Diffstat (limited to 'keyexchange/isakmpd-20041012/debian')
-rw-r--r-- | keyexchange/isakmpd-20041012/debian/ChangeLog | 1668 | ||||
-rw-r--r-- | keyexchange/isakmpd-20041012/debian/README.Debian | 17 | ||||
-rw-r--r-- | keyexchange/isakmpd-20041012/debian/changelog | 153 | ||||
-rw-r--r-- | keyexchange/isakmpd-20041012/debian/control | 17 | ||||
-rw-r--r-- | keyexchange/isakmpd-20041012/debian/copyright | 21 | ||||
-rw-r--r-- | keyexchange/isakmpd-20041012/debian/isakmpd.dirs | 13 | ||||
-rw-r--r-- | keyexchange/isakmpd-20041012/debian/isakmpd.init | 32 | ||||
-rw-r--r-- | keyexchange/isakmpd-20041012/debian/isakmpd.lintian | 3 | ||||
-rwxr-xr-x | keyexchange/isakmpd-20041012/debian/rules | 73 |
9 files changed, 0 insertions, 1997 deletions
diff --git a/keyexchange/isakmpd-20041012/debian/ChangeLog b/keyexchange/isakmpd-20041012/debian/ChangeLog
deleted file mode 100644
index bae602d..0000000
--- a/keyexchange/isakmpd-20041012/debian/ChangeLog
+++ /dev/null
@@ -1,1668 +0,0 @@ -End of changelog debian package isakmpd.20041012-1 --------------------------------------------------- - -2004-10-08 17:18 hshoexer - - * sysdep/common/libsysdep/arc4random.c: pull in some changes from - libc arc4random (only relevant for non-OpenBSD systems): ansify, - discard first 256 output bytes, make key schedule more arc4 - stream ciper like. - - ok djm ho - -2004-10-01 06:08 jsg - - * monitor_fdpass.c: add some missing $, ok djm@ 'That looks fine to - me' millert@ - -2004-09-24 15:31 ho - - * udp_encap.c: Don't process NAT-T keepalives. Noted by Kamel - Messaoudi. hshoexer@ ok - -2004-09-20 23:36 hshoexer - - * virtual.c: compile cleanly with -Wsign-compare ok ho - -2004-09-20 23:35 hshoexer - - * monitor_fdpass.c: Remove __func__ ok ho deraadt - -2004-09-17 16:54 hshoexer - - * isakmpd.c: avoid signal race. - - ok ho@ otto@ - -2004-09-17 15:53 ho - - * exchange.c, ike_quick_mode.c, ipsec.c, key.c, pf_key_v2.c: - Missing #ifdefs. - -2004-09-17 15:46 ho - - * init.c: #include <stdlib.h> for srandom(). - -2004-09-17 15:45 ho - - * message.c: Permit next payload type NAT-OA. Noted by Kamel - Messaoudi. - -2004-08-23 13:53 ho - - * exchange.c: We need to set sa->initiator before checking if the - newly created SA replaces an old one, or the id_i/id_r check will - mismatch. Previous behaviour was mostly harmless, but wasted some - resources (until normal SA expiration). hshoexer@ "haven't tried, - but think it's ok" - -2004-08-23 13:16 ho - - * Makefile: Default enable DPD (Dead Peer Detection) support. - hshoexer@ ok - -2004-08-23 13:13 ho - - * exchange.h: Indent nit. - -2004-08-17 16:48 hshoexer - - * message.c: check for msg->isakmpg_sa being NULL before - referencing ok ho@ - -2004-08-14 15:29 hshoexer - - * ike_quick_mode.c: When using -K (keynote disabled), check peers' - proposal against isakmpd.conf. 
- - ok ho@ henning@ - -2004-08-13 04:51 djm - - * monitor_fdpass.c: extra check for no message case; ok markus, - deraadt, hshoexer, henning - -2004-08-12 13:21 hshoexer - - * monitor.c: Fix compiler warning on alpha. Noted by and ok ho@ - -2004-08-12 13:08 ho - - * pf_key_v2.c: Avoid memleak on error (Linux/KAME). Found by - Benjamin Pineau. - -2004-08-10 21:21 deraadt - - * virtual.c, x509.c: spacing - -2004-08-10 17:59 ho - - * dpd.c, dpd.h, exchange.c, ipsec.c, isakmp_num.cst, - isakmpd.conf.5, message.c, message.h, pf_key_v2.c, pf_key_v2.h, - sa.c, sa.h, sysdep.h, udp_encap.c, sysdep/bsdi/sysdep.c, - sysdep/darwin/sysdep.c, sysdep/freebsd/sysdep.c, - sysdep/freeswan/sysdep.c, sysdep/linux/sysdep.c, - sysdep/netbsd/sysdep.c, sysdep/openbsd/sysdep.c: Better - implementation of the Dead Peer Detection protocol, RFC 3706. - hshoexer@ ok. - -2004-08-10 11:49 ho - - * sysdep/linux/GNUmakefile.sysdep: Linux has AES (and DES). From - Benjamin Pineau. - -2004-08-10 11:47 ho - - * sysdep/common/libsysdep/arc4random.c: If opening /dev/arandom - fails, try /dev/random. Suggested by Benjamin Pineau. - -2004-08-08 21:11 deraadt - - * GNUmakefile, conf.c, dpd.c, exchange.c, ike_auth.c, - ike_phase_1.c, ike_quick_mode.c, ipsec.c, isakmp_cfg.c, log.c, - message.c, monitor.c, nat_traversal.c, pf_key_v2.c, policy.c, - sa.c, sysdep.h, transport.c, udp.c, udp_encap.c, ui.c, util.c, - virtual.c, x509.c: spacing - -2004-08-03 12:54 ho - - * nat_traversal.c, transport.c, udp.c, udp.h, udp_encap.c, - virtual.c: Rewrite the transport reference count code to avoid - leaks. hshoexer@ ok. - -2004-08-02 17:48 hshoexer - - * sa.c: Do not expire unestablished phase 2 SAs on SIGHUP. - - ok ho@ - -2004-08-02 17:30 ho - - * GNUmakefile: Missed to add virtual.c here. Noted by Benjamin - Pineau. - -2004-07-30 12:45 ho - - * Makefile, sysdep.h, util.c: Style. - -2004-07-29 22:02 ho - - * conf.c: Less noise while debugging. 
- -2004-07-29 10:54 ho - - * ike_aggressive.c, ike_phase_1.c, nat_traversal.c: Repair NAT-T - using Aggressive mode, NAT-D checks were in the wrong place. - Noted by Yvan VANHULLEBUS. - -2004-07-09 18:06 deraadt - - * doi.c, exchange.c: ansi - -2004-07-08 21:53 hshoexer - - * virtual.c: free() and close() in error path. - - ok ho@ - -2004-07-08 12:37 jmc - - * isakmpd.8, isakmpd.conf.5: typo, and line adjustment; - -2004-07-08 00:25 hshoexer - - * isakmpd.8, isakmpd.conf.5: document -a/-K and - "Acquire-Only"/"Use-Keynote". - - ok markus@ henning@ ho@ english polish and mdoc help and ok jmc@ - -2004-07-07 11:16 hshoexer - - * message.c: plug memleak when receiving an - INVALID_HASH_INFORMATION notify. Found by Patrick Latifi, - thanks! - - ok ho@ - -2004-07-07 11:13 hshoexer - - * udp_encap.c: compile cleanly with -Wsign-compare; while around, - kill a space - - ok ho@ - -2004-07-05 19:33 pvalchev - - * ike_phase_1.c: %lu and cast to unsigned long to print a size_t; - ok ho - -2004-06-30 12:07 hshoexer - - * nat_traversal.c: Compile cleanly with gcc3.3.2. - - ok ho@ - -2004-06-26 13:32 jmc - - * isakmpd.conf.5: new sentence, new line; - -2004-06-26 08:07 hshoexer - - * monitor.c, monitor.h, pf_key_v2.c, pf_key_v2.h, - sysdep/openbsd/sysdep.c: Narrow down privsep interface. Move - pf_key_v2_open() to monitor. - - Work in progress. - - ok ho@ - -2004-06-26 05:40 mcbride - - * sysdep/: bsdi/Makefile.sysdep, darwin/GNUmakefile.sysdep, - darwin/Makefile.sysdep, freebsd/GNUmakefile.sysdep, - freebsd/Makefile.sysdep, linux/GNUmakefile.sysdep, - netbsd/GNUmakefile.sysdep, netbsd/Makefile.sysdep, - openbsd/GNUmakefile.sysdep, openbsd/Makefile.sysdep: Remove - -DHAVE_GETNAMEINFO frome makefiles. - - Pointed out by ho@ - -2004-06-25 22:25 hshoexer - - * conf.c, conf.h, ike_quick_mode.c, isakmpd.c, policy.c, policy.h: - Keynote policy checking can now be disabled by "-K" switch and - config tag "Use-Keynote". Default is to use keynote. 
