view contrib/racoon/ChangeLog.old @ 460:bf8653674ede

Status LEDs preinit rc.d script.
author Aleksandr Rybalko <>
date Mon, 24 Sep 2012 13:59:56 +0300
parents 52ab441b5cbd
	Migration to

2006-08-22  Emmanuel Dreyfus  <[email protected]>
	From Matthew Grooms:
	* src/racoon{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h}
	  src/racoon/racoon.conf.5: Add a group check option

2006-08-17  Yvan Vanhullebus  <[email protected]>

	Patch from Matthew Grooms:
	* src/racoon/ipsec_doi.c: fixed an ASN1 size in

2006-08-11  Yvan Vanhullebus  <[email protected]>

	Patch from Matthew Grooms:
	* src/racoon/ipsec_doi.[ch]: fixed and public ipsecdoi_id2str()
	* src/racoon/isakmp_quick.c: text fix
	* src/racoon/pfkey.c: sainfo debug
	* src/racoon/sainfo.c: sainfo debug

2006-07-17  Yvan Vanhullebus  <[email protected]>

	Reported by Matthew Grooms:
	* src/racoon/isakmp_quick.c: Fixed iph2->id / id_p checks in
	* src/racoon/racoon.conf.5: updated man page for sainfo logic. 

2006-07-31  Emmanuel Dreyfus  <[email protected]>
	From Matthew Grooms <[email protected]>
	* src/racoon/{cfparse.y|isakmp_cfg.c|isakmp_cfg.h}
	  src/racoon/{isakmp_unity.c|isakmp_unity.h}: splitnet support
	  becomes dynamic, bugfixes 

2006-07-19  Emmanuel Dreyfus  <[email protected]>
	From Peter Eisch <[email protected]>
	* src/racoon/samples/roadwarrior/client/ add missing
	  netmask in network interface configuration

	From Matthew Grooms <[email protected]>
	* src/racoon/isakmp_xauth.c: update the LDAP API usage

	From Matthew Grooms <[email protected]>
	* src/racoon/{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h}
	  src/racoon/{isakmp_cfg.c|isakmp_unity.c|racoon.conf.5}: Split DNS
	  support (server side)

2006-07-17  Yvan Vanhullebus  <[email protected]>

	* src/libipsec/pfkey.c: Fixed SADB_X_EXT_SEC_CTX support in pfkey_align().
	  Break reported by Matthew Grooms.

2006-07-13  Frederic Senault  <[email protected]>

	* src/racoon/isakmp_cfg.c: fix a typo that rendered DNS4 / WINS4
	  inoperable on 64bit architectures ; add a packetdump of MODE_CFG
	  exchange in debug mode.

2006-07-09  Emmanuel Dreyfus  <[email protected]>
	From Matthew Grooms <[email protected]>
	* src/racoon{cfparse.y|cftoken.l|isakmp_quick.c|isakmp_xauth.c}
	  Group authentication for Xauth. Supports system groups and LDAP.

2006-07-04  Yvan Vanhullebus  <[email protected]>

	* src/racoon/nattraversal.c: fixed a malloc check in
	  natt_keepalive_add(). Patch from Bruno Wagenseil.

2006-06-30  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/{cfparse.l|cftoken.l}: meaningful error message when 
	we cannot find the configuration file.

2006-06-24  Emmanuel Dreyfus  <[email protected]>
	From Matthew Grooms <[email protected]>
	* src/racoon{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h}
	  src/racoon/{isakmp_xauth.c|isakmp_xauth.h|racoon.conf.5}: network
	  configuration obtained from LDAP directory

2006-06-23  Emmanuel Dreyfus  <[email protected]>
	From Matthew Grooms <[email protected]>
	* build fixes 

2006-06-22  Emmanuel Dreyfus  <[email protected]>
	* src/racoon/evt.c: build fix
	From Matthew Grooms <[email protected]>
	* build fixes around libldap and libiconv search

2006-06-21  Emmanuel Dreyfus  <[email protected]>
	* src/racoon/evt.c: Do not record events if admin socket is

2006-06-20  Emmanuel Dreyfus  <[email protected]>

	* Check for conflicts between system libiconv
	  and newer libiconv header
	From Matthew Grooms <[email protected]>
	* src/racoon/{cfparse.y|cftoken.l}
	  src/racoon/{main.c|racoon.conf.5}: Use LDAP for Xauth

2006-06-20  Yvan Vanhullebus  <[email protected]>

	* fixed SHA256 detection on some systems. Patch by
	  Dmitry Andrianov.
	* src/racoon/{cfparse.y|cftoken.l|plog.[ch]|racoon.conf.5}:
	  changed logging levels. Patch by Michal Ruzicka.

2006-06-15  Emmanuel Dreyfus  <[email protected]>
	From Matthew Grooms <[email protected]>
	* src/racoon/main.c: make sure RADIUS is correctly initialized

2006-06-14  Yvan Vanhullebus  <[email protected]>

	*, src/ fixed make dist on *BSD

2006-06-07  Emmanuel Dreyfus  <[email protected]>
	* src/racoon/isakmp_cfg.c: Fix build. 

2006-05-26  Emmanuel Dreyfus  <[email protected]>
	From Pawel Jakub Dawidek <[email protected]>
	* src/racoon/handler.c: Fix a crash caused by a NULL pointer
	* src/racoon/oakley.c: Typos
	* src/racoon/isakmp_base.c: Fix uninitialized buffer
	* src/racoon/isakmp_base.c: Do send DPD VID in resp case (base mode)

2006-05-23  Emmanuel Dreyfus  <[email protected]>
	* src/racoon/isakmp_cfg.c: Mode cfg can be used without Xauth, so 
	  do not assume Xauth when preparing a hook script environment.
	From [email protected]
	* src/racoon/{algorithm.c|oakley.c|gssapi.c|ipsec_doi.c}: Fix amd64
	  build warnings
	* src/racoon/ipsec_doi.c: Don't free a referenced buffer
	From Matthew Grooms <[email protected]>
	* src/racoon/isakmp_cfg.c: Fix for unity local_lan support

2006-05-07  Emmanuel Dreyfus  <[email protected]>
	* src/racoon/{isakmp.c|session.c|sockmisc.c|racoon.conf.5}: Do 
	  not reconfigure interface sockets when running in privilege 
	  separation as it will not work. Add debug for setsockopt().
	* src/racoon/racoonctl.8: Do not tell config reload is completely 
	  broken (it's only somewhat broken).

2006-05-06  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/{remoteconf.c|remoteconf.h|isakmp.c|cfparse.y}: Fix
	  memory leak (Coverity)
	* src/racoon/pfkey.c: Fix memory leak (Coverity)
	* src/racoon/ipsec_doi.c: Fix memory leak (Coverity)
	* src/racoon/isakmp.c: Fix memory leak (Coverity)
	* src/racoon/dnssec.c: Fix memory leak (Coverity)
	* src/racoon/backupsa.c: Fix memory leak (Coverity)
	* src/racoon/{nattraversal.c|isakmp.c|cfparse.y}: Check for non NULL
	  allocation (Coverity)
	* src/racoon/isakmp_quick.c: Remove dead code (Coverity)
	* src/racoon/oakley.c: Remove dead code (Coverity)
	* src/racoon/crypto_openssl.c: Remove dead code (Coverity)

2006-05-05  Yvan Vanhullebus  <[email protected]>

	* src/racoon/pfkey.c: Sets NAT-T ports to 0 if no NAT
	  encapsulation in pk_sendgetspi().

2006-05-04  Yvan Vanhullebus  <[email protected]>
	From Preggna S ([email protected])
	* src/racoon/schedule.h: fixed gnuc.h include.
	* src/racoon/{cfparse.y|cftoken.l}: Address range sainfos support.
	* src/racoon/ipsec_doi.[ch]: ipsecdoi_sockrange2id() function.

2006-05-03  Yvan Vanhullebus  <[email protected]>
	From Joy Latten <[email protected]>
	* security context support check
	* src/libipsec/{pfkey.c|pfkey_dump.c}: 
	* src/setkey/{parse.y|token.l}: parses optional security context
	* src/setkey/setkey.8: security context syntax

2006-04-27  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/{remoteconf.c|proposal.c}: fix memory leak (Coverity)

2006-04-24  Yvan Vanhullebus  <[email protected]>

	* src/racoon/isakmp.c: style cleanup in delete_spd()

2006-04-13  Yvan Vanhullebus  <[email protected]>

	* src/racoon/pfkey.c: Sets NAT-T ports to 0 if no NAT
	  encapsulation in pk_sendupdate().

2006-04-12  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/ipsec_doi.c: fix memory leaks (Coverity)

2006-04-06  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/{admin.c|cfparse.y|cftoken.l|debugrm.c|debugrm.h}
	  src/racoon/{logger.c|misc.h|plog.c|racoonctl.c|sockmisc.c}: Add
	  strdup in the malloc debugging framework, check for strdup failures
	  (found by Coverity)
	* src/racoon/admin.c: Do not use an unallocated pointer (Coverity)
	* src/racoon/schedule.c: Check for NULL pointer
	* src/racoon/{grabmyaddr.c|handler.c|isakmp.c|isakmp_cfg.c}
	  src/racoon/{isakmp_inf.c|isakmp_quick.c|nattraversal.c}: Check 
	  that dupsaddr returns non NULL pointers (Coverity)
	* src/racoon/isakmp_quick.c: Ignore multiple notifications in the 
	  same message, and do not leak memory (Coverity)
	* src/racoon/{isakmp_agg.c|isakmp_ident.c}: Fix memory leak in 
	  GSSAPI code (Coverity)
	* src/racoon/racoonctl.c: fix minor memory leak (Coverity)
	* src/racoon/isakmp.c: fix memory leak (Coverity)
	* src/racoon{isakmp.c|isakmp_inf.c}: fix phase 1 handler leak (Coverity)

2006-04-05  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/isakmp_xauth.c: fix uninitialized variable, found by 
	* src/racoon/{isakmp_cfg.c|isakmp_xauth.h|isakmp_xauth.c}: Do not
	  use deleted phase 1 handler after errors, found by coverity
	* src/racoon/main.c: tell which config file we use
	* src/racoon/isakmp_cfg.c: Do not use deleted phase 1 handler, found
	  by Coverity
	* src/racoon/{isakmp_agg.c|isakmp_ident.c}: Do not use deleted phase 1
	  handler, found by Coverity
	* src/racoon/dnssec.c: do not return a free'ed certificate, found by
	* src/racoon/oakley.c: fix stale pointer alias, found by Coverity
	* src/racoon/throttle.c: do not free current item while walking a
	  chained list, found by Coverity
	* src/racoon/vmbuf.c: handle NULL argument for vdup, found by Coverity

2006-03-18  Emmanuel Dreyfus  <[email protected]>
	From John Nemeth <[email protected]> and a Coverity scan
	* src/racoon/isakmp_xauth.c: fix memory leak

2006-02-25  Emmanuel Dreyfus  <[email protected]>

	From Thomas Klausner <[email protected]>
	* src/racoon/{cfparse.y|handler.h}: typos

2006-02-23  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/main.c: do not reset isakmp_cfg structure after
	  config reload.

2006-02-22  Yvan Vanhullebus  <[email protected]>

	* src/racoon/vendorid.c: Fixed Vendor IDs order (well, should not
	  be really necessary) and DPD VId hash generation

2006-02-17  Yvan Vanhullebus  <[email protected]>

	* src/racoon/{cfparse.y|sainfo.c}: Support for "semi anonymous"
	* src/racoon/racoon.conf.5: updated sainfos syntax
	* src/racoon/vendorid.[ch]: IPSec-Tools Vendor ID

2006-02-15  Yvan Vanhullebus  <[email protected]>

	* src/racoon/{cfparse.y|cftoken.l}: Parse new generate_policy
	* src/racoon/remoteconf.h: defines for REQUIRE/UNIQUE/NONE
	  generate policy levels
	* src/racoon/proposal.c: Sets optional reqid for generated
	* src/racoon/pfkey.c: sends UNIQUE policies to kernel if reqid
	* src/racoon/racoon.conf.5: updated generate_policy syntax

2006-02-02  Yvan Vanhullebus  <[email protected]>

	* src/racoon/isakmp.c: Fixed zombie PH1 handler when isakmp_send()
	  fails in isakmp_ph1resend()

2006-01-17  Frederic Senault  <[email protected]>

	* src/racoon/cfparse.y: Add the keyid [ (tag|file) ] semantics to the
	  peers_identifier keyword.

	* src/racoon/{evt.h|isakmp.c|racoonctl.c}: Send a message to the
	  adminsock to allow for racoonctl to stop looping when the
	  vpn-connect command is used and there is no mode config exchange.

2006-01-08  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/isakmp_cfg.c: make software behave as the documentation 
	  advertises for INTERNAL_NETMASK4. Keep the old INTERNAL_MASK4 to 
	  avoid breaking backward compatibility.

2005-12-19  Yvan Vanhullebus  <[email protected]>

	* src/racoon/session.c: Fixed / cleaned up signal handling.

2005-12-13  Yvan Vanhullebus  <[email protected]>

	* src/libipsec/samples/*: replaced "obey" mode by "strict" mode.

2005-12-07  Yvan Vanhullebus  <[email protected]>

	* src/libipsec/pfkey_dump.c: fixed compilation when NAT_T
	  disabled (Fred has still some CVS problems).
	* src/racoon/session.c: Calls isakmp_cfg_init() only if
	  ENABLE_HYBRID in reload_conf().

2005-12-04  Frederic Senault  <[email protected]>

	* src/libipsec/{libpfkey.h|pfkey_dump.c}: add a sadump_withports
	  function to display SAD entries with their associated ports.
	* src/setkey/{parse.y|setkey.c|setkey.8}: allow to use setkey -p flag
	  in conjunction with -D to show SADs with the port, allow both get and
	  delete commands to use bracketed ports if needed.

