| blob | 4bfb57c1e4ff1e70c38bb622f73225e700ff7f37 |
1 Migration to cvs.netbsd.org
3 2006-08-22 Emmanuel Dreyfus <manu@netbsd.org>
5 From Matthew Grooms:
6 * src/racoon{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h}
7 src/racoon{isdakmp_quick.c|isakmp_xauth.c|isakmp_xauth.h}
8 src/racoon/racoon.conf.5: Add a group check option
10 2006-08-17 Yvan Vanhullebus <vanhu@netasq.com>
12 Patch from Matthew Grooms:
13 * src/racoon/ipsec_doi.c: fixed an ASN1 size in
14 ipsecdoi_checkid1()
16 2006-08-11 Yvan Vanhullebus <vanhu@netasq.com>
18 Patch from Matthew Grooms:
19 * src/racoon/ipsec_doi.[ch]: fixed and public ipsecdoi_id2str()
20 * src/racoon/isakmp_quick.c: text fix
21 * src/racoon/pfkey.c: sainfo debug
22 * src/racoon/sainfo.c: sainfo debug
24 2006-07-17 Yvan Vanhullebus <vanhu@netasq.com>
26 Reported by Matthew Grooms:
27 * src/racoon/isakmp_quick.c: Fixed iph2->id / id_p checks in
28 get_sainfo_r().
29 * src/racoon/racoon.conf.5: updated man page for sainfo logic.
31 2006-07-31 Emmanuel Dreyfus <manu@netbsd.org>
32 From Matthew Grooms <mgrooms@shrew.net>
33 * src/racoon/{cfparse.y|isakmp_cfg.c|isakmp_cfg.h}
34 src/racoon/{isakmp_unity.c|isakmp_unity.h}: splinet support
35 becomes dynamic, bugfixes
37 2006-07-19 Emmanuel Dreyfus <manu@netbsd.org>
38 From Peter Eisch <peter@boku.net>
39 * src/racoon/samples/roadwarrior/client/phase1-up.sh: add missing
40 netmask in network interface configuration
42 From Matthew Grooms <mgrooms@shrew.net>
43 * configure.ac src/racoon/isakmp_xauth.c: update the LDAP API usage
45 From Matthew Grooms <mgrooms@shrew.net>
46 * src/racoon/{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h}
47 src/racoon/{isakmp_cfg.c|isakmp_unity.c|racoon.conf.5}: Split DNS
48 support (server side)
50 2006-07-17 Yvan Vanhullebus <vanhu@netasq.com>
52 * src/libipsec/pfkey.c: Fixed SADB_X_EXT_SEC_CTX support in pfkey_align().
53 Break reported by Matthew Grooms.
55 2006-07-13 Frederic Senault <fred@lacave.net>
57 * src/racoon/isakmp_cfg.c: fix a typo that rendered DNS4 / WINS4
58 unoperable on 64bit architectures ; add a packetdump of MODE_CFG
59 exchange in debug mode.
61 2006-07-09 Emmanuel Dreyfus <manu@netbsd.org>
62 From Matthew Grooms <mgrooms@shrew.net>
63 * src/racoon{cfparse.y|cftoken.l|isakmp_quick.c|isakmp_xauth.c}
64 src/racoon{isakmp_xauth.h|racoon.conf.5|sainfo.c|sainfo.h}:
65 Group authentication for Xauth. Supports system groups and LDAP.
67 2006-07-04 Yvan Vanhullebus <vanhu@netasq.com>
69 * src/racoon/nattraversal.c: fixed a malloc check in
70 natt_keepalive_add(). Patch from Bruno Wagenseil.
72 2006-06-30 Emmanuel Dreyfus <manu@netbsd.org>
74 * src/racoon/{cfparse.l|cftoken.l}: meaningful error message when
75 we cannot find the configuration file.
77 2006-06-24 Emmanuel Dreyfus <manu@netbsd.org>
78 From Matthew Grooms <mgrooms@shrew.net>
79 * src/racoon{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h}
80 src/racoon/{isakmp_xauth.c|isakmp_xauth.h|racoon.conf.5}: network
81 configuration obtained from LDAP directory
83 2006-06-23 Emmanuel Dreyfus <manu@netbsd.org>
84 From Matthew Grooms <mgrooms@shrew.net>
85 * configure.ac: build fixes
87 2006-06-22 Emmanuel Dreyfus <manu@netbsd.org>
88 * src/racoon/evt.c: build fix
89 From Matthew Grooms <mgrooms@shrew.net>
90 * configure.ac: build fixes around libldap and libiconv search
92 2006-06-21 Emmanuel Dreyfus <manu@netbsd.org>
93 * src/racoon/evt.c: Do not record events if admin socket is
94 disabled.
96 2006-06-20 Emmanuel Dreyfus <manu@netbsd.org>
98 * configure.ac: Check for conflicts between system libiconv
99 and newer libiconv header
100 From Matthew Grooms <mgrooms@shrew.net>
101 * configure.ac src/racoon/{cfparse.y|cftoken.l}
102 src/racoon/{isakmp_cfg.h|isakmp_xauth.c|isakmp_xauth.h}
103 src/racoon/{main.c|racoon.conf.5}: Use LDAP for Xauth
105 2006-06-20 Yvan Vanhullebus <vanhu@netasq.com>
107 * configure.ac: fixed SHA256 detection on some systems. Patch by
108 Dmitry Andrianov.
109 * src/racoon/{cfparse.y|cftoken.l|plog.[ch]|racoon.conf.5}:
110 changed logging levels. Patch by Michal Ruzicka.
112 2006-06-15 Emmanuel Dreyfus <manu@netbsd.org>
113 From Matthew Grooms <mgrooms@shrew.net>
114 * src/racoon/main.c: make sure RADIUS is correctly initialized
116 2006-06-14 Yvan Vanhullebus <vanhu@netasq.com>
118 * Makefile.am, src/Makefile.am: fixed make dist on *BSD
120 2006-06-07 Emmanuel Dreyfus <manu@netbsd.org>
121 * src/racoon/isakmp_cfg.c: Fix build.
123 2006-05-26 Emmanuel Dreyfus <manu@netbsd.org>
124 From Pawel Jakub Dawidek <pjd@FreeBSD.org>
125 * src/racoon/handler.c: Fix a crash caused by a NULL pointer
126 * src/racoon/oakley.c: Typos
127 * src/racoon/isakmp_base.c: Fix uninitialized buffer
128 * src/racoon/isakmp_base.c: Do send DPD VID in resp case (base mode)
130 2006-05-23 Emmanuel Dreyfus <manu@netbsd.org>
131 * src/racoon/isakmp_cfg.c: Mode cfg can be used without Xauth, so
132 do not assume Xauth when preparing a hook script environement.
133 From chunkeey@web.de
134 * src/racoon/{algorithm.c|oakley.c|gssapi.c|ipsec_doi.c}: Fix amd64
135 build warnings
136 * src/racoon/ipsec_doi.c: Don't free a referenced buffer
137 From Matthew Grooms <mgrooms@shrew.net>
138 * src/racoon/isakmp_cfg.c: Fix for unity local_lan support
140 2006-05-07 Emmanuel Dreyfus <manu@netbsd.org>
141 * src/racoon/{isakmp.c|session.c|sockmisc.c|racoon.conf.5}: Do
142 not reconfigure interface sockets when running in privilege
143 separation as it will not work. Add debug for setsockopt().
144 * src/racoon/racoonctl.8: Do not tell config reload is completely
145 broken (it's only somewhat broken).
147 2006-05-06 Emmanuel Dreyfus <manu@netbsd.org>
149 * src/racoon/{remoteconf.c|remoteconf.h|isakmp.c|cfparse.y}: Fix
150 memory leak (Coverity)
151 * src/racoon/pfkey.c: Fix memory leak (Coverity)
152 * src/racoon/ipsec_doi.c: Fix memory leak (Coverity)
153 * src/racoon/isakmp.c: Fix memory leak (Coverity)
154 * src/racoon/dnssec.c: Fix memory leak (Coverity)
155 * src/racoon/backupsa.c: Fix memory leak (Coverity)
156 * src/racoon/{nattraversal.c|isakmp.c|cfparse.y}: Check for non NULL
157 allocation (Coverity)
158 * src/racoon/isakmp_quick.c: Remove dead code (Coverity)
159 * src/racoon/oakley.c: Remove dead code (Coverity)
160 * src/racoon/crypto_openssl.c: Remove dead code (Coverity)
162 2006-05-05 Yvan Vanhullebus <vanhu@netasq.com>
164 * src/racoon/pfkey.c: Sets NAT-T ports to 0 if no NAT
165 encapsulation in pk_sendgetspi().
167 2006-05-04 Yvan Vanhullebus <vanhu@netasq.com>
168 From Preggna S (spreggna@novell.com)
169 * src/racoon/schedule.h: fixed gnuc.h include.
170 * src/racoon/{cfparse.y|cftoken.l}: Address range sainfos support.
171 * src/racoon/ipsec_doi.[ch]: ipsecdoi_sockrange2id() function.
173 2006-05-03 Yvan Vanhullebus <vanhu@netasq.com>
174 From Joy Latten <latten@austin.ibm.com>
175 * configure.ac: security context support check
176 * src/libipsec/{pfkey.c|pfkey_dump.c}:
177 SADB_X_EXT_PACKET / SADB_X_EXT_SEC_CTX support
178 * src/setkey/{parse.ytoken.l}: parses optionnal security context
179 * src/setkey/setkey.8: security context syntax
181 2006-04-27 Emmanuel Dreyfus <manu@netbsd.org>
183 * src/racoon/{remoteconf.c|proposal.c}: fix memory leak (Coverity)
185 2006-04-24 Yvan Vanhullebus <vanhu@netasq.com>
187 * src/racoon/isakmp.c: style cleanup in delete_spd()
189 2006-04-13 Yvan Vanhullebus <vanhu@netasq.com>
191 * src/racoon/pfkey.c: Sets NAT-T ports to 0 if no NAT
192 encapsulation in pk_sendupdate().
194 2006-04-12 Emmanuel Dreyfus <manu@netbsd.org>
196 * src/racoon/ipsec_doi.c: fix memory leaks (Coverity)
198 2006-04-06 Emmanuel Dreyfus <manu@netbsd.org>
200 * src/racoon/{admin.c|cfparse.y|cftoken.l|debugrm.c|debugrm.h}
201 src/racoon/{gcmalloc.h|isakmp.c|isakmp_inf.c|isakmp_xauth.c}
202 src/racoon/{logger.c|misc.h|plog.c|racoonctl.c|sockmisc.c}: Add
203 strdup in the malloc debugging framework, check for strdup failures
204 (found by Coverity)
205 * src/racoon/admin.c: Do not use an unallocated pointer (Coverity)
206 * src/racoon/schedule.c: Check for NULL pointer
207 * src/racoon/{grabmyaddr.c|handler.c|isakmp.c|isakmp_cfg.c}
208 src/racoon/{isakmp_inf.c|isakmp_quick.c|nattraversal.c}: Check
209 that dupsaddr returns non NULL pointers (Coverity)
210 * src/racoon/isakmp_quick.c: Ignore multiple notifications in the
211 same message, and do not leak memory (Coverity)
212 * src/racoon/{isakmp_agg.c|isakmp_ident.c}: Fix memory leak in
213 GSSAPI code (Coverity)
214 * src/racoon/racoonctl.c: fix minor memory leak (Coverity)
215 * src/racoon/isakmp.c: fix memory leak (Coverity)
216 * src/racoon{isakmp.c|isakmp_inf.c}: fix phase 1 handler leak (Coverity)
218 2006-04-05 Emmanuel Dreyfus <manu@netbsd.org>
220 * src/racoon/isakmp_xauth.c: fix unitialized variable, found by
221 Coverity
222 * src/racoon/{isakmp_cfg.c|isakmp_xauth.h|isakmp_xauth.c}: Do not
223 use deleted phase 1 handler after errors, found by coverity
224 * src/racoon/main.c: tell which config file we use
225 * src/racoon/isakmp_cfg.c: Do not use deleted phase 1 handler, found
226 by Coverity
227 * src/racoon/{isakmp_agg.c|isakmp_ident.c}: Do not use deleted phase 1
228 handler, found by Coverity
229 * src/racoon/dnssec.c: do not return a free'ed certificate, found by
230 Coverity
231 * src/racoon/oakley.c: fix stale pointer alias, found by Coverity
232 * src/racoon/throttle.c: do not free current item while walking a
233 chained list, found by Coverity
234 * src/racoon/vmbuf.c: handle NULL argument for vdup, found by Coverity
236 2006-03-18 Emmanuel Dreyfus <manu@netbsd.org>
238 From John Nemeth <jnemeth@victoria.tc.ca> and a Coverity scan
239 * src/racoon/isakmp_xauth.c: fix memory leak
241 2006-02-25 Emmanuel Dreyfus <manu@netbsd.org>
243 From Thomas Klausner <wiz@NetBSD.org>
244 * src/racoon/{cfparse.y|handler.h}: typos
246 2006-02-23 Emmanuel Dreyfus <manu@netbsd.org>
248 * src/racoon/main.c: do not reset isakmp_cfg structure after
249 config reload.
251 2006-02-22 Yvan Vanhullebus <vanhu@netasq.com>
253 * src/racoon/vendorid.c: Fixed Vendor IDs order (well, should not
254 be really necessary) and DPD VId hash generation
256 2006-02-17 Yvan Vanhullebus <vanhu@netasq.com>
258 * src/racoon/{cfparse.y|sainfo.c}: Support for "semi anonymous"
259 sainfos.
260 * src/racoon/racoon.conf.5: updated sainfos syntax
261 * src/racoon/vendorid.[ch]: IPSec-Tools Vendor ID
263 2006-02-15 Yvan Vanhullebus <vanhu@netasq.com>
265 * src/racoon/{cfparse.y|cftoken.l}: Parse new generate_policy
266 levels
267 * src/racoon/remoteconf.h: defines for REQUIRE/UNIQUE/NONE
268 generate policy levels
269 * src/racoon/proposal.c: Sets optionnal reqid for generated
270 policies
271 * src/racoon/pfkey.c: sends UNIQUE policies to kernel if reqid
272 specified
273 * src/racoon/racoon.conf.5: updated generate_policy syntax
275 2006-02-02 Yvan Vanhullebus <vanhu@netasq.com>
277 * src/racoon/isakmp.c: Fixed zombie PH1 handler when isakmp_send()
278 fails in isakmp_ph1resend()
280 2006-01-17 Frederic Senault <fred@lacave.net>
282 * src/racoon/cfparse.y: Add the keyid [ (tag|file) ] semantics to the
283 peers_identifier keyword.
285 * src/racoon/{evt.h|isakmp.c|racoonctl.c}: Send a message to the
286 adminsock to allow for racoonctl to stop looping when the
287 vpn-connect command is used and there is no mode config exchange.
289 2006-01-08 Emmanuel Dreyfus <manu@netbsd.org>
291 * src/racoon/isakmp_cfg.c: make software behave as the documentation
292 advertise for INTERNAL_NETMASK4. Keep the old INTERNAL_MASK4 to
293 avoid breaking backward compatibility.
295 2005-12-19 Yvan Vanhullebus <vanhu@netasq.com>
297 * src/racoon/session.c: Fixed / cleaned up signal handling.
299 2005-12-13 Yvan Vanhullebus <vanhu@netasq.com>
301 * src/libipsec/samples/*: replaced "obey" mode by "strict" mode.
303 2005-12-07 Yvan Vanhullebus <vanhu@netasq.com>
305 * src/libipsec/pfkey_dump.c: fixed compilation when NAT_T
306 disabled (Fred has still some CVS problems).
307 * src/racoon/session.c: Calls isakmp_cfg_init() only if
308 ENABLE_HYBRID in reload_conf().
310 2005-12-04 Frederic Senault <fred@lacave.net>
312 * src/libipsec/{libpfkey.h|pfkey_dump.c}: add a sadump_withports
313 function to display SAD entries with their associated ports.
314 * src/setkey/{parse.y|setkey.c|setkey.8}: allow to use setkey -p flag
315 in conjunction with -D to show SADs with the port, allow both get and
316 delete commands to use bracketed ports if needed.
318 2005-11-26 Emmanuel Dreyfus <manu@netbsd.org>
320 * src/racoon/session.c: fix possible race conditions in signal handlers
321 * src/racoon/{isakmp_cfg.c|isakmp_cfg.h|main.c|session.c}: when
322 reloading configuration, do not new add mode_cfg config to the
323 existign one, overwrite it instead.
