Aren/NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
df08b9e74a
NetBSD/crypto/dist/ipsec-tools/ChangeLog

1756 lines
65 KiB
Plaintext
Raw Normal View History

Add support for alrogithms with non OpenSSL default key sizes
2005-07-12 18:51:07 +04:00
2005-07-09 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/crypto_openssl.c: Fixed evp_crypt when using crypto
algorithms with variable key size but not OpenSSL default key
size.
Set IKE ports to 0 in SA when NAT-T is not in use. This fixes problems when NAT-T is disabled
2005-07-12 18:14:46 +04:00
2005-07-12 Emmanuel Dreyfus <manu@netbsd.org>
Add comments on how to use the hook scripts without NAT-T
2005-07-12 20:33:27 +04:00
* src/racoon/samples/roadwarrior/client/{pahse1-up.sh|phase1-down.sh}:
Add comments for using the scripts without NAT-T
Set IKE ports to 0 in SA when NAT-T is not in use. This fixes problems when NAT-T is disabled
2005-07-12 18:14:46 +04:00
* src/racoon/pfkey.c: Set IKE ports to 0 in the SA when NAT-T is not
used.
Don't use adminport when it is disabled
2005-07-12 18:15:39 +04:00
* src/racoon/{admin.c|session.c}: Don't use adminport if it is
disabled.
Set IKE ports to 0 in SA when NAT-T is not in use. This fixes problems when NAT-T is disabled
2005-07-12 18:14:46 +04:00
pkcs7 support
2005-07-12 18:12:20 +04:00
2005-07-01 Emmanuel Dreyfus <manu@netbsd.org>
From Uri <urimobile@optonline.net>
* src/racoon/oakley.c: pkcs7 support
NAT-T fix: We treat null ports in SPD as wildcard so that IKE ports are used instead. This was done on phase 2 initiation from the kernel (acquire message), but not on phase 2 initiation retries when the phase 2 had been queued for a phase 1.
2005-06-23 01:28:18 +04:00
2005-06-22 Emmanuel Dreyfus <manu@netbsd.org>
From Ludo Stellingwerff <ludo@protactive.nl>:
* src/racoon/isakmp.c: NAT-T fix: We treat null ports in SPD as
wildcard so that IKE ports are used instead. This was done on
phase 2 initiation from the kernel (acquire message), but not
on phase 2 initiation retries when the phase 2 had been queued
for a phase 1.
Add SHA2 support
2005-07-12 20:49:52 +04:00
2005-06-19 Emmanuel Dreyfus <manu@netbsd.org>
From Uri <urimobile@optonline.net> and Larry Baird <lab@gta.com>:
* src/libipsec/pfkey_dump.c src/setkey/test-pfkey.c
src/racoon/{algorithm.c|cftoken.l|eaytest.c|ipsec_doi.c}
src/racoon/{ipsec_doi.h|pfkey.c|strnames.c}: Add SHA2 support
Consume NAT-T packets that have already been seen through MSG_PEEK
2005-06-15 11:29:20 +04:00
2005-06-07 Emmanuel Dreyfus <manu@netbsd.org>
From Larry Baird <lab@gta.com>
* src/racoon/isakmp.c: consume NAT keepalive data already seen
with MSG_PEEK
Endianness bug fix
2005-06-05 01:55:05 +04:00
2005-06-06 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp_quick.c: endianness bug fix
Fix Xauth login with PAM authentication
2005-06-05 02:09:27 +04:00
From Frederic Senault <fred@lacave.net>
* src/racoon/privsep.c: fix Xauth login with PAM authentication
Missing 0th element in rm_idtype2doi array
2005-06-04 02:27:06 +04:00
2005-05-31 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/ipsec_doi.c: Inserted missing 0th element of
rm_idtype2doi array. Bug #1199700 fix.
When altering the lifetime, don't modify to configured proposal, duplicate it instead.
2005-05-20 04:54:55 +04:00
2005-05-20 Emmanuel Dreyfus <manu@netbsd.org>
Really delete phase 1 on Xauth failure
2005-05-20 11:34:47 +04:00
From Mike Robinson <sundialservices@users.sourceforge.net>
* src/racoon/isakmp_xauth.c: really delete phase 1 on Xauth failure
Fix NAT-T plus IPcomp
2005-05-20 05:28:13 +04:00
* src/libipsec/pfkey.c src/racoon/ipsec_doi.c: Fix NAT-T + IPcomp
From hgates <hgates.lists@gmail.com>
* src/racoon/proposal.c: fix SPI size test for IPcomp
When altering the lifetime, don't modify to configured proposal, duplicate it instead.
2005-05-20 04:54:55 +04:00
From Larry Baird <lab@gta.com>
* src/racoon/{handler.c|ipsec_doi.c|remoteconf.h|remoteconf.c}: When
altering lifetime, duplicate the proposal instead of modifying
the configured one.
Fix parse bug in IPsec policies
2005-05-20 04:57:33 +04:00
2005-05-14 Emmanuel Dreyfus <manu@netbsd.org>
* src/libipsec/policy_parse.y: fix parse bug in IPsec policies
- Fix a double free - For acquire messages, when NAT-T is in use, consider null port as a wildcard and use IKE port
2005-05-13 18:09:44 +04:00
2005-05-13 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp.c: For acquire messages, when NAT-T is in use,
consider null port as a wildcard and use IKE port
2005-05-13 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp.c: Fixed a double ph2handler free in
isakmp_ph2begin_i().
---------------------------------------------
0.6b2 released
proposal_check fixes: - fix claim behavior in phase 1 - also check lifebyte
2005-05-10 13:23:36 +04:00
2005-05-10 Emmanuel Dreyfus <manu@netbsd.org>
Update sample config file to higher security settings
2005-05-10 14:22:03 +04:00
* src/racoon/samples/roadwarrior/client/racoon.conf
src/racoon/samples/roadwarrior/server/{racoon.conf|racoon.conf-radius}
src/racoon/samples/roadwarrior/server/phase1-down.sh: removed file
src/racoon/samples/roadwarrior/README: update config files to
higher security settings. Remove now useless phase 1 down
script on server side.
proposal_check fixes: - fix claim behavior in phase 1 - also check lifebyte
2005-05-10 13:23:36 +04:00
* src/racoon/ipsec_doi.c: check for lifebyte in proposals
* src/racoon/ipsec_doi.c: fix a bug in proposal_check claim for phase 1
Add two Cisco extensions for pushing PFS group and save password setting throug ISAKMP mode config
2005-05-10 13:54:43 +04:00
* src/racoon/{cfparse.y|cftoken.l|racoon.conf.5|isakmp_cfg.c}
src/racoon/{isakmp_cfg.h|isakmp_unity.c}: add Cisco extensions for
pushing PFS group and save password setting through ISAKMP mode cfg
More NAT-T fixes for the situation where racoon acts as a VPN client Flush SA and generated SP on DPD timeout and deletion payloads
2005-05-08 12:57:26 +04:00
2005-05-07 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{admin.c|isakmp.c|isakmp_inf.c}: factor various
ISAKMP SA termination (for DPD timeouts and delete message) to
use purge_remote() so that SA and generated SPD get correctly flushed
* src/racoon/{handler.c|handler.h}: Introduce getph1byaddrwop() and
getph2bysaddr()
* src/racoon/{isakmp.c|isakmp_var.h|isakmp_inf.c|isakmp_inf.h}: make
purge_remote(), setcopeid() and delete_spd() public
* src/racoon/isakmp_quick.c: remove duplicated setscopeid()
* src/racoon/{sockmisc.c|sockmisc.h} introduce a CMPSADDR() macro
to compare with ports when ENABLE_NATT and without otherwise
* src/libipsec/{policy_parse.y|policy_token.l}
src/setkey/{setkey.8|token.l}: Allow ports to be supplied in SP
endpoints, for accurate ESP over UDP matching
* src/racoon/{isakmp.c|racoon.conf.5}: Send IKE local and remote
ports to the hook scripts
* src/racoon/remoteconf.c: do not honour ports when looking up
a remote config, as our remote config have no port information
* src/racoon/samples/roadwarrior/client/{phase1-up.sh|phase1-down.sh}:
use the IKE ports supplied by racoon to set up acurate endpoints
ports in SP endpoints
From Manisha Malla <mmanisha@novell.com>: fix unsigned int checked for being negative
2005-05-04 21:23:10 +04:00
2005-05-04 Emmanuel Dreyfus <manu@netbsd.org>
From Manisha Malla <mmanisha@novell.com>
* src/racoon/isakmp_cfg.c: fix unsigned int checked for being negative
on phase 2 acquire, lookup phase 2 by (src, dst, policy id) so that multiple SA can be used in transport mode While I'm there, patch ipsec-tools ChangeLog to reflect the changes we took from ipsec-tools-0_6-branch
2005-05-04 01:08:47 +04:00
2005-05-03 Emmanuel Dreyfus <manu@netbsd.org>
From Patrick McHardy <kaber@trash.net>
* src/racoon/{pfkey.c|handler.h|hendler.c}: on phase 2 acquire,
lookup phase 2 by (src, dst, policy id) so that multiple SA can
be used in transport mode
2005-04-26 Emmanuel Dreyfus <manu@netbsd.org>
From Larry Baird <lab@gta.com>
* src/racoon/nattraversal.c: Fix NAT-T initiator problem
2005-04-25 Emmanuel Dreyfus <manu@netbsd.org>
* src/libipsec/{ipsec_dump_policy.c|pfkey_dump.c|libpfkey.h}:
src/setkey/{setkey.8|setkey.c}: add a -p option to setkey to
enable the display of ESP over UDP ports in policies.
* src/racoon/{isakmp.c|isakmp_cfg.c|isakmp_inf.c|pfkey.c}: don't
forget port numbers so that mutiple clients behind the same NAT
can work.
* src/racoon/ipsec_doi.c: fix LP64 bug
From Larry Baird <lab@gta.com>
* src/racoon/{isakmp.c|nattraversal.c|isakmp_quick.c|nattraversal.h}:
NAT-T fixes for interoperability with greenbow VPN client.
