2009-08-13  tag ipsec-tools-0_7_3

2009-08-13  Yvan Vanhullebus <vanhu (a] netasq.com>

	* NEWS, configure.ac: 0.7.3 release

	* src/racoon/oakley.c: fixed a potential DoS in
	  oakley_do_decrypt(), reported by Orange Labs

2009-08-06  Timo Teras <timo.teras (a] iki.fi>

	* src/setkey/setkey.c: From Paul Wenau: Check fgets return value in
	  setkey to make gcc happy.

2009-06-19  Timo Teras <timo.teras (a] iki.fi>

	* src/racoon/ipsec_doi.c: Backport S.P.Zeidler's fix to IPv6
	  address related stack smashing in ipsecdoi_id2str() from CVS HEAD.

2009-05-18  Timo Teras <timo.teras (a] iki.fi>

	* src/racoon/isakmp_inf.c: From Tomas Mraz: Remove variable that is
	  not really used; only referenced while uninitialized causing
	  valgrind error.

	* src/racoon/nattraversal.c: From Tomas Mraz: Fix natt_flags check.

2009-04-29  Timo Teras <timo.teras (a] iki.fi>

	* src/racoon/crypto_openssl.c: From Ross Meng: Fix a memory leak in
	  X509 certificate validation.

2009-04-22  tag ipsec-tools-0_7_2

2009-04-22  Timo Teras <timo.teras (a] iki.fi>

	* NEWS, configure.ac: Updates for 0.7.2 release

	* src/racoon/isakmp_frag.c: From Neil Kettle: Fix a possible null
	  pointer dereference in fragmentation code.

2009-04-20  Timo Teras <timo.teras (a] iki.fi>

	* src/racoon/: isakmp_inf.c, isakmp_xauth.c, plog.c: Originally from
	  Bin Li: Fix possible memory corruption in binsanitize().

	* src/racoon/crypto_openssl.c: From Stephen Bevan: Fix a x509
	  signature verification memory leak.

	* src/racoon/: admin.c, racoonctl.c: Originally from Bin Li: Fix a
	  crash with racoonctl logout user.

	* src/racoon/nattraversal.c: Fix a memory leak in nat-t keepalive
	  code.

	* src/racoon/handler.c: From Paul Moore: Phase2 message id's should
	  be unique wrt phase1, not globally.

2009-02-16  Timo Teras <timo.teras (a] iki.fi>

	* src/libipsec/policy_parse.y: From Paul Moore: Fix a heap
	  corruption bug (yacc return non-null terminated buffer and sprintf
	  writes over bounds).

2009-01-20  Timo Teras <timo.teras (a] iki.fi>

	* configure.ac: Fix a CPPLAGS typo to CPPFLAGS which was intended

	* misc/cvs2cl.pl, misc/cvsusermap, Makefile.am: Autogenerate
	  ChangeLog from NetBSD CVS. Put sourceforge.net changes to
	  ChangeLog.old.

	* misc/cvs2cl.pl: file cvs2cl.pl was added on branch
	  ipsec-tools-0_7-branch on 2009-01-20 14:36:32 +0000

	* misc/cvsusermap: file cvsusermap was added on branch
	  ipsec-tools-0_7-branch on 2009-01-20 14:36:32 +0000

2008-11-27  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/racoon/main.c: Set up a default value for Mode Config Pool
	  size if pool address specified but pool size not specified

	* src/racoon/isakmp_cfg.c: Fixed pool resizing

2008-09-25  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/racoon/isakmp.c: Fixed resending mechanism to have non-ESP
	  marker for retransmitted packets

2008-09-17  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/racoon/isakmp_inf.c: Fixed port match in purge_ipsec_spi()
	  when NAT-T enabled and trying to purge non NAT-T SAs

2008-08-12  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/racoon/isakmp.c: From Krzysztof Oledzki: Remove ph1handler if
	  we received an invalid first exchange from initiator.

2008-07-23  tag ipsec-tools-0_7_1

2008-07-23  Yvan Vanhullebus <vanhu (a] netasq.com>

	* NEWS: NEWS for 0.7.1 release

2008-07-23  Timo Teras <timo.teras (a] iki.fi>

	* src/racoon/Makefile.am: Do not use GNU make specific extension.

