2009-04-22 tag ipsec-tools-0_7_2 2009-04-22 Timo Teras * NEWS, configure.ac: Updates for 0.7.2 release * src/racoon/isakmp_frag.c: From Neil Kettle: Fix a possible null pointer dereference in fragmentation code. 2009-04-20 Timo Teras * src/racoon/: isakmp_inf.c, isakmp_xauth.c, plog.c: Orignally from Bin Li: Fix possible memory corruption in binsanitize(). * src/racoon/crypto_openssl.c: From Stephen Bevan: Fix a x509 signature verification memory leak. * src/racoon/: admin.c, racoonctl.c: Originally from Bin Li: Fix a crash with racoonctl logout user. * src/racoon/nattraversal.c: Fix a memory leak in nat-t keepalive code. * src/racoon/handler.c: From Paul Moore: Phase2 message id's should be unique wrt phase1, not globally. 2009-02-16 Timo Teras * src/libipsec/policy_parse.y: From Paul Moore: Fix a heap corruption bug (yacc return non-null terminated buffer and sprintf writes over bounds). 2009-01-20 Timo Teras * configure.ac: Fix a CPPLAGS typo to CPPFLAGS which was intended * misc/cvs2cl.pl, misc/cvsusermap, Makefile.am: Autogenerate ChangeLog from NetBSD CVS. Put sourceforge.net changes to ChangeLog.old. * misc/cvs2cl.pl: file cvs2cl.pl was added on branch ipsec-tools-0_7-branch on 2009-01-20 14:36:32 +0000 * misc/cvsusermap: file cvsusermap was added on branch ipsec-tools-0_7-branch on 2009-01-20 14:36:32 +0000 2008-11-27 Yvan Vanhullebus * src/racoon/main.c: Set up a default value for Mode Config Pool size if pool address specified but pool size not specified * src/racoon/isakmp_cfg.c: Fixed pool resizing 2008-09-25 Yvan Vanhullebus * src/racoon/isakmp.c: Fixed resending mechanism to have non-ESP marker for retransmitted packets 2008-09-17 Yvan Vanhullebus * src/racoon/isakmp_inf.c: Fixed port match in purge_ipsec_spi() when NAT-T enabled and trying to purge non NAT-T SAs 2008-08-12 Yvan Vanhullebus * src/racoon/isakmp.c: From Krzysztof Oledzki: Remove ph1handler if we received an invalid first exchange from initiator. 2008-07-23 tag ipsec-tools-0_7_1 2008-07-23 Yvan Vanhullebus * NEWS: NEWS for 0.7.1 release 2008-07-23 Timo Teras * src/racoon/Makefile.am: Do not use GNU make specific extension. * src/: libipsec/Makefile.am, racoon/Makefile.am, setkey/Makefile.am: Do flex/bison invocation in a more standard way, and keep the generated files in the dist tarball. 2008-07-22 Yvan Vanhullebus * configure.ac: 0.7.1 coming ! * src/racoon/proposal.c: From Kohki Ohhira: fix some memory leaks, when malloc fails or when peer sends invalid proposal. 2008-07-21 Timo Teras * src/racoon/cfparse.y: Correct typo to fix the build. * src/racoon/cfparse.y: Do not set default gss id if xauth is used. 2008-07-15 Matthew Grooms * src/racoon/isakmp_cfg.c: Fix an a typo that prevented racoon from building with hybrid enabled. * src/racoon/: crypto_openssl.c, eaytest.c, misc.c, misc.h, racoonctl.c: Fix a conflict with the FreeBSD 8 system hexdump function. 2008-07-11 Timo Teras * src/racoon/: isakmp.c, isakmp_inf.c: Original patch from Atis Elsts: Fix a double memory free and a memory corruption (LIST_REMOVE() on an uninserted node) in some error handling paths. 2008-07-09 Timo Teras * src/racoon/cfparse.y: From Chong Peng: fix a file descriptor and memory leak on configuration file reread 2008-07-02 Yvan Vanhullebus * src/racoon/isakmp_inf.c: From Timo Teras: fixed some %d to %zu (size_t values). 