| 2011-03-17 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/oakley.c: fixed a memory leak in |
| oakley_append_rmconf_cr() while generating plist. patch by Roman |
| Hoog Antink <rha@open.ch> |
| |
| * src/racoon/oakley.c: free name later, to avoid a memory use after |
| free in oakley_check_certid(). also give iph1->remote to some plog() |
| calls. patch by Roman Hoog Antink <rha@open.ch> |
| |
| * src/racoon/oakley.c: fixed a memory leak in |
| oakley_check_certid(). patch by Roman Hoog Antink <rha@open.ch> |
| |
| 2011-03-15 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/: isakmp.c, isakmp_inf.c, pfkey.c: directly call |
| isakmp_ph1delete() instead of scheduling isakmp_ph1delete_stub(), as |
| it is useless an can lead to memory access after free |
| |
| 2011-03-14 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/: grabmyaddr.c, handler.c, isakmp.c, isakmp_inf.c, |
| isakmp_quick.c, nattraversal.c, pfkey.c, policy.c, sockmisc.c, |
| sockmisc.h, throttle.c: Explicitly compare return value of |
| cmpsaddr() against a return value define to make it more obvious |
| what is the intended action. One more return value is also added, to |
| fix comparison of security policy descriptors. Namely, getsp() |
| should not allow wildcard matching (as the comment says, it does |
| exact matching) - otherwise we get problems when kernel has generic |
| policy with no ports, and a second similar policy with ports. |
| |
| 2011-03-14 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/: cfparse.y, isakmp_xauth.c, isakmp_xauth.h, |
| remoteconf.c, remoteconf.h, rsalist.c, rsalist.h: avoid some |
| memory leaks / free memory access when reloading conf and have |
| inherited config. patch from Roman Hoog Antink <rha@open.ch> |
| |
| * src/racoon/handler.c: removed an useless comment |
| |
| * src/racoon/handler.c: check if we got RMCONF_ERR_MULTIPLE from |
| getrmconf_by_ph1() in revalidate_ph1tree_rmconf() |
| |
| 2011-03-11 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/: handler.c, isakmp.c: directly delete a ph1 in |
| remove_ph1-) instead of scheduling it, to avoid (completely ?) a |
| race condition when reloading configuration |
| |
| 2011-03-06 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/privsep.c: Quiet a gcc warning when strict-aliasing |
| checks are enabled. Reported by Stephen Clark. |
| |
| 2011-03-02 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/session.c: flush sainfo list when closing session. |
| patch by Roman Hoog Antink <rha@open.ch> |
| |
| * src/racoon/: remoteconf.c, rsalist.c, rsalist.h: free rsa |
| structures when deleting a struct rmconf. patch by Roman Hoog Antink |
| <rha@open.ch> |
| |
| * src/racoon/: cfparse.y, remoteconf.c, remoteconf.h: free spspec |
| when deleting a rmconf struct. patch by Roman Hoog Antink |
| <rha@open.ch> |
| |
| * src/racoon/: remoteconf.c, session.c: fixed some memory leaks in |
| remoteconf. patch by Roman Hoog Antink <rha@open.ch> |
| |
| * src/racoon/: cfparse.y, prsa_par.y: fixed some memory leaks |
| during configuration parsing. patch by Roman Hoog Antink |
| <rha@open.ch> |
| |
| 2011-03-01 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/: isakmp.c, pfkey.c: plog text fixes, patch from M E |
| Andersson <debian@gisladisker.se> |
| |
| * src/racoon/cfparse.y: reset yyerrorcount before doing parse |
| stuff. patch by Roman Hoog Antink <rha@open.ch> |
| |
| 2011-02-20 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/oakley.c: From Roman Hoog Antink <rha@open.ch>: Fix |
| memory leak when using plain RSA key authentication. |
| |
| 2011-02-11 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/plainrsa-gen.c: From Mats E Andersson |
| <debian@gisladisker.se>: Fix fprintf format specifier usage from |
| previous patch. |
| |
| 2011-02-10 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/plainrsa-gen.c: From Mats Erik Andersson |
| <debian@gisladisker.se>: Implement importing of RSA keys from PEM |
| files. |
| |
| * src/racoon/prsa_par.y: From M E Andersson |
| <debian@gisladisker.se>: Fix parsing of restricted RSA key |
| addresses. |
| |
| 2011-02-02 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/: cftoken.l, isakmp.c, remoteconf.h, sainfo.c, |
| sainfo.h: store ph1id in an u_int32_t instead of a (signed)int. |
| Patch from Christophe Carre |
| |
| 2011-01-28 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/: sainfo.c, sainfo.h, session.c: From Roman Hoog |
| Antink <rha@open.ch>: Clean up sainfo reloading: rename the |
| functions, and remove unneeded global variable. |
| |
| * src/racoon/: remoteconf.c, remoteconf.h, session.c: From Roman |
| Hoog Antink <rha@open.ch>: Clean up rmconf reloading: rename the |
| functions, and remove unneeded global variable. |
| |
| * src/racoon/plog.c: From Roman Hoog Antink <rha@open.ch>: Log |
| remote IP address if available (slightly modified by tteras) |
| |
| 2011-01-22 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/isakmp_inf.c: From Roman Hoog Antink <rha@open.ch>: |
| Fixes a null pointer dereference that might occur after removing |
| peers from the config and then reloading. |
| |
| 2011-01-20 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/libipsec/pfkey.c: fixed a typo, it will now compile when |
| KMADDRESS is defined. reported by Roman Hoog Antink (rha (at) |
| open.ch) |
| |
| 2010-12-28 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/handler.c: From Roman Hoog Antink <rha@open.ch>: Fix |
| config reload to not delete too many phase 2 handles, because wrong |
| chain field is used when enumerating the handles. |
| |
| 2010-12-16 gdt |
| |
| * src/racoon/oakley.c: When encountering a certificate where "ID |
| mismatched with ASN1 SubjectName", and verify_identifier is off, |
| don't raise an error. This makes the behavior match the man page. |
| |
| Patch sent for review long ago: |
| http://mail-index.netbsd.org/tech-security/2006/03/24/0000.html |
| with no negative feedback received to date. |
| |
| 2010-12-14 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/ipsec_doi.c: From Roman Hoog Antink <rha@open.ch>: Fix |
| possible null derefence. |
| |
| 2010-12-08 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/admin.c: Use separate SA addresses for phase2's |
| created by admin command. The phase2 startup overwrites src/dst with |
| ISAKMP ports if they are zero and we don't want that to happen for |
| the SA ports. |
| |
| 2010-12-08 joerg |
| |
| * src/libipsec/pfkey.c: ANSIfy |
| |
| 2010-12-07 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/isakmp_quick.c: Fix spacing and improve wording in |
| some log messages. |
| |
| 2010-12-03 Timo Teras <timo.teras@iki.fi> |
| |
| * src/libipsec/ipsec_dump_policy.c: Recognize direction for Linux |
| per-socket policies. |
| |
| * src/: libipsec/libpfkey.h, libipsec/pfkey_dump.c, setkey/parse.y, |
| setkey/setkey.8: Support GRE key as upper layer protocol |
| specifier (will be supported in Linux kernel 2.6.38). |
| |
| * src/racoon/grabmyaddr.c: Netlink deletion notification does not |
| guarentee actual address deletion: it might still exist on some |
| other interface. Make sure we do not unbind unless the address is |
| really gone. |
| |
| 2010-11-17 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/: handler.c, handler.h, isakmp.c, isakmp_inf.c: Fix my |
| previous patch to not call purge_remote() twice. Change the place |
| where purge_remote() is called. This fixes also a possible crash |
| from the same patch since ph1->remote can be NULL (when we are |
| responder and config is not yet selected). |
| |
| 2010-11-12 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/: admin.c, isakmp.c, isakmp_var.h, pfkey.c: |
| isakmp_post_acquire is now called from admin commands too, add a |
| flag so admin commands can be used to establish even passive links |
| on demand. |
| |
| * src/racoon/isakmp.c: Purge all IPsec-SA's if the last main |
| ISAKMP-SA for the node is deleted by remote request and the phase1 |
| rekeying is enabled (this will also trigger the new phase1_dead |
| script hook). |
| |
| * src/racoon/: handler.h, isakmp_inf.c: Improve DPD sequence checks |
| to allow any reply within valid sequence window to be proof of |
| livelyness. This can improves things if there's random packet |
| delays, or if racoon is not getting enough CPU time. |
| |
| * src/racoon/: admin.c, admin.h, kmpstat.c, racoonctl.c: Extern |
| admin protocol to allow reply packets to exceed 64kb. E.g SA dumps |
