      1 2009-08-13  tag ipsec-tools-0_7_3
      2 
      3 2009-08-13  Yvan Vanhullebus <vanhu (a] netasq.com>
      4 
      5 	* NEWS, configure.ac: 0.7.3 release
      6 
      7 	* src/racoon/oakley.c: fixed a potential DoS in
      8 	  oakley_do_decrypt(), reported by Orange Labs
      9 
     10 2009-08-06  Timo Teras <timo.teras (a] iki.fi>
     11 
     12 	* src/setkey/setkey.c: From Paul Wenau: Check fgets return value in
     13 	  setkey to make gcc happy.
     14 
     15 2009-06-19  Timo Teras <timo.teras (a] iki.fi>
     16 
     17 	* src/racoon/ipsec_doi.c: Backport S.P.Zeidler's fix to IPv6
     18 	  address related stack smashing in ipsecdoi_id2str() from CVS HEAD.
     19 
     20 2009-05-18  Timo Teras <timo.teras (a] iki.fi>
     21 
     22 	* src/racoon/isakmp_inf.c: From Tomas Mraz: Remove variable that is
     23 	  not really used; only referenced while uninitialized causing
     24 	  valgrind error.
     25 
     26 	* src/racoon/nattraversal.c: From Tomas Mraz: Fix natt_flags check.
     27 
     28 2009-04-29  Timo Teras <timo.teras (a] iki.fi>
     29 
     30 	* src/racoon/crypto_openssl.c: From Ross Meng: Fix a memory leak in
     31 	  X509 certificate validation.
     32 
     33 2009-04-22  tag ipsec-tools-0_7_2
     34 
     35 2009-04-22  Timo Teras <timo.teras (a] iki.fi>
     36 
     37 	* NEWS, configure.ac: Updates for 0.7.2 release
     38 
     39 	* src/racoon/isakmp_frag.c: From Neil Kettle: Fix a possible null
     40 	  pointer dereference in fragmentation code.
     41 
     42 2009-04-20  Timo Teras <timo.teras (a] iki.fi>
     43 
     44 	* src/racoon/: isakmp_inf.c, isakmp_xauth.c, plog.c: Originally from
     45 	  Bin Li: Fix possible memory corruption in binsanitize().
     46 
     47 	* src/racoon/crypto_openssl.c: From Stephen Bevan: Fix a x509
     48 	  signature verification memory leak.
     49 
     50 	* src/racoon/: admin.c, racoonctl.c: Originally from Bin Li: Fix a
     51 	  crash with racoonctl logout user.
     52 
     53 	* src/racoon/nattraversal.c: Fix a memory leak in nat-t keepalive
     54 	  code.
     55 
     56 	* src/racoon/handler.c: From Paul Moore: Phase2 message id's should
     57 	  be unique wrt phase1, not globally.
     58 
     59 2009-02-16  Timo Teras <timo.teras (a] iki.fi>
     60 
     61 	* src/libipsec/policy_parse.y: From Paul Moore: Fix a heap
     62 	  corruption bug (yacc return non-null terminated buffer and sprintf
     63 	  writes over bounds).
     64 
     65 2009-01-20  Timo Teras <timo.teras (a] iki.fi>
     66 
     67 	* configure.ac: Fix a CPPLAGS typo to CPPFLAGS which was intended
     68 
     69 	* misc/cvs2cl.pl, misc/cvsusermap, Makefile.am: Autogenerate
     70 	  ChangeLog from NetBSD CVS. Put sourceforge.net changes to
     71 	  ChangeLog.old.
     72 
     73 	* misc/cvs2cl.pl: file cvs2cl.pl was added on branch
     74 	  ipsec-tools-0_7-branch on 2009-01-20 14:36:32 +0000
     75 
     76 	* misc/cvsusermap: file cvsusermap was added on branch
     77 	  ipsec-tools-0_7-branch on 2009-01-20 14:36:32 +0000
     78 
     79 2008-11-27  Yvan Vanhullebus <vanhu (a] netasq.com>
     80 
     81 	* src/racoon/main.c: Set up a default value for Mode Config Pool
     82 	  size if pool address specified but pool size not specified
     83 
     84 	* src/racoon/isakmp_cfg.c: Fixed pool resizing
     85 
     86 2008-09-25  Yvan Vanhullebus <vanhu (a] netasq.com>
     87 
     88 	* src/racoon/isakmp.c: Fixed resending mechanism to have non-ESP
     89 	  marker for retransmitted packets
     90 
     91 2008-09-17  Yvan Vanhullebus <vanhu (a] netasq.com>
     92 
     93 	* src/racoon/isakmp_inf.c: Fixed port match in purge_ipsec_spi()
     94 	  when NAT-T enabled and trying to purge non NAT-T SAs
     95 
     96 2008-08-12  Yvan Vanhullebus <vanhu (a] netasq.com>
     97 
     98 	* src/racoon/isakmp.c: From Krzysztof Oledzki: Remove ph1handler if
     99 	  we received an invalid first exchange from initiator.