325 2005-11-25 Emmanuel Dreyfus <manu@netbsd.org>
327 From Thomas Klausner <wiz@netbsd.org>
328 * src/racoon/racoon.conf.5: Style changes
330 2005-11-21 Yvan Vanhullebus <vanhu@netasq.com>
332 * src/racoon/isakmp_[ident|agg].c: Check if natt is available when
333 receiving a NAT_D payload from initiator. It saves a crash,
334 reported by Dave Huang to NetBSD.
336 2005-11-20 Yvan Vanhullebus <vanhu@netasq.com>
338 * src/racoon/isakmp_agg.c: Check that we got some needed payloads
339 from peer (could cause a DoS). Crash reported by Adrian Portelli
340 using IKE test suite from
341 http://www.ee.oulu.fi/research/ouspg/protos/testing/c09/isakmp/
343 2005-11-10 Yvan Vanhullebus <vanhu@free.fr>
345 Patches from Francis Dupont
346 * src/libipsec/key_debug.c: SADB_X_EXT_PACKET support
347 * src/libipsec/{libpfkey.h|pfkey.c}: pfkey_send_migrate() function
348 * src/setkey/parse.y: IPPROTO_MH support
349 * src/racoon/pfkey.c: fixed some logs
350 * src/racoon/strnames.c: fixed a typo for SADB_X_PROMISC,
351 appropriate define for SADB_X_NAT_T_NEW_MAPPING, added
352 SADB_X_MIGRATE
354 2005-11-06 Aidas Kasparas <a.kasparas@gmc.lt>
356 * src/racoon/main.c, src/racoon/session.c: moved .pid file writing
357 just before main loop. Thanks Stephen Thorne
358 * src/racoon/localconf.h, src/racoon/cftoken.l: introduced
359 path pidfile directive
360 * src/racoon/racoon.conf.5: documented above
361 * configure.ac: OpenSSL 0.9.8 compilation fix. Thank Ganesan
362 Rajagopal
363 * configure.ac: added check for strlcat function
364 * src/racoon/misc.h: define strlcat function for systems without one
365 * src/racoon/remoteconf.c: strncat -> strlcat
367 2005-11-01 Aidas Kasparas <a.kasparas@gmc.lt>
369 * src/racoon/isakmp_inf.c: repeated gcc-4.0 build fix. Thanks
370 Andreas Tobler
372 2005-10-30 Yvan Vanhullebus <vanhu@netasq.com>
374 Patches from Christoph Nadig for compilation on MacOS X
375 * configure.ac: no lcrypt for darwin
376 * src/libipsec/key_debug.c: include stdint.h if HAVE_STDINT_H
377 * src/racoon/isakmp_cfg.c: some includes and some %zu
378 * src/racoon/isakmp_unity.c: fixed a %zu
379 * src/racoon/vmbuf.h: vfree already defined for Apple
381 2005-10-17 Aidas Kasparas <a.kasparas@gmc.lt>
383 Introduced subnet sainfo type.
384 * src/racoon/cftoken.l: new token "subnet"
385 * src/racoon/cfparse.y: added address/subnet diferentiation logic
386 * src/racoon/ipsec-doi.h: new constant
387 * src/racoon/ipsec-doi.c: adopted to above
388 * src/racoon/racoon.conf.5: documented above
390 2005-09-14 Emmanuel Dreyfus <manu@netbsd.org>
392 * src/libipsec/pfkey.c: One forgotten cast caddr_t -> void *
394 2005-10-14 Yvan Vanhullebus <vanhu@netasq.com>
396 * src/racoon/ipsec_doi.c: don't allow NULL or empty FQDNs or
397 USER_FQDNs (problem reported by Bernhard Suttner).
399 2005-09-10 Emmanuel Dreyfus <manu@netbsd.org>
401 * src/racoon[isakmp.c|isakmp_cfg.c|isakmp_inf.c}
402 src/racoon/doc/FAQ configure.ac: Add --enable-broken-natt for
403 kernel implementing NAT-T but unable to cope with IKE ports in
404 SAD and SPD.
406 2005-09-05 Emmanuel Dreyfus <manu@netbsd.org>
408 From Wilfried Weissmann:
409 * src/libipsec/policy_parse.y src/racoon/oakley.c
410 src/racoon/{sockmisc.c|sockmisc.h}: build fixes
413 2005-09-03 Emmanuel Dreyfus <manu@netbsd.org>
415 From Francis Dupont <Francis.Dupont@enst-bretagne.fr>
416 * src/libipsec/pfkey.c src/racoon/pfkey.c: Cope with extensions
418 2005-08-26 Emmanuel Dreyfus <manu@netbsd.org>
420 * src/racoon/evt.c: Fix memory leak when event queue overflows
422 2005-08-23 Emmanuel Dreyfus <manu@netbsd.org>
424 * src/racoon/{isakmp_agg.c|isakmp_ident.c|isakmp_base.c}: Correctly
425 initialize NAT-T VID to avoid freeing unallocated stuff.
427 2005-08-21 Emmanuel Dreyfus <manu@netbsd.org>
429 From Matthias Scheler <matthias.scheler@tadpole.com>
430 * src/racoon/{isakmp_cfg.c|racoon.conf.5}: enable the use of
431 ISAKMP mode config without Xauth.
433 2005-08-16 Emmanuel Dreyfus <manu@netbsd.org>
435 From Thomas Klausner <wiz@netbsd.org>
436 * src/setkey/setkey.8: remove trailing whitespaces
438 2005-09-09 Yvan Vanhullebus <vanhu@free.fr>
440 * src/racoon/policy.c: Do not parse all sptree in inssp() if we
441 don't use Policies priority.
443 2005-08-20 Yvan Vanhullebus <vanhu@free.fr>
445 * src/racoon/handler.c: Fixed a possible crash in
446 remove_ph2(). Reported by Dietmar Eggemann.
448 2005-08-14 Emmanuel Dreyfus <manu@netbsd.org>
450 From Francis Dupont <Francis.Dupont@enst-bretagne.fr>
451 * src/racoon/dnssec.c: fix bogus test on function result
453 2005-08-11 Yvan Vanhullebus <vanhu@free.fr>
455 * src/racoon/isakmp.c: Improved in/out SA addresses check in
456 purge_remote(). Reported by Patrick Ma.
458 2005-08-08 Emmanuel Dreyfus <manu@netbsd.org>
460 * src/libipsec/{key_debug.c|pfkey.c|pfkey_dump.c}: de-lint, warnings
462 2005-08-08 Yvan Vanhullebus <vanhu@free.fr>
464 * src/racoon/privsep.c: Fixed a %d -> %zu in
465 port_check() (reported by Matthias Scheler).
467 2005-08-04 Emmanuel Dreyfus <manu@netbsd.org>
469 * configure.ac: correctly quote RACOON_PATH_LIBS arguments
471 2005-08-02 Yvan Vanhullebus <vanhu@free.fr>
473 * src/racoon/isakmp_inf.c: First fix to
474 info_recv_initialcontact(): do a basic IP check when no NAT-T.
476 2005-07-26 Yvan Vanhullebus <vanhu@free.fr>
478 * src/racoon/isakmp.c: Fixed purge_remote()
480 2005-07-25 Yvan Vanhullebus <vanhu@free.fr>
482 * src/racoon/isakmp.c: Do not purge IPSec SAs in purge_remote() if
483 a new ph1handle exists (patch by Krzysztof Oledzki)
485 2005-07-20 Aidas Kasparas <a.kasparas@gmc.lt>
487 * configure.ac: disabled --enable-samode-unspec under linux
489 2005-07-20 Yvan Vanhullebus <vanhu@free.fr>
491 * src/racoon/isakmp_quick.c: Ignore NATOA payloads in
492 quick_r1recv() as it is done in quick_i2recv().
493 * configure.ac: new --enable-fastquit option
494 * src/racoon/session.c: new code optional code when flushing SAs,
495 which is faster and should have no deadlocks. configure
496 --enable-fastquit option to enable it.
498 2005-07-19 Yvan Vanhullebus <vanhu@free.fr>
500 * src/racoon/isakmp.c: Checks in isakmp_ph1begin_r() if we got the
501 packet from NAT-T port, and set up the NAT_PORTS_CHANGED in that
502 case (RFC 3947, sect 4, we MUST allow new phase1 negociations on
503 NAT-T floated port), to correctly generate the reply.
505 2005-07-16 Aidas Kasparas <a.kasparas@gmc.lt>
507 * src/racoon/grabmyaddr.c: fixed file descriptor leak. Thanks to
508 Patrice Fournier
509 * src/racoon/setkey.c: disabled readline's filename completion
510 (bug 1179281 fix)
511 * src/racoon/proposal.c: fixed mode selection for SAs with
512 complex_bundle on behind NAT
514 2005-07-14 Yvan Vanhullebus <vanhu@free.fr>
516 * src/racoon/handler.c: - Clears the DPD schedule in delph1()
517 - Cleared up sanity checks in delph1()
518 - Sets p->rmconf to NULL if no new
519 remoteconf in revalidate_ph1tree_rmconf()
520 * src/racoon/isakmp.c: Added sanity checks in script_hook()
521 * src/racoon/oakley.c: Sanity check in save_certbuf()
524 2005-07-13 Emmanuel Dreyfus <manu@netbsd.org>
526 * src/setkey/Makefile.am: missing file in distribution
528 2005-07-12 Yvan Vanhullebus <vanhu@free.fr>
530 * src/racoon/isakmp.c: Fixed a mem leak in isakmp_send().
532 2005-07-12 Emmanuel Dreyfus <manu@netbsd.org>
534 * src/racoon/pfkey.c: Set IKE ports to 0 in the SA when NAT-T is not
535 used.
536 * src/racoon/{crypto_openssl.c|ipsec_doi.c|oakley.c} configure.ac
537 src/racoon/missing/crypto/sha2/sha2.h: Support OpenSSL-0.9.8
538 * src/racoon/{admin.c|session.c}: Don't use the adminport if it is
539 disabled
540 * src/racoon/samples/roadwarrior/client/{pahse1-up.sh|phase1-down.sh}:
541 Add comments for using the scripts without NAT-T
543 2005-07-11 Emmanuel Dreyfus <manu@netbsd.org>
545 * src/racoon/ipsec_doi.c configure.ac: More build fixes on Linux.
546 Accomodate various libiconv versions
548 2005-07-10 Emmanuel Dreyfus <manu@netbsd.org>
550 * src/racoon/ipsec_doi.c configure.ac: build fixes on Linux.
551 Accomodate various libiconv versions
553 2005-07-09 Yvan Vanhullebus <vanhu@free.fr>
555 * src/racoon/crypto_openssl.c: Fixed evp_crypt when using crypto
556 algorithms with variable key size but not OpenSSL default key
557 size.
559 2005-07-07 Emmanuel Dreyfus <manu@netbsd.org>
561 From Mathias Scheler <tron@netbsd.org>
562 * src/racoon/raccon.conf.5: Document that aes can be used in
563 racoon.conf
565 2005-07-06 Frederic Senault <fred@lacave.net>
567 * src/setkey/setkey.c: fix compilation with readline.
568 * src/racoon/oakley.c: move declarations to fix compilation issues
569 with gcc 2.95.4/FreeBSD4, re-indentation and style cleanup of the
570 pkcs7 patch.
572 2005-07-04 Emmanuel Dreyfus <manu@netbsd.org>
574 * src/racoon/isakmp_inf.c: safety checks on informational messages
575 * src/racoon/{pfkey.c|proposal.c}: IPcomp fixes
577 2005-07-01 Emmanuel Dreyfus <manu@netbsd.org>
579 From Uri Blumenthal <urimobile@optonline.net>:
580 * src/racoon/{ipsec_doi.c|Makefile.am}: Linux build fixes
581 * src/racoon/oakley.c: pkcs7 support
583 2005-06-29 Emmanuel Dreyfus <manu@netbsd.org>
585 From Christos Zoulas <christos@zoulas.com>
586 * configure.ac src/setkey/{parse.y|setkey.c|token.l}
587 src/libipsec/{ipsec_dump_policy.c|ipsec_get_policylen.c|key_debug.c}
588 src/libipsec/{libpfkey.h|pfkey_dump.c|policy_parse.y}: de-lint,
589 using void * instead of caddr_t and adding const where appropriate.
590 * src/setkey/extern.h: new file
591 * src/libipsec/{pfkey.c|pfkey_dump.c|policy_parse.y}
592 src/racoon/{sockmisc.c|sockmisc.h}: de-lint signed/unsigned,
593 size_t/int and lint constants
595 2005-06-24 Yvan Vanhullebus <vanhu@free.fr>
597 * src/racoon/handler.c: Fixed phase2 enc algo check when reloading
598 conf (could flush a phase2 handler when not needed).
600 2005-06-19 Emmanuel Dreyfus <manu@netbsd.org>
602 * src/racoon/{admin.c|handler.c|handler.h|racoonctl.c|racoonctl.h}
603 src/racoon/racoonctl.8:
604 Add a logout-user command to racoonctl to kick out all SA for a
605 given Xauth user
607 From Ludo Stellingwerff <ludo@protactive.nl>:
608 * src/racoon/isakmp.c: NAT-T fix: We treat null ports in SPD as
609 wildcard so that IKE ports are used instead. This was done on
610 phase 2 initiation from the kernel (acquire message), but not
611 on phase 2 initiation retries when the phase 2 had been queued
612 for a phase 1.
614 From Uri Blumenthal <urimobile@optonline.net>
615 and Larry Baird <lab@gta.com>:
616 * src/libipsec/pfkey_dump.c src/setkey/test-pfkey.c
617 src/racoon/{algorithm.c|cftoken.l|eaytest.c|ipsec_doi.c}
618 src/racoon/{ipsec_doi.h|pfkey.c|strnames.c}: Add SHA2 support
619 * src/setkey/setkey.8 src/racoon/racoon.conf.5: update doc for SHA2
620 * src/setkey/token.l: Add aliases shaxxx for sha2_xxx
622 2005-06-07 Emmanuel Dreyfus <manu@netbsd.org>
624 From Larry Baird <lab@gta.com>
625 * src/racoon/isakmp.c: consume NAT keepalive data already seen
626 with MSG_PEEK
628 2005-06-07 Frederic Senault <fred@lacave.net>
630 * configure.ac src/racoon/{cfparse.y|isakmp_cfg.h|isakmp_cfg.c}
631 src/racoon/{handler.c|privsep.c|privsep.h|racoon.conf.5}: Add
632 support for system accounting into the utmp files, with the
633 "accounting system" directive.
635 * src/privsep.c: Bug fixes in the xauth password handling code.
637 2005-06-06 Emmanuel Dreyfus <manu@netbsd.org>
639 * src/racoon/isakmp_quick.c: endianness bug fix
641 2005-06-05 Emmanuel Dreyfus <manu@netbsd.org>
643 From Thomas Klausner <wiz@netbsd.org>
644 * src/setkey/setkey.8 src/racoon/racoon.conf.5: remove trailing
645 spaces, grammar fix
647 2005-05-31 Aidas Kasparas <a.kasparas@gmc.lt>
649 * src/racoon/ipsec_doi.c: Inserted missing 0th element of
650 rm_idtype2doi array. Bug #1199700 fix.
652 2005-05-30 Frederic Senault <fred@lacave.net>
654 * src/racoon/oakley.h: Fix a typo in the RMAUTHMETHOD macro
655 definition.
657 * src/racoon/isakmp_cfg.c: Fix the switch so that the phase1 script
658 is executed at the end of the mode cfg exchange ; add a debug
659 message at the script startup.
661 2005-05-23 Emmanuel Dreyfus <manu@netbsd.org>
663 * src/racoon/admin.c: build fix
665 2005-05-20 Emmanuel Dreyfus <manu@netbsd.org>
667 From Mike Robinson <sundialservices@users.sourceforge.net>
668 * src/racoon/isakmp_xauth.c: really delete phase 1 on Xauth failure
670 * src/libipsec/pfkey.c src/racoon/ipsec_doi.c: Fix NAT-T + IPcomp
672 From hgates <hgates.lists@gmail.com>
673 * src/racoon/proposal.c: fix SPI size test for IPcomp
675 From Larry Baird <lab@gta.com>
676 * src/racoon/{handler.c|ipsec_doi.c}: When altering lifetime,
677 duplicate the proposal instead of modifying the configured one.
679 2005-05-19 Frederic Senault <fred@lacave.net>
681 * configure.ac src/racoon/plog.c: Fix the logging functions to work
682 around the lack of support of printf %zu in FreeBSD 4 (at least).
684 * src/racoon/{isakmp.c|pfkey.c}: Put sockets in non-blocking mode to
685 fix a hangup with FreeBSD 4.
687 * src/racoon/{isakmp_inf.c|isakmp_unity.h|strnames.c}: Recognize a
688 unity-specific heartbeat message.
