2013-01-08 tag ipsec-tools-0_8_1
2013-01-08 Timo Teras <timo.teras@iki.fi>
* NEWS, configure.ac: ipsec-tools-0.8.1
* configure.ac: Fix errors from automake 1.13
* src/include-glibc/Makefile.am: Don't derefence the directory
symlink which we might be recreating.
2012-12-24 Timo Teras <timo.teras@iki.fi>
* src/racoon/crypto_openssl.c: From Götz Babin-Ebell
<g.babin-ebell@novamedia.de>: Smarter X.509 subject name compare.
* configure.ac, src/racoon/crypto_openssl.c,
src/racoon/missing/crypto/sha2/sha2.c: From Götz Babin-Ebell
<g.babin-ebell@novamedia.de>: Require OpenSSL 0.9.8s or higher
2012-08-29 Timo Teras <timo.teras@iki.fi>
* src/racoon/isakmp_inf.c: From Roman Hoog Antink <rha@open.ch>:
Accept DPD messages with cookies also in reversed order for
compatiblity. At least Cisco 836 running IOS 12.3(8)T does this.
* src/racoon/oakley.c: From Roman Hoog Antink <rha@open.ch>: add
remote's IP address to the "certificate not verified" error message.
* src/racoon/oakley.c: From Roman Hoog Antink <rha@open.ch>: do not
print unnecessary warning about non-verified certificate when using
raw plain-rsa.
* src/racoon/isakmp.c: From Rainer Weikusat
<rweikusat@mobileactivedefense.com>: Release unused phase2 of
passive remotes after acquire.
* src/racoon/isakmp.c: From Wolfgang Schmieder
<wolfgang.schmieder@honeywell.com>: setup phase1 port properly.
* src/racoon/: cfparse.y, cftoken.l, racoon.conf.5: Allow inherited
remote blocks without additional remote statements to be specified
in a simpler way. patch by Roman Hoog Antink <rha@open.ch>
2012-08-23 Timo Teras <timo.teras@iki.fi>
* src/racoon/crypto_openssl.c: From Nakano Takaharu: Fix bignum
memory allocation.
2012-01-01 Timo Teras <timo.teras@iki.fi>
* src/racoon/isakmp_unity.c: From Rainer Weikusat
<rweikusat@mobileactivedefense.com>: Fix one byte too short memory
allocation in isakmp_unity.c:splitnet_list_2str().
2011-11-17 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/handler.c: fixed some crashes in LIST_FOREACH where
current element could be removed during the loop
2011-11-14 Timo Teras <timo.teras@iki.fi>
* src/libipsec/pfkey.c: From Marcelo Leitner <mleitner@redhat.com>:
do not shrink pfkey socket buffers (if system default is larger than
what we want as minimum)
2011-08-12 Timo Teras <timo.teras@iki.fi>
* src/racoon/privsep.c: Have privilege separation child process
exit if the parent exits.
* Makefile.am: Create ChangeLog for proper CVS branch.
2011-03-18 tag ipsec-tools-0_8_0
2011-03-18 Yvan Vanhullebus <vanhu@netasq.com>
* configure.ac: Yes: 0.8.0 is out !!!
* NEWS: updated News for 0.8 branch
2011-03-17 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/oakley.c: fixed a memory leak in
oakley_append_rmconf_cr() while generating plist. patch by Roman
Hoog Antink <rha@open.ch>
* src/racoon/oakley.c: free name later, to avoid a memory use after
free in oakley_check_certid(). also give iph1->remote to some plog()
calls. patch by Roman Hoog Antink <rha@open.ch>
* src/racoon/oakley.c: fixed a memory leak in
oakley_check_certid(). patch by Roman Hoog Antink <rha@open.ch>
2011-03-15 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/: isakmp.c, isakmp_inf.c, pfkey.c: directly call
isakmp_ph1delete() instead of scheduling isakmp_ph1delete_stub(), as
it is useless an can lead to memory access after free
2011-03-14 Timo Teras <timo.teras@iki.fi>
* src/racoon/: grabmyaddr.c, handler.c, isakmp.c, isakmp_inf.c,
isakmp_quick.c, nattraversal.c, pfkey.c, policy.c, sockmisc.c,
sockmisc.h, throttle.c: Explicitly compare return value of
cmpsaddr() against a return value define to make it more obvious
what is the intended action. One more return value is also added, to
fix comparison of security policy descriptors. Namely, getsp()
should not allow wildcard matching (as the comment says, it does
exact matching) - otherwise we get problems when kernel has generic
policy with no ports, and a second similar policy with ports.
2011-03-14 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/: cfparse.y, isakmp_xauth.c, isakmp_xauth.h,
remoteconf.c, remoteconf.h, rsalist.c, rsalist.h: avoid some
memory leaks / free memory access when reloading conf and have
inherited config. patch from Roman Hoog Antink <rha@open.ch>
* src/racoon/handler.c: removed an useless comment
* src/racoon/handler.c: check if we got RMCONF_ERR_MULTIPLE from
getrmconf_by_ph1() in revalidate_ph1tree_rmconf()
2011-03-11 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/: handler.c, isakmp.c: directly delete a ph1 in
remove_ph1-) instead of scheduling it, to avoid (completely ?) a
race condition when reloading configuration
2011-03-06 Timo Teras <timo.teras@iki.fi>
* src/racoon/privsep.c: Quiet a gcc warning when strict-aliasing
checks are enabled. Reported by Stephen Clark.
2011-03-02 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/session.c: flush sainfo list when closing session.
patch by Roman Hoog Antink <rha@open.ch>
* src/racoon/: remoteconf.c, rsalist.c, rsalist.h: free rsa
structures when deleting a struct rmconf. patch by Roman Hoog Antink
<rha@open.ch>
* src/racoon/: cfparse.y, remoteconf.c, remoteconf.h: free spspec
when deleting a rmconf struct. patch by Roman Hoog Antink
<rha@open.ch>
* src/racoon/: remoteconf.c, session.c: fixed some memory leaks in
remoteconf. patch by Roman Hoog Antink <rha@open.ch>
* src/racoon/: cfparse.y, prsa_par.y: fixed some memory leaks
during configuration parsing. patch by Roman Hoog Antink
<rha@open.ch>
2011-03-01 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/: isakmp.c, pfkey.c: plog text fixes, patch from M E
Andersson <debian@gisladisker.se>
* src/racoon/cfparse.y: reset yyerrorcount before doing parse
stuff. patch by Roman Hoog Antink <rha@open.ch>
2011-02-20 Timo Teras <timo.teras@iki.fi>
* src/racoon/oakley.c: From Roman Hoog Antink <rha@open.ch>: Fix
memory leak when using plain RSA key authentication.
2011-02-11 Timo Teras <timo.teras@iki.fi>
* src/racoon/plainrsa-gen.c: From Mats E Andersson
<debian@gisladisker.se>: Fix fprintf format specifier usage from
previous patch.
2011-02-10 Timo Teras <timo.teras@iki.fi>
* src/racoon/plainrsa-gen.c: From Mats Erik Andersson
<debian@gisladisker.se>: Implement importing of RSA keys from PEM
files.
* src/racoon/prsa_par.y: From M E Andersson
<debian@gisladisker.se>: Fix parsing of restricted RSA key
addresses.
2011-02-02 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/: cftoken.l, isakmp.c, remoteconf.h, sainfo.c,
sainfo.h: store ph1id in an u_int32_t instead of a (signed)int.
Patch from Christophe Carre
2011-01-28 Timo Teras <timo.teras@iki.fi>
* src/racoon/: sainfo.c, sainfo.h, session.c: From Roman Hoog
Antink <rha@open.ch>: Clean up sainfo reloading: rename the
functions, and remove unneeded global variable.
* src/racoon/: remoteconf.c, remoteconf.h, session.c: From Roman
Hoog Antink <rha@open.ch>: Clean up rmconf reloading: rename the
functions, and remove unneeded global variable.
* src/racoon/plog.c: From Roman Hoog Antink <rha@open.ch>: Log
remote IP address if available (slightly modified by tteras)
2011-01-22 Timo Teras <timo.teras@iki.fi>
* src/racoon/isakmp_inf.c: From Roman Hoog Antink <rha@open.ch>:
Fixes a null pointer dereference that might occur after removing
peers from the config and then reloading.
2011-01-20 Yvan Vanhullebus <vanhu@netasq.com>
* src/libipsec/pfkey.c: fixed a typo, it will now compile when
KMADDRESS is defined. reported by Roman Hoog Antink (rha (at)
open.ch)
2010-12-28 Timo Teras <timo.teras@iki.fi>
* src/racoon/handler.c: From Roman Hoog Antink <rha@open.ch>: Fix
config reload to not delete too many phase 2 handles, because wrong
chain field is used when enumerating the handles.
2010-12-16 gdt
* src/racoon/oakley.c: When encountering a certificate where "ID
mismatched with ASN1 SubjectName", and verify_identifier is off,
don't raise an error. This makes the behavior match the man page.