	* src/: libipsec/Makefile.am, racoon/Makefile.am,
	  setkey/Makefile.am: Do flex/bison invocation in a more standard
	  way, and keep the generated files in the dist tarball.

2008-07-22  Yvan Vanhullebus <vanhu (a] netasq.com>

	* configure.ac: 0.7.1 coming !

	* src/racoon/proposal.c: From Kohki Ohhira: fix some memory leaks,
	  when malloc fails or when peer sends invalid proposal.

2008-07-21  Timo Teras <timo.teras (a] iki.fi>

	* src/racoon/cfparse.y: Correct typo to fix the build.

	* src/racoon/cfparse.y: Do not set default gss id if xauth is used.

2008-07-15  Matthew Grooms <mgrooms (a] shrew.net>

	* src/racoon/isakmp_cfg.c: Fix a typo that prevented racoon from
	  building with hybrid enabled.

	* src/racoon/: crypto_openssl.c, eaytest.c, misc.c, misc.h,
	  racoonctl.c: Fix a conflict with the FreeBSD 8 system hexdump
	  function.

2008-07-11  Timo Teras <timo.teras (a] iki.fi>

	* src/racoon/: isakmp.c, isakmp_inf.c: Original patch from Atis
	  Elsts: Fix a double memory free and a memory corruption
	  (LIST_REMOVE() on an uninserted node) in some error handling paths.

2008-07-09  Timo Teras <timo.teras (a] iki.fi>

	* src/racoon/cfparse.y: From Chong Peng: fix a file descriptor and
	  memory leak on configuration file reread

2008-07-02  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/racoon/isakmp_inf.c: From Timo Teras: fixed some %d to %zu
	  (size_t values).

2008-06-18  Matthew Grooms <mgrooms (a] shrew.net>

	* src/racoon/: grabmyaddr.c, admin.c, ipsec_doi.c, isakmp.c,
	  isakmp_cfg.c, isakmp_inf.c, remoteconf.c: Use utility functions
	  to evaluate and manipulate network port values. No functional
	  changes. Submitted by Timo Teras.

2008-04-25  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/racoon/isakmp_inf.c: From Timo Teras: extract port numbers
	  from SADB_X_EXT_NAT_T[SD]PORT if present in purge_ipsec_spi().

2008-03-06  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/racoon/oakley.c: Generates a log if cert validation has been
	  disabled by configuration

2008-03-05  Matthew Grooms <mgrooms (a] shrew.net>

	* src/racoon/cfparse.y: Properly initialize the unity network
	  struct to prevent erroneous protocol and port info from being
	  transmitted.

	* src/racoon/pfkey.c: Provide better handling for pfkey socket read
	  errors. Submitted by Timo Teras.

2008-02-25  Emmanuel Dreyfus <manu (a] netbsd.org>

	* src/racoon/ipsec_doi.c: From Brian Haley <brian.haley (a] hp.com>:
	  There's a cut/paste error in cmp_aproppair_i(), it's supposed to be
	  checking spi_size but it's not. I'm not sure this patch is correct,
	  but what's there isn't either.

	  Add forgotten entry in ChangeLog

2008-02-22  Emmanuel Dreyfus <manu (a] netbsd.org>

	* src/racoon/isakmp.c: Fix bad address length computation, from
	  Brian Haley.

2008-01-11  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/racoon/isakmp_inf.c: From Timo Teras: reset iph1->dpd_r_u in
	  the scheduler's callback, to avoid access to freed memory.

	* src/racoon/crypto_openssl.c: From Krzysztof Oledzki: Fix
	  compilation with IDEA and recent gcc.

	* src/racoon/isakmp_inf.c: From Krzysztof Oledzki: added some
	  details to some logs (also reported new getph1byaddr() arg).

	* src/racoon/isakmp.c: From Krzysztof Oledzki: Only search for
	  established ph1 handles in DPD (also reported new getph1byaddr()
	  arg).

	* src/racoon/: handler.c, handler.h: added an 'established' arg to
	  getph1byaddr()

2007-11-29  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/racoon/Makefile.am: From Natanael Copa: fixed a race
	  condition when building yacc stuff.