2005-11-26  Emmanuel Dreyfus  <[email protected]>
	* src/racoon/session.c: fix possible race conditions in signal handlers
	* src/racoon/{isakmp_cfg.c|isakmp_cfg.h|main.c|session.c}: when 
	  reloading configuration, do not add new mode_cfg config to the 
	  existing one, overwrite it instead.

2005-11-25  Emmanuel Dreyfus  <[email protected]>

	From Thomas Klausner <[email protected]>
	* src/racoon/racoon.conf.5: Style changes

2005-11-21  Yvan Vanhullebus  <[email protected]>

	* src/racoon/isakmp_[ident|agg].c: Check if natt is available when
	  receiving a NAT_D payload from initiator. It saves a crash,
	  reported by Dave Huang to NetBSD.

2005-11-20  Yvan Vanhullebus  <[email protected]>

	* src/racoon/isakmp_agg.c: Check that we got some needed payloads
	  from peer (could cause a DoS). Crash reported by Adrian Portelli
	  using IKE test suite from

2005-11-10  Yvan Vanhullebus  <[email protected]>

	Patches from Francis Dupont
	* src/libipsec/key_debug.c: SADB_X_EXT_PACKET support
	* src/libipsec/{libpfkey.h|pfkey.c}: pfkey_send_migrate() function
	* src/setkey/parse.y: IPPROTO_MH support
	* src/racoon/pfkey.c: fixed some logs
	* src/racoon/strnames.c: fixed a typo for SADB_X_PROMISC,
	  appropriate define for SADB_X_NAT_T_NEW_MAPPING, added

2005-11-06  Aidas Kasparas  <[email protected]>
 	* src/racoon/main.c, src/racoon/session.c: moved .pid file writing
 	  just before main loop. Thanks Stephen Thorne
 	* src/racoon/localconf.h, src/racoon/cftoken.l: introduced 
 	  path pidfile directive
 	* src/racoon/racoon.conf.5: documented above
 	* OpenSSL 0.9.8 compilation fix. Thank Ganesan 
 	* added check for strlcat function
 	* src/racoon/misc.h: define strlcat function for systems without one
 	* src/racoon/remoteconf.c: strncat -> strlcat

2005-11-01  Aidas Kasparas  <[email protected]>

	* src/racoon/isakmp_inf.c: repeated gcc-4.0 build fix. Thanks 
	Andreas Tobler

2005-10-30  Yvan Vanhullebus  <[email protected]>

	Patches from Christoph Nadig for compilation on MacOS X
	* no lcrypt for darwin
	* src/libipsec/key_debug.c: include stdint.h if HAVE_STDINT_H
	* src/racoon/isakmp_cfg.c: some includes and some %zu
	* src/racoon/isakmp_unity.c: fixed a %zu
	* src/racoon/vmbuf.h: vfree already defined for Apple

2005-10-17  Aidas Kasparas  <[email protected]>

	Introduced subnet sainfo type.
	* src/racoon/cftoken.l: new token "subnet"
	* src/racoon/cfparse.y: added address/subnet differentiation logic
	* src/racoon/ipsec-doi.h: new constant
	* src/racoon/ipsec-doi.c: adopted to above
	* src/racoon/racoon.conf.5: documented above

2005-09-14  Emmanuel Dreyfus  <[email protected]>

	* src/libipsec/pfkey.c: One forgotten cast caddr_t -> void *

2005-10-14  Yvan Vanhullebus  <[email protected]>

	* src/racoon/ipsec_doi.c: don't allow NULL or empty FQDNs or
	  USER_FQDNs (problem reported by Bernhard Suttner).

2005-09-10  Emmanuel Dreyfus  <[email protected]>

	* src/racoon[isakmp.c|isakmp_cfg.c|isakmp_inf.c}
	  src/racoon/doc/FAQ Add --enable-broken-natt for
	  kernel implementing NAT-T but unable to cope with IKE ports in 
	  SAD and SPD.

2005-09-05  Emmanuel Dreyfus  <[email protected]>
	From Wilfried Weissmann:
	* src/libipsec/policy_parse.y src/racoon/oakley.c
	  src/racoon/{sockmisc.c|sockmisc.h}: build fixes

2005-09-03  Emmanuel Dreyfus  <[email protected]>

	From Francis Dupont <[email protected]>
	* src/libipsec/pfkey.c src/racoon/pfkey.c: Cope with extensions

2005-08-26  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/evt.c: Fix memory leak when event queue overflows

2005-08-23  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/{isakmp_agg.c|isakmp_ident.c|isakmp_base.c}: Correctly
	  initialize NAT-T VID to avoid freeing unallocated stuff.

2005-08-21  Emmanuel Dreyfus  <[email protected]>

	From Matthias Scheler <[email protected]>
	* src/racoon/{isakmp_cfg.c|racoon.conf.5}: enable the use of
	  ISAKMP mode config without Xauth.

2005-08-16  Emmanuel Dreyfus  <[email protected]>

	From Thomas Klausner <[email protected]>
	* src/setkey/setkey.8: remove trailing whitespaces

2005-09-09  Yvan Vanhullebus  <[email protected]>

	* src/racoon/policy.c: Do not parse all sptree in inssp() if we
	  don't use Policies priority.

2005-08-20  Yvan Vanhullebus  <[email protected]>

	* src/racoon/handler.c: Fixed a possible crash in
	  remove_ph2(). Reported by Dietmar Eggemann.

2005-08-14  Emmanuel Dreyfus  <[email protected]>

	From Francis Dupont <[email protected]>
	* src/racoon/dnssec.c: fix bogus test on function result

2005-08-11  Yvan Vanhullebus  <[email protected]>

	* src/racoon/isakmp.c: Improved in/out SA addresses check in
	  purge_remote(). Reported by Patrick Ma.

2005-08-08  Emmanuel Dreyfus  <[email protected]>

	* src/libipsec/{key_debug.c|pfkey.c|pfkey_dump.c}: de-lint, warnings

2005-08-08  Yvan Vanhullebus  <[email protected]>

	* src/racoon/privsep.c: Fixed a %d -> %zu in
	port_check() (reported by Matthias Scheler).

2005-08-04  Emmanuel Dreyfus  <[email protected]>

	* correctly quote RACOON_PATH_LIBS arguments

2005-08-02  Yvan Vanhullebus  <[email protected]>

	* src/racoon/isakmp_inf.c: First fix to
	info_recv_initialcontact(): do a basic IP check when no NAT-T.

2005-07-26  Yvan Vanhullebus  <[email protected]>

	* src/racoon/isakmp.c: Fixed purge_remote()

2005-07-25  Yvan Vanhullebus  <[email protected]>

	* src/racoon/isakmp.c: Do not purge IPSec SAs in purge_remote() if
	a new ph1handle exists (patch by Krzysztof Oledzki)

2005-07-20  Aidas Kasparas  <[email protected]>

	* disabled --enable-samode-unspec under linux

2005-07-20  Yvan Vanhullebus  <[email protected]>

	* src/racoon/isakmp_quick.c: Ignore NATOA payloads in
	quick_r1recv() as it is done in quick_i2recv().
	* new --enable-fastquit option
	* src/racoon/session.c: new optional code when flushing SAs,
	which is faster and should have no deadlocks. configure
	--enable-fastquit option to enable it.

2005-07-19  Yvan Vanhullebus  <[email protected]>

	* src/racoon/isakmp.c: Checks in isakmp_ph1begin_r() if we got the
	packet from NAT-T port, and set up the NAT_PORTS_CHANGED in that
	case (RFC 3947, sect 4, we MUST allow new phase1 negotiations on
	NAT-T floated port), to correctly generate the reply.

2005-07-16  Aidas Kasparas  <[email protected]>

	* src/racoon/grabmyaddr.c: fixed file descriptor leak. Thanks to
	  Patrice Fournier
	* src/racoon/setkey.c: disabled readline's filename completion 
	  (bug 1179281 fix)
	* src/racoon/proposal.c: fixed mode selection for SAs with
	  complex_bundle on behind NAT

2005-07-14  Yvan Vanhullebus  <[email protected]>

	* src/racoon/handler.c: - Clears the DPD schedule in delph1()
	                        - Cleared up sanity checks in delph1()
	                        - Sets p->rmconf to NULL if no new
	                          remoteconf in revalidate_ph1tree_rmconf()
	* src/racoon/isakmp.c: Added sanity checks in script_hook()
	* src/racoon/oakley.c: Sanity check in save_certbuf()

2005-07-13  Emmanuel Dreyfus  <[email protected]>

	* src/setkey/ missing file in distribution

2005-07-12  Yvan Vanhullebus  <[email protected]>

	* src/racoon/isakmp.c: Fixed a mem leak in isakmp_send().

2005-07-12  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/pfkey.c: Set IKE ports to 0 in the SA when NAT-T is not
	* src/racoon/{crypto_openssl.c|ipsec_doi.c|oakley.c}
	  src/racoon/missing/crypto/sha2/sha2.h: Support OpenSSL-0.9.8
	* src/racoon/{admin.c|session.c}: Don't use the adminport if it is
	* src/racoon/samples/roadwarrior/client/{|}:
	  Add comments for using the scripts without NAT-T

2005-07-11  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/ipsec_doi.c More build fixes on Linux. 
	  Accommodate various libiconv versions

2005-07-10  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/ipsec_doi.c build fixes on Linux. 
	  Accommodate various libiconv versions

2005-07-09  Yvan Vanhullebus  <[email protected]>

	* src/racoon/crypto_openssl.c: Fixed evp_crypt when using crypto
	  algorithms with variable key size but not OpenSSL default key

2005-07-07  Emmanuel Dreyfus  <[email protected]>

	From Mathias Scheler <[email protected]>
	* src/racoon/raccon.conf.5: Document that aes can be used in 

2005-07-06  Frederic Senault  <[email protected]>

	* src/setkey/setkey.c: fix compilation with readline.
	* src/racoon/oakley.c: move declarations to fix compilation issues
	  with gcc 2.95.4/FreeBSD4, re-indentation and style cleanup of the
	  pkcs7 patch.

2005-07-04  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/isakmp_inf.c: safety checks on informational messages
	* src/racoon/{pfkey.c|proposal.c}: IPcomp fixes

2005-07-01  Emmanuel Dreyfus  <[email protected]>

	From Uri Blumenthal <[email protected]>:
	* src/racoon/{ipsec_doi.c|}: Linux build fixes
	* src/racoon/oakley.c: pkcs7 support

2005-06-29  Emmanuel Dreyfus  <[email protected]>

	From Christos Zoulas <[email protected]>
	* src/setkey/{parse.y|setkey.c|token.l}
	  src/libipsec/{libpfkey.h|pfkey_dump.c|policy_parse.y}: de-lint, 
	  using void * instead of caddr_t and adding const where appropriate.
	* src/setkey/extern.h: new file
	* src/libipsec/{pfkey.c|pfkey_dump.c|policy_parse.y}
	  src/racoon/{sockmisc.c|sockmisc.h}: de-lint signed/unsigned, 
	  size_t/int and lint constants

2005-06-24  Yvan Vanhullebus  <[email protected]>

	* src/racoon/handler.c: Fixed phase2 enc algo check when reloading
	  conf (could flush a phase2 handler when not needed).

2005-06-19  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/{admin.c|handler.c|handler.h|racoonctl.c|racoonctl.h}
	  Add a logout-user command to racoonctl to kick out all SA for a
	  given Xauth user

	From Ludo Stellingwerff <[email protected]>:
	* src/racoon/isakmp.c: NAT-T fix: We treat null ports in SPD as 
	  wildcard so that IKE ports are used instead. This was done on
	  phase 2 initiation from the kernel (acquire message), but not 
	  on phase 2 initiation retries when the phase 2 had been queued
	  for a phase 1.

	From Uri Blumenthal <[email protected]> 
	and Larry Baird <[email protected]>:
	* src/libipsec/pfkey_dump.c src/setkey/test-pfkey.c
	  src/racoon/{ipsec_doi.h|pfkey.c|strnames.c}: Add SHA2 support
	* src/setkey/setkey.8 src/racoon/racoon.conf.5: update doc for SHA2
	* src/setkey/token.l: Add aliases shaxxx for sha2_xxx

2005-06-07  Emmanuel Dreyfus  <[email protected]>

	From Larry Baird <[email protected]>
	* src/racoon/isakmp.c: consume NAT keepalive data  already seen
	  with MSG_PEEK 

2005-06-07  Frederic Senault  <[email protected]>

	* src/racoon/{cfparse.y|isakmp_cfg.h|isakmp_cfg.c}
	  src/racoon/{handler.c|privsep.c|privsep.h|racoon.conf.5}: Add
	  support for system accounting into the utmp files, with the
	  "accounting system" directive.

	* src/privsep.c: Bug fixes in the xauth password handling code.

2005-06-06  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/isakmp_quick.c: endianness bug fix

2005-06-05  Emmanuel Dreyfus  <[email protected]>

	From Thomas Klausner <[email protected]>
	* src/setkey/setkey.8 src/racoon/racoon.conf.5: remove trailing
	  spaces, grammar fix

2005-05-31  Aidas Kasparas  <[email protected]>

	* src/racoon/ipsec_doi.c: Inserted missing 0th element of
	  rm_idtype2doi array. Bug #1199700 fix.

2005-05-30  Frederic Senault  <[email protected]>

	* src/racoon/oakley.h: Fix a typo in the RMAUTHMETHOD macro

	* src/racoon/isakmp_cfg.c: Fix the switch so that the phase1 script
	  is executed at the end of the mode cfg exchange ; add a debug
	  message at the script startup.

