author: Christian Mauderer <christian.mauderer@embedded-brains.de> 2018-05-30 14:27:35 +0200
committer: Christian Mauderer <christian.mauderer@embedded-brains.de> 2018-08-01 09:55:27 +0200
commit: ff36f5e409707ada66506eefd4ac0a396cb28055
tree: 9594b2a1aeb06b4ecaaae02644a65525adaf5bb5 /ipsec-tools/ChangeLog
parent: if_ipsec: Port and add to everything-buildset.
download: rtems-libbsd-ff36f5e409707ada66506eefd4ac0a396cb28055.tar.bz2
Import ipsec-tools 0.8.2.
Import unchanged ipsec-tools sources in the release version 0.8.2. The homepage of ipsec-tools is http://ipsec-tools.sourceforge.net/. The sources can be obtained from there.
Diffstat (limited to 'ipsec-tools/ChangeLog')
-rw-r--r-- ipsec-tools/ChangeLog 1931
1 files changed, 1931 insertions, 0 deletions
diff --git a/ipsec-tools/ChangeLog b/ipsec-tools/ChangeLog
new file mode 100644
index 00000000..c31fc5f1
--- /dev/null
+++ b/ipsec-tools/ChangeLog
@@ -0,0 +1,1931 @@
+2013-07-12 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/main.c: From Sven Vermeulen
+ <sven.vermeulen@siphos.be>: Moves ploginit() up, allowing logging
+ events from init_avc() to show up as well.
+
+2013-06-18 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/ipsec_doi.c: From Paul Barker: Remove redundant memset
+ after calloc that caused compile failures with gcc 4.8 due to error:
+ argument to 'sizeof' in 'memset' call is the same expression as the
+ destination; did you mean to dereference.
+
+2013-06-03 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/admin.c: From Alexander Sbitnev
+ <alexander.sbitnev@gmail.com>: fix admin port establish-sa for
+ tunnel mode SAs.
+
+2013-05-23 Timo Teras <timo.teras@iki.fi>
+
+ * src/include-glibc/net/pfkeyv2.h: From Rainer Weikusat
+ <rweikusat@mobileactivedefense.com>: Fix SADB_X_EALG_CASTCBC
+ definition to use system definition (which differs at least on
+ Linux).
+
+2013-04-12 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/isakmp_cfg.c: From Rainer Weikusat
+ <rweikusat@mobileactivedefense.com>: Do not send out illegal zero
+ length MODE_CFG attributes.
+
+ * src/racoon/: grabmyaddr.c, isakmp_inf.c: Some logging
+ improvements.
+
+2013-02-05 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/grabmyaddr.c: Fix source port selection
+
+ * src/racoon/isakmp_xauth.c: From Ian West <ian@niw.com.au>: Fix
+ double free of the radius info on config reload.
+
+2013-01-24 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/isakmp_inf.c: Fix handling of deletion notification.
+
+2013-01-08 tag ipsec-tools-0_8_1
+
+2013-01-08 Timo Teras <timo.teras@iki.fi>
+
+ * NEWS, configure.ac: ipsec-tools-0.8.1
+
+ * configure.ac: Fix errors from automake 1.13
+
+ * src/include-glibc/Makefile.am: Don't derefence the directory
+ symlink which we might be recreating.
+
+2012-12-24 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/crypto_openssl.c: From Götz Babin-Ebell
+ <g.babin-ebell@novamedia.de>: Smarter X.509 subject name compare.
+
+ * configure.ac, src/racoon/crypto_openssl.c,
+ src/racoon/missing/crypto/sha2/sha2.c: From Götz Babin-Ebell
+ <g.babin-ebell@novamedia.de>: Require OpenSSL 0.9.8s or higher
+
+2012-08-29 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/isakmp_inf.c: From Roman Hoog Antink <rha@open.ch>:
+ Accept DPD messages with cookies also in reversed order for
+ compatiblity. At least Cisco 836 running IOS 12.3(8)T does this.
+
+ * src/racoon/oakley.c: From Roman Hoog Antink <rha@open.ch>: add
+ remote's IP address to the "certificate not verified" error message.
+
+ * src/racoon/oakley.c: From Roman Hoog Antink <rha@open.ch>: do not
+ print unnecessary warning about non-verified certificate when using
+ raw plain-rsa.
+
+ * src/racoon/isakmp.c: From Rainer Weikusat
+ <rweikusat@mobileactivedefense.com>: Release unused phase2 of
+ passive remotes after acquire.
+
+ * src/racoon/isakmp.c: From Wolfgang Schmieder
+ <wolfgang.schmieder@honeywell.com>: setup phase1 port properly.
+
+ * src/racoon/: cfparse.y, cftoken.l, racoon.conf.5: Allow inherited
+ remote blocks without additional remote statements to be specified
+ in a simpler way. patch by Roman Hoog Antink <rha@open.ch>
+
+2012-08-23 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/crypto_openssl.c: From Nakano Takaharu: Fix bignum
+ memory allocation.
+
+2012-01-01 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/isakmp_unity.c: From Rainer Weikusat
+ <rweikusat@mobileactivedefense.com>: Fix one byte too short memory
+ allocation in isakmp_unity.c:splitnet_list_2str().
+
+2011-11-17 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/handler.c: fixed some crashes in LIST_FOREACH where
+ current element could be removed during the loop
+
+2011-11-14 Timo Teras <timo.teras@iki.fi>
+
+ * src/libipsec/pfkey.c: From Marcelo Leitner <mleitner@redhat.com>:
+ do not shrink pfkey socket buffers (if system default is larger than
+ what we want as minimum)
+
+2011-08-12 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/privsep.c: Have privilege separation child process
+ exit if the parent exits.
+
+ * Makefile.am: Create ChangeLog for proper CVS branch.
+
+2011-03-18 tag ipsec-tools-0_8_0
+
+2011-03-18 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * configure.ac: Yes: 0.8.0 is out !!!
+
+ * NEWS: updated News for 0.8 branch
+
+2011-03-17 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/oakley.c: fixed a memory leak in
+ oakley_append_rmconf_cr() while generating plist. patch by Roman
+ Hoog Antink <rha@open.ch>
+
+ * src/racoon/oakley.c: free name later, to avoid a memory use after
+ free in oakley_check_certid(). also give iph1->remote to some plog()
+ calls. patch by Roman Hoog Antink <rha@open.ch>
+
+ * src/racoon/oakley.c: fixed a memory leak in
+ oakley_check_certid(). patch by Roman Hoog Antink <rha@open.ch>
+
+2011-03-15 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/: isakmp.c, isakmp_inf.c, pfkey.c: directly call
+ isakmp_ph1delete() instead of scheduling isakmp_ph1delete_stub(), as
+ it is useless an can lead to memory access after free
+
+2011-03-14 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/: grabmyaddr.c, handler.c, isakmp.c, isakmp_inf.c,
+ isakmp_quick.c, nattraversal.c, pfkey.c, policy.c, sockmisc.c,
+ sockmisc.h, throttle.c: Explicitly compare return value of
+ cmpsaddr() against a return value define to make it more obvious
+ what is the intended action. One more return value is also added, to
+ fix comparison of security policy descriptors. Namely, getsp()
+ should not allow wildcard matching (as the comment says, it does
+ exact matching) - otherwise we get problems when kernel has generic
+ policy with no ports, and a second similar policy with ports.
+
+2011-03-14 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/: cfparse.y, isakmp_xauth.c, isakmp_xauth.h,
+ remoteconf.c, remoteconf.h, rsalist.c, rsalist.h: avoid some
+ memory leaks / free memory access when reloading conf and have
+ inherited config. patch from Roman Hoog Antink <rha@open.ch>
+
+ * src/racoon/handler.c: removed an useless comment
+
+ * src/racoon/handler.c: check if we got RMCONF_ERR_MULTIPLE from
+ getrmconf_by_ph1() in revalidate_ph1tree_rmconf()
+
+2011-03-11 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/: handler.c, isakmp.c: directly delete a ph1 in
+ remove_ph1-) instead of scheduling it, to avoid (completely ?) a
+ race condition when reloading configuration
+
+2011-03-06 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/privsep.c: Quiet a gcc warning when strict-aliasing
+ checks are enabled. Reported by Stephen Clark.
+
+2011-03-02 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/session.c: flush sainfo list when closing session.
+ patch by Roman Hoog Antink <rha@open.ch>
+
+ * src/racoon/: remoteconf.c, rsalist.c, rsalist.h: free rsa
+ structures when deleting a struct rmconf. patch by Roman Hoog Antink
+ <rha@open.ch>
+
+ * src/racoon/: cfparse.y, remoteconf.c, remoteconf.h: free spspec
+ when deleting a rmconf struct. patch by Roman Hoog Antink
+ <rha@open.ch>
+
+ * src/racoon/: remoteconf.c, session.c: fixed some memory leaks in
+ remoteconf. patch by Roman Hoog Antink <rha@open.ch>
+
+ * src/racoon/: cfparse.y, prsa_par.y: fixed some memory leaks
+ during configuration parsing. patch by Roman Hoog Antink
+ <rha@open.ch>
+
+2011-03-01 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/: isakmp.c, pfkey.c: plog text fixes, patch from M E
+ Andersson <debian@gisladisker.se>
+
+ * src/racoon/cfparse.y: reset yyerrorcount before doing parse
+ stuff. patch by Roman Hoog Antink <rha@open.ch>
+
+2011-02-20 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/oakley.c: From Roman Hoog Antink <rha@open.ch>: Fix
+ memory leak when using plain RSA key authentication.
+
+2011-02-11 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/plainrsa-gen.c: From Mats E Andersson
+ <debian@gisladisker.se>: Fix fprintf format specifier usage from
+ previous patch.
+
+2011-02-10 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/plainrsa-gen.c: From Mats Erik Andersson
+ <debian@gisladisker.se>: Implement importing of RSA keys from PEM
+ files.
+
+ * src/racoon/prsa_par.y: From M E Andersson
+ <debian@gisladisker.se>: Fix parsing of restricted RSA key
+ addresses.
+
+2011-02-02 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/: cftoken.l, isakmp.c, remoteconf.h, sainfo.c,
+ sainfo.h: store ph1id in an u_int32_t instead of a (signed)int.
+ Patch from Christophe Carre
+
+2011-01-28 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/: sainfo.c, sainfo.h, session.c: From Roman Hoog
+ Antink <rha@open.ch>: Clean up sainfo reloading: rename the
+ functions, and remove unneeded global variable.
+
+ * src/racoon/: remoteconf.c, remoteconf.h, session.c: From Roman
+ Hoog Antink <rha@open.ch>: Clean up rmconf reloading: rename the
+ functions, and remove unneeded global variable.
+
+ * src/racoon/plog.c: From Roman Hoog Antink <rha@open.ch>: Log
+ remote IP address if available (slightly modified by tteras)
+
+2011-01-22 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/isakmp_inf.c: From Roman Hoog Antink <rha@open.ch>:
+ Fixes a null pointer dereference that might occur after removing
+ peers from the config and then reloading.
+
+2011-01-20 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/libipsec/pfkey.c: fixed a typo, it will now compile when
+ KMADDRESS is defined. reported by Roman Hoog Antink (rha (at)
+ open.ch)
+
+2010-12-28 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/handler.c: From Roman Hoog Antink <rha@open.ch>: Fix
+ config reload to not delete too many phase 2 handles, because wrong
+ chain field is used when enumerating the handles.
+
+2010-12-16 gdt
+
+ * src/racoon/oakley.c: When encountering a certificate where "ID
+ mismatched with ASN1 SubjectName", and verify_identifier is off,
+ don't raise an error. This makes the behavior match the man page.
+
+ Patch sent for review long ago:
+ http://mail-index.netbsd.org/tech-security/2006/03/24/0000.html
+ with no negative feedback received to date.
+
+2010-12-14 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/ipsec_doi.c: From Roman Hoog Antink <rha@open.ch>: Fix
+ possible null derefence.
+
+2010-12-08 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/admin.c: Use separate SA addresses for phase2's
+ created by admin command. The phase2 startup overwrites src/dst with
+ ISAKMP ports if they are zero and we don't want that to happen for
+ the SA ports.
+
+2010-12-08 joerg
+
+ * src/libipsec/pfkey.c: ANSIfy
+
+2010-12-07 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/isakmp_quick.c: Fix spacing and improve wording in
+ some log messages.
+
+2010-12-03 Timo Teras <timo.teras@iki.fi>
+
+ * src/libipsec/ipsec_dump_policy.c: Recognize direction for Linux
+ per-socket policies.
+
+ * src/: libipsec/libpfkey.h, libipsec/pfkey_dump.c, setkey/parse.y,
+ setkey/setkey.8: Support GRE key as upper layer protocol
+ specifier (will be supported in Linux kernel 2.6.38).
+
+ * src/racoon/grabmyaddr.c: Netlink deletion notification does not
+ guarentee actual address deletion: it might still exist on some
+ other interface. Make sure we do not unbind unless the address is
+ really gone.
+
+2010-11-17 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/: handler.c, handler.h, isakmp.c, isakmp_inf.c: Fix my
+ previous patch to not call purge_remote() twice. Change the place
+ where purge_remote() is called. This fixes also a possible crash
+ from the same patch since ph1->remote can be NULL (when we are
+ responder and config is not yet selected).
+
+2010-11-12 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/: admin.c, isakmp.c, isakmp_var.h, pfkey.c:
+ isakmp_post_acquire is now called from admin commands too, add a
+ flag so admin commands can be used to establish even passive links
+ on demand.
+
+ * src/racoon/isakmp.c: Purge all IPsec-SA's if the last main
+ ISAKMP-SA for the node is deleted by remote request and the phase1
+ rekeying is enabled (this will also trigger the new phase1_dead
+ script hook).
+
+ * src/racoon/: handler.h, isakmp_inf.c: Improve DPD sequence checks
+ to allow any reply within valid sequence window to be proof of
+ livelyness. This can improves things if there's random packet
+ delays, or if racoon is not getting enough CPU time.
+
+ * src/racoon/: admin.c, admin.h, kmpstat.c, racoonctl.c: Extern
+ admin protocol to allow reply packets to exceed 64kb. E.g SA dumps
+ with many established SAs can be easily over the limit.
+
+2010-10-22 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/grabmyaddr.c: Change Linux Netlink address monitoring
+ to monitor local route changes. This works around a kernel bug, and
+ slightly improves behaviour on some special cases.
+
+2010-10-21 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/: admin.c, evt.c, grabmyaddr.c, isakmp.c, pfkey.c,
+ session.c, session.h: Introduce priorities for file descriptor
+ polling mechanism and give priority to admin port. If admin port is
+ used by ISAKMP-SA hook scripts they should be preferred, other wise
+ heavy traffic can delay admin port requests considerably. This in
+ turn may cause renegotiation loop for ISAKMP-SA. This is mostly
+ useful for OpenNHRP setup, but can benefit other setups too.
+
+ * src/racoon/: admin.c, handler.c, handler.h: Remove
+ initial-contact entry when all ISAKMP-SA are purged via adminport.
+ This will avoid stale security associations if some of the delete
+ notifications happens to get lost.
+
+2010-10-20 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/crypto_openssl.c: Use high-level openssl EVP and HMAC
+ functions when possible: this allows openssl to perform hardware
+ acceleration if available.
+
+ * src/racoon/: isakmp.c, isakmp_quick.c: Various improvements to
+ error log messages and a few additional error log messages to
+ improve diagnosing an error condition.
+
+ * src/racoon/grabmyaddr.c: Fix address comparison so we actually
+ close sockets which were bound to IP-address that got deconfigured.
+
+2010-10-11 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/ipsec_doi.c: report a higher encryption key length in
+ approval for OBEY / CLAIM / STRICT modes
+
+2010-09-27 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/isakmp_xauth.c: fixed some typos in logs (reported by
+ fazaeli (at) sepehrs.com)
+
+2010-09-24 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/cftoken.l: fixed a fd leak, patch by getlaser (at)
+ gmail.com
+
+2010-09-22 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/admin.c: get the correct length of username when
+ processing ADMIN_LOGOUT_USER, patch by rweikusat (at) mssgmbh.com
+
+ * src/racoon/nattraversal.h: fixed a typo in macros, reported by
+ marisp (at) mt.lv
+
+2010-09-21 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/isakmp_cfg.c: moved from utmp.h to utmpx.h (patch
+ provided by marcin.cieslak (at) gmail.com)
+
+2010-09-08 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/remoteconf.c: fixed remoteconf selection when no ID
+ specified in configuration, and added some debug to remoteconf
+ selection
+
+2010-08-26 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/remoteconf.c: fix by Sergio.Gelato (at) astro.su.se:
+ duplicate some dynamic values in duprmconf()
+
+2010-08-04 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/isakmp_cfg.c: fixed answer for IP4_SUBNET request
+
+2010-07-30 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/doc/FAQ: updated link to NetBSD's documentation
+
+2010-06-22 Thomas Klausner <wiz@netbsd.org>
+
+ * src/racoon/racoon.conf.5: Bump date for previous.
+
+2010-06-22 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/: cfparse.y, cftoken.l, isakmp.c, isakmp_inf.c,
+ racoon.conf.5, remoteconf.c, remoteconf.h: added a specific
+ script hook when a dead peer is detected
+
+2010-06-04 Thomas Klausner <wiz@netbsd.org>
+
+ * src/setkey/setkey.8: New sentence, new line. Bump date for
+ previous.
+
+2010-06-04 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/setkey/: parse.y, setkey.8, token.l: Added support for
+ spdupdate command in setkey
+
+2010-04-07 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/libipsec/ipsec_strerror.c: by Eric Preston: fixed a typo
+
+2010-04-02 Christos Zoulas <christos@netbsd.org>
+
+ * src/: libipsec/pfkey_dump.c, racoon/backupsa.c: handle ctime
+ returning NULL.
+
+2010-03-11 Christos Zoulas <christos@netbsd.org>
+
+ * src/racoon/handler.c: PR/42363: Yasuoka Masahiko: Second part of
+ the patch: iterate only on the phase2 handles that are bound by the
+ given phase1 handle.
+
+2010-03-05 Timo Teras <timo.teras@iki.fi>
+
+ * src/: libipsec/ipsec_set_policy.3, racoon/privsep.c,
+ racoon/doc/FAQ, setkey/setkey.8: From Stefan Bauer: Fix multiple
+ typoes and manpage formatting errors.
+
+2010-03-04 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/session.c: From Pierre POMES: fixed admin port
+ initialization
+
+2010-02-28 snj
+
+ * src/racoon/: sockmisc.c, sockmisc.h: Fight the ever-increasing
+ size of src checkouts by spelling "useful" without an extra l.
+
+2010-02-09 Thomas Klausner <wiz@netbsd.org>
+
+ * src/racoon/: pfkey.c, proposal.h: Fix typo in comment.
+
+2010-01-17 Thomas Klausner <wiz@netbsd.org>
+
+ * src/racoon/sainfo.c: Free strdeupped string after using it. Found
+ by cppcheck.
+
+ * src/racoon/: eaytest.c, ipsec_doi.c: Close file handles after
+ using them. Found by cppcheck.
+
+2010-01-15 joerg
+
+ * src/setkey/setkey.8: Use .%U instead of .%O for URLs.
+
+2009-12-11 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/Makefile.am: From Paul Wernau: vmbuf.h was defined
+ twice in the headers. Remove the redundant entry so new install tool
+ does not complain about overwriting just installed file.
+
+2009-11-22 Christos Zoulas <christos@netbsd.org>
+
+ * src/racoon/handler.c: PR/42363: Yasuoka Masahiko:
+
+ racoon uses a wrong IPsec-SA handle that is for other peer in case
+ it receives a ISAKMP message for IPsec-SA that has the same
+ message-id as the message-id that is received before.
+
+ racoon uses message-id to find the handle of IPsec-SA. The
+ message-id is a unique number for each peer, but different peers may
+ use the same value.
+
+ Different Windows Vista or Windows 7 peers seem to use the same
+ message-id. racoon can handle the first Windows's Phase-2, but it
+ cannot handle the second Windows. Because racoon misunderstands the
+ message for the second Windows as the message for the first Windows.
+
+ >Category: bin >Synopsis: racoon uses a wrong IPsec-SA
+ that is for different peer >Confidential: no >Severity:
+ serious >Priority: medium >Responsible: bin-bug-people
+ >State: open >Class: sw-bug >Submitter-Id: net
+ >Arrival-Date: Sun Nov 22 18:25:00 +0000 2009 >Originator:
+ yasuoka@iij.ad.jp
+
+2009-10-29 Christos Zoulas <christos@netbsd.org>
+
+ * src/setkey/token.l: use %option noinput nounput
+
+2009-10-28 Christos Zoulas <christos@netbsd.org>
+
+ * src/setkey/token.l: no unput
+
+2009-10-14 joerg
+
+ * src/libipsec/ipsec_set_policy.3: Do not use .Xo/.Xc to workaround
+ ancient groff limits.
+
+ * src/setkey/setkey.8: Do not use .Xo/.Xc to work around ancient
+ groff limits. Fix markup.
+
+ * src/racoon/racoon.conf.5: Don't use .Xo/.Xc to work around
+ ancient groff limits. Set only one list type.
+
+2009-09-18 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/: isakmp_agg.c, isakmp_ident.c: From Tomas Mraz: Fix
+ gssapi error checking.
+
+2009-09-03 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/: admin.c, handler.c, handler.h, isakmp.c,
+ isakmp_var.h, pfkey.c: When rekeying phase2 use phase1 used to
+ negotiate phase2 as a hint to select the phase1 for rekeying the new
+ phase2.
+
+2009-09-01 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/: nattraversal.c, racoon.conf.5, vendorid.c: Check
+ nat_traversal configuration from remote configuration candidates
+ when acting as responder. Enable NAT-T if any of the remote
+ candidates have NAT-T enabled.
+
+ * src/racoon/remoteconf.c: Change remote conf matching level to
+ matching score. This way one can override anonymous certificate
+ block config with more exact "inhereted" IP specific block.
+
+ * src/racoon/: isakmp.c, racoon.conf.5: From Maik Broemme: export
+ ISAKMP SA identity as REMOTE_ID for phase1 up script (trac #313).
+
+2009-08-24 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/oakley.c: fixed typo: algoriym -> algorithm
+
+2009-08-19 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/remoteconf.c: fixed address check in
+ rmconf_match_type(), just check address with wildcard port
+
+2009-08-19 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/remoteconf.c: Have an enum for rmconf_match_type()
+ return values to make the code a bit more readable.
+
+2009-08-18 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/oakley.c: typo: algoritym -> algorithm
+
+2009-08-17 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/libipsec/libpfkey.h: do not use SADB_X_NAT_T_NEW_MAPPING to
+ check system support for NAT-T, as at least FreeBSD doesn't have
+ this define anymore
+
+ * src/racoon/schedule.h: include stddef.h so we have a chance to
+ get the system offsetof if present
+
+ * src/racoon/crypto_openssl.h: removed a self include
+
+2009-08-13 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/oakley.c: fixed a potential DoS in
+ oakley_do_decrypt(), reported by Orange Labs
+
+2009-08-10 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/pfkey.c: Don't print EAGAIN error from
+ pfkey_handler(), it can occur normally under some code paths and is
+ not a hard error in any case.
+
+2009-08-06 Timo Teras <timo.teras@iki.fi>
+
+ * src/setkey/setkey.c: From Paul Wenau: Check fgets return value in
+ setkey to make gcc happy.
+
+2009-08-05 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/pfkey.c: From Paul Wernau: Fix transport mode per-port
+ security associations that got broke during NAT-T fixes.
+
+2009-07-07 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/sockmisc.c: From Arnaud Ebalard: Fix possible usage of
+ uninitialized local variable (not sure if any code path triggers
+ this, but this makes compiler happy).
+
+2009-07-03 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/: admin.c, grabmyaddr.c, handler.c, handler.h,
+ isakmp.c, isakmp_cfg.c, isakmp_inf.c, isakmp_quick.c,
+ nattraversal.c, pfkey.c, policy.c, remoteconf.c, remoteconf.h,
+ sockmisc.c, sockmisc.h, throttle.c: Get rid of the evil CMPSADDR
+ macro. Trac #295.
+
+ * src/: libipsec/libpfkey.h, libipsec/pfkey.c, racoon/isakmp.c,
+ racoon/isakmp_inf.c, racoon/pfkey.c, racoon/pfkey.h: From Yvan
+ Vanhullebus: Use SADB_X_EXT_NAT_T_* consistently for passing the
+ NAT-T port information. This might break compatibility with some
+ kernels, but as discussed this is the proper way to pass NAT-T ports
+ and the broken kernels need to be fixed.
+
+2009-06-24 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/session.c: Fix a call to null pointer: in some cases,
+ the unmonitor_fd can be called from another fd's callback. That
+ could lead to still have callback pending after unmonitoring the fd
+ resulting in a call to null pointer. This is fixed by making
+ unmonitor_fd now clear the pending fd_set too. Bug was introduced
+ by my commit in 2008-12-23.
+
+2009-05-20 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/isakmp.h: typo
+
+2009-05-19 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/: ipsec_doi.c, isakmp.c: From Jukka Salmi: Fix couple
+ of typos from previous commit.
+
+2009-05-18 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/: ipsec_doi.c, isakmp.c, sockmisc.c, sockmisc.h: From
+ Tomas Mraz: Introduce union sockaddr_any and use it to make code
+ more readable. Related to trac #293.
+
+ * src/racoon/isakmp_inf.c: From Tomas Mraz: Remove variable that is
+ not really used; only referenced while uninitialized causing
+ valgrind error.
+
+ * src/racoon/nattraversal.c: From Tomas Mraz: Fix natt_flags check.
+
+2009-05-04 Thomas Klausner <wiz@netbsd.org>
+
+ * src/racoon/racoon.conf.5: Remove superfluous spaces around
+ parentheses.
+
+2009-04-29 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/crypto_openssl.c: From Ross Meng: Fix a memory leak in
+ X509 certificate validation.
+
+2009-04-28 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/handler.c: Reset nat_oa variables too when reusing
+ phase two handler. Otherwise phase2 rekeying might fail in some
+ scenarios.
+
+2009-04-22 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/isakmp_frag.c: From Neil Kettle: Fix a possible null
+ pointer dereference in fragmentation code.
+
+2009-04-21 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/: grabmyaddr.c, grabmyaddr.h, session.c: Fix
+ strict_address to work again. The lists needs to be initialized
+ before configuration is read, which happens before my_addr_init()
+ call.
+
+2009-04-20 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/: isakmp.c, isakmp.h, isakmp_var.h: Fix a memory leak
+ in certificate request generation.
+
+ * src/racoon/: isakmp_inf.c, isakmp_xauth.c, plog.c: Orignally from
+ Bin Li: Fix possible memory corruption in binsanitize().
+
+ * src/racoon/crypto_openssl.c: From Stephen Bevan: Fix a x509
+ signature verification memory leak.
+
+ * src/racoon/: admin.c, racoonctl.c: Originally from Bin Li: Fix a
+ crash with racoonctl logout user.
+
+ * src/racoon/nattraversal.c: Fix a memory leak in nat-t keepalive
+ code.
+
+ * src/racoon/handler.c: From Paul Moore: Phase2 message id's should
+ be unique wrt phase1, not globally.
+
+2009-03-13 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/: pfkey.c, remoteconf.h: From Arnaud Ebalard: Fix
+ couple of problems with previous commit.
+
+2009-03-12 he
+
+ * src/racoon/: isakmp.c, remoteconf.c: When casting to/from a
+ pointer to an integral type (a bad practice, if you ask me), you
+ need to cast via intptr_t for portability.
+
+2009-03-12 Thomas Klausner <wiz@netbsd.org>
+
+ * src/racoon/racoon.conf.5: New sentence, new line. Avoid marking
+ up punctuation.
+
+ * src/racoon/racoonctl.8: Bump date for previous. Sort options to
+ establish-sa. Stop using Xo/Xc.
+
+2009-03-12 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/: admin.c, cfparse.y, cftoken.l, crypto_openssl.c,
+ crypto_openssl.h, dnssec.c, dnssec.h, handler.c, handler.h,
+ ipsec_doi.c, ipsec_doi.h, isakmp.c, isakmp.h, isakmp_agg.c,
+ isakmp_base.c, isakmp_ident.c, isakmp_inf.c, isakmp_quick.c,
+ isakmp_var.h, nattraversal.c, oakley.c, oakley.h, racoon.conf.5,
+ racoonctl.8, racoonctl.c, remoteconf.c, remoteconf.h, sockmisc.c,
+ vendorid.c: Support multiple anonymous remotes and decide
+ remoteconf based on identity, received certificates and other
+ information. General code clean up.
+
+2009-03-06 Timo Teras <timo.teras@iki.fi>
+
+ * src/setkey/: extern.h, parse.y, setkey.c: setkey: fix deleteall
+ in Linux
+
+ Linux requires SADB_DELETE message to have SPI. So send a
+ SADB_DELETE message for each matching SA. Trac #284.
+
+ From: Gabriel Somlo <somlo@cmu.edu>
+
+2009-02-16 Timo Teras <timo.teras@iki.fi>
+
+ * src/libipsec/policy_parse.y: From Paul Moore: Fix a heap
+ corruption bug (yacc return non-null terminated buffer and sprintf
+ writes over bounds).
+
+2009-02-11 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/: isakmp.c, sockmisc.c, sockmisc.h: trac#301: fixed
+ IPsec SAs flush in purge_remote() when NAT-T enabled but no NAT-T on
+ tunnel
+
+2009-02-03 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/isakmp.c: From: Phil Sutter. Fix script environment
+ variables with IPv6 addresses.
+
+2009-01-26 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/main.c: Argument parsing needs lcconf initialized.
+
+2009-01-24 Thomas Klausner <wiz@netbsd.org>
+
+ * src/racoon/racoonctl.c: Sort options in usage.
+
+ * src/racoon/racoonctl.8: Sort options. New sentence, new line.
+
+ * src/racoon/racoon.8: Sort options.
+
+2009-01-23 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/: racoonctl.8, racoonctl.c: Update usage and manpage
+ for racoonctl.
+
+ * src/racoon/: main.c, racoon.8: Racoon -v to print version and
+ compilation information. Update usage message.
+
+ * NEWS: Update NEWS with major changes since 0.7 release.
+
+ * src/racoon/schedule.c: Fix monotonic scheduler change, to not
+ refresh 'now' before exit. Otherwise we can return negative timeout
+ after spending time handling other events.
+
+ * src/racoon/: handler.c, pfkey.c: From Arnaud Ebalard: Handle
+ reception of MIGRATE message during Phase 1 and Phase 2 negotiation.
+ Also corrects some debugging statements.
+
+ * src/racoon/pfkey.c: From Arnaud Ebalard: On the responder (for
+ instance), there is a need to not only migrate local and remote
+ addresses of Phase 1 that match previous addresses but also the
+ local and remote addresses of a Phase 1 *associated* with a migrated
+ Phase 2. For instance, we have that need when receiving the first
+ MIGRATE/KMADDRESS message because the old addresses are still the
+ HoA and the address of the HA (while the peer has contacted us using
+ the CoA and we have negotiated this address as src attribute in
+ Phase 2). The patch fixes that by having migrate_ph1_ike_addresses()
+ called from migrate_ph2_ike_addresses() callback.
+
+ * src/racoon/isakmp_quick.c: From Arnaud Ebalard: Set phase2 spid
+ when acting as responder.
+
+ * configure.ac, src/racoon/handler.c, src/racoon/handler.h,
+ src/racoon/isakmp_inf.c, src/racoon/isakmp_xauth.c,
+ src/racoon/schedule.c, src/racoon/schedule.h,
+ src/racoon/throttle.c, src/racoon/throttle.h: Detect if monotonic
+ system clock is available, and use it for relative time measurements
+ to avoid complite hang if time jumps backwards.
+
+ * src/racoon/: cfparse.y, ipsec_doi.c, isakmp.c, isakmp_agg.c,
+ isakmp_base.c, isakmp_cfg.c, isakmp_ident.c, isakmp_xauth.c,
+ oakley.c, oakley.h: Fix authentication method ambiguity by
+ internally using unique ID and setting/interpreting the wire format
+ based on received vendor ID:s. Fixes trac #280.
+
+ * src/racoon/: handler.h, isakmp_agg.c, isakmp_base.c,
+ isakmp_ident.c, vendorid.c, vendorid.h: Introduce vendorid
+ bitmask that can be used otherwhere to detect peer capabilities.
+
+ * configure.ac, src/racoon/admin.c, src/racoon/evt.c,
+ src/racoon/grabmyaddr.c, src/racoon/isakmp.c, src/racoon/pfkey.c,
+ src/racoon/session.c, src/racoon/session.h: Remove "fastquit"
+ configure option and make it the default behaviour. The previous
+ normal behaviour is buggy, as after flush kernel can immediately
+ create larval SA:s which would prevent exit.
+
+2009-01-20 Timo Teras <timo.teras@iki.fi>
+
+ * Makefile.am, misc/cvs2cl.pl, misc/cvsusermap: Autogenerate
+ ChangeLog from NetBSD CVS. Put sourceforge.net changes to
+ ChangeLog.old.
+
+2009-01-10 Thomas Klausner <wiz@netbsd.org>
+
+ * src/racoon/racoon.conf.5: Make ready for HTML output. Use proper
+ escape for backslash ('\e').
+
+2009-01-10 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/: crypto_openssl.c, racoon.conf.5: From Cyrus Rahman:
+ Accept RFC2253 compliant escaped special characters for asn1dn
+ identifier.
+
+2009-01-09 Timo Teras <timo.teras@iki.fi>
+
+ * configure.ac: Fix a CPPLAGS typo to CPPFLAGS which was intended
+
+2009-01-05 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/: cfparse.y, cftoken.l, racoon.conf.5: Remove obsolete
+ configuration options, fix radius configuration block and add GRE as
+ recognized protocol.
+
+ * src/racoon/session.c: Do not use counting in signal handling as
+ it was unsafe by not using atomic functions (post increment is not
+ necessarily atomic). Instead reap all children on SIGCHLD as that
+ was the only signal needing signal counting.
+
+2008-12-30 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/session.c: schedular() call can now modify fd mask so
+ make the working copy just before calling select(); otherwise it can
+ contain bad file descriptors
+
+2008-12-29 Michael van Elst <mlelstv@netbsd.org>
+
+ * src/setkey/parse.y: support icmp codes. Fixes PR 39056.
+
+2008-12-24 Christos Zoulas <christos@netbsd.org>
+
+ * src/racoon/grabmyaddr.c: remove sin{6,}_len linux does not have
+ it. From Timo Teras.
+
+ * src/racoon/grabmyaddr.c: I was wrong. addr is actually set.
+
+ * src/racoon/grabmyaddr.c:
+ - make this compile by zeroing out the whole structure not just
+ bogus fields.
+ - set length field of sockets appropriately.
+ - mark bogus no-op code (I don't understand what the author intended
+ here).
+
+2008-12-23 Thomas Klausner <wiz@netbsd.org>
+
+ * src/racoon/racoon.conf.5: Bump date for identity configuration
+ option removal.
+
+2008-12-23 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/: cfparse.y, cftoken.l, ipsec_doi.c, localconf.c,
+ localconf.h, racoon.conf.5: Remove the obsoleted global identity
+ configuration option.
+
+ * src/racoon/: admin.c, admin_var.h, cfparse.y, debug.h, evt.c,
+ evt.h, grabmyaddr.c, grabmyaddr.h, handler.c, isakmp.c,
+ isakmp_inf.c, isakmp_var.h, localconf.c, localconf.h, main.c,
+ nattraversal.c, pfkey.c, pfkey.h, privsep.c, session.c,
+ session.h: rewrite local address detection make some functions
+ static that arr not needed globally rework how fd_set is
+ construction for the main loop select()
+
+2008-12-18 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/pfkey.c: From Arnaud Ebalard: Delete larval ph2handles
+ when expire with hard lifetime received
+
+2008-12-16 Timo Teras <timo.teras@iki.fi>
+
+ * README: Update README
+
+ * src/racoon/pfkey.c: Fix transport mode address selection in
+ acquire handling. Some earlier fixes got lost on 2008-12-05 commit.
+
+2008-12-11 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/grabmyaddr.c: Fixed compilation on FreeBSD (RTM_IFINFO
+ and RTM_OIFINFO stuff)
+
+ * src/racoon/isakmp.c: Fixed compilation when DPD support is
+ disabled
+
+2008-12-08 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/: pfkey.c, privsep.c, privsep.h: Do not cache pfkey
+ sockets: it might cause to not handle some pfkey events when
+ select() has marked pfkey socket readable, but a timer callback
+ first calls pfkey_dump_sadb().
+
+2008-12-05 Timo Teras <timo.teras@iki.fi>
+
+ * src/: libipsec/key_debug.c, libipsec/libpfkey.h,
+ libipsec/pfkey.c, racoon/handler.c, racoon/handler.h,
+ racoon/ipsec_doi.c, racoon/isakmp.c, racoon/isakmp_quick.c,
+ racoon/pfkey.c, racoon/policy.c, racoon/policy.h: From Arnaud
+ Ebalard: Improved Mobile IPv6 support per
+ draft-ebalard-mext-pfkey-enhanced-migrate.
+
+2008-12-04 Christoph Badura <bad@netbsd.org>
+
+ * src/racoon/privsep.c: Fix typo in previous and use SIG_IGN as I
+ intended.
+
+2008-12-02 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/session.c: Explicitly ignore SIGPIPE. Default action
+ on Linux is terminate.
+
+2008-11-28 Thomas Klausner <wiz@netbsd.org>
+
+ * src/racoon/racoon.conf.5: Remove empty line. Fix typo. New
+ sentence, new line.
+
+2008-11-27 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/main.c: Set up a default value for Mode Config Pool
+ size if pool address specified but pool size not specified
+
+ * src/racoon/isakmp_cfg.c: Fixed pool resizing
+
+2008-11-27 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/pfkey.c: From Arnaud Ebalard: Remove MAXNESTEDSA
+ weirdness. It's probably meant for bundle support which is not done.
+ When someone actually writes bundle support, the nested SA stuff
+ would probably be reworked too anyway.
+
+ * src/: libipsec/libpfkey.h, libipsec/pfkey.c, racoon/cfparse.y,
+ racoon/cftoken.l, racoon/localconf.c, racoon/localconf.h,
+ racoon/pfkey.c, racoon/racoon.conf.5: From: Matthew Krenzer
+ Ability to set pfkey socket buffer size via configuration file
+ directive. (Indentation and minor fixes by me.)
+
+2008-11-25 Christoph Badura <bad@netbsd.org>
+
+ * src/racoon/: evt.c, privsep.c, session.c: Avoid using
+ MSG_NOSIGNAL as it is not available everywhere. Ignore SIGPIPE
+ instead.
+
+ * src/racoon/grabmyaddr.c: Ignore unspecified and looback
+ addresses. Ignoring unspecified addresses prevents racoon from
+ trying to bind to the wildcard address and specific addresses
+ simultaneously after e.g. dhclient has changed an interface's
+ address to 0.0.0.0.
+
+ * src/racoon/grabmyaddr.c: RTM_DELETE and RTM_IFINFO don't carry
+ info for added or deleted addresses. Ignore them silently.
+
+ * src/racoon/grabmyaddr.c: Ignoring an unsuitable address is not an
+ error. Therefore log it as informational. Make it clear from the
+ log message that a route message is not interesting.
+
+ * src/racoon/grabmyaddr.c: Use insmyaddr() instead of open coding
+ it.
+
+ * src/racoon/isakmp.c: Do not return erroneously from isakmp_open()
+ when setting IPV6_USE_MIN_MTU fails.
+
+ * src/racoon/: grabmyaddr.c, isakmp.c: Keep myaddr.sock at -1 when
+ no socket is opened.
+
+2008-11-08 Christoph Badura <bad@netbsd.org>
+
+ * src/racoon/samples/roadwarrior/client/: phase1-down.sh,
+ phase1-up.sh: Preserve owner and permissions of original
+ /etc/resolv.conf. Ensure that new /etc/resolv.conf isn't group or
+ world writable.
+
+ * src/racoon/samples/roadwarrior/client/: phase1-down.sh,
+ phase1-up.sh: Print and check INTERNAL_NETMASK4.
+
+ * src/racoon/samples/roadwarrior/client/: phase1-down.sh,
+ phase1-up.sh: Make the handling of NAT-T SPD entries automatic.
+
+ * src/racoon/samples/roadwarrior/client/: phase1-down.sh,
+ phase1-up.sh: Ensure that the determination of the default
+ gateway and the corresponding interface don't get confused by
+ multiple, possibly non-IPv4 default routes. Bring the NetBSD case
+ of deleting the VPN routes and address in line with the Linux case
+ and delete the address after deleting the VPN routes.
+
+2008-11-06 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/sainfo.c: fixed delsainfo() to avoid a crash when
+ iddst's value is SAINFO_CLIENTADDR
+
+2008-10-29 S.P.Zeidler <spz@netbsd.org>
+
+ * src/racoon/ipsec_doi.c: Changes to ipsecdoi_id2str():
+
+ struct sockaddr -> struct sockaddr_storage fixes a stack overflow
+
+ For non-linklocal addresses the value in 'scope' is garbage and gets
+ set to zero instead.
+
+2008-10-27 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/pfkey.c: From Arnaud Ebalard: Add missing return to
+ error path
+
+ * src/racoon/grabmyaddr.c: From Francis Dupont (sent by Arnaud
+ Ebalard): recognize RTM_IFANNOUNCE
+
+ * src/racoon/grabmyaddr.c: From Arnaud Ebalard: Fix indentation
+ issues for readability
+
+ * src/racoon/session.c: From Arnaud Ebalard: initfds() needs to be
+ called only if monitored file descriptor numbers have changed
+
+ * src/racoon/isakmp_var.h: From Arnaud Ebalard: Remove duplicate
+ declaration
+
+2008-10-23 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/: privsep.c, session.c, session.h: From Krzysztof
+ Piotr Oledzki <olel@ans.pl>: Revert parts of 2008-08-06 commit; the
+ problem those changes address are already handled in a sensible way
+ by Cyrus Rahman's patch from 2008-03-06.
+
+2008-10-09 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/isakmp_quick.c: From Arnaud Ebalard: remove
+ unnecessary unbindph12() call which is now done in remph2()
+
+2008-09-25 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/isakmp.c: Fixed resending mechanism to have non-ESP
+ marker for retransmitted packets
+
+2008-09-19 Thomas Klausner <wiz@netbsd.org>
+
+ * src/racoon/racoon.conf.5: New sentence, new line.
+
+2008-09-19 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/: admin.c, cfparse.y, cftoken.l, handler.c, handler.h,
+ isakmp.c, isakmp_cfg.c, isakmp_inf.c, isakmp_quick.c,
+ isakmp_var.h, isakmp_xauth.c, pfkey.c, proposal.c, racoon.conf.5,
+ remoteconf.c, remoteconf.h: Implement ISAKMP SA rekeying
+ configurable with rekey {on|off|force} option in remote conf.
+
+ * src/racoon/: handler.c, handler.h, isakmp.c, isakmp_inf.c,
+ isakmp_quick.c, isakmp_var.h, isakmp_xauth.c, isakmp_xauth.h,
+ nattraversal.c, pfkey.c, pfkey.h, schedule.c, schedule.h,
+ session.c: Change struct sched to be allocated be the caller to
+ avoid some memory allocations. Optimize scheduling algorithm to not
+ scan all entries in the main loop.
+
+2008-09-17 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/isakmp_inf.c: Fixed port match in purge_ipsec_spi()
+ when NAT-T enabled and trying to purge non NAT-T SAs
+
+2008-09-09 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/pfkey.c: Some calls to set_port() were not correctly
+ updated in the previous commit
+
+2008-09-03 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/pfkey.c: From Tomas Mraz: Duplicate addresses in
+ pk_sendxxx functions, as they may be altered for NAT-T stuff.
+
+2008-09-03 Timo Teras <timo.teras@iki.fi>
+
+ * src/: libipsec/pfkey.c, racoon/pfkey.c, racoon/sockmisc.c:
+ - Fix reloading of SPD (Linux satype check, handling of SPD dump
+ responses)
+ - Remove some spurious error log message from extract_port()
+
+2008-08-29 Gregory McGarry <gmcgarry@netbsd.org>
+
+ * src/racoon/isakmp.c: Eliminate gcc-specific feature of empty
+ structures.
+
+ * src/racoon/evt.h: Eliminate superfluous semicolon.
+
+ * src/racoon/: admin.c, admin.h: Eliminate gcc-specific feature of
+ unnamed structures added recently.
+
+2008-08-12 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/isakmp.c: From Krzysztof Piotr Oledzki: Remove
+ ph1handler if we received an invalid first exchange from initiator.
+
+2008-08-06 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/: privsep.c, session.c, session.h: From Krzysztof
+ Piotr Oledzki: Make privileged process exit if unprivileged process
+ is terminated and some spelling fixes.
+
+2008-07-23 Matthew Grooms <mgrooms@shrew.net>
+
+ * src/racoon/: cfparse.y, session.c: Add some missing ifdefs
+ required for non-radius enabled builds.
+
+2008-07-23 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/Makefile.am: Do not use GNU make specific extension.
+
+ * src/: libipsec/Makefile.am, racoon/Makefile.am,
+ setkey/Makefile.am: Do flex/bison invocation in a more standard
+ way, and keep the generated files in the dist tarball.
+
+2008-07-22 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/proposal.c: From Kohki Ohhira: fix some memory leaks,
+ when malloc fails or when peer sends invalid proposal.
+
+2008-07-22 Matthew Grooms <mgrooms@shrew.net>
+
+ * src/racoon/: cfparse.y, cftoken.l, isakmp_cfg.c, isakmp_xauth.c,
+ isakmp_xauth.h, main.c, racoon.conf.5, session.c: Add an optional
+ radius configuration section to the racoon.conf file. This is
+ similar to the the LDAP configuration section and overrides settings
+ in the system radius configuration file.
+
+2008-07-21 Matthias Scheler <tron@netbsd.org>
+
+ * src/racoon/cfparse.y: Correct typo to fix the build.
+
+2008-07-21 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/: isakmp_agg.c, isakmp_base.c, isakmp_ident.c,
+ vendorid.c, vendorid.h: Separate generic vendor id handling to a
+ new function and use it.
+
+ * src/racoon/cfparse.y: Do not set default gss id if xauth is used,
+ otherwise gss-id attribute might be sent even if it was not
+ requested.
+
+2008-07-15 Matthew Grooms <mgrooms@shrew.net>
+
+ * src/racoon/isakmp_cfg.c: Fix an a typo that prevented racoon from
+ building with hybrid enabled.
+
+ * src/racoon/: crypto_openssl.c, eaytest.c, misc.c, misc.h,
+ racoonctl.c: Fix a conflict with the FreeBSD 8 system hexdump
+ function.
+
+2008-07-14 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/: handler.h, ipsec_doi.c, ipsec_doi.h, isakmp_quick.c,
+ pfkey.c: Handle RESPONDER-LIFETIME notification in quick mode.
+
+ * src/racoon/: handler.h, isakmp.c, isakmp_agg.c, isakmp_ident.c,
+ isakmp_inf.c, isakmp_inf.h, isakmp_quick.c, strnames.c: Clean up
+ notification payload handling. Handle INITIAL-CONTACT notification
+ in last main mode exchange (delayed) and during quick mode
+ exchanges.
+
+2008-07-11 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/: isakmp.c, isakmp_inf.c: Original patch from Atis
+ Elsts: Fix a double memory free and a memory corruption
+ (LIST_REMOVE() on an uninserted node) in some error handling paths.
+
+2008-07-09 Timo Teras <timo.teras@iki.fi>
+
+ * src/racoon/cfparse.y: From Chong Peng: fix a file descriptor and
+ memory leak on configuration file reread
+
+2008-07-02 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/isakmp_inf.c: From Timo Teras: fix some %d to %zu
+ (size_t values)
+
+2008-06-18 Thomas Klausner <wiz@netbsd.org>
+
+ * src/racoon/racoonctl.8: Bump date for previous.
+
+2008-06-18 Matthew Grooms <mgrooms@shrew.net>
+
+ * src/racoon/: admin.c, admin.h, racoonctl.8, racoonctl.c: Add an
+ admin port command to retrieve the peer certificate. Submitted by
+ Timo Teras.
+
+ * src/racoon/: admin.c, grabmyaddr.c, isakmp.c, misc.c, misc.h: Set
+ sockets to be closed on exec to avoid potential file descriptor
+ inheritance issues. Submitted by Timo Teras.
+
+ * src/racoon/: admin.c, grabmyaddr.c, ipsec_doi.c, isakmp.c,
+ isakmp_cfg.c, isakmp_inf.c, privsep.c, remoteconf.c: Use utility
+ functions to evaluate and manipulate network port values. No
+ functional changes. Submitted by Timo Teras.
+
+ * src/racoon/: admin.c, racoonctl.c: Admin port code cleanup. No
+ functional changes. Submitted by Timo Teras.
+
+ * src/racoon/pfkey.c: Correct a phase2 status event. Submitted by
+ Timo Teras.
+
+2008-05-24 Christos Zoulas <christos@netbsd.org>
+
+ * src/racoon/privsep.c: Coverity CID 5018: Fix double frees.
+
+2008-05-08 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * configure.ac: From Christian Hohnstaedt: allow out of tree
+ building
+
+2008-04-30 Martin Husemann <martin@netbsd.org>
+
+ * netbsd-import.sh: Convert TNF licenses to new 2 clause variant
+
+2008-04-25 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/isakmp_inf.c: From Timo Teras: extract port numbers
+ from SADB_X_EXT_NAT_T[SD]PORT if present in purge_ipsec_spi().
+
+2008-04-13 Christos Zoulas <christos@netbsd.org>
+
+ * src/racoon/privsep.c: for symmetry set controllen the same way we
+ set it on the receiving side.
+
+2008-04-02 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/: Makefile.am, sockmisc.c, sockmisc.h: fix Linux build
+
+2008-03-28 Christos Zoulas <christos@netbsd.org>
+
+ * src/racoon/privsep.c: properly fix the variable stack allocation
+ code.
+
+2008-03-28 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/privsep.c: Still from Cyrus Rahman: fix file
+ descriptor leak introduced by previous commit.
+
+ * src/racoon/: Makefile.am, isakmp.c, isakmp_inf.c, privsep.c,
+ privsep.h, sockmisc.c, doc/README.privsep: From Cyrus Rahman:
+ Allow interface reconfiguration when running in privilege separation
+ mode, document privilege separation
+
+2008-03-06 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/oakley.c: Generates a log if cert validation has been
+ disabled by configuration
+
+2008-03-06 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/: privsep.c, session.c: From Cyrus Rahman
+ <crahman@gmail.com> privilegied instance exit when unprivilegied one
+ terminates. Save PID in real root, not in chroot
+
+2008-03-06 Matthew Grooms <mgrooms@shrew.net>
+
+ * src/racoon/: admin.c, isakmp.c, isakmp_var.h, pfkey.c,
+ racoonctl.8, racoonctl.c: Add the ability to initiate IPsec SA
+ negotiations using the admin socket. Submitted by Timo Teras.
+
+ * src/racoon/: admin.c, admin.h, evt.c, evt.h, handler.c,
+ handler.h, isakmp.c, isakmp_agg.c, isakmp_base.c, isakmp_cfg.c,
+ isakmp_ident.c, isakmp_inf.c, isakmp_var.h, isakmp_xauth.c,
+ racoonctl.8, racoonctl.c, session.c: Refactor admin socket event
+ protocol to be less error prone. Backwards compatibility is
+ provided. Submitted by Timo Teras.
+
+2008-03-05 Matthew Grooms <mgrooms@shrew.net>
+
+ * src/racoon/cfparse.y: Properly initialize the unity network
+ struct to prevent erroneous protocol and port info from being
+ transmitted.
+
+ * src/racoon/: pfkey.c, pfkey.h, session.c: Reload SPD on SIGHUP or
+ adminport reload. Also provide better handling for pfkey socket read
+ errors. Submitted by Timo Teras.
+
+2008-02-25 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/ipsec_doi.c: From Brian Haley <brian.haley@hp.com>
+ There's a cut/paste error in cmp_aproppair_i(), it's supposed to be
+ checking spi_size but it's not. I'm not sure this patch is correct,
+ but what's there isn't either.
+
+2008-02-22 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/isakmp.c: Fix address length, from Brian Haley
+
+2008-02-10 S.P.Zeidler <spz@netbsd.org>
+
+ * src/racoon/ipsec_doi.c: closes PR bin/37644 did not meet violent
+ opposition ( :) ) on ipsec-tools-devel
+
+2008-01-11 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/isakmp_inf.c: From Timo Teras: reset iph1->dpd_r_u in
+ the scheduler's callback, to avoid access to freed memory.
+
+ * src/racoon/crypto_openssl.c: From Krzysztof Oledzki: Fix
+ compilation with IDEA and recent gcc.
+
+ * src/racoon/isakmp_inf.c: From Krzysztof Oledzki: added some
+ details to some logs (also reported new getph1byaddr() arg).
+
+ * src/racoon/isakmp.c: From Krzysztof Oledzki: Only search for
+ established ph1 handles in DPD (also reported new getph1byaddr()
+ arg).
+
+ * src/racoon/: handler.c, handler.h: added an 'established' arg to
+ getph1byaddr()
+
+2007-12-31 Matthew Grooms <mgrooms@shrew.net>
+
+ * src/racoon/: policy.c, racoonctl.8, racoonctl.c: Add GRE protocol
+ number to racoonctl. Correct id wildcard matching for transport
+ mode. Submitted by Timo Teras.
+
+2007-12-12 Matthew Grooms <mgrooms@shrew.net>
+
+ * NEWS, src/racoon/isakmp_quick.c: Add corrections submitted in a
+ follow up patch for the nat-t oa support.
+
+ * src/racoon/: handler.c, handler.h, isakmp_quick.c, pfkey.c: Add
+ support for nat-t oa payload handling. Submitted by Timo Teras.
+
+2007-12-04 Matthew Grooms <mgrooms@shrew.net>
+
+ * src/racoon/: ipsec_doi.c, ipsec_doi.h, isakmp_quick.c: Modify
+ ipsecdoi_sockaddr2id() to obtain an id without specifying the exact
+ prefix length. Correct a memory leak in phase2. Both submitted by
+ Timo Teras.
+
+2007-12-01 Thomas Klausner <wiz@netbsd.org>
+
+ * src/racoon/racoon.conf.5: Fix typos. New sentence, new line.
+
+2007-11-29 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/Makefile.am: From Natanael Copa: fixed a race
+ condition when building yacc stuff.
+
+2007-11-09 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/pfkey.c: From Arnaud Ebalard: Some sanity checking in
+ pk_recv()
+
+ * src/racoon/policy.c: From Arnaud Ebalard: Better matching of SPD
+ entries in getsp_r().
+
+ * src/racoon/isakmp_quick.c: From Arnaud Ebalard: Added some debug
+ in get_proposal_r().
+
+2007-10-19 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/: isakmp_cfg.c, isakmp_unity.c, isakmp_unity.h,
+ racoon.conf.5: Add SPLITNET_{INCLUDR_LOCAL}_CIDR to hook scripts
+
+2007-10-15 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/libipsec/pfkey.c: Try to increase the buffer size of the
+ pfkey socket, this may help things when we have a huge SPD
+
+2007-10-02 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/crypto_openssl.c: From Scott Lamb: include plog.h to
+ work with the new plog macro.
+
+ * src/racoon/kmpstat.c: From Scott Lamb: plog changed to _plog to
+ work with new plog macro
+
+ * src/racoon/: plog.c, plog.h: From Scott Lamb: new plog macro.
+
+2007-09-19 Matthew Grooms <mgrooms@shrew.net>
+
+ * src/racoon/isakmp.c: Set REUSE option on sockets to prevent
+ failures associated with closing and immediately re-opening.
+ Submitted by Gabriel Somlo.
+
+ * src/racoon/isakmp_unity.c: Prevent duplicate entries in splitnet
+ list. Submitted by Gabriel Somlo.
+
+2007-09-13 Matthew Grooms <mgrooms@shrew.net>
+
+ * configure.ac: Fix autoconf check for selinux support. Submitted
+ by Joy Latten.
+
+2007-09-12 Matthew Grooms <mgrooms@shrew.net>
+
+ * src/racoon/: cfparse.y, cftoken.l, handler.c, isakmp_quick.c,
+ pfkey.c, racoon.conf.5, sainfo.c, sainfo.h: Implement clientaddr
+ sainfo remote id option and refine the sainfo man page syntax.
+
+2007-09-05 Matthew Grooms <mgrooms@shrew.net>
+
+ * src/racoon/sainfo.c: Sort sainfo sections on insert and improve
+ matching logic.
+
+2007-09-03 Matthew Grooms <mgrooms@shrew.net>
+
+ * src/racoon/: cftoken.l, racoon.conf.5: Correct the syntax for
+ wins4 in the man page and add nbns4 as an alias. Pointed out by
+ Claas Langbehn.
+
+2007-08-07 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/isakmp_xauth.c: src/racoon/isakmp_xauth.c: Don't mix
+ up RADIUS authentication and authorization ports. Allow
+ interoperability with freeradius
+
+2007-07-24 Matthew Grooms <mgrooms@shrew.net>
+
+ * NEWS: Update NEWS file with additional 0.7 improvements.
+
+2007-07-18 Matthew Grooms <mgrooms@shrew.net>
+
+ * src/racoon/racoon.conf.5: Various racoon configuration manpage
+ updates.
+
+2007-07-18 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * configure.ac, src/libipsec/ipsec_dump_policy.c,
+ src/libipsec/ipsec_get_policylen.c,
+ src/libipsec/ipsec_strerror.c, src/libipsec/key_debug.c,
+ src/libipsec/libpfkey.h, src/libipsec/pfkey.c,
+ src/libipsec/pfkey_dump.c, src/libipsec/policy_parse.y,
+ src/libipsec/policy_token.l, src/libipsec/test-policy-priority.c,
+ src/racoon/admin.c, src/racoon/backupsa.c, src/racoon/cfparse.y,
+ src/racoon/cftoken.l, src/racoon/ipsec_doi.c,
+ src/racoon/isakmp.c, src/racoon/isakmp_inf.c,
+ src/racoon/isakmp_quick.c, src/racoon/pfkey.c,
+ src/racoon/policy.c, src/racoon/proposal.c,
+ src/racoon/remoteconf.c, src/racoon/sainfo.c,
+ src/racoon/session.c, src/racoon/sockmisc.c,
+ src/racoon/strnames.c, src/setkey/parse.y, src/setkey/setkey.c,
+ src/setkey/token.l: use a single PATH_IPSEC_H to fix some
+ path_to_ipsec.h issues
+
+2007-07-16 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/grabmyaddr.c: fixed a socket leak
+
+ * src/racoon/proposal.c: indentation
+
+2007-06-07 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/isakmp_cfg.c: From Paul Winder
+ <Paul.Winder@tadpole.com>: Fix ignored INTERNAL_DNS4_LIST
+
+2007-06-06 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/: eaytest.c, var.h: From Rong-En Fan: fix compilation
+ with gcc 4.2
+
+ * src/racoon/session.c: From Jianli Liu: speed up interfaces update
+ when they change.
+
+ * src/racoon/handler.c: ignore obsolete lifebyte when validating
+ reloaded configuration
+
+2007-05-31 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/: main.c, policy.h, security.c: From Joy Latten
+ <latten@austin.ibm.com> Fix file descriptor shortage when using
+ labeled IPsec.
+
+2007-05-30 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/kmpstat.c: From Jianli Liu <jlliu@nortel.com>: In
+ racoonctl, use the specified socket path instead of the default
+ location
+
+2007-05-16 Christos Zoulas <christos@netbsd.org>
+
+ * src/racoon/cfparse.y: coverity CID 4168: yyerror() does not
+ return, so we proceed to de-reference NULL. Make it return -1
+ instead like in other places.
+
+ * src/racoon/cfparse.y: coverity CID 4170: yyerror() does not
+ return, so we proceed to de-reference NULL. Make it return -1
+ instead like in other places.
+
+2007-05-04 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/handler.c: search a ph1 by address if iph2->ph1 is
+ NULL when validating the new config
+
+ * src/racoon/handler.c: added some debug in getph1byaddr() to track
+ some port matching problems with NAT-T
+
+ * src/racoon/isakmp.c: added some debug in isakmp_chkph1there() to
+ track some port matching problems with NAT-T
+
+ * src/racoon/isakmp_inf.c: added some debug for DELETE_SA process
+
+ * src/racoon/pfkey.c: Force the update of ph2 in pk_recvupdate() if
+ NAT_T support, to solve some port match problems with the first
+ IPSec SAs negociated as initiator
+
+2007-04-04 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/ipsec_doi.c: checks proto_id in ipsecdoi_chkcmpids()
+
+ * src/racoon/oakley.c: dumps peer's ID and peer's certificate
+ subject /subjectaltname if they don't match
+
+2007-03-26 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/isakmp_inf.c: Store the DPD main scheduler in ph1
+ handler, to be able to cancel it when removing the handler, and some
+ minor cleanups in DPD code
+
+2007-03-24 Christos Zoulas <christos@netbsd.org>
+
+ * src/racoon/isakmp_xauth.c: PR/36069: Huang Yushuo: racoon can't
+ work with pam_group Set RUSER.
+
+2007-03-23 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/: ipsec_doi.c, security.c: From Joy Latten: fix a
+ segfault when using security labels between 32bit and 64bit host.
+
+ * src/racoon/handler.c: expire zombie handlers in getph2byid(), to
+ avoid situations where we'll never negociate a phase2 again
+
+ * src/racoon/: oakley.c, racoon.conf.5: From Cyrus Rahman: give
+ more details about what is checked when using certificates to
+ authenticate
+
+2007-03-22 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/: cfparse.y, ipsec_doi.c: fixed subnet check to
+ generate IPV4_ADDRESS when needed in sockaddr2id()
+
+2007-03-21 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/: handler.c, isakmp.c, isakmp_inf.c, pfkey.c: NULL
+ sched check is now done in SCHED_KILL
+
+ * src/racoon/schedule.h: checks if arg is NULL in SCHED_KILL
+
+2007-03-15 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/grabmyaddr.c: From Yves-Alexis Perez: enable
+ monitoring of ipv6 address changes on Linux.
+
+ * src/racoon/isakmp.c: Consider a negociation timeout when
+ retry_counter is <=0 instead of < 0
+
+2007-02-28 Matthew Grooms <mgrooms@shrew.net>
+
+ * src/racoon/ipsec_doi.c: Add logic to allow ip address ids to be
+ matched to ip subnet ids when appropriate.
+
+2007-02-21 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/ipsec_doi.c: block variable declaration before code in
+ ipsecdoi_id2str()
+
+2007-02-20 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/isakmp_inf.c: Removed a debug printf....
+
+ * src/racoon/isakmp.c: Only delete a generated SPD if it's creation
+ date matches the creation date of the SA we are currently deleting
+
+ * src/racoon/: handler.c, isakmp_var.h: updated delete_spd() calls
+
+ * src/racoon/: isakmp_inf.c, pfkey.c: fills creation date of
+ generated SPDs
+
+ * src/racoon/policy.h: added 'created' var
+
+2007-02-19 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/isakmp.c: Removed a debug printf....
+
+2007-02-16 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/ipsec_doi.c: From Olivier Warin: Fix a %zu in a
+ printf.
+
+2007-02-15 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/security.c: Missing SELinux file
+
+ * configure.ac: Missing stuff for SELinux
+
+2007-02-15 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/isakmp_inf.c: From "Uncle Pedro" on sf.net: Just
+ expire a ph1 handle when receiving a DELETE-SA instead of calling
+ purge_remote().
+
+ * src/racoon/isakmp.c: Fixed the way phase1/2 messages are
+ sent/resent, to avoid zombie handles and acces to freed memory
+
+2007-02-02 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/cfparse.y: Fixed a check of NAT-T support in libipsec
+
+2007-02-01 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/isakmp_inf.c: From "Uncle Pedro" on sf.net: When
+ receiving an ISAKMP DELETE_SA, get the cookie of the SA to be
+ deleted from payload instead of just deleting the ISAKMP SA used to
+ protect the informational exchange.
+
+2006-12-26 Arnaud Lacombe <alc@netbsd.org>
+
+ * src/racoon/ipsec_doi.c: CID-4167: check for 'iph1->approval !=
+ NULL'
+
+2006-12-23 Thomas Klausner <wiz@netbsd.org>
+
+ * src/racoon/racoon.conf.5: Use even more macros.
+
+ * src/racoon/racoon.conf.5: Use more macros.
+
+ * src/racoon/racoon.conf.5: Serial comma, and bump date for
+ previous.
+
+2006-12-18 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/crypto_openssl.c: From Joy Latten: fix a memory leak
+
+2006-12-10 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/: libipsec/Makefile.am, libipsec/libpfkey.h,
+ libipsec/pfkey.c, racoon/backupsa.c, racoon/cfparse.y,
+ racoon/pfkey.c: Bring back API and ABI backward compatibility
+ with previous libipsec before recent interface change. Bump libipsec
+ minor version. Remove ifdefs in struct pfkey_send_sa_args to avoid
+ ABI compatibility lossage. Add a capability flags to detect missing
+ optional feature in libipsec
+
+ * src/racoon/: Makefile.am, doc/README.plainrsa: From Joy Latten:
+ README.plainrsa documenting plain RSA auth
+
+2006-12-09 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * configure.ac, src/libipsec/libpfkey.h, src/libipsec/pfkey.c,
+ src/racoon/Makefile.am, src/racoon/backupsa.c,
+ src/racoon/backupsa.h, src/racoon/cftoken.l,
+ src/racoon/ipsec_doi.c, src/racoon/ipsec_doi.h,
+ src/racoon/isakmp_inf.c, src/racoon/isakmp_quick.c,
+ src/racoon/pfkey.c, src/racoon/policy.c, src/racoon/policy.h,
+ src/racoon/proposal.c, src/racoon/proposal.h,
+ src/racoon/remoteconf.c: From Joy Latten: Add support for SELinux
+ security contexts. Also cleanup the libipsec interface for adding
+ and updating security associations.
+
+ * src/racoon/racoon.conf.5: From Simon Chang: More hints about
+ plain RSA authentication
+
+2006-12-05 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/: proposal.c, proposal.h, racoon.conf.5: Check keys
+ length regarding proposal_check level
+
+2006-11-16 Matthew Grooms <mgrooms@shrew.net>
+
+ * src/racoon/sainfo.c: Correct issues associated with anonymous
+ sainfo selection in racoon.
+
+2006-11-09 Christos Zoulas <christos@netbsd.org>
+
+ * src/racoon/crypto_openssl.c: eliminate the only variable stack
+ array allocation.
+
+2006-10-31 Christian Biere <cbiere@netbsd.org>
+
+ * src/racoon/sockmisc.c: Don't define the deprecated
+ IPV6_RECVDSTADDR if the "advanced IPv6 API" is used because
+ IPV6_RECVPKTINFO and IPV6_PKTINFO are used to prevent potential bugs
+ in the future just in case that the numeric value of the socket
+ option is ever recycled.
+
+2006-10-22 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/: backupsa.c, cfparse.y: From Michal Ruzicka: fix
+ typos
+
+2006-10-19 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/sainfo.c: From Matthew Grooms: use
+ ipsecdoi_chkcmpids() and changed src/dst to loc/rmt in getsainfo().
+
+ * src/racoon/: ipsec_doi.c, ipsec_doi.h: From Matthew Grooms: Added
+ ipsecdoi_chkcmpids() function.
+
+2006-10-09 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/proposal.c: Fix memory leak (Coverity 3438 and 3437)
+
+ * src/racoon/isakmp_unity.c: Correctly check read() return value:
+ it's signed (Coverity 1251)
+
+2006-10-06 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * configure.ac, src/libipsec/pfkey_dump.c, src/racoon/algorithm.c,
+ src/racoon/algorithm.h, src/racoon/cftoken.l,
+ src/racoon/crypto_openssl.c, src/racoon/crypto_openssl.h,
+ src/racoon/eaytest.c, src/racoon/ipsec_doi.c,
+ src/racoon/ipsec_doi.h, src/racoon/oakley.h, src/racoon/pfkey.c,
+ src/racoon/racoon.conf.5, src/racoon/strnames.c,
+ src/setkey/setkey.8, src/setkey/test-pfkey.c, src/setkey/token.l:
+ Camelia cipher support as in RFC 4312, from Tomoyuki Okazaki
+ <okazaki@kick.gr.jp>
+
+2006-10-03 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/admin.c: fix endianness issue introduced yesterday
+
+2006-10-03 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/racoon.conf.5: Added remoteid/ph1id syntax
+
+ * src/racoon/: cfparse.y, cftoken.l: Parses remoteid/ph1id values
+
+ * src/racoon/: handler.c, isakmp_quick.c, pfkey.c, sainfo.c: Uses
+ remoteid/ph1id values
+
+ * src/racoon/: remoteconf.h, sainfo.h: Added remoteid/ph1id values
+
+2006-10-02 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/isakmp_base.c:
+ avoid reusing free'd pointer (Coverity 2613)
+
+ * src/racoon/isakmp_inf.c: Check for NULL pointer (COverity 4175)
+
+ * src/racoon/isakmp_ident.c: Remove dead code (Coverity 3451)
+
+ * src/racoon/algorithm.c: Fix array overrun (Coverity 4172)
+
+ * src/racoon/admin.c: Fix memory leak (Coverity 2002)
+
+ * src/racoon/: admin.c, isakmp.c, sockmisc.c: Fix memory leak
+ (Coverity 2001), refactor the code to use port get/set functions
+
+ * src/racoon/admin.c: Avoid reusing free'd pointer (Coverity 4200)
+
+ * src/racoon/oakley.c: Don't use NULL pointer (Coverity 3443),
+ reformat to 80 char/line
+
+2006-10-02 Tom Spindler <dogcow@netbsd.org>
+
+ * src/racoon/ipsec_doi.c: If you're going to initialize a pointer,
+ you have to init it with a pointer type, not an int.
+
+2006-10-02 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/isakmp.c: Don't use NULL pointer (coverity 3439)
+
+ * src/racoon/ipsec_doi.c: Don't use NULL pointer (Coverity 1334)
+
+ * src/racoon/pfkey.c: Don't use NULL pointer (Coverity 944)
+
+ * src/racoon/proposal.c: Don't use NULL pointer (Coverity 941)
+
+ * src/racoon/racoonctl.c: Don't use NULL pointer (Coverity 942)
+
+ * src/racoon/sockmisc.c: Don't use null pointer (Coverity 863)
+
+2006-10-01 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/ipsec_doi.c: FIx memory leak (Coverity 4181)
+
+ * src/racoon/isakmp.c: Check that iph1->remote is not NULL before
+ using it (Coverity 3436)
+
+2006-09-30 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/isakmp_agg.c: emove dead code (Coverity 4165)
+
+ * src/racoon/isakmp_cfg.c: Fix memory leak (Coverity 4179)
+
+ * src/racoon/samples/roadwarrior/client/: phase1-down.sh,
+ phase1-up.sh: update the scripts for wrorking around routing
+ problems on NetBSD
+
+ * src/racoon/session.c: Reuse existing code for closing IKE
+ sockets, and avoid screwing things by setting p->sock = -1, which is
+ not expected (Coverity 4173).
+
+ * src/racoon/admin.c: Do not free id and key, as they are used
+ later
+
+2006-09-29 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/racoonctl.c: Fix the fix: handle_recv closes the
+ socket, so we must call com_init before sending any data.
+
+2006-09-28 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/isakmp_xauth.c: Fix unchecked mallocs (Coverity 4176,
+ 4174)
+
+ * src/racoon/racoonctl.c: Fix access after free (Coverity 4178)
+
+2006-09-26 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/cfparse.y: Fix memory leak (Coverity)
+
+ * src/racoon/backupsa.c: Fix memory leak (Coverity)
+
+ * src/racoon/admin.c: Remove dead code (Coverity)
+
+ * src/racoon/admin.c: Fix memory leak (Coverity)
+
+ * src/racoon/admin.c: One more memory leak
+
+ * src/racoon/admin.c: Fix memory leak in racoonctl (coverity)
+
+ * src/racoon/ipsec_doi.c: Fix buffer overflow Also fix credits: SA
+ bundle fix was contributed by Jeff Bailey, not Matthew Grooms.
+ Matthew updated the patch for current code, though.
+
+ * src/racoon/: pfkey.c, proposal.c: fix SA bundle (e.g.: for
+ negotiating ESP+IPcomp)
+
+2006-09-25 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/isakmp.c: From Yves-Alexis Perez: struct ip -> struct
+ iphdr for Linux
+
+2006-09-25 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/isakmp.c: style (mostly for testing
+ ipsec-tools-commits@netbsd.org)
+
+ * src/racoon/ipsec_doi.c: Fix double free, from Matthew Grooms
+
+2006-09-21 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/libipsec/pfkey.c: use sysdep_sa_len to make it compile on
+ Linux
+
+2006-09-19 Thomas Klausner <wiz@netbsd.org>
+
+ * src/racoon/racoon.conf.5: Bump date for ike_frag force.
+
+ * src/racoon/: plainrsa-gen.8, racoon.conf.5: New sentence, new
+ line.
+
+ * src/racoon/: racoon.conf.5, plainrsa-gen.8: Remove trailing
+ whitespace.
+
+2006-09-19 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/proposal.c: From Yves-Alexis Perez: fixes default
+ value for encmodesv in set_proposal_from_policy()
+
+ * src/racoon/isakmp.c: always include some headers, as they are
+ required even without NAT-T
+
+ * src/: libipsec/pfkey_dump.c, setkey/token.l: From Larry Baird:
+ define SADB_X_EALG_AESCBC as SADB_X_EALG_AES if needed
+
+ * src/racoon/crypto_openssl.c: From Larry Baird: some printf() ->
+ plog()
+
+2006-09-18 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/: cfparse.y, cftoken.l, isakmp.c, isakmp_frag.h,
+ isakmp_inf.c, racoon.conf.5, remoteconf.c: From Matthew Grooms:
+ ike_frag force option to force the use of IKE on first packet
+ exchange (prior to peer consent)
+
+ * src/racoon/isakmp.c: From Matthew Grooms: handle IKE frag used in
+ the first packet. That should not normally happen, as the initiator
+ does not know yet if the responder can handle IKE frag. However, in
+ some setups, the first packet is too big to get through, and
+ assuming the peer supports IKE frag is the only way to go.
+
+ racoon should have a setting in the remote section to do taht
+ (something like ike_frag force)
+
+2006-09-16 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/ipsec_doi.c: Trivial bugfix in RFC2407 4.6.2
+ conformance, from Matthew Grooms
+
+2006-09-15 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/ipsec_doi.c: Fix build on Linux
+
+For older changes see ChangeLog.old
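Review bot: the closing line "For older changes see ChangeLog.old" leaves a dangling reference unless ChangeLog.old is imported alongside this file; the diffstat here covers only ipsec-tools/ChangeLog, so please confirm ChangeLog.old is part of the same import or note in the commit that older history is intentionally omitted. The upstream typos in the entries ("emove dead code", "wrorking around", "do taht", "COverity") are upstream's own text and should stay untouched in an unchanged import rather than be corrected here.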