source: rtems-libbsd/ipsec-tools/ChangeLog.old @ ff36f5e

5-freebsd-12
Last change on this file since ff36f5e was ff36f5e, checked in by Christian Mauderer <christian.mauderer@…>, on May 30, 2018 at 12:27:35 PM

Import ipsec-tools 0.8.2.

Import unchanged ipsec-tools sources in the release version 0.8.2. The
homepage of ipsec-tools is http://ipsec-tools.sourceforge.net/. The
sources can be obtained from there.

  • Property mode set to 100644
File size: 97.1 KB
        Migration to cvs.netbsd.org

2006-08-22  Emmanuel Dreyfus  <manu@netbsd.org>

        From Matthew Grooms:
        * src/racoon{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h}
          src/racoon{isdakmp_quick.c|isakmp_xauth.c|isakmp_xauth.h}
          src/racoon/racoon.conf.5: Add a group check option

2006-08-17  Yvan Vanhullebus  <vanhu@netasq.com>

        Patch from Matthew Grooms:
        * src/racoon/ipsec_doi.c: fixed an ASN1 size in
          ipsecdoi_checkid1()

2006-08-11  Yvan Vanhullebus  <vanhu@netasq.com>

        Patch from Matthew Grooms:
        * src/racoon/ipsec_doi.[ch]: fixed and public ipsecdoi_id2str()
        * src/racoon/isakmp_quick.c: text fix
        * src/racoon/pfkey.c: sainfo debug
        * src/racoon/sainfo.c: sainfo debug

2006-07-17  Yvan Vanhullebus  <vanhu@netasq.com>

        Reported by Matthew Grooms:
        * src/racoon/isakmp_quick.c: Fixed iph2->id / id_p checks in
        get_sainfo_r().
        * src/racoon/racoon.conf.5: updated man page for sainfo logic.

2006-07-31  Emmanuel Dreyfus  <manu@netbsd.org>
        From Matthew Grooms <mgrooms@shrew.net>
        * src/racoon/{cfparse.y|isakmp_cfg.c|isakmp_cfg.h}
          src/racoon/{isakmp_unity.c|isakmp_unity.h}: splinet support
          becomes dynamic, bugfixes

2006-07-19  Emmanuel Dreyfus  <manu@netbsd.org>
        From Peter Eisch <peter@boku.net>
        * src/racoon/samples/roadwarrior/client/phase1-up.sh: add missing
          netmask in network interface configuration

        From Matthew Grooms <mgrooms@shrew.net>
        * configure.ac src/racoon/isakmp_xauth.c: update the LDAP API usage

        From Matthew Grooms <mgrooms@shrew.net>
        * src/racoon/{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h}
          src/racoon/{isakmp_cfg.c|isakmp_unity.c|racoon.conf.5}: Split DNS
          support (server side)

2006-07-17  Yvan Vanhullebus  <vanhu@netasq.com>

        * src/libipsec/pfkey.c: Fixed SADB_X_EXT_SEC_CTX support in pfkey_align().
          Break reported by Matthew Grooms.

2006-07-13  Frederic Senault  <fred@lacave.net>

        * src/racoon/isakmp_cfg.c: fix a typo that rendered DNS4 / WINS4
          inoperable on 64bit architectures ; add a packetdump of MODE_CFG
          exchange in debug mode.

2006-07-09  Emmanuel Dreyfus  <manu@netbsd.org>
        From Matthew Grooms <mgrooms@shrew.net>
        * src/racoon{cfparse.y|cftoken.l|isakmp_quick.c|isakmp_xauth.c}
          src/racoon{isakmp_xauth.h|racoon.conf.5|sainfo.c|sainfo.h}:
          Group authentication for Xauth. Supports system groups and LDAP.

2006-07-04  Yvan Vanhullebus  <vanhu@netasq.com>

        * src/racoon/nattraversal.c: fixed a malloc check in
          natt_keepalive_add(). Patch from Bruno Wagenseil.

2006-06-30  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/{cfparse.l|cftoken.l}: meaningful error message when
        we cannot find the configuration file.

2006-06-24  Emmanuel Dreyfus  <manu@netbsd.org>
        From Matthew Grooms <mgrooms@shrew.net>
        * src/racoon{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h}
          src/racoon/{isakmp_xauth.c|isakmp_xauth.h|racoon.conf.5}: network
          configuration obtained from LDAP directory

2006-06-23  Emmanuel Dreyfus  <manu@netbsd.org>
        From Matthew Grooms <mgrooms@shrew.net>
        * configure.ac: build fixes

2006-06-22  Emmanuel Dreyfus  <manu@netbsd.org>
        * src/racoon/evt.c: build fix
        From Matthew Grooms <mgrooms@shrew.net>
        * configure.ac: build fixes around libldap and libiconv search

2006-06-21  Emmanuel Dreyfus  <manu@netbsd.org>
        * src/racoon/evt.c: Do not record events if admin socket is
          disabled.

2006-06-20  Emmanuel Dreyfus  <manu@netbsd.org>

        * configure.ac: Check for conflicts between system libiconv
          and newer libiconv header
        From Matthew Grooms <mgrooms@shrew.net>
        * configure.ac src/racoon/{cfparse.y|cftoken.l}
          src/racoon/{isakmp_cfg.h|isakmp_xauth.c|isakmp_xauth.h}
          src/racoon/{main.c|racoon.conf.5}: Use LDAP for Xauth

2006-06-20  Yvan Vanhullebus  <vanhu@netasq.com>

        * configure.ac: fixed SHA256 detection on some systems. Patch by
          Dmitry Andrianov.
        * src/racoon/{cfparse.y|cftoken.l|plog.[ch]|racoon.conf.5}:
          changed logging levels. Patch by Michal Ruzicka.

2006-06-15  Emmanuel Dreyfus  <manu@netbsd.org>
        From Matthew Grooms <mgrooms@shrew.net>
        * src/racoon/main.c: make sure RADIUS is correctly initialized

2006-06-14  Yvan Vanhullebus  <vanhu@netasq.com>

        * Makefile.am, src/Makefile.am: fixed make dist on *BSD

2006-06-07  Emmanuel Dreyfus  <manu@netbsd.org>
        * src/racoon/isakmp_cfg.c: Fix build.

2006-05-26  Emmanuel Dreyfus  <manu@netbsd.org>
        From Pawel Jakub Dawidek <pjd@FreeBSD.org>
        * src/racoon/handler.c: Fix a crash caused by a NULL pointer
        * src/racoon/oakley.c: Typos
        * src/racoon/isakmp_base.c: Fix uninitialized buffer
        * src/racoon/isakmp_base.c: Do send DPD VID in resp case (base mode)

2006-05-23  Emmanuel Dreyfus  <manu@netbsd.org>
        * src/racoon/isakmp_cfg.c: Mode cfg can be used without Xauth, so
          do not assume Xauth when preparing a hook script environment.
        From chunkeey@web.de
        * src/racoon/{algorithm.c|oakley.c|gssapi.c|ipsec_doi.c}: Fix amd64
          build warnings
        * src/racoon/ipsec_doi.c: Don't free a referenced buffer
        From Matthew Grooms <mgrooms@shrew.net>
        * src/racoon/isakmp_cfg.c: Fix for unity local_lan support

2006-05-07  Emmanuel Dreyfus  <manu@netbsd.org>
        * src/racoon/{isakmp.c|session.c|sockmisc.c|racoon.conf.5}: Do
          not reconfigure interface sockets when running in privilege
          separation as it will not work. Add debug for setsockopt().
        * src/racoon/racoonctl.8: Do not tell config reload is completely
          broken (it's only somewhat broken).

2006-05-06  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/{remoteconf.c|remoteconf.h|isakmp.c|cfparse.y}: Fix
          memory leak (Coverity)
        * src/racoon/pfkey.c: Fix memory leak (Coverity)
        * src/racoon/ipsec_doi.c: Fix memory leak (Coverity)
        * src/racoon/isakmp.c: Fix memory leak (Coverity)
        * src/racoon/dnssec.c: Fix memory leak (Coverity)
        * src/racoon/backupsa.c: Fix memory leak (Coverity)
        * src/racoon/{nattraversal.c|isakmp.c|cfparse.y}: Check for non NULL
          allocation (Coverity)
        * src/racoon/isakmp_quick.c: Remove dead code (Coverity)
        * src/racoon/oakley.c: Remove dead code (Coverity)
        * src/racoon/crypto_openssl.c: Remove dead code (Coverity)

2006-05-05  Yvan Vanhullebus  <vanhu@netasq.com>

        * src/racoon/pfkey.c: Sets NAT-T ports to 0 if no NAT
          encapsulation in pk_sendgetspi().

2006-05-04  Yvan Vanhullebus  <vanhu@netasq.com>
        From Preggna S (spreggna@novell.com)
        * src/racoon/schedule.h: fixed gnuc.h include.
        * src/racoon/{cfparse.y|cftoken.l}: Address range sainfos support.
        * src/racoon/ipsec_doi.[ch]: ipsecdoi_sockrange2id() function.

2006-05-03  Yvan Vanhullebus  <vanhu@netasq.com>
        From Joy Latten <latten@austin.ibm.com>
        * configure.ac: security context support check
        * src/libipsec/{pfkey.c|pfkey_dump.c}:
          SADB_X_EXT_PACKET / SADB_X_EXT_SEC_CTX support
        * src/setkey/{parse.ytoken.l}: parses optional security context
        * src/setkey/setkey.8: security context syntax

2006-04-27  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/{remoteconf.c|proposal.c}: fix memory leak (Coverity)

2006-04-24  Yvan Vanhullebus  <vanhu@netasq.com>

        * src/racoon/isakmp.c: style cleanup in delete_spd()

2006-04-13  Yvan Vanhullebus  <vanhu@netasq.com>

        * src/racoon/pfkey.c: Sets NAT-T ports to 0 if no NAT
          encapsulation in pk_sendupdate().

2006-04-12  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/ipsec_doi.c: fix memory leaks (Coverity)

2006-04-06  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/{admin.c|cfparse.y|cftoken.l|debugrm.c|debugrm.h}
          src/racoon/{gcmalloc.h|isakmp.c|isakmp_inf.c|isakmp_xauth.c}
          src/racoon/{logger.c|misc.h|plog.c|racoonctl.c|sockmisc.c}: Add
          strdup in the malloc debugging framework, check for strdup failures
          (found by Coverity)
        * src/racoon/admin.c: Do not use an unallocated pointer (Coverity)
        * src/racoon/schedule.c: Check for NULL pointer
        * src/racoon/{grabmyaddr.c|handler.c|isakmp.c|isakmp_cfg.c}
          src/racoon/{isakmp_inf.c|isakmp_quick.c|nattraversal.c}: Check
          that dupsaddr returns non NULL pointers (Coverity)
        * src/racoon/isakmp_quick.c: Ignore multiple notifications in the
          same message, and do not leak memory (Coverity)
        * src/racoon/{isakmp_agg.c|isakmp_ident.c}: Fix memory leak in
          GSSAPI code (Coverity)
        * src/racoon/racoonctl.c: fix minor memory leak (Coverity)
        * src/racoon/isakmp.c: fix memory leak (Coverity)
        * src/racoon{isakmp.c|isakmp_inf.c}: fix phase 1 handler leak (Coverity)

2006-04-05  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/isakmp_xauth.c: fix uninitialized variable, found by
          Coverity
        * src/racoon/{isakmp_cfg.c|isakmp_xauth.h|isakmp_xauth.c}: Do not
          use deleted phase 1 handler after errors, found by Coverity
        * src/racoon/main.c: tell which config file we use
        * src/racoon/isakmp_cfg.c: Do not use deleted phase 1 handler, found
          by Coverity
        * src/racoon/{isakmp_agg.c|isakmp_ident.c}: Do not use deleted phase 1
          handler, found by Coverity
        * src/racoon/dnssec.c: do not return a free'ed certificate, found by
          Coverity
        * src/racoon/oakley.c: fix stale pointer alias, found by Coverity
        * src/racoon/throttle.c: do not free current item while walking a
          chained list, found by Coverity
        * src/racoon/vmbuf.c: handle NULL argument for vdup, found by Coverity

2006-03-18  Emmanuel Dreyfus  <manu@netbsd.org>

        From John Nemeth <jnemeth@victoria.tc.ca> and a Coverity scan
        * src/racoon/isakmp_xauth.c: fix memory leak

2006-02-25  Emmanuel Dreyfus  <manu@netbsd.org>

        From Thomas Klausner <wiz@NetBSD.org>
        * src/racoon/{cfparse.y|handler.h}: typos

2006-02-23  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/main.c: do not reset isakmp_cfg structure after
          config reload.

2006-02-22  Yvan Vanhullebus  <vanhu@netasq.com>

        * src/racoon/vendorid.c: Fixed Vendor IDs order (well, should not
          be really necessary) and DPD VId hash generation

2006-02-17  Yvan Vanhullebus  <vanhu@netasq.com>

        * src/racoon/{cfparse.y|sainfo.c}: Support for "semi anonymous"
          sainfos.
        * src/racoon/racoon.conf.5: updated sainfos syntax
        * src/racoon/vendorid.[ch]: IPSec-Tools Vendor ID

2006-02-15  Yvan Vanhullebus  <vanhu@netasq.com>

        * src/racoon/{cfparse.y|cftoken.l}: Parse new generate_policy
          levels
        * src/racoon/remoteconf.h: defines for REQUIRE/UNIQUE/NONE
          generate policy levels
        * src/racoon/proposal.c: Sets optional reqid for generated
          policies
        * src/racoon/pfkey.c: sends UNIQUE policies to kernel if reqid
          specified
        * src/racoon/racoon.conf.5: updated generate_policy syntax

2006-02-02  Yvan Vanhullebus  <vanhu@netasq.com>

        * src/racoon/isakmp.c: Fixed zombie PH1 handler when isakmp_send()
          fails in isakmp_ph1resend()

2006-01-17  Frederic Senault  <fred@lacave.net>

        * src/racoon/cfparse.y: Add the keyid [ (tag|file) ] semantics to the
          peers_identifier keyword.

        * src/racoon/{evt.h|isakmp.c|racoonctl.c}: Send a message to the
          adminsock to allow for racoonctl to stop looping when the
          vpn-connect command is used and there is no mode config exchange.

2006-01-08  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/isakmp_cfg.c: make software behave as the documentation
          advertises for INTERNAL_NETMASK4. Keep the old INTERNAL_MASK4 to
          avoid breaking backward compatibility.

2005-12-19  Yvan Vanhullebus  <vanhu@netasq.com>

        * src/racoon/session.c: Fixed / cleaned up signal handling.

2005-12-13  Yvan Vanhullebus  <vanhu@netasq.com>

        * src/libipsec/samples/*: replaced "obey" mode by "strict" mode.

2005-12-07  Yvan Vanhullebus  <vanhu@netasq.com>

        * src/libipsec/pfkey_dump.c: fixed compilation when NAT_T
          disabled (Fred has still some CVS problems).
        * src/racoon/session.c: Calls isakmp_cfg_init() only if
          ENABLE_HYBRID in reload_conf().

2005-12-04  Frederic Senault  <fred@lacave.net>

        * src/libipsec/{libpfkey.h|pfkey_dump.c}: add a sadump_withports
          function to display SAD entries with their associated ports.
        * src/setkey/{parse.y|setkey.c|setkey.8}: allow to use setkey -p flag
          in conjunction with -D to show SADs with the port, allow both get and
          delete commands to use bracketed ports if needed.

2005-11-26  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/session.c: fix possible race conditions in signal handlers
        * src/racoon/{isakmp_cfg.c|isakmp_cfg.h|main.c|session.c}: when
          reloading configuration, do not add new mode_cfg config to the
          existing one, overwrite it instead.