2008-06-18 Matthew Grooms * src/racoon/: grabmyaddr.c, admin.c, ipsec_doi.c, isakmp.c, isakmp_cfg.c, isakmp_inf.c, remoteconf.c: Use utility functions to evaluate and manipulate network port values. No functional changes. Submitted by Timo Teras. 2008-04-25 Yvan Vanhullebus * src/racoon/isakmp_inf.c: From Timo Teras: extract port numbers from SADB_X_EXT_NAT_T[SD]PORT if present in purge_ipsec_spi(). 2008-03-06 Yvan Vanhullebus * src/racoon/oakley.c: Generates a log if cert validation has been disabled by configuration 2008-03-05 Matthew Grooms * src/racoon/cfparse.y: Properly initialize the unity network struct to prevent erroneous protocol and port info from being transmitted. * src/racoon/pfkey.c: Provide better handling for pfkey socket read errors. Submitted by Timo Teras. 2008-02-25 Emmanuel Dreyfus * src/racoon/ipsec_doi.c: From Brian Haley : There's a cut/paste error in cmp_aproppair_i(), it's supposed to be checking spi_size but it's not. I'm not sure this patch is correct, but what's there isn't either. Add fogotten entry in ChangeLog 2008-02-22 Emmanuel Dreyfus * src/racoon/isakmp.c: Fix bad address length computation, from Brian Haley. 2008-01-11 Yvan Vanhullebus * src/racoon/isakmp_inf.c: From Timo Teras: reset iph1->dpd_r_u in the scheduler's callback, to avoid access to freed memory. * src/racoon/crypto_openssl.c: From Krzysztof Oledzki: Fix compilation with IDEA and recent gcc. * src/racoon/isakmp_inf.c: From Krzysztof Oledzki: added some details to some logs (also reported new getph1byaddr() arg). * src/racoon/isakmp.c: From Krzysztof Oledzki: Only search for established ph1 handles in DPD (also reported new getph1byaddr() arg). * src/racoon/: handler.c, handler.h: added an 'established' arg to getph1byaddr() 2007-11-29 Yvan Vanhullebus * src/racoon/Makefile.am: From Natanael Copa: fixed a race condition when building yacc stuff. 2007-11-06 Yvan Vanhullebus * src/racoon/crypto_openssl.c: From Scott Lamb: include plog.h to work with the new plog macro. * src/racoon/kmpstat.c: From Scott Lamb: plog changed to _plog to work with new plog macro * src/racoon/: plog.c, plog.h: From Scott Lamb: new plog macro. 2007-10-15 Yvan Vanhullebus * src/libipsec/pfkey.c: Try to increase the buffer size of the pfkey socket, this may help things when we have a huge SPD 2007-09-19 Matthew Grooms * configure.ac: Fix autoconf check for selinux support. Submitted by Joy Latten. 2007-09-03 Matthew Grooms * src/racoon/: cftoken.l, racoon.conf.5: Correct the syntax for wins4 in the man page and add nbns4 as an alias. Pointed out by Claas Langbehn. 2007-08-09 tag ipsec-tools-0_7 2007-08-09 Matthew Grooms * NEWS, configure.ac: Prepare for 0.7 release tag. 2007-08-07 Emmanuel Dreyfus * src/racoon/isakmp_xauth.c: Don't mix up RADIUS authentication and authorization ports. Allow interoperability with freeradius 2007-08-01 Yvan Vanhullebus * configure.ac, src/libipsec/ipsec_dump_policy.c, src/libipsec/ipsec_get_policylen.c, src/libipsec/ipsec_strerror.c, src/libipsec/key_debug.c, src/libipsec/libpfkey.h, src/libipsec/pfkey.c, src/libipsec/pfkey_dump.c, src/libipsec/policy_parse.y, src/libipsec/policy_token.l, src/libipsec/test-policy-priority.c, src/racoon/admin.c, src/racoon/backupsa.c, src/racoon/cfparse.y, src/racoon/cftoken.l, src/racoon/ipsec_doi.c, src/racoon/isakmp.c, src/racoon/isakmp_inf.c, src/racoon/isakmp_quick.c, src/racoon/pfkey.c, src/racoon/policy.c, src/racoon/proposal.c, src/racoon/remoteconf.c, src/racoon/sainfo.c, src/racoon/session.c, src/racoon/sockmisc.c, src/racoon/strnames.c, src/setkey/parse.y, src/setkey/setkey.c, src/setkey/token.l: use a single PATH_IPSEC_H to fix some path_to_ipsec.h issues 2007-07-24 Matthew Grooms * NEWS: Update NEWS file with additional 0.7 improvements. 