File:  [ELWIX - Embedded LightWeight unIX -] / embedaddon / ipsec-tools / ChangeLog
Revision 1.1.1.3 (vendor branch)
Wed Nov 2 10:45:56 2016 UTC (7 years, 7 months ago) by misho
Branches: ipsec-tools, MAIN
CVS tags: v0_8_2p2, HEAD
ipsec-tools 0.8.2

    1: 2013-07-12  Timo Teras <timo.teras@iki.fi>
    2: 
    3: 	* src/racoon/main.c: From Sven Vermeulen
    4: 	  <sven.vermeulen@siphos.be>: Moves ploginit() up, allowing logging
    5: 	  events from init_avc() to show up as well.
    6: 
    7: 2013-06-18  Timo Teras <timo.teras@iki.fi>
    8: 
    9: 	* src/racoon/ipsec_doi.c: From Paul Barker: Remove redundant memset
   10: 	  after calloc that caused compile failures with gcc 4.8 due to error:
   11: 	  argument to 'sizeof' in 'memset' call is the same expression as the
   12: 	  destination; did you mean to dereference.
   13: 
   14: 2013-06-03  Timo Teras <timo.teras@iki.fi>
   15: 
   16: 	* src/racoon/admin.c: From Alexander Sbitnev
   17: 	  <alexander.sbitnev@gmail.com>: fix admin port establish-sa for
   18: 	  tunnel mode SAs.
   19: 
   20: 2013-05-23  Timo Teras <timo.teras@iki.fi>
   21: 
   22: 	* src/include-glibc/net/pfkeyv2.h: From Rainer Weikusat
   23: 	  <rweikusat@mobileactivedefense.com>: Fix SADB_X_EALG_CASTCBC
   24: 	  definition to use system definition (which differs at least on
   25: 	  Linux).
   26: 
   27: 2013-04-12  Timo Teras <timo.teras@iki.fi>
   28: 
   29: 	* src/racoon/isakmp_cfg.c: From Rainer Weikusat
   30: 	  <rweikusat@mobileactivedefense.com>: Do not send out illegal zero
   31: 	  length MODE_CFG attributes.
   32: 
   33: 	* src/racoon/: grabmyaddr.c, isakmp_inf.c: Some logging
   34: 	  improvements.
   35: 
   36: 2013-02-05  Timo Teras <timo.teras@iki.fi>
   37: 
   38: 	* src/racoon/grabmyaddr.c: Fix source port selection
   39: 
   40: 	* src/racoon/isakmp_xauth.c: From Ian West <ian@niw.com.au>: Fix
   41: 	  double free of the radius info on config reload.
   42: 
   43: 2013-01-24  Timo Teras <timo.teras@iki.fi>
   44: 
   45: 	* src/racoon/isakmp_inf.c: Fix handling of deletion notification.
   46: 
   47: 2013-01-08  tag ipsec-tools-0_8_1
   48: 
   49: 2013-01-08  Timo Teras <timo.teras@iki.fi>
   50: 
   51: 	* NEWS, configure.ac: ipsec-tools-0.8.1
   52: 
   53: 	* configure.ac: Fix errors from automake 1.13
   54: 
   55: 	* src/include-glibc/Makefile.am: Don't dereference the directory
   56: 	  symlink which we might be recreating.
   57: 
   58: 2012-12-24  Timo Teras <timo.teras@iki.fi>
   59: 
   60: 	* src/racoon/crypto_openssl.c: From Götz Babin-Ebell
   61: 	  <g.babin-ebell@novamedia.de>: Smarter X.509 subject name compare.
   62: 
   63: 	* configure.ac, src/racoon/crypto_openssl.c,
   64: 	  src/racoon/missing/crypto/sha2/sha2.c: From Götz Babin-Ebell
   65: 	  <g.babin-ebell@novamedia.de>: Require OpenSSL 0.9.8s or higher
   66: 
   67: 2012-08-29  Timo Teras <timo.teras@iki.fi>
   68: 
   69: 	* src/racoon/isakmp_inf.c: From Roman Hoog Antink <rha@open.ch>:
   70: 	  Accept DPD messages with cookies also in reversed order for
   71: 	  compatibility. At least Cisco 836 running IOS 12.3(8)T does this.
   72: 
   73: 	* src/racoon/oakley.c: From Roman Hoog Antink <rha@open.ch>: add
   74: 	  remote's IP address to the "certificate not verified" error message.
   75: 
   76: 	* src/racoon/oakley.c: From Roman Hoog Antink <rha@open.ch>: do not
   77: 	  print unnecessary warning about non-verified certificate when using
   78: 	  raw plain-rsa.
   79: 
   80: 	* src/racoon/isakmp.c: From Rainer Weikusat
   81: 	  <rweikusat@mobileactivedefense.com>: Release unused phase2 of
   82: 	  passive remotes after acquire.
   83: 
   84: 	* src/racoon/isakmp.c: From Wolfgang Schmieder
   85: 	  <wolfgang.schmieder@honeywell.com>: setup phase1 port properly.
   86: 
   87: 	* src/racoon/: cfparse.y, cftoken.l, racoon.conf.5: Allow inherited
   88: 	  remote blocks without additional remote statements to be specified
   89: 	  in a simpler way. patch by Roman Hoog Antink <rha@open.ch>
   90: 
   91: 2012-08-23  Timo Teras <timo.teras@iki.fi>
   92: 
   93: 	* src/racoon/crypto_openssl.c: From Nakano Takaharu: Fix bignum
   94: 	  memory allocation.
   95: 
   96: 2012-01-01  Timo Teras <timo.teras@iki.fi>
   97: 
   98: 	* src/racoon/isakmp_unity.c: From Rainer Weikusat
   99: 	  <rweikusat@mobileactivedefense.com>: Fix one byte too short memory
  100: 	  allocation in isakmp_unity.c:splitnet_list_2str().
  101: 
  102: 2011-11-17  Yvan Vanhullebus <vanhu@netasq.com>
  103: 
  104: 	* src/racoon/handler.c: fixed some crashes in LIST_FOREACH where
  105: 	  current element could be removed during the loop
  106: 
  107: 2011-11-14  Timo Teras <timo.teras@iki.fi>
  108: 
  109: 	* src/libipsec/pfkey.c: From Marcelo Leitner <mleitner@redhat.com>:
  110: 	  do not shrink pfkey socket buffers (if system default is larger than
  111: 	  what we want as minimum)
  112: 
  113: 2011-08-12  Timo Teras <timo.teras@iki.fi>
  114: 
  115: 	* src/racoon/privsep.c: Have privilege separation child process
  116: 	  exit if the parent exits.
  117: 
  118: 	* Makefile.am: Create ChangeLog for proper CVS branch.
  119: 
  120: 2011-03-18  tag ipsec-tools-0_8_0
  121: 
  122: 2011-03-18  Yvan Vanhullebus <vanhu@netasq.com>
  123: 
  124: 	* configure.ac: Yes: 0.8.0 is out !!!
  125: 
  126: 	* NEWS: updated News for 0.8 branch
  127: 
  128: 2011-03-17  Yvan Vanhullebus <vanhu@netasq.com>
  129: 
  130: 	* src/racoon/oakley.c: fixed a memory leak in
  131: 	  oakley_append_rmconf_cr() while generating plist. patch by Roman
  132: 	  Hoog Antink <rha@open.ch>
  133: 
  134: 	* src/racoon/oakley.c: free name later, to avoid a memory use after
  135: 	  free in oakley_check_certid(). also give iph1->remote to some plog()
  136: 	  calls. patch by Roman Hoog Antink <rha@open.ch>
  137: 
  138: 	* src/racoon/oakley.c: fixed a memory leak in
  139: 	  oakley_check_certid(). patch by Roman Hoog Antink <rha@open.ch>
  140: 
  141: 2011-03-15  Yvan Vanhullebus <vanhu@netasq.com>
  142: 
  143: 	* src/racoon/: isakmp.c, isakmp_inf.c, pfkey.c: directly call
  144: 	  isakmp_ph1delete() instead of scheduling isakmp_ph1delete_stub(), as
  145: 	  it is useless and can lead to memory access after free
  146: 
  147: 2011-03-14  Timo Teras <timo.teras@iki.fi>
  148: 
  149: 	* src/racoon/: grabmyaddr.c, handler.c, isakmp.c, isakmp_inf.c,
  150: 	  isakmp_quick.c, nattraversal.c, pfkey.c, policy.c, sockmisc.c,
  151: 	  sockmisc.h, throttle.c: Explicitly compare return value of
  152: 	  cmpsaddr() against a return value define to make it more obvious
  153: 	  what is the intended action. One more return value is also added, to
  154: 	  fix comparison of security policy descriptors. Namely, getsp()
  155: 	  should not allow wildcard matching (as the comment says, it does
  156: 	  exact matching) - otherwise we get problems when kernel has generic
  157: 	  policy with no ports, and a second similar policy with ports.
  158: 
  159: 2011-03-14  Yvan Vanhullebus <vanhu@netasq.com>
  160: 
  161: 	* src/racoon/: cfparse.y, isakmp_xauth.c, isakmp_xauth.h,
  162: 	  remoteconf.c, remoteconf.h, rsalist.c, rsalist.h: avoid some
  163: 	  memory leaks / free memory access when reloading conf and have
  164: 	  inherited config. patch from Roman Hoog Antink <rha@open.ch>
  165: 
  166: 	* src/racoon/handler.c: removed a useless comment
  167: 
  168: 	* src/racoon/handler.c: check if we got RMCONF_ERR_MULTIPLE from
  169: 	  getrmconf_by_ph1() in revalidate_ph1tree_rmconf()
  170: 
  171: 2011-03-11  Yvan Vanhullebus <vanhu@netasq.com>
  172: 
  173: 	* src/racoon/: handler.c, isakmp.c: directly delete a ph1 in
  174: 	  remove_ph1() instead of scheduling it, to avoid (completely ?) a
  175: 	  race condition when reloading configuration
  176: 
  177: 2011-03-06  Timo Teras <timo.teras@iki.fi>
  178: 
  179: 	* src/racoon/privsep.c: Quiet a gcc warning when strict-aliasing
  180: 	  checks are enabled. Reported by Stephen Clark.
  181: 
  182: 2011-03-02  Yvan Vanhullebus <vanhu@netasq.com>
  183: 
  184: 	* src/racoon/session.c: flush sainfo list when closing session.
  185: 	  patch by Roman Hoog Antink <rha@open.ch>
  186: 
  187: 	* src/racoon/: remoteconf.c, rsalist.c, rsalist.h: free rsa
  188: 	  structures when deleting a struct rmconf. patch by Roman Hoog Antink
  189: 	  <rha@open.ch>
  190: 
  191: 	* src/racoon/: cfparse.y, remoteconf.c, remoteconf.h: free spspec
  192: 	  when deleting a rmconf struct. patch by Roman Hoog Antink
  193: 	  <rha@open.ch>
  194: 
  195: 	* src/racoon/: remoteconf.c, session.c: fixed some memory leaks in
  196: 	  remoteconf. patch by Roman Hoog Antink <rha@open.ch>
  197: 
  198: 	* src/racoon/: cfparse.y, prsa_par.y: fixed some memory leaks
  199: 	  during configuration parsing. patch by Roman Hoog Antink
  200: 	  <rha@open.ch>
  201: 
  202: 2011-03-01  Yvan Vanhullebus <vanhu@netasq.com>
  203: 
  204: 	* src/racoon/: isakmp.c, pfkey.c: plog text fixes, patch from M E
  205: 	  Andersson <debian@gisladisker.se>
  206: 
  207: 	* src/racoon/cfparse.y: reset yyerrorcount before doing parse
  208: 	  stuff. patch by Roman Hoog Antink <rha@open.ch>
  209: 
  210: 2011-02-20  Timo Teras <timo.teras@iki.fi>
  211: 
  212: 	* src/racoon/oakley.c: From Roman Hoog Antink <rha@open.ch>: Fix
  213: 	  memory leak when using plain RSA key authentication.
  214: 
  215: 2011-02-11  Timo Teras <timo.teras@iki.fi>
  216: 
  217: 	* src/racoon/plainrsa-gen.c: From Mats E Andersson
  218: 	  <debian@gisladisker.se>: Fix fprintf format specifier usage from
  219: 	  previous patch.
  220: 
  221: 2011-02-10  Timo Teras <timo.teras@iki.fi>
  222: 
  223: 	* src/racoon/plainrsa-gen.c: From Mats Erik Andersson
  224: 	  <debian@gisladisker.se>: Implement importing of RSA keys from PEM
  225: 	  files.
  226: 
  227: 	* src/racoon/prsa_par.y: From M E Andersson
  228: 	  <debian@gisladisker.se>: Fix parsing of restricted RSA key
  229: 	  addresses.
  230: 
  231: 2011-02-02  Yvan Vanhullebus <vanhu@netasq.com>
  232: 
  233: 	* src/racoon/: cftoken.l, isakmp.c, remoteconf.h, sainfo.c,
  234: 	  sainfo.h: store ph1id in an u_int32_t instead of a (signed)int.