2005-11-25  Emmanuel Dreyfus  <manu@netbsd.org>

        From Thomas Klausner <wiz@netbsd.org>
        * src/racoon/racoon.conf.5: Style changes

2005-11-21  Yvan Vanhullebus  <vanhu@netasq.com>

        * src/racoon/isakmp_[ident|agg].c: Check if natt is available when
          receiving a NAT_D payload from initiator. It saves a crash,
          reported by Dave Huang to NetBSD.

2005-11-20  Yvan Vanhullebus  <vanhu@netasq.com>

        * src/racoon/isakmp_agg.c: Check that we got some needed payloads
          from peer (could cause a DoS). Crash reported by Adrian Portelli
          using IKE test suite from
          http://www.ee.oulu.fi/research/ouspg/protos/testing/c09/isakmp/

2005-11-10  Yvan Vanhullebus  <vanhu@free.fr>

        Patches from Francis Dupont
        * src/libipsec/key_debug.c: SADB_X_EXT_PACKET support
        * src/libipsec/{libpfkey.h|pfkey.c}: pfkey_send_migrate() function
        * src/setkey/parse.y: IPPROTO_MH support
        * src/racoon/pfkey.c: fixed some logs
        * src/racoon/strnames.c: fixed a typo for SADB_X_PROMISC,
          appropriate define for SADB_X_NAT_T_NEW_MAPPING, added
          SADB_X_MIGRATE

2005-11-06  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/racoon/main.c, src/racoon/session.c: moved .pid file writing
          just before main loop. Thanks Stephen Thorne
        * src/racoon/localconf.h, src/racoon/cftoken.l: introduced
          path pidfile directive
        * src/racoon/racoon.conf.5: documented above
        * configure.ac: OpenSSL 0.9.8 compilation fix. Thanks Ganesan
          Rajagopal
        * configure.ac: added check for strlcat function
        * src/racoon/misc.h: define strlcat function for systems without one
        * src/racoon/remoteconf.c: strncat -> strlcat

2005-11-01  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/racoon/isakmp_inf.c: repeated gcc-4.0 build fix. Thanks
        Andreas Tobler

2005-10-30  Yvan Vanhullebus  <vanhu@netasq.com>

        Patches from Christoph Nadig for compilation on MacOS X
        * configure.ac: no lcrypt for darwin
        * src/libipsec/key_debug.c: include stdint.h if HAVE_STDINT_H
        * src/racoon/isakmp_cfg.c: some includes and some %zu
        * src/racoon/isakmp_unity.c: fixed a %zu
        * src/racoon/vmbuf.h: vfree already defined for Apple

2005-10-17  Aidas Kasparas  <a.kasparas@gmc.lt>

        Introduced subnet sainfo type.
        * src/racoon/cftoken.l: new token "subnet"
        * src/racoon/cfparse.y: added address/subnet differentiation logic
        * src/racoon/ipsec-doi.h: new constant
        * src/racoon/ipsec-doi.c: adopted to above
        * src/racoon/racoon.conf.5: documented above

2005-09-14  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/libipsec/pfkey.c: One forgotten cast caddr_t -> void *

2005-10-14  Yvan Vanhullebus  <vanhu@netasq.com>

        * src/racoon/ipsec_doi.c: don't allow NULL or empty FQDNs or
          USER_FQDNs (problem reported by Bernhard Suttner).

2005-09-10  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon[isakmp.c|isakmp_cfg.c|isakmp_inf.c}
          src/racoon/doc/FAQ configure.ac: Add --enable-broken-natt for
          kernel implementing NAT-T but unable to cope with IKE ports in
          SAD and SPD.

2005-09-05  Emmanuel Dreyfus  <manu@netbsd.org>

        From Wilfried Weissmann:
        * src/libipsec/policy_parse.y src/racoon/oakley.c
          src/racoon/{sockmisc.c|sockmisc.h}: build fixes


2005-09-03  Emmanuel Dreyfus  <manu@netbsd.org>

        From Francis Dupont <Francis.Dupont@enst-bretagne.fr>
        * src/libipsec/pfkey.c src/racoon/pfkey.c: Cope with extensions

2005-08-26  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/evt.c: Fix memory leak when event queue overflows

2005-08-23  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/{isakmp_agg.c|isakmp_ident.c|isakmp_base.c}: Correctly
          initialize NAT-T VID to avoid freeing unallocated stuff.

2005-08-21  Emmanuel Dreyfus  <manu@netbsd.org>

        From Matthias Scheler <matthias.scheler@tadpole.com>
        * src/racoon/{isakmp_cfg.c|racoon.conf.5}: enable the use of
          ISAKMP mode config without Xauth.

2005-08-16  Emmanuel Dreyfus  <manu@netbsd.org>

        From Thomas Klausner <wiz@netbsd.org>
        * src/setkey/setkey.8: remove trailing whitespaces

2005-09-09  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/policy.c: Do not parse all sptree in inssp() if we
          don't use Policies priority.

2005-08-20  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/handler.c: Fixed a possible crash in
          remove_ph2(). Reported by Dietmar Eggemann.

2005-08-14  Emmanuel Dreyfus  <manu@netbsd.org>

        From Francis Dupont <Francis.Dupont@enst-bretagne.fr>
        * src/racoon/dnssec.c: fix bogus test on function result

2005-08-11  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/isakmp.c: Improved in/out SA addresses check in
          purge_remote(). Reported by Patrick Ma.

2005-08-08  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/libipsec/{key_debug.c|pfkey.c|pfkey_dump.c}: de-lint, warnings

2005-08-08  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/privsep.c: Fixed a %d -> %zu in
        port_check() (reported by Matthias Scheler).

2005-08-04  Emmanuel Dreyfus  <manu@netbsd.org>

        * configure.ac: correctly quote RACOON_PATH_LIBS arguments

2005-08-02  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/isakmp_inf.c: First fix to
        info_recv_initialcontact(): do a basic IP check when no NAT-T.

2005-07-26  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/isakmp.c: Fixed purge_remote()

2005-07-25  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/isakmp.c: Do not purge IPSec SAs in purge_remote() if
        a new ph1handle exists (patch by Krzysztof Oledzki)

2005-07-20  Aidas Kasparas  <a.kasparas@gmc.lt>

        * configure.ac: disabled --enable-samode-unspec under linux

2005-07-20  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/isakmp_quick.c: Ignore NATOA payloads in
        quick_r1recv() as it is done in quick_i2recv().
        * configure.ac: new --enable-fastquit option
        * src/racoon/session.c: new optional code when flushing SAs,
        which is faster and should have no deadlocks. configure
        --enable-fastquit option to enable it.

2005-07-19  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/isakmp.c: Checks in isakmp_ph1begin_r() if we got the
        packet from NAT-T port, and set up the NAT_PORTS_CHANGED in that
        case (RFC 3947, sect 4, we MUST allow new phase1 negotiations on
        NAT-T floated port), to correctly generate the reply.

2005-07-16  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/racoon/grabmyaddr.c: fixed file descriptor leak. Thanks to
          Patrice Fournier
        * src/racoon/setkey.c: disabled readline's filename completion
          (bug 1179281 fix)
        * src/racoon/proposal.c: fixed mode selection for SAs with
          complex_bundle on behind NAT

2005-07-14  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/handler.c: - Clears the DPD schedule in delph1()
                                - Cleared up sanity checks in delph1()
                                - Sets p->rmconf to NULL if no new
                                  remoteconf in revalidate_ph1tree_rmconf()
        * src/racoon/isakmp.c: Added sanity checks in script_hook()
        * src/racoon/oakley.c: Sanity check in save_certbuf()


2005-07-13  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/setkey/Makefile.am: missing file in distribution

2005-07-12  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/isakmp.c: Fixed a mem leak in isakmp_send().

2005-07-12  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/pfkey.c: Set IKE ports to 0 in the SA when NAT-T is not
          used.
        * src/racoon/{crypto_openssl.c|ipsec_doi.c|oakley.c} configure.ac
          src/racoon/missing/crypto/sha2/sha2.h: Support OpenSSL-0.9.8
        * src/racoon/{admin.c|session.c}: Don't use the adminport if it is
          disabled
        * src/racoon/samples/roadwarrior/client/{pahse1-up.sh|phase1-down.sh}:
          Add comments for using the scripts without NAT-T

2005-07-11  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/ipsec_doi.c configure.ac: More build fixes on Linux.
          Accommodate various libiconv versions

2005-07-10  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/ipsec_doi.c configure.ac: build fixes on Linux.
          Accommodate various libiconv versions

2005-07-09  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/crypto_openssl.c: Fixed evp_crypt when using crypto
          algorithms with variable key size but not OpenSSL default key
          size.

2005-07-07  Emmanuel Dreyfus  <manu@netbsd.org>

        From Mathias Scheler <tron@netbsd.org>
        * src/racoon/raccon.conf.5: Document that aes can be used in
          racoon.conf

2005-07-06  Frederic Senault  <fred@lacave.net>

        * src/setkey/setkey.c: fix compilation with readline.
        * src/racoon/oakley.c: move declarations to fix compilation issues
          with gcc 2.95.4/FreeBSD4, re-indentation and style cleanup of the
          pkcs7 patch.

2005-07-04  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/isakmp_inf.c: safety checks on informational messages
        * src/racoon/{pfkey.c|proposal.c}: IPcomp fixes

2005-07-01  Emmanuel Dreyfus  <manu@netbsd.org>

        From Uri Blumenthal <urimobile@optonline.net>:
        * src/racoon/{ipsec_doi.c|Makefile.am}: Linux build fixes
        * src/racoon/oakley.c: pkcs7 support

2005-06-29  Emmanuel Dreyfus  <manu@netbsd.org>

        From Christos Zoulas <christos@zoulas.com>
        * configure.ac src/setkey/{parse.y|setkey.c|token.l}
          src/libipsec/{ipsec_dump_policy.c|ipsec_get_policylen.c|key_debug.c}
          src/libipsec/{libpfkey.h|pfkey_dump.c|policy_parse.y}: de-lint,
          using void * instead of caddr_t and adding const where appropriate.
        * src/setkey/extern.h: new file
        * src/libipsec/{pfkey.c|pfkey_dump.c|policy_parse.y}
          src/racoon/{sockmisc.c|sockmisc.h}: de-lint signed/unsigned,
          size_t/int and lint constants

2005-06-24  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/handler.c: Fixed phase2 enc algo check when reloading
          conf (could flush a phase2 handler when not needed).

2005-06-19  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/{admin.c|handler.c|handler.h|racoonctl.c|racoonctl.h}
          src/racoon/racoonctl.8:
          Add a logout-user command to racoonctl to kick out all SA for a
          given Xauth user

        From Ludo Stellingwerff <ludo@protactive.nl>:
        * src/racoon/isakmp.c: NAT-T fix: We treat null ports in SPD as
          wildcard so that IKE ports are used instead. This was done on
          phase 2 initiation from the kernel (acquire message), but not
          on phase 2 initiation retries when the phase 2 had been queued
          for a phase 1.

        From Uri Blumenthal <urimobile@optonline.net>
        and Larry Baird <lab@gta.com>:
        * src/libipsec/pfkey_dump.c src/setkey/test-pfkey.c
          src/racoon/{algorithm.c|cftoken.l|eaytest.c|ipsec_doi.c}
          src/racoon/{ipsec_doi.h|pfkey.c|strnames.c}: Add SHA2 support
        * src/setkey/setkey.8 src/racoon/racoon.conf.5: update doc for SHA2
        * src/setkey/token.l: Add aliases shaxxx for sha2_xxx

2005-06-07  Emmanuel Dreyfus  <manu@netbsd.org>

        From Larry Baird <lab@gta.com>
        * src/racoon/isakmp.c: consume NAT keepalive data already seen
          with MSG_PEEK

2005-06-07  Frederic Senault  <fred@lacave.net>

        * configure.ac src/racoon/{cfparse.y|isakmp_cfg.h|isakmp_cfg.c}
          src/racoon/{handler.c|privsep.c|privsep.h|racoon.conf.5}: Add
          support for system accounting into the utmp files, with the
          "accounting system" directive.

        * src/privsep.c: Bug fixes in the xauth password handling code.

2005-06-06  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/isakmp_quick.c: endianness bug fix

2005-06-05  Emmanuel Dreyfus  <manu@netbsd.org>

        From Thomas Klausner <wiz@netbsd.org>
        * src/setkey/setkey.8 src/racoon/racoon.conf.5: remove trailing
          spaces, grammar fix

2005-05-31  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/racoon/ipsec_doi.c: Inserted missing 0th element of
          rm_idtype2doi array. Bug #1199700 fix.

2005-05-30  Frederic Senault  <fred@lacave.net>

        * src/racoon/oakley.h: Fix a typo in the RMAUTHMETHOD macro
          definition.

        * src/racoon/isakmp_cfg.c: Fix the switch so that the phase1 script
          is executed at the end of the mode cfg exchange ; add a debug
          message at the script startup.

2005-05-23  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/admin.c: build fix

2005-05-20  Emmanuel Dreyfus  <manu@netbsd.org>

        From Mike Robinson <sundialservices@users.sourceforge.net>
        * src/racoon/isakmp_xauth.c: really delete phase 1 on Xauth failure

        * src/libipsec/pfkey.c src/racoon/ipsec_doi.c: Fix NAT-T + IPcomp

        From hgates <hgates.lists@gmail.com>
        * src/racoon/proposal.c: fix SPI size test for IPcomp

        From Larry Baird <lab@gta.com>
        * src/racoon/{handler.c|ipsec_doi.c}: When altering lifetime,
          duplicate the proposal instead of modifying the configured one.

2005-05-19  Frederic Senault  <fred@lacave.net>

        * configure.ac src/racoon/plog.c: Fix the logging functions to work
          around the lack of support of printf %zu in FreeBSD 4 (at least).

        * src/racoon/{isakmp.c|pfkey.c}: Put sockets in non-blocking mode to
          fix a hangup with FreeBSD 4.

        * src/racoon/{isakmp_inf.c|isakmp_unity.h|strnames.c}: Recognize a
          unity-specific heartbeat message.
        * src/racoon/isakmp_inf.c: Reorganize switch statement in
          isakmp_check_notify.

2005-05-17  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/handler.c: Fixed exchange type check in
          revalidate_ph1().
        * src/racoon/pfkey.c: changed includes order to fix compilation.

2005-05-14  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/libipsec/policy_parse.y: Fix parse problem

2005-05-14  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/racoon/sockmisc.c: Debug message said it will send to
          source address instead of destination.

2005-05-13  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/isakmp_inf.c: fix build problem

2005-05-13  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/isakmp.c: Fixed a double ph2handler free in
          isakmp_ph2begin_i().

2005-05-12  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/isakmp_quick.c: fix build problem on some platforms

        * src/racoon/isakmp.c: For acquire messages, when NAT-T is in use,
          consider null port as a wildcard and use IKE ports.