- - ok henning@ ho@ - -2004-06-25 21:42 mcbride - - * udp.c, util.c: Remove HAVE_GETNAMEINFO alternate code. Compiled - binary is unchanged. - - ok msf@ hshoexer@ itojun@ ho@ - -2004-06-25 02:58 hshoexer - - * init.c, log.c, monitor.c, monitor.h, ui.c: Narrow down privsep - interface. Remove ui_init to monitor. So we can get rid of - monitor_mkfifo. - - Work in progress. - - ok ho@ - -2004-06-24 19:02 hshoexer - - * monitor.c: Remove some unused code. Fix handling of sigchild. - Now it's possible to sigstop/sigcont isakmpd correclty. - - ok ho@ - -2004-06-24 17:58 hshoexer - - * policy.c: Also handle keys from x509-certificates embedded in - keynote credentials. - - with msf@ ok ho@ - -2004-06-24 01:36 ho - - * pf_key_v2.c: Print corrent prefix. Found and tested by alex at - vbone.net. - -2004-06-23 05:01 hshoexer - - * ike_auth.c, util.c, util.h: Avoid stat before open. Do open and - fstat instead. Remove check_file_secrecy() as it is obsoleted be - check_file_secrecy_fd(). - - ok ho@ - -2004-06-23 03:17 ho - - * Makefile, sysdep.h, util.c: Make compiling with Boehm's gc - possible again. - -2004-06-23 02:56 ho - - * ike_phase_1.c: Support IPV{4,6}_ADDR_SUBNET IDs in Phase 1, just - like the man page says we do. Noted and tested by alex at - vbone.net. Also avoid a potential SEGV here. hshoexer@ok - -2004-06-23 02:55 hshoexer - - * ipsec.c, isakmpd.c: Add commandline switch -a / config tag - "Acquire-Only" to tell isakmpd to not touch flows. - - initial work by markus ok markus@ ho@ henning@ - -2004-06-22 20:22 hshoexer - - * ike_auth.c: kn_get_string() may return NULL on failure. Handle - this corrctly. - - with msf@, ok ho@ markus@ - -2004-06-22 05:44 ho - - * virtual.c: The NAT-T drafts suggest we should drop incoming - messages arriving on the old port (500) after we've switched to - the new one. - -2004-06-22 01:42 ho - - * isakmpd.conf.5: Describe the [Default]:NAT-T-Keepalive - configuration parameter. 
- -2004-06-22 01:28 ho - - * Makefile: Enable NAT-T support. - -2004-06-22 01:27 ho - - * ipsec.c, nat_traversal.c, nat_traversal.h, sa.c, sa.h, - udp_encap.c: Implement NAT-T keepalive messages. - -2004-06-21 20:41 ho - - * pf_key_v2.c: udpencap_port should be taken from dst transport - -2004-06-21 20:40 ho - - * virtual.c: When switching from main to encap transport, copy dst - port if translated (NAT). - -2004-06-21 20:34 ho - - * monitor.c: Strip away umask bits in monitor_fopen(). hshoexer@ - ok. - -2004-06-21 20:29 ho - - * ipsec.c: style nit - -2004-06-21 19:02 markus - - * features/nat_traversal: undo double-patch; Dries Schellekens - -2004-06-21 18:37 ho - - * log.c: Don't write too much IKE data in packet capture - -2004-06-21 18:01 ho - - * log.c, message.c: Packet capture should add the ESP-marker when - NAT-T is active. - -2004-06-21 17:15 ho - - * pf_key_v2.c: Tell the kernel to enable ESP-in-UDP encapsulation - when we have SAs negotiated with NAT-T. - -2004-06-21 15:09 ho - - * exchange.c, sa.h, transport.c, udp.c, udp_encap.c, virtual.c: - Port floating (500->4500) for p1 and p2 exchanges. - -2004-06-20 19:44 ho - - * message.c: message_parse_payloads should accept payloads in the - private range. While here, also cleanup some messages. - -2004-06-20 19:17 ho - - * dpd.c, exchange.c, ike_auth.c, ike_phase_1.c, ike_quick_mode.c, - init.c, ipsec.c, isakmp_cfg.c, isakmp_doi.c, message.c, - message.h, nat_traversal.c: Make the payload array in struct - message dynamic, since we need to handle payloads in the private - range, such as the pre-RFC NAT-D/NAT-OA. Replace - TAILQ_FIRST(&msg->payload[i]) instances with function calls. - -2004-06-20 17:24 ho - - * Makefile, exchange.h, ike_phase_1.c, init.c, ipsec.c, isakmp.h, - isakmp_fld.fld, message.c, nat_traversal.c, nat_traversal.h, - policy.c, transport.c, transport.h, udp.c, udp.h, udp_encap.c, - udp_encap.h, util.c, util.h, virtual.c, virtual.h, - features/nat_traversal: NAT-Traversal for isakmpd. 
Work in - progress... hshoexer@ ok. - -2004-06-20 17:20 ho - - * dpd.c, dpd.h, exchange.c, isakmp_num.cst, sa.h, features/dpd: A - start towards Dead Peer Detection (DPD) support, as specified in - RFC 3706 - -2004-06-20 17:11 ho - - * message.c: Some vendors send the last Aggressive Mode message - unencrypted, which we should accept. Problem noted by alex at - vbone.net. hshoexer@ ok. - -2004-06-20 17:03 ho - - * isakmpd.c, monitor.c, monitor.h: To make debugging the - unprivileged child process easier, make 'isakmpd -dd' pause just - after privsep; print the PIDs and wait for SIGCONT. hshoexer@ ok - -2004-06-17 21:39 hshoexer - - * ipsec.c: Yet another bunch of memleask found and fixed by Patrick - Latifi. Thanks! - - ok ho@ - -2004-06-17 21:36 hshoexer - - * udp.c: Plug a memleak. Found and fixed (and some cleanup) by - Patrick Latifi. Thanks! - - ok ho@ - -2004-06-17 21:32 hshoexer - - * x509.c: Evaluate result of X509_verify_cert() more carefully. - - ok cloder@ - -2004-06-16 17:08 hshoexer - - * util.c: Fix wrong pointer dereference and plug memleak. Found - and patch by Patrick Latifi. Thanks! - - ok ho@ - -2004-06-16 17:05 hshoexer - - * ipsec.c: fix ipv6-address and ipv6-address-mask mixup. Found by - Patrick Latifi. Thanks! - - ok ho@ - -2004-06-15 17:53 hshoexer - - * ike_quick_mode.c, isakmp_cfg.c: also use MSG_AUTHENTICATED flag. - - ok ho@ - -2004-06-14 15:53 hshoexer - - * conf.c, ike_auth.c, x509.c: avoid stat before open - - ok ho@ - -2004-06-14 12:04 hshoexer - - * message.c: added a missing message_free(). - - ok ho@ - -2004-06-14 11:55 ho - - * cert.c, conf.c, connection.c, crypto.c, dnssec.c, exchange.c, - field.c, hash.c, if.c, ike_auth.c, ike_main_mode.c, - ike_phase_1.c, ike_quick_mode.c, ipsec.c, isakmp_cfg.c, - isakmp_doi.c, isakmpd.c, key.c, log.c, math_2n.c, math_group.c, - message.c, monitor.c, pf_key_v2.c, policy.c, timer.c, - transport.c, udp.c, util.c, x509.c: KNF, style, 80c, etc. 
- hshoexer@ ok - -2004-06-11 12:17 brad - - * message.c: typo in comment - -2004-06-11 05:08 brad - - * ike_phase_1.c, ike_quick_mode.c, ipsec.c, message.c, message.h: - MFC: Fix by hshoexer@ - - Mark authenticated messages explicitly. Better check for - authentication before deleteing SAs. - - This fix is needed to solve the problems reported by Thomas - Walpuski, previous diff was not sufficient. Pointed out by - Thomas. Thanks! - -2004-06-11 04:34 brad - - * ike_phase_1.c, ike_quick_mode.c, ipsec.c, message.c, message.h: - MFC: Fix by hshoexer@ - - Mark authenticated messages explicitly. Better check for - authentication before deleteing SAs. - - This fix is needed to solve the problems reported by Thomas - Walpuski, previous diff was not sufficient. Pointed out by - Thomas. Thanks! - -2004-06-10 14:54 hshoexer - - * ike_phase_1.c, ike_quick_mode.c, ipsec.c, message.c, message.h: - Mark authenticated messages explicitly. Better check for - authentication before deleteing SAs. - - This fix is needed to solve the problems reported by Thomas - Walpuski, previous diff was not sufficient. Pointed out by - Thomas. Thanks! - - ok ho@ niklas@, testing and spellcheck by todd@ msf@ - -2004-06-09 23:15 brad - - * message.c: MFC: Fix by hshoexer@ - - only accept DELETEs during an authenticated INFORMATIONAL - exchange. Fix for recent problem disclosed by Thomas Walpuski. - -2004-06-09 22:48 brad - - * message.c: MFC: Fix by hshoexer@ - - only accept DELETEs during an authenticated INFORMATIONAL - exchange. Fix for recent problem disclosed by Thomas Walpuski. - -2004-06-09 16:02 ho - - * conf.c, exchange.c, ike_phase_1.c, ike_quick_mode.c, ipsec.c, - isakmp_cfg.c, message.c, pf_key_v2.c, transport.c, udp.c: Style - nits. hshoexer@ ok - -2004-06-09 14:59 hshoexer - - * message.c: only accept DELETEs during an authenticated - INFORMATIONAL exchange. Fix for recent problem disclosed by - Thomas Walpuski. - - ok ho@ - -2004-06-06 15:05 ho - - * ike_phase_1.c: Style (KNF, 80c). 