  235: 	  Patch from Christophe Carre
  236: 
  237: 2011-01-28  Timo Teras <timo.teras@iki.fi>
  238: 
  239: 	* src/racoon/: sainfo.c, sainfo.h, session.c: From Roman Hoog
  240: 	  Antink <rha@open.ch>: Clean up sainfo reloading: rename the
  241: 	  functions, and remove unneeded global variable.
  242: 
  243: 	* src/racoon/: remoteconf.c, remoteconf.h, session.c: From Roman
  244: 	  Hoog Antink <rha@open.ch>: Clean up rmconf reloading: rename the
  245: 	  functions, and remove unneeded global variable.
  246: 
  247: 	* src/racoon/plog.c: From Roman Hoog Antink <rha@open.ch>: Log
  248: 	  remote IP address if available (slightly modified by tteras)
  249: 
  250: 2011-01-22  Timo Teras <timo.teras@iki.fi>
  251: 
  252: 	* src/racoon/isakmp_inf.c: From Roman Hoog Antink <rha@open.ch>:
  253: 	  Fixes a null pointer dereference that might occur after removing
  254: 	  peers from the config and then reloading.
  255: 
  256: 2011-01-20  Yvan Vanhullebus <vanhu@netasq.com>
  257: 
  258: 	* src/libipsec/pfkey.c: fixed a typo, it will now compile when
  259: 	  KMADDRESS is defined. reported by Roman Hoog Antink (rha (at)
  260: 	  open.ch)
  261: 
  262: 2010-12-28  Timo Teras <timo.teras@iki.fi>
  263: 
  264: 	* src/racoon/handler.c: From Roman Hoog Antink <rha@open.ch>: Fix
  265: 	  config reload to not delete too many phase 2 handles, because wrong
  266: 	  chain field is used when enumerating the handles.
  267: 
  268: 2010-12-16  gdt
  269: 
  270: 	* src/racoon/oakley.c: When encountering a certificate where "ID
  271: 	  mismatched with ASN1 SubjectName", and verify_identifier is off,
  272: 	  don't raise an error.  This makes the behavior match the man page.
  273: 
  274: 	  Patch sent for review long ago:
  275: 	    http://mail-index.netbsd.org/tech-security/2006/03/24/0000.html
  276: 	  with no negative feedback received to date.
  277: 
  278: 2010-12-14  Timo Teras <timo.teras@iki.fi>
  279: 
  280: 	* src/racoon/ipsec_doi.c: From Roman Hoog Antink <rha@open.ch>: Fix
  281: 	  possible null dereference.
  282: 
  283: 2010-12-08  Timo Teras <timo.teras@iki.fi>
  284: 
  285: 	* src/racoon/admin.c: Use separate SA addresses for phase2's
  286: 	  created by admin command. The phase2 startup overwrites src/dst with
  287: 	  ISAKMP ports if they are zero and we don't want that to happen for
  288: 	  the SA ports.
  289: 
  290: 2010-12-08  joerg
  291: 
  292: 	* src/libipsec/pfkey.c: ANSIfy
  293: 
  294: 2010-12-07  Timo Teras <timo.teras@iki.fi>
  295: 
  296: 	* src/racoon/isakmp_quick.c: Fix spacing and improve wording in
  297: 	  some log messages.
  298: 
  299: 2010-12-03  Timo Teras <timo.teras@iki.fi>
  300: 
  301: 	* src/libipsec/ipsec_dump_policy.c: Recognize direction for Linux
  302: 	  per-socket policies.
  303: 
  304: 	* src/: libipsec/libpfkey.h, libipsec/pfkey_dump.c, setkey/parse.y,
  305: 	  setkey/setkey.8: Support GRE key as upper layer protocol
  306: 	  specifier (will be supported in Linux kernel 2.6.38).
  307: 
  308: 	* src/racoon/grabmyaddr.c: Netlink deletion notification does not
  309: 	  guarantee actual address deletion: it might still exist on some
  310: 	  other interface. Make sure we do not unbind unless the address is
  311: 	  really gone.
  312: 
  313: 2010-11-17  Timo Teras <timo.teras@iki.fi>
  314: 
  315: 	* src/racoon/: handler.c, handler.h, isakmp.c, isakmp_inf.c: Fix my
  316: 	  previous patch to not call purge_remote() twice. Change the place
  317: 	  where purge_remote() is called. This fixes also a possible crash
  318: 	  from the same patch since ph1->remote can be NULL (when we are
  319: 	  responder and config is not yet selected).
  320: 
  321: 2010-11-12  Timo Teras <timo.teras@iki.fi>
  322: 
  323: 	* src/racoon/: admin.c, isakmp.c, isakmp_var.h, pfkey.c:
  324: 	  isakmp_post_acquire is now called from admin commands too, add a
  325: 	  flag so admin commands can be used to establish even passive links
  326: 	  on demand.
  327: 
  328: 	* src/racoon/isakmp.c: Purge all IPsec-SA's if the last main
  329: 	  ISAKMP-SA for the node is deleted by remote request and the phase1
  330: 	  rekeying is enabled (this will also trigger the new phase1_dead
  331: 	  script hook).
  332: 
  333: 	* src/racoon/: handler.h, isakmp_inf.c: Improve DPD sequence checks
  334: 	  to allow any reply within valid sequence window to be proof of
  335: 	  liveliness. This can improve things if there's random packet
  336: 	  delays, or if racoon is not getting enough CPU time.
  337: 
  338: 	* src/racoon/: admin.c, admin.h, kmpstat.c, racoonctl.c: Extend
  339: 	  admin protocol to allow reply packets to exceed 64kb. E.g. SA dumps
  340: 	  with many established SAs can be easily over the limit.
  341: 
  342: 2010-10-22  Timo Teras <timo.teras@iki.fi>
  343: 
  344: 	* src/racoon/grabmyaddr.c: Change Linux Netlink address monitoring
  345: 	  to monitor local route changes.  This works around a kernel bug, and
  346: 	  slightly improves behaviour on some special cases.
  347: 
  348: 2010-10-21  Timo Teras <timo.teras@iki.fi>
  349: 
  350: 	* src/racoon/: admin.c, evt.c, grabmyaddr.c, isakmp.c, pfkey.c,
  351: 	  session.c, session.h: Introduce priorities for file descriptor
  352: 	  polling mechanism and give priority to admin port. If admin port is
  353: 	  used by ISAKMP-SA hook scripts they should be preferred, otherwise
  354: 	  heavy traffic can delay admin port requests considerably. This in
  355: 	  turn may cause renegotiation loop for ISAKMP-SA. This is mostly
  356: 	  useful for OpenNHRP setup, but can benefit other setups too.
  357: 
  358: 	* src/racoon/: admin.c, handler.c, handler.h: Remove
  359: 	  initial-contact entry when all ISAKMP-SA are purged via adminport.
  360: 	  This will avoid stale security associations if some of the delete
  361: 	  notifications happens to get lost.
  362: 
  363: 2010-10-20  Timo Teras <timo.teras@iki.fi>
  364: 
  365: 	* src/racoon/crypto_openssl.c: Use high-level openssl EVP and HMAC
  366: 	  functions when possible: this allows openssl to perform hardware
  367: 	  acceleration if available.
  368: 
  369: 	* src/racoon/: isakmp.c, isakmp_quick.c: Various improvements to
  370: 	  error log messages and a few additional error log messages to
  371: 	  improve diagnosing an error condition.
  372: 
  373: 	* src/racoon/grabmyaddr.c: Fix address comparison so we actually
  374: 	  close sockets which were bound to IP-address that got deconfigured.
  375: 
  376: 2010-10-11  Yvan Vanhullebus <vanhu@netasq.com>
  377: 
  378: 	* src/racoon/ipsec_doi.c: report a higher encryption key length in
  379: 	  approval for OBEY / CLAIM / STRICT modes
  380: 
  381: 2010-09-27  Yvan Vanhullebus <vanhu@netasq.com>
  382: 
  383: 	* src/racoon/isakmp_xauth.c: fixed some typos in logs (reported by
  384: 	  fazaeli (at) sepehrs.com)
  385: 
  386: 2010-09-24  Yvan Vanhullebus <vanhu@netasq.com>
  387: 
  388: 	* src/racoon/cftoken.l: fixed a fd leak, patch by getlaser (at)
  389: 	  gmail.com
  390: 
  391: 2010-09-22  Yvan Vanhullebus <vanhu@netasq.com>
  392: 
  393: 	* src/racoon/admin.c: get the correct length of username when
  394: 	  processing ADMIN_LOGOUT_USER, patch by rweikusat (at) mssgmbh.com
  395: 
  396: 	* src/racoon/nattraversal.h: fixed a typo in macros, reported by
  397: 	  marisp (at) mt.lv
  398: 
  399: 2010-09-21  Yvan Vanhullebus <vanhu@netasq.com>
  400: 
  401: 	* src/racoon/isakmp_cfg.c: moved from utmp.h to utmpx.h (patch
  402: 	  provided by marcin.cieslak (at) gmail.com)
  403: 
  404: 2010-09-08  Yvan Vanhullebus <vanhu@netasq.com>
  405: 
  406: 	* src/racoon/remoteconf.c: fixed remoteconf selection when no ID
  407: 	  specified in configuration, and added some debug to remoteconf
  408: 	  selection
  409: 
  410: 2010-08-26  Yvan Vanhullebus <vanhu@netasq.com>
  411: 
  412: 	* src/racoon/remoteconf.c: fix by Sergio.Gelato (at) astro.su.se:
  413: 	  duplicate some dynamic values in duprmconf()
  414: 
  415: 2010-08-04  Yvan Vanhullebus <vanhu@netasq.com>
  416: 
  417: 	* src/racoon/isakmp_cfg.c: fixed answer for IP4_SUBNET request
  418: 
  419: 2010-07-30  Yvan Vanhullebus <vanhu@netasq.com>
  420: 
  421: 	* src/racoon/doc/FAQ: updated link to NetBSD's documentation
  422: 
  423: 2010-06-22  Thomas Klausner <wiz@netbsd.org>
  424: 
  425: 	* src/racoon/racoon.conf.5: Bump date for previous.
  426: 
  427: 2010-06-22  Yvan Vanhullebus <vanhu@netasq.com>
  428: 
  429: 	* src/racoon/: cfparse.y, cftoken.l, isakmp.c, isakmp_inf.c,
  430: 	  racoon.conf.5, remoteconf.c, remoteconf.h: added a specific
  431: 	  script hook when a dead peer is detected
  432: 
  433: 2010-06-04  Thomas Klausner <wiz@netbsd.org>
  434: 
  435: 	* src/setkey/setkey.8: New sentence, new line. Bump date for
  436: 	  previous.
  437: 
  438: 2010-06-04  Yvan Vanhullebus <vanhu@netasq.com>
  439: 
  440: 	* src/setkey/: parse.y, setkey.8, token.l: Added support for
  441: 	  spdupdate command in setkey
  442: 
  443: 2010-04-07  Yvan Vanhullebus <vanhu@netasq.com>
  444: 
  445: 	* src/libipsec/ipsec_strerror.c: by Eric Preston: fixed a typo
  446: 
  447: 2010-04-02  Christos Zoulas <christos@netbsd.org>
  448: 
  449: 	* src/: libipsec/pfkey_dump.c, racoon/backupsa.c: handle ctime
  450: 	  returning NULL.
  451: 
  452: 2010-03-11  Christos Zoulas <christos@netbsd.org>
  453: 
  454: 	* src/racoon/handler.c: PR/42363: Yasuoka Masahiko: Second part of
  455: 	  the patch: iterate only on the phase2 handles that are bound by the
  456: 	  given phase1 handle.
  457: 
  458: 2010-03-05  Timo Teras <timo.teras@iki.fi>
  459: 
  460: 	* src/: libipsec/ipsec_set_policy.3, racoon/privsep.c,
  461: 	  racoon/doc/FAQ, setkey/setkey.8: From Stefan Bauer: Fix multiple
  462: 	  typos and manpage formatting errors.
  463: 
  464: 2010-03-04  Yvan Vanhullebus <vanhu@netasq.com>
  465: 
  466: 	* src/racoon/session.c: From Pierre POMES: fixed admin port
  467: 	  initialization
  468: 
  469: 2010-02-28  snj
  470: 
  471: 	* src/racoon/: sockmisc.c, sockmisc.h: Fight the ever-increasing
  472: 	  size of src checkouts by spelling "useful" without an extra l.
  473: 
  474: 2010-02-09  Thomas Klausner <wiz@netbsd.org>
  475: 
  476: 	* src/racoon/: pfkey.c, proposal.h: Fix typo in comment.
  477: 
  478: 2010-01-17  Thomas Klausner <wiz@netbsd.org>
  479: 
  480: 	* src/racoon/sainfo.c: Free strdupped string after using it. Found
  481: 	  by cppcheck.
  482: 
  483: 	* src/racoon/: eaytest.c, ipsec_doi.c: Close file handles after
  484: 	  using them. Found by cppcheck.
  485: 
  486: 2010-01-15  joerg
  487: 
  488: 	* src/setkey/setkey.8: Use .%U instead of .%O for URLs.
  489: 
  490: 2009-12-11  Timo Teras <timo.teras@iki.fi>
  491: 
  492: 	* src/racoon/Makefile.am: From Paul Wernau: vmbuf.h was defined
  493: 	  twice in the headers. Remove the redundant entry so new install tool
  494: 	  does not complain about overwriting just installed file.
