Commit graph

57 commits

Author SHA1 Message Date
itojun
0e75fcbed3 upgrade to 20011215a.
- memory leaks have been plugged
- retransmission logic has improved
- 6144 DH MODP group
2001-12-14 17:09:49 +00:00
zuntum
c72c1cf5f9 Move pkg/ files into package's toplevel directory 2001-11-01 00:57:41 +00:00
itojun
95baf3f8cd upgrade to 20011026a. 20011016a had a serious bug in tunnel mode SA
establishment.
2001-10-26 01:32:29 +00:00
itojun
750f619f41 correct version identification string. 2001-10-17 23:53:49 +00:00
itojun
32fa4dde44 upgrade to 10/16 snapshot.
- bugfixes in spd handling, scheduler leak.
- make identity check more strict.
- correct phase 2 proposal check.
2001-10-17 02:53:08 +00:00
jlam
f79573370a Mechanical changes to 375 files to change dependency patterns of the form
foo-* to foo-[0-9]*.  This is to cause the dependencies to match only the
packages whose base package name is "foo", and not those named "foo-bar".
A concrete example is p5-Net-* matching p5-Net-DNS as well as p5-Net.  Also
change dependency examples in Packages.txt to reflect this.
2001-09-27 23:17:41 +00:00
itojun
7fedc491e8 upgrade to the latest (20010831a). a lot of bug fixes after helsinki IPsec/IKE
bakeoff.
2001-08-31 09:43:09 +00:00
itojun
00af74fa3f update. fix compilation on alpha. 2001-08-06 08:25:12 +00:00
itojun
f36045ed80 embed pkg version into binary to help diagnosis. 2001-08-02 15:25:15 +00:00
itojun
1649deedd0 make it at least compile on netbsd151 systems. kernel API diffs should be
wrapped by configure.in scripts, however, we don't use them for libipsec part.
2001-08-02 12:44:18 +00:00
itojun
6bec204d53 upgrade to 2001/8/2 KAME tree. whole bunch of stabilization were made. 2001-08-02 12:22:54 +00:00
itojun
09dbfc008a make sure to link against local libipsec.a.
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
2001-06-28 23:34:10 +00:00
jlam
328a35f96f LIBS is automatically added to CONFIGURE_ENV by bsd.pkg.mk if
GNU_CONFIGURE is defined, so simply set LIBS to the appropriate value.
2001-06-12 20:33:00 +00:00
jlam
c4e71c5e7a CPPFLAGS is now passed to MAKE_ENV and CONFIGURE_ENV by bsd.pkg.mk, so
adapt by moving CPPFLAGS settings to top-level, and removing explicit
inclusion of CPPFLAGS into MAKE_ENV and CONFIGURE_ENV.
2001-06-11 06:34:17 +00:00
itojun
0034490c6d remove "twofish" from sample configuration file, as the algorithm
is not available in *BSD integrated KAME IPsec tree.
2001-04-22 00:05:16 +00:00
itojun
b32f3f64c0 upgrade to latest racoon snapshot tar.gz on ftp.kame.net (20010418a).
Wed Apr 11 18:52:26 JST 2001 sakane@ydc.co.jp
	* racoon:
	Supported to get a certificate from DNS CERT RR.
	Also getcertsbyname() is implemented in order to get CERT RRs.
	This function can use lwres.a if HAVE_LWRES is defined when racoon
	is compiled.
	XXX need more local test and interoperability test.
	XXX should be arranged too many certificate stuff in racoon.conf.

2001-04-10  Jason R. Thorpe  <thorpej@zembu.com>

	* racoon/pfkey.c: pk_recvacquire(): Make sure the phase1
	and phase2 handlers are unbound before the phase 2 handler
	is deleted.
	* racoon/isakmp.c: ph1_main(), quick_main(): Add the message
	to the received-list before processing to ensure the packet
	isn't processed twice in case of an error.
	isakmp_post_acquire(): Don't unbind the phase1/phase2 handlers;
	let the caller do it.
	isakmp_newcookie(): Plug memory leaks.
	From George Yang <gyang@zembu.com>.
	* racoon/ipsec_doi.c: get_ph2approvalx(): When we find a
	matching saprop, make sure to flushsaprop(pr0), as the returned
	saprop is a copy.  Fixes a memory leak.
	From George Yang <gyang@zembu.com>.
	* racoon/isakmp_quick.c: quick_r2send(): Make sure to vfree(data)
	if we fail to allocate a new body.  Fixes a memory leak.
	From George Yang <gyang@zembu.com>.

