconf.c, remoteconf.h,
        !           499:          sockmisc.c, sockmisc.h, throttle.c: Get rid of the evil CMPSADDR
        !           500:          macro. Trac #295.
        !           501: 
        !           502:        * src/: libipsec/libpfkey.h, libipsec/pfkey.c, racoon/isakmp.c,
        !           503:          racoon/isakmp_inf.c, racoon/pfkey.c, racoon/pfkey.h: From Yvan
        !           504:          Vanhullebus: Use SADB_X_EXT_NAT_T_* consistently for passing the
        !           505:          NAT-T port information. This might break compatibility with some
        !           506:          kernels, but as discussed this is the proper way to pass NAT-T ports
        !           507:          and the broken kernels need to be fixed.
        !           508: 
        !           509: 2009-06-24  Timo Teras <timo.teras@iki.fi>
        !           510: 
        !           511:        * src/racoon/session.c: Fix a call to null pointer: in some cases,
        !           512:          the unmonitor_fd can be called from another fd's callback. That
        !           513:          could lead to still have callback pending after unmonitoring the fd
        !           514:          resulting in a call to null pointer.  This is fixed by making
        !           515:          unmonitor_fd now clear the pending fd_set too.  Bug was introduced
        !           516:          by my commit in 2008-12-23.
        !           517: 
        !           518: 2009-05-20  Yvan Vanhullebus <vanhu@netasq.com>
        !           519: 
        !           520:        * src/racoon/isakmp.h: typo
        !           521: 
        !           522: 2009-05-19  Timo Teras <timo.teras@iki.fi>
        !           523: 
        !           524:        * src/racoon/: ipsec_doi.c, isakmp.c: From Jukka Salmi: Fix couple
        !           525:          of typos from previous commit.
        !           526: 
        !           527: 2009-05-18  Timo Teras <timo.teras@iki.fi>
        !           528: 
        !           529:        * src/racoon/: ipsec_doi.c, isakmp.c, sockmisc.c, sockmisc.h: From
        !           530:          Tomas Mraz: Introduce union sockaddr_any and use it to make code
        !           531:          more readable. Related to trac #293.
        !           532: 
        !           533:        * src/racoon/isakmp_inf.c: From Tomas Mraz: Remove variable that is
        !           534:          not really used; only referenced while uninitialized causing
        !           535:          valgrind error.
        !           536: 
        !           537:        * src/racoon/nattraversal.c: From Tomas Mraz: Fix natt_flags check.
        !           538: 
        !           539: 2009-05-04  Thomas Klausner <wiz@netbsd.org>
        !           540: 
        !           541:        * src/racoon/racoon.conf.5: Remove superfluous spaces around
        !           542:          parentheses.
        !           543: 
        !           544: 2009-04-29  Timo Teras <timo.teras@iki.fi>
        !           545: 
        !           546:        * src/racoon/crypto_openssl.c: From Ross Meng: Fix a memory leak in
        !           547:          X509 certificate validation.
        !           548: 
        !           549: 2009-04-28  Timo Teras <timo.teras@iki.fi>
        !           550: 
        !           551:        * src/racoon/handler.c: Reset nat_oa variables too when reusing
        !           552:          phase two handler. Otherwise phase2 rekeying might fail in some
        !           553:          scenarios.
        !           554: 
        !           555: 2009-04-22  Timo Teras <timo.teras@iki.fi>
        !           556: 
        !           557:        * src/racoon/isakmp_frag.c: From Neil Kettle: Fix a possible null
        !           558:          pointer dereference in fragmentation code.
        !           559: 
        !           560: 2009-04-21  Timo Teras <timo.teras@iki.fi>
        !           561: 
        !           562:        * src/racoon/: grabmyaddr.c, grabmyaddr.h, session.c: Fix
        !           563:          strict_address to work again. The lists need to be initialized
        !           564:          before configuration is read, which happens before my_addr_init()
        !           565:          call.
        !           566: 
        !           567: 2009-04-20  Timo Teras <timo.teras@iki.fi>
        !           568: 
        !           569:        * src/racoon/: isakmp.c, isakmp.h, isakmp_var.h: Fix a memory leak
        !           570:          in certificate request generation.
        !           571: 
        !           572:        * src/racoon/: isakmp_inf.c, isakmp_xauth.c, plog.c: Originally from
        !           573:          Bin Li: Fix possible memory corruption in binsanitize().
        !           574: 
        !           575:        * src/racoon/crypto_openssl.c: From Stephen Bevan: Fix a x509
        !           576:          signature verification memory leak.
        !           577: 
        !           578:        * src/racoon/: admin.c, racoonctl.c: Originally from Bin Li: Fix a
        !           579:          crash with racoonctl logout user.
        !           580: 
        !           581:        * src/racoon/nattraversal.c: Fix a memory leak in nat-t keepalive
        !           582:          code.
        !           583: 
        !           584:        * src/racoon/handler.c: From Paul Moore: Phase2 message id's should
        !           585:          be unique wrt phase1, not globally.
        !           586: 
        !           587: 2009-03-13  Timo Teras <timo.teras@iki.fi>
        !           588: 
        !           589:        * src/racoon/: pfkey.c, remoteconf.h: From Arnaud Ebalard: Fix
        !           590:          couple of problems with previous commit.
        !           591: 
        !           592: 2009-03-12  he
        !           593: 
        !           594:        * src/racoon/: isakmp.c, remoteconf.c: When casting to/from a
        !           595:          pointer to an integral type (a bad practice, if you ask me), you
        !           596:          need to cast via intptr_t for portability.
        !           597: 
        !           598: 2009-03-12  Thomas Klausner <wiz@netbsd.org>
        !           599: 
        !           600:        * src/racoon/racoon.conf.5: New sentence, new line. Avoid marking
        !           601:          up punctuation.
        !           602: 
        !           603:        * src/racoon/racoonctl.8: Bump date for previous. Sort options to
        !           604:          establish-sa.  Stop using Xo/Xc.
        !           605: 
        !           606: 2009-03-12  Timo Teras <timo.teras@iki.fi>
        !           607: 
        !           608:        * src/racoon/: admin.c, cfparse.y, cftoken.l, crypto_openssl.c,
        !           609:          crypto_openssl.h, dnssec.c, dnssec.h, handler.c, handler.h,
        !           610:          ipsec_doi.c, ipsec_doi.h, isakmp.c, isakmp.h, isakmp_agg.c,
        !           611:          isakmp_base.c, isakmp_ident.c, isakmp_inf.c, isakmp_quick.c,
        !           612:          isakmp_var.h, nattraversal.c, oakley.c, oakley.h, racoon.conf.5,
        !           613:          racoonctl.8, racoonctl.c, remoteconf.c, remoteconf.h, sockmisc.c,
        !           614:          vendorid.c: Support multiple anonymous remotes and decide
        !           615:          remoteconf based on identity, received certificates and other
        !           616:          information. General code clean up.
        !           617: 
        !           618: 2009-03-06  Timo Teras <timo.teras@iki.fi>
        !           619: 
        !           620:        * src/setkey/: extern.h, parse.y, setkey.c: setkey: fix deleteall
        !           621:          in Linux
        !           622: 
        !           623:          Linux requires SADB_DELETE message to have SPI. So send a
        !           624:          SADB_DELETE message for each matching SA. Trac #284.
        !           625: 
        !           626:          From: Gabriel Somlo <somlo@cmu.edu>
        !           627: 
        !           628: 2009-02-16  Timo Teras <timo.teras@iki.fi>
        !           629: 
        !           630:        * src/libipsec/policy_parse.y: From Paul Moore: Fix a heap
        !           631:          corruption bug (yacc return non-null terminated buffer and sprintf
        !           632:          writes over bounds).
        !           633: 
        !           634: 2009-02-11  Yvan Vanhullebus <vanhu@netasq.com>
        !           635: 
        !           636:        * src/racoon/: isakmp.c, sockmisc.c, sockmisc.h: trac#301: fixed
        !           637:          IPsec SAs flush in purge_remote() when NAT-T enabled but no NAT-T on
        !           638:          tunnel
        !           639: 
        !           640: 2009-02-03  Timo Teras <timo.teras@iki.fi>
        !           641: 
        !           642:        * src/racoon/isakmp.c: From: Phil Sutter. Fix script environment
        !           643:          variables with IPv6 addresses.
        !           644: 
        !           645: 2009-01-26  Timo Teras <timo.teras@iki.fi>
        !           646: 
        !           647:        * src/racoon/main.c: Argument parsing needs lcconf initialized.
        !           648: 
        !           649: 2009-01-24  Thomas Klausner <wiz@netbsd.org>
        !           650: 
        !           651:        * src/racoon/racoonctl.c: Sort options in usage.
        !           652: 
        !           653:        * src/racoon/racoonctl.8: Sort options. New sentence, new line.
        !           654: 
        !           655:        * src/racoon/racoon.8: Sort options.
        !           656: 
        !           657: 2009-01-23  Timo Teras <timo.teras@iki.fi>
        !           658: 
        !           659:        * src/racoon/: racoonctl.8, racoonctl.c: Update usage and manpage
        !           660:          for racoonctl.
        !           661: 
        !           662:        * src/racoon/: main.c, racoon.8: Racoon -v to print version and
        !           663:          compilation information. Update usage message.
        !           664: 
        !           665:        * NEWS: Update NEWS with major changes since 0.7 release.
        !           666: 
        !           667:        * src/racoon/schedule.c: Fix monotonic scheduler change, to not
        !           668:          refresh 'now' before exit. Otherwise we can return negative timeout
        !           669:          after spending time handling other events.
