1 2011-03-17 Yvan Vanhullebus <vanhu (a] netasq.com> 2 3 * src/racoon/oakley.c: fixed a memory leak in 4 oakley_append_rmconf_cr() while generating plist. patch by Roman 5 Hoog Antink <rha (a] open.ch> 6 7 * src/racoon/oakley.c: free name later, to avoid a memory use after 8 free in oakley_check_certid(). also give iph1->remote to some plog() 9 calls. patch by Roman Hoog Antink <rha (a] open.ch> 10 11 * src/racoon/oakley.c: fixed a memory leak in 12 oakley_check_certid(). patch by Roman Hoog Antink <rha (a] open.ch> 13 14 2011-03-15 Yvan Vanhullebus <vanhu (a] netasq.com> 15 16 * src/racoon/: isakmp.c, isakmp_inf.c, pfkey.c: directly call 17 isakmp_ph1delete() instead of scheduling isakmp_ph1delete_stub(), as 18 it is useless an can lead to memory access after free 19 20 2011-03-14 Timo Teras <timo.teras (a] iki.fi> 21 22 * src/racoon/: grabmyaddr.c, handler.c, isakmp.c, isakmp_inf.c, 23 isakmp_quick.c, nattraversal.c, pfkey.c, policy.c, sockmisc.c, 24 sockmisc.h, throttle.c: Explicitly compare return value of 25 cmpsaddr() against a return value define to make it more obvious 26 what is the intended action. One more return value is also added, to 27 fix comparison of security policy descriptors. Namely, getsp() 28 should not allow wildcard matching (as the comment says, it does 29 exact matching) - otherwise we get problems when kernel has generic 30 policy with no ports, and a second similar policy with ports. 31 32 2011-03-14 Yvan Vanhullebus <vanhu (a] netasq.com> 33 34 * src/racoon/: cfparse.y, isakmp_xauth.c, isakmp_xauth.h, 35 remoteconf.c, remoteconf.h, rsalist.c, rsalist.h: avoid some 36 memory leaks / free memory access when reloading conf and have 37 inherited config. patch from Roman Hoog Antink <rha (a] open.ch> 38 39 * src/racoon/handler.c: removed an useless comment 40 41 * src/racoon/handler.c: check if we got RMCONF_ERR_MULTIPLE from 42 getrmconf_by_ph1() in revalidate_ph1tree_rmconf() 43 44 2011-03-11 Yvan Vanhullebus <vanhu (a] netasq.com> 45 46 * src/racoon/: handler.c, isakmp.c: directly delete a ph1 in 47 remove_ph1-) instead of scheduling it, to avoid (completely ?) a 48 race condition when reloading configuration 49 50 2011-03-06 Timo Teras <timo.teras (a] iki.fi> 51 52 * src/racoon/privsep.c: Quiet a gcc warning when strict-aliasing 53 checks are enabled. Reported by Stephen Clark. 54 55 2011-03-02 Yvan Vanhullebus <vanhu (a] netasq.com> 56 57 * src/racoon/session.c: flush sainfo list when closing session. 58 patch by Roman Hoog Antink <rha (a] open.ch> 59 60 * src/racoon/: remoteconf.c, rsalist.c, rsalist.h: free rsa 61 structures when deleting a struct rmconf. patch by Roman Hoog Antink 62 <rha (a] open.ch> 63 64 * src/racoon/: cfparse.y, remoteconf.c, remoteconf.h: free spspec 65 when deleting a rmconf struct. patch by Roman Hoog Antink 66 <rha (a] open.ch> 67 68 * src/racoon/: remoteconf.c, session.c: fixed some memory leaks in 69 remoteconf. patch by Roman Hoog Antink <rha (a] open.ch> 70 71 * src/racoon/: cfparse.y, prsa_par.y: fixed some memory leaks 72 during configuration parsing. patch by Roman Hoog Antink 73 <rha (a] open.ch> 74 75 2011-03-01 Yvan Vanhullebus <vanhu (a] netasq.com> 76 77 * src/racoon/: isakmp.c, pfkey.c: plog text fixes, patch from M E 78 Andersson <debian (a] gisladisker.se> 79 80 * src/racoon/cfparse.y: reset yyerrorcount before doing parse 81 stuff. patch by Roman Hoog Antink <rha (a] open.ch> 82 83 2011-02-20 Timo Teras <timo.teras (a] iki.fi> 84 85 * src/racoon/oakley.c: From Roman Hoog Antink <rha (a] open.ch>: Fix 86 memory leak when using plain RSA key authentication. 87 88 2011-02-11 Timo Teras <timo.teras (a] iki.fi> 89 90 * src/racoon/plainrsa-gen.c: From Mats E Andersson 91 <debian (a] gisladisker.se>: Fix fprintf format specifier usage from 92 previous patch. 93 94 2011-02-10 Timo Teras <timo.teras (a] iki.fi> 95 96 * src/racoon/plainrsa-gen.c: From Mats Erik Andersson 97 <debian (a] gisladisker.se>: Implement importing of RSA keys from PEM 98 files. 99 100 * src/racoon/prsa_par.y: From M E Andersson 101 <debian (a] gisladisker.se>: Fix parsing of restricted RSA key 102 addresses. 103 104 2011-02-02 Yvan Vanhullebus <vanhu (a] netasq.com> 105 106 * src/racoon/: cftoken.l, isakmp.c, remoteconf.h, sainfo.c, 107 sainfo.h: store ph1id in an u_int32_t instead of a (signed)int. 108 Patch from Christophe Carre 109 110 2011-01-28 Timo Teras <timo.teras (a] iki.fi> 111 112 * src/racoon/: sainfo.c, sainfo.h, session.c: From Roman Hoog 113 Antink <rha (a] open.ch>: Clean up sainfo reloading: rename the 114 functions, and remove unneeded global variable. 115 116 * src/racoon/: remoteconf.c, remoteconf.h, session.c: From Roman 117 Hoog Antink <rha (a] open.ch>: Clean up rmconf reloading: rename the 118 functions, and remove unneeded global variable. 119 120 * src/racoon/plog.c: From Roman Hoog Antink <rha (a] open.ch>: Log 121 remote IP address if available (slightly modified by tteras) 122 123 2011-01-22 Timo Teras <timo.teras (a] iki.fi> 124 125 * src/racoon/isakmp_inf.c: From Roman Hoog Antink <rha (a] open.ch>: 126 Fixes a null pointer dereference that might occur after removing 127 peers from the config and then reloading. 128 129 2011-01-20 Yvan Vanhullebus <vanhu (a] netasq.com> 130 131 * src/libipsec/pfkey.c: fixed a typo, it will now compile when 132 KMADDRESS is defined. reported by Roman Hoog Antink (rha (at) 133 open.ch) 134 135 2010-12-28 Timo Teras <timo.teras (a] iki.fi> 136 137 * src/racoon/handler.c: From Roman Hoog Antink <rha (a] open.ch>: Fix 138 config reload to not delete too many phase 2 handles, because wrong 139 chain field is used when enumerating the handles. 140 141 2010-12-16 gdt 142 143 * src/racoon/oakley.c: When encountering a certificate where "ID 144 mismatched with ASN1 SubjectName", and verify_identifier is off, 145 don't raise an error. This makes the behavior match the man page. 146 147 Patch sent for review long ago: 148 http://mail-index.netbsd.org/tech-security/2006/03/24/0000.html 149 with no negative feedback received to date. 150 151 2010-12-14 Timo Teras <timo.teras (a] iki.fi> 152 153 * src/racoon/ipsec_doi.c: From Roman Hoog Antink <rha (a] open.ch>: Fix 154 possible null derefence. 155 156 2010-12-08 Timo Teras <timo.teras (a] iki.fi> 157 158 * src/racoon/admin.c: Use separate SA addresses for phase2's 159 created by admin command. The phase2 startup overwrites src/dst with 160 ISAKMP ports if they are zero and we don't want that to happen for 161 the SA ports. 162 163 2010-12-08 joerg 164 165 * src/libipsec/pfkey.c: ANSIfy 166 167 2010-12-07 Timo Teras <timo.teras (a] iki.fi> 168 169 * src/racoon/isakmp_quick.c: Fix spacing and improve wording in 170 some log messages. 171 172 2010-12-03 Timo Teras <timo.teras (a] iki.fi> 173 174 * src/libipsec/ipsec_dump_policy.c: Recognize direction for Linux 175 per-socket policies. 176 177 * src/: libipsec/libpfkey.h, libipsec/pfkey_dump.c, setkey/parse.y, 178 setkey/setkey.8: Support GRE key as upper layer protocol 179 specifier (will be supported in Linux kernel 2.6.38). 180 181 * src/racoon/grabmyaddr.c: Netlink deletion notification does not 182 guarentee actual address deletion: it might still exist on some 183 other interface. Make sure we do not unbind unless the address is 184 really gone. 185 186 2010-11-17 Timo Teras <timo.teras (a] iki.fi> 187 188 * src/racoon/: handler.c, handler.h, isakmp.c, isakmp_inf.c: Fix my 189 previous patch to not call purge_remote() twice. Change the place 190 where purge_remote() is called. This fixes also a possible crash 191 from the same patch since ph1->remote can be NULL (when we are 192 responder and config is not yet selected). 193 194 2010-11-12 Timo Teras <timo.teras (a] iki.fi> 195 196 * src/racoon/: admin.c, isakmp.c, isakmp_var.h, pfkey.c: 197 isakmp_post_acquire is now called from admin commands too, add a 198 flag so admin commands can be used to establish even passive links 199 on demand. 200 201 * src/racoon/isakmp.c: Purge all IPsec-SA's if the last main 202 ISAKMP-SA for the node is deleted by remote request and the phase1 203 rekeying is enabled (this will also trigger the new phase1_dead 204 script hook). 205 206 * src/racoon/: handler.h, isakmp_inf.c: Improve DPD sequence checks 207 to allow any reply within valid sequence window to be proof of 208 livelyness. This can improves things if there's random packet 209 delays, or if racoon is not getting enough CPU time. 210 211 * src/racoon/: admin.c, admin.h, kmpstat.c, racoonctl.c: Extern 212 admin protocol to allow reply packets to exceed 64kb. E.g SA dumps 213 with many established SAs can be easily over the limit. 