Annotation of embedaddon/ipsec-tools/ChangeLog, revision 1.1.1.2
1.1.1.2 ! misho 1: 2013-01-08 tag ipsec-tools-0_8_1
! 2:
! 3: 2013-01-08 Timo Teras <timo.teras@iki.fi>
! 4:
! 5: * NEWS, configure.ac: ipsec-tools-0.8.1
! 6:
! 7: * configure.ac: Fix errors from automake 1.13
! 8:
! 9: * src/include-glibc/Makefile.am: Don't dereference the directory
! 10: symlink which we might be recreating.
! 11:
! 12: 2012-12-24 Timo Teras <timo.teras@iki.fi>
! 13:
! 14: * src/racoon/crypto_openssl.c: From Götz Babin-Ebell
! 15: <g.babin-ebell@novamedia.de>: Smarter X.509 subject name compare.
! 16:
! 17: * configure.ac, src/racoon/crypto_openssl.c,
! 18: src/racoon/missing/crypto/sha2/sha2.c: From Götz Babin-Ebell
! 19: <g.babin-ebell@novamedia.de>: Require OpenSSL 0.9.8s or higher
! 20:
! 21: 2012-08-29 Timo Teras <timo.teras@iki.fi>
! 22:
! 23: * src/racoon/isakmp_inf.c: From Roman Hoog Antink <rha@open.ch>:
! 24: Accept DPD messages with cookies also in reversed order for
! 25: compatibility. At least Cisco 836 running IOS 12.3(8)T does this.
! 26:
! 27: * src/racoon/oakley.c: From Roman Hoog Antink <rha@open.ch>: add
! 28: remote's IP address to the "certificate not verified" error message.
! 29:
! 30: * src/racoon/oakley.c: From Roman Hoog Antink <rha@open.ch>: do not
! 31: print unnecessary warning about non-verified certificate when using
! 32: raw plain-rsa.
! 33:
! 34: * src/racoon/isakmp.c: From Rainer Weikusat
! 35: <rweikusat@mobileactivedefense.com>: Release unused phase2 of
! 36: passive remotes after acquire.
! 37:
! 38: * src/racoon/isakmp.c: From Wolfgang Schmieder
! 39: <wolfgang.schmieder@honeywell.com>: setup phase1 port properly.
! 40:
! 41: * src/racoon/: cfparse.y, cftoken.l, racoon.conf.5: Allow inherited
! 42: remote blocks without additional remote statements to be specified
! 43: in a simpler way. patch by Roman Hoog Antink <rha@open.ch>
! 44:
! 45: 2012-08-23 Timo Teras <timo.teras@iki.fi>
! 46:
! 47: * src/racoon/crypto_openssl.c: From Nakano Takaharu: Fix bignum
! 48: memory allocation.
! 49:
! 50: 2012-01-01 Timo Teras <timo.teras@iki.fi>
! 51:
! 52: * src/racoon/isakmp_unity.c: From Rainer Weikusat
! 53: <rweikusat@mobileactivedefense.com>: Fix one byte too short memory
! 54: allocation in isakmp_unity.c:splitnet_list_2str().
! 55:
! 56: 2011-11-17 Yvan Vanhullebus <vanhu@netasq.com>
! 57:
! 58: * src/racoon/handler.c: fixed some crashes in LIST_FOREACH where
! 59: current element could be removed during the loop
! 60:
! 61: 2011-11-14 Timo Teras <timo.teras@iki.fi>
! 62:
! 63: * src/libipsec/pfkey.c: From Marcelo Leitner <mleitner@redhat.com>:
! 64: do not shrink pfkey socket buffers (if system default is larger than
! 65: what we want as minimum)
! 66:
! 67: 2011-08-12 Timo Teras <timo.teras@iki.fi>
! 68:
! 69: * src/racoon/privsep.c: Have privilege separation child process
! 70: exit if the parent exits.
! 71:
! 72: * Makefile.am: Create ChangeLog for proper CVS branch.
! 73:
! 74: 2011-03-18 tag ipsec-tools-0_8_0
! 75:
! 76: 2011-03-18 Yvan Vanhullebus <vanhu@netasq.com>
! 77:
! 78: * configure.ac: Yes: 0.8.0 is out !!!
! 79:
! 80: * NEWS: updated News for 0.8 branch
! 81:
1.1 misho 82: 2011-03-17 Yvan Vanhullebus <vanhu@netasq.com>
83:
84: * src/racoon/oakley.c: fixed a memory leak in
85: oakley_append_rmconf_cr() while generating plist. patch by Roman
86: Hoog Antink <rha@open.ch>
87:
88: * src/racoon/oakley.c: free name later, to avoid a memory use after
89: free in oakley_check_certid(). also give iph1->remote to some plog()
90: calls. patch by Roman Hoog Antink <rha@open.ch>
91:
92: * src/racoon/oakley.c: fixed a memory leak in
93: oakley_check_certid(). patch by Roman Hoog Antink <rha@open.ch>
94:
95: 2011-03-15 Yvan Vanhullebus <vanhu@netasq.com>
96:
97: * src/racoon/: isakmp.c, isakmp_inf.c, pfkey.c: directly call
98: isakmp_ph1delete() instead of scheduling isakmp_ph1delete_stub(), as
99: it is useless and can lead to memory access after free
100:
101: 2011-03-14 Timo Teras <timo.teras@iki.fi>
102:
103: * src/racoon/: grabmyaddr.c, handler.c, isakmp.c, isakmp_inf.c,
104: isakmp_quick.c, nattraversal.c, pfkey.c, policy.c, sockmisc.c,
105: sockmisc.h, throttle.c: Explicitly compare return value of
106: cmpsaddr() against a return value define to make it more obvious
107: what is the intended action. One more return value is also added, to
108: fix comparison of security policy descriptors. Namely, getsp()
109: should not allow wildcard matching (as the comment says, it does
110: exact matching) - otherwise we get problems when kernel has generic
111: policy with no ports, and a second similar policy with ports.
112:
113: 2011-03-14 Yvan Vanhullebus <vanhu@netasq.com>
114:
115: * src/racoon/: cfparse.y, isakmp_xauth.c, isakmp_xauth.h,
116: remoteconf.c, remoteconf.h, rsalist.c, rsalist.h: avoid some
117: memory leaks / free memory access when reloading conf and have
118: inherited config. patch from Roman Hoog Antink <rha@open.ch>
119:
120: * src/racoon/handler.c: removed a useless comment
121:
122: * src/racoon/handler.c: check if we got RMCONF_ERR_MULTIPLE from
123: getrmconf_by_ph1() in revalidate_ph1tree_rmconf()
124:
125: 2011-03-11 Yvan Vanhullebus <vanhu@netasq.com>
126:
127: * src/racoon/: handler.c, isakmp.c: directly delete a ph1 in
128: remove_ph1() instead of scheduling it, to avoid (completely ?) a
129: race condition when reloading configuration
130:
131: 2011-03-06 Timo Teras <timo.teras@iki.fi>
132:
133: * src/racoon/privsep.c: Quiet a gcc warning when strict-aliasing
134: checks are enabled. Reported by Stephen Clark.
135:
136: 2011-03-02 Yvan Vanhullebus <vanhu@netasq.com>
137:
138: * src/racoon/session.c: flush sainfo list when closing session.
139: patch by Roman Hoog Antink <rha@open.ch>
140:
141: * src/racoon/: remoteconf.c, rsalist.c, rsalist.h: free rsa
142: structures when deleting a struct rmconf. patch by Roman Hoog Antink
143: <rha@open.ch>
144:
145: * src/racoon/: cfparse.y, remoteconf.c, remoteconf.h: free spspec
146: when deleting a rmconf struct. patch by Roman Hoog Antink
147: <rha@open.ch>
148:
149: * src/racoon/: remoteconf.c, session.c: fixed some memory leaks in
150: remoteconf. patch by Roman Hoog Antink <rha@open.ch>
151:
152: * src/racoon/: cfparse.y, prsa_par.y: fixed some memory leaks
153: during configuration parsing. patch by Roman Hoog Antink
154: <rha@open.ch>
155:
156: 2011-03-01 Yvan Vanhullebus <vanhu@netasq.com>
157:
158: * src/racoon/: isakmp.c, pfkey.c: plog text fixes, patch from M E
159: Andersson <debian@gisladisker.se>
160:
161: * src/racoon/cfparse.y: reset yyerrorcount before doing parse
162: stuff. patch by Roman Hoog Antink <rha@open.ch>
163:
164: 2011-02-20 Timo Teras <timo.teras@iki.fi>
165:
166: * src/racoon/oakley.c: From Roman Hoog Antink <rha@open.ch>: Fix
167: memory leak when using plain RSA key authentication.
168:
169: 2011-02-11 Timo Teras <timo.teras@iki.fi>
170:
171: * src/racoon/plainrsa-gen.c: From Mats E Andersson
172: <debian@gisladisker.se>: Fix fprintf format specifier usage from
173: previous patch.
174:
175: 2011-02-10 Timo Teras <timo.teras@iki.fi>
176:
177: * src/racoon/plainrsa-gen.c: From Mats Erik Andersson
178: <debian@gisladisker.se>: Implement importing of RSA keys from PEM
179: files.
180:
181: * src/racoon/prsa_par.y: From M E Andersson
182: <debian@gisladisker.se>: Fix parsing of restricted RSA key
183: addresses.
184:
185: 2011-02-02 Yvan Vanhullebus <vanhu@netasq.com>
186:
187: * src/racoon/: cftoken.l, isakmp.c, remoteconf.h, sainfo.c,
188: sainfo.h: store ph1id in an u_int32_t instead of a (signed)int.
189: Patch from Christophe Carre
190:
191: 2011-01-28 Timo Teras <timo.teras@iki.fi>
192:
193: * src/racoon/: sainfo.c, sainfo.h, session.c: From Roman Hoog
194: Antink <rha@open.ch>: Clean up sainfo reloading: rename the
195: functions, and remove unneeded global variable.
196:
197: * src/racoon/: remoteconf.c, remoteconf.h, session.c: From Roman
198: Hoog Antink <rha@open.ch>: Clean up rmconf reloading: rename the
199: functions, and remove unneeded global variable.
200:
201: * src/racoon/plog.c: From Roman Hoog Antink <rha@open.ch>: Log
202: remote IP address if available (slightly modified by tteras)
203:
204: 2011-01-22 Timo Teras <timo.teras@iki.fi>
205:
206: * src/racoon/isakmp_inf.c: From Roman Hoog Antink <rha@open.ch>:
207: Fixes a null pointer dereference that might occur after removing
208: peers from the config and then reloading.
209:
210: 2011-01-20 Yvan Vanhullebus <vanhu@netasq.com>
211:
212: * src/libipsec/pfkey.c: fixed a typo, it will now compile when
213: KMADDRESS is defined. reported by Roman Hoog Antink (rha (at)
214: open.ch)
215:
216: 2010-12-28 Timo Teras <timo.teras@iki.fi>
217:
218: * src/racoon/handler.c: From Roman Hoog Antink <rha@open.ch>: Fix
219: config reload to not delete too many phase 2 handles, because wrong
220: chain field is used when enumerating the handles.
221:
222: 2010-12-16 gdt
223:
224: * src/racoon/oakley.c: When encountering a certificate where "ID
225: mismatched with ASN1 SubjectName", and verify_identifier is off,
226: don't raise an error. This makes the behavior match the man page.