2007-11-06  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/racoon/crypto_openssl.c: From Scott Lamb: include plog.h to
	  work with the new plog macro.

	* src/racoon/kmpstat.c: From Scott Lamb: plog changed to _plog to
	  work with new plog macro

	* src/racoon/: plog.c, plog.h: From Scott Lamb: new plog macro.

2007-10-15  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/libipsec/pfkey.c: Try to increase the buffer size of the
	  pfkey socket, this may help things when we have a huge SPD

2007-09-19  Matthew Grooms <mgrooms (a] shrew.net>

	* configure.ac: Fix autoconf check for selinux support. Submitted
	  by Joy Latten.

2007-09-03  Matthew Grooms <mgrooms (a] shrew.net>

	* src/racoon/: cftoken.l, racoon.conf.5: Correct the syntax for
	  wins4 in the man page and add nbns4 as an alias. Pointed out by
	  Claas Langbehn.

2007-08-09  tag ipsec-tools-0_7

2007-08-09  Matthew Grooms <mgrooms (a] shrew.net>

	* NEWS, configure.ac: Prepare for 0.7 release tag.

2007-08-07  Emmanuel Dreyfus <manu (a] netbsd.org>

	* src/racoon/isakmp_xauth.c: Don't mix up RADIUS authentication and
	  authorization ports. Allow interoperability with freeradius

2007-08-01  Yvan Vanhullebus <vanhu (a] netasq.com>

	* configure.ac, src/libipsec/ipsec_dump_policy.c,
	  src/libipsec/ipsec_get_policylen.c,
	  src/libipsec/ipsec_strerror.c, src/libipsec/key_debug.c,
	  src/libipsec/libpfkey.h, src/libipsec/pfkey.c,
	  src/libipsec/pfkey_dump.c, src/libipsec/policy_parse.y,
	  src/libipsec/policy_token.l, src/libipsec/test-policy-priority.c,
	  src/racoon/admin.c, src/racoon/backupsa.c, src/racoon/cfparse.y,
	  src/racoon/cftoken.l, src/racoon/ipsec_doi.c,
	  src/racoon/isakmp.c, src/racoon/isakmp_inf.c,
	  src/racoon/isakmp_quick.c, src/racoon/pfkey.c,
	  src/racoon/policy.c, src/racoon/proposal.c,
	  src/racoon/remoteconf.c, src/racoon/sainfo.c,
	  src/racoon/session.c, src/racoon/sockmisc.c,
	  src/racoon/strnames.c, src/setkey/parse.y, src/setkey/setkey.c,
	  src/setkey/token.l: use a single PATH_IPSEC_H to fix some
	  path_to_ipsec.h issues

2007-07-24  Matthew Grooms <mgrooms (a] shrew.net>

	* NEWS: Update NEWS file with additional 0.7 improvements.

2007-07-18  Matthew Grooms <mgrooms (a] shrew.net>

	* src/racoon/racoon.conf.5: Various racoon configuration manpage
	  updates.

2007-07-16  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/racoon/grabmyaddr.c: fixed a socket leak

2007-06-12  tag ipsec-tools-0_7-RC1

2007-06-12  tag ipsec-tools-0_7-rc1

2007-06-12  Emmanuel Dreyfus <manu (a] netbsd.org>

	* configure.ac: ipsec-tools used to use tags in lower case

2007-06-12  Yvan Vanhullebus <vanhu (a] netasq.com>

	* configure.ac: 0.7-RC1

2007-06-07  Emmanuel Dreyfus <manu (a] netbsd.org>

	* src/racoon/: main.c, policy.h, security.c: From Joy Latten
	  <latten (a] austin.ibm.com> Fix file descriptor shortage when using
	  labeled IPsec.

	* src/racoon/isakmp_cfg.c: From Paul Winder
	  <Paul.Winder (a] tadpole.com> Fix ignored INTERNAL_DNS4_LIST

2007-06-06  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/racoon/: eaytest.c, var.h: From Rong-En Fan: fix compilation
	  with gcc 4.2

2007-06-06  Emmanuel Dreyfus <manu (a] netbsd.org>

	* src/racoon/kmpstat.c: From Jianli Liu <jlliu (a] nortel.com>: Use the
	  specified socket path instead of the default location

2007-06-06  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/racoon/session.c: From Jianli Liu: speed up interfaces update
	  when they change.

