Migration to cvs.netbsd.org

2006-08-22 Emmanuel Dreyfus <manu@netbsd.org>

	From Matthew Grooms:
	* src/racoon/{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h}
	  src/racoon/{isakmp_quick.c|isakmp_xauth.c|isakmp_xauth.h}
	  src/racoon/racoon.conf.5: Add a group check option

2006-08-17 Yvan Vanhullebus <vanhu@netasq.com>

	Patch from Matthew Grooms:
	* src/racoon/ipsec_doi.c: fixed an ASN1 size in
	  ipsecdoi_checkid1()

2006-08-11 Yvan Vanhullebus <vanhu@netasq.com>

	Patch from Matthew Grooms:
	* src/racoon/ipsec_doi.[ch]: fixed and made public ipsecdoi_id2str()
	* src/racoon/isakmp_quick.c: text fix
	* src/racoon/pfkey.c: sainfo debug
	* src/racoon/sainfo.c: sainfo debug

2006-07-17 Yvan Vanhullebus <vanhu@netasq.com>

	Reported by Matthew Grooms:
	* src/racoon/isakmp_quick.c: Fixed iph2->id / id_p checks in
	  get_sainfo_r().
	* src/racoon/racoon.conf.5: updated man page for sainfo logic.

2006-07-31 Emmanuel Dreyfus <manu@netbsd.org>
	From Matthew Grooms <mgrooms@shrew.net>
	* src/racoon/{cfparse.y|isakmp_cfg.c|isakmp_cfg.h}
	  src/racoon/{isakmp_unity.c|isakmp_unity.h}: split net support
	  becomes dynamic, bugfixes

2006-07-19 Emmanuel Dreyfus <manu@netbsd.org>
	From Peter Eisch <peter@boku.net>
	* src/racoon/samples/roadwarrior/client/phase1-up.sh: add missing
	  netmask in network interface configuration

	From Matthew Grooms <mgrooms@shrew.net>
	* configure.ac src/racoon/isakmp_xauth.c: update the LDAP API usage

	From Matthew Grooms <mgrooms@shrew.net>
	* src/racoon/{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h}
	  src/racoon/{isakmp_cfg.c|isakmp_unity.c|racoon.conf.5}: Split DNS
	  support (server side)

2006-07-17 Yvan Vanhullebus <vanhu@netasq.com>

	* src/libipsec/pfkey.c: Fixed SADB_X_EXT_SEC_CTX support in pfkey_align().
	  Break reported by Matthew Grooms.

2006-07-13 Frederic Senault <fred@lacave.net>

	* src/racoon/isakmp_cfg.c: fix a typo that rendered DNS4 / WINS4
	  inoperable on 64bit architectures ; add a packetdump of MODE_CFG
	  exchange in debug mode.

2006-07-09 Emmanuel Dreyfus <manu@netbsd.org>
	From Matthew Grooms <mgrooms@shrew.net>
	* src/racoon/{cfparse.y|cftoken.l|isakmp_quick.c|isakmp_xauth.c}
	  src/racoon/{isakmp_xauth.h|racoon.conf.5|sainfo.c|sainfo.h}:
	  Group authentication for Xauth. Supports system groups and LDAP.

2006-07-04 Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/nattraversal.c: fixed a malloc check in
	  natt_keepalive_add(). Patch from Bruno Wagenseil.

2006-06-30 Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/{cfparse.y|cftoken.l}: meaningful error message when
	  we cannot find the configuration file.

2006-06-24 Emmanuel Dreyfus <manu@netbsd.org>
	From Matthew Grooms <mgrooms@shrew.net>
	* src/racoon/{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h}
	  src/racoon/{isakmp_xauth.c|isakmp_xauth.h|racoon.conf.5}: network
	  configuration obtained from LDAP directory

2006-06-23 Emmanuel Dreyfus <manu@netbsd.org>
	From Matthew Grooms <mgrooms@shrew.net>
	* configure.ac: build fixes

2006-06-22 Emmanuel Dreyfus <manu@netbsd.org>
	* src/racoon/evt.c: build fix
	From Matthew Grooms <mgrooms@shrew.net>
	* configure.ac: build fixes around libldap and libiconv search

2006-06-21 Emmanuel Dreyfus <manu@netbsd.org>
	* src/racoon/evt.c: Do not record events if admin socket is
	  disabled.

2006-06-20 Emmanuel Dreyfus <manu@netbsd.org>

	* configure.ac: Check for conflicts between system libiconv
	  and newer libiconv header
	From Matthew Grooms <mgrooms@shrew.net>
	* configure.ac src/racoon/{cfparse.y|cftoken.l}
	  src/racoon/{isakmp_cfg.h|isakmp_xauth.c|isakmp_xauth.h}
	  src/racoon/{main.c|racoon.conf.5}: Use LDAP for Xauth

2006-06-20 Yvan Vanhullebus <vanhu@netasq.com>

	* configure.ac: fixed SHA256 detection on some systems. Patch by
	  Dmitry Andrianov.
	* src/racoon/{cfparse.y|cftoken.l|plog.[ch]|racoon.conf.5}:
	  changed logging levels. Patch by Michal Ruzicka.

2006-06-15 Emmanuel Dreyfus <manu@netbsd.org>
	From Matthew Grooms <mgrooms@shrew.net>
	* src/racoon/main.c: make sure RADIUS is correctly initialized

2006-06-14 Yvan Vanhullebus <vanhu@netasq.com>

	* Makefile.am, src/Makefile.am: fixed make dist on *BSD

2006-06-07 Emmanuel Dreyfus <manu@netbsd.org>
	* src/racoon/isakmp_cfg.c: Fix build.

2006-05-26 Emmanuel Dreyfus <manu@netbsd.org>
	From Pawel Jakub Dawidek <pjd@FreeBSD.org>
	* src/racoon/handler.c: Fix a crash caused by a NULL pointer
	* src/racoon/oakley.c: Typos
	* src/racoon/isakmp_base.c: Fix uninitialized buffer
	* src/racoon/isakmp_base.c: Do send DPD VID in resp case (base mode)

2006-05-23 Emmanuel Dreyfus <manu@netbsd.org>
	* src/racoon/isakmp_cfg.c: Mode cfg can be used without Xauth, so
	  do not assume Xauth when preparing a hook script environment.
	From chunkeey@web.de
	* src/racoon/{algorithm.c|oakley.c|gssapi.c|ipsec_doi.c}: Fix amd64
	  build warnings
	* src/racoon/ipsec_doi.c: Don't free a referenced buffer
	From Matthew Grooms <mgrooms@shrew.net>
	* src/racoon/isakmp_cfg.c: Fix for unity local_lan support

2006-05-07 Emmanuel Dreyfus <manu@netbsd.org>
	* src/racoon/{isakmp.c|session.c|sockmisc.c|racoon.conf.5}: Do
	  not reconfigure interface sockets when running in privilege
	  separation as it will not work. Add debug for setsockopt().
	* src/racoon/racoonctl.8: Do not tell config reload is completely
	  broken (it's only somewhat broken).

2006-05-06 Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/{remoteconf.c|remoteconf.h|isakmp.c|cfparse.y}: Fix
	  memory leak (Coverity)
	* src/racoon/pfkey.c: Fix memory leak (Coverity)
	* src/racoon/ipsec_doi.c: Fix memory leak (Coverity)
	* src/racoon/isakmp.c: Fix memory leak (Coverity)
	* src/racoon/dnssec.c: Fix memory leak (Coverity)
	* src/racoon/backupsa.c: Fix memory leak (Coverity)
	* src/racoon/{nattraversal.c|isakmp.c|cfparse.y}: Check for non NULL
	  allocation (Coverity)
	* src/racoon/isakmp_quick.c: Remove dead code (Coverity)
	* src/racoon/oakley.c: Remove dead code (Coverity)
	* src/racoon/crypto_openssl.c: Remove dead code (Coverity)

2006-05-05 Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/pfkey.c: Sets NAT-T ports to 0 if no NAT
	  encapsulation in pk_sendgetspi().

2006-05-04 Yvan Vanhullebus <vanhu@netasq.com>
	From Preggna S (spreggna@novell.com)
	* src/racoon/schedule.h: fixed gnuc.h include.
	* src/racoon/{cfparse.y|cftoken.l}: Address range sainfos support.
	* src/racoon/ipsec_doi.[ch]: ipsecdoi_sockrange2id() function.

2006-05-03 Yvan Vanhullebus <vanhu@netasq.com>
	From Joy Latten <latten@austin.ibm.com>
	* configure.ac: security context support check
	* src/libipsec/{pfkey.c|pfkey_dump.c}:
	  SADB_X_EXT_PACKET / SADB_X_EXT_SEC_CTX support
	* src/setkey/{parse.y|token.l}: parses optional security context
	* src/setkey/setkey.8: security context syntax

2006-04-27 Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/{remoteconf.c|proposal.c}: fix memory leak (Coverity)

2006-04-24 Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/isakmp.c: style cleanup in delete_spd()

2006-04-13 Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/pfkey.c: Sets NAT-T ports to 0 if no NAT
	  encapsulation in pk_sendupdate().

2006-04-12 Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/ipsec_doi.c: fix memory leaks (Coverity)

2006-04-06 Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/{admin.c|cfparse.y|cftoken.l|debugrm.c|debugrm.h}
	  src/racoon/{gcmalloc.h|isakmp.c|isakmp_inf.c|isakmp_xauth.c}
	  src/racoon/{logger.c|misc.h|plog.c|racoonctl.c|sockmisc.c}: Add
	  strdup in the malloc debugging framework, check for strdup failures
	  (found by Coverity)
	* src/racoon/admin.c: Do not use an unallocated pointer (Coverity)
	* src/racoon/schedule.c: Check for NULL pointer
	* src/racoon/{grabmyaddr.c|handler.c|isakmp.c|isakmp_cfg.c}
	  src/racoon/{isakmp_inf.c|isakmp_quick.c|nattraversal.c}: Check
	  that dupsaddr returns non NULL pointers (Coverity)
	* src/racoon/isakmp_quick.c: Ignore multiple notifications in the
	  same message, and do not leak memory (Coverity)
	* src/racoon/{isakmp_agg.c|isakmp_ident.c}: Fix memory leak in
	  GSSAPI code (Coverity)
	* src/racoon/racoonctl.c: fix minor memory leak (Coverity)
	* src/racoon/isakmp.c: fix memory leak (Coverity)
	* src/racoon/{isakmp.c|isakmp_inf.c}: fix phase 1 handler leak (Coverity)

2006-04-05 Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/isakmp_xauth.c: fix uninitialized variable, found by
	  Coverity
	* src/racoon/{isakmp_cfg.c|isakmp_xauth.h|isakmp_xauth.c}: Do not
	  use deleted phase 1 handler after errors, found by Coverity
	* src/racoon/main.c: tell which config file we use
	* src/racoon/isakmp_cfg.c: Do not use deleted phase 1 handler, found
	  by Coverity
	* src/racoon/{isakmp_agg.c|isakmp_ident.c}: Do not use deleted phase 1
	  handler, found by Coverity
	* src/racoon/dnssec.c: do not return a free'd certificate, found by
	  Coverity
	* src/racoon/oakley.c: fix stale pointer alias, found by Coverity
	* src/racoon/throttle.c: do not free current item while walking a
	  chained list, found by Coverity
	* src/racoon/vmbuf.c: handle NULL argument for vdup, found by Coverity

2006-03-18 Emmanuel Dreyfus <manu@netbsd.org>

	From John Nemeth <jnemeth@victoria.tc.ca> and a Coverity scan
	* src/racoon/isakmp_xauth.c: fix memory leak

2006-02-25 Emmanuel Dreyfus <manu@netbsd.org>

	From Thomas Klausner <wiz@NetBSD.org>
	* src/racoon/{cfparse.y|handler.h}: typos

2006-02-23 Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/main.c: do not reset isakmp_cfg structure after
	  config reload.

2006-02-22 Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/vendorid.c: Fixed Vendor IDs order (well, should not
	  be really necessary) and DPD VId hash generation

2006-02-17 Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/{cfparse.y|sainfo.c}: Support for "semi anonymous"
	  sainfos.
	* src/racoon/racoon.conf.5: updated sainfos syntax
	* src/racoon/vendorid.[ch]: IPSec-Tools Vendor ID

2006-02-15 Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/{cfparse.y|cftoken.l}: Parse new generate_policy
	  levels
	* src/racoon/remoteconf.h: defines for REQUIRE/UNIQUE/NONE
	  generate policy levels
	* src/racoon/proposal.c: Sets optional reqid for generated
	  policies
	* src/racoon/pfkey.c: sends UNIQUE policies to kernel if reqid
	  specified
	* src/racoon/racoon.conf.5: updated generate_policy syntax

2006-02-02 Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/isakmp.c: Fixed zombie PH1 handler when isakmp_send()
	  fails in isakmp_ph1resend()

2006-01-17 Frederic Senault <fred@lacave.net>

	* src/racoon/cfparse.y: Add the keyid [ (tag|file) ] semantics to the
	  peers_identifier keyword.

	* src/racoon/{evt.h|isakmp.c|racoonctl.c}: Send a message to the
	  adminsock to allow for racoonctl to stop looping when the
	  vpn-connect command is used and there is no mode config exchange.

2006-01-08 Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/isakmp_cfg.c: make software behave as the documentation
	  advertises for INTERNAL_NETMASK4. Keep the old INTERNAL_MASK4 to
	  avoid breaking backward compatibility.

2005-12-19 Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/session.c: Fixed / cleaned up signal handling.

2005-12-13 Yvan Vanhullebus <vanhu@netasq.com>

	* src/libipsec/samples/*: replaced "obey" mode by "strict" mode.

2005-12-07 Yvan Vanhullebus <vanhu@netasq.com>

	* src/libipsec/pfkey_dump.c: fixed compilation when NAT_T
	  disabled (Fred has still some CVS problems).
	* src/racoon/session.c: Calls isakmp_cfg_init() only if
	  ENABLE_HYBRID in reload_conf().

2005-12-04 Frederic Senault <fred@lacave.net>

	* src/libipsec/{libpfkey.h|pfkey_dump.c}: add a sadump_withports
	  function to display SAD entries with their associated ports.
	* src/setkey/{parse.y|setkey.c|setkey.8}: allow to use setkey -p flag
	  in conjunction with -D to show SADs with the port, allow both get and
	  delete commands to use bracketed ports if needed.

2005-11-26 Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/session.c: fix possible race conditions in signal handlers
	* src/racoon/{isakmp_cfg.c|isakmp_cfg.h|main.c|session.c}: when
	  reloading configuration, do not add new mode_cfg config to the
	  existing one, overwrite it instead.

2005-11-25 Emmanuel Dreyfus <manu@netbsd.org>

	From Thomas Klausner <wiz@netbsd.org>
	* src/racoon/racoon.conf.5: Style changes

2005-11-21 Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/isakmp_[ident|agg].c: Check if natt is available when
	  receiving a NAT_D payload from initiator. It saves a crash,
	  reported by Dave Huang to NetBSD.

2005-11-20 Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/isakmp_agg.c: Check that we got some needed payloads
	  from peer (could cause a DoS). Crash reported by Adrian Portelli
	  using IKE test suite from
	  http://www.ee.oulu.fi/research/ouspg/protos/testing/c09/isakmp/

2005-11-10 Yvan Vanhullebus <vanhu@free.fr>

	Patches from Francis Dupont
	* src/libipsec/key_debug.c: SADB_X_EXT_PACKET support
	* src/libipsec/{libpfkey.h|pfkey.c}: pfkey_send_migrate() function
	* src/setkey/parse.y: IPPROTO_MH support
	* src/racoon/pfkey.c: fixed some logs
	* src/racoon/strnames.c: fixed a typo for SADB_X_PROMISC,
	  appropriate define for SADB_X_NAT_T_NEW_MAPPING, added
	  SADB_X_MIGRATE

2005-11-06 Aidas Kasparas <a.kasparas@gmc.lt>

	* src/racoon/main.c, src/racoon/session.c: moved .pid file writing
	  just before main loop.
	  Thanks Stephen Thorne
	* src/racoon/localconf.h, src/racoon/cftoken.l: introduced
	  path pidfile directive
	* src/racoon/racoon.conf.5: documented above
	* configure.ac: OpenSSL 0.9.8 compilation fix. Thanks Ganesan
	  Rajagopal
	* configure.ac: added check for strlcat function
	* src/racoon/misc.h: define strlcat function for systems without one
	* src/racoon/remoteconf.c: strncat -> strlcat

2005-11-01 Aidas Kasparas <a.kasparas@gmc.lt>

	* src/racoon/isakmp_inf.c: repeated gcc-4.0 build fix. Thanks
	  Andreas Tobler

2005-10-30 Yvan Vanhullebus <vanhu@netasq.com>

	Patches from Christoph Nadig for compilation on MacOS X
	* configure.ac: no lcrypt for darwin
	* src/libipsec/key_debug.c: include stdint.h if HAVE_STDINT_H
	* src/racoon/isakmp_cfg.c: some includes and some %zu
	* src/racoon/isakmp_unity.c: fixed a %zu
	* src/racoon/vmbuf.h: vfree already defined for Apple

2005-10-17 Aidas Kasparas <a.kasparas@gmc.lt>

	Introduced subnet sainfo type.
	* src/racoon/cftoken.l: new token "subnet"
	* src/racoon/cfparse.y: added address/subnet differentiation logic
	* src/racoon/ipsec_doi.h: new constant
	* src/racoon/ipsec_doi.c: adapted to above
	* src/racoon/racoon.conf.5: documented above

2005-09-14 Emmanuel Dreyfus <manu@netbsd.org>

	* src/libipsec/pfkey.c: One forgotten cast caddr_t -> void *

2005-10-14 Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/ipsec_doi.c: don't allow NULL or empty FQDNs or
	  USER_FQDNs (problem reported by Bernhard Suttner).

2005-09-10 Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/{isakmp.c|isakmp_cfg.c|isakmp_inf.c}
	  src/racoon/doc/FAQ configure.ac: Add --enable-broken-natt for
	  kernel implementing NAT-T but unable to cope with IKE ports in
	  SAD and SPD.
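The 2005-11-20 and 2005-11-21 entries above (isakmp_agg.c: check that the needed payloads were actually received; isakmp_[ident|agg].c: check that NAT-T is available before handling a NAT_D payload) describe the class of responder crash the PROTOS c09 ISAKMP test suite finds: a payload chain that is acted upon before anyone has confirmed what it contains. The following Python is an added example and is not racoon's code or anything from the ipsec-tools project. It shows a bounds-checked walk of an ISAKMP (RFC 2408) payload chain and the checks a responder should run on an aggressive mode message 1 before creating any phase 1 state: every length is validated before it becomes an offset, mandatory payloads (SA, KE, Nonce, ID per RFC 2409) must be present, and NAT-D payloads are dropped when NAT-T support is not available. The sample datagrams are constructed here, and the function names (parse_payloads, check_agg_msg1, build_isakmp, verdict) are this example's own.

```python
import struct

# ISAKMP (RFC 2408) fixed header and generic payload header sizes
ISAKMP_HDR_LEN = 28
GENERIC_HDR_LEN = 4
EXCH_AGGRESSIVE = 4

# Payload type numbers from RFC 2408 (NAT-D is from RFC 3947)
PAYLOAD_NONE = 0
PAYLOAD_SA = 1
PAYLOAD_KE = 4
PAYLOAD_ID = 5
PAYLOAD_NONCE = 10
PAYLOAD_VID = 13
PAYLOAD_NAT_D = 20

# Aggressive mode message 1 is HDR, SA, KE, Ni, IDii (RFC 2409 section 5.4)
AGG_MSG1_REQUIRED = {PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_NONCE, PAYLOAD_ID}


class IsakmpError(ValueError):
    """Raised for any datagram the responder should drop instead of process."""


def parse_payloads(pkt):
    """Walk the ISAKMP payload chain with bounds checks.

    Returns (exchange_type, [(payload_type, body), ...]). Every length is
    validated before it is used as an offset, so a short or lying datagram
    raises IsakmpError instead of being read out of bounds.
    """
    if len(pkt) < ISAKMP_HDR_LEN:
        raise IsakmpError("truncated ISAKMP header (%d bytes)" % len(pkt))
    _icookie, _rcookie, np, _ver, exch, _flags, _msgid, length = struct.unpack(
        "!8s8sBBBBII", pkt[:ISAKMP_HDR_LEN])
    if length != len(pkt):
        raise IsakmpError("header length %d != datagram length %d" % (length, len(pkt)))
    payloads = []
    off = ISAKMP_HDR_LEN
    while np != PAYLOAD_NONE:
        if off + GENERIC_HDR_LEN > len(pkt):
            raise IsakmpError("truncated payload header at offset %d" % off)
        next_np, _reserved, plen = struct.unpack("!BBH", pkt[off:off + GENERIC_HDR_LEN])
        # plen < 4 would loop forever; plen past the end would read garbage
        if plen < GENERIC_HDR_LEN or off + plen > len(pkt):
            raise IsakmpError("bad payload length %d at offset %d" % (plen, off))
        payloads.append((np, pkt[off + GENERIC_HDR_LEN:off + plen]))
        off += plen
        np = next_np
    if off != len(pkt):
        raise IsakmpError("%d trailing bytes after last payload" % (len(pkt) - off))
    return exch, payloads


def check_agg_msg1(pkt, natt_enabled=True):
    """Validate an aggressive mode message 1 before any state is touched.

    Rejects the datagram if a mandatory payload is absent (the crash class the
    PROTOS c09 suite triggers) and drops NAT-D payloads when NAT-T is not
    available, instead of handing them to code that is not there.
    """
    exch, payloads = parse_payloads(pkt)
    if exch != EXCH_AGGRESSIVE:
        raise IsakmpError("exchange type %d is not aggressive mode" % exch)
    missing = AGG_MSG1_REQUIRED - {ptype for ptype, _ in payloads}
    if missing:
        raise IsakmpError("missing mandatory payloads %s" % sorted(missing))
    if not natt_enabled:
        payloads = [(t, b) for t, b in payloads if t != PAYLOAD_NAT_D]
    return payloads


def build_isakmp(exch, payloads):
    """Assemble a datagram from (type, body) pairs; constructed test input only."""
    body = b""
    for i, (_ptype, pbody) in enumerate(payloads):
        next_np = payloads[i + 1][0] if i + 1 < len(payloads) else PAYLOAD_NONE
        body += struct.pack("!BBH", next_np, 0, GENERIC_HDR_LEN + len(pbody)) + pbody
    first = payloads[0][0] if payloads else PAYLOAD_NONE
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, first, 0x10,
                      exch, 0, 0, ISAKMP_HDR_LEN + len(body))
    return hdr + body


def verdict(pkt, natt_enabled=True):
    """Accept/reject string, so the checks can be exercised on sample input."""
    try:
        kinds = [t for t, _ in check_agg_msg1(pkt, natt_enabled)]
        return "accept %s" % kinds
    except IsakmpError as err:
        return "reject: %s" % err


# Constructed sample datagrams (not captured traffic): bodies are filler,
# only the framing matters for these checks.
SA_BODY = b"\x00\x00\x00\x01" + b"\x00" * 8          # DOI=IPsec, dummy situation
ID_BODY = b"\x01\x11\x01\xf4" + b"\x0a\x00\x00\x01"  # IPV4_ADDR, UDP/500, 10.0.0.1
GOOD = build_isakmp(EXCH_AGGRESSIVE, [
    (PAYLOAD_SA, SA_BODY), (PAYLOAD_KE, b"\x01" * 16),
    (PAYLOAD_NONCE, b"\x02" * 16), (PAYLOAD_ID, ID_BODY), (PAYLOAD_VID, b"demo")])
NO_NONCE = build_isakmp(EXCH_AGGRESSIVE, [
    (PAYLOAD_SA, SA_BODY), (PAYLOAD_KE, b"\x01" * 16), (PAYLOAD_ID, ID_BODY)])
WITH_NAT_D = build_isakmp(EXCH_AGGRESSIVE, [
    (PAYLOAD_SA, SA_BODY), (PAYLOAD_KE, b"\x01" * 16), (PAYLOAD_NONCE, b"\x02" * 16),
    (PAYLOAD_ID, ID_BODY), (PAYLOAD_NAT_D, b"\x03" * 20)])
# Same as GOOD, but the first payload claims a length running past the datagram
OVERLONG = GOOD[:ISAKMP_HDR_LEN + 2] + b"\xff\xff" + GOOD[ISAKMP_HDR_LEN + 4:]

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("no_nonce", NO_NONCE), ("overlong", OVERLONG)):
        print(name, verdict(pkt))
    print("nat_d_without_natt", verdict(WITH_NAT_D, natt_enabled=False))
```

Run it directly to see the accept/reject verdicts for each constructed datagram. The property worth copying is the ordering: framing is validated first, the presence of every mandatory payload second, and only then would a real responder allocate a phase 1 handler and start looking inside the SA, KE, Nonce and ID bodies.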

2005-09-05 Emmanuel Dreyfus <manu@netbsd.org>

	From Wilfried Weissmann:
	* src/libipsec/policy_parse.y src/racoon/oakley.c
	  src/racoon/{sockmisc.c|sockmisc.h}: build fixes

2005-09-03 Emmanuel Dreyfus <manu@netbsd.org>

	From Francis Dupont <Francis.Dupont@enst-bretagne.fr>
	* src/libipsec/pfkey.c src/racoon/pfkey.c: Cope with extensions

2005-08-26 Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/evt.c: Fix memory leak when event queue overflows

2005-08-23 Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/{isakmp_agg.c|isakmp_ident.c|isakmp_base.c}: Correctly
	  initialize NAT-T VID to avoid freeing unallocated stuff.

2005-08-21 Emmanuel Dreyfus <manu@netbsd.org>

	From Matthias Scheler <matthias.scheler@tadpole.com>
	* src/racoon/{isakmp_cfg.c|racoon.conf.5}: enable the use of
	  ISAKMP mode config without Xauth.

2005-08-16 Emmanuel Dreyfus <manu@netbsd.org>

	From Thomas Klausner <wiz@netbsd.org>
	* src/setkey/setkey.8: remove trailing whitespaces

2005-09-09 Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/policy.c: Do not parse all sptree in inssp() if we
	  don't use Policies priority.

2005-08-20 Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/handler.c: Fixed a possible crash in
	  remove_ph2(). Reported by Dietmar Eggemann.

2005-08-14 Emmanuel Dreyfus <manu@netbsd.org>

	From Francis Dupont <Francis.Dupont@enst-bretagne.fr>
	* src/racoon/dnssec.c: fix bogus test on function result

2005-08-11 Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/isakmp.c: Improved in/out SA addresses check in
	  purge_remote(). Reported by Patrick Ma.

2005-08-08 Emmanuel Dreyfus <manu@netbsd.org>

	* src/libipsec/{key_debug.c|pfkey.c|pfkey_dump.c}: de-lint, warnings

2005-08-08 Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/privsep.c: Fixed a %d -> %zu in
	  port_check() (reported by Matthias Scheler).

2005-08-04 Emmanuel Dreyfus <manu@netbsd.org>

	* configure.ac: correctly quote RACOON_PATH_LIBS arguments

2005-08-02 Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/isakmp_inf.c: First fix to
	  info_recv_initialcontact(): do a basic IP check when no NAT-T.

2005-07-26 Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/isakmp.c: Fixed purge_remote()

2005-07-25 Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/isakmp.c: Do not purge IPSec SAs in purge_remote() if
	  a new ph1handle exists (patch by Krzysztof Oledzki)

2005-07-20 Aidas Kasparas <a.kasparas@gmc.lt>

	* configure.ac: disabled --enable-samode-unspec under linux

2005-07-20 Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/isakmp_quick.c: Ignore NATOA payloads in
	  quick_r1recv() as it is done in quick_i2recv().
	* configure.ac: new --enable-fastquit option
	* src/racoon/session.c: new optional code when flushing SAs,
	  which is faster and should have no deadlocks. configure
	  --enable-fastquit option to enable it.

2005-07-19 Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/isakmp.c: Checks in isakmp_ph1begin_r() if we got the
	  packet from NAT-T port, and set up the NAT_PORTS_CHANGED in that
	  case (RFC 3947, sect 4, we MUST allow new phase1 negotiations on
	  NAT-T floated port), to correctly generate the reply.

2005-07-16 Aidas Kasparas <a.kasparas@gmc.lt>

	* src/racoon/grabmyaddr.c: fixed file descriptor leak.
	  Thanks to Patrice Fournier
	* src/racoon/setkey.c: disabled readline's filename completion
	  (bug 1179281 fix)
	* src/racoon/proposal.c: fixed mode selection for SAs with
	  complex_bundle on behind NAT

2005-07-14 Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/handler.c: - Clears the DPD schedule in delph1()
	                        - Cleaned up sanity checks in delph1()
	                        - Sets p->rmconf to NULL if no new
	                          remoteconf in revalidate_ph1tree_rmconf()
	* src/racoon/isakmp.c: Added sanity checks in script_hook()
	* src/racoon/oakley.c: Sanity check in save_certbuf()

2005-07-13 Emmanuel Dreyfus <manu@netbsd.org>

	* src/setkey/Makefile.am: missing file in distribution

2005-07-12 Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/isakmp.c: Fixed a mem leak in isakmp_send().

2005-07-12 Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/pfkey.c: Set IKE ports to 0 in the SA when NAT-T is not
	  used.
	* src/racoon/{crypto_openssl.c|ipsec_doi.c|oakley.c} configure.ac
	  src/racoon/missing/crypto/sha2/sha2.h: Support OpenSSL-0.9.8
	* src/racoon/{admin.c|session.c}: Don't use the adminport if it is
	  disabled
	* src/racoon/samples/roadwarrior/client/{phase1-up.sh|phase1-down.sh}:
	  Add comments for using the scripts without NAT-T

2005-07-11 Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/ipsec_doi.c configure.ac: More build fixes on Linux.
	  Accommodate various libiconv versions

2005-07-10 Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/ipsec_doi.c configure.ac: build fixes on Linux.
	  Accommodate various libiconv versions

2005-07-09 Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/crypto_openssl.c: Fixed evp_crypt when using crypto
	  algorithms with variable key size but not OpenSSL default key
	  size.

2005-07-07 Emmanuel Dreyfus <manu@netbsd.org>

	From Matthias Scheler <tron@netbsd.org>
	* src/racoon/racoon.conf.5: Document that aes can be used in
	  racoon.conf

2005-07-06 Frederic Senault <fred@lacave.net>

	* src/setkey/setkey.c: fix compilation with readline.
	* src/racoon/oakley.c: move declarations to fix compilation issues
	  with gcc 2.95.4/FreeBSD4, re-indentation and style cleanup of the
	  pkcs7 patch.

2005-07-04 Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/isakmp_inf.c: safety checks on informational messages
	* src/racoon/{pfkey.c|proposal.c}: IPcomp fixes

2005-07-01 Emmanuel Dreyfus <manu@netbsd.org>

	From Uri Blumenthal <urimobile@optonline.net>:
	* src/racoon/{ipsec_doi.c|Makefile.am}: Linux build fixes
	* src/racoon/oakley.c: pkcs7 support

2005-06-29 Emmanuel Dreyfus <manu@netbsd.org>

	From Christos Zoulas <christos@zoulas.com>
	* configure.ac src/setkey/{parse.y|setkey.c|token.l}
	  src/libipsec/{ipsec_dump_policy.c|ipsec_get_policylen.c|key_debug.c}
	  src/libipsec/{libpfkey.h|pfkey_dump.c|policy_parse.y}: de-lint,
	  using void * instead of caddr_t and adding const where appropriate.
	* src/setkey/extern.h: new file
	* src/libipsec/{pfkey.c|pfkey_dump.c|policy_parse.y}
	  src/racoon/{sockmisc.c|sockmisc.h}: de-lint signed/unsigned,
	  size_t/int and lint constants

2005-06-24 Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/handler.c: Fixed phase2 enc algo check when reloading
	  conf (could flush a phase2 handler when not needed).

2005-06-19 Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/{admin.c|handler.c|handler.h|racoonctl.c|racoonctl.h}
	  src/racoon/racoonctl.8:
	  Add a logout-user command to racoonctl to kick out all SAs for a
	  given Xauth user

	From Ludo Stellingwerff <ludo@protactive.nl>:
	* src/racoon/isakmp.c: NAT-T fix: We treat null ports in SPD as
	  wildcard so that IKE ports are used instead. This was done on
	  phase 2 initiation from the kernel (acquire message), but not
	  on phase 2 initiation retries when the phase 2 had been queued
	  for a phase 1.

	From Uri Blumenthal <urimobile@optonline.net>
	and Larry Baird <lab@gta.com>:
	* src/libipsec/pfkey_dump.c src/setkey/test-pfkey.c
	  src/racoon/{algorithm.c|cftoken.l|eaytest.c|ipsec_doi.c}
	  src/racoon/{ipsec_doi.h|pfkey.c|strnames.c}: Add SHA2 support
	* src/setkey/setkey.8 src/racoon/racoon.conf.5: update doc for SHA2
	* src/setkey/token.l: Add aliases shaxxx for sha2_xxx

2005-06-07 Emmanuel Dreyfus <manu@netbsd.org>

	From Larry Baird <lab@gta.com>
	* src/racoon/isakmp.c: consume NAT keepalive data already seen
	  with MSG_PEEK

2005-06-07 Frederic Senault <fred@lacave.net>

	* configure.ac src/racoon/{cfparse.y|isakmp_cfg.h|isakmp_cfg.c}
	  src/racoon/{handler.c|privsep.c|privsep.h|racoon.conf.5}: Add
	  support for system accounting into the utmp files, with the
	  "accounting system" directive.

	* src/privsep.c: Bug fixes in the xauth password handling code.

2005-06-06 Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/isakmp_quick.c: endianness bug fix

2005-06-05 Emmanuel Dreyfus <manu@netbsd.org>

	From Thomas Klausner <wiz@netbsd.org>
	* src/setkey/setkey.8 src/racoon/racoon.conf.5: remove trailing
	  spaces, grammar fix

2005-05-31 Aidas Kasparas <a.kasparas@gmc.lt>

	* src/racoon/ipsec_doi.c: Inserted missing 0th element of
	  rm_idtype2doi array. Bug #1199700 fix.

2005-05-30 Frederic Senault <fred@lacave.net>

	* src/racoon/oakley.h: Fix a typo in the RMAUTHMETHOD macro
	  definition.

	* src/racoon/isakmp_cfg.c: Fix the switch so that the phase1 script
	  is executed at the end of the mode cfg exchange ; add a debug
	  message at the script startup.

2005-05-23 Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/admin.c: build fix

2005-05-20 Emmanuel Dreyfus <manu@netbsd.org>

	From Mike Robinson <sundialservices@users.sourceforge.net>
	* src/racoon/isakmp_xauth.c: really delete phase 1 on Xauth failure

	* src/libipsec/pfkey.c src/racoon/ipsec_doi.c: Fix NAT-T + IPcomp

	From hgates <hgates.lists@gmail.com>
	* src/racoon/proposal.c: fix SPI size test for IPcomp

	From Larry Baird <lab@gta.com>
	* src/racoon/{handler.c|ipsec_doi.c}: When altering lifetime,
	  duplicate the proposal instead of modifying the configured one.

2005-05-19 Frederic Senault <fred@lacave.net>

	* configure.ac src/racoon/plog.c: Fix the logging functions to work
	  around the lack of support of printf %zu in FreeBSD 4 (at least).

	* src/racoon/{isakmp.c|pfkey.c}: Put sockets in non-blocking mode to
	  fix a hangup with FreeBSD 4.

	* src/racoon/{isakmp_inf.c|isakmp_unity.h|strnames.c}: Recognize a
	  unity-specific heartbeat message.
	* src/racoon/isakmp_inf.c: Reorganize switch statement in
	  isakmp_check_notify.

2005-05-17 Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/handler.c: Fixed exchange type check in
	  revalidate_ph1().
	* src/racoon/pfkey.c: changed includes order to fix compilation.

2005-05-14 Emmanuel Dreyfus <manu@netbsd.org>

	* src/libipsec/policy_parse.y: Fix parse problem

2005-05-14 Aidas Kasparas <a.kasparas@gmc.lt>

	* src/racoon/sockmisc.c: Debug message said it will send to
	  source address instead of destination.

2005-05-13 Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/isakmp_inf.c: fix build problem

2005-05-13 Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/isakmp.c: Fixed a double ph2handler free in
	  isakmp_ph2begin_i().

2005-05-12 Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/isakmp_quick.c: fix build problem on some platforms

	* src/racoon/isakmp.c: For acquire messages, when NAT-T is in use,
	  consider null port as a wildcard and use IKE ports.

2005-05-10 Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/samples/roadwarrior/server/{racoon.conf|racoon.conf-radius}
	  src/racoon/samples/roadwarrior/server/phase1-down.sh: removed file
	  src/racoon/samples/roadwarrior/client/racoon.conf: update config
	  files to higher security settings. Remove now useless phase 1 down
	  script on server side.
	* Update README to reflect server/phase1-down.sh removal

2005-05-09 Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/{cftoken.l|cfparse.y|isakmp_cfg.c|isakmp_cfg.h}
	  src/racoon/{isakmp_unity.c|racoon.conf.5}: Add PFS group and
	  save password extensions from Cisco in ISAKMP mode config.

2005-05-08 Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/{handler.c|ipsec_doi.c|proposal.c}: check for lifebyte
	  in proposals
	* src/racoon/ipsec_doi.c: fix a bug in proposal_check claim for phase 1
	* src/racoon/handler.c: style

	* src/racoon/isakmp_xauth.c: fix build with shadow passwords

2005-05-07 Emmanuel Dreyfus <manu@netbsd.org>

	* configure.ac src/racoon/isakmp_xauth.c: support shadow passwords
	* src/racoon/{isakmp_inf.c|isakmp_inf.h}: missing prototype
	* src/racoon/{handler.h|isakmp_inf.c|isakmp_quick.c|isakmp_var.h}
	  src/racoon/pfkey.c: Move purge_remote() and delete_spd() prototypes
	  to the right header file

2005-05-06 Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/{admin.c|isakmp.c|isakmp_inf.c}: factor various
	  ISAKMP SA termination (for DPD timeouts and delete message) to
	  use purge_remote() so that SA and generated SPD get correctly flushed
	* src/racoon/{handler.c|handler.h}: Introduce getph1byaddrwop() and
	  getph2bysaddr()
	* src/racoon/{isakmp.c|isakmp_var.h|isakmp_inf.c|isakmp_inf.h}: make
	  purge_remote(), setscopeid() and delete_spd() public
	* src/racoon/isakmp_quick.c: remove duplicated setscopeid()
	* src/racoon/{sockmisc.c|sockmisc.h}: introduce a CMPSADDR() macro
	  to compare with ports when ENABLE_NATT and without otherwise

2005-05-06 Frederic Senault <fred@lacave.net>

	* src/racoon/isakmp_inf.c: Only print the contents of an informative
	  message if the payload indicates an error ; transmit the return
	  values from the DPD functions.

2005-05-06 Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/isakmp_inf.c: Fix a bug causing informational message
	  payloads to be ignored

2005-05-05 Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/isakmp_inf.c: Fixed some potential crashes in
	  purge_remote() and purge_ipsec_spi().

2005-05-05 Emmanuel Dreyfus <manu@netbsd.org>

	* src/libipsec/{policy_parse.y|policy_token.l}
	  src/setkey/{setkey.8|token.l}: Allow ports to be supplied in SP
	  endpoints, for accurate ESP over UDP matching
	* src/racoon/{isakmp.c|racoon.conf.5}: Send IKE local and remote
	  ports to the hook scripts
	* src/racoon/remoteconf.c: do not honour ports when looking up
	  a remote config, as our remote configs have no port information
	* src/racoon/samples/roadwarrior/client/{phase1-up.sh|phase1-down.sh}:
	  use the IKE ports supplied by racoon to set up accurate endpoint
	  ports in SP endpoints

2005-05-04 Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/isakmp_inf.c: code cleanup for SPD remove, generated
	  policies are now also removed on DPD purge.

2005-05-04 Emmanuel Dreyfus <manu@netbsd.org>

	From Manisha Malla <mmanisha@novell.com>
	* src/racoon/isakmp_cfg.c: fix unsigned int checked for being negative

	From Ludo Stellingwerff <ludo@protactive.nl>
	* src/setkey/{parse.y|token.l}: build on systems that do not have
	  TCP-MD5 support

2005-05-04 Michal Ludvig <michal@logix.cz>

	* configure.ac: Revert GLIBC_BUGS change from 2005-04-15

2005-05-03 Frederic Senault <fred@lacave.net>

	* src/racoon/{cfparse.y|cftoken.l|isakmp_inf.c|racoon.conf.5}
	  src/racoon/{remoteconf.c|remoteconf.h}: Add a weak_phase1_check
	  option to enable the handling of unencrypted delete payloads.

	* src/racoon/plog.c: Use of isgraph in binsanitize.

	* src/racoon/rfc/rfc3706.txt: new file: Dead Peer Detection RFC.

	* src/racoon/isakmp_inf.c: Unused code cleanup.

2005-04-26 Emmanuel Dreyfus <manu@netbsd.org>

	* bootstrap: Darwin support

	From Larry Baird <lab@gta.com>
	* src/racoon/nattraversal.c: Fix NAT-T for initiator

	From Andreas Tobler <toa@pop.agri.ch>:
	* src/racoon/{misc.h|throttle.c|remoteconf.c|sockmisc.c|privsep.c}
	  src/racoon/{pfkey.c|isakmp.c|grabmyaddr.c|getcertsbyname.c}
	  src/racoon/configure.ac src/libipsec/policy_token.l
	  src/setkey/token.l: Build on Darwin

2005-04-25 Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/handler.h: ifdef DPD and NAT-T data in data structures

	* src/libipsec/{ipsec_dump_policy.c|pfkey_dump.c|libpfkey.h}
	  src/setkey/{setkey.8|setkey.c}: add a -p option to setkey to
	  enable the display of ESP over UDP ports in policies.

	* src/racoon/ipsec_doi.c: fix LP64 bug

	From Ludo Stellingwerff <ludo@protactive.nl>:
	* src/racoon/isakmp.c: build without NAT-T

	From F. Senault <fred.letter@lacave.net>
	* src/racoon/{evt.h|isakmp.h|isakmp_inf.c|plog.c|plog.h|racoonctl.c}
	  src/racoon/isakmp_xauth.c: Take into account payloads bundled after
	  an ISAKMP informational message.

	From Patrick McHardy <kaber@trash.net>
	* src/racoon/{handler.c|handler.h|pfkey.c}: When handling acquire
	  message, lookup phase 2 by (src, dst, id) instead of only id.

2005-04-23 Emmanuel Dreyfus <manu@netbsd.org>

	* src/libipsec/ipsec_dump_policy.c: display port numbers in policies
	* src/racoon/{isakmp.c|isakmp_cfg.c|isakmp_inf.c|pfkey.c}: don't
	  forget port numbers so that multiple clients behind the same NAT
	  can work.

	From Larry Baird <lab@gta.com>
	* src/racoon/{isakmp.c|nattraversal.c|isakmp_quick.c|nattraversal.h}:
	  NAT-T fixes for interoperability with greenbow VPN client.

2005-04-21  Aidas Kasparas <a.kasparas@gmc.lt>

	* src/libipsec/policy.parse.y, src/racoon/cfparse.y,
	src/libipsec/policy_parse.y, src/racoon/cfparse.y,
	src/racoon/cftoken.l, src/racoon/crypto_openssl.c,
	src/racoon/getcertsbyname.c, src/racoon/grabmyaddr.c,
	src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
	src/racoon/isakmp_inf.c, src/racoon/pfkey.c,
	src/racoon/plainrsa-gen.c, src/racoon/sockmisc.c,
	src/racoon/sockmisc.h, src/racoon/racoonctl.c: made compile
	with gcc-4.0 (20050410 prerelease)

2005-04-20  Aidas Kasparas <a.kasparas@gmc.lt>

	From: Ganesan Rajagopal <rganesan@users.sourceforge.net>
	* configure.ac: fix --enable-ipv6 logic

2005-04-19  Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/remoteconf.c: fixed dupisakmpsa() and dhgroup.

2005-04-18  Aidas Kasparas <a.kasparas@gmc.lt>

	* src/racoon/crypto_openssl.c: fixed single DES support;
	* NEWS: noted fix

2005-04-18  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/isakmp_base.c: DPD support, fix memory leak

	From Thomas Klausner <wiz@NetBSD.org>
	* src/libipsec/{ipsec_set_policy.3|ipsec_strerror.3}
	src/racoon/{admin.c|plainrsa-gen.8|racoon.8|racoon.conf.5|racoonctl.8}
	src/racoon/samples/{racoon.conf.in|racoon.conf.sample}
	src/racoon/samples/racoon.conf.sample-gssapi
	src/racoon/samples/racoon.conf.sample-inherit
	src/racoon/samples/racoon.conf.sample-natt
	src/racoon/samples/racoon.conf.sample-plainrsa
	src/racoon/samples/roadwarrior/README
	src/racoon/samples/roadwarrior/server/phase1-down.sh
	src/setkey/setkey.8: documentation fixes

	From KAME
	* src/racoon/ipsec_doi.c: wrong check on SA lifebyte

	From Fred Senault <fred.letter@lacave.net>
	* src/racoon/{cfparse.y|cftoken.l}: drop split_net_type directive,
	which is now incorporated into split_net_tunnels
	* src/racoon/{isakmp.c|isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c}
	src/racoon/isakmp_xauth.h: support login and password sent
	in different packets during the Xauth exchange. This makes racoon
	interoperable with SecureComputing's sidewinder
	* src/racoon/{strnames.c|strnames.h}: more debug strings for Xauth

2005-04-17  Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/handler.c: Configuration reload validation code
	* src/racoon/handler.h: revalidate_ph12() function
	* src/racoon/ipsec_doi.c: duplicates iph1->approval in
	get_ph1approval(), some fields set to NULL when needed
	* src/racoon/isakmp_inf.[ch]: purge_ipsec_spi() is now public
	* src/racoon/localconf.[ch]: save/restore_params() functions
	* src/racoon/main.c: moved restore_params functions to localconf
	* src/racoon/remoteconf.c: save_rmconf() functions, dupisakmpsa()
	function, some values set to NULL when needed
	* src/racoon/remoteconf.h: save_rmconf() functions, dupisakmpsa()
	function
	* src/racoon/sainfo.[ch]: save_sainfotree() functions
	* src/racoon/session.c: Reloads conf on a SIGHUP without losing
	existing tunnels

2005-04-15  Aidas Kasparas <a.kasparas@gmc.lt>

	From Zilvinas Valinskas <zilvinas@gemtek.lt>:
	* configure.ac:
	  - cross-compile type fix (patch 1);
	  - --enable-{frag|hybrid}=no fixes (patches 6,7);
	  - support for --with-flex, --with-flexlib (patch 11);
	  - GLIBC_BUGS assignment correction (patch 14 with mods).
	* src/racoon/isakmp.c: fix compilation when hybrid disabled.

2005-04-11  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/rfc/{rfc2407.txt|rfc2408.txt}: new files
	RFC for IPsec DOI and ISAKMP

2005-04-10  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/isakmp_base.c: resurrect RSASIG support
	* src/racoon/isakmp_ident.c: missing support for hybrid auth
	* src/racoon/{isakmp_base.c|oakley.c}: missing bits for hybrid/base mode

2005-04-09  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/{algorithm.c|algorithm.h|cftoken.l|ipsec_doi.c}
	src/racoon/{isakmp.c|isakmp_agg.c|isakmp_ident.c|isakmp_base.c}
	src/racoon/{isakmp_frag.h|isakmp_xauth.c|oakley.c|racoon.conf.5}:
	Add Xauth + RSASIG, for client and server. Add all Xauth and
	IKE fragmentation logic to base and ident mode.
	* src/libipsec/{pfkey.c|pfkey_dump.c}
	src/setkey/parse.y: more missing TCP_MD5 bits from KAME

2005-04-08  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/cfparse.y: a list of networks can be specified for split
	tunnelling
	* src/racoon/{isakmp_cfg.c|racoon.conf.5}: add INTERNAL_CIDR4, the
	netmask in CIDR notation, to the hook script environment.
	* src/setkey/{token.l|parse.y|setkey.8}: KAME backport of missing
	bits for TCP_MD5 support.

	From Fred Senault <fred.letter@lacave.net>
	* src/racoon/{cfparse.y|cftoken.l|ipsec_doi.c|ipsec_doi.h}
	src/racoon/racoon.conf.5: KEYID identifier can be taken from
	a file or from a quoted string

2005-04-05  Emmanuel Dreyfus <manu@netbsd.org>

	From Fred Senault <fred.letter@lacave.net>
	* src/racoon/admin.c: fix the admin interface that was left behind
	after recent Xauth changes
	* src/racoon/{cfparse.y|isakmp_xauth.c|isakmp_xauth.h|oakley.c}
	src/racoon/{remoteconf.c|remoteconf.h}: factor Xauth info in
	remote conf within a single structure.
	* src/racoon/{isakmp.c|isakmp_cfg.c}: on client side, do not run
	phase1-up script before ISAKMP mode config is done
	* src/racoon/isakmp_inf.c: log a buggy condition
	* src/racoon/{isakmp.c|isakmp_agg.c|isakmp_base.c|isakmp_ident.c}
	src/racoon/{oakley.c|oakley.h}: Use the AUTHMETHOD macro to
	distinguish between XAUTH PSK and Kerberos authentications
	* src/racoon/{oakley.c|remoteconf.c}: set a default for certificate
	requests
	* src/racoon/isakmp_xauth.c: Fix serious security bug introduced
	on 2005-03-09: Xauth validation was required for phase 2 on the
	client (thus blocking phase 2), but not on the server (thus
	making it open regardless of Xauth exchange).
	* src/racoon/vendorid.c: dump unknown VIDs


2005-04-06  Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/crypto_openssl.c: Disable OpenSSL padding in
	evp_crypt(), because it may cause some interoperability problems.
	Solution reported by Ganesan Rajagopal.

2005-04-05  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/main.c: build with hybrid but without libradius

2005-04-05  Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/handler.h: added a flag to identify generated policies
	* src/racoon/isakmp.c: changed logging in isakmp_ph1expire()
	* src/racoon/isakmp_inf.c: use iph2->generated_spidx to check if
	policies have been generated in purge_remote_spi()
	* src/racoon/isakmp_quick.c: sets iph2->generated_spidx for
	generated policies
	* src/racoon/pfkey.c: reactivated the unbindph12() in pk_recvupdate()

2005-04-04  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/isakmp_cfg.c: fix a buffer overrun in mode config SET

2005-03-30  Michal Ludvig <michal@logix.cz>

	* configure.ac: Don't compile with NAT-T by default (according to
	documentation, finally :-)

2005-03-27  Michal Ludvig <michal@logix.cz>

	From Zilvinas Valinskas <zilvinas@gemtek.lt>:
	* configure.ac:
	  - Use AC_CHECK_HEADER for kernel headers instead of AC_CHECK_FILE.
	  - Fix OpenSSL check for cross-compilation.
	* acracoon.m4 (RACOON_CHECK_VA_COPY): Allow cross-compilation.
	(RACOON_CHECK_BUGGY_GETADDRINFO): Ditto.

2005-03-16  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/privsep.c: check for NULL path in unsafe_path()
	* src/racoon/privsep.c: missing space

2005-03-15  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/{cfparse.y|cftoken.l|isakmp.c|isakmp_cfg.c|isakmp_cfg.h}
	src/racoon/{isakmp_var.h|isakmp_xauth.c|localconf.h|privsep.c}
	src/racoon/{privsep.h|racoon.conf.5|remoteconf.c|remoteconf.h}
	src/racoon/main.c: Remove most of config dependency from
	privileged instance for upcoming config reload patch.
	* src/racoon/isakmp_cfg.h: fix the application version for Xauth
	* src/racoon/isakmp_cfg.c: only call cleanup_pam when PAM is used

2005-03-14  Emmanuel Dreyfus <manu@netbsd.org>

	* configure.ac: handle correctly dynamic libradius
	* src/racoon/cfparse.y: correctly initialize address pool

2005-03-13  Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/isakmp.c: Fixed a buffer underrun (CAN-2005-0398)

2005-03-09  Emmanuel Dreyfus <manu@netbsd.org>

	From Fred Senault <fred.letter@lacave.net>
	* src/racoon/cfparse.y: endianness bugfix
	* src/racoon/isakmp_xauth.c: off by one bugs in strings
	* src/racoon/oakley.h: missing parenthesis causing bugs

2005-03-09  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/isakmp_xauth.c: fix a crash when using RADIUS auth

2005-03-07  Emmanuel Dreyfus <manu@netbsd.org>

	From Fred Senault <fred.letter@lacave.net>
	* src/racoon/{algorithm.c|algorithm.h|cfparse.y|cftoken.l}
	src/racoon/{handler.c|ipsec_doi.c|ipsec_doi.h|isakmp.c}
	src/racoon/{isakmp_agg.c|isakmp_base.c|isakmp_cfg.c|isakmp_cfg.h}
	src/racoon/{isakmp_ident.c|isakmp_inf.c|isakmp_quick.c}
	src/racoon/{isakmp_unity.c|isakmp_xauth.c|kmpstat.c|oakley.c}
	src/racoon/{oakley.h|plainrsa-gen.8|privsep.c|racoon.conf.5}
	src/racoon/{racoonctl.c|remoteconf.c|remoteconf.h|strnames.c}
	src/racoon/{strnames.h|throttle.c}: Support plain Xauth, split
	tunnelling, multiple DNS & WINS in ISAKMP mode config.

2005-03-02  Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/isakmp_quick.c: tunnel_mode_prop() is now public
	* src/racoon/isakmp_inf.c: fixed compilation if HAVE_POLICY_FWD.

2005-03-01  Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/oakley.c: fixed oakley_newiv2() on errors

2005-02-24  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/privsep.c: safety check port numbers given by the
	unprivileged instance.
	* src/racoon/racoonctl.8: display fixes in racoonctl(8)

2005-02-23  Emmanuel Dreyfus <manu@netbsd.org>

	* configure.ac, src/racoon/{Makefile.am|crypto_openssl.c}: optional
	support for patented algorithms: IDEA and RC5.
	* src/racoon/{isakmp_xauth.c|main.c}: don't initialize RADIUS if it
	is not required in the configuration
	* src/racoon/isakmp.c: do not reject addresses for which kernel
	refused UDP encapsulation, they can still be used for non NAT-T
	traffic (eg: NAT-T enabled racoon on non NAT-T enabled kernel)
	* src/libipsec/libpfkey.h: prefer __inline to inline
	* src/racoon/{cfparse.y|cftoken.l|localconf.c|localconf.h|privsep.c}
	src/racoon/racoon.conf.5: Add chroot capability

2005-02-18  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/{main.c|eaytest.c|plainrsa-gen.c}
	src/setkey/setkey.c: don't use fuzzy paths for package_version.h

2005-02-18  Michal Ludvig <michal@logix.cz>

	* configure.ac, rpm/suse/ipsec-tools.spec.in,
	rpm/suse/Makefile.am: Distribute .spec file with
	resolved version string.
	* src/racoon/Makefile.am: Allow parallel cluster build.

2005-02-17  Emmanuel Dreyfus <manu@netbsd.org>

	From Fred Senault <fred.letter@lacave.net>
	* src/racoon/remoteconf.c: Fix a bug in script init

2005-02-17  Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/ipsec_doi.c: Workaround for phase1 lifetime checks

2005-02-16  Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/isakmp_inf.c: Purge generated SPDs when getting a
	related DELETE_SA
	* src/racoon/pfkey.c: do NOT unbindph12() when SA acquire

2005-02-15  Michal Ludvig <michal@logix.cz>

	* configure.ac: Changed --enable-natt_NN to --enable-natt-versions=NN,NN

---------------------------------------------

Branch for 0.6 created (ipsec-tools-0_6-branch)

2005-02-11  Emmanuel Dreyfus <manu@netbsd.org>

	From Jason Thorpe <thorpej@netbsd.org>
	* src/racoon/samples/racoon.conf.sample-gssapi
	src/racoon/{cfparse.y|cftoken.l|gssapi.c|gssapi.h|ipsec_doi.c}
	src/racoon/{localconf.c|localconf.h|racoon.conf.5}
	configure.ac: Multiple GSSAPI fixes to get interoperability
	with Microsoft IKE.

2005-02-09  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/{cfparse.y|isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c}
	src/racoon/{isakmp_xauth.h|main.c|privsep.c|privsep.h}
	src/racoon/racoon.conf.5: Make PAM work with privilege separation

2005-02-07  Michal Ludvig <michal@logix.cz>

	From Krisztian Kovacs:
	* src/racoon/cfparse.y: Allocate correct space for "struct sockaddr".

2005-01-30  Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/vmbuf.c: bugfix in vrealloc()
	* src/racoon/oakley.c: mem leak fix in INITDHVAL()
	* src/racoon/session.c: mem leak fix in check_flushsa()

2005-01-29  Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/isakmp_{ident|agg}.c: NAT-T cleanup
	* src/racoon/pfkey.c: Uses NATT encaps_type in pk_sendupdate()
	* src/racoon/vendorid.[ch]: NAT-T cleanup, NATT_01 VID
	* src/racoon/nattraversal.[ch]: NATT cleanup, support for all
	drafts (disabled by default) / RFC.
	* src/racoon/isakmp.h: NATT cleanup for NATT RFC support
	* src/racoon/ipsec_doi.h: updated comments about NATT
	* configure.ac: enable-natt_XX options
	* src/racoon/isakmp.c: set UDP_ENCAPS_ESPINUDP_NON_IKE option when needed


2005-01-29  Emmanuel Dreyfus <manu@netbsd.org>

	From Fred Senault <fred@lacave.net>
	* src/racoon/pfkey.c: Update SAD even if NAT-T is disabled, so that
	phase2 can start.

2005-01-23  Emmanuel Dreyfus <manu@netbsd.org>

	* src/setkey/{setkey.8|setkey.c|token.l|parse.y}: implement NetBSD's
	SADB_X_AALG_TCP_MD5. Resurrect setkey -h meaning on NetBSD.

2005-01-22  Emmanuel Dreyfus <manu@netbsd.org>

	From Fred Senault <fred@lacave.net>
	* src/racoon/{cftoken.l|cfparse.y|racoon.conf.5}
	src/racoon/samples/roadwarrior/README: change "my_identifier login"
	into "xauth_login" in the config file so that we can introduce Xauth
	with a pre-shared key later.

2005-01-21  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/samples/roadwarrior/client/{phase1-up.sh|phase1-down.sh}:
	workaround Linux problems. This needs a better fix.

2005-01-18  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/privsep.c: build without ENABLE_HYBRID

2005-01-14  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/rfc/{rfc3947.txt|rfc3948.txt}: new files (NAT-T)

2005-01-13  Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/ipsec_doi.c: Uses proposal_check value to check phase
	1 lifetime.
	* src/racoon/racoon.conf.5: Updated racoon man page for phase 1
	lifetime check / proposal_check.

2005-01-11  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/isakmp_quick.c: endianness bugfix from KAME

2005-01-07  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/{cfparse.y|cftoken.l|nattraversal.h|pfkey.c}
	src/racoon/{racoon.conf.5|remoteconf.c|remoteconf.h}
	src/libipsec/{libpfkey.h|pfkey.c}: ESP fragmentation size is
	now configurable (supported only on NetBSD so far).

2005-01-05  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/privsep.c: Build again on Linux with privsep

2005-01-03  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/{isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c|isakmp_xauth.h}
	src/racoon/{cfparse.y|cftoken.l|racoon.conf.5}
	src/racoon/doc/FAQ
	configure.ac: PAM support for authentication and accounting in
	hybrid auth

2005-01-02  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/admin.c: never fork, it buys nothing and breaks on some
	operations

2004-12-30  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/{Makefile.am|admin.h|cfparse.y|cftoken.l|isakmp.c}
	src/racoon/{isakmp_cfg.c|isakmp_cfg.h|isakmp_var.h|isakmp_xauth.c}
	src/racoon/{localconf.c|localconf.h|main.c|oakley.c|pfkey.c}
	src/racoon/{racoon.conf.5|remoteconf.c|remoteconf.h|session.c}
	src/racoon/{privsep.c|privsep.h}: new files
	Privilege separation

	* src/racoon/{Makefile.am|admin.h|admin_var.h|kmpstat.c}
	src/racoon/{racoonctl.c|racoonctl.h}: new files
	configure.ac: publicly export the adminport interface so that
	external programs can control racoon

	* src/racoon/{racoonctl.c|racoonctl.h|kmpstat.c}: Add interface
	versioning

	* src/racoon/admin.h: make sure no / will be missing in adminsock path

---------------------------------------------

Branch for 0.5 created (ipsec-tools-0_5-branch)

2004-12-23  Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/crypto_openssl.c: Indentation

2004-12-28  Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/crypto_openssl.c: Fixed eay_get_x509subjectaltname()
	when getting an IP (Bug # 1092095)


2004-12-26  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/session.c: remove outdated comment

---------------------------------------------

0.5.beta2 released

2004-12-21  Michal Ludvig <michal@logix.cz>

	* src/racoon/pfkey.c: Fix AES vs Rijndael defines.

2004-12-20  Yvan Vanhullebus <vanhu@free.fr>

	* configure.ac, src/racoon/isakmp.c, src/racoon/pfkey.c:
	Some FreeBSD / NATT support.

2004-12-17  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/isakmp.c: only IPv4 NAT-T is supported, so skip IPv6 here.
	* src/racoon/pfkey.c: Restore AES support on NetBSD.

2004-12-17  Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/crypto_openssl.c: Uses sprintf() instead of
	asprintf() in eay_get_x509subjectaltname(), because of some
	compilation problems reported with asprintf() on some platforms.
	* src/racoon/oakley.c: just take the first cert in
	oakley_savecert() if cert ID check is disabled.

2004-12-16  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/crypto_openssl.c: Build again on NetBSD
	* src/racoon/samples/roadwarrior/server/racoon
	src/racoon/samples/roadwarrior/server/racoon.conf-radius
	src/racoon/samples/roadwarrior/README: Use DPD in sample files.

2004-12-16  Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/crypto_openssl.c: Fixed eay_get_x509subjectaltname()
	when SubjectAltName contains an IP. OpenSSL code from Ludovic
	Flament (ludovic.flament@free.fr).

---------------------------------------------

0.5.beta1 released

2004-12-13  Michal Ludvig <mludvig@suse.cz>

	From Ganesan R <rganesan@users.sourceforge.net>:
	* src/racoon/Makefile.am, src/setkey/Makefile.am: Fix compilation
	with shared libraries.

2004-12-10  Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/oakley.c: takes the first certificate which matches
	the Identity, instead of just taking the first certificate.

2004-12-07  Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/isakmp_inf.c: Set spi_size for R-U-THERE/R-U-THERE-ACK.

2004-12-04  Aidas Kasparas <a.kasparas@gmc.lt>

	* src/libipsec/pfkey_dump.c: distinguish per-socket policies from
	general ones (Linux case);
	* src/racoon/pfkey.c: ditto, do not negotiate policies if racoon
	does not listen on out tunnel's source address.

2004-12-01  Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/isakmp_agg.c: code cleanup in NATT / DPD VIDs
	generation in r1send()

2004-12-01  Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/remoteconf.{c|h}: DPD support option (enabled by default)
	* src/racoon/{cfparse.y|cftoken.l}: DPD token, yyerror if DPD
	parameters but compiled without ENABLE_DPD
	* src/racoon/isakmp_{agg|ident}.c: Send DPD VID only if DPD
	support activated in configuration

2004-11-30  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/{evt.c|evt.h|admin.c}: init event queue at compile time,
	to avoid garbage pointer if admin port is disabled.
	* src/racoon/{throttle.c|throttle.h}: new files
	src/racoon/{Makefile.am|isakmp_cfg.c|isakmp_xauth.c|racoon.conf.5}
	configure.ac: Add a per-host throttling count. When throttling,
	don't sleep, schedule the answer for later instead.
	* src/racoon/kmpstat.c: default with no hexdump of the packet
	* src/racoon/admin.c: don't remove admin socket after first request,
	on the other hand remove on startup stale sockets left by
	crashed racoon.
	* src/racoon/samples/roadwarrior/README
	src/racoon/kmpstat.c: fix option parsing problem on Linux

2004-11-29  Yvan Vanhullebus <vanhu@free.fr>

	* src/racoon/session.c: Only listen on pfkey socket when received
	shutdown signal

2004-11-28  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h}
	src/racoon/{isakmp_xauth.c|racoon.conf.5}: Add a one second throttle
	on each Xauth authentication to avoid brute force attacks

2004-11-24  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/samples/roadwarrior/README
	src/racoon/samples/roadwarrior/client/{phase1-up.sh|phase1-down.sh}
	src/racoon/samples/roadwarrior/client/{racoon.conf|racoon.conf-radius}
	src/racoon/samples/roadwarrior/server/{racoon.conf|phase1-down.sh}:
	Fill Linux gaps for hybrid auth client, replace public IP by
	private and example IP in the sample config files.

2004-11-24  Emmanuel Dreyfus <manu@netbsd.org>

	DPD patch from Yvan Vanhullebus <vanhu@free.fr>
	* src/racoon/cfparse.y: missing bits for DPD support

2004-11-23  Aidas Kasparas <a.kasparas@gmc.lt>

	* src/setkey/parse.y: generate require fwd policies for unique in
	policies.
	* src/setkey/setkey.c: made -r/-k options available only when
	system has FWD policies.
	* src/setkey/setkey.8: updated docs about change above.

2004-11-22  Michal Ludvig <mludvig@suse.cz>

	* src/racoon/{admin.c,pfkey.c}: Wrap adminport-parts to
	#ifdef ENABLE_ADMINPORT/#endif.

2004-11-22  Michal Ludvig <mludvig@suse.cz>

	Revert these changes (ludvigm, 2004-11-18):
	* src/racoon/Makefile.am: install sample racoon.conf and psk.txt.
	* src/setkey/Makefile.am: Install setkey.conf.

2004-11-22  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/{isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c}: defer phase 1
	removal so that it's not used after being deleted.
	* src/racoon/{evt.h|isakmp.c|isakmp_agg.c|isakmp_base.c|session.c}
	src/racoon/{isakmp_ident.c|isakmp_inf.c|kmpstat.c}: report more
	errors to racoonctl

2004-11-21  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/doc/FAQ: NAT-T kernel patch for NetBSD is now on
	the ipsec-tools web site
	* src/racoon/{kmpstat.c|racoonctl.8}: New racoonctl command to
	display all events reported by racoon: show-event
	* src/racoon/isakmp_cfg.c: don't send ISAKMP mode config message
	with immature or dying phase 1
	* src/racoon/kmpstat.c: racoonctl vd awaits phase 1 to get down

2004-11-20  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/isakmp_agg.c: for hybrid auth client, advertise ourselves
	as Unity compliant.
	* src/racoon/{evt.c|evt.h}: new files
	src/racoon/{Makefile.am|admin.c|admin.h|isakmp.c|isakmp_cfg.c}
	src/racoon/{isakmp_xauth.c|kmpstat.c|pfkey.c}: framework for
	event reporting from racoon to racoonctl

2004-11-20  Aidas Kasparas <a.kasparas@gmc.lt>

	* src/racoon/grabmyaddr.c: Prevent doubling addresses and error messages
	when racoon is compiled with INET6 support and kernel is not.
	Fixed with help of Zilvinas Valinskas.
	* src/racoon/{var.h|sockmisc.c}: Fixed compilation with gcc-3.4.2+
	problem.

2004-11-19  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/doc/FAQ: more options and warn about software patents.

2004-11-18  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/vmbuf.c: don't allocate zero-length buffer
	* src/racoon/samples/roadwarrior/client/phase1-down.sh
	src/racoon/samples/roadwarrior/server/phase1-down.sh: Also
	flush SAD when disconnecting.
	* src/racoon/admin.c: Send a notification when deleting ISAKMP SA
	* src/racoon/samples/roadwarrior/README: accommodate the recent
	sysconfdir change

2004-11-18  Michal Ludvig <mludvig@suse.cz>

	* src/racoon/Makefile.am: Fix adminsocket dir, install sample
	racoon.conf and psk.txt.
	* src/racoon/localconf.h: Look for racoon.conf in $(SYSCONFDIR),
	not $(SYSCONFDIR)/racoon.
	* src/racoon/algorithm.h, src/racoon/eaytest.c,
	src/racoon/schedule.h, src/racoon/gnuc.h: Build fixes for really
	strict environments.
	* src/setkey/setkey.conf: Yet another sample config file.
	* src/setkey/Makefile.am: Install setkey.conf.
	* rpm/suse/{ipsec-tools.spec.in,sysconfig.racoon,racoon.init}: New
	files.
	* rpm/suse/{Makefile.am,.cvsignore}: New files.
	* configure.ac, rpm/Makefile.am: Build in rpm/suse.

2004-11-17  Aidas Kasparas <a.kasparas@gmc.lt>

	* configure.ac: paste bugfix by Zilvinas Valinskas
	* src/racoon/{isakmp_quick.c|policy.c|strnames.c}: fwd policy support
	for generated policies. Patch by Patrick McHardy.

2004-11-16  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/racoonctl.8: racoonctl man page (new file)

2004-11-16  Emmanuel Dreyfus <manu@netbsd.org>

	From Ganesan <rganesan@users.sourceforge.net>
	* src/racoon/ipsec_doi.c: fix freed memory access

2004-11-16  Michal Ludvig <mludvig@suse.cz>

	DPD patch from Yvan Vanhullebus <vanhu@free.fr>
	* configure.ac, src/racoon/cfparse.y, src/racoon/cftoken.l,
	src/racoon/handler.c, src/racoon/handler.h,
	src/racoon/isakmp.c, src/racoon/isakmp.h,
	src/racoon/isakmp_agg.c, src/racoon/isakmp_ident.c,
	src/racoon/isakmp_inf.c, src/racoon/isakmp_inf.h,
	src/racoon/racoon.conf.5, src/racoon/remoteconf.c,
	src/racoon/remoteconf.h, src/racoon/vendorid.c,
	src/racoon/vendorid.h: Dead Peer Detection (DPD) support.

2004-11-16  Michal Ludvig <mludvig@suse.cz>

	* configure.ac: Remove a bash-specific construction, take II.
	* src/racoon/grabmyaddr.c: FreeBSD fix for headers.

2004-11-15  Michal Ludvig <mludvig@suse.cz>

	* configure.ac: Use correct include paths during ./configure run.
	* src/racoon/Makefile.am: Compile cftoken.l from $(srcdir),
	remove samples/racoon.conf.sample-cvpn, added samples/roadwarrior
	(hint, hint, manu :-))

2004-11-15  Emmanuel Dreyfus <manu@netbsd.org>

	* README: update the docs
	* src/racoon/doc/FAQ: update the docs
	* configure.ac: Remove a bash-specific construction

2004-11-14  Aidas Kasparas <a.kasparas@gmc.lt>

	* src/racoon/cfparse.y: ensure that returns from rules are
	initialized even on erroneous config file.
	* src/racoon/admin_var.h: changed management socket location
	* src/racoon/Makefile.am: ditto, added rule to install directory
	for management socket.
	* src/setkey/{setkey.c|parse.y}: introduced rfc/kernel modes,
	added generation of fwd policies for every in policy spdadd'ed.
	* src/setkey/setkey.8, src/libipsec/ipsec_set_policy.3: updated docs
	* src/setkey/policy_token.l: return something reasonable when
	fwd direction is parsed on systems with no forward policy
	support.

2004-11-14  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/isakmp.c: avoid a double free when using IKE fragmentation
	* src/racoon/{backupsa.c|ipsec_doi.c|localconf.c|str2val.c}
	src/{libipsec/key_debug.c|setkey/parse.y}: fix build warnings
	* configure.ac src/racoon/{admin.c|admin_var.h}
	src/racoon/racoon.conf.5 src/racoon/samples/roadwarrior/README
	src/racoon/samples/roadwarrior/client/racoon.conf: make the default
	mode for the admin socket more secure.

2004-11-13  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/{cfparse.y|remoteconf.c|crypto_openssl.c|crypto_openssl.h}
	src/racoon/{eaytest.c|oakley.c|racoon.conf.5|cftoken.l|remoteconf.h}
	src/racoon/samples/roadwarrior/README
	src/racoon/samples/roadwarrior/client/racoon.conf: Make the root
	certificate authority location per-peer and configurable.
	* src/racoon/isakmp_frag.c: fix unallocated memory access
	* src/racoon/isakmp_agg.c: fix incorrect queue deallocation
	* src/racoon/remoteconf.c: fix uninitialized data
	* src/racoon/{admin.c|isakmp_xauth.c}: fix freed memory access

2004-11-12  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/{Makefile.am|kmpstat.c}: Make racoonctl vc and vd
	commands IPv6 friendly.
	* src/racoon/{admin.c|admin.h|handler.c|handler.h|kmpstat.c}:
	Add an admin message to flush all the SA for a given peer.
	Convert racoonctl vd to use it.
	* src/racoon/{admin.c|kmpstat.c|cftoken.l|cfparse.y}
	src/racoon/{admin_var.h|admin.h|racoon.conf.5}: Enable the
	administrator to choose the admin socket path, ownership and mode.
	* src/racoon/samples/roadwarrior: complete config files for
	road warriors using hybrid authentication.

2004-11-12  Michal Ludvig <mludvig@suse.cz>

	* configure.ac: Config option --enable-natt=kernel
	* src/racoon/Makefile.am: Distribute only yacc/lex source files,
	not the preprocessed .c files.

2004-11-11  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/samples/racoon.conf.sample-cvpn: more complete setup
	and comments in the VPN concentrator setup for the Cisco VPN client
	* src/racoon/racoon.conf.5: fix documentation
	* src/racoon/isakmp_cfg.c: get the internal IPv4 address in script
	hooks even if we are a server.
1613 16142004-11-10 Emmanuel Dreyfus <manu@netbsd.org> 1615 1616 * src/racoon/{ipsec_doi.c|remoteconf.c}: fix LP64 problems 1617 16182004-11-09 Michal Ludvig <mludvig@suse.cz> 1619 1620 * Makefile.am: Remove aclocal-related lines. 1621 * src/racoon/Makefile.am: Add isakmp_frag.h into noints_HEADERS 1622 * configure.ac: Cleanup, define INET6 if IPv6 shoud be supported, 1623 better handling of KRB5 and NAT-T. 1624 * src/racoon/{isakmp_cfg.c,isakmp_frag.c,isakmp_unity.c}: Make 1625 FreeBSD happy with includes (Arrgh...&^#$^@!!!) 1626 16272004-11-08 Michal Ludvig <mludvig@suse.cz> 1628 1629 * src/libipsec/policy_parse.y: Define INT32_MAX/INT32_MIN. 1630 * src/libipsec/policy_token.l, src/racoon/kmpstat.c, 1631 src/racoon/{pfkey.c,prsa_par.y,rsalist.c,token.l}: Small 1632 fixes to support FreeBSD (tested with 4.10). 1633 16342004-11-05 Michal Ludvig <mludvig@suse.cz> 1635 1636 * configure.ac: Add --with-readline switch. 1637 * src/setkey/setkey.c(stdin_loop): Fix newlines and comments 1638 when compiled without readline. 1639 16402004-11-01 Aidas Kasparas <a.kasparas@gmc.lt> 1641 1642 * src/racoon/isakmp_quick.c: generated policy refresh patch 1643 by Yvan Vanhullebus 1644 16452004-10-29 Michal Ludvig <mludvig@suse.cz> 1646 1647 * configure.ac: Check for IPSEC_DIR_FWD and eventually define 1648 HAVE_POLICY_FWD. 1649 * src/libipsec/{ipsec_dump_policy.c,policy_token.l}: Use 1650 HAVE_POLICY_FWD in ifdefs. 1651 * NEWS: Mention the fix. 1652 * src/racoon/kmpstat.c: Fix compilation on Linux. 1653 * src/racoon/ipsec_doi.h: Ditto. 1654 * src/racoon/Makefile.am, src/setkey/Makefile.am: Update 1655 explicit dependencies. 1656 16572004-10-29 Emmanuel Dreyfus <manu@netbsd.org> 1658 1659 * src/racoon/{isakmp_cfg.h,grabmyaddr.c,handler.c,handler.h}: 1660 do not reconfigure internal addresses obtained through ISAKMP 1661 mode config. 1662 * src/racoon/{isakmp.c,isakmp_cfg.c,isakmp_xauth.c}: On authentication 1663 failure, kill the phase 1 and log the failure. 
	  Do not run the sa_up script in this case.
	* src/racoon/{admin.c,admin.h,isakmp_xauth.c,kmpstat.c,remoteconf.h}:
	  Add -u user to racoonctl establish-sa, prompt for the PSK from
	  the terminal, and add a vpn-connect target with simplified syntax
	  for establishing a SA in the road warrior case.
	* src/racoon/{admin.c,kmpstat.c}: implement delete-sa and
	  vpn-disconnect commands of racoonctl
	* src/racoon/{cfparse.y,cftoken.l,handler.c,isakmp.c,isakmp_cfg.c}
	  src/racoon/{isakmp_var.h,racoon.conf.5,remoteconf.c,remoteconf.h}:
	  Remove sa_up and sa_down and replace them by a more general
	  script hook framework.

2004-10-27  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/nattraversal.c: Use macros instead of magic numbers
	* src/racoon/kmpstat.c: pull up fixes from KAME so that racoonctl
	  can actually establish a SA
	* src/racoon/{cfparse.y,cftoken.l,handler.c,isakmp.c,isakmp_cfg.c}
	  src/racoon/{isakmp_var.h,racoon.conf.5,remoteconf.c,remoteconf.h}:
	  Shell script hooks for ISAKMP SA creation and removal

2004-10-26  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/rfc/draft-ietf-ipsec-isakmp-hybrid-auth-05.txt: removed
	  src/racoon/rfc/draft-ietf-ipsec-isakmp-mode-cfg-04.txt: removed
	  src/racoon/rfc/draft-beaulieu-ike-xauth-02.txt: new file
	  src/racoon/rfc/draft-dukes-ike-mode-cfg-02.txt: new file
	  Update to the latest drafts

2004-10-25  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/rfc/draft-ietf-ipsec-isakmp-hybrid-auth-05.txt: new file
	  src/racoon/rfc/draft-ietf-ipsec-isakmp-mode-cfg-04.txt: new file
	  src/racoon/rfc/draft-ietf-ipsec-isakmp-xauth-07.txt: new file
	  drafts documenting ISAKMP mode config, Xauth and hybrid auth
	* src/racoon/cftoken.l: fix build problem, add an error message
	  when using hybrid auth options while hybrid auth is not built
	* src/racoon/isakmp_cfg.c: build without RADIUS support too
2004-10-24  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/{algorithm.c,algorithm.h,cfparse.y,cftoken.l}
	  src/racoon/{ipsec_doi.c,ipsec_doi.h,isakmp.c,isakmp_agg.c}
	  src/racoon/{isakmp_cfg.c,isakmp_cfg.h,isakmp_xauth.c,isakmp_xauth.h}
	  src/racoon/{oakley.c,oakley.h,racoon.conf.5}
	  src/racoon/{remoteconf.c,remoteconf.h,strnames.c}: Client side
	  of hybrid auth and ISAKMP mode config

2004-10-24  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/{cfparse.y,cftoken.l,handler.h,isakmp.c}
	  src/racoon/{isakmp_agg.c,isakmp_base.c,isakmp_frag.c,isakmp_frag.h}
	  src/racoon/{isakmp_inf.c,racoon.conf.5,remoteconf.c,remoteconf.h}:
	  Receiver-side of IKE fragmentation

2004-10-24  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/isakmp_cfg.c: Fix read buffer overflow
	* src/racoon/isakmp_xauth.c: Fix weak authentication
	* src/racoon/{oakley.c,oakley.h}: Fix weak authentication

2004-10-21  Michal Ludvig <mludvig@suse.cz>

	From Emmanuel Dreyfus:
	* src/racoon/{isakmp_frag.c,isakmp_frag.h}: New files.
	* src/racoon/isakmp_cfg.c: Fix endianness.

2004-10-20  Michal Ludvig <mludvig@suse.cz>

	From Emmanuel Dreyfus:
	* src/racoon/{cfparse.y,cftoken.l,handler.c},
	  src/racoon/{isakmp_cfg.c,isakmp_cfg.h,isakmp_xauth.c},
	  src/racoon/racoon.conf.5: RADIUS IP addresses allocation
	  and RADIUS accounting.
	* configure.ac,
	  src/racoon/{Makefile.am,handler.h,isakmp.c,isakmp.h},
	  src/racoon/{isakmp_agg.c,isakmp_base.c,isakmp_inf.c},
	  src/racoon/{vendorid.c,vendorid.h}: IKE Fragmentation patch.

2004-10-08  Michal Ludvig <mludvig@suse.cz>

	* src/racoon/isakmp_cfg.c: Fixes from Emmanuel Dreyfus.
2004-10-06  Aidas Kasparas <a.kasparas@gmc.lt>

	* src/racoon/remoteconf.c: dupidvl(), dupetypes() - new functions
	  to duplicate dynamically allocated structures; duprmconf() - call
	  these functions to produce private copy of inherited id and etype
	  structures.
	* src/racoon/remoteconf.c: declaration for dupetypes().

2004-10-04  Aidas Kasparas <a.kasparas@gmc.lt>

	* src/racoon/cfparse.y: check inherited_from dereferencing
	* src/racoon/crypto_openssl.c: prevent crash on incorrect DNs

2004-09-27  Michal Ludvig <mludvig@suse.cz>

	From KOVACS Krisztian <hidden@balabit.hu>:
	* src/racoon/sockmisc.c(sendfromto): Set src address.

2004-09-24  Aidas Kasparas <a.kasparas@gmc.lt>

	* configure.ac: added check for linux-gnu, as my box reports
	* src/racoon/grabmyaddr.c: added missing <linux/types.h> include

2004-09-21  Michal Ludvig <mludvig@suse.cz>

	Merged 'autoconf' branch to mainline:
	* .cvsignore, ChangeLog, Makefile.am, bootstrap, configure.ac,
	  src/racoon/.cvsignore, src/racoon/cfparse.y,
	  src/racoon/crypto_openssl.c, src/racoon/crypto_openssl.h,
	  src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
	  src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
	  src/racoon/isakmp_cfg.c, src/racoon/isakmp_ident.c,
	  src/racoon/isakmp_unity.c, src/racoon/main.c,
	  src/racoon/nattraversal.c, src/racoon/oakley.c,
	  src/racoon/oakley.h, src/racoon/sockmisc.c,
	  src/racoon/missing/crypto/sha2/sha2.c: Modified (see ChangeLog
	  in 'autoconf' branch for details).
	* acracoon.m4, src/racoon/Makefile.am: New files.
	* src/racoon/Makefile.in, src/racoon/aclocal.m4,
	  src/racoon/client-puzzle.c, src/racoon/config.guess,
	  src/racoon/config.sub, src/racoon/configure.in,
	  src/racoon/install-sh, src/racoon/doc/SantaBarbara-result.jp,
	  src/racoon/doc/helsinki-result.jp, src/racoon/doc/ibm-result.jp,
	  src/racoon/doc/pattern, src/racoon/doc/question,
	  src/racoon/doc/racoonquestion.sh, src/racoon/doc/redmond.txt,
	  src/racoon/doc/rules.jp, src/racoon/doc/sandiego-result.en,
	  src/racoon/doc/sandiego-result.jp,
	  src/racoon/doc/sandiego0009-result.en,
	  src/racoon/missing/addrinfo.h, src/racoon/missing/getaddrinfo.c,
	  src/racoon/missing/getnameinfo.c, src/racoon/samples/Makefile,
	  src/racoon/samples/sandiego.pl: Removed.

2004-09-17  Michal Ludvig <mludvig@suse.cz>

	* src/racoon/vendorid.[ch]: Rewrote the VendorID handling.
	  We don't use the array with fixed offsets anymore, instead
	  a generally unordered structure with ID, string and
	  precomputed MD5 hashes.
	* src/racoon/{isakmp_agg.c,isakmp_base.c,isakmp_ident.c},
	  src/racoon/nattraversal.c: Updated to the new VID model.
	* src/racoon/main.c(main): Precompute VendorIDs.
	* src/racoon/arc4random.h, src/racoon/missing/arc4random.c:
	  Files removed. Function arc4random() renamed to eay_random()
	  and moved to crypto_openssl.c.
	* src/racoon/pfkey.c, src/racoon/oakley.c, src/racoon/main.c,
	  src/racoon/isakmp.c: Updated to the above change.
	* src/racoon/Makefile.in, src/racoon/configure.in: Remove
	  arc4random() from building.
	* src/racoon/crypto_openssl.[ch](eay_random): New function.
	* src/racoon/isakmp_cfg.c, src/racoon/isakmp_unity.c,
	  src/racoon/isakmp_xauth.c: Cleaned up headers.

2004-09-16  Michal Ludvig <mludvig@suse.cz>

	* src/racoon/crypto_openssl.c (base64_encode): Terminate
	  the result with '\0'.
2004-09-15  Michal Ludvig <mludvig@suse.cz>

	* configure.ac: How about calling the next version 0.5?
	* src/include-glibc/glibc-bugs.h: Define _XOPEN_SOURCE
	  _BSD_SOURCE and don't require <linux/types.h>
	* src/racoon/isakmp_cfg.c, src/racoon/isakmp_unity.c,
	  src/racoon/isakmp_xauth.c: Don't include <netkey/key_var.h>
	* src/racoon/Makefile.in: Add new files to distribution.
	* src/racoon/configure.in: Fix linux kernel NATT detection.
	* src/setkey/parse.y: Fix types.
	* src/racoon/backupsa.c, src/racoon/ipsec_doi.c,
	  src/racoon/isakmp_inf.c, src/racoon/isakmp_quick.c,
	  src/racoon/pfkey.c, src/racoon/remoteconf.c,
	  src/racoon/session.c, src/racoon/sockmisc.c: Fix headers
	  ordering, use HAVE_NETINET6_IPSEC.
	* src/racoon/isakmp_cfg.c: Use %z for size_t.
	* src/racoon/configure.in: Clean up IPv6 stack check.

2004-09-15  Michal Ludvig <mludvig@suse.cz>

	Merged "Hybrid XAUTH" support from Emmanuel Dreyfus:
	* src/racoon/isakmp_cfg.h, src/racoon/isakmp_cfg.c,
	  src/racoon/isakmp_unity.c, src/racoon/isakmp_unity.h,
	  src/racoon/isakmp_xauth.c, src/racoon/isakmp_xauth.h,
	  src/racoon/samples/racoon.conf.sample-cvpn: New files.
	* src/racoon/algorithm.c, src/racoon/algorithm.h,
	  src/racoon/cfparse.y, src/racoon/cftoken.l,
	  src/racoon/handler.c, src/racoon/handler.h,
	  src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
	  src/racoon/isakmp.h, src/racoon/isakmp_agg.c,
	  src/racoon/isakmp_inf.c, src/racoon/oakley.c,
	  src/racoon/oakley.h, src/racoon/strnames.c,
	  src/racoon/vendorid.c, src/racoon/vendorid.h: Added
	  code for XAUTH support.
	* src/racoon/racoon.conf.5: Documentation for XAUTH.
	* src/racoon/isakmp_base.c, src/racoon/isakmp_ident.c,
	  src/racoon/nattraversal.c: Added NATT VID "02\n"
	* src/racoon/configure.in: New config option --enable-hybrid

2004-09-14  Michal Ludvig <mludvig@suse.cz>

	* configure.ac: Preset CFLAGS
	* src/racoon/configure.in: Preset LDFLAGS instead of CFLAGS on NetBSD,
	  Check if printf() accepts "%z" modifiers.
	* src/racoon/isakmp_agg.c(agg_i1send): Place #endif correctly.
	* src/setkey/parse.y(fix_portstr): Init 'p2'.
	* src/setkey/setkey.c: Add required prototypes.

2004-09-14  Aidas Kasparas <a.kasparas@gmc.lt>

	* src/racoon/gssapi.c: sa_len -> sysdep_sa_len. Patch by Andreas.

2004-09-14  Michal Ludvig <mludvig@suse.cz>

	* src/racoon/configure.in: Check for NetBSD NAT-T kernel support.

2004-09-13  Michal Ludvig <mludvig@suse.cz>

	* src/racoon/configure.in: Check for <openssl/engine.h>
	* src/racoon/crypto_openssl.c: Only use OpenSSL engines if available.
	* src/racoon/plainrsa-gen.c: Ditto.

2004-09-13  Michal Ludvig <mludvig@suse.cz>

	NetBSD fixes from Emmanuel Dreyfus <manu@netbsd.org>:
	* Makefile.am: build in rpm/ only on Linux
	* configure.ac: Check for netinet6/ipsec.h instead of netinet/ipsec.h
	* src/Makefile.am: Build include-glibc only on Linux
	* src/libipsec/{ipsec_dump_policy.c,ipsec_get_policylen.c,
	  ipsec_strerror.c,key_debug.c,pfkey.c,pfkey_dump.c,
	  policy_parse.y,policy_token.l,test-policy-priority.c},
	  src/racoon/{cfparse.y,cftoken.l,grabmyaddr.c,isakmp.c,
	  nattraversal.c,pfkey.c,plainrsa-gen.c,policy.c,
	  proposal.c,sainfo.c,schedule.c,strnames.c},
	  src/setkey/{parse.y,setkey.c,token.l}: Fix headers and some
	  ifdefs.
	* src/racoon/sockmisc.c(sendfromto): Wrap for Linux only.
	* src/racoon/configure.in: Check for kernel NAT-T support,
	  fix libipsec.a linkage path.
	* src/racoon/eaytest.c(certtest): Use %z for size_t.
2004-09-12  Aidas Kasparas <a.kasparas@gmc.lt>

	* src/racoon/grabmyaddr.c: improved socket selection algorithm for
	  case when link-local addresses come w/o sin6_scope_id set.

2004-09-07  Aidas Kasparas <a.kasparas@gmc.lt>

	* src/racoon/session.c: fix for SIGHUP handler for case when config
	  file contains listen directives.

2004-09-01  Aidas Kasparas <a.kasparas@gmc.lt>

	* src/racoon/grabmyaddr.c: added scope id handling for link-local
	  IPv6 addresses. Now racoon will not err on such addresses.

2004-08-19  Aidas Kasparas <a.kasparas@gmc.lt>

	* src/racoon/crypto_openssl.c: hmac memory leak fix by R. Ganesan
	* src/racoon/eaytest.c: eay_init_error() -> eay_init() due to
	  2004-06-01 changes in src/racoon/crypto_openssl.c

2004-08-15  Aidas Kasparas <a.kasparas@gmc.lt>

	* src/racoon/cfparse.y src/racoon/crypto_openssl.c
	  src/racoon/eaytest.c src/racoon/genlist.h src/racoon/ipsec_doi.c
	  src/racoon/racoon.conf.5 src/racoon/remoteconf.c
	  src/racoon/remoteconf.h: peers_identifier wildcard and
	  list patch by James Matheson

---------------------------------------------

	0.4rc1 released

2004-08-09  Michal Ludvig <mludvig@suse.cz>

	* NEWS: Notes for release 0.4rc1
	* configure.ac: Bump up version to 0.4rc1

2004-07-12  Michal Ludvig <mludvig@suse.cz>

	PlainRSA support.
	See ChangeLog.prsa from the 'plainrsa' branch for details.
	* src/racoon/stringlist.c src/racoon/stringlist.h: Removed.
	* src/racoon/genlist.c src/racoon/genlist.h
	  src/racoon/plainrsa-gen.8 src/racoon/plainrsa-gen.c
	  src/racoon/prsa_par.y src/racoon/prsa_tok.l
	  src/racoon/rsalist.c src/racoon/rsalist.h
	  src/racoon/samples/racoon.conf.sample-plainrsa: New files.
	* src/racoon/Makefile.in src/racoon/configure.in
	  src/racoon/cfparse.y src/racoon/cftoken.l
	  src/racoon/crypto_openssl.c src/racoon/crypto_openssl.h
	  src/racoon/handler.h src/racoon/ipsec_doi.c
	  src/racoon/ipsec_doi.h src/racoon/isakmp.h src/racoon/main.c
	  src/racoon/oakley.c src/racoon/plog.c src/racoon/remoteconf.c
	  src/racoon/remoteconf.h src/racoon/sockmisc.c
	  src/racoon/sockmisc.h src/racoon/eaytest.c: Updated.

2004-07-12  Michal Ludvig <mludvig@suse.cz>

	* src/racoon/main.c, src/racoon/eaytest.c, src/racoon/plog.c: Move
	  f_foreground to plog.c.
	* src/racoon/proposal.c (cmpsaprop_alloc): Fix printing of encmode
	  adjusting.
	* src/racoon/ipsec_doi.c, src/racoon/isakmp.c, src/racoon/isakmp_quick.c,
	  src/racoon/oakley.c: Fix typos, newlines and printf() format strings.

2004-06-16  Aidas Kasparas <a.kasparas@gmc.lt>

	* src/racoon/crypto_openssl.c (eay_get_x509cert): small memory
	  leak fix. Noticed B.Buesker, patch L.Stellingwerff
	* src/racoon/crypto_openssl.c (eay_aes_{en|de}crypt, evp_crypt):
	  small memory leaks fixed.

2004-06-15  Aidas Kasparas <a.kasparas@gmc.lt>

	SECURITY
	* src/racoon/crypto_openssl.[ch] (cb_check_cert_local,
	  cb_check_cert_remote): split cb_check_cert() due to stricter
	  requirements for certificates received from network.
	* src/racoon/crypto_openssl.[ch] (eay_check_x509cert): new parameter
	  local to specify how strict cert check should be
	* src/racoon/oakley.c, src/racoon/eaytest.c: adjust to use above

2004-06-11  Michal Ludvig <mludvig@suse.cz>

	* src/racoon/nattraversal.c (natt_vendorid, natt_fill_options): Support
	  for all known NAT-T versions.
	* vendorid.h: Ditto.

2004-06-08  Michal Ludvig <mludvig@suse.cz>

	* src/racoon/stringlist.c, src/racoon/stringlist.h: New files.
	* src/racoon/Makefile.in: Compile stringlist.o.
2004-06-07  Michal Ludvig <mludvig@suse.cz>

	* configure.ac: Set version to 'cvs'.
	* src/{racoon,setkey,libipsec}/*.h: Wrap headers between
	  #ifndef/#define/#endif to allow multiple inclusions of the
	  same file.
	* plog.h (plog): Attribute __printf__ for automatic checking
	  of the parameters' validity.
	* cftoken.l, crypto_openssl.c, grabmyaddr.c, ipsec_doi.c,
	  isakmp.c, isakmp_quick.c, oakley.c, pfkey.c, proposal.c,
	  sockmisc.c: Fix warnings/errors in the plog() parameters with
	  the above change.

2004-06-05  Aidas Kasparas <a.kasparas@gmc.lt>

	* src/setkey/setkey.c: -n (no action) support.
	  Thanks Thomas Habets.
	* src/setkey/setkey.8: Documentation for above.
	* src/racoon/doc/README.certificate: updated link to more recent
	  version of document. Debian bug #252513 by Jose Luis Domingo Lopez

2004-06-01  Michal Ludvig <mludvig@suse.cz>

	* src/racoon/algorithm.c: Enable compilation without SHA2 support.
	* src/racoon/crypto_openssl.c: Ditto.

2004-06-01  Michal Ludvig <mludvig@suse.cz>

	* src/racoon/crypto_openssl.c: Remove unneeded workarounds for older
	  OpenSSLs.
	  (eay_init): New function.
	  (eay_init_error, eay_check_pkcs7sign): Removed.
	* src/racoon/crypto_openssl.h: Reflect the above changes.
	* src/racoon/main.c: Call eay_init() instead of eay_init_error().

2004-05-27  Michal Ludvig <mludvig@suse.cz>

	Support for inheritance of 'remote' statements:
	* src/racoon/cftoken.l: New keyword 'inherit'.
	* src/racoon/cfparse.y: Support for 'inherit', remove
	  global 'prhead', use cur_rmconf->prhead instead.
	* src/racoon/remoteconf.c (rmtree): Changed from
	  LIST queue to TAILQ queue.
	  (getrmconf): Renamed to getrmconf_strict().
	  (copyrmconf, duprmconf)
	  (dump_rmconf_single, dumprmconf): New functions.
	  (rm2str): Deleted.
	* src/racoon/remoteconf.h: Prototypes for the above.
	  (struct remoteconf): New fields 'inherited_from' and 'prhead'.
	* src/racoon/sockmisc.c (saddr2str): Can print anonymous entries.
	* src/racoon/algorithm.c (alg_oakley_encdef_name)
	  (alg_oakley_hashdef_name, alg_oakley_dhdef_name)
	  (alg_oakley_authdef_name): New functions.
	* src/racoon/algorithm.h: Prototypes for the above.
	* src/racoon/strnames.c (num2str): Make extern.
	  (s_doi, s_etype, s_idtype, s_switch): New functions.
	* src/racoon/strnames.h: Prototypes for the above.
	* src/racoon/main.c: New parameter -C for dumping the parsed config.
	* src/racoon/racoon.conf.5: Document inheritance.
	* src/racoon/samples/racoon.conf.sample-inherit: Sample config file.
	* src/racoon/Makefile.in: Distribute racoon.conf.sample-inherit

2004-05-24  Michal Ludvig <mludvig@suse.cz>

	* configure.in, backupsa.c, ipsec_doi.c, isakmp_inf.c,
	  isakmp_quick.c, pfkey.c, remoteconf.c, session.c,
	  sockmisc.c: Allow compilation with --disable-ipv6

2004-05-21  Michal Ludvig <mludvig@suse.cz>

	* src/racoon/crypto_openssl.[ch]: Use EVP_*() instead of
	  algorithm specific functions.

2004-05-20  Aidas Kasparas <a.kasparas@gmc.lt>

	Manual page updates. Thanks Brian
	* src/libipsec/ipsec_set_policy.3
	* src/setkey/setkey.8
	* src/libipsec/test-policy-priority.c: new file from policy
	  priority patch, which I forgot to add

2004-05-18  Aidas Kasparas <a.kasparas@gmc.lt>

	Policy priority integer handling fixes by Brian Buesker.
	* src/libipsec/ipsec_strerror.c
	* src/libipsec/ipsec_strerror.h
	* src/libipsec/libpfkey.h
	* src/libipsec/policy_parse.y
	* src/libipsec/test-policy-priority.c
	Manual page corrections by me
	* src/libipsec/ipsec_set_policy.3
	* src/setkey/setkey.8

2004-05-15  Aidas Kasparas <a.kasparas@gmc.lt>

	Policy priority support patch from Brian Buesker. Applied as is
	except src/libipsec/Makefile.am is modified instead of
	src/libipsec/Makefile.in as found in the patch.

2004-05-10  Michal Ludvig <mludvig@suse.cz>

	From Heiko Hund, approved by the copyright holder:
	* src/racoon/gssapi.[ch]: Update to 3-clause BSD license.

2004-04-27  Michal Ludvig <mludvig@suse.cz>

	From Heiko Hund:
	* src/include-glibc/sys/queue.h: Update to 3-clause BSD license.

2004-04-26  Aidas Kasparas <a.kasparas@gmc.lt>

	* src/racoon/grabmyaddr.c (update_myaddrs): Only trust kernel to
	  send notifications about changed interfaces.

2004-04-24  Aidas Kasparas <a.kasparas@gmc.lt>

	* src/racoon/grabmyaddr.c (recvaddrs): Only trust kernel to send
	  information about interfaces. Thanks Steve Grubb and Bill
	  Nottingham. Affects users with glibc w/o getifaddrs(). Users
	  with glibc earlier than 2003-11-14 should upgrade their glibc.

2004-04-19  Michal Ludvig <mludvig@suse.cz>

	* src/racoon/isakmp.c (isakmp_handler): Reject too big
	  packets (CAN-2004-0403).

---------------------------------------------

	0.3 released

2004-04-14  Michal Ludvig <mludvig@suse.cz>

	* NEWS: Notes for release 0.3
	* configure.ac: Bump up version to 0.3
	* src/racoon/Makefile.in: Use install-sh instead of mkinstalldirs.
	* src/racoon/remoteconf.c (foreachrmconf): Avoid warning about
	  uninitialised variable.
	* src/racoon/samples/racoon.conf.in: Cleaned up to work with Linux
	  and FreeSWAN.
2004-04-13  Michal Ludvig <mludvig@suse.cz>

	* src/racoon/grabmyaddr.c (suitable_ifaddr6): Anycast addresses are
	  not suitable.

2004-04-09  Michal Ludvig <mludvig@suse.cz>

	* src/racoon/crypto_openssl.c (cb_check_cert): Warn if no CRL is found.
	* src/racoon/isakmp_ident.c (ident_r2recv): Removed debug plog().
	* src/racoon/proposal.c (cmpsatrns): Downgrade severity of trns_id
	  mismatch to LLV_WARNING.
	* src/libipsec/pfkey_dump.c, src/racoon/algorithm.c
	  src/racoon/algorithm.h src/racoon/cftoken.l
	  src/racoon/ipsec_doi.c src/racoon/ipsec_doi.h
	  src/racoon/oakley.h src/racoon/pfkey.c src/racoon/strnames.c
	  src/setkey/token.l: Renamed Rijndael to AES.
	* src/setkey/token.l: Recognize exit/quit/bye tokens.
	* src/setkey/parse.y (exit_command): New.
	* src/setkey/setkey.c (stdin_loop): Exit when exit_now is set
	  in exit_command.

2004-04-08  Michal Ludvig <mludvig@suse.cz>

	* src/setkey/setkey.c (main): Call get_supported() in interactive mode.
	  (stdin_loop): Concat multiline input into a single line before parsing.

2004-04-07  Michal Ludvig <mludvig@suse.cz>

	* src/racoon/nattraversal.c (natt_keepalive_send): Log sending KA
	  with level DEBUG. Having it with level INFO only pollutes logfiles.

2004-04-06  Michal Ludvig <mludvig@suse.cz>

	* src/racoon/Makefile.in: eaytest now links plog.o
	* src/racoon/crypto_openssl.c: Remove all #ifdef EAYDEBUG/#endif
	  surrounding plog().
	* src/racoon/eaytest.c (rsatest): Enabled RSA tests again, now
	  verifying both good and bad signatures.
---------------------------------------------

	0.3rc5 released

2004-04-05  Michal Ludvig <mludvig@suse.cz>

	* NEWS: Notes for release 0.3rc5
	* configure.ac: Bump up version to 0.3rc5

2004-04-05  Michal Ludvig <mludvig@suse.cz>

	Fix for a security bug found by Ralf Spenneberg:
	* src/racoon/crypto_openssl.c (eay_check_x509sign): Directly generate
	  'evp' instead of 'pubkey'.
	  (eay_rsa_sign): Use the above.
	* src/racoon/crypto_openssl.h: Update prototypes for the above.
	* src/racoon/eaytest.c: Disabled RSA tests because of the API change.

2004-04-05  Michal Ludvig <mludvig@suse.cz>

	* src/racoon/pfkey.c (pfkey_handler): Safety check before accessing
	  the array (thx to Ren.J.Y for report).
	  (pkrecvf): Added entry for SADB_X_NAT_T_NEW_MAPPING (NULL for now).
	* src/racoon/strnames.c (name_pfkey_type): Ditto.

2004-04-02  Michal Ludvig <mludvig@suse.cz>

	* src/racoon/eaytest.c (ciphertest_1): Correct padlen.

2004-04-01  Michal Ludvig <mludvig@suse.cz>

	* src/racoon/ipsec_doi.c (setph2proposal0): Move proposal encmode
	  update from here ...
	  (ipsecdoi_setph2proposal): ... to here. Hopefully this is a
	  better place to do the update.

2004-03-30  Michal Ludvig <mludvig@suse.cz>

	* src/racoon/crypto_openssl.c (eay_3des_expand_key): New function.
	  (eay_3des_encrypt, eay_3des_decrypt): Expand key if necessary.
	* src/racoon/eaytest.c (ciphertest_1): New function.
	  (ciphertest): Simplified to simple calls of ciphertest_1().

2004-03-29  Michal Ludvig <mludvig@suse.cz>

	* README: Rewritten. Mentioned where to report bugs.

2004-03-26  Michal Ludvig <mludvig@suse.cz>

	* configure.ac: Check for readline.h and libreadline.
	* src/setkey/setkey.c: Call stdin_loop() when '-c' was given.
	  (stdin_loop): Read user input and parse it line-by-line.
	* src/setkey/token.l (parse_string): New function.

---------------------------------------------

	0.3rc4 released

2004-03-25  Michal Ludvig <mludvig@suse.cz>

	* configure.ac: Bump up version to 0.3rc4
	* NEWS: Notes for release 0.3rc4
	* src/racoon/cfparse.y (algorithm): Hint about missing module.
	* src/racoon/crypto_openssl.c (eay_3des_*): Check for strict key
	  length only with old API.
	  (eay_des_encrypt): Ditto.
	* src/racoon/eaytest.c: Make the testsuite useful, i.e. exit with
	  non-zero error code if any of the tests fail.
	  (main): Print banner with version.
	* src/racoon/Makefile.in: Run eaytest in 'make check'.

2004-03-23  Michal Ludvig <mludvig@suse.cz>

	* src/racoon/isakmp_agg.c (agg_i2recv): Copy remote cookie before
	  comparing NAT-D payloads. (thx to Gaurav Kansal for report).
	* src/racoon/crypto_openssl.c: Avoid type-punned warnings.
	* src/racoon/eaytest.c: Disable 'cert' tests.
	* src/racoon/crypto_openssl.c (eay_des_encrypt): No need to check
	  for strict length.
	  (eay_aes_encrypt): Keylength is in bits, not bytes.

2004-03-22  Michal Ludvig <mludvig@suse.cz>

	* src/setkey/parse.y (ALG_ENC_NOKEY, ALG_ENC_OLD): Use "" for key
	  instead of NULL and check for availability.

---------------------------------------------

	0.3rc3 released

2004-03-19  Michal Ludvig <mludvig@suse.cz>

	* configure.ac: Bump up version to 0.3rc3
	* NEWS: Notes for release 0.3rc3
	* src/racoon/cftoken.l: Add 'null' as an alias for 'null_enc'.
	* src/racoon/proposal.c (cmpsatrns): New parameter proto_id,
	  better diagnostic output when trns_id doesn't match.
	* src/racoon/proposal.h (cmpsatrns): Update prototype.
	* src/setkey/setkey.c: Change option -h to -H (for hexdump), new
	  options -h (help) and -V (version).
	* src/setkey/setkey.8: Document the above changes.
	* src/racoon/rfc/*: Many standards related to IPsec/IKE/NAT-T/...

2004-03-15  Michal Ludvig <mludvig@suse.cz>

	* src/racoon/configure.in: Prevent compilation error with
	  --enable-yydebug.

---------------------------------------------

	0.3rc2 released

2004-03-11  Michal Ludvig <mludvig@suse.cz>

	* configure.ac: Bump up version to 0.3rc2
	* NEWS: Notes for release 0.3rc2
	* src/racoon/aclocal.m4 (RACOON_CHECK_VA_COPY): New test.
	* src/racoon/configure.in: Call RACOON_CHECK_VA_COPY
	* src/racoon/plog.c (plogv): Replace va_copy() with VA_COPY.
	* src/racoon/racoon.conf.5: Note that NAT-T support is a compile
	  time option.

2004-03-10  Michal Ludvig <mludvig@suse.cz>

	* src/racoon/racoon.conf.5: Document nat_traversal option.
	* src/racoon/racoon.8: Document new options (-L and -P).

2004-03-09  Michal Ludvig <mludvig@suse.cz>

	* src/racoon/grabmyaddr.c (autoconf_myaddrsport): Prepare addrs for
	  UDP-Encap ports if NAT-T is enabled.
	  (dupmyaddr): New function.
	* src/racoon/grabmyaddr.h: Prototype for dupmyaddr().
	* src/racoon/isakmp.c (isakmp_open): Complain if NAT-T is enabled, but
	  no port for UDP-Encap was open.
	* src/racoon/isakmp_var.h (PORT_ISAKMP_NATT): New define.
	* src/racoon/localconf.c, src/racoon/localconf.h: Define and setup
	  lcconf->port_isakmp_natt.
	* src/racoon/main.c (main): Print nicer banner,
	  (usage): Document new options (-L and -P).
	  (parse): Recognise the above.
	* src/racoon/nattraversal.c (natt_fill_options): Don't use hardcoded
	  constants for float_port.
	  (natt_enabled_in_rmconf, natt_enabled_in_rmconf_stub): New functions.
	* src/racoon/nattraversal.h: Prototype for natt_enabled_in_rmconf().
	* src/racoon/plog.c: Don't print source:line:function by default.
	* src/racoon/remoteconf.c (foreachrmconf): New helper function.
	* src/racoon/remoteconf.h: Prototype for the above.
	* package_version.h: Define strings for use in banners.
	* configure.ac: Fill up the above header.

2004-03-09  Michal Ludvig <mludvig@suse.cz>

	* src/racoon/configure.in: Don't put -O into OPTFLAGS,
	  add new option --disable-natt.
	* src/racoon/cfparse.y, src/racoon/handler.c,
	  src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
	  src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
	  src/racoon/isakmp_ident.c, src/racoon/pfkey.c,
	  src/racoon/proposal.c, src/racoon/session.c: Replace WITH_NATT
	  with ENABLE_NATT.
	* src/racoon/crypto_openssl.c: Replace %d with %zd for size_t arguments.

2004-03-06  Aidas Kasparas <a.kasparas@gmc.lt>

	* configure.ac: Refuse to continue if lexer library (yywrap()
	  function) is missing. Should prevent bugs like #892067, #908758
	* src/racoon/configure.in: renamed --with-ssleay to --with-openssl.
	  Users should not be given false idea that they require both OpenSSL
	  and SSLeay to compile racoon. (See bug #902197)

---------------------------------------------

	0.3rc1 released

2004-03-04  Michal Ludvig <mludvig@suse.cz>

	* configure.ac: Bump up version to 0.3rc1
	* NEWS: Mention release 0.3rc1 (and copy 0.2.3 and 0.2.4 notes
	  from 0.2 branch).
	* src/racoon/samples/racoon.conf.sample-natt: New sample config file.
	* src/racoon/Makefile.in: Tweak file lists to make 'distcheck' happy,
	  enabled NATT by default (will become a config option later).

2004-03-04  Michal Ludvig <mludvig@suse.cz>

	Merge with 'nat-t_branch' to bring NAT-T (NAT traversal) support
	to racoon.
	* src/racoon/Makefile.in, src/racoon/cfparse.y,
	  src/racoon/cftoken.l, src/racoon/grabmyaddr.c,
	  src/racoon/grabmyaddr.h, src/racoon/handler.c,
	  src/racoon/handler.h, src/racoon/ipsec_doi.c,
	  src/racoon/ipsec_doi.h, src/racoon/isakmp.c, src/racoon/isakmp.h,
	  src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
	  src/racoon/isakmp_ident.c, src/racoon/isakmp_quick.c,
	  src/racoon/localconf.c, src/racoon/localconf.h,
	  src/racoon/pfkey.c, src/racoon/proposal.c, src/racoon/proposal.h,
	  src/racoon/racoon.conf.5, src/racoon/remoteconf.c,
	  src/racoon/remoteconf.h, src/racoon/session.c,
	  src/racoon/strnames.c, src/racoon/vendorid.h
	  src/libipsec/pfkey.c,
	  src/racoon/nattraversal.c, src/racoon/nattraversal.h,
	  src/racoon/sockmisc.c: Affected files.

2004-02-27  Michal Ludvig <mludvig@suse.cz>

	* src/racoon/isakmp.c (set_isakmp_header1): Renamed from
	  set_isakmp_header().
	  (set_isakmp_header): New function common for set_isakmp_header1()
	  and set_isakmp_header2().
	  (copy_ph1addresses): Obey original port.
	  (isakmp_plist_append, isakmp_plist_set_all): New helper functions.
	* src/racoon/isakmp_var.h: Prototypes for the above.
	* src/racoon/isakmp.h (struct payload_list): New structure.
	* src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
	  src/racoon/isakmp_ident.c: Use isakmp_plist_* functions.

2004-02-03  Michal Ludvig <mludvig@suse.cz>

	* src/racoon/Makefile.in: Fix install to $(sbindir)
	* src/setkey/parse.y: Avoid GCC 3.3 warning (type-punned pointer).

2004-01-19  Michal Ludvig <mludvig@suse.cz>

	* rpm/ipsec-tools.FC1: Startup script for Fedora Core 1
	  (thanks to Kimmo Koivisto <kimmo.koivisto@surfeu.fi>)

2004-01-17  Aidas Kasparas <a.kasparas@gmc.lt>

	* src/racoon/isakmp_inf.c: endian mismatch fix.
	  From iij seil team

2004-01-15  Michal Ludvig <mludvig@suse.cz>

	* src/racoon/isakmp_inf.c: Prevent unauthorized deletion of SA
	  (reported on bugtraq, fixed by iij seil team).
	* src/racoon/isakmp.c: Don't try to bind to IPv6 multicast addresses.

2004-01-14  Michal Ludvig <mludvig@suse.cz>

	* src/racoon/plog.c: Fix segfault on AMD64 (va_list can be used
	  only once).
	* configure.ac: Don't build shared libipsec by default (can be
	  enabled by --enable-shared).
	* bootstrap: Don't run automake for racoon.

2004-01-12  Michal Ludvig <mludvig@suse.cz>

	* src/racoon/configure.in: Fix AC_DEFINEs to make autoheader happy,
	  use config.h for defines instead of -DHAVE_* gcc options,
	  fix CRYPTOBJS to include missing rijndael libraries only once,
	  checking for AES support in OpenSSL now (hopefully) finally
	  works on both OpenSSL 0.9.6 and 0.9.7.
	* src/racoon/*.[cyl]: Include autogenerated "config.h"
	* src/racoon/missing/crypto/*/*.c: Ditto.
	* src/racoon/.cvsignore: Add config.h, config.h.in

2004-01-09  Michal Ludvig <mludvig@suse.cz>

	* src/racoon/.cvsignore: Add "autom4te.cache" and "configure".
2437 24382004-01-09 Aidas Kasparas <a.kasparas@gmc.lt> 2439 2440 Sync with KAME 2004-01-07 2441 * src/libipsec/pfkey.c: memory leak fix; comment typo fixes 2442 * src/libipsec/{pfkey.c,pfkey_dump.c}: allow compilation even 2443 no SADB_X_EXT_TAG defined 2444 * src/libipsec/pfkey_dump.c: information about algorithms 2445 ripemd160, aes-xcbc, aes-ctr; bigger buffers; <tag> support 2446 * src/libipsec/policy_parse.y: memory leak 2447 * src/libipsec/policy_token.l: memory leak 2448 * src/libipsec/test-policy.c: unneeded \n removed 2449 * src/racoon/Makefile.in: $(sbindir) support 2450 * src/racoon/admin.c: interface changes due to proxy support 2451 * src/racoon/algorithm.c: SHA2 #ifdefs 2452 * src/racoon/{cfparse.y,cftoken.l}: license text added 2453 * src/racoon/cfparse.y: mip6 obsoleted by proxy support 2454 * src/racoon/cfparse.y: from directive support; new algorithms 2455 * src/racoon/cftoken.l: support for globbing of include files 2456 * src/racoon/configure.in: more verbose information about problems 2457 with SHA2 2458 * src/racoon/crypto_openssl.c: use new DES API if supported; algorithm 2459 key size fixes 2460 * src/racoon/eaytest.c: SHA2 #ifdefs; keysize len check 2461 * src/racoon/ipsec_doi.c: use VPTRINIT; ESP parameter validity checks; 2462 style change 2463 * src/racoon/isakmp.c: use VPTRINIT; interface changes due to 2464 mip6->proxy; typo 2465 * src/racoon/isakmp_inf.c: use VPTRINIT 2466 * src/racoon/isakmp_quick.c: mip6->proxy 2467 * src/racoon/kmpstat.c: not used variables removed 2468 * src/racoon/pfkey.c: mip6->proxy; schedule leak 2469 * src/racoon/proposal.c: style 2470 * src/racoon/remoteconf.c: mip6->proxy 2471 * src/racoon/sainfo.c: from directive support 2472 * src/racoon/sockmisc.c: side correction; addrinfo leak 2473 * src/racoon/strnames.c: typo in descriptions; wrong upper bound check 2474 * src/racoon/missing/crypto/sha2/sha2.c: wrong size 2475 * src/setkey/parse.y: extra algorithms; tagged; not needed periods 2476 removed; memory 
shortage checks 2477 * src/setkey/setkey.8: typos; tagged; new algorithms 2478 * src/setkey/setkey.c: standard argument names for main(); hexdump 2479 support; info in file support 2480 * src/setkey/token.l: new algorithms; memory shortage checks 2481 Parts not taken from KAME: 2482 * kernelfs stuff; 2483 * sysctl stuff 2484 24852004-01-08 Michal Ludvig <mludvig@suse.cz> 2486 2487 * src/racoon/config.{sub,guess}: Update from automake 1.7. 2488 24892004-01-08 Michal Ludvig <mludvig@suse.cz> 2490 2491 Patch from Kostadin Karaivanov <larry@minfin.bg>: 2492 * src/racoon/configure.in: Check for openssl/aes.h. 2493 * src/racoon/crypto_openssl.c: Use OpenSSL AES functions if available. 2494 24952004-01-08 Michal Ludvig <mludvig@suse.cz> 2496 2497 * src/racoon/configure: Remove, should be regenerated by bootstrap. 2498 24992004-01-02 Michal Ludvig <michal@logix.cz> 2500 2501 * src/racoon/crypto_openssl.c: Update to work with OpenSSL 0.9.7 2502 (by Brian Buesker <bbuesker@qualcomm.com> 2503 and Christophe Saout <christophe@saout.de>) 2504 * src/racoon/proposal.c: Be more verbose. (Michal Ludvig) 2505 * src/libipsec/ipsec_dump_policy.c: Dump FWD policies correctly 2506 (by Michal Ludvig). 2507 * src/setkey/token.l, src/setkey/parse.y: Add support for lifetime 2508 specified in bytes (by Michal Ludvig). 2509 * src/setkey/setkey.8: Document -bh/-bs options for the above feature. 2510 * src/libipsec/pfkey.c: Don't include 'sadb_key' in SADB_UPDATE 2511 message for IPcomp SA. (by Brian Buesker <bbuesker@qualcomm.com>) 2512 * src/racoon/cfparse.y: Flush SA on SIGHUP 2513 (by Brian Buesker <bbuesker@qualcomm.com>) 2514 * src/racoon/pfkey.c: IPcomp fixes 2515 (by Brian Buesker <bbuesker@qualcomm.com>) 2516 * src/racoon/proposal.c: Fix typo lifebyte -> lifetime. 2517 * src/racoon/grabmyaddr.c: Prevent segfault if getifaddrs() returns 2518 an entry with NULL ifa_addr (Michal Ludvig). 
2519 * configure.ac: Change path to kernel headers 2520 from /usr/src/devel-2.5/devel to /usr/src/linux 2521 * bootstrap: Use default tools, reconfigure src/racoon 2522 * src/racoon/configure.in: Change LIBOBJS -> AC_LIBOBJ, 2523 changed comments from 'dnl' to '#'. 2524 25252003-06-20 Derek Atkins <derek@ihtfp.com> 2526 2527 * src/racoon/aclocal.m4: 2528 * src/racoon/configure: 2529 Don't execute "for i in $3" if "$3" doesn't exist. 2530 Fixes bug #721296. 2531 25322003-03-31 Derek Atkins <derek@ihtfp.com> 2533 2534 * src/setkey/parse.y: change the NAT-T Type to use UDP_ENCAP_ESPINUDP 2535 (which is value '2') 2536 25372003-03-27 Derek Atkins <derek@ihtfp.com> 2538 2539 * src/libipsec/key_debug.c: use ntohs() before printing port 2540 * src/libipsec/pfkey.c: convert port# to network byte order 2541 * src/libipsec/pfkey_dump.c: use ntohs() before printing ports 2542 * src/setkey/parse.y: convert port#'s to network byte order 2543 25442003-03-24 Derek Atkins <derek@ihtfp.com> 2545 2546 * src/libipsec/pfkey.c: Don't switch off NAT-T extensions 2547 if they don't exist in the kernel. 2548 2549 * src/racoon/sockmisc.c: use '34' for IPV6_IPSEC_POLICY, 2550 as per Tom Lendacky <toml@us.ibm.com>. Also move the 2551 setting of IPV6_IPSEC_POLICY to the top of the file. 2552 25532003-03-13 Derek Atkins <derek@ihtfp.com> 2554 2555 Add initial support for NAT-T PFKey Extensions: 2556 * src/libipsec/key_debug.c: add support to print information 2557 about NAT-T extension packets. 2558 * src/libipsec/libpfkey.h: add two new APIs to support NAT-T 2559 for add and update as part of the SADB. 2560 * src/libipsec/pfkey.c: 2561 - Implement extended APIs to support NAT-T for add and update 2562 of the SADB. 2563 - Add APIs to fill a buffer with NAT-T packet types 2564 * src/libipsec/pfkey_dump.c: Extend the SADB output to include 2565 PFKey packets. Put port numbers with the source and dest 2566 addresses, add an 'esp-udp' SA-type, and add a printout for 2567 the NAT-OA. 
2568 * src/setkey/parse.y: 2569 - Extend setkey to create an ESP-UDP SA. 2570 - default UDP port is 4500 2571 - extend 'add' to allow <ip-addr>[<portnum>] for source and dest 2572 (the portnum specification requires the [] characters) 2573 - add an ESPUDP "protocol" from the lexer. This will use 2574 ESP and allow an optional Original Address setting. 2575 - add a function to get a udp port from a struct sockaddr * 2576 - pass the NAT-T extentions into PFKey 2577 * src/setkey/token.l: add "esp-udp" token 2578 2579 * rpm/ipsec-tools.spec.in: Bill Nottingham's SPEC-file patch: 2580 This switches it to use %{_lib} (for /lib64 systems such as 2581 x86-64 and s390x, and has it own the /etc/racoon directory in 2582 the package as well. 2583 2584--------------------------------------------- 2585 2586 0.2.2 released 2587 25882003-03-13 Derek Atkins <derek@ihtfp.com> 2589 2590 * configure.am, NEWS: 2591 Update for 0.2.2 release 2592 2593 * Makefile.am: distribute depcomp 2594 25952003-03-10 Derek Atkins <derek@ihtfp.com> 2596 2597 * src/racoon/Makefile.in: add @LEXLIB@ to the LIBS line to make 2598 sure we link against the lexer library when necessary. 2599 26002003-03-07 Derek Atkins <derek@ihtfp.com> 2601 2602 * configure.am: 2603 * Makefile.am: 2604 * rpm/Makefile.am: 2605 * rpm/ipsec-tools.spec.in: 2606 Added RPM SPEC to CVS 2607 2608--------------------------------------------- 2609 2610 0.2.1 released 2611 26122003-03-07 Derek Atkins <derek@ihtfp.com> 2613 2614 * src/racoon/configure.in: change "CFLAGS" to "CPPFLAGS" for 2615 ssl include directory, to make sure the other tests work properly. 2616 26172003-03-06 Derek Atkins <derek@ihtfp.com> 2618 2619 * src/racoon/kmpstat.c: fix gcc-3.2.2 compiler warning 2620 2621 * src/racoon/configure.in: look for krb5-config and don't 2622 use it if it's not found. Fixes a configure-time warning. 2623 2624-------------------------------------------- 2625 2626 0.2 Released 2627