source: rtems-libbsd/ipsec-tools/ChangeLog @ ff36f5e

5-freebsd-12
Last change on this file since ff36f5e was ff36f5e, checked in by Christian Mauderer <christian.mauderer@…>, on May 30, 2018 at 12:27:35 PM

Import ipsec-tools 0.8.2.

Import unchanged ipsec-tools sources in the release version 0.8.2. The
homepage of ipsec-tools is http://ipsec-tools.sourceforge.net/. The
sources can be obtained from there.

2013-07-12  Timo Teras <timo.teras@iki.fi>

        * src/racoon/main.c: From Sven Vermeulen
          <sven.vermeulen@siphos.be>: Moves ploginit() up, allowing logging
          events from init_avc() to show up as well.

2013-06-18  Timo Teras <timo.teras@iki.fi>

        * src/racoon/ipsec_doi.c: From Paul Barker: Remove redundant memset
          after calloc that caused compile failures with gcc 4.8 due to error:
          argument to 'sizeof' in 'memset' call is the same expression as the
          destination; did you mean to dereference.

2013-06-03  Timo Teras <timo.teras@iki.fi>

        * src/racoon/admin.c: From Alexander Sbitnev
          <alexander.sbitnev@gmail.com>: fix admin port establish-sa for
          tunnel mode SAs.

2013-05-23  Timo Teras <timo.teras@iki.fi>

        * src/include-glibc/net/pfkeyv2.h: From Rainer Weikusat
          <rweikusat@mobileactivedefense.com>: Fix SADB_X_EALG_CASTCBC
          definition to use system definition (which differs at least on
          Linux).

2013-04-12  Timo Teras <timo.teras@iki.fi>

        * src/racoon/isakmp_cfg.c: From Rainer Weikusat
          <rweikusat@mobileactivedefense.com>: Do not send out illegal zero
          length MODE_CFG attributes.

        * src/racoon/: grabmyaddr.c, isakmp_inf.c: Some logging
          improvements.

2013-02-05  Timo Teras <timo.teras@iki.fi>

        * src/racoon/grabmyaddr.c: Fix source port selection

        * src/racoon/isakmp_xauth.c: From Ian West <ian@niw.com.au>: Fix
          double free of the radius info on config reload.

2013-01-24  Timo Teras <timo.teras@iki.fi>

        * src/racoon/isakmp_inf.c: Fix handling of deletion notification.

2013-01-08  tag ipsec-tools-0_8_1

2013-01-08  Timo Teras <timo.teras@iki.fi>

        * NEWS, configure.ac: ipsec-tools-0.8.1

        * configure.ac: Fix errors from automake 1.13

        * src/include-glibc/Makefile.am: Don't dereference the directory
          symlink which we might be recreating.

2012-12-24  Timo Teras <timo.teras@iki.fi>

        * src/racoon/crypto_openssl.c: From Götz Babin-Ebell
          <g.babin-ebell@novamedia.de>: Smarter X.509 subject name compare.

        * configure.ac, src/racoon/crypto_openssl.c,
          src/racoon/missing/crypto/sha2/sha2.c: From Götz Babin-Ebell
          <g.babin-ebell@novamedia.de>: Require OpenSSL 0.9.8s or higher

2012-08-29  Timo Teras <timo.teras@iki.fi>

        * src/racoon/isakmp_inf.c: From Roman Hoog Antink <rha@open.ch>:
          Accept DPD messages with cookies also in reversed order for
          compatibility. At least Cisco 836 running IOS 12.3(8)T does this.

        * src/racoon/oakley.c: From Roman Hoog Antink <rha@open.ch>: add
          remote's IP address to the "certificate not verified" error message.

        * src/racoon/oakley.c: From Roman Hoog Antink <rha@open.ch>: do not
          print unnecessary warning about non-verified certificate when using
          raw plain-rsa.

        * src/racoon/isakmp.c: From Rainer Weikusat
          <rweikusat@mobileactivedefense.com>: Release unused phase2 of
          passive remotes after acquire.

        * src/racoon/isakmp.c: From Wolfgang Schmieder
          <wolfgang.schmieder@honeywell.com>: setup phase1 port properly.

        * src/racoon/: cfparse.y, cftoken.l, racoon.conf.5: Allow inherited
          remote blocks without additional remote statements to be specified
          in a simpler way. patch by Roman Hoog Antink <rha@open.ch>

2012-08-23  Timo Teras <timo.teras@iki.fi>

        * src/racoon/crypto_openssl.c: From Nakano Takaharu: Fix bignum
          memory allocation.

2012-01-01  Timo Teras <timo.teras@iki.fi>

        * src/racoon/isakmp_unity.c: From Rainer Weikusat
          <rweikusat@mobileactivedefense.com>: Fix one byte too short memory
          allocation in isakmp_unity.c:splitnet_list_2str().

2011-11-17  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/handler.c: fixed some crashes in LIST_FOREACH where
          current element could be removed during the loop

2011-11-14  Timo Teras <timo.teras@iki.fi>

        * src/libipsec/pfkey.c: From Marcelo Leitner <mleitner@redhat.com>:
          do not shrink pfkey socket buffers (if system default is larger than
          what we want as minimum)

2011-08-12  Timo Teras <timo.teras@iki.fi>

        * src/racoon/privsep.c: Have privilege separation child process
          exit if the parent exits.

        * Makefile.am: Create ChangeLog for proper CVS branch.

2011-03-18  tag ipsec-tools-0_8_0

2011-03-18  Yvan Vanhullebus <vanhu@netasq.com>

        * configure.ac: Yes: 0.8.0 is out !!!

        * NEWS: updated News for 0.8 branch

2011-03-17  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/oakley.c: fixed a memory leak in
          oakley_append_rmconf_cr() while generating plist. patch by Roman
          Hoog Antink <rha@open.ch>

        * src/racoon/oakley.c: free name later, to avoid a memory use after
          free in oakley_check_certid(). also give iph1->remote to some plog()
          calls. patch by Roman Hoog Antink <rha@open.ch>

        * src/racoon/oakley.c: fixed a memory leak in
          oakley_check_certid(). patch by Roman Hoog Antink <rha@open.ch>

2011-03-15  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/: isakmp.c, isakmp_inf.c, pfkey.c: directly call
          isakmp_ph1delete() instead of scheduling isakmp_ph1delete_stub(), as
          it is useless and can lead to memory access after free

2011-03-14  Timo Teras <timo.teras@iki.fi>

        * src/racoon/: grabmyaddr.c, handler.c, isakmp.c, isakmp_inf.c,
          isakmp_quick.c, nattraversal.c, pfkey.c, policy.c, sockmisc.c,
          sockmisc.h, throttle.c: Explicitly compare return value of
          cmpsaddr() against a return value define to make it more obvious
          what is the intended action. One more return value is also added, to
          fix comparison of security policy descriptors. Namely, getsp()
          should not allow wildcard matching (as the comment says, it does
          exact matching) - otherwise we get problems when kernel has generic
          policy with no ports, and a second similar policy with ports.

2011-03-14  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/: cfparse.y, isakmp_xauth.c, isakmp_xauth.h,
          remoteconf.c, remoteconf.h, rsalist.c, rsalist.h: avoid some
          memory leaks / free memory access when reloading conf and have
          inherited config. patch from Roman Hoog Antink <rha@open.ch>

        * src/racoon/handler.c: removed a useless comment

        * src/racoon/handler.c: check if we got RMCONF_ERR_MULTIPLE from
          getrmconf_by_ph1() in revalidate_ph1tree_rmconf()

2011-03-11  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/: handler.c, isakmp.c: directly delete a ph1 in
          remove_ph1() instead of scheduling it, to avoid (completely ?) a
          race condition when reloading configuration

2011-03-06  Timo Teras <timo.teras@iki.fi>

        * src/racoon/privsep.c: Quiet a gcc warning when strict-aliasing
          checks are enabled. Reported by Stephen Clark.

2011-03-02  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/session.c: flush sainfo list when closing session.
          patch by Roman Hoog Antink <rha@open.ch>

        * src/racoon/: remoteconf.c, rsalist.c, rsalist.h: free rsa
          structures when deleting a struct rmconf. patch by Roman Hoog Antink
          <rha@open.ch>

        * src/racoon/: cfparse.y, remoteconf.c, remoteconf.h: free spspec
          when deleting a rmconf struct. patch by Roman Hoog Antink
          <rha@open.ch>

        * src/racoon/: remoteconf.c, session.c: fixed some memory leaks in
          remoteconf. patch by Roman Hoog Antink <rha@open.ch>

        * src/racoon/: cfparse.y, prsa_par.y: fixed some memory leaks
          during configuration parsing. patch by Roman Hoog Antink
          <rha@open.ch>

2011-03-01  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/: isakmp.c, pfkey.c: plog text fixes, patch from M E
          Andersson <debian@gisladisker.se>

        * src/racoon/cfparse.y: reset yyerrorcount before doing parse
          stuff. patch by Roman Hoog Antink <rha@open.ch>

2011-02-20  Timo Teras <timo.teras@iki.fi>

        * src/racoon/oakley.c: From Roman Hoog Antink <rha@open.ch>: Fix
          memory leak when using plain RSA key authentication.

2011-02-11  Timo Teras <timo.teras@iki.fi>

        * src/racoon/plainrsa-gen.c: From Mats E Andersson
          <debian@gisladisker.se>: Fix fprintf format specifier usage from
          previous patch.

2011-02-10  Timo Teras <timo.teras@iki.fi>

        * src/racoon/plainrsa-gen.c: From Mats Erik Andersson
          <debian@gisladisker.se>: Implement importing of RSA keys from PEM
          files.

        * src/racoon/prsa_par.y: From M E Andersson
          <debian@gisladisker.se>: Fix parsing of restricted RSA key
          addresses.

2011-02-02  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/: cftoken.l, isakmp.c, remoteconf.h, sainfo.c,
          sainfo.h: store ph1id in an u_int32_t instead of a (signed)int.
          Patch from Christophe Carre

2011-01-28  Timo Teras <timo.teras@iki.fi>

        * src/racoon/: sainfo.c, sainfo.h, session.c: From Roman Hoog
          Antink <rha@open.ch>: Clean up sainfo reloading: rename the
          functions, and remove unneeded global variable.