  495: 
  496: 2009-11-22  Christos Zoulas <christos@netbsd.org>
  497: 
  498: 	* src/racoon/handler.c: PR/42363: Yasuoka Masahiko:
  499: 
  500: 	  racoon uses a wrong IPsec-SA handle that is for other peer in case
  501: 	  it receives an ISAKMP message for IPsec-SA that has the same
  502: 	  message-id as the message-id that is received before.
  503: 
  504: 	  racoon uses message-id to find the handle of IPsec-SA.  The
  505: 	  message-id is a unique number for each peer, but different peers may
  506: 	  use the same value.
  507: 
  508: 	  Different Windows Vista or Windows 7 peers seem to use the same
  509: 	  message-id.  racoon can handle the first Windows's Phase-2, but it
  510: 	  cannot handle the second Windows.  Because racoon misunderstands the
  511: 	  message for the second Windows as the message for the first Windows.
  512: 
  513: 	  >Category:       bin >Synopsis:       racoon uses a wrong IPsec-SA
  514: 	  that is for different peer >Confidential:   no >Severity:
  515: 	  serious >Priority:       medium >Responsible:    bin-bug-people
  516: 	  >State:          open >Class:          sw-bug >Submitter-Id:   net
  517: 	  >Arrival-Date:   Sun Nov 22 18:25:00 +0000 2009 >Originator:
  518: 	  yasuoka@iij.ad.jp
  519: 
  520: 2009-10-29  Christos Zoulas <christos@netbsd.org>
  521: 
  522: 	* src/setkey/token.l: use %option noinput nounput
  523: 
  524: 2009-10-28  Christos Zoulas <christos@netbsd.org>
  525: 
  526: 	* src/setkey/token.l: no unput
  527: 
  528: 2009-10-14  joerg
  529: 
  530: 	* src/libipsec/ipsec_set_policy.3: Do not use .Xo/.Xc to workaround
  531: 	  ancient groff limits.
  532: 
  533: 	* src/setkey/setkey.8: Do not use .Xo/.Xc to work around ancient
  534: 	  groff limits.  Fix markup.
  535: 
  536: 	* src/racoon/racoon.conf.5: Don't use .Xo/.Xc to work around
  537: 	  ancient groff limits.  Set only one list type.
  538: 
  539: 2009-09-18  Timo Teras <timo.teras@iki.fi>
  540: 
  541: 	* src/racoon/: isakmp_agg.c, isakmp_ident.c: From Tomas Mraz: Fix
  542: 	  gssapi error checking.
  543: 
  544: 2009-09-03  Timo Teras <timo.teras@iki.fi>
  545: 
  546: 	* src/racoon/: admin.c, handler.c, handler.h, isakmp.c,
  547: 	  isakmp_var.h, pfkey.c: When rekeying phase2 use phase1 used to
  548: 	  negotiate phase2 as a hint to select the phase1 for rekeying the new
  549: 	  phase2.
  550: 
  551: 2009-09-01  Timo Teras <timo.teras@iki.fi>
  552: 
  553: 	* src/racoon/: nattraversal.c, racoon.conf.5, vendorid.c: Check
  554: 	  nat_traversal configuration from remote configuration candidates
  555: 	  when acting as responder. Enable NAT-T if any of the remote
  556: 	  candidates have NAT-T enabled.
  557: 
  558: 	* src/racoon/remoteconf.c: Change remote conf matching level to
  559: 	  matching score. This way one can override anonymous certificate
  560: 	  block config with more exact "inherited" IP specific block.
  561: 
  562: 	* src/racoon/: isakmp.c, racoon.conf.5: From Maik Broemme: export
  563: 	  ISAKMP SA identity as REMOTE_ID for phase1 up script (trac #313).
  564: 
  565: 2009-08-24  Yvan Vanhullebus <vanhu@netasq.com>
  566: 
  567: 	* src/racoon/oakley.c: fixed typo: algoriym -> algorithm
  568: 
  569: 2009-08-19  Yvan Vanhullebus <vanhu@netasq.com>
  570: 
  571: 	* src/racoon/remoteconf.c: fixed address check in
  572: 	  rmconf_match_type(), just check address with wildcard port
  573: 
  574: 2009-08-19  Timo Teras <timo.teras@iki.fi>
  575: 
  576: 	* src/racoon/remoteconf.c: Have an enum for rmconf_match_type()
  577: 	  return values to make the code a bit more readable.
  578: 
  579: 2009-08-18  Yvan Vanhullebus <vanhu@netasq.com>
  580: 
  581: 	* src/racoon/oakley.c: typo: algoritym -> algorithm
  582: 
  583: 2009-08-17  Yvan Vanhullebus <vanhu@netasq.com>
  584: 
  585: 	* src/libipsec/libpfkey.h: do not use SADB_X_NAT_T_NEW_MAPPING to
  586: 	  check system support for NAT-T, as at least FreeBSD doesn't have
  587: 	  this define anymore
  588: 
  589: 	* src/racoon/schedule.h: include stddef.h so we have a chance to
  590: 	  get the system offsetof if present
  591: 
  592: 	* src/racoon/crypto_openssl.h: removed a self include
  593: 
  594: 2009-08-13  Yvan Vanhullebus <vanhu@netasq.com>
  595: 
  596: 	* src/racoon/oakley.c: fixed a potential DoS in
  597: 	  oakley_do_decrypt(), reported by Orange Labs
  598: 
  599: 2009-08-10  Timo Teras <timo.teras@iki.fi>
  600: 
  601: 	* src/racoon/pfkey.c: Don't print EAGAIN error from
  602: 	  pfkey_handler(), it can occur normally under some code paths and is
  603: 	  not a hard error in any case.
  604: 
  605: 2009-08-06  Timo Teras <timo.teras@iki.fi>
  606: 
  607: 	* src/setkey/setkey.c: From Paul Wernau: Check fgets return value in
  608: 	  setkey to make gcc happy.
  609: 
  610: 2009-08-05  Timo Teras <timo.teras@iki.fi>
  611: 
  612: 	* src/racoon/pfkey.c: From Paul Wernau: Fix transport mode per-port
  613: 	  security associations that got broken during NAT-T fixes.
  614: 
  615: 2009-07-07  Timo Teras <timo.teras@iki.fi>
  616: 
  617: 	* src/racoon/sockmisc.c: From Arnaud Ebalard: Fix possible usage of
  618: 	  uninitialized local variable (not sure if any code path triggers
  619: 	  this, but this makes compiler happy).
  620: 
  621: 2009-07-03  Timo Teras <timo.teras@iki.fi>
  622: 
  623: 	* src/racoon/: admin.c, grabmyaddr.c, handler.c, handler.h,
  624: 	  isakmp.c, isakmp_cfg.c, isakmp_inf.c, isakmp_quick.c,
  625: 	  nattraversal.c, pfkey.c, policy.c, remoteconf.c, remoteconf.h,
  626: 	  sockmisc.c, sockmisc.h, throttle.c: Get rid of the evil CMPSADDR
  627: 	  macro. Trac #295.
  628: 
  629: 	* src/: libipsec/libpfkey.h, libipsec/pfkey.c, racoon/isakmp.c,
  630: 	  racoon/isakmp_inf.c, racoon/pfkey.c, racoon/pfkey.h: From Yvan
  631: 	  Vanhullebus: Use SADB_X_EXT_NAT_T_* consistently for passing the
  632: 	  NAT-T port information. This might break compatibility with some
  633: 	  kernels, but as discussed this is the proper way to pass NAT-T ports
  634: 	  and the broken kernels need to be fixed.
  635: 
  636: 2009-06-24  Timo Teras <timo.teras@iki.fi>
  637: 
  638: 	* src/racoon/session.c: Fix a call to null pointer: in some cases,
  639: 	  the unmonitor_fd can be called from another fd's callback. That
  640: 	  could lead to still have callback pending after unmonitoring the fd
  641: 	  resulting in a call to null pointer.  This is fixed by making
  642: 	  unmonitor_fd now clear the pending fd_set too.  Bug was introduced
  643: 	  by my commit in 2008-12-23.
  644: 
  645: 2009-05-20  Yvan Vanhullebus <vanhu@netasq.com>
  646: 
  647: 	* src/racoon/isakmp.h: typo
  648: 
  649: 2009-05-19  Timo Teras <timo.teras@iki.fi>
  650: 
  651: 	* src/racoon/: ipsec_doi.c, isakmp.c: From Jukka Salmi: Fix couple
  652: 	  of typos from previous commit.
  653: 
  654: 2009-05-18  Timo Teras <timo.teras@iki.fi>
  655: 
  656: 	* src/racoon/: ipsec_doi.c, isakmp.c, sockmisc.c, sockmisc.h: From
  657: 	  Tomas Mraz: Introduce union sockaddr_any and use it to make code
  658: 	  more readable. Related to trac #293.
  659: 
  660: 	* src/racoon/isakmp_inf.c: From Tomas Mraz: Remove variable that is
  661: 	  not really used; only referenced while uninitialized causing
  662: 	  valgrind error.
  663: 
  664: 	* src/racoon/nattraversal.c: From Tomas Mraz: Fix natt_flags check.
  665: 
  666: 2009-05-04  Thomas Klausner <wiz@netbsd.org>
  667: 
  668: 	* src/racoon/racoon.conf.5: Remove superfluous spaces around
  669: 	  parentheses.
  670: 
  671: 2009-04-29  Timo Teras <timo.teras@iki.fi>
  672: 
  673: 	* src/racoon/crypto_openssl.c: From Ross Meng: Fix a memory leak in
  674: 	  X509 certificate validation.
  675: 
  676: 2009-04-28  Timo Teras <timo.teras@iki.fi>
  677: 
  678: 	* src/racoon/handler.c: Reset nat_oa variables too when reusing
  679: 	  phase two handler. Otherwise phase2 rekeying might fail in some
  680: 	  scenarios.
  681: 
  682: 2009-04-22  Timo Teras <timo.teras@iki.fi>
  683: 
  684: 	* src/racoon/isakmp_frag.c: From Neil Kettle: Fix a possible null
  685: 	  pointer dereference in fragmentation code.
  686: 
  687: 2009-04-21  Timo Teras <timo.teras@iki.fi>
  688: 
  689: 	* src/racoon/: grabmyaddr.c, grabmyaddr.h, session.c: Fix
  690: 	  strict_address to work again. The lists need to be initialized
  691: 	  before configuration is read, which happens before my_addr_init()
  692: 	  call.
  693: 
  694: 2009-04-20  Timo Teras <timo.teras@iki.fi>
  695: 
  696: 	* src/racoon/: isakmp.c, isakmp.h, isakmp_var.h: Fix a memory leak
  697: 	  in certificate request generation.
  698: 
  699: 	* src/racoon/: isakmp_inf.c, isakmp_xauth.c, plog.c: Originally from
  700: 	  Bin Li: Fix possible memory corruption in binsanitize().
  701: 
  702: 	* src/racoon/crypto_openssl.c: From Stephen Bevan: Fix a x509
  703: 	  signature verification memory leak.
  704: 
  705: 	* src/racoon/: admin.c, racoonctl.c: Originally from Bin Li: Fix a
  706: 	  crash with racoonctl logout user.
  707: 
  708: 	* src/racoon/nattraversal.c: Fix a memory leak in nat-t keepalive
  709: 	  code.
  710: 
  711: 	* src/racoon/handler.c: From Paul Moore: Phase2 message id's should
  712: 	  be unique wrt phase1, not globally.
  713: 
  714: 2009-03-13  Timo Teras <timo.teras@iki.fi>
  715: 
  716: 	* src/racoon/: pfkey.c, remoteconf.h: From Arnaud Ebalard: Fix
  717: 	  couple of problems with previous commit.
  718: 
  719: 2009-03-12  he
  720: 
  721: 	* src/racoon/: isakmp.c, remoteconf.c: When casting to/from a
  722: 	  pointer to an integral type (a bad practice, if you ask me), you
  723: 	  need to cast via intptr_t for portability.
  724: 
  725: 2009-03-12  Thomas Klausner <wiz@netbsd.org>
  726: 
  727: 	* src/racoon/racoon.conf.5: New sentence, new line. Avoid marking
  728: 	  up punctuation.
  729: 
  730: 	* src/racoon/racoonctl.8: Bump date for previous. Sort options to
  731: 	  establish-sa.  Stop using Xo/Xc.
  732: 
  733: 2009-03-12  Timo Teras <timo.teras@iki.fi>
  734: 
  735: 	* src/racoon/: admin.c, cfparse.y, cftoken.l, crypto_openssl.c,
  736: 	  crypto_openssl.h, dnssec.c, dnssec.h, handler.c, handler.h,
  737: 	  ipsec_doi.c, ipsec_doi.h, isakmp.c, isakmp.h, isakmp_agg.c,
  738: 	  isakmp_base.c, isakmp_ident.c, isakmp_inf.c, isakmp_quick.c,
  739: 	  isakmp_var.h, nattraversal.c, oakley.c, oakley.h, racoon.conf.5,
  740: 	  racoonctl.8, racoonctl.c, remoteconf.c, remoteconf.h, sockmisc.c,
  741: 	  vendorid.c: Support multiple anonymous remotes and decide
  742: 	  remoteconf based on identity, received certificates and other
  743: 	  information. General code clean up.
