http://mail-index.netbsd.org/tech-net/2004/11/05/0004.html
Slightly modified to differentiate the version string from a stock racoon.
* auth_gssapi.h (GSSAPI_DEF_NAME): Change from "ike" to "host".
(gssapi_get_default_id): Rename to gssapi_get_id.
(gssapi_get_default_gss_id): New prototype.
* cfparse.y (GSSAPI_ID): Rename to GSS_ID.
(GSS_ID_ENC, GSS_ID_ENCTYPE): New tokens.
(gssenc_statement): New statement.
(isakmpproposal_spec): Use GSS_ID token.
(expand_isakmpspec): Fill in gssid in the new proposal only
if authmethod is OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB. If the
GSS ID is not provided, call gssapi_get_default_gss_id() to
place the default ID in the proposal.
* cftoken.l (S_GSSENC): New start condition.
(<S_RMTP>gss_id): New, return the GSS_ID token.
(<S_RMTP>gssapi_id): Return the GSS_ID token.
(<S_INI>gss_id_enc, <S_GSSENC>latin1, <S_GSSENC>utf-16le)
(<S_GSSENC>{semi}): New, tokenize the "gss_id_enc enctype;"
statement.
* gssapi.c: Include <unistd.h>.
(gssapi_get_default_gss_id): New function.
(gssapi_init): Disable a broken debugging message. Make
printf formats consistent in their handling of non-NUL-terminated
strings.
(gssapi_get_default_id): Rename to...
(gssapi_get_id): ...this. If the proposal has a gssid, vdup()
that and return it. Disable a broken debugging message. Make
printf formats consistent in their handling of non-NUL-terminated
strings.
* ipsec_doi.c: Include <iconv.h>.
(get_ph1approval): Make printf formats consistent in their handling
of non-NUL-terminated strings. Call gssapi_get_id() instead of
gssapi_get_default_id(), and remove some complexity that has been
pushed into that function.
(t2isakmpsa): When parsing the OAKLEY_ATTR_GSS_ID attribute,
convert the attribute from UTF-16LE to ISO-Latin-1, unless
we are configured to assume the attribute is already ISO-Latin-1
encoded.
(setph1attr): When setting the OAKLEY_ATTR_GSS_ID attribute,
convert the attribute from ISO-Latin-1 to UTF-16LE, unless we
are configured to encode the attribute in ISO-Latin-1.
* localconf.c (setdefault): Set the default GSS ID encoding type
to UTF-16LE.
* localconf.h (LC_GSSENC_UTF16LE, LC_GSSENC_LATIN1)
(LC_GSSENC_MAX): New constants.
(struct localconf): Add gss_id_enc member.
* main.c (RACOON_VERSION): Append " - NetBSD 20041110" to the
version string.
* racoon.conf.5: Document changes to GSS ID encoding and default
GSS ID computation. Document "gss_id_enc enctype;" statement.
* samples/racoon.conf.sample-gssapi: Update and add comments to
provide more information.
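The GSS ID transcoding that the t2isakmpsa and setph1attr entries above describe, as an added example that is not racoon's code: it hand-rolls the UTF-16LE/ISO-Latin-1 conversion instead of calling iconv (ipsec_doi.c now includes <iconv.h>), so that it has no library dependency. The function names and the rejection of embedded NULs are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not racoon code; function names are hypothetical.
 * Decode a received GSS ID attribute (UTF-16LE on the wire) to ISO-Latin-1.
 * Returns the number of bytes written, or -1 if the input is malformed or
 * does not fit. The output is NOT NUL-terminated; keep the length with it. */
long gssid_utf16le_to_latin1(const uint8_t *in, size_t inlen,
                             uint8_t *out, size_t outcap)
{
    if (inlen % 2 != 0)        /* truncated code unit */
        return -1;
    if (inlen / 2 > outcap)    /* would overflow the caller's buffer */
        return -1;
    for (size_t i = 0; i < inlen; i += 2) {
        /* Low byte first. A non-zero high byte is a code unit above U+00FF
         * (surrogates included), which Latin-1 cannot represent. Assumption:
         * U+0000 is rejected too, as it would truncate the name in C-string APIs. */
        if (in[i + 1] != 0 || in[i] == 0)
            return -1;
        out[i / 2] = in[i];
    }
    return (long)(inlen / 2);
}

/* Encode a local ISO-Latin-1 GSS ID as UTF-16LE for the wire. */
long gssid_latin1_to_utf16le(const uint8_t *in, size_t inlen,
                             uint8_t *out, size_t outcap)
{
    if (inlen > outcap / 2)
        return -1;
    for (size_t i = 0; i < inlen; i++) {
        out[2 * i] = in[i];     /* low byte */
        out[2 * i + 1] = 0;     /* high byte is always zero for Latin-1 */
    }
    return (long)(2 * inlen);
}

int main(void)
{
    /* Constructed sample: "host/a" as UTF-16LE. */
    static const uint8_t wire[] = { 'h',0, 'o',0, 's',0, 't',0, '/',0, 'a',0 };
    uint8_t id[32];
    long n = gssid_utf16le_to_latin1(wire, sizeof wire, id, sizeof id);
    if (n < 0) return 1;
    printf("GSS ID: %.*s\n", (int)n, (const char *)id);  /* exactly n bytes */
    return 0;
}
```

The "%.*s" format in main() is the same treatment of non-NUL-terminated strings that the gssapi.c and ipsec_doi.c entries mention.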
Changes in release 0.6.3
* fix vulnerabilities in ftpd
* support for linux AFS /proc "syscalls"
* support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in
kpasswdd
* fix possible KDC denial of service
* bug fixes
1) It's not documented anywhere.
2) The problem it's attempting to warn about is not documented anywhere.
3) There are no example configs (or any I found with Google) that use the
"listen" directive.
4) In any event, it's poorly worded and unclear what it's talking about.
(lha@NetBSD.ORG), to incorporate contemporary (last-year-ish)
set-password and change-password extensions derived from RFC-3244
(Microsoft set-password/change-password extensions), and the
subsequent MIT-KRB5 APIs for changing and setting passwords.
Required for compatibility with recent (2002/2003-ish) open-source
code which uses the MIT KRB5 APIs for setting passwords, or for
joining Microsoft domains as a "computer account".
Modified files (for pullup tracking purposes):
lib/libasn1/Makefile
crypto/dist/heimdal/lib/asn1/k5.asn1
crypto/dist/heimdal/lib/krb5/changepw.c
crypto/dist/heimdal/lib/krb5/krb5-protos.h
crypto/dist/heimdal/lib/krb5/krb5.h
and without Kerberos 4 & 5 (MKKERBEROS=no). Previously checkflist
complained of missing files.
* move kerberos- and kerberos 4-only files into new flists,
distrib/sets/lists/*/krb.*
* make the flist generators grok MKKERBEROS{,4} variables
* fix Makefiles which treat MKKERBEROS=no as MKKERBEROS5=no.
9 out of 10 experts agree that it is ludicrous to build w/
KERBEROS4 and w/o KERBEROS5.
* fix header files, also, which treat MKKERBEROS=no as MKKERBEROS5=no.
* omit some Kerberos-only subdirectories from the build as
MKKERBEROS{,4} indicate
(I acknowledge the sentiment that flists are the wrong way to go,
and that the makefiles should produce the metalog directly. That
sounds to me like the right way to go, but I am not prepared to
revamp all the makefiles. While my approach is expedient, it fits
painlessly within the current build architecture until we are
delivered from flist purgatory, and it does not postpone our
delivery. Fair enough?)
(per kernel policy) for crypto transforms for which hardware
acceleration is available. Affects:
crypto/dist/openssl/crypto/engine/eng_all.c
crypto/dist/openssl/crypto/engine/hw_cryptodev.c
crypto/dist/openssl/crypto/evp/c_all.c
as posted to tech-crypto for review/comment on 2003-08-21.