| with many established SAs can be easily over the limit. |
| |
| 2010-10-22 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/grabmyaddr.c: Change Linux Netlink address monitoring |
| to monitor local route changes. This works around a kernel bug, and |
| slightly improves behaviour on some special cases. |
| |
| 2010-10-21 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/: admin.c, evt.c, grabmyaddr.c, isakmp.c, pfkey.c, |
| session.c, session.h: Introduce priorities for file descriptor |
| polling mechanism and give priority to admin port. If admin port is |
| used by ISAKMP-SA hook scripts they should be preferred, other wise |
| heavy traffic can delay admin port requests considerably. This in |
| turn may cause renegotiation loop for ISAKMP-SA. This is mostly |
| useful for OpenNHRP setup, but can benefit other setups too. |
| |
| * src/racoon/: admin.c, handler.c, handler.h: Remove |
| initial-contact entry when all ISAKMP-SA are purged via adminport. |
| This will avoid stale security associations if some of the delete |
| notifications happens to get lost. |
| |
| 2010-10-20 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/crypto_openssl.c: Use high-level openssl EVP and HMAC |
| functions when possible: this allows openssl to perform hardware |
| acceleration if available. |
| |
| * src/racoon/: isakmp.c, isakmp_quick.c: Various improvements to |
| error log messages and a few additional error log messages to |
| improve diagnosing an error condition. |
| |
| * src/racoon/grabmyaddr.c: Fix address comparison so we actually |
| close sockets which were bound to IP-address that got deconfigured. |
| |
| 2010-10-11 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/ipsec_doi.c: report a higher encryption key length in |
| approval for OBEY / CLAIM / STRICT modes |
| |
| 2010-09-27 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/isakmp_xauth.c: fixed some typos in logs (reported by |
| fazaeli (at) sepehrs.com) |
| |
| 2010-09-24 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/cftoken.l: fixed a fd leak, patch by getlaser (at) |
| gmail.com |
| |
| 2010-09-22 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/admin.c: get the correct length of username when |
| processing ADMIN_LOGOUT_USER, patch by rweikusat (at) mssgmbh.com |
| |
| * src/racoon/nattraversal.h: fixed a typo in macros, reported by |
| marisp (at) mt.lv |
| |
| 2010-09-21 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/isakmp_cfg.c: moved from utmp.h to utmpx.h (patch |
| provided by marcin.cieslak (at) gmail.com) |
| |
| 2010-09-08 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/remoteconf.c: fixed remoteconf selection when no ID |
| specified in configuration, and added some debug to remoteconf |
| selection |
| |
| 2010-08-26 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/remoteconf.c: fix by Sergio.Gelato (at) astro.su.se: |
| duplicate some dynamic values in duprmconf() |
| |
| 2010-08-04 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/isakmp_cfg.c: fixed answer for IP4_SUBNET request |
| |
| 2010-07-30 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/doc/FAQ: updated link to NetBSD's documentation |
| |
| 2010-06-22 Thomas Klausner <wiz@netbsd.org> |
| |
| * src/racoon/racoon.conf.5: Bump date for previous. |
| |
| 2010-06-22 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/: cfparse.y, cftoken.l, isakmp.c, isakmp_inf.c, |
| racoon.conf.5, remoteconf.c, remoteconf.h: added a specific |
| script hook when a dead peer is detected |
| |
| 2010-06-04 Thomas Klausner <wiz@netbsd.org> |
| |
| * src/setkey/setkey.8: New sentence, new line. Bump date for |
| previous. |
| |
| 2010-06-04 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/setkey/: parse.y, setkey.8, token.l: Added support for |
| spdupdate command in setkey |
| |
| 2010-04-07 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/libipsec/ipsec_strerror.c: by Eric Preston: fixed a typo |
| |
| 2010-04-02 Christos Zoulas <christos@netbsd.org> |
| |
| * src/: libipsec/pfkey_dump.c, racoon/backupsa.c: handle ctime |
| returning NULL. |
| |
| 2010-03-11 Christos Zoulas <christos@netbsd.org> |
| |
| * src/racoon/handler.c: PR/42363: Yasuoka Masahiko: Second part of |
| the patch: iterate only on the phase2 handles that are bound by the |
| given phase1 handle. |
| |
| 2010-03-05 Timo Teras <timo.teras@iki.fi> |
| |
| * src/: libipsec/ipsec_set_policy.3, racoon/privsep.c, |
| racoon/doc/FAQ, setkey/setkey.8: From Stefan Bauer: Fix multiple |
| typoes and manpage formatting errors. |
| |
| 2010-03-04 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/session.c: From Pierre POMES: fixed admin port |
| initialization |
| |
| 2010-02-28 snj |
| |
| * src/racoon/: sockmisc.c, sockmisc.h: Fight the ever-increasing |
| size of src checkouts by spelling "useful" without an extra l. |
| |
| 2010-02-09 Thomas Klausner <wiz@netbsd.org> |
| |
| * src/racoon/: pfkey.c, proposal.h: Fix typo in comment. |
| |
| 2010-01-17 Thomas Klausner <wiz@netbsd.org> |
| |
| * src/racoon/sainfo.c: Free strdeupped string after using it. Found |
| by cppcheck. |
| |
| * src/racoon/: eaytest.c, ipsec_doi.c: Close file handles after |
| using them. Found by cppcheck. |
| |
| 2010-01-15 joerg |
| |
| * src/setkey/setkey.8: Use .%U instead of .%O for URLs. |
| |
| 2009-12-11 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/Makefile.am: From Paul Wernau: vmbuf.h was defined |
| twice in the headers. Remove the redundant entry so new install tool |
| does not complain about overwriting just installed file. |
| |
| 2009-11-22 Christos Zoulas <christos@netbsd.org> |
| |
| * src/racoon/handler.c: PR/42363: Yasuoka Masahiko: |
| |
| racoon uses a wrong IPsec-SA handle that is for other peer in case |
| it receives a ISAKMP message for IPsec-SA that has the same |
| message-id as the message-id that is received before. |
| |
| racoon uses message-id to find the handle of IPsec-SA. The |
| message-id is a unique number for each peer, but different peers may |
| use the same value. |
| |
| Different Windows Vista or Windows 7 peers seem to use the same |
| message-id. racoon can handle the first Windows's Phase-2, but it |
| cannot handle the second Windows. Because racoon misunderstands the |
| message for the second Windows as the message for the first Windows. |
| |
| >Category: bin >Synopsis: racoon uses a wrong IPsec-SA |
| that is for different peer >Confidential: no >Severity: |
| serious >Priority: medium >Responsible: bin-bug-people |
| >State: open >Class: sw-bug >Submitter-Id: net |
| >Arrival-Date: Sun Nov 22 18:25:00 +0000 2009 >Originator: |
| yasuoka@iij.ad.jp |
| |
| 2009-10-29 Christos Zoulas <christos@netbsd.org> |
| |
| * src/setkey/token.l: use %option noinput nounput |
| |
| 2009-10-28 Christos Zoulas <christos@netbsd.org> |
| |
| * src/setkey/token.l: no unput |
| |
| 2009-10-14 joerg |
| |
| * src/libipsec/ipsec_set_policy.3: Do not use .Xo/.Xc to workaround |
| ancient groff limits. |
| |
| * src/setkey/setkey.8: Do not use .Xo/.Xc to work around ancient |
| groff limits. Fix markup. |
| |
| * src/racoon/racoon.conf.5: Don't use .Xo/.Xc to work around |
| ancient groff limits. Set only one list type. |
| |
| 2009-09-18 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/: isakmp_agg.c, isakmp_ident.c: From Tomas Mraz: Fix |
| gssapi error checking. |
| |
| 2009-09-03 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/: admin.c, handler.c, handler.h, isakmp.c, |
| isakmp_var.h, pfkey.c: When rekeying phase2 use phase1 used to |
| negotiate phase2 as a hint to select the phase1 for rekeying the new |
| phase2. |
| |
| 2009-09-01 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/: nattraversal.c, racoon.conf.5, vendorid.c: Check |
| nat_traversal configuration from remote configuration candidates |
| when acting as responder. Enable NAT-T if any of the remote |
| candidates have NAT-T enabled. |
| |
| * src/racoon/remoteconf.c: Change remote conf matching level to |
| matching score. This way one can override anonymous certificate |
| block config with more exact "inhereted" IP specific block. |
| |
| * src/racoon/: isakmp.c, racoon.conf.5: From Maik Broemme: export |
| ISAKMP SA identity as REMOTE_ID for phase1 up script (trac #313). |
| |
| 2009-08-24 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/oakley.c: fixed typo: algoriym -> algorithm |
| |
| 2009-08-19 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/remoteconf.c: fixed address check in |
| rmconf_match_type(), just check address with wildcard port |
