Migrate ipsec-tools CVS to cvs.netbsd.org

commit 2d74f24bd2f173e04bb170a42ed0195a15231537 1 parent 71ef6d7
manu authored
Showing with 20,395 additions and 2,030 deletions.
  1. +715 −190 crypto/dist/ipsec-tools/ChangeLog
  2. +2 −0  crypto/dist/ipsec-tools/Makefile.am
  3. +10 −12 crypto/dist/ipsec-tools/NEWS
  4. +10 −2 crypto/dist/ipsec-tools/bootstrap
  5. +233 −51 crypto/dist/ipsec-tools/configure.ac
  6. +2 −0  crypto/dist/ipsec-tools/src/Makefile.am
  7. +2 −2 crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c
  8. +35 −1 crypto/dist/ipsec-tools/src/libipsec/key_debug.c
  9. +7 −2 crypto/dist/ipsec-tools/src/libipsec/libpfkey.h
  10. +98 −2 crypto/dist/ipsec-tools/src/libipsec/pfkey.c
  11. +87 −3 crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c
  12. +4 −3 crypto/dist/ipsec-tools/src/libipsec/policy_token.l
  13. +1 −1  crypto/dist/ipsec-tools/src/racoon/Makefile.am
  14. +62 −35 crypto/dist/ipsec-tools/src/racoon/admin.c
  15. +7 −2 crypto/dist/ipsec-tools/src/racoon/admin.h
  16. +43 −19 crypto/dist/ipsec-tools/src/racoon/algorithm.c
  17. +6 −2 crypto/dist/ipsec-tools/src/racoon/algorithm.h
  18. +2 −2 crypto/dist/ipsec-tools/src/racoon/backupsa.c
  19. +579 −53 crypto/dist/ipsec-tools/src/racoon/cfparse.y
  20. +94 −12 crypto/dist/ipsec-tools/src/racoon/cftoken.l
  21. +15 −16 crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
  22. +20 −1 crypto/dist/ipsec-tools/src/racoon/debugrm.c
  23. +10 −2 crypto/dist/ipsec-tools/src/racoon/debugrm.h
  24. +6 −3 crypto/dist/ipsec-tools/src/racoon/dnssec.c
  25. +8 −0 crypto/dist/ipsec-tools/src/racoon/doc/FAQ
  26. +2 −2 crypto/dist/ipsec-tools/src/racoon/eaytest.c
  27. +10 −3 crypto/dist/ipsec-tools/src/racoon/evt.c
  28. +4 −2 crypto/dist/ipsec-tools/src/racoon/evt.h
  29. +12 −1 crypto/dist/ipsec-tools/src/racoon/gcmalloc.h
  30. +4 −1 crypto/dist/ipsec-tools/src/racoon/getcertsbyname.c
  31. +10 −3 crypto/dist/ipsec-tools/src/racoon/grabmyaddr.c
  32. +9 −7 crypto/dist/ipsec-tools/src/racoon/gssapi.c
  33. +504 −10 crypto/dist/ipsec-tools/src/racoon/handler.c
  34. +13 −3 crypto/dist/ipsec-tools/src/racoon/handler.h
  35. +386 −78 crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
  36. +12 −5 crypto/dist/ipsec-tools/src/racoon/ipsec_doi.h
  37. +362 −253 crypto/dist/ipsec-tools/src/racoon/isakmp.c
  38. +4 −2 crypto/dist/ipsec-tools/src/racoon/isakmp.h
  39. +207 −121 crypto/dist/ipsec-tools/src/racoon/isakmp_agg.c
  40. +297 −40 crypto/dist/ipsec-tools/src/racoon/isakmp_base.c
  41. +643 −74 crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
  42. +70 −22 crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.h
  43. +3 −2 crypto/dist/ipsec-tools/src/racoon/isakmp_frag.h
  44. +219 −16 crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c
  45. +336 −317 crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
  46. +5 −2 crypto/dist/ipsec-tools/src/racoon/isakmp_inf.h
  47. +49 −12 crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c
  48. +235 −8 crypto/dist/ipsec-tools/src/racoon/isakmp_unity.c
  49. +26 −1 crypto/dist/ipsec-tools/src/racoon/isakmp_unity.h
  50. +4 −4 crypto/dist/ipsec-tools/src/racoon/isakmp_var.h
  51. +742 −57 crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
  52. +61 −4 crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h
  53. +2 −2 crypto/dist/ipsec-tools/src/racoon/kmpstat.c
  54. +37 −1 crypto/dist/ipsec-tools/src/racoon/localconf.c
  55. +5 −2 crypto/dist/ipsec-tools/src/racoon/localconf.h
  56. +3 −3 crypto/dist/ipsec-tools/src/racoon/logger.c
  57. +20 −44 crypto/dist/ipsec-tools/src/racoon/main.c
  58. +16 −2 crypto/dist/ipsec-tools/src/racoon/misc.h
  59. +16 −3 crypto/dist/ipsec-tools/src/racoon/nattraversal.c
  60. +133 −40 crypto/dist/ipsec-tools/src/racoon/oakley.c
  61. +25 −3 crypto/dist/ipsec-tools/src/racoon/oakley.h
  62. +53 −20 crypto/dist/ipsec-tools/src/racoon/pfkey.c
  63. +6 −8 crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.8
  64. +2 −2 crypto/dist/ipsec-tools/src/racoon/plainrsa-gen.c
  65. +35 −6 crypto/dist/ipsec-tools/src/racoon/plog.c
  66. +9 −7 crypto/dist/ipsec-tools/src/racoon/plog.h
  67. +215 −88 crypto/dist/ipsec-tools/src/racoon/privsep.c
  68. +6 −5 crypto/dist/ipsec-tools/src/racoon/privsep.h
  69. +27 −18 crypto/dist/ipsec-tools/src/racoon/proposal.c
  70. +2 −3 crypto/dist/ipsec-tools/src/racoon/proposal.h
  71. +2 −2 crypto/dist/ipsec-tools/src/racoon/racoon.8
  72. +239 −58 crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
  73. +10 −3 crypto/dist/ipsec-tools/src/racoon/racoonctl.8
  74. +79 −13 crypto/dist/ipsec-tools/src/racoon/racoonctl.c
  75. +3 −3 crypto/dist/ipsec-tools/src/racoon/racoonctl.h
  76. +64 −50 crypto/dist/ipsec-tools/src/racoon/remoteconf.c
  77. +21 −5 crypto/dist/ipsec-tools/src/racoon/remoteconf.h
  78. +3,811 −0 crypto/dist/ipsec-tools/src/racoon/rfc/rfc2367.txt
  79. +1,795 −0 crypto/dist/ipsec-tools/src/racoon/rfc/rfc2407.txt
  80. +4,819 −0 crypto/dist/ipsec-tools/src/racoon/rfc/rfc2408.txt
  81. +731 −0 crypto/dist/ipsec-tools/src/racoon/rfc/rfc3706.txt
  82. +1,011 −0 crypto/dist/ipsec-tools/src/racoon/rfc/rfc3715.txt
  83. +282 −0 crypto/dist/ipsec-tools/src/racoon/rfc/rfc4109.txt
  84. +91 −18 crypto/dist/ipsec-tools/src/racoon/sainfo.c
  85. +10 −2 crypto/dist/ipsec-tools/src/racoon/sainfo.h
  86. +1 −1  crypto/dist/ipsec-tools/src/racoon/samples/racoon.conf.in
  87. +6 −4 crypto/dist/ipsec-tools/src/racoon/samples/racoon.conf.sample
  88. +2 −2 crypto/dist/ipsec-tools/src/racoon/samples/racoon.conf.sample-inherit
  89. +2 −2 crypto/dist/ipsec-tools/src/racoon/samples/racoon.conf.sample-natt
  90. +2 −2 crypto/dist/ipsec-tools/src/racoon/samples/racoon.conf.sample-plainrsa
  91. +1 −1  crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/client/phase1-up.sh
  92. +1 −1  crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/client/racoon.conf
  93. +1 −1  crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/server/racoon.conf
  94. +1 −1  crypto/dist/ipsec-tools/src/racoon/samples/roadwarrior/server/racoon.conf-radius
  95. +2 −2 crypto/dist/ipsec-tools/src/racoon/schedule.c
  96. +3 −3 crypto/dist/ipsec-tools/src/racoon/schedule.h
  97. +153 −42 crypto/dist/ipsec-tools/src/racoon/session.c
  98. +24 −14 crypto/dist/ipsec-tools/src/racoon/sockmisc.c
  99. +2 −2 crypto/dist/ipsec-tools/src/racoon/sockmisc.h
  100. +127 −30 crypto/dist/ipsec-tools/src/racoon/strnames.c
  101. +6 −2 crypto/dist/ipsec-tools/src/racoon/strnames.h
  102. +9 −7 crypto/dist/ipsec-tools/src/racoon/throttle.c
  103. +8 −5 crypto/dist/ipsec-tools/src/racoon/vendorid.c
  104. +14 −3 crypto/dist/ipsec-tools/src/racoon/vendorid.h
  105. +7 −1 crypto/dist/ipsec-tools/src/racoon/vmbuf.c
  106. +7 −2 crypto/dist/ipsec-tools/src/racoon/vmbuf.h
  107. +83 −11 crypto/dist/ipsec-tools/src/setkey/parse.y
  108. +48 −6 crypto/dist/ipsec-tools/src/setkey/setkey.8
  109. +14 −6 crypto/dist/ipsec-tools/src/setkey/setkey.c
  110. +4 −2 crypto/dist/ipsec-tools/src/setkey/token.l
905 crypto/dist/ipsec-tools/ChangeLog
@@ -1,6 +1,333 @@
---------------------------------------------
- 0.6.3 released
+ Migration to cvs.netbsd.org
+
+2006-08-22 Emmanuel Dreyfus <manu@netbsd.org>
+
+ From Matthew Grooms:
+ * src/racoon{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h}
+ src/racoon{isdakmp_quick.c|isakmp_xauth.c|isakmp_xauth.h}
+ src/racoon/racoon.conf.5: Add a group check option
+
+2006-08-17 Yvan Vanhullebus <vanhu@netasq.com>
+
+ Patch from Matthew Grooms:
+ * src/racoon/ipsec_doi.c: fixed an ASN1 size in
+ ipsecdoi_checkid1()
+
+2006-08-11 Yvan Vanhullebus <vanhu@netasq.com>
+
+ Patch from Matthew Grooms:
+ * src/racoon/ipsec_doi.[ch]: fixed and public ipsecdoi_id2str()
+ * src/racoon/isakmp_quick.c: text fix
+ * src/racoon/pfkey.c: sainfo debug
+ * src/racoon/sainfo.c: sainfo debug
+
+2006-07-17 Yvan Vanhullebus <vanhu@netasq.com>
+
+ Reported by Matthew Grooms:
+ * src/racoon/isakmp_quick.c: Fixed iph2->id / id_p checks in
+ get_sainfo_r().
+ * src/racoon/racoon.conf.5: updated man page for sainfo logic.
+
+2006-07-31 Emmanuel Dreyfus <manu@netbsd.org>
+ From Matthew Grooms <mgrooms@shrew.net>
+ * src/racoon/{cfparse.y|isakmp_cfg.c|isakmp_cfg.h}
+ src/racoon/{isakmp_unity.c|isakmp_unity.h}: splinet support
+ becomes dynamic, bugfixes
+
+2006-07-19 Emmanuel Dreyfus <manu@netbsd.org>
+ From Peter Eisch <peter@boku.net>
+ * src/racoon/samples/roadwarrior/client/phase1-up.sh: add missing
+ netmask in network interface configuration
+
+ From Matthew Grooms <mgrooms@shrew.net>
+ * configure.ac src/racoon/isakmp_xauth.c: update the LDAP API usage
+
+ From Matthew Grooms <mgrooms@shrew.net>
+ * src/racoon/{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h}
+ src/racoon/{isakmp_cfg.c|isakmp_unity.c|racoon.conf.5}: Split DNS
+ support (server side)
+
+2006-07-17 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/libipsec/pfkey.c: Fixed SADB_X_EXT_SEC_CTX support in pfkey_align().
+ Break reported by Matthew Grooms.
+
+2006-07-13 Frederic Senault <fred@lacave.net>
+
+ * src/racoon/isakmp_cfg.c: fix a typo that rendered DNS4 / WINS4
+ unoperable on 64bit architectures ; add a packetdump of MODE_CFG
+ exchange in debug mode.
+
+2006-07-09 Emmanuel Dreyfus <manu@netbsd.org>
+ From Matthew Grooms <mgrooms@shrew.net>
+ * src/racoon{cfparse.y|cftoken.l|isakmp_quick.c|isakmp_xauth.c}
+ src/racoon{isakmp_xauth.h|racoon.conf.5|sainfo.c|sainfo.h}:
+ Group authentication for Xauth. Supports system groups and LDAP.
+
+2006-07-04 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/nattraversal.c: fixed a malloc check in
+ natt_keepalive_add(). Patch from Bruno Wagenseil.
+
+2006-06-30 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/{cfparse.l|cftoken.l}: meaningful error message when
+ we cannot find the configuration file.
+
+2006-06-24 Emmanuel Dreyfus <manu@netbsd.org>
+ From Matthew Grooms <mgrooms@shrew.net>
+ * src/racoon{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h}
+ src/racoon/{isakmp_xauth.c|isakmp_xauth.h|racoon.conf.5}: network
+ configuration obtained from LDAP directory
+
+2006-06-23 Emmanuel Dreyfus <manu@netbsd.org>
+ From Matthew Grooms <mgrooms@shrew.net>
+ * configure.ac: build fixes
+
+2006-06-22 Emmanuel Dreyfus <manu@netbsd.org>
+ * src/racoon/evt.c: build fix
+ From Matthew Grooms <mgrooms@shrew.net>
+ * configure.ac: build fixes around libldap and libiconv search
+
+2006-06-21 Emmanuel Dreyfus <manu@netbsd.org>
+ * src/racoon/evt.c: Do not record events if admin socket is
+ disabled.
+
+2006-06-20 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * configure.ac: Check for conflicts between system libiconv
+ and newer libiconv header
+ From Matthew Grooms <mgrooms@shrew.net>
+ * configure.ac src/racoon/{cfparse.y|cftoken.l}
+ src/racoon/{isakmp_cfg.h|isakmp_xauth.c|isakmp_xauth.h}
+ src/racoon/{main.c|racoon.conf.5}: Use LDAP for Xauth
+
+2006-06-20 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * configure.ac: fixed SHA256 detection on some systems. Patch by
+ Dmitry Andrianov.
+ * src/racoon/{cfparse.y|cftoken.l|plog.[ch]|racoon.conf.5}:
+ changed logging levels. Patch by Michal Ruzicka.
+
+2006-06-15 Emmanuel Dreyfus <manu@netbsd.org>
+ From Matthew Grooms <mgrooms@shrew.net>
+ * src/racoon/main.c: make sure RADIUS is correctly initialized
+
+2006-06-14 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * Makefile.am, src/Makefile.am: fixed make dist on *BSD
+
+2006-06-07 Emmanuel Dreyfus <manu@netbsd.org>
+ * src/racoon/isakmp_cfg.c: Fix build.
+
+2006-05-26 Emmanuel Dreyfus <manu@netbsd.org>
+ From Pawel Jakub Dawidek <pjd@FreeBSD.org>
+ * src/racoon/handler.c: Fix a crash caused by a NULL pointer
+ * src/racoon/oakley.c: Typos
+ * src/racoon/isakmp_base.c: Fix uninitialized buffer
+ * src/racoon/isakmp_base.c: Do send DPD VID in resp case (base mode)
+
+2006-05-23 Emmanuel Dreyfus <manu@netbsd.org>
+ * src/racoon/isakmp_cfg.c: Mode cfg can be used without Xauth, so
+ do not assume Xauth when preparing a hook script environement.
+ From chunkeey@web.de
+ * src/racoon/{algorithm.c|oakley.c|gssapi.c|ipsec_doi.c}: Fix amd64
+ build warnings
+ * src/racoon/ipsec_doi.c: Don't free a referenced buffer
+ From Matthew Grooms <mgrooms@shrew.net>
+ * src/racoon/isakmp_cfg.c: Fix for unity local_lan support
+
+2006-05-07 Emmanuel Dreyfus <manu@netbsd.org>
+ * src/racoon/{isakmp.c|session.c|sockmisc.c|racoon.conf.5}: Do
+ not reconfigure interface sockets when running in privilege
+ separation as it will not work. Add debug for setsockopt().
+ * src/racoon/racoonctl.8: Do not tell config reload is completely
+ broken (it's only somewhat broken).
+
+2006-05-06 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/{remoteconf.c|remoteconf.h|isakmp.c|cfparse.y}: Fix
+ memory leak (Coverity)
+ * src/racoon/pfkey.c: Fix memory leak (Coverity)
+ * src/racoon/ipsec_doi.c: Fix memory leak (Coverity)
+ * src/racoon/isakmp.c: Fix memory leak (Coverity)
+ * src/racoon/dnssec.c: Fix memory leak (Coverity)
+ * src/racoon/backupsa.c: Fix memory leak (Coverity)
+ * src/racoon/{nattraversal.c|isakmp.c|cfparse.y}: Check for non NULL
+ allocation (Coverity)
+ * src/racoon/isakmp_quick.c: Remove dead code (Coverity)
+ * src/racoon/oakley.c: Remove dead code (Coverity)
+ * src/racoon/crypto_openssl.c: Remove dead code (Coverity)
+
+2006-05-05 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/pfkey.c: Sets NAT-T ports to 0 if no NAT
+ encapsulation in pk_sendgetspi().
+
+2006-05-04 Yvan Vanhullebus <vanhu@netasq.com>
+ From Preggna S (spreggna@novell.com)
+ * src/racoon/schedule.h: fixed gnuc.h include.
+ * src/racoon/{cfparse.y|cftoken.l}: Address range sainfos support.
+ * src/racoon/ipsec_doi.[ch]: ipsecdoi_sockrange2id() function.
+
+2006-05-03 Yvan Vanhullebus <vanhu@netasq.com>
+ From Joy Latten <latten@austin.ibm.com>
+ * configure.ac: security context support check
+ * src/libipsec/{pfkey.c|pfkey_dump.c}:
+ SADB_X_EXT_PACKET / SADB_X_EXT_SEC_CTX support
+ * src/setkey/{parse.ytoken.l}: parses optionnal security context
+ * src/setkey/setkey.8: security context syntax
+
+2006-04-27 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/{remoteconf.c|proposal.c}: fix memory leak (Coverity)
+
+2006-04-24 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/isakmp.c: style cleanup in delete_spd()
+
+2006-04-13 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/pfkey.c: Sets NAT-T ports to 0 if no NAT
+ encapsulation in pk_sendupdate().
+
+2006-04-12 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/ipsec_doi.c: fix memory leaks (Coverity)
+
+2006-04-06 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/{admin.c|cfparse.y|cftoken.l|debugrm.c|debugrm.h}
+ src/racoon/{gcmalloc.h|isakmp.c|isakmp_inf.c|isakmp_xauth.c}
+ src/racoon/{logger.c|misc.h|plog.c|racoonctl.c|sockmisc.c}: Add
+ strdup in the malloc debugging framework, check for strdup failures
+ (found by Coverity)
+ * src/racoon/admin.c: Do not use an unallocated pointer (Coverity)
+ * src/racoon/schedule.c: Check for NULL pointer
+ * src/racoon/{grabmyaddr.c|handler.c|isakmp.c|isakmp_cfg.c}
+ src/racoon/{isakmp_inf.c|isakmp_quick.c|nattraversal.c}: Check
+ that dupsaddr returns non NULL pointers (Coverity)
+ * src/racoon/isakmp_quick.c: Ignore multiple notifications in the
+ same message, and do not leak memory (Coverity)
+ * src/racoon/{isakmp_agg.c|isakmp_ident.c}: Fix memory leak in
+ GSSAPI code (Coverity)
+ * src/racoon/racoonctl.c: fix minor memory leak (Coverity)
+ * src/racoon/isakmp.c: fix memory leak (Coverity)
+ * src/racoon{isakmp.c|isakmp_inf.c}: fix phase 1 handler leak (Coverity)
+
+2006-04-05 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/isakmp_xauth.c: fix unitialized variable, found by
+ Coverity
+ * src/racoon/{isakmp_cfg.c|isakmp_xauth.h|isakmp_xauth.c}: Do not
+ use deleted phase 1 handler after errors, found by coverity
+ * src/racoon/main.c: tell which config file we use
+ * src/racoon/isakmp_cfg.c: Do not use deleted phase 1 handler, found
+ by Coverity
+ * src/racoon/{isakmp_agg.c|isakmp_ident.c}: Do not use deleted phase 1
+ handler, found by Coverity
+ * src/racoon/dnssec.c: do not return a free'ed certificate, found by
+ Coverity
+ * src/racoon/oakley.c: fix stale pointer alias, found by Coverity
+ * src/racoon/throttle.c: do not free current item while walking a
+ chained list, found by Coverity
+ * src/racoon/vmbuf.c: handle NULL argument for vdup, found by Coverity
+
+2006-03-18 Emmanuel Dreyfus <manu@netbsd.org>
+
+ From John Nemeth <jnemeth@victoria.tc.ca> and a Coverity scan
+ * src/racoon/isakmp_xauth.c: fix memory leak
+
+2006-02-25 Emmanuel Dreyfus <manu@netbsd.org>
+
+ From Thomas Klausner <wiz@NetBSD.org>
+ * src/racoon/{cfparse.y|handler.h}: typos
+
+2006-02-23 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/main.c: do not reset isakmp_cfg structure after
+ config reload.
+
+2006-02-22 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/vendorid.c: Fixed Vendor IDs order (well, should not
+ be really necessary) and DPD VId hash generation
+
+2006-02-17 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/{cfparse.y|sainfo.c}: Support for "semi anonymous"
+ sainfos.
+ * src/racoon/racoon.conf.5: updated sainfos syntax
+ * src/racoon/vendorid.[ch]: IPSec-Tools Vendor ID
+
+2006-02-15 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/{cfparse.y|cftoken.l}: Parse new generate_policy
+ levels
+ * src/racoon/remoteconf.h: defines for REQUIRE/UNIQUE/NONE
+ generate policy levels
+ * src/racoon/proposal.c: Sets optionnal reqid for generated
+ policies
+ * src/racoon/pfkey.c: sends UNIQUE policies to kernel if reqid
+ specified
+ * src/racoon/racoon.conf.5: updated generate_policy syntax
+
+2006-02-02 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/isakmp.c: Fixed zombie PH1 handler when isakmp_send()
+ fails in isakmp_ph1resend()
+
+2006-01-17 Frederic Senault <fred@lacave.net>
+
+ * src/racoon/cfparse.y: Add the keyid [ (tag|file) ] semantics to the
+ peers_identifier keyword.
+
+ * src/racoon/{evt.h|isakmp.c|racoonctl.c}: Send a message to the
+ adminsock to allow for racoonctl to stop looping when the
+ vpn-connect command is used and there is no mode config exchange.
+
+2006-01-08 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/isakmp_cfg.c: make software behave as the documentation
+ advertise for INTERNAL_NETMASK4. Keep the old INTERNAL_MASK4 to
+ avoid breaking backward compatibility.
+
+2005-12-19 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/racoon/session.c: Fixed / cleaned up signal handling.
+
+2005-12-13 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/libipsec/samples/*: replaced "obey" mode by "strict" mode.
+
+2005-12-07 Yvan Vanhullebus <vanhu@netasq.com>
+
+ * src/libipsec/pfkey_dump.c: fixed compilation when NAT_T
+ disabled (Fred has still some CVS problems).
+ * src/racoon/session.c: Calls isakmp_cfg_init() only if
+ ENABLE_HYBRID in reload_conf().
+
+2005-12-04 Frederic Senault <fred@lacave.net>
+
+ * src/libipsec/{libpfkey.h|pfkey_dump.c}: add a sadump_withports
+ function to display SAD entries with their associated ports.
+ * src/setkey/{parse.y|setkey.c|setkey.8}: allow to use setkey -p flag
+ in conjunction with -D to show SADs with the port, allow both get and
+ delete commands to use bracketed ports if needed.
+
+2005-11-26 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/session.c: fix possible race conditions in signal handlers
+ * src/racoon/{isakmp_cfg.c|isakmp_cfg.h|main.c|session.c}: when
+ reloading configuration, do not new add mode_cfg config to the
+ existign one, overwrite it instead.
+
+2005-11-25 Emmanuel Dreyfus <manu@netbsd.org>
+
+ From Thomas Klausner <wiz@netbsd.org>
+ * src/racoon/racoon.conf.5: Style changes
2005-11-21 Yvan Vanhullebus <vanhu@netasq.com>
@@ -15,18 +342,43 @@
using IKE test suite from
http://www.ee.oulu.fi/research/ouspg/protos/testing/c09/isakmp/
-2005-11-06 Aidas Kasparas <a.kasparas@gmc.lt>
+2005-11-10 Yvan Vanhullebus <vanhu@free.fr>
- * src/racoon/main.c, src/racoon/session.c: moved .pid file writing
- just before main loop. Thanks Stephen Thorne
- * src/racoon/localconf.h, src/racoon/cftoken.l: introduced
- path pidfile directive
- * src/racoon/racoon.conf.5: documented above
- * configure.ac: OpenSSL 0.9.8 compilation fix. Thank Ganesan
- Rajagopal
- * configure.ac: added check for strlcat function
- * src/racoon/misc.h: define strlcat function for systems without one
- * src/racoon/remoteconf.c: strncat -> strlcat
+ Patches from Francis Dupont
+ * src/libipsec/key_debug.c: SADB_X_EXT_PACKET support
+ * src/libipsec/{libpfkey.h|pfkey.c}: pfkey_send_migrate() function
+ * src/setkey/parse.y: IPPROTO_MH support
+ * src/racoon/pfkey.c: fixed some logs
+ * src/racoon/strnames.c: fixed a typo for SADB_X_PROMISC,
+ appropriate define for SADB_X_NAT_T_NEW_MAPPING, added
+ SADB_X_MIGRATE
+
+2005-11-06 Aidas Kasparas <a.kasparas@gmc.lt>
+
+ * src/racoon/main.c, src/racoon/session.c: moved .pid file writing
+ just before main loop. Thanks Stephen Thorne
+ * src/racoon/localconf.h, src/racoon/cftoken.l: introduced
+ path pidfile directive
+ * src/racoon/racoon.conf.5: documented above
+ * configure.ac: OpenSSL 0.9.8 compilation fix. Thank Ganesan
+ Rajagopal
+ * configure.ac: added check for strlcat function
+ * src/racoon/misc.h: define strlcat function for systems without one
+ * src/racoon/remoteconf.c: strncat -> strlcat
+
+2005-11-01 Aidas Kasparas <a.kasparas@gmc.lt>
+
+ * src/racoon/isakmp_inf.c: repeated gcc-4.0 build fix. Thanks
+ Andreas Tobler
+
+2005-10-30 Yvan Vanhullebus <vanhu@netasq.com>
+
+ Patches from Christoph Nadig for compilation on MacOS X
+ * configure.ac: no lcrypt for darwin
+ * src/libipsec/key_debug.c: include stdint.h if HAVE_STDINT_H
+ * src/racoon/isakmp_cfg.c: some includes and some %zu
+ * src/racoon/isakmp_unity.c: fixed a %zu
+ * src/racoon/vmbuf.h: vfree already defined for Apple
2005-10-17 Aidas Kasparas <a.kasparas@gmc.lt>
@@ -37,41 +389,28 @@
* src/racoon/ipsec-doi.c: adopted to above
* src/racoon/racoon.conf.5: documented above
-2005-10-14 Emmanuel Dreyfus <manu@netbsd.org>
+2005-09-14 Emmanuel Dreyfus <manu@netbsd.org>
* src/libipsec/pfkey.c: One forgotten cast caddr_t -> void *
----------------------------------------------
-
- 0.6.2 released
-
2005-10-14 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/ipsec_doi.c: don't allow NULL or empty FQDNs or
USER_FQDNs (problem reported by Bernhard Suttner).
----------------------------------------------
-
- 0.6.2.beta3 released
+2005-09-10 Emmanuel Dreyfus <manu@netbsd.org>
-2005-09-05 Emmanuel Dreyfus <manu@netbsd.org>
+ * src/racoon[isakmp.c|isakmp_cfg.c|isakmp_inf.c}
+ src/racoon/doc/FAQ configure.ac: Add --enable-broken-natt for
+ kernel implementing NAT-T but unable to cope with IKE ports in
+ SAD and SPD.
- From Andreas Hasenack <ahasenack@terra.com.br>
- * configure.ac: More build fixes for Linux
-
----------------------------------------------
-
- 0.6.2.beta2 released
-
-2005-09-04 Emmanuel Dreyfus <manu@netbsd.org>
-
- From Wilfried Weissmann
- * src/libipsec/policy_parse.y src/racoon/{ipsec_doi.c|oakley.c}
+2005-09-05 Emmanuel Dreyfus <manu@netbsd.org>
+
+ From Wilfried Weissmann:
+ * src/libipsec/policy_parse.y src/racoon/oakley.c
src/racoon/{sockmisc.c|sockmisc.h}: build fixes
----------------------------------------------
-
- 0.6.2.beta1 released
2005-09-03 Emmanuel Dreyfus <manu@netbsd.org>
@@ -80,10 +419,6 @@
2005-08-26 Emmanuel Dreyfus <manu@netbsd.org>
- * src/racoon/cfparse.y: handle xauth_login correctly
- * src/racoon/isakmp.c: catch internal error
- * src/raccon/isakmp_agg.c: fix racoon as Xauth client
- * src/raccon/{isakmp_agg.c|isakmp_base.c}: Proposal safety checks
* src/racoon/evt.c: Fix memory leak when event queue overflows
2005-08-23 Emmanuel Dreyfus <manu@netbsd.org>
@@ -97,19 +432,20 @@
* src/racoon/{isakmp_cfg.c|racoon.conf.5}: enable the use of
ISAKMP mode config without Xauth.
-2005-09-16 Yvan Vanhullebus <vanhu@free.fr>
+2005-08-16 Emmanuel Dreyfus <manu@netbsd.org>
- * src/racoon/policy.c: Do not parse all sptree in inssp() if we
- don't use Policies priority.
+ From Thomas Klausner <wiz@netbsd.org>
+ * src/setkey/setkey.8: remove trailing whitespaces
-2005-08-15 Emmanuel Dreyfus <manu@netbsd.org>
+2005-09-09 Yvan Vanhullebus <vanhu@free.fr>
- From: Thomas Klausner <wiz@netbsd.org>
- src/setkey/setkey.8: Drop trailing spaces
+ * src/racoon/policy.c: Do not parse all sptree in inssp() if we
+ don't use Policies priority.
----------------------------------------------
+2005-08-20 Yvan Vanhullebus <vanhu@free.fr>
- 0.6.1 released
+ * src/racoon/handler.c: Fixed a possible crash in
+ remove_ph2(). Reported by Dietmar Eggemann.
2005-08-14 Emmanuel Dreyfus <manu@netbsd.org>
@@ -130,10 +466,6 @@
* src/racoon/privsep.c: Fixed a %d -> %zu in
port_check() (reported by Matthias Scheler).
----------------------------------------------
-
- 0.6.1.rc1 released
-
2005-08-04 Emmanuel Dreyfus <manu@netbsd.org>
* configure.ac: correctly quote RACOON_PATH_LIBS arguments
@@ -143,10 +475,6 @@
* src/racoon/isakmp_inf.c: First fix to
info_recv_initialcontact(): do a basic IP check when no NAT-T.
-2005-07-28 Emmanuel Dreyfus <manu@netbsd.org>
-
- * src/racoon/{pfkey.c|proposal.c}: IPcomp CPI size fixes
-
2005-07-26 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp.c: Fixed purge_remote()
@@ -156,19 +484,19 @@
* src/racoon/isakmp.c: Do not purge IPSec SAs in purge_remote() if
a new ph1handle exists (patch by Krzysztof Oledzki)
----------------------------------------------
-
- 0.6.1.beta3 released
-
2005-07-20 Aidas Kasparas <a.kasparas@gmc.lt>
- * configure.ac: disabled --enable-samode-unspec for linux
+ * configure.ac: disabled --enable-samode-unspec under linux
2005-07-20 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp_quick.c: Ignore NATOA payloads in
quick_r1recv() as it is done in quick_i2recv().
-
+ * configure.ac: new --enable-fastquit option
+ * src/racoon/session.c: new code optional code when flushing SAs,
+ which is faster and should have no deadlocks. configure
+ --enable-fastquit option to enable it.
+
2005-07-19 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp.c: Checks in isakmp_ph1begin_r() if we got the
@@ -180,27 +508,24 @@
* src/racoon/grabmyaddr.c: fixed file descriptor leak. Thanks to
Patrice Fournier
- * src/setkey/setkey.c: disabled readline's filename completion.
- Fixed bug 1179281.
+ * src/racoon/setkey.c: disabled readline's filename completion
+ (bug 1179281 fix)
* src/racoon/proposal.c: fixed mode selection for SAs with
- complex_bundle on behind NAT.
+ complex_bundle on behind NAT
2005-07-14 Yvan Vanhullebus <vanhu@free.fr>
- * src/racoon/handler.c: Clears the DPD schedule in delph1()
-
----------------------------------------------
-
- 0.6.1.beta2 released
+ * src/racoon/handler.c: - Clears the DPD schedule in delph1()
+ - Cleared up sanity checks in delph1()
+ - Sets p->rmconf to NULL if no new
+ remoteconf in revalidate_ph1tree_rmconf()
+ * src/racoon/isakmp.c: Added sanity checks in script_hook()
+ * src/racoon/oakley.c: Sanity check in save_certbuf()
+
2005-07-13 Emmanuel Dreyfus <manu@netbsd.org>
* src/setkey/Makefile.am: missing file in distribution
- * src/racoon/isakmp_inf.c: build fix
-
----------------------------------------------
-
- 0.6.1.beta1 released
2005-07-12 Yvan Vanhullebus <vanhu@free.fr>
@@ -217,14 +542,15 @@
* src/racoon/samples/roadwarrior/client/{pahse1-up.sh|phase1-down.sh}:
Add comments for using the scripts without NAT-T
-2005-07-04 Emmanuel Dreyfus <manu@netbsd.org>
+2005-07-11 Emmanuel Dreyfus <manu@netbsd.org>
- * src/racoon/isakmp_inf.c: safety checks on informational messages
+ * src/racoon/ipsec_doi.c configure.ac: More build fixes on Linux.
+ Accomodate various libiconv versions
-2005-07-11 Emmanuel Dreyfus <manu@netbsd.org>
+2005-07-10 Emmanuel Dreyfus <manu@netbsd.org>
- * configure.ac: build fixes on Linux. Accomodate various libiconv
- versions
+ * src/racoon/ipsec_doi.c configure.ac: build fixes on Linux.
+ Accomodate various libiconv versions
2005-07-09 Yvan Vanhullebus <vanhu@free.fr>
@@ -238,20 +564,21 @@
* src/racoon/raccon.conf.5: Document that aes can be used in
racoon.conf
-2005-07-06 Emmanuel Dreyfus <manu@netbsd.org>
-
- * src/setkey/extern.h: new file (was missing in previous commit)
-
2005-07-06 Frederic Senault <fred@lacave.net>
* src/setkey/setkey.c: fix compilation with readline.
- * src/racoon/oakley.c: move declarations to the top of the function
- to fix compilation issues with gcc 2.95.4/FreeBSD4, re-indentation
- and style cleanup of the pkcs7 patch.
+ * src/racoon/oakley.c: move declarations to fix compilation issues
+ with gcc 2.95.4/FreeBSD4, re-indentation and style cleanup of the
+ pkcs7 patch.
+
+2005-07-04 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/isakmp_inf.c: safety checks on informational messages
+ * src/racoon/{pfkey.c|proposal.c}: IPcomp fixes
2005-07-01 Emmanuel Dreyfus <manu@netbsd.org>
- From Uri <urimobile@optonline.net>:
+ From Uri Blumenthal <urimobile@optonline.net>:
* src/racoon/{ipsec_doi.c|Makefile.am}: Linux build fixes
* src/racoon/oakley.c: pkcs7 support
@@ -267,18 +594,17 @@
src/racoon/{sockmisc.c|sockmisc.h}: de-lint signed/unsigned,
size_t/int and lint constants
-2005-06-29 Emmanuel Dreyfus <manu@netbsd.org>
+2005-06-24 Yvan Vanhullebus <vanhu@free.fr>
- From Uri <urimobile@optonline.net> and Larry Baird <lab@gta.com>:
- * src/libipsec/pfkey_dump.c src/setkey/test-pfkey.c
- src/racoon/{algorithm.c|cftoken.l|eaytest.c|ipsec_doi.c}
- src/racoon/{ipsec_doi.h|pfkey.c|strnames.c}: Add SHA2 support
+ * src/racoon/handler.c: Fixed phase2 enc algo check when reloading
+ conf (could flush a phase2 handler when not needed).
----------------------------------------------
-
- 0.6 released
+2005-06-19 Emmanuel Dreyfus <manu@netbsd.org>
-2005-06-22 Emmanuel Dreyfus <manu@netbsd.org>
+ * src/racoon/{admin.c|handler.c|handler.h|racoonctl.c|racoonctl.h}
+ src/racoon/racoonctl.8:
+ Add a logout-user command to racoonctl to kick out all SA for a
+ given Xauth user
From Ludo Stellingwerff <ludo@protactive.nl>:
* src/racoon/isakmp.c: NAT-T fix: We treat null ports in SPD as
@@ -287,23 +613,33 @@
on phase 2 initiation retries when the phase 2 had been queued
for a phase 1.
----------------------------------------------
-
- 0.6rc1 released
+ From Uri Blumenthal <urimobile@optonline.net>
+ and Larry Baird <lab@gta.com>:
+ * src/libipsec/pfkey_dump.c src/setkey/test-pfkey.c
+ src/racoon/{algorithm.c|cftoken.l|eaytest.c|ipsec_doi.c}
+ src/racoon/{ipsec_doi.h|pfkey.c|strnames.c}: Add SHA2 support
+ * src/setkey/setkey.8 src/racoon/racoon.conf.5: update doc for SHA2
+ * src/setkey/token.l: Add aliases shaxxx for sha2_xxx
-2005-06-15 Emmanuel Dreyfus <manu@netbsd.org>
+2005-06-07 Emmanuel Dreyfus <manu@netbsd.org>
From Larry Baird <lab@gta.com>
* src/racoon/isakmp.c: consume NAT keepalive data already seen
with MSG_PEEK
+2005-06-07 Frederic Senault <fred@lacave.net>
+
+ * configure.ac src/racoon/{cfparse.y|isakmp_cfg.h|isakmp_cfg.c}
+ src/racoon/{handler.c|privsep.c|privsep.h|racoon.conf.5}: Add
+ support for system accounting into the utmp files, with the
+ "accounting system" directive.
+
+ * src/privsep.c: Bug fixes in the xauth password handling code.
+
2005-06-06 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/isakmp_quick.c: endianness bug fix
- From Frederic Senault <fred@lacave.net>
- * src/racoon/privsep.c: fix Xauth login with PAM authentication
-
2005-06-05 Emmanuel Dreyfus <manu@netbsd.org>
From Thomas Klausner <wiz@netbsd.org>
@@ -315,13 +651,18 @@
* src/racoon/ipsec_doi.c: Inserted missing 0th element of
rm_idtype2doi array. Bug #1199700 fix.
-2005-05-23 Emmanuel Dreyfus <manu@netbsd.org>
+2005-05-30 Frederic Senault <fred@lacave.net>
- * src/racoon/admin.c: build fix
+ * src/racoon/oakley.h: Fix a typo in the RMAUTHMETHOD macro
+ definition.
----------------------------------------------
+ * src/racoon/isakmp_cfg.c: Fix the switch so that the phase1 script
+ is executed at the end of the mode cfg exchange ; add a debug
+ message at the script startup.
- 0.6b3 released
+2005-05-23 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/admin.c: build fix
2005-05-20 Emmanuel Dreyfus <manu@netbsd.org>
@@ -334,17 +675,31 @@
* src/racoon/proposal.c: fix SPI size test for IPcomp
From Larry Baird <lab@gta.com>
- * src/racoon/{handler.c|ipsec_doi.c|remoteconf.h|remoteconf.c}: When
- altering lifetime, duplicate the proposal instead of modifying
- the configured one.
+ * src/racoon/{handler.c|ipsec_doi.c}: When altering lifetime,
+ duplicate the proposal instead of modifying the configured one.
+
+2005-05-19 Frederic Senault <fred@lacave.net>
+
+ * configure.ac src/racoon/plog.c: Fix the logging functions to work
+ around the lack of support of printf %zu in FreeBSD 4 (at least).
- From Frederic Senault <fred@lacave.net>
* src/racoon/{isakmp.c|pfkey.c}: Put sockets in non-blocking mode to
fix a hangup with FreeBSD 4.
+ * src/racoon/{isakmp_inf.c|isakmp_unity.h|strnames.c}: Recognize a
+ unity-specific heartbeat message.
+ * src/racoon/isakmp_inf.c: Reorganize switch statement in
+ isakmp_check_notify.
+
+2005-05-17 Yvan Vanhullebus <vanhu@free.fr>
+
+ * src/racoon/handler.c: Fixed exchange type check in
+ revalidate_ph1().
+ * src/racoon/pfkey.c: changed includes order to fix compilation.
+
2005-05-14 Emmanuel Dreyfus <manu@netbsd.org>
- * src/libipsec/policy_parse.y: fix parse bug in IPsec policies
+ * src/libipsec/policy_parse.y: Fix parse problem
2005-05-14 Aidas Kasparas <a.kasparas@gmc.lt>
@@ -353,10 +708,7 @@
2005-05-13 Emmanuel Dreyfus <manu@netbsd.org>
- * src/racoon/isakmp.c: For acquire messages, when NAT-T is in use,
- consider null port as a wildcard and use IKE port
-
- * src/racoon/isakmp.c: Build fix
+ * src/racoon/isakmp_inf.c: fix build problem
2005-05-13 Yvan Vanhullebus <vanhu@free.fr>
@@ -365,37 +717,46 @@
2005-05-12 Emmanuel Dreyfus <manu@netbsd.org>
- * src/racoon/{proposal.c|proposal.h|isakmp_quick.c}: fix build problem
-
----------------------------------------------
+ * src/racoon/isakmp_quick.c: fix build problem on some platforms
- 0.6b2 released
+ * src/racoon/isakmp.c: For acquire messages, when NAT-T is in use,
+ consider null port as a wildcard and use IKE ports.
2005-05-10 Emmanuel Dreyfus <manu@netbsd.org>
- * src/racoon/samples/roadwarrior/client/racoon.conf
- src/racoon/samples/roadwarrior/server/{racoon.conf|racoon.conf-radius}
+ * src/racoon/samples/roadwarrior/server/{racoon.conf|racoon.conf-radius}
src/racoon/samples/roadwarrior/server/phase1-down.sh: removed file
- src/racoon/samples/roadwarrior/README: update config files to
- higher security settings. Remove now useless phase 1 down
+ src/racoon/samples/roadwarrior/client/racoon.conf: update config
+ files to higher security settings. Remove now useless phase 1 down
script on server side.
+ * Update README to reflect server/phase1-down.sh removal
-2005-05-10 Emmanuel Dreyfus <manu@netbsd.org>
+2005-05-09 Emmanuel Dreyfus <manu@netbsd.org>
- * src/racoon/ipsec_doi.c: check for lifebyte in proposals
- * src/racoon/ipsec_doi.c: fix a bug in proposal_check claim for phase 1
-
- * src/racoon/{cfparse.y|cftoken.l|racoon.conf.5|isakmp_cfg.c}
- src/racoon/{isakmp_cfg.h|isakmp_unity.c}: add Cisco extensions for
- sending PFS group and save password through ISAKMP mode config.
+ * src/racoon/{cftoken.l|cfparse.y|isakmp_cfg.c|isakmp_cfg.h}
+ src/racoon/{isakmp_unity.c|racoon.conf.5}: Add PFS group and
+ save password extensions from Cisco in ISAKMP mode config.
2005-05-08 Emmanuel Dreyfus <manu@netbsd.org>
- * configure.ac src/racoon/isakmp_xauth.c: Support shadow passwords
+ * src/racoon/{handler.c|ipsec_doi.c|proposal.c}: check for lifebyte
+ in proposals
+ * src/racoon/ipsec_doi.c: fix a bug in proposal_check claim for phase 1
+ * src/racoon/handler.c: style
+
+ * src/racoon/isakmp_xauth.c: fix build with shadow passwords
2005-05-07 Emmanuel Dreyfus <manu@netbsd.org>
- * src/racoon/{admin.c|isakmp.c|isakmp_inf.c}: factor various
+ * configure.ac src/racoon/isakmp_xauth.c: support shadow passwords
+ * src/racoon/{isakmp_inf.c|isakmp_inf.h}: missing prototype
+ * src/racoon/{handler.h|isakmp_inf.c|isakmp_quick.c|isakmp_var.h}
+ src/racoon/pfkey.c: Move purge_remote() and delete_spd() prototypes
+ to the right header file
+
+2005-05-06 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/{admin.c|isakmp.c|isakmp_inf.c}: factor various
ISAKMP SA termination (for DPD timeouts and delete message) to
use purge_remote() so that SA and generated SPD get correctly flushed
* src/racoon/{handler.c|handler.h}: Introduce getph1byaddrwop() and
@@ -406,6 +767,24 @@
* src/racoon/{sockmisc.c|sockmisc.h} introduce a CMPSADDR() macro
to compare with ports when ENABLE_NATT and without otherwise
+2005-05-06 Frederic Senault <fred@lacave.net>
+
+ * src/racoon/isakmp_inf.c: Only print the contents of an informative
+ message if the payload indicates an error ; transmit the return
+ values from the DPD functions.
+
+2005-05-06 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/isakmp_inf.c: Fix a bug causing informational message
+ payloads to be ignored
+
+2005-05-05 Yvan Vanhullebus <vanhu@free.fr>
+
+ * src/racoon/isakmp_inf.c: Fixed some potential crashes in
+ purge_remote() and purge_ipsec_spi().
+
+2005-05-05 Emmanuel Dreyfus <manu@netbsd.org>
+
* src/libipsec/{policy_parse.y|policy_token.l}
src/setkey/{setkey.8|token.l}: Allow ports to be supplied in SP
endpoints, for accurate ESP over UDP matching
@@ -417,6 +796,11 @@
use the IKE ports supplied by racoon to set up acurate endpoints
ports in SP endpoints
+2005-05-04 Yvan Vanhullebus <vanhu@free.fr>
+
+ * src/racoon/isakmp_inf.c: code cleanup for SPD remove, generated
+ policies are now also removed when DPD purge.
+
2005-05-04 Emmanuel Dreyfus <manu@netbsd.org>
From Manisha Malla <mmanisha@novell.com>
@@ -430,33 +814,63 @@
* configure.ac: Revert GLIBC_BUGS change from 2005-04-15
-2005-05-03 Emmanuel Dreyfus <manu@netbsd.org>
+2005-05-03 Frederic Senault <fred@lacave.net>
- From Patrick McHardy <kaber@trash.net>
- * src/racoon/{pfkey.c|handler.h|hendler.c}: on phase 2 acquire,
- lookup phase 2 by (src, dst, policy id) so that multiple SA can
- be used in transport mode
+ * src/racoon/{cfparse.y|cftoken.l|isakmp_inf.c|racoon.conf.5}
+ src/racoon/{remoteconf.c|remoteconf.h}: Add a weak_phase1_check
+ option to enable the handling of unencrypted delete payloads.
+
+ * src/racoon/plog.c: Use of isgraph in binsanitize.
+
+ * src/racoon/rfc/rfc3706.txt: new file: Dead Peer Detection RFC.
+
+ * src/racoon/isakmp_inf.c: Unused code cleanup.
2005-04-26 Emmanuel Dreyfus <manu@netbsd.org>
+ * bootstrap: Darwin support
+
From Larry Baird <lab@gta.com>
- * src/racoon/nattraversal.c: Fix NAT-T initiator problem
+ * src/racoon/nattraversal.c: Fix NAT-T for initiator
+
+ From Andreas Tobler <toa@pop.agri.ch>:
+ * src/racoon/{misc.h|throttle.c|remoteconf.c|sockmisc.c|privsep.c}
+ src/racoon/{pfkey.c|isakmp.c|grabmyaddr.c|getcertsbyname.c}
+ src/racoon/configure.ac src/libipsec/policy_token.l
+ src/setkey/token.l: Build on Darwin
2005-04-25 Emmanuel Dreyfus <manu@netbsd.org>
- * src/libipsec/{ipsec_dump_policy.c|pfkey_dump.c|libpfkey.h}:
+ * src/racoon/handler.h: ifdef DPD and NAT-T data in data structures
+
+ * src/libipsec/{ipsec_dump_policy.c|pfkey_dump.c|libpfkey.h}
src/setkey/{setkey.8|setkey.c}: add a -p option to setkey to
enable the display of ESP over UDP ports in policies.
-
- * src/racoon/{isakmp.c|isakmp_cfg.c|isakmp_inf.c|pfkey.c}: don't
- forget port numbers so that mutiple clients behind the same NAT
- can work.
* src/racoon/ipsec_doi.c: fix LP64 bug
-
+
+ From Ludo Stellingwerff <ludo@protactive.nl>:
+ * src/racoon/isakmp.c: build without NAT-T
+
+ From F. Senault <fred.letter@lacave.net>
+ * src/racoon/{evt.h|isakmp.h|isakmp_inf.c|plog.c|plog.h|racoonctl.c}
+ src/racoon/isakmp_xauth.c: Take into account payloads bundled after
+ an ISAKMP informationnal message.
+
+ From Patrick McHardy <kaber@trash.net>
+ * src/racoon/{handler.c|handler.h|pfkey.c}: When handling acquire
+ message, lookup phase 2 by (src, dst, id) instead of only id.
+
+2005-04-23 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/libipsec/ipsec_dump_policy.c: display port numbers in policies
+ * src/racoon/{isakmp.c|isakmp_cfg.c|isakmp_inf.c|pfkey.c}: don't
+ forget port numbers so that mutiple clients behind the same NAT
+ can work.
+
From Larry Baird <lab@gta.com>
* src/racoon/{isakmp.c|nattraversal.c|isakmp_quick.c|nattraversal.h}:
- NAT-T fixes for interoperability with greenbow VPN client.
+ NAT-T fixes for interoperability with greenbow VPN client.
2005-04-21 Aidas Kasparas <a.kasparas@gmc.lt>
@@ -467,8 +881,8 @@
src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
src/racoon/isakmp_inf.c, src/racoon/pfkey.c,
src/racoon/plainrsa-gen.c, src/racoon/sockmisc.c,
- src/racoon/sockmisc.h, src/racoon/racoonctl.c: made
- compile with gcc-4.0 (20050410 prerelease)
+ src/racoon/sockmisc.h, src/racoon/racoonctl.c: made compile
+ with gcc-4.0 (20050410 prerelease)
2005-04-20 Aidas Kasparas <a.kasparas@gmc.lt>
@@ -477,13 +891,7 @@
2005-04-19 Yvan Vanhullebus <vanhu@free.fr>
- * src/racoon/handler.h: added a flag to identify generated policies
- * src/racoon/isakmp.c: changed logging in isakmp_ph1expire()
- * src/racoon/isakmp_inf.c: use iph2->generated_spidx to check if
- policy have been generated in purge_remote_spi()
- * src/racoon/isakmp_quick.c: sets iph2->generated_spidx for
- generated policies
- * src/racoon/pfkey.c: reactivated the unbindph12() in pk_recvupdate()
+ * src/racoon/remoteconf.c: fixed dupisakmpsa() and dhgroup.
2005-04-18 Aidas Kasparas <a.kasparas@gmc.lt>
@@ -491,6 +899,8 @@
* NEWS: noted fix
2005-04-18 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/isakmp_base.c: DPD support, fix memory leak
From Thomas Klausner <wiz@NetBSD.org>
* src/libipsec/{ipsec_set_policy.3|ipsec_strerror.3}
@@ -507,6 +917,32 @@
From KAME
* src/racoon/ipsec_doi.c: wrong check on SA lifebyte
+ From Fred Senault <fred.letter@lacave.net>
+ * src/racoon/{cfparse.y|cftoken.l} drop split_net_type directive,
+ which is now incoprated into split_net_tunnels
+ * src/raccon/{isakmp.c|isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c}
+ src/racoon/isakmp_xauth.h: support login and password sent
+ in different packets during the Xauth exchange. This makes racoon
+ interoperable with SecureComputing's sidewinder
+ * src/racoon/{strnames.c|strnames.h}: more debug strings for Xauth
+
+2005-04-17 Yvan Vanhullebus <vanhu@free.fr>
+
+ * src/racoon/handler.c: Configuration reload validation code
+ * src/racoon/handler.h:revalidate_ph12() function
+ * src/racoon/ipsec_doi.c: duplicates iph1->approval in
+ get_ph1approval(), some fields sets to NULL when needed
+ * src/racoon/isakmp_inf.[ch]: purge_ipsec_spi() is now public
+ * src/racoon/localconf.[ch]: save/restore_params() functions
+ * src/racoon/main.c: moved restore_params functions to localconf
+ * src/racoon/remoteconf.c: save_rmconf() functions, dupisakmpsa()
+ function, some values set to NULL when needed
+ * src/racoon/remoteconf.h: save_rmconf() functions, dupisakmpsa()
+ function
+ * src/racoon/sainfo.[ch]: save_sainfotree() functions
+ * src/racoon/session.c: Reloads conf on a SIGHUP without loosing
+ existing tunnels
+
2005-04-15 Aidas Kasparas <a.kasparas@gmc.lt>
From Zilvinas Valinskas <zilvinas@gemtek.lt>:
@@ -515,13 +951,85 @@
- --enable-{frag|hybrid}=no fixes (patches 6,7);
- support for --with-flex, --with-flexlib (patch 11);
- GLIBC_BUGS assignment correction (patch 14 with mods).
+ * src/racoon/isakmp.c: fix compilation when hybrid disabled.
+
+2005-04-11 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/rfc/{rfc2407.txt|rfc2408.txt: new files
+ RFC for IPsec DOI and ISAKMP
2005-04-10 Emmanuel Dreyfus <manu@netbsd.org>
- * src/racoon/isakmp_agg.c: fix a memory leak when using hybrid auth
- * src/libipsec/{pfkey.c|pfkey_dump.c}
- src/setkey/{token.l|parse.y|setkey.8}: missing bits for TCP_MD5
- support, from KAME
+ * src/racoon/isakmp_base.c: resurect RSASIG support
+ * src/racoon/isakmp_ident.c: missing support for hybrid auth
+ * src/racoon/{isakmp_base.c|oakley.c}: missing bits for hybrid/base mode
+
+2005-04-09 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/{algorithm.c|algorithm.h|cftoken.l|ipsec_doi.c}
+ src/racoon/{isakmp.c|isakmp_agg.c|isakmp_ident.c|isakmp_base.c}
+ src/racoon/{isakmp_frag.h|isakmp_xauth.c|oakley.c|racoon.conf.5}:
+ Add Xauth + RSASIG, for client and server. Add all Xauth and
+ IKE fragmentation logic to base and ident mode.
+ * src/libipsec/{pfkey.c|pfkey_dump.c}
+ src/setkey/parse.y: more missing TCP_MD5 bits from KAME
+
+2005-04-08 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/cfparse.y: a list of network can be specified for split
+ tunnelling
+ * src/racoon/{isakmp_cfg.c|racoon.conf.5}: add INTERNAL_CIDR4, the
+ netmask in CIDR notation, to the hook script environement.
+ * src/setkey/{token.l|parse.y|setkey.8}: KAME backport of missing
+ bits for TCP_MD5 support.
+
+ From Fred Senault <fred.letter@lacave.net>
+ * src/racoon/{cfparse.y|cftoken.l|ipsec_doi.c|ipsec_doi.h}
+ src/racoon/racoon.conf.5: KEYID identifier can be taken from
+ a file or from a quoted string
+
+2005-04-05 Emmanuel Dreyfus <manu@netbsd.org>
+
+ From Fred Senault <fred.letter@lacave.net>
+ * src/racoon/admin.c: fix the admin interface that was left behind
+ after recent Xauth changes
+ * src/racoon/{cfparse.y|isakmp_xauth.c|isakmp_xauth.h|oakley.c}
+ src/racoon/{remoteconf.c|remoteconf.h}: factor Xauth info in
+ remote conf within a single structure.
+ * src/racoon/{isakmp.c|isakmp_cfg.c}: on client side, do not run
+ phase1-up script before ISAKMP mode config is done
+ * src/racoon/isakmp_inf.c: log a buggy condition
+ * src/racoon/{isakmp.c|isakmp_agg.c|isakmp_base.c|isakmp_ident.c}
+ src/racoon/{oakley.c|oakley.h}: Use the AUTHMETHOD macro to
+ distinguish between XAUTH PSK and Kerberos authentications
+ * src/racoon/{oakley.c|remoteconf.c}: set a default for certificate
+ requests
+ * src/racoon/isakmp_xauth.c: Fix serious security bug introduced
+ on 2005-03-09: Xauth validation was required for phase 2 on the
+ client (thus blocking phase 2), but not on the server (thus
+ making it open regardless of Xauth exchange).
+ * src/racoon/vendorid.c: dump unknown VIDs
+
+
+2005-04-06 Yvan Vanhullebus <vanhu@free.fr>
+
+ * src/racoon/crypto_openssl.c: Disable OpenSSL padding in
+ evp_crypt(), because it may cause some interoperability problems.
+ Solution reported by Ganesan Rajagopal.
+
+2005-04-05 Emmanuel Dreyfus <manu@netbsd.org>
+
+ * src/racoon/main.c: build with hybrid but without libradius
+
+2005-04-05 Yvan Vanhullebus <vanhu@free.fr>
+
+ * src/racoon/handler.h: added a flag to identify generated policies
+ * src/racoon/isakmp.c: changed logging in isakmp_ph1expire()
+ * src/racoon/isakmp_inf.c: use iph2->generated_spidx to check if
+ policy have been generated in purge_remote_spi()
+ * src/racoon/isakmp_quick.c: sets iph2->generated_spidx for
+ generated policies
+ * src/racoon/pfkey.c: reactivated the unbindph12() in pk_recvupdate()
2005-04-04 Emmanuel Dreyfus <manu@netbsd.org>
@@ -531,10 +1039,6 @@
* configure.ac: Don't compile with NAT-T by default (according to
documentation, finally :-)
- * configure.ac, rpm/suse/ipsec-tools.spec.in,
- rpm/suse/Makefile.am: Distribute .spec file with
- resolved version string.
- * src/racoon/Makefile.am: Allow parallel cluster build.
2005-03-27 Michal Ludvig <michal@logix.cz>
@@ -545,26 +1049,20 @@
* acracoon.m4(RACOON_CHECK_VA_COPY): Allow cross-compilation.
(RACOON_CHECK_BUGGY_GETADDRINFO): Ditto.
----------------------------------------------
-
- 0.6b1 released
-
-2005-03-22 Emmanuel Dreyfus <manu@netbsd.org>
-
- * src/racoon/privsep.c: fix the build without --with-libpam
-
2005-03-16 Emmanuel Dreyfus <manu@netbsd.org>
- * src/racoon/{cftoken.l|localconf.h|privsep.c|racoon.conf.5}
- src/racoon/remoteconf.c: When running in privsep mode, check that
- private key and script paths match those given in the path section.
+ * src/racoon/privsep.c: check for NULL path in unsafe_path()
+ * src/racoon/privsep.c: missing space
2005-03-15 Emmanuel Dreyfus <manu@netbsd.org>
- * src/racoon/{isakmp_cfg|isakmp_cfg.h|isakmp_xauth.c}: initialize
- RADIUS accounting at startup
- * src/racoon/privsep.c: fix minor bug in PAM cleanup
- * src/racoon/isakmp_cfg.c: only call cleanup_pam if PAM is used
+ * src/racoon/{cfparse.y|cftoken.l|isakmp.c|isakmp_cfg.c|isakmp_cfg.h}
+ src/racoon/{isakmp_var.h|isakmp_xauth.c|localconf.h|privsep.c}
+ src/racoon/{privsep.h|racoon.conf.5|remoteconf.c|remoteconf.h}
+ src/racoon/main.c: Remove most of config dependency from
+ privilegied instance for upcoming config reload patch.
+ * src/racoon/isakmp_cfg.h: fix the application version for Xauth
+ * src/racoon/isakmp_cfg.c: only call cleanup_pam when PAM is used
2005-03-14 Emmanuel Dreyfus <manu@netbsd.org>
@@ -577,8 +1075,28 @@
2005-03-09 Emmanuel Dreyfus <manu@netbsd.org>
+ From Fred Senault <fred.letter@lacave.net>
+ * src/racoon/cfparse.y: endainness bugfix
+ * src/racoon/isakmp_xauth.c: off by one bugs in strings
+ * src/racoon/oakley.h: missing parenthesis causing bugs
+
+2005-03-09 Emmanuel Dreyfus <manu@netbsd.org>
+
* src/racoon/isakmp_xauth.c: fix a crash when using RADIUS auth
+2005-03-07 Emmanuel Dreyfus <manu@netbsd.org>
+
+ From Fred Senault <fred.letter@lacave.net>
+ * src/racoon/{algorithm.c|algorithm.h|cfparse.y|cftoken.l}
+ src/racoon/{handler.c|ipsec_doi.c|ipsec_doi.h|isakmp.c}
+ src/racoon/{isakmp_agg.c|isakmp_base.c|isakmp_cfg.c|isakmp_cfg.h}
+ src/racoon/{isakmp_ident.c|isakmp_inf.c|isakmp_quick.c}
+ src/racoon/{isakmp_unity.c|isakmp_xauth.c|kmpstat.c|oakley.c}
+ src/racoon/{oakley.h|plainrsa-gen.8|privsep.c|racoon.conf.5}
+ src/racoon/{racoonctl.c|remoteconf.c|remoteconf.h|strnames.c}
+ src/racoon/{strnames.h|throttle.c}: Support plain Xauth, split
+ tunnelling, multiple DNS & WINS in ISAKMP mode config.
+
2005-03-02 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/isakmp_quick.c: tunnel_mode_prop() is now public
@@ -589,34 +1107,35 @@
* src/racoon/oakley.c: fixed oakley_newiv2() when errors
2005-02-24 Emmanuel Dreyfus <manu@netbsd.org>
-
- * src/racoon/privsep.c: safety check port numbers given by the
+
+ * src/racoon/privsep.c: safety check port numbers given by the
unprivilegied instance.
- * src/libipsec/libpfkey.h: prefer __inline to inline
* src/racoon/racoonctl.8: display fixes in racoonctl(8)
- * src/racoon/{cfparse.y|cftoken.l|localconf.c|localconf.h|privsep.c}
- src/racoon/racoon.conf.5: Add chroot capability
-
+
2005-02-23 Emmanuel Dreyfus <manu@netbsd.org>
* configure.ac, src/racoon/{Makefile.am|crypto_openssl.c}: optionnal
support for patented algorithms: IDEA and RC5.
* src/racoon/{isakmp_xauth.c|main.c}: don't initialize RADIUS if it
is not required in the configuration
- * src/racoon/isakmp.c: do not reject addresses for which kernel
- refused UDP encapsulation, they can still be used for non NAT-T
+ * src/racoon/isakmp.c: do not reject addresses for which kernel
+ refused UDP encapsulation, they can still be used for non NAT-T
traffic (eg: NAT-T enabled racoon on non NAT-T enabled kernel)
+ * src/libipsec/libpfkey.h: prefer __inline to inline
+ * src/racoon/{cfparse.y|cftoken.l|localconf.c|localconf.h|privsep.c}
+ src/racoon/racoon.conf.5: Add chroot capability
2005-02-18 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{main.c|eaytest.c|plairsa-gen.c}
src/setkey/setkey.c: don't use fuzzy paths for package_version.h
-2005-02-18 Yvan Vanhullebus <vanhu@free.fr>
+2005-02-18 Michal Ludvig <michal@logix.cz>
- * src/racoon/isakmp_inf.c: Purge generated SPDs when getting a
- related DELETE_SA
- * src/racoon/pfkey.c: do NOT unbindph12() when SA acquire
+ * configure.ac, rpm/suse/ipsec-tools.spec.in,
+ rpm/suse/Makefile.am: Distribute .spec file with
+ resolved version string.
+ * src/racoon/Makefile.am: Allow parallel cluster build.
2005-02-17 Emmanuel Dreyfus <manu@netbsd.org>
@@ -627,6 +1146,12 @@
* src/racoon/ipsec_doi.c: Workaround for phase1 lifetime checks
+2005-02-16 Yvan Vanhullebus <vanhu@free.fr>
+
+ * src/racoon/isakmp_inf.c: Purge generated SPDs when getting a
+ related DELETE_SA
+ * src/racoon/pfkey.c: do NOT unbindph12() when SA acquire
+
2005-02-15 Michal Ludvig <michal@logix.cz>
* configure.ac: Changed --enable-natt_NN to --enable-natt-versions=NN,NN
2  crypto/dist/ipsec-tools/Makefile.am
@@ -1,3 +1,5 @@
SUBDIRS = src @RPM@
+DIST_SUBDIRS = src rpm
+
EXTRA_DIST = bootstrap README NEWS depcomp
22 crypto/dist/ipsec-tools/NEWS
@@ -1,17 +1,15 @@
Version history:
----------------
-0.6.3 - 21 November 2005
- o Various bug fixes
-
-0.6.2 - 14 October 2005
- o ISAKMP mode config works without Xauth
-
-0.6.1 - 10 august 2005
- o NAT-T fixes for situations where NAT-T is not used
- o OpenSSL 0.9.8 support
- o keys are not restricted to OpenSSL default size anymore
- o PKCS7 support
+0.7??? - ??
+ o Xauth with pre-shared key PSK
+ o Xauth with certificates
o SHA2 support
+ o pkcs7 support
+ o system accounting (utmp)
+ o Darwin support
+ o configuration can be reloaded
+ o support for UNIQUE generated policies
+ o support for semi anonymous sainfos
0.6 - 27 June 2005
o Generated policies are now correctly flushed
@@ -23,7 +21,7 @@ Version history:
o ESP fragmentation in tunnel mode can be tunned (NetBSD only)
o racoon admin interface is exported (header and library) to
help building control programs for racoon (think GUI)
- o Fixed single DES support; single DES users MUST UPGRADE
+ o Fixed single DES support; single DES users MUST UPGRADE.
0.5 - 10 April 2005
o Rewritten buildsystem. Now completely autoconfed, automaked,
12 crypto/dist/ipsec-tools/bootstrap
@@ -2,12 +2,20 @@
set -x
+case `uname -s` in
+Darwin)
+ LIBTOOLIZE=glibtoolize
+ ;;
+*)
+ LIBTOOLIZE=libtoolize
+ ;;
+esac
+
# Remove autoconf 2.5x's cache directory
-
rm -rf autom4te*.cache
aclocal -I . || exit 1
autoheader || exit 1
-libtoolize --force --copy || exit 1
+${LIBTOOLIZE} --force --copy || exit 1
automake --foreign --add-missing --copy || exit 1
autoconf || exit 1
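Review bot: The new `case` block hard-codes the libtoolize program name per platform and silently overrides any value the caller already has in the environment, which is the usual way to point a bootstrap script at a non-default autotools install. Consider honoring an existing setting with a platform-specific default, e.g. `LIBTOOLIZE=${LIBTOOLIZE:-glibtoolize}` in the Darwin arm and `LIBTOOLIZE=${LIBTOOLIZE:-libtoolize}` in the default arm, so the rest of the script (`${LIBTOOLIZE} --force --copy || exit 1`) is unchanged.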
284 crypto/dist/ipsec-tools/configure.ac
@@ -1,8 +1,8 @@
dnl -*- mode: m4 -*-
-dnl Id: configure.ac,v 1.47.2.31 2005/11/21 11:11:41 manubsd Exp
+dnl Id: configure.ac,v 1.77 2006/07/20 19:19:27 manubsd Exp
AC_PREREQ(2.52)
-AC_INIT(ipsec-tools, 0.6.3)
+AC_INIT(ipsec-tools, CVS)
AC_CONFIG_SRCDIR([configure.ac])
AM_CONFIG_HEADER(config.h)
@@ -34,6 +34,9 @@ case $host in
AC_SUBST(INCLUDE_GLIBC)
AC_SUBST(RPM)
;;
+*darwin*)
+ LIBS="$LIBS -lresolv"
+ ;;
esac
# Look up some IPsec-related headers
@@ -122,7 +125,10 @@ AC_TRY_COMPILE([
printf("%zu\n", (size_t)-1);
],
[AC_MSG_RESULT(yes)],
- [AC_MSG_RESULT(no); CFLAGS_ADD="$CFLAGS_ADD -Wno-format"])
+ [AC_MSG_RESULT(no);
+ CFLAGS_ADD="$CFLAGS_ADD -Wno-format";
+ AC_DEFINE(BROKEN_PRINTF, [], [If printf doesn't support %zu.])
+ ])
CFLAGS=$saved_CFLAGS
# Can we use __func__ macro?
@@ -208,6 +214,9 @@ AC_MSG_RESULT(yes)
AC_CHECK_HEADER(openssl/sha2.h, [], [
AC_MSG_CHECKING(if sha2 is defined in openssl/sha.h)
AC_TRY_COMPILE([
+ #ifdef HAVE_SYS_TYPES_H
+ #include <sys/types.h>
+ #endif
#include <openssl/sha.h>
], [
SHA256_CTX ctx;
@@ -263,54 +272,33 @@ AC_SUBST(EXTRA_CRYPTO)
# For dynamic libradius
RACOON_PATH_LIBS([MD5_Init], [crypto])
-# Check for Kerberos5 support
-AC_MSG_CHECKING(if --enable-gssapi option is specified)
-AC_ARG_ENABLE(gssapi,
- [ --enable-gssapi enable GSS-API authentication],
- [], [enable_gssapi=no])
-AC_MSG_RESULT($enable_gssapi)
-AC_PATH_PROG(KRB5_CONFIG,krb5-config,no)
-if test "x$enable_gssapi" = "xyes"; then
- if test "$KRB5_CONFIG" != "no"; then
- krb5_incdir="`$KRB5_CONFIG --cflags gssapi`"
- krb5_libs="`$KRB5_CONFIG --libs gssapi`"
+# Check if we need -lutil for login(3)
+RACOON_PATH_LIBS([login], [util])
+
+# Specify libiconv prefix
+AC_MSG_CHECKING(if --with-libiconv option is specified)
+AC_ARG_WITH(libiconv,
+ [ --with-libiconv=DIR specify libiconv path (like/usr/pkg)],
+ [libiconv_dir=$withval],
+ [libiconv_dir=no])
+AC_MSG_RESULT($libiconv_dir)
+if test "$libiconv_dir" != "no"; then
+ if test "$libiconv_dir" = "yes" ; then
+ libiconv_dir="";
+ fi;
+ if test "x$libiconv_dir" = "x"; then
+ RACOON_PATH_LIBS([iconv_open], [iconv])
else
- # No krb5-config; let's make some assumptions based on
- # the OS.
- case $host_os in
- netbsd*)
- krb5_incdir="-I/usr/include/krb5"
- krb5_libs="-lgssapi -lkrb5 -lcom_err -lroken -lasn1"
- ;;
- *)
- AC_MSG_ERROR([krb5-config not found, but needed for GSSAPI support. Aborting.])
- ;;
- esac
+ if test -d "$libiconv_dir/lib" -a \
+ -d "$libiconv_dir/include" ; then
+ RACOON_PATH_LIBS([iconv_open], [iconv], ["$libiconv_dir/lib"])
+ CPPFLAGS_ADD="$CPPFLAGS_ADD -I$libiconv_dir/include"
+ else
+ AC_MSG_ERROR([ICONV libs or includes not found. Aborting.])
+ fi
fi
- LIBS="$LIBS $krb5_libs"
- CPPFLAGS_ADD="$krb5_incdir $CPPFLAGS_ADD"
- AC_DEFINE([HAVE_GSSAPI], [], [Enable GSS API])
-
- # Check if iconv 2nd argument needs const
- AC_CHECK_HEADER([iconv.h], [], [AC_MSG_ERROR([iconv.h not found, but needed for GSSAPI support. Aborting.])])
- AC_MSG_CHECKING([if iconv second argument needs const])
- saved_CFLAGS=$CFLAGS
- CFLAGS="$CFLAGS -Wall -Werror"
- AC_TRY_COMPILE([
- #include <iconv.h>
- #include <stdio.h>
- ], [
- iconv_t cd = NULL;
- const char **src = NULL;
- size_t *srcleft = NULL;
- char **dst = NULL;
- size_t *dstleft = NULL;
-
- (void)iconv(cd, src, srcleft, dst, dstleft);
- ], [AC_MSG_RESULT(yes)
- AC_DEFINE([HAVE_ICONV_2ND_CONST], [], [Have iconv using const])
- ], [AC_MSG_RESULT(no)])
- CFLAGS=$saved_CFLAGS
+ LIBS="$LIBS -L$libiconv_dir/lib -R$libiconv_dir/lib -liconv"
+ AC_CHECK_FUNCS(iconv_open)
fi
AC_MSG_CHECKING([if --enable-hybrid option is specified])
@@ -320,7 +308,13 @@ AC_ARG_ENABLE(hybrid,
AC_MSG_RESULT($enable_hybrid)
if test "x$enable_hybrid" = "xyes"; then
- LIBS="$LIBS -lcrypt";
+ case $host in
+ *darwin*)
+ ;;
+ *)
+ LIBS="$LIBS -lcrypt";
+ ;;
+ esac
HYBRID_OBJS="isakmp_xauth.o isakmp_cfg.o isakmp_unity.o throttle.o"
AC_SUBST(HYBRID_OBJS)
AC_DEFINE([ENABLE_HYBRID], [], [Hybrid authentication support])
@@ -333,7 +327,13 @@ AC_ARG_ENABLE(frag,
AC_MSG_RESULT($enable_frag)
if test "x$enable_frag" = "xyes"; then
- LIBS="$LIBS -lcrypt";
+ case $host in
+ *darwin*)
+ ;;
+ *)
+ LIBS="$LIBS -lcrypt";
+ ;;
+ esac
FRAG_OBJS="isakmp_frag.o"
AC_SUBST(FRAG_OBJS)
AC_DEFINE([ENABLE_FRAG], [], [IKE fragmentation support])
@@ -391,6 +391,135 @@ if test "$libpam_dir" != "no"; then
AC_CHECK_FUNCS(pam_start)
fi
+AC_MSG_CHECKING(if --with-libldap option is specified)
+AC_ARG_WITH(libldap,
+ [ --with-libldap=DIR specify libldap path (like/usr/pkg)],
+ [libldap_dir=$withval],
+ [libldap_dir=no])
+AC_MSG_RESULT($libldap_dir)
+if test "$libldap_dir" != "no"; then
+ if test "$libldap_dir" = "yes" ; then
+ libldap_dir="";
+ fi;
+ if test "x$libldap_dir" = "x"; then
+ RACOON_PATH_LIBS([ldap_init], [ldap])
+ else
+ if test -d "$libldap_dir/lib" -a \
+ -d "$libldap_dir/include" ; then
+ RACOON_PATH_LIBS([ldap_init], [ldap], ["$libldap_dir/lib"])
+ CPPFLAGS_ADD="$CPPFLAGS_ADD -I$libldap_dir/include"
+ else
+ AC_MSG_ERROR([LDAP libs or includes not found. Aborting.])
+ fi
+ fi
+ AC_DEFINE([HAVE_LIBLDAP], [], [Hybrid authentication uses LDAP])
+ LIBS="$LIBS -L$libldap_dir/lib -R$libldap_dir/lib -lldap"
+
+ saved_CFLAGS=$CFLAGS
+ CFLAGS="$CFLAGS -Wall -Werror"
+ saved_CPPFLAGS=$CPPFLAGS
+ CPPFLAGS="$CPPFLAGS $CPPFLAGS_ADD"
+ AC_TRY_COMPILE(
+ [#include <ldap.h>],
+ [
+ #if LDAP_API_VERSION < 2004
+ #error OpenLDAP version is too old ...
+ #endif
+ ],
+ [AC_MSG_RESULT([ok])],
+ [
+ AC_MSG_RESULT(too old)
+ AC_MSG_ERROR([OpenLDAP version must be 2.0 or higher. Aborting.])
+ ])
+ CFLAGS=$saved_CFLAGS
+ CPPFLAGS=$saved_CPPFLAGS
+fi
+
+# Check for Kerberos5 support
+# XXX This must come after all --with-* tests, else the
+# -liconv checks will not work
+AC_MSG_CHECKING(if --enable-gssapi option is specified)
+AC_ARG_ENABLE(gssapi,
+ [ --enable-gssapi enable GSS-API authentication],
+ [], [enable_gssapi=no])
+AC_MSG_RESULT($enable_gssapi)
+AC_PATH_PROG(KRB5_CONFIG,krb5-config,no)
+if test "x$enable_gssapi" = "xyes"; then
+ if test "$KRB5_CONFIG" != "no"; then
+ krb5_incdir="`$KRB5_CONFIG --cflags gssapi`"
+ krb5_libs="`$KRB5_CONFIG --libs gssapi`"
+ else
+ # No krb5-config; let's make some assumptions based on
+ # the OS.
+ case $host_os in
+ netbsd*)
+ krb5_incdir="-I/usr/include/krb5"
+ krb5_libs="-lgssapi -lkrb5 -lcom_err -lroken -lasn1"
+ ;;
+ *)
+ AC_MSG_ERROR([krb5-config not found, but needed for GSSAPI support. Aborting.])
+ ;;
+ esac
+ fi
+ LIBS="$LIBS $krb5_libs"
+ CPPFLAGS_ADD="$krb5_incdir $CPPFLAGS_ADD"
+ AC_DEFINE([HAVE_GSSAPI], [], [Enable GSS API])
+
+ # Check if iconv 2nd argument needs const
+ saved_CFLAGS=$CFLAGS
+ CFLAGS="$CFLAGS -Wall -Werror"
+ saved_CPPFLAGS=$CPPFLAGS
+ CPPFLAGS="$CPPFLAGS $CPPFLAGS_ADD"
+ AC_CHECK_HEADER([iconv.h], [], [AC_MSG_ERROR([iconv.h not found, but needed for GSSAPI support. Aborting.])])
+ AC_MSG_CHECKING([if iconv second argument needs const])
+ AC_TRY_COMPILE([
+ #include <iconv.h>
+ #include <stdio.h>
+ ], [
+ iconv_t cd = NULL;
+ const char **src = NULL;
+ size_t *srcleft = NULL;
+ char **dst = NULL;
+ size_t *dstleft = NULL;
+
+ (void)iconv(cd, src, srcleft, dst, dstleft);
+ ], [AC_MSG_RESULT(yes)
+ AC_DEFINE([HAVE_ICONV_2ND_CONST], [], [Have iconv using const])
+ ], [AC_MSG_RESULT(no)])
+ CFLAGS=$saved_CFLAGS
+ CPPFLAGS=$saved_CPPFLAGS
+
+ # libiconv is often integrated into libc. If a with-* option
+ # caused a non libc-based iconv.h to be catched instead of
+ # the libc-based iconv.h, then we need to link with -liconv
+ AC_MSG_CHECKING(if -liconv is required)
+ saved_CPPFLAGS=$CPPFLAGS
+ saved_LIBS=$LIBS
+ CPPFLAGS="$CPPFLAGS $CPPFLAGS_ADD"
+ AC_TRY_LINK([
+ #include <iconv.h>
+ ], [
+ (void)iconv_open("ascii", "ascii");
+ ],
+ [AC_MSG_RESULT(no)],
+ [
+ LIBS="$LIBS -liconv"
+ AC_TRY_LINK([
+ #include <iconv.h>
+ ], [
+ (void)iconv_open("ascii", "ascii");
+ ],
+ [
+ AC_MSG_RESULT(yes)
+ saved_LIBS=$LIBS
+ ], [
+ AC_MSG_ERROR([cannot use iconv])
+ ])
+ ])
+ CPPFLAGS=$saved_CPPFLAGS
+ LIBS=$saved_LIBS
+fi
+
AC_MSG_CHECKING(if --enable-stats option is specified)
AC_ARG_ENABLE(stats,
[ --enable-stats enable statistics logging function],
@@ -409,6 +538,15 @@ if test "x$enable_dpd" = "xyes"; then
fi
AC_MSG_RESULT($enable_dpd)
+AC_MSG_CHECKING(if --enable-fastquit option is specified)
+AC_ARG_ENABLE(fastquit,
+ [ --enable-fastquit enable new faster code to flush SAs when stopping racoon],
+ [], [enable_fastquit=no])
+if test "x$enable_fastquit" = "xyes"; then
+ AC_DEFINE([ENABLE_FASTQUIT], [], [Enable fast SA flush code])
+fi
+AC_MSG_RESULT($enable_fastquit)
+
AC_MSG_CHECKING(if --enable-samode-unspec option is specified)
AC_ARG_ENABLE(samode-unspec,
@@ -559,6 +697,15 @@ else
AC_MSG_RESULT([none])
fi
+AC_MSG_CHECKING(if --enable-broken-natt option is specified)
+AC_ARG_ENABLE(broken-natt,
+ [ --enable-broken-natt broken in-kernel NAT-T],
+ [], [enable_broken_natt=no])
+if test "x$enable_broken_natt" = "xyes"; then
+ AC_DEFINE([BROKEN_NATT], [], [in-kernel NAT-T is broken])
+fi
+AC_MSG_RESULT($enable_broken_natt)
+
AC_MSG_CHECKING(whether we support FWD policy)
case $host in
*linux*)
@@ -585,6 +732,41 @@ AC_CHECK_TYPE([ipsec_policy_t],
#include <netinet6/ipsec.h>
])
+# Check if kernel support is available for Security Context, defaults to no.
+kernel_secctx="no"
+
+AC_MSG_CHECKING(kernel Security Context support)
+case $host_os in
+linux*)
+# Linux kernel Security Context check
+AC_EGREP_CPP(yes,
+[#include <linux/pfkeyv2.h>
+#ifdef SADB_X_EXT_SEC_CTX
+yes
+#endif
+], [kernel_secctx="yes"])
+ ;;
+esac
+AC_MSG_RESULT($kernel_secctx)
+
+AC_MSG_CHECKING(whether to support Security Context)
+AC_ARG_ENABLE(security-context,
+ [ --enable-security-context enable Security Context(yes/no/kernel)],
+ [if test "$enable_security-context" = "kernel"; then
+ enable_security_context=$kernel_secctx; fi],
+ [enable_security_context=$kernel_secctx])
+AC_MSG_RESULT($enable_security_context)
+
+if test "$enable_security_context" = "yes"; then
+ if test "$kernel_secctx" = "no" ; then
+ AC_MSG_ERROR([Security Context requested, but no kernel support! Aborting.])
+ else
+ AC_DEFINE([HAVE_SECCTX], [], [Enable Security Context])
+ SECCTX_OBJS="security.o"
+ AC_SUBST(SECCTX_OBJS)
+ fi
+fi
+
CFLAGS="$CFLAGS $CFLAGS_ADD"
CPPFLAGS="$CPPFLAGS $CPPFLAGS_ADD"
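Review bot: The `kernel` value of the new `--enable-security-context` option can never be matched, because the action compares `$enable_security-context`, which the shell expands as `${enable_security}` followed by the literal text `-context`; autoconf stores the option value in `enable_security_context`, so `--enable-security-context=kernel` leaves that variable set to `kernel`, fails the later `= "yes"` test and quietly builds without `HAVE_SECCTX` even on a kernel that has `SADB_X_EXT_SEC_CTX`. The fix is the one line `[if test "$enable_security_context" = "kernel"; then`. A related robustness issue in the earlier `--with-libiconv` and `--with-libldap` hunks: when the option is given as plain `yes`, `libiconv_dir`/`libldap_dir` is reset to the empty string, and the unconditional `LIBS="$LIBS -L$libiconv_dir/lib -R$libiconv_dir/lib -liconv"` (and its `-lldap` twin) then adds `-L/lib -R/lib`; guarding those `LIBS` assignments with `if test "x$libiconv_dir" != "x"` would keep the default-path case clean.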
2  crypto/dist/ipsec-tools/src/Makefile.am
@@ -1 +1,3 @@
SUBDIRS = @INCLUDE_GLIBC@ libipsec setkey racoon
+
+DIST_SUBDIRS = include-glibc libipsec setkey racoon
4 crypto/dist/ipsec-tools/src/libipsec/ipsec_dump_policy.c
@@ -1,6 +1,6 @@
-/* $NetBSD: ipsec_dump_policy.c,v 1.1.1.3 2005/08/07 08:49:16 manu Exp $ */
+/* $NetBSD: ipsec_dump_policy.c,v 1.1.1.4 2006/09/09 16:11:30 manu Exp $ */
-/* Id: ipsec_dump_policy.c,v 1.7.4.2 2005/06/29 13:01:27 manubsd Exp */
+/* Id: ipsec_dump_policy.c,v 1.10 2005/06/29 09:12:37 manubsd Exp */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
36 crypto/dist/ipsec-tools/src/libipsec/key_debug.c
@@ -1,4 +1,4 @@
-/* $NetBSD: key_debug.c,v 1.1.1.4 2005/08/20 00:40:53 manu Exp $ */
+/* $NetBSD: key_debug.c,v 1.1.1.5 2006/09/09 16:11:34 manu Exp $ */
/* $KAME: key_debug.c,v 1.29 2001/08/16 14:25:41 itojun Exp $ */
@@ -46,6 +46,10 @@
#endif
#endif
+#if HAVE_STDINT_H
+#include <stdint.h>
+#endif
+
#include <sys/types.h>
#include <sys/param.h>
#ifdef _KERNEL
@@ -87,6 +91,10 @@ static void kdebug_sadb_x_nat_t_type __P((struct sadb_ext *ext));
static void kdebug_sadb_x_nat_t_port __P((struct sadb_ext *ext));
#endif
+#ifdef SADB_X_EXT_PACKET
+static void kdebug_sadb_x_packet __P((struct sadb_ext *));
+#endif
+
#ifdef _KERNEL
static void kdebug_secreplay __P((struct secreplay *));
#endif
@@ -185,6 +193,11 @@ kdebug_sadb(base)
kdebug_sadb_address(ext);
break;
#endif
+#ifdef SADB_X_EXT_PACKET
+ case SADB_X_EXT_PACKET:
+ kdebug_sadb_x_packet(ext);
+ break;
+#endif
default:
printf("kdebug_sadb: invalid ext_type %u was passed.\n",
ext->sadb_ext_type);
@@ -527,6 +540,27 @@ kdebug_sadb_x_nat_t_port(struct sadb_ext *ext)
}
#endif
+#ifdef SADB_X_EXT_PACKET
+static void
+kdebug_sadb_x_packet(ext)
+ struct sadb_ext *ext;
+{
+ struct sadb_x_packet *pkt = (struct sadb_x_packet *)ext;
+
+ /* sanity check */
+ if (ext == NULL)
+ panic("kdebug_sadb_x_packet: NULL pointer was passed.\n");
+
+ printf("sadb_x_packet{ copylen=%u\n", pkt->sadb_x_packet_copylen);
+ printf(" packet=");
+ ipsec_hexdump((caddr_t)pkt + sizeof(struct sadb_x_packet),
+ pkt->sadb_x_packet_copylen);
+ printf(" }\n");
+ return;
+}
+#endif
+
+
#ifdef _KERNEL
/* %%%: about SPD and SAD */
void
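Review bot: `kdebug_sadb_x_packet` hands `pkt->sadb_x_packet_copylen` to `ipsec_hexdump` as the dump length without comparing it to the extension's own size, so a copylen larger than the extension makes the dump read past the end of the PF_KEY message buffer. PF_KEY extensions carry their size in `sadb_ext_len` (64-bit units), so the bound is available locally: `if (pkt->sadb_x_packet_copylen > PFKEY_UNUNIT64(ext->sadb_ext_len) - sizeof(*pkt)) panic("kdebug_sadb_x_packet: copylen exceeds extension length.\n");` placed before the `ipsec_hexdump` call. The NULL check on `ext` also comes after `pkt` is initialised from it; the cast does not dereference, but putting the check first matches the "sanity check" comment and reads more clearly.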
9 crypto/dist/ipsec-tools/src/libipsec/libpfkey.h
@@ -1,6 +1,6 @@
-/* $NetBSD: libpfkey.h,v 1.1.1.4 2005/08/07 08:49:20 manu Exp $ */
+/* $NetBSD: libpfkey.h,v 1.1.1.5 2006/09/09 16:11:34 manu Exp $ */
-/* Id: libpfkey.h,v 1.8.2.3 2005/06/29 13:01:28 manubsd Exp */
+/* Id: libpfkey.h,v 1.13 2005/12/04 20:26:43 manubsd Exp */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -46,6 +46,7 @@
struct sadb_msg;
extern void pfkey_sadump __P((struct sadb_msg *));
+extern void pfkey_sadump_withports __P((struct sadb_msg *));
extern void pfkey_spdump __P((struct sadb_msg *));
extern void pfkey_spdump_withports __P((struct sadb_msg *));
@@ -134,6 +135,10 @@ int pfkey_send_spdsetidx __P((int, struct sockaddr *, u_int,
struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
int pfkey_send_spdflush __P((int));
int pfkey_send_spddump __P((int));
+#ifdef SADB_X_MIGRATE
+int pfkey_send_migrate __P((int, struct sockaddr *, u_int,
+ struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
+#endif
int pfkey_open __P((void));
void pfkey_close __P((int));
100 crypto/dist/ipsec-tools/src/libipsec/pfkey.c
@@ -1,4 +1,4 @@
-/* $NetBSD: pfkey.c,v 1.1.1.6 2005/11/21 14:12:18 manu Exp $ */
+/* $NetBSD: pfkey.c,v 1.1.1.7 2006/09/09 16:11:33 manu Exp $ */
/* $KAME: pfkey.c,v 1.47 2003/10/02 19:52:12 itojun Exp $ */
@@ -1198,6 +1198,100 @@ pfkey_send_spddump(so)
return len;
}
+
+#ifdef SADB_X_MIGRATE
+/*
+ * sending SADB_X_MIGRATE message to the kernel.
+ * OUT:
+ * positive: success and return length sent.
+ * -1 : error occured, and set errno.
+ */
+int
+pfkey_send_migrate(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
+ int so;
+ struct sockaddr *src, *dst;
+ u_int prefs, prefd, proto;
+ caddr_t policy;
+ int policylen;
+ u_int32_t seq;
+{
+ struct sadb_msg *newmsg;
+ int len;
+ caddr_t p;
+ int plen;
+ caddr_t ep;
+
+ /* validity check */
+ if (src == NULL || dst == NULL) {
+ __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
+ return -1;
+ }
+ if (src->sa_family != dst->sa_family) {
+ __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
+ return -1;
+ }
+
+ switch (src->sa_family) {
+ case AF_INET:
+ plen = sizeof(struct in_addr) << 3;
+ break;
+ case AF_INET6:
+ plen = sizeof(struct in6_addr) << 3;
+ break;
+ default:
+ __ipsec_errcode = EIPSEC_INVAL_FAMILY;
+ return -1;
+ }
+ if (prefs > plen || prefd > plen) {
+ __ipsec_errcode = EIPSEC_INVAL_PREFIXLEN;
+ return -1;
+ }
+
+ /* create new sadb_msg to reply. */
+ len = sizeof(struct sadb_msg)
+ + sizeof(struct sadb_address)
+ + PFKEY_ALIGN8(src->sa_len)
+ + sizeof(struct sadb_address)
+ + PFKEY_ALIGN8(src->sa_len)
+ + policylen;
+
+ if ((newmsg = CALLOC(len, struct sadb_msg *)) == NULL) {
+ __ipsec_set_strerror(strerror(errno));
+ return -1;
+ }
+ ep = ((caddr_t)newmsg) + len;
+
+ p = pfkey_setsadbmsg((caddr_t)newmsg, ep, SADB_X_MIGRATE, (u_int)len,
+ SADB_SATYPE_UNSPEC, seq, getpid());
+ if (!p) {
+ free(newmsg);
+ return -1;
+ }
+ p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, prefs, proto);
+ if (!p) {
+ free(newmsg);
+ return -1;
+ }
+ p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, prefd, proto);
+ if (!p || p + policylen != ep) {
+ free(newmsg);
+ return -1;
+ }
+ memcpy(p, policy, policylen);
+
+ /* send message */
+ len = pfkey_send(so, newmsg, len);
+ free(newmsg);
+
+ if (len < 0)
+ return -1;
+
+ __ipsec_errcode = EIPSEC_NO_ERROR;
+ return len;
+}
+#endif
+
+
/* sending SADB_ADD or SADB_UPDATE message to the kernel */
static int
pfkey_send_x1(so, type, satype, mode, src, dst, spi, reqid, wsize,
@@ -1971,7 +2065,9 @@ pfkey_align(msg, mhp)
#ifdef SADB_X_EXT_PACKET
case SADB_X_EXT_PACKET:
#endif
-
+#ifdef SADB_X_EXT_SEC_CTX
+ case SADB_X_EXT_SEC_CTX:
+#endif
mhp[ext->sadb_ext_type] = (void *)ext;
break;
default:
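Review bot: `pfkey_send_migrate` sizes the message with `PFKEY_ALIGN8(src->sa_len)` for both address extensions, where the second term should be `dst->sa_len`, and it reads `sa_len` directly rather than through `sysdep_sa_len()`, which the new `str_ipport` in pfkey_dump.c in this same commit uses because Linux `struct sockaddr` has no `sa_len` member. The family check makes the two lengths equal for AF_INET and AF_INET6 today, so the wrong term is only misleading, but the direct field access will not compile on a Linux build where `SADB_X_MIGRATE` is defined; I'd write `+ PFKEY_ALIGN8(sysdep_sa_len(src))` and `+ PFKEY_ALIGN8(sysdep_sa_len(dst))`. Separately, a negative `policylen` shrinks `len`, passes the `p + policylen != ep` check by the same arithmetic, and is then passed to `memcpy` as a huge `size_t`; rejecting `policylen < 0` up front with `EIPSEC_INVAL_ARGUMENT` next to the NULL checks closes that.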
90 crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c
@@ -1,4 +1,4 @@
-/* $NetBSD: pfkey_dump.c,v 1.1.1.5 2005/10/14 13:21:44 manu Exp $ */
+/* $NetBSD: pfkey_dump.c,v 1.1.1.6 2006/09/09 16:11:31 manu Exp $ */
/* $KAME: pfkey_dump.c,v 1.45 2003/09/08 10:14:56 itojun Exp $ */
@@ -107,10 +107,12 @@ do { \
} while (/*CONSTCOND*/0)
static char *str_ipaddr __P((struct sockaddr *));
+static char *str_ipport __P((struct sockaddr *));
static char *str_prefport __P((u_int, u_int, u_int, u_int));
static void str_upperspec __P((u_int, u_int, u_int));
static char *str_time __P((time_t));
static void str_lifetime_byte __P((struct sadb_lifetime *, char *));
+static void pfkey_sadump1(struct sadb_msg *, int);
static void pfkey_spdump1(struct sadb_msg *, int);
struct val2str {
@@ -210,10 +212,26 @@ static struct val2str str_alg_comp[] = {
/*
* dump SADB_MSG formated. For debugging, you should use kdebug_sadb().
*/
+
void
pfkey_sadump(m)
struct sadb_msg *m;
{
+ pfkey_sadump1(m, 0);
+}
+
+void
+pfkey_sadump_withports(m)
+ struct sadb_msg *m;
+{
+ pfkey_sadump1(m, 1);
+}
+
+void
+pfkey_sadump1(m, withports)
+ struct sadb_msg *m;
+ int withports;
+{
caddr_t mhp[SADB_EXT_MAX + 1];
struct sadb_sa *m_sa;
struct sadb_x_sa2 *m_sa2;
@@ -227,6 +245,9 @@ pfkey_sadump(m)
struct sadb_ident *m_sid, *m_did;
struct sadb_sens *m_sens;
#endif
+#ifdef SADB_X_EXT_SEC_CTX
+ struct sadb_x_sec_ctx *m_sec_ctx;
+#endif
#ifdef SADB_X_EXT_NAT_T_TYPE
struct sadb_x_nat_t_type *natt_type;
struct sadb_x_nat_t_port *natt_sport, *natt_dport;
@@ -234,6 +255,7 @@ pfkey_sadump(m)
int use_natt = 0;
#endif
+ struct sockaddr *sa;
/* check pfkey message. */
if (pfkey_align(m, mhp)) {
@@ -262,6 +284,9 @@ pfkey_sadump(m)
m_did = (void *)mhp[SADB_EXT_IDENTITY_DST];
m_sens = (void *)mhp[SADB_EXT_SENSITIVITY];
#endif
+#ifdef SADB_X_EXT_SEC_CTX
+ m_sec_ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
+#endif
#ifdef SADB_X_EXT_NAT_T_TYPE
natt_type = (void *)mhp[SADB_X_EXT_NAT_T_TYPE];
natt_sport = (void *)mhp[SADB_X_EXT_NAT_T_SPORT];
@@ -276,7 +301,11 @@ pfkey_sadump(m)
printf("no ADDRESS_SRC extension.\n");
return;
}
- printf("%s", str_ipaddr((void *)(m_saddr + 1)));
+ sa = (void *)(m_saddr + 1);
+ if (withports)
+ printf("%s[%s]", str_ipaddr(sa), str_ipport(sa));
+ else
+ printf("%s", str_ipaddr(sa));
#ifdef SADB_X_EXT_NAT_T_TYPE
if (use_natt && natt_sport)
printf("[%u]", ntohs(natt_sport->sadb_x_nat_t_port_port));
@@ -288,7 +317,11 @@ pfkey_sadump(m)
printf(" no ADDRESS_DST extension.\n");
return;
}
- printf("%s", str_ipaddr((void *)(m_daddr + 1)));
+ sa = (void *)(m_daddr + 1);
+ if (withports)
+ printf("%s[%s]", str_ipaddr(sa), str_ipport(sa));
+ else
+ printf("%s", str_ipaddr(sa));
#ifdef SADB_X_EXT_NAT_T_TYPE
if (use_natt && natt_dport)
printf("[%u]", ntohs(natt_dport->sadb_x_nat_t_port_port));
@@ -408,6 +441,19 @@ pfkey_sadump(m)
0 : m_lfts->sadb_lifetime_allocations));
}
+#ifdef SADB_X_EXT_SEC_CTX
+ if (m_sec_ctx != NULL) {
+ printf("\tsecurity context doi: %u\n",
+ m_sec_ctx->sadb_x_ctx_doi);
+ printf("\tsecurity context algorithm: %u\n",
+ m_sec_ctx->sadb_x_ctx_alg);
+ printf("\tsecurity context length: %u\n",
+ m_sec_ctx->sadb_x_ctx_len);
+ printf("\tsecurity context: %s\n",
+ (char *)m_sec_ctx + sizeof(struct sadb_x_sec_ctx));
+ }
+#endif
+
printf("\tsadb_seq=%lu pid=%lu ",
(u_long)m->sadb_msg_seq,
(u_long)m->sadb_msg_pid);
@@ -445,6 +491,9 @@ pfkey_spdump1(m, withports)
#endif
struct sadb_x_policy *m_xpl;
struct sadb_lifetime *m_lftc = NULL, *m_lfth = NULL;
+#ifdef SADB_X_EXT_SEC_CTX
+ struct sadb_x_sec_ctx *m_sec_ctx;
+#endif
struct sockaddr *sa;
u_int16_t sport = 0, dport = 0;
@@ -467,6 +516,9 @@ pfkey_spdump1(m, withports)
m_lftc = (void *)mhp[SADB_EXT_LIFETIME_CURRENT];
m_lfth = (void *)mhp[SADB_EXT_LIFETIME_HARD];
+#ifdef SADB_X_EXT_SEC_CTX
+ m_sec_ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
+#endif
#ifdef __linux__
/* *bsd indicates per-socket policies by omiting src and dst
* extensions. Linux always includes them, but we can catch it
@@ -571,6 +623,18 @@ pfkey_spdump1(m, withports)
(u_long)m_lfth->sadb_lifetime_usetime);
}
+#ifdef SADB_X_EXT_SEC_CTX
+ if (m_sec_ctx != NULL) {
+ printf("\tsecurity context doi: %u\n",
+ m_sec_ctx->sadb_x_ctx_doi);
+ printf("\tsecurity context algorithm: %u\n",
+ m_sec_ctx->sadb_x_ctx_alg);
+ printf("\tsecurity context length: %u\n",
+ m_sec_ctx->sadb_x_ctx_len);
+ printf("\tsecurity context: %s\n",
+ (char *)m_sec_ctx + sizeof(struct sadb_x_sec_ctx));
+ }
+#endif
printf("\tspid=%ld seq=%ld pid=%ld\n",
(u_long)m_xpl->sadb_x_policy_id,
@@ -603,6 +667,26 @@ str_ipaddr(sa)
}
/*
+ * set "port" to buffer.
+ */
+static char *
+str_ipport(sa)
+ struct sockaddr *sa;
+{
+ static char buf[NI_MAXHOST];
+ const int niflag = NI_NUMERICSERV;
+
+ if (sa == NULL)
+ return "";
+
+ if (getnameinfo(sa, (socklen_t)sysdep_sa_len(sa), NULL, 0,
+ buf, sizeof(buf), niflag) == 0)
+ return buf;
+ return NULL;
+}
+
+
+/*
* set "/prefix[port number]" to buffer.
*/
static char *
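Review bot: the security-context block in `pfkey_sadump1` prints the context with `%s` straight from `(char *)m_sec_ctx + sizeof(struct sadb_x_sec_ctx)`, relying on a NUL terminator that nothing here verifies, while `sadb_x_ctx_len` is printed but never used to bound the read; the identical block appears again in `pfkey_spdump1` further down. I'd bound the output by the stated length, `printf("\tsecurity context: %.*s\n", (int)m_sec_ctx->sadb_x_ctx_len, (char *)m_sec_ctx + sizeof(struct sadb_x_sec_ctx));`, after checking that `sizeof(struct sadb_x_sec_ctx) + m_sec_ctx->sadb_x_ctx_len` does not exceed `PFKEY_UNUNIT64(((struct sadb_ext *)m_sec_ctx)->sadb_ext_len)`. As far as I can tell `pfkey_align` only validates `sadb_ext_len` against the message and stores the pointer, so this is the first place `sadb_x_ctx_len` is trusted. Since the block is duplicated verbatim, a small `static void str_secctx(struct sadb_x_sec_ctx *)` helper would keep the bound check in one place.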
7 crypto/dist/ipsec-tools/src/libipsec/policy_token.l
@@ -1,6 +1,6 @@
-/* $NetBSD: policy_token.l,v 1.1.1.3 2005/08/07 08:49:25 manu Exp $ */
+/* $NetBSD: policy_token.l,v 1.1.1.4 2006/09/09 16:11:35 manu Exp $ */
-/* Id: policy_token.l,v 1.10.4.1 2005/05/07 14:30:38 manubsd Exp */
+/* Id: policy_token.l,v 1.12 2005/05/05 12:32:18 manubsd Exp */
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@@ -55,7 +55,8 @@
#include "libpfkey.h"
-#if !defined(__NetBSD__) && !defined(__FreeBSD__) && !defined(__linux__)
+#if !defined(__NetBSD__) && !defined(__FreeBSD__) && !defined(__linux__) && \
+!defined(__APPLE__) && !defined(__MACH__)
#include "y.tab.h"
#else
#include "policy_parse.h"
2  crypto/dist/ipsec-tools/src/racoon/Makefile.am
@@ -1,4 +1,4 @@
-# Id: Makefile.am,v 1.19.2.4 2005/07/01 09:11:59 manubsd Exp
+# Id: Makefile.am,v 1.23 2005/07/01 08:57:50 manubsd Exp
sbin_PROGRAMS = racoon racoonctl plainrsa-gen
noinst_PROGRAMS = eaytest
97 crypto/dist/ipsec-tools/src/racoon/admin.c
@@ -1,6 +1,6 @@
-/* $NetBSD: admin.c,v 1.1.1.3 2005/08/07 08:46:18 manu Exp $ */
+/* $NetBSD: admin.c,v 1.1.1.4 2006/09/09 16:11:36 manu Exp $ */
-/* Id: admin.c,v 1.17.2.4 2005/07/12 11:49:44 manubsd Exp */
+/* Id: admin.c,v 1.25 2006/04/06 14:31:04 manubsd Exp */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -58,6 +58,9 @@
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
+#ifdef ENABLE_HYBRID
+#include <resolv.h>
+#endif
#include "var.h"
#include "misc.h"
@@ -80,6 +83,9 @@
#include "admin.h"
#include "admin_var.h"
#include "isakmp_inf.h"
+#ifdef ENABLE_HYBRID
+#include "isakmp_cfg.h"
+#endif
#include "session.h"
#include "gcmalloc.h"
@@ -193,13 +199,18 @@ admin_process(so2, combuf)
{
caddr_t p;
int len;
- if (sched_dump(&p, &len) == -1)
+ if (sched_dump(&p, &len) == -1) {
com->ac_errno = -1;
+ break;
+ }
+
buf = vmalloc(len);
- if (buf == NULL)
+ if (buf == NULL) {
com->ac_errno = -1;
- else
- memcpy(buf->v, p, len);
+ break;
+ }
+
+ memcpy(buf->v, p, len);
}
break;
@@ -280,16 +291,10 @@ admin_process(so2, combuf)
&((struct admin_com_indexes *)
((caddr_t)com + sizeof(*com)))->dst;
- if ((loc = strdup(saddrwop2str(src))) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "cannot allocate memory\n");
- break;
- }
- if ((rem = strdup(saddrwop2str(dst))) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "cannot allocate memory\n");
- break;
- }
+ loc = racoon_strdup(saddrwop2str(src));
+ rem = racoon_strdup(saddrwop2str(dst));
+ STRDUP_FATAL(loc);
+ STRDUP_FATAL(rem);
if ((iph1 = getph1byaddrwop(src, dst)) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
@@ -306,6 +311,27 @@ admin_process(so2, combuf)
break;
}
+#ifdef ENABLE_HYBRID
+ case ADMIN_LOGOUT_USER: {
+ struct ph1handle *iph1;
+ char *user;
+ int found = 0;
+
+ if (com->ac_len > sizeof(com) + LOGINLEN + 1) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "malformed message (login too long)\n");
+ break;
+ }
+
+ user = (char *)(com + 1);
+ found = purgeph1bylogin(user);
+ plog(LLV_INFO, LOCATION, NULL,
+ "deleted %d SA for user \"%s\"\n", found, user);
+
+ break;
+ }
+#endif
+
case ADMIN_DELETE_ALL_SA_DST: {
struct ph1handle *iph1;
struct sockaddr *dst;
@@ -315,21 +341,15 @@ admin_process(so2, combuf)
&((struct admin_com_indexes *)
((caddr_t)com + sizeof(*com)))->dst;
- if ((rem = strdup(saddrwop2str(dst))) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "cannot allocate memory\n");
- break;
- }
+ rem = racoon_strdup(saddrwop2str(dst));
+ STRDUP_FATAL(rem);
plog(LLV_INFO, LOCATION, NULL,
"Flushing all SAs for peer %s\n", rem);
while ((iph1 = getph1bydstaddrwop(dst)) != NULL) {
- if ((loc = strdup(saddrwop2str(iph1->local))) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "cannot allocate memory\n");
- break;
- }
+ loc = racoon_strdup(saddrwop2str(iph1->local));
+ STRDUP_FATAL(loc);