        * src/racoon/: remoteconf.c, remoteconf.h, session.c: From Roman
          Hoog Antink <rha@open.ch>: Clean up rmconf reloading: rename the
          functions, and remove unneeded global variable.

        * src/racoon/plog.c: From Roman Hoog Antink <rha@open.ch>: Log
          remote IP address if available (slightly modified by tteras)

2011-01-22  Timo Teras <timo.teras@iki.fi>

        * src/racoon/isakmp_inf.c: From Roman Hoog Antink <rha@open.ch>:
          Fixes a null pointer dereference that might occur after removing
          peers from the config and then reloading.

2011-01-20  Yvan Vanhullebus <vanhu@netasq.com>

        * src/libipsec/pfkey.c: fixed a typo, it will now compile when
          KMADDRESS is defined. reported by Roman Hoog Antink (rha (at)
          open.ch)

2010-12-28  Timo Teras <timo.teras@iki.fi>

        * src/racoon/handler.c: From Roman Hoog Antink <rha@open.ch>: Fix
          config reload to not delete too many phase 2 handles, because wrong
          chain field is used when enumerating the handles.

2010-12-16  gdt

        * src/racoon/oakley.c: When encountering a certificate where "ID
          mismatched with ASN1 SubjectName", and verify_identifier is off,
          don't raise an error.  This makes the behavior match the man page.

          Patch sent for review long ago:
            http://mail-index.netbsd.org/tech-security/2006/03/24/0000.html
          with no negative feedback received to date.

2010-12-14  Timo Teras <timo.teras@iki.fi>

        * src/racoon/ipsec_doi.c: From Roman Hoog Antink <rha@open.ch>: Fix
          possible null dereference.

2010-12-08  Timo Teras <timo.teras@iki.fi>

        * src/racoon/admin.c: Use separate SA addresses for phase2's
          created by admin command. The phase2 startup overwrites src/dst with
          ISAKMP ports if they are zero and we don't want that to happen for
          the SA ports.

2010-12-08  joerg

        * src/libipsec/pfkey.c: ANSIfy

2010-12-07  Timo Teras <timo.teras@iki.fi>

        * src/racoon/isakmp_quick.c: Fix spacing and improve wording in
          some log messages.

2010-12-03  Timo Teras <timo.teras@iki.fi>

        * src/libipsec/ipsec_dump_policy.c: Recognize direction for Linux
          per-socket policies.

        * src/: libipsec/libpfkey.h, libipsec/pfkey_dump.c, setkey/parse.y,
          setkey/setkey.8: Support GRE key as upper layer protocol
          specifier (will be supported in Linux kernel 2.6.38).

        * src/racoon/grabmyaddr.c: Netlink deletion notification does not
          guarantee actual address deletion: it might still exist on some
          other interface. Make sure we do not unbind unless the address is
          really gone.

2010-11-17  Timo Teras <timo.teras@iki.fi>

        * src/racoon/: handler.c, handler.h, isakmp.c, isakmp_inf.c: Fix my
          previous patch to not call purge_remote() twice. Change the place
          where purge_remote() is called. This fixes also a possible crash
          from the same patch since ph1->remote can be NULL (when we are
          responder and config is not yet selected).

2010-11-12  Timo Teras <timo.teras@iki.fi>

        * src/racoon/: admin.c, isakmp.c, isakmp_var.h, pfkey.c:
          isakmp_post_acquire is now called from admin commands too, add a
          flag so admin commands can be used to establish even passive links
          on demand.

        * src/racoon/isakmp.c: Purge all IPsec-SA's if the last main
          ISAKMP-SA for the node is deleted by remote request and the phase1
          rekeying is enabled (this will also trigger the new phase1_dead
          script hook).

        * src/racoon/: handler.h, isakmp_inf.c: Improve DPD sequence checks
          to allow any reply within valid sequence window to be proof of
          liveliness. This can improve things if there's random packet
          delays, or if racoon is not getting enough CPU time.

        * src/racoon/: admin.c, admin.h, kmpstat.c, racoonctl.c: Extend
          admin protocol to allow reply packets to exceed 64kb. E.g. SA dumps
          with many established SAs can be easily over the limit.

2010-10-22  Timo Teras <timo.teras@iki.fi>

        * src/racoon/grabmyaddr.c: Change Linux Netlink address monitoring
          to monitor local route changes.  This works around a kernel bug, and
          slightly improves behaviour on some special cases.

2010-10-21  Timo Teras <timo.teras@iki.fi>

        * src/racoon/: admin.c, evt.c, grabmyaddr.c, isakmp.c, pfkey.c,
          session.c, session.h: Introduce priorities for file descriptor
          polling mechanism and give priority to admin port. If admin port is
          used by ISAKMP-SA hook scripts they should be preferred, otherwise
          heavy traffic can delay admin port requests considerably. This in
          turn may cause renegotiation loop for ISAKMP-SA. This is mostly
          useful for OpenNHRP setup, but can benefit other setups too.

        * src/racoon/: admin.c, handler.c, handler.h: Remove
          initial-contact entry when all ISAKMP-SA are purged via adminport.
          This will avoid stale security associations if some of the delete
          notifications happen to get lost.

2010-10-20  Timo Teras <timo.teras@iki.fi>

        * src/racoon/crypto_openssl.c: Use high-level openssl EVP and HMAC
          functions when possible: this allows openssl to perform hardware
          acceleration if available.

        * src/racoon/: isakmp.c, isakmp_quick.c: Various improvements to
          error log messages and a few additional error log messages to
          improve diagnosing an error condition.

        * src/racoon/grabmyaddr.c: Fix address comparison so we actually
          close sockets which were bound to IP-address that got deconfigured.

2010-10-11  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/ipsec_doi.c: report a higher encryption key length in
          approval for OBEY / CLAIM / STRICT modes

2010-09-27  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/isakmp_xauth.c: fixed some typos in logs (reported by
          fazaeli (at) sepehrs.com)

2010-09-24  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/cftoken.l: fixed a fd leak, patch by getlaser (at)
          gmail.com

2010-09-22  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/admin.c: get the correct length of username when
          processing ADMIN_LOGOUT_USER, patch by rweikusat (at) mssgmbh.com

        * src/racoon/nattraversal.h: fixed a typo in macros, reported by
          marisp (at) mt.lv

2010-09-21  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/isakmp_cfg.c: moved from utmp.h to utmpx.h (patch
          provided by marcin.cieslak (at) gmail.com)

2010-09-08  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/remoteconf.c: fixed remoteconf selection when no ID
          specified in configuration, and added some debug to remoteconf
          selection

2010-08-26  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/remoteconf.c: fix by Sergio.Gelato (at) astro.su.se:
          duplicate some dynamic values in duprmconf()

2010-08-04  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/isakmp_cfg.c: fixed answer for IP4_SUBNET request

2010-07-30  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/doc/FAQ: updated link to NetBSD's documentation

2010-06-22  Thomas Klausner <wiz@netbsd.org>

        * src/racoon/racoon.conf.5: Bump date for previous.

2010-06-22  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/: cfparse.y, cftoken.l, isakmp.c, isakmp_inf.c,
          racoon.conf.5, remoteconf.c, remoteconf.h: added a specific
          script hook when a dead peer is detected

2010-06-04  Thomas Klausner <wiz@netbsd.org>

        * src/setkey/setkey.8: New sentence, new line. Bump date for
          previous.

2010-06-04  Yvan Vanhullebus <vanhu@netasq.com>

        * src/setkey/: parse.y, setkey.8, token.l: Added support for
          spdupdate command in setkey

2010-04-07  Yvan Vanhullebus <vanhu@netasq.com>

        * src/libipsec/ipsec_strerror.c: by Eric Preston: fixed a typo

2010-04-02  Christos Zoulas <christos@netbsd.org>

        * src/: libipsec/pfkey_dump.c, racoon/backupsa.c: handle ctime
          returning NULL.

2010-03-11  Christos Zoulas <christos@netbsd.org>

        * src/racoon/handler.c: PR/42363: Yasuoka Masahiko: Second part of
          the patch: iterate only on the phase2 handles that are bound by the
          given phase1 handle.

2010-03-05  Timo Teras <timo.teras@iki.fi>

        * src/: libipsec/ipsec_set_policy.3, racoon/privsep.c,
          racoon/doc/FAQ, setkey/setkey.8: From Stefan Bauer: Fix multiple
          typos and manpage formatting errors.

2010-03-04  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/session.c: From Pierre POMES: fixed admin port
          initialization

2010-02-28  snj

        * src/racoon/: sockmisc.c, sockmisc.h: Fight the ever-increasing
          size of src checkouts by spelling "useful" without an extra l.

2010-02-09  Thomas Klausner <wiz@netbsd.org>

        * src/racoon/: pfkey.c, proposal.h: Fix typo in comment.

2010-01-17  Thomas Klausner <wiz@netbsd.org>

        * src/racoon/sainfo.c: Free strdupped string after using it. Found
          by cppcheck.

        * src/racoon/: eaytest.c, ipsec_doi.c: Close file handles after
          using them. Found by cppcheck.

2010-01-15  joerg

        * src/setkey/setkey.8: Use .%U instead of .%O for URLs.

2009-12-11  Timo Teras <timo.teras@iki.fi>

        * src/racoon/Makefile.am: From Paul Wernau: vmbuf.h was defined
          twice in the headers. Remove the redundant entry so new install tool
          does not complain about overwriting just installed file.

2009-11-22  Christos Zoulas <christos@netbsd.org>

        * src/racoon/handler.c: PR/42363: Yasuoka Masahiko:

          racoon uses a wrong IPsec-SA handle that is for other peer in case
          it receives a ISAKMP message for IPsec-SA that has the same
          message-id as the message-id that is received before.

          racoon uses message-id to find the handle of IPsec-SA.  The
          message-id is a unique number for each peer, but different peers may
          use the same value.

          Different Windows Vista or Windows 7 peers seem to use the same
          message-id.  racoon can handle the first Windows's Phase-2, but it
          cannot handle the second Windows.  Because racoon misunderstands the
          message for the second Windows as the message for the first Windows.