689 * src/racoon/isakmp_inf.c: Reorganize switch statement in
690 isakmp_check_notify.
692 2005-05-17 Yvan Vanhullebus <vanhu@free.fr>
694 * src/racoon/handler.c: Fixed exchange type check in
695 revalidate_ph1().
696 * src/racoon/pfkey.c: changed includes order to fix compilation.
698 2005-05-14 Emmanuel Dreyfus <manu@netbsd.org>
700 * src/libipsec/policy_parse.y: Fix parse problem
702 2005-05-14 Aidas Kasparas <a.kasparas@gmc.lt>
704 * src/racoon/sockmisc.c: Debug message said it will send to
705 source address insted of destination.
707 2005-05-13 Emmanuel Dreyfus <manu@netbsd.org>
709 * src/racoon/isakmp_inf.c: fix build problem
711 2005-05-13 Yvan Vanhullebus <vanhu@free.fr>
713 * src/racoon/isakmp.c: Fixed a double ph2handler free in
714 isakmp_ph2begin_i().
716 2005-05-12 Emmanuel Dreyfus <manu@netbsd.org>
718 * src/racoon/isakmp_quick.c: fix build problem on some platforms
720 * src/racoon/isakmp.c: For acquire messages, when NAT-T is in use,
721 consider null port as a wildcard and use IKE ports.
723 2005-05-10 Emmanuel Dreyfus <manu@netbsd.org>
725 * src/racoon/samples/roadwarrior/server/{racoon.conf|racoon.conf-radius}
726 src/racoon/samples/roadwarrior/server/phase1-down.sh: removed file
727 src/racoon/samples/roadwarrior/client/racoon.conf: update config
728 files to higher security settings. Remove now useless phase 1 down
729 script on server side.
730 * Update README to reflect server/phase1-down.sh removal
732 2005-05-09 Emmanuel Dreyfus <manu@netbsd.org>
734 * src/racoon/{cftoken.l|cfparse.y|isakmp_cfg.c|isakmp_cfg.h}
735 src/racoon/{isakmp_unity.c|racoon.conf.5}: Add PFS group and
736 save password extensions from Cisco in ISAKMP mode config.
738 2005-05-08 Emmanuel Dreyfus <manu@netbsd.org>
740 * src/racoon/{handler.c|ipsec_doi.c|proposal.c}: check for lifebyte
741 in proposals
742 * src/racoon/ipsec_doi.c: fix a bug in proposal_check claim for phase 1
743 * src/racoon/handler.c: style
745 * src/racoon/isakmp_xauth.c: fix build with shadow passwords
747 2005-05-07 Emmanuel Dreyfus <manu@netbsd.org>
749 * configure.ac src/racoon/isakmp_xauth.c: support shadow passwords
750 * src/racoon/{isakmp_inf.c|isakmp_inf.h}: missing prototype
751 * src/racoon/{handler.h|isakmp_inf.c|isakmp_quick.c|isakmp_var.h}
752 src/racoon/pfkey.c: Move purge_remote() and delete_spd() prototypes
753 to the right header file
755 2005-05-06 Emmanuel Dreyfus <manu@netbsd.org>
757 * src/racoon/{admin.c|isakmp.c|isakmp_inf.c}: factor various
758 ISAKMP SA termination (for DPD timeouts and delete message) to
759 use purge_remote() so that SA and generated SPD get correctly flushed
760 * src/racoon/{handler.c|handler.h}: Introduce getph1byaddrwop() and
761 getph2bysaddr()
762 * src/racoon/{isakmp.c|isakmp_var.h|isakmp_inf.c|isakmp_inf.h}: make
763 purge_remote(), setcopeid() and delete_spd() public
764 * src/racoon/isakmp_quick.c: remove duplicated setscopeid()
765 * src/racoon/{sockmisc.c|sockmisc.h} introduce a CMPSADDR() macro
766 to compare with ports when ENABLE_NATT and without otherwise
768 2005-05-06 Frederic Senault <fred@lacave.net>
770 * src/racoon/isakmp_inf.c: Only print the contents of an informative
771 message if the payload indicates an error ; transmit the return
772 values from the DPD functions.
774 2005-05-06 Emmanuel Dreyfus <manu@netbsd.org>
776 * src/racoon/isakmp_inf.c: Fix a bug causing informational message
777 payloads to be ignored
779 2005-05-05 Yvan Vanhullebus <vanhu@free.fr>
781 * src/racoon/isakmp_inf.c: Fixed some potential crashes in
782 purge_remote() and purge_ipsec_spi().
784 2005-05-05 Emmanuel Dreyfus <manu@netbsd.org>
786 * src/libipsec/{policy_parse.y|policy_token.l}
787 src/setkey/{setkey.8|token.l}: Allow ports to be supplied in SP
788 endpoints, for accurate ESP over UDP matching
789 * src/racoon/{isakmp.c|racoon.conf.5}: Send IKE local and remote
790 ports to the hook scripts
791 * src/racoon/remoteconf.c: do not honour ports when looking up
792 a remote config, as our remote config have no port information
793 * src/racoon/samples/roadwarrior/client/{phase1-up.sh|phase1-down.sh}:
794 use the IKE ports supplied by racoon to set up acurate endpoints
795 ports in SP endpoints
797 2005-05-04 Yvan Vanhullebus <vanhu@free.fr>
799 * src/racoon/isakmp_inf.c: code cleanup for SPD remove, generated
800 policies are now also removed when DPD purge.
802 2005-05-04 Emmanuel Dreyfus <manu@netbsd.org>
804 From Manisha Malla <mmanisha@novell.com>
805 * src/racoon/isakmp_cfg.c: fix unsigned int checked for being negative
807 From Ludo Stellingwerff <ludo@protactive.nl>
808 * src/setkey/{parse.y|token.l}: build on system that do not have
809 TCP-MD5 support
811 2005-05-04 Michal Ludvig <michal@logix.cz>
813 * configure.ac: Revert GLIBC_BUGS change from 2005-04-15
815 2005-05-03 Frederic Senault <fred@lacave.net>
817 * src/racoon/{cfparse.y|cftoken.l|isakmp_inf.c|racoon.conf.5}
818 src/racoon/{remoteconf.c|remoteconf.h}: Add a weak_phase1_check
819 option to enable the handling of unencrypted delete payloads.
821 * src/racoon/plog.c: Use of isgraph in binsanitize.
823 * src/racoon/rfc/rfc3706.txt: new file: Dead Peer Detection RFC.
825 * src/racoon/isakmp_inf.c: Unused code cleanup.
827 2005-04-26 Emmanuel Dreyfus <manu@netbsd.org>
829 * bootstrap: Darwin support
831 From Larry Baird <lab@gta.com>
832 * src/racoon/nattraversal.c: Fix NAT-T for initiator
834 From Andreas Tobler <toa@pop.agri.ch>:
835 * src/racoon/{misc.h|throttle.c|remoteconf.c|sockmisc.c|privsep.c}
836 src/racoon/{pfkey.c|isakmp.c|grabmyaddr.c|getcertsbyname.c}
837 src/racoon/configure.ac src/libipsec/policy_token.l
838 src/setkey/token.l: Build on Darwin
840 2005-04-25 Emmanuel Dreyfus <manu@netbsd.org>
842 * src/racoon/handler.h: ifdef DPD and NAT-T data in data structures
844 * src/libipsec/{ipsec_dump_policy.c|pfkey_dump.c|libpfkey.h}
845 src/setkey/{setkey.8|setkey.c}: add a -p option to setkey to
846 enable the display of ESP over UDP ports in policies.
848 * src/racoon/ipsec_doi.c: fix LP64 bug
850 From Ludo Stellingwerff <ludo@protactive.nl>:
851 * src/racoon/isakmp.c: build without NAT-T
853 From F. Senault <fred.letter@lacave.net>
854 * src/racoon/{evt.h|isakmp.h|isakmp_inf.c|plog.c|plog.h|racoonctl.c}
855 src/racoon/isakmp_xauth.c: Take into account payloads bundled after
856 an ISAKMP informationnal message.
858 From Patrick McHardy <kaber@trash.net>
859 * src/racoon/{handler.c|handler.h|pfkey.c}: When handling acquire
860 message, lookup phase 2 by (src, dst, id) instead of only id.
862 2005-04-23 Emmanuel Dreyfus <manu@netbsd.org>
864 * src/libipsec/ipsec_dump_policy.c: display port numbers in policies
865 * src/racoon/{isakmp.c|isakmp_cfg.c|isakmp_inf.c|pfkey.c}: don't
866 forget port numbers so that mutiple clients behind the same NAT
867 can work.
869 From Larry Baird <lab@gta.com>
870 * src/racoon/{isakmp.c|nattraversal.c|isakmp_quick.c|nattraversal.h}:
871 NAT-T fixes for interoperability with greenbow VPN client.
873 2005-04-21 Aidas Kasparas <a.kasparas@gmc.lt>
875 * src/libipsec/policy.parse.y, src/racoon/cfparse.y,
876 src/libipsec/policy_parse.y, src/racoon/cfparse.y,
877 src/racoon/cftoken.l, src/racoon/crypto_openssl.c,
878 src/racoon/getcertsbyname.c, src/racoon/grabmyaddr.c,
879 src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
880 src/racoon/isakmp_inf.c, src/racoon/pfkey.c,
881 src/racoon/plainrsa-gen.c, src/racoon/sockmisc.c,
882 src/racoon/sockmisc.h, src/racoon/racoonctl.c: made compile
883 with gcc-4.0 (20050410 prerelease)
885 2005-04-20 Aidas Kasparas <a.kasparas@gmc.lt>
887 From: Ganesan Rajagopal <rganesan@users.sourceforge.net>
888 * configure.ac: fix --enable-ipv6 logic
890 2005-04-19 Yvan Vanhullebus <vanhu@free.fr>
892 * src/racoon/remoteconf.c: fixed dupisakmpsa() and dhgroup.
894 2005-04-18 Aidas Kasparas <a.kasparas@gmc.lt>
896 * src/racoon/crypto_openssl.c: fixed single DES support;
897 * NEWS: noted fix
899 2005-04-18 Emmanuel Dreyfus <manu@netbsd.org>
901 * src/racoon/isakmp_base.c: DPD support, fix memory leak
903 From Thomas Klausner <wiz@NetBSD.org>
904 * src/libipsec/{ipsec_set_policy.3|ipsec_strerror.3}
905 src/racoon/{admin.c|plainrsa-gen.8|racoon.8|racoon.conf.5|racoonctl.8}
906 src/racoon/samples/{racoon.conf.in|racoon.conf.sample}
907 src/racoon/samples/racoon.conf.sample-gssapi
908 src/racoon/samples/racoon.conf.sample-inherit
909 src/racoon/samples/racoon.conf.sample-natt
910 src/racoon/samples/racoon.conf.sample-plainrsa
911 src/racoon/samples/roadwarrior/README
912 src/racoon/samples/roadwarrior/server/phase1-down.sh
913 src/setkey/setkey.8: docmumentation fixes
915 From KAME
916 * src/racoon/ipsec_doi.c: wrong check on SA lifebyte
918 From Fred Senault <fred.letter@lacave.net>
919 * src/racoon/{cfparse.y|cftoken.l} drop split_net_type directive,
920 which is now incoprated into split_net_tunnels
921 * src/raccon/{isakmp.c|isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c}
922 src/racoon/isakmp_xauth.h: support login and password sent
923 in different packets during the Xauth exchange. This makes racoon
924 interoperable with SecureComputing's sidewinder
925 * src/racoon/{strnames.c|strnames.h}: more debug strings for Xauth
927 2005-04-17 Yvan Vanhullebus <vanhu@free.fr>
929 * src/racoon/handler.c: Configuration reload validation code
930 * src/racoon/handler.h:revalidate_ph12() function
931 * src/racoon/ipsec_doi.c: duplicates iph1->approval in
932 get_ph1approval(), some fields sets to NULL when needed
933 * src/racoon/isakmp_inf.[ch]: purge_ipsec_spi() is now public
934 * src/racoon/localconf.[ch]: save/restore_params() functions
935 * src/racoon/main.c: moved restore_params functions to localconf
936 * src/racoon/remoteconf.c: save_rmconf() functions, dupisakmpsa()
937 function, some values set to NULL when needed
938 * src/racoon/remoteconf.h: save_rmconf() functions, dupisakmpsa()
939 function
940 * src/racoon/sainfo.[ch]: save_sainfotree() functions
941 * src/racoon/session.c: Reloads conf on a SIGHUP without loosing
942 existing tunnels
944 2005-04-15 Aidas Kasparas <a.kasparas@gmc.lt>
946 From Zilvinas Valinskas <zilvinas@gemtek.lt>:
947 * configure.ac:
948 - cross-compile type fix (patch 1);
949 - --enable-{frag|hybrid}=no fixes (patches 6,7);
950 - support for --with-flex, --with-flexlib (patch 11);
951 - GLIBC_BUGS assignment correction (patch 14 with mods).
952 * src/racoon/isakmp.c: fix compilation when hybrid disabled.
954 2005-04-11 Emmanuel Dreyfus <manu@netbsd.org>
956 * src/racoon/rfc/{rfc2407.txt|rfc2408.txt: new files
957 RFC for IPsec DOI and ISAKMP
959 2005-04-10 Emmanuel Dreyfus <manu@netbsd.org>
961 * src/racoon/isakmp_base.c: resurect RSASIG support
962 * src/racoon/isakmp_ident.c: missing support for hybrid auth
963 * src/racoon/{isakmp_base.c|oakley.c}: missing bits for hybrid/base mode
965 2005-04-09 Emmanuel Dreyfus <manu@netbsd.org>
967 * src/racoon/{algorithm.c|algorithm.h|cftoken.l|ipsec_doi.c}
968 src/racoon/{isakmp.c|isakmp_agg.c|isakmp_ident.c|isakmp_base.c}
969 src/racoon/{isakmp_frag.h|isakmp_xauth.c|oakley.c|racoon.conf.5}:
970 Add Xauth + RSASIG, for client and server. Add all Xauth and
971 IKE fragmentation logic to base and ident mode.
972 * src/libipsec/{pfkey.c|pfkey_dump.c}
973 src/setkey/parse.y: more missing TCP_MD5 bits from KAME
975 2005-04-08 Emmanuel Dreyfus <manu@netbsd.org>
977 * src/racoon/cfparse.y: a list of network can be specified for split
978 tunnelling
979 * src/racoon/{isakmp_cfg.c|racoon.conf.5}: add INTERNAL_CIDR4, the
980 netmask in CIDR notation, to the hook script environement.
981 * src/setkey/{token.l|parse.y|setkey.8}: KAME backport of missing
982 bits for TCP_MD5 support.
984 From Fred Senault <fred.letter@lacave.net>
985 * src/racoon/{cfparse.y|cftoken.l|ipsec_doi.c|ipsec_doi.h}
986 src/racoon/racoon.conf.5: KEYID identifier can be taken from
987 a file or from a quoted string
989 2005-04-05 Emmanuel Dreyfus <manu@netbsd.org>
991 From Fred Senault <fred.letter@lacave.net>
992 * src/racoon/admin.c: fix the admin interface that was left behind
993 after recent Xauth changes
994 * src/racoon/{cfparse.y|isakmp_xauth.c|isakmp_xauth.h|oakley.c}
995 src/racoon/{remoteconf.c|remoteconf.h}: factor Xauth info in
996 remote conf within a single structure.
997 * src/racoon/{isakmp.c|isakmp_cfg.c}: on client side, do not run
998 phase1-up script before ISAKMP mode config is done
999 * src/racoon/isakmp_inf.c: log a buggy condition
1000 * src/racoon/{isakmp.c|isakmp_agg.c|isakmp_base.c|isakmp_ident.c}
1001 src/racoon/{oakley.c|oakley.h}: Use the AUTHMETHOD macro to
1002 distinguish between XAUTH PSK and Kerberos authentications
1003 * src/racoon/{oakley.c|remoteconf.c}: set a default for certificate
1004 requests
1005 * src/racoon/isakmp_xauth.c: Fix serious security bug introduced
1006 on 2005-03-09: Xauth validation was required for phase 2 on the
1007 client (thus blocking phase 2), but not on the server (thus
1008 making it open regardless of Xauth exchange).
1009 * src/racoon/vendorid.c: dump unknown VIDs
1012 2005-04-06 Yvan Vanhullebus <vanhu@free.fr>
1014 * src/racoon/crypto_openssl.c: Disable OpenSSL padding in
1015 evp_crypt(), because it may cause some interoperability problems.
