| field | value | date |
|---|---|---|
| author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2007-04-12 20:30:08 +0000 |
| committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2007-04-12 20:30:08 +0000 |
| commit | b0d8ed94fe9e74afb49fdf5f11e4add29879c65c (patch) | |
| tree | b20167235628771046e940a82a906a6d0991ee4a /ChangeLog | |
| parent | ea939d07c84d2a8e51215458063fc05e9c399290 (diff) | |
[svn-upgrade] Integrating new upstream version, strongswan (4.1.1)
Diffstat (limited to 'ChangeLog')
-rw-r--r-- | ChangeLog | 1079 |
1 files changed, 1079 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog new file mode 100644 index 000000000..f52898a8e --- /dev/null +++ b/ChangeLog 
@@ -0,0 +1,1079 @@ + strongswan-4.1.0 / R:2552 +=========================== + +fixed nat detection bug +OCSP support +updated NEWS, TODO and man page +respecting "keyingtries" parameter on IKE_SA setup +cleanups +fixed reset() +not installing a route when policy gets updated +renamed keyingtries attribute +adjusted loglevels +delay OCSP response by 5 seconds +always update reqid on policy install, fixes dpdaction=hold issue +EAP-SIM cleanups +fixed CHILD_SA rekeying/delete bug on 64bit machines +removed obsolete methods in delete_payload +Shortened distribution string +Shortened distribution string +shortened distribution string +add daemon.log to web page +remove /etc/resolv.conf +version bump to 4.1.0 +added apache2/ocsp log directory to winnetou +removed killall openssl +removed killall openssl +deleted +deleted +create apach2/ocsp/ logging directory on winnetou +do not check for type of dpd action any more +create /var/log/apache2/ocsp on winnetou +added +added +added +delete virtual IP addresses after use +deleted +added +fixed case of missing subjectKeyID +corrected typo +version bump to 4.1.0 +added +use CURLOPT_NOSIGNAL +added --with-sim-reader option to configure script +some cleanups in eap_sim +removed dublicated code in eap_authenticator +log reception of trusted signer certificate +version bump to 4.1.0 +deleted +added +changed OCSPSigner to OCSPSigning +fixed carry bug in FIPS prf +user standard cert +deleted +deleted +added +added +modified description.txt and evaltest.dat +version number selection fix +some cleanups +cleaned up and fixed DPD handling code +removed cfg-payload dns test code +added +added +version bump to strongswan-4.1.0 and linux-2.6.20.3 +cosmetics +increased control debugging output +added EAP-SIM authentication + client side only + uses an external SIM reader library specified with SIM_READER_LIB + untested +not detaching from bus when IKE_SA_INIT is retried +added AES-192/256 proposals to IKE +added generic EAP_IDENTITY client 
implementation using peers IKEv2 ID +fixed compilation warnings and errors when not using curl +results from the single responses is stored in the corresponding certinfo_t structs +moved credential_store.h from charon/config/credentials to libstrongswan +last patch removed, changed CURLOPT_FILE to CURLOPT_WRITEDATA +fixed memory leak by calling curl_slist_free_all(headers) +fixed memory leak by calling curl_slist_free_all(headers) +whitelisting static Curl_getaddrinfo() memory leak +fixed a certinfo_t memory leak in verify() +fixed a memory leak in response_t +ocsp signer certificate and ocsp response signature can be verified +fixed memleaks when using EAP authentication +fixed configuration payloads when using EAP +fixed payload order (again) +including peers certificate when his certreq is empty +implemented cookies as initiator +proper logging of notifies in IKE_SA setup +disabling routing for IPv6, does not work correctly +fixed call of add_auth_certificate() +generalized get_ca_certificate() to get_auth_certificate(auth_flags) +added fetcher_finalize() to clean up libcurl +some cleanups +not installing %any DNS servers +support of setting and getting authority flags +support if ocsp signing certificates +support if ocsp signing certificates +fixed payload order in IKE_AUTH +removed SHA2 kernel proposals from default, the kernel doesn't support them yet +allocation fixes, not complete +handling "No policy found" properly +added more debugging output for policy lookup +returning a (dummy) policy even when TS does not match, so we can properly send a TS_UNACCEPTABLE +fixed CHILD_SA creation within existing IKE_SA +added ocsp_parse_single_response +ported changes from EAP branch, renabling EAP framework +added (not yet supported) sha2 algorithms to kernel +only adding a route if using tunnel mode +added SHA2 MAC and PRF to default proposal +added more debug output +experimental SHA2 HMAC and PRF implementations +parsing basic ocsp response +forgot to assign 
public.is_ocsp_signer() method +added parsing level to x509_create_from_chunk() +added parsing level to x509_create_from_chunk() and added is_ocsp_signer() method +http post fetching using libcurl implemented +added fetcher.h and fetcher.c +added +corrected @ingroup to utils +corrected comment +start ocsp checking only if there are any ocspuris present +conntrack -F is used to flush the NAT states +the hostaccess=yes parameters are not needed anymore +use conntrack -F to flush NAT states +replaced actual virtual IP addresses by symbolic ones +removed unnecessary double quotes +nonce in ocsp_t was not properly initialized +ocsp request is now fully built but without requestor signature +starting to build ocsp request +prevent from initiating multiple exchanges the same time +updated apidoc documentation +fixed notify handling in IKE_AUTH +moved nonce payload before TS in CHILD_SA setup +moved REKEY_SA notify to the beginning of the message +fixed traffic selector redundancy removal code (not completely tested) +add crl and ocsp uris to linked list after partial verification +added print hook for certinfo_t printing +fixed typo +sending an SPI of 0 as responder when IKE_SA_INIT fails +iterate certinfos linked list for matching serialNumber +some cleanups +not assigning %any virtual IPs to peer anymore +fixed double free bug +added +fixed ID selection bug when peer doesn't include IDr payload +allowing vendor ID in any messag +moved listing of crls to local_credential_store and ca +refactored ca_info_t +refactored ca_info_t +fixed netlink socket receiver code +implemented interface enumeration code with netlink: no getifaddrs reqired anymore +refactored kernel interface, works reliable again +implemented get_iface() using RTM_GETADDR +added support for multi-header netlink messages +really ugly now, need a lot of refactoring +added debuggin for interface lookup +fixed address lookup when !using getifaddrs() +added firewalling support when using virtual IPs +added 
support for 0.0.0.0/0 traffic selectors +fixed routing to make correct 0.0.0.0/0 routes +config-payload scenario fixes +preparations for PLUTO_MY_SOURCEIP +corrected typo +added cert with OCSP access info +dpd now takes 180 s and 5 retransmits +changed grep to creating aquire job for CHILD SA +replaced actual virtual IPs by place holders +virtual-ip scenario has been replaces by config-payload scenario +added +added +added ocsp.h and ocsp.c +added +r2398 | tobias | 2007-02-28 16:20:10 +0100 (Wed, 28 Feb 2007) | 2 lines +virtual ip uml test +fixed reauthentication when connections other is %any +merged tasking branch into trunk +fixed big endian bug in md5 hasher +cosmetics +added once flag to certinfo_t +cosmetics +added certinfos linked list +changed ca info to ca +support of ca info sections +added support of OCSP accessLocations +correct interface definition +added support of OCSP accessLocations +full support of ca info records +added the create_crluri_iterator method +replace ca is realized as del_ca followed by add_ca +last CA keyword is KW_OCSPURI2 +full support of ca info records +full support of ca info records +alphabetically sorting print commands +listing ca_info items +replace printf.h by stdio.h +addin get_keyid() method +support of ca info records +support of ca info records +version bump to 4.0.8 +support of ca info records +support of ca info records +typo +SHA512-HMAC bug fix and hash function self-test support +SHA512-HMAC bug fix and hash function self-test support +handle strong SHA-2 signatures in X.509 certificates +SHA-2 fixes and add-ons +version bumps +remove strong certs and keys after test +added +using "left" as my host per default, swapping to "right" when needed +respecting source address when sending packets +added PRINT_CAINFO hook +stroke now recognizes the keywords listocspcerts|cainfos|ocsp, rereadocspcerts and purgeocsp +enable IP forwarding +prepared support of ca information records and ocsp functionality +added support of ca 
information records and ocsp keywords +enabled adding and deleting ca information records +fixed starter crash due to freeing default IPSEC_EAPDIR string +add --eapdir option only if defined in ipsec.conf +removed eap aka module due nda +merged EAP framework from branch into trunk +includes a lot of other modifications +%T requires time_t ptr +removed my time_t printf handler patch, applied the one of andreas (64bit save) +fixed printf() hooks for time +added support for NULL encryption in ESP +be more liberal in accepting notifies with a protocol id +include NO_EXT_SEQUENCE_NUMBER in default proposal +output peer id if RSA public key is not found +fixed typo +version bump to 4.0.8 +added address listing without getifaddrs for uclibc (only IPv4 yet) +added threads to support multiple simultaneous stroke requests +renamed all static clone() functions to avoid naming conflicts with uclibc +sending proper signal to the bus when detecting a dead peer +added configuration of XAUTH and ModeConfig push mode +version bump +version bump +Cisco XAUTH interoperability +XAUTH interoperability with Cisco +removed IPSECPOLICY compile option +unload xauth_module only if XAUTH_DEFAULT_LIB is defined +loading the XAUTH module requires libdl +added some more attributes, inst XAUTH_TYPE in reply +Mode Config refactoring +XAUTH fixes and Cisco Unity support +log APPLICATION_VERSION and UNITY_DDNS_HOSTNAME strings +added Cisco Unity ModeCfg attributes +version bump to 4.0.7 +fixed 64 bit issue with print time +fixed XAUTHResp bug +included xauth.h +use uml_mconsole to check end of booting process +name the created CHILD_SA +doubled PAYLIMIT to 40 payloads +version bump +show rekeying|reauthentication time +show name of created CHILD_SA +combined use_in and use_fwd +corrected typo +cosmetics +cosmetics +fixed an enumeration error, added CISCO_IOS VID +fixed mismatch in interface definition of get_secret() +forward declaration of struct state not needed +cosmetics +added firewall support 
to scenario +updated changelog for 4.0.6 +fixed crash when CA for certrequest not found +fixed build when !using smartcard +removed unused debugging code +updated NEWS for 4.0.6 + + + strongswan-4.0.6 / R:2131 +=========================== + +updated NEWS for 4.0.6 +readded tranport mode test using new status output +removed dublicated host2host-transport test +fixed reauthentication when using %any hosts +support for transport in create_child_sa +include TRANSPORT/TUNNEL information in statusall +load xauth module via dlopen() +define path to xauth module +added host2host-transport scenario +removed trailing lines +added XAUTH support +fixed typo +added XAUTH server and client support +load and unload XAUTH module +added xauth.h and xauth.c +added enable-cisco-quirks configure option +added xauth scenarios +added config option for BEET mode +fixed reuathentication when connections other host is %any +fixed host conversion length check +negated POLICY_REAUTH to POLICY_DONT_REAUTH +negated POLICY_REAUTH to POLICY_DONT_REAUTH +enable XAUTH_VID by default +added support for transport mode and (experimental!) 
BEET mode +support for the type=transport/tunnel parameter in charon +fixed charset & cleanups +added XAUTH server and client support +additional parentheses for same_chunk() macro +renamed to appear in doxygen build +added a roadmap of the strongSwan project (TODO) +added some NEWS +first try to update ipsec.conf manual +implemented reauthentication using the new reauth=yes|no parameter +fixed more uClibc issues +should compile against a uClibc > 0.9.28 (untested) +added XAUTH client states +version bump to 4.0.6 +fixed stddef.h include +fixed encoding rules string +updated todo +fixed some byte-order issues +fixed HAVE_BACKTRACE checks +starter Makefile now uses proper $(COMPILE) to build pluto objects +made backtrace() calls optional to support uClibc +XAUTH support +XAUTH support +fixed bug in ifdef CISCO_QUIRKS +added XAUTH support +support of Cisco Unity VID +added new VIDs +version bump to 4.0.6 +fixed case with wildcard peer ID and static peer address +added simple script to port trunk changes into branches +start kdevelop with project file from actual branch +updated changelog +fixed typos + + + strongswan-4.0.5 / R:1447 +=========================== + +fixed typos +improved selection of ipsec status|statusall <name> +fixed NEWS (runtime debug level options) +fixed credits +fixed very old bug in linked_list's remove_first and remove_last +proper "ipsec up" signal handling when initiating to %any +removed iterator hook for replace +fixed output of proto/port selectors +cosmetics +due to console logging, no need for final sleep anymore +adapted checks to changed ipsec status output +due to narrowing no need for rightsubnetwithin +no need to send certreq +fixed ipsec status|statusall <name> +log IKE SPIs on a separate line +redesigned formatting of ipsec status|statusall +cosmetics +version bumps of strongSwan, Linux kernel and Gentoo root file system +corrected description +added dpd-hold scenario +added new features +fixed 64 bit issue +solved 64 bit issue 
by changing long to int +solved 64 bit issue in push/pop stroke interface +fixed 64 bit issue +some fixes for doxygen +better split up of library files "types.h" & "definitions.h" +centralized all printf specifier character definitions +reuse of arginfo handlers +more cleanups +fixed more AMD64 issues +added DEBUG_LEVEL compile flag to exclude DBGn() statements +added nodebug configure script without any debug messages and without -g +preparations to include certreqs in policy decisions +do not sent certreq payloads when the peer is known to use PSK +position of (myself) moved in log output +do not sent certreq payloads when using self-signed certs +moved (myself) in log output +moved typedefs to beginning of files to solve some include problems +splitted authenticator to have a separate implementation for each auth_method_t +using va_copy to clone va_lists, should fix proplems on AMD64 +some other cleanups +do not sanitize '*' character +fixed SIGSEGV when setup of an additional CHILD_SA fails +added IKEv2 clarifications RFC +changed debug level of certreq log output +cosmetics in debug output +support of certreq payload in IKE_AUTH messages +chunk_to_hex() function declaration deleted +added function certreq_payload_create_from_x509() +send a certreq as initiator if other_ca is set +added method get_ca_certificate() +added methods get_my_ca() and get_other_ca() +added methods get_my_ca() and get_other_ca() +added some missing 'AUD' entries +cosmetics +cosmetics +change due to change debug output +spaces should not be sanitized +fixed due to new logging concept +some improvements in signaling code +include only source NATD payloads really needed +updated for NAT team +improved signal handling and emitting +support of ModeCfg Push mode +support of mixed RSA/PSK static connections +support of ipsec statusall in state output +output of 'DPD active' in ISAKMP SAs +support of ipsec statusall in state output +added natip support +added has_natip flag +added ModeCfg push 
policy and states +added ModeCfg push policy and states +fixed typo in debug statement +redesigned list output format +added 'modeconfig=pull|push' and 'left|rightnatip' keywords +added has_natip flag +added has_natip flag +added 'exit' statement in listcerts,.. case +fixed two bugs in the time_t and chunk_ct print functions +redesigned format of print function +replaced 'times' by 'dates' +added private flag to asn1_init +added private flag to asn1_ctx_t +removed DES-EDE3-CBC only comment +removed deprecated iterator methods (has_next & current) +added iterator hook to manipulate iterator the clean way +linked list cleanups +added list methods invoke(), destroy_offset(), destroy_function() +simplified list destruction when destroying its items +added verbosity level to stroke +upgrade to new Gentoo root file system and tcpdump command +added +deleted +renamed ikev1 scenario and added ikev2 scenario +added new scenarios +Version bumps of UML kernel, Gentoo root file system and strongSwan release +code cleanups in printf handlers +added eap authentication draft for ikev2 +updated stroke to allow run-time manipulation of debug levels +added charondebug config parameter to set debug level at startup +introduced new logging subsystem using bus: + passive listeners can register on the bus + active listeners wait for signals actively + multiplexing allows multiple listeners to receive debug signals + a lot more... +updated file filter for kdev project +include CREDITS file in distribution +moved various scripts in scripts/ dir +add configure script wrappers +removed txt files from doxygen +removed module tests, outdated. 
We need something more system-test like +added missing -DDEBUG compile option +fixed auxillary message data parsing for IPV6 socket +using SOL_* constants for socket level +fixed IPV6_PKTINFO setsockopt() to work with most kernel headers +replaced strerror(errno) with %m printf specifier +added stronger certs for moon, carol, and dave +added IPv6 hw and multicast addresses +adapted to new tcpdump ipv6 output +multi-level-ca scenarios use unencrypted private key +added scenario +fixed timing +new gentoo root file system +fixed bug with openldap 2.3 +removed ipsec.conf version information +carolKey.pem is now protected by 3DES passphrase +updated net runlevel scripts +updated net init scripts +new net configuration format +HW addresses must be predefined +cosmetics +added USE_LIBCURL +cosmetics +found libraries are not appended to LIBS anymore +version bump to 4.0.5 +fixed DPD to survive IKE_SA rekeying +introduced printf() specifiers for: + host_t (%H) + identification_t (%D) + chunk pointers (%B) + memory pointer/length (%b) +added a signaling bus: + receives event and debug messages, sends them to its listeners + stream_logger, sys_logger, file_logger added, listen to bus +some other tweaks here and there +added often used RFCs and drafts +DES for private key encryption is not supported +updated NEWS and ChangeLog for 4.0.4 release +fixed retransmission policy for responder +fixed dpd for responder +added ID_ANY check to matches_binary() +replaced 'missing value' warning by zero length chunk_t value +defined maximum hash size +support of AES-192-CBC private key encryption +added hostaccess support +added hostaccess support +moved auth_method to policy +added hostaccess support +added hostaccess support +more consistent authentication logging +added hostaccess support +moved auth_method to policy +moved auth_method to policy +added hostaccess support; moved auth_method to policy +added hostaccess support +added hostaccess support +added new test scenarios +fixed 
some compiler warnings + + + strongswan-4.0.4 / R:1289 +=========================== + +fixed some compiler warnings +extended statusall output + added job/event-queue statistics + added allocation statistics when using LEAK_DETECTIVE +fixed include typo +public declaration of all HASH_SIZEs in hasher.h +support of encrypted private key files +added copyright notice to sha2_hasher +included SHA2 in build process +implemented sha2_hasher which supports SHA-256, SHA-384 and SHA-512 +added support for 3DES encryption algorithm in IKE +fixed the ids parsing bug +fixed the ids parsing bug +updated TODOs +fixed memleak +fixed proper handling of id parsing errors +proper return value when no PSK found +added HOST_ACCESS for firewall script as default +more debugging output for PSK authentication +some cleanups here and there +added auth_method field +added auth_method field +cosmetics +verify_emsa_pkcs1_signature returns status_t +cosmetics +added PSK support +enabled firewall support +proper error handling for socket creation +handle certificate parsing error more generous +fixed certificate verification bug! 
+fixed memleak when receiving invalid certificate +version bump to 4.0.4 +version bump to 4.0.4 +two new test scenarios +fixed path to images directory +implemented updown script to handle firewalling +add priority management for kernel policy +let ROUTED policies installed, until manuall removed +introduced new naming scheme to allow proper shutdown of IKE/CHILD_SAs +ike_sa_manager cleanups +implemented handling of dpdaction and dpddelay ipsec.conf parameters +reuse reqid when a ROUTED child_sa gets INSTALLED +fixed a bug in retransmission code +added support for the "keyingtries" ipsec.conf parameter +added support for the "dpddelay" ipsec.conf parameter +done some work for "dpdaction" behavior +some other cleanups and fixes +fixed a at-least-one-year-old bug which caused crashed in the scheduler +added raw socket filter for IPv6 +implemented NAT detection for IPv6 +removed unneeded constructor +initial support for IPv6 (more testing needed) + socket works (without v6 filter) + traffic selector handle IPv4/v4 cleanly + improvements in traffic selector code + kernel interface accepts v6 traffic selectors and hosts + host_t class has full IPv6 support +added stddef.h include for compilers which do not support the offsetof() directive +moved interface enumeration code to socket, where it belongs +query interfaces every time we need it to respect changes in network config +added address listing on startup and "ipsec statusall" +version bump of UML kernel to 2.6.17.11 +fixed crash bug when doing "ipsec down" with an unknown connection +added name property in CHILD_SA, allows proper status output +fixed bug which prevented port float when nat is detected +version bumps +'sha' and 'sha1' are now treated as synonyms +updated Changelog and other docs + + + strongswan-4.0.3 / R:1235 +=========================== + +fixed rekeying behavior when proposing an inacceptable DH group (INVALID_KE_PAYLOAD) +implement proper handling of most simultaneous IKE_SA rekeying cases 
+version bump to 4.0.3 +implemented proper refcounting using atomic operations +implemented IKE_SA rekeying + uses ikelifetime, rekeymargin and rekeyfuzz config settings + no handling of simultaneus exchanges yet! +added possibility to route CHILD_SAs, without to set them up + support for auto=route parameter + support for ipsec route and ipsec unroute + initiating of CHILD and/or IKE_SAs based on kernel acquires +reuse an existing IKE_SA to set up additional CHILD_SAs +introduced refcounting on policy and connections + aren't stored in the IKE_SA anymore, they are queried on the fly + are immutable now, allows it to share them +policy selection based on traffic selectors, leads to valid lookup results + rekeying queries the policy based on its traffic selectors +cleanups in kernel interface code +added proper traffic selector to string conversion +some cleanups here & there +X.509 certificate trust path verification +added +fixed UDP decapsulation by adding inbound bypass policy for send socket +updated mixed tests to new charon output +corrected DPD entry +reenabled module tests for charon +fixed bug which erroneously detected KE payload when rekeying +added IPsec bypass policy to receiving socket, allows incoming IKE traffic on host2host tunnels when using NAT +improved logging on verify errors for some payloads +enforcing IKE_SA shutdown, even when transactions are outstanding +proper reject of CREATE_CHILD_SA message with KE payload +added test cases from NAT team +updated all IKEv2 tests to work with new status output +added tcpdumpcount function from NATT guys +added possibility to mount the strongswan tree into all UMLs +added script for installing from shared tree in all UMLs +added script to shut down all UMLs properly +removed in favour of tests from NAT team +fixed CREATE_CHILD_SA transaction dispatching +added CHILD_SA states, which allows us to detect further simultaneous transactions +reimplemented the buggy message id handling +updated some inline 
docs +fixed crypter/signer in/out to conform with standard +fixed payload order +added message id logging +added all currently known notify payload types +added policy cache to kernel interface + allows refcounting of multiple installed policies + finally brings us stable simultaneous rekeying +leak detective blanks memory on free & alloc, allows further membug detection +code cleanups +identification_t.matches() supports multiple wildcard counts +identification_t.matches() supports multiple wildcard counts +further work done for simultaneous rekeying/delete + still some cases which cause trouble +fixed compiler warnings in parser when using -O2 +reenabled check_expiry +updated copyright information +reimplemented CHILD_SA rekeying & delete + no simultanous transaction with CHILD_SAs yet! +removed NAT_TRAVERSAL and VIRTUAL_IP compile options +removed NAT_TRAVERSAL compile option +removed NAT_TRAVERSAL and VIRTUAL_IP compile options +added +updated NEWS +added support for leftprotoport and rightprotoport +improved CHILD_SA output for "ipsec statusall" +updated whitelist (getprotobynumber) +redesigned IKE_SA using a transaction mechanism: + removed old state machine + reimplemented IKE_SA setup and delete + implemented dead peer detection + implemented keep-alives + a lot of fixes + no rekeying yet +fixed compiler warnings +made thread ids unsigned again, to avoid negative thread ids on some systems +fixed memleak when initiating a connection already up +updated leak detective whitelist +applied latest NATT patch with some fixes and cleanups +test currently without firewall +added +added +added +removed +removed version information from ipsec.conf +log entries start with lowcercase character +restored lost IKEv2 packet suppression +added USE_LEAK_DETECTIVE option +fixed natd_hash memory leak +tests with subdirectory structure +removed tests +introduced subdirectory structure +support of cert payloads +lowercase log entries +distributed by ITA +added support of updown 
parameter +generation of default key +cosmetics +added support of updown parameter +version bump to 4.0.2 +added X.509 trust chain verification +version bump to 4.0.2 +ESP packet size changed +fixed bad_proposal_syntax bug +updated ingorelist for stroke_keywords.c +applied new changes from NATT team + DPD only done when no IPsec and IKE traffic processed + minor changes here and there +some message code cleanups +fixed identification_t clone to apply function pointers +cleaner error handling on UDP encapsultion sockopt failure +added mysterious UDP encapsulation socket option to get encapsulation working +fixed BAD_PROPOSAL_SYNTAX vulnerability +first merge of NATT code +fixed testing build +updated for 4.0.1 release +updated news for 4.0.1 release +fixed whitelist detection + + + strongswan-4.0.1 / R:1144 +=========================== + +fixed whitelist detection +reworked function ignore mechanism to not-report whitelist + rather than overriding functions +fixed execv call args to work when using strictcrl and syslog +fixed bug: usage of already freed mem +readded local_credential_store +added sendcert policy to connection +some other cleanups +implemented rereadcrls rereadcacerts +implemented rereadcrls rereadcacerts +implemented rereadcrls rereadcacerts +removed local_credential_store +fixed SPI when acting as initiator of rekeying +fixed SPI when rekeying and deleting CHILD_SAs +change key derivation order to fullfill RFC +added crl support +added listcrls +added chunk_equals_or_null() +added crl support +changed tabs from 8 to 4 spaces +added crl support +cosmetics +cosmetics (space) +fixed compilation error +updated for release +fixed aes code, we support now aes128, aes192, aes256 in IKE +added support for "ike" and "esp" keywords +fixed bugs in proposal code +algorithm selection for charon works now with ipsec.conf +a lot of other fixes +implemented clean spi allocation behavior when using multiple proposals +fixed logleve(l) keyword typo +handling of 
"rekey=no" parameter added +changed default algorithms to: + ike: aes128-sha-modp2048 + esp: aes128-sha1, 3des-md5 +added default CRL directory path +added strictcrlpolicy command line argument +added option parsing +added local CRLs +added rekeying parameters +corrected some descriptions +moved RSA key size constraints to definitions.h +fixed down keyword +debug and logging improvements +support for stroke listcerts|listcacerts|listcrls|listall +support for stroke listcerts|listcacerts|listall and left|rightca= +gperf creates optimum hash table for stroke keywords +using same reqid if a child sa rekeys an existing one +NULL string argument is treated as %any +add_certificate() now returns pointer to added cert +cosmetics +single tests now start up faster +workaround for peers rekeying at the same time +loading lifetime policies from ipsec.conf +old child_sa gets deleted after rekeying +rekeying almost complete, but: + IKE_SA get in an invalid state when both initiate rekeying at the same time, +corrected type +improved kernel interface logging +fixed clone/destroy behavior when not using CAs +specifying keysize in bits, as it is required in IKEv2 +added generic kernel SA algorithm handling, which brings us: + aes-128, aes-256, blowfish, des, 3des and null encryption for CHILD_SAs +added support for leftsendcert= and left|rightca= parameters +discard cert if CA basic constraints flag is not set and warn if cert is not valide +added public methods is_ca() and is_valid() +changed ASN.1 CONTROL log output to LEVEL2 +cosmetics +removed unused Makefile +stroke.h requires libstrongswan/types.h +fixed compile warnings when using -Wall +further CHILD_SA rekeying work done: + creation of a new CHILD_SA on a expire from a kernel works + delete of old CHILD_SA still missing + some issues when both initiate rekeing +updated INSTALL to conform with autotools +added a short HACKING introduction +further work for rekeying: + get liftimes from policy + added new state + initiation 
of rekeying done +proposal redone: + removed support for AH+ESP proposals +proper leak detective hook for realloc +excluded pthread_setspecific from leak detective +fixed a memleak +cosmetics +ipv6-host2host scenario added +created IPv6 environment +job management: + moved job code from thread_pool to job, jobs have an "execute" method now + added two new jobs: delete_child_sa & rekey_child_sa +kernel interface: + listens now for ACQUIRE & EXPIRE + supports hard and soft lifetimes + fires jobs for delete and rekey child sa +ike sa manager: + can checkout IKE SAs by requid of owned CHILD SAs +we have now the infrastructure to do the rekeying... :-) +fixed some memleaks/freebugs +leak detective works almost usable now (?!) +added host2host test for ikev2 +fixed host-host tunnel traffic selection, host-host works now +bug fixed circumventing an assertion in delete_connection when ikev1 is not set +minimized prefixed on stroke logger output +charon outputs strongSwan version +tests with subjectAltNames now +fixed event queue for events >36min +included charons module tests to build & dist +full support of ikev1 and ikev2 connection flags +cosmetics in log_status output +use of streq +added testing files to dist + required the use of the "ustar" format to support + filenames longer than 99 chars +lookup of private key based on keyid of public key +new functions to add certificates and retrieve private and public keys +changed log level +list ca certificates +computation of SHA-1 hash over publicKeyInfo object +moved abbreviated thread_id in front of brackets +added has_key parameter to log_certificates() +log_certificates() now shows keyid and availability of matching private key +indented loaded file log entry +moved TIMETOA_BUF definition to types.h +moved TIMETOA_BUF definition from asn1.h +define default CA_CERTIFICATE_DIR +load all ca certificates +fixed daemon destruction order to prevent + crashes on termination +fixed memleak when deleting a connection +updated 
todo list +policies contain a connections name now + used for initiate and delete +connections won't get initiated twice anymore +deleting of connections is now possible, which allows us to use + ipsec update and ipsec reload +changed iterator->remove behavior +ipsec up|down|route|delete require a connection name +stroke now uses constant size string buffer +changed to standard connection log output +reworked parsing and matching of subjectAltNames +added memeq() macro +moved timetoa() from asn1.c to types.c +corrected type +some logging improvements and cosmetics +handle IKE_SA setup without a piggy-packed CHILD_SA + more IKEv2 conform +initiate IKE_SA deletion befor manager destruction +improved code of chunk_equals +added streq() macro and defined default BUF_LEN +typo +build gets perl and gperf from configure now +moved built sources to maintainer-clean +show connection templates in status & statusall +don't complain on termination of IKEv1 connections +updated ipsec.conf manual to reflect actual state of + keyexchange-parameter +using hubs instead of switches, which allows us + to sniff the traffic from the host system. +changed config load strategy: + starter loads both connections in charon & pluto, + charon ignores anything with keyexchange!=ikev2. + pluto needs the same behavior. 
+ changed build order to fix build error after distclean +load_end_certificate() now loads certificates +cosmetics +moved definition of generalNames_t to identification.h; initialized subjectKeyID, authKeyID and authKeySerialNumber +moved definition of generalNames_t to identification.h +corrrected description +reimplemented proper IKE SA deletion using a seperate state, + should conform now to IKEv2 +fixed build when using --enable-leak-detective +added removed files to svn:ignore +fixed bug in pluto/Makefile.am +removed perl-generated oid.c/h from svn, + added them to "dist" and "distclean" +removed lex, yacc and gperf output from svn, + added them to "dist" and "distclean" +storing release revision in svn property "release-revision", because I forget it all the times +fixed ignorelist, should work now +added ingorelist for builded files +re-added doxygen apidoc, buildable with "make apidoc" +added missing ipsec.conf.5 to distribution :-/ +fixed another typo +added missing ipsec.conf ipsec.conf.5 +existing ipsec.conf won't get overwritten anymore +fixed typo in Makefile which corrupted the build +applied patch from the NAT-T team fixing several typos +applied patch from andreas, which allows certificate listing via stroke +added ipsec.conf template and man page back +removed old Makefiles +added new strongswan KDevelop project & startup hack +fixed Revision in changelog fo 4.0.0 +started ChangeLog +simple script for ChangeLog update via "svn log" +fixed compliation error using --enable-smartcard +added test for ikev1-ikev2 mixed mode +added test ikev2 roadwarrior scenario +applied andreas's patch + logger output improvements + testin gupdates + and a lot more +updated testsuite to autotools +added random source ./configure options +fixed default-pkcs11 option +testcommit +fixed errors when --enable-pkcs11 +added autogen script +introduced autotools + first working version + make dist should work + things to do: + UML testing! 
+ more cleanups +fixed build +started to rebuild source layout +fixed stroke error output to starter +using random SPIs now, but without collision checks +applied some -W's from strongswan +fixed that warnings +removed IKEV2 ifdefs +applied patch from andreas + added charonstart option to config + new ikev2 tests for UML + + strongSwan-4.0.0 / R:967 +========================== + +removed IKEV2 ifdefs +applied patch from andreas + added charonstart option to config + new ikev2 tests for UML +applied patch from andreas + pem loading + secrets file parsing + ikev2 testcase + some other additions here and there +connection termination is handled cleanly by name now +fixed bad bug, certs load now cleanly again +fixed make install (subdir order) +fixed include path +added missing script +finished initial import of strongswan file tree +removed a lot of old and unused stuff +moved RFCs from ikev2 into doc dir +added missing files for starter +applied patch for charon (this time really) +import of strongswan-2.7.0 +applied patch for charon +renamed get_block_size of hasher +reworked usage of IDs in various states +using ID_ANY for any, not NULL as before +initiator sends IDr payload in IKE_AUTH when ID unique +fixed charon checks +using status & statusall +patch for 2.7.0 +add connection names to connections +stroke status / ipsec status shows them +added statusall for stroke +added status by connection name +some tests repaired, more to come +fixed spi conversion +improved "stroke status" output +setup PID file after daemon initilization, to correctly inform + starter about daemon startup +added separate implementation for connection_store, credential_store, policy_store +added folder structure to config +credentials are fetched solely on IDs now +identification_t supports now almost all id types +x509 certificates work with identification_t now +fixes here, fixes there +fixed doxygen build +seperates now in lib and charon +library initialization done at a central point 
(library.c) +some leak_detective fixes +updated Todos +fixed log-to-syslog behavior +added patch against strongswan-2.6.4 +x509 certificate loading with pluto asn1 code +x509 needs a lot more attention! +renamed some files +using asn1 pluto stuff now +removed, since we use pluto asn1 stuff +leak detective is usable, but does not show static function names + a script which gets address via ldd and resolves address via addr2line would be nice +fixed a leak in child_sa with new detective ;-) +some improvements to new asn1 stuff +to be continued +fixed bad bugs in kernel interface +added some logging info +works now much more stable +startet importing pluto ASN1 stuff +der PKCS#1 key loading works (as it did with der_decoder) +split up in libstrong, charon, stroke, testing done +new leak detective with malloc hook in library + useable, but needs improvements +logger_manager has now a single instance per library + allows use of loggers from any linking prog +a LOT of other things +../svn-commit.tmp +added misssing stroke.h +improved strokeing + down connection + status +some other tweaks +rewrote a lot of RSA stuff +done major work for ASN1/decoder +allow loading of ASN1 der encoded private keys, public keys and certificates +extracting public key from certificates +passing certificates from stroke to charon +=> basic authentication with RSA certificates works! +starter work on asn1 with der de/encoder +RSA private and public key can load read key from ASN1 DER +some other fixes here and there +rewrite of logger_manager, uses now one instance per context +cleanups for logger here and there +removed critical flag check in payload verification (conformance to IKEv2) +so thats and theres everywere... 
;-) +patch for strongswan-2.6.3 +added charon support for strongswan build process +ipsec starter supports charon startup and control +removed old diploma thesis scripts +some cleanups +compatibility to strongswan, Makefile can be called by "make programs" + and "make install" (ikev2 patch must be applied to strongswan) +first version of stroke control utility +moved output to doc/api, since doc is used for other docs now +some first documentation in english +removed old eclipse project files +works quite well now with ipsec.conf & ipsec starter +belongs to previous commit ;-) +reworked configuration framework completly +configuration is now split up in: connections, policies, credentials and daemon config +further alloc/free fixes needed! +first attempt for connection loading and starting via "stroke" +some improvements here and there +configuration_manager replaced by configuration_t interface +current configuration_manager is now static_configuration (testing) +first draft of starter_configuration, which should once interact with ipsec starter (via whack?) +some cleanups +socket_t uses RAW socket, which allows parallel service of pluto/charon +comments and cleanups +working policy installation and removal +fixed policy setup bug +proposal setup implementation begun +fixed socket code, so we know on which address we receive traffic +AH/ESP setup in kernel is working now!!! :-))) +installing of child sa works +need correct IP adresses to actually use IPsec +new RFCs of IKEv2, IKEv2 algs and IPSec arch added +update of IKEv2 clarification document +refactored ike proposal +uses now proposal_t, wich is also used by child proposals +ike key derivation refactored +crypter_t api has get_key_size now +some other improvements here and there +config uses uml hosts alice and bob +key derivation for child_sa works +some fixes here and there +fixed memleaks +works with new proposal code +still some(!) 
memleaks +fixed alot of bugs in child_proposal +near to working state ;-) +dead end implementation + +... there is a lot more of it, but nothing of interest |
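Review bot: several entries in this generated ChangeLog are not change descriptions and should be filtered before the file is shipped: "../svn-commit.tmp" and "testcommit" are artifacts of the svn workflow, the many bare "added" / "deleted" lines name no file and so record nothing, and "removed killall openssl" and "Shortened distribution string" each appear twice in a row. The four entries "removed IKEV2 ifdefs", "applied patch from andreas ... added charonstart option to config ... new ikev2 tests for UML" are listed both at the end of the 4.1.0 block and again at the top of the "strongSwan-4.0.0 / R:967" block, so the revision range used for the version boundary looks off by a few commits and one copy should go. The file also ends with "... there is a lot more of it, but nothing of interest", which is a comment rather than an entry. Since the log says it is produced by a "simple script for ChangeLog update via svn log", the cleanest fix is to have that script drop empty or single-word messages and de-duplicate consecutive lines; a pass over the remaining spelling ("dublicated", "compliation", "seperate", "testin gupdates", "ingorelist", "misssing") would help readers searching the log.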