2013-07-12 Timo Teras <timo.teras@iki.fi>

* src/racoon/main.c: From Sven Vermeulen
<sven.vermeulen@siphos.be>: Moves ploginit() up, allowing logging
events from init_avc() to show up as well.

2013-06-18 Timo Teras <timo.teras@iki.fi>

* src/racoon/ipsec_doi.c: From Paul Barker: Remove redundant memset
after calloc that caused compile failures with gcc 4.8 due to error:
argument to 'sizeof' in 'memset' call is the same expression as the
destination; did you mean to dereference.

2013-06-03 Timo Teras <timo.teras@iki.fi>

* src/racoon/admin.c: From Alexander Sbitnev
<alexander.sbitnev@gmail.com>: fix admin port establish-sa for
tunnel mode SAs.

2013-05-23 Timo Teras <timo.teras@iki.fi>

* src/include-glibc/net/pfkeyv2.h: From Rainer Weikusat
<rweikusat@mobileactivedefense.com>: Fix SADB_X_EALG_CASTCBC
definition to use system definition (which differs at least on
Linux).

2013-04-12 Timo Teras <timo.teras@iki.fi>

* src/racoon/isakmp_cfg.c: From Rainer Weikusat
<rweikusat@mobileactivedefense.com>: Do not send out illegal zero
length MODE_CFG attributes.

* src/racoon/: grabmyaddr.c, isakmp_inf.c: Some logging
improvements.

2013-02-05 Timo Teras <timo.teras@iki.fi>

* src/racoon/grabmyaddr.c: Fix source port selection

* src/racoon/isakmp_xauth.c: From Ian West <ian@niw.com.au>: Fix
double free of the radius info on config reload.

2013-01-24 Timo Teras <timo.teras@iki.fi>

* src/racoon/isakmp_inf.c: Fix handling of deletion notification.

2013-01-08 tag ipsec-tools-0_8_1

2013-01-08 Timo Teras <timo.teras@iki.fi>

* NEWS, configure.ac: ipsec-tools-0.8.1

* configure.ac: Fix errors from automake 1.13

* src/include-glibc/Makefile.am: Don't dereference the directory
symlink which we might be recreating.

2012-12-24 Timo Teras <timo.teras@iki.fi>

* src/racoon/crypto_openssl.c: From Götz Babin-Ebell
<g.babin-ebell@novamedia.de>: Smarter X.509 subject name compare.

* configure.ac, src/racoon/crypto_openssl.c,
src/racoon/missing/crypto/sha2/sha2.c: From Götz Babin-Ebell
<g.babin-ebell@novamedia.de>: Require OpenSSL 0.9.8s or higher

2012-08-29 Timo Teras <timo.teras@iki.fi>

* src/racoon/isakmp_inf.c: From Roman Hoog Antink <rha@open.ch>:
Accept DPD messages with cookies also in reversed order for
compatibility. At least Cisco 836 running IOS 12.3(8)T does this.

* src/racoon/oakley.c: From Roman Hoog Antink <rha@open.ch>: add
remote's IP address to the "certificate not verified" error message.

* src/racoon/oakley.c: From Roman Hoog Antink <rha@open.ch>: do not
print unnecessary warning about non-verified certificate when using
raw plain-rsa.

* src/racoon/isakmp.c: From Rainer Weikusat
<rweikusat@mobileactivedefense.com>: Release unused phase2 of
passive remotes after acquire.

* src/racoon/isakmp.c: From Wolfgang Schmieder
<wolfgang.schmieder@honeywell.com>: setup phase1 port properly.

* src/racoon/: cfparse.y, cftoken.l, racoon.conf.5: Allow inherited
remote blocks without additional remote statements to be specified
in a simpler way. patch by Roman Hoog Antink <rha@open.ch>

2012-08-23 Timo Teras <timo.teras@iki.fi>

* src/racoon/crypto_openssl.c: From Nakano Takaharu: Fix bignum
memory allocation.

2012-01-01 Timo Teras <timo.teras@iki.fi>

* src/racoon/isakmp_unity.c: From Rainer Weikusat
<rweikusat@mobileactivedefense.com>: Fix one byte too short memory
allocation in isakmp_unity.c:splitnet_list_2str().

2011-11-17 Yvan Vanhullebus <vanhu@netasq.com>

* src/racoon/handler.c: fixed some crashes in LIST_FOREACH where
current element could be removed during the loop

2011-11-14 Timo Teras <timo.teras@iki.fi>

* src/libipsec/pfkey.c: From Marcelo Leitner <mleitner@redhat.com>:
do not shrink pfkey socket buffers (if system default is larger than
what we want as minimum)

2011-08-12 Timo Teras <timo.teras@iki.fi>

* src/racoon/privsep.c: Have privilege separation child process
exit if the parent exits.

* Makefile.am: Create ChangeLog for proper CVS branch.

2011-03-18 tag ipsec-tools-0_8_0

2011-03-18 Yvan Vanhullebus <vanhu@netasq.com>

* configure.ac: Yes: 0.8.0 is out !!!

* NEWS: updated News for 0.8 branch

2011-03-17 Yvan Vanhullebus <vanhu@netasq.com>

* src/racoon/oakley.c: fixed a memory leak in
oakley_append_rmconf_cr() while generating plist. patch by Roman
Hoog Antink <rha@open.ch>

* src/racoon/oakley.c: free name later, to avoid a memory use after
free in oakley_check_certid(). also give iph1->remote to some plog()
calls. patch by Roman Hoog Antink <rha@open.ch>

* src/racoon/oakley.c: fixed a memory leak in
oakley_check_certid(). patch by Roman Hoog Antink <rha@open.ch>

2011-03-15 Yvan Vanhullebus <vanhu@netasq.com>

* src/racoon/: isakmp.c, isakmp_inf.c, pfkey.c: directly call
isakmp_ph1delete() instead of scheduling isakmp_ph1delete_stub(), as
it is useless and can lead to memory access after free

2011-03-14 Timo Teras <timo.teras@iki.fi>

* src/racoon/: grabmyaddr.c, handler.c, isakmp.c, isakmp_inf.c,
isakmp_quick.c, nattraversal.c, pfkey.c, policy.c, sockmisc.c,
sockmisc.h, throttle.c: Explicitly compare return value of
cmpsaddr() against a return value define to make it more obvious
what is the intended action. One more return value is also added, to
fix comparison of security policy descriptors. Namely, getsp()
should not allow wildcard matching (as the comment says, it does
exact matching) - otherwise we get problems when kernel has generic
policy with no ports, and a second similar policy with ports.

2011-03-14 Yvan Vanhullebus <vanhu@netasq.com>

* src/racoon/: cfparse.y, isakmp_xauth.c, isakmp_xauth.h,
remoteconf.c, remoteconf.h, rsalist.c, rsalist.h: avoid some
memory leaks / free memory access when reloading conf and have
inherited config. patch from Roman Hoog Antink <rha@open.ch>

* src/racoon/handler.c: removed a useless comment

* src/racoon/handler.c: check if we got RMCONF_ERR_MULTIPLE from
getrmconf_by_ph1() in revalidate_ph1tree_rmconf()

2011-03-11 Yvan Vanhullebus <vanhu@netasq.com>

* src/racoon/: handler.c, isakmp.c: directly delete a ph1 in
remove_ph1() instead of scheduling it, to avoid (completely ?) a
race condition when reloading configuration

2011-03-06 Timo Teras <timo.teras@iki.fi>

* src/racoon/privsep.c: Quiet a gcc warning when strict-aliasing
checks are enabled. Reported by Stephen Clark.

2011-03-02 Yvan Vanhullebus <vanhu@netasq.com>

* src/racoon/session.c: flush sainfo list when closing session.
patch by Roman Hoog Antink <rha@open.ch>

* src/racoon/: remoteconf.c, rsalist.c, rsalist.h: free rsa
structures when deleting a struct rmconf. patch by Roman Hoog Antink
<rha@open.ch>

* src/racoon/: cfparse.y, remoteconf.c, remoteconf.h: free spspec
when deleting a rmconf struct. patch by Roman Hoog Antink
<rha@open.ch>

* src/racoon/: remoteconf.c, session.c: fixed some memory leaks in
remoteconf. patch by Roman Hoog Antink <rha@open.ch>

* src/racoon/: cfparse.y, prsa_par.y: fixed some memory leaks
during configuration parsing. patch by Roman Hoog Antink
<rha@open.ch>

2011-03-01 Yvan Vanhullebus <vanhu@netasq.com>

* src/racoon/: isakmp.c, pfkey.c: plog text fixes, patch from M E
Andersson <debian@gisladisker.se>

* src/racoon/cfparse.y: reset yyerrorcount before doing parse
stuff. patch by Roman Hoog Antink <rha@open.ch>

2011-02-20 Timo Teras <timo.teras@iki.fi>

* src/racoon/oakley.c: From Roman Hoog Antink <rha@open.ch>: Fix
memory leak when using plain RSA key authentication.

2011-02-11 Timo Teras <timo.teras@iki.fi>

* src/racoon/plainrsa-gen.c: From Mats E Andersson
<debian@gisladisker.se>: Fix fprintf format specifier usage from
previous patch.

2011-02-10 Timo Teras <timo.teras@iki.fi>

* src/racoon/plainrsa-gen.c: From Mats Erik Andersson
<debian@gisladisker.se>: Implement importing of RSA keys from PEM
files.

* src/racoon/prsa_par.y: From M E Andersson
<debian@gisladisker.se>: Fix parsing of restricted RSA key
addresses.

2011-02-02 Yvan Vanhullebus <vanhu@netasq.com>

* src/racoon/: cftoken.l, isakmp.c, remoteconf.h, sainfo.c,
sainfo.h: store ph1id in a u_int32_t instead of a (signed)int.
Patch from Christophe Carre

2011-01-28 Timo Teras <timo.teras@iki.fi>

* src/racoon/: sainfo.c, sainfo.h, session.c: From Roman Hoog
Antink <rha@open.ch>: Clean up sainfo reloading: rename the
functions, and remove unneeded global variable.

* src/racoon/: remoteconf.c, remoteconf.h, session.c: From Roman
Hoog Antink <rha@open.ch>: Clean up rmconf reloading: rename the
functions, and remove unneeded global variable.

* src/racoon/plog.c: From Roman Hoog Antink <rha@open.ch>: Log
remote IP address if available (slightly modified by tteras)

2011-01-22 Timo Teras <timo.teras@iki.fi>

* src/racoon/isakmp_inf.c: From Roman Hoog Antink <rha@open.ch>:
Fixes a null pointer dereference that might occur after removing
peers from the config and then reloading.

2011-01-20 Yvan Vanhullebus <vanhu@netasq.com>

* src/libipsec/pfkey.c: fixed a typo, it will now compile when
KMADDRESS is defined. reported by Roman Hoog Antink (rha (at)
open.ch)

2010-12-28 Timo Teras <timo.teras@iki.fi>

* src/racoon/handler.c: From Roman Hoog Antink <rha@open.ch>: Fix
config reload to not delete too many phase 2 handles, because wrong
chain field is used when enumerating the handles.

2010-12-16 gdt

* src/racoon/oakley.c: When encountering a certificate where "ID
mismatched with ASN1 SubjectName", and verify_identifier is off,
don't raise an error. This makes the behavior match the man page.

Patch sent for review long ago:
http://mail-index.netbsd.org/tech-security/2006/03/24/0000.html
with no negative feedback received to date.

2010-12-14 Timo Teras <timo.teras@iki.fi>

* src/racoon/ipsec_doi.c: From Roman Hoog Antink <rha@open.ch>: Fix
possible null dereference.

2010-12-08 Timo Teras <timo.teras@iki.fi>

* src/racoon/admin.c: Use separate SA addresses for phase2's
created by admin command. The phase2 startup overwrites src/dst with
ISAKMP ports if they are zero and we don't want that to happen for
the SA ports.

2010-12-08 joerg

* src/libipsec/pfkey.c: ANSIfy

2010-12-07 Timo Teras <timo.teras@iki.fi>

* src/racoon/isakmp_quick.c: Fix spacing and improve wording in
some log messages.

2010-12-03 Timo Teras <timo.teras@iki.fi>

* src/libipsec/ipsec_dump_policy.c: Recognize direction for Linux
per-socket policies.

* src/: libipsec/libpfkey.h, libipsec/pfkey_dump.c, setkey/parse.y,
setkey/setkey.8: Support GRE key as upper layer protocol
specifier (will be supported in Linux kernel 2.6.38).

* src/racoon/grabmyaddr.c: Netlink deletion notification does not
guarantee actual address deletion: it might still exist on some
other interface. Make sure we do not unbind unless the address is
really gone.

