summaryrefslogtreecommitdiffstats
path: root/ipsec-tools/ChangeLog
blob: c31fc5f1838876741140c7eadd95bd79b6012f0c (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
2013-07-12  Timo Teras <timo.teras@iki.fi>

	* src/racoon/main.c: From Sven Vermeulen
	  <sven.vermeulen@siphos.be>: Moves ploginit() up, allowing logging
	  events from init_avc() to show up as well.

2013-06-18  Timo Teras <timo.teras@iki.fi>

	* src/racoon/ipsec_doi.c: From Paul Barker: Remove redundant memset
	  after calloc that caused compile failures with gcc 4.8 due to error:
	  argument to 'sizeof' in 'memset' call is the same expression as the
	  destination; did you mean to dereference.

2013-06-03  Timo Teras <timo.teras@iki.fi>

	* src/racoon/admin.c: From Alexander Sbitnev
	  <alexander.sbitnev@gmail.com>: fix admin port establish-sa for
	  tunnel mode SAs.

2013-05-23  Timo Teras <timo.teras@iki.fi>

	* src/include-glibc/net/pfkeyv2.h: From Rainer Weikusat
	  <rweikusat@mobileactivedefense.com>: Fix SADB_X_EALG_CASTCBC
	  definition to use system definition (which differs at least on
	  Linux).

2013-04-12  Timo Teras <timo.teras@iki.fi>

	* src/racoon/isakmp_cfg.c: From Rainer Weikusat
	  <rweikusat@mobileactivedefense.com>: Do not send out illegal zero
	  length MODE_CFG attributes.

	* src/racoon/: grabmyaddr.c, isakmp_inf.c: Some logging
	  improvements.

2013-02-05  Timo Teras <timo.teras@iki.fi>

	* src/racoon/grabmyaddr.c: Fix source port selection

	* src/racoon/isakmp_xauth.c: From Ian West <ian@niw.com.au>: Fix
	  double free of the radius info on config reload.

2013-01-24  Timo Teras <timo.teras@iki.fi>

	* src/racoon/isakmp_inf.c: Fix handling of deletion notification.

2013-01-08  tag ipsec-tools-0_8_1

2013-01-08  Timo Teras <timo.teras@iki.fi>

	* NEWS, configure.ac: ipsec-tools-0.8.1

	* configure.ac: Fix errors from automake 1.13

	* src/include-glibc/Makefile.am: Don't derefence the directory
	  symlink which we might be recreating.

2012-12-24  Timo Teras <timo.teras@iki.fi>

	* src/racoon/crypto_openssl.c: From Götz Babin-Ebell
	  <g.babin-ebell@novamedia.de>: Smarter X.509 subject name compare.

	* configure.ac, src/racoon/crypto_openssl.c,
	  src/racoon/missing/crypto/sha2/sha2.c: From Götz Babin-Ebell
	  <g.babin-ebell@novamedia.de>: Require OpenSSL 0.9.8s or higher

2012-08-29  Timo Teras <timo.teras@iki.fi>

	* src/racoon/isakmp_inf.c: From Roman Hoog Antink <rha@open.ch>:
	  Accept DPD messages with cookies also in reversed order for
	  compatiblity. At least Cisco 836 running IOS 12.3(8)T does this.

	* src/racoon/oakley.c: From Roman Hoog Antink <rha@open.ch>: add
	  remote's IP address to the "certificate not verified" error message.

	* src/racoon/oakley.c: From Roman Hoog Antink <rha@open.ch>: do not
	  print unnecessary warning about non-verified certificate when using
	  raw plain-rsa.

	* src/racoon/isakmp.c: From Rainer Weikusat
	  <rweikusat@mobileactivedefense.com>: Release unused phase2 of
	  passive remotes after acquire.

	* src/racoon/isakmp.c: From Wolfgang Schmieder
	  <wolfgang.schmieder@honeywell.com>: setup phase1 port properly.

	* src/racoon/: cfparse.y, cftoken.l, racoon.conf.5: Allow inherited
	  remote blocks without additional remote statements to be specified
	  in a simpler way. patch by Roman Hoog Antink <rha@open.ch>

2012-08-23  Timo Teras <timo.teras@iki.fi>

	* src/racoon/crypto_openssl.c: From Nakano Takaharu: Fix bignum
	  memory allocation.

2012-01-01  Timo Teras <timo.teras@iki.fi>

	* src/racoon/isakmp_unity.c: From Rainer Weikusat
	  <rweikusat@mobileactivedefense.com>: Fix one byte too short memory
	  allocation in isakmp_unity.c:splitnet_list_2str().

2011-11-17  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/handler.c: fixed some crashes in LIST_FOREACH where
	  current element could be removed during the loop

2011-11-14  Timo Teras <timo.teras@iki.fi>

	* src/libipsec/pfkey.c: From Marcelo Leitner <mleitner@redhat.com>:
	  do not shrink pfkey socket buffers (if system default is larger than
	  what we want as minimum)

2011-08-12  Timo Teras <timo.teras@iki.fi>

	* src/racoon/privsep.c: Have privilege separation child process
	  exit if the parent exits.

	* Makefile.am: Create ChangeLog for proper CVS branch.

2011-03-18  tag ipsec-tools-0_8_0

2011-03-18  Yvan Vanhullebus <vanhu@netasq.com>

	* configure.ac: Yes: 0.8.0 is out !!!

	* NEWS: updated News for 0.8 branch

2011-03-17  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/oakley.c: fixed a memory leak in
	  oakley_append_rmconf_cr() while generating plist. patch by Roman
	  Hoog Antink <rha@open.ch>

	* src/racoon/oakley.c: free name later, to avoid a memory use after
	  free in oakley_check_certid(). also give iph1->remote to some plog()
	  calls. patch by Roman Hoog Antink <rha@open.ch>

	* src/racoon/oakley.c: fixed a memory leak in
	  oakley_check_certid(). patch by Roman Hoog Antink <rha@open.ch>

2011-03-15  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/: isakmp.c, isakmp_inf.c, pfkey.c: directly call
	  isakmp_ph1delete() instead of scheduling isakmp_ph1delete_stub(), as
	  it is useless an can lead to memory access after free

2011-03-14  Timo Teras <timo.teras@iki.fi>

	* src/racoon/: grabmyaddr.c, handler.c, isakmp.c, isakmp_inf.c,
	  isakmp_quick.c, nattraversal.c, pfkey.c, policy.c, sockmisc.c,
	  sockmisc.h, throttle.c: Explicitly compare return value of
	  cmpsaddr() against a return value define to make it more obvious
	  what is the intended action. One more return value is also added, to
	  fix comparison of security policy descriptors. Namely, getsp()
	  should not allow wildcard matching (as the comment says, it does
	  exact matching) - otherwise we get problems when kernel has generic
	  policy with no ports, and a second similar policy with ports.

2011-03-14  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/: cfparse.y, isakmp_xauth.c, isakmp_xauth.h,
	  remoteconf.c, remoteconf.h, rsalist.c, rsalist.h: avoid some
	  memory leaks / free memory access when reloading conf and have
	  inherited config. patch from Roman Hoog Antink <rha@open.ch>

	* src/racoon/handler.c: removed an useless comment

	* src/racoon/handler.c: check if we got RMCONF_ERR_MULTIPLE from
	  getrmconf_by_ph1() in revalidate_ph1tree_rmconf()

2011-03-11  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/: handler.c, isakmp.c: directly delete a ph1 in
	  remove_ph1-) instead of scheduling it, to avoid (completely ?) a
	  race condition when reloading configuration

2011-03-06  Timo Teras <timo.teras@iki.fi>

	* src/racoon/privsep.c: Quiet a gcc warning when strict-aliasing
	  checks are enabled. Reported by Stephen Clark.

2011-03-02  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/session.c: flush sainfo list when closing session.
	  patch by Roman Hoog Antink <rha@open.ch>

	* src/racoon/: remoteconf.c, rsalist.c, rsalist.h: free rsa
	  structures when deleting a struct rmconf. patch by Roman Hoog Antink
	  <rha@open.ch>

	* src/racoon/: cfparse.y, remoteconf.c, remoteconf.h: free spspec
	  when deleting a rmconf struct. patch by Roman Hoog Antink
	  <rha@open.ch>

	* src/racoon/: remoteconf.c, session.c: fixed some memory leaks in
	  remoteconf. patch by Roman Hoog Antink <rha@open.ch>

	* src/racoon/: cfparse.y, prsa_par.y: fixed some memory leaks
	  during configuration parsing. patch by Roman Hoog Antink
	  <rha@open.ch>

2011-03-01  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/: isakmp.c, pfkey.c: plog text fixes, patch from M E
	  Andersson <debian@gisladisker.se>

	* src/racoon/cfparse.y: reset yyerrorcount before doing parse
	  stuff. patch by Roman Hoog Antink <rha@open.ch>

2011-02-20  Timo Teras <timo.teras@iki.fi>

	* src/racoon/oakley.c: From Roman Hoog Antink <rha@open.ch>: Fix
	  memory leak when using plain RSA key authentication.

2011-02-11  Timo Teras <timo.teras@iki.fi>

	* src/racoon/plainrsa-gen.c: From Mats E Andersson
	  <debian@gisladisker.se>: Fix fprintf format specifier usage from
	  previous patch.

2011-02-10  Timo Teras <timo.teras@iki.fi>

	* src/racoon/plainrsa-gen.c: From Mats Erik Andersson
	  <debian@gisladisker.se>: Implement importing of RSA keys from PEM
	  files.

	* src/racoon/prsa_par.y: From M E Andersson
	  <debian@gisladisker.se>: Fix parsing of restricted RSA key
	  addresses.