          >Category:       bin
          >Synopsis:       racoon uses a wrong IPsec-SA that is for different peer
          >Confidential:   no
          >Severity:       serious
          >Priority:       medium
          >Responsible:    bin-bug-people
          >State:          open
          >Class:          sw-bug
          >Submitter-Id:   net
          >Arrival-Date:   Sun Nov 22 18:25:00 +0000 2009
          >Originator:     yasuoka@iij.ad.jp

2009-10-29  Christos Zoulas <christos@netbsd.org>

        * src/setkey/token.l: use %option noinput nounput

2009-10-28  Christos Zoulas <christos@netbsd.org>

        * src/setkey/token.l: no unput

2009-10-14  joerg

        * src/libipsec/ipsec_set_policy.3: Do not use .Xo/.Xc to workaround
          ancient groff limits.

        * src/setkey/setkey.8: Do not use .Xo/.Xc to work around ancient
          groff limits.  Fix markup.

        * src/racoon/racoon.conf.5: Don't use .Xo/.Xc to work around
          ancient groff limits.  Set only one list type.

2009-09-18  Timo Teras <timo.teras@iki.fi>

        * src/racoon/: isakmp_agg.c, isakmp_ident.c: From Tomas Mraz: Fix
          gssapi error checking.

2009-09-03  Timo Teras <timo.teras@iki.fi>

        * src/racoon/: admin.c, handler.c, handler.h, isakmp.c,
          isakmp_var.h, pfkey.c: When rekeying phase2 use phase1 used to
          negotiate phase2 as a hint to select the phase1 for rekeying the new
          phase2.

2009-09-01  Timo Teras <timo.teras@iki.fi>

        * src/racoon/: nattraversal.c, racoon.conf.5, vendorid.c: Check
          nat_traversal configuration from remote configuration candidates
          when acting as responder. Enable NAT-T if any of the remote
          candidates have NAT-T enabled.

        * src/racoon/remoteconf.c: Change remote conf matching level to
          matching score. This way one can override anonymous certificate
          block config with more exact "inherited" IP specific block.

        * src/racoon/: isakmp.c, racoon.conf.5: From Maik Broemme: export
          ISAKMP SA identity as REMOTE_ID for phase1 up script (trac #313).

2009-08-24  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/oakley.c: fixed typo: algoriym -> algorithm

2009-08-19  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/remoteconf.c: fixed address check in
          rmconf_match_type(), just check address with wildcard port

2009-08-19  Timo Teras <timo.teras@iki.fi>

        * src/racoon/remoteconf.c: Have an enum for rmconf_match_type()
          return values to make the code a bit more readable.

2009-08-18  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/oakley.c: typo: algoritym -> algorithm

2009-08-17  Yvan Vanhullebus <vanhu@netasq.com>

        * src/libipsec/libpfkey.h: do not use SADB_X_NAT_T_NEW_MAPPING to
          check system support for NAT-T, as at least FreeBSD doesn't have
          this define anymore

        * src/racoon/schedule.h: include stddef.h so we have a chance to
          get the system offsetof if present

        * src/racoon/crypto_openssl.h: removed a self include

2009-08-13  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/oakley.c: fixed a potential DoS in
          oakley_do_decrypt(), reported by Orange Labs

2009-08-10  Timo Teras <timo.teras@iki.fi>

        * src/racoon/pfkey.c: Don't print EAGAIN error from
          pfkey_handler(), it can occur normally under some code paths and is
          not a hard error in any case.

2009-08-06  Timo Teras <timo.teras@iki.fi>

        * src/setkey/setkey.c: From Paul Wernau: Check fgets return value in
          setkey to make gcc happy.

2009-08-05  Timo Teras <timo.teras@iki.fi>

        * src/racoon/pfkey.c: From Paul Wernau: Fix transport mode per-port
          security associations that got broken during NAT-T fixes.

2009-07-07  Timo Teras <timo.teras@iki.fi>

        * src/racoon/sockmisc.c: From Arnaud Ebalard: Fix possible usage of
          uninitialized local variable (not sure if any code path triggers
          this, but this makes compiler happy).

2009-07-03  Timo Teras <timo.teras@iki.fi>

        * src/racoon/: admin.c, grabmyaddr.c, handler.c, handler.h,
          isakmp.c, isakmp_cfg.c, isakmp_inf.c, isakmp_quick.c,
          nattraversal.c, pfkey.c, policy.c, remoteconf.c, remoteconf.h,
          sockmisc.c, sockmisc.h, throttle.c: Get rid of the evil CMPSADDR
          macro. Trac #295.

        * src/: libipsec/libpfkey.h, libipsec/pfkey.c, racoon/isakmp.c,
          racoon/isakmp_inf.c, racoon/pfkey.c, racoon/pfkey.h: From Yvan
          Vanhullebus: Use SADB_X_EXT_NAT_T_* consistently for passing the
          NAT-T port information. This might break compatibility with some
          kernels, but as discussed this is the proper way to pass NAT-T ports
          and the broken kernels need to be fixed.

2009-06-24  Timo Teras <timo.teras@iki.fi>

        * src/racoon/session.c: Fix a call to null pointer: in some cases,
          the unmonitor_fd can be called from another fd's callback. That
          could lead to still have callback pending after unmonitoring the fd
          resulting in a call to null pointer.  This is fixed by making
          unmonitor_fd now clear the pending fd_set too.  Bug was introduced
          by my commit in 2008-12-23.

2009-05-20  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/isakmp.h: typo

2009-05-19  Timo Teras <timo.teras@iki.fi>

        * src/racoon/: ipsec_doi.c, isakmp.c: From Jukka Salmi: Fix couple
          of typos from previous commit.

2009-05-18  Timo Teras <timo.teras@iki.fi>

        * src/racoon/: ipsec_doi.c, isakmp.c, sockmisc.c, sockmisc.h: From
          Tomas Mraz: Introduce union sockaddr_any and use it to make code
          more readable. Related to trac #293.

        * src/racoon/isakmp_inf.c: From Tomas Mraz: Remove variable that is
          not really used; only referenced while uninitialized causing
          valgrind error.

        * src/racoon/nattraversal.c: From Tomas Mraz: Fix natt_flags check.

2009-05-04  Thomas Klausner <wiz@netbsd.org>

        * src/racoon/racoon.conf.5: Remove superfluous spaces around
          parentheses.

2009-04-29  Timo Teras <timo.teras@iki.fi>

        * src/racoon/crypto_openssl.c: From Ross Meng: Fix a memory leak in
          X509 certificate validation.

2009-04-28  Timo Teras <timo.teras@iki.fi>

        * src/racoon/handler.c: Reset nat_oa variables too when reusing
          phase two handler. Otherwise phase2 rekeying might fail in some
          scenarios.

2009-04-22  Timo Teras <timo.teras@iki.fi>

        * src/racoon/isakmp_frag.c: From Neil Kettle: Fix a possible null
          pointer dereference in fragmentation code.

2009-04-21  Timo Teras <timo.teras@iki.fi>

        * src/racoon/: grabmyaddr.c, grabmyaddr.h, session.c: Fix
          strict_address to work again. The lists need to be initialized
          before configuration is read, which happens before my_addr_init()
          call.

2009-04-20  Timo Teras <timo.teras@iki.fi>

        * src/racoon/: isakmp.c, isakmp.h, isakmp_var.h: Fix a memory leak
          in certificate request generation.

        * src/racoon/: isakmp_inf.c, isakmp_xauth.c, plog.c: Originally from
          Bin Li: Fix possible memory corruption in binsanitize().

        * src/racoon/crypto_openssl.c: From Stephen Bevan: Fix a x509
          signature verification memory leak.

        * src/racoon/: admin.c, racoonctl.c: Originally from Bin Li: Fix a
          crash with racoonctl logout user.

        * src/racoon/nattraversal.c: Fix a memory leak in nat-t keepalive
          code.

        * src/racoon/handler.c: From Paul Moore: Phase2 message ids should
          be unique wrt phase1, not globally.

2009-03-13  Timo Teras <timo.teras@iki.fi>

        * src/racoon/: pfkey.c, remoteconf.h: From Arnaud Ebalard: Fix
          couple of problems with previous commit.

2009-03-12  he

        * src/racoon/: isakmp.c, remoteconf.c: When casting to/from a
          pointer to an integral type (a bad practice, if you ask me), you
          need to cast via intptr_t for portability.

2009-03-12  Thomas Klausner <wiz@netbsd.org>

        * src/racoon/racoon.conf.5: New sentence, new line. Avoid marking
          up punctuation.

        * src/racoon/racoonctl.8: Bump date for previous. Sort options to
          establish-sa.  Stop using Xo/Xc.

2009-03-12  Timo Teras <timo.teras@iki.fi>

        * src/racoon/: admin.c, cfparse.y, cftoken.l, crypto_openssl.c,
          crypto_openssl.h, dnssec.c, dnssec.h, handler.c, handler.h,
          ipsec_doi.c, ipsec_doi.h, isakmp.c, isakmp.h, isakmp_agg.c,
          isakmp_base.c, isakmp_ident.c, isakmp_inf.c, isakmp_quick.c,
          isakmp_var.h, nattraversal.c, oakley.c, oakley.h, racoon.conf.5,
          racoonctl.8, racoonctl.c, remoteconf.c, remoteconf.h, sockmisc.c,
          vendorid.c: Support multiple anonymous remotes and decide
          remoteconf based on identity, received certificates and other
          information. General code clean up.

2009-03-06  Timo Teras <timo.teras@iki.fi>

        * src/setkey/: extern.h, parse.y, setkey.c: setkey: fix deleteall
          in Linux

          Linux requires SADB_DELETE message to have SPI. So send a
          SADB_DELETE message for each matching SA. Trac #284.

          From: Gabriel Somlo <somlo@cmu.edu>

2009-02-16  Timo Teras <timo.teras@iki.fi>

        * src/libipsec/policy_parse.y: From Paul Moore: Fix a heap
          corruption bug (yacc returns non-null terminated buffer and sprintf
          writes over bounds).

