---------------------------------------------
0.5.1 released

2005-03-23 Michal Ludvig

	* configure.ac: Bump up version to 0.5.1
	* NEWS: Notes about 0.5.1

2005-03-14 Emmanuel Dreyfus

	* configure.ac: correctly check for dynamic libradius

2005-03-13 Yvan Vanhullebus

	* src/racoon/isakmp.c: Fixed a buffer underrun (CAN-2005-0398)

2005-03-02 Yvan Vanhullebus

	* src/racoon/isakmp_quick.c: tunnel_mode_prop() is now public
	* src/racoon/isakmp_inf.c: fixed compilation if HAVE_POLICY_FWD.

2005-03-01 Yvan Vanhullebus

	* src/racoon/oakley.c: fixed oakley_newiv2() when errors

2005-02-18 Yvan Vanhullebus

	* src/racoon/isakmp_inf.c: Purge generated SPDs when getting a related DELETE_SA
	* src/racoon/pfkey.c: do NOT unbindph12() when SA acquire

---------------------------------------------
0.5 released

2005-02-18 Michal Ludvig

	* configure.ac: Bump up version to 0.5

2005-02-18 Michal Ludvig

	* configure.ac, rpm/suse/ipsec-tools.spec.in, rpm/suse/Makefile.am: Distribute .spec file with resolved version string.
	* src/racoon/Makefile.am: Allow parallel cluster build.

2005-02-17 Yvan Vanhullebus

	* src/racoon/ipsec_doi.c: Workaround for phase1 lifetime checks

2005-02-15 Michal Ludvig

	* configure.ac: Changed --enable-natt_NN to --enable-natt-versions=NN,NN

2005-02-07 Michal Ludvig

	From Krisztian Kovacs:
	* src/racoon/cfparse.y: Allocate correct space for "struct sockaddr".

2005-01-30 Yvan Vanhullebus

	* src/racoon/vmbuf.c: bugfix in vrealloc()
	* src/racoon/oakley.c: mem leak fix in INITDHVAL()
	* src/racoon/session.c: mem leak fix in check_flushsa()

2005-01-29 Yvan Vanhullebus

	* src/racoon/nattraversal.c: fixed draft 04 options...

2005-01-29 Emmanuel Dreyfus

	From Fred Senault
	* src/racoon/pfkey.c: Update SAD even if NAT-T is disabled, so that phase2 can start.

---------------------------------------------
0.5rc2 released

2005-01-04 Michal Ludvig

	* NEWS: Notes for release 0.5rc2
	* configure.ac: Bump up version to 0.5rc2

2005-01-26 Yvan Vanhullebus

	* src/racoon/isakmp_{ident|agg}.c: checks if we are out of vid_natt[] when freeing VIDs. Also sets vid_natt[0] to NULL if NATT disabled.
	* src/racoon/nattraversal.c: fixed vid_natt[] initialization in isakmp_plist_append_natt_vids(), and really puts VIDs from RFC to Draft 00....

2005-01-24 Yvan Vanhullebus

	* src/racoon/isakmp.c: set UDP_ENCAPS_ESPINUDP_NON_IKE option when needed

2005-01-23 Yvan Vanhullebus

	* src/racoon/isakmp_{ident|agg}.c: NAT-T cleanup
	* src/racoon/pfkey.c: Uses NATT encaps_type in pk_sendupdate()
	* src/racoon/vendorid.[ch]: NAT-T cleanup, NATT_01 VID
	* src/racoon/nattraversal.[ch]: NATT cleanup, support for all drafts (disabled by default) / RFC.
	* src/racoon/isakmp.h: NATT cleanup for NATT RFC support
	* src/racoon/ipsec_doi.h: updated comments about NATT
	* configure.ac: enable-natt_XX options

2005-01-22 Emmanuel Dreyfus

	From Fred Senault
	* src/racoon/{cftoken.l|cfparse.y|racoon.conf.5} src/racoon/samples/roadwarrior/README: change "my_identifier login" into "xauth_login" in the config file so that we can introduce Xauth with a pre-shared key later.

2005-01-21 Emmanuel Dreyfus

	* src/racoon/samples/roadwarrior/client/{phase1-up.sh|phase1-down.sh}: workaround Linux problems. This needs a better fix.

2005-01-17 Emmanuel Dreyfus

	* src/racoon/admin_var.h: Fix path problem for adminport socket

2005-01-13 Yvan Vanhullebus

	* src/racoon/ipsec_doi.c: Uses proposal_check value to check phase 1 lifetime.
	* src/racoon/racoon.conf.5: Updated racoon man page for phase 1 lifetime check / proposal_check.

2005-01-11 Emmanuel Dreyfus

	* src/racoon/isakmp_quick.c: Endianness bugfix from KAME

---------------------------------------------
0.5-rc1 released

2005-01-04 Michal Ludvig

	* NEWS: Notes for release 0.5-rc1
	* configure.ac: Bump up version to 0.5-rc1

2005-01-03 Emmanuel Dreyfus

	* src/racoon/admin.c: never fork, it buys nothing and breaks on some operations

---------------------------------------------
Branch for 0.5 created (ipsec-tools-0_5-branch)

2004-12-23 Yvan Vanhullebus

	* src/racoon/crypto_openssl.c: Indentation

2004-12-28 Yvan Vanhullebus

	* src/racoon/crypto_openssl.c: Fixed eay_get_x509subjectaltname() when getting an IP (Bug # 1092095)

2004-12-26 Emmanuel Dreyfus

	* src/racoon/session.c: remove outdated comment

---------------------------------------------
0.5.beta2 released

2004-12-21 Michal Ludvig

	* src/racoon/pfkey.c: Fix AES vs Rijndael defines.

2004-12-20 Yvan Vanhullebus

	* configure.ac, src/racoon/isakmp.c, src/racoon/pfkey.c: Some FreeBSD / NATT support.

2004-12-17 Emmanuel Dreyfus

	* src/racoon/isakmp.c: only IPv4 NAT-T is supported, so skip IPv6 here.
	* src/racoon/pfkey.c: Restore AES support on NetBSD.

2004-12-17 Yvan Vanhullebus

	* src/racoon/crypto_openssl.c: Uses sprintf() instead of asprintf() in eay_get_x509subjectaltname(), because of some compilation problems reported with asprintf() on some platforms.
	* src/racoon/oakley.c: just take the first cert in oakley_savecert() if cert ID check is disabled.

2004-12-16 Emmanuel Dreyfus

	* src/racoon/crypto_openssl.c: Build again on NetBSD
	* src/racoon/samples/roadwarrior/server/racoon src/racoon/samples/roadwarrior/server/racoon.conf-radius src/racoon/samples/roadwarrior/README: Use DPD in sample files.

2004-12-16 Yvan Vanhullebus

	* src/racoon/crypto_openssl.c: Fixed eay_get_x509subjectaltname() when SubjectAltName contains an IP. OpenSSL code from Ludovic Flament (ludovic.flament@free.fr).

---------------------------------------------
0.5.beta1 released

2004-12-13 Michal Ludvig

	From Ganesan R :
	* src/racoon/Makefile.am, src/setkey/Makefile.am: Fix compilation with shared libraries.

2004-12-10 Yvan Vanhullebus

	* src/racoon/oakley.c: takes the first certificate which matches the Identity, instead of just taking the first certificate.

2004-12-07 Yvan Vanhullebus

	* src/racoon/isakmp_inf.c: Set spi_size for R-U-THERE/R-U-THERE-ACK.

2004-12-04 Aidas Kasparas

	* src/libipsec/pfkey_dump.c: distinguish per-socket policies from general ones (Linux case);
	* src/racoon/pfkey.c: ditto, do not negotiate policies if racoon does not listen on out tunnel's source address.

