and added files

[bcm963xx.git] / userapps / opensource / ipsec-tools / ChangeLog

---------------------------------------------

        0.5.1 released

2005-03-23  Michal Ludvig  <michal@logix.cz>

        * configure.ac: Bump up version to 0.5.1
        * NEWS: Notes about 0.5.1

2005-03-14  Emmanuel Dreyfus  <manu@netbsd.org>

        * configure.ac: correctly check for dynamic libradius

2005-03-13  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/isakmp.c: Fixed a buffer underrun (CAN-2005-0398)

2005-03-02  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/isakmp_quick.c: tunnel_mode_prop() is now public
        * src/racoon/isakmp_inf.c: fixed compilation if HAVE_POLICY_FWD.

2005-03-01  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/oakley.c: fixed oakley_newiv2() when errors

2005-02-18  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/isakmp_inf.c: Purge generated SPDs when getting a
          related DELETE_SA
        * src/racoon/pfkey.c: do NOT unbindph12() when SA acquire

---------------------------------------------

        0.5 released

2005-02-18  Michal Ludvig  <michal@logix.cz>

        * configure.ac: Bump up version to 0.5

2005-02-18  Michal Ludvig  <michal@logix.cz>

        * configure.ac, rpm/suse/ipsec-tools.spec.in,
          rpm/suse/Makefile.am: Distribute .spec file with 
          resolved version string.
        * src/racoon/Makefile.am: Allow parallel cluster build.

2005-02-17  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/ipsec_doi.c: Workaround for phase1 lifetime checks

2005-02-15  Michal Ludvig  <michal@logix.cz>

        * configure.ac: Changed --enable-natt_NN to --enable-natt-versions=NN,NN

2005-02-07  Michal Ludvig  <michal@logix.cz>

        From Krisztian Kovacs:
        * src/racoon/cfparse.y: Allocate correct space for "struct sockaddr".

2005-01-30  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/vmbuf.c: bugfix in vrealloc()
        * src/racoon/oakley.c: mem leak fix in INITDHVAL()
        * src/racoon/session.c: mem leak fix in check_flushsa()

2005-01-29  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/nattraversal.c: fixed draft 04 options...

2005-01-29  Emmanuel Dreyfus  <manu@netbsd.org>

        From Fred Senault <fred@lacave.net>
        * src/racoon/pfkey.c: Update SAD even if NAT-T is disabled, so that
          phase2 can start.

---------------------------------------------

        0.5rc2 released

2005-01-04  Michal Ludvig  <michal@logix.cz>

        * NEWS: Notes for release 0.5rc2
        * configure.ac: Bump up version to 0.5rc2

2005-01-26  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/isakmp_{ident|agg}.c: checks if we are out of
          vid_natt[] when freeing VIDs. Also sets vid_natt[0] to NULL if
          NATT disabled.
        * src/racoon/nattraversal.c: fixed vid_natt[] initialization in
          isakmp_plist_append_natt_vids(), and really puts VIDs from RFC
          to Draft 00....

2005-01-24  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/isakmp.c: set UDP_ENCAPS_ESPINUDP_NON_IKE option when needed

2005-01-23  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/isakmp_{ident|agg}.c: NAT-T cleanup
        * src/racoon/pfkey.c: Uses NATT encaps_type in pk_sendupdate()
        * src/racoon/vendorid.[ch]: NAT-T cleanup, NATT_01 VID
        * src/racoon/nattraversal.[ch]: NATT cleanup, support for all
          drafts (disabled by default) / RFC.
        * src/racoon/isakmp.h: NATT cleanup for NATT RFC support
        * src/racoon/ipsec_doi.h: updated comments about NATT
        * configure.ac: enable-natt_XX options

2005-01-22  Emmanuel Dreyfus  <manu@netbsd.org>

        From Fred Senault <fred@lacave.net>
        * src/racoon/{cftoken.l|cfparse.y|raccon.conf.5}
          src/racoon/samples/roadwarrior/README: change "my_identifier login"
          into "xauth_login" in the config file so that we can introduce Xauth
          with a pre-shared key later.

2005-01-21  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/samples/roadwarrior/client/{phase1-up.sh|phase1-down.sh}:
          workaround Linux problems. This needs a better fix.

2005-01-17  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/admin_var.h: Fix path problem for adminport socket

2005-01-13  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/ipsec_doi.c: Uses proposal_check value to check phase
          1 lifetime.
        * src/racoon/racoon.conf.5: Updated racoon man page for phase 1
          lifetime check / proposal_check.

2005-01-11  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/isakmp_quick.c: Endianness bugfix from KAME

---------------------------------------------

        0.5-rc1 released

2005-01-04  Michal Ludvig  <michal@logix.cz>

        * NEWS: Notes for release 0.5-rc1
        * configure.ac: Bump up version to 0.5-rc1

2005-01-03  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/admin.c: never fork, it buys nothing an break on some
          operations

---------------------------------------------

        Branch for 0.5 created (ipsec-tools-0_5-branch)

2004-12-23  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/crypto_openssl.c: Indentation

2004-12-28  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/crypto_openssl.c: Fixed eay_get_x509subjectaltname()
          when getting an IP (Bug # 1092095)


2004-12-26  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/session.c: remove outdated comment

---------------------------------------------

        0.5.beta2 released

2004-12-21  Michal Ludvig  <michal@logix.cz>

        * src/racoon/pfkey.c: Fix AES vs Rijndael defines.

2004-12-20  Yvan Vanhullebus  <vanhu@free.fr>

        * configure.ac, src/racoon/isakmp.c, src/racoon/pfkey.c:
          Some FreeBSD / NATT support.

2004-12-17  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/isakmp.c: only IPv4 NAT-T is supported, so skip IPv6 here.
        * src/racoon/pfkey.c: Restore AES support on NetBSD.

2004-12-17  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/crypto_openssl.c: Uses sprintf() instead of
          asprintf() in eay_get_x509subjectaltname(), because of some
          compilation problems reported with asprintf() on some platforms.
        * src/racoon/oakley.c: just take the first cert in
          oakley_savecert() if cert ID check is disabled.

2004-12-16  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/crypto_openssl.c: Build again on NetBSD
        * src/racoon/samples/roadwarrior/server/racoon
          src/racoon/samples/roadwarrior/server/racoon.conf-radius
          src/racoon/samples/roadwarrior/README: Use DPD in sample files.

2004-12-16  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/crypto_openssl.c: Fixed eay_get_x509subjectaltname()
          when SubjectAltName contains an IP. OpenSSL code from Ludovic
          Flament (ludovic.flament@free.fr).

---------------------------------------------

        0.5.beta1 released

2004-12-13  Michal Ludvig  <mludvig@suse.cz>

        From Ganesan R <rganesan@users.sourceforge.net>:
        * src/racoon/Makefile.am, src/setkey/Makefile.am: Fix compilation
          with shared libraries.

2004-12-10  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/oakley.c: takes the first certificate which matches
          the Identity, instead of just taking the first certificate.

2004-12-07  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/isakmp_inf.c: Set spi_size for R-U-THERE/R-U-THERE-ACK.

2004-12-04  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/libipsec/pfkey_dump.c: distinguish per-socket policies from
          general ones (Linux case);
        * src/racoon/pfkey.c: dito, do not negotiate policies if racoon
          do not listen on out tunnel's source address.