2011-02-02  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/: cftoken.l, isakmp.c, remoteconf.h, sainfo.c,
	  sainfo.h: store ph1id in an u_int32_t instead of a (signed)int.
	  Patch from Christophe Carre

2011-01-28  Timo Teras <timo.teras@iki.fi>

	* src/racoon/: sainfo.c, sainfo.h, session.c: From Roman Hoog
	  Antink <rha@open.ch>: Clean up sainfo reloading: rename the
	  functions, and remove unneeded global variable.

	* src/racoon/: remoteconf.c, remoteconf.h, session.c: From Roman
	  Hoog Antink <rha@open.ch>: Clean up rmconf reloading: rename the
	  functions, and remove unneeded global variable.

	* src/racoon/plog.c: From Roman Hoog Antink <rha@open.ch>: Log
	  remote IP address if available (slightly modified by tteras)

2011-01-22  Timo Teras <timo.teras@iki.fi>

	* src/racoon/isakmp_inf.c: From Roman Hoog Antink <rha@open.ch>:
	  Fixes a null pointer dereference that might occur after removing
	  peers from the config and then reloading.

2011-01-20  Yvan Vanhullebus <vanhu@netasq.com>

	* src/libipsec/pfkey.c: fixed a typo, it will now compile when
	  KMADDRESS is defined. reported by Roman Hoog Antink (rha (at)
	  open.ch)

2010-12-28  Timo Teras <timo.teras@iki.fi>

	* src/racoon/handler.c: From Roman Hoog Antink <rha@open.ch>: Fix
	  config reload to not delete too many phase 2 handles, because wrong
	  chain field is used when enumerating the handles.

2010-12-16  gdt

	* src/racoon/oakley.c: When encountering a certificate where "ID
	  mismatched with ASN1 SubjectName", and verify_identifier is off,
	  don't raise an error.  This makes the behavior match the man page.

	  Patch sent for review long ago:
	    http://mail-index.netbsd.org/tech-security/2006/03/24/0000.html
	  with no negative feedback received to date.

2010-12-14  Timo Teras <timo.teras@iki.fi>

	* src/racoon/ipsec_doi.c: From Roman Hoog Antink <rha@open.ch>: Fix
	  possible null derefence.

2010-12-08  Timo Teras <timo.teras@iki.fi>

	* src/racoon/admin.c: Use separate SA addresses for phase2's
	  created by admin command. The phase2 startup overwrites src/dst with
	  ISAKMP ports if they are zero and we don't want that to happen for
	  the SA ports.

2010-12-08  joerg

	* src/libipsec/pfkey.c: ANSIfy

2010-12-07  Timo Teras <timo.teras@iki.fi>

	* src/racoon/isakmp_quick.c: Fix spacing and improve wording in
	  some log messages.

2010-12-03  Timo Teras <timo.teras@iki.fi>

	* src/libipsec/ipsec_dump_policy.c: Recognize direction for Linux
	  per-socket policies.

	* src/: libipsec/libpfkey.h, libipsec/pfkey_dump.c, setkey/parse.y,
	  setkey/setkey.8: Support GRE key as upper layer protocol
	  specifier (will be supported in Linux kernel 2.6.38).

	* src/racoon/grabmyaddr.c: Netlink deletion notification does not
	  guarentee actual address deletion: it might still exist on some
	  other interface. Make sure we do not unbind unless the address is
	  really gone.

2010-11-17  Timo Teras <timo.teras@iki.fi>

	* src/racoon/: handler.c, handler.h, isakmp.c, isakmp_inf.c: Fix my
	  previous patch to not call purge_remote() twice. Change the place
	  where purge_remote() is called. This fixes also a possible crash
	  from the same patch since ph1->remote can be NULL (when we are
	  responder and config is not yet selected).

2010-11-12  Timo Teras <timo.teras@iki.fi>

	* src/racoon/: admin.c, isakmp.c, isakmp_var.h, pfkey.c:
	  isakmp_post_acquire is now called from admin commands too, add a
	  flag so admin commands can be used to establish even passive links
	  on demand.

	* src/racoon/isakmp.c: Purge all IPsec-SA's if the last main
	  ISAKMP-SA for the node is deleted by remote request and the phase1
	  rekeying is enabled (this will also trigger the new phase1_dead
	  script hook).

	* src/racoon/: handler.h, isakmp_inf.c: Improve DPD sequence checks
	  to allow any reply within valid sequence window to be proof of
	  livelyness. This can improves things if there's random packet
	  delays, or if racoon is not getting enough CPU time.

	* src/racoon/: admin.c, admin.h, kmpstat.c, racoonctl.c: Extern
	  admin protocol to allow reply packets to exceed 64kb. E.g SA dumps
	  with many established SAs can be easily over the limit.

2010-10-22  Timo Teras <timo.teras@iki.fi>

	* src/racoon/grabmyaddr.c: Change Linux Netlink address monitoring
	  to monitor local route changes.  This works around a kernel bug, and
	  slightly improves behaviour on some special cases.

2010-10-21  Timo Teras <timo.teras@iki.fi>

	* src/racoon/: admin.c, evt.c, grabmyaddr.c, isakmp.c, pfkey.c,
	  session.c, session.h: Introduce priorities for file descriptor
	  polling mechanism and give priority to admin port. If admin port is
	  used by ISAKMP-SA hook scripts they should be preferred, other wise
	  heavy traffic can delay admin port requests considerably. This in
	  turn may cause renegotiation loop for ISAKMP-SA. This is mostly
	  useful for OpenNHRP setup, but can benefit other setups too.

	* src/racoon/: admin.c, handler.c, handler.h: Remove
	  initial-contact entry when all ISAKMP-SA are purged via adminport.
	  This will avoid stale security associations if some of the delete
	  notifications happens to get lost.

2010-10-20  Timo Teras <timo.teras@iki.fi>

	* src/racoon/crypto_openssl.c: Use high-level openssl EVP and HMAC
	  functions when possible: this allows openssl to perform hardware
	  acceleration if available.

	* src/racoon/: isakmp.c, isakmp_quick.c: Various improvements to
	  error log messages and a few additional error log messages to
	  improve diagnosing an error condition.

	* src/racoon/grabmyaddr.c: Fix address comparison so we actually
	  close sockets which were bound to IP-address that got deconfigured.

2010-10-11  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/ipsec_doi.c: report a higher encryption key length in
	  approval for OBEY / CLAIM / STRICT modes

2010-09-27  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/isakmp_xauth.c: fixed some typos in logs (reported by
	  fazaeli (at) sepehrs.com)

2010-09-24  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/cftoken.l: fixed a fd leak, patch by getlaser (at)
	  gmail.com

2010-09-22  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/admin.c: get the correct length of username when
	  processing ADMIN_LOGOUT_USER, patch by rweikusat (at) mssgmbh.com

	* src/racoon/nattraversal.h: fixed a typo in macros, reported by
	  marisp (at) mt.lv

2010-09-21  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/isakmp_cfg.c: moved from utmp.h to utmpx.h (patch
	  provided by marcin.cieslak (at) gmail.com)

2010-09-08  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/remoteconf.c: fixed remoteconf selection when no ID
	  specified in configuration, and added some debug to remoteconf
	  selection

2010-08-26  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/remoteconf.c: fix by Sergio.Gelato (at) astro.su.se:
	  duplicate some dynamic values in duprmconf()

2010-08-04  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/isakmp_cfg.c: fixed answer for IP4_SUBNET request

2010-07-30  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/doc/FAQ: updated link to NetBSD's documentation

2010-06-22  Thomas Klausner <wiz@netbsd.org>

	* src/racoon/racoon.conf.5: Bump date for previous.

2010-06-22  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/: cfparse.y, cftoken.l, isakmp.c, isakmp_inf.c,
	  racoon.conf.5, remoteconf.c, remoteconf.h: added a specific
	  script hook when a dead peer is detected

2010-06-04  Thomas Klausner <wiz@netbsd.org>

	* src/setkey/setkey.8: New sentence, new line. Bump date for
	  previous.

2010-06-04  Yvan Vanhullebus <vanhu@netasq.com>

	* src/setkey/: parse.y, setkey.8, token.l: Added support for
	  spdupdate command in setkey

2010-04-07  Yvan Vanhullebus <vanhu@netasq.com>

	* src/libipsec/ipsec_strerror.c: by Eric Preston: fixed a typo

2010-04-02  Christos Zoulas <christos@netbsd.org>

	* src/: libipsec/pfkey_dump.c, racoon/backupsa.c: handle ctime
	  returning NULL.

2010-03-11  Christos Zoulas <christos@netbsd.org>

	* src/racoon/handler.c: PR/42363: Yasuoka Masahiko: Second part of
	  the patch: iterate only on the phase2 handles that are bound by the
	  given phase1 handle.

2010-03-05  Timo Teras <timo.teras@iki.fi>

	* src/: libipsec/ipsec_set_policy.3, racoon/privsep.c,
	  racoon/doc/FAQ, setkey/setkey.8: From Stefan Bauer: Fix multiple
	  typoes and manpage formatting errors.

2010-03-04  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/session.c: From Pierre POMES: fixed admin port
	  initialization

2010-02-28  snj

	* src/racoon/: sockmisc.c, sockmisc.h: Fight the ever-increasing
	  size of src checkouts by spelling "useful" without an extra l.

2010-02-09  Thomas Klausner <wiz@netbsd.org>

	* src/racoon/: pfkey.c, proposal.h: Fix typo in comment.

2010-01-17  Thomas Klausner <wiz@netbsd.org>

	* src/racoon/sainfo.c: Free strdeupped string after using it. Found
	  by cppcheck.