2005-04-19 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/handler.h: added a flag to identify generated policies
* src/racoon/isakmp.c: changed logging in isakmp_ph1expire()
* src/racoon/isakmp_inf.c: use iph2->generated_spidx to check if
policy have been generated in purge_remote_spi()
* src/racoon/isakmp_quick.c: sets iph2->generated_spidx for
generated policies
* src/racoon/pfkey.c: reactivated the unbindph12() in pk_recvupdate()
2005-04-18 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/crypto_openssl.c: fixed single DES support;
2005-04-18 Emmanuel Dreyfus <manu@netbsd.org>
From Thomas Klausner <wiz@NetBSD.org>
* src/libipsec/{ipsec_set_policy.3|ipsec_strerror.3}
src/racoon/{admin.c|plainrsa-gen.8|racoon.8|racoon.conf.5|racoonctl.8}
src/racoon/samples/{racoon.conf.in|racoon.conf.sample}
src/racoon/samples/racoon.conf.sample-gssapi
src/racoon/samples/racoon.conf.sample-inherit
src/racoon/samples/racoon.conf.sample-natt
src/racoon/samples/racoon.conf.sample-plainrsa
src/racoon/samples/roadwarrior/README
src/racoon/samples/roadwarrior/server/phase1-down.sh
src/setkey/setkey.8: docmumentation fixes
From KAME
* src/racoon/ipsec_doi.c: wrong check on SA lifebyte
2005-04-10 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp_agg.c: fix a memory leak when using hybrid auth
* src/libipsec/{pfkey.c|pfkey_dump.c}
src/setkey/{token.l|parse.y|setkey.8}: missing bits for TCP_MD5
support, from KAME
2005-04-04 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp_cfg.c: fix a buffer overrun in mode config SET
---------------------------------------------
0.6b1 released
Updated ipsec-tools: 2005-03-16 Emmanuel Dreyfus <manu@netbsd.org> * src/racoon/{cftoken.l|localconf.h|privsep.c|racoon.conf.5} src/racoon/remoteconf.c: When running in privsep mode, check that private key and script paths match those given in the path section. 2005-03-15 Emmanuel Dreyfus <manu@netbsd.org> * src/racoon/{isakmp_cfg|isakmp_cfg.h|isakmp_xauth.c}: initialize RADIUS accounting at startup * src/racoon/privsep.c: fix minor bug in PAM cleanup * src/racoon/isakmp_cfg.c: only call cleanup_pam if PAM is used 2005-03-14 Emmanuel Dreyfus <manu@netbsd.org> * configure.ac: handle correctly dynamic libradius * src/racoon/cfparse.y: correctly initialize address pool
2005-03-17 02:51:44 +03:00
2005-03-16 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{cftoken.l|localconf.h|privsep.c|racoon.conf.5}
src/racoon/remoteconf.c: When running in privsep mode, check that
private key and script paths match those given in the path section.
2005-03-15 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{isakmp_cfg|isakmp_cfg.h|isakmp_xauth.c}: initialize
RADIUS accounting at startup
* src/racoon/privsep.c: fix minor bug in PAM cleanup
* src/racoon/isakmp_cfg.c: only call cleanup_pam if PAM is used
Import ipsec-tools ipsec-tools-0_6-20050314
2005-03-14 11:14:24 +03:00
2005-03-14 Emmanuel Dreyfus <manu@netbsd.org>
* configure.ac: handle correctly dynamic libradius
Updated ipsec-tools: 2005-03-16 Emmanuel Dreyfus <manu@netbsd.org> * src/racoon/{cftoken.l|localconf.h|privsep.c|racoon.conf.5} src/racoon/remoteconf.c: When running in privsep mode, check that private key and script paths match those given in the path section. 2005-03-15 Emmanuel Dreyfus <manu@netbsd.org> * src/racoon/{isakmp_cfg|isakmp_cfg.h|isakmp_xauth.c}: initialize RADIUS accounting at startup * src/racoon/privsep.c: fix minor bug in PAM cleanup * src/racoon/isakmp_cfg.c: only call cleanup_pam if PAM is used 2005-03-14 Emmanuel Dreyfus <manu@netbsd.org> * configure.ac: handle correctly dynamic libradius * src/racoon/cfparse.y: correctly initialize address pool
2005-03-17 02:51:44 +03:00
* src/racoon/cfparse.y: correctly initialize address pool
Import ipsec-tools ipsec-tools-0_6-20050314
2005-03-14 11:14:24 +03:00
2005-03-13 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp.c: Fixed a buffer underrun (CAN-2005-0398)
2005-03-09 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp_xauth.c: fix a crash when using RADIUS auth
2005-03-02 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp_quick.c: tunnel_mode_prop() is now public
* src/racoon/isakmp_inf.c: fixed compilation if HAVE_POLICY_FWD.
2005-03-01 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/oakley.c: fixed oakley_newiv2() when errors
Import ipsec-tools ipsec-tools-0_6-20050224
2005-02-24 23:52:25 +03:00
2005-02-24 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/privsep.c: safety check port numbers given by the
unprivilegied instance.
* src/libipsec/libpfkey.h: prefer __inline to inline
* src/racoon/racoonctl.8: display fixes in racoonctl(8)
* src/racoon/{cfparse.y|cftoken.l|localconf.c|localconf.h|privsep.c}
src/racoon/racoon.conf.5: Add chroot capability
Import ipsec-tools 0.6 branch as of 2005/02/23. News from last imported version according to ipsec-tools' ChangeLog: 2005-02-23 Emmanuel Dreyfus <manu@netbsd.org> * configure.ac, src/racoon/{Makefile.am|crypto_openssl.c}: optionnal support for patented algorithms: IDEA and RC5. * src/racoon/{isakmp_xauth.c|main.c}: don't initialize RADIUS if it is not required in the configuration * src/racoon/isakmp.c: do not reject addresses for which kernel refused UDP encapsulation, they can still be used for non NAT-T traffic (eg: NAT-T enabled racoon on non NAT-T enabled kernel) 2005-02-18 Emmanuel Dreyfus <manu@netbsd.org> * src/racoon/{main.c|eaytest.c|plairsa-gen.c} src/setkey/setkey.c: don't use fuzzy paths for package_version.h 2005-02-18 Yvan Vanhullebus <vanhu@free.fr> * src/racoon/isakmp_inf.c: Purge generated SPDs when getting a related DELETE_SA * src/racoon/pfkey.c: do NOT unbindph12() when SA acquire 2005-02-17 Emmanuel Dreyfus <manu@netbsd.org> From Fred Senault <fred.letter@lacave.net> * src/racoon/remoteconf.c: Fix a bug in script init 2005-02-17 Yvan Vanhullebus <vanhu@free.fr> * src/racoon/ipsec_doi.c: Workaround for phase1 lifetime checks 2005-02-15 Michal Ludvig <michal@logix.cz> * configure.ac: Changed --enable-natt_NN to --enable-natt-versions=NN,NN
2005-02-23 17:53:33 +03:00
2005-02-23 Emmanuel Dreyfus <manu@netbsd.org>
* configure.ac, src/racoon/{Makefile.am|crypto_openssl.c}: optionnal
support for patented algorithms: IDEA and RC5.
* src/racoon/{isakmp_xauth.c|main.c}: don't initialize RADIUS if it
is not required in the configuration
* src/racoon/isakmp.c: do not reject addresses for which kernel
refused UDP encapsulation, they can still be used for non NAT-T
traffic (eg: NAT-T enabled racoon on non NAT-T enabled kernel)
2005-02-18 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{main.c|eaytest.c|plairsa-gen.c}
src/setkey/setkey.c: don't use fuzzy paths for package_version.h
2005-02-18 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp_inf.c: Purge generated SPDs when getting a
related DELETE_SA
* src/racoon/pfkey.c: do NOT unbindph12() when SA acquire
2005-02-17 Emmanuel Dreyfus <manu@netbsd.org>
From Fred Senault <fred.letter@lacave.net>
* src/racoon/remoteconf.c: Fix a bug in script init
2005-02-17 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/ipsec_doi.c: Workaround for phase1 lifetime checks
2005-02-15 Michal Ludvig <michal@logix.cz>
* configure.ac: Changed --enable-natt_NN to --enable-natt-versions=NN,NN
Import ipsec-tools (tag ipsec-tools-0_6-base in ipsec-tools CVS) ipsec-tools is a fork from KAME racoon/libipsec/setkey, with many enhancements.
2005-02-12 14:11:11 +03:00
---------------------------------------------
Branch for 0.6 created (ipsec-tools-0_6-branch)
2005-02-11 Emmanuel Dreyfus <manu@netbsd.org>
From Jason Thorpe <thorpej@netbsd.org>
* src/raccon/samples/racoon.conf.sample-gssapi
src/racoon/{cfparse.y|cftoken.l|gssapi.c|gssapi.h|ipsec_doi.c}
src/racoon/{localconf.c|localconf.h|racoon.conf.5}
configure.ac: Multiple GSSAPI fixes to get interoperability
with Microsoft IKE.
2005-02-09 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{cfparse.y|isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c}
src/racoon/{isakmp_xauth.h|main.c|privsep.c|privsep.h}
src/racoon/racoon.conf.5: Make PAM work with privilege separation
2005-02-07 Michal Ludvig <michal@logix.cz>
From Krisztian Kovacs:
* src/racoon/cfparse.y: Allocate correct space for "struct sockaddr".
2005-01-30 Yvan Vanhullebus <vanhu@free.fr>
Import ipsec-tools 0.6 branch as of 2005/02/23. News from last imported version according to ipsec-tools' ChangeLog: 2005-02-23 Emmanuel Dreyfus <manu@netbsd.org> * configure.ac, src/racoon/{Makefile.am|crypto_openssl.c}: optionnal support for patented algorithms: IDEA and RC5. * src/racoon/{isakmp_xauth.c|main.c}: don't initialize RADIUS if it is not required in the configuration * src/racoon/isakmp.c: do not reject addresses for which kernel refused UDP encapsulation, they can still be used for non NAT-T traffic (eg: NAT-T enabled racoon on non NAT-T enabled kernel) 2005-02-18 Emmanuel Dreyfus <manu@netbsd.org> * src/racoon/{main.c|eaytest.c|plairsa-gen.c} src/setkey/setkey.c: don't use fuzzy paths for package_version.h 2005-02-18 Yvan Vanhullebus <vanhu@free.fr> * src/racoon/isakmp_inf.c: Purge generated SPDs when getting a related DELETE_SA * src/racoon/pfkey.c: do NOT unbindph12() when SA acquire 2005-02-17 Emmanuel Dreyfus <manu@netbsd.org> From Fred Senault <fred.letter@lacave.net> * src/racoon/remoteconf.c: Fix a bug in script init 2005-02-17 Yvan Vanhullebus <vanhu@free.fr> * src/racoon/ipsec_doi.c: Workaround for phase1 lifetime checks 2005-02-15 Michal Ludvig <michal@logix.cz> * configure.ac: Changed --enable-natt_NN to --enable-natt-versions=NN,NN
2005-02-23 17:53:33 +03:00
* src/racoon/vmbuf.c: bugfix in vrealloc()
Import ipsec-tools (tag ipsec-tools-0_6-base in ipsec-tools CVS) ipsec-tools is a fork from KAME racoon/libipsec/setkey, with many enhancements.