2005-05-23  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/admin.c: build fix

2005-05-20  Emmanuel Dreyfus  <[email protected]>

	From Mike Robinson <[email protected]>
	* src/racoon/isakmp_xauth.c: really delete phase 1 on Xauth failure

	* src/libipsec/pfkey.c src/racoon/ipsec_doi.c: Fix NAT-T + IPcomp

	From hgates <[email protected]>
	* src/racoon/proposal.c: fix SPI size test for IPcomp

	From Larry Baird <[email protected]>
	* src/racoon/{handler.c|ipsec_doi.c}: When altering lifetime, 
	  duplicate the proposal instead of modifying the configured one.

2005-05-19  Frederic Senault  <[email protected]>

	* src/racoon/plog.c: Fix the logging functions to work
	  around the lack of support of printf %zu in FreeBSD 4 (at least).

	* src/racoon/{isakmp.c|pfkey.c}: Put sockets in non-blocking mode to
	  fix a hangup with FreeBSD 4.

	* src/racoon/{isakmp_inf.c|isakmp_unity.h|strnames.c}: Recognize a
	  unity-specific heartbeat message.
	* src/racoon/isakmp_inf.c: Reorganize switch statement in

2005-05-17  Yvan Vanhullebus  <[email protected]>

	* src/racoon/handler.c: Fixed exchange type check in
	* src/racoon/pfkey.c: changed includes order to fix compilation.

2005-05-14  Emmanuel Dreyfus  <[email protected]>

	* src/libipsec/policy_parse.y: Fix parse problem

2005-05-14  Aidas Kasparas  <[email protected]>

	* src/racoon/sockmisc.c: Debug message said it will send to
	  source address instead of destination.

2005-05-13  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/isakmp_inf.c: fix build problem

2005-05-13  Yvan Vanhullebus  <[email protected]>

	* src/racoon/isakmp.c: Fixed a double ph2handler free in

2005-05-12  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/isakmp_quick.c: fix build problem on some platforms

	* src/racoon/isakmp.c: For acquire messages, when NAT-T is in use, 
	  consider null port as a wildcard and use IKE ports.

2005-05-10  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/samples/roadwarrior/server/{racoon.conf|racoon.conf-radius}
	  src/racoon/samples/roadwarrior/server/ removed file
	  src/racoon/samples/roadwarrior/client/racoon.conf: update config 
	  files to higher security settings. Remove now useless phase 1 down 
	  script on server side.
	* Update README to reflect server/ removal

2005-05-09  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/{cftoken.l|cfparse.y|isakmp_cfg.c|isakmp_cfg.h}
	  src/racoon/{isakmp_unity.c|racoon.conf.5}: Add PFS group and
	  save password extensions from Cisco in ISAKMP mode config.

2005-05-08  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/{handler.c|ipsec_doi.c|proposal.c}: check for lifebyte
	  in proposals
	* src/racoon/ipsec_doi.c: fix a bug in proposal_check claim for phase 1
	* src/racoon/handler.c: style

	* src/racoon/isakmp_xauth.c: fix build with shadow passwords

2005-05-07  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/isakmp_xauth.c: support shadow passwords
	* src/racoon/{isakmp_inf.c|isakmp_inf.h}: missing prototype
	* src/racoon/{handler.h|isakmp_inf.c|isakmp_quick.c|isakmp_var.h}
	  src/racoon/pfkey.c: Move purge_remote() and delete_spd() prototypes
	  to the right header file

2005-05-06  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/{admin.c|isakmp.c|isakmp_inf.c}: factor various 
	  ISAKMP SA termination (for DPD timeouts and delete message) to
	  use purge_remote() so that SA and generated SPD get correctly flushed
	* src/racoon/{handler.c|handler.h}: Introduce getph1byaddrwop() and
	* src/racoon/{isakmp.c|isakmp_var.h|isakmp_inf.c|isakmp_inf.h}: make
	  purge_remote(), setcopeid() and delete_spd() public
	* src/racoon/isakmp_quick.c: remove duplicated setscopeid()
	* src/racoon/{sockmisc.c|sockmisc.h} introduce a CMPSADDR() macro
	  to compare with ports when ENABLE_NATT and without otherwise

2005-05-06  Frederic Senault  <[email protected]>

	* src/racoon/isakmp_inf.c: Only print the contents of an informative
	  message if the payload indicates an error ; transmit the return
	  values from the DPD functions.

2005-05-06  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/isakmp_inf.c: Fix a bug causing informational message
	  payloads to be ignored

2005-05-05  Yvan Vanhullebus  <[email protected]>

	* src/racoon/isakmp_inf.c: Fixed some potential crashes in
	  purge_remote() and purge_ipsec_spi().

2005-05-05  Emmanuel Dreyfus  <[email protected]>

	* src/libipsec/{policy_parse.y|policy_token.l}
	  src/setkey/{setkey.8|token.l}: Allow ports to be supplied in SP
	  endpoints, for accurate ESP over UDP matching
	* src/racoon/{isakmp.c|racoon.conf.5}: Send IKE local and remote
	  ports to the hook scripts
	* src/racoon/remoteconf.c: do not honour ports when looking up
	  a remote config, as our remote config have no port information
	* src/racoon/samples/roadwarrior/client/{|}:
	  use the IKE ports supplied by racoon to set up accurate endpoints
	  ports in SP endpoints

2005-05-04  Yvan Vanhullebus  <[email protected]>

	* src/racoon/isakmp_inf.c: code cleanup for SPD remove, generated
	  policies are now also removed when DPD purge.

2005-05-04  Emmanuel Dreyfus  <[email protected]>

	From Manisha Malla <[email protected]>
	* src/racoon/isakmp_cfg.c: fix unsigned int checked for being negative

	From Ludo Stellingwerff <[email protected]>
	* src/setkey/{parse.y|token.l}: build on system that do not have
	  TCP-MD5 support

2005-05-04  Michal Ludvig  <[email protected]>

	* Revert GLIBC_BUGS change from 2005-04-15

2005-05-03  Frederic Senault  <[email protected]>

	* src/racoon/{cfparse.y|cftoken.l|isakmp_inf.c|racoon.conf.5}
	  src/racoon/{remoteconf.c|remoteconf.h}: Add a weak_phase1_check
	  option to enable the handling of unencrypted delete payloads.

	* src/racoon/plog.c: Use of isgraph in binsanitize.

	* src/racoon/rfc/rfc3706.txt: new file: Dead Peer Detection RFC.

	* src/racoon/isakmp_inf.c: Unused code cleanup.

2005-04-26  Emmanuel Dreyfus  <[email protected]>

	* bootstrap: Darwin support

	From Larry Baird <[email protected]>
	* src/racoon/nattraversal.c: Fix NAT-T for initiator

	From Andreas Tobler <[email protected]>:
	* src/racoon/{misc.h|throttle.c|remoteconf.c|sockmisc.c|privsep.c}
	  src/racoon/ src/libipsec/policy_token.l
	  src/setkey/token.l: Build on Darwin

2005-04-25  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/handler.h: ifdef DPD and NAT-T data in data structures

	* src/libipsec/{ipsec_dump_policy.c|pfkey_dump.c|libpfkey.h}
	  src/setkey/{setkey.8|setkey.c}: add a -p option to setkey to
	  enable the display of ESP over UDP ports in policies.

	* src/racoon/ipsec_doi.c: fix LP64 bug
	From Ludo Stellingwerff <[email protected]>:
	* src/racoon/isakmp.c: build without NAT-T

	From F. Senault <[email protected]>
	* src/racoon/{evt.h|isakmp.h|isakmp_inf.c|plog.c|plog.h|racoonctl.c}
	  src/racoon/isakmp_xauth.c: Take into account payloads bundled after
	  an ISAKMP informational message.

	From Patrick McHardy <[email protected]>
	* src/racoon/{handler.c|handler.h|pfkey.c}: When handling acquire
	  message, lookup phase 2 by (src, dst, id) instead of only id.

2005-04-23  Emmanuel Dreyfus  <[email protected]>

	* src/libipsec/ipsec_dump_policy.c: display port numbers in policies 
	* src/racoon/{isakmp.c|isakmp_cfg.c|isakmp_inf.c|pfkey.c}: don't
	  forget port numbers so that multiple clients behind the same NAT 
	  can work. 

	From Larry Baird <[email protected]>
	* src/racoon/{isakmp.c|nattraversal.c|isakmp_quick.c|nattraversal.h}:
	NAT-T fixes for interoperability with greenbow VPN client.

2005-04-21  Aidas Kasparas  <[email protected]>

	* src/libipsec/policy.parse.y, src/racoon/cfparse.y,
	  src/libipsec/policy_parse.y, src/racoon/cfparse.y,
	  src/racoon/cftoken.l, src/racoon/crypto_openssl.c,
	  src/racoon/getcertsbyname.c, src/racoon/grabmyaddr.c, 
	  src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
	  src/racoon/isakmp_inf.c, src/racoon/pfkey.c,
	  src/racoon/plainrsa-gen.c, src/racoon/sockmisc.c,
	  src/racoon/sockmisc.h, src/racoon/racoonctl.c: made compile 
	  with gcc-4.0 (20050410 prerelease)

2005-04-20  Aidas Kasparas  <[email protected]>

	From: Ganesan Rajagopal <[email protected]>
	* fix --enable-ipv6 logic

2005-04-19  Yvan Vanhullebus  <[email protected]>

	* src/racoon/remoteconf.c: fixed dupisakmpsa() and dhgroup.

2005-04-18  Aidas Kasparas  <[email protected]>

	* src/racoon/crypto_openssl.c: fixed single DES support;
	* NEWS: noted fix

2005-04-18  Emmanuel Dreyfus  <[email protected]>
	* src/racoon/isakmp_base.c: DPD support, fix memory leak

	From Thomas Klausner <[email protected]>
	* src/libipsec/{ipsec_set_policy.3|ipsec_strerror.3}
	  src/setkey/setkey.8: documentation fixes

	From KAME
	* src/racoon/ipsec_doi.c: wrong check on SA lifebyte

	From Fred Senault <[email protected]>
	* src/racoon/{cfparse.y|cftoken.l} drop split_net_type directive, 
	  which is now incorporated into split_net_tunnels
	* src/raccon/{isakmp.c|isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c}
	  src/racoon/isakmp_xauth.h: support login and password sent 
	  in different packets during the Xauth exchange. This makes racoon
	  interoperable with SecureComputing's sidewinder 
	* src/racoon/{strnames.c|strnames.h}: more debug strings for Xauth

2005-04-17  Yvan Vanhullebus  <[email protected]>

	* src/racoon/handler.c: Configuration reload validation code
	* src/racoon/handler.h: revalidate_ph12() function
	* src/racoon/ipsec_doi.c: duplicates iph1->approval in
	  get_ph1approval(), some fields set to NULL when needed
	* src/racoon/isakmp_inf.[ch]: purge_ipsec_spi() is now public
	* src/racoon/localconf.[ch]: save/restore_params() functions
	* src/racoon/main.c: moved restore_params functions to localconf
	* src/racoon/remoteconf.c: save_rmconf() functions, dupisakmpsa()
	  function, some values set to NULL when needed
	* src/racoon/remoteconf.h: save_rmconf() functions, dupisakmpsa()
	* src/racoon/sainfo.[ch]: save_sainfotree() functions
	* src/racoon/session.c: Reloads conf on a SIGHUP without losing
	  existing tunnels

2005-04-15  Aidas Kasparas  <[email protected]>

	From Zilvinas Valinskas <[email protected]>:
	  - cross-compile type fix (patch 1);
	  - --enable-{frag|hybrid}=no fixes (patches 6,7);
	  - support for --with-flex, --with-flexlib (patch 11);
	  - GLIBC_BUGS assignment correction (patch 14 with mods).
	* src/racoon/isakmp.c: fix compilation when hybrid disabled.

2005-04-11  Emmanuel Dreyfus <[email protected]>

	* src/racoon/rfc/{rfc2407.txt|rfc2408.txt: new files
	  RFC for IPsec DOI and ISAKMP

2005-04-10  Emmanuel Dreyfus <[email protected]>

	* src/racoon/isakmp_base.c: resurrect RSASIG support
	* src/racoon/isakmp_ident.c: missing support for hybrid auth
	* src/racoon/{isakmp_base.c|oakley.c}: missing bits for hybrid/base mode

2005-04-09  Emmanuel Dreyfus <[email protected]>

	* src/racoon/{algorithm.c|algorithm.h|cftoken.l|ipsec_doi.c}
	  Add Xauth + RSASIG, for client and server. Add all Xauth and 
	  IKE fragmentation logic to base and ident mode.
	* src/libipsec/{pfkey.c|pfkey_dump.c}
	  src/setkey/parse.y: more missing TCP_MD5 bits from KAME

2005-04-08  Emmanuel Dreyfus <[email protected]>

	* src/racoon/cfparse.y: a list of network can be specified for split
	* src/racoon/{isakmp_cfg.c|racoon.conf.5}: add INTERNAL_CIDR4, the 
	  netmask in CIDR notation, to the hook script environment.
	* src/setkey/{token.l|parse.y|setkey.8}: KAME backport of missing 
	  bits for TCP_MD5 support.

	From Fred Senault <[email protected]>
	* src/racoon/{cfparse.y|cftoken.l|ipsec_doi.c|ipsec_doi.h}
	  src/racoon/racoon.conf.5: KEYID identifier can be taken from
	  a file or from a quoted string

2005-04-05  Emmanuel Dreyfus <[email protected]>

	From Fred Senault <[email protected]>
	* src/racoon/admin.c: fix the admin interface that was left behind
	  after recent Xauth changes
	* src/racoon/{cfparse.y|isakmp_xauth.c|isakmp_xauth.h|oakley.c}
	  src/racoon/{remoteconf.c|remoteconf.h}: factor Xauth info in 
	  remote conf within a single structure.
	* src/racoon/{isakmp.c|isakmp_cfg.c}: on client side, do not run 
	  phase1-up script before ISAKMP mode config is done
	* src/racoon/isakmp_inf.c: log a buggy condition
	* src/racoon/{isakmp.c|isakmp_agg.c|isakmp_base.c|isakmp_ident.c}
	  src/racoon/{oakley.c|oakley.h}: Use the AUTHMETHOD macro to 
	  distinguish between XAUTH PSK and Kerberos authentications
	* src/racoon/{oakley.c|remoteconf.c}: set a default for certificate 
	* src/racoon/isakmp_xauth.c: Fix serious security bug introduced 
	  on 2005-03-09: Xauth validation was required for phase 2 on the 
	  client (thus blocking phase 2), but not on the server (thus 
	  making it open regardless of Xauth exchange). 
	* src/racoon/vendorid.c: dump unknown VIDs

2005-04-06  Yvan Vanhullebus  <[email protected]>

	* src/racoon/crypto_openssl.c: Disable OpenSSL padding in
	evp_crypt(), because it may cause some interoperability problems.
	Solution reported by Ganesan Rajagopal.