	* src/racoon/: eaytest.c, ipsec_doi.c: Close file handles after
	  using them. Found by cppcheck.

2010-01-15  joerg

	* src/setkey/setkey.8: Use .%U instead of .%O for URLs.

2009-12-11  Timo Teras <timo.teras@iki.fi>

	* src/racoon/Makefile.am: From Paul Wernau: vmbuf.h was defined
	  twice in the headers. Remove the redundant entry so new install tool
	  does not complain about overwriting just installed file.

2009-11-22  Christos Zoulas <christos@netbsd.org>

	* src/racoon/handler.c: PR/42363: Yasuoka Masahiko:

	  racoon uses a wrong IPsec-SA handle that is for other peer in case
	  it receives a ISAKMP message for IPsec-SA that has the same
	  message-id as the message-id that is received before.

	  racoon uses message-id to find the handle of IPsec-SA.  The
	  message-id is a unique number for each peer, but different peers may
	  use the same value.

	  Different Windows Vista or Windows 7 peers seem to use the same
	  message-id.  racoon can handle the first Windows's Phase-2, but it
	  cannot handle the second Windows.  Because racoon misunderstands the
	  message for the second Windows as the message for the first Windows.

	  >Category:       bin >Synopsis:       racoon uses a wrong IPsec-SA
	  that is for different peer >Confidential:   no >Severity:
	  serious >Priority:       medium >Responsible:    bin-bug-people
	  >State:          open >Class:          sw-bug >Submitter-Id:   net
	  >Arrival-Date:   Sun Nov 22 18:25:00 +0000 2009 >Originator:
	  yasuoka@iij.ad.jp

2009-10-29  Christos Zoulas <christos@netbsd.org>

	* src/setkey/token.l: use %option noinput nounput

2009-10-28  Christos Zoulas <christos@netbsd.org>

	* src/setkey/token.l: no unput

2009-10-14  joerg

	* src/libipsec/ipsec_set_policy.3: Do not use .Xo/.Xc to workaround
	  ancient groff limits.

	* src/setkey/setkey.8: Do not use .Xo/.Xc to work around ancient
	  groff limits.  Fix markup.

	* src/racoon/racoon.conf.5: Don't use .Xo/.Xc to work around
	  ancient groff limits.  Set only one list type.

2009-09-18  Timo Teras <timo.teras@iki.fi>

	* src/racoon/: isakmp_agg.c, isakmp_ident.c: From Tomas Mraz: Fix
	  gssapi error checking.

2009-09-03  Timo Teras <timo.teras@iki.fi>

	* src/racoon/: admin.c, handler.c, handler.h, isakmp.c,
	  isakmp_var.h, pfkey.c: When rekeying phase2 use phase1 used to
	  negotiate phase2 as a hint to select the phase1 for rekeying the new
	  phase2.

2009-09-01  Timo Teras <timo.teras@iki.fi>

	* src/racoon/: nattraversal.c, racoon.conf.5, vendorid.c: Check
	  nat_traversal configuration from remote configuration candidates
	  when acting as responder. Enable NAT-T if any of the remote
	  candidates have NAT-T enabled.

	* src/racoon/remoteconf.c: Change remote conf matching level to
	  matching score. This way one can override anonymous certificate
	  block config with more exact "inhereted" IP specific block.

	* src/racoon/: isakmp.c, racoon.conf.5: From Maik Broemme: export
	  ISAKMP SA identity as REMOTE_ID for phase1 up script (trac #313).

2009-08-24  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/oakley.c: fixed typo: algoriym -> algorithm

2009-08-19  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/remoteconf.c: fixed address check in
	  rmconf_match_type(), just check address with wildcard port

2009-08-19  Timo Teras <timo.teras@iki.fi>

	* src/racoon/remoteconf.c: Have an enum for rmconf_match_type()
	  return values to make the code a bit more readable.

2009-08-18  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/oakley.c: typo: algoritym -> algorithm

2009-08-17  Yvan Vanhullebus <vanhu@netasq.com>

	* src/libipsec/libpfkey.h: do not use SADB_X_NAT_T_NEW_MAPPING to
	  check system support for NAT-T, as at least FreeBSD doesn't have
	  this define anymore

	* src/racoon/schedule.h: include stddef.h so we have a chance to
	  get the system offsetof if present

	* src/racoon/crypto_openssl.h: removed a self include

2009-08-13  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/oakley.c: fixed a potential DoS in
	  oakley_do_decrypt(), reported by Orange Labs

2009-08-10  Timo Teras <timo.teras@iki.fi>

	* src/racoon/pfkey.c: Don't print EAGAIN error from
	  pfkey_handler(), it can occur normally under some code paths and is
	  not a hard error in any case.

2009-08-06  Timo Teras <timo.teras@iki.fi>

	* src/setkey/setkey.c: From Paul Wenau: Check fgets return value in
	  setkey to make gcc happy.

2009-08-05  Timo Teras <timo.teras@iki.fi>

	* src/racoon/pfkey.c: From Paul Wernau: Fix transport mode per-port
	  security associations that got broke during NAT-T fixes.

2009-07-07  Timo Teras <timo.teras@iki.fi>

	* src/racoon/sockmisc.c: From Arnaud Ebalard: Fix possible usage of
	  uninitialized local variable (not sure if any code path triggers
	  this, but this makes compiler happy).

2009-07-03  Timo Teras <timo.teras@iki.fi>

	* src/racoon/: admin.c, grabmyaddr.c, handler.c, handler.h,
	  isakmp.c, isakmp_cfg.c, isakmp_inf.c, isakmp_quick.c,
	  nattraversal.c, pfkey.c, policy.c, remoteconf.c, remoteconf.h,
	  sockmisc.c, sockmisc.h, throttle.c: Get rid of the evil CMPSADDR
	  macro. Trac #295.

	* src/: libipsec/libpfkey.h, libipsec/pfkey.c, racoon/isakmp.c,
	  racoon/isakmp_inf.c, racoon/pfkey.c, racoon/pfkey.h: From Yvan
	  Vanhullebus: Use SADB_X_EXT_NAT_T_* consistently for passing the
	  NAT-T port information. This might break compatibility with some
	  kernels, but as discussed this is the proper way to pass NAT-T ports
	  and the broken kernels need to be fixed.

2009-06-24  Timo Teras <timo.teras@iki.fi>

	* src/racoon/session.c: Fix a call to null pointer: in some cases,
	  the unmonitor_fd can be called from another fd's callback. That
	  could lead to still have callback pending after unmonitoring the fd
	  resulting in a call to null pointer.  This is fixed by making
	  unmonitor_fd now clear the pending fd_set too.  Bug was introduced
	  by my commit in 2008-12-23.

2009-05-20  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/isakmp.h: typo

2009-05-19  Timo Teras <timo.teras@iki.fi>

	* src/racoon/: ipsec_doi.c, isakmp.c: From Jukka Salmi: Fix couple
	  of typos from previous commit.

2009-05-18  Timo Teras <timo.teras@iki.fi>

	* src/racoon/: ipsec_doi.c, isakmp.c, sockmisc.c, sockmisc.h: From
	  Tomas Mraz: Introduce union sockaddr_any and use it to make code
	  more readable. Related to trac #293.

	* src/racoon/isakmp_inf.c: From Tomas Mraz: Remove variable that is
	  not really used; only referenced while uninitialized causing
	  valgrind error.

	* src/racoon/nattraversal.c: From Tomas Mraz: Fix natt_flags check.

2009-05-04  Thomas Klausner <wiz@netbsd.org>

	* src/racoon/racoon.conf.5: Remove superfluous spaces around
	  parentheses.

2009-04-29  Timo Teras <timo.teras@iki.fi>

	* src/racoon/crypto_openssl.c: From Ross Meng: Fix a memory leak in
	  X509 certificate validation.

2009-04-28  Timo Teras <timo.teras@iki.fi>

	* src/racoon/handler.c: Reset nat_oa variables too when reusing
	  phase two handler. Otherwise phase2 rekeying might fail in some
	  scenarios.

2009-04-22  Timo Teras <timo.teras@iki.fi>

	* src/racoon/isakmp_frag.c: From Neil Kettle: Fix a possible null
	  pointer dereference in fragmentation code.

2009-04-21  Timo Teras <timo.teras@iki.fi>

	* src/racoon/: grabmyaddr.c, grabmyaddr.h, session.c: Fix
	  strict_address to work again. The lists needs to be initialized
	  before configuration is read, which happens before my_addr_init()
	  call.

2009-04-20  Timo Teras <timo.teras@iki.fi>

	* src/racoon/: isakmp.c, isakmp.h, isakmp_var.h: Fix a memory leak
	  in certificate request generation.

	* src/racoon/: isakmp_inf.c, isakmp_xauth.c, plog.c: Orignally from
	  Bin Li: Fix possible memory corruption in binsanitize().

	* src/racoon/crypto_openssl.c: From Stephen Bevan: Fix a x509
	  signature verification memory leak.

	* src/racoon/: admin.c, racoonctl.c: Originally from Bin Li: Fix a
	  crash with racoonctl logout user.

	* src/racoon/nattraversal.c: Fix a memory leak in nat-t keepalive
	  code.

	* src/racoon/handler.c: From Paul Moore: Phase2 message id's should
	  be unique wrt phase1, not globally.

2009-03-13  Timo Teras <timo.teras@iki.fi>

	* src/racoon/: pfkey.c, remoteconf.h: From Arnaud Ebalard: Fix
	  couple of problems with previous commit.

2009-03-12  he

	* src/racoon/: isakmp.c, remoteconf.c: When casting to/from a
	  pointer to an integral type (a bad practice, if you ask me), you
	  need to cast via intptr_t for portability.