2010-11-17 Timo Teras <timo.teras@iki.fi>

* src/racoon/: handler.c, handler.h, isakmp.c, isakmp_inf.c: Fix my
previous patch to not call purge_remote() twice. Change the place
where purge_remote() is called. This fixes also a possible crash
from the same patch since ph1->remote can be NULL (when we are
responder and config is not yet selected).

2010-11-12 Timo Teras <timo.teras@iki.fi>

* src/racoon/: admin.c, isakmp.c, isakmp_var.h, pfkey.c:
isakmp_post_acquire is now called from admin commands too, add a
flag so admin commands can be used to establish even passive links
on demand.

* src/racoon/isakmp.c: Purge all IPsec-SA's if the last main
ISAKMP-SA for the node is deleted by remote request and the phase1
rekeying is enabled (this will also trigger the new phase1_dead
script hook).

* src/racoon/: handler.h, isakmp_inf.c: Improve DPD sequence checks
to allow any reply within valid sequence window to be proof of
liveliness. This can improve things if there's random packet
delays, or if racoon is not getting enough CPU time.

* src/racoon/: admin.c, admin.h, kmpstat.c, racoonctl.c: Extend
admin protocol to allow reply packets to exceed 64kb. E.g. SA dumps
with many established SAs can be easily over the limit.

2010-10-22 Timo Teras <timo.teras@iki.fi>

* src/racoon/grabmyaddr.c: Change Linux Netlink address monitoring
to monitor local route changes. This works around a kernel bug, and
slightly improves behaviour on some special cases.

2010-10-21 Timo Teras <timo.teras@iki.fi>

* src/racoon/: admin.c, evt.c, grabmyaddr.c, isakmp.c, pfkey.c,
session.c, session.h: Introduce priorities for file descriptor
polling mechanism and give priority to admin port. If admin port is
used by ISAKMP-SA hook scripts they should be preferred, otherwise
heavy traffic can delay admin port requests considerably. This in
turn may cause renegotiation loop for ISAKMP-SA. This is mostly
useful for OpenNHRP setup, but can benefit other setups too.

* src/racoon/: admin.c, handler.c, handler.h: Remove
initial-contact entry when all ISAKMP-SA are purged via adminport.
This will avoid stale security associations if some of the delete
notifications happens to get lost.

2010-10-20 Timo Teras <timo.teras@iki.fi>

* src/racoon/crypto_openssl.c: Use high-level openssl EVP and HMAC
functions when possible: this allows openssl to perform hardware
acceleration if available.

* src/racoon/: isakmp.c, isakmp_quick.c: Various improvements to
error log messages and a few additional error log messages to
improve diagnosing an error condition.

* src/racoon/grabmyaddr.c: Fix address comparison so we actually
close sockets which were bound to IP-address that got deconfigured.

2010-10-11 Yvan Vanhullebus <vanhu@netasq.com>

* src/racoon/ipsec_doi.c: report a higher encryption key length in
approval for OBEY / CLAIM / STRICT modes

2010-09-27 Yvan Vanhullebus <vanhu@netasq.com>

* src/racoon/isakmp_xauth.c: fixed some typos in logs (reported by
fazaeli (at) sepehrs.com)

2010-09-24 Yvan Vanhullebus <vanhu@netasq.com>

* src/racoon/cftoken.l: fixed a fd leak, patch by getlaser (at)
gmail.com

2010-09-22 Yvan Vanhullebus <vanhu@netasq.com>

* src/racoon/admin.c: get the correct length of username when
processing ADMIN_LOGOUT_USER, patch by rweikusat (at) mssgmbh.com

* src/racoon/nattraversal.h: fixed a typo in macros, reported by
marisp (at) mt.lv

2010-09-21 Yvan Vanhullebus <vanhu@netasq.com>

* src/racoon/isakmp_cfg.c: moved from utmp.h to utmpx.h (patch
provided by marcin.cieslak (at) gmail.com)

2010-09-08 Yvan Vanhullebus <vanhu@netasq.com>

* src/racoon/remoteconf.c: fixed remoteconf selection when no ID
specified in configuration, and added some debug to remoteconf
selection

2010-08-26 Yvan Vanhullebus <vanhu@netasq.com>

* src/racoon/remoteconf.c: fix by Sergio.Gelato (at) astro.su.se:
duplicate some dynamic values in duprmconf()

2010-08-04 Yvan Vanhullebus <vanhu@netasq.com>

* src/racoon/isakmp_cfg.c: fixed answer for IP4_SUBNET request

2010-07-30 Yvan Vanhullebus <vanhu@netasq.com>

* src/racoon/doc/FAQ: updated link to NetBSD's documentation

2010-06-22 Thomas Klausner <wiz@netbsd.org>

* src/racoon/racoon.conf.5: Bump date for previous.

2010-06-22 Yvan Vanhullebus <vanhu@netasq.com>

* src/racoon/: cfparse.y, cftoken.l, isakmp.c, isakmp_inf.c,
racoon.conf.5, remoteconf.c, remoteconf.h: added a specific
script hook when a dead peer is detected

2010-06-04 Thomas Klausner <wiz@netbsd.org>

* src/setkey/setkey.8: New sentence, new line. Bump date for
previous.

2010-06-04 Yvan Vanhullebus <vanhu@netasq.com>

* src/setkey/: parse.y, setkey.8, token.l: Added support for
spdupdate command in setkey

2010-04-07 Yvan Vanhullebus <vanhu@netasq.com>

* src/libipsec/ipsec_strerror.c: by Eric Preston: fixed a typo

2010-04-02 Christos Zoulas <christos@netbsd.org>

* src/: libipsec/pfkey_dump.c, racoon/backupsa.c: handle ctime
returning NULL.

2010-03-11 Christos Zoulas <christos@netbsd.org>

* src/racoon/handler.c: PR/42363: Yasuoka Masahiko: Second part of
the patch: iterate only on the phase2 handles that are bound by the
given phase1 handle.

2010-03-05 Timo Teras <timo.teras@iki.fi>

* src/: libipsec/ipsec_set_policy.3, racoon/privsep.c,
racoon/doc/FAQ, setkey/setkey.8: From Stefan Bauer: Fix multiple
typos and manpage formatting errors.

2010-03-04 Yvan Vanhullebus <vanhu@netasq.com>

* src/racoon/session.c: From Pierre POMES: fixed admin port
initialization

2010-02-28 snj

* src/racoon/: sockmisc.c, sockmisc.h: Fight the ever-increasing
size of src checkouts by spelling "useful" without an extra l.

2010-02-09 Thomas Klausner <wiz@netbsd.org>

* src/racoon/: pfkey.c, proposal.h: Fix typo in comment.

2010-01-17 Thomas Klausner <wiz@netbsd.org>

* src/racoon/sainfo.c: Free strdupped string after using it. Found
by cppcheck.

* src/racoon/: eaytest.c, ipsec_doi.c: Close file handles after
using them. Found by cppcheck.

2010-01-15 joerg

* src/setkey/setkey.8: Use .%U instead of .%O for URLs.

2009-12-11 Timo Teras <timo.teras@iki.fi>

* src/racoon/Makefile.am: From Paul Wernau: vmbuf.h was defined
twice in the headers. Remove the redundant entry so new install tool
does not complain about overwriting just installed file.

2009-11-22 Christos Zoulas <christos@netbsd.org>

* src/racoon/handler.c: PR/42363: Yasuoka Masahiko:

racoon uses a wrong IPsec-SA handle that is for other peer in case
it receives an ISAKMP message for IPsec-SA that has the same
message-id as the message-id that is received before.

racoon uses message-id to find the handle of IPsec-SA. The
message-id is a unique number for each peer, but different peers may
use the same value.

Different Windows Vista or Windows 7 peers seem to use the same
message-id. racoon can handle the first Windows's Phase-2, but it
cannot handle the second Windows. Because racoon misunderstands the
message for the second Windows as the message for the first Windows.

>Category: bin
>Synopsis: racoon uses a wrong IPsec-SA that is for different peer
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Nov 22 18:25:00 +0000 2009
>Originator: yasuoka@iij.ad.jp

2009-10-29 Christos Zoulas <christos@netbsd.org>

* src/setkey/token.l: use %option noinput nounput

2009-10-28 Christos Zoulas <christos@netbsd.org>

* src/setkey/token.l: no unput

2009-10-14 joerg

* src/libipsec/ipsec_set_policy.3: Do not use .Xo/.Xc to workaround
ancient groff limits.

* src/setkey/setkey.8: Do not use .Xo/.Xc to work around ancient
groff limits. Fix markup.

* src/racoon/racoon.conf.5: Don't use .Xo/.Xc to work around
ancient groff limits. Set only one list type.

2009-09-18 Timo Teras <timo.teras@iki.fi>

* src/racoon/: isakmp_agg.c, isakmp_ident.c: From Tomas Mraz: Fix
gssapi error checking.

2009-09-03 Timo Teras <timo.teras@iki.fi>

* src/racoon/: admin.c, handler.c, handler.h, isakmp.c,
isakmp_var.h, pfkey.c: When rekeying phase2 use phase1 used to
negotiate phase2 as a hint to select the phase1 for rekeying the new
phase2.

2009-09-01 Timo Teras <timo.teras@iki.fi>

* src/racoon/: nattraversal.c, racoon.conf.5, vendorid.c: Check
nat_traversal configuration from remote configuration candidates
when acting as responder. Enable NAT-T if any of the remote
candidates have NAT-T enabled.

* src/racoon/remoteconf.c: Change remote conf matching level to
matching score. This way one can override anonymous certificate
block config with more exact "inherited" IP specific block.

* src/racoon/: isakmp.c, racoon.conf.5: From Maik Broemme: export
ISAKMP SA identity as REMOTE_ID for phase1 up script (trac #313).

2009-08-24 Yvan Vanhullebus <vanhu@netasq.com>

* src/racoon/oakley.c: fixed typo: algoriym -> algorithm

2009-08-19 Yvan Vanhullebus <vanhu@netasq.com>

* src/racoon/remoteconf.c: fixed address check in
rmconf_match_type(), just check address with wildcard port

2009-08-19 Timo Teras <timo.teras@iki.fi>

* src/racoon/remoteconf.c: Have an enum for rmconf_match_type()
return values to make the code a bit more readable.

2009-08-18 Yvan Vanhullebus <vanhu@netasq.com>

* src/racoon/oakley.c: typo: algoritym -> algorithm

2009-08-17 Yvan Vanhullebus <vanhu@netasq.com>

* src/libipsec/libpfkey.h: do not use SADB_X_NAT_T_NEW_MAPPING to
check system support for NAT-T, as at least FreeBSD doesn't have
this define anymore

* src/racoon/schedule.h: include stddef.h so we have a chance to
get the system offsetof if present

* src/racoon/crypto_openssl.h: removed a self include

2009-08-13 Yvan Vanhullebus <vanhu@netasq.com>

* src/racoon/oakley.c: fixed a potential DoS in
oakley_do_decrypt(), reported by Orange Labs

2009-08-10 Timo Teras <timo.teras@iki.fi>

* src/racoon/pfkey.c: Don't print EAGAIN error from
pfkey_handler(), it can occur normally under some code paths and is
not a hard error in any case.

2009-08-06 Timo Teras <timo.teras@iki.fi>

* src/setkey/setkey.c: From Paul Wenau: Check fgets return value in
setkey to make gcc happy.

2009-08-05 Timo Teras <timo.teras@iki.fi>

* src/racoon/pfkey.c: From Paul Wernau: Fix transport mode per-port
security associations that got broken during NAT-T fixes.

2009-07-07 Timo Teras <timo.teras@iki.fi>

* src/racoon/sockmisc.c: From Arnaud Ebalard: Fix possible usage of
uninitialized local variable (not sure if any code path triggers
this, but this makes compiler happy).

2009-07-03 Timo Teras <timo.teras@iki.fi>

* src/racoon/: admin.c, grabmyaddr.c, handler.c, handler.h,
isakmp.c, isakmp_cfg.c, isakmp_inf.c, isakmp_quick.c,
nattraversal.c, pfkey.c, policy.c, remoteconf.c, remoteconf.h,
sockmisc.c, sockmisc.h, throttle.c: Get rid of the evil CMPSADDR
macro. Trac #295.

* src/: libipsec/libpfkey.h, libipsec/pfkey.c, racoon/isakmp.c,
racoon/isakmp_inf.c, racoon/pfkey.c, racoon/pfkey.h: From Yvan
Vanhullebus: Use SADB_X_EXT_NAT_T_* consistently for passing the
NAT-T port information. This might break compatibility with some
kernels, but as discussed this is the proper way to pass NAT-T ports
and the broken kernels need to be fixed.

