diff options
Diffstat (limited to 'ipsec-tools/ChangeLog')
-rw-r--r-- | ipsec-tools/ChangeLog | 1931 |
1 files changed, 1931 insertions, 0 deletions
diff --git a/ipsec-tools/ChangeLog b/ipsec-tools/ChangeLog new file mode 100644 index 00000000..c31fc5f1 --- /dev/null +++ b/ipsec-tools/ChangeLog @@ -0,0 +1,1931 @@ +2013-07-12 Timo Teras <timo.teras@iki.fi> + + * src/racoon/main.c: From Sven Vermeulen + <sven.vermeulen@siphos.be>: Moves ploginit() up, allowing logging + events from init_avc() to show up as well. + +2013-06-18 Timo Teras <timo.teras@iki.fi> + + * src/racoon/ipsec_doi.c: From Paul Barker: Remove redundant memset + after calloc that caused compile failures with gcc 4.8 due to error: + argument to 'sizeof' in 'memset' call is the same expression as the + destination; did you mean to dereference. + +2013-06-03 Timo Teras <timo.teras@iki.fi> + + * src/racoon/admin.c: From Alexander Sbitnev + <alexander.sbitnev@gmail.com>: fix admin port establish-sa for + tunnel mode SAs. + +2013-05-23 Timo Teras <timo.teras@iki.fi> + + * src/include-glibc/net/pfkeyv2.h: From Rainer Weikusat + <rweikusat@mobileactivedefense.com>: Fix SADB_X_EALG_CASTCBC + definition to use system definition (which differs at least on + Linux). + +2013-04-12 Timo Teras <timo.teras@iki.fi> + + * src/racoon/isakmp_cfg.c: From Rainer Weikusat + <rweikusat@mobileactivedefense.com>: Do not send out illegal zero + length MODE_CFG attributes. + + * src/racoon/: grabmyaddr.c, isakmp_inf.c: Some logging + improvements. + +2013-02-05 Timo Teras <timo.teras@iki.fi> + + * src/racoon/grabmyaddr.c: Fix source port selection + + * src/racoon/isakmp_xauth.c: From Ian West <ian@niw.com.au>: Fix + double free of the radius info on config reload. + +2013-01-24 Timo Teras <timo.teras@iki.fi> + + * src/racoon/isakmp_inf.c: Fix handling of deletion notification. + +2013-01-08 tag ipsec-tools-0_8_1 + +2013-01-08 Timo Teras <timo.teras@iki.fi> + + * NEWS, configure.ac: ipsec-tools-0.8.1 + + * configure.ac: Fix errors from automake 1.13 + + * src/include-glibc/Makefile.am: Don't derefence the directory + symlink which we might be recreating. + +2012-12-24 Timo Teras <timo.teras@iki.fi> + + * src/racoon/crypto_openssl.c: From Götz Babin-Ebell + <g.babin-ebell@novamedia.de>: Smarter X.509 subject name compare. + + * configure.ac, src/racoon/crypto_openssl.c, + src/racoon/missing/crypto/sha2/sha2.c: From Götz Babin-Ebell + <g.babin-ebell@novamedia.de>: Require OpenSSL 0.9.8s or higher + +2012-08-29 Timo Teras <timo.teras@iki.fi> + + * src/racoon/isakmp_inf.c: From Roman Hoog Antink <rha@open.ch>: + Accept DPD messages with cookies also in reversed order for + compatiblity. At least Cisco 836 running IOS 12.3(8)T does this. + + * src/racoon/oakley.c: From Roman Hoog Antink <rha@open.ch>: add + remote's IP address to the "certificate not verified" error message. + + * src/racoon/oakley.c: From Roman Hoog Antink <rha@open.ch>: do not + print unnecessary warning about non-verified certificate when using + raw plain-rsa. + + * src/racoon/isakmp.c: From Rainer Weikusat + <rweikusat@mobileactivedefense.com>: Release unused phase2 of + passive remotes after acquire. + + * src/racoon/isakmp.c: From Wolfgang Schmieder + <wolfgang.schmieder@honeywell.com>: setup phase1 port properly. + + * src/racoon/: cfparse.y, cftoken.l, racoon.conf.5: Allow inherited + remote blocks without additional remote statements to be specified + in a simpler way. patch by Roman Hoog Antink <rha@open.ch> + +2012-08-23 Timo Teras <timo.teras@iki.fi> + + * src/racoon/crypto_openssl.c: From Nakano Takaharu: Fix bignum + memory allocation. + +2012-01-01 Timo Teras <timo.teras@iki.fi> + + * src/racoon/isakmp_unity.c: From Rainer Weikusat + <rweikusat@mobileactivedefense.com>: Fix one byte too short memory + allocation in isakmp_unity.c:splitnet_list_2str(). + +2011-11-17 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/handler.c: fixed some crashes in LIST_FOREACH where + current element could be removed during the loop + +2011-11-14 Timo Teras <timo.teras@iki.fi> + + * src/libipsec/pfkey.c: From Marcelo Leitner <mleitner@redhat.com>: + do not shrink pfkey socket buffers (if system default is larger than + what we want as minimum) + +2011-08-12 Timo Teras <timo.teras@iki.fi> + + * src/racoon/privsep.c: Have privilege separation child process + exit if the parent exits. + + * Makefile.am: Create ChangeLog for proper CVS branch. + +2011-03-18 tag ipsec-tools-0_8_0 + +2011-03-18 Yvan Vanhullebus <vanhu@netasq.com> + + * configure.ac: Yes: 0.8.0 is out !!! + + * NEWS: updated News for 0.8 branch + +2011-03-17 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/oakley.c: fixed a memory leak in + oakley_append_rmconf_cr() while generating plist. patch by Roman + Hoog Antink <rha@open.ch> + + * src/racoon/oakley.c: free name later, to avoid a memory use after + free in oakley_check_certid(). also give iph1->remote to some plog() + calls. patch by Roman Hoog Antink <rha@open.ch> + + * src/racoon/oakley.c: fixed a memory leak in + oakley_check_certid(). patch by Roman Hoog Antink <rha@open.ch> + +2011-03-15 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/: isakmp.c, isakmp_inf.c, pfkey.c: directly call + isakmp_ph1delete() instead of scheduling isakmp_ph1delete_stub(), as + it is useless an can lead to memory access after free + +2011-03-14 Timo Teras <timo.teras@iki.fi> + + * src/racoon/: grabmyaddr.c, handler.c, isakmp.c, isakmp_inf.c, + isakmp_quick.c, nattraversal.c, pfkey.c, policy.c, sockmisc.c, + sockmisc.h, throttle.c: Explicitly compare return value of + cmpsaddr() against a return value define to make it more obvious + what is the intended action. One more return value is also added, to + fix comparison of security policy descriptors. Namely, getsp() + should not allow wildcard matching (as the comment says, it does + exact matching) - otherwise we get problems when kernel has generic + policy with no ports, and a second similar policy with ports. + +2011-03-14 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/: cfparse.y, isakmp_xauth.c, isakmp_xauth.h, + remoteconf.c, remoteconf.h, rsalist.c, rsalist.h: avoid some + memory leaks / free memory access when reloading conf and have + inherited config. patch from Roman Hoog Antink <rha@open.ch> + + * src/racoon/handler.c: removed an useless comment + + * src/racoon/handler.c: check if we got RMCONF_ERR_MULTIPLE from + getrmconf_by_ph1() in revalidate_ph1tree_rmconf() + +2011-03-11 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/: handler.c, isakmp.c: directly delete a ph1 in + remove_ph1-) instead of scheduling it, to avoid (completely ?) a + race condition when reloading configuration + +2011-03-06 Timo Teras <timo.teras@iki.fi> + + * src/racoon/privsep.c: Quiet a gcc warning when strict-aliasing + checks are enabled. Reported by Stephen Clark. + +2011-03-02 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/session.c: flush sainfo list when closing session. + patch by Roman Hoog Antink <rha@open.ch> + + * src/racoon/: remoteconf.c, rsalist.c, rsalist.h: free rsa + structures when deleting a struct rmconf. patch by Roman Hoog Antink + <rha@open.ch> + + * src/racoon/: cfparse.y, remoteconf.c, remoteconf.h: free spspec + when deleting a rmconf struct. patch by Roman Hoog Antink + <rha@open.ch> + + * src/racoon/: remoteconf.c, session.c: fixed some memory leaks in + remoteconf. patch by Roman Hoog Antink <rha@open.ch> + + * src/racoon/: cfparse.y, prsa_par.y: fixed some memory leaks + during configuration parsing. patch by Roman Hoog Antink + <rha@open.ch> + +2011-03-01 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/: isakmp.c, pfkey.c: plog text fixes, patch from M E + Andersson <debian@gisladisker.se> + + * src/racoon/cfparse.y: reset yyerrorcount before doing parse + stuff. patch by Roman Hoog Antink <rha@open.ch> + +2011-02-20 Timo Teras <timo.teras@iki.fi> + + * src/racoon/oakley.c: From Roman Hoog Antink <rha@open.ch>: Fix + memory leak when using plain RSA key authentication. + +2011-02-11 Timo Teras <timo.teras@iki.fi> + + * src/racoon/plainrsa-gen.c: From Mats E Andersson + <debian@gisladisker.se>: Fix fprintf format specifier usage from + previous patch. + +2011-02-10 Timo Teras <timo.teras@iki.fi> + + * src/racoon/plainrsa-gen.c: From Mats Erik Andersson + <debian@gisladisker.se>: Implement importing of RSA keys from PEM + files. + + * src/racoon/prsa_par.y: From M E Andersson + <debian@gisladisker.se>: Fix parsing of restricted RSA key + addresses. + +2011-02-02 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/: cftoken.l, isakmp.c, remoteconf.h, sainfo.c, + sainfo.h: store ph1id in an u_int32_t instead of a (signed)int. + Patch from Christophe Carre + +2011-01-28 Timo Teras <timo.teras@iki.fi> + + * src/racoon/: sainfo.c, sainfo.h, session.c: From Roman Hoog + Antink <rha@open.ch>: Clean up sainfo reloading: rename the + functions, and remove unneeded global variable. + + * src/racoon/: remoteconf.c, remoteconf.h, session.c: From Roman + Hoog Antink <rha@open.ch>: Clean up rmconf reloading: rename the + functions, and remove unneeded global variable. + + * src/racoon/plog.c: From Roman Hoog Antink <rha@open.ch>: Log + remote IP address if available (slightly modified by tteras) + +2011-01-22 Timo Teras <timo.teras@iki.fi> + + * src/racoon/isakmp_inf.c: From Roman Hoog Antink <rha@open.ch>: + Fixes a null pointer dereference that might occur after removing + peers from the config and then reloading. + +2011-01-20 Yvan Vanhullebus <vanhu@netasq.com> + + * src/libipsec/pfkey.c: fixed a typo, it will now compile when + KMADDRESS is defined. reported by Roman Hoog Antink (rha (at) + open.ch) + +2010-12-28 Timo Teras <timo.teras@iki.fi> + + * src/racoon/handler.c: From Roman Hoog Antink <rha@open.ch>: Fix + config reload to not delete too many phase 2 handles, because wrong + chain field is used when enumerating the handles. + +2010-12-16 gdt + + * src/racoon/oakley.c: When encountering a certificate where "ID + mismatched with ASN1 SubjectName", and verify_identifier is off, + don't raise an error. This makes the behavior match the man page. + + Patch sent for review long ago: + http://mail-index.netbsd.org/tech-security/2006/03/24/0000.html + with no negative feedback received to date. + +2010-12-14 Timo Teras <timo.teras@iki.fi> + + * src/racoon/ipsec_doi.c: From Roman Hoog Antink <rha@open.ch>: Fix + possible null derefence. + +2010-12-08 Timo Teras <timo.teras@iki.fi> + + * src/racoon/admin.c: Use separate SA addresses for phase2's + created by admin command. The phase2 startup overwrites src/dst with + ISAKMP ports if they are zero and we don't want that to happen for + the SA ports. + +2010-12-08 joerg + + * src/libipsec/pfkey.c: ANSIfy + +2010-12-07 Timo Teras <timo.teras@iki.fi> + + * src/racoon/isakmp_quick.c: Fix spacing and improve wording in + some log messages. + +2010-12-03 Timo Teras <timo.teras@iki.fi> + + * src/libipsec/ipsec_dump_policy.c: Recognize direction for Linux + per-socket policies. + + * src/: libipsec/libpfkey.h, libipsec/pfkey_dump.c, setkey/parse.y, + setkey/setkey.8: Support GRE key as upper layer protocol + specifier (will be supported in Linux kernel 2.6.38). + + * src/racoon/grabmyaddr.c: Netlink deletion notification does not + guarentee actual address deletion: it might still exist on some + other interface. Make sure we do not unbind unless the address is + really gone. + +2010-11-17 Timo Teras <timo.teras@iki.fi> + + * src/racoon/: handler.c, handler.h, isakmp.c, isakmp_inf.c: Fix my + previous patch to not call purge_remote() twice. Change the place + where purge_remote() is called. This fixes also a possible crash + from the same patch since ph1->remote can be NULL (when we are + responder and config is not yet selected). + +2010-11-12 Timo Teras <timo.teras@iki.fi> + + * src/racoon/: admin.c, isakmp.c, isakmp_var.h, pfkey.c: + isakmp_post_acquire is now called from admin commands too, add a + flag so admin commands can be used to establish even passive links + on demand. + + * src/racoon/isakmp.c: Purge all IPsec-SA's if the last main + ISAKMP-SA for the node is deleted by remote request and the phase1 + rekeying is enabled (this will also trigger the new phase1_dead + script hook). + + * src/racoon/: handler.h, isakmp_inf.c: Improve DPD sequence checks + to allow any reply within valid sequence window to be proof of + livelyness. This can improves things if there's random packet + delays, or if racoon is not getting enough CPU time. + + * src/racoon/: admin.c, admin.h, kmpstat.c, racoonctl.c: Extern + admin protocol to allow reply packets to exceed 64kb. E.g SA dumps + with many established SAs can be easily over the limit. + +2010-10-22 Timo Teras <timo.teras@iki.fi> + + * src/racoon/grabmyaddr.c: Change Linux Netlink address monitoring + to monitor local route changes. This works around a kernel bug, and + slightly improves behaviour on some special cases. + +2010-10-21 Timo Teras <timo.teras@iki.fi> + + * src/racoon/: admin.c, evt.c, grabmyaddr.c, isakmp.c, pfkey.c, + session.c, session.h: Introduce priorities for file descriptor + polling mechanism and give priority to admin port. If admin port is + used by ISAKMP-SA hook scripts they should be preferred, other wise + heavy traffic can delay admin port requests considerably. This in + turn may cause renegotiation loop for ISAKMP-SA. This is mostly + useful for OpenNHRP setup, but can benefit other setups too. + + * src/racoon/: admin.c, handler.c, handler.h: Remove + initial-contact entry when all ISAKMP-SA are purged via adminport. + This will avoid stale security associations if some of the delete + notifications happens to get lost. + +2010-10-20 Timo Teras <timo.teras@iki.fi> + + * src/racoon/crypto_openssl.c: Use high-level openssl EVP and HMAC + functions when possible: this allows openssl to perform hardware + acceleration if available. + + * src/racoon/: isakmp.c, isakmp_quick.c: Various improvements to + error log messages and a few additional error log messages to + improve diagnosing an error condition. + + * src/racoon/grabmyaddr.c: Fix address comparison so we actually + close sockets which were bound to IP-address that got deconfigured. + +2010-10-11 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/ipsec_doi.c: report a higher encryption key length in + approval for OBEY / CLAIM / STRICT modes + +2010-09-27 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/isakmp_xauth.c: fixed some typos in logs (reported by + fazaeli (at) sepehrs.com) + +2010-09-24 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/cftoken.l: fixed a fd leak, patch by getlaser (at) + gmail.com + +2010-09-22 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/admin.c: get the correct length of username when + processing ADMIN_LOGOUT_USER, patch by rweikusat (at) mssgmbh.com + + * src/racoon/nattraversal.h: fixed a typo in macros, reported by + marisp (at) mt.lv + +2010-09-21 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/isakmp_cfg.c: moved from utmp.h to utmpx.h (patch + provided by marcin.cieslak (at) gmail.com) + +2010-09-08 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/remoteconf.c: fixed remoteconf selection when no ID + specified in configuration, and added some debug to remoteconf + selection + +2010-08-26 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/remoteconf.c: fix by Sergio.Gelato (at) astro.su.se: + duplicate some dynamic values in duprmconf() + +2010-08-04 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/isakmp_cfg.c: fixed answer for IP4_SUBNET request + +2010-07-30 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/doc/FAQ: updated link to NetBSD's documentation + +2010-06-22 Thomas Klausner <wiz@netbsd.org> + + * src/racoon/racoon.conf.5: Bump date for previous. + +2010-06-22 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/: cfparse.y, cftoken.l, isakmp.c, isakmp_inf.c, + racoon.conf.5, remoteconf.c, remoteconf.h: added a specific + script hook when a dead peer is detected + +2010-06-04 Thomas Klausner <wiz@netbsd.org> + + * src/setkey/setkey.8: New sentence, new line. Bump date for + previous. + +2010-06-04 Yvan Vanhullebus <vanhu@netasq.com> + + * src/setkey/: parse.y, setkey.8, token.l: Added support for + spdupdate command in setkey + +2010-04-07 Yvan Vanhullebus <vanhu@netasq.com> + + * src/libipsec/ipsec_strerror.c: by Eric Preston: fixed a typo + +2010-04-02 Christos Zoulas <christos@netbsd.org> + + * src/: libipsec/pfkey_dump.c, racoon/backupsa.c: handle ctime + returning NULL. + +2010-03-11 Christos Zoulas <christos@netbsd.org> + + * src/racoon/handler.c: PR/42363: Yasuoka Masahiko: Second part of + the patch: iterate only on the phase2 handles that are bound by the + given phase1 handle. + +2010-03-05 Timo Teras <timo.teras@iki.fi> + + * src/: libipsec/ipsec_set_policy.3, racoon/privsep.c, + racoon/doc/FAQ, setkey/setkey.8: From Stefan Bauer: Fix multiple + typoes and manpage formatting errors. + +2010-03-04 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/session.c: From Pierre POMES: fixed admin port + initialization + +2010-02-28 snj + + * src/racoon/: sockmisc.c, sockmisc.h: Fight the ever-increasing + size of src checkouts by spelling "useful" without an extra l. + +2010-02-09 Thomas Klausner <wiz@netbsd.org> + + * src/racoon/: pfkey.c, proposal.h: Fix typo in comment. + +2010-01-17 Thomas Klausner <wiz@netbsd.org> + + * src/racoon/sainfo.c: Free strdeupped string after using it. Found + by cppcheck. + + * src/racoon/: eaytest.c, ipsec_doi.c: Close file handles after + using them. Found by cppcheck. + +2010-01-15 joerg + + * src/setkey/setkey.8: Use .