author | Christian Mauderer <christian.mauderer@embedded-brains.de> | 2018-05-30 14:27:35 +0200 |
---|---|---|
committer | Christian Mauderer <christian.mauderer@embedded-brains.de> | 2018-08-01 09:55:27 +0200 |
commit | ff36f5e409707ada66506eefd4ac0a396cb28055 (patch) | |
tree | 9594b2a1aeb06b4ecaaae02644a65525adaf5bb5 /ipsec-tools/ChangeLog.old | |
parent | if_ipsec: Port and add to everything-buildset. (diff) | |
download | rtems-libbsd-ff36f5e409707ada66506eefd4ac0a396cb28055.tar.bz2 |
Import ipsec-tools 0.8.2.
Import unchanged ipsec-tools sources in the release version 0.8.2. The
homepage of ipsec-tools is http://ipsec-tools.sourceforge.net/. The
sources can be obtained from there.
Diffstat (limited to 'ipsec-tools/ChangeLog.old')
-rw-r--r-- | ipsec-tools/ChangeLog.old | 2626 |
1 files changed, 2626 insertions, 0 deletions
diff --git a/ipsec-tools/ChangeLog.old b/ipsec-tools/ChangeLog.old new file mode 100644 index 00000000..0277b740 --- /dev/null +++ b/ipsec-tools/ChangeLog.old 
@@ -0,0 +1,2626 @@ + Migration to cvs.netbsd.org + +2006-08-22 Emmanuel Dreyfus <manu@netbsd.org> + + From Matthew Grooms: + * src/racoon{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h} + src/racoon{isdakmp_quick.c|isakmp_xauth.c|isakmp_xauth.h} + src/racoon/racoon.conf.5: Add a group check option + +2006-08-17 Yvan Vanhullebus <vanhu@netasq.com> + + Patch from Matthew Grooms: + * src/racoon/ipsec_doi.c: fixed an ASN1 size in + ipsecdoi_checkid1() + +2006-08-11 Yvan Vanhullebus <vanhu@netasq.com> + + Patch from Matthew Grooms: + * src/racoon/ipsec_doi.[ch]: fixed and public ipsecdoi_id2str() + * src/racoon/isakmp_quick.c: text fix + * src/racoon/pfkey.c: sainfo debug + * src/racoon/sainfo.c: sainfo debug + +2006-07-17 Yvan Vanhullebus <vanhu@netasq.com> + + Reported by Matthew Grooms: + * src/racoon/isakmp_quick.c: Fixed iph2->id / id_p checks in + get_sainfo_r(). + * src/racoon/racoon.conf.5: updated man page for sainfo logic. + +2006-07-31 Emmanuel Dreyfus <manu@netbsd.org> + From Matthew Grooms <mgrooms@shrew.net> + * src/racoon/{cfparse.y|isakmp_cfg.c|isakmp_cfg.h} + src/racoon/{isakmp_unity.c|isakmp_unity.h}: splinet support + becomes dynamic, bugfixes + +2006-07-19 Emmanuel Dreyfus <manu@netbsd.org> + From Peter Eisch <peter@boku.net> + * src/racoon/samples/roadwarrior/client/phase1-up.sh: add missing + netmask in network interface configuration + + From Matthew Grooms <mgrooms@shrew.net> + * configure.ac src/racoon/isakmp_xauth.c: update the LDAP API usage + + From Matthew Grooms <mgrooms@shrew.net> + * src/racoon/{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h} + src/racoon/{isakmp_cfg.c|isakmp_unity.c|racoon.conf.5}: Split DNS + support (server side) + +2006-07-17 Yvan Vanhullebus <vanhu@netasq.com> + + * src/libipsec/pfkey.c: Fixed SADB_X_EXT_SEC_CTX support in pfkey_align(). + Break reported by Matthew Grooms. 
+ +2006-07-13 Frederic Senault <fred@lacave.net> + + * src/racoon/isakmp_cfg.c: fix a typo that rendered DNS4 / WINS4 + unoperable on 64bit architectures ; add a packetdump of MODE_CFG + exchange in debug mode. + +2006-07-09 Emmanuel Dreyfus <manu@netbsd.org> + From Matthew Grooms <mgrooms@shrew.net> + * src/racoon{cfparse.y|cftoken.l|isakmp_quick.c|isakmp_xauth.c} + src/racoon{isakmp_xauth.h|racoon.conf.5|sainfo.c|sainfo.h}: + Group authentication for Xauth. Supports system groups and LDAP. + +2006-07-04 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/nattraversal.c: fixed a malloc check in + natt_keepalive_add(). Patch from Bruno Wagenseil. + +2006-06-30 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/{cfparse.l|cftoken.l}: meaningful error message when + we cannot find the configuration file. + +2006-06-24 Emmanuel Dreyfus <manu@netbsd.org> + From Matthew Grooms <mgrooms@shrew.net> + * src/racoon{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h} + src/racoon/{isakmp_xauth.c|isakmp_xauth.h|racoon.conf.5}: network + configuration obtained from LDAP directory + +2006-06-23 Emmanuel Dreyfus <manu@netbsd.org> + From Matthew Grooms <mgrooms@shrew.net> + * configure.ac: build fixes + +2006-06-22 Emmanuel Dreyfus <manu@netbsd.org> + * src/racoon/evt.c: build fix + From Matthew Grooms <mgrooms@shrew.net> + * configure.ac: build fixes around libldap and libiconv search + +2006-06-21 Emmanuel Dreyfus <manu@netbsd.org> + * src/racoon/evt.c: Do not record events if admin socket is + disabled. + +2006-06-20 Emmanuel Dreyfus <manu@netbsd.org> + + * configure.ac: Check for conflicts between system libiconv + and newer libiconv header + From Matthew Grooms <mgrooms@shrew.net> + * configure.ac src/racoon/{cfparse.y|cftoken.l} + src/racoon/{isakmp_cfg.h|isakmp_xauth.c|isakmp_xauth.h} + src/racoon/{main.c|racoon.conf.5}: Use LDAP for Xauth + +2006-06-20 Yvan Vanhullebus <vanhu@netasq.com> + + * configure.ac: fixed SHA256 detection on some systems. Patch by + Dmitry Andrianov. 
+ * src/racoon/{cfparse.y|cftoken.l|plog.[ch]|racoon.conf.5}: + changed logging levels. Patch by Michal Ruzicka. + +2006-06-15 Emmanuel Dreyfus <manu@netbsd.org> + From Matthew Grooms <mgrooms@shrew.net> + * src/racoon/main.c: make sure RADIUS is correctly initialized + +2006-06-14 Yvan Vanhullebus <vanhu@netasq.com> + + * Makefile.am, src/Makefile.am: fixed make dist on *BSD + +2006-06-07 Emmanuel Dreyfus <manu@netbsd.org> + * src/racoon/isakmp_cfg.c: Fix build. + +2006-05-26 Emmanuel Dreyfus <manu@netbsd.org> + From Pawel Jakub Dawidek <pjd@FreeBSD.org> + * src/racoon/handler.c: Fix a crash caused by a NULL pointer + * src/racoon/oakley.c: Typos + * src/racoon/isakmp_base.c: Fix uninitialized buffer + * src/racoon/isakmp_base.c: Do send DPD VID in resp case (base mode) + +2006-05-23 Emmanuel Dreyfus <manu@netbsd.org> + * src/racoon/isakmp_cfg.c: Mode cfg can be used without Xauth, so + do not assume Xauth when preparing a hook script environement. + From chunkeey@web.de + * src/racoon/{algorithm.c|oakley.c|gssapi.c|ipsec_doi.c}: Fix amd64 + build warnings + * src/racoon/ipsec_doi.c: Don't free a referenced buffer + From Matthew Grooms <mgrooms@shrew.net> + * src/racoon/isakmp_cfg.c: Fix for unity local_lan support + +2006-05-07 Emmanuel Dreyfus <manu@netbsd.org> + * src/racoon/{isakmp.c|session.c|sockmisc.c|racoon.conf.5}: Do + not reconfigure interface sockets when running in privilege + separation as it will not work. Add debug for setsockopt(). + * src/racoon/racoonctl.8: Do not tell config reload is completely + broken (it's only somewhat broken). 
+ +2006-05-06 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/{remoteconf.c|remoteconf.h|isakmp.c|cfparse.y}: Fix + memory leak (Coverity) + * src/racoon/pfkey.c: Fix memory leak (Coverity) + * src/racoon/ipsec_doi.c: Fix memory leak (Coverity) + * src/racoon/isakmp.c: Fix memory leak (Coverity) + * src/racoon/dnssec.c: Fix memory leak (Coverity) + * src/racoon/backupsa.c: Fix memory leak (Coverity) + * src/racoon/{nattraversal.c|isakmp.c|cfparse.y}: Check for non NULL + allocation (Coverity) + * src/racoon/isakmp_quick.c: Remove dead code (Coverity) + * src/racoon/oakley.c: Remove dead code (Coverity) + * src/racoon/crypto_openssl.c: Remove dead code (Coverity) + +2006-05-05 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/pfkey.c: Sets NAT-T ports to 0 if no NAT + encapsulation in pk_sendgetspi(). + +2006-05-04 Yvan Vanhullebus <vanhu@netasq.com> + From Preggna S (spreggna@novell.com) + * src/racoon/schedule.h: fixed gnuc.h include. + * src/racoon/{cfparse.y|cftoken.l}: Address range sainfos support. + * src/racoon/ipsec_doi.[ch]: ipsecdoi_sockrange2id() function. + +2006-05-03 Yvan Vanhullebus <vanhu@netasq.com> + From Joy Latten <latten@austin.ibm.com> + * configure.ac: security context support check + * src/libipsec/{pfkey.c|pfkey_dump.c}: + SADB_X_EXT_PACKET / SADB_X_EXT_SEC_CTX support + * src/setkey/{parse.ytoken.l}: parses optionnal security context + * src/setkey/setkey.8: security context syntax + +2006-04-27 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/{remoteconf.c|proposal.c}: fix memory leak (Coverity) + +2006-04-24 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/isakmp.c: style cleanup in delete_spd() + +2006-04-13 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/pfkey.c: Sets NAT-T ports to 0 if no NAT + encapsulation in pk_sendupdate(). 
+ +2006-04-12 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/ipsec_doi.c: fix memory leaks (Coverity) + +2006-04-06 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/{admin.c|cfparse.y|cftoken.l|debugrm.c|debugrm.h} + src/racoon/{gcmalloc.h|isakmp.c|isakmp_inf.c|isakmp_xauth.c} + src/racoon/{logger.c|misc.h|plog.c|racoonctl.c|sockmisc.c}: Add + strdup in the malloc debugging framework, check for strdup failures + (found by Coverity) + * src/racoon/admin.c: Do not use an unallocated pointer (Coverity) + * src/racoon/schedule.c: Check for NULL pointer + * src/racoon/{grabmyaddr.c|handler.c|isakmp.c|isakmp_cfg.c} + src/racoon/{isakmp_inf.c|isakmp_quick.c|nattraversal.c}: Check + that dupsaddr returns non NULL pointers (Coverity) + * src/racoon/isakmp_quick.c: Ignore multiple notifications in the + same message, and do not leak memory (Coverity) + * src/racoon/{isakmp_agg.c|isakmp_ident.c}: Fix memory leak in + GSSAPI code (Coverity) + * src/racoon/racoonctl.c: fix minor memory leak (Coverity) + * src/racoon/isakmp.c: fix memory leak (Coverity) + * src/racoon{isakmp.c|isakmp_inf.c}: fix phase 1 handler leak (Coverity) + +2006-04-05 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/isakmp_xauth.c: fix unitialized variable, found by + Coverity + * src/racoon/{isakmp_cfg.c|isakmp_xauth.h|isakmp_xauth.c}: Do not + use deleted phase 1 handler after errors, found by coverity + * src/racoon/main.c: tell which config file we use + * src/racoon/isakmp_cfg.c: Do not use deleted phase 1 handler, found + by Coverity + * src/racoon/{isakmp_agg.c|isakmp_ident.c}: Do not use deleted phase 1 + handler, found by Coverity + * src/racoon/dnssec.c: do not return a free'ed certificate, found by + Coverity + * src/racoon/oakley.c: fix stale pointer alias, found by Coverity + * src/racoon/throttle.c: do not free current item while walking a + chained list, found by Coverity + * src/racoon/vmbuf.c: handle NULL argument for vdup, found by Coverity + +2006-03-18 Emmanuel Dreyfus 
<manu@netbsd.org> + + From John Nemeth <jnemeth@victoria.tc.ca> and a Coverity scan + * src/racoon/isakmp_xauth.c: fix memory leak + +2006-02-25 Emmanuel Dreyfus <manu@netbsd.org> + + From Thomas Klausner <wiz@NetBSD.org> + * src/racoon/{cfparse.y|handler.h}: typos + +2006-02-23 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/main.c: do not reset isakmp_cfg structure after + config reload. + +2006-02-22 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/vendorid.c: Fixed Vendor IDs order (well, should not + be really necessary) and DPD VId hash generation + +2006-02-17 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/{cfparse.y|sainfo.c}: Support for "semi anonymous" + sainfos. + * src/racoon/racoon.conf.5: updated sainfos syntax + * src/racoon/vendorid.[ch]: IPSec-Tools Vendor ID + +2006-02-15 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/{cfparse.y|cftoken.l}: Parse new generate_policy + levels + * src/racoon/remoteconf.h: defines for REQUIRE/UNIQUE/NONE + generate policy levels + * src/racoon/proposal.c: Sets optionnal reqid for generated + policies + * src/racoon/pfkey.c: sends UNIQUE policies to kernel if reqid + specified + * src/racoon/racoon.conf.5: updated generate_policy syntax + +2006-02-02 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/isakmp.c: Fixed zombie PH1 handler when isakmp_send() + fails in isakmp_ph1resend() + +2006-01-17 Frederic Senault <fred@lacave.net> + + * src/racoon/cfparse.y: Add the keyid [ (tag|file) ] semantics to the + peers_identifier keyword. + + * src/racoon/{evt.h|isakmp.c|racoonctl.c}: Send a message to the + adminsock to allow for racoonctl to stop looping when the + vpn-connect command is used and there is no mode config exchange. + +2006-01-08 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/isakmp_cfg.c: make software behave as the documentation + advertise for INTERNAL_NETMASK4. Keep the old INTERNAL_MASK4 to + avoid breaking backward compatibility. 
+ +2005-12-19 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/session.c: Fixed / cleaned up signal handling. + +2005-12-13 Yvan Vanhullebus <vanhu@netasq.com> + + * src/libipsec/samples/*: replaced "obey" mode by "strict" mode. + +2005-12-07 Yvan Vanhullebus <vanhu@netasq.com> + + * src/libipsec/pfkey_dump.c: fixed compilation when NAT_T + disabled (Fred has still some CVS problems). + * src/racoon/session.c: Calls isakmp_cfg_init() only if + ENABLE_HYBRID in reload_conf(). + +2005-12-04 Frederic Senault <fred@lacave.net> + + * src/libipsec/{libpfkey.h|pfkey_dump.c}: add a sadump_withports + function to display SAD entries with their associated ports. + * src/setkey/{parse.y|setkey.c|setkey.8}: allow to use setkey -p flag + in conjunction with -D to show SADs with the port, allow both get and + delete commands to use bracketed ports if needed. + +2005-11-26 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/session.c: fix possible race conditions in signal handlers + * src/racoon/{isakmp_cfg.c|isakmp_cfg.h|main.c|session.c}: when + reloading configuration, do not new add mode_cfg config to the + existign one, overwrite it instead. + +2005-11-25 Emmanuel Dreyfus <manu@netbsd.org> + + From Thomas Klausner <wiz@netbsd.org> + * src/racoon/racoon.conf.5: Style changes + +2005-11-21 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/isakmp_[ident|agg].c: Check if natt is available when + receiving a NAT_D payload from initiator. It saves a crash, + reported by Dave Huang to NetBSD. + +2005-11-20 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/isakmp_agg.c: Check that we got some needed payloads + from peer (could cause a DoS). 
Crash reported by Adrian Portelli + using IKE test suite from + http://www.ee.oulu.fi/research/ouspg/protos/testing/c09/isakmp/ + +2005-11-10 Yvan Vanhullebus <vanhu@free.fr> + + Patches from Francis Dupont + * src/libipsec/key_debug.c: SADB_X_EXT_PACKET support + * src/libipsec/{libpfkey.h|pfkey.c}: pfkey_send_migrate() function + * src/setkey/parse.y: IPPROTO_MH support + * src/racoon/pfkey.c: fixed some logs + * src/racoon/strnames.c: fixed a typo for SADB_X_PROMISC, + appropriate define for SADB_X_NAT_T_NEW_MAPPING, added + SADB_X_MIGRATE + +2005-11-06 Aidas Kasparas <a.kasparas@gmc.lt> + + * src/racoon/main.c, src/racoon/session.c: moved .pid file writing + just before main loop. Thanks Stephen Thorne + * src/racoon/localconf.h, src/racoon/cftoken.l: introduced + path pidfile directive + * src/racoon/racoon.conf.5: documented above + * configure.ac: OpenSSL 0.9.8 compilation fix. Thank Ganesan + Rajagopal + * configure.ac: added check for strlcat function + * src/racoon/misc.h: define strlcat function for systems without one + * src/racoon/remoteconf.c: strncat -> strlcat + +2005-11-01 Aidas Kasparas <a.kasparas@gmc.lt> + + * src/racoon/isakmp_inf.c: repeated gcc-4.0 build fix. Thanks + Andreas Tobler + +2005-10-30 Yvan Vanhullebus <vanhu@netasq.com> + + Patches from Christoph Nadig for compilation on MacOS X + * configure.ac: no lcrypt for darwin + * src/libipsec/key_debug.c: include stdint.h if HAVE_STDINT_H + * src/racoon/isakmp_cfg.c: some includes and some %zu + * src/racoon/isakmp_unity.c: fixed a %zu + * src/racoon/vmbuf.h: vfree already defined for Apple + +2005-10-17 Aidas Kasparas <a.kasparas@gmc.lt> + + Introduced subnet sainfo type. 
+ * src/racoon/cftoken.l: new token "subnet" + * src/racoon/cfparse.y: added address/subnet diferentiation logic + * src/racoon/ipsec-doi.h: new constant + * src/racoon/ipsec-doi.c: adopted to above + * src/racoon/racoon.conf.5: documented above + +2005-09-14 Emmanuel Dreyfus <manu@netbsd.org> + + * src/libipsec/pfkey.c: One forgotten cast caddr_t -> void * + +2005-10-14 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/ipsec_doi.c: don't allow NULL or empty FQDNs or + USER_FQDNs (problem reported by Bernhard Suttner). + +2005-09-10 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon[isakmp.c|isakmp_cfg.c|isakmp_inf.c} + src/racoon/doc/FAQ configure.ac: Add --enable-broken-natt for + kernel implementing NAT-T but unable to cope with IKE ports in + SAD and SPD. + +2005-09-05 Emmanuel Dreyfus <manu@netbsd.org> + + From Wilfried Weissmann: + * src/libipsec/policy_parse.y src/racoon/oakley.c + src/racoon/{sockmisc.c|sockmisc.h}: build fixes + + +2005-09-03 Emmanuel Dreyfus <manu@netbsd.org> + + From Francis Dupont <Francis.Dupont@enst-bretagne.fr> + * src/libipsec/pfkey.c src/racoon/pfkey.c: Cope with extensions + +2005-08-26 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/evt.c: Fix memory leak when event queue overflows + +2005-08-23 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/{isakmp_agg.c|isakmp_ident.c|isakmp_base.c}: Correctly + initialize NAT-T VID to avoid freeing unallocated stuff. + +2005-08-21 Emmanuel Dreyfus <manu@netbsd.org> + + From Matthias Scheler <matthias.scheler@tadpole.com> + * src/racoon/{isakmp_cfg.c|racoon.conf.5}: enable the use of + ISAKMP mode config without Xauth. + +2005-08-16 Emmanuel Dreyfus <manu@netbsd.org> + + From Thomas Klausner <wiz@netbsd.org> + * src/setkey/setkey.8: remove trailing whitespaces + +2005-09-09 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/policy.c: Do not parse all sptree in inssp() if we + don't use Policies priority. 
+ +2005-08-20 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/handler.c: Fixed a possible crash in + remove_ph2(). Reported by Dietmar Eggemann. + +2005-08-14 Emmanuel Dreyfus <manu@netbsd.org> + + From Francis Dupont <Francis.Dupont@enst-bretagne.fr> + * src/racoon/dnssec.c: fix bogus test on function result + +2005-08-11 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/isakmp.c: Improved in/out SA addresses check in + purge_remote(). Reported by Patrick Ma. + +2005-08-08 Emmanuel Dreyfus <manu@netbsd.org> + + * src/libipsec/{key_debug.c|pfkey.c|pfkey_dump.c}: de-lint, warnings + +2005-08-08 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/privsep.c: Fixed a %d -> %zu in + port_check() (reported by Matthias Scheler). + +2005-08-04 Emmanuel Dreyfus <manu@netbsd.org> + + * configure.ac: correctly quote RACOON_PATH_LIBS arguments + +2005-08-02 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/isakmp_inf.c: First fix to + info_recv_initialcontact(): do a basic IP check when no NAT-T. + +2005-07-26 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/isakmp.c: Fixed purge_remote() + +2005-07-25 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/isakmp.c: Do not purge IPSec SAs in purge_remote() if + a new ph1handle exists (patch by Krzysztof Oledzki) + +2005-07-20 Aidas Kasparas <a.kasparas@gmc.lt> + + * configure.ac: disabled --enable-samode-unspec under linux + +2005-07-20 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/isakmp_quick.c: Ignore NATOA payloads in + quick_r1recv() as it is done in quick_i2recv(). + * configure.ac: new --enable-fastquit option + * src/racoon/session.c: new code optional code when flushing SAs, + which is faster and should have no deadlocks. configure + --enable-fastquit option to enable it. 
+ +2005-07-19 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/isakmp.c: Checks in isakmp_ph1begin_r() if we got the + packet from NAT-T port, and set up the NAT_PORTS_CHANGED in that + case (RFC 3947, sect 4, we MUST allow new phase1 negociations on + NAT-T floated port), to correctly generate the reply. + +2005-07-16 Aidas Kasparas <a.kasparas@gmc.lt> + + * src/racoon/grabmyaddr.c: fixed file descriptor leak. Thanks to + Patrice Fournier + * src/racoon/setkey.c: disabled readline's filename completion + (bug 1179281 fix) + * src/racoon/proposal.c: fixed mode selection for SAs with + complex_bundle on behind NAT + +2005-07-14 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/handler.c: - Clears the DPD schedule in delph1() + - Cleared up sanity checks in delph1() + - Sets p->rmconf to NULL if no new + remoteconf in revalidate_ph1tree_rmconf() + * src/racoon/isakmp.c: Added sanity checks in script_hook() + * src/racoon/oakley.c: Sanity check in save_certbuf() + + +2005-07-13 Emmanuel Dreyfus <manu@netbsd.org> + + * src/setkey/Makefile.am: missing file in distribution + +2005-07-12 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/isakmp.c: Fixed a mem leak in isakmp_send(). + +2005-07-12 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/pfkey.c: Set IKE ports to 0 in the SA when NAT-T is not + used. + * src/racoon/{crypto_openssl.c|ipsec_doi.c|oakley.c} configure.ac + src/racoon/missing/crypto/sha2/sha2.h: Support OpenSSL-0.9.8 + * src/racoon/{admin.c|session.c}: Don't use the adminport if it is + disabled + * src/racoon/samples/roadwarrior/client/{pahse1-up.sh|phase1-down.sh}: + Add comments for using the scripts without NAT-T + +2005-07-11 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/ipsec_doi.c configure.ac: More build fixes on Linux. + Accomodate various libiconv versions + +2005-07-10 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/ipsec_doi.c configure.ac: build fixes on Linux. 
+ Accomodate various libiconv versions + +2005-07-09 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/crypto_openssl.c: Fixed evp_crypt when using crypto + algorithms with variable key size but not OpenSSL default key + size. + +2005-07-07 Emmanuel Dreyfus <manu@netbsd.org> + + From Mathias Scheler <tron@netbsd.org> + * src/racoon/raccon.conf.5: Document that aes can be used in + racoon.conf + +2005-07-06 Frederic Senault <fred@lacave.net> + + * src/setkey/setkey.c: fix compilation with readline. + * src/racoon/oakley.c: move declarations to fix compilation issues + with gcc 2.95.4/FreeBSD4, re-indentation and style cleanup of the + pkcs7 patch. + +2005-07-04 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/isakmp_inf.c: safety checks on informational messages + * src/racoon/{pfkey.c|proposal.c}: IPcomp fixes + +2005-07-01 Emmanuel Dreyfus <manu@netbsd.org> + + From Uri Blumenthal <urimobile@optonline.net>: + * src/racoon/{ipsec_doi.c|Makefile.am}: Linux build fixes + * src/racoon/oakley.c: pkcs7 support + +2005-06-29 Emmanuel Dreyfus <manu@netbsd.org> + + From Christos Zoulas <christos@zoulas.com> + * configure.ac src/setkey/{parse.y|setkey.c|token.l} + src/libipsec/{ipsec_dump_policy.c|ipsec_get_policylen.c|key_debug.c} + src/libipsec/{libpfkey.h|pfkey_dump.c|policy_parse.y}: de-lint, + using void * instead of caddr_t and adding const where appropriate. + * src/setkey/extern.h: new file + * src/libipsec/{pfkey.c|pfkey_dump.c|policy_parse.y} + src/racoon/{sockmisc.c|sockmisc.h}: de-lint signed/unsigned, + size_t/int and lint constants + +2005-06-24 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/handler.c: Fixed phase2 enc algo check when reloading + conf (could flush a phase2 handler when not needed). 
+ +2005-06-19 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/{admin.c|handler.c|handler.h|racoonctl.c|racoonctl.h} + src/racoon/racoonctl.8: + Add a logout-user command to racoonctl to kick out all SA for a + given Xauth user + + From Ludo Stellingwerff <ludo@protactive.nl>: + * src/racoon/isakmp.c: NAT-T fix: We treat null ports in SPD as + wildcard so that IKE ports are used instead. This was done on + phase 2 initiation from the kernel (acquire message), but not + on phase 2 initiation retries when the phase 2 had been queued + for a phase 1. + + From Uri Blumenthal <urimobile@optonline.net> + and Larry Baird <lab@gta.com>: + * src/libipsec/pfkey_dump.c src/setkey/test-pfkey.c + src/racoon/{algorithm.c|cftoken.l|eaytest.c|ipsec_doi.c} + src/racoon/{ipsec_doi.h|pfkey.c|strnames.c}: Add SHA2 support + * src/setkey/setkey.8 src/racoon/racoon.conf.5: update doc for SHA2 + * src/setkey/token.l: Add aliases shaxxx for sha2_xxx + +2005-06-07 Emmanuel Dreyfus <manu@netbsd.org> + + From Larry Baird <lab@gta.com> + * src/racoon/isakmp.c: consume NAT keepalive data already seen + with MSG_PEEK + +2005-06-07 Frederic Senault <fred@lacave.net> + + * configure.ac src/racoon/{cfparse.y|isakmp_cfg.h|isakmp_cfg.c} + src/racoon/{handler.c|privsep.c|privsep.h|racoon.conf.5}: Add + support for system accounting into the utmp files, with the + "accounting system" directive. + + * src/privsep.c: Bug fixes in the xauth password handling code. + +2005-06-06 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/isakmp_quick.c: endianness bug fix + +2005-06-05 Emmanuel Dreyfus <manu@netbsd.org> + + From Thomas Klausner <wiz@netbsd.org> + * src/setkey/setkey.8 src/racoon/racoon.conf.5: remove trailing + spaces, grammar fix + +2005-05-31 Aidas Kasparas <a.kasparas@gmc.lt> + + * src/racoon/ipsec_doi.c: Inserted missing 0th element of + rm_idtype2doi array. Bug #1199700 fix. 
+ +2005-05-30 Frederic Senault <fred@lacave.net> + + * src/racoon/oakley.h: Fix a typo in the RMAUTHMETHOD macro + definition. + + * src/racoon/isakmp_cfg.c: Fix the switch so that the phase1 script + is executed at the end of the mode cfg exchange ; add a debug + message at the script startup. + +2005-05-23 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/admin.c: build fix + +2005-05-20 Emmanuel Dreyfus <manu@netbsd.org> + + From Mike Robinson <sundialservices@users.sourceforge.net> + * src/racoon/isakmp_xauth.c: really delete phase 1 on Xauth failure + + * src/libipsec/pfkey.c src/racoon/ipsec_doi.c: Fix NAT-T + IPcomp + + From hgates <hgates.lists@gmail.com> + * src/racoon/proposal.c: fix SPI size test for IPcomp + + From Larry Baird <lab@gta.com> + * src/racoon/{handler.c|ipsec_doi.c}: When altering lifetime, + duplicate the proposal instead of modifying the configured one. + +2005-05-19 Frederic Senault <fred@lacave.net> + + * configure.ac src/racoon/plog.c: Fix the logging functions to work + around the lack of support of printf %zu in FreeBSD 4 (at least). + + * src/racoon/{isakmp.c|pfkey.c}: Put sockets in non-blocking mode to + fix a hangup with FreeBSD 4. + + * src/racoon/{isakmp_inf.c|isakmp_unity.h|strnames.c}: Recognize a + unity-specific heartbeat message. + * src/racoon/isakmp_inf.c: Reorganize switch statement in + isakmp_check_notify. + +2005-05-17 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/handler.c: Fixed exchange type check in + revalidate_ph1(). + * src/racoon/pfkey.c: changed includes order to fix compilation. + +2005-05-14 Emmanuel Dreyfus <manu@netbsd.org> + + * src/libipsec/policy_parse.y: Fix parse problem + +2005-05-14 Aidas Kasparas <a.kasparas@gmc.lt> + + * src/racoon/sockmisc.c: Debug message said it will send to + source address insted of destination. 
+ +2005-05-13 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/isakmp_inf.c: fix build problem + +2005-05-13 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/isakmp.c: Fixed a double ph2handler free in + isakmp_ph2begin_i(). + +2005-05-12 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/isakmp_quick.c: fix build problem on some platforms + + * src/racoon/isakmp.c: For acquire messages, when NAT-T is in use, + consider null port as a wildcard and use IKE ports. + +2005-05-10 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/samples/roadwarrior/server/{racoon.conf|racoon.conf-radius} + src/racoon/samples/roadwarrior/server/phase1-down.sh: removed file + src/racoon/samples/roadwarrior/client/racoon.conf: update config + files to higher security settings. Remove now useless phase 1 down + script on server side. + * Update README to reflect server/phase1-down.sh removal + +2005-05-09 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/{cftoken.l|cfparse.y|isakmp_cfg.c|isakmp_cfg.h} + src/racoon/{isakmp_unity.c|racoon.conf.5}: Add PFS group and + save password extensions from Cisco in ISAKMP mode config. 
+ +2005-05-08 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/{handler.c|ipsec_doi.c|proposal.c}: check for lifebyte + in proposals + * src/racoon/ipsec_doi.c: fix a bug in proposal_check claim for phase 1 + * src/racoon/handler.c: style + + * src/racoon/isakmp_xauth.c: fix build with shadow passwords + +2005-05-07 Emmanuel Dreyfus <manu@netbsd.org> + + * configure.ac src/racoon/isakmp_xauth.c: support shadow passwords + * src/racoon/{isakmp_inf.c|isakmp_inf.h}: missing prototype + * src/racoon/{handler.h|isakmp_inf.c|isakmp_quick.c|isakmp_var.h} + src/racoon/pfkey.c: Move purge_remote() and delete_spd() prototypes + to the right header file + +2005-05-06 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/{admin.c|isakmp.c|isakmp_inf.c}: factor various + ISAKMP SA termination (for DPD timeouts and delete message) to + use purge_remote() so that SA and generated SPD get correctly flushed + * src/racoon/{handler.c|handler.h}: Introduce getph1byaddrwop() and + getph2bysaddr() + * src/racoon/{isakmp.c|isakmp_var.h|isakmp_inf.c|isakmp_inf.h}: make + purge_remote(), setcopeid() and delete_spd() public + * src/racoon/isakmp_quick.c: remove duplicated setscopeid() + * src/racoon/{sockmisc.c|sockmisc.h} introduce a CMPSADDR() macro + to compare with ports when ENABLE_NATT and without otherwise + +2005-05-06 Frederic Senault <fred@lacave.net> + + * src/racoon/isakmp_inf.c: Only print the contents of an informative + message if the payload indicates an error ; transmit the return + values from the DPD functions. + +2005-05-06 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/isakmp_inf.c: Fix a bug causing informational message + payloads to be ignored + +2005-05-05 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/isakmp_inf.c: Fixed some potential crashes in + purge_remote() and purge_ipsec_spi(). 
+ +2005-05-05 Emmanuel Dreyfus <manu@netbsd.org> + + * src/libipsec/{policy_parse.y|policy_token.l} + src/setkey/{setkey.8|token.l}: Allow ports to be supplied in SP + endpoints, for accurate ESP over UDP matching + * src/racoon/{isakmp.c|racoon.conf.5}: Send IKE local and remote + ports to the hook scripts + * src/racoon/remoteconf.c: do not honour ports when looking up + a remote config, as our remote config have no port information + * src/racoon/samples/roadwarrior/client/{phase1-up.sh|phase1-down.sh}: + use the IKE ports supplied by racoon to set up acurate endpoints + ports in SP endpoints + +2005-05-04 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/isakmp_inf.c: code cleanup for SPD remove, generated + policies are now also removed when DPD purge. + +2005-05-04 Emmanuel Dreyfus <manu@netbsd.org> + + From Manisha Malla <mmanisha@novell.com> + * src/racoon/isakmp_cfg.c: fix unsigned int checked for being negative + + From Ludo Stellingwerff <ludo@protactive.nl> + * src/setkey/{parse.y|token.l}: build on system that do not have + TCP-MD5 support + +2005-05-04 Michal Ludvig <michal@logix.cz> + + * configure.ac: Revert GLIBC_BUGS change from 2005-04-15 + +2005-05-03 Frederic Senault <fred@lacave.net> + + * src/racoon/{cfparse.y|cftoken.l|isakmp_inf.c|racoon.conf.5} + src/racoon/{remoteconf.c|remoteconf.h}: Add a weak_phase1_check + option to enable the handling of unencrypted delete payloads. + + * src/racoon/plog.c: Use of isgraph in binsanitize. + + * src/racoon/rfc/rfc3706.txt: new file: Dead Peer Detection RFC. + + * src/racoon/isakmp_inf.c: Unused code cleanup. 
+ +2005-04-26 Emmanuel Dreyfus <manu@netbsd.org> + + * bootstrap: Darwin support + + From Larry Baird <lab@gta.com> + * src/racoon/nattraversal.c: Fix NAT-T for initiator + + From Andreas Tobler <toa@pop.agri.ch>: + * src/racoon/{misc.h|throttle.c|remoteconf.c|sockmisc.c|privsep.c} + src/racoon/{pfkey.c|isakmp.c|grabmyaddr.c|getcertsbyname.c} + src/racoon/configure.ac src/libipsec/policy_token.l + src/setkey/token.l: Build on Darwin + +2005-04-25 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/handler.h: ifdef DPD and NAT-T data in data structures + + * src/libipsec/{ipsec_dump_policy.c|pfkey_dump.c|libpfkey.h} + src/setkey/{setkey.8|setkey.c}: add a -p option to setkey to + enable the display of ESP over UDP ports in policies. + + * src/racoon/ipsec_doi.c: fix LP64 bug + + From Ludo Stellingwerff <ludo@protactive.nl>: + * src/racoon/isakmp.c: build without NAT-T + + From F. Senault <fred.letter@lacave.net> + * src/racoon/{evt.h|isakmp.h|isakmp_inf.c|plog.c|plog.h|racoonctl.c} + src/racoon/isakmp_xauth.c: Take into account payloads bundled after + an ISAKMP informationnal message. + + From Patrick McHardy <kaber@trash.net> + * src/racoon/{handler.c|handler.h|pfkey.c}: When handling acquire + message, lookup phase 2 by (src, dst, id) instead of only id. + +2005-04-23 Emmanuel Dreyfus <manu@netbsd.org> + + * src/libipsec/ipsec_dump_policy.c: display port numbers in policies + * src/racoon/{isakmp.c|isakmp_cfg.c|isakmp_inf.c|pfkey.c}: don't + forget port numbers so that mutiple clients behind the same NAT + can work. + + From Larry Baird <lab@gta.com> + * src/racoon/{isakmp.c|nattraversal.c|isakmp_quick.c|nattraversal.h}: + NAT-T fixes for interoperability with greenbow VPN client. 
+ +2005-04-21 Aidas Kasparas <a.kasparas@gmc.lt> + + * src/libipsec/policy.parse.y, src/racoon/cfparse.y, + src/libipsec/policy_parse.y, src/racoon/cfparse.y, + src/racoon/cftoken.l, src/racoon/crypto_openssl.c, + src/racoon/getcertsbyname.c, src/racoon/grabmyaddr.c, + src/racoon/ipsec_doi.c, src/racoon/isakmp.c, + src/racoon/isakmp_inf.c, src/racoon/pfkey.c, + src/racoon/plainrsa-gen.c, src/racoon/sockmisc.c, + src/racoon/sockmisc.h, src/racoon/racoonctl.c: made compile + with gcc-4.0 (20050410 prerelease) + +2005-04-20 Aidas Kasparas <a.kasparas@gmc.lt> + + 
From: Ganesan Rajagopal <rganesan@users.sourceforge.net> + * configure.ac: fix --enable-ipv6 logic + +2005-04-19 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/remoteconf.c: fixed dupisakmpsa() and dhgroup. + +2005-04-18 Aidas Kasparas <a.kasparas@gmc.lt> + + * src/racoon/crypto_openssl.c: fixed single DES support; + * NEWS: noted fix + +2005-04-18 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/isakmp_base.c: DPD support, fix memory leak + + From Thomas Klausner <wiz@NetBSD.org> + * src/libipsec/{ipsec_set_policy.3|ipsec_strerror.3} + src/racoon/{admin.c|plainrsa-gen.8|racoon.8|racoon.conf.5|racoonctl.8} + src/racoon/samples/{racoon.conf.in|racoon.conf.sample} + src/racoon/samples/racoon.conf.sample-gssapi + src/racoon/samples/racoon.conf.sample-inherit + src/racoon/samples/racoon.conf.sample-natt + src/racoon/samples/racoon.conf.sample-plainrsa + src/racoon/samples/roadwarrior/README + src/racoon/samples/roadwarrior/server/phase1-down.sh + src/setkey/setkey.8: docmumentation fixes + + From KAME + * src/racoon/ipsec_doi.c: wrong check on SA lifebyte + + From Fred Senault <fred.letter@lacave.net> + * src/racoon/{cfparse.y|cftoken.l} drop split_net_type directive, + which is now incoprated into split_net_tunnels + * src/raccon/{isakmp.c|isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c} + src/racoon/isakmp_xauth.h: support login and password sent + in different packets during the Xauth exchange. 
This makes racoon + interoperable with SecureComputing's sidewinder + * src/racoon/{strnames.c|strnames.h}: more debug strings for Xauth + +2005-04-17 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/handler.c: Configuration reload validation code + * src/racoon/handler.h:revalidate_ph12() function + * src/racoon/ipsec_doi.c: duplicates iph1->approval in + get_ph1approval(), some fields sets to NULL when needed + * src/racoon/isakmp_inf.[ch]: purge_ipsec_spi() is now public + * src/racoon/localconf.[ch]: save/restore_params() functions + * src/racoon/main.c: moved restore_params functions to localconf + * src/racoon/remoteconf.c: save_rmconf() functions, dupisakmpsa() + function, some values set to NULL when needed + * src/racoon/remoteconf.h: save_rmconf() functions, dupisakmpsa() + function + * src/racoon/sainfo.[ch]: save_sainfotree() functions + * src/racoon/session.c: Reloads conf on a SIGHUP without loosing + existing tunnels + +2005-04-15 Aidas Kasparas <a.kasparas@gmc.lt> + + From Zilvinas Valinskas <zilvinas@gemtek.lt>: + * configure.ac: + - cross-compile type fix (patch 1); + - --enable-{frag|hybrid}=no fixes (patches 6,7); + - support for --with-flex, --with-flexlib (patch 11); + - GLIBC_BUGS assignment correction (patch 14 with mods). + * src/racoon/isakmp.c: fix compilation when hybrid disabled. 
+ +2005-04-11 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/rfc/{rfc2407.txt|rfc2408.txt: new files + RFC for IPsec DOI and ISAKMP + +2005-04-10 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/isakmp_base.c: resurect RSASIG support + * src/racoon/isakmp_ident.c: missing support for hybrid auth + * src/racoon/{isakmp_base.c|oakley.c}: missing bits for hybrid/base mode + +2005-04-09 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/{algorithm.c|algorithm.h|cftoken.l|ipsec_doi.c} + src/racoon/{isakmp.c|isakmp_agg.c|isakmp_ident.c|isakmp_base.c} + src/racoon/{isakmp_frag.h|isakmp_xauth.c|oakley.c|racoon.conf.5}: + Add Xauth + RSASIG, for client and server. Add all Xauth and + IKE fragmentation logic to base and ident mode. + * src/libipsec/{pfkey.c|pfkey_dump.c} + src/setkey/parse.y: more missing TCP_MD5 bits from KAME + +2005-04-08 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/cfparse.y: a list of network can be specified for split + tunnelling + * src/racoon/{isakmp_cfg.c|racoon.conf.5}: add INTERNAL_CIDR4, the + netmask in CIDR notation, to the hook script environement. + * src/setkey/{token.l|parse.y|setkey.8}: KAME backport of missing + bits for TCP_MD5 support. + + From Fred Senault <fred.letter@lacave.net> + * src/racoon/{cfparse.y|cftoken.l|ipsec_doi.c|ipsec_doi.h} + src/racoon/racoon.conf.5: KEYID identifier can be taken from + a file or from a quoted string + +2005-04-05 Emmanuel Dreyfus <manu@netbsd.org> + + From Fred Senault <fred.letter@lacave.net> + * src/racoon/admin.c: fix the admin interface that was left behind + after recent Xauth changes + * src/racoon/{cfparse.y|isakmp_xauth.c|isakmp_xauth.h|oakley.c} + src/racoon/{remoteconf.c|remoteconf.h}: factor Xauth info in + remote conf within a single structure. 
+ * src/racoon/{isakmp.c|isakmp_cfg.c}: on client side, do not run + phase1-up script before ISAKMP mode config is done + * src/racoon/isakmp_inf.c: log a buggy condition + * src/racoon/{isakmp.c|isakmp_agg.c|isakmp_base.c|isakmp_ident.c} + src/racoon/{oakley.c|oakley.h}: Use the AUTHMETHOD macro to + distinguish between XAUTH PSK and Kerberos authentications + * src/racoon/{oakley.c|remoteconf.c}: set a default for certificate + requests + * src/racoon/isakmp_xauth.c: Fix serious security bug introduced + on 2005-03-09: Xauth validation was required for phase 2 on the + client (thus blocking phase 2), but not on the server (thus + making it open regardless of Xauth exchange). + * src/racoon/vendorid.c: dump unknown VIDs + + +2005-04-06 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/crypto_openssl.c: Disable OpenSSL padding in + evp_crypt(), because it may cause some interoperability problems. + Solution reported by Ganesan Rajagopal. + +2005-04-05 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/main.c: build with hybrid but without libradius + +2005-04-05 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/handler.h: added a flag to identify generated policies + * src/racoon/isakmp.c: changed logging in isakmp_ph1expire() + * src/racoon/isakmp_inf.c: use iph2->generated_spidx to check if + policy have been generated in purge_remote_spi() + * src/racoon/isakmp_quick.c: sets iph2->generated_spidx for + generated policies + * src/racoon/pfkey.c: reactivated the unbindph12() in pk_recvupdate() + +2005-04-04 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/isakmp_cfg.c: fix a buffer overrun in mode config SET + +2005-03-30 Michal Ludvig <michal@logix.cz> + + * configure.ac: Don't compile with NAT-T by default (according to + documentation, finally :-) + +2005-03-27 Michal Ludvig <michal@logix.cz> + + From Zilvinas Valinskas <zilvinas@gemtek.lt>: + * configure.ac: + - Use AC_CHECK_HEADER for kernel headers instead of AC_CHECK_FILE. 
+ - Fix OpenSSL check for cross-compilation. + * acracoon.m4(RACOON_CHECK_VA_COPY): Allow cross-compilation. + (RACOON_CHECK_BUGGY_GETADDRINFO): Ditto. + +2005-03-16 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/privsep.c: check for NULL path in unsafe_path() + * src/racoon/privsep.c: missing space + +2005-03-15 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/{cfparse.y|cftoken.l|isakmp.c|isakmp_cfg.c|isakmp_cfg.h} + src/racoon/{isakmp_var.h|isakmp_xauth.c|localconf.h|privsep.c} + src/racoon/{privsep.h|racoon.conf.5|remoteconf.c|remoteconf.h} + src/racoon/main.c: Remove most of config dependency from + privilegied instance for upcoming config reload patch. + * src/racoon/isakmp_cfg.h: fix the application version for Xauth + * src/racoon/isakmp_cfg.c: only call cleanup_pam when PAM is used + +2005-03-14 Emmanuel Dreyfus <manu@netbsd.org> + + * configure.ac: handle correctly dynamic libradius + * src/racoon/cfparse.y: correctly initialize address pool + +2005-03-13 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/isakmp.c: Fixed a buffer underrun (CAN-2005-0398) + +2005-03-09 Emmanuel Dreyfus <manu@netbsd.org> + + From Fred Senault <fred.letter@lacave.net> + * src/racoon/cfparse.y: endainness bugfix + * src/racoon/isakmp_xauth.c: off by one bugs in strings + * src/racoon/oakley.h: missing parenthesis causing bugs + +2005-03-09 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/isakmp_xauth.c: fix a crash when using RADIUS auth + +2005-03-07 Emmanuel Dreyfus <manu@netbsd.org> + + From Fred Senault <fred.letter@lacave.net> + * src/racoon/{algorithm.c|algorithm.h|cfparse.y|cftoken.l} + src/racoon/{handler.c|ipsec_doi.c|ipsec_doi.h|isakmp.c} + src/racoon/{isakmp_agg.c|isakmp_base.c|isakmp_cfg.c|isakmp_cfg.h} + src/racoon/{isakmp_ident.c|isakmp_inf.c|isakmp_quick.c} + src/racoon/{isakmp_unity.c|isakmp_xauth.c|kmpstat.c|oakley.c} + src/racoon/{oakley.h|plainrsa-gen.8|privsep.c|racoon.conf.5} + src/racoon/{racoonctl.c|remoteconf.c|remoteconf.h|strnames.c} + 
src/racoon/{strnames.h|throttle.c}: Support plain Xauth, split + tunnelling, multiple DNS & WINS in ISAKMP mode config. + +2005-03-02 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/isakmp_quick.c: tunnel_mode_prop() is now public + * src/racoon/isakmp_inf.c: fixed compilation if HAVE_POLICY_FWD. + +2005-03-01 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/oakley.c: fixed oakley_newiv2() when errors + +2005-02-24 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/privsep.c: safety check port numbers given by the + unprivilegied instance. + * src/racoon/racoonctl.8: display fixes in racoonctl(8) + +2005-02-23 Emmanuel Dreyfus <manu@netbsd.org> + + * configure.ac, src/racoon/{Makefile.am|crypto_openssl.c}: optionnal + support for patented algorithms: IDEA and RC5. + * src/racoon/{isakmp_xauth.c|main.c}: don't initialize RADIUS if it + is not required in the configuration + * src/racoon/isakmp.c: do not reject addresses for which kernel + refused UDP encapsulation, they can still be used for non NAT-T + traffic (eg: NAT-T enabled racoon on non NAT-T enabled kernel) + * src/libipsec/libpfkey.h: prefer __inline to inline + * src/racoon/{cfparse.y|cftoken.l|localconf.c|localconf.h|privsep.c} + src/racoon/racoon.conf.5: Add chroot capability + +2005-02-18 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/{main.c|eaytest.c|plairsa-gen.c} + src/setkey/setkey.c: don't use fuzzy paths for package_version.h + +2005-02-18 Michal Ludvig <michal@logix.cz> + + * configure.ac, rpm/suse/ipsec-tools.spec.in, + rpm/suse/Makefile.am: Distribute .spec file with + resolved version string. + * src/racoon/Makefile.am: Allow parallel cluster build. 
+ +2005-02-17 Emmanuel Dreyfus <manu@netbsd.org> + + From Fred Senault <fred.letter@lacave.net> + * src/racoon/remoteconf.c: Fix a bug in script init + +2005-02-17 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/ipsec_doi.c: Workaround for phase1 lifetime checks + +2005-02-16 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/isakmp_inf.c: Purge generated SPDs when getting a + related DELETE_SA + * src/racoon/pfkey.c: do NOT unbindph12() when SA acquire + +2005-02-15 Michal Ludvig <michal@logix.cz> + + * configure.ac: Changed --enable-natt_NN to --enable-natt-versions=NN,NN + +--------------------------------------------- + + Branch for 0.6 created (ipsec-tools-0_6-branch) + +2005-02-11 Emmanuel Dreyfus <manu@netbsd.org> + + From Jason Thorpe <thorpej@netbsd.org> + * src/raccon/samples/racoon.conf.sample-gssapi + src/racoon/{cfparse.y|cftoken.l|gssapi.c|gssapi.h|ipsec_doi.c} + src/racoon/{localconf.c|localconf.h|racoon.conf.5} + configure.ac: Multiple GSSAPI fixes to get interoperability + with Microsoft IKE. + +2005-02-09 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/{cfparse.y|isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c} + src/racoon/{isakmp_xauth.h|main.c|privsep.c|privsep.h} + src/racoon/racoon.conf.5: Make PAM work with privilege separation + +2005-02-07 Michal Ludvig <michal@logix.cz> + + From Krisztian Kovacs: + * src/racoon/cfparse.y: Allocate correct space for "struct sockaddr". + +2005-01-30 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/vmbuf.c: bugfix in vrealloc() + * src/racoon/oakley.c: mem leak fix in INITDHVAL() + * src/racoon/session.c: mem leak fix in check_flushsa() + +2005-01-29 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/isakmp_{ident|agg}.c: NAT-T cleanup + * src/racoon/pfkey.c: Uses NATT encaps_type in pk_sendupdate() + * src/racoon/vendorid.[ch]: NAT-T cleanup, NATT_01 VID + * src/racoon/nattraversal.[ch]: NATT cleanup, support for all + drafts (disabled by default) / RFC. 
+ * src/racoon/isakmp.h: NATT cleanup for NATT RFC support + * src/racoon/ipsec_doi.h: updated comments about NATT + * configure.ac: enable-natt_XX options + * src/racoon/isakmp.c: set UDP_ENCAPS_ESPINUDP_NON_IKE option when needed + + +2005-01-29 Emmanuel Dreyfus <manu@netbsd.org> + + From Fred Senault <fred@lacave.net> + * src/racoon/pfkey.c: Update SAD even if NAT-T is disabled, so that + phase2 can start. + +2005-01-23 Emmanuel Dreyfus <manu@netbsd.org> + + * src/setkey/{sekkey.8|setkey.c|token.l|parse.y}: implement NetBSD's + SADB_X_AALG_TCP_MD5. Resurrect setkey -h meaning on NetBSD. + +2005-01-22 Emmanuel Dreyfus <manu@netbsd.org> + + From Fred Senault <fred@lacave.net> + * src/racoon/{cftoken.l|cfparse.y|raccon.conf.5} + src/racoon/samples/roadwarrior/README: change "my_identifier login" + into "xauth_login" in the config file so that we can introduce Xauth + with a pre-shared key later. + +2005-01-21 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/samples/roadwarrior/client/{phase1-up.sh|phase1-down.sh}: + workaround Linux problems. This needs a better fix. + +2005-01-18 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/privsep.c: build without ENABLE_HYBRID + +2005-01-14 Emmanuel Dreyfus <manu@netbsd.org> + + * src/raccon/rfc/{rfc3947.txt|rfc3948.txt}: new files (NAT-T) + +2005-01-13 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/ipsec_doi.c: Uses proposal_check value to check phase + 1 lifetime. + * src/racoon/racoon.conf.5: Updated racoon man page for phase 1 + lifetime check / proposal_check. + +2005-01-11 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/isakjmp_quick.c: endianness bugfix from KAME + +2005-01-07 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/{cfparse.y|cftoken.l|nattraversal.h|pfkey.c} + src/racoon/{racoon.conf.5|remoteconf.c|remoteconf.h} + src/libipsec/{libpfkey.h|pfkey.c}: ESP fragmentation size is + now configurable (supported only on NetBSD so far). 
+ +2005-01-05 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/privsep.c: Build again on Linux with privsep + +2005-01-03 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/{isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c|isakmp_xauth.h} + src/racoon/{cfparse.y|cftoken.l|racoon.conf.5} + src/racoon/doc/FAQ + configure.ac: PAM support for authentication and accounting in + hybrid auth + +2005-01-02 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/admin.c: never fork, it buys nothing an break on some + operations + +2004-12-30 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/{Makefile.am|admin.h|cfparse.y|cftoken.l|isakmp.c} + src/racoon/{isakmp_cfg.c|isakmp_cfg.h|isakmp_var.h| isakmp_xauth.c} + src/racoon/{localconf.c|localconf.h|main.c|oakley.c|pfkey.c} + src/racoon/{racoon.conf.5|remoteconf.c|remoteconf.h|session.c} + src/racoon/{privsep.c|privsep.h}: new files + Privilege separation + + * src/racoon/{Makefile.am|admin.h|admin_var.h|kmpstat.c} + src/racoon/{racoonctl.c|racoonctl.h}: new files + configure.ac: publically export the adminport interface so that + external program can control racoon + + * src/racoon/{racoonctl.c|racoonctl.h|kmpstat.c}: Add interface + versionning + + * src/racoon/admin.h: make sure no / will be missing in adminsock path + +--------------------------------------------- + + Branch for 0.5 created (ipsec-tools-0_5-branch) + +2004-12-23 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/crypto_openssl.c: Indentation + +2004-12-28 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/crypto_openssl.c: Fixed eay_get_x509subjectaltname() + when getting an IP (Bug # 1092095) + + +2004-12-26 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/session.c: remove outdated comment + +--------------------------------------------- + + 0.5.beta2 released + +2004-12-21 Michal Ludvig <michal@logix.cz> + + * src/racoon/pfkey.c: Fix AES vs Rijndael defines. 
+ +2004-12-20 Yvan Vanhullebus <vanhu@free.fr> + + * configure.ac, src/racoon/isakmp.c, src/racoon/pfkey.c: + Some FreeBSD / NATT support. + +2004-12-17 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/isakmp.c: only IPv4 NAT-T is supported, so skip IPv6 here. + * src/racoon/pfkey.c: Restore AES support on NetBSD. + +2004-12-17 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/crypto_openssl.c: Uses sprintf() instead of + asprintf() in eay_get_x509subjectaltname(), because of some + compilation problems reported with asprintf() on some platforms. + * src/racoon/oakley.c: just take the first cert in + oakley_savecert() if cert ID check is disabled. + +2004-12-16 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/crypto_openssl.c: Build again on NetBSD + * src/racoon/samples/roadwarrior/server/racoon + src/racoon/samples/roadwarrior/server/racoon.conf-radius + src/racoon/samples/roadwarrior/README: Use DPD in sample files. + +2004-12-16 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/crypto_openssl.c: Fixed eay_get_x509subjectaltname() + when SubjectAltName contains an IP. OpenSSL code from Ludovic + Flament (ludovic.flament@free.fr). + +--------------------------------------------- + + 0.5.beta1 released + +2004-12-13 Michal Ludvig <mludvig@suse.cz> + + From Ganesan R <rganesan@users.sourceforge.net>: + * src/racoon/Makefile.am, src/setkey/Makefile.am: Fix compilation + with shared libraries. + +2004-12-10 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/oakley.c: takes the first certificate which matches + the Identity, instead of just taking the first certificate. + +2004-12-07 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/isakmp_inf.c: Set spi_size for R-U-THERE/R-U-THERE-ACK. + +2004-12-04 Aidas Kasparas <a.kasparas@gmc.lt> + + * src/libipsec/pfkey_dump.c: distinguish per-socket policies from + general ones (Linux case); + * src/racoon/pfkey.c: dito, do not negotiate policies if racoon + do not listen on out tunnel's source address. 
+ +2004-12-01 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/isakmp_agg.c: code cleanup in NATT / DPD VIDs + generation in r1send() + +2004-12-01 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/remoteconf.{c|h}: DPD support option (enabled by default) + * src/racoon/{cfparse.y|cftoken.l}: DPD token, yyerror if DPD + parameters but compiled without ENABLE_DPD + * src/racoon/isakmp_{agg|ident}.c: Send DPD VID only if DPD + support activated in configuration + +2004-11-30 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon{evt.c|evt.h|admin.c}: init event queue at compile time, + to avoid garbage pointer if admin port is disabled. + * src/racoon/{throttle.c|throttle.h}: new files + src/racoon/{Makefile.am|isakmp_cfg.c|isakmp_xauth.c|racoon.conf.5} + configure.ac: Add a per-host throttling count. When throttling, + don't sleep, schedule the answer for later instead. + * src/racoon/kmpstat.c: default with no hexdump of the packet + * src/racoon/admin.c: don't remove admin socket after first request, + on the other hand remove on startup stale sockets left by + crashed racoon. + * src/racoon/samples/roadwarrior/README + src/racoon/kmpstat.c: fix option parsing problem on Linux + +2004-11-29 Yvan Vanhullebus <vanhu@free.fr> + + * src/racoon/session.c: Only listen on pfkey socket when received + shutdown signal + +2004-11-28 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h} + src/racoon/{isakmp_xauth.c|racoon.conf.5}: Add a one second throttle + on each Xauth authentication to avoid brute force attacks + +2004-11-24 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/samples/roadwarrior/README + src/racoon/samples/roadwarrior/client{phase1-up.sh|phase1-down.sh} + src/racoon/samples/roadwarrior/client/{racoon.conf|racoon.conf-radius} + src/racoon/samples/roadwarrior/server/{racoon.conf|phase1-down.sh}: + Fill Linux gaps for hybrid auth client, Replace public IP by + private and example IP in the sample config files. 
+ +2004-11-24 Emmanuel Dreyfus <manu@netbsd.org> + + DPD patch from Yvan Vanhullebus <vanhu@free.fr> + * src/racoon/cfparse.y: missing bits for DPD support + +2004-11-23 Aidas Kasparas <a.kasparas@gmc.lt> + + * src/setkey/parse.y: generate require fwd policies for unique in + policies. + * src/setkey/setkey.c: made -r/-k options awailable only when + system has FWD policies. + * src/setkey/setkey.8: updated docs about change above. + +2004-11-22 Michal Ludvig <mludvig@suse.cz> + + * src/racoon/{admin.c,pfkey.c}: Wrap adminport-parts to + #ifdef ENABLE_ADMINPORT/#endif. + +2004-11-22 Michal Ludvig <mludvig@suse.cz> + + Revert these changes (ludvigm, 2004-11-18): + * src/racoon/Makefile.am: install sample racoon.conf and psk.txt. + * src/setkey/Makefile.am: Install setkey.conf. + +2004-11-22 Emmanuel Dreyfus <manu@netbsd.org> + + * src/raccon/{isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c}: defer phase 1 + removal so that it's not used after been deleted. + * src/racoon/{evt.h|isakmp.c|isakmp_agg.c|isakmp_base.c|session.c} + src/racoon/{isakmp_ident.c|isakmp_inf.c|kmpstat.c}: report more + errors to racoonctl + +2004-11-21 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/doc/FAQ: NAT-T kernel patch for NetBSD is now on + the ipsec-tools web site + * src/racoon/{kmpstat.c|racoonctl.8}: New racoonctl command to + display all events reported by racoon: show-event + * src/racoon/isakmp_cfg.c: don't send ISAKMP mode config message + with immature or dying phase 1 + * src/racoon/kmpstat.c: racoonctl vd awaits phase 1 to get down + +2004-11-20 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/isakmp_agg.c: for hybrid auth client, advertise ourself + as Unity compliant. 
+ * src/racoon/{evt.c|evt.h}: new files + src/racoon/{Makefile.am|admin.c|admin.h|isakmp.c|isakmp_cfg.c} + src/racoon/{isakmp_xauth.c|kmpstat.c|pfkey.c}: framework for + event reporting from racoon to racoonctl + +2004-11-20 Aidas Kasparas <a.kasparas@gmc.lt> + + * src/racoon/grabmyaddr.c: Prevent doubling addresses and error messages + when racoon is compiled with INET6 support and kernel is not. + Fixed with help of Zilvinas Valinskas. + * src/racoon/{var.h|sockmisc.c}: Fixed compilation with gcc-3.4.2+ + problem. + +2004-11-19 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/doc/FAQ: more options and warn about software patents. + +2004-11-18 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/vmbuf.c: don't allocate zero-length buffer + * src/racoon/samples/roadwarrior/client/phase1-down.sh + src/racoon/samples/roadwarrior/server/phase1-down.sh: Also + flush SAD when disconnecting. + * src/racoon/admin.c: Send a notification when deleting ISAKMP SA + * src/racoon/samples/roadwarrior/README: accomodate the recent + sysconfdir change + +2004-11-18 Michal Ludvig <mludvig@suse.cz> + + * src/racoon/Makefile.am: Fix adminsocket dir, install sample + racoon.conf and psk.txt. + * src/racoon/localconf.h: Look for racoon.conf in $(SYSCONFDIR), + not $(SYSCONFDIR)/racoon. + * src/racoon/algorithm.h, src/racoon/eaytest.c, + src/racoon/schedule.h, src/racoon/gnuc.h: Build fixes for really + strict environments. + * src/setkey/setkey.conf: Yet another sample config file. + * src/setkey/Makefile.am: Install setkey.conf. + * rpm/suse/{ipsec-tools.spec.in,sysconfig.racoon,racoon.init}: New + files. + * rpm/suse/{Makefile.am,.cvsignore}: New files. + * configure.ac, rpm/Makefile.am: Build in rpm/suse. + +2004-11-17 Aidas Kasparas <a.kasparas@gmc.lt> + + * configure.ac: paste bugfix by Zilvinas Valinskas + * src/racon/{isakmp_quick.c|policy.c|strnames.c}: fwd policy support + for generated policies. Path by Patrick McHardy. 
+ +2004-11-16 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/racoonctl.8: racoonctl man page (new file) + +2004-11-16 Emmanuel Dreyfus <manu@netbsd.org> + + From Ganesan <rganesan@users.sourceforge.net> + * src/racoon/ipsec_doi.c: fix free'd memory access + +2004-11-16 Michal Ludvig <mludvig@suse.cz> + + DPD patch from Yvan Vanhullebus <vanhu@free.fr> + * configure.ac, src/racoon/cfparse.y, src/racoon/cftoken.l, + src/racoon/handler.c, src/racoon/handler.h, + src/racoon/isakmp.c, src/racoon/isakmp.h, + src/racoon/isakmp_agg.c, src/racoon/isakmp_ident.c, + src/racoon/isakmp_inf.c, src/racoon/isakmp_inf.h, + src/racoon/racoon.conf.5 src/racoon/remoteconf.c, + src/racoon/remoteconf.h, src/racoon/vendorid.c, + src/racoon/vendorid.h: Dead Peer Detection (DPD) support. + +2004-11-16 Michal Ludvig <mludvig@suse.cz> + + * configure.ac: Remove a bash-specific construction, take II. + * src/racoon/grabmyaddr.c: FreeBSD fix for headers. + +2004-11-15 Michal Ludvig <mludvig@suse.cz> + + * configure.ac: Use correct include paths during ./configure run. + * src/racoon/Makefile.am: Compile cftoken.l from $(srcdir), + remove samples/racoon.conf.sample-cvpn, added samples/roadwarrior + (hint, hint, manu :-)) + +2004-11-15 Emmanuel Dreyfus <manu@netbsd.org> + + * README: update the docs + * src/racoon/doc/FAQ: update the docs + * configure.ac: Remove a bash-specific construction + +2004-11-14 Aidas Kasparas <a.kasparas@gmc.lt> + + * src/racoon/cfparse.y: ensure that returns from rules are + initialized even on erroneous config file. + * src/racoon/admin_var.h: changed management socket location + * src/racoon/Makefile.am: ditto, added rule to install directory + for management socket. + * src/setkey/{setkey.c|parse.y}: introduced rfc/kernel modes, + added generation of fwd policies for every in policy spdadd'ed. 
+ * src/setkey/setkey.8,src/libipsec/ipsec_set_policy.3: updated docs + * src/setkey/policy_token.l: return something reasonable when + fwd direction is parsed on systems with no forward policy + support. + +2004-11-14 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/isakmp.c: avoid a double free when using IKE fragmentation + * src/racoon/{backupsa.c|ipsec_doi.c|localconf.c|str2val.c} + src/{libipsec/key_debug.c|setkey/parse.y}: fix build warnings + * configure.ac src/racoon/{admin.c|admin_var.h} + src/racoon/racoon.conf.5 src/racoon/samples/roadwarrior/README + src/racoon/samples/roadwarrior/client/racoon.conf: make the default + mode for the admin socket more secure. + +2004-11-13 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/{cfparse.y|remoteconf.c|crypto_openssl.c|crypto_openssl.h} + src/racoon/{eaytest.c|oakley.c|racoon.conf.5|cftoken.l|remoteconf.h} + src/racoon/samples/roadwarrior/README + src/racoon/samples/roadwarrior/client/racoon.conf: Make the root + certificate authority location per-peer and configurable. + * src/racoon/isakmp_frag.c: fix unallocated memory access + * src/racoon/isakmp_agg.c: fix incorrect queue deallocation + * src/racoon/remoteconf.c: fix uninitialized data + * src/racoon/{admin.c|isakmp_xauth.c}: fix free'ed memory access + +2004-11-12 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/{Makefile.am|kmpstat.c}: Make racoonctl vc and vd + commands IPv6 friendly. + * src/racoon/{admin.c|admin.h|handler.c|handler.h|kmpstat.c}: + Add an admin message to flush all the SA for a given peer. + Convert racoonctl vd to use it. + * src/racoon/{admin.c|kmpstat.c|cftoken.l|cfparse.y} + src/racoon/{admin_var.h|admin.h|raccon.conf.5}: Enable the + administrator to choose the admin socket path, ownership and mode. + * src/racoon/sample/roadwarrior: complete config files for + road warriors using hybrid authentication. 
+ +2004-11-12 Michal Ludvig <mludvig@suse.cz> + + * configure.ac: Config option --enable-natt=kernel + * src/racoon/Makefile.am: Distribute only yacc/lex source files, + not the preprocessed .c files. + +2004-11-11 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/samples/racoon.conf.sample-cvpn: more complete setup + and comments in the VPN concentrator setup for the Cisco VPN client + * src/racoon/racoon.conf.5: fix documentation + * src/racoon/isakmp_cfg.c: get the internal IPv4 address in script + hooks event if we are a server. + +2004-11-10 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/{ipsec_doi.c|remoteconf.c}: fix LP64 problems + +2004-11-09 Michal Ludvig <mludvig@suse.cz> + + * Makefile.am: Remove aclocal-related lines. + * src/racoon/Makefile.am: Add isakmp_frag.h into noints_HEADERS + * configure.ac: Cleanup, define INET6 if IPv6 shoud be supported, + better handling of KRB5 and NAT-T. + * src/racoon/{isakmp_cfg.c,isakmp_frag.c,isakmp_unity.c}: Make + FreeBSD happy with includes (Arrgh...&^#$^@!!!) + +2004-11-08 Michal Ludvig <mludvig@suse.cz> + + * src/libipsec/policy_parse.y: Define INT32_MAX/INT32_MIN. + * src/libipsec/policy_token.l, src/racoon/kmpstat.c, + src/racoon/{pfkey.c,prsa_par.y,rsalist.c,token.l}: Small + fixes to support FreeBSD (tested with 4.10). + +2004-11-05 Michal Ludvig <mludvig@suse.cz> + + * configure.ac: Add --with-readline switch. + * src/setkey/setkey.c(stdin_loop): Fix newlines and comments + when compiled without readline. + +2004-11-01 Aidas Kasparas <a.kasparas@gmc.lt> + + * src/racoon/isakmp_quick.c: generated policy refresh patch + by Yvan Vanhullebus + +2004-10-29 Michal Ludvig <mludvig@suse.cz> + + * configure.ac: Check for IPSEC_DIR_FWD and eventually define + HAVE_POLICY_FWD. + * src/libipsec/{ipsec_dump_policy.c,policy_token.l}: Use + HAVE_POLICY_FWD in ifdefs. + * NEWS: Mention the fix. + * src/racoon/kmpstat.c: Fix compilation on Linux. + * src/racoon/ipsec_doi.h: Ditto. 
+ * src/racoon/Makefile.am, src/setkey/Makefile.am: Update + explicit dependencies. + +2004-10-29 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/{isakmp_cfg.h,grabmyaddr.c,handler.c,handler.h}: + do not reconfigure internal addresses obtained through ISAKMP + mode config. + * src/racoon/{isakmp.c,isakmp_cfg.c,isakmp_xauth.c}: On authentication + failure, kill the phase 1 and log the failure. Do not run the sa_up + script in this case. + * src/racoon/{admin.c,admin.h,isakmp_xauth.c,kmpstat.c,remoteconf.h}: + Add -u user to racoonctl establish-sa, prompt for the PSK from + the terminal, and add a vpn-connect target with simplified syntax + for establishing a SA in the road warrior case. + * src/racoon/{admin.c,kmpstat.c}: implement delete-sa and + vpn-disconnect commands of racoonctl + * src/racoon/{cfparse.y,cftoken.l,handler.c,isakmp.c,isakmp_cfg.c} + src/racoon/{isakmp_var.h,racoon.conf.5,remoteconf.c,remoteconf.h}: + Remove sa_up and sa_down and replace them by a more general + script hook framework. 
+ +2004-10-27 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/nattraversal.c: Use macros instead of magic numbers + * src/racoon/kmpstat.c: pull up fixes from KAME so that racoonctl + can actually establish a SA + * src/racoon/{cfparse.y,cftoken.l,handler.c,isakmp.c,isakmp_cfg.c} + src/racoon/{isakmp_var.h,racoon.conf.5,remoteconf.c,remoteconf.h}: + Shell script hooks for ISAKMP SA creation and removal + +2004-10-26 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/rfc/draft-ietf-ipsec-isakmp-hybrid-auth-05.txt: removed + src/racoon/rfc/draft-ietf-ipsec-isakmp-mode-cfg-04.txt: removed + src/racoon/rfc/draft-beaulieu-ike-xauth-02.txt: new file + src/racoon/rfc/draft-dukes-ike-mode-cfg-02.txt: new file + Update to the latest drafts + +2004-10-25 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/rfc/draft-ietf-ipsec-isakmp-hybrid-auth-05.txt: new file + src/racoon/rfc/draft-ietf-ipsec-isakmp-mode-cfg-04.txt: new file + src/racoon/rfc/draft-ietf-ipsec-isakmp-xauth-07.txt: new file + drafts documenting ISAKMP mode config, Xauth and hybrid auth + * src/racoon/cftoken.l: fix build problem, add an error message + when using hybrid auth options while hybrid auth is not built + * src/racoon/isakmp_cfg.c: build without RADIUS support too + +2004-10-24 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/{algorithm.c,algorithm.h,cfparse.y,cftoken.l} + src/racoon/{ipsec_doi.c,ipsec_doi.h,isakmp.c,isakmp_agg.c} + src/racoon/{isakmp_cfg.c,isakmp_cfg.h,isakmp_xauth.c,isakmp_xauth.h} + src/racoon/{oakley.c,oakley.h,racoon.conf.5} + src/racoon/{remoteconf.c,remoteconf.h,strnames.c}: Client side + of hybrid auth and ISAKMP mode config + +2004-10-24 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/{cfparse.y,cftoken.l,handler.h,isakmp.c} + src/racoon/{isakmp_agg.c,isakmp_base.c,isakmp_frag.c,isakmp_frag.h} + src/racoon/{isakmp_inf.c,racoon.conf.5,remoteconf.c,remoteconf.h}: + Receiver-side of IKE fragmentation + +2004-10-24 Emmanuel Dreyfus <manu@netbsd.org> + + * 
src/racoon/isakmp_cfg.c: Fix read buffer overflow + * src/racoon/isakmp_xauth.c: Fix weak authentication + * src/racoon/{oakley.c,oakley.h}: Fix weak authentication + +2004-10-21 Michal Ludvig <mludvig@suse.cz> + + From Emmanuel Dreyfus: + * src/racoon/{isakmp_frag.c,isakmp_frag.h}: New files. + * src/racoon/isakmp_cfg.c: Fix endianness. + +2004-10-20 Michal Ludvig <mludvig@suse.cz> + + From Emmanuel Dreyfus: + * src/racoon/{cfparse.y,cftoken.l,handler.c}, + src/racoon/{isakmp_cfg.c,isakmp_cfg.h,isakmp_xauth.c}, + src/racoon/racoon.conf.5: RADIUS IP addresses allocation + and RADIUS accounting. + * configure.ac, + src/racoon/{Makefile.am,handler.h,isakmp.c,isakmp.h}, + src/racoon/{isakmp_agg.c,isakmp_base.c,isakmp_inf.c}, + src/racoon/{vendorid.c,vendorid.h}: IKE Fragmentation patch. + +2004-10-08 Michal Ludvig <mludvig@suse.cz> + + * src/racoon/isakmp_cfg.c: Fixes from Emmanuel Dreyfus. + +2004-10-06 Aidas Kasparas <a.kasparas@gmc.lt> + + * src/racoon/remoteconf.c: dupidvl(), dupetypes() - new functions + to duplicate dynamically allocatd structures; duprmconf() - call + these functions to produce private copy of inherited id and etype + structures. + * src/racoon/remoteconf.c: declaration for dupetypes(). + +2004-10-04 Aidas Kasparas <a.kasparas@gmc.lt> + + * src/racoon/cfparse.y: check inherited_from dereferencing + * src/racoon/crypto_openssl.c: prevent crash on incorect DNs + +2004-09-27 Michal Ludvig <mludvig@suse.cz> + + From KOVACS Krisztian <hidden@balabit.hu>: + * src/racoon/sockmisc.c(sendfromto): Set src address. 
+ +2004-09-24 Aidas Kasparas <a.kasparas@gmc.lt> + + * configure.ac: added check for linux-gnu, as my box reports + * src/racoon/grabmyaddr.c: added missing <linux/types.h> include + +2004-09-21 Michal Ludvig <mludvig@suse.cz> + + Merged 'autoconf' branch to mainline: + * .cvsignore, ChangeLog, Makefile.am, bootstrap, configure.ac, + src/racoon/.cvsignore, src/racoon/cfparse.y, + src/racoon/crypto_openssl.c, src/racoon/crypto_openssl.h, + src/racoon/ipsec_doi.c, src/racoon/isakmp.c, + src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c, + src/racoon/isakmp_cfg.c, src/racoon/isakmp_ident.c, + src/racoon/isakmp_unity.c, src/racoon/main.c, + src/racoon/nattraversal.c, src/racoon/oakley.c, + src/racoon/oakley.h, src/racoon/sockmisc.c, + src/racoon/missing/crypto/sha2/sha2.c: Modified (see ChangeLog + in 'autoconf' branch for details). + * acracoon.m4, src/racoon/Makefile.am: New files. + * src/racoon/Makefile.in, src/racoon/aclocal.m4, + src/racoon/client-puzzle.c, src/racoon/config.guess, + src/racoon/config.sub, src/racoon/configure.in, + src/racoon/install-sh, src/racoon/doc/SantaBarbara-result.jp, + src/racoon/doc/helsinki-result.jp, src/racoon/doc/ibm-result.jp, + src/racoon/doc/pattern, src/racoon/doc/question, + src/racoon/doc/racoonquestion.sh, src/racoon/doc/redmond.txt, + src/racoon/doc/rules.jp, src/racoon/doc/sandiego-result.en, + src/racoon/doc/sandiego-result.jp, + src/racoon/doc/sandiego0009-result.en, + src/racoon/missing/addrinfo.h, src/racoon/missing/getaddrinfo.c, + src/racoon/missing/getnameinfo.c, src/racoon/samples/Makefile, + src/racoon/samples/sandiego.pl: Removed. + +2004-09-17 Michal Ludvig <mludvig@suse.cz> + + * src/racoon/vendorid.[ch]: Rewrote the VendorID handling. + We don't use the array with fixed offsets anymore, instead + a generally unordered structure with ID, string and + precomputed MD5 hashes. + * src/racoon/{isakmp_agg.c,isakmp_base.c,isakmp_ident.c}, + src/racoon/nattraversal.c: Updated to the new VID model. 
+ * src/racoon/main.c(main): Precompute VendorIDs. + * src/racoon/arc4random.h, src/racoon/missing/arc4random.c: + Files removed. Function arc4random() renamed to eay_random() + and moved to crypto_openssl.c. + * src/racoon/pfkey.c, src/racoon/oakley.c, src/racoon/main.c, + src/racoon/isakmp.c: Updated to the above change. + * src/racoon/Makefile.in, src/racoon/configure.in: Remove + arc4random() from building. + * src/racoon/crypto_openssl.[ch](eay_random): New function. + * src/racoon/isakmp_cfg.c, src/racoon/isakmp_unity.c, + src/racoon/isakmp_xauth.c: Cleaned up headers. + +2004-09-16 Michal Ludvig <mludvig@suse.cz> + + * src/racoon/crypto_openssl.c (base64_encode): Terminate + the result with '\0'. + +2004-09-15 Michal Ludvig <mludvig@suse.cz> + + * configure.ac: How about calling the next version 0.5? + * src/include-glibc/glibc-bugs.h: Define _XOPEN_SOURCE + _BSD_SOURCE and don't require <linux/types.h> + * src/racoon/isakmp_cfg.c, src/racoon/isakmp_unity.c, + src/racoon/isakmp_xauth.c: Don't include <netkey/key_var.h> + * src/racoon/Makefile.in: Add new files to distribution. + * src/racoon/configure.in: Fix linux kernel NATT detection. + * src/setkey/parse.y: Fix types. + * src/racoon/backupsa.c, src/racoon/ipsec_doi.c, + src/racoon/isakmp_inf.c, src/racoon/isakmp_quick.c, + src/racoon/pfkey.c, src/racoon/remoteconf.c, + src/racoon/session.c, src/racoon/sockmisc.c: Fix headers + ordering, use HAVE_NETINET6_IPSEC. + * src/racoon/isakmp_cfg.c: Use %z for size_t. + * src/racoon/configure.in: Clean up IPv6 stack check. + +2004-09-15 Michal Ludvig <mludvig@suse.cz> + + Merged "Hybrid XAUTH" support from Emmanuel Dreyfus: + * src/racoon/isakmp_cfg.h, src/racoon/isakmp_cfg.c, + src/racoon/isakmp_unity.c, src/racoon/isakmp_unity.h, + src/racoon/isakmp_xauth.c, src/racoon/isakmp_xauth.h, + src/racoon/samples/racoon.conf.sample-cvpn: New files. 
+ * src/racoon/algorithm.c, src/racoon/algorithm.h, + src/racoon/cfparse.y, src/racoon/cftoken.l, + src/racoon/handler.c, src/racoon/handler.h, + src/racoon/ipsec_doi.c, src/racoon/isakmp.c, + src/racoon/isakmp.h, src/racoon/isakmp_agg.c, + src/racoon/isakmp_inf.c, src/racoon/oakley.c, + src/racoon/oakley.h, src/racoon/strnames.c, + src/racoon/vendorid.c, src/racoon/vendorid.h: Added + code for XAUTH support. + * src/racoon/racoon.conf.5: Documentation for XAUTH. + * src/racoon/isakmp_base.c, src/racoon/isakmp_ident.c, + src/racoon/nattraversal.c: Added NATT VID "02\n" + * src/racoon/configure.in: New config option --enable-hybrid + +2004-09-14 Michal Ludvig <mludvig@suse.cz> + + * configure.ac: Preset CFLAGS + * src/racoon/configure.in: Preset LDFLAGS instead of CFLAGS on NetBSD, + Check if printf() accepts "%z" modifiers. + * src/racoon/isakmp_agg.c(agg_i1send): Place #endif correctly. + * src/setkey/parse.y(fix_portstr): Init 'p2'. + * src/setkey/setkey.c: Add required prototypes. + +2004-09-14 Aidas Kasparas <a.kasparas@gmc.lt> + + * src/racoon/gssapi.c: sa_len -> sysdep_sa_len. Patch by Andreas. + +2004-09-14 Michal Ludvig <mludvig@suse.cz> + + * src/racoon/configure.in: Check for NetBSD NAT-T kernel support. + +2004-09-13 Michal Ludvig <mludvig@suse.cz> + + * src/racoon/configure.in: Check for <openssl/engine.h> + * src/racoon/crypto_openssl.c: Only use OpenSSL engines if available. + * src/racoon/plainrsa-gen.c: Ditto. 
+ +2004-09-13 Michal Ludvig <mludvig@suse.cz> + + NetBSD fixes from Emmanuel Dreyfus <manu@netbsd.org>: + * Makefile.am: build in rpm/ only on Linux + * configure.ac: Check for netinet6/ipsec.h instead of netinet/ipsec.h + * src/Makefile.am: Build include-glibc only on Linux + * src/libipsec/{ipsec_dump_policy.c,ipsec_get_policylen.c, + ipsec_strerror.c,key_debug.c,pfkey.c,pfkey_dump.c, + policy_parse.y,policy_token.l,test-policy-priority.c}, + src/racoon/{cfparse.y,cftoken.l,grabmyaddr.c,isakmp.c, + nattraversal.c,pfkey.c,plainrsa-gen.c,policy.c, + proposal.c,sainfo.c,schedule.c,strnames.c}, + src/setkey/{parse.y,setkey.c,token.l}: Fix headers and some + ifdefs. + * src/racoon/sockmisc.c(sendfromto): Wrap for Linux only. + * src/racoon/configure.in: Check for kernel NAT-T support, + fix libipsec.a linkage path. + * src/racoon/eaytest.c(certtest): Use %z for size_t. + +2004-09-12 Aidas Kasparas <a.kasparas@gmc.lt> + + * src/racoon/grabmyaddr.c: improoved socket selection algorithm for + case when link-local addresses comes w/o sin6_scope_id set. + +2004-09-07 Aidas Kasparas <a.kasparas@gmc.lt> + + * src/racoon/session.c: fix for SIGHUP handler for case when config + file contains listen directives. + +2004-09-01 Aidas Kasparas <a.kasparas@gmc.lt> + + * src/racoon/grabmyaddr.c: added scope id handling for link-local + IPv6 addresses. Now racoon will not err on such addresses. + +2004-08-19 Aidas Kasparas <a.kasparas@gmc.lt> + + * src/racoon/crypto_openssl.c: hmac memory leak fix by R. 
Ganesan + * src/racoon/eaytest.c: eay_init_error() -> eay_init() due to + 2004-06-01 changes in src/racoon/crypto_openssl.c + +2004-08-15 Aidas Kasparas <a.kasparas@gmc.lt> + + * src/racoon/cfparse.y src/racoon/crypto_openssl.c + src/racoon/eaytest.c src/racoon/genlist.h src/racoon/ipsec_doi.c + src/racoon/racoon.conf.5 src/racoon/remoteconf.c + src/racoon/remoteconf.h: peers_identifier wildcard and + list patch by James Matheson + +--------------------------------------------- + + 0.4rc1 released + +2004-08-09 Michal Ludvig <mludvig@suse.cz> + + * NEWS: Notes for release 0.4rc1 + * configure.ac: Bump up version to 0.4rc1 + +2004-07-12 Michal Ludvig <mludvig@suse.cz> + + PlainRSA support. + See ChangeLog.prsa from the 'plainrsa' branch for details. + * src/racoon/stringlist.c src/racoon/stringlist.h: Removed. + * src/racoon/genlist.c src/racoon/genlist.h + src/racoon/plainrsa-gen.8 src/racoon/plainrsa-gen.c + src/racoon/prsa_par.y src/racoon/prsa_tok.l + src/racoon/rsalist.c src/racoon/rsalist.h + src/racoon/samples/racoon.conf.sample-plainrsa: New files. + * src/racoon/Makefile.in src/racoon/configure.in + src/racoon/cfparse.y src/racoon/cftoken.l + src/racoon/crypto_openssl.c src/racoon/crypto_openssl.h + src/racoon/handler.h src/racoon/ipsec_doi.c + src/racoon/ipsec_doi.h src/racoon/isakmp.h src/racoon/main.c + src/racoon/oakley.c src/racoon/plog.c src/racoon/remoteconf.c + src/racoon/remoteconf.h src/racoon/sockmisc.c + src/racoon/sockmisc.h src/racoon/eaytest.c: Updated. + +2004-07-12 Michal Ludvig <mludvig@suse.cz> + + * src/racoon/main.c, src/racoon/eaytest.c, src/racoon/plog.c: Move + f_foreground to plog.c. + * src/racoon/proposal.c (cmpsaprop_alloc): Fix printing of encmode + adjusting. + * src/racoon/ipsec_doi.c, src/racoon/isakmp.c, src/racoon/isakmp_quick.c, + src/racoon/oakley.c: Fix typos, newlines and printf() format strings. 
+ +2004-06-16 Aidas Kasparas <a.kasparas@gmc.lt> + + * src/racoon/crypto_openssl.c (eay_get_x509cert): small memory + leak fix. Noticed B.Buesker, patch L.Stellingwerff + * src/racoon/crypto_openssl.c (eay_aes_{en|de}crypt, evp_crypt): + small memory leaks fixed. + +2004-06-15 Aidas Kasparas <a.kasparas@gmc.lt> + + SECURITY + * src/racoon/crypto_openssl.[ch] (cb_check_cert_local, + cb_check_cert_remote): split cb_check_cert() due to stricter + requirements for certificates received from network. + * src/racoon/crypto_openssl.[ch] (eay_check_x509cert): new parameter + local to specify how strict cert check should be + * src/racoon/oakley.c, src/racoon/eaytest.c: adjust to use above + +2004-06-11 Michal Ludvig <mludvig@suse.cz> + + * src/racoon/nattraversal.c (natt_vendorid, natt_fill_options): Support + for all known NAT-T versions. + * vendorid.h: Ditto. + +2004-06-08 Michal Ludvig <mludvig@suse.cz> + + * src/racoon/stringlist.c, src/racoon/stringlist.h: New files. + * src/racoon/Makefile.in: Compile stringlist.o. + +2004-06-07 Michal Ludvig <mludvig@suse.cz> + + * configure.ac: Set version to 'cvs'. + * src/{racoon,setkey,libipsec}/*.h: Wrap headers between + #ifndef/#define/#endif to allow multiple inclusions of the + same file. + * plog.h (plog): Attribute __printf__ for automatic checking + of the parameters' validity. + * cftoken.l, crypto_openssl.c, grabmyaddr.c, ipsec_doi.c, + isakmp.c, isakmp_quick.c, oakley.c, pfkey.c, proposal.c, + sockmisc.c: Fix warnings/errors in the plog() parameters with + the above change. + +2004-06-05 Aidas Kasparas <a.kasparas@gmc.lt> + + * src/setkey/setkey.c: -n (no action) support. + Thanks Thomas Habets. + * src/setkey/setkey.8: Documentation for above. + * src/racoon/doc/README.certificate: updated link to more recent + version of document. Debian bug #252513 by Jose Luis Domingo Lopez + +2004-06-01 Michal Ludvig <mludvig@suse.cz> + + * src/racoon/algorithm.c: Enable compilation without SHA2 support. 
+ * src/racoon/crypto_openssl.c: Ditto. + +2004-06-01 Michal Ludvig <mludvig@suse.cz> + + * src/racoon/crypto_openssl.c: Remove unneeded workarounds for older + OpenSSLs. + (eay_init): New function. + (eay_init_error, eay_check_pkcs7sign): Removed. + * src/racoon/crypto_openssl.h: Reflect the above changes. + * src/racoon/main.c: Call eay_init() instead of eay_init_error(). + +2004-05-27 Michal Ludvig <mludvig@suse.cz> + + Support for inheritance of 'remote' statements: + * src/racoon/cftoken.l: New keyword 'inherit'. + * src/racoon/cfparse.y: Support for 'inherit', remove + global 'prhead', use cur_rmconf->prhead instead. + * src/racoon/remoteconf.c (rmtree): Changed from + LIST queue to TAILQ queue. + (getrmconf): Renamed to getrmconf_strict(). + (copyrmconf, duprmconf) + (dump_rmconf_single, dumprmconf): New functions. + (rm2str): Deleted. + * src/racoon/remoteconf.h: Prototypes for the above. + (struct remoteconf): New fields 'inherited_from' and 'prhead'. + * src/racoon/sockmisc.c (saddr2str): Can print anonymous entries. + * src/racoon/algorithm.c (alg_oakley_encdef_name) + (alg_oakley_hashdef_name, alg_oakley_dhdef_name) + (alg_oakley_authdef_name): New functions. + * src/racoon/algorithm.h: Prototpes for the above. + * src/racoon/strnames.c (num2str): Make extern. + (s_doi, s_etype, s_idtype, s_switch): New functions. + * src/racoon/strnames.h: Prototpes for the above. + * src/racoon/main.c: New parameter -C for dumping the parsed config. + * src/racoon/racoon.conf.5: Document inheritance. + * src/racoon/samples/racoon.conf.sample-inherit: Sample config file. 
+ * src/racoon/Makefile.in: Distribute racoon.conf.sample-inherit + +2004-05-24 Michal Ludvig <mludvig@suse.cz> + + * configure.in, backupsa.c, ipsec_doi.c, isakmp_inf.c, + isakmp_quick.c, pfkey.c, remoteconf.c, session.c, + sockmisc.c: Allow compilation with --disable-ipv6 + +2004-05-21 Michal Ludvig <mludvig@suse.cz> + + * src/racoon/crypto_openssl.[ch]: Use EVP_*() instead of + algorithm specific functions. + +2004-05-20 Aidas Kasparas <a.kasparas@gmc.lt> + + Manual page updates. Thanks Brian + * src/libipsec/ipsec_set_policy.3 + * src/setkey/setkey.8 + * src/libipsec/test-policy-priority.c: new file from policy + priority patch, which I forgot to add + +2004-05-18 Aidas Kasparas <a.kasparas@gmc.lt> + + Policy priority integer handling fixes by Brian Buesker. + * src/libipsec/ipsec_strerror.c + * src/libipsec/ipsec_strerror.h + * src/libipsec/libpfkey.h + * src/libipsec/policy_parse.y + * src/libipsec/test-policy-priority.c + Manual page corrections by me + * src/libipsec/ipsec_set_policy.3 + * src/setkey/setkey.8 + +2004-05-15 Aidas Kasparas <a.kasparas@gmc.lt> + + Policy priority support patch from Brian Buesker. Applied as is + except src/libipsec/Makefile.am is modified instead of + src/libipsec/Makefile.in as found in the patch. + +2004-05-10 Michal Ludvig <mludvig@suse.cz> + + From Heiko Hund, approved by the copyright holder: + * src/racoon/gssapi.[ch]: Update to 3-clause BSD license. + +2004-04-27 Michal Ludvig <mludvig@suse.cz> + + From Heiko Hund: + * src/include-glibc/sys/queue.h: Update to 3-clause BSD license. + +2004-04-26 Aidas Kasparas <a.kasparas@gmc.lt> + + * src/racoon/grabmyaddr.c (update_myaddrs): Only trust kernel to + send notifications about changed interfaces. + +2004-04-24 Aidas Kasparas <a.kasparas@gmc.lt> + + * src/racoon/grabmyaddr.c (recvaddrs): Only trust kernel to send + information about interfaces. Thanks Steve Grubb and Bill + Nottingham. Affects users with glibc w/o getifaddrs(). 
Users + with glibc earlier than 2003-11-14 should upgrade their glibc. + +2004-04-19 Michal Ludvig <mludvig@suse.cz> + + * src/racoon/isakmp.c (isakmp_handler): Reject too big + packets (CAN-2004-0403). + +--------------------------------------------- + + 0.3 released + +2004-04-14 Michal Ludvig <mludvig@suse.cz> + + * NEWS: Notes for release 0.3 + * configure.ac: Bump up version to 0.3 + * src/racoon/Makefile.in: Use install-sh instead of mkinstalldirs. + * src/racoon/remoteconf.c (foreachrmconf): Avoid warning about + uninitialised variable. + * src/racoon/samples/racoon.conf.in: Cleaned up to work with Linux + and FreeSWAN. + +2004-04-13 Michal Ludvig <mludvig@suse.cz> + + * src/racoon/grabmyaddr.c (suitable_ifaddr6): Anycast addresses are + not suitable. + +2004-04-09 Michal Ludvig <mludvig@suse.cz> + + * src/racoon/crypto_openssl.c (cb_check_cert): Warn if no CRL is found. + * src/racoon/isakmp_ident.c (ident_r2recv): Removed debug plog(). + * src/racoon/proposal.c (cmpsatrns): Downgrade severity of trns_id + mismatch to LLV_WARNING. + * src/libipsec/pfkey_dump.c, src/racoon/algorithm.c + src/racoon/algorithm.h src/racoon/cftoken.l + src/racoon/ipsec_doi.c src/racoon/ipsec_doi.h + src/racoon/oakley.h src/racoon/pfkey.c src/racoon/strnames.c + src/setkey/token.l: Renamed Rijndael to AES. + * src/setkey/token.l: Recognize exit/quit/bye tokens. + * src/setkey/parse.y (exit_command): New. + * src/setkey/setkey.c (stdin_loop): Exit when exit_now is set + in exit_command. + +2004-04-08 Michal Ludvig <mludvig@suse.cz> + + * src/setkey/setkey.c (main): Call get_supported() in interactive mode. + (stdin_loop): Concat multiline input into a single line before parsing. + +2004-04-07 Michal Ludvig <mludvig@suse.cz> + + * src/racoon/nattraversal.c (natt_keepalive_send): Log sending KA + with level DEBUG. Having it with level INFO only pollutes logfiles. 
+ +2004-04-06 Michal Ludvig <mludvig@suse.cz> + + * src/racoon/Makefile.in: eaytest now links plog.o + * src/racoon/crypto_openssl.c: Remove all #ifdef EAYDEBUG/#endif + surrounding plog(). + * src/racoon/eaytest.c (rsatest): Enabled RSA tests again, now + verifying both good and bad signatures. + +--------------------------------------------- + + 0.3rc5 released + +2004-04-05 Michal Ludvig <mludvig@suse.cz> + + * NEWS: Notes for release 0.3rc5 + * configure.ac: Bump up version to 0.3rc5 + +2004-04-05 Michal Ludvig <mludvig@suse.cz> + + Fix for a security bug found by Ralf Spenneberg: + * src/racoon/crypto_openssl.c (eay_check_x509sign): Directly generate + 'evp' instead of 'pubkey'. + (eay_rsa_sign): Use the above. + * src/racoon/crypto_openssl.h: Update prototypes for the above. + * src/racoon/eaytest.c: Disabled RSA tests because of the API change. + +2004-04-05 Michal Ludvig <mludvig@suse.cz> + + * src/racoon/pfkey.c (pfkey_handler): Safety check before accessing + the array (thx to Ren.J.Y for report). + (pkrecvf): Added entry for SADB_X_NAT_T_NEW_MAPPING (NULL for now). + * src/racoon/strnames.c (name_pfkey_type): Ditto. + +2004-04-02 Michal Ludvig <mludvig@suse.cz> + + * src/racoon/eaytest.c (ciphertest_1): Correct padlen. + +2004-04-01 Michal Ludvig <mludvig@suse.cz> + + * src/racoon/ipsec_doi.c (setph2proposal0): Move proposal encmode + update from here ... + (ipsecdoi_setph2proposal): ... to here. Hopefully this is a + better place to do the update. + +2004-03-30 Michal Ludvig <mludvig@suse.cz> + + * src/racoon/crypto_openssl.c (eay_3des_expand_key): New function. + (eay_3des_encrypt, eay_3des_decrypt): Expand key if necessary. + * src/racoon/eaytest.c (ciphertest_1): New function. + (ciphertest): Simplified to simple calls of ciphertest_1(). + +2004-03-29 Michal Ludvig <mludvig@suse.cz> + + * README: Rewritten. Mentioned where to report bugs. + +2004-03-26 Michal Ludvig <mludvig@suse.cz> + + * configure.ac: Check for readline.h and libreadline. 
+ * src/setkey/setkey.c: Call stdin_loop() when '-c' was given. + (stdin_loop): Read user input and parse it line-by-line. + * src/setkey/token.l (parse_string): New function. + +--------------------------------------------- + + 0.3rc4 released + +2004-03-25 Michal Ludvig <mludvig@suse.cz> + + * configure.ac: Bump up version to 0.3rc4 + * NEWS: Notes for release 0.3rc4 + * src/racoon/cfparse.y (algorithm): Hint about missing module. + * src/racoon/crypto_openssl.c (eay_3des_*): Check for strict key + length only with old API. + (eay_des_encrypt): Ditto. + * src/racoon/eaytest.c: Make the testsuite useful, i.e. exit with + non-zero error code if any of the tests fail. + (main): Print banner with version. + * src/racoon/Makefile.in: Run eaytest in 'make check'. + +2004-03-23 Michal Ludvig <mludvig@suse.cz> + + * src/racoon/isakmp_agg.c (agg_i2recv): Copy remote cookie before + comparing NAT-D payloads. (thx to Gaurav Kansal for report). + * src/racoon/crypto_openssl.c: Avoid type-punned warnings. + * src/racoon/eaytest.c: Disable 'cert' tests. + * src/racoon/crypto_openssl.c (eay_des_encrypt): No need to check + for strict length. + (eay_aes_encrypt): Keylength is in bits, not bytes. + +2004-03-22 Michal Ludvig <mludvig@suse.cz> + + * src/setkey/parse.y (ALG_ENC_NOKEY, ALG_ENC_OLD): Use "" for key + instead of NULL and check for availability. + +--------------------------------------------- + + 0.3rc3 released + +2004-03-19 Michal Ludvig <mludvig@suse.cz> + + * configure.ac: Bump up version to 0.3rc3 + * NEWS: Notes for release 0.3rc3 + * src/racoon/cftoken.l: Add 'null' as an alias for 'null_enc'. + * src/racoon/proposal.c (cmpsatrns): New parameter proto_id, + better diagnostic output when trns_id don't match. + * src/racoon/proposal.h (cmpsatrns): Update prototype. + * src/setkey/setkey.c: Change option -h to -H (for hexdump), new + options -h (help) and -V (version). + * src/setkey/setkey.8: Document the above changes. 
+ * src/racoon/rfc/*: Many standards related to IPsec/IKE/NAT-T/... + +2004-03-15 Michal Ludvig <mludvig@suse.cz> + + * src/racoon/configure.in: Prevent compilation error with + --enable-yydebug. + +--------------------------------------------- + + 0.3rc2 released + +2004-03-11 Michal Ludvig <mludvig@suse.cz> + + * configure.ac: Bump up version to 0.3rc2 + * NEWS: Notes for release 0.3rc2 + * src/racoon/aclocal.m4 (RACOON_CHECK_VA_COPY): New test. + * src/racoon/configure.in: Call RACOON_CHECK_VA_COPY + * src/racoon/plog.c (plogv): Replace va_copy() with VA_COPY. + * src/racoon/racoon.conf.5: Note that NAT-T support is a compile + time option. + +2004-03-10 Michal Ludvig <mludvig@suse.cz> + + * src/racoon/racoon.conf.5: Document nat_traversal option. + * src/racoon/racoon.8: DOcument new options (-L and -P). + +2004-03-09 Michal Ludvig <mludvig@suse.cz> + + * src/racoon/grabmyaddr.c (autoconf_myaddrsport): Prepare addrs for + UDP-Encap ports if NAT-T is enabled. + (dupmyaddr): New function. + * src/racoon/grabmyaddr.h: Prototype for dupmyaddr(). + * src/racoon/isakmp.c (isakmp_open): Complain if NAT-T is enabled, but + no port for UDP-Encap was open. + * src/racoon/isakmp_var.h (PORT_ISAKMP_NATT): New define. + * src/racoon/localconf.c, src/racoon/localconf.h: Define and setup + lcconf->port_isakmp_natt. + * src/racoon/main.c (main): Print nicer banner, + (usage): Document new options (-L and -P). + (parse): Recognise the above. + * src/racoon/nattraversal.c (natt_fill_options): Don't use hardcoded + constants for float_port. + (natt_enabled_in_rmconf, natt_enabled_in_rmconf_stub): New functions. + * src/racoon/nattraversal.h: Prototype for natt_enabled_in_rmconf(). + * src/racoon/plog.c: Don't print source:line:function by default. + * src/racoon/remoteconf.c (foreachrmconf): New helper function. + * src/racoon/remoteconf.h: Prototype for the above. + * package_version.h: Define strings for use in banners. + * configure.ac: Fill up the above header. 
+ +2004-03-09 Michal Ludvig <mludvig@suse.cz> + + * src/racoon/configure.in: Don't put -O into OPTFLAGS, + add new option --disable-natt. + * src/racoon/cfparse.y, src/racoon/handler.c, + src/racoon/ipsec_doi.c, src/racoon/isakmp.c, + src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c, + src/racoon/isakmp_ident.c, src/racoon/pfkey.c, + src/racoon/proposal.c, src/racoon/session.c: Replace WITH_NATT + with ENABLE_NATT. + * src/racoon/crypto_openssl.c: Replace %d with %zd for size_t arguments. + +2004-03-06 Aidas Kasparas <a.kasparas@gmc.lt> + + * configure.ac: Refuse to continue if lexer library (yywrap() + function) is missing. Should prevent bugs like #892067, #908758 + * src/racoon/configure.in: renamed --with-ssleay to --with-openssl. + Users should not be given false idea that they require both OpenSSL + and SSLeay to compile racoon. (See bug #902197) + +--------------------------------------------- + + 0.3rc1 released + +2004-03-04 Michal Ludvig <mludvig@suse.cz> + + * configure.ac: Bump up version to 0.3rc1 + * NEWS: Mention release 0.3rc1 (and copy 0.2.3 and 0.2.4 notes + from 0.2 branch). + * src/racoon/samples/racoon.conf.sample-natt: New sample config file. + * src/racoon/Makefile.in: Tweak file lists to make 'distcheck' happy, + enabled NATT by default (will become a config option later). + +2004-03-04 Michal Ludvig <mludvig@suse.cz> + + Merge with 'nat-t_branch' to bring NAT-T (NAT traversal) support + to racoon. 
+ * src/racoon/Makefile.in, src/racoon/cfparse.y, + src/racoon/cftoken.l, src/racoon/grabmyaddr.c, + src/racoon/grabmyaddr.h, src/racoon/handler.c, + src/racoon/handler.h, src/racoon/ipsec_doi.c, + src/racoon/ipsec_doi.h, src/racoon/isakmp.c, src/racoon/isakmp.h, + src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c, + src/racoon/isakmp_ident.c, src/racoon/isakmp_quick.c, + src/racoon/localconf.c, src/racoon/localconf.h, + src/racoon/pfkey.c, src/racoon/proposal.c, src/racoon/proposal.h, + src/racoon/racoon.conf.5, src/racoon/remoteconf.c, + src/racoon/remoteconf.h, src/racoon/session.c, + src/racoon/strnames.c, src/racoon/vendorid.h + src/libipsec/pfkey.c, + src/racoon/nattraversal.c, src/racoon/nattraversal.h, + src/racoon/sockmisc.c: Affected files. + +2004-02-27 Michal Ludvig <mludvig@suse.cz> + + * src/racoon/isakmp.c (set_isakmp_header1): Renamed from + set_isakmp_header(). + (set_isakmp_header): New function common for set_isakmp_header1() + and set_isakmp_header2(). + (copy_ph1addresses): Obey original port. + (isakmp_plist_append, isakmp_plist_set_all): New helper functions. + * src/racoon/isakmp_var.h: Prototypes for the above. + * src/racoon/isakmp.h (struct payload_list): New structure. + * src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c, + src/racoon/isakmp_ident.c: Use isakmp_plist_* functions. + +2004-02-03 Michal Ludvig <mludvig@suse.cz> + + * src/racoon/Makefile.in: Fix install to $(sbindir) + * src/setkey/parse.y: Avoid GCC 3.3 warning (type-punned pointer). + +2004-01-19 Michal Ludvig <mludvig@suse.cz> + + * rpm/ipsec-tools.FC1: Startup script for Fedora Core 1 + (thanks to Kimmo Koivisto <kimmo.koivisto@surfeu.fi>) + +2004-01-17 Aidas Kasparas <a.kasparas@gmc.lt> + + * src/racoon/isakmp_inf.c: endian mismatch fix. From iij seil team + +2004-01-15 Michal Ludvig <mludvig@suse.cz> + + * src/racoon/isakmp_inf.c: Prevent unauthorized deletion of SA + (reported on bugtraq, fixed by iij seil team). 
+ * src/racoon/isakmp.c: Don't try to bind to IPv6 multicast addresses. + +2004-01-14 Michal Ludvig <mludvig@suse.cz> + + * src/racoon/plog.c: Fix segfault on AMD64 (va_list can be used + only once). + * configure.ac: Don't build shared libipsec by default (can be + enabled by --enable-shared). + * bootstrap: Don't run automake for racoon. + +2004-01-12 Michal Ludvig <mludvig@suse.cz> + + * src/racoon/configure.in: Fix AC_DEFINEs to make autoheader happy, + use config.h for defines instead of -DHAVE_* gcc options, + fix CRYPTOBJS to include missing rijndael libraries only once, + checking for AES support in OpenSSL now (hopefully) finally + works on both OpenSSL 0.9.6 and 0.9.7. + * src/racoon/*.[cyl]: Include autogenerated "config.h" + * src/racoon/missing/crypto/*/*.c: Ditto. + * src/racoon/.cvsignore: Add config.h, config.h.in + +2004-01-09 Michal Ludvig <mludvig@suse.cz> + + * src/racoon/.cvsignore: Add "autom4te.cache" and "configure". + +2004-01-09 Aidas Kasparas <a.kasparas@gmc.lt> + + Sync with KAME 2004-01-07 + * src/libipsec/pfkey.c: memory leak fix; comment typo fixes + * src/libipsec/{pfkey.c,pfkey_dump.c}: allow compilation even + no SADB_X_EXT_TAG defined + * src/libipsec/pfkey_dump.c: information about algorithms + ripemd160, aes-xcbc, aes-ctr; bigger buffers; <tag> support + * src/libipsec/policy_parse.y: memory leak + * src/libipsec/policy_token.l: memory leak + * src/libipsec/test-policy.c: unneeded \n removed + * src/racoon/Makefile.in: $(sbindir) support + * src/racoon/admin.c: interface changes due to proxy support + * src/racoon/algorithm.c: SHA2 #ifdefs + * src/racoon/{cfparse.y,cftoken.l}: license text added + * src/racoon/cfparse.y: mip6 obsoleted by proxy support + * src/racoon/cfparse.y: from directive support; new algorithms + * src/racoon/cftoken.l: support for globbing of include files + * src/racoon/configure.in: more verbose information about problems + with SHA2 + * src/racoon/crypto_openssl.c: use new DES API if supported; 
algorithm + key size fixes + * src/racoon/eaytest.c: SHA2 #ifdefs; keysize len check + * src/racoon/ipsec_doi.c: use VPTRINIT; ESP parameter validity checks; + style change + * src/racoon/isakmp.c: use VPTRINIT; interface changes due to + mip6->proxy; typo + * src/racoon/isakmp_inf.c: use VPTRINIT + * src/racoon/isakmp_quick.c: mip6->proxy + * src/racoon/kmpstat.c: not used variables removed + * src/racoon/pfkey.c: mip6->proxy; schedule leak + * src/racoon/proposal.c: style + * src/racoon/remoteconf.c: mip6->proxy + * src/racoon/sainfo.c: from directive support + * src/racoon/sockmisc.c: side correction; addrinfo leak + * src/racoon/strnames.c: typo in descriptions; wrong upper bound check + * src/racoon/missing/crypto/sha2/sha2.c: wrong size + * src/setkey/parse.y: extra algorithms; tagged; not needed periods + removed; memory shortage checks + * src/setkey/setkey.8: typos; tagged; new algorithms + * src/setkey/setkey.c: standard argument names for main(); hexdump + support; info in file support + * src/setkey/token.l: new algorithms; memory shortage checks + Parts not taken from KAME: + * kernelfs stuff; + * sysctl stuff + +2004-01-08 Michal Ludvig <mludvig@suse.cz> + + * src/racoon/config.{sub,guess}: Update from automake 1.7. + +2004-01-08 Michal Ludvig <mludvig@suse.cz> + + Patch from Kostadin Karaivanov <larry@minfin.bg>: + * src/racoon/configure.in: Check for openssl/aes.h. + * src/racoon/crypto_openssl.c: Use OpenSSL AES functions if available. + +2004-01-08 Michal Ludvig <mludvig@suse.cz> + + * src/racoon/configure: Remove, should be regenerated by bootstrap. + +2004-01-02 Michal Ludvig <michal@logix.cz> + + * src/racoon/crypto_openssl.c: Update to work with OpenSSL 0.9.7 + (by Brian Buesker <bbuesker@qualcomm.com> + and Christophe Saout <christophe@saout.de>) + * src/racoon/proposal.c: Be more verbose. (Michal Ludvig) + * src/libipsec/ipsec_dump_policy.c: Dump FWD policies correctly + (by Michal Ludvig). 
+ * src/setkey/token.l, src/setkey/parse.y: Add support for lifetime + specified in bytes (by Michal Ludvig). + * src/setkey/setkey.8: Document -bh/-bs options for the above feature. + * src/libipsec/pfkey.c: Don't include 'sadb_key' in SADB_UPDATE + message for IPcomp SA. (by Brian Buesker <bbuesker@qualcomm.com>) + * src/racoon/cfparse.y: Flush SA on SIGHUP + (by Brian Buesker <bbuesker@qualcomm.com>) + * src/racoon/pfkey.c: IPcomp fixes + (by Brian Buesker <bbuesker@qualcomm.com>) + * src/racoon/proposal.c: Fix typo lifebyte -> lifetime. + * src/racoon/grabmyaddr.c: Prevent segfault if getifaddrs() returns + an entry with NULL ifa_addr (Michal Ludvig). + * configure.ac: Change path to kernel headers + from /usr/src/devel-2.5/devel to /usr/src/linux + * bootstrap: Use default tools, reconfigure src/racoon + * src/racoon/configure.in: Change LIBOBJS -> AC_LIBOBJ, + changed comments from 'dnl' to '#'. + +2003-06-20 Derek Atkins <derek@ihtfp.com> + + * src/racoon/aclocal.m4: + * src/racoon/configure: + Don't execute "for i in $3" if "$3" doesn't exist. + Fixes bug #721296. + +2003-03-31 Derek Atkins <derek@ihtfp.com> + + * src/setkey/parse.y: change the NAT-T Type to use UDP_ENCAP_ESPINUDP + (which is value '2') + +2003-03-27 Derek Atkins <derek@ihtfp.com> + + * src/libipsec/key_debug.c: use ntohs() before printing port + * src/libipsec/pfkey.c: convert port# to network byte order + * src/libipsec/pfkey_dump.c: use ntohs() before printing ports + * src/setkey/parse.y: convert port#'s to network byte order + +2003-03-24 Derek Atkins <derek@ihtfp.com> + + * src/libipsec/pfkey.c: Don't switch off NAT-T extensions + if they don't exist in the kernel. + + * src/racoon/sockmisc.c: use '34' for IPV6_IPSEC_POLICY, + as per Tom Lendacky <toml@us.ibm.com>. Also move the + setting of IPV6_IPSEC_POLICY to the top of the file. 
+ +2003-03-13 Derek Atkins <derek@ihtfp.com> + + Add initial support for NAT-T PFKey Extensions: + * src/libipsec/key_debug.c: add support to print information + about NAT-T extension packets. + * src/libipsec/libpfkey.h: add two new APIs to support NAT-T + for add and update as part of the SADB. + * src/libipsec/pfkey.c: + - Implement extended APIs to support NAT-T for add and update + of the SADB. + - Add APIs to fill a buffer with NAT-T packet types + * src/libipsec/pfkey_dump.c: Extend the SADB output to include + PFKey packets. Put port numbers with the source and dest + addresses, add an 'esp-udp' SA-type, and add a printout for + the NAT-OA. + * src/setkey/parse.y: + - Extend setkey to create an ESP-UDP SA. + - default UDP port is 4500 + - extend 'add' to allow <ip-addr>[<portnum>] for source and dest + (the portnum specification requires the [] characters) + - add an ESPUDP "protocol" from the lexer. This will use + ESP and allow an optional Original Address setting. + - add a function to get a udp port from a struct sockaddr * + - pass the NAT-T extentions into PFKey + * src/setkey/token.l: add "esp-udp" token + + * rpm/ipsec-tools.spec.in: Bill Nottingham's SPEC-file patch: + This switches it to use %{_lib} (for /lib64 systems such as + x86-64 and s390x, and has it own the /etc/racoon directory in + the package as well. + +--------------------------------------------- + + 0.2.2 released + +2003-03-13 Derek Atkins <derek@ihtfp.com> + + * configure.am, NEWS: + Update for 0.2.2 release + + * Makefile.am: distribute depcomp + +2003-03-10 Derek Atkins <derek@ihtfp.com> + + * src/racoon/Makefile.in: add @LEXLIB@ to the LIBS line to make + sure we link against the lexer library when necessary. 
+ +2003-03-07 Derek Atkins <derek@ihtfp.com> + + * configure.am: + * Makefile.am: + * rpm/Makefile.am: + * rpm/ipsec-tools.spec.in: + Added RPM SPEC to CVS + +--------------------------------------------- + + 0.2.1 released + +2003-03-07 Derek Atkins <derek@ihtfp.com> + + * src/racoon/configure.in: change "CFLAGS" to "CPPFLAGS" for + ssl include directory, to make sure the other tests work properly. + +2003-03-06 Derek Atkins <derek@ihtfp.com> + + * src/racoon/kmpstat.c: fix gcc-3.2.2 compiler warning + + * src/racoon/configure.in: look for krb5-config and don't + use it if it's not found. Fixes a configure-time warning. + +-------------------------------------------- + + 0.2 Released |
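Review bot: the added file carries upstream spelling slips, for example "pass the NAT-T extentions into PFKey" in the 2003-03-13 entry for src/setkey/parse.y. Since this is upstream's historical changelog added as a new file, I would leave them untouched so the file stays byte-identical to the release, and send any corrections upstream instead. The paths in these entries (src/racoon/..., src/setkey/..., rpm/ipsec-tools.spec.in) are relative to the upstream tree root, not to this repository, which is worth a line in the import notes. Recording a checksum of the upstream release archive alongside the import would also let a later reader confirm that this file, and the rest of the imported sources, match what upstream shipped.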