2009-06-24 Timo Teras <timo.teras@iki.fi>

* src/racoon/session.c: Fix a call to null pointer: in some cases,
the unmonitor_fd can be called from another fd's callback. That
could lead to still have callback pending after unmonitoring the fd
resulting in a call to null pointer. This is fixed by making
unmonitor_fd now clear the pending fd_set too. Bug was introduced
by my commit in 2008-12-23.

645 | 2009-05-20 Yvan Vanhullebus <vanhu@netasq.com> |
---|
646 | |
---|
647 | * src/racoon/isakmp.h: typo |
---|
648 | |
---|
649 | 2009-05-19 Timo Teras <timo.teras@iki.fi> |
---|
650 | |
---|
651 | * src/racoon/: ipsec_doi.c, isakmp.c: From Jukka Salmi: Fix couple |
---|
652 | of typos from previous commit. |
---|
653 | |
---|
654 | 2009-05-18 Timo Teras <timo.teras@iki.fi> |
---|
655 | |
---|
656 | * src/racoon/: ipsec_doi.c, isakmp.c, sockmisc.c, sockmisc.h: From |
---|
657 | Tomas Mraz: Introduce union sockaddr_any and use it to make code |
---|
658 | more readable. Related to trac #293. |
---|
659 | |
---|
660 | * src/racoon/isakmp_inf.c: From Tomas Mraz: Remove variable that is |
---|
661 | not really used; only referenced while uninitialized causing |
---|
662 | valgrind error. |
---|
663 | |
---|
664 | * src/racoon/nattraversal.c: From Tomas Mraz: Fix natt_flags check. |
---|
665 | |
---|
666 | 2009-05-04 Thomas Klausner <wiz@netbsd.org> |
---|
667 | |
---|
668 | * src/racoon/racoon.conf.5: Remove superfluous spaces around |
---|
669 | parentheses. |
---|
670 | |
---|
671 | 2009-04-29 Timo Teras <timo.teras@iki.fi> |
---|
672 | |
---|
673 | * src/racoon/crypto_openssl.c: From Ross Meng: Fix a memory leak in |
---|
674 | X509 certificate validation. |
---|
675 | |
---|
676 | 2009-04-28 Timo Teras <timo.teras@iki.fi> |
---|
677 | |
---|
678 | * src/racoon/handler.c: Reset nat_oa variables too when reusing |
---|
679 | phase two handler. Otherwise phase2 rekeying might fail in some |
---|
680 | scenarios. |
---|
681 | |
---|
682 | 2009-04-22 Timo Teras <timo.teras@iki.fi> |
---|
683 | |
---|
684 | * src/racoon/isakmp_frag.c: From Neil Kettle: Fix a possible null |
---|
685 | pointer dereference in fragmentation code. |
---|
686 | |
---|
687 | 2009-04-21 Timo Teras <timo.teras@iki.fi> |
---|
688 | |
---|
689 | * src/racoon/: grabmyaddr.c, grabmyaddr.h, session.c: Fix |
---|
690 | strict_address to work again. The lists need to be initialized |
---|
691 | before configuration is read, which happens before my_addr_init() |
---|
692 | call. |
---|
693 | |
---|
694 | 2009-04-20 Timo Teras <timo.teras@iki.fi> |
---|
695 | |
---|
696 | * src/racoon/: isakmp.c, isakmp.h, isakmp_var.h: Fix a memory leak |
---|
697 | in certificate request generation. |
---|
698 | |
---|
699 | * src/racoon/: isakmp_inf.c, isakmp_xauth.c, plog.c: Originally from |
---|
700 | Bin Li: Fix possible memory corruption in binsanitize(). |
---|
701 | |
---|
702 | * src/racoon/crypto_openssl.c: From Stephen Bevan: Fix a x509 |
---|
703 | signature verification memory leak. |
---|
704 | |
---|
705 | * src/racoon/: admin.c, racoonctl.c: Originally from Bin Li: Fix a |
---|
706 | crash with racoonctl logout user. |
---|
707 | |
---|
708 | * src/racoon/nattraversal.c: Fix a memory leak in nat-t keepalive |
---|
709 | code. |
---|
710 | |
---|
711 | * src/racoon/handler.c: From Paul Moore: Phase2 message id's should |
---|
712 | be unique wrt phase1, not globally. |
---|
713 | |
---|
714 | 2009-03-13 Timo Teras <timo.teras@iki.fi> |
---|
715 | |
---|
716 | * src/racoon/: pfkey.c, remoteconf.h: From Arnaud Ebalard: Fix |
---|
717 | couple of problems with previous commit. |
---|
718 | |
---|
719 | 2009-03-12 he |
---|
720 | |
---|
721 | * src/racoon/: isakmp.c, remoteconf.c: When casting to/from a |
---|
722 | pointer to an integral type (a bad practice, if you ask me), you |
---|
723 | need to cast via intptr_t for portability. |
---|
724 | |
---|
725 | 2009-03-12 Thomas Klausner <wiz@netbsd.org> |
---|
726 | |
---|
727 | * src/racoon/racoon.conf.5: New sentence, new line. Avoid marking |
---|
728 | up punctuation. |
---|
729 | |
---|
730 | * src/racoon/racoonctl.8: Bump date for previous. Sort options to |
---|
731 | establish-sa. Stop using Xo/Xc. |
---|
732 | |
---|
733 | 2009-03-12 Timo Teras <timo.teras@iki.fi> |
---|
734 | |
---|
735 | * src/racoon/: admin.c, cfparse.y, cftoken.l, crypto_openssl.c, |
---|
736 | crypto_openssl.h, dnssec.c, dnssec.h, handler.c, handler.h, |
---|
737 | ipsec_doi.c, ipsec_doi.h, isakmp.c, isakmp.h, isakmp_agg.c, |
---|
738 | isakmp_base.c, isakmp_ident.c, isakmp_inf.c, isakmp_quick.c, |
---|
739 | isakmp_var.h, nattraversal.c, oakley.c, oakley.h, racoon.conf.5, |
---|
740 | racoonctl.8, racoonctl.c, remoteconf.c, remoteconf.h, sockmisc.c, |
---|
741 | vendorid.c: Support multiple anonymous remotes and decide |
---|
742 | remoteconf based on identity, received certificates and other |
---|
743 | information. General code clean up. |
---|
744 | |
---|
745 | 2009-03-06 Timo Teras <timo.teras@iki.fi> |
---|
746 | |
---|
747 | * src/setkey/: extern.h, parse.y, setkey.c: setkey: fix deleteall |
---|
748 | in Linux |
---|
749 | |
---|
750 | Linux requires SADB_DELETE message to have SPI. So send a |
---|
751 | SADB_DELETE message for each matching SA. Trac #284. |
---|
752 | |
---|
753 | From: Gabriel Somlo <somlo@cmu.edu> |
---|
754 | |
---|
755 | 2009-02-16 Timo Teras <timo.teras@iki.fi> |
---|
756 | |
---|
757 | * src/libipsec/policy_parse.y: From Paul Moore: Fix a heap |
---|
758 | corruption bug (yacc return non-null terminated buffer and sprintf |
---|
759 | writes over bounds). |
---|
760 | |
---|
761 | 2009-02-11 Yvan Vanhullebus <vanhu@netasq.com> |
---|
762 | |
---|
763 | * src/racoon/: isakmp.c, sockmisc.c, sockmisc.h: trac#301: fixed |
---|
764 | IPsec SAs flush in purge_remote() when NAT-T enabled but no NAT-T on |
---|
765 | tunnel |
---|
766 | |
---|
767 | 2009-02-03 Timo Teras <timo.teras@iki.fi> |
---|
768 | |
---|
769 | * src/racoon/isakmp.c: From: Phil Sutter. Fix script environment |
---|
770 | variables with IPv6 addresses. |
---|
771 | |
---|
772 | 2009-01-26 Timo Teras <timo.teras@iki.fi> |
---|
773 | |
---|
774 | * src/racoon/main.c: Argument parsing needs lcconf initialized. |
---|
775 | |
---|
776 | 2009-01-24 Thomas Klausner <wiz@netbsd.org> |
---|
777 | |
---|
778 | * src/racoon/racoonctl.c: Sort options in usage. |
---|
779 | |
---|
780 | * src/racoon/racoonctl.8: Sort options. New sentence, new line. |
---|
781 | |
---|
782 | * src/racoon/racoon.8: Sort options. |
---|
783 | |
---|
784 | 2009-01-23 Timo Teras <timo.teras@iki.fi> |
---|
785 | |
---|
786 | * src/racoon/: racoonctl.8, racoonctl.c: Update usage and manpage |
---|
787 | for racoonctl. |
---|
788 | |
---|
789 | * src/racoon/: main.c, racoon.8: Racoon -v to print version and |
---|
790 | compilation information. Update usage message. |
---|
791 | |
---|
792 | * NEWS: Update NEWS with major changes since 0.7 release. |
---|
793 | |
---|
794 | * src/racoon/schedule.c: Fix monotonic scheduler change, to not |
---|
795 | refresh 'now' before exit. Otherwise we can return negative timeout |
---|
796 | after spending time handling other events. |
---|
797 | |
---|
798 | * src/racoon/: handler.c, pfkey.c: From Arnaud Ebalard: Handle |
---|
799 | reception of MIGRATE message during Phase 1 and Phase 2 negotiation. |
---|
800 | Also corrects some debugging statements. |
---|
801 | |
---|
802 | * src/racoon/pfkey.c: From Arnaud Ebalard: On the responder (for |
---|
803 | instance), there is a need to not only migrate local and remote |
---|
804 | addresses of Phase 1 that match previous addresses but also the |
---|
805 | local and remote addresses of a Phase 1 *associated* with a migrated |
---|
806 | Phase 2. For instance, we have that need when receiving the first |
---|
807 | MIGRATE/KMADDRESS message because the old addresses are still the |
---|
808 | HoA and the address of the HA (while the peer has contacted us using |
---|
809 | the CoA and we have negotiated this address as src attribute in |
---|
810 | Phase 2). The patch fixes that by having migrate_ph1_ike_addresses() |
---|
811 | called from migrate_ph2_ike_addresses() callback. |
---|
812 | |
---|
813 | * src/racoon/isakmp_quick.c: From Arnaud Ebalard: Set phase2 spid |
---|
814 | when acting as responder. |
---|
815 | |
---|
816 | * configure.ac, src/racoon/handler.c, src/racoon/handler.h, |
---|
817 | src/racoon/isakmp_inf.c, src/racoon/isakmp_xauth.c, |
---|
818 | src/racoon/schedule.c, src/racoon/schedule.h, |
---|
819 | src/racoon/throttle.c, src/racoon/throttle.h: Detect if monotonic |
---|
820 | system clock is available, and use it for relative time measurements |
---|
821 | to avoid complete hang if time jumps backwards. |
---|
822 | |
---|
823 | * src/racoon/: cfparse.y, ipsec_doi.c, isakmp.c, isakmp_agg.c, |
---|
824 | isakmp_base.c, isakmp_cfg.c, isakmp_ident.c, isakmp_xauth.c, |
---|
825 | oakley.c, oakley.h: Fix authentication method ambiguity by |
---|
826 | internally using unique ID and setting/interpreting the wire format |
---|
827 | based on received vendor ID:s. Fixes trac #280. |
---|
828 | |
---|
829 | * src/racoon/: handler.h, isakmp_agg.c, isakmp_base.c, |
---|
830 | isakmp_ident.c, vendorid.c, vendorid.h: Introduce vendorid |
---|
831 | bitmask that can be used otherwhere to detect peer capabilities. |
---|
832 | |
---|
833 | * configure.ac, src/racoon/admin.c, src/racoon/evt.c, |
---|
834 | src/racoon/grabmyaddr.c, src/racoon/isakmp.c, src/racoon/pfkey.c, |
---|
835 | src/racoon/session.c, src/racoon/session.h: Remove "fastquit" |
---|
836 | configure option and make it the default behaviour. The previous |
---|
837 | normal behaviour is buggy, as after flush kernel can immediately |
---|
838 | create larval SA:s which would prevent exit. |
---|
839 | |
---|
840 | 2009-01-20 Timo Teras <timo.teras@iki.fi> |
---|
841 | |
---|
842 | * Makefile.am, misc/cvs2cl.pl, misc/cvsusermap: Autogenerate |
---|
843 | ChangeLog from NetBSD CVS. Put sourceforge.net changes to |
---|
844 | ChangeLog.old. |
---|
845 | |
---|
846 | 2009-01-10 Thomas Klausner <wiz@netbsd.org> |
---|
847 | |
---|
848 | * src/racoon/racoon.conf.5: Make ready for HTML output. Use proper |
---|