Fri Apr  6 23:25:19 JST 2001 sakane@ydc.co.jp
	* racoon:
	implemented to generate the policy in the responder side automatically.
	If the responder does not have any policy in SPD during phase 2
	negotiation, and the directive is set on, then racoon will choose
	the first proposal in the SA payload from the initiator, and generate
	policy entries from the proposal.  This function is for the responder,
	and ignored in the initiator case.
	XXX should be checked tunnel mode case.

2001-04-04  Jason R. Thorpe  <thorpej@zembu.com>

	* racoon: Add support for the Dmalloc debugging malloc
	library.  This library gives very nice memory usage
	statistics and leak information.

Wed Apr  4 22:47:27 JST 2001 sakane@ydc.co.jp
	* racoon:
	support scopeid.  base code was from <Francis.Dupont@enst-bretagne.fr>.
	it should be considered more.

2001-04-03  Jason R. Thorpe  <thorpej@zembu.com>

	* racoon: Better integration of debugging malloc libraries.
	Use wrapper macros (racoon_{malloc,calloc,free,realloc}())
	so that debugging malloc implementations can get file/line
	info, and also put traditional malloc/calloc/free/realloc
	stubs in the main program so that libraries linked with
	racoon get the debugging allocators, as well.

2001-03-26  Jason R. Thorpe  <thorpej@zembu.com>
	* racoon/isakmp_ident.c: ident_ir2sendmx(): plug memory
	  leak -- gsstoken wasn't being freed at function exit.

2001-03-26  Jason R. Thorpe  <thorpej@zembu.com>
	* racoon: Changes to Vendor ID payload handling.  Determine
	  which VID we will send on a per-proposal basis; we may need
	  to send a different one for each proposal depending on the
	  proposal contents (e.g. GSSAPI auth method).  We no longer
	  set the Vendor ID in the localconf.

	  When matching the Vendor ID in check_vendorid(), use a table
	  of known Vendor IDs, and return the index, and maintain a list
	  of extensions that vendors implement (e.g. GSSAPI auth method).
	  XXX We have a slight hack to recognize the Windows 2000 Vendor
	  ID.  Need to clarify with the Microsoft IPsec guys.

	  In Aggressive Mode, as responder, when sending first
	  response, make sure to include a Vendor ID payload.

	  In Main Mode, as responder, when sending first response,
	  make sure to include a Vendor ID payload.

	  XXX Still more Vendor ID processing fixes to go.  And
	  GSSAPI auth doesn't interoperate with Windows 2000 yet.

Thu Mar 22 08:06:30 JST 2001 sakane@ydc.co.jp
	* racoon:
	fixed to parse modp1536 of DH group. reported by <shigeru@iij.ad.jp>

Thu Mar 22 04:56:57 JST 2001 sakane@ydc.co.jp
	* racoon/policy.c:
	fixed to compare between policies when the responder decides to
	accept the proposal or not.  the upper layer protocol is represented
	by 0 in ID payload.

Thu Mar 22 01:45:32 JST 2001 sakane@ydc.co.jp
	* racoon:
	fixed potential of a buffer overrun when adding a ID payload to
	the ISAKMP payload.  It happened when policy is both to use IPSec
	transport mode and not to specify a transport protocol.
	reported by <cs@purdue.edu>.

Thu Mar 15 20:39:03 JST 2001 sakane@ydc.co.jp
	* racoon:
	- fixed a phase 2 handler deletion.  racoon will delete a phase2
	  handler immediately when hard lifetime expires.
	- check a unit of the timer in the configuration file.

2001-03-06  Jason R. Thorpe  <thorpej@zembu.com>

	* kame/racoon/schedule.c: Implement sched_scrub_param(),
	which kills all scheduler work queue entries with a
	specified parameter.
	* kame/racoon/handler.c: Use sched_scrub_param() to make
	sure no references to a handler exist when it is freed.

2001-03-05  Jason R. Thorpe  <thorpej@zembu.com>

	* kame/racoon/gssapi.c: Use GSS_C_MECH_CODE when reporting
	GSSAPI errors.

2001-03-05  Jason R. Thorpe  <thorpej@zembu.com>

	* kame/racoon/handler.c: Implement deleteallph2(), which
	deletes all Phase 2 handlers for a given src/dst/proto.
	* kame/racoon/isakmp_inf.c: When processing INITIAL-CONTACT,
	try to use the SADB_DELETE `delete all' extension and
	deleteallph2() before doing it The Hard Way.  For both The
	Easy Way and The Hard Way, make sure we only delete SAD entries
	for SATYPEs that we manage.
	* kame/racoon/pfkey.c: Use a table of SATYPEs that we manage,
	and use that table to initialize our PF_KEY state.