214 215 2010-10-22 Timo Teras <timo.teras (a] iki.fi> 216 217 * src/racoon/grabmyaddr.c: Change Linux Netlink address monitoring 218 to monitor local route changes. This works around a kernel bug, and 219 slightly improves behaviour on some special cases. 220 221 2010-10-21 Timo Teras <timo.teras (a] iki.fi> 222 223 * src/racoon/: admin.c, evt.c, grabmyaddr.c, isakmp.c, pfkey.c, 224 session.c, session.h: Introduce priorities for file descriptor 225 polling mechanism and give priority to admin port. If admin port is 226 used by ISAKMP-SA hook scripts they should be preferred, other wise 227 heavy traffic can delay admin port requests considerably. This in 228 turn may cause renegotiation loop for ISAKMP-SA. This is mostly 229 useful for OpenNHRP setup, but can benefit other setups too. 230 231 * src/racoon/: admin.c, handler.c, handler.h: Remove 232 initial-contact entry when all ISAKMP-SA are purged via adminport. 233 This will avoid stale security associations if some of the delete 234 notifications happens to get lost. 235 236 2010-10-20 Timo Teras <timo.teras (a] iki.fi> 237 238 * src/racoon/crypto_openssl.c: Use high-level openssl EVP and HMAC 239 functions when possible: this allows openssl to perform hardware 240 acceleration if available. 241 242 * src/racoon/: isakmp.c, isakmp_quick.c: Various improvements to 243 error log messages and a few additional error log messages to 244 improve diagnosing an error condition. 245 246 * src/racoon/grabmyaddr.c: Fix address comparison so we actually 247 close sockets which were bound to IP-address that got deconfigured. 248 249 2010-10-11 Yvan Vanhullebus <vanhu (a] netasq.com> 250 251 * src/racoon/ipsec_doi.c: report a higher encryption key length in 252 approval for OBEY / CLAIM / STRICT modes 253 254 2010-09-27 Yvan Vanhullebus <vanhu (a] netasq.com> 255 256 * src/racoon/isakmp_xauth.c: fixed some typos in logs (reported by 257 fazaeli (at) sepehrs.com) 258 259 2010-09-24 Yvan Vanhullebus <vanhu (a] netasq.com> 260 261 * src/racoon/cftoken.l: fixed a fd leak, patch by getlaser (at) 262 gmail.com 263 264 2010-09-22 Yvan Vanhullebus <vanhu (a] netasq.com> 265 266 * src/racoon/admin.c: get the correct length of username when 267 processing ADMIN_LOGOUT_USER, patch by rweikusat (at) mssgmbh.com 268 269 * src/racoon/nattraversal.h: fixed a typo in macros, reported by 270 marisp (at) mt.lv 271 272 2010-09-21 Yvan Vanhullebus <vanhu (a] netasq.com> 273 274 * src/racoon/isakmp_cfg.c: moved from utmp.h to utmpx.h (patch 275 provided by marcin.cieslak (at) gmail.com) 276 277 2010-09-08 Yvan Vanhullebus <vanhu (a] netasq.com> 278 279 * src/racoon/remoteconf.c: fixed remoteconf selection when no ID 280 specified in configuration, and added some debug to remoteconf 281 selection 282 283 2010-08-26 Yvan Vanhullebus <vanhu (a] netasq.com> 284 285 * src/racoon/remoteconf.c: fix by Sergio.Gelato (at) astro.su.se: 286 duplicate some dynamic values in duprmconf() 287 288 2010-08-04 Yvan Vanhullebus <vanhu (a] netasq.com> 289 290 * src/racoon/isakmp_cfg.c: fixed answer for IP4_SUBNET request 291 292 2010-07-30 Yvan Vanhullebus <vanhu (a] netasq.com> 293 294 * src/racoon/doc/FAQ: updated link to NetBSD's documentation 295 296 2010-06-22 Thomas Klausner <wiz (a] netbsd.org> 297 298 * src/racoon/racoon.conf.5: Bump date for previous. 299 300 2010-06-22 Yvan Vanhullebus <vanhu (a] netasq.com> 301 302 * src/racoon/: cfparse.y, cftoken.l, isakmp.c, isakmp_inf.c, 303 racoon.conf.5, remoteconf.c, remoteconf.h: added a specific 304 script hook when a dead peer is detected 305 306 2010-06-04 Thomas Klausner <wiz (a] netbsd.org> 307 308 * src/setkey/setkey.8: New sentence, new line. Bump date for 309 previous. 310 311 2010-06-04 Yvan Vanhullebus <vanhu (a] netasq.com> 312 313 * src/setkey/: parse.y, setkey.8, token.l: Added support for 314 spdupdate command in setkey 315 316 2010-04-07 Yvan Vanhullebus <vanhu (a] netasq.com> 317 318 * src/libipsec/ipsec_strerror.c: by Eric Preston: fixed a typo 319 320 2010-04-02 Christos Zoulas <christos (a] netbsd.org> 321 322 * src/: libipsec/pfkey_dump.c, racoon/backupsa.c: handle ctime 323 returning NULL. 324 325 2010-03-11 Christos Zoulas <christos (a] netbsd.org> 326 327 * src/racoon/handler.c: PR/42363: Yasuoka Masahiko: Second part of 328 the patch: iterate only on the phase2 handles that are bound by the 329 given phase1 handle. 330 331 2010-03-05 Timo Teras <timo.teras (a] iki.fi> 332 333 * src/: libipsec/ipsec_set_policy.3, racoon/privsep.c, 334 racoon/doc/FAQ, setkey/setkey.8: From Stefan Bauer: Fix multiple 335 typoes and manpage formatting errors. 336 337 2010-03-04 Yvan Vanhullebus <vanhu (a] netasq.com> 338 339 * src/racoon/session.c: From Pierre POMES: fixed admin port 340 initialization 341 342 2010-02-28 snj 343 344 * src/racoon/: sockmisc.c, sockmisc.h: Fight the ever-increasing 345 size of src checkouts by spelling "useful" without an extra l. 346 347 2010-02-09 Thomas Klausner <wiz (a] netbsd.org> 348 349 * src/racoon/: pfkey.c, proposal.h: Fix typo in comment. 350 351 2010-01-17 Thomas Klausner <wiz (a] netbsd.org> 352 353 * src/racoon/sainfo.c: Free strdeupped string after using it. Found 354 by cppcheck. 355 356 * src/racoon/: eaytest.c, ipsec_doi.c: Close file handles after 357 using them. Found by cppcheck. 358 359 2010-01-15 joerg 360 361 * src/setkey/setkey.8: Use .%U instead of .%O for URLs. 362 363 2009-12-11 Timo Teras <timo.teras (a] iki.fi> 364 365 * src/racoon/Makefile.am: From Paul Wernau: vmbuf.h was defined 366 twice in the headers. Remove the redundant entry so new install tool 367 does not complain about overwriting just installed file. 368 369 2009-11-22 Christos Zoulas <christos (a] netbsd.org> 370 371 * src/racoon/handler.c: PR/42363: Yasuoka Masahiko: 372 373 racoon uses a wrong IPsec-SA handle that is for other peer in case 374 it receives a ISAKMP message for IPsec-SA that has the same 375 message-id as the message-id that is received before. 376 377 racoon uses message-id to find the handle of IPsec-SA. The 378 message-id is a unique number for each peer, but different peers may 379 use the same value. 380 381 Different Windows Vista or Windows 7 peers seem to use the same 382 message-id. racoon can handle the first Windows's Phase-2, but it 383 cannot handle the second Windows. Because racoon misunderstands the 384 message for the second Windows as the message for the first Windows. 385 386 >Category: bin >Synopsis: racoon uses a wrong IPsec-SA 387 that is for different peer >Confidential: no >Severity: 388 serious >Priority: medium >Responsible: bin-bug-people 389 >State: open >Class: sw-bug >Submitter-Id: net 390 >Arrival-Date: Sun Nov 22 18:25:00 +0000 2009 >Originator: 391 yasuoka (a] iij.ad.jp 392 393 2009-10-29 Christos Zoulas <christos (a] netbsd.org> 394 395 * src/setkey/token.l: use %option noinput nounput 396 397 2009-10-28 Christos Zoulas <christos (a] netbsd.org> 398 399 * src/setkey/token.l: no unput 400 401 2009-10-14 joerg 402 403 * src/libipsec/ipsec_set_policy.3: Do not use .Xo/.Xc to workaround 404 ancient groff limits. 405 406 * src/setkey/setkey.8: Do not use .Xo/.Xc to work around ancient 407 groff limits. Fix markup. 408 409 * src/racoon/racoon.conf.5: Don't use .Xo/.Xc to work around 410 ancient groff limits. Set only one list type. 411 412 2009-09-18 Timo Teras <timo.teras (a] iki.fi> 413 414 * src/racoon/: isakmp_agg.c, isakmp_ident.c: From Tomas Mraz: Fix 415 gssapi error checking. 416 417 2009-09-03 Timo Teras <timo.teras (a] iki.fi> 418 419 * src/racoon/: admin.c, handler.c, handler.h, isakmp.c, 420 isakmp_var.h, pfkey.c: When rekeying phase2 use phase1 used to 421 negotiate phase2 as a hint to select the phase1 for rekeying the new 422 phase2. 423 424 2009-09-01 Timo Teras <timo.teras (a] iki.fi> 425 426 * src/racoon/: nattraversal.c, racoon.conf.5, vendorid.c: Check 427 nat_traversal configuration from remote configuration candidates 428 when acting as responder. Enable NAT-T if any of the remote 429 candidates have NAT-T enabled. 430 431 * src/racoon/remoteconf.c: Change remote conf matching level to 432 matching score. This way one can override anonymous certificate 433 block config with more exact "inhereted" IP specific block. 434 435 * src/racoon/: isakmp.c, racoon.conf.5: From Maik Broemme: export 436 ISAKMP SA identity as REMOTE_ID for phase1 up script (trac #313). 437 438 2009-08-24 Yvan Vanhullebus <vanhu (a] netasq.com> 439 440 * src/racoon/oakley.c: fixed typo: algoriym -> algorithm 441 442 2009-08-19 Yvan Vanhullebus <vanhu (a] netasq.com> 443 444 * src/racoon/remoteconf.c: fixed address check in 445 rmconf_match_type(), just check address with wildcard port 446 447 2009-08-19 Timo Teras <timo.teras (a] iki.fi> 448 449 * src/racoon/remoteconf.c: Have an enum for rmconf_match_type() 450 return values to make the code a bit more readable. 