Patch sent for review long ago:
http://mail-index.netbsd.org/tech-security/2006/03/24/0000.html
with no negative feedback received to date.
2010-12-14 Timo Teras <timo.teras@iki.fi>
* src/racoon/ipsec_doi.c: From Roman Hoog Antink <rha@open.ch>: Fix
possible null derefence.
2010-12-08 Timo Teras <timo.teras@iki.fi>
* src/racoon/admin.c: Use separate SA addresses for phase2's
created by admin command. The phase2 startup overwrites src/dst with
ISAKMP ports if they are zero and we don't want that to happen for
the SA ports.
2010-12-08 joerg
* src/libipsec/pfkey.c: ANSIfy
2010-12-07 Timo Teras <timo.teras@iki.fi>
* src/racoon/isakmp_quick.c: Fix spacing and improve wording in
some log messages.
2010-12-03 Timo Teras <timo.teras@iki.fi>
* src/libipsec/ipsec_dump_policy.c: Recognize direction for Linux
per-socket policies.
* src/: libipsec/libpfkey.h, libipsec/pfkey_dump.c, setkey/parse.y,
setkey/setkey.8: Support GRE key as upper layer protocol
specifier (will be supported in Linux kernel 2.6.38).
* src/racoon/grabmyaddr.c: Netlink deletion notification does not
guarentee actual address deletion: it might still exist on some
other interface. Make sure we do not unbind unless the address is
really gone.
2010-11-17 Timo Teras <timo.teras@iki.fi>
* src/racoon/: handler.c, handler.h, isakmp.c, isakmp_inf.c: Fix my
previous patch to not call purge_remote() twice. Change the place
where purge_remote() is called. This fixes also a possible crash
from the same patch since ph1->remote can be NULL (when we are
responder and config is not yet selected).
2010-11-12 Timo Teras <timo.teras@iki.fi>
* src/racoon/: admin.c, isakmp.c, isakmp_var.h, pfkey.c:
isakmp_post_acquire is now called from admin commands too, add a
flag so admin commands can be used to establish even passive links
on demand.
* src/racoon/isakmp.c: Purge all IPsec-SA's if the last main
ISAKMP-SA for the node is deleted by remote request and the phase1
rekeying is enabled (this will also trigger the new phase1_dead
script hook).
* src/racoon/: handler.h, isakmp_inf.c: Improve DPD sequence checks
to allow any reply within valid sequence window to be proof of
livelyness. This can improves things if there's random packet
delays, or if racoon is not getting enough CPU time.
* src/racoon/: admin.c, admin.h, kmpstat.c, racoonctl.c: Extern
admin protocol to allow reply packets to exceed 64kb. E.g SA dumps
with many established SAs can be easily over the limit.
2010-10-22 Timo Teras <timo.teras@iki.fi>
* src/racoon/grabmyaddr.c: Change Linux Netlink address monitoring
to monitor local route changes. This works around a kernel bug, and
slightly improves behaviour on some special cases.
2010-10-21 Timo Teras <timo.teras@iki.fi>
* src/racoon/: admin.c, evt.c, grabmyaddr.c, isakmp.c, pfkey.c,
session.c, session.h: Introduce priorities for file descriptor
polling mechanism and give priority to admin port. If admin port is
used by ISAKMP-SA hook scripts they should be preferred, other wise
heavy traffic can delay admin port requests considerably. This in
turn may cause renegotiation loop for ISAKMP-SA. This is mostly
useful for OpenNHRP setup, but can benefit other setups too.
* src/racoon/: admin.c, handler.c, handler.h: Remove
initial-contact entry when all ISAKMP-SA are purged via adminport.
This will avoid stale security associations if some of the delete
notifications happens to get lost.
2010-10-20 Timo Teras <timo.teras@iki.fi>
* src/racoon/crypto_openssl.c: Use high-level openssl EVP and HMAC
functions when possible: this allows openssl to perform hardware
acceleration if available.
* src/racoon/: isakmp.c, isakmp_quick.c: Various improvements to
error log messages and a few additional error log messages to
improve diagnosing an error condition.
* src/racoon/grabmyaddr.c: Fix address comparison so we actually
close sockets which were bound to IP-address that got deconfigured.
2010-10-11 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/ipsec_doi.c: report a higher encryption key length in
approval for OBEY / CLAIM / STRICT modes
2010-09-27 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/isakmp_xauth.c: fixed some typos in logs (reported by
fazaeli (at) sepehrs.com)
2010-09-24 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/cftoken.l: fixed a fd leak, patch by getlaser (at)
gmail.com
2010-09-22 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/admin.c: get the correct length of username when
processing ADMIN_LOGOUT_USER, patch by rweikusat (at) mssgmbh.com
* src/racoon/nattraversal.h: fixed a typo in macros, reported by
marisp (at) mt.lv
2010-09-21 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/isakmp_cfg.c: moved from utmp.h to utmpx.h (patch
provided by marcin.cieslak (at) gmail.com)
2010-09-08 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/remoteconf.c: fixed remoteconf selection when no ID
specified in configuration, and added some debug to remoteconf
selection
2010-08-26 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/remoteconf.c: fix by Sergio.Gelato (at) astro.su.se:
duplicate some dynamic values in duprmconf()
2010-08-04 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/isakmp_cfg.c: fixed answer for IP4_SUBNET request
2010-07-30 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/doc/FAQ: updated link to NetBSD's documentation
2010-06-22 Thomas Klausner <wiz@netbsd.org>
* src/racoon/racoon.conf.5: Bump date for previous.
2010-06-22 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/: cfparse.y, cftoken.l, isakmp.c, isakmp_inf.c,
racoon.conf.5, remoteconf.c, remoteconf.h: added a specific
script hook when a dead peer is detected
2010-06-04 Thomas Klausner <wiz@netbsd.org>
* src/setkey/setkey.8: New sentence, new line. Bump date for
previous.
2010-06-04 Yvan Vanhullebus <vanhu@netasq.com>
* src/setkey/: parse.y, setkey.8, token.l: Added support for
spdupdate command in setkey
2010-04-07 Yvan Vanhullebus <vanhu@netasq.com>
* src/libipsec/ipsec_strerror.c: by Eric Preston: fixed a typo
2010-04-02 Christos Zoulas <christos@netbsd.org>
* src/: libipsec/pfkey_dump.c, racoon/backupsa.c: handle ctime
returning NULL.
2010-03-11 Christos Zoulas <christos@netbsd.org>
* src/racoon/handler.c: PR/42363: Yasuoka Masahiko: Second part of
the patch: iterate only on the phase2 handles that are bound by the
given phase1 handle.
2010-03-05 Timo Teras <timo.teras@iki.fi>
* src/: libipsec/ipsec_set_policy.3, racoon/privsep.c,
racoon/doc/FAQ, setkey/setkey.8: From Stefan Bauer: Fix multiple
typoes and manpage formatting errors.
2010-03-04 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/session.c: From Pierre POMES: fixed admin port
initialization
2010-02-28 snj
* src/racoon/: sockmisc.c, sockmisc.h: Fight the ever-increasing
size of src checkouts by spelling "useful" without an extra l.
2010-02-09 Thomas Klausner <wiz@netbsd.org>
* src/racoon/: pfkey.c, proposal.h: Fix typo in comment.
2010-01-17 Thomas Klausner <wiz@netbsd.org>
* src/racoon/sainfo.c: Free strdeupped string after using it. Found
by cppcheck.
* src/racoon/: eaytest.c, ipsec_doi.c: Close file handles after
using them. Found by cppcheck.
2010-01-15 joerg
* src/setkey/setkey.8: Use .%U instead of .%O for URLs.
2009-12-11 Timo Teras <timo.teras@iki.fi>
* src/racoon/Makefile.am: From Paul Wernau: vmbuf.h was defined
twice in the headers. Remove the redundant entry so new install tool
does not complain about overwriting just installed file.
2009-11-22 Christos Zoulas <christos@netbsd.org>
* src/racoon/handler.c: PR/42363: Yasuoka Masahiko:
racoon uses a wrong IPsec-SA handle that is for other peer in case
it receives a ISAKMP message for IPsec-SA that has the same
message-id as the message-id that is received before.
racoon uses message-id to find the handle of IPsec-SA. The
message-id is a unique number for each peer, but different peers may
use the same value.
Different Windows Vista or Windows 7 peers seem to use the same
message-id. racoon can handle the first Windows's Phase-2, but it
cannot handle the second Windows. Because racoon misunderstands the
message for the second Windows as the message for the first Windows.
