Diffstat (limited to 'keyexchange/isakmpd-20041012/debian')
-rw-r--r-- | keyexchange/isakmpd-20041012/debian/ChangeLog | 1668 | ||||
-rw-r--r-- | keyexchange/isakmpd-20041012/debian/README.Debian | 17 | ||||
-rw-r--r-- | keyexchange/isakmpd-20041012/debian/changelog | 153 | ||||
-rw-r--r-- | keyexchange/isakmpd-20041012/debian/control | 17 | ||||
-rw-r--r-- | keyexchange/isakmpd-20041012/debian/copyright | 21 | ||||
-rw-r--r-- | keyexchange/isakmpd-20041012/debian/isakmpd.dirs | 13 | ||||
-rw-r--r-- | keyexchange/isakmpd-20041012/debian/isakmpd.init | 32 | ||||
-rw-r--r-- | keyexchange/isakmpd-20041012/debian/isakmpd.lintian | 3 | ||||
-rwxr-xr-x | keyexchange/isakmpd-20041012/debian/rules | 73 |
9 files changed, 1997 insertions, 0 deletions
diff --git a/keyexchange/isakmpd-20041012/debian/ChangeLog b/keyexchange/isakmpd-20041012/debian/ChangeLog
new file mode 100644
index 0000000..bae602d
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/debian/ChangeLog
@@ -0,0 +1,1668 @@ +End of changelog debian package isakmpd.20041012-1 +-------------------------------------------------- + +2004-10-08 17:18 hshoexer + + * sysdep/common/libsysdep/arc4random.c: pull in some changes from + libc arc4random (only relevant for non-OpenBSD systems): ansify, + discard first 256 output bytes, make key schedule more arc4 + stream ciper like. + + ok djm ho + +2004-10-01 06:08 jsg + + * monitor_fdpass.c: add some missing $, ok djm@ 'That looks fine to + me' millert@ + +2004-09-24 15:31 ho + + * udp_encap.c: Don't process NAT-T keepalives. Noted by Kamel + Messaoudi. hshoexer@ ok + +2004-09-20 23:36 hshoexer + + * virtual.c: compile cleanly with -Wsign-compare ok ho + +2004-09-20 23:35 hshoexer + + * monitor_fdpass.c: Remove __func__ ok ho deraadt + +2004-09-17 16:54 hshoexer + + * isakmpd.c: avoid signal race. + + ok ho@ otto@ + +2004-09-17 15:53 ho + + * exchange.c, ike_quick_mode.c, ipsec.c, key.c, pf_key_v2.c: + Missing #ifdefs. + +2004-09-17 15:46 ho + + * init.c: #include <stdlib.h> for srandom(). + +2004-09-17 15:45 ho + + * message.c: Permit next payload type NAT-OA. Noted by Kamel + Messaoudi. + +2004-08-23 13:53 ho + + * exchange.c: We need to set sa->initiator before checking if the + newly created SA replaces an old one, or the id_i/id_r check will + mismatch. Previous behaviour was mostly harmless, but wasted some + resources (until normal SA expiration). hshoexer@ "haven't tried, + but think it's ok" + +2004-08-23 13:16 ho + + * Makefile: Default enable DPD (Dead Peer Detection) support. + hshoexer@ ok + +2004-08-23 13:13 ho + + * exchange.h: Indent nit. + +2004-08-17 16:48 hshoexer + + * message.c: check for msg->isakmpg_sa being NULL before + referencing ok ho@ + +2004-08-14 15:29 hshoexer + + * ike_quick_mode.c: When using -K (keynote disabled), check peers' + proposal against isakmpd.conf. 
+ + ok ho@ henning@ + +2004-08-13 04:51 djm + + * monitor_fdpass.c: extra check for no message case; ok markus, + deraadt, hshoexer, henning + +2004-08-12 13:21 hshoexer + + * monitor.c: Fix compiler warning on alpha. Noted by and ok ho@ + +2004-08-12 13:08 ho + + * pf_key_v2.c: Avoid memleak on error (Linux/KAME). Found by + Benjamin Pineau. + +2004-08-10 21:21 deraadt + + * virtual.c, x509.c: spacing + +2004-08-10 17:59 ho + + * dpd.c, dpd.h, exchange.c, ipsec.c, isakmp_num.cst, + isakmpd.conf.5, message.c, message.h, pf_key_v2.c, pf_key_v2.h, + sa.c, sa.h, sysdep.h, udp_encap.c, sysdep/bsdi/sysdep.c, + sysdep/darwin/sysdep.c, sysdep/freebsd/sysdep.c, + sysdep/freeswan/sysdep.c, sysdep/linux/sysdep.c, + sysdep/netbsd/sysdep.c, sysdep/openbsd/sysdep.c: Better + implementation of the Dead Peer Detection protocol, RFC 3706. + hshoexer@ ok. + +2004-08-10 11:49 ho + + * sysdep/linux/GNUmakefile.sysdep: Linux has AES (and DES). From + Benjamin Pineau. + +2004-08-10 11:47 ho + + * sysdep/common/libsysdep/arc4random.c: If opening /dev/arandom + fails, try /dev/random. Suggested by Benjamin Pineau. + +2004-08-08 21:11 deraadt + + * GNUmakefile, conf.c, dpd.c, exchange.c, ike_auth.c, + ike_phase_1.c, ike_quick_mode.c, ipsec.c, isakmp_cfg.c, log.c, + message.c, monitor.c, nat_traversal.c, pf_key_v2.c, policy.c, + sa.c, sysdep.h, transport.c, udp.c, udp_encap.c, ui.c, util.c, + virtual.c, x509.c: spacing + +2004-08-03 12:54 ho + + * nat_traversal.c, transport.c, udp.c, udp.h, udp_encap.c, + virtual.c: Rewrite the transport reference count code to avoid + leaks. hshoexer@ ok. + +2004-08-02 17:48 hshoexer + + * sa.c: Do not expire unestablished phase 2 SAs on SIGHUP. + + ok ho@ + +2004-08-02 17:30 ho + + * GNUmakefile: Missed to add virtual.c here. Noted by Benjamin + Pineau. + +2004-07-30 12:45 ho + + * Makefile, sysdep.h, util.c: Style. + +2004-07-29 22:02 ho + + * conf.c: Less noise while debugging. 
+ +2004-07-29 10:54 ho + + * ike_aggressive.c, ike_phase_1.c, nat_traversal.c: Repair NAT-T + using Aggressive mode, NAT-D checks were in the wrong place. + Noted by Yvan VANHULLEBUS. + +2004-07-09 18:06 deraadt + + * doi.c, exchange.c: ansi + +2004-07-08 21:53 hshoexer + + * virtual.c: free() and close() in error path. + + ok ho@ + +2004-07-08 12:37 jmc + + * isakmpd.8, isakmpd.conf.5: typo, and line adjustment; + +2004-07-08 00:25 hshoexer + + * isakmpd.8, isakmpd.conf.5: document -a/-K and + "Acquire-Only"/"Use-Keynote". + + ok markus@ henning@ ho@ english polish and mdoc help and ok jmc@ + +2004-07-07 11:16 hshoexer + + * message.c: plug memleak when receiving an + INVALID_HASH_INFORMATION notify. Found by Patrick Latifi, + thanks! + + ok ho@ + +2004-07-07 11:13 hshoexer + + * udp_encap.c: compile cleanly with -Wsign-compare; while around, + kill a space + + ok ho@ + +2004-07-05 19:33 pvalchev + + * ike_phase_1.c: %lu and cast to unsigned long to print a size_t; + ok ho + +2004-06-30 12:07 hshoexer + + * nat_traversal.c: Compile cleanly with gcc3.3.2. + + ok ho@ + +2004-06-26 13:32 jmc + + * isakmpd.conf.5: new sentence, new line; + +2004-06-26 08:07 hshoexer + + * monitor.c, monitor.h, pf_key_v2.c, pf_key_v2.h, + sysdep/openbsd/sysdep.c: Narrow down privsep interface. Move + pf_key_v2_open() to monitor. + + Work in progress. + + ok ho@ + +2004-06-26 05:40 mcbride + + * sysdep/: bsdi/Makefile.sysdep, darwin/GNUmakefile.sysdep, + darwin/Makefile.sysdep, freebsd/GNUmakefile.sysdep, + freebsd/Makefile.sysdep, linux/GNUmakefile.sysdep, + netbsd/GNUmakefile.sysdep, netbsd/Makefile.sysdep, + openbsd/GNUmakefile.sysdep, openbsd/Makefile.sysdep: Remove + -DHAVE_GETNAMEINFO frome makefiles. + + Pointed out by ho@ + +2004-06-25 22:25 hshoexer + + * conf.c, conf.h, ike_quick_mode.c, isakmpd.c, policy.c, policy.h: + Keynote policy checking can now be disabled by "-K" switch and + config tag "Use-Keynote". Default is to use keynote. 
+ + ok henning@ ho@ + +2004-06-25 21:42 mcbride + + * udp.c, util.c: Remove HAVE_GETNAMEINFO alternate code. Compiled + binary is unchanged. + + ok msf@ hshoexer@ itojun@ ho@ + +2004-06-25 02:58 hshoexer + + * init.c, log.c, monitor.c, monitor.h, ui.c: Narrow down privsep + interface. Remove ui_init to monitor. So we can get rid of + monitor_mkfifo. + + Work in progress. + + ok ho@ + +2004-06-24 19:02 hshoexer + + * monitor.c: Remove some unused code. Fix handling of sigchild. + Now it's possible to sigstop/sigcont isakmpd correclty. + + ok ho@ + +2004-06-24 17:58 hshoexer + + * policy.c: Also handle keys from x509-certificates embedded in + keynote credentials. + + with msf@ ok ho@ + +2004-06-24 01:36 ho + + * pf_key_v2.c: Print corrent prefix. Found and tested by alex at + vbone.net. + +2004-06-23 05:01 hshoexer + + * ike_auth.c, util.c, util.h: Avoid stat before open. Do open and + fstat instead. Remove check_file_secrecy() as it is obsoleted be + check_file_secrecy_fd(). + + ok ho@ + +2004-06-23 03:17 ho + + * Makefile, sysdep.h, util.c: Make compiling with Boehm's gc + possible again. + +2004-06-23 02:56 ho + + * ike_phase_1.c: Support IPV{4,6}_ADDR_SUBNET IDs in Phase 1, just + like the man page says we do. Noted and tested by alex at + vbone.net. Also avoid a potential SEGV here. hshoexer@ok + +2004-06-23 02:55 hshoexer + + * ipsec.c, isakmpd.c: Add commandline switch -a / config tag + "Acquire-Only" to tell isakmpd to not touch flows. + + initial work by markus ok markus@ ho@ henning@ + +2004-06-22 20:22 hshoexer + + * ike_auth.c: kn_get_string() may return NULL on failure. Handle + this corrctly. + + with msf@, ok ho@ markus@ + +2004-06-22 05:44 ho + + * virtual.c: The NAT-T drafts suggest we should drop incoming + messages arriving on the old port (500) after we've switched to + the new one. + +2004-06-22 01:42 ho + + * isakmpd.conf.5: Describe the [Default]:NAT-T-Keepalive + configuration parameter. 
+ +2004-06-22 01:28 ho + + * Makefile: Enable NAT-T support. + +2004-06-22 01:27 ho + + * ipsec.c, nat_traversal.c, nat_traversal.h, sa.c, sa.h, + udp_encap.c: Implement NAT-T keepalive messages. + +2004-06-21 20:41 ho + + * pf_key_v2.c: udpencap_port should be taken from dst transport + +2004-06-21 20:40 ho + + * virtual.c: When switching from main to encap transport, copy dst + port if translated (NAT). + +2004-06-21 20:34 ho + + * monitor.c: Strip away umask bits in monitor_fopen(). hshoexer@ + ok. + +2004-06-21 20:29 ho + + * ipsec.c: style nit + +2004-06-21 19:02 markus + + * features/nat_traversal: undo double-patch; Dries Schellekens + +2004-06-21 18:37 ho + + * log.c: Don't write too much IKE data in packet capture + +2004-06-21 18:01 ho + + * log.c, message.c: Packet capture should add the ESP-marker when + NAT-T is active. + +2004-06-21 17:15 ho + + * pf_key_v2.c: Tell the kernel to enable ESP-in-UDP encapsulation + when we have SAs negotiated with NAT-T. + +2004-06-21 15:09 ho + + * exchange.c, sa.h, transport.c, udp.c, udp_encap.c, virtual.c: + Port floating (500->4500) for p1 and p2 exchanges. + +2004-06-20 19:44 ho + + * message.c: message_parse_payloads should accept payloads in the + private range. While here, also cleanup some messages. + +2004-06-20 19:17 ho + + * dpd.c, exchange.c, ike_auth.c, ike_phase_1.c, ike_quick_mode.c, + init.c, ipsec.c, isakmp_cfg.c, isakmp_doi.c, message.c, + message.h, nat_traversal.c: Make the payload array in struct + message dynamic, since we need to handle payloads in the private + range, such as the pre-RFC NAT-D/NAT-OA. Replace + TAILQ_FIRST(&msg->payload[i]) instances with function calls. + +2004-06-20 17:24 ho + + * Makefile, exchange.h, ike_phase_1.c, init.c, ipsec.c, isakmp.h, + isakmp_fld.fld, message.c, nat_traversal.c, nat_traversal.h, + policy.c, transport.c, transport.h, udp.c, udp.h, udp_encap.c, + udp_encap.h, util.c, util.h, virtual.c, virtual.h, + features/nat_traversal: NAT-Traversal for isakmpd. 
Work in + progress... hshoexer@ ok. + +2004-06-20 17:20 ho + + * dpd.c, dpd.h, exchange.c, isakmp_num.cst, sa.h, features/dpd: A + start towards Dead Peer Detection (DPD) support, as specified in + RFC 3706 + +2004-06-20 17:11 ho + + * message.c: Some vendors send the last Aggressive Mode message + unencrypted, which we should accept. Problem noted by alex at + vbone.net. hshoexer@ ok. + +2004-06-20 17:03 ho + + * isakmpd.c, monitor.c, monitor.h: To make debugging the + unprivileged child process easier, make 'isakmpd -dd' pause just + after privsep; print the PIDs and wait for SIGCONT. hshoexer@ ok + +2004-06-17 21:39 hshoexer + + * ipsec.c: Yet another bunch of memleask found and fixed by Patrick + Latifi. Thanks! + + ok ho@ + +2004-06-17 21:36 hshoexer + + * udp.c: Plug a memleak. Found and fixed (and some cleanup) by + Patrick Latifi. Thanks! + + ok ho@ + +2004-06-17 21:32 hshoexer + + * x509.c: Evaluate result of X509_verify_cert() more carefully. + + ok cloder@ + +2004-06-16 17:08 hshoexer + + * util.c: Fix wrong pointer dereference and plug memleak. Found + and patch by Patrick Latifi. Thanks! + + ok ho@ + +2004-06-16 17:05 hshoexer + + * ipsec.c: fix ipv6-address and ipv6-address-mask mixup. Found by + Patrick Latifi. Thanks! + + ok ho@ + +2004-06-15 17:53 hshoexer + + * ike_quick_mode.c, isakmp_cfg.c: also use MSG_AUTHENTICATED flag. + + ok ho@ + +2004-06-14 15:53 hshoexer + + * conf.c, ike_auth.c, x509.c: avoid stat before open + + ok ho@ + +2004-06-14 12:04 hshoexer + + * message.c: added a missing message_free(). + + ok ho@ + +2004-06-14 11:55 ho + + * cert.c, conf.c, connection.c, crypto.c, dnssec.c, exchange.c, + field.c, hash.c, if.c, ike_auth.c, ike_main_mode.c, + ike_phase_1.c, ike_quick_mode.c, ipsec.c, isakmp_cfg.c, + isakmp_doi.c, isakmpd.c, key.c, log.c, math_2n.c, math_group.c, + message.c, monitor.c, pf_key_v2.c, policy.c, timer.c, + transport.c, udp.c, util.c, x509.c: KNF, style, 80c, etc. 
+ hshoexer@ ok + +2004-06-11 12:17 brad + + * message.c: typo in comment + +2004-06-11 05:08 brad + + * ike_phase_1.c, ike_quick_mode.c, ipsec.c, message.c, message.h: + MFC: Fix by hshoexer@ + + Mark authenticated messages explicitly. Better check for + authentication before deleteing SAs. + + This fix is needed to solve the problems reported by Thomas + Walpuski, previous diff was not sufficient. Pointed out by + Thomas. Thanks! + +2004-06-11 04:34 brad + + * ike_phase_1.c, ike_quick_mode.c, ipsec.c, message.c, message.h: + MFC: Fix by hshoexer@ + + Mark authenticated messages explicitly. Better check for + authentication before deleteing SAs. + + This fix is needed to solve the problems reported by Thomas + Walpuski, previous diff was not sufficient. Pointed out by + Thomas. Thanks! + +2004-06-10 14:54 hshoexer + + * ike_phase_1.c, ike_quick_mode.c, ipsec.c, message.c, message.h: + Mark authenticated messages explicitly. Better check for + authentication before deleteing SAs. + + This fix is needed to solve the problems reported by Thomas + Walpuski, previous diff was not sufficient. Pointed out by + Thomas. Thanks! + + ok ho@ niklas@, testing and spellcheck by todd@ msf@ + +2004-06-09 23:15 brad + + * message.c: MFC: Fix by hshoexer@ + + only accept DELETEs during an authenticated INFORMATIONAL + exchange. Fix for recent problem disclosed by Thomas Walpuski. + +2004-06-09 22:48 brad + + * message.c: MFC: Fix by hshoexer@ + + only accept DELETEs during an authenticated INFORMATIONAL + exchange. Fix for recent problem disclosed by Thomas Walpuski. + +2004-06-09 16:02 ho + + * conf.c, exchange.c, ike_phase_1.c, ike_quick_mode.c, ipsec.c, + isakmp_cfg.c, message.c, pf_key_v2.c, transport.c, udp.c: Style + nits. hshoexer@ ok + +2004-06-09 14:59 hshoexer + + * message.c: only accept DELETEs during an authenticated + INFORMATIONAL exchange. Fix for recent problem disclosed by + Thomas Walpuski. + + ok ho@ + +2004-06-06 15:05 ho + + * ike_phase_1.c: Style (KNF, 80c). 
No binary change. + +2004-06-02 18:19 hshoexer + + * ike_auth.c, x509.c: remove unused BIO-functions. + + ok markus@ ho@ + +2004-05-27 00:17 hshoexer + + * ike_auth.c: do not leak fd on error path. + + ok ho@ + +2004-05-24 16:54 hshoexer + + * util.c: Use correct function names in log messages. Kill some + spaces. + + ok deraadt@ ho@ + +2004-05-23 20:17 hshoexer + + * field.c, field.h, hash.c, if.c, ike_aggressive.c, + ike_aggressive.h, ike_auth.c, ike_main_mode.c, ike_main_mode.h, + ipsec.c, ipsec.h, isakmp_cfg.c, isakmp_cfg.h, isakmp_doi.c, + isakmpd.c, key.c, log.c, log.h, math_2n.c, math_ec2n.c, + math_ec2n.h, math_group.c, message.c, message.h, monitor.c, + monitor_fdpass.c, pf_key_v2.h, policy.c, prf.c, sa.c, sa.h, + timer.c, timer.h, udp.c, ui.c, util.c, x509.c, x509.h: More KNF. + Mainly spaces and line-wraps, no binary change. + + ok ho@ + +2004-05-23 18:14 deraadt + + * if.c, udp.c: remove excessive monitor_ prefixes + +2004-05-23 18:14 deraadt + + * policy.c, util.c, util.h: stat before open is flawed + +2004-05-23 18:13 deraadt + + * key.c: greater care with arguments + +2004-05-19 16:30 ho + + * ipsec.c, isakmpd.c: Permit symbolic protocol and service names, + such as "Protocol= tcp", in the <IPsec-ID> sections. hshoexer@ ok + +2004-05-14 10:42 hshoexer + + * attribute.c, attribute.h, cert.c, cert.h, conf.c, conf.h, + connection.c, cookie.c, cookie.h, crypto.c, crypto.h, dh.h, + dnssec.c, dnssec.h, doi.c, doi.h: Some more KNF, no binary + change. + + ok ho@ + +2004-05-13 08:56 ho + + * connection.c, isakmpd.8, sa.c, sa.h, ui.c, ui.h: Extensions to + the FIFO interface: "C get [section]:tag" fetches a configuration + value. "C add [section]:tag=value" adds 'value' to a list, + typically for the [Phase 2]:Connections tag. FIFO "S" command + destination file changed. Various KNF cleanups. hshoexer@ ok. + +2004-05-10 20:34 deraadt + + * monitor.c: 64bit gcc saw missing cast + +2004-05-06 12:40 ho + + * exchange.c: KNF cleanup. 
hshoexer@ ok + +2004-05-03 23:23 hshoexer + + * exchange.c, exchange.h: KNF. ok ho@ + +2004-04-30 00:36 hshoexer + + * message.c: Better checking of minimum payload lengths. Drop out + safely when an unknown payload type is encountered. While + around, do some KNF. + + ok ho@ + +2004-04-28 22:20 hshoexer + + * ike_quick_mode.c, policy.c, policy.h: remove unused variable and + shorten names of two other. Removed some spaces while around. + + ok ho@ markus@ + +2004-04-28 16:40 ho + + * ipsec_num.cst, isakmp_num.cst: Reserve some payload numbers for + RFC 3547 and the earlier NAT-T drafts. hshoexer@ ok. + +2004-04-23 16:15 ho + + * conf.c, conf.h: Make sure KEY_LENGTH attribute is present when + checking AES proposals, required when acting as responder to + SafeNet peers. Also make conf_load_defaults() readable again + (KNF). hshoexer@ ok. + +2004-04-15 22:20 deraadt + + * conf.c: more knf; ok hshoexer + +2004-04-15 20:53 deraadt + + * conf.c: knf + +2004-04-15 20:39 deraadt + + * app.c, app.h, attribute.c, attribute.h, cert.c, cert.h, conf.c, + conf.h, connection.c, connection.h, constants.c, constants.h, + cookie.c, cookie.h, crypto.c, crypto.h, dh.c, dh.h, dnssec.c, + dnssec.h, doi.c, doi.h, exchange.h, field.c, field.h, + genconstants.sh, genfields.sh, gmp_util.c, gmp_util.h, hash.c, + hash.h, if.c, if.h, ike_aggressive.c, ike_aggressive.h, + ike_auth.c, ike_auth.h, ike_main_mode.c, ike_main_mode.h, + ike_phase_1.c, ike_phase_1.h, ike_quick_mode.c, ike_quick_mode.h, + init.c, init.h, ipsec.c, ipsec.h, ipsec_doi.h, isakmp.h, + isakmp_cfg.c, isakmp_cfg.h, isakmp_doi.c, isakmp_doi.h, + isakmpd.c, key.c, key.h, libcrypto.c, libcrypto.h, log.c, log.h, + math_2n.c, math_2n.h, math_ec2n.c, math_ec2n.h, math_group.c, + math_group.h, math_mp.h, message.c, message.h, monitor.c, + monitor.h, monitor_fdpass.c, pf_key_v2.c, pf_key_v2.h, policy.c, + policy.h, prf.c, prf.h, sa.c, sa.h, sysdep.h, timer.c, timer.h, + transport.c, transport.h, udp.c, udp.h, ui.c, ui.h, util.c, + 
util.h, x509.c, x509.h, sysdep/openbsd/keynote_compat.c, + sysdep/openbsd/sysdep.c: partial move to KNF. More to come. + This has happened because there are a raft of source code + auditors who are willing to help improve this code only if this + is done, and hey, isakmpd does need our standard auditing + process. ok ho hshoexer + +2004-04-15 02:27 deraadt + + * isakmpd.8: spaces + +2004-04-13 23:48 hshoexer + + * if.c: Add missing #include. Found by Stefan Paletta. + + ok henning@ ho@ + +2004-04-08 18:08 henning + + * sysdep/linux/sys/queue.h: swap the last two parameters to + TAILQ_FOREACH_REVERSE. matches what FreeBSD and NetBSD do. ok + millert@ mcbride@ markus@ ho@, checked to not affect ports by + naddy@ + +2004-04-08 12:05 hshoexer + + * init.c, isakmpd.c: Set timezone before privsep, child uses now + correct timezone. Noticed by david@ + + ok ho@ david@ + +2004-04-08 00:45 ho + + * conf.h, exchange.h, ike_auth.c, ike_phase_1.c, ike_quick_mode.c, + ipsec.c, log.c, math_2n.c, math_group.c, math_group.h, message.c, + monitor.c, pf_key_v2.c, policy.c, sa.c, udp.c, ui.c, util.c, + x509.c, regress/crypto/cryptotest.c: -Wsign-compare nits. + hshoexer@ ok. + +2004-04-08 00:45 ho + + * key.c: Reset *data in case of unknown key types + +2004-04-08 00:43 ho + + * Makefile: -Wmissing-declarations + +2004-04-07 22:04 ho + + * sa.c: More careful when walking LIST queues. hshoexer@, david@ + ok. + +2004-03-31 12:54 ho + + * cert.c, crypto.c, exchange.c, hash.c, ike_auth.c: -Wsign-compare + nits. hshoexer@ ok. + +2004-03-31 12:53 ho + + * monitor.c: Use sysdep_sa_len() instead of sa->sa_len, also + correct a log_fatal() message. hshoexer@ ok. + +2004-03-31 12:47 ho + + * isakmpd.c, sysdep/openbsd/Makefile.sysdep: Don't assume + closefrom(2) exists everywhere. hshoexer@, markus@ ok. 
+ +2004-03-29 19:07 deraadt + + * monitor.c: use malloc (oops) + +2004-03-29 18:32 deraadt + + * monitor.c: wrong FD_ZERO(); from ho, hshoexer, markus + +2004-03-29 18:32 deraadt + + * udp.c: memory mishandling; from ho + +2004-03-24 17:44 hshoexer + + * isakmpd.8: Add some notes about privsep to manpage. + + ok ho@ jmc@ deraadt@ + +2004-03-23 19:20 hshoexer + + * monitor.c: Remove erroneous null termination. + + ok ho@ deraadt@ + +2004-03-19 15:04 hshoexer + + * Makefile, conf.c, conf.h, if.c, ike_auth.c, isakmpd.c, log.c, + monitor.c, monitor.h, policy.c, sa.c, udp.c, ui.c, x509.c: Add + missing bits to make already present privsep code work. Enable + privsep. + + ok ho@ deraadt@ markus@ + +2004-03-17 16:05 brad + + * doi.h, ike_quick_mode.c, ipsec.c, isakmp_cfg.c, isakmp_doi.c, + message.c, util.h: MFC: Fix by hshoexer@ + + Fix payload handling flaws found by cloder@. Based on initial + patch by cloder@. + + ok deraadt@ hshoexer@ + +2004-03-17 15:59 brad + + * doi.h, ike_quick_mode.c, ipsec.c, isakmp_cfg.c, isakmp_doi.c, + message.c, util.h: MFC: Fix by hshoexer@ + + Fix payload handling flaws found by cloder@. Based on initial + patch by cloder@. + + ok deraadt@ hshoexer@ + +2004-03-17 12:10 ho + + * ike_auth.c: For consistency and to avoid a rare memory leak, the + result from ike_auth_get_key() should always be released after + use. Found and ok hshoexer@. + +2004-03-15 17:34 hshoexer + + * monitor.c: Properly check succes of chroot(). + + ok ho@ + +2004-03-15 17:29 hshoexer + + * monitor.c, monitor.h: Remove unused code. + + ok ho@ + +2004-03-11 17:56 hshoexer + + * isakmp_cfg.c: Fix a memleak. + + ok ho@ + +2004-03-11 00:08 hshoexer + + * doi.h, ipsec.c, isakmp_doi.c, message.c, util.h: Fix payload + handling flaws found by cloder@. Based on initial patch by + cloder@. Testing by markus@ cloder@ hshoexer@. + + ok ho@ + +2004-03-10 17:10 hshoexer + + * message.c: Plug up memory leak. 
+ + ok ho@ + +2004-03-10 12:17 hshoexer + + * message.c: Reduce some noise on receipt of an invalid spi. + + ok ho@ + +2004-03-10 10:28 ho + + * pf_key_v2.c: Fix for PR2429, from Clemens Wittinger. + +2004-03-09 22:42 hshoexer + + * message.c: Plug memleaks, found by cloder@. + + ok ho@ + +2004-02-27 20:14 hshoexer + + * ipsec.c: Remove dead code. + + ok ho@ + +2004-02-27 20:07 hshoexer + + * conf.c, isakmpd.conf.5: Add group 14 (modp2048) to predefined + suites. Manpage also updated. ok ho@ + +2004-02-27 11:16 ho + + * ike_phase_1.c, ike_quick_mode.c, sa.c, sa.h: (C)-2004 + +2004-02-27 10:01 ho + + * ike_phase_1.c, ike_quick_mode.c, sa.c, sa.h: Follow RFC 2408 more + closely regarding how to better check the proposal returned by + the other peer (the responder). Some implementations (notably the + Cisco PIX) does not follow a SHOULD in section 4.2 of the RFC. + With certain proposal combinations this caused us to setup the + wrong SA resulting in us being unable to process incoming IPsec + traffic (over this tunnel). + + Tested against a number of different IKE implementations. + hshoexer@ ok. + +2004-02-26 16:27 hshoexer + + * regress/rsakeygen/rsakeygen.c: remove unused code. noticed by + ho@ ok ho@ + +2004-02-26 06:52 jmc + + * isakmpd.conf.5: tweak; ok hshoexer@ + +2004-02-25 17:01 hshoexer + + * init.c, isakmpd.conf.5, log.c, log.h, regress/b2n/Makefile, + regress/crypto/Makefile, regress/crypto/cryptotest.c, + regress/dh/Makefile, regress/ec2n/Makefile, + regress/group/Makefile, regress/prf/Makefile, + regress/rsakeygen/Makefile, regress/rsakeygen/rsakeygen.c, + regress/util/Makefile: Add and document configuration options + Logverbose and Loglevel. As log.c now depends on conf.c and some + regression tests use log.c, add conf.c to Makefiles where + necessary. + + ok ho@ + +2004-02-20 12:31 hshoexer + + * ike_quick_mode.c: More small adjustments of log messages. + +2004-02-20 10:46 hshoexer + + * ike_quick_mode.c: Fix some double free errors. 
While around, + adjust a log message. ok ho@ + +2004-02-19 16:35 hshoexer + + * isakmpd.c: small cleanup of log messages. ok ho@ + +2004-02-19 10:54 ho + + * isakmpd.c, log.c, log.h: With -d, SIGINT should do a clean + shutdown. Without -d, logs should be sent to syslog, level + LOG_INFO. + +2004-02-19 10:46 ho + + * isakmpd.c: Cleanup. + +2004-02-16 21:40 markus + + * exchange.c: check for isakmp_sa->transport != NULL; noticed by + bluhm at genua.de ok hshoexer@ + +2004-02-11 09:55 jmc + + * samples/VPN-3way-template.conf: typo; from Olivier Cherrier; + +2004-02-05 12:01 hshoexer + + * exchange.c: small logging cleanup and improvement requested by + markus ok ho@ markus@ + +2004-01-26 15:56 niklas + + * regress/exchange/run.pl: Added 2-clause license + +2004-01-24 00:08 jmc + + * isakmpd.8: `Ns' implies `No', so `Ns No' -> `Ns'; (even simpler + in adduser(8)) discussed with todd@ + +2004-01-16 11:51 hshoexer + + * exchange.c, ike_quick_mode.c, isakmpd.8, isakmpd.c, log.c, log.h: + Added -v option. Enables logging of successful exchange + completion. ok ho@ + +2004-01-16 01:00 brad + + * exchange.c, ipsec.c, message.c: Fixes a few message handling + flaws in isakmpd as reported by Thomas Walpuski. + + ok deraadt@ hshoexer@ + +2004-01-13 23:50 brad + + * crypto.c, crypto.h, exchange.c, ipsec.c, message.c: Fixes a few + message handling flaws in isakmpd as reported by Thomas Walpuski. + + ok deraadt@ hshoexer@ + +2004-01-09 11:03 hshoexer + + * regress/exchange/run.sh: call nc correctly (nc has changed a + while ago). ok markus@ + +2004-01-06 01:22 hshoexer + + * conf.c, sa.c: small typos fixed. + + ok markus@ + +2004-01-06 01:09 hshoexer + + * x509.c: Remove redundant test for file types. Noted by Stefan + Paletta. While around, fix typos in log messages. + + Both ok markus@ + +2004-01-03 17:38 ho + + * ipsec.c: Be more careful with INITIAL-CONTACT and do not delete + SPIs when getting an INVALID-SPI notification. Issues noted by + Thomas Walpuski. markus@ ok. 
+ +2003-12-22 19:13 markus + + * crypto.h: use AES_BLOCK_SIZE only for USE_AES; report + martti.kuparinen@iki.fi; ok ho@ + +2003-12-18 03:03 ho + + * transport.c: Mention the exchange name when giving up on a + message. Suggested by Michael Coulter. + +2003-12-15 11:06 hshoexer + + * ipsec.c, ipsec_num.cst, math_group.c, math_group.h: Support for + groups modp2048, modp3072, modp4096, modp6144 and modp8192 (IDs + 14 to 18). + + ok ho@ + +2003-12-14 15:50 ho + + * log.c, util.c, util.h: Log the actual port for src and dst, don't + assume it's always 500. + +2003-12-14 15:34 ho + + * sysdep/linux/sysdep.c: Make isakmpd work on big endian linux + machines. From Sebastian Klemke. Also, a few style nits and a + better error message text. + +2003-12-05 14:17 ho + + * message.c: Style nits + +2003-12-04 23:44 hshoexer + + * message.c: Validate SPIs presented in DELETE messages of the + informational exchange. ok markus@ + +2003-12-04 22:13 miod + + * ike_phase_1.c, isakmp_cfg.c: Typos + +2003-11-20 12:23 jmc + + * isakmpd.8: use .Dv for AF_INET and AF_INET6 (kills ugly line + break); spotted by Alexey E. Suslikov; + + also kill some .Pp's before displays/lists for better PostScript + output; + +2003-11-08 20:17 jmc + + * init.c: typos from Jonathon Gray; + +2003-11-07 11:16 jmc + + * x509.c, samples/VPN-3way-template.conf: adress -> address, and a + few more; all from Jonathon Gray; + + (mvme68k/mvme88k) vs.c and (vax) if_le.c ok miod@ isakmpd ones ok + ho@ +End of changelog debian package isakmpd.20031107-1 +-------------------------------------------------- + +2003-11-06 17:12 ho + + * dnssec.c, exchange.c, field.c, if.c, ike_auth.c, ipsec.c, key.c, + log.c, message.c, message.h, monitor_fdpass.c, pf_key_v2.c, + policy.c, ui.c, x509.c, x509.h: Style nits. + +2003-11-06 16:55 ho + + * exchange.c, message.c: Require encrypted messages are soon as we + have the keystate for it. 
Require DELETE payloads to be + accompanied by HASHes, and add validation for HASH payloads + without active exchanges. From Hans-Joerg Hoexer with various + modifications and suggestions from me and markus@. Ok markus@. + +2003-11-06 16:50 ho + + * ipsec.c: spis[] type tweak. From Hans-Joerg Hoexer. + +2003-11-05 13:55 jmc + + * isakmpd.conf.5: PFS: Perfect Forward Secrecy (RFC 2409); from + misc@ and ok markus@ + +2003-11-05 13:31 jmc + + * QUESTIONS: updated URL from Jared Yanovich; + +2003-10-25 22:47 mcbride + + * isakmpd.policy.5: OpenSSL generates DNs with emailAddress, not + Email. + +2003-10-25 09:47 jmc + + * isakmpd.8: receiveing -> receiving; from Jared Yanovich; + +2003-10-14 16:29 ho + + * exchange.c, ike_auth.c, ike_phase_1.c, ipsec.c, isakmp_doi.c: + constant_lookup() to constant_name() cleanup. markus@ ok. + +2003-10-13 15:57 ho + + * isakmpd.8, log.h, ui.c: Add a UI FIFO debug class. ok markus@ + plus I think henning@ + +2003-10-04 19:29 cloder + + * ike_phase_1.c: Avoid crash on invalid config file (missing value + for LIFE_DURATION). OK ho@ + +2003-09-26 17:59 aaron + + * sysdep/freeswan/klips.c: Fix off-by-ones in format string for 's' + specifier; millert@, deraadt@ ok + +2003-09-26 13:29 cedric + + * udp.c: don't listen to INADDR_ANY if Listen-on is specified. + patch from markus@, ok ho@ + +2003-09-26 00:28 aaron + + * monitor.c: Fix off-by-one out-of-bounds write; millert@ ok + +2003-09-25 16:15 cloder + + * exchange.c, if.c: Fix one case of set length before realloc. Fix + another case of foo = realloc(foo...) and avoid possible memory + leaks. Avoid leaving things pointing to freed memory on failure. 
+ +2003-09-24 13:12 markus + + * crypto.c, crypto.h, regress/crypto/cryptotest.c: re-add AES, but + without using EVP; patch from Hans-Joerg.Hoexer at + yerbouti.franken.de; ok ho@ (interops with isakmpd+AES in OpenBSD + 3.4) + +2003-09-24 12:13 markus + + * crypto.c, crypto.h, regress/crypto/cryptotest.c: back out EVP + change; causes fd leaks; ok cedric@ + +End of changelog debian package isakmpd.20030907-1 +-------------------------------------------------- + +2003-09-05 09:50 tedu + + * monitor.c: socket leak on error paths. from Patrick Latifi. ok + deraadt@ ho@ + +2003-09-02 20:15 ho + + * conf.c, ipsec.c: A couple of nits. deraadt@ ok. + +2003-09-02 20:14 ho + + * message.c: Require ISAKMP_FLAGS_ENC on phase 2 messages. ok + markus@, deraadt@. + +2003-09-02 20:11 ho + + * sysdep/linux/: bitstring.h, sys/queue.h: For easier compilation + on linux systems. Requested by Thomas Walpuski. + +2003-08-28 16:43 markus + + * Makefile, TO-DO, conf.c, crypto.c, crypto.h, isakmpd.conf.5, + regress/crypto/Makefile, regress/crypto/cryptotest.c: support AES + in phase 1, too. switch to OpenSSL EVP interface; with + Hans-Joerg.Hoexer at yerbouti.franken.de; ok ho@ + +2003-08-20 16:43 ho + + * samples/singlehost-west.conf: Zap an old "Identification" tag in + this sample config. I have no idea what it was supposed to do and + in any case there is no reference to this tag in current code. + Pointed out by Fridtjof Busse. + +2003-08-20 14:25 ho + + * isakmpd.8: certpatch(8) can be used to create FQDN X509v3 + extensions too. From Fridtjof Busse, via henning@. Thanks. 
+ + +End of changelog debian package isakmpd.20030820-1 +-------------------------------------------------- + +2003-07-09 10:16 jmc + + * isakmpd.conf.5, isakmpd.policy.5: - remove some .Ss's that worked + around the old blank line bug - remove some unnecessary .Pp's - + mdoc a list + + ok ho@ + +2003-06-20 11:14 ho + + * transport.c: Be a bit more verbose when we give up on ever seeing + a response to the last message we sent out. In case we initiated + the exchange, one possible and common reason is a network level + problem (pf, routing, whatnot), if we're the responder, there is + also the possibility we were scanned by something like ike-scan. + markus@ ok. + +2003-06-17 23:56 millert + + * sysdep/common/libsysdep/: strlcat.c, strlcpy.c: Sync with + share/misc/license.template and add missing DARPA credit where + applicable. + +2003-06-15 12:32 ho + + * exchange.c: ID copying should happen earlier in exchange_finalize + so that we won't lose data during rekeying. From Jean-Francois + Dive. + +2003-06-14 13:47 ho + + * message.c: allocate payload_node with calloc instead of malloc + +2003-06-13 05:50 brad + + * ipsec.c: MFC: Fix from ho@ + + Do not crash on unsupported IPSec ID types, as noted by Eric + Boudrand. + + deraadt@ millert@ ok + +2003-06-13 05:34 brad + + * ipsec.c: MFC: Fix from ho@ + + Do not crash on unsupported IPSec ID types, as noted by Eric + Boudrand. + + deraadt@ millert@ ok + +2003-06-10 18:41 deraadt + + * conf.c, exchange.c, ike_auth.c, ike_phase_1.c, ike_quick_mode.c, + isakmp_cfg.c, log.c, monitor.c, monitor.h, pf_key_v2.c, policy.c, + transport.c, udp.c, x509.c: boring cleanups + +2003-06-10 14:21 ho + + * ipsec.c: Do not crash on unsupported IPSec ID types, as noted by + Eric Boudrand. 
+ +2003-06-04 09:31 ho + + * exchange.c, ike_aggressive.c, ike_auth.c, ike_phase_1.c, + ike_quick_mode.c, init.c, ipsec.c, ipsec.h, isakmpd.8, isakmpd.c, + isakmpd.policy.5, libcrypto.c, libcrypto.h, message.c, message.h, + pf_key_v2.c, policy.c, policy.h, sa.c, sa.h, udp.c, x509.c, + x509.h, apps/certpatch/certpatch.8, apps/certpatch/certpatch.c, + regress/ec2n/ec2ntest.c, regress/hmac/hmactest.c: Remove the rest + of clauses 3 and 4. Approved by Niklas Hallqvist, Angelos D. + Keromytis and Niels Provos. + +2003-06-04 09:27 ho + + * DESIGN-NOTES: Remove 3 and 4 from the "license to use" + +2003-06-03 17:20 ho + + * sysdep/linux/: GNUmakefile.sysdep, sysdep-os.h, sysdep.c: Remove + clause 3. Approved by niklas@ and Thomas Walpuski. + +2003-06-03 17:02 ho + + * sysdep/linux/README: Obsolete. + +2003-06-03 16:53 ho + + * sysdep/: bsdi/GNUmakefile.sysdep, bsdi/Makefile.sysdep, + bsdi/sysdep-os.h, bsdi/sysdep.c, darwin/GNUmakefile.sysdep, + darwin/Makefile.sysdep, darwin/sysdep-os.h, darwin/sysdep.c, + freebsd/GNUmakefile.sysdep, freebsd/Makefile.sysdep, + freebsd/sysdep-os.h, freebsd/sysdep.c, + freeswan/GNUmakefile.sysdep, freeswan/Makefile.sysdep, + freeswan/klips.c, freeswan/klips.h, freeswan/sysdep-os.h, + freeswan/sysdep.c, netbsd/GNUmakefile.sysdep, + netbsd/Makefile.sysdep, netbsd/sysdep-os.h, netbsd/sysdep.c, + openbsd/GNUmakefile.sysdep, openbsd/Makefile.sysdep, + openbsd/keynote_compat.c, openbsd/sysdep-os.h, openbsd/sysdep.c: + Remove clauses 3 and 4. Approved by markus@ and niklas@. + +2003-06-03 16:52 ho + + * sysdep/common/: blf.h, libsysdep/GNUmakefile, libsysdep/Makefile, + libsysdep/blowfish.c: Remove clauses 3 and 4. Approved by Niklas + Hallqvist and Niels Provos. 
+ +2003-06-03 16:39 ho + + * regress/Makefile, regress/check.sh, regress/b2n/b2ntest.c, + regress/crypto/cryptotest.c, regress/dh/dhtest.c, + regress/exchange/Makefile, regress/exchange/run.sh, + samples/Makefile, regress/group/grouptest.c, + regress/prf/prftest.c, regress/rsakeygen/Makefile, + regress/rsakeygen/rsakeygen.c, regress/util/utiltest.c, + regress/x509/Makefile, regress/x509/x509test.c: Remove clauses 3 + and 4. Approved by Niklas Hallqvist and Niels Provos. + +2003-06-03 16:35 ho + + * apps/: Makefile, certpatch/Makefile: Remove clauses 3 and 4. + Approved by Niklas Hallqvist and Niels Provos. + +2003-06-03 16:34 ho + + * apps/keyconv/: Makefile, keyconv.8, keyconv.c, keyvalues.h: + Remove clause 3. + +2003-06-03 16:29 ho + + * features/: aggressive, dnssec, ec, isakmp_cfg, policy, privsep, + x509: Remove clause 3. Approved by niklas@ + +2003-06-03 16:28 ho + + * GNUmakefile, Makefile, app.c, app.h, attribute.c, attribute.h, + cert.c, cert.h, conf.c, conf.h, connection.c, connection.h, + constants.c, constants.h, cookie.c, cookie.h, crypto.c, crypto.h, + dh.c, dh.h, dnssec.c, dnssec.h, doi.c, doi.h, exchange.h, + exchange_num.cst, field.c, field.h, genconstants.sh, + genfields.sh, gmp_util.c, gmp_util.h, hash.c, hash.h, if.c, if.h, + ike_aggressive.h, ike_auth.c, ike_auth.h, ike_main_mode.c, + ike_main_mode.h, ike_phase_1.h, ike_quick_mode.h, init.c, init.h, + ipsec_doi.h, ipsec_fld.fld, ipsec_num.cst, isakmp.h, + isakmp_cfg.c, isakmp_cfg.h, isakmp_doi.c, isakmp_doi.h, + isakmp_fld.fld, isakmp_num.cst, isakmpd.conf.5, log.c, log.h, + math_2n.c, math_2n.h, math_ec2n.c, math_ec2n.h, math_group.c, + math_group.h, math_mp.h, monitor.c, monitor.h, pf_key_v2.h, + prf.c, prf.h, sysdep.h, timer.c, timer.h, transport.c, + transport.h, udp.h, ui.c, ui.h, util.c, util.h: Remove clauses 3 + and 4. With approval from Niklas Hallqvist and Niels Provos. 
+ +2003-06-03 15:16 jmc + + * isakmpd.8, isakmpd.conf.5, isakmpd.policy.5: - section reorder - + some mdoc fixes + +2003-06-03 14:51 ho + + * conf.c, constants.c, dnssec.c, exchange.c, ike_auth.c, + ike_phase_1.c, ike_quick_mode.c, ipsec.c, log.c, message.c, + policy.c, sa.c, udp.c, x509.c: Cleanup. Use 'sizeof variable' + instead of magic constants. + +2003-06-03 03:52 millert + + * sysdep/common/libsysdep/: strlcat.c, strlcpy.c: Use an ISC-tyle + license for all my code; it is simpler and more permissive. + +2003-06-02 22:06 millert + + * sysdep/freeswan/sys/queue.h: Remove the advertising clause in the + UCB license which Berkeley rescinded 22 July 1999. Proofed by + myself and Theo. + +2003-05-18 23:26 ho + + * monitor.c: Add some path sanitation; only permit write operations + to /tmp, /var/tmp and /var/run. Opens in /etc/isakmpd/ are + read-only. Any other path is invalid. markus@ ok. + +2003-05-18 22:46 ho + + * init.c: Style tweak. + +2003-05-18 22:39 ho + + * sa.c: Add a debug message to sa_reinit() to indicate when we + renegotiate active connections. + +2003-05-18 22:09 ho + + * monitor_fdpass.c: Forgot to remove a couple of debug messages + +2003-05-18 22:06 ho + + * udp.c: struct sockaddr is not large enough in itself to contain + the address value. Switching to sockaddr_storage makes interface + rescanning work properly. niklas@ ok. + +2003-05-18 21:37 ho + + * conf.c, ike_auth.c, isakmpd.c, log.c, monitor.c, monitor.h, + monitor_fdpass.c, pf_key_v2.c, policy.c: More isakmpd privsep + work. X509 private keys are now kept in the privileged process + only. Various cleanup and bugfixes. markus@ ok + +2003-05-18 20:16 ho + + * GNUmakefile, pf_key_v2.c, udp.c, sysdep/linux/GNUmakefile.sysdep, + sysdep/linux/sysdep-os.h, sysdep/linux/sysdep.c: Sysdep for + native Linux IPSec, 2.5 and later. From Thomas Walpuski, with + various tweaks by me. niklas@ ok. 
+ +2003-05-17 19:39 ho + + * monitor.h, monitor_fdpass.c: Better return codes from mm_send_fd + and mm_receive_fd + +2003-05-17 19:32 ho + + * monitor_fdpass.c: Use log_error(), not log_fatal(). Style. + +2003-05-17 19:26 jmc + + * isakmpd.conf.5: tweak; ok ho@ + +2003-05-16 22:31 ho + + * init.c, isakmpd.conf.5, sa.c, sa.h: If the "Renegotiate-on-HUP" + tag is defined in the [General] section, a HUP signal (or "R" to + the FIFO) will also renegotiate all Phase 2 SAs, i.e all + connections. ok niklas@, tested and ok kjell@. + +2003-05-15 05:20 ho + + * ike_auth.c: Correct a two year old typo, which might actually + make setsockopt(..., IP_IPSEC_LOCAL_AUTH, ...) start working. + +2003-05-15 04:28 ho + + * exchange.c, ike_auth.c, sa.c, sa.h: Cleanup. Do not store the + private key in either the exchange or sa structs. + +2003-05-15 04:08 ho + + * ike_auth.c: Work around some OpenSSL BIO "features" to read the + key correctly. + +2003-05-15 04:04 ho + + * monitor.c: Proper exit of the monitor process. + +2003-05-15 03:51 ho + + * monitor.c: wait() for the child process + +2003-05-15 02:28 ho + + * Makefile, conf.c, conf.h, ike_auth.c, init.c, isakmpd.c, log.c, + monitor.c, monitor.h, monitor_fdpass.c, pf_key_v2.c, policy.c, + udp.c, ui.c, util.c, features/privsep, sysdep/openbsd/sysdep.c: + Start of privilege separation for isakmpd. There are some kinks + left, so keep it default disabled for now. markus@ says ok to + commit. + +2003-05-15 02:24 ho + + * log.h: (c) + +2003-05-15 01:44 kjell + + * pf_key_v2.c: properly terminate debug string (levels >=40) Use + "%.*s" as suggested by Niklas. ok ho@. Lost by kjell. oked ho@. + lost by kjell again. oked ho@ + +2003-05-15 01:29 ho + + * features/policy: Remove the .if/.endif stuff that gmake does not + understand. Replace with a comment about needing keynote for + policy. 
+ +2003-05-14 22:49 ho + + * GNUmakefile, Makefile, sysdep/freeswan/GNUmakefile.sysdep, + sysdep/freeswan/Makefile.sysdep, sysdep/freeswan/README, + sysdep/freeswan/klips.c, sysdep/freeswan/klips.h, + sysdep/freeswan/sysdep-os.h, sysdep/freeswan/sysdep.c, + sysdep/freeswan/sys/queue.h, sysdep/linux/GNUmakefile.sysdep, + sysdep/linux/Makefile.sysdep, sysdep/linux/README, + sysdep/linux/klips.c, sysdep/linux/klips.h, + sysdep/linux/sysdep-os.h, sysdep/linux/sysdep.c: Call the + FreeS/WAN sysdep 'freeswan'. The 'linux' sysdep will be native + Linux IPSec. + +2003-05-14 20:11 ho + + * conf.c, conf.h, ike_auth.c: Default public key directory + definition sanity. + +2003-05-14 20:10 ho + + * policy.c, policy.h: Policy file default defined twice, kill the + local copy. + +2003-05-14 20:08 ho + + * isakmpd.c: Fix a typo (in unused code). + +2003-05-14 19:37 ho + + * ipsec.c, ipsec_num.cst, pf_key_v2.c, policy.c, sa.c: I did not + test this enough. Unbreak. + +2003-05-12 23:48 ho + + * isakmp_num.cst: Update with some data for NAT-T specific payload + types, IKEv2 notifications, ISAKMP EAP code and types, plus fix + an old typo. + +2003-05-12 23:43 ho + + * ipsec.c, pf_key_v2.c, policy.c, sa.c: AES -> AES_128_CBC + +2003-05-12 23:42 ho + + * ipsec_num.cst: Add two more encapsulation types (UDP encap, + potential future NAT-T) Add BLOCK_SIZE attribute Rename + IPSEC_ESP_AES -> IPSEC_ESP_AES_128_CBC. + +2003-05-12 01:17 ho + + * genconstants.sh: Slight style fix for .cst files. Permit comments + also after a definition. + +2003-05-11 04:16 markus + + * pf_key_v2.c: fix ID-type for ipv6; ok niklas; report fries + +2003-05-10 23:13 jmc + + * isakmpd.8, isakmpd.conf.5: typos; + +2003-04-30 17:15 jason + + * conf.c: cast size_t to unsigned long and use %lu;ok ho + +2003-04-27 13:17 ho + + * isakmpd.8: Describe the 'C set' FIFO command better. (PR#3148, + also) + +2003-04-27 13:16 ho + + * ui.c: Make the 'C set' FIFO command work as expected. PR#3148. 
+ +2003-04-14 15:08 ho + + * isakmpd.c: Unlink FIFO and pid files on clean shutdown. PR#3199 + +2003-04-14 12:22 ho + + * pf_key_v2.c: More snprintf style + +2003-04-14 12:14 ho + + * pf_key_v2.c: A "%d" is 12 chars, not 10. Use sizeof num instead + of '10' in snprintf. From Theo. + +2003-04-09 17:46 ho + + * x509.c: Less noise for missing crl dir, demoted to debug message. + +2003-03-21 16:13 markus + + * isakmpd.conf.5: document [initiator-id] section; + richb@timestone.com.au; ok ho@, jmc@ + +2003-03-20 20:39 margarida + + * isakmp_cfg.c: Pull patch from current: Fix by ho@. Proper + id_string for SET/ACK responder, plus attr payload fixes. + + ok millert@ markus@ ho@ + +2003-03-16 09:13 matthieu + + * samples/: VPN-east.conf, VPN-west.conf: secrity -> security. Ok + ho@ + +2003-03-14 15:49 ho + + * math_group.c, transport.c, sysdep/common/blf.h, + sysdep/common/libsysdep/blowfish.c: Spelling fixes from david@. + jmc@ ok. + +2003-03-13 14:24 ho + + * ike_auth.c: Might as well do blinding here too. + +2003-03-13 11:31 ho + + * util.c: Avoid "j += snprintf()". niklas@ ok. + +2003-03-06 21:29 jmc + + * isakmpd.conf.5, isakmpd.policy.5: .Xr typos; + + ok deraadt@ + +2003-03-06 15:22 cedric + + * util.c: fix text2sockaddr() when HAVE_GETNAMEINFO is false and + port is NULL. ok ho@ + +2003-03-06 14:48 cedric + + * field.c: "len" is decremented too early, so the second argument + of the snprintf call is too small on last run of the loop. ok + ho@ + +2003-03-06 14:32 ho + + * exchange.c: Bad cut'n'paste msg plus style fixes. + +2003-03-06 10:56 ho + + * util.c: Less ambiguous l-value usage. Noted by cedric@ + +2003-03-06 05:07 david + + * apps/keyconv/keyconv.8: date should be written formally: .Dd + Month day, year ok henning@ jmc@ + +2003-03-03 17:51 ho + + * isakmpd.conf.5: Re-add the BUGS section; the RFCs still do not + permit differing DH groups in the same proposal. This time, + mention that this also applies to mixing PFS and non-PFS suites. 
+ +2003-02-26 23:55 ho + + * samples/VPN-west.conf: Typo/pasto. Spotted by Tim Donahue. + +2003-02-26 09:17 david + + * exchange.c: IPsec is written ``IPsec'', not ``IPSec''. ok ho@ + +2003-02-24 13:01 markus + + * pf_key_v2.c: pf_key_v2_flow: typo in debug msg (KAME) + +2003-02-22 07:57 kjell + + * README: typo: noneheless->nontheless + +2003-02-22 07:56 kjell + + * isakmpd.8, isakmpd.conf.5: Clarify some language, grammar. ho@ + okayed this many moons ago, and I forgot all about it. + +2003-02-12 16:11 markus + + * if.c, if.h, udp.c: better error checking on bind(); from + Alexander_Bluhm at genua.de; ok ho@ + +2003-02-05 11:29 jmc + + * isakmpd.8: typos; isakmpd(8) ok niklas@, mailwrapper(8) help + kjell@ + +2003-02-04 21:02 markus + + * conf.c: don't set the Transform for Default-phase-1-configuration + twice, ok ho@ + +2003-02-04 21:02 markus + + * conf.h: default to 3DES-SHA-RSA_SIG (same as in OpenBSD 3.2); ok + ho@ + +2003-01-22 16:13 ho + + * ike_auth.c: Typo. + +2003-01-20 20:52 deraadt + + * isakmpd.policy.5: typos; alan@alanday.com diff --git a/keyexchange/isakmpd-20041012/debian/README.Debian b/keyexchange/isakmpd-20041012/debian/README.Debian new file mode 100644 index 0000000..5ed5128 --- /dev/null +++ b/keyexchange/isakmpd-20041012/debian/README.Debian @@ -0,0 +1,17 @@ +State of the package / isakmpd port to linux +-------------------------------------------- +The port is operational and is included in upstream, from various sources. + + +Where to start +-------------- +- isakmpd.conf man pages. +- configuration examples. +- openbsd isakmpd documentation. + +caution note +------------ +- keynote is used to check for all policy components. For exemple, if acting + as initiator, isakmpd will send the isakmpd.conf configured proposals but + will only check the received proposal with the rules enforced in isakmpd.policy. + 
diff --git a/keyexchange/isakmpd-20041012/debian/changelog b/keyexchange/isakmpd-20041012/debian/changelog
new file mode 100644
index 0000000..1883efc
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/debian/changelog
@@ -0,0 +1,153 @@ +isakmpd (20041012-4) unstable; urgency=high + + * Fix replay protection (CVE-2006-4436) + Thanks to Stefan Fritsch <sf@fritsch.de> (Closes: #385894) + + -- Jochen Friedrich <jochen@scram.de> Mon, 4 Sep 2006 18:41:00 +0200 + +isakmpd (20041012-3) unstable; urgency=low + + * Fix NAT-T RFC support. + * Remove superfluos header from packet dump so tcpdump and ethereal + can read the dump. + + -- Jochen Friedrich <jochen@scram.de> Mon, 28 Aug 2006 17:14:47 +0200 + +sakmpd (20041012-2) unstable; urgency=low + + * New maintainer (Closes: #358800) + * Replace SADB_X_SPDADD by SADB_X_SPDUPDATE (Closes: #346214) + * Fix NAT-T (Closes: #324753) + * Fix openssl incompatibility with version 0.9.8b (Closes: #334624) + * Fix dependencies (Closes: #320393, #325849) + * gcc compiler fixes (Closes: #318241) + * Update standards version to 3.7.2 + + -- Jochen Friedrich <jochen@scram.de> Tue, 21 Feb 2006 14:26:40 +0100 + +isakmpd (20041012-1) unstable; urgency=high + + * new upstream cvs merge. + * add setsockopt to properly configure udp encap socket. + * add proper source port in nat-t sadb set (thanks to Thomas Walpuski). + * DPD now works (closes: #258479). + * NAT-T now works (closes: #269851). + * remove double dependency on libkeynote0 (closes: #272377). + + -- Jean-Francois Dive <jef@debian.org> Tue, 7 Sep 2004 11:28:18 +0200 + +isakmpd (20040628-1) unstable; urgency=high + + * New upstream cvs merge. + * Enabled DPD. + * Enabled NAT-T + added support for linux nat-t pfkey msgs. + * Fix payload handling denial-of-service vuln (closes: #239739); + * Add spd cleartext entry (thanks to Vincent Bernat). (closes: #243990). + * Add dependency on linux-kernel-headers (closes: #238793). + * Add man page for isakmpd.policy. + * No issue with Renegotiate-on-HUP (closes: #255507). + * x509v3.cnf provided (closes: #238542). + * Added certpatch utility (closes: #231743). + * Fixed pcap support (closes: #238543). 
+ + -- Jean-Francois Dive <jef@debian.org> Mon, 5 Jul 2004 23:32:47 +0200 + +isakmpd (20040204-1) unstable; urgency=low + + * Provide ike-server (closes: #223784). + * Fixes for big indian systems (thanks to Sebastian Klemke). + (closes: #223845). + * Fix for certificates file access on non ext2 enabled kernel + systems, thanks to jochen. (closes: #225474). + * Update kernel version informations. (closes: #229795). + * New upstream cvs merge. + * Added missing man page isakmpd.policy(5) (thanks to Toni Mueller). + (closes: #231123). + + -- Jean-Francois Dive <jef@debian.org> Sun, 8 Feb 2004 20:55:34 +0100 + +isakmpd (20031107-2) unstable; urgency=high + + * SECURITY fix for INITIAL_CONTACT handeling. (previous + release actually did fixed INVALID_SPI informational exchange + security issue). The problem is the exact same nature for both + type of informational messages: because the end result is SA + deletation, the HASH payload should be in the message and checked. + + -- Jean-Francois Dive <jef@debian.org> Thu, 13 Nov 2003 14:54:01 +0100 + +isakmpd (20031107-1) unstable; urgency=high + + * new upstream cvs merge. + * SECURITY fix for HASH payload handeling (closes: #219864). + * SECURITY fix handeling of quick mode exchange encryption (it now + does require quick mode to be encrypted both Rx/Tx). + * SECURITY fix for INITIAL_CONTACT handeling (did not check for + mandatory HASH payload). + * Updated linux kernel header for interop with debian x86 kernels. + * Fix issues with policy handeling in keynote. + + -- Jean-Francois Dive <jef@debian.org> Thu, 13 Nov 2003 11:05:09 +0100 + +isakmpd (20030907-1) unstable; urgency=high + + * new upstream cvs merge. + * Fixed kernel interface due to ABI changes in linux IPSec. + * Fixed keynote issue. + + -- Jean-Francois Dive <jef@debian.org> Wed, 10 Sep 2003 22:47:17 +0200 + +isakmpd (20030718-1) unstable; urgency=high + + * New upstream version. + * Merged new upstream linux native build support. 
+ * Added fine grained selector support to upstream linux native sysdep. + * Removed useless libc and kernel headers. + * Removed libdes. + * Added generated upstream changelog (generated by cvs2cl.pl). + + -- Jean-Francois Dive <jef@debian.org> Tue, 22 Jul 2003 12:15:30 +0200 + +isakmpd (20030119-2) unstable; urgency=low + + * Fixed init script (closes: #188086). + * Added support for Protocol and Port text definition in ID handeling. + (expl: Protocol = icmp instead of Protocol = 1). + + -- Jean-Francois Dive <jef@debian.org> Mon, 9 Jun 2003 14:11:02 +0200 + +isakmpd (20030119-1) unstable; urgency=low + + * Changed version number to a sane format. + + -- Jean-Francois Dive <jef@debian.org> Thu, 20 Mar 2003 18:46:56 +0100 + +isakmpd (19012003-4) unstable; urgency=low + + * Fixed source tree clean issues (libdes, libsysdep) (closes: #184295). + * Added diff to package upload. + + -- Jean-Francois Dive <jef@debian.org> Tue, 18 Mar 2003 17:30:57 +0100 + +isakmpd (19012003-3) unstable; urgency=low + + * switched libdes copyright from copyright.libdes to + copyright file. + + -- Jean-Francois Dive <jef@debian.org> Thu, 20 Feb 2003 13:10:54 +1100 + +isakmpd (19012003-2) unstable; urgency=low + + * Added reference to BSD license and libdes license. + * Renmoved double dependency on libssl. + * Removed /usr/doc link. + * Added lintian overrides. + + -- Jean-Francois Dive <jef@debian.org> Sun, 26 Jan 2003 00:36:40 +1100 + +isakmpd (19012003-1) unstable; urgency=low + + * Inital debianization (Closes: #163904). + + -- Jean-Francois Dive <jef@debian.org> Sun, 26 Jan 2003 00:36:40 +1100 + diff --git a/keyexchange/isakmpd-20041012/debian/control b/keyexchange/isakmpd-20041012/debian/control new file mode 100644 index 0000000..ba34296 --- /dev/null +++ b/keyexchange/isakmpd-20041012/debian/control 
@@ -0,0 +1,17 @@
+Source: isakmpd
+Maintainer: Jochen Friedrich <jochen@scram.de>
+Priority: optional
+Section: net
+Standards-Version: 3.7.2
+Build-Depends: debhelper (>= 5), libkeynote-dev, libssl-dev, libgmp3-dev, libpcap-dev, linux-kernel-headers
+
+Package: isakmpd
+Priority: optional
+Section: net
+Architecture: any
+Provides: ike-server
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: The Internet Key Exchange protocol openbsd implementation
+ IKE is a protocol which allow to exchange security information between
+ to peers. This implementation requires the native linux ipsec support.
+
diff --git a/keyexchange/isakmpd-20041012/debian/copyright b/keyexchange/isakmpd-20041012/debian/copyright
new file mode 100644
index 0000000..f418b06
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/debian/copyright
@@ -0,0 +1,21 @@
+This package have been packaged by Jean-Francois Dive <jef@debian.org> as
+isakmpd. The upstream source of isakmpd can be found at www.openbsd.org
+
+This package is now maintained by Jochen Friedrich <jochen@scram.de>
+
+- This package links against openssl.
+- This package include linux kernel include files for interface definition
+ purposes. This should mean that GPL does not apply for this distribution.
+- This package include libdes from the openbsd tree which have the same
+ license as openssl, please refer to the following license statement for details.
+
+This is isakmpd, a BSD-licensed ISAKMP/Oakley (a.k.a. IKE)
+implementation. It's written by Niklas Hallqvist and Niels Provos,
+funded by Ericsson Radio Systems AB. Isakmpd's home is in the
+OpenBSD main source tree under src/sbin/isakmpd. Look at
+http://www.openbsd.org/ for details on how to get OpenBSD source.
+
+The isakmpd license is the BSD license, please refer to
+/usr/share/common-license/BSD for details. The few code modification in isakmpd
+(linux support) are authored by Jean-Francois Dive and Jochen Friedrich
+and are release on the same license as isakmpd itself.
diff --git a/keyexchange/isakmpd-20041012/debian/isakmpd.dirs b/keyexchange/isakmpd-20041012/debian/isakmpd.dirs
new file mode 100644
index 0000000..de7adf9
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/debian/isakmpd.dirs
@@ -0,0 +1,13 @@
+usr/sbin
+usr/bin
+etc/isakmpd
+etc/isakmpd/certs
+etc/isakmpd/crls
+etc/isakmpd/ca
+etc/isakmpd/pubkeys/ipv4
+etc/isakmpd/pubkeys/ipv6
+etc/isakmpd/pubkeys/fqdn
+etc/isakmpd/pubkeys/ufqdn
+etc/isakmpd/private
+usr/share/doc/isakmpd/samples
+usr/share/lintian/overrides
diff --git a/keyexchange/isakmpd-20041012/debian/isakmpd.init b/keyexchange/isakmpd-20041012/debian/isakmpd.init
new file mode 100644
index 0000000..57de3d4
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/debian/isakmpd.init
@@ -0,0 +1,32 @@
+#!/bin/sh
+#
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+DAEMON=/usr/sbin/isakmpd
+PIDFILE=/var/run/isakmpd.pid
+
+test -f $DAEMON || exit 0
+
+case "$1" in
+ start)
+ echo -n "Starting OpenBSD isakmpd: "
+ start-stop-daemon --start --verbose --pidfile $PIDFILE --exec $DAEMON > /dev/null 2>&1
+ echo "done"
+ ;;
+ stop)
+ echo -n "Stopping OpenBSD isakmpd: "
+ start-stop-daemon --stop --verbose --pidfile $PIDFILE --exec $DAEMON > /dev/null 2>&1
+ echo "done"
+ ;;
+ restart|force-reload)
+ echo -n "Restarting OpenBSD isakmpd: "
+ start-stop-daemon --stop --verbose --pidfile $PIDFILE --exec $DAEMON > /dev/null 2>&1
+ start-stop-daemon --start --verbose --pidfile $PIDFILE --exec $DAEMON > /dev/null 2>&1
+ echo "done"
+ ;;
+ *)
+ echo "Usage: /etc/init.d/isakmpd {start|stop|restart|force-reload}"
+ exit 1
+ ;;
+esac
+
+exit 0
diff --git a/keyexchange/isakmpd-20041012/debian/isakmpd.lintian b/keyexchange/isakmpd-20041012/debian/isakmpd.lintian
new file mode 100644
index 0000000..7d9b585
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/debian/isakmpd.lintian
@@ -0,0 +1,3 @@
+isakmpd: copyright-should-refer-to-common-license-file-for-gpl
+isakmpd: non-standard-dir-perm
+isakmpd: non-standard-file-perm
diff --git a/keyexchange/isakmpd-20041012/debian/rules b/keyexchange/isakmpd-20041012/debian/rules
new file mode 100755
index 0000000..d15e56a
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/debian/rules
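Review bot: Every start-stop-daemon call in the start, stop and restart branches sends both stdout and stderr to /dev/null and is followed by an unconditional `echo "done"`, and the script ends with `exit 0`, so a daemon that fails to start (unparseable config, stale pid file, socket already bound) is reported as a success to the operator and to the package's postinst. The `--verbose` flag on the same lines is cancelled by that redirect. I would drop the redirect and let the exit status drive the message, e.g. `start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON && echo "done" || echo "failed"`, propagating the failure in the exit status instead of the trailing `exit 0`. In the restart branch the `--stop` is immediately followed by `--start` with no wait, so the new instance can race the old one for the pid file and the IKE sockets; `--stop --retry 5` (or an equivalent wait) avoids that. The stop branch could also take `--oknodo` so that stopping an already-stopped daemon is not an error.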
@@ -0,0 +1,73 @@
+#!/usr/bin/make -f
+
+export DH_COMPAT := 5
+
+b := $(CURDIR)/debian/isakmpd
+
+arrange: arrange-stamp
+arrange-stamp: install
+ dh_testdir
+ touch arrange-stamp
+
+binary: binary-stamp
+binary-stamp: binary-indep binary-arch
+ dh_testdir
+ touch binary-stamp
+
+binary-arch: binary-arch-stamp
+binary-arch-stamp: arrange
+ dh_testdir
+ dh_testroot
+ dh_installdocs -n DESIGN-NOTES QUESTIONS README README.PKI TO-DO $(CURDIR)/debian/README.Debian x509v3.cnf
+ cp $(CURDIR)/samples/*.conf $(b)/usr/share/doc/isakmpd/samples/
+ cp $(CURDIR)/samples/VPN-east.conf $(b)/etc/isakmpd/isakmpd.conf
+ cp $(CURDIR)/samples/policy $(b)/etc/isakmpd/isakmpd.policy
+ cp $(CURDIR)/isakmpd $(b)/usr/sbin/
+ cp $(CURDIR)/apps/certpatch/certpatch $(b)/usr/bin
+ cp $(CURDIR)/debian/isakmpd.lintian $(b)/usr/share/lintian/overrides/isakmpd
+ dh_installman isakmpd.8 isakmpd.conf.5 isakmpd.policy.5 apps/certpatch/certpatch.8
+ dh_installinit
+ dh_installchangelogs $(CURDIR)/debian/ChangeLog upstream
+ dh_compress
+ dh_fixperms
+ find $(b)/etc/isakmpd -type d | xargs chmod 0700
+ find $(b)/etc/isakmpd -type f | xargs chmod 0600
+ dh_strip
+ dh_installdeb
+ dh_perl
+ dh_shlibdeps
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+ touch binary-arch-stamp
+
+binary-indep: binary-indep-stamp
+binary-indep-stamp: arrange
+ dh_testdir
+ touch binary-indep-stamp
+
+build: build-stamp
+build-stamp: config
+ dh_testdir
+ $(MAKE)
+ touch build-stamp
+
+clean:
+ dh_testdir
+ dh_testroot
+ $(MAKE) clean
+ dh_clean arrange-stamp binary-stamp binary-arch-stamp binary-indep-stamp build-stamp config-stamp install-stamp
+ find $(CURDIR) -type f -name ".depend" | xargs rm -f
+
+config: config-stamp
+config-stamp:
+ dh_testdir
+ touch config-stamp
+
+install: install-stamp
+install-stamp: build
+ dh_testdir
+ dh_installdirs
+ touch install-stamp
+
+.PHONY: arrange binary binary-arch binary-indep build clean config install |
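Review bot: The binary-arch-stamp recipe installs `samples/VPN-east.conf` as the live `/etc/isakmpd/isakmpd.conf` and `samples/policy` as `/etc/isakmpd/isakmpd.policy`, and the `dh_installinit` call two lines later arranges for the daemon to be started at package installation, so every fresh install runs IKE with whatever peers, identities and authentication material that sample describes until an administrator edits it. I cannot see the sample's contents from this hunk, but a two-site example written for documentation is not a safe default for an unattended daemon; the samples are already copied to `/usr/share/doc/isakmpd/samples/` by the preceding `cp` line, so shipping a minimal conffile that defines no connections (or having the init script decline to start while the placeholder is in place) would be the usual fix. The `find $(b)/etc/isakmpd ... | xargs chmod 0700` / `0600` pair placed after `dh_fixperms` is correct for a directory that holds private keys and pre-shared secrets, since `dh_fixperms` normally resets files to 0644; keep that ordering, and a one-line comment above the two `find` lines saying why they must follow `dh_fixperms` would stop a future cleanup from moving them. The same lintian overrides for `non-standard-dir-perm` / `non-standard-file-perm` in the previous hunk exist only because of these two lines, which is worth stating in that comment as well.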