849 | escape for backslash ('\e'). |
---|
850 | |
---|
851 | 2009-01-10 Timo Teras <timo.teras@iki.fi> |
---|
852 | |
---|
853 | * src/racoon/: crypto_openssl.c, racoon.conf.5: From Cyrus Rahman: |
---|
854 | Accept RFC2253 compliant escaped special characters for asn1dn |
---|
855 | identifier. |
---|
856 | |
---|
857 | 2009-01-09 Timo Teras <timo.teras@iki.fi> |
---|
858 | |
---|
859 | * configure.ac: Fix a CPPLAGS typo to CPPFLAGS which was intended |
---|
860 | |
---|
861 | 2009-01-05 Timo Teras <timo.teras@iki.fi> |
---|
862 | |
---|
863 | * src/racoon/: cfparse.y, cftoken.l, racoon.conf.5: Remove obsolete |
---|
864 | configuration options, fix radius configuration block and add GRE as |
---|
865 | recognized protocol. |
---|
866 | |
---|
867 | * src/racoon/session.c: Do not use counting in signal handling as |
---|
868 | it was unsafe by not using atomic functions (post increment is not |
---|
869 | necessarily atomic). Instead reap all children on SIGCHLD as that |
---|
870 | was the only signal needing signal counting. |
---|
871 | |
---|
872 | 2008-12-30 Timo Teras <timo.teras@iki.fi> |
---|
873 | |
---|
874 | * src/racoon/session.c: schedular() call can now modify fd mask so |
---|
875 | make the working copy just before calling select(); otherwise it can |
---|
876 | contain bad file descriptors |
---|
877 | |
---|
878 | 2008-12-29 Michael van Elst <mlelstv@netbsd.org> |
---|
879 | |
---|
880 | * src/setkey/parse.y: support icmp codes. Fixes PR 39056. |
---|
881 | |
---|
882 | 2008-12-24 Christos Zoulas <christos@netbsd.org> |
---|
883 | |
---|
884 | * src/racoon/grabmyaddr.c: remove sin{6,}_len linux does not have |
---|
885 | it. From Timo Teras. |
---|
886 | |
---|
887 | * src/racoon/grabmyaddr.c: I was wrong. addr is actually set. |
---|
888 | |
---|
889 | * src/racoon/grabmyaddr.c: |
---|
890 | - make this compile by zeroing out the whole structure not just |
---|
891 | bogus fields. |
---|
892 | - set length field of sockets appropriately. |
---|
893 | - mark bogus no-op code (I don't understand what the author intended |
---|
894 | here). |
---|
895 | |
---|
896 | 2008-12-23 Thomas Klausner <wiz@netbsd.org> |
---|
897 | |
---|
898 | * src/racoon/racoon.conf.5: Bump date for identity configuration |
---|
899 | option removal. |
---|
900 | |
---|
901 | 2008-12-23 Timo Teras <timo.teras@iki.fi> |
---|
902 | |
---|
903 | * src/racoon/: cfparse.y, cftoken.l, ipsec_doi.c, localconf.c, |
---|
904 | localconf.h, racoon.conf.5: Remove the obsoleted global identity |
---|
905 | configuration option. |
---|
906 | |
---|
907 | * src/racoon/: admin.c, admin_var.h, cfparse.y, debug.h, evt.c, |
---|
908 | evt.h, grabmyaddr.c, grabmyaddr.h, handler.c, isakmp.c, |
---|
909 | isakmp_inf.c, isakmp_var.h, localconf.c, localconf.h, main.c, |
---|
910 | nattraversal.c, pfkey.c, pfkey.h, privsep.c, session.c, |
---|
911 | session.h: rewrite local address detection make some functions |
---|
912 | static that are not needed globally rework how fd_set is |
---|
913 | constructed for the main loop select() |
---|
914 | |
---|
915 | 2008-12-18 Timo Teras <timo.teras@iki.fi> |
---|
916 | |
---|
917 | * src/racoon/pfkey.c: From Arnaud Ebalard: Delete larval ph2handles |
---|
918 | when expire with hard lifetime received |
---|
919 | |
---|
920 | 2008-12-16 Timo Teras <timo.teras@iki.fi> |
---|
921 | |
---|
922 | * README: Update README |
---|
923 | |
---|
924 | * src/racoon/pfkey.c: Fix transport mode address selection in |
---|
925 | acquire handling. Some earlier fixes got lost on 2008-12-05 commit. |
---|
926 | |
---|
927 | 2008-12-11 Yvan Vanhullebus <vanhu@netasq.com> |
---|
928 | |
---|
929 | * src/racoon/grabmyaddr.c: Fixed compilation on FreeBSD (RTM_IFINFO |
---|
930 | and RTM_OIFINFO stuff) |
---|
931 | |
---|
932 | * src/racoon/isakmp.c: Fixed compilation when DPD support is |
---|
933 | disabled |
---|
934 | |
---|
935 | 2008-12-08 Timo Teras <timo.teras@iki.fi> |
---|
936 | |
---|
937 | * src/racoon/: pfkey.c, privsep.c, privsep.h: Do not cache pfkey |
---|
938 | sockets: it might cause to not handle some pfkey events when |
---|
939 | select() has marked pfkey socket readable, but a timer callback |
---|
940 | first calls pfkey_dump_sadb(). |
---|
941 | |
---|
942 | 2008-12-05 Timo Teras <timo.teras@iki.fi> |
---|
943 | |
---|
944 | * src/: libipsec/key_debug.c, libipsec/libpfkey.h, |
---|
945 | libipsec/pfkey.c, racoon/handler.c, racoon/handler.h, |
---|
946 | racoon/ipsec_doi.c, racoon/isakmp.c, racoon/isakmp_quick.c, |
---|
947 | racoon/pfkey.c, racoon/policy.c, racoon/policy.h: From Arnaud |
---|
948 | Ebalard: Improved Mobile IPv6 support per |
---|
949 | draft-ebalard-mext-pfkey-enhanced-migrate. |
---|
950 | |
---|
951 | 2008-12-04 Christoph Badura <bad@netbsd.org> |
---|
952 | |
---|
953 | * src/racoon/privsep.c: Fix typo in previous and use SIG_IGN as I |
---|
954 | intended. |
---|
955 | |
---|
956 | 2008-12-02 Timo Teras <timo.teras@iki.fi> |
---|
957 | |
---|
958 | * src/racoon/session.c: Explicitly ignore SIGPIPE. Default action |
---|
959 | on Linux is terminate. |
---|
960 | |
---|
961 | 2008-11-28 Thomas Klausner <wiz@netbsd.org> |
---|
962 | |
---|
963 | * src/racoon/racoon.conf.5: Remove empty line. Fix typo. New |
---|
964 | sentence, new line. |
---|
965 | |
---|
966 | 2008-11-27 Yvan Vanhullebus <vanhu@netasq.com> |
---|
967 | |
---|
968 | * src/racoon/main.c: Set up a default value for Mode Config Pool |
---|
969 | size if pool address specified but pool size not specified |
---|
970 | |
---|
971 | * src/racoon/isakmp_cfg.c: Fixed pool resizing |
---|
972 | |
---|
973 | 2008-11-27 Timo Teras <timo.teras@iki.fi> |
---|
974 | |
---|
975 | * src/racoon/pfkey.c: From Arnaud Ebalard: Remove MAXNESTEDSA |
---|
976 | weirdness. It's probably meant for bundle support which is not done. |
---|
977 | When someone actually writes bundle support, the nested SA stuff |
---|
978 | would probably be reworked too anyway. |
---|
979 | |
---|
980 | * src/: libipsec/libpfkey.h, libipsec/pfkey.c, racoon/cfparse.y, |
---|
981 | racoon/cftoken.l, racoon/localconf.c, racoon/localconf.h, |
---|
982 | racoon/pfkey.c, racoon/racoon.conf.5: From: Matthew Krenzer |
---|
983 | Ability to set pfkey socket buffer size via configuration file |
---|
984 | directive. (Indentation and minor fixes by me.) |
---|
985 | |
---|
986 | 2008-11-25 Christoph Badura <bad@netbsd.org> |
---|
987 | |
---|
988 | * src/racoon/: evt.c, privsep.c, session.c: Avoid using |
---|
989 | MSG_NOSIGNAL as it is not available everywhere. Ignore SIGPIPE |
---|
990 | instead. |
---|
991 | |
---|
992 | * src/racoon/grabmyaddr.c: Ignore unspecified and loopback |
---|
993 | addresses. Ignoring unspecified addresses prevents racoon from |
---|
994 | trying to bind to the wildcard address and specific addresses |
---|
995 | simultaneously after e.g. dhclient has changed an interface's |
---|
996 | address to 0.0.0.0. |
---|
997 | |
---|
998 | * src/racoon/grabmyaddr.c: RTM_DELETE and RTM_IFINFO don't carry |
---|
999 | info for added or deleted addresses. Ignore them silently. |
---|
1000 | |
---|
1001 | * src/racoon/grabmyaddr.c: Ignoring an unsuitable address is not an |
---|
1002 | error. Therefore log it as informational. Make it clear from the |
---|
1003 | log message that a route message is not interesting. |
---|
1004 | |
---|
1005 | * src/racoon/grabmyaddr.c: Use insmyaddr() instead of open coding |
---|
1006 | it. |
---|
1007 | |
---|
1008 | * src/racoon/isakmp.c: Do not return erroneously from isakmp_open() |
---|
1009 | when setting IPV6_USE_MIN_MTU fails. |
---|
1010 | |
---|
1011 | * src/racoon/: grabmyaddr.c, isakmp.c: Keep myaddr.sock at -1 when |
---|
1012 | no socket is opened. |
---|
1013 | |
---|
1014 | 2008-11-08 Christoph Badura <bad@netbsd.org> |
---|
1015 | |
---|
1016 | * src/racoon/samples/roadwarrior/client/: phase1-down.sh, |
---|
1017 | phase1-up.sh: Preserve owner and permissions of original |
---|
1018 | /etc/resolv.conf. Ensure that new /etc/resolv.conf isn't group or |
---|
1019 | world writable. |
---|
1020 | |
---|
1021 | * src/racoon/samples/roadwarrior/client/: phase1-down.sh, |
---|
1022 | phase1-up.sh: Print and check INTERNAL_NETMASK4. |
---|
1023 | |
---|
1024 | * src/racoon/samples/roadwarrior/client/: phase1-down.sh, |
---|
1025 | phase1-up.sh: Make the handling of NAT-T SPD entries automatic. |
---|
1026 | |
---|
1027 | * src/racoon/samples/roadwarrior/client/: phase1-down.sh, |
---|
1028 | phase1-up.sh: Ensure that the determination of the default |
---|
1029 | gateway and the corresponding interface don't get confused by |
---|
1030 | multiple, possibly non-IPv4 default routes. Bring the NetBSD case |
---|
1031 | of deleting the VPN routes and address in line with the Linux case |
---|
1032 | and delete the address after deleting the VPN routes. |
---|
1033 | |
---|
1034 | 2008-11-06 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1035 | |
---|
1036 | * src/racoon/sainfo.c: fixed delsainfo() to avoid a crash when |
---|
1037 | iddst's value is SAINFO_CLIENTADDR |
---|
1038 | |
---|
1039 | 2008-10-29 S.P.Zeidler <spz@netbsd.org> |
---|
1040 | |
---|
1041 | * src/racoon/ipsec_doi.c: Changes to ipsecdoi_id2str(): |
---|
1042 | |
---|
1043 | struct sockaddr -> struct sockaddr_storage fixes a stack overflow |
---|
1044 | |
---|
1045 | For non-linklocal addresses the value in 'scope' is garbage and gets |
---|
1046 | set to zero instead. |
---|
1047 | |
---|
1048 | 2008-10-27 Timo Teras <timo.teras@iki.fi> |
---|
1049 | |
---|
1050 | * src/racoon/pfkey.c: From Arnaud Ebalard: Add missing return to |
---|
1051 | error path |
---|
1052 | |
---|
1053 | * src/racoon/grabmyaddr.c: From Francis Dupont (sent by Arnaud |
---|
1054 | Ebalard): recognize RTM_IFANNOUNCE |
---|
1055 | |
---|
1056 | * src/racoon/grabmyaddr.c: From Arnaud Ebalard: Fix indentation |
---|
1057 | issues for readability |
---|
1058 | |
---|
1059 | * src/racoon/session.c: From Arnaud Ebalard: initfds() needs to be |
---|
1060 | called only if monitored file descriptor numbers have changed |
---|
1061 | |
---|
1062 | * src/racoon/isakmp_var.h: From Arnaud Ebalard: Remove duplicate |
---|
1063 | declaration |
---|
1064 | |
---|