>Category: bin >Synopsis: racoon uses a wrong IPsec-SA
that is for different peer >Confidential: no >Severity:
serious >Priority: medium >Responsible: bin-bug-people
>State: open >Class: sw-bug >Submitter-Id: net
>Arrival-Date: Sun Nov 22 18:25:00 +0000 2009 >Originator:
yasuoka@iij.ad.jp
2009-10-29 Christos Zoulas <christos@netbsd.org>
* src/setkey/token.l: use %option noinput nounput
2009-10-28 Christos Zoulas <christos@netbsd.org>
* src/setkey/token.l: no unput
2009-10-14 joerg
* src/libipsec/ipsec_set_policy.3: Do not use .Xo/.Xc to workaround
ancient groff limits.
* src/setkey/setkey.8: Do not use .Xo/.Xc to work around ancient
groff limits. Fix markup.
* src/racoon/racoon.conf.5: Don't use .Xo/.Xc to work around
ancient groff limits. Set only one list type.
2009-09-18 Timo Teras <timo.teras@iki.fi>
* src/racoon/: isakmp_agg.c, isakmp_ident.c: From Tomas Mraz: Fix
gssapi error checking.
2009-09-03 Timo Teras <timo.teras@iki.fi>
* src/racoon/: admin.c, handler.c, handler.h, isakmp.c,
isakmp_var.h, pfkey.c: When rekeying phase2 use phase1 used to
negotiate phase2 as a hint to select the phase1 for rekeying the new
phase2.
2009-09-01 Timo Teras <timo.teras@iki.fi>
* src/racoon/: nattraversal.c, racoon.conf.5, vendorid.c: Check
nat_traversal configuration from remote configuration candidates
when acting as responder. Enable NAT-T if any of the remote
candidates have NAT-T enabled.
* src/racoon/remoteconf.c: Change remote conf matching level to
matching score. This way one can override anonymous certificate
block config with more exact "inhereted" IP specific block.
* src/racoon/: isakmp.c, racoon.conf.5: From Maik Broemme: export
ISAKMP SA identity as REMOTE_ID for phase1 up script (trac #313).
2009-08-24 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/oakley.c: fixed typo: algoriym -> algorithm
2009-08-19 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/remoteconf.c: fixed address check in
rmconf_match_type(), just check address with wildcard port
2009-08-19 Timo Teras <timo.teras@iki.fi>
* src/racoon/remoteconf.c: Have an enum for rmconf_match_type()
return values to make the code a bit more readable.
2009-08-18 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/oakley.c: typo: algoritym -> algorithm
2009-08-17 Yvan Vanhullebus <vanhu@netasq.com>
* src/libipsec/libpfkey.h: do not use SADB_X_NAT_T_NEW_MAPPING to
check system support for NAT-T, as at least FreeBSD doesn't have
this define anymore
* src/racoon/schedule.h: include stddef.h so we have a chance to
get the system offsetof if present
* src/racoon/crypto_openssl.h: removed a self include
2009-08-13 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/oakley.c: fixed a potential DoS in
oakley_do_decrypt(), reported by Orange Labs
2009-08-10 Timo Teras <timo.teras@iki.fi>
* src/racoon/pfkey.c: Don't print EAGAIN error from
pfkey_handler(), it can occur normally under some code paths and is
not a hard error in any case.
2009-08-06 Timo Teras <timo.teras@iki.fi>
* src/setkey/setkey.c: From Paul Wenau: Check fgets return value in
setkey to make gcc happy.
2009-08-05 Timo Teras <timo.teras@iki.fi>
* src/racoon/pfkey.c: From Paul Wernau: Fix transport mode per-port
security associations that got broke during NAT-T fixes.
2009-07-07 Timo Teras <timo.teras@iki.fi>
* src/racoon/sockmisc.c: From Arnaud Ebalard: Fix possible usage of
uninitialized local variable (not sure if any code path triggers
this, but this makes compiler happy).
2009-07-03 Timo Teras <timo.teras@iki.fi>
* src/racoon/: admin.c, grabmyaddr.c, handler.c, handler.h,
isakmp.c, isakmp_cfg.c, isakmp_inf.c, isakmp_quick.c,
nattraversal.c, pfkey.c, policy.c, remoteconf.c, remoteconf.h,
sockmisc.c, sockmisc.h, throttle.c: Get rid of the evil CMPSADDR
macro. Trac #295.
* src/: libipsec/libpfkey.h, libipsec/pfkey.c, racoon/isakmp.c,
racoon/isakmp_inf.c, racoon/pfkey.c, racoon/pfkey.h: From Yvan
Vanhullebus: Use SADB_X_EXT_NAT_T_* consistently for passing the
NAT-T port information. This might break compatibility with some
kernels, but as discussed this is the proper way to pass NAT-T ports
and the broken kernels need to be fixed.
2009-06-24 Timo Teras <timo.teras@iki.fi>
* src/racoon/session.c: Fix a call to null pointer: in some cases,
the unmonitor_fd can be called from another fd's callback. That
could lead to still have callback pending after unmonitoring the fd
resulting in a call to null pointer. This is fixed by making
unmonitor_fd now clear the pending fd_set too. Bug was introduced
by my commit in 2008-12-23.
2009-05-20 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/isakmp.h: typo
2009-05-19 Timo Teras <timo.teras@iki.fi>
* src/racoon/: ipsec_doi.c, isakmp.c: From Jukka Salmi: Fix couple
of typos from previous commit.
2009-05-18 Timo Teras <timo.teras@iki.fi>
* src/racoon/: ipsec_doi.c, isakmp.c, sockmisc.c, sockmisc.h: From
Tomas Mraz: Introduce union sockaddr_any and use it to make code
more readable. Related to trac #293.
* src/racoon/isakmp_inf.c: From Tomas Mraz: Remove variable that is
not really used; only referenced while uninitialized causing
valgrind error.
* src/racoon/nattraversal.c: From Tomas Mraz: Fix natt_flags check.
2009-05-04 Thomas Klausner <wiz@netbsd.org>
* src/racoon/racoon.conf.5: Remove superfluous spaces around
parentheses.
2009-04-29 Timo Teras <timo.teras@iki.fi>
* src/racoon/crypto_openssl.c: From Ross Meng: Fix a memory leak in
X509 certificate validation.
2009-04-28 Timo Teras <timo.teras@iki.fi>
* src/racoon/handler.c: Reset nat_oa variables too when reusing
phase two handler. Otherwise phase2 rekeying might fail in some
scenarios.
2009-04-22 Timo Teras <timo.teras@iki.fi>
* src/racoon/isakmp_frag.c: From Neil Kettle: Fix a possible null
pointer dereference in fragmentation code.
2009-04-21 Timo Teras <timo.teras@iki.fi>
* src/racoon/: grabmyaddr.c, grabmyaddr.h, session.c: Fix
strict_address to work again. The lists needs to be initialized
before configuration is read, which happens before my_addr_init()
call.
2009-04-20 Timo Teras <timo.teras@iki.fi>
* src/racoon/: isakmp.c, isakmp.h, isakmp_var.h: Fix a memory leak
in certificate request generation.
* src/racoon/: isakmp_inf.c, isakmp_xauth.c, plog.c: Orignally from
Bin Li: Fix possible memory corruption in binsanitize().
* src/racoon/crypto_openssl.c: From Stephen Bevan: Fix a x509
signature verification memory leak.
* src/racoon/: admin.c, racoonctl.c: Originally from Bin Li: Fix a
crash with racoonctl logout user.
* src/racoon/nattraversal.c: Fix a memory leak in nat-t keepalive
code.
* src/racoon/handler.c: From Paul Moore: Phase2 message id's should
be unique wrt phase1, not globally.
2009-03-13 Timo Teras <timo.teras@iki.fi>
* src/racoon/: pfkey.c, remoteconf.h: From Arnaud Ebalard: Fix
couple of problems with previous commit.
2009-03-12 he
* src/racoon/: isakmp.c, remoteconf.c: When casting to/from a
pointer to an integral type (a bad practice, if you ask me), you
need to cast via intptr_t for portability.
2009-03-12 Thomas Klausner <wiz@netbsd.org>
* src/racoon/racoon.conf.5: New sentence, new line. Avoid marking
up punctuation.
* src/racoon/racoonctl.8: Bump date for previous. Sort options to
establish-sa. Stop using Xo/Xc.
2009-03-12 Timo Teras <timo.teras@iki.fi>
* src/racoon/: admin.c, cfparse.y, cftoken.l, crypto_openssl.c,
crypto_openssl.h, dnssec.c, dnssec.h, handler.c, handler.h,
ipsec_doi.c, ipsec_doi.h, isakmp.c, isakmp.h, isakmp_agg.c,
isakmp_base.c, isakmp_ident.c, isakmp_inf.c, isakmp_quick.c,
isakmp_var.h, nattraversal.c, oakley.c, oakley.h, racoon.conf.5,
racoonctl.8, racoonctl.c, remoteconf.c, remoteconf.h, sockmisc.c,
vendorid.c: Support multiple anonymous remotes and decide
remoteconf based on identity, received certificates and other
information. General code clean up.