1016 Solution reported by Ganesan Rajagopal.
1018 2005-04-05 Emmanuel Dreyfus <manu@netbsd.org>
1020 * src/racoon/main.c: build with hybrid but without libradius
1022 2005-04-05 Yvan Vanhullebus <vanhu@free.fr>
1024 * src/racoon/handler.h: added a flag to identify generated policies
1025 * src/racoon/isakmp.c: changed logging in isakmp_ph1expire()
1026 * src/racoon/isakmp_inf.c: use iph2->generated_spidx to check if
1027 policy have been generated in purge_remote_spi()
1028 * src/racoon/isakmp_quick.c: sets iph2->generated_spidx for
1029 generated policies
1030 * src/racoon/pfkey.c: reactivated the unbindph12() in pk_recvupdate()
1032 2005-04-04 Emmanuel Dreyfus <manu@netbsd.org>
1034 * src/racoon/isakmp_cfg.c: fix a buffer overrun in mode config SET
1036 2005-03-30 Michal Ludvig <michal@logix.cz>
1038 * configure.ac: Don't compile with NAT-T by default (according to
1039 documentation, finally :-)
1041 2005-03-27 Michal Ludvig <michal@logix.cz>
1043 From Zilvinas Valinskas <zilvinas@gemtek.lt>:
1044 * configure.ac:
1045 - Use AC_CHECK_HEADER for kernel headers instead of AC_CHECK_FILE.
1046 - Fix OpenSSL check for cross-compilation.
1047 * acracoon.m4(RACOON_CHECK_VA_COPY): Allow cross-compilation.
1048 (RACOON_CHECK_BUGGY_GETADDRINFO): Ditto.
1050 2005-03-16 Emmanuel Dreyfus <manu@netbsd.org>
1052 * src/racoon/privsep.c: check for NULL path in unsafe_path()
1053 * src/racoon/privsep.c: missing space
1055 2005-03-15 Emmanuel Dreyfus <manu@netbsd.org>
1057 * src/racoon/{cfparse.y|cftoken.l|isakmp.c|isakmp_cfg.c|isakmp_cfg.h}
1058 src/racoon/{isakmp_var.h|isakmp_xauth.c|localconf.h|privsep.c}
1059 src/racoon/{privsep.h|racoon.conf.5|remoteconf.c|remoteconf.h}
1060 src/racoon/main.c: Remove most of config dependency from
1061 privilegied instance for upcoming config reload patch.
1062 * src/racoon/isakmp_cfg.h: fix the application version for Xauth
1063 * src/racoon/isakmp_cfg.c: only call cleanup_pam when PAM is used
1065 2005-03-14 Emmanuel Dreyfus <manu@netbsd.org>
1067 * configure.ac: handle correctly dynamic libradius
1068 * src/racoon/cfparse.y: correctly initialize address pool
1070 2005-03-13 Yvan Vanhullebus <vanhu@free.fr>
1072 * src/racoon/isakmp.c: Fixed a buffer underrun (CAN-2005-0398)
1074 2005-03-09 Emmanuel Dreyfus <manu@netbsd.org>
1076 From Fred Senault <fred.letter@lacave.net>
1077 * src/racoon/cfparse.y: endainness bugfix
1078 * src/racoon/isakmp_xauth.c: off by one bugs in strings
1079 * src/racoon/oakley.h: missing parenthesis causing bugs
1081 2005-03-09 Emmanuel Dreyfus <manu@netbsd.org>
1083 * src/racoon/isakmp_xauth.c: fix a crash when using RADIUS auth
1085 2005-03-07 Emmanuel Dreyfus <manu@netbsd.org>
1087 From Fred Senault <fred.letter@lacave.net>
1088 * src/racoon/{algorithm.c|algorithm.h|cfparse.y|cftoken.l}
1089 src/racoon/{handler.c|ipsec_doi.c|ipsec_doi.h|isakmp.c}
1090 src/racoon/{isakmp_agg.c|isakmp_base.c|isakmp_cfg.c|isakmp_cfg.h}
1091 src/racoon/{isakmp_ident.c|isakmp_inf.c|isakmp_quick.c}
1092 src/racoon/{isakmp_unity.c|isakmp_xauth.c|kmpstat.c|oakley.c}
1093 src/racoon/{oakley.h|plainrsa-gen.8|privsep.c|racoon.conf.5}
1094 src/racoon/{racoonctl.c|remoteconf.c|remoteconf.h|strnames.c}
1095 src/racoon/{strnames.h|throttle.c}: Support plain Xauth, split
1096 tunnelling, multiple DNS & WINS in ISAKMP mode config.
1098 2005-03-02 Yvan Vanhullebus <vanhu@free.fr>
1100 * src/racoon/isakmp_quick.c: tunnel_mode_prop() is now public
1101 * src/racoon/isakmp_inf.c: fixed compilation if HAVE_POLICY_FWD.
1103 2005-03-01 Yvan Vanhullebus <vanhu@free.fr>
1105 * src/racoon/oakley.c: fixed oakley_newiv2() when errors
1107 2005-02-24 Emmanuel Dreyfus <manu@netbsd.org>
1109 * src/racoon/privsep.c: safety check port numbers given by the
1110 unprivilegied instance.
1111 * src/racoon/racoonctl.8: display fixes in racoonctl(8)
1113 2005-02-23 Emmanuel Dreyfus <manu@netbsd.org>
1115 * configure.ac, src/racoon/{Makefile.am|crypto_openssl.c}: optionnal
1116 support for patented algorithms: IDEA and RC5.
1117 * src/racoon/{isakmp_xauth.c|main.c}: don't initialize RADIUS if it
1118 is not required in the configuration
1119 * src/racoon/isakmp.c: do not reject addresses for which kernel
1120 refused UDP encapsulation, they can still be used for non NAT-T
1121 traffic (eg: NAT-T enabled racoon on non NAT-T enabled kernel)
1122 * src/libipsec/libpfkey.h: prefer __inline to inline
1123 * src/racoon/{cfparse.y|cftoken.l|localconf.c|localconf.h|privsep.c}
1124 src/racoon/racoon.conf.5: Add chroot capability
1126 2005-02-18 Emmanuel Dreyfus <manu@netbsd.org>
1128 * src/racoon/{main.c|eaytest.c|plairsa-gen.c}
1129 src/setkey/setkey.c: don't use fuzzy paths for package_version.h
1131 2005-02-18 Michal Ludvig <michal@logix.cz>
1133 * configure.ac, rpm/suse/ipsec-tools.spec.in,
1134 rpm/suse/Makefile.am: Distribute .spec file with
1135 resolved version string.
1136 * src/racoon/Makefile.am: Allow parallel cluster build.
1138 2005-02-17 Emmanuel Dreyfus <manu@netbsd.org>
1140 From Fred Senault <fred.letter@lacave.net>
1141 * src/racoon/remoteconf.c: Fix a bug in script init
1143 2005-02-17 Yvan Vanhullebus <vanhu@free.fr>
1145 * src/racoon/ipsec_doi.c: Workaround for phase1 lifetime checks
1147 2005-02-16 Yvan Vanhullebus <vanhu@free.fr>
1149 * src/racoon/isakmp_inf.c: Purge generated SPDs when getting a
1150 related DELETE_SA
1151 * src/racoon/pfkey.c: do NOT unbindph12() when SA acquire
1153 2005-02-15 Michal Ludvig <michal@logix.cz>
1155 * configure.ac: Changed --enable-natt_NN to --enable-natt-versions=NN,NN
1157 ---------------------------------------------
1159 Branch for 0.6 created (ipsec-tools-0_6-branch)
1161 2005-02-11 Emmanuel Dreyfus <manu@netbsd.org>
1163 From Jason Thorpe <thorpej@netbsd.org>
1164 * src/raccon/samples/racoon.conf.sample-gssapi
1165 src/racoon/{cfparse.y|cftoken.l|gssapi.c|gssapi.h|ipsec_doi.c}
1166 src/racoon/{localconf.c|localconf.h|racoon.conf.5}
1167 configure.ac: Multiple GSSAPI fixes to get interoperability
1168 with Microsoft IKE.
1170 2005-02-09 Emmanuel Dreyfus <manu@netbsd.org>
1172 * src/racoon/{cfparse.y|isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c}
1173 src/racoon/{isakmp_xauth.h|main.c|privsep.c|privsep.h}
1174 src/racoon/racoon.conf.5: Make PAM work with privilege separation
1176 2005-02-07 Michal Ludvig <michal@logix.cz>
1178 From Krisztian Kovacs:
1179 * src/racoon/cfparse.y: Allocate correct space for "struct sockaddr".
1181 2005-01-30 Yvan Vanhullebus <vanhu@free.fr>
1183 * src/racoon/vmbuf.c: bugfix in vrealloc()
1184 * src/racoon/oakley.c: mem leak fix in INITDHVAL()
1185 * src/racoon/session.c: mem leak fix in check_flushsa()
1187 2005-01-29 Yvan Vanhullebus <vanhu@free.fr>
1189 * src/racoon/isakmp_{ident|agg}.c: NAT-T cleanup
1190 * src/racoon/pfkey.c: Uses NATT encaps_type in pk_sendupdate()
1191 * src/racoon/vendorid.[ch]: NAT-T cleanup, NATT_01 VID
1192 * src/racoon/nattraversal.[ch]: NATT cleanup, support for all
1193 drafts (disabled by default) / RFC.
1194 * src/racoon/isakmp.h: NATT cleanup for NATT RFC support
1195 * src/racoon/ipsec_doi.h: updated comments about NATT
1196 * configure.ac: enable-natt_XX options
1197 * src/racoon/isakmp.c: set UDP_ENCAPS_ESPINUDP_NON_IKE option when needed
1200 2005-01-29 Emmanuel Dreyfus <manu@netbsd.org>
1202 From Fred Senault <fred@lacave.net>
1203 * src/racoon/pfkey.c: Update SAD even if NAT-T is disabled, so that
1204 phase2 can start.
1206 2005-01-23 Emmanuel Dreyfus <manu@netbsd.org>
1208 * src/setkey/{sekkey.8|setkey.c|token.l|parse.y}: implement NetBSD's
1209 SADB_X_AALG_TCP_MD5. Resurrect setkey -h meaning on NetBSD.
1211 2005-01-22 Emmanuel Dreyfus <manu@netbsd.org>
1213 From Fred Senault <fred@lacave.net>
1214 * src/racoon/{cftoken.l|cfparse.y|raccon.conf.5}
1215 src/racoon/samples/roadwarrior/README: change "my_identifier login"
1216 into "xauth_login" in the config file so that we can introduce Xauth
1217 with a pre-shared key later.
1219 2005-01-21 Emmanuel Dreyfus <manu@netbsd.org>
1221 * src/racoon/samples/roadwarrior/client/{phase1-up.sh|phase1-down.sh}:
1222 workaround Linux problems. This needs a better fix.
1224 2005-01-18 Emmanuel Dreyfus <manu@netbsd.org>
1226 * src/racoon/privsep.c: build without ENABLE_HYBRID
1228 2005-01-14 Emmanuel Dreyfus <manu@netbsd.org>
1230 * src/raccon/rfc/{rfc3947.txt|rfc3948.txt}: new files (NAT-T)
1232 2005-01-13 Yvan Vanhullebus <vanhu@free.fr>
1234 * src/racoon/ipsec_doi.c: Uses proposal_check value to check phase
1235 1 lifetime.
1236 * src/racoon/racoon.conf.5: Updated racoon man page for phase 1
1237 lifetime check / proposal_check.
1239 2005-01-11 Emmanuel Dreyfus <manu@netbsd.org>
1241 * src/racoon/isakjmp_quick.c: endianness bugfix from KAME
1243 2005-01-07 Emmanuel Dreyfus <manu@netbsd.org>
1245 * src/racoon/{cfparse.y|cftoken.l|nattraversal.h|pfkey.c}
1246 src/racoon/{racoon.conf.5|remoteconf.c|remoteconf.h}
1247 src/libipsec/{libpfkey.h|pfkey.c}: ESP fragmentation size is
1248 now configurable (supported only on NetBSD so far).
1250 2005-01-05 Emmanuel Dreyfus <manu@netbsd.org>
1252 * src/racoon/privsep.c: Build again on Linux with privsep
1254 2005-01-03 Emmanuel Dreyfus <manu@netbsd.org>
1256 * src/racoon/{isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c|isakmp_xauth.h}
1257 src/racoon/{cfparse.y|cftoken.l|racoon.conf.5}
1258 src/racoon/doc/FAQ
1259 configure.ac: PAM support for authentication and accounting in
1260 hybrid auth
1262 2005-01-02 Emmanuel Dreyfus <manu@netbsd.org>
1264 * src/racoon/admin.c: never fork, it buys nothing an break on some
1265 operations
1267 2004-12-30 Emmanuel Dreyfus <manu@netbsd.org>
1269 * src/racoon/{Makefile.am|admin.h|cfparse.y|cftoken.l|isakmp.c}
1270 src/racoon/{isakmp_cfg.c|isakmp_cfg.h|isakmp_var.h| isakmp_xauth.c}
1271 src/racoon/{localconf.c|localconf.h|main.c|oakley.c|pfkey.c}
1272 src/racoon/{racoon.conf.5|remoteconf.c|remoteconf.h|session.c}
1273 src/racoon/{privsep.c|privsep.h}: new files
1274 Privilege separation
1276 * src/racoon/{Makefile.am|admin.h|admin_var.h|kmpstat.c}
1277 src/racoon/{racoonctl.c|racoonctl.h}: new files
1278 configure.ac: publically export the adminport interface so that
1279 external program can control racoon
1281 * src/racoon/{racoonctl.c|racoonctl.h|kmpstat.c}: Add interface
1282 versionning
1284 * src/racoon/admin.h: make sure no / will be missing in adminsock path
1286 ---------------------------------------------
1288 Branch for 0.5 created (ipsec-tools-0_5-branch)
1290 2004-12-23 Yvan Vanhullebus <vanhu@free.fr>
1292 * src/racoon/crypto_openssl.c: Indentation
1294 2004-12-28 Yvan Vanhullebus <vanhu@free.fr>
1296 * src/racoon/crypto_openssl.c: Fixed eay_get_x509subjectaltname()
1297 when getting an IP (Bug # 1092095)
1300 2004-12-26 Emmanuel Dreyfus <manu@netbsd.org>
1302 * src/racoon/session.c: remove outdated comment
1304 ---------------------------------------------
1306 0.5.beta2 released
1308 2004-12-21 Michal Ludvig <michal@logix.cz>
1310 * src/racoon/pfkey.c: Fix AES vs Rijndael defines.
1312 2004-12-20 Yvan Vanhullebus <vanhu@free.fr>
1314 * configure.ac, src/racoon/isakmp.c, src/racoon/pfkey.c:
1315 Some FreeBSD / NATT support.
1317 2004-12-17 Emmanuel Dreyfus <manu@netbsd.org>
1319 * src/racoon/isakmp.c: only IPv4 NAT-T is supported, so skip IPv6 here.
1320 * src/racoon/pfkey.c: Restore AES support on NetBSD.
1322 2004-12-17 Yvan Vanhullebus <vanhu@free.fr>
1324 * src/racoon/crypto_openssl.c: Uses sprintf() instead of
1325 asprintf() in eay_get_x509subjectaltname(), because of some
1326 compilation problems reported with asprintf() on some platforms.
1327 * src/racoon/oakley.c: just take the first cert in
1328 oakley_savecert() if cert ID check is disabled.
1330 2004-12-16 Emmanuel Dreyfus <manu@netbsd.org>
1332 * src/racoon/crypto_openssl.c: Build again on NetBSD
1333 * src/racoon/samples/roadwarrior/server/racoon
1334 src/racoon/samples/roadwarrior/server/racoon.conf-radius
1335 src/racoon/samples/roadwarrior/README: Use DPD in sample files.
1337 2004-12-16 Yvan Vanhullebus <vanhu@free.fr>
1339 * src/racoon/crypto_openssl.c: Fixed eay_get_x509subjectaltname()
1340 when SubjectAltName contains an IP. OpenSSL code from Ludovic
1341 Flament (ludovic.flament@free.fr).
1343 ---------------------------------------------
1345 0.5.beta1 released
1347 2004-12-13 Michal Ludvig <mludvig@suse.cz>
1349 From Ganesan R <rganesan@users.sourceforge.net>:
1350 * src/racoon/Makefile.am, src/setkey/Makefile.am: Fix compilation
1351 with shared libraries.
1353 2004-12-10 Yvan Vanhullebus <vanhu@free.fr>
1355 * src/racoon/oakley.c: takes the first certificate which matches
1356 the Identity, instead of just taking the first certificate.
1358 2004-12-07 Yvan Vanhullebus <vanhu@free.fr>
1360 * src/racoon/isakmp_inf.c: Set spi_size for R-U-THERE/R-U-THERE-ACK.