        !           670: 
        !           671:        * src/racoon/: handler.c, pfkey.c: From Arnaud Ebalard: Handle
        !           672:          reception of MIGRATE message during Phase 1 and Phase 2 negotiation.
        !           673:          Also corrects some debugging statements.
        !           674: 
        !           675:        * src/racoon/pfkey.c: From Arnaud Ebalard: On the responder (for
        !           676:          instance), there is a need to not only migrate local and remote
        !           677:          addresses of Phase 1 that match previous addresses but also the
        !           678:          local and remote addresses of a Phase 1 *associated* with a migrated
        !           679:          Phase 2. For instance, we have that need when receiving the first
        !           680:          MIGRATE/KMADDRESS message because the old addresses are still the
        !           681:          HoA and the address of the HA (while the peer has contacted us using
        !           682:          the CoA and we have negotiated this address as src attribute in
        !           683:          Phase 2). The patch fixes that by having migrate_ph1_ike_addresses()
        !           684:          called from migrate_ph2_ike_addresses() callback.
        !           685: 
        !           686:        * src/racoon/isakmp_quick.c: From Arnaud Ebalard: Set phase2 spid
        !           687:          when acting as responder.
        !           688: 
        !           689:        * configure.ac, src/racoon/handler.c, src/racoon/handler.h,
        !           690:          src/racoon/isakmp_inf.c, src/racoon/isakmp_xauth.c,
        !           691:          src/racoon/schedule.c, src/racoon/schedule.h,
        !           692:          src/racoon/throttle.c, src/racoon/throttle.h: Detect if monotonic
        !           693:          system clock is available, and use it for relative time measurements
        !           694:          to avoid complete hang if time jumps backwards.
        !           695: 
        !           696:        * src/racoon/: cfparse.y, ipsec_doi.c, isakmp.c, isakmp_agg.c,
        !           697:          isakmp_base.c, isakmp_cfg.c, isakmp_ident.c, isakmp_xauth.c,
        !           698:          oakley.c, oakley.h: Fix authentication method ambiguity by
        !           699:          internally using unique ID and setting/interpreting the wire format
        !           700:          based on received vendor ID:s. Fixes trac #280.
        !           701: 
        !           702:        * src/racoon/: handler.h, isakmp_agg.c, isakmp_base.c,
        !           703:          isakmp_ident.c, vendorid.c, vendorid.h: Introduce vendorid
        !           704:          bitmask that can be used otherwhere to detect peer capabilities.
        !           705: 
        !           706:        * configure.ac, src/racoon/admin.c, src/racoon/evt.c,
        !           707:          src/racoon/grabmyaddr.c, src/racoon/isakmp.c, src/racoon/pfkey.c,
        !           708:          src/racoon/session.c, src/racoon/session.h: Remove "fastquit"
        !           709:          configure option and make it the default behaviour. The previous
        !           710:          normal behaviour is buggy, as after flush kernel can immediately
        !           711:          create larval SA:s which would prevent exit.
        !           712: 
        !           713: 2009-01-20  Timo Teras <timo.teras@iki.fi>
        !           714: 
        !           715:        * Makefile.am, misc/cvs2cl.pl, misc/cvsusermap: Autogenerate
        !           716:          ChangeLog from NetBSD CVS. Put sourceforge.net changes to
        !           717:          ChangeLog.old.
        !           718: 
        !           719: 2009-01-10  Thomas Klausner <wiz@netbsd.org>
        !           720: 
        !           721:        * src/racoon/racoon.conf.5: Make ready for HTML output.  Use proper
        !           722:          escape for backslash ('\e').
        !           723: 
        !           724: 2009-01-10  Timo Teras <timo.teras@iki.fi>
        !           725: 
        !           726:        * src/racoon/: crypto_openssl.c, racoon.conf.5: From Cyrus Rahman:
        !           727:          Accept RFC2253 compliant escaped special characters for asn1dn
        !           728:          identifier.
        !           729: 
        !           730: 2009-01-09  Timo Teras <timo.teras@iki.fi>
        !           731: 
        !           732:        * configure.ac: Fix a CPPLAGS typo to CPPFLAGS which was intended
        !           733: 
        !           734: 2009-01-05  Timo Teras <timo.teras@iki.fi>
        !           735: 
        !           736:        * src/racoon/: cfparse.y, cftoken.l, racoon.conf.5: Remove obsolete
        !           737:          configuration options, fix radius configuration block and add GRE as
        !           738:          recognized protocol.
        !           739: 
        !           740:        * src/racoon/session.c: Do not use counting in signal handling as
        !           741:          it was unsafe by not using atomic functions (post increment is not
        !           742:          necessarily atomic).  Instead reap all children on SIGCHLD as that
        !           743:          was the only signal needing signal counting.
        !           744: 
        !           745: 2008-12-30  Timo Teras <timo.teras@iki.fi>
        !           746: 
        !           747:        * src/racoon/session.c: schedular() call can now modify fd mask so
        !           748:          make the working copy just before calling select(); otherwise it can
        !           749:          contain bad file descriptors
        !           750: 
        !           751: 2008-12-29  Michael van Elst <mlelstv@netbsd.org>
        !           752: 
        !           753:        * src/setkey/parse.y: support icmp codes. Fixes PR 39056.
        !           754: 
        !           755: 2008-12-24  Christos Zoulas <christos@netbsd.org>
        !           756: 
        !           757:        * src/racoon/grabmyaddr.c: remove sin{6,}_len linux does not have
        !           758:          it. From Timo Teras.
        !           759: 
        !           760:        * src/racoon/grabmyaddr.c: I was wrong. addr is actually set.
        !           761: 
        !           762:        * src/racoon/grabmyaddr.c:
        !           763:          - make this compile by zeroing out the whole structure not just
        !           764:          bogus fields.
        !           765:          - set length field of sockets appropriately.
        !           766:          - mark bogus no-op code (I don't understand what the author intended
        !           767:          here).
        !           768: 
        !           769: 2008-12-23  Thomas Klausner <wiz@netbsd.org>
        !           770: 
        !           771:        * src/racoon/racoon.conf.5: Bump date for identity configuration
        !           772:          option removal.
        !           773: 
        !           774: 2008-12-23  Timo Teras <timo.teras@iki.fi>
        !           775: 
        !           776:        * src/racoon/: cfparse.y, cftoken.l, ipsec_doi.c, localconf.c,
        !           777:          localconf.h, racoon.conf.5: Remove the obsoleted global identity
        !           778:          configuration option.
        !           779: 
        !           780:        * src/racoon/: admin.c, admin_var.h, cfparse.y, debug.h, evt.c,
        !           781:          evt.h, grabmyaddr.c, grabmyaddr.h, handler.c, isakmp.c,
        !           782:          isakmp_inf.c, isakmp_var.h, localconf.c, localconf.h, main.c,
        !           783:          nattraversal.c, pfkey.c, pfkey.h, privsep.c, session.c,
        !           784:          session.h: rewrite local address detection make some functions
        !           785:          static that are not needed globally rework how fd_set is
        !           786:          constructed for the main loop select()
        !           787: 
        !           788: 2008-12-18  Timo Teras <timo.teras@iki.fi>
        !           789: 
        !           790:        * src/racoon/pfkey.c: From Arnaud Ebalard: Delete larval ph2handles
        !           791:          when expire with hard lifetime received
        !           792: 
        !           793: 2008-12-16  Timo Teras <timo.teras@iki.fi>
        !           794: 
        !           795:        * README: Update README
        !           796: 
        !           797:        * src/racoon/pfkey.c: Fix transport mode address selection in
        !           798:          acquire handling.  Some earlier fixes got lost on 2008-12-05 commit.
        !           799: 
        !           800: 2008-12-11  Yvan Vanhullebus <vanhu@netasq.com>
        !           801: 
        !           802:        * src/racoon/grabmyaddr.c: Fixed compilation on FreeBSD (RTM_IFINFO
        !           803:          and RTM_OIFINFO stuff)
        !           804: 
        !           805:        * src/racoon/isakmp.c: Fixed compilation when DPD support is
        !           806:          disabled
        !           807: 
        !           808: 2008-12-08  Timo Teras <timo.teras@iki.fi>
        !           809: 
        !           810:        * src/racoon/: pfkey.c, privsep.c, privsep.h: Do not cache pfkey
        !           811:          sockets: it might cause to not handle some pfkey events when
        !           812:          select() has marked pfkey socket readable, but a timer callback
        !           813:          first calls pfkey_dump_sadb().
        !           814: 
        !           815: 2008-12-05  Timo Teras <timo.teras@iki.fi>
        !           816: 
        !           817:        * src/: libipsec/key_debug.c, libipsec/libpfkey.h,
        !           818:          libipsec/pfkey.c, racoon/handler.c, racoon/handler.h,
        !           819:          racoon/ipsec_doi.c, racoon/isakmp.c, racoon/isakmp_quick.c,
        !           820:          racoon/pfkey.c, racoon/policy.c, racoon/policy.h: From Arnaud
        !           821:          Ebalard: Improved Mobile IPv6 support per
        !           822:          draft-ebalard-mext-pfkey-enhanced-migrate.
        !           823: 
        !           824: 2008-12-04  Christoph Badura <bad@netbsd.org>
        !           825: 
        !           826:        * src/racoon/privsep.c: Fix typo in previous and use SIG_IGN as I
        !           827:          intended.
        !           828: 
        !           829: 2008-12-02  Timo Teras <timo.teras@iki.fi>
        !           830: 
        !           831:        * src/racoon/session.c: Explicitly ignore SIGPIPE. Default action
        !           832:          on Linux is terminate.
        !           833: 
        !           834: 2008-11-28  Thomas Klausner <wiz@netbsd.org>
        !           835: 
        !           836:        * src/racoon/racoon.conf.5: Remove empty line. Fix typo. New
        !           837:          sentence, new line.