2009-03-06 Timo Teras <timo.teras@iki.fi>
* src/setkey/: extern.h, parse.y, setkey.c: setkey: fix deleteall
in Linux
Linux requires SADB_DELETE message to have SPI. So send a
SADB_DELETE message for each matching SA. Trac #284.
From: Gabriel Somlo <somlo@cmu.edu>
2009-02-16 Timo Teras <timo.teras@iki.fi>
* src/libipsec/policy_parse.y: From Paul Moore: Fix a heap
corruption bug (yacc return non-null terminated buffer and sprintf
writes over bounds).
2009-02-11 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/: isakmp.c, sockmisc.c, sockmisc.h: trac#301: fixed
IPsec SAs flush in purge_remote() when NAT-T enabled but no NAT-T on
tunnel
2009-02-03 Timo Teras <timo.teras@iki.fi>
* src/racoon/isakmp.c: From: Phil Sutter. Fix script environment
variables with IPv6 addresses.
2009-01-26 Timo Teras <timo.teras@iki.fi>
* src/racoon/main.c: Argument parsing needs lcconf initialized.
2009-01-24 Thomas Klausner <wiz@netbsd.org>
* src/racoon/racoonctl.c: Sort options in usage.
* src/racoon/racoonctl.8: Sort options. New sentence, new line.
* src/racoon/racoon.8: Sort options.
2009-01-23 Timo Teras <timo.teras@iki.fi>
* src/racoon/: racoonctl.8, racoonctl.c: Update usage and manpage
for racoonctl.
* src/racoon/: main.c, racoon.8: Racoon -v to print version and
compilation information. Update usage message.
* NEWS: Update NEWS with major changes since 0.7 release.
* src/racoon/schedule.c: Fix monotonic scheduler change, to not
refresh 'now' before exit. Otherwise we can return negative timeout
after spending time handling other events.
* src/racoon/: handler.c, pfkey.c: From Arnaud Ebalard: Handle
reception of MIGRATE message during Phase 1 and Phase 2 negotiation.
Also corrects some debugging statements.
* src/racoon/pfkey.c: From Arnaud Ebalard: On the responder (for
instance), there is a need to not only migrate local and remote
addresses of Phase 1 that match previous addresses but also the
local and remote addresses of a Phase 1 *associated* with a migrated
Phase 2. For instance, we have that need when receiving the first
MIGRATE/KMADDRESS message because the old addresses are still the
HoA and the address of the HA (while the peer has contacted us using
the CoA and we have negotiated this address as src attribute in
Phase 2). The patch fixes that by having migrate_ph1_ike_addresses()
called from migrate_ph2_ike_addresses() callback.
* src/racoon/isakmp_quick.c: From Arnaud Ebalard: Set phase2 spid
when acting as responder.
* configure.ac, src/racoon/handler.c, src/racoon/handler.h,
src/racoon/isakmp_inf.c, src/racoon/isakmp_xauth.c,
src/racoon/schedule.c, src/racoon/schedule.h,
src/racoon/throttle.c, src/racoon/throttle.h: Detect if monotonic
system clock is available, and use it for relative time measurements
to avoid complite hang if time jumps backwards.
* src/racoon/: cfparse.y, ipsec_doi.c, isakmp.c, isakmp_agg.c,
isakmp_base.c, isakmp_cfg.c, isakmp_ident.c, isakmp_xauth.c,
oakley.c, oakley.h: Fix authentication method ambiguity by
internally using unique ID and setting/interpreting the wire format
based on received vendor ID:s. Fixes trac #280.
* src/racoon/: handler.h, isakmp_agg.c, isakmp_base.c,
isakmp_ident.c, vendorid.c, vendorid.h: Introduce vendorid
bitmask that can be used otherwhere to detect peer capabilities.
* configure.ac, src/racoon/admin.c, src/racoon/evt.c,
src/racoon/grabmyaddr.c, src/racoon/isakmp.c, src/racoon/pfkey.c,
src/racoon/session.c, src/racoon/session.h: Remove "fastquit"
configure option and make it the default behaviour. The previous
normal behaviour is buggy, as after flush kernel can immediately
create larval SA:s which would prevent exit.
2009-01-20 Timo Teras <timo.teras@iki.fi>
* Makefile.am, misc/cvs2cl.pl, misc/cvsusermap: Autogenerate
ChangeLog from NetBSD CVS. Put sourceforge.net changes to
ChangeLog.old.
2009-01-10 Thomas Klausner <wiz@netbsd.org>
* src/racoon/racoon.conf.5: Make ready for HTML output. Use proper
escape for backslash ('\e').
2009-01-10 Timo Teras <timo.teras@iki.fi>
* src/racoon/: crypto_openssl.c, racoon.conf.5: From Cyrus Rahman:
Accept RFC2253 compliant escaped special characters for asn1dn
identifier.
2009-01-09 Timo Teras <timo.teras@iki.fi>
* configure.ac: Fix a CPPLAGS typo to CPPFLAGS which was intended
2009-01-05 Timo Teras <timo.teras@iki.fi>
* src/racoon/: cfparse.y, cftoken.l, racoon.conf.5: Remove obsolete
configuration options, fix radius configuration block and add GRE as
recognized protocol.
* src/racoon/session.c: Do not use counting in signal handling as
it was unsafe by not using atomic functions (post increment is not
necessarily atomic). Instead reap all children on SIGCHLD as that
was the only signal needing signal counting.
2008-12-30 Timo Teras <timo.teras@iki.fi>
* src/racoon/session.c: schedular() call can now modify fd mask so
make the working copy just before calling select(); otherwise it can
contain bad file descriptors
2008-12-29 Michael van Elst <mlelstv@netbsd.org>
* src/setkey/parse.y: support icmp codes. Fixes PR 39056.
2008-12-24 Christos Zoulas <christos@netbsd.org>
* src/racoon/grabmyaddr.c: remove sin{6,}_len linux does not have
it. From Timo Teras.
* src/racoon/grabmyaddr.c: I was wrong. addr is actually set.
* src/racoon/grabmyaddr.c:
- make this compile by zeroing out the whole structure not just
bogus fields.
- set length field of sockets appropriately.
- mark bogus no-op code (I don't understand what the author intended
here).
2008-12-23 Thomas Klausner <wiz@netbsd.org>
* src/racoon/racoon.conf.5: Bump date for identity configuration
option removal.
2008-12-23 Timo Teras <timo.teras@iki.fi>
* src/racoon/: cfparse.y, cftoken.l, ipsec_doi.c, localconf.c,
localconf.h, racoon.conf.5: Remove the obsoleted global identity
configuration option.
* src/racoon/: admin.c, admin_var.h, cfparse.y, debug.h, evt.c,
evt.h, grabmyaddr.c, grabmyaddr.h, handler.c, isakmp.c,
isakmp_inf.c, isakmp_var.h, localconf.c, localconf.h, main.c,
nattraversal.c, pfkey.c, pfkey.h, privsep.c, session.c,
session.h: rewrite local address detection make some functions
static that arr not needed globally rework how fd_set is
construction for the main loop select()
2008-12-18 Timo Teras <timo.teras@iki.fi>
* src/racoon/pfkey.c: From Arnaud Ebalard: Delete larval ph2handles
when expire with hard lifetime received
2008-12-16 Timo Teras <timo.teras@iki.fi>
* README: Update README
* src/racoon/pfkey.c: Fix transport mode address selection in
acquire handling. Some earlier fixes got lost on 2008-12-05 commit.
2008-12-11 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/grabmyaddr.c: Fixed compilation on FreeBSD (RTM_IFINFO
and RTM_OIFINFO stuff)
* src/racoon/isakmp.c: Fixed compilation when DPD support is
disabled
2008-12-08 Timo Teras <timo.teras@iki.fi>
* src/racoon/: pfkey.c, privsep.c, privsep.h: Do not cache pfkey
sockets: it might cause to not handle some pfkey events when
select() has marked pfkey socket readable, but a timer callback
first calls pfkey_dump_sadb().
2008-12-05 Timo Teras <timo.teras@iki.fi>
* src/: libipsec/key_debug.c, libipsec/libpfkey.h,
libipsec/pfkey.c, racoon/handler.c, racoon/handler.h,
racoon/ipsec_doi.c, racoon/isakmp.c, racoon/isakmp_quick.c,
racoon/pfkey.c, racoon/policy.c, racoon/policy.h: From Arnaud
Ebalard: Improved Mobile IPv6 support per
draft-ebalard-mext-pfkey-enhanced-migrate.
2008-12-04 Christoph Badura <bad@netbsd.org>
* src/racoon/privsep.c: Fix typo in previous and use SIG_IGN as I
intended.
2008-12-02 Timo Teras <timo.teras@iki.fi>
* src/racoon/session.c: Explicitly ignore SIGPIPE. Default action
on Linux is terminate.
2008-11-28 Thomas Klausner <wiz@netbsd.org>
* src/racoon/racoon.conf.5: Remove empty line. Fix typo. New
sentence, new line.