    100 
    101 2008-07-23  tag ipsec-tools-0_7_1
    102 
    103 2008-07-23  Yvan Vanhullebus <vanhu (a] netasq.com>
    104 
    105 	* NEWS: NEWS for 0.7.1 release
    106 
    107 2008-07-23  Timo Teras <timo.teras (a] iki.fi>
    108 
    109 	* src/racoon/Makefile.am: Do not use GNU make specific extension.
    110 
    111 	* src/: libipsec/Makefile.am, racoon/Makefile.am,
    112 	  setkey/Makefile.am: Do flex/bison invocation in a more standard
    113 	  way, and keep the generated files in the dist tarball.
    114 
    115 2008-07-22  Yvan Vanhullebus <vanhu (a] netasq.com>
    116 
    117 	* configure.ac: 0.7.1 coming !
    118 
    119 	* src/racoon/proposal.c: From Kohki Ohhira: fix some memory leaks,
    120 	  when malloc fails or when peer sends invalid proposal.
    121 
    122 2008-07-21  Timo Teras <timo.teras (a] iki.fi>
    123 
    124 	* src/racoon/cfparse.y: Correct typo to fix the build.
    125 
    126 	* src/racoon/cfparse.y: Do not set default gss id if xauth is used.
    127 
    128 2008-07-15  Matthew Grooms <mgrooms (a] shrew.net>
    129 
    130 	* src/racoon/isakmp_cfg.c: Fix a typo that prevented racoon from
    131 	  building with hybrid enabled.
    132 
    133 	* src/racoon/: crypto_openssl.c, eaytest.c, misc.c, misc.h,
    134 	  racoonctl.c: Fix a conflict with the FreeBSD 8 system hexdump
    135 	  function.
    136 
    137 2008-07-11  Timo Teras <timo.teras (a] iki.fi>
    138 
    139 	* src/racoon/: isakmp.c, isakmp_inf.c: Original patch from Atis
    140 	  Elsts: Fix a double memory free and a memory corruption
    141 	  (LIST_REMOVE() on an uninserted node) in some error handling paths.
    142 
    143 2008-07-09  Timo Teras <timo.teras (a] iki.fi>
    144 
    145 	* src/racoon/cfparse.y: From Chong Peng: fix a file descriptor and
    146 	  memory leak on configuration file reread
    147 
    148 2008-07-02  Yvan Vanhullebus <vanhu (a] netasq.com>
    149 
    150 	* src/racoon/isakmp_inf.c: From Timo Teras: fixed some %d to %zu
    151 	  (size_t values).
    152 
    153 2008-06-18  Matthew Grooms <mgrooms (a] shrew.net>
    154 
    155 	* src/racoon/: grabmyaddr.c, admin.c, ipsec_doi.c, isakmp.c,
    156 	  isakmp_cfg.c, isakmp_inf.c, remoteconf.c: Use utility functions
    157 	  to evaluate and manipulate network port values. No functional
    158 	  changes. Submitted by Timo Teras.
    159 
    160 2008-04-25  Yvan Vanhullebus <vanhu (a] netasq.com>
    161 
    162 	* src/racoon/isakmp_inf.c: From Timo Teras: extract port numbers
    163 	  from SADB_X_EXT_NAT_T[SD]PORT if present in purge_ipsec_spi().
    164 
    165 2008-03-06  Yvan Vanhullebus <vanhu (a] netasq.com>
    166 
    167 	* src/racoon/oakley.c: Generates a log if cert validation has been
    168 	  disabled by configuration
    169 
    170 2008-03-05  Matthew Grooms <mgrooms (a] shrew.net>
    171 
    172 	* src/racoon/cfparse.y: Properly initialize the unity network
    173 	  struct to prevent erroneous protocol and port info from being
    174 	  transmitted.
    175 
    176 	* src/racoon/pfkey.c: Provide better handling for pfkey socket read
    177 	  errors. Submitted by Timo Teras.
    178 
    179 2008-02-25  Emmanuel Dreyfus <manu (a] netbsd.org>
    180 
    181 	* src/racoon/ipsec_doi.c: From Brian Haley <brian.haley (a] hp.com>:
    182 	  There's a cut/paste error in cmp_aproppair_i(), it's supposed to be
    183 	  checking spi_size but it's not.  I'm not sure this patch is correct,
    184 	  but what's there isn't either.