2009-03-12  Thomas Klausner <wiz@netbsd.org>

	* src/racoon/racoon.conf.5: New sentence, new line. Avoid marking
	  up punctuation.

	* src/racoon/racoonctl.8: Bump date for previous. Sort options to
	  establish-sa.  Stop using Xo/Xc.

2009-03-12  Timo Teras <timo.teras@iki.fi>

	* src/racoon/: admin.c, cfparse.y, cftoken.l, crypto_openssl.c,
	  crypto_openssl.h, dnssec.c, dnssec.h, handler.c, handler.h,
	  ipsec_doi.c, ipsec_doi.h, isakmp.c, isakmp.h, isakmp_agg.c,
	  isakmp_base.c, isakmp_ident.c, isakmp_inf.c, isakmp_quick.c,
	  isakmp_var.h, nattraversal.c, oakley.c, oakley.h, racoon.conf.5,
	  racoonctl.8, racoonctl.c, remoteconf.c, remoteconf.h, sockmisc.c,
	  vendorid.c: Support multiple anonymous remotes and decide
	  remoteconf based on identity, received certificates and other
	  information. General code clean up.

2009-03-06  Timo Teras <timo.teras@iki.fi>

	* src/setkey/: extern.h, parse.y, setkey.c: setkey: fix deleteall
	  in Linux

	  Linux requires SADB_DELETE message to have SPI. So send a
	  SADB_DELETE message for each matching SA. Trac #284.

	  From: Gabriel Somlo <somlo@cmu.edu>

2009-02-16  Timo Teras <timo.teras@iki.fi>

	* src/libipsec/policy_parse.y: From Paul Moore: Fix a heap
	  corruption bug (yacc return non-null terminated buffer and sprintf
	  writes over bounds).

2009-02-11  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/: isakmp.c, sockmisc.c, sockmisc.h: trac#301: fixed
	  IPsec SAs flush in purge_remote() when NAT-T enabled but no NAT-T on
	  tunnel

2009-02-03  Timo Teras <timo.teras@iki.fi>

	* src/racoon/isakmp.c: From: Phil Sutter. Fix script environment
	  variables with IPv6 addresses.

2009-01-26  Timo Teras <timo.teras@iki.fi>

	* src/racoon/main.c: Argument parsing needs lcconf initialized.

2009-01-24  Thomas Klausner <wiz@netbsd.org>

	* src/racoon/racoonctl.c: Sort options in usage.

	* src/racoon/racoonctl.8: Sort options. New sentence, new line.

	* src/racoon/racoon.8: Sort options.

2009-01-23  Timo Teras <timo.teras@iki.fi>

	* src/racoon/: racoonctl.8, racoonctl.c: Update usage and manpage
	  for racoonctl.

	* src/racoon/: main.c, racoon.8: Racoon -v to print version and
	  compilation information. Update usage message.

	* NEWS: Update NEWS with major changes since 0.7 release.

	* src/racoon/schedule.c: Fix monotonic scheduler change, to not
	  refresh 'now' before exit. Otherwise we can return negative timeout
	  after spending time handling other events.

	* src/racoon/: handler.c, pfkey.c: From Arnaud Ebalard: Handle
	  reception of MIGRATE message during Phase 1 and Phase 2 negotiation.
	  Also corrects some debugging statements.

	* src/racoon/pfkey.c: From Arnaud Ebalard: On the responder (for
	  instance), there is a need to not only migrate local and remote
	  addresses of Phase 1 that match previous addresses but also the
	  local and remote addresses of a Phase 1 *associated* with a migrated
	  Phase 2. For instance, we have that need when receiving the first
	  MIGRATE/KMADDRESS message because the old addresses are still the
	  HoA and the address of the HA (while the peer has contacted us using
	  the CoA and we have negotiated this address as src attribute in
	  Phase 2). The patch fixes that by having migrate_ph1_ike_addresses()
	  called from migrate_ph2_ike_addresses() callback.

	* src/racoon/isakmp_quick.c: From Arnaud Ebalard: Set phase2 spid
	  when acting as responder.

	* configure.ac, src/racoon/handler.c, src/racoon/handler.h,
	  src/racoon/isakmp_inf.c, src/racoon/isakmp_xauth.c,
	  src/racoon/schedule.c, src/racoon/schedule.h,
	  src/racoon/throttle.c, src/racoon/throttle.h: Detect if monotonic
	  system clock is available, and use it for relative time measurements
	  to avoid complite hang if time jumps backwards.

	* src/racoon/: cfparse.y, ipsec_doi.c, isakmp.c, isakmp_agg.c,
	  isakmp_base.c, isakmp_cfg.c, isakmp_ident.c, isakmp_xauth.c,
	  oakley.c, oakley.h: Fix authentication method ambiguity by
	  internally using unique ID and setting/interpreting the wire format
	  based on received vendor ID:s. Fixes trac #280.

	* src/racoon/: handler.h, isakmp_agg.c, isakmp_base.c,
	  isakmp_ident.c, vendorid.c, vendorid.h: Introduce vendorid
	  bitmask that can be used otherwhere to detect peer capabilities.

	* configure.ac, src/racoon/admin.c, src/racoon/evt.c,
	  src/racoon/grabmyaddr.c, src/racoon/isakmp.c, src/racoon/pfkey.c,
	  src/racoon/session.c, src/racoon/session.h: Remove "fastquit"
	  configure option and make it the default behaviour. The previous
	  normal behaviour is buggy, as after flush kernel can immediately
	  create larval SA:s which would prevent exit.

2009-01-20  Timo Teras <timo.teras@iki.fi>

	* Makefile.am, misc/cvs2cl.pl, misc/cvsusermap: Autogenerate
	  ChangeLog from NetBSD CVS. Put sourceforge.net changes to
	  ChangeLog.old.

2009-01-10  Thomas Klausner <wiz@netbsd.org>

	* src/racoon/racoon.conf.5: Make ready for HTML output.  Use proper
	  escape for backslash ('\e').

2009-01-10  Timo Teras <timo.teras@iki.fi>

	* src/racoon/: crypto_openssl.c, racoon.conf.5: From Cyrus Rahman:
	  Accept RFC2253 compliant escaped special characters for asn1dn
	  identifier.

2009-01-09  Timo Teras <timo.teras@iki.fi>

	* configure.ac: Fix a CPPLAGS typo to CPPFLAGS which was intended

2009-01-05  Timo Teras <timo.teras@iki.fi>

	* src/racoon/: cfparse.y, cftoken.l, racoon.conf.5: Remove obsolete
	  configuration options, fix radius configuration block and add GRE as
	  recognized protocol.

	* src/racoon/session.c: Do not use counting in signal handling as
	  it was unsafe by not using atomic functions (post increment is not
	  necessarily atomic).  Instead reap all children on SIGCHLD as that
	  was the only signal needing signal counting.

2008-12-30  Timo Teras <timo.teras@iki.fi>

	* src/racoon/session.c: schedular() call can now modify fd mask so
	  make the working copy just before calling select(); otherwise it can
	  contain bad file descriptors

2008-12-29  Michael van Elst <mlelstv@netbsd.org>

	* src/setkey/parse.y: support icmp codes. Fixes PR 39056.

2008-12-24  Christos Zoulas <christos@netbsd.org>

	* src/racoon/grabmyaddr.c: remove sin{6,}_len linux does not have
	  it. From Timo Teras.

	* src/racoon/grabmyaddr.c: I was wrong. addr is actually set.

	* src/racoon/grabmyaddr.c:
	  - make this compile by zeroing out the whole structure not just
	  bogus fields.
	  - set length field of sockets appropriately.
	  - mark bogus no-op code (I don't understand what the author intended
	  here).

2008-12-23  Thomas Klausner <wiz@netbsd.org>

	* src/racoon/racoon.conf.5: Bump date for identity configuration
	  option removal.

2008-12-23  Timo Teras <timo.teras@iki.fi>

	* src/racoon/: cfparse.y, cftoken.l, ipsec_doi.c, localconf.c,
	  localconf.h, racoon.conf.5: Remove the obsoleted global identity
	  configuration option.

	* src/racoon/: admin.c, admin_var.h, cfparse.y, debug.h, evt.c,
	  evt.h, grabmyaddr.c, grabmyaddr.h, handler.c, isakmp.c,
	  isakmp_inf.c, isakmp_var.h, localconf.c, localconf.h, main.c,
	  nattraversal.c, pfkey.c, pfkey.h, privsep.c, session.c,
	  session.h: rewrite local address detection make some functions
	  static that arr not needed globally rework how fd_set is
	  construction for the main loop select()

2008-12-18  Timo Teras <timo.teras@iki.fi>

	* src/racoon/pfkey.c: From Arnaud Ebalard: Delete larval ph2handles
	  when expire with hard lifetime received

2008-12-16  Timo Teras <timo.teras@iki.fi>

	* README: Update README

	* src/racoon/pfkey.c: Fix transport mode address selection in
	  acquire handling.  Some earlier fixes got lost on 2008-12-05 commit.

2008-12-11  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/grabmyaddr.c: Fixed compilation on FreeBSD (RTM_IFINFO
	  and RTM_OIFINFO stuff)

	* src/racoon/isakmp.c: Fixed compilation when DPD support is
	  disabled

2008-12-08  Timo Teras <timo.teras@iki.fi>

	* src/racoon/: pfkey.c, privsep.c, privsep.h: Do not cache pfkey
	  sockets: it might cause to not handle some pfkey events when
	  select() has marked pfkey socket readable, but a timer callback
	  first calls pfkey_dump_sadb().