2008-11-27 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/main.c: Set up a default value for Mode Config Pool
size if pool address specified but pool size not specified
* src/racoon/isakmp_cfg.c: Fixed pool resizing
2008-11-27 Timo Teras <timo.teras@iki.fi>
* src/racoon/pfkey.c: From Arnaud Ebalard: Remove MAXNESTEDSA
weirdness. It's probably meant for bundle support which is not done.
When someone actually writes bundle support, the nested SA stuff
would probably be reworked too anyway.
* src/: libipsec/libpfkey.h, libipsec/pfkey.c, racoon/cfparse.y,
racoon/cftoken.l, racoon/localconf.c, racoon/localconf.h,
racoon/pfkey.c, racoon/racoon.conf.5: From: Matthew Krenzer
Ability to set pfkey socket buffer size via configuration file
directive. (Indentation and minor fixes by me.)
2008-11-25 Christoph Badura <bad@netbsd.org>
* src/racoon/: evt.c, privsep.c, session.c: Avoid using
MSG_NOSIGNAL as it is not available everywhere. Ignore SIGPIPE
instead.
* src/racoon/grabmyaddr.c: Ignore unspecified and looback
addresses. Ignoring unspecified addresses prevents racoon from
trying to bind to the wildcard address and specific addresses
simultaneously after e.g. dhclient has changed an interface's
address to 0.0.0.0.
* src/racoon/grabmyaddr.c: RTM_DELETE and RTM_IFINFO don't carry
info for added or deleted addresses. Ignore them silently.
* src/racoon/grabmyaddr.c: Ignoring an unsuitable address is not an
error. Therefore log it as informational. Make it clear from the
log message that a route message is not interesting.
* src/racoon/grabmyaddr.c: Use insmyaddr() instead of open coding
it.
* src/racoon/isakmp.c: Do not return erroneously from isakmp_open()
when setting IPV6_USE_MIN_MTU fails.
* src/racoon/: grabmyaddr.c, isakmp.c: Keep myaddr.sock at -1 when
no socket is opened.
2008-11-08 Christoph Badura <bad@netbsd.org>
* src/racoon/samples/roadwarrior/client/: phase1-down.sh,
phase1-up.sh: Preserve owner and permissions of original
/etc/resolv.conf. Ensure that new /etc/resolv.conf isn't group or
world writable.
* src/racoon/samples/roadwarrior/client/: phase1-down.sh,
phase1-up.sh: Print and check INTERNAL_NETMASK4.
* src/racoon/samples/roadwarrior/client/: phase1-down.sh,
phase1-up.sh: Make the handling of NAT-T SPD entries automatic.
* src/racoon/samples/roadwarrior/client/: phase1-down.sh,
phase1-up.sh: Ensure that the determination of the default
gateway and the corresponding interface don't get confused by
multiple, possibly non-IPv4 default routes. Bring the NetBSD case
of deleting the VPN routes and address in line with the Linux case
and delete the address after deleting the VPN routes.
2008-11-06 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/sainfo.c: fixed delsainfo() to avoid a crash when
iddst's value is SAINFO_CLIENTADDR
2008-10-29 S.P.Zeidler <spz@netbsd.org>
* src/racoon/ipsec_doi.c: Changes to ipsecdoi_id2str():
struct sockaddr -> struct sockaddr_storage fixes a stack overflow
For non-linklocal addresses the value in 'scope' is garbage and gets
set to zero instead.
2008-10-27 Timo Teras <timo.teras@iki.fi>
* src/racoon/pfkey.c: From Arnaud Ebalard: Add missing return to
error path
* src/racoon/grabmyaddr.c: From Francis Dupont (sent by Arnaud
Ebalard): recognize RTM_IFANNOUNCE
* src/racoon/grabmyaddr.c: From Arnaud Ebalard: Fix indentation
issues for readability
* src/racoon/session.c: From Arnaud Ebalard: initfds() needs to be
called only if monitored file descriptor numbers have changed
* src/racoon/isakmp_var.h: From Arnaud Ebalard: Remove duplicate
declaration
2008-10-23 Timo Teras <timo.teras@iki.fi>
* src/racoon/: privsep.c, session.c, session.h: From Krzysztof
Piotr Oledzki <olel@ans.pl>: Revert parts of 2008-08-06 commit; the
problem those changes address are already handled in a sensible way
by Cyrus Rahman's patch from 2008-03-06.
2008-10-09 Timo Teras <timo.teras@iki.fi>
* src/racoon/isakmp_quick.c: From Arnaud Ebalard: remove
unnecessary unbindph12() call which is now done in remph2()
2008-09-25 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/isakmp.c: Fixed resending mechanism to have non-ESP
marker for retransmitted packets
2008-09-19 Thomas Klausner <wiz@netbsd.org>
* src/racoon/racoon.conf.5: New sentence, new line.
2008-09-19 Timo Teras <timo.teras@iki.fi>
* src/racoon/: admin.c, cfparse.y, cftoken.l, handler.c, handler.h,
isakmp.c, isakmp_cfg.c, isakmp_inf.c, isakmp_quick.c,
isakmp_var.h, isakmp_xauth.c, pfkey.c, proposal.c, racoon.conf.5,
remoteconf.c, remoteconf.h: Implement ISAKMP SA rekeying
configurable with rekey {on|off|force} option in remote conf.
* src/racoon/: handler.c, handler.h, isakmp.c, isakmp_inf.c,
isakmp_quick.c, isakmp_var.h, isakmp_xauth.c, isakmp_xauth.h,
nattraversal.c, pfkey.c, pfkey.h, schedule.c, schedule.h,
session.c: Change struct sched to be allocated be the caller to
avoid some memory allocations. Optimize scheduling algorithm to not
scan all entries in the main loop.
2008-09-17 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/isakmp_inf.c: Fixed port match in purge_ipsec_spi()
when NAT-T enabled and trying to purge non NAT-T SAs
2008-09-09 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/pfkey.c: Some calls to set_port() were not correctly
updated in the previous commit
2008-09-03 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/pfkey.c: From Tomas Mraz: Duplicate addresses in
pk_sendxxx functions, as they may be altered for NAT-T stuff.
2008-09-03 Timo Teras <timo.teras@iki.fi>
* src/: libipsec/pfkey.c, racoon/pfkey.c, racoon/sockmisc.c:
- Fix reloading of SPD (Linux satype check, handling of SPD dump
responses)
- Remove some spurious error log message from extract_port()
2008-08-29 Gregory McGarry <gmcgarry@netbsd.org>
* src/racoon/isakmp.c: Eliminate gcc-specific feature of empty
structures.
* src/racoon/evt.h: Eliminate superfluous semicolon.
* src/racoon/: admin.c, admin.h: Eliminate gcc-specific feature of
unnamed structures added recently.
2008-08-12 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/isakmp.c: From Krzysztof Piotr Oledzki: Remove
ph1handler if we received an invalid first exchange from initiator.
2008-08-06 Timo Teras <timo.teras@iki.fi>
* src/racoon/: privsep.c, session.c, session.h: From Krzysztof
Piotr Oledzki: Make privileged process exit if unprivileged process
is terminated and some spelling fixes.
2008-07-23 Matthew Grooms <mgrooms@shrew.net>
* src/racoon/: cfparse.y, session.c: Add some missing ifdefs
required for non-radius enabled builds.
2008-07-23 Timo Teras <timo.teras@iki.fi>
* src/racoon/Makefile.am: Do not use GNU make specific extension.
* src/: libipsec/Makefile.am, racoon/Makefile.am,
setkey/Makefile.am: Do flex/bison invocation in a more standard
way, and keep the generated files in the dist tarball.
2008-07-22 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/proposal.c: From Kohki Ohhira: fix some memory leaks,
when malloc fails or when peer sends invalid proposal.
2008-07-22 Matthew Grooms <mgrooms@shrew.net>
* src/racoon/: cfparse.y, cftoken.l, isakmp_cfg.c, isakmp_xauth.c,
isakmp_xauth.h, main.c, racoon.conf.5, session.c: Add an optional
radius configuration section to the racoon.conf file. This is
similar to the the LDAP configuration section and overrides settings
in the system radius configuration file.
2008-07-21 Matthias Scheler <tron@netbsd.org>
* src/racoon/cfparse.y: Correct typo to fix the build.
2008-07-21 Timo Teras <timo.teras@iki.fi>
* src/racoon/: isakmp_agg.c, isakmp_base.c, isakmp_ident.c,
vendorid.c, vendorid.h: Separate generic vendor id handling to a
new function and use it.
* src/racoon/cfparse.y: Do not set default gss id if xauth is used,
otherwise gss-id attribute might be sent even if it was not
requested.
2008-07-15 Matthew Grooms <mgrooms@shrew.net>
* src/racoon/isakmp_cfg.c: Fix an a typo that prevented racoon from
building with hybrid enabled.
* src/racoon/: crypto_openssl.c, eaytest.c, misc.c, misc.h,
racoonctl.c: Fix a conflict with the FreeBSD 8 system hexdump
function.