2005-02-12 14:11:11 +03:00
* src/racoon/oakley.c: mem leak fix in INITDHVAL()
* src/racoon/session.c: mem leak fix in check_flushsa()
2005-01-29 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp_{ident|agg}.c: NAT-T cleanup
* src/racoon/pfkey.c: Uses NATT encaps_type in pk_sendupdate()
* src/racoon/vendorid.[ch]: NAT-T cleanup, NATT_01 VID
* src/racoon/nattraversal.[ch]: NATT cleanup, support for all
drafts (disabled by default) / RFC.
* src/racoon/isakmp.h: NATT cleanup for NATT RFC support
* src/racoon/ipsec_doi.h: updated comments about NATT
* configure.ac: enable-natt_XX options
* src/racoon/isakmp.c: set UDP_ENCAPS_ESPINUDP_NON_IKE option when needed
2005-01-29 Emmanuel Dreyfus <manu@netbsd.org>
From Fred Senault <fred@lacave.net>
* src/racoon/pfkey.c: Update SAD even if NAT-T is disabled, so that
phase2 can start.
2005-01-23 Emmanuel Dreyfus <manu@netbsd.org>
* src/setkey/{sekkey.8|setkey.c|token.l|parse.y}: implement NetBSD's
SADB_X_AALG_TCP_MD5. Resurrect setkey -h meaning on NetBSD.
2005-01-22 Emmanuel Dreyfus <manu@netbsd.org>
From Fred Senault <fred@lacave.net>
* src/racoon/{cftoken.l|cfparse.y|raccon.conf.5}
src/racoon/samples/roadwarrior/README: change "my_identifier login"
into "xauth_login" in the config file so that we can introduce Xauth
with a pre-shared key later.
2005-01-21 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/samples/roadwarrior/client/{phase1-up.sh|phase1-down.sh}:
workaround Linux problems. This needs a better fix.
2005-01-18 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/privsep.c: build without ENABLE_HYBRID
2005-01-14 Emmanuel Dreyfus <manu@netbsd.org>
* src/raccon/rfc/{rfc3947.txt|rfc3948.txt}: new files (NAT-T)
2005-01-13 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/ipsec_doi.c: Uses proposal_check value to check phase
1 lifetime.
* src/racoon/racoon.conf.5: Updated racoon man page for phase 1
lifetime check / proposal_check.
2005-01-11 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakjmp_quick.c: endianness bugfix from KAME
2005-01-07 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{cfparse.y|cftoken.l|nattraversal.h|pfkey.c}
src/racoon/{racoon.conf.5|remoteconf.c|remoteconf.h}
src/libipsec/{libpfkey.h|pfkey.c}: ESP fragmentation size is
now configurable (supported only on NetBSD so far).
2005-01-05 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/privsep.c: Build again on Linux with privsep
2005-01-03 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c|isakmp_xauth.h}
src/racoon/{cfparse.y|cftoken.l|racoon.conf.5}
src/racoon/doc/FAQ
configure.ac: PAM support for authentication and accounting in
hybrid auth
2005-01-02 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/admin.c: never fork, it buys nothing an break on some
operations
2004-12-30 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{Makefile.am|admin.h|cfparse.y|cftoken.l|isakmp.c}
src/racoon/{isakmp_cfg.c|isakmp_cfg.h|isakmp_var.h| isakmp_xauth.c}
src/racoon/{localconf.c|localconf.h|main.c|oakley.c|pfkey.c}
src/racoon/{racoon.conf.5|remoteconf.c|remoteconf.h|session.c}
src/racoon/{privsep.c|privsep.h}: new files
Privilege separation
* src/racoon/{Makefile.am|admin.h|admin_var.h|kmpstat.c}
src/racoon/{racoonctl.c|racoonctl.h}: new files
configure.ac: publically export the adminport interface so that
external program can control racoon
* src/racoon/{racoonctl.c|racoonctl.h|kmpstat.c}: Add interface
versionning
* src/racoon/admin.h: make sure no / will be missing in adminsock path
---------------------------------------------
Branch for 0.5 created (ipsec-tools-0_5-branch)
2004-12-23 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/crypto_openssl.c: Indentation
2004-12-28 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/crypto_openssl.c: Fixed eay_get_x509subjectaltname()
when getting an IP (Bug # 1092095)
2004-12-26 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/session.c: remove outdated comment
---------------------------------------------
0.5.beta2 released
2004-12-21 Michal Ludvig <michal@logix.cz>
* src/racoon/pfkey.c: Fix AES vs Rijndael defines.
2004-12-20 Yvan Vanhullebus <vanhu@free.fr>
* configure.ac, src/racoon/isakmp.c, src/racoon/pfkey.c:
Some FreeBSD / NATT support.
2004-12-17 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp.c: only IPv4 NAT-T is supported, so skip IPv6 here.
* src/racoon/pfkey.c: Restore AES support on NetBSD.
2004-12-17 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/crypto_openssl.c: Uses sprintf() instead of
asprintf() in eay_get_x509subjectaltname(), because of some
compilation problems reported with asprintf() on some platforms.
* src/racoon/oakley.c: just take the first cert in
oakley_savecert() if cert ID check is disabled.
2004-12-16 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/crypto_openssl.c: Build again on NetBSD
* src/racoon/samples/roadwarrior/server/racoon
src/racoon/samples/roadwarrior/server/racoon.conf-radius
src/racoon/samples/roadwarrior/README: Use DPD in sample files.
2004-12-16 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/crypto_openssl.c: Fixed eay_get_x509subjectaltname()
when SubjectAltName contains an IP. OpenSSL code from Ludovic
Flament (ludovic.flament@free.fr).
---------------------------------------------
0.5.beta1 released
2004-12-13 Michal Ludvig <mludvig@suse.cz>
From Ganesan R <rganesan@users.sourceforge.net>:
* src/racoon/Makefile.am, src/setkey/Makefile.am: Fix compilation
with shared libraries.
2004-12-10 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/oakley.c: takes the first certificate which matches
the Identity, instead of just taking the first certificate.
2004-12-07 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp_inf.c: Set spi_size for R-U-THERE/R-U-THERE-ACK.
2004-12-04 Aidas Kasparas <a.kasparas@gmc.lt>
* src/libipsec/pfkey_dump.c: distinguish per-socket policies from
general ones (Linux case);
* src/racoon/pfkey.c: dito, do not negotiate policies if racoon
do not listen on out tunnel's source address.
2004-12-01 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp_agg.c: code cleanup in NATT / DPD VIDs
generation in r1send()
2004-12-01 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/remoteconf.{c|h}: DPD support option (enabled by default)
* src/racoon/{cfparse.y|cftoken.l}: DPD token, yyerror if DPD
parameters but compiled without ENABLE_DPD
* src/racoon/isakmp_{agg|ident}.c: Send DPD VID only if DPD
support activated in configuration
2004-11-30 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon{evt.c|evt.h|admin.c}: init event queue at compile time,
to avoid garbage pointer if admin port is disabled.
* src/racoon/{throttle.c|throttle.h}: new files
src/racoon/{Makefile.am|isakmp_cfg.c|isakmp_xauth.c|racoon.conf.5}
configure.ac: Add a per-host throttling count. When throttling,
don't sleep, schedule the answer for later instead.
* src/racoon/kmpstat.c: default with no hexdump of the packet
* src/racoon/admin.c: don't remove admin socket after first request,
on the other hand remove on startup stale sockets left by
crashed racoon.
* src/racoon/samples/roadwarrior/README
src/racoon/kmpstat.c: fix option parsing problem on Linux
2004-11-29 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/session.c: Only listen on pfkey socket when received
shutdown signal
2004-11-28 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h}
src/racoon/{isakmp_xauth.c|racoon.conf.5}: Add a one second throttle
on each Xauth authentication to avoid brute force attacks
2004-11-24 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/samples/roadwarrior/README
src/racoon/samples/roadwarrior/client{phase1-up.sh|phase1-down.sh}
src/racoon/samples/roadwarrior/client/{racoon.conf|racoon.conf-radius}
src/racoon/samples/roadwarrior/server/{racoon.conf|phase1-down.sh}:
Fill Linux gaps for hybrid auth client, Replace public IP by
private and example IP in the sample config files.
2004-11-24 Emmanuel Dreyfus <manu@netbsd.org>
DPD patch from Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/cfparse.y: missing bits for DPD support
2004-11-23 Aidas Kasparas <a.kasparas@gmc.lt>
* src/setkey/parse.y: generate require fwd policies for unique in
policies.
* src/setkey/setkey.c: made -r/-k options awailable only when
system has FWD policies.
* src/setkey/setkey.8: updated docs about change above.
2004-11-22 Michal Ludvig <mludvig@suse.cz>
* src/racoon/{admin.c,pfkey.c}: Wrap adminport-parts to
#ifdef ENABLE_ADMINPORT/#endif.
2004-11-22 Michal Ludvig <mludvig@suse.cz>
Revert these changes (ludvigm, 2004-11-18):
* src/racoon/Makefile.am: install sample racoon.conf and psk.txt.
* src/setkey/Makefile.am: Install setkey.conf.
2004-11-22 Emmanuel Dreyfus <manu@netbsd.org>
* src/raccon/{isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c}: defer phase 1
removal so that it's not used after been deleted.
* src/racoon/{evt.h|isakmp.c|isakmp_agg.c|isakmp_base.c|session.c}
src/racoon/{isakmp_ident.c|isakmp_inf.c|kmpstat.c}: report more
errors to racoonctl
2004-11-21 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/doc/FAQ: NAT-T kernel patch for NetBSD is now on
the ipsec-tools web site
* src/racoon/{kmpstat.c|racoonctl.8}: New racoonctl command to
display all events reported by racoon: show-event
* src/racoon/isakmp_cfg.c: don't send ISAKMP mode config message
with immature or dying phase 1
* src/racoon/kmpstat.c: racoonctl vd awaits phase 1 to get down
2004-11-20 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp_agg.c: for hybrid auth client, advertise ourself
as Unity compliant.
* src/racoon/{evt.c|evt.h}: new files
src/racoon/{Makefile.am|admin.c|admin.h|isakmp.c|isakmp_cfg.c}
src/racoon/{isakmp_xauth.c|kmpstat.c|pfkey.c}: framework for
event reporting from racoon to racoonctl
2004-11-20 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/grabmyaddr.c: Prevent doubling addresses and error messages
when racoon is compiled with INET6 support and kernel is not.