2008-12-05  Timo Teras <timo.teras@iki.fi>

	* src/: libipsec/key_debug.c, libipsec/libpfkey.h,
	  libipsec/pfkey.c, racoon/handler.c, racoon/handler.h,
	  racoon/ipsec_doi.c, racoon/isakmp.c, racoon/isakmp_quick.c,
	  racoon/pfkey.c, racoon/policy.c, racoon/policy.h: From Arnaud
	  Ebalard: Improved Mobile IPv6 support per
	  draft-ebalard-mext-pfkey-enhanced-migrate.

2008-12-04  Christoph Badura <bad@netbsd.org>

	* src/racoon/privsep.c: Fix typo in previous and use SIG_IGN as I
	  intended.

2008-12-02  Timo Teras <timo.teras@iki.fi>

	* src/racoon/session.c: Explicitly ignore SIGPIPE. Default action
	  on Linux is terminate.

2008-11-28  Thomas Klausner <wiz@netbsd.org>

	* src/racoon/racoon.conf.5: Remove empty line. Fix typo. New
	  sentence, new line.

2008-11-27  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/main.c: Set up a default value for Mode Config Pool
	  size if pool address specified but pool size not specified

	* src/racoon/isakmp_cfg.c: Fixed pool resizing

2008-11-27  Timo Teras <timo.teras@iki.fi>

	* src/racoon/pfkey.c: From Arnaud Ebalard: Remove MAXNESTEDSA
	  weirdness. It's probably meant for bundle support which is not done.
	  When someone actually writes bundle support, the nested SA stuff
	  would probably be reworked too anyway.

	* src/: libipsec/libpfkey.h, libipsec/pfkey.c, racoon/cfparse.y,
	  racoon/cftoken.l, racoon/localconf.c, racoon/localconf.h,
	  racoon/pfkey.c, racoon/racoon.conf.5: From: Matthew Krenzer
	  Ability to set pfkey socket buffer size via configuration file
	  directive.  (Indentation and minor fixes by me.)

2008-11-25  Christoph Badura <bad@netbsd.org>

	* src/racoon/: evt.c, privsep.c, session.c: Avoid using
	  MSG_NOSIGNAL as it is not available everywhere.  Ignore SIGPIPE
	  instead.

	* src/racoon/grabmyaddr.c: Ignore unspecified and looback
	  addresses.  Ignoring unspecified addresses prevents racoon from
	  trying to bind to the wildcard address and specific addresses
	  simultaneously after e.g. dhclient has changed an interface's
	  address to 0.0.0.0.

	* src/racoon/grabmyaddr.c: RTM_DELETE and RTM_IFINFO don't carry
	  info for added or deleted addresses.  Ignore them silently.

	* src/racoon/grabmyaddr.c: Ignoring an unsuitable address is not an
	  error.  Therefore log it as informational.  Make it clear from the
	  log message that a route message is not interesting.

	* src/racoon/grabmyaddr.c: Use insmyaddr() instead of open coding
	  it.

	* src/racoon/isakmp.c: Do not return erroneously from isakmp_open()
	  when setting IPV6_USE_MIN_MTU fails.

	* src/racoon/: grabmyaddr.c, isakmp.c: Keep myaddr.sock at -1 when
	  no socket is opened.

2008-11-08  Christoph Badura <bad@netbsd.org>

	* src/racoon/samples/roadwarrior/client/: phase1-down.sh,
	  phase1-up.sh: Preserve owner and permissions of original
	  /etc/resolv.conf.  Ensure that new /etc/resolv.conf isn't group or
	  world writable.

	* src/racoon/samples/roadwarrior/client/: phase1-down.sh,
	  phase1-up.sh: Print and check INTERNAL_NETMASK4.

	* src/racoon/samples/roadwarrior/client/: phase1-down.sh,
	  phase1-up.sh: Make the handling of NAT-T SPD entries automatic.

	* src/racoon/samples/roadwarrior/client/: phase1-down.sh,
	  phase1-up.sh: Ensure that the determination of the default
	  gateway and the corresponding interface don't get confused by
	  multiple, possibly non-IPv4  default routes.  Bring the NetBSD case
	  of deleting the VPN routes and address in line with the Linux case
	  and delete the address after deleting the VPN routes.

2008-11-06  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/sainfo.c: fixed delsainfo() to avoid a crash when
	  iddst's value is SAINFO_CLIENTADDR

2008-10-29  S.P.Zeidler <spz@netbsd.org>

	* src/racoon/ipsec_doi.c: Changes to ipsecdoi_id2str():

	  struct sockaddr -> struct sockaddr_storage fixes a stack overflow

	  For non-linklocal addresses the value in 'scope' is garbage and gets
	  set to zero instead.

2008-10-27  Timo Teras <timo.teras@iki.fi>

	* src/racoon/pfkey.c: From Arnaud Ebalard: Add missing return to
	  error path

	* src/racoon/grabmyaddr.c: From Francis Dupont (sent by Arnaud
	  Ebalard): recognize RTM_IFANNOUNCE

	* src/racoon/grabmyaddr.c: From Arnaud Ebalard: Fix indentation
	  issues for readability

	* src/racoon/session.c: From Arnaud Ebalard: initfds() needs to be
	  called only if monitored file descriptor numbers have changed

	* src/racoon/isakmp_var.h: From Arnaud Ebalard: Remove duplicate
	  declaration

2008-10-23  Timo Teras <timo.teras@iki.fi>

	* src/racoon/: privsep.c, session.c, session.h: From Krzysztof
	  Piotr Oledzki <olel@ans.pl>: Revert parts of 2008-08-06 commit; the
	  problem those changes address are already handled in a sensible way
	  by Cyrus Rahman's patch from 2008-03-06.

2008-10-09  Timo Teras <timo.teras@iki.fi>

	* src/racoon/isakmp_quick.c: From Arnaud Ebalard: remove
	  unnecessary unbindph12() call which is now done in remph2()

2008-09-25  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/isakmp.c: Fixed resending mechanism to have non-ESP
	  marker for retransmitted packets

2008-09-19  Thomas Klausner <wiz@netbsd.org>

	* src/racoon/racoon.conf.5: New sentence, new line.

2008-09-19  Timo Teras <timo.teras@iki.fi>

	* src/racoon/: admin.c, cfparse.y, cftoken.l, handler.c, handler.h,
	  isakmp.c, isakmp_cfg.c, isakmp_inf.c, isakmp_quick.c,
	  isakmp_var.h, isakmp_xauth.c, pfkey.c, proposal.c, racoon.conf.5,
	  remoteconf.c, remoteconf.h: Implement ISAKMP SA rekeying
	  configurable with rekey {on|off|force} option in remote conf.

	* src/racoon/: handler.c, handler.h, isakmp.c, isakmp_inf.c,
	  isakmp_quick.c, isakmp_var.h, isakmp_xauth.c, isakmp_xauth.h,
	  nattraversal.c, pfkey.c, pfkey.h, schedule.c, schedule.h,
	  session.c: Change struct sched to be allocated be the caller to
	  avoid some memory allocations. Optimize scheduling algorithm to not
	  scan all entries in the main loop.

2008-09-17  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/isakmp_inf.c: Fixed port match in purge_ipsec_spi()
	  when NAT-T enabled and trying to purge non NAT-T SAs

2008-09-09  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/pfkey.c: Some calls to set_port() were not correctly
	  updated in the previous commit

2008-09-03  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/pfkey.c: From Tomas Mraz: Duplicate addresses in
	  pk_sendxxx functions, as they may be altered for NAT-T stuff.

2008-09-03  Timo Teras <timo.teras@iki.fi>

	* src/: libipsec/pfkey.c, racoon/pfkey.c, racoon/sockmisc.c:
	  - Fix reloading of SPD (Linux satype check, handling of SPD dump
	  responses)
	  - Remove some spurious error log message from extract_port()

2008-08-29  Gregory McGarry <gmcgarry@netbsd.org>

	* src/racoon/isakmp.c: Eliminate gcc-specific feature of empty
	  structures.

	* src/racoon/evt.h: Eliminate superfluous semicolon.

	* src/racoon/: admin.c, admin.h: Eliminate gcc-specific feature of
	  unnamed structures added recently.

2008-08-12  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/isakmp.c: From Krzysztof Piotr Oledzki: Remove
	  ph1handler if we received an invalid first exchange from initiator.

2008-08-06  Timo Teras <timo.teras@iki.fi>

	* src/racoon/: privsep.c, session.c, session.h: From Krzysztof
	  Piotr Oledzki: Make privileged process exit if unprivileged process
	  is terminated and some spelling fixes.

2008-07-23  Matthew Grooms <mgrooms@shrew.net>

	* src/racoon/: cfparse.y, session.c: Add some missing ifdefs
	  required for non-radius enabled builds.

2008-07-23  Timo Teras <timo.teras@iki.fi>

	* src/racoon/Makefile.am: Do not use GNU make specific extension.

	* src/: libipsec/Makefile.am, racoon/Makefile.am,
	  setkey/Makefile.am: Do flex/bison invocation in a more standard
	  way, and keep the generated files in the dist tarball.

2008-07-22  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/proposal.c: From Kohki Ohhira: fix some memory leaks,
	  when malloc fails or when peer sends invalid proposal.

2008-07-22  Matthew Grooms <mgrooms@shrew.net>

	* src/racoon/: cfparse.y, cftoken.l, isakmp_cfg.c, isakmp_xauth.c,
	  isakmp_xauth.h, main.c, racoon.conf.5, session.c: Add an optional
	  radius configuration section to the racoon.conf file. This is
	  similar to the the LDAP configuration section and overrides settings
	  in the system radius configuration file.