  744: 
  745: 2009-03-06  Timo Teras <timo.teras@iki.fi>
  746: 
  747: 	* src/setkey/: extern.h, parse.y, setkey.c: setkey: fix deleteall
  748: 	  in Linux
  749: 
  750: 	  Linux requires SADB_DELETE message to have SPI. So send a
  751: 	  SADB_DELETE message for each matching SA. Trac #284.
  752: 
  753: 	  From: Gabriel Somlo <somlo@cmu.edu>
  754: 
  755: 2009-02-16  Timo Teras <timo.teras@iki.fi>
  756: 
  757: 	* src/libipsec/policy_parse.y: From Paul Moore: Fix a heap
  758: 	  corruption bug (yacc return non-null terminated buffer and sprintf
  759: 	  writes over bounds).
  760: 
  761: 2009-02-11  Yvan Vanhullebus <vanhu@netasq.com>
  762: 
  763: 	* src/racoon/: isakmp.c, sockmisc.c, sockmisc.h: trac#301: fixed
  764: 	  IPsec SAs flush in purge_remote() when NAT-T enabled but no NAT-T on
  765: 	  tunnel
  766: 
  767: 2009-02-03  Timo Teras <timo.teras@iki.fi>
  768: 
  769: 	* src/racoon/isakmp.c: From: Phil Sutter. Fix script environment
  770: 	  variables with IPv6 addresses.
  771: 
  772: 2009-01-26  Timo Teras <timo.teras@iki.fi>
  773: 
  774: 	* src/racoon/main.c: Argument parsing needs lcconf initialized.
  775: 
  776: 2009-01-24  Thomas Klausner <wiz@netbsd.org>
  777: 
  778: 	* src/racoon/racoonctl.c: Sort options in usage.
  779: 
  780: 	* src/racoon/racoonctl.8: Sort options. New sentence, new line.
  781: 
  782: 	* src/racoon/racoon.8: Sort options.
  783: 
  784: 2009-01-23  Timo Teras <timo.teras@iki.fi>
  785: 
  786: 	* src/racoon/: racoonctl.8, racoonctl.c: Update usage and manpage
  787: 	  for racoonctl.
  788: 
  789: 	* src/racoon/: main.c, racoon.8: Racoon -v to print version and
  790: 	  compilation information. Update usage message.
  791: 
  792: 	* NEWS: Update NEWS with major changes since 0.7 release.
  793: 
  794: 	* src/racoon/schedule.c: Fix monotonic scheduler change, to not
  795: 	  refresh 'now' before exit. Otherwise we can return negative timeout
  796: 	  after spending time handling other events.
  797: 
  798: 	* src/racoon/: handler.c, pfkey.c: From Arnaud Ebalard: Handle
  799: 	  reception of MIGRATE message during Phase 1 and Phase 2 negotiation.
  800: 	  Also corrects some debugging statements.
  801: 
  802: 	* src/racoon/pfkey.c: From Arnaud Ebalard: On the responder (for
  803: 	  instance), there is a need to not only migrate local and remote
  804: 	  addresses of Phase 1 that match previous addresses but also the
  805: 	  local and remote addresses of a Phase 1 *associated* with a migrated
  806: 	  Phase 2. For instance, we have that need when receiving the first
  807: 	  MIGRATE/KMADDRESS message because the old addresses are still the
  808: 	  HoA and the address of the HA (while the peer has contacted us using
  809: 	  the CoA and we have negotiated this address as src attribute in
  810: 	  Phase 2). The patch fixes that by having migrate_ph1_ike_addresses()
  811: 	  called from migrate_ph2_ike_addresses() callback.
  812: 
  813: 	* src/racoon/isakmp_quick.c: From Arnaud Ebalard: Set phase2 spid
  814: 	  when acting as responder.
  815: 
  816: 	* configure.ac, src/racoon/handler.c, src/racoon/handler.h,
  817: 	  src/racoon/isakmp_inf.c, src/racoon/isakmp_xauth.c,
  818: 	  src/racoon/schedule.c, src/racoon/schedule.h,
  819: 	  src/racoon/throttle.c, src/racoon/throttle.h: Detect if monotonic
  820: 	  system clock is available, and use it for relative time measurements
  821: 	  to avoid complete hang if time jumps backwards.
  822: 
  823: 	* src/racoon/: cfparse.y, ipsec_doi.c, isakmp.c, isakmp_agg.c,
  824: 	  isakmp_base.c, isakmp_cfg.c, isakmp_ident.c, isakmp_xauth.c,
  825: 	  oakley.c, oakley.h: Fix authentication method ambiguity by
  826: 	  internally using unique ID and setting/interpreting the wire format
  827: 	  based on received vendor ID:s. Fixes trac #280.
  828: 
  829: 	* src/racoon/: handler.h, isakmp_agg.c, isakmp_base.c,
  830: 	  isakmp_ident.c, vendorid.c, vendorid.h: Introduce vendorid
  831: 	  bitmask that can be used otherwhere to detect peer capabilities.
  832: 
  833: 	* configure.ac, src/racoon/admin.c, src/racoon/evt.c,
  834: 	  src/racoon/grabmyaddr.c, src/racoon/isakmp.c, src/racoon/pfkey.c,
  835: 	  src/racoon/session.c, src/racoon/session.h: Remove "fastquit"
  836: 	  configure option and make it the default behaviour. The previous
  837: 	  normal behaviour is buggy, as after flush kernel can immediately
  838: 	  create larval SA:s which would prevent exit.
  839: 
  840: 2009-01-20  Timo Teras <timo.teras@iki.fi>
  841: 
  842: 	* Makefile.am, misc/cvs2cl.pl, misc/cvsusermap: Autogenerate
  843: 	  ChangeLog from NetBSD CVS. Put sourceforge.net changes to
  844: 	  ChangeLog.old.
  845: 
  846: 2009-01-10  Thomas Klausner <wiz@netbsd.org>
  847: 
  848: 	* src/racoon/racoon.conf.5: Make ready for HTML output.  Use proper
  849: 	  escape for backslash ('\e').
  850: 
  851: 2009-01-10  Timo Teras <timo.teras@iki.fi>
  852: 
  853: 	* src/racoon/: crypto_openssl.c, racoon.conf.5: From Cyrus Rahman:
  854: 	  Accept RFC2253 compliant escaped special characters for asn1dn
  855: 	  identifier.
  856: 
  857: 2009-01-09  Timo Teras <timo.teras@iki.fi>
  858: 
  859: 	* configure.ac: Fix a CPPLAGS typo to CPPFLAGS which was intended
  860: 
  861: 2009-01-05  Timo Teras <timo.teras@iki.fi>
  862: 
  863: 	* src/racoon/: cfparse.y, cftoken.l, racoon.conf.5: Remove obsolete
  864: 	  configuration options, fix radius configuration block and add GRE as
  865: 	  recognized protocol.
  866: 
  867: 	* src/racoon/session.c: Do not use counting in signal handling as
  868: 	  it was unsafe by not using atomic functions (post increment is not
  869: 	  necessarily atomic).  Instead reap all children on SIGCHLD as that
  870: 	  was the only signal needing signal counting.
  871: 
  872: 2008-12-30  Timo Teras <timo.teras@iki.fi>
  873: 
  874: 	* src/racoon/session.c: schedular() call can now modify fd mask so
  875: 	  make the working copy just before calling select(); otherwise it can
  876: 	  contain bad file descriptors
  877: 
  878: 2008-12-29  Michael van Elst <mlelstv@netbsd.org>
  879: 
  880: 	* src/setkey/parse.y: support icmp codes. Fixes PR 39056.
  881: 
  882: 2008-12-24  Christos Zoulas <christos@netbsd.org>
  883: 
  884: 	* src/racoon/grabmyaddr.c: remove sin{6,}_len; linux does not have
  885: 	  it. From Timo Teras.
  886: 
  887: 	* src/racoon/grabmyaddr.c: I was wrong. addr is actually set.
  888: 
  889: 	* src/racoon/grabmyaddr.c:
  890: 	  - make this compile by zeroing out the whole structure not just
  891: 	  bogus fields.
  892: 	  - set length field of sockets appropriately.
  893: 	  - mark bogus no-op code (I don't understand what the author intended
  894: 	  here).
  895: 
  896: 2008-12-23  Thomas Klausner <wiz@netbsd.org>
  897: 
  898: 	* src/racoon/racoon.conf.5: Bump date for identity configuration
  899: 	  option removal.
  900: 
  901: 2008-12-23  Timo Teras <timo.teras@iki.fi>
  902: 
  903: 	* src/racoon/: cfparse.y, cftoken.l, ipsec_doi.c, localconf.c,
  904: 	  localconf.h, racoon.conf.5: Remove the obsoleted global identity
  905: 	  configuration option.
  906: 
  907: 	* src/racoon/: admin.c, admin_var.h, cfparse.y, debug.h, evt.c,
  908: 	  evt.h, grabmyaddr.c, grabmyaddr.h, handler.c, isakmp.c,
  909: 	  isakmp_inf.c, isakmp_var.h, localconf.c, localconf.h, main.c,
  910: 	  nattraversal.c, pfkey.c, pfkey.h, privsep.c, session.c,
  911: 	  session.h: rewrite local address detection; make some functions
  912: 	  static that are not needed globally; rework how fd_set is
  913: 	  constructed for the main loop select()
  914: 
  915: 2008-12-18  Timo Teras <timo.teras@iki.fi>
  916: 
  917: 	* src/racoon/pfkey.c: From Arnaud Ebalard: Delete larval ph2handles
  918: 	  when expire with hard lifetime received
  919: 
  920: 2008-12-16  Timo Teras <timo.teras@iki.fi>
  921: 
  922: 	* README: Update README
  923: 
  924: 	* src/racoon/pfkey.c: Fix transport mode address selection in
  925: 	  acquire handling.  Some earlier fixes got lost on 2008-12-05 commit.
  926: 
  927: 2008-12-11  Yvan Vanhullebus <vanhu@netasq.com>
  928: 
  929: 	* src/racoon/grabmyaddr.c: Fixed compilation on FreeBSD (RTM_IFINFO
  930: 	  and RTM_OIFINFO stuff)
  931: 
  932: 	* src/racoon/isakmp.c: Fixed compilation when DPD support is
  933: 	  disabled
  934: 
  935: 2008-12-08  Timo Teras <timo.teras@iki.fi>
  936: 
  937: 	* src/racoon/: pfkey.c, privsep.c, privsep.h: Do not cache pfkey
  938: 	  sockets: it might cause to not handle some pfkey events when
  939: 	  select() has marked pfkey socket readable, but a timer callback
  940: 	  first calls pfkey_dump_sadb().
  941: 
  942: 2008-12-05  Timo Teras <timo.teras@iki.fi>
  943: 
  944: 	* src/: libipsec/key_debug.c, libipsec/libpfkey.h,
  945: 	  libipsec/pfkey.c, racoon/handler.c, racoon/handler.h,
  946: 	  racoon/ipsec_doi.c, racoon/isakmp.c, racoon/isakmp_quick.c,
  947: 	  racoon/pfkey.c, racoon/policy.c, racoon/policy.h: From Arnaud
  948: 	  Ebalard: Improved Mobile IPv6 support per
  949: 	  draft-ebalard-mext-pfkey-enhanced-migrate.
  950: 
  951: 2008-12-04  Christoph Badura <bad@netbsd.org>
  952: 
  953: 	* src/racoon/privsep.c: Fix typo in previous and use SIG_IGN as I
  954: 	  intended.
  955: 
  956: 2008-12-02  Timo Teras <timo.teras@iki.fi>
  957: 
  958: 	* src/racoon/session.c: Explicitly ignore SIGPIPE. Default action
  959: 	  on Linux is terminate.
  960: 
  961: 2008-11-28  Thomas Klausner <wiz@netbsd.org>
  962: 
  963: 	* src/racoon/racoon.conf.5: Remove empty line. Fix typo. New
  964: 	  sentence, new line.
  965: 
  966: 2008-11-27  Yvan Vanhullebus <vanhu@netasq.com>
  967: 
  968: 	* src/racoon/main.c: Set up a default value for Mode Config Pool
  969: 	  size if pool address specified but pool size not specified
  970: 
  971: 	* src/racoon/isakmp_cfg.c: Fixed pool resizing
  972: 
  973: 2008-11-27  Timo Teras <timo.teras@iki.fi>
  974: 
  975: 	* src/racoon/pfkey.c: From Arnaud Ebalard: Remove MAXNESTEDSA
  976: 	  weirdness. It's probably meant for bundle support which is not done.
  977: 	  When someone actually writes bundle support, the nested SA stuff
  978: 	  would probably be reworked too anyway.
  979: 
  980: 	* src/: libipsec/libpfkey.h, libipsec/pfkey.c, racoon/cfparse.y,
  981: 	  racoon/cftoken.l, racoon/localconf.c, racoon/localconf.h,
  982: 	  racoon/pfkey.c, racoon/racoon.conf.5: From: Matthew Krenzer
  983: 	  Ability to set pfkey socket buffer size via configuration file
  984: 	  directive.  (Indentation and minor fixes by me.)