1065 | 2008-10-23 Timo Teras <timo.teras@iki.fi> |
---|
1066 | |
---|
1067 | * src/racoon/: privsep.c, session.c, session.h: From Krzysztof |
---|
1068 | Piotr Oledzki <olel@ans.pl>: Revert parts of 2008-08-06 commit; the |
---|
1069 | problem those changes address are already handled in a sensible way |
---|
1070 | by Cyrus Rahman's patch from 2008-03-06. |
---|
1071 | |
---|
1072 | 2008-10-09 Timo Teras <timo.teras@iki.fi> |
---|
1073 | |
---|
1074 | * src/racoon/isakmp_quick.c: From Arnaud Ebalard: remove |
---|
1075 | unnecessary unbindph12() call which is now done in remph2() |
---|
1076 | |
---|
1077 | 2008-09-25 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1078 | |
---|
1079 | * src/racoon/isakmp.c: Fixed resending mechanism to have non-ESP |
---|
1080 | marker for retransmitted packets |
---|
1081 | |
---|
1082 | 2008-09-19 Thomas Klausner <wiz@netbsd.org> |
---|
1083 | |
---|
1084 | * src/racoon/racoon.conf.5: New sentence, new line. |
---|
1085 | |
---|
1086 | 2008-09-19 Timo Teras <timo.teras@iki.fi> |
---|
1087 | |
---|
1088 | * src/racoon/: admin.c, cfparse.y, cftoken.l, handler.c, handler.h, |
---|
1089 | isakmp.c, isakmp_cfg.c, isakmp_inf.c, isakmp_quick.c, |
---|
1090 | isakmp_var.h, isakmp_xauth.c, pfkey.c, proposal.c, racoon.conf.5, |
---|
1091 | remoteconf.c, remoteconf.h: Implement ISAKMP SA rekeying |
---|
1092 | configurable with rekey {on|off|force} option in remote conf. |
---|
1093 | |
---|
1094 | * src/racoon/: handler.c, handler.h, isakmp.c, isakmp_inf.c, |
---|
1095 | isakmp_quick.c, isakmp_var.h, isakmp_xauth.c, isakmp_xauth.h, |
---|
1096 | nattraversal.c, pfkey.c, pfkey.h, schedule.c, schedule.h, |
---|
1097 | session.c: Change struct sched to be allocated by the caller to |
---|
1098 | avoid some memory allocations. Optimize scheduling algorithm to not |
---|
1099 | scan all entries in the main loop. |
---|
1100 | |
---|
1101 | 2008-09-17 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1102 | |
---|
1103 | * src/racoon/isakmp_inf.c: Fixed port match in purge_ipsec_spi() |
---|
1104 | when NAT-T enabled and trying to purge non NAT-T SAs |
---|
1105 | |
---|
1106 | 2008-09-09 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1107 | |
---|
1108 | * src/racoon/pfkey.c: Some calls to set_port() were not correctly |
---|
1109 | updated in the previous commit |
---|
1110 | |
---|
1111 | 2008-09-03 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1112 | |
---|
1113 | * src/racoon/pfkey.c: From Tomas Mraz: Duplicate addresses in |
---|
1114 | pk_sendxxx functions, as they may be altered for NAT-T stuff. |
---|
1115 | |
---|
1116 | 2008-09-03 Timo Teras <timo.teras@iki.fi> |
---|
1117 | |
---|
1118 | * src/: libipsec/pfkey.c, racoon/pfkey.c, racoon/sockmisc.c: |
---|
1119 | - Fix reloading of SPD (Linux satype check, handling of SPD dump |
---|
1120 | responses) |
---|
1121 | - Remove some spurious error log message from extract_port() |
---|
1122 | |
---|
1123 | 2008-08-29 Gregory McGarry <gmcgarry@netbsd.org> |
---|
1124 | |
---|
1125 | * src/racoon/isakmp.c: Eliminate gcc-specific feature of empty |
---|
1126 | structures. |
---|
1127 | |
---|
1128 | * src/racoon/evt.h: Eliminate superfluous semicolon. |
---|
1129 | |
---|
1130 | * src/racoon/: admin.c, admin.h: Eliminate gcc-specific feature of |
---|
1131 | unnamed structures added recently. |
---|
1132 | |
---|
1133 | 2008-08-12 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1134 | |
---|
1135 | * src/racoon/isakmp.c: From Krzysztof Piotr Oledzki: Remove |
---|
1136 | ph1handler if we received an invalid first exchange from initiator. |
---|
1137 | |
---|
1138 | 2008-08-06 Timo Teras <timo.teras@iki.fi> |
---|
1139 | |
---|
1140 | * src/racoon/: privsep.c, session.c, session.h: From Krzysztof |
---|
1141 | Piotr Oledzki: Make privileged process exit if unprivileged process |
---|
1142 | is terminated and some spelling fixes. |
---|
1143 | |
---|
1144 | 2008-07-23 Matthew Grooms <mgrooms@shrew.net> |
---|
1145 | |
---|
1146 | * src/racoon/: cfparse.y, session.c: Add some missing ifdefs |
---|
1147 | required for non-radius enabled builds. |
---|
1148 | |
---|
1149 | 2008-07-23 Timo Teras <timo.teras@iki.fi> |
---|
1150 | |
---|
1151 | * src/racoon/Makefile.am: Do not use GNU make specific extension. |
---|
1152 | |
---|
1153 | * src/: libipsec/Makefile.am, racoon/Makefile.am, |
---|
1154 | setkey/Makefile.am: Do flex/bison invocation in a more standard |
---|
1155 | way, and keep the generated files in the dist tarball. |
---|
1156 | |
---|
1157 | 2008-07-22 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1158 | |
---|
1159 | * src/racoon/proposal.c: From Kohki Ohhira: fix some memory leaks, |
---|
1160 | when malloc fails or when peer sends invalid proposal. |
---|
1161 | |
---|
1162 | 2008-07-22 Matthew Grooms <mgrooms@shrew.net> |
---|
1163 | |
---|
1164 | * src/racoon/: cfparse.y, cftoken.l, isakmp_cfg.c, isakmp_xauth.c, |
---|
1165 | isakmp_xauth.h, main.c, racoon.conf.5, session.c: Add an optional |
---|
1166 | radius configuration section to the racoon.conf file. This is |
---|
1167 | similar to the LDAP configuration section and overrides settings |
---|
1168 | in the system radius configuration file. |
---|
1169 | |
---|
1170 | 2008-07-21 Matthias Scheler <tron@netbsd.org> |
---|
1171 | |
---|
1172 | * src/racoon/cfparse.y: Correct typo to fix the build. |
---|
1173 | |
---|
1174 | 2008-07-21 Timo Teras <timo.teras@iki.fi> |
---|
1175 | |
---|
1176 | * src/racoon/: isakmp_agg.c, isakmp_base.c, isakmp_ident.c, |
---|
1177 | vendorid.c, vendorid.h: Separate generic vendor id handling to a |
---|
1178 | new function and use it. |
---|
1179 | |
---|
1180 | * src/racoon/cfparse.y: Do not set default gss id if xauth is used, |
---|
1181 | otherwise gss-id attribute might be sent even if it was not |
---|
1182 | requested. |
---|
1183 | |
---|
1184 | 2008-07-15 Matthew Grooms <mgrooms@shrew.net> |
---|
1185 | |
---|
1186 | * src/racoon/isakmp_cfg.c: Fix a typo that prevented racoon from |
---|
1187 | building with hybrid enabled. |
---|
1188 | |
---|
1189 | * src/racoon/: crypto_openssl.c, eaytest.c, misc.c, misc.h, |
---|
1190 | racoonctl.c: Fix a conflict with the FreeBSD 8 system hexdump |
---|
1191 | function. |
---|
1192 | |
---|
1193 | 2008-07-14 Timo Teras <timo.teras@iki.fi> |
---|
1194 | |
---|
1195 | * src/racoon/: handler.h, ipsec_doi.c, ipsec_doi.h, isakmp_quick.c, |
---|
1196 | pfkey.c: Handle RESPONDER-LIFETIME notification in quick mode. |
---|
1197 | |
---|
1198 | * src/racoon/: handler.h, isakmp.c, isakmp_agg.c, isakmp_ident.c, |
---|
1199 | isakmp_inf.c, isakmp_inf.h, isakmp_quick.c, strnames.c: Clean up |
---|
1200 | notification payload handling. Handle INITIAL-CONTACT notification |
---|
1201 | in last main mode exchange (delayed) and during quick mode |
---|
1202 | exchanges. |
---|
1203 | |
---|
1204 | 2008-07-11 Timo Teras <timo.teras@iki.fi> |
---|
1205 | |
---|
1206 | * src/racoon/: isakmp.c, isakmp_inf.c: Original patch from Atis |
---|
1207 | Elsts: Fix a double memory free and a memory corruption |
---|
1208 | (LIST_REMOVE() on an uninserted node) in some error handling paths. |
---|
1209 | |
---|
1210 | 2008-07-09 Timo Teras <timo.teras@iki.fi> |
---|
1211 | |
---|
1212 | * src/racoon/cfparse.y: From Chong Peng: fix a file descriptor and |
---|
1213 | memory leak on configuration file reread |
---|
1214 | |
---|
1215 | 2008-07-02 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1216 | |
---|
1217 | * src/racoon/isakmp_inf.c: From Timo Teras: fix some %d to %zu |
---|
1218 | (size_t values) |
---|
1219 | |
---|
1220 | 2008-06-18 Thomas Klausner <wiz@netbsd.org> |
---|
1221 | |
---|
1222 | * src/racoon/racoonctl.8: Bump date for previous. |
---|
1223 | |
---|
1224 | 2008-06-18 Matthew Grooms <mgrooms@shrew.net> |
---|
1225 | |
---|
1226 | * src/racoon/: admin.c, admin.h, racoonctl.8, racoonctl.c: Add an |
---|
1227 | admin port command to retrieve the peer certificate. Submitted by |
---|
1228 | Timo Teras. |
---|
1229 | |
---|
1230 | * src/racoon/: admin.c, grabmyaddr.c, isakmp.c, misc.c, misc.h: Set |
---|
1231 | sockets to be closed on exec to avoid potential file descriptor |
---|
1232 | inheritance issues. Submitted by Timo Teras. |
---|
1233 | |
---|
1234 | * src/racoon/: admin.c, grabmyaddr.c, ipsec_doi.c, isakmp.c, |
---|
1235 | isakmp_cfg.c, isakmp_inf.c, privsep.c, remoteconf.c: Use utility |
---|
1236 | functions to evaluate and manipulate network port values. No |
---|
1237 | functional changes. Submitted by Timo Teras. |
---|
1238 | |
---|
1239 | * src/racoon/: admin.c, racoonctl.c: Admin port code cleanup. No |
---|
1240 | functional changes. Submitted by Timo Teras. |
---|
1241 | |
---|
1242 | * src/racoon/pfkey.c: Correct a phase2 status event. Submitted by |
---|
1243 | Timo Teras. |
---|
1244 | |
---|
1245 | 2008-05-24 Christos Zoulas <christos@netbsd.org> |
---|
1246 | |
---|
1247 | * src/racoon/privsep.c: Coverity CID 5018: Fix double frees. |
---|
1248 | |
---|
1249 | 2008-05-08 Emmanuel Dreyfus <manu@netbsd.org> |
---|
1250 | |
---|
1251 | * configure.ac: From Christian Hohnstaedt: allow out of tree |
---|
1252 | building |
---|
1253 | |
---|
1254 | 2008-04-30 Martin Husemann <martin@netbsd.org> |
---|
1255 | |
---|
1256 | * netbsd-import.sh: Convert TNF licenses to new 2 clause variant |
---|
1257 | |
---|
1258 | 2008-04-25 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1259 | |
---|
1260 | * src/racoon/isakmp_inf.c: From Timo Teras: extract port numbers |
---|
1261 | from SADB_X_EXT_NAT_T[SD]PORT if present in purge_ipsec_spi(). |
---|
1262 | |
---|
1263 | 2008-04-13 Christos Zoulas <christos@netbsd.org> |
---|
1264 | |
---|
1265 | * src/racoon/privsep.c: for symmetry set controllen the same way we |
---|
1266 | set it on the receiving side. |
---|
1267 | |
---|
1268 | 2008-04-02 Emmanuel Dreyfus <manu@netbsd.org> |
---|
1269 | |
---|
1270 | * src/racoon/: Makefile.am, sockmisc.c, sockmisc.h: fix Linux build |
---|
1271 | |
---|
1272 | 2008-03-28 Christos Zoulas <christos@netbsd.org> |
---|
1273 | |
---|
1274 | * src/racoon/privsep.c: properly fix the variable stack allocation |
---|
1275 | code. |
---|
1276 | |
---|
1277 | 2008-03-28 Emmanuel Dreyfus <manu@netbsd.org> |