Fixed with help of Zilvinas Valinskas.
* src/racoon/{var.h|sockmisc.c}: Fixed compilation with gcc-3.4.2+
problem.
2004-11-19 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/doc/FAQ: more options and warn about software patents.
2004-11-18 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/vmbuf.c: don't allocate zero-length buffer
* src/racoon/samples/roadwarrior/client/phase1-down.sh
src/racoon/samples/roadwarrior/server/phase1-down.sh: Also
flush SAD when disconnecting.
* src/racoon/admin.c: Send a notification when deleting ISAKMP SA
* src/racoon/samples/roadwarrior/README: accomodate the recent
sysconfdir change
2004-11-18 Michal Ludvig <mludvig@suse.cz>
* src/racoon/Makefile.am: Fix adminsocket dir, install sample
racoon.conf and psk.txt.
* src/racoon/localconf.h: Look for racoon.conf in $(SYSCONFDIR),
not $(SYSCONFDIR)/racoon.
* src/racoon/algorithm.h, src/racoon/eaytest.c,
src/racoon/schedule.h, src/racoon/gnuc.h: Build fixes for really
strict environments.
* src/setkey/setkey.conf: Yet another sample config file.
* src/setkey/Makefile.am: Install setkey.conf.
* rpm/suse/{ipsec-tools.spec.in,sysconfig.racoon,racoon.init}: New
files.
* rpm/suse/{Makefile.am,.cvsignore}: New files.
* configure.ac, rpm/Makefile.am: Build in rpm/suse.
2004-11-17 Aidas Kasparas <a.kasparas@gmc.lt>
* configure.ac: paste bugfix by Zilvinas Valinskas
* src/racon/{isakmp_quick.c|policy.c|strnames.c}: fwd policy support
for generated policies. Path by Patrick McHardy.
2004-11-16 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/racoonctl.8: racoonctl man page (new file)
2004-11-16 Emmanuel Dreyfus <manu@netbsd.org>
From Ganesan <rganesan@users.sourceforge.net>
* src/racoon/ipsec_doi.c: fix free'd memory access
2004-11-16 Michal Ludvig <mludvig@suse.cz>
DPD patch from Yvan Vanhullebus <vanhu@free.fr>
* configure.ac, src/racoon/cfparse.y, src/racoon/cftoken.l,
src/racoon/handler.c, src/racoon/handler.h,
src/racoon/isakmp.c, src/racoon/isakmp.h,
src/racoon/isakmp_agg.c, src/racoon/isakmp_ident.c,
src/racoon/isakmp_inf.c, src/racoon/isakmp_inf.h,
src/racoon/racoon.conf.5 src/racoon/remoteconf.c,
src/racoon/remoteconf.h, src/racoon/vendorid.c,
src/racoon/vendorid.h: Dead Peer Detection (DPD) support.
2004-11-16 Michal Ludvig <mludvig@suse.cz>
* configure.ac: Remove a bash-specific construction, take II.
* src/racoon/grabmyaddr.c: FreeBSD fix for headers.
2004-11-15 Michal Ludvig <mludvig@suse.cz>
* configure.ac: Use correct include paths during ./configure run.
* src/racoon/Makefile.am: Compile cftoken.l from $(srcdir),
remove samples/racoon.conf.sample-cvpn, added samples/roadwarrior
(hint, hint, manu :-))
2004-11-15 Emmanuel Dreyfus <manu@netbsd.org>
* README: update the docs
* src/racoon/doc/FAQ: update the docs
* configure.ac: Remove a bash-specific construction
2004-11-14 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/cfparse.y: ensure that returns from rules are
initialized even on erroneous config file.
* src/racoon/admin_var.h: changed management socket location
* src/racoon/Makefile.am: ditto, added rule to install directory
for management socket.
* src/setkey/{setkey.c|parse.y}: introduced rfc/kernel modes,
added generation of fwd policies for every in policy spdadd'ed.
* src/setkey/setkey.8,src/libipsec/ipsec_set_policy.3: updated docs
* src/setkey/policy_token.l: return something reasonable when
fwd direction is parsed on systems with no forward policy
support.
2004-11-14 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp.c: avoid a double free when using IKE fragmentation
* src/racoon/{backupsa.c|ipsec_doi.c|localconf.c|str2val.c}
src/{libipsec/key_debug.c|setkey/parse.y}: fix build warnings
* configure.ac src/racoon/{admin.c|admin_var.h}
src/racoon/racoon.conf.5 src/racoon/samples/roadwarrior/README
src/racoon/samples/roadwarrior/client/racoon.conf: make the default
mode for the admin socket more secure.
2004-11-13 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{cfparse.y|remoteconf.c|crypto_openssl.c|crypto_openssl.h}
src/racoon/{eaytest.c|oakley.c|racoon.conf.5|cftoken.l|remoteconf.h}
src/racoon/samples/roadwarrior/README
src/racoon/samples/roadwarrior/client/racoon.conf: Make the root
certificate authority location per-peer and configurable.
* src/racoon/isakmp_frag.c: fix unallocated memory access
* src/racoon/isakmp_agg.c: fix incorrect queue deallocation
* src/racoon/remoteconf.c: fix uninitialized data
* src/racoon/{admin.c|isakmp_xauth.c}: fix free'ed memory access
2004-11-12 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{Makefile.am|kmpstat.c}: Make racoonctl vc and vd
commands IPv6 friendly.
* src/racoon/{admin.c|admin.h|handler.c|handler.h|kmpstat.c}:
Add an admin message to flush all the SA for a given peer.
Convert racoonctl vd to use it.
* src/racoon/{admin.c|kmpstat.c|cftoken.l|cfparse.y}
src/racoon/{admin_var.h|admin.h|raccon.conf.5}: Enable the
administrator to choose the admin socket path, ownership and mode.
* src/racoon/sample/roadwarrior: complete config files for
road warriors using hybrid authentication.
2004-11-12 Michal Ludvig <mludvig@suse.cz>
* configure.ac: Config option --enable-natt=kernel
* src/racoon/Makefile.am: Distribute only yacc/lex source files,
not the preprocessed .c files.
2004-11-11 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/samples/racoon.conf.sample-cvpn: more complete setup
and comments in the VPN concentrator setup for the Cisco VPN client
* src/racoon/racoon.conf.5: fix documentation
* src/racoon/isakmp_cfg.c: get the internal IPv4 address in script
hooks event if we are a server.
2004-11-10 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{ipsec_doi.c|remoteconf.c}: fix LP64 problems
2004-11-09 Michal Ludvig <mludvig@suse.cz>
* Makefile.am: Remove aclocal-related lines.
* src/racoon/Makefile.am: Add isakmp_frag.h into noints_HEADERS
* configure.ac: Cleanup, define INET6 if IPv6 shoud be supported,
better handling of KRB5 and NAT-T.
* src/racoon/{isakmp_cfg.c,isakmp_frag.c,isakmp_unity.c}: Make
FreeBSD happy with includes (Arrgh...&^#$^@!!!)
2004-11-08 Michal Ludvig <mludvig@suse.cz>
* src/libipsec/policy_parse.y: Define INT32_MAX/INT32_MIN.
* src/libipsec/policy_token.l, src/racoon/kmpstat.c,
src/racoon/{pfkey.c,prsa_par.y,rsalist.c,token.l}: Small
fixes to support FreeBSD (tested with 4.10).
2004-11-05 Michal Ludvig <mludvig@suse.cz>
* configure.ac: Add --with-readline switch.
* src/setkey/setkey.c(stdin_loop): Fix newlines and comments
when compiled without readline.
2004-11-01 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/isakmp_quick.c: generated policy refresh patch
by Yvan Vanhullebus
2004-10-29 Michal Ludvig <mludvig@suse.cz>
* configure.ac: Check for IPSEC_DIR_FWD and eventually define
HAVE_POLICY_FWD.
* src/libipsec/{ipsec_dump_policy.c,policy_token.l}: Use
HAVE_POLICY_FWD in ifdefs.
* NEWS: Mention the fix.
* src/racoon/kmpstat.c: Fix compilation on Linux.
* src/racoon/ipsec_doi.h: Ditto.
* src/racoon/Makefile.am, src/setkey/Makefile.am: Update
explicit dependencies.
2004-10-29 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{isakmp_cfg.h,grabmyaddr.c,handler.c,handler.h}:
do not reconfigure internal addresses obtained through ISAKMP
mode config.
* src/racoon/{isakmp.c,isakmp_cfg.c,isakmp_xauth.c}: On authentication
failure, kill the phase 1 and log the failure. Do not run the sa_up
script in this case.
* src/racoon/{admin.c,admin.h,isakmp_xauth.c,kmpstat.c,remoteconf.h}:
Add -u user to racoonctl establish-sa, prompt for the PSK from
the terminal, and add a vpn-connect target with simplified syntax
for establishing a SA in the road warrior case.
* src/racoon/{admin.c,kmpstat.c}: implement delete-sa and
vpn-disconnect commands of racoonctl
* src/racoon/{cfparse.y,cftoken.l,handler.c,isakmp.c,isakmp_cfg.c}
src/racoon/{isakmp_var.h,racoon.conf.5,remoteconf.c,remoteconf.h}:
Remove sa_up and sa_down and replace them by a more general
script hook framework.