7232005-05-10  Emmanuel Dreyfus  <manu@netbsd.org>
724
725        * src/racoon/samples/roadwarrior/server/{racoon.conf|racoon.conf-radius}
726          src/racoon/samples/roadwarrior/server/phase1-down.sh: removed file
727          src/racoon/samples/roadwarrior/client/racoon.conf: update config
728          files to higher security settings. Remove now useless phase 1 down
729          script on server side.
730        * Update README to reflect server/phase1-down.sh removal
731
7322005-05-09  Emmanuel Dreyfus  <manu@netbsd.org>
733
734        * src/racoon/{cftoken.l|cfparse.y|isakmp_cfg.c|isakmp_cfg.h}
735          src/racoon/{isakmp_unity.c|racoon.conf.5}: Add PFS group and
736          save password extensions from Cisco in ISAKMP mode config.
737
7382005-05-08  Emmanuel Dreyfus  <manu@netbsd.org>
739
740        * src/racoon/{handler.c|ipsec_doi.c|proposal.c}: check for lifebyte
741          in proposals
742        * src/racoon/ipsec_doi.c: fix a bug in proposal_check claim for phase 1
743        * src/racoon/handler.c: style
744
745        * src/racoon/isakmp_xauth.c: fix build with shadow passwords
746
7472005-05-07  Emmanuel Dreyfus  <manu@netbsd.org>
748
749        * configure.ac src/racoon/isakmp_xauth.c: support shadow passwords
750        * src/racoon/{isakmp_inf.c|isakmp_inf.h}: missing prototype
751        * src/racoon/{handler.h|isakmp_inf.c|isakmp_quick.c|isakmp_var.h}
752          src/racoon/pfkey.c: Move purge_remote() and delete_spd() prototypes
753          to the right header file
754
7552005-05-06  Emmanuel Dreyfus  <manu@netbsd.org>
756
757        * src/racoon/{admin.c|isakmp.c|isakmp_inf.c}: factor various
758          ISAKMP SA termination (for DPD timeouts and delete message) to
759          use purge_remote() so that SA and generated SPD get correctly flushed
760        * src/racoon/{handler.c|handler.h}: Introduce getph1byaddrwop() and
761          getph2bysaddr()
762        * src/racoon/{isakmp.c|isakmp_var.h|isakmp_inf.c|isakmp_inf.h}: make
763          purge_remote(), setcopeid() and delete_spd() public
764        * src/racoon/isakmp_quick.c: remove duplicated setscopeid()
765        * src/racoon/{sockmisc.c|sockmisc.h} introduce a CMPSADDR() macro
766          to compare with ports when ENABLE_NATT and without otherwise
767
7682005-05-06  Frederic Senault  <fred@lacave.net>
769
770        * src/racoon/isakmp_inf.c: Only print the contents of an informative
771          message if the payload indicates an error; transmit the return
772          values from the DPD functions.
773
7742005-05-06  Emmanuel Dreyfus  <manu@netbsd.org>
775
776        * src/racoon/isakmp_inf.c: Fix a bug causing informational message
777          payloads to be ignored
778
7792005-05-05  Yvan Vanhullebus  <vanhu@free.fr>
780
781        * src/racoon/isakmp_inf.c: Fixed some potential crashes in
782          purge_remote() and purge_ipsec_spi().
783
7842005-05-05  Emmanuel Dreyfus  <manu@netbsd.org>
785
786        * src/libipsec/{policy_parse.y|policy_token.l}
787          src/setkey/{setkey.8|token.l}: Allow ports to be supplied in SP
788          endpoints, for accurate ESP over UDP matching
789        * src/racoon/{isakmp.c|racoon.conf.5}: Send IKE local and remote
790          ports to the hook scripts
791        * src/racoon/remoteconf.c: do not honour ports when looking up
792          a remote config, as our remote config have no port information
793        * src/racoon/samples/roadwarrior/client/{phase1-up.sh|phase1-down.sh}:
794          use the IKE ports supplied by racoon to set up accurate endpoints
795          ports in SP endpoints
796
7972005-05-04  Yvan Vanhullebus  <vanhu@free.fr>
798
799        * src/racoon/isakmp_inf.c: code cleanup for SPD remove, generated
800          policies are now also removed when DPD purge.
801
8022005-05-04  Emmanuel Dreyfus  <manu@netbsd.org>
803
804        From Manisha Malla <mmanisha@novell.com>
805        * src/racoon/isakmp_cfg.c: fix unsigned int checked for being negative
806
807        From Ludo Stellingwerff <ludo@protactive.nl>
808        * src/setkey/{parse.y|token.l}: build on systems that do not have
809          TCP-MD5 support
810
8112005-05-04  Michal Ludvig  <michal@logix.cz>
812
813        * configure.ac: Revert GLIBC_BUGS change from 2005-04-15
814
8152005-05-03  Frederic Senault  <fred@lacave.net>
816
817        * src/racoon/{cfparse.y|cftoken.l|isakmp_inf.c|racoon.conf.5}
818          src/racoon/{remoteconf.c|remoteconf.h}: Add a weak_phase1_check
819          option to enable the handling of unencrypted delete payloads.
820
821        * src/racoon/plog.c: Use of isgraph in binsanitize.
822
823        * src/racoon/rfc/rfc3706.txt: new file: Dead Peer Detection RFC.
824
825        * src/racoon/isakmp_inf.c: Unused code cleanup.
826
8272005-04-26  Emmanuel Dreyfus  <manu@netbsd.org>
828
829        * bootstrap: Darwin support
830
831        From Larry Baird <lab@gta.com>
832        * src/racoon/nattraversal.c: Fix NAT-T for initiator
833
834        From Andreas Tobler <toa@pop.agri.ch>:
835        * src/racoon/{misc.h|throttle.c|remoteconf.c|sockmisc.c|privsep.c}
836          src/racoon/{pfkey.c|isakmp.c|grabmyaddr.c|getcertsbyname.c}
837          src/racoon/configure.ac src/libipsec/policy_token.l
838          src/setkey/token.l: Build on Darwin
839
8402005-04-25  Emmanuel Dreyfus  <manu@netbsd.org>
841
842        * src/racoon/handler.h: ifdef DPD and NAT-T data in data structures
843
844        * src/libipsec/{ipsec_dump_policy.c|pfkey_dump.c|libpfkey.h}
845          src/setkey/{setkey.8|setkey.c}: add a -p option to setkey to
846          enable the display of ESP over UDP ports in policies.
847
848        * src/racoon/ipsec_doi.c: fix LP64 bug
849         
850        From Ludo Stellingwerff <ludo@protactive.nl>:
851        * src/racoon/isakmp.c: build without NAT-T
852
853        From F. Senault <fred.letter@lacave.net>
854        * src/racoon/{evt.h|isakmp.h|isakmp_inf.c|plog.c|plog.h|racoonctl.c}
855          src/racoon/isakmp_xauth.c: Take into account payloads bundled after
856          an ISAKMP informational message.
857
858        From Patrick McHardy <kaber@trash.net>
859        * src/racoon/{handler.c|handler.h|pfkey.c}: When handling acquire
860          message, lookup phase 2 by (src, dst, id) instead of only id.
861
8622005-04-23  Emmanuel Dreyfus  <manu@netbsd.org>
863
864        * src/libipsec/ipsec_dump_policy.c: display port numbers in policies
865        * src/racoon/{isakmp.c|isakmp_cfg.c|isakmp_inf.c|pfkey.c}: don't
866          forget port numbers so that multiple clients behind the same NAT
867          can work.
868
869        From Larry Baird <lab@gta.com>
870        * src/racoon/{isakmp.c|nattraversal.c|isakmp_quick.c|nattraversal.h}:
871        NAT-T fixes for interoperability with greenbow VPN client.
872
8732005-04-21  Aidas Kasparas  <a.kasparas@gmc.lt>
874
875        * src/libipsec/policy.parse.y, src/racoon/cfparse.y,
876          src/libipsec/policy_parse.y, src/racoon/cfparse.y,
877          src/racoon/cftoken.l, src/racoon/crypto_openssl.c,
878          src/racoon/getcertsbyname.c, src/racoon/grabmyaddr.c,
879          src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
880          src/racoon/isakmp_inf.c, src/racoon/pfkey.c,
881          src/racoon/plainrsa-gen.c, src/racoon/sockmisc.c,
882          src/racoon/sockmisc.h, src/racoon/racoonctl.c: made compile
883          with gcc-4.0 (20050410 prerelease)
884
8852005-04-20  Aidas Kasparas  <a.kasparas@gmc.lt>
886
887        From: Ganesan Rajagopal <rganesan@users.sourceforge.net>
888        * configure.ac: fix --enable-ipv6 logic
889
8902005-04-19  Yvan Vanhullebus  <vanhu@free.fr>
891
892        * src/racoon/remoteconf.c: fixed dupisakmpsa() and dhgroup.
893
8942005-04-18  Aidas Kasparas  <a.kasparas@gmc.lt>
895
896        * src/racoon/crypto_openssl.c: fixed single DES support;
897        * NEWS: noted fix
898
8992005-04-18  Emmanuel Dreyfus  <manu@netbsd.org>
900       
901        * src/racoon/isakmp_base.c: DPD support, fix memory leak
902
903        From Thomas Klausner <wiz@NetBSD.org>
904        * src/libipsec/{ipsec_set_policy.3|ipsec_strerror.3}
905          src/racoon/{admin.c|plainrsa-gen.8|racoon.8|racoon.conf.5|racoonctl.8}
906          src/racoon/samples/{racoon.conf.in|racoon.conf.sample}
907          src/racoon/samples/racoon.conf.sample-gssapi
908          src/racoon/samples/racoon.conf.sample-inherit
909          src/racoon/samples/racoon.conf.sample-natt
910          src/racoon/samples/racoon.conf.sample-plainrsa
911          src/racoon/samples/roadwarrior/README
912          src/racoon/samples/roadwarrior/server/phase1-down.sh
913          src/setkey/setkey.8: documentation fixes
914
915        From KAME
916        * src/racoon/ipsec_doi.c: wrong check on SA lifebyte
917
918        From Fred Senault <fred.letter@lacave.net>
919        * src/racoon/{cfparse.y|cftoken.l} drop split_net_type directive,
920          which is now incorporated into split_net_tunnels
921        * src/raccon/{isakmp.c|isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c}
922          src/racoon/isakmp_xauth.h: support login and password sent
923          in different packets during the Xauth exchange. This makes racoon
924          interoperable with SecureComputing's sidewinder
925        * src/racoon/{strnames.c|strnames.h}: more debug strings for Xauth
926
9272005-04-17  Yvan Vanhullebus  <vanhu@free.fr>
928
929        * src/racoon/handler.c: Configuration reload validation code
930        * src/racoon/handler.h: revalidate_ph12() function
931        * src/racoon/ipsec_doi.c: duplicates iph1->approval in
932          get_ph1approval(), some fields sets to NULL when needed
933        * src/racoon/isakmp_inf.[ch]: purge_ipsec_spi() is now public
934        * src/racoon/localconf.[ch]: save/restore_params() functions
935        * src/racoon/main.c: moved restore_params functions to localconf
936        * src/racoon/remoteconf.c: save_rmconf() functions, dupisakmpsa()
937          function, some values set to NULL when needed
938        * src/racoon/remoteconf.h: save_rmconf() functions, dupisakmpsa()
939          function
940        * src/racoon/sainfo.[ch]: save_sainfotree() functions
941        * src/racoon/session.c: Reloads conf on a SIGHUP without losing
942          existing tunnels
943
9442005-04-15  Aidas Kasparas  <a.kasparas@gmc.lt>
945
946        From Zilvinas Valinskas <zilvinas@gemtek.lt>:
947        * configure.ac:
948          - cross-compile type fix (patch 1);
949          - --enable-{frag|hybrid}=no fixes (patches 6,7);
950          - support for --with-flex, --with-flexlib (patch 11);
951          - GLIBC_BUGS assignment correction (patch 14 with mods).
952        * src/racoon/isakmp.c: fix compilation when hybrid disabled.
953
9542005-04-11  Emmanuel Dreyfus <manu@netbsd.org>
955
956        * src/racoon/rfc/{rfc2407.txt|rfc2408.txt: new files
957          RFC for IPsec DOI and ISAKMP
958
9592005-04-10  Emmanuel Dreyfus <manu@netbsd.org>
960
961        * src/racoon/isakmp_base.c: resurrect RSASIG support
962        * src/racoon/isakmp_ident.c: missing support for hybrid auth
963        * src/racoon/{isakmp_base.c|oakley.c}: missing bits for hybrid/base mode
964
9652005-04-09  Emmanuel Dreyfus <manu@netbsd.org>
966
967        * src/racoon/{algorithm.c|algorithm.h|cftoken.l|ipsec_doi.c}
968          src/racoon/{isakmp.c|isakmp_agg.c|isakmp_ident.c|isakmp_base.c}
969          src/racoon/{isakmp_frag.h|isakmp_xauth.c|oakley.c|racoon.conf.5}:
970          Add Xauth + RSASIG, for client and server. Add all Xauth and
971          IKE fragmentation logic to base and ident mode.
972        * src/libipsec/{pfkey.c|pfkey_dump.c}
973          src/setkey/parse.y: more missing TCP_MD5 bits from KAME
974
9752005-04-08  Emmanuel Dreyfus <manu@netbsd.org>
976
977        * src/racoon/cfparse.y: a list of network can be specified for split
978          tunnelling
979        * src/racoon/{isakmp_cfg.c|racoon.conf.5}: add INTERNAL_CIDR4, the
980          netmask in CIDR notation, to the hook script environment.
981        * src/setkey/{token.l|parse.y|setkey.8}: KAME backport of missing
982          bits for TCP_MD5 support.
983
984        From Fred Senault <fred.letter@lacave.net>
985        * src/racoon/{cfparse.y|cftoken.l|ipsec_doi.c|ipsec_doi.h}
986          src/racoon/racoon.conf.5: KEYID identifier can be taken from
987          a file or from a quoted string
988
9892005-04-05  Emmanuel Dreyfus <manu@netbsd.org>
990
991        From Fred Senault <fred.letter@lacave.net>
992        * src/racoon/admin.c: fix the admin interface that was left behind
993          after recent Xauth changes
994        * src/racoon/{cfparse.y|isakmp_xauth.c|isakmp_xauth.h|oakley.c}
995          src/racoon/{remoteconf.c|remoteconf.h}: factor Xauth info in
996          remote conf within a single structure.
997        * src/racoon/{isakmp.c|isakmp_cfg.c}: on client side, do not run
998          phase1-up script before ISAKMP mode config is done
999        * src/racoon/isakmp_inf.c: log a buggy condition
1000        * src/racoon/{isakmp.c|isakmp_agg.c|isakmp_base.c|isakmp_ident.c}
1001          src/racoon/{oakley.c|oakley.h}: Use the AUTHMETHOD macro to
1002          distinguish between XAUTH PSK and Kerberos authentications
1003        * src/racoon/{oakley.c|remoteconf.c}: set a default for certificate
1004          requests
1005        * src/racoon/isakmp_xauth.c: Fix serious security bug introduced
1006          on 2005-03-09: Xauth validation was required for phase 2 on the
1007          client (thus blocking phase 2), but not on the server (thus
1008          making it open regardless of Xauth exchange).
1009        * src/racoon/vendorid.c: dump unknown VIDs
1010         
1011
10122005-04-06  Yvan Vanhullebus  <vanhu@free.fr>
1013
1014        * src/racoon/crypto_openssl.c: Disable OpenSSL padding in
1015        evp_crypt(), because it may cause some interoperability problems.
1016        Solution reported by Ganesan Rajagopal.
1017
10182005-04-05  Emmanuel Dreyfus <manu@netbsd.org>
1019
1020        * src/racoon/main.c: build with hybrid but without libradius
1021       
10222005-04-05  Yvan Vanhullebus  <vanhu@free.fr>
1023
1024        * src/racoon/handler.h: added a flag to identify generated policies
1025        * src/racoon/isakmp.c: changed logging in isakmp_ph1expire()
1026        * src/racoon/isakmp_inf.c: use iph2->generated_spidx to check if
1027          policy has been generated in purge_remote_spi()
1028        * src/racoon/isakmp_quick.c: sets iph2->generated_spidx for
1029          generated policies
1030        * src/racoon/pfkey.c: reactivated the unbindph12() in pk_recvupdate()
1031
10322005-04-04  Emmanuel Dreyfus <manu@netbsd.org>
1033
1034        * src/racoon/isakmp_cfg.c: fix a buffer overrun in mode config SET
1035
10362005-03-30  Michal Ludvig  <michal@logix.cz>
1037
1038        * configure.ac: Don't compile with NAT-T by default (according to
1039          documentation, finally :-)
1040
10412005-03-27  Michal Ludvig  <michal@logix.cz>
1042
1043        From Zilvinas Valinskas <zilvinas@gemtek.lt>:
1044        * configure.ac:
1045          - Use AC_CHECK_HEADER for kernel headers instead of AC_CHECK_FILE.
1046          - Fix OpenSSL check for cross-compilation.
1047        * acracoon.m4(RACOON_CHECK_VA_COPY): Allow cross-compilation.
1048          (RACOON_CHECK_BUGGY_GETADDRINFO): Ditto.
1049
10502005-03-16  Emmanuel Dreyfus <manu@netbsd.org>
1051
1052        * src/racoon/privsep.c: check for NULL path in unsafe_path()
1053        * src/racoon/privsep.c: missing space
1054
10552005-03-15  Emmanuel Dreyfus <manu@netbsd.org>
1056
1057        * src/racoon/{cfparse.y|cftoken.l|isakmp.c|isakmp_cfg.c|isakmp_cfg.h}
1058          src/racoon/{isakmp_var.h|isakmp_xauth.c|localconf.h|privsep.c}
1059          src/racoon/{privsep.h|racoon.conf.5|remoteconf.c|remoteconf.h}
1060          src/racoon/main.c: Remove most of config dependency from
1061          privileged instance for upcoming config reload patch.
1062        * src/racoon/isakmp_cfg.h: fix the application version for Xauth
1063        * src/racoon/isakmp_cfg.c: only call cleanup_pam when PAM is used
1064
10652005-03-14  Emmanuel Dreyfus <manu@netbsd.org>
1066
1067        * configure.ac: handle correctly dynamic libradius
1068        * src/racoon/cfparse.y: correctly initialize address pool
1069
10702005-03-13  Yvan Vanhullebus  <vanhu@free.fr>
1071
1072        * src/racoon/isakmp.c: Fixed a buffer underrun (CAN-2005-0398)
1073
10742005-03-09  Emmanuel Dreyfus <manu@netbsd.org>
1075
1076        From Fred Senault <fred.letter@lacave.net>
1077        * src/racoon/cfparse.y: endianness bugfix
1078        * src/racoon/isakmp_xauth.c: off by one bugs in strings
1079        * src/racoon/oakley.h: missing parenthesis causing bugs
1080
10812005-03-09  Emmanuel Dreyfus <manu@netbsd.org>
1082
1083        * src/racoon/isakmp_xauth.c: fix a crash when using RADIUS auth
1084
10852005-03-07  Emmanuel Dreyfus <manu@netbsd.org>
1086
1087        From Fred Senault <fred.letter@lacave.net>
1088        * src/racoon/{algorithm.c|algorithm.h|cfparse.y|cftoken.l}
1089          src/racoon/{handler.c|ipsec_doi.c|ipsec_doi.h|isakmp.c}
1090          src/racoon/{isakmp_agg.c|isakmp_base.c|isakmp_cfg.c|isakmp_cfg.h}
1091          src/racoon/{isakmp_ident.c|isakmp_inf.c|isakmp_quick.c}