2009-02-11  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/: isakmp.c, sockmisc.c, sockmisc.h: trac#301: fixed
          IPsec SAs flush in purge_remote() when NAT-T enabled but no NAT-T on
          tunnel

2009-02-03  Timo Teras <timo.teras@iki.fi>

        * src/racoon/isakmp.c: From: Phil Sutter. Fix script environment
          variables with IPv6 addresses.

2009-01-26  Timo Teras <timo.teras@iki.fi>

        * src/racoon/main.c: Argument parsing needs lcconf initialized.

2009-01-24  Thomas Klausner <wiz@netbsd.org>

        * src/racoon/racoonctl.c: Sort options in usage.

        * src/racoon/racoonctl.8: Sort options. New sentence, new line.

        * src/racoon/racoon.8: Sort options.

2009-01-23  Timo Teras <timo.teras@iki.fi>

        * src/racoon/: racoonctl.8, racoonctl.c: Update usage and manpage
          for racoonctl.

        * src/racoon/: main.c, racoon.8: Racoon -v to print version and
          compilation information. Update usage message.

        * NEWS: Update NEWS with major changes since 0.7 release.

        * src/racoon/schedule.c: Fix monotonic scheduler change, to not
          refresh 'now' before exit. Otherwise we can return negative timeout
          after spending time handling other events.

        * src/racoon/: handler.c, pfkey.c: From Arnaud Ebalard: Handle
          reception of MIGRATE message during Phase 1 and Phase 2 negotiation.
          Also corrects some debugging statements.

        * src/racoon/pfkey.c: From Arnaud Ebalard: On the responder (for
          instance), there is a need to not only migrate local and remote
804          addresses of Phase 1 that match previous addresses but also the
805          local and remote addresses of a Phase 1 *associated* with a migrated
806          Phase 2. For instance, we have that need when receiving the first
807          MIGRATE/KMADDRESS message because the old addresses are still the
808          HoA and the address of the HA (while the peer has contacted us using
809          the CoA and we have negotiated this address as src attribute in
810          Phase 2). The patch fixes that by having migrate_ph1_ike_addresses()
811          called from migrate_ph2_ike_addresses() callback.
812
813        * src/racoon/isakmp_quick.c: From Arnaud Ebalard: Set phase2 spid
814          when acting as responder.
815
816        * configure.ac, src/racoon/handler.c, src/racoon/handler.h,
817          src/racoon/isakmp_inf.c, src/racoon/isakmp_xauth.c,
818          src/racoon/schedule.c, src/racoon/schedule.h,
819          src/racoon/throttle.c, src/racoon/throttle.h: Detect if monotonic
820          system clock is available, and use it for relative time measurements
821          to avoid complite hang if time jumps backwards.
822
823        * src/racoon/: cfparse.y, ipsec_doi.c, isakmp.c, isakmp_agg.c,
824          isakmp_base.c, isakmp_cfg.c, isakmp_ident.c, isakmp_xauth.c,
825          oakley.c, oakley.h: Fix authentication method ambiguity by
826          internally using unique ID and setting/interpreting the wire format
827          based on received vendor ID:s. Fixes trac #280.
828
829        * src/racoon/: handler.h, isakmp_agg.c, isakmp_base.c,
830          isakmp_ident.c, vendorid.c, vendorid.h: Introduce vendorid
831          bitmask that can be used otherwhere to detect peer capabilities.
832
833        * configure.ac, src/racoon/admin.c, src/racoon/evt.c,
834          src/racoon/grabmyaddr.c, src/racoon/isakmp.c, src/racoon/pfkey.c,
835          src/racoon/session.c, src/racoon/session.h: Remove "fastquit"
836          configure option and make it the default behaviour. The previous
837          normal behaviour is buggy, as after flush kernel can immediately
838          create larval SA:s which would prevent exit.
839
2009-01-20  Timo Teras <timo.teras@iki.fi>

        * Makefile.am, misc/cvs2cl.pl, misc/cvsusermap: Autogenerate
          ChangeLog from NetBSD CVS. Put sourceforge.net changes to
          ChangeLog.old.

2009-01-10  Thomas Klausner <wiz@netbsd.org>

        * src/racoon/racoon.conf.5: Make ready for HTML output.  Use proper
          escape for backslash ('\e').

2009-01-10  Timo Teras <timo.teras@iki.fi>

        * src/racoon/: crypto_openssl.c, racoon.conf.5: From Cyrus Rahman:
          Accept RFC2253 compliant escaped special characters for asn1dn
          identifier.

2009-01-09  Timo Teras <timo.teras@iki.fi>

        * configure.ac: Fix a CPPLAGS typo to CPPFLAGS which was intended

2009-01-05  Timo Teras <timo.teras@iki.fi>

        * src/racoon/: cfparse.y, cftoken.l, racoon.conf.5: Remove obsolete
          configuration options, fix radius configuration block and add GRE as
          recognized protocol.

        * src/racoon/session.c: Do not use counting in signal handling as
          it was unsafe by not using atomic functions (post increment is not
          necessarily atomic).  Instead reap all children on SIGCHLD as that
          was the only signal needing signal counting.

2008-12-30  Timo Teras <timo.teras@iki.fi>

        * src/racoon/session.c: schedular() call can now modify fd mask so
          make the working copy just before calling select(); otherwise it can
          contain bad file descriptors

2008-12-29  Michael van Elst <mlelstv@netbsd.org>

        * src/setkey/parse.y: support icmp codes. Fixes PR 39056.

2008-12-24  Christos Zoulas <christos@netbsd.org>

        * src/racoon/grabmyaddr.c: remove sin{6,}_len; linux does not have
          it. From Timo Teras.

        * src/racoon/grabmyaddr.c: I was wrong. addr is actually set.

        * src/racoon/grabmyaddr.c:
          - make this compile by zeroing out the whole structure not just
          bogus fields.
          - set length field of sockets appropriately.
          - mark bogus no-op code (I don't understand what the author intended
          here).

2008-12-23  Thomas Klausner <wiz@netbsd.org>

        * src/racoon/racoon.conf.5: Bump date for identity configuration
          option removal.

2008-12-23  Timo Teras <timo.teras@iki.fi>

        * src/racoon/: cfparse.y, cftoken.l, ipsec_doi.c, localconf.c,
          localconf.h, racoon.conf.5: Remove the obsoleted global identity
          configuration option.

        * src/racoon/: admin.c, admin_var.h, cfparse.y, debug.h, evt.c,
          evt.h, grabmyaddr.c, grabmyaddr.h, handler.c, isakmp.c,
          isakmp_inf.c, isakmp_var.h, localconf.c, localconf.h, main.c,
          nattraversal.c, pfkey.c, pfkey.h, privsep.c, session.c,
          session.h: rewrite local address detection; make some functions
          static that are not needed globally; rework how fd_set is
          constructed for the main loop select()

2008-12-18  Timo Teras <timo.teras@iki.fi>

        * src/racoon/pfkey.c: From Arnaud Ebalard: Delete larval ph2handles
          when an expire with hard lifetime is received

2008-12-16  Timo Teras <timo.teras@iki.fi>

        * README: Update README

        * src/racoon/pfkey.c: Fix transport mode address selection in
          acquire handling.  Some earlier fixes got lost on 2008-12-05 commit.

2008-12-11  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/grabmyaddr.c: Fixed compilation on FreeBSD (RTM_IFINFO
          and RTM_OIFINFO stuff)

        * src/racoon/isakmp.c: Fixed compilation when DPD support is
          disabled

2008-12-08  Timo Teras <timo.teras@iki.fi>

        * src/racoon/: pfkey.c, privsep.c, privsep.h: Do not cache pfkey
          sockets: it might cause some pfkey events not to be handled when
          select() has marked pfkey socket readable, but a timer callback
          first calls pfkey_dump_sadb().

2008-12-05  Timo Teras <timo.teras@iki.fi>

        * src/: libipsec/key_debug.c, libipsec/libpfkey.h,
          libipsec/pfkey.c, racoon/handler.c, racoon/handler.h,
          racoon/ipsec_doi.c, racoon/isakmp.c, racoon/isakmp_quick.c,
          racoon/pfkey.c, racoon/policy.c, racoon/policy.h: From Arnaud
          Ebalard: Improved Mobile IPv6 support per
          draft-ebalard-mext-pfkey-enhanced-migrate.

2008-12-04  Christoph Badura <bad@netbsd.org>

        * src/racoon/privsep.c: Fix typo in previous and use SIG_IGN as I
          intended.

2008-12-02  Timo Teras <timo.teras@iki.fi>

        * src/racoon/session.c: Explicitly ignore SIGPIPE. Default action
          on Linux is terminate.

2008-11-28  Thomas Klausner <wiz@netbsd.org>

        * src/racoon/racoon.conf.5: Remove empty line. Fix typo. New
          sentence, new line.

2008-11-27  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/main.c: Set up a default value for Mode Config Pool
          size if pool address specified but pool size not specified

        * src/racoon/isakmp_cfg.c: Fixed pool resizing

2008-11-27  Timo Teras <timo.teras@iki.fi>

        * src/racoon/pfkey.c: From Arnaud Ebalard: Remove MAXNESTEDSA
          weirdness. It's probably meant for bundle support which is not done.
          When someone actually writes bundle support, the nested SA stuff
          would probably be reworked too anyway.

        * src/: libipsec/libpfkey.h, libipsec/pfkey.c, racoon/cfparse.y,
          racoon/cftoken.l, racoon/localconf.c, racoon/localconf.h,
          racoon/pfkey.c, racoon/racoon.conf.5: From: Matthew Krenzer
          Ability to set pfkey socket buffer size via configuration file
          directive.  (Indentation and minor fixes by me.)

2008-11-25  Christoph Badura <bad@netbsd.org>

        * src/racoon/: evt.c, privsep.c, session.c: Avoid using
          MSG_NOSIGNAL as it is not available everywhere.  Ignore SIGPIPE
          instead.

        * src/racoon/grabmyaddr.c: Ignore unspecified and loopback
          addresses.  Ignoring unspecified addresses prevents racoon from
          trying to bind to the wildcard address and specific addresses
          simultaneously after e.g. dhclient has changed an interface's
          address to 0.0.0.0.