    185 
    186 	  Add forgotten entry in ChangeLog
    187 
    188 2008-02-22  Emmanuel Dreyfus <manu (a] netbsd.org>
    189 
    190 	* src/racoon/isakmp.c: Fix bad address length computation, from
    191 	  Brian Haley.
    192 
    193 2008-01-11  Yvan Vanhullebus <vanhu (a] netasq.com>
    194 
    195 	* src/racoon/isakmp_inf.c: From Timo Teras: reset iph1->dpd_r_u in
    196 	  the scheduler's callback, to avoid access to freed memory.
    197 
    198 	* src/racoon/crypto_openssl.c: From Krzysztof Oledzki: Fix
    199 	  compilation with IDEA and recent gcc.
    200 
    201 	* src/racoon/isakmp_inf.c: From Krzysztof Oledzki: added some
    202 	  details to some logs (also reported new getph1byaddr() arg).
    203 
    204 	* src/racoon/isakmp.c: From Krzysztof Oledzki: Only search for
    205 	  established ph1 handles in DPD (also reported new getph1byaddr()
    206 	  arg).
    207 
    208 	* src/racoon/: handler.c, handler.h: added an 'established' arg to
    209 	  getph1byaddr()
    210 
    211 2007-11-29  Yvan Vanhullebus <vanhu (a] netasq.com>
    212 
    213 	* src/racoon/Makefile.am: From Natanael Copa: fixed a race
    214 	  condition when building yacc stuff.
    215 
    216 2007-11-06  Yvan Vanhullebus <vanhu (a] netasq.com>
    217 
    218 	* src/racoon/crypto_openssl.c: From Scott Lamb: include plog.h to
    219 	  work with the new plog macro.
    220 
    221 	* src/racoon/kmpstat.c: From Scott Lamb: plog changed to _plog to
    222 	  work with new plog macro
    223 
    224 	* src/racoon/: plog.c, plog.h: From Scott Lamb: new plog macro.
    225 
    226 2007-10-15  Yvan Vanhullebus <vanhu (a] netasq.com>
    227 
    228 	* src/libipsec/pfkey.c: Try to increase the buffer size of the
    229 	  pfkey socket, this may help things when we have a huge SPD
    230 
    231 2007-09-19  Matthew Grooms <mgrooms (a] shrew.net>
    232 
    233 	* configure.ac: Fix autoconf check for selinux support. Submitted
    234 	  by Joy Latten.
    235 
    236 2007-09-03  Matthew Grooms <mgrooms (a] shrew.net>
    237 
    238 	* src/racoon/: cftoken.l, racoon.conf.5: Correct the syntax for
    239 	  wins4 in the man page and add nbns4 as an alias. Pointed out by
    240 	  Claas Langbehn.
    241 
    242 2007-08-09  tag ipsec-tools-0_7
    243 
    244 2007-08-09  Matthew Grooms <mgrooms (a] shrew.net>
    245 
    246 	* NEWS, configure.ac: Prepare for 0.7 release tag.
    247 
    248 2007-08-07  Emmanuel Dreyfus <manu (a] netbsd.org>
    249 
    250 	* src/racoon/isakmp_xauth.c: Don't mix up RADIUS authentication and
    251 	  authorization ports. Allow interoperability with freeradius
    252 
    253 2007-08-01  Yvan Vanhullebus <vanhu (a] netasq.com>
    254 
    255 	* configure.ac, src/libipsec/ipsec_dump_policy.c,
    256 	  src/libipsec/ipsec_get_policylen.c,
    257 	  src/libipsec/ipsec_strerror.c, src/libipsec/key_debug.c,
    258 	  src/libipsec/libpfkey.h, src/libipsec/pfkey.c,
    259 	  src/libipsec/pfkey_dump.c, src/libipsec/policy_parse.y,
    260 	  src/libipsec/policy_token.l, src/libipsec/test-policy-priority.c,
    261 	  src/racoon/admin.c, src/racoon/backupsa.c, src/racoon/cfparse.y,
    262 	  src/racoon/cftoken.l, src/racoon/ipsec_doi.c,
    263 	  src/racoon/isakmp.c, src/racoon/isakmp_inf.c,
    264 	  src/racoon/isakmp_quick.c, src/racoon/pfkey.c,
    265 	  src/racoon/policy.c, src/racoon/proposal.c,
    266 	  src/racoon/remoteconf.c, src/racoon/sainfo.c,
    267 	  src/racoon/session.c, src/racoon/sockmisc.c,
    268 	  src/racoon/strnames.c, src/setkey/parse.y, src/setkey/setkey.c,
    269 	  src/setkey/token.l: use a single PATH_IPSEC_H to fix some
    270 	  path_to_ipsec.h issues
    271 
    272 2007-07-24  Matthew Grooms <mgrooms (a] shrew.net>
    273 
    274 	* NEWS: Update NEWS file with additional 0.7 improvements.