1092          src/racoon/{isakmp_unity.c|isakmp_xauth.c|kmpstat.c|oakley.c}
1093          src/racoon/{oakley.h|plainrsa-gen.8|privsep.c|racoon.conf.5}
1094          src/racoon/{racoonctl.c|remoteconf.c|remoteconf.h|strnames.c}
1095          src/racoon/{strnames.h|throttle.c}: Support plain Xauth, split
1096          tunnelling, multiple DNS & WINS in ISAKMP mode config.
1097
10982005-03-02  Yvan Vanhullebus  <vanhu@free.fr>
1099
1100        * src/racoon/isakmp_quick.c: tunnel_mode_prop() is now public
1101        * src/racoon/isakmp_inf.c: fixed compilation if HAVE_POLICY_FWD.
1102
11032005-03-01  Yvan Vanhullebus  <vanhu@free.fr>
1104
1105        * src/racoon/oakley.c: fixed oakley_newiv2() when errors
1106
11072005-02-24  Emmanuel Dreyfus <manu@netbsd.org>
1108       
1109        * src/racoon/privsep.c: safety check port numbers given by the
1110          unprivileged instance.
1111        * src/racoon/racoonctl.8: display fixes in racoonctl(8)
1112
11132005-02-23  Emmanuel Dreyfus <manu@netbsd.org>
1114
1115        * configure.ac, src/racoon/{Makefile.am|crypto_openssl.c}: optional
1116          support for patented algorithms: IDEA and RC5.
1117        * src/racoon/{isakmp_xauth.c|main.c}: don't initialize RADIUS if it
1118          is not required in the configuration
1119        * src/racoon/isakmp.c: do not reject addresses for which kernel
1120          refused UDP encapsulation, they can still be used for non NAT-T
1121          traffic (eg: NAT-T enabled racoon on non NAT-T enabled kernel)
1122        * src/libipsec/libpfkey.h: prefer __inline to inline
1123        * src/racoon/{cfparse.y|cftoken.l|localconf.c|localconf.h|privsep.c}
1124          src/racoon/racoon.conf.5: Add chroot capability
1125
11262005-02-18  Emmanuel Dreyfus <manu@netbsd.org>
1127
1128        * src/racoon/{main.c|eaytest.c|plairsa-gen.c}
1129          src/setkey/setkey.c: don't use fuzzy paths for package_version.h
1130
11312005-02-18  Michal Ludvig  <michal@logix.cz>
1132
1133        * configure.ac, rpm/suse/ipsec-tools.spec.in,
1134          rpm/suse/Makefile.am: Distribute .spec file with
1135          resolved version string.
1136        * src/racoon/Makefile.am: Allow parallel cluster build.
1137
11382005-02-17  Emmanuel Dreyfus <manu@netbsd.org>
1139
1140        From Fred Senault <fred.letter@lacave.net>
1141        * src/racoon/remoteconf.c: Fix a bug in script init
1142
11432005-02-17  Yvan Vanhullebus  <vanhu@free.fr>
1144
1145        * src/racoon/ipsec_doi.c: Workaround for phase1 lifetime checks
1146
11472005-02-16  Yvan Vanhullebus  <vanhu@free.fr>
1148
1149        * src/racoon/isakmp_inf.c: Purge generated SPDs when getting a
1150          related DELETE_SA
1151        * src/racoon/pfkey.c: do NOT unbindph12() when SA acquire
1152
11532005-02-15  Michal Ludvig  <michal@logix.cz>
1154
1155        * configure.ac: Changed --enable-natt_NN to --enable-natt-versions=NN,NN
1156
1157---------------------------------------------
1158
1159        Branch for 0.6 created (ipsec-tools-0_6-branch)
1160
11612005-02-11  Emmanuel Dreyfus <manu@netbsd.org>
1162
1163        From Jason Thorpe  <thorpej@netbsd.org>
1164        * src/raccon/samples/racoon.conf.sample-gssapi
1165          src/racoon/{cfparse.y|cftoken.l|gssapi.c|gssapi.h|ipsec_doi.c}
1166          src/racoon/{localconf.c|localconf.h|racoon.conf.5}
1167          configure.ac: Multiple GSSAPI fixes to get interoperability
1168          with Microsoft IKE.
1169
11702005-02-09  Emmanuel Dreyfus <manu@netbsd.org>
1171
1172        * src/racoon/{cfparse.y|isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c}
1173          src/racoon/{isakmp_xauth.h|main.c|privsep.c|privsep.h}
1174          src/racoon/racoon.conf.5: Make PAM work with privilege separation
1175
11762005-02-07  Michal Ludvig  <michal@logix.cz>
1177
1178        From Krisztian Kovacs:
1179        * src/racoon/cfparse.y: Allocate correct space for "struct sockaddr".
1180
11812005-01-30  Yvan Vanhullebus  <vanhu@free.fr>
1182
1183        * src/racoon/vmbuf.c: bugfix in vrealloc()
1184        * src/racoon/oakley.c: mem leak fix in INITDHVAL()
1185        * src/racoon/session.c: mem leak fix in check_flushsa()
1186
11872005-01-29  Yvan Vanhullebus  <vanhu@free.fr>
1188
1189        * src/racoon/isakmp_{ident|agg}.c: NAT-T cleanup
1190        * src/racoon/pfkey.c: Uses NATT encaps_type in pk_sendupdate()
1191        * src/racoon/vendorid.[ch]: NAT-T cleanup, NATT_01 VID
1192        * src/racoon/nattraversal.[ch]: NATT cleanup, support for all
1193          drafts (disabled by default) / RFC.
1194        * src/racoon/isakmp.h: NATT cleanup for NATT RFC support
1195        * src/racoon/ipsec_doi.h: updated comments about NATT
1196        * configure.ac: enable-natt_XX options
1197        * src/racoon/isakmp.c: set UDP_ENCAPS_ESPINUDP_NON_IKE option when needed
1198
1199
12002005-01-29  Emmanuel Dreyfus  <manu@netbsd.org>
1201
1202        From Fred Senault <fred@lacave.net>
1203        * src/racoon/pfkey.c: Update SAD even if NAT-T is disabled, so that
1204          phase2 can start.
1205
12062005-01-23  Emmanuel Dreyfus  <manu@netbsd.org>
1207
1208        * src/setkey/{sekkey.8|setkey.c|token.l|parse.y}: implement NetBSD's
1209          SADB_X_AALG_TCP_MD5. Resurrect setkey -h meaning on NetBSD.
1210
12112005-01-22  Emmanuel Dreyfus  <manu@netbsd.org>
1212
1213        From Fred Senault <fred@lacave.net>
1214        * src/racoon/{cftoken.l|cfparse.y|raccon.conf.5}
1215          src/racoon/samples/roadwarrior/README: change "my_identifier login"
1216          into "xauth_login" in the config file so that we can introduce Xauth
1217          with a pre-shared key later.
1218
12192005-01-21  Emmanuel Dreyfus  <manu@netbsd.org>
1220
1221        * src/racoon/samples/roadwarrior/client/{phase1-up.sh|phase1-down.sh}:
1222          workaround Linux problems. This needs a better fix.
1223
12242005-01-18  Emmanuel Dreyfus  <manu@netbsd.org>
1225
1226        * src/racoon/privsep.c: build without ENABLE_HYBRID
1227
12282005-01-14  Emmanuel Dreyfus  <manu@netbsd.org>
1229
1230        * src/raccon/rfc/{rfc3947.txt|rfc3948.txt}: new files (NAT-T)
1231
12322005-01-13  Yvan Vanhullebus  <vanhu@free.fr>
1233
1234        * src/racoon/ipsec_doi.c: Uses proposal_check value to check phase
1235          1 lifetime.
1236        * src/racoon/racoon.conf.5: Updated racoon man page for phase 1
1237          lifetime check / proposal_check.
1238
12392005-01-11  Emmanuel Dreyfus  <manu@netbsd.org>
1240
1241        * src/racoon/isakjmp_quick.c: endianness bugfix from KAME
1242
12432005-01-07  Emmanuel Dreyfus  <manu@netbsd.org>
1244
1245        * src/racoon/{cfparse.y|cftoken.l|nattraversal.h|pfkey.c}
1246          src/racoon/{racoon.conf.5|remoteconf.c|remoteconf.h}
1247          src/libipsec/{libpfkey.h|pfkey.c}: ESP fragmentation size is
1248          now configurable (supported only on NetBSD so far).
1249
12502005-01-05  Emmanuel Dreyfus  <manu@netbsd.org>
1251
1252        * src/racoon/privsep.c: Build again on Linux with privsep
1253
12542005-01-03  Emmanuel Dreyfus  <manu@netbsd.org>
1255
1256        * src/racoon/{isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c|isakmp_xauth.h}
1257          src/racoon/{cfparse.y|cftoken.l|racoon.conf.5}
1258          src/racoon/doc/FAQ
1259          configure.ac: PAM support for authentication and accounting in
1260          hybrid auth
1261
12622005-01-02  Emmanuel Dreyfus  <manu@netbsd.org>
1263
1264        * src/racoon/admin.c: never fork, it buys nothing and breaks on some
1265          operations
1266
12672004-12-30  Emmanuel Dreyfus  <manu@netbsd.org>
1268
1269        * src/racoon/{Makefile.am|admin.h|cfparse.y|cftoken.l|isakmp.c}
1270          src/racoon/{isakmp_cfg.c|isakmp_cfg.h|isakmp_var.h| isakmp_xauth.c}
1271          src/racoon/{localconf.c|localconf.h|main.c|oakley.c|pfkey.c}
1272          src/racoon/{racoon.conf.5|remoteconf.c|remoteconf.h|session.c}
1273          src/racoon/{privsep.c|privsep.h}: new files
1274          Privilege separation
1275
1276        * src/racoon/{Makefile.am|admin.h|admin_var.h|kmpstat.c}
1277          src/racoon/{racoonctl.c|racoonctl.h}: new files
1278          configure.ac: publicly export the adminport interface so that
1279          external program can control racoon
1280       
1281        * src/racoon/{racoonctl.c|racoonctl.h|kmpstat.c}: Add interface
1282          versioning
1283
1284        * src/racoon/admin.h: make sure no / will be missing in adminsock path
1285
1286---------------------------------------------
1287
1288        Branch for 0.5 created (ipsec-tools-0_5-branch)
1289
12902004-12-23  Yvan Vanhullebus  <vanhu@free.fr>
1291
1292        * src/racoon/crypto_openssl.c: Indentation
1293
12942004-12-28  Yvan Vanhullebus  <vanhu@free.fr>
1295
1296        * src/racoon/crypto_openssl.c: Fixed eay_get_x509subjectaltname()
1297          when getting an IP (Bug # 1092095)
1298
1299
13002004-12-26  Emmanuel Dreyfus  <manu@netbsd.org>
1301
1302        * src/racoon/session.c: remove outdated comment
1303
1304---------------------------------------------
1305
1306        0.5.beta2 released
1307
13082004-12-21  Michal Ludvig  <michal@logix.cz>
1309
1310        * src/racoon/pfkey.c: Fix AES vs Rijndael defines.
1311
13122004-12-20  Yvan Vanhullebus  <vanhu@free.fr>
1313
1314        * configure.ac, src/racoon/isakmp.c, src/racoon/pfkey.c:
1315          Some FreeBSD / NATT support.
1316
13172004-12-17  Emmanuel Dreyfus  <manu@netbsd.org>
1318
1319        * src/racoon/isakmp.c: only IPv4 NAT-T is supported, so skip IPv6 here.
1320        * src/racoon/pfkey.c: Restore AES support on NetBSD.
1321
13222004-12-17  Yvan Vanhullebus  <vanhu@free.fr>
1323
1324        * src/racoon/crypto_openssl.c: Uses sprintf() instead of
1325          asprintf() in eay_get_x509subjectaltname(), because of some
1326          compilation problems reported with asprintf() on some platforms.
1327        * src/racoon/oakley.c: just take the first cert in
1328          oakley_savecert() if cert ID check is disabled.
1329
13302004-12-16  Emmanuel Dreyfus  <manu@netbsd.org>
1331
1332        * src/racoon/crypto_openssl.c: Build again on NetBSD
1333        * src/racoon/samples/roadwarrior/server/racoon
1334          src/racoon/samples/roadwarrior/server/racoon.conf-radius
1335          src/racoon/samples/roadwarrior/README: Use DPD in sample files.
1336
13372004-12-16  Yvan Vanhullebus  <vanhu@free.fr>
1338
1339        * src/racoon/crypto_openssl.c: Fixed eay_get_x509subjectaltname()
1340          when SubjectAltName contains an IP. OpenSSL code from Ludovic
1341          Flament (ludovic.flament@free.fr).
1342
1343---------------------------------------------
1344
1345        0.5.beta1 released
1346
13472004-12-13  Michal Ludvig  <mludvig@suse.cz>
1348
1349        From Ganesan R <rganesan@users.sourceforge.net>:
1350        * src/racoon/Makefile.am, src/setkey/Makefile.am: Fix compilation
1351          with shared libraries.
1352
13532004-12-10  Yvan Vanhullebus  <vanhu@free.fr>
1354
1355        * src/racoon/oakley.c: takes the first certificate which matches
1356          the Identity, instead of just taking the first certificate.
1357
13582004-12-07  Yvan Vanhullebus  <vanhu@free.fr>
1359
1360        * src/racoon/isakmp_inf.c: Set spi_size for R-U-THERE/R-U-THERE-ACK.
1361
13622004-12-04  Aidas Kasparas  <a.kasparas@gmc.lt>
1363
1364        * src/libipsec/pfkey_dump.c: distinguish per-socket policies from
1365          general ones (Linux case);
1366        * src/racoon/pfkey.c: ditto, do not negotiate policies if racoon
1367          does not listen on out tunnel's source address.
1368
13692004-12-01  Yvan Vanhullebus  <vanhu@free.fr>
1370
1371        * src/racoon/isakmp_agg.c: code cleanup in NATT / DPD VIDs
1372          generation in r1send()
1373
13742004-12-01  Yvan Vanhullebus  <vanhu@free.fr>
1375
1376        * src/racoon/remoteconf.{c|h}: DPD support option (enabled by default)
1377        * src/racoon/{cfparse.y|cftoken.l}: DPD token, yyerror if DPD
1378          parameters but compiled without ENABLE_DPD
1379        * src/racoon/isakmp_{agg|ident}.c: Send DPD VID only if DPD
1380          support activated in configuration
1381
13822004-11-30  Emmanuel Dreyfus  <manu@netbsd.org>
1383
1384        * src/racoon{evt.c|evt.h|admin.c}: init event queue at compile time,
1385          to avoid garbage pointer if admin port is disabled.
1386        * src/racoon/{throttle.c|throttle.h}: new files
1387          src/racoon/{Makefile.am|isakmp_cfg.c|isakmp_xauth.c|racoon.conf.5}
1388          configure.ac: Add a per-host throttling count. When throttling,
1389          don't sleep, schedule the answer for later instead.
1390        * src/racoon/kmpstat.c: default with no hexdump of the packet
1391        * src/racoon/admin.c: don't remove admin socket after first request,
1392          on the other hand remove on startup stale sockets left by
1393          crashed racoon.
1394        *  src/racoon/samples/roadwarrior/README
1395           src/racoon/kmpstat.c: fix option parsing problem on Linux
1396
13972004-11-29  Yvan Vanhullebus  <vanhu@free.fr>
1398
1399        * src/racoon/session.c: Only listen on pfkey socket when received
1400          shutdown signal
1401
14022004-11-28  Emmanuel Dreyfus  <manu@netbsd.org>
1403
1404        * src/racoon/{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h}
1405          src/racoon/{isakmp_xauth.c|racoon.conf.5}: Add a one second throttle
1406          on each Xauth authentication to avoid brute force attacks
1407
14082004-11-24  Emmanuel Dreyfus  <manu@netbsd.org>
1409
1410        * src/racoon/samples/roadwarrior/README
1411          src/racoon/samples/roadwarrior/client{phase1-up.sh|phase1-down.sh}
1412          src/racoon/samples/roadwarrior/client/{racoon.conf|racoon.conf-radius}
1413          src/racoon/samples/roadwarrior/server/{racoon.conf|phase1-down.sh}:
1414          Fill Linux gaps for hybrid auth client, Replace public IP by
1415          private and example IP in the sample config files.
1416
14172004-11-24  Emmanuel Dreyfus  <manu@netbsd.org>
1418
1419        DPD patch from Yvan Vanhullebus <vanhu@free.fr>
1420        * src/racoon/cfparse.y: missing bits for DPD support
1421
14222004-11-23  Aidas Kasparas  <a.kasparas@gmc.lt>
1423
1424        * src/setkey/parse.y: generate require fwd policies for unique in
1425          policies.
1426        * src/setkey/setkey.c: made -r/-k options available only when
1427          system has FWD policies.
1428        * src/setkey/setkey.8: updated docs about change above.
1429
14302004-11-22  Michal Ludvig  <mludvig@suse.cz>
1431
1432        * src/racoon/{admin.c,pfkey.c}: Wrap adminport-parts to
1433          #ifdef ENABLE_ADMINPORT/#endif.
1434
14352004-11-22  Michal Ludvig  <mludvig@suse.cz>
1436
1437        Revert these changes (ludvigm, 2004-11-18):
1438        * src/racoon/Makefile.am: install sample racoon.conf and psk.txt.
1439        * src/setkey/Makefile.am: Install setkey.conf.
1440
14412004-11-22  Emmanuel Dreyfus  <manu@netbsd.org>
1442
1443        * src/raccon/{isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c}: defer phase 1
1444          removal so that it's not used after being deleted.
1445        * src/racoon/{evt.h|isakmp.c|isakmp_agg.c|isakmp_base.c|session.c}
1446          src/racoon/{isakmp_ident.c|isakmp_inf.c|kmpstat.c}: report more
1447          errors to racoonctl
1448
14492004-11-21  Emmanuel Dreyfus  <manu@netbsd.org>
1450
1451        * src/racoon/doc/FAQ: NAT-T kernel patch for NetBSD is now on
1452          the ipsec-tools web site
1453        * src/racoon/{kmpstat.c|racoonctl.8}: New racoonctl command to
1454          display all events reported by racoon: show-event
1455        * src/racoon/isakmp_cfg.c: don't send ISAKMP mode config message
1456          with immature or dying phase 1
1457        * src/racoon/kmpstat.c: racoonctl vd awaits phase 1 to get down
1458
14592004-11-20  Emmanuel Dreyfus  <manu@netbsd.org>
1460
1461        * src/racoon/isakmp_agg.c: for hybrid auth client, advertise ourself
1462          as Unity compliant.
1463        * src/racoon/{evt.c|evt.h}: new files
1464          src/racoon/{Makefile.am|admin.c|admin.h|isakmp.c|isakmp_cfg.c}
1465          src/racoon/{isakmp_xauth.c|kmpstat.c|pfkey.c}: framework for
1466          event reporting from racoon to racoonctl
1467
14682004-11-20  Aidas Kasparas  <a.kasparas@gmc.lt>
1469
1470        * src/racoon/grabmyaddr.c: Prevent doubling addresses and error messages
1471          when racoon is compiled with INET6 support and kernel is not.
1472          Fixed with help of Zilvinas Valinskas.
1473        * src/racoon/{var.h|sockmisc.c}: Fixed compilation with gcc-3.4.2+
1474          problem.
1475       
14762004-11-19  Emmanuel Dreyfus  <manu@netbsd.org>
1477
1478        * src/racoon/doc/FAQ: more options and warn about software patents.
1479
14802004-11-18  Emmanuel Dreyfus  <manu@netbsd.org>
1481
1482        * src/racoon/vmbuf.c: don't allocate zero-length buffer
1483        * src/racoon/samples/roadwarrior/client/phase1-down.sh
1484          src/racoon/samples/roadwarrior/server/phase1-down.sh: Also
1485          flush SAD when disconnecting.
        * src/racoon/admin.c: Send a notification when deleting ISAKMP SA
        * src/racoon/samples/roadwarrior/README: accommodate the recent
          sysconfdir change