2005-04-05  Emmanuel Dreyfus <[email protected]>

	* src/racoon/main.c: build with hybrid but without libradius

2005-04-05  Yvan Vanhullebus  <[email protected]>

	* src/racoon/handler.h: added a flag to identify generated policies
	* src/racoon/isakmp.c: changed logging in isakmp_ph1expire()
	* src/racoon/isakmp_inf.c: use iph2->generated_spidx to check if
	  policy has been generated in purge_remote_spi()
	* src/racoon/isakmp_quick.c: sets iph2->generated_spidx for
	  generated policies
	* src/racoon/pfkey.c: reactivated the unbindph12() in pk_recvupdate()

2005-04-04  Emmanuel Dreyfus <[email protected]>

	* src/racoon/isakmp_cfg.c: fix a buffer overrun in mode config SET

2005-03-30  Michal Ludvig  <[email protected]>

	* Don't compile with NAT-T by default (according to 
	  documentation, finally :-)

2005-03-27  Michal Ludvig  <[email protected]>

	From Zilvinas Valinskas <[email protected]>:
	  - Use AC_CHECK_HEADER for kernel headers instead of AC_CHECK_FILE.
	  - Fix OpenSSL check for cross-compilation.
	* acracoon.m4(RACOON_CHECK_VA_COPY): Allow cross-compilation.

2005-03-16  Emmanuel Dreyfus <[email protected]>

	* src/racoon/privsep.c: check for NULL path in unsafe_path()
	* src/racoon/privsep.c: missing space

2005-03-15  Emmanuel Dreyfus <[email protected]>

	* src/racoon/{cfparse.y|cftoken.l|isakmp.c|isakmp_cfg.c|isakmp_cfg.h}
	  src/racoon/main.c: Remove most of config dependency from 
	  privileged instance for upcoming config reload patch.
	* src/racoon/isakmp_cfg.h: fix the application version for Xauth
	* src/racoon/isakmp_cfg.c: only call cleanup_pam when PAM is used

2005-03-14  Emmanuel Dreyfus <[email protected]>

	* handle correctly dynamic libradius
	* src/racoon/cfparse.y: correctly initialize address pool

2005-03-13  Yvan Vanhullebus  <[email protected]>

	* src/racoon/isakmp.c: Fixed a buffer underrun (CAN-2005-0398)

2005-03-09  Emmanuel Dreyfus <[email protected]>

	From Fred Senault <[email protected]>
	* src/racoon/cfparse.y: endianness bugfix
	* src/racoon/isakmp_xauth.c: off by one bugs in strings
	* src/racoon/oakley.h: missing parenthesis causing bugs

2005-03-09  Emmanuel Dreyfus <[email protected]>

	* src/racoon/isakmp_xauth.c: fix a crash when using RADIUS auth

2005-03-07  Emmanuel Dreyfus <[email protected]>

	From Fred Senault <[email protected]>
	* src/racoon/{algorithm.c|algorithm.h|cfparse.y|cftoken.l}
	  src/racoon/{strnames.h|throttle.c}: Support plain Xauth, split
	  tunnelling, multiple DNS & WINS in ISAKMP mode config.

2005-03-02  Yvan Vanhullebus  <[email protected]>

	* src/racoon/isakmp_quick.c: tunnel_mode_prop() is now public
	* src/racoon/isakmp_inf.c: fixed compilation if HAVE_POLICY_FWD.

2005-03-01  Yvan Vanhullebus  <[email protected]>

	* src/racoon/oakley.c: fixed oakley_newiv2() when errors

2005-02-24  Emmanuel Dreyfus <[email protected]>
	* src/racoon/privsep.c: safety check port numbers given by the 
	  unprivileged instance.
	* src/racoon/racoonctl.8: display fixes in racoonctl(8)

2005-02-23  Emmanuel Dreyfus <[email protected]>

	*, src/racoon/{|crypto_openssl.c}: optional
	  support for patented algorithms: IDEA and RC5.
	* src/racoon/{isakmp_xauth.c|main.c}: don't initialize RADIUS if it
	  is not required in the configuration
	* src/racoon/isakmp.c: do not reject addresses for which kernel 
	  refused UDP encapsulation, they can still be used for non NAT-T 
	  traffic (eg: NAT-T enabled racoon on non NAT-T enabled kernel)
	* src/libipsec/libpfkey.h: prefer __inline to inline
	* src/racoon/{cfparse.y|cftoken.l|localconf.c|localconf.h|privsep.c}
	  src/racoon/racoon.conf.5: Add chroot capability

2005-02-18  Emmanuel Dreyfus <[email protected]>

	* src/racoon/{main.c|eaytest.c|plairsa-gen.c}
	  src/setkey/setkey.c: don't use fuzzy paths for package_version.h

2005-02-18  Michal Ludvig  <[email protected]>

	*, rpm/suse/,
	  rpm/suse/ Distribute .spec file with 
	  resolved version string.
	* src/racoon/ Allow parallel cluster build.

2005-02-17  Emmanuel Dreyfus <[email protected]>

	From Fred Senault <[email protected]>
	* src/racoon/remoteconf.c: Fix a bug in script init

2005-02-17  Yvan Vanhullebus  <[email protected]>

	* src/racoon/ipsec_doi.c: Workaround for phase1 lifetime checks

2005-02-16  Yvan Vanhullebus  <[email protected]>

	* src/racoon/isakmp_inf.c: Purge generated SPDs when getting a
	  related DELETE_SA
	* src/racoon/pfkey.c: do NOT unbindph12() when SA acquire

2005-02-15  Michal Ludvig  <[email protected]>

	* Changed --enable-natt_NN to --enable-natt-versions=NN,NN


	Branch for 0.6 created (ipsec-tools-0_6-branch)

2005-02-11  Emmanuel Dreyfus <[email protected]>

	From Jason Thorpe  <[email protected]>
	* src/raccon/samples/racoon.conf.sample-gssapi
	  src/racoon/{localconf.c|localconf.h|racoon.conf.5} Multiple GSSAPI fixes to get interoperability 
	  with Microsoft IKE. 

2005-02-09  Emmanuel Dreyfus <[email protected]>

	* src/racoon/{cfparse.y|isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c}
	  src/racoon/racoon.conf.5: Make PAM work with privilege separation

2005-02-07  Michal Ludvig  <[email protected]>

	From Krisztian Kovacs:
	* src/racoon/cfparse.y: Allocate correct space for "struct sockaddr".

2005-01-30  Yvan Vanhullebus  <[email protected]>

	* src/racoon/vmbuf.c: bugfix in vrealloc()
	* src/racoon/oakley.c: mem leak fix in INITDHVAL()
	* src/racoon/session.c: mem leak fix in check_flushsa()

2005-01-29  Yvan Vanhullebus  <[email protected]>

	* src/racoon/isakmp_{ident|agg}.c: NAT-T cleanup
	* src/racoon/pfkey.c: Uses NATT encaps_type in pk_sendupdate()
	* src/racoon/vendorid.[ch]: NAT-T cleanup, NATT_01 VID
	* src/racoon/nattraversal.[ch]: NATT cleanup, support for all
	  drafts (disabled by default) / RFC.
	* src/racoon/isakmp.h: NATT cleanup for NATT RFC support
	* src/racoon/ipsec_doi.h: updated comments about NATT
	* enable-natt_XX options
	* src/racoon/isakmp.c: set UDP_ENCAPS_ESPINUDP_NON_IKE option when needed

2005-01-29  Emmanuel Dreyfus  <[email protected]>

	From Fred Senault <[email protected]>
	* src/racoon/pfkey.c: Update SAD even if NAT-T is disabled, so that
	  phase2 can start.

2005-01-23  Emmanuel Dreyfus  <[email protected]>

	* src/setkey/{sekkey.8|setkey.c|token.l|parse.y}: implement NetBSD's
	  SADB_X_AALG_TCP_MD5. Resurrect setkey -h meaning on NetBSD.

2005-01-22  Emmanuel Dreyfus  <[email protected]>

	From Fred Senault <[email protected]>
	* src/racoon/{cftoken.l|cfparse.y|raccon.conf.5}
	  src/racoon/samples/roadwarrior/README: change "my_identifier login"
	  into "xauth_login" in the config file so that we can introduce Xauth
	  with a pre-shared key later.

2005-01-21  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/samples/roadwarrior/client/{|}:
	  workaround Linux problems. This needs a better fix.

2005-01-18  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/privsep.c: build without ENABLE_HYBRID

2005-01-14  Emmanuel Dreyfus  <[email protected]>

	* src/raccon/rfc/{rfc3947.txt|rfc3948.txt}: new files (NAT-T)

2005-01-13  Yvan Vanhullebus  <[email protected]>

	* src/racoon/ipsec_doi.c: Uses proposal_check value to check phase
	  1 lifetime.
	* src/racoon/racoon.conf.5: Updated racoon man page for phase 1
	  lifetime check / proposal_check.

2005-01-11  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/isakjmp_quick.c: endianness bugfix from KAME

2005-01-07  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/{cfparse.y|cftoken.l|nattraversal.h|pfkey.c}
	  src/libipsec/{libpfkey.h|pfkey.c}: ESP fragmentation size is
	  now configurable (supported only on NetBSD so far).

2005-01-05  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/privsep.c: Build again on Linux with privsep

2005-01-03  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/{isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c|isakmp_xauth.h}
	  src/racoon/doc/FAQ PAM support for authentication and accounting in 
	  hybrid auth

2005-01-02  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/admin.c: never fork, it buys nothing and breaks on some

2004-12-30  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/{|admin.h|cfparse.y|cftoken.l|isakmp.c}
	  src/racoon/{isakmp_cfg.c|isakmp_cfg.h|isakmp_var.h| isakmp_xauth.c}
	  src/racoon/{privsep.c|privsep.h}: new files
	  Privilege separation

	* src/racoon/{|admin.h|admin_var.h|kmpstat.c}
	  src/racoon/{racoonctl.c|racoonctl.h}: new files publicly export the adminport interface so that
	  external program can control racoon
	* src/racoon/{racoonctl.c|racoonctl.h|kmpstat.c}: Add interface

	* src/racoon/admin.h: make sure no / will be missing in adminsock path


	Branch for 0.5 created (ipsec-tools-0_5-branch)

2004-12-23  Yvan Vanhullebus  <[email protected]>

	* src/racoon/crypto_openssl.c: Indentation

2004-12-28  Yvan Vanhullebus  <[email protected]>

	* src/racoon/crypto_openssl.c: Fixed eay_get_x509subjectaltname()
	  when getting an IP (Bug # 1092095)

2004-12-26  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/session.c: remove outdated comment


	0.5.beta2 released

2004-12-21  Michal Ludvig  <[email protected]>

	* src/racoon/pfkey.c: Fix AES vs Rijndael defines.

2004-12-20  Yvan Vanhullebus  <[email protected]>

	*, src/racoon/isakmp.c, src/racoon/pfkey.c:
	  Some FreeBSD / NATT support.

2004-12-17  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/isakmp.c: only IPv4 NAT-T is supported, so skip IPv6 here.
	* src/racoon/pfkey.c: Restore AES support on NetBSD.

2004-12-17  Yvan Vanhullebus  <[email protected]>

	* src/racoon/crypto_openssl.c: Uses sprintf() instead of
	  asprintf() in eay_get_x509subjectaltname(), because of some
	  compilation problems reported with asprintf() on some platforms.
	* src/racoon/oakley.c: just take the first cert in
	  oakley_savecert() if cert ID check is disabled.

2004-12-16  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/crypto_openssl.c: Build again on NetBSD
	* src/racoon/samples/roadwarrior/server/racoon
	  src/racoon/samples/roadwarrior/README: Use DPD in sample files.

2004-12-16  Yvan Vanhullebus  <[email protected]>

	* src/racoon/crypto_openssl.c: Fixed eay_get_x509subjectaltname()
	  when SubjectAltName contains an IP. OpenSSL code from Ludovic
	  Flament ([email protected]).


	0.5.beta1 released

2004-12-13  Michal Ludvig  <[email protected]>

	From Ganesan R <[email protected]>:
	* src/racoon/, src/setkey/ Fix compilation
	  with shared libraries.

2004-12-10  Yvan Vanhullebus  <[email protected]>

	* src/racoon/oakley.c: takes the first certificate which matches
	  the Identity, instead of just taking the first certificate.

2004-12-07  Yvan Vanhullebus  <[email protected]>

	* src/racoon/isakmp_inf.c: Set spi_size for R-U-THERE/R-U-THERE-ACK.

2004-12-04  Aidas Kasparas  <[email protected]>

	* src/libipsec/pfkey_dump.c: distinguish per-socket policies from
	  general ones (Linux case);
	* src/racoon/pfkey.c: ditto, do not negotiate policies if racoon
	  does not listen on out tunnel's source address.