2004-12-01  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/isakmp_agg.c: code cleanup in NATT / DPD VIDs
          generation in r1send()

2004-12-01  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/remoteconf.{c|h}: DPD support option (enabled by default)
        * src/racoon/{cfparse.y|cftoken.l}: DPD token, yyerror if DPD
          parameters but compiled without ENABLE_DPD
        * src/racoon/isakmp_{agg|ident}.c: Send DPD VID only if DPD
          support activated in configuration

2004-11-30  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon{evt.c|evt.h|admin.c}: init event queue at compile time, 
          to avoid garbage pointer if admin port is disabled.
        * src/racoon/{throttle.c|throttle.h}: new files
          src/racoon/{Makefile.am|isakmp_cfg.c|isakmp_xauth.c|racoon.conf.5}
          configure.ac: Add a per-host throttling count. When throttling, 
          don't sleep, schedule the answer for later instead.
        * src/racoon/kmpstat.c: default with no hexdump of the packet
        * src/racoon/admin.c: don't remove admin socket after first request,
          on the other hand remove on startup stale sockets left by 
          crashed racoon.
        *  src/racoon/samples/roadwarrior/README
           src/racoon/kmpstat.c: fix option parsing problem on Linux

2004-11-29  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/session.c: Only listen on pfkey socket when received
          shutdown signal

2004-11-28  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h}
          src/racoon/{isakmp_xauth.c|racoon.conf.5}: Add a one second throttle
          on each Xauth authentication to avoid brute force attacks

2004-11-24  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/samples/roadwarrior/README
          src/racoon/samples/roadwarrior/client{phase1-up.sh|phase1-down.sh}
          src/racoon/samples/roadwarrior/client/{racoon.conf|racoon.conf-radius}
          src/racoon/samples/roadwarrior/server/{racoon.conf|phase1-down.sh}:
          Fill Linux gaps for hybrid auth client, Replace public IP by 
          private and example IP in the sample config files.

2004-11-24  Emmanuel Dreyfus  <manu@netbsd.org>

        DPD patch from Yvan Vanhullebus <vanhu@free.fr>
        * src/racoon/cfparse.y: missing bits for DPD support

2004-11-23  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/setkey/parse.y: generate require fwd policies for unique in
          policies.
        * src/setkey/setkey.c: made -r/-k options awailable only when
          system has FWD policies.
        * src/setkey/setkey.8: updated docs about change above.

2004-11-22  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/{admin.c,pfkey.c}: Wrap adminport-parts to
          #ifdef ENABLE_ADMINPORT/#endif.

2004-11-22  Michal Ludvig  <mludvig@suse.cz>

        Revert these changes (ludvigm, 2004-11-18):
        * src/racoon/Makefile.am: install sample racoon.conf and psk.txt.
        * src/setkey/Makefile.am: Install setkey.conf.

2004-11-22  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/raccon/{isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c}: defer phase 1
          removal so that it's not used after been deleted.
        * src/racoon/{evt.h|isakmp.c|isakmp_agg.c|isakmp_base.c|session.c}
          src/racoon/{isakmp_ident.c|isakmp_inf.c|kmpstat.c}: report more
          errors to racoonctl

2004-11-21  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/doc/FAQ: NAT-T kernel patch for NetBSD is now on 
          the ipsec-tools web site
        * src/racoon/{kmpstat.c|racoonctl.8}: New racoonctl command to 
          display all events reported by racoon: show-event
        * src/racoon/isakmp_cfg.c: don't send ISAKMP mode config message
          with immature or dying phase 1 
        * src/racoon/kmpstat.c: racoonctl vd awaits phase 1 to get down

2004-11-20  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/isakmp_agg.c: for hybrid auth client, advertise ourself 
          as Unity compliant.
        * src/racoon/{evt.c|evt.h}: new files 
          src/racoon/{Makefile.am|admin.c|admin.h|isakmp.c|isakmp_cfg.c}
          src/racoon/{isakmp_xauth.c|kmpstat.c|pfkey.c}: framework for
          event reporting from racoon to racoonctl

2004-11-20  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/racoon/grabmyaddr.c: Prevent doubling addresses and error messages
          when racoon is compiled with INET6 support and kernel is not.
          Fixed with help of Zilvinas Valinskas.
        * src/racoon/{var.h|sockmisc.c}: Fixed compilation with gcc-3.4.2+
          problem.
        
2004-11-19  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/doc/FAQ: more options and warn about software patents.

2004-11-18  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/vmbuf.c: don't allocate zero-length buffer
        * src/racoon/samples/roadwarrior/client/phase1-down.sh
          src/racoon/samples/roadwarrior/server/phase1-down.sh: Also 
          flush SAD when disconnecting.
        * src/racoon/admin.c: Send a notification when deleting ISAKMP SA
        * src/racoon/samples/roadwarrior/README: accomodate the recent
          sysconfdir change

2004-11-18  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/Makefile.am: Fix adminsocket dir, install sample 
          racoon.conf and psk.txt.
        * src/racoon/localconf.h: Look for racoon.conf in $(SYSCONFDIR),
          not $(SYSCONFDIR)/racoon.
        * src/racoon/algorithm.h, src/racoon/eaytest.c,
          src/racoon/schedule.h, src/racoon/gnuc.h: Build fixes for really 
          strict environments.
        * src/setkey/setkey.conf: Yet another sample config file.
        * src/setkey/Makefile.am: Install setkey.conf.
        * rpm/suse/{ipsec-tools.spec.in,sysconfig.racoon,racoon.init}: New
          files.
        * rpm/suse/{Makefile.am,.cvsignore}: New files.
        * configure.ac, rpm/Makefile.am: Build in rpm/suse.

2004-11-17  Aidas Kasparas  <a.kasparas@gmc.lt>

        * configure.ac: paste bugfix by Zilvinas Valinskas
        * src/racon/{isakmp_quick.c|policy.c|strnames.c}: fwd policy support
          for generated policies. Path by Patrick McHardy.

2004-11-16  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/racoonctl.8: racoonctl man page (new file)

2004-11-16  Emmanuel Dreyfus  <manu@netbsd.org>

        From Ganesan <rganesan@users.sourceforge.net>
        * src/racoon/ipsec_doi.c: fix free'd memory access

2004-11-16  Michal Ludvig  <mludvig@suse.cz>

        DPD patch from Yvan Vanhullebus <vanhu@free.fr>
        * configure.ac, src/racoon/cfparse.y, src/racoon/cftoken.l,
          src/racoon/handler.c, src/racoon/handler.h,
          src/racoon/isakmp.c, src/racoon/isakmp.h,
          src/racoon/isakmp_agg.c, src/racoon/isakmp_ident.c,
          src/racoon/isakmp_inf.c, src/racoon/isakmp_inf.h,
          src/racoon/racoon.conf.5 src/racoon/remoteconf.c,
          src/racoon/remoteconf.h, src/racoon/vendorid.c,
          src/racoon/vendorid.h: Dead Peer Detection (DPD) support.

2004-11-16  Michal Ludvig  <mludvig@suse.cz>

        * configure.ac: Remove a bash-specific construction, take II.
        * src/racoon/grabmyaddr.c: FreeBSD fix for headers.

2004-11-15  Michal Ludvig  <mludvig@suse.cz>

        * configure.ac: Use correct include paths during ./configure run.
        * src/racoon/Makefile.am: Compile cftoken.l from $(srcdir),
          remove samples/racoon.conf.sample-cvpn, added samples/roadwarrior
          (hint, hint, manu :-))

2004-11-15  Emmanuel Dreyfus  <manu@netbsd.org>

        * README: update the docs
        * src/racoon/doc/FAQ: update the docs
        * configure.ac: Remove a bash-specific construction

2004-11-14  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/racoon/cfparse.y: ensure that returns from rules are 
          initialized even on erroneous config file.
        * src/racoon/admin_var.h: changed management socket location
        * src/racoon/Makefile.am: ditto, added rule to install directory
          for management socket.
        * src/setkey/{setkey.c|parse.y}: introduced rfc/kernel modes, 
          added generation of fwd policies for every in policy spdadd'ed.
        * src/setkey/setkey.8,src/libipsec/ipsec_set_policy.3: updated docs
        * src/setkey/policy_token.l: return something reasonable when 
          fwd direction is parsed on systems with no forward policy
          support.

2004-11-14  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/isakmp.c: avoid a double free when using IKE fragmentation
        * src/racoon/{backupsa.c|ipsec_doi.c|localconf.c|str2val.c}
          src/{libipsec/key_debug.c|setkey/parse.y}: fix build warnings 
        * configure.ac src/racoon/{admin.c|admin_var.h}
          src/racoon/racoon.conf.5 src/racoon/samples/roadwarrior/README
          src/racoon/samples/roadwarrior/client/racoon.conf: make the default
          mode for the admin socket more secure. 