2004-10-27 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/nattraversal.c: Use macros instead of magic numbers
* src/racoon/kmpstat.c: pull up fixes from KAME so that racoonctl
can actually establish a SA
* src/racoon/{cfparse.y,cftoken.l,handler.c,isakmp.c,isakmp_cfg.c}
src/racoon/{isakmp_var.h,racoon.conf.5,remoteconf.c,remoteconf.h}:
Shell script hooks for ISAKMP SA creation and removal
2004-10-26 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/rfc/draft-ietf-ipsec-isakmp-hybrid-auth-05.txt: removed
src/racoon/rfc/draft-ietf-ipsec-isakmp-mode-cfg-04.txt: removed
src/racoon/rfc/draft-beaulieu-ike-xauth-02.txt: new file
src/racoon/rfc/draft-dukes-ike-mode-cfg-02.txt: new file
Update to the latest drafts
2004-10-25 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/rfc/draft-ietf-ipsec-isakmp-hybrid-auth-05.txt: new file
src/racoon/rfc/draft-ietf-ipsec-isakmp-mode-cfg-04.txt: new file
src/racoon/rfc/draft-ietf-ipsec-isakmp-xauth-07.txt: new file
drafts documenting ISAKMP mode config, Xauth and hybrid auth
* src/racoon/cftoken.l: fix build problem, add an error message
when using hybrid auth options while hybrid auth is not built
* src/racoon/isakmp_cfg.c: build without RADIUS support too
2004-10-24 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{algorithm.c,algorithm.h,cfparse.y,cftoken.l}
src/racoon/{ipsec_doi.c,ipsec_doi.h,isakmp.c,isakmp_agg.c}
src/racoon/{isakmp_cfg.c,isakmp_cfg.h,isakmp_xauth.c,isakmp_xauth.h}
src/racoon/{oakley.c,oakley.h,racoon.conf.5}
src/racoon/{remoteconf.c,remoteconf.h,strnames.c}: Client side
of hybrid auth and ISAKMP mode config
2004-10-24 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{cfparse.y,cftoken.l,handler.h,isakmp.c}
src/racoon/{isakmp_agg.c,isakmp_base.c,isakmp_frag.c,isakmp_frag.h}
src/racoon/{isakmp_inf.c,racoon.conf.5,remoteconf.c,remoteconf.h}:
Receiver-side of IKE fragmentation
2004-10-24 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp_cfg.c: Fix read buffer overflow
* src/racoon/isakmp_xauth.c: Fix weak authentication
* src/racoon/{oakley.c,oakley.h}: Fix weak authentication
2004-10-21 Michal Ludvig <mludvig@suse.cz>
From Emmanuel Dreyfus:
* src/racoon/{isakmp_frag.c,isakmp_frag.h}: New files.
* src/racoon/isakmp_cfg.c: Fix endianness.
2004-10-20 Michal Ludvig <mludvig@suse.cz>
From Emmanuel Dreyfus:
* src/racoon/{cfparse.y,cftoken.l,handler.c},
src/racoon/{isakmp_cfg.c,isakmp_cfg.h,isakmp_xauth.c},
src/racoon/racoon.conf.5: RADIUS IP addresses allocation
and RADIUS accounting.
* configure.ac,
src/racoon/{Makefile.am,handler.h,isakmp.c,isakmp.h},
src/racoon/{isakmp_agg.c,isakmp_base.c,isakmp_inf.c},
src/racoon/{vendorid.c,vendorid.h}: IKE Fragmentation patch.
2004-10-08 Michal Ludvig <mludvig@suse.cz>
* src/racoon/isakmp_cfg.c: Fixes from Emmanuel Dreyfus.
2004-10-06 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/remoteconf.c: dupidvl(), dupetypes() - new functions
to duplicate dynamically allocatd structures; duprmconf() - call
these functions to produce private copy of inherited id and etype
structures.
* src/racoon/remoteconf.c: declaration for dupetypes().
2004-10-04 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/cfparse.y: check inherited_from dereferencing
* src/racoon/crypto_openssl.c: prevent crash on incorect DNs
2004-09-27 Michal Ludvig <mludvig@suse.cz>
From KOVACS Krisztian <hidden@balabit.hu>:
* src/racoon/sockmisc.c(sendfromto): Set src address.
2004-09-24 Aidas Kasparas <a.kasparas@gmc.lt>
* configure.ac: added check for linux-gnu, as my box reports
* src/racoon/grabmyaddr.c: added missing <linux/types.h> include
2004-09-21 Michal Ludvig <mludvig@suse.cz>
Merged 'autoconf' branch to mainline:
* .cvsignore, ChangeLog, Makefile.am, bootstrap, configure.ac,
src/racoon/.cvsignore, src/racoon/cfparse.y,
src/racoon/crypto_openssl.c, src/racoon/crypto_openssl.h,
src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
src/racoon/isakmp_cfg.c, src/racoon/isakmp_ident.c,
src/racoon/isakmp_unity.c, src/racoon/main.c,
src/racoon/nattraversal.c, src/racoon/oakley.c,
src/racoon/oakley.h, src/racoon/sockmisc.c,
src/racoon/missing/crypto/sha2/sha2.c: Modified (see ChangeLog
in 'autoconf' branch for details).
* acracoon.m4, src/racoon/Makefile.am: New files.
* src/racoon/Makefile.in, src/racoon/aclocal.m4,
src/racoon/client-puzzle.c, src/racoon/config.guess,
src/racoon/config.sub, src/racoon/configure.in,
src/racoon/install-sh, src/racoon/doc/SantaBarbara-result.jp,
src/racoon/doc/helsinki-result.jp, src/racoon/doc/ibm-result.jp,
src/racoon/doc/pattern, src/racoon/doc/question,
src/racoon/doc/racoonquestion.sh, src/racoon/doc/redmond.txt,
src/racoon/doc/rules.jp, src/racoon/doc/sandiego-result.en,
src/racoon/doc/sandiego-result.jp,
src/racoon/doc/sandiego0009-result.en,
src/racoon/missing/addrinfo.h, src/racoon/missing/getaddrinfo.c,
src/racoon/missing/getnameinfo.c, src/racoon/samples/Makefile,
src/racoon/samples/sandiego.pl: Removed.
2004-09-17 Michal Ludvig <mludvig@suse.cz>
* src/racoon/vendorid.[ch]: Rewrote the VendorID handling.
We don't use the array with fixed offsets anymore, instead
a generally unordered structure with ID, string and
precomputed MD5 hashes.
* src/racoon/{isakmp_agg.c,isakmp_base.c,isakmp_ident.c},
src/racoon/nattraversal.c: Updated to the new VID model.
* src/racoon/main.c(main): Precompute VendorIDs.
* src/racoon/arc4random.h, src/racoon/missing/arc4random.c:
Files removed. Function arc4random() renamed to eay_random()
and moved to crypto_openssl.c.
* src/racoon/pfkey.c, src/racoon/oakley.c, src/racoon/main.c,
src/racoon/isakmp.c: Updated to the above change.
* src/racoon/Makefile.in, src/racoon/configure.in: Remove
arc4random() from building.
* src/racoon/crypto_openssl.[ch](eay_random): New function.
* src/racoon/isakmp_cfg.c, src/racoon/isakmp_unity.c,
src/racoon/isakmp_xauth.c: Cleaned up headers.
2004-09-16 Michal Ludvig <mludvig@suse.cz>
* src/racoon/crypto_openssl.c (base64_encode): Terminate
the result with '\0'.
2004-09-15 Michal Ludvig <mludvig@suse.cz>
* configure.ac: How about calling the next version 0.5?
* src/include-glibc/glibc-bugs.h: Define _XOPEN_SOURCE
_BSD_SOURCE and don't require <linux/types.h>
* src/racoon/isakmp_cfg.c, src/racoon/isakmp_unity.c,
src/racoon/isakmp_xauth.c: Don't include <netkey/key_var.h>
* src/racoon/Makefile.in: Add new files to distribution.
* src/racoon/configure.in: Fix linux kernel NATT detection.
* src/setkey/parse.y: Fix types.
* src/racoon/backupsa.c, src/racoon/ipsec_doi.c,
src/racoon/isakmp_inf.c, src/racoon/isakmp_quick.c,
src/racoon/pfkey.c, src/racoon/remoteconf.c,
src/racoon/session.c, src/racoon/sockmisc.c: Fix headers
ordering, use HAVE_NETINET6_IPSEC.
* src/racoon/isakmp_cfg.c: Use %z for size_t.
* src/racoon/configure.in: Clean up IPv6 stack check.
2004-09-15 Michal Ludvig <mludvig@suse.cz>
Merged "Hybrid XAUTH" support from Emmanuel Dreyfus:
* src/racoon/isakmp_cfg.h, src/racoon/isakmp_cfg.c,
src/racoon/isakmp_unity.c, src/racoon/isakmp_unity.h,
src/racoon/isakmp_xauth.c, src/racoon/isakmp_xauth.h,
src/racoon/samples/racoon.conf.sample-cvpn: New files.
* src/racoon/algorithm.c, src/racoon/algorithm.h,
src/racoon/cfparse.y, src/racoon/cftoken.l,
src/racoon/handler.c, src/racoon/handler.h,
src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
src/racoon/isakmp.h, src/racoon/isakmp_agg.c,
src/racoon/isakmp_inf.c, src/racoon/oakley.c,
src/racoon/oakley.h, src/racoon/strnames.c,
src/racoon/vendorid.c, src/racoon/vendorid.h: Added
code for XAUTH support.
* src/racoon/racoon.conf.5: Documentation for XAUTH.
* src/racoon/isakmp_base.c, src/racoon/isakmp_ident.c,
src/racoon/nattraversal.c: Added NATT VID "02\n"
* src/racoon/configure.in: New config option --enable-hybrid
2004-09-14 Michal Ludvig <mludvig@suse.cz>
* configure.ac: Preset CFLAGS
* src/racoon/configure.in: Preset LDFLAGS instead of CFLAGS on NetBSD,
Check if printf() accepts "%z" modifiers.
* src/racoon/isakmp_agg.c(agg_i1send): Place #endif correctly.
* src/setkey/parse.y(fix_portstr): Init 'p2'.
* src/setkey/setkey.c: Add required prototypes.
2004-09-14 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/gssapi.c: sa_len -> sysdep_sa_len. Patch by Andreas.
2004-09-14 Michal Ludvig <mludvig@suse.cz>
* src/racoon/configure.in: Check for NetBSD NAT-T kernel support.
2004-09-13 Michal Ludvig <mludvig@suse.cz>
* src/racoon/configure.in: Check for <openssl/engine.h>
* src/racoon/crypto_openssl.c: Only use OpenSSL engines if available.
* src/racoon/plainrsa-gen.c: Ditto.
2004-09-13 Michal Ludvig <mludvig@suse.cz>
NetBSD fixes from Emmanuel Dreyfus <manu@netbsd.org>:
* Makefile.am: build in rpm/ only on Linux
* configure.ac: Check for netinet6/ipsec.h instead of netinet/ipsec.h
* src/Makefile.am: Build include-glibc only on Linux
* src/libipsec/{ipsec_dump_policy.c,ipsec_get_policylen.c,
ipsec_strerror.c,key_debug.c,pfkey.c,pfkey_dump.c,
policy_parse.y,policy_token.l,test-policy-priority.c},
src/racoon/{cfparse.y,cftoken.l,grabmyaddr.c,isakmp.c,
nattraversal.c,pfkey.c,plainrsa-gen.c,policy.c,
proposal.c,sainfo.c,schedule.c,strnames.c},
src/setkey/{parse.y,setkey.c,token.l}: Fix headers and some
ifdefs.
* src/racoon/sockmisc.c(sendfromto): Wrap for Linux only.
* src/racoon/configure.in: Check for kernel NAT-T support,
fix libipsec.a linkage path.