1362 2004-12-04 Aidas Kasparas <a.kasparas@gmc.lt>
1364 * src/libipsec/pfkey_dump.c: distinguish per-socket policies from
1365 general ones (Linux case);
1366 * src/racoon/pfkey.c: dito, do not negotiate policies if racoon
1367 do not listen on out tunnel's source address.
1369 2004-12-01 Yvan Vanhullebus <vanhu@free.fr>
1371 * src/racoon/isakmp_agg.c: code cleanup in NATT / DPD VIDs
1372 generation in r1send()
1374 2004-12-01 Yvan Vanhullebus <vanhu@free.fr>
1376 * src/racoon/remoteconf.{c|h}: DPD support option (enabled by default)
1377 * src/racoon/{cfparse.y|cftoken.l}: DPD token, yyerror if DPD
1378 parameters but compiled without ENABLE_DPD
1379 * src/racoon/isakmp_{agg|ident}.c: Send DPD VID only if DPD
1380 support activated in configuration
1382 2004-11-30 Emmanuel Dreyfus <manu@netbsd.org>
1384 * src/racoon{evt.c|evt.h|admin.c}: init event queue at compile time,
1385 to avoid garbage pointer if admin port is disabled.
1386 * src/racoon/{throttle.c|throttle.h}: new files
1387 src/racoon/{Makefile.am|isakmp_cfg.c|isakmp_xauth.c|racoon.conf.5}
1388 configure.ac: Add a per-host throttling count. When throttling,
1389 don't sleep, schedule the answer for later instead.
1390 * src/racoon/kmpstat.c: default with no hexdump of the packet
1391 * src/racoon/admin.c: don't remove admin socket after first request,
1392 on the other hand remove on startup stale sockets left by
1393 crashed racoon.
1394 * src/racoon/samples/roadwarrior/README
1395 src/racoon/kmpstat.c: fix option parsing problem on Linux
1397 2004-11-29 Yvan Vanhullebus <vanhu@free.fr>
1399 * src/racoon/session.c: Only listen on pfkey socket when received
1400 shutdown signal
1402 2004-11-28 Emmanuel Dreyfus <manu@netbsd.org>
1404 * src/racoon/{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h}
1405 src/racoon/{isakmp_xauth.c|racoon.conf.5}: Add a one second throttle
1406 on each Xauth authentication to avoid brute force attacks
1408 2004-11-24 Emmanuel Dreyfus <manu@netbsd.org>
1410 * src/racoon/samples/roadwarrior/README
1411 src/racoon/samples/roadwarrior/client{phase1-up.sh|phase1-down.sh}
1412 src/racoon/samples/roadwarrior/client/{racoon.conf|racoon.conf-radius}
1413 src/racoon/samples/roadwarrior/server/{racoon.conf|phase1-down.sh}:
1414 Fill Linux gaps for hybrid auth client, Replace public IP by
1415 private and example IP in the sample config files.
1417 2004-11-24 Emmanuel Dreyfus <manu@netbsd.org>
1419 DPD patch from Yvan Vanhullebus <vanhu@free.fr>
1420 * src/racoon/cfparse.y: missing bits for DPD support
1422 2004-11-23 Aidas Kasparas <a.kasparas@gmc.lt>
1424 * src/setkey/parse.y: generate require fwd policies for unique in
1425 policies.
1426 * src/setkey/setkey.c: made -r/-k options awailable only when
1427 system has FWD policies.
1428 * src/setkey/setkey.8: updated docs about change above.
1430 2004-11-22 Michal Ludvig <mludvig@suse.cz>
1432 * src/racoon/{admin.c,pfkey.c}: Wrap adminport-parts to
1433 #ifdef ENABLE_ADMINPORT/#endif.
1435 2004-11-22 Michal Ludvig <mludvig@suse.cz>
1437 Revert these changes (ludvigm, 2004-11-18):
1438 * src/racoon/Makefile.am: install sample racoon.conf and psk.txt.
1439 * src/setkey/Makefile.am: Install setkey.conf.
1441 2004-11-22 Emmanuel Dreyfus <manu@netbsd.org>
1443 * src/raccon/{isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c}: defer phase 1
1444 removal so that it's not used after been deleted.
1445 * src/racoon/{evt.h|isakmp.c|isakmp_agg.c|isakmp_base.c|session.c}
1446 src/racoon/{isakmp_ident.c|isakmp_inf.c|kmpstat.c}: report more
1447 errors to racoonctl
1449 2004-11-21 Emmanuel Dreyfus <manu@netbsd.org>
1451 * src/racoon/doc/FAQ: NAT-T kernel patch for NetBSD is now on
1452 the ipsec-tools web site
1453 * src/racoon/{kmpstat.c|racoonctl.8}: New racoonctl command to
1454 display all events reported by racoon: show-event
1455 * src/racoon/isakmp_cfg.c: don't send ISAKMP mode config message
1456 with immature or dying phase 1
1457 * src/racoon/kmpstat.c: racoonctl vd awaits phase 1 to get down
1459 2004-11-20 Emmanuel Dreyfus <manu@netbsd.org>
1461 * src/racoon/isakmp_agg.c: for hybrid auth client, advertise ourself
1462 as Unity compliant.
1463 * src/racoon/{evt.c|evt.h}: new files
1464 src/racoon/{Makefile.am|admin.c|admin.h|isakmp.c|isakmp_cfg.c}
1465 src/racoon/{isakmp_xauth.c|kmpstat.c|pfkey.c}: framework for
1466 event reporting from racoon to racoonctl
1468 2004-11-20 Aidas Kasparas <a.kasparas@gmc.lt>
1470 * src/racoon/grabmyaddr.c: Prevent doubling addresses and error messages
1471 when racoon is compiled with INET6 support and kernel is not.
1472 Fixed with help of Zilvinas Valinskas.
1473 * src/racoon/{var.h|sockmisc.c}: Fixed compilation with gcc-3.4.2+
1474 problem.
1476 2004-11-19 Emmanuel Dreyfus <manu@netbsd.org>
1478 * src/racoon/doc/FAQ: more options and warn about software patents.
1480 2004-11-18 Emmanuel Dreyfus <manu@netbsd.org>
1482 * src/racoon/vmbuf.c: don't allocate zero-length buffer
1483 * src/racoon/samples/roadwarrior/client/phase1-down.sh
1484 src/racoon/samples/roadwarrior/server/phase1-down.sh: Also
1485 flush SAD when disconnecting.
1486 * src/racoon/admin.c: Send a notification when deleting ISAKMP SA
1487 * src/racoon/samples/roadwarrior/README: accomodate the recent
1488 sysconfdir change
1490 2004-11-18 Michal Ludvig <mludvig@suse.cz>
1492 * src/racoon/Makefile.am: Fix adminsocket dir, install sample
1493 racoon.conf and psk.txt.
1494 * src/racoon/localconf.h: Look for racoon.conf in $(SYSCONFDIR),
1495 not $(SYSCONFDIR)/racoon.
1496 * src/racoon/algorithm.h, src/racoon/eaytest.c,
1497 src/racoon/schedule.h, src/racoon/gnuc.h: Build fixes for really
1498 strict environments.
1499 * src/setkey/setkey.conf: Yet another sample config file.
1500 * src/setkey/Makefile.am: Install setkey.conf.
1501 * rpm/suse/{ipsec-tools.spec.in,sysconfig.racoon,racoon.init}: New
1502 files.
1503 * rpm/suse/{Makefile.am,.cvsignore}: New files.
1504 * configure.ac, rpm/Makefile.am: Build in rpm/suse.
1506 2004-11-17 Aidas Kasparas <a.kasparas@gmc.lt>
1508 * configure.ac: paste bugfix by Zilvinas Valinskas
1509 * src/racon/{isakmp_quick.c|policy.c|strnames.c}: fwd policy support
1510 for generated policies. Path by Patrick McHardy.
1512 2004-11-16 Emmanuel Dreyfus <manu@netbsd.org>
1514 * src/racoon/racoonctl.8: racoonctl man page (new file)
1516 2004-11-16 Emmanuel Dreyfus <manu@netbsd.org>
1518 From Ganesan <rganesan@users.sourceforge.net>
1519 * src/racoon/ipsec_doi.c: fix free'd memory access
1521 2004-11-16 Michal Ludvig <mludvig@suse.cz>
1523 DPD patch from Yvan Vanhullebus <vanhu@free.fr>
1524 * configure.ac, src/racoon/cfparse.y, src/racoon/cftoken.l,
1525 src/racoon/handler.c, src/racoon/handler.h,
1526 src/racoon/isakmp.c, src/racoon/isakmp.h,
1527 src/racoon/isakmp_agg.c, src/racoon/isakmp_ident.c,
1528 src/racoon/isakmp_inf.c, src/racoon/isakmp_inf.h,
1529 src/racoon/racoon.conf.5 src/racoon/remoteconf.c,
1530 src/racoon/remoteconf.h, src/racoon/vendorid.c,
1531 src/racoon/vendorid.h: Dead Peer Detection (DPD) support.
1533 2004-11-16 Michal Ludvig <mludvig@suse.cz>
1535 * configure.ac: Remove a bash-specific construction, take II.
1536 * src/racoon/grabmyaddr.c: FreeBSD fix for headers.
1538 2004-11-15 Michal Ludvig <mludvig@suse.cz>
1540 * configure.ac: Use correct include paths during ./configure run.
1541 * src/racoon/Makefile.am: Compile cftoken.l from $(srcdir),
1542 remove samples/racoon.conf.sample-cvpn, added samples/roadwarrior
1543 (hint, hint, manu :-))
1545 2004-11-15 Emmanuel Dreyfus <manu@netbsd.org>
1547 * README: update the docs
1548 * src/racoon/doc/FAQ: update the docs
1549 * configure.ac: Remove a bash-specific construction
1551 2004-11-14 Aidas Kasparas <a.kasparas@gmc.lt>
1553 * src/racoon/cfparse.y: ensure that returns from rules are
1554 initialized even on erroneous config file.
1555 * src/racoon/admin_var.h: changed management socket location
1556 * src/racoon/Makefile.am: ditto, added rule to install directory
1557 for management socket.
1558 * src/setkey/{setkey.c|parse.y}: introduced rfc/kernel modes,
1559 added generation of fwd policies for every in policy spdadd'ed.
1560 * src/setkey/setkey.8,src/libipsec/ipsec_set_policy.3: updated docs
1561 * src/setkey/policy_token.l: return something reasonable when
1562 fwd direction is parsed on systems with no forward policy
1563 support.
1565 2004-11-14 Emmanuel Dreyfus <manu@netbsd.org>
1567 * src/racoon/isakmp.c: avoid a double free when using IKE fragmentation
1568 * src/racoon/{backupsa.c|ipsec_doi.c|localconf.c|str2val.c}
1569 src/{libipsec/key_debug.c|setkey/parse.y}: fix build warnings
1570 * configure.ac src/racoon/{admin.c|admin_var.h}
1571 src/racoon/racoon.conf.5 src/racoon/samples/roadwarrior/README
1572 src/racoon/samples/roadwarrior/client/racoon.conf: make the default
1573 mode for the admin socket more secure.
1575 2004-11-13 Emmanuel Dreyfus <manu@netbsd.org>
1577 * src/racoon/{cfparse.y|remoteconf.c|crypto_openssl.c|crypto_openssl.h}
1578 src/racoon/{eaytest.c|oakley.c|racoon.conf.5|cftoken.l|remoteconf.h}
1579 src/racoon/samples/roadwarrior/README
1580 src/racoon/samples/roadwarrior/client/racoon.conf: Make the root
1581 certificate authority location per-peer and configurable.
1582 * src/racoon/isakmp_frag.c: fix unallocated memory access
1583 * src/racoon/isakmp_agg.c: fix incorrect queue deallocation
1584 * src/racoon/remoteconf.c: fix uninitialized data
1585 * src/racoon/{admin.c|isakmp_xauth.c}: fix free'ed memory access
1587 2004-11-12 Emmanuel Dreyfus <manu@netbsd.org>
1589 * src/racoon/{Makefile.am|kmpstat.c}: Make racoonctl vc and vd
1590 commands IPv6 friendly.
1591 * src/racoon/{admin.c|admin.h|handler.c|handler.h|kmpstat.c}:
1592 Add an admin message to flush all the SA for a given peer.
1593 Convert racoonctl vd to use it.
1594 * src/racoon/{admin.c|kmpstat.c|cftoken.l|cfparse.y}
1595 src/racoon/{admin_var.h|admin.h|raccon.conf.5}: Enable the
1596 administrator to choose the admin socket path, ownership and mode.
1597 * src/racoon/sample/roadwarrior: complete config files for
1598 road warriors using hybrid authentication.
1600 2004-11-12 Michal Ludvig <mludvig@suse.cz>
1602 * configure.ac: Config option --enable-natt=kernel
1603 * src/racoon/Makefile.am: Distribute only yacc/lex source files,
1604 not the preprocessed .c files.
1606 2004-11-11 Emmanuel Dreyfus <manu@netbsd.org>
1608 * src/racoon/samples/racoon.conf.sample-cvpn: more complete setup
1609 and comments in the VPN concentrator setup for the Cisco VPN client
1610 * src/racoon/racoon.conf.5: fix documentation
1611 * src/racoon/isakmp_cfg.c: get the internal IPv4 address in script
1612 hooks event if we are a server.
1614 2004-11-10 Emmanuel Dreyfus <manu@netbsd.org>
1616 * src/racoon/{ipsec_doi.c|remoteconf.c}: fix LP64 problems
1618 2004-11-09 Michal Ludvig <mludvig@suse.cz>
1620 * Makefile.am: Remove aclocal-related lines.
1621 * src/racoon/Makefile.am: Add isakmp_frag.h into noints_HEADERS
1622 * configure.ac: Cleanup, define INET6 if IPv6 shoud be supported,
1623 better handling of KRB5 and NAT-T.
1624 * src/racoon/{isakmp_cfg.c,isakmp_frag.c,isakmp_unity.c}: Make
1625 FreeBSD happy with includes (Arrgh...&^#$^@!!!)
1627 2004-11-08 Michal Ludvig <mludvig@suse.cz>
1629 * src/libipsec/policy_parse.y: Define INT32_MAX/INT32_MIN.
1630 * src/libipsec/policy_token.l, src/racoon/kmpstat.c,
1631 src/racoon/{pfkey.c,prsa_par.y,rsalist.c,token.l}: Small
1632 fixes to support FreeBSD (tested with 4.10).
1634 2004-11-05 Michal Ludvig <mludvig@suse.cz>
1636 * configure.ac: Add --with-readline switch.
1637 * src/setkey/setkey.c(stdin_loop): Fix newlines and comments
1638 when compiled without readline.
1640 2004-11-01 Aidas Kasparas <a.kasparas@gmc.lt>
1642 * src/racoon/isakmp_quick.c: generated policy refresh patch
1643 by Yvan Vanhullebus
1645 2004-10-29 Michal Ludvig <mludvig@suse.cz>
1647 * configure.ac: Check for IPSEC_DIR_FWD and eventually define
1648 HAVE_POLICY_FWD.
1649 * src/libipsec/{ipsec_dump_policy.c,policy_token.l}: Use
1650 HAVE_POLICY_FWD in ifdefs.
1651 * NEWS: Mention the fix.
1652 * src/racoon/kmpstat.c: Fix compilation on Linux.
1653 * src/racoon/ipsec_doi.h: Ditto.
1654 * src/racoon/Makefile.am, src/setkey/Makefile.am: Update
1655 explicit dependencies.
1657 2004-10-29 Emmanuel Dreyfus <manu@netbsd.org>
1659 * src/racoon/{isakmp_cfg.h,grabmyaddr.c,handler.c,handler.h}:
1660 do not reconfigure internal addresses obtained through ISAKMP
1661 mode config.
1662 * src/racoon/{isakmp.c,isakmp_cfg.c,isakmp_xauth.c}: On authentication
1663 failure, kill the phase 1 and log the failure. Do not run the sa_up
1664 script in this case.
1665 * src/racoon/{admin.c,admin.h,isakmp_xauth.c,kmpstat.c,remoteconf.h}:
1666 Add -u user to racoonctl establish-sa, prompt for the PSK from
1667 the terminal, and add a vpn-connect target with simplified syntax
1668 for establishing a SA in the road warrior case.
1669 * src/racoon/{admin.c,kmpstat.c}: implement delete-sa and
1670 vpn-disconnect commands of racoonctl
1671 * src/racoon/{cfparse.y,cftoken.l,handler.c,isakmp.c,isakmp_cfg.c}
1672 src/racoon/{isakmp_var.h,racoon.conf.5,remoteconf.c,remoteconf.h}:
1673 Remove sa_up and sa_down and replace them by a more general
1674 script hook framework.