---|
1278 | |
---|
1279 | * src/racoon/privsep.c: Still from Cyrus Rahman: fix file |
---|
1280 | descriptor leak introduced by previous commit. |
---|
1281 | |
---|
1282 | * src/racoon/: Makefile.am, isakmp.c, isakmp_inf.c, privsep.c, |
---|
1283 | privsep.h, sockmisc.c, doc/README.privsep: From Cyrus Rahman: |
---|
1284 | Allow interface reconfiguration when running in privilege separation |
---|
1285 | mode, document privilege separation |
---|
1286 | |
---|
1287 | 2008-03-06 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1288 | |
---|
1289 | * src/racoon/oakley.c: Generates a log if cert validation has been |
---|
1290 | disabled by configuration |
---|
1291 | |
---|
1292 | 2008-03-06 Emmanuel Dreyfus <manu@netbsd.org> |
---|
1293 | |
---|
1294 | * src/racoon/: privsep.c, session.c: From Cyrus Rahman |
---|
1295 | <crahman@gmail.com> privileged instance exit when unprivileged one |
---|
1296 | terminates. Save PID in real root, not in chroot |
---|
1297 | |
---|
1298 | 2008-03-06 Matthew Grooms <mgrooms@shrew.net> |
---|
1299 | |
---|
1300 | * src/racoon/: admin.c, isakmp.c, isakmp_var.h, pfkey.c, |
---|
1301 | racoonctl.8, racoonctl.c: Add the ability to initiate IPsec SA |
---|
1302 | negotiations using the admin socket. Submitted by Timo Teras. |
---|
1303 | |
---|
1304 | * src/racoon/: admin.c, admin.h, evt.c, evt.h, handler.c, |
---|
1305 | handler.h, isakmp.c, isakmp_agg.c, isakmp_base.c, isakmp_cfg.c, |
---|
1306 | isakmp_ident.c, isakmp_inf.c, isakmp_var.h, isakmp_xauth.c, |
---|
1307 | racoonctl.8, racoonctl.c, session.c: Refactor admin socket event |
---|
1308 | protocol to be less error prone. Backwards compatibility is |
---|
1309 | provided. Submitted by Timo Teras. |
---|
1310 | |
---|
1311 | 2008-03-05 Matthew Grooms <mgrooms@shrew.net> |
---|
1312 | |
---|
1313 | * src/racoon/cfparse.y: Properly initialize the unity network |
---|
1314 | struct to prevent erroneous protocol and port info from being |
---|
1315 | transmitted. |
---|
1316 | |
---|
1317 | * src/racoon/: pfkey.c, pfkey.h, session.c: Reload SPD on SIGHUP or |
---|
1318 | adminport reload. Also provide better handling for pfkey socket read |
---|
1319 | errors. Submitted by Timo Teras. |
---|
1320 | |
---|
1321 | 2008-02-25 Emmanuel Dreyfus <manu@netbsd.org> |
---|
1322 | |
---|
1323 | * src/racoon/ipsec_doi.c: From Brian Haley <brian.haley@hp.com> |
---|
1324 | There's a cut/paste error in cmp_aproppair_i(), it's supposed to be |
---|
1325 | checking spi_size but it's not. I'm not sure this patch is correct, |
---|
1326 | but what's there isn't either. |
---|
1327 | |
---|
1328 | 2008-02-22 Emmanuel Dreyfus <manu@netbsd.org> |
---|
1329 | |
---|
1330 | * src/racoon/isakmp.c: Fix address length, from Brian Haley |
---|
1331 | |
---|
1332 | 2008-02-10 S.P.Zeidler <spz@netbsd.org> |
---|
1333 | |
---|
1334 | * src/racoon/ipsec_doi.c: closes PR bin/37644 did not meet violent |
---|
1335 | opposition ( :) ) on ipsec-tools-devel |
---|
1336 | |
---|
1337 | 2008-01-11 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1338 | |
---|
1339 | * src/racoon/isakmp_inf.c: From Timo Teras: reset iph1->dpd_r_u in |
---|
1340 | the scheduler's callback, to avoid access to freed memory. |
---|
1341 | |
---|
1342 | * src/racoon/crypto_openssl.c: From Krzysztof Oledzki: Fix |
---|
1343 | compilation with IDEA and recent gcc. |
---|
1344 | |
---|
1345 | * src/racoon/isakmp_inf.c: From Krzysztof Oledzki: added some |
---|
1346 | details to some logs (also reported new getph1byaddr() arg). |
---|
1347 | |
---|
1348 | * src/racoon/isakmp.c: From Krzysztof Oledzki: Only search for |
---|
1349 | established ph1 handles in DPD (also reported new getph1byaddr() |
---|
1350 | arg). |
---|
1351 | |
---|
1352 | * src/racoon/: handler.c, handler.h: added an 'established' arg to |
---|
1353 | getph1byaddr() |
---|
1354 | |
---|
1355 | 2007-12-31 Matthew Grooms <mgrooms@shrew.net> |
---|
1356 | |
---|
1357 | * src/racoon/: policy.c, racoonctl.8, racoonctl.c: Add GRE protocol |
---|
1358 | number to racoonctl. Correct id wildcard matching for transport |
---|
1359 | mode. Submitted by Timo Teras. |
---|
1360 | |
---|
1361 | 2007-12-12 Matthew Grooms <mgrooms@shrew.net> |
---|
1362 | |
---|
1363 | * NEWS, src/racoon/isakmp_quick.c: Add corrections submitted in a |
---|
1364 | follow up patch for the nat-t oa support. |
---|
1365 | |
---|
1366 | * src/racoon/: handler.c, handler.h, isakmp_quick.c, pfkey.c: Add |
---|
1367 | support for nat-t oa payload handling. Submitted by Timo Teras. |
---|
1368 | |
---|
1369 | 2007-12-04 Matthew Grooms <mgrooms@shrew.net> |
---|
1370 | |
---|
1371 | * src/racoon/: ipsec_doi.c, ipsec_doi.h, isakmp_quick.c: Modify |
---|
1372 | ipsecdoi_sockaddr2id() to obtain an id without specifying the exact |
---|
1373 | prefix length. Correct a memory leak in phase2. Both submitted by |
---|
1374 | Timo Teras. |
---|
1375 | |
---|
1376 | 2007-12-01 Thomas Klausner <wiz@netbsd.org> |
---|
1377 | |
---|
1378 | * src/racoon/racoon.conf.5: Fix typos. New sentence, new line. |
---|
1379 | |
---|
1380 | 2007-11-29 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1381 | |
---|
1382 | * src/racoon/Makefile.am: From Natanael Copa: fixed a race |
---|
1383 | condition when building yacc stuff. |
---|
1384 | |
---|
1385 | 2007-11-09 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1386 | |
---|
1387 | * src/racoon/pfkey.c: From Arnaud Ebalard: Some sanity checking in |
---|
1388 | pk_recv() |
---|
1389 | |
---|
1390 | * src/racoon/policy.c: From Arnaud Ebalard: Better matching of SPD |
---|
1391 | entries in getsp_r(). |
---|
1392 | |
---|
1393 | * src/racoon/isakmp_quick.c: From Arnaud Ebalard: Added some debug |
---|
1394 | in get_proposal_r(). |
---|
1395 | |
---|
1396 | 2007-10-19 Emmanuel Dreyfus <manu@netbsd.org> |
---|
1397 | |
---|
1398 | * src/racoon/: isakmp_cfg.c, isakmp_unity.c, isakmp_unity.h, |
---|
1399 | racoon.conf.5: Add SPLITNET_{INCLUDR_LOCAL}_CIDR to hook scripts |
---|
1400 | |
---|
1401 | 2007-10-15 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1402 | |
---|
1403 | * src/libipsec/pfkey.c: Try to increase the buffer size of the |
---|
1404 | pfkey socket, this may help things when we have a huge SPD |
---|
1405 | |
---|
1406 | 2007-10-02 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1407 | |
---|
1408 | * src/racoon/crypto_openssl.c: From Scott Lamb: include plog.h to |
---|
1409 | work with the new plog macro. |
---|
1410 | |
---|
1411 | * src/racoon/kmpstat.c: From Scott Lamb: plog changed to _plog to |
---|
1412 | work with new plog macro |
---|
1413 | |
---|
1414 | * src/racoon/: plog.c, plog.h: From Scott Lamb: new plog macro. |
---|
1415 | |
---|
1416 | 2007-09-19 Matthew Grooms <mgrooms@shrew.net> |
---|
1417 | |
---|
1418 | * src/racoon/isakmp.c: Set REUSE option on sockets to prevent |
---|
1419 | failures associated with closing and immediately re-opening. |
---|
1420 | Submitted by Gabriel Somlo. |
---|
1421 | |
---|
1422 | * src/racoon/isakmp_unity.c: Prevent duplicate entries in splitnet |
---|
1423 | list. Submitted by Gabriel Somlo. |
---|
1424 | |
---|
1425 | 2007-09-13 Matthew Grooms <mgrooms@shrew.net> |
---|
1426 | |
---|
1427 | * configure.ac: Fix autoconf check for selinux support. Submitted |
---|
1428 | by Joy Latten. |
---|
1429 | |
---|
1430 | 2007-09-12 Matthew Grooms <mgrooms@shrew.net> |
---|
1431 | |
---|
1432 | * src/racoon/: cfparse.y, cftoken.l, handler.c, isakmp_quick.c, |
---|
1433 | pfkey.c, racoon.conf.5, sainfo.c, sainfo.h: Implement clientaddr |
---|
1434 | sainfo remote id option and refine the sainfo man page syntax. |
---|
1435 | |
---|
1436 | 2007-09-05 Matthew Grooms <mgrooms@shrew.net> |
---|
1437 | |
---|
1438 | * src/racoon/sainfo.c: Sort sainfo sections on insert and improve |
---|
1439 | matching logic. |
---|
1440 | |
---|
1441 | 2007-09-03 Matthew Grooms <mgrooms@shrew.net> |
---|
1442 | |
---|
1443 | * src/racoon/: cftoken.l, racoon.conf.5: Correct the syntax for |
---|
1444 | wins4 in the man page and add nbns4 as an alias. Pointed out by |
---|
1445 | Claas Langbehn. |
---|
1446 | |
---|
1447 | 2007-08-07 Emmanuel Dreyfus <manu@netbsd.org> |
---|
1448 | |
---|
1449 | * src/racoon/isakmp_xauth.c: src/racoon/isakmp_xauth.c: Don't mix |
---|
1450 | up RADIUS authentication and authorization ports. Allow |
---|
1451 | interoperability with freeradius |
---|
1452 | |
---|
1453 | 2007-07-24 Matthew Grooms <mgrooms@shrew.net> |
---|
1454 | |
---|
1455 | * NEWS: Update NEWS file with additional 0.7 improvements. |
---|
1456 | |
---|
1457 | 2007-07-18 Matthew Grooms <mgrooms@shrew.net> |
---|
1458 | |
---|
1459 | * src/racoon/racoon.conf.5: Various racoon configuration manpage |
---|
1460 | updates. |
---|
1461 | |
---|
1462 | 2007-07-18 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1463 | |
---|
1464 | * configure.ac, src/libipsec/ipsec_dump_policy.c, |
---|
1465 | src/libipsec/ipsec_get_policylen.c, |
---|
1466 | src/libipsec/ipsec_strerror.c, src/libipsec/key_debug.c, |
---|
1467 | src/libipsec/libpfkey.h, src/libipsec/pfkey.c, |
---|
1468 | src/libipsec/pfkey_dump.c, src/libipsec/policy_parse.y, |
---|
1469 | src/libipsec/policy_token.l, src/libipsec/test-policy-priority.c, |
---|
1470 | src/racoon/admin.c, src/racoon/backupsa.c, src/racoon/cfparse.y, |
---|
1471 | src/racoon/cftoken.l, src/racoon/ipsec_doi.c, |
---|
1472 | src/racoon/isakmp.c, src/racoon/isakmp_inf.c, |
---|
1473 | src/racoon/isakmp_quick.c, src/racoon/pfkey.c, |
---|
1474 | src/racoon/policy.c, src/racoon/proposal.c, |
---|
1475 | src/racoon/remoteconf.c, src/racoon/sainfo.c, |
---|
1476 | src/racoon/session.c, src/racoon/sockmisc.c, |
---|
1477 | src/racoon/strnames.c, src/setkey/parse.y, src/setkey/setkey.c, |
---|
1478 | src/setkey/token.l: use a single PATH_IPSEC_H to fix some |
---|
1479 | path_to_ipsec.h issues |
---|
1480 | |
---|
1481 | 2007-07-16 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1482 | |
---|
1483 | * src/racoon/grabmyaddr.c: fixed a socket leak |
---|
1484 | |
---|
1485 | * src/racoon/proposal.c: indentation |
---|
1486 | |
---|
1487 | 2007-06-07 Emmanuel Dreyfus <manu@netbsd.org> |
---|
1488 | |
---|
1489 | * src/racoon/isakmp_cfg.c: From Paul Winder |