* src/racoon/eaytest.c(certtest): Use %z for size_t.
2004-09-12 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/grabmyaddr.c: improoved socket selection algorithm for
case when link-local addresses comes w/o sin6_scope_id set.
2004-09-07 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/session.c: fix for SIGHUP handler for case when config
file contains listen directives.
2004-09-01 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/grabmyaddr.c: added scope id handling for link-local
IPv6 addresses. Now racoon will not err on such addresses.
2004-08-19 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/crypto_openssl.c: hmac memory leak fix by R. Ganesan
* src/racoon/eaytest.c: eay_init_error() -> eay_init() due to
2004-06-01 changes in src/racoon/crypto_openssl.c
2004-08-15 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/cfparse.y src/racoon/crypto_openssl.c
src/racoon/eaytest.c src/racoon/genlist.h src/racoon/ipsec_doi.c
src/racoon/racoon.conf.5 src/racoon/remoteconf.c
src/racoon/remoteconf.h: peers_identifier wildcard and
list patch by James Matheson
---------------------------------------------
0.4rc1 released
2004-08-09 Michal Ludvig <mludvig@suse.cz>
* NEWS: Notes for release 0.4rc1
* configure.ac: Bump up version to 0.4rc1
2004-07-12 Michal Ludvig <mludvig@suse.cz>
PlainRSA support.
See ChangeLog.prsa from the 'plainrsa' branch for details.
* src/racoon/stringlist.c src/racoon/stringlist.h: Removed.
* src/racoon/genlist.c src/racoon/genlist.h
src/racoon/plainrsa-gen.8 src/racoon/plainrsa-gen.c
src/racoon/prsa_par.y src/racoon/prsa_tok.l
src/racoon/rsalist.c src/racoon/rsalist.h
src/racoon/samples/racoon.conf.sample-plainrsa: New files.
* src/racoon/Makefile.in src/racoon/configure.in
src/racoon/cfparse.y src/racoon/cftoken.l
src/racoon/crypto_openssl.c src/racoon/crypto_openssl.h
src/racoon/handler.h src/racoon/ipsec_doi.c
src/racoon/ipsec_doi.h src/racoon/isakmp.h src/racoon/main.c
src/racoon/oakley.c src/racoon/plog.c src/racoon/remoteconf.c
src/racoon/remoteconf.h src/racoon/sockmisc.c
src/racoon/sockmisc.h src/racoon/eaytest.c: Updated.
2004-07-12 Michal Ludvig <mludvig@suse.cz>
* src/racoon/main.c, src/racoon/eaytest.c, src/racoon/plog.c: Move
f_foreground to plog.c.
* src/racoon/proposal.c (cmpsaprop_alloc): Fix printing of encmode
adjusting.
* src/racoon/ipsec_doi.c, src/racoon/isakmp.c, src/racoon/isakmp_quick.c,
src/racoon/oakley.c: Fix typos, newlines and printf() format strings.
2004-06-16 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/crypto_openssl.c (eay_get_x509cert): small memory
leak fix. Noticed B.Buesker, patch L.Stellingwerff
* src/racoon/crypto_openssl.c (eay_aes_{en|de}crypt, evp_crypt):
small memory leaks fixed.
2004-06-15 Aidas Kasparas <a.kasparas@gmc.lt>
SECURITY
* src/racoon/crypto_openssl.[ch] (cb_check_cert_local,
cb_check_cert_remote): split cb_check_cert() due to stricter
requirements for certificates received from network.
* src/racoon/crypto_openssl.[ch] (eay_check_x509cert): new parameter
local to specify how strict cert check should be
* src/racoon/oakley.c, src/racoon/eaytest.c: adjust to use above
2004-06-11 Michal Ludvig <mludvig@suse.cz>
* src/racoon/nattraversal.c (natt_vendorid, natt_fill_options): Support
for all known NAT-T versions.
* vendorid.h: Ditto.
2004-06-08 Michal Ludvig <mludvig@suse.cz>
* src/racoon/stringlist.c, src/racoon/stringlist.h: New files.
* src/racoon/Makefile.in: Compile stringlist.o.
2004-06-07 Michal Ludvig <mludvig@suse.cz>
* configure.ac: Set version to 'cvs'.
* src/{racoon,setkey,libipsec}/*.h: Wrap headers between
#ifndef/#define/#endif to allow multiple inclusions of the
same file.
* plog.h (plog): Attribute __printf__ for automatic checking
of the parameters' validity.
* cftoken.l, crypto_openssl.c, grabmyaddr.c, ipsec_doi.c,
isakmp.c, isakmp_quick.c, oakley.c, pfkey.c, proposal.c,
sockmisc.c: Fix warnings/errors in the plog() parameters with
the above change.
2004-06-05 Aidas Kasparas <a.kasparas@gmc.lt>
* src/setkey/setkey.c: -n (no action) support.
Thanks Thomas Habets.
* src/setkey/setkey.8: Documentation for above.
* src/racoon/doc/README.certificate: updated link to more recent
version of document. Debian bug #252513 by Jose Luis Domingo Lopez
2004-06-01 Michal Ludvig <mludvig@suse.cz>
* src/racoon/algorithm.c: Enable compilation without SHA2 support.
* src/racoon/crypto_openssl.c: Ditto.
2004-06-01 Michal Ludvig <mludvig@suse.cz>
* src/racoon/crypto_openssl.c: Remove unneeded workarounds for older
OpenSSLs.
(eay_init): New function.
(eay_init_error, eay_check_pkcs7sign): Removed.
* src/racoon/crypto_openssl.h: Reflect the above changes.
* src/racoon/main.c: Call eay_init() instead of eay_init_error().
2004-05-27 Michal Ludvig <mludvig@suse.cz>
Support for inheritance of 'remote' statements:
* src/racoon/cftoken.l: New keyword 'inherit'.
* src/racoon/cfparse.y: Support for 'inherit', remove
global 'prhead', use cur_rmconf->prhead instead.
* src/racoon/remoteconf.c (rmtree): Changed from
LIST queue to TAILQ queue.
(getrmconf): Renamed to getrmconf_strict().
(copyrmconf, duprmconf)
(dump_rmconf_single, dumprmconf): New functions.
(rm2str): Deleted.
* src/racoon/remoteconf.h: Prototypes for the above.
(struct remoteconf): New fields 'inherited_from' and 'prhead'.
* src/racoon/sockmisc.c (saddr2str): Can print anonymous entries.
* src/racoon/algorithm.c (alg_oakley_encdef_name)
(alg_oakley_hashdef_name, alg_oakley_dhdef_name)
(alg_oakley_authdef_name): New functions.
* src/racoon/algorithm.h: Prototpes for the above.
* src/racoon/strnames.c (num2str): Make extern.
(s_doi, s_etype, s_idtype, s_switch): New functions.
* src/racoon/strnames.h: Prototpes for the above.
* src/racoon/main.c: New parameter -C for dumping the parsed config.
* src/racoon/racoon.conf.5: Document inheritance.
* src/racoon/samples/racoon.conf.sample-inherit: Sample config file.
* src/racoon/Makefile.in: Distribute racoon.conf.sample-inherit
2004-05-24 Michal Ludvig <mludvig@suse.cz>
* configure.in, backupsa.c, ipsec_doi.c, isakmp_inf.c,
isakmp_quick.c, pfkey.c, remoteconf.c, session.c,
sockmisc.c: Allow compilation with --disable-ipv6
2004-05-21 Michal Ludvig <mludvig@suse.cz>
* src/racoon/crypto_openssl.[ch]: Use EVP_*() instead of
algorithm specific functions.
2004-05-20 Aidas Kasparas <a.kasparas@gmc.lt>
Manual page updates. Thanks Brian
* src/libipsec/ipsec_set_policy.3
* src/setkey/setkey.8
* src/libipsec/test-policy-priority.c: new file from policy
priority patch, which I forgot to add
2004-05-18 Aidas Kasparas <a.kasparas@gmc.lt>
Policy priority integer handling fixes by Brian Buesker.
* src/libipsec/ipsec_strerror.c
* src/libipsec/ipsec_strerror.h
* src/libipsec/libpfkey.h
* src/libipsec/policy_parse.y
* src/libipsec/test-policy-priority.c
Manual page corrections by me
* src/libipsec/ipsec_set_policy.3
* src/setkey/setkey.8
2004-05-15 Aidas Kasparas <a.kasparas@gmc.lt>
Policy priority support patch from Brian Buesker. Applied as is
except src/libipsec/Makefile.am is modified instead of
src/libipsec/Makefile.in as found in the patch.
2004-05-10 Michal Ludvig <mludvig@suse.cz>
From Heiko Hund, approved by the copyright holder:
* src/racoon/gssapi.[ch]: Update to 3-clause BSD license.
2004-04-27 Michal Ludvig <mludvig@suse.cz>
From Heiko Hund:
* src/include-glibc/sys/queue.h: Update to 3-clause BSD license.
2004-04-26 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/grabmyaddr.c (update_myaddrs): Only trust kernel to
send notifications about changed interfaces.
2004-04-24 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/grabmyaddr.c (recvaddrs): Only trust kernel to send
information about interfaces. Thanks Steve Grubb and Bill
Nottingham. Affects users with glibc w/o getifaddrs(). Users
with glibc earlier than 2003-11-14 should upgrade their glibc.
2004-04-19 Michal Ludvig <mludvig@suse.cz>
* src/racoon/isakmp.c (isakmp_handler): Reject too big
packets (CAN-2004-0403).
---------------------------------------------
0.3 released
2004-04-14 Michal Ludvig <mludvig@suse.cz>
* NEWS: Notes for release 0.3
* configure.ac: Bump up version to 0.3
* src/racoon/Makefile.in: Use install-sh instead of mkinstalldirs.
* src/racoon/remoteconf.c (foreachrmconf): Avoid warning about
uninitialised variable.
* src/racoon/samples/racoon.conf.in: Cleaned up to work with Linux
and FreeSWAN.
2004-04-13 Michal Ludvig <mludvig@suse.cz>
* src/racoon/grabmyaddr.c (suitable_ifaddr6): Anycast addresses are
not suitable.
2004-04-09 Michal Ludvig <mludvig@suse.cz>
* src/racoon/crypto_openssl.c (cb_check_cert): Warn if no CRL is found.
* src/racoon/isakmp_ident.c (ident_r2recv): Removed debug plog().
* src/racoon/proposal.c (cmpsatrns): Downgrade severity of trns_id
mismatch to LLV_WARNING.
