file descriptor leak fix.
null encryption algorithm key length fix (should use 0).
couple of null-pointer reference fixes.
set port # to 500 in ID payload (possible interop issue - spec is unclear).
correctly match address pair on informational exchange.
Wed Apr 11 18:52:26 JST 2001 sakane@ydc.co.jp
* racoon:
Supported to get a certificate from DNS CERT RR.
Also getcertsbyname() is implemented In order to get CERT RRs.
This function can use lwres.a if HAVE_LWRES is defined when racoon
is compiled.
XXX need more local test and interoperability test.
XXX should be arranged too many certificate stuff in racoon.conf.
2001-04-10 Jason R. Thorpe <thorpej@zembu.com>
* racoon/pfkey.c: pk_recvacquire(): Make sure the phase1
and phase2 handlers are unbound before the phase 2 handler
is deleted.
* racoon/isakmp.c: ph1_main(), quick_main(): Add the message
to the received-list before processing to ensure the packet
isn't processed twice in case of an error.
isakmp_post_acquire(): Don't unbind the phase1/phase2 handlers;
let the caller do it.
isakmp_newcookie(): Plug memory leaks.
From George Yang <gyang@zembu.com>.
* racoon/ipsec_doi.c: get_ph2approvalx(): When we find a
matching saprop, make sure to flushsaprop(pr0), as the returned
saprop is a copy. Fixes a memory leak.
From George Yang <gyang@zembu.com>.
* racoon/isakmp_quick.c: quick_r2send(): Make sure to vfree(data)
if we fail to allocate a new body. Fixes a memory leak.
From George Yang <gyang@zembu.com>.
Fri Apr 6 23:25:19 JST 2001 sakane@ydc.co.jp
* racoon:
implemented to generate the policy in the responder side automatically.
If the responder does not have any policy in SPD during phase 2
negotiation, and the directive is set on, then racoon will choice
the first proposal in the SA payload from the initiator, and generate
policy entries from the proposal. This function is for the responder,
and ignored in the initiator case.
XXX should be checked tunnel mode case.
2001-04-04 Jason R. Thorpe <thorpej@zembu.com>
* racoon: Add support for the Dmalloc debugging malloc
library. This library gives very nice memory usage
statistics and leak information.
Wed Apr 4 22:47:27 JST 2001 sakane@ydc.co.jp
* racoon:
support scopeid. base code was from <Francis.Dupont@enst-bretagne.fr>.
it should be considered more.
2001-04-03 Jason R. Thorpe <thorpej@zembu.com>
* racoon: Better integration of debugging malloc libraries.
Use wrapper macros (racoon_{malloc,calloc,free,realloc}())
so that debugging malloc implementations can get file/line
info, and also put traditional malloc/calloc/free/realloc
stubs in the main program so that libraries linked with
racoon get the debugging allocators, as well.
2001-03-26 Jason R. Thorpe <thorpej@zembu.com>
* racoon/isakmp_ident.c: ident_ir2sendmx(): plug memory
leak -- gsstoken wasn't being freed at function exit.
2001-03-26 Jason R. Thorpe <thorpej@zembu.com>
* racoon: Changes to Vendor ID payload handling. Determine
which VID we will send on a per-proposal basis; we may need
to send a different one for each proposal depending on the
proposal contents (e.g. GSSAPI auth method). We no longer
set the Vendor ID in the localconf.
When matching the Vendor ID in check_vendorid(), use a table
of known Vendor IDs, and return the index, and maintain a list
of extensions that vendors implement (e.g. GSSAPI auth method).
XXX We have a slight hack to recognize the Windows 2000 Vendor
ID. Need to clarify with the Microsoft IPsec guys.
In Aggressive Mode, as responder, when sending first
response, make sure to include a Vendor ID payload.
In Main Mode, as responder, when sending first response,
make sure to include a Vendor ID payload.
XXX Still more Vendor ID processing fixes to go. And
GSSAPI auth doesn't interoperate with Windows 2000 yet.
Thu Mar 22 08:06:30 JST 2001 sakane@ydc.co.jp
* racoon:
fixed to parse modp1536 of DH group. reported by <shigeru@iij.ad.jp>
Thu Mar 22 04:56:57 JST 2001 sakane@ydc.co.jp
* racoon/policy.c:
fixed to compare between policies when the responder decides to
accept the proposal or not. the upper layer protocol is represented
by 0 in ID payload.
Thu Mar 22 01:45:32 JST 2001 sakane@ydc.co.jp
* racoon:
fixed potencial of a buffer overrun when adding a ID payload to
the ISAKMP payload. It happened when policy is both to use IPSec
transport mode and not to specify a transport protocol.
reported by <cs@purdue.edu>.
Thu Mar 15 20:39:03 JST 2001 sakane@ydc.co.jp
* racoon:
- fixed a phase 2 handler deletion. racoon will delete a phase2
handler immediately when hard lifetime expires.
- check a unit of the timer in the configuration file.
2001-03-06 Jason R. Thorpe <thorpej@zembu.com>
* kame/racoon/schedule.c: Implement sched_scrub_param(),
which kills all scheduler work queue entries which a
specified parameter.
* kame/racoon/handler.c: Use sched_scrub_param() to make
sure no references to a handler exist when it is freed.
2001-03-05 Jason R. Thorpe <thorpej@zembu.com>
* kame/racoon/gssapi.c: Use GSS_C_MECH_CODE when reporting
GSSAPI errors.
2001-03-05 Jason R. Thorpe <thorpej@zembu.com>
* kame/racoon/handler.c: Implement deleteallph2(), which
deletes all Phase 2 handlers for a given src/dst/proto.
* kame/racoon/isakmp_inf.c: When processing INITIAL-CONTACT,
try to use the SADB_DELETE `delete all' extension and
deleteallph2() before doing it The Hard Way. For both The
Easy Way and The Hard Way, make sure we only delete SAD entries
for SATYPEs that we manage.
* kame/racoon/pfkey.c: Use a table of SATYPEs that we manage,
and use that table to initialize our PF_KEY state.
Thu Feb 22 10:08:27 JST 2001 sakane@ydc.co.jp
* racoon:
fixed to check the outbound policy when the responder received the
1st packet in phase 2. the tunnel mode and the transport specified
the pair of IP addresses of the end of the SA had failed.