2008-07-14 Timo Teras <timo.teras@iki.fi>
* src/racoon/: handler.h, ipsec_doi.c, ipsec_doi.h, isakmp_quick.c,
pfkey.c: Handle RESPONDER-LIFETIME notification in quick mode.
* src/racoon/: handler.h, isakmp.c, isakmp_agg.c, isakmp_ident.c,
isakmp_inf.c, isakmp_inf.h, isakmp_quick.c, strnames.c: Clean up
notification payload handling. Handle INITIAL-CONTACT notification
in last main mode exchange (delayed) and during quick mode
exchanges.
2008-07-11 Timo Teras <timo.teras@iki.fi>
* src/racoon/: isakmp.c, isakmp_inf.c: Original patch from Atis
Elsts: Fix a double memory free and a memory corruption
(LIST_REMOVE() on an uninserted node) in some error handling paths.
2008-07-09 Timo Teras <timo.teras@iki.fi>
* src/racoon/cfparse.y: From Chong Peng: fix a file descriptor and
memory leak on configuration file reread
2008-07-02 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/isakmp_inf.c: From Timo Teras: fix some %d to %zu
(size_t values)
2008-06-18 Thomas Klausner <wiz@netbsd.org>
* src/racoon/racoonctl.8: Bump date for previous.
2008-06-18 Matthew Grooms <mgrooms@shrew.net>
* src/racoon/: admin.c, admin.h, racoonctl.8, racoonctl.c: Add an
admin port command to retrieve the peer certificate. Submitted by
Timo Teras.
* src/racoon/: admin.c, grabmyaddr.c, isakmp.c, misc.c, misc.h: Set
sockets to be closed on exec to avoid potential file descriptor
inheritance issues. Submitted by Timo Teras.
* src/racoon/: admin.c, grabmyaddr.c, ipsec_doi.c, isakmp.c,
isakmp_cfg.c, isakmp_inf.c, privsep.c, remoteconf.c: Use utility
functions to evaluate and manipulate network port values. No
functional changes. Submitted by Timo Teras.
* src/racoon/: admin.c, racoonctl.c: Admin port code cleanup. No
functional changes. Submitted by Timo Teras.
* src/racoon/pfkey.c: Correct a phase2 status event. Submitted by
Timo Teras.
2008-05-24 Christos Zoulas <christos@netbsd.org>
* src/racoon/privsep.c: Coverity CID 5018: Fix double frees.
2008-05-08 Emmanuel Dreyfus <manu@netbsd.org>
* configure.ac: From Christian Hohnstaedt: allow out of tree
building
2008-04-30 Martin Husemann <martin@netbsd.org>
* netbsd-import.sh: Convert TNF licenses to new 2 clause variant
2008-04-25 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/isakmp_inf.c: From Timo Teras: extract port numbers
from SADB_X_EXT_NAT_T[SD]PORT if present in purge_ipsec_spi().
2008-04-13 Christos Zoulas <christos@netbsd.org>
* src/racoon/privsep.c: for symmetry set controllen the same way we
set it on the receiving side.
2008-04-02 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/: Makefile.am, sockmisc.c, sockmisc.h: fix Linux build
2008-03-28 Christos Zoulas <christos@netbsd.org>
* src/racoon/privsep.c: properly fix the variable stack allocation
code.
2008-03-28 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/privsep.c: Still from Cyrus Rahman: fix file
descriptor leak introduced by previous commit.
* src/racoon/: Makefile.am, isakmp.c, isakmp_inf.c, privsep.c,
privsep.h, sockmisc.c, doc/README.privsep: From Cyrus Rahman:
Allow interface reconfiguration when running in privilege separation
mode, document privilege separation
2008-03-06 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/oakley.c: Generates a log if cert validation has been
disabled by configuration
2008-03-06 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/: privsep.c, session.c: From Cyrus Rahman
<crahman@gmail.com> privilegied instance exit when unprivilegied one
terminates. Save PID in real root, not in chroot
2008-03-06 Matthew Grooms <mgrooms@shrew.net>
* src/racoon/: admin.c, isakmp.c, isakmp_var.h, pfkey.c,
racoonctl.8, racoonctl.c: Add the ability to initiate IPsec SA
negotiations using the admin socket. Submitted by Timo Teras.
* src/racoon/: admin.c, admin.h, evt.c, evt.h, handler.c,
handler.h, isakmp.c, isakmp_agg.c, isakmp_base.c, isakmp_cfg.c,
isakmp_ident.c, isakmp_inf.c, isakmp_var.h, isakmp_xauth.c,
racoonctl.8, racoonctl.c, session.c: Refactor admin socket event
protocol to be less error prone. Backwards compatibility is
provided. Submitted by Timo Teras.
2008-03-05 Matthew Grooms <mgrooms@shrew.net>
* src/racoon/cfparse.y: Properly initialize the unity network
struct to prevent erroneous protocol and port info from being
transmitted.
* src/racoon/: pfkey.c, pfkey.h, session.c: Reload SPD on SIGHUP or
adminport reload. Also provide better handling for pfkey socket read
errors. Submitted by Timo Teras.
2008-02-25 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/ipsec_doi.c: From Brian Haley <brian.haley@hp.com>
There's a cut/paste error in cmp_aproppair_i(), it's supposed to be
checking spi_size but it's not. I'm not sure this patch is correct,
but what's there isn't either.
2008-02-22 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp.c: Fix address length, from Brian Haley
2008-02-10 S.P.Zeidler <spz@netbsd.org>
* src/racoon/ipsec_doi.c: closes PR bin/37644 did not meet violent
opposition ( :) ) on ipsec-tools-devel
2008-01-11 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/isakmp_inf.c: From Timo Teras: reset iph1->dpd_r_u in
the scheduler's callback, to avoid access to freed memory.
* src/racoon/crypto_openssl.c: From Krzysztof Oledzki: Fix
compilation with IDEA and recent gcc.
* src/racoon/isakmp_inf.c: From Krzysztof Oledzki: added some
details to some logs (also reported new getph1byaddr() arg).
* src/racoon/isakmp.c: From Krzysztof Oledzki: Only search for
established ph1 handles in DPD (also reported new getph1byaddr()
arg).
* src/racoon/: handler.c, handler.h: added an 'established' arg to
getph1byaddr()
2007-12-31 Matthew Grooms <mgrooms@shrew.net>
* src/racoon/: policy.c, racoonctl.8, racoonctl.c: Add GRE protocol
number to racoonctl. Correct id wildcard matching for transport
mode. Submitted by Timo Teras.
2007-12-12 Matthew Grooms <mgrooms@shrew.net>
* NEWS, src/racoon/isakmp_quick.c: Add corrections submitted in a
follow up patch for the nat-t oa support.
* src/racoon/: handler.c, handler.h, isakmp_quick.c, pfkey.c: Add
support for nat-t oa payload handling. Submitted by Timo Teras.
2007-12-04 Matthew Grooms <mgrooms@shrew.net>
* src/racoon/: ipsec_doi.c, ipsec_doi.h, isakmp_quick.c: Modify
ipsecdoi_sockaddr2id() to obtain an id without specifying the exact
prefix length. Correct a memory leak in phase2. Both submitted by
Timo Teras.
2007-12-01 Thomas Klausner <wiz@netbsd.org>
* src/racoon/racoon.conf.5: Fix typos. New sentence, new line.
2007-11-29 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/Makefile.am: From Natanael Copa: fixed a race
condition when building yacc stuff.
2007-11-09 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/pfkey.c: From Arnaud Ebalard: Some sanity checking in
pk_recv()
* src/racoon/policy.c: From Arnaud Ebalard: Better matching of SPD
entries in getsp_r().
* src/racoon/isakmp_quick.c: From Arnaud Ebalard: Added some debug
in get_proposal_r().
2007-10-19 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/: isakmp_cfg.c, isakmp_unity.c, isakmp_unity.h,
racoon.conf.5: Add SPLITNET_{INCLUDR_LOCAL}_CIDR to hook scripts
2007-10-15 Yvan Vanhullebus <vanhu@netasq.com>
* src/libipsec/pfkey.c: Try to increase the buffer size of the
pfkey socket, this may help things when we have a huge SPD
2007-10-02 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/crypto_openssl.c: From Scott Lamb: include plog.h to
work with the new plog macro.
* src/racoon/kmpstat.c: From Scott Lamb: plog changed to _plog to
work with new plog macro
* src/racoon/: plog.c, plog.h: From Scott Lamb: new plog macro.
2007-09-19 Matthew Grooms <mgrooms@shrew.net>
* src/racoon/isakmp.c: Set REUSE option on sockets to prevent
failures associated with closing and immediately re-opening.
Submitted by Gabriel Somlo.
* src/racoon/isakmp_unity.c: Prevent duplicate entries in splitnet
list. Submitted by Gabriel Somlo.