451 452 2009-08-18 Yvan Vanhullebus <vanhu (a] netasq.com> 453 454 * src/racoon/oakley.c: typo: algoritym -> algorithm 455 456 2009-08-17 Yvan Vanhullebus <vanhu (a] netasq.com> 457 458 * src/libipsec/libpfkey.h: do not use SADB_X_NAT_T_NEW_MAPPING to 459 check system support for NAT-T, as at least FreeBSD doesn't have 460 this define anymore 461 462 * src/racoon/schedule.h: include stddef.h so we have a chance to 463 get the system offsetof if present 464 465 * src/racoon/crypto_openssl.h: removed a self include 466 467 2009-08-13 Yvan Vanhullebus <vanhu (a] netasq.com> 468 469 * src/racoon/oakley.c: fixed a potential DoS in 470 oakley_do_decrypt(), reported by Orange Labs 471 472 2009-08-10 Timo Teras <timo.teras (a] iki.fi> 473 474 * src/racoon/pfkey.c: Don't print EAGAIN error from 475 pfkey_handler(), it can occur normally under some code paths and is 476 not a hard error in any case. 477 478 2009-08-06 Timo Teras <timo.teras (a] iki.fi> 479 480 * src/setkey/setkey.c: From Paul Wenau: Check fgets return value in 481 setkey to make gcc happy. 482 483 2009-08-05 Timo Teras <timo.teras (a] iki.fi> 484 485 * src/racoon/pfkey.c: From Paul Wernau: Fix transport mode per-port 486 security associations that got broke during NAT-T fixes. 487 488 2009-07-07 Timo Teras <timo.teras (a] iki.fi> 489 490 * src/racoon/sockmisc.c: From Arnaud Ebalard: Fix possible usage of 491 uninitialized local variable (not sure if any code path triggers 492 this, but this makes compiler happy). 493 494 2009-07-03 Timo Teras <timo.teras (a] iki.fi> 495 496 * src/racoon/: admin.c, grabmyaddr.c, handler.c, handler.h, 497 isakmp.c, isakmp_cfg.c, isakmp_inf.c, isakmp_quick.c, 498 nattraversal.c, pfkey.c, policy.c, remoteconf.c, remoteconf.h, 499 sockmisc.c, sockmisc.h, throttle.c: Get rid of the evil CMPSADDR 500 macro. Trac #295. 501 502 * src/: libipsec/libpfkey.h, libipsec/pfkey.c, racoon/isakmp.c, 503 racoon/isakmp_inf.c, racoon/pfkey.c, racoon/pfkey.h: From Yvan 504 Vanhullebus: Use SADB_X_EXT_NAT_T_* consistently for passing the 505 NAT-T port information. This might break compatibility with some 506 kernels, but as discussed this is the proper way to pass NAT-T ports 507 and the broken kernels need to be fixed. 508 509 2009-06-24 Timo Teras <timo.teras (a] iki.fi> 510 511 * src/racoon/session.c: Fix a call to null pointer: in some cases, 512 the unmonitor_fd can be called from another fd's callback. That 513 could lead to still have callback pending after unmonitoring the fd 514 resulting in a call to null pointer. This is fixed by making 515 unmonitor_fd now clear the pending fd_set too. Bug was introduced 516 by my commit in 2008-12-23. 517 518 2009-05-20 Yvan Vanhullebus <vanhu (a] netasq.com> 519 520 * src/racoon/isakmp.h: typo 521 522 2009-05-19 Timo Teras <timo.teras (a] iki.fi> 523 524 * src/racoon/: ipsec_doi.c, isakmp.c: From Jukka Salmi: Fix couple 525 of typos from previous commit. 526 527 2009-05-18 Timo Teras <timo.teras (a] iki.fi> 528 529 * src/racoon/: ipsec_doi.c, isakmp.c, sockmisc.c, sockmisc.h: From 530 Tomas Mraz: Introduce union sockaddr_any and use it to make code 531 more readable. Related to trac #293. 532 533 * src/racoon/isakmp_inf.c: From Tomas Mraz: Remove variable that is 534 not really used; only referenced while uninitialized causing 535 valgrind error. 536 537 * src/racoon/nattraversal.c: From Tomas Mraz: Fix natt_flags check. 538 539 2009-05-04 Thomas Klausner <wiz (a] netbsd.org> 540 541 * src/racoon/racoon.conf.5: Remove superfluous spaces around 542 parentheses. 543 544 2009-04-29 Timo Teras <timo.teras (a] iki.fi> 545 546 * src/racoon/crypto_openssl.c: From Ross Meng: Fix a memory leak in 547 X509 certificate validation. 548 549 2009-04-28 Timo Teras <timo.teras (a] iki.fi> 550 551 * src/racoon/handler.c: Reset nat_oa variables too when reusing 552 phase two handler. Otherwise phase2 rekeying might fail in some 553 scenarios. 554 555 2009-04-22 Timo Teras <timo.teras (a] iki.fi> 556 557 * src/racoon/isakmp_frag.c: From Neil Kettle: Fix a possible null 558 pointer dereference in fragmentation code. 559 560 2009-04-21 Timo Teras <timo.teras (a] iki.fi> 561 562 * src/racoon/: grabmyaddr.c, grabmyaddr.h, session.c: Fix 563 strict_address to work again. The lists needs to be initialized 564 before configuration is read, which happens before my_addr_init() 565 call. 566 567 2009-04-20 Timo Teras <timo.teras (a] iki.fi> 568 569 * src/racoon/: isakmp.c, isakmp.h, isakmp_var.h: Fix a memory leak 570 in certificate request generation. 571 572 * src/racoon/: isakmp_inf.c, isakmp_xauth.c, plog.c: Orignally from 573 Bin Li: Fix possible memory corruption in binsanitize(). 574 575 * src/racoon/crypto_openssl.c: From Stephen Bevan: Fix a x509 576 signature verification memory leak. 577 578 * src/racoon/: admin.c, racoonctl.c: Originally from Bin Li: Fix a 579 crash with racoonctl logout user. 580 581 * src/racoon/nattraversal.c: Fix a memory leak in nat-t keepalive 582 code. 583 584 * src/racoon/handler.c: From Paul Moore: Phase2 message id's should 585 be unique wrt phase1, not globally. 586 587 2009-03-13 Timo Teras <timo.teras (a] iki.fi> 588 589 * src/racoon/: pfkey.c, remoteconf.h: From Arnaud Ebalard: Fix 590 couple of problems with previous commit. 591 592 2009-03-12 he 593 594 * src/racoon/: isakmp.c, remoteconf.c: When casting to/from a 595 pointer to an integral type (a bad practice, if you ask me), you 596 need to cast via intptr_t for portability. 597 598 2009-03-12 Thomas Klausner <wiz (a] netbsd.org> 599 600 * src/racoon/racoon.conf.5: New sentence, new line. Avoid marking 601 up punctuation. 602 603 * src/racoon/racoonctl.8: Bump date for previous. Sort options to 604 establish-sa. Stop using Xo/Xc. 605 606 2009-03-12 Timo Teras <timo.teras (a] iki.fi> 607 608 * src/racoon/: admin.c, cfparse.y, cftoken.l, crypto_openssl.c, 609 crypto_openssl.h, dnssec.c, dnssec.h, handler.c, handler.h, 610 ipsec_doi.c, ipsec_doi.h, isakmp.c, isakmp.h, isakmp_agg.c, 611 isakmp_base.c, isakmp_ident.c, isakmp_inf.c, isakmp_quick.c, 612 isakmp_var.h, nattraversal.c, oakley.c, oakley.h, racoon.conf.5, 613 racoonctl.8, racoonctl.c, remoteconf.c, remoteconf.h, sockmisc.c, 614 vendorid.c: Support multiple anonymous remotes and decide 615 remoteconf based on identity, received certificates and other 616 information. General code clean up. 617 618 2009-03-06 Timo Teras <timo.teras (a] iki.fi> 619 620 * src/setkey/: extern.h, parse.y, setkey.c: setkey: fix deleteall 621 in Linux 622 623 Linux requires SADB_DELETE message to have SPI. So send a 624 SADB_DELETE message for each matching SA. Trac #284. 625 626 From: Gabriel Somlo <somlo (a] cmu.edu> 627 628 2009-02-16 Timo Teras <timo.teras (a] iki.fi> 629 630 * src/libipsec/policy_parse.y: From Paul Moore: Fix a heap 631 corruption bug (yacc return non-null terminated buffer and sprintf 632 writes over bounds). 633 634 2009-02-11 Yvan Vanhullebus <vanhu (a] netasq.com> 635 636 * src/racoon/: isakmp.c, sockmisc.c, sockmisc.h: trac#301: fixed 637 IPsec SAs flush in purge_remote() when NAT-T enabled but no NAT-T on 638 tunnel 639 640 2009-02-03 Timo Teras <timo.teras (a] iki.fi> 641 642 * src/racoon/isakmp.c: From: Phil Sutter. Fix script environment 643 variables with IPv6 addresses. 644 645 2009-01-26 Timo Teras <timo.teras (a] iki.fi> 646 647 * src/racoon/main.c: Argument parsing needs lcconf initialized. 648 649 2009-01-24 Thomas Klausner <wiz (a] netbsd.org> 650 651 * src/racoon/racoonctl.c: Sort options in usage. 652 653 * src/racoon/racoonctl.8: Sort options. New sentence, new line. 654 655 * src/racoon/racoon.8: Sort options. 656 657 2009-01-23 Timo Teras <timo.teras (a] iki.fi> 658 659 * src/racoon/: racoonctl.8, racoonctl.c: Update usage and manpage 660 for racoonctl. 661 662 * src/racoon/: main.c, racoon.8: Racoon -v to print version and 663 compilation information. Update usage message. 664 665 * NEWS: Update NEWS with major changes since 0.7 release. 666 667 * src/racoon/schedule.c: Fix monotonic scheduler change, to not 668 refresh 'now' before exit. Otherwise we can return negative timeout 669 after spending time handling other events. 670 671 * src/racoon/: handler.c, pfkey.c: From Arnaud Ebalard: Handle 672 reception of MIGRATE message during Phase 1 and Phase 2 negotiation. 673 Also corrects some debugging statements. 674 675 * src/racoon/pfkey.c: From Arnaud Ebalard: On the responder (for 676 instance), there is a need to not only migrate local and remote 677 addresses of Phase 1 that match previous addresses but also the 678 local and remote addresses of a Phase 1 *associated* with a migrated 679 Phase 2. For instance, we have that need when receiving the first 680 MIGRATE/KMADDRESS message because the old addresses are still the 681 HoA and the address of the HA (while the peer has contacted us using 682 the CoA and we have negotiated this address as src attribute in 683 Phase 2). The patch fixes that by having migrate_ph1_ike_addresses() 684 called from migrate_ph2_ike_addresses() callback. 