Thu Feb 22 10:08:27 JST 2001 sakane@ydc.co.jp
	* racoon:
	fixed to check the outbound policy when the responder received the
	1st packet in phase 2.  the tunnel mode and the transport specified
	the pair of IP addresses of the end of the SA had failed.
2001-04-18 03:14:55 +00:00
agc
2d6b6a009c + move the distfile digest/checksum value from files/md5 to distinfo
+ move the patch digest/checksum values from files/patch-sum to distinfo
2001-04-17 11:43:32 +00:00
hubertf
d32e698de6 Cleanup MKDIR usage => INSTALL_*_DIR
XXX need to teach pkglint to be more picky about this
2001-02-25 04:17:35 +00:00
itojun
2e07181b73 update to 2001/2/22 snapshot.
sync up with majority interpretation on tunnel mode bundle proposal.
lots of IKE implementation proposes "IP AH ESP IP payload" as
"AH tunnel and ESP tunnel".

couple of other minor fixes
2001-02-22 02:12:32 +00:00
itojun
f8389ac42a upgrade: 20001211a -> 20010215a
key changes:
-B flag, DH shared secret length handling fix, logging level fix,
gssapi support (not enabled, may not work on plain 1.5 due to issue in
kerberos library)
2001-02-18 16:00:14 +00:00
wiz
a87738b456 Update to new COMMENT style: COMMENT var in Makefile instead of pkg/COMMENT. 2001-02-17 17:42:09 +00:00
dent
03b5b152e9 Fix typo. 2001-01-11 21:21:17 +00:00
itojun
72b96a6da6 typo. freebsd PR 24127 2001-01-08 06:33:42 +00:00
itojun
d5689c8473 remove bogus bound-check. need revisit (DoS issue is not re-introduced).
sync with kame
2000-12-12 08:16:00 +00:00
itojun
767d3adb3c upgrade to the latest (2000/12/11). most important change is that prior
versions had DoS possibility, due to insufficient length check.
2000-12-11 09:01:45 +00:00
itojun
b168919aa6 upgrade to 11/11a. better support for multiple address on a single IF,
and IPv6 address properties (deprecated, tentative).
2000-11-11 05:10:14 +00:00
itojun
f189dd69de upgrade to 20001106a.
- validate initial contact better.
- more fine-grained control over pre-shared key configuration.
- cert fixes.
2000-11-06 09:00:46 +00:00
itojun
7d609f5d02 do not return negative value from internal random() function.
from shigeru@iij.ad.jp.  sync with KAME.
2000-11-06 08:52:08 +00:00
wiz
88fd17699b add RCS Id 2000-10-21 22:54:23 +00:00
itojun
dfa8b72de9 update to 2000/10/10a.
- always use random number from /dev/urandom, instead of random(3).
- OpenSSL dependency is simplified - just use USE_SSL, and assume that
  RSA function is there.  pkgsrc does not really support intermediate
  netbsd-current codebase.  per discussion on packages@netbsd.org.

approved by packages@netbsd.org
2000-10-10 09:47:50 +00:00
itojun
2b9e27d510 upgrade to 10/4 snapshot.
- disable idea/rc5 in phase 1 by default
- use official DOI # for AES (= rijndael)
- be more careful about parsing variable-length packet content
- have __attribute__((__packed__)), be friendly with align-picky arch
  (confirmed to be working on i386, sh3 and alpha)
2000-10-04 00:31:48 +00:00
itojun
63f9c7ba3a disable admin port better (KAME session.c 1.13 -> 1.14) 2000-09-24 17:28:23 +00:00
itojun
0b59a57666 upgrade to 9/23 snapshot.
changes: lots of stabilization (made during interop tests with bunch of
other implementations), certificate support improvement, security issue fix
(admin tcp port, without authentication, was open previously)
2000-09-23 21:25:06 +00:00
itojun
95798eefd8 upgrade to 9/13b. it fixes fatal bug in phase 1 negotiation. 2000-09-12 15:32:06 +00:00
itojun
42e22e4b74 upgrade racoon to 2000/9/12.
certificate improvements.  bug fix in policy matching.  make pfs/policy
matching strictness configurable.  other logs can be found at
http://www.kame.net/dev/cvsweb.cgi/kame/CHANGELOG.
2000-09-12 12:51:27 +00:00
fredb
0c6b58570c Reorganize crypto handling, as discussed on tech-pkg. Remove all
RESTRICTED= variables that were predicated on former U.S. export
regulations. Add CRYPTO=, as necessary, so it's still possible to
exclude all crypto packages from a build by setting MKCRYPTO=no
(but "lintpkgsrc -R" will no longer catch them).