2004-11-13  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/{cfparse.y|remoteconf.c|crypto_openssl.c|crypto_openssl.h}
          src/racoon/{eaytest.c|oakley.c|racoon.conf.5|cftoken.l|remoteconf.h}
          src/racoon/samples/roadwarrior/README
          src/racoon/samples/roadwarrior/client/racoon.conf: Make the root
          certificate authority location per-peer and configurable.
        * src/racoon/isakmp_frag.c: fix unallocated memory access
        * src/racoon/isakmp_agg.c: fix incorrect queue deallocation
        * src/racoon/remoteconf.c: fix uninitialized data
        * src/racoon/{admin.c|isakmp_xauth.c}: fix free'ed memory access

2004-11-12  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/{Makefile.am|kmpstat.c}: Make racoonctl vc and vd 
          commands IPv6 friendly.
        * src/racoon/{admin.c|admin.h|handler.c|handler.h|kmpstat.c}: 
          Add an admin message to flush all the SA for a given peer.
          Convert racoonctl vd to use it.
        * src/racoon/{admin.c|kmpstat.c|cftoken.l|cfparse.y} 
          src/racoon/{admin_var.h|admin.h|raccon.conf.5}: Enable the
          administrator to choose the admin socket path, ownership and mode.
        * src/racoon/sample/roadwarrior: complete config files for 
          road warriors using hybrid authentication. 

2004-11-12  Michal Ludvig  <mludvig@suse.cz>

        * configure.ac: Config option --enable-natt=kernel
        * src/racoon/Makefile.am: Distribute only yacc/lex source files, 
          not the preprocessed .c files.

2004-11-11  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/samples/racoon.conf.sample-cvpn: more complete setup
          and comments in the VPN concentrator setup for the Cisco VPN client
        * src/racoon/racoon.conf.5: fix documentation
        * src/racoon/isakmp_cfg.c: get the internal IPv4 address in script
          hooks event if we are a server.

2004-11-10  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/{ipsec_doi.c|remoteconf.c}: fix LP64 problems

2004-11-09  Michal Ludvig  <mludvig@suse.cz>

        * Makefile.am: Remove aclocal-related lines.
        * src/racoon/Makefile.am: Add isakmp_frag.h into noints_HEADERS
        * configure.ac: Cleanup, define INET6 if IPv6 shoud be supported,
          better handling of KRB5 and NAT-T.
        * src/racoon/{isakmp_cfg.c,isakmp_frag.c,isakmp_unity.c}: Make
          FreeBSD happy with includes (Arrgh...&^#$^@!!!)

2004-11-08  Michal Ludvig  <mludvig@suse.cz>

        * src/libipsec/policy_parse.y: Define INT32_MAX/INT32_MIN.
        * src/libipsec/policy_token.l, src/racoon/kmpstat.c,
          src/racoon/{pfkey.c,prsa_par.y,rsalist.c,token.l}: Small
          fixes to support FreeBSD (tested with 4.10).

2004-11-05  Michal Ludvig  <mludvig@suse.cz>

        * configure.ac: Add --with-readline switch.
        * src/setkey/setkey.c(stdin_loop): Fix newlines and comments
          when compiled without readline.

2004-11-01  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/racoon/isakmp_quick.c: generated policy refresh patch
          by Yvan Vanhullebus

2004-10-29  Michal Ludvig  <mludvig@suse.cz>

        * configure.ac: Check for IPSEC_DIR_FWD and eventually define
          HAVE_POLICY_FWD.
        * src/libipsec/{ipsec_dump_policy.c,policy_token.l}: Use 
          HAVE_POLICY_FWD in ifdefs.
        * NEWS: Mention the fix.
        * src/racoon/kmpstat.c: Fix compilation on Linux.
        * src/racoon/ipsec_doi.h: Ditto.
        * src/racoon/Makefile.am, src/setkey/Makefile.am: Update
          explicit dependencies.

2004-10-29  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/{isakmp_cfg.h,grabmyaddr.c,handler.c,handler.h}:
          do not reconfigure internal addresses obtained through ISAKMP
          mode config.
        * src/racoon/{isakmp.c,isakmp_cfg.c,isakmp_xauth.c}: On authentication
          failure, kill the phase 1 and log the failure. Do not run the sa_up
          script in this case.
        * src/racoon/{admin.c,admin.h,isakmp_xauth.c,kmpstat.c,remoteconf.h}:
          Add -u user to racoonctl establish-sa, prompt for the PSK from
          the terminal, and add a vpn-connect target with simplified syntax 
          for establishing a SA in the road warrior case.
        * src/racoon/{admin.c,kmpstat.c}: implement delete-sa and 
          vpn-disconnect commands of racoonctl
        * src/racoon/{cfparse.y,cftoken.l,handler.c,isakmp.c,isakmp_cfg.c}
          src/racoon/{isakmp_var.h,racoon.conf.5,remoteconf.c,remoteconf.h}:
          Remove sa_up and sa_down and replace them by a more general
          script hook framework. 

2004-10-27  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/nattraversal.c: Use macros instead of magic numbers
        * src/racoon/kmpstat.c: pull up fixes from KAME so that racoonctl
          can actually establish a SA
        * src/racoon/{cfparse.y,cftoken.l,handler.c,isakmp.c,isakmp_cfg.c}
          src/racoon/{isakmp_var.h,racoon.conf.5,remoteconf.c,remoteconf.h}:
          Shell script hooks for ISAKMP SA creation and removal

2004-10-26  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/rfc/draft-ietf-ipsec-isakmp-hybrid-auth-05.txt: removed
          src/racoon/rfc/draft-ietf-ipsec-isakmp-mode-cfg-04.txt: removed
          src/racoon/rfc/draft-beaulieu-ike-xauth-02.txt: new file
          src/racoon/rfc/draft-dukes-ike-mode-cfg-02.txt: new file
          Update to the latest drafts

2004-10-25  Emmanuel Dreyfus  <manu@netbsd.org>

        *  src/racoon/rfc/draft-ietf-ipsec-isakmp-hybrid-auth-05.txt: new file
           src/racoon/rfc/draft-ietf-ipsec-isakmp-mode-cfg-04.txt: new file
           src/racoon/rfc/draft-ietf-ipsec-isakmp-xauth-07.txt: new file
           drafts documenting ISAKMP mode config, Xauth and hybrid auth
        *  src/racoon/cftoken.l: fix build problem, add an error message
           when using hybrid auth options while hybrid auth is not built
        *  src/racoon/isakmp_cfg.c: build without RADIUS support too

2004-10-24  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/{algorithm.c,algorithm.h,cfparse.y,cftoken.l}
          src/racoon/{ipsec_doi.c,ipsec_doi.h,isakmp.c,isakmp_agg.c}
          src/racoon/{isakmp_cfg.c,isakmp_cfg.h,isakmp_xauth.c,isakmp_xauth.h}
          src/racoon/{oakley.c,oakley.h,racoon.conf.5}
          src/racoon/{remoteconf.c,remoteconf.h,strnames.c}: Client side
          of hybrid auth and ISAKMP mode config

2004-10-24  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/{cfparse.y,cftoken.l,handler.h,isakmp.c}
          src/racoon/{isakmp_agg.c,isakmp_base.c,isakmp_frag.c,isakmp_frag.h}
          src/racoon/{isakmp_inf.c,racoon.conf.5,remoteconf.c,remoteconf.h}:
          Receiver-side of IKE fragmentation

2004-10-24  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/isakmp_cfg.c: Fix read buffer overflow
        * src/racoon/isakmp_xauth.c: Fix weak authentication
        * src/racoon/{oakley.c,oakley.h}: Fix weak authentication

2004-10-21  Michal Ludvig  <mludvig@suse.cz>

        From Emmanuel Dreyfus:
        * src/racoon/{isakmp_frag.c,isakmp_frag.h}: New files.
        * src/racoon/isakmp_cfg.c: Fix endianness.