No binary change. - -2004-06-02 18:19 hshoexer - - * ike_auth.c, x509.c: remove unused BIO-functions. - - ok markus@ ho@ - -2004-05-27 00:17 hshoexer - - * ike_auth.c: do not leak fd on error path. - - ok ho@ - -2004-05-24 16:54 hshoexer - - * util.c: Use correct function names in log messages. Kill some - spaces. - - ok deraadt@ ho@ - -2004-05-23 20:17 hshoexer - - * field.c, field.h, hash.c, if.c, ike_aggressive.c, - ike_aggressive.h, ike_auth.c, ike_main_mode.c, ike_main_mode.h, - ipsec.c, ipsec.h, isakmp_cfg.c, isakmp_cfg.h, isakmp_doi.c, - isakmpd.c, key.c, log.c, log.h, math_2n.c, math_ec2n.c, - math_ec2n.h, math_group.c, message.c, message.h, monitor.c, - monitor_fdpass.c, pf_key_v2.h, policy.c, prf.c, sa.c, sa.h, - timer.c, timer.h, udp.c, ui.c, util.c, x509.c, x509.h: More KNF. - Mainly spaces and line-wraps, no binary change. - - ok ho@ - -2004-05-23 18:14 deraadt - - * if.c, udp.c: remove excessive monitor_ prefixes - -2004-05-23 18:14 deraadt - - * policy.c, util.c, util.h: stat before open is flawed - -2004-05-23 18:13 deraadt - - * key.c: greater care with arguments - -2004-05-19 16:30 ho - - * ipsec.c, isakmpd.c: Permit symbolic protocol and service names, - such as "Protocol= tcp", in the <IPsec-ID> sections. hshoexer@ ok - -2004-05-14 10:42 hshoexer - - * attribute.c, attribute.h, cert.c, cert.h, conf.c, conf.h, - connection.c, cookie.c, cookie.h, crypto.c, crypto.h, dh.h, - dnssec.c, dnssec.h, doi.c, doi.h: Some more KNF, no binary - change. - - ok ho@ - -2004-05-13 08:56 ho - - * connection.c, isakmpd.8, sa.c, sa.h, ui.c, ui.h: Extensions to - the FIFO interface: "C get [section]:tag" fetches a configuration - value. "C add [section]:tag=value" adds 'value' to a list, - typically for the [Phase 2]:Connections tag. FIFO "S" command - destination file changed. Various KNF cleanups. hshoexer@ ok. - -2004-05-10 20:34 deraadt - - * monitor.c: 64bit gcc saw missing cast - -2004-05-06 12:40 ho - - * exchange.c: KNF cleanup. 
hshoexer@ ok - -2004-05-03 23:23 hshoexer - - * exchange.c, exchange.h: KNF. ok ho@ - -2004-04-30 00:36 hshoexer - - * message.c: Better checking of minimum payload lengths. Drop out - safely when an unknown payload type is encountered. While - around, do some KNF. - - ok ho@ - -2004-04-28 22:20 hshoexer - - * ike_quick_mode.c, policy.c, policy.h: remove unused variable and - shorten names of two other. Removed some spaces while around. - - ok ho@ markus@ - -2004-04-28 16:40 ho - - * ipsec_num.cst, isakmp_num.cst: Reserve some payload numbers for - RFC 3547 and the earlier NAT-T drafts. hshoexer@ ok. - -2004-04-23 16:15 ho - - * conf.c, conf.h: Make sure KEY_LENGTH attribute is present when - checking AES proposals, required when acting as responder to - SafeNet peers. Also make conf_load_defaults() readable again - (KNF). hshoexer@ ok. - -2004-04-15 22:20 deraadt - - * conf.c: more knf; ok hshoexer - -2004-04-15 20:53 deraadt - - * conf.c: knf - -2004-04-15 20:39 deraadt - - * app.c, app.h, attribute.c, attribute.h, cert.c, cert.h, conf.c, - conf.h, connection.c, connection.h, constants.c, constants.h, - cookie.c, cookie.h, crypto.c, crypto.h, dh.c, dh.h, dnssec.c, - dnssec.h, doi.c, doi.h, exchange.h, field.c, field.h, - genconstants.sh, genfields.sh, gmp_util.c, gmp_util.h, hash.c, - hash.h, if.c, if.h, ike_aggressive.c, ike_aggressive.h, - ike_auth.c, ike_auth.h, ike_main_mode.c, ike_main_mode.h, - ike_phase_1.c, ike_phase_1.h, ike_quick_mode.c, ike_quick_mode.h, - init.c, init.h, ipsec.c, ipsec.h, ipsec_doi.h, isakmp.h, - isakmp_cfg.c, isakmp_cfg.h, isakmp_doi.c, isakmp_doi.h, - isakmpd.c, key.c, key.h, libcrypto.c, libcrypto.h, log.c, log.h, - math_2n.c, math_2n.h, math_ec2n.c, math_ec2n.h, math_group.c, - math_group.h, math_mp.h, message.c, message.h, monitor.c, - monitor.h, monitor_fdpass.c, pf_key_v2.c, pf_key_v2.h, policy.c, - policy.h, prf.c, prf.h, sa.c, sa.h, sysdep.h, timer.c, timer.h, - transport.c, transport.h, udp.c, udp.h, ui.c, ui.h, util.c, - 
util.h, x509.c, x509.h, sysdep/openbsd/keynote_compat.c, - sysdep/openbsd/sysdep.c: partial move to KNF. More to come. - This has happened because there are a raft of source code - auditors who are willing to help improve this code only if this - is done, and hey, isakmpd does need our standard auditing - process. ok ho hshoexer - -2004-04-15 02:27 deraadt - - * isakmpd.8: spaces - -2004-04-13 23:48 hshoexer - - * if.c: Add missing #include. Found by Stefan Paletta. - - ok henning@ ho@ - -2004-04-08 18:08 henning - - * sysdep/linux/sys/queue.h: swap the last two parameters to - TAILQ_FOREACH_REVERSE. matches what FreeBSD and NetBSD do. ok - millert@ mcbride@ markus@ ho@, checked to not affect ports by - naddy@ - -2004-04-08 12:05 hshoexer - - * init.c, isakmpd.c: Set timezone before privsep, child uses now - correct timezone. Noticed by david@ - - ok ho@ david@ - -2004-04-08 00:45 ho - - * conf.h, exchange.h, ike_auth.c, ike_phase_1.c, ike_quick_mode.c, - ipsec.c, log.c, math_2n.c, math_group.c, math_group.h, message.c, - monitor.c, pf_key_v2.c, policy.c, sa.c, udp.c, ui.c, util.c, - x509.c, regress/crypto/cryptotest.c: -Wsign-compare nits. - hshoexer@ ok. - -2004-04-08 00:45 ho - - * key.c: Reset *data in case of unknown key types - -2004-04-08 00:43 ho - - * Makefile: -Wmissing-declarations - -2004-04-07 22:04 ho - - * sa.c: More careful when walking LIST queues. hshoexer@, david@ - ok. - -2004-03-31 12:54 ho - - * cert.c, crypto.c, exchange.c, hash.c, ike_auth.c: -Wsign-compare - nits. hshoexer@ ok. - -2004-03-31 12:53 ho - - * monitor.c: Use sysdep_sa_len() instead of sa->sa_len, also - correct a log_fatal() message. hshoexer@ ok. - -2004-03-31 12:47 ho - - * isakmpd.c, sysdep/openbsd/Makefile.sysdep: Don't assume - closefrom(2) exists everywhere. hshoexer@, markus@ ok. 
- -2004-03-29 19:07 deraadt - - * monitor.c: use malloc (oops) - -2004-03-29 18:32 deraadt - - * monitor.c: wrong FD_ZERO(); from ho, hshoexer, markus - -2004-03-29 18:32 deraadt - - * udp.c: memory mishandling; from ho - -2004-03-24 17:44 hshoexer - - * isakmpd.8: Add some notes about privsep to manpage. - - ok ho@ jmc@ deraadt@ - -2004-03-23 19:20 hshoexer - - * monitor.c: Remove erroneous null termination. - - ok ho@ deraadt@ - -2004-03-19 15:04 hshoexer - - * Makefile, conf.c, conf.h, if.c, ike_auth.c, isakmpd.c, log.c, - monitor.c, monitor.h, policy.c, sa.c, udp.c, ui.c, x509.c: Add - missing bits to make already present privsep code work. Enable - privsep. - - ok ho@ deraadt@ markus@ - -2004-03-17 16:05 brad - - * doi.h, ike_quick_mode.c, ipsec.c, isakmp_cfg.c, isakmp_doi.c, - message.c, util.h: MFC: Fix by hshoexer@ - - Fix payload handling flaws found by cloder@. Based on initial - patch by cloder@. - - ok deraadt@ hshoexer@ - -2004-03-17 15:59 brad - - * doi.h, ike_quick_mode.c, ipsec.c, isakmp_cfg.c, isakmp_doi.c, - message.c, util.h: MFC: Fix by hshoexer@ - - Fix payload handling flaws found by cloder@. Based on initial - patch by cloder@. - - ok deraadt@ hshoexer@ - -2004-03-17 12:10 ho - - * ike_auth.c: For consistency and to avoid a rare memory leak, the - result from ike_auth_get_key() should always be released after - use. Found and ok hshoexer@. - -2004-03-15 17:34 hshoexer - - * monitor.c: Properly check succes of chroot(). - - ok ho@ - -2004-03-15 17:29 hshoexer - - * monitor.c, monitor.h: Remove unused code. - - ok ho@ - -2004-03-11 17:56 hshoexer - - * isakmp_cfg.c: Fix a memleak. - - ok ho@ - -2004-03-11 00:08 hshoexer - - * doi.h, ipsec.c, isakmp_doi.c, message.c, util.h: Fix payload - handling flaws found by cloder@. Based on initial patch by - cloder@. Testing by markus@ cloder@ hshoexer@. - - ok ho@ - -2004-03-10 17:10 hshoexer - - * message.c: Plug up memory leak. 