685 686 * src/racoon/isakmp_quick.c: From Arnaud Ebalard: Set phase2 spid 687 when acting as responder. 688 689 * configure.ac, src/racoon/handler.c, src/racoon/handler.h, 690 src/racoon/isakmp_inf.c, src/racoon/isakmp_xauth.c, 691 src/racoon/schedule.c, src/racoon/schedule.h, 692 src/racoon/throttle.c, src/racoon/throttle.h: Detect if monotonic 693 system clock is available, and use it for relative time measurements 694 to avoid complite hang if time jumps backwards. 695 696 * src/racoon/: cfparse.y, ipsec_doi.c, isakmp.c, isakmp_agg.c, 697 isakmp_base.c, isakmp_cfg.c, isakmp_ident.c, isakmp_xauth.c, 698 oakley.c, oakley.h: Fix authentication method ambiguity by 699 internally using unique ID and setting/interpreting the wire format 700 based on received vendor ID:s. Fixes trac #280. 701 702 * src/racoon/: handler.h, isakmp_agg.c, isakmp_base.c, 703 isakmp_ident.c, vendorid.c, vendorid.h: Introduce vendorid 704 bitmask that can be used otherwhere to detect peer capabilities. 705 706 * configure.ac, src/racoon/admin.c, src/racoon/evt.c, 707 src/racoon/grabmyaddr.c, src/racoon/isakmp.c, src/racoon/pfkey.c, 708 src/racoon/session.c, src/racoon/session.h: Remove "fastquit" 709 configure option and make it the default behaviour. The previous 710 normal behaviour is buggy, as after flush kernel can immediately 711 create larval SA:s which would prevent exit. 712 713 2009-01-20 Timo Teras <timo.teras (a] iki.fi> 714 715 * Makefile.am, misc/cvs2cl.pl, misc/cvsusermap: Autogenerate 716 ChangeLog from NetBSD CVS. Put sourceforge.net changes to 717 ChangeLog.old. 718 719 2009-01-10 Thomas Klausner <wiz (a] netbsd.org> 720 721 * src/racoon/racoon.conf.5: Make ready for HTML output. Use proper 722 escape for backslash ('\e'). 723 724 2009-01-10 Timo Teras <timo.teras (a] iki.fi> 725 726 * src/racoon/: crypto_openssl.c, racoon.conf.5: From Cyrus Rahman: 727 Accept RFC2253 compliant escaped special characters for asn1dn 728 identifier. 729 730 2009-01-09 Timo Teras <timo.teras (a] iki.fi> 731 732 * configure.ac: Fix a CPPLAGS typo to CPPFLAGS which was intended 733 734 2009-01-05 Timo Teras <timo.teras (a] iki.fi> 735 736 * src/racoon/: cfparse.y, cftoken.l, racoon.conf.5: Remove obsolete 737 configuration options, fix radius configuration block and add GRE as 738 recognized protocol. 739 740 * src/racoon/session.c: Do not use counting in signal handling as 741 it was unsafe by not using atomic functions (post increment is not 742 necessarily atomic). Instead reap all children on SIGCHLD as that 743 was the only signal needing signal counting. 744 745 2008-12-30 Timo Teras <timo.teras (a] iki.fi> 746 747 * src/racoon/session.c: schedular() call can now modify fd mask so 748 make the working copy just before calling select(); otherwise it can 749 contain bad file descriptors 750 751 2008-12-29 Michael van Elst <mlelstv (a] netbsd.org> 752 753 * src/setkey/parse.y: support icmp codes. Fixes PR 39056. 754 755 2008-12-24 Christos Zoulas <christos (a] netbsd.org> 756 757 * src/racoon/grabmyaddr.c: remove sin{6,}_len linux does not have 758 it. From Timo Teras. 759 760 * src/racoon/grabmyaddr.c: I was wrong. addr is actually set. 761 762 * src/racoon/grabmyaddr.c: 763 - make this compile by zeroing out the whole structure not just 764 bogus fields. 765 - set length field of sockets appropriately. 766 - mark bogus no-op code (I don't understand what the author intended 767 here). 768 769 2008-12-23 Thomas Klausner <wiz (a] netbsd.org> 770 771 * src/racoon/racoon.conf.5: Bump date for identity configuration 772 option removal. 773 774 2008-12-23 Timo Teras <timo.teras (a] iki.fi> 775 776 * src/racoon/: cfparse.y, cftoken.l, ipsec_doi.c, localconf.c, 777 localconf.h, racoon.conf.5: Remove the obsoleted global identity 778 configuration option. 779 780 * src/racoon/: admin.c, admin_var.h, cfparse.y, debug.h, evt.c, 781 evt.h, grabmyaddr.c, grabmyaddr.h, handler.c, isakmp.c, 782 isakmp_inf.c, isakmp_var.h, localconf.c, localconf.h, main.c, 783 nattraversal.c, pfkey.c, pfkey.h, privsep.c, session.c, 784 session.h: rewrite local address detection make some functions 785 static that arr not needed globally rework how fd_set is 786 construction for the main loop select() 787 788 2008-12-18 Timo Teras <timo.teras (a] iki.fi> 789 790 * src/racoon/pfkey.c: From Arnaud Ebalard: Delete larval ph2handles 791 when expire with hard lifetime received 792 793 2008-12-16 Timo Teras <timo.teras (a] iki.fi> 794 795 * README: Update README 796 797 * src/racoon/pfkey.c: Fix transport mode address selection in 798 acquire handling. Some earlier fixes got lost on 2008-12-05 commit. 799 800 2008-12-11 Yvan Vanhullebus <vanhu (a] netasq.com> 801 802 * src/racoon/grabmyaddr.c: Fixed compilation on FreeBSD (RTM_IFINFO 803 and RTM_OIFINFO stuff) 804 805 * src/racoon/isakmp.c: Fixed compilation when DPD support is 806 disabled 807 808 2008-12-08 Timo Teras <timo.teras (a] iki.fi> 809 810 * src/racoon/: pfkey.c, privsep.c, privsep.h: Do not cache pfkey 811 sockets: it might cause to not handle some pfkey events when 812 select() has marked pfkey socket readable, but a timer callback 813 first calls pfkey_dump_sadb(). 814 815 2008-12-05 Timo Teras <timo.teras (a] iki.fi> 816 817 * src/: libipsec/key_debug.c, libipsec/libpfkey.h, 818 libipsec/pfkey.c, racoon/handler.c, racoon/handler.h, 819 racoon/ipsec_doi.c, racoon/isakmp.c, racoon/isakmp_quick.c, 820 racoon/pfkey.c, racoon/policy.c, racoon/policy.h: From Arnaud 821 Ebalard: Improved Mobile IPv6 support per 822 draft-ebalard-mext-pfkey-enhanced-migrate. 823 824 2008-12-04 Christoph Badura <bad (a] netbsd.org> 825 826 * src/racoon/privsep.c: Fix typo in previous and use SIG_IGN as I 827 intended. 828 829 2008-12-02 Timo Teras <timo.teras (a] iki.fi> 830 831 * src/racoon/session.c: Explicitly ignore SIGPIPE. Default action 832 on Linux is terminate. 833 834 2008-11-28 Thomas Klausner <wiz (a] netbsd.org> 835 836 * src/racoon/racoon.conf.5: Remove empty line. Fix typo. New 837 sentence, new line. 838 839 2008-11-27 Yvan Vanhullebus <vanhu (a] netasq.com> 840 841 * src/racoon/main.c: Set up a default value for Mode Config Pool 842 size if pool address specified but pool size not specified 843 844 * src/racoon/isakmp_cfg.c: Fixed pool resizing 845 846 2008-11-27 Timo Teras <timo.teras (a] iki.fi> 847 848 * src/racoon/pfkey.c: From Arnaud Ebalard: Remove MAXNESTEDSA 849 weirdness. It's probably meant for bundle support which is not done. 850 When someone actually writes bundle support, the nested SA stuff 851 would probably be reworked too anyway. 852 853 * src/: libipsec/libpfkey.h, libipsec/pfkey.c, racoon/cfparse.y, 854 racoon/cftoken.l, racoon/localconf.c, racoon/localconf.h, 855 racoon/pfkey.c, racoon/racoon.conf.5: From: Matthew Krenzer 856 Ability to set pfkey socket buffer size via configuration file 857 directive. (Indentation and minor fixes by me.) 858 859 2008-11-25 Christoph Badura <bad (a] netbsd.org> 860 861 * src/racoon/: evt.c, privsep.c, session.c: Avoid using 862 MSG_NOSIGNAL as it is not available everywhere. Ignore SIGPIPE 863 instead. 864 865 * src/racoon/grabmyaddr.c: Ignore unspecified and looback 866 addresses. Ignoring unspecified addresses prevents racoon from 867 trying to bind to the wildcard address and specific addresses 868 simultaneously after e.g. dhclient has changed an interface's 869 address to 0.0.0.0. 870 871 * src/racoon/grabmyaddr.c: RTM_DELETE and RTM_IFINFO don't carry 872 info for added or deleted addresses. Ignore them silently. 873 874 * src/racoon/grabmyaddr.c: Ignoring an unsuitable address is not an 875 error. Therefore log it as informational. Make it clear from the 876 log message that a route message is not interesting. 877 878 * src/racoon/grabmyaddr.c: Use insmyaddr() instead of open coding 879 it. 880 881 * src/racoon/isakmp.c: Do not return erroneously from isakmp_open() 882 when setting IPV6_USE_MIN_MTU fails. 883 884 * src/racoon/: grabmyaddr.c, isakmp.c: Keep myaddr.sock at -1 when 885 no socket is opened. 886 887 2008-11-08 Christoph Badura <bad (a] netbsd.org> 888 889 * src/racoon/samples/roadwarrior/client/: phase1-down.sh, 890 phase1-up.sh: Preserve owner and permissions of original 891 /etc/resolv.conf. Ensure that new /etc/resolv.conf isn't group or 892 world writable. 893 894 * src/racoon/samples/roadwarrior/client/: phase1-down.sh, 895 phase1-up.sh: Print and check INTERNAL_NETMASK4. 896 897 * src/racoon/samples/roadwarrior/client/: phase1-down.sh, 898 phase1-up.sh: Make the handling of NAT-T SPD entries automatic. 