227:
228: Patch sent for review long ago:
229: http://mail-index.netbsd.org/tech-security/2006/03/24/0000.html
230: with no negative feedback received to date.
231:
232: 2010-12-14 Timo Teras <timo.teras@iki.fi>
233:
234: * src/racoon/ipsec_doi.c: From Roman Hoog Antink <rha@open.ch>: Fix
235: possible null dereference.
236:
237: 2010-12-08 Timo Teras <timo.teras@iki.fi>
238:
239: * src/racoon/admin.c: Use separate SA addresses for phase2's
240: created by admin command. The phase2 startup overwrites src/dst with
241: ISAKMP ports if they are zero and we don't want that to happen for
242: the SA ports.
243:
244: 2010-12-08 joerg
245:
246: * src/libipsec/pfkey.c: ANSIfy
247:
248: 2010-12-07 Timo Teras <timo.teras@iki.fi>
249:
250: * src/racoon/isakmp_quick.c: Fix spacing and improve wording in
251: some log messages.
252:
253: 2010-12-03 Timo Teras <timo.teras@iki.fi>
254:
255: * src/libipsec/ipsec_dump_policy.c: Recognize direction for Linux
256: per-socket policies.
257:
258: * src/: libipsec/libpfkey.h, libipsec/pfkey_dump.c, setkey/parse.y,
259: setkey/setkey.8: Support GRE key as upper layer protocol
260: specifier (will be supported in Linux kernel 2.6.38).
261:
262: * src/racoon/grabmyaddr.c: Netlink deletion notification does not
263: guarantee actual address deletion: it might still exist on some
264: other interface. Make sure we do not unbind unless the address is
265: really gone.
266:
267: 2010-11-17 Timo Teras <timo.teras@iki.fi>
268:
269: * src/racoon/: handler.c, handler.h, isakmp.c, isakmp_inf.c: Fix my
270: previous patch to not call purge_remote() twice. Change the place
271: where purge_remote() is called. This fixes also a possible crash
272: from the same patch since ph1->remote can be NULL (when we are
273: responder and config is not yet selected).
274:
275: 2010-11-12 Timo Teras <timo.teras@iki.fi>
276:
277: * src/racoon/: admin.c, isakmp.c, isakmp_var.h, pfkey.c:
278: isakmp_post_acquire is now called from admin commands too, add a
279: flag so admin commands can be used to establish even passive links
280: on demand.
281:
282: * src/racoon/isakmp.c: Purge all IPsec-SA's if the last main
283: ISAKMP-SA for the node is deleted by remote request and the phase1
284: rekeying is enabled (this will also trigger the new phase1_dead
285: script hook).
286:
287: * src/racoon/: handler.h, isakmp_inf.c: Improve DPD sequence checks
288: to allow any reply within valid sequence window to be proof of
289: liveliness. This can improve things if there's random packet
290: delays, or if racoon is not getting enough CPU time.
291:
292: * src/racoon/: admin.c, admin.h, kmpstat.c, racoonctl.c: Extend
293: admin protocol to allow reply packets to exceed 64kb. E.g SA dumps
294: with many established SAs can be easily over the limit.
295:
296: 2010-10-22 Timo Teras <timo.teras@iki.fi>
297:
298: * src/racoon/grabmyaddr.c: Change Linux Netlink address monitoring
299: to monitor local route changes. This works around a kernel bug, and
300: slightly improves behaviour on some special cases.
301:
302: 2010-10-21 Timo Teras <timo.teras@iki.fi>
303:
304: * src/racoon/: admin.c, evt.c, grabmyaddr.c, isakmp.c, pfkey.c,
305: session.c, session.h: Introduce priorities for file descriptor
306: polling mechanism and give priority to admin port. If admin port is
307: used by ISAKMP-SA hook scripts they should be preferred, otherwise
308: heavy traffic can delay admin port requests considerably. This in
309: turn may cause renegotiation loop for ISAKMP-SA. This is mostly
310: useful for OpenNHRP setup, but can benefit other setups too.
311:
312: * src/racoon/: admin.c, handler.c, handler.h: Remove
313: initial-contact entry when all ISAKMP-SA are purged via adminport.
314: This will avoid stale security associations if some of the delete
315: notifications happens to get lost.
316:
317: 2010-10-20 Timo Teras <timo.teras@iki.fi>
318:
319: * src/racoon/crypto_openssl.c: Use high-level openssl EVP and HMAC
320: functions when possible: this allows openssl to perform hardware
321: acceleration if available.
322:
323: * src/racoon/: isakmp.c, isakmp_quick.c: Various improvements to
324: error log messages and a few additional error log messages to
325: improve diagnosing an error condition.
326:
327: * src/racoon/grabmyaddr.c: Fix address comparison so we actually
328: close sockets which were bound to IP-address that got deconfigured.
329:
330: 2010-10-11 Yvan Vanhullebus <vanhu@netasq.com>
331:
332: * src/racoon/ipsec_doi.c: report a higher encryption key length in
333: approval for OBEY / CLAIM / STRICT modes
334:
335: 2010-09-27 Yvan Vanhullebus <vanhu@netasq.com>
336:
337: * src/racoon/isakmp_xauth.c: fixed some typos in logs (reported by
338: fazaeli (at) sepehrs.com)
339:
340: 2010-09-24 Yvan Vanhullebus <vanhu@netasq.com>
341:
342: * src/racoon/cftoken.l: fixed a fd leak, patch by getlaser (at)
343: gmail.com
344:
345: 2010-09-22 Yvan Vanhullebus <vanhu@netasq.com>
346:
347: * src/racoon/admin.c: get the correct length of username when
348: processing ADMIN_LOGOUT_USER, patch by rweikusat (at) mssgmbh.com
349:
350: * src/racoon/nattraversal.h: fixed a typo in macros, reported by
351: marisp (at) mt.lv
352:
353: 2010-09-21 Yvan Vanhullebus <vanhu@netasq.com>
354:
355: * src/racoon/isakmp_cfg.c: moved from utmp.h to utmpx.h (patch
356: provided by marcin.cieslak (at) gmail.com)
357:
358: 2010-09-08 Yvan Vanhullebus <vanhu@netasq.com>
359:
360: * src/racoon/remoteconf.c: fixed remoteconf selection when no ID
361: specified in configuration, and added some debug to remoteconf
362: selection
363:
364: 2010-08-26 Yvan Vanhullebus <vanhu@netasq.com>
365:
366: * src/racoon/remoteconf.c: fix by Sergio.Gelato (at) astro.su.se:
367: duplicate some dynamic values in duprmconf()
368:
369: 2010-08-04 Yvan Vanhullebus <vanhu@netasq.com>
370:
371: * src/racoon/isakmp_cfg.c: fixed answer for IP4_SUBNET request
372:
373: 2010-07-30 Yvan Vanhullebus <vanhu@netasq.com>
374:
375: * src/racoon/doc/FAQ: updated link to NetBSD's documentation
376:
377: 2010-06-22 Thomas Klausner <wiz@netbsd.org>
378:
379: * src/racoon/racoon.conf.5: Bump date for previous.
380:
381: 2010-06-22 Yvan Vanhullebus <vanhu@netasq.com>
382:
383: * src/racoon/: cfparse.y, cftoken.l, isakmp.c, isakmp_inf.c,
384: racoon.conf.5, remoteconf.c, remoteconf.h: added a specific
385: script hook when a dead peer is detected
386:
387: 2010-06-04 Thomas Klausner <wiz@netbsd.org>
388:
389: * src/setkey/setkey.8: New sentence, new line. Bump date for
390: previous.
391:
392: 2010-06-04 Yvan Vanhullebus <vanhu@netasq.com>
393:
394: * src/setkey/: parse.y, setkey.8, token.l: Added support for
395: spdupdate command in setkey
396:
397: 2010-04-07 Yvan Vanhullebus <vanhu@netasq.com>
398:
399: * src/libipsec/ipsec_strerror.c: by Eric Preston: fixed a typo
400:
401: 2010-04-02 Christos Zoulas <christos@netbsd.org>
402:
403: * src/: libipsec/pfkey_dump.c, racoon/backupsa.c: handle ctime
404: returning NULL.
405:
406: 2010-03-11 Christos Zoulas <christos@netbsd.org>
407:
408: * src/racoon/handler.c: PR/42363: Yasuoka Masahiko: Second part of
409: the patch: iterate only on the phase2 handles that are bound by the
410: given phase1 handle.
411:
412: 2010-03-05 Timo Teras <timo.teras@iki.fi>
413:
414: * src/: libipsec/ipsec_set_policy.3, racoon/privsep.c,
415: racoon/doc/FAQ, setkey/setkey.8: From Stefan Bauer: Fix multiple
416: typos and manpage formatting errors.
417:
418: 2010-03-04 Yvan Vanhullebus <vanhu@netasq.com>
419:
420: * src/racoon/session.c: From Pierre POMES: fixed admin port
421: initialization
422:
423: 2010-02-28 snj
424:
425: * src/racoon/: sockmisc.c, sockmisc.h: Fight the ever-increasing
426: size of src checkouts by spelling "useful" without an extra l.
427:
428: 2010-02-09 Thomas Klausner <wiz@netbsd.org>
429:
430: * src/racoon/: pfkey.c, proposal.h: Fix typo in comment.
431:
432: 2010-01-17 Thomas Klausner <wiz@netbsd.org>
433:
434: * src/racoon/sainfo.c: Free strdupped string after using it. Found
435: by cppcheck.
436:
437: * src/racoon/: eaytest.c, ipsec_doi.c: Close file handles after
438: using them. Found by cppcheck.
439:
440: 2010-01-15 joerg
441:
442: * src/setkey/setkey.8: Use .%U instead of .%O for URLs.
443:
444: 2009-12-11 Timo Teras <timo.teras@iki.fi>
445:
446: * src/racoon/Makefile.am: From Paul Wernau: vmbuf.h was defined
447: twice in the headers. Remove the redundant entry so new install tool
448: does not complain about overwriting just installed file.
449:
450: 2009-11-22 Christos Zoulas <christos@netbsd.org>
451:
452: * src/racoon/handler.c: PR/42363: Yasuoka Masahiko:
453:
454: racoon uses a wrong IPsec-SA handle that is for other peer in case
455: it receives an ISAKMP message for IPsec-SA that has the same
456: message-id as the message-id that is received before.
457:
458: racoon uses message-id to find the handle of IPsec-SA. The
459: message-id is a unique number for each peer, but different peers may
460: use the same value.
461:
462: Different Windows Vista or Windows 7 peers seem to use the same
463: message-id. racoon can handle the first Windows's Phase-2, but it
464: cannot handle the second Windows. Because racoon misunderstands the
465: message for the second Windows as the message for the first Windows.
466:
467: >Category: bin >Synopsis: racoon uses a wrong IPsec-SA
468: that is for different peer >Confidential: no >Severity:
469: serious >Priority: medium >Responsible: bin-bug-people
470: >State: open >Class: sw-bug >Submitter-Id: net
471: >Arrival-Date: Sun Nov 22 18:25:00 +0000 2009 >Originator:
472: yasuoka@iij.ad.jp
473:
474: 2009-10-29 Christos Zoulas <christos@netbsd.org>
475:
476: * src/setkey/token.l: use %option noinput nounput
477:
478: 2009-10-28 Christos Zoulas <christos@netbsd.org>
479:
480: * src/setkey/token.l: no unput
481:
482: 2009-10-14 joerg
483:
484: * src/libipsec/ipsec_set_policy.3: Do not use .Xo/.Xc to workaround
485: ancient groff limits.