        !           838: 
        !           839: 2008-11-27  Yvan Vanhullebus <vanhu@netasq.com>
        !           840: 
        !           841:        * src/racoon/main.c: Set up a default value for Mode Config Pool
        !           842:          size if pool address specified but pool size not specified
        !           843: 
        !           844:        * src/racoon/isakmp_cfg.c: Fixed pool resizing
        !           845: 
        !           846: 2008-11-27  Timo Teras <timo.teras@iki.fi>
        !           847: 
        !           848:        * src/racoon/pfkey.c: From Arnaud Ebalard: Remove MAXNESTEDSA
        !           849:          weirdness. It's probably meant for bundle support which is not done.
        !           850:          When someone actually writes bundle support, the nested SA stuff
        !           851:          would probably be reworked too anyway.
        !           852: 
        !           853:        * src/: libipsec/libpfkey.h, libipsec/pfkey.c, racoon/cfparse.y,
        !           854:          racoon/cftoken.l, racoon/localconf.c, racoon/localconf.h,
        !           855:          racoon/pfkey.c, racoon/racoon.conf.5: From: Matthew Krenzer
        !           856:          Ability to set pfkey socket buffer size via configuration file
        !           857:          directive.  (Indentation and minor fixes by me.)
        !           858: 
        !           859: 2008-11-25  Christoph Badura <bad@netbsd.org>
        !           860: 
        !           861:        * src/racoon/: evt.c, privsep.c, session.c: Avoid using
        !           862:          MSG_NOSIGNAL as it is not available everywhere.  Ignore SIGPIPE
        !           863:          instead.
        !           864: 
        !           865:        * src/racoon/grabmyaddr.c: Ignore unspecified and loopback
        !           866:          addresses.  Ignoring unspecified addresses prevents racoon from
        !           867:          trying to bind to the wildcard address and specific addresses
        !           868:          simultaneously after e.g. dhclient has changed an interface's
        !           869:          address to 0.0.0.0.
        !           870: 
        !           871:        * src/racoon/grabmyaddr.c: RTM_DELETE and RTM_IFINFO don't carry
        !           872:          info for added or deleted addresses.  Ignore them silently.
        !           873: 
        !           874:        * src/racoon/grabmyaddr.c: Ignoring an unsuitable address is not an
        !           875:          error.  Therefore log it as informational.  Make it clear from the
        !           876:          log message that a route message is not interesting.
        !           877: 
        !           878:        * src/racoon/grabmyaddr.c: Use insmyaddr() instead of open coding
        !           879:          it.
        !           880: 
        !           881:        * src/racoon/isakmp.c: Do not return erroneously from isakmp_open()
        !           882:          when setting IPV6_USE_MIN_MTU fails.
        !           883: 
        !           884:        * src/racoon/: grabmyaddr.c, isakmp.c: Keep myaddr.sock at -1 when
        !           885:          no socket is opened.
        !           886: 
        !           887: 2008-11-08  Christoph Badura <bad@netbsd.org>
        !           888: 
        !           889:        * src/racoon/samples/roadwarrior/client/: phase1-down.sh,
        !           890:          phase1-up.sh: Preserve owner and permissions of original
        !           891:          /etc/resolv.conf.  Ensure that new /etc/resolv.conf isn't group or
        !           892:          world writable.
        !           893: 
        !           894:        * src/racoon/samples/roadwarrior/client/: phase1-down.sh,
        !           895:          phase1-up.sh: Print and check INTERNAL_NETMASK4.
        !           896: 
        !           897:        * src/racoon/samples/roadwarrior/client/: phase1-down.sh,
        !           898:          phase1-up.sh: Make the handling of NAT-T SPD entries automatic.
        !           899: 
        !           900:        * src/racoon/samples/roadwarrior/client/: phase1-down.sh,
        !           901:          phase1-up.sh: Ensure that the determination of the default
        !           902:          gateway and the corresponding interface don't get confused by
        !           903:          multiple, possibly non-IPv4  default routes.  Bring the NetBSD case
        !           904:          of deleting the VPN routes and address in line with the Linux case
        !           905:          and delete the address after deleting the VPN routes.
        !           906: 
        !           907: 2008-11-06  Yvan Vanhullebus <vanhu@netasq.com>
        !           908: 
        !           909:        * src/racoon/sainfo.c: fixed delsainfo() to avoid a crash when
        !           910:          iddst's value is SAINFO_CLIENTADDR
        !           911: 
        !           912: 2008-10-29  S.P.Zeidler <spz@netbsd.org>
        !           913: 
        !           914:        * src/racoon/ipsec_doi.c: Changes to ipsecdoi_id2str():
        !           915: 
        !           916:          struct sockaddr -> struct sockaddr_storage fixes a stack overflow
        !           917: 
        !           918:          For non-linklocal addresses the value in 'scope' is garbage and gets
        !           919:          set to zero instead.
        !           920: 
        !           921: 2008-10-27  Timo Teras <timo.teras@iki.fi>
        !           922: 
        !           923:        * src/racoon/pfkey.c: From Arnaud Ebalard: Add missing return to
        !           924:          error path
        !           925: 
        !           926:        * src/racoon/grabmyaddr.c: From Francis Dupont (sent by Arnaud
        !           927:          Ebalard): recognize RTM_IFANNOUNCE
        !           928: 
        !           929:        * src/racoon/grabmyaddr.c: From Arnaud Ebalard: Fix indentation
        !           930:          issues for readability
        !           931: 
        !           932:        * src/racoon/session.c: From Arnaud Ebalard: initfds() needs to be
        !           933:          called only if monitored file descriptor numbers have changed
        !           934: 
        !           935:        * src/racoon/isakmp_var.h: From Arnaud Ebalard: Remove duplicate
        !           936:          declaration
        !           937: 
        !           938: 2008-10-23  Timo Teras <timo.teras@iki.fi>
        !           939: 
        !           940:        * src/racoon/: privsep.c, session.c, session.h: From Krzysztof
        !           941:          Piotr Oledzki <olel@ans.pl>: Revert parts of 2008-08-06 commit; the
        !           942:          problem those changes address are already handled in a sensible way
        !           943:          by Cyrus Rahman's patch from 2008-03-06.
        !           944: 
        !           945: 2008-10-09  Timo Teras <timo.teras@iki.fi>
        !           946: 
        !           947:        * src/racoon/isakmp_quick.c: From Arnaud Ebalard: remove
        !           948:          unnecessary unbindph12() call which is now done in remph2()
        !           949: 
        !           950: 2008-09-25  Yvan Vanhullebus <vanhu@netasq.com>
        !           951: 
        !           952:        * src/racoon/isakmp.c: Fixed resending mechanism to have non-ESP
        !           953:          marker for retransmitted packets
        !           954: 
        !           955: 2008-09-19  Thomas Klausner <wiz@netbsd.org>
        !           956: 
        !           957:        * src/racoon/racoon.conf.5: New sentence, new line.
        !           958: 
        !           959: 2008-09-19  Timo Teras <timo.teras@iki.fi>
        !           960: 
        !           961:        * src/racoon/: admin.c, cfparse.y, cftoken.l, handler.c, handler.h,
        !           962:          isakmp.c, isakmp_cfg.c, isakmp_inf.c, isakmp_quick.c,
        !           963:          isakmp_var.h, isakmp_xauth.c, pfkey.c, proposal.c, racoon.conf.5,
        !           964:          remoteconf.c, remoteconf.h: Implement ISAKMP SA rekeying
        !           965:          configurable with rekey {on|off|force} option in remote conf.
        !           966: 
        !           967:        * src/racoon/: handler.c, handler.h, isakmp.c, isakmp_inf.c,
        !           968:          isakmp_quick.c, isakmp_var.h, isakmp_xauth.c, isakmp_xauth.h,
        !           969:          nattraversal.c, pfkey.c, pfkey.h, schedule.c, schedule.h,
        !           970:          session.c: Change struct sched to be allocated by the caller to
        !           971:          avoid some memory allocations. Optimize scheduling algorithm to not
        !           972:          scan all entries in the main loop.
        !           973: 
        !           974: 2008-09-17  Yvan Vanhullebus <vanhu@netasq.com>
        !           975: 
        !           976:        * src/racoon/isakmp_inf.c: Fixed port match in purge_ipsec_spi()
        !           977:          when NAT-T enabled and trying to purge non NAT-T SAs
        !           978: 
        !           979: 2008-09-09  Yvan Vanhullebus <vanhu@netasq.com>
        !           980: 
        !           981:        * src/racoon/pfkey.c: Some calls to set_port() were not correctly
        !           982:          updated in the previous commit
        !           983: 
        !           984: 2008-09-03  Yvan Vanhullebus <vanhu@netasq.com>
        !           985: 
        !           986:        * src/racoon/pfkey.c: From Tomas Mraz: Duplicate addresses in
        !           987:          pk_sendxxx functions, as they may be altered for NAT-T stuff.
        !           988: 
        !           989: 2008-09-03  Timo Teras <timo.teras@iki.fi>
        !           990: 
        !           991:        * src/: libipsec/pfkey.c, racoon/pfkey.c, racoon/sockmisc.c:
        !           992:          - Fix reloading of SPD (Linux satype check, handling of SPD dump
        !           993:          responses)
        !           994:          - Remove some spurious error log message from extract_port()
        !           995: 
        !           996: 2008-08-29  Gregory McGarry <gmcgarry@netbsd.org>
        !           997: 
        !           998:        * src/racoon/isakmp.c: Eliminate gcc-specific feature of empty
        !           999:          structures.