    275 
    276 2007-07-18  Matthew Grooms <mgrooms (a] shrew.net>
    277 
    278 	* src/racoon/racoon.conf.5: Various racoon configuration manpage
    279 	  updates.
    280 
    281 2007-07-16  Yvan Vanhullebus <vanhu (a] netasq.com>
    282 
    283 	* src/racoon/grabmyaddr.c: fixed a socket leak
    284 
    285 2007-06-12  tag ipsec-tools-0_7-RC1
    286 
    287 2007-06-12  tag ipsec-tools-0_7-rc1
    288 
    289 2007-06-12  Emmanuel Dreyfus <manu (a] netbsd.org>
    290 
    291 	* configure.ac: ipsec-tools used to use tags in lower case
    292 
    293 2007-06-12  Yvan Vanhullebus <vanhu (a] netasq.com>
    294 
    295 	* configure.ac: 0.7-RC1
    296 
    297 2007-06-07  Emmanuel Dreyfus <manu (a] netbsd.org>
    298 
    299 	* src/racoon/: main.c, policy.h, security.c: From Joy Latten
    300 	  <latten (a] austin.ibm.com> Fix file descriptor shortage when using
    301 	  labeled IPsec.
    302 
    303 	* src/racoon/isakmp_cfg.c: From Paul Winder
    304 	  <Paul.Winder (a] tadpole.com> Fix ignored INTERNAL_DNS4_LIST
    305 
    306 2007-06-06  Yvan Vanhullebus <vanhu (a] netasq.com>
    307 
    308 	* src/racoon/: eaytest.c, var.h: From Rong-En Fan: fix compilation
    309 	  with gcc 4.2
    310 
    311 2007-06-06  Emmanuel Dreyfus <manu (a] netbsd.org>
    312 
    313 	* src/racoon/kmpstat.c: From Jianli Liu <jlliu (a] nortel.com>: Use the
    314 	  specified socket path instead of the default location
    315 
    316 2007-06-06  Yvan Vanhullebus <vanhu (a] netasq.com>
    317 
    318 	* src/racoon/session.c: From Jianli Liu: speed up interfaces update
    319 	  when they change.
    320 
    321 	* src/racoon/handler.c: ignore obsolete lifebyte when validating
    322 	  reloaded configuration
    323 
    324 2007-05-04  Yvan Vanhullebus <vanhu (a] netasq.com>
    325 
    326 	* src/racoon/handler.c: search a ph1 by address if iph2->ph1 is
    327 	  NULL when validating the new config
    328 
    329 	* src/racoon/handler.c: added some debug in getph1byaddr() to track
    330 	  some port matching problems with NAT-T
    331 
    332 	* src/racoon/isakmp.c: added some debug in isakmp_chkph1there() to
    333 	  track some port matching problems with NAT-T
    334 
    335 	* src/racoon/isakmp_inf.c: added some debug for DELETE_SA process
    336 
    337 	* src/racoon/pfkey.c: Force the update of ph2 in pk_recvupdate() if
    338 	  NAT_T support, to solve some port match problems with the first
    339 	  IPSec SAs negotiated as initiator
    340 
    341 2007-04-04  Yvan Vanhullebus <vanhu (a] netasq.com>
    342 
    343 	* src/racoon/ipsec_doi.c: checks proto_id in ipsecdoi_chkcmpids()
    344 
    345 	* src/racoon/oakley.c: dumps peer's ID and peer's certificate
    346 	  subject /subjectaltname if they don't match
    347 
    348 2007-03-29  tag ipsec-tools-0_7-beta3
    349 
    350 2007-03-29  Emmanuel Dreyfus <manu (a] netbsd.org>
    351 
    352 	* configure.ac: Bump to 0.7beta3
    353 
    354 2007-03-26  Yvan Vanhullebus <vanhu (a] netasq.com>
    355 
    356 	* src/racoon/isakmp_inf.c: Store the DPD main scheduler in ph1
    357 	  handler, to be able to cancel it when removing the handler, and some
    358 	  minor cleanups in DPD code
    359 
    360 2007-03-23  Yvan Vanhullebus <vanhu (a] netasq.com>
    361 
    362 	* src/racoon/: ipsec_doi.c, security.c: From Joy Latten: fix a
    363 	  segfault when using security labels between 32bit and 64bit host.