2008-07-21  Matthias Scheler <tron@netbsd.org>

	* src/racoon/cfparse.y: Correct typo to fix the build.

2008-07-21  Timo Teras <timo.teras@iki.fi>

	* src/racoon/: isakmp_agg.c, isakmp_base.c, isakmp_ident.c,
	  vendorid.c, vendorid.h: Separate generic vendor id handling to a
	  new function and use it.

	* src/racoon/cfparse.y: Do not set default gss id if xauth is used,
	  otherwise gss-id attribute might be sent even if it was not
	  requested.

2008-07-15  Matthew Grooms <mgrooms@shrew.net>

	* src/racoon/isakmp_cfg.c: Fix an a typo that prevented racoon from
	  building with hybrid enabled.

	* src/racoon/: crypto_openssl.c, eaytest.c, misc.c, misc.h,
	  racoonctl.c: Fix a conflict with the FreeBSD 8 system hexdump
	  function.

2008-07-14  Timo Teras <timo.teras@iki.fi>

	* src/racoon/: handler.h, ipsec_doi.c, ipsec_doi.h, isakmp_quick.c,
	  pfkey.c: Handle RESPONDER-LIFETIME notification in quick mode.

	* src/racoon/: handler.h, isakmp.c, isakmp_agg.c, isakmp_ident.c,
	  isakmp_inf.c, isakmp_inf.h, isakmp_quick.c, strnames.c: Clean up
	  notification payload handling. Handle INITIAL-CONTACT notification
	  in last main mode exchange (delayed) and during quick mode
	  exchanges.

2008-07-11  Timo Teras <timo.teras@iki.fi>

	* src/racoon/: isakmp.c, isakmp_inf.c: Original patch from Atis
	  Elsts: Fix a double memory free and a memory corruption
	  (LIST_REMOVE() on an uninserted node) in some error handling paths.

2008-07-09  Timo Teras <timo.teras@iki.fi>

	* src/racoon/cfparse.y: From Chong Peng: fix a file descriptor and
	  memory leak on configuration file reread

2008-07-02  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/isakmp_inf.c: From Timo Teras: fix some %d to %zu
	  (size_t values)

2008-06-18  Thomas Klausner <wiz@netbsd.org>

	* src/racoon/racoonctl.8: Bump date for previous.

2008-06-18  Matthew Grooms <mgrooms@shrew.net>

	* src/racoon/: admin.c, admin.h, racoonctl.8, racoonctl.c: Add an
	  admin port command to retrieve the peer certificate. Submitted by
	  Timo Teras.

	* src/racoon/: admin.c, grabmyaddr.c, isakmp.c, misc.c, misc.h: Set
	  sockets to be closed on exec to avoid potential file descriptor
	  inheritance issues. Submitted by Timo Teras.

	* src/racoon/: admin.c, grabmyaddr.c, ipsec_doi.c, isakmp.c,
	  isakmp_cfg.c, isakmp_inf.c, privsep.c, remoteconf.c: Use utility
	  functions to evaluate and manipulate network port values. No
	  functional changes. Submitted by Timo Teras.

	* src/racoon/: admin.c, racoonctl.c: Admin port code cleanup. No
	  functional changes. Submitted by Timo Teras.

	* src/racoon/pfkey.c: Correct a phase2 status event. Submitted by
	  Timo Teras.

2008-05-24  Christos Zoulas <christos@netbsd.org>

	* src/racoon/privsep.c: Coverity CID 5018: Fix double frees.

2008-05-08  Emmanuel Dreyfus <manu@netbsd.org>

	* configure.ac: From Christian Hohnstaedt: allow out of tree
	  building

2008-04-30  Martin Husemann <martin@netbsd.org>

	* netbsd-import.sh: Convert TNF licenses to new 2 clause variant

2008-04-25  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/isakmp_inf.c: From Timo Teras: extract port numbers
	  from SADB_X_EXT_NAT_T[SD]PORT if present in purge_ipsec_spi().

2008-04-13  Christos Zoulas <christos@netbsd.org>

	* src/racoon/privsep.c: for symmetry set controllen the same way we
	  set it on the receiving side.

2008-04-02  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/: Makefile.am, sockmisc.c, sockmisc.h: fix Linux build

2008-03-28  Christos Zoulas <christos@netbsd.org>

	* src/racoon/privsep.c: properly fix the variable stack allocation
	  code.

2008-03-28  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/privsep.c: Still from Cyrus Rahman: fix file
	  descriptor leak introduced by previous commit.

	* src/racoon/: Makefile.am, isakmp.c, isakmp_inf.c, privsep.c,
	  privsep.h, sockmisc.c, doc/README.privsep: From Cyrus Rahman:
	  Allow interface reconfiguration when running in privilege separation
	  mode, document privilege separation

2008-03-06  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/oakley.c: Generates a log if cert validation has been
	  disabled by configuration

2008-03-06  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/: privsep.c, session.c: From Cyrus Rahman
	  <crahman@gmail.com> privilegied instance exit when unprivilegied one
	  terminates. Save PID in real root, not in chroot

2008-03-06  Matthew Grooms <mgrooms@shrew.net>

	* src/racoon/: admin.c, isakmp.c, isakmp_var.h, pfkey.c,
	  racoonctl.8, racoonctl.c: Add the ability to initiate IPsec SA
	  negotiations using the admin socket.  Submitted by Timo Teras.

	* src/racoon/: admin.c, admin.h, evt.c, evt.h, handler.c,
	  handler.h, isakmp.c, isakmp_agg.c, isakmp_base.c, isakmp_cfg.c,
	  isakmp_ident.c, isakmp_inf.c, isakmp_var.h, isakmp_xauth.c,
	  racoonctl.8, racoonctl.c, session.c: Refactor admin socket event
	  protocol to be less error prone. Backwards compatibility is
	  provided. Submitted by Timo Teras.

2008-03-05  Matthew Grooms <mgrooms@shrew.net>

	* src/racoon/cfparse.y: Properly initialize the unity network
	  struct to prevent erroneous protocol and port info from being
	  transmitted.

	* src/racoon/: pfkey.c, pfkey.h, session.c: Reload SPD on SIGHUP or
	  adminport reload. Also provide better handling for pfkey socket read
	  errors. Submitted by Timo Teras.

2008-02-25  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/ipsec_doi.c: From Brian Haley <brian.haley@hp.com>
	  There's a cut/paste error in cmp_aproppair_i(), it's supposed to be
	  checking spi_size but it's not.  I'm not sure this patch is correct,
	  but what's there isn't either.

2008-02-22  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/isakmp.c: Fix address length, from Brian Haley

2008-02-10  S.P.Zeidler <spz@netbsd.org>

	* src/racoon/ipsec_doi.c: closes PR bin/37644 did not meet violent
	  opposition ( :) ) on ipsec-tools-devel

2008-01-11  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/isakmp_inf.c: From Timo Teras: reset iph1->dpd_r_u in
	  the scheduler's callback, to avoid access to freed memory.

	* src/racoon/crypto_openssl.c: From Krzysztof Oledzki: Fix
	  compilation with IDEA and recent gcc.

	* src/racoon/isakmp_inf.c: From Krzysztof Oledzki: added some
	  details to some logs (also reported new getph1byaddr() arg).

	* src/racoon/isakmp.c: From Krzysztof Oledzki: Only search for
	  established ph1 handles in DPD (also reported new getph1byaddr()
	  arg).

	* src/racoon/: handler.c, handler.h: added an 'established' arg to
	  getph1byaddr()

2007-12-31  Matthew Grooms <mgrooms@shrew.net>

	* src/racoon/: policy.c, racoonctl.8, racoonctl.c: Add GRE protocol
	  number to racoonctl. Correct id wildcard matching for transport
	  mode. Submitted by Timo Teras.

2007-12-12  Matthew Grooms <mgrooms@shrew.net>

	* NEWS, src/racoon/isakmp_quick.c: Add corrections submitted in a
	  follow up patch for the nat-t oa support.

	* src/racoon/: handler.c, handler.h, isakmp_quick.c, pfkey.c: Add
	  support for nat-t oa payload handling. Submitted by Timo Teras.

2007-12-04  Matthew Grooms <mgrooms@shrew.net>

	* src/racoon/: ipsec_doi.c, ipsec_doi.h, isakmp_quick.c: Modify
	  ipsecdoi_sockaddr2id() to obtain an id without specifying the exact
	  prefix length. Correct a memory leak in phase2. Both submitted by
	  Timo Teras.

2007-12-01  Thomas Klausner <wiz@netbsd.org>

	* src/racoon/racoon.conf.5: Fix typos. New sentence, new line.

2007-11-29  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/Makefile.am: From Natanael Copa: fixed a race
	  condition when building yacc stuff.

2007-11-09  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/pfkey.c: From Arnaud Ebalard: Some sanity checking in
	  pk_recv()

	* src/racoon/policy.c: From Arnaud Ebalard: Better matching of SPD
	  entries in getsp_r().

	* src/racoon/isakmp_quick.c: From Arnaud Ebalard: Added some debug
	  in get_proposal_r().

2007-10-19  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/: isakmp_cfg.c, isakmp_unity.c, isakmp_unity.h,
	  racoon.conf.5: Add SPLITNET_{INCLUDR_LOCAL}_CIDR to hook scripts

2007-10-15  Yvan Vanhullebus <vanhu@netasq.com>

	* src/libipsec/pfkey.c: Try to increase the buffer size of the
	  pfkey socket, this may help things when we have a huge SPD

2007-10-02  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/crypto_openssl.c: From Scott Lamb: include plog.h to
	  work with the new plog macro.