  985: 
  986: 2008-11-25  Christoph Badura <bad@netbsd.org>
  987: 
  988: 	* src/racoon/: evt.c, privsep.c, session.c: Avoid using
  989: 	  MSG_NOSIGNAL as it is not available everywhere.  Ignore SIGPIPE
  990: 	  instead.
  991: 
  992: 	* src/racoon/grabmyaddr.c: Ignore unspecified and loopback
  993: 	  addresses.  Ignoring unspecified addresses prevents racoon from
  994: 	  trying to bind to the wildcard address and specific addresses
  995: 	  simultaneously after e.g. dhclient has changed an interface's
  996: 	  address to 0.0.0.0.
  997: 
  998: 	* src/racoon/grabmyaddr.c: RTM_DELETE and RTM_IFINFO don't carry
  999: 	  info for added or deleted addresses.  Ignore them silently.
 1000: 
 1001: 	* src/racoon/grabmyaddr.c: Ignoring an unsuitable address is not an
 1002: 	  error.  Therefore log it as informational.  Make it clear from the
 1003: 	  log message that a route message is not interesting.
 1004: 
 1005: 	* src/racoon/grabmyaddr.c: Use insmyaddr() instead of open coding
 1006: 	  it.
 1007: 
 1008: 	* src/racoon/isakmp.c: Do not return erroneously from isakmp_open()
 1009: 	  when setting IPV6_USE_MIN_MTU fails.
 1010: 
 1011: 	* src/racoon/: grabmyaddr.c, isakmp.c: Keep myaddr.sock at -1 when
 1012: 	  no socket is opened.
 1013: 
 1014: 2008-11-08  Christoph Badura <bad@netbsd.org>
 1015: 
 1016: 	* src/racoon/samples/roadwarrior/client/: phase1-down.sh,
 1017: 	  phase1-up.sh: Preserve owner and permissions of original
 1018: 	  /etc/resolv.conf.  Ensure that new /etc/resolv.conf isn't group or
 1019: 	  world writable.
 1020: 
 1021: 	* src/racoon/samples/roadwarrior/client/: phase1-down.sh,
 1022: 	  phase1-up.sh: Print and check INTERNAL_NETMASK4.
 1023: 
 1024: 	* src/racoon/samples/roadwarrior/client/: phase1-down.sh,
 1025: 	  phase1-up.sh: Make the handling of NAT-T SPD entries automatic.
 1026: 
 1027: 	* src/racoon/samples/roadwarrior/client/: phase1-down.sh,
 1028: 	  phase1-up.sh: Ensure that the determination of the default
 1029: 	  gateway and the corresponding interface don't get confused by
 1030: 	  multiple, possibly non-IPv4  default routes.  Bring the NetBSD case
 1031: 	  of deleting the VPN routes and address in line with the Linux case
 1032: 	  and delete the address after deleting the VPN routes.
 1033: 
 1034: 2008-11-06  Yvan Vanhullebus <vanhu@netasq.com>
 1035: 
 1036: 	* src/racoon/sainfo.c: fixed delsainfo() to avoid a crash when
 1037: 	  iddst's value is SAINFO_CLIENTADDR
 1038: 
 1039: 2008-10-29  S.P.Zeidler <spz@netbsd.org>
 1040: 
 1041: 	* src/racoon/ipsec_doi.c: Changes to ipsecdoi_id2str():
 1042: 
 1043: 	  struct sockaddr -> struct sockaddr_storage fixes a stack overflow
 1044: 
 1045: 	  For non-linklocal addresses the value in 'scope' is garbage and gets
 1046: 	  set to zero instead.
 1047: 
 1048: 2008-10-27  Timo Teras <timo.teras@iki.fi>
 1049: 
 1050: 	* src/racoon/pfkey.c: From Arnaud Ebalard: Add missing return to
 1051: 	  error path
 1052: 
 1053: 	* src/racoon/grabmyaddr.c: From Francis Dupont (sent by Arnaud
 1054: 	  Ebalard): recognize RTM_IFANNOUNCE
 1055: 
 1056: 	* src/racoon/grabmyaddr.c: From Arnaud Ebalard: Fix indentation
 1057: 	  issues for readability
 1058: 
 1059: 	* src/racoon/session.c: From Arnaud Ebalard: initfds() needs to be
 1060: 	  called only if monitored file descriptor numbers have changed
 1061: 
 1062: 	* src/racoon/isakmp_var.h: From Arnaud Ebalard: Remove duplicate
 1063: 	  declaration
 1064: 
 1065: 2008-10-23  Timo Teras <timo.teras@iki.fi>
 1066: 
 1067: 	* src/racoon/: privsep.c, session.c, session.h: From Krzysztof
 1068: 	  Piotr Oledzki <olel@ans.pl>: Revert parts of 2008-08-06 commit; the
 1069: 	  problem those changes address is already handled in a sensible way
 1070: 	  by Cyrus Rahman's patch from 2008-03-06.
 1071: 
 1072: 2008-10-09  Timo Teras <timo.teras@iki.fi>
 1073: 
 1074: 	* src/racoon/isakmp_quick.c: From Arnaud Ebalard: remove
 1075: 	  unnecessary unbindph12() call which is now done in remph2()
 1076: 
 1077: 2008-09-25  Yvan Vanhullebus <vanhu@netasq.com>
 1078: 
 1079: 	* src/racoon/isakmp.c: Fixed resending mechanism to have non-ESP
 1080: 	  marker for retransmitted packets
 1081: 
 1082: 2008-09-19  Thomas Klausner <wiz@netbsd.org>
 1083: 
 1084: 	* src/racoon/racoon.conf.5: New sentence, new line.
 1085: 
 1086: 2008-09-19  Timo Teras <timo.teras@iki.fi>
 1087: 
 1088: 	* src/racoon/: admin.c, cfparse.y, cftoken.l, handler.c, handler.h,
 1089: 	  isakmp.c, isakmp_cfg.c, isakmp_inf.c, isakmp_quick.c,
 1090: 	  isakmp_var.h, isakmp_xauth.c, pfkey.c, proposal.c, racoon.conf.5,
 1091: 	  remoteconf.c, remoteconf.h: Implement ISAKMP SA rekeying
 1092: 	  configurable with rekey {on|off|force} option in remote conf.
 1093: 
 1094: 	* src/racoon/: handler.c, handler.h, isakmp.c, isakmp_inf.c,
 1095: 	  isakmp_quick.c, isakmp_var.h, isakmp_xauth.c, isakmp_xauth.h,
 1096: 	  nattraversal.c, pfkey.c, pfkey.h, schedule.c, schedule.h,
 1097: 	  session.c: Change struct sched to be allocated by the caller to
 1098: 	  avoid some memory allocations. Optimize scheduling algorithm to not
 1099: 	  scan all entries in the main loop.
 1100: 
 1101: 2008-09-17  Yvan Vanhullebus <vanhu@netasq.com>
 1102: 
 1103: 	* src/racoon/isakmp_inf.c: Fixed port match in purge_ipsec_spi()
 1104: 	  when NAT-T enabled and trying to purge non NAT-T SAs
 1105: 
 1106: 2008-09-09  Yvan Vanhullebus <vanhu@netasq.com>
 1107: 
 1108: 	* src/racoon/pfkey.c: Some calls to set_port() were not correctly
 1109: 	  updated in the previous commit
 1110: 
 1111: 2008-09-03  Yvan Vanhullebus <vanhu@netasq.com>
 1112: 
 1113: 	* src/racoon/pfkey.c: From Tomas Mraz: Duplicate addresses in
 1114: 	  pk_sendxxx functions, as they may be altered for NAT-T stuff.
 1115: 
 1116: 2008-09-03  Timo Teras <timo.teras@iki.fi>
 1117: 
 1118: 	* src/: libipsec/pfkey.c, racoon/pfkey.c, racoon/sockmisc.c:
 1119: 	  - Fix reloading of SPD (Linux satype check, handling of SPD dump
 1120: 	  responses)
 1121: 	  - Remove some spurious error log message from extract_port()
 1122: 
 1123: 2008-08-29  Gregory McGarry <gmcgarry@netbsd.org>
 1124: 
 1125: 	* src/racoon/isakmp.c: Eliminate gcc-specific feature of empty
 1126: 	  structures.
 1127: 
 1128: 	* src/racoon/evt.h: Eliminate superfluous semicolon.
 1129: 
 1130: 	* src/racoon/: admin.c, admin.h: Eliminate gcc-specific feature of
 1131: 	  unnamed structures added recently.
 1132: 
 1133: 2008-08-12  Yvan Vanhullebus <vanhu@netasq.com>
 1134: 
 1135: 	* src/racoon/isakmp.c: From Krzysztof Piotr Oledzki: Remove
 1136: 	  ph1handler if we received an invalid first exchange from initiator.
 1137: 
 1138: 2008-08-06  Timo Teras <timo.teras@iki.fi>
 1139: 
 1140: 	* src/racoon/: privsep.c, session.c, session.h: From Krzysztof
 1141: 	  Piotr Oledzki: Make privileged process exit if unprivileged process
 1142: 	  is terminated and some spelling fixes.
 1143: 
 1144: 2008-07-23  Matthew Grooms <mgrooms@shrew.net>
 1145: 
 1146: 	* src/racoon/: cfparse.y, session.c: Add some missing ifdefs
 1147: 	  required for non-radius enabled builds.
 1148: 
 1149: 2008-07-23  Timo Teras <timo.teras@iki.fi>
 1150: 
 1151: 	* src/racoon/Makefile.am: Do not use GNU make specific extension.
 1152: 
 1153: 	* src/: libipsec/Makefile.am, racoon/Makefile.am,
 1154: 	  setkey/Makefile.am: Do flex/bison invocation in a more standard
 1155: 	  way, and keep the generated files in the dist tarball.
 1156: 
 1157: 2008-07-22  Yvan Vanhullebus <vanhu@netasq.com>
 1158: 
 1159: 	* src/racoon/proposal.c: From Kohki Ohhira: fix some memory leaks,
 1160: 	  when malloc fails or when peer sends invalid proposal.
 1161: 
 1162: 2008-07-22  Matthew Grooms <mgrooms@shrew.net>
 1163: 
 1164: 	* src/racoon/: cfparse.y, cftoken.l, isakmp_cfg.c, isakmp_xauth.c,
 1165: 	  isakmp_xauth.h, main.c, racoon.conf.5, session.c: Add an optional
 1166: 	  radius configuration section to the racoon.conf file. This is
 1167: 	  similar to the LDAP configuration section and overrides settings
 1168: 	  in the system radius configuration file.
 1169: 
 1170: 2008-07-21  Matthias Scheler <tron@netbsd.org>
 1171: 
 1172: 	* src/racoon/cfparse.y: Correct typo to fix the build.
 1173: 
 1174: 2008-07-21  Timo Teras <timo.teras@iki.fi>
 1175: 
 1176: 	* src/racoon/: isakmp_agg.c, isakmp_base.c, isakmp_ident.c,
 1177: 	  vendorid.c, vendorid.h: Separate generic vendor id handling to a
 1178: 	  new function and use it.
 1179: 
 1180: 	* src/racoon/cfparse.y: Do not set default gss id if xauth is used,
 1181: 	  otherwise gss-id attribute might be sent even if it was not
 1182: 	  requested.
 1183: 
 1184: 2008-07-15  Matthew Grooms <mgrooms@shrew.net>
 1185: 
 1186: 	* src/racoon/isakmp_cfg.c: Fix a typo that prevented racoon from
 1187: 	  building with hybrid enabled.
 1188: 
 1189: 	* src/racoon/: crypto_openssl.c, eaytest.c, misc.c, misc.h,
 1190: 	  racoonctl.c: Fix a conflict with the FreeBSD 8 system hexdump
 1191: 	  function.
 1192: 
 1193: 2008-07-14  Timo Teras <timo.teras@iki.fi>
 1194: 
 1195: 	* src/racoon/: handler.h, ipsec_doi.c, ipsec_doi.h, isakmp_quick.c,
 1196: 	  pfkey.c: Handle RESPONDER-LIFETIME notification in quick mode.
 1197: 
 1198: 	* src/racoon/: handler.h, isakmp.c, isakmp_agg.c, isakmp_ident.c,
 1199: 	  isakmp_inf.c, isakmp_inf.h, isakmp_quick.c, strnames.c: Clean up
 1200: 	  notification payload handling. Handle INITIAL-CONTACT notification
 1201: 	  in last main mode exchange (delayed) and during quick mode
 1202: 	  exchanges.
 1203: 
 1204: 2008-07-11  Timo Teras <timo.teras@iki.fi>
 1205: 
 1206: 	* src/racoon/: isakmp.c, isakmp_inf.c: Original patch from Atis
 1207: 	  Elsts: Fix a double memory free and a memory corruption
 1208: 	  (LIST_REMOVE() on an uninserted node) in some error handling paths.
 1209: 
 1210: 2008-07-09  Timo Teras <timo.teras@iki.fi>
 1211: 
 1212: 	* src/racoon/cfparse.y: From Chong Peng: fix a file descriptor and
 1213: 	  memory leak on configuration file reread
 1214: 
 1215: 2008-07-02  Yvan Vanhullebus <vanhu@netasq.com>
 1216: 
 1217: 	* src/racoon/isakmp_inf.c: From Timo Teras: fix some %d to %zu
 1218: 	  (size_t values)
 1219: 
 1220: 2008-06-18  Thomas Klausner <wiz@netbsd.org>
 1221: 
 1222: 	* src/racoon/racoonctl.8: Bump date for previous.