        * src/racoon/grabmyaddr.c: RTM_DELETE and RTM_IFINFO don't carry
          info for added or deleted addresses.  Ignore them silently.

        * src/racoon/grabmyaddr.c: Ignoring an unsuitable address is not an
          error.  Therefore log it as informational.  Make it clear from the
          log message that a route message is not interesting.

        * src/racoon/grabmyaddr.c: Use insmyaddr() instead of open coding
          it.

        * src/racoon/isakmp.c: Do not return erroneously from isakmp_open()
          when setting IPV6_USE_MIN_MTU fails.

        * src/racoon/: grabmyaddr.c, isakmp.c: Keep myaddr.sock at -1 when
          no socket is opened.

2008-11-08  Christoph Badura <bad@netbsd.org>

        * src/racoon/samples/roadwarrior/client/: phase1-down.sh,
          phase1-up.sh: Preserve owner and permissions of original
          /etc/resolv.conf.  Ensure that new /etc/resolv.conf isn't group or
          world writable.

        * src/racoon/samples/roadwarrior/client/: phase1-down.sh,
          phase1-up.sh: Print and check INTERNAL_NETMASK4.

        * src/racoon/samples/roadwarrior/client/: phase1-down.sh,
          phase1-up.sh: Make the handling of NAT-T SPD entries automatic.

        * src/racoon/samples/roadwarrior/client/: phase1-down.sh,
          phase1-up.sh: Ensure that the determination of the default
          gateway and the corresponding interface don't get confused by
          multiple, possibly non-IPv4 default routes.  Bring the NetBSD case
          of deleting the VPN routes and address in line with the Linux case
          and delete the address after deleting the VPN routes.

2008-11-06  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/sainfo.c: fixed delsainfo() to avoid a crash when
          iddst's value is SAINFO_CLIENTADDR

2008-10-29  S.P.Zeidler <spz@netbsd.org>

        * src/racoon/ipsec_doi.c: Changes to ipsecdoi_id2str():

          struct sockaddr -> struct sockaddr_storage fixes a stack overflow

          For non-linklocal addresses the value in 'scope' is garbage and gets
          set to zero instead.

2008-10-27  Timo Teras <timo.teras@iki.fi>

        * src/racoon/pfkey.c: From Arnaud Ebalard: Add missing return to
          error path

        * src/racoon/grabmyaddr.c: From Francis Dupont (sent by Arnaud
          Ebalard): recognize RTM_IFANNOUNCE

        * src/racoon/grabmyaddr.c: From Arnaud Ebalard: Fix indentation
          issues for readability

        * src/racoon/session.c: From Arnaud Ebalard: initfds() needs to be
          called only if monitored file descriptor numbers have changed

        * src/racoon/isakmp_var.h: From Arnaud Ebalard: Remove duplicate
          declaration

2008-10-23  Timo Teras <timo.teras@iki.fi>

        * src/racoon/: privsep.c, session.c, session.h: From Krzysztof
          Piotr Oledzki <olel@ans.pl>: Revert parts of 2008-08-06 commit; the
          problems those changes address are already handled in a sensible way
          by Cyrus Rahman's patch from 2008-03-06.

2008-10-09  Timo Teras <timo.teras@iki.fi>

        * src/racoon/isakmp_quick.c: From Arnaud Ebalard: remove
          unnecessary unbindph12() call which is now done in remph2()

2008-09-25  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/isakmp.c: Fixed resending mechanism to have non-ESP
          marker for retransmitted packets

2008-09-19  Thomas Klausner <wiz@netbsd.org>

        * src/racoon/racoon.conf.5: New sentence, new line.

2008-09-19  Timo Teras <timo.teras@iki.fi>

        * src/racoon/: admin.c, cfparse.y, cftoken.l, handler.c, handler.h,
          isakmp.c, isakmp_cfg.c, isakmp_inf.c, isakmp_quick.c,
          isakmp_var.h, isakmp_xauth.c, pfkey.c, proposal.c, racoon.conf.5,
          remoteconf.c, remoteconf.h: Implement ISAKMP SA rekeying
          configurable with rekey {on|off|force} option in remote conf.

        * src/racoon/: handler.c, handler.h, isakmp.c, isakmp_inf.c,
          isakmp_quick.c, isakmp_var.h, isakmp_xauth.c, isakmp_xauth.h,
          nattraversal.c, pfkey.c, pfkey.h, schedule.c, schedule.h,
          session.c: Change struct sched to be allocated by the caller to
          avoid some memory allocations. Optimize scheduling algorithm to not
          scan all entries in the main loop.

2008-09-17  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/isakmp_inf.c: Fixed port match in purge_ipsec_spi()
          when NAT-T enabled and trying to purge non NAT-T SAs

2008-09-09  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/pfkey.c: Some calls to set_port() were not correctly
          updated in the previous commit

2008-09-03  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/pfkey.c: From Tomas Mraz: Duplicate addresses in
          pk_sendxxx functions, as they may be altered for NAT-T stuff.

2008-09-03  Timo Teras <timo.teras@iki.fi>

        * src/: libipsec/pfkey.c, racoon/pfkey.c, racoon/sockmisc.c:
          - Fix reloading of SPD (Linux satype check, handling of SPD dump
          responses)
          - Remove some spurious error log messages from extract_port()

2008-08-29  Gregory McGarry <gmcgarry@netbsd.org>

        * src/racoon/isakmp.c: Eliminate gcc-specific feature of empty
          structures.

        * src/racoon/evt.h: Eliminate superfluous semicolon.

        * src/racoon/: admin.c, admin.h: Eliminate gcc-specific feature of
          unnamed structures added recently.

2008-08-12  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/isakmp.c: From Krzysztof Piotr Oledzki: Remove
          ph1handler if we received an invalid first exchange from initiator.

2008-08-06  Timo Teras <timo.teras@iki.fi>

        * src/racoon/: privsep.c, session.c, session.h: From Krzysztof
          Piotr Oledzki: Make privileged process exit if unprivileged process
          is terminated and some spelling fixes.

2008-07-23  Matthew Grooms <mgrooms@shrew.net>

        * src/racoon/: cfparse.y, session.c: Add some missing ifdefs
          required for non-radius enabled builds.

2008-07-23  Timo Teras <timo.teras@iki.fi>

        * src/racoon/Makefile.am: Do not use GNU make specific extension.

        * src/: libipsec/Makefile.am, racoon/Makefile.am,
          setkey/Makefile.am: Do flex/bison invocation in a more standard
          way, and keep the generated files in the dist tarball.

2008-07-22  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/proposal.c: From Kohki Ohhira: fix some memory leaks,
          when malloc fails or when peer sends invalid proposal.

2008-07-22  Matthew Grooms <mgrooms@shrew.net>

        * src/racoon/: cfparse.y, cftoken.l, isakmp_cfg.c, isakmp_xauth.c,
          isakmp_xauth.h, main.c, racoon.conf.5, session.c: Add an optional
          radius configuration section to the racoon.conf file. This is
          similar to the LDAP configuration section and overrides settings
          in the system radius configuration file.

2008-07-21  Matthias Scheler <tron@netbsd.org>

        * src/racoon/cfparse.y: Correct typo to fix the build.

2008-07-21  Timo Teras <timo.teras@iki.fi>

        * src/racoon/: isakmp_agg.c, isakmp_base.c, isakmp_ident.c,
          vendorid.c, vendorid.h: Separate generic vendor id handling to a
          new function and use it.

        * src/racoon/cfparse.y: Do not set default gss id if xauth is used,
          otherwise gss-id attribute might be sent even if it was not
          requested.

2008-07-15  Matthew Grooms <mgrooms@shrew.net>

        * src/racoon/isakmp_cfg.c: Fix a typo that prevented racoon from
          building with hybrid enabled.

        * src/racoon/: crypto_openssl.c, eaytest.c, misc.c, misc.h,
          racoonctl.c: Fix a conflict with the FreeBSD 8 system hexdump
          function.

2008-07-14  Timo Teras <timo.teras@iki.fi>

        * src/racoon/: handler.h, ipsec_doi.c, ipsec_doi.h, isakmp_quick.c,
          pfkey.c: Handle RESPONDER-LIFETIME notification in quick mode.

        * src/racoon/: handler.h, isakmp.c, isakmp_agg.c, isakmp_ident.c,
          isakmp_inf.c, isakmp_inf.h, isakmp_quick.c, strnames.c: Clean up
          notification payload handling. Handle INITIAL-CONTACT notification
          in last main mode exchange (delayed) and during quick mode
          exchanges.

2008-07-11  Timo Teras <timo.teras@iki.fi>

        * src/racoon/: isakmp.c, isakmp_inf.c: Original patch from Atis
          Elsts: Fix a double memory free and a memory corruption
          (LIST_REMOVE() on an uninserted node) in some error handling paths.

2008-07-09  Timo Teras <timo.teras@iki.fi>

        * src/racoon/cfparse.y: From Chong Peng: fix a file descriptor and
          memory leak on configuration file reread

2008-07-02  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/isakmp_inf.c: From Timo Teras: fix some %d to %zu
          (size_t values)

2008-06-18  Thomas Klausner <wiz@netbsd.org>

        * src/racoon/racoonctl.8: Bump date for previous.

2008-06-18  Matthew Grooms <mgrooms@shrew.net>

        * src/racoon/: admin.c, admin.h, racoonctl.8, racoonctl.c: Add an
          admin port command to retrieve the peer certificate. Submitted by
          Timo Teras.

        * src/racoon/: admin.c, grabmyaddr.c, isakmp.c, misc.c, misc.h: Set
          sockets to be closed on exec to avoid potential file descriptor
          inheritance issues. Submitted by Timo Teras.

        * src/racoon/: admin.c, grabmyaddr.c, ipsec_doi.c, isakmp.c,
          isakmp_cfg.c, isakmp_inf.c, privsep.c, remoteconf.c: Use utility
          functions to evaluate and manipulate network port values. No
          functional changes. Submitted by Timo Teras.

        * src/racoon/: admin.c, racoonctl.c: Admin port code cleanup. No
          functional changes. Submitted by Timo Teras.

        * src/racoon/pfkey.c: Correct a phase2 status event. Submitted by
          Timo Teras.