899 900 * src/racoon/samples/roadwarrior/client/: phase1-down.sh, 901 phase1-up.sh: Ensure that the determination of the default 902 gateway and the corresponding interface don't get confused by 903 multiple, possibly non-IPv4 default routes. Bring the NetBSD case 904 of deleting the VPN routes and address in line with the Linux case 905 and delete the address after deleting the VPN routes. 906 907 2008-11-06 Yvan Vanhullebus <vanhu (a] netasq.com> 908 909 * src/racoon/sainfo.c: fixed delsainfo() to avoid a crash when 910 iddst's value is SAINFO_CLIENTADDR 911 912 2008-10-29 S.P.Zeidler <spz (a] netbsd.org> 913 914 * src/racoon/ipsec_doi.c: Changes to ipsecdoi_id2str(): 915 916 struct sockaddr -> struct sockaddr_storage fixes a stack overflow 917 918 For non-linklocal addresses the value in 'scope' is garbage and gets 919 set to zero instead. 920 921 2008-10-27 Timo Teras <timo.teras (a] iki.fi> 922 923 * src/racoon/pfkey.c: From Arnaud Ebalard: Add missing return to 924 error path 925 926 * src/racoon/grabmyaddr.c: From Francis Dupont (sent by Arnaud 927 Ebalard): recognize RTM_IFANNOUNCE 928 929 * src/racoon/grabmyaddr.c: From Arnaud Ebalard: Fix indentation 930 issues for readability 931 932 * src/racoon/session.c: From Arnaud Ebalard: initfds() needs to be 933 called only if monitored file descriptor numbers have changed 934 935 * src/racoon/isakmp_var.h: From Arnaud Ebalard: Remove duplicate 936 declaration 937 938 2008-10-23 Timo Teras <timo.teras (a] iki.fi> 939 940 * src/racoon/: privsep.c, session.c, session.h: From Krzysztof 941 Piotr Oledzki <olel (a] ans.pl>: Revert parts of 2008-08-06 commit; the 942 problem those changes address are already handled in a sensible way 943 by Cyrus Rahman's patch from 2008-03-06. 944 945 2008-10-09 Timo Teras <timo.teras (a] iki.fi> 946 947 * src/racoon/isakmp_quick.c: From Arnaud Ebalard: remove 948 unnecessary unbindph12() call which is now done in remph2() 949 950 2008-09-25 Yvan Vanhullebus <vanhu (a] netasq.com> 951 952 * src/racoon/isakmp.c: Fixed resending mechanism to have non-ESP 953 marker for retransmitted packets 954 955 2008-09-19 Thomas Klausner <wiz (a] netbsd.org> 956 957 * src/racoon/racoon.conf.5: New sentence, new line. 958 959 2008-09-19 Timo Teras <timo.teras (a] iki.fi> 960 961 * src/racoon/: admin.c, cfparse.y, cftoken.l, handler.c, handler.h, 962 isakmp.c, isakmp_cfg.c, isakmp_inf.c, isakmp_quick.c, 963 isakmp_var.h, isakmp_xauth.c, pfkey.c, proposal.c, racoon.conf.5, 964 remoteconf.c, remoteconf.h: Implement ISAKMP SA rekeying 965 configurable with rekey {on|off|force} option in remote conf. 966 967 * src/racoon/: handler.c, handler.h, isakmp.c, isakmp_inf.c, 968 isakmp_quick.c, isakmp_var.h, isakmp_xauth.c, isakmp_xauth.h, 969 nattraversal.c, pfkey.c, pfkey.h, schedule.c, schedule.h, 970 session.c: Change struct sched to be allocated be the caller to 971 avoid some memory allocations. Optimize scheduling algorithm to not 972 scan all entries in the main loop. 973 974 2008-09-17 Yvan Vanhullebus <vanhu (a] netasq.com> 975 976 * src/racoon/isakmp_inf.c: Fixed port match in purge_ipsec_spi() 977 when NAT-T enabled and trying to purge non NAT-T SAs 978 979 2008-09-09 Yvan Vanhullebus <vanhu (a] netasq.com> 980 981 * src/racoon/pfkey.c: Some calls to set_port() were not correctly 982 updated in the previous commit 983 984 2008-09-03 Yvan Vanhullebus <vanhu (a] netasq.com> 985 986 * src/racoon/pfkey.c: From Tomas Mraz: Duplicate addresses in 987 pk_sendxxx functions, as they may be altered for NAT-T stuff. 988 989 2008-09-03 Timo Teras <timo.teras (a] iki.fi> 990 991 * src/: libipsec/pfkey.c, racoon/pfkey.c, racoon/sockmisc.c: 992 - Fix reloading of SPD (Linux satype check, handling of SPD dump 993 responses) 994 - Remove some spurious error log message from extract_port() 995 996 2008-08-29 Gregory McGarry <gmcgarry (a] netbsd.org> 997 998 * src/racoon/isakmp.c: Eliminate gcc-specific feature of empty 999 structures. 1000 1001 * src/racoon/evt.h: Eliminate superfluous semicolon. 1002 1003 * src/racoon/: admin.c, admin.h: Eliminate gcc-specific feature of 1004 unnamed structures added recently. 1005 1006 2008-08-12 Yvan Vanhullebus <vanhu (a] netasq.com> 1007 1008 * src/racoon/isakmp.c: From Krzysztof Piotr Oledzki: Remove 1009 ph1handler if we received an invalid first exchange from initiator. 1010 1011 2008-08-06 Timo Teras <timo.teras (a] iki.fi> 1012 1013 * src/racoon/: privsep.c, session.c, session.h: From Krzysztof 1014 Piotr Oledzki: Make privileged process exit if unprivileged process 1015 is terminated and some spelling fixes. 1016 1017 2008-07-23 Matthew Grooms <mgrooms (a] shrew.net> 1018 1019 * src/racoon/: cfparse.y, session.c: Add some missing ifdefs 1020 required for non-radius enabled builds. 1021 1022 2008-07-23 Timo Teras <timo.teras (a] iki.fi> 1023 1024 * src/racoon/Makefile.am: Do not use GNU make specific extension. 1025 1026 * src/: libipsec/Makefile.am, racoon/Makefile.am, 1027 setkey/Makefile.am: Do flex/bison invocation in a more standard 1028 way, and keep the generated files in the dist tarball. 1029 1030 2008-07-22 Yvan Vanhullebus <vanhu (a] netasq.com> 1031 1032 * src/racoon/proposal.c: From Kohki Ohhira: fix some memory leaks, 1033 when malloc fails or when peer sends invalid proposal. 1034 1035 2008-07-22 Matthew Grooms <mgrooms (a] shrew.net> 1036 1037 * src/racoon/: cfparse.y, cftoken.l, isakmp_cfg.c, isakmp_xauth.c, 1038 isakmp_xauth.h, main.c, racoon.conf.5, session.c: Add an optional 1039 radius configuration section to the racoon.conf file. This is 1040 similar to the the LDAP configuration section and overrides settings 1041 in the system radius configuration file. 1042 1043 2008-07-21 Matthias Scheler <tron (a] netbsd.org> 1044 1045 * src/racoon/cfparse.y: Correct typo to fix the build. 1046 1047 2008-07-21 Timo Teras <timo.teras (a] iki.fi> 1048 1049 * src/racoon/: isakmp_agg.c, isakmp_base.c, isakmp_ident.c, 1050 vendorid.c, vendorid.h: Separate generic vendor id handling to a 1051 new function and use it. 1052 1053 * src/racoon/cfparse.y: Do not set default gss id if xauth is used, 1054 otherwise gss-id attribute might be sent even if it was not 1055 requested. 1056 1057 2008-07-15 Matthew Grooms <mgrooms (a] shrew.net> 1058 1059 * src/racoon/isakmp_cfg.c: Fix an a typo that prevented racoon from 1060 building with hybrid enabled. 1061 1062 * src/racoon/: crypto_openssl.c, eaytest.c, misc.c, misc.h, 1063 racoonctl.c: Fix a conflict with the FreeBSD 8 system hexdump 1064 function. 1065 1066 2008-07-14 Timo Teras <timo.teras (a] iki.fi> 1067 1068 * src/racoon/: handler.h, ipsec_doi.c, ipsec_doi.h, isakmp_quick.c, 1069 pfkey.c: Handle RESPONDER-LIFETIME notification in quick mode. 1070 1071 * src/racoon/: handler.h, isakmp.c, isakmp_agg.c, isakmp_ident.c, 1072 isakmp_inf.c, isakmp_inf.h, isakmp_quick.c, strnames.c: Clean up 1073 notification payload handling. Handle INITIAL-CONTACT notification 1074 in last main mode exchange (delayed) and during quick mode 1075 exchanges. 1076 1077 2008-07-11 Timo Teras <timo.teras (a] iki.fi> 1078 1079 * src/racoon/: isakmp.c, isakmp_inf.c: Original patch from Atis 1080 Elsts: Fix a double memory free and a memory corruption 1081 (LIST_REMOVE() on an uninserted node) in some error handling paths. 1082 1083 2008-07-09 Timo Teras <timo.teras (a] iki.fi> 1084 1085 * src/racoon/cfparse.y: From Chong Peng: fix a file descriptor and 1086 memory leak on configuration file reread 1087 1088 2008-07-02 Yvan Vanhullebus <vanhu (a] netasq.com> 1089 1090 * src/racoon/isakmp_inf.c: From Timo Teras: fix some %d to %zu 1091 (size_t values) 1092 1093 2008-06-18 Thomas Klausner <wiz (a] netbsd.org> 1094 1095 * src/racoon/racoonctl.8: Bump date for previous. 1096 1097 2008-06-18 Matthew Grooms <mgrooms (a] shrew.net> 1098 1099 * src/racoon/: admin.c, admin.h, racoonctl.8, racoonctl.c: Add an 1100 admin port command to retrieve the peer certificate. Submitted by 1101 Timo Teras. 1102 1103 * src/racoon/: admin.c, grabmyaddr.c, isakmp.c, misc.c, misc.h: Set 1104 sockets to be closed on exec to avoid potential file descriptor 1105 inheritance issues. Submitted by Timo Teras. 1106 1107 * src/racoon/: admin.c, grabmyaddr.c, ipsec_doi.c, isakmp.c, 1108 isakmp_cfg.c, isakmp_inf.c, privsep.c, remoteconf.c: Use utility 1109 functions to evaluate and manipulate network port values. No 1110 functional changes. Submitted by Timo Teras. 1111 1112 * src/racoon/: admin.c, racoonctl.c: Admin port code cleanup. No 1113 functional changes. Submitted by Timo Teras. 1114 1115 * src/racoon/pfkey.c: Correct a phase2 status event. Submitted by 1116 Timo Teras. 1117 1118 2008-05-24 Christos Zoulas <christos (a] netbsd.org> 1119 1120 * src/racoon/privsep.c: Coverity CID 5018: Fix double frees. 