        !          1000: 
        !          1001:        * src/racoon/evt.h: Eliminate superfluous semicolon.
        !          1002: 
        !          1003:        * src/racoon/: admin.c, admin.h: Eliminate gcc-specific feature of
        !          1004:          unnamed structures added recently.
        !          1005: 
        !          1006: 2008-08-12  Yvan Vanhullebus <vanhu@netasq.com>
        !          1007: 
        !          1008:        * src/racoon/isakmp.c: From Krzysztof Piotr Oledzki: Remove
        !          1009:          ph1handler if we received an invalid first exchange from initiator.
        !          1010: 
        !          1011: 2008-08-06  Timo Teras <timo.teras@iki.fi>
        !          1012: 
        !          1013:        * src/racoon/: privsep.c, session.c, session.h: From Krzysztof
        !          1014:          Piotr Oledzki: Make privileged process exit if unprivileged process
        !          1015:          is terminated and some spelling fixes.
        !          1016: 
        !          1017: 2008-07-23  Matthew Grooms <mgrooms@shrew.net>
        !          1018: 
        !          1019:        * src/racoon/: cfparse.y, session.c: Add some missing ifdefs
        !          1020:          required for non-radius enabled builds.
        !          1021: 
        !          1022: 2008-07-23  Timo Teras <timo.teras@iki.fi>
        !          1023: 
        !          1024:        * src/racoon/Makefile.am: Do not use GNU make specific extension.
        !          1025: 
        !          1026:        * src/: libipsec/Makefile.am, racoon/Makefile.am,
        !          1027:          setkey/Makefile.am: Do flex/bison invocation in a more standard
        !          1028:          way, and keep the generated files in the dist tarball.
        !          1029: 
        !          1030: 2008-07-22  Yvan Vanhullebus <vanhu@netasq.com>
        !          1031: 
        !          1032:        * src/racoon/proposal.c: From Kohki Ohhira: fix some memory leaks,
        !          1033:          when malloc fails or when peer sends invalid proposal.
        !          1034: 
        !          1035: 2008-07-22  Matthew Grooms <mgrooms@shrew.net>
        !          1036: 
        !          1037:        * src/racoon/: cfparse.y, cftoken.l, isakmp_cfg.c, isakmp_xauth.c,
        !          1038:          isakmp_xauth.h, main.c, racoon.conf.5, session.c: Add an optional
        !          1039:          radius configuration section to the racoon.conf file. This is
        !          1040:          similar to the LDAP configuration section and overrides settings
        !          1041:          in the system radius configuration file.
        !          1042: 
        !          1043: 2008-07-21  Matthias Scheler <tron@netbsd.org>
        !          1044: 
        !          1045:        * src/racoon/cfparse.y: Correct typo to fix the build.
        !          1046: 
        !          1047: 2008-07-21  Timo Teras <timo.teras@iki.fi>
        !          1048: 
        !          1049:        * src/racoon/: isakmp_agg.c, isakmp_base.c, isakmp_ident.c,
        !          1050:          vendorid.c, vendorid.h: Separate generic vendor id handling to a
        !          1051:          new function and use it.
        !          1052: 
        !          1053:        * src/racoon/cfparse.y: Do not set default gss id if xauth is used,
        !          1054:          otherwise gss-id attribute might be sent even if it was not
        !          1055:          requested.
        !          1056: 
        !          1057: 2008-07-15  Matthew Grooms <mgrooms@shrew.net>
        !          1058: 
        !          1059:        * src/racoon/isakmp_cfg.c: Fix a typo that prevented racoon from
        !          1060:          building with hybrid enabled.
        !          1061: 
        !          1062:        * src/racoon/: crypto_openssl.c, eaytest.c, misc.c, misc.h,
        !          1063:          racoonctl.c: Fix a conflict with the FreeBSD 8 system hexdump
        !          1064:          function.
        !          1065: 
        !          1066: 2008-07-14  Timo Teras <timo.teras@iki.fi>
        !          1067: 
        !          1068:        * src/racoon/: handler.h, ipsec_doi.c, ipsec_doi.h, isakmp_quick.c,
        !          1069:          pfkey.c: Handle RESPONDER-LIFETIME notification in quick mode.
        !          1070: 
        !          1071:        * src/racoon/: handler.h, isakmp.c, isakmp_agg.c, isakmp_ident.c,
        !          1072:          isakmp_inf.c, isakmp_inf.h, isakmp_quick.c, strnames.c: Clean up
        !          1073:          notification payload handling. Handle INITIAL-CONTACT notification
        !          1074:          in last main mode exchange (delayed) and during quick mode
        !          1075:          exchanges.
        !          1076: 
        !          1077: 2008-07-11  Timo Teras <timo.teras@iki.fi>
        !          1078: 
        !          1079:        * src/racoon/: isakmp.c, isakmp_inf.c: Original patch from Atis
        !          1080:          Elsts: Fix a double memory free and a memory corruption
        !          1081:          (LIST_REMOVE() on an uninserted node) in some error handling paths.
        !          1082: 
        !          1083: 2008-07-09  Timo Teras <timo.teras@iki.fi>
        !          1084: 
        !          1085:        * src/racoon/cfparse.y: From Chong Peng: fix a file descriptor and
        !          1086:          memory leak on configuration file reread
        !          1087: 
        !          1088: 2008-07-02  Yvan Vanhullebus <vanhu@netasq.com>
        !          1089: 
        !          1090:        * src/racoon/isakmp_inf.c: From Timo Teras: fix some %d to %zu
        !          1091:          (size_t values)
        !          1092: 
        !          1093: 2008-06-18  Thomas Klausner <wiz@netbsd.org>
        !          1094: 
        !          1095:        * src/racoon/racoonctl.8: Bump date for previous.
        !          1096: 
        !          1097: 2008-06-18  Matthew Grooms <mgrooms@shrew.net>
        !          1098: 
        !          1099:        * src/racoon/: admin.c, admin.h, racoonctl.8, racoonctl.c: Add an
        !          1100:          admin port command to retrieve the peer certificate. Submitted by
        !          1101:          Timo Teras.
        !          1102: 
        !          1103:        * src/racoon/: admin.c, grabmyaddr.c, isakmp.c, misc.c, misc.h: Set
        !          1104:          sockets to be closed on exec to avoid potential file descriptor
        !          1105:          inheritance issues. Submitted by Timo Teras.
        !          1106: 
        !          1107:        * src/racoon/: admin.c, grabmyaddr.c, ipsec_doi.c, isakmp.c,
        !          1108:          isakmp_cfg.c, isakmp_inf.c, privsep.c, remoteconf.c: Use utility
        !          1109:          functions to evaluate and manipulate network port values. No
        !          1110:          functional changes. Submitted by Timo Teras.
        !          1111: 
        !          1112:        * src/racoon/: admin.c, racoonctl.c: Admin port code cleanup. No
        !          1113:          functional changes. Submitted by Timo Teras.
        !          1114: 
        !          1115:        * src/racoon/pfkey.c: Correct a phase2 status event. Submitted by
        !          1116:          Timo Teras.
        !          1117: 
        !          1118: 2008-05-24  Christos Zoulas <christos@netbsd.org>
        !          1119: 
        !          1120:        * src/racoon/privsep.c: Coverity CID 5018: Fix double frees.
        !          1121: 
        !          1122: 2008-05-08  Emmanuel Dreyfus <manu@netbsd.org>
        !          1123: 
        !          1124:        * configure.ac: From Christian Hohnstaedt: allow out of tree
        !          1125:          building
        !          1126: 
        !          1127: 2008-04-30  Martin Husemann <martin@netbsd.org>
        !          1128: 
        !          1129:        * netbsd-import.sh: Convert TNF licenses to new 2 clause variant
        !          1130: 
        !          1131: 2008-04-25  Yvan Vanhullebus <vanhu@netasq.com>
        !          1132: 
        !          1133:        * src/racoon/isakmp_inf.c: From Timo Teras: extract port numbers
        !          1134:          from SADB_X_EXT_NAT_T[SD]PORT if present in purge_ipsec_spi().
        !          1135: 
        !          1136: 2008-04-13  Christos Zoulas <christos@netbsd.org>
        !          1137: 
        !          1138:        * src/racoon/privsep.c: for symmetry set controllen the same way we
        !          1139:          set it on the receiving side.
        !          1140: 
        !          1141: 2008-04-02  Emmanuel Dreyfus <manu@netbsd.org>
        !          1142: 
        !          1143:        * src/racoon/: Makefile.am, sockmisc.c, sockmisc.h: fix Linux build
        !          1144: 
        !          1145: 2008-03-28  Christos Zoulas <christos@netbsd.org>
        !          1146: 
        !          1147:        * src/racoon/privsep.c: properly fix the variable stack allocation
        !          1148:          code.
        !          1149: 
        !          1150: 2008-03-28  Emmanuel Dreyfus <manu@netbsd.org>
        !          1151: 
        !          1152:        * src/racoon/privsep.c: Still from Cyrus Rahman: fix file
        !          1153:          descriptor leak introduced by previous commit.