- - ok ho@ - -2004-03-10 12:17 hshoexer - - * message.c: Reduce some noise on receipt of an invalid spi. - - ok ho@ - -2004-03-10 10:28 ho - - * pf_key_v2.c: Fix for PR2429, from Clemens Wittinger. - -2004-03-09 22:42 hshoexer - - * message.c: Plug memleaks, found by cloder@. - - ok ho@ - -2004-02-27 20:14 hshoexer - - * ipsec.c: Remove dead code. - - ok ho@ - -2004-02-27 20:07 hshoexer - - * conf.c, isakmpd.conf.5: Add group 14 (modp2048) to predefined - suites. Manpage also updated. ok ho@ - -2004-02-27 11:16 ho - - * ike_phase_1.c, ike_quick_mode.c, sa.c, sa.h: (C)-2004 - -2004-02-27 10:01 ho - - * ike_phase_1.c, ike_quick_mode.c, sa.c, sa.h: Follow RFC 2408 more - closely regarding how to better check the proposal returned by - the other peer (the responder). Some implementations (notably the - Cisco PIX) does not follow a SHOULD in section 4.2 of the RFC. - With certain proposal combinations this caused us to setup the - wrong SA resulting in us being unable to process incoming IPsec - traffic (over this tunnel). - - Tested against a number of different IKE implementations. - hshoexer@ ok. - -2004-02-26 16:27 hshoexer - - * regress/rsakeygen/rsakeygen.c: remove unused code. noticed by - ho@ ok ho@ - -2004-02-26 06:52 jmc - - * isakmpd.conf.5: tweak; ok hshoexer@ - -2004-02-25 17:01 hshoexer - - * init.c, isakmpd.conf.5, log.c, log.h, regress/b2n/Makefile, - regress/crypto/Makefile, regress/crypto/cryptotest.c, - regress/dh/Makefile, regress/ec2n/Makefile, - regress/group/Makefile, regress/prf/Makefile, - regress/rsakeygen/Makefile, regress/rsakeygen/rsakeygen.c, - regress/util/Makefile: Add and document configuration options - Logverbose and Loglevel. As log.c now depends on conf.c and some - regression tests use log.c, add conf.c to Makefiles where - necessary. - - ok ho@ - -2004-02-20 12:31 hshoexer - - * ike_quick_mode.c: More small adjustments of log messages. - -2004-02-20 10:46 hshoexer - - * ike_quick_mode.c: Fix some double free errors. 
While around, - adjust a log message. ok ho@ - -2004-02-19 16:35 hshoexer - - * isakmpd.c: small cleanup of log messages. ok ho@ - -2004-02-19 10:54 ho - - * isakmpd.c, log.c, log.h: With -d, SIGINT should do a clean - shutdown. Without -d, logs should be sent to syslog, level - LOG_INFO. - -2004-02-19 10:46 ho - - * isakmpd.c: Cleanup. - -2004-02-16 21:40 markus - - * exchange.c: check for isakmp_sa->transport != NULL; noticed by - bluhm at genua.de ok hshoexer@ - -2004-02-11 09:55 jmc - - * samples/VPN-3way-template.conf: typo; from Olivier Cherrier; - -2004-02-05 12:01 hshoexer - - * exchange.c: small logging cleanup and improvement requested by - markus ok ho@ markus@ - -2004-01-26 15:56 niklas - - * regress/exchange/run.pl: Added 2-clause license - -2004-01-24 00:08 jmc - - * isakmpd.8: `Ns' implies `No', so `Ns No' -> `Ns'; (even simpler - in adduser(8)) discussed with todd@ - -2004-01-16 11:51 hshoexer - - * exchange.c, ike_quick_mode.c, isakmpd.8, isakmpd.c, log.c, log.h: - Added -v option. Enables logging of successful exchange - completion. ok ho@ - -2004-01-16 01:00 brad - - * exchange.c, ipsec.c, message.c: Fixes a few message handling - flaws in isakmpd as reported by Thomas Walpuski. - - ok deraadt@ hshoexer@ - -2004-01-13 23:50 brad - - * crypto.c, crypto.h, exchange.c, ipsec.c, message.c: Fixes a few - message handling flaws in isakmpd as reported by Thomas Walpuski. - - ok deraadt@ hshoexer@ - -2004-01-09 11:03 hshoexer - - * regress/exchange/run.sh: call nc correctly (nc has changed a - while ago). ok markus@ - -2004-01-06 01:22 hshoexer - - * conf.c, sa.c: small typos fixed. - - ok markus@ - -2004-01-06 01:09 hshoexer - - * x509.c: Remove redundant test for file types. Noted by Stefan - Paletta. While around, fix typos in log messages. - - Both ok markus@ - -2004-01-03 17:38 ho - - * ipsec.c: Be more careful with INITIAL-CONTACT and do not delete - SPIs when getting an INVALID-SPI notification. Issues noted by - Thomas Walpuski. markus@ ok. 
- -2003-12-22 19:13 markus - - * crypto.h: use AES_BLOCK_SIZE only for USE_AES; report - martti.kuparinen@iki.fi; ok ho@ - -2003-12-18 03:03 ho - - * transport.c: Mention the exchange name when giving up on a - message. Suggested by Michael Coulter. - -2003-12-15 11:06 hshoexer - - * ipsec.c, ipsec_num.cst, math_group.c, math_group.h: Support for - groups modp2048, modp3072, modp4096, modp6144 and modp8192 (IDs - 14 to 18). - - ok ho@ - -2003-12-14 15:50 ho - - * log.c, util.c, util.h: Log the actual port for src and dst, don't - assume it's always 500. - -2003-12-14 15:34 ho - - * sysdep/linux/sysdep.c: Make isakmpd work on big endian linux - machines. From Sebastian Klemke. Also, a few style nits and a - better error message text. - -2003-12-05 14:17 ho - - * message.c: Style nits - -2003-12-04 23:44 hshoexer - - * message.c: Validate SPIs presented in DELETE messages of the - informational exchange. ok markus@ - -2003-12-04 22:13 miod - - * ike_phase_1.c, isakmp_cfg.c: Typos - -2003-11-20 12:23 jmc - - * isakmpd.8: use .Dv for AF_INET and AF_INET6 (kills ugly line - break); spotted by Alexey E. Suslikov; - - also kill some .Pp's before displays/lists for better PostScript - output; - -2003-11-08 20:17 jmc - - * init.c: typos from Jonathon Gray; - -2003-11-07 11:16 jmc - - * x509.c, samples/VPN-3way-template.conf: adress -> address, and a - few more; all from Jonathon Gray; - - (mvme68k/mvme88k) vs.c and (vax) if_le.c ok miod@ isakmpd ones ok - ho@ -End of changelog debian package isakmpd.20031107-1 --------------------------------------------------- - -2003-11-06 17:12 ho - - * dnssec.c, exchange.c, field.c, if.c, ike_auth.c, ipsec.c, key.c, - log.c, message.c, message.h, monitor_fdpass.c, pf_key_v2.c, - policy.c, ui.c, x509.c, x509.h: Style nits. - -2003-11-06 16:55 ho - - * exchange.c, message.c: Require encrypted messages are soon as we - have the keystate for it. 
Require DELETE payloads to be - accompanied by HASHes, and add validation for HASH payloads - without active exchanges. From Hans-Joerg Hoexer with various - modifications and suggestions from me and markus@. Ok markus@. - -2003-11-06 16:50 ho - - * ipsec.c: spis[] type tweak. From Hans-Joerg Hoexer. - -2003-11-05 13:55 jmc - - * isakmpd.conf.5: PFS: Perfect Forward Secrecy (RFC 2409); from - misc@ and ok markus@ - -2003-11-05 13:31 jmc - - * QUESTIONS: updated URL from Jared Yanovich; - -2003-10-25 22:47 mcbride - - * isakmpd.policy.5: OpenSSL generates DNs with emailAddress, not - Email. - -2003-10-25 09:47 jmc - - * isakmpd.8: receiveing -> receiving; from Jared Yanovich; - -2003-10-14 16:29 ho - - * exchange.c, ike_auth.c, ike_phase_1.c, ipsec.c, isakmp_doi.c: - constant_lookup() to constant_name() cleanup. markus@ ok. - -2003-10-13 15:57 ho - - * isakmpd.8, log.h, ui.c: Add a UI FIFO debug class. ok markus@ - plus I think henning@ - -2003-10-04 19:29 cloder - - * ike_phase_1.c: Avoid crash on invalid config file (missing value - for LIFE_DURATION). OK ho@ - -2003-09-26 17:59 aaron - - * sysdep/freeswan/klips.c: Fix off-by-ones in format string for 's' - specifier; millert@, deraadt@ ok - -2003-09-26 13:29 cedric - - * udp.c: don't listen to INADDR_ANY if Listen-on is specified. - patch from markus@, ok ho@ - -2003-09-26 00:28 aaron - - * monitor.c: Fix off-by-one out-of-bounds write; millert@ ok - -2003-09-25 16:15 cloder - - * exchange.c, if.c: Fix one case of set length before realloc. Fix - another case of foo = realloc(foo...) and avoid possible memory - leaks. Avoid leaving things pointing to freed memory on failure. 