	* src/racoon/handler.c: ignore obsolete lifebyte when validating
	  reloaded configuration

2007-05-04  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/racoon/handler.c: search a ph1 by address if iph2->ph1 is
	  NULL when validating the new config

	* src/racoon/handler.c: added some debug in getph1byaddr() to track
	  some port matching problems with NAT-T

	* src/racoon/isakmp.c: added some debug in isakmp_chkph1there() to
	  track some port matching problems with NAT-T

	* src/racoon/isakmp_inf.c: added some debug for DELETE_SA process

	* src/racoon/pfkey.c: Force the update of ph2 in pk_recvupdate() if
	  NAT_T support, to solve some port match problems with the first
	  IPSec SAs negotiated as initiator

2007-04-04  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/racoon/ipsec_doi.c: checks proto_id in ipsecdoi_chkcmpids()

	* src/racoon/oakley.c: dumps peer's ID and peer's certificate
	  subject /subjectaltname if they don't match

2007-03-29  tag ipsec-tools-0_7-beta3

2007-03-29  Emmanuel Dreyfus <manu (a] netbsd.org>

	* configure.ac: Bump to 0.7beta3

2007-03-26  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/racoon/isakmp_inf.c: Store the DPD main scheduler in ph1
	  handler, to be able to cancel it when removing the handler, and some
	  minor cleanups in DPD code

2007-03-23  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/racoon/: ipsec_doi.c, security.c: From Joy Latten: fix a
	  segfault when using security labels between 32bit and 64bit host.

	* src/racoon/handler.c: expire zombie handlers in getph2byid(), to
	  avoid situations where we'll never negotiate a phase2 again

	* src/racoon/: oakley.c, racoon.conf.5: From Cyrus Rahman: give
	  more details about what is checked when using certificates to
	  authenticate

2007-03-22  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/racoon/: cfparse.y, ipsec_doi.c: fixed subnet check to
	  generate IPV4_ADDRESS when needed in sockaddr2id()

2007-03-21  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/racoon/: handler.c, isakmp.c, isakmp_inf.c, pfkey.c: NULL
	  sched check is now done in SCHED_KILL

	* src/racoon/schedule.h: checks if arg is NULL in SCHED_KILL

2007-03-15  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/racoon/grabmyaddr.c: From Yves-Alexis Perez: enable
	  monitoring of ipv6 address changes on Linux.

	* src/racoon/isakmp.c: Consider a negotiation timeout when
	  retry_counter is <=0 instead of < 0

2007-03-06  tag ipsec-tools-0_7-beta2

2007-03-06  Emmanuel Dreyfus <manu (a] netbsd.org>

	* configure.ac: Bump to 0.7beta2

2007-03-01  Matthew Grooms <mgrooms (a] shrew.net>

	* src/racoon/ipsec_doi.c: Add logic to allow ip address ids to be
	  matched to ip subnet ids when appropriate.

2007-02-21  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/racoon/ipsec_doi.c: block variable declaration before code in
	  ipsecdoi_id2str()

2007-02-20  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/racoon/isakmp_inf.c: Removed a debug printf....

	* src/racoon/isakmp.c: Only delete a generated SPD if its creation
	  date matches the creation date of the SA we are currently deleting

	* src/racoon/: handler.c, isakmp_var.h: updated delete_spd() calls

	* src/racoon/: isakmp_inf.c, pfkey.c: fills creation date of
	  generated SPDs

	* src/racoon/policy.h: added 'created' var

2007-02-19  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/racoon/isakmp.c: Removed a debug printf....

2007-02-16  tag ipsec-tools-0_7-beta1

2007-02-16  Emmanuel Dreyfus <manu (a] netbsd.org>

	* configure.ac: Bump to 0.7beta1

2007-02-16  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/racoon/ipsec_doi.c: From Olivier Warin: Fix a %zu in a
	  printf.

2007-02-15  Emmanuel Dreyfus <manu (a] netbsd.org>

	* src/racoon/security.c: Missing file for SELinux

	* configure.ac: Missing stuff for SELinux

2007-02-15  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/racoon/isakmp_inf.c: From "Uncle Pedro" on sf.net: Just
	  expire a ph1 handle when receiving a DELETE-SA instead of calling
	  purge_remote().