2004-12-01  Yvan Vanhullebus  <[email protected]>

	* src/racoon/isakmp_agg.c: code cleanup in NATT / DPD VIDs
	  generation in r1send()

2004-12-01  Yvan Vanhullebus  <[email protected]>

	* src/racoon/remoteconf.{c|h}: DPD support option (enabled by default)
	* src/racoon/{cfparse.y|cftoken.l}: DPD token, yyerror if DPD
	  parameters but compiled without ENABLE_DPD
	* src/racoon/isakmp_{agg|ident}.c: Send DPD VID only if DPD
	  support activated in configuration

2004-11-30  Emmanuel Dreyfus  <[email protected]>

	* src/racoon{evt.c|evt.h|admin.c}: init event queue at compile time, 
	  to avoid garbage pointer if admin port is disabled.
	* src/racoon/{throttle.c|throttle.h}: new files
	  src/racoon/{|isakmp_cfg.c|isakmp_xauth.c|racoon.conf.5} Add a per-host throttling count. When throttling, 
	  don't sleep, schedule the answer for later instead.
	* src/racoon/kmpstat.c: default with no hexdump of the packet
	* src/racoon/admin.c: don't remove admin socket after first request,
	  on the other hand remove on startup stale sockets left by 
	  crashed racoon.
	*  src/racoon/samples/roadwarrior/README
	   src/racoon/kmpstat.c: fix option parsing problem on Linux

2004-11-29  Yvan Vanhullebus  <[email protected]>

	* src/racoon/session.c: Only listen on pfkey socket when received
	  shutdown signal

2004-11-28  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/{cfparse.y|cftoken.l|isakmp_cfg.c|isakmp_cfg.h}
	  src/racoon/{isakmp_xauth.c|racoon.conf.5}: Add a one second throttle
	  on each Xauth authentication to avoid brute force attacks

2004-11-24  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/samples/roadwarrior/README
	  Fill Linux gaps for hybrid auth client, Replace public IP by 
	  private and example IP in the sample config files.

2004-11-24  Emmanuel Dreyfus  <[email protected]>

	DPD patch from Yvan Vanhullebus <[email protected]>
	* src/racoon/cfparse.y: missing bits for DPD support

2004-11-23  Aidas Kasparas  <[email protected]>

	* src/setkey/parse.y: generate require fwd policies for unique in
	* src/setkey/setkey.c: made -r/-k options available only when
	  system has FWD policies.
	* src/setkey/setkey.8: updated docs about change above.

2004-11-22  Michal Ludvig  <[email protected]>

	* src/racoon/{admin.c,pfkey.c}: Wrap adminport-parts to
	  #ifdef ENABLE_ADMINPORT/#endif.

2004-11-22  Michal Ludvig  <[email protected]>

	Revert these changes (ludvigm, 2004-11-18):
	* src/racoon/ install sample racoon.conf and psk.txt.
	* src/setkey/ Install setkey.conf.

2004-11-22  Emmanuel Dreyfus  <[email protected]>

	* src/raccon/{isakmp_cfg.c|isakmp_cfg.h|isakmp_xauth.c}: defer phase 1
	  removal so that it's not used after being deleted.
	* src/racoon/{evt.h|isakmp.c|isakmp_agg.c|isakmp_base.c|session.c}
	  src/racoon/{isakmp_ident.c|isakmp_inf.c|kmpstat.c}: report more
	  errors to racoonctl

2004-11-21  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/doc/FAQ: NAT-T kernel patch for NetBSD is now on 
	  the ipsec-tools web site
	* src/racoon/{kmpstat.c|racoonctl.8}: New racoonctl command to 
	  display all events reported by racoon: show-event
	* src/racoon/isakmp_cfg.c: don't send ISAKMP mode config message
	  with immature or dying phase 1 
	* src/racoon/kmpstat.c: racoonctl vd awaits phase 1 to get down

2004-11-20  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/isakmp_agg.c: for hybrid auth client, advertise ourself 
	  as Unity compliant.
	* src/racoon/{evt.c|evt.h}: new files 
	  src/racoon/{isakmp_xauth.c|kmpstat.c|pfkey.c}: framework for
	  event reporting from racoon to racoonctl

2004-11-20  Aidas Kasparas  <[email protected]>

	* src/racoon/grabmyaddr.c: Prevent doubling addresses and error messages
	  when racoon is compiled with INET6 support and kernel is not.
	  Fixed with help of Zilvinas Valinskas.
	* src/racoon/{var.h|sockmisc.c}: Fixed compilation with gcc-3.4.2+

2004-11-19  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/doc/FAQ: more options and warn about software patents.

2004-11-18  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/vmbuf.c: don't allocate zero-length buffer
	* src/racoon/samples/roadwarrior/client/
	  src/racoon/samples/roadwarrior/server/ Also 
	  flush SAD when disconnecting.
	* src/racoon/admin.c: Send a notification when deleting ISAKMP SA
	* src/racoon/samples/roadwarrior/README: accommodate the recent
	  sysconfdir change

2004-11-18  Michal Ludvig  <[email protected]>

	* src/racoon/ Fix adminsocket dir, install sample 
	  racoon.conf and psk.txt.
	* src/racoon/localconf.h: Look for racoon.conf in $(SYSCONFDIR),
	  not $(SYSCONFDIR)/racoon.
	* src/racoon/algorithm.h, src/racoon/eaytest.c,
	  src/racoon/schedule.h, src/racoon/gnuc.h: Build fixes for really 
	  strict environments.
	* src/setkey/setkey.conf: Yet another sample config file.
	* src/setkey/ Install setkey.conf.
	* rpm/suse/{,sysconfig.racoon,racoon.init}: New
	* rpm/suse/{,.cvsignore}: New files.
	*, rpm/ Build in rpm/suse.

2004-11-17  Aidas Kasparas  <[email protected]>

	* paste bugfix by Zilvinas Valinskas
	* src/racon/{isakmp_quick.c|policy.c|strnames.c}: fwd policy support
	  for generated policies. Patch by Patrick McHardy.

2004-11-16  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/racoonctl.8: racoonctl man page (new file)

2004-11-16  Emmanuel Dreyfus  <[email protected]>

	From Ganesan <[email protected]>
	* src/racoon/ipsec_doi.c: fix free'd memory access

2004-11-16  Michal Ludvig  <[email protected]>

	DPD patch from Yvan Vanhullebus <[email protected]>
	*, src/racoon/cfparse.y, src/racoon/cftoken.l,
	  src/racoon/handler.c, src/racoon/handler.h,
	  src/racoon/isakmp.c, src/racoon/isakmp.h,
	  src/racoon/isakmp_agg.c, src/racoon/isakmp_ident.c,
	  src/racoon/isakmp_inf.c, src/racoon/isakmp_inf.h,
	  src/racoon/racoon.conf.5 src/racoon/remoteconf.c,
	  src/racoon/remoteconf.h, src/racoon/vendorid.c,
	  src/racoon/vendorid.h: Dead Peer Detection (DPD) support.

2004-11-16  Michal Ludvig  <[email protected]>

	* Remove a bash-specific construction, take II.
	* src/racoon/grabmyaddr.c: FreeBSD fix for headers.

2004-11-15  Michal Ludvig  <[email protected]>

	* Use correct include paths during ./configure run.
	* src/racoon/ Compile cftoken.l from $(srcdir),
	  remove samples/racoon.conf.sample-cvpn, added samples/roadwarrior
	  (hint, hint, manu :-))

2004-11-15  Emmanuel Dreyfus  <[email protected]>

	* README: update the docs
	* src/racoon/doc/FAQ: update the docs
	* Remove a bash-specific construction

2004-11-14  Aidas Kasparas  <[email protected]>

	* src/racoon/cfparse.y: ensure that returns from rules are 
	  initialized even on erroneous config file.
	* src/racoon/admin_var.h: changed management socket location
	* src/racoon/ ditto, added rule to install directory
	  for management socket.
	* src/setkey/{setkey.c|parse.y}: introduced rfc/kernel modes, 
	  added generation of fwd policies for every in policy spdadd'ed.
	* src/setkey/setkey.8,src/libipsec/ipsec_set_policy.3: updated docs
	* src/setkey/policy_token.l: return something reasonable when 
	  fwd direction is parsed on systems with no forward policy

2004-11-14  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/isakmp.c: avoid a double free when using IKE fragmentation
	* src/racoon/{backupsa.c|ipsec_doi.c|localconf.c|str2val.c}
	  src/{libipsec/key_debug.c|setkey/parse.y}: fix build warnings 
	* src/racoon/{admin.c|admin_var.h}
	  src/racoon/racoon.conf.5 src/racoon/samples/roadwarrior/README
	  src/racoon/samples/roadwarrior/client/racoon.conf: make the default
	  mode for the admin socket more secure. 

2004-11-13  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/{cfparse.y|remoteconf.c|crypto_openssl.c|crypto_openssl.h}
	  src/racoon/samples/roadwarrior/client/racoon.conf: Make the root
	  certificate authority location per-peer and configurable.
	* src/racoon/isakmp_frag.c: fix unallocated memory access
	* src/racoon/isakmp_agg.c: fix incorrect queue deallocation
	* src/racoon/remoteconf.c: fix uninitialized data
	* src/racoon/{admin.c|isakmp_xauth.c}: fix free'ed memory access

2004-11-12  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/{|kmpstat.c}: Make racoonctl vc and vd 
	  commands IPv6 friendly.
	* src/racoon/{admin.c|admin.h|handler.c|handler.h|kmpstat.c}: 
	  Add an admin message to flush all the SA for a given peer.
	  Convert racoonctl vd to use it.
	* src/racoon/{admin.c|kmpstat.c|cftoken.l|cfparse.y} 
	  src/racoon/{admin_var.h|admin.h|raccon.conf.5}: Enable the
	  administrator to choose the admin socket path, ownership and mode.
	* src/racoon/sample/roadwarrior: complete config files for 
	  road warriors using hybrid authentication. 

2004-11-12  Michal Ludvig  <[email protected]>

	* Config option --enable-natt=kernel
	* src/racoon/ Distribute only yacc/lex source files, 
	  not the preprocessed .c files.

2004-11-11  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/samples/racoon.conf.sample-cvpn: more complete setup
	  and comments in the VPN concentrator setup for the Cisco VPN client
	* src/racoon/racoon.conf.5: fix documentation
	* src/racoon/isakmp_cfg.c: get the internal IPv4 address in script
	  hooks even if we are a server.

2004-11-10  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/{ipsec_doi.c|remoteconf.c}: fix LP64 problems

2004-11-09  Michal Ludvig  <[email protected]>

	* Remove aclocal-related lines.
	* src/racoon/ Add isakmp_frag.h into noints_HEADERS
	* Cleanup, define INET6 if IPv6 should be supported,
	  better handling of KRB5 and NAT-T.
	* src/racoon/{isakmp_cfg.c,isakmp_frag.c,isakmp_unity.c}: Make
	  FreeBSD happy with includes (Arrgh...&^#$^@!!!)

2004-11-08  Michal Ludvig  <[email protected]>

	* src/libipsec/policy_parse.y: Define INT32_MAX/INT32_MIN.
	* src/libipsec/policy_token.l, src/racoon/kmpstat.c,
	  src/racoon/{pfkey.c,prsa_par.y,rsalist.c,token.l}: Small
	  fixes to support FreeBSD (tested with 4.10).

2004-11-05  Michal Ludvig  <[email protected]>

	* Add --with-readline switch.
	* src/setkey/setkey.c(stdin_loop): Fix newlines and comments
	  when compiled without readline.

2004-11-01  Aidas Kasparas  <[email protected]>

	* src/racoon/isakmp_quick.c: generated policy refresh patch
	  by Yvan Vanhullebus

2004-10-29  Michal Ludvig  <[email protected]>

	* Check for IPSEC_DIR_FWD and eventually define
	* src/libipsec/{ipsec_dump_policy.c,policy_token.l}: Use 
	  HAVE_POLICY_FWD in ifdefs.
	* NEWS: Mention the fix.
	* src/racoon/kmpstat.c: Fix compilation on Linux.
	* src/racoon/ipsec_doi.h: Ditto.
	* src/racoon/, src/setkey/ Update
	  explicit dependencies.

2004-10-29  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/{isakmp_cfg.h,grabmyaddr.c,handler.c,handler.h}:
	  do not reconfigure internal addresses obtained through ISAKMP
	  mode config.
	* src/racoon/{isakmp.c,isakmp_cfg.c,isakmp_xauth.c}: On authentication
	  failure, kill the phase 1 and log the failure. Do not run the sa_up
	  script in this case.
	* src/racoon/{admin.c,admin.h,isakmp_xauth.c,kmpstat.c,remoteconf.h}:
	  Add -u user to racoonctl establish-sa, prompt for the PSK from
	  the terminal, and add a vpn-connect target with simplified syntax 
	  for establishing a SA in the road warrior case.
	* src/racoon/{admin.c,kmpstat.c}: implement delete-sa and 
	  vpn-disconnect commands of racoonctl
	* src/racoon/{cfparse.y,cftoken.l,handler.c,isakmp.c,isakmp_cfg.c}
	  Remove sa_up and sa_down and replace them by a more general
	  script hook framework. 