2004-12-01 Yvan Vanhullebus

	* src/racoon/isakmp_agg.c: code cleanup in NATT / DPD VIDs generation in r1send()

2004-12-01 Yvan Vanhullebus

	* src/racoon/remoteconf.{c|h}: DPD support option (enabled by default)
	* src/racoon/{cfparse.y|cftoken.l}: DPD token, yyerror if DPD parameters but compiled without ENABLE_DPD
	* src/racoon/isakmp_{agg|ident}.c: Send DPD VID only if DPD support activated in configuration

2004-11-30 Emmanuel Dreyfus

	* src/racoon/{evt.c|evt.h|admin.c}: init event queue at compile time, to avoid garbage pointer if admin port is disabled.
	* src/racoon/{throttle.c|throttle.h}: new files
	src/racoon/{Makefile.am|isakmp_cfg.c|isakmp_xauth.c|racoon.conf.5} configure.ac: Add a per-host throttling count. When throttling, don't sleep, schedule the answer for later instead.
	* src/racoon/kmpstat.c: default with no hexdump of the packet
	* src/racoon/admin.c: don't remove admin socket after first request, on the other hand remove on startup stale sockets left by crashed racoon.
	* src/racoon/samples/roadwarrior/README src/racoon/kmpstat.c: fix option parsing problem on Linux

2004-11-29 Yvan Vanhullebus

	* src/racoon/session.c: Only listen on pfkey socket when received shutdown signal

2004-11-28 Emmanuel Dreyfus

	* src/racoon/{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h} src/racoon/{isakmp_xauth.c|racoon.conf.5}: Add a one second throttle on each Xauth authentication to avoid brute force attacks

2004-11-24 Emmanuel Dreyfus

	* src/racoon/samples/roadwarrior/README src/racoon/samples/roadwarrior/client/{phase1-up.sh|phase1-down.sh} src/racoon/samples/roadwarrior/client/{racoon.conf|racoon.conf-radius} src/racoon/samples/roadwarrior/server/{racoon.conf|phase1-down.sh}: Fill Linux gaps for hybrid auth client, Replace public IP by private and example IP in the sample config files.

2004-11-24 Emmanuel Dreyfus

	DPD patch from Yvan Vanhullebus
	* src/racoon/cfparse.y: missing bits for DPD support

2004-11-23 Aidas Kasparas

	* src/setkey/parse.y: generate require fwd policies for unique in policies.
	* src/setkey/setkey.c: made -r/-k options available only when system has FWD policies.
	* src/setkey/setkey.8: updated docs about change above.

2004-11-22 Michal Ludvig

	* src/racoon/{admin.c,pfkey.c}: Wrap adminport-parts to #ifdef ENABLE_ADMINPORT/#endif.

2004-11-22 Michal Ludvig

	Revert these changes (ludvigm, 2004-11-18):
	* src/racoon/Makefile.am: install sample racoon.conf and psk.txt.
	* src/setkey/Makefile.am: Install setkey.conf.

2004-11-22 Emmanuel Dreyfus

	* src/racoon/{isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c}: defer phase 1 removal so that it's not used after being deleted.
	* src/racoon/{evt.h|isakmp.c|isakmp_agg.c|isakmp_base.c|session.c} src/racoon/{isakmp_ident.c|isakmp_inf.c|kmpstat.c}: report more errors to racoonctl

2004-11-21 Emmanuel Dreyfus

	* src/racoon/doc/FAQ: NAT-T kernel patch for NetBSD is now on the ipsec-tools web site
	* src/racoon/{kmpstat.c|racoonctl.8}: New racoonctl command to display all events reported by racoon: show-event
	* src/racoon/isakmp_cfg.c: don't send ISAKMP mode config message with immature or dying phase 1
	* src/racoon/kmpstat.c: racoonctl vd awaits phase 1 to get down

2004-11-20 Emmanuel Dreyfus

	* src/racoon/isakmp_agg.c: for hybrid auth client, advertise ourselves as Unity compliant.
	* src/racoon/{evt.c|evt.h}: new files
	src/racoon/{Makefile.am|admin.c|admin.h|isakmp.c|isakmp_cfg.c} src/racoon/{isakmp_xauth.c|kmpstat.c|pfkey.c}: framework for event reporting from racoon to racoonctl

2004-11-20 Aidas Kasparas

	* src/racoon/grabmyaddr.c: Prevent doubling addresses and error messages when racoon is compiled with INET6 support and kernel is not. Fixed with help of Zilvinas Valinskas.
	* src/racoon/{var.h|sockmisc.c}: Fixed compilation with gcc-3.4.2+ problem.

2004-11-19 Emmanuel Dreyfus

	* src/racoon/doc/FAQ: more options and warn about software patents.

2004-11-18 Emmanuel Dreyfus

	* src/racoon/vmbuf.c: don't allocate zero-length buffer
	* src/racoon/samples/roadwarrior/client/phase1-down.sh src/racoon/samples/roadwarrior/server/phase1-down.sh: Also flush SAD when disconnecting.
	* src/racoon/admin.c: Send a notification when deleting ISAKMP SA
	* src/racoon/samples/roadwarrior/README: accommodate the recent sysconfdir change

2004-11-18 Michal Ludvig

	* src/racoon/Makefile.am: Fix adminsocket dir, install sample racoon.conf and psk.txt.
	* src/racoon/localconf.h: Look for racoon.conf in $(SYSCONFDIR), not $(SYSCONFDIR)/racoon.
	* src/racoon/algorithm.h, src/racoon/eaytest.c, src/racoon/schedule.h, src/racoon/gnuc.h: Build fixes for really strict environments.
	* src/setkey/setkey.conf: Yet another sample config file.
	* src/setkey/Makefile.am: Install setkey.conf.
	* rpm/suse/{ipsec-tools.spec.in,sysconfig.racoon,racoon.init}: New files.
	* rpm/suse/{Makefile.am,.cvsignore}: New files.
	* configure.ac, rpm/Makefile.am: Build in rpm/suse.

2004-11-17 Aidas Kasparas

	* configure.ac: paste bugfix by Zilvinas Valinskas
	* src/racoon/{isakmp_quick.c|policy.c|strnames.c}: fwd policy support for generated policies. Patch by Patrick McHardy.

2004-11-16 Emmanuel Dreyfus

	* src/racoon/racoonctl.8: racoonctl man page (new file)

2004-11-16 Emmanuel Dreyfus

	From Ganesan
	* src/racoon/ipsec_doi.c: fix freed memory access

2004-11-16 Michal Ludvig

	DPD patch from Yvan Vanhullebus
	* configure.ac, src/racoon/cfparse.y, src/racoon/cftoken.l, src/racoon/handler.c, src/racoon/handler.h, src/racoon/isakmp.c, src/racoon/isakmp.h, src/racoon/isakmp_agg.c, src/racoon/isakmp_ident.c, src/racoon/isakmp_inf.c, src/racoon/isakmp_inf.h, src/racoon/racoon.conf.5, src/racoon/remoteconf.c, src/racoon/remoteconf.h, src/racoon/vendorid.c, src/racoon/vendorid.h: Dead Peer Detection (DPD) support.

2004-11-16 Michal Ludvig

	* configure.ac: Remove a bash-specific construction, take II.
	* src/racoon/grabmyaddr.c: FreeBSD fix for headers.

2004-11-15 Michal Ludvig

	* configure.ac: Use correct include paths during ./configure run.
	* src/racoon/Makefile.am: Compile cftoken.l from $(srcdir), remove samples/racoon.conf.sample-cvpn, added samples/roadwarrior (hint, hint, manu :-))

2004-11-15 Emmanuel Dreyfus

	* README: update the docs
	* src/racoon/doc/FAQ: update the docs
	* configure.ac: Remove a bash-specific construction

2004-11-14 Aidas Kasparas

	* src/racoon/cfparse.y: ensure that returns from rules are initialized even on erroneous config file.
	* src/racoon/admin_var.h: changed management socket location
	* src/racoon/Makefile.am: ditto, added rule to install directory for management socket.
	* src/setkey/{setkey.c|parse.y}: introduced rfc/kernel modes, added generation of fwd policies for every in policy spdadd'ed.
	* src/setkey/setkey.8, src/libipsec/ipsec_set_policy.3: updated docs
	* src/setkey/policy_token.l: return something reasonable when fwd direction is parsed on systems with no forward policy support.