	* src/racoon/isakmp.c: Fixed the way phase1/2 messages are
	  sent/resent, to avoid zombie handles and access to freed memory

2007-02-02  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/racoon/cfparse.y: Fixed a check of NAT-T support in libipsec

2007-02-01  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/racoon/isakmp_inf.c: From "Uncle Pedro" on sf.net: When
	  receiving an ISAKMP DELETE_SA, get the cookie of the SA to be
	  deleted from payload instead of just deleting the ISAKMP SA used to
	  protect the informational exchange.

2006-12-18  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/racoon/crypto_openssl.c: From Joy Latten: fix a memory leak

2006-12-10  tag ipsec-tools-0_7-base

2006-12-10  Emmanuel Dreyfus <manu (a] netbsd.org>

	* src/: libipsec/Makefile.am, libipsec/libpfkey.h,
	  libipsec/pfkey.c, racoon/backupsa.c, racoon/cfparse.y,
	  racoon/pfkey.c: Bring back API and ABI backward compatibility
	  with previous libipsec before recent interface change. Bump libipsec
	  minor version. Remove ifdefs in struct pfkey_send_sa_args to avoid
	  ABI compatibility lossage. Add a capability flags to detect missing
	  optional feature in libipsec

	* src/racoon/: Makefile.am, doc/README.plainrsa: From Joy Latten:
	  README.plainrsa documenting plain RSA auth

2006-12-09  Emmanuel Dreyfus <manu (a] netbsd.org>

	* configure.ac, src/libipsec/libpfkey.h, src/libipsec/pfkey.c,
	  src/racoon/Makefile.am, src/racoon/backupsa.c,
	  src/racoon/backupsa.h, src/racoon/cftoken.l,
	  src/racoon/ipsec_doi.c, src/racoon/ipsec_doi.h,
	  src/racoon/isakmp_inf.c, src/racoon/isakmp_quick.c,
	  src/racoon/pfkey.c, src/racoon/policy.c, src/racoon/policy.h,
	  src/racoon/proposal.c, src/racoon/proposal.h,
	  src/racoon/remoteconf.c: From Joy Latten: Add support for SELinux
	  security contexts. Also cleanup the libipsec interface for adding
	  and updating security associations.

	* src/racoon/racoon.conf.5: From Simon Chang: More hints about
	  plain RSA authentication

2006-12-05  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/racoon/: proposal.c, proposal.h, racoon.conf.5: Check keys
	  length regarding proposal_check level

2006-11-16  Matthew Grooms <mgrooms (a] shrew.net>

	* src/racoon/sainfo.c: Correct issues associated with anonymous
	  sainfo selection in racoon.

2006-11-09  Christos Zoulas <christos (a] netbsd.org>

	* src/racoon/crypto_openssl.c: eliminate the only variable stack
	  array allocation.

2006-10-31  Christian Biere <cbiere (a] netbsd.org>

	* src/racoon/sockmisc.c: Don't define the deprecated
	  IPV6_RECVDSTADDR if the "advanced IPv6 API" is used because
	  IPV6_RECVPKTINFO and IPV6_PKTINFO are used to prevent potential bugs
	  in the future just in case that the numeric value of the socket
	  option is ever recycled.

2006-10-22  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/racoon/: backupsa.c, cfparse.y: From Michal Ruzicka: fix
	  typos

2006-10-19  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/racoon/sainfo.c: From Matthew Grooms: use
	  ipsecdoi_chkcmpids() and changed src/dst to loc/rmt in getsainfo().

	* src/racoon/: ipsec_doi.c, ipsec_doi.h: From Matthew Grooms: Added
	  ipsecdoi_chkcmpids() function.