---|
1490 | <Paul.Winder@tadpole.com>: Fix ignored INTERNAL_DNS4_LIST |
---|
1491 | |
---|
1492 | 2007-06-06 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1493 | |
---|
1494 | * src/racoon/: eaytest.c, var.h: From Rong-En Fan: fix compilation |
---|
1495 | with gcc 4.2 |
---|
1496 | |
---|
1497 | * src/racoon/session.c: From Jianli Liu: speed up interfaces update |
---|
1498 | when they change. |
---|
1499 | |
---|
1500 | * src/racoon/handler.c: ignore obsolete lifebyte when validating |
---|
1501 | reloaded configuration |
---|
1502 | |
---|
1503 | 2007-05-31 Emmanuel Dreyfus <manu@netbsd.org> |
---|
1504 | |
---|
1505 | * src/racoon/: main.c, policy.h, security.c: From Joy Latten |
---|
1506 | <latten@austin.ibm.com> Fix file descriptor shortage when using |
---|
1507 | labeled IPsec. |
---|
1508 | |
---|
1509 | 2007-05-30 Emmanuel Dreyfus <manu@netbsd.org> |
---|
1510 | |
---|
1511 | * src/racoon/kmpstat.c: From Jianli Liu <jlliu@nortel.com>: In |
---|
1512 | racoonctl, use the specified socket path instead of the default |
---|
1513 | location |
---|
1514 | |
---|
1515 | 2007-05-16 Christos Zoulas <christos@netbsd.org> |
---|
1516 | |
---|
1517 | * src/racoon/cfparse.y: coverity CID 4168: yyerror() does not |
---|
1518 | return, so we proceed to de-reference NULL. Make it return -1 |
---|
1519 | instead like in other places. |
---|
1520 | |
---|
1521 | * src/racoon/cfparse.y: coverity CID 4170: yyerror() does not |
---|
1522 | return, so we proceed to de-reference NULL. Make it return -1 |
---|
1523 | instead like in other places. |
---|
1524 | |
---|
1525 | 2007-05-04 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1526 | |
---|
1527 | * src/racoon/handler.c: search a ph1 by address if iph2->ph1 is |
---|
1528 | NULL when validating the new config |
---|
1529 | |
---|
1530 | * src/racoon/handler.c: added some debug in getph1byaddr() to track |
---|
1531 | some port matching problems with NAT-T |
---|
1532 | |
---|
1533 | * src/racoon/isakmp.c: added some debug in isakmp_chkph1there() to |
---|
1534 | track some port matching problems with NAT-T |
---|
1535 | |
---|
1536 | * src/racoon/isakmp_inf.c: added some debug for DELETE_SA process |
---|
1537 | |
---|
1538 | * src/racoon/pfkey.c: Force the update of ph2 in pk_recvupdate() if |
---|
1539 | NAT_T support, to solve some port match problems with the first |
---|
1540 | IPSec SAs negotiated as initiator |
---|
1541 | |
---|
1542 | 2007-04-04 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1543 | |
---|
1544 | * src/racoon/ipsec_doi.c: checks proto_id in ipsecdoi_chkcmpids() |
---|
1545 | |
---|
1546 | * src/racoon/oakley.c: dumps peer's ID and peer's certificate |
---|
1547 | subject /subjectaltname if they don't match |
---|
1548 | |
---|
1549 | 2007-03-26 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1550 | |
---|
1551 | * src/racoon/isakmp_inf.c: Store the DPD main scheduler in ph1 |
---|
1552 | handler, to be able to cancel it when removing the handler, and some |
---|
1553 | minor cleanups in DPD code |
---|
1554 | |
---|
1555 | 2007-03-24 Christos Zoulas <christos@netbsd.org> |
---|
1556 | |
---|
1557 | * src/racoon/isakmp_xauth.c: PR/36069: Huang Yushuo: racoon can't |
---|
1558 | work with pam_group Set RUSER. |
---|
1559 | |
---|
1560 | 2007-03-23 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1561 | |
---|
1562 | * src/racoon/: ipsec_doi.c, security.c: From Joy Latten: fix a |
---|
1563 | segfault when using security labels between 32bit and 64bit host. |
---|
1564 | |
---|
1565 | * src/racoon/handler.c: expire zombie handlers in getph2byid(), to |
---|
1566 | avoid situations where we'll never negotiate a phase2 again |
---|
1567 | |
---|
1568 | * src/racoon/: oakley.c, racoon.conf.5: From Cyrus Rahman: give |
---|
1569 | more details about what is checked when using certificates to |
---|
1570 | authenticate |
---|
1571 | |
---|
1572 | 2007-03-22 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1573 | |
---|
1574 | * src/racoon/: cfparse.y, ipsec_doi.c: fixed subnet check to |
---|
1575 | generate IPV4_ADDRESS when needed in sockaddr2id() |
---|
1576 | |
---|
1577 | 2007-03-21 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1578 | |
---|
1579 | * src/racoon/: handler.c, isakmp.c, isakmp_inf.c, pfkey.c: NULL |
---|
1580 | sched check is now done in SCHED_KILL |
---|
1581 | |
---|
1582 | * src/racoon/schedule.h: checks if arg is NULL in SCHED_KILL |
---|
1583 | |
---|
1584 | 2007-03-15 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1585 | |
---|
1586 | * src/racoon/grabmyaddr.c: From Yves-Alexis Perez: enable |
---|
1587 | monitoring of ipv6 address changes on Linux. |
---|
1588 | |
---|
1589 | * src/racoon/isakmp.c: Consider a negotiation timeout when |
---|
1590 | retry_counter is <=0 instead of < 0 |
---|
1591 | |
---|
1592 | 2007-02-28 Matthew Grooms <mgrooms@shrew.net> |
---|
1593 | |
---|
1594 | * src/racoon/ipsec_doi.c: Add logic to allow ip address ids to be |
---|
1595 | matched to ip subnet ids when appropriate. |
---|
1596 | |
---|
1597 | 2007-02-21 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1598 | |
---|
1599 | * src/racoon/ipsec_doi.c: block variable declaration before code in |
---|
1600 | ipsecdoi_id2str() |
---|
1601 | |
---|
1602 | 2007-02-20 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1603 | |
---|
1604 | * src/racoon/isakmp_inf.c: Removed a debug printf.... |
---|
1605 | |
---|
1606 | * src/racoon/isakmp.c: Only delete a generated SPD if its creation |
---|
1607 | date matches the creation date of the SA we are currently deleting |
---|
1608 | |
---|
1609 | * src/racoon/: handler.c, isakmp_var.h: updated delete_spd() calls |
---|
1610 | |
---|
1611 | * src/racoon/: isakmp_inf.c, pfkey.c: fills creation date of |
---|
1612 | generated SPDs |
---|
1613 | |
---|
1614 | * src/racoon/policy.h: added 'created' var |
---|
1615 | |
---|
1616 | 2007-02-19 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1617 | |
---|
1618 | * src/racoon/isakmp.c: Removed a debug printf.... |
---|
1619 | |
---|
1620 | 2007-02-16 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1621 | |
---|
1622 | * src/racoon/ipsec_doi.c: From Olivier Warin: Fix a %zu in a |
---|
1623 | printf. |
---|
1624 | |
---|
1625 | 2007-02-15 Emmanuel Dreyfus <manu@netbsd.org> |
---|
1626 | |
---|
1627 | * src/racoon/security.c: Missing SELinux file |
---|
1628 | |
---|
1629 | * configure.ac: Missing stuff for SELinux |
---|
1630 | |
---|
1631 | 2007-02-15 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1632 | |
---|
1633 | * src/racoon/isakmp_inf.c: From "Uncle Pedro" on sf.net: Just |
---|
1634 | expire a ph1 handle when receiving a DELETE-SA instead of calling |
---|
1635 | purge_remote(). |
---|
1636 | |
---|
1637 | * src/racoon/isakmp.c: Fixed the way phase1/2 messages are |
---|
1638 | sent/resent, to avoid zombie handles and access to freed memory |
---|
1639 | |
---|
1640 | 2007-02-02 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1641 | |
---|
1642 | * src/racoon/cfparse.y: Fixed a check of NAT-T support in libipsec |
---|
1643 | |
---|
1644 | 2007-02-01 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1645 | |
---|
1646 | * src/racoon/isakmp_inf.c: From "Uncle Pedro" on sf.net: When |
---|
1647 | receiving an ISAKMP DELETE_SA, get the cookie of the SA to be |
---|
1648 | deleted from payload instead of just deleting the ISAKMP SA used to |
---|
1649 | protect the informational exchange. |
---|
1650 | |
---|
1651 | 2006-12-26 Arnaud Lacombe <alc@netbsd.org> |
---|
1652 | |
---|
1653 | * src/racoon/ipsec_doi.c: CID-4167: check for 'iph1->approval != |
---|
1654 | NULL' |
---|
1655 | |
---|
1656 | 2006-12-23 Thomas Klausner <wiz@netbsd.org> |
---|
1657 | |
---|
1658 | * src/racoon/racoon.conf.5: Use even more macros. |
---|
1659 | |
---|
1660 | * src/racoon/racoon.conf.5: Use more macros. |
---|
1661 | |
---|
1662 | * src/racoon/racoon.conf.5: Serial comma, and bump date for |
---|
1663 | previous. |
---|
1664 | |
---|
1665 | 2006-12-18 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1666 | |
---|
1667 | * src/racoon/crypto_openssl.c: From Joy Latten: fix a memory leak |
---|
1668 | |
---|
1669 | 2006-12-10 Emmanuel Dreyfus <manu@netbsd.org> |
---|
1670 | |
---|
1671 | * src/: libipsec/Makefile.am, libipsec/libpfkey.h, |
---|
1672 | libipsec/pfkey.c, racoon/backupsa.c, racoon/cfparse.y, |
---|
1673 | racoon/pfkey.c: Bring back API and ABI backward compatibility |
---|
1674 | with previous libipsec before recent interface change. Bump libipsec |
---|
1675 | minor version. Remove ifdefs in struct pfkey_send_sa_args to avoid |
---|
1676 | ABI compatibility lossage. Add a capability flags to detect missing |
---|
1677 | optional feature in libipsec |
---|
1678 | |
---|
1679 | * src/racoon/: Makefile.am, doc/README.plainrsa: From Joy Latten: |
---|
1680 | README.plainrsa documenting plain RSA auth |
---|
1681 | |
---|
1682 | 2006-12-09 Emmanuel Dreyfus <manu@netbsd.org> |
---|
1683 | |
---|
1684 | * configure.ac, src/libipsec/libpfkey.h, src/libipsec/pfkey.c, |
---|
1685 | src/racoon/Makefile.am, src/racoon/backupsa.c, |
---|
1686 | src/racoon/backupsa.h, src/racoon/cftoken.l, |
---|
1687 | src/racoon/ipsec_doi.c, src/racoon/ipsec_doi.h, |
---|
1688 | src/racoon/isakmp_inf.c, src/racoon/isakmp_quick.c, |
---|
1689 | src/racoon/pfkey.c, src/racoon/policy.c, src/racoon/policy.h, |
---|
1690 | src/racoon/proposal.c, src/racoon/proposal.h, |
---|
1691 | src/racoon/remoteconf.c: From Joy Latten: Add support for SELinux |
---|
1692 | security contexts. Also cleanup the libipsec interface for adding |
---|
1693 | and updating security associations. |
---|
1694 | |
---|
1695 | * src/racoon/racoon.conf.5: From Simon Chang: More hints about |
---|
1696 | plain RSA authentication |
---|
1697 | |
---|
1698 | 2006-12-05 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1699 | |
---|
1700 | * src/racoon/: proposal.c, proposal.h, racoon.conf.5: Check keys |
---|
1701 | length regarding proposal_check level |
---|
1702 | |
---|
1703 | 2006-11-16 Matthew Grooms <mgrooms@shrew.net> |
---|
1704 | |
---|
1705 | * src/racoon/sainfo.c: Correct issues associated with anonymous |
---|
1706 | sainfo selection in racoon. |