2004-11-14 Emmanuel Dreyfus

	* src/racoon/isakmp.c: avoid a double free when using IKE fragmentation
	* src/racoon/{backupsa.c|ipsec_doi.c|localconf.c|str2val.c} src/{libipsec/key_debug.c|setkey/parse.y}: fix build warnings
	* configure.ac src/racoon/{admin.c|admin_var.h} src/racoon/racoon.conf.5 src/racoon/samples/roadwarrior/README src/racoon/samples/roadwarrior/client/racoon.conf: make the default mode for the admin socket more secure.

2004-11-13 Emmanuel Dreyfus

	* src/racoon/{cfparse.y|remoteconf.c|crypto_openssl.c|crypto_openssl.h} src/racoon/{eaytest.c|oakley.c|racoon.conf.5|cftoken.l|remoteconf.h} src/racoon/samples/roadwarrior/README src/racoon/samples/roadwarrior/client/racoon.conf: Make the root certificate authority location per-peer and configurable.
	* src/racoon/isakmp_frag.c: fix unallocated memory access
	* src/racoon/isakmp_agg.c: fix incorrect queue deallocation
	* src/racoon/remoteconf.c: fix uninitialized data
	* src/racoon/{admin.c|isakmp_xauth.c}: fix freed memory access

2004-11-12 Emmanuel Dreyfus

	* src/racoon/{Makefile.am|kmpstat.c}: Make racoonctl vc and vd commands IPv6 friendly.
	* src/racoon/{admin.c|admin.h|handler.c|handler.h|kmpstat.c}: Add an admin message to flush all the SA for a given peer. Convert racoonctl vd to use it.
	* src/racoon/{admin.c|kmpstat.c|cftoken.l|cfparse.y} src/racoon/{admin_var.h|admin.h|racoon.conf.5}: Enable the administrator to choose the admin socket path, ownership and mode.
	* src/racoon/sample/roadwarrior: complete config files for road warriors using hybrid authentication.

2004-11-12 Michal Ludvig

	* configure.ac: Config option --enable-natt=kernel
	* src/racoon/Makefile.am: Distribute only yacc/lex source files, not the preprocessed .c files.

2004-11-11 Emmanuel Dreyfus

	* src/racoon/samples/racoon.conf.sample-cvpn: more complete setup and comments in the VPN concentrator setup for the Cisco VPN client
	* src/racoon/racoon.conf.5: fix documentation
	* src/racoon/isakmp_cfg.c: get the internal IPv4 address in script hooks even if we are a server.

2004-11-10 Emmanuel Dreyfus

	* src/racoon/{ipsec_doi.c|remoteconf.c}: fix LP64 problems

2004-11-09 Michal Ludvig

	* Makefile.am: Remove aclocal-related lines.
	* src/racoon/Makefile.am: Add isakmp_frag.h into noinst_HEADERS
	* configure.ac: Cleanup, define INET6 if IPv6 should be supported, better handling of KRB5 and NAT-T.
	* src/racoon/{isakmp_cfg.c,isakmp_frag.c,isakmp_unity.c}: Make FreeBSD happy with includes (Arrgh...&^#$^@!!!)

2004-11-08 Michal Ludvig

	* src/libipsec/policy_parse.y: Define INT32_MAX/INT32_MIN.
	* src/libipsec/policy_token.l, src/racoon/kmpstat.c, src/racoon/{pfkey.c,prsa_par.y,rsalist.c,token.l}: Small fixes to support FreeBSD (tested with 4.10).

2004-11-05 Michal Ludvig

	* configure.ac: Add --with-readline switch.
	* src/setkey/setkey.c (stdin_loop): Fix newlines and comments when compiled without readline.

2004-11-01 Aidas Kasparas

	* src/racoon/isakmp_quick.c: generated policy refresh patch by Yvan Vanhullebus

2004-10-29 Michal Ludvig

	* configure.ac: Check for IPSEC_DIR_FWD and eventually define HAVE_POLICY_FWD.
	* src/libipsec/{ipsec_dump_policy.c,policy_token.l}: Use HAVE_POLICY_FWD in ifdefs.
	* NEWS: Mention the fix.
	* src/racoon/kmpstat.c: Fix compilation on Linux.
	* src/racoon/ipsec_doi.h: Ditto.
	* src/racoon/Makefile.am, src/setkey/Makefile.am: Update explicit dependencies.

2004-10-29 Emmanuel Dreyfus

	* src/racoon/{isakmp_cfg.h,grabmyaddr.c,handler.c,handler.h}: do not reconfigure internal addresses obtained through ISAKMP mode config.
	* src/racoon/{isakmp.c,isakmp_cfg.c,isakmp_xauth.c}: On authentication failure, kill the phase 1 and log the failure. Do not run the sa_up script in this case.
	* src/racoon/{admin.c,admin.h,isakmp_xauth.c,kmpstat.c,remoteconf.h}: Add -u user to racoonctl establish-sa, prompt for the PSK from the terminal, and add a vpn-connect target with simplified syntax for establishing a SA in the road warrior case.
	* src/racoon/{admin.c,kmpstat.c}: implement delete-sa and vpn-disconnect commands of racoonctl
	* src/racoon/{cfparse.y,cftoken.l,handler.c,isakmp.c,isakmp_cfg.c} src/racoon/{isakmp_var.h,racoon.conf.5,remoteconf.c,remoteconf.h}: Remove sa_up and sa_down and replace them by a more general script hook framework.

2004-10-27 Emmanuel Dreyfus

	* src/racoon/nattraversal.c: Use macros instead of magic numbers
	* src/racoon/kmpstat.c: pull up fixes from KAME so that racoonctl can actually establish a SA
	* src/racoon/{cfparse.y,cftoken.l,handler.c,isakmp.c,isakmp_cfg.c} src/racoon/{isakmp_var.h,racoon.conf.5,remoteconf.c,remoteconf.h}: Shell script hooks for ISAKMP SA creation and removal

2004-10-26 Emmanuel Dreyfus

	* src/racoon/rfc/draft-ietf-ipsec-isakmp-hybrid-auth-05.txt: removed
	src/racoon/rfc/draft-ietf-ipsec-isakmp-mode-cfg-04.txt: removed
	src/racoon/rfc/draft-beaulieu-ike-xauth-02.txt: new file
	src/racoon/rfc/draft-dukes-ike-mode-cfg-02.txt: new file
	Update to the latest drafts

2004-10-25 Emmanuel Dreyfus

	* src/racoon/rfc/draft-ietf-ipsec-isakmp-hybrid-auth-05.txt: new file
	src/racoon/rfc/draft-ietf-ipsec-isakmp-mode-cfg-04.txt: new file
	src/racoon/rfc/draft-ietf-ipsec-isakmp-xauth-07.txt: new file
	drafts documenting ISAKMP mode config, Xauth and hybrid auth
	* src/racoon/cftoken.l: fix build problem, add an error message when using hybrid auth options while hybrid auth is not built
	* src/racoon/isakmp_cfg.c: build without RADIUS support too

2004-10-24 Emmanuel Dreyfus

	* src/racoon/{algorithm.c,algorithm.h,cfparse.y,cftoken.l}
	src/racoon/{ipsec_doi.c,ipsec_doi.h,isakmp.c,isakmp_agg.c} src/racoon/{isakmp_cfg.c,isakmp_cfg.h,isakmp_xauth.c,isakmp_xauth.h} src/racoon/{oakley.c,oakley.h,racoon.conf.5} src/racoon/{remoteconf.c,remoteconf.h,strnames.c}: Client side of hybrid auth and ISAKMP mode config

2004-10-24 Emmanuel Dreyfus

	* src/racoon/{cfparse.y,cftoken.l,handler.h,isakmp.c} src/racoon/{isakmp_agg.c,isakmp_base.c,isakmp_frag.c,isakmp_frag.h} src/racoon/{isakmp_inf.c,racoon.conf.5,remoteconf.c,remoteconf.h}: Receiver-side of IKE fragmentation

2004-10-24 Emmanuel Dreyfus

	* src/racoon/isakmp_cfg.c: Fix read buffer overflow
	* src/racoon/isakmp_xauth.c: Fix weak authentication
	* src/racoon/{oakley.c,oakley.h}: Fix weak authentication

2004-10-21 Michal Ludvig

	From Emmanuel Dreyfus:
	* src/racoon/{isakmp_frag.c,isakmp_frag.h}: New files.
	* src/racoon/isakmp_cfg.c: Fix endianness.