2004-10-27  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/nattraversal.c: Use macros instead of magic numbers
	* src/racoon/kmpstat.c: pull up fixes from KAME so that racoonctl
	  can actually establish a SA
	* src/racoon/{cfparse.y,cftoken.l,handler.c,isakmp.c,isakmp_cfg.c}
	  Shell script hooks for ISAKMP SA creation and removal

2004-10-26  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/rfc/draft-ietf-ipsec-isakmp-hybrid-auth-05.txt: removed
	  src/racoon/rfc/draft-ietf-ipsec-isakmp-mode-cfg-04.txt: removed
	  src/racoon/rfc/draft-beaulieu-ike-xauth-02.txt: new file
	  src/racoon/rfc/draft-dukes-ike-mode-cfg-02.txt: new file
	  Update to the latest drafts

2004-10-25  Emmanuel Dreyfus  <[email protected]>

	*  src/racoon/rfc/draft-ietf-ipsec-isakmp-hybrid-auth-05.txt: new file
	   src/racoon/rfc/draft-ietf-ipsec-isakmp-mode-cfg-04.txt: new file
	   src/racoon/rfc/draft-ietf-ipsec-isakmp-xauth-07.txt: new file
	   drafts documenting ISAKMP mode config, Xauth and hybrid auth
	*  src/racoon/cftoken.l: fix build problem, add an error message
	   when using hybrid auth options while hybrid auth is not built
	*  src/racoon/isakmp_cfg.c: build without RADIUS support too

2004-10-24  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/{algorithm.c,algorithm.h,cfparse.y,cftoken.l}
	  src/racoon/{remoteconf.c,remoteconf.h,strnames.c}: Client side
	  of hybrid auth and ISAKMP mode config

2004-10-24  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/{cfparse.y,cftoken.l,handler.h,isakmp.c}
	  Receiver-side of IKE fragmentation

2004-10-24  Emmanuel Dreyfus  <[email protected]>

	* src/racoon/isakmp_cfg.c: Fix read buffer overflow
	* src/racoon/isakmp_xauth.c: Fix weak authentication
	* src/racoon/{oakley.c,oakley.h}: Fix weak authentication

2004-10-21  Michal Ludvig  <[email protected]>

	From Emmanuel Dreyfus:
	* src/racoon/{isakmp_frag.c,isakmp_frag.h}: New files.
	* src/racoon/isakmp_cfg.c: Fix endianness.

2004-10-20  Michal Ludvig  <[email protected]>

	From Emmanuel Dreyfus:
	* src/racoon/{cfparse.y,cftoken.l,handler.c},
	  src/racoon/racoon.conf.5: RADIUS IP addresses allocation 
	  and RADIUS accounting.
	  src/racoon/{vendorid.c,vendorid.h}: IKE Fragmentation patch.

2004-10-08  Michal Ludvig  <[email protected]>

	* src/racoon/isakmp_cfg.c: Fixes from Emmanuel Dreyfus.

2004-10-06  Aidas Kasparas  <[email protected]>

	* src/racoon/remoteconf.c: dupidvl(), dupetypes() - new functions
	  to duplicate dynamically allocated structures; duprmconf() - call
	  these functions to produce private copy of inherited id and etype
	* src/racoon/remoteconf.c: declaration for dupetypes().

2004-10-04  Aidas Kasparas  <[email protected]>

	* src/racoon/cfparse.y: check inherited_from dereferencing
	* src/racoon/crypto_openssl.c: prevent crash on incorrect DNs

2004-09-27  Michal Ludvig  <[email protected]>

	From KOVACS Krisztian <[email protected]>:
	* src/racoon/sockmisc.c(sendfromto): Set src address.

2004-09-24  Aidas Kasparas  <[email protected]>

	* added check for linux-gnu, as my box reports
	* src/racoon/grabmyaddr.c: added missing <linux/types.h> include

2004-09-21  Michal Ludvig  <[email protected]>

	Merged 'autoconf' branch to mainline:
	* .cvsignore, ChangeLog,, bootstrap,,
	  src/racoon/.cvsignore, src/racoon/cfparse.y, 
	  src/racoon/crypto_openssl.c, src/racoon/crypto_openssl.h, 
	  src/racoon/ipsec_doi.c, src/racoon/isakmp.c, 
	  src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c, 
	  src/racoon/isakmp_cfg.c, src/racoon/isakmp_ident.c, 
	  src/racoon/isakmp_unity.c, src/racoon/main.c, 
	  src/racoon/nattraversal.c, src/racoon/oakley.c, 
	  src/racoon/oakley.h, src/racoon/sockmisc.c, 
	  src/racoon/missing/crypto/sha2/sha2.c: Modified (see ChangeLog
	  in 'autoconf' branch for details).
	* acracoon.m4, src/racoon/ New files.
	* src/racoon/, src/racoon/aclocal.m4, 
	  src/racoon/client-puzzle.c, src/racoon/config.guess, 
	  src/racoon/config.sub, src/racoon/, 
	  src/racoon/install-sh, src/racoon/doc/, 
	  src/racoon/doc/, src/racoon/doc/, 
	  src/racoon/doc/pattern, src/racoon/doc/question, 
	  src/racoon/doc/, src/racoon/doc/redmond.txt, 
	  src/racoon/doc/, src/racoon/doc/sandiego-result.en, 
	  src/racoon/missing/addrinfo.h, src/racoon/missing/getaddrinfo.c, 
	  src/racoon/missing/getnameinfo.c, src/racoon/samples/Makefile, 
	  src/racoon/samples/ Removed.

2004-09-17  Michal Ludvig  <[email protected]>

	* src/racoon/vendorid.[ch]: Rewrote the VendorID handling. 
	  We don't use the array with fixed offsets anymore, instead 
	  a generally unordered structure with ID, string and 
	  precomputed MD5 hashes.
	* src/racoon/{isakmp_agg.c,isakmp_base.c,isakmp_ident.c},
	  src/racoon/nattraversal.c: Updated to the new VID model.
	* src/racoon/main.c(main): Precompute VendorIDs.
	* src/racoon/arc4random.h, src/racoon/missing/arc4random.c:
	  Files removed. Function arc4random() renamed to eay_random()
	  and moved to crypto_openssl.c.
	* src/racoon/pfkey.c, src/racoon/oakley.c, src/racoon/main.c,
	  src/racoon/isakmp.c: Updated to the above change.
	* src/racoon/, src/racoon/ Remove
	  arc4random() from building.
	* src/racoon/crypto_openssl.[ch](eay_random): New function.
	* src/racoon/isakmp_cfg.c, src/racoon/isakmp_unity.c, 
	  src/racoon/isakmp_xauth.c: Cleaned up headers.

2004-09-16  Michal Ludvig  <[email protected]>

	* src/racoon/crypto_openssl.c (base64_encode): Terminate
	  the result with '\0'.

2004-09-15  Michal Ludvig  <[email protected]>

	* How about calling the next version 0.5?
	* src/include-glibc/glibc-bugs.h: Define _XOPEN_SOURCE
	  _BSD_SOURCE and don't require <linux/types.h>
	* src/racoon/isakmp_cfg.c, src/racoon/isakmp_unity.c,
	  src/racoon/isakmp_xauth.c: Don't include <netkey/key_var.h>
	* src/racoon/ Add new files to distribution.
	* src/racoon/ Fix linux kernel NATT detection.
	* src/setkey/parse.y: Fix types.
	* src/racoon/backupsa.c, src/racoon/ipsec_doi.c, 
	  src/racoon/isakmp_inf.c, src/racoon/isakmp_quick.c,
	  src/racoon/pfkey.c, src/racoon/remoteconf.c,
	  src/racoon/session.c, src/racoon/sockmisc.c: Fix headers 
	  ordering, use HAVE_NETINET6_IPSEC.
	* src/racoon/isakmp_cfg.c: Use %z for size_t.
	* src/racoon/ Clean up IPv6 stack check.

2004-09-15  Michal Ludvig  <[email protected]>

	Merged "Hybrid XAUTH" support from Emmanuel Dreyfus:
	* src/racoon/isakmp_cfg.h, src/racoon/isakmp_cfg.c,
	  src/racoon/isakmp_unity.c, src/racoon/isakmp_unity.h,
	  src/racoon/isakmp_xauth.c, src/racoon/isakmp_xauth.h,
	  src/racoon/samples/racoon.conf.sample-cvpn: New files.
	* src/racoon/algorithm.c, src/racoon/algorithm.h,
	  src/racoon/cfparse.y, src/racoon/cftoken.l,
	  src/racoon/handler.c, src/racoon/handler.h,
	  src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
	  src/racoon/isakmp.h, src/racoon/isakmp_agg.c, 
	  src/racoon/isakmp_inf.c, src/racoon/oakley.c,
	  src/racoon/oakley.h, src/racoon/strnames.c,
	  src/racoon/vendorid.c, src/racoon/vendorid.h: Added
	  code for XAUTH support.
	* src/racoon/racoon.conf.5: Documentation for XAUTH.
	* src/racoon/isakmp_base.c, src/racoon/isakmp_ident.c,
	  src/racoon/nattraversal.c: Added NATT VID "02\n"
	* src/racoon/ New config option --enable-hybrid

2004-09-14  Michal Ludvig  <[email protected]>

	* Preset CFLAGS
	* src/racoon/ Preset LDFLAGS instead of CFLAGS on NetBSD,
	  Check if printf() accepts "%z" modifiers.
	* src/racoon/isakmp_agg.c(agg_i1send): Place #endif correctly.
	* src/setkey/parse.y(fix_portstr): Init 'p2'.
	* src/setkey/setkey.c: Add required prototypes.

2004-09-14  Aidas Kasparas  <[email protected]>

	* src/racoon/gssapi.c: sa_len -> sysdep_sa_len. Patch by Andreas.

2004-09-14  Michal Ludvig  <[email protected]>

	* src/racoon/ Check for NetBSD NAT-T kernel support.

2004-09-13  Michal Ludvig  <[email protected]>

	* src/racoon/ Check for <openssl/engine.h>
	* src/racoon/crypto_openssl.c: Only use OpenSSL engines if available.
	* src/racoon/plainrsa-gen.c: Ditto.

2004-09-13  Michal Ludvig  <[email protected]>

	NetBSD fixes from Emmanuel Dreyfus <[email protected]>:
	* build in rpm/ only on Linux
	* Check for netinet6/ipsec.h instead of netinet/ipsec.h
	* src/ Build include-glibc only on Linux
	* src/libipsec/{ipsec_dump_policy.c,ipsec_get_policylen.c,
	  src/setkey/{parse.y,setkey.c,token.l}: Fix headers and some
	* src/racoon/sockmisc.c(sendfromto): Wrap for Linux only.
	* src/racoon/ Check for kernel NAT-T support,
	  fix libipsec.a linkage path.
	* src/racoon/eaytest.c(certtest): Use %z for size_t.

2004-09-12  Aidas Kasparas  <[email protected]>

	* src/racoon/grabmyaddr.c: improved socket selection algorithm for
	  case when link-local addresses come w/o sin6_scope_id set.

2004-09-07  Aidas Kasparas  <[email protected]>

	* src/racoon/session.c: fix for SIGHUP handler for case when config
	  file contains listen directives.

2004-09-01  Aidas Kasparas  <[email protected]>

	* src/racoon/grabmyaddr.c: added scope id handling for link-local
	  IPv6 addresses. Now racoon will not err on such addresses.

2004-08-19  Aidas Kasparas  <[email protected]>

	* src/racoon/crypto_openssl.c: hmac memory leak fix by R. Ganesan
	* src/racoon/eaytest.c: eay_init_error() -> eay_init() due to 
	  2004-06-01 changes in src/racoon/crypto_openssl.c

2004-08-15  Aidas Kasparas  <[email protected]>

	* src/racoon/cfparse.y src/racoon/crypto_openssl.c
	  src/racoon/eaytest.c src/racoon/genlist.h src/racoon/ipsec_doi.c
	  src/racoon/racoon.conf.5 src/racoon/remoteconf.c
	  src/racoon/remoteconf.h: peers_identifier wildcard and 
	  list patch by James Matheson


	0.4rc1 released

2004-08-09  Michal Ludvig  <[email protected]>

	* NEWS: Notes for release 0.4rc1
	* Bump up version to 0.4rc1

2004-07-12  Michal Ludvig  <[email protected]>

	PlainRSA support.
	See ChangeLog.prsa from the 'plainrsa' branch for details.
	* src/racoon/stringlist.c src/racoon/stringlist.h: Removed.
	* src/racoon/genlist.c src/racoon/genlist.h 
	  src/racoon/plainrsa-gen.8 src/racoon/plainrsa-gen.c 
	  src/racoon/prsa_par.y src/racoon/prsa_tok.l 
	  src/racoon/rsalist.c src/racoon/rsalist.h 
	  src/racoon/samples/racoon.conf.sample-plainrsa: New files.
	* src/racoon/ src/racoon/
	  src/racoon/cfparse.y src/racoon/cftoken.l 
	  src/racoon/crypto_openssl.c src/racoon/crypto_openssl.h
	  src/racoon/handler.h src/racoon/ipsec_doi.c 
	  src/racoon/ipsec_doi.h src/racoon/isakmp.h src/racoon/main.c 
	  src/racoon/oakley.c src/racoon/plog.c src/racoon/remoteconf.c 
	  src/racoon/remoteconf.h src/racoon/sockmisc.c 
	  src/racoon/sockmisc.h src/racoon/eaytest.c: Updated.

2004-07-12  Michal Ludvig  <[email protected]>

	* src/racoon/main.c, src/racoon/eaytest.c, src/racoon/plog.c: Move
	  f_foreground to plog.c.
	* src/racoon/proposal.c (cmpsaprop_alloc): Fix printing of encmode 
	* src/racoon/ipsec_doi.c, src/racoon/isakmp.c, src/racoon/isakmp_quick.c,
	  src/racoon/oakley.c: Fix typos, newlines and printf() format strings.

2004-06-16  Aidas Kasparas  <[email protected]>

	* src/racoon/crypto_openssl.c (eay_get_x509cert): small memory 
	  leak fix. Noticed B.Buesker, patch L.Stellingwerff
	* src/racoon/crypto_openssl.c (eay_aes_{en|de}crypt, evp_crypt): 
	  small memory leaks fixed.

2004-06-15  Aidas Kasparas  <[email protected]>

	* src/racoon/crypto_openssl.[ch] (cb_check_cert_local, 
	  cb_check_cert_remote): split cb_check_cert() due to stricter
	  requirements for certificates received from network.
	* src/racoon/crypto_openssl.[ch] (eay_check_x509cert): new parameter
	  local to specify how strict cert check should be
	* src/racoon/oakley.c, src/racoon/eaytest.c: adjust to use above

2004-06-11  Michal Ludvig  <[email protected]>

	* src/racoon/nattraversal.c (natt_vendorid, natt_fill_options): Support 
	  for all known NAT-T versions.
	* vendorid.h: Ditto.