2006-10-09  Emmanuel Dreyfus <manu (a] netbsd.org>

	* src/racoon/proposal.c: Fix memory leak (Coverity 3438 and 3437)

	* src/racoon/isakmp_unity.c: Correctly check read() return value:
	  it's signed (Coverity 1251)

2006-10-06  Emmanuel Dreyfus <manu (a] netbsd.org>

	* configure.ac, src/libipsec/pfkey_dump.c, src/racoon/algorithm.c,
	  src/racoon/algorithm.h, src/racoon/cftoken.l,
	  src/racoon/crypto_openssl.c, src/racoon/crypto_openssl.h,
	  src/racoon/eaytest.c, src/racoon/ipsec_doi.c,
	  src/racoon/ipsec_doi.h, src/racoon/oakley.h, src/racoon/pfkey.c,
	  src/racoon/racoon.conf.5, src/racoon/strnames.c,
	  src/setkey/setkey.8, src/setkey/test-pfkey.c, src/setkey/token.l:
	  Camellia cipher support as in RFC 4312, from Tomoyuki Okazaki
	  <okazaki (a] kick.gr.jp>

2006-10-03  Emmanuel Dreyfus <manu (a] netbsd.org>

	* src/racoon/admin.c: fix endianness issue introduced yesterday

2006-10-03  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/racoon/racoon.conf.5: Added remoteid/ph1id syntax

	* src/racoon/: cfparse.y, cftoken.l: Parses remoteid/ph1id values

	* src/racoon/: handler.c, isakmp_quick.c, pfkey.c, sainfo.c: Uses
	  remoteid/ph1id values

	* src/racoon/: remoteconf.h, sainfo.h: Added remoteid/ph1id values

2006-10-02  Emmanuel Dreyfus <manu (a] netbsd.org>

	* src/racoon/isakmp_base.c:
	  avoid reusing free'd pointer (Coverity 2613)

	* src/racoon/isakmp_inf.c: Check for NULL pointer (Coverity 4175)

	* src/racoon/isakmp_ident.c: Remove dead code (Coverity 3451)

	* src/racoon/algorithm.c: Fix array overrun (Coverity 4172)

	* src/racoon/admin.c: Fix memory leak (Coverity 2002)

	* src/racoon/: admin.c, isakmp.c, sockmisc.c: Fix memory leak
	  (Coverity 2001), refactor the code to use port get/set functions

	* src/racoon/admin.c: Avoid reusing free'd pointer (Coverity 4200)

	* src/racoon/oakley.c: Don't use NULL pointer (Coverity 3443),
	  reformat to 80 char/line

2006-10-02  Tom Spindler <dogcow (a] netbsd.org>

	* src/racoon/ipsec_doi.c: If you're going to initialize a pointer,
	  you have to init it with a pointer type, not an int.

2006-10-02  Emmanuel Dreyfus <manu (a] netbsd.org>

	* src/racoon/isakmp.c: Don't use NULL pointer (coverity 3439)

	* src/racoon/ipsec_doi.c: Don't use NULL pointer (Coverity 1334)

	* src/racoon/pfkey.c: Don't use NULL pointer (Coverity 944)

	* src/racoon/proposal.c: Don't use NULL pointer (Coverity 941)

	* src/racoon/racoonctl.c: Don't use NULL pointer (Coverity 942)

	* src/racoon/sockmisc.c: Don't use null pointer (Coverity 863)

2006-10-01  Emmanuel Dreyfus <manu (a] netbsd.org>

	* src/racoon/ipsec_doi.c: Fix memory leak (Coverity 4181)

	* src/racoon/isakmp.c: Check that iph1->remote is not NULL before
	  using it (Coverity 3436)

2006-09-30  Emmanuel Dreyfus <manu (a] netbsd.org>

	* src/racoon/isakmp_agg.c: Remove dead code (Coverity 4165)

	* src/racoon/isakmp_cfg.c: Fix memory leak (Coverity 4179)

	* src/racoon/samples/roadwarrior/client/: phase1-down.sh,
	  phase1-up.sh: update the scripts for working around routing
	  problems on NetBSD

	* src/racoon/session.c: Reuse existing code for closing IKE
	  sockets, and avoid screwing things by setting p->sock = -1, which is
	  not expected (Coverity 4173).

	* src/racoon/admin.c: Do not free id and key, as they are used
	  later

2006-09-29  Emmanuel Dreyfus <manu (a] netbsd.org>

	* src/racoon/racoonctl.c: Fix the fix: handle_recv closes the
	  socket, so we must call com_init before sending any data.