486:
487: * src/setkey/setkey.8: Do not use .Xo/.Xc to work around ancient
488: groff limits. Fix markup.
489:
490: * src/racoon/racoon.conf.5: Don't use .Xo/.Xc to work around
491: ancient groff limits. Set only one list type.
492:
493: 2009-09-18 Timo Teras <timo.teras@iki.fi>
494:
495: * src/racoon/: isakmp_agg.c, isakmp_ident.c: From Tomas Mraz: Fix
496: gssapi error checking.
497:
498: 2009-09-03 Timo Teras <timo.teras@iki.fi>
499:
500: * src/racoon/: admin.c, handler.c, handler.h, isakmp.c,
501: isakmp_var.h, pfkey.c: When rekeying phase2 use phase1 used to
502: negotiate phase2 as a hint to select the phase1 for rekeying the new
503: phase2.
504:
505: 2009-09-01 Timo Teras <timo.teras@iki.fi>
506:
507: * src/racoon/: nattraversal.c, racoon.conf.5, vendorid.c: Check
508: nat_traversal configuration from remote configuration candidates
509: when acting as responder. Enable NAT-T if any of the remote
510: candidates have NAT-T enabled.
511:
512: * src/racoon/remoteconf.c: Change remote conf matching level to
513: matching score. This way one can override anonymous certificate
514: block config with more exact "inherited" IP specific block.
515:
516: * src/racoon/: isakmp.c, racoon.conf.5: From Maik Broemme: export
517: ISAKMP SA identity as REMOTE_ID for phase1 up script (trac #313).
518:
519: 2009-08-24 Yvan Vanhullebus <vanhu@netasq.com>
520:
521: * src/racoon/oakley.c: fixed typo: algoriym -> algorithm
522:
523: 2009-08-19 Yvan Vanhullebus <vanhu@netasq.com>
524:
525: * src/racoon/remoteconf.c: fixed address check in
526: rmconf_match_type(), just check address with wildcard port
527:
528: 2009-08-19 Timo Teras <timo.teras@iki.fi>
529:
530: * src/racoon/remoteconf.c: Have an enum for rmconf_match_type()
531: return values to make the code a bit more readable.
532:
533: 2009-08-18 Yvan Vanhullebus <vanhu@netasq.com>
534:
535: * src/racoon/oakley.c: typo: algoritym -> algorithm
536:
537: 2009-08-17 Yvan Vanhullebus <vanhu@netasq.com>
538:
539: * src/libipsec/libpfkey.h: do not use SADB_X_NAT_T_NEW_MAPPING to
540: check system support for NAT-T, as at least FreeBSD doesn't have
541: this define anymore
542:
543: * src/racoon/schedule.h: include stddef.h so we have a chance to
544: get the system offsetof if present
545:
546: * src/racoon/crypto_openssl.h: removed a self include
547:
548: 2009-08-13 Yvan Vanhullebus <vanhu@netasq.com>
549:
550: * src/racoon/oakley.c: fixed a potential DoS in
551: oakley_do_decrypt(), reported by Orange Labs
552:
553: 2009-08-10 Timo Teras <timo.teras@iki.fi>
554:
555: * src/racoon/pfkey.c: Don't print EAGAIN error from
556: pfkey_handler(), it can occur normally under some code paths and is
557: not a hard error in any case.
558:
559: 2009-08-06 Timo Teras <timo.teras@iki.fi>
560:
561: * src/setkey/setkey.c: From Paul Wenau: Check fgets return value in
562: setkey to make gcc happy.
563:
564: 2009-08-05 Timo Teras <timo.teras@iki.fi>
565:
566: * src/racoon/pfkey.c: From Paul Wernau: Fix transport mode per-port
567: security associations that got broken during NAT-T fixes.
568:
569: 2009-07-07 Timo Teras <timo.teras@iki.fi>
570:
571: * src/racoon/sockmisc.c: From Arnaud Ebalard: Fix possible usage of
572: uninitialized local variable (not sure if any code path triggers
573: this, but this makes compiler happy).
574:
575: 2009-07-03 Timo Teras <timo.teras@iki.fi>
576:
577: * src/racoon/: admin.c, grabmyaddr.c, handler.c, handler.h,
578: isakmp.c, isakmp_cfg.c, isakmp_inf.c, isakmp_quick.c,
579: nattraversal.c, pfkey.c, policy.c, remoteconf.c, remoteconf.h,
580: sockmisc.c, sockmisc.h, throttle.c: Get rid of the evil CMPSADDR
581: macro. Trac #295.
582:
583: * src/: libipsec/libpfkey.h, libipsec/pfkey.c, racoon/isakmp.c,
584: racoon/isakmp_inf.c, racoon/pfkey.c, racoon/pfkey.h: From Yvan
585: Vanhullebus: Use SADB_X_EXT_NAT_T_* consistently for passing the
586: NAT-T port information. This might break compatibility with some
587: kernels, but as discussed this is the proper way to pass NAT-T ports
588: and the broken kernels need to be fixed.
589:
590: 2009-06-24 Timo Teras <timo.teras@iki.fi>
591:
592: * src/racoon/session.c: Fix a call to null pointer: in some cases,
593: the unmonitor_fd can be called from another fd's callback. That
594: could lead to still have callback pending after unmonitoring the fd
595: resulting in a call to null pointer. This is fixed by making
596: unmonitor_fd now clear the pending fd_set too. Bug was introduced
597: by my commit in 2008-12-23.
598:
599: 2009-05-20 Yvan Vanhullebus <vanhu@netasq.com>
600:
601: * src/racoon/isakmp.h: typo
602:
603: 2009-05-19 Timo Teras <timo.teras@iki.fi>
604:
605: * src/racoon/: ipsec_doi.c, isakmp.c: From Jukka Salmi: Fix couple
606: of typos from previous commit.
607:
608: 2009-05-18 Timo Teras <timo.teras@iki.fi>
609:
610: * src/racoon/: ipsec_doi.c, isakmp.c, sockmisc.c, sockmisc.h: From
611: Tomas Mraz: Introduce union sockaddr_any and use it to make code
612: more readable. Related to trac #293.
613:
614: * src/racoon/isakmp_inf.c: From Tomas Mraz: Remove variable that is
615: not really used; only referenced while uninitialized causing
616: valgrind error.
617:
618: * src/racoon/nattraversal.c: From Tomas Mraz: Fix natt_flags check.
619:
620: 2009-05-04 Thomas Klausner <wiz@netbsd.org>
621:
622: * src/racoon/racoon.conf.5: Remove superfluous spaces around
623: parentheses.
624:
625: 2009-04-29 Timo Teras <timo.teras@iki.fi>
626:
627: * src/racoon/crypto_openssl.c: From Ross Meng: Fix a memory leak in
628: X509 certificate validation.
629:
630: 2009-04-28 Timo Teras <timo.teras@iki.fi>
631:
632: * src/racoon/handler.c: Reset nat_oa variables too when reusing
633: phase two handler. Otherwise phase2 rekeying might fail in some
634: scenarios.
635:
636: 2009-04-22 Timo Teras <timo.teras@iki.fi>
637:
638: * src/racoon/isakmp_frag.c: From Neil Kettle: Fix a possible null
639: pointer dereference in fragmentation code.
640:
641: 2009-04-21 Timo Teras <timo.teras@iki.fi>
642:
643: * src/racoon/: grabmyaddr.c, grabmyaddr.h, session.c: Fix
644: strict_address to work again. The lists need to be initialized
645: before configuration is read, which happens before my_addr_init()
646: call.
647:
648: 2009-04-20 Timo Teras <timo.teras@iki.fi>
649:
650: * src/racoon/: isakmp.c, isakmp.h, isakmp_var.h: Fix a memory leak
651: in certificate request generation.
652:
653: * src/racoon/: isakmp_inf.c, isakmp_xauth.c, plog.c: Originally from
654: Bin Li: Fix possible memory corruption in binsanitize().
655:
656: * src/racoon/crypto_openssl.c: From Stephen Bevan: Fix a x509
657: signature verification memory leak.
658:
659: * src/racoon/: admin.c, racoonctl.c: Originally from Bin Li: Fix a
660: crash with racoonctl logout user.
661:
662: * src/racoon/nattraversal.c: Fix a memory leak in nat-t keepalive
663: code.
664:
665: * src/racoon/handler.c: From Paul Moore: Phase2 message id's should
666: be unique wrt phase1, not globally.
667:
668: 2009-03-13 Timo Teras <timo.teras@iki.fi>
669:
670: * src/racoon/: pfkey.c, remoteconf.h: From Arnaud Ebalard: Fix
671: couple of problems with previous commit.
672:
673: 2009-03-12 he
674:
675: * src/racoon/: isakmp.c, remoteconf.c: When casting to/from a
676: pointer to an integral type (a bad practice, if you ask me), you
677: need to cast via intptr_t for portability.
678:
679: 2009-03-12 Thomas Klausner <wiz@netbsd.org>
680:
681: * src/racoon/racoon.conf.5: New sentence, new line. Avoid marking
682: up punctuation.
683:
684: * src/racoon/racoonctl.8: Bump date for previous. Sort options to
685: establish-sa. Stop using Xo/Xc.
686:
687: 2009-03-12 Timo Teras <timo.teras@iki.fi>
688:
689: * src/racoon/: admin.c, cfparse.y, cftoken.l, crypto_openssl.c,
690: crypto_openssl.h, dnssec.c, dnssec.h, handler.c, handler.h,
691: ipsec_doi.c, ipsec_doi.h, isakmp.c, isakmp.h, isakmp_agg.c,
692: isakmp_base.c, isakmp_ident.c, isakmp_inf.c, isakmp_quick.c,
693: isakmp_var.h, nattraversal.c, oakley.c, oakley.h, racoon.conf.5,
694: racoonctl.8, racoonctl.c, remoteconf.c, remoteconf.h, sockmisc.c,
695: vendorid.c: Support multiple anonymous remotes and decide
696: remoteconf based on identity, received certificates and other
697: information. General code clean up.
698:
699: 2009-03-06 Timo Teras <timo.teras@iki.fi>
700:
701: * src/setkey/: extern.h, parse.y, setkey.c: setkey: fix deleteall
702: in Linux
703:
704: Linux requires SADB_DELETE message to have SPI. So send a
705: SADB_DELETE message for each matching SA. Trac #284.
706:
707: From: Gabriel Somlo <somlo@cmu.edu>
708:
709: 2009-02-16 Timo Teras <timo.teras@iki.fi>
710:
711: * src/libipsec/policy_parse.y: From Paul Moore: Fix a heap
712: corruption bug (yacc returns non-null terminated buffer and sprintf
713: writes over bounds).
714:
715: 2009-02-11 Yvan Vanhullebus <vanhu@netasq.com>
716:
717: * src/racoon/: isakmp.c, sockmisc.c, sockmisc.h: trac#301: fixed
718: IPsec SAs flush in purge_remote() when NAT-T enabled but no NAT-T on
719: tunnel
720:
721: 2009-02-03 Timo Teras <timo.teras@iki.fi>
722:
723: * src/racoon/isakmp.c: From: Phil Sutter. Fix script environment
724: variables with IPv6 addresses.
725:
726: 2009-01-26 Timo Teras <timo.teras@iki.fi>
727:
728: * src/racoon/main.c: Argument parsing needs lcconf initialized.