2004-10-20 Michal Ludvig

	From Emmanuel Dreyfus:
	* src/racoon/{cfparse.y,cftoken.l,handler.c}, src/racoon/{isakmp_cfg.c,isakmp_cfg.h,isakmp_xauth.c}, src/racoon/racoon.conf.5: RADIUS IP addresses allocation and RADIUS accounting.
	* configure.ac, src/racoon/{Makefile.am,handler.h,isakmp.c,isakmp.h}, src/racoon/{isakmp_agg.c,isakmp_base.c,isakmp_inf.c}, src/racoon/{vendorid.c,vendorid.h}: IKE Fragmentation patch.

2004-10-08 Michal Ludvig

	* src/racoon/isakmp_cfg.c: Fixes from Emmanuel Dreyfus.

2004-10-06 Aidas Kasparas

	* src/racoon/remoteconf.c: dupidvl(), dupetypes() - new functions to duplicate dynamically allocated structures; duprmconf() - call these functions to produce private copy of inherited id and etype structures.
	* src/racoon/remoteconf.c: declaration for dupetypes().

2004-10-04 Aidas Kasparas

	* src/racoon/cfparse.y: check inherited_from dereferencing
	* src/racoon/crypto_openssl.c: prevent crash on incorrect DNs

2004-09-27 Michal Ludvig

	From KOVACS Krisztian :
	* src/racoon/sockmisc.c (sendfromto): Set src address.

2004-09-24 Aidas Kasparas

	* configure.ac: added check for linux-gnu, as my box reports
	* src/racoon/grabmyaddr.c: added missing include

2004-09-21 Michal Ludvig

	Merged 'autoconf' branch to mainline:
	* .cvsignore, ChangeLog, Makefile.am, bootstrap, configure.ac, src/racoon/.cvsignore, src/racoon/cfparse.y, src/racoon/crypto_openssl.c, src/racoon/crypto_openssl.h, src/racoon/ipsec_doi.c, src/racoon/isakmp.c, src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c, src/racoon/isakmp_cfg.c, src/racoon/isakmp_ident.c, src/racoon/isakmp_unity.c, src/racoon/main.c, src/racoon/nattraversal.c, src/racoon/oakley.c, src/racoon/oakley.h, src/racoon/sockmisc.c, src/racoon/missing/crypto/sha2/sha2.c: Modified (see ChangeLog in 'autoconf' branch for details).
	* acracoon.m4, src/racoon/Makefile.am: New files.
	* src/racoon/Makefile.in, src/racoon/aclocal.m4, src/racoon/client-puzzle.c, src/racoon/config.guess, src/racoon/config.sub, src/racoon/configure.in, src/racoon/install-sh, src/racoon/doc/SantaBarbara-result.jp, src/racoon/doc/helsinki-result.jp, src/racoon/doc/ibm-result.jp, src/racoon/doc/pattern, src/racoon/doc/question, src/racoon/doc/racoonquestion.sh, src/racoon/doc/redmond.txt, src/racoon/doc/rules.jp, src/racoon/doc/sandiego-result.en, src/racoon/doc/sandiego-result.jp, src/racoon/doc/sandiego0009-result.en, src/racoon/missing/addrinfo.h, src/racoon/missing/getaddrinfo.c, src/racoon/missing/getnameinfo.c, src/racoon/samples/Makefile, src/racoon/samples/sandiego.pl: Removed.

2004-09-17 Michal Ludvig

	* src/racoon/vendorid.[ch]: Rewrote the VendorID handling. We don't use the array with fixed offsets anymore, instead a generally unordered structure with ID, string and precomputed MD5 hashes.
	* src/racoon/{isakmp_agg.c,isakmp_base.c,isakmp_ident.c}, src/racoon/nattraversal.c: Updated to the new VID model.
	* src/racoon/main.c (main): Precompute VendorIDs.
	* src/racoon/arc4random.h, src/racoon/missing/arc4random.c: Files removed.
	Function arc4random() renamed to eay_random() and moved to crypto_openssl.c.
	* src/racoon/pfkey.c, src/racoon/oakley.c, src/racoon/main.c, src/racoon/isakmp.c: Updated to the above change.
	* src/racoon/Makefile.in, src/racoon/configure.in: Remove arc4random() from building.
	* src/racoon/crypto_openssl.[ch] (eay_random): New function.
	* src/racoon/isakmp_cfg.c, src/racoon/isakmp_unity.c, src/racoon/isakmp_xauth.c: Cleaned up headers.

2004-09-16 Michal Ludvig

	* src/racoon/crypto_openssl.c (base64_encode): Terminate the result with '\0'.

2004-09-15 Michal Ludvig

	* configure.ac: How about calling the next version 0.5?
	* src/include-glibc/glibc-bugs.h: Define _XOPEN_SOURCE _BSD_SOURCE and don't require
	* src/racoon/isakmp_cfg.c, src/racoon/isakmp_unity.c, src/racoon/isakmp_xauth.c: Don't include
	* src/racoon/Makefile.in: Add new files to distribution.
	* src/racoon/configure.in: Fix linux kernel NATT detection.
	* src/setkey/parse.y: Fix types.
	* src/racoon/backupsa.c, src/racoon/ipsec_doi.c, src/racoon/isakmp_inf.c, src/racoon/isakmp_quick.c, src/racoon/pfkey.c, src/racoon/remoteconf.c, src/racoon/session.c, src/racoon/sockmisc.c: Fix headers ordering, use HAVE_NETINET6_IPSEC.
	* src/racoon/isakmp_cfg.c: Use %z for size_t.
	* src/racoon/configure.in: Clean up IPv6 stack check.

2004-09-15 Michal Ludvig

	Merged "Hybrid XAUTH" support from Emmanuel Dreyfus:
	* src/racoon/isakmp_cfg.h, src/racoon/isakmp_cfg.c, src/racoon/isakmp_unity.c, src/racoon/isakmp_unity.h, src/racoon/isakmp_xauth.c, src/racoon/isakmp_xauth.h, src/racoon/samples/racoon.conf.sample-cvpn: New files.
	* src/racoon/algorithm.c, src/racoon/algorithm.h, src/racoon/cfparse.y, src/racoon/cftoken.l, src/racoon/handler.c, src/racoon/handler.h, src/racoon/ipsec_doi.c, src/racoon/isakmp.c, src/racoon/isakmp.h, src/racoon/isakmp_agg.c, src/racoon/isakmp_inf.c, src/racoon/oakley.c, src/racoon/oakley.h, src/racoon/strnames.c, src/racoon/vendorid.c, src/racoon/vendorid.h: Added code for XAUTH support.
	* src/racoon/racoon.conf.5: Documentation for XAUTH.
	* src/racoon/isakmp_base.c, src/racoon/isakmp_ident.c, src/racoon/nattraversal.c: Added NATT VID "02\n"
	* src/racoon/configure.in: New config option --enable-hybrid

2004-09-14 Michal Ludvig

	* configure.ac: Preset CFLAGS
	* src/racoon/configure.in: Preset LDFLAGS instead of CFLAGS on NetBSD, Check if printf() accepts "%z" modifiers.
	* src/racoon/isakmp_agg.c (agg_i1send): Place #endif correctly.
	* src/setkey/parse.y (fix_portstr): Init 'p2'.
	* src/setkey/setkey.c: Add required prototypes.

2004-09-14 Aidas Kasparas

	* src/racoon/gssapi.c: sa_len -> sysdep_sa_len. Patch by Andreas.

2004-09-14 Michal Ludvig

	* src/racoon/configure.in: Check for NetBSD NAT-T kernel support.