        !          1154: 
        !          1155:        * src/racoon/: Makefile.am, isakmp.c, isakmp_inf.c, privsep.c,
        !          1156:          privsep.h, sockmisc.c, doc/README.privsep: From Cyrus Rahman:
        !          1157:          Allow interface reconfiguration when running in privilege separation
        !          1158:          mode, document privilege separation
        !          1159: 
        !          1160: 2008-03-06  Yvan Vanhullebus <vanhu@netasq.com>
        !          1161: 
        !          1162:        * src/racoon/oakley.c: Generates a log if cert validation has been
        !          1163:          disabled by configuration
        !          1164: 
        !          1165: 2008-03-06  Emmanuel Dreyfus <manu@netbsd.org>
        !          1166: 
        !          1167:        * src/racoon/: privsep.c, session.c: From Cyrus Rahman
        !          1168:          <crahman@gmail.com> privileged instance exit when unprivileged one
        !          1169:          terminates. Save PID in real root, not in chroot
        !          1170: 
        !          1171: 2008-03-06  Matthew Grooms <mgrooms@shrew.net>
        !          1172: 
        !          1173:        * src/racoon/: admin.c, isakmp.c, isakmp_var.h, pfkey.c,
        !          1174:          racoonctl.8, racoonctl.c: Add the ability to initiate IPsec SA
        !          1175:          negotiations using the admin socket.  Submitted by Timo Teras.
        !          1176: 
        !          1177:        * src/racoon/: admin.c, admin.h, evt.c, evt.h, handler.c,
        !          1178:          handler.h, isakmp.c, isakmp_agg.c, isakmp_base.c, isakmp_cfg.c,
        !          1179:          isakmp_ident.c, isakmp_inf.c, isakmp_var.h, isakmp_xauth.c,
        !          1180:          racoonctl.8, racoonctl.c, session.c: Refactor admin socket event
        !          1181:          protocol to be less error prone. Backwards compatibility is
        !          1182:          provided. Submitted by Timo Teras.
        !          1183: 
        !          1184: 2008-03-05  Matthew Grooms <mgrooms@shrew.net>
        !          1185: 
        !          1186:        * src/racoon/cfparse.y: Properly initialize the unity network
        !          1187:          struct to prevent erroneous protocol and port info from being
        !          1188:          transmitted.
        !          1189: 
        !          1190:        * src/racoon/: pfkey.c, pfkey.h, session.c: Reload SPD on SIGHUP or
        !          1191:          adminport reload. Also provide better handling for pfkey socket read
        !          1192:          errors. Submitted by Timo Teras.
        !          1193: 
        !          1194: 2008-02-25  Emmanuel Dreyfus <manu@netbsd.org>
        !          1195: 
        !          1196:        * src/racoon/ipsec_doi.c: From Brian Haley <brian.haley@hp.com>
        !          1197:          There's a cut/paste error in cmp_aproppair_i(), it's supposed to be
        !          1198:          checking spi_size but it's not.  I'm not sure this patch is correct,
        !          1199:          but what's there isn't either.
        !          1200: 
        !          1201: 2008-02-22  Emmanuel Dreyfus <manu@netbsd.org>
        !          1202: 
        !          1203:        * src/racoon/isakmp.c: Fix address length, from Brian Haley
        !          1204: 
        !          1205: 2008-02-10  S.P.Zeidler <spz@netbsd.org>
        !          1206: 
        !          1207:        * src/racoon/ipsec_doi.c: closes PR bin/37644 did not meet violent
        !          1208:          opposition ( :) ) on ipsec-tools-devel
        !          1209: 
        !          1210: 2008-01-11  Yvan Vanhullebus <vanhu@netasq.com>
        !          1211: 
        !          1212:        * src/racoon/isakmp_inf.c: From Timo Teras: reset iph1->dpd_r_u in
        !          1213:          the scheduler's callback, to avoid access to freed memory.
        !          1214: 
        !          1215:        * src/racoon/crypto_openssl.c: From Krzysztof Oledzki: Fix
        !          1216:          compilation with IDEA and recent gcc.
        !          1217: 
        !          1218:        * src/racoon/isakmp_inf.c: From Krzysztof Oledzki: added some
        !          1219:          details to some logs (also reported new getph1byaddr() arg).
        !          1220: 
        !          1221:        * src/racoon/isakmp.c: From Krzysztof Oledzki: Only search for
        !          1222:          established ph1 handles in DPD (also reported new getph1byaddr()
        !          1223:          arg).
        !          1224: 
        !          1225:        * src/racoon/: handler.c, handler.h: added an 'established' arg to
        !          1226:          getph1byaddr()
        !          1227: 
        !          1228: 2007-12-31  Matthew Grooms <mgrooms@shrew.net>
        !          1229: 
        !          1230:        * src/racoon/: policy.c, racoonctl.8, racoonctl.c: Add GRE protocol
        !          1231:          number to racoonctl. Correct id wildcard matching for transport
        !          1232:          mode. Submitted by Timo Teras.
        !          1233: 
        !          1234: 2007-12-12  Matthew Grooms <mgrooms@shrew.net>
        !          1235: 
        !          1236:        * NEWS, src/racoon/isakmp_quick.c: Add corrections submitted in a
        !          1237:          follow up patch for the nat-t oa support.
        !          1238: 
        !          1239:        * src/racoon/: handler.c, handler.h, isakmp_quick.c, pfkey.c: Add
        !          1240:          support for nat-t oa payload handling. Submitted by Timo Teras.
        !          1241: 
        !          1242: 2007-12-04  Matthew Grooms <mgrooms@shrew.net>
        !          1243: 
        !          1244:        * src/racoon/: ipsec_doi.c, ipsec_doi.h, isakmp_quick.c: Modify
        !          1245:          ipsecdoi_sockaddr2id() to obtain an id without specifying the exact
        !          1246:          prefix length. Correct a memory leak in phase2. Both submitted by
        !          1247:          Timo Teras.
        !          1248: 
        !          1249: 2007-12-01  Thomas Klausner <wiz@netbsd.org>
        !          1250: 
        !          1251:        * src/racoon/racoon.conf.5: Fix typos. New sentence, new line.
        !          1252: 
        !          1253: 2007-11-29  Yvan Vanhullebus <vanhu@netasq.com>
        !          1254: 
        !          1255:        * src/racoon/Makefile.am: From Natanael Copa: fixed a race
        !          1256:          condition when building yacc stuff.
        !          1257: 
        !          1258: 2007-11-09  Yvan Vanhullebus <vanhu@netasq.com>
        !          1259: 
        !          1260:        * src/racoon/pfkey.c: From Arnaud Ebalard: Some sanity checking in
        !          1261:          pk_recv()
        !          1262: 
        !          1263:        * src/racoon/policy.c: From Arnaud Ebalard: Better matching of SPD
        !          1264:          entries in getsp_r().
        !          1265: 
        !          1266:        * src/racoon/isakmp_quick.c: From Arnaud Ebalard: Added some debug
        !          1267:          in get_proposal_r().
        !          1268: 
        !          1269: 2007-10-19  Emmanuel Dreyfus <manu@netbsd.org>
        !          1270: 
        !          1271:        * src/racoon/: isakmp_cfg.c, isakmp_unity.c, isakmp_unity.h,
        !          1272:          racoon.conf.5: Add SPLITNET_{INCLUDR_LOCAL}_CIDR to hook scripts
        !          1273: 
        !          1274: 2007-10-15  Yvan Vanhullebus <vanhu@netasq.com>
        !          1275: 
        !          1276:        * src/libipsec/pfkey.c: Try to increase the buffer size of the
        !          1277:          pfkey socket, this may help things when we have a huge SPD
        !          1278: 
        !          1279: 2007-10-02  Yvan Vanhullebus <vanhu@netasq.com>
        !          1280: 
        !          1281:        * src/racoon/crypto_openssl.c: From Scott Lamb: include plog.h to
        !          1282:          work with the new plog macro.
        !          1283: 
        !          1284:        * src/racoon/kmpstat.c: From Scott Lamb: plog changed to _plog to
        !          1285:          work with new plog macro
        !          1286: 
        !          1287:        * src/racoon/: plog.c, plog.h: From Scott Lamb: new plog macro.
        !          1288: 
        !          1289: 2007-09-19  Matthew Grooms <mgrooms@shrew.net>
        !          1290: 
        !          1291:        * src/racoon/isakmp.c: Set REUSE option on sockets to prevent
        !          1292:          failures associated with closing and immediately re-opening.
        !          1293:          Submitted by Gabriel Somlo.
        !          1294: 
        !          1295:        * src/racoon/isakmp_unity.c: Prevent duplicate entries in splitnet
        !          1296:          list. Submitted by Gabriel Somlo.
        !          1297: 
        !          1298: 2007-09-13  Matthew Grooms <mgrooms@shrew.net>
        !          1299: 
        !          1300:        * configure.ac: Fix autoconf check for selinux support. Submitted
        !          1301:          by Joy Latten.
        !          1302: 
        !          1303: 2007-09-12  Matthew Grooms <mgrooms@shrew.net>
        !          1304: 
        !          1305:        * src/racoon/: cfparse.y, cftoken.l, handler.c, isakmp_quick.c,
        !          1306:          pfkey.c, racoon.conf.5, sainfo.c, sainfo.h: Implement clientaddr
        !          1307:          sainfo remote id option and refine the sainfo man page syntax.
        !          1308: 
        !          1309: 2007-09-05  Matthew Grooms <mgrooms@shrew.net>
        !          1310: 
        !          1311:        * src/racoon/sainfo.c: Sort sainfo sections on insert and improve
        !          1312:          matching logic.
        !          1313: 
        !          1314: 2007-09-03  Matthew Grooms <mgrooms@shrew.net>
        !          1315: 
        !          1316:        * src/racoon/: cftoken.l, racoon.conf.5: Correct the syntax for
        !          1317:          wins4 in the man page and add nbns4 as an alias. Pointed out by
        !          1318:          Claas Langbehn.
        !          1319: 
        !          1320: 2007-08-07  Emmanuel Dreyfus <manu@netbsd.org>
        !          1321: 
        !          1322:        * src/racoon/isakmp_xauth.c: src/racoon/isakmp_xauth.c: Don't mix
        !          1323:          up RADIUS authentication and authorization ports. Allow
        !          1324:          interoperability with freeradius
        !          1325: 
        !          1326: 2007-07-24  Matthew Grooms <mgrooms@shrew.net>
        !          1327: 
        !          1328:        * NEWS: Update NEWS file with additional 0.7 improvements.