| |
| 2009-08-19 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/remoteconf.c: Have an enum for rmconf_match_type() |
| return values to make the code a bit more readable. |
| |
| 2009-08-18 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/oakley.c: typo: algoritym -> algorithm |
| |
| 2009-08-17 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/libipsec/libpfkey.h: do not use SADB_X_NAT_T_NEW_MAPPING to |
| check system support for NAT-T, as at least FreeBSD doesn't have |
| this define anymore |
| |
| * src/racoon/schedule.h: include stddef.h so we have a chance to |
| get the system offsetof if present |
| |
| * src/racoon/crypto_openssl.h: removed a self include |
| |
| 2009-08-13 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/oakley.c: fixed a potential DoS in |
| oakley_do_decrypt(), reported by Orange Labs |
| |
| 2009-08-10 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/pfkey.c: Don't print EAGAIN error from |
| pfkey_handler(), it can occur normally under some code paths and is |
| not a hard error in any case. |
| |
| 2009-08-06 Timo Teras <timo.teras@iki.fi> |
| |
| * src/setkey/setkey.c: From Paul Wenau: Check fgets return value in |
| setkey to make gcc happy. |
| |
| 2009-08-05 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/pfkey.c: From Paul Wernau: Fix transport mode per-port |
| security associations that got broke during NAT-T fixes. |
| |
| 2009-07-07 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/sockmisc.c: From Arnaud Ebalard: Fix possible usage of |
| uninitialized local variable (not sure if any code path triggers |
| this, but this makes compiler happy). |
| |
| 2009-07-03 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/: admin.c, grabmyaddr.c, handler.c, handler.h, |
| isakmp.c, isakmp_cfg.c, isakmp_inf.c, isakmp_quick.c, |
| nattraversal.c, pfkey.c, policy.c, remoteconf.c, remoteconf.h, |
| sockmisc.c, sockmisc.h, throttle.c: Get rid of the evil CMPSADDR |
| macro. Trac #295. |
| |
| * src/: libipsec/libpfkey.h, libipsec/pfkey.c, racoon/isakmp.c, |
| racoon/isakmp_inf.c, racoon/pfkey.c, racoon/pfkey.h: From Yvan |
| Vanhullebus: Use SADB_X_EXT_NAT_T_* consistently for passing the |
| NAT-T port information. This might break compatibility with some |
| kernels, but as discussed this is the proper way to pass NAT-T ports |
| and the broken kernels need to be fixed. |
| |
| 2009-06-24 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/session.c: Fix a call to null pointer: in some cases, |
| the unmonitor_fd can be called from another fd's callback. That |
| could lead to still have callback pending after unmonitoring the fd |
| resulting in a call to null pointer. This is fixed by making |
| unmonitor_fd now clear the pending fd_set too. Bug was introduced |
| by my commit in 2008-12-23. |
| |
| 2009-05-20 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/isakmp.h: typo |
| |
| 2009-05-19 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/: ipsec_doi.c, isakmp.c: From Jukka Salmi: Fix couple |
| of typos from previous commit. |
| |
| 2009-05-18 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/: ipsec_doi.c, isakmp.c, sockmisc.c, sockmisc.h: From |
| Tomas Mraz: Introduce union sockaddr_any and use it to make code |
| more readable. Related to trac #293. |
| |
| * src/racoon/isakmp_inf.c: From Tomas Mraz: Remove variable that is |
| not really used; only referenced while uninitialized causing |
| valgrind error. |
| |
| * src/racoon/nattraversal.c: From Tomas Mraz: Fix natt_flags check. |
| |
| 2009-05-04 Thomas Klausner <wiz@netbsd.org> |
| |
| * src/racoon/racoon.conf.5: Remove superfluous spaces around |
| parentheses. |
| |
| 2009-04-29 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/crypto_openssl.c: From Ross Meng: Fix a memory leak in |
| X509 certificate validation. |
| |
| 2009-04-28 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/handler.c: Reset nat_oa variables too when reusing |
| phase two handler. Otherwise phase2 rekeying might fail in some |
| scenarios. |
| |
| 2009-04-22 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/isakmp_frag.c: From Neil Kettle: Fix a possible null |
| pointer dereference in fragmentation code. |
| |
| 2009-04-21 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/: grabmyaddr.c, grabmyaddr.h, session.c: Fix |
| strict_address to work again. The lists needs to be initialized |
| before configuration is read, which happens before my_addr_init() |
| call. |
| |
| 2009-04-20 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/: isakmp.c, isakmp.h, isakmp_var.h: Fix a memory leak |
| in certificate request generation. |
| |
| * src/racoon/: isakmp_inf.c, isakmp_xauth.c, plog.c: Orignally from |
| Bin Li: Fix possible memory corruption in binsanitize(). |
| |
| * src/racoon/crypto_openssl.c: From Stephen Bevan: Fix a x509 |
| signature verification memory leak. |
| |
| * src/racoon/: admin.c, racoonctl.c: Originally from Bin Li: Fix a |
| crash with racoonctl logout user. |
| |
| * src/racoon/nattraversal.c: Fix a memory leak in nat-t keepalive |
| code. |
| |
| * src/racoon/handler.c: From Paul Moore: Phase2 message id's should |
| be unique wrt phase1, not globally. |
| |
| 2009-03-13 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/: pfkey.c, remoteconf.h: From Arnaud Ebalard: Fix |
| couple of problems with previous commit. |
| |
| 2009-03-12 he |
| |
| * src/racoon/: isakmp.c, remoteconf.c: When casting to/from a |
| pointer to an integral type (a bad practice, if you ask me), you |
| need to cast via intptr_t for portability. |
| |
| 2009-03-12 Thomas Klausner <wiz@netbsd.org> |
| |
| * src/racoon/racoon.conf.5: New sentence, new line. Avoid marking |
| up punctuation. |
| |
| * src/racoon/racoonctl.8: Bump date for previous. Sort options to |
| establish-sa. Stop using Xo/Xc. |
| |
| 2009-03-12 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/: admin.c, cfparse.y, cftoken.l, crypto_openssl.c, |
| crypto_openssl.h, dnssec.c, dnssec.h, handler.c, handler.h, |
| ipsec_doi.c, ipsec_doi.h, isakmp.c, isakmp.h, isakmp_agg.c, |
| isakmp_base.c, isakmp_ident.c, isakmp_inf.c, isakmp_quick.c, |
| isakmp_var.h, nattraversal.c, oakley.c, oakley.h, racoon.conf.5, |
| racoonctl.8, racoonctl.c, remoteconf.c, remoteconf.h, sockmisc.c, |
| vendorid.c: Support multiple anonymous remotes and decide |
| remoteconf based on identity, received certificates and other |
| information. General code clean up. |
| |
| 2009-03-06 Timo Teras <timo.teras@iki.fi> |
| |
| * src/setkey/: extern.h, parse.y, setkey.c: setkey: fix deleteall |
| in Linux |
| |
| Linux requires SADB_DELETE message to have SPI. So send a |
| SADB_DELETE message for each matching SA. Trac #284. |
| |
| From: Gabriel Somlo <somlo@cmu.edu> |
| |
| 2009-02-16 Timo Teras <timo.teras@iki.fi> |
| |
| * src/libipsec/policy_parse.y: From Paul Moore: Fix a heap |
| corruption bug (yacc return non-null terminated buffer and sprintf |
| writes over bounds). |
| |
| 2009-02-11 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/: isakmp.c, sockmisc.c, sockmisc.h: trac#301: fixed |
| IPsec SAs flush in purge_remote() when NAT-T enabled but no NAT-T on |
| tunnel |
| |
| 2009-02-03 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/isakmp.c: From: Phil Sutter. Fix script environment |
| variables with IPv6 addresses. |
| |
| 2009-01-26 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/main.c: Argument parsing needs lcconf initialized. |
| |
| 2009-01-24 Thomas Klausner <wiz@netbsd.org> |
| |
| * src/racoon/racoonctl.c: Sort options in usage. |
| |
| * src/racoon/racoonctl.8: Sort options. New sentence, new line. |
| |
| * src/racoon/racoon.8: Sort options. |
| |
| 2009-01-23 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/: racoonctl.8, racoonctl.c: Update usage and manpage |
| for racoonctl. |
| |
| * src/racoon/: main.c, racoon.8: Racoon -v to print version and |
| compilation information. Update usage message. |
| |
| * NEWS: Update NEWS with major changes since 0.7 release. |
| |
| * src/racoon/schedule.c: Fix monotonic scheduler change, to not |
| refresh 'now' before exit. Otherwise we can return negative timeout |
| after spending time handling other events. |
| |
| * src/racoon/: handler.c, pfkey.c: From Arnaud Ebalard: Handle |
| reception of MIGRATE message during Phase 1 and Phase 2 negotiation. |
| Also corrects some debugging statements. |
| |
| * src/racoon/pfkey.c: From Arnaud Ebalard: On the responder (for |
| instance), there is a need to not only migrate local and remote |
| addresses of Phase 1 that match previous addresses but also the |
| local and remote addresses of a Phase 1 *associated* with a migrated |
| Phase 2. For instance, we have that need when receiving the first |
| MIGRATE/KMADDRESS message because the old addresses are still the |
| HoA and the address of the HA (while the peer has contacted us using |
| the CoA and we have negotiated this address as src attribute in |
| Phase 2). The patch fixes that by having migrate_ph1_ike_addresses() |
| called from migrate_ph2_ike_addresses() callback. |
| |
| * src/racoon/isakmp_quick.c: From Arnaud Ebalard: Set phase2 spid |
| when acting as responder. |
| |
| * configure.ac, src/racoon/handler.c, src/racoon/handler.h, |
| src/racoon/isakmp_inf.c, src/racoon/isakmp_xauth.c, |
| src/racoon/schedule.c, src/racoon/schedule.h, |
| src/racoon/throttle.c, src/racoon/throttle.h: Detect if monotonic |
| system clock is available, and use it for relative time measurements |
| to avoid complite hang if time jumps backwards. |
| |
| * src/racoon/: cfparse.y, ipsec_doi.c, isakmp.c, isakmp_agg.c, |
| isakmp_base.c, isakmp_cfg.c, isakmp_ident.c, isakmp_xauth.c, |
| oakley.c, oakley.h: Fix authentication method ambiguity by |
| internally using unique ID and setting/interpreting the wire format |
| based on received vendor ID:s. Fixes trac #280. |
| |
| * src/racoon/: handler.h, isakmp_agg.c, isakmp_base.c, |
| isakmp_ident.c, vendorid.c, vendorid.h: Introduce vendorid |
| bitmask that can be used otherwhere to detect peer capabilities. |
| |
| * configure.ac, src/racoon/admin.c, src/racoon/evt.c, |
| src/racoon/grabmyaddr.c, src/racoon/isakmp.c, src/racoon/pfkey.c, |
| src/racoon/session.c, src/racoon/session.h: Remove "fastquit" |
| configure option and make it the default behaviour. The previous |
| normal behaviour is buggy, as after flush kernel can immediately |
| create larval SA:s which would prevent exit. |
| |
| 2009-01-20 Timo Teras <timo.teras@iki.fi> |
| |
| * Makefile.am, misc/cvs2cl.pl, misc/cvsusermap: Autogenerate |
| ChangeLog from NetBSD CVS. Put sourceforge.net changes to |
| ChangeLog.old. |
| |
| 2009-01-10 Thomas Klausner <wiz@netbsd.org> |
| |
| * src/racoon/racoon.conf.5: Make ready for HTML output. Use proper |
| escape for backslash ('\e'). |
| |
| 2009-01-10 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/: crypto_openssl.c, racoon.conf.5: From Cyrus Rahman: |
| Accept RFC2253 compliant escaped special characters for asn1dn |
| identifier. |
| |
| 2009-01-09 Timo Teras <timo.teras@iki.fi> |
| |
| * configure.ac: Fix a CPPLAGS typo to CPPFLAGS which was intended |
| |
| 2009-01-05 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/: cfparse.y, cftoken.l, racoon.conf.5: Remove obsolete |
| configuration options, fix radius configuration block and add GRE as |
| recognized protocol. |
| |
| * src/racoon/session.c: Do not use counting in signal handling as |
| it was unsafe by not using atomic functions (post increment is not |
| necessarily atomic). Instead reap all children on SIGCHLD as that |
| was the only signal needing signal counting. |
| |
| 2008-12-30 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/session.c: schedular() call can now modify fd mask so |
| make the working copy just before calling select(); otherwise it can |
| contain bad file descriptors |
| |
| 2008-12-29 Michael van Elst <mlelstv@netbsd.org> |
| |
| * src/setkey/parse.y: support icmp codes. Fixes PR 39056. |
| |
| 2008-12-24 Christos Zoulas <christos@netbsd.org> |
| |
| * src/racoon/grabmyaddr.c: remove sin{6,}_len linux does not have |
| it. From Timo Teras. |
| |
| * src/racoon/grabmyaddr.c: I was wrong. addr is actually set. |
| |
| * src/racoon/grabmyaddr.c: |
| - make this compile by zeroing out the whole structure not just |
| bogus fields. |
| - set length field of sockets appropriately. |
| - mark bogus no-op code (I don't understand what the author intended |
| here). |
| |
| 2008-12-23 Thomas Klausner <wiz@netbsd.org> |
| |
| * src/racoon/racoon.conf.5: Bump date for identity configuration |
| option removal. |
| |
| 2008-12-23 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/: cfparse.y, cftoken.l, ipsec_doi.c, localconf.c, |
| localconf.h, racoon.conf.5: Remove the obsoleted global identity |
| configuration option. |
| |
| * src/racoon/: admin.c, admin_var.h, cfparse.y, debug.h, evt.c, |
| evt.h, grabmyaddr.c, grabmyaddr.h, handler.c, isakmp.c, |
| isakmp_inf.c, isakmp_var.h, localconf.c, localconf.h, main.c, |
| nattraversal.c, pfkey.c, pfkey.h, privsep.c, session.c, |
| session.h: rewrite local address detection make some functions |
| static that arr not needed globally rework how fd_set is |
| construction for the main loop select() |
| |
| 2008-12-18 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/pfkey.c: From Arnaud Ebalard: Delete larval ph2handles |
| when expire with hard lifetime received |
| |
| 2008-12-16 Timo Teras <timo.teras@iki.fi> |
| |
| * README: Update README |
| |
| * src/racoon/pfkey.c: Fix transport mode address selection in |
| acquire handling. Some earlier fixes got lost on 2008-12-05 commit. |
| |
| 2008-12-11 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/grabmyaddr.c: Fixed compilation on FreeBSD (RTM_IFINFO |
| and RTM_OIFINFO stuff) |
| |
| * src/racoon/isakmp.c: Fixed compilation when DPD support is |
| disabled |
| |
| 2008-12-08 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/: pfkey.c, privsep.c, privsep.h: Do not cache pfkey |
| sockets: it might cause to not handle some pfkey events when |
| select() has marked pfkey socket readable, but a timer callback |
| first calls pfkey_dump_sadb(). |
| |
| 2008-12-05 Timo Teras <timo.teras@iki.fi> |
| |
| * src/: libipsec/key_debug.c, libipsec/libpfkey.h, |
| libipsec/pfkey.c, racoon/handler.c, racoon/handler.h, |
| racoon/ipsec_doi.c, racoon/isakmp.c, racoon/isakmp_quick.c, |
| racoon/pfkey.c, racoon/policy.c, racoon/policy.h: From Arnaud |
| Ebalard: Improved Mobile IPv6 support per |
| draft-ebalard-mext-pfkey-enhanced-migrate. |
| |
| 2008-12-04 Christoph Badura <bad@netbsd.org> |
| |
| * src/racoon/privsep.c: Fix typo in previous and use SIG_IGN as I |
| intended. |
| |
| 2008-12-02 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/session.c: Explicitly ignore SIGPIPE. Default action |
| on Linux is terminate. |
| |
| 2008-11-28 Thomas Klausner <wiz@netbsd.org> |
| |
| * src/racoon/racoon.conf.5: Remove empty line. Fix typo. New |
| sentence, new line. |
| |
| 2008-11-27 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/main.c: Set up a default value for Mode Config Pool |
| size if pool address specified but pool size not specified |
| |
| * src/racoon/isakmp_cfg.c: Fixed pool resizing |
| |
| 2008-11-27 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/pfkey.c: From Arnaud Ebalard: Remove MAXNESTEDSA |
| weirdness. It's probably meant for bundle support which is not done. |
| When someone actually writes bundle support, the nested SA stuff |
| would probably be reworked too anyway. |
| |
| * src/: libipsec/libpfkey.h, libipsec/pfkey.c, racoon/cfparse.y, |
| racoon/cftoken.l, racoon/localconf.c, racoon/localconf.h, |
| racoon/pfkey.c, racoon/racoon.conf.5: From: Matthew Krenzer |
| Ability to set pfkey socket buffer size via configuration file |
| directive. (Indentation and minor fixes by me.) |
| |
| 2008-11-25 Christoph Badura <bad@netbsd.org> |
| |
| * src/racoon/: evt.c, privsep.c, session.c: Avoid using |
| MSG_NOSIGNAL as it is not available everywhere. Ignore SIGPIPE |
| instead. |
| |
| * src/racoon/grabmyaddr.c: Ignore unspecified and looback |
| addresses. Ignoring unspecified addresses prevents racoon from |
| trying to bind to the wildcard address and specific addresses |
| simultaneously after e.g. dhclient has changed an interface's |
| address to 0.0.0.0. |
| |
| * src/racoon/grabmyaddr.c: RTM_DELETE and RTM_IFINFO don't carry |
| info for added or deleted addresses. Ignore them silently. |
| |
| * src/racoon/grabmyaddr.c: Ignoring an unsuitable address is not an |
| error. Therefore log it as informational. Make it clear from the |
| log message that a route message is not interesting. |
| |
| * src/racoon/grabmyaddr.c: Use insmyaddr() instead of open coding |
| it. |
| |
| * src/racoon/isakmp.c: Do not return erroneously from isakmp_open() |
| when setting IPV6_USE_MIN_MTU fails. |
| |
| * src/racoon/: grabmyaddr.c, isakmp.c: Keep myaddr.sock at -1 when |
| no socket is opened. |
| |
| 2008-11-08 Christoph Badura <bad@netbsd.org> |
| |
| * src/racoon/samples/roadwarrior/client/: phase1-down.sh, |
| phase1-up.sh: Preserve owner and permissions of original |
| /etc/resolv.conf. Ensure that new /etc/resolv.conf isn't group or |
| world writable. |
| |
| * src/racoon/samples/roadwarrior/client/: phase1-down.sh, |
| phase1-up.sh: Print and check INTERNAL_NETMASK4. |
| |
| * src/racoon/samples/roadwarrior/client/: phase1-down.sh, |
| phase1-up.sh: Make the handling of NAT-T SPD entries automatic. |
| |
| * src/racoon/samples/roadwarrior/client/: phase1-down.sh, |
| phase1-up.sh: Ensure that the determination of the default |
| gateway and the corresponding interface don't get confused by |
| multiple, possibly non-IPv4 default routes. Bring the NetBSD case |
| of deleting the VPN routes and address in line with the Linux case |
| and delete the address after deleting the VPN routes. |
| |
| 2008-11-06 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/sainfo.c: fixed delsainfo() to avoid a crash when |
| iddst's value is SAINFO_CLIENTADDR |
| |
| 2008-10-29 S.P.Zeidler <spz@netbsd.org> |
| |
| * src/racoon/ipsec_doi.c: Changes to ipsecdoi_id2str(): |
| |
| struct sockaddr -> struct sockaddr_storage fixes a stack overflow |
| |
| For non-linklocal addresses the value in 'scope' is garbage and gets |
| set to zero instead. |
| |
| 2008-10-27 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/pfkey.c: From Arnaud Ebalard: Add missing return to |
| error path |
| |
| * src/racoon/grabmyaddr.c: From Francis Dupont (sent by Arnaud |
| Ebalard): recognize RTM_IFANNOUNCE |
| |
| * src/racoon/grabmyaddr.c: From Arnaud Ebalard: Fix indentation |
| issues for readability |
| |
| * src/racoon/session.c: From Arnaud Ebalard: initfds() needs to be |
| called only if monitored file descriptor numbers have changed |
| |
| * src/racoon/isakmp_var.h: From Arnaud Ebalard: Remove duplicate |
| declaration |
| |
| 2008-10-23 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/: privsep.c, session.c, session.h: From Krzysztof |
| Piotr Oledzki <olel@ans.pl>: Revert parts of 2008-08-06 commit; the |
| problem those changes address are already handled in a sensible way |
| by Cyrus Rahman's patch from 2008-03-06. |
| |
| 2008-10-09 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/isakmp_quick.c: From Arnaud Ebalard: remove |
| unnecessary unbindph12() call which is now done in remph2() |
| |
| 2008-09-25 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/isakmp.c: Fixed resending mechanism to have non-ESP |
| marker for retransmitted packets |
| |
| 2008-09-19 Thomas Klausner <wiz@netbsd.org> |
| |
| * src/racoon/racoon.conf.5: New sentence, new line. |
| |
| 2008-09-19 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/: admin.c, cfparse.y, cftoken.l, handler.c, handler.h, |
| isakmp.c, isakmp_cfg.c, isakmp_inf.c, isakmp_quick.c, |
| isakmp_var.h, isakmp_xauth.c, pfkey.c, proposal.c, racoon.conf.5, |
| remoteconf.c, remoteconf.h: Implement ISAKMP SA rekeying |
| configurable with rekey {on|off|force} option in remote conf. |
| |
| * src/racoon/: handler.c, handler.h, isakmp.c, isakmp_inf.c, |
| isakmp_quick.c, isakmp_var.h, isakmp_xauth.c, isakmp_xauth.h, |
| nattraversal.c, pfkey.c, pfkey.h, schedule.c, schedule.h, |
| session.c: Change struct sched to be allocated be the caller to |
| avoid some memory allocations. Optimize scheduling algorithm to not |
| scan all entries in the main loop. |
| |
| 2008-09-17 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/isakmp_inf.c: Fixed port match in purge_ipsec_spi() |
| when NAT-T enabled and trying to purge non NAT-T SAs |
| |
| 2008-09-09 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/pfkey.c: Some calls to set_port() were not correctly |
| updated in the previous commit |
| |
| 2008-09-03 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/pfkey.c: From Tomas Mraz: Duplicate addresses in |
| pk_sendxxx functions, as they may be altered for NAT-T stuff. |
| |
| 2008-09-03 Timo Teras <timo.teras@iki.fi> |
| |
| * src/: libipsec/pfkey.c, racoon/pfkey.c, racoon/sockmisc.c: |
| - Fix reloading of SPD (Linux satype check, handling of SPD dump |
| responses) |
| - Remove some spurious error log message from extract_port() |
| |
| 2008-08-29 Gregory McGarry <gmcgarry@netbsd.org> |
| |
| * src/racoon/isakmp.c: Eliminate gcc-specific feature of empty |
| structures. |
| |
| * src/racoon/evt.h: Eliminate superfluous semicolon. |
| |
| * src/racoon/: admin.c, admin.h: Eliminate gcc-specific feature of |
| unnamed structures added recently. |
| |
| 2008-08-12 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/isakmp.c: From Krzysztof Piotr Oledzki: Remove |
| ph1handler if we received an invalid first exchange from initiator. |
| |
| 2008-08-06 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/: privsep.c, session.c, session.h: From Krzysztof |
| Piotr Oledzki: Make privileged process exit if unprivileged process |
| is terminated and some spelling fixes. |
| |
| 2008-07-23 Matthew Grooms <mgrooms@shrew.net> |
| |
| * src/racoon/: cfparse.y, session.c: Add some missing ifdefs |
| required for non-radius enabled builds. |
| |
| 2008-07-23 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/Makefile.am: Do not use GNU make specific extension. |
| |
| * src/: libipsec/Makefile.am, racoon/Makefile.am, |
| setkey/Makefile.am: Do flex/bison invocation in a more standard |
| way, and keep the generated files in the dist tarball. |
| |
| 2008-07-22 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/proposal.c: From Kohki Ohhira: fix some memory leaks, |
| when malloc fails or when peer sends invalid proposal. |
| |
| 2008-07-22 Matthew Grooms <mgrooms@shrew.net> |
| |
| * src/racoon/: cfparse.y, cftoken.l, isakmp_cfg.c, isakmp_xauth.c, |
| isakmp_xauth.h, main.c, racoon.conf.5, session.c: Add an optional |
| radius configuration section to the racoon.conf file. This is |
| similar to the the LDAP configuration section and overrides settings |
| in the system radius configuration file. |
| |
| 2008-07-21 Matthias Scheler <tron@netbsd.org> |
| |
| * src/racoon/cfparse.y: Correct typo to fix the build. |
| |
| 2008-07-21 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/: isakmp_agg.c, isakmp_base.c, isakmp_ident.c, |
| vendorid.c, vendorid.h: Separate generic vendor id handling to a |
| new function and use it. |
| |
| * src/racoon/cfparse.y: Do not set default gss id if xauth is used, |
| otherwise gss-id attribute might be sent even if it was not |
| requested. |
| |
| 2008-07-15 Matthew Grooms <mgrooms@shrew.net> |
| |
| * src/racoon/isakmp_cfg.c: Fix an a typo that prevented racoon from |
| building with hybrid enabled. |
| |
| * src/racoon/: crypto_openssl.c, eaytest.c, misc.c, misc.h, |
| racoonctl.c: Fix a conflict with the FreeBSD 8 system hexdump |
| function. |
| |
| 2008-07-14 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/: handler.h, ipsec_doi.c, ipsec_doi.h, isakmp_quick.c, |
| pfkey.c: Handle RESPONDER-LIFETIME notification in quick mode. |
| |
| * src/racoon/: handler.h, isakmp.c, isakmp_agg.c, isakmp_ident.c, |
| isakmp_inf.c, isakmp_inf.h, isakmp_quick.c, strnames.c: Clean up |
| notification payload handling. Handle INITIAL-CONTACT notification |
| in last main mode exchange (delayed) and during quick mode |
| exchanges. |
| |
| 2008-07-11 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/: isakmp.c, isakmp_inf.c: Original patch from Atis |
| Elsts: Fix a double memory free and a memory corruption |
| (LIST_REMOVE() on an uninserted node) in some error handling paths. |
| |
| 2008-07-09 Timo Teras <timo.teras@iki.fi> |
| |
| * src/racoon/cfparse.y: From Chong Peng: fix a file descriptor and |
| memory leak on configuration file reread |
| |
| 2008-07-02 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/isakmp_inf.c: From Timo Teras: fix some %d to %zu |
| (size_t values) |
| |
| 2008-06-18 Thomas Klausner <wiz@netbsd.org> |
| |
| * src/racoon/racoonctl.8: Bump date for previous. |
| |
| 2008-06-18 Matthew Grooms <mgrooms@shrew.net> |
| |
| * src/racoon/: admin.c, admin.h, racoonctl.8, racoonctl.c: Add an |
| admin port command to retrieve the peer certificate. Submitted by |
| Timo Teras. |
| |
| * src/racoon/: admin.c, grabmyaddr.c, isakmp.c, misc.c, misc.h: Set |
| sockets to be closed on exec to avoid potential file descriptor |
| inheritance issues. Submitted by Timo Teras. |
| |
| * src/racoon/: admin.c, grabmyaddr.c, ipsec_doi.c, isakmp.c, |
| isakmp_cfg.c, isakmp_inf.c, privsep.c, remoteconf.c: Use utility |
| functions to evaluate and manipulate network port values. No |
| functional changes. Submitted by Timo Teras. |
| |
| * src/racoon/: admin.c, racoonctl.c: Admin port code cleanup. No |
| functional changes. Submitted by Timo Teras. |
| |
| * src/racoon/pfkey.c: Correct a phase2 status event. Submitted by |
| Timo Teras. |
| |
| 2008-05-24 Christos Zoulas <christos@netbsd.org> |
| |
| * src/racoon/privsep.c: Coverity CID 5018: Fix double frees. |
| |
| 2008-05-08 Emmanuel Dreyfus <manu@netbsd.org> |
| |
| * configure.ac: From Christian Hohnstaedt: allow out of tree |
| building |
| |
| 2008-04-30 Martin Husemann <martin@netbsd.org> |
| |
| * netbsd-import.sh: Convert TNF licenses to new 2 clause variant |
| |
| 2008-04-25 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/isakmp_inf.c: From Timo Teras: extract port numbers |
| from SADB_X_EXT_NAT_T[SD]PORT if present in purge_ipsec_spi(). |
| |
| 2008-04-13 Christos Zoulas <christos@netbsd.org> |
| |
| * src/racoon/privsep.c: for symmetry set controllen the same way we |
| set it on the receiving side. |
| |
| 2008-04-02 Emmanuel Dreyfus <manu@netbsd.org> |
| |
| * src/racoon/: Makefile.am, sockmisc.c, sockmisc.h: fix Linux build |
| |
| 2008-03-28 Christos Zoulas <christos@netbsd.org> |
| |
| * src/racoon/privsep.c: properly fix the variable stack allocation |
| code. |
| |
| 2008-03-28 Emmanuel Dreyfus <manu@netbsd.org> |
| |
| * src/racoon/privsep.c: Still from Cyrus Rahman: fix file |
| descriptor leak introduced by previous commit. |
| |
| * src/racoon/: Makefile.am, isakmp.c, isakmp_inf.c, privsep.c, |
| privsep.h, sockmisc.c, doc/README.privsep: From Cyrus Rahman: |
| Allow interface reconfiguration when running in privilege separation |
| mode, document privilege separation |
| |
| 2008-03-06 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/oakley.c: Generates a log if cert validation has been |
| disabled by configuration |
| |
| 2008-03-06 Emmanuel Dreyfus <manu@netbsd.org> |
| |
| * src/racoon/: privsep.c, session.c: From Cyrus Rahman |
| <crahman@gmail.com> privilegied instance exit when unprivilegied one |
| terminates. Save PID in real root, not in chroot |
| |
| 2008-03-06 Matthew Grooms <mgrooms@shrew.net> |
| |
| * src/racoon/: admin.c, isakmp.c, isakmp_var.h, pfkey.c, |
| racoonctl.8, racoonctl.c: Add the ability to initiate IPsec SA |
| negotiations using the admin socket. Submitted by Timo Teras. |
| |
| * src/racoon/: admin.c, admin.h, evt.c, evt.h, handler.c, |
| handler.h, isakmp.c, isakmp_agg.c, isakmp_base.c, isakmp_cfg.c, |
| isakmp_ident.c, isakmp_inf.c, isakmp_var.h, isakmp_xauth.c, |
| racoonctl.8, racoonctl.c, session.c: Refactor admin socket event |
| protocol to be less error prone. Backwards compatibility is |
| provided. Submitted by Timo Teras. |
| |
| 2008-03-05 Matthew Grooms <mgrooms@shrew.net> |
| |
| * src/racoon/cfparse.y: Properly initialize the unity network |
| struct to prevent erroneous protocol and port info from being |
| transmitted. |
| |
| * src/racoon/: pfkey.c, pfkey.h, session.c: Reload SPD on SIGHUP or |
| adminport reload. Also provide better handling for pfkey socket read |
| errors. Submitted by Timo Teras. |
| |
| 2008-02-25 Emmanuel Dreyfus <manu@netbsd.org> |
| |
| * src/racoon/ipsec_doi.c: From Brian Haley <brian.haley@hp.com> |
| There's a cut/paste error in cmp_aproppair_i(), it's supposed to be |
| checking spi_size but it's not. I'm not sure this patch is correct, |
| but what's there isn't either. |
| |
| 2008-02-22 Emmanuel Dreyfus <manu@netbsd.org> |
| |
| * src/racoon/isakmp.c: Fix address length, from Brian Haley |
| |
| 2008-02-10 S.P.Zeidler <spz@netbsd.org> |
| |
| * src/racoon/ipsec_doi.c: closes PR bin/37644 did not meet violent |
| opposition ( :) ) on ipsec-tools-devel |
| |
| 2008-01-11 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/isakmp_inf.c: From Timo Teras: reset iph1->dpd_r_u in |
| the scheduler's callback, to avoid access to freed memory. |
| |
| * src/racoon/crypto_openssl.c: From Krzysztof Oledzki: Fix |
| compilation with IDEA and recent gcc. |
| |
| * src/racoon/isakmp_inf.c: From Krzysztof Oledzki: added some |
| details to some logs (also reported new getph1byaddr() arg). |
| |
| * src/racoon/isakmp.c: From Krzysztof Oledzki: Only search for |
| established ph1 handles in DPD (also reported new getph1byaddr() |
| arg). |
| |
| * src/racoon/: handler.c, handler.h: added an 'established' arg to |
| getph1byaddr() |
| |
| 2007-12-31 Matthew Grooms <mgrooms@shrew.net> |
| |
| * src/racoon/: policy.c, racoonctl.8, racoonctl.c: Add GRE protocol |
| number to racoonctl. Correct id wildcard matching for transport |
| mode. Submitted by Timo Teras. |
| |
| 2007-12-12 Matthew Grooms <mgrooms@shrew.net> |
| |
| * NEWS, src/racoon/isakmp_quick.c: Add corrections submitted in a |
| follow up patch for the nat-t oa support. |
| |
| * src/racoon/: handler.c, handler.h, isakmp_quick.c, pfkey.c: Add |
| support for nat-t oa payload handling. Submitted by Timo Teras. |
| |
| 2007-12-04 Matthew Grooms <mgrooms@shrew.net> |
| |
| * src/racoon/: ipsec_doi.c, ipsec_doi.h, isakmp_quick.c: Modify |
| ipsecdoi_sockaddr2id() to obtain an id without specifying the exact |
| prefix length. Correct a memory leak in phase2. Both submitted by |
| Timo Teras. |
| |
| 2007-12-01 Thomas Klausner <wiz@netbsd.org> |
| |
| * src/racoon/racoon.conf.5: Fix typos. New sentence, new line. |
| |
| 2007-11-29 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/Makefile.am: From Natanael Copa: fixed a race |
| condition when building yacc stuff. |
| |
| 2007-11-09 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/pfkey.c: From Arnaud Ebalard: Some sanity checking in |
| pk_recv() |
| |
| * src/racoon/policy.c: From Arnaud Ebalard: Better matching of SPD |
| entries in getsp_r(). |
| |
| * src/racoon/isakmp_quick.c: From Arnaud Ebalard: Added some debug |
| in get_proposal_r(). |
| |
| 2007-10-19 Emmanuel Dreyfus <manu@netbsd.org> |
| |
| * src/racoon/: isakmp_cfg.c, isakmp_unity.c, isakmp_unity.h, |
| racoon.conf.5: Add SPLITNET_{INCLUDR_LOCAL}_CIDR to hook scripts |
| |
| 2007-10-15 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/libipsec/pfkey.c: Try to increase the buffer size of the |
| pfkey socket, this may help things when we have a huge SPD |
| |
| 2007-10-02 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/crypto_openssl.c: From Scott Lamb: include plog.h to |
| work with the new plog macro. |
| |
| * src/racoon/kmpstat.c: From Scott Lamb: plog changed to _plog to |
| work with new plog macro |
| |
| * src/racoon/: plog.c, plog.h: From Scott Lamb: new plog macro. |
| |
| 2007-09-19 Matthew Grooms <mgrooms@shrew.net> |
| |
| * src/racoon/isakmp.c: Set REUSE option on sockets to prevent |
| failures associated with closing and immediately re-opening. |
| Submitted by Gabriel Somlo. |
| |
| * src/racoon/isakmp_unity.c: Prevent duplicate entries in splitnet |
| list. Submitted by Gabriel Somlo. |
| |
| 2007-09-13 Matthew Grooms <mgrooms@shrew.net> |
| |
| * configure.ac: Fix autoconf check for selinux support. Submitted |
| by Joy Latten. |
| |
| 2007-09-12 Matthew Grooms <mgrooms@shrew.net> |
| |
| * src/racoon/: cfparse.y, cftoken.l, handler.c, isakmp_quick.c, |
| pfkey.c, racoon.conf.5, sainfo.c, sainfo.h: Implement clientaddr |
| sainfo remote id option and refine the sainfo man page syntax. |
| |
| 2007-09-05 Matthew Grooms <mgrooms@shrew.net> |
| |
| * src/racoon/sainfo.c: Sort sainfo sections on insert and improve |
| matching logic. |
| |
| 2007-09-03 Matthew Grooms <mgrooms@shrew.net> |
| |
| * src/racoon/: cftoken.l, racoon.conf.5: Correct the syntax for |
| wins4 in the man page and add nbns4 as an alias. Pointed out by |
| Claas Langbehn. |
| |
| 2007-08-07 Emmanuel Dreyfus <manu@netbsd.org> |
| |
| * src/racoon/isakmp_xauth.c: src/racoon/isakmp_xauth.c: Don't mix |
| up RADIUS authentication and authorization ports. Allow |
| interoperability with freeradius |
| |
| 2007-07-24 Matthew Grooms <mgrooms@shrew.net> |
| |
| * NEWS: Update NEWS file with additional 0.7 improvements. |
| |
| 2007-07-18 Matthew Grooms <mgrooms@shrew.net> |
| |
| * src/racoon/racoon.conf.5: Various racoon configuration manpage |
| updates. |
| |
| 2007-07-18 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * configure.ac, src/libipsec/ipsec_dump_policy.c, |
| src/libipsec/ipsec_get_policylen.c, |
| src/libipsec/ipsec_strerror.c, src/libipsec/key_debug.c, |
| src/libipsec/libpfkey.h, src/libipsec/pfkey.c, |
| src/libipsec/pfkey_dump.c, src/libipsec/policy_parse.y, |
| src/libipsec/policy_token.l, src/libipsec/test-policy-priority.c, |
| src/racoon/admin.c, src/racoon/backupsa.c, src/racoon/cfparse.y, |
| src/racoon/cftoken.l, src/racoon/ipsec_doi.c, |
| src/racoon/isakmp.c, src/racoon/isakmp_inf.c, |
| src/racoon/isakmp_quick.c, src/racoon/pfkey.c, |
| src/racoon/policy.c, src/racoon/proposal.c, |
| src/racoon/remoteconf.c, src/racoon/sainfo.c, |
| src/racoon/session.c, src/racoon/sockmisc.c, |
| src/racoon/strnames.c, src/setkey/parse.y, src/setkey/setkey.c, |
| src/setkey/token.l: use a single PATH_IPSEC_H to fix some |
| path_to_ipsec.h issues |
| |
| 2007-07-16 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/grabmyaddr.c: fixed a socket leak |
| |
| * src/racoon/proposal.c: indentation |
| |
| 2007-06-07 Emmanuel Dreyfus <manu@netbsd.org> |
| |
| * src/racoon/isakmp_cfg.c: From Paul Winder |
| <Paul.Winder@tadpole.com>: Fix ignored INTERNAL_DNS4_LIST |
| |
| 2007-06-06 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/: eaytest.c, var.h: From Rong-En Fan: fix compilation |
| with gcc 4.2 |
| |
| * src/racoon/session.c: From Jianli Liu: speed up interfaces update |
| when they change. |
| |
| * src/racoon/handler.c: ignore obsolete lifebyte when validating |
| reloaded configuration |
| |
| 2007-05-31 Emmanuel Dreyfus <manu@netbsd.org> |
| |
| * src/racoon/: main.c, policy.h, security.c: From Joy Latten |
| <latten@austin.ibm.com> Fix file descriptor shortage when using |
| labeled IPsec. |
| |
| 2007-05-30 Emmanuel Dreyfus <manu@netbsd.org> |
| |
| * src/racoon/kmpstat.c: From Jianli Liu <jlliu@nortel.com>: In |
| racoonctl, use the specified socket path instead of the default |
| location |
| |
| 2007-05-16 Christos Zoulas <christos@netbsd.org> |
| |
| * src/racoon/cfparse.y: coverity CID 4168: yyerror() does not |
| return, so we proceed to de-reference NULL. Make it return -1 |
| instead like in other places. |
| |
| * src/racoon/cfparse.y: coverity CID 4170: yyerror() does not |
| return, so we proceed to de-reference NULL. Make it return -1 |
| instead like in other places. |
| |
| 2007-05-04 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/handler.c: search a ph1 by address if iph2->ph1 is |
| NULL when validating the new config |
| |
| * src/racoon/handler.c: added some debug in getph1byaddr() to track |
| some port matching problems with NAT-T |
| |
| * src/racoon/isakmp.c: added some debug in isakmp_chkph1there() to |
| track some port matching problems with NAT-T |
| |
| * src/racoon/isakmp_inf.c: added some debug for DELETE_SA process |
| |
| * src/racoon/pfkey.c: Force the update of ph2 in pk_recvupdate() if |
| NAT_T support, to solve some port match problems with the first |
| IPSec SAs negociated as initiator |
| |
| 2007-04-04 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/ipsec_doi.c: checks proto_id in ipsecdoi_chkcmpids() |
| |
| * src/racoon/oakley.c: dumps peer's ID and peer's certificate |
| subject /subjectaltname if they don't match |
| |
| 2007-03-26 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/isakmp_inf.c: Store the DPD main scheduler in ph1 |
| handler, to be able to cancel it when removing the handler, and some |
| minor cleanups in DPD code |
| |
| 2007-03-24 Christos Zoulas <christos@netbsd.org> |
| |
| * src/racoon/isakmp_xauth.c: PR/36069: Huang Yushuo: racoon can't |
| work with pam_group Set RUSER. |
| |
| 2007-03-23 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/: ipsec_doi.c, security.c: From Joy Latten: fix a |
| segfault when using security labels between 32bit and 64bit host. |
| |
| * src/racoon/handler.c: expire zombie handlers in getph2byid(), to |
| avoid situations where we'll never negociate a phase2 again |
| |
| * src/racoon/: oakley.c, racoon.conf.5: From Cyrus Rahman: give |
| more details about what is checked when using certificates to |
| authenticate |
| |
| 2007-03-22 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/: cfparse.y, ipsec_doi.c: fixed subnet check to |
| generate IPV4_ADDRESS when needed in sockaddr2id() |
| |
| 2007-03-21 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/: handler.c, isakmp.c, isakmp_inf.c, pfkey.c: NULL |
| sched check is now done in SCHED_KILL |
| |
| * src/racoon/schedule.h: checks if arg is NULL in SCHED_KILL |
| |
| 2007-03-15 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/grabmyaddr.c: From Yves-Alexis Perez: enable |
| monitoring of ipv6 address changes on Linux. |
| |
| * src/racoon/isakmp.c: Consider a negociation timeout when |
| retry_counter is <=0 instead of < 0 |
| |
| 2007-02-28 Matthew Grooms <mgrooms@shrew.net> |
| |
| * src/racoon/ipsec_doi.c: Add logic to allow ip address ids to be |
| matched to ip subnet ids when appropriate. |
| |
| 2007-02-21 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/ipsec_doi.c: block variable declaration before code in |
| ipsecdoi_id2str() |
| |
| 2007-02-20 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/isakmp_inf.c: Removed a debug printf.... |
| |
| * src/racoon/isakmp.c: Only delete a generated SPD if it's creation |
| date matches the creation date of the SA we are currently deleting |
| |
| * src/racoon/: handler.c, isakmp_var.h: updated delete_spd() calls |
| |
| * src/racoon/: isakmp_inf.c, pfkey.c: fills creation date of |
| generated SPDs |
| |
| * src/racoon/policy.h: added 'created' var |
| |
| 2007-02-19 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/isakmp.c: Removed a debug printf.... |
| |
| 2007-02-16 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/ipsec_doi.c: From Olivier Warin: Fix a %zu in a |
| printf. |
| |
| 2007-02-15 Emmanuel Dreyfus <manu@netbsd.org> |
| |
| * src/racoon/security.c: Missing SELinux file |
| |
| * configure.ac: Missing stuff for SELinux |
| |
| 2007-02-15 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/isakmp_inf.c: From "Uncle Pedro" on sf.net: Just |
| expire a ph1 handle when receiving a DELETE-SA instead of calling |
| purge_remote(). |
| |
| * src/racoon/isakmp.c: Fixed the way phase1/2 messages are |
| sent/resent, to avoid zombie handles and acces to freed memory |
| |
| 2007-02-02 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/cfparse.y: Fixed a check of NAT-T support in libipsec |
| |
| 2007-02-01 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/isakmp_inf.c: From "Uncle Pedro" on sf.net: When |
| receiving an ISAKMP DELETE_SA, get the cookie of the SA to be |
| deleted from payload instead of just deleting the ISAKMP SA used to |
| protect the informational exchange. |
| |
| 2006-12-26 Arnaud Lacombe <alc@netbsd.org> |
| |
| * src/racoon/ipsec_doi.c: CID-4167: check for 'iph1->approval != |
| NULL' |
| |
| 2006-12-23 Thomas Klausner <wiz@netbsd.org> |
| |
| * src/racoon/racoon.conf.5: Use even more macros. |
| |
| * src/racoon/racoon.conf.5: Use more macros. |
| |
| * src/racoon/racoon.conf.5: Serial comma, and bump date for |
| previous. |
| |
| 2006-12-18 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/crypto_openssl.c: From Joy Latten: fix a memory leak |
| |
| 2006-12-10 tag ipsec-tools-0_7-base |
| |
| 2006-12-10 Emmanuel Dreyfus <manu@netbsd.org> |
| |
| * src/: libipsec/Makefile.am, libipsec/libpfkey.h, |
| libipsec/pfkey.c, racoon/backupsa.c, racoon/cfparse.y, |
| racoon/pfkey.c: Bring back API and ABI backward compatibility |
| with previous libipsec before recent interface change. Bump libipsec |
| minor version. Remove ifdefs in struct pfkey_send_sa_args to avoid |
| ABI compatibility lossage. Add a capability flags to detect missing |
| optional feature in libipsec |
| |
| * src/racoon/: Makefile.am, doc/README.plainrsa: From Joy Latten: |
| README.plainrsa documenting plain RSA auth |
| |
| 2006-12-09 Emmanuel Dreyfus <manu@netbsd.org> |
| |
| * configure.ac, src/libipsec/libpfkey.h, src/libipsec/pfkey.c, |
| src/racoon/Makefile.am, src/racoon/backupsa.c, |
| src/racoon/backupsa.h, src/racoon/cftoken.l, |
| src/racoon/ipsec_doi.c, src/racoon/ipsec_doi.h, |
| src/racoon/isakmp_inf.c, src/racoon/isakmp_quick.c, |
| src/racoon/pfkey.c, src/racoon/policy.c, src/racoon/policy.h, |
| src/racoon/proposal.c, src/racoon/proposal.h, |
| src/racoon/remoteconf.c: From Joy Latten: Add support for SELinux |
| security contexts. Also cleanup the libipsec interface for adding |
| and updating security associations. |
| |
| * src/racoon/racoon.conf.5: From Simon Chang: More hints about |
| plain RSA authentication |
| |
| 2006-12-05 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/: proposal.c, proposal.h, racoon.conf.5: Check keys |
| length regarding proposal_check level |
| |
| 2006-11-16 Matthew Grooms <mgrooms@shrew.net> |
| |
| * src/racoon/sainfo.c: Correct issues associated with anonymous |
| sainfo selection in racoon. |
| |
| 2006-11-09 Christos Zoulas <christos@netbsd.org> |
| |
| * src/racoon/crypto_openssl.c: eliminate the only variable stack |
| array allocation. |
| |
| 2006-10-31 Christian Biere <cbiere@netbsd.org> |
| |
| * src/racoon/sockmisc.c: Don't define the deprecated |
| IPV6_RECVDSTADDR if the "advanced IPv6 API" is used because |
| IPV6_RECVPKTINFO and IPV6_PKTINFO are used to prevent potential bugs |
| in the future just in case that the numeric value of the socket |
| option is ever recycled. |
| |
| 2006-10-22 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/: backupsa.c, cfparse.y: From Michal Ruzicka: fix |
| typos |
| |
| 2006-10-19 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/sainfo.c: From Matthew Grooms: use |
| ipsecdoi_chkcmpids() and changed src/dst to loc/rmt in getsainfo(). |
| |
| * src/racoon/: ipsec_doi.c, ipsec_doi.h: From Matthew Grooms: Added |
| ipsecdoi_chkcmpids() function. |
| |
| 2006-10-09 Emmanuel Dreyfus <manu@netbsd.org> |
| |
| * src/racoon/proposal.c: Fix memory leak (Coverity 3438 and 3437) |
| |
| * src/racoon/isakmp_unity.c: Correctly check read() return value: |
| it's signed (Coverity 1251) |
| |
| 2006-10-06 Emmanuel Dreyfus <manu@netbsd.org> |
| |
| * configure.ac, src/libipsec/pfkey_dump.c, src/racoon/algorithm.c, |
| src/racoon/algorithm.h, src/racoon/cftoken.l, |
| src/racoon/crypto_openssl.c, src/racoon/crypto_openssl.h, |
| src/racoon/eaytest.c, src/racoon/ipsec_doi.c, |
| src/racoon/ipsec_doi.h, src/racoon/oakley.h, src/racoon/pfkey.c, |
| src/racoon/racoon.conf.5, src/racoon/strnames.c, |
| src/setkey/setkey.8, src/setkey/test-pfkey.c, src/setkey/token.l: |
| Camelia cipher support as in RFC 4312, from Tomoyuki Okazaki |
| <okazaki@kick.gr.jp> |
| |
| 2006-10-03 Emmanuel Dreyfus <manu@netbsd.org> |
| |
| * src/racoon/admin.c: fix endianness issue introduced yesterday |
| |
| 2006-10-03 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/racoon.conf.5: Added remoteid/ph1id syntax |
| |
| * src/racoon/: cfparse.y, cftoken.l: Parses remoteid/ph1id values |
| |
| * src/racoon/: handler.c, isakmp_quick.c, pfkey.c, sainfo.c: Uses |
| remoteid/ph1id values |
| |
| * src/racoon/: remoteconf.h, sainfo.h: Added remoteid/ph1id values |
| |
| 2006-10-02 Emmanuel Dreyfus <manu@netbsd.org> |
| |
| * src/racoon/isakmp_base.c: |
| avoid reusing free'd pointer (Coverity 2613) |
| |
| * src/racoon/isakmp_inf.c: Check for NULL pointer (COverity 4175) |
| |
| * src/racoon/isakmp_ident.c: Remove dead code (Coverity 3451) |
| |
| * src/racoon/algorithm.c: Fix array overrun (Coverity 4172) |
| |
| * src/racoon/admin.c: Fix memory leak (Coverity 2002) |
| |
| * src/racoon/: admin.c, isakmp.c, sockmisc.c: Fix memory leak |
| (Coverity 2001), refactor the code to use port get/set functions |
| |
| * src/racoon/admin.c: Avoid reusing free'd pointer (Coverity 4200) |
| |
| * src/racoon/oakley.c: Don't use NULL pointer (Coverity 3443), |
| reformat to 80 char/line |
| |
| 2006-10-02 Tom Spindler <dogcow@netbsd.org> |
| |
| * src/racoon/ipsec_doi.c: If you're going to initialize a pointer, |
| you have to init it with a pointer type, not an int. |
| |
| 2006-10-02 Emmanuel Dreyfus <manu@netbsd.org> |
| |
| * src/racoon/isakmp.c: Don't use NULL pointer (coverity 3439) |
| |
| * src/racoon/ipsec_doi.c: Don't use NULL pointer (Coverity 1334) |
| |
| * src/racoon/pfkey.c: Don't use NULL pointer (Coverity 944) |
| |
| * src/racoon/proposal.c: Don't use NULL pointer (Coverity 941) |
| |
| * src/racoon/racoonctl.c: Don't use NULL pointer (Coverity 942) |
| |
| * src/racoon/sockmisc.c: Don't use null pointer (Coverity 863) |
| |
| 2006-10-01 Emmanuel Dreyfus <manu@netbsd.org> |
| |
| * src/racoon/ipsec_doi.c: FIx memory leak (Coverity 4181) |
| |
| * src/racoon/isakmp.c: Check that iph1->remote is not NULL before |
| using it (Coverity 3436) |
| |
| 2006-09-30 Emmanuel Dreyfus <manu@netbsd.org> |
| |
| * src/racoon/isakmp_agg.c: emove dead code (Coverity 4165) |
| |
| * src/racoon/isakmp_cfg.c: Fix memory leak (Coverity 4179) |
| |
| * src/racoon/samples/roadwarrior/client/: phase1-down.sh, |
| phase1-up.sh: update the scripts for wrorking around routing |
| problems on NetBSD |
| |
| * src/racoon/session.c: Reuse existing code for closing IKE |
| sockets, and avoid screwing things by setting p->sock = -1, which is |
| not expected (Coverity 4173). |
| |
| * src/racoon/admin.c: Do not free id and key, as they are used |
| later |
| |
| 2006-09-29 Emmanuel Dreyfus <manu@netbsd.org> |
| |
| * src/racoon/racoonctl.c: Fix the fix: handle_recv closes the |
| socket, so we must call com_init before sending any data. |
| |
| 2006-09-28 Emmanuel Dreyfus <manu@netbsd.org> |
| |
| * src/racoon/isakmp_xauth.c: Fix unchecked mallocs (Coverity 4176, |
| 4174) |
| |
| * src/racoon/racoonctl.c: Fix access after free (Coverity 4178) |
| |
| 2006-09-26 Emmanuel Dreyfus <manu@netbsd.org> |
| |
| * src/racoon/cfparse.y: Fix memory leak (Coverity) |
| |
| * src/racoon/backupsa.c: Fix memory leak (Coverity) |
| |
| * src/racoon/admin.c: Remove dead code (Coverity) |
| |
| * src/racoon/admin.c: Fix memory leak (Coverity) |
| |
| * src/racoon/admin.c: One more memory leak |
| |
| * src/racoon/admin.c: Fix memory leak in racoonctl (coverity) |
| |
| * src/racoon/ipsec_doi.c: Fix buffer overflow Also fix credits: SA |
| bundle fix was contributed by Jeff Bailey, not Matthew Grooms. |
| Matthew updated the patch for current code, though. |
| |
| * src/racoon/: pfkey.c, proposal.c: fix SA bundle (e.g.: for |
| negotiating ESP+IPcomp) |
| |
| 2006-09-25 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/isakmp.c: From Yves-Alexis Perez: struct ip -> struct |
| iphdr for Linux |
| |
| 2006-09-25 Emmanuel Dreyfus <manu@netbsd.org> |
| |
| * src/racoon/isakmp.c: style (mostly for testing |
| ipsec-tools-commits@netbsd.org) |
| |
| * src/racoon/ipsec_doi.c: Fix double free, from Matthew Grooms |
| |
| 2006-09-21 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/libipsec/pfkey.c: use sysdep_sa_len to make it compile on |
| Linux |
| |
| 2006-09-19 Thomas Klausner <wiz@netbsd.org> |
| |
| * src/racoon/racoon.conf.5: Bump date for ike_frag force. |
| |
| * src/racoon/: plainrsa-gen.8, racoon.conf.5: New sentence, new |
| line. |
| |
| * src/racoon/: racoon.conf.5, plainrsa-gen.8: Remove trailing |
| whitespace. |
| |
| 2006-09-19 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * src/racoon/proposal.c: From Yves-Alexis Perez: fixes default |
| value for encmodesv in set_proposal_from_policy() |
| |
| * src/racoon/isakmp.c: always include some headers, as they are |
| required even without NAT-T |
| |
| * src/: libipsec/pfkey_dump.c, setkey/token.l: From Larry Baird: |
| define SADB_X_EALG_AESCBC as SADB_X_EALG_AES if needed |
| |
| * src/racoon/crypto_openssl.c: From Larry Baird: some printf() -> |
| plog() |
| |
| 2006-09-18 Emmanuel Dreyfus <manu@netbsd.org> |
| |
| * src/racoon/: cfparse.y, cftoken.l, isakmp.c, isakmp_frag.h, |
| isakmp_inf.c, racoon.conf.5, remoteconf.c: From Matthew Grooms: |
| ike_frag force option to force the use of IKE on first packet |
| exchange (prior to peer consent) |
| |
| 2006-09-18 Yvan Vanhullebus <vanhu@netasq.com> |
| |
| * rpm/suse/ipsec-tools.spec, src/racoon/prsa_tok.c: removed |
| generated files from the CVS |
| |
| * src/racoon/prsa_par.c: removed generated files from the CVS |
| |
| * src/racoon/: cfparse.c, cftoken.c: removed generated files from |
| the CVS |
| |
| 2006-09-18 Emmanuel Dreyfus <manu@netbsd.org> |
| |
| * src/racoon/isakmp.c: From Matthew Grooms: handle IKE frag used in |
| the first packet. That should not normally happen, as the initiator |
| does not know yet if the responder can handle IKE frag. However, in |
| some setups, the first packet is too big to get through, and |
| assuming the peer supports IKE frag is the only way to go. |
| |
| racoon should have a setting in the remote section to do taht |
| (something like ike_frag force) |
| |
| 2006-09-16 Emmanuel Dreyfus <manu@netbsd.org> |
| |
| * src/racoon/ipsec_doi.c: Trivial bugfix in RFC2407 4.6.2 |
| conformance, from Matthew Grooms |
| |
| 2006-09-15 Emmanuel Dreyfus <manu@netbsd.org> |
| |
| * src/racoon/ipsec_doi.c: Fix build on Linux |
| |
| For older changes see ChangeLog.old |
