Commits on Jan 9, 2000
  1. add 'question' file.

    sakane authored
  2. move 'HOW DO I DO' to doc/question.

    sakane authored
  3. removed a file.

    sakane authored
  4. don't include tcpip.h (not necessary)

    itojun authored
  5. improve libipsec lookup.

    itojun authored
  6. don't include netinet6/in6.h (not necessary

    itojun authored
  7. sync with FreeBSD-current.

    sumikawa authored
  8. forgot to add, sorry.

    sumikawa authored
  9. sync with FreeBSD-current.

    sumikawa authored
  10. sync with latest racoon directory.

    itojun authored
    XXX racoon/racoon not tested, other directories tested with freebsd2
  11. sync again

    itojun authored
  12. remove duplicated signing.o

    itojun authored
  13. adapt to new racoon directory.

    itojun authored
  14. massive clarification to racoon ISAKMP daemon.

    itojun authored
    - Merged Eric Lemiere's code for limited certificate support.
    - There are two management handlers.
    	"Phase 1 handler" is to manage ISAKMP SA.  It is created when
    	phase 1 exchange on both initiator and responder side will be
    	started.
    	"Phase 2 handler" is to manage IPsec SAs.  It is created when
    	pfkey acquire message will be received, and when 1st message
    	in phase 2 will be received on responder side.
    - Vendor id will be sent after negotiating hash algorithm.
      When we receive vendor id before negotiating it, we use default hash
      algorithm MD5 to check.
    - Post command deleted.
    - msgid_t deleted.
    - don't release management handler.  do it only if retry will be
      timed up.
    - separate the function of isakmp exchange.  one is to check received
      data.  other is to reply.  the reason is for handling to resend.
    - change name "dir" to "side" in order to distinguish from policy
      direction.
    - If initiator requests PFS, but responder is not ready to do that,
      responder stops the negotiation.  If initiator doesn't request PFS,
      but responder requires it, also responder stops the negotiation.
  15. missing from merger

    itojun authored
  16. - Merged Eric Lemiere's code for limited certificate support.

    itojun authored
    - There are two management handlers.
    	"Phase 1 handler" is to manage ISAKMP SA.  It is created when phase 1
    	exchange on both initiator and responder side will be started.
    	"Phase 2 handler" is to manage IPsec SAs.  It is created when pfkey
    	acquire message will be received, and when 1st message in phase 2 will
    	be received on responder side.
    - Vendor id will be sent after negotiating hash algorithm.
      When we receive vendor id before negotiating it, we use default hash algorithm
      MD5 to check.
    - Post command deleted.
    - msgid_t deleted.
    - don't release management handler.  do it only if retry will be timed up.
    - separate the function of isakmp exchange.  one is to check received data.
      other is to reply.  the reason is for handling to resend.
    - change name "dir" to "side" in order to distinguish from policy direction.
    - If initiator requests PFS, but responder is not ready to do that,
      responder stops the negotiation.  If initiator doesn't request PFS,
      but responder requires it, also responder stops the negotiation.
    
    From: sakane (with minor clarifications)
    
    XXX
    - unnecessary files should be nuked.  are isakmp_base.[ch] necessary?
    - TODO.jp needs to be incorporated into TODO (not imported).
  17. rename crypto.[ch] into crypto_openssl.[ch]

    itojun authored
  18. mv to racoon/doc/*

    itojun authored
Commits on Jan 8, 2000
  1. * freebsd3/usr.sbin/inetd: support IDENT.

    sumikawa authored
  2. Sync with FreeBSD-current.

    sumikawa authored
  3. support IDENT.

    sumikawa authored
    From: Hajimu UMEMOTO <ume@mahoroba.org>
  4. * freebsd3/ports/heimdal: upgrade to 0.2l.

    sumikawa authored
  5. Upgrade to 0.2l.

    sumikawa authored
  6. * kame/sys/netkey/key.c:

    sakane authored
      - fix kernel crash when flushing SAD.
      - for stability, increment refcnt of SA when key_getsavbyspi() called.
      - add some error message
  7. - fix kernel crash when flushing SAD. don't delete SA when refcnt > 1.

    sakane authored
    - for stability, increment refcnt of SA when key_getsavbyspi() called.
    - add some error message
    - fix errno at key_update().
  8. make it look like openbsd port directory.

    itojun authored
    mark it broken (this does not probe libinet6 correctly - fix committed
    to zebra repository)
  9. more use of arc4random() (instead of random()) for openbsd.

    itojun authored
    remove prototype for icmp6_ctloutput() when in case NRL inpcb is used.
    
    in sync with openbsd-current.
  10. use getaddrinfo(3) for final destination.

    itojun authored
    don't freehostent(hp) on gethostby*, they do not dynamically
    allocate the result.  only getipnodeby* allocates them dynamically.
    
    TODO: getaddrinfo(3) and getnameinfo(3) for other occasions
Commits on Jan 7, 2000
  1. * kame/sys/netinet/{frag6,ip6_input,nd6_nbr}.c:

    itojun authored
      use arc4random() on openbsd.  it should give better random value
      for initializing sequence numbers.
      From: deraadt@openbsd.org
  2. use arc4random() where exists (openbsd).

    itojun authored
  3. * */sys/netinet/udp_usrreq.c, kame/sys/netinet6/udp6_usrreq.c:

    itojun authored
      drop incoming udp packet with dst port = 0.  it is, or seems to be,
      illegal based on RFC768 (99% sure but 1% in doubt).
      with traditional 4.4BSD code, udp socket will mistakenly accept
      such packets after socket() and before first bind()/connect().
      this can be used to confuse, or de-synchronize, udp-based protocols.
  4. drop incoming udp packet with dst port = 0. it seems to be illegal

    itojun authored
    based on RFC768.
  5. drop incoming udp packet with dst port = 0. it seems to be illegal

    itojun authored
    based on RFC768.
    
    commit for other OSes will follow.