729:
730: 2009-01-24 Thomas Klausner <wiz@netbsd.org>
731:
732: * src/racoon/racoonctl.c: Sort options in usage.
733:
734: * src/racoon/racoonctl.8: Sort options. New sentence, new line.
735:
736: * src/racoon/racoon.8: Sort options.
737:
738: 2009-01-23 Timo Teras <timo.teras@iki.fi>
739:
740: * src/racoon/: racoonctl.8, racoonctl.c: Update usage and manpage
741: for racoonctl.
742:
743: * src/racoon/: main.c, racoon.8: Racoon -v to print version and
744: compilation information. Update usage message.
745:
746: * NEWS: Update NEWS with major changes since 0.7 release.
747:
748: * src/racoon/schedule.c: Fix monotonic scheduler change, to not
749: refresh 'now' before exit. Otherwise we can return negative timeout
750: after spending time handling other events.
751:
752: * src/racoon/: handler.c, pfkey.c: From Arnaud Ebalard: Handle
753: reception of MIGRATE message during Phase 1 and Phase 2 negotiation.
754: Also corrects some debugging statements.
755:
756: * src/racoon/pfkey.c: From Arnaud Ebalard: On the responder (for
757: instance), there is a need to not only migrate local and remote
758: addresses of Phase 1 that match previous addresses but also the
759: local and remote addresses of a Phase 1 *associated* with a migrated
760: Phase 2. For instance, we have that need when receiving the first
761: MIGRATE/KMADDRESS message because the old addresses are still the
762: HoA and the address of the HA (while the peer has contacted us using
763: the CoA and we have negotiated this address as src attribute in
764: Phase 2). The patch fixes that by having migrate_ph1_ike_addresses()
765: called from migrate_ph2_ike_addresses() callback.
766:
767: * src/racoon/isakmp_quick.c: From Arnaud Ebalard: Set phase2 spid
768: when acting as responder.
769:
770: * configure.ac, src/racoon/handler.c, src/racoon/handler.h,
771: src/racoon/isakmp_inf.c, src/racoon/isakmp_xauth.c,
772: src/racoon/schedule.c, src/racoon/schedule.h,
773: src/racoon/throttle.c, src/racoon/throttle.h: Detect if monotonic
774: system clock is available, and use it for relative time measurements
775: to avoid complete hang if time jumps backwards.
776:
777: * src/racoon/: cfparse.y, ipsec_doi.c, isakmp.c, isakmp_agg.c,
778: isakmp_base.c, isakmp_cfg.c, isakmp_ident.c, isakmp_xauth.c,
779: oakley.c, oakley.h: Fix authentication method ambiguity by
780: internally using unique ID and setting/interpreting the wire format
781: based on received vendor ID:s. Fixes trac #280.
782:
783: * src/racoon/: handler.h, isakmp_agg.c, isakmp_base.c,
784: isakmp_ident.c, vendorid.c, vendorid.h: Introduce vendorid
785: bitmask that can be used otherwhere to detect peer capabilities.
786:
787: * configure.ac, src/racoon/admin.c, src/racoon/evt.c,
788: src/racoon/grabmyaddr.c, src/racoon/isakmp.c, src/racoon/pfkey.c,
789: src/racoon/session.c, src/racoon/session.h: Remove "fastquit"
790: configure option and make it the default behaviour. The previous
791: normal behaviour is buggy, as after flush kernel can immediately
792: create larval SA:s which would prevent exit.
793:
794: 2009-01-20 Timo Teras <timo.teras@iki.fi>
795:
796: * Makefile.am, misc/cvs2cl.pl, misc/cvsusermap: Autogenerate
797: ChangeLog from NetBSD CVS. Put sourceforge.net changes to
798: ChangeLog.old.
799:
800: 2009-01-10 Thomas Klausner <wiz@netbsd.org>
801:
802: * src/racoon/racoon.conf.5: Make ready for HTML output. Use proper
803: escape for backslash ('\e').
804:
805: 2009-01-10 Timo Teras <timo.teras@iki.fi>
806:
807: * src/racoon/: crypto_openssl.c, racoon.conf.5: From Cyrus Rahman:
808: Accept RFC2253 compliant escaped special characters for asn1dn
809: identifier.
810:
811: 2009-01-09 Timo Teras <timo.teras@iki.fi>
812:
813: * configure.ac: Fix a CPPLAGS typo to CPPFLAGS which was intended
814:
815: 2009-01-05 Timo Teras <timo.teras@iki.fi>
816:
817: * src/racoon/: cfparse.y, cftoken.l, racoon.conf.5: Remove obsolete
818: configuration options, fix radius configuration block and add GRE as
819: recognized protocol.
820:
821: * src/racoon/session.c: Do not use counting in signal handling as
822: it was unsafe by not using atomic functions (post increment is not
823: necessarily atomic). Instead reap all children on SIGCHLD as that
824: was the only signal needing signal counting.
825:
826: 2008-12-30 Timo Teras <timo.teras@iki.fi>
827:
828: * src/racoon/session.c: schedular() call can now modify fd mask so
829: make the working copy just before calling select(); otherwise it can
830: contain bad file descriptors
831:
832: 2008-12-29 Michael van Elst <mlelstv@netbsd.org>
833:
834: * src/setkey/parse.y: support icmp codes. Fixes PR 39056.
835:
836: 2008-12-24 Christos Zoulas <christos@netbsd.org>
837:
838: * src/racoon/grabmyaddr.c: remove sin{6,}_len linux does not have
839: it. From Timo Teras.
840:
841: * src/racoon/grabmyaddr.c: I was wrong. addr is actually set.
842:
843: * src/racoon/grabmyaddr.c:
844: - make this compile by zeroing out the whole structure not just
845: bogus fields.
846: - set length field of sockets appropriately.
847: - mark bogus no-op code (I don't understand what the author intended
848: here).
849:
850: 2008-12-23 Thomas Klausner <wiz@netbsd.org>
851:
852: * src/racoon/racoon.conf.5: Bump date for identity configuration
853: option removal.
854:
855: 2008-12-23 Timo Teras <timo.teras@iki.fi>
856:
857: * src/racoon/: cfparse.y, cftoken.l, ipsec_doi.c, localconf.c,
858: localconf.h, racoon.conf.5: Remove the obsoleted global identity
859: configuration option.
860:
861: * src/racoon/: admin.c, admin_var.h, cfparse.y, debug.h, evt.c,
862: evt.h, grabmyaddr.c, grabmyaddr.h, handler.c, isakmp.c,
863: isakmp_inf.c, isakmp_var.h, localconf.c, localconf.h, main.c,
864: nattraversal.c, pfkey.c, pfkey.h, privsep.c, session.c,
865: session.h: rewrite local address detection; make some functions
866: static that are not needed globally; rework how fd_set is
867: constructed for the main loop select()
868:
869: 2008-12-18 Timo Teras <timo.teras@iki.fi>
870:
871: * src/racoon/pfkey.c: From Arnaud Ebalard: Delete larval ph2handles
872: when expire with hard lifetime received
873:
874: 2008-12-16 Timo Teras <timo.teras@iki.fi>
875:
876: * README: Update README
877:
878: * src/racoon/pfkey.c: Fix transport mode address selection in
879: acquire handling. Some earlier fixes got lost on 2008-12-05 commit.
880:
881: 2008-12-11 Yvan Vanhullebus <vanhu@netasq.com>
882:
883: * src/racoon/grabmyaddr.c: Fixed compilation on FreeBSD (RTM_IFINFO
884: and RTM_OIFINFO stuff)
885:
886: * src/racoon/isakmp.c: Fixed compilation when DPD support is
887: disabled
888:
889: 2008-12-08 Timo Teras <timo.teras@iki.fi>
890:
891: * src/racoon/: pfkey.c, privsep.c, privsep.h: Do not cache pfkey
892: sockets: it might cause to not handle some pfkey events when
893: select() has marked pfkey socket readable, but a timer callback
894: first calls pfkey_dump_sadb().
895:
896: 2008-12-05 Timo Teras <timo.teras@iki.fi>
897:
898: * src/: libipsec/key_debug.c, libipsec/libpfkey.h,
899: libipsec/pfkey.c, racoon/handler.c, racoon/handler.h,
900: racoon/ipsec_doi.c, racoon/isakmp.c, racoon/isakmp_quick.c,
901: racoon/pfkey.c, racoon/policy.c, racoon/policy.h: From Arnaud
902: Ebalard: Improved Mobile IPv6 support per
903: draft-ebalard-mext-pfkey-enhanced-migrate.
904:
905: 2008-12-04 Christoph Badura <bad@netbsd.org>
906:
907: * src/racoon/privsep.c: Fix typo in previous and use SIG_IGN as I
908: intended.
909:
910: 2008-12-02 Timo Teras <timo.teras@iki.fi>
911:
912: * src/racoon/session.c: Explicitly ignore SIGPIPE. Default action
913: on Linux is terminate.
914:
915: 2008-11-28 Thomas Klausner <wiz@netbsd.org>
916:
917: * src/racoon/racoon.conf.5: Remove empty line. Fix typo. New
918: sentence, new line.
919:
920: 2008-11-27 Yvan Vanhullebus <vanhu@netasq.com>
921:
922: * src/racoon/main.c: Set up a default value for Mode Config Pool
923: size if pool address specified but pool size not specified
924:
925: * src/racoon/isakmp_cfg.c: Fixed pool resizing
926:
927: 2008-11-27 Timo Teras <timo.teras@iki.fi>
928:
929: * src/racoon/pfkey.c: From Arnaud Ebalard: Remove MAXNESTEDSA
930: weirdness. It's probably meant for bundle support which is not done.
931: When someone actually writes bundle support, the nested SA stuff
932: would probably be reworked too anyway.
933:
934: * src/: libipsec/libpfkey.h, libipsec/pfkey.c, racoon/cfparse.y,
935: racoon/cftoken.l, racoon/localconf.c, racoon/localconf.h,
936: racoon/pfkey.c, racoon/racoon.conf.5: From: Matthew Krenzer
937: Ability to set pfkey socket buffer size via configuration file
938: directive. (Indentation and minor fixes by me.)
939:
940: 2008-11-25 Christoph Badura <bad@netbsd.org>
941:
942: * src/racoon/: evt.c, privsep.c, session.c: Avoid using
943: MSG_NOSIGNAL as it is not available everywhere. Ignore SIGPIPE
944: instead.
945:
946: * src/racoon/grabmyaddr.c: Ignore unspecified and loopback
947: addresses. Ignoring unspecified addresses prevents racoon from
948: trying to bind to the wildcard address and specific addresses
949: simultaneously after e.g. dhclient has changed an interface's
950: address to 0.0.0.0.
951:
952: * src/racoon/grabmyaddr.c: RTM_DELETE and RTM_IFINFO don't carry
953: info for added or deleted addresses. Ignore them silently.
954:
955: * src/racoon/grabmyaddr.c: Ignoring an unsuitable address is not an
956: error. Therefore log it as informational. Make it clear from the
957: log message that a route message is not interesting.
958:
959: * src/racoon/grabmyaddr.c: Use insmyaddr() instead of open coding
960: it.
961:
962: * src/racoon/isakmp.c: Do not return erroneously from isakmp_open()
963: when setting IPV6_USE_MIN_MTU fails.