1121 1122 2008-05-08 Emmanuel Dreyfus <manu (a] netbsd.org> 1123 1124 * configure.ac: From Christian Hohnstaedt: allow out of tree 1125 building 1126 1127 2008-04-30 Martin Husemann <martin (a] netbsd.org> 1128 1129 * netbsd-import.sh: Convert TNF licenses to new 2 clause variant 1130 1131 2008-04-25 Yvan Vanhullebus <vanhu (a] netasq.com> 1132 1133 * src/racoon/isakmp_inf.c: From Timo Teras: extract port numbers 1134 from SADB_X_EXT_NAT_T[SD]PORT if present in purge_ipsec_spi(). 1135 1136 2008-04-13 Christos Zoulas <christos (a] netbsd.org> 1137 1138 * src/racoon/privsep.c: for symmetry set controllen the same way we 1139 set it on the receiving side. 1140 1141 2008-04-02 Emmanuel Dreyfus <manu (a] netbsd.org> 1142 1143 * src/racoon/: Makefile.am, sockmisc.c, sockmisc.h: fix Linux build 1144 1145 2008-03-28 Christos Zoulas <christos (a] netbsd.org> 1146 1147 * src/racoon/privsep.c: properly fix the variable stack allocation 1148 code. 1149 1150 2008-03-28 Emmanuel Dreyfus <manu (a] netbsd.org> 1151 1152 * src/racoon/privsep.c: Still from Cyrus Rahman: fix file 1153 descriptor leak introduced by previous commit. 1154 1155 * src/racoon/: Makefile.am, isakmp.c, isakmp_inf.c, privsep.c, 1156 privsep.h, sockmisc.c, doc/README.privsep: From Cyrus Rahman: 1157 Allow interface reconfiguration when running in privilege separation 1158 mode, document privilege separation 1159 1160 2008-03-06 Yvan Vanhullebus <vanhu (a] netasq.com> 1161 1162 * src/racoon/oakley.c: Generates a log if cert validation has been 1163 disabled by configuration 1164 1165 2008-03-06 Emmanuel Dreyfus <manu (a] netbsd.org> 1166 1167 * src/racoon/: privsep.c, session.c: From Cyrus Rahman 1168 <crahman (a] gmail.com> privilegied instance exit when unprivilegied one 1169 terminates. Save PID in real root, not in chroot 1170 1171 2008-03-06 Matthew Grooms <mgrooms (a] shrew.net> 1172 1173 * src/racoon/: admin.c, isakmp.c, isakmp_var.h, pfkey.c, 1174 racoonctl.8, racoonctl.c: Add the ability to initiate IPsec SA 1175 negotiations using the admin socket. Submitted by Timo Teras. 1176 1177 * src/racoon/: admin.c, admin.h, evt.c, evt.h, handler.c, 1178 handler.h, isakmp.c, isakmp_agg.c, isakmp_base.c, isakmp_cfg.c, 1179 isakmp_ident.c, isakmp_inf.c, isakmp_var.h, isakmp_xauth.c, 1180 racoonctl.8, racoonctl.c, session.c: Refactor admin socket event 1181 protocol to be less error prone. Backwards compatibility is 1182 provided. Submitted by Timo Teras. 1183 1184 2008-03-05 Matthew Grooms <mgrooms (a] shrew.net> 1185 1186 * src/racoon/cfparse.y: Properly initialize the unity network 1187 struct to prevent erroneous protocol and port info from being 1188 transmitted. 1189 1190 * src/racoon/: pfkey.c, pfkey.h, session.c: Reload SPD on SIGHUP or 1191 adminport reload. Also provide better handling for pfkey socket read 1192 errors. Submitted by Timo Teras. 1193 1194 2008-02-25 Emmanuel Dreyfus <manu (a] netbsd.org> 1195 1196 * src/racoon/ipsec_doi.c: From Brian Haley <brian.haley (a] hp.com> 1197 There's a cut/paste error in cmp_aproppair_i(), it's supposed to be 1198 checking spi_size but it's not. I'm not sure this patch is correct, 1199 but what's there isn't either. 1200 1201 2008-02-22 Emmanuel Dreyfus <manu (a] netbsd.org> 1202 1203 * src/racoon/isakmp.c: Fix address length, from Brian Haley 1204 1205 2008-02-10 S.P.Zeidler <spz (a] netbsd.org> 1206 1207 * src/racoon/ipsec_doi.c: closes PR bin/37644 did not meet violent 1208 opposition ( :) ) on ipsec-tools-devel 1209 1210 2008-01-11 Yvan Vanhullebus <vanhu (a] netasq.com> 1211 1212 * src/racoon/isakmp_inf.c: From Timo Teras: reset iph1->dpd_r_u in 1213 the scheduler's callback, to avoid access to freed memory. 1214 1215 * src/racoon/crypto_openssl.c: From Krzysztof Oledzki: Fix 1216 compilation with IDEA and recent gcc. 1217 1218 * src/racoon/isakmp_inf.c: From Krzysztof Oledzki: added some 1219 details to some logs (also reported new getph1byaddr() arg). 1220 1221 * src/racoon/isakmp.c: From Krzysztof Oledzki: Only search for 1222 established ph1 handles in DPD (also reported new getph1byaddr() 1223 arg). 1224 1225 * src/racoon/: handler.c, handler.h: added an 'established' arg to 1226 getph1byaddr() 1227 1228 2007-12-31 Matthew Grooms <mgrooms (a] shrew.net> 1229 1230 * src/racoon/: policy.c, racoonctl.8, racoonctl.c: Add GRE protocol 1231 number to racoonctl. Correct id wildcard matching for transport 1232 mode. Submitted by Timo Teras. 1233 1234 2007-12-12 Matthew Grooms <mgrooms (a] shrew.net> 1235 1236 * NEWS, src/racoon/isakmp_quick.c: Add corrections submitted in a 1237 follow up patch for the nat-t oa support. 1238 1239 * src/racoon/: handler.c, handler.h, isakmp_quick.c, pfkey.c: Add 1240 support for nat-t oa payload handling. Submitted by Timo Teras. 1241 1242 2007-12-04 Matthew Grooms <mgrooms (a] shrew.net> 1243 1244 * src/racoon/: ipsec_doi.c, ipsec_doi.h, isakmp_quick.c: Modify 1245 ipsecdoi_sockaddr2id() to obtain an id without specifying the exact 1246 prefix length. Correct a memory leak in phase2. Both submitted by 1247 Timo Teras. 1248 1249 2007-12-01 Thomas Klausner <wiz (a] netbsd.org> 1250 1251 * src/racoon/racoon.conf.5: Fix typos. New sentence, new line. 1252 1253 2007-11-29 Yvan Vanhullebus <vanhu (a] netasq.com> 1254 1255 * src/racoon/Makefile.am: From Natanael Copa: fixed a race 1256 condition when building yacc stuff. 1257 1258 2007-11-09 Yvan Vanhullebus <vanhu (a] netasq.com> 1259 1260 * src/racoon/pfkey.c: From Arnaud Ebalard: Some sanity checking in 1261 pk_recv() 1262 1263 * src/racoon/policy.c: From Arnaud Ebalard: Better matching of SPD 1264 entries in getsp_r(). 1265 1266 * src/racoon/isakmp_quick.c: From Arnaud Ebalard: Added some debug 1267 in get_proposal_r(). 1268 1269 2007-10-19 Emmanuel Dreyfus <manu (a] netbsd.org> 1270 1271 * src/racoon/: isakmp_cfg.c, isakmp_unity.c, isakmp_unity.h, 1272 racoon.conf.5: Add SPLITNET_{INCLUDR_LOCAL}_CIDR to hook scripts 1273 1274 2007-10-15 Yvan Vanhullebus <vanhu (a] netasq.com> 1275 1276 * src/libipsec/pfkey.c: Try to increase the buffer size of the 1277 pfkey socket, this may help things when we have a huge SPD 1278 1279 2007-10-02 Yvan Vanhullebus <vanhu (a] netasq.com> 1280 1281 * src/racoon/crypto_openssl.c: From Scott Lamb: include plog.h to 1282 work with the new plog macro. 1283 1284 * src/racoon/kmpstat.c: From Scott Lamb: plog changed to _plog to 1285 work with new plog macro 1286 1287 * src/racoon/: plog.c, plog.h: From Scott Lamb: new plog macro. 1288 1289 2007-09-19 Matthew Grooms <mgrooms (a] shrew.net> 1290 1291 * src/racoon/isakmp.c: Set REUSE option on sockets to prevent 1292 failures associated with closing and immediately re-opening. 1293 Submitted by Gabriel Somlo. 1294 1295 * src/racoon/isakmp_unity.c: Prevent duplicate entries in splitnet 1296 list. Submitted by Gabriel Somlo. 1297 1298 2007-09-13 Matthew Grooms <mgrooms (a] shrew.net> 1299 1300 * configure.ac: Fix autoconf check for selinux support. Submitted 1301 by Joy Latten. 1302 1303 2007-09-12 Matthew Grooms <mgrooms (a] shrew.net> 1304 1305 * src/racoon/: cfparse.y, cftoken.l, handler.c, isakmp_quick.c, 1306 pfkey.c, racoon.conf.5, sainfo.c, sainfo.h: Implement clientaddr 1307 sainfo remote id option and refine the sainfo man page syntax. 1308 1309 2007-09-05 Matthew Grooms <mgrooms (a] shrew.net> 1310 1311 * src/racoon/sainfo.c: Sort sainfo sections on insert and improve 1312 matching logic. 1313 1314 2007-09-03 Matthew Grooms <mgrooms (a] shrew.net> 1315 1316 * src/racoon/: cftoken.l, racoon.conf.5: Correct the syntax for 1317 wins4 in the man page and add nbns4 as an alias. Pointed out by 1318 Claas Langbehn. 1319 1320 2007-08-07 Emmanuel Dreyfus <manu (a] netbsd.org> 1321 1322 * src/racoon/isakmp_xauth.c: src/racoon/isakmp_xauth.c: Don't mix 1323 up RADIUS authentication and authorization ports. Allow 1324 interoperability with freeradius 1325 1326 2007-07-24 Matthew Grooms <mgrooms (a] shrew.net> 1327 1328 * NEWS: Update NEWS file with additional 0.7 improvements. 1329 1330 2007-07-18 Matthew Grooms <mgrooms (a] shrew.net> 1331 1332 * src/racoon/racoon.conf.5: Various racoon configuration manpage 1333 updates. 