Upcoming ipsec-tools 0.8.1
-
http://sourceforge.net/mailarchive/forum.php?thread_name=20120829150102.08edec4c%40vostro&forum_name=ipsec-tools-devel
[Ipsec-tools-devel] time for 0.8.1 ?
From: Timo Teras <timo.teras@ik…> - 2012-08-23 11:55

Hi,

It's been almost 1.5 years since 0.8.0 was released. There's been only
a handful [see below] of commits to 0.8 branch, but some of them are
quite essential.

I'm planning to do 0.8.1 release tarball soon. Please yell if we need
to cherry-pick more commits, or you have pending things for the
0_8-branch.

Thanks,
Timo

ChangeLog for the 0.8 branch since 0.8.0 tagging:

2012-08-23 Timo Teras <timo.teras@…>

  * src/racoon/crypto_openssl.c: From Nakano Takaharu: Fix bignum
    memory allocation.

2012-01-01 Timo Teras <timo.teras@...>

  * src/racoon/isakmp_unity.c: From Rainer Weikusat
    <rweikusat@...>: Fix one byte too short memory
    allocation in isakmp_unity.c:splitnet_list_2str().

2011-11-17 Yvan Vanhullebus <vanhu@...>

  * src/racoon/handler.c: fixed some crashes in LIST_FOREACH where
    current element could be removed during the loop

2011-11-14 Timo Teras <timo.teras@...>

  * src/libipsec/pfkey.c: From Marcelo Leitner <mleitner@...>:
    do not shrink pfkey socket buffers (if system default is larger than
    what we want as minimum)

2011-08-12 Timo Teras <timo.teras@...>

  * src/racoon/privsep.c: Have privilege separation child process
    exit if the parent exits.

  * Makefile.am: Create ChangeLog for proper CVS branch.

2011-03-18 tag ipsec-tools-0_8_0
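Added example, not part of the original mail or of the ipsec-tools source: the 2011-11-17 handler.c entry concerns removing the current element inside LIST_FOREACH, and the sketch below shows why that crashes and one safe way to iterate. The struct ph, its expired flag and the function names are hypothetical, and this is not necessarily how racoon fixed it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/queue.h>

/* Hypothetical stand-in for a racoon handler entry (not the project's struct). */
struct ph {
    int expired;
    LIST_ENTRY(ph) chain;
};
LIST_HEAD(ph_list, ph);

/* Constructed sample data: n entries, every even-numbered one marked expired. */
void ph_fill(struct ph_list *head, int n)
{
    LIST_INIT(head);
    for (int i = 0; i < n; i++) {
        struct ph *p = calloc(1, sizeof(*p));
        if (p == NULL)
            abort();
        p->expired = (i % 2 == 0);
        LIST_INSERT_HEAD(head, p, chain);
    }
}

/* LIST_FOREACH advances with p = p->chain.le_next, so freeing p in the loop
 * body makes the next step read freed memory. Saving the successor before
 * the body runs keeps the walk valid when the current element is removed. */
int ph_purge_expired(struct ph_list *head)
{
    int removed = 0;
    struct ph *p, *next;
    for (p = LIST_FIRST(head); p != NULL; p = next) {
        next = LIST_NEXT(p, chain);   /* read before p may be freed */
        if (p->expired) {
            LIST_REMOVE(p, chain);
            free(p);
            removed++;
        }
    }
    return removed;
}

int main(void)
{
    struct ph_list head;
    ph_fill(&head, 5);
    int first = ph_purge_expired(&head);
    int second = ph_purge_expired(&head);
    printf("removed %d, then %d\n", first, second);
    return 0;
}
```

Saving the successor only protects against removal of the current element; if the loop body can also unlink the saved successor, the walk is still unsafe.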
-
Something seems to be moving after all in the ipsec-tools front:
http://sourceforge.net/mailarchive/forum.php?thread_name=20121212115419.1e94b02b%40vostro&forum_name=ipsec-tools-devel
The patches applied since the original mail are:
2012-08-29 Timo Teras <timo.teras@…>

  * src/racoon/isakmp_inf.c: From Roman Hoog Antink <rha@...>:
    Accept DPD messages with cookies also in reversed order for
    compatibility. At least Cisco 836 running IOS 12.3(8)T does this.

  * src/racoon/oakley.c: From Roman Hoog Antink <rha@...>: add
    remote's IP address to the "certificate not verified" error message.

  * src/racoon/oakley.c: From Roman Hoog Antink <rha@...>: do not
    print unnecessary warning about non-verified certificate when using
    raw plain-rsa.

  * src/racoon/isakmp.c: From Rainer Weikusat
    <rweikusat@...>: Release unused phase2 of
    passive remotes after acquire.

  * src/racoon/isakmp.c: From Wolfgang Schmieder
    <wolfgang.schmieder@...>: setup phase1 port properly.

  * src/racoon/: cfparse.y, cftoken.l, racoon.conf.5: Allow inherited
    remote blocks without additional remote statements to be specified
    in a simpler way. patch by Roman Hoog Antink <rha@...>

According to the discussion, there are two last patches to be committed any day now:
Attached patch is a somewhat smarter X509 subject name compare.
X509 names may contain entries with different encodings (like UTF-8)
The old code (some copy from the ancient openssl 0.9.7 release)
did not handle that.
The new code does only handle stripping of the wildcards from the name
and let openssl do the compare of all non wildcard entries…

And another patch to check that building ipsec-tools is done with a reasonably recent OpenSSL 0.9.7 or newer