2004-10-20  Michal Ludvig  <mludvig@suse.cz>

        From Emmanuel Dreyfus:
        * src/racoon/{cfparse.y,cftoken.l,handler.c},
          src/racoon/{isakmp_cfg.c,isakmp_cfg.h,isakmp_xauth.c},
          src/racoon/racoon.conf.5: RADIUS IP addresses allocation 
          and RADIUS accounting.
        * configure.ac,
          src/racoon/{Makefile.am,handler.h,isakmp.c,isakmp.h},
          src/racoon/{isakmp_agg.c,isakmp_base.c,isakmp_inf.c},
          src/racoon/{vendorid.c,vendorid.h}: IKE Fragmentation patch.

2004-10-08  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/isakmp_cfg.c: Fixes from Emmanuel Dreyfus.

2004-10-06  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/racoon/remoteconf.c: dupidvl(), dupetypes() - new functions
          to duplicate dynamically allocatd structures; duprmconf() - call
          these functions to produce private copy of inherited id and etype
          structures.
        * src/racoon/remoteconf.c: declaration for dupetypes().

2004-10-04  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/racoon/cfparse.y: check inherited_from dereferencing
        * src/racoon/crypto_openssl.c: prevent crash on incorect DNs

2004-09-27  Michal Ludvig  <mludvig@suse.cz>

        From KOVACS Krisztian <hidden@balabit.hu>:
        * src/racoon/sockmisc.c(sendfromto): Set src address.

2004-09-24  Aidas Kasparas  <a.kasparas@gmc.lt>

        * configure.ac: added check for linux-gnu, as my box reports
        * src/racoon/grabmyaddr.c: added missing <linux/types.h> include

2004-09-21  Michal Ludvig  <mludvig@suse.cz>

        Merged 'autoconf' branch to mainline:
        * .cvsignore, ChangeLog, Makefile.am, bootstrap, configure.ac,
          src/racoon/.cvsignore, src/racoon/cfparse.y, 
          src/racoon/crypto_openssl.c, src/racoon/crypto_openssl.h, 
          src/racoon/ipsec_doi.c, src/racoon/isakmp.c, 
          src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c, 
          src/racoon/isakmp_cfg.c, src/racoon/isakmp_ident.c, 
          src/racoon/isakmp_unity.c, src/racoon/main.c, 
          src/racoon/nattraversal.c, src/racoon/oakley.c, 
          src/racoon/oakley.h, src/racoon/sockmisc.c, 
          src/racoon/missing/crypto/sha2/sha2.c: Modified (see ChangeLog
          in 'autoconf' branch for details).
        * acracoon.m4, src/racoon/Makefile.am: New files.
        * src/racoon/Makefile.in, src/racoon/aclocal.m4, 
          src/racoon/client-puzzle.c, src/racoon/config.guess, 
          src/racoon/config.sub, src/racoon/configure.in, 
          src/racoon/install-sh, src/racoon/doc/SantaBarbara-result.jp, 
          src/racoon/doc/helsinki-result.jp, src/racoon/doc/ibm-result.jp, 
          src/racoon/doc/pattern, src/racoon/doc/question, 
          src/racoon/doc/racoonquestion.sh, src/racoon/doc/redmond.txt, 
          src/racoon/doc/rules.jp, src/racoon/doc/sandiego-result.en, 
          src/racoon/doc/sandiego-result.jp, 
          src/racoon/doc/sandiego0009-result.en, 
          src/racoon/missing/addrinfo.h, src/racoon/missing/getaddrinfo.c, 
          src/racoon/missing/getnameinfo.c, src/racoon/samples/Makefile, 
          src/racoon/samples/sandiego.pl: Removed.

2004-09-17  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/vendorid.[ch]: Rewrote the VendorID handling. 
          We don't use the array with fixed offsets anymore, instead 
          a generally unordered structure with ID, string and 
          precomputed MD5 hashes.
        * src/racoon/{isakmp_agg.c,isakmp_base.c,isakmp_ident.c},
          src/racoon/nattraversal.c: Updated to the new VID model.
        * src/racoon/main.c(main): Precompute VendorIDs.
        * src/racoon/arc4random.h, src/racoon/missing/arc4random.c:
          Files removed. Function arc4random() renamed to eay_random()
          and moved to crypto_openssl.c.
        * src/racoon/pfkey.c, src/racoon/oakley.c, src/racoon/main.c,
          src/racoon/isakmp.c: Updated to the above change.
        * src/racoon/Makefile.in, src/racoon/configure.in: Remove
          arc4random() from building.
        * src/racoon/crypto_openssl.[ch](eay_random): New function.
        * src/racoon/isakmp_cfg.c, src/racoon/isakmp_unity.c, 
          src/racoon/isakmp_xauth.c: Cleaned up headers.

2004-09-16  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/crypto_openssl.c (base64_encode): Terminate
          the result with '\0'.

2004-09-15  Michal Ludvig  <mludvig@suse.cz>

        * configure.ac: How about calling the next version 0.5?
        * src/include-glibc/glibc-bugs.h: Define _XOPEN_SOURCE
          _BSD_SOURCE and don't require <linux/types.h>
        * src/racoon/isakmp_cfg.c, src/racoon/isakmp_unity.c,
          src/racoon/isakmp_xauth.c: Don't include <netkey/key_var.h>
        * src/racoon/Makefile.in: Add new files to distribution.
        * src/racoon/configure.in: Fix linux kernel NATT detection.
        * src/setkey/parse.y: Fix types.
        * src/racoon/backupsa.c, src/racoon/ipsec_doi.c, 
          src/racoon/isakmp_inf.c, src/racoon/isakmp_quick.c,
          src/racoon/pfkey.c, src/racoon/remoteconf.c,
          src/racoon/session.c, src/racoon/sockmisc.c: Fix headers 
          ordering, use HAVE_NETINET6_IPSEC.
        * src/racoon/isakmp_cfg.c: Use %z for size_t.
        * src/racoon/configure.in: Clean up IPv6 stack check.

2004-09-15  Michal Ludvig  <mludvig@suse.cz>

        Merged "Hybrid XAUTH" support from Emmanuel Dreyfus:
        * src/racoon/isakmp_cfg.h, src/racoon/isakmp_cfg.c,
          src/racoon/isakmp_unity.c, src/racoon/isakmp_unity.h,
          src/racoon/isakmp_xauth.c, src/racoon/isakmp_xauth.h,
          src/racoon/samples/racoon.conf.sample-cvpn: New files.
        * src/racoon/algorithm.c, src/racoon/algorithm.h,
          src/racoon/cfparse.y, src/racoon/cftoken.l,
          src/racoon/handler.c, src/racoon/handler.h,
          src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
          src/racoon/isakmp.h, src/racoon/isakmp_agg.c, 
          src/racoon/isakmp_inf.c, src/racoon/oakley.c,
          src/racoon/oakley.h, src/racoon/strnames.c,
          src/racoon/vendorid.c, src/racoon/vendorid.h: Added
          code for XAUTH support.
        * src/racoon/racoon.conf.5: Documentation for XAUTH.
        * src/racoon/isakmp_base.c, src/racoon/isakmp_ident.c,
          src/racoon/nattraversal.c: Added NATT VID "02\n"
        * src/racoon/configure.in: New config option --enable-hybrid

2004-09-14  Michal Ludvig  <mludvig@suse.cz>

        * configure.ac: Preset CFLAGS
        * src/racoon/configure.in: Preset LDFLAGS instead of CFLAGS on NetBSD,
          Check if printf() accepts "%z" modifiers.
        * src/racoon/isakmp_agg.c(agg_i1send): Place #endif correctly.
        * src/setkey/parse.y(fix_portstr): Init 'p2'.
        * src/setkey/setkey.c: Add required prototypes.

2004-09-14  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/racoon/gssapi.c: sa_len -> sysdep_sa_len. Patch by Andreas.

2004-09-14  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/configure.in: Check for NetBSD NAT-T kernel support.

2004-09-13  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/configure.in: Check for <openssl/engine.h>
        * src/racoon/crypto_openssl.c: Only use OpenSSL engines if available.
        * src/racoon/plainrsa-gen.c: Ditto.