    364 
    365 	* src/racoon/handler.c: expire zombie handlers in getph2byid(), to
    366 	  avoid situations where we'll never negotiate a phase2 again
    367 
    368 	* src/racoon/: oakley.c, racoon.conf.5: From Cyrus Rahman: give
    369 	  more details about what is checked when using certificates to
    370 	  authenticate
    371 
    372 2007-03-22  Yvan Vanhullebus <vanhu (a] netasq.com>
    373 
    374 	* src/racoon/: cfparse.y, ipsec_doi.c: fixed subnet check to
    375 	  generate IPV4_ADDRESS when needed in sockaddr2id()
    376 
    377 2007-03-21  Yvan Vanhullebus <vanhu (a] netasq.com>
    378 
    379 	* src/racoon/: handler.c, isakmp.c, isakmp_inf.c, pfkey.c: NULL
    380 	  sched check is now done in SCHED_KILL
    381 
    382 	* src/racoon/schedule.h: checks if arg is NULL in SCHED_KILL
    383 
    384 2007-03-15  Yvan Vanhullebus <vanhu (a] netasq.com>
    385 
    386 	* src/racoon/grabmyaddr.c: From Yves-Alexis Perez: enable
    387 	  monitoring of ipv6 address changes on Linux.
    388 
    389 	* src/racoon/isakmp.c: Consider a negotiation timeout when
    390 	  retry_counter is <=0 instead of < 0
    391 
    392 2007-03-06  tag ipsec-tools-0_7-beta2
    393 
    394 2007-03-06  Emmanuel Dreyfus <manu (a] netbsd.org>
    395 
    396 	* configure.ac: Bump to 0.7beta2
    397 
    398 2007-03-01  Matthew Grooms <mgrooms (a] shrew.net>
    399 
    400 	* src/racoon/ipsec_doi.c: Add logic to allow ip address ids to be
    401 	  matched to ip subnet ids when appropriate.
    402 
    403 2007-02-21  Yvan Vanhullebus <vanhu (a] netasq.com>
    404 
    405 	* src/racoon/ipsec_doi.c: block variable declaration before code in
    406 	  ipsecdoi_id2str()
    407 
    408 2007-02-20  Yvan Vanhullebus <vanhu (a] netasq.com>
    409 
    410 	* src/racoon/isakmp_inf.c: Removed a debug printf....
    411 
    412 	* src/racoon/isakmp.c: Only delete a generated SPD if its creation
    413 	  date matches the creation date of the SA we are currently deleting
    414 
    415 	* src/racoon/: handler.c, isakmp_var.h: updated delete_spd() calls
    416 
    417 	* src/racoon/: isakmp_inf.c, pfkey.c: fills creation date of
    418 	  generated SPDs
    419 
    420 	* src/racoon/policy.h: added 'created' var
    421 
    422 2007-02-19  Yvan Vanhullebus <vanhu (a] netasq.com>
    423 
    424 	* src/racoon/isakmp.c: Removed a debug printf....
    425 
    426 2007-02-16  tag ipsec-tools-0_7-beta1
    427 
    428 2007-02-16  Emmanuel Dreyfus <manu (a] netbsd.org>
    429 
    430 	* configure.ac: Bump to 0.7beta1
    431 
    432 2007-02-16  Yvan Vanhullebus <vanhu (a] netasq.com>
    433 
    434 	* src/racoon/ipsec_doi.c: From Olivier Warin: Fix a %zu in a
    435 	  printf.
    436 
    437 2007-02-15  Emmanuel Dreyfus <manu (a] netbsd.org>
    438 
    439 	* src/racoon/security.c: Missing file for SELinux
    440 
    441 	* configure.ac: Missing stuff for SELinux
    442 
    443 2007-02-15  Yvan Vanhullebus <vanhu (a] netasq.com>
    444 
    445 	* src/racoon/isakmp_inf.c: From "Uncle Pedro" on sf.net: Just
    446 	  expire a ph1 handle when receiving a DELETE-SA instead of calling
    447 	  purge_remote().
    448 
    449 	* src/racoon/isakmp.c: Fixed the way phase1/2 messages are
    450 	  sent/resent, to avoid zombie handles and access to freed memory
    451 
    452 2007-02-02  Yvan Vanhullebus <vanhu (a] netasq.com>
    453 
    454 	* src/racoon/cfparse.y: Fixed a check of NAT-T support in libipsec
    455 
    456 2007-02-01  Yvan Vanhullebus <vanhu (a] netasq.com>
    457 
    458 	* src/racoon/isakmp_inf.c: From "Uncle Pedro" on sf.net: When
    459 	  receiving an ISAKMP DELETE_SA, get the cookie of the SA to be
    460 	  deleted from payload instead of just deleting the ISAKMP SA used to
    461 	  protect the informational exchange.