2007-07-18 Matthew Grooms * src/racoon/racoon.conf.5: Various racoon configuration manpage updates. 2007-07-16 Yvan Vanhullebus * src/racoon/grabmyaddr.c: fixed a socket leak 2007-06-12 tag ipsec-tools-0_7-RC1 2007-06-12 tag ipsec-tools-0_7-rc1 2007-06-12 Emmanuel Dreyfus * configure.ac: ipsec-tools used to use tags in lower case 2007-06-12 Yvan Vanhullebus * configure.ac: 0.7-RC1 2007-06-07 Emmanuel Dreyfus * src/racoon/: main.c, policy.h, security.c: From Joy Latten Fix file descriptor shortage when using labeled IPsec. * src/racoon/isakmp_cfg.c: From Paul Winder Fix ignored INTERNAL_DNS4_LIST 2007-06-06 Yvan Vanhullebus * src/racoon/: eaytest.c, var.h: From Rong-En Fan: fix compilation with gcc 4.2 2007-06-06 Emmanuel Dreyfus * src/racoon/kmpstat.c: From Jianli Liu : Use the specified socket path instead of the default location 2007-06-06 Yvan Vanhullebus * src/racoon/session.c: From Jianli Liu: speed up interfaces update when they change. * src/racoon/handler.c: ignore obsolete lifebyte when validating reloaded configuration 2007-05-04 Yvan Vanhullebus * src/racoon/handler.c: search a ph1 by address if iph2->ph1 is NULL when validating the new config * src/racoon/handler.c: added some debug in getph1byaddr() to track some port matching problems with NAT-T * src/racoon/isakmp.c: added some debug in isakmp_chkph1there() to track some port matching problems with NAT-T * src/racoon/isakmp_inf.c: added some debug for DELETE_SA process * src/racoon/pfkey.c: Force the update of ph2 in pk_recvupdate() if NAT_T support, to solve some port match problems with the first IPSec SAs negociated as initiator 2007-04-04 Yvan Vanhullebus * src/racoon/ipsec_doi.c: checks proto_id in ipsecdoi_chkcmpids() * src/racoon/oakley.c: dumps peer's ID and peer's certificate subject /subjectaltname if they don't match 2007-03-29 tag ipsec-tools-0_7-beta3 2007-03-29 Emmanuel Dreyfus * configure.ac: Bump to 0.7beta3 2007-03-26 Yvan Vanhullebus * src/racoon/isakmp_inf.c: Store the DPD main scheduler in ph1 handler, to be able to cancel it when removing the handler, and some minor cleanups in DPD code 2007-03-23 Yvan Vanhullebus * src/racoon/: ipsec_doi.c, security.c: From Joy Latten: fix a segfault when using security labels between 32bit and 64bit host. * src/racoon/handler.c: expire zombie handlers in getph2byid(), to avoid situations where we'll never negociate a phase2 again * src/racoon/: oakley.c, racoon.conf.5: From Cyrus Rahman: give more details about what is checked when using certificates to authenticate 2007-03-22 Yvan Vanhullebus * src/racoon/: cfparse.y, ipsec_doi.c: fixed subnet check to generate IPV4_ADDRESS when needed in sockaddr2id() 2007-03-21 Yvan Vanhullebus * src/racoon/: handler.c, isakmp.c, isakmp_inf.c, pfkey.c: NULL sched check is now done in SCHED_KILL * src/racoon/schedule.h: checks if arg is NULL in SCHED_KILL 2007-03-15 Yvan Vanhullebus * src/racoon/grabmyaddr.c: From Yves-Alexis Perez: enable monitoring of ipv6 address changes on Linux. * src/racoon/isakmp.c: Consider a negociation timeout when retry_counter is <=0 instead of < 0 2007-03-06 tag ipsec-tools-0_7-beta2 2007-03-06 Emmanuel Dreyfus * configure.ac: Bump to 0.7beta2 2007-03-01 Matthew Grooms * src/racoon/ipsec_doi.c: Add logic to allow ip address ids to be matched to ip subnet ids when appropriate. 