2007-09-13 Matthew Grooms <mgrooms@shrew.net>
* configure.ac: Fix autoconf check for selinux support. Submitted
by Joy Latten.
2007-09-12 Matthew Grooms <mgrooms@shrew.net>
* src/racoon/: cfparse.y, cftoken.l, handler.c, isakmp_quick.c,
pfkey.c, racoon.conf.5, sainfo.c, sainfo.h: Implement clientaddr
sainfo remote id option and refine the sainfo man page syntax.
2007-09-05 Matthew Grooms <mgrooms@shrew.net>
* src/racoon/sainfo.c: Sort sainfo sections on insert and improve
matching logic.
2007-09-03 Matthew Grooms <mgrooms@shrew.net>
* src/racoon/: cftoken.l, racoon.conf.5: Correct the syntax for
wins4 in the man page and add nbns4 as an alias. Pointed out by
Claas Langbehn.
2007-08-07 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp_xauth.c: src/racoon/isakmp_xauth.c: Don't mix
up RADIUS authentication and authorization ports. Allow
interoperability with freeradius
2007-07-24 Matthew Grooms <mgrooms@shrew.net>
* NEWS: Update NEWS file with additional 0.7 improvements.
2007-07-18 Matthew Grooms <mgrooms@shrew.net>
* src/racoon/racoon.conf.5: Various racoon configuration manpage
updates.
2007-07-18 Yvan Vanhullebus <vanhu@netasq.com>
* configure.ac, src/libipsec/ipsec_dump_policy.c,
src/libipsec/ipsec_get_policylen.c,
src/libipsec/ipsec_strerror.c, src/libipsec/key_debug.c,
src/libipsec/libpfkey.h, src/libipsec/pfkey.c,
src/libipsec/pfkey_dump.c, src/libipsec/policy_parse.y,
src/libipsec/policy_token.l, src/libipsec/test-policy-priority.c,
src/racoon/admin.c, src/racoon/backupsa.c, src/racoon/cfparse.y,
src/racoon/cftoken.l, src/racoon/ipsec_doi.c,
src/racoon/isakmp.c, src/racoon/isakmp_inf.c,
src/racoon/isakmp_quick.c, src/racoon/pfkey.c,
src/racoon/policy.c, src/racoon/proposal.c,
src/racoon/remoteconf.c, src/racoon/sainfo.c,
src/racoon/session.c, src/racoon/sockmisc.c,
src/racoon/strnames.c, src/setkey/parse.y, src/setkey/setkey.c,
src/setkey/token.l: use a single PATH_IPSEC_H to fix some
path_to_ipsec.h issues
2007-07-16 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/grabmyaddr.c: fixed a socket leak
* src/racoon/proposal.c: indentation
2007-06-07 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp_cfg.c: From Paul Winder
<Paul.Winder@tadpole.com>: Fix ignored INTERNAL_DNS4_LIST
2007-06-06 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/: eaytest.c, var.h: From Rong-En Fan: fix compilation
with gcc 4.2
* src/racoon/session.c: From Jianli Liu: speed up interfaces update
when they change.
* src/racoon/handler.c: ignore obsolete lifebyte when validating
reloaded configuration
2007-05-31 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/: main.c, policy.h, security.c: From Joy Latten
<latten@austin.ibm.com> Fix file descriptor shortage when using
labeled IPsec.
2007-05-30 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/kmpstat.c: From Jianli Liu <jlliu@nortel.com>: In
racoonctl, use the specified socket path instead of the default
location
2007-05-16 Christos Zoulas <christos@netbsd.org>
* src/racoon/cfparse.y: coverity CID 4168: yyerror() does not
return, so we proceed to de-reference NULL. Make it return -1
instead like in other places.
* src/racoon/cfparse.y: coverity CID 4170: yyerror() does not
return, so we proceed to de-reference NULL. Make it return -1
instead like in other places.
2007-05-04 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/handler.c: search a ph1 by address if iph2->ph1 is
NULL when validating the new config
* src/racoon/handler.c: added some debug in getph1byaddr() to track
some port matching problems with NAT-T
* src/racoon/isakmp.c: added some debug in isakmp_chkph1there() to
track some port matching problems with NAT-T
* src/racoon/isakmp_inf.c: added some debug for DELETE_SA process
* src/racoon/pfkey.c: Force the update of ph2 in pk_recvupdate() if
NAT_T support, to solve some port match problems with the first
IPSec SAs negociated as initiator
2007-04-04 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/ipsec_doi.c: checks proto_id in ipsecdoi_chkcmpids()
* src/racoon/oakley.c: dumps peer's ID and peer's certificate
subject /subjectaltname if they don't match
2007-03-26 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/isakmp_inf.c: Store the DPD main scheduler in ph1
handler, to be able to cancel it when removing the handler, and some
minor cleanups in DPD code
2007-03-24 Christos Zoulas <christos@netbsd.org>
* src/racoon/isakmp_xauth.c: PR/36069: Huang Yushuo: racoon can't
work with pam_group Set RUSER.
2007-03-23 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/: ipsec_doi.c, security.c: From Joy Latten: fix a
segfault when using security labels between 32bit and 64bit host.
* src/racoon/handler.c: expire zombie handlers in getph2byid(), to
avoid situations where we'll never negociate a phase2 again
* src/racoon/: oakley.c, racoon.conf.5: From Cyrus Rahman: give
more details about what is checked when using certificates to
authenticate
2007-03-22 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/: cfparse.y, ipsec_doi.c: fixed subnet check to
generate IPV4_ADDRESS when needed in sockaddr2id()
2007-03-21 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/: handler.c, isakmp.c, isakmp_inf.c, pfkey.c: NULL
sched check is now done in SCHED_KILL
* src/racoon/schedule.h: checks if arg is NULL in SCHED_KILL
2007-03-15 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/grabmyaddr.c: From Yves-Alexis Perez: enable
monitoring of ipv6 address changes on Linux.
* src/racoon/isakmp.c: Consider a negociation timeout when
retry_counter is <=0 instead of < 0
2007-02-28 Matthew Grooms <mgrooms@shrew.net>
* src/racoon/ipsec_doi.c: Add logic to allow ip address ids to be
matched to ip subnet ids when appropriate.
2007-02-21 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/ipsec_doi.c: block variable declaration before code in
ipsecdoi_id2str()
2007-02-20 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/isakmp_inf.c: Removed a debug printf....
* src/racoon/isakmp.c: Only delete a generated SPD if it's creation
date matches the creation date of the SA we are currently deleting
* src/racoon/: handler.c, isakmp_var.h: updated delete_spd() calls
* src/racoon/: isakmp_inf.c, pfkey.c: fills creation date of
generated SPDs
* src/racoon/policy.h: added 'created' var
2007-02-19 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/isakmp.c: Removed a debug printf....
2007-02-16 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/ipsec_doi.c: From Olivier Warin: Fix a %zu in a
printf.
2007-02-15 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/security.c: Missing SELinux file
* configure.ac: Missing stuff for SELinux
2007-02-15 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/isakmp_inf.c: From "Uncle Pedro" on sf.net: Just
expire a ph1 handle when receiving a DELETE-SA instead of calling
purge_remote().
* src/racoon/isakmp.c: Fixed the way phase1/2 messages are
sent/resent, to avoid zombie handles and acces to freed memory
2007-02-02 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/cfparse.y: Fixed a check of NAT-T support in libipsec
2007-02-01 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/isakmp_inf.c: From "Uncle Pedro" on sf.net: When
receiving an ISAKMP DELETE_SA, get the cookie of the SA to be
deleted from payload instead of just deleting the ISAKMP SA used to
protect the informational exchange.
2006-12-26 Arnaud Lacombe <alc@netbsd.org>
* src/racoon/ipsec_doi.c: CID-4167: check for 'iph1->approval !=
NULL'
2006-12-23 Thomas Klausner <wiz@netbsd.org>
* src/racoon/racoon.conf.5: Use even more macros.
* src/racoon/racoon.conf.5: Use more macros.
* src/racoon/racoon.conf.5: Serial comma, and bump date for
previous.
2006-12-18 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/crypto_openssl.c: From Joy Latten: fix a memory leak
2006-12-10 Emmanuel Dreyfus <manu@netbsd.org>
* src/: libipsec/Makefile.am, libipsec/libpfkey.h,
libipsec/pfkey.c, racoon/backupsa.c, racoon/cfparse.y,
racoon/pfkey.c: Bring back API and ABI backward compatibility
with previous libipsec before recent interface change. Bump libipsec
minor version. Remove ifdefs in struct pfkey_send_sa_args to avoid
ABI compatibility lossage. Add a capability flags to detect missing
optional feature in libipsec
* src/racoon/: Makefile.am, doc/README.plainrsa: From Joy Latten:
README.plainrsa documenting plain RSA auth
2006-12-09 Emmanuel Dreyfus <manu@netbsd.org>
* configure.ac, src/libipsec/libpfkey.h, src/libipsec/pfkey.c,
src/racoon/Makefile.am, src/racoon/backupsa.c,
src/racoon/backupsa.h, src/racoon/cftoken.l,
src/racoon/ipsec_doi.c, src/racoon/ipsec_doi.h,
src/racoon/isakmp_inf.c, src/racoon/isakmp_quick.c,
src/racoon/pfkey.c, src/racoon/policy.c, src/racoon/policy.h,
src/racoon/proposal.c, src/racoon/proposal.h,
src/racoon/remoteconf.c: From Joy Latten: Add support for SELinux
security contexts. Also cleanup the libipsec interface for adding
and updating security associations.