- -2003-09-24 13:12 markus - - * crypto.c, crypto.h, regress/crypto/cryptotest.c: re-add AES, but - without using EVP; patch from Hans-Joerg.Hoexer at - yerbouti.franken.de; ok ho@ (interops with isakmpd+AES in OpenBSD - 3.4) - -2003-09-24 12:13 markus - - * crypto.c, crypto.h, regress/crypto/cryptotest.c: back out EVP - change; causes fd leaks; ok cedric@ - -End of changelog debian package isakmpd.20030907-1 --------------------------------------------------- - -2003-09-05 09:50 tedu - - * monitor.c: socket leak on error paths. from Patrick Latifi. ok - deraadt@ ho@ - -2003-09-02 20:15 ho - - * conf.c, ipsec.c: A couple of nits. deraadt@ ok. - -2003-09-02 20:14 ho - - * message.c: Require ISAKMP_FLAGS_ENC on phase 2 messages. ok - markus@, deraadt@. - -2003-09-02 20:11 ho - - * sysdep/linux/: bitstring.h, sys/queue.h: For easier compilation - on linux systems. Requested by Thomas Walpuski. - -2003-08-28 16:43 markus - - * Makefile, TO-DO, conf.c, crypto.c, crypto.h, isakmpd.conf.5, - regress/crypto/Makefile, regress/crypto/cryptotest.c: support AES - in phase 1, too. switch to OpenSSL EVP interface; with - Hans-Joerg.Hoexer at yerbouti.franken.de; ok ho@ - -2003-08-20 16:43 ho - - * samples/singlehost-west.conf: Zap an old "Identification" tag in - this sample config. I have no idea what it was supposed to do and - in any case there is no reference to this tag in current code. - Pointed out by Fridtjof Busse. - -2003-08-20 14:25 ho - - * isakmpd.8: certpatch(8) can be used to create FQDN X509v3 - extensions too. From Fridtjof Busse, via henning@. Thanks. 
- - -End of changelog debian package isakmpd.20030820-1 --------------------------------------------------- - -2003-07-09 10:16 jmc - - * isakmpd.conf.5, isakmpd.policy.5: - remove some .Ss's that worked - around the old blank line bug - remove some unnecessary .Pp's - - mdoc a list - - ok ho@ - -2003-06-20 11:14 ho - - * transport.c: Be a bit more verbose when we give up on ever seeing - a response to the last message we sent out. In case we initiated - the exchange, one possible and common reason is a network level - problem (pf, routing, whatnot), if we're the responder, there is - also the possibility we were scanned by something like ike-scan. - markus@ ok. - -2003-06-17 23:56 millert - - * sysdep/common/libsysdep/: strlcat.c, strlcpy.c: Sync with - share/misc/license.template and add missing DARPA credit where - applicable. - -2003-06-15 12:32 ho - - * exchange.c: ID copying should happen earlier in exchange_finalize - so that we won't lose data during rekeying. From Jean-Francois - Dive. - -2003-06-14 13:47 ho - - * message.c: allocate payload_node with calloc instead of malloc - -2003-06-13 05:50 brad - - * ipsec.c: MFC: Fix from ho@ - - Do not crash on unsupported IPSec ID types, as noted by Eric - Boudrand. - - deraadt@ millert@ ok - -2003-06-13 05:34 brad - - * ipsec.c: MFC: Fix from ho@ - - Do not crash on unsupported IPSec ID types, as noted by Eric - Boudrand. - - deraadt@ millert@ ok - -2003-06-10 18:41 deraadt - - * conf.c, exchange.c, ike_auth.c, ike_phase_1.c, ike_quick_mode.c, - isakmp_cfg.c, log.c, monitor.c, monitor.h, pf_key_v2.c, policy.c, - transport.c, udp.c, x509.c: boring cleanups - -2003-06-10 14:21 ho - - * ipsec.c: Do not crash on unsupported IPSec ID types, as noted by - Eric Boudrand. 
- -2003-06-04 09:31 ho - - * exchange.c, ike_aggressive.c, ike_auth.c, ike_phase_1.c, - ike_quick_mode.c, init.c, ipsec.c, ipsec.h, isakmpd.8, isakmpd.c, - isakmpd.policy.5, libcrypto.c, libcrypto.h, message.c, message.h, - pf_key_v2.c, policy.c, policy.h, sa.c, sa.h, udp.c, x509.c, - x509.h, apps/certpatch/certpatch.8, apps/certpatch/certpatch.c, - regress/ec2n/ec2ntest.c, regress/hmac/hmactest.c: Remove the rest - of clauses 3 and 4. Approved by Niklas Hallqvist, Angelos D. - Keromytis and Niels Provos. - -2003-06-04 09:27 ho - - * DESIGN-NOTES: Remove 3 and 4 from the "license to use" - -2003-06-03 17:20 ho - - * sysdep/linux/: GNUmakefile.sysdep, sysdep-os.h, sysdep.c: Remove - clause 3. Approved by niklas@ and Thomas Walpuski. - -2003-06-03 17:02 ho - - * sysdep/linux/README: Obsolete. - -2003-06-03 16:53 ho - - * sysdep/: bsdi/GNUmakefile.sysdep, bsdi/Makefile.sysdep, - bsdi/sysdep-os.h, bsdi/sysdep.c, darwin/GNUmakefile.sysdep, - darwin/Makefile.sysdep, darwin/sysdep-os.h, darwin/sysdep.c, - freebsd/GNUmakefile.sysdep, freebsd/Makefile.sysdep, - freebsd/sysdep-os.h, freebsd/sysdep.c, - freeswan/GNUmakefile.sysdep, freeswan/Makefile.sysdep, - freeswan/klips.c, freeswan/klips.h, freeswan/sysdep-os.h, - freeswan/sysdep.c, netbsd/GNUmakefile.sysdep, - netbsd/Makefile.sysdep, netbsd/sysdep-os.h, netbsd/sysdep.c, - openbsd/GNUmakefile.sysdep, openbsd/Makefile.sysdep, - openbsd/keynote_compat.c, openbsd/sysdep-os.h, openbsd/sysdep.c: - Remove clauses 3 and 4. Approved by markus@ and niklas@. - -2003-06-03 16:52 ho - - * sysdep/common/: blf.h, libsysdep/GNUmakefile, libsysdep/Makefile, - libsysdep/blowfish.c: Remove clauses 3 and 4. Approved by Niklas - Hallqvist and Niels Provos. 
- -2003-06-03 16:39 ho - - * regress/Makefile, regress/check.sh, regress/b2n/b2ntest.c, - regress/crypto/cryptotest.c, regress/dh/dhtest.c, - regress/exchange/Makefile, regress/exchange/run.sh, - samples/Makefile, regress/group/grouptest.c, - regress/prf/prftest.c, regress/rsakeygen/Makefile, - regress/rsakeygen/rsakeygen.c, regress/util/utiltest.c, - regress/x509/Makefile, regress/x509/x509test.c: Remove clauses 3 - and 4. Approved by Niklas Hallqvist and Niels Provos. - -2003-06-03 16:35 ho - - * apps/: Makefile, certpatch/Makefile: Remove clauses 3 and 4. - Approved by Niklas Hallqvist and Niels Provos. - -2003-06-03 16:34 ho - - * apps/keyconv/: Makefile, keyconv.8, keyconv.c, keyvalues.h: - Remove clause 3. - -2003-06-03 16:29 ho - - * features/: aggressive, dnssec, ec, isakmp_cfg, policy, privsep, - x509: Remove clause 3. Approved by niklas@ - -2003-06-03 16:28 ho - - * GNUmakefile, Makefile, app.c, app.h, attribute.c, attribute.h, - cert.c, cert.h, conf.c, conf.h, connection.c, connection.h, - constants.c, constants.h, cookie.c, cookie.h, crypto.c, crypto.h, - dh.c, dh.h, dnssec.c, dnssec.h, doi.c, doi.h, exchange.h, - exchange_num.cst, field.c, field.h, genconstants.sh, - genfields.sh, gmp_util.c, gmp_util.h, hash.c, hash.h, if.c, if.h, - ike_aggressive.h, ike_auth.c, ike_auth.h, ike_main_mode.c, - ike_main_mode.h, ike_phase_1.h, ike_quick_mode.h, init.c, init.h, - ipsec_doi.h, ipsec_fld.fld, ipsec_num.cst, isakmp.h, - isakmp_cfg.c, isakmp_cfg.h, isakmp_doi.c, isakmp_doi.h, - isakmp_fld.fld, isakmp_num.cst, isakmpd.conf.5, log.c, log.h, - math_2n.c, math_2n.h, math_ec2n.c, math_ec2n.h, math_group.c, - math_group.h, math_mp.h, monitor.c, monitor.h, pf_key_v2.h, - prf.c, prf.h, sysdep.h, timer.c, timer.h, transport.c, - transport.h, udp.h, ui.c, ui.h, util.c, util.h: Remove clauses 3 - and 4. With approval from Niklas Hallqvist and Niels Provos. 