* src/libipsec/pfkey_dump.c, src/racoon/algorithm.c
src/racoon/algorithm.h src/racoon/cftoken.l
src/racoon/ipsec_doi.c src/racoon/ipsec_doi.h
src/racoon/oakley.h src/racoon/pfkey.c src/racoon/strnames.c
src/setkey/token.l: Renamed Rijndael to AES.
* src/setkey/token.l: Recognize exit/quit/bye tokens.
* src/setkey/parse.y (exit_command): New.
* src/setkey/setkey.c (stdin_loop): Exit when exit_now is set
in exit_command.
2004-04-08 Michal Ludvig <mludvig@suse.cz>
* src/setkey/setkey.c (main): Call get_supported() in interactive mode.
(stdin_loop): Concat multiline input into a single line before parsing.
2004-04-07 Michal Ludvig <mludvig@suse.cz>
* src/racoon/nattraversal.c (natt_keepalive_send): Log sending KA
with level DEBUG. Having it with level INFO only pollutes logfiles.
2004-04-06 Michal Ludvig <mludvig@suse.cz>
* src/racoon/Makefile.in: eaytest now links plog.o
* src/racoon/crypto_openssl.c: Remove all #ifdef EAYDEBUG/#endif
surrounding plog().
* src/racoon/eaytest.c (rsatest): Enabled RSA tests again, now
verifying both good and bad signatures.
---------------------------------------------
0.3rc5 released
2004-04-05 Michal Ludvig <mludvig@suse.cz>
* NEWS: Notes for release 0.3rc5
* configure.ac: Bump up version to 0.3rc5
2004-04-05 Michal Ludvig <mludvig@suse.cz>
Fix for a security bug found by Ralf Spenneberg:
* src/racoon/crypto_openssl.c (eay_check_x509sign): Directly generate
'evp' instead of 'pubkey'.
(eay_rsa_sign): Use the above.
* src/racoon/crypto_openssl.h: Update prototypes for the above.
* src/racoon/eaytest.c: Disabled RSA tests because of the API change.
2004-04-05 Michal Ludvig <mludvig@suse.cz>
* src/racoon/pfkey.c (pfkey_handler): Safety check before accessing
the array (thx to Ren.J.Y for report).
(pkrecvf): Added entry for SADB_X_NAT_T_NEW_MAPPING (NULL for now).
* src/racoon/strnames.c (name_pfkey_type): Ditto.
2004-04-02 Michal Ludvig <mludvig@suse.cz>
* src/racoon/eaytest.c (ciphertest_1): Correct padlen.
2004-04-01 Michal Ludvig <mludvig@suse.cz>
* src/racoon/ipsec_doi.c (setph2proposal0): Move proposal encmode
update from here ...
(ipsecdoi_setph2proposal): ... to here. Hopefully this is a
better place to do the update.
2004-03-30 Michal Ludvig <mludvig@suse.cz>
* src/racoon/crypto_openssl.c (eay_3des_expand_key): New function.
(eay_3des_encrypt, eay_3des_decrypt): Expand key if necessary.
* src/racoon/eaytest.c (ciphertest_1): New function.
(ciphertest): Simplified to simple calls of ciphertest_1().
2004-03-29 Michal Ludvig <mludvig@suse.cz>
* README: Rewritten. Mentioned where to report bugs.
2004-03-26 Michal Ludvig <mludvig@suse.cz>
* configure.ac: Check for readline.h and libreadline.
* src/setkey/setkey.c: Call stdin_loop() when '-c' was given.
(stdin_loop): Read user input and parse it line-by-line.
* src/setkey/token.l (parse_string): New function.
---------------------------------------------
0.3rc4 released
2004-03-25 Michal Ludvig <mludvig@suse.cz>
* configure.ac: Bump up version to 0.3rc4
* NEWS: Notes for release 0.3rc4
* src/racoon/cfparse.y (algorithm): Hint about missing module.
* src/racoon/crypto_openssl.c (eay_3des_*): Check for strict key
length only with old API.
(eay_des_encrypt): Ditto.
* src/racoon/eaytest.c: Make the testsuite usefull, i.e. exit with
non-zero error code if any of the tests fail.
(main): Print banner with version.
* src/racoon/Makefile.in: Run eaytest in 'make check'.
2004-03-23 Michal Ludvig <mludvig@suse.cz>
* src/racoon/isakmp_agg.c (agg_i2recv): Copy remote cookie before
comparing NAT-D payloads. (thx to Gaurav Kansal for report).
* src/racoon/crypto_openssl.c: Avoid type-punned warnings.
* src/racoon/eaytest.c: Disable 'cert' tests.
* src/racoon/crypto_openssl.c (eay_des_encrypt): No need to check
for strict length.
(eay_aes_encrypt): Keylength is in bits, not bytes.
2004-03-22 Michal Ludvig <mludvig@suse.cz>
* src/setkey/parse.y (ALG_ENC_NOKEY, ALG_ENC_OLD): Use "" for key
instead of NULL and check for availability.
---------------------------------------------
0.3rc3 released
2004-03-19 Michal Ludvig <mludvig@suse.cz>
* configure.ac: Bump up version to 0.3rc3
* NEWS: Notes for release 0.3rc3
* src/racoon/cftoken.l: Add 'null' as an alias for 'null_enc'.
* src/racoon/proposal.c (cmpsatrns): New parameter proto_id,
better diagnostic output when trns_id don't match.
* src/racoon/proposal.h (cmpsatrns): Update prototype.
* src/setkey/setkey.c: Change option -h to -H (for hexdump), new
options -h (help) and -V (version).
* src/setkey/setkey.8: Document the above changes.
* src/racoon/rfc/*: Many standards related to IPsec/IKE/NAT-T/...
2004-03-15 Michal Ludvig <mludvig@suse.cz>
* src/racoon/configure.in: Prevent compilation error with
--enable-yydebug.
---------------------------------------------
0.3rc2 released
2004-03-11 Michal Ludvig <mludvig@suse.cz>
* configure.ac: Bump up version to 0.3rc2
* NEWS: Notes for release 0.3rc2
* src/racoon/aclocal.m4 (RACOON_CHECK_VA_COPY): New test.
* src/racoon/configure.in: Call RACOON_CHECK_VA_COPY
* src/racoon/plog.c (plogv): Replace va_copy() with VA_COPY.
* src/racoon/racoon.conf.5: Note that NAT-T support is a compile
time option.
2004-03-10 Michal Ludvig <mludvig@suse.cz>
* src/racoon/racoon.conf.5: Document nat_traversal option.
* src/racoon/racoon.8: DOcument new options (-L and -P).
2004-03-09 Michal Ludvig <mludvig@suse.cz>
* src/racoon/grabmyaddr.c (autoconf_myaddrsport): Prepare addrs for
UDP-Encap ports if NAT-T is enabled.
(dupmyaddr): New function.
* src/racoon/grabmyaddr.h: Prototype for dupmyaddr().
* src/racoon/isakmp.c (isakmp_open): Complain if NAT-T is enabled, but
no port for UDP-Encap was open.
* src/racoon/isakmp_var.h (PORT_ISAKMP_NATT): New define.
* src/racoon/localconf.c, src/racoon/localconf.h: Define and setup
lcconf->port_isakmp_natt.
* src/racoon/main.c (main): Print nicer banner,
(usage): Document new options (-L and -P).
(parse): Recognise the above.
* src/racoon/nattraversal.c (natt_fill_options): Don't use hardcoded
constants for float_port.
(natt_enabled_in_rmconf, natt_enabled_in_rmconf_stub): New functions.
* src/racoon/nattraversal.h: Prototype for natt_enabled_in_rmconf().
* src/racoon/plog.c: Don't print source:line:function by default.
* src/racoon/remoteconf.c (foreachrmconf): New helper function.
* src/racoon/remoteconf.h: Prototype for the above.
* package_version.h: Define strings for use in banners.
* configure.ac: Fill up the above header.
2004-03-09 Michal Ludvig <mludvig@suse.cz>
* src/racoon/configure.in: Don't put -O into OPTFLAGS,
add new option --disable-natt.
* src/racoon/cfparse.y, src/racoon/handler.c,
src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
src/racoon/isakmp_ident.c, src/racoon/pfkey.c,
src/racoon/proposal.c, src/racoon/session.c: Replace WITH_NATT
with ENABLE_NATT.
* src/racoon/crypto_openssl.c: Replace %d with %zd for size_t arguments.
2004-03-06 Aidas Kasparas <a.kasparas@gmc.lt>
* configure.ac: Refuse to continue if lexer library (yywrap()
function) is missing. Should prevent bugs like #892067, #908758
* src/racoon/configure.in: renamed --with-ssleay to --with-openssl.
Users should not be given false idea that they require both OpenSSL
and SSLeay to compile racoon. (See bug #902197)
---------------------------------------------
0.3rc1 released
2004-03-04 Michal Ludvig <mludvig@suse.cz>
* configure.ac: Bump up version to 0.3rc1
* NEWS: Mention release 0.3rc1 (and copy 0.2.3 and 0.2.4 notes
from 0.2 branch).
* src/racoon/samples/racoon.conf.sample-natt: New sample config file.
* src/racoon/Makefile.in: Tweak file lists to make 'distcheck' happy,
enabled NATT by default (will become a config option later).
2004-03-04 Michal Ludvig <mludvig@suse.cz>
Merge with 'nat-t_branch' to bring NAT-T (NAT traversal) support
to racoon.
* src/racoon/Makefile.in, src/racoon/cfparse.y,
src/racoon/cftoken.l, src/racoon/grabmyaddr.c,
src/racoon/grabmyaddr.h, src/racoon/handler.c,
src/racoon/handler.h, src/racoon/ipsec_doi.c,
src/racoon/ipsec_doi.h, src/racoon/isakmp.c, src/racoon/isakmp.h,
src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
src/racoon/isakmp_ident.c, src/racoon/isakmp_quick.c,
src/racoon/localconf.c, src/racoon/localconf.h,
src/racoon/pfkey.c, src/racoon/proposal.c, src/racoon/proposal.h,
src/racoon/racoon.conf.5, src/racoon/remoteconf.c,
src/racoon/remoteconf.h, src/racoon/session.c,
src/racoon/strnames.c, src/racoon/vendorid.h
src/libipsec/pfkey.c,
src/racoon/nattraversal.c, src/racoon/nattraversal.h,
src/racoon/sockmisc.c: Affected files.
2004-02-27 Michal Ludvig <mludvig@suse.cz>
* src/racoon/isakmp.c (set_isakmp_header1): Renamed from
set_isakmp_header().
(set_isakmp_header): New function common for set_isakmp_header1()
and set_isakmp_header2().