2004-09-13  Michal Ludvig  <mludvig@suse.cz>

        NetBSD fixes from Emmanuel Dreyfus <manu@netbsd.org>:
        * Makefile.am: build in rpm/ only on Linux
        * configure.ac: Check for netinet6/ipsec.h instead of netinet/ipsec.h
        * src/Makefile.am: Build include-glibc only on Linux
        * src/libipsec/{ipsec_dump_policy.c,ipsec_get_policylen.c,
          ipsec_strerror.c,key_debug.c,pfkey.c,pfkey_dump.c,
          policy_parse.y,policy_token.l,test-policy-priority.c},
          src/racoon/{cfparse.y,cftoken.l,grabmyaddr.c,isakmp.c,
          nattraversal.c,pfkey.c,plainrsa-gen.c,policy.c,
          proposal.c,sainfo.c,schedule.c,strnames.c},
          src/setkey/{parse.y,setkey.c,token.l}: Fix headers and some
          ifdefs.
        * src/racoon/sockmisc.c(sendfromto): Wrap for Linux only.
        * src/racoon/configure.in: Check for kernel NAT-T support,
          fix libipsec.a linkage path.
        * src/racoon/eaytest.c(certtest): Use %z for size_t.
        
2004-09-12  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/racoon/grabmyaddr.c: improoved socket selection algorithm for
          case when link-local addresses comes w/o sin6_scope_id set.
          
2004-09-07  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/racoon/session.c: fix for SIGHUP handler for case when config
          file contains listen directives.

2004-09-01  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/racoon/grabmyaddr.c: added scope id handling for link-local
          IPv6 addresses. Now racoon will not err on such addresses.
          
2004-08-19  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/racoon/crypto_openssl.c: hmac memory leak fix by R. Ganesan
        * src/racoon/eaytest.c: eay_init_error() -> eay_init() due to 
          2004-06-01 changes in src/racoon/crypto_openssl.c

2004-08-15  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/racoon/cfparse.y src/racoon/crypto_openssl.c
          src/racoon/eaytest.c src/racoon/genlist.h src/racoon/ipsec_doi.c
          src/racoon/racoon.conf.5 src/racoon/remoteconf.c
          src/racoon/remoteconf.h: peers_identifier wildcard and 
          list patch by James Matheson

---------------------------------------------

        0.4rc1 released

2004-08-09  Michal Ludvig  <mludvig@suse.cz>

        * NEWS: Notes for release 0.4rc1
        * configure.ac: Bump up version to 0.4rc1

2004-07-12  Michal Ludvig  <mludvig@suse.cz>

        PlainRSA support.
        See ChangeLog.prsa from the 'plainrsa' branch for details.
        * src/racoon/stringlist.c src/racoon/stringlist.h: Removed.
        * src/racoon/genlist.c src/racoon/genlist.h 
          src/racoon/plainrsa-gen.8 src/racoon/plainrsa-gen.c 
          src/racoon/prsa_par.y src/racoon/prsa_tok.l 
          src/racoon/rsalist.c src/racoon/rsalist.h 
          src/racoon/samples/racoon.conf.sample-plainrsa: New files.
        * src/racoon/Makefile.in src/racoon/configure.in
          src/racoon/cfparse.y src/racoon/cftoken.l 
          src/racoon/crypto_openssl.c src/racoon/crypto_openssl.h
          src/racoon/handler.h src/racoon/ipsec_doi.c 
          src/racoon/ipsec_doi.h src/racoon/isakmp.h src/racoon/main.c 
          src/racoon/oakley.c src/racoon/plog.c src/racoon/remoteconf.c 
          src/racoon/remoteconf.h src/racoon/sockmisc.c 
          src/racoon/sockmisc.h src/racoon/eaytest.c: Updated.

2004-07-12  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/main.c, src/racoon/eaytest.c, src/racoon/plog.c: Move
          f_foreground to plog.c.
        * src/racoon/proposal.c (cmpsaprop_alloc): Fix printing of encmode 
          adjusting.
        * src/racoon/ipsec_doi.c, src/racoon/isakmp.c, src/racoon/isakmp_quick.c,
          src/racoon/oakley.c: Fix typos, newlines and printf() format strings.

2004-06-16  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/racoon/crypto_openssl.c (eay_get_x509cert): small memory 
          leak fix. Noticed B.Buesker, patch L.Stellingwerff
        * src/racoon/crypto_openssl.c (eay_aes_{en|de}crypt, evp_crypt): 
          small memory leaks fixed.

2004-06-15  Aidas Kasparas  <a.kasparas@gmc.lt>

        SECURITY
        * src/racoon/crypto_openssl.[ch] (cb_check_cert_local, 
          cb_check_cert_remote): split cb_check_cert() due to stricter
          requirements for certificates received from network.
        * src/racoon/crypto_openssl.[ch] (eay_check_x509cert): new parameter
          local to specify how strict cert check should be
        * src/racoon/oakley.c, src/racoon/eaytest.c: adjust to use above
        
2004-06-11  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/nattraversal.c (natt_vendorid, natt_fill_options): Support 
          for all known NAT-T versions.
        * vendorid.h: Ditto.

2004-06-08  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/stringlist.c, src/racoon/stringlist.h: New files.
        * src/racoon/Makefile.in: Compile stringlist.o.

2004-06-07  Michal Ludvig  <mludvig@suse.cz>

        * configure.ac: Set version to 'cvs'.
        * src/{racoon,setkey,libipsec}/*.h: Wrap headers between
          #ifndef/#define/#endif to allow multiple inclusions of the
          same file.
        * plog.h (plog): Attribute __printf__ for automatic checking 
          of the parameters' validity.
        * cftoken.l, crypto_openssl.c, grabmyaddr.c, ipsec_doi.c,
          isakmp.c, isakmp_quick.c, oakley.c, pfkey.c, proposal.c,
          sockmisc.c: Fix warnings/errors in the plog() parameters with 
          the above change.

2004-06-05  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/setkey/setkey.c: -n (no action) support. 
          Thanks Thomas Habets.
        * src/setkey/setkey.8: Documentation for above.
        * src/racoon/doc/README.certificate: updated link to more recent
          version of document. Debian bug #252513 by Jose Luis Domingo Lopez

2004-06-01  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/algorithm.c: Enable compilation without SHA2 support.
        * src/racoon/crypto_openssl.c: Ditto.

2004-06-01  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/crypto_openssl.c: Remove unneeded workarounds for older
          OpenSSLs.
          (eay_init): New function.
          (eay_init_error, eay_check_pkcs7sign): Removed.
        * src/racoon/crypto_openssl.h: Reflect the above changes.
        * src/racoon/main.c: Call eay_init() instead of eay_init_error().

2004-05-27  Michal Ludvig  <mludvig@suse.cz>

        Support for inheritance of 'remote' statements:
        * src/racoon/cftoken.l: New keyword 'inherit'.
        * src/racoon/cfparse.y: Support for 'inherit', remove
          global 'prhead', use cur_rmconf->prhead instead.
        * src/racoon/remoteconf.c (rmtree): Changed from
          LIST queue to TAILQ queue.
          (getrmconf): Renamed to getrmconf_strict().
          (copyrmconf, duprmconf)
          (dump_rmconf_single, dumprmconf): New functions.
          (rm2str): Deleted.
        * src/racoon/remoteconf.h: Prototypes for the above.
          (struct remoteconf): New fields 'inherited_from' and 'prhead'.
        * src/racoon/sockmisc.c (saddr2str): Can print anonymous entries.
        * src/racoon/algorithm.c (alg_oakley_encdef_name)
          (alg_oakley_hashdef_name, alg_oakley_dhdef_name)
          (alg_oakley_authdef_name): New functions.
        * src/racoon/algorithm.h: Prototpes for the above.
        * src/racoon/strnames.c (num2str): Make extern.
          (s_doi, s_etype, s_idtype, s_switch): New functions.
        * src/racoon/strnames.h: Prototpes for the above.
        * src/racoon/main.c: New parameter -C for dumping the parsed config.
        * src/racoon/racoon.conf.5: Document inheritance.
        * src/racoon/samples/racoon.conf.sample-inherit: Sample config file.
        * src/racoon/Makefile.in: Distribute racoon.conf.sample-inherit

2004-05-24  Michal Ludvig  <mludvig@suse.cz>

        * configure.in, backupsa.c, ipsec_doi.c, isakmp_inf.c, 
        isakmp_quick.c, pfkey.c, remoteconf.c, session.c, 
        sockmisc.c: Allow compilation with --disable-ipv6
        
2004-05-21  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/crypto_openssl.[ch]: Use EVP_*() instead of 
          algorithm specific functions.