- -2003-06-03 15:16 jmc - - * isakmpd.8, isakmpd.conf.5, isakmpd.policy.5: - section reorder - - some mdoc fixes - -2003-06-03 14:51 ho - - * conf.c, constants.c, dnssec.c, exchange.c, ike_auth.c, - ike_phase_1.c, ike_quick_mode.c, ipsec.c, log.c, message.c, - policy.c, sa.c, udp.c, x509.c: Cleanup. Use 'sizeof variable' - instead of magic constants. - -2003-06-03 03:52 millert - - * sysdep/common/libsysdep/: strlcat.c, strlcpy.c: Use an ISC-tyle - license for all my code; it is simpler and more permissive. - -2003-06-02 22:06 millert - - * sysdep/freeswan/sys/queue.h: Remove the advertising clause in the - UCB license which Berkeley rescinded 22 July 1999. Proofed by - myself and Theo. - -2003-05-18 23:26 ho - - * monitor.c: Add some path sanitation; only permit write operations - to /tmp, /var/tmp and /var/run. Opens in /etc/isakmpd/ are - read-only. Any other path is invalid. markus@ ok. - -2003-05-18 22:46 ho - - * init.c: Style tweak. - -2003-05-18 22:39 ho - - * sa.c: Add a debug message to sa_reinit() to indicate when we - renegotiate active connections. - -2003-05-18 22:09 ho - - * monitor_fdpass.c: Forgot to remove a couple of debug messages - -2003-05-18 22:06 ho - - * udp.c: struct sockaddr is not large enough in itself to contain - the address value. Switching to sockaddr_storage makes interface - rescanning work properly. niklas@ ok. - -2003-05-18 21:37 ho - - * conf.c, ike_auth.c, isakmpd.c, log.c, monitor.c, monitor.h, - monitor_fdpass.c, pf_key_v2.c, policy.c: More isakmpd privsep - work. X509 private keys are now kept in the privileged process - only. Various cleanup and bugfixes. markus@ ok - -2003-05-18 20:16 ho - - * GNUmakefile, pf_key_v2.c, udp.c, sysdep/linux/GNUmakefile.sysdep, - sysdep/linux/sysdep-os.h, sysdep/linux/sysdep.c: Sysdep for - native Linux IPSec, 2.5 and later. From Thomas Walpuski, with - various tweaks by me. niklas@ ok. 
- -2003-05-17 19:39 ho - - * monitor.h, monitor_fdpass.c: Better return codes from mm_send_fd - and mm_receive_fd - -2003-05-17 19:32 ho - - * monitor_fdpass.c: Use log_error(), not log_fatal(). Style. - -2003-05-17 19:26 jmc - - * isakmpd.conf.5: tweak; ok ho@ - -2003-05-16 22:31 ho - - * init.c, isakmpd.conf.5, sa.c, sa.h: If the "Renegotiate-on-HUP" - tag is defined in the [General] section, a HUP signal (or "R" to - the FIFO) will also renegotiate all Phase 2 SAs, i.e all - connections. ok niklas@, tested and ok kjell@. - -2003-05-15 05:20 ho - - * ike_auth.c: Correct a two year old typo, which might actually - make setsockopt(..., IP_IPSEC_LOCAL_AUTH, ...) start working. - -2003-05-15 04:28 ho - - * exchange.c, ike_auth.c, sa.c, sa.h: Cleanup. Do not store the - private key in either the exchange or sa structs. - -2003-05-15 04:08 ho - - * ike_auth.c: Work around some OpenSSL BIO "features" to read the - key correctly. - -2003-05-15 04:04 ho - - * monitor.c: Proper exit of the monitor process. - -2003-05-15 03:51 ho - - * monitor.c: wait() for the child process - -2003-05-15 02:28 ho - - * Makefile, conf.c, conf.h, ike_auth.c, init.c, isakmpd.c, log.c, - monitor.c, monitor.h, monitor_fdpass.c, pf_key_v2.c, policy.c, - udp.c, ui.c, util.c, features/privsep, sysdep/openbsd/sysdep.c: - Start of privilege separation for isakmpd. There are some kinks - left, so keep it default disabled for now. markus@ says ok to - commit. - -2003-05-15 02:24 ho - - * log.h: (c) - -2003-05-15 01:44 kjell - - * pf_key_v2.c: properly terminate debug string (levels >=40) Use - "%.*s" as suggested by Niklas. ok ho@. Lost by kjell. oked ho@. - lost by kjell again. oked ho@ - -2003-05-15 01:29 ho - - * features/policy: Remove the .if/.endif stuff that gmake does not - understand. Replace with a comment about needing keynote for - policy. 
- -2003-05-14 22:49 ho - - * GNUmakefile, Makefile, sysdep/freeswan/GNUmakefile.sysdep, - sysdep/freeswan/Makefile.sysdep, sysdep/freeswan/README, - sysdep/freeswan/klips.c, sysdep/freeswan/klips.h, - sysdep/freeswan/sysdep-os.h, sysdep/freeswan/sysdep.c, - sysdep/freeswan/sys/queue.h, sysdep/linux/GNUmakefile.sysdep, - sysdep/linux/Makefile.sysdep, sysdep/linux/README, - sysdep/linux/klips.c, sysdep/linux/klips.h, - sysdep/linux/sysdep-os.h, sysdep/linux/sysdep.c: Call the - FreeS/WAN sysdep 'freeswan'. The 'linux' sysdep will be native - Linux IPSec. - -2003-05-14 20:11 ho - - * conf.c, conf.h, ike_auth.c: Default public key directory - definition sanity. - -2003-05-14 20:10 ho - - * policy.c, policy.h: Policy file default defined twice, kill the - local copy. - -2003-05-14 20:08 ho - - * isakmpd.c: Fix a typo (in unused code). - -2003-05-14 19:37 ho - - * ipsec.c, ipsec_num.cst, pf_key_v2.c, policy.c, sa.c: I did not - test this enough. Unbreak. - -2003-05-12 23:48 ho - - * isakmp_num.cst: Update with some data for NAT-T specific payload - types, IKEv2 notifications, ISAKMP EAP code and types, plus fix - an old typo. - -2003-05-12 23:43 ho - - * ipsec.c, pf_key_v2.c, policy.c, sa.c: AES -> AES_128_CBC - -2003-05-12 23:42 ho - - * ipsec_num.cst: Add two more encapsulation types (UDP encap, - potential future NAT-T) Add BLOCK_SIZE attribute Rename - IPSEC_ESP_AES -> IPSEC_ESP_AES_128_CBC. - -2003-05-12 01:17 ho - - * genconstants.sh: Slight style fix for .cst files. Permit comments - also after a definition. - -2003-05-11 04:16 markus - - * pf_key_v2.c: fix ID-type for ipv6; ok niklas; report fries - -2003-05-10 23:13 jmc - - * isakmpd.8, isakmpd.conf.5: typos; - -2003-04-30 17:15 jason - - * conf.c: cast size_t to unsigned long and use %lu;ok ho - -2003-04-27 13:17 ho - - * isakmpd.8: Describe the 'C set' FIFO command better. (PR#3148, - also) - -2003-04-27 13:16 ho - - * ui.c: Make the 'C set' FIFO command work as expected. PR#3148. 
- -2003-04-14 15:08 ho - - * isakmpd.c: Unlink FIFO and pid files on clean shutdown. PR#3199 - -2003-04-14 12:22 ho - - * pf_key_v2.c: More snprintf style - -2003-04-14 12:14 ho - - * pf_key_v2.c: A "%d" is 12 chars, not 10. Use sizeof num instead - of '10' in snprintf. From Theo. - -2003-04-09 17:46 ho - - * x509.c: Less noise for missing crl dir, demoted to debug message. - -2003-03-21 16:13 markus - - * isakmpd.conf.5: document [initiator-id] section; - richb@timestone.com.au; ok ho@, jmc@ - -2003-03-20 20:39 margarida - - * isakmp_cfg.c: Pull patch from current: Fix by ho@. Proper - id_string for SET/ACK responder, plus attr payload fixes. - - ok millert@ markus@ ho@ - -2003-03-16 09:13 matthieu - - * samples/: VPN-east.conf, VPN-west.conf: secrity -> security. Ok - ho@ - -2003-03-14 15:49 ho - - * math_group.c, transport.c, sysdep/common/blf.h, - sysdep/common/libsysdep/blowfish.c: Spelling fixes from david@. - jmc@ ok. - -2003-03-13 14:24 ho - - * ike_auth.c: Might as well do blinding here too. - -2003-03-13 11:31 ho - - * util.c: Avoid "j += snprintf()". niklas@ ok. - -2003-03-06 21:29 jmc - - * isakmpd.conf.5, isakmpd.policy.5: .Xr typos; - - ok deraadt@ - -2003-03-06 15:22 cedric - - * util.c: fix text2sockaddr() when HAVE_GETNAMEINFO is false and - port is NULL. ok ho@ - -2003-03-06 14:48 cedric - - * field.c: "len" is decremented too early, so the second argument - of the snprintf call is too small on last run of the loop. ok - ho@ - -2003-03-06 14:32 ho - - * exchange.c: Bad cut'n'paste msg plus style fixes. - -2003-03-06 10:56 ho - - * util.c: Less ambiguous l-value usage. Noted by cedric@ - -2003-03-06 05:07 david - - * apps/keyconv/keyconv.8: date should be written formally: .Dd - Month day, year ok henning@ jmc@ - -2003-03-03 17:51 ho - - * isakmpd.conf.5: Re-add the BUGS section; the RFCs still do not - permit differing DH groups in the same proposal. This time, - mention that this also applies to mixing PFS and non-PFS suites. 