2004-11-18  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/Makefile.am: Fix adminsocket dir, install sample
          racoon.conf and psk.txt.
        * src/racoon/localconf.h: Look for racoon.conf in $(SYSCONFDIR),
          not $(SYSCONFDIR)/racoon.
        * src/racoon/algorithm.h, src/racoon/eaytest.c,
          src/racoon/schedule.h, src/racoon/gnuc.h: Build fixes for really
          strict environments.
        * src/setkey/setkey.conf: Yet another sample config file.
        * src/setkey/Makefile.am: Install setkey.conf.
        * rpm/suse/{ipsec-tools.spec.in,sysconfig.racoon,racoon.init}: New
          files.
        * rpm/suse/{Makefile.am,.cvsignore}: New files.
        * configure.ac, rpm/Makefile.am: Build in rpm/suse.

2004-11-17  Aidas Kasparas  <a.kasparas@gmc.lt>

        * configure.ac: paste bugfix by Zilvinas Valinskas
        * src/racoon/{isakmp_quick.c|policy.c|strnames.c}: fwd policy support
          for generated policies. Patch by Patrick McHardy.

2004-11-16  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/racoonctl.8: racoonctl man page (new file)

2004-11-16  Emmanuel Dreyfus  <manu@netbsd.org>

        From Ganesan <rganesan@users.sourceforge.net>
        * src/racoon/ipsec_doi.c: fix free'd memory access

2004-11-16  Michal Ludvig  <mludvig@suse.cz>

        DPD patch from Yvan Vanhullebus <vanhu@free.fr>
        * configure.ac, src/racoon/cfparse.y, src/racoon/cftoken.l,
          src/racoon/handler.c, src/racoon/handler.h,
          src/racoon/isakmp.c, src/racoon/isakmp.h,
          src/racoon/isakmp_agg.c, src/racoon/isakmp_ident.c,
          src/racoon/isakmp_inf.c, src/racoon/isakmp_inf.h,
          src/racoon/racoon.conf.5 src/racoon/remoteconf.c,
          src/racoon/remoteconf.h, src/racoon/vendorid.c,
          src/racoon/vendorid.h: Dead Peer Detection (DPD) support.

2004-11-16  Michal Ludvig  <mludvig@suse.cz>

        * configure.ac: Remove a bash-specific construction, take II.
        * src/racoon/grabmyaddr.c: FreeBSD fix for headers.

2004-11-15  Michal Ludvig  <mludvig@suse.cz>

        * configure.ac: Use correct include paths during ./configure run.
        * src/racoon/Makefile.am: Compile cftoken.l from $(srcdir),
          remove samples/racoon.conf.sample-cvpn, added samples/roadwarrior
          (hint, hint, manu :-))

2004-11-15  Emmanuel Dreyfus  <manu@netbsd.org>

        * README: update the docs
        * src/racoon/doc/FAQ: update the docs
        * configure.ac: Remove a bash-specific construction

2004-11-14  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/racoon/cfparse.y: ensure that returns from rules are
          initialized even on erroneous config file.
        * src/racoon/admin_var.h: changed management socket location
        * src/racoon/Makefile.am: ditto, added rule to install directory
          for management socket.
        * src/setkey/{setkey.c|parse.y}: introduced rfc/kernel modes,
          added generation of fwd policies for every in policy spdadd'ed.
        * src/setkey/setkey.8,src/libipsec/ipsec_set_policy.3: updated docs
        * src/setkey/policy_token.l: return something reasonable when
          fwd direction is parsed on systems with no forward policy
          support.

2004-11-14  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/isakmp.c: avoid a double free when using IKE fragmentation
        * src/racoon/{backupsa.c|ipsec_doi.c|localconf.c|str2val.c}
          src/{libipsec/key_debug.c|setkey/parse.y}: fix build warnings
        * configure.ac src/racoon/{admin.c|admin_var.h}
          src/racoon/racoon.conf.5 src/racoon/samples/roadwarrior/README
          src/racoon/samples/roadwarrior/client/racoon.conf: make the default
          mode for the admin socket more secure.

2004-11-13  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/{cfparse.y|remoteconf.c|crypto_openssl.c|crypto_openssl.h}
          src/racoon/{eaytest.c|oakley.c|racoon.conf.5|cftoken.l|remoteconf.h}
          src/racoon/samples/roadwarrior/README
          src/racoon/samples/roadwarrior/client/racoon.conf: Make the root
          certificate authority location per-peer and configurable.
        * src/racoon/isakmp_frag.c: fix unallocated memory access
        * src/racoon/isakmp_agg.c: fix incorrect queue deallocation
        * src/racoon/remoteconf.c: fix uninitialized data
        * src/racoon/{admin.c|isakmp_xauth.c}: fix free'ed memory access

2004-11-12  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/{Makefile.am|kmpstat.c}: Make racoonctl vc and vd
          commands IPv6 friendly.
        * src/racoon/{admin.c|admin.h|handler.c|handler.h|kmpstat.c}:
          Add an admin message to flush all the SA for a given peer.
          Convert racoonctl vd to use it.
        * src/racoon/{admin.c|kmpstat.c|cftoken.l|cfparse.y}
          src/racoon/{admin_var.h|admin.h|racoon.conf.5}: Enable the
          administrator to choose the admin socket path, ownership and mode.
        * src/racoon/sample/roadwarrior: complete config files for
          road warriors using hybrid authentication.

2004-11-12  Michal Ludvig  <mludvig@suse.cz>

        * configure.ac: Config option --enable-natt=kernel
        * src/racoon/Makefile.am: Distribute only yacc/lex source files,
          not the preprocessed .c files.

2004-11-11  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/samples/racoon.conf.sample-cvpn: more complete setup
          and comments in the VPN concentrator setup for the Cisco VPN client
        * src/racoon/racoon.conf.5: fix documentation
        * src/racoon/isakmp_cfg.c: get the internal IPv4 address in script
          hooks even if we are a server.

2004-11-10  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/{ipsec_doi.c|remoteconf.c}: fix LP64 problems

2004-11-09  Michal Ludvig  <mludvig@suse.cz>

        * Makefile.am: Remove aclocal-related lines.
        * src/racoon/Makefile.am: Add isakmp_frag.h into noints_HEADERS
        * configure.ac: Cleanup, define INET6 if IPv6 should be supported,
          better handling of KRB5 and NAT-T.
        * src/racoon/{isakmp_cfg.c,isakmp_frag.c,isakmp_unity.c}: Make
          FreeBSD happy with includes (Arrgh...&^#$^@!!!)

2004-11-08  Michal Ludvig  <mludvig@suse.cz>

        * src/libipsec/policy_parse.y: Define INT32_MAX/INT32_MIN.
        * src/libipsec/policy_token.l, src/racoon/kmpstat.c,
          src/racoon/{pfkey.c,prsa_par.y,rsalist.c,token.l}: Small
          fixes to support FreeBSD (tested with 4.10).

2004-11-05  Michal Ludvig  <mludvig@suse.cz>

        * configure.ac: Add --with-readline switch.
        * src/setkey/setkey.c(stdin_loop): Fix newlines and comments
          when compiled without readline.

2004-11-01  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/racoon/isakmp_quick.c: generated policy refresh patch
          by Yvan Vanhullebus

2004-10-29  Michal Ludvig  <mludvig@suse.cz>

        * configure.ac: Check for IPSEC_DIR_FWD and eventually define
          HAVE_POLICY_FWD.
        * src/libipsec/{ipsec_dump_policy.c,policy_token.l}: Use
          HAVE_POLICY_FWD in ifdefs.
        * NEWS: Mention the fix.
        * src/racoon/kmpstat.c: Fix compilation on Linux.
        * src/racoon/ipsec_doi.h: Ditto.
        * src/racoon/Makefile.am, src/setkey/Makefile.am: Update
          explicit dependencies.