2007-02-21 Yvan Vanhullebus * src/racoon/ipsec_doi.c: block variable declaration before code in ipsecdoi_id2str() 2007-02-20 Yvan Vanhullebus * src/racoon/isakmp_inf.c: Removed a debug printf.... * src/racoon/isakmp.c: Only delete a generated SPD if it's creation date matches the creation date of the SA we are currently deleting * src/racoon/: handler.c, isakmp_var.h: updated delete_spd() calls * src/racoon/: isakmp_inf.c, pfkey.c: fills creation date of generated SPDs * src/racoon/policy.h: added 'created' var 2007-02-19 Yvan Vanhullebus * src/racoon/isakmp.c: Removed a debug printf.... 2007-02-16 tag ipsec-tools-0_7-beta1 2007-02-16 Emmanuel Dreyfus * configure.ac: Bump to 0.7beta1 2007-02-16 Yvan Vanhullebus * src/racoon/ipsec_doi.c: From Olivier Warin: Fix a %zu in a printf. 2007-02-15 Emmanuel Dreyfus * src/racoon/security.c: Missing file for SELinux * configure.ac: Missing stuff for SELinux 2007-02-15 Yvan Vanhullebus * src/racoon/isakmp_inf.c: From "Uncle Pedro" on sf.net: Just expire a ph1 handle when receiving a DELETE-SA instead of calling purge_remote(). * src/racoon/isakmp.c: Fixed the way phase1/2 messages are sent/resent, to avoid zombie handles and acces to freed memory 2007-02-02 Yvan Vanhullebus * src/racoon/cfparse.y: Fixed a check of NAT-T support in libipsec 2007-02-01 Yvan Vanhullebus * src/racoon/isakmp_inf.c: From "Uncle Pedro" on sf.net: When receiving an ISAKMP DELETE_SA, get the cookie of the SA to be deleted from payload instead of just deleting the ISAKMP SA used to protect the informational exchange. 2006-12-18 Yvan Vanhullebus * src/racoon/crypto_openssl.c: From Joy Latten: fix a memory leak 2006-12-10 tag ipsec-tools-0_7-base 2006-12-10 Emmanuel Dreyfus * src/: libipsec/Makefile.am, libipsec/libpfkey.h, libipsec/pfkey.c, racoon/backupsa.c, racoon/cfparse.y, racoon/pfkey.c: Bring back API and ABI backward compatibility with previous libipsec before recent interface change. Bump libipsec minor version. Remove ifdefs in struct pfkey_send_sa_args to avoid ABI compatibility lossage. Add a capability flags to detect missing optional feature in libipsec * src/racoon/: Makefile.am, doc/README.plainrsa: From Joy Latten: README.plainrsa documenting plain RSA auth 2006-12-09 Emmanuel Dreyfus * configure.ac, src/libipsec/libpfkey.h, src/libipsec/pfkey.c, src/racoon/Makefile.am, src/racoon/backupsa.c, src/racoon/backupsa.h, src/racoon/cftoken.l, src/racoon/ipsec_doi.c, src/racoon/ipsec_doi.h, src/racoon/isakmp_inf.c, src/racoon/isakmp_quick.c, src/racoon/pfkey.c, src/racoon/policy.c, src/racoon/policy.h, src/racoon/proposal.c, src/racoon/proposal.h, src/racoon/remoteconf.c: From Joy Latten: Add support for SELinux security contexts. Also cleanup the libipsec interface for adding and updating security associations. * src/racoon/racoon.conf.5: From Simon Chang: More hints about plain RSA authentication 2006-12-05 Yvan Vanhullebus * src/racoon/: proposal.c, proposal.h, racoon.conf.5: Check keys length regarding proposal_check level 2006-11-16 Matthew Grooms * src/racoon/sainfo.c: Correct issues associated with anonymous sainfo selection in racoon. 