	* src/racoon/kmpstat.c: From Scott Lamb: plog changed to _plog to
	  work with new plog macro

	* src/racoon/: plog.c, plog.h: From Scott Lamb: new plog macro.

2007-09-19  Matthew Grooms <mgrooms@shrew.net>

	* src/racoon/isakmp.c: Set REUSE option on sockets to prevent
	  failures associated with closing and immediately re-opening.
	  Submitted by Gabriel Somlo.

	* src/racoon/isakmp_unity.c: Prevent duplicate entries in splitnet
	  list. Submitted by Gabriel Somlo.

2007-09-13  Matthew Grooms <mgrooms@shrew.net>

	* configure.ac: Fix autoconf check for selinux support. Submitted
	  by Joy Latten.

2007-09-12  Matthew Grooms <mgrooms@shrew.net>

	* src/racoon/: cfparse.y, cftoken.l, handler.c, isakmp_quick.c,
	  pfkey.c, racoon.conf.5, sainfo.c, sainfo.h: Implement clientaddr
	  sainfo remote id option and refine the sainfo man page syntax.

2007-09-05  Matthew Grooms <mgrooms@shrew.net>

	* src/racoon/sainfo.c: Sort sainfo sections on insert and improve
	  matching logic.

2007-09-03  Matthew Grooms <mgrooms@shrew.net>

	* src/racoon/: cftoken.l, racoon.conf.5: Correct the syntax for
	  wins4 in the man page and add nbns4 as an alias. Pointed out by
	  Claas Langbehn.

2007-08-07  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/isakmp_xauth.c: src/racoon/isakmp_xauth.c: Don't mix
	  up RADIUS authentication and authorization ports. Allow
	  interoperability with freeradius

2007-07-24  Matthew Grooms <mgrooms@shrew.net>

	* NEWS: Update NEWS file with additional 0.7 improvements.

2007-07-18  Matthew Grooms <mgrooms@shrew.net>

	* src/racoon/racoon.conf.5: Various racoon configuration manpage
	  updates.

2007-07-18  Yvan Vanhullebus <vanhu@netasq.com>

	* configure.ac, src/libipsec/ipsec_dump_policy.c,
	  src/libipsec/ipsec_get_policylen.c,
	  src/libipsec/ipsec_strerror.c, src/libipsec/key_debug.c,
	  src/libipsec/libpfkey.h, src/libipsec/pfkey.c,
	  src/libipsec/pfkey_dump.c, src/libipsec/policy_parse.y,
	  src/libipsec/policy_token.l, src/libipsec/test-policy-priority.c,
	  src/racoon/admin.c, src/racoon/backupsa.c, src/racoon/cfparse.y,
	  src/racoon/cftoken.l, src/racoon/ipsec_doi.c,
	  src/racoon/isakmp.c, src/racoon/isakmp_inf.c,
	  src/racoon/isakmp_quick.c, src/racoon/pfkey.c,
	  src/racoon/policy.c, src/racoon/proposal.c,
	  src/racoon/remoteconf.c, src/racoon/sainfo.c,
	  src/racoon/session.c, src/racoon/sockmisc.c,
	  src/racoon/strnames.c, src/setkey/parse.y, src/setkey/setkey.c,
	  src/setkey/token.l: use a single PATH_IPSEC_H to fix some
	  path_to_ipsec.h issues

2007-07-16  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/grabmyaddr.c: fixed a socket leak

	* src/racoon/proposal.c: indentation

2007-06-07  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/isakmp_cfg.c: From Paul Winder
	  <Paul.Winder@tadpole.com>: Fix ignored INTERNAL_DNS4_LIST

2007-06-06  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/: eaytest.c, var.h: From Rong-En Fan: fix compilation
	  with gcc 4.2

	* src/racoon/session.c: From Jianli Liu: speed up interfaces update
	  when they change.

	* src/racoon/handler.c: ignore obsolete lifebyte when validating
	  reloaded configuration

2007-05-31  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/: main.c, policy.h, security.c: From Joy Latten
	  <latten@austin.ibm.com> Fix file descriptor shortage when using
	  labeled IPsec.

2007-05-30  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/kmpstat.c: From Jianli Liu <jlliu@nortel.com>: In
	  racoonctl, use the specified socket path instead of the default
	  location

2007-05-16  Christos Zoulas <christos@netbsd.org>

	* src/racoon/cfparse.y: coverity CID 4168: yyerror() does not
	  return, so we proceed to de-reference NULL. Make it return -1
	  instead like in other places.

	* src/racoon/cfparse.y: coverity CID 4170: yyerror() does not
	  return, so we proceed to de-reference NULL. Make it return -1
	  instead like in other places.

2007-05-04  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/handler.c: search a ph1 by address if iph2->ph1 is
	  NULL when validating the new config

	* src/racoon/handler.c: added some debug in getph1byaddr() to track
	  some port matching problems with NAT-T

	* src/racoon/isakmp.c: added some debug in isakmp_chkph1there() to
	  track some port matching problems with NAT-T

	* src/racoon/isakmp_inf.c: added some debug for DELETE_SA process

	* src/racoon/pfkey.c: Force the update of ph2 in pk_recvupdate() if
	  NAT_T support, to solve some port match problems with the first
	  IPSec SAs negociated as initiator

2007-04-04  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/ipsec_doi.c: checks proto_id in ipsecdoi_chkcmpids()

	* src/racoon/oakley.c: dumps peer's ID and peer's certificate
	  subject /subjectaltname if they don't match

2007-03-26  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/isakmp_inf.c: Store the DPD main scheduler in ph1
	  handler, to be able to cancel it when removing the handler, and some
	  minor cleanups in DPD code

2007-03-24  Christos Zoulas <christos@netbsd.org>

	* src/racoon/isakmp_xauth.c: PR/36069: Huang Yushuo: racoon can't
	  work with pam_group Set RUSER.

2007-03-23  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/: ipsec_doi.c, security.c: From Joy Latten: fix a
	  segfault when using security labels between 32bit and 64bit host.

	* src/racoon/handler.c: expire zombie handlers in getph2byid(), to
	  avoid situations where we'll never negociate a phase2 again

	* src/racoon/: oakley.c, racoon.conf.5: From Cyrus Rahman: give
	  more details about what is checked when using certificates to
	  authenticate

2007-03-22  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/: cfparse.y, ipsec_doi.c: fixed subnet check to
	  generate IPV4_ADDRESS when needed in sockaddr2id()

2007-03-21  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/: handler.c, isakmp.c, isakmp_inf.c, pfkey.c: NULL
	  sched check is now done in SCHED_KILL

	* src/racoon/schedule.h: checks if arg is NULL in SCHED_KILL

2007-03-15  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/grabmyaddr.c: From Yves-Alexis Perez: enable
	  monitoring of ipv6 address changes on Linux.

	* src/racoon/isakmp.c: Consider a negociation timeout when
	  retry_counter is <=0 instead of < 0

2007-02-28  Matthew Grooms <mgrooms@shrew.net>

	* src/racoon/ipsec_doi.c: Add logic to allow ip address ids to be
	  matched to ip subnet ids when appropriate.

2007-02-21  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/ipsec_doi.c: block variable declaration before code in
	  ipsecdoi_id2str()

2007-02-20  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/isakmp_inf.c: Removed a debug printf....

	* src/racoon/isakmp.c: Only delete a generated SPD if it's creation
	  date matches the creation date of the SA we are currently deleting

	* src/racoon/: handler.c, isakmp_var.h: updated delete_spd() calls

	* src/racoon/: isakmp_inf.c, pfkey.c: fills creation date of
	  generated SPDs

	* src/racoon/policy.h: added 'created' var

2007-02-19  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/isakmp.c: Removed a debug printf....

2007-02-16  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/ipsec_doi.c: From Olivier Warin: Fix a %zu in a
	  printf.

2007-02-15  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/security.c: Missing SELinux file

	* configure.ac: Missing stuff for SELinux

2007-02-15  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/isakmp_inf.c: From "Uncle Pedro" on sf.net: Just
	  expire a ph1 handle when receiving a DELETE-SA instead of calling
	  purge_remote().

	* src/racoon/isakmp.c: Fixed the way phase1/2 messages are
	  sent/resent, to avoid zombie handles and acces to freed memory

2007-02-02  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/cfparse.y: Fixed a check of NAT-T support in libipsec

2007-02-01  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/isakmp_inf.c: From "Uncle Pedro" on sf.net: When
	  receiving an ISAKMP DELETE_SA, get the cookie of the SA to be
	  deleted from payload instead of just deleting the ISAKMP SA used to
	  protect the informational exchange.

2006-12-26  Arnaud Lacombe <alc@netbsd.org>

	* src/racoon/ipsec_doi.c: CID-4167: check for 'iph1->approval !=
	  NULL'

2006-12-23  Thomas Klausner <wiz@netbsd.org>

	* src/racoon/racoon.conf.5: Use even more macros.

	* src/racoon/racoon.conf.5: Use more macros.

	* src/racoon/racoon.conf.5: Serial comma, and bump date for
	  previous.