964:
965: * src/racoon/: grabmyaddr.c, isakmp.c: Keep myaddr.sock at -1 when
966: no socket is opened.
967:
968: 2008-11-08 Christoph Badura <bad@netbsd.org>
969:
970: * src/racoon/samples/roadwarrior/client/: phase1-down.sh,
971: phase1-up.sh: Preserve owner and permissions of original
972: /etc/resolv.conf. Ensure that new /etc/resolv.conf isn't group or
973: world writable.
974:
975: * src/racoon/samples/roadwarrior/client/: phase1-down.sh,
976: phase1-up.sh: Print and check INTERNAL_NETMASK4.
977:
978: * src/racoon/samples/roadwarrior/client/: phase1-down.sh,
979: phase1-up.sh: Make the handling of NAT-T SPD entries automatic.
980:
981: * src/racoon/samples/roadwarrior/client/: phase1-down.sh,
982: phase1-up.sh: Ensure that the determination of the default
983: gateway and the corresponding interface don't get confused by
984: multiple, possibly non-IPv4 default routes. Bring the NetBSD case
985: of deleting the VPN routes and address in line with the Linux case
986: and delete the address after deleting the VPN routes.
987:
988: 2008-11-06 Yvan Vanhullebus <vanhu@netasq.com>
989:
990: * src/racoon/sainfo.c: fixed delsainfo() to avoid a crash when
991: iddst's value is SAINFO_CLIENTADDR
992:
993: 2008-10-29 S.P.Zeidler <spz@netbsd.org>
994:
995: * src/racoon/ipsec_doi.c: Changes to ipsecdoi_id2str():
996:
997: struct sockaddr -> struct sockaddr_storage fixes a stack overflow
998:
999: For non-linklocal addresses the value in 'scope' is garbage and gets
1000: set to zero instead.
1001:
1002: 2008-10-27 Timo Teras <timo.teras@iki.fi>
1003:
1004: * src/racoon/pfkey.c: From Arnaud Ebalard: Add missing return to
1005: error path
1006:
1007: * src/racoon/grabmyaddr.c: From Francis Dupont (sent by Arnaud
1008: Ebalard): recognize RTM_IFANNOUNCE
1009:
1010: * src/racoon/grabmyaddr.c: From Arnaud Ebalard: Fix indentation
1011: issues for readability
1012:
1013: * src/racoon/session.c: From Arnaud Ebalard: initfds() needs to be
1014: called only if monitored file descriptor numbers have changed
1015:
1016: * src/racoon/isakmp_var.h: From Arnaud Ebalard: Remove duplicate
1017: declaration
1018:
1019: 2008-10-23 Timo Teras <timo.teras@iki.fi>
1020:
1021: * src/racoon/: privsep.c, session.c, session.h: From Krzysztof
1022: Piotr Oledzki <olel@ans.pl>: Revert parts of 2008-08-06 commit; the
1023: problem those changes address is already handled in a sensible way
1024: by Cyrus Rahman's patch from 2008-03-06.
1025:
1026: 2008-10-09 Timo Teras <timo.teras@iki.fi>
1027:
1028: * src/racoon/isakmp_quick.c: From Arnaud Ebalard: remove
1029: unnecessary unbindph12() call which is now done in remph2()
1030:
1031: 2008-09-25 Yvan Vanhullebus <vanhu@netasq.com>
1032:
1033: * src/racoon/isakmp.c: Fixed resending mechanism to have non-ESP
1034: marker for retransmitted packets
1035:
1036: 2008-09-19 Thomas Klausner <wiz@netbsd.org>
1037:
1038: * src/racoon/racoon.conf.5: New sentence, new line.
1039:
1040: 2008-09-19 Timo Teras <timo.teras@iki.fi>
1041:
1042: * src/racoon/: admin.c, cfparse.y, cftoken.l, handler.c, handler.h,
1043: isakmp.c, isakmp_cfg.c, isakmp_inf.c, isakmp_quick.c,
1044: isakmp_var.h, isakmp_xauth.c, pfkey.c, proposal.c, racoon.conf.5,
1045: remoteconf.c, remoteconf.h: Implement ISAKMP SA rekeying
1046: configurable with rekey {on|off|force} option in remote conf.
1047:
1048: * src/racoon/: handler.c, handler.h, isakmp.c, isakmp_inf.c,
1049: isakmp_quick.c, isakmp_var.h, isakmp_xauth.c, isakmp_xauth.h,
1050: nattraversal.c, pfkey.c, pfkey.h, schedule.c, schedule.h,
1051: session.c: Change struct sched to be allocated by the caller to
1052: avoid some memory allocations. Optimize scheduling algorithm to not
1053: scan all entries in the main loop.
1054:
1055: 2008-09-17 Yvan Vanhullebus <vanhu@netasq.com>
1056:
1057: * src/racoon/isakmp_inf.c: Fixed port match in purge_ipsec_spi()
1058: when NAT-T enabled and trying to purge non NAT-T SAs
1059:
1060: 2008-09-09 Yvan Vanhullebus <vanhu@netasq.com>
1061:
1062: * src/racoon/pfkey.c: Some calls to set_port() were not correctly
1063: updated in the previous commit
1064:
1065: 2008-09-03 Yvan Vanhullebus <vanhu@netasq.com>
1066:
1067: * src/racoon/pfkey.c: From Tomas Mraz: Duplicate addresses in
1068: pk_sendxxx functions, as they may be altered for NAT-T stuff.
1069:
1070: 2008-09-03 Timo Teras <timo.teras@iki.fi>
1071:
1072: * src/: libipsec/pfkey.c, racoon/pfkey.c, racoon/sockmisc.c:
1073: - Fix reloading of SPD (Linux satype check, handling of SPD dump
1074: responses)
1075: - Remove some spurious error log message from extract_port()
1076:
1077: 2008-08-29 Gregory McGarry <gmcgarry@netbsd.org>
1078:
1079: * src/racoon/isakmp.c: Eliminate gcc-specific feature of empty
1080: structures.
1081:
1082: * src/racoon/evt.h: Eliminate superfluous semicolon.
1083:
1084: * src/racoon/: admin.c, admin.h: Eliminate gcc-specific feature of
1085: unnamed structures added recently.
1086:
1087: 2008-08-12 Yvan Vanhullebus <vanhu@netasq.com>
1088:
1089: * src/racoon/isakmp.c: From Krzysztof Piotr Oledzki: Remove
1090: ph1handler if we received an invalid first exchange from initiator.
1091:
1092: 2008-08-06 Timo Teras <timo.teras@iki.fi>
1093:
1094: * src/racoon/: privsep.c, session.c, session.h: From Krzysztof
1095: Piotr Oledzki: Make privileged process exit if unprivileged process
1096: is terminated and some spelling fixes.
1097:
1098: 2008-07-23 Matthew Grooms <mgrooms@shrew.net>
1099:
1100: * src/racoon/: cfparse.y, session.c: Add some missing ifdefs
1101: required for non-radius enabled builds.
1102:
1103: 2008-07-23 Timo Teras <timo.teras@iki.fi>
1104:
1105: * src/racoon/Makefile.am: Do not use GNU make specific extension.
1106:
1107: * src/: libipsec/Makefile.am, racoon/Makefile.am,
1108: setkey/Makefile.am: Do flex/bison invocation in a more standard
1109: way, and keep the generated files in the dist tarball.
1110:
1111: 2008-07-22 Yvan Vanhullebus <vanhu@netasq.com>
1112:
1113: * src/racoon/proposal.c: From Kohki Ohhira: fix some memory leaks,
1114: when malloc fails or when peer sends invalid proposal.
1115:
1116: 2008-07-22 Matthew Grooms <mgrooms@shrew.net>
1117:
1118: * src/racoon/: cfparse.y, cftoken.l, isakmp_cfg.c, isakmp_xauth.c,
1119: isakmp_xauth.h, main.c, racoon.conf.5, session.c: Add an optional
1120: radius configuration section to the racoon.conf file. This is
1121: similar to the LDAP configuration section and overrides settings
1122: in the system radius configuration file.
1123:
1124: 2008-07-21 Matthias Scheler <tron@netbsd.org>
1125:
1126: * src/racoon/cfparse.y: Correct typo to fix the build.
1127:
1128: 2008-07-21 Timo Teras <timo.teras@iki.fi>
1129:
1130: * src/racoon/: isakmp_agg.c, isakmp_base.c, isakmp_ident.c,
1131: vendorid.c, vendorid.h: Separate generic vendor id handling to a
1132: new function and use it.
1133:
1134: * src/racoon/cfparse.y: Do not set default gss id if xauth is used,
1135: otherwise gss-id attribute might be sent even if it was not
1136: requested.
1137:
1138: 2008-07-15 Matthew Grooms <mgrooms@shrew.net>
1139:
1140: * src/racoon/isakmp_cfg.c: Fix a typo that prevented racoon from
1141: building with hybrid enabled.
1142:
1143: * src/racoon/: crypto_openssl.c, eaytest.c, misc.c, misc.h,
1144: racoonctl.c: Fix a conflict with the FreeBSD 8 system hexdump
1145: function.
1146:
1147: 2008-07-14 Timo Teras <timo.teras@iki.fi>
1148:
1149: * src/racoon/: handler.h, ipsec_doi.c, ipsec_doi.h, isakmp_quick.c,
1150: pfkey.c: Handle RESPONDER-LIFETIME notification in quick mode.
1151:
1152: * src/racoon/: handler.h, isakmp.c, isakmp_agg.c, isakmp_ident.c,
1153: isakmp_inf.c, isakmp_inf.h, isakmp_quick.c, strnames.c: Clean up
1154: notification payload handling. Handle INITIAL-CONTACT notification
1155: in last main mode exchange (delayed) and during quick mode
1156: exchanges.
1157:
1158: 2008-07-11 Timo Teras <timo.teras@iki.fi>
1159:
1160: * src/racoon/: isakmp.c, isakmp_inf.c: Original patch from Atis
1161: Elsts: Fix a double memory free and a memory corruption
1162: (LIST_REMOVE() on an uninserted node) in some error handling paths.
1163:
1164: 2008-07-09 Timo Teras <timo.teras@iki.fi>
1165:
1166: * src/racoon/cfparse.y: From Chong Peng: fix a file descriptor and
1167: memory leak on configuration file reread
1168:
1169: 2008-07-02 Yvan Vanhullebus <vanhu@netasq.com>
1170:
1171: * src/racoon/isakmp_inf.c: From Timo Teras: fix some %d to %zu
1172: (size_t values)
1173:
1174: 2008-06-18 Thomas Klausner <wiz@netbsd.org>
1175:
1176: * src/racoon/racoonctl.8: Bump date for previous.
1177:
1178: 2008-06-18 Matthew Grooms <mgrooms@shrew.net>
1179:
1180: * src/racoon/: admin.c, admin.h, racoonctl.8, racoonctl.c: Add an
1181: admin port command to retrieve the peer certificate. Submitted by
1182: Timo Teras.
1183:
1184: * src/racoon/: admin.c, grabmyaddr.c, isakmp.c, misc.c, misc.h: Set
1185: sockets to be closed on exec to avoid potential file descriptor
1186: inheritance issues. Submitted by Timo Teras.
1187:
1188: * src/racoon/: admin.c, grabmyaddr.c, ipsec_doi.c, isakmp.c,
1189: isakmp_cfg.c, isakmp_inf.c, privsep.c, remoteconf.c: Use utility
1190: functions to evaluate and manipulate network port values. No
1191: functional changes. Submitted by Timo Teras.