(copy_ph1addresses): Obey original port.
(isakmp_plist_append, isakmp_plist_set_all): New helper functions.
* src/racoon/isakmp_var.h: Prototypes for the above.
* src/racoon/isakmp.h (struct payload_list): New structure.
* src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
src/racoon/isakmp_ident.c: Use isakmp_plist_* functions.
2004-02-03 Michal Ludvig <mludvig@suse.cz>
* src/racoon/Makefile.in: Fix install to $(sbindir)
* src/setkey/parse.y: Avoid GCC 3.3 warning (type-punned pointer).
2004-01-19 Michal Ludvig <mludvig@suse.cz>
* rpm/ipsec-tools.FC1: Startup script for Fedora Core 1
(thanks to Kimmo Koivisto <kimmo.koivisto@surfeu.fi>)
2004-01-17 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/isakmp_inf.c: endian mismatch fix. From iij seil team
2004-01-15 Michal Ludvig <mludvig@suse.cz>
* src/racoon/isakmp_inf.c: Prevent unauthorized deletion of SA
(reported on bugtraq, fixed by iij seil team).
* src/racoon/isakmp.c: Don't try to bind to IPv6 multicast addresses.
2004-01-14 Michal Ludvig <mludvig@suse.cz>
* src/racoon/plog.c: Fix segfault on AMD64 (va_list can be used
only once).
* configure.ac: Don't build shared libipsec by default (can be
enabled by --enable-shared).
* bootstrap: Don't run automake for racoon.
2004-01-12 Michal Ludvig <mludvig@suse.cz>
* src/racoon/configure.in: Fix AC_DEFINEs to make autoheader happy,
use config.h for defines instead of -DHAVE_* gcc options,
fix CRYPTOBJS to include missing rijndael libraries only once,
checking for AES support in OpenSSL now (hopefully) finally
works on both OpenSSL 0.9.6 and 0.9.7.
* src/racoon/*.[cyl]: Include autogenerated "config.h"
* src/racoon/missing/crypto/*/*.c: Ditto.
* src/racoon/.cvsignore: Add config.h, config.h.in
2004-01-09 Michal Ludvig <mludvig@suse.cz>
* src/racoon/.cvsignore: Add "autom4te.cache" and "configure".
2004-01-09 Aidas Kasparas <a.kasparas@gmc.lt>
Sync with KAME 2004-01-07
* src/libipsec/pfkey.c: memory leak fix; comment typo fixes
* src/libipsec/{pfkey.c,pfkey_dump.c}: allow compilation even
no SADB_X_EXT_TAG defined
* src/libipsec/pfkey_dump.c: information about algorithms
ripemd160, aes-xcbc, aes-ctr; bigger buffers; <tag> support
* src/libipsec/policy_parse.y: memory leak
* src/libipsec/policy_token.l: memory leak
* src/libipsec/test-policy.c: unneeded \n removed
* src/racoon/Makefile.in: $(sbindir) support
* src/racoon/admin.c: interface changes due to proxy support
* src/racoon/algorithm.c: SHA2 #ifdefs
* src/racoon/{cfparse.y,cftoken.l}: license text added
* src/racoon/cfparse.y: mip6 obsoleted by proxy support
* src/racoon/cfparse.y: from directive support; new algorithms
* src/racoon/cftoken.l: support for globbing of include files
* src/racoon/configure.in: more verbose information about problems
with SHA2
* src/racoon/crypto_openssl.c: use new DES API if supported; algorithm
key size fixes
* src/racoon/eaytest.c: SHA2 #ifdefs; keysize len check
* src/racoon/ipsec_doi.c: use VPTRINIT; ESP parameter validity checks;
style change
* src/racoon/isakmp.c: use VPTRINIT; interface changes due to
mip6->proxy; typo
* src/racoon/isakmp_inf.c: use VPTRINIT
* src/racoon/isakmp_quick.c: mip6->proxy
* src/racoon/kmpstat.c: not used variables removed
* src/racoon/pfkey.c: mip6->proxy; schedule leak
* src/racoon/proposal.c: style
* src/racoon/remoteconf.c: mip6->proxy
* src/racoon/sainfo.c: from directive support
* src/racoon/sockmisc.c: side correction; addrinfo leak
* src/racoon/strnames.c: typo in descriptions; wrong upper bound check
* src/racoon/missing/crypto/sha2/sha2.c: wrong size
* src/setkey/parse.y: extra algorithms; tagged; not needed periods
removed; memory shortage checks
* src/setkey/setkey.8: typos; tagged; new algorithms
* src/setkey/setkey.c: standard argument names for main(); hexdump
support; info in file support
* src/setkey/token.l: new algorithms; memory shortage checks
Parts not taken from KAME:
* kernelfs stuff;
* sysctl stuff
2004-01-08 Michal Ludvig <mludvig@suse.cz>
* src/racoon/config.{sub,guess}: Update from automake 1.7.
2004-01-08 Michal Ludvig <mludvig@suse.cz>
Patch from Kostadin Karaivanov <larry@minfin.bg>:
* src/racoon/configure.in: Check for openssl/aes.h.
* src/racoon/crypto_openssl.c: Use OpenSSL AES functions if available.
2004-01-08 Michal Ludvig <mludvig@suse.cz>
* src/racoon/configure: Remove, should be regenerated by bootstrap.
2004-01-02 Michal Ludvig <michal@logix.cz>
* src/racoon/crypto_openssl.c: Update to work with OpenSSL 0.9.7
(by Brian Buesker <bbuesker@qualcomm.com>
and Christophe Saout <christophe@saout.de>)
* src/racoon/proposal.c: Be more verbose. (Michal Ludvig)
* src/libipsec/ipsec_dump_policy.c: Dump FWD policies correctly
(by Michal Ludvig).
* src/setkey/token.l, src/setkey/parse.y: Add support for lifetime
specified in bytes (by Michal Ludvig).
* src/setkey/setkey.8: Document -bh/-bs options for the above feature.
* src/libipsec/pfkey.c: Don't include 'sadb_key' in SADB_UPDATE
message for IPcomp SA. (by Brian Buesker <bbuesker@qualcomm.com>)
* src/racoon/cfparse.y: Flush SA on SIGHUP
(by Brian Buesker <bbuesker@qualcomm.com>)
* src/racoon/pfkey.c: IPcomp fixes
(by Brian Buesker <bbuesker@qualcomm.com>)
* src/racoon/proposal.c: Fix typo lifebyte -> lifetime.
* src/racoon/grabmyaddr.c: Prevent segfault if getifaddrs() returns
an entry with NULL ifa_addr (Michal Ludvig).
* configure.ac: Change path to kernel headers
from /usr/src/devel-2.5/devel to /usr/src/linux
* bootstrap: Use default tools, reconfigure src/racoon
* src/racoon/configure.in: Change LIBOBJS -> AC_LIBOBJ,
changed comments from 'dnl' to '#'.
2003-06-20 Derek Atkins <derek@ihtfp.com>
* src/racoon/aclocal.m4:
* src/racoon/configure:
Don't execute "for i in $3" if "$3" doesn't exist.
Fixes bug #721296.
2003-03-31 Derek Atkins <derek@ihtfp.com>
* src/setkey/parse.y: change the NAT-T Type to use UDP_ENCAP_ESPINUDP
(which is value '2')
2003-03-27 Derek Atkins <derek@ihtfp.com>
* src/libipsec/key_debug.c: use ntohs() before printing port
* src/libipsec/pfkey.c: convert port# to network byte order
* src/libipsec/pfkey_dump.c: use ntohs() before printing ports
* src/setkey/parse.y: convert port#'s to network byte order
2003-03-24 Derek Atkins <derek@ihtfp.com>
* src/libipsec/pfkey.c: Don't switch off NAT-T extensions
if they don't exist in the kernel.
* src/racoon/sockmisc.c: use '34' for IPV6_IPSEC_POLICY,
as per Tom Lendacky <toml@us.ibm.com>. Also move the
setting of IPV6_IPSEC_POLICY to the top of the file.
2003-03-13 Derek Atkins <derek@ihtfp.com>
Add initial support for NAT-T PFKey Extensions:
* src/libipsec/key_debug.c: add support to print information
about NAT-T extension packets.
* src/libipsec/libpfkey.h: add two new APIs to support NAT-T
for add and update as part of the SADB.
* src/libipsec/pfkey.c:
- Implement extended APIs to support NAT-T for add and update
of the SADB.
- Add APIs to fill a buffer with NAT-T packet types
* src/libipsec/pfkey_dump.c: Extend the SADB output to include
PFKey packets. Put port numbers with the source and dest
addresses, add an 'esp-udp' SA-type, and add a printout for
the NAT-OA.
* src/setkey/parse.y:
- Extend setkey to create an ESP-UDP SA.
- default UDP port is 4500
- extend 'add' to allow <ip-addr>[<portnum>] for source and dest
(the portnum specification requires the [] characters)
- add an ESPUDP "protocol" from the lexer. This will use
ESP and allow an optional Original Address setting.
- add a function to get a udp port from a struct sockaddr *
- pass the NAT-T extentions into PFKey
* src/setkey/token.l: add "esp-udp" token
* rpm/ipsec-tools.spec.in: Bill Nottingham's SPEC-file patch:
This switches it to use %{_lib} (for /lib64 systems such as
x86-64 and s390x, and has it own the /etc/racoon directory in
the package as well.
---------------------------------------------
0.2.2 released
2003-03-13 Derek Atkins <derek@ihtfp.com>
* configure.am, NEWS:
Update for 0.2.2 release
* Makefile.am: distribute depcomp
2003-03-10 Derek Atkins <derek@ihtfp.com>
* src/racoon/Makefile.in: add @LEXLIB@ to the LIBS line to make
sure we link against the lexer library when necessary.
2003-03-07 Derek Atkins <derek@ihtfp.com>
* configure.am:
* Makefile.am:
* rpm/Makefile.am:
* rpm/ipsec-tools.spec.in:
Added RPM SPEC to CVS
---------------------------------------------
0.2.1 released
2003-03-07 Derek Atkins <derek@ihtfp.com>
* src/racoon/configure.in: change "CFLAGS" to "CPPFLAGS" for
ssl include directory, to make sure the other tests work properly.
2003-03-06 Derek Atkins <derek@ihtfp.com>
* src/racoon/kmpstat.c: fix gcc-3.2.2 compiler warning
* src/racoon/configure.in: look for krb5-config and don't
use it if it's not found. Fixes a configure-time warning.
--------------------------------------------
0.2 Released
Reference in New Issue Copy Permalink