1334 1335 2007-07-18 Yvan Vanhullebus <vanhu (a] netasq.com> 1336 1337 * configure.ac, src/libipsec/ipsec_dump_policy.c, 1338 src/libipsec/ipsec_get_policylen.c, 1339 src/libipsec/ipsec_strerror.c, src/libipsec/key_debug.c, 1340 src/libipsec/libpfkey.h, src/libipsec/pfkey.c, 1341 src/libipsec/pfkey_dump.c, src/libipsec/policy_parse.y, 1342 src/libipsec/policy_token.l, src/libipsec/test-policy-priority.c, 1343 src/racoon/admin.c, src/racoon/backupsa.c, src/racoon/cfparse.y, 1344 src/racoon/cftoken.l, src/racoon/ipsec_doi.c, 1345 src/racoon/isakmp.c, src/racoon/isakmp_inf.c, 1346 src/racoon/isakmp_quick.c, src/racoon/pfkey.c, 1347 src/racoon/policy.c, src/racoon/proposal.c, 1348 src/racoon/remoteconf.c, src/racoon/sainfo.c, 1349 src/racoon/session.c, src/racoon/sockmisc.c, 1350 src/racoon/strnames.c, src/setkey/parse.y, src/setkey/setkey.c, 1351 src/setkey/token.l: use a single PATH_IPSEC_H to fix some 1352 path_to_ipsec.h issues 1353 1354 2007-07-16 Yvan Vanhullebus <vanhu (a] netasq.com> 1355 1356 * src/racoon/grabmyaddr.c: fixed a socket leak 1357 1358 * src/racoon/proposal.c: indentation 1359 1360 2007-06-07 Emmanuel Dreyfus <manu (a] netbsd.org> 1361 1362 * src/racoon/isakmp_cfg.c: From Paul Winder 1363 <Paul.Winder (a] tadpole.com>: Fix ignored INTERNAL_DNS4_LIST 1364 1365 2007-06-06 Yvan Vanhullebus <vanhu (a] netasq.com> 1366 1367 * src/racoon/: eaytest.c, var.h: From Rong-En Fan: fix compilation 1368 with gcc 4.2 1369 1370 * src/racoon/session.c: From Jianli Liu: speed up interfaces update 1371 when they change. 1372 1373 * src/racoon/handler.c: ignore obsolete lifebyte when validating 1374 reloaded configuration 1375 1376 2007-05-31 Emmanuel Dreyfus <manu (a] netbsd.org> 1377 1378 * src/racoon/: main.c, policy.h, security.c: From Joy Latten 1379 <latten (a] austin.ibm.com> Fix file descriptor shortage when using 1380 labeled IPsec. 1381 1382 2007-05-30 Emmanuel Dreyfus <manu (a] netbsd.org> 1383 1384 * src/racoon/kmpstat.c: From Jianli Liu <jlliu (a] nortel.com>: In 1385 racoonctl, use the specified socket path instead of the default 1386 location 1387 1388 2007-05-16 Christos Zoulas <christos (a] netbsd.org> 1389 1390 * src/racoon/cfparse.y: coverity CID 4168: yyerror() does not 1391 return, so we proceed to de-reference NULL. Make it return -1 1392 instead like in other places. 1393 1394 * src/racoon/cfparse.y: coverity CID 4170: yyerror() does not 1395 return, so we proceed to de-reference NULL. Make it return -1 1396 instead like in other places. 1397 1398 2007-05-04 Yvan Vanhullebus <vanhu (a] netasq.com> 1399 1400 * src/racoon/handler.c: search a ph1 by address if iph2->ph1 is 1401 NULL when validating the new config 1402 1403 * src/racoon/handler.c: added some debug in getph1byaddr() to track 1404 some port matching problems with NAT-T 1405 1406 * src/racoon/isakmp.c: added some debug in isakmp_chkph1there() to 1407 track some port matching problems with NAT-T 1408 1409 * src/racoon/isakmp_inf.c: added some debug for DELETE_SA process 1410 1411 * src/racoon/pfkey.c: Force the update of ph2 in pk_recvupdate() if 1412 NAT_T support, to solve some port match problems with the first 1413 IPSec SAs negociated as initiator 1414 1415 2007-04-04 Yvan Vanhullebus <vanhu (a] netasq.com> 1416 1417 * src/racoon/ipsec_doi.c: checks proto_id in ipsecdoi_chkcmpids() 1418 1419 * src/racoon/oakley.c: dumps peer's ID and peer's certificate 1420 subject /subjectaltname if they don't match 1421 1422 2007-03-26 Yvan Vanhullebus <vanhu (a] netasq.com> 1423 1424 * src/racoon/isakmp_inf.c: Store the DPD main scheduler in ph1 1425 handler, to be able to cancel it when removing the handler, and some 1426 minor cleanups in DPD code 1427 1428 2007-03-24 Christos Zoulas <christos (a] netbsd.org> 1429 1430 * src/racoon/isakmp_xauth.c: PR/36069: Huang Yushuo: racoon can't 1431 work with pam_group Set RUSER. 1432 1433 2007-03-23 Yvan Vanhullebus <vanhu (a] netasq.com> 1434 1435 * src/racoon/: ipsec_doi.c, security.c: From Joy Latten: fix a 1436 segfault when using security labels between 32bit and 64bit host. 1437 1438 * src/racoon/handler.c: expire zombie handlers in getph2byid(), to 1439 avoid situations where we'll never negociate a phase2 again 1440 1441 * src/racoon/: oakley.c, racoon.conf.5: From Cyrus Rahman: give 1442 more details about what is checked when using certificates to 1443 authenticate 1444 1445 2007-03-22 Yvan Vanhullebus <vanhu (a] netasq.com> 1446 1447 * src/racoon/: cfparse.y, ipsec_doi.c: fixed subnet check to 1448 generate IPV4_ADDRESS when needed in sockaddr2id() 1449 1450 2007-03-21 Yvan Vanhullebus <vanhu (a] netasq.com> 1451 1452 * src/racoon/: handler.c, isakmp.c, isakmp_inf.c, pfkey.c: NULL 1453 sched check is now done in SCHED_KILL 1454 1455 * src/racoon/schedule.h: checks if arg is NULL in SCHED_KILL 1456 1457 2007-03-15 Yvan Vanhullebus <vanhu (a] netasq.com> 1458 1459 * src/racoon/grabmyaddr.c: From Yves-Alexis Perez: enable 1460 monitoring of ipv6 address changes on Linux. 1461 1462 * src/racoon/isakmp.c: Consider a negociation timeout when 1463 retry_counter is <=0 instead of < 0 1464 1465 2007-02-28 Matthew Grooms <mgrooms (a] shrew.net> 1466 1467 * src/racoon/ipsec_doi.c: Add logic to allow ip address ids to be 1468 matched to ip subnet ids when appropriate. 1469 1470 2007-02-21 Yvan Vanhullebus <vanhu (a] netasq.com> 1471 1472 * src/racoon/ipsec_doi.c: block variable declaration before code in 1473 ipsecdoi_id2str() 1474 1475 2007-02-20 Yvan Vanhullebus <vanhu (a] netasq.com> 1476 1477 * src/racoon/isakmp_inf.c: Removed a debug printf.... 1478 1479 * src/racoon/isakmp.c: Only delete a generated SPD if it's creation 1480 date matches the creation date of the SA we are currently deleting 1481 1482 * src/racoon/: handler.c, isakmp_var.h: updated delete_spd() calls 1483 1484 * src/racoon/: isakmp_inf.c, pfkey.c: fills creation date of 1485 generated SPDs 1486 1487 * src/racoon/policy.h: added 'created' var 1488 1489 2007-02-19 Yvan Vanhullebus <vanhu (a] netasq.com> 1490 1491 * src/racoon/isakmp.c: Removed a debug printf.... 1492 1493 2007-02-16 Yvan Vanhullebus <vanhu (a] netasq.com> 1494 1495 * src/racoon/ipsec_doi.c: From Olivier Warin: Fix a %zu in a 1496 printf. 1497 1498 2007-02-15 Emmanuel Dreyfus <manu (a] netbsd.org> 1499 1500 * src/racoon/security.c: Missing SELinux file 1501 1502 * configure.ac: Missing stuff for SELinux 1503 1504 2007-02-15 Yvan Vanhullebus <vanhu (a] netasq.com> 1505 1506 * src/racoon/isakmp_inf.c: From "Uncle Pedro" on sf.net: Just 1507 expire a ph1 handle when receiving a DELETE-SA instead of calling 1508 purge_remote(). 1509 1510 * src/racoon/isakmp.c: Fixed the way phase1/2 messages are 1511 sent/resent, to avoid zombie handles and acces to freed memory 1512 1513 2007-02-02 Yvan Vanhullebus <vanhu (a] netasq.com> 1514 1515 * src/racoon/cfparse.y: Fixed a check of NAT-T support in libipsec 1516 1517 2007-02-01 Yvan Vanhullebus <vanhu (a] netasq.com> 1518 1519 * src/racoon/isakmp_inf.c: From "Uncle Pedro" on sf.net: When 1520 receiving an ISAKMP DELETE_SA, get the cookie of the SA to be 1521 deleted from payload instead of just deleting the ISAKMP SA used to 1522 protect the informational exchange. 1523 1524 2006-12-26 Arnaud Lacombe <alc (a] netbsd.org> 1525 1526 * src/racoon/ipsec_doi.c: CID-4167: check for 'iph1->approval != 1527 NULL' 1528 1529 2006-12-23 Thomas Klausner <wiz (a] netbsd.org> 1530 1531 * src/racoon/racoon.conf.5: Use even more macros. 1532 1533 * src/racoon/racoon.conf.5: Use more macros. 1534 1535 * src/racoon/racoon.conf.5: Serial comma, and bump date for 1536 previous. 1537 1538 2006-12-18 Yvan Vanhullebus <vanhu (a] netasq.com> 1539 1540 * src/racoon/crypto_openssl.c: From Joy Latten: fix a memory leak 1541 1542 2006-12-10 tag ipsec-tools-0_7-base 1543 1544 2006-12-10 Emmanuel Dreyfus <manu (a] netbsd.org> 1545 1546 * src/: libipsec/Makefile.am, libipsec/libpfkey.h, 1547 libipsec/pfkey.c, racoon/backupsa.c, racoon/cfparse.y, 1548 racoon/pfkey.c: Bring back API and ABI backward compatibility 1549 with previous libipsec before recent interface change. Bump libipsec 1550 minor version. Remove ifdefs in struct pfkey_send_sa_args to avoid 1551 ABI compatibility lossage. Add a capability flags to detect missing 1552 optional feature in libipsec 1553 1554 * src/racoon/: Makefile.am, doc/README.plainrsa: From Joy Latten: 1555 README.plainrsa documenting plain RSA auth 1556 1557 2006-12-09 Emmanuel Dreyfus <manu (a] netbsd.org> 1558 1559 * configure.ac, src/libipsec/libpfkey.h, src/libipsec/pfkey.c, 1560 src/racoon/Makefile.am, src/racoon/backupsa.c, 1561 src/racoon/backupsa.h, src/racoon/cftoken.l, 1562 src/racoon/ipsec_doi.c, src/racoon/ipsec_doi.h, 1563 src/racoon/isakmp_inf.c, src/racoon/isakmp_quick.c, 1564 src/racoon/pfkey.c, src/racoon/policy.c, src/racoon/policy.h, 1565 src/racoon/proposal.c, src/racoon/proposal.h, 1566 src/racoon/remoteconf.c: From Joy Latten: Add support for SELinux 1567 security contexts. Also cleanup the libipsec interface for adding 1568 and updating security associations. 1569 1570 * src/racoon/racoon.conf.5: From Simon Chang: More hints about 1571 plain RSA authentication 1572 1573 2006-12-05 Yvan Vanhullebus <vanhu (a] netasq.com> 1574 1575 * src/racoon/: proposal.c, proposal.h, racoon.conf.5: Check keys 1576 length regarding proposal_check level 1577 1578 2006-11-16 Matthew Grooms <mgrooms (a] shrew.net> 1579 1580 * src/racoon/sainfo.c: Correct issues associated with anonymous 1581 sainfo selection in racoon. 