1192:
1193: * src/racoon/: admin.c, racoonctl.c: Admin port code cleanup. No
1194: functional changes. Submitted by Timo Teras.
1195:
1196: * src/racoon/pfkey.c: Correct a phase2 status event. Submitted by
1197: Timo Teras.
1198:
1199: 2008-05-24 Christos Zoulas <christos@netbsd.org>
1200:
1201: * src/racoon/privsep.c: Coverity CID 5018: Fix double frees.
1202:
1203: 2008-05-08 Emmanuel Dreyfus <manu@netbsd.org>
1204:
1205: * configure.ac: From Christian Hohnstaedt: allow out of tree
1206: building
1207:
1208: 2008-04-30 Martin Husemann <martin@netbsd.org>
1209:
1210: * netbsd-import.sh: Convert TNF licenses to new 2 clause variant
1211:
1212: 2008-04-25 Yvan Vanhullebus <vanhu@netasq.com>
1213:
1214: * src/racoon/isakmp_inf.c: From Timo Teras: extract port numbers
1215: from SADB_X_EXT_NAT_T[SD]PORT if present in purge_ipsec_spi().
1216:
1217: 2008-04-13 Christos Zoulas <christos@netbsd.org>
1218:
1219: * src/racoon/privsep.c: for symmetry set controllen the same way we
1220: set it on the receiving side.
1221:
1222: 2008-04-02 Emmanuel Dreyfus <manu@netbsd.org>
1223:
1224: * src/racoon/: Makefile.am, sockmisc.c, sockmisc.h: fix Linux build
1225:
1226: 2008-03-28 Christos Zoulas <christos@netbsd.org>
1227:
1228: * src/racoon/privsep.c: properly fix the variable stack allocation
1229: code.
1230:
1231: 2008-03-28 Emmanuel Dreyfus <manu@netbsd.org>
1232:
1233: * src/racoon/privsep.c: Still from Cyrus Rahman: fix file
1234: descriptor leak introduced by previous commit.
1235:
1236: * src/racoon/: Makefile.am, isakmp.c, isakmp_inf.c, privsep.c,
1237: privsep.h, sockmisc.c, doc/README.privsep: From Cyrus Rahman:
1238: Allow interface reconfiguration when running in privilege separation
1239: mode, document privilege separation
1240:
1241: 2008-03-06 Yvan Vanhullebus <vanhu@netasq.com>
1242:
1243: * src/racoon/oakley.c: Generates a log if cert validation has been
1244: disabled by configuration
1245:
1246: 2008-03-06 Emmanuel Dreyfus <manu@netbsd.org>
1247:
1248: * src/racoon/: privsep.c, session.c: From Cyrus Rahman
1249: <crahman@gmail.com> privileged instance exit when unprivileged one
1250: terminates. Save PID in real root, not in chroot
1251:
1252: 2008-03-06 Matthew Grooms <mgrooms@shrew.net>
1253:
1254: * src/racoon/: admin.c, isakmp.c, isakmp_var.h, pfkey.c,
1255: racoonctl.8, racoonctl.c: Add the ability to initiate IPsec SA
1256: negotiations using the admin socket. Submitted by Timo Teras.
1257:
1258: * src/racoon/: admin.c, admin.h, evt.c, evt.h, handler.c,
1259: handler.h, isakmp.c, isakmp_agg.c, isakmp_base.c, isakmp_cfg.c,
1260: isakmp_ident.c, isakmp_inf.c, isakmp_var.h, isakmp_xauth.c,
1261: racoonctl.8, racoonctl.c, session.c: Refactor admin socket event
1262: protocol to be less error prone. Backwards compatibility is
1263: provided. Submitted by Timo Teras.
1264:
1265: 2008-03-05 Matthew Grooms <mgrooms@shrew.net>
1266:
1267: * src/racoon/cfparse.y: Properly initialize the unity network
1268: struct to prevent erroneous protocol and port info from being
1269: transmitted.
1270:
1271: * src/racoon/: pfkey.c, pfkey.h, session.c: Reload SPD on SIGHUP or
1272: adminport reload. Also provide better handling for pfkey socket read
1273: errors. Submitted by Timo Teras.
1274:
1275: 2008-02-25 Emmanuel Dreyfus <manu@netbsd.org>
1276:
1277: * src/racoon/ipsec_doi.c: From Brian Haley <brian.haley@hp.com>
1278: There's a cut/paste error in cmp_aproppair_i(), it's supposed to be
1279: checking spi_size but it's not. I'm not sure this patch is correct,
1280: but what's there isn't either.
1281:
1282: 2008-02-22 Emmanuel Dreyfus <manu@netbsd.org>
1283:
1284: * src/racoon/isakmp.c: Fix address length, from Brian Haley
1285:
1286: 2008-02-10 S.P.Zeidler <spz@netbsd.org>
1287:
1288: * src/racoon/ipsec_doi.c: closes PR bin/37644 did not meet violent
1289: opposition ( :) ) on ipsec-tools-devel
1290:
1291: 2008-01-11 Yvan Vanhullebus <vanhu@netasq.com>
1292:
1293: * src/racoon/isakmp_inf.c: From Timo Teras: reset iph1->dpd_r_u in
1294: the scheduler's callback, to avoid access to freed memory.
1295:
1296: * src/racoon/crypto_openssl.c: From Krzysztof Oledzki: Fix
1297: compilation with IDEA and recent gcc.
1298:
1299: * src/racoon/isakmp_inf.c: From Krzysztof Oledzki: added some
1300: details to some logs (also reported new getph1byaddr() arg).
1301:
1302: * src/racoon/isakmp.c: From Krzysztof Oledzki: Only search for
1303: established ph1 handles in DPD (also reported new getph1byaddr()
1304: arg).
1305:
1306: * src/racoon/: handler.c, handler.h: added an 'established' arg to
1307: getph1byaddr()
1308:
1309: 2007-12-31 Matthew Grooms <mgrooms@shrew.net>
1310:
1311: * src/racoon/: policy.c, racoonctl.8, racoonctl.c: Add GRE protocol
1312: number to racoonctl. Correct id wildcard matching for transport
1313: mode. Submitted by Timo Teras.
1314:
1315: 2007-12-12 Matthew Grooms <mgrooms@shrew.net>
1316:
1317: * NEWS, src/racoon/isakmp_quick.c: Add corrections submitted in a
1318: follow up patch for the nat-t oa support.
1319:
1320: * src/racoon/: handler.c, handler.h, isakmp_quick.c, pfkey.c: Add
1321: support for nat-t oa payload handling. Submitted by Timo Teras.
1322:
1323: 2007-12-04 Matthew Grooms <mgrooms@shrew.net>
1324:
1325: * src/racoon/: ipsec_doi.c, ipsec_doi.h, isakmp_quick.c: Modify
1326: ipsecdoi_sockaddr2id() to obtain an id without specifying the exact
1327: prefix length. Correct a memory leak in phase2. Both submitted by
1328: Timo Teras.
1329:
1330: 2007-12-01 Thomas Klausner <wiz@netbsd.org>
1331:
1332: * src/racoon/racoon.conf.5: Fix typos. New sentence, new line.
1333:
1334: 2007-11-29 Yvan Vanhullebus <vanhu@netasq.com>
1335:
1336: * src/racoon/Makefile.am: From Natanael Copa: fixed a race
1337: condition when building yacc stuff.
1338:
1339: 2007-11-09 Yvan Vanhullebus <vanhu@netasq.com>
1340:
1341: * src/racoon/pfkey.c: From Arnaud Ebalard: Some sanity checking in
1342: pk_recv()
1343:
1344: * src/racoon/policy.c: From Arnaud Ebalard: Better matching of SPD
1345: entries in getsp_r().
1346:
1347: * src/racoon/isakmp_quick.c: From Arnaud Ebalard: Added some debug
1348: in get_proposal_r().
1349:
1350: 2007-10-19 Emmanuel Dreyfus <manu@netbsd.org>
1351:
1352: * src/racoon/: isakmp_cfg.c, isakmp_unity.c, isakmp_unity.h,
1353: racoon.conf.5: Add SPLITNET_{INCLUDR_LOCAL}_CIDR to hook scripts
1354:
1355: 2007-10-15 Yvan Vanhullebus <vanhu@netasq.com>
1356:
1357: * src/libipsec/pfkey.c: Try to increase the buffer size of the
1358: pfkey socket, this may help things when we have a huge SPD
1359:
1360: 2007-10-02 Yvan Vanhullebus <vanhu@netasq.com>
1361:
1362: * src/racoon/crypto_openssl.c: From Scott Lamb: include plog.h to
1363: work with the new plog macro.
1364:
1365: * src/racoon/kmpstat.c: From Scott Lamb: plog changed to _plog to
1366: work with new plog macro
1367:
1368: * src/racoon/: plog.c, plog.h: From Scott Lamb: new plog macro.
1369:
1370: 2007-09-19 Matthew Grooms <mgrooms@shrew.net>
1371:
1372: * src/racoon/isakmp.c: Set REUSE option on sockets to prevent
1373: failures associated with closing and immediately re-opening.
1374: Submitted by Gabriel Somlo.
1375:
1376: * src/racoon/isakmp_unity.c: Prevent duplicate entries in splitnet
1377: list. Submitted by Gabriel Somlo.
1378:
1379: 2007-09-13 Matthew Grooms <mgrooms@shrew.net>
1380:
1381: * configure.ac: Fix autoconf check for selinux support. Submitted
1382: by Joy Latten.
1383:
1384: 2007-09-12 Matthew Grooms <mgrooms@shrew.net>
1385:
1386: * src/racoon/: cfparse.y, cftoken.l, handler.c, isakmp_quick.c,
1387: pfkey.c, racoon.conf.5, sainfo.c, sainfo.h: Implement clientaddr
1388: sainfo remote id option and refine the sainfo man page syntax.
1389:
1390: 2007-09-05 Matthew Grooms <mgrooms@shrew.net>
1391:
1392: * src/racoon/sainfo.c: Sort sainfo sections on insert and improve
1393: matching logic.
1394:
1395: 2007-09-03 Matthew Grooms <mgrooms@shrew.net>
1396:
1397: * src/racoon/: cftoken.l, racoon.conf.5: Correct the syntax for
1398: wins4 in the man page and add nbns4 as an alias. Pointed out by
1399: Claas Langbehn.
1400:
1401: 2007-08-07 Emmanuel Dreyfus <manu@netbsd.org>
1402:
1403: * src/racoon/isakmp_xauth.c: src/racoon/isakmp_xauth.c: Don't mix
1404: up RADIUS authentication and authorization ports. Allow
1405: interoperability with freeradius
1406:
1407: 2007-07-24 Matthew Grooms <mgrooms@shrew.net>
1408:
1409: * NEWS: Update NEWS file with additional 0.7 improvements.
1410:
1411: 2007-07-18 Matthew Grooms <mgrooms@shrew.net>
1412:
1413: * src/racoon/racoon.conf.5: Various racoon configuration manpage
1414: updates.
