---------------------------------------------
2005-03-23 Michal Ludvig <michal@logix.cz>
* configure.ac: Bump up version to 0.5.1
* NEWS: Notes about 0.5.1
2005-03-14 Emmanuel Dreyfus <manu@netbsd.org>
* configure.ac: correctly check for dynamic libradius
2005-03-13 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp.c: Fixed a buffer underrun (CAN-2005-0398)
2005-03-02 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp_quick.c: tunnel_mode_prop() is now public
* src/racoon/isakmp_inf.c: fixed compilation if HAVE_POLICY_FWD.
2005-03-01 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/oakley.c: fixed oakley_newiv2() when errors
2005-02-18 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp_inf.c: Purge generated SPDs when getting a
* src/racoon/pfkey.c: do NOT unbindph12() when SA acquire
---------------------------------------------
2005-02-18 Michal Ludvig <michal@logix.cz>
* configure.ac: Bump up version to 0.5
2005-02-18 Michal Ludvig <michal@logix.cz>
* configure.ac, rpm/suse/ipsec-tools.spec.in,
rpm/suse/Makefile.am: Distribute .spec file with
resolved version string.
* src/racoon/Makefile.am: Allow parallel cluster build.
2005-02-17 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/ipsec_doi.c: Workaround for phase1 lifetime checks
2005-02-15 Michal Ludvig <michal@logix.cz>
* configure.ac: Changed --enable-natt_NN to --enable-natt-versions=NN,NN
2005-02-07 Michal Ludvig <michal@logix.cz>
From Krisztian Kovacs:
* src/racoon/cfparse.y: Allocate correct space for "struct sockaddr".
2005-01-30 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/vmbuf.c: bugfix in vrealloc()
* src/racoon/oakley.c: mem leak fix in INITDHVAL()
* src/racoon/session.c: mem leak fix in check_flushsa()
2005-01-29 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/nattraversal.c: fixed draft 04 options...
2005-01-29 Emmanuel Dreyfus <manu@netbsd.org>
From Fred Senault <fred@lacave.net>
* src/racoon/pfkey.c: Update SAD even if NAT-T is disabled, so that
---------------------------------------------
2005-01-04 Michal Ludvig <michal@logix.cz>
* NEWS: Notes for release 0.5rc2
* configure.ac: Bump up version to 0.5rc2
2005-01-26 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp_{ident|agg}.c: checks if we are out of
vid_natt[] when freeing VIDs. Also sets vid_natt[0] to NULL if
* src/racoon/nattraversal.c: fixed vid_natt[] initialization in
isakmp_plist_append_natt_vids(), and really puts VIDs from RFC
2005-01-24 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp.c: set UDP_ENCAPS_ESPINUDP_NON_IKE option when needed
2005-01-23 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp_{ident|agg}.c: NAT-T cleanup
* src/racoon/pfkey.c: Uses NATT encaps_type in pk_sendupdate()
* src/racoon/vendorid.[ch]: NAT-T cleanup, NATT_01 VID
* src/racoon/nattraversal.[ch]: NATT cleanup, support for all
drafts (disabled by default) / RFC.
* src/racoon/isakmp.h: NATT cleanup for NATT RFC support
* src/racoon/ipsec_doi.h: updated comments about NATT
* configure.ac: enable-natt_XX options
2005-01-22 Emmanuel Dreyfus <manu@netbsd.org>
From Fred Senault <fred@lacave.net>
* src/racoon/{cftoken.l|cfparse.y|racoon.conf.5}
src/racoon/samples/roadwarrior/README: change "my_identifier login"
into "xauth_login" in the config file so that we can introduce Xauth
with a pre-shared key later.
2005-01-21 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/samples/roadwarrior/client/{phase1-up.sh|phase1-down.sh}:
workaround Linux problems. This needs a better fix.
2005-01-17 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/admin_var.h: Fix path problem for adminport socket
2005-01-13 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/ipsec_doi.c: Uses proposal_check value to check phase
* src/racoon/racoon.conf.5: Updated racoon man page for phase 1
lifetime check / proposal_check.
2005-01-11 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp_quick.c: Endianness bugfix from KAME
---------------------------------------------
2005-01-04 Michal Ludvig <michal@logix.cz>
* NEWS: Notes for release 0.5-rc1
* configure.ac: Bump up version to 0.5-rc1
2005-01-03 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/admin.c: never fork, it buys nothing and breaks on some
---------------------------------------------
Branch for 0.5 created (ipsec-tools-0_5-branch)
2004-12-23 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/crypto_openssl.c: Indentation
2004-12-28 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/crypto_openssl.c: Fixed eay_get_x509subjectaltname()
when getting an IP (Bug # 1092095)
2004-12-26 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/session.c: remove outdated comment
---------------------------------------------
2004-12-21 Michal Ludvig <michal@logix.cz>
* src/racoon/pfkey.c: Fix AES vs Rijndael defines.
2004-12-20 Yvan Vanhullebus <vanhu@free.fr>
* configure.ac, src/racoon/isakmp.c, src/racoon/pfkey.c:
Some FreeBSD / NATT support.
2004-12-17 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp.c: only IPv4 NAT-T is supported, so skip IPv6 here.
* src/racoon/pfkey.c: Restore AES support on NetBSD.
2004-12-17 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/crypto_openssl.c: Uses sprintf() instead of
asprintf() in eay_get_x509subjectaltname(), because of some
compilation problems reported with asprintf() on some platforms.
* src/racoon/oakley.c: just take the first cert in
oakley_savecert() if cert ID check is disabled.
2004-12-16 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/crypto_openssl.c: Build again on NetBSD
* src/racoon/samples/roadwarrior/server/racoon
src/racoon/samples/roadwarrior/server/racoon.conf-radius
src/racoon/samples/roadwarrior/README: Use DPD in sample files.
2004-12-16 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/crypto_openssl.c: Fixed eay_get_x509subjectaltname()
when SubjectAltName contains an IP. OpenSSL code from Ludovic
Flament (ludovic.flament@free.fr).
---------------------------------------------
2004-12-13 Michal Ludvig <mludvig@suse.cz>
From Ganesan R <rganesan@users.sourceforge.net>:
* src/racoon/Makefile.am, src/setkey/Makefile.am: Fix compilation
with shared libraries.
2004-12-10 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/oakley.c: takes the first certificate which matches
the Identity, instead of just taking the first certificate.
2004-12-07 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp_inf.c: Set spi_size for R-U-THERE/R-U-THERE-ACK.
2004-12-04 Aidas Kasparas <a.kasparas@gmc.lt>
* src/libipsec/pfkey_dump.c: distinguish per-socket policies from
general ones (Linux case);
* src/racoon/pfkey.c: ditto, do not negotiate policies if racoon
does not listen on our tunnel's source address.
2004-12-01 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp_agg.c: code cleanup in NATT / DPD VIDs
generation in r1send()
2004-12-01 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/remoteconf.{c|h}: DPD support option (enabled by default)
* src/racoon/{cfparse.y|cftoken.l}: DPD token, yyerror if DPD
parameters but compiled without ENABLE_DPD
* src/racoon/isakmp_{agg|ident}.c: Send DPD VID only if DPD
support activated in configuration
2004-11-30 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{evt.c|evt.h|admin.c}: init event queue at compile time,
to avoid garbage pointer if admin port is disabled.
* src/racoon/{throttle.c|throttle.h}: new files
src/racoon/{Makefile.am|isakmp_cfg.c|isakmp_xauth.c|racoon.conf.5}
configure.ac: Add a per-host throttling count. When throttling,
don't sleep, schedule the answer for later instead.
* src/racoon/kmpstat.c: default with no hexdump of the packet
* src/racoon/admin.c: don't remove admin socket after first request,
on the other hand remove on startup stale sockets left by
* src/racoon/samples/roadwarrior/README
src/racoon/kmpstat.c: fix option parsing problem on Linux
2004-11-29 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/session.c: Only listen on pfkey socket when received
2004-11-28 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h}
src/racoon/{isakmp_xauth.c|racoon.conf.5}: Add a one second throttle
on each Xauth authentication to avoid brute force attacks
2004-11-24 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/samples/roadwarrior/README
src/racoon/samples/roadwarrior/client/{phase1-up.sh|phase1-down.sh}
src/racoon/samples/roadwarrior/client/{racoon.conf|racoon.conf-radius}
src/racoon/samples/roadwarrior/server/{racoon.conf|phase1-down.sh}:
Fill Linux gaps for hybrid auth client, Replace public IP by
private and example IP in the sample config files.
2004-11-24 Emmanuel Dreyfus <manu@netbsd.org>
DPD patch from Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/cfparse.y: missing bits for DPD support
2004-11-23 Aidas Kasparas <a.kasparas@gmc.lt>
* src/setkey/parse.y: generate require fwd policies for unique in
* src/setkey/setkey.c: made -r/-k options available only when
system has FWD policies.
* src/setkey/setkey.8: updated docs about change above.
2004-11-22 Michal Ludvig <mludvig@suse.cz>
* src/racoon/{admin.c,pfkey.c}: Wrap adminport-parts to
#ifdef ENABLE_ADMINPORT/#endif.
2004-11-22 Michal Ludvig <mludvig@suse.cz>
Revert these changes (ludvigm, 2004-11-18):
* src/racoon/Makefile.am: install sample racoon.conf and psk.txt.
* src/setkey/Makefile.am: Install setkey.conf.
2004-11-22 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c}: defer phase 1
removal so that it's not used after being deleted.
* src/racoon/{evt.h|isakmp.c|isakmp_agg.c|isakmp_base.c|session.c}
src/racoon/{isakmp_ident.c|isakmp_inf.c|kmpstat.c}: report more
2004-11-21 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/doc/FAQ: NAT-T kernel patch for NetBSD is now on
the ipsec-tools web site
* src/racoon/{kmpstat.c|racoonctl.8}: New racoonctl command to
display all events reported by racoon: show-event
* src/racoon/isakmp_cfg.c: don't send ISAKMP mode config message
with immature or dying phase 1
* src/racoon/kmpstat.c: racoonctl vd awaits phase 1 to get down
2004-11-20 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp_agg.c: for hybrid auth client, advertise ourself
* src/racoon/{evt.c|evt.h}: new files
src/racoon/{Makefile.am|admin.c|admin.h|isakmp.c|isakmp_cfg.c}
src/racoon/{isakmp_xauth.c|kmpstat.c|pfkey.c}: framework for
event reporting from racoon to racoonctl
2004-11-20 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/grabmyaddr.c: Prevent doubling addresses and error messages
when racoon is compiled with INET6 support and kernel is not.
Fixed with help of Zilvinas Valinskas.
* src/racoon/{var.h|sockmisc.c}: Fixed compilation with gcc-3.4.2+
2004-11-19 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/doc/FAQ: more options and warn about software patents.
2004-11-18 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/vmbuf.c: don't allocate zero-length buffer
* src/racoon/samples/roadwarrior/client/phase1-down.sh
src/racoon/samples/roadwarrior/server/phase1-down.sh: Also
flush SAD when disconnecting.
* src/racoon/admin.c: Send a notification when deleting ISAKMP SA
* src/racoon/samples/roadwarrior/README: accommodate the recent
2004-11-18 Michal Ludvig <mludvig@suse.cz>
* src/racoon/Makefile.am: Fix adminsocket dir, install sample
racoon.conf and psk.txt.
* src/racoon/localconf.h: Look for racoon.conf in $(SYSCONFDIR),
not $(SYSCONFDIR)/racoon.
* src/racoon/algorithm.h, src/racoon/eaytest.c,
src/racoon/schedule.h, src/racoon/gnuc.h: Build fixes for really
* src/setkey/setkey.conf: Yet another sample config file.
* src/setkey/Makefile.am: Install setkey.conf.
* rpm/suse/{ipsec-tools.spec.in,sysconfig.racoon,racoon.init}: New
* rpm/suse/{Makefile.am,.cvsignore}: New files.
* configure.ac, rpm/Makefile.am: Build in rpm/suse.
2004-11-17 Aidas Kasparas <a.kasparas@gmc.lt>
* configure.ac: paste bugfix by Zilvinas Valinskas
* src/racoon/{isakmp_quick.c|policy.c|strnames.c}: fwd policy support
for generated policies. Patch by Patrick McHardy.
2004-11-16 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/racoonctl.8: racoonctl man page (new file)
2004-11-16 Emmanuel Dreyfus <manu@netbsd.org>
From Ganesan <rganesan@users.sourceforge.net>
* src/racoon/ipsec_doi.c: fix free'd memory access
2004-11-16 Michal Ludvig <mludvig@suse.cz>
DPD patch from Yvan Vanhullebus <vanhu@free.fr>
* configure.ac, src/racoon/cfparse.y, src/racoon/cftoken.l,
src/racoon/handler.c, src/racoon/handler.h,
src/racoon/isakmp.c, src/racoon/isakmp.h,
src/racoon/isakmp_agg.c, src/racoon/isakmp_ident.c,
src/racoon/isakmp_inf.c, src/racoon/isakmp_inf.h,
src/racoon/racoon.conf.5 src/racoon/remoteconf.c,
src/racoon/remoteconf.h, src/racoon/vendorid.c,
src/racoon/vendorid.h: Dead Peer Detection (DPD) support.
2004-11-16 Michal Ludvig <mludvig@suse.cz>
* configure.ac: Remove a bash-specific construction, take II.
* src/racoon/grabmyaddr.c: FreeBSD fix for headers.
2004-11-15 Michal Ludvig <mludvig@suse.cz>
* configure.ac: Use correct include paths during ./configure run.
* src/racoon/Makefile.am: Compile cftoken.l from $(srcdir),
remove samples/racoon.conf.sample-cvpn, added samples/roadwarrior
(hint, hint, manu :-))
2004-11-15 Emmanuel Dreyfus <manu@netbsd.org>
* README: update the docs
* src/racoon/doc/FAQ: update the docs
* configure.ac: Remove a bash-specific construction
2004-11-14 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/cfparse.y: ensure that returns from rules are
initialized even on erroneous config file.
* src/racoon/admin_var.h: changed management socket location
* src/racoon/Makefile.am: ditto, added rule to install directory
for management socket.
* src/setkey/{setkey.c|parse.y}: introduced rfc/kernel modes,
added generation of fwd policies for every in policy spdadd'ed.
* src/setkey/setkey.8,src/libipsec/ipsec_set_policy.3: updated docs
* src/setkey/policy_token.l: return something reasonable when
fwd direction is parsed on systems with no forward policy
2004-11-14 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp.c: avoid a double free when using IKE fragmentation
* src/racoon/{backupsa.c|ipsec_doi.c|localconf.c|str2val.c}
src/{libipsec/key_debug.c|setkey/parse.y}: fix build warnings
* configure.ac src/racoon/{admin.c|admin_var.h}
src/racoon/racoon.conf.5 src/racoon/samples/roadwarrior/README
src/racoon/samples/roadwarrior/client/racoon.conf: make the default
mode for the admin socket more secure.
2004-11-13 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{cfparse.y|remoteconf.c|crypto_openssl.c|crypto_openssl.h}
src/racoon/{eaytest.c|oakley.c|racoon.conf.5|cftoken.l|remoteconf.h}
src/racoon/samples/roadwarrior/README
src/racoon/samples/roadwarrior/client/racoon.conf: Make the root
certificate authority location per-peer and configurable.
* src/racoon/isakmp_frag.c: fix unallocated memory access
* src/racoon/isakmp_agg.c: fix incorrect queue deallocation
* src/racoon/remoteconf.c: fix uninitialized data
* src/racoon/{admin.c|isakmp_xauth.c}: fix free'ed memory access
2004-11-12 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{Makefile.am|kmpstat.c}: Make racoonctl vc and vd
commands IPv6 friendly.
* src/racoon/{admin.c|admin.h|handler.c|handler.h|kmpstat.c}:
Add an admin message to flush all the SA for a given peer.
Convert racoonctl vd to use it.
* src/racoon/{admin.c|kmpstat.c|cftoken.l|cfparse.y}
src/racoon/{admin_var.h|admin.h|racoon.conf.5}: Enable the
administrator to choose the admin socket path, ownership and mode.
* src/racoon/samples/roadwarrior: complete config files for
road warriors using hybrid authentication.
2004-11-12 Michal Ludvig <mludvig@suse.cz>
* configure.ac: Config option --enable-natt=kernel
* src/racoon/Makefile.am: Distribute only yacc/lex source files,
not the preprocessed .c files.
2004-11-11 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/samples/racoon.conf.sample-cvpn: more complete setup
and comments in the VPN concentrator setup for the Cisco VPN client
* src/racoon/racoon.conf.5: fix documentation
* src/racoon/isakmp_cfg.c: get the internal IPv4 address in script
hooks even if we are a server.
2004-11-10 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{ipsec_doi.c|remoteconf.c}: fix LP64 problems
2004-11-09 Michal Ludvig <mludvig@suse.cz>
* Makefile.am: Remove aclocal-related lines.
* src/racoon/Makefile.am: Add isakmp_frag.h into noinst_HEADERS
* configure.ac: Cleanup, define INET6 if IPv6 should be supported,
better handling of KRB5 and NAT-T.
* src/racoon/{isakmp_cfg.c,isakmp_frag.c,isakmp_unity.c}: Make
FreeBSD happy with includes (Arrgh...&^#$^@!!!)
2004-11-08 Michal Ludvig <mludvig@suse.cz>
* src/libipsec/policy_parse.y: Define INT32_MAX/INT32_MIN.
* src/libipsec/policy_token.l, src/racoon/kmpstat.c,
src/racoon/{pfkey.c,prsa_par.y,rsalist.c,token.l}: Small
fixes to support FreeBSD (tested with 4.10).
2004-11-05 Michal Ludvig <mludvig@suse.cz>
* configure.ac: Add --with-readline switch.
* src/setkey/setkey.c(stdin_loop): Fix newlines and comments
when compiled without readline.
2004-11-01 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/isakmp_quick.c: generated policy refresh patch
2004-10-29 Michal Ludvig <mludvig@suse.cz>
* configure.ac: Check for IPSEC_DIR_FWD and eventually define
* src/libipsec/{ipsec_dump_policy.c,policy_token.l}: Use
HAVE_POLICY_FWD in ifdefs.
* NEWS: Mention the fix.
* src/racoon/kmpstat.c: Fix compilation on Linux.
* src/racoon/ipsec_doi.h: Ditto.
* src/racoon/Makefile.am, src/setkey/Makefile.am: Update
explicit dependencies.
2004-10-29 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{isakmp_cfg.h,grabmyaddr.c,handler.c,handler.h}:
do not reconfigure internal addresses obtained through ISAKMP
* src/racoon/{isakmp.c,isakmp_cfg.c,isakmp_xauth.c}: On authentication
failure, kill the phase 1 and log the failure. Do not run the sa_up
* src/racoon/{admin.c,admin.h,isakmp_xauth.c,kmpstat.c,remoteconf.h}:
Add -u user to racoonctl establish-sa, prompt for the PSK from
the terminal, and add a vpn-connect target with simplified syntax
for establishing a SA in the road warrior case.
* src/racoon/{admin.c,kmpstat.c}: implement delete-sa and
vpn-disconnect commands of racoonctl
* src/racoon/{cfparse.y,cftoken.l,handler.c,isakmp.c,isakmp_cfg.c}
src/racoon/{isakmp_var.h,racoon.conf.5,remoteconf.c,remoteconf.h}:
Remove sa_up and sa_down and replace them by a more general
script hook framework.
2004-10-27 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/nattraversal.c: Use macros instead of magic numbers
* src/racoon/kmpstat.c: pull up fixes from KAME so that racoonctl
can actually establish a SA
* src/racoon/{cfparse.y,cftoken.l,handler.c,isakmp.c,isakmp_cfg.c}
src/racoon/{isakmp_var.h,racoon.conf.5,remoteconf.c,remoteconf.h}:
Shell script hooks for ISAKMP SA creation and removal
2004-10-26 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/rfc/draft-ietf-ipsec-isakmp-hybrid-auth-05.txt: removed
src/racoon/rfc/draft-ietf-ipsec-isakmp-mode-cfg-04.txt: removed
src/racoon/rfc/draft-beaulieu-ike-xauth-02.txt: new file
src/racoon/rfc/draft-dukes-ike-mode-cfg-02.txt: new file
Update to the latest drafts
2004-10-25 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/rfc/draft-ietf-ipsec-isakmp-hybrid-auth-05.txt: new file
src/racoon/rfc/draft-ietf-ipsec-isakmp-mode-cfg-04.txt: new file
src/racoon/rfc/draft-ietf-ipsec-isakmp-xauth-07.txt: new file
drafts documenting ISAKMP mode config, Xauth and hybrid auth
* src/racoon/cftoken.l: fix build problem, add an error message
when using hybrid auth options while hybrid auth is not built
* src/racoon/isakmp_cfg.c: build without RADIUS support too
2004-10-24 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{algorithm.c,algorithm.h,cfparse.y,cftoken.l}
src/racoon/{ipsec_doi.c,ipsec_doi.h,isakmp.c,isakmp_agg.c}
src/racoon/{isakmp_cfg.c,isakmp_cfg.h,isakmp_xauth.c,isakmp_xauth.h}
src/racoon/{oakley.c,oakley.h,racoon.conf.5}
src/racoon/{remoteconf.c,remoteconf.h,strnames.c}: Client side
of hybrid auth and ISAKMP mode config
2004-10-24 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{cfparse.y,cftoken.l,handler.h,isakmp.c}
src/racoon/{isakmp_agg.c,isakmp_base.c,isakmp_frag.c,isakmp_frag.h}
src/racoon/{isakmp_inf.c,racoon.conf.5,remoteconf.c,remoteconf.h}:
Receiver-side of IKE fragmentation
2004-10-24 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp_cfg.c: Fix read buffer overflow
* src/racoon/isakmp_xauth.c: Fix weak authentication
* src/racoon/{oakley.c,oakley.h}: Fix weak authentication
2004-10-21 Michal Ludvig <mludvig@suse.cz>
From Emmanuel Dreyfus:
* src/racoon/{isakmp_frag.c,isakmp_frag.h}: New files.
* src/racoon/isakmp_cfg.c: Fix endianness.
2004-10-20 Michal Ludvig <mludvig@suse.cz>
From Emmanuel Dreyfus:
* src/racoon/{cfparse.y,cftoken.l,handler.c},
src/racoon/{isakmp_cfg.c,isakmp_cfg.h,isakmp_xauth.c},
src/racoon/racoon.conf.5: RADIUS IP addresses allocation
and RADIUS accounting.
src/racoon/{Makefile.am,handler.h,isakmp.c,isakmp.h},
src/racoon/{isakmp_agg.c,isakmp_base.c,isakmp_inf.c},
src/racoon/{vendorid.c,vendorid.h}: IKE Fragmentation patch.
2004-10-08 Michal Ludvig <mludvig@suse.cz>
* src/racoon/isakmp_cfg.c: Fixes from Emmanuel Dreyfus.
2004-10-06 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/remoteconf.c: dupidvl(), dupetypes() - new functions
to duplicate dynamically allocated structures; duprmconf() - call
these functions to produce private copy of inherited id and etype
* src/racoon/remoteconf.c: declaration for dupetypes().
2004-10-04 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/cfparse.y: check inherited_from dereferencing
* src/racoon/crypto_openssl.c: prevent crash on incorrect DNs
2004-09-27 Michal Ludvig <mludvig@suse.cz>
From KOVACS Krisztian <hidden@balabit.hu>:
* src/racoon/sockmisc.c(sendfromto): Set src address.
2004-09-24 Aidas Kasparas <a.kasparas@gmc.lt>
* configure.ac: added check for linux-gnu, as my box reports
* src/racoon/grabmyaddr.c: added missing <linux/types.h> include
2004-09-21 Michal Ludvig <mludvig@suse.cz>
Merged 'autoconf' branch to mainline:
* .cvsignore, ChangeLog, Makefile.am, bootstrap, configure.ac,
src/racoon/.cvsignore, src/racoon/cfparse.y,
src/racoon/crypto_openssl.c, src/racoon/crypto_openssl.h,
src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
src/racoon/isakmp_cfg.c, src/racoon/isakmp_ident.c,
src/racoon/isakmp_unity.c, src/racoon/main.c,
src/racoon/nattraversal.c, src/racoon/oakley.c,
src/racoon/oakley.h, src/racoon/sockmisc.c,
src/racoon/missing/crypto/sha2/sha2.c: Modified (see ChangeLog
in 'autoconf' branch for details).
* acracoon.m4, src/racoon/Makefile.am: New files.
* src/racoon/Makefile.in, src/racoon/aclocal.m4,
src/racoon/client-puzzle.c, src/racoon/config.guess,
src/racoon/config.sub, src/racoon/configure.in,
src/racoon/install-sh, src/racoon/doc/SantaBarbara-result.jp,
src/racoon/doc/helsinki-result.jp, src/racoon/doc/ibm-result.jp,
src/racoon/doc/pattern, src/racoon/doc/question,
src/racoon/doc/racoonquestion.sh, src/racoon/doc/redmond.txt,
src/racoon/doc/rules.jp, src/racoon/doc/sandiego-result.en,
src/racoon/doc/sandiego-result.jp,
src/racoon/doc/sandiego0009-result.en,
src/racoon/missing/addrinfo.h, src/racoon/missing/getaddrinfo.c,
src/racoon/missing/getnameinfo.c, src/racoon/samples/Makefile,
src/racoon/samples/sandiego.pl: Removed.
2004-09-17 Michal Ludvig <mludvig@suse.cz>
* src/racoon/vendorid.[ch]: Rewrote the VendorID handling.
We don't use the array with fixed offsets anymore, instead
a generally unordered structure with ID, string and
precomputed MD5 hashes.
* src/racoon/{isakmp_agg.c,isakmp_base.c,isakmp_ident.c},
src/racoon/nattraversal.c: Updated to the new VID model.
* src/racoon/main.c(main): Precompute VendorIDs.
* src/racoon/arc4random.h, src/racoon/missing/arc4random.c:
Files removed. Function arc4random() renamed to eay_random()
and moved to crypto_openssl.c.
* src/racoon/pfkey.c, src/racoon/oakley.c, src/racoon/main.c,
src/racoon/isakmp.c: Updated to the above change.
* src/racoon/Makefile.in, src/racoon/configure.in: Remove
arc4random() from building.
* src/racoon/crypto_openssl.[ch](eay_random): New function.
* src/racoon/isakmp_cfg.c, src/racoon/isakmp_unity.c,
src/racoon/isakmp_xauth.c: Cleaned up headers.
2004-09-16 Michal Ludvig <mludvig@suse.cz>
* src/racoon/crypto_openssl.c (base64_encode): Terminate
the result with '\0'.
2004-09-15 Michal Ludvig <mludvig@suse.cz>
* configure.ac: How about calling the next version 0.5?
* src/include-glibc/glibc-bugs.h: Define _XOPEN_SOURCE
_BSD_SOURCE and don't require <linux/types.h>
* src/racoon/isakmp_cfg.c, src/racoon/isakmp_unity.c,
src/racoon/isakmp_xauth.c: Don't include <netkey/key_var.h>
* src/racoon/Makefile.in: Add new files to distribution.
* src/racoon/configure.in: Fix linux kernel NATT detection.
* src/setkey/parse.y: Fix types.
* src/racoon/backupsa.c, src/racoon/ipsec_doi.c,
src/racoon/isakmp_inf.c, src/racoon/isakmp_quick.c,
src/racoon/pfkey.c, src/racoon/remoteconf.c,
src/racoon/session.c, src/racoon/sockmisc.c: Fix headers
ordering, use HAVE_NETINET6_IPSEC.
* src/racoon/isakmp_cfg.c: Use %z for size_t.
* src/racoon/configure.in: Clean up IPv6 stack check.
2004-09-15 Michal Ludvig <mludvig@suse.cz>
Merged "Hybrid XAUTH" support from Emmanuel Dreyfus:
* src/racoon/isakmp_cfg.h, src/racoon/isakmp_cfg.c,
src/racoon/isakmp_unity.c, src/racoon/isakmp_unity.h,
src/racoon/isakmp_xauth.c, src/racoon/isakmp_xauth.h,
src/racoon/samples/racoon.conf.sample-cvpn: New files.
* src/racoon/algorithm.c, src/racoon/algorithm.h,
src/racoon/cfparse.y, src/racoon/cftoken.l,
src/racoon/handler.c, src/racoon/handler.h,
src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
src/racoon/isakmp.h, src/racoon/isakmp_agg.c,
src/racoon/isakmp_inf.c, src/racoon/oakley.c,
src/racoon/oakley.h, src/racoon/strnames.c,
src/racoon/vendorid.c, src/racoon/vendorid.h: Added
code for XAUTH support.
* src/racoon/racoon.conf.5: Documentation for XAUTH.
* src/racoon/isakmp_base.c, src/racoon/isakmp_ident.c,
src/racoon/nattraversal.c: Added NATT VID "02\n"
* src/racoon/configure.in: New config option --enable-hybrid
2004-09-14 Michal Ludvig <mludvig@suse.cz>
* configure.ac: Preset CFLAGS
* src/racoon/configure.in: Preset LDFLAGS instead of CFLAGS on NetBSD,
Check if printf() accepts "%z" modifiers.
* src/racoon/isakmp_agg.c(agg_i1send): Place #endif correctly.
* src/setkey/parse.y(fix_portstr): Init 'p2'.
* src/setkey/setkey.c: Add required prototypes.
2004-09-14 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/gssapi.c: sa_len -> sysdep_sa_len. Patch by Andreas.
2004-09-14 Michal Ludvig <mludvig@suse.cz>
* src/racoon/configure.in: Check for NetBSD NAT-T kernel support.
2004-09-13 Michal Ludvig <mludvig@suse.cz>
* src/racoon/configure.in: Check for <openssl/engine.h>
* src/racoon/crypto_openssl.c: Only use OpenSSL engines if available.
* src/racoon/plainrsa-gen.c: Ditto.
2004-09-13 Michal Ludvig <mludvig@suse.cz>
NetBSD fixes from Emmanuel Dreyfus <manu@netbsd.org>:
* Makefile.am: build in rpm/ only on Linux
* configure.ac: Check for netinet6/ipsec.h instead of netinet/ipsec.h
* src/Makefile.am: Build include-glibc only on Linux
* src/libipsec/{ipsec_dump_policy.c,ipsec_get_policylen.c,
ipsec_strerror.c,key_debug.c,pfkey.c,pfkey_dump.c,
policy_parse.y,policy_token.l,test-policy-priority.c},
src/racoon/{cfparse.y,cftoken.l,grabmyaddr.c,isakmp.c,
nattraversal.c,pfkey.c,plainrsa-gen.c,policy.c,
proposal.c,sainfo.c,schedule.c,strnames.c},
src/setkey/{parse.y,setkey.c,token.l}: Fix headers and some
* src/racoon/sockmisc.c(sendfromto): Wrap for Linux only.
* src/racoon/configure.in: Check for kernel NAT-T support,
fix libipsec.a linkage path.
* src/racoon/eaytest.c(certtest): Use %z for size_t.
2004-09-12 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/grabmyaddr.c: improved socket selection algorithm for
case when link-local addresses come w/o sin6_scope_id set.
2004-09-07 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/session.c: fix for SIGHUP handler for case when config
file contains listen directives.
2004-09-01 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/grabmyaddr.c: added scope id handling for link-local
IPv6 addresses. Now racoon will not err on such addresses.
2004-08-19 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/crypto_openssl.c: hmac memory leak fix by R. Ganesan
* src/racoon/eaytest.c: eay_init_error() -> eay_init() due to
2004-06-01 changes in src/racoon/crypto_openssl.c
2004-08-15 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/cfparse.y src/racoon/crypto_openssl.c
src/racoon/eaytest.c src/racoon/genlist.h src/racoon/ipsec_doi.c
src/racoon/racoon.conf.5 src/racoon/remoteconf.c
src/racoon/remoteconf.h: peers_identifier wildcard and
list patch by James Matheson
---------------------------------------------
2004-08-09 Michal Ludvig <mludvig@suse.cz>
* NEWS: Notes for release 0.4rc1
* configure.ac: Bump up version to 0.4rc1
2004-07-12 Michal Ludvig <mludvig@suse.cz>
See ChangeLog.prsa from the 'plainrsa' branch for details.
* src/racoon/stringlist.c src/racoon/stringlist.h: Removed.
* src/racoon/genlist.c src/racoon/genlist.h
src/racoon/plainrsa-gen.8 src/racoon/plainrsa-gen.c
src/racoon/prsa_par.y src/racoon/prsa_tok.l
src/racoon/rsalist.c src/racoon/rsalist.h
src/racoon/samples/racoon.conf.sample-plainrsa: New files.
* src/racoon/Makefile.in src/racoon/configure.in
src/racoon/cfparse.y src/racoon/cftoken.l
src/racoon/crypto_openssl.c src/racoon/crypto_openssl.h
src/racoon/handler.h src/racoon/ipsec_doi.c
src/racoon/ipsec_doi.h src/racoon/isakmp.h src/racoon/main.c
src/racoon/oakley.c src/racoon/plog.c src/racoon/remoteconf.c
src/racoon/remoteconf.h src/racoon/sockmisc.c
src/racoon/sockmisc.h src/racoon/eaytest.c: Updated.
2004-07-12 Michal Ludvig <mludvig@suse.cz>
* src/racoon/main.c, src/racoon/eaytest.c, src/racoon/plog.c: Move
f_foreground to plog.c.
* src/racoon/proposal.c (cmpsaprop_alloc): Fix printing of encmode
* src/racoon/ipsec_doi.c, src/racoon/isakmp.c, src/racoon/isakmp_quick.c,
src/racoon/oakley.c: Fix typos, newlines and printf() format strings.
2004-06-16 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/crypto_openssl.c (eay_get_x509cert): small memory
leak fix. Noticed B.Buesker, patch L.Stellingwerff
* src/racoon/crypto_openssl.c (eay_aes_{en|de}crypt, evp_crypt):
small memory leaks fixed.
2004-06-15 Aidas Kasparas <a.kasparas@gmc.lt>
* src/racoon/crypto_openssl.[ch] (cb_check_cert_local,
cb_check_cert_remote): split cb_check_cert() due to stricter
requirements for certificates received from network.
* src/racoon/crypto_openssl.[ch] (eay_check_x509cert): new parameter
local to specify how strict cert check should be
* src/racoon/oakley.c, src/racoon/eaytest.c: adjust to use above
2004-06-11 Michal Ludvig <mludvig@suse.cz>
* src/racoon/nattraversal.c (natt_vendorid, natt_fill_options): Support
for all known NAT-T versions.
2004-06-08 Michal Ludvig <mludvig@suse.cz>
* src/racoon/stringlist.c, src/racoon/stringlist.h: New files.
* src/racoon/Makefile.in: Compile stringlist.o.
2004-06-07 Michal Ludvig <mludvig@suse.cz>
* configure.ac: Set version to 'cvs'.
* src/{racoon,setkey,libipsec}/*.h: Wrap headers between
#ifndef/#define/#endif to allow multiple inclusions of the
* plog.h (plog): Attribute __printf__ for automatic checking
of the parameters' validity.
* cftoken.l, crypto_openssl.c, grabmyaddr.c, ipsec_doi.c,
isakmp.c, isakmp_quick.c, oakley.c, pfkey.c, proposal.c,
sockmisc.c: Fix warnings/errors in the plog() parameters with
2004-06-05 Aidas Kasparas <a.kasparas@gmc.lt>
* src/setkey/setkey.c: -n (no action) support.
Thanks Thomas Habets.
* src/setkey/setkey.8: Documentation for above.
* src/racoon/doc/README.certificate: updated link to more recent
version of document. Debian bug #252513 by Jose Luis Domingo Lopez
2004-06-01 Michal Ludvig <mludvig@suse.cz>
* src/racoon/algorithm.c: Enable compilation without SHA2 support.
* src/racoon/crypto_openssl.c: Ditto.
2004-06-01 Michal Ludvig <mludvig@suse.cz>
* src/racoon/crypto_openssl.c: Remove unneeded workarounds for older
895 (eay_init): New function.
896 (eay_init_error, eay_check_pkcs7sign): Removed.
897 * src/racoon/crypto_openssl.h: Reflect the above changes.
898 * src/racoon/main.c: Call eay_init() instead of eay_init_error().
900 2004-05-27 Michal Ludvig <mludvig@suse.cz>
902 Support for inheritance of 'remote' statements:
903 * src/racoon/cftoken.l: New keyword 'inherit'.
904 * src/racoon/cfparse.y: Support for 'inherit', remove
905 global 'prhead', use cur_rmconf->prhead instead.
906 * src/racoon/remoteconf.c (rmtree): Changed from
907 LIST queue to TAILQ queue.
908 (getrmconf): Renamed to getrmconf_strict().
909 (copyrmconf, duprmconf)
910 (dump_rmconf_single, dumprmconf): New functions.
912 * src/racoon/remoteconf.h: Prototypes for the above.
913 (struct remoteconf): New fields 'inherited_from' and 'prhead'.
914 * src/racoon/sockmisc.c (saddr2str): Can print anonymous entries.
915 * src/racoon/algorithm.c (alg_oakley_encdef_name)
916 (alg_oakley_hashdef_name, alg_oakley_dhdef_name)
917 (alg_oakley_authdef_name): New functions.
918 * src/racoon/algorithm.h: Prototypes for the above.
919 * src/racoon/strnames.c (num2str): Make extern.
920 (s_doi, s_etype, s_idtype, s_switch): New functions.
921 * src/racoon/strnames.h: Prototypes for the above.
922 * src/racoon/main.c: New parameter -C for dumping the parsed config.
923 * src/racoon/racoon.conf.5: Document inheritance.
924 * src/racoon/samples/racoon.conf.sample-inherit: Sample config file.
925 * src/racoon/Makefile.in: Distribute racoon.conf.sample-inherit
927 2004-05-24 Michal Ludvig <mludvig@suse.cz>
929 * configure.in, backupsa.c, ipsec_doi.c, isakmp_inf.c,
930 isakmp_quick.c, pfkey.c, remoteconf.c, session.c,
931 sockmisc.c: Allow compilation with --disable-ipv6
933 2004-05-21 Michal Ludvig <mludvig@suse.cz>
935 * src/racoon/crypto_openssl.[ch]: Use EVP_*() instead of
936 algorithm specific functions.
938 2004-05-20 Aidas Kasparas <a.kasparas@gmc.lt>
940 Manual page updates. Thanks Brian
941 * src/libipsec/ipsec_set_policy.3
942 * src/setkey/setkey.8
943 * src/libipsec/test-policy-priority.c: new file from policy
944 priority patch, which I forgot to add
946 2004-05-18 Aidas Kasparas <a.kasparas@gmc.lt>
948 Policy priority integer handling fixes by Brian Buesker.
949 * src/libipsec/ipsec_strerror.c
950 * src/libipsec/ipsec_strerror.h
951 * src/libipsec/libpfkey.h
952 * src/libipsec/policy_parse.y
953 * src/libipsec/test-policy-priority.c
954 Manual page corrections by me
955 * src/libipsec/ipsec_set_policy.3
956 * src/setkey/setkey.8
958 2004-05-15 Aidas Kasparas <a.kasparas@gmc.lt>
960 Policy priority support patch from Brian Buesker. Applied as is
961 except src/libipsec/Makefile.am is modified instead of
962 src/libipsec/Makefile.in as found in the patch.
964 2004-05-10 Michal Ludvig <mludvig@suse.cz>
966 From Heiko Hund, approved by the copyright holder:
967 * src/racoon/gssapi.[ch]: Update to 3-clause BSD license.
969 2004-04-27 Michal Ludvig <mludvig@suse.cz>
972 * src/include-glibc/sys/queue.h: Update to 3-clause BSD license.
974 2004-04-26 Aidas Kasparas <a.kasparas@gmc.lt>
976 * src/racoon/grabmyaddr.c (update_myaddrs): Only trust kernel to
977 send notifications about changed interfaces.
979 2004-04-24 Aidas Kasparas <a.kasparas@gmc.lt>
981 * src/racoon/grabmyaddr.c (recvaddrs): Only trust kernel to send
982 information about interfaces. Thanks Steve Grubb and Bill
983 Nottingham. Affects users with glibc w/o getifaddrs(). Users
984 with glibc earlier than 2003-11-14 should upgrade their glibc.
986 2004-04-19 Michal Ludvig <mludvig@suse.cz>
988 * src/racoon/isakmp.c (isakmp_handler): Reject too big
989 packets (CAN-2004-0403).
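The entry above records only that isakmp_handler() now rejects over-sized packets. The following is an added illustration, not racoon's code: it shows the kind of length sanity check a daemon should run on an ISAKMP datagram before any payload parsing. The 28-byte fixed header layout and the length field at offset 24 come from RFC 2408; the function names, the error codes and the EXAMPLE_MAX_MSG cap are assumptions for this example, since the ChangeLog does not state racoon's actual limit.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Fixed ISAKMP header (RFC 2408, section 3.1): two 8-byte cookies,
 * next payload, version, exchange type, flags, message ID, length. */
#define ISAKMP_HDR_LEN 28
#define ISAKMP_LEN_OFFSET 24

/* Assumed receive-buffer cap for this example only; racoon's real
 * limit is not given in the ChangeLog entry. */
#define EXAMPLE_MAX_MSG 8192

enum isakmp_len_check {
    ISAKMP_OK = 0,
    ISAKMP_ERR_SHORT,      /* datagram shorter than the fixed header */
    ISAKMP_ERR_LEN_SHORT,  /* length field claims less than the header */
    ISAKMP_ERR_TOO_BIG,    /* length field exceeds our buffer cap */
    ISAKMP_ERR_TRUNCATED   /* length field exceeds what was received */
};

/* Validate the length field of a received ISAKMP datagram before any
 * payload walker trusts it. `received` is the size reported by
 * recvfrom(); `cap` is the largest message we are willing to process. */
int isakmp_check_length(const uint8_t *pkt, size_t received, size_t cap)
{
    uint32_t hdr_len;

    if (received < ISAKMP_HDR_LEN)
        return ISAKMP_ERR_SHORT;
    /* memcpy: the receive buffer is not guaranteed to be 4-byte aligned. */
    memcpy(&hdr_len, pkt + ISAKMP_LEN_OFFSET, sizeof hdr_len);
    hdr_len = ntohl(hdr_len);
    if (hdr_len < ISAKMP_HDR_LEN)
        return ISAKMP_ERR_LEN_SHORT;
    if (hdr_len > cap)
        return ISAKMP_ERR_TOO_BIG;
    if (hdr_len > received)
        return ISAKMP_ERR_TRUNCATED;
    return ISAKMP_OK;
}

/* Build a constructed header with dummy cookies and the given length
 * field. Used only to exercise the check above. */
void build_isakmp_hdr(uint8_t buf[ISAKMP_HDR_LEN], uint32_t claimed_len)
{
    uint32_t be_len = htonl(claimed_len);

    memset(buf, 0, ISAKMP_HDR_LEN);
    memset(buf, 0xA5, 8);          /* initiator cookie (constructed) */
    memset(buf + 8, 0x5A, 8);      /* responder cookie (constructed) */
    buf[16] = 1;                   /* next payload: SA */
    buf[17] = 0x10;                /* major version 1, minor 0 */
    buf[18] = 2;                   /* exchange type: identity protection */
    buf[19] = 0;                   /* flags */
    memcpy(buf + ISAKMP_LEN_OFFSET, &be_len, sizeof be_len);
}

/* Wrapper: build a header claiming `claimed_len` bytes, pretend that
 * `received` bytes arrived, and run the check. The check only reads
 * the fixed header, so a `received` larger than the buffer is safe. */
int check_case(uint32_t claimed_len, size_t received, size_t cap)
{
    uint8_t buf[ISAKMP_HDR_LEN];

    build_isakmp_hdr(buf, claimed_len);
    return isakmp_check_length(buf, received, cap);
}

int main(void)
{
    printf("well-formed: %d\n",
           check_case(ISAKMP_HDR_LEN, ISAKMP_HDR_LEN, EXAMPLE_MAX_MSG));
    printf("oversized:   %d\n",
           check_case(0xFFFFFFFFu, ISAKMP_HDR_LEN, EXAMPLE_MAX_MSG));
    return 0;
}
```

The order of the checks matters: the cap is compared before the received size so that an absurd length field is classified as "too big" regardless of how much data actually arrived, and nothing downstream ever computes a payload pointer from an unchecked 32-bit length.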
991 ---------------------------------------------
995 2004-04-14 Michal Ludvig <mludvig@suse.cz>
997 * NEWS: Notes for release 0.3
998 * configure.ac: Bump up version to 0.3
999 * src/racoon/Makefile.in: Use install-sh instead of mkinstalldirs.
1000 * src/racoon/remoteconf.c (foreachrmconf): Avoid warning about
1001 uninitialised variable.
1002 * src/racoon/samples/racoon.conf.in: Cleaned up to work with Linux
1005 2004-04-13 Michal Ludvig <mludvig@suse.cz>
1007 * src/racoon/grabmyaddr.c (suitable_ifaddr6): Anycast addresses are
1010 2004-04-09 Michal Ludvig <mludvig@suse.cz>
1012 * src/racoon/crypto_openssl.c (cb_check_cert): Warn if no CRL is found.
1013 * src/racoon/isakmp_ident.c (ident_r2recv): Removed debug plog().
1014 * src/racoon/proposal.c (cmpsatrns): Downgrade severity of trns_id
1015 mismatch to LLV_WARNING.
1016 * src/libipsec/pfkey_dump.c, src/racoon/algorithm.c
1017 src/racoon/algorithm.h src/racoon/cftoken.l
1018 src/racoon/ipsec_doi.c src/racoon/ipsec_doi.h
1019 src/racoon/oakley.h src/racoon/pfkey.c src/racoon/strnames.c
1020 src/setkey/token.l: Renamed Rijndael to AES.
1021 * src/setkey/token.l: Recognize exit/quit/bye tokens.
1022 * src/setkey/parse.y (exit_command): New.
1023 * src/setkey/setkey.c (stdin_loop): Exit when exit_now is set
1026 2004-04-08 Michal Ludvig <mludvig@suse.cz>
1028 * src/setkey/setkey.c (main): Call get_supported() in interactive mode.
1029 (stdin_loop): Concat multiline input into a single line before parsing.
1031 2004-04-07 Michal Ludvig <mludvig@suse.cz>
1033 * src/racoon/nattraversal.c (natt_keepalive_send): Log sending KA
1034 with level DEBUG. Having it with level INFO only pollutes logfiles.
1036 2004-04-06 Michal Ludvig <mludvig@suse.cz>
1038 * src/racoon/Makefile.in: eaytest now links plog.o
1039 * src/racoon/crypto_openssl.c: Remove all #ifdef EAYDEBUG/#endif
1041 * src/racoon/eaytest.c (rsatest): Enabled RSA tests again, now
1042 verifying both good and bad signatures.
1044 ---------------------------------------------
1048 2004-04-05 Michal Ludvig <mludvig@suse.cz>
1050 * NEWS: Notes for release 0.3rc5
1051 * configure.ac: Bump up version to 0.3rc5
1053 2004-04-05 Michal Ludvig <mludvig@suse.cz>
1055 Fix for a security bug found by Ralf Spenneberg:
1056 * src/racoon/crypto_openssl.c (eay_check_x509sign): Directly generate
1057 'evp' instead of 'pubkey'.
1058 (eay_rsa_sign): Use the above.
1059 * src/racoon/crypto_openssl.h: Update prototypes for the above.
1060 * src/racoon/eaytest.c: Disabled RSA tests because of the API change.
1062 2004-04-05 Michal Ludvig <mludvig@suse.cz>
1064 * src/racoon/pfkey.c (pfkey_handler): Safety check before accessing
1065 the array (thx to Ren.J.Y for report).
1066 (pkrecvf): Added entry for SADB_X_NAT_T_NEW_MAPPING (NULL for now).
1067 * src/racoon/strnames.c (name_pfkey_type): Ditto.
1069 2004-04-02 Michal Ludvig <mludvig@suse.cz>
1071 * src/racoon/eaytest.c (ciphertest_1): Correct padlen.
1073 2004-04-01 Michal Ludvig <mludvig@suse.cz>
1075 * src/racoon/ipsec_doi.c (setph2proposal0): Move proposal encmode
1076 update from here ...
1077 (ipsecdoi_setph2proposal): ... to here. Hopefully this is a
1078 better place to do the update.
1080 2004-03-30 Michal Ludvig <mludvig@suse.cz>
1082 * src/racoon/crypto_openssl.c (eay_3des_expand_key): New function.
1083 (eay_3des_encrypt, eay_3des_decrypt): Expand key if necessary.
1084 * src/racoon/eaytest.c (ciphertest_1): New function.
1085 (ciphertest): Simplified to simple calls of ciphertest_1().
1087 2004-03-29 Michal Ludvig <mludvig@suse.cz>
1089 * README: Rewritten. Mentioned where to report bugs.
1091 2004-03-26 Michal Ludvig <mludvig@suse.cz>
1093 * configure.ac: Check for readline.h and libreadline.
1094 * src/setkey/setkey.c: Call stdin_loop() when '-c' was given.
1095 (stdin_loop): Read user input and parse it line-by-line.
1096 * src/setkey/token.l (parse_string): New function.
1098 ---------------------------------------------
1102 2004-03-25 Michal Ludvig <mludvig@suse.cz>
1104 * configure.ac: Bump up version to 0.3rc4
1105 * NEWS: Notes for release 0.3rc4
1106 * src/racoon/cfparse.y (algorithm): Hint about missing module.
1107 * src/racoon/crypto_openssl.c (eay_3des_*): Check for strict key
1108 length only with old API.
1109 (eay_des_encrypt): Ditto.
1110 * src/racoon/eaytest.c: Make the testsuite useful, i.e. exit with
1111 non-zero error code if any of the tests fail.
1112 (main): Print banner with version.
1113 * src/racoon/Makefile.in: Run eaytest in 'make check'.
1115 2004-03-23 Michal Ludvig <mludvig@suse.cz>
1117 * src/racoon/isakmp_agg.c (agg_i2recv): Copy remote cookie before
1118 comparing NAT-D payloads. (thx to Gaurav Kansal for report).
1119 * src/racoon/crypto_openssl.c: Avoid type-punned warnings.
1120 * src/racoon/eaytest.c: Disable 'cert' tests.
1121 * src/racoon/crypto_openssl.c (eay_des_encrypt): No need to check
1123 (eay_aes_encrypt): Keylength is in bits, not bytes.
1125 2004-03-22 Michal Ludvig <mludvig@suse.cz>
1127 * src/setkey/parse.y (ALG_ENC_NOKEY, ALG_ENC_OLD): Use "" for key
1128 instead of NULL and check for availability.
1130 ---------------------------------------------
1134 2004-03-19 Michal Ludvig <mludvig@suse.cz>
1136 * configure.ac: Bump up version to 0.3rc3
1137 * NEWS: Notes for release 0.3rc3
1138 * src/racoon/cftoken.l: Add 'null' as an alias for 'null_enc'.
1139 * src/racoon/proposal.c (cmpsatrns): New parameter proto_id,
1140 better diagnostic output when trns_id don't match.
1141 * src/racoon/proposal.h (cmpsatrns): Update prototype.
1142 * src/setkey/setkey.c: Change option -h to -H (for hexdump), new
1143 options -h (help) and -V (version).
1144 * src/setkey/setkey.8: Document the above changes.
1145 * src/racoon/rfc/*: Many standards related to IPsec/IKE/NAT-T/...
1147 2004-03-15 Michal Ludvig <mludvig@suse.cz>
1149 * src/racoon/configure.in: Prevent compilation error with
1152 ---------------------------------------------
1156 2004-03-11 Michal Ludvig <mludvig@suse.cz>
1158 * configure.ac: Bump up version to 0.3rc2
1159 * NEWS: Notes for release 0.3rc2
1160 * src/racoon/aclocal.m4 (RACOON_CHECK_VA_COPY): New test.
1161 * src/racoon/configure.in: Call RACOON_CHECK_VA_COPY
1162 * src/racoon/plog.c (plogv): Replace va_copy() with VA_COPY.
1163 * src/racoon/racoon.conf.5: Note that NAT-T support is a compile
1166 2004-03-10 Michal Ludvig <mludvig@suse.cz>
1168 * src/racoon/racoon.conf.5: Document nat_traversal option.
1169 * src/racoon/racoon.8: Document new options (-L and -P).
1171 2004-03-09 Michal Ludvig <mludvig@suse.cz>
1173 * src/racoon/grabmyaddr.c (autoconf_myaddrsport): Prepare addrs for
1174 UDP-Encap ports if NAT-T is enabled.
1175 (dupmyaddr): New function.
1176 * src/racoon/grabmyaddr.h: Prototype for dupmyaddr().
1177 * src/racoon/isakmp.c (isakmp_open): Complain if NAT-T is enabled, but
1178 no port for UDP-Encap was open.
1179 * src/racoon/isakmp_var.h (PORT_ISAKMP_NATT): New define.
1180 * src/racoon/localconf.c, src/racoon/localconf.h: Define and setup
1181 lcconf->port_isakmp_natt.
1182 * src/racoon/main.c (main): Print nicer banner,
1183 (usage): Document new options (-L and -P).
1184 (parse): Recognise the above.
1185 * src/racoon/nattraversal.c (natt_fill_options): Don't use hardcoded
1186 constants for float_port.
1187 (natt_enabled_in_rmconf, natt_enabled_in_rmconf_stub): New functions.
1188 * src/racoon/nattraversal.h: Prototype for natt_enabled_in_rmconf().
1189 * src/racoon/plog.c: Don't print source:line:function by default.
1190 * src/racoon/remoteconf.c (foreachrmconf): New helper function.
1191 * src/racoon/remoteconf.h: Prototype for the above.
1192 * package_version.h: Define strings for use in banners.
1193 * configure.ac: Fill up the above header.
1195 2004-03-09 Michal Ludvig <mludvig@suse.cz>
1197 * src/racoon/configure.in: Don't put -O into OPTFLAGS,
1198 add new option --disable-natt.
1199 * src/racoon/cfparse.y, src/racoon/handler.c,
1200 src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
1201 src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
1202 src/racoon/isakmp_ident.c, src/racoon/pfkey.c,
1203 src/racoon/proposal.c, src/racoon/session.c: Replace WITH_NATT
1205 * src/racoon/crypto_openssl.c: Replace %d with %zd for size_t arguments.
1207 2004-03-06 Aidas Kasparas <a.kasparas@gmc.lt>
1209 * configure.ac: Refuse to continue if lexer library (yywrap()
1210 function) is missing. Should prevent bugs like #892067, #908758
1211 * src/racoon/configure.in: renamed --with-ssleay to --with-openssl.
1212 Users should not be given false idea that they require both OpenSSL
1213 and SSLeay to compile racoon. (See bug #902197)
1215 ---------------------------------------------
1219 2004-03-04 Michal Ludvig <mludvig@suse.cz>
1221 * configure.ac: Bump up version to 0.3rc1
1222 * NEWS: Mention release 0.3rc1 (and copy 0.2.3 and 0.2.4 notes
1224 * src/racoon/samples/racoon.conf.sample-natt: New sample config file.
1225 * src/racoon/Makefile.in: Tweak file lists to make 'distcheck' happy,
1226 enabled NATT by default (will become a config option later).
1228 2004-03-04 Michal Ludvig <mludvig@suse.cz>
1230 Merge with 'nat-t_branch' to bring NAT-T (NAT traversal) support
1232 * src/racoon/Makefile.in, src/racoon/cfparse.y,
1233 src/racoon/cftoken.l, src/racoon/grabmyaddr.c,
1234 src/racoon/grabmyaddr.h, src/racoon/handler.c,
1235 src/racoon/handler.h, src/racoon/ipsec_doi.c,
1236 src/racoon/ipsec_doi.h, src/racoon/isakmp.c, src/racoon/isakmp.h,
1237 src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
1238 src/racoon/isakmp_ident.c, src/racoon/isakmp_quick.c,
1239 src/racoon/localconf.c, src/racoon/localconf.h,
1240 src/racoon/pfkey.c, src/racoon/proposal.c, src/racoon/proposal.h,
1241 src/racoon/racoon.conf.5, src/racoon/remoteconf.c,
1242 src/racoon/remoteconf.h, src/racoon/session.c,
1243 src/racoon/strnames.c, src/racoon/vendorid.h
1244 src/libipsec/pfkey.c,
1245 src/racoon/nattraversal.c, src/racoon/nattraversal.h,
1246 src/racoon/sockmisc.c: Affected files.
1248 2004-02-27 Michal Ludvig <mludvig@suse.cz>
1250 * src/racoon/isakmp.c (set_isakmp_header1): Renamed from
1251 set_isakmp_header().
1252 (set_isakmp_header): New function common for set_isakmp_header1()
1253 and set_isakmp_header2().
1254 (copy_ph1addresses): Obey original port.
1255 (isakmp_plist_append, isakmp_plist_set_all): New helper functions.
1256 * src/racoon/isakmp_var.h: Prototypes for the above.
1257 * src/racoon/isakmp.h (struct payload_list): New structure.
1258 * src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
1259 src/racoon/isakmp_ident.c: Use isakmp_plist_* functions.
1261 2004-02-03 Michal Ludvig <mludvig@suse.cz>
1263 * src/racoon/Makefile.in: Fix install to $(sbindir)
1264 * src/setkey/parse.y: Avoid GCC 3.3 warning (type-punned pointer).
1266 2004-01-19 Michal Ludvig <mludvig@suse.cz>
1268 * rpm/ipsec-tools.FC1: Startup script for Fedora Core 1
1269 (thanks to Kimmo Koivisto <kimmo.koivisto@surfeu.fi>)
1271 2004-01-17 Aidas Kasparas <a.kasparas@gmc.lt>
1273 * src/racoon/isakmp_inf.c: endian mismatch fix. From iij seil team
1275 2004-01-15 Michal Ludvig <mludvig@suse.cz>
1277 * src/racoon/isakmp_inf.c: Prevent unauthorized deletion of SA
1278 (reported on bugtraq, fixed by iij seil team).
1279 * src/racoon/isakmp.c: Don't try to bind to IPv6 multicast addresses.
1281 2004-01-14 Michal Ludvig <mludvig@suse.cz>
1283 * src/racoon/plog.c: Fix segfault on AMD64 (va_list can be used
1285 * configure.ac: Don't build shared libipsec by default (can be
1286 enabled by --enable-shared).
1287 * bootstrap: Don't run automake for racoon.
1289 2004-01-12 Michal Ludvig <mludvig@suse.cz>
1291 * src/racoon/configure.in: Fix AC_DEFINEs to make autoheader happy,
1292 use config.h for defines instead of -DHAVE_* gcc options,
1293 fix CRYPTOBJS to include missing rijndael libraries only once,
1294 checking for AES support in OpenSSL now (hopefully) finally
1295 works on both OpenSSL 0.9.6 and 0.9.7.
1296 * src/racoon/*.[cyl]: Include autogenerated "config.h"
1297 * src/racoon/missing/crypto/*/*.c: Ditto.
1298 * src/racoon/.cvsignore: Add config.h, config.h.in
1300 2004-01-09 Michal Ludvig <mludvig@suse.cz>
1302 * src/racoon/.cvsignore: Add "autom4te.cache" and "configure".
1304 2004-01-09 Aidas Kasparas <a.kasparas@gmc.lt>
1306 Sync with KAME 2004-01-07
1307 * src/libipsec/pfkey.c: memory leak fix; comment typo fixes
1308 * src/libipsec/{pfkey.c,pfkey_dump.c}: allow compilation even if
1309 no SADB_X_EXT_TAG is defined
1310 * src/libipsec/pfkey_dump.c: information about algorithms
1311 ripemd160, aes-xcbc, aes-ctr; bigger buffers; <tag> support
1312 * src/libipsec/policy_parse.y: memory leak
1313 * src/libipsec/policy_token.l: memory leak
1314 * src/libipsec/test-policy.c: unneeded \n removed
1315 * src/racoon/Makefile.in: $(sbindir) support
1316 * src/racoon/admin.c: interface changes due to proxy support
1317 * src/racoon/algorithm.c: SHA2 #ifdefs
1318 * src/racoon/{cfparse.y,cftoken.l}: license text added
1319 * src/racoon/cfparse.y: mip6 obsoleted by proxy support
1320 * src/racoon/cfparse.y: from directive support; new algorithms
1321 * src/racoon/cftoken.l: support for globbing of include files
1322 * src/racoon/configure.in: more verbose information about problems
1324 * src/racoon/crypto_openssl.c: use new DES API if supported; algorithm
1326 * src/racoon/eaytest.c: SHA2 #ifdefs; keysize len check
1327 * src/racoon/ipsec_doi.c: use VPTRINIT; ESP parameter validity checks;
1329 * src/racoon/isakmp.c: use VPTRINIT; interface changes due to
1331 * src/racoon/isakmp_inf.c: use VPTRINIT
1332 * src/racoon/isakmp_quick.c: mip6->proxy
1333 * src/racoon/kmpstat.c: unused variables removed
1334 * src/racoon/pfkey.c: mip6->proxy; schedule leak
1335 * src/racoon/proposal.c: style
1336 * src/racoon/remoteconf.c: mip6->proxy
1337 * src/racoon/sainfo.c: from directive support
1338 * src/racoon/sockmisc.c: side correction; addrinfo leak
1339 * src/racoon/strnames.c: typo in descriptions; wrong upper bound check
1340 * src/racoon/missing/crypto/sha2/sha2.c: wrong size
1341 * src/setkey/parse.y: extra algorithms; tagged; not needed periods
1342 removed; memory shortage checks
1343 * src/setkey/setkey.8: typos; tagged; new algorithms
1344 * src/setkey/setkey.c: standard argument names for main(); hexdump
1345 support; info in file support
1346 * src/setkey/token.l: new algorithms; memory shortage checks
1347 Parts not taken from KAME:
1351 2004-01-08 Michal Ludvig <mludvig@suse.cz>
1353 * src/racoon/config.{sub,guess}: Update from automake 1.7.
1355 2004-01-08 Michal Ludvig <mludvig@suse.cz>
1357 Patch from Kostadin Karaivanov <larry@minfin.bg>:
1358 * src/racoon/configure.in: Check for openssl/aes.h.
1359 * src/racoon/crypto_openssl.c: Use OpenSSL AES functions if available.
1361 2004-01-08 Michal Ludvig <mludvig@suse.cz>
1363 * src/racoon/configure: Remove, should be regenerated by bootstrap.
1365 2004-01-02 Michal Ludvig <michal@logix.cz>
1367 * src/racoon/crypto_openssl.c: Update to work with OpenSSL 0.9.7
1368 (by Brian Buesker <bbuesker@qualcomm.com>
1369 and Christophe Saout <christophe@saout.de>)
1370 * src/racoon/proposal.c: Be more verbose. (Michal Ludvig)
1371 * src/libipsec/ipsec_dump_policy.c: Dump FWD policies correctly
1373 * src/setkey/token.l, src/setkey/parse.y: Add support for lifetime
1374 specified in bytes (by Michal Ludvig).
1375 * src/setkey/setkey.8: Document -bh/-bs options for the above feature.
1376 * src/libipsec/pfkey.c: Don't include 'sadb_key' in SADB_UPDATE
1377 message for IPcomp SA. (by Brian Buesker <bbuesker@qualcomm.com>)
1378 * src/racoon/cfparse.y: Flush SA on SIGHUP
1379 (by Brian Buesker <bbuesker@qualcomm.com>)
1380 * src/racoon/pfkey.c: IPcomp fixes
1381 (by Brian Buesker <bbuesker@qualcomm.com>)
1382 * src/racoon/proposal.c: Fix typo lifebyte -> lifetime.
1383 * src/racoon/grabmyaddr.c: Prevent segfault if getifaddrs() returns
1384 an entry with NULL ifa_addr (Michal Ludvig).
1385 * configure.ac: Change path to kernel headers
1386 from /usr/src/devel-2.5/devel to /usr/src/linux
1387 * bootstrap: Use default tools, reconfigure src/racoon
1388 * src/racoon/configure.in: Change LIBOBJS -> AC_LIBOBJ,
1389 changed comments from 'dnl' to '#'.
1391 2003-06-20 Derek Atkins <derek@ihtfp.com>
1393 * src/racoon/aclocal.m4:
1394 * src/racoon/configure:
1395 Don't execute "for i in $3" if "$3" doesn't exist.
1398 2003-03-31 Derek Atkins <derek@ihtfp.com>
1400 * src/setkey/parse.y: change the NAT-T Type to use UDP_ENCAP_ESPINUDP
1401 (which is value '2')
1403 2003-03-27 Derek Atkins <derek@ihtfp.com>
1405 * src/libipsec/key_debug.c: use ntohs() before printing port
1406 * src/libipsec/pfkey.c: convert port# to network byte order
1407 * src/libipsec/pfkey_dump.c: use ntohs() before printing ports
1408 * src/setkey/parse.y: convert port#'s to network byte order
1410 2003-03-24 Derek Atkins <derek@ihtfp.com>
1412 * src/libipsec/pfkey.c: Don't switch off NAT-T extensions
1413 if they don't exist in the kernel.
1415 * src/racoon/sockmisc.c: use '34' for IPV6_IPSEC_POLICY,
1416 as per Tom Lendacky <toml@us.ibm.com>. Also move the
1417 setting of IPV6_IPSEC_POLICY to the top of the file.
1419 2003-03-13 Derek Atkins <derek@ihtfp.com>
1421 Add initial support for NAT-T PFKey Extensions:
1422 * src/libipsec/key_debug.c: add support to print information
1423 about NAT-T extension packets.
1424 * src/libipsec/libpfkey.h: add two new APIs to support NAT-T
1425 for add and update as part of the SADB.
1426 * src/libipsec/pfkey.c:
1427 - Implement extended APIs to support NAT-T for add and update
1429 - Add APIs to fill a buffer with NAT-T packet types
1430 * src/libipsec/pfkey_dump.c: Extend the SADB output to include
1431 PFKey packets. Put port numbers with the source and dest
1432 addresses, add an 'esp-udp' SA-type, and add a printout for
1434 * src/setkey/parse.y:
1435 - Extend setkey to create an ESP-UDP SA.
1436 - default UDP port is 4500
1437 - extend 'add' to allow <ip-addr>[<portnum>] for source and dest
1438 (the portnum specification requires the [] characters)
1439 - add an ESPUDP "protocol" from the lexer. This will use
1440 ESP and allow an optional Original Address setting.
1441 - add a function to get a udp port from a struct sockaddr *
1442 - pass the NAT-T extensions into PFKey
1443 * src/setkey/token.l: add "esp-udp" token
1445 * rpm/ipsec-tools.spec.in: Bill Nottingham's SPEC-file patch:
1446 This switches it to use %{_lib} (for /lib64 systems such as
1447 x86-64 and s390x), and has it own the /etc/racoon directory in
1448 the package as well.
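The 2003-03-13 entries above describe the setkey syntax for ESP-UDP endpoints (`<ip-addr>[<portnum>]`, brackets required, default port 4500) and the accompanying fixes that convert ports to network byte order before handing them to PF_KEY and apply ntohs() before printing them. The following is an added example, not ipsec-tools' parser: it parses that endpoint form into a sockaddr with the port stored in network order and reads it back for display. Function names are hypothetical; the IPv6 branch is a generalization the entry does not mention, and 4500 is taken from the entry and RFC 3948.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Default UDP encapsulation port for ESP-in-UDP (RFC 3948). */
#define ESPUDP_DEFAULT_PORT 4500

/* Parse "<ip-addr>" or "<ip-addr>[<port>]" into a sockaddr. The port is
 * stored in network byte order, as the kernel expects in the NAT-T
 * extensions. Returns 0 on success, -1 on a malformed address or port.
 * Hypothetical name; not the setkey grammar action. */
int parse_espudp_endpoint(const char *text, struct sockaddr_storage *out)
{
    char addr[INET6_ADDRSTRLEN];
    const char *lb;
    long port = ESPUDP_DEFAULT_PORT;
    size_t alen;

    memset(out, 0, sizeof *out);
    lb = strchr(text, '[');
    if (lb != NULL) {
        char *end;
        const char *rb = strchr(lb, ']');
        if (rb == NULL || rb[1] != '\0' || rb == lb + 1)
            return -1;              /* missing ']', trailing junk, or empty port */
        errno = 0;
        port = strtol(lb + 1, &end, 10);
        if (errno != 0 || end != rb || port < 1 || port > 65535)
            return -1;              /* non-numeric or out-of-range port */
        alen = (size_t)(lb - text);
    } else {
        alen = strlen(text);        /* no brackets: default port applies */
    }
    if (alen == 0 || alen >= sizeof addr)
        return -1;
    memcpy(addr, text, alen);
    addr[alen] = '\0';

    if (strchr(addr, ':') != NULL) {
        struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)out;
        if (inet_pton(AF_INET6, addr, &s6->sin6_addr) != 1)
            return -1;
        s6->sin6_family = AF_INET6;
        s6->sin6_port = htons((uint16_t)port);  /* network byte order */
    } else {
        struct sockaddr_in *s4 = (struct sockaddr_in *)out;
        if (inet_pton(AF_INET, addr, &s4->sin_addr) != 1)
            return -1;
        s4->sin_family = AF_INET;
        s4->sin_port = htons((uint16_t)port);   /* network byte order */
    }
    return 0;
}

/* Read the port back in host order: the ntohs() a dump routine needs
 * before printing. Returns 0 for an unknown address family. */
uint16_t endpoint_port(const struct sockaddr_storage *ss)
{
    switch (ss->ss_family) {
    case AF_INET:
        return ntohs(((const struct sockaddr_in *)ss)->sin_port);
    case AF_INET6:
        return ntohs(((const struct sockaddr_in6 *)ss)->sin6_port);
    default:
        return 0;
    }
}

/* Parse and return the host-order port, or -1 if the text is rejected. */
int parsed_port(const char *text)
{
    struct sockaddr_storage ss;
    if (parse_espudp_endpoint(text, &ss) != 0)
        return -1;
    return endpoint_port(&ss);
}

/* Parse and return the address family, or -1 if the text is rejected. */
int parsed_family(const char *text)
{
    struct sockaddr_storage ss;
    if (parse_espudp_endpoint(text, &ss) != 0)
        return -1;
    return ss.ss_family;
}

int main(void)
{
    /* Constructed sample inputs. */
    printf("192.0.2.1        -> port %d\n", parsed_port("192.0.2.1"));
    printf("192.0.2.1[5000]  -> port %d\n", parsed_port("192.0.2.1[5000]"));
    printf("192.0.2.1 4500   -> port %d (rejected: brackets required)\n",
           parsed_port("192.0.2.1 4500"));
    return 0;
}
```

Keeping the port in network order inside the sockaddr and converting only at the print boundary is what makes the 2003-03-27 fixes (htons on the way in, ntohs on the way out) consistent; mixing the two conventions is how a port ends up displayed byte-swapped.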
1450 ---------------------------------------------
1454 2003-03-13 Derek Atkins <derek@ihtfp.com>
1456 * configure.am, NEWS:
1457 Update for 0.2.2 release
1459 * Makefile.am: distribute depcomp
1461 2003-03-10 Derek Atkins <derek@ihtfp.com>
1463 * src/racoon/Makefile.in: add @LEXLIB@ to the LIBS line to make
1464 sure we link against the lexer library when necessary.
1466 2003-03-07 Derek Atkins <derek@ihtfp.com>
1471 * rpm/ipsec-tools.spec.in:
1472 Added RPM SPEC to CVS
1474 ---------------------------------------------
1478 2003-03-07 Derek Atkins <derek@ihtfp.com>
1480 * src/racoon/configure.in: change "CFLAGS" to "CPPFLAGS" for
1481 ssl include directory, to make sure the other tests work properly.
1483 2003-03-06 Derek Atkins <derek@ihtfp.com>
1485 * src/racoon/kmpstat.c: fix gcc-3.2.2 compiler warning
1487 * src/racoon/configure.in: look for krb5-config and don't
1488 use it if it's not found. Fixes a configure-time warning.
1490 --------------------------------------------