    462 
    463 2006-12-18  Yvan Vanhullebus <vanhu (a] netasq.com>
    464 
    465 	* src/racoon/crypto_openssl.c: From Joy Latten: fix a memory leak
    466 
    467 2006-12-10  tag ipsec-tools-0_7-base
    468 
    469 2006-12-10  Emmanuel Dreyfus <manu (a] netbsd.org>
    470 
    471 	* src/: libipsec/Makefile.am, libipsec/libpfkey.h,
    472 	  libipsec/pfkey.c, racoon/backupsa.c, racoon/cfparse.y,
    473 	  racoon/pfkey.c: Bring back API and ABI backward compatibility
    474 	  with previous libipsec before recent interface change. Bump libipsec
    475 	  minor version. Remove ifdefs in struct pfkey_send_sa_args to avoid
    476 	  ABI compatibility lossage.  Add a capability flags to detect missing
    477 	  optional feature in libipsec
    478 
    479 	* src/racoon/: Makefile.am, doc/README.plainrsa: From Joy Latten:
    480 	  README.plainrsa documenting plain RSA auth
    481 
    482 2006-12-09  Emmanuel Dreyfus <manu (a] netbsd.org>
    483 
    484 	* configure.ac, src/libipsec/libpfkey.h, src/libipsec/pfkey.c,
    485 	  src/racoon/Makefile.am, src/racoon/backupsa.c,
    486 	  src/racoon/backupsa.h, src/racoon/cftoken.l,
    487 	  src/racoon/ipsec_doi.c, src/racoon/ipsec_doi.h,
    488 	  src/racoon/isakmp_inf.c, src/racoon/isakmp_quick.c,
    489 	  src/racoon/pfkey.c, src/racoon/policy.c, src/racoon/policy.h,
    490 	  src/racoon/proposal.c, src/racoon/proposal.h,
    491 	  src/racoon/remoteconf.c: From Joy Latten: Add support for SELinux
    492 	  security contexts. Also cleanup the libipsec interface for adding
    493 	  and updating security associations.
    494 
    495 	* src/racoon/racoon.conf.5: From Simon Chang: More hints about
    496 	  plain RSA authentication
    497 
    498 2006-12-05  Yvan Vanhullebus <vanhu (a] netasq.com>
    499 
    500 	* src/racoon/: proposal.c, proposal.h, racoon.conf.5: Check keys
    501 	  length regarding proposal_check level
    502 
    503 2006-11-16  Matthew Grooms <mgrooms (a] shrew.net>
    504 
    505 	* src/racoon/sainfo.c: Correct issues associated with anonymous
    506 	  sainfo selection in racoon.
    507 
    508 2006-11-09  Christos Zoulas <christos (a] netbsd.org>
    509 
    510 	* src/racoon/crypto_openssl.c: eliminate the only variable stack
    511 	  array allocation.
    512 
    513 2006-10-31  Christian Biere <cbiere (a] netbsd.org>
    514 
    515 	* src/racoon/sockmisc.c: Don't define the deprecated
    516 	  IPV6_RECVDSTADDR if the "advanced IPv6 API" is used because
    517 	  IPV6_RECVPKTINFO and IPV6_PKTINFO are used to prevent potential bugs
    518 	  in the future just in case that the numeric value of the socket
    519 	  option is ever recycled.
    520 
    521 2006-10-22  Yvan Vanhullebus <vanhu (a] netasq.com>
    522 
    523 	* src/racoon/: backupsa.c, cfparse.y: From Michal Ruzicka: fix
    524 	  typos
    525 
    526 2006-10-19  Yvan Vanhullebus <vanhu (a] netasq.com>
    527 
    528 	* src/racoon/sainfo.c: From Matthew Grooms: use
    529 	  ipsecdoi_chkcmpids() and changed src/dst to loc/rmt in getsainfo().
    530 
    531 	* src/racoon/: ipsec_doi.c, ipsec_doi.h: From Matthew Grooms: Added
    532 	  ipsecdoi_chkcmpids() function.