%U instead of .%O for URLs. + +2009-12-11 Timo Teras <timo.teras@iki.fi> + + * src/racoon/Makefile.am: From Paul Wernau: vmbuf.h was defined + twice in the headers. Remove the redundant entry so new install tool + does not complain about overwriting just installed file. + +2009-11-22 Christos Zoulas <christos@netbsd.org> + + * src/racoon/handler.c: PR/42363: Yasuoka Masahiko: + + racoon uses a wrong IPsec-SA handle that is for other peer in case + it receives a ISAKMP message for IPsec-SA that has the same + message-id as the message-id that is received before. + + racoon uses message-id to find the handle of IPsec-SA. The + message-id is a unique number for each peer, but different peers may + use the same value. + + Different Windows Vista or Windows 7 peers seem to use the same + message-id. racoon can handle the first Windows's Phase-2, but it + cannot handle the second Windows. Because racoon misunderstands the + message for the second Windows as the message for the first Windows. + + >Category: bin >Synopsis: racoon uses a wrong IPsec-SA + that is for different peer >Confidential: no >Severity: + serious >Priority: medium >Responsible: bin-bug-people + >State: open >Class: sw-bug >Submitter-Id: net + >Arrival-Date: Sun Nov 22 18:25:00 +0000 2009 >Originator: + yasuoka@iij.ad.jp + +2009-10-29 Christos Zoulas <christos@netbsd.org> + + * src/setkey/token.l: use %option noinput nounput + +2009-10-28 Christos Zoulas <christos@netbsd.org> + + * src/setkey/token.l: no unput + +2009-10-14 joerg + + * src/libipsec/ipsec_set_policy.3: Do not use .Xo/.Xc to workaround + ancient groff limits. + + * src/setkey/setkey.8: Do not use .Xo/.Xc to work around ancient + groff limits. Fix markup. + + * src/racoon/racoon.conf.5: Don't use .Xo/.Xc to work around + ancient groff limits. Set only one list type. + +2009-09-18 Timo Teras <timo.teras@iki.fi> + + * src/racoon/: isakmp_agg.c, isakmp_ident.c: From Tomas Mraz: Fix + gssapi error checking. + +2009-09-03 Timo Teras <timo.teras@iki.fi> + + * src/racoon/: admin.c, handler.c, handler.h, isakmp.c, + isakmp_var.h, pfkey.c: When rekeying phase2 use phase1 used to + negotiate phase2 as a hint to select the phase1 for rekeying the new + phase2. + +2009-09-01 Timo Teras <timo.teras@iki.fi> + + * src/racoon/: nattraversal.c, racoon.conf.5, vendorid.c: Check + nat_traversal configuration from remote configuration candidates + when acting as responder. Enable NAT-T if any of the remote + candidates have NAT-T enabled. + + * src/racoon/remoteconf.c: Change remote conf matching level to + matching score. This way one can override anonymous certificate + block config with more exact "inhereted" IP specific block. + + * src/racoon/: isakmp.c, racoon.conf.5: From Maik Broemme: export + ISAKMP SA identity as REMOTE_ID for phase1 up script (trac #313). + +2009-08-24 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/oakley.c: fixed typo: algoriym -> algorithm + +2009-08-19 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/remoteconf.c: fixed address check in + rmconf_match_type(), just check address with wildcard port + +2009-08-19 Timo Teras <timo.teras@iki.fi> + + * src/racoon/remoteconf.c: Have an enum for rmconf_match_type() + return values to make the code a bit more readable. + +2009-08-18 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/oakley.c: typo: algoritym -> algorithm + +2009-08-17 Yvan Vanhullebus <vanhu@netasq.com> + + * src/libipsec/libpfkey.h: do not use SADB_X_NAT_T_NEW_MAPPING to + check system support for NAT-T, as at least FreeBSD doesn't have + this define anymore + + * src/racoon/schedule.h: include stddef.h so we have a chance to + get the system offsetof if present + + * src/racoon/crypto_openssl.h: removed a self include + +2009-08-13 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/oakley.c: fixed a potential DoS in + oakley_do_decrypt(), reported by Orange Labs + +2009-08-10 Timo Teras <timo.teras@iki.fi> + + * src/racoon/pfkey.c: Don't print EAGAIN error from + pfkey_handler(), it can occur normally under some code paths and is + not a hard error in any case. + +2009-08-06 Timo Teras <timo.teras@iki.fi> + + * src/setkey/setkey.c: From Paul Wenau: Check fgets return value in + setkey to make gcc happy. + +2009-08-05 Timo Teras <timo.teras@iki.fi> + + * src/racoon/pfkey.c: From Paul Wernau: Fix transport mode per-port + security associations that got broke during NAT-T fixes. + +2009-07-07 Timo Teras <timo.teras@iki.fi> + + * src/racoon/sockmisc.c: From Arnaud Ebalard: Fix possible usage of + uninitialized local variable (not sure if any code path triggers + this, but this makes compiler happy). + +2009-07-03 Timo Teras <timo.teras@iki.fi> + + * src/racoon/: admin.c, grabmyaddr.c, handler.c, handler.h, + isakmp.c, isakmp_cfg.c, isakmp_inf.c, isakmp_quick.c, + nattraversal.c, pfkey.c, policy.c, remoteconf.c, remoteconf.h, + sockmisc.c, sockmisc.h, throttle.c: Get rid of the evil CMPSADDR + macro. Trac #295. + + * src/: libipsec/libpfkey.h, libipsec/pfkey.c, racoon/isakmp.c, + racoon/isakmp_inf.c, racoon/pfkey.c, racoon/pfkey.h: From Yvan + Vanhullebus: Use SADB_X_EXT_NAT_T_* consistently for passing the + NAT-T port information. This might break compatibility with some + kernels, but as discussed this is the proper way to pass NAT-T ports + and the broken kernels need to be fixed. + +2009-06-24 Timo Teras <timo.teras@iki.fi> + + * src/racoon/session.c: Fix a call to null pointer: in some cases, + the unmonitor_fd can be called from another fd's callback. That + could lead to still have callback pending after unmonitoring the fd + resulting in a call to null pointer. This is fixed by making + unmonitor_fd now clear the pending fd_set too. Bug was introduced + by my commit in 2008-12-23. + +2009-05-20 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/isakmp.h: typo + +2009-05-19 Timo Teras <timo.teras@iki.fi> + + * src/racoon/: ipsec_doi.c, isakmp.c: From Jukka Salmi: Fix couple + of typos from previous commit. + +2009-05-18 Timo Teras <timo.teras@iki.fi> + + * src/racoon/: ipsec_doi.c, isakmp.c, sockmisc.c, sockmisc.h: From + Tomas Mraz: Introduce union sockaddr_any and use it to make code + more readable. Related to trac #293. + + * src/racoon/isakmp_inf.c: From Tomas Mraz: Remove variable that is + not really used; only referenced while uninitialized causing + valgrind error. + + * src/racoon/nattraversal.c: From Tomas Mraz: Fix natt_flags check. + +2009-05-04 Thomas Klausner <wiz@netbsd.org> + + * src/racoon/racoon.conf.5: Remove superfluous spaces around + parentheses. + +2009-04-29 Timo Teras <timo.teras@iki.fi> + + * src/racoon/crypto_openssl.c: From Ross Meng: Fix a memory leak in + X509 certificate validation. + +2009-04-28 Timo Teras <timo.teras@iki.fi> + + * src/racoon/handler.c: Reset nat_oa variables too when reusing + phase two handler. Otherwise phase2 rekeying might fail in some + scenarios. + +2009-04-22 Timo Teras <timo.teras@iki.fi> + + * src/racoon/isakmp_frag.c: From Neil Kettle: Fix a possible null + pointer dereference in fragmentation code. + +2009-04-21 Timo Teras <timo.teras@iki.fi> + + * src/racoon/: grabmyaddr.c, grabmyaddr.h, session.c: Fix + strict_address to work again. The lists needs to be initialized + before configuration is read, which happens before my_addr_init() + call. + +2009-04-20 Timo Teras <timo.teras@iki.fi> + + * src/racoon/: isakmp.c, isakmp.h, isakmp_var.h: Fix a memory leak + in certificate request generation. + + * src/racoon/: isakmp_inf.c, isakmp_xauth.c, plog.c: Orignally from + Bin Li: Fix possible memory corruption in binsanitize(). + + * src/racoon/crypto_openssl.c: From Stephen Bevan: Fix a x509 + signature verification memory leak. + + * src/racoon/: admin.c, racoonctl.c: Originally from Bin Li: Fix a + crash with racoonctl logout user. + + * src/racoon/nattraversal.c: Fix a memory leak in nat-t keepalive + code. + + * src/racoon/handler.c: From Paul Moore: Phase2 message id's should + be unique wrt phase1, not globally. + +2009-03-13 Timo Teras <timo.teras@iki.fi> + + * src/racoon/: pfkey.c, remoteconf.h: From Arnaud Ebalard: Fix + couple of