1676 2004-10-27 Emmanuel Dreyfus <manu@netbsd.org>
1678 * src/racoon/nattraversal.c: Use macros instead of magic numbers
1679 * src/racoon/kmpstat.c: pull up fixes from KAME so that racoonctl
1680 can actually establish a SA
1681 * src/racoon/{cfparse.y,cftoken.l,handler.c,isakmp.c,isakmp_cfg.c}
1682 src/racoon/{isakmp_var.h,racoon.conf.5,remoteconf.c,remoteconf.h}:
1683 Shell script hooks for ISAKMP SA creation and removal
1685 2004-10-26 Emmanuel Dreyfus <manu@netbsd.org>
1687 * src/racoon/rfc/draft-ietf-ipsec-isakmp-hybrid-auth-05.txt: removed
1688 src/racoon/rfc/draft-ietf-ipsec-isakmp-mode-cfg-04.txt: removed
1689 src/racoon/rfc/draft-beaulieu-ike-xauth-02.txt: new file
1690 src/racoon/rfc/draft-dukes-ike-mode-cfg-02.txt: new file
1691 Update to the latest drafts
1693 2004-10-25 Emmanuel Dreyfus <manu@netbsd.org>
1695 * src/racoon/rfc/draft-ietf-ipsec-isakmp-hybrid-auth-05.txt: new file
1696 src/racoon/rfc/draft-ietf-ipsec-isakmp-mode-cfg-04.txt: new file
1697 src/racoon/rfc/draft-ietf-ipsec-isakmp-xauth-07.txt: new file
1698 drafts documenting ISAKMP mode config, Xauth and hybrid auth
1699 * src/racoon/cftoken.l: fix build problem, add an error message
1700 when using hybrid auth options while hybrid auth is not built
1701 * src/racoon/isakmp_cfg.c: build without RADIUS support too
1703 2004-10-24 Emmanuel Dreyfus <manu@netbsd.org>
1705 * src/racoon/{algorithm.c,algorithm.h,cfparse.y,cftoken.l}
1706 src/racoon/{ipsec_doi.c,ipsec_doi.h,isakmp.c,isakmp_agg.c}
1707 src/racoon/{isakmp_cfg.c,isakmp_cfg.h,isakmp_xauth.c,isakmp_xauth.h}
1708 src/racoon/{oakley.c,oakley.h,racoon.conf.5}
1709 src/racoon/{remoteconf.c,remoteconf.h,strnames.c}: Client side
1710 of hybrid auth and ISAKMP mode config
1712 2004-10-24 Emmanuel Dreyfus <manu@netbsd.org>
1714 * src/racoon/{cfparse.y,cftoken.l,handler.h,isakmp.c}
1715 src/racoon/{isakmp_agg.c,isakmp_base.c,isakmp_frag.c,isakmp_frag.h}
1716 src/racoon/{isakmp_inf.c,racoon.conf.5,remoteconf.c,remoteconf.h}:
1717 Receiver-side of IKE fragmentation
1719 2004-10-24 Emmanuel Dreyfus <manu@netbsd.org>
1721 * src/racoon/isakmp_cfg.c: Fix read buffer overflow
1722 * src/racoon/isakmp_xauth.c: Fix weak authentication
1723 * src/racoon/{oakley.c,oakley.h}: Fix weak authentication
1725 2004-10-21 Michal Ludvig <mludvig@suse.cz>
1727 From Emmanuel Dreyfus:
1728 * src/racoon/{isakmp_frag.c,isakmp_frag.h}: New files.
1729 * src/racoon/isakmp_cfg.c: Fix endianness.
1731 2004-10-20 Michal Ludvig <mludvig@suse.cz>
1733 From Emmanuel Dreyfus:
1734 * src/racoon/{cfparse.y,cftoken.l,handler.c},
1735 src/racoon/{isakmp_cfg.c,isakmp_cfg.h,isakmp_xauth.c},
1736 src/racoon/racoon.conf.5: RADIUS IP addresses allocation
1737 and RADIUS accounting.
1738 * configure.ac,
1739 src/racoon/{Makefile.am,handler.h,isakmp.c,isakmp.h},
1740 src/racoon/{isakmp_agg.c,isakmp_base.c,isakmp_inf.c},
1741 src/racoon/{vendorid.c,vendorid.h}: IKE Fragmentation patch.
1743 2004-10-08 Michal Ludvig <mludvig@suse.cz>
1745 * src/racoon/isakmp_cfg.c: Fixes from Emmanuel Dreyfus.
1747 2004-10-06 Aidas Kasparas <a.kasparas@gmc.lt>
1749 * src/racoon/remoteconf.c: dupidvl(), dupetypes() - new functions
1750 to duplicate dynamically allocatd structures; duprmconf() - call
1751 these functions to produce private copy of inherited id and etype
1752 structures.
1753 * src/racoon/remoteconf.c: declaration for dupetypes().
1755 2004-10-04 Aidas Kasparas <a.kasparas@gmc.lt>
1757 * src/racoon/cfparse.y: check inherited_from dereferencing
1758 * src/racoon/crypto_openssl.c: prevent crash on incorect DNs
1760 2004-09-27 Michal Ludvig <mludvig@suse.cz>
1762 From KOVACS Krisztian <hidden@balabit.hu>:
1763 * src/racoon/sockmisc.c(sendfromto): Set src address.
1765 2004-09-24 Aidas Kasparas <a.kasparas@gmc.lt>
1767 * configure.ac: added check for linux-gnu, as my box reports
1768 * src/racoon/grabmyaddr.c: added missing <linux/types.h> include
1770 2004-09-21 Michal Ludvig <mludvig@suse.cz>
1772 Merged 'autoconf' branch to mainline:
1773 * .cvsignore, ChangeLog, Makefile.am, bootstrap, configure.ac,
1774 src/racoon/.cvsignore, src/racoon/cfparse.y,
1775 src/racoon/crypto_openssl.c, src/racoon/crypto_openssl.h,
1776 src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
1777 src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
1778 src/racoon/isakmp_cfg.c, src/racoon/isakmp_ident.c,
1779 src/racoon/isakmp_unity.c, src/racoon/main.c,
1780 src/racoon/nattraversal.c, src/racoon/oakley.c,
1781 src/racoon/oakley.h, src/racoon/sockmisc.c,
1782 src/racoon/missing/crypto/sha2/sha2.c: Modified (see ChangeLog
1783 in 'autoconf' branch for details).
1784 * acracoon.m4, src/racoon/Makefile.am: New files.
1785 * src/racoon/Makefile.in, src/racoon/aclocal.m4,
1786 src/racoon/client-puzzle.c, src/racoon/config.guess,
1787 src/racoon/config.sub, src/racoon/configure.in,
1788 src/racoon/install-sh, src/racoon/doc/SantaBarbara-result.jp,
1789 src/racoon/doc/helsinki-result.jp, src/racoon/doc/ibm-result.jp,
1790 src/racoon/doc/pattern, src/racoon/doc/question,
1791 src/racoon/doc/racoonquestion.sh, src/racoon/doc/redmond.txt,
1792 src/racoon/doc/rules.jp, src/racoon/doc/sandiego-result.en,
1793 src/racoon/doc/sandiego-result.jp,
1794 src/racoon/doc/sandiego0009-result.en,
1795 src/racoon/missing/addrinfo.h, src/racoon/missing/getaddrinfo.c,
1796 src/racoon/missing/getnameinfo.c, src/racoon/samples/Makefile,
1797 src/racoon/samples/sandiego.pl: Removed.
1799 2004-09-17 Michal Ludvig <mludvig@suse.cz>
1801 * src/racoon/vendorid.[ch]: Rewrote the VendorID handling.
1802 We don't use the array with fixed offsets anymore, instead
1803 a generally unordered structure with ID, string and
1804 precomputed MD5 hashes.
1805 * src/racoon/{isakmp_agg.c,isakmp_base.c,isakmp_ident.c},
1806 src/racoon/nattraversal.c: Updated to the new VID model.
1807 * src/racoon/main.c(main): Precompute VendorIDs.
1808 * src/racoon/arc4random.h, src/racoon/missing/arc4random.c:
1809 Files removed. Function arc4random() renamed to eay_random()
1810 and moved to crypto_openssl.c.
1811 * src/racoon/pfkey.c, src/racoon/oakley.c, src/racoon/main.c,
1812 src/racoon/isakmp.c: Updated to the above change.
1813 * src/racoon/Makefile.in, src/racoon/configure.in: Remove
1814 arc4random() from building.
1815 * src/racoon/crypto_openssl.[ch](eay_random): New function.
1816 * src/racoon/isakmp_cfg.c, src/racoon/isakmp_unity.c,
1817 src/racoon/isakmp_xauth.c: Cleaned up headers.
1819 2004-09-16 Michal Ludvig <mludvig@suse.cz>
1821 * src/racoon/crypto_openssl.c (base64_encode): Terminate
1822 the result with '\0'.
1824 2004-09-15 Michal Ludvig <mludvig@suse.cz>
1826 * configure.ac: How about calling the next version 0.5?
1827 * src/include-glibc/glibc-bugs.h: Define _XOPEN_SOURCE
1828 _BSD_SOURCE and don't require <linux/types.h>
1829 * src/racoon/isakmp_cfg.c, src/racoon/isakmp_unity.c,
1830 src/racoon/isakmp_xauth.c: Don't include <netkey/key_var.h>
1831 * src/racoon/Makefile.in: Add new files to distribution.
1832 * src/racoon/configure.in: Fix linux kernel NATT detection.
1833 * src/setkey/parse.y: Fix types.
1834 * src/racoon/backupsa.c, src/racoon/ipsec_doi.c,
1835 src/racoon/isakmp_inf.c, src/racoon/isakmp_quick.c,
1836 src/racoon/pfkey.c, src/racoon/remoteconf.c,
1837 src/racoon/session.c, src/racoon/sockmisc.c: Fix headers
1838 ordering, use HAVE_NETINET6_IPSEC.
1839 * src/racoon/isakmp_cfg.c: Use %z for size_t.
1840 * src/racoon/configure.in: Clean up IPv6 stack check.
1842 2004-09-15 Michal Ludvig <mludvig@suse.cz>
1844 Merged "Hybrid XAUTH" support from Emmanuel Dreyfus:
1845 * src/racoon/isakmp_cfg.h, src/racoon/isakmp_cfg.c,
1846 src/racoon/isakmp_unity.c, src/racoon/isakmp_unity.h,
1847 src/racoon/isakmp_xauth.c, src/racoon/isakmp_xauth.h,
1848 src/racoon/samples/racoon.conf.sample-cvpn: New files.
1849 * src/racoon/algorithm.c, src/racoon/algorithm.h,
1850 src/racoon/cfparse.y, src/racoon/cftoken.l,
1851 src/racoon/handler.c, src/racoon/handler.h,
1852 src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
1853 src/racoon/isakmp.h, src/racoon/isakmp_agg.c,
1854 src/racoon/isakmp_inf.c, src/racoon/oakley.c,
1855 src/racoon/oakley.h, src/racoon/strnames.c,
1856 src/racoon/vendorid.c, src/racoon/vendorid.h: Added
1857 code for XAUTH support.
1858 * src/racoon/racoon.conf.5: Documentation for XAUTH.
1859 * src/racoon/isakmp_base.c, src/racoon/isakmp_ident.c,
1860 src/racoon/nattraversal.c: Added NATT VID "02\n"
1861 * src/racoon/configure.in: New config option --enable-hybrid
1863 2004-09-14 Michal Ludvig <mludvig@suse.cz>
1865 * configure.ac: Preset CFLAGS
1866 * src/racoon/configure.in: Preset LDFLAGS instead of CFLAGS on NetBSD,
1867 Check if printf() accepts "%z" modifiers.
1868 * src/racoon/isakmp_agg.c(agg_i1send): Place #endif correctly.
1869 * src/setkey/parse.y(fix_portstr): Init 'p2'.
1870 * src/setkey/setkey.c: Add required prototypes.
1872 2004-09-14 Aidas Kasparas <a.kasparas@gmc.lt>
1874 * src/racoon/gssapi.c: sa_len -> sysdep_sa_len. Patch by Andreas.
1876 2004-09-14 Michal Ludvig <mludvig@suse.cz>
1878 * src/racoon/configure.in: Check for NetBSD NAT-T kernel support.
1880 2004-09-13 Michal Ludvig <mludvig@suse.cz>
1882 * src/racoon/configure.in: Check for <openssl/engine.h>
1883 * src/racoon/crypto_openssl.c: Only use OpenSSL engines if available.
1884 * src/racoon/plainrsa-gen.c: Ditto.
1886 2004-09-13 Michal Ludvig <mludvig@suse.cz>
1888 NetBSD fixes from Emmanuel Dreyfus <manu@netbsd.org>:
1889 * Makefile.am: build in rpm/ only on Linux
1890 * configure.ac: Check for netinet6/ipsec.h instead of netinet/ipsec.h
1891 * src/Makefile.am: Build include-glibc only on Linux
1892 * src/libipsec/{ipsec_dump_policy.c,ipsec_get_policylen.c,
1893 ipsec_strerror.c,key_debug.c,pfkey.c,pfkey_dump.c,
1894 policy_parse.y,policy_token.l,test-policy-priority.c},
1895 src/racoon/{cfparse.y,cftoken.l,grabmyaddr.c,isakmp.c,
1896 nattraversal.c,pfkey.c,plainrsa-gen.c,policy.c,
1897 proposal.c,sainfo.c,schedule.c,strnames.c},
1898 src/setkey/{parse.y,setkey.c,token.l}: Fix headers and some
1899 ifdefs.
1900 * src/racoon/sockmisc.c(sendfromto): Wrap for Linux only.
1901 * src/racoon/configure.in: Check for kernel NAT-T support,
1902 fix libipsec.a linkage path.
1903 * src/racoon/eaytest.c(certtest): Use %z for size_t.
1905 2004-09-12 Aidas Kasparas <a.kasparas@gmc.lt>
1907 * src/racoon/grabmyaddr.c: improoved socket selection algorithm for
1908 case when link-local addresses comes w/o sin6_scope_id set.
1910 2004-09-07 Aidas Kasparas <a.kasparas@gmc.lt>
1912 * src/racoon/session.c: fix for SIGHUP handler for case when config
1913 file contains listen directives.
1915 2004-09-01 Aidas Kasparas <a.kasparas@gmc.lt>
1917 * src/racoon/grabmyaddr.c: added scope id handling for link-local
1918 IPv6 addresses. Now racoon will not err on such addresses.
1920 2004-08-19 Aidas Kasparas <a.kasparas@gmc.lt>
1922 * src/racoon/crypto_openssl.c: hmac memory leak fix by R. Ganesan
1923 * src/racoon/eaytest.c: eay_init_error() -> eay_init() due to
1924 2004-06-01 changes in src/racoon/crypto_openssl.c
1926 2004-08-15 Aidas Kasparas <a.kasparas@gmc.lt>
1928 * src/racoon/cfparse.y src/racoon/crypto_openssl.c
1929 src/racoon/eaytest.c src/racoon/genlist.h src/racoon/ipsec_doi.c
1930 src/racoon/racoon.conf.5 src/racoon/remoteconf.c
1931 src/racoon/remoteconf.h: peers_identifier wildcard and
1932 list patch by James Matheson
1934 ---------------------------------------------
1936 0.4rc1 released
1938 2004-08-09 Michal Ludvig <mludvig@suse.cz>
1940 * NEWS: Notes for release 0.4rc1
1941 * configure.ac: Bump up version to 0.4rc1
1943 2004-07-12 Michal Ludvig <mludvig@suse.cz>
1945 PlainRSA support.
1946 See ChangeLog.prsa from the 'plainrsa' branch for details.
1947 * src/racoon/stringlist.c src/racoon/stringlist.h: Removed.
1948 * src/racoon/genlist.c src/racoon/genlist.h
1949 src/racoon/plainrsa-gen.8 src/racoon/plainrsa-gen.c
1950 src/racoon/prsa_par.y src/racoon/prsa_tok.l
1951 src/racoon/rsalist.c src/racoon/rsalist.h
1952 src/racoon/samples/racoon.conf.sample-plainrsa: New files.
1953 * src/racoon/Makefile.in src/racoon/configure.in
1954 src/racoon/cfparse.y src/racoon/cftoken.l
1955 src/racoon/crypto_openssl.c src/racoon/crypto_openssl.h
1956 src/racoon/handler.h src/racoon/ipsec_doi.c
1957 src/racoon/ipsec_doi.h src/racoon/isakmp.h src/racoon/main.c
1958 src/racoon/oakley.c src/racoon/plog.c src/racoon/remoteconf.c
1959 src/racoon/remoteconf.h src/racoon/sockmisc.c
1960 src/racoon/sockmisc.h src/racoon/eaytest.c: Updated.