 1223: 
 1224: 2008-06-18  Matthew Grooms <mgrooms@shrew.net>
 1225: 
 1226: 	* src/racoon/: admin.c, admin.h, racoonctl.8, racoonctl.c: Add an
 1227: 	  admin port command to retrieve the peer certificate. Submitted by
 1228: 	  Timo Teras.
 1229: 
 1230: 	* src/racoon/: admin.c, grabmyaddr.c, isakmp.c, misc.c, misc.h: Set
 1231: 	  sockets to be closed on exec to avoid potential file descriptor
 1232: 	  inheritance issues. Submitted by Timo Teras.
 1233: 
 1234: 	* src/racoon/: admin.c, grabmyaddr.c, ipsec_doi.c, isakmp.c,
 1235: 	  isakmp_cfg.c, isakmp_inf.c, privsep.c, remoteconf.c: Use utility
 1236: 	  functions to evaluate and manipulate network port values. No
 1237: 	  functional changes. Submitted by Timo Teras.
 1238: 
 1239: 	* src/racoon/: admin.c, racoonctl.c: Admin port code cleanup. No
 1240: 	  functional changes. Submitted by Timo Teras.
 1241: 
 1242: 	* src/racoon/pfkey.c: Correct a phase2 status event. Submitted by
 1243: 	  Timo Teras.
 1244: 
 1245: 2008-05-24  Christos Zoulas <christos@netbsd.org>
 1246: 
 1247: 	* src/racoon/privsep.c: Coverity CID 5018: Fix double frees.
 1248: 
 1249: 2008-05-08  Emmanuel Dreyfus <manu@netbsd.org>
 1250: 
 1251: 	* configure.ac: From Christian Hohnstaedt: allow out of tree
 1252: 	  building
 1253: 
 1254: 2008-04-30  Martin Husemann <martin@netbsd.org>
 1255: 
 1256: 	* netbsd-import.sh: Convert TNF licenses to new 2 clause variant
 1257: 
 1258: 2008-04-25  Yvan Vanhullebus <vanhu@netasq.com>
 1259: 
 1260: 	* src/racoon/isakmp_inf.c: From Timo Teras: extract port numbers
 1261: 	  from SADB_X_EXT_NAT_T[SD]PORT if present in purge_ipsec_spi().
 1262: 
 1263: 2008-04-13  Christos Zoulas <christos@netbsd.org>
 1264: 
 1265: 	* src/racoon/privsep.c: for symmetry set controllen the same way we
 1266: 	  set it on the receiving side.
 1267: 
 1268: 2008-04-02  Emmanuel Dreyfus <manu@netbsd.org>
 1269: 
 1270: 	* src/racoon/: Makefile.am, sockmisc.c, sockmisc.h: fix Linux build
 1271: 
 1272: 2008-03-28  Christos Zoulas <christos@netbsd.org>
 1273: 
 1274: 	* src/racoon/privsep.c: properly fix the variable stack allocation
 1275: 	  code.
 1276: 
 1277: 2008-03-28  Emmanuel Dreyfus <manu@netbsd.org>
 1278: 
 1279: 	* src/racoon/privsep.c: Still from Cyrus Rahman: fix file
 1280: 	  descriptor leak introduced by previous commit.
 1281: 
 1282: 	* src/racoon/: Makefile.am, isakmp.c, isakmp_inf.c, privsep.c,
 1283: 	  privsep.h, sockmisc.c, doc/README.privsep: From Cyrus Rahman:
 1284: 	  Allow interface reconfiguration when running in privilege separation
 1285: 	  mode, document privilege separation
 1286: 
 1287: 2008-03-06  Yvan Vanhullebus <vanhu@netasq.com>
 1288: 
 1289: 	* src/racoon/oakley.c: Generates a log if cert validation has been
 1290: 	  disabled by configuration
 1291: 
 1292: 2008-03-06  Emmanuel Dreyfus <manu@netbsd.org>
 1293: 
 1294: 	* src/racoon/: privsep.c, session.c: From Cyrus Rahman
 1295: 	  <crahman@gmail.com> privileged instance exit when unprivileged one
 1296: 	  terminates. Save PID in real root, not in chroot
 1297: 
 1298: 2008-03-06  Matthew Grooms <mgrooms@shrew.net>
 1299: 
 1300: 	* src/racoon/: admin.c, isakmp.c, isakmp_var.h, pfkey.c,
 1301: 	  racoonctl.8, racoonctl.c: Add the ability to initiate IPsec SA
 1302: 	  negotiations using the admin socket.  Submitted by Timo Teras.
 1303: 
 1304: 	* src/racoon/: admin.c, admin.h, evt.c, evt.h, handler.c,
 1305: 	  handler.h, isakmp.c, isakmp_agg.c, isakmp_base.c, isakmp_cfg.c,
 1306: 	  isakmp_ident.c, isakmp_inf.c, isakmp_var.h, isakmp_xauth.c,
 1307: 	  racoonctl.8, racoonctl.c, session.c: Refactor admin socket event
 1308: 	  protocol to be less error prone. Backwards compatibility is
 1309: 	  provided. Submitted by Timo Teras.
 1310: 
 1311: 2008-03-05  Matthew Grooms <mgrooms@shrew.net>
 1312: 
 1313: 	* src/racoon/cfparse.y: Properly initialize the unity network
 1314: 	  struct to prevent erroneous protocol and port info from being
 1315: 	  transmitted.
 1316: 
 1317: 	* src/racoon/: pfkey.c, pfkey.h, session.c: Reload SPD on SIGHUP or
 1318: 	  adminport reload. Also provide better handling for pfkey socket read
 1319: 	  errors. Submitted by Timo Teras.
 1320: 
 1321: 2008-02-25  Emmanuel Dreyfus <manu@netbsd.org>
 1322: 
 1323: 	* src/racoon/ipsec_doi.c: From Brian Haley <brian.haley@hp.com>
 1324: 	  There's a cut/paste error in cmp_aproppair_i(), it's supposed to be
 1325: 	  checking spi_size but it's not.  I'm not sure this patch is correct,
 1326: 	  but what's there isn't either.
 1327: 
 1328: 2008-02-22  Emmanuel Dreyfus <manu@netbsd.org>
 1329: 
 1330: 	* src/racoon/isakmp.c: Fix address length, from Brian Haley
 1331: 
 1332: 2008-02-10  S.P.Zeidler <spz@netbsd.org>
 1333: 
 1334: 	* src/racoon/ipsec_doi.c: closes PR bin/37644 did not meet violent
 1335: 	  opposition ( :) ) on ipsec-tools-devel
 1336: 
 1337: 2008-01-11  Yvan Vanhullebus <vanhu@netasq.com>
 1338: 
 1339: 	* src/racoon/isakmp_inf.c: From Timo Teras: reset iph1->dpd_r_u in
 1340: 	  the scheduler's callback, to avoid access to freed memory.
 1341: 
 1342: 	* src/racoon/crypto_openssl.c: From Krzysztof Oledzki: Fix
 1343: 	  compilation with IDEA and recent gcc.
 1344: 
 1345: 	* src/racoon/isakmp_inf.c: From Krzysztof Oledzki: added some
 1346: 	  details to some logs (also reported new getph1byaddr() arg).
 1347: 
 1348: 	* src/racoon/isakmp.c: From Krzysztof Oledzki: Only search for
 1349: 	  established ph1 handles in DPD (also reported new getph1byaddr()
 1350: 	  arg).
 1351: 
 1352: 	* src/racoon/: handler.c, handler.h: added an 'established' arg to
 1353: 	  getph1byaddr()
 1354: 
 1355: 2007-12-31  Matthew Grooms <mgrooms@shrew.net>
 1356: 
 1357: 	* src/racoon/: policy.c, racoonctl.8, racoonctl.c: Add GRE protocol
 1358: 	  number to racoonctl. Correct id wildcard matching for transport
 1359: 	  mode. Submitted by Timo Teras.
 1360: 
 1361: 2007-12-12  Matthew Grooms <mgrooms@shrew.net>
 1362: 
 1363: 	* NEWS, src/racoon/isakmp_quick.c: Add corrections submitted in a
 1364: 	  follow up patch for the nat-t oa support.
 1365: 
 1366: 	* src/racoon/: handler.c, handler.h, isakmp_quick.c, pfkey.c: Add
 1367: 	  support for nat-t oa payload handling. Submitted by Timo Teras.
 1368: 
 1369: 2007-12-04  Matthew Grooms <mgrooms@shrew.net>
 1370: 
 1371: 	* src/racoon/: ipsec_doi.c, ipsec_doi.h, isakmp_quick.c: Modify
 1372: 	  ipsecdoi_sockaddr2id() to obtain an id without specifying the exact
 1373: 	  prefix length. Correct a memory leak in phase2. Both submitted by
 1374: 	  Timo Teras.
 1375: 
 1376: 2007-12-01  Thomas Klausner <wiz@netbsd.org>
 1377: 
 1378: 	* src/racoon/racoon.conf.5: Fix typos. New sentence, new line.
 1379: 
 1380: 2007-11-29  Yvan Vanhullebus <vanhu@netasq.com>
 1381: 
 1382: 	* src/racoon/Makefile.am: From Natanael Copa: fixed a race
 1383: 	  condition when building yacc stuff.
 1384: 
 1385: 2007-11-09  Yvan Vanhullebus <vanhu@netasq.com>
 1386: 
 1387: 	* src/racoon/pfkey.c: From Arnaud Ebalard: Some sanity checking in
 1388: 	  pk_recv()
 1389: 
 1390: 	* src/racoon/policy.c: From Arnaud Ebalard: Better matching of SPD
 1391: 	  entries in getsp_r().
 1392: 
 1393: 	* src/racoon/isakmp_quick.c: From Arnaud Ebalard: Added some debug
 1394: 	  in get_proposal_r().
 1395: 
 1396: 2007-10-19  Emmanuel Dreyfus <manu@netbsd.org>
 1397: 
 1398: 	* src/racoon/: isakmp_cfg.c, isakmp_unity.c, isakmp_unity.h,
 1399: 	  racoon.conf.5: Add SPLITNET_{INCLUDR_LOCAL}_CIDR to hook scripts
 1400: 
 1401: 2007-10-15  Yvan Vanhullebus <vanhu@netasq.com>
 1402: 
 1403: 	* src/libipsec/pfkey.c: Try to increase the buffer size of the
 1404: 	  pfkey socket, this may help things when we have a huge SPD
 1405: 
 1406: 2007-10-02  Yvan Vanhullebus <vanhu@netasq.com>
 1407: 
 1408: 	* src/racoon/crypto_openssl.c: From Scott Lamb: include plog.h to
 1409: 	  work with the new plog macro.
 1410: 
 1411: 	* src/racoon/kmpstat.c: From Scott Lamb: plog changed to _plog to
 1412: 	  work with new plog macro
 1413: 
 1414: 	* src/racoon/: plog.c, plog.h: From Scott Lamb: new plog macro.
 1415: 
 1416: 2007-09-19  Matthew Grooms <mgrooms@shrew.net>
 1417: 
 1418: 	* src/racoon/isakmp.c: Set REUSE option on sockets to prevent
 1419: 	  failures associated with closing and immediately re-opening.
 1420: 	  Submitted by Gabriel Somlo.
 1421: 
 1422: 	* src/racoon/isakmp_unity.c: Prevent duplicate entries in splitnet
 1423: 	  list. Submitted by Gabriel Somlo.
 1424: 
 1425: 2007-09-13  Matthew Grooms <mgrooms@shrew.net>
 1426: 
 1427: 	* configure.ac: Fix autoconf check for selinux support. Submitted
 1428: 	  by Joy Latten.
 1429: 
 1430: 2007-09-12  Matthew Grooms <mgrooms@shrew.net>
 1431: 
 1432: 	* src/racoon/: cfparse.y, cftoken.l, handler.c, isakmp_quick.c,
 1433: 	  pfkey.c, racoon.conf.5, sainfo.c, sainfo.h: Implement clientaddr
 1434: 	  sainfo remote id option and refine the sainfo man page syntax.
 1435: 
 1436: 2007-09-05  Matthew Grooms <mgrooms@shrew.net>
 1437: 
 1438: 	* src/racoon/sainfo.c: Sort sainfo sections on insert and improve
 1439: 	  matching logic.
 1440: 
 1441: 2007-09-03  Matthew Grooms <mgrooms@shrew.net>
 1442: 
 1443: 	* src/racoon/: cftoken.l, racoon.conf.5: Correct the syntax for
 1444: 	  wins4 in the man page and add nbns4 as an alias. Pointed out by
 1445: 	  Claas Langbehn.
 1446: 
 1447: 2007-08-07  Emmanuel Dreyfus <manu@netbsd.org>
 1448: 
 1449: 	* src/racoon/isakmp_xauth.c: Don't mix
 1450: 	  up RADIUS authentication and authorization ports. Allow
 1451: 	  interoperability with freeradius
 1452: 
 1453: 2007-07-24  Matthew Grooms <mgrooms@shrew.net>
 1454: 
 1455: 	* NEWS: Update NEWS file with additional 0.7 improvements.