problems with previous commit. + +2009-03-12 he + + * src/racoon/: isakmp.c, remoteconf.c: When casting to/from a + pointer to an integral type (a bad practice, if you ask me), you + need to cast via intptr_t for portability. + +2009-03-12 Thomas Klausner <wiz@netbsd.org> + + * src/racoon/racoon.conf.5: New sentence, new line. Avoid marking + up punctuation. + + * src/racoon/racoonctl.8: Bump date for previous. Sort options to + establish-sa. Stop using Xo/Xc. + +2009-03-12 Timo Teras <timo.teras@iki.fi> + + * src/racoon/: admin.c, cfparse.y, cftoken.l, crypto_openssl.c, + crypto_openssl.h, dnssec.c, dnssec.h, handler.c, handler.h, + ipsec_doi.c, ipsec_doi.h, isakmp.c, isakmp.h, isakmp_agg.c, + isakmp_base.c, isakmp_ident.c, isakmp_inf.c, isakmp_quick.c, + isakmp_var.h, nattraversal.c, oakley.c, oakley.h, racoon.conf.5, + racoonctl.8, racoonctl.c, remoteconf.c, remoteconf.h, sockmisc.c, + vendorid.c: Support multiple anonymous remotes and decide + remoteconf based on identity, received certificates and other + information. General code clean up. + +2009-03-06 Timo Teras <timo.teras@iki.fi> + + * src/setkey/: extern.h, parse.y, setkey.c: setkey: fix deleteall + in Linux + + Linux requires SADB_DELETE message to have SPI. So send a + SADB_DELETE message for each matching SA. Trac #284. + + From: Gabriel Somlo <somlo@cmu.edu> + +2009-02-16 Timo Teras <timo.teras@iki.fi> + + * src/libipsec/policy_parse.y: From Paul Moore: Fix a heap + corruption bug (yacc return non-null terminated buffer and sprintf + writes over bounds). + +2009-02-11 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/: isakmp.c, sockmisc.c, sockmisc.h: trac#301: fixed + IPsec SAs flush in purge_remote() when NAT-T enabled but no NAT-T on + tunnel + +2009-02-03 Timo Teras <timo.teras@iki.fi> + + * src/racoon/isakmp.c: From: Phil Sutter. Fix script environment + variables with IPv6 addresses. + +2009-01-26 Timo Teras <timo.teras@iki.fi> + + * src/racoon/main.c: Argument parsing needs lcconf initialized. + +2009-01-24 Thomas Klausner <wiz@netbsd.org> + + * src/racoon/racoonctl.c: Sort options in usage. + + * src/racoon/racoonctl.8: Sort options. New sentence, new line. + + * src/racoon/racoon.8: Sort options. + +2009-01-23 Timo Teras <timo.teras@iki.fi> + + * src/racoon/: racoonctl.8, racoonctl.c: Update usage and manpage + for racoonctl. + + * src/racoon/: main.c, racoon.8: Racoon -v to print version and + compilation information. Update usage message. + + * NEWS: Update NEWS with major changes since 0.7 release. + + * src/racoon/schedule.c: Fix monotonic scheduler change, to not + refresh 'now' before exit. Otherwise we can return negative timeout + after spending time handling other events. + + * src/racoon/: handler.c, pfkey.c: From Arnaud Ebalard: Handle + reception of MIGRATE message during Phase 1 and Phase 2 negotiation. + Also corrects some debugging statements. + + * src/racoon/pfkey.c: From Arnaud Ebalard: On the responder (for + instance), there is a need to not only migrate local and remote + addresses of Phase 1 that match previous addresses but also the + local and remote addresses of a Phase 1 *associated* with a migrated + Phase 2. For instance, we have that need when receiving the first + MIGRATE/KMADDRESS message because the old addresses are still the + HoA and the address of the HA (while the peer has contacted us using + the CoA and we have negotiated this address as src attribute in + Phase 2). The patch fixes that by having migrate_ph1_ike_addresses() + called from migrate_ph2_ike_addresses() callback. + + * src/racoon/isakmp_quick.c: From Arnaud Ebalard: Set phase2 spid + when acting as responder. + + * configure.ac, src/racoon/handler.c, src/racoon/handler.h, + src/racoon/isakmp_inf.c, src/racoon/isakmp_xauth.c, + src/racoon/schedule.c, src/racoon/schedule.h, + src/racoon/throttle.c, src/racoon/throttle.h: Detect if monotonic + system clock is available, and use it for relative time measurements + to avoid complite hang if time jumps backwards. + + * src/racoon/: cfparse.y, ipsec_doi.c, isakmp.c, isakmp_agg.c, + isakmp_base.c, isakmp_cfg.c, isakmp_ident.c, isakmp_xauth.c, + oakley.c, oakley.h: Fix authentication method ambiguity by + internally using unique ID and setting/interpreting the wire format + based on received vendor ID:s. Fixes trac #280. + + * src/racoon/: handler.h, isakmp_agg.c, isakmp_base.c, + isakmp_ident.c, vendorid.c, vendorid.h: Introduce vendorid + bitmask that can be used otherwhere to detect peer capabilities. + + * configure.ac, src/racoon/admin.c, src/racoon/evt.c, + src/racoon/grabmyaddr.c, src/racoon/isakmp.c, src/racoon/pfkey.c, + src/racoon/session.c, src/racoon/session.h: Remove "fastquit" + configure option and make it the default behaviour. The previous + normal behaviour is buggy, as after flush kernel can immediately + create larval SA:s which would prevent exit. + +2009-01-20 Timo Teras <timo.teras@iki.fi> + + * Makefile.am, misc/cvs2cl.pl, misc/cvsusermap: Autogenerate + ChangeLog from NetBSD CVS. Put sourceforge.net changes to + ChangeLog.old. + +2009-01-10 Thomas Klausner <wiz@netbsd.org> + + * src/racoon/racoon.conf.5: Make ready for HTML output. Use proper + escape for backslash ('\e'). + +2009-01-10 Timo Teras <timo.teras@iki.fi> + + * src/racoon/: crypto_openssl.c, racoon.conf.5: From Cyrus Rahman: + Accept RFC2253 compliant escaped special characters for asn1dn + identifier. + +2009-01-09 Timo Teras <timo.teras@iki.fi> + + * configure.ac: Fix a CPPLAGS typo to CPPFLAGS which was intended + +2009-01-05 Timo Teras <timo.teras@iki.fi> + + * src/racoon/: cfparse.y, cftoken.l, racoon.conf.5: Remove obsolete + configuration options, fix radius configuration block and add GRE as + recognized protocol. + + * src/racoon/session.c: Do not use counting in signal handling as + it was unsafe by not using atomic functions (post increment is not + necessarily atomic). Instead reap all children on SIGCHLD as that + was the only signal needing signal counting. + +2008-12-30 Timo Teras <timo.teras@iki.fi> + + * src/racoon/session.c: schedular() call can now modify fd mask so + make the working copy just before calling select(); otherwise it can + contain bad file descriptors + +2008-12-29 Michael van Elst <mlelstv@netbsd.org> + + * src/setkey/parse.y: support icmp codes. Fixes PR 39056. + +2008-12-24 Christos Zoulas <christos@netbsd.org> + + * src/racoon/grabmyaddr.c: remove sin{6,}_len linux does not have + it. From Timo Teras. + + * src/racoon/grabmyaddr.c: I was wrong. addr is actually set. + + * src/racoon/grabmyaddr.c: + - make this compile by zeroing out the whole structure not just + bogus fields. + - set length field of sockets appropriately. + - mark bogus no-op code (I don't understand what the author intended + here). + +2008-12-23 Thomas Klausner <wiz@netbsd.org> + + * src/racoon/racoon.conf.5: Bump date for identity configuration + option removal. + +2008-12-23 Timo Teras <timo.teras@iki.fi> + + * src/racoon/: cfparse.y, cftoken.l, ipsec_doi.c, localconf.c, + localconf.h, racoon.conf.5: Remove the obsoleted global identity + configuration option. + + * src/racoon/: admin.c, admin_var.h, cfparse.y, debug.h, evt.c, + evt.h, grabmyaddr.c, grabmyaddr.h, handler.c, isakmp.c, + isakmp_inf.c, isakmp_var.h, localconf.c, localconf.h, main.c, + nattraversal.c, pfkey.c, pfkey.h, privsep.c, session.c, + session.h: rewrite local address detection make some functions + static that arr not needed globally rework how fd_set is + construction for the main loop select() + +2008-12-18 Timo Teras <timo.teras@iki.fi> + + * src/racoon/pfkey.c: From Arnaud Ebalard: Delete larval ph2handles + when expire with hard lifetime received + +2008-12-16 Timo Teras <timo.teras@iki.fi> + + * README: Update README + + * src/racoon/pfkey.c: Fix transport mode address selection in + acquire handling. Some earlier fixes got lost on 2008-12-05 commit. + +2008-12-11 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/grabmyaddr.c: Fixed compilation on FreeBSD (RTM_IFINFO + and RTM_OIFINFO stuff) + + * src/racoon/isakmp.c: Fixed compilation when DPD support is + disabled + +2008-12-08 Timo Teras <timo.teras@iki.fi> + + * src/racoon/: pfkey.c, privsep.c, privsep.h: Do not cache pfkey + sockets: it might cause to not handle some pfkey events when + select() has marked pfkey socket readable, but a timer callback + first calls pfkey_dump_sadb(). + +2008-12-05 Timo Teras <timo.teras@iki.fi> + + * src/: libipsec/key_debug.c, libipsec/libpfkey.h, + libipsec/pfkey.c, racoon/handler.c, racoon/handler.h, + racoon/ipsec_doi.c, racoon/isakmp.c, racoon/isakmp_quick.c, + racoon/pfkey.c, racoon/policy.c, racoon/policy.h: From Arnaud + Ebalard: Improved Mobile IPv6 support per + draft-ebalard-mext-pfkey-enhanced-migrate. + +2008-12-04 Christoph Badura <bad@netbsd.org> + + * src/racoon/privsep.c: Fix typo in previous and use SIG_IGN as I + intended. + +2008-12-02 Timo Teras <timo.teras@iki.fi> + + * src/racoon/session.c: Explicitly ignore SIGPIPE. Default action + on Linux is terminate. + +2008-11-28 Thomas Klausner <wiz@netbsd.org> + + * src/racoon/racoon.conf.5: Remove empty line. Fix typo. New + sentence, new line. + +2008-11-27 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/main.c: Set up a default value for Mode Config Pool + size if pool address specified but pool size not specified + + * src/racoon/isakmp_cfg.c: Fixed pool resizing + +2008-11-27 Timo Teras <timo.teras@iki.fi> + + * src/racoon/pfkey.c: From Arnaud Ebalard: Remove MAXNESTEDSA + weirdness. It's probably meant for bundle support which is not done. + When someone actually writes bundle support, the nested SA stuff + would probably be reworked too anyway. + + * src/: libipsec/libpfkey.h, libipsec/pfkey.c, racoon/cfparse.y, + racoon/cftoken.l, racoon/localconf.c, racoon/localconf.h, + racoon/pfkey.c, racoon/racoon.conf.5: From: Matthew Krenzer + Ability to set pfkey socket buffer size via configuration file + directive. (Indentation and minor fixes by me.) + +2008-11-25 Christoph Badura <bad@netbsd.org> + + * src/racoon/: evt.c, privsep.c, session.c: Avoid using + MSG_NOSIGNAL as it is not available everywhere. Ignore SIGPIPE + instead. + + * src/racoon/grabmyaddr.c: Ignore unspecified and looback + addresses. Ignoring unspecified addresses prevents racoon from + trying to bind to the wildcard address and specific addresses + simultaneously after e.g. dhclient has changed an interface's + address to 0.0.0.0. + + * src/racoon/grabmyaddr.c: RTM_DELETE and RTM_IFINFO don't carry + info for added or deleted addresses. Ignore them silently. + + * src/racoon/grabmyaddr.c: Ignoring an unsuitable address is not an + error. Therefore log it as informational. Make it clear from the + log message that a route message is not interesting. + + * src/racoon/grabmyaddr.c: Use insmyaddr() instead of open coding + it. + + * src/racoon/isakmp.c: Do not return erroneously from isakmp_open() + when setting IPV6_USE_MIN_MTU fails. + + * src/racoon/: grabmyaddr.c, isakmp.c: Keep myaddr.sock at -1 when + no socket is opened. + +2008-11-08 Christoph Badura <bad@netbsd.org> + + * src/racoon/samples/roadwarrior/client/: phase1-down.sh, + phase1-up.sh: Preserve owner and permissions of original + /etc/resolv.conf. Ensure that new /etc/resolv.conf isn't group or + world writable. + + * src/racoon/samples/roadwarrior/client/: phase1-down.sh, + phase1-up.sh: Print and check INTERNAL_NETMASK4. + + * src/racoon/samples/roadwarrior/client/: phase1-down.sh, + phase1-up.sh: Make the handling of NAT-T SPD entries automatic. + + * src/racoon/samples/roadwarrior/client/: phase1-down.sh, + phase1-up.sh: Ensure that the determination of the default + gateway and the corresponding interface don't get confused by + multiple, possibly non-IPv4 default routes. Bring the NetBSD case + of deleting the VPN routes and address in line with the Linux case + and delete the address after deleting the VPN routes. + +2008-11-06 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/sainfo.c: fixed delsainfo() to avoid a crash when + iddst's value is SAINFO_CLIENTADDR + +2008-10-29 S.P.Zeidler <spz@netbsd.org> + + * src/racoon/ipsec_doi.c: Changes to ipsecdoi_id2str(): + + struct sockaddr -> struct sockaddr_storage fixes a stack overflow + + For non-linklocal addresses the value in 'scope' is garbage and gets + set to zero instead. + +2008-10-27 Timo Teras <timo.teras@iki.fi> + + * src/racoon/pfkey.c: From Arnaud Ebalard: Add missing return to + error path + + * src/racoon/grabmyaddr.c: From Francis Dupont (sent by Arnaud + Ebalard): recognize RTM_IFANNOUNCE + + * src/racoon/grabmyaddr.c: From Arnaud Ebalard: Fix indentation + issues for readability + + * src/racoon/session.c: From Arnaud Ebalard: initfds() needs to be + called only if monitored file descriptor numbers have changed + + * src/racoon/isakmp_var.h: From Arnaud Ebalard: Remove duplicate + declaration + +2008-10-23 Timo Teras <timo.teras@iki.fi> + + * src/racoon/: privsep.c, session.c, session.h: From Krzysztof + Piotr Oledzki <olel@ans.pl>: Revert parts of 2008-08-06 commit; the + problem those changes address are already handled in a sensible way + by Cyrus Rahman's patch from 2008-03-06. + +2008-10-09 Timo Teras <timo.teras@iki.fi> + + * src/racoon/isakmp_quick.c: From Arnaud Ebalard: remove + unnecessary unbindph12() call which is now done in remph2() + +2008-09-25 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/isakmp.c: Fixed resending mechanism to have non-ESP + marker for retransmitted packets + +2008-09-19 Thomas Klausner <wiz@netbsd.org> + + * src/racoon/racoon.conf.5: New sentence, new line. + +2008-09-19 Timo Teras <timo.teras@iki.fi> + + * src/racoon/: admin.c, cfparse.y, cftoken.l, handler.c, handler.h, + isakmp.c, isakmp_cfg.c, isakmp_inf.c, isakmp_quick.c, + isakmp_var.h, isakmp_xauth.c, pfkey.c, proposal.c, racoon.conf.5, + remoteconf.c, remoteconf.h: Implement ISAKMP SA rekeying + configurable with rekey {on|off|force} option in remote conf. + + * src/racoon/: handler.c, handler.h, isakmp.c, isakmp_inf.c, + isakmp_quick.c, isakmp_var.h, isakmp_xauth.c, isakmp_xauth.h, + nattraversal.c, pfkey.c, pfkey.h, schedule.c, schedule.h, + session.c: Change struct sched to be allocated be the caller to + avoid some memory allocations. Optimize scheduling algorithm to not + scan all entries in the main loop. + +2008-09-17 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/isakmp_inf.c: Fixed port match in purge_ipsec_spi() + when NAT-T enabled and trying to purge non NAT-T SAs + +2008-09-09 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/pfkey.c: Some calls to set_port() were not correctly + updated in the previous commit + +2008-09-03 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/pfkey.c: From Tomas Mraz: Duplicate addresses in + pk_sendxxx functions, as they may be altered for NAT-T stuff. + +2008-09-03 Timo Teras <timo.teras@iki.fi> + + * src/: libipsec/pfkey.c, racoon/pfkey.c, racoon/sockmisc.c: + - Fix reloading of SPD (Linux satype check, handling of SPD dump + responses) + - Remove some spurious error log message from extract_port() + +2008-08-29 Gregory McGarry <gmcgarry@netbsd.org> + + * src/racoon/isakmp.c: Eliminate gcc-specific feature of empty + structures. + + * src/racoon/evt.h: Eliminate superfluous semicolon. + + * src/racoon/: admin.c, admin.h: Eliminate gcc-specific feature of + unnamed structures added recently. + +2008-08-12 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/isakmp.c: From Krzysztof Piotr Oledzki: Remove + ph1handler if we received an invalid first exchange from initiator. + +2008-08-06 Timo Teras <timo.teras@iki.fi> + + * src/racoon/: privsep.c, session.c, session.h: From Krzysztof + Piotr Oledzki: Make privileged process exit if unprivileged process + is terminated and some spelling fixes. + +2008-07-23 Matthew Grooms <mgrooms@shrew.net> + + * src/racoon/: cfparse.y, session.c: Add some missing ifdefs + required for non-radius enabled builds. + +2008-07-23 Timo Teras <timo.teras@iki.fi> + + * src/racoon/Makefile.am: Do not use GNU make specific extension. + + * src/: libipsec/Makefile.am, racoon/Makefile.am, + setkey/Makefile.am: Do flex/bison invocation in a more standard + way, and keep the generated files in the dist tarball. + +2008-07-22 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/proposal.c: From Kohki Ohhira: fix some memory leaks, + when malloc fails or when peer sends invalid proposal. + +2008-07-22 Matthew Grooms <mgrooms@shrew.net> + + * src/racoon/: cfparse.y, cftoken.l, isakmp_cfg.c, isakmp_xauth.c, + isakmp_xauth.h, main.c, racoon.conf.5, session.c: Add an optional + radius configuration section to the racoon.conf file. This is + similar to the the LDAP configuration section and overrides settings + in the system radius configuration file. + +2008-07-21 Matthias Scheler <tron@netbsd.org> + + * src/racoon/cfparse.y: Correct typo to fix the build. + +2008-07-21 Timo Teras <timo.teras@iki.fi> + + * src/racoon/: isakmp_agg.c, isakmp_base.c, isakmp_ident.c, + vendorid.c, vendorid.h: Separate generic vendor id handling to a + new function and use it. + + * src/racoon/cfparse.y: Do not set default gss id if xauth