Annotation of embedaddon/ipsec-tools/ChangeLog, revision 1.1.1.1
2011-03-17 Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/oakley.c: fixed a memory leak in
	oakley_append_rmconf_cr() while generating plist. patch by Roman
	Hoog Antink <rha@open.ch>

	* src/racoon/oakley.c: free name later, to avoid a memory use after
	free in oakley_check_certid(). also give iph1->remote to some plog()
	calls. patch by Roman Hoog Antink <rha@open.ch>

	* src/racoon/oakley.c: fixed a memory leak in
	oakley_check_certid(). patch by Roman Hoog Antink <rha@open.ch>

2011-03-15 Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/: isakmp.c, isakmp_inf.c, pfkey.c: directly call
	isakmp_ph1delete() instead of scheduling isakmp_ph1delete_stub(), as
	it is useless and can lead to memory access after free

2011-03-14 Timo Teras <timo.teras@iki.fi>

	* src/racoon/: grabmyaddr.c, handler.c, isakmp.c, isakmp_inf.c,
	isakmp_quick.c, nattraversal.c, pfkey.c, policy.c, sockmisc.c,
	sockmisc.h, throttle.c: Explicitly compare return value of
	cmpsaddr() against a return value define to make it more obvious
	what is the intended action. One more return value is also added, to
	fix comparison of security policy descriptors. Namely, getsp()
	should not allow wildcard matching (as the comment says, it does
	exact matching) - otherwise we get problems when kernel has generic
	policy with no ports, and a second similar policy with ports.

2011-03-14 Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/: cfparse.y, isakmp_xauth.c, isakmp_xauth.h,
	remoteconf.c, remoteconf.h, rsalist.c, rsalist.h: avoid some
	memory leaks / free memory access when reloading conf and have
	inherited config. patch from Roman Hoog Antink <rha@open.ch>

	* src/racoon/handler.c: removed a useless comment

	* src/racoon/handler.c: check if we got RMCONF_ERR_MULTIPLE from
	getrmconf_by_ph1() in revalidate_ph1tree_rmconf()

2011-03-11 Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/: handler.c, isakmp.c: directly delete a ph1 in
	remove_ph1() instead of scheduling it, to avoid (completely?) a
	race condition when reloading configuration

2011-03-06 Timo Teras <timo.teras@iki.fi>

	* src/racoon/privsep.c: Quiet a gcc warning when strict-aliasing
	checks are enabled. Reported by Stephen Clark.

2011-03-02 Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/session.c: flush sainfo list when closing session.
	patch by Roman Hoog Antink <rha@open.ch>

	* src/racoon/: remoteconf.c, rsalist.c, rsalist.h: free rsa
	structures when deleting a struct rmconf. patch by Roman Hoog Antink
	<rha@open.ch>

	* src/racoon/: cfparse.y, remoteconf.c, remoteconf.h: free spspec
	when deleting a rmconf struct. patch by Roman Hoog Antink
	<rha@open.ch>

	* src/racoon/: remoteconf.c, session.c: fixed some memory leaks in
	remoteconf. patch by Roman Hoog Antink <rha@open.ch>

	* src/racoon/: cfparse.y, prsa_par.y: fixed some memory leaks
	during configuration parsing. patch by Roman Hoog Antink
	<rha@open.ch>

2011-03-01 Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/: isakmp.c, pfkey.c: plog text fixes, patch from M E
	Andersson <debian@gisladisker.se>

	* src/racoon/cfparse.y: reset yyerrorcount before doing parse
	stuff. patch by Roman Hoog Antink <rha@open.ch>

2011-02-20 Timo Teras <timo.teras@iki.fi>

	* src/racoon/oakley.c: From Roman Hoog Antink <rha@open.ch>: Fix
	memory leak when using plain RSA key authentication.

2011-02-11 Timo Teras <timo.teras@iki.fi>

	* src/racoon/plainrsa-gen.c: From Mats E Andersson
	<debian@gisladisker.se>: Fix fprintf format specifier usage from
	previous patch.

2011-02-10 Timo Teras <timo.teras@iki.fi>

	* src/racoon/plainrsa-gen.c: From Mats Erik Andersson
	<debian@gisladisker.se>: Implement importing of RSA keys from PEM
	files.

	* src/racoon/prsa_par.y: From M E Andersson
	<debian@gisladisker.se>: Fix parsing of restricted RSA key
	addresses.

2011-02-02 Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/: cftoken.l, isakmp.c, remoteconf.h, sainfo.c,
	sainfo.h: store ph1id in a u_int32_t instead of a (signed) int.
	Patch from Christophe Carre

2011-01-28 Timo Teras <timo.teras@iki.fi>

	* src/racoon/: sainfo.c, sainfo.h, session.c: From Roman Hoog
	Antink <rha@open.ch>: Clean up sainfo reloading: rename the
	functions, and remove unneeded global variable.

	* src/racoon/: remoteconf.c, remoteconf.h, session.c: From Roman
	Hoog Antink <rha@open.ch>: Clean up rmconf reloading: rename the
	functions, and remove unneeded global variable.

	* src/racoon/plog.c: From Roman Hoog Antink <rha@open.ch>: Log
	remote IP address if available (slightly modified by tteras)

2011-01-22 Timo Teras <timo.teras@iki.fi>

	* src/racoon/isakmp_inf.c: From Roman Hoog Antink <rha@open.ch>:
	Fixes a null pointer dereference that might occur after removing
	peers from the config and then reloading.

2011-01-20 Yvan Vanhullebus <vanhu@netasq.com>

	* src/libipsec/pfkey.c: fixed a typo, it will now compile when
	KMADDRESS is defined. reported by Roman Hoog Antink (rha (at)
	open.ch)

2010-12-28 Timo Teras <timo.teras@iki.fi>

	* src/racoon/handler.c: From Roman Hoog Antink <rha@open.ch>: Fix
	config reload to not delete too many phase 2 handles, because wrong
	chain field is used when enumerating the handles.

2010-12-16 gdt

	* src/racoon/oakley.c: When encountering a certificate where "ID
	mismatched with ASN1 SubjectName", and verify_identifier is off,
	don't raise an error. This makes the behavior match the man page.

	Patch sent for review long ago:
	http://mail-index.netbsd.org/tech-security/2006/03/24/0000.html
	with no negative feedback received to date.

2010-12-14 Timo Teras <timo.teras@iki.fi>

	* src/racoon/ipsec_doi.c: From Roman Hoog Antink <rha@open.ch>: Fix
	possible null dereference.

2010-12-08 Timo Teras <timo.teras@iki.fi>

	* src/racoon/admin.c: Use separate SA addresses for phase2's
	created by admin command. The phase2 startup overwrites src/dst with
	ISAKMP ports if they are zero and we don't want that to happen for
	the SA ports.

2010-12-08 joerg

	* src/libipsec/pfkey.c: ANSIfy

2010-12-07 Timo Teras <timo.teras@iki.fi>

	* src/racoon/isakmp_quick.c: Fix spacing and improve wording in
	some log messages.

2010-12-03 Timo Teras <timo.teras@iki.fi>

	* src/libipsec/ipsec_dump_policy.c: Recognize direction for Linux
	per-socket policies.

	* src/: libipsec/libpfkey.h, libipsec/pfkey_dump.c, setkey/parse.y,
	setkey/setkey.8: Support GRE key as upper layer protocol
	specifier (will be supported in Linux kernel 2.6.38).

	* src/racoon/grabmyaddr.c: Netlink deletion notification does not
	guarantee actual address deletion: it might still exist on some
	other interface. Make sure we do not unbind unless the address is
	really gone.

2010-11-17 Timo Teras <timo.teras@iki.fi>

	* src/racoon/: handler.c, handler.h, isakmp.c, isakmp_inf.c: Fix my
	previous patch to not call purge_remote() twice. Change the place
	where purge_remote() is called. This also fixes a possible crash
	from the same patch since ph1->remote can be NULL (when we are
	responder and config is not yet selected).

2010-11-12 Timo Teras <timo.teras@iki.fi>

	* src/racoon/: admin.c, isakmp.c, isakmp_var.h, pfkey.c:
	isakmp_post_acquire is now called from admin commands too, add a
	flag so admin commands can be used to establish even passive links
	on demand.

	* src/racoon/isakmp.c: Purge all IPsec-SAs if the last main
	ISAKMP-SA for the node is deleted by remote request and the phase1
	rekeying is enabled (this will also trigger the new phase1_dead
	script hook).

	* src/racoon/: handler.h, isakmp_inf.c: Improve DPD sequence checks
	to allow any reply within the valid sequence window to be proof of
	liveness. This can improve things if there are random packet
	delays, or if racoon is not getting enough CPU time.

	* src/racoon/: admin.c, admin.h, kmpstat.c, racoonctl.c: Extend
	admin protocol to allow reply packets to exceed 64kb. E.g. SA dumps
	with many established SAs can easily be over the limit.

2010-10-22 Timo Teras <timo.teras@iki.fi>

	* src/racoon/grabmyaddr.c: Change Linux Netlink address monitoring
	to monitor local route changes. This works around a kernel bug, and
	slightly improves behaviour on some special cases.

2010-10-21 Timo Teras <timo.teras@iki.fi>

	* src/racoon/: admin.c, evt.c, grabmyaddr.c, isakmp.c, pfkey.c,
	session.c, session.h: Introduce priorities for file descriptor
	polling mechanism and give priority to admin port. If admin port is
	used by ISAKMP-SA hook scripts they should be preferred, otherwise
	heavy traffic can delay admin port requests considerably. This in
	turn may cause renegotiation loop for ISAKMP-SA. This is mostly
	useful for OpenNHRP setup, but can benefit other setups too.

	* src/racoon/: admin.c, handler.c, handler.h: Remove
	initial-contact entry when all ISAKMP-SA are purged via adminport.
	This will avoid stale security associations if some of the delete
	notifications happen to get lost.

2010-10-20 Timo Teras <timo.teras@iki.fi>

	* src/racoon/crypto_openssl.c: Use high-level openssl EVP and HMAC
	functions when possible: this allows openssl to perform hardware
	acceleration if available.

	* src/racoon/: isakmp.c, isakmp_quick.c: Various improvements to
	error log messages and a few additional error log messages to
	improve diagnosing an error condition.

	* src/racoon/grabmyaddr.c: Fix address comparison so we actually
	close sockets which were bound to IP-address that got deconfigured.

2010-10-11 Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/ipsec_doi.c: report a higher encryption key length in
	approval for OBEY / CLAIM / STRICT modes

2010-09-27 Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/isakmp_xauth.c: fixed some typos in logs (reported by
	fazaeli (at) sepehrs.com)

2010-09-24 Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/cftoken.l: fixed a fd leak, patch by getlaser (at)
	gmail.com

2010-09-22 Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/admin.c: get the correct length of username when
	processing ADMIN_LOGOUT_USER, patch by rweikusat (at) mssgmbh.com

	* src/racoon/nattraversal.h: fixed a typo in macros, reported by
	marisp (at) mt.lv

2010-09-21 Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/isakmp_cfg.c: moved from utmp.h to utmpx.h (patch
	provided by marcin.cieslak (at) gmail.com)

2010-09-08 Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/remoteconf.c: fixed remoteconf selection when no ID
	specified in configuration, and added some debug to remoteconf
	selection

2010-08-26 Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/remoteconf.c: fix by Sergio.Gelato (at) astro.su.se:
	duplicate some dynamic values in duprmconf()

2010-08-04 Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/isakmp_cfg.c: fixed answer for IP4_SUBNET request

2010-07-30 Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/doc/FAQ: updated link to NetBSD's documentation

2010-06-22 Thomas Klausner <wiz@netbsd.org>

	* src/racoon/racoon.conf.5: Bump date for previous.

2010-06-22 Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/: cfparse.y, cftoken.l, isakmp.c, isakmp_inf.c,
	racoon.conf.5, remoteconf.c, remoteconf.h: added a specific
	script hook when a dead peer is detected

2010-06-04 Thomas Klausner <wiz@netbsd.org>

	* src/setkey/setkey.8: New sentence, new line. Bump date for
	previous.

2010-06-04 Yvan Vanhullebus <vanhu@netasq.com>

	* src/setkey/: parse.y, setkey.8, token.l: Added support for
	spdupdate command in setkey

2010-04-07 Yvan Vanhullebus <vanhu@netasq.com>

	* src/libipsec/ipsec_strerror.c: by Eric Preston: fixed a typo

2010-04-02 Christos Zoulas <christos@netbsd.org>

	* src/: libipsec/pfkey_dump.c, racoon/backupsa.c: handle ctime
	returning NULL.

2010-03-11 Christos Zoulas <christos@netbsd.org>

	* src/racoon/handler.c: PR/42363: Yasuoka Masahiko: Second part of
	the patch: iterate only on the phase2 handles that are bound by the
	given phase1 handle.

2010-03-05 Timo Teras <timo.teras@iki.fi>

	* src/: libipsec/ipsec_set_policy.3, racoon/privsep.c,
	racoon/doc/FAQ, setkey/setkey.8: From Stefan Bauer: Fix multiple
	typos and manpage formatting errors.

2010-03-04 Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/session.c: From Pierre POMES: fixed admin port
	initialization

2010-02-28 snj

	* src/racoon/: sockmisc.c, sockmisc.h: Fight the ever-increasing
	size of src checkouts by spelling "useful" without an extra l.

2010-02-09 Thomas Klausner <wiz@netbsd.org>

	* src/racoon/: pfkey.c, proposal.h: Fix typo in comment.

2010-01-17 Thomas Klausner <wiz@netbsd.org>

	* src/racoon/sainfo.c: Free strdup'ed string after using it. Found
	by cppcheck.

	* src/racoon/: eaytest.c, ipsec_doi.c: Close file handles after
	using them. Found by cppcheck.

2010-01-15 joerg

	* src/setkey/setkey.8: Use .%U instead of .%O for URLs.

2009-12-11 Timo Teras <timo.teras@iki.fi>

	* src/racoon/Makefile.am: From Paul Wernau: vmbuf.h was defined
	twice in the headers. Remove the redundant entry so new install tool
	does not complain about overwriting just installed file.

2009-11-22 Christos Zoulas <christos@netbsd.org>

	* src/racoon/handler.c: PR/42363: Yasuoka Masahiko:

	racoon uses a wrong IPsec-SA handle that is for other peer in case
	it receives an ISAKMP message for IPsec-SA that has the same
	message-id as the message-id that was received before.

	racoon uses message-id to find the handle of IPsec-SA. The
	message-id is a unique number for each peer, but different peers may
	use the same value.

	Different Windows Vista or Windows 7 peers seem to use the same
	message-id. racoon can handle the first Windows's Phase-2, but it
	cannot handle the second Windows, because racoon misunderstands the
	message for the second Windows as the message for the first Windows.

	>Category:       bin
	>Synopsis:       racoon uses a wrong IPsec-SA that is for different peer
	>Confidential:   no
	>Severity:       serious
	>Priority:       medium
	>Responsible:    bin-bug-people
	>State:          open
	>Class:          sw-bug
	>Submitter-Id:   net
	>Arrival-Date:   Sun Nov 22 18:25:00 +0000 2009
	>Originator:     yasuoka@iij.ad.jp

2009-10-29 Christos Zoulas <christos@netbsd.org>

	* src/setkey/token.l: use %option noinput nounput

2009-10-28 Christos Zoulas <christos@netbsd.org>

	* src/setkey/token.l: no unput

2009-10-14 joerg

	* src/libipsec/ipsec_set_policy.3: Do not use .Xo/.Xc to work around
	ancient groff limits.

	* src/setkey/setkey.8: Do not use .Xo/.Xc to work around ancient
	groff limits. Fix markup.

	* src/racoon/racoon.conf.5: Don't use .Xo/.Xc to work around
	ancient groff limits. Set only one list type.

2009-09-18 Timo Teras <timo.teras@iki.fi>

	* src/racoon/: isakmp_agg.c, isakmp_ident.c: From Tomas Mraz: Fix
	gssapi error checking.

2009-09-03 Timo Teras <timo.teras@iki.fi>

	* src/racoon/: admin.c, handler.c, handler.h, isakmp.c,
	isakmp_var.h, pfkey.c: When rekeying phase2, use the phase1 that was
	used to negotiate the phase2 as a hint to select the phase1 for
	rekeying the new phase2.

2009-09-01 Timo Teras <timo.teras@iki.fi>

	* src/racoon/: nattraversal.c, racoon.conf.5, vendorid.c: Check
	nat_traversal configuration from remote configuration candidates
	when acting as responder. Enable NAT-T if any of the remote
	candidates have NAT-T enabled.

	* src/racoon/remoteconf.c: Change remote conf matching level to
	matching score. This way one can override anonymous certificate
	block config with more exact "inherited" IP specific block.

	* src/racoon/: isakmp.c, racoon.conf.5: From Maik Broemme: export
	ISAKMP SA identity as REMOTE_ID for phase1 up script (trac #313).

2009-08-24 Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/oakley.c: fixed typo: algoriym -> algorithm

2009-08-19 Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/remoteconf.c: fixed address check in
	rmconf_match_type(), just check address with wildcard port

2009-08-19 Timo Teras <timo.teras@iki.fi>

	* src/racoon/remoteconf.c: Have an enum for rmconf_match_type()
	return values to make the code a bit more readable.

2009-08-18 Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/oakley.c: typo: algoritym -> algorithm

2009-08-17 Yvan Vanhullebus <vanhu@netasq.com>

	* src/libipsec/libpfkey.h: do not use SADB_X_NAT_T_NEW_MAPPING to
	check system support for NAT-T, as at least FreeBSD doesn't have
	this define anymore

	* src/racoon/schedule.h: include stddef.h so we have a chance to
	get the system offsetof if present

	* src/racoon/crypto_openssl.h: removed a self include

2009-08-13 Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/oakley.c: fixed a potential DoS in
	oakley_do_decrypt(), reported by Orange Labs

2009-08-10 Timo Teras <timo.teras@iki.fi>

	* src/racoon/pfkey.c: Don't print EAGAIN error from
	pfkey_handler(), it can occur normally under some code paths and is
	not a hard error in any case.

2009-08-06 Timo Teras <timo.teras@iki.fi>

	* src/setkey/setkey.c: From Paul Wernau: Check fgets return value in
	setkey to make gcc happy.

2009-08-05 Timo Teras <timo.teras@iki.fi>

	* src/racoon/pfkey.c: From Paul Wernau: Fix transport mode per-port
	security associations that got broken during NAT-T fixes.

2009-07-07 Timo Teras <timo.teras@iki.fi>

	* src/racoon/sockmisc.c: From Arnaud Ebalard: Fix possible usage of
	uninitialized local variable (not sure if any code path triggers
	this, but this makes compiler happy).

2009-07-03 Timo Teras <timo.teras@iki.fi>

	* src/racoon/: admin.c, grabmyaddr.c, handler.c, handler.h,
	isakmp.c, isakmp_cfg.c, isakmp_inf.c, isakmp_quick.c,
	nattraversal.c, pfkey.c, policy.c, remoteconf.c, remoteconf.h,
	sockmisc.c, sockmisc.h, throttle.c: Get rid of the evil CMPSADDR
	macro. Trac #295.

	* src/: libipsec/libpfkey.h, libipsec/pfkey.c, racoon/isakmp.c,
	racoon/isakmp_inf.c, racoon/pfkey.c, racoon/pfkey.h: From Yvan
	Vanhullebus: Use SADB_X_EXT_NAT_T_* consistently for passing the
	NAT-T port information. This might break compatibility with some
	kernels, but as discussed this is the proper way to pass NAT-T ports
	and the broken kernels need to be fixed.

2009-06-24 Timo Teras <timo.teras@iki.fi>

	* src/racoon/session.c: Fix a call to null pointer: in some cases,
	unmonitor_fd can be called from another fd's callback. That
	could leave a callback still pending after unmonitoring the fd,
	resulting in a call to a null pointer. This is fixed by making
	unmonitor_fd now clear the pending fd_set too. Bug was introduced
	by my commit of 2008-12-23.

2009-05-20 Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/isakmp.h: typo

2009-05-19 Timo Teras <timo.teras@iki.fi>

	* src/racoon/: ipsec_doi.c, isakmp.c: From Jukka Salmi: Fix a couple
	of typos from previous commit.

2009-05-18 Timo Teras <timo.teras@iki.fi>

	* src/racoon/: ipsec_doi.c, isakmp.c, sockmisc.c, sockmisc.h: From
	Tomas Mraz: Introduce union sockaddr_any and use it to make code
	more readable. Related to trac #293.

	* src/racoon/isakmp_inf.c: From Tomas Mraz: Remove variable that is
	not really used; only referenced while uninitialized causing
	valgrind error.

	* src/racoon/nattraversal.c: From Tomas Mraz: Fix natt_flags check.

2009-05-04 Thomas Klausner <wiz@netbsd.org>

	* src/racoon/racoon.conf.5: Remove superfluous spaces around
	parentheses.

2009-04-29 Timo Teras <timo.teras@iki.fi>

	* src/racoon/crypto_openssl.c: From Ross Meng: Fix a memory leak in
	X509 certificate validation.

2009-04-28 Timo Teras <timo.teras@iki.fi>

	* src/racoon/handler.c: Reset nat_oa variables too when reusing
	phase two handler. Otherwise phase2 rekeying might fail in some
	scenarios.

2009-04-22 Timo Teras <timo.teras@iki.fi>

	* src/racoon/isakmp_frag.c: From Neil Kettle: Fix a possible null
	pointer dereference in fragmentation code.

2009-04-21 Timo Teras <timo.teras@iki.fi>

	* src/racoon/: grabmyaddr.c, grabmyaddr.h, session.c: Fix
	strict_address to work again. The lists need to be initialized
	before configuration is read, which happens before the my_addr_init()
	call.

2009-04-20 Timo Teras <timo.teras@iki.fi>

	* src/racoon/: isakmp.c, isakmp.h, isakmp_var.h: Fix a memory leak
	in certificate request generation.

	* src/racoon/: isakmp_inf.c, isakmp_xauth.c, plog.c: Originally from
	Bin Li: Fix possible memory corruption in binsanitize().

	* src/racoon/crypto_openssl.c: From Stephen Bevan: Fix an X509
	signature verification memory leak.

	* src/racoon/: admin.c, racoonctl.c: Originally from Bin Li: Fix a
	crash with racoonctl logout user.

	* src/racoon/nattraversal.c: Fix a memory leak in nat-t keepalive
	code.

	* src/racoon/handler.c: From Paul Moore: Phase2 message id's should
	be unique wrt phase1, not globally.
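This entry and the PR/42363 entry above (2009-11-22) describe the same lookup problem: phase 2 handles selected by message-id alone collide as soon as two peers choose the same value. The C program below is an added illustration written for this page, not racoon code; the handle structs, peer addresses, list order and the two lookup functions are constructed stand-ins for racoon's unscoped and phase1-scoped lookups.

```c
#include <stdint.h>
#include <stdio.h>

/* Cut-down stand-ins for racoon's phase 1 and phase 2 handles (constructed
 * for this example; the real structs carry far more state). */
struct ph1handle {
    const char *remote;          /* peer address, kept as text here */
};

struct ph2handle {
    struct ph1handle *ph1;       /* phase 1 (peer) this phase 2 belongs to */
    uint32_t msgid;              /* ISAKMP message-id chosen by the peer */
    uint32_t spi;                /* stands in for the IPsec-SA being set up */
    struct ph2handle *next;
};

/* Pre-fix behaviour from PR/42363: the handle is selected by message-id
 * only, so whichever peer happened to pick this value first wins. */
static struct ph2handle *
getph2bymsgid_global(struct ph2handle *list, uint32_t msgid)
{
    for (; list != NULL; list = list->next)
        if (list->msgid == msgid)
            return list;
    return NULL;
}

/* Fixed behaviour: a message-id is only meaningful within one phase 1,
 * so the lookup is scoped to the phase 1 the message arrived on. */
static struct ph2handle *
getph2bymsgid(struct ph2handle *list, struct ph1handle *ph1, uint32_t msgid)
{
    for (; list != NULL; list = list->next)
        if (list->ph1 == ph1 && list->msgid == msgid)
            return list;
    return NULL;
}

/* Uniqueness check for a message-id about to be allocated as initiator:
 * per the 2009-04-20 entry it must be unique with respect to the phase 1,
 * not across every peer. Returns 1 when the (ph1, msgid) pair is unused. */
static int
msgid_is_free(struct ph2handle *list, struct ph1handle *ph1, uint32_t msgid)
{
    return getph2bymsgid(list, ph1, msgid) == NULL;
}

/* Constructed scenario: two peers that both chose message-id 0x0100 for
 * their quick mode exchange, listed in the order they connected. */
static struct ph1handle peer_a = { "192.0.2.10" };
static struct ph1handle peer_b = { "192.0.2.20" };
static struct ph1handle peer_c = { "192.0.2.30" };   /* no phase 2 yet */
static struct ph2handle ph2_b = { &peer_b, 0x0100, 2, NULL };
static struct ph2handle ph2_a = { &peer_a, 0x0100, 1, &ph2_b };
static struct ph2handle *ph2tree = &ph2_a;

/* SPI the unscoped lookup acts on when a message from peer_b arrives. */
uint32_t spi_for_peer_b_global(void)
{
    struct ph2handle *p = getph2bymsgid_global(ph2tree, 0x0100);
    return p != NULL ? p->spi : 0;
}

/* SPI the scoped lookup acts on for the same message. */
uint32_t spi_for_peer_b_scoped(void)
{
    struct ph2handle *p = getph2bymsgid(ph2tree, &peer_b, 0x0100);
    return p != NULL ? p->spi : 0;
}

/* peer_c may start a phase 2 with 0x0100 (1); peer_a may not reuse it (0). */
int peer_c_may_use_msgid(void) { return msgid_is_free(ph2tree, &peer_c, 0x0100); }
int peer_a_may_reuse_msgid(void) { return msgid_is_free(ph2tree, &peer_a, 0x0100); }

int main(void)
{
    struct ph2handle *wrong = getph2bymsgid_global(ph2tree, 0x0100);
    struct ph2handle *right = getph2bymsgid(ph2tree, &peer_b, 0x0100);

    printf("message from %s, msgid 0x%04x\n", peer_b.remote, 0x0100u);
    printf("  msgid-only lookup: SPI %u, owned by %s\n",
           (unsigned)wrong->spi, wrong->ph1->remote);
    printf("  scoped lookup    : SPI %u, owned by %s\n",
           (unsigned)right->spi, right->ph1->remote);
    printf("peer_c may use 0x0100: %d, peer_a may reuse it: %d\n",
           peer_c_may_use_msgid(), peer_a_may_reuse_msgid());
    return 0;
}
```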
586:
587: 2009-03-13 Timo Teras <timo.teras@iki.fi>
588:
589: * src/racoon/: pfkey.c, remoteconf.h: From Arnaud Ebalard: Fix
590: couple of problems with previous commit.
591:
592: 2009-03-12 he
593:
594: * src/racoon/: isakmp.c, remoteconf.c: When casting to/from a
595: pointer to an integral type (a bad practice, if you ask me), you
596: need to cast via intptr_t for portability.
597:
598: 2009-03-12 Thomas Klausner <wiz@netbsd.org>
599:
600: * src/racoon/racoon.conf.5: New sentence, new line. Avoid marking
601: up punctuation.
602:
603: * src/racoon/racoonctl.8: Bump date for previous. Sort options to
604: establish-sa. Stop using Xo/Xc.
605:
606: 2009-03-12 Timo Teras <timo.teras@iki.fi>
607:
608: * src/racoon/: admin.c, cfparse.y, cftoken.l, crypto_openssl.c,
609: crypto_openssl.h, dnssec.c, dnssec.h, handler.c, handler.h,
610: ipsec_doi.c, ipsec_doi.h, isakmp.c, isakmp.h, isakmp_agg.c,
611: isakmp_base.c, isakmp_ident.c, isakmp_inf.c, isakmp_quick.c,
612: isakmp_var.h, nattraversal.c, oakley.c, oakley.h, racoon.conf.5,
613: racoonctl.8, racoonctl.c, remoteconf.c, remoteconf.h, sockmisc.c,
614: vendorid.c: Support multiple anonymous remotes and decide
615: remoteconf based on identity, received certificates and other
616: information. General code clean up.
617:
618: 2009-03-06 Timo Teras <timo.teras@iki.fi>
619:
620: * src/setkey/: extern.h, parse.y, setkey.c: setkey: fix deleteall
621: in Linux
622:
623: Linux requires SADB_DELETE message to have SPI. So send a
624: SADB_DELETE message for each matching SA. Trac #284.
625:
626: From: Gabriel Somlo <somlo@cmu.edu>
627:
628: 2009-02-16 Timo Teras <timo.teras@iki.fi>
629:
630: * src/libipsec/policy_parse.y: From Paul Moore: Fix a heap
631: corruption bug (yacc return non-null terminated buffer and sprintf
632: writes over bounds).
633:
634: 2009-02-11 Yvan Vanhullebus <vanhu@netasq.com>
635:
636: * src/racoon/: isakmp.c, sockmisc.c, sockmisc.h: trac#301: fixed
637: IPsec SAs flush in purge_remote() when NAT-T enabled but no NAT-T on
638: tunnel
639:
640: 2009-02-03 Timo Teras <timo.teras@iki.fi>
641:
642: * src/racoon/isakmp.c: From: Phil Sutter. Fix script environment
643: variables with IPv6 addresses.
644:
645: 2009-01-26 Timo Teras <timo.teras@iki.fi>
646:
647: * src/racoon/main.c: Argument parsing needs lcconf initialized.
648:
649: 2009-01-24 Thomas Klausner <wiz@netbsd.org>
650:
651: * src/racoon/racoonctl.c: Sort options in usage.
652:
653: * src/racoon/racoonctl.8: Sort options. New sentence, new line.
654:
655: * src/racoon/racoon.8: Sort options.
656:
657: 2009-01-23 Timo Teras <timo.teras@iki.fi>
658:
659: * src/racoon/: racoonctl.8, racoonctl.c: Update usage and manpage
660: for racoonctl.
661:
662: * src/racoon/: main.c, racoon.8: Racoon -v to print version and
663: compilation information. Update usage message.
664:
665: * NEWS: Update NEWS with major changes since 0.7 release.
666:
667: * src/racoon/schedule.c: Fix monotonic scheduler change, to not
668: refresh 'now' before exit. Otherwise we can return negative timeout
669: after spending time handling other events.
670:
671: * src/racoon/: handler.c, pfkey.c: From Arnaud Ebalard: Handle
672: reception of MIGRATE message during Phase 1 and Phase 2 negotiation.
673: Also corrects some debugging statements.
674:
675: * src/racoon/pfkey.c: From Arnaud Ebalard: On the responder (for
676: instance), there is a need to not only migrate local and remote
677: addresses of Phase 1 that match previous addresses but also the
678: local and remote addresses of a Phase 1 *associated* with a migrated
679: Phase 2. For instance, we have that need when receiving the first
680: MIGRATE/KMADDRESS message because the old addresses are still the
681: HoA and the address of the HA (while the peer has contacted us using
682: the CoA and we have negotiated this address as src attribute in
683: Phase 2). The patch fixes that by having migrate_ph1_ike_addresses()
684: called from migrate_ph2_ike_addresses() callback.
685:
686: * src/racoon/isakmp_quick.c: From Arnaud Ebalard: Set phase2 spid
687: when acting as responder.
688:
689: * configure.ac, src/racoon/handler.c, src/racoon/handler.h,
690: src/racoon/isakmp_inf.c, src/racoon/isakmp_xauth.c,
691: src/racoon/schedule.c, src/racoon/schedule.h,
692: src/racoon/throttle.c, src/racoon/throttle.h: Detect if monotonic
693: system clock is available, and use it for relative time measurements
694: to avoid complite hang if time jumps backwards.
695:
696: * src/racoon/: cfparse.y, ipsec_doi.c, isakmp.c, isakmp_agg.c,
697: isakmp_base.c, isakmp_cfg.c, isakmp_ident.c, isakmp_xauth.c,
698: oakley.c, oakley.h: Fix authentication method ambiguity by
699: internally using unique ID and setting/interpreting the wire format
700: based on received vendor ID:s. Fixes trac #280.
701:
702: * src/racoon/: handler.h, isakmp_agg.c, isakmp_base.c,
703: isakmp_ident.c, vendorid.c, vendorid.h: Introduce vendorid
704: bitmask that can be used otherwhere to detect peer capabilities.
705:
706: * configure.ac, src/racoon/admin.c, src/racoon/evt.c,
707: src/racoon/grabmyaddr.c, src/racoon/isakmp.c, src/racoon/pfkey.c,
708: src/racoon/session.c, src/racoon/session.h: Remove "fastquit"
709: configure option and make it the default behaviour. The previous
710: normal behaviour is buggy, as after flush kernel can immediately
711: create larval SA:s which would prevent exit.
712:
713: 2009-01-20 Timo Teras <timo.teras@iki.fi>
714:
715: * Makefile.am, misc/cvs2cl.pl, misc/cvsusermap: Autogenerate
716: ChangeLog from NetBSD CVS. Put sourceforge.net changes to
717: ChangeLog.old.
718:
719: 2009-01-10 Thomas Klausner <wiz@netbsd.org>
720:
721: * src/racoon/racoon.conf.5: Make ready for HTML output. Use proper
722: escape for backslash ('\e').
723:
724: 2009-01-10 Timo Teras <timo.teras@iki.fi>
725:
726: * src/racoon/: crypto_openssl.c, racoon.conf.5: From Cyrus Rahman:
727: Accept RFC2253 compliant escaped special characters for asn1dn
728: identifier.
729:
730: 2009-01-09 Timo Teras <timo.teras@iki.fi>
731:
732: * configure.ac: Fix a CPPLAGS typo to CPPFLAGS which was intended
733:
734: 2009-01-05 Timo Teras <timo.teras@iki.fi>
735:
736: * src/racoon/: cfparse.y, cftoken.l, racoon.conf.5: Remove obsolete
737: configuration options, fix radius configuration block and add GRE as
738: recognized protocol.
739:
740: * src/racoon/session.c: Do not use counting in signal handling as
741: it was unsafe by not using atomic functions (post increment is not
742: necessarily atomic). Instead reap all children on SIGCHLD as that
743: was the only signal needing signal counting.
744:
745: 2008-12-30 Timo Teras <timo.teras@iki.fi>
746:
747: * src/racoon/session.c: schedular() call can now modify fd mask so
748: make the working copy just before calling select(); otherwise it can
749: contain bad file descriptors
750:
751: 2008-12-29 Michael van Elst <mlelstv@netbsd.org>
752:
753: * src/setkey/parse.y: support icmp codes. Fixes PR 39056.
754:
755: 2008-12-24 Christos Zoulas <christos@netbsd.org>
756:
757: * src/racoon/grabmyaddr.c: remove sin{6,}_len linux does not have
758: it. From Timo Teras.
759:
760: * src/racoon/grabmyaddr.c: I was wrong. addr is actually set.
761:
762: * src/racoon/grabmyaddr.c:
763: - make this compile by zeroing out the whole structure not just
764: bogus fields.
765: - set length field of sockets appropriately.
766: - mark bogus no-op code (I don't understand what the author intended
767: here).
768:
769: 2008-12-23 Thomas Klausner <wiz@netbsd.org>
770:
771: * src/racoon/racoon.conf.5: Bump date for identity configuration
772: option removal.
773:
774: 2008-12-23 Timo Teras <timo.teras@iki.fi>
775:
776: * src/racoon/: cfparse.y, cftoken.l, ipsec_doi.c, localconf.c,
777: localconf.h, racoon.conf.5: Remove the obsoleted global identity
778: configuration option.
779:
780: * src/racoon/: admin.c, admin_var.h, cfparse.y, debug.h, evt.c,
781: evt.h, grabmyaddr.c, grabmyaddr.h, handler.c, isakmp.c,
782: isakmp_inf.c, isakmp_var.h, localconf.c, localconf.h, main.c,
783: nattraversal.c, pfkey.c, pfkey.h, privsep.c, session.c,
784: session.h: rewrite local address detection make some functions
785: static that arr not needed globally rework how fd_set is
786: construction for the main loop select()
787:
788: 2008-12-18 Timo Teras <timo.teras@iki.fi>
789:
790: * src/racoon/pfkey.c: From Arnaud Ebalard: Delete larval ph2handles
791: when expire with hard lifetime received
792:
793: 2008-12-16 Timo Teras <timo.teras@iki.fi>
794:
795: * README: Update README
796:
797: * src/racoon/pfkey.c: Fix transport mode address selection in
798: acquire handling. Some earlier fixes got lost on 2008-12-05 commit.
799:
800: 2008-12-11 Yvan Vanhullebus <vanhu@netasq.com>
801:
802: * src/racoon/grabmyaddr.c: Fixed compilation on FreeBSD (RTM_IFINFO
803: and RTM_OIFINFO stuff)
804:
805: * src/racoon/isakmp.c: Fixed compilation when DPD support is
806: disabled
807:
808: 2008-12-08 Timo Teras <timo.teras@iki.fi>
809:
810: * src/racoon/: pfkey.c, privsep.c, privsep.h: Do not cache pfkey
811: sockets: it might cause some pfkey events not to be handled when
812: select() has marked pfkey socket readable, but a timer callback
813: first calls pfkey_dump_sadb().
814:
815: 2008-12-05 Timo Teras <timo.teras@iki.fi>
816:
817: * src/: libipsec/key_debug.c, libipsec/libpfkey.h,
818: libipsec/pfkey.c, racoon/handler.c, racoon/handler.h,
819: racoon/ipsec_doi.c, racoon/isakmp.c, racoon/isakmp_quick.c,
820: racoon/pfkey.c, racoon/policy.c, racoon/policy.h: From Arnaud
821: Ebalard: Improved Mobile IPv6 support per
822: draft-ebalard-mext-pfkey-enhanced-migrate.
823:
824: 2008-12-04 Christoph Badura <bad@netbsd.org>
825:
826: * src/racoon/privsep.c: Fix typo in previous and use SIG_IGN as I
827: intended.
828:
829: 2008-12-02 Timo Teras <timo.teras@iki.fi>
830:
831: * src/racoon/session.c: Explicitly ignore SIGPIPE. Default action
832: on Linux is terminate.
833:
834: 2008-11-28 Thomas Klausner <wiz@netbsd.org>
835:
836: * src/racoon/racoon.conf.5: Remove empty line. Fix typo. New
837: sentence, new line.
838:
839: 2008-11-27 Yvan Vanhullebus <vanhu@netasq.com>
840:
841: * src/racoon/main.c: Set up a default value for Mode Config Pool
842: size if pool address specified but pool size not specified
843:
844: * src/racoon/isakmp_cfg.c: Fixed pool resizing
845:
846: 2008-11-27 Timo Teras <timo.teras@iki.fi>
847:
848: * src/racoon/pfkey.c: From Arnaud Ebalard: Remove MAXNESTEDSA
849: weirdness. It's probably meant for bundle support which is not done.
850: When someone actually writes bundle support, the nested SA stuff
851: would probably be reworked too anyway.
852:
853: * src/: libipsec/libpfkey.h, libipsec/pfkey.c, racoon/cfparse.y,
854: racoon/cftoken.l, racoon/localconf.c, racoon/localconf.h,
855: racoon/pfkey.c, racoon/racoon.conf.5: From Matthew Krenzer:
856: Ability to set pfkey socket buffer size via configuration file
857: directive. (Indentation and minor fixes by me.)
858:
859: 2008-11-25 Christoph Badura <bad@netbsd.org>
860:
861: * src/racoon/: evt.c, privsep.c, session.c: Avoid using
862: MSG_NOSIGNAL as it is not available everywhere. Ignore SIGPIPE
863: instead.
864:
865: * src/racoon/grabmyaddr.c: Ignore unspecified and loopback
866: addresses. Ignoring unspecified addresses prevents racoon from
867: trying to bind to the wildcard address and specific addresses
868: simultaneously after e.g. dhclient has changed an interface's
869: address to 0.0.0.0.
870:
871: * src/racoon/grabmyaddr.c: RTM_DELETE and RTM_IFINFO don't carry
872: info for added or deleted addresses. Ignore them silently.
873:
874: * src/racoon/grabmyaddr.c: Ignoring an unsuitable address is not an
875: error. Therefore log it as informational. Make it clear from the
876: log message that a route message is not interesting.
877:
878: * src/racoon/grabmyaddr.c: Use insmyaddr() instead of open coding
879: it.
880:
881: * src/racoon/isakmp.c: Do not return erroneously from isakmp_open()
882: when setting IPV6_USE_MIN_MTU fails.
883:
884: * src/racoon/: grabmyaddr.c, isakmp.c: Keep myaddr.sock at -1 when
885: no socket is opened.
886:
887: 2008-11-08 Christoph Badura <bad@netbsd.org>
888:
889: * src/racoon/samples/roadwarrior/client/: phase1-down.sh,
890: phase1-up.sh: Preserve owner and permissions of original
891: /etc/resolv.conf. Ensure that new /etc/resolv.conf isn't group or
892: world writable.
893:
894: * src/racoon/samples/roadwarrior/client/: phase1-down.sh,
895: phase1-up.sh: Print and check INTERNAL_NETMASK4.
896:
897: * src/racoon/samples/roadwarrior/client/: phase1-down.sh,
898: phase1-up.sh: Make the handling of NAT-T SPD entries automatic.
899:
900: * src/racoon/samples/roadwarrior/client/: phase1-down.sh,
901: phase1-up.sh: Ensure that the determination of the default
902: gateway and the corresponding interface don't get confused by
903: multiple, possibly non-IPv4 default routes. Bring the NetBSD case
904: of deleting the VPN routes and address in line with the Linux case
905: and delete the address after deleting the VPN routes.
906:
907: 2008-11-06 Yvan Vanhullebus <vanhu@netasq.com>
908:
909: * src/racoon/sainfo.c: fixed delsainfo() to avoid a crash when
910: iddst's value is SAINFO_CLIENTADDR
911:
912: 2008-10-29 S.P.Zeidler <spz@netbsd.org>
913:
914: * src/racoon/ipsec_doi.c: Changes to ipsecdoi_id2str():
915:
916: struct sockaddr -> struct sockaddr_storage fixes a stack overflow
917:
918: For non-linklocal addresses the value in 'scope' is garbage and gets
919: set to zero instead.
920:
921: 2008-10-27 Timo Teras <timo.teras@iki.fi>
922:
923: * src/racoon/pfkey.c: From Arnaud Ebalard: Add missing return to
924: error path
925:
926: * src/racoon/grabmyaddr.c: From Francis Dupont (sent by Arnaud
927: Ebalard): recognize RTM_IFANNOUNCE
928:
929: * src/racoon/grabmyaddr.c: From Arnaud Ebalard: Fix indentation
930: issues for readability
931:
932: * src/racoon/session.c: From Arnaud Ebalard: initfds() needs to be
933: called only if monitored file descriptor numbers have changed
934:
935: * src/racoon/isakmp_var.h: From Arnaud Ebalard: Remove duplicate
936: declaration
937:
938: 2008-10-23 Timo Teras <timo.teras@iki.fi>
939:
940: * src/racoon/: privsep.c, session.c, session.h: From Krzysztof
941: Piotr Oledzki <olel@ans.pl>: Revert parts of 2008-08-06 commit; the
942: problem those changes address is already handled in a sensible way
943: by Cyrus Rahman's patch from 2008-03-06.
944:
945: 2008-10-09 Timo Teras <timo.teras@iki.fi>
946:
947: * src/racoon/isakmp_quick.c: From Arnaud Ebalard: remove
948: unnecessary unbindph12() call which is now done in remph2()
949:
950: 2008-09-25 Yvan Vanhullebus <vanhu@netasq.com>
951:
952: * src/racoon/isakmp.c: Fixed resending mechanism to have non-ESP
953: marker for retransmitted packets
954:
955: 2008-09-19 Thomas Klausner <wiz@netbsd.org>
956:
957: * src/racoon/racoon.conf.5: New sentence, new line.
958:
959: 2008-09-19 Timo Teras <timo.teras@iki.fi>
960:
961: * src/racoon/: admin.c, cfparse.y, cftoken.l, handler.c, handler.h,
962: isakmp.c, isakmp_cfg.c, isakmp_inf.c, isakmp_quick.c,
963: isakmp_var.h, isakmp_xauth.c, pfkey.c, proposal.c, racoon.conf.5,
964: remoteconf.c, remoteconf.h: Implement ISAKMP SA rekeying
965: configurable with rekey {on|off|force} option in remote conf.
966:
967: * src/racoon/: handler.c, handler.h, isakmp.c, isakmp_inf.c,
968: isakmp_quick.c, isakmp_var.h, isakmp_xauth.c, isakmp_xauth.h,
969: nattraversal.c, pfkey.c, pfkey.h, schedule.c, schedule.h,
970: session.c: Change struct sched to be allocated by the caller to
971: avoid some memory allocations. Optimize scheduling algorithm to not
972: scan all entries in the main loop.
973:
974: 2008-09-17 Yvan Vanhullebus <vanhu@netasq.com>
975:
976: * src/racoon/isakmp_inf.c: Fixed port match in purge_ipsec_spi()
977: when NAT-T enabled and trying to purge non NAT-T SAs
978:
979: 2008-09-09 Yvan Vanhullebus <vanhu@netasq.com>
980:
981: * src/racoon/pfkey.c: Some calls to set_port() were not correctly
982: updated in the previous commit
983:
984: 2008-09-03 Yvan Vanhullebus <vanhu@netasq.com>
985:
986: * src/racoon/pfkey.c: From Tomas Mraz: Duplicate addresses in
987: pk_sendxxx functions, as they may be altered for NAT-T stuff.
988:
989: 2008-09-03 Timo Teras <timo.teras@iki.fi>
990:
991: * src/: libipsec/pfkey.c, racoon/pfkey.c, racoon/sockmisc.c:
992: - Fix reloading of SPD (Linux satype check, handling of SPD dump
993: responses)
994: - Remove some spurious error log message from extract_port()
995:
996: 2008-08-29 Gregory McGarry <gmcgarry@netbsd.org>
997:
998: * src/racoon/isakmp.c: Eliminate gcc-specific feature of empty
999: structures.
1000:
1001: * src/racoon/evt.h: Eliminate superfluous semicolon.
1002:
1003: * src/racoon/: admin.c, admin.h: Eliminate gcc-specific feature of
1004: unnamed structures added recently.
1005:
1006: 2008-08-12 Yvan Vanhullebus <vanhu@netasq.com>
1007:
1008: * src/racoon/isakmp.c: From Krzysztof Piotr Oledzki: Remove
1009: ph1handler if we received an invalid first exchange from initiator.
1010:
1011: 2008-08-06 Timo Teras <timo.teras@iki.fi>
1012:
1013: * src/racoon/: privsep.c, session.c, session.h: From Krzysztof
1014: Piotr Oledzki: Make privileged process exit if unprivileged process
1015: is terminated and some spelling fixes.
1016:
1017: 2008-07-23 Matthew Grooms <mgrooms@shrew.net>
1018:
1019: * src/racoon/: cfparse.y, session.c: Add some missing ifdefs
1020: required for non-radius enabled builds.
1021:
1022: 2008-07-23 Timo Teras <timo.teras@iki.fi>
1023:
1024: * src/racoon/Makefile.am: Do not use GNU make specific extension.
1025:
1026: * src/: libipsec/Makefile.am, racoon/Makefile.am,
1027: setkey/Makefile.am: Do flex/bison invocation in a more standard
1028: way, and keep the generated files in the dist tarball.
1029:
1030: 2008-07-22 Yvan Vanhullebus <vanhu@netasq.com>
1031:
1032: * src/racoon/proposal.c: From Kohki Ohhira: fix some memory leaks,
1033: when malloc fails or when peer sends invalid proposal.
1034:
1035: 2008-07-22 Matthew Grooms <mgrooms@shrew.net>
1036:
1037: * src/racoon/: cfparse.y, cftoken.l, isakmp_cfg.c, isakmp_xauth.c,
1038: isakmp_xauth.h, main.c, racoon.conf.5, session.c: Add an optional
1039: radius configuration section to the racoon.conf file. This is
1040: similar to the LDAP configuration section and overrides settings
1041: in the system radius configuration file.
1042:
1043: 2008-07-21 Matthias Scheler <tron@netbsd.org>
1044:
1045: * src/racoon/cfparse.y: Correct typo to fix the build.
1046:
1047: 2008-07-21 Timo Teras <timo.teras@iki.fi>
1048:
1049: * src/racoon/: isakmp_agg.c, isakmp_base.c, isakmp_ident.c,
1050: vendorid.c, vendorid.h: Separate generic vendor id handling to a
1051: new function and use it.
1052:
1053: * src/racoon/cfparse.y: Do not set default gss id if xauth is used,
1054: otherwise gss-id attribute might be sent even if it was not
1055: requested.
1056:
1057: 2008-07-15 Matthew Grooms <mgrooms@shrew.net>
1058:
1059: * src/racoon/isakmp_cfg.c: Fix a typo that prevented racoon from
1060: building with hybrid enabled.
1061:
1062: * src/racoon/: crypto_openssl.c, eaytest.c, misc.c, misc.h,
1063: racoonctl.c: Fix a conflict with the FreeBSD 8 system hexdump
1064: function.
1065:
1066: 2008-07-14 Timo Teras <timo.teras@iki.fi>
1067:
1068: * src/racoon/: handler.h, ipsec_doi.c, ipsec_doi.h, isakmp_quick.c,
1069: pfkey.c: Handle RESPONDER-LIFETIME notification in quick mode.
1070:
1071: * src/racoon/: handler.h, isakmp.c, isakmp_agg.c, isakmp_ident.c,
1072: isakmp_inf.c, isakmp_inf.h, isakmp_quick.c, strnames.c: Clean up
1073: notification payload handling. Handle INITIAL-CONTACT notification
1074: in last main mode exchange (delayed) and during quick mode
1075: exchanges.
1076:
1077: 2008-07-11 Timo Teras <timo.teras@iki.fi>
1078:
1079: * src/racoon/: isakmp.c, isakmp_inf.c: Original patch from Atis
1080: Elsts: Fix a double memory free and a memory corruption
1081: (LIST_REMOVE() on an uninserted node) in some error handling paths.
1082:
1083: 2008-07-09 Timo Teras <timo.teras@iki.fi>
1084:
1085: * src/racoon/cfparse.y: From Chong Peng: fix a file descriptor and
1086: memory leak on configuration file reread
1087:
1088: 2008-07-02 Yvan Vanhullebus <vanhu@netasq.com>
1089:
1090: * src/racoon/isakmp_inf.c: From Timo Teras: fix some %d to %zu
1091: (size_t values)
1092:
1093: 2008-06-18 Thomas Klausner <wiz@netbsd.org>
1094:
1095: * src/racoon/racoonctl.8: Bump date for previous.
1096:
1097: 2008-06-18 Matthew Grooms <mgrooms@shrew.net>
1098:
1099: * src/racoon/: admin.c, admin.h, racoonctl.8, racoonctl.c: Add an
1100: admin port command to retrieve the peer certificate. Submitted by
1101: Timo Teras.
1102:
1103: * src/racoon/: admin.c, grabmyaddr.c, isakmp.c, misc.c, misc.h: Set
1104: sockets to be closed on exec to avoid potential file descriptor
1105: inheritance issues. Submitted by Timo Teras.
1106:
1107: * src/racoon/: admin.c, grabmyaddr.c, ipsec_doi.c, isakmp.c,
1108: isakmp_cfg.c, isakmp_inf.c, privsep.c, remoteconf.c: Use utility
1109: functions to evaluate and manipulate network port values. No
1110: functional changes. Submitted by Timo Teras.
1111:
1112: * src/racoon/: admin.c, racoonctl.c: Admin port code cleanup. No
1113: functional changes. Submitted by Timo Teras.
1114:
1115: * src/racoon/pfkey.c: Correct a phase2 status event. Submitted by
1116: Timo Teras.
1117:
1118: 2008-05-24 Christos Zoulas <christos@netbsd.org>
1119:
1120: * src/racoon/privsep.c: Coverity CID 5018: Fix double frees.
1121:
1122: 2008-05-08 Emmanuel Dreyfus <manu@netbsd.org>
1123:
1124: * configure.ac: From Christian Hohnstaedt: allow out of tree
1125: building
1126:
1127: 2008-04-30 Martin Husemann <martin@netbsd.org>
1128:
1129: * netbsd-import.sh: Convert TNF licenses to new 2 clause variant
1130:
1131: 2008-04-25 Yvan Vanhullebus <vanhu@netasq.com>
1132:
1133: * src/racoon/isakmp_inf.c: From Timo Teras: extract port numbers
1134: from SADB_X_EXT_NAT_T[SD]PORT if present in purge_ipsec_spi().
1135:
1136: 2008-04-13 Christos Zoulas <christos@netbsd.org>
1137:
1138: * src/racoon/privsep.c: for symmetry set controllen the same way we
1139: set it on the receiving side.
1140:
1141: 2008-04-02 Emmanuel Dreyfus <manu@netbsd.org>
1142:
1143: * src/racoon/: Makefile.am, sockmisc.c, sockmisc.h: fix Linux build
1144:
1145: 2008-03-28 Christos Zoulas <christos@netbsd.org>
1146:
1147: * src/racoon/privsep.c: properly fix the variable stack allocation
1148: code.
1149:
1150: 2008-03-28 Emmanuel Dreyfus <manu@netbsd.org>
1151:
1152: * src/racoon/privsep.c: Still from Cyrus Rahman: fix file
1153: descriptor leak introduced by previous commit.
1154:
1155: * src/racoon/: Makefile.am, isakmp.c, isakmp_inf.c, privsep.c,
1156: privsep.h, sockmisc.c, doc/README.privsep: From Cyrus Rahman:
1157: Allow interface reconfiguration when running in privilege separation
1158: mode, document privilege separation
1159:
1160: 2008-03-06 Yvan Vanhullebus <vanhu@netasq.com>
1161:
1162: * src/racoon/oakley.c: Generates a log if cert validation has been
1163: disabled by configuration
1164:
1165: 2008-03-06 Emmanuel Dreyfus <manu@netbsd.org>
1166:
1167: * src/racoon/: privsep.c, session.c: From Cyrus Rahman
1168: <crahman@gmail.com>: privileged instance exits when unprivileged one
1169: terminates. Save PID in real root, not in chroot
1170:
1171: 2008-03-06 Matthew Grooms <mgrooms@shrew.net>
1172:
1173: * src/racoon/: admin.c, isakmp.c, isakmp_var.h, pfkey.c,
1174: racoonctl.8, racoonctl.c: Add the ability to initiate IPsec SA
1175: negotiations using the admin socket. Submitted by Timo Teras.
1176:
1177: * src/racoon/: admin.c, admin.h, evt.c, evt.h, handler.c,
1178: handler.h, isakmp.c, isakmp_agg.c, isakmp_base.c, isakmp_cfg.c,
1179: isakmp_ident.c, isakmp_inf.c, isakmp_var.h, isakmp_xauth.c,
1180: racoonctl.8, racoonctl.c, session.c: Refactor admin socket event
1181: protocol to be less error prone. Backwards compatibility is
1182: provided. Submitted by Timo Teras.
1183:
1184: 2008-03-05 Matthew Grooms <mgrooms@shrew.net>
1185:
1186: * src/racoon/cfparse.y: Properly initialize the unity network
1187: struct to prevent erroneous protocol and port info from being
1188: transmitted.
1189:
1190: * src/racoon/: pfkey.c, pfkey.h, session.c: Reload SPD on SIGHUP or
1191: adminport reload. Also provide better handling for pfkey socket read
1192: errors. Submitted by Timo Teras.
1193:
1194: 2008-02-25 Emmanuel Dreyfus <manu@netbsd.org>
1195:
1196: * src/racoon/ipsec_doi.c: From Brian Haley <brian.haley@hp.com>:
1197: There's a cut/paste error in cmp_aproppair_i(), it's supposed to be
1198: checking spi_size but it's not. I'm not sure this patch is correct,
1199: but what's there isn't either.
1200:
1201: 2008-02-22 Emmanuel Dreyfus <manu@netbsd.org>
1202:
1203: * src/racoon/isakmp.c: Fix address length, from Brian Haley
1204:
1205: 2008-02-10 S.P.Zeidler <spz@netbsd.org>
1206:
1207: * src/racoon/ipsec_doi.c: closes PR bin/37644; did not meet violent
1208: opposition ( :) ) on ipsec-tools-devel
1209:
1210: 2008-01-11 Yvan Vanhullebus <vanhu@netasq.com>
1211:
1212: * src/racoon/isakmp_inf.c: From Timo Teras: reset iph1->dpd_r_u in
1213: the scheduler's callback, to avoid access to freed memory.
1214:
1215: * src/racoon/crypto_openssl.c: From Krzysztof Oledzki: Fix
1216: compilation with IDEA and recent gcc.
1217:
1218: * src/racoon/isakmp_inf.c: From Krzysztof Oledzki: added some
1219: details to some logs (also reported new getph1byaddr() arg).
1220:
1221: * src/racoon/isakmp.c: From Krzysztof Oledzki: Only search for
1222: established ph1 handles in DPD (also reported new getph1byaddr()
1223: arg).
1224:
1225: * src/racoon/: handler.c, handler.h: added an 'established' arg to
1226: getph1byaddr()
1227:
1228: 2007-12-31 Matthew Grooms <mgrooms@shrew.net>
1229:
1230: * src/racoon/: policy.c, racoonctl.8, racoonctl.c: Add GRE protocol
1231: number to racoonctl. Correct id wildcard matching for transport
1232: mode. Submitted by Timo Teras.
1233:
1234: 2007-12-12 Matthew Grooms <mgrooms@shrew.net>
1235:
1236: * NEWS, src/racoon/isakmp_quick.c: Add corrections submitted in a
1237: follow up patch for the nat-t oa support.
1238:
1239: * src/racoon/: handler.c, handler.h, isakmp_quick.c, pfkey.c: Add
1240: support for nat-t oa payload handling. Submitted by Timo Teras.
1241:
1242: 2007-12-04 Matthew Grooms <mgrooms@shrew.net>
1243:
1244: * src/racoon/: ipsec_doi.c, ipsec_doi.h, isakmp_quick.c: Modify
1245: ipsecdoi_sockaddr2id() to obtain an id without specifying the exact
1246: prefix length. Correct a memory leak in phase2. Both submitted by
1247: Timo Teras.
1248:
1249: 2007-12-01 Thomas Klausner <wiz@netbsd.org>
1250:
1251: * src/racoon/racoon.conf.5: Fix typos. New sentence, new line.
1252:
1253: 2007-11-29 Yvan Vanhullebus <vanhu@netasq.com>
1254:
1255: * src/racoon/Makefile.am: From Natanael Copa: fixed a race
1256: condition when building yacc stuff.
1257:
1258: 2007-11-09 Yvan Vanhullebus <vanhu@netasq.com>
1259:
1260: * src/racoon/pfkey.c: From Arnaud Ebalard: Some sanity checking in
1261: pk_recv()
1262:
1263: * src/racoon/policy.c: From Arnaud Ebalard: Better matching of SPD
1264: entries in getsp_r().
1265:
1266: * src/racoon/isakmp_quick.c: From Arnaud Ebalard: Added some debug
1267: in get_proposal_r().
1268:
1269: 2007-10-19 Emmanuel Dreyfus <manu@netbsd.org>
1270:
1271: * src/racoon/: isakmp_cfg.c, isakmp_unity.c, isakmp_unity.h,
1272: racoon.conf.5: Add SPLITNET_{INCLUDR_LOCAL}_CIDR to hook scripts
1273:
1274: 2007-10-15 Yvan Vanhullebus <vanhu@netasq.com>
1275:
1276: * src/libipsec/pfkey.c: Try to increase the buffer size of the
1277: pfkey socket, this may help things when we have a huge SPD
1278:
1279: 2007-10-02 Yvan Vanhullebus <vanhu@netasq.com>
1280:
1281: * src/racoon/crypto_openssl.c: From Scott Lamb: include plog.h to
1282: work with the new plog macro.
1283:
1284: * src/racoon/kmpstat.c: From Scott Lamb: plog changed to _plog to
1285: work with new plog macro
1286:
1287: * src/racoon/: plog.c, plog.h: From Scott Lamb: new plog macro.
1288:
1289: 2007-09-19 Matthew Grooms <mgrooms@shrew.net>
1290:
1291: * src/racoon/isakmp.c: Set REUSE option on sockets to prevent
1292: failures associated with closing and immediately re-opening.
1293: Submitted by Gabriel Somlo.
1294:
1295: * src/racoon/isakmp_unity.c: Prevent duplicate entries in splitnet
1296: list. Submitted by Gabriel Somlo.
1297:
1298: 2007-09-13 Matthew Grooms <mgrooms@shrew.net>
1299:
1300: * configure.ac: Fix autoconf check for selinux support. Submitted
1301: by Joy Latten.
1302:
1303: 2007-09-12 Matthew Grooms <mgrooms@shrew.net>
1304:
1305: * src/racoon/: cfparse.y, cftoken.l, handler.c, isakmp_quick.c,
1306: pfkey.c, racoon.conf.5, sainfo.c, sainfo.h: Implement clientaddr
1307: sainfo remote id option and refine the sainfo man page syntax.
1308:
1309: 2007-09-05 Matthew Grooms <mgrooms@shrew.net>
1310:
1311: * src/racoon/sainfo.c: Sort sainfo sections on insert and improve
1312: matching logic.
1313:
1314: 2007-09-03 Matthew Grooms <mgrooms@shrew.net>
1315:
1316: * src/racoon/: cftoken.l, racoon.conf.5: Correct the syntax for
1317: wins4 in the man page and add nbns4 as an alias. Pointed out by
1318: Claas Langbehn.
1319:
1320: 2007-08-07 Emmanuel Dreyfus <manu@netbsd.org>
1321:
1322: * src/racoon/isakmp_xauth.c: Don't mix
1323: up RADIUS authentication and authorization ports. Allow
1324: interoperability with freeradius
1325:
1326: 2007-07-24 Matthew Grooms <mgrooms@shrew.net>
1327:
1328: * NEWS: Update NEWS file with additional 0.7 improvements.
1329:
1330: 2007-07-18 Matthew Grooms <mgrooms@shrew.net>
1331:
1332: * src/racoon/racoon.conf.5: Various racoon configuration manpage
1333: updates.
1334:
1335: 2007-07-18 Yvan Vanhullebus <vanhu@netasq.com>
1336:
1337: * configure.ac, src/libipsec/ipsec_dump_policy.c,
1338: src/libipsec/ipsec_get_policylen.c,
1339: src/libipsec/ipsec_strerror.c, src/libipsec/key_debug.c,
1340: src/libipsec/libpfkey.h, src/libipsec/pfkey.c,
1341: src/libipsec/pfkey_dump.c, src/libipsec/policy_parse.y,
1342: src/libipsec/policy_token.l, src/libipsec/test-policy-priority.c,
1343: src/racoon/admin.c, src/racoon/backupsa.c, src/racoon/cfparse.y,
1344: src/racoon/cftoken.l, src/racoon/ipsec_doi.c,
1345: src/racoon/isakmp.c, src/racoon/isakmp_inf.c,
1346: src/racoon/isakmp_quick.c, src/racoon/pfkey.c,
1347: src/racoon/policy.c, src/racoon/proposal.c,
1348: src/racoon/remoteconf.c, src/racoon/sainfo.c,
1349: src/racoon/session.c, src/racoon/sockmisc.c,
1350: src/racoon/strnames.c, src/setkey/parse.y, src/setkey/setkey.c,
1351: src/setkey/token.l: use a single PATH_IPSEC_H to fix some
1352: path_to_ipsec.h issues
1353:
1354: 2007-07-16 Yvan Vanhullebus <vanhu@netasq.com>
1355:
1356: * src/racoon/grabmyaddr.c: fixed a socket leak
1357:
1358: * src/racoon/proposal.c: indentation
1359:
1360: 2007-06-07 Emmanuel Dreyfus <manu@netbsd.org>
1361:
1362: * src/racoon/isakmp_cfg.c: From Paul Winder
1363: <Paul.Winder@tadpole.com>: Fix ignored INTERNAL_DNS4_LIST
1364:
1365: 2007-06-06 Yvan Vanhullebus <vanhu@netasq.com>
1366:
1367: * src/racoon/: eaytest.c, var.h: From Rong-En Fan: fix compilation
1368: with gcc 4.2
1369:
1370: * src/racoon/session.c: From Jianli Liu: speed up interfaces update
1371: when they change.
1372:
1373: * src/racoon/handler.c: ignore obsolete lifebyte when validating
1374: reloaded configuration
1375:
1376: 2007-05-31 Emmanuel Dreyfus <manu@netbsd.org>
1377:
1378: * src/racoon/: main.c, policy.h, security.c: From Joy Latten
1379: <latten@austin.ibm.com>: Fix file descriptor shortage when using
1380: labeled IPsec.
1381:
1382: 2007-05-30 Emmanuel Dreyfus <manu@netbsd.org>
1383:
1384: * src/racoon/kmpstat.c: From Jianli Liu <jlliu@nortel.com>: In
1385: racoonctl, use the specified socket path instead of the default
1386: location
1387:
1388: 2007-05-16 Christos Zoulas <christos@netbsd.org>
1389:
1390: * src/racoon/cfparse.y: coverity CID 4168: yyerror() does not
1391: return, so we proceed to de-reference NULL. Make it return -1
1392: instead like in other places.
1393:
1394: * src/racoon/cfparse.y: coverity CID 4170: yyerror() does not
1395: return, so we proceed to de-reference NULL. Make it return -1
1396: instead like in other places.
1397:
1398: 2007-05-04 Yvan Vanhullebus <vanhu@netasq.com>
1399:
1400: * src/racoon/handler.c: search a ph1 by address if iph2->ph1 is
1401: NULL when validating the new config
1402:
1403: * src/racoon/handler.c: added some debug in getph1byaddr() to track
1404: some port matching problems with NAT-T
1405:
1406: * src/racoon/isakmp.c: added some debug in isakmp_chkph1there() to
1407: track some port matching problems with NAT-T
1408:
1409: * src/racoon/isakmp_inf.c: added some debug for DELETE_SA process
1410:
1411: * src/racoon/pfkey.c: Force the update of ph2 in pk_recvupdate() if
1412: NAT_T support, to solve some port match problems with the first
1413: IPSec SAs negotiated as initiator
1414:
1415: 2007-04-04 Yvan Vanhullebus <vanhu@netasq.com>
1416:
1417: * src/racoon/ipsec_doi.c: checks proto_id in ipsecdoi_chkcmpids()
1418:
1419: * src/racoon/oakley.c: dumps peer's ID and peer's certificate
1420: subject/subjectaltname if they don't match
1421:
1422: 2007-03-26 Yvan Vanhullebus <vanhu@netasq.com>
1423:
1424: * src/racoon/isakmp_inf.c: Store the DPD main scheduler in ph1
1425: handler, to be able to cancel it when removing the handler, and some
1426: minor cleanups in DPD code
1427:
1428: 2007-03-24 Christos Zoulas <christos@netbsd.org>
1429:
1430: * src/racoon/isakmp_xauth.c: PR/36069: Huang Yushuo: racoon can't
1431: work with pam_group. Set RUSER.
1432:
1433: 2007-03-23 Yvan Vanhullebus <vanhu@netasq.com>
1434:
1435: * src/racoon/: ipsec_doi.c, security.c: From Joy Latten: fix a
1436: segfault when using security labels between 32bit and 64bit hosts.
1437:
1438: * src/racoon/handler.c: expire zombie handlers in getph2byid(), to
1439: avoid situations where we'll never negotiate a phase2 again
1440:
1441: * src/racoon/: oakley.c, racoon.conf.5: From Cyrus Rahman: give
1442: more details about what is checked when using certificates to
1443: authenticate
1444:
1445: 2007-03-22 Yvan Vanhullebus <vanhu@netasq.com>
1446:
1447: * src/racoon/: cfparse.y, ipsec_doi.c: fixed subnet check to
1448: generate IPV4_ADDRESS when needed in sockaddr2id()
1449:
1450: 2007-03-21 Yvan Vanhullebus <vanhu@netasq.com>
1451:
1452: * src/racoon/: handler.c, isakmp.c, isakmp_inf.c, pfkey.c: NULL
1453: sched check is now done in SCHED_KILL
1454:
1455: * src/racoon/schedule.h: checks if arg is NULL in SCHED_KILL
1456:
1457: 2007-03-15 Yvan Vanhullebus <vanhu@netasq.com>
1458:
1459: * src/racoon/grabmyaddr.c: From Yves-Alexis Perez: enable
1460: monitoring of ipv6 address changes on Linux.
1461:
1462: * src/racoon/isakmp.c: Consider a negotiation timeout when
1463: retry_counter is <=0 instead of < 0
1464:
1465: 2007-02-28 Matthew Grooms <mgrooms@shrew.net>
1466:
1467: * src/racoon/ipsec_doi.c: Add logic to allow ip address ids to be
1468: matched to ip subnet ids when appropriate.
1469:
1470: 2007-02-21 Yvan Vanhullebus <vanhu@netasq.com>
1471:
1472: * src/racoon/ipsec_doi.c: block variable declaration before code in
1473: ipsecdoi_id2str()
1474:
1475: 2007-02-20 Yvan Vanhullebus <vanhu@netasq.com>
1476:
1477: * src/racoon/isakmp_inf.c: Removed a debug printf....
1478:
1479: * src/racoon/isakmp.c: Only delete a generated SPD if its creation
1480: date matches the creation date of the SA we are currently deleting
1481:
1482: * src/racoon/: handler.c, isakmp_var.h: updated delete_spd() calls
1483:
1484: * src/racoon/: isakmp_inf.c, pfkey.c: fills creation date of
1485: generated SPDs
1486:
1487: * src/racoon/policy.h: added 'created' var
1488:
1489: 2007-02-19 Yvan Vanhullebus <vanhu@netasq.com>
1490:
1491: * src/racoon/isakmp.c: Removed a debug printf....
1492:
1493: 2007-02-16 Yvan Vanhullebus <vanhu@netasq.com>
1494:
1495: * src/racoon/ipsec_doi.c: From Olivier Warin: Fix a %zu in a
1496: printf.
1497:
1498: 2007-02-15 Emmanuel Dreyfus <manu@netbsd.org>
1499:
1500: * src/racoon/security.c: Missing SELinux file
1501:
1502: * configure.ac: Missing stuff for SELinux
1503:
1504: 2007-02-15 Yvan Vanhullebus <vanhu@netasq.com>
1505:
1506: * src/racoon/isakmp_inf.c: From "Uncle Pedro" on sf.net: Just
1507: expire a ph1 handle when receiving a DELETE-SA instead of calling
1508: purge_remote().
1509:
1510: * src/racoon/isakmp.c: Fixed the way phase1/2 messages are
1511: sent/resent, to avoid zombie handles and access to freed memory
1512:
1513: 2007-02-02 Yvan Vanhullebus <vanhu@netasq.com>
1514:
1515: * src/racoon/cfparse.y: Fixed a check of NAT-T support in libipsec
1516:
1517: 2007-02-01 Yvan Vanhullebus <vanhu@netasq.com>
1518:
1519: * src/racoon/isakmp_inf.c: From "Uncle Pedro" on sf.net: When
1520: receiving an ISAKMP DELETE_SA, get the cookie of the SA to be
1521: deleted from payload instead of just deleting the ISAKMP SA used to
1522: protect the informational exchange.
1523:
1524: 2006-12-26 Arnaud Lacombe <alc@netbsd.org>
1525:
1526: * src/racoon/ipsec_doi.c: CID-4167: check for 'iph1->approval !=
1527: NULL'
1528:
1529: 2006-12-23 Thomas Klausner <wiz@netbsd.org>
1530:
1531: * src/racoon/racoon.conf.5: Use even more macros.
1532:
1533: * src/racoon/racoon.conf.5: Use more macros.
1534:
1535: * src/racoon/racoon.conf.5: Serial comma, and bump date for
1536: previous.
1537:
1538: 2006-12-18 Yvan Vanhullebus <vanhu@netasq.com>
1539:
1540: * src/racoon/crypto_openssl.c: From Joy Latten: fix a memory leak
1541:
1542: 2006-12-10 tag ipsec-tools-0_7-base
1543:
1544: 2006-12-10 Emmanuel Dreyfus <manu@netbsd.org>
1545:
1546: * src/: libipsec/Makefile.am, libipsec/libpfkey.h,
1547: libipsec/pfkey.c, racoon/backupsa.c, racoon/cfparse.y,
1548: racoon/pfkey.c: Bring back API and ABI backward compatibility
1549: with previous libipsec before recent interface change. Bump libipsec
1550: minor version. Remove ifdefs in struct pfkey_send_sa_args to avoid
1551: ABI compatibility lossage. Add capability flags to detect missing
1552: optional features in libipsec
1553:
1554: * src/racoon/: Makefile.am, doc/README.plainrsa: From Joy Latten:
1555: README.plainrsa documenting plain RSA auth
1556:
1557: 2006-12-09 Emmanuel Dreyfus <manu@netbsd.org>
1558:
1559: * configure.ac, src/libipsec/libpfkey.h, src/libipsec/pfkey.c,
1560: src/racoon/Makefile.am, src/racoon/backupsa.c,
1561: src/racoon/backupsa.h, src/racoon/cftoken.l,
1562: src/racoon/ipsec_doi.c, src/racoon/ipsec_doi.h,
1563: src/racoon/isakmp_inf.c, src/racoon/isakmp_quick.c,
1564: src/racoon/pfkey.c, src/racoon/policy.c, src/racoon/policy.h,
1565: src/racoon/proposal.c, src/racoon/proposal.h,
1566: src/racoon/remoteconf.c: From Joy Latten: Add support for SELinux
1567: security contexts. Also cleanup the libipsec interface for adding
1568: and updating security associations.
1569:
1570: * src/racoon/racoon.conf.5: From Simon Chang: More hints about
1571: plain RSA authentication
1572:
1573: 2006-12-05 Yvan Vanhullebus <vanhu@netasq.com>
1574:
1575: * src/racoon/: proposal.c, proposal.h, racoon.conf.5: Check key
1576: length regarding proposal_check level
1577:
1578: 2006-11-16 Matthew Grooms <mgrooms@shrew.net>
1579:
1580: * src/racoon/sainfo.c: Correct issues associated with anonymous
1581: sainfo selection in racoon.
1582:
1583: 2006-11-09 Christos Zoulas <christos@netbsd.org>
1584:
1585: * src/racoon/crypto_openssl.c: eliminate the only variable stack
1586: array allocation.
1587:
1588: 2006-10-31 Christian Biere <cbiere@netbsd.org>
1589:
1590: * src/racoon/sockmisc.c: Don't define the deprecated
1591: IPV6_RECVDSTADDR if the "advanced IPv6 API" is used because
1592: IPV6_RECVPKTINFO and IPV6_PKTINFO are used to prevent potential bugs
1593: in the future just in case that the numeric value of the socket
1594: option is ever recycled.
1595:
1596: 2006-10-22 Yvan Vanhullebus <vanhu@netasq.com>
1597:
1598: * src/racoon/: backupsa.c, cfparse.y: From Michal Ruzicka: fix
1599: typos
1600:
1601: 2006-10-19 Yvan Vanhullebus <vanhu@netasq.com>
1602:
1603: * src/racoon/sainfo.c: From Matthew Grooms: use
1604: ipsecdoi_chkcmpids() and changed src/dst to loc/rmt in getsainfo().
1605:
1606: * src/racoon/: ipsec_doi.c, ipsec_doi.h: From Matthew Grooms: Added
1607: ipsecdoi_chkcmpids() function.
1608:
1609: 2006-10-09 Emmanuel Dreyfus <manu@netbsd.org>
1610:
1611: * src/racoon/proposal.c: Fix memory leak (Coverity 3438 and 3437)
1612:
1613: * src/racoon/isakmp_unity.c: Correctly check read() return value:
1614: it's signed (Coverity 1251)
1615:
1616: 2006-10-06 Emmanuel Dreyfus <manu@netbsd.org>
1617:
1618: * configure.ac, src/libipsec/pfkey_dump.c, src/racoon/algorithm.c,
1619: src/racoon/algorithm.h, src/racoon/cftoken.l,
1620: src/racoon/crypto_openssl.c, src/racoon/crypto_openssl.h,
1621: src/racoon/eaytest.c, src/racoon/ipsec_doi.c,
1622: src/racoon/ipsec_doi.h, src/racoon/oakley.h, src/racoon/pfkey.c,
1623: src/racoon/racoon.conf.5, src/racoon/strnames.c,
1624: src/setkey/setkey.8, src/setkey/test-pfkey.c, src/setkey/token.l:
1625: Camellia cipher support as in RFC 4312, from Tomoyuki Okazaki
1626: <okazaki@kick.gr.jp>
1627:
1628: 2006-10-03 Emmanuel Dreyfus <manu@netbsd.org>
1629:
1630: * src/racoon/admin.c: fix endianness issue introduced yesterday
1631:
1632: 2006-10-03 Yvan Vanhullebus <vanhu@netasq.com>
1633:
1634: * src/racoon/racoon.conf.5: Added remoteid/ph1id syntax
1635:
1636: * src/racoon/: cfparse.y, cftoken.l: Parses remoteid/ph1id values
1637:
1638: * src/racoon/: handler.c, isakmp_quick.c, pfkey.c, sainfo.c: Uses
1639: remoteid/ph1id values
1640:
1641: * src/racoon/: remoteconf.h, sainfo.h: Added remoteid/ph1id values
1642:
1643: 2006-10-02 Emmanuel Dreyfus <manu@netbsd.org>
1644:
1645: * src/racoon/isakmp_base.c:
1646: avoid reusing free'd pointer (Coverity 2613)
1647:
1648: * src/racoon/isakmp_inf.c: Check for NULL pointer (Coverity 4175)
1649:
1650: * src/racoon/isakmp_ident.c: Remove dead code (Coverity 3451)
1651:
1652: * src/racoon/algorithm.c: Fix array overrun (Coverity 4172)
1653:
1654: * src/racoon/admin.c: Fix memory leak (Coverity 2002)
1655:
1656: * src/racoon/: admin.c, isakmp.c, sockmisc.c: Fix memory leak
1657: (Coverity 2001), refactor the code to use port get/set functions
1658:
1659: * src/racoon/admin.c: Avoid reusing free'd pointer (Coverity 4200)
1660:
1661: * src/racoon/oakley.c: Don't use NULL pointer (Coverity 3443),
1662: reformat to 80 char/line
1663:
1664: 2006-10-02 Tom Spindler <dogcow@netbsd.org>
1665:
1666: * src/racoon/ipsec_doi.c: If you're going to initialize a pointer,
1667: you have to init it with a pointer type, not an int.
1668:
1669: 2006-10-02 Emmanuel Dreyfus <manu@netbsd.org>
1670:
1671: * src/racoon/isakmp.c: Don't use NULL pointer (Coverity 3439)
1672:
1673: * src/racoon/ipsec_doi.c: Don't use NULL pointer (Coverity 1334)
1674:
1675: * src/racoon/pfkey.c: Don't use NULL pointer (Coverity 944)
1676:
1677: * src/racoon/proposal.c: Don't use NULL pointer (Coverity 941)
1678:
1679: * src/racoon/racoonctl.c: Don't use NULL pointer (Coverity 942)
1680:
1681: * src/racoon/sockmisc.c: Don't use null pointer (Coverity 863)
1682:
1683: 2006-10-01 Emmanuel Dreyfus <manu@netbsd.org>
1684:
1685: * src/racoon/ipsec_doi.c: Fix memory leak (Coverity 4181)
1686:
1687: * src/racoon/isakmp.c: Check that iph1->remote is not NULL before
1688: using it (Coverity 3436)
1689:
1690: 2006-09-30 Emmanuel Dreyfus <manu@netbsd.org>
1691:
1692: * src/racoon/isakmp_agg.c: Remove dead code (Coverity 4165)
1693:
1694: * src/racoon/isakmp_cfg.c: Fix memory leak (Coverity 4179)
1695:
1696: * src/racoon/samples/roadwarrior/client/: phase1-down.sh,
1697: phase1-up.sh: update the scripts for working around routing
1698: problems on NetBSD
1699:
1700: * src/racoon/session.c: Reuse existing code for closing IKE
1701: sockets, and avoid screwing things by setting p->sock = -1, which is
1702: not expected (Coverity 4173).
1703:
1704: * src/racoon/admin.c: Do not free id and key, as they are used
1705: later
1706:
1707: 2006-09-29 Emmanuel Dreyfus <manu@netbsd.org>
1708:
1709: * src/racoon/racoonctl.c: Fix the fix: handle_recv closes the
1710: socket, so we must call com_init before sending any data.
1711:
1712: 2006-09-28 Emmanuel Dreyfus <manu@netbsd.org>
1713:
1714: * src/racoon/isakmp_xauth.c: Fix unchecked mallocs (Coverity 4176,
1715: 4174)
1716:
1717: * src/racoon/racoonctl.c: Fix access after free (Coverity 4178)
1718:
1719: 2006-09-26 Emmanuel Dreyfus <manu@netbsd.org>
1720:
1721: * src/racoon/cfparse.y: Fix memory leak (Coverity)
1722:
1723: * src/racoon/backupsa.c: Fix memory leak (Coverity)
1724:
1725: * src/racoon/admin.c: Remove dead code (Coverity)
1726:
1727: * src/racoon/admin.c: Fix memory leak (Coverity)
1728:
1729: * src/racoon/admin.c: One more memory leak
1730:
1731: * src/racoon/admin.c: Fix memory leak in racoonctl (Coverity)
1732:
1733: * src/racoon/ipsec_doi.c: Fix buffer overflow. Also fix credits: SA
1734: bundle fix was contributed by Jeff Bailey, not Matthew Grooms.
1735: Matthew updated the patch for current code, though.
1736:
1737: * src/racoon/: pfkey.c, proposal.c: fix SA bundle (e.g.: for
1738: negotiating ESP+IPcomp)
1739:
1740: 2006-09-25 Yvan Vanhullebus <vanhu@netasq.com>
1741:
1742: * src/racoon/isakmp.c: From Yves-Alexis Perez: struct ip -> struct
1743: iphdr for Linux
1744:
1745: 2006-09-25 Emmanuel Dreyfus <manu@netbsd.org>
1746:
1747: * src/racoon/isakmp.c: style (mostly for testing
1748: ipsec-tools-commits@netbsd.org)
1749:
1750: * src/racoon/ipsec_doi.c: Fix double free, from Matthew Grooms
1751:
1752: 2006-09-21 Yvan Vanhullebus <vanhu@netasq.com>
1753:
1754: * src/libipsec/pfkey.c: use sysdep_sa_len to make it compile on
1755: Linux
1756:
1757: 2006-09-19 Thomas Klausner <wiz@netbsd.org>
1758:
1759: * src/racoon/racoon.conf.5: Bump date for ike_frag force.
1760:
1761: * src/racoon/: plainrsa-gen.8, racoon.conf.5: New sentence, new
1762: line.
1763:
1764: * src/racoon/: racoon.conf.5, plainrsa-gen.8: Remove trailing
1765: whitespace.
1766:
1767: 2006-09-19 Yvan Vanhullebus <vanhu@netasq.com>
1768:
1769: * src/racoon/proposal.c: From Yves-Alexis Perez: fixes default
1770: value for encmodesv in set_proposal_from_policy()
1771:
1772: * src/racoon/isakmp.c: always include some headers, as they are
1773: required even without NAT-T
1774:
1775: * src/: libipsec/pfkey_dump.c, setkey/token.l: From Larry Baird:
1776: define SADB_X_EALG_AESCBC as SADB_X_EALG_AES if needed
1777:
1778: * src/racoon/crypto_openssl.c: From Larry Baird: some printf() ->
1779: plog()
1780:
1781: 2006-09-18 Emmanuel Dreyfus <manu@netbsd.org>
1782:
1783: * src/racoon/: cfparse.y, cftoken.l, isakmp.c, isakmp_frag.h,
1784: isakmp_inf.c, racoon.conf.5, remoteconf.c: From Matthew Grooms:
1785: ike_frag force option to force the use of IKE on first packet
1786: exchange (prior to peer consent)
1787:
1788: 2006-09-18 Yvan Vanhullebus <vanhu@netasq.com>
1789:
1790: * rpm/suse/ipsec-tools.spec, src/racoon/prsa_tok.c: removed
1791: generated files from the CVS
1792:
1793: * src/racoon/prsa_par.c: removed generated files from the CVS
1794:
1795: * src/racoon/: cfparse.c, cftoken.c: removed generated files from
1796: the CVS
1797:
1798: 2006-09-18 Emmanuel Dreyfus <manu@netbsd.org>
1799:
1800: * src/racoon/isakmp.c: From Matthew Grooms: handle IKE frag used in
1801: the first packet. That should not normally happen, as the initiator
1802: does not know yet if the responder can handle IKE frag. However, in
1803: some setups, the first packet is too big to get through, and
1804: assuming the peer supports IKE frag is the only way to go.
1805:
1806: racoon should have a setting in the remote section to do that
1807: (something like ike_frag force)
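The two 2006-09-18 entries above (the first-packet IKE fragmentation handling and the ike_frag force option that selects it) describe a configuration knob; the fragment below is an added illustration of how it is used in a racoon.conf remote block, not text taken from the ChangeLog or the project's sources. The peer address, certificate file names and proposal are placeholders; the ike_frag syntax follows racoon.conf(5) as documented at the time of these entries.

```conf
# Added illustrative racoon.conf fragment (not from the ChangeLog or from
# racoon's sample configs). Initiator whose first IKE packet is too large
# for the path; the peer is assumed to support IKE fragmentation.
remote 203.0.113.10 {
        exchange_mode main;
        certificate_type x509 "client.crt" "client.key";
        # "on" fragments only after the peer has advertised support, which
        # cannot have happened before the first packet is sent.
        # "force" fragments from the first exchange onward, relying on the
        # assumption that the peer copes with fragments it did not negotiate.
        ike_frag force;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group modp2048;
        }
}
```

Use force only for peers known to accept fragmented first packets: a peer that does not will silently drop the exchange, which looks identical to the MTU problem the option was meant to work around.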
1808:
1809: 2006-09-16 Emmanuel Dreyfus <manu@netbsd.org>
1810:
1811: * src/racoon/ipsec_doi.c: Trivial bugfix in RFC2407 4.6.2
1812: conformance, from Matthew Grooms
1813:
1814: 2006-09-15 Emmanuel Dreyfus <manu@netbsd.org>
1815:
1816: * src/racoon/ipsec_doi.c: Fix build on Linux
1817:
1818: For older changes see ChangeLog.old