 1456: 
 1457: 2007-07-18  Matthew Grooms <mgrooms@shrew.net>
 1458: 
 1459: 	* src/racoon/racoon.conf.5: Various racoon configuration manpage
 1460: 	  updates.
 1461: 
 1462: 2007-07-18  Yvan Vanhullebus <vanhu@netasq.com>
 1463: 
 1464: 	* configure.ac, src/libipsec/ipsec_dump_policy.c,
 1465: 	  src/libipsec/ipsec_get_policylen.c,
 1466: 	  src/libipsec/ipsec_strerror.c, src/libipsec/key_debug.c,
 1467: 	  src/libipsec/libpfkey.h, src/libipsec/pfkey.c,
 1468: 	  src/libipsec/pfkey_dump.c, src/libipsec/policy_parse.y,
 1469: 	  src/libipsec/policy_token.l, src/libipsec/test-policy-priority.c,
 1470: 	  src/racoon/admin.c, src/racoon/backupsa.c, src/racoon/cfparse.y,
 1471: 	  src/racoon/cftoken.l, src/racoon/ipsec_doi.c,
 1472: 	  src/racoon/isakmp.c, src/racoon/isakmp_inf.c,
 1473: 	  src/racoon/isakmp_quick.c, src/racoon/pfkey.c,
 1474: 	  src/racoon/policy.c, src/racoon/proposal.c,
 1475: 	  src/racoon/remoteconf.c, src/racoon/sainfo.c,
 1476: 	  src/racoon/session.c, src/racoon/sockmisc.c,
 1477: 	  src/racoon/strnames.c, src/setkey/parse.y, src/setkey/setkey.c,
 1478: 	  src/setkey/token.l: use a single PATH_IPSEC_H to fix some
 1479: 	  path_to_ipsec.h issues
 1480: 
 1481: 2007-07-16  Yvan Vanhullebus <vanhu@netasq.com>
 1482: 
 1483: 	* src/racoon/grabmyaddr.c: fixed a socket leak
 1484: 
 1485: 	* src/racoon/proposal.c: indentation
 1486: 
 1487: 2007-06-07  Emmanuel Dreyfus <manu@netbsd.org>
 1488: 
 1489: 	* src/racoon/isakmp_cfg.c: From Paul Winder
 1490: 	  <Paul.Winder@tadpole.com>: Fix ignored INTERNAL_DNS4_LIST
 1491: 
 1492: 2007-06-06  Yvan Vanhullebus <vanhu@netasq.com>
 1493: 
 1494: 	* src/racoon/: eaytest.c, var.h: From Rong-En Fan: fix compilation
 1495: 	  with gcc 4.2
 1496: 
 1497: 	* src/racoon/session.c: From Jianli Liu: speed up interfaces update
 1498: 	  when they change.
 1499: 
 1500: 	* src/racoon/handler.c: ignore obsolete lifebyte when validating
 1501: 	  reloaded configuration
 1502: 
 1503: 2007-05-31  Emmanuel Dreyfus <manu@netbsd.org>
 1504: 
 1505: 	* src/racoon/: main.c, policy.h, security.c: From Joy Latten
 1506: 	  <latten@austin.ibm.com>: Fix file descriptor shortage when using
 1507: 	  labeled IPsec.
 1508: 
 1509: 2007-05-30  Emmanuel Dreyfus <manu@netbsd.org>
 1510: 
 1511: 	* src/racoon/kmpstat.c: From Jianli Liu <jlliu@nortel.com>: In
 1512: 	  racoonctl, use the specified socket path instead of the default
 1513: 	  location
 1514: 
 1515: 2007-05-16  Christos Zoulas <christos@netbsd.org>
 1516: 
 1517: 	* src/racoon/cfparse.y: coverity CID 4168: yyerror() does not
 1518: 	  return, so we proceed to de-reference NULL. Make it return -1
 1519: 	  instead like in other places.
 1520: 
 1521: 	* src/racoon/cfparse.y: coverity CID 4170: yyerror() does not
 1522: 	  return, so we proceed to de-reference NULL. Make it return -1
 1523: 	  instead like in other places.
 1524: 
 1525: 2007-05-04  Yvan Vanhullebus <vanhu@netasq.com>
 1526: 
 1527: 	* src/racoon/handler.c: search a ph1 by address if iph2->ph1 is
 1528: 	  NULL when validating the new config
 1529: 
 1530: 	* src/racoon/handler.c: added some debug in getph1byaddr() to track
 1531: 	  some port matching problems with NAT-T
 1532: 
 1533: 	* src/racoon/isakmp.c: added some debug in isakmp_chkph1there() to
 1534: 	  track some port matching problems with NAT-T
 1535: 
 1536: 	* src/racoon/isakmp_inf.c: added some debug for DELETE_SA process
 1537: 
 1538: 	* src/racoon/pfkey.c: Force the update of ph2 in pk_recvupdate() if
 1539: 	  NAT_T support, to solve some port match problems with the first
 1540: 	  IPSec SAs negotiated as initiator
 1541: 
 1542: 2007-04-04  Yvan Vanhullebus <vanhu@netasq.com>
 1543: 
 1544: 	* src/racoon/ipsec_doi.c: checks proto_id in ipsecdoi_chkcmpids()
 1545: 
 1546: 	* src/racoon/oakley.c: dumps peer's ID and peer's certificate
 1547: 	  subject /subjectaltname if they don't match
 1548: 
 1549: 2007-03-26  Yvan Vanhullebus <vanhu@netasq.com>
 1550: 
 1551: 	* src/racoon/isakmp_inf.c: Store the DPD main scheduler in ph1
 1552: 	  handler, to be able to cancel it when removing the handler, and some
 1553: 	  minor cleanups in DPD code
 1554: 
 1555: 2007-03-24  Christos Zoulas <christos@netbsd.org>
 1556: 
 1557: 	* src/racoon/isakmp_xauth.c: PR/36069: Huang Yushuo: racoon can't
 1558: 	  work with pam_group. Set RUSER.
 1559: 
 1560: 2007-03-23  Yvan Vanhullebus <vanhu@netasq.com>
 1561: 
 1562: 	* src/racoon/: ipsec_doi.c, security.c: From Joy Latten: fix a
 1563: 	  segfault when using security labels between 32bit and 64bit host.
 1564: 
 1565: 	* src/racoon/handler.c: expire zombie handlers in getph2byid(), to
 1566: 	  avoid situations where we'll never negotiate a phase2 again
 1567: 
 1568: 	* src/racoon/: oakley.c, racoon.conf.5: From Cyrus Rahman: give
 1569: 	  more details about what is checked when using certificates to
 1570: 	  authenticate
 1571: 
 1572: 2007-03-22  Yvan Vanhullebus <vanhu@netasq.com>
 1573: 
 1574: 	* src/racoon/: cfparse.y, ipsec_doi.c: fixed subnet check to
 1575: 	  generate IPV4_ADDRESS when needed in sockaddr2id()
 1576: 
 1577: 2007-03-21  Yvan Vanhullebus <vanhu@netasq.com>
 1578: 
 1579: 	* src/racoon/: handler.c, isakmp.c, isakmp_inf.c, pfkey.c: NULL
 1580: 	  sched check is now done in SCHED_KILL
 1581: 
 1582: 	* src/racoon/schedule.h: checks if arg is NULL in SCHED_KILL
 1583: 
 1584: 2007-03-15  Yvan Vanhullebus <vanhu@netasq.com>
 1585: 
 1586: 	* src/racoon/grabmyaddr.c: From Yves-Alexis Perez: enable
 1587: 	  monitoring of ipv6 address changes on Linux.
 1588: 
 1589: 	* src/racoon/isakmp.c: Consider a negotiation timeout when
 1590: 	  retry_counter is <=0 instead of < 0
 1591: 
 1592: 2007-02-28  Matthew Grooms <mgrooms@shrew.net>
 1593: 
 1594: 	* src/racoon/ipsec_doi.c: Add logic to allow ip address ids to be
 1595: 	  matched to ip subnet ids when appropriate.
 1596: 
 1597: 2007-02-21  Yvan Vanhullebus <vanhu@netasq.com>
 1598: 
 1599: 	* src/racoon/ipsec_doi.c: block variable declaration before code in
 1600: 	  ipsecdoi_id2str()
 1601: 
 1602: 2007-02-20  Yvan Vanhullebus <vanhu@netasq.com>
 1603: 
 1604: 	* src/racoon/isakmp_inf.c: Removed a debug printf....
 1605: 
 1606: 	* src/racoon/isakmp.c: Only delete a generated SPD if its creation
 1607: 	  date matches the creation date of the SA we are currently deleting
 1608: 
 1609: 	* src/racoon/: handler.c, isakmp_var.h: updated delete_spd() calls
 1610: 
 1611: 	* src/racoon/: isakmp_inf.c, pfkey.c: fills creation date of
 1612: 	  generated SPDs
 1613: 
 1614: 	* src/racoon/policy.h: added 'created' var
 1615: 
 1616: 2007-02-19  Yvan Vanhullebus <vanhu@netasq.com>
 1617: 
 1618: 	* src/racoon/isakmp.c: Removed a debug printf....
 1619: 
 1620: 2007-02-16  Yvan Vanhullebus <vanhu@netasq.com>
 1621: 
 1622: 	* src/racoon/ipsec_doi.c: From Olivier Warin: Fix a %zu in a
 1623: 	  printf.
 1624: 
 1625: 2007-02-15  Emmanuel Dreyfus <manu@netbsd.org>
 1626: 
 1627: 	* src/racoon/security.c: Missing SELinux file
 1628: 
 1629: 	* configure.ac: Missing stuff for SELinux
 1630: 
 1631: 2007-02-15  Yvan Vanhullebus <vanhu@netasq.com>
 1632: 
 1633: 	* src/racoon/isakmp_inf.c: From "Uncle Pedro" on sf.net: Just
 1634: 	  expire a ph1 handle when receiving a DELETE-SA instead of calling
 1635: 	  purge_remote().
 1636: 
 1637: 	* src/racoon/isakmp.c: Fixed the way phase1/2 messages are
 1638: 	  sent/resent, to avoid zombie handles and access to freed memory
 1639: 
 1640: 2007-02-02  Yvan Vanhullebus <vanhu@netasq.com>
 1641: 
 1642: 	* src/racoon/cfparse.y: Fixed a check of NAT-T support in libipsec
 1643: 
 1644: 2007-02-01  Yvan Vanhullebus <vanhu@netasq.com>
 1645: 
 1646: 	* src/racoon/isakmp_inf.c: From "Uncle Pedro" on sf.net: When
 1647: 	  receiving an ISAKMP DELETE_SA, get the cookie of the SA to be
 1648: 	  deleted from payload instead of just deleting the ISAKMP SA used to
 1649: 	  protect the informational exchange.
 1650: 
 1651: 2006-12-26  Arnaud Lacombe <alc@netbsd.org>
 1652: 
 1653: 	* src/racoon/ipsec_doi.c: CID-4167: check for 'iph1->approval !=
 1654: 	  NULL'
 1655: 
 1656: 2006-12-23  Thomas Klausner <wiz@netbsd.org>
 1657: 
 1658: 	* src/racoon/racoon.conf.5: Use even more macros.
 1659: 
 1660: 	* src/racoon/racoon.conf.5: Use more macros.
 1661: 
 1662: 	* src/racoon/racoon.conf.5: Serial comma, and bump date for
 1663: 	  previous.
 1664: 
 1665: 2006-12-18  Yvan Vanhullebus <vanhu@netasq.com>
 1666: 
 1667: 	* src/racoon/crypto_openssl.c: From Joy Latten: fix a memory leak
 1668: 
 1669: 2006-12-10  Emmanuel Dreyfus <manu@netbsd.org>
 1670: 
 1671: 	* src/: libipsec/Makefile.am, libipsec/libpfkey.h,
 1672: 	  libipsec/pfkey.c, racoon/backupsa.c, racoon/cfparse.y,
 1673: 	  racoon/pfkey.c: Bring back API and ABI backward compatibility
 1674: 	  with previous libipsec before recent interface change. Bump libipsec
 1675: 	  minor version. Remove ifdefs in struct pfkey_send_sa_args to avoid
 1676: 	  ABI compatibility lossage.  Add a capability flags to detect missing
 1677: 	  optional feature in libipsec
 1678: 
 1679: 	* src/racoon/: Makefile.am, doc/README.plainrsa: From Joy Latten:
 1680: 	  README.plainrsa documenting plain RSA auth
 1681: 
 1682: 2006-12-09  Emmanuel Dreyfus <manu@netbsd.org>
 1683: 
 1684: 	* configure.ac, src/libipsec/libpfkey.h, src/libipsec/pfkey.c,
 1685: 	  src/racoon/Makefile.am, src/racoon/backupsa.c,
 1686: 	  src/racoon/backupsa.h, src/racoon/cftoken.l,
 1687: 	  src/racoon/ipsec_doi.c, src/racoon/ipsec_doi.h,
 1688: 	  src/racoon/isakmp_inf.c, src/racoon/isakmp_quick.c,
 1689: 	  src/racoon/pfkey.c, src/racoon/policy.c, src/racoon/policy.h,
 1690: 	  src/racoon/proposal.c, src/racoon/proposal.h,
 1691: 	  src/racoon/remoteconf.c: From Joy Latten: Add support for SELinux
 1692: 	  security contexts. Also cleanup the libipsec interface for adding
 1693: 	  and updating security associations.