2008-05-24  Christos Zoulas <christos@netbsd.org>

        * src/racoon/privsep.c: Coverity CID 5018: Fix double frees.

2008-05-08  Emmanuel Dreyfus <manu@netbsd.org>

        * configure.ac: From Christian Hohnstaedt: allow out of tree
          building

2008-04-30  Martin Husemann <martin@netbsd.org>

        * netbsd-import.sh: Convert TNF licenses to new 2 clause variant

2008-04-25  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/isakmp_inf.c: From Timo Teras: extract port numbers
          from SADB_X_EXT_NAT_T[SD]PORT if present in purge_ipsec_spi().

2008-04-13  Christos Zoulas <christos@netbsd.org>

        * src/racoon/privsep.c: for symmetry set controllen the same way we
          set it on the receiving side.

2008-04-02  Emmanuel Dreyfus <manu@netbsd.org>

        * src/racoon/: Makefile.am, sockmisc.c, sockmisc.h: fix Linux build

2008-03-28  Christos Zoulas <christos@netbsd.org>

        * src/racoon/privsep.c: properly fix the variable stack allocation
          code.

2008-03-28  Emmanuel Dreyfus <manu@netbsd.org>

        * src/racoon/privsep.c: Still from Cyrus Rahman: fix file
          descriptor leak introduced by previous commit.

        * src/racoon/: Makefile.am, isakmp.c, isakmp_inf.c, privsep.c,
          privsep.h, sockmisc.c, doc/README.privsep: From Cyrus Rahman:
          Allow interface reconfiguration when running in privilege separation
          mode, document privilege separation

2008-03-06  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/oakley.c: Generates a log if cert validation has been
          disabled by configuration

2008-03-06  Emmanuel Dreyfus <manu@netbsd.org>

        * src/racoon/: privsep.c, session.c: From Cyrus Rahman
          <crahman@gmail.com>: privileged instance exits when unprivileged one
          terminates. Save PID in real root, not in chroot

2008-03-06  Matthew Grooms <mgrooms@shrew.net>

        * src/racoon/: admin.c, isakmp.c, isakmp_var.h, pfkey.c,
          racoonctl.8, racoonctl.c: Add the ability to initiate IPsec SA
          negotiations using the admin socket.  Submitted by Timo Teras.

        * src/racoon/: admin.c, admin.h, evt.c, evt.h, handler.c,
          handler.h, isakmp.c, isakmp_agg.c, isakmp_base.c, isakmp_cfg.c,
          isakmp_ident.c, isakmp_inf.c, isakmp_var.h, isakmp_xauth.c,
          racoonctl.8, racoonctl.c, session.c: Refactor admin socket event
          protocol to be less error prone. Backwards compatibility is
          provided. Submitted by Timo Teras.

2008-03-05  Matthew Grooms <mgrooms@shrew.net>

        * src/racoon/cfparse.y: Properly initialize the unity network
          struct to prevent erroneous protocol and port info from being
          transmitted.

        * src/racoon/: pfkey.c, pfkey.h, session.c: Reload SPD on SIGHUP or
          adminport reload. Also provide better handling for pfkey socket read
          errors. Submitted by Timo Teras.

2008-02-25  Emmanuel Dreyfus <manu@netbsd.org>

        * src/racoon/ipsec_doi.c: From Brian Haley <brian.haley@hp.com>:
          There's a cut/paste error in cmp_aproppair_i(), it's supposed to be
          checking spi_size but it's not.  I'm not sure this patch is correct,
          but what's there isn't either.

2008-02-22  Emmanuel Dreyfus <manu@netbsd.org>

        * src/racoon/isakmp.c: Fix address length, from Brian Haley

2008-02-10  S.P.Zeidler <spz@netbsd.org>

        * src/racoon/ipsec_doi.c: closes PR bin/37644; did not meet violent
          opposition ( :) ) on ipsec-tools-devel

2008-01-11  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/isakmp_inf.c: From Timo Teras: reset iph1->dpd_r_u in
          the scheduler's callback, to avoid access to freed memory.

        * src/racoon/crypto_openssl.c: From Krzysztof Oledzki: Fix
          compilation with IDEA and recent gcc.

        * src/racoon/isakmp_inf.c: From Krzysztof Oledzki: added some
          details to some logs (also reported new getph1byaddr() arg).

        * src/racoon/isakmp.c: From Krzysztof Oledzki: Only search for
          established ph1 handles in DPD (also reported new getph1byaddr()
          arg).

        * src/racoon/: handler.c, handler.h: added an 'established' arg to
          getph1byaddr()

2007-12-31  Matthew Grooms <mgrooms@shrew.net>

        * src/racoon/: policy.c, racoonctl.8, racoonctl.c: Add GRE protocol
          number to racoonctl. Correct id wildcard matching for transport
          mode. Submitted by Timo Teras.

2007-12-12  Matthew Grooms <mgrooms@shrew.net>

        * NEWS, src/racoon/isakmp_quick.c: Add corrections submitted in a
          follow up patch for the nat-t oa support.

        * src/racoon/: handler.c, handler.h, isakmp_quick.c, pfkey.c: Add
          support for nat-t oa payload handling. Submitted by Timo Teras.

2007-12-04  Matthew Grooms <mgrooms@shrew.net>

        * src/racoon/: ipsec_doi.c, ipsec_doi.h, isakmp_quick.c: Modify
          ipsecdoi_sockaddr2id() to obtain an id without specifying the exact
          prefix length. Correct a memory leak in phase2. Both submitted by
          Timo Teras.

2007-12-01  Thomas Klausner <wiz@netbsd.org>

        * src/racoon/racoon.conf.5: Fix typos. New sentence, new line.

2007-11-29  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/Makefile.am: From Natanael Copa: fixed a race
          condition when building yacc stuff.

2007-11-09  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/pfkey.c: From Arnaud Ebalard: Some sanity checking in
          pk_recv()

        * src/racoon/policy.c: From Arnaud Ebalard: Better matching of SPD
          entries in getsp_r().

        * src/racoon/isakmp_quick.c: From Arnaud Ebalard: Added some debug
          in get_proposal_r().

2007-10-19  Emmanuel Dreyfus <manu@netbsd.org>

        * src/racoon/: isakmp_cfg.c, isakmp_unity.c, isakmp_unity.h,
          racoon.conf.5: Add SPLITNET_{INCLUDR_LOCAL}_CIDR to hook scripts

2007-10-15  Yvan Vanhullebus <vanhu@netasq.com>

        * src/libipsec/pfkey.c: Try to increase the buffer size of the
          pfkey socket; this may help things when we have a huge SPD

2007-10-02  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/crypto_openssl.c: From Scott Lamb: include plog.h to
          work with the new plog macro.

        * src/racoon/kmpstat.c: From Scott Lamb: plog changed to _plog to
          work with new plog macro

        * src/racoon/: plog.c, plog.h: From Scott Lamb: new plog macro.

2007-09-19  Matthew Grooms <mgrooms@shrew.net>

        * src/racoon/isakmp.c: Set REUSE option on sockets to prevent
          failures associated with closing and immediately re-opening.
          Submitted by Gabriel Somlo.

        * src/racoon/isakmp_unity.c: Prevent duplicate entries in splitnet
          list. Submitted by Gabriel Somlo.

2007-09-13  Matthew Grooms <mgrooms@shrew.net>

        * configure.ac: Fix autoconf check for selinux support. Submitted
          by Joy Latten.

2007-09-12  Matthew Grooms <mgrooms@shrew.net>

        * src/racoon/: cfparse.y, cftoken.l, handler.c, isakmp_quick.c,
          pfkey.c, racoon.conf.5, sainfo.c, sainfo.h: Implement clientaddr
          sainfo remote id option and refine the sainfo man page syntax.

2007-09-05  Matthew Grooms <mgrooms@shrew.net>

        * src/racoon/sainfo.c: Sort sainfo sections on insert and improve
          matching logic.

2007-09-03  Matthew Grooms <mgrooms@shrew.net>

        * src/racoon/: cftoken.l, racoon.conf.5: Correct the syntax for
          wins4 in the man page and add nbns4 as an alias. Pointed out by
          Claas Langbehn.

2007-08-07  Emmanuel Dreyfus <manu@netbsd.org>

        * src/racoon/isakmp_xauth.c: Don't mix
          up RADIUS authentication and authorization ports. Allow
          interoperability with freeradius

2007-07-24  Matthew Grooms <mgrooms@shrew.net>

        * NEWS: Update NEWS file with additional 0.7 improvements.

2007-07-18  Matthew Grooms <mgrooms@shrew.net>

        * src/racoon/racoon.conf.5: Various racoon configuration manpage
          updates.

2007-07-18  Yvan Vanhullebus <vanhu@netasq.com>

        * configure.ac, src/libipsec/ipsec_dump_policy.c,
          src/libipsec/ipsec_get_policylen.c,
          src/libipsec/ipsec_strerror.c, src/libipsec/key_debug.c,
          src/libipsec/libpfkey.h, src/libipsec/pfkey.c,
          src/libipsec/pfkey_dump.c, src/libipsec/policy_parse.y,
          src/libipsec/policy_token.l, src/libipsec/test-policy-priority.c,
          src/racoon/admin.c, src/racoon/backupsa.c, src/racoon/cfparse.y,
          src/racoon/cftoken.l, src/racoon/ipsec_doi.c,
          src/racoon/isakmp.c, src/racoon/isakmp_inf.c,
          src/racoon/isakmp_quick.c, src/racoon/pfkey.c,
          src/racoon/policy.c, src/racoon/proposal.c,
          src/racoon/remoteconf.c, src/racoon/sainfo.c,
          src/racoon/session.c, src/racoon/sockmisc.c,
          src/racoon/strnames.c, src/setkey/parse.y, src/setkey/setkey.c,
          src/setkey/token.l: use a single PATH_IPSEC_H to fix some
          path_to_ipsec.h issues

2007-07-16  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/grabmyaddr.c: fixed a socket leak

        * src/racoon/proposal.c: indentation

2007-06-07  Emmanuel Dreyfus <manu@netbsd.org>

        * src/racoon/isakmp_cfg.c: From Paul Winder
          <Paul.Winder@tadpole.com>: Fix ignored INTERNAL_DNS4_LIST

2007-06-06  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/: eaytest.c, var.h: From Rong-En Fan: fix compilation
          with gcc 4.2

        * src/racoon/session.c: From Jianli Liu: speed up interfaces update
          when they change.