    533 
    534 2006-10-09  Emmanuel Dreyfus <manu (a] netbsd.org>
    535 
    536 	* src/racoon/proposal.c: Fix memory leak (Coverity 3438 and 3437)
    537 
    538 	* src/racoon/isakmp_unity.c: Correctly check read() return value:
    539 	  it's signed (Coverity 1251)
    540 
    541 2006-10-06  Emmanuel Dreyfus <manu (a] netbsd.org>
    542 
    543 	* configure.ac, src/libipsec/pfkey_dump.c, src/racoon/algorithm.c,
    544 	  src/racoon/algorithm.h, src/racoon/cftoken.l,
    545 	  src/racoon/crypto_openssl.c, src/racoon/crypto_openssl.h,
    546 	  src/racoon/eaytest.c, src/racoon/ipsec_doi.c,
    547 	  src/racoon/ipsec_doi.h, src/racoon/oakley.h, src/racoon/pfkey.c,
    548 	  src/racoon/racoon.conf.5, src/racoon/strnames.c,
    549 	  src/setkey/setkey.8, src/setkey/test-pfkey.c, src/setkey/token.l:
    550 	  Camellia cipher support as in RFC 4312, from Tomoyuki Okazaki
    551 	  <okazaki (a] kick.gr.jp>
    552 
    553 2006-10-03  Emmanuel Dreyfus <manu (a] netbsd.org>
    554 
    555 	* src/racoon/admin.c: fix endianness issue introduced yesterday
    556 
    557 2006-10-03  Yvan Vanhullebus <vanhu (a] netasq.com>
    558 
    559 	* src/racoon/racoon.conf.5: Added remoteid/ph1id syntax
    560 
    561 	* src/racoon/: cfparse.y, cftoken.l: Parses remoteid/ph1id values
    562 
    563 	* src/racoon/: handler.c, isakmp_quick.c, pfkey.c, sainfo.c: Uses
    564 	  remoteid/ph1id values
    565 
    566 	* src/racoon/: remoteconf.h, sainfo.h: Added remoteid/ph1id values
    567 
    568 2006-10-02  Emmanuel Dreyfus <manu (a] netbsd.org>
    569 
    570 	* src/racoon/isakmp_base.c:
    571 	   avoid reusing free'd pointer (Coverity 2613)
    572 
    573 	* src/racoon/isakmp_inf.c: Check for NULL pointer (Coverity 4175)
    574 
    575 	* src/racoon/isakmp_ident.c: Remove dead code (Coverity 3451)
    576 
    577 	* src/racoon/algorithm.c: Fix array overrun (Coverity 4172)
    578 
    579 	* src/racoon/admin.c: Fix memory leak (Coverity 2002)
    580 
    581 	* src/racoon/: admin.c, isakmp.c, sockmisc.c: Fix memory leak
    582 	  (Coverity 2001), refactor the code to use port get/set functions
    583 
    584 	* src/racoon/admin.c: Avoid reusing free'd pointer (Coverity 4200)
    585 
    586 	* src/racoon/oakley.c: Don't use NULL pointer (Coverity 3443),
    587 	  reformat to 80 char/line
    588 
    589 2006-10-02  Tom Spindler <dogcow (a] netbsd.org>
    590 
    591 	* src/racoon/ipsec_doi.c: If you're going to initialize a pointer,
    592 	  you have to init it with a pointer type, not an int.
    593 
    594 2006-10-02  Emmanuel Dreyfus <manu (a] netbsd.org>
    595 
    596 	* src/racoon/isakmp.c: Don't use NULL pointer (Coverity 3439)
    597 
    598 	* src/racoon/ipsec_doi.c: Don't use NULL pointer (Coverity 1334)
    599 
    600 	* src/racoon/pfkey.c: Don't use NULL pointer (Coverity 944)
    601 
    602 	* src/racoon/proposal.c: Don't use NULL pointer (Coverity 941)
    603 
    604 	* src/racoon/racoonctl.c: Don't use NULL pointer (Coverity 942)
    605 
    606 	* src/racoon/sockmisc.c: Don't use null pointer (Coverity 863)
    607 
    608 2006-10-01  Emmanuel Dreyfus <manu (a] netbsd.org>
    609 
    610 	* src/racoon/ipsec_doi.c: Fix memory leak (Coverity 4181)
    611 
    612 	* src/racoon/isakmp.c: Check that iph1->remote is not NULL before
    613 	  using it (Coverity 3436)
    614 
    615 2006-09-30  Emmanuel Dreyfus <manu (a] netbsd.org>
    616 
    617 	* src/racoon/isakmp_agg.c: Remove dead code (Coverity 4165)
    618 
    619 	* src/racoon/isakmp_cfg.c: Fix memory leak (Coverity 4179)
    620 
    621 	* src/racoon/samples/roadwarrior/client/: phase1-down.sh,
    622 	  phase1-up.sh: update the scripts for working around routing
    623 	  problems on NetBSD
    624 
    625 	* src/racoon/session.c: Reuse existing code for closing IKE
    626 	  sockets, and avoid screwing things by setting p->sock = -1, which is
    627 	  not expected (Coverity 4173).
    628 
    629 	* src/racoon/admin.c: Do not free id and key, as they are used
    630 	  later
    631 
    632 2006-09-29  Emmanuel Dreyfus <manu (a] netbsd.org>
    633 
    634 	* src/racoon/racoonctl.c: Fix the fix: handle_recv closes the
    635 	  socket, so we must call com_init before sending any data.