is used, + otherwise gss-id attribute might be sent even if it was not + requested. + +2008-07-15 Matthew Grooms <mgrooms@shrew.net> + + * src/racoon/isakmp_cfg.c: Fix an a typo that prevented racoon from + building with hybrid enabled. + + * src/racoon/: crypto_openssl.c, eaytest.c, misc.c, misc.h, + racoonctl.c: Fix a conflict with the FreeBSD 8 system hexdump + function. + +2008-07-14 Timo Teras <timo.teras@iki.fi> + + * src/racoon/: handler.h, ipsec_doi.c, ipsec_doi.h, isakmp_quick.c, + pfkey.c: Handle RESPONDER-LIFETIME notification in quick mode. + + * src/racoon/: handler.h, isakmp.c, isakmp_agg.c, isakmp_ident.c, + isakmp_inf.c, isakmp_inf.h, isakmp_quick.c, strnames.c: Clean up + notification payload handling. Handle INITIAL-CONTACT notification + in last main mode exchange (delayed) and during quick mode + exchanges. + +2008-07-11 Timo Teras <timo.teras@iki.fi> + + * src/racoon/: isakmp.c, isakmp_inf.c: Original patch from Atis + Elsts: Fix a double memory free and a memory corruption + (LIST_REMOVE() on an uninserted node) in some error handling paths. + +2008-07-09 Timo Teras <timo.teras@iki.fi> + + * src/racoon/cfparse.y: From Chong Peng: fix a file descriptor and + memory leak on configuration file reread + +2008-07-02 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/isakmp_inf.c: From Timo Teras: fix some %d to %zu + (size_t values) + +2008-06-18 Thomas Klausner <wiz@netbsd.org> + + * src/racoon/racoonctl.8: Bump date for previous. + +2008-06-18 Matthew Grooms <mgrooms@shrew.net> + + * src/racoon/: admin.c, admin.h, racoonctl.8, racoonctl.c: Add an + admin port command to retrieve the peer certificate. Submitted by + Timo Teras. + + * src/racoon/: admin.c, grabmyaddr.c, isakmp.c, misc.c, misc.h: Set + sockets to be closed on exec to avoid potential file descriptor + inheritance issues. Submitted by Timo Teras. + + * src/racoon/: admin.c, grabmyaddr.c, ipsec_doi.c, isakmp.c, + isakmp_cfg.c, isakmp_inf.c, privsep.c, remoteconf.c: Use utility + functions to evaluate and manipulate network port values. No + functional changes. Submitted by Timo Teras. + + * src/racoon/: admin.c, racoonctl.c: Admin port code cleanup. No + functional changes. Submitted by Timo Teras. + + * src/racoon/pfkey.c: Correct a phase2 status event. Submitted by + Timo Teras. + +2008-05-24 Christos Zoulas <christos@netbsd.org> + + * src/racoon/privsep.c: Coverity CID 5018: Fix double frees. + +2008-05-08 Emmanuel Dreyfus <manu@netbsd.org> + + * configure.ac: From Christian Hohnstaedt: allow out of tree + building + +2008-04-30 Martin Husemann <martin@netbsd.org> + + * netbsd-import.sh: Convert TNF licenses to new 2 clause variant + +2008-04-25 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/isakmp_inf.c: From Timo Teras: extract port numbers + from SADB_X_EXT_NAT_T[SD]PORT if present in purge_ipsec_spi(). + +2008-04-13 Christos Zoulas <christos@netbsd.org> + + * src/racoon/privsep.c: for symmetry set controllen the same way we + set it on the receiving side. + +2008-04-02 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/: Makefile.am, sockmisc.c, sockmisc.h: fix Linux build + +2008-03-28 Christos Zoulas <christos@netbsd.org> + + * src/racoon/privsep.c: properly fix the variable stack allocation + code. + +2008-03-28 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/privsep.c: Still from Cyrus Rahman: fix file + descriptor leak introduced by previous commit. + + * src/racoon/: Makefile.am, isakmp.c, isakmp_inf.c, privsep.c, + privsep.h, sockmisc.c, doc/README.privsep: From Cyrus Rahman: + Allow interface reconfiguration when running in privilege separation + mode, document privilege separation + +2008-03-06 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/oakley.c: Generates a log if cert validation has been + disabled by configuration + +2008-03-06 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/: privsep.c, session.c: From Cyrus Rahman + <crahman@gmail.com> privilegied instance exit when unprivilegied one + terminates. Save PID in real root, not in chroot + +2008-03-06 Matthew Grooms <mgrooms@shrew.net> + + * src/racoon/: admin.c, isakmp.c, isakmp_var.h, pfkey.c, + racoonctl.8, racoonctl.c: Add the ability to initiate IPsec SA + negotiations using the admin socket. Submitted by Timo Teras. + + * src/racoon/: admin.c, admin.h, evt.c, evt.h, handler.c, + handler.h, isakmp.c, isakmp_agg.c, isakmp_base.c, isakmp_cfg.c, + isakmp_ident.c, isakmp_inf.c, isakmp_var.h, isakmp_xauth.c, + racoonctl.8, racoonctl.c, session.c: Refactor admin socket event + protocol to be less error prone. Backwards compatibility is + provided. Submitted by Timo Teras. + +2008-03-05 Matthew Grooms <mgrooms@shrew.net> + + * src/racoon/cfparse.y: Properly initialize the unity network + struct to prevent erroneous protocol and port info from being + transmitted. + + * src/racoon/: pfkey.c, pfkey.h, session.c: Reload SPD on SIGHUP or + adminport reload. Also provide better handling for pfkey socket read + errors. Submitted by Timo Teras. + +2008-02-25 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/ipsec_doi.c: From Brian Haley <brian.haley@hp.com> + There's a cut/paste error in cmp_aproppair_i(), it's supposed to be + checking spi_size but it's not. I'm not sure this patch is correct, + but what's there isn't either. + +2008-02-22 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/isakmp.c: Fix address length, from Brian Haley + +2008-02-10 S.P.Zeidler <spz@netbsd.org> + + * src/racoon/ipsec_doi.c: closes PR bin/37644 did not meet violent + opposition ( :) ) on ipsec-tools-devel + +2008-01-11 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/isakmp_inf.c: From Timo Teras: reset iph1->dpd_r_u in + the scheduler's callback, to avoid access to freed memory. + + * src/racoon/crypto_openssl.c: From Krzysztof Oledzki: Fix + compilation with IDEA and recent gcc. + + * src/racoon/isakmp_inf.c: From Krzysztof Oledzki: added some + details to some logs (also reported new getph1byaddr() arg). + + * src/racoon/isakmp.c: From Krzysztof Oledzki: Only search for + established ph1 handles in DPD (also reported new getph1byaddr() + arg). + + * src/racoon/: handler.c, handler.h: added an 'established' arg to + getph1byaddr() + +2007-12-31 Matthew Grooms <mgrooms@shrew.net> + + * src/racoon/: policy.c, racoonctl.8, racoonctl.c: Add GRE protocol + number to racoonctl. Correct id wildcard matching for transport + mode. Submitted by Timo Teras. + +2007-12-12 Matthew Grooms <mgrooms@shrew.net> + + * NEWS, src/racoon/isakmp_quick.c: Add corrections submitted in a + follow up patch for the nat-t oa support. + + * src/racoon/: handler.c, handler.h, isakmp_quick.c, pfkey.c: Add + support for nat-t oa payload handling. Submitted by Timo Teras. + +2007-12-04 Matthew Grooms <mgrooms@shrew.net> + + * src/racoon/: ipsec_doi.c, ipsec_doi.h, isakmp_quick.c: Modify + ipsecdoi_sockaddr2id() to obtain an id without specifying the exact + prefix length. Correct a memory leak in phase2. Both submitted by + Timo Teras. + +2007-12-01 Thomas Klausner <wiz@netbsd.org> + + * src/racoon/racoon.conf.5: Fix typos. New sentence, new line. + +2007-11-29 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/Makefile.am: From Natanael Copa: fixed a race + condition when building yacc stuff. + +2007-11-09 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/pfkey.c: From Arnaud Ebalard: Some sanity checking in + pk_recv() + + * src/racoon/policy.c: From Arnaud Ebalard: Better matching of SPD + entries in getsp_r(). + + * src/racoon/isakmp_quick.c: From Arnaud Ebalard: Added some debug + in get_proposal_r(). + +2007-10-19 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/: isakmp_cfg.c, isakmp_unity.c, isakmp_unity.h, + racoon.conf.5: Add SPLITNET_{INCLUDR_LOCAL}_CIDR to hook scripts + +2007-10-15 Yvan Vanhullebus <vanhu@netasq.com> + + * src/libipsec/pfkey.c: Try to increase the buffer size of the + pfkey socket, this may help things when we have a huge SPD + +2007-10-02 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/crypto_openssl.c: From Scott Lamb: include plog.h to + work with the new plog macro. + + * src/racoon/kmpstat.c: From Scott Lamb: plog changed to _plog to + work with new plog macro + + * src/racoon/: plog.c, plog.h: From Scott Lamb: new plog macro. + +2007-09-19 Matthew Grooms <mgrooms@shrew.net> + + * src/racoon/isakmp.c: Set REUSE option on sockets to prevent + failures associated with closing and immediately re-opening. + Submitted by Gabriel Somlo. + + * src/racoon/isakmp_unity.c: Prevent duplicate entries in splitnet + list. Submitted by Gabriel Somlo. + +2007-09-13 