        * src/racoon/handler.c: ignore obsolete lifebyte when validating
          reloaded configuration

2007-05-31  Emmanuel Dreyfus <manu@netbsd.org>

        * src/racoon/: main.c, policy.h, security.c: From Joy Latten
          <latten@austin.ibm.com>: Fix file descriptor shortage when using
          labeled IPsec.

2007-05-30  Emmanuel Dreyfus <manu@netbsd.org>

        * src/racoon/kmpstat.c: From Jianli Liu <jlliu@nortel.com>: In
          racoonctl, use the specified socket path instead of the default
          location

2007-05-16  Christos Zoulas <christos@netbsd.org>

        * src/racoon/cfparse.y: coverity CID 4168: yyerror() does not
          return, so we proceed to de-reference NULL. Make it return -1
          instead like in other places.

        * src/racoon/cfparse.y: coverity CID 4170: yyerror() does not
          return, so we proceed to de-reference NULL. Make it return -1
          instead like in other places.

2007-05-04  Yvan Vanhullebus <vanhu@netasq.com>

        * src/racoon/handler.c: search a ph1 by address if iph2->ph1 is
          NULL when validating the new config

        * src/racoon/handler.c: added some debug in getph1byaddr() to track
          some port matching problems with NAT-T

        * src/racoon/isakmp.c: added some debug in isakmp_chkph1there() to
          track some port matching problems with NAT-T