1415:
1416: 2007-07-18 Yvan Vanhullebus <vanhu@netasq.com>
1417:
1418: * configure.ac, src/libipsec/ipsec_dump_policy.c,
1419: src/libipsec/ipsec_get_policylen.c,
1420: src/libipsec/ipsec_strerror.c, src/libipsec/key_debug.c,
1421: src/libipsec/libpfkey.h, src/libipsec/pfkey.c,
1422: src/libipsec/pfkey_dump.c, src/libipsec/policy_parse.y,
1423: src/libipsec/policy_token.l, src/libipsec/test-policy-priority.c,
1424: src/racoon/admin.c, src/racoon/backupsa.c, src/racoon/cfparse.y,
1425: src/racoon/cftoken.l, src/racoon/ipsec_doi.c,
1426: src/racoon/isakmp.c, src/racoon/isakmp_inf.c,
1427: src/racoon/isakmp_quick.c, src/racoon/pfkey.c,
1428: src/racoon/policy.c, src/racoon/proposal.c,
1429: src/racoon/remoteconf.c, src/racoon/sainfo.c,
1430: src/racoon/session.c, src/racoon/sockmisc.c,
1431: src/racoon/strnames.c, src/setkey/parse.y, src/setkey/setkey.c,
1432: src/setkey/token.l: use a single PATH_IPSEC_H to fix some
1433: path_to_ipsec.h issues
1434:
1435: 2007-07-16 Yvan Vanhullebus <vanhu@netasq.com>
1436:
1437: * src/racoon/grabmyaddr.c: fixed a socket leak
1438:
1439: * src/racoon/proposal.c: indentation
1440:
1441: 2007-06-07 Emmanuel Dreyfus <manu@netbsd.org>
1442:
1443: * src/racoon/isakmp_cfg.c: From Paul Winder
1444: <Paul.Winder@tadpole.com>: Fix ignored INTERNAL_DNS4_LIST
1445:
1446: 2007-06-06 Yvan Vanhullebus <vanhu@netasq.com>
1447:
1448: * src/racoon/: eaytest.c, var.h: From Rong-En Fan: fix compilation
1449: with gcc 4.2
1450:
1451: * src/racoon/session.c: From Jianli Liu: speed up interfaces update
1452: when they change.
1453:
1454: * src/racoon/handler.c: ignore obsolete lifebyte when validating
1455: reloaded configuration
1456:
1457: 2007-05-31 Emmanuel Dreyfus <manu@netbsd.org>
1458:
1459: * src/racoon/: main.c, policy.h, security.c: From Joy Latten
1460: <latten@austin.ibm.com> Fix file descriptor shortage when using
1461: labeled IPsec.
1462:
1463: 2007-05-30 Emmanuel Dreyfus <manu@netbsd.org>
1464:
1465: * src/racoon/kmpstat.c: From Jianli Liu <jlliu@nortel.com>: In
1466: racoonctl, use the specified socket path instead of the default
1467: location
1468:
1469: 2007-05-16 Christos Zoulas <christos@netbsd.org>
1470:
1471: * src/racoon/cfparse.y: coverity CID 4168: yyerror() does not
1472: return, so we proceed to de-reference NULL. Make it return -1
1473: instead like in other places.
1474:
1475: * src/racoon/cfparse.y: coverity CID 4170: yyerror() does not
1476: return, so we proceed to de-reference NULL. Make it return -1
1477: instead like in other places.
1478:
1479: 2007-05-04 Yvan Vanhullebus <vanhu@netasq.com>
1480:
1481: * src/racoon/handler.c: search a ph1 by address if iph2->ph1 is
1482: NULL when validating the new config
1483:
1484: * src/racoon/handler.c: added some debug in getph1byaddr() to track
1485: some port matching problems with NAT-T
1486:
1487: * src/racoon/isakmp.c: added some debug in isakmp_chkph1there() to
1488: track some port matching problems with NAT-T
1489:
1490: * src/racoon/isakmp_inf.c: added some debug for DELETE_SA process
1491:
1492: * src/racoon/pfkey.c: Force the update of ph2 in pk_recvupdate() if
1493: NAT_T support, to solve some port match problems with the first
1494: IPSec SAs negotiated as initiator
1495:
1496: 2007-04-04 Yvan Vanhullebus <vanhu@netasq.com>
1497:
1498: * src/racoon/ipsec_doi.c: checks proto_id in ipsecdoi_chkcmpids()
1499:
1500: * src/racoon/oakley.c: dumps peer's ID and peer's certificate
1501: subject /subjectaltname if they don't match
1502:
1503: 2007-03-26 Yvan Vanhullebus <vanhu@netasq.com>
1504:
1505: * src/racoon/isakmp_inf.c: Store the DPD main scheduler in ph1
1506: handler, to be able to cancel it when removing the handler, and some
1507: minor cleanups in DPD code
1508:
1509: 2007-03-24 Christos Zoulas <christos@netbsd.org>
1510:
1511: * src/racoon/isakmp_xauth.c: PR/36069: Huang Yushuo: racoon can't
1512: work with pam_group Set RUSER.
1513:
1514: 2007-03-23 Yvan Vanhullebus <vanhu@netasq.com>
1515:
1516: * src/racoon/: ipsec_doi.c, security.c: From Joy Latten: fix a
1517: segfault when using security labels between 32bit and 64bit host.
1518:
1519: * src/racoon/handler.c: expire zombie handlers in getph2byid(), to
1520: avoid situations where we'll never negotiate a phase2 again
1521:
1522: * src/racoon/: oakley.c, racoon.conf.5: From Cyrus Rahman: give
1523: more details about what is checked when using certificates to
1524: authenticate
1525:
1526: 2007-03-22 Yvan Vanhullebus <vanhu@netasq.com>
1527:
1528: * src/racoon/: cfparse.y, ipsec_doi.c: fixed subnet check to
1529: generate IPV4_ADDRESS when needed in sockaddr2id()
1530:
1531: 2007-03-21 Yvan Vanhullebus <vanhu@netasq.com>
1532:
1533: * src/racoon/: handler.c, isakmp.c, isakmp_inf.c, pfkey.c: NULL
1534: sched check is now done in SCHED_KILL
1535:
1536: * src/racoon/schedule.h: checks if arg is NULL in SCHED_KILL
1537:
1538: 2007-03-15 Yvan Vanhullebus <vanhu@netasq.com>
1539:
1540: * src/racoon/grabmyaddr.c: From Yves-Alexis Perez: enable
1541: monitoring of ipv6 address changes on Linux.
1542:
1543: * src/racoon/isakmp.c: Consider a negotiation timeout when
1544: retry_counter is <=0 instead of < 0
1545:
1546: 2007-02-28 Matthew Grooms <mgrooms@shrew.net>
1547:
1548: * src/racoon/ipsec_doi.c: Add logic to allow ip address ids to be
1549: matched to ip subnet ids when appropriate.
1550:
1551: 2007-02-21 Yvan Vanhullebus <vanhu@netasq.com>
1552:
1553: * src/racoon/ipsec_doi.c: block variable declaration before code in
1554: ipsecdoi_id2str()
1555:
1556: 2007-02-20 Yvan Vanhullebus <vanhu@netasq.com>
1557:
1558: * src/racoon/isakmp_inf.c: Removed a debug printf....
1559:
1560: * src/racoon/isakmp.c: Only delete a generated SPD if its creation
1561: date matches the creation date of the SA we are currently deleting
1562:
1563: * src/racoon/: handler.c, isakmp_var.h: updated delete_spd() calls
1564:
1565: * src/racoon/: isakmp_inf.c, pfkey.c: fills creation date of
1566: generated SPDs
1567:
1568: * src/racoon/policy.h: added 'created' var
1569:
1570: 2007-02-19 Yvan Vanhullebus <vanhu@netasq.com>
1571:
1572: * src/racoon/isakmp.c: Removed a debug printf....
1573:
1574: 2007-02-16 Yvan Vanhullebus <vanhu@netasq.com>
1575:
1576: * src/racoon/ipsec_doi.c: From Olivier Warin: Fix a %zu in a
1577: printf.
1578:
1579: 2007-02-15 Emmanuel Dreyfus <manu@netbsd.org>
1580:
1581: * src/racoon/security.c: Missing SELinux file
1582:
1583: * configure.ac: Missing stuff for SELinux
1584:
1585: 2007-02-15 Yvan Vanhullebus <vanhu@netasq.com>
1586:
1587: * src/racoon/isakmp_inf.c: From "Uncle Pedro" on sf.net: Just
1588: expire a ph1 handle when receiving a DELETE-SA instead of calling
1589: purge_remote().
1590:
1591: * src/racoon/isakmp.c: Fixed the way phase1/2 messages are
1592: sent/resent, to avoid zombie handles and access to freed memory
1593:
1594: 2007-02-02 Yvan Vanhullebus <vanhu@netasq.com>
1595:
1596: * src/racoon/cfparse.y: Fixed a check of NAT-T support in libipsec
1597:
1598: 2007-02-01 Yvan Vanhullebus <vanhu@netasq.com>
1599:
1600: * src/racoon/isakmp_inf.c: From "Uncle Pedro" on sf.net: When
1601: receiving an ISAKMP DELETE_SA, get the cookie of the SA to be
1602: deleted from payload instead of just deleting the ISAKMP SA used to
1603: protect the informational exchange.
1604:
1605: 2006-12-26 Arnaud Lacombe <alc@netbsd.org>
1606:
1607: * src/racoon/ipsec_doi.c: CID-4167: check for 'iph1->approval !=
1608: NULL'
1609:
1610: 2006-12-23 Thomas Klausner <wiz@netbsd.org>
1611:
1612: * src/racoon/racoon.conf.5: Use even more macros.
1613:
1614: * src/racoon/racoon.conf.5: Use more macros.
1615:
1616: * src/racoon/racoon.conf.5: Serial comma, and bump date for
1617: previous.
1618:
1619: 2006-12-18 Yvan Vanhullebus <vanhu@netasq.com>
1620:
1621: * src/racoon/crypto_openssl.c: From Joy Latten: fix a memory leak
1622:
1623: 2006-12-10 Emmanuel Dreyfus <manu@netbsd.org>
1624:
1625: * src/: libipsec/Makefile.am, libipsec/libpfkey.h,
1626: libipsec/pfkey.c, racoon/backupsa.c, racoon/cfparse.y,
1627: racoon/pfkey.c: Bring back API and ABI backward compatibility
1628: with previous libipsec before recent interface change. Bump libipsec
1629: minor version. Remove ifdefs in struct pfkey_send_sa_args to avoid
1630: ABI compatibility lossage. Add a capability flags to detect missing
1631: optional feature in libipsec
1632:
1633: * src/racoon/: Makefile.am, doc/README.plainrsa: From Joy Latten:
1634: README.plainrsa documenting plain RSA auth
1635:
1636: 2006-12-09 Emmanuel Dreyfus <manu@netbsd.org>
1637:
1638: * configure.ac, src/libipsec/libpfkey.h, src/libipsec/pfkey.c,
1639: src/racoon/Makefile.am, src/racoon/backupsa.c,
1640: src/racoon/backupsa.h, src/racoon/cftoken.l,
1641: src/racoon/ipsec_doi.c, src/racoon/ipsec_doi.h,
1642: src/racoon/isakmp_inf.c, src/racoon/isakmp_quick.c,
1643: src/racoon/pfkey.c, src/racoon/policy.c, src/racoon/policy.h,
1644: src/racoon/proposal.c, src/racoon/proposal.h,
1645: src/racoon/remoteconf.c: From Joy Latten: Add support for SELinux
1646: security contexts. Also cleanup the libipsec interface for adding
1647: and updating security associations.