2006-11-09 Christos Zoulas * src/racoon/crypto_openssl.c: eliminate the only variable stack array allocation. 2006-10-31 Christian Biere * src/racoon/sockmisc.c: Don't define the deprecated IPV6_RECVDSTADDR if the "advanced IPv6 API" is used because IPV6_RECVPKTINFO and IPV6_PKTINFO are used to prevent potential bugs in the future just in case that the numeric value of the socket option is ever recycled. 2006-10-22 Yvan Vanhullebus * src/racoon/: backupsa.c, cfparse.y: From Michal Ruzicka: fix typos 2006-10-19 Yvan Vanhullebus * src/racoon/sainfo.c: From Matthew Grooms: use ipsecdoi_chkcmpids() and changed src/dst to loc/rmt in getsainfo(). * src/racoon/: ipsec_doi.c, ipsec_doi.h: From Matthew Grooms: Added ipsecdoi_chkcmpids() function. 2006-10-09 Emmanuel Dreyfus * src/racoon/proposal.c: Fix memory leak (Coverity 3438 and 3437) * src/racoon/isakmp_unity.c: Correctly check read() return value: it's signed (Coverity 1251) 2006-10-06 Emmanuel Dreyfus * configure.ac, src/libipsec/pfkey_dump.c, src/racoon/algorithm.c, src/racoon/algorithm.h, src/racoon/cftoken.l, src/racoon/crypto_openssl.c, src/racoon/crypto_openssl.h, src/racoon/eaytest.c, src/racoon/ipsec_doi.c, src/racoon/ipsec_doi.h, src/racoon/oakley.h, src/racoon/pfkey.c, src/racoon/racoon.conf.5, src/racoon/strnames.c, src/setkey/setkey.8, src/setkey/test-pfkey.c, src/setkey/token.l: Camelia cipher support as in RFC 4312, from Tomoyuki Okazaki 2006-10-03 Emmanuel Dreyfus * src/racoon/admin.c: fix endianness issue introduced yesterday 2006-10-03 Yvan Vanhullebus * src/racoon/racoon.conf.5: Added remoteid/ph1id syntax * src/racoon/: cfparse.y, cftoken.l: Parses remoteid/ph1id values * src/racoon/: handler.c, isakmp_quick.c, pfkey.c, sainfo.c: Uses remoteid/ph1id values * src/racoon/: remoteconf.h, sainfo.h: Added remoteid/ph1id values 2006-10-02 Emmanuel Dreyfus * src/racoon/isakmp_base.c: avoid reusing free'd pointer (Coverity 2613) * src/racoon/isakmp_inf.c: Check for NULL pointer (COverity 4175) * src/racoon/isakmp_ident.c: Remove dead code (Coverity 3451) * src/racoon/algorithm.c: Fix array overrun (Coverity 4172) * src/racoon/admin.c: Fix memory leak (Coverity 2002) * src/racoon/: admin.c, isakmp.c, sockmisc.c: Fix memory leak (Coverity 2001), refactor the code to use port get/set functions * src/racoon/admin.c: Avoid reusing free'd pointer (Coverity 4200) * src/racoon/oakley.c: Don't use NULL pointer (Coverity 3443), reformat to 80 char/line 2006-10-02 Tom Spindler * src/racoon/ipsec_doi.c: If you're going to initialize a pointer, you have to init it with a pointer type, not an int. 2006-10-02 Emmanuel Dreyfus * src/racoon/isakmp.c: Don't use NULL pointer (coverity 3439) * src/racoon/ipsec_doi.c: Don't use NULL pointer (Coverity 1334) * src/racoon/pfkey.c: Don't use NULL pointer (Coverity 944) * src/racoon/proposal.c: Don't use NULL pointer (Coverity 941) * src/racoon/racoonctl.c: Don't use NULL pointer (Coverity 942) * src/racoon/sockmisc.c: Don't use null pointer (Coverity 863) 2006-10-01 Emmanuel Dreyfus * src/racoon/ipsec_doi.c: FIx memory leak (Coverity 4181) * src/racoon/isakmp.c: Check that iph1->remote is not NULL before using it (Coverity 3436) 2006-09-30 Emmanuel Dreyfus * src/racoon/isakmp_agg.c: emove dead code (Coverity 4165) * src/racoon/isakmp_cfg.c: Fix memory leak (Coverity 4179) * src/racoon/samples/roadwarrior/client/: phase1-down.sh, phase1-up.sh: update the scripts for wrorking