2004-09-13 Michal Ludvig

	* src/racoon/configure.in: Check for
	* src/racoon/crypto_openssl.c: Only use OpenSSL engines if available.
	* src/racoon/plainrsa-gen.c: Ditto.

2004-09-13 Michal Ludvig

	NetBSD fixes from Emmanuel Dreyfus :
	* Makefile.am: build in rpm/ only on Linux
	* configure.ac: Check for netinet6/ipsec.h instead of netinet/ipsec.h
	* src/Makefile.am: Build include-glibc only on Linux
	* src/libipsec/{ipsec_dump_policy.c,ipsec_get_policylen.c,ipsec_strerror.c,key_debug.c,pfkey.c,pfkey_dump.c,policy_parse.y,policy_token.l,test-policy-priority.c}, src/racoon/{cfparse.y,cftoken.l,grabmyaddr.c,isakmp.c,nattraversal.c,pfkey.c,plainrsa-gen.c,policy.c,proposal.c,sainfo.c,schedule.c,strnames.c}, src/setkey/{parse.y,setkey.c,token.l}: Fix headers and some ifdefs.
	* src/racoon/sockmisc.c (sendfromto): Wrap for Linux only.
	* src/racoon/configure.in: Check for kernel NAT-T support, fix libipsec.a linkage path.
	* src/racoon/eaytest.c (certtest): Use %z for size_t.

2004-09-12 Aidas Kasparas

	* src/racoon/grabmyaddr.c: improved socket selection algorithm for case when link-local addresses come w/o sin6_scope_id set.

2004-09-07 Aidas Kasparas

	* src/racoon/session.c: fix for SIGHUP handler for case when config file contains listen directives.

2004-09-01 Aidas Kasparas

	* src/racoon/grabmyaddr.c: added scope id handling for link-local IPv6 addresses. Now racoon will not err on such addresses.

2004-08-19 Aidas Kasparas

	* src/racoon/crypto_openssl.c: hmac memory leak fix by R. Ganesan
	* src/racoon/eaytest.c: eay_init_error() -> eay_init() due to 2004-06-01 changes in src/racoon/crypto_openssl.c

2004-08-15 Aidas Kasparas

	* src/racoon/cfparse.y src/racoon/crypto_openssl.c src/racoon/eaytest.c src/racoon/genlist.h src/racoon/ipsec_doi.c src/racoon/racoon.conf.5 src/racoon/remoteconf.c src/racoon/remoteconf.h: peers_identifier wildcard and list patch by James Matheson

---------------------------------------------
0.4rc1 released

2004-08-09 Michal Ludvig

	* NEWS: Notes for release 0.4rc1
	* configure.ac: Bump up version to 0.4rc1

2004-07-12 Michal Ludvig

	PlainRSA support. See ChangeLog.prsa from the 'plainrsa' branch for details.
	* src/racoon/stringlist.c src/racoon/stringlist.h: Removed.
	* src/racoon/genlist.c src/racoon/genlist.h src/racoon/plainrsa-gen.8 src/racoon/plainrsa-gen.c src/racoon/prsa_par.y src/racoon/prsa_tok.l src/racoon/rsalist.c src/racoon/rsalist.h src/racoon/samples/racoon.conf.sample-plainrsa: New files.
	* src/racoon/Makefile.in src/racoon/configure.in src/racoon/cfparse.y src/racoon/cftoken.l src/racoon/crypto_openssl.c src/racoon/crypto_openssl.h src/racoon/handler.h src/racoon/ipsec_doi.c src/racoon/ipsec_doi.h src/racoon/isakmp.h src/racoon/main.c src/racoon/oakley.c src/racoon/plog.c src/racoon/remoteconf.c src/racoon/remoteconf.h src/racoon/sockmisc.c src/racoon/sockmisc.h src/racoon/eaytest.c: Updated.

2004-07-12 Michal Ludvig

	* src/racoon/main.c, src/racoon/eaytest.c, src/racoon/plog.c: Move f_foreground to plog.c.
	* src/racoon/proposal.c (cmpsaprop_alloc): Fix printing of encmode adjusting.
	* src/racoon/ipsec_doi.c, src/racoon/isakmp.c, src/racoon/isakmp_quick.c, src/racoon/oakley.c: Fix typos, newlines and printf() format strings.

2004-06-16 Aidas Kasparas

	* src/racoon/crypto_openssl.c (eay_get_x509cert): small memory leak fix. Noticed B.Buesker, patch L.Stellingwerff
	* src/racoon/crypto_openssl.c (eay_aes_{en|de}crypt, evp_crypt): small memory leaks fixed.

2004-06-15 Aidas Kasparas

	SECURITY
	* src/racoon/crypto_openssl.[ch] (cb_check_cert_local, cb_check_cert_remote): split cb_check_cert() due to stricter requirements for certificates received from network.
	* src/racoon/crypto_openssl.[ch] (eay_check_x509cert): new parameter local to specify how strict cert check should be
	* src/racoon/oakley.c, src/racoon/eaytest.c: adjust to use above

2004-06-11 Michal Ludvig

	* src/racoon/nattraversal.c (natt_vendorid, natt_fill_options): Support for all known NAT-T versions.
	* vendorid.h: Ditto.

2004-06-08 Michal Ludvig

	* src/racoon/stringlist.c, src/racoon/stringlist.h: New files.
	* src/racoon/Makefile.in: Compile stringlist.o.

2004-06-07 Michal Ludvig

	* configure.ac: Set version to 'cvs'.
	* src/{racoon,setkey,libipsec}/*.h: Wrap headers between #ifndef/#define/#endif to allow multiple inclusions of the same file.
	* plog.h (plog): Attribute __printf__ for automatic checking of the parameters' validity.
	* cftoken.l, crypto_openssl.c, grabmyaddr.c, ipsec_doi.c, isakmp.c, isakmp_quick.c, oakley.c, pfkey.c, proposal.c, sockmisc.c: Fix warnings/errors in the plog() parameters with the above change.

2004-06-05 Aidas Kasparas

	* src/setkey/setkey.c: -n (no action) support. Thanks Thomas Habets.
	* src/setkey/setkey.8: Documentation for above.
	* src/racoon/doc/README.certificate: updated link to more recent version of document. Debian bug #252513 by Jose Luis Domingo Lopez

2004-06-01 Michal Ludvig

	* src/racoon/algorithm.c: Enable compilation without SHA2 support.
	* src/racoon/crypto_openssl.c: Ditto.

2004-06-01 Michal Ludvig

	* src/racoon/crypto_openssl.c: Remove unneeded workarounds for older OpenSSLs.
	(eay_init): New function.
	(eay_init_error, eay_check_pkcs7sign): Removed.
	* src/racoon/crypto_openssl.h: Reflect the above changes.
	* src/racoon/main.c: Call eay_init() instead of eay_init_error().

2004-05-27 Michal Ludvig

	Support for inheritance of 'remote' statements:
	* src/racoon/cftoken.l: New keyword 'inherit'.
	* src/racoon/cfparse.y: Support for 'inherit', remove global 'prhead', use cur_rmconf->prhead instead.
	* src/racoon/remoteconf.c (rmtree): Changed from LIST queue to TAILQ queue.
	(getrmconf): Renamed to getrmconf_strict().
	(copyrmconf, duprmconf, dump_rmconf_single, dumprmconf): New functions.
	(rm2str): Deleted.
	* src/racoon/remoteconf.h: Prototypes for the above.
	(struct remoteconf): New fields 'inherited_from' and 'prhead'.
	* src/racoon/sockmisc.c (saddr2str): Can print anonymous entries.
	* src/racoon/algorithm.c (alg_oakley_encdef_name, alg_oakley_hashdef_name, alg_oakley_dhdef_name, alg_oakley_authdef_name): New functions.
	* src/racoon/algorithm.h: Prototypes for the above.
	* src/racoon/strnames.c (num2str): Make extern.
	(s_doi, s_etype, s_idtype, s_switch): New functions.
	* src/racoon/strnames.h: Prototypes for the above.
	* src/racoon/main.c: New parameter -C for dumping the parsed config.
	* src/racoon/racoon.conf.5: Document inheritance.
	* src/racoon/samples/racoon.conf.sample-inherit: Sample config file.
	* src/racoon/Makefile.in: Distribute racoon.conf.sample-inherit

2004-05-24 Michal Ludvig

	* configure.in, backupsa.c, ipsec_doi.c, isakmp_inf.c, isakmp_quick.c, pfkey.c, remoteconf.c, session.c, sockmisc.c: Allow compilation with --disable-ipv6

2004-05-21 Michal Ludvig

	* src/racoon/crypto_openssl.[ch]: Use EVP_*() instead of algorithm specific functions.