 1694: 
 1695: 	* src/racoon/racoon.conf.5: From Simon Chang: More hints about
 1696: 	  plain RSA authentication
 1697: 
 1698: 2006-12-05  Yvan Vanhullebus <vanhu@netasq.com>
 1699: 
 1700: 	* src/racoon/: proposal.c, proposal.h, racoon.conf.5: Check keys
 1701: 	  length regarding proposal_check level
 1702: 
 1703: 2006-11-16  Matthew Grooms <mgrooms@shrew.net>
 1704: 
 1705: 	* src/racoon/sainfo.c: Correct issues associated with anonymous
 1706: 	  sainfo selection in racoon.
 1707: 
 1708: 2006-11-09  Christos Zoulas <christos@netbsd.org>
 1709: 
 1710: 	* src/racoon/crypto_openssl.c: eliminate the only variable stack
 1711: 	  array allocation.
 1712: 
 1713: 2006-10-31  Christian Biere <cbiere@netbsd.org>
 1714: 
 1715: 	* src/racoon/sockmisc.c: Don't define the deprecated
 1716: 	  IPV6_RECVDSTADDR if the "advanced IPv6 API" is used because
 1717: 	  IPV6_RECVPKTINFO and IPV6_PKTINFO are used to prevent potential bugs
 1718: 	  in the future just in case that the numeric value of the socket
 1719: 	  option is ever recycled.
 1720: 
 1721: 2006-10-22  Yvan Vanhullebus <vanhu@netasq.com>
 1722: 
 1723: 	* src/racoon/: backupsa.c, cfparse.y: From Michal Ruzicka: fix
 1724: 	  typos
 1725: 
 1726: 2006-10-19  Yvan Vanhullebus <vanhu@netasq.com>
 1727: 
 1728: 	* src/racoon/sainfo.c: From Matthew Grooms: use
 1729: 	  ipsecdoi_chkcmpids() and changed src/dst to loc/rmt in getsainfo().
 1730: 
 1731: 	* src/racoon/: ipsec_doi.c, ipsec_doi.h: From Matthew Grooms: Added
 1732: 	  ipsecdoi_chkcmpids() function.
 1733: 
 1734: 2006-10-09  Emmanuel Dreyfus <manu@netbsd.org>
 1735: 
 1736: 	* src/racoon/proposal.c: Fix memory leak (Coverity 3438 and 3437)
 1737: 
 1738: 	* src/racoon/isakmp_unity.c: Correctly check read() return value:
 1739: 	  it's signed (Coverity 1251)
 1740: 
 1741: 2006-10-06  Emmanuel Dreyfus <manu@netbsd.org>
 1742: 
 1743: 	* configure.ac, src/libipsec/pfkey_dump.c, src/racoon/algorithm.c,
 1744: 	  src/racoon/algorithm.h, src/racoon/cftoken.l,
 1745: 	  src/racoon/crypto_openssl.c, src/racoon/crypto_openssl.h,
 1746: 	  src/racoon/eaytest.c, src/racoon/ipsec_doi.c,
 1747: 	  src/racoon/ipsec_doi.h, src/racoon/oakley.h, src/racoon/pfkey.c,
 1748: 	  src/racoon/racoon.conf.5, src/racoon/strnames.c,
 1749: 	  src/setkey/setkey.8, src/setkey/test-pfkey.c, src/setkey/token.l:
 1750: 	  Camellia cipher support as in RFC 4312, from Tomoyuki Okazaki
 1751: 	  <okazaki@kick.gr.jp>
 1752: 
 1753: 2006-10-03  Emmanuel Dreyfus <manu@netbsd.org>
 1754: 
 1755: 	* src/racoon/admin.c: fix endianness issue introduced yesterday
 1756: 
 1757: 2006-10-03  Yvan Vanhullebus <vanhu@netasq.com>
 1758: 
 1759: 	* src/racoon/racoon.conf.5: Added remoteid/ph1id syntax
 1760: 
 1761: 	* src/racoon/: cfparse.y, cftoken.l: Parses remoteid/ph1id values
 1762: 
 1763: 	* src/racoon/: handler.c, isakmp_quick.c, pfkey.c, sainfo.c: Uses
 1764: 	  remoteid/ph1id values
 1765: 
 1766: 	* src/racoon/: remoteconf.h, sainfo.h: Added remoteid/ph1id values
 1767: 
 1768: 2006-10-02  Emmanuel Dreyfus <manu@netbsd.org>
 1769: 
 1770: 	* src/racoon/isakmp_base.c:
 1771: 	   avoid reusing free'd pointer (Coverity 2613)
 1772: 
 1773: 	* src/racoon/isakmp_inf.c: Check for NULL pointer (Coverity 4175)
 1774: 
 1775: 	* src/racoon/isakmp_ident.c: Remove dead code (Coverity 3451)
 1776: 
 1777: 	* src/racoon/algorithm.c: Fix array overrun (Coverity 4172)
 1778: 
 1779: 	* src/racoon/admin.c: Fix memory leak (Coverity 2002)
 1780: 
 1781: 	* src/racoon/: admin.c, isakmp.c, sockmisc.c: Fix memory leak
 1782: 	  (Coverity 2001), refactor the code to use port get/set functions
 1783: 
 1784: 	* src/racoon/admin.c: Avoid reusing free'd pointer (Coverity 4200)
 1785: 
 1786: 	* src/racoon/oakley.c: Don't use NULL pointer (Coverity 3443),
 1787: 	  reformat to 80 char/line
 1788: 
 1789: 2006-10-02  Tom Spindler <dogcow@netbsd.org>
 1790: 
 1791: 	* src/racoon/ipsec_doi.c: If you're going to initialize a pointer,
 1792: 	  you have to init it with a pointer type, not an int.
 1793: 
 1794: 2006-10-02  Emmanuel Dreyfus <manu@netbsd.org>
 1795: 
 1796: 	* src/racoon/isakmp.c: Don't use NULL pointer (coverity 3439)
 1797: 
 1798: 	* src/racoon/ipsec_doi.c: Don't use NULL pointer (Coverity 1334)
 1799: 
 1800: 	* src/racoon/pfkey.c: Don't use NULL pointer (Coverity 944)
 1801: 
 1802: 	* src/racoon/proposal.c: Don't use NULL pointer (Coverity 941)
 1803: 
 1804: 	* src/racoon/racoonctl.c: Don't use NULL pointer (Coverity 942)
 1805: 
 1806: 	* src/racoon/sockmisc.c: Don't use null pointer (Coverity 863)
 1807: 
 1808: 2006-10-01  Emmanuel Dreyfus <manu@netbsd.org>
 1809: 
 1810: 	* src/racoon/ipsec_doi.c: Fix memory leak (Coverity 4181)
 1811: 
 1812: 	* src/racoon/isakmp.c: Check that iph1->remote is not NULL before
 1813: 	  using it (Coverity 3436)
 1814: 
 1815: 2006-09-30  Emmanuel Dreyfus <manu@netbsd.org>
 1816: 
 1817: 	* src/racoon/isakmp_agg.c: Remove dead code (Coverity 4165)
 1818: 
 1819: 	* src/racoon/isakmp_cfg.c: Fix memory leak (Coverity 4179)
 1820: 
 1821: 	* src/racoon/samples/roadwarrior/client/: phase1-down.sh,
 1822: 	  phase1-up.sh: update the scripts for working around routing
 1823: 	  problems on NetBSD
 1824: 
 1825: 	* src/racoon/session.c: Reuse existing code for closing IKE
 1826: 	  sockets, and avoid screwing things by setting p->sock = -1, which is
 1827: 	  not expected (Coverity 4173).
 1828: 
 1829: 	* src/racoon/admin.c: Do not free id and key, as they are used
 1830: 	  later
 1831: 
 1832: 2006-09-29  Emmanuel Dreyfus <manu@netbsd.org>
 1833: 
 1834: 	* src/racoon/racoonctl.c: Fix the fix: handle_recv closes the
 1835: 	  socket, so we must call com_init before sending any data.
 1836: 
 1837: 2006-09-28  Emmanuel Dreyfus <manu@netbsd.org>
 1838: 
 1839: 	* src/racoon/isakmp_xauth.c: Fix unchecked mallocs (Coverity 4176,
 1840: 	  4174)
 1841: 
 1842: 	* src/racoon/racoonctl.c: Fix access after free (Coverity 4178)
 1843: 
 1844: 2006-09-26  Emmanuel Dreyfus <manu@netbsd.org>
 1845: 
 1846: 	* src/racoon/cfparse.y: Fix memory leak (Coverity)
 1847: 
 1848: 	* src/racoon/backupsa.c: Fix memory leak (Coverity)
 1849: 
 1850: 	* src/racoon/admin.c: Remove dead code (Coverity)
 1851: 
 1852: 	* src/racoon/admin.c: Fix memory leak (Coverity)
 1853: 
 1854: 	* src/racoon/admin.c: One more memory leak
 1855: 
 1856: 	* src/racoon/admin.c: Fix memory leak in racoonctl (coverity)
 1857: 
 1858: 	* src/racoon/ipsec_doi.c: Fix buffer overflow. Also fix credits: SA
 1859: 	  bundle fix was contributed by Jeff Bailey, not Matthew Grooms.
 1860: 	  Matthew updated the patch for current code, though.
 1861: 
 1862: 	* src/racoon/: pfkey.c, proposal.c: fix SA bundle (e.g.: for
 1863: 	  negotiating ESP+IPcomp)
 1864: 
 1865: 2006-09-25  Yvan Vanhullebus <vanhu@netasq.com>
 1866: 
 1867: 	* src/racoon/isakmp.c: From Yves-Alexis Perez: struct ip -> struct
 1868: 	  iphdr for Linux
 1869: 
 1870: 2006-09-25  Emmanuel Dreyfus <manu@netbsd.org>
 1871: 
 1872: 	* src/racoon/isakmp.c: style (mostly for testing
 1873: 	  ipsec-tools-commits@netbsd.org)
 1874: 
 1875: 	* src/racoon/ipsec_doi.c: Fix double free, from Matthew Grooms
 1876: 
 1877: 2006-09-21  Yvan Vanhullebus <vanhu@netasq.com>
 1878: 
 1879: 	* src/libipsec/pfkey.c: use sysdep_sa_len to make it compile on
 1880: 	  Linux
 1881: 
 1882: 2006-09-19  Thomas Klausner <wiz@netbsd.org>
 1883: 
 1884: 	* src/racoon/racoon.conf.5: Bump date for ike_frag force.
 1885: 
 1886: 	* src/racoon/: plainrsa-gen.8, racoon.conf.5: New sentence, new
 1887: 	  line.
 1888: 
 1889: 	* src/racoon/: racoon.conf.5, plainrsa-gen.8: Remove trailing
 1890: 	  whitespace.
 1891: 
 1892: 2006-09-19  Yvan Vanhullebus <vanhu@netasq.com>
 1893: 
 1894: 	* src/racoon/proposal.c: From Yves-Alexis Perez: fixes default
 1895: 	  value for encmodesv in set_proposal_from_policy()
 1896: 
 1897: 	* src/racoon/isakmp.c: always include some headers, as they are
 1898: 	  required even without NAT-T
 1899: 
 1900: 	* src/: libipsec/pfkey_dump.c, setkey/token.l: From Larry Baird:
 1901: 	  define SADB_X_EALG_AESCBC as SADB_X_EALG_AES if needed
 1902: 
 1903: 	* src/racoon/crypto_openssl.c: From Larry Baird: some printf() ->
 1904: 	  plog()
 1905: 
 1906: 2006-09-18  Emmanuel Dreyfus <manu@netbsd.org>
 1907: 
 1908: 	* src/racoon/: cfparse.y, cftoken.l, isakmp.c, isakmp_frag.h,
 1909: 	  isakmp_inf.c, racoon.conf.5, remoteconf.c: From Matthew Grooms:
 1910: 	  ike_frag force option to force the use of IKE on first packet
 1911: 	  exchange (prior to peer consent)
 1912: 
 1913: 	* src/racoon/isakmp.c: From Matthew Grooms: handle IKE frag used in
 1914: 	  the first packet. That should not normally happen, as the initiator
 1915: 	  does not know yet if the responder can handle IKE frag.  However, in
 1916: 	  some setups, the first packet is too big to get through, and
 1917: 	  assuming the peer supports IKE frag is the only way to go.
 1918: 
 1919: 	  racoon should have a setting in the remote section to do that
 1920: 	  (something like ike_frag force)
 1921: 
 1922: 2006-09-16  Emmanuel Dreyfus <manu@netbsd.org>
 1923: 
 1924: 	* src/racoon/ipsec_doi.c: Trivial bugfix in RFC2407 4.6.2
 1925: 	  conformance, from Matthew Grooms
 1926: 
 1927: 2006-09-15  Emmanuel Dreyfus <manu@netbsd.org>
 1928: 
 1929: 	* src/racoon/ipsec_doi.c: Fix build on Linux
 1930: 
 1931: For older changes see ChangeLog.old