        !          1329: 
        !          1330: 2007-07-18  Matthew Grooms <mgrooms@shrew.net>
        !          1331: 
        !          1332:        * src/racoon/racoon.conf.5: Various racoon configuration manpage
        !          1333:          updates.
        !          1334: 
        !          1335: 2007-07-18  Yvan Vanhullebus <vanhu@netasq.com>
        !          1336: 
        !          1337:        * configure.ac, src/libipsec/ipsec_dump_policy.c,
        !          1338:          src/libipsec/ipsec_get_policylen.c,
        !          1339:          src/libipsec/ipsec_strerror.c, src/libipsec/key_debug.c,
        !          1340:          src/libipsec/libpfkey.h, src/libipsec/pfkey.c,
        !          1341:          src/libipsec/pfkey_dump.c, src/libipsec/policy_parse.y,
        !          1342:          src/libipsec/policy_token.l, src/libipsec/test-policy-priority.c,
        !          1343:          src/racoon/admin.c, src/racoon/backupsa.c, src/racoon/cfparse.y,
        !          1344:          src/racoon/cftoken.l, src/racoon/ipsec_doi.c,
        !          1345:          src/racoon/isakmp.c, src/racoon/isakmp_inf.c,
        !          1346:          src/racoon/isakmp_quick.c, src/racoon/pfkey.c,
        !          1347:          src/racoon/policy.c, src/racoon/proposal.c,
        !          1348:          src/racoon/remoteconf.c, src/racoon/sainfo.c,
        !          1349:          src/racoon/session.c, src/racoon/sockmisc.c,
        !          1350:          src/racoon/strnames.c, src/setkey/parse.y, src/setkey/setkey.c,
        !          1351:          src/setkey/token.l: use a single PATH_IPSEC_H to fix some
        !          1352:          path_to_ipsec.h issues
        !          1353: 
        !          1354: 2007-07-16  Yvan Vanhullebus <vanhu@netasq.com>
        !          1355: 
        !          1356:        * src/racoon/grabmyaddr.c: fixed a socket leak
        !          1357: 
        !          1358:        * src/racoon/proposal.c: indentation
        !          1359: 
        !          1360: 2007-06-07  Emmanuel Dreyfus <manu@netbsd.org>
        !          1361: 
        !          1362:        * src/racoon/isakmp_cfg.c: From Paul Winder
        !          1363:          <Paul.Winder@tadpole.com>: Fix ignored INTERNAL_DNS4_LIST
        !          1364: 
        !          1365: 2007-06-06  Yvan Vanhullebus <vanhu@netasq.com>
        !          1366: 
        !          1367:        * src/racoon/: eaytest.c, var.h: From Rong-En Fan: fix compilation
        !          1368:          with gcc 4.2
        !          1369: 
        !          1370:        * src/racoon/session.c: From Jianli Liu: speed up interfaces update
        !          1371:          when they change.
        !          1372: 
        !          1373:        * src/racoon/handler.c: ignore obsolete lifebyte when validating
        !          1374:          reloaded configuration
        !          1375: 
        !          1376: 2007-05-31  Emmanuel Dreyfus <manu@netbsd.org>
        !          1377: 
        !          1378:        * src/racoon/: main.c, policy.h, security.c: From Joy Latten
        !          1379:          <latten@austin.ibm.com> Fix file descriptor shortage when using
        !          1380:          labeled IPsec.
        !          1381: 
        !          1382: 2007-05-30  Emmanuel Dreyfus <manu@netbsd.org>
        !          1383: 
        !          1384:        * src/racoon/kmpstat.c: From Jianli Liu <jlliu@nortel.com>: In
        !          1385:          racoonctl, use the specified socket path instead of the default
        !          1386:          location
        !          1387: 
        !          1388: 2007-05-16  Christos Zoulas <christos@netbsd.org>
        !          1389: 
        !          1390:        * src/racoon/cfparse.y: coverity CID 4168: yyerror() does not
        !          1391:          return, so we proceed to de-reference NULL. Make it return -1
        !          1392:          instead like in other places.
        !          1393: 
        !          1394:        * src/racoon/cfparse.y: coverity CID 4170: yyerror() does not
        !          1395:          return, so we proceed to de-reference NULL. Make it return -1
        !          1396:          instead like in other places.
        !          1397: 
        !          1398: 2007-05-04  Yvan Vanhullebus <vanhu@netasq.com>
        !          1399: 
        !          1400:        * src/racoon/handler.c: search a ph1 by address if iph2->ph1 is
        !          1401:          NULL when validating the new config
        !          1402: 
        !          1403:        * src/racoon/handler.c: added some debug in getph1byaddr() to track
        !          1404:          some port matching problems with NAT-T
        !          1405: 
        !          1406:        * src/racoon/isakmp.c: added some debug in isakmp_chkph1there() to
        !          1407:          track some port matching problems with NAT-T
        !          1408: 
        !          1409:        * src/racoon/isakmp_inf.c: added some debug for DELETE_SA process
        !          1410: 
        !          1411:        * src/racoon/pfkey.c: Force the update of ph2 in pk_recvupdate() if
        !          1412:          NAT_T support, to solve some port match problems with the first
        !          1413:          IPSec SAs negotiated as initiator
        !          1414: 
        !          1415: 2007-04-04  Yvan Vanhullebus <vanhu@netasq.com>
        !          1416: 
        !          1417:        * src/racoon/ipsec_doi.c: checks proto_id in ipsecdoi_chkcmpids()
        !          1418: 
        !          1419:        * src/racoon/oakley.c: dumps peer's ID and peer's certificate
        !          1420:          subject /subjectaltname if they don't match
        !          1421: 
        !          1422: 2007-03-26  Yvan Vanhullebus <vanhu@netasq.com>
        !          1423: 
        !          1424:        * src/racoon/isakmp_inf.c: Store the DPD main scheduler in ph1
        !          1425:          handler, to be able to cancel it when removing the handler, and some
        !          1426:          minor cleanups in DPD code
        !          1427: 
        !          1428: 2007-03-24  Christos Zoulas <christos@netbsd.org>
        !          1429: 
        !          1430:        * src/racoon/isakmp_xauth.c: PR/36069: Huang Yushuo: racoon can't
        !          1431:          work with pam_group Set RUSER.
        !          1432: 
        !          1433: 2007-03-23  Yvan Vanhullebus <vanhu@netasq.com>
        !          1434: 
        !          1435:        * src/racoon/: ipsec_doi.c, security.c: From Joy Latten: fix a
        !          1436:          segfault when using security labels between 32bit and 64bit host.
        !          1437: 
        !          1438:        * src/racoon/handler.c: expire zombie handlers in getph2byid(), to
        !          1439:          avoid situations where we'll never negotiate a phase2 again
        !          1440: 
        !          1441:        * src/racoon/: oakley.c, racoon.conf.5: From Cyrus Rahman: give
        !          1442:          more details about what is checked when using certificates to
        !          1443:          authenticate
        !          1444: 
        !          1445: 2007-03-22  Yvan Vanhullebus <vanhu@netasq.com>
        !          1446: 
        !          1447:        * src/racoon/: cfparse.y, ipsec_doi.c: fixed subnet check to
        !          1448:          generate IPV4_ADDRESS when needed in sockaddr2id()
        !          1449: 
        !          1450: 2007-03-21  Yvan Vanhullebus <vanhu@netasq.com>
        !          1451: 
        !          1452:        * src/racoon/: handler.c, isakmp.c, isakmp_inf.c, pfkey.c: NULL
        !          1453:          sched check is now done in SCHED_KILL
        !          1454: 
        !          1455:        * src/racoon/schedule.h: checks if arg is NULL in SCHED_KILL
        !          1456: 
        !          1457: 2007-03-15  Yvan Vanhullebus <vanhu@netasq.com>
        !          1458: 
        !          1459:        * src/racoon/grabmyaddr.c: From Yves-Alexis Perez: enable
        !          1460:          monitoring of ipv6 address changes on Linux.
        !          1461: 
        !          1462:        * src/racoon/isakmp.c: Consider a negotiation timeout when
        !          1463:          retry_counter is <=0 instead of < 0
        !          1464: 
        !          1465: 2007-02-28  Matthew Grooms <mgrooms@shrew.net>
        !          1466: 
        !          1467:        * src/racoon/ipsec_doi.c: Add logic to allow ip address ids to be
        !          1468:          matched to ip subnet ids when appropriate.
        !          1469: 
        !          1470: 2007-02-21  Yvan Vanhullebus <vanhu@netasq.com>
        !          1471: 
        !          1472:        * src/racoon/ipsec_doi.c: block variable declaration before code in
        !          1473:          ipsecdoi_id2str()
        !          1474: 
        !          1475: 2007-02-20  Yvan Vanhullebus <vanhu@netasq.com>
        !          1476: 
        !          1477:        * src/racoon/isakmp_inf.c: Removed a debug printf....
        !          1478: 
        !          1479:        * src/racoon/isakmp.c: Only delete a generated SPD if its creation
        !          1480:          date matches the creation date of the SA we are currently deleting
        !          1481: 
        !          1482:        * src/racoon/: handler.c, isakmp_var.h: updated delete_spd() calls
        !          1483: 
        !          1484:        * src/racoon/: isakmp_inf.c, pfkey.c: fills creation date of
        !          1485:          generated SPDs
        !          1486: 
        !          1487:        * src/racoon/policy.h: added 'created' var
        !          1488: 
        !          1489: 2007-02-19  Yvan Vanhullebus <vanhu@netasq.com>
        !          1490: 
        !          1491:        * src/racoon/isakmp.c: Removed a debug printf....