2004-05-20 Aidas Kasparas

	Manual page updates. Thanks Brian
	* src/libipsec/ipsec_set_policy.3
	* src/setkey/setkey.8
	* src/libipsec/test-policy-priority.c: new file from policy priority patch, which I forgot to add

2004-05-18 Aidas Kasparas

	Policy priority integer handling fixes by Brian Buesker.
	* src/libipsec/ipsec_strerror.c
	* src/libipsec/ipsec_strerror.h
	* src/libipsec/libpfkey.h
	* src/libipsec/policy_parse.y
	* src/libipsec/test-policy-priority.c
	Manual page corrections by me
	* src/libipsec/ipsec_set_policy.3
	* src/setkey/setkey.8

2004-05-15 Aidas Kasparas

	Policy priority support patch from Brian Buesker. Applied as is except src/libipsec/Makefile.am is modified instead of src/libipsec/Makefile.in as found in the patch.

2004-05-10 Michal Ludvig

	From Heiko Hund, approved by the copyright holder:
	* src/racoon/gssapi.[ch]: Update to 3-clause BSD license.

2004-04-27 Michal Ludvig

	From Heiko Hund:
	* src/include-glibc/sys/queue.h: Update to 3-clause BSD license.

2004-04-26 Aidas Kasparas

	* src/racoon/grabmyaddr.c (update_myaddrs): Only trust kernel to send notifications about changed interfaces.

2004-04-24 Aidas Kasparas

	* src/racoon/grabmyaddr.c (recvaddrs): Only trust kernel to send information about interfaces. Thanks Steve Grubb and Bill Nottingham. Affects users with glibc w/o getifaddrs(). Users with glibc earlier than 2003-11-14 should upgrade their glibc.

2004-04-19 Michal Ludvig

	* src/racoon/isakmp.c (isakmp_handler): Reject too big packets (CAN-2004-0403).

---------------------------------------------
0.3 released

2004-04-14 Michal Ludvig

	* NEWS: Notes for release 0.3
	* configure.ac: Bump up version to 0.3
	* src/racoon/Makefile.in: Use install-sh instead of mkinstalldirs.
	* src/racoon/remoteconf.c (foreachrmconf): Avoid warning about uninitialised variable.
	* src/racoon/samples/racoon.conf.in: Cleaned up to work with Linux and FreeSWAN.

2004-04-13 Michal Ludvig

	* src/racoon/grabmyaddr.c (suitable_ifaddr6): Anycast addresses are not suitable.

2004-04-09 Michal Ludvig

	* src/racoon/crypto_openssl.c (cb_check_cert): Warn if no CRL is found.
	* src/racoon/isakmp_ident.c (ident_r2recv): Removed debug plog().
	* src/racoon/proposal.c (cmpsatrns): Downgrade severity of trns_id mismatch to LLV_WARNING.
	* src/libipsec/pfkey_dump.c, src/racoon/algorithm.c,
	  src/racoon/algorithm.h, src/racoon/cftoken.l, src/racoon/ipsec_doi.c,
	  src/racoon/ipsec_doi.h, src/racoon/oakley.h, src/racoon/pfkey.c,
	  src/racoon/strnames.c, src/setkey/token.l: Renamed Rijndael to AES.
	* src/setkey/token.l: Recognize exit/quit/bye tokens.
	* src/setkey/parse.y (exit_command): New.
	* src/setkey/setkey.c (stdin_loop): Exit when exit_now is set in
	  exit_command.

2004-04-08  Michal Ludvig

	* src/setkey/setkey.c (main): Call get_supported() in interactive mode.
	  (stdin_loop): Concat multiline input into a single line before parsing.

2004-04-07  Michal Ludvig

	* src/racoon/nattraversal.c (natt_keepalive_send): Log sending KA with
	  level DEBUG. Having it with level INFO only pollutes logfiles.

2004-04-06  Michal Ludvig

	* src/racoon/Makefile.in: eaytest now links plog.o
	* src/racoon/crypto_openssl.c: Remove all #ifdef EAYDEBUG/#endif
	  surrounding plog().
	* src/racoon/eaytest.c (rsatest): Enabled RSA tests again, now verifying
	  both good and bad signatures.

--------------------------------------------- 0.3rc5 released

2004-04-05  Michal Ludvig

	* NEWS: Notes for release 0.3rc5
	* configure.ac: Bump up version to 0.3rc5

2004-04-05  Michal Ludvig

	Fix for a security bug found by Ralf Spenneberg:
	* src/racoon/crypto_openssl.c (eay_check_x509sign): Directly generate
	  'evp' instead of 'pubkey'.
	  (eay_rsa_sign): Use the above.
	* src/racoon/crypto_openssl.h: Update prototypes for the above.
	* src/racoon/eaytest.c: Disabled RSA tests because of the API change.

2004-04-05  Michal Ludvig

	* src/racoon/pfkey.c (pfkey_handler): Safety check before accessing
	  the array (thx to Ren.J.Y for report).
	  (pkrecvf): Added entry for SADB_X_NAT_T_NEW_MAPPING (NULL for now).
	* src/racoon/strnames.c (name_pfkey_type): Ditto.

2004-04-02  Michal Ludvig

	* src/racoon/eaytest.c (ciphertest_1): Correct padlen.

2004-04-01  Michal Ludvig

	* src/racoon/ipsec_doi.c (setph2proposal0): Move proposal encmode
	  update from here ...
	  (ipsecdoi_setph2proposal): ... to here.
	  Hopefully this is a better place to do the update.

2004-03-30  Michal Ludvig

	* src/racoon/crypto_openssl.c (eay_3des_expand_key): New function.
	  (eay_3des_encrypt, eay_3des_decrypt): Expand key if necessary.
	* src/racoon/eaytest.c (ciphertest_1): New function.
	  (ciphertest): Simplified to simple calls of ciphertest_1().

2004-03-29  Michal Ludvig

	* README: Rewritten. Mentioned where to report bugs.

2004-03-26  Michal Ludvig

	* configure.ac: Check for readline.h and libreadline.
	* src/setkey/setkey.c: Call stdin_loop() when '-c' was given.
	  (stdin_loop): Read user input and parse it line-by-line.
	* src/setkey/token.l (parse_string): New function.

--------------------------------------------- 0.3rc4 released

2004-03-25  Michal Ludvig

	* configure.ac: Bump up version to 0.3rc4
	* NEWS: Notes for release 0.3rc4
	* src/racoon/cfparse.y (algorithm): Hint about missing module.
	* src/racoon/crypto_openssl.c (eay_3des_*): Check for strict key
	  length only with old API.
	  (eay_des_encrypt): Ditto.
	* src/racoon/eaytest.c: Make the testsuite useful, i.e. exit with
	  non-zero error code if any of the tests fail.
	  (main): Print banner with version.
	* src/racoon/Makefile.in: Run eaytest in 'make check'.

2004-03-23  Michal Ludvig

	* src/racoon/isakmp_agg.c (agg_i2recv): Copy remote cookie before
	  comparing NAT-D payloads. (thx to Gaurav Kansal for report).
	* src/racoon/crypto_openssl.c: Avoid type-punned warnings.
	* src/racoon/eaytest.c: Disable 'cert' tests.
	* src/racoon/crypto_openssl.c (eay_des_encrypt): No need to check for
	  strict length.
	  (eay_aes_encrypt): Keylength is in bits, not bytes.

2004-03-22  Michal Ludvig

	* src/setkey/parse.y (ALG_ENC_NOKEY, ALG_ENC_OLD): Use "" for key
	  instead of NULL and check for availability.

