Commits on Jan 9, 2000
  1. If there was no phase 2 negotiation under phase 1, phase 1 will be negotiated

    sakane
    sakane committed Jan 9, 2000
    only one time.  But the next time is deleted.
  2. the commit bit on Phase 1 is forbidden.

    sakane
    sakane committed Jan 9, 2000
    respond notify message with INVALID-FLAGS.
  3. added base mode. (not tested)

    sakane
    sakane committed Jan 9, 2000
    delete isakmp_kn2isa().
    alternatively added isakmp_p2ph() to copy payload buffer without isakmp_gen header.
  4. s/-DSSLVERNUM/-DSSLVER/

    itojun
    itojun committed Jan 9, 2000
  5. add 'question' file.

    sakane
    sakane committed Jan 9, 2000
  6. move 'HOW DO I DO' to doc/question.

    sakane
    sakane committed Jan 9, 2000
  7. removed a file.

    sakane
    sakane committed Jan 9, 2000
  8. don't include tcpip.h (not necessary)

    itojun
    itojun committed Jan 9, 2000
  9. improve libipsec lookup.

    itojun
    itojun committed Jan 9, 2000
  10. don't include netinet6/in6.h (not necessary)

    itojun
    itojun committed Jan 9, 2000
  11. sync with FreeBSD-current.

    sumikawa
    sumikawa committed Jan 9, 2000
  12. forgot to add, sorry.

    sumikawa
    sumikawa committed Jan 9, 2000
  13. sync with FreeBSD-current.

    sumikawa
    sumikawa committed Jan 9, 2000
  14. sync with latest racoon directory.

    itojun
    itojun committed Jan 9, 2000
    XXX racoon/racoon not tested, other directories tested with freebsd2
  15. sync again

    itojun
    itojun committed Jan 9, 2000
  16. remove duplicated signing.o

    itojun
    itojun committed Jan 9, 2000
  17. adapt to new racoon directory.

    itojun
    itojun committed Jan 9, 2000
  18. massive clarification to racoon ISAKMP daemon.

    itojun
    itojun committed Jan 9, 2000
    - Merged Eric Lemiere's code for limited certificate support.
    - There are two management handlers.
    	"Phase 1 handler" is to manage ISAKMP SA.  It is created when
    	phase 1 exchange on both initiator and responder side will be
    	started.
    	"Phase 2 handler" is to manage IPsec SAs.  It is created when
    	pfkey acquire message will be received, and when 1st message
    	in phase 2 will be received on responder side.
    - Vendor id will be sent after negotiating hash algorithm.
      When we receive vendor id before negotiating it, we use default hash
      algorithm MD5 to check.
    - Post command deleted.
    - msgid_t deleted.
    - don't release management handler.  do it only if retry will be
      timed up.
    - separate the function of isakmp exchange.  one is to check received
      data.  other is to reply.  the reason is for handling to resend.
    - change name "dir" to "side" in order to distinguish from policy
      direction.
    - If the initiator requests PFS, but the responder is not ready to do that,
      the responder stops the negotiation.  If the initiator doesn't request PFS,
      but the responder requires it, the responder also stops the negotiation.
  19. missing from merger

    itojun
    itojun committed Jan 9, 2000
  20. - Merged Eric Lemiere's code for limited certificate support.

    itojun
    itojun committed Jan 9, 2000
    - There are two management handlers.
    	"Phase 1 handler" is to manage ISAKMP SA.  It is created when phase 1
    	exchange on both initiator and responder side will be started.
    	"Phase 2 handler" is to manage IPsec SAs.  It is created when pfkey
    	acquire message will be received, and when 1st message in phase 2 will
    	be received on responder side.
    - Vendor id will be sent after negotiating hash algorithm.
      When we receive vendor id before negotiating it, we use default hash algorithm
      MD5 to check.
    - Post command deleted.
    - msgid_t deleted.
    - don't release management handler.  do it only if retry will be timed up.
    - separate the function of isakmp exchange.  one is to check received data.
      other is to reply.  the reason is for handling to resend.
    - change name "dir" to "side" in order to distinguish from policy direction.
    - If the initiator requests PFS, but the responder is not ready to do that,
      the responder stops the negotiation.  If the initiator doesn't request PFS,
      but the responder requires it, the responder also stops the negotiation.
    
    From: sakane (with minor clarifications)
    
    XXX
    - unnecessary files should be nuked.  are isakmp_base.[ch] necessary?
    - TODO.jp needs to be incorporated into TODO (not imported).
  21. rename crypto.[ch] into crypto_openssl.[ch]

    itojun
    itojun committed Jan 9, 2000
  22. mv to racoon/doc/*

    itojun
    itojun committed Jan 9, 2000
Commits on Jan 8, 2000
  1. * freebsd3/usr.sbin/inetd: support IDENT.

    sumikawa
    sumikawa committed Jan 8, 2000
  2. Sync with FreeBSD-current.

    sumikawa
    sumikawa committed Jan 8, 2000
  3. support IDENT.

    sumikawa
    sumikawa committed Jan 8, 2000
    From: Hajimu UMEMOTO <ume@mahoroba.org>
  4. * freebsd3/ports/heimdal: upgrade to 0.2l.

    sumikawa
    sumikawa committed Jan 8, 2000
  5. Upgrade to 0.2l.

    sumikawa
    sumikawa committed Jan 8, 2000
  6. * kame/sys/netkey/key.c:

    sakane
    sakane committed Jan 8, 2000
      - fix kernel crash when flushing SAD.
      - for stability, increment refcnt of SA when key_getsavbyspi() called.
      - add some error message
  7. - fix kernel crash when flushing SAD. don't delete SA when refcnt > 1.

    sakane
    sakane committed Jan 8, 2000
    - for stability, increment refcnt of SA when key_getsavbyspi() called.
    - add some error message
    - fix errno at key_update().
  8. make it look like openbsd port directory.

    itojun
    itojun committed Jan 8, 2000
    mark it broken (this does not probe libinet6 correctly - fix committed
    to zebra repository)
  9. more use of arc4random() (instead of random()) for openbsd.

    itojun
    itojun committed Jan 8, 2000
    remove prototype for icmp6_ctloutput() when in case NRL inpcb is used.
    
    in sync with openbsd-current.
  10. use getaddrinfo(3) for final destination.

    itojun
    itojun committed Jan 8, 2000
    don't freehostent(hp) on gethostby*, they do not dynamically
    allocate the result.  only getipnodeby* allocates them dynamically.
    
    TODO: getaddrinfo(3) and getnameinfo(3) for other occasions
Commits on Jan 7, 2000
  1. * kame/sys/netinet/{frag6,ip6_input,nd6_nbr}.c:

    itojun
    itojun committed Jan 7, 2000
      use arc4random() on openbsd.  it should give better random value
      for initializing sequence numbers.
      From: deraadt@openbsd.org