2006-12-18  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/crypto_openssl.c: From Joy Latten: fix a memory leak

2006-12-10  Emmanuel Dreyfus <manu@netbsd.org>

	* src/: libipsec/Makefile.am, libipsec/libpfkey.h,
	  libipsec/pfkey.c, racoon/backupsa.c, racoon/cfparse.y,
	  racoon/pfkey.c: Bring back API and ABI backward compatibility
	  with previous libipsec before recent interface change. Bump libipsec
	  minor version. Remove ifdefs in struct pfkey_send_sa_args to avoid
	  ABI compatibility lossage.  Add a capability flags to detect missing
	  optional feature in libipsec

	* src/racoon/: Makefile.am, doc/README.plainrsa: From Joy Latten:
	  README.plainrsa documenting plain RSA auth

2006-12-09  Emmanuel Dreyfus <manu@netbsd.org>

	* configure.ac, src/libipsec/libpfkey.h, src/libipsec/pfkey.c,
	  src/racoon/Makefile.am, src/racoon/backupsa.c,
	  src/racoon/backupsa.h, src/racoon/cftoken.l,
	  src/racoon/ipsec_doi.c, src/racoon/ipsec_doi.h,
	  src/racoon/isakmp_inf.c, src/racoon/isakmp_quick.c,
	  src/racoon/pfkey.c, src/racoon/policy.c, src/racoon/policy.h,
	  src/racoon/proposal.c, src/racoon/proposal.h,
	  src/racoon/remoteconf.c: From Joy Latten: Add support for SELinux
	  security contexts. Also cleanup the libipsec interface for adding
	  and updating security associations.

	* src/racoon/racoon.conf.5: From Simon Chang: More hints about
	  plain RSA authentication

2006-12-05  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/: proposal.c, proposal.h, racoon.conf.5: Check keys
	  length regarding proposal_check level

2006-11-16  Matthew Grooms <mgrooms@shrew.net>

	* src/racoon/sainfo.c: Correct issues associated with anonymous
	  sainfo selection in racoon.

2006-11-09  Christos Zoulas <christos@netbsd.org>

	* src/racoon/crypto_openssl.c: eliminate the only variable stack
	  array allocation.

2006-10-31  Christian Biere <cbiere@netbsd.org>

	* src/racoon/sockmisc.c: Don't define the deprecated
	  IPV6_RECVDSTADDR if the "advanced IPv6 API" is used because
	  IPV6_RECVPKTINFO and IPV6_PKTINFO are used to prevent potential bugs
	  in the future just in case that the numeric value of the socket
	  option is ever recycled.

2006-10-22  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/: backupsa.c, cfparse.y: From Michal Ruzicka: fix
	  typos

2006-10-19  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/sainfo.c: From Matthew Grooms: use
	  ipsecdoi_chkcmpids() and changed src/dst to loc/rmt in getsainfo().

	* src/racoon/: ipsec_doi.c, ipsec_doi.h: From Matthew Grooms: Added
	  ipsecdoi_chkcmpids() function.

2006-10-09  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/proposal.c: Fix memory leak (Coverity 3438 and 3437)

	* src/racoon/isakmp_unity.c: Correctly check read() return value:
	  it's signed (Coverity 1251)

2006-10-06  Emmanuel Dreyfus <manu@netbsd.org>

	* configure.ac, src/libipsec/pfkey_dump.c, src/racoon/algorithm.c,
	  src/racoon/algorithm.h, src/racoon/cftoken.l,
	  src/racoon/crypto_openssl.c, src/racoon/crypto_openssl.h,
	  src/racoon/eaytest.c, src/racoon/ipsec_doi.c,
	  src/racoon/ipsec_doi.h, src/racoon/oakley.h, src/racoon/pfkey.c,
	  src/racoon/racoon.conf.5, src/racoon/strnames.c,
	  src/setkey/setkey.8, src/setkey/test-pfkey.c, src/setkey/token.l:
	  Camelia cipher support as in RFC 4312, from Tomoyuki Okazaki
	  <okazaki@kick.gr.jp>

2006-10-03  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/admin.c: fix endianness issue introduced yesterday

2006-10-03  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/racoon.conf.5: Added remoteid/ph1id syntax

	* src/racoon/: cfparse.y, cftoken.l: Parses remoteid/ph1id values

	* src/racoon/: handler.c, isakmp_quick.c, pfkey.c, sainfo.c: Uses
	  remoteid/ph1id values

	* src/racoon/: remoteconf.h, sainfo.h: Added remoteid/ph1id values

2006-10-02  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/isakmp_base.c:
	   avoid reusing free'd pointer (Coverity 2613)

	* src/racoon/isakmp_inf.c: Check for NULL pointer (COverity 4175)

	* src/racoon/isakmp_ident.c: Remove dead code (Coverity 3451)

	* src/racoon/algorithm.c: Fix array overrun (Coverity 4172)

	* src/racoon/admin.c: Fix memory leak (Coverity 2002)

	* src/racoon/: admin.c, isakmp.c, sockmisc.c: Fix memory leak
	  (Coverity 2001), refactor the code to use port get/set functions

	* src/racoon/admin.c: Avoid reusing free'd pointer (Coverity 4200)

	* src/racoon/oakley.c: Don't use NULL pointer (Coverity 3443),
	  reformat to 80 char/line

2006-10-02  Tom Spindler <dogcow@netbsd.org>

	* src/racoon/ipsec_doi.c: If you're going to initialize a pointer,
	  you have to init it with a pointer type, not an int.

2006-10-02  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/isakmp.c: Don't use NULL pointer (coverity 3439)

	* src/racoon/ipsec_doi.c: Don't use NULL pointer (Coverity 1334)

	* src/racoon/pfkey.c: Don't use NULL pointer (Coverity 944)

	* src/racoon/proposal.c: Don't use NULL pointer (Coverity 941)

	* src/racoon/racoonctl.c: Don't use NULL pointer (Coverity 942)

	* src/racoon/sockmisc.c: Don't use null pointer (Coverity 863)

2006-10-01  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/ipsec_doi.c: FIx memory leak (Coverity 4181)

	* src/racoon/isakmp.c: Check that iph1->remote is not NULL before
	  using it (Coverity 3436)

2006-09-30  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/isakmp_agg.c: emove dead code (Coverity 4165)

	* src/racoon/isakmp_cfg.c: Fix memory leak (Coverity 4179)

	* src/racoon/samples/roadwarrior/client/: phase1-down.sh,
	  phase1-up.sh: update the scripts for wrorking around routing
	  problems on NetBSD

	* src/racoon/session.c: Reuse existing code for closing IKE
	  sockets, and avoid screwing things by setting p->sock = -1, which is
	  not expected (Coverity 4173).

	* src/racoon/admin.c: Do not free id and key, as they are used
	  later

2006-09-29  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/racoonctl.c: Fix the fix: handle_recv closes the
	  socket, so we must call com_init before sending any data.

2006-09-28  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/isakmp_xauth.c: Fix unchecked mallocs (Coverity 4176,
	  4174)

	* src/racoon/racoonctl.c: Fix access after free (Coverity 4178)

2006-09-26  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/cfparse.y: Fix memory leak (Coverity)

	* src/racoon/backupsa.c: Fix memory leak (Coverity)

	* src/racoon/admin.c: Remove dead code (Coverity)

	* src/racoon/admin.c: Fix memory leak (Coverity)

	* src/racoon/admin.c: One more memory leak

	* src/racoon/admin.c: Fix memory leak in racoonctl (coverity)

	* src/racoon/ipsec_doi.c: Fix buffer overflow Also fix credits: SA
	  bundle fix was contributed by Jeff Bailey, not Matthew Grooms.
	  Matthew updated the patch for current code, though.

	* src/racoon/: pfkey.c, proposal.c: fix SA bundle (e.g.: for
	  negotiating ESP+IPcomp)

2006-09-25  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/isakmp.c: From Yves-Alexis Perez: struct ip -> struct
	  iphdr for Linux

2006-09-25  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/isakmp.c: style (mostly for testing
	  ipsec-tools-commits@netbsd.org)

	* src/racoon/ipsec_doi.c: Fix double free, from Matthew Grooms

2006-09-21  Yvan Vanhullebus <vanhu@netasq.com>

	* src/libipsec/pfkey.c: use sysdep_sa_len to make it compile on
	  Linux

2006-09-19  Thomas Klausner <wiz@netbsd.org>

	* src/racoon/racoon.conf.5: Bump date for ike_frag force.

	* src/racoon/: plainrsa-gen.8, racoon.conf.5: New sentence, new
	  line.

	* src/racoon/: racoon.conf.5, plainrsa-gen.8: Remove trailing
	  whitespace.

2006-09-19  Yvan Vanhullebus <vanhu@netasq.com>

	* src/racoon/proposal.c: From Yves-Alexis Perez: fixes default
	  value for encmodesv in set_proposal_from_policy()

	* src/racoon/isakmp.c: always include some headers, as they are
	  required even without NAT-T

	* src/: libipsec/pfkey_dump.c, setkey/token.l: From Larry Baird:
	  define SADB_X_EALG_AESCBC as SADB_X_EALG_AES if needed

	* src/racoon/crypto_openssl.c: From Larry Baird: some printf() ->
	  plog()

2006-09-18  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/: cfparse.y, cftoken.l, isakmp.c, isakmp_frag.h,
	  isakmp_inf.c, racoon.conf.5, remoteconf.c: From Matthew Grooms:
	  ike_frag force option to force the use of IKE on first packet
	  exchange (prior to peer consent)

	* src/racoon/isakmp.c: From Matthew Grooms: handle IKE frag used in
	  the first packet. That should not normally happen, as the initiator
	  does not know yet if the responder can handle IKE frag.  However, in
	  some setups, the first packet is too big to get through, and
	  assuming the peer supports IKE frag is the only way to go.

	  racoon should have a setting in the remote section to do taht
	  (something like ike_frag force)

2006-09-16  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/ipsec_doi.c: Trivial bugfix in RFC2407 4.6.2
	  conformance, from Matthew Grooms

2006-09-15  Emmanuel Dreyfus <manu@netbsd.org>

	* src/racoon/ipsec_doi.c: Fix build on Linux

For older changes see ChangeLog.old