2004-05-20  Aidas Kasparas  <a.kasparas@gmc.lt>

        Manual page updates. Thanks Brian
        * src/libipsec/ipsec_set_policy.3
        * src/setkey/setkey.8
        * src/libipsec/test-policy-priority.c: new file from policy 
          priority patch, which I forgot to add

2004-05-18  Aidas Kasparas  <a.kasparas@gmc.lt>

        Policy priority integer handling fixes by Brian Buesker.
        * src/libipsec/ipsec_strerror.c
        * src/libipsec/ipsec_strerror.h
        * src/libipsec/libpfkey.h
        * src/libipsec/policy_parse.y
        * src/libipsec/test-policy-priority.c
        Manual page corrections by me
        * src/libipsec/ipsec_set_policy.3
        * src/setkey/setkey.8

2004-05-15  Aidas Kasparas  <a.kasparas@gmc.lt>

        Policy priority support patch from Brian Buesker. Applied as is
        except src/libipsec/Makefile.am is modified instead of 
        src/libipsec/Makefile.in as found in the patch.

2004-05-10  Michal Ludvig  <mludvig@suse.cz>

        From Heiko Hund, approved by the copyright holder:
        * src/racoon/gssapi.[ch]: Update to 3-clause BSD license.
        
2004-04-27  Michal Ludvig  <mludvig@suse.cz>

        From Heiko Hund:
        * src/include-glibc/sys/queue.h: Update to 3-clause BSD license.

2004-04-26  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/racoon/grabmyaddr.c (update_myaddrs): Only trust kernel to 
          send notifications about changed interfaces.
          
2004-04-24  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/racoon/grabmyaddr.c (recvaddrs): Only trust kernel to send
          information about interfaces. Thanks Steve Grubb and Bill
          Nottingham. Affects users with glibc w/o getifaddrs(). Users 
          with glibc earlier than 2003-11-14 should upgrade their glibc.

2004-04-19  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/isakmp.c (isakmp_handler): Reject too big 
          packets (CAN-2004-0403).

---------------------------------------------

        0.3 released

2004-04-14  Michal Ludvig  <mludvig@suse.cz>

        * NEWS: Notes for release 0.3
        * configure.ac: Bump up version to 0.3
        * src/racoon/Makefile.in: Use install-sh instead of mkinstalldirs.
        * src/racoon/remoteconf.c (foreachrmconf): Avoid warning about 
          uninitialised variable.
        * src/racoon/samples/racoon.conf.in: Cleaned up to work with Linux
          and FreeSWAN.

2004-04-13  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/grabmyaddr.c (suitable_ifaddr6): Anycast addresses are
          not suitable.

2004-04-09  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/crypto_openssl.c (cb_check_cert): Warn if no CRL is found.
        * src/racoon/isakmp_ident.c (ident_r2recv): Removed debug plog().
        * src/racoon/proposal.c (cmpsatrns): Downgrade severity of trns_id
          mismatch to LLV_WARNING.
        * src/libipsec/pfkey_dump.c, src/racoon/algorithm.c 
          src/racoon/algorithm.h src/racoon/cftoken.l 
          src/racoon/ipsec_doi.c src/racoon/ipsec_doi.h 
          src/racoon/oakley.h src/racoon/pfkey.c src/racoon/strnames.c 
          src/setkey/token.l: Renamed Rijndael to AES.
        * src/setkey/token.l: Recognize exit/quit/bye tokens.
        * src/setkey/parse.y (exit_command): New.
        * src/setkey/setkey.c (stdin_loop): Exit when exit_now is set
          in exit_command.

2004-04-08  Michal Ludvig  <mludvig@suse.cz>

        * src/setkey/setkey.c (main): Call get_supported() in interactive mode.
          (stdin_loop): Concat multiline input into a single line before parsing.

2004-04-07  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/nattraversal.c (natt_keepalive_send): Log sending KA 
          with level DEBUG. Having it with level INFO only pollutes logfiles.

2004-04-06  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/Makefile.in: eaytest now links plog.o
        * src/racoon/crypto_openssl.c: Remove all #ifdef EAYDEBUG/#endif
          surrounding plog().
        * src/racoon/eaytest.c (rsatest): Enabled RSA tests again, now 
          verifying both good and bad signatures.

---------------------------------------------

        0.3rc5 released

2004-04-05  Michal Ludvig  <mludvig@suse.cz>

        * NEWS: Notes for release 0.3rc5
        * configure.ac: Bump up version to 0.3rc5

2004-04-05  Michal Ludvig  <mludvig@suse.cz>

        Fix for a security bug found by Ralf Spenneberg:
        * src/racoon/crypto_openssl.c (eay_check_x509sign): Directly generate 
          'evp' instead of 'pubkey'.
          (eay_rsa_sign): Use the above.
        * src/racoon/crypto_openssl.h: Update prototypes for the above.
        * src/racoon/eaytest.c: Disabled RSA tests because of the API change.

2004-04-05  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/pfkey.c (pfkey_handler): Safety check before accessing 
          the array (thx to Ren.J.Y for report).
          (pkrecvf): Added entry for SADB_X_NAT_T_NEW_MAPPING (NULL for now).
        * src/racoon/strnames.c (name_pfkey_type): Ditto.

2004-04-02  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/eaytest.c (ciphertest_1): Correct padlen.

2004-04-01  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/ipsec_doi.c (setph2proposal0): Move proposal encmode
          update from here ...
          (ipsecdoi_setph2proposal): ... to here. Hopefully this is a 
          better place to do the update.

2004-03-30  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/crypto_openssl.c (eay_3des_expand_key): New function.
          (eay_3des_encrypt, eay_3des_decrypt): Expand key if necessary.
        * src/racoon/eaytest.c (ciphertest_1): New function.
          (ciphertest): Simplified to simple calls of ciphertest_1().

2004-03-29  Michal Ludvig  <mludvig@suse.cz>

        * README: Rewritten. Mentioned where to report bugs.

2004-03-26  Michal Ludvig  <mludvig@suse.cz>

        * configure.ac: Check for readline.h and libreadline.
        * src/setkey/setkey.c: Call stdin_loop() when '-c' was given.
          (stdin_loop): Read user input and parse it line-by-line.
        * src/setkey/token.l (parse_string): New function.

---------------------------------------------

        0.3rc4 released

2004-03-25  Michal Ludvig  <mludvig@suse.cz>

        * configure.ac: Bump up version to 0.3rc4
        * NEWS: Notes for release 0.3rc4
        * src/racoon/cfparse.y (algorithm): Hint about missing module.
        * src/racoon/crypto_openssl.c (eay_3des_*): Check for strict key 
          length only with old API.
          (eay_des_encrypt): Ditto.
        * src/racoon/eaytest.c: Make the testsuite usefull, i.e. exit with
          non-zero error code if any of the tests fail.
          (main): Print banner with version.
        * src/racoon/Makefile.in: Run eaytest in 'make check'.

2004-03-23  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/isakmp_agg.c (agg_i2recv): Copy remote cookie before 
          comparing NAT-D payloads. (thx to Gaurav Kansal for report).
        * src/racoon/crypto_openssl.c: Avoid type-punned warnings.
        * src/racoon/eaytest.c: Disable 'cert' tests.
        * src/racoon/crypto_openssl.c (eay_des_encrypt): No need to check 
          for strict length.
          (eay_aes_encrypt): Keylength is in bits, not bytes.

2004-03-22  Michal Ludvig  <mludvig@suse.cz>

        * src/setkey/parse.y (ALG_ENC_NOKEY, ALG_ENC_OLD): Use "" for key 
          instead of NULL and check for availability.