--------------------------------------------- 0.3rc3 released

2004-03-19  Michal Ludvig

	* configure.ac: Bump up version to 0.3rc3
	* NEWS: Notes for release 0.3rc3
	* src/racoon/cftoken.l: Add 'null' as an alias for 'null_enc'.
	* src/racoon/proposal.c (cmpsatrns): New parameter proto_id, better
	  diagnostic output when trns_id don't match.
	* src/racoon/proposal.h (cmpsatrns): Update prototype.
	* src/setkey/setkey.c: Change option -h to -H (for hexdump), new
	  options -h (help) and -V (version).
	* src/setkey/setkey.8: Document the above changes.
	* src/racoon/rfc/*: Many standards related to IPsec/IKE/NAT-T/...

2004-03-15  Michal Ludvig

	* src/racoon/configure.in: Prevent compilation error with
	  --enable-yydebug.

--------------------------------------------- 0.3rc2 released

2004-03-11  Michal Ludvig

	* configure.ac: Bump up version to 0.3rc2
	* NEWS: Notes for release 0.3rc2
	* src/racoon/aclocal.m4 (RACOON_CHECK_VA_COPY): New test.
	* src/racoon/configure.in: Call RACOON_CHECK_VA_COPY
	* src/racoon/plog.c (plogv): Replace va_copy() with VA_COPY.
	* src/racoon/racoon.conf.5: Note that NAT-T support is a compile time
	  option.

2004-03-10  Michal Ludvig

	* src/racoon/racoon.conf.5: Document nat_traversal option.
	* src/racoon/racoon.8: Document new options (-L and -P).

2004-03-09  Michal Ludvig

	* src/racoon/grabmyaddr.c (autoconf_myaddrsport): Prepare addrs for
	  UDP-Encap ports if NAT-T is enabled.
	  (dupmyaddr): New function.
	* src/racoon/grabmyaddr.h: Prototype for dupmyaddr().
	* src/racoon/isakmp.c (isakmp_open): Complain if NAT-T is enabled,
	  but no port for UDP-Encap was open.
	* src/racoon/isakmp_var.h (PORT_ISAKMP_NATT): New define.
	* src/racoon/localconf.c, src/racoon/localconf.h: Define and setup
	  lcconf->port_isakmp_natt.
	* src/racoon/main.c (main): Print nicer banner,
	  (usage): Document new options (-L and -P).
	  (parse): Recognise the above.
	* src/racoon/nattraversal.c (natt_fill_options): Don't use hardcoded
	  constants for float_port.
	  (natt_enabled_in_rmconf, natt_enabled_in_rmconf_stub): New functions.
	* src/racoon/nattraversal.h: Prototype for natt_enabled_in_rmconf().
	* src/racoon/plog.c: Don't print source:line:function by default.
	* src/racoon/remoteconf.c (foreachrmconf): New helper function.
	* src/racoon/remoteconf.h: Prototype for the above.
	* package_version.h: Define strings for use in banners.
	* configure.ac: Fill up the above header.

2004-03-09  Michal Ludvig

	* src/racoon/configure.in: Don't put -O into OPTFLAGS, add new option
	  --disable-natt.
	* src/racoon/cfparse.y, src/racoon/handler.c, src/racoon/ipsec_doi.c,
	  src/racoon/isakmp.c, src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
	  src/racoon/isakmp_ident.c, src/racoon/pfkey.c, src/racoon/proposal.c,
	  src/racoon/session.c: Replace WITH_NATT with ENABLE_NATT.
	* src/racoon/crypto_openssl.c: Replace %d with %zd for size_t arguments.

2004-03-06  Aidas Kasparas

	* configure.ac: Refuse to continue if lexer library (yywrap() function)
	  is missing. Should prevent bugs like #892067, #908758
	* src/racoon/configure.in: renamed --with-ssleay to --with-openssl.
	  Users should not be given the false idea that they require both
	  OpenSSL and SSLeay to compile racoon. (See bug #902197)

--------------------------------------------- 0.3rc1 released

2004-03-04  Michal Ludvig

	* configure.ac: Bump up version to 0.3rc1
	* NEWS: Mention release 0.3rc1 (and copy 0.2.3 and 0.2.4 notes from
	  0.2 branch).
	* src/racoon/samples/racoon.conf.sample-natt: New sample config file.
	* src/racoon/Makefile.in: Tweak file lists to make 'distcheck' happy,
	  enabled NATT by default (will become a config option later).

2004-03-04  Michal Ludvig

	Merge with 'nat-t_branch' to bring NAT-T (NAT traversal) support
	to racoon.
	* src/racoon/Makefile.in, src/racoon/cfparse.y, src/racoon/cftoken.l,
	  src/racoon/grabmyaddr.c, src/racoon/grabmyaddr.h, src/racoon/handler.c,
	  src/racoon/handler.h, src/racoon/ipsec_doi.c, src/racoon/ipsec_doi.h,
	  src/racoon/isakmp.c, src/racoon/isakmp.h, src/racoon/isakmp_agg.c,
	  src/racoon/isakmp_base.c, src/racoon/isakmp_ident.c,
	  src/racoon/isakmp_quick.c, src/racoon/localconf.c,
	  src/racoon/localconf.h, src/racoon/pfkey.c, src/racoon/proposal.c,
	  src/racoon/proposal.h, src/racoon/racoon.conf.5,
	  src/racoon/remoteconf.c, src/racoon/remoteconf.h, src/racoon/session.c,
	  src/racoon/strnames.c, src/racoon/vendorid.h, src/libipsec/pfkey.c,
	  src/racoon/nattraversal.c, src/racoon/nattraversal.h,
	  src/racoon/sockmisc.c: Affected files.

2004-02-27  Michal Ludvig

	* src/racoon/isakmp.c (set_isakmp_header1): Renamed from
	  set_isakmp_header().
	  (set_isakmp_header): New function common for set_isakmp_header1()
	  and set_isakmp_header2().
	  (copy_ph1addresses): Obey original port.
	  (isakmp_plist_append, isakmp_plist_set_all): New helper functions.
	* src/racoon/isakmp_var.h: Prototypes for the above.
	* src/racoon/isakmp.h (struct payload_list): New structure.
	* src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
	  src/racoon/isakmp_ident.c: Use isakmp_plist_* functions.

2004-02-03  Michal Ludvig

	* src/racoon/Makefile.in: Fix install to $(sbindir)
	* src/setkey/parse.y: Avoid GCC 3.3 warning (type-punned pointer).

2004-01-19  Michal Ludvig

	* rpm/ipsec-tools.FC1: Startup script for Fedora Core 1 (thanks to
	  Kimmo Koivisto)

2004-01-17  Aidas Kasparas

	* src/racoon/isakmp_inf.c: endian mismatch fix. From iij seil team

2004-01-15  Michal Ludvig

	* src/racoon/isakmp_inf.c: Prevent unauthorized deletion of SA
	  (reported on bugtraq, fixed by iij seil team).
	* src/racoon/isakmp.c: Don't try to bind to IPv6 multicast addresses.

2004-01-14  Michal Ludvig

	* src/racoon/plog.c: Fix segfault on AMD64 (va_list can be used only
	  once).
	* configure.ac: Don't build shared libipsec by default (can be enabled
	  by --enable-shared).
	* bootstrap: Don't run automake for racoon.

2004-01-12  Michal Ludvig

	* src/racoon/configure.in: Fix AC_DEFINEs to make autoheader happy,
	  use config.h for defines instead of -DHAVE_* gcc options, fix
	  CRYPTOBJS to include missing rijndael libraries only once, checking
	  for AES support in OpenSSL now (hopefully) finally works on both
	  OpenSSL 0.9.6 and 0.9.7.
	* src/racoon/*.[cyl]: Include autogenerated "config.h"
	* src/racoon/missing/crypto/*/*.c: Ditto.
	* src/racoon/.cvsignore: Add config.h, config.h.in

2004-01-09  Michal Ludvig

	* src/racoon/.cvsignore: Add "autom4te.cache" and "configure".