1648:
1649: * src/racoon/racoon.conf.5: From Simon Chang: More hints about
1650: plain RSA authentication
1651:
1652: 2006-12-05 Yvan Vanhullebus <vanhu@netasq.com>
1653:
1654: * src/racoon/: proposal.c, proposal.h, racoon.conf.5: Check keys
1655: length regarding proposal_check level
1656:
1657: 2006-11-16 Matthew Grooms <mgrooms@shrew.net>
1658:
1659: * src/racoon/sainfo.c: Correct issues associated with anonymous
1660: sainfo selection in racoon.
1661:
1662: 2006-11-09 Christos Zoulas <christos@netbsd.org>
1663:
1664: * src/racoon/crypto_openssl.c: eliminate the only variable stack
1665: array allocation.
1666:
1667: 2006-10-31 Christian Biere <cbiere@netbsd.org>
1668:
1669: * src/racoon/sockmisc.c: Don't define the deprecated
1670: IPV6_RECVDSTADDR if the "advanced IPv6 API" is used because
1671: IPV6_RECVPKTINFO and IPV6_PKTINFO are used to prevent potential bugs
1672: in the future just in case that the numeric value of the socket
1673: option is ever recycled.
1674:
1675: 2006-10-22 Yvan Vanhullebus <vanhu@netasq.com>
1676:
1677: * src/racoon/: backupsa.c, cfparse.y: From Michal Ruzicka: fix
1678: typos
1679:
1680: 2006-10-19 Yvan Vanhullebus <vanhu@netasq.com>
1681:
1682: * src/racoon/sainfo.c: From Matthew Grooms: use
1683: ipsecdoi_chkcmpids() and changed src/dst to loc/rmt in getsainfo().
1684:
1685: * src/racoon/: ipsec_doi.c, ipsec_doi.h: From Matthew Grooms: Added
1686: ipsecdoi_chkcmpids() function.
1687:
1688: 2006-10-09 Emmanuel Dreyfus <manu@netbsd.org>
1689:
1690: * src/racoon/proposal.c: Fix memory leak (Coverity 3438 and 3437)
1691:
1692: * src/racoon/isakmp_unity.c: Correctly check read() return value:
1693: it's signed (Coverity 1251)
1694:
1695: 2006-10-06 Emmanuel Dreyfus <manu@netbsd.org>
1696:
1697: * configure.ac, src/libipsec/pfkey_dump.c, src/racoon/algorithm.c,
1698: src/racoon/algorithm.h, src/racoon/cftoken.l,
1699: src/racoon/crypto_openssl.c, src/racoon/crypto_openssl.h,
1700: src/racoon/eaytest.c, src/racoon/ipsec_doi.c,
1701: src/racoon/ipsec_doi.h, src/racoon/oakley.h, src/racoon/pfkey.c,
1702: src/racoon/racoon.conf.5, src/racoon/strnames.c,
1703: src/setkey/setkey.8, src/setkey/test-pfkey.c, src/setkey/token.l:
1704: Camellia cipher support as in RFC 4312, from Tomoyuki Okazaki
1705: <okazaki@kick.gr.jp>
1706:
1707: 2006-10-03 Emmanuel Dreyfus <manu@netbsd.org>
1708:
1709: * src/racoon/admin.c: fix endianness issue introduced yesterday
1710:
1711: 2006-10-03 Yvan Vanhullebus <vanhu@netasq.com>
1712:
1713: * src/racoon/racoon.conf.5: Added remoteid/ph1id syntax
1714:
1715: * src/racoon/: cfparse.y, cftoken.l: Parses remoteid/ph1id values
1716:
1717: * src/racoon/: handler.c, isakmp_quick.c, pfkey.c, sainfo.c: Uses
1718: remoteid/ph1id values
1719:
1720: * src/racoon/: remoteconf.h, sainfo.h: Added remoteid/ph1id values
1721:
1722: 2006-10-02 Emmanuel Dreyfus <manu@netbsd.org>
1723:
1724: * src/racoon/isakmp_base.c:
1725: avoid reusing free'd pointer (Coverity 2613)
1726:
1727: * src/racoon/isakmp_inf.c: Check for NULL pointer (Coverity 4175)
1728:
1729: * src/racoon/isakmp_ident.c: Remove dead code (Coverity 3451)
1730:
1731: * src/racoon/algorithm.c: Fix array overrun (Coverity 4172)
1732:
1733: * src/racoon/admin.c: Fix memory leak (Coverity 2002)
1734:
1735: * src/racoon/: admin.c, isakmp.c, sockmisc.c: Fix memory leak
1736: (Coverity 2001), refactor the code to use port get/set functions
1737:
1738: * src/racoon/admin.c: Avoid reusing free'd pointer (Coverity 4200)
1739:
1740: * src/racoon/oakley.c: Don't use NULL pointer (Coverity 3443),
1741: reformat to 80 char/line
1742:
1743: 2006-10-02 Tom Spindler <dogcow@netbsd.org>
1744:
1745: * src/racoon/ipsec_doi.c: If you're going to initialize a pointer,
1746: you have to init it with a pointer type, not an int.
1747:
1748: 2006-10-02 Emmanuel Dreyfus <manu@netbsd.org>
1749:
1750: * src/racoon/isakmp.c: Don't use NULL pointer (Coverity 3439)
1751:
1752: * src/racoon/ipsec_doi.c: Don't use NULL pointer (Coverity 1334)
1753:
1754: * src/racoon/pfkey.c: Don't use NULL pointer (Coverity 944)
1755:
1756: * src/racoon/proposal.c: Don't use NULL pointer (Coverity 941)
1757:
1758: * src/racoon/racoonctl.c: Don't use NULL pointer (Coverity 942)
1759:
1760: * src/racoon/sockmisc.c: Don't use null pointer (Coverity 863)
1761:
1762: 2006-10-01 Emmanuel Dreyfus <manu@netbsd.org>
1763:
1764: * src/racoon/ipsec_doi.c: Fix memory leak (Coverity 4181)
1765:
1766: * src/racoon/isakmp.c: Check that iph1->remote is not NULL before
1767: using it (Coverity 3436)
1768:
1769: 2006-09-30 Emmanuel Dreyfus <manu@netbsd.org>
1770:
1771: * src/racoon/isakmp_agg.c: Remove dead code (Coverity 4165)
1772:
1773: * src/racoon/isakmp_cfg.c: Fix memory leak (Coverity 4179)
1774:
1775: * src/racoon/samples/roadwarrior/client/: phase1-down.sh,
1776: phase1-up.sh: update the scripts for working around routing
1777: problems on NetBSD
1778:
1779: * src/racoon/session.c: Reuse existing code for closing IKE
1780: sockets, and avoid screwing things by setting p->sock = -1, which is
1781: not expected (Coverity 4173).
1782:
1783: * src/racoon/admin.c: Do not free id and key, as they are used
1784: later
1785:
1786: 2006-09-29 Emmanuel Dreyfus <manu@netbsd.org>
1787:
1788: * src/racoon/racoonctl.c: Fix the fix: handle_recv closes the
1789: socket, so we must call com_init before sending any data.
1790:
1791: 2006-09-28 Emmanuel Dreyfus <manu@netbsd.org>
1792:
1793: * src/racoon/isakmp_xauth.c: Fix unchecked mallocs (Coverity 4176,
1794: 4174)
1795:
1796: * src/racoon/racoonctl.c: Fix access after free (Coverity 4178)
1797:
1798: 2006-09-26 Emmanuel Dreyfus <manu@netbsd.org>
1799:
1800: * src/racoon/cfparse.y: Fix memory leak (Coverity)
1801:
1802: * src/racoon/backupsa.c: Fix memory leak (Coverity)
1803:
1804: * src/racoon/admin.c: Remove dead code (Coverity)
1805:
1806: * src/racoon/admin.c: Fix memory leak (Coverity)
1807:
1808: * src/racoon/admin.c: One more memory leak
1809:
1810: * src/racoon/admin.c: Fix memory leak in racoonctl (Coverity)
1811:
1812: * src/racoon/ipsec_doi.c: Fix buffer overflow. Also fix credits: SA
1813: bundle fix was contributed by Jeff Bailey, not Matthew Grooms.
1814: Matthew updated the patch for current code, though.
1815:
1816: * src/racoon/: pfkey.c, proposal.c: fix SA bundle (e.g.: for
1817: negotiating ESP+IPcomp)
1818:
1819: 2006-09-25 Yvan Vanhullebus <vanhu@netasq.com>
1820:
1821: * src/racoon/isakmp.c: From Yves-Alexis Perez: struct ip -> struct
1822: iphdr for Linux
1823:
1824: 2006-09-25 Emmanuel Dreyfus <manu@netbsd.org>
1825:
1826: * src/racoon/isakmp.c: style (mostly for testing
1827: ipsec-tools-commits@netbsd.org)
1828:
1829: * src/racoon/ipsec_doi.c: Fix double free, from Matthew Grooms
1830:
1831: 2006-09-21 Yvan Vanhullebus <vanhu@netasq.com>
1832:
1833: * src/libipsec/pfkey.c: use sysdep_sa_len to make it compile on
1834: Linux
1835:
1836: 2006-09-19 Thomas Klausner <wiz@netbsd.org>
1837:
1838: * src/racoon/racoon.conf.5: Bump date for ike_frag force.
1839:
1840: * src/racoon/: plainrsa-gen.8, racoon.conf.5: New sentence, new
1841: line.
1842:
1843: * src/racoon/: racoon.conf.5, plainrsa-gen.8: Remove trailing
1844: whitespace.
1845:
1846: 2006-09-19 Yvan Vanhullebus <vanhu@netasq.com>
1847:
1848: * src/racoon/proposal.c: From Yves-Alexis Perez: fixes default
1849: value for encmodesv in set_proposal_from_policy()
1850:
1851: * src/racoon/isakmp.c: always include some headers, as they are
1852: required even without NAT-T
1853:
1854: * src/: libipsec/pfkey_dump.c, setkey/token.l: From Larry Baird:
1855: define SADB_X_EALG_AESCBC as SADB_X_EALG_AES if needed
1856:
1857: * src/racoon/crypto_openssl.c: From Larry Baird: some printf() ->
1858: plog()
1859:
1860: 2006-09-18 Emmanuel Dreyfus <manu@netbsd.org>
1861:
1862: * src/racoon/: cfparse.y, cftoken.l, isakmp.c, isakmp_frag.h,
1863: isakmp_inf.c, racoon.conf.5, remoteconf.c: From Matthew Grooms:
1864: ike_frag force option to force the use of IKE on first packet
1865: exchange (prior to peer consent)
1866:
1867: * src/racoon/isakmp.c: From Matthew Grooms: handle IKE frag used in
1868: the first packet. That should not normally happen, as the initiator
1869: does not know yet if the responder can handle IKE frag. However, in
1870: some setups, the first packet is too big to get through, and
1871: assuming the peer supports IKE frag is the only way to go.
1872:
1873: racoon should have a setting in the remote section to do that
1874: (something like ike_frag force)
1875:
1876: 2006-09-16 Emmanuel Dreyfus <manu@netbsd.org>
1877:
1878: * src/racoon/ipsec_doi.c: Trivial bugfix in RFC2407 4.6.2
1879: conformance, from Matthew Grooms
1880:
1881: 2006-09-15 Emmanuel Dreyfus <manu@netbsd.org>
1882:
1883: * src/racoon/ipsec_doi.c: Fix build on Linux
1884:
1885: For older changes see ChangeLog.old