Matthew Grooms <mgrooms@shrew.net> + + * configure.ac: Fix autoconf check for selinux support. Submitted + by Joy Latten. + +2007-09-12 Matthew Grooms <mgrooms@shrew.net> + + * src/racoon/: cfparse.y, cftoken.l, handler.c, isakmp_quick.c, + pfkey.c, racoon.conf.5, sainfo.c, sainfo.h: Implement clientaddr + sainfo remote id option and refine the sainfo man page syntax. + +2007-09-05 Matthew Grooms <mgrooms@shrew.net> + + * src/racoon/sainfo.c: Sort sainfo sections on insert and improve + matching logic. + +2007-09-03 Matthew Grooms <mgrooms@shrew.net> + + * src/racoon/: cftoken.l, racoon.conf.5: Correct the syntax for + wins4 in the man page and add nbns4 as an alias. Pointed out by + Claas Langbehn. + +2007-08-07 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/isakmp_xauth.c: src/racoon/isakmp_xauth.c: Don't mix + up RADIUS authentication and authorization ports. Allow + interoperability with freeradius + +2007-07-24 Matthew Grooms <mgrooms@shrew.net> + + * NEWS: Update NEWS file with additional 0.7 improvements. + +2007-07-18 Matthew Grooms <mgrooms@shrew.net> + + * src/racoon/racoon.conf.5: Various racoon configuration manpage + updates. + +2007-07-18 Yvan Vanhullebus <vanhu@netasq.com> + + * configure.ac, src/libipsec/ipsec_dump_policy.c, + src/libipsec/ipsec_get_policylen.c, + src/libipsec/ipsec_strerror.c, src/libipsec/key_debug.c, + src/libipsec/libpfkey.h, src/libipsec/pfkey.c, + src/libipsec/pfkey_dump.c, src/libipsec/policy_parse.y, + src/libipsec/policy_token.l, src/libipsec/test-policy-priority.c, + src/racoon/admin.c, src/racoon/backupsa.c, src/racoon/cfparse.y, + src/racoon/cftoken.l, src/racoon/ipsec_doi.c, + src/racoon/isakmp.c, src/racoon/isakmp_inf.c, + src/racoon/isakmp_quick.c, src/racoon/pfkey.c, + src/racoon/policy.c, src/racoon/proposal.c, + src/racoon/remoteconf.c, src/racoon/sainfo.c, + src/racoon/session.c, src/racoon/sockmisc.c, + src/racoon/strnames.c, src/setkey/parse.y, src/setkey/setkey.c, + src/setkey/token.l: use a single PATH_IPSEC_H to fix some + path_to_ipsec.h issues + +2007-07-16 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/grabmyaddr.c: fixed a socket leak + + * src/racoon/proposal.c: indentation + +2007-06-07 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/isakmp_cfg.c: From Paul Winder + <Paul.Winder@tadpole.com>: Fix ignored INTERNAL_DNS4_LIST + +2007-06-06 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/: eaytest.c, var.h: From Rong-En Fan: fix compilation + with gcc 4.2 + + * src/racoon/session.c: From Jianli Liu: speed up interfaces update + when they change. + + * src/racoon/handler.c: ignore obsolete lifebyte when validating + reloaded configuration + +2007-05-31 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/: main.c, policy.h, security.c: From Joy Latten + <latten@austin.ibm.com> Fix file descriptor shortage when using + labeled IPsec. + +2007-05-30 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/kmpstat.c: From Jianli Liu <jlliu@nortel.com>: In + racoonctl, use the specified socket path instead of the default + location + +2007-05-16 Christos Zoulas <christos@netbsd.org> + + * src/racoon/cfparse.y: coverity CID 4168: yyerror() does not + return, so we proceed to de-reference NULL. Make it return -1 + instead like in other places. + + * src/racoon/cfparse.y: coverity CID 4170: yyerror() does not + return, so we proceed to de-reference NULL. Make it return -1 + instead like in other places. + +2007-05-04 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/handler.c: search a ph1 by address if iph2->ph1 is + NULL when validating the new config + + * src/racoon/handler.c: added some debug in getph1byaddr() to track + some port matching problems with NAT-T + + * src/racoon/isakmp.c: added some debug in isakmp_chkph1there() to + track some port matching problems with NAT-T + + * src/racoon/isakmp_inf.c: added some debug for DELETE_SA process + + * src/racoon/pfkey.c: Force the update of ph2 in pk_recvupdate() if + NAT_T support, to solve some port match problems with the first + IPSec SAs negociated as initiator + +2007-04-04 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/ipsec_doi.c: checks proto_id in ipsecdoi_chkcmpids() + + * src/racoon/oakley.c: dumps peer's ID and peer's certificate + subject /subjectaltname if they don't match + +2007-03-26 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/isakmp_inf.c: Store the DPD main scheduler in ph1 + handler, to be able to cancel it when removing the handler, and some + minor cleanups in DPD code + +2007-03-24 Christos Zoulas <christos@netbsd.org> + + * src/racoon/isakmp_xauth.c: PR/36069: Huang Yushuo: racoon can't + work with pam_group Set RUSER. + +2007-03-23 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/: ipsec_doi.c, security.c: From Joy Latten: fix a + segfault when using security labels between 32bit and 64bit host. + + * src/racoon/handler.c: expire zombie handlers in getph2byid(), to + avoid situations where we'll never negociate a phase2 again + + * src/racoon/: oakley.c, racoon.conf.5: From Cyrus Rahman: give + more details about what is checked when using certificates to + authenticate + +2007-03-22 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/: cfparse.y, ipsec_doi.c: fixed subnet check to + generate IPV4_ADDRESS when needed in sockaddr2id() + +2007-03-21 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/: handler.c, isakmp.c, isakmp_inf.c, pfkey.c: NULL + sched check is now done in SCHED_KILL + + * src/racoon/schedule.h: checks if arg is NULL in SCHED_KILL + +2007-03-15 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/grabmyaddr.c: From Yves-Alexis Perez: enable + monitoring of ipv6 address changes on Linux. + + * src/racoon/isakmp.c: Consider a negociation timeout when + retry_counter is <=0 instead of < 0 + +2007-02-28 Matthew Grooms <mgrooms@shrew.net> + + * src/racoon/ipsec_doi.c: Add logic to allow ip address ids to be + matched to ip subnet ids when appropriate. + +2007-02-21 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/ipsec_doi.c: block variable declaration before code in + ipsecdoi_id2str() + +2007-02-20 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/isakmp_inf.c: Removed a debug printf.... + + * src/racoon/isakmp.c: Only delete a generated SPD if it's creation + date matches the creation date of the SA we are currently deleting + + * src/racoon/: handler.c, isakmp_var.h: updated delete_spd() calls + + * src/racoon/: isakmp_inf.c, pfkey.c: fills creation date of + generated SPDs + + * src/racoon/policy.h: added 'created' var + +2007-02-19 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/isakmp.c: Removed a debug printf.... + +2007-02-16 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/ipsec_doi.c: From Olivier Warin: Fix a %zu in a + printf. + +2007-02-15 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/security.c: Missing SELinux file + + * configure.ac: Missing stuff for SELinux + +2007-02-15 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/isakmp_inf.c: From "Uncle Pedro" on sf.net: Just + expire a ph1 handle when receiving a DELETE-SA instead of calling + purge_remote(). + + * src/racoon/isakmp.c: Fixed the way phase1/2 messages are + sent/resent, to avoid zombie handles and acces to freed memory + +2007-02-02 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/cfparse.y: Fixed a check of NAT-T support in libipsec + +2007-02-01 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/isakmp_inf.c: From "Uncle Pedro" on sf.net: When + receiving an ISAKMP DELETE_SA, get the cookie of the SA to be + deleted from payload instead of just deleting the ISAKMP SA used to + protect the informational exchange. + +2006-12-26 Arnaud Lacombe <alc@netbsd.org> + + * src/racoon/ipsec_doi.c: CID-4167: check for 'iph1->approval != + NULL' + +2006-12-23 Thomas Klausner <wiz@netbsd.org> + + * src/racoon/racoon.conf.5: Use even more macros. + + * src/racoon/racoon.conf.5: Use more macros. + + * src/racoon/racoon.conf.5: Serial comma, and bump date for + previous. + +2006-12-18 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/crypto_openssl.c: From Joy Latten: fix a memory leak + +2006-12-10 Emmanuel Dreyfus <manu@netbsd.org> + + * src/: libipsec/Makefile.am, libipsec/libpfkey.h, + libipsec/pfkey.c, racoon/backupsa.c, racoon/cfparse.y, + racoon/pfkey.c: Bring back API and ABI backward compatibility + with previous libipsec before recent interface change. Bump libipsec + minor version. Remove ifdefs in struct pfkey_send_sa_args to avoid + ABI compatibility lossage. Add a capability flags to detect missing + optional feature in libipsec + + * src/racoon/: Makefile.am, doc/README.plainrsa: From Joy Latten: + README.plainrsa documenting plain RSA auth + +2006-12-09 Emmanuel Dreyfus <manu@netbsd.org> + + * configure.ac, src/libipsec/libpfkey.h, src/libipsec/pfkey.c, + src/racoon/Makefile.am, src/racoon/backupsa.c, + src/racoon/backupsa.h, src/racoon/cftoken.l, + src/racoon/ipsec_doi.c, src/racoon/ipsec_doi.h, + src/racoon/isakmp_inf.c, src/racoon/isakmp_quick.c, + src/racoon/pfkey.c, src/racoon/policy.c, src/racoon/policy.h, + src/racoon/proposal.c, src/racoon/proposal.h, + src/racoon/remoteconf.c: From Joy Latten: Add support for SELinux + security contexts. Also cleanup the libipsec interface for adding + and updating security associations. + + * src/racoon/racoon.conf.5: From Simon Chang: More hints about + plain RSA authentication + +2006-12-05 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/: proposal.c, proposal.h, racoon.conf.5: Check keys + length regarding proposal_check level + +2006-11-16 Matthew Grooms <mgrooms@shrew.net> + + * src/racoon/sainfo.c: Correct issues associated with anonymous + sainfo selection in racoon. + +2006-11-09 Christos Zoulas <christos@netbsd.org> + + * src/racoon/crypto_openssl.c: eliminate the only variable stack + array allocation. + +2006-10-31 Christian Biere <cbiere@netbsd.org> + + * src/racoon/sockmisc.c: Don't define the deprecated + IPV6_RECVDSTADDR if the "advanced IPv6 API" is used because + IPV6_RECVPKTINFO and IPV6_PKTINFO are used to prevent potential bugs + in the future just in case that the numeric value of the socket + option is ever recycled. + +2006-10-22 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/: backupsa.c, cfparse.y: From Michal Ruzicka: fix + typos + +2006-10-19 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/sainfo.c: From Matthew Grooms: use + ipsecdoi_chkcmpids() and changed src/dst to loc/rmt in getsainfo(). + + * src/racoon/: ipsec_doi.c, ipsec_doi.h: From Matthew Grooms: Added + ipsecdoi_chkcmpids() function. + +2006-10-09 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/proposal.c: Fix memory leak (Coverity 3438 and 3437) + + * src/racoon/isakmp_unity.c: Correctly check read() return value: + it's signed (Coverity 1251) + +2006-10-06 Emmanuel Dreyfus <manu@netbsd.org> + + * configure.ac, src/libipsec/pfkey_dump.c, src/racoon/algorithm.c, + src/racoon/algorithm.h, src/racoon/cftoken.l, + src/racoon/crypto_openssl.c, src/racoon/crypto_openssl.h, + src/racoon/eaytest.c, src/racoon/ipsec_doi.c, + src/racoon/ipsec_doi.h, src/racoon/oakley.h, src/racoon/pfkey.c, + src/racoon/racoon.conf.5, src/racoon/strnames.c, + src/setkey/setkey.8, src/setkey/test-pfkey.c, src/setkey/token.l: + Camelia cipher support as in RFC 4312, from Tomoyuki Okazaki + <okazaki@kick.gr.jp> + +2006-10-03 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/admin.c: fix endianness issue introduced yesterday + +2006-10-03 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/racoon.conf.5: Added remoteid/ph1id syntax + + * src/racoon/: cfparse.y, cftoken.l: Parses remoteid/ph1id values + + * src/racoon/: handler.c, isakmp_quick.c, pfkey.c, sainfo.c: Uses + remoteid/ph1id values + + * src/racoon/: remoteconf.h, sainfo.h: Added remoteid/ph1id values + +2006-10-02 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/isakmp_base.c: + avoid reusing free'd pointer (Coverity 2613) + + * src/racoon/isakmp_inf.c: Check for NULL pointer (COverity 4175) + + * src/racoon/isakmp_ident.c: Remove dead code (Coverity 3451) + + * src/racoon/algorithm.c: Fix array overrun (Coverity 4172) + + * src/racoon/admin.c: Fix memory leak (Coverity 2002) + + * src/racoon/: admin.c, isakmp.c, sockmisc.c: Fix memory leak + (Coverity 2001), refactor the code to use port get/set functions + + * src/racoon/admin.c: Avoid reusing free'd pointer (Coverity 4200) + + * src/racoon/oakley.c: Don't use NULL pointer (Coverity 3443), + reformat to 80 char/line + +2006-10-02 Tom Spindler <dogcow@netbsd.org> + + * src/racoon/ipsec_doi.c: If you're going to initialize a pointer, + you have to init it with a pointer type, not an int. + +2006-10-02 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/isakmp.c: Don't use NULL pointer (coverity 3439) + + * src/racoon/ipsec_doi.c: Don't use NULL pointer (Coverity 1334) + + * src/racoon/pfkey.c: Don't use NULL pointer (Coverity 944) + + * src/racoon/proposal.c: Don't use NULL pointer (Coverity 941) + + * src/racoon/racoonctl.c: Don't use NULL pointer (Coverity 942) + + * src/racoon/sockmisc.c: Don't use null pointer (Coverity 863) + +2006-10-01 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/ipsec_doi.c: FIx memory leak (Coverity 4181) + + * src/racoon/isakmp.c: Check that iph1->remote is not NULL before + using it (Coverity 3436) + +2006-09-30 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/isakmp_agg.c: emove dead code (Coverity 4165) + + * src/racoon/isakmp_cfg.c: Fix memory leak (Coverity 4179) + + * src/racoon/samples/roadwarrior/client/: phase1-down.sh, + phase1-up.sh: update the scripts for wrorking around routing + problems on NetBSD + + * src/racoon/session.c: Reuse existing code for closing IKE + sockets, and avoid screwing things by setting p->sock = -1, which is + not expected (Coverity 4173). + + * src/racoon/admin.c: Do not free id and key, as they are used + later + +2006-09-29 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/racoonctl.c: Fix the fix: handle_recv closes the + socket, so we must call com_init before sending any data. + +2006-09-28 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/isakmp_xauth.c: Fix unchecked mallocs (Coverity 4176, + 4174) + + * src/racoon/racoonctl.c: Fix access after free (Coverity 4178) + +2006-09-26 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/cfparse.y: Fix memory leak (Coverity) + + * src/racoon/backupsa.c: Fix memory leak (Coverity) + + * src/racoon/admin.c: Remove dead code (Coverity) + + * src/racoon/admin.c: Fix memory leak (Coverity) + + * src/racoon/admin.c: One more memory leak + + * src/racoon/admin.c: Fix memory leak in racoonctl (coverity) + + * src/racoon/ipsec_doi.c: Fix buffer overflow Also fix credits: SA + bundle fix was contributed by Jeff Bailey, not Matthew Grooms. + Matthew updated the patch for current code, though. + + * src/racoon/: pfkey.c, proposal.c: fix SA bundle (e.g.: for + negotiating ESP+IPcomp) + +2006-09-25 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/isakmp.c: From Yves-Alexis Perez: struct ip -> struct + iphdr for Linux + +2006-09-25 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/isakmp.c: style (mostly for testing + ipsec-tools-commits@netbsd.org) + + * src/racoon/ipsec_doi.c: Fix double free, from Matthew Grooms + +2006-09-21 Yvan Vanhullebus <vanhu@netasq.com> + + * src/libipsec/pfkey.c: use sysdep_sa_len to make it compile on + Linux + +2006-09-19 Thomas Klausner <wiz@netbsd.org> + + * src/racoon/racoon.conf.5: Bump date for ike_frag force. + + * src/racoon/: plainrsa-gen.8, racoon.conf.5: New sentence, new + line. + + * src/racoon/: racoon.conf.5, plainrsa-gen.8: Remove trailing + whitespace. + +2006-09-19 Yvan Vanhullebus <vanhu@netasq.com> + + * src/racoon/proposal.c: From Yves-Alexis Perez: fixes default + value for encmodesv in set_proposal_from_policy() + + * src/racoon/isakmp.c: always include some headers, as they are + required even without NAT-T + + * src/: libipsec/pfkey_dump.c, setkey/token.l: From Larry Baird: + define SADB_X_EALG_AESCBC as SADB_X_EALG_AES if needed + + * src/racoon/crypto_openssl.c: From Larry Baird: some printf() -> + plog() + +2006-09-18 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/: cfparse.y, cftoken.l, isakmp.c, isakmp_frag.h, + isakmp_inf.c, racoon.conf.5, remoteconf.c: From Matthew Grooms: + ike_frag force option to force the use of IKE on first packet + exchange (prior to peer consent) + + * src/racoon/isakmp.c: From Matthew Grooms: handle IKE frag used in + the first packet. That should not normally happen, as the initiator + does not know yet if the responder can handle IKE frag. However, in + some setups, the first packet is too big to get through, and + assuming the peer supports IKE frag is the only way to go. + + racoon should have a setting in the remote section to do taht + (something like ike_frag force) + +2006-09-16 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/ipsec_doi.c: Trivial bugfix in RFC2407 4.6.2 + conformance, from Matthew Grooms + +2006-09-15 Emmanuel Dreyfus <manu@netbsd.org> + + * src/racoon/ipsec_doi.c: Fix build on Linux + +For older changes see ChangeLog.old |