Specifically,

- All packages which set USE_SSL just lose their RESTRICTED
  variable, since MKCRYPTO responds to USE_SSL directly.
- realplayer7 and ns-flash keep their RESTRICTED, which is based
  on license terms, but also gain the CRYPTO variable.
- srp-client is now marked broken, since the distfile is evidently
  no longer available. On this, we're no worse off than before.
  [We haven't been mirroring the distfile, or testing the build!]
- isakmpd gets CRYPTO for RESTRICTED, but remains broken.
- crack loses all restrictions, as it does not evidently empower
  a user to utilize strong encryption (working definition: ability
  to encode a message that requires a secret key plus big number
  arithmetic to decode).
2000-09-09 19:40:14 +00:00
itojun
55e5f04dbb add comment - the .if statement is not friendly with cross build 2000-08-27 07:35:09 +00:00
hubertf
e75965c6ba Update IGNORE-messages for recent changes: add ${PKGNAME} where
appropriate.
2000-08-21 21:01:29 +00:00
thorpej
c01c1dbda3 Fix a bug where the parser would fail if a keylength was not
explicitly specified in a Phase-1 proposal statement.

Patch sent to sakane@kame.net.
2000-08-04 00:25:04 +00:00
itojun
0cc8708191 update to latest (7/31), to sync with /usr/include/netinet6/ipsec.h change.
- improvements in multiple address case
- sync with improvements in INET2000 bakeoff
2000-07-30 16:56:36 +00:00
hubertf
a429b241f3 This produces some funny errors:
RESTRICT="foo; bar"

Fix by s/;/,/
2000-07-25 00:25:11 +00:00
itojun
4ef87a14ce update to 20000719a.
changes: basically, result from TAHI 2nd interop test (www.tahi.org)
- phase 1/2 SA removal corrections
- remove possible memory leak
- no notify message on information exchange
- correct isakmp payload manipulation on duplicated payload types
2000-07-18 15:31:47 +00:00
itojun
2e2b2ad5e7 update from racoon 20000701a tree to 20000716a tree.
changes:
- RFC2367 conformance for SADB_[AE]ALG_xxx.
- implement initial contact
- runs in background by default
- delete notification
- improve error handling
2000-07-18 15:04:18 +00:00
itojun
2cc6541890 check for /usr/include/openssl/rsa.h, and if it is found, do not depend upon
openssl.  From: Bernd.Ernesti@security.kpnqwest.com (Bernd Ernesti)
2000-07-05 17:07:43 +00:00
itojun
ef7d7a19a5 use more recent code from kame(7/1).
changes from 6/14:
- improved internal data garbage collection
- avoid sending packet that constitutes invalid exchange
- "non_auth" setting will avoid negotiating ESP authentication
- improve notify message
2000-07-01 01:11:28 +00:00
itojun
fa7cf532ea upgrade to more recent (2000/6/20).
-- full changelog
Mon Jun 19 18:23:15 JST 2000 sakane@ydc.co.jp
        * kame/kame/racoon:
        A path name in configuration file is always complemented if it is
        not begin from slash(/).  If it's begin from slash, a path name
        never be complemented.

Mon Jun 19 16:51:24 JST 2000 sakane@ydc.co.jp
        * kame/kame/racoon:
        If "non_auth" is defined in racoon.conf, any transform of AH proposal
        including "non_auth" is not sent to the peer.

Thu Jun 15 14:44:30 JST 2000 sakane@ydc.co.jp
        * kame/kame/racoon:
        CR payload is only made if signature authentication method is applied.

Thu Jun 15 13:29:29 JST 2000 sakane@ydc.co.jp
        * kame/kame/racoon/cfparse.y:
        In racoon.conf, the path of configuration file is complemented by
        include directive only if there is no '/' in the path.
2000-06-20 16:37:25 +00:00
itojun
e704c8da48 upgrade to 2000/6/14 snapshot. changes:
- SA bundle (AH + ESP) negotiation is corrected
- be more picky about permission of pre-shared key file (don't open it
  if it looks vulnerable).
2000-06-14 08:00:49 +00:00
itojun
e65cd2914c add couple of more issues and a design choice. 2000-06-12 16:00:45 +00:00
itojun
dc807e6af1 add RESTRICTED for crypto. 2000-06-12 11:21:31 +00:00
itojun
f86c5b700e add files/md5. From: Bernd Ernesti 2000-06-12 11:09:33 +00:00