2004-06-08  Michal Ludvig  <[email protected]>

	* src/racoon/stringlist.c, src/racoon/stringlist.h: New files.
	* src/racoon/ Compile stringlist.o.

2004-06-07  Michal Ludvig  <[email protected]>

	* Set version to 'cvs'.
	* src/{racoon,setkey,libipsec}/*.h: Wrap headers between
	  #ifndef/#define/#endif to allow multiple inclusions of the
	  same file.
	* plog.h (plog): Attribute __printf__ for automatic checking 
	  of the parameters' validity.
	* cftoken.l, crypto_openssl.c, grabmyaddr.c, ipsec_doi.c,
	  isakmp.c, isakmp_quick.c, oakley.c, pfkey.c, proposal.c,
	  sockmisc.c: Fix warnings/errors in the plog() parameters with 
	  the above change.

2004-06-05  Aidas Kasparas  <[email protected]>

	* src/setkey/setkey.c: -n (no action) support. 
	  Thanks Thomas Habets.
	* src/setkey/setkey.8: Documentation for above.
	* src/racoon/doc/README.certificate: updated link to more recent
	  version of document. Debian bug #252513 by Jose Luis Domingo Lopez

2004-06-01  Michal Ludvig  <[email protected]>

	* src/racoon/algorithm.c: Enable compilation without SHA2 support.
	* src/racoon/crypto_openssl.c: Ditto.

2004-06-01  Michal Ludvig  <[email protected]>

	* src/racoon/crypto_openssl.c: Remove unneeded workarounds for older
	  (eay_init): New function.
	  (eay_init_error, eay_check_pkcs7sign): Removed.
	* src/racoon/crypto_openssl.h: Reflect the above changes.
	* src/racoon/main.c: Call eay_init() instead of eay_init_error().

2004-05-27  Michal Ludvig  <[email protected]>

	Support for inheritance of 'remote' statements:
	* src/racoon/cftoken.l: New keyword 'inherit'.
	* src/racoon/cfparse.y: Support for 'inherit', remove
	  global 'prhead', use cur_rmconf->prhead instead.
	* src/racoon/remoteconf.c (rmtree): Changed from
	  LIST queue to TAILQ queue.
	  (getrmconf): Renamed to getrmconf_strict().
	  (copyrmconf, duprmconf)
	  (dump_rmconf_single, dumprmconf): New functions.
	  (rm2str): Deleted.
	* src/racoon/remoteconf.h: Prototypes for the above.
	  (struct remoteconf): New fields 'inherited_from' and 'prhead'.
	* src/racoon/sockmisc.c (saddr2str): Can print anonymous entries.
	* src/racoon/algorithm.c (alg_oakley_encdef_name)
	  (alg_oakley_hashdef_name, alg_oakley_dhdef_name)
	  (alg_oakley_authdef_name): New functions.
	* src/racoon/algorithm.h: Prototypes for the above.
	* src/racoon/strnames.c (num2str): Make extern.
	  (s_doi, s_etype, s_idtype, s_switch): New functions.
	* src/racoon/strnames.h: Prototypes for the above.
	* src/racoon/main.c: New parameter -C for dumping the parsed config.
	* src/racoon/racoon.conf.5: Document inheritance.
	* src/racoon/samples/racoon.conf.sample-inherit: Sample config file.
	* src/racoon/ Distribute racoon.conf.sample-inherit

2004-05-24  Michal Ludvig  <[email protected]>

	*, backupsa.c, ipsec_doi.c, isakmp_inf.c, 
	  isakmp_quick.c, pfkey.c, remoteconf.c, session.c, 
	  sockmisc.c: Allow compilation with --disable-ipv6

2004-05-21  Michal Ludvig  <[email protected]>

	* src/racoon/crypto_openssl.[ch]: Use EVP_*() instead of 
	  algorithm specific functions.

2004-05-20  Aidas Kasparas  <[email protected]>

	Manual page updates. Thanks Brian
	* src/libipsec/ipsec_set_policy.3
	* src/setkey/setkey.8
	* src/libipsec/test-policy-priority.c: new file from policy 
	  priority patch, which I forgot to add

2004-05-18  Aidas Kasparas  <[email protected]>

	Policy priority integer handling fixes by Brian Buesker.
	* src/libipsec/ipsec_strerror.c
	* src/libipsec/ipsec_strerror.h
	* src/libipsec/libpfkey.h
	* src/libipsec/policy_parse.y
	* src/libipsec/test-policy-priority.c
	Manual page corrections by me
	* src/libipsec/ipsec_set_policy.3
	* src/setkey/setkey.8

2004-05-15  Aidas Kasparas  <[email protected]>

	Policy priority support patch from Brian Buesker. Applied as is
	except src/libipsec/ is modified instead of 
	src/libipsec/ as found in the patch.

2004-05-10  Michal Ludvig  <[email protected]>

	From Heiko Hund, approved by the copyright holder:
	* src/racoon/gssapi.[ch]: Update to 3-clause BSD license.

2004-04-27  Michal Ludvig  <[email protected]>

	From Heiko Hund:
	* src/include-glibc/sys/queue.h: Update to 3-clause BSD license.

2004-04-26  Aidas Kasparas  <[email protected]>

	* src/racoon/grabmyaddr.c (update_myaddrs): Only trust kernel to 
	  send notifications about changed interfaces.

2004-04-24  Aidas Kasparas  <[email protected]>

	* src/racoon/grabmyaddr.c (recvaddrs): Only trust kernel to send
	  information about interfaces. Thanks Steve Grubb and Bill
	  Nottingham. Affects users with glibc w/o getifaddrs(). Users 
	  with glibc earlier than 2003-11-14 should upgrade their glibc.

2004-04-19  Michal Ludvig  <[email protected]>

	* src/racoon/isakmp.c (isakmp_handler): Reject too big 
	  packets (CAN-2004-0403).


	0.3 released

2004-04-14  Michal Ludvig  <[email protected]>

	* NEWS: Notes for release 0.3
	* Bump up version to 0.3
	* src/racoon/ Use install-sh instead of mkinstalldirs.
	* src/racoon/remoteconf.c (foreachrmconf): Avoid warning about 
	  uninitialised variable.
	* src/racoon/samples/ Cleaned up to work with Linux
	  and FreeSWAN.

2004-04-13  Michal Ludvig  <[email protected]>

	* src/racoon/grabmyaddr.c (suitable_ifaddr6): Anycast addresses are
	  not suitable.

2004-04-09  Michal Ludvig  <[email protected]>

	* src/racoon/crypto_openssl.c (cb_check_cert): Warn if no CRL is found.
	* src/racoon/isakmp_ident.c (ident_r2recv): Removed debug plog().
	* src/racoon/proposal.c (cmpsatrns): Downgrade severity of trns_id
	  mismatch to LLV_WARNING.
	* src/libipsec/pfkey_dump.c, src/racoon/algorithm.c 
	  src/racoon/algorithm.h src/racoon/cftoken.l 
	  src/racoon/ipsec_doi.c src/racoon/ipsec_doi.h 
	  src/racoon/oakley.h src/racoon/pfkey.c src/racoon/strnames.c 
	  src/setkey/token.l: Renamed Rijndael to AES.
	* src/setkey/token.l: Recognize exit/quit/bye tokens.
	* src/setkey/parse.y (exit_command): New.
	* src/setkey/setkey.c (stdin_loop): Exit when exit_now is set
	  in exit_command.

2004-04-08  Michal Ludvig  <[email protected]>

	* src/setkey/setkey.c (main): Call get_supported() in interactive mode.
	  (stdin_loop): Concat multiline input into a single line before parsing.

2004-04-07  Michal Ludvig  <[email protected]>

	* src/racoon/nattraversal.c (natt_keepalive_send): Log sending KA 
	  with level DEBUG. Having it with level INFO only pollutes logfiles.

2004-04-06  Michal Ludvig  <[email protected]>

	* src/racoon/ eaytest now links plog.o
	* src/racoon/crypto_openssl.c: Remove all #ifdef EAYDEBUG/#endif
	  surrounding plog().
	* src/racoon/eaytest.c (rsatest): Enabled RSA tests again, now 
	  verifying both good and bad signatures.


	0.3rc5 released

2004-04-05  Michal Ludvig  <[email protected]>

	* NEWS: Notes for release 0.3rc5
	* Bump up version to 0.3rc5

2004-04-05  Michal Ludvig  <[email protected]>

	Fix for a security bug found by Ralf Spenneberg:
	* src/racoon/crypto_openssl.c (eay_check_x509sign): Directly generate 
	  'evp' instead of 'pubkey'.
	  (eay_rsa_sign): Use the above.
	* src/racoon/crypto_openssl.h: Update prototypes for the above.
	* src/racoon/eaytest.c: Disabled RSA tests because of the API change.

2004-04-05  Michal Ludvig  <[email protected]>

	* src/racoon/pfkey.c (pfkey_handler): Safety check before accessing 
	  the array (thx to Ren.J.Y for report).
	  (pkrecvf): Added entry for SADB_X_NAT_T_NEW_MAPPING (NULL for now).
	* src/racoon/strnames.c (name_pfkey_type): Ditto.

2004-04-02  Michal Ludvig  <[email protected]>

	* src/racoon/eaytest.c (ciphertest_1): Correct padlen.

2004-04-01  Michal Ludvig  <[email protected]>

	* src/racoon/ipsec_doi.c (setph2proposal0): Move proposal encmode
	  update from here ...
	  (ipsecdoi_setph2proposal): ... to here. Hopefully this is a 
	  better place to do the update.

2004-03-30  Michal Ludvig  <[email protected]>

	* src/racoon/crypto_openssl.c (eay_3des_expand_key): New function.
	  (eay_3des_encrypt, eay_3des_decrypt): Expand key if necessary.
	* src/racoon/eaytest.c (ciphertest_1): New function.
	  (ciphertest): Simplified to simple calls of ciphertest_1().

2004-03-29  Michal Ludvig  <[email protected]>

	* README: Rewritten. Mentioned where to report bugs.

2004-03-26  Michal Ludvig  <[email protected]>

	* Check for readline.h and libreadline.
	* src/setkey/setkey.c: Call stdin_loop() when '-c' was given.
	  (stdin_loop): Read user input and parse it line-by-line.
	* src/setkey/token.l (parse_string): New function.


	0.3rc4 released

2004-03-25  Michal Ludvig  <[email protected]>

	* Bump up version to 0.3rc4
	* NEWS: Notes for release 0.3rc4
	* src/racoon/cfparse.y (algorithm): Hint about missing module.
	* src/racoon/crypto_openssl.c (eay_3des_*): Check for strict key 
	  length only with old API.
	  (eay_des_encrypt): Ditto.
	* src/racoon/eaytest.c: Make the testsuite useful, i.e. exit with
	  non-zero error code if any of the tests fail.
	  (main): Print banner with version.
	* src/racoon/ Run eaytest in 'make check'.

2004-03-23  Michal Ludvig  <[email protected]>

	* src/racoon/isakmp_agg.c (agg_i2recv): Copy remote cookie before 
	  comparing NAT-D payloads. (thx to Gaurav Kansal for report).
	* src/racoon/crypto_openssl.c: Avoid type-punned warnings.
	* src/racoon/eaytest.c: Disable 'cert' tests.
	* src/racoon/crypto_openssl.c (eay_des_encrypt): No need to check 
	  for strict length.
	  (eay_aes_encrypt): Keylength is in bits, not bytes.

2004-03-22  Michal Ludvig  <[email protected]>

	* src/setkey/parse.y (ALG_ENC_NOKEY, ALG_ENC_OLD): Use "" for key 
	  instead of NULL and check for availability.


	0.3rc3 released

2004-03-19  Michal Ludvig  <[email protected]>

	* Bump up version to 0.3rc3
	* NEWS: Notes for release 0.3rc3
	* src/racoon/cftoken.l: Add 'null' as an alias for 'null_enc'.
	* src/racoon/proposal.c (cmpsatrns): New parameter proto_id, 
	  better diagnostic output when trns_id don't match.
	* src/racoon/proposal.h (cmpsatrns): Update prototype.
	* src/setkey/setkey.c: Change option -h to -H (for hexdump), new
	  options -h (help) and -V (version).
	* src/setkey/setkey.8: Document the above changes.
	* src/racoon/rfc/*: Many standards related to IPsec/IKE/NAT-T/...

2004-03-15  Michal Ludvig  <[email protected]>

	* src/racoon/ Prevent compilation error with


	0.3rc2 released

2004-03-11  Michal Ludvig  <[email protected]>

	* Bump up version to 0.3rc2
	* NEWS: Notes for release 0.3rc2
	* src/racoon/aclocal.m4 (RACOON_CHECK_VA_COPY): New test.
	* src/racoon/ Call RACOON_CHECK_VA_COPY
	* src/racoon/plog.c (plogv): Replace va_copy() with VA_COPY.
	* src/racoon/racoon.conf.5: Note that NAT-T support is a compile 
	  time option.

2004-03-10  Michal Ludvig  <[email protected]>

	* src/racoon/racoon.conf.5: Document nat_traversal option.
	* src/racoon/racoon.8: Document new options (-L and -P).

2004-03-09  Michal Ludvig  <[email protected]>

	* src/racoon/grabmyaddr.c (autoconf_myaddrsport): Prepare addrs for
	  UDP-Encap ports if NAT-T is enabled.
	  (dupmyaddr): New function.
	* src/racoon/grabmyaddr.h: Prototype for dupmyaddr().
	* src/racoon/isakmp.c (isakmp_open): Complain if NAT-T is enabled, but 
	  no port for UDP-Encap was open.
	* src/racoon/isakmp_var.h (PORT_ISAKMP_NATT): New define.
	* src/racoon/localconf.c, src/racoon/localconf.h: Define and setup 
	* src/racoon/main.c (main): Print nicer banner,
	  (usage): Document new options (-L and -P).
	  (parse): Recognise the above.
	* src/racoon/nattraversal.c (natt_fill_options): Don't use hardcoded 
	  constants for float_port.
	  (natt_enabled_in_rmconf, natt_enabled_in_rmconf_stub): New functions.
	* src/racoon/nattraversal.h: Prototype for natt_enabled_in_rmconf().
	* src/racoon/plog.c: Don't print source:line:function by default.
	* src/racoon/remoteconf.c (foreachrmconf): New helper function.
	* src/racoon/remoteconf.h: Prototype for the above.
	* package_version.h: Define strings for use in banners.
	* Fill up the above header.