1962 2004-07-12 Michal Ludvig <mludvig@suse.cz>
1964 * src/racoon/main.c, src/racoon/eaytest.c, src/racoon/plog.c: Move
1965 f_foreground to plog.c.
1966 * src/racoon/proposal.c (cmpsaprop_alloc): Fix printing of encmode
1967 adjusting.
1968 * src/racoon/ipsec_doi.c, src/racoon/isakmp.c, src/racoon/isakmp_quick.c,
1969 src/racoon/oakley.c: Fix typos, newlines and printf() format strings.
1971 2004-06-16 Aidas Kasparas <a.kasparas@gmc.lt>
1973 * src/racoon/crypto_openssl.c (eay_get_x509cert): small memory
1974 leak fix. Noticed B.Buesker, patch L.Stellingwerff
1975 * src/racoon/crypto_openssl.c (eay_aes_{en|de}crypt, evp_crypt):
1976 small memory leaks fixed.
1978 2004-06-15 Aidas Kasparas <a.kasparas@gmc.lt>
1980 SECURITY
1981 * src/racoon/crypto_openssl.[ch] (cb_check_cert_local,
1982 cb_check_cert_remote): split cb_check_cert() due to stricter
1983 requirements for certificates received from network.
1984 * src/racoon/crypto_openssl.[ch] (eay_check_x509cert): new parameter
1985 local to specify how strict cert check should be
1986 * src/racoon/oakley.c, src/racoon/eaytest.c: adjust to use above
1988 2004-06-11 Michal Ludvig <mludvig@suse.cz>
1990 * src/racoon/nattraversal.c (natt_vendorid, natt_fill_options): Support
1991 for all known NAT-T versions.
1992 * vendorid.h: Ditto.
1994 2004-06-08 Michal Ludvig <mludvig@suse.cz>
1996 * src/racoon/stringlist.c, src/racoon/stringlist.h: New files.
1997 * src/racoon/Makefile.in: Compile stringlist.o.
1999 2004-06-07 Michal Ludvig <mludvig@suse.cz>
2001 * configure.ac: Set version to 'cvs'.
2002 * src/{racoon,setkey,libipsec}/*.h: Wrap headers between
2003 #ifndef/#define/#endif to allow multiple inclusions of the
2004 same file.
2005 * plog.h (plog): Attribute __printf__ for automatic checking
2006 of the parameters' validity.
2007 * cftoken.l, crypto_openssl.c, grabmyaddr.c, ipsec_doi.c,
2008 isakmp.c, isakmp_quick.c, oakley.c, pfkey.c, proposal.c,
2009 sockmisc.c: Fix warnings/errors in the plog() parameters with
2010 the above change.
2012 2004-06-05 Aidas Kasparas <a.kasparas@gmc.lt>
2014 * src/setkey/setkey.c: -n (no action) support.
2015 Thanks Thomas Habets.
2016 * src/setkey/setkey.8: Documentation for above.
2017 * src/racoon/doc/README.certificate: updated link to more recent
2018 version of document. Debian bug #252513 by Jose Luis Domingo Lopez
2020 2004-06-01 Michal Ludvig <mludvig@suse.cz>
2022 * src/racoon/algorithm.c: Enable compilation without SHA2 support.
2023 * src/racoon/crypto_openssl.c: Ditto.
2025 2004-06-01 Michal Ludvig <mludvig@suse.cz>
2027 * src/racoon/crypto_openssl.c: Remove unneeded workarounds for older
2028 OpenSSLs.
2029 (eay_init): New function.
2030 (eay_init_error, eay_check_pkcs7sign): Removed.
2031 * src/racoon/crypto_openssl.h: Reflect the above changes.
2032 * src/racoon/main.c: Call eay_init() instead of eay_init_error().
2034 2004-05-27 Michal Ludvig <mludvig@suse.cz>
2036 Support for inheritance of 'remote' statements:
2037 * src/racoon/cftoken.l: New keyword 'inherit'.
2038 * src/racoon/cfparse.y: Support for 'inherit', remove
2039 global 'prhead', use cur_rmconf->prhead instead.
2040 * src/racoon/remoteconf.c (rmtree): Changed from
2041 LIST queue to TAILQ queue.
2042 (getrmconf): Renamed to getrmconf_strict().
2043 (copyrmconf, duprmconf)
2044 (dump_rmconf_single, dumprmconf): New functions.
2045 (rm2str): Deleted.
2046 * src/racoon/remoteconf.h: Prototypes for the above.
2047 (struct remoteconf): New fields 'inherited_from' and 'prhead'.
2048 * src/racoon/sockmisc.c (saddr2str): Can print anonymous entries.
2049 * src/racoon/algorithm.c (alg_oakley_encdef_name)
2050 (alg_oakley_hashdef_name, alg_oakley_dhdef_name)
2051 (alg_oakley_authdef_name): New functions.
2052 * src/racoon/algorithm.h: Prototpes for the above.
2053 * src/racoon/strnames.c (num2str): Make extern.
2054 (s_doi, s_etype, s_idtype, s_switch): New functions.
2055 * src/racoon/strnames.h: Prototpes for the above.
2056 * src/racoon/main.c: New parameter -C for dumping the parsed config.
2057 * src/racoon/racoon.conf.5: Document inheritance.
2058 * src/racoon/samples/racoon.conf.sample-inherit: Sample config file.
2059 * src/racoon/Makefile.in: Distribute racoon.conf.sample-inherit
2061 2004-05-24 Michal Ludvig <mludvig@suse.cz>
2063 * configure.in, backupsa.c, ipsec_doi.c, isakmp_inf.c,
2064 isakmp_quick.c, pfkey.c, remoteconf.c, session.c,
2065 sockmisc.c: Allow compilation with --disable-ipv6
2067 2004-05-21 Michal Ludvig <mludvig@suse.cz>
2069 * src/racoon/crypto_openssl.[ch]: Use EVP_*() instead of
2070 algorithm specific functions.
2072 2004-05-20 Aidas Kasparas <a.kasparas@gmc.lt>
2074 Manual page updates. Thanks Brian
2075 * src/libipsec/ipsec_set_policy.3
2076 * src/setkey/setkey.8
2077 * src/libipsec/test-policy-priority.c: new file from policy
2078 priority patch, which I forgot to add
2080 2004-05-18 Aidas Kasparas <a.kasparas@gmc.lt>
2082 Policy priority integer handling fixes by Brian Buesker.
2083 * src/libipsec/ipsec_strerror.c
2084 * src/libipsec/ipsec_strerror.h
2085 * src/libipsec/libpfkey.h
2086 * src/libipsec/policy_parse.y
2087 * src/libipsec/test-policy-priority.c
2088 Manual page corrections by me
2089 * src/libipsec/ipsec_set_policy.3
2090 * src/setkey/setkey.8
2092 2004-05-15 Aidas Kasparas <a.kasparas@gmc.lt>
2094 Policy priority support patch from Brian Buesker. Applied as is
2095 except src/libipsec/Makefile.am is modified instead of
2096 src/libipsec/Makefile.in as found in the patch.
2098 2004-05-10 Michal Ludvig <mludvig@suse.cz>
2100 From Heiko Hund, approved by the copyright holder:
2101 * src/racoon/gssapi.[ch]: Update to 3-clause BSD license.
2103 2004-04-27 Michal Ludvig <mludvig@suse.cz>
2105 From Heiko Hund:
2106 * src/include-glibc/sys/queue.h: Update to 3-clause BSD license.
2108 2004-04-26 Aidas Kasparas <a.kasparas@gmc.lt>
2110 * src/racoon/grabmyaddr.c (update_myaddrs): Only trust kernel to
2111 send notifications about changed interfaces.
2113 2004-04-24 Aidas Kasparas <a.kasparas@gmc.lt>
2115 * src/racoon/grabmyaddr.c (recvaddrs): Only trust kernel to send
2116 information about interfaces. Thanks Steve Grubb and Bill
2117 Nottingham. Affects users with glibc w/o getifaddrs(). Users
2118 with glibc earlier than 2003-11-14 should upgrade their glibc.
2120 2004-04-19 Michal Ludvig <mludvig@suse.cz>
2122 * src/racoon/isakmp.c (isakmp_handler): Reject too big
2123 packets (CAN-2004-0403).
2125 ---------------------------------------------
2127 0.3 released
2129 2004-04-14 Michal Ludvig <mludvig@suse.cz>
2131 * NEWS: Notes for release 0.3
2132 * configure.ac: Bump up version to 0.3
2133 * src/racoon/Makefile.in: Use install-sh instead of mkinstalldirs.
2134 * src/racoon/remoteconf.c (foreachrmconf): Avoid warning about
2135 uninitialised variable.
2136 * src/racoon/samples/racoon.conf.in: Cleaned up to work with Linux
2137 and FreeSWAN.
2139 2004-04-13 Michal Ludvig <mludvig@suse.cz>
2141 * src/racoon/grabmyaddr.c (suitable_ifaddr6): Anycast addresses are
2142 not suitable.
2144 2004-04-09 Michal Ludvig <mludvig@suse.cz>
2146 * src/racoon/crypto_openssl.c (cb_check_cert): Warn if no CRL is found.
2147 * src/racoon/isakmp_ident.c (ident_r2recv): Removed debug plog().
2148 * src/racoon/proposal.c (cmpsatrns): Downgrade severity of trns_id
2149 mismatch to LLV_WARNING.
2150 * src/libipsec/pfkey_dump.c, src/racoon/algorithm.c
2151 src/racoon/algorithm.h src/racoon/cftoken.l
2152 src/racoon/ipsec_doi.c src/racoon/ipsec_doi.h
2153 src/racoon/oakley.h src/racoon/pfkey.c src/racoon/strnames.c
2154 src/setkey/token.l: Renamed Rijndael to AES.
2155 * src/setkey/token.l: Recognize exit/quit/bye tokens.
2156 * src/setkey/parse.y (exit_command): New.
2157 * src/setkey/setkey.c (stdin_loop): Exit when exit_now is set
2158 in exit_command.
2160 2004-04-08 Michal Ludvig <mludvig@suse.cz>
2162 * src/setkey/setkey.c (main): Call get_supported() in interactive mode.
2163 (stdin_loop): Concat multiline input into a single line before parsing.
2165 2004-04-07 Michal Ludvig <mludvig@suse.cz>
2167 * src/racoon/nattraversal.c (natt_keepalive_send): Log sending KA
2168 with level DEBUG. Having it with level INFO only pollutes logfiles.
2170 2004-04-06 Michal Ludvig <mludvig@suse.cz>
2172 * src/racoon/Makefile.in: eaytest now links plog.o
2173 * src/racoon/crypto_openssl.c: Remove all #ifdef EAYDEBUG/#endif
2174 surrounding plog().
2175 * src/racoon/eaytest.c (rsatest): Enabled RSA tests again, now
2176 verifying both good and bad signatures.
2178 ---------------------------------------------
2180 0.3rc5 released
2182 2004-04-05 Michal Ludvig <mludvig@suse.cz>
2184 * NEWS: Notes for release 0.3rc5
2185 * configure.ac: Bump up version to 0.3rc5
2187 2004-04-05 Michal Ludvig <mludvig@suse.cz>
2189 Fix for a security bug found by Ralf Spenneberg:
2190 * src/racoon/crypto_openssl.c (eay_check_x509sign): Directly generate
2191 'evp' instead of 'pubkey'.
2192 (eay_rsa_sign): Use the above.
2193 * src/racoon/crypto_openssl.h: Update prototypes for the above.
2194 * src/racoon/eaytest.c: Disabled RSA tests because of the API change.
2196 2004-04-05 Michal Ludvig <mludvig@suse.cz>
2198 * src/racoon/pfkey.c (pfkey_handler): Safety check before accessing
2199 the array (thx to Ren.J.Y for report).
2200 (pkrecvf): Added entry for SADB_X_NAT_T_NEW_MAPPING (NULL for now).
2201 * src/racoon/strnames.c (name_pfkey_type): Ditto.
2203 2004-04-02 Michal Ludvig <mludvig@suse.cz>
2205 * src/racoon/eaytest.c (ciphertest_1): Correct padlen.
2207 2004-04-01 Michal Ludvig <mludvig@suse.cz>
2209 * src/racoon/ipsec_doi.c (setph2proposal0): Move proposal encmode
2210 update from here ...
2211 (ipsecdoi_setph2proposal): ... to here. Hopefully this is a
2212 better place to do the update.
2214 2004-03-30 Michal Ludvig <mludvig@suse.cz>
2216 * src/racoon/crypto_openssl.c (eay_3des_expand_key): New function.
2217 (eay_3des_encrypt, eay_3des_decrypt): Expand key if necessary.
2218 * src/racoon/eaytest.c (ciphertest_1): New function.
2219 (ciphertest): Simplified to simple calls of ciphertest_1().
2221 2004-03-29 Michal Ludvig <mludvig@suse.cz>
2223 * README: Rewritten. Mentioned where to report bugs.
2225 2004-03-26 Michal Ludvig <mludvig@suse.cz>
2227 * configure.ac: Check for readline.h and libreadline.
2228 * src/setkey/setkey.c: Call stdin_loop() when '-c' was given.
2229 (stdin_loop): Read user input and parse it line-by-line.
2230 * src/setkey/token.l (parse_string): New function.
2232 ---------------------------------------------
2234 0.3rc4 released
2236 2004-03-25 Michal Ludvig <mludvig@suse.cz>
2238 * configure.ac: Bump up version to 0.3rc4
2239 * NEWS: Notes for release 0.3rc4
2240 * src/racoon/cfparse.y (algorithm): Hint about missing module.
2241 * src/racoon/crypto_openssl.c (eay_3des_*): Check for strict key
2242 length only with old API.
2243 (eay_des_encrypt): Ditto.
2244 * src/racoon/eaytest.c: Make the testsuite usefull, i.e. exit with
2245 non-zero error code if any of the tests fail.
2246 (main): Print banner with version.
2247 * src/racoon/Makefile.in: Run eaytest in 'make check'.
2249 2004-03-23 Michal Ludvig <mludvig@suse.cz>
2251 * src/racoon/isakmp_agg.c (agg_i2recv): Copy remote cookie before
2252 comparing NAT-D payloads. (thx to Gaurav Kansal for report).
2253 * src/racoon/crypto_openssl.c: Avoid type-punned warnings.
2254 * src/racoon/eaytest.c: Disable 'cert' tests.
2255 * src/racoon/crypto_openssl.c (eay_des_encrypt): No need to check
2256 for strict length.
2257 (eay_aes_encrypt): Keylength is in bits, not bytes.
2259 2004-03-22 Michal Ludvig <mludvig@suse.cz>
2261 * src/setkey/parse.y (ALG_ENC_NOKEY, ALG_ENC_OLD): Use "" for key
2262 instead of NULL and check for availability.
2264 ---------------------------------------------
2266 0.3rc3 released
2268 2004-03-19 Michal Ludvig <mludvig@suse.cz>
2270 * configure.ac: Bump up version to 0.3rc3
2271 * NEWS: Notes for release 0.3rc3
2272 * src/racoon/cftoken.l: Add 'null' as an alias for 'null_enc'.
2273 * src/racoon/proposal.c (cmpsatrns): New parameter proto_id,
2274 better diagnostic output when trns_id don't match.
2275 * src/racoon/proposal.h (cmpsatrns): Update prototype.
2276 * src/setkey/setkey.c: Change option -h to -H (for hexdump), new
2277 options -h (help) and -V (version).
2278 * src/setkey/setkey.8: Document the above changes.
2279 * src/racoon/rfc/*: Many standards related to IPsec/IKE/NAT-T/...
2281 2004-03-15 Michal Ludvig <mludvig@suse.cz>
2283 * src/racoon/configure.in: Prevent compilation error with
2284 --enable-yydebug.
2286 ---------------------------------------------
2288 0.3rc2 released
2290 2004-03-11 Michal Ludvig <mludvig@suse.cz>
2292 * configure.ac: Bump up version to 0.3rc2
2293 * NEWS: Notes for release 0.3rc2
2294 * src/racoon/aclocal.m4 (RACOON_CHECK_VA_COPY): New test.
2295 * src/racoon/configure.in: Call RACOON_CHECK_VA_COPY
2296 * src/racoon/plog.c (plogv): Replace va_copy() with VA_COPY.
2297 * src/racoon/racoon.conf.5: Note that NAT-T support is a compile
2298 time option.