2004-10-29  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/{isakmp_cfg.h,grabmyaddr.c,handler.c,handler.h}:
          do not reconfigure internal addresses obtained through ISAKMP
          mode config.
        * src/racoon/{isakmp.c,isakmp_cfg.c,isakmp_xauth.c}: On authentication
          failure, kill the phase 1 and log the failure. Do not run the sa_up
          script in this case.
        * src/racoon/{admin.c,admin.h,isakmp_xauth.c,kmpstat.c,remoteconf.h}:
          Add -u user to racoonctl establish-sa, prompt for the PSK from
          the terminal, and add a vpn-connect target with simplified syntax
          for establishing a SA in the road warrior case.
        * src/racoon/{admin.c,kmpstat.c}: implement delete-sa and
          vpn-disconnect commands of racoonctl
        * src/racoon/{cfparse.y,cftoken.l,handler.c,isakmp.c,isakmp_cfg.c}
          src/racoon/{isakmp_var.h,racoon.conf.5,remoteconf.c,remoteconf.h}:
          Remove sa_up and sa_down and replace them by a more general
          script hook framework.

2004-10-27  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/nattraversal.c: Use macros instead of magic numbers
        * src/racoon/kmpstat.c: pull up fixes from KAME so that racoonctl
          can actually establish a SA
        * src/racoon/{cfparse.y,cftoken.l,handler.c,isakmp.c,isakmp_cfg.c}
          src/racoon/{isakmp_var.h,racoon.conf.5,remoteconf.c,remoteconf.h}:
          Shell script hooks for ISAKMP SA creation and removal

2004-10-26  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/rfc/draft-ietf-ipsec-isakmp-hybrid-auth-05.txt: removed
          src/racoon/rfc/draft-ietf-ipsec-isakmp-mode-cfg-04.txt: removed
          src/racoon/rfc/draft-beaulieu-ike-xauth-02.txt: new file
          src/racoon/rfc/draft-dukes-ike-mode-cfg-02.txt: new file
          Update to the latest drafts

2004-10-25  Emmanuel Dreyfus  <manu@netbsd.org>

        *  src/racoon/rfc/draft-ietf-ipsec-isakmp-hybrid-auth-05.txt: new file
           src/racoon/rfc/draft-ietf-ipsec-isakmp-mode-cfg-04.txt: new file
           src/racoon/rfc/draft-ietf-ipsec-isakmp-xauth-07.txt: new file
           drafts documenting ISAKMP mode config, Xauth and hybrid auth
        *  src/racoon/cftoken.l: fix build problem, add an error message
           when using hybrid auth options while hybrid auth is not built
        *  src/racoon/isakmp_cfg.c: build without RADIUS support too

2004-10-24  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/{algorithm.c,algorithm.h,cfparse.y,cftoken.l}
          src/racoon/{ipsec_doi.c,ipsec_doi.h,isakmp.c,isakmp_agg.c}
          src/racoon/{isakmp_cfg.c,isakmp_cfg.h,isakmp_xauth.c,isakmp_xauth.h}
          src/racoon/{oakley.c,oakley.h,racoon.conf.5}
          src/racoon/{remoteconf.c,remoteconf.h,strnames.c}: Client side
          of hybrid auth and ISAKMP mode config

2004-10-24  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/{cfparse.y,cftoken.l,handler.h,isakmp.c}
          src/racoon/{isakmp_agg.c,isakmp_base.c,isakmp_frag.c,isakmp_frag.h}
          src/racoon/{isakmp_inf.c,racoon.conf.5,remoteconf.c,remoteconf.h}:
          Receiver-side of IKE fragmentation

2004-10-24  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/isakmp_cfg.c: Fix read buffer overflow
        * src/racoon/isakmp_xauth.c: Fix weak authentication
        * src/racoon/{oakley.c,oakley.h}: Fix weak authentication

2004-10-21  Michal Ludvig  <mludvig@suse.cz>

        From Emmanuel Dreyfus:
        * src/racoon/{isakmp_frag.c,isakmp_frag.h}: New files.
        * src/racoon/isakmp_cfg.c: Fix endianness.

2004-10-20  Michal Ludvig  <mludvig@suse.cz>

        From Emmanuel Dreyfus:
        * src/racoon/{cfparse.y,cftoken.l,handler.c},
          src/racoon/{isakmp_cfg.c,isakmp_cfg.h,isakmp_xauth.c},
          src/racoon/racoon.conf.5: RADIUS IP addresses allocation
          and RADIUS accounting.
        * configure.ac,
          src/racoon/{Makefile.am,handler.h,isakmp.c,isakmp.h},
          src/racoon/{isakmp_agg.c,isakmp_base.c,isakmp_inf.c},
          src/racoon/{vendorid.c,vendorid.h}: IKE Fragmentation patch.

2004-10-08  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/isakmp_cfg.c: Fixes from Emmanuel Dreyfus.

2004-10-06  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/racoon/remoteconf.c: dupidvl(), dupetypes() - new functions
          to duplicate dynamically allocated structures; duprmconf() - call
          these functions to produce private copy of inherited id and etype
          structures.
        * src/racoon/remoteconf.c: declaration for dupetypes().

2004-10-04  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/racoon/cfparse.y: check inherited_from dereferencing
        * src/racoon/crypto_openssl.c: prevent crash on incorrect DNs

2004-09-27  Michal Ludvig  <mludvig@suse.cz>

        From KOVACS Krisztian <hidden@balabit.hu>:
        * src/racoon/sockmisc.c(sendfromto): Set src address.

2004-09-24  Aidas Kasparas  <a.kasparas@gmc.lt>

        * configure.ac: added check for linux-gnu, as my box reports
        * src/racoon/grabmyaddr.c: added missing <linux/types.h> include

2004-09-21  Michal Ludvig  <mludvig@suse.cz>

        Merged 'autoconf' branch to mainline:
        * .cvsignore, ChangeLog, Makefile.am, bootstrap, configure.ac,
          src/racoon/.cvsignore, src/racoon/cfparse.y,
          src/racoon/crypto_openssl.c, src/racoon/crypto_openssl.h,
          src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
          src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
          src/racoon/isakmp_cfg.c, src/racoon/isakmp_ident.c,
          src/racoon/isakmp_unity.c, src/racoon/main.c,
          src/racoon/nattraversal.c, src/racoon/oakley.c,
          src/racoon/oakley.h, src/racoon/sockmisc.c,
          src/racoon/missing/crypto/sha2/sha2.c: Modified (see ChangeLog
          in 'autoconf' branch for details).
        * acracoon.m4, src/racoon/Makefile.am: New files.
        * src/racoon/Makefile.in, src/racoon/aclocal.m4,
          src/racoon/client-puzzle.c, src/racoon/config.guess,
          src/racoon/config.sub, src/racoon/configure.in,
          src/racoon/install-sh, src/racoon/doc/SantaBarbara-result.jp,
          src/racoon/doc/helsinki-result.jp, src/racoon/doc/ibm-result.jp,
          src/racoon/doc/pattern, src/racoon/doc/question,
          src/racoon/doc/racoonquestion.sh, src/racoon/doc/redmond.txt,
          src/racoon/doc/rules.jp, src/racoon/doc/sandiego-result.en,
          src/racoon/doc/sandiego-result.jp,
          src/racoon/doc/sandiego0009-result.en,
          src/racoon/missing/addrinfo.h, src/racoon/missing/getaddrinfo.c,
          src/racoon/missing/getnameinfo.c, src/racoon/samples/Makefile,
          src/racoon/samples/sandiego.pl: Removed.

2004-09-17  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/vendorid.[ch]: Rewrote the VendorID handling.
          We don't use the array with fixed offsets anymore, instead
          a generally unordered structure with ID, string and
          precomputed MD5 hashes.
        * src/racoon/{isakmp_agg.c,isakmp_base.c,isakmp_ident.c},
          src/racoon/nattraversal.c: Updated to the new VID model.
        * src/racoon/main.c(main): Precompute VendorIDs.
        * src/racoon/arc4random.h, src/racoon/missing/arc4random.c:
          Files removed. Function arc4random() renamed to eay_random()
          and moved to crypto_openssl.c.
        * src/racoon/pfkey.c, src/racoon/oakley.c, src/racoon/main.c,
          src/racoon/isakmp.c: Updated to the above change.
        * src/racoon/Makefile.in, src/racoon/configure.in: Remove
          arc4random() from building.
        * src/racoon/crypto_openssl.[ch](eay_random): New function.
        * src/racoon/isakmp_cfg.c, src/racoon/isakmp_unity.c,
          src/racoon/isakmp_xauth.c: Cleaned up headers.

2004-09-16  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/crypto_openssl.c (base64_encode): Terminate
          the result with '\0'.

2004-09-15  Michal Ludvig  <mludvig@suse.cz>

        * configure.ac: How about calling the next version 0.5?
        * src/include-glibc/glibc-bugs.h: Define _XOPEN_SOURCE
          _BSD_SOURCE and don't require <linux/types.h>
        * src/racoon/isakmp_cfg.c, src/racoon/isakmp_unity.c,
          src/racoon/isakmp_xauth.c: Don't include <netkey/key_var.h>
        * src/racoon/Makefile.in: Add new files to distribution.
        * src/racoon/configure.in: Fix linux kernel NATT detection.
        * src/setkey/parse.y: Fix types.
        * src/racoon/backupsa.c, src/racoon/ipsec_doi.c,
          src/racoon/isakmp_inf.c, src/racoon/isakmp_quick.c,
          src/racoon/pfkey.c, src/racoon/remoteconf.c,
          src/racoon/session.c, src/racoon/sockmisc.c: Fix headers
          ordering, use HAVE_NETINET6_IPSEC.
        * src/racoon/isakmp_cfg.c: Use %z for size_t.
        * src/racoon/configure.in: Clean up IPv6 stack check.

2004-09-15  Michal Ludvig  <mludvig@suse.cz>

        Merged "Hybrid XAUTH" support from Emmanuel Dreyfus:
        * src/racoon/isakmp_cfg.h, src/racoon/isakmp_cfg.c,
          src/racoon/isakmp_unity.c, src/racoon/isakmp_unity.h,
          src/racoon/isakmp_xauth.c, src/racoon/isakmp_xauth.h,
          src/racoon/samples/racoon.conf.sample-cvpn: New files.
        * src/racoon/algorithm.c, src/racoon/algorithm.h,
          src/racoon/cfparse.y, src/racoon/cftoken.l,
          src/racoon/handler.c, src/racoon/handler.h,
          src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
          src/racoon/isakmp.h, src/racoon/isakmp_agg.c,
          src/racoon/isakmp_inf.c, src/racoon/oakley.c,
          src/racoon/oakley.h, src/racoon/strnames.c,
          src/racoon/vendorid.c, src/racoon/vendorid.h: Added
          code for XAUTH support.
        * src/racoon/racoon.conf.5: Documentation for XAUTH.
        * src/racoon/isakmp_base.c, src/racoon/isakmp_ident.c,
          src/racoon/nattraversal.c: Added NATT VID "02\n"
        * src/racoon/configure.in: New config option --enable-hybrid

2004-09-14  Michal Ludvig  <mludvig@suse.cz>

        * configure.ac: Preset CFLAGS
        * src/racoon/configure.in: Preset LDFLAGS instead of CFLAGS on NetBSD,
          Check if printf() accepts "%z" modifiers.
        * src/racoon/isakmp_agg.c(agg_i1send): Place #endif correctly.
        * src/setkey/parse.y(fix_portstr): Init 'p2'.
        * src/setkey/setkey.c: Add required prototypes.

2004-09-14  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/racoon/gssapi.c: sa_len -> sysdep_sa_len. Patch by Andreas.

2004-09-14  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/configure.in: Check for NetBSD NAT-T kernel support.

2004-09-13  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/configure.in: Check for <openssl/engine.h>
        * src/racoon/crypto_openssl.c: Only use OpenSSL engines if available.
        * src/racoon/plainrsa-gen.c: Ditto.

2004-09-13  Michal Ludvig  <mludvig@suse.cz>

        NetBSD fixes from Emmanuel Dreyfus <manu@netbsd.org>:
        * Makefile.am: build in rpm/ only on Linux
        * configure.ac: Check for netinet6/ipsec.h instead of netinet/ipsec.h
        * src/Makefile.am: Build include-glibc only on Linux
        * src/libipsec/{ipsec_dump_policy.c,ipsec_get_policylen.c,
          ipsec_strerror.c,key_debug.c,pfkey.c,pfkey_dump.c,
          policy_parse.y,policy_token.l,test-policy-priority.c},
          src/racoon/{cfparse.y,cftoken.l,grabmyaddr.c,isakmp.c,
          nattraversal.c,pfkey.c,plainrsa-gen.c,policy.c,
          proposal.c,sainfo.c,schedule.c,strnames.c},
          src/setkey/{parse.y,setkey.c,token.l}: Fix headers and some
          ifdefs.
        * src/racoon/sockmisc.c(sendfromto): Wrap for Linux only.
        * src/racoon/configure.in: Check for kernel NAT-T support,
          fix libipsec.a linkage path.
        * src/racoon/eaytest.c(certtest): Use %z for size_t.

2004-09-12  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/racoon/grabmyaddr.c: improved socket selection algorithm for
          case when link-local addresses come w/o sin6_scope_id set.

2004-09-07  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/racoon/session.c: fix for SIGHUP handler for case when config
          file contains listen directives.

2004-09-01  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/racoon/grabmyaddr.c: added scope id handling for link-local
          IPv6 addresses. Now racoon will not err on such addresses.

2004-08-19  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/racoon/crypto_openssl.c: hmac memory leak fix by R. Ganesan
        * src/racoon/eaytest.c: eay_init_error() -> eay_init() due to
          2004-06-01 changes in src/racoon/crypto_openssl.c

2004-08-15  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/racoon/cfparse.y src/racoon/crypto_openssl.c
          src/racoon/eaytest.c src/racoon/genlist.h src/racoon/ipsec_doi.c
          src/racoon/racoon.conf.5 src/racoon/remoteconf.c
          src/racoon/remoteconf.h: peers_identifier wildcard and
          list patch by James Matheson

---------------------------------------------

        0.4rc1 released

2004-08-09  Michal Ludvig  <mludvig@suse.cz>

        * NEWS: Notes for release 0.4rc1
        * configure.ac: Bump up version to 0.4rc1

2004-07-12  Michal Ludvig  <mludvig@suse.cz>

        PlainRSA support.
        See ChangeLog.prsa from the 'plainrsa' branch for details.
        * src/racoon/stringlist.c src/racoon/stringlist.h: Removed.
        * src/racoon/genlist.c src/racoon/genlist.h
          src/racoon/plainrsa-gen.8 src/racoon/plainrsa-gen.c
          src/racoon/prsa_par.y src/racoon/prsa_tok.l
          src/racoon/rsalist.c src/racoon/rsalist.h
          src/racoon/samples/racoon.conf.sample-plainrsa: New files.
        * src/racoon/Makefile.in src/racoon/configure.in
          src/racoon/cfparse.y src/racoon/cftoken.l
          src/racoon/crypto_openssl.c src/racoon/crypto_openssl.h
          src/racoon/handler.h src/racoon/ipsec_doi.c
          src/racoon/ipsec_doi.h src/racoon/isakmp.h src/racoon/main.c
          src/racoon/oakley.c src/racoon/plog.c src/racoon/remoteconf.c
          src/racoon/remoteconf.h src/racoon/sockmisc.c
          src/racoon/sockmisc.h src/racoon/eaytest.c: Updated.

2004-07-12  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/main.c, src/racoon/eaytest.c, src/racoon/plog.c: Move
          f_foreground to plog.c.
        * src/racoon/proposal.c (cmpsaprop_alloc): Fix printing of encmode
          adjusting.
        * src/racoon/ipsec_doi.c, src/racoon/isakmp.c, src/racoon/isakmp_quick.c,
          src/racoon/oakley.c: Fix typos, newlines and printf() format strings.

2004-06-16  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/racoon/crypto_openssl.c (eay_get_x509cert): small memory
          leak fix. Noticed B.Buesker, patch L.Stellingwerff
        * src/racoon/crypto_openssl.c (eay_aes_{en|de}crypt, evp_crypt):
          small memory leaks fixed.