        !          1492: 
        !          1493: 2007-02-16  Yvan Vanhullebus <vanhu@netasq.com>
        !          1494: 
        !          1495:        * src/racoon/ipsec_doi.c: From Olivier Warin: Fix a %zu in a
        !          1496:          printf.
        !          1497: 
        !          1498: 2007-02-15  Emmanuel Dreyfus <manu@netbsd.org>
        !          1499: 
        !          1500:        * src/racoon/security.c: Missing SELinux file
        !          1501: 
        !          1502:        * configure.ac: Missing stuff for SELinux
        !          1503: 
        !          1504: 2007-02-15  Yvan Vanhullebus <vanhu@netasq.com>
        !          1505: 
        !          1506:        * src/racoon/isakmp_inf.c: From "Uncle Pedro" on sf.net: Just
        !          1507:          expire a ph1 handle when receiving a DELETE-SA instead of calling
        !          1508:          purge_remote().
        !          1509: 
        !          1510:        * src/racoon/isakmp.c: Fixed the way phase1/2 messages are
        !          1511:          sent/resent, to avoid zombie handles and access to freed memory
        !          1512: 
        !          1513: 2007-02-02  Yvan Vanhullebus <vanhu@netasq.com>
        !          1514: 
        !          1515:        * src/racoon/cfparse.y: Fixed a check of NAT-T support in libipsec
        !          1516: 
        !          1517: 2007-02-01  Yvan Vanhullebus <vanhu@netasq.com>
        !          1518: 
        !          1519:        * src/racoon/isakmp_inf.c: From "Uncle Pedro" on sf.net: When
        !          1520:          receiving an ISAKMP DELETE_SA, get the cookie of the SA to be
        !          1521:          deleted from payload instead of just deleting the ISAKMP SA used to
        !          1522:          protect the informational exchange.
        !          1523: 
        !          1524: 2006-12-26  Arnaud Lacombe <alc@netbsd.org>
        !          1525: 
        !          1526:        * src/racoon/ipsec_doi.c: CID-4167: check for 'iph1->approval !=
        !          1527:          NULL'
        !          1528: 
        !          1529: 2006-12-23  Thomas Klausner <wiz@netbsd.org>
        !          1530: 
        !          1531:        * src/racoon/racoon.conf.5: Use even more macros.
        !          1532: 
        !          1533:        * src/racoon/racoon.conf.5: Use more macros.
        !          1534: 
        !          1535:        * src/racoon/racoon.conf.5: Serial comma, and bump date for
        !          1536:          previous.
        !          1537: 
        !          1538: 2006-12-18  Yvan Vanhullebus <vanhu@netasq.com>
        !          1539: 
        !          1540:        * src/racoon/crypto_openssl.c: From Joy Latten: fix a memory leak
        !          1541: 
        !          1542: 2006-12-10  tag ipsec-tools-0_7-base
        !          1543: 
        !          1544: 2006-12-10  Emmanuel Dreyfus <manu@netbsd.org>
        !          1545: 
        !          1546:        * src/: libipsec/Makefile.am, libipsec/libpfkey.h,
        !          1547:          libipsec/pfkey.c, racoon/backupsa.c, racoon/cfparse.y,
        !          1548:          racoon/pfkey.c: Bring back API and ABI backward compatibility
        !          1549:          with previous libipsec before recent interface change. Bump libipsec
        !          1550:          minor version. Remove ifdefs in struct pfkey_send_sa_args to avoid
        !          1551:          ABI compatibility lossage.  Add a capability flags to detect missing
        !          1552:          optional feature in libipsec
        !          1553: 
        !          1554:        * src/racoon/: Makefile.am, doc/README.plainrsa: From Joy Latten:
        !          1555:          README.plainrsa documenting plain RSA auth
        !          1556: 
        !          1557: 2006-12-09  Emmanuel Dreyfus <manu@netbsd.org>
        !          1558: 
        !          1559:        * configure.ac, src/libipsec/libpfkey.h, src/libipsec/pfkey.c,
        !          1560:          src/racoon/Makefile.am, src/racoon/backupsa.c,
        !          1561:          src/racoon/backupsa.h, src/racoon/cftoken.l,
        !          1562:          src/racoon/ipsec_doi.c, src/racoon/ipsec_doi.h,
        !          1563:          src/racoon/isakmp_inf.c, src/racoon/isakmp_quick.c,
        !          1564:          src/racoon/pfkey.c, src/racoon/policy.c, src/racoon/policy.h,
        !          1565:          src/racoon/proposal.c, src/racoon/proposal.h,
        !          1566:          src/racoon/remoteconf.c: From Joy Latten: Add support for SELinux
        !          1567:          security contexts. Also cleanup the libipsec interface for adding
        !          1568:          and updating security associations.
        !          1569: 
        !          1570:        * src/racoon/racoon.conf.5: From Simon Chang: More hints about
        !          1571:          plain RSA authentication
        !          1572: 
        !          1573: 2006-12-05  Yvan Vanhullebus <vanhu@netasq.com>
        !          1574: 
        !          1575:        * src/racoon/: proposal.c, proposal.h, racoon.conf.5: Check keys
        !          1576:          length regarding proposal_check level
        !          1577: 
        !          1578: 2006-11-16  Matthew Grooms <mgrooms@shrew.net>
        !          1579: 
        !          1580:        * src/racoon/sainfo.c: Correct issues associated with anonymous
        !          1581:          sainfo selection in racoon.
        !          1582: 
        !          1583: 2006-11-09  Christos Zoulas <christos@netbsd.org>
        !          1584: 
        !          1585:        * src/racoon/crypto_openssl.c: eliminate the only variable stack
        !          1586:          array allocation.
        !          1587: 
        !          1588: 2006-10-31  Christian Biere <cbiere@netbsd.org>
        !          1589: 
        !          1590:        * src/racoon/sockmisc.c: Don't define the deprecated
        !          1591:          IPV6_RECVDSTADDR if the "advanced IPv6 API" is used because
        !          1592:          IPV6_RECVPKTINFO and IPV6_PKTINFO are used to prevent potential bugs
        !          1593:          in the future just in case that the numeric value of the socket
        !          1594:          option is ever recycled.
        !          1595: 
        !          1596: 2006-10-22  Yvan Vanhullebus <vanhu@netasq.com>
        !          1597: 
        !          1598:        * src/racoon/: backupsa.c, cfparse.y: From Michal Ruzicka: fix
        !          1599:          typos
        !          1600: 
        !          1601: 2006-10-19  Yvan Vanhullebus <vanhu@netasq.com>
        !          1602: 
        !          1603:        * src/racoon/sainfo.c: From Matthew Grooms: use
        !          1604:          ipsecdoi_chkcmpids() and changed src/dst to loc/rmt in getsainfo().
        !          1605: 
        !          1606:        * src/racoon/: ipsec_doi.c, ipsec_doi.h: From Matthew Grooms: Added
        !          1607:          ipsecdoi_chkcmpids() function.
        !          1608: 
        !          1609: 2006-10-09  Emmanuel Dreyfus <manu@netbsd.org>
        !          1610: 
        !          1611:        * src/racoon/proposal.c: Fix memory leak (Coverity 3438 and 3437)
        !          1612: 
        !          1613:        * src/racoon/isakmp_unity.c: Correctly check read() return value:
        !          1614:          it's signed (Coverity 1251)
        !          1615: 
        !          1616: 2006-10-06  Emmanuel Dreyfus <manu@netbsd.org>
        !          1617: 
        !          1618:        * configure.ac, src/libipsec/pfkey_dump.c, src/racoon/algorithm.c,
        !          1619:          src/racoon/algorithm.h, src/racoon/cftoken.l,
        !          1620:          src/racoon/crypto_openssl.c, src/racoon/crypto_openssl.h,
        !          1621:          src/racoon/eaytest.c, src/racoon/ipsec_doi.c,
        !          1622:          src/racoon/ipsec_doi.h, src/racoon/oakley.h, src/racoon/pfkey.c,
        !          1623:          src/racoon/racoon.conf.5, src/racoon/strnames.c,
        !          1624:          src/setkey/setkey.8, src/setkey/test-pfkey.c, src/setkey/token.l:
        !          1625:          Camellia cipher support as in RFC 4312, from Tomoyuki Okazaki
        !          1626:          <okazaki@kick.gr.jp>
        !          1627: 
        !          1628: 2006-10-03  Emmanuel Dreyfus <manu@netbsd.org>
        !          1629: 
        !          1630:        * src/racoon/admin.c: fix endianness issue introduced yesterday
        !          1631: 
        !          1632: 2006-10-03  Yvan Vanhullebus <vanhu@netasq.com>
        !          1633: 
        !          1634:        * src/racoon/racoon.conf.5: Added remoteid/ph1id syntax
        !          1635: 
        !          1636:        * src/racoon/: cfparse.y, cftoken.l: Parses remoteid/ph1id values
        !          1637: 
        !          1638:        * src/racoon/: handler.c, isakmp_quick.c, pfkey.c, sainfo.c: Uses
        !          1639:          remoteid/ph1id values
        !          1640: 
        !          1641:        * src/racoon/: remoteconf.h, sainfo.h: Added remoteid/ph1id values
        !          1642: 
        !          1643: 2006-10-02  Emmanuel Dreyfus <manu@netbsd.org>
        !          1644: 
        !          1645:        * src/racoon/isakmp_base.c:
        !          1646:           avoid reusing free'd pointer (Coverity 2613)
        !          1647: 
        !          1648:        * src/racoon/isakmp_inf.c: Check for NULL pointer (Coverity 4175)
        !          1649: 
        !          1650:        * src/racoon/isakmp_ident.c: Remove dead code (Coverity 3451)
        !          1651: 
        !          1652:        * src/racoon/algorithm.c: Fix array overrun (Coverity 4172)
        !          1653: 
        !          1654:        * src/racoon/admin.c: Fix memory leak (Coverity 2002)
        !          1655: 
        !          1656:        * src/racoon/: admin.c, isakmp.c, sockmisc.c: Fix memory leak
        !          1657:          (Coverity 2001), refactor the code to use port get/set functions
        !          1658: 
        !          1659:        * src/racoon/admin.c: Avoid reusing free'd pointer (Coverity 4200)
        !          1660: 
        !          1661:        * src/racoon/oakley.c: Don't use NULL pointer (Coverity 3443),
        !          1662:          reformat to 80 char/line
        !          1663: 
        !          1664: 2006-10-02  Tom Spindler <dogcow@netbsd.org>
        !          1665: 
        !          1666:        * src/racoon/ipsec_doi.c: If you're going to initialize a pointer,
        !          1667:          you have to init it with a pointer type, not an int.