2006-09-28  Emmanuel Dreyfus <manu (a] netbsd.org>

	* src/racoon/isakmp_xauth.c: Fix unchecked mallocs (Coverity 4176,
	  4174)

	* src/racoon/racoonctl.c: Fix access after free (Coverity 4178)

2006-09-26  Emmanuel Dreyfus <manu (a] netbsd.org>

	* src/racoon/cfparse.y: Fix memory leak (Coverity)

	* src/racoon/backupsa.c: Fix memory leak (Coverity)

	* src/racoon/admin.c: Remove dead code (Coverity)

	* src/racoon/admin.c: Fix memory leak (Coverity)

	* src/racoon/admin.c: One more memory leak

	* src/racoon/admin.c: Fix memory leak in racoonctl (coverity)

	* src/racoon/ipsec_doi.c: Fix buffer overflow. Also fix credits: SA
	  bundle fix was contributed by Jeff Bailey, not Matthew Grooms.
	  Matthew updated the patch for current code, though.

	* src/racoon/: pfkey.c, proposal.c: fix SA bundle (e.g.: for
	  negotiating ESP+IPcomp)

2006-09-25  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/racoon/isakmp.c: From Yves-Alexis Perez: struct ip -> struct
	  iphdr for Linux

2006-09-25  Emmanuel Dreyfus <manu (a] netbsd.org>

	* src/racoon/isakmp.c: style (mostly for testing
	  ipsec-tools-commits (a] netbsd.org)

	* src/racoon/ipsec_doi.c: Fix double free, from Matthew Grooms

2006-09-21  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/libipsec/pfkey.c: use sysdep_sa_len to make it compile on
	  Linux

2006-09-19  Thomas Klausner <wiz (a] netbsd.org>

	* src/racoon/racoon.conf.5: Bump date for ike_frag force.

	* src/racoon/: plainrsa-gen.8, racoon.conf.5: New sentence, new
	  line.

	* src/racoon/: racoon.conf.5, plainrsa-gen.8: Remove trailing
	  whitespace.

2006-09-19  Yvan Vanhullebus <vanhu (a] netasq.com>

	* src/racoon/proposal.c: From Yves-Alexis Perez: fixes default
	  value for encmodesv in set_proposal_from_policy()

	* src/racoon/isakmp.c: always include some headers, as they are
	  required even without NAT-T

	* src/: libipsec/pfkey_dump.c, setkey/token.l: From Larry Baird:
	  define SADB_X_EALG_AESCBC as SADB_X_EALG_AES if needed

	* src/racoon/crypto_openssl.c: From Larry Baird: some printf() ->
	  plog()

2006-09-18  Emmanuel Dreyfus <manu (a] netbsd.org>

	* src/racoon/: cfparse.y, cftoken.l, isakmp.c, isakmp_frag.h,
	  isakmp_inf.c, racoon.conf.5, remoteconf.c: From Matthew Grooms:
	  ike_frag force option to force the use of IKE on first packet
	  exchange (prior to peer consent)

2006-09-18  Yvan Vanhullebus <vanhu (a] netasq.com>

	* rpm/suse/ipsec-tools.spec, src/racoon/prsa_tok.c: removed
	  generated files from the CVS

	* src/racoon/prsa_par.c: removed generated files from the CVS

	* src/racoon/: cfparse.c, cftoken.c: removed generated files from
	  the CVS

2006-09-18  Emmanuel Dreyfus <manu (a] netbsd.org>

	* src/racoon/isakmp.c: From Matthew Grooms: handle IKE frag used in
	  the first packet. That should not normally happen, as the initiator
	  does not know yet if the responder can handle IKE frag. However, in
	  some setups, the first packet is too big to get through, and
	  assuming the peer supports IKE frag is the only way to go.

	  racoon should have a setting in the remote section to do that
	  (something like ike_frag force)

2006-09-16  Emmanuel Dreyfus <manu (a] netbsd.org>

	* src/racoon/ipsec_doi.c: Trivial bugfix in RFC2407 4.6.2
	  conformance, from Matthew Grooms

2006-09-15  Emmanuel Dreyfus <manu (a] netbsd.org>

	* src/racoon/ipsec_doi.c: Fix build on Linux

For older changes see ChangeLog.old