2004-06-15  Aidas Kasparas  <a.kasparas@gmc.lt>

        SECURITY
        * src/racoon/crypto_openssl.[ch] (cb_check_cert_local,
          cb_check_cert_remote): split cb_check_cert() due to stricter
          requirements for certificates received from network.
        * src/racoon/crypto_openssl.[ch] (eay_check_x509cert): new parameter
          local to specify how strict cert check should be
        * src/racoon/oakley.c, src/racoon/eaytest.c: adjust to use above

2004-06-11  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/nattraversal.c (natt_vendorid, natt_fill_options): Support
          for all known NAT-T versions.
        * vendorid.h: Ditto.

2004-06-08  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/stringlist.c, src/racoon/stringlist.h: New files.
        * src/racoon/Makefile.in: Compile stringlist.o.

2004-06-07  Michal Ludvig  <mludvig@suse.cz>

        * configure.ac: Set version to 'cvs'.
        * src/{racoon,setkey,libipsec}/*.h: Wrap headers between
          #ifndef/#define/#endif to allow multiple inclusions of the
          same file.
        * plog.h (plog): Attribute __printf__ for automatic checking
          of the parameters' validity.
        * cftoken.l, crypto_openssl.c, grabmyaddr.c, ipsec_doi.c,
          isakmp.c, isakmp_quick.c, oakley.c, pfkey.c, proposal.c,
          sockmisc.c: Fix warnings/errors in the plog() parameters with
          the above change.

2004-06-05  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/setkey/setkey.c: -n (no action) support.
          Thanks Thomas Habets.
        * src/setkey/setkey.8: Documentation for above.
        * src/racoon/doc/README.certificate: updated link to more recent
          version of document. Debian bug #252513 by Jose Luis Domingo Lopez

2004-06-01  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/algorithm.c: Enable compilation without SHA2 support.
        * src/racoon/crypto_openssl.c: Ditto.

2004-06-01  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/crypto_openssl.c: Remove unneeded workarounds for older
          OpenSSLs.
          (eay_init): New function.
          (eay_init_error, eay_check_pkcs7sign): Removed.
        * src/racoon/crypto_openssl.h: Reflect the above changes.
        * src/racoon/main.c: Call eay_init() instead of eay_init_error().

2004-05-27  Michal Ludvig  <mludvig@suse.cz>

        Support for inheritance of 'remote' statements:
        * src/racoon/cftoken.l: New keyword 'inherit'.
        * src/racoon/cfparse.y: Support for 'inherit', remove
          global 'prhead', use cur_rmconf->prhead instead.
        * src/racoon/remoteconf.c (rmtree): Changed from
          LIST queue to TAILQ queue.
          (getrmconf): Renamed to getrmconf_strict().
          (copyrmconf, duprmconf)
          (dump_rmconf_single, dumprmconf): New functions.
          (rm2str): Deleted.
        * src/racoon/remoteconf.h: Prototypes for the above.
          (struct remoteconf): New fields 'inherited_from' and 'prhead'.
        * src/racoon/sockmisc.c (saddr2str): Can print anonymous entries.
        * src/racoon/algorithm.c (alg_oakley_encdef_name)
          (alg_oakley_hashdef_name, alg_oakley_dhdef_name)
          (alg_oakley_authdef_name): New functions.
        * src/racoon/algorithm.h: Prototypes for the above.
        * src/racoon/strnames.c (num2str): Make extern.
          (s_doi, s_etype, s_idtype, s_switch): New functions.
        * src/racoon/strnames.h: Prototypes for the above.
        * src/racoon/main.c: New parameter -C for dumping the parsed config.
        * src/racoon/racoon.conf.5: Document inheritance.
        * src/racoon/samples/racoon.conf.sample-inherit: Sample config file.
        * src/racoon/Makefile.in: Distribute racoon.conf.sample-inherit

2004-05-24  Michal Ludvig  <mludvig@suse.cz>

        * configure.in, backupsa.c, ipsec_doi.c, isakmp_inf.c,
        isakmp_quick.c, pfkey.c, remoteconf.c, session.c,
        sockmisc.c: Allow compilation with --disable-ipv6

2004-05-21  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/crypto_openssl.[ch]: Use EVP_*() instead of
          algorithm specific functions.

2004-05-20  Aidas Kasparas  <a.kasparas@gmc.lt>

        Manual page updates. Thanks Brian
        * src/libipsec/ipsec_set_policy.3
        * src/setkey/setkey.8
        * src/libipsec/test-policy-priority.c: new file from policy
          priority patch, which I forgot to add

2004-05-18  Aidas Kasparas  <a.kasparas@gmc.lt>

        Policy priority integer handling fixes by Brian Buesker.
        * src/libipsec/ipsec_strerror.c
        * src/libipsec/ipsec_strerror.h
        * src/libipsec/libpfkey.h
        * src/libipsec/policy_parse.y
        * src/libipsec/test-policy-priority.c
        Manual page corrections by me
        * src/libipsec/ipsec_set_policy.3
        * src/setkey/setkey.8

2004-05-15  Aidas Kasparas  <a.kasparas@gmc.lt>

        Policy priority support patch from Brian Buesker. Applied as is
        except src/libipsec/Makefile.am is modified instead of
        src/libipsec/Makefile.in as found in the patch.

2004-05-10  Michal Ludvig  <mludvig@suse.cz>

        From Heiko Hund, approved by the copyright holder:
        * src/racoon/gssapi.[ch]: Update to 3-clause BSD license.

2004-04-27  Michal Ludvig  <mludvig@suse.cz>

        From Heiko Hund:
        * src/include-glibc/sys/queue.h: Update to 3-clause BSD license.

2004-04-26  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/racoon/grabmyaddr.c (update_myaddrs): Only trust kernel to
          send notifications about changed interfaces.

2004-04-24  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/racoon/grabmyaddr.c (recvaddrs): Only trust kernel to send
          information about interfaces. Thanks Steve Grubb and Bill
          Nottingham. Affects users with glibc w/o getifaddrs(). Users
          with glibc earlier than 2003-11-14 should upgrade their glibc.

2004-04-19  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/isakmp.c (isakmp_handler): Reject too big
          packets (CAN-2004-0403).

---------------------------------------------

        0.3 released

2004-04-14  Michal Ludvig  <mludvig@suse.cz>

        * NEWS: Notes for release 0.3
        * configure.ac: Bump up version to 0.3
        * src/racoon/Makefile.in: Use install-sh instead of mkinstalldirs.
        * src/racoon/remoteconf.c (foreachrmconf): Avoid warning about
          uninitialised variable.
        * src/racoon/samples/racoon.conf.in: Cleaned up to work with Linux
          and FreeSWAN.

2004-04-13  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/grabmyaddr.c (suitable_ifaddr6): Anycast addresses are
          not suitable.