1536        * src/racoon/isakmp_inf.c: added some debug for DELETE_SA process
1537
1538        * src/racoon/pfkey.c: Force the update of ph2 in pk_recvupdate() if
1539          NAT_T support, to solve some port match problems with the first
1540          IPSec SAs negociated as initiator
1541
15422007-04-04  Yvan Vanhullebus <vanhu@netasq.com>
1543
1544        * src/racoon/ipsec_doi.c: checks proto_id in ipsecdoi_chkcmpids()
1545
1546        * src/racoon/oakley.c: dumps peer's ID and peer's certificate
1547          subject /subjectaltname if they don't match
1548
15492007-03-26  Yvan Vanhullebus <vanhu@netasq.com>
1550
1551        * src/racoon/isakmp_inf.c: Store the DPD main scheduler in ph1
1552          handler, to be able to cancel it when removing the handler, and some
1553          minor cleanups in DPD code
1554
15552007-03-24  Christos Zoulas <christos@netbsd.org>
1556
1557        * src/racoon/isakmp_xauth.c: PR/36069: Huang Yushuo: racoon can't
1558          work with pam_group Set RUSER.
1559
15602007-03-23  Yvan Vanhullebus <vanhu@netasq.com>
1561
1562        * src/racoon/: ipsec_doi.c, security.c: From Joy Latten: fix a
1563          segfault when using security labels between 32bit and 64bit host.
1564
1565        * src/racoon/handler.c: expire zombie handlers in getph2byid(), to
1566          avoid situations where we'll never negociate a phase2 again
1567
1568        * src/racoon/: oakley.c, racoon.conf.5: From Cyrus Rahman: give
1569          more details about what is checked when using certificates to
1570          authenticate
1571
15722007-03-22  Yvan Vanhullebus <vanhu@netasq.com>
1573
1574        * src/racoon/: cfparse.y, ipsec_doi.c: fixed subnet check to
1575          generate IPV4_ADDRESS when needed in sockaddr2id()
1576
15772007-03-21  Yvan Vanhullebus <vanhu@netasq.com>
1578
1579        * src/racoon/: handler.c, isakmp.c, isakmp_inf.c, pfkey.c: NULL
1580          sched check is now done in SCHED_KILL
1581
1582        * src/racoon/schedule.h: checks if arg is NULL in SCHED_KILL
1583
15842007-03-15  Yvan Vanhullebus <vanhu@netasq.com>
1585
1586        * src/racoon/grabmyaddr.c: From Yves-Alexis Perez: enable
1587          monitoring of ipv6 address changes on Linux.
1588
1589        * src/racoon/isakmp.c: Consider a negociation timeout when
1590          retry_counter is <=0 instead of < 0
1591
15922007-02-28  Matthew Grooms <mgrooms@shrew.net>
1593
1594        * src/racoon/ipsec_doi.c: Add logic to allow ip address ids to be
1595          matched to ip subnet ids when appropriate.
1596
15972007-02-21  Yvan Vanhullebus <vanhu@netasq.com>
1598
1599        * src/racoon/ipsec_doi.c: block variable declaration before code in
1600          ipsecdoi_id2str()
1601
16022007-02-20  Yvan Vanhullebus <vanhu@netasq.com>
1603
1604        * src/racoon/isakmp_inf.c: Removed a debug printf....
1605
1606        * src/racoon/isakmp.c: Only delete a generated SPD if it's creation
1607          date matches the creation date of the SA we are currently deleting
1608
1609        * src/racoon/: handler.c, isakmp_var.h: updated delete_spd() calls
1610
1611        * src/racoon/: isakmp_inf.c, pfkey.c: fills creation date of
1612          generated SPDs
1613
1614        * src/racoon/policy.h: added 'created' var
1615
16162007-02-19  Yvan Vanhullebus <vanhu@netasq.com>
1617
1618        * src/racoon/isakmp.c: Removed a debug printf....
1619
16202007-02-16  Yvan Vanhullebus <vanhu@netasq.com>
1621
1622        * src/racoon/ipsec_doi.c: From Olivier Warin: Fix a %zu in a
1623          printf.
1624
16252007-02-15  Emmanuel Dreyfus <manu@netbsd.org>
1626
1627        * src/racoon/security.c: Missing SELinux file
1628
1629        * configure.ac: Missing stuff for SELinux
1630
16312007-02-15  Yvan Vanhullebus <vanhu@netasq.com>
1632
1633        * src/racoon/isakmp_inf.c: From "Uncle Pedro" on sf.net: Just
1634          expire a ph1 handle when receiving a DELETE-SA instead of calling
1635          purge_remote().
1636
1637        * src/racoon/isakmp.c: Fixed the way phase1/2 messages are
1638          sent/resent, to avoid zombie handles and acces to freed memory
1639
16402007-02-02  Yvan Vanhullebus <vanhu@netasq.com>
1641
1642        * src/racoon/cfparse.y: Fixed a check of NAT-T support in libipsec
1643
16442007-02-01  Yvan Vanhullebus <vanhu@netasq.com>
1645
1646        * src/racoon/isakmp_inf.c: From "Uncle Pedro" on sf.net: When
1647          receiving an ISAKMP DELETE_SA, get the cookie of the SA to be
1648          deleted from payload instead of just deleting the ISAKMP SA used to
1649          protect the informational exchange.
1650
16512006-12-26  Arnaud Lacombe <alc@netbsd.org>
1652
1653        * src/racoon/ipsec_doi.c: CID-4167: check for 'iph1->approval !=
1654          NULL'
1655
16562006-12-23  Thomas Klausner <wiz@netbsd.org>
1657
1658        * src/racoon/racoon.conf.5: Use even more macros.
1659
1660        * src/racoon/racoon.conf.5: Use more macros.
1661
1662        * src/racoon/racoon.conf.5: Serial comma, and bump date for
1663          previous.
1664
16652006-12-18  Yvan Vanhullebus <vanhu@netasq.com>
1666
1667        * src/racoon/crypto_openssl.c: From Joy Latten: fix a memory leak
1668
16692006-12-10  Emmanuel Dreyfus <manu@netbsd.org>
1670
1671        * src/: libipsec/Makefile.am, libipsec/libpfkey.h,
1672          libipsec/pfkey.c, racoon/backupsa.c, racoon/cfparse.y,
1673          racoon/pfkey.c: Bring back API and ABI backward compatibility
1674          with previous libipsec before recent interface change. Bump libipsec
1675          minor version. Remove ifdefs in struct pfkey_send_sa_args to avoid
1676          ABI compatibility lossage.  Add a capability flags to detect missing
1677          optional feature in libipsec
1678
1679        * src/racoon/: Makefile.am, doc/README.plainrsa: From Joy Latten:
1680          README.plainrsa documenting plain RSA auth
1681
16822006-12-09  Emmanuel Dreyfus <manu@netbsd.org>
1683
1684        * configure.ac, src/libipsec/libpfkey.h, src/libipsec/pfkey.c,
1685          src/racoon/Makefile.am, src/racoon/backupsa.c,
1686          src/racoon/backupsa.h, src/racoon/cftoken.l,
1687          src/racoon/ipsec_doi.c, src/racoon/ipsec_doi.h,
1688          src/racoon/isakmp_inf.c, src/racoon/isakmp_quick.c,
1689          src/racoon/pfkey.c, src/racoon/policy.c, src/racoon/policy.h,
1690          src/racoon/proposal.c, src/racoon/proposal.h,
1691          src/racoon/remoteconf.c: From Joy Latten: Add support for SELinux
1692          security contexts. Also cleanup the libipsec interface for adding
1693          and updating security associations.
1694
1695        * src/racoon/racoon.conf.5: From Simon Chang: More hints about
1696          plain RSA authentication
1697
16982006-12-05  Yvan Vanhullebus <vanhu@netasq.com>
1699
1700        * src/racoon/: proposal.c, proposal.h, racoon.conf.5: Check keys
1701          length regarding proposal_check level
1702
17032006-11-16  Matthew Grooms <mgrooms@shrew.net>
1704
1705        * src/racoon/sainfo.c: Correct issues associated with anonymous
1706          sainfo selection in racoon.
1707
17082006-11-09  Christos Zoulas <christos@netbsd.org>
1709
1710        * src/racoon/crypto_openssl.c: eliminate the only variable stack
1711          array allocation.
1712
17132006-10-31  Christian Biere <cbiere@netbsd.org>
1714
1715        * src/racoon/sockmisc.c: Don't define the deprecated
1716          IPV6_RECVDSTADDR if the "advanced IPv6 API" is used because
1717          IPV6_RECVPKTINFO and IPV6_PKTINFO are used to prevent potential bugs
1718          in the future just in case that the numeric value of the socket
1719          option is ever recycled.
1720
17212006-10-22  Yvan Vanhullebus <vanhu@netasq.com>
1722
1723        * src/racoon/: backupsa.c, cfparse.y: From Michal Ruzicka: fix
1724          typos
1725
17262006-10-19  Yvan Vanhullebus <vanhu@netasq.com>
1727
1728        * src/racoon/sainfo.c: From Matthew Grooms: use
1729          ipsecdoi_chkcmpids() and changed src/dst to loc/rmt in getsainfo().
1730
1731        * src/racoon/: ipsec_doi.c, ipsec_doi.h: From Matthew Grooms: Added
1732          ipsecdoi_chkcmpids() function.
1733
17342006-10-09  Emmanuel Dreyfus <manu@netbsd.org>
1735
1736        * src/racoon/proposal.c: Fix memory leak (Coverity 3438 and 3437)
1737
1738        * src/racoon/isakmp_unity.c: Correctly check read() return value:
1739          it's signed (Coverity 1251)
1740
17412006-10-06  Emmanuel Dreyfus <manu@netbsd.org>
1742
1743        * configure.ac, src/libipsec/pfkey_dump.c, src/racoon/algorithm.c,
1744          src/racoon/algorithm.h, src/racoon/cftoken.l,
1745          src/racoon/crypto_openssl.c, src/racoon/crypto_openssl.h,
1746          src/racoon/eaytest.c, src/racoon/ipsec_doi.c,
1747          src/racoon/ipsec_doi.h, src/racoon/oakley.h, src/racoon/pfkey.c,
1748          src/racoon/racoon.conf.5, src/racoon/strnames.c,
1749          src/setkey/setkey.8, src/setkey/test-pfkey.c, src/setkey/token.l:
1750          Camelia cipher support as in RFC 4312, from Tomoyuki Okazaki
1751          <okazaki@kick.gr.jp>
1752
17532006-10-03  Emmanuel Dreyfus <manu@netbsd.org>
1754
1755        * src/racoon/admin.c: fix endianness issue introduced yesterday
1756
17572006-10-03  Yvan Vanhullebus <vanhu@netasq.com>
1758
1759        * src/racoon/racoon.conf.5: Added remoteid/ph1id syntax
1760
1761        * src/racoon/: cfparse.y, cftoken.l: Parses remoteid/ph1id values
1762
1763        * src/racoon/: handler.c, isakmp_quick.c, pfkey.c, sainfo.c: Uses
1764          remoteid/ph1id values
1765
1766        * src/racoon/: remoteconf.h, sainfo.h: Added remoteid/ph1id values
1767
17682006-10-02  Emmanuel Dreyfus <manu@netbsd.org>
1769
1770        * src/racoon/isakmp_base.c:
1771           avoid reusing free'd pointer (Coverity 2613)
1772
1773        * src/racoon/isakmp_inf.c: Check for NULL pointer (COverity 4175)
1774
1775        * src/racoon/isakmp_ident.c: Remove dead code (Coverity 3451)
1776
1777        * src/racoon/algorithm.c: Fix array overrun (Coverity 4172)
1778
1779        * src/racoon/admin.c: Fix memory leak (Coverity 2002)
1780
1781        * src/racoon/: admin.c, isakmp.c, sockmisc.c: Fix memory leak
1782          (Coverity 2001), refactor the code to use port get/set functions
1783
1784        * src/racoon/admin.c: Avoid reusing free'd pointer (Coverity 4200)
1785
1786        * src/racoon/oakley.c: Don't use NULL pointer (Coverity 3443),
1787          reformat to 80 char/line
1788
17892006-10-02  Tom Spindler <dogcow@netbsd.org>
1790
1791        * src/racoon/ipsec_doi.c: If you're going to initialize a pointer,
1792          you have to init it with a pointer type, not an int.
1793
17942006-10-02  Emmanuel Dreyfus <manu@netbsd.org>
1795
1796        * src/racoon/isakmp.c: Don't use NULL pointer (coverity 3439)
1797
1798        * src/racoon/ipsec_doi.c: Don't use NULL pointer (Coverity 1334)
1799
1800        * src/racoon/pfkey.c: Don't use NULL pointer (Coverity 944)
1801
1802        * src/racoon/proposal.c: Don't use NULL pointer (Coverity 941)
1803
1804        * src/racoon/racoonctl.c: Don't use NULL pointer (Coverity 942)
1805
1806        * src/racoon/sockmisc.c: Don't use null pointer (Coverity 863)
1807
18082006-10-01  Emmanuel Dreyfus <manu@netbsd.org>
1809
1810        * src/racoon/ipsec_doi.c: FIx memory leak (Coverity 4181)
1811
1812        * src/racoon/isakmp.c: Check that iph1->remote is not NULL before
1813          using it (Coverity 3436)
1814
18152006-09-30  Emmanuel Dreyfus <manu@netbsd.org>
1816
1817        * src/racoon/isakmp_agg.c: emove dead code (Coverity 4165)
1818
1819        * src/racoon/isakmp_cfg.c: Fix memory leak (Coverity 4179)
1820
1821        * src/racoon/samples/roadwarrior/client/: phase1-down.sh,
1822          phase1-up.sh: update the scripts for wrorking around routing
1823          problems on NetBSD
1824
1825        * src/racoon/session.c: Reuse existing code for closing IKE
1826          sockets, and avoid screwing things by setting p->sock = -1, which is
1827          not expected (Coverity 4173).
1828
1829        * src/racoon/admin.c: Do not free id and key, as they are used
1830          later
1831
18322006-09-29  Emmanuel Dreyfus <manu@netbsd.org>
1833
1834        * src/racoon/racoonctl.c: Fix the fix: handle_recv closes the
1835          socket, so we must call com_init before sending any data.
1836
18372006-09-28  Emmanuel Dreyfus <manu@netbsd.org>
1838
1839        * src/racoon/isakmp_xauth.c: Fix unchecked mallocs (Coverity 4176,
1840          4174)
1841
1842        * src/racoon/racoonctl.c: Fix access after free (Coverity 4178)
1843
18442006-09-26  Emmanuel Dreyfus <manu@netbsd.org>
1845
1846        * src/racoon/cfparse.y: Fix memory leak (Coverity)
1847
1848        * src/racoon/backupsa.c: Fix memory leak (Coverity)
1849
1850        * src/racoon/admin.c: Remove dead code (Coverity)
1851
1852        * src/racoon/admin.c: Fix memory leak (Coverity)
1853
1854        * src/racoon/admin.c: One more memory leak
1855
1856        * src/racoon/admin.c: Fix memory leak in racoonctl (coverity)
1857
1858        * src/racoon/ipsec_doi.c: Fix buffer overflow Also fix credits: SA
1859          bundle fix was contributed by Jeff Bailey, not Matthew Grooms.
1860          Matthew updated the patch for current code, though.
1861
1862        * src/racoon/: pfkey.c, proposal.c: fix SA bundle (e.g.: for
1863          negotiating ESP+IPcomp)
1864
18652006-09-25  Yvan Vanhullebus <vanhu@netasq.com>
1866
1867        * src/racoon/isakmp.c: From Yves-Alexis Perez: struct ip -> struct
1868          iphdr for Linux
1869
18702006-09-25  Emmanuel Dreyfus <manu@netbsd.org>
1871
1872        * src/racoon/isakmp.c: style (mostly for testing
1873          ipsec-tools-commits@netbsd.org)
1874
1875        * src/racoon/ipsec_doi.c: Fix double free, from Matthew Grooms
1876
18772006-09-21  Yvan Vanhullebus <vanhu@netasq.com>
1878
1879        * src/libipsec/pfkey.c: use sysdep_sa_len to make it compile on
1880          Linux
1881
18822006-09-19  Thomas Klausner <wiz@netbsd.org>
1883
1884        * src/racoon/racoon.conf.5: Bump date for ike_frag force.
1885
1886        * src/racoon/: plainrsa-gen.8, racoon.conf.5: New sentence, new
1887          line.
1888
1889        * src/racoon/: racoon.conf.5, plainrsa-gen.8: Remove trailing
1890          whitespace.
1891
18922006-09-19  Yvan Vanhullebus <vanhu@netasq.com>
1893
1894        * src/racoon/proposal.c: From Yves-Alexis Perez: fixes default
1895          value for encmodesv in set_proposal_from_policy()
1896
1897        * src/racoon/isakmp.c: always include some headers, as they are
1898          required even without NAT-T
1899
1900        * src/: libipsec/pfkey_dump.c, setkey/token.l: From Larry Baird:
1901          define SADB_X_EALG_AESCBC as SADB_X_EALG_AES if needed
1902
1903        * src/racoon/crypto_openssl.c: From Larry Baird: some printf() ->
1904          plog()
1905
19062006-09-18  Emmanuel Dreyfus <manu@netbsd.org>
1907
1908        * src/racoon/: cfparse.y, cftoken.l, isakmp.c, isakmp_frag.h,
1909          isakmp_inf.c, racoon.conf.5, remoteconf.c: From Matthew Grooms:
1910          ike_frag force option to force the use of IKE on first packet
1911          exchange (prior to peer consent)
1912
1913        * src/racoon/isakmp.c: From Matthew Grooms: handle IKE frag used in
1914          the first packet. That should not normally happen, as the initiator
1915          does not know yet if the responder can handle IKE frag.  However, in
1916          some setups, the first packet is too big to get through, and
1917          assuming the peer supports IKE frag is the only way to go.
1918
1919          racoon should have a setting in the remote section to do taht
1920          (something like ike_frag force)
1921
19222006-09-16  Emmanuel Dreyfus <manu@netbsd.org>
1923
1924        * src/racoon/ipsec_doi.c: Trivial bugfix in RFC2407 4.6.2
1925          conformance, from Matthew Grooms
1926
19272006-09-15  Emmanuel Dreyfus <manu@netbsd.org>
1928
1929        * src/racoon/ipsec_doi.c: Fix build on Linux
1930
1931For older changes see ChangeLog.old