around routing problems on NetBSD * src/racoon/session.c: Reuse existing code for closing IKE sockets, and avoid screwing things by setting p->sock = -1, which is not expected (Coverity 4173). * src/racoon/admin.c: Do not free id and key, as they are used later 2006-09-29 Emmanuel Dreyfus * src/racoon/racoonctl.c: Fix the fix: handle_recv closes the socket, so we must call com_init before sending any data. 2006-09-28 Emmanuel Dreyfus * src/racoon/isakmp_xauth.c: Fix unchecked mallocs (Coverity 4176, 4174) * src/racoon/racoonctl.c: Fix access after free (Coverity 4178) 2006-09-26 Emmanuel Dreyfus * src/racoon/cfparse.y: Fix memory leak (Coverity) * src/racoon/backupsa.c: Fix memory leak (Coverity) * src/racoon/admin.c: Remove dead code (Coverity) * src/racoon/admin.c: Fix memory leak (Coverity) * src/racoon/admin.c: One more memory leak * src/racoon/admin.c: Fix memory leak in racoonctl (coverity) * src/racoon/ipsec_doi.c: Fix buffer overflow Also fix credits: SA bundle fix was contributed by Jeff Bailey, not Matthew Grooms. Matthew updated the patch for current code, though. * src/racoon/: pfkey.c, proposal.c: fix SA bundle (e.g.: for negotiating ESP+IPcomp) 2006-09-25 Yvan Vanhullebus * src/racoon/isakmp.c: From Yves-Alexis Perez: struct ip -> struct iphdr for Linux 2006-09-25 Emmanuel Dreyfus * src/racoon/isakmp.c: style (mostly for testing ipsec-tools-commits@netbsd.org) * src/racoon/ipsec_doi.c: Fix double free, from Matthew Grooms 2006-09-21 Yvan Vanhullebus * src/libipsec/pfkey.c: use sysdep_sa_len to make it compile on Linux 2006-09-19 Thomas Klausner * src/racoon/racoon.conf.5: Bump date for ike_frag force. * src/racoon/: plainrsa-gen.8, racoon.conf.5: New sentence, new line. * src/racoon/: racoon.conf.5, plainrsa-gen.8: Remove trailing whitespace. 2006-09-19 Yvan Vanhullebus * src/racoon/proposal.c: From Yves-Alexis Perez: fixes default value for encmodesv in set_proposal_from_policy() * src/racoon/isakmp.c: always include some headers, as they are required even without NAT-T * src/: libipsec/pfkey_dump.c, setkey/token.l: From Larry Baird: define SADB_X_EALG_AESCBC as SADB_X_EALG_AES if needed * src/racoon/crypto_openssl.c: From Larry Baird: some printf() -> plog() 2006-09-18 Emmanuel Dreyfus * src/racoon/: cfparse.y, cftoken.l, isakmp.c, isakmp_frag.h, isakmp_inf.c, racoon.conf.5, remoteconf.c: From Matthew Grooms: ike_frag force option to force the use of IKE on first packet exchange (prior to peer consent) 2006-09-18 Yvan Vanhullebus * rpm/suse/ipsec-tools.spec, src/racoon/prsa_tok.c: removed generated files from the CVS * src/racoon/prsa_par.c: removed generated files from the CVS * src/racoon/: cfparse.c, cftoken.c: removed generated files from the CVS 2006-09-18 Emmanuel Dreyfus * src/racoon/isakmp.c: From Matthew Grooms: handle IKE frag used in the first packet. That should not normally happen, as the initiator does not know yet if the responder can handle IKE frag. However, in some setups, the first packet is too big to get through, and assuming the peer supports IKE frag is the only way to go. racoon should have a setting in the remote section to do taht (something like ike_frag force) 2006-09-16 Emmanuel Dreyfus * src/racoon/ipsec_doi.c: Trivial bugfix in RFC2407 4.6.2 conformance, from Matthew Grooms 2006-09-15 Emmanuel Dreyfus * src/racoon/ipsec_doi.c: Fix build on Linux For older changes see ChangeLog.old