* src/racoon/racoon.conf.5: From Simon Chang: More hints about
plain RSA authentication
2006-12-05 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/: proposal.c, proposal.h, racoon.conf.5: Check keys
length regarding proposal_check level
2006-11-16 Matthew Grooms <mgrooms@shrew.net>
* src/racoon/sainfo.c: Correct issues associated with anonymous
sainfo selection in racoon.
2006-11-09 Christos Zoulas <christos@netbsd.org>
* src/racoon/crypto_openssl.c: eliminate the only variable stack
array allocation.
2006-10-31 Christian Biere <cbiere@netbsd.org>
* src/racoon/sockmisc.c: Don't define the deprecated
IPV6_RECVDSTADDR if the "advanced IPv6 API" is used because
IPV6_RECVPKTINFO and IPV6_PKTINFO are used to prevent potential bugs
in the future just in case that the numeric value of the socket
option is ever recycled.
2006-10-22 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/: backupsa.c, cfparse.y: From Michal Ruzicka: fix
typos
2006-10-19 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/sainfo.c: From Matthew Grooms: use
ipsecdoi_chkcmpids() and changed src/dst to loc/rmt in getsainfo().
* src/racoon/: ipsec_doi.c, ipsec_doi.h: From Matthew Grooms: Added
ipsecdoi_chkcmpids() function.
2006-10-09 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/proposal.c: Fix memory leak (Coverity 3438 and 3437)
* src/racoon/isakmp_unity.c: Correctly check read() return value:
it's signed (Coverity 1251)
2006-10-06 Emmanuel Dreyfus <manu@netbsd.org>
* configure.ac, src/libipsec/pfkey_dump.c, src/racoon/algorithm.c,
src/racoon/algorithm.h, src/racoon/cftoken.l,
src/racoon/crypto_openssl.c, src/racoon/crypto_openssl.h,
src/racoon/eaytest.c, src/racoon/ipsec_doi.c,
src/racoon/ipsec_doi.h, src/racoon/oakley.h, src/racoon/pfkey.c,
src/racoon/racoon.conf.5, src/racoon/strnames.c,
src/setkey/setkey.8, src/setkey/test-pfkey.c, src/setkey/token.l:
Camelia cipher support as in RFC 4312, from Tomoyuki Okazaki
<okazaki@kick.gr.jp>
2006-10-03 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/admin.c: fix endianness issue introduced yesterday
2006-10-03 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/racoon.conf.5: Added remoteid/ph1id syntax
* src/racoon/: cfparse.y, cftoken.l: Parses remoteid/ph1id values
* src/racoon/: handler.c, isakmp_quick.c, pfkey.c, sainfo.c: Uses
remoteid/ph1id values
* src/racoon/: remoteconf.h, sainfo.h: Added remoteid/ph1id values
2006-10-02 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp_base.c:
avoid reusing free'd pointer (Coverity 2613)
* src/racoon/isakmp_inf.c: Check for NULL pointer (COverity 4175)
* src/racoon/isakmp_ident.c: Remove dead code (Coverity 3451)
* src/racoon/algorithm.c: Fix array overrun (Coverity 4172)
* src/racoon/admin.c: Fix memory leak (Coverity 2002)
* src/racoon/: admin.c, isakmp.c, sockmisc.c: Fix memory leak
(Coverity 2001), refactor the code to use port get/set functions
* src/racoon/admin.c: Avoid reusing free'd pointer (Coverity 4200)
* src/racoon/oakley.c: Don't use NULL pointer (Coverity 3443),
reformat to 80 char/line
2006-10-02 Tom Spindler <dogcow@netbsd.org>
* src/racoon/ipsec_doi.c: If you're going to initialize a pointer,
you have to init it with a pointer type, not an int.
2006-10-02 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp.c: Don't use NULL pointer (coverity 3439)
* src/racoon/ipsec_doi.c: Don't use NULL pointer (Coverity 1334)
* src/racoon/pfkey.c: Don't use NULL pointer (Coverity 944)
* src/racoon/proposal.c: Don't use NULL pointer (Coverity 941)
* src/racoon/racoonctl.c: Don't use NULL pointer (Coverity 942)
* src/racoon/sockmisc.c: Don't use null pointer (Coverity 863)
2006-10-01 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/ipsec_doi.c: FIx memory leak (Coverity 4181)
* src/racoon/isakmp.c: Check that iph1->remote is not NULL before
using it (Coverity 3436)
2006-09-30 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp_agg.c: emove dead code (Coverity 4165)
* src/racoon/isakmp_cfg.c: Fix memory leak (Coverity 4179)
* src/racoon/samples/roadwarrior/client/: phase1-down.sh,
phase1-up.sh: update the scripts for wrorking around routing
problems on NetBSD
* src/racoon/session.c: Reuse existing code for closing IKE
sockets, and avoid screwing things by setting p->sock = -1, which is
not expected (Coverity 4173).
* src/racoon/admin.c: Do not free id and key, as they are used
later
2006-09-29 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/racoonctl.c: Fix the fix: handle_recv closes the
socket, so we must call com_init before sending any data.
2006-09-28 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp_xauth.c: Fix unchecked mallocs (Coverity 4176,
4174)
* src/racoon/racoonctl.c: Fix access after free (Coverity 4178)
2006-09-26 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/cfparse.y: Fix memory leak (Coverity)
* src/racoon/backupsa.c: Fix memory leak (Coverity)
* src/racoon/admin.c: Remove dead code (Coverity)
* src/racoon/admin.c: Fix memory leak (Coverity)
* src/racoon/admin.c: One more memory leak
* src/racoon/admin.c: Fix memory leak in racoonctl (coverity)
* src/racoon/ipsec_doi.c: Fix buffer overflow Also fix credits: SA
bundle fix was contributed by Jeff Bailey, not Matthew Grooms.
Matthew updated the patch for current code, though.
* src/racoon/: pfkey.c, proposal.c: fix SA bundle (e.g.: for
negotiating ESP+IPcomp)
2006-09-25 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/isakmp.c: From Yves-Alexis Perez: struct ip -> struct
iphdr for Linux
2006-09-25 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp.c: style (mostly for testing
ipsec-tools-commits@netbsd.org)
* src/racoon/ipsec_doi.c: Fix double free, from Matthew Grooms
2006-09-21 Yvan Vanhullebus <vanhu@netasq.com>
* src/libipsec/pfkey.c: use sysdep_sa_len to make it compile on
Linux
2006-09-19 Thomas Klausner <wiz@netbsd.org>
* src/racoon/racoon.conf.5: Bump date for ike_frag force.
* src/racoon/: plainrsa-gen.8, racoon.conf.5: New sentence, new
line.
* src/racoon/: racoon.conf.5, plainrsa-gen.8: Remove trailing
whitespace.
2006-09-19 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/proposal.c: From Yves-Alexis Perez: fixes default
value for encmodesv in set_proposal_from_policy()
* src/racoon/isakmp.c: always include some headers, as they are
required even without NAT-T
* src/: libipsec/pfkey_dump.c, setkey/token.l: From Larry Baird:
define SADB_X_EALG_AESCBC as SADB_X_EALG_AES if needed
* src/racoon/crypto_openssl.c: From Larry Baird: some printf() ->
plog()
2006-09-18 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/: cfparse.y, cftoken.l, isakmp.c, isakmp_frag.h,
isakmp_inf.c, racoon.conf.5, remoteconf.c: From Matthew Grooms:
ike_frag force option to force the use of IKE on first packet
exchange (prior to peer consent)
* src/racoon/isakmp.c: From Matthew Grooms: handle IKE frag used in
the first packet. That should not normally happen, as the initiator
does not know yet if the responder can handle IKE frag. However, in
some setups, the first packet is too big to get through, and
assuming the peer supports IKE frag is the only way to go.
racoon should have a setting in the remote section to do taht
(something like ike_frag force)
2006-09-16 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/ipsec_doi.c: Trivial bugfix in RFC2407 4.6.2
conformance, from Matthew Grooms
2006-09-15 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/ipsec_doi.c: Fix build on Linux
For older changes see ChangeLog.old
distrib
>
Mageia
>
5
>
i586
>
media
>
core-release
>
by-pkgid
>
3c23b5f3f0bc9f56e505ba7858af4dcf
>
files
>
15