    636 
    637 2006-09-28  Emmanuel Dreyfus <manu (a] netbsd.org>
    638 
    639 	* src/racoon/isakmp_xauth.c: Fix unchecked mallocs (Coverity 4176,
    640 	  4174)
    641 
    642 	* src/racoon/racoonctl.c: Fix access after free (Coverity 4178)
    643 
    644 2006-09-26  Emmanuel Dreyfus <manu (a] netbsd.org>
    645 
    646 	* src/racoon/cfparse.y: Fix memory leak (Coverity)
    647 
    648 	* src/racoon/backupsa.c: Fix memory leak (Coverity)
    649 
    650 	* src/racoon/admin.c: Remove dead code (Coverity)
    651 
    652 	* src/racoon/admin.c: Fix memory leak (Coverity)
    653 
    654 	* src/racoon/admin.c: One more memory leak
    655 
    656 	* src/racoon/admin.c: Fix memory leak in racoonctl (Coverity)
    657 
    658 	* src/racoon/ipsec_doi.c: Fix buffer overflow. Also fix credits: SA
    659 	  bundle fix was contributed by Jeff Bailey, not Matthew Grooms.
    660 	  Matthew updated the patch for current code, though.
    661 
    662 	* src/racoon/: pfkey.c, proposal.c: fix SA bundle (e.g.: for
    663 	  negotiating ESP+IPcomp)
    664 
    665 2006-09-25  Yvan Vanhullebus <vanhu (a] netasq.com>
    666 
    667 	* src/racoon/isakmp.c: From Yves-Alexis Perez: struct ip -> struct
    668 	  iphdr for Linux
    669 
    670 2006-09-25  Emmanuel Dreyfus <manu (a] netbsd.org>
    671 
    672 	* src/racoon/isakmp.c: style (mostly for testing
    673 	  ipsec-tools-commits (a] netbsd.org)
    674 
    675 	* src/racoon/ipsec_doi.c: Fix double free, from Matthew Grooms
    676 
    677 2006-09-21  Yvan Vanhullebus <vanhu (a] netasq.com>
    678 
    679 	* src/libipsec/pfkey.c: use sysdep_sa_len to make it compile on
    680 	  Linux
    681 
    682 2006-09-19  Thomas Klausner <wiz (a] netbsd.org>
    683 
    684 	* src/racoon/racoon.conf.5: Bump date for ike_frag force.
    685 
    686 	* src/racoon/: plainrsa-gen.8, racoon.conf.5: New sentence, new
    687 	  line.
    688 
    689 	* src/racoon/: racoon.conf.5, plainrsa-gen.8: Remove trailing
    690 	  whitespace.
    691 
    692 2006-09-19  Yvan Vanhullebus <vanhu (a] netasq.com>
    693 
    694 	* src/racoon/proposal.c: From Yves-Alexis Perez: fixes default
    695 	  value for encmodesv in set_proposal_from_policy()
    696 
    697 	* src/racoon/isakmp.c: always include some headers, as they are
    698 	  required even without NAT-T
    699 
    700 	* src/: libipsec/pfkey_dump.c, setkey/token.l: From Larry Baird:
    701 	  define SADB_X_EALG_AESCBC as SADB_X_EALG_AES if needed
    702 
    703 	* src/racoon/crypto_openssl.c: From Larry Baird: some printf() ->
    704 	  plog()
    705 
    706 2006-09-18  Emmanuel Dreyfus <manu (a] netbsd.org>
    707 
    708 	* src/racoon/: cfparse.y, cftoken.l, isakmp.c, isakmp_frag.h,
    709 	  isakmp_inf.c, racoon.conf.5, remoteconf.c: From Matthew Grooms:
    710 	  ike_frag force option to force the use of IKE on first packet
    711 	  exchange (prior to peer consent)
    712 
    713 2006-09-18  Yvan Vanhullebus <vanhu (a] netasq.com>
    714 
    715 	* rpm/suse/ipsec-tools.spec, src/racoon/prsa_tok.c: removed
    716 	  generated files from the CVS
    717 
    718 	* src/racoon/prsa_par.c: removed generated files from the CVS
    719 
    720 	* src/racoon/: cfparse.c, cftoken.c: removed generated files from
    721 	  the CVS
    722 
    723 2006-09-18  Emmanuel Dreyfus <manu (a] netbsd.org>
    724 
    725 	* src/racoon/isakmp.c: From Matthew Grooms: handle IKE frag used in
    726 	  the first packet. That should not normally happen, as the initiator
    727 	  does not know yet if the responder can handle IKE frag.  However, in
    728 	  some setups, the first packet is too big to get through, and
    729 	  assuming the peer supports IKE frag is the only way to go.
    730 
    731 	  racoon should have a setting in the remote section to do that
    732 	  (something like ike_frag force)
    733 
    734 2006-09-16  Emmanuel Dreyfus <manu (a] netbsd.org>
    735 
    736 	* src/racoon/ipsec_doi.c: Trivial bugfix in RFC2407 4.6.2
    737 	  conformance, from Matthew Grooms
    738 
    739 2006-09-15  Emmanuel Dreyfus <manu (a] netbsd.org>
    740 
    741 	* src/racoon/ipsec_doi.c: Fix build on Linux
    742 
    743 For older changes see ChangeLog.old
    744