author: Rene Mayrhofer <rene@mayrhofer.eu.org> 2007-04-12 20:41:31 +0000
committer: Rene Mayrhofer <rene@mayrhofer.eu.org> 2007-04-12 20:41:31 +0000
commit: 774a362e87feab25f1be16fbca08269ddc7121a4 (patch)
tree: cf71f4e7466468ac3edc2127125f333224a9acfb /CHANGES
parent: c54a140a445bfe7aa66721f68bb0781f26add91c (diff)
Major new upstream release, just ran svn-upgrade for now (and wrote some
debian/changelog entries).
Diffstat (limited to 'CHANGES')
-rw-r--r-- CHANGES 781
1 files changed, 0 insertions, 781 deletions
diff --git a/CHANGES b/CHANGES
deleted file mode 100644
index 7b8344fe4..000000000
--- a/CHANGES
+++ /dev/null
@@ -1,781 +0,0 @@
-strongswan-2.8.3
-----------------
-
-- Support of SHA2_384 hash function for protecting IKEv1
- negotiations and support of SHA2 signatures in X.509 certificates.
-
-- Fixed a serious bug in the computation of the SHA2-512 HMAC
- function. Introduced testvector-based self-tests of all IKEv1 hash
- and hmac functions during pluto startup. Failure of a self-test
- currently issues a warning only but does not exit pluto [yet].
-
-
-strongswan-2.8.2
-----------------
-
-- strongSwan now interoperates with the NCP Secure Entry Client,
- the Shrew Soft VPN Client, and the Cisco VPN client, doing both
- XAUTH and Mode Config.
-
-- UNITY attributes are now recognized and UNITY_BANNER is set
- to a default string.
-
-
-strongswan-2.8.1
-----------------
-
-- Support for extended authentication (XAUTH) in combination
- with ISAKMP Main Mode RSA or PSK authentication. Both client and
- server side were implemented. Handling of user credentials can
- be done by a run-time loadable XAUTH module. By default user
- credentials are stored in ipsec.secrets.
-
-- Mixed PSK/RSA authentication is now possible between two hosts
- with static IP addresses.
-
-
-strongswan-2.8.0
-----------------
-
-- Implementation of ModeConfig push mode via the new connection keyword
- modeconfig=push allows interoperability with Cisco VPN gateways.
-
-- The command ipsec statusall now shows "DPD active" for all ISAKMP SAs
- that are under active Dead Peer Detection control.
-
-
-strongswan-2.7.3
-----------------
-
-- "sha" and "sha1" are now treated as synonyms in the ike= and esp=
- algorithm configuration statements.
-
-- Fixed possible segmentation faults in the eroute, klipsdebug, and
- other KLIPS-related auxiliary functions by making the USE_NAT_TRAVERSAL
- compile-time condition defined in Makefile.inc known in
- programs/Makefile.program.
-
-
-strongswan-2.7.2
-----------------
-
-- The mixed PSK/RSA roadwarrior detection capability introduced by the
- strongswan-2.7.0 release necessitated the pre-parsing of the IKE proposal
- payloads by the responder right before any defined IKE Main Mode state had
- been established. Although any form of bad proposal syntax was being correctly
- detected by the payload parser, the subsequent error handler didn't check
- the state pointer before logging current state information, causing an
- immediate crash of the pluto keying daemon due to a NULL pointer.
-
- We strongly recommend to update to the 2.7.2 release which fixes this
- vulnerability to malformed proposal payloads that could otherwise be
- exploited by Denial-of-Service attacks.
-
-
-strongswan-2.7.1
-----------------
-
-- Calling ipsec up|down|route|unroute with a non-empty connection name
- caused pluto to crash. As a fix argument checks have been added both
- to the ipsec command on the sender end and pluto/rcv_whack.c on the
- receiver end.
-
-- reactivated the PPP pointopoint code in starter/interfaces.c which
- creates an ipsecN interface when used with Linux 2.4 KLIPS.
-
-- replaced free() by curl_free() in pluto/fetch.c thus fixing pluto
- crashes occuring on some 64 bit hardware platforms when curl couldn't
- successfully resolve a DNS request prior to fetching a CRL.
-
-
-strongswan-2.7.0
-----------------
-
-- the dynamic iptables rules from the _updown_x509 template
- for KLIPS and the _updown_policy template for NETKEY have
- been merged into the default _updown script. The existing
- left|rightfirewall keyword causes the automatic insertion
- and deletion of ACCEPT rules for tunneled traffic upon
- the successful setup and teardown of an IPsec SA, respectively.
- left|rightfirwall can be used with KLIPS under any Linux 2.4
- kernel or with NETKEY under a Linux kernel version >= 2.6.16
- in conjuction with iptables >= 1.3.5. For NETKEY under a Linux
- kernel version < 2.6.16 which does not support IPsec policy
- matching yet, please continue to use a copy of the _updown_espmark
- template loaded via the left|rightupdown keyword.
-
-- a new left|righthostaccess keyword has been introduced which
- can be used in conjunction with left|rightfirewall and the
- default _updown script. By default leftfirewall=yes inserts
- a bi-directional iptables FORWARD rule for a local client network
- with a netmask different from 255.255.255.255 (single host).
- This does not allow to access the VPN gateway host via its
- internal network interface which is part of the client subnet
- because an iptables INPUT and OUTPUT rule would be required.
- lefthostaccess=yes will cause this additional ACCEPT rules to
- be inserted.
-
-- mixed PSK|RSA roadwarriors are now supported. The ISAKMP proposal
- payload is preparsed in order to find out whether the roadwarrior
- requests PSK or RSA so that a matching connection candidate can
- be found.
-
-
-strongswan-2.6.4
-----------------
-
-- the new _updown_policy template allows ipsec policy based
- iptables firewall rules. Required are iptables version
- >= 1.3.5 and linux kernel >= 2.6.16. This script obsoletes
- the _updown_espmark template, so that no INPUT mangle rules
- are required any more.
-
-- added support of DPD restart mode
-
-- ipsec starter now allows the use of wildcards in include
- statements as e.g. in "include /etc/my_ipsec/*.conf".
- Patch courtesy of Matthias Haas.
-
-- the Netscape OID 'employeeNumber' is now recognized and can be
- used as a Relative Distinguished Name in certificates.
-
-
-strongswan-2.6.3
-----------------
-
-- /etc/init.d/ipsec or /etc/rc.d/ipsec is now a copy of the ipsec
- command and not of ipsec setup any more.
-
-- ipsec starter now supports AH authentication in conjunction with
- ESP encryption. AH authentication is configured in ipsec.conf
- via the auth=ah parameter.
-
-- The command ipsec scencrypt|scdecrypt <args> is now an alias for
- ipsec whack --scencrypt|scdecrypt <args>.
-
-- get_sa_info() now determines for the native netkey IPsec stack
- the exact time of the last use of an active eroute. This information
- is used by the Dead Peer Detection algorithm and is also displayed by
- the ipsec status command.
-
-
-strongswan-2.6.2
-----------------
-
-- running under the native Linux 2.6 IPsec stack, the function
- get_sa_info() is called by ipsec auto --status to display the current
- number of transmitted bytes per IPsec SA.
-
-- get_sa_info() is also used by the Dead Peer Detection process to detect
- recent ESP activity. If ESP traffic was received from the peer within
- the last dpd_delay interval then no R_Y_THERE notification must be sent.
-
-- strongSwan now supports the Relative Distinguished Name "unstructuredName"
- in ID_DER_ASN1_DN identities. The following notations are possible:
-
- rightid="unstructuredName=John Doe"
- rightid="UN=John Doe"
-
-- fixed a long-standing bug which caused PSK-based roadwarrior connections
- to segfault in the function id.c:same_id() called by keys.c:get_secret()
- if an FQDN, USER_FQDN, or Key ID was defined, as in the following example.
-
- conn rw
- right=%any
- rightid=@foo.bar
- authby=secret
-
-- the ipsec command now supports most ipsec auto commands (e.g. ipsec listall).
-
-- ipsec starter didn't set host_addr and client.addr ports in whack msg.
-
-- in order to guarantee backwards-compatibility with the script-based
- auto function (e.g. auto --replace), the ipsec starter scripts stores
- the defaultroute information in the temporary file /var/run/ipsec.info.
-
-- The compile-time option USE_XAUTH_VID enables the sending of the XAUTH
- Vendor ID which is expected by Cisco PIX 7 boxes that act as IKE Mode Config
- servers.
-
-- the ipsec starter now also recognizes the parameters authby=never and
- type=passthrough|pass|drop|reject.
-
-
-strongswan-2.6.1
-----------------
-
-- ipsec starter now supports the also parameter which allows
- a modular structure of the connection definitions. Thus
- "ipsec start" is now ready to replace "ipsec setup".
-
-
-strongswan-2.6.0
-----------------
-
-- Mathieu Lafon's popular ipsec starter tool has been added to the
- strongSwan distribution. Many thanks go to Stephan Scholz from astaro
- for his integration work. ipsec starter is a C program which is going
- to replace the various shell and awk starter scripts (setup, _plutoload,
- _plutostart, _realsetup, _startklips, _confread, and auto). Since
- ipsec.conf is now parsed only once, the starting of multiple tunnels is
- accelerated tremedously.
-
-- Added support of %defaultroute to the ipsec starter. If the IP address
- changes, a HUP signal to the ipsec starter will automatically
- reload pluto's connections.
-
-- moved most compile time configurations from pluto/Makefile to
- Makefile.inc by defining the options USE_LIBCURL, USE_LDAP,
- USE_SMARTCARD, and USE_NAT_TRAVERSAL_TRANSPORT_MODE.
-
-- removed the ipsec verify and ipsec newhostkey commands
-
-- fixed some 64-bit issues in formatted print statements
-
-- The scepclient functionality implementing the Simple Certificate
- Enrollment Protocol (SCEP) is nearly complete but hasn't been
- documented yet.
-
-
-strongswan-2.5.7
-----------------
-
-- CA certicates are now automatically loaded from a smartcard
- or USB crypto token and appear in the ipsec auto --listcacerts
- listing.
-
-
-strongswan-2.5.6
-----------------
-
-- when using "ipsec whack --scencrypt <data>" with a PKCS#11
- library that does not support the C_Encrypt() Cryptoki
- function (e.g. OpenSC), the RSA encryption is done in
- software using the public key fetched from the smartcard.
-
-- The scepclient function now allows to define the
- validity of a self-signed certificate using the --days,
- --startdate, and --enddate options. The default validity
- has been changed from one year to five years.
-
-
-strongswan-2.5.5
-----------------
-
-- the config setup parameter pkcs11proxy=yes opens pluto's PKCS#11
- interface to other applications for RSA encryption and decryption
- via the whack interface. Notation:
-
- ipsec whack --scencrypt <data>
- [--inbase 16|hex|64|base64|256|text|ascii]
- [--outbase 16|hex|64|base64|256|text|ascii]
- [--keyid <keyid>]
-
- ipsec whack --scdecrypt <data>
- [--inbase 16|hex|64|base64|256|text|ascii]
- [--outbase 16|hex|64|base64|256|text|ascii]
- [--keyid <keyid>]
-
- The default setting for inbase and outbase is hex.
-
- The new proxy interface can be used for securing symmetric
- encryption keys required by the cryptoloop or dm-crypt
- disk encryption schemes, especially in the case when
- pkcs11keepstate=yes causes pluto to lock the pkcs11 slot
- permanently.
-
-- if the file /etc/ipsec.secrets is lacking during the startup of
- pluto then the root-readable file /etc/ipsec.d/private/myKey.der
- containing a 2048 bit RSA private key and a matching self-signed
- certificate stored in the file /etc/ipsec.d/certs/selfCert.der
- is automatically generated by calling the function
-
- ipsec scepclient --out pkcs1 --out cert-self
-
- scepclient was written by Jan Hutter and Martin Willi, students
- at the University of Applied Sciences in Rapperswil, Switzerland.
-
-
-strongswan-2.5.4
-----------------
-
-- the current extension of the PKCS#7 framework introduced
- a parsing error in PKCS#7 wrapped X.509 certificates that are
- e.g. transmitted by Windows XP when multi-level CAs are used.
- the parsing syntax has been fixed.
-
-- added a patch by Gerald Richter which tolerates multiple occurrences
- of the ipsec0 interface when using KLIPS.
-
-
-strongswan-2.5.3
-----------------
-
-- with gawk-3.1.4 the word "default2 has become a protected
- keyword for use in switch statements and cannot be used any
- more in the strongSwan scripts. This problem has been
- solved by renaming "default" to "defaults" and "setdefault"
- in the scripts _confread and auto, respectively.
-
-- introduced the parameter leftsendcert with the values
-
- always|yes (the default, always send a cert)
- ifasked (send the cert only upon a cert request)
- never|no (never send a cert, used for raw RSA keys and
- self-signed certs)
-
-- fixed the initialization of the ESP key length to a default of
- 128 bits in the case that the peer does not send a key length
- attribute for AES encryption.
-
-- applied Herbert Xu's uniqueIDs patch
-
-- applied Herbert Xu's CLOEXEC patches
-
-
-strongswan-2.5.2
-----------------
-
-- CRLs can now be cached also in the case when the issuer's
- certificate does not contain a subjectKeyIdentifier field.
- In that case the subjectKeyIdentifier is computed by pluto as the
- 160 bit SHA-1 hash of the issuer's public key in compliance
- with section 4.2.1.2 of RFC 3280.
-
-- Fixed a bug introduced by strongswan-2.5.1 which eliminated
- not only multiple Quick Modes of a given connection but also
- multiple connections between two security gateways.
-
-
-strongswan-2.5.1
-----------------
-
-- Under the native IPsec of the Linux 2.6 kernel, a %trap eroute
- installed either by setting auto=route in ipsec.conf or by
- a connection put into hold, generates an XFRM_AQUIRE event
- for each packet that wants to use the not-yet exisiting
- tunnel. Up to now each XFRM_AQUIRE event led to an entry in
- the Quick Mode queue, causing multiple IPsec SA to be
- established in rapid succession. Starting with strongswan-2.5.1
- only a single IPsec SA is established per host-pair connection.
-
-- Right after loading the PKCS#11 module, all smartcard slots are
- searched for certificates. The result can be viewed using
- the command
-
- ipsec auto --listcards
-
- The certificate objects found in the slots are numbered
- starting with #1, #2, etc. This position number can be used to address
- certificates (leftcert=%smartcard) and keys (: PIN %smartcard)
- in ipsec.conf and ipsec.secrets, respectively:
-
- %smartcard (selects object #1)
- %smartcard#1 (selects object #1)
- %smartcard#3 (selects object #3)
-
- As an alternative the existing retrieval scheme can be used:
-
- %smartcard:45 (selects object with id=45)
- %smartcard0 (selects first object in slot 0)
- %smartcard4:45 (selects object in slot 4 with id=45)
-
-- Depending on the settings of CKA_SIGN and CKA_DECRYPT
- private key flags either C_Sign() or C_Decrypt() is used
- to generate a signature.
-
-- The output buffer length parameter siglen in C_Sign()
- is now initialized to the actual size of the output
- buffer prior to the function call. This fixes the
- CKR_BUFFER_TOO_SMALL error that could occur when using
- the OpenSC PKCS#11 module.
-
-- Changed the initialization of the PKCS#11 CK_MECHANISM in
- C_SignInit() to mech = { CKM_RSA_PKCS, NULL_PTR, 0 }.
-
-- Refactored the RSA public/private key code and transferred it
- from keys.c to the new pkcs1.c file as a preparatory step
- towards the release of the SCEP client.
-
-
-strongswan-2.5.0
-----------------
-
-- The loading of a PKCS#11 smartcard library module during
- runtime does not require OpenSC library functions any more
- because the corresponding code has been integrated into
- smartcard.c. Also the RSAREF pkcs11 header files have been
- included in a newly created pluto/rsaref directory so that
- no external include path has to be defined any longer.
-
-- A long-awaited feature has been implemented at last:
- The local caching of CRLs fetched via HTTP or LDAP, activated
- by the parameter cachecrls=yes in the config setup section
- of ipsec.conf. The dynamically fetched CRLs are stored under
- a unique file name containing the issuer's subjectKeyID
- in /etc/ipsec.d/crls.
-
-- Applied a one-line patch courtesy of Michael Richardson
- from the Openswan project which fixes the kernel-oops
- in KLIPS when an snmp daemon is running on the same box.
-
-
-strongswan-2.4.4
-----------------
-
-- Eliminated null length CRL distribution point strings.
-
-- Fixed a trust path evaluation bug introduced with 2.4.3
-
-
-strongswan-2.4.3
-----------------
-
-- Improved the joint OCSP / CRL revocation policy.
- OCSP responses have precedence over CRL entries.
-
-- Introduced support of CRLv2 reason codes.
-
-- Fixed a bug with key-pad equipped readers which caused
- pluto to prompt for the pin via the console when the first
- occasion to enter the pin via the key-pad was missed.
-
-- When pluto is built with LDAP_V3 enabled, the library
- liblber required by newer versions of openldap is now
- included.
-
-
-strongswan-2.4.2
-----------------
-
-- Added the _updown_espmark template which requires all
- incoming ESP traffic to be marked with a default mark
- value of 50.
-
-- Introduced the pkcs11keepstate parameter in the config setup
- section of ipsec.conf. With pkcs11keepstate=yes the PKCS#11
- session and login states are kept as long as possible during
- the lifetime of pluto. This means that a PIN entry via a key
- pad has to be done only once.
-
-- Introduced the pkcs11module parameter in the config setup
- section of ipsec.conf which specifies the PKCS#11 module
- to be used with smart cards. Example:
-
- pkcs11module=/usr/lib/pkcs11/opensc-pkcs11.lo
-
-- Added support of smartcard readers equipped with a PIN pad.
-
-- Added patch by Jay Pfeifer which detects when netkey
- modules have been statically built into the Linux 2.6 kernel.
-
-- Added two patches by Herbert Xu. The first uses ip xfrm
- instead of setkey to flush the IPsec policy database. The
- second sets the optional flag in inbound IPComp SAs only.
-
-- Applied Ulrich Weber's patch which fixes an interoperability
- problem between native IPsec and KLIPS systems caused by
- setting the replay window to 32 instead of 0 for ipcomp.
-
-
-strongswan-2.4.1
-----------------
-
-- Fixed a bug which caused an unwanted Mode Config request
- to be initiated in the case where "right" was used to denote
- the local side in ipsec.conf and "left" the remote side,
- contrary to the recommendation that "right" be remote and
- "left" be"local".
-
-
-strongswan-2.4.0a
------------------
-
-- updated Vendor ID to strongSwan-2.4.0
-
-- updated copyright statement to include David Buechi and
- Michael Meier
-
-
-strongswan-2.4.0
-----------------
-
-- strongSwan now communicates with attached smartcards and
- USB crypto tokens via the standardized PKCS #11 interface.
- By default the OpenSC library from www.opensc.org is used
- but any other PKCS#11 library could be dynamically linked.
- strongSwan's PKCS#11 API was implemented by David Buechi
- and Michael Meier, both graduates of the Zurich University
- of Applied Sciences in Winterthur, Switzerland.
-
-- When a %trap eroute is triggered by an outgoing IP packet
- then the native IPsec stack of the Linux 2.6 kernel [often/
- always?] returns an XFRM_ACQUIRE message with an undefined
- protocol family field and the connection setup fails.
- As a workaround IPv4 (AF_INET) is now assumed.
-
-- the results of the UML test scenarios are now enhanced
- with block diagrams of the virtual network topology used
- in a particular test.
-
-
-strongswan-2.3.2
-----------------
-
-- fixed IV used to decrypt informational messages.
- This bug was introduced with Mode Config functionality.
-
-- fixed NCP Vendor ID.
-
-- undid one of Ulrich Weber's maximum udp size patches
- because it caused a segmentation fault with NAT-ed
- Delete SA messages.
-
-- added UML scenarios wildcards and attr-cert which
- demonstrate the implementation of IPsec policies based
- on wildcard parameters contained in Distinguished Names and
- on X.509 attribute certificates, respectively.
-
-
-strongswan-2.3.1
-----------------
-
-- Added basic Mode Config functionality
-
-- Added Mathieu Lafon's patch which upgrades the status of
- the NAT-Traversal implementation to RFC 3947.
-
-- The _startklips script now also loads the xfrm4_tunnel
- module.
-
-- Added Ulrich Weber's netlink replay window size and
- maximum udp size patches.
-
-- UML testing now uses the Linux 2.6.10 UML kernel by default.
-
-
-strongswan-2.3.0
-----------------
-
-- Eric Marchionni and Patrik Rayo, both recent graduates from
- the Zuercher Hochschule Winterthur in Switzerland, created a
- User-Mode-Linux test setup for strongSwan. For more details
- please read the INSTALL and README documents in the testing
- subdirectory.
-
-- Full support of group attributes based on X.509 attribute
- certificates. Attribute certificates can be generated
- using the openac facility. For more details see
-
- man ipsec_openac.
-
- The group attributes can be used in connection definitions
- in order to give IPsec access to specific user groups.
- This is done with the new parameter left|rightgroups as in
-
- rightgroups="Research, Sales"
-
- giving access to users possessing the group attributes
- Research or Sales, only.
-
-- In Quick Mode clients with subnet mask /32 are now
- coded as IP_V4_ADDRESS or IP_V6_ADDRESS. This should
- fix rekeying problems with the SafeNet/SoftRemote and NCP
- Secure Entry Clients.
-
-- Changed the defaults of the ikelifetime and keylife parameters
- to 3h and 1h, respectively. The maximum allowable values are
- now both set to 24 h.
-
-- Suppressed notification wars between two IPsec peers that
- could e.g. be triggered by incorrect ISAKMP encryption.
-
-- Public RSA keys can now have identical IDs if either the
- issuing CA or the serial number is different. The serial
- number of a certificate is now shown by the command
-
- ipsec auto --listpubkeys
-
-
-strongswan-2.2.2
-----------------
-
-- Added Tuomo Soini's sourceip feature which allows a strongSwan
- roadwarrior to use a fixed Virtual IP (see README section 2.6)
- and reduces the well-known four tunnel case on VPN gateways to
- a single tunnel definition (see README section 2.4).
-
-- Fixed a bug occuring with NAT-Traversal enabled when the responder
- suddenly turns initiator and the initiator cannot find a matching
- connection because of the floated IKE port 4500.
-
-- Removed misleading ipsec verify command from barf.
-
-- Running under the native IP stack, ipsec --version now shows
- the Linux kernel version (courtesy to the Openswan project).
-
-
-strongswan-2.2.1
-----------------
-
-- Introduced the ipsec auto --listalgs monitoring command which lists
- all currently registered IKE and ESP algorithms.
-
-- Fixed a bug in the ESP algorithm selection occuring when the strict flag
- is set and the first proposed transform does not match.
-
-- Fixed another deadlock in the use of the lock_certs_and_keys() mutex,
- occuring when a smartcard is present.
-
-- Prevented that a superseded Phase1 state can trigger a DPD_TIMEOUT event.
-
-- Fixed the printing of the notification names (null)
-
-- Applied another of Herbert Xu's Netlink patches.
-
-
-strongswan-2.2.0
-----------------
-
-- Support of Dead Peer Detection. The connection parameter
-
- dpdaction=clear|hold
-
- activates DPD for the given connection.
-
-- The default Opportunistic Encryption (OE) policy groups are not
- automatically included anymore. Those wishing to activate OE can include
- the policy group with the following statement in ipsec.conf:
-
- include /etc/ipsec.d/examples/oe.conf
-
- The default for [right|left]rsasigkey is now set to %cert.
-
-- strongSwan now has a Vendor ID of its own which can be activated
- using the compile option VENDORID
-
-- Applied Herbert Xu's patch which sets the compression algorithm correctly.
-
-- Applied Herbert Xu's patch fixing an ESPINUDP problem
-
-- Applied Herbert Xu's patch setting source/destination port numbers.
-
-- Reapplied one of Herbert Xu's NAT-Traversal patches which got
- lost during the migration from SuperFreeS/WAN.
-
-- Fixed a deadlock in the use of the lock_certs_and_keys() mutex.
-
-- Fixed the unsharing of alg parameters when instantiating group
- connection.
-
-
-strongswan-2.1.5
-----------------
-
-- Thomas Walpuski made me aware of a potential DoS attack via
- a PKCS#7-wrapped certificate bundle which could overwrite valid CA
- certificates in Pluto's authority certificate store. This vulnerability
- was fixed by establishing trust in CA candidate certificates up to a
- trusted root CA prior to insertion into Pluto's chained list.
-
-- replaced the --assign option by the -v option in the auto awk script
- in order to make it run with mawk under debian/woody.
-
-
-strongswan-2.1.4
-----------------
-
-- Split of the status information between ipsec auto --status (concise)
- and ipsec auto --statusall (verbose). Both commands can be used with
- an optional connection selector:
-
- ipsec auto --status[all] <connection_name>
-
-- Added the description of X.509 related features to the ipsec_auto(8)
- man page.
-
-- Hardened the ASN.1 parser in debug mode, especially the printing
- of malformed distinguished names.
-
-- The size of an RSA public key received in a certificate is now restricted to
-
- 512 bits <= modulus length <= 8192 bits.
-
-- Fixed the debug mode enumeration.
-
-
-strongswan-2.1.3
-----------------
-
-- Fixed another PKCS#7 vulnerability which could lead to an
- endless loop while following the X.509 trust chain.
-
-
-strongswan-2.1.2
-----------------
-
-- Fixed the PKCS#7 vulnerability discovered by Thomas Walpuski
- that accepted end certificates having identical issuer and subject
- distinguished names in a multi-tier X.509 trust chain.
-
-
-strongswan-2.1.1
-----------------
-
-- Removed all remaining references to ipsec_netlink.h in KLIPS.
-
-
-strongswan-2.1.0
-----------------
-
-- The new "ca" section allows to define the following parameters:
-
- ca kool
- cacert=koolCA.pem # cacert of kool CA
- ocspuri=http://ocsp.kool.net:8001 # ocsp server
- ldapserver=ldap.kool.net # default ldap server
- crluri=http://www.kool.net/kool.crl # crl distribution point
- crluri2="ldap:///O=Kool, C= .." # crl distribution point #2
- auto=add # add, ignore
-
- The ca definitions can be monitored via the command
-
- ipsec auto --listcainfos
-
-- Fixed cosmetic corruption of /proc filesystem by integrating
- D. Hugh Redelmeier's freeswan-2.06 kernel fixes.
-
-
-strongswan-2.0.2
-----------------
-
-- Added support for the 818043 NAT-Traversal update of Microsoft's
- Windows 2000/XP IPsec client which sends an ID_FQDN during Quick Mode.
-
-- A symbolic link to libcrypto is now added in the kernel sources
- during kernel compilation
-
-- Fixed a couple of 64 bit issues (mostly casts to int).
- Thanks to Ken Bantoft who checked my sources on a 64 bit platform.
-
-- Replaced s[n]printf() statements in the kernel by ipsec_snprintf().
- Credits go to D. Hugh Redelmeier, Michael Richardson, and Sam Sgro
- of the FreeS/WAN team who solved this problem with the 2.4.25 kernel.
-
-
-strongswan-2.0.1
-----------------
-
-- an empty ASN.1 SEQUENCE OF or SET OF object (e.g. a subjectAltName
- certificate extension which contains no generalName item) can cause
- a pluto crash. This bug has been fixed. Additionally the ASN.1 parser has
- been hardened to make it more robust against malformed ASN.1 objects.
-
-- applied Herbert Xu's NAT-T patches which fixes NAT-T under the native
- Linux 2.6 IPsec stack.
-
-
-strongswan-2.0.0
-----------------
-
-- based on freeswan-2.04, x509-1.5.3, nat-0.6c, alg-0.8.1rc12
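Review bot: this hunk removes the entire CHANGES file (781 deletions, 0 insertions per the diffstat) with no replacement anywhere in the commit, and the commit message only says that svn-upgrade was run. The deleted text is the only record in this tree of the upstream security-relevant fixes, for example the 2.7.2 pluto NULL-pointer crash on malformed IKE proposal payloads, the 2.1.5 PKCS#7 certificate-bundle CA overwrite, and the 2.1.2 and 2.1.3 PKCS#7 trust-chain bugs, which a packager needs when deciding on backports and when writing the debian/changelog entries the message mentions. If the new upstream tarball dropped or renamed this file, say so in the commit message and point to where the release history now lives; otherwise keep CHANGES in the packaging tree so the history stays greppable.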