- -2003-02-26 23:55 ho - - * samples/VPN-west.conf: Typo/pasto. Spotted by Tim Donahue. - -2003-02-26 09:17 david - - * exchange.c: IPsec is written ``IPsec'', not ``IPSec''. ok ho@ - -2003-02-24 13:01 markus - - * pf_key_v2.c: pf_key_v2_flow: typo in debug msg (KAME) - -2003-02-22 07:57 kjell - - * README: typo: noneheless->nontheless - -2003-02-22 07:56 kjell - - * isakmpd.8, isakmpd.conf.5: Clarify some language, grammar. ho@ - okayed this many moons ago, and I forgot all about it. - -2003-02-12 16:11 markus - - * if.c, if.h, udp.c: better error checking on bind(); from - Alexander_Bluhm at genua.de; ok ho@ - -2003-02-05 11:29 jmc - - * isakmpd.8: typos; isakmpd(8) ok niklas@, mailwrapper(8) help - kjell@ - -2003-02-04 21:02 markus - - * conf.c: don't set the Transform for Default-phase-1-configuration - twice, ok ho@ - -2003-02-04 21:02 markus - - * conf.h: default to 3DES-SHA-RSA_SIG (same as in OpenBSD 3.2); ok - ho@ - -2003-01-22 16:13 ho - - * ike_auth.c: Typo. - -2003-01-20 20:52 deraadt - - * isakmpd.policy.5: typos; alan@alanday.com
diff --git a/keyexchange/isakmpd-20041012/debian/README.Debian b/keyexchange/isakmpd-20041012/debian/README.Debian
deleted file mode 100644
index 5ed5128..0000000
--- a/keyexchange/isakmpd-20041012/debian/README.Debian
+++ /dev/null
@@ -1,17 +0,0 @@
-State of the package / isakmpd port to linux
---------------------------------------------
-The port is operational and is included in upstream, from various sources.
-
-
-Where to start
---------------
-- isakmpd.conf man pages.
-- configuration examples.
-- openbsd isakmpd documentation.
-
-caution note
-------------
-- keynote is used to check for all policy components. For exemple, if acting
- as initiator, isakmpd will send the isakmpd.conf configured proposals but
- will only check the received proposal with the rules enforced in isakmpd.policy.
-
diff --git a/keyexchange/isakmpd-20041012/debian/changelog b/keyexchange/isakmpd-20041012/debian/changelog
deleted file mode 100644
index 1883efc..0000000
--- a/keyexchange/isakmpd-20041012/debian/changelog
+++ /dev/null
@@ -1,153 +0,0 @@
-isakmpd (20041012-4) unstable; urgency=high
-
- * Fix replay protection (CVE-2006-4436)
- Thanks to Stefan Fritsch <sf@fritsch.de> (Closes: #385894)
-
- -- Jochen Friedrich <jochen@scram.de> Mon, 4 Sep 2006 18:41:00 +0200
-
-isakmpd (20041012-3) unstable; urgency=low
-
- * Fix NAT-T RFC support.
- * Remove superfluos header from packet dump so tcpdump and ethereal
- can read the dump.
-
- -- Jochen Friedrich <jochen@scram.de> Mon, 28 Aug 2006 17:14:47 +0200
-
-sakmpd (20041012-2) unstable; urgency=low
-
- * New maintainer (Closes: #358800)
- * Replace SADB_X_SPDADD by SADB_X_SPDUPDATE (Closes: #346214)
- * Fix NAT-T (Closes: #324753)
- * Fix openssl incompatibility with version 0.9.8b (Closes: #334624)
- * Fix dependencies (Closes: #320393, #325849)
- * gcc compiler fixes (Closes: #318241)
- * Update standards version to 3.7.2
-
- -- Jochen Friedrich <jochen@scram.de> Tue, 21 Feb 2006 14:26:40 +0100
-
-isakmpd (20041012-1) unstable; urgency=high
-
- * new upstream cvs merge.
- * add setsockopt to properly configure udp encap socket.
- * add proper source port in nat-t sadb set (thanks to Thomas Walpuski).
- * DPD now works (closes: #258479).
- * NAT-T now works (closes: #269851).
- * remove double dependency on libkeynote0 (closes: #272377).
-
- -- Jean-Francois Dive <jef@debian.org> Tue, 7 Sep 2004 11:28:18 +0200
-
-isakmpd (20040628-1) unstable; urgency=high
-
- * New upstream cvs merge.
- * Enabled DPD.
- * Enabled NAT-T + added support for linux nat-t pfkey msgs.
- * Fix payload handling denial-of-service vuln (closes: #239739);
- * Add spd cleartext entry (thanks to Vincent Bernat). (closes: #243990).
- * Add dependency on linux-kernel-headers (closes: #238793).
- * Add man page for isakmpd.policy.
- * No issue with Renegotiate-on-HUP (closes: #255507).
- * x509v3.cnf provided (closes: #238542).
- * Added certpatch utility (closes: #231743).
- * Fixed pcap support (closes: #238543).
-
- -- Jean-Francois Dive <jef@debian.org> Mon, 5 Jul 2004 23:32:47 +0200
-
-isakmpd (20040204-1) unstable; urgency=low
-
- * Provide ike-server (closes: #223784).
- * Fixes for big indian systems (thanks to Sebastian Klemke).
- (closes: #223845).
- * Fix for certificates file access on non ext2 enabled kernel
- systems, thanks to jochen. (closes: #225474).
- * Update kernel version informations. (closes: #229795).
- * New upstream cvs merge.
- * Added missing man page isakmpd.policy(5) (thanks to Toni Mueller).
- (closes: #231123).
-
- -- Jean-Francois Dive <jef@debian.org> Sun, 8 Feb 2004 20:55:34 +0100
-
-isakmpd (20031107-2) unstable; urgency=high
-
- * SECURITY fix for INITIAL_CONTACT handeling. (previous
- release actually did fixed INVALID_SPI informational exchange
- security issue). The problem is the exact same nature for both
- type of informational messages: because the end result is SA
- deletation, the HASH payload should be in the message and checked.
-
- -- Jean-Francois Dive <jef@debian.org> Thu, 13 Nov 2003 14:54:01 +0100
-
-isakmpd (20031107-1) unstable; urgency=high
-
- * new upstream cvs merge.
- * SECURITY fix for HASH payload handeling (closes: #219864).
- * SECURITY fix handeling of quick mode exchange encryption (it now
- does require quick mode to be encrypted both Rx/Tx).
- * SECURITY fix for INITIAL_CONTACT handeling (did not check for
- mandatory HASH payload).
- * Updated linux kernel header for interop with debian x86 kernels.
- * Fix issues with policy handeling in keynote.
-
- -- Jean-Francois Dive <jef@debian.org> Thu, 13 Nov 2003 11:05:09 +0100
-
-isakmpd (20030907-1) unstable; urgency=high
-
- * new upstream cvs merge.
- * Fixed kernel interface due to ABI changes in linux IPSec.
- * Fixed keynote issue.
-
- -- Jean-Francois Dive <jef@debian.org> Wed, 10 Sep 2003 22:47:17 +0200
-
-isakmpd (20030718-1) unstable; urgency=high
-
- * New upstream version.
- * Merged new upstream linux native build support.
- * Added fine grained selector support to upstream linux native sysdep.
- * Removed useless libc and kernel headers.
- * Removed libdes.
- * Added generated upstream changelog (generated by cvs2cl.pl).
-
- -- Jean-Francois Dive <jef@debian.org> Tue, 22 Jul 2003 12:15:30 +0200
-
-isakmpd (20030119-2) unstable; urgency=low
-
- * Fixed init script (closes: #188086).
- * Added support for Protocol and Port text definition in ID handeling.
- (expl: Protocol = icmp instead of Protocol = 1).
-
- -- Jean-Francois Dive <jef@debian.org> Mon, 9 Jun 2003 14:11:02 +0200
-
-isakmpd (20030119-1) unstable; urgency=low
-
- * Changed version number to a sane format.
-
- -- Jean-Francois Dive <jef@debian.org> Thu, 20 Mar 2003 18:46:56 +0100
-
-isakmpd (19012003-4) unstable; urgency=low
-
- * Fixed source tree clean issues (libdes, libsysdep) (closes: #184295).