---|
1707 | |
---|
1708 | 2006-11-09 Christos Zoulas <christos@netbsd.org> |
---|
1709 | |
---|
1710 | * src/racoon/crypto_openssl.c: eliminate the only variable stack |
---|
1711 | array allocation. |
---|
1712 | |
---|
1713 | 2006-10-31 Christian Biere <cbiere@netbsd.org> |
---|
1714 | |
---|
1715 | * src/racoon/sockmisc.c: Don't define the deprecated |
---|
1716 | IPV6_RECVDSTADDR if the "advanced IPv6 API" is used because |
---|
1717 | IPV6_RECVPKTINFO and IPV6_PKTINFO are used to prevent potential bugs |
---|
1718 | in the future just in case that the numeric value of the socket |
---|
1719 | option is ever recycled. |
---|
1720 | |
---|
1721 | 2006-10-22 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1722 | |
---|
1723 | * src/racoon/: backupsa.c, cfparse.y: From Michal Ruzicka: fix |
---|
1724 | typos |
---|
1725 | |
---|
1726 | 2006-10-19 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1727 | |
---|
1728 | * src/racoon/sainfo.c: From Matthew Grooms: use |
---|
1729 | ipsecdoi_chkcmpids() and changed src/dst to loc/rmt in getsainfo(). |
---|
1730 | |
---|
1731 | * src/racoon/: ipsec_doi.c, ipsec_doi.h: From Matthew Grooms: Added |
---|
1732 | ipsecdoi_chkcmpids() function. |
---|
1733 | |
---|
1734 | 2006-10-09 Emmanuel Dreyfus <manu@netbsd.org> |
---|
1735 | |
---|
1736 | * src/racoon/proposal.c: Fix memory leak (Coverity 3438 and 3437) |
---|
1737 | |
---|
1738 | * src/racoon/isakmp_unity.c: Correctly check read() return value: |
---|
1739 | it's signed (Coverity 1251) |
---|
1740 | |
---|
1741 | 2006-10-06 Emmanuel Dreyfus <manu@netbsd.org> |
---|
1742 | |
---|
1743 | * configure.ac, src/libipsec/pfkey_dump.c, src/racoon/algorithm.c, |
---|
1744 | src/racoon/algorithm.h, src/racoon/cftoken.l, |
---|
1745 | src/racoon/crypto_openssl.c, src/racoon/crypto_openssl.h, |
---|
1746 | src/racoon/eaytest.c, src/racoon/ipsec_doi.c, |
---|
1747 | src/racoon/ipsec_doi.h, src/racoon/oakley.h, src/racoon/pfkey.c, |
---|
1748 | src/racoon/racoon.conf.5, src/racoon/strnames.c, |
---|
1749 | src/setkey/setkey.8, src/setkey/test-pfkey.c, src/setkey/token.l: |
---|
1750 | Camellia cipher support as in RFC 4312, from Tomoyuki Okazaki |
---|
1751 | <okazaki@kick.gr.jp> |
---|
1752 | |
---|
1753 | 2006-10-03 Emmanuel Dreyfus <manu@netbsd.org> |
---|
1754 | |
---|
1755 | * src/racoon/admin.c: fix endianness issue introduced yesterday |
---|
1756 | |
---|
1757 | 2006-10-03 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1758 | |
---|
1759 | * src/racoon/racoon.conf.5: Added remoteid/ph1id syntax |
---|
1760 | |
---|
1761 | * src/racoon/: cfparse.y, cftoken.l: Parses remoteid/ph1id values |
---|
1762 | |
---|
1763 | * src/racoon/: handler.c, isakmp_quick.c, pfkey.c, sainfo.c: Uses |
---|
1764 | remoteid/ph1id values |
---|
1765 | |
---|
1766 | * src/racoon/: remoteconf.h, sainfo.h: Added remoteid/ph1id values |
---|
1767 | |
---|
1768 | 2006-10-02 Emmanuel Dreyfus <manu@netbsd.org> |
---|
1769 | |
---|
1770 | * src/racoon/isakmp_base.c: |
---|
1771 | avoid reusing free'd pointer (Coverity 2613) |
---|
1772 | |
---|
1773 | * src/racoon/isakmp_inf.c: Check for NULL pointer (Coverity 4175) |
---|
1774 | |
---|
1775 | * src/racoon/isakmp_ident.c: Remove dead code (Coverity 3451) |
---|
1776 | |
---|
1777 | * src/racoon/algorithm.c: Fix array overrun (Coverity 4172) |
---|
1778 | |
---|
1779 | * src/racoon/admin.c: Fix memory leak (Coverity 2002) |
---|
1780 | |
---|
1781 | * src/racoon/: admin.c, isakmp.c, sockmisc.c: Fix memory leak |
---|
1782 | (Coverity 2001), refactor the code to use port get/set functions |
---|
1783 | |
---|
1784 | * src/racoon/admin.c: Avoid reusing free'd pointer (Coverity 4200) |
---|
1785 | |
---|
1786 | * src/racoon/oakley.c: Don't use NULL pointer (Coverity 3443), |
---|
1787 | reformat to 80 char/line |
---|
1788 | |
---|
1789 | 2006-10-02 Tom Spindler <dogcow@netbsd.org> |
---|
1790 | |
---|
1791 | * src/racoon/ipsec_doi.c: If you're going to initialize a pointer, |
---|
1792 | you have to init it with a pointer type, not an int. |
---|
1793 | |
---|
1794 | 2006-10-02 Emmanuel Dreyfus <manu@netbsd.org> |
---|
1795 | |
---|
1796 | * src/racoon/isakmp.c: Don't use NULL pointer (coverity 3439) |
---|
1797 | |
---|
1798 | * src/racoon/ipsec_doi.c: Don't use NULL pointer (Coverity 1334) |
---|
1799 | |
---|
1800 | * src/racoon/pfkey.c: Don't use NULL pointer (Coverity 944) |
---|
1801 | |
---|
1802 | * src/racoon/proposal.c: Don't use NULL pointer (Coverity 941) |
---|
1803 | |
---|
1804 | * src/racoon/racoonctl.c: Don't use NULL pointer (Coverity 942) |
---|
1805 | |
---|
1806 | * src/racoon/sockmisc.c: Don't use null pointer (Coverity 863) |
---|
1807 | |
---|
1808 | 2006-10-01 Emmanuel Dreyfus <manu@netbsd.org> |
---|
1809 | |
---|
1810 | * src/racoon/ipsec_doi.c: Fix memory leak (Coverity 4181) |
---|
1811 | |
---|
1812 | * src/racoon/isakmp.c: Check that iph1->remote is not NULL before |
---|
1813 | using it (Coverity 3436) |
---|
1814 | |
---|
1815 | 2006-09-30 Emmanuel Dreyfus <manu@netbsd.org> |
---|
1816 | |
---|
1817 | * src/racoon/isakmp_agg.c: Remove dead code (Coverity 4165) |
---|
1818 | |
---|
1819 | * src/racoon/isakmp_cfg.c: Fix memory leak (Coverity 4179) |
---|
1820 | |
---|
1821 | * src/racoon/samples/roadwarrior/client/: phase1-down.sh, |
---|
1822 | phase1-up.sh: update the scripts for working around routing |
---|
1823 | problems on NetBSD |
---|
1824 | |
---|
1825 | * src/racoon/session.c: Reuse existing code for closing IKE |
---|
1826 | sockets, and avoid screwing things by setting p->sock = -1, which is |
---|
1827 | not expected (Coverity 4173). |
---|
1828 | |
---|
1829 | * src/racoon/admin.c: Do not free id and key, as they are used |
---|
1830 | later |
---|
1831 | |
---|
1832 | 2006-09-29 Emmanuel Dreyfus <manu@netbsd.org> |
---|
1833 | |
---|
1834 | * src/racoon/racoonctl.c: Fix the fix: handle_recv closes the |
---|
1835 | socket, so we must call com_init before sending any data. |
---|
1836 | |
---|
1837 | 2006-09-28 Emmanuel Dreyfus <manu@netbsd.org> |
---|
1838 | |
---|
1839 | * src/racoon/isakmp_xauth.c: Fix unchecked mallocs (Coverity 4176, |
---|
1840 | 4174) |
---|
1841 | |
---|
1842 | * src/racoon/racoonctl.c: Fix access after free (Coverity 4178) |
---|
1843 | |
---|
1844 | 2006-09-26 Emmanuel Dreyfus <manu@netbsd.org> |
---|
1845 | |
---|
1846 | * src/racoon/cfparse.y: Fix memory leak (Coverity) |
---|
1847 | |
---|
1848 | * src/racoon/backupsa.c: Fix memory leak (Coverity) |
---|
1849 | |
---|
1850 | * src/racoon/admin.c: Remove dead code (Coverity) |
---|
1851 | |
---|
1852 | * src/racoon/admin.c: Fix memory leak (Coverity) |
---|
1853 | |
---|
1854 | * src/racoon/admin.c: One more memory leak |
---|
1855 | |
---|
1856 | * src/racoon/admin.c: Fix memory leak in racoonctl (coverity) |
---|
1857 | |
---|
1858 | * src/racoon/ipsec_doi.c: Fix buffer overflow. Also fix credits: SA |
---|
1859 | bundle fix was contributed by Jeff Bailey, not Matthew Grooms. |
---|
1860 | Matthew updated the patch for current code, though. |
---|
1861 | |
---|
1862 | * src/racoon/: pfkey.c, proposal.c: fix SA bundle (e.g.: for |
---|
1863 | negotiating ESP+IPcomp) |
---|
1864 | |
---|
1865 | 2006-09-25 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1866 | |
---|
1867 | * src/racoon/isakmp.c: From Yves-Alexis Perez: struct ip -> struct |
---|
1868 | iphdr for Linux |
---|
1869 | |
---|
1870 | 2006-09-25 Emmanuel Dreyfus <manu@netbsd.org> |
---|
1871 | |
---|
1872 | * src/racoon/isakmp.c: style (mostly for testing |
---|
1873 | ipsec-tools-commits@netbsd.org) |
---|
1874 | |
---|
1875 | * src/racoon/ipsec_doi.c: Fix double free, from Matthew Grooms |
---|
1876 | |
---|
1877 | 2006-09-21 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1878 | |
---|
1879 | * src/libipsec/pfkey.c: use sysdep_sa_len to make it compile on |
---|
1880 | Linux |
---|
1881 | |
---|
1882 | 2006-09-19 Thomas Klausner <wiz@netbsd.org> |
---|
1883 | |
---|
1884 | * src/racoon/racoon.conf.5: Bump date for ike_frag force. |
---|
1885 | |
---|
1886 | * src/racoon/: plainrsa-gen.8, racoon.conf.5: New sentence, new |
---|
1887 | line. |
---|
1888 | |
---|
1889 | * src/racoon/: racoon.conf.5, plainrsa-gen.8: Remove trailing |
---|
1890 | whitespace. |
---|
1891 | |
---|
1892 | 2006-09-19 Yvan Vanhullebus <vanhu@netasq.com> |
---|
1893 | |
---|
1894 | * src/racoon/proposal.c: From Yves-Alexis Perez: fixes default |
---|
1895 | value for encmodesv in set_proposal_from_policy() |
---|
1896 | |
---|
1897 | * src/racoon/isakmp.c: always include some headers, as they are |
---|
1898 | required even without NAT-T |
---|
1899 | |
---|
1900 | * src/: libipsec/pfkey_dump.c, setkey/token.l: From Larry Baird: |
---|
1901 | define SADB_X_EALG_AESCBC as SADB_X_EALG_AES if needed |
---|
1902 | |
---|
1903 | * src/racoon/crypto_openssl.c: From Larry Baird: some printf() -> |
---|
1904 | plog() |
---|
1905 | |
---|
1906 | 2006-09-18 Emmanuel Dreyfus <manu@netbsd.org> |
---|
1907 | |
---|
1908 | * src/racoon/: cfparse.y, cftoken.l, isakmp.c, isakmp_frag.h, |
---|
1909 | isakmp_inf.c, racoon.conf.5, remoteconf.c: From Matthew Grooms: |
---|
1910 | ike_frag force option to force the use of IKE on first packet |
---|
1911 | exchange (prior to peer consent) |
---|
1912 | |
---|
1913 | * src/racoon/isakmp.c: From Matthew Grooms: handle IKE frag used in |
---|
1914 | the first packet. That should not normally happen, as the initiator |
---|
1915 | does not know yet if the responder can handle IKE frag. However, in |
---|
1916 | some setups, the first packet is too big to get through, and |
---|
1917 | assuming the peer supports IKE frag is the only way to go. |
---|
1918 | |
---|
1919 | racoon should have a setting in the remote section to do that |
---|
1920 | (something like ike_frag force) |
---|
1921 | |
---|
1922 | 2006-09-16 Emmanuel Dreyfus <manu@netbsd.org> |
---|
1923 | |
---|
1924 | * src/racoon/ipsec_doi.c: Trivial bugfix in RFC2407 4.6.2 |
---|
1925 | conformance, from Matthew Grooms |
---|
1926 | |
---|
1927 | 2006-09-15 Emmanuel Dreyfus <manu@netbsd.org> |
---|
1928 | |
---|
1929 | * src/racoon/ipsec_doi.c: Fix build on Linux |
---|
1930 | |
---|
1931 | For older changes see ChangeLog.old |
---|