        !          1668: 
        !          1669: 2006-10-02  Emmanuel Dreyfus <manu@netbsd.org>
        !          1670: 
        !          1671:        * src/racoon/isakmp.c: Don't use NULL pointer (Coverity 3439)
        !          1672: 
        !          1673:        * src/racoon/ipsec_doi.c: Don't use NULL pointer (Coverity 1334)
        !          1674: 
        !          1675:        * src/racoon/pfkey.c: Don't use NULL pointer (Coverity 944)
        !          1676: 
        !          1677:        * src/racoon/proposal.c: Don't use NULL pointer (Coverity 941)
        !          1678: 
        !          1679:        * src/racoon/racoonctl.c: Don't use NULL pointer (Coverity 942)
        !          1680: 
        !          1681:        * src/racoon/sockmisc.c: Don't use null pointer (Coverity 863)
        !          1682: 
        !          1683: 2006-10-01  Emmanuel Dreyfus <manu@netbsd.org>
        !          1684: 
        !          1685:        * src/racoon/ipsec_doi.c: Fix memory leak (Coverity 4181)
        !          1686: 
        !          1687:        * src/racoon/isakmp.c: Check that iph1->remote is not NULL before
        !          1688:          using it (Coverity 3436)
        !          1689: 
        !          1690: 2006-09-30  Emmanuel Dreyfus <manu@netbsd.org>
        !          1691: 
        !          1692:        * src/racoon/isakmp_agg.c: Remove dead code (Coverity 4165)
        !          1693: 
        !          1694:        * src/racoon/isakmp_cfg.c: Fix memory leak (Coverity 4179)
        !          1695: 
        !          1696:        * src/racoon/samples/roadwarrior/client/: phase1-down.sh,
        !          1697:          phase1-up.sh: update the scripts for working around routing
        !          1698:          problems on NetBSD
        !          1699: 
        !          1700:        * src/racoon/session.c: Reuse existing code for closing IKE
        !          1701:          sockets, and avoid screwing things by setting p->sock = -1, which is
        !          1702:          not expected (Coverity 4173).
        !          1703: 
        !          1704:        * src/racoon/admin.c: Do not free id and key, as they are used
        !          1705:          later
        !          1706: 
        !          1707: 2006-09-29  Emmanuel Dreyfus <manu@netbsd.org>
        !          1708: 
        !          1709:        * src/racoon/racoonctl.c: Fix the fix: handle_recv closes the
        !          1710:          socket, so we must call com_init before sending any data.
        !          1711: 
        !          1712: 2006-09-28  Emmanuel Dreyfus <manu@netbsd.org>
        !          1713: 
        !          1714:        * src/racoon/isakmp_xauth.c: Fix unchecked mallocs (Coverity 4176,
        !          1715:          4174)
        !          1716: 
        !          1717:        * src/racoon/racoonctl.c: Fix access after free (Coverity 4178)
        !          1718: 
        !          1719: 2006-09-26  Emmanuel Dreyfus <manu@netbsd.org>
        !          1720: 
        !          1721:        * src/racoon/cfparse.y: Fix memory leak (Coverity)
        !          1722: 
        !          1723:        * src/racoon/backupsa.c: Fix memory leak (Coverity)
        !          1724: 
        !          1725:        * src/racoon/admin.c: Remove dead code (Coverity)
        !          1726: 
        !          1727:        * src/racoon/admin.c: Fix memory leak (Coverity)
        !          1728: 
        !          1729:        * src/racoon/admin.c: One more memory leak
        !          1730: 
        !          1731:        * src/racoon/admin.c: Fix memory leak in racoonctl (Coverity)
        !          1732: 
        !          1733:        * src/racoon/ipsec_doi.c: Fix buffer overflow. Also fix credits: SA
        !          1734:          bundle fix was contributed by Jeff Bailey, not Matthew Grooms.
        !          1735:          Matthew updated the patch for current code, though.
        !          1736: 
        !          1737:        * src/racoon/: pfkey.c, proposal.c: fix SA bundle (e.g.: for
        !          1738:          negotiating ESP+IPcomp)
        !          1739: 
        !          1740: 2006-09-25  Yvan Vanhullebus <vanhu@netasq.com>
        !          1741: 
        !          1742:        * src/racoon/isakmp.c: From Yves-Alexis Perez: struct ip -> struct
        !          1743:          iphdr for Linux
        !          1744: 
        !          1745: 2006-09-25  Emmanuel Dreyfus <manu@netbsd.org>
        !          1746: 
        !          1747:        * src/racoon/isakmp.c: style (mostly for testing
        !          1748:          ipsec-tools-commits@netbsd.org)
        !          1749: 
        !          1750:        * src/racoon/ipsec_doi.c: Fix double free, from Matthew Grooms
        !          1751: 
        !          1752: 2006-09-21  Yvan Vanhullebus <vanhu@netasq.com>
        !          1753: 
        !          1754:        * src/libipsec/pfkey.c: use sysdep_sa_len to make it compile on
        !          1755:          Linux
        !          1756: 
        !          1757: 2006-09-19  Thomas Klausner <wiz@netbsd.org>
        !          1758: 
        !          1759:        * src/racoon/racoon.conf.5: Bump date for ike_frag force.
        !          1760: 
        !          1761:        * src/racoon/: plainrsa-gen.8, racoon.conf.5: New sentence, new
        !          1762:          line.
        !          1763: 
        !          1764:        * src/racoon/: racoon.conf.5, plainrsa-gen.8: Remove trailing
        !          1765:          whitespace.
        !          1766: 
        !          1767: 2006-09-19  Yvan Vanhullebus <vanhu@netasq.com>
        !          1768: 
        !          1769:        * src/racoon/proposal.c: From Yves-Alexis Perez: fixes default
        !          1770:          value for encmodesv in set_proposal_from_policy()
        !          1771: 
        !          1772:        * src/racoon/isakmp.c: always include some headers, as they are
        !          1773:          required even without NAT-T
        !          1774: 
        !          1775:        * src/: libipsec/pfkey_dump.c, setkey/token.l: From Larry Baird:
        !          1776:          define SADB_X_EALG_AESCBC as SADB_X_EALG_AES if needed
        !          1777: 
        !          1778:        * src/racoon/crypto_openssl.c: From Larry Baird: some printf() ->
        !          1779:          plog()
        !          1780: 
        !          1781: 2006-09-18  Emmanuel Dreyfus <manu@netbsd.org>
        !          1782: 
        !          1783:        * src/racoon/: cfparse.y, cftoken.l, isakmp.c, isakmp_frag.h,
        !          1784:          isakmp_inf.c, racoon.conf.5, remoteconf.c: From Matthew Grooms:
        !          1785:          ike_frag force option to force the use of IKE on first packet
        !          1786:          exchange (prior to peer consent)
        !          1787: 
        !          1788: 2006-09-18  Yvan Vanhullebus <vanhu@netasq.com>
        !          1789: 
        !          1790:        * rpm/suse/ipsec-tools.spec, src/racoon/prsa_tok.c: removed
        !          1791:          generated files from the CVS
        !          1792: 
        !          1793:        * src/racoon/prsa_par.c: removed generated files from the CVS
        !          1794: 
        !          1795:        * src/racoon/: cfparse.c, cftoken.c: removed generated files from
        !          1796:          the CVS
        !          1797: 
        !          1798: 2006-09-18  Emmanuel Dreyfus <manu@netbsd.org>
        !          1799: 
        !          1800:        * src/racoon/isakmp.c: From Matthew Grooms: handle IKE frag used in
        !          1801:          the first packet. That should not normally happen, as the initiator
        !          1802:          does not know yet if the responder can handle IKE frag.  However, in
        !          1803:          some setups, the first packet is too big to get through, and
        !          1804:          assuming the peer supports IKE frag is the only way to go.
        !          1805: 
        !          1806:          racoon should have a setting in the remote section to do that
        !          1807:          (something like ike_frag force)
        !          1808: 
        !          1809: 2006-09-16  Emmanuel Dreyfus <manu@netbsd.org>
        !          1810: 
        !          1811:        * src/racoon/ipsec_doi.c: Trivial bugfix in RFC2407 4.6.2
        !          1812:          conformance, from Matthew Grooms
        !          1813: 
        !          1814: 2006-09-15  Emmanuel Dreyfus <manu@netbsd.org>
        !          1815: 
        !          1816:        * src/racoon/ipsec_doi.c: Fix build on Linux
        !          1817: 
        !          1818: For older changes see ChangeLog.old