2004-01-09  Aidas Kasparas

	Sync with KAME 2004-01-07
	* src/libipsec/pfkey.c: memory leak fix; comment typo fixes
	* src/libipsec/{pfkey.c,pfkey_dump.c}: allow compilation even if no
	  SADB_X_EXT_TAG is defined
	* src/libipsec/pfkey_dump.c: information about algorithms ripemd160,
	  aes-xcbc, aes-ctr; bigger buffers; support
	* src/libipsec/policy_parse.y: memory leak
	* src/libipsec/policy_token.l: memory leak
	* src/libipsec/test-policy.c: unneeded \n removed
	* src/racoon/Makefile.in: $(sbindir) support
	* src/racoon/admin.c: interface changes due to proxy support
	* src/racoon/algorithm.c: SHA2 #ifdefs
	* src/racoon/{cfparse.y,cftoken.l}: license text added
	* src/racoon/cfparse.y: mip6 obsoleted by proxy support
	* src/racoon/cfparse.y: from directive support; new algorithms
	* src/racoon/cftoken.l: support for globbing of include files
	* src/racoon/configure.in: more verbose information about problems
	  with SHA2
	* src/racoon/crypto_openssl.c: use new DES API if supported; algorithm
	  key size fixes
	* src/racoon/eaytest.c: SHA2 #ifdefs; keysize len check
	* src/racoon/ipsec_doi.c: use VPTRINIT; ESP parameter validity checks;
	  style change
	* src/racoon/isakmp.c: use VPTRINIT; interface changes due to
	  mip6->proxy; typo
	* src/racoon/isakmp_inf.c: use VPTRINIT
	* src/racoon/isakmp_quick.c: mip6->proxy
	* src/racoon/kmpstat.c: not used variables removed
	* src/racoon/pfkey.c: mip6->proxy; schedule leak
	* src/racoon/proposal.c: style
	* src/racoon/remoteconf.c: mip6->proxy
	* src/racoon/sainfo.c: from directive support
	* src/racoon/sockmisc.c: side correction; addrinfo leak
	* src/racoon/strnames.c: typo in descriptions; wrong upper bound check
	* src/racoon/missing/crypto/sha2/sha2.c: wrong size
	* src/setkey/parse.y: extra algorithms; tagged; not needed periods
	  removed; memory shortage checks
	* src/setkey/setkey.8: typos; tagged; new algorithms
	* src/setkey/setkey.c: standard argument names for main(); hexdump
	  support; info in file support
	* src/setkey/token.l: new algorithms; memory shortage checks
	Parts not taken from KAME:
	* kernelfs stuff;
	* sysctl stuff

2004-01-08  Michal Ludvig

	* src/racoon/config.{sub,guess}: Update from automake 1.7.

2004-01-08  Michal Ludvig

	Patch from Kostadin Karaivanov:
	* src/racoon/configure.in: Check for openssl/aes.h.
	* src/racoon/crypto_openssl.c: Use OpenSSL AES functions if available.

2004-01-08  Michal Ludvig

	* src/racoon/configure: Remove, should be regenerated by bootstrap.

2004-01-02  Michal Ludvig

	* src/racoon/crypto_openssl.c: Update to work with OpenSSL 0.9.7
	  (by Brian Buesker and Christophe Saout)
	* src/racoon/proposal.c: Be more verbose. (Michal Ludvig)
	* src/libipsec/ipsec_dump_policy.c: Dump FWD policies correctly
	  (by Michal Ludvig).
	* src/setkey/token.l, src/setkey/parse.y: Add support for lifetime
	  specified in bytes (by Michal Ludvig).
	* src/setkey/setkey.8: Document -bh/-bs options for the above feature.
	* src/libipsec/pfkey.c: Don't include 'sadb_key' in SADB_UPDATE message
	  for IPcomp SA. (by Brian Buesker)
	* src/racoon/cfparse.y: Flush SA on SIGHUP (by Brian Buesker)
	* src/racoon/pfkey.c: IPcomp fixes (by Brian Buesker)
	* src/racoon/proposal.c: Fix typo lifebyte -> lifetime.
	* src/racoon/grabmyaddr.c: Prevent segfault if getifaddrs() returns an
	  entry with NULL ifa_addr (Michal Ludvig).
	* configure.ac: Change path to kernel headers from
	  /usr/src/devel-2.5/devel to /usr/src/linux
	* bootstrap: Use default tools, reconfigure src/racoon
	* src/racoon/configure.in: Change LIBOBJS -> AC_LIBOBJ, changed
	  comments from 'dnl' to '#'.

2003-06-20  Derek Atkins

	* src/racoon/aclocal.m4:
	* src/racoon/configure: Don't execute "for i in $3" if "$3" doesn't
	  exist. Fixes bug #721296.

2003-03-31  Derek Atkins

	* src/setkey/parse.y: change the NAT-T Type to use UDP_ENCAP_ESPINUDP
	  (which is value '2')

2003-03-27  Derek Atkins

	* src/libipsec/key_debug.c: use ntohs() before printing port
	* src/libipsec/pfkey.c: convert port# to network byte order
	* src/libipsec/pfkey_dump.c: use ntohs() before printing ports
	* src/setkey/parse.y: convert port#'s to network byte order

2003-03-24  Derek Atkins

	* src/libipsec/pfkey.c: Don't switch off NAT-T extensions if they
	  don't exist in the kernel.
	* src/racoon/sockmisc.c: use '34' for IPV6_IPSEC_POLICY, as per
	  Tom Lendacky. Also move the setting of IPV6_IPSEC_POLICY to the
	  top of the file.

2003-03-13  Derek Atkins

	Add initial support for NAT-T PFKey Extensions:
	* src/libipsec/key_debug.c: add support to print information about
	  NAT-T extension packets.
	* src/libipsec/libpfkey.h: add two new APIs to support NAT-T for add
	  and update as part of the SADB.
	* src/libipsec/pfkey.c:
	  - Implement extended APIs to support NAT-T for add and update of
	    the SADB.
	  - Add APIs to fill a buffer with NAT-T packet types
	* src/libipsec/pfkey_dump.c: Extend the SADB output to include PFKey
	  packets. Put port numbers with the source and dest addresses, add an
	  'esp-udp' SA-type, and add a printout for the NAT-OA.
	* src/setkey/parse.y:
	  - Extend setkey to create an ESP-UDP SA.
	  - default UDP port is 4500
	  - extend 'add' to allow [] for source and dest (the portnum
	    specification requires the [] characters)
	  - add an ESPUDP "protocol" from the lexer. This will use ESP and
	    allow an optional Original Address setting.
	  - add a function to get a udp port from a struct sockaddr *
	  - pass the NAT-T extensions into PFKey
	* src/setkey/token.l: add "esp-udp" token
	* rpm/ipsec-tools.spec.in: Bill Nottingham's SPEC-file patch: This
	  switches it to use %{_lib} (for /lib64 systems such as x86-64 and
	  s390x), and has it own the /etc/racoon directory in the package
	  as well.

--------------------------------------------- 0.2.2 released

2003-03-13  Derek Atkins

	* configure.am, NEWS: Update for 0.2.2 release
	* Makefile.am: distribute depcomp

2003-03-10  Derek Atkins

	* src/racoon/Makefile.in: add @LEXLIB@ to the LIBS line to make sure
	  we link against the lexer library when necessary.

2003-03-07  Derek Atkins

	* configure.am:
	* Makefile.am:
	* rpm/Makefile.am:
	* rpm/ipsec-tools.spec.in: Added RPM SPEC to CVS

--------------------------------------------- 0.2.1 released

2003-03-07  Derek Atkins

	* src/racoon/configure.in: change "CFLAGS" to "CPPFLAGS" for ssl
	  include directory, to make sure the other tests work properly.

2003-03-06  Derek Atkins

	* src/racoon/kmpstat.c: fix gcc-3.2.2 compiler warning
	* src/racoon/configure.in: look for krb5-config and don't use it if
	  it's not found. Fixes a configure-time warning.

-------------------------------------------- 0.2 Released