- * Added diff to package upload.
-
- -- Jean-Francois Dive <jef@debian.org> Tue, 18 Mar 2003 17:30:57 +0100
-
-isakmpd (19012003-3) unstable; urgency=low
-
- * switched libdes copyright from copyright.libdes to
- copyright file.
-
- -- Jean-Francois Dive <jef@debian.org> Thu, 20 Feb 2003 13:10:54 +1100
-
-isakmpd (19012003-2) unstable; urgency=low
-
- * Added reference to BSD license and libdes license.
- * Renmoved double dependency on libssl.
- * Removed /usr/doc link.
- * Added lintian overrides.
-
- -- Jean-Francois Dive <jef@debian.org> Sun, 26 Jan 2003 00:36:40 +1100
-
-isakmpd (19012003-1) unstable; urgency=low
-
- * Inital debianization (Closes: #163904).
-
- -- Jean-Francois Dive <jef@debian.org> Sun, 26 Jan 2003 00:36:40 +1100
-
diff --git a/keyexchange/isakmpd-20041012/debian/control b/keyexchange/isakmpd-20041012/debian/control
deleted file mode 100644
index ba34296..0000000
--- a/keyexchange/isakmpd-20041012/debian/control
+++ /dev/null
@@ -1,17 +0,0 @@
-Source: isakmpd
-Maintainer: Jochen Friedrich <jochen@scram.de>
-Priority: optional
-Section: net
-Standards-Version: 3.7.2
-Build-Depends: debhelper (>= 5), libkeynote-dev, libssl-dev, libgmp3-dev, libpcap-dev, linux-kernel-headers
-
-Package: isakmpd
-Priority: optional
-Section: net
-Architecture: any
-Provides: ike-server
-Depends: ${shlibs:Depends}, ${misc:Depends}
-Description: The Internet Key Exchange protocol openbsd implementation
- IKE is a protocol which allow to exchange security information between
- to peers. This implementation requires the native linux ipsec support.
-
diff --git a/keyexchange/isakmpd-20041012/debian/copyright b/keyexchange/isakmpd-20041012/debian/copyright
deleted file mode 100644
index f418b06..0000000
--- a/keyexchange/isakmpd-20041012/debian/copyright
+++ /dev/null
@@ -1,21 +0,0 @@
-This package have been packaged by Jean-Francois Dive <jef@debian.org> as
-isakmpd. The upstream source of isakmpd can be found at www.openbsd.org
-
-This package is now maintained by Jochen Friedrich <jochen@scram.de>
-
-- This package links against openssl.
-- This package include linux kernel include files for interface definition
- purposes. This should mean that GPL does not apply for this distribution.
-- This package include libdes from the openbsd tree which have the same
- license as openssl, please refer to the following license statement for details.
-
-This is isakmpd, a BSD-licensed ISAKMP/Oakley (a.k.a. IKE)
-implementation. It's written by Niklas Hallqvist and Niels Provos,
-funded by Ericsson Radio Systems AB. Isakmpd's home is in the
-OpenBSD main source tree under src/sbin/isakmpd. Look at
-http://www.openbsd.org/ for details on how to get OpenBSD source.
-
-The isakmpd license is the BSD license, please refer to
-/usr/share/common-license/BSD for details. The few code modification in isakmpd
-(linux support) are authored by Jean-Francois Dive and Jochen Friedrich
-and are release on the same license as isakmpd itself.
diff --git a/keyexchange/isakmpd-20041012/debian/isakmpd.dirs b/keyexchange/isakmpd-20041012/debian/isakmpd.dirs
deleted file mode 100644
index de7adf9..0000000
--- a/keyexchange/isakmpd-20041012/debian/isakmpd.dirs
+++ /dev/null
@@ -1,13 +0,0 @@
-usr/sbin
-usr/bin
-etc/isakmpd
-etc/isakmpd/certs
-etc/isakmpd/crls
-etc/isakmpd/ca
-etc/isakmpd/pubkeys/ipv4
-etc/isakmpd/pubkeys/ipv6
-etc/isakmpd/pubkeys/fqdn
-etc/isakmpd/pubkeys/ufqdn
-etc/isakmpd/private
-usr/share/doc/isakmpd/samples
-usr/share/lintian/overrides
diff --git a/keyexchange/isakmpd-20041012/debian/isakmpd.init b/keyexchange/isakmpd-20041012/debian/isakmpd.init
deleted file mode 100644
index 57de3d4..0000000
--- a/keyexchange/isakmpd-20041012/debian/isakmpd.init
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/bin/sh
-#
-PATH=/bin:/usr/bin:/sbin:/usr/sbin
-DAEMON=/usr/sbin/isakmpd
-PIDFILE=/var/run/isakmpd.pid
-
-test -f $DAEMON || exit 0
-
-case "$1" in
- start)
- echo -n "Starting OpenBSD isakmpd: "
- start-stop-daemon --start --verbose --pidfile $PIDFILE --exec $DAEMON > /dev/null 2>&1
- echo "done"
- ;;
- stop)
- echo -n "Stopping OpenBSD isakmpd: "
- start-stop-daemon --stop --verbose --pidfile $PIDFILE --exec $DAEMON > /dev/null 2>&1
- echo "done"
- ;;
- restart|force-reload)
- echo -n "Restarting OpenBSD isakmpd: "
- start-stop-daemon --stop --verbose --pidfile $PIDFILE --exec $DAEMON > /dev/null 2>&1
- start-stop-daemon --start --verbose --pidfile $PIDFILE --exec $DAEMON > /dev/null 2>&1
- echo "done"
- ;;
- *)
- echo "Usage: /etc/init.d/isakmpd {start|stop|restart|force-reload}"
- exit 1
- ;;
-esac
-
-exit 0
diff --git a/keyexchange/isakmpd-20041012/debian/isakmpd.lintian b/keyexchange/isakmpd-20041012/debian/isakmpd.lintian
deleted file mode 100644
index 7d9b585..0000000
--- a/keyexchange/isakmpd-20041012/debian/isakmpd.lintian
+++ /dev/null
@@ -1,3 +0,0 @@
-isakmpd: copyright-should-refer-to-common-license-file-for-gpl
-isakmpd: non-standard-dir-perm
-isakmpd: non-standard-file-perm
diff --git a/keyexchange/isakmpd-20041012/debian/rules b/keyexchange/isakmpd-20041012/debian/rules
deleted file mode 100755
index d15e56a..0000000
--- a/keyexchange/isakmpd-20041012/debian/rules
+++ /dev/null
@@ -1,73 +0,0 @@
-#!/usr/bin/make -f
-
-export DH_COMPAT := 5
-
-b := $(CURDIR)/debian/isakmpd
-
-arrange: arrange-stamp
-arrange-stamp: install
- dh_testdir
- touch arrange-stamp
-
-binary: binary-stamp
-binary-stamp: binary-indep binary-arch
- dh_testdir
- touch binary-stamp
-
-binary-arch: binary-arch-stamp
-binary-arch-stamp: arrange
- dh_testdir
- dh_testroot
- dh_installdocs -n DESIGN-NOTES QUESTIONS README README.PKI TO-DO $(CURDIR)/debian/README.Debian x509v3.cnf
- cp $(CURDIR)/samples/*.conf $(b)/usr/share/doc/isakmpd/samples/
- cp $(CURDIR)/samples/VPN-east.conf $(b)/etc/isakmpd/isakmpd.conf
- cp $(CURDIR)/samples/policy $(b)/etc/isakmpd/isakmpd.policy
- cp $(CURDIR)/isakmpd $(b)/usr/sbin/
- cp $(CURDIR)/apps/certpatch/certpatch $(b)/usr/bin
- cp $(CURDIR)/debian/isakmpd.lintian $(b)/usr/share/lintian/overrides/isakmpd
- dh_installman isakmpd.8 isakmpd.conf.5 isakmpd.policy.5 apps/certpatch/certpatch.8
- dh_installinit
- dh_installchangelogs $(CURDIR)/debian/ChangeLog upstream
- dh_compress
- dh_fixperms
- find $(b)/etc/isakmpd -type d | xargs chmod 0700
- find $(b)/etc/isakmpd -type f | xargs chmod 0600
- dh_strip
- dh_installdeb
- dh_perl
- dh_shlibdeps
- dh_gencontrol
- dh_md5sums
- dh_builddeb
- touch binary-arch-stamp
-
-binary-indep: binary-indep-stamp
-binary-indep-stamp: arrange
- dh_testdir
- touch binary-indep-stamp
-
-build: build-stamp
-build-stamp: config
- dh_testdir
- $(MAKE)
- touch build-stamp
-
-clean:
- dh_testdir
- dh_testroot
- $(MAKE) clean
- dh_clean arrange-stamp binary-stamp binary-arch-stamp binary-indep-stamp build-stamp config-stamp install-stamp
- find $(CURDIR) -type f -name ".depend" | xargs rm -f
-
-config: config-stamp
-config-stamp:
- dh_testdir
- touch config-stamp
-
-install: install-stamp
-install-stamp: build
- dh_testdir
- dh_installdirs
- touch install-stamp
-
-.PHONY: arrange binary binary-arch binary-indep build clean config install |