1582 1583 2006-11-09 Christos Zoulas <christos (a] netbsd.org> 1584 1585 * src/racoon/crypto_openssl.c: eliminate the only variable stack 1586 array allocation. 1587 1588 2006-10-31 Christian Biere <cbiere (a] netbsd.org> 1589 1590 * src/racoon/sockmisc.c: Don't define the deprecated 1591 IPV6_RECVDSTADDR if the "advanced IPv6 API" is used because 1592 IPV6_RECVPKTINFO and IPV6_PKTINFO are used to prevent potential bugs 1593 in the future just in case that the numeric value of the socket 1594 option is ever recycled. 1595 1596 2006-10-22 Yvan Vanhullebus <vanhu (a] netasq.com> 1597 1598 * src/racoon/: backupsa.c, cfparse.y: From Michal Ruzicka: fix 1599 typos 1600 1601 2006-10-19 Yvan Vanhullebus <vanhu (a] netasq.com> 1602 1603 * src/racoon/sainfo.c: From Matthew Grooms: use 1604 ipsecdoi_chkcmpids() and changed src/dst to loc/rmt in getsainfo(). 1605 1606 * src/racoon/: ipsec_doi.c, ipsec_doi.h: From Matthew Grooms: Added 1607 ipsecdoi_chkcmpids() function. 1608 1609 2006-10-09 Emmanuel Dreyfus <manu (a] netbsd.org> 1610 1611 * src/racoon/proposal.c: Fix memory leak (Coverity 3438 and 3437) 1612 1613 * src/racoon/isakmp_unity.c: Correctly check read() return value: 1614 it's signed (Coverity 1251) 1615 1616 2006-10-06 Emmanuel Dreyfus <manu (a] netbsd.org> 1617 1618 * configure.ac, src/libipsec/pfkey_dump.c, src/racoon/algorithm.c, 1619 src/racoon/algorithm.h, src/racoon/cftoken.l, 1620 src/racoon/crypto_openssl.c, src/racoon/crypto_openssl.h, 1621 src/racoon/eaytest.c, src/racoon/ipsec_doi.c, 1622 src/racoon/ipsec_doi.h, src/racoon/oakley.h, src/racoon/pfkey.c, 1623 src/racoon/racoon.conf.5, src/racoon/strnames.c, 1624 src/setkey/setkey.8, src/setkey/test-pfkey.c, src/setkey/token.l: 1625 Camelia cipher support as in RFC 4312, from Tomoyuki Okazaki 1626 <okazaki (a] kick.gr.jp> 1627 1628 2006-10-03 Emmanuel Dreyfus <manu (a] netbsd.org> 1629 1630 * src/racoon/admin.c: fix endianness issue introduced yesterday 1631 1632 2006-10-03 Yvan Vanhullebus <vanhu (a] netasq.com> 1633 1634 * src/racoon/racoon.conf.5: Added remoteid/ph1id syntax 1635 1636 * src/racoon/: cfparse.y, cftoken.l: Parses remoteid/ph1id values 1637 1638 * src/racoon/: handler.c, isakmp_quick.c, pfkey.c, sainfo.c: Uses 1639 remoteid/ph1id values 1640 1641 * src/racoon/: remoteconf.h, sainfo.h: Added remoteid/ph1id values 1642 1643 2006-10-02 Emmanuel Dreyfus <manu (a] netbsd.org> 1644 1645 * src/racoon/isakmp_base.c: 1646 avoid reusing free'd pointer (Coverity 2613) 1647 1648 * src/racoon/isakmp_inf.c: Check for NULL pointer (COverity 4175) 1649 1650 * src/racoon/isakmp_ident.c: Remove dead code (Coverity 3451) 1651 1652 * src/racoon/algorithm.c: Fix array overrun (Coverity 4172) 1653 1654 * src/racoon/admin.c: Fix memory leak (Coverity 2002) 1655 1656 * src/racoon/: admin.c, isakmp.c, sockmisc.c: Fix memory leak 1657 (Coverity 2001), refactor the code to use port get/set functions 1658 1659 * src/racoon/admin.c: Avoid reusing free'd pointer (Coverity 4200) 1660 1661 * src/racoon/oakley.c: Don't use NULL pointer (Coverity 3443), 1662 reformat to 80 char/line 1663 1664 2006-10-02 Tom Spindler <dogcow (a] netbsd.org> 1665 1666 * src/racoon/ipsec_doi.c: If you're going to initialize a pointer, 1667 you have to init it with a pointer type, not an int. 1668 1669 2006-10-02 Emmanuel Dreyfus <manu (a] netbsd.org> 1670 1671 * src/racoon/isakmp.c: Don't use NULL pointer (coverity 3439) 1672 1673 * src/racoon/ipsec_doi.c: Don't use NULL pointer (Coverity 1334) 1674 1675 * src/racoon/pfkey.c: Don't use NULL pointer (Coverity 944) 1676 1677 * src/racoon/proposal.c: Don't use NULL pointer (Coverity 941) 1678 1679 * src/racoon/racoonctl.c: Don't use NULL pointer (Coverity 942) 1680 1681 * src/racoon/sockmisc.c: Don't use null pointer (Coverity 863) 1682 1683 2006-10-01 Emmanuel Dreyfus <manu (a] netbsd.org> 1684 1685 * src/racoon/ipsec_doi.c: FIx memory leak (Coverity 4181) 1686 1687 * src/racoon/isakmp.c: Check that iph1->remote is not NULL before 1688 using it (Coverity 3436) 1689 1690 2006-09-30 Emmanuel Dreyfus <manu (a] netbsd.org> 1691 1692 * src/racoon/isakmp_agg.c: emove dead code (Coverity 4165) 1693 1694 * src/racoon/isakmp_cfg.c: Fix memory leak (Coverity 4179) 1695 1696 * src/racoon/samples/roadwarrior/client/: phase1-down.sh, 1697 phase1-up.sh: update the scripts for wrorking around routing 1698 problems on NetBSD 1699 1700 * src/racoon/session.c: Reuse existing code for closing IKE 1701 sockets, and avoid screwing things by setting p->sock = -1, which is 1702 not expected (Coverity 4173). 1703 1704 * src/racoon/admin.c: Do not free id and key, as they are used 1705 later 1706 1707 2006-09-29 Emmanuel Dreyfus <manu (a] netbsd.org> 1708 1709 * src/racoon/racoonctl.c: Fix the fix: handle_recv closes the 1710 socket, so we must call com_init before sending any data. 1711 1712 2006-09-28 Emmanuel Dreyfus <manu (a] netbsd.org> 1713 1714 * src/racoon/isakmp_xauth.c: Fix unchecked mallocs (Coverity 4176, 1715 4174) 1716 1717 * src/racoon/racoonctl.c: Fix access after free (Coverity 4178) 1718 1719 2006-09-26 Emmanuel Dreyfus <manu (a] netbsd.org> 1720 1721 * src/racoon/cfparse.y: Fix memory leak (Coverity) 1722 1723 * src/racoon/backupsa.c: Fix memory leak (Coverity) 1724 1725 * src/racoon/admin.c: Remove dead code (Coverity) 1726 1727 * src/racoon/admin.c: Fix memory leak (Coverity) 1728 1729 * src/racoon/admin.c: One more memory leak 1730 1731 * src/racoon/admin.c: Fix memory leak in racoonctl (coverity) 1732 1733 * src/racoon/ipsec_doi.c: Fix buffer overflow Also fix credits: SA 1734 bundle fix was contributed by Jeff Bailey, not Matthew Grooms. 1735 Matthew updated the patch for current code, though. 1736 1737 * src/racoon/: pfkey.c, proposal.c: fix SA bundle (e.g.: for 1738 negotiating ESP+IPcomp) 1739 1740 2006-09-25 Yvan Vanhullebus <vanhu (a] netasq.com> 1741 1742 * src/racoon/isakmp.c: From Yves-Alexis Perez: struct ip -> struct 1743 iphdr for Linux 1744 1745 2006-09-25 Emmanuel Dreyfus <manu (a] netbsd.org> 1746 1747 * src/racoon/isakmp.c: style (mostly for testing 1748 ipsec-tools-commits (a] netbsd.org) 1749 1750 * src/racoon/ipsec_doi.c: Fix double free, from Matthew Grooms 1751 1752 2006-09-21 Yvan Vanhullebus <vanhu (a] netasq.com> 1753 1754 * src/libipsec/pfkey.c: use sysdep_sa_len to make it compile on 1755 Linux 1756 1757 2006-09-19 Thomas Klausner <wiz (a] netbsd.org> 1758 1759 * src/racoon/racoon.conf.5: Bump date for ike_frag force. 1760 1761 * src/racoon/: plainrsa-gen.8, racoon.conf.5: New sentence, new 1762 line. 1763 1764 * src/racoon/: racoon.conf.5, plainrsa-gen.8: Remove trailing 1765 whitespace. 1766 1767 2006-09-19 Yvan Vanhullebus <vanhu (a] netasq.com> 1768 1769 * src/racoon/proposal.c: From Yves-Alexis Perez: fixes default 1770 value for encmodesv in set_proposal_from_policy() 1771 1772 * src/racoon/isakmp.c: always include some headers, as they are 1773 required even without NAT-T 1774 1775 * src/: libipsec/pfkey_dump.c, setkey/token.l: From Larry Baird: 1776 define SADB_X_EALG_AESCBC as SADB_X_EALG_AES if needed 1777 1778 * src/racoon/crypto_openssl.c: From Larry Baird: some printf() -> 1779 plog() 1780 1781 2006-09-18 Emmanuel Dreyfus <manu (a] netbsd.org> 1782 1783 * src/racoon/: cfparse.y, cftoken.l, isakmp.c, isakmp_frag.h, 1784 isakmp_inf.c, racoon.conf.5, remoteconf.c: From Matthew Grooms: 1785 ike_frag force option to force the use of IKE on first packet 1786 exchange (prior to peer consent) 1787 1788 2006-09-18 Yvan Vanhullebus <vanhu (a] netasq.com> 1789 1790 * rpm/suse/ipsec-tools.spec, src/racoon/prsa_tok.c: removed 1791 generated files from the CVS 1792 1793 * src/racoon/prsa_par.c: removed generated files from the CVS 1794 1795 * src/racoon/: cfparse.c, cftoken.c: removed generated files from 1796 the CVS 1797 1798 2006-09-18 Emmanuel Dreyfus <manu (a] netbsd.org> 1799 1800 * src/racoon/isakmp.c: From Matthew Grooms: handle IKE frag used in 1801 the first packet. That should not normally happen, as the initiator 1802 does not know yet if the responder can handle IKE frag. However, in 1803 some setups, the first packet is too big to get through, and 1804 assuming the peer supports IKE frag is the only way to go. 1805 1806 racoon should have a setting in the remote section to do taht 1807 (something like ike_frag force) 1808 1809 2006-09-16 Emmanuel Dreyfus <manu (a] netbsd.org> 1810 1811 * src/racoon/ipsec_doi.c: Trivial bugfix in RFC2407 4.6.2 1812 conformance, from Matthew Grooms 1813 1814 2006-09-15 Emmanuel Dreyfus <manu (a] netbsd.org> 1815 1816 * src/racoon/ipsec_doi.c: Fix build on Linux 1817 1818 For older changes see ChangeLog.old 1819
