Diffstat (limited to 'keyexchange/isakmpd-20041012/debian/ChangeLog')
-rw-r--r-- keyexchange/isakmpd-20041012/debian/ChangeLog 1668
1 files changed, 1668 insertions, 0 deletions
diff --git a/keyexchange/isakmpd-20041012/debian/ChangeLog b/keyexchange/isakmpd-20041012/debian/ChangeLog
new file mode 100644
index 0000000..bae602d
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/debian/ChangeLog
@@ -0,0 +1,1668 @@
+End of changelog debian package isakmpd.20041012-1
+--------------------------------------------------
+
+2004-10-08 17:18 hshoexer
+
+ * sysdep/common/libsysdep/arc4random.c: pull in some changes from
+ libc arc4random (only relevant for non-OpenBSD systems): ansify,
+ discard first 256 output bytes, make key schedule more arc4
+ stream ciper like.
+
+ ok djm ho
+
+2004-10-01 06:08 jsg
+
+ * monitor_fdpass.c: add some missing $, ok djm@ 'That looks fine to
+ me' millert@
+
+2004-09-24 15:31 ho
+
+ * udp_encap.c: Don't process NAT-T keepalives. Noted by Kamel
+ Messaoudi. hshoexer@ ok
+
+2004-09-20 23:36 hshoexer
+
+ * virtual.c: compile cleanly with -Wsign-compare ok ho
+
+2004-09-20 23:35 hshoexer
+
+ * monitor_fdpass.c: Remove __func__ ok ho deraadt
+
+2004-09-17 16:54 hshoexer
+
+ * isakmpd.c: avoid signal race.
+
+ ok ho@ otto@
+
+2004-09-17 15:53 ho
+
+ * exchange.c, ike_quick_mode.c, ipsec.c, key.c, pf_key_v2.c:
+ Missing #ifdefs.
+
+2004-09-17 15:46 ho
+
+ * init.c: #include <stdlib.h> for srandom().
+
+2004-09-17 15:45 ho
+
+ * message.c: Permit next payload type NAT-OA. Noted by Kamel
+ Messaoudi.
+
+2004-08-23 13:53 ho
+
+ * exchange.c: We need to set sa->initiator before checking if the
+ newly created SA replaces an old one, or the id_i/id_r check will
+ mismatch. Previous behaviour was mostly harmless, but wasted some
+ resources (until normal SA expiration). hshoexer@ "haven't tried,
+ but think it's ok"
+
+2004-08-23 13:16 ho
+
+ * Makefile: Default enable DPD (Dead Peer Detection) support.
+ hshoexer@ ok
+
+2004-08-23 13:13 ho
+
+ * exchange.h: Indent nit.
+
+2004-08-17 16:48 hshoexer
+
+ * message.c: check for msg->isakmpg_sa being NULL before
+ referencing ok ho@
+
+2004-08-14 15:29 hshoexer
+
+ * ike_quick_mode.c: When using -K (keynote disabled), check peers'
+ proposal against isakmpd.conf.
+
+ ok ho@ henning@
+
+2004-08-13 04:51 djm
+
+ * monitor_fdpass.c: extra check for no message case; ok markus,
+ deraadt, hshoexer, henning
+
+2004-08-12 13:21 hshoexer
+
+ * monitor.c: Fix compiler warning on alpha. Noted by and ok ho@
+
+2004-08-12 13:08 ho
+
+ * pf_key_v2.c: Avoid memleak on error (Linux/KAME). Found by
+ Benjamin Pineau.
+
+2004-08-10 21:21 deraadt
+
+ * virtual.c, x509.c: spacing
+
+2004-08-10 17:59 ho
+
+ * dpd.c, dpd.h, exchange.c, ipsec.c, isakmp_num.cst,
+ isakmpd.conf.5, message.c, message.h, pf_key_v2.c, pf_key_v2.h,
+ sa.c, sa.h, sysdep.h, udp_encap.c, sysdep/bsdi/sysdep.c,
+ sysdep/darwin/sysdep.c, sysdep/freebsd/sysdep.c,
+ sysdep/freeswan/sysdep.c, sysdep/linux/sysdep.c,
+ sysdep/netbsd/sysdep.c, sysdep/openbsd/sysdep.c: Better
+ implementation of the Dead Peer Detection protocol, RFC 3706.
+ hshoexer@ ok.
+
+2004-08-10 11:49 ho
+
+ * sysdep/linux/GNUmakefile.sysdep: Linux has AES (and DES). From
+ Benjamin Pineau.
+
+2004-08-10 11:47 ho
+
+ * sysdep/common/libsysdep/arc4random.c: If opening /dev/arandom
+ fails, try /dev/random. Suggested by Benjamin Pineau.
+
+2004-08-08 21:11 deraadt
+
+ * GNUmakefile, conf.c, dpd.c, exchange.c, ike_auth.c,
+ ike_phase_1.c, ike_quick_mode.c, ipsec.c, isakmp_cfg.c, log.c,
+ message.c, monitor.c, nat_traversal.c, pf_key_v2.c, policy.c,
+ sa.c, sysdep.h, transport.c, udp.c, udp_encap.c, ui.c, util.c,
+ virtual.c, x509.c: spacing
+
+2004-08-03 12:54 ho
+
+ * nat_traversal.c, transport.c, udp.c, udp.h, udp_encap.c,
+ virtual.c: Rewrite the transport reference count code to avoid
+ leaks. hshoexer@ ok.
+
+2004-08-02 17:48 hshoexer
+
+ * sa.c: Do not expire unestablished phase 2 SAs on SIGHUP.
+
+ ok ho@
+
+2004-08-02 17:30 ho
+
+ * GNUmakefile: Missed to add virtual.c here. Noted by Benjamin
+ Pineau.
+
+2004-07-30 12:45 ho
+
+ * Makefile, sysdep.h, util.c: Style.
+
+2004-07-29 22:02 ho
+
+ * conf.c: Less noise while debugging.
+
+2004-07-29 10:54 ho
+
+ * ike_aggressive.c, ike_phase_1.c, nat_traversal.c: Repair NAT-T
+ using Aggressive mode, NAT-D checks were in the wrong place.
+ Noted by Yvan VANHULLEBUS.
+
+2004-07-09 18:06 deraadt
+
+ * doi.c, exchange.c: ansi
+
+2004-07-08 21:53 hshoexer
+
+ * virtual.c: free() and close() in error path.
+
+ ok ho@
+
+2004-07-08 12:37 jmc
+
+ * isakmpd.8, isakmpd.conf.5: typo, and line adjustment;
+
+2004-07-08 00:25 hshoexer
+
+ * isakmpd.8, isakmpd.conf.5: document -a/-K and
+ "Acquire-Only"/"Use-Keynote".
+
+ ok markus@ henning@ ho@ english polish and mdoc help and ok jmc@
+
+2004-07-07 11:16 hshoexer
+
+ * message.c: plug memleak when receiving an
+ INVALID_HASH_INFORMATION notify. Found by Patrick Latifi,
+ thanks!
+
+ ok ho@
+
+2004-07-07 11:13 hshoexer
+
+ * udp_encap.c: compile cleanly with -Wsign-compare; while around,
+ kill a space
+
+ ok ho@
+
+2004-07-05 19:33 pvalchev
+
+ * ike_phase_1.c: %lu and cast to unsigned long to print a size_t;
+ ok ho
+
+2004-06-30 12:07 hshoexer
+
+ * nat_traversal.c: Compile cleanly with gcc3.3.2.
+
+ ok ho@
+
+2004-06-26 13:32 jmc
+
+ * isakmpd.conf.5: new sentence, new line;
+
+2004-06-26 08:07 hshoexer
+
+ * monitor.c, monitor.h, pf_key_v2.c, pf_key_v2.h,
+ sysdep/openbsd/sysdep.c: Narrow down privsep interface. Move
+ pf_key_v2_open() to monitor.
+
+ Work in progress.
+
+ ok ho@
+
+2004-06-26 05:40 mcbride
+
+ * sysdep/: bsdi/Makefile.sysdep, darwin/GNUmakefile.sysdep,
+ darwin/Makefile.sysdep, freebsd/GNUmakefile.sysdep,
+ freebsd/Makefile.sysdep, linux/GNUmakefile.sysdep,
+ netbsd/GNUmakefile.sysdep, netbsd/Makefile.sysdep,
+ openbsd/GNUmakefile.sysdep, openbsd/Makefile.sysdep: Remove
+ -DHAVE_GETNAMEINFO frome makefiles.
+
+ Pointed out by ho@
+
+2004-06-25 22:25 hshoexer
+
+ * conf.c, conf.h, ike_quick_mode.c, isakmpd.c, policy.c, policy.h:
+ Keynote policy checking can now be disabled by "-K" switch and
+ config tag "Use-Keynote". Default is to use keynote.
+
+ ok henning@ ho@
+
+2004-06-25 21:42 mcbride
+
+ * udp.c, util.c: Remove HAVE_GETNAMEINFO alternate code. Compiled
+ binary is unchanged.
+
+ ok msf@ hshoexer@ itojun@ ho@
+
+2004-06-25 02:58 hshoexer
+
+ * init.c, log.c, monitor.c, monitor.h, ui.c: Narrow down privsep
+ interface. Remove ui_init to monitor. So we can get rid of
+ monitor_mkfifo.
+
+ Work in progress.
+
+ ok ho@
+
+2004-06-24 19:02 hshoexer
+
+ * monitor.c: Remove some unused code. Fix handling of sigchild.
+ Now it's possible to sigstop/sigcont isakmpd correclty.
+
+ ok ho@
+
+2004-06-24 17:58 hshoexer
+
+ * policy.c: Also handle keys from x509-certificates embedded in
+ keynote credentials.
+
+ with msf@ ok ho@
+
+2004-06-24 01:36 ho
+
+ * pf_key_v2.c: Print corrent prefix. Found and tested by alex at
+ vbone.net.
+
+2004-06-23 05:01 hshoexer
+
+ * ike_auth.c, util.c, util.h: Avoid stat before open. Do open and
+ fstat instead. Remove check_file_secrecy() as it is obsoleted be
+ check_file_secrecy_fd().
+
+ ok ho@
+
+2004-06-23 03:17 ho
+
+ * Makefile, sysdep.h, util.c: Make compiling with Boehm's gc
+ possible again.
+
+2004-06-23 02:56 ho
+
+ * ike_phase_1.c: Support IPV{4,6}_ADDR_SUBNET IDs in Phase 1, just
+ like the man page says we do. Noted and tested by alex at
+ vbone.net. Also avoid a potential SEGV here. hshoexer@ok
+
+2004-06-23 02:55 hshoexer
+
+ * ipsec.c, isakmpd.c: Add commandline switch -a / config tag
+ "Acquire-Only" to tell isakmpd to not touch flows.
+
+ initial work by markus ok markus@ ho@ henning@
+
+2004-06-22 20:22 hshoexer
+
+ * ike_auth.c: kn_get_string() may return NULL on failure. Handle
+ this corrctly.
+
+ with msf@, ok ho@ markus@
+
+2004-06-22 05:44 ho
+
+ * virtual.c: The NAT-T drafts suggest we should drop incoming
+ messages arriving on the old port (500) after we've switched to
+ the new one.
+
+2004-06-22 01:42 ho
+
+ * isakmpd.conf.5: Describe the [Default]:NAT-T-Keepalive
+ configuration parameter.
+
+2004-06-22 01:28 ho
+
+ * Makefile: Enable NAT-T support.
+
+2004-06-22 01:27 ho
+
+ * ipsec.c, nat_traversal.c, nat_traversal.h, sa.c, sa.h,
+ udp_encap.c: Implement NAT-T keepalive messages.
+
+2004-06-21 20:41 ho
+
+ * pf_key_v2.c: udpencap_port should be taken from dst transport
+
+2004-06-21 20:40 ho
+
+ * virtual.c: When switching from main to encap transport, copy dst
+ port if translated (NAT).
+
+2004-06-21 20:34 ho
+
+ * monitor.c: Strip away umask bits in monitor_fopen(). hshoexer@
+ ok.
+
+2004-06-21 20:29 ho
+
+ * ipsec.c: style nit
+
+2004-06-21 19:02 markus
+
+ * features/nat_traversal: undo double-patch; Dries Schellekens
+
+2004-06-21 18:37 ho
+
+ * log.c: Don't write too much IKE data in packet capture
+
+2004-06-21 18:01 ho
+
+ * log.c, message.c: Packet capture should add the ESP-marker when
+ NAT-T is active.
+
+2004-06-21 17:15 ho
+
+ * pf_key_v2.c: Tell the kernel to enable ESP-in-UDP encapsulation
+ when we have SAs negotiated with NAT-T.
+
+2004-06-21 15:09 ho
+
+ * exchange.c, sa.h, transport.c, udp.c, udp_encap.c, virtual.c:
+ Port floating (500->4500) for p1 and p2 exchanges.
+
+2004-06-20 19:44 ho
+
+ * message.c: message_parse_payloads should accept payloads in the
+ private range. While here, also cleanup some messages.
+
+2004-06-20 19:17 ho
+
+ * dpd.c, exchange.c, ike_auth.c, ike_phase_1.c, ike_quick_mode.c,
+ init.c, ipsec.c, isakmp_cfg.c, isakmp_doi.c, message.c,
+ message.h, nat_traversal.c: Make the payload array in struct
+ message dynamic, since we need to handle payloads in the private
+ range, such as the pre-RFC NAT-D/NAT-OA. Replace
+ TAILQ_FIRST(&msg->payload[i]) instances with function calls.
+
+2004-06-20 17:24 ho
+
+ * Makefile, exchange.h, ike_phase_1.c, init.c, ipsec.c, isakmp.h,
+ isakmp_fld.fld, message.c, nat_traversal.c, nat_traversal.h,
+ policy.c, transport.c, transport.h, udp.c, udp.h, udp_encap.c,
+ udp_encap.h, util.c, util.h, virtual.c, virtual.h,
+ features/nat_traversal: NAT-Traversal for isakmpd. Work in
+ progress... hshoexer@ ok.
+
+2004-06-20 17:20 ho
+
+ * dpd.c, dpd.h, exchange.c, isakmp_num.cst, sa.h, features/dpd: A
+ start towards Dead Peer Detection (DPD) support, as specified in
+ RFC 3706
+
+2004-06-20 17:11 ho
+
+ * message.c: Some vendors send the last Aggressive Mode message
+ unencrypted, which we should accept. Problem noted by alex at
+ vbone.net. hshoexer@ ok.
+
+2004-06-20 17:03 ho
+
+ * isakmpd.c, monitor.c, monitor.h: To make debugging the
+ unprivileged child process easier, make 'isakmpd -dd' pause just
+ after privsep; print the PIDs and wait for SIGCONT. hshoexer@ ok
+
+2004-06-17 21:39 hshoexer
+
+ * ipsec.c: Yet another bunch of memleask found and fixed by Patrick
+ Latifi. Thanks!
+
+ ok ho@
+
+2004-06-17 21:36 hshoexer
+
+ * udp.c: Plug a memleak. Found and fixed (and some cleanup) by
+ Patrick Latifi. Thanks!
+
+ ok ho@
+
+2004-06-17 21:32 hshoexer
+
+ * x509.c: Evaluate result of X509_verify_cert() more carefully.
+
+ ok cloder@
+
+2004-06-16 17:08 hshoexer
+
+ * util.c: Fix wrong pointer dereference and plug memleak. Found
+ and patch by Patrick Latifi. Thanks!
+
+ ok ho@
+
+2004-06-16 17:05 hshoexer
+
+ * ipsec.c: fix ipv6-address and ipv6-address-mask mixup. Found by
+ Patrick Latifi. Thanks!
+
+ ok ho@
+
+2004-06-15 17:53 hshoexer
+
+ * ike_quick_mode.c, isakmp_cfg.c: also use MSG_AUTHENTICATED flag.
+
+ ok ho@
+
+2004-06-14 15:53 hshoexer
+
+ * conf.c, ike_auth.c, x509.c: avoid stat before open
+
+ ok ho@
+
+2004-06-14 12:04 hshoexer
+
+ * message.c: added a missing message_free().
+
+ ok ho@
+
+2004-06-14 11:55 ho
+
+ * cert.c, conf.c, connection.c, crypto.c, dnssec.c, exchange.c,
+ field.c, hash.c, if.c, ike_auth.c, ike_main_mode.c,
+ ike_phase_1.c, ike_quick_mode.c, ipsec.c, isakmp_cfg.c,
+ isakmp_doi.c, isakmpd.c, key.c, log.c, math_2n.c, math_group.c,
+ message.c, monitor.c, pf_key_v2.c, policy.c, timer.c,
+ transport.c, udp.c, util.c, x509.c: KNF, style, 80c, etc.
+ hshoexer@ ok
+
+2004-06-11 12:17 brad
+
+ * message.c: typo in comment
+
+2004-06-11 05:08 brad
+
+ * ike_phase_1.c, ike_quick_mode.c, ipsec.c, message.c, message.h:
+ MFC: Fix by hshoexer@
+
+ Mark authenticated messages explicitly. Better check for
+ authentication before deleteing SAs.
+
+ This fix is needed to solve the problems reported by Thomas
+ Walpuski, previous diff was not sufficient. Pointed out by
+ Thomas. Thanks!
+
+2004-06-11 04:34 brad
+
+ * ike_phase_1.c, ike_quick_mode.c, ipsec.c, message.c, message.h:
+ MFC: Fix by hshoexer@
+
+ Mark authenticated messages explicitly. Better check for
+ authentication before deleteing SAs.
+
+ This fix is needed to solve the problems reported by Thomas
+ Walpuski, previous diff was not sufficient. Pointed out by
+ Thomas. Thanks!
+
+2004-06-10 14:54 hshoexer
+
+ * ike_phase_1.c, ike_quick_mode.c, ipsec.c, message.c, message.h:
+ Mark authenticated messages explicitly. Better check for
+ authentication before deleteing SAs.
+
+ This fix is needed to solve the problems reported by Thomas
+ Walpuski, previous diff was not sufficient. Pointed out by
+ Thomas. Thanks!
+
+ ok ho@ niklas@, testing and spellcheck by todd@ msf@
+
+2004-06-09 23:15 brad
+
+ * message.c: MFC: Fix by hshoexer@
+
+ only accept DELETEs during an authenticated INFORMATIONAL
+ exchange. Fix for recent problem disclosed by Thomas Walpuski.
+
+2004-06-09 22:48 brad
+
+ * message.c: MFC: Fix by hshoexer@
+
+ only accept DELETEs during an authenticated INFORMATIONAL
+ exchange. Fix for recent problem disclosed by Thomas Walpuski.
+
+2004-06-09 16:02 ho
+
+ * conf.c, exchange.c, ike_phase_1.c, ike_quick_mode.c, ipsec.c,
+ isakmp_cfg.c, message.c, pf_key_v2.c, transport.c, udp.c: Style
+ nits. hshoexer@ ok
+
+2004-06-09 14:59 hshoexer
+
+ * message.c: only accept DELETEs during an authenticated
+ INFORMATIONAL exchange. Fix for recent problem disclosed by
+ Thomas Walpuski.
+
+ ok ho@
+
+2004-06-06 15:05 ho
+
+ * ike_phase_1.c: Style (KNF, 80c). No binary change.
+
+2004-06-02 18:19 hshoexer
+
+ * ike_auth.c, x509.c: remove unused BIO-functions.
+
+ ok markus@ ho@
+
+2004-05-27 00:17 hshoexer
+
+ * ike_auth.c: do not leak fd on error path.
+
+ ok ho@
+
+2004-05-24 16:54 hshoexer
+
+ * util.c: Use correct function names in log messages. Kill some
+ spaces.
+
+ ok deraadt@ ho@
+
+2004-05-23 20:17 hshoexer
+
+ * field.c, field.h, hash.c, if.c, ike_aggressive.c,
+ ike_aggressive.h, ike_auth.c, ike_main_mode.c, ike_main_mode.h,
+ ipsec.c, ipsec.h, isakmp_cfg.c, isakmp_cfg.h, isakmp_doi.c,
+ isakmpd.c, key.c, log.c, log.h, math_2n.c, math_ec2n.c,
+ math_ec2n.h, math_group.c, message.c, message.h, monitor.c,
+ monitor_fdpass.c, pf_key_v2.h, policy.c, prf.c, sa.c, sa.h,
+ timer.c, timer.h, udp.c, ui.c, util.c, x509.c, x509.h: More KNF.
+ Mainly spaces and line-wraps, no binary change.
+
+ ok ho@
+
+2004-05-23 18:14 deraadt
+
+ * if.c, udp.c: remove excessive monitor_ prefixes
+
+2004-05-23 18:14 deraadt
+
+ * policy.c, util.c, util.h: stat before open is flawed
+
+2004-05-23 18:13 deraadt
+
+ * key.c: greater care with arguments
+
+2004-05-19 16:30 ho
+
+ * ipsec.c, isakmpd.c: Permit symbolic protocol and service names,
+ such as "Protocol= tcp", in the <IPsec-ID> sections. hshoexer@ ok
+
+2004-05-14 10:42 hshoexer
+
+ * attribute.c, attribute.h, cert.c, cert.h, conf.c, conf.h,
+ connection.c, cookie.c, cookie.h, crypto.c, crypto.h, dh.h,
+ dnssec.c, dnssec.h, doi.c, doi.h: Some more KNF, no binary
+ change.
+
+ ok ho@
+
+2004-05-13 08:56 ho
+
+ * connection.c, isakmpd.8, sa.c, sa.h, ui.c, ui.h: Extensions to
+ the FIFO interface: "C get [section]:tag" fetches a configuration
+ value. "C add [section]:tag=value" adds 'value' to a list,
+ typically for the [Phase 2]:Connections tag. FIFO "S" command
+ destination file changed. Various KNF cleanups. hshoexer@ ok.
+
+2004-05-10 20:34 deraadt
+
+ * monitor.c: 64bit gcc saw missing cast
+
+2004-05-06 12:40 ho
+
+ * exchange.c: KNF cleanup. hshoexer@ ok
+
+2004-05-03 23:23 hshoexer
+
+ * exchange.c, exchange.h: KNF. ok ho@
+
+2004-04-30 00:36 hshoexer
+
+ * message.c: Better checking of minimum payload lengths. Drop out
+ safely when an unknown payload type is encountered. While
+ around, do some KNF.
+
+ ok ho@
+
+2004-04-28 22:20 hshoexer
+
+ * ike_quick_mode.c, policy.c, policy.h: remove unused variable and
+ shorten names of two other. Removed some spaces while around.
+
+ ok ho@ markus@
+
+2004-04-28 16:40 ho
+
+ * ipsec_num.cst, isakmp_num.cst: Reserve some payload numbers for
+ RFC 3547 and the earlier NAT-T drafts. hshoexer@ ok.
+
+2004-04-23 16:15 ho
+
+ * conf.c, conf.h: Make sure KEY_LENGTH attribute is present when
+ checking AES proposals, required when acting as responder to
+ SafeNet peers. Also make conf_load_defaults() readable again
+ (KNF). hshoexer@ ok.
+
+2004-04-15 22:20 deraadt
+
+ * conf.c: more knf; ok hshoexer
+
+2004-04-15 20:53 deraadt
+
+ * conf.c: knf
+
+2004-04-15 20:39 deraadt
+
+ * app.c, app.h, attribute.c, attribute.h, cert.c, cert.h, conf.c,
+ conf.h, connection.c, connection.h, constants.c, constants.h,
+ cookie.c, cookie.h, crypto.c, crypto.h, dh.c, dh.h, dnssec.c,
+ dnssec.h, doi.c, doi.h, exchange.h, field.c, field.h,
+ genconstants.sh, genfields.sh, gmp_util.c, gmp_util.h, hash.c,
+ hash.h, if.c, if.h, ike_aggressive.c, ike_aggressive.h,
+ ike_auth.c, ike_auth.h, ike_main_mode.c, ike_main_mode.h,
+ ike_phase_1.c, ike_phase_1.h, ike_quick_mode.c, ike_quick_mode.h,
+ init.c, init.h, ipsec.c, ipsec.h, ipsec_doi.h, isakmp.h,
+ isakmp_cfg.c, isakmp_cfg.h, isakmp_doi.c, isakmp_doi.h,
+ isakmpd.c, key.c, key.h, libcrypto.c, libcrypto.h, log.c, log.h,
+ math_2n.c, math_2n.h, math_ec2n.c, math_ec2n.h, math_group.c,
+ math_group.h, math_mp.h, message.c, message.h, monitor.c,
+ monitor.h, monitor_fdpass.c, pf_key_v2.c, pf_key_v2.h, policy.c,
+ policy.h, prf.c, prf.h, sa.c, sa.h, sysdep.h, timer.c, timer.h,
+ transport.c, transport.h, udp.c, udp.h, ui.c, ui.h, util.c,
+ util.h, x509.c, x509.h, sysdep/openbsd/keynote_compat.c,
+ sysdep/openbsd/sysdep.c: partial move to KNF. More to come.
+ This has happened because there are a raft of source code
+ auditors who are willing to help improve this code only if this
+ is done, and hey, isakmpd does need our standard auditing
+ process. ok ho hshoexer
+
+2004-04-15 02:27 deraadt
+
+ * isakmpd.8: spaces
+
+2004-04-13 23:48 hshoexer
+
+ * if.c: Add missing #include. Found by Stefan Paletta.
+
+ ok henning@ ho@
+
+2004-04-08 18:08 henning
+
+ * sysdep/linux/sys/queue.h: swap the last two parameters to
+ TAILQ_FOREACH_REVERSE. matches what FreeBSD and NetBSD do. ok
+ millert@ mcbride@ markus@ ho@, checked to not affect ports by
+ naddy@
+
+2004-04-08 12:05 hshoexer
+
+ * init.c, isakmpd.c: Set timezone before privsep, child uses now
+ correct timezone. Noticed by david@
+
+ ok ho@ david@
+
+2004-04-08 00:45 ho
+
+ * conf.h, exchange.h, ike_auth.c, ike_phase_1.c, ike_quick_mode.c,
+ ipsec.c, log.c, math_2n.c, math_group.c, math_group.h, message.c,
+ monitor.c, pf_key_v2.c, policy.c, sa.c, udp.c, ui.c, util.c,
+ x509.c, regress/crypto/cryptotest.c: -Wsign-compare nits.
+ hshoexer@ ok.
+
+2004-04-08 00:45 ho
+
+ * key.c: Reset *data in case of unknown key types
+
+2004-04-08 00:43 ho
+
+ * Makefile: -Wmissing-declarations
+
+2004-04-07 22:04 ho
+
+ * sa.c: More careful when walking LIST queues. hshoexer@, david@
+ ok.
+
+2004-03-31 12:54 ho
+
+ * cert.c, crypto.c, exchange.c, hash.c, ike_auth.c: -Wsign-compare
+ nits. hshoexer@ ok.
+
+2004-03-31 12:53 ho
+
+ * monitor.c: Use sysdep_sa_len() instead of sa->sa_len, also
+ correct a log_fatal() message. hshoexer@ ok.
+
+2004-03-31 12:47 ho
+
+ * isakmpd.c, sysdep/openbsd/Makefile.sysdep: Don't assume
+ closefrom(2) exists everywhere. hshoexer@, markus@ ok.
+
+2004-03-29 19:07 deraadt
+
+ * monitor.c: use malloc (oops)
+
+2004-03-29 18:32 deraadt
+
+ * monitor.c: wrong FD_ZERO(); from ho, hshoexer, markus
+
+2004-03-29 18:32 deraadt
+
+ * udp.c: memory mishandling; from ho
+
+2004-03-24 17:44 hshoexer
+
+ * isakmpd.8: Add some notes about privsep to manpage.
+
+ ok ho@ jmc@ deraadt@
+
+2004-03-23 19:20 hshoexer
+
+ * monitor.c: Remove erroneous null termination.
+
+ ok ho@ deraadt@
+
+2004-03-19 15:04 hshoexer
+
+ * Makefile, conf.c, conf.h, if.c, ike_auth.c, isakmpd.c, log.c,
+ monitor.c, monitor.h, policy.c, sa.c, udp.c, ui.c, x509.c: Add
+ missing bits to make already present privsep code work. Enable
+ privsep.
+
+ ok ho@ deraadt@ markus@
+
+2004-03-17 16:05 brad
+
+ * doi.h, ike_quick_mode.c, ipsec.c, isakmp_cfg.c, isakmp_doi.c,
+ message.c, util.h: MFC: Fix by hshoexer@
+
+ Fix payload handling flaws found by cloder@. Based on initial
+ patch by cloder@.
+
+ ok deraadt@ hshoexer@
+
+2004-03-17 15:59 brad
+
+ * doi.h, ike_quick_mode.c, ipsec.c, isakmp_cfg.c, isakmp_doi.c,
+ message.c, util.h: MFC: Fix by hshoexer@
+
+ Fix payload handling flaws found by cloder@. Based on initial
+ patch by cloder@.
+
+ ok deraadt@ hshoexer@
+
+2004-03-17 12:10 ho
+
+ * ike_auth.c: For consistency and to avoid a rare memory leak, the
+ result from ike_auth_get_key() should always be released after
+ use. Found and ok hshoexer@.
+
+2004-03-15 17:34 hshoexer
+
+ * monitor.c: Properly check succes of chroot().
+
+ ok ho@
+
+2004-03-15 17:29 hshoexer
+
+ * monitor.c, monitor.h: Remove unused code.
+
+ ok ho@
+
+2004-03-11 17:56 hshoexer
+
+ * isakmp_cfg.c: Fix a memleak.
+
+ ok ho@
+
+2004-03-11 00:08 hshoexer
+
+ * doi.h, ipsec.c, isakmp_doi.c, message.c, util.h: Fix payload
+ handling flaws found by cloder@. Based on initial patch by
+ cloder@. Testing by markus@ cloder@ hshoexer@.
+
+ ok ho@
+
+2004-03-10 17:10 hshoexer
+
+ * message.c: Plug up memory leak.
+
+ ok ho@
+
+2004-03-10 12:17 hshoexer
+
+ * message.c: Reduce some noise on receipt of an invalid spi.
+
+ ok ho@
+
+2004-03-10 10:28 ho
+
+ * pf_key_v2.c: Fix for PR2429, from Clemens Wittinger.
+
+2004-03-09 22:42 hshoexer
+
+ * message.c: Plug memleaks, found by cloder@.
+
+ ok ho@
+
+2004-02-27 20:14 hshoexer
+
+ * ipsec.c: Remove dead code.
+
+ ok ho@
+
+2004-02-27 20:07 hshoexer
+
+ * conf.c, isakmpd.conf.5: Add group 14 (modp2048) to predefined
+ suites. Manpage also updated. ok ho@
+
+2004-02-27 11:16 ho
+
+ * ike_phase_1.c, ike_quick_mode.c, sa.c, sa.h: (C)-2004
+
+2004-02-27 10:01 ho
+
+ * ike_phase_1.c, ike_quick_mode.c, sa.c, sa.h: Follow RFC 2408 more
+ closely regarding how to better check the proposal returned by
+ the other peer (the responder). Some implementations (notably the
+ Cisco PIX) does not follow a SHOULD in section 4.2 of the RFC.
+ With certain proposal combinations this caused us to setup the
+ wrong SA resulting in us being unable to process incoming IPsec
+ traffic (over this tunnel).
+
+ Tested against a number of different IKE implementations.
+ hshoexer@ ok.
+
+2004-02-26 16:27 hshoexer
+
+ * regress/rsakeygen/rsakeygen.c: remove unused code. noticed by
+ ho@ ok ho@
+
+2004-02-26 06:52 jmc
+
+ * isakmpd.conf.5: tweak; ok hshoexer@
+
+2004-02-25 17:01 hshoexer
+
+ * init.c, isakmpd.conf.5, log.c, log.h, regress/b2n/Makefile,
+ regress/crypto/Makefile, regress/crypto/cryptotest.c,
+ regress/dh/Makefile, regress/ec2n/Makefile,
+ regress/group/Makefile, regress/prf/Makefile,
+ regress/rsakeygen/Makefile, regress/rsakeygen/rsakeygen.c,
+ regress/util/Makefile: Add and document configuration options
+ Logverbose and Loglevel. As log.c now depends on conf.c and some
+ regression tests use log.c, add conf.c to Makefiles where
+ necessary.
+
+ ok ho@
+
+2004-02-20 12:31 hshoexer
+
+ * ike_quick_mode.c: More small adjustments of log messages.
+
+2004-02-20 10:46 hshoexer
+
+ * ike_quick_mode.c: Fix some double free errors. While around,
+ adjust a log message. ok ho@
+
+2004-02-19 16:35 hshoexer
+
+ * isakmpd.c: small cleanup of log messages. ok ho@
+
+2004-02-19 10:54 ho
+
+ * isakmpd.c, log.c, log.h: With -d, SIGINT should do a clean
+ shutdown. Without -d, logs should be sent to syslog, level
+ LOG_INFO.
+
+2004-02-19 10:46 ho
+
+ * isakmpd.c: Cleanup.
+
+2004-02-16 21:40 markus
+
+ * exchange.c: check for isakmp_sa->transport != NULL; noticed by
+ bluhm at genua.de ok hshoexer@
+
+2004-02-11 09:55 jmc
+
+ * samples/VPN-3way-template.conf: typo; from Olivier Cherrier;
+
+2004-02-05 12:01 hshoexer
+
+ * exchange.c: small logging cleanup and improvement requested by
+ markus ok ho@ markus@
+
+2004-01-26 15:56 niklas
+
+ * regress/exchange/run.pl: Added 2-clause license
+
+2004-01-24 00:08 jmc
+
+ * isakmpd.8: `Ns' implies `No', so `Ns No' -> `Ns'; (even simpler
+ in adduser(8)) discussed with todd@
+
+2004-01-16 11:51 hshoexer
+
+ * exchange.c, ike_quick_mode.c, isakmpd.8, isakmpd.c, log.c, log.h:
+ Added -v option. Enables logging of successful exchange
+ completion. ok ho@
+
+2004-01-16 01:00 brad
+
+ * exchange.c, ipsec.c, message.c: Fixes a few message handling
+ flaws in isakmpd as reported by Thomas Walpuski.
+
+ ok deraadt@ hshoexer@
+
+2004-01-13 23:50 brad
+
+ * crypto.c, crypto.h, exchange.c, ipsec.c, message.c: Fixes a few
+ message handling flaws in isakmpd as reported by Thomas Walpuski.
+
+ ok deraadt@ hshoexer@
+
+2004-01-09 11:03 hshoexer
+
+ * regress/exchange/run.sh: call nc correctly (nc has changed a
+ while ago). ok markus@
+
+2004-01-06 01:22 hshoexer
+
+ * conf.c, sa.c: small typos fixed.
+
+ ok markus@
+
+2004-01-06 01:09 hshoexer
+
+ * x509.c: Remove redundant test for file types. Noted by Stefan
+ Paletta. While around, fix typos in log messages.
+
+ Both ok markus@
+
+2004-01-03 17:38 ho
+
+ * ipsec.c: Be more careful with INITIAL-CONTACT and do not delete
+ SPIs when getting an INVALID-SPI notification. Issues noted by
+ Thomas Walpuski. markus@ ok.
+
+2003-12-22 19:13 markus
+
+ * crypto.h: use AES_BLOCK_SIZE only for USE_AES; report
+ martti.kuparinen@iki.fi; ok ho@
+
+2003-12-18 03:03 ho
+
+ * transport.c: Mention the exchange name when giving up on a
+ message. Suggested by Michael Coulter.
+
+2003-12-15 11:06 hshoexer
+
+ * ipsec.c, ipsec_num.cst, math_group.c, math_group.h: Support for
+ groups modp2048, modp3072, modp4096, modp6144 and modp8192 (IDs
+ 14 to 18).
+
+ ok ho@
+
+2003-12-14 15:50 ho
+
+ * log.c, util.c, util.h: Log the actual port for src and dst, don't
+ assume it's always 500.
+
+2003-12-14 15:34 ho
+
+ * sysdep/linux/sysdep.c: Make isakmpd work on big endian linux
+ machines. From Sebastian Klemke. Also, a few style nits and a
+ better error message text.
+
+2003-12-05 14:17 ho
+
+ * message.c: Style nits
+
+2003-12-04 23:44 hshoexer
+
+ * message.c: Validate SPIs presented in DELETE messages of the
+ informational exchange. ok markus@
+
+2003-12-04 22:13 miod
+
+ * ike_phase_1.c, isakmp_cfg.c: Typos
+
+2003-11-20 12:23 jmc
+
+ * isakmpd.8: use .Dv for AF_INET and AF_INET6 (kills ugly line
+ break); spotted by Alexey E. Suslikov;
+
+ also kill some .Pp's before displays/lists for better PostScript
+ output;
+
+2003-11-08 20:17 jmc
+
+ * init.c: typos from Jonathon Gray;
+
+2003-11-07 11:16 jmc
+
+ * x509.c, samples/VPN-3way-template.conf: adress -> address, and a
+ few more; all from Jonathon Gray;
+
+ (mvme68k/mvme88k) vs.c and (vax) if_le.c ok miod@ isakmpd ones ok
+ ho@
+End of changelog debian package isakmpd.20031107-1
+--------------------------------------------------
+
+2003-11-06 17:12 ho
+
+ * dnssec.c, exchange.c, field.c, if.c, ike_auth.c, ipsec.c, key.c,
+ log.c, message.c, message.h, monitor_fdpass.c, pf_key_v2.c,
+ policy.c, ui.c, x509.c, x509.h: Style nits.
+
+2003-11-06 16:55 ho
+
+ * exchange.c, message.c: Require encrypted messages are soon as we
+ have the keystate for it. Require DELETE payloads to be
+ accompanied by HASHes, and add validation for HASH payloads
+ without active exchanges. From Hans-Joerg Hoexer with various
+ modifications and suggestions from me and markus@. Ok markus@.
+
+2003-11-06 16:50 ho
+
+ * ipsec.c: spis[] type tweak. From Hans-Joerg Hoexer.
+
+2003-11-05 13:55 jmc
+
+ * isakmpd.conf.5: PFS: Perfect Forward Secrecy (RFC 2409); from
+ misc@ and ok markus@
+
+2003-11-05 13:31 jmc
+
+ * QUESTIONS: updated URL from Jared Yanovich;
+
+2003-10-25 22:47 mcbride
+
+ * isakmpd.policy.5: OpenSSL generates DNs with emailAddress, not
+ Email.
+
+2003-10-25 09:47 jmc
+
+ * isakmpd.8: receiveing -> receiving; from Jared Yanovich;
+
+2003-10-14 16:29 ho
+
+ * exchange.c, ike_auth.c, ike_phase_1.c, ipsec.c, isakmp_doi.c:
+ constant_lookup() to constant_name() cleanup. markus@ ok.
+
+2003-10-13 15:57 ho
+
+ * isakmpd.8, log.h, ui.c: Add a UI FIFO debug class. ok markus@
+ plus I think henning@
+
+2003-10-04 19:29 cloder
+
+ * ike_phase_1.c: Avoid crash on invalid config file (missing value
+ for LIFE_DURATION). OK ho@
+
+2003-09-26 17:59 aaron
+
+ * sysdep/freeswan/klips.c: Fix off-by-ones in format string for 's'
+ specifier; millert@, deraadt@ ok
+
+2003-09-26 13:29 cedric
+
+ * udp.c: don't listen to INADDR_ANY if Listen-on is specified.
+ patch from markus@, ok ho@
+
+2003-09-26 00:28 aaron
+
+ * monitor.c: Fix off-by-one out-of-bounds write; millert@ ok
+
+2003-09-25 16:15 cloder
+
+ * exchange.c, if.c: Fix one case of set length before realloc. Fix
+ another case of foo = realloc(foo...) and avoid possible memory
+ leaks. Avoid leaving things pointing to freed memory on failure.
+
+2003-09-24 13:12 markus
+
+ * crypto.c, crypto.h, regress/crypto/cryptotest.c: re-add AES, but
+ without using EVP; patch from Hans-Joerg.Hoexer at
+ yerbouti.franken.de; ok ho@ (interops with isakmpd+AES in OpenBSD
+ 3.4)
+
+2003-09-24 12:13 markus
+
+ * crypto.c, crypto.h, regress/crypto/cryptotest.c: back out EVP
+ change; causes fd leaks; ok cedric@
+
+End of changelog debian package isakmpd.20030907-1
+--------------------------------------------------
+
+2003-09-05 09:50 tedu
+
+ * monitor.c: socket leak on error paths. from Patrick Latifi. ok
+ deraadt@ ho@
+
+2003-09-02 20:15 ho
+
+ * conf.c, ipsec.c: A couple of nits. deraadt@ ok.
+
+2003-09-02 20:14 ho
+
+ * message.c: Require ISAKMP_FLAGS_ENC on phase 2 messages. ok
+ markus@, deraadt@.
+
+2003-09-02 20:11 ho
+
+ * sysdep/linux/: bitstring.h, sys/queue.h: For easier compilation
+ on linux systems. Requested by Thomas Walpuski.
+
+2003-08-28 16:43 markus
+
+ * Makefile, TO-DO, conf.c, crypto.c, crypto.h, isakmpd.conf.5,
+ regress/crypto/Makefile, regress/crypto/cryptotest.c: support AES
+ in phase 1, too. switch to OpenSSL EVP interface; with
+ Hans-Joerg.Hoexer at yerbouti.franken.de; ok ho@
+
+2003-08-20 16:43 ho
+
+ * samples/singlehost-west.conf: Zap an old "Identification" tag in
+ this sample config. I have no idea what it was supposed to do and
+ in any case there is no reference to this tag in current code.
+ Pointed out by Fridtjof Busse.
+
+2003-08-20 14:25 ho
+
+ * isakmpd.8: certpatch(8) can be used to create FQDN X509v3
+ extensions too. From Fridtjof Busse, via henning@. Thanks.
+
+
+End of changelog debian package isakmpd.20030820-1
+--------------------------------------------------
+
+2003-07-09 10:16 jmc
+
+ * isakmpd.conf.5, isakmpd.policy.5: - remove some .Ss's that worked
+ around the old blank line bug - remove some unnecessary .Pp's -
+ mdoc a list
+
+ ok ho@
+
+2003-06-20 11:14 ho
+
+ * transport.c: Be a bit more verbose when we give up on ever seeing
+ a response to the last message we sent out. In case we initiated
+ the exchange, one possible and common reason is a network level
+ problem (pf, routing, whatnot), if we're the responder, there is
+ also the possibility we were scanned by something like ike-scan.
+ markus@ ok.
+
+2003-06-17 23:56 millert
+
+ * sysdep/common/libsysdep/: strlcat.c, strlcpy.c: Sync with
+ share/misc/license.template and add missing DARPA credit where
+ applicable.
+
+2003-06-15 12:32 ho
+
+ * exchange.c: ID copying should happen earlier in exchange_finalize
+ so that we won't lose data during rekeying. From Jean-Francois
+ Dive.
+
+2003-06-14 13:47 ho
+
+ * message.c: allocate payload_node with calloc instead of malloc
+
+2003-06-13 05:50 brad
+
+ * ipsec.c: MFC: Fix from ho@
+
+ Do not crash on unsupported IPSec ID types, as noted by Eric
+ Boudrand.
+
+ deraadt@ millert@ ok
+
+2003-06-13 05:34 brad
+
+ * ipsec.c: MFC: Fix from ho@
+
+ Do not crash on unsupported IPSec ID types, as noted by Eric
+ Boudrand.
+
+ deraadt@ millert@ ok
+
+2003-06-10 18:41 deraadt
+
+ * conf.c, exchange.c, ike_auth.c, ike_phase_1.c, ike_quick_mode.c,
+ isakmp_cfg.c, log.c, monitor.c, monitor.h, pf_key_v2.c, policy.c,
+ transport.c, udp.c, x509.c: boring cleanups
+
+2003-06-10 14:21 ho
+
+ * ipsec.c: Do not crash on unsupported IPSec ID types, as noted by
+ Eric Boudrand.
+
+2003-06-04 09:31 ho
+
+ * exchange.c, ike_aggressive.c, ike_auth.c, ike_phase_1.c,
+ ike_quick_mode.c, init.c, ipsec.c, ipsec.h, isakmpd.8, isakmpd.c,
+ isakmpd.policy.5, libcrypto.c, libcrypto.h, message.c, message.h,
+ pf_key_v2.c, policy.c, policy.h, sa.c, sa.h, udp.c, x509.c,
+ x509.h, apps/certpatch/certpatch.8, apps/certpatch/certpatch.c,
+ regress/ec2n/ec2ntest.c, regress/hmac/hmactest.c: Remove the rest
+ of clauses 3 and 4. Approved by Niklas Hallqvist, Angelos D.
+ Keromytis and Niels Provos.
+
+2003-06-04 09:27 ho
+
+ * DESIGN-NOTES: Remove 3 and 4 from the "license to use"
+
+2003-06-03 17:20 ho
+
+ * sysdep/linux/: GNUmakefile.sysdep, sysdep-os.h, sysdep.c: Remove
+ clause 3. Approved by niklas@ and Thomas Walpuski.
+
+2003-06-03 17:02 ho
+
+ * sysdep/linux/README: Obsolete.
+
+2003-06-03 16:53 ho
+
+ * sysdep/: bsdi/GNUmakefile.sysdep, bsdi/Makefile.sysdep,
+ bsdi/sysdep-os.h, bsdi/sysdep.c, darwin/GNUmakefile.sysdep,
+ darwin/Makefile.sysdep, darwin/sysdep-os.h, darwin/sysdep.c,
+ freebsd/GNUmakefile.sysdep, freebsd/Makefile.sysdep,
+ freebsd/sysdep-os.h, freebsd/sysdep.c,
+ freeswan/GNUmakefile.sysdep, freeswan/Makefile.sysdep,
+ freeswan/klips.c, freeswan/klips.h, freeswan/sysdep-os.h,
+ freeswan/sysdep.c, netbsd/GNUmakefile.sysdep,
+ netbsd/Makefile.sysdep, netbsd/sysdep-os.h, netbsd/sysdep.c,
+ openbsd/GNUmakefile.sysdep, openbsd/Makefile.sysdep,
+ openbsd/keynote_compat.c, openbsd/sysdep-os.h, openbsd/sysdep.c:
+ Remove clauses 3 and 4. Approved by markus@ and niklas@.
+
+2003-06-03 16:52 ho
+
+ * sysdep/common/: blf.h, libsysdep/GNUmakefile, libsysdep/Makefile,
+ libsysdep/blowfish.c: Remove clauses 3 and 4. Approved by Niklas
+ Hallqvist and Niels Provos.
+
+2003-06-03 16:39 ho
+
+ * regress/Makefile, regress/check.sh, regress/b2n/b2ntest.c,
+ regress/crypto/cryptotest.c, regress/dh/dhtest.c,
+ regress/exchange/Makefile, regress/exchange/run.sh,
+ samples/Makefile, regress/group/grouptest.c,
+ regress/prf/prftest.c, regress/rsakeygen/Makefile,
+ regress/rsakeygen/rsakeygen.c, regress/util/utiltest.c,
+ regress/x509/Makefile, regress/x509/x509test.c: Remove clauses 3
+ and 4. Approved by Niklas Hallqvist and Niels Provos.
+
+2003-06-03 16:35 ho
+
+ * apps/: Makefile, certpatch/Makefile: Remove clauses 3 and 4.
+ Approved by Niklas Hallqvist and Niels Provos.
+
+2003-06-03 16:34 ho
+
+ * apps/keyconv/: Makefile, keyconv.8, keyconv.c, keyvalues.h:
+ Remove clause 3.
+
+2003-06-03 16:29 ho
+
+ * features/: aggressive, dnssec, ec, isakmp_cfg, policy, privsep,
+ x509: Remove clause 3. Approved by niklas@
+
+2003-06-03 16:28 ho
+
+ * GNUmakefile, Makefile, app.c, app.h, attribute.c, attribute.h,
+ cert.c, cert.h, conf.c, conf.h, connection.c, connection.h,
+ constants.c, constants.h, cookie.c, cookie.h, crypto.c, crypto.h,
+ dh.c, dh.h, dnssec.c, dnssec.h, doi.c, doi.h, exchange.h,
+ exchange_num.cst, field.c, field.h, genconstants.sh,
+ genfields.sh, gmp_util.c, gmp_util.h, hash.c, hash.h, if.c, if.h,
+ ike_aggressive.h, ike_auth.c, ike_auth.h, ike_main_mode.c,
+ ike_main_mode.h, ike_phase_1.h, ike_quick_mode.h, init.c, init.h,
+ ipsec_doi.h, ipsec_fld.fld, ipsec_num.cst, isakmp.h,
+ isakmp_cfg.c, isakmp_cfg.h, isakmp_doi.c, isakmp_doi.h,
+ isakmp_fld.fld, isakmp_num.cst, isakmpd.conf.5, log.c, log.h,
+ math_2n.c, math_2n.h, math_ec2n.c, math_ec2n.h, math_group.c,
+ math_group.h, math_mp.h, monitor.c, monitor.h, pf_key_v2.h,
+ prf.c, prf.h, sysdep.h, timer.c, timer.h, transport.c,
+ transport.h, udp.h, ui.c, ui.h, util.c, util.h: Remove clauses 3
+ and 4. With approval from Niklas Hallqvist and Niels Provos.
+
+2003-06-03 15:16 jmc
+
+ * isakmpd.8, isakmpd.conf.5, isakmpd.policy.5: - section reorder -
+ some mdoc fixes
+
+2003-06-03 14:51 ho
+
+ * conf.c, constants.c, dnssec.c, exchange.c, ike_auth.c,
+ ike_phase_1.c, ike_quick_mode.c, ipsec.c, log.c, message.c,
+ policy.c, sa.c, udp.c, x509.c: Cleanup. Use 'sizeof variable'
+ instead of magic constants.
+
+2003-06-03 03:52 millert
+
+ * sysdep/common/libsysdep/: strlcat.c, strlcpy.c: Use an ISC-tyle
+ license for all my code; it is simpler and more permissive.
+
+2003-06-02 22:06 millert
+
+ * sysdep/freeswan/sys/queue.h: Remove the advertising clause in the
+ UCB license which Berkeley rescinded 22 July 1999. Proofed by
+ myself and Theo.
+
+2003-05-18 23:26 ho
+
+ * monitor.c: Add some path sanitation; only permit write operations
+ to /tmp, /var/tmp and /var/run. Opens in /etc/isakmpd/ are
+ read-only. Any other path is invalid. markus@ ok.
+
+2003-05-18 22:46 ho
+
+ * init.c: Style tweak.
+
+2003-05-18 22:39 ho
+
+ * sa.c: Add a debug message to sa_reinit() to indicate when we
+ renegotiate active connections.
+
+2003-05-18 22:09 ho
+
+ * monitor_fdpass.c: Forgot to remove a couple of debug messages
+
+2003-05-18 22:06 ho
+
+ * udp.c: struct sockaddr is not large enough in itself to contain
+ the address value. Switching to sockaddr_storage makes interface
+ rescanning work properly. niklas@ ok.
+
+2003-05-18 21:37 ho
+
+ * conf.c, ike_auth.c, isakmpd.c, log.c, monitor.c, monitor.h,
+ monitor_fdpass.c, pf_key_v2.c, policy.c: More isakmpd privsep
+ work. X509 private keys are now kept in the privileged process
+ only. Various cleanup and bugfixes. markus@ ok
+
+2003-05-18 20:16 ho
+
+ * GNUmakefile, pf_key_v2.c, udp.c, sysdep/linux/GNUmakefile.sysdep,
+ sysdep/linux/sysdep-os.h, sysdep/linux/sysdep.c: Sysdep for
+ native Linux IPSec, 2.5 and later. From Thomas Walpuski, with
+ various tweaks by me. niklas@ ok.
+
+2003-05-17 19:39 ho
+
+ * monitor.h, monitor_fdpass.c: Better return codes from mm_send_fd
+ and mm_receive_fd
+
+2003-05-17 19:32 ho
+
+ * monitor_fdpass.c: Use log_error(), not log_fatal(). Style.
+
+2003-05-17 19:26 jmc
+
+ * isakmpd.conf.5: tweak; ok ho@
+
+2003-05-16 22:31 ho
+
+ * init.c, isakmpd.conf.5, sa.c, sa.h: If the "Renegotiate-on-HUP"
+ tag is defined in the [General] section, a HUP signal (or "R" to
+ the FIFO) will also renegotiate all Phase 2 SAs, i.e all
+ connections. ok niklas@, tested and ok kjell@.
+
+2003-05-15 05:20 ho
+
+ * ike_auth.c: Correct a two year old typo, which might actually
+ make setsockopt(..., IP_IPSEC_LOCAL_AUTH, ...) start working.
+
+2003-05-15 04:28 ho
+
+ * exchange.c, ike_auth.c, sa.c, sa.h: Cleanup. Do not store the
+ private key in either the exchange or sa structs.
+
+2003-05-15 04:08 ho
+
+ * ike_auth.c: Work around some OpenSSL BIO "features" to read the
+ key correctly.
+
+2003-05-15 04:04 ho
+
+ * monitor.c: Proper exit of the monitor process.
+
+2003-05-15 03:51 ho
+
+ * monitor.c: wait() for the child process
+
+2003-05-15 02:28 ho
+
+ * Makefile, conf.c, conf.h, ike_auth.c, init.c, isakmpd.c, log.c,
+ monitor.c, monitor.h, monitor_fdpass.c, pf_key_v2.c, policy.c,
+ udp.c, ui.c, util.c, features/privsep, sysdep/openbsd/sysdep.c:
+ Start of privilege separation for isakmpd. There are some kinks
+ left, so keep it default disabled for now. markus@ says ok to
+ commit.
+
+2003-05-15 02:24 ho
+
+ * log.h: (c)
+
+2003-05-15 01:44 kjell
+
+ * pf_key_v2.c: properly terminate debug string (levels >=40) Use
+ "%.*s" as suggested by Niklas. ok ho@. Lost by kjell. oked ho@.
+ lost by kjell again. oked ho@
+
+2003-05-15 01:29 ho
+
+ * features/policy: Remove the .if/.endif stuff that gmake does not
+ understand. Replace with a comment about needing keynote for
+ policy.
+
+2003-05-14 22:49 ho
+
+ * GNUmakefile, Makefile, sysdep/freeswan/GNUmakefile.sysdep,
+ sysdep/freeswan/Makefile.sysdep, sysdep/freeswan/README,
+ sysdep/freeswan/klips.c, sysdep/freeswan/klips.h,
+ sysdep/freeswan/sysdep-os.h, sysdep/freeswan/sysdep.c,
+ sysdep/freeswan/sys/queue.h, sysdep/linux/GNUmakefile.sysdep,
+ sysdep/linux/Makefile.sysdep, sysdep/linux/README,
+ sysdep/linux/klips.c, sysdep/linux/klips.h,
+ sysdep/linux/sysdep-os.h, sysdep/linux/sysdep.c: Call the
+ FreeS/WAN sysdep 'freeswan'. The 'linux' sysdep will be native
+ Linux IPSec.
+
+2003-05-14 20:11 ho
+
+ * conf.c, conf.h, ike_auth.c: Default public key directory
+ definition sanity.
+
+2003-05-14 20:10 ho
+
+ * policy.c, policy.h: Policy file default defined twice, kill the
+ local copy.
+
+2003-05-14 20:08 ho
+
+ * isakmpd.c: Fix a typo (in unused code).
+
+2003-05-14 19:37 ho
+
+ * ipsec.c, ipsec_num.cst, pf_key_v2.c, policy.c, sa.c: I did not
+ test this enough. Unbreak.
+
+2003-05-12 23:48 ho
+
+ * isakmp_num.cst: Update with some data for NAT-T specific payload
+ types, IKEv2 notifications, ISAKMP EAP code and types, plus fix
+ an old typo.
+
+2003-05-12 23:43 ho
+
+ * ipsec.c, pf_key_v2.c, policy.c, sa.c: AES -> AES_128_CBC
+
+2003-05-12 23:42 ho
+
+ * ipsec_num.cst: Add two more encapsulation types (UDP encap,
+ potential future NAT-T) Add BLOCK_SIZE attribute Rename
+ IPSEC_ESP_AES -> IPSEC_ESP_AES_128_CBC.
+
+2003-05-12 01:17 ho
+
+ * genconstants.sh: Slight style fix for .cst files. Permit comments
+ also after a definition.
+
+2003-05-11 04:16 markus
+
+ * pf_key_v2.c: fix ID-type for ipv6; ok niklas; report fries
+
+2003-05-10 23:13 jmc
+
+ * isakmpd.8, isakmpd.conf.5: typos;
+
+2003-04-30 17:15 jason
+
+ * conf.c: cast size_t to unsigned long and use %lu;ok ho
+
+2003-04-27 13:17 ho
+
+ * isakmpd.8: Describe the 'C set' FIFO command better. (PR#3148,
+ also)
+
+2003-04-27 13:16 ho
+
+ * ui.c: Make the 'C set' FIFO command work as expected. PR#3148.
+
+2003-04-14 15:08 ho
+
+ * isakmpd.c: Unlink FIFO and pid files on clean shutdown. PR#3199
+
+2003-04-14 12:22 ho
+
+ * pf_key_v2.c: More snprintf style
+
+2003-04-14 12:14 ho
+
+ * pf_key_v2.c: A "%d" is 12 chars, not 10. Use sizeof num instead
+ of '10' in snprintf. From Theo.
+
+2003-04-09 17:46 ho
+
+ * x509.c: Less noise for missing crl dir, demoted to debug message.
+
+2003-03-21 16:13 markus
+
+ * isakmpd.conf.5: document [initiator-id] section;
+ richb@timestone.com.au; ok ho@, jmc@
+
+2003-03-20 20:39 margarida
+
+ * isakmp_cfg.c: Pull patch from current: Fix by ho@. Proper
+ id_string for SET/ACK responder, plus attr payload fixes.
+
+ ok millert@ markus@ ho@
+
+2003-03-16 09:13 matthieu
+
+ * samples/: VPN-east.conf, VPN-west.conf: secrity -> security. Ok
+ ho@
+
+2003-03-14 15:49 ho
+
+ * math_group.c, transport.c, sysdep/common/blf.h,
+ sysdep/common/libsysdep/blowfish.c: Spelling fixes from david@.
+ jmc@ ok.
+
+2003-03-13 14:24 ho
+
+ * ike_auth.c: Might as well do blinding here too.
+
+2003-03-13 11:31 ho
+
+ * util.c: Avoid "j += snprintf()". niklas@ ok.
+
+2003-03-06 21:29 jmc
+
+ * isakmpd.conf.5, isakmpd.policy.5: .Xr typos;
+
+ ok deraadt@
+
+2003-03-06 15:22 cedric
+
+ * util.c: fix text2sockaddr() when HAVE_GETNAMEINFO is false and
+ port is NULL. ok ho@
+
+2003-03-06 14:48 cedric
+
+ * field.c: "len" is decremented too early, so the second argument
+ of the snprintf call is too small on last run of the loop. ok
+ ho@
+
+2003-03-06 14:32 ho
+
+ * exchange.c: Bad cut'n'paste msg plus style fixes.
+
+2003-03-06 10:56 ho
+
+ * util.c: Less ambiguous l-value usage. Noted by cedric@
+
+2003-03-06 05:07 david
+
+ * apps/keyconv/keyconv.8: date should be written formally: .Dd
+ Month day, year ok henning@ jmc@
+
+2003-03-03 17:51 ho
+
+ * isakmpd.conf.5: Re-add the BUGS section; the RFCs still do not
+ permit differing DH groups in the same proposal. This time,
+ mention that this also applies to mixing PFS and non-PFS suites.
+
+2003-02-26 23:55 ho
+
+ * samples/VPN-west.conf: Typo/pasto. Spotted by Tim Donahue.
+
+2003-02-26 09:17 david
+
+ * exchange.c: IPsec is written ``IPsec'', not ``IPSec''. ok ho@
+
+2003-02-24 13:01 markus
+
+ * pf_key_v2.c: pf_key_v2_flow: typo in debug msg (KAME)
+
+2003-02-22 07:57 kjell
+
+ * README: typo: noneheless->nontheless
+
+2003-02-22 07:56 kjell
+
+ * isakmpd.8, isakmpd.conf.5: Clarify some language, grammar. ho@
+ okayed this many moons ago, and I forgot all about it.
+
+2003-02-12 16:11 markus
+
+ * if.c, if.h, udp.c: better error checking on bind(); from
+ Alexander_Bluhm at genua.de; ok ho@
+
+2003-02-05 11:29 jmc
+
+ * isakmpd.8: typos; isakmpd(8) ok niklas@, mailwrapper(8) help
+ kjell@
+
+2003-02-04 21:02 markus
+
+ * conf.c: don't set the Transform for Default-phase-1-configuration
+ twice, ok ho@
+
+2003-02-04 21:02 markus
+
+ * conf.h: default to 3DES-SHA-RSA_SIG (same as in OpenBSD 3.2); ok
+ ho@
+
+2003-01-22 16:13 ho
+
+ * ike_auth.c: Typo.
+
+2003-01-20 20:52 deraadt
+
+ * isakmpd.policy.5: typos; alan@alanday.com
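Review bot: The two brad entries dated 2003-06-13 (05:50 and 05:34) are word-for-word identical "MFC: Fix from ho@" records for ipsec.c, and nothing in the file says which branch either one belongs to; the 2003-03-20 "Pull patch from current" entry for isakmp_cfg.c has the same problem. These read as branch merges interleaved with the mainline history, so either tag each such entry with its branch or drop the duplicates. Otherwise a reader auditing the package cannot tell from this file alone which line of development a fix such as "Do not crash on unsupported IPSec ID types" (also recorded on 2003-06-10 by ho) was applied to. A smaller point: the "End of changelog debian package isakmpd.20030820-1" marker sits between the 2003-08-20 and 2003-07-09 entries, so in a newest-first file it marks where that package's entries begin when read top to bottom; a one-line header explaining the marker convention would avoid misreading it.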