---------------------------------------------

        0.3rc3 released

2004-03-19  Michal Ludvig  <mludvig@suse.cz>

        * configure.ac: Bump up version to 0.3rc3
        * NEWS: Notes for release 0.3rc3
        * src/racoon/cftoken.l: Add 'null' as an alias for 'null_enc'.
        * src/racoon/proposal.c (cmpsatrns): New parameter proto_id, 
          better diagnostic output when trns_id don't match.
        * src/racoon/proposal.h (cmpsatrns): Update prototype.
        * src/setkey/setkey.c: Change option -h to -H (for hexdump), new
          options -h (help) and -V (version).
        * src/setkey/setkey.8: Document the above changes.
        * src/racoon/rfc/*: Many standards related to IPsec/IKE/NAT-T/...

2004-03-15  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/configure.in: Prevent compilation error with
          --enable-yydebug.

---------------------------------------------

        0.3rc2 released

2004-03-11  Michal Ludvig  <mludvig@suse.cz>

        * configure.ac: Bump up version to 0.3rc2
        * NEWS: Notes for release 0.3rc2
        * src/racoon/aclocal.m4 (RACOON_CHECK_VA_COPY): New test.
        * src/racoon/configure.in: Call RACOON_CHECK_VA_COPY
        * src/racoon/plog.c (plogv): Replace va_copy() with VA_COPY.
        * src/racoon/racoon.conf.5: Note that NAT-T support is a compile 
          time option.

2004-03-10  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/racoon.conf.5: Document nat_traversal option.
        * src/racoon/racoon.8: DOcument new options (-L and -P).

2004-03-09  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/grabmyaddr.c (autoconf_myaddrsport): Prepare addrs for
          UDP-Encap ports if NAT-T is enabled.
          (dupmyaddr): New function.
        * src/racoon/grabmyaddr.h: Prototype for dupmyaddr().
        * src/racoon/isakmp.c (isakmp_open): Complain if NAT-T is enabled, but 
          no port for UDP-Encap was open.
        * src/racoon/isakmp_var.h (PORT_ISAKMP_NATT): New define.
        * src/racoon/localconf.c, src/racoon/localconf.h: Define and setup 
          lcconf->port_isakmp_natt.
        * src/racoon/main.c (main): Print nicer banner,
          (usage): Document new options (-L and -P).
          (parse): Recognise the above.
        * src/racoon/nattraversal.c (natt_fill_options): Don't use hardcoded 
          constants for float_port.
          (natt_enabled_in_rmconf, natt_enabled_in_rmconf_stub): New functions.
        * src/racoon/nattraversal.h: Prototype for natt_enabled_in_rmconf().
        * src/racoon/plog.c: Don't print source:line:function by default.
        * src/racoon/remoteconf.c (foreachrmconf): New helper function.
        * src/racoon/remoteconf.h: Prototype for the above.
        * package_version.h: Define strings for use in banners.
        * configure.ac: Fill up the above header.

2004-03-09  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/configure.in: Don't put -O into OPTFLAGS,
          add new option --disable-natt.
        * src/racoon/cfparse.y, src/racoon/handler.c,
          src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
          src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
          src/racoon/isakmp_ident.c, src/racoon/pfkey.c,
          src/racoon/proposal.c, src/racoon/session.c: Replace WITH_NATT
          with ENABLE_NATT.
        * src/racoon/crypto_openssl.c: Replace %d with %zd for size_t arguments.

2004-03-06  Aidas Kasparas  <a.kasparas@gmc.lt>

        * configure.ac: Refuse to continue if lexer library (yywrap() 
          function) is missing. Should prevent bugs like #892067, #908758
        * src/racoon/configure.in: renamed --with-ssleay to --with-openssl.
          Users should not be given false idea that they require both OpenSSL
          and SSLeay to compile racoon. (See bug #902197)

---------------------------------------------

        0.3rc1 released

2004-03-04  Michal Ludvig  <mludvig@suse.cz>

        * configure.ac: Bump up version to 0.3rc1
        * NEWS: Mention release 0.3rc1 (and copy 0.2.3 and 0.2.4 notes
          from 0.2 branch).
        * src/racoon/samples/racoon.conf.sample-natt: New sample config file.
        * src/racoon/Makefile.in: Tweak file lists to make 'distcheck' happy,
          enabled NATT by default (will become a config option later).

2004-03-04  Michal Ludvig  <mludvig@suse.cz>

        Merge with 'nat-t_branch' to bring NAT-T (NAT traversal) support
        to racoon.
        * src/racoon/Makefile.in, src/racoon/cfparse.y,
          src/racoon/cftoken.l, src/racoon/grabmyaddr.c,
          src/racoon/grabmyaddr.h, src/racoon/handler.c,
          src/racoon/handler.h, src/racoon/ipsec_doi.c,
          src/racoon/ipsec_doi.h, src/racoon/isakmp.c, src/racoon/isakmp.h,
          src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
          src/racoon/isakmp_ident.c, src/racoon/isakmp_quick.c,
          src/racoon/localconf.c, src/racoon/localconf.h,
          src/racoon/pfkey.c, src/racoon/proposal.c, src/racoon/proposal.h,
          src/racoon/racoon.conf.5, src/racoon/remoteconf.c,
          src/racoon/remoteconf.h, src/racoon/session.c,
          src/racoon/strnames.c, src/racoon/vendorid.h
          src/libipsec/pfkey.c,
          src/racoon/nattraversal.c, src/racoon/nattraversal.h,
          src/racoon/sockmisc.c: Affected files.

2004-02-27  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/isakmp.c (set_isakmp_header1): Renamed from
          set_isakmp_header().
          (set_isakmp_header): New function common for set_isakmp_header1() 
          and set_isakmp_header2().
          (copy_ph1addresses): Obey original port.
          (isakmp_plist_append, isakmp_plist_set_all): New helper functions.
        * src/racoon/isakmp_var.h: Prototypes for the above.
        * src/racoon/isakmp.h (struct payload_list): New structure.
        * src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c, 
          src/racoon/isakmp_ident.c: Use isakmp_plist_* functions.

2004-02-03  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/Makefile.in: Fix install to $(sbindir)
        * src/setkey/parse.y: Avoid GCC 3.3 warning (type-punned pointer).

2004-01-19  Michal Ludvig  <mludvig@suse.cz>

        * rpm/ipsec-tools.FC1: Startup script for Fedora Core 1
          (thanks to Kimmo Koivisto <kimmo.koivisto@surfeu.fi>)

2004-01-17  Aidas Kasparas  <a.kasparas@gmc.lt>

        * src/racoon/isakmp_inf.c: endian mismatch fix. From iij seil team

2004-01-15  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/isakmp_inf.c: Prevent unauthorized deletion of SA
        (reported on bugtraq, fixed by iij seil team).
        * src/racoon/isakmp.c: Don't try to bind to IPv6 multicast addresses.

2004-01-14  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/plog.c: Fix segfault on AMD64 (va_list can be used 
        only once).
        * configure.ac: Don't build shared libipsec by default (can be
        enabled by --enable-shared).
        * bootstrap: Don't run automake for racoon.

2004-01-12  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/configure.in: Fix AC_DEFINEs to make autoheader happy,
          use config.h for defines instead of -DHAVE_* gcc options,
          fix CRYPTOBJS to include missing rijndael libraries only once, 
          checking for AES support in OpenSSL now (hopefully) finally 
          works on both OpenSSL 0.9.6 and 0.9.7.
        * src/racoon/*.[cyl]: Include autogenerated "config.h"
        * src/racoon/missing/crypto/*/*.c: Ditto.
        * src/racoon/.cvsignore: Add config.h, config.h.in

2004-01-09  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/.cvsignore: Add "autom4te.cache" and "configure".