2004-03-09  Michal Ludvig  <[email protected]>

	* src/racoon/ Don't put -O into OPTFLAGS,
	  add new option --disable-natt.
	* src/racoon/cfparse.y, src/racoon/handler.c,
	  src/racoon/ipsec_doi.c, src/racoon/isakmp.c,
	  src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
	  src/racoon/isakmp_ident.c, src/racoon/pfkey.c,
	  src/racoon/proposal.c, src/racoon/session.c: Replace WITH_NATT
	  with ENABLE_NATT.
	* src/racoon/crypto_openssl.c: Replace %d with %zd for size_t arguments.

2004-03-06  Aidas Kasparas  <[email protected]>

	* Refuse to continue if lexer library (yywrap() 
	  function) is missing. Should prevent bugs like #892067, #908758
	* src/racoon/ renamed --with-ssleay to --with-openssl.
	  Users should not be given false idea that they require both OpenSSL
	  and SSLeay to compile racoon. (See bug #902197)


	0.3rc1 released

2004-03-04  Michal Ludvig  <[email protected]>

	* Bump up version to 0.3rc1
	* NEWS: Mention release 0.3rc1 (and copy 0.2.3 and 0.2.4 notes
	  from 0.2 branch).
	* src/racoon/samples/racoon.conf.sample-natt: New sample config file.
	* src/racoon/ Tweak file lists to make 'distcheck' happy,
	  enabled NATT by default (will become a config option later).

2004-03-04  Michal Ludvig  <[email protected]>

	Merge with 'nat-t_branch' to bring NAT-T (NAT traversal) support
	to racoon.
	* src/racoon/, src/racoon/cfparse.y,
	  src/racoon/cftoken.l, src/racoon/grabmyaddr.c,
	  src/racoon/grabmyaddr.h, src/racoon/handler.c,
	  src/racoon/handler.h, src/racoon/ipsec_doi.c,
	  src/racoon/ipsec_doi.h, src/racoon/isakmp.c, src/racoon/isakmp.h,
	  src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c,
	  src/racoon/isakmp_ident.c, src/racoon/isakmp_quick.c,
	  src/racoon/localconf.c, src/racoon/localconf.h,
	  src/racoon/pfkey.c, src/racoon/proposal.c, src/racoon/proposal.h,
	  src/racoon/racoon.conf.5, src/racoon/remoteconf.c,
	  src/racoon/remoteconf.h, src/racoon/session.c,
	  src/racoon/strnames.c, src/racoon/vendorid.h
	  src/racoon/nattraversal.c, src/racoon/nattraversal.h,
	  src/racoon/sockmisc.c: Affected files.

2004-02-27  Michal Ludvig  <[email protected]>

	* src/racoon/isakmp.c (set_isakmp_header1): Renamed from
	  (set_isakmp_header): New function common for set_isakmp_header1() 
	  and set_isakmp_header2().
	  (copy_ph1addresses): Obey original port.
	  (isakmp_plist_append, isakmp_plist_set_all): New helper functions.
	* src/racoon/isakmp_var.h: Prototypes for the above.
	* src/racoon/isakmp.h (struct payload_list): New structure.
	* src/racoon/isakmp_agg.c, src/racoon/isakmp_base.c, 
	  src/racoon/isakmp_ident.c: Use isakmp_plist_* functions.

2004-02-03  Michal Ludvig  <[email protected]>

	* src/racoon/ Fix install to $(sbindir)
	* src/setkey/parse.y: Avoid GCC 3.3 warning (type-punned pointer).

2004-01-19  Michal Ludvig  <[email protected]>

	* rpm/ipsec-tools.FC1: Startup script for Fedora Core 1
	  (thanks to Kimmo Koivisto <[email protected]>)

2004-01-17  Aidas Kasparas  <[email protected]>

	* src/racoon/isakmp_inf.c: endian mismatch fix. From iij seil team

2004-01-15  Michal Ludvig  <[email protected]>

	* src/racoon/isakmp_inf.c: Prevent unauthorized deletion of SA
	  (reported on bugtraq, fixed by iij seil team).
	* src/racoon/isakmp.c: Don't try to bind to IPv6 multicast addresses.

2004-01-14  Michal Ludvig  <[email protected]>

	* src/racoon/plog.c: Fix segfault on AMD64 (va_list can be used 
	  only once).
	* Don't build shared libipsec by default (can be
	  enabled by --enable-shared).
	* bootstrap: Don't run automake for racoon.

2004-01-12  Michal Ludvig  <[email protected]>

	* src/racoon/ Fix AC_DEFINEs to make autoheader happy,
	  use config.h for defines instead of -DHAVE_* gcc options,
	  fix CRYPTOBJS to include missing rijndael libraries only once, 
	  checking for AES support in OpenSSL now (hopefully) finally 
	  works on both OpenSSL 0.9.6 and 0.9.7.
	* src/racoon/*.[cyl]: Include autogenerated "config.h"
	* src/racoon/missing/crypto/*/*.c: Ditto.
	* src/racoon/.cvsignore: Add config.h,

2004-01-09  Michal Ludvig  <[email protected]>

	* src/racoon/.cvsignore: Add "autom4te.cache" and "configure".

2004-01-09  Aidas Kasparas  <[email protected]>

	Sync with KAME 2004-01-07
	* src/libipsec/pfkey.c: memory leak fix; comment typo fixes
	* src/libipsec/{pfkey.c,pfkey_dump.c}: allow compilation even 
	  when SADB_X_EXT_TAG is not defined
	* src/libipsec/pfkey_dump.c: information about algorithms 
	  ripemd160, aes-xcbc, aes-ctr; bigger buffers; <tag> support
	* src/libipsec/policy_parse.y: memory leak
	* src/libipsec/policy_token.l: memory leak
	* src/libipsec/test-policy.c: unneeded \n removed
	* src/racoon/ $(sbindir) support
	* src/racoon/admin.c: interface changes due to proxy support 
	* src/racoon/algorithm.c: SHA2 #ifdefs
	* src/racoon/{cfparse.y,cftoken.l}: license text added
	* src/racoon/cfparse.y: mip6 obsoleted by proxy support
	* src/racoon/cfparse.y: from directive support; new algorithms
	* src/racoon/cftoken.l: support for globbing of include files
	* src/racoon/ more verbose information about problems 
	  with SHA2
	* src/racoon/crypto_openssl.c: use new DES API if supported; algorithm 
	  key size fixes
	* src/racoon/eaytest.c: SHA2 #ifdefs; keysize len check
	* src/racoon/ipsec_doi.c: use VPTRINIT; ESP parameter validity checks;
	  style change
	* src/racoon/isakmp.c: use VPTRINIT; interface changes due to
	  mip6->proxy; typo
	* src/racoon/isakmp_inf.c: use VPTRINIT
	* src/racoon/isakmp_quick.c: mip6->proxy
	* src/racoon/kmpstat.c: unused variables removed
	* src/racoon/pfkey.c: mip6->proxy; schedule leak
	* src/racoon/proposal.c: style
	* src/racoon/remoteconf.c: mip6->proxy
	* src/racoon/sainfo.c: from directive support
	* src/racoon/sockmisc.c: side correction; addrinfo leak
	* src/racoon/strnames.c: typo in descriptions; wrong upper bound check
	* src/racoon/missing/crypto/sha2/sha2.c: wrong size
	* src/setkey/parse.y: extra algorithms; tagged; not needed periods
	  removed; memory shortage checks
	* src/setkey/setkey.8: typos; tagged; new algorithms
	* src/setkey/setkey.c: standard argument names for main(); hexdump
	  support; info in file support
	* src/setkey/token.l: new algorithms; memory shortage checks
	  Parts not taken from KAME:
	* kernelfs stuff;
	* sysctl stuff

2004-01-08  Michal Ludvig  <[email protected]>

	* src/racoon/config.{sub,guess}: Update from automake 1.7.

2004-01-08  Michal Ludvig  <[email protected]>

	Patch from Kostadin Karaivanov <[email protected]>:
	* src/racoon/ Check for openssl/aes.h.
	* src/racoon/crypto_openssl.c: Use OpenSSL AES functions if available.

2004-01-08  Michal Ludvig  <[email protected]>

	* src/racoon/configure: Remove, should be regenerated by bootstrap.

2004-01-02  Michal Ludvig  <[email protected]>

	* src/racoon/crypto_openssl.c: Update to work with OpenSSL 0.9.7
	  (by Brian Buesker <[email protected]>
	   and Christophe Saout <[email protected]>)
	* src/racoon/proposal.c: Be more verbose. (Michal Ludvig)
	* src/libipsec/ipsec_dump_policy.c: Dump FWD policies correctly
	  (by Michal Ludvig).
	* src/setkey/token.l, src/setkey/parse.y: Add support for lifetime 
	  specified in bytes (by Michal Ludvig).
	* src/setkey/setkey.8: Document -bh/-bs options for the above feature.
	* src/libipsec/pfkey.c: Don't include 'sadb_key' in SADB_UPDATE 
	  message for IPcomp SA. (by Brian Buesker <[email protected]>)
	* src/racoon/cfparse.y: Flush SA on SIGHUP
	  (by Brian Buesker <[email protected]>)
	* src/racoon/pfkey.c: IPcomp fixes
	  (by Brian Buesker <[email protected]>)
	* src/racoon/proposal.c: Fix typo lifebyte -> lifetime.
	* src/racoon/grabmyaddr.c: Prevent segfault if getifaddrs() returns
	  an entry with NULL ifa_addr (Michal Ludvig).
	* Change path to kernel headers 
	  from /usr/src/devel-2.5/devel to /usr/src/linux
	* bootstrap: Use default tools, reconfigure src/racoon
	* src/racoon/ Change LIBOBJS -> AC_LIBOBJ,
	  changed comments from 'dnl' to '#'.

2003-06-20  Derek Atkins  <[email protected]>

	* src/racoon/aclocal.m4:
	* src/racoon/configure:
	  Don't execute "for i in $3" if "$3" doesn't exist.
	  Fixes bug #721296.

2003-03-31  Derek Atkins  <[email protected]>

	* src/setkey/parse.y: change the NAT-T Type to use UDP_ENCAP_ESPINUDP
	  (which is value '2')

2003-03-27  Derek Atkins  <[email protected]>

	* src/libipsec/key_debug.c: use ntohs() before printing port
	* src/libipsec/pfkey.c: convert port# to network byte order
	* src/libipsec/pfkey_dump.c: use ntohs() before printing ports
	* src/setkey/parse.y: convert port#'s to network byte order

2003-03-24  Derek Atkins  <[email protected]>

	* src/libipsec/pfkey.c: Don't switch off NAT-T extensions
	  if they don't exist in the kernel.

	* src/racoon/sockmisc.c: use '34' for IPV6_IPSEC_POLICY,
	  as per Tom Lendacky <[email protected]>.  Also move the
	  setting of IPV6_IPSEC_POLICY to the top of the file.

2003-03-13  Derek Atkins  <[email protected]>

	Add initial support for NAT-T PFKey Extensions:
	* src/libipsec/key_debug.c: add support to print information
	  about NAT-T extension packets.
	* src/libipsec/libpfkey.h: add two new APIs to support NAT-T
	  for add and update as part of the SADB.
	* src/libipsec/pfkey.c:
	  - Implement extended APIs to support NAT-T for add and update
	    of the SADB.
	  - Add APIs to fill a buffer with NAT-T packet types
	* src/libipsec/pfkey_dump.c: Extend the SADB output to include
	  PFKey packets.  Put port numbers with the source and dest
	  addresses, add an 'esp-udp' SA-type, and add a printout for
	  the NAT-OA.
	* src/setkey/parse.y:
	  - Extend setkey to create an ESP-UDP SA.
	  - default UDP port is 4500
	  - extend 'add' to allow <ip-addr>[<portnum>] for source and dest
	    (the portnum specification requires the [] characters)
	  - add an ESPUDP "protocol" from the lexer.  This will use
	    ESP and allow an optional Original Address setting.
	  - add a function to get a udp port from a struct sockaddr *
	  - pass the NAT-T extensions into PFKey
	* src/setkey/token.l: add "esp-udp" token
	* rpm/ Bill Nottingham's SPEC-file patch:
	  This switches it to use %{_lib} (for /lib64 systems such as
	  x86-64 and s390x), and has it own the /etc/racoon directory in
	  the package as well.


	0.2.2 released

2003-03-13  Derek Atkins  <[email protected]>

	*, NEWS:
	  Update for 0.2.2 release

	* distribute depcomp

2003-03-10  Derek Atkins  <[email protected]>

	* src/racoon/ add @[email protected] to the LIBS line to make
	  sure we link against the lexer library when necessary.

2003-03-07  Derek Atkins  <[email protected]>

	* rpm/
	* rpm/
	  Added RPM SPEC to CVS

	0.2.1 released

2003-03-07  Derek Atkins  <[email protected]>

	* src/racoon/  change "CFLAGS" to "CPPFLAGS" for
	  ssl include directory, to make sure the other tests work properly.

2003-03-06  Derek Atkins  <[email protected]>

	* src/racoon/kmpstat.c:  fix gcc-3.2.2 compiler warning

	* src/racoon/  look for krb5-config and don't
	  use it if it's not found.  Fixes a configure-time warning.

	0.2 Released