2300 2004-03-10 Michal Ludvig <mludvig@suse.cz>
2302 * src/racoon/racoon.conf.5: Document nat_traversal option.
2303 * src/racoon/racoon.8: DOcument new options (-L and -P).
2305 2004-03-09 Michal Ludvig <mludvig@suse.cz>
2307 * src/racoon/grabmyaddr.c (autoconf_myaddrsport): Prepare addrs for
2308 UDP-Encap ports if NAT-T is enabled.
2309 (dupmyaddr): New function.
2310 * src/racoon/grabmyaddr.h: Prototype for dupmyaddr().
2311 * src/racoon/isakmp.c (isakmp_open): Complain if NAT-T is enabled, but
2312 no port for UDP-Encap was open.
2313 * src/racoon/isakmp_var.h (PORT_ISAKMP_NATT): New define.
2314 * src/racoon/localconf.c, src/racoon/localconf.h: Define and setup
2315 lcconf->port_isakmp_natt.
2316 * src/racoon/main.c (main): Print nicer banner,
2317 (usage): Document new options (-L and -P).
2318 (parse): Recognise the above.
2319 * src/racoon/nattraversal.c (natt_fill_options): Don't use hardcoded
2320 constants for float_port.
2321 (natt_enabled_in_rmconf, natt_enabled_in_rmconf_stub): New functions.
2322 * src/racoon/nattraversal.h: Prototype for natt_enabled_in_rmconf().
2323 * src/racoon/plog.c: Don't print source:line:function by default.
2324 * src/racoon/remoteconf.c (foreachrmconf): New helper function.
2325 * src/racoon/remoteconf.h: Prototype for the above.
2326 * package_version.h: Define strings for use in banners.
2327 * configure.ac: Fill up the above header.
2329 2004-03-09 Michal Ludvig <mludvig@suse.cz>
2331 * src/racoon/configure.in: Don't put -O into OPTFLAGS,
2332 add new option --disable-natt.
2333 * src/racoon/cfparse.y, src/racoon/handler.c,
2334 src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
2335 src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
2336 src/racoon/isakmp_ident.c, src/racoon/pfkey.c,
2337 src/racoon/proposal.c, src/racoon/session.c: Replace WITH_NATT
2338 with ENABLE_NATT.
2339 * src/racoon/crypto_openssl.c: Replace %d with %zd for size_t arguments.
2341 2004-03-06 Aidas Kasparas <a.kasparas@gmc.lt>
2343 * configure.ac: Refuse to continue if lexer library (yywrap()
2344 function) is missing. Should prevent bugs like #892067, #908758
2345 * src/racoon/configure.in: renamed --with-ssleay to --with-openssl.
2346 Users should not be given false idea that they require both OpenSSL
2347 and SSLeay to compile racoon. (See bug #902197)
2349 ---------------------------------------------
2351 0.3rc1 released
2353 2004-03-04 Michal Ludvig <mludvig@suse.cz>
2355 * configure.ac: Bump up version to 0.3rc1
2356 * NEWS: Mention release 0.3rc1 (and copy 0.2.3 and 0.2.4 notes
2357 from 0.2 branch).
2358 * src/racoon/samples/racoon.conf.sample-natt: New sample config file.
2359 * src/racoon/Makefile.in: Tweak file lists to make 'distcheck' happy,
2360 enabled NATT by default (will become a config option later).
2362 2004-03-04 Michal Ludvig <mludvig@suse.cz>
2364 Merge with 'nat-t_branch' to bring NAT-T (NAT traversal) support
2365 to racoon.
2366 * src/racoon/Makefile.in, src/racoon/cfparse.y,
2367 src/racoon/cftoken.l, src/racoon/grabmyaddr.c,
2368 src/racoon/grabmyaddr.h, src/racoon/handler.c,
2369 src/racoon/handler.h, src/racoon/ipsec_doi.c,
2370 src/racoon/ipsec_doi.h, src/racoon/isakmp.c, src/racoon/isakmp.h,
2371 src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
2372 src/racoon/isakmp_ident.c, src/racoon/isakmp_quick.c,
2373 src/racoon/localconf.c, src/racoon/localconf.h,
2374 src/racoon/pfkey.c, src/racoon/proposal.c, src/racoon/proposal.h,
2375 src/racoon/racoon.conf.5, src/racoon/remoteconf.c,
2376 src/racoon/remoteconf.h, src/racoon/session.c,
2377 src/racoon/strnames.c, src/racoon/vendorid.h
2378 src/libipsec/pfkey.c,
2379 src/racoon/nattraversal.c, src/racoon/nattraversal.h,
2380 src/racoon/sockmisc.c: Affected files.
2382 2004-02-27 Michal Ludvig <mludvig@suse.cz>
2384 * src/racoon/isakmp.c (set_isakmp_header1): Renamed from
2385 set_isakmp_header().
2386 (set_isakmp_header): New function common for set_isakmp_header1()
2387 and set_isakmp_header2().
2388 (copy_ph1addresses): Obey original port.
2389 (isakmp_plist_append, isakmp_plist_set_all): New helper functions.
2390 * src/racoon/isakmp_var.h: Prototypes for the above.
2391 * src/racoon/isakmp.h (struct payload_list): New structure.
2392 * src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
2393 src/racoon/isakmp_ident.c: Use isakmp_plist_* functions.
2395 2004-02-03 Michal Ludvig <mludvig@suse.cz>
2397 * src/racoon/Makefile.in: Fix install to $(sbindir)
2398 * src/setkey/parse.y: Avoid GCC 3.3 warning (type-punned pointer).
2400 2004-01-19 Michal Ludvig <mludvig@suse.cz>
2402 * rpm/ipsec-tools.FC1: Startup script for Fedora Core 1
2403 (thanks to Kimmo Koivisto <kimmo.koivisto@surfeu.fi>)
2405 2004-01-17 Aidas Kasparas <a.kasparas@gmc.lt>
2407 * src/racoon/isakmp_inf.c: endian mismatch fix. From iij seil team
2409 2004-01-15 Michal Ludvig <mludvig@suse.cz>
2411 * src/racoon/isakmp_inf.c: Prevent unauthorized deletion of SA
2412 (reported on bugtraq, fixed by iij seil team).
2413 * src/racoon/isakmp.c: Don't try to bind to IPv6 multicast addresses.
2415 2004-01-14 Michal Ludvig <mludvig@suse.cz>
2417 * src/racoon/plog.c: Fix segfault on AMD64 (va_list can be used
2418 only once).
2419 * configure.ac: Don't build shared libipsec by default (can be
2420 enabled by --enable-shared).
2421 * bootstrap: Don't run automake for racoon.
2423 2004-01-12 Michal Ludvig <mludvig@suse.cz>
2425 * src/racoon/configure.in: Fix AC_DEFINEs to make autoheader happy,
2426 use config.h for defines instead of -DHAVE_* gcc options,
2427 fix CRYPTOBJS to include missing rijndael libraries only once,
2428 checking for AES support in OpenSSL now (hopefully) finally
2429 works on both OpenSSL 0.9.6 and 0.9.7.
2430 * src/racoon/*.[cyl]: Include autogenerated "config.h"
2431 * src/racoon/missing/crypto/*/*.c: Ditto.
2432 * src/racoon/.cvsignore: Add config.h, config.h.in
2434 2004-01-09 Michal Ludvig <mludvig@suse.cz>
2436 * src/racoon/.cvsignore: Add "autom4te.cache" and "configure".
2438 2004-01-09 Aidas Kasparas <a.kasparas@gmc.lt>
2440 Sync with KAME 2004-01-07
2441 * src/libipsec/pfkey.c: memory leak fix; comment typo fixes
2442 * src/libipsec/{pfkey.c,pfkey_dump.c}: allow compilation even
2443 no SADB_X_EXT_TAG defined
2444 * src/libipsec/pfkey_dump.c: information about algorithms
2445 ripemd160, aes-xcbc, aes-ctr; bigger buffers; <tag> support
2446 * src/libipsec/policy_parse.y: memory leak
2447 * src/libipsec/policy_token.l: memory leak
2448 * src/libipsec/test-policy.c: unneeded \n removed
2449 * src/racoon/Makefile.in: $(sbindir) support
2450 * src/racoon/admin.c: interface changes due to proxy support
2451 * src/racoon/algorithm.c: SHA2 #ifdefs
2452 * src/racoon/{cfparse.y,cftoken.l}: license text added
2453 * src/racoon/cfparse.y: mip6 obsoleted by proxy support
2454 * src/racoon/cfparse.y: from directive support; new algorithms
2455 * src/racoon/cftoken.l: support for globbing of include files
2456 * src/racoon/configure.in: more verbose information about problems
2457 with SHA2
2458 * src/racoon/crypto_openssl.c: use new DES API if supported; algorithm
2459 key size fixes
2460 * src/racoon/eaytest.c: SHA2 #ifdefs; keysize len check
2461 * src/racoon/ipsec_doi.c: use VPTRINIT; ESP parameter validity checks;
2462 style change
2463 * src/racoon/isakmp.c: use VPTRINIT; interface changes due to
2464 mip6->proxy; typo
2465 * src/racoon/isakmp_inf.c: use VPTRINIT
2466 * src/racoon/isakmp_quick.c: mip6->proxy
2467 * src/racoon/kmpstat.c: not used variables removed
2468 * src/racoon/pfkey.c: mip6->proxy; schedule leak
2469 * src/racoon/proposal.c: style
2470 * src/racoon/remoteconf.c: mip6->proxy
2471 * src/racoon/sainfo.c: from directive support
2472 * src/racoon/sockmisc.c: side correction; addrinfo leak
2473 * src/racoon/strnames.c: typo in descriptions; wrong upper bound check
2474 * src/racoon/missing/crypto/sha2/sha2.c: wrong size
2475 * src/setkey/parse.y: extra algorithms; tagged; not needed periods
2476 removed; memory shortage checks
2477 * src/setkey/setkey.8: typos; tagged; new algorithms
2478 * src/setkey/setkey.c: standard argument names for main(); hexdump
2479 support; info in file support
2480 * src/setkey/token.l: new algorithms; memory shortage checks
2481 Parts not taken from KAME:
2482 * kernelfs stuff;
2483 * sysctl stuff
2485 2004-01-08 Michal Ludvig <mludvig@suse.cz>
2487 * src/racoon/config.{sub,guess}: Update from automake 1.7.
2489 2004-01-08 Michal Ludvig <mludvig@suse.cz>
2491 Patch from Kostadin Karaivanov <larry@minfin.bg>:
2492 * src/racoon/configure.in: Check for openssl/aes.h.
2493 * src/racoon/crypto_openssl.c: Use OpenSSL AES functions if available.
2495 2004-01-08 Michal Ludvig <mludvig@suse.cz>
2497 * src/racoon/configure: Remove, should be regenerated by bootstrap.
2499 2004-01-02 Michal Ludvig <michal@logix.cz>
2501 * src/racoon/crypto_openssl.c: Update to work with OpenSSL 0.9.7
2502 (by Brian Buesker <bbuesker@qualcomm.com>
2503 and Christophe Saout <christophe@saout.de>)
2504 * src/racoon/proposal.c: Be more verbose. (Michal Ludvig)
2505 * src/libipsec/ipsec_dump_policy.c: Dump FWD policies correctly
2506 (by Michal Ludvig).
2507 * src/setkey/token.l, src/setkey/parse.y: Add support for lifetime
2508 specified in bytes (by Michal Ludvig).
2509 * src/setkey/setkey.8: Document -bh/-bs options for the above feature.
2510 * src/libipsec/pfkey.c: Don't include 'sadb_key' in SADB_UPDATE
2511 message for IPcomp SA. (by Brian Buesker <bbuesker@qualcomm.com>)
2512 * src/racoon/cfparse.y: Flush SA on SIGHUP
2513 (by Brian Buesker <bbuesker@qualcomm.com>)
2514 * src/racoon/pfkey.c: IPcomp fixes
2515 (by Brian Buesker <bbuesker@qualcomm.com>)
2516 * src/racoon/proposal.c: Fix typo lifebyte -> lifetime.
2517 * src/racoon/grabmyaddr.c: Prevent segfault if getifaddrs() returns
2518 an entry with NULL ifa_addr (Michal Ludvig).
2519 * configure.ac: Change path to kernel headers
2520 from /usr/src/devel-2.5/devel to /usr/src/linux
2521 * bootstrap: Use default tools, reconfigure src/racoon
2522 * src/racoon/configure.in: Change LIBOBJS -> AC_LIBOBJ,
2523 changed comments from 'dnl' to '#'.
2525 2003-06-20 Derek Atkins <derek@ihtfp.com>
2527 * src/racoon/aclocal.m4:
2528 * src/racoon/configure:
2529 Don't execute "for i in $3" if "$3" doesn't exist.
2530 Fixes bug #721296.
2532 2003-03-31 Derek Atkins <derek@ihtfp.com>
2534 * src/setkey/parse.y: change the NAT-T Type to use UDP_ENCAP_ESPINUDP
2535 (which is value '2')
2537 2003-03-27 Derek Atkins <derek@ihtfp.com>
2539 * src/libipsec/key_debug.c: use ntohs() before printing port
2540 * src/libipsec/pfkey.c: convert port# to network byte order
2541 * src/libipsec/pfkey_dump.c: use ntohs() before printing ports
2542 * src/setkey/parse.y: convert port#'s to network byte order
2544 2003-03-24 Derek Atkins <derek@ihtfp.com>
2546 * src/libipsec/pfkey.c: Don't switch off NAT-T extensions
2547 if they don't exist in the kernel.
2549 * src/racoon/sockmisc.c: use '34' for IPV6_IPSEC_POLICY,
2550 as per Tom Lendacky <toml@us.ibm.com>. Also move the
2551 setting of IPV6_IPSEC_POLICY to the top of the file.
2553 2003-03-13 Derek Atkins <derek@ihtfp.com>
2555 Add initial support for NAT-T PFKey Extensions:
2556 * src/libipsec/key_debug.c: add support to print information
2557 about NAT-T extension packets.
2558 * src/libipsec/libpfkey.h: add two new APIs to support NAT-T
2559 for add and update as part of the SADB.
2560 * src/libipsec/pfkey.c:
2561 - Implement extended APIs to support NAT-T for add and update
2562 of the SADB.
2563 - Add APIs to fill a buffer with NAT-T packet types
2564 * src/libipsec/pfkey_dump.c: Extend the SADB output to include
2565 PFKey packets. Put port numbers with the source and dest
2566 addresses, add an 'esp-udp' SA-type, and add a printout for
2567 the NAT-OA.
2568 * src/setkey/parse.y:
2569 - Extend setkey to create an ESP-UDP SA.
2570 - default UDP port is 4500
2571 - extend 'add' to allow <ip-addr>[<portnum>] for source and dest
2572 (the portnum specification requires the [] characters)
2573 - add an ESPUDP "protocol" from the lexer. This will use
2574 ESP and allow an optional Original Address setting.
2575 - add a function to get a udp port from a struct sockaddr *
2576 - pass the NAT-T extentions into PFKey
2577 * src/setkey/token.l: add "esp-udp" token
2579 * rpm/ipsec-tools.spec.in: Bill Nottingham's SPEC-file patch:
2580 This switches it to use %{_lib} (for /lib64 systems such as
2581 x86-64 and s390x, and has it own the /etc/racoon directory in
2582 the package as well.
2584 ---------------------------------------------
2586 0.2.2 released
2588 2003-03-13 Derek Atkins <derek@ihtfp.com>
2590 * configure.am, NEWS:
2591 Update for 0.2.2 release
2593 * Makefile.am: distribute depcomp
2595 2003-03-10 Derek Atkins <derek@ihtfp.com>
2597 * src/racoon/Makefile.in: add @LEXLIB@ to the LIBS line to make
2598 sure we link against the lexer library when necessary.
2600 2003-03-07 Derek Atkins <derek@ihtfp.com>
2602 * configure.am:
2603 * Makefile.am:
2604 * rpm/Makefile.am:
2605 * rpm/ipsec-tools.spec.in:
2606 Added RPM SPEC to CVS
2608 ---------------------------------------------
2610 0.2.1 released
2612 2003-03-07 Derek Atkins <derek@ihtfp.com>
2614 * src/racoon/configure.in: change "CFLAGS" to "CPPFLAGS" for
2615 ssl include directory, to make sure the other tests work properly.
2617 2003-03-06 Derek Atkins <derek@ihtfp.com>
2619 * src/racoon/kmpstat.c: fix gcc-3.2.2 compiler warning
2621 * src/racoon/configure.in: look for krb5-config and don't
2622 use it if it's not found. Fixes a configure-time warning.
2624 --------------------------------------------
2626 0.2 Released