2004-01-09  Aidas Kasparas  <a.kasparas@gmc.lt>

        Sync with KAME 2004-01-07
        * src/libipsec/pfkey.c: memory leak fix; comment typo fixes
        * src/libipsec/{pfkey.c,pfkey_dump.c}: allow compilation even 
          no SADB_X_EXT_TAG defined
        * src/libipsec/pfkey_dump.c: information about algorithms 
          ripemd160, aes-xcbc, aes-ctr; bigger buffers; <tag> support
        * src/libipsec/policy_parse.y: memory leak
        * src/libipsec/policy_token.l: memory leak
        * src/libipsec/test-policy.c: unneeded \n removed
        * src/racoon/Makefile.in: $(sbindir) support
        * src/racoon/admin.c: interface changes due to proxy support 
        * src/racoon/algorithm.c: SHA2 #ifdefs
        * src/racoon/{cfparse.y,cftoken.l}: license text added
        * src/racoon/cfparse.y: mip6 obsoleted by proxy support
        * src/racoon/cfparse.y: from directive support; new algorithms
        * src/racoon/cftoken.l: support for globbing of include files
        * src/racoon/configure.in: more verbose information about problems 
          with SHA2
        * src/racoon/crypto_openssl.c: use new DES API if supported; algorithm 
          key size fixes
        * src/racoon/eaytest.c: SHA2 #ifdefs; keysize len check
        * src/racoon/ipsec_doi.c: use VPTRINIT; ESP parameter validity checks;
          style change
        * src/racoon/isakmp.c: use VPTRINIT; interface changes due to
          mip6->proxy; typo
        * src/racoon/isakmp_inf.c: use VPTRINIT
        * src/racoon/isakmp_quick.c: mip6->proxy
        * src/racoon/kmpstat.c: not used variables removed
        * src/racoon/pfkey.c: mip6->proxy; schedule leak
        * src/racoon/proposal.c: style
        * src/racoon/remoteconf.c: mip6->proxy
        * src/racoon/sainfo.c: from directive support
        * src/racoon/sockmisc.c: side correction; addrinfo leak
        * src/racoon/strnames.c: typo in descriptions; wrong upper bound check
        * src/racoon/missing/crypto/sha2/sha2.c: wrong size
        * src/setkey/parse.y: extra algorithms; tagged; not needed periods
          removed; memory shortage checks
        * src/setkey/setkey.8: typos; tagged; new algorithms
        * src/setkey/setkey.c: standard argument names for main(); hexdump
          support; info in file support
        * src/setkey/token.l: new algorithms; memory shortage checks
          Parts not taken from KAME:
        * kernelfs stuff;
        * sysctl stuff

2004-01-08  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/config.{sub,guess}: Update from automake 1.7.

2004-01-08  Michal Ludvig  <mludvig@suse.cz>

        Patch from Kostadin Karaivanov <larry@minfin.bg>:
        * src/racoon/configure.in: Check for openssl/aes.h.
        * src/racoon/crypto_openssl.c: Use OpenSSL AES functions if available.

2004-01-08  Michal Ludvig  <mludvig@suse.cz>

        * src/racoon/configure: Remove, should be regenerated by bootstrap.

2004-01-02  Michal Ludvig  <michal@logix.cz>

        * src/racoon/crypto_openssl.c: Update to work with OpenSSL 0.9.7
          (by Brian Buesker <bbuesker@qualcomm.com>
           and Christophe Saout <christophe@saout.de>)
        * src/racoon/proposal.c: Be more verbose. (Michal Ludvig)
        * src/libipsec/ipsec_dump_policy.c: Dump FWD policies correctly
          (by Michal Ludvig).
        * src/setkey/token.l, src/setkey/parse.y: Add support for lifetime 
          specified in bytes (by Michal Ludvig).
        * src/setkey/setkey.8: Document -bh/-bs options for the above feature.
        * src/libipsec/pfkey.c: Don't include 'sadb_key' in SADB_UPDATE 
          message for IPcomp SA. (by Brian Buesker <bbuesker@qualcomm.com>)
        * src/racoon/cfparse.y: Flush SA on SIGHUP
          (by Brian Buesker <bbuesker@qualcomm.com>)
        * src/racoon/pfkey.c: IPcomp fixes
          (by Brian Buesker <bbuesker@qualcomm.com>)
        * src/racoon/proposal.c: Fix typo lifebyte -> lifetime.
        * src/racoon/grabmyaddr.c: Prevent segfault if getifaddrs() returns
          an entry with NULL ifa_addr (Michal Ludvig).
        * configure.ac: Change path to kernel headers 
          from /usr/src/devel-2.5/devel to /usr/src/linux
        * bootstrap: Use default tools, reconfigure src/racoon
        * src/racoon/configure.in: Change LIBOBJS -> AC_LIBOBJ,
          changed comments from 'dnl' to '#'.

2003-06-20  Derek Atkins  <derek@ihtfp.com>

        * src/racoon/aclocal.m4:
        * src/racoon/configure:
          Don't execute "for i in $3" if "$3" doesn't exist.
          Fixes bug #721296.
        
2003-03-31  Derek Atkins  <derek@ihtfp.com>

        * src/setkey/parse.y: change the NAT-T Type to use UDP_ENCAP_ESPINUDP
          (which is value '2')

2003-03-27  Derek Atkins  <derek@ihtfp.com>

        * src/libipsec/key_debug.c: use ntohs() before printing port
        * src/libipsec/pfkey.c: convert port# to network byte order
        * src/libipsec/pfkey_dump.c: use ntohs() before printing ports
        * src/setkey/parse.y: convert port#'s to network byte order
        
2003-03-24  Derek Atkins  <derek@ihtfp.com>

        * src/libipsec/pfkey.c: Don't switch off NAT-T extensions
          if they don't exist in the kernel.

        * src/racoon/sockmisc.c: use '34' for IPV6_IPSEC_POLICY,
          as per Tom Lendacky <toml@us.ibm.com>.  Also move the
          setting of IPV6_IPSEC_POLICY to the top of the file.
        
2003-03-13  Derek Atkins  <derek@ihtfp.com>

        Add initial support for NAT-T PFKey Extensions:
        * src/libipsec/key_debug.c: add support to print information
          about NAT-T extension packets.
        * src/libipsec/libpfkey.h: add two new APIs to support NAT-T
          for add and update as part of the SADB.
        * src/libipsec/pfkey.c:
          - Implement extended APIs to support NAT-T for add and update
            of the SADB.
          - Add APIs to fill a buffer with NAT-T packet types
        * src/libipsec/pfkey_dump.c: Extend the SADB output to include
          PFKey packets.  Put port numbers with the source and dest
          addresses, add an 'esp-udp' SA-type, and add a printout for
          the NAT-OA.
        * src/setkey/parse.y:
          - Extend setkey to create an ESP-UDP SA.
          - default UDP port is 4500
          - extend 'add' to allow <ip-addr>[<portnum>] for source and dest
            (the portnum specification requires the [] characters)
          - add an ESPUDP "protocol" from the lexer.  This will use
            ESP and allow an optional Original Address setting.
          - add a function to get a udp port from a struct sockaddr *
          - pass the NAT-T extentions into PFKey
        * src/setkey/token.l: add "esp-udp" token
        
        * rpm/ipsec-tools.spec.in: Bill Nottingham's SPEC-file patch:
          This switches it to use %{_lib} (for /lib64 systems such as
          x86-64 and s390x, and has it own the /etc/racoon directory in
          the package as well.

---------------------------------------------

        0.2.2 released

2003-03-13  Derek Atkins  <derek@ihtfp.com>

        * configure.am, NEWS:
          Update for 0.2.2 release

        * Makefile.am: distribute depcomp
        
2003-03-10  Derek Atkins  <derek@ihtfp.com>

        * src/racoon/Makefile.in: add @LEXLIB@ to the LIBS line to make
          sure we link against the lexer library when necessary.
        
2003-03-07  Derek Atkins  <derek@ihtfp.com>

        * configure.am:
        * Makefile.am:
        * rpm/Makefile.am:
        * rpm/ipsec-tools.spec.in:
          Added RPM SPEC to CVS
        
---------------------------------------------

        0.2.1 released

2003-03-07  Derek Atkins  <derek@ihtfp.com>

        * src/racoon/configure.in:  change "CFLAGS" to "CPPFLAGS" for
          ssl include directory, to make sure the other tests work properly.

2003-03-06  Derek Atkins  <derek@ihtfp.com>

        * src/racoon/kmpstat.c:  fix gcc-3.2.2 compiler warning

        * src/racoon/configure.in:  look for krb5-config and don't
          use it if it's not found.  Fixes a configure-time warning.
        
--------------------------------------------

        0.2 Released