2004-04-09  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/crypto_openssl.c (cb_check_cert): Warn if no CRL is found.
        * src/racoon/isakmp_ident.c (ident_r2recv): Removed debug plog().
        * src/racoon/proposal.c (cmpsatrns): Downgrade severity of trns_id
          mismatch to LLV_WARNING.
        * src/libipsec/pfkey_dump.c, src/racoon/algorithm.c
2151          src/racoon/algorithm.h src/racoon/cftoken.l
2152          src/racoon/ipsec_doi.c src/racoon/ipsec_doi.h
2153          src/racoon/oakley.h src/racoon/pfkey.c src/racoon/strnames.c
2154          src/setkey/token.l: Renamed Rijndael to AES.
2155        * src/setkey/token.l: Recognize exit/quit/bye tokens.
2156        * src/setkey/parse.y (exit_command): New.
2157        * src/setkey/setkey.c (stdin_loop): Exit when exit_now is set
2158          in exit_command.
2159
21602004-04-08  Michal Ludvig  <mludvig@suse.cz>
2161
2162        * src/setkey/setkey.c (main): Call get_supported() in interactive mode.
2163          (stdin_loop): Concat multiline input into a single line before parsing.
2164
21652004-04-07  Michal Ludvig  <mludvig@suse.cz>
2166
2167        * src/racoon/nattraversal.c (natt_keepalive_send): Log sending KA
2168          with level DEBUG. Having it with level INFO only pollutes logfiles.
2169
21702004-04-06  Michal Ludvig  <mludvig@suse.cz>
2171
2172        * src/racoon/Makefile.in: eaytest now links plog.o
2173        * src/racoon/crypto_openssl.c: Remove all #ifdef EAYDEBUG/#endif
2174          surrounding plog().
2175        * src/racoon/eaytest.c (rsatest): Enabled RSA tests again, now
2176          verifying both good and bad signatures.
2177
2178---------------------------------------------
2179
2180        0.3rc5 released
2181
21822004-04-05  Michal Ludvig  <mludvig@suse.cz>
2183
2184        * NEWS: Notes for release 0.3rc5
2185        * configure.ac: Bump up version to 0.3rc5
2186
21872004-04-05  Michal Ludvig  <mludvig@suse.cz>
2188
2189        Fix for a security bug found by Ralf Spenneberg:
2190        * src/racoon/crypto_openssl.c (eay_check_x509sign): Directly generate
2191          'evp' instead of 'pubkey'.
2192          (eay_rsa_sign): Use the above.
2193        * src/racoon/crypto_openssl.h: Update prototypes for the above.
2194        * src/racoon/eaytest.c: Disabled RSA tests because of the API change.
2195
21962004-04-05  Michal Ludvig  <mludvig@suse.cz>
2197
2198        * src/racoon/pfkey.c (pfkey_handler): Safety check before accessing
2199          the array (thx to Ren.J.Y for report).
2200          (pkrecvf): Added entry for SADB_X_NAT_T_NEW_MAPPING (NULL for now).
2201        * src/racoon/strnames.c (name_pfkey_type): Ditto.
2202
22032004-04-02  Michal Ludvig  <mludvig@suse.cz>
2204
2205        * src/racoon/eaytest.c (ciphertest_1): Correct padlen.
2206
22072004-04-01  Michal Ludvig  <mludvig@suse.cz>
2208
2209        * src/racoon/ipsec_doi.c (setph2proposal0): Move proposal encmode
2210          update from here ...
2211          (ipsecdoi_setph2proposal): ... to here. Hopefully this is a
2212          better place to do the update.
2213
22142004-03-30  Michal Ludvig  <mludvig@suse.cz>
2215
2216        * src/racoon/crypto_openssl.c (eay_3des_expand_key): New function.
2217          (eay_3des_encrypt, eay_3des_decrypt): Expand key if necessary.
2218        * src/racoon/eaytest.c (ciphertest_1): New function.
2219          (ciphertest): Simplified to simple calls of ciphertest_1().
2220
22212004-03-29  Michal Ludvig  <mludvig@suse.cz>
2222
2223        * README: Rewritten. Mentioned where to report bugs.
2224
22252004-03-26  Michal Ludvig  <mludvig@suse.cz>
2226
2227        * configure.ac: Check for readline.h and libreadline.
2228        * src/setkey/setkey.c: Call stdin_loop() when '-c' was given.
2229          (stdin_loop): Read user input and parse it line-by-line.
2230        * src/setkey/token.l (parse_string): New function.
2231
2232---------------------------------------------
2233
2234        0.3rc4 released
2235
22362004-03-25  Michal Ludvig  <mludvig@suse.cz>
2237
2238        * configure.ac: Bump up version to 0.3rc4
2239        * NEWS: Notes for release 0.3rc4
2240        * src/racoon/cfparse.y (algorithm): Hint about missing module.
2241        * src/racoon/crypto_openssl.c (eay_3des_*): Check for strict key
2242          length only with old API.
2243          (eay_des_encrypt): Ditto.
2244        * src/racoon/eaytest.c: Make the testsuite useful, i.e. exit with
2245          non-zero error code if any of the tests fail.
2246          (main): Print banner with version.
2247        * src/racoon/Makefile.in: Run eaytest in 'make check'.
2248
22492004-03-23  Michal Ludvig  <mludvig@suse.cz>
2250
2251        * src/racoon/isakmp_agg.c (agg_i2recv): Copy remote cookie before
2252          comparing NAT-D payloads. (thx to Gaurav Kansal for report).
2253        * src/racoon/crypto_openssl.c: Avoid type-punned warnings.
2254        * src/racoon/eaytest.c: Disable 'cert' tests.
2255        * src/racoon/crypto_openssl.c (eay_des_encrypt): No need to check
2256          for strict length.
2257          (eay_aes_encrypt): Keylength is in bits, not bytes.
2258
22592004-03-22  Michal Ludvig  <mludvig@suse.cz>
2260
2261        * src/setkey/parse.y (ALG_ENC_NOKEY, ALG_ENC_OLD): Use "" for key
2262          instead of NULL and check for availability.
2263
2264---------------------------------------------
2265
2266        0.3rc3 released
2267
22682004-03-19  Michal Ludvig  <mludvig@suse.cz>
2269
2270        * configure.ac: Bump up version to 0.3rc3
2271        * NEWS: Notes for release 0.3rc3
2272        * src/racoon/cftoken.l: Add 'null' as an alias for 'null_enc'.
2273        * src/racoon/proposal.c (cmpsatrns): New parameter proto_id,
2274          better diagnostic output when trns_id don't match.
2275        * src/racoon/proposal.h (cmpsatrns): Update prototype.
2276        * src/setkey/setkey.c: Change option -h to -H (for hexdump), new
2277          options -h (help) and -V (version).
2278        * src/setkey/setkey.8: Document the above changes.
2279        * src/racoon/rfc/*: Many standards related to IPsec/IKE/NAT-T/...
2280
22812004-03-15  Michal Ludvig  <mludvig@suse.cz>
2282
2283        * src/racoon/configure.in: Prevent compilation error with
2284          --enable-yydebug.
2285
2286---------------------------------------------
2287
2288        0.3rc2 released
2289
22902004-03-11  Michal Ludvig  <mludvig@suse.cz>
2291
2292        * configure.ac: Bump up version to 0.3rc2
2293        * NEWS: Notes for release 0.3rc2
2294        * src/racoon/aclocal.m4 (RACOON_CHECK_VA_COPY): New test.
2295        * src/racoon/configure.in: Call RACOON_CHECK_VA_COPY
2296        * src/racoon/plog.c (plogv): Replace va_copy() with VA_COPY.
2297        * src/racoon/racoon.conf.5: Note that NAT-T support is a compile
2298          time option.
2299
23002004-03-10  Michal Ludvig  <mludvig@suse.cz>
2301
2302        * src/racoon/racoon.conf.5: Document nat_traversal option.
2303        * src/racoon/racoon.8: DOcument new options (-L and -P).
2304
23052004-03-09  Michal Ludvig  <mludvig@suse.cz>
2306
2307        * src/racoon/grabmyaddr.c (autoconf_myaddrsport): Prepare addrs for
2308          UDP-Encap ports if NAT-T is enabled.
2309          (dupmyaddr): New function.
2310        * src/racoon/grabmyaddr.h: Prototype for dupmyaddr().
2311        * src/racoon/isakmp.c (isakmp_open): Complain if NAT-T is enabled, but
2312          no port for UDP-Encap was open.
2313        * src/racoon/isakmp_var.h (PORT_ISAKMP_NATT): New define.
2314        * src/racoon/localconf.c, src/racoon/localconf.h: Define and setup
2315          lcconf->port_isakmp_natt.
2316        * src/racoon/main.c (main): Print nicer banner,
2317          (usage): Document new options (-L and -P).
2318          (parse): Recognise the above.
2319        * src/racoon/nattraversal.c (natt_fill_options): Don't use hardcoded
2320          constants for float_port.
2321          (natt_enabled_in_rmconf, natt_enabled_in_rmconf_stub): New functions.
2322        * src/racoon/nattraversal.h: Prototype for natt_enabled_in_rmconf().
2323        * src/racoon/plog.c: Don't print source:line:function by default.
2324        * src/racoon/remoteconf.c (foreachrmconf): New helper function.
2325        * src/racoon/remoteconf.h: Prototype for the above.
2326        * package_version.h: Define strings for use in banners.
2327        * configure.ac: Fill up the above header.
2328
23292004-03-09  Michal Ludvig  <mludvig@suse.cz>
2330
2331        * src/racoon/configure.in: Don't put -O into OPTFLAGS,
2332          add new option --disable-natt.
2333        * src/racoon/cfparse.y, src/racoon/handler.c,
2334          src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
2335          src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
2336          src/racoon/isakmp_ident.c, src/racoon/pfkey.c,
2337          src/racoon/proposal.c, src/racoon/session.c: Replace WITH_NATT
2338          with ENABLE_NATT.
2339        * src/racoon/crypto_openssl.c: Replace %d with %zd for size_t arguments.
2340
23412004-03-06  Aidas Kasparas  <a.kasparas@gmc.lt>
2342
2343        * configure.ac: Refuse to continue if lexer library (yywrap()
2344          function) is missing. Should prevent bugs like #892067, #908758
2345        * src/racoon/configure.in: renamed --with-ssleay to --with-openssl.
2346          Users should not be given false idea that they require both OpenSSL
2347          and SSLeay to compile racoon. (See bug #902197)
2348
2349---------------------------------------------
2350
2351        0.3rc1 released
2352
23532004-03-04  Michal Ludvig  <mludvig@suse.cz>
2354
2355        * configure.ac: Bump up version to 0.3rc1
2356        * NEWS: Mention release 0.3rc1 (and copy 0.2.3 and 0.2.4 notes
2357          from 0.2 branch).
2358        * src/racoon/samples/racoon.conf.sample-natt: New sample config file.
2359        * src/racoon/Makefile.in: Tweak file lists to make 'distcheck' happy,
2360          enabled NATT by default (will become a config option later).
2361
23622004-03-04  Michal Ludvig  <mludvig@suse.cz>
2363
2364        Merge with 'nat-t_branch' to bring NAT-T (NAT traversal) support
2365        to racoon.
2366        * src/racoon/Makefile.in, src/racoon/cfparse.y,
2367          src/racoon/cftoken.l, src/racoon/grabmyaddr.c,
2368          src/racoon/grabmyaddr.h, src/racoon/handler.c,
2369          src/racoon/handler.h, src/racoon/ipsec_doi.c,
2370          src/racoon/ipsec_doi.h, src/racoon/isakmp.c, src/racoon/isakmp.h,
2371          src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
2372          src/racoon/isakmp_ident.c, src/racoon/isakmp_quick.c,
2373          src/racoon/localconf.c, src/racoon/localconf.h,
2374          src/racoon/pfkey.c, src/racoon/proposal.c, src/racoon/proposal.h,
2375          src/racoon/racoon.conf.5, src/racoon/remoteconf.c,
2376          src/racoon/remoteconf.h, src/racoon/session.c,
2377          src/racoon/strnames.c, src/racoon/vendorid.h
2378          src/libipsec/pfkey.c,
2379          src/racoon/nattraversal.c, src/racoon/nattraversal.h,
2380          src/racoon/sockmisc.c: Affected files.
2381
23822004-02-27  Michal Ludvig  <mludvig@suse.cz>
2383
2384        * src/racoon/isakmp.c (set_isakmp_header1): Renamed from
2385          set_isakmp_header().
2386          (set_isakmp_header): New function common for set_isakmp_header1()
2387          and set_isakmp_header2().
2388          (copy_ph1addresses): Obey original port.
2389          (isakmp_plist_append, isakmp_plist_set_all): New helper functions.
2390        * src/racoon/isakmp_var.h: Prototypes for the above.
2391        * src/racoon/isakmp.h (struct payload_list): New structure.
2392        * src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
2393          src/racoon/isakmp_ident.c: Use isakmp_plist_* functions.
2394
23952004-02-03  Michal Ludvig  <mludvig@suse.cz>
2396
2397        * src/racoon/Makefile.in: Fix install to $(sbindir)
2398        * src/setkey/parse.y: Avoid GCC 3.3 warning (type-punned pointer).
2399
24002004-01-19  Michal Ludvig  <mludvig@suse.cz>
2401
2402        * rpm/ipsec-tools.FC1: Startup script for Fedora Core 1
2403          (thanks to Kimmo Koivisto <kimmo.koivisto@surfeu.fi>)
2404
24052004-01-17  Aidas Kasparas  <a.kasparas@gmc.lt>
2406
2407        * src/racoon/isakmp_inf.c: endian mismatch fix. From iij seil team
2408
24092004-01-15  Michal Ludvig  <mludvig@suse.cz>
2410
2411        * src/racoon/isakmp_inf.c: Prevent unauthorized deletion of SA
2412        (reported on bugtraq, fixed by iij seil team).
2413        * src/racoon/isakmp.c: Don't try to bind to IPv6 multicast addresses.
2414
24152004-01-14  Michal Ludvig  <mludvig@suse.cz>
2416
2417        * src/racoon/plog.c: Fix segfault on AMD64 (va_list can be used
2418        only once).
2419        * configure.ac: Don't build shared libipsec by default (can be
2420        enabled by --enable-shared).
2421        * bootstrap: Don't run automake for racoon.
2422
24232004-01-12  Michal Ludvig  <mludvig@suse.cz>
2424
2425        * src/racoon/configure.in: Fix AC_DEFINEs to make autoheader happy,
2426          use config.h for defines instead of -DHAVE_* gcc options,
2427          fix CRYPTOBJS to include missing rijndael libraries only once,
2428          checking for AES support in OpenSSL now (hopefully) finally
2429          works on both OpenSSL 0.9.6 and 0.9.7.
2430        * src/racoon/*.[cyl]: Include autogenerated "config.h"
2431        * src/racoon/missing/crypto/*/*.c: Ditto.
2432        * src/racoon/.cvsignore: Add config.h, config.h.in
2433
24342004-01-09  Michal Ludvig  <mludvig@suse.cz>
2435
2436        * src/racoon/.cvsignore: Add "autom4te.cache" and "configure".
2437
24382004-01-09  Aidas Kasparas  <a.kasparas@gmc.lt>
2439
2440        Sync with KAME 2004-01-07
2441        * src/libipsec/pfkey.c: memory leak fix; comment typo fixes
2442        * src/libipsec/{pfkey.c,pfkey_dump.c}: allow compilation even
2443          no SADB_X_EXT_TAG defined
2444        * src/libipsec/pfkey_dump.c: information about algorithms
2445          ripemd160, aes-xcbc, aes-ctr; bigger buffers; <tag> support
2446        * src/libipsec/policy_parse.y: memory leak
2447        * src/libipsec/policy_token.l: memory leak
2448        * src/libipsec/test-policy.c: unneeded \n removed
2449        * src/racoon/Makefile.in: $(sbindir) support
2450        * src/racoon/admin.c: interface changes due to proxy support
2451        * src/racoon/algorithm.c: SHA2 #ifdefs
2452        * src/racoon/{cfparse.y,cftoken.l}: license text added
2453        * src/racoon/cfparse.y: mip6 obsoleted by proxy support
2454        * src/racoon/cfparse.y: from directive support; new algorithms
2455        * src/racoon/cftoken.l: support for globbing of include files
2456        * src/racoon/configure.in: more verbose information about problems
2457          with SHA2
2458        * src/racoon/crypto_openssl.c: use new DES API if supported; algorithm
2459          key size fixes
2460        * src/racoon/eaytest.c: SHA2 #ifdefs; keysize len check
2461        * src/racoon/ipsec_doi.c: use VPTRINIT; ESP parameter validity checks;
2462          style change
2463        * src/racoon/isakmp.c: use VPTRINIT; interface changes due to
2464          mip6->proxy; typo
2465        * src/racoon/isakmp_inf.c: use VPTRINIT
2466        * src/racoon/isakmp_quick.c: mip6->proxy
2467        * src/racoon/kmpstat.c: not used variables removed
2468        * src/racoon/pfkey.c: mip6->proxy; schedule leak
2469        * src/racoon/proposal.c: style
2470        * src/racoon/remoteconf.c: mip6->proxy
2471        * src/racoon/sainfo.c: from directive support
2472        * src/racoon/sockmisc.c: side correction; addrinfo leak
2473        * src/racoon/strnames.c: typo in descriptions; wrong upper bound check
2474        * src/racoon/missing/crypto/sha2/sha2.c: wrong size
2475        * src/setkey/parse.y: extra algorithms; tagged; not needed periods
2476          removed; memory shortage checks
2477        * src/setkey/setkey.8: typos; tagged; new algorithms
2478        * src/setkey/setkey.c: standard argument names for main(); hexdump
2479          support; info in file support
2480        * src/setkey/token.l: new algorithms; memory shortage checks
2481          Parts not taken from KAME:
2482        * kernelfs stuff;
2483        * sysctl stuff
2484
24852004-01-08  Michal Ludvig  <mludvig@suse.cz>
2486
2487        * src/racoon/config.{sub,guess}: Update from automake 1.7.
2488
24892004-01-08  Michal Ludvig  <mludvig@suse.cz>
2490
2491        Patch from Kostadin Karaivanov <larry@minfin.bg>:
2492        * src/racoon/configure.in: Check for openssl/aes.h.
2493        * src/racoon/crypto_openssl.c: Use OpenSSL AES functions if available.
2494
24952004-01-08  Michal Ludvig  <mludvig@suse.cz>
2496
2497        * src/racoon/configure: Remove, should be regenerated by bootstrap.
2498
24992004-01-02  Michal Ludvig  <michal@logix.cz>
2500
2501        * src/racoon/crypto_openssl.c: Update to work with OpenSSL 0.9.7
2502          (by Brian Buesker <bbuesker@qualcomm.com>
2503           and Christophe Saout <christophe@saout.de>)
2504        * src/racoon/proposal.c: Be more verbose. (Michal Ludvig)
2505        * src/libipsec/ipsec_dump_policy.c: Dump FWD policies correctly
2506          (by Michal Ludvig).
2507        * src/setkey/token.l, src/setkey/parse.y: Add support for lifetime
2508          specified in bytes (by Michal Ludvig).
2509        * src/setkey/setkey.8: Document -bh/-bs options for the above feature.
2510        * src/libipsec/pfkey.c: Don't include 'sadb_key' in SADB_UPDATE
2511          message for IPcomp SA. (by Brian Buesker <bbuesker@qualcomm.com>)
2512        * src/racoon/cfparse.y: Flush SA on SIGHUP
2513          (by Brian Buesker <bbuesker@qualcomm.com>)
2514        * src/racoon/pfkey.c: IPcomp fixes
2515          (by Brian Buesker <bbuesker@qualcomm.com>)
2516        * src/racoon/proposal.c: Fix typo lifebyte -> lifetime.
2517        * src/racoon/grabmyaddr.c: Prevent segfault if getifaddrs() returns
2518          an entry with NULL ifa_addr (Michal Ludvig).
2519        * configure.ac: Change path to kernel headers
2520          from /usr/src/devel-2.5/devel to /usr/src/linux
2521        * bootstrap: Use default tools, reconfigure src/racoon
2522        * src/racoon/configure.in: Change LIBOBJS -> AC_LIBOBJ,
2523          changed comments from 'dnl' to '#'.
2524
25252003-06-20  Derek Atkins  <derek@ihtfp.com>
2526
2527        * src/racoon/aclocal.m4:
2528        * src/racoon/configure:
2529          Don't execute "for i in $3" if "$3" doesn't exist.
2530          Fixes bug #721296.
2531       
25322003-03-31  Derek Atkins  <derek@ihtfp.com>
2533
2534        * src/setkey/parse.y: change the NAT-T Type to use UDP_ENCAP_ESPINUDP
2535          (which is value '2')
2536
25372003-03-27  Derek Atkins  <derek@ihtfp.com>
2538
2539        * src/libipsec/key_debug.c: use ntohs() before printing port
2540        * src/libipsec/pfkey.c: convert port# to network byte order
2541        * src/libipsec/pfkey_dump.c: use ntohs() before printing ports
2542        * src/setkey/parse.y: convert port#'s to network byte order
2543       
25442003-03-24  Derek Atkins  <derek@ihtfp.com>
2545
2546        * src/libipsec/pfkey.c: Don't switch off NAT-T extensions
2547          if they don't exist in the kernel.
2548
2549        * src/racoon/sockmisc.c: use '34' for IPV6_IPSEC_POLICY,
2550          as per Tom Lendacky <toml@us.ibm.com>.  Also move the
2551          setting of IPV6_IPSEC_POLICY to the top of the file.
2552       
25532003-03-13  Derek Atkins  <derek@ihtfp.com>
2554
2555        Add initial support for NAT-T PFKey Extensions:
2556        * src/libipsec/key_debug.c: add support to print information
2557          about NAT-T extension packets.
2558        * src/libipsec/libpfkey.h: add two new APIs to support NAT-T
2559          for add and update as part of the SADB.
2560        * src/libipsec/pfkey.c:
2561          - Implement extended APIs to support NAT-T for add and update
2562            of the SADB.
2563          - Add APIs to fill a buffer with NAT-T packet types
2564        * src/libipsec/pfkey_dump.c: Extend the SADB output to include
2565          PFKey packets.  Put port numbers with the source and dest
2566          addresses, add an 'esp-udp' SA-type, and add a printout for
2567          the NAT-OA.
2568        * src/setkey/parse.y:
2569          - Extend setkey to create an ESP-UDP SA.
2570          - default UDP port is 4500
2571          - extend 'add' to allow <ip-addr>[<portnum>] for source and dest
2572            (the portnum specification requires the [] characters)
2573          - add an ESPUDP "protocol" from the lexer.  This will use
2574            ESP and allow an optional Original Address setting.
2575          - add a function to get a udp port from a struct sockaddr *
2576          - pass the NAT-T extentions into PFKey
2577        * src/setkey/token.l: add "esp-udp" token
2578       
2579        * rpm/ipsec-tools.spec.in: Bill Nottingham's SPEC-file patch:
2580          This switches it to use %{_lib} (for /lib64 systems such as
2581          x86-64 and s390x, and has it own the /etc/racoon directory in
2582          the package as well.
2583
2584---------------------------------------------
2585
2586        0.2.2 released
2587
25882003-03-13  Derek Atkins  <derek@ihtfp.com>
2589
2590        * configure.am, NEWS:
2591          Update for 0.2.2 release
2592
2593        * Makefile.am: distribute depcomp
2594       
25952003-03-10  Derek Atkins  <derek@ihtfp.com>
2596
2597        * src/racoon/Makefile.in: add @LEXLIB@ to the LIBS line to make
2598          sure we link against the lexer library when necessary.
2599       
26002003-03-07  Derek Atkins  <derek@ihtfp.com>
2601
2602        * configure.am:
2603        * Makefile.am:
2604        * rpm/Makefile.am:
2605        * rpm/ipsec-tools.spec.in:
2606          Added RPM SPEC to CVS
2607       
2608---------------------------------------------
2609
2610        0.2.1 released
2611
26122003-03-07  Derek Atkins  <derek@ihtfp.com>
2613
2614        * src/racoon/configure.in:  change "CFLAGS" to "CPPFLAGS" for
2615          ssl include directory, to make sure the other tests work properly.
2616
26172003-03-06  Derek Atkins  <derek@ihtfp.com>
2618
2619        * src/racoon/kmpstat.c:  fix gcc-3.2.2 compiler warning
2620
2621        * src/racoon/configure.in:  look for krb5-config and don't
2622          use it if it's not found.  Fixes a